1 Security on OpenStack 11/7/2013 Brian Chong – Global Technology Strategist.


Agenda
What is Symantec doing?
Security Concepts for Grizzly Release
– Centralized Software Defined Data Center Management
– Network Segmentation
– Token/PKI Based Authentication
– Distributed Policy Management
– Auditing and Compliance
Areas of focus for Securing an OpenStack Deployment

About Symantec and Us
About Symantec
– Making the world a safer place…
– Enterprise system and data protection
– Norton branded consumer protection (not just Antivirus)
– Tackling the big problems
– Pioneered the Big Data approach to malware detection
– Significant cloud presence (Norton, MessageLabs, OCSP, etc.)
About Brian Chong
– Infrastructure Architect for our OpenStack efforts
– Security & Network Focused
– Interested in securing OpenStack at all tiers
SYMC Confidential

What is Symantec Doing?
We are building a consolidated cloud platform that provides infrastructure and platform services to host Symantec SaaS applications
– An exciting “greenfield” opportunity to re-invent our cloud infrastructure with strong executive leadership support
Our development model is to use open source components as building blocks
– Identify capability gaps and contribute back to the community
We have selected OpenStack as one of the underlying infrastructure services layers
We plan to analyze and improve the overall security posture of OpenStack components
We are starting small, but will scale to thousands of nodes across multiple data centers
Cloud Platform Engineering

Scope of Investigation
Version of OpenStack: Grizzly
Components: Nova, Neutron, Glance, Cinder, Keystone, Swift, Horizon
General:
– Database: MySQL
– AMQP: RabbitMQ
– Hypervisor: KVM
– Operating System: Ubuntu

Security on OpenStack: Traditional Model (Defense in Depth)
Diagram, layers from the outside in: Router ACLs, Load Balancer Filters, Firewall Rules, Application/Host Security

Security on OpenStack: Software Defined Data Center
Centralized Data Model for control access
– All control points are accessible by the applications that control the Data Center, for elasticity of the service
– All services have access to change the system in relatively large ways (Compute, Network, Storage) to manage service SLAs
– Layered security is now much more difficult than before, which means stronger pinpoint security is more critical than before
Host based controls become more critical
– Operating System
– Hypervisor / Virtualization Driver
– Console

Security on OpenStack: Centralized Model
Diagram: Security Sphere … Security Sphere N, each wrapping the Software Defined API behind Router ACLs, Load Balancer Filters, Firewall Rules and Application Security

Security on OpenStack: Network Segmentation
BMC and IPMI functions: Control of Hardware components
– Deny All except to specific participating Deployment Servers
Host/Admin: Control of Operating System
– Deny All except to specific Jump Servers
Service API/Messaging: Control of IaaS, Messaging & Database services and Authentication
– Deny All except to each physical interface on participating Servers
Private/Storage: VM to VM traffic and Storage or internal PaaS Services
– Controlled by local Firewall Access (iptables per host or external Firewall)
Public: External Access outside of the Cluster
– Controlled by Gateway/Load Balancer/Firewall
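The per-zone "deny all except specific servers" model above, expressed as a generated iptables ruleset. This is an added example, not Symantec's tooling or anything from the slides; the zone names, interface names, source addresses and port numbers are constructed placeholders, and only the default-deny-per-zone structure comes from the slide.

```python
"""Default-deny iptables rule generation for the network zones on the slide.

Added example, not Symantec's own tooling. The zone names, interface names,
source addresses and ports below are constructed placeholders; the only thing
taken from the slide is the "deny all except specific servers" model per zone.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class Zone:
    name: str                   # e.g. "bmc", "admin", "api", "storage"
    interface: str              # local NIC that carries this zone's traffic
    allowed_sources: List[str]  # hosts/subnets permitted to reach this zone
    tcp_ports: List[int]        # services exposed on this interface (TCP)
    udp_ports: List[int] = field(default_factory=list)


def rules_for_zone(zone: Zone) -> List[str]:
    """Per-zone chain: allow listed sources to listed ports, log and drop the rest."""
    chain = f"ZONE_{zone.name.upper()}"
    rules = [
        f"iptables -N {chain}",
        f"iptables -A INPUT -i {zone.interface} -j {chain}",
        # replies to connections the host itself opened
        f"iptables -A {chain} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for src in zone.allowed_sources:
        for port in zone.tcp_ports:
            rules.append(f"iptables -A {chain} -s {src} -p tcp --dport {port} -j ACCEPT")
        for port in zone.udp_ports:
            rules.append(f"iptables -A {chain} -s {src} -p udp --dport {port} -j ACCEPT")
    # everything else arriving in the zone is logged (for the audit pipeline) and dropped
    rules.append(f'iptables -A {chain} -j LOG --log-prefix "{chain}-DROP "')
    rules.append(f"iptables -A {chain} -j DROP")
    return rules


def build_ruleset(zones: List[Zone]) -> List[str]:
    """Whole-host ruleset: default DROP on INPUT, loopback allowed, one chain per zone."""
    rules = ["iptables -P INPUT DROP", "iptables -A INPUT -i lo -j ACCEPT"]
    for zone in zones:
        rules.extend(rules_for_zone(zone))
    return rules


def accepts(rules: List[str], src: str, proto: str, port: int) -> bool:
    """Check whether the generated ruleset contains an explicit ACCEPT for this tuple."""
    needle = f"-s {src} -p {proto} --dport {port} -j ACCEPT"
    return any(r.endswith(needle) for r in rules)


# Constructed topology (placeholders): two deployment servers may reach the BMC
# zone (HTTPS and IPMI-over-LAN on UDP 623), one jump server may reach SSH, and
# the API subnet may reach Keystone, RabbitMQ and MySQL on the service interface.
ZONES = [
    Zone("bmc", "ipmi0", ["10.0.1.10", "10.0.1.11"], [443], udp_ports=[623]),
    Zone("admin", "eth0", ["10.0.2.5"], [22]),
    Zone("api", "eth1", ["10.0.3.0/24"], [5000, 35357, 5672, 3306]),
]

if __name__ == "__main__":
    print("\n".join(build_ruleset(ZONES)))
```

Each zone gets its own chain so that the allow-list for one zone can be reviewed and diffed on its own, and the final LOG rule gives the audit pipeline a record of every rejected connection attempt on the management planes.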

Security on OpenStack: Token/PKI Based Authentication
Token Expirations (assumes Caching)
– Correlation of all changes in the distributed model with an issued Token
PKI Token Management
– Signing Certificate Expiration
– Signing Engine (HSM or SW)
– Root CA Distribution
SSL Service Management
– SSL Certificate Expiration for Services
– Root CA Distribution
– Private key generation and Management

Security on OpenStack: Distributed Policy Model
The different roles and policies are defined in Keystone, per tenant and globally
Each service has a policy.json file that lists which defined role has the capability to execute each action of that specific service
Each service node should be synchronized for its specific policy files, or a multi-service security model can be used for the same type of service
– Each upgrade has to maintain and define the new roles that are included in every release

Security on OpenStack: Distributed Policy Model
Diagram: KeyStone (Role Name, Role Definition) alongside Nova and Neutron, each with its own policy.json
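To make the two policy slides concrete, here is an added example (not OpenStack's own policy engine, and not from the presentation) that evaluates policy.json rules for a service and checks that the policy files on a fleet of nodes are synchronized. It implements only the subset of the rule language it needs (role:, rule:, is_admin:, a credential compared against a %(target)s substitution, "and"/"or", and the always/never rules "" and "!"), and the sample policy is constructed in the style of Nova's file rather than copied from a release.

```python
"""Evaluate policy.json rules and detect policy drift between service nodes.

Added example, not OpenStack's own policy engine. It implements the subset of
the policy.json rule language shown below (role:, rule:, is_admin:, a
credential compared against a %(target)s substitution, "and"/"or", and the
always/never rules "" and "!"); the sample policy is constructed in the style
of Nova's file, not copied from a release.
"""
import hashlib
import json
from collections import Counter
from typing import Dict, List


class Policy:
    def __init__(self, rules: Dict[str, str]):
        self.rules = rules

    def enforce(self, action: str, creds: dict, target: dict = None) -> bool:
        """True if creds may perform action on target; unknown actions use 'default'."""
        expr = self.rules.get(action, self.rules.get("default", "!"))
        return self._eval(expr, creds, target or {}, depth=0)

    def _eval(self, expr: str, creds: dict, target: dict, depth: int) -> bool:
        if depth > 20:  # guard against a rule that references itself
            raise RecursionError("policy rule reference loop")
        # 'and' binds tighter than 'or'
        return any(
            all(self._atom(a, creds, target, depth) for a in clause.split(" and "))
            for clause in expr.split(" or ")
        )

    def _atom(self, atom: str, creds: dict, target: dict, depth: int) -> bool:
        atom = atom.strip()
        if atom in ("", "@"):
            return True
        if atom == "!":
            return False
        kind, _, value = atom.partition(":")
        if kind == "rule":
            return self._eval(self.rules.get(value, "!"), creds, target, depth + 1)
        if kind == "role":
            return value in creds.get("roles", [])
        if kind == "is_admin":
            return bool(creds.get("is_admin", False)) == (value == "True")
        # generic check, e.g. project_id:%(project_id)s compares the caller's
        # project with the target object's project
        try:
            value = value % target
        except KeyError:
            return False
        return str(creds.get(kind)) == value


def make_creds(policy: Policy, user: str, project_id: str, roles: List[str]) -> dict:
    """Derive is_admin from the roles, the way the context_is_admin rule does."""
    creds = {"user": user, "project_id": project_id, "roles": roles, "is_admin": False}
    creds["is_admin"] = policy.enforce("context_is_admin", creds)
    return creds


def allowed_actions(policy: Policy, creds: dict, target: dict) -> List[str]:
    """Which actions this caller may run. Keys containing ':' are treated as
    actions (an assumption that matches how Nova names them, e.g. compute:start)."""
    return sorted(a for a in policy.rules if ":" in a and policy.enforce(a, creds, target))


def fingerprint(rules: Dict[str, str]) -> str:
    """Stable hash of a policy file, independent of key order and whitespace."""
    canon = json.dumps(rules, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest()


def find_drift(node_policies: Dict[str, Dict[str, str]]) -> List[str]:
    """Nodes whose policy differs from the most common one in the fleet."""
    fps = {node: fingerprint(rules) for node, rules in node_policies.items()}
    majority = Counter(fps.values()).most_common(1)[0][0]
    return sorted(node for node, fp in fps.items() if fp != majority)


# Constructed sample policy for one service, in Nova's style (not a real file)
NOVA_POLICY = {
    "context_is_admin": "role:admin",
    "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
    "default": "rule:admin_or_owner",
    "admin_api": "is_admin:True",
    "compute:create": "",
    "compute:start": "rule:admin_or_owner",
    "compute_extension:evacuate": "rule:admin_api",
}
```

The drift check is the operational half of the slide: a node whose policy.json hash differs from the rest of its service group is either mid-upgrade or misconfigured, and either way should be flagged before it serves requests with a different set of role-to-capability mappings than its peers.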

Security on OpenStack: Auditing and Compliance
Auditing
– Sources: Message Queues, Log Files, Database
– Message Queue Event Validation process
– Log Parsers for Event Handling and Threat Detection
– Database Triggers for Security Events
Compliance
– Role to Policy Validation
– Code Patching and Upgrade Versioning
– User Information (Name, Password, Roles, etc.)
– IT Mgmt (ISO 27001, FISMA, FedRAMP, etc.)
– PKI Key Management

Security on OpenStack: Auditing and Compliance
Example: Boot a Virtual Machine
– Keystone (Log, Database)
– Nova (Log, Message, Database)
– Glance (Log, Database)
– Neutron (Log, Message, Database)
– Host (Log)
– Horizon (Log, Database)
All of these events must be correlated to make sure that the proper rules and privileges were used during each command, and checked against a CMDB to validate authorization

Areas of focus for Securing an OpenStack Deployment
Message Server and Queuing
– Signing all Messages and Validating Authorization
Database Server and Instances
– Encryption of Critical Columns
Certificate Management
– Overall Management and HSM Integration
Distribution Verification
– Signed Policy Distribution and Loading into all Services
2 Factor Authentication / Single Sign On
– Token Authentication with Single Sign On through Horizon
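Two of the focus areas above, signed messages with sender authorization and signed policy distribution, share one mechanism: a signed envelope that the receiving service verifies before acting. The following added example (not OpenStack's RPC layer and not from the presentation) shows that envelope with replay protection and a per-sender authorization table, and reuses it to deliver a policy.json that a service will only load from a verified distributor. It uses HMAC-SHA256 with a per-sender shared key so it runs on the standard library alone; a PKI deployment of the kind the Token/PKI slide describes would use an X.509 signature in its place. The sender names, keys, method names and authorization table are constructed.

```python
"""Signed message envelopes for the AMQP bus, with replay protection and a
sender-authorization check; the same envelope carries a signed policy.json to
the services that load it.

Added example, not OpenStack's RPC layer. It uses HMAC-SHA256 with a per-sender
shared key (stdlib only) where a PKI deployment would use an X.509 signature
instead; sender names, keys, methods and the authorization table are constructed.
"""
import hashlib
import hmac
import json
import os
import time
from typing import Dict, Set, Tuple


def canonical(obj) -> bytes:
    """Deterministic encoding so signer and verifier hash identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign(payload: dict, sender: str, key: bytes, now: float = None, nonce: str = None) -> dict:
    """Wrap payload in an envelope carrying sender, timestamp, nonce and HMAC."""
    env = {
        "sender": sender,
        "ts": int(time.time() if now is None else now),
        "nonce": nonce or os.urandom(12).hex(),
        "payload": payload,
    }
    env["sig"] = hmac.new(key, canonical(env), hashlib.sha256).hexdigest()
    return env


class Verifier:
    def __init__(self, keys: Dict[str, bytes], authz: Dict[str, Set[str]], max_skew: int = 300):
        self.keys = keys          # sender -> shared key
        self.authz = authz        # sender -> methods it may invoke
        self.max_skew = max_skew  # seconds a message may be behind or ahead of our clock
        self.seen = set()         # accepted (sender, nonce) pairs; prune by max_skew in production

    def verify(self, env: dict, now: float = None) -> Tuple[bool, str]:
        now = time.time() if now is None else now
        sender = env.get("sender")
        key = self.keys.get(sender)
        if key is None:
            return False, "unknown sender"
        body = {k: v for k, v in env.items() if k != "sig"}
        expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(env.get("sig", ""))):
            return False, "bad signature"
        if abs(now - env["ts"]) > self.max_skew:
            return False, "stale timestamp"
        if (sender, env["nonce"]) in self.seen:
            return False, "replay"
        method = env["payload"].get("method")
        if method not in self.authz.get(sender, set()):
            return False, f"{sender} not authorized for {method}"
        self.seen.add((sender, env["nonce"]))
        return True, "ok"


def load_policy(env: dict, verifier: Verifier, now: float = None) -> dict:
    """A service loads policy.json only from a verified, authorized distributor."""
    ok, why = verifier.verify(env, now)
    if not ok:
        raise PermissionError(f"refusing policy: {why}")
    if env["payload"].get("method") != "policy.load":
        raise PermissionError("refusing policy: not a policy.load message")
    return env["payload"]["rules"]


# Constructed keys and authorization table (placeholders, not real credentials)
KEYS = {"nova-api": b"constructed-key-1", "policy-distributor": b"constructed-key-2"}
AUTHZ = {"nova-api": {"compute.start", "compute.stop"}, "policy-distributor": {"policy.load"}}
```

The checks are ordered so that a message fails on the cheapest and most decisive test first (unknown sender, then signature), and the authorization table is keyed by sender rather than by message content, so a service that can sign messages for one queue cannot use that credential to issue methods reserved for another.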

Questions?