OpenStack Security Group: Status Update and Plans

Bryan Payne

April 18, 2013

Transcript

  1. OpenStack Security Group Status Update and Plans
     Bryan D. Payne, bryan.payne@nebula.com
     Robert Clark, robert.clark@hp.com

  2. Recap From Last Summit
     • Discussed the need for a unified OpenStack security group
     • Attempted to gather the relevant parties
       ◦ Got a lot, happy for others to join
     • Put forward a high level game plan

  3. OSSG Membership
     • (chart) OSSG membership since the Grizzly summit

  4. Launchpad Group
     • https://launchpad.net/~openstack-ossg
     • Linked into other areas of Launchpad
       ◦ security tagged bugs
       ◦ linked to security note work
     • Provides email notification for the above

  5. Weekly Meetings
     • https://wiki.openstack.org/wiki/Meetings/OpenStackSecurity
     • IRC meetings
       ◦ Started in Jan 2013
       ◦ Thursdays at 18:00 UTC
       ◦ 30 minute sync-up between OSSG members
     • Minutes posted online

  6. Security Notes (OSNs)
     • https://launchpad.net/osn
     • Purpose of OSNs
       ◦ Convey security best practice information
       ◦ Timely
       ◦ Complement CVEs
     • OSNs to date
       ◦ Security impact of Libvirt / LXC
       ◦ Keystone request header size can lead to DoS
     • More to come

  7. Volume Encryption
     • Work done by team at JHU/APL
       ◦ Will be included in Havana
     • Transparent encryption of data at rest

  8. HTTPS Support in Clients
     • Work done by Dean Troyer at Nebula
     • Starting with (early 2013 release)
       ◦ python-keystoneclient
       ◦ python-glanceclient
       ◦ python-novaclient
       ◦ python-cinderclient
       ◦ python-swiftclient
     • Clients support
       ◦ Proper hostname checking
       ◦ Custom certificate chains
       ◦ Full certificate validation
       ◦ http://hackstack.org/x/blog/2012/12/21/securing-openstack-client-connections-part-2/
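Slide 8 names three client-side TLS properties: proper hostname checking, custom certificate chains and full certificate validation. The Python `ssl` snippet below is an added example, not code from the slides or from the OpenStack client libraries: it builds a client context with those three properties, shows the encryption-only context it replaces, and adds a small audit function that flags a context missing any of them. The `cafile` parameter (path to a custom CA chain) is an assumption of the example.

```python
import ssl
from typing import List, Optional

# Added example; not OSSG or OpenStack client code. The cafile argument is
# assumed to point at a PEM bundle holding a deployment's private CA chain.


def hardened_client_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Client-side TLS context that validates the server certificate against
    the system trust store, or against a custom CA chain when cafile is given."""
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.check_hostname = True            # the cert must match the requested host
    ctx.verify_mode = ssl.CERT_REQUIRED  # an unverifiable chain aborts the handshake
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Note: with check_hostname enabled, ctx.wrap_socket(...) must be called
    # with server_hostname=<host>, otherwise Python raises ValueError.
    return ctx


def legacy_client_context() -> ssl.SSLContext:
    """Encryption without authentication: the peer is never checked, so any
    certificate (or a man-in-the-middle's certificate) is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False           # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_client_context(ctx: ssl.SSLContext) -> List[str]:
    """Return findings for a client context; an empty list means it enforces
    all three properties listed on the slide."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate validation disabled (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname checking disabled (check_hostname is False)")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy TLS versions allowed (minimum_version < TLSv1_2)")
    return findings


if __name__ == "__main__":
    print("hardened:", audit_client_context(hardened_client_context()) or "no findings")
    print("legacy:  ", audit_client_context(legacy_client_context()))
```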
  9. Review Efforts
     • Mailing list discussions
     • Security tagging for bugs / PRs
       ◦ Security tag on bugs (available today)
       ◦ Security tag on gerrit (work in progress)
     • Assistance on vulnerability reports

  10. OpenStack Security Mailing List
     • Set up recently (early April)
     • Facilitates security discussions
       ◦ OSSG discussions
       ◦ Meeting place for security discussions
       ◦ Interactions with broader development community
     • Fills a separate niche from openstack-dev
     • openstack-security@lists.openstack.org

  11. OSSG Challenges
     • Rethinking security at all levels
       ◦ Understand current state
       ◦ Monitor, influence changes
       ◦ Start small, but scale
     • OpenStack expertise vs. Security expertise
       ◦ OSSG has many security experts
       ◦ OSSG has fewer OpenStack experts
       ◦ Need more participation from core developers
     • Time -- everyone is busy
  12. OpenStack Simplicity (diagram: Nova, Swift)

  13. Individual Services (diagram: Nova, Swift, Network, Glance, Keystone, Horizon, Cinder)

  14. Security Domains (same diagram)

  15. Gated Interconnects (same diagram)

  16. Map Data Paths (same diagram)

  17. Good Job...? Secure Design Complete!

  18. Individual Services (same diagram)

  19. Lots of Glue (diagram adds: DNS, Metering, Automation, Load Balancing, Monitoring, Billing, Databases, Orchestration, Alarming, Messaging, Account Maintenance, Certificate Authorities)

  20. Data Paths (same diagram)

  21. Message Plumbing (same diagram)

  22. Billing Plumbing (same diagram)

  23. Alarm Plumbing (same diagram)

  24. SSL Plumbing (same diagram)

  25. Under Cloud Admin Plumbing (same diagram)

  26. SO MUCH PLUMBING (same diagram)
  27. PANIC ?

  28. KEEP CALM and CONTRIBUTE

  29. Where to start?

  30. OSSG Work In Progress
     • Security Hardening Guide
     • Recruiting
     • OpenStack Security Notes
     • Consultancy and Support
     • Critical Code Review

  31. OpenStack Hardening Guide
     • Initial project and templates
     • Engaged with Private, Public and Government Agencies
     • Documentation Sprint in June
     • Security Awareness

  32. How You Can Help
     • Get Involved!
       ◦ Be our eyes & ears on core projects
       ◦ Participate in weekly IRC meetings
       ◦ Volunteer to help with security tasks
     • Share your knowledge
       ◦ OpenStack security?
       ◦ Secure deployment options?
       ◦ Architectural security concerns?
       ◦ Please share what you know!

  33. Recruiting :: Enthusiasts
     • Hardening Guide Reviewers
     • Security Note Editors
     • Issue Researchers
     • Community Engagement
     • Security Group Tooling

  34. Recruiting :: OpenStack Devs
     • Code Review
     • Design Review
     • Security Blueprints
     • Help with Patching
     • Community Engagement

  35. Recruiting :: InfoSec Ninjas
     • Threat Analysis
     • Architectural Security Reviews
     • Code Reviews
     • Automated Code Review
     • VMT Engagement
     • Security Evangelism & Awareness

  36. Summary
     • Documentation sprint in June
     • Lots of work to be done
     • Actively seeking more OSSG members
     • Work with community for improving all aspects of security in OpenStack

  37. Questions
     Bryan D. Payne, bryan.payne@nebula.com
     Robert Clark, robert.clark@hp.com