openstack - security professionals information exchange
A presentation to the Security Professionals Information Exchange in Calgary on Nov. 24, 2011.
Infrastructure as a Service
An Introduction to OpenStack
Agenda
• Introductions
• Cybera
• Infrastructure as a Service
• OpenStack
• Security Landscape
• Other Technologies
• Methodologies
• Questions
Tech Adoption Curve
Amazon Web Services
OpenStack
“To produce the ubiquitous Open Source cloud computing platform that will meet the needs of public and private cloud providers regardless of size, by being simple to implement and massively scalable.”
OpenStack Object Storage
OpenStack Object Storage Architecture
OpenStack Image Service
OpenStack Compute
OpenStack Compute Architecture
OpenStack Security Fundamentals
• Keypairs
– Allows ssh access to your instance
– Name
– Public key
– Private key
– 1024 bit
– “Injected” into VM
• Security Groups
– Firewall
– Name
– Port
– IP range
– Protocol
– Live outside VM
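As an added illustration (not part of the slides and not OpenStack's own code), a small Python model of what a security group does outside the VM: rules keyed by protocol, port range and source IP range, with default deny when nothing matches, plus a check that flags rules exposing admin ports to every address. The group, rules and packets below are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    protocol: str    # "tcp", "udp" or "icmp"
    from_port: int   # for icmp this is the type; -1 means any
    to_port: int
    cidr: str        # source IP range allowed to reach the instance


@dataclass
class SecurityGroup:
    name: str
    rules: list

    def allows(self, protocol, src_ip, port):
        """Hypervisor-side decision for one inbound packet: first matching rule wins."""
        src = ipaddress.ip_address(src_ip)
        for r in self.rules:
            if r.protocol != protocol.lower():
                continue
            if src not in ipaddress.ip_network(r.cidr, strict=False):
                continue
            if r.from_port == -1 or r.from_port <= port <= r.to_port:
                return True
        return False  # no rule matched: default deny


def audit(group, admin_ports=(22, 3389)):
    """Defender check: report TCP rules that open an admin port to 0.0.0.0/0."""
    findings = []
    for r in group.rules:
        world = ipaddress.ip_network(r.cidr, strict=False).prefixlen == 0
        if r.protocol == "tcp" and world and any(r.from_port <= p <= r.to_port for p in admin_ports):
            findings.append(f"{group.name}: tcp/{r.from_port}-{r.to_port} open to {r.cidr}")
    return findings


# Constructed group: ssh only from the private range, web and ping from anywhere.
WEB = SecurityGroup("web", [
    Rule("tcp", 22, 22, "10.0.0.0/8"),
    Rule("tcp", 80, 80, "0.0.0.0/0"),
    Rule("icmp", -1, -1, "0.0.0.0/0"),
])

# Constructed packets as (protocol, source IP, destination port or icmp type).
SAMPLE_PACKETS = [("tcp", "10.1.2.3", 22), ("tcp", "203.0.113.9", 22),
                  ("tcp", "203.0.113.9", 80), ("udp", "10.1.2.3", 53)]

if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        print(p, "ALLOW" if WEB.allows(*p) else "DROP")
    print(audit(WEB) or "no world-exposed admin ports")
```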
OpenStack Security Fundamentals
• HTTPS
• VLANManager mode
– VLAN and bridge for each project
– Requires a switch that supports VLAN tagging
– Private IPs that are only accessible from inside the VLAN
• Floating IPs
• VPN
– A special VPN instance (cloudpipe) needs to be created
– Certificate and key for the user to access the VPN
– Haven’t put this to use yet
Open Security Architecture: Cloud Computing Pattern
• Cloud Computing Pattern
• Controls
IaaS Security Best Practices
• AWS Security Best Practices
– Protect your data in transit
– Protect your data at rest
– Protect your AWS credentials
– Manage multiple Users and their permissions with IAM
– Secure your application
IaaS Security Best Practices
• Twenty Rules for Amazon Cloud Security
– Encrypt all network traffic.
– Use only encrypted file systems for block devices and non-root local devices.
– Encrypt everything you put in S3 using strong encryption…
• Key Security Issues for the Amazon Cloud
– Amazon is in control of your data.
– The Amazon S3 cloud storage infrastructure is weakly secured.
– Perimeter security in the cloud is very different…
OpenStack Vulnerability Management
• wiki.openstack.org/VulnerabilityManagement
• The OpenStack vulnerability management team is responsible for coordinating the progressive disclosure of a vulnerability.
• Classification
– Critical, Normal, Low
• Process
– From encrypted email
– From Launchpad bug entry
– Coordinated disclosure
OpenStack Community
OpenStack Projects
• DAIR
– www.canarie.ca/en/dair-program/about
– github.com/canarie/dair
• Cloud-Enabled Space Weather Platform
– www.ceswp.ca
• NeCTAR
– www.nectar.org.au
Other Technologies
• Virtual Computing Lab
• StarCluster
• Moodle
• Nagios & collectd
• Puppet
• KVM
• Python & Django
• Groovy & Grails
• Git
• Ubuntu & CentOS
• NoMachine
DevOps
• In a DevOps environment, developers and sysadmins build relationships, processes, and tools that allow them to better interact and ultimately better service the customer.
• DevOps is also more than just software deployment – it’s a whole new way of thinking about cooperation and coordination between the people who make the software and the people who run it.
• Infrastructure as Code
Scrum
• Agile
• Iterative (sprints)
• Focused on delivery and feedback
• Customer collaboration
Tech Radar
Confucius Sez
“Real knowledge is to know the extent of one’s ignorance.”
Questions?
• slideshare.net/cybera/openstack-security-professionals-information-exchange
• cybera.ca
• cybera.ca/tech-radar
• cybera.ca/tech-radar/getting-started-with-cloud-openstack-cybera
• groups.google.com/group/cybera-tech-radar