Security for Private OpenStack Clouds

OpenStack Summit, Spring 2014. Private clouds are much more than just a public cloud behind a firewall. Private clouds reach into the enterprise and have deep integration with key shared infrastructure that is external to the cloud such as LDAP, Storage, VLANs, DNS, NTP, etc. Furthermore, private clouds have a different threat profile. Users may be from the same organization, but insider attacks and targeted external attacks motivate unique security solutions. https://www.youtube.com/watch?v=PAPMwGL3hkI

Bryan Payne

May 15, 2014
Transcript

  1. © 2014 Nebula, Inc. All rights reserved. (cloud) Computing for the Enterprise. Security for Private OpenStack Clouds. Bryan D. Payne, May 12, 2014
  2. “Why Security Matters In A Private Cloud”
  3. Public | Private (two-column comparison)
  4. Private Network (diagram): Internet; Storage, Email, LDAP, NTP, VLAN Tunnels, SIEM, DNS, PKI
  5. (diagram) Storage, Email, LDAP, NTP, VLAN Tunnels, SIEM, DNS, PKI
  6. (diagram, with points 1, 2, 3 marked) Storage, Email, LDAP, NTP, VLAN Tunnels, SIEM, DNS, PKI
  7. (diagram, source: OpenStack Security Guide) Threat actors plotted by Likelihood of Attack against Sophistication & Likelihood of Exploitation: Intelligence Services, Serious Organized Crime, Highly Capable Groups, Motivated Individuals, Script Kiddies
  8. (attack-path diagram) Stages: Initial Access, Touch Cloud, Exploit Cloud, Exploit Enterprise. Nodes: Spear Phishing, Compromise User System, Compromise Instance, VM Breakout, API Vuln, Dashboard Vuln, Access Cloud As Admin, Access Cloud As Outsider, Access Cloud As User, View Other Instances, Abuse Cloud Resources, View Data In Cloud, Modify LDAP, View External Data, Follow VLANs into Corp Net
  9. Known hardware and software + Orchestration = Security Opportunity
  10. (architecture diagram) External; Cloud Users / Administrators; Cloud Operators; API Endpoints; Web Dashboard; Management and Control Plane Services; Guest, Management and Data networks; Compute Nodes running Instances; Storage Nodes
  11. OpenStack Projects: “The Glue”
  12. Cloud Attack Vectors and Mitigation Strategies
      API Endpoints        Service hardening, mandatory access controls, code audits
      Web Dashboard        CSP, expected domains, HTTPS, HSTS, allowed referrers
      Information Leakage  SSL/TLS, disable memory dedup, randomize resource assign
      VM Breakout          Service hardening, mandatory access controls, code audits
      Hardware Sharing     Avoid bare metal instances, avoid device pass-through
      Default Images       Secure and maintain default images
      Secondary Attacks    Least priv, mandatory access controls, SSL/TLS, strong auth
  13. Threat: Information Leakage
      •  TLS for network services
         –  API endpoints
         –  Web dashboard
         –  Log feeds
         –  AD / LDAP
         –  External Storage
      •  Cross-VM attacks (timing, cache effects, etc.)
  14. Threat: VM Breakout
      •  Mandatory access controls
         –  SELinux + KVM (sVirt)
      •  Build hardening
         –  Remove unused device models from QEMU
         –  Compiler hardening flags
      •  General Node Hardening
         –  De-privilege node, with respect to cloud
         –  Boot + Runtime attestation, SELinux, etc.
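As an added illustration of the sVirt point in slide 14 (this is not code from the talk or from Nebula), the following Python script audits SELinux process contexts taken from `ps -eZ` output: every QEMU guest should run under an sVirt confined type with its own pair of MCS categories, because two guests that share a label are not separated from each other by SELinux, and a guest running unconfined is not separated from the host at all. The `ps -eZ` sample is constructed, and the guest command names and confined type names are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample of `ps -eZ` output from a compute node (not a real capture).
SAMPLE_PS_EZ = """\
LABEL                                         PID TTY          TIME CMD
system_u:system_r:virtd_t:s0-s0:c0.c1023     1011 ?        00:00:02 libvirtd
system_u:system_r:svirt_t:s0:c57,c819        2040 ?        00:01:12 qemu-kvm
system_u:system_r:svirt_t:s0:c402,c633       2141 ?        00:00:48 qemu-kvm
system_u:system_r:svirt_t:s0:c57,c819        2233 ?        00:00:09 qemu-kvm
system_u:system_r:unconfined_t:s0-s0:c0.c1023 2310 ?        00:00:03 qemu-system-x86_64
"""

# Assumed for the example: process names that represent guests, and the
# SELinux types libvirt's sVirt driver assigns to confined guests.
GUEST_CMDS = {"qemu-kvm", "qemu-system-x86_64"}
CONFINED_TYPES = {"svirt_t", "svirt_tcg_t"}

PS_LINE_RE = re.compile(r"^(?P<label>\S+)\s+(?P<pid>\d+)\s+\S+\s+\S+\s+(?P<cmd>\S+)$")
MCS_PAIR_RE = re.compile(r"^s0:c\d+,c\d+$")


def parse_processes(ps_output):
    """Yield (pid, selinux_context, command) for each data line of `ps -eZ`."""
    for line in ps_output.splitlines()[1:]:  # first line is the column header
        m = PS_LINE_RE.match(line.strip())
        if m:
            yield int(m.group("pid")), m.group("label"), m.group("cmd")


def split_context(context):
    """Split user:role:type:level; the level itself may contain colons."""
    parts = context.split(":", 3)
    if len(parts) != 4:
        raise ValueError(f"unexpected SELinux context: {context}")
    return parts


def audit_svirt(ps_output):
    """Return a list of (pid_or_pids, reason) findings for guest processes."""
    findings = []
    guests_by_level = defaultdict(list)
    for pid, context, cmd in parse_processes(ps_output):
        if cmd not in GUEST_CMDS:
            continue
        _user, _role, stype, level = split_context(context)
        if stype not in CONFINED_TYPES:
            findings.append((pid, f"guest runs as {stype}, not an sVirt confined type"))
        elif not MCS_PAIR_RE.match(level):
            findings.append((pid, f"guest lacks per-instance MCS categories: {level}"))
        else:
            guests_by_level[level].append(pid)
    # Two guests with the same categories can reach each other's resources.
    for level, pids in guests_by_level.items():
        if len(pids) > 1:
            findings.append((tuple(pids), f"guests share MCS label {level}"))
    return findings


if __name__ == "__main__":
    for who, reason in audit_svirt(SAMPLE_PS_EZ):
        print(f"{who}: {reason}")
```

On a real node the same check is run by piping `ps -eZ` output into `audit_svirt`; the two findings from the constructed sample (an unconfined guest and two guests with identical categories) are exactly the conditions under which the mandatory access control layer on that slide stops helping.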
  15. Threat: Control Plane Compromise
      •  Layers of Security
         –  Firewall (bi-directional on control plane)
         –  Limit propagation of sensitive data
         –  Unique secrets everywhere
         –  Audit network service interface bindings
         –  TLS, SELinux, boot + runtime attestation
      •  Primary Focus: Limit damage from a bad actor on the control plane
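The "audit network service interface bindings" item on slide 15, as an added example that is not part of the talk: this Python script parses `ss -lntp` output from a controller node and flags control-plane services that listen on every interface or on an address outside the management network, which is how a database or message broker ends up reachable from a network it was never meant to serve. The sample `ss` output, the management subnet 10.20.0.0/24 and the set of ports allowed to face users are constructed assumptions for the example.

```python
import ipaddress
import re

# Constructed sample of `ss -lntp` output on a controller node (not a real capture).
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port   Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22           0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      128    0.0.0.0:3306         0.0.0.0:*         users:(("mysqld",pid=1450,fd=20))
LISTEN 0      128    10.20.0.11:5672      0.0.0.0:*         users:(("beam.smp",pid=1602,fd=9))
LISTEN 0      128    127.0.0.1:11211      0.0.0.0:*         users:(("memcached",pid=1701,fd=26))
LISTEN 0      128    [::]:5000            [::]:*            users:(("apache2",pid=1900,fd=4))
LISTEN 0      128    192.0.2.11:35357     0.0.0.0:*         users:(("apache2",pid=1900,fd=6))
"""

# Assumptions for the example: the management subnet of this cloud and the
# only ports that are meant to be reachable from outside it.
MGMT_NET = ipaddress.ip_network("10.20.0.0/24")
PUBLIC_PORTS = {22, 5000}
WILDCARDS = {"0.0.0.0", "::", "*"}

LISTEN_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+users:\(\("(?P<proc>[^"]+)"'
)


def parse_listeners(ss_output):
    """Yield (process, local_address, port) for each listening TCP socket."""
    for line in ss_output.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            yield m.group("proc"), m.group("addr").strip("[]"), int(m.group("port"))


def classify(addr, mgmt_net):
    """Where a bound address sits: wildcard, loopback, management, or other."""
    if addr in WILDCARDS:
        return "wildcard"
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback"
    if ip in mgmt_net:
        return "management"
    return "other"


def audit_bindings(ss_output, mgmt_net=MGMT_NET, public_ports=PUBLIC_PORTS):
    """Return (process, port, reason) for services exposed beyond the management network."""
    findings = []
    for proc, addr, port in parse_listeners(ss_output):
        if port in public_ports:
            continue  # expected to face users; out of scope for this check
        where = classify(addr, mgmt_net)
        if where == "wildcard":
            findings.append((proc, port, f"listens on every interface ({addr})"))
        elif where == "other":
            findings.append((proc, port, f"bound to non-management address {addr}"))
    return findings


if __name__ == "__main__":
    for proc, port, reason in audit_bindings(SAMPLE_SS):
        print(f"{proc}:{port} {reason}")
```

The check deliberately treats loopback and management-network bindings as acceptable and everything else as a finding; in the constructed sample that catches the database listening on all interfaces and the admin API bound to an address outside the management subnet, while the public-facing API and SSH pass. Pair it with the bi-directional firewall from the same slide: the firewall limits what can reach a misbound service, and this audit removes the misbinding itself.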
  16. Threat: Vulnerabilities Upstream
      •  Targeted security audits
         –  Work closely with OpenStack and Linux communities
      •  Aggressive security update policies
         –  Cloud-specific triage process
         –  Be prepared to test and roll out quickly
  17. Threat: Poor Entropy for Instances
      •  Mix entropy from multiple sources
         –  Hardware generated from multiple vendors
      •  Distribute securely / fairly
         –  Entropy stream distributed throughout cloud
         –  Available to all instances, using RNG Tools
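An added example (not Nebula's implementation) of the "mix entropy from multiple sources" idea on slide 17: each source's sample is first checked for an obvious failure (a constant or block-repeating output, a crude cousin of the repetition-count test used in continuous health testing, not a replacement for it), and the healthy samples are then hashed together so that the resulting seed stays unpredictable as long as at least one accepted source is. The source samples are constructed; in a deployment they would be read from hardware RNG devices of different vendors before the pool is distributed to instances.

```python
import hashlib
import os
import struct


class SourceError(Exception):
    """Raised when an entropy source fails its health check or none remain."""


def check_source(name, sample, block=16):
    """Reject a sample that is obviously stuck: a constant stream or one
    block repeated over and over.  A source that passes is not thereby
    proven good; this only catches the failure modes that are cheap to see."""
    if len(sample) < 4 * block:
        raise SourceError(f"{name}: sample too short to judge")
    blocks = {sample[i:i + block] for i in range(0, len(sample), block)}
    if len(blocks) == 1:
        raise SourceError(f"{name}: output is stuck on one repeating block")
    if len(set(sample)) <= 2:
        raise SourceError(f"{name}: only {len(set(sample))} distinct byte values")


def mix_entropy(samples, min_healthy=1):
    """Hash the healthy samples into a 32-byte seed.

    Each source is named and length-prefixed so that no rearrangement of
    inputs collides; a stuck source is dropped rather than allowed to dilute
    the pool, and the seed stays unpredictable as long as one accepted source
    is.  Returns (seed, names_of_rejected_sources); raises if too few sources
    are healthy, because seeding from nothing is worse than not seeding.
    """
    accepted, rejected = [], []
    for name in sorted(samples):
        try:
            check_source(name, samples[name])
            accepted.append((name, samples[name]))
        except SourceError:
            rejected.append(name)
    if len(accepted) < min_healthy:
        raise SourceError("too few healthy entropy sources; refusing to seed")
    h = hashlib.sha256()
    for name, sample in accepted:
        encoded = name.encode()
        h.update(struct.pack(">I", len(encoded)) + encoded)
        h.update(struct.pack(">I", len(sample)) + sample)
    return h.digest(), rejected


if __name__ == "__main__":
    # Constructed sources: one live read from the OS pool, one deliberately
    # stuck "vendor" device, and a fixed byte pattern standing in for a TPM.
    sources = {
        "os_urandom": os.urandom(64),
        "vendor_rng": b"\x41" * 64,
        "tpm": bytes(range(64)),
    }
    seed, rejected = mix_entropy(sources)
    print("seed:", seed.hex())
    print("rejected:", rejected)
```

The point of the health check is the failure mode the slide is guarding against: one vendor's device wedging into a constant stream should cost you that source, not the quality of every instance's seed. Raising `min_healthy` to 2 enforces the "multiple vendors" requirement at seeding time instead of leaving it to deployment discipline.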
  18. (diagram) Storage, Email, LDAP, NTP, VLAN Tunnels, SIEM, DNS, PKI
  19. Email: bryan.payne@nebula.com
      Twitter: @bdpsecurity