major.io words of wisdom from a systems engineer

Talk Recap: Holistic Security for OpenStack Clouds

1

Thanks to everyone who attended my talk at the OpenStack Summit in Barcelona! I really enjoyed sharing some tips with the audience and it was great to meet some attendees in person afterwards.

If you weren’t able to make it, don’t fret! This post will cover some of the main points of the talk and link to the video and slides.

Purpose

OpenStack clouds are inherently complex. Operating a cloud involves a lot of moving pieces in software, hardware, and networking. Securing complex systems can be a real challenge, especially for newcomers to the information security realm. One wrong turn can knock critical infrastructure online or lead to lengthy debugging sessions.

However, securing OpenStack clouds doesn’t need to be a tremendously stressful experience. It requires a methodical, thoughful, and strategic approach. The goal of the talk is give the audience a reliable strategy that is easy to start with and that scales easily over time.

Why holistic?

The dictionary definition of holistic is:

characterized by comprehension of the parts of something as intimately connected and explicable only by reference to the whole

To simplify things a bit, thinking about something holistically means that you understand that there are small parts that are valuable on their own, but they make much more value when combined together. Also, it’s difficult to talk about the individual parts and get a real understanding of the whole.

In holistic medicine, humans are considered to be a body, mind, and spirit. OpenStack clouds involve servers, software, and a business goal. Security consists of people, process, and technology. To truly understand what’s going on, you need to take a look at something with all of its parts connected.

Security refresher

Get into the mindset that attackers will get in eventually. Just change each instance of if to when in your conversations. Attackers can be wrong many times, but the defenders only need to be wrong once to allow a breach to occur.

Simply building a huge moat and tall castle walls around the outside isn’t sufficient. Attackers will have free reign to move around inside and take what they want. Multiple layers are needed, and this is the backbone of a defense-in-depth strategy.

Cloud operators need to work from the outside inwards, much like you do with utensils at a fancy dinner. Make a good wall around the outside and work on tightening down the internals at multiple levels.

Four layers for OpenStack

During the talk, I divided OpenStack clouds into four main layers:

  • outer perimeter
  • control and data planes
  • OpenStack services and backend services in the control plane
  • OpenStack services

For the best explanation of what to do at this level, I highly recommend reviewing the slides or the presentation video (keep scrolling).

The slides are on SlideShare and they are licensed CC-BY-SA. Feel free to share anything from the slide deck as you wish, but please share it via a similar license and attribute the source!

The video of the talk (including Q&A) is up on YouTube:

Feedback

I love feedback about my talks! I’m still a novice presenter and every little bit of feedback - positive or negative - really helps. Feel free to email me or talk to me on Twitter.