[openstack-dev] [OSSG] OpenStack Security Group Task List
Bryan D. Payne
bdpayne at acm.org
Fri Oct 26 18:24:26 UTC 2012
>> Do we have an idea about the threat surface/ or do we have a threat model
>> yet? I understand it is a complex task, but would like to understand the
>> team's feel for it.
>
> Threat models always struck me as low in value. Trust relationships are far
> more useful.
I find both useful. Either way, some of the challenge here is that
different people are using OpenStack differently. So they will have
different concerns from a threat model / trust relationship
perspective. Nevertheless, this is a useful activity for us to engage
in at some point. I would like to see perhaps a few different models
that represent the spectrum of most likely OpenStack deployments.
This could provide a useful guide as we think about how to best
approach the security improvements.
In the near term, there are a large number of low-hanging fruit from a
security fix perspective. I think it is safe to say that we should
address these items regardless of the threat model. Hopefully this
email thread will continue to identify these key areas.
Cheers,
-bryan