Security for Private OpenStack Clouds

Transcript

1. © 2014 Nebula, Inc. All rights reserved. (cloud) Computing for

   the Enterprise Security for Private OpenStack Clouds Bryan D. Payne May 12, 2014

2. © 2014 Nebula, Inc. All rights reserved. “Why  Security  Ma/ers

    In  A  Private  Cloud”  

3. © 2014 Nebula, Inc. All rights reserved. Public   Private

    

4. © 2014 Nebula, Inc. All rights reserved. Private  Network  

   Internet   Storage   Email   LDAP   NTP   VLAN  Tunnels   SIEM   DNS   PKI  

5. © 2014 Nebula, Inc. All rights reserved. Storage   Email

     LDAP   NTP   VLAN  Tunnels   SIEM   DNS   PKI  

6. © 2014 Nebula, Inc. All rights reserved. Storage   Email

     LDAP   NTP   VLAN  Tunnels   SIEM   DNS   PKI   1   2   3  

7. © 2014 Nebula, Inc. All rights reserved. Intelligence   Services

     Serious  Organized  Crime   Highly  Capable  Groups   MoFvated  Individuals   Script  Kiddies   Likelihood  of  A,ack   Sophis2ca2on  &   Likelihood  of   Exploita2on   Source:  OpenStack  Security  Guide  

8. © 2014 Nebula, Inc. All rights reserved. Compromise   User

    System   VM  Breakout   API  Vuln   Dashboard   Vuln   Access  Cloud   As  Admin   Access  Cloud   As  Outsider   Access  Cloud   As  User   View  Other   Instances   Abuse  Cloud   Resources   View  Data  In   Cloud   View  Data  In   Cloud   Modify  LDAP   View   External  Data   Follow  VLANs   into  Corp  Net   Spear   Phishing   IniMal  Access   Touch  Cloud   Exploit  Cloud   Exploit  Enterprise   Compromise   Instance  

9. © 2014 Nebula, Inc. All rights reserved. Known  hardware  

   and  soIware   OrchestraFon   +   =   Security   Opportunity  

10. © 2014 Nebula, Inc. All rights reserved. API Endpoints Web

    Dashboard Compute Node Compute Node Storage Node Storage Node Guest Management Data Management and Control Plane Services Cloud Users / Administrators Cloud Operators Instance Instance Instance Instance External

11. © 2014 Nebula, Inc. All rights reserved. OpenStack  Projects  

    “The  Glue”  

12. © 2014 Nebula, Inc. All rights reserved. Cloud  A/ack  Vectors

      MiFgaFon  Strategies   API  Endpoints   Service  hardening,  mandatory  access  controls,  code  audits   Web  Dashboard   CSP,  expected  domains,  HTTPS,  HSTS,  allowed  referrers   InformaMon  Leakage   SSL/TLS,  disable  memory  dedup,  randomize  resource  assign   VM  Breakout   Service  hardening,  mandatory  access  controls,  code  audits   Hardware  Sharing   Avoid  bare  metal  instances,  avoid  device  pass-­‐through   Default  Images   Secure  and  maintain  default  images   Secondary  AYacks   Least  priv,  mandatory  access  controls,  SSL/TLS,  strong  auth  

13. © 2014 Nebula, Inc. All rights reserved. Threat: Information Leakage

    •  TLS for network services –  API endpoints –  Web dashboard –  Log feeds –  AD / LDAP –  External Storage •  Cross-VM attacks (timing, cache effects, etc)

14. © 2014 Nebula, Inc. All rights reserved. Threat: VM Breakout

    •  Mandatory access controls –  SELinux + KVM (SVirt) •  Build hardening –  Remove unused device models from QEMU –  Compiler hardening flags •  General Node Hardening –  De-privilege node, with respect to cloud –  Boot + Runtime attestation, SELinux, etc

15. © 2014 Nebula, Inc. All rights reserved. Threat: Control Plane

    Compromise •  Layers of Security –  Firewall (bi-directional on control plane) –  Limit propagation of sensitive data –  Unique secrets everywhere –  Audit network service interface bindings –  TLS, SELinux, boot + runtime attestation •  Primary Focus: Limit damage from a bad actor on the control plane

16. © 2014 Nebula, Inc. All rights reserved. Threat: Vulnerabilities Upstream

    •  Targeted security audits –  Work closely with OpenStack and Linux communities •  Aggressive security update policies –  Cloud-specific triage process –  Be prepared to test and rollout quickly

17. © 2014 Nebula, Inc. All rights reserved. Threat: Poor Entropy

    for Instances •  Mix entropy from multiple sources –  Hardware generated from multiple vendors •  Distribute securely / fairly –  Entropy stream distributed throughout cloud –  Available to all instances, using RNG Tools

18. © 2014 Nebula, Inc. All rights reserved. Storage   Email

      LDAP   NTP   VLAN  Tunnels   SIEM   DNS   PKI  

19. © 2014 Nebula, Inc. All rights reserved. Email:  [email protected]  

    TwiYer:  @bdpsecurity