October 15, 16, 17, 18
Thanks for attending! The OpenStack Summit was a four-day conference for developers, users, and administrators of OpenStack Cloud Software.
OpenStack is a maturing force in the Cloud ecosystem and has significant security related growing-pains. No environment is more challenging for deployment than a public cloud. Our business is to allow people to run code and place files deep within our infrastructure. With customer data touching most systems this can be a dangerous proposition in this talk I will discuss some of architectural hurdles we have had to deal with and the countermeasures we have deployed over and above what youd expect to see in a private cloud. Well walk through a security wish list that would make OpenStack the most secure Cloud platform in the world and discuss how to move in that direction.
In a number of OpenStack projects, systems communicate via a messaging/RPC mechanism. The safety and reliability of this mechanism is vital to the security of OpenStack clouds. However, this messaging layer currently relies on implicit trust based on basic network connectivity. In Grizzly, there exists a blueprint to add cryptrographic trust between systems.
Eric Windisch is currently developing this trust mechanism based on feedback from the Folsom design summit. He will highlight the requirements of a trusted messaging system and the architecture of this solution.
72% of the 21 million health care records that have been compromised in the United States since September of 2009 should have been trivially protected using comprehensive encryption of the data before being written to disk. See: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html.
A busy OpenStack compute node might spin up hundreds or thousands of instances per day. Ephemeral, block, and object storage -- each and every one of these should always be encrypted before being written to the underlying physical media. Multiple excellent file and disk encrpytion solutions exist in Linux, such as eCryptfs and dmcrypt. With cryptographic co-processor acceleration (AES-NI) available on most modern CPUs, encryption is essentially "free""
The lack of quality sources of entropy in cloud computing environment is a problem that has gained considerable attention this year, and has consequences that permeate the entire fabric of cryptography in enterprises. Virtual machines typically lack physical hardware devices that provide random noise, such as microphones, wireless adapters, or serial bus interrupts. Monitoring network interrupts generated by traffic (such as ARP requests) is one of the few sources of unpredictable input in cloud networks, but even that traffic can be somewhat scarce in some networks. Without sufficient randomness, servers routinely generate vulnerable TLS certificates and predictable RSA/DSA private SSH keys.
In this session, well discuss a draft RFC, proposing a network protocol for peer-to-peer exchange of randomness, review an open source implementation of that protocol in C, consider the results of some entropy quality tests, propose its inclusion as an OpenStack Incubator project. Well consider the opportunity for collaboration among cloud guests to interchange randomness in ways that defy predictably from outside observers, internal users, as well as offline users.
We'll also discuss other potential solutions to the problem, such as passing through Intel's new DRNG to guests, extending Nova to seed guests with better entropy through a virtio or disk device, as well as other suggestions brought by attendees.
The presentation will look into the new security challenges that network virtualization presents, and the issues faced by both traditional tools and emerging approaches in addressing these challenges. It will discuss the importance of integrating security considerations in the design and deployment of network virtualization. It will also explore the new ideas and technologies in network virtualization security offered by networking companies in the OpenStack ecosystem.
There is a growing demand from cloud service providers and consumers alike to have better transparency into the system infrastructure and hardware platform used for the services. This impacts the audit and the resultant trustworthiness of the compute environment. Methods purely based on the trusted computing (TC) based solutions have proven to be difficult to implement and scale in the last decade. However there has been continued extensive research in this area to address the challenges because of the increasing unmet need. While the original intentions of TC - to ensure trustworthiness of a platform - still hold, there is an opportunity today to simplify the implementation. The key idea is to include platform attributes in an Attribute-Based Identity Management system (IdM) to have better visibility into the platform and use it to deduce the security state of the system. Incorporating the platform attributes will enable service providers to predict the behavior of the platform and enforce policies to protect digital content. Such a trust model may also reduce the burden on the user and may allow cases for platform credentials to be sufficient avoiding the need for user credentials if they are not needed for the service. This would preserve privacy of the user, provide higher security assurance, audit based risk assessment and help in better usability of the overall cloud system.
In this presentation we will provide an architecture considerations of Platform Attribute based IdM for Cloud Identity Platform. We will show how the access control policies can leverage platform attributes for security decision making as well as a fine granular audit. We will demonstrate how this maps to key real world security, identity management and auditing process from prevalent Standards Initiatives including Cloud Security Alliance, OASIS and Open Data Center Alliance.
We would also show how this model opens doors for extended research in (1) privacy preserving cryptographic primitives that can enforce platform attribute based IdM policies; (2) real world examples of security policies based on Platform Capabilities (with or without user credentials); and (3) Scalable and seamless mutual attestation model in a cloud provider and cloud consumer environment. A better view and understanding of the hardware platform capabilities (beyond just the TPM registers) and how they integrate with an Attribute-based IdM is key to leveraging the transparency and trustworthiness advantages of the proposed model.
This talk will describe the R&D recently performed at the University of Kent to add federated identity management to OpenStack. Specifically the Keystone pipeline has been modified by adding a new middleware component that calls a discovery service and credential validation service, in order to facilitate outgoing and incoming federated access, respectively. A client library has been built that makes use of these new keystone services. Several OpenStack clients have been modified to make calls to these new library APIs, so that federated access to Keystone services is possible. The technique that has been employed is designed to be federated identity management protocol agnostic, so that different FIM systems can be plugges in such as OpenID, Oauth, SAML, PKI, Kerberos etc. The working prototype uses SAML requests and responses.
Bryan D Payne, Robert Clark
As OpenStack continues to mature, it is increasingly important for the community to be proactive in improving security. The OpenStack Security Group (OSSG) is a new effort led by Nebula and HP to bring together security professionals who can work to address this need. Our goal is to create a group that complements the Vulnerability Management Team by working to improve the security in each project's software architecture, contributing software to address security relevant blueprints and bugs, and providing cross-project security assessments. This talk will introduce the OSSG and describe some of our early success stories, while starting a conversation about the best path forward for OpenStack security.
For many of the same reasons that software-as-a-service is catching on with enterprise buyers, delivering web services on top of infrastructure-as-a-service architectures is appealing to the SaaS developers. Operational agility, lower CapEx, and a broad array of tools and services are on tap that make both public and private IaaS clouds a great platform to build on. But how do you do this securely, especially in the public cloud where you have no access to the network or hypervisor your servers are running in?
Furthermore, for many SaaS providers, the person charged with security considerations isnt a CSO or IT specialist, but rather, a DevOps guru someone with their hands in both development and operations. While the traditional security professional is focused on compliance and security rules, this new crop is more concerned with continuous development and high availability.
In this session, CloudPassage Chief Evangelist, Andrew Hay, will break down the top security considerations that are specific to the cloud and offer practical steps for securing cloud-based application development. Hell also address the following: