Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Security for Private OpenStack Clouds

Bryan Payne
May 15, 2014
Technology
0
85

Security for Private OpenStack Clouds

OpenStack Summit, Spring 2014. Private clouds are much more than just a public cloud behind a firewall. Private clouds reach into the enterprise and have deep integration with key shared infrastructure that is external to the cloud such as LDAP, Storage, VLANs, DNS, NTP, etc. Furthermore, private clouds have a different threat profile. Users may be from the same organization, but insider attacks and targeted external attacks motivate unique security solutions. https://www.youtube.com/watch?v=PAPMwGL3hkI

Bryan Payne

May 15, 2014
Tweet

More Decks by Bryan Payne

See All by Bryan Payne
How To Have Impact In Security: Stories About Risk Reduction At Scale
bdpayne
0
2
Fail, Learn, Fix: Improving Security The Old-Fashioned Way
bdpayne
0
270
BLESS: Better Security and Ops for SSH Access
bdpayne
3
750
Securing Containers the Netflix Way
bdpayne
1
2.4k
PKI at Scale Using Short-Lived Certificates
bdpayne
0
880
Platform Security Jobs at Netflix
bdpayne
0
880
Improving Cloud Security with Attacker Profiling
bdpayne
2
830
Key Management in AWS: How Netflix Secures Sensitive Data Without Its Own Data Center
bdpayne
4
1.9k
Security at Different Layers of Abstractions: Application, Operating Systems, and Hardware
bdpayne
0
210

Other Decks in Technology

See All in Technology
「経験の点」の位置を意識したキャリア形成 / Career development with an awareness of the “point of experience” position
pauli
4
110
QA/SDETの現在と、これからの挑戦
imtnd
0
150
PicoRabbit: a Tiny Presentation Device Powered by Ruby
harukasan
PRO
2
260
テストって楽しい!開発を加速させるテストの魅力 / Testing is Fun! The Fascinating of Testing to Accelerate Development
aiandrox
0
120
読んで学ぶ Amplify Gen2 / Amplify と CDK の関係を紐解く #jawsug_tokyo
tacck
PRO
1
260
持続可能なドキュメント運用のリアル: 1年間の成果とこれから
akitok_
1
230
PostgreSQL Log File Mastery: Optimizing Database Performance Through Advanced Log Analysis
shiviyer007
PRO
1
140
【Oracle Cloud ウェビナー】ご希望のクラウドでOracle Databaseを実行〜マルチクラウド・ソリューション徹底解説〜
oracle4engineer
PRO
1
120
PdM採用とAIの製品活用を同時に頑張ってみた話 / EM oasis 20250418
rakus_dev
0
120
AWS全冠芸人が見た世界 ~資格取得より大切なこと~
masakiokuda
5
6.5k
ビジネスとデザインとエンジニアリングを繋ぐために 一人のエンジニアは何ができるか / What can a single engineer do to connect business, design, and engineering?
kaminashi
2
680
Bazel for Ruby (RubyKaigi 2025)
p0deje
0
130

Featured

See All Featured
Build The Right Thing And Hit Your Dates
maggiecrowley
35
2.7k
Raft: Consensus for Rubyists
vanstee
137
6.9k
A Tale of Four Properties
chriscoyier
158
23k
Intergalactic Javascript Robots from Outer Space
tanoku
270
27k
Practical Orchestrator
shlominoach
187
11k
Measuring & Analyzing Core Web Vitals
bluesmoon
7
400
Embracing the Ebb and Flow
colly
85
4.7k
Why Our Code Smells
bkeepers
PRO
336
57k
XXLCSS - How to scale CSS and keep your sanity
sugarenia
248
1.3M
Gamification - CAS2011
davidbonilla
81
5.2k
Stop Working from a Prison Cell
hatefulcrawdad
268
20k
Build your cross-platform service in a week with App Engine
jlugia
230
18k

Transcript

  1. © 2014 Nebula, Inc. All rights reserved. (cloud) Computing for

    the Enterprise Security for Private OpenStack Clouds Bryan D. Payne May 12, 2014

  2. © 2014 Nebula, Inc. All rights reserved. “Why  Security  Ma/ers

     In  A  Private  Cloud”  

  3. © 2014 Nebula, Inc. All rights reserved. Public   Private

     

