[Openstack-security] develop a common State of OpenStack Security briefing

Brian Schott brian.schott at nimbisservices.com
Wed Jul 31 22:43:50 UTC 2013


This was February 2012, so it is also a bit out of date and may suffer from CEOptimism (a common enough affliction :-).  


I'm more aware of the and some of the design changes this group is recommending after participating in the doc sprint, but I'd also argue that a deployment team has a better chance of hardening OpenStack over the proprietary or open-core alternatives.


It also depends on the use case for the deployment.  Behind their corporate firewall for internal use only, OpenStack is probably much safer than their existing IT infrastructure.  Nothing like clear-text VNC sessions to improve security.


The talk should try to score base OpenStack deployments for different use cases, summarize deployment recommendations for each, and talk about current and future efforts planned by the community.  
—
Sent from Mailbox for iPad

On Wed, Jul 31, 2013 at 10:51 AM, Clark, Robert Graham
<robert.clark at hp.com> wrote:

> Interesting deck although I think it's a mistake to believe that OpenStack
> itself is made out of 'defensible' technologies and the only requirement
> is to turn on the correct 'switches'.
> This is certainly the case in a lot of the technologies used and a large
> degree of what the security guide addresses is exactly this - flipping the
> right switches to secure your deployment. However there are a bunch of
> design decisions that need to be revisited because the security impact is
> significant and the effort required to fix can be very high.
> On 31/07/2013 13:51, "Brian Schott" <brian.schott at nimbisservices.com>
> wrote:
>>You can find the talk here:
>>https://cloudsecurityalliance.org/events/presentation-material/
>>https://cloudsecurityalliance.org/wp-content/uploads/2011/05/RSA-CSA-Chris-C-Kemp-Keynote-February-2012.pptx
>>
>>I agree with you that some of the default configuration choices were made
>>without security in mind, but the point I was trying to make is on slide
>>35.  OpenStack is made up of defensible technologies, but the
>>responsibility is on the deployment.  In some ways, I see this as no
>>different than other web frameworks in their default deployments.
>>
>>Brian
>>
>>
>>
>>On Jul 31, 2013, at 6:53 AM, "Clark, Robert Graham" <robert.clark at hp.com>
>>wrote:
>>
>>> I've not seen the slides so I'm only speaking to your description but I
>>>don't think I completely agree with the point that Chris was making back
>>>then. There are certain design decisions such as unauthenticated RPC
>>>over AMQP that have significant security impact and need to be
>>>addressed, some of the 'Glue' that Bryan mentioned below.
>>> 
>>> It'd be great to see the deck and see which ideas we can bring forward
>>>and where we need to highlight the areas of OpenStack that go beyond
>>>'hardening any other IT system'.
>>> 
>>> 
>>> From: Brian Schott <brian.schott at nimbisservices.com>
>>> Date: Wednesday, 31 July 2013 05:44
>>> To: Bryan Payne <bdpayne at acm.org>
>>> Cc: Robert Clark <robert.clark at hp.com>,
>>>"openstack-security at lists.openstack.org" <openstack-security at lists.openstack.org>
>>> Subject: Re: [Openstack-security] develop a common State of OpenStack
>>>Security briefing
>>> 
>>> Chris Kemp had some good holistic overview slides at one of the summits
>>>that talked about the strength of OpenStack in terms of its plugin
>>>architecture and that it is made up of stuff no different than hardening
>>>any other IT system.  No magic fix for security, no major barriers for
>>>securing deployments, but probably better than your average public
>>>facing IT system out of the box.  Good positive message with a dose of
>>>there is no such thing as a free lunch.  This could get done in 4-5
>>>slides.  The first slide in this section should be almost a stand-alone
>>>summary of the 4-5 slides.
>>> 
>>> We could have a single service overview slide with a services report
>>>card kind of table.  Then maybe have a single status slide for every
>>>service and hit those top-level bullets very briefly with a reference to
>>>the appropriate hardening guide section or wiki.  We don't have to
>>>completely reimplement the security guide, but should there then be some
>>>slides behind each summary slide that tunnel into each of those top-level
>>>bullets?  That might be too much.  Things like security bugs can get
>>>very stale fast.
>>> 
>>> 
>>> On Jul 30, 2013, at 12:31 PM, Bryan D. Payne <bdpayne at acm.org> wrote:
>>> 
>>> I think that it's useful to talk about the "glue components" (e.g., the
>>>message queue, database, etc) and current thinking on best practices
>>>there.  Also, on best practices for deployment and keeping everything up
>>>to date.  Finally, I think it's important to highlight both the good
>>>things that we have today, but also the gaps / areas where improvement
>>>is needed.
>>> 
>>> -bryan
>>> 
>>> 
>>> On Tue, Jul 30, 2013 at 5:00 AM, Clark, Robert Graham <robert.clark at hp.com> wrote:
>>> I'd certainly be happy to throw some time into this.
>>> 
>>> Things I'd expect to see in the deck:
>>> 
>>> · Holistic overview, general security posture
>>> · Service overview, perhaps restricted to core IaaS services or wider
>>>   o Covers secure configuration
>>>   o Especially new options, improvements
>>>   o Security Bugs
>>>   o Design issues
>>> · Review of recent security issues and OSSNs
>>> · ?
>>> 
>>> From: Nicolae Paladi <n.paladi at gmail.com>
>>> Sent: 30 July 2013 07:25
>>> To: Bryan D. Payne
>>> Cc: openstack-security at lists.openstack.org
>>> Subject: Re: [Openstack-security] develop a common State of OpenStack
>>>Security briefing
>>> 
>>> Great initiative, I'd be glad to "test drive" such a presentation at
>>>our next OpenStack meetup in September;
>>> 
>>> Just my 2 cents: would be good to have a slide or two on the state of
>>>VPN support in Neutron, as well as what the capabilities of security
>>>groups are
>>> 
>>> /nicolae
>>> 
>>> On 29 July 2013 23:56, Bryan D. Payne <bdpayne at acm.org> wrote:
>>> This sounds very valuable.  What kinds of information would you guys
>>>like to see in this?
>>> 
>>> Also, I'm thinking the slides could be setup in a way that suits either
>>>30 min or 60 min presentation lengths.  Does that seem reasonable?
>>> 
>>> -bryan
>>> 
>>> On Mon, Jul 29, 2013 at 12:24 PM, Brian Schott <brian.schott at nimbisservices.com> wrote:
>>> I was thinking that it would be great if we could collectively have a
>>>common "State of OpenStack Security" that Stackers could give at local
>>>OpenStack MeetUps or other venues.  This topic comes up all of the time
>>>and a good executive overview briefing would raise the awareness of what
>>>OpenStack is doing in this space.
>>> 
>>> Is there interest in OSSG in pulling together such a briefing?
>>> Brian
>>> 
>>> -------------------------------------------------
>>> Brian Schott, CTO
>>> Nimbis Services, Inc.
>>> brian.schott at nimbisservices.com
>>> ph: 443-274-6064  fx: 443-274-6060
>>> 
>>> 
>>> 
>>> 
>>> _______________________________________________
>>> Openstack-security mailing list
>>> 
>>>Openstack-security at lists.openstack.org<mailto:Openstack-security at lists.op
>>>enstack.org>
>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security
>>> 
>>> 
>>