Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Security for Private OpenStack Clouds

Bryan Payne
May 15, 2014
Technology
0
73

Security for Private OpenStack Clouds

OpenStack Summit, Spring 2014. Private clouds are much more than just a public cloud behind a firewall. Private clouds reach into the enterprise and have deep integration with key shared infrastructure that is external to the cloud such as LDAP, Storage, VLANs, DNS, NTP, etc. Furthermore, private clouds have a different threat profile. Users may be from the same organization, but insider attacks and targeted external attacks motivate unique security solutions. https://www.youtube.com/watch?v=PAPMwGL3hkI

Bryan Payne

May 15, 2014
Tweet

More Decks by Bryan Payne

See All by Bryan Payne
Fail, Learn, Fix: Improving Security The Old-Fashioned Way
bdpayne
0
220
BLESS: Better Security and Ops for SSH Access
bdpayne
3
680
Securing Containers the Netflix Way
bdpayne
1
2.1k
PKI at Scale Using Short-Lived Certificates
bdpayne
0
810
Platform Security Jobs at Netflix
bdpayne
0
840
Improving Cloud Security with Attacker Profiling
bdpayne
2
810
Key Management in AWS: How Netflix Secures Sensitive Data Without Its Own Data Center
bdpayne
4
1.6k
Security at Different Layers of Abstractions: Application, Operating Systems, and Hardware
bdpayne
0
190
Platform Security at Netflix: Securing Microservices from the Ground Up
bdpayne
0
5.6k

Other Decks in Technology

See All in Technology
Autonomous Database - Dedicated 技術詳細 / adb-d_technical_detail_jp
oracle4engineer
PRO
1
2.7k
Exadata Database Service on Dedicated Infrastructure X9M / Exadata Database Service on [email protected] X9M / Exadata Database Machine 比較
oracle4engineer
PRO
0
2.5k
プロデュ―サーさん、今日も安全運転でよろしくね☆~OBD2を用いた速度・回転数検知ツールの開発~
hato3isfriend
0
160
Web API development in Visual Studio 2022
tsubakimoto_s
0
160
Predictive back transition Animation on Android 14
line_developers
PRO
1
470
Modern Testing Tools for Java Developers
eliasnogueira
1
170
microCMSのエンジニア組織と文化
microcms
0
580
金融系子会社でレガシーシステムしか作ったことないけど、モダン開発に挑戦してみた
marikashiotsuki
1
120
OCI Data Integration技術情報 / ocidi_technical_jp
oracle4engineer
PRO
0
460
1人目QA奮闘記-2023年ver-/QA Engineer's Struggle 2023
mii3king
1
760
RedMica 2.3 (2023-05) 新機能ハイライト およびRedmineの2023年5月までの半年間の主要な開発成果
vividtone
0
160
Transit Gatewayを使わなければならない場面を改めて考えてみる #dx_osarai
non97
0
3.1k

Featured

See All Featured
Ruby is Unlike a Banana
tanoku
93
9.7k
GraphQLとの向き合い方2022年版
quramy
23
11k
Happy Clients
brianwarren
90
6k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
239
19k
The Power of CSS Pseudo Elements
geoffreycrofte
54
4.5k
The Pragmatic Product Professional
lauravandoore
22
3.8k
Designing for Performance
lara
601
65k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
7
1k
Designing for humans not robots
tammielis
245
24k
Product Roadmaps are Hard
iamctodd
39
8.2k
The World Runs on Bad Software
bkeepers
PRO
59
5.9k
[RailsConf 2023] Rails as a piece of cake
palkan
7
1.5k

Transcript

  1. © 2014 Nebula, Inc. All rights reserved.
    (cloud) Computing for the Enterprise
    Security for Private OpenStack Clouds
    Bryan D. Payne
    May 12, 2014

    View Slide

  2. © 2014 Nebula, Inc. All rights reserved.
    “Why  Security  Ma/ers  In  A  Private  Cloud”  

    View Slide

  3. © 2014 Nebula, Inc. All rights reserved.
    Public   Private  

    View Slide

  4. © 2014 Nebula, Inc. All rights reserved.
    Private  Network  
    Internet  
    Storage  
    Email  
    LDAP  
    NTP  
    VLAN  Tunnels  
    SIEM  
    DNS  
    PKI  

    View Slide

  5. © 2014 Nebula, Inc. All rights reserved.
    Storage  
    Email  
    LDAP  
    NTP  
    VLAN  Tunnels  
    SIEM  
    DNS  
    PKI  

    View Slide

  6. © 2014 Nebula, Inc. All rights reserved.
    Storage  
    Email  
    LDAP   NTP  
    VLAN  Tunnels  
    SIEM  
    DNS  
    PKI  
    1   2  
    3  

