
OpenStack Security Group: Status Update and Plans

Bryan Payne

April 18, 2013
Transcript

  1. Recap From Last Summit
     • Discussed the need for a unified OpenStack security group
     • Attempted to gather the relevant parties
       ◦ Got a lot, happy for others to join
     • Put forward a high level game plan
  2. Launchpad Group
     • https://launchpad.net/~openstack-ossg
     • Linked into other areas of Launchpad
       ◦ Security-tagged bugs
       ◦ Linked to security note work
     • Provides email notification for the above
  3. Weekly Meetings
     • https://wiki.openstack.org/wiki/Meetings/OpenStackSecurity
     • IRC meetings
       ◦ Started in Jan 2013
       ◦ Thursdays at 18:00 UTC
       ◦ 30 minute sync-up between OSSG members
     • Minutes posted online
  4. Security Notes (OSNs)
     • https://launchpad.net/osn
     • Purpose of OSNs
       ◦ Convey security best practice information
       ◦ Timely
       ◦ Complement CVEs
     • OSNs to date
       ◦ Security impact of Libvirt / LXC
       ◦ Keystone request header size can lead to DoS
     • More to come
  5. Volume Encryption
     • Work done by team at JHU/APL
       ◦ Will be included in Havana
     • Transparent encryption of data at rest
  6. HTTPS Support in Clients
     • Work done by Dean Troyer at Nebula
     • Starting with (early 2013 release):
       ◦ python-keystoneclient
       ◦ python-glanceclient
       ◦ python-novaclient
       ◦ python-cinderclient
       ◦ python-swiftclient
     • Clients support
       ◦ Proper hostname checking
       ◦ Custom certificate chains
       ◦ Full certificate validation
       ◦ http://hackstack.org/x/blog/2012/12/21/securing-openstack-client-connections-part-2/
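Slide 6 lists the three properties the updated clients gained. As an added example, not code from the deck or from any python-*client library, the block below builds a client TLS context with Python's standard `ssl` module that has all three (full validation, hostname checking, an optional custom CA chain), shows the older permissive pattern beside it, and audits a context for the weak settings. `cafile` is an assumed path to a PEM bundle for a private CA; `None` falls back to the system trust store.

```python
import ssl


def secure_client_context(cafile=None):
    """Client context that validates the server chain, checks the
    hostname against the certificate, and trusts a custom CA bundle
    when one is given (cafile is an assumed PEM path)."""
    ctx = ssl.create_default_context(cafile=cafile)
    # create_default_context already sets these; stating them keeps
    # the intent explicit if the function is edited later.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def insecure_client_context():
    """The pattern the slide's work replaced: the server certificate is
    never validated and the hostname is never compared to it, so any
    endpoint presenting any certificate is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # check_hostname must be disabled before verify_mode can be CERT_NONE
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx):
    """Return findings for a client SSLContext; empty means it performs
    the checks slide 6 lists. The CA-store check depends on what the
    host has installed, so treat it as advisory."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not validated (verify_mode is not CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate (check_hostname is False)")
    if ctx.cert_store_stats()["x509_ca"] == 0:
        findings.append("no CA certificates loaded (no trust anchors for chain validation)")
    return findings


if __name__ == "__main__":
    for name, ctx in (("secure", secure_client_context()),
                      ("insecure", insecure_client_context())):
        print(name, audit_context(ctx) or ["ok"])
```

A context built by `secure_client_context` is what you would pass to `ssl.SSLContext.wrap_socket(sock, server_hostname=host)`; the `server_hostname` argument is what `check_hostname` compares against the certificate.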
  7. Review Efforts
     • Mailing list discussions
     • Security tagging for bugs / PRs
       ◦ Security tag on bugs (available today)
       ◦ Security tag on Gerrit (work in progress)
     • Assistance on vulnerability reports
  8. OpenStack Security Mailing List
     • Set up recently (early April)
     • Facilitates security discussions
       ◦ OSSG discussions
       ◦ Meeting place for security discussions
       ◦ Interactions with broader development community
     • Fills a niche separate from openstack-dev
     • [email protected]
  9. OSSG Challenges
     • Rethinking security at all levels
       ◦ Understand current state
       ◦ Monitor and influence changes
       ◦ Start small, but scale
     • OpenStack expertise vs. security expertise
       ◦ OSSG has many security experts
       ◦ OSSG has fewer OpenStack experts
       ◦ Need more participation from core developers
     • Time -- everyone is busy
  10. [Diagram] Map of OpenStack components and everything that connects them: Nova, Swift, Network, Glance, Keystone, Horizon, Cinder, DNS, Metering, Automation, Load Balancing, Monitoring, Billing, Databases, Orchestration, Alarming, Messaging, Account Maintenance, Certificate Authorities. Label: Lots of Glue
  11. [Diagram] Same component map. Label: Data Paths
  12. [Diagram] Same component map. Label: Message Plumbing
  13. [Diagram] Same component map. Label: Billing Plumbing
  14. [Diagram] Same component map. Label: Alarm Plumbing
  15. [Diagram] Same component map. Label: SSL Plumbing
  16. [Diagram] Same component map. Label: Under Cloud Admin Plumbing
  17. [Diagram] Same component map. Label: SO MUCH PLUMBING
  18. OSSG Work In Progress
     • Security Hardening Guide
     • Recruiting
     • OpenStack Security Notes
     • Consultancy and Support
     • Critical Code Review
  19. OpenStack Hardening Guide
     • Initial project and templates
     • Engaged with private, public and government agencies
     • Documentation sprint in June
     • Security awareness
  20. How You Can Help
     • Get involved!
       ◦ Be our eyes & ears on core projects
       ◦ Participate in weekly IRC meetings
       ◦ Volunteer to help with security tasks
     • Share your knowledge
       ◦ OpenStack security?
       ◦ Secure deployment options?
       ◦ Architectural security concerns?
       ◦ Please share what you know!
  21. Recruiting :: Enthusiasts
     • Hardening Guide reviewers
     • Security Note editors
     • Issue researchers
     • Community engagement
     • Security group tooling
  22. Recruiting :: OpenStack Devs
     • Code review
     • Design review
     • Security blueprints
     • Help with patching
     • Community engagement
  23. Recruiting :: InfoSec Ninjas
     • Threat analysis
     • Architectural security reviews
     • Code reviews
     • Automated code review
     • VMT engagement
     • Security evangelism & awareness
  24. Summary
     • Documentation sprint in June
     • Lots of work to be done
     • Actively seeking more OSSG members
     • Work with the community to improve all aspects of security in OpenStack