[Openstack-security] develop a common State of OpenStack Security briefing
Clark, Robert Graham
robert.clark at hp.com
Wed Jul 31 14:50:29 UTC 2013
Interesting deck, although I think it's a mistake to believe that OpenStack
itself is made out of 'defensible' technologies and the only requirement
is to turn on the correct 'switches'.
This is certainly the case in a lot of the technologies used and a large
degree of what the security guide addresses is exactly this - flipping the
right switches to secure your deployment. However there are a bunch of
design decisions that need to be revisited because the security impact is
significant and the effort required to fix can be very high.
On 31/07/2013 13:51, "Brian Schott" <brian.schott at nimbisservices.com>
wrote:
>You can find the talk here:
>https://cloudsecurityalliance.org/events/presentation-material/
>https://cloudsecurityalliance.org/wp-content/uploads/2011/05/RSA-CSA-Chris-C-Kemp-Keynote-February-2012.pptx
>
>I agree with you that some of the default configuration choices were made
>without security in mind, but the point I was trying to make is on slide
>35. OpenStack is made up of defensible technologies, but the
>responsibility is on the deployment. In some ways, I see this as no
>different than other web frameworks in their default deployments.
>
>Brian
>
>
>
>On Jul 31, 2013, at 6:53 AM, "Clark, Robert Graham" <robert.clark at hp.com>
>wrote:
>
>> I've not seen the slides so I'm only speaking to your description but I
>>don't think I completely agree with the point that Chris was making back
>>then. There are certain design decisions such as unauthenticated RPC
>>over AMQP that have significant security impact and need to be
>>addressed, some of the 'Glue' that Bryan mentioned below.
>>
>> It'd be great to see the deck and see which ideas we can bring forward
>>and where we need to highlight the areas of OpenStack that go beyond
>>'hardening any other IT system'.
>>
>>
>> From: Brian Schott <brian.schott at nimbisservices.com>
>> Date: Wednesday, 31 July 2013 05:44
>> To: Bryan Payne <bdpayne at acm.org>
>> Cc: Robert Clark <robert.clark at hp.com>,
>>"openstack-security at lists.openstack.org" <openstack-security at lists.openstack.org>
>> Subject: Re: [Openstack-security] develop a common State of OpenStack
>>Security briefing
>>
>> Chris Kemp had some good holistic overview slides at one of the summits
>>that talked about the strength of OpenStack in terms of its plugin
>>architecture and that it is made up of stuff no different than hardening
>>any other IT system. No magic fix for security, no major barriers for
>>securing deployments, but probably better than your average public
>>facing IT system out of the box. Good positive message with a dose of
>>there is no such thing as a free lunch. This could get done in 4-5
>>slides. The first slide in this section should be almost a stand-alone
>>summary of the 4-5 slides.
>>
>> We could have a single service overview slide with a services report
>>card kind of table. Then maybe have a single status slide for every
>>service and hit those top-level bullets very briefly with a reference to
>>the appropriate hardening guide section or wiki. We don't have to
>>completely reimplement the security guide, but should we then have some
>>slides behind each summary slide that tunnel into each of those top-level
>>bullets? That might be too much. Things like security bugs can get
>>very stale fast.
>>
>>
>> On Jul 30, 2013, at 12:31 PM, Bryan D. Payne <bdpayne at acm.org> wrote:
>>
>> I think that it's useful to talk about the "glue components" (e.g., the
>>message queue, database, etc) and current thinking on best practices
>>there. Also, on best practices for deployment and keeping everything up
>>to date. Finally, I think it's important to highlight both the good
>>things that we have today, but also the gaps / areas where improvement
>>is needed.
>>
>> -bryan
>>
>>
>> On Tue, Jul 30, 2013 at 5:00 AM, Clark, Robert Graham
>><robert.clark at hp.com> wrote:
>> I'd certainly be happy to throw some time into this.
>>
>> Things I'd expect to see in the deck:
>>
>> - Holistic overview, general security posture
>> - Service overview, perhaps restricted to core IaaS services or wider
>>   - Covers secure configuration
>>   - Especially new options, improvements
>>   - Security Bugs
>>   - Design issues
>> - Review of recent security issues and OSSNs
>> - ?
>>
>> From: Nicolae Paladi [mailto:n.paladi at gmail.com]
>> Sent: 30 July 2013 07:25
>> To: Bryan D. Payne
>> Cc: openstack-security at lists.openstack.org
>> Subject: Re: [Openstack-security] develop a common State of OpenStack
>>Security briefing
>>
>> Great initiative, I'd be glad to "test drive" such a presentation at
>>our next OpenStack meetup in September;
>>
>> Just my 2 cents: would be good to have a slide or two on the state of
>>VPN support in Neutron, as well as what the capabilities of security
>>groups are
>>
>> /nicolae
>>
>> On 29 July 2013 23:56, Bryan D. Payne <bdpayne at acm.org> wrote:
>> This sounds very valuable. What kinds of information would you guys
>>like to see in this?
>>
>> Also, I'm thinking the slides could be setup in a way that suits either
>>30 min or 60 min presentation lengths. Does that seem reasonable?
>>
>> -bryan
>>
>> On Mon, Jul 29, 2013 at 12:24 PM, Brian Schott
>><brian.schott at nimbisservices.com> wrote:
>> I was thinking that it would be great if we could collectively have a
>>common "State of OpenStack Security" that Stackers could give at local
>>OpenStack MeetUps or other venues. This topic comes up all of the time
>>and a good executive overview briefing would raise the awareness of what
>>OpenStack is doing in this space.
>>
>> Is there interest in OSSG in pulling together such a briefing?
>> Brian
>>
>> -------------------------------------------------
>> Brian Schott, CTO
>> Nimbis Services, Inc.
>> brian.schott at nimbisservices.com
>> ph: 443-274-6064 fx: 443-274-6060
>>
>>
>>
>>
>> _______________________________________________
>> Openstack-security mailing list
>> Openstack-security at lists.openstack.org
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security
>>
>>
>
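The exchange above turns on the "switches" a deployer controls versus the design decisions (such as unauthenticated RPC over AMQP) that no configuration option fixes. As an added example, not code from this thread or from OpenStack itself, here is a small Python audit over constructed nova/cinder/neutron/heat config fragments that flags the broker settings a security-guide reader would be told to flip: default guest/guest credentials, RPC over cleartext, TLS without a CA to verify the broker against, and one broker account shared by several services. The option names (rabbit_host, rabbit_hosts, rabbit_userid, rabbit_password, rabbit_use_ssl, kombu_ssl_ca_certs) are assumed to be the [DEFAULT]-section RabbitMQ options of the 2013-era services; the sample fragments are constructed and not taken from any real deployment.

```python
"""Audit the RabbitMQ 'switches' in OpenStack service configs.

Added example, not code from the mailing-list thread or from OpenStack.
Assumes the 2013-era [DEFAULT]-section options rabbit_userid,
rabbit_password, rabbit_use_ssl and kombu_ssl_ca_certs.
"""
import configparser
from typing import Dict, List

# RabbitMQ ships with this account, and the 2013 service configs default to it.
DEFAULT_BROKER_CREDS = ("guest", "guest")

# Constructed sample fragments for four services (not from a real deployment).
SAMPLE_CONFIGS: Dict[str, str] = {
    "nova.conf": """
[DEFAULT]
rabbit_host = 10.0.0.5
rabbit_userid = guest
rabbit_password = guest
rabbit_use_ssl = False
""",
    "cinder.conf": """
[DEFAULT]
rabbit_hosts = 10.0.0.5:5671,10.0.0.6:5671
rabbit_userid = cinder
rabbit_password = s3cr3t-cinder
rabbit_use_ssl = True
kombu_ssl_ca_certs = /etc/ssl/certs/internal-ca.pem
""",
    "neutron.conf": """
[DEFAULT]
rabbit_host = 10.0.0.5
rabbit_userid = shared-svc
rabbit_password = shared-pw
rabbit_use_ssl = True
""",
    "heat.conf": """
[DEFAULT]
rabbit_host = 10.0.0.5
rabbit_userid = shared-svc
rabbit_password = shared-pw
rabbit_use_ssl = True
kombu_ssl_ca_certs = /etc/ssl/certs/internal-ca.pem
""",
}


def broker_settings(text: str) -> configparser.SectionProxy:
    """Parse one service config and return its [DEFAULT] section."""
    # interpolation=None so a '%' in a password is not treated as a template.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp["DEFAULT"]


def check_service(name: str, text: str) -> List[str]:
    """Per-service findings: default credentials, cleartext RPC, unverified TLS."""
    d = broker_settings(text)
    findings: List[str] = []
    # Missing options fall back to the same defaults the services used.
    creds = (d.get("rabbit_userid", "guest"), d.get("rabbit_password", "guest"))
    if creds == DEFAULT_BROKER_CREDS:
        findings.append(f"{name}: broker credentials are the default guest/guest")
    if not d.getboolean("rabbit_use_ssl", fallback=False):
        findings.append(f"{name}: rabbit_use_ssl is off, RPC crosses the network in cleartext")
    elif not d.get("kombu_ssl_ca_certs"):
        findings.append(f"{name}: TLS is on but kombu_ssl_ca_certs is unset, "
                        "so the broker certificate is not verified against a trusted CA")
    return findings


def audit(configs: Dict[str, str]) -> List[str]:
    """Run the per-service checks, then flag one broker account reused across services."""
    findings: List[str] = []
    users: Dict[str, List[str]] = {}
    for name, text in configs.items():
        findings.extend(check_service(name, text))
        user = broker_settings(text).get("rabbit_userid", "guest")
        users.setdefault(user, []).append(name)
    for user, names in users.items():
        if len(names) > 1:
            findings.append(f"broker account '{user}' is shared by {', '.join(sorted(names))}; "
                            "one compromised service host yields the others' queue credentials")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_CONFIGS):
        print(line)
```

Run against the samples, the audit reports two findings for nova.conf, one for neutron.conf and one shared account between heat.conf and neutron.conf; cinder.conf and heat.conf pass. These are exactly the switches a deployer can flip. They do not touch the design point raised in the thread: with the RPC itself unauthenticated, any principal that can reach the broker with valid credentials can still invoke calls on a service, which is why that item belongs under "design issues" rather than "secure configuration" in the deck.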