Mirantis OpenStack Express: Security White Paper




Version 1.0
2005-2014 All Rights Reserved www.mirantis.com

Introduction

While the vast majority of IT professionals are now familiar with the cost-saving and agility benefits of cloud computing, many still perceive traditional multi-tenant public cloud environments as insecure, or simply incompatible with their security compliance requirements, because of the lack of control they have over the physical machines, network and storage equipment. Mirantis OpenStack Express provides the ease of use of an elastic OpenStack cloud environment while giving you complete control over the underlying hardware and host operating system configuration, without compromising security.

Because we ask our customers to trust Mirantis with their business-critical data and applications, we think it is important to describe in this paper, in a transparent and understandable manner, the physical and operational security measures and controls we apply to Mirantis OpenStack Express. We hope this will help you appraise to what extent Mirantis OpenStack Express improves on the security of other, more traditional multi-tenant cloud environments.

Overview

Mirantis OpenStack Express offers on-demand private datacenters powered by the stable Mirantis OpenStack distribution, running on high-performance hardware that is dedicated to the sole use of your organization. It is your private cloud. As such, Mirantis OpenStack Express combines the best of both worlds: the elasticity and agility of the pay-as-you-go cloud computing model, powered by the leading open-source OpenStack technology, together with the inherent security and privacy benefits of running your own private data center that is completely isolated from other co-hosted tenants.

Furthermore, Mirantis OpenStack Express is designed to be effective and easy to use. Using the OpenStack Express Datacenter Management Console, you choose the size and characteristics of the private cloud you want and pay only for the amount of hardware you use and the time you use it. You can then add (or remove) physical nodes dynamically to scale the capacity of your datacenter up and down with demand. Once your resources are provisioned in the data center, you can create one or more multi-node, highly available OpenStack cloud environments using Mirantis OpenStack Fuel, the provisioning and configuration management automation engine developed by Mirantis and the community and provided out of the box with Mirantis OpenStack Express.

Applied Security Measures and Controls

Physical and Operational Security

As stated above, Mirantis OpenStack Express has been designed to reconcile two arguably conflicting goals: giving you extended control over the data center infrastructure, including root access to the host operating system running the cloud controller and the compute nodes (the hypervisor), while ensuring strict isolation between tenants. That is why physical and operational security is the foundation of Mirantis OpenStack Express.

If your data center is not physically secure, neither are the cloud environments running on top of it; no security measure applied at the OpenStack level would matter without it. That is why Mirantis partners with world-class bare-metal service providers, such as SoftLayer, whose data centers are fully audited against controls and reports that meet industry-recognized security requirements. This includes, but is not limited to:

- Data centers located only in facilities with controlled access and 24/7 security staff
- Digital video surveillance and biometric security systems
- Machine room access strictly limited to employees and escorted contractors or visitors
- Barcode-only identification on hardware; no customer markings of any type on the machines themselves
- All data removed from re-provisioned machines with drive-wipe software approved by the Department of Defense
- Engineers and technicians trained on internal, industry-standard policies and procedures and audited yearly
- Geographic redundancy for all core systems, for disaster recovery and business continuity

Network Security

Each Mirantis OpenStack Express private data center is provisioned with two independent and isolated networks. Each physical node added to a private data center has two network interfaces, one bound to each network:

- One public network, used to carry ingress and egress traffic to and from the Internet
- One private network, used for internal traffic only

Typically, the public network provides access to the OpenStack dashboard (Horizon), the OpenStack service endpoints (Nova, Keystone, Cinder, Glance and so on) and the instances' public IP addresses, known as floating IPs. The private network in turn carries inter-instance communication over OpenStack Networking GRE tunnels, as well as internal Fuel communication, including the PXE boot used to install the host operating systems on the OpenStack controller and compute nodes, as shown in the figure below.

Figure 1: Data Center Network Architecture

With Mirantis OpenStack Express, the public and private networks of your datacenter are implemented as untagged VLANs, which means that the Ethernet frames you send and receive carry no VLAN information (no 802.1Q tag with a VLAN ID). In the figure above, for example, customer A has VLAN A.1 and VLAN A.2, customer B has VLAN B.1 and VLAN B.2, and so forth. The switch ports facing the data center nodes are untagged access ports: the switch assigns each frame to the port's VLAN rather than reading a VLAN ID from the frame, so the packets on your networks are plain Ethernet frames, and a node cannot move traffic into another customer's VLAN by injecting a forged VLAN ID.
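The untagged-port property above is something you can verify rather than assume. The following Python script is an added example, not code from the Mirantis paper or from SoftLayer: it parses raw Ethernet frames and reports any 802.1Q or 802.1ad tags they carry, which is what you would run over frames captured on a node's NIC to confirm the link is really untagged, or to spot a double-tagged frame, the usual sign of a VLAN-hopping attempt. The sample frames, MAC addresses and VLAN IDs are constructed inline for the example.

```python
"""Report 802.1Q / 802.1ad VLAN tags found in raw Ethernet frames.

Added example, not code from the Mirantis paper: on an untagged access
port the switch assigns the VLAN from the port, so a frame sent by a
node should carry no tag at all.  Running this over frames captured on
a node's NIC confirms the link is untagged and flags tagged or
double-tagged frames.  The sample frames below are constructed inline.
"""
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_8021Q = 0x8100    # customer (C-) tag
ETHERTYPE_8021AD = 0x88A8   # service (S-) tag used as the QinQ outer tag
TAG_ETHERTYPES = {ETHERTYPE_8021Q, ETHERTYPE_8021AD}


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame: bytes) -> dict:
    """Split an Ethernet frame into MACs, VLAN IDs (outermost first),
    the payload EtherType and the payload bytes."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    offset = 12                                  # position of the EtherType/TPID field
    vlans = []
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    while ethertype in TAG_ETHERTYPES:
        # A tag is TPID (2 bytes, already read) + TCI (2 bytes: PCP:3, DEI:1, VID:12),
        # followed by the next EtherType, so the header must extend 6 bytes past offset.
        if len(frame) < offset + 6:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        vlans.append(tci & 0x0FFF)
        offset += 4
        (ethertype,) = struct.unpack_from("!H", frame, offset)
    return {
        "dst": _mac(dst),
        "src": _mac(src),
        "vlans": vlans,
        "ethertype": ethertype,
        "payload": frame[offset + 2:],
    }


def tagged_frames(frames) -> list:
    """Indices and VLAN ID lists of every frame that carries at least one tag."""
    found = []
    for i, frame in enumerate(frames):
        vlans = parse_frame(frame)["vlans"]
        if vlans:
            found.append((i, vlans))
    return found


# Constructed sample frames (not captured traffic); locally administered MACs.
MAC_A = bytes.fromhex("020000000001")
MAC_B = bytes.fromhex("020000000002")
IPV4_TYPE = struct.pack("!H", ETHERTYPE_IPV4)
PAYLOAD = bytes([0x45]) + bytes(19)             # stub IPv4 header as payload

UNTAGGED = MAC_B + MAC_A + IPV4_TYPE + PAYLOAD
SINGLE_TAGGED = (MAC_B + MAC_A
                 + struct.pack("!HH", ETHERTYPE_8021Q, 100)       # VID 100, PCP 0
                 + IPV4_TYPE + PAYLOAD)
DOUBLE_TAGGED = (MAC_B + MAC_A
                 + struct.pack("!HH", ETHERTYPE_8021AD, 10)       # outer S-tag, VID 10
                 + struct.pack("!HH", ETHERTYPE_8021Q, 20)        # inner C-tag, VID 20
                 + IPV4_TYPE + PAYLOAD)
SAMPLE_FRAMES = [UNTAGGED, SINGLE_TAGGED, DOUBLE_TAGGED]

if __name__ == "__main__":
    for i, vlans in tagged_frames(SAMPLE_FRAMES):
        print(f"frame {i}: unexpected VLAN tag(s) {vlans}")
```

On a correctly configured untagged link, frames read from the node's interface should never appear in the `tagged_frames` output; a frame with two VLAN IDs is the double-tagging pattern that a VLAN-hopping attack relies on, and is worth raising with the provider even if the switch is expected to drop it.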

Data Center Management Console Secure Access

Each Mirantis OpenStack Express account is assigned a unique user ID with a secure, self-generated password that is protected against brute-force attacks. In addition, the customer access points, including the OpenStack Express Data Center Details page, the Fuel Master Node web UI, the OpenStack Dashboard and the OpenStack service endpoints, offer HTTPS access so that you can establish secure communications with your cloud assets. HTTPS access uses TLS 1.2 with strong, well-known standard symmetric and asymmetric algorithms such as AES and RSA. Furthermore, as a user with superuser privileges, you can replace the dynamically generated certificates used in the Mirantis OpenStack environments with your own certificates, signed by your own root Certificate Authority (CA).

Data Center Nodes Secure Access

By default, Mirantis OpenStack Express does not provide direct login to the physical nodes of your data center, except for the Fuel Master Node. From the Data Center Details page you can obtain the SSH credentials, which give you non-root access to the Fuel Master Node. From there you can SSH as root to any physical node of your Mirantis OpenStack environment, including the controller node and the compute nodes, by running:

    $ ssh root@node-x.domain.tld

As the root user you can change this login policy according to your own security needs and requirements. Note that because the Fuel Master Node can reach every node as root, it is effectively the bastion host of your data center and should be protected accordingly.

Secure Online Payment

Mirantis OpenStack Express uses third-party providers that are verified Level 1 PCI DSS compliant to store sensitive credit card information securely and to process online payments. Mirantis OpenStack Express itself neither stores nor even sees your sensitive credit card information. Instead, it is sent directly, over a secured connection, to a credit card vault backend and online payment service providers that process the transaction on our behalf.
Security Vulnerabilities Assessment and Analysis

Each release of Mirantis OpenStack Express goes through stringent vulnerability assessment and analysis, both of the Internet-facing perimeter servers, web applications and service endpoints and from within the private data center, in an attempt to identify network, server and application vulnerabilities. These assessments are performed using Qualys and Nessus appliances. Vulnerabilities are systematically detected and fixed before a new version of Mirantis OpenStack Express is released.

OpenStack-Related Security Capabilities

Built-in Firewalls

Mirantis OpenStack Express brings networking services that are more flexible and powerful than the security group capabilities built into earlier releases of OpenStack. For example, security groups and security group rules allow administrators to specify the type and direction (ingress/egress) of traffic that is allowed to pass through a port. When a port is created in OpenStack Networking it is associated with a security group; if none is specified, it is associated with the 'default' security group. By default this group drops all ingress traffic (other than traffic from instances in the same group) and allows all egress; rules can be added to it to change this behavior. Security group rules are permit-only, so the effective policy for a port is the union of the rules of all groups attached to it. Administrators can create new security groups and rules, for instance to allow HTTP and HTTPS traffic to an individual instance or a group of instances.

Role-based Authorizations and Access Controls

The OpenStack Identity Service (Keystone) supports the notions of groups and roles. Users belong to groups, and a group is assigned a list of roles. Each user can be given unique security credentials and roles, eliminating the need for shared passwords or keys and allowing the security best practices of role separation and least privilege. Furthermore, each OpenStack service acts as a Policy Enforcement Point: a policy rule associated with each of the service's resources is evaluated against the user's role(s) and tenant association to determine whether the user has access to the requested resource [1]. The Identity Service, together with the Policy Enforcement Points, enables fine-grained access control to OpenStack resources. Only users with the admin role can provision new users and access the various management functions. In turn, a user assigned a role with lesser privileges can be confined to, for example, only launching instances and attaching volumes.

[1] Each OpenStack service has a policy file in JSON format, called policy.json, that specifies the rules governing access to each resource. A resource can be the service's API access point, the ability to attach a volume or the ability to launch an instance.
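The security-group behaviour described under Built-in Firewalls above (default deny ingress, default allow egress, rules that only ever permit) is easy to get wrong when composing groups, so it helps to evaluate a rule set against sample traffic before applying it. The Python below is an added example, not Neutron's code: it models the rule fields by their Neutron API names (direction, protocol, port_range_min/max, remote_ip_prefix, ethertype) and checks constructed packets against a constructed web-server group. Matching on remote_group_id is left out for brevity, and all addresses are RFC 5737 documentation ranges.

```python
"""Model OpenStack security-group rules and evaluate them against traffic.

Added example, not Neutron's own code: a minimal implementation of the
security-group semantics (default deny ingress, default allow egress,
rules are permit-only and additive) so the effect of a rule set can be
checked before it is applied.  Field names follow the Neutron API; the
rules and packets below are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    direction: str                          # "ingress" or "egress"
    protocol: Optional[str] = None          # None matches any protocol
    port_range_min: Optional[int] = None    # None matches any port
    port_range_max: Optional[int] = None
    remote_ip_prefix: Optional[str] = None  # None matches any remote address
    ethertype: str = "IPv4"


@dataclass(frozen=True)
class Packet:
    direction: str      # as seen from the instance's port
    protocol: str
    port: int           # destination port of the packet
    remote_ip: str      # source for ingress, destination for egress
    ethertype: str = "IPv4"


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.direction != pkt.direction or rule.ethertype != pkt.ethertype:
        return False
    if rule.protocol is not None and rule.protocol != pkt.protocol:
        return False
    if rule.port_range_min is not None:
        hi = rule.port_range_max if rule.port_range_max is not None else rule.port_range_min
        if not rule.port_range_min <= pkt.port <= hi:
            return False
    if rule.remote_ip_prefix is not None:
        net = ipaddress.ip_network(rule.remote_ip_prefix, strict=False)
        if ipaddress.ip_address(pkt.remote_ip) not in net:
            return False
    return True


def is_allowed(rules, pkt: Packet) -> bool:
    """Security groups are whitelist-only: any matching rule permits, nothing denies."""
    return any(rule_matches(r, pkt) for r in rules)


def evaluate(rules, packets: dict) -> dict:
    """Map each named sample packet to True (allowed) or False (dropped)."""
    return {name: is_allowed(rules, pkt) for name, pkt in packets.items()}


# The 'default' group as the text describes it: egress open, ingress closed.
DEFAULT_GROUP = [
    Rule(direction="egress", ethertype="IPv4"),
    Rule(direction="egress", ethertype="IPv6"),
]

# A web-server group: default egress plus HTTP/HTTPS from anywhere and
# SSH only from a bastion subnet (RFC 5737 documentation ranges, constructed).
WEB_GROUP = DEFAULT_GROUP + [
    Rule("ingress", "tcp", 80, 80, "0.0.0.0/0"),
    Rule("ingress", "tcp", 443, 443, "0.0.0.0/0"),
    Rule("ingress", "tcp", 22, 22, "203.0.113.0/24"),
]

SAMPLE_PACKETS = {
    "http_in": Packet("ingress", "tcp", 80, "198.51.100.7"),
    "https_in": Packet("ingress", "tcp", 443, "198.51.100.7"),
    "ssh_from_internet": Packet("ingress", "tcp", 22, "198.51.100.7"),
    "ssh_from_bastion": Packet("ingress", "tcp", 22, "203.0.113.5"),
    "mysql_in": Packet("ingress", "tcp", 3306, "203.0.113.5"),
    "dns_out": Packet("egress", "udp", 53, "198.51.100.53"),
}

if __name__ == "__main__":
    for name, ok in evaluate(WEB_GROUP, SAMPLE_PACKETS).items():
        print(f"{name:18s} {'ALLOW' if ok else 'DROP'}")
```

The point the evaluator makes visible is that there is no "deny" rule to write: SSH from the Internet is dropped only because no rule matches it, so adding a broad rule elsewhere (for example 0.0.0.0/0 on port 22 in a second group on the same port) silently reopens it.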
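To see how a Policy Enforcement Point turns a policy.json entry into an allow/deny decision for a given user and resource, here is an added example in Python. It is not OpenStack's own policy engine (oslo.policy) but a small evaluator for the classic policy.json syntax: an empty string or "@" always allows, "!" always denies, "rule:<name>" references another entry, "role:<name>" checks the caller's roles, and any other "<field>:<value>" compares a credential field with the value after substituting %(key)s from the target resource, combined with "and", "or", "not" and parentheses. The policy fragment, credentials and target resource below are constructed for the example, not taken from a real deployment.

```python
"""Evaluate OpenStack policy.json rules as a service's enforcement point does.

Added example, not OpenStack's own policy engine (oslo.policy).  Supports the
classic policy.json syntax: "" or "@" (always), "!" (never), "rule:<name>",
"role:<name>", "<field>:<value>" with %(key)s taken from the target resource,
and "and" / "or" / "not" with parentheses.  All data here is constructed.
"""
import json

# Constructed policy fragment in the style of a Nova/Keystone policy.json.
POLICY_JSON = json.loads("""
{
  "admin_api": "role:admin",
  "admin_or_owner": "role:admin or tenant_id:%(tenant_id)s",
  "compute:create": "",
  "compute:start": "rule:admin_or_owner",
  "compute:attach_volume": "rule:admin_or_owner and not role:auditor",
  "identity:create_user": "rule:admin_api",
  "os_compute_api:os-hypervisors": "!"
}
""")


def _tokenize(expr):
    """Split a rule into atoms, 'and', 'or', 'not', '(' and ')'.  Parentheses
    that belong to a %(key)s substitution stay inside the atom."""
    tokens = []
    for word in expr.split():
        while word.startswith("("):
            tokens.append("(")
            word = word[1:]
        trailing = 0
        while word.endswith(")") and word.count("(") < word.count(")"):
            trailing += 1
            word = word[:-1]
        if word:
            tokens.append(word)
        tokens.extend([")"] * trailing)
    return tokens


def _check_atom(atom, creds, target, rules):
    """Evaluate one 'kind:match' term against the caller's credentials."""
    if atom == "@":
        return True
    if atom == "!":
        return False
    kind, _, match = atom.partition(":")
    if kind == "rule":                      # reference to another named rule
        return enforce(match, creds, target, rules)
    if kind == "role":
        return match.lower() in [r.lower() for r in creds.get("roles", [])]
    if "%(" in match:                       # e.g. tenant_id:%(tenant_id)s
        match = match % target
    return str(creds.get(kind)) == match    # generic credential comparison


def _parse_or(tokens, creds, target, rules):
    result = _parse_and(tokens, creds, target, rules)
    while tokens and tokens[0] == "or":
        tokens.pop(0)
        rhs = _parse_and(tokens, creds, target, rules)  # always consume the right side
        result = result or rhs
    return result


def _parse_and(tokens, creds, target, rules):
    result = _parse_not(tokens, creds, target, rules)
    while tokens and tokens[0] == "and":
        tokens.pop(0)
        rhs = _parse_not(tokens, creds, target, rules)
        result = result and rhs
    return result


def _parse_not(tokens, creds, target, rules):
    if tokens and tokens[0] == "not":
        tokens.pop(0)
        return not _parse_not(tokens, creds, target, rules)
    tok = tokens.pop(0)
    if tok == "(":
        value = _parse_or(tokens, creds, target, rules)
        if not tokens or tokens.pop(0) != ")":
            raise ValueError("unbalanced parentheses in policy rule")
        return value
    return _check_atom(tok, creds, target, rules)


def enforce(action, creds, target, rules=POLICY_JSON):
    """True if creds may perform action on target; unknown actions are denied."""
    expr = rules.get(action)
    if expr is None:
        return False
    if expr.strip() == "":
        return True
    tokens = _tokenize(expr)
    value = _parse_or(tokens, creds, target, rules)
    if tokens:
        raise ValueError(f"trailing tokens in rule for {action}: {tokens}")
    return value


def permitted_actions(creds, target, rules=POLICY_JSON):
    """All entries in rules that creds may perform on target."""
    return sorted(a for a in rules if enforce(a, creds, target, rules))


# Constructed credentials (what Keystone puts in the request context) and a
# constructed target resource: an instance owned by tenant t-web.
ADMIN = {"user_id": "u-admin", "tenant_id": "t-ops", "roles": ["admin", "member"]}
OWNER = {"user_id": "u-alice", "tenant_id": "t-web", "roles": ["member"]}
AUDITOR = {"user_id": "u-bob", "tenant_id": "t-web", "roles": ["member", "auditor"]}
OUTSIDER = {"user_id": "u-eve", "tenant_id": "t-other", "roles": ["member"]}
INSTANCE = {"id": "srv-1", "tenant_id": "t-web"}

if __name__ == "__main__":
    for name, creds in [("admin", ADMIN), ("owner", OWNER), ("auditor", AUDITOR), ("outsider", OUTSIDER)]:
        print(f"{name:9s} {permitted_actions(creds, INSTANCE)}")
```

Two behaviours are worth noting when you edit a real policy file: an action that has no entry at all is denied here, whereas the tenant-ownership check depends entirely on the target's tenant_id being passed to the enforcement point, so a service that evaluates "admin_or_owner" without a target is not checking ownership at all.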

Sharing Responsibility for Security

Because Mirantis OpenStack Express gives you root access to the physical nodes of your data center, and because you have the ability to modify the configuration of your OpenStack deployments, security responsibility is shared. Mirantis OpenStack Express secures the data center management console, the networking infrastructure, and the Fuel Master Node and its web UI, to provide you with fully functional cloud environments in which OpenStack security best practices are transparently applied for you. But it is your responsibility to secure anything you put on top of your cloud environment and, above all, to make sure that custom configurations do not break the security measures Mirantis OpenStack Express has built for you. This includes host operating system configuration changes, controller and compute node configuration changes, your OpenStack instances themselves and anything you install on them, any Keystone accounts that access your instances, the security groups that allow outside access to your instances, the integrity of your image registry and Cinder volumes, and so on.

This means there are several security decisions you need to make and controls you must configure. For information on how to configure a particular OpenStack service, see the OpenStack Administration Guide for that service. For more tips on security best practices for OpenStack resources, see the OpenStack Security Guide. You may also want to subscribe to the OpenStack security notifications posted by the Vulnerability Management Team (VMT) to the OpenStack Announce mailing list.