Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Security for Private OpenStack Clouds

Bryan Payne
May 15, 2014
Technology
0
79

Security for Private OpenStack Clouds

OpenStack Summit, Spring 2014. Private clouds are much more than just a public cloud behind a firewall. Private clouds reach into the enterprise and have deep integration with key shared infrastructure that is external to the cloud such as LDAP, Storage, VLANs, DNS, NTP, etc. Furthermore, private clouds have a different threat profile. Users may be from the same organization, but insider attacks and targeted external attacks motivate unique security solutions. https://www.youtube.com/watch?v=PAPMwGL3hkI

Bryan Payne

May 15, 2014
Tweet

More Decks by Bryan Payne

See All by Bryan Payne
Fail, Learn, Fix: Improving Security The Old-Fashioned Way
bdpayne
0
260
BLESS: Better Security and Ops for SSH Access
bdpayne
3
740
Securing Containers the Netflix Way
bdpayne
1
2.3k
PKI at Scale Using Short-Lived Certificates
bdpayne
0
870
Platform Security Jobs at Netflix
bdpayne
0
870
Improving Cloud Security with Attacker Profiling
bdpayne
2
820
Key Management in AWS: How Netflix Secures Sensitive Data Without Its Own Data Center
bdpayne
4
1.9k
Security at Different Layers of Abstractions: Application, Operating Systems, and Hardware
bdpayne
0
200
Platform Security at Netflix: Securing Microservices from the Ground Up
bdpayne
0
5.8k

Other Decks in Technology

See All in Technology
B2B SaaSから見た最近のC#/.NETの進化
sansantech
PRO
0
680
AGIについてChatGPTに聞いてみた
blueb
0
130
Why App Signing Matters for Your Android Apps - Android Bangkok Conference 2024
akexorcist
0
120
OCI 運用監視サービス 概要
oracle4engineer
PRO
0
4.8k
第1回 国土交通省 データコンペ参加者向け勉強会③ - Snowflake x estie編 -
estie
0
120
Exadata Database Service on Dedicated Infrastructure(ExaDB-D) UI スクリーン・キャプチャ集
oracle4engineer
PRO
2
3.2k
VideoMamba: State Space Model for Efficient Video Understanding
chou500
0
190
スクラムチームを立ち上げる〜チーム開発で得られたもの・得られなかったもの〜
ohnoeight
2
350
サイバーセキュリティと認知バイアス:対策の隙を埋める心理学的アプローチ
shumei_ito
0
380
複雑なState管理からの脱却
sansantech
PRO
1
140
OCI Network Firewall 概要
oracle4engineer
PRO
0
4.1k
AWS Lambdaと歩んだ“サーバーレス”と今後 #lambda_10years
yoshidashingo
1
170

Featured

See All Featured
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
eileencodes
16
2.1k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
47
2.1k
Building Flexible Design Systems
yeseniaperezcruz
327
38k
Build your cross-platform service in a week with App Engine
jlugia
229
18k
Large-scale JavaScript Application Architecture
addyosmani
510
110k
The Art of Delivering Value - GDevCon NA Keynote
reverentgeek
8
860
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
250
21k
Into the Great Unknown - MozCon
thekraken
32
1.5k
Building Better People: How to give real-time feedback that sticks.
wjessup
364
19k
Java REST API Framework Comparison - PWX 2021
mraible
PRO
28
8.2k
Visualization
eitanlees
145
15k
GraphQLの誤解/rethinking-graphql
sonatard
67
10k

Transcript

  1. © 2014 Nebula, Inc. All rights reserved. (cloud) Computing for

    the Enterprise Security for Private OpenStack Clouds Bryan D. Payne May 12, 2014

  2. © 2014 Nebula, Inc. All rights reserved. “Why  Security  Ma/ers

     In  A  Private  Cloud”  

  3. © 2014 Nebula, Inc. All rights reserved. Public   Private

     

