1. OpenStack Security A Primer

2. Me: Joshua McKenty Twitter: @jmckenty Email: joshua@pistoncloud.com Former Chief Architect, NASA Nebula Founding Member, OpenStack OpenStack Project Policy Board

3. “If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.” – Bruce Schneier

5. The Three Pillars of Security

6. “Bonus” Security Pillar Forensics

7. Real Security Assume everything goes wrong, even impossible things.

8. FIPS 199 Definition: Confidentiality Integrity Availability Defining Security

9. Defining Vulnerability

10. Build on “Shared Nothing” to achieve “Trust No One” Also known as “Defense in Depth” AUTOMATE EVERYTHING “Fat Fingers” == Plausible Deniability Automated == non-repudiable change control Build to the OSI 7-layer model

11. Layer 1

12. Lock your doors Do your background checks Use separate physical networks for admin Network model and management Use RFC 1918 address space when appropriate Use VLANs if necessary Firewall every machine (ebtables, iptables) Border firewalls (port and protocol level) Layer 1, 2 and 3

13. Never assume it’s bilateral

14. Control system access Best case: no host-based shell access AT ALL. Second-best: federated AUTH with 2-factor, keys only Worstcase: Host-level root login with passwords Run IDS – on hosts and guests Scan Continuously – hosts and guests, on all networks Proactively defend – Fail2Ban, etc. ( F2B-a-a-S) Layer 4, 5, 6 and 7

15. Don't trust the hypervisor (TXT / TPM) Conversely, don't trust the VM (blue-pill exploits, etc.) Host-based FW within the VM (CloudPassage "Halo") Access-control for VMs – same approaches apply (Auth-as-a-Service) Layer ‘V’

16. “Proof” and Policy In God We Trust – All Others, Bring Data.

18. Classic best practices – redundant, off-site log servers Log aggregation and analysis / event detection Logging-as-a-Service Log early, log often

19. Make and verify your assertions (Coming soon…) CloudAudit

20. Did you remember to delete his account?

21. Security Theatre “Given enough hand-waving, all systems are secure.”

23. Crypto is useless – if keys are stored with the data Private networks are useless – if doors aren’t locked Certification only proves that you’re doing, what you said you were going to do. You can still be wrong. Forget “Trust, but verify”. Just don’t trust. Don’t get confused!

24. Bonus: Forensics It’s not an “If” – it’s a “When”

25. Have a chaos-monkey of compromise Can you perform forensics and remediation, without impacting other users of your cloud? Spanning ports and extra storage “Graveyard” for recently deleted images, instances Bonus Section: Forensics

26. What’s in the CloudPipe? “We can only see a short distance ahead, but we can see plenty there that needs to be done.” – Alan Turing

27. The Machine Aka “Sneaky Monkey” Continuous Integration of penetration and vulnerability testing.

28. We’re doing “stuff” No… really. Hardening

29. Outfoxing the fox Intel is working with many companies within OpenStack, including Piston. Trusted Execution

30. Questions?

31. Matt Linton – Nebula CSO Jesse Andrews – AnsoLabs Founder Soo Choi – 7120.7 Nazi Matt Chew- Spence – FIPS 199 Guru Keith Shackleford and James Williams Chris Kemp Bobby Cates, Dave Swagger, E. Lopez, Grace De Leon, Guy with Gun #1, Guy with Gun #2… Credits