    View Slide

  7. © 2014 Nebula, Inc. All rights reserved.
    Intelligence  
    Services  
    Serious  Organized  Crime  
    Highly  Capable  Groups  
    MoFvated  Individuals  
    Script  Kiddies  
    Likelihood  of  A,ack  
    Sophis2ca2on  &  
    Likelihood  of  
    Exploita2on  
    Source:  OpenStack  Security  Guide  

    View Slide

  8. © 2014 Nebula, Inc. All rights reserved.
    Compromise  
    User  System  
    VM  Breakout  
    API  Vuln  
    Dashboard  
    Vuln  
    Access  Cloud  
    As  Admin  
    Access  Cloud  
    As  Outsider  
    Access  Cloud  
    As  User  
    View  Other  
    Instances  
    Abuse  Cloud  
    Resources  
    View  Data  In  
    Cloud  
    View  Data  In  
    Cloud  
    Modify  LDAP  
    View  
    External  Data  
    Follow  VLANs  
    into  Corp  Net  
    Spear  
    Phishing  
    IniMal  Access   Touch  Cloud   Exploit  Cloud   Exploit  Enterprise  
    Compromise  
    Instance  

    View Slide

  9. © 2014 Nebula, Inc. All rights reserved.
    Known  hardware  
    and  soIware  
    OrchestraFon   +   =   Security  
    Opportunity  

    View Slide

  10. © 2014 Nebula, Inc. All rights reserved.
    API Endpoints
    Web Dashboard
    Compute
    Node
    Compute
    Node
    Storage
    Node
    Storage
    Node
    Guest
    Management
    Data
    Management and Control Plane Services
    Cloud Users / Administrators
    Cloud Operators
    Instance
    Instance
    Instance
    Instance
    External

    View Slide

  11. © 2014 Nebula, Inc. All rights reserved.
    OpenStack  Projects   “The  Glue”  

    View Slide

  12. © 2014 Nebula, Inc. All rights reserved.
    Cloud  A/ack  Vectors   MiFgaFon  Strategies  
    API  Endpoints   Service  hardening,  mandatory  access  controls,  code  audits  
    Web  Dashboard   CSP,  expected  domains,  HTTPS,  HSTS,  allowed  referrers  
    InformaMon  Leakage   SSL/TLS,  disable  memory  dedup,  randomize  resource  assign  
    VM  Breakout   Service  hardening,  mandatory  access  controls,  code  audits  
    Hardware  Sharing   Avoid  bare  metal  instances,  avoid  device  pass-­‐through  
    Default  Images   Secure  and  maintain  default  images  
    Secondary  AYacks   Least  priv,  mandatory  access  controls,  SSL/TLS,  strong  auth  

    View Slide

  13. © 2014 Nebula, Inc. All rights reserved.
    Threat: Information Leakage
    •  TLS for network services
    –  API endpoints
    –  Web dashboard
    –  Log feeds
    –  AD / LDAP
    –  External Storage
    •  Cross-VM attacks (timing, cache effects, etc)

    View Slide

  14. © 2014 Nebula, Inc. All rights reserved.
    Threat: VM Breakout
    •  Mandatory access controls
    –  SELinux + KVM (SVirt)
    •  Build hardening
    –  Remove unused device models from QEMU
    –  Compiler hardening flags
    •  General Node Hardening
    –  De-privilege node, with respect to cloud
    –  Boot + Runtime attestation, SELinux, etc

    View Slide

  15. © 2014 Nebula, Inc. All rights reserved.
    Threat: Control Plane Compromise
    •  Layers of Security
    –  Firewall (bi-directional on control plane)
    –  Limit propagation of sensitive data
    –  Unique secrets everywhere
    –  Audit network service interface bindings
    –  TLS, SELinux, boot + runtime attestation
    •  Primary Focus: Limit damage from a bad actor
    on the control plane

    View Slide

  16. © 2014 Nebula, Inc. All rights reserved.
    Threat: Vulnerabilities Upstream
    •  Targeted security audits
    –  Work closely with OpenStack and Linux communities
    •  Aggressive security update policies
    –  Cloud-specific triage process
    –  Be prepared to test and rollout quickly

    View Slide

  17. © 2014 Nebula, Inc. All rights reserved.
    Threat: Poor Entropy for Instances
    •  Mix entropy from multiple sources
    –  Hardware generated from multiple vendors
    •  Distribute securely / fairly
    –  Entropy stream distributed throughout cloud
    –  Available to all instances, using RNG Tools

    View Slide

  18. © 2014 Nebula, Inc. All rights reserved.
    Storage  
    Email  
    LDAP  
    NTP  
    VLAN  Tunnels  
    SIEM  
    DNS  
    PKI  

    View Slide

  19. © 2014 Nebula, Inc. All rights reserved.
    Email:  [email protected]  
    TwiYer:  @bdpsecurity  

    View Slide