  4. © 2014 Nebula, Inc. All rights reserved. Private  Network  

    Internet   Storage   Email   LDAP   NTP   VLAN  Tunnels   SIEM   DNS   PKI  

  5. © 2014 Nebula, Inc. All rights reserved. Storage   Email

      LDAP   NTP   VLAN  Tunnels   SIEM   DNS   PKI  

  6. © 2014 Nebula, Inc. All rights reserved. Storage   Email

      LDAP   NTP   VLAN  Tunnels   SIEM   DNS   PKI   1   2   3  

  7. © 2014 Nebula, Inc. All rights reserved. Intelligence   Services

      Serious  Organized  Crime   Highly  Capable  Groups   MoFvated  Individuals   Script  Kiddies   Likelihood  of  A,ack   Sophis2ca2on  &   Likelihood  of   Exploita2on   Source:  OpenStack  Security  Guide  

  8. © 2014 Nebula, Inc. All rights reserved. Compromise   User

     System   VM  Breakout   API  Vuln   Dashboard   Vuln   Access  Cloud   As  Admin   Access  Cloud   As  Outsider   Access  Cloud   As  User   View  Other   Instances   Abuse  Cloud   Resources   View  Data  In   Cloud   View  Data  In   Cloud   Modify  LDAP   View   External  Data   Follow  VLANs   into  Corp  Net   Spear   Phishing   IniMal  Access   Touch  Cloud   Exploit  Cloud   Exploit  Enterprise   Compromise   Instance  

  9. © 2014 Nebula, Inc. All rights reserved. Known  hardware  

    and  soIware   OrchestraFon   +   =   Security   Opportunity  

  10. © 2014 Nebula, Inc. All rights reserved. API Endpoints Web

    Dashboard Compute Node Compute Node Storage Node Storage Node Guest Management Data Management and Control Plane Services Cloud Users / Administrators Cloud Operators Instance Instance Instance Instance External

  11. © 2014 Nebula, Inc. All rights reserved. OpenStack  Projects  

    “The  Glue”  

  12. © 2014 Nebula, Inc. All rights reserved. Cloud  A/ack  Vectors

      MiFgaFon  Strategies   API  Endpoints   Service  hardening,  mandatory  access  controls,  code  audits   Web  Dashboard   CSP,  expected  domains,  HTTPS,  HSTS,  allowed  referrers   InformaMon  Leakage   SSL/TLS,  disable  memory  dedup,  randomize  resource  assign   VM  Breakout   Service  hardening,  mandatory  access  controls,  code  audits   Hardware  Sharing   Avoid  bare  metal  instances,  avoid  device  pass-­‐through   Default  Images   Secure  and  maintain  default  images   Secondary  AYacks   Least  priv,  mandatory  access  controls,  SSL/TLS,  strong  auth  

  13. © 2014 Nebula, Inc. All rights reserved. Threat: Information Leakage

    •  TLS for network services –  API endpoints –  Web dashboard –  Log feeds –  AD / LDAP –  External Storage •  Cross-VM attacks (timing, cache effects, etc)

  14. © 2014 Nebula, Inc. All rights reserved. Threat: VM Breakout

    •  Mandatory access controls –  SELinux + KVM (SVirt) •  Build hardening –  Remove unused device models from QEMU –  Compiler hardening flags •  General Node Hardening –  De-privilege node, with respect to cloud –  Boot + Runtime attestation, SELinux, etc

  15. © 2014 Nebula, Inc. All rights reserved. Threat: Control Plane

    Compromise •  Layers of Security –  Firewall (bi-directional on control plane) –  Limit propagation of sensitive data –  Unique secrets everywhere –  Audit network service interface bindings –  TLS, SELinux, boot + runtime attestation •  Primary Focus: Limit damage from a bad actor on the control plane

  16. © 2014 Nebula, Inc. All rights reserved. Threat: Vulnerabilities Upstream

    •  Targeted security audits –  Work closely with OpenStack and Linux communities •  Aggressive security update policies –  Cloud-specific triage process –  Be prepared to test and rollout quickly

  17. © 2014 Nebula, Inc. All rights reserved. Threat: Poor Entropy

    for Instances •  Mix entropy from multiple sources –  Hardware generated from multiple vendors •  Distribute securely / fairly –  Entropy stream distributed throughout cloud –  Available to all instances, using RNG Tools

  18. © 2014 Nebula, Inc. All rights reserved. Storage   Email

      LDAP   NTP   VLAN  Tunnels   SIEM   DNS   PKI  

  19. © 2014 Nebula, Inc. All rights reserved. Email:  [email protected]  

    TwiYer:  @bdpsecurity