Barcelona Summit Notes: OpenStack Security on Track
Holistic Security for OpenStack CloudsThe security track started on Wednesday with ‘Holistic Security for OpenStack Clouds’ by Major Hayden, principal architect at Rackspace, where he said that ‘Securing OpenStack can feel like taking a trip to the Upside Down’.
He suggested that to cope with the challenge of securing complex systems, you need to follow the holistic approach. Don't just secure the outer perimeter with an expensive firewall with ‘laser beams’, but also provide small security improvements at multiple layers, both inside and outside the perimeter.
In particular, Major recommended separating the control plane, hypervisors, and tenants’ infrastructure by setting up the trust boundaries for traffic traveling between these three, for example by enabling SELinux and AppArmor on hypervisors.
The advice given by Major regarding control plane security includes:
- Monitoring messaging and database performance to look for anomalies or unauthorized access
- Using unique credentials for RabbitMQ and for each database
- Limiting communication between OpenStack services using, for example, iptables
- Giving each service a different keystone account with different credentials
- Monitoring for high bandwidth usage and high connection counts
Advanced Threat Protection and KubernetesIntel, along with Midokura and Forcepoint, presented the use case of bringing advanced threat protection to Kubernetes. The solution uses the OpenStack Kuryr project to redirect traffic from Neutron-managed networks to security Pods for inspection using Neutron's service-chaining.
ACL is not SecurityDuring the security part of the talk, Forcepoint pointed out that ‘ACL is not security’ and L4-L7 inspection is needed to catch the targeted attacks, for example, because targeted attacks proliferate across the networks by infecting one machine or network after another, gaining privileges and acting as an internal entity allowed by ACLs and bypassing firewalls.
The demo showed the shellshock attack on the vulnerable Web server run as a k8s Pod being blocked by the preconfigured containerized NGFW by Forcepoint. To send the packets from the Neutron network to the NGFW virtual service, the Intel Open Security Controller calls the Neutron API to redirect packets through Kuryr to the k8s security container. Intel Open Security Controller now has basic Kubernetes support highlighted in the demo by Manish Dave, Platform Architect from Intel, in addition to OpenStack support, which was presented in Tokyo a year ago.
Watch on YouTube: https://www.youtube.com/watch?v=5b8jYYS389g
Container Security and CIAIf the previous talk was about security on containers, the next one was about security of the container itself, presented by Scott McCarty, Senior Strategist from Red Hat, who looked into container security from the perspective of CIA (confidentiality, integrity, and availability).
He started this talk with a vivid example from his life of how his house had been robbed and what measures he took to protect his valuables in the future, trying to explain how much security is enough when managing risks.
The one risk with containers is that despite the fact that they leverage OS processes isolation, they still share the same kernel, which can be exploited to elevate privileges. Isolation is still one of the main concerns when creating secure