  4. © 2014 Nebula, Inc. All rights reserved. Private  Network  

    Internet   Storage   Email   LDAP   NTP   VLAN  Tunnels   SIEM   DNS   PKI  

  5. © 2014 Nebula, Inc. All rights reserved. Storage   Email

      LDAP   NTP   VLAN  Tunnels   SIEM   DNS   PKI  

  6. © 2014 Nebula, Inc. All rights reserved. Storage   Email

      LDAP   NTP   VLAN  Tunnels   SIEM   DNS   PKI   1   2   3  

  7. © 2014 Nebula, Inc. All rights reserved. Intelligence   Services

      Serious  Organized  Crime   Highly  Capable  Groups   MoFvated  Individuals   Script  Kiddies   Likelihood  of  A,ack   Sophis2ca2on  &   Likelihood  of   Exploita2on   Source:  OpenStack  Security  Guide  

  8. © 2014 Nebula, Inc. All rights reserved. Compromise   User

     System   VM  Breakout   API  Vuln   Dashboard   Vuln   Access  Cloud   As  Admin   Access  Cloud   As  Outsider   Access  Cloud   As  User   View  Other   Instances   Abuse  Cloud   Resources   View  Data  In   Cloud   View  Data  In   Cloud   Modify  LDAP   View   External  Data   Follow  VLANs   into  Corp  Net   Spear   Phishing   IniMal  Access   Touch  Cloud   Exploit  Cloud   Exploit  Enterprise   Compromise   Instance  

  9. © 2014 Nebula, Inc. All rights reserved. Known  hardware  

    and  soIware   OrchestraFon   +   =   Security   Opportunity  

  10. © 2014 Nebula, Inc. All rights reserved. API Endpoints Web

    Dashboard Compute Node Compute Node Storage Node Storage Node Guest Management Data Management and Control Plane Services Cloud Users / Administrators Cloud Operators Instance Instance Instance Instance External

  11. © 2014 Nebula, Inc. All rights reserved. OpenStack  Projects  

    “The  Glue”  

  12. © 2014 Nebula, Inc. All rights reserved. Cloud  A/ack  Vectors

      MiFgaFon  Strategies   API  Endpoints   Service  hardening,  mandatory  access  controls,  code  audits   Web  Dashboard   CSP,  expected  domains,  HTTPS,  HSTS,  allowed  referrers   InformaMon  Leakage   SSL/TLS,  disable  memory  dedup,  randomize  resource  assign   VM  Breakout   Service  hardening,  mandatory  access  controls,  code  audits   Hardware  Sharing   Avoid  bare  metal  instances,  avoid  device  pass-­‐through   Default  Images   Secure  and  maintain  default  images   Secondary  AYacks   Least  priv,  mandatory  access  controls,  SSL/TLS,  strong  auth  

  13. © 2014 Nebula, Inc. All rights reserved. Threat: Information Leakage

    •  TLS for network services –  API endpoints –  Web dashboard –  Log feeds –  AD / LDAP –  External Storage •  Cross-VM attacks (timing, cache effects, etc)

  14. © 2014 Nebula, Inc. All rights reserved. Threat: VM Breakout

    •  Mandatory access controls –  SELinux + KVM (SVirt) •  Build hardening –  Remove unused device models from QEMU –  Compiler hardening flags •  General Node Hardening –  De-privilege node, with respect to cloud –  Boot + Runtime attestation, SELinux, etc

  15. © 2014 Nebula, Inc. All rights reserved. Threat: Control Plane

    Compromise •  Layers of Security –  Firewall (bi-directional on control plane) –  Limit propagation of sensitive data –  Unique secrets everywhere –  Audit network service interface bindings –  TLS, SELinux, boot + runtime attestation •  Primary Focus: Limit damage from a bad actor on the control plane

  16. © 2014 Nebula, Inc. All rights reserved. Threat: Vulnerabilities Upstream

    •  Targeted security audits –  Work closely with OpenStack and Linux communities •  Aggressive security update policies –  Cloud-specific triage process –  Be prepared to test and rollout quickly

  17. © 2014 Nebula, Inc. All rights reserved. Threat: Poor Entropy

    for Instances •  Mix entropy from multiple sources –  Hardware generated from multiple vendors •  Distribute securely / fairly –  Entropy stream distributed throughout cloud –  Available to all instances, using RNG Tools

  18. © 2014 Nebula, Inc. All rights reserved. Storage   Email

      LDAP   NTP   VLAN  Tunnels   SIEM   DNS   PKI  

  19. © 2014 Nebula, Inc. All rights reserved. Email:  [email protected]  

    TwiYer:  @bdpsecurity