This document discusses using Red Hat OpenStack Platform and micro-segmentation to securely deploy financial services clouds. It covers common OpenStack security challenges, how Red Hat OpenStack Platform addresses them through automation and templates, and how micro-segmentation provides isolation and strict access controls. The presentation closes with a demo of micro-segmentation, using virtual domains to separate workloads and apply fine-grained security policies.
5. Agenda
Common OpenStack Infrastructure Security Challenges
Addressing Challenges with Red Hat OpenStack Platform Director
Addressing Challenges with Red Hat CloudForms
6. OpenStack Infrastructure Security
Common Challenges
Many Manual Tasks
Infrastructure Secured Post Deployment
Detecting Change and Enforcing Policy
Maintaining Secure Configuration and Policy
When Upgrading and Scaling
7. OPENSTACK PLATFORM DIRECTOR: DAY 1 + SCALING/UPGRADING
Director is included in Red Hat OpenStack Platform
CLOUDFORMS: DAY 2 + LIFECYCLE
CloudForms is included in Red Hat OpenStack Platform
8. Red Hat OpenStack Platform Director
PLANNING: Network topology; Service parameters; Resource capacity
DEPLOYMENT: Deployment orchestration; Service configuration; Sanity checks
OPERATIONS: Updates and upgrades; Scaling up and down; Change management
Built on OpenStack Orchestration
9. OpenStack Platform Director (OSPd)
Advantages for OpenStack Security
USES OPENSTACK TO DEPLOY OPENSTACK
Concepts applicable to workloads running on OpenStack
are applicable to OpenStack itself
IMAGE BASED
Nodes installed from a customizable source image
TEMPLATE BASED
Customizable, reusable, repeatable use of Heat
templates (YAML) to install, scale, and upgrade
10. OSP Director Image Customization
Image Customization Examples for Security
KERNEL
Deploy a custom kernel build, or hardened kernel (with
validation)
PACKAGES
Deploy specific package versions or additional packages
LOCAL ACCOUNTS AND POLICIES
Define custom local accounts and SELinux configuration
11. OSP Director Template-Based Deployment
Template-Based Configuration Examples for Security
SSL/TLS ENABLED CONTROL PLANE AND ENDPOINTS
Enable transport encryption on all control plane
communication using your certificates
AAA INTEGRATION
Integrate with your AAA infrastructure (LDAP, Kerberos,
etc.)
SERVICES CONFIGURATION
Configure Logging, NTP, Monitoring Tools
13. CloudForms Compliance and Governance
ANALYZE
Automatically perform SmartState Analysis on
OpenStack Nodes and Instances (agent-less)
TRACK AND ALERT
Report on changes and drift, automatically alert based
on defined policy
REMEDIATE
Automatically kick off defined remediation or deeper
inspection actions
Example Functions
14. CloudForms SmartState Analysis
Examples of Items Tracked
PACKAGES AND FILES
Package versions, new/changed files
LOCAL USERS AND ACTIONS
User actions/commands, users and groups added or
changed
COMPONENT CHANGES
Added or changed network interfaces, storage attached,
new instances or containers running
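As an added example (not Red Hat's or CloudForms' own code), the analyze / track and alert / remediate loop described on slides 13 and 14 in Python: two constructed inventory snapshots of one node are diffed for the items the slides list (package versions, new or changed files, users and groups, added interfaces), and a defined policy maps each change to an alert severity and a named remediation action. All package names, paths, hash strings, user names and policy rules below are constructed placeholders, not output from a real system.

```python
"""Drift detection over node inventory snapshots.

Added example, not CloudForms' own code. It mirrors the analyze -> track and
alert -> remediate loop from the slides on two constructed snapshots of one
node; every value below is sample data, not output from a real system.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class Snapshot:
    """Inventory of one node at one point in time."""
    packages: Dict[str, str]       # package name -> version
    files: Dict[str, str]          # path -> content hash
    users: Set[str]
    groups: Dict[str, Set[str]]    # group -> members
    interfaces: Set[str]


@dataclass
class Change:
    category: str                  # package | file | user | group | interface
    item: str
    before: str
    after: str


def _diff_map(category: str, old: Dict[str, str], new: Dict[str, str]) -> List[Change]:
    """Keys whose value differs, appeared, or disappeared between two maps."""
    out = []
    for key in sorted(set(old) | set(new)):
        b, c = old.get(key, "absent"), new.get(key, "absent")
        if b != c:
            out.append(Change(category, key, b, c))
    return out


def _diff_set(category: str, old: Set[str], new: Set[str]) -> List[Change]:
    """Members present in exactly one of the two sets."""
    return [Change(category, key,
                   "present" if key in old else "absent",
                   "present" if key in new else "absent")
            for key in sorted(old ^ new)]


def diff_snapshots(base: Snapshot, cur: Snapshot) -> List[Change]:
    """Every tracked item that differs between the baseline and the current scan."""
    changes = _diff_map("package", base.packages, cur.packages)
    changes += _diff_map("file", base.files, cur.files)
    changes += _diff_set("user", base.users, cur.users)
    # Flatten group membership to a sorted string so it diffs like any other map.
    groups_b = {g: ",".join(sorted(m)) for g, m in base.groups.items()}
    groups_c = {g: ",".join(sorted(m)) for g, m in cur.groups.items()}
    changes += _diff_map("group", groups_b, groups_c)
    changes += _diff_set("interface", base.interfaces, cur.interfaces)
    return changes


# Defined policy (constructed): (category, item prefix or "*", severity, action).
# First matching rule wins, so specific rules come before wildcards.
POLICY: List[Tuple[str, str, str, str]] = [
    ("file", "/etc/ssh/", "high", "reinspect-and-restore-config"),
    ("group", "wheel", "high", "reinspect-node"),
    ("user", "*", "high", "reinspect-node"),
    ("interface", "*", "medium", "notify-network-team"),
    ("file", "*", "medium", "notify-owner"),
    ("package", "*", "low", "record-only"),
]


def evaluate(changes: List[Change]) -> List[dict]:
    """Map each change to the alert and remediation action its policy rule defines."""
    alerts = []
    for ch in changes:
        for cat, prefix, severity, action in POLICY:
            if ch.category == cat and (prefix == "*" or ch.item.startswith(prefix)):
                alerts.append({"severity": severity, "action": action,
                               "detail": f"{ch.category} {ch.item}: {ch.before} -> {ch.after}"})
                break
    return alerts


def run_example() -> List[dict]:
    """Diff two constructed snapshots of one compute node and return the alerts."""
    baseline = Snapshot(
        packages={"openssh-server": "7.4p1-16", "openstack-nova-compute": "14.0.3-1"},
        files={"/etc/ssh/sshd_config": "sha256:aaa", "/etc/nova/nova.conf": "sha256:bbb"},
        users={"root", "heat-admin", "nova"},
        groups={"wheel": {"heat-admin"}},
        interfaces={"eth0", "br-ex"},
    )
    current = Snapshot(   # same node after drift: new package, edited sshd_config,
        packages={"openssh-server": "7.4p1-16", "openstack-nova-compute": "14.0.3-1",
                  "telnet-server": "1:0.17-64"},
        files={"/etc/ssh/sshd_config": "sha256:ccc", "/etc/nova/nova.conf": "sha256:bbb"},
        users={"root", "heat-admin", "nova", "svc-backup"},   # new local user,
        groups={"wheel": {"heat-admin", "svc-backup"}},        # added to wheel,
        interfaces={"eth0", "br-ex", "eth1"},                  # and a new interface
    )
    return evaluate(diff_snapshots(baseline, current))


if __name__ == "__main__":
    for alert in run_example():
        print(f"[{alert['severity']:6}] {alert['detail']}  -> {alert['action']}")
```

The sample run yields five alerts: three high (the sshd_config edit, the new user, and the wheel membership change), one medium (the new interface) and one low (the added package). Ordering the policy with specific prefixes before wildcards is what lets a file under /etc/ssh/ escalate above the generic file rule; a real deployment would load the snapshots from the scan results and the policy from a reviewed source rather than from literals.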
15. Thank you!
Please Post Questions in Webinar
Visit Red Hat at OpenStack East
August 23-24, NYC
red.ht/openstack
red.ht/cloudforms
16. Security and compliance through automation and
micro-segmentation with OpenStack and SDN
Justin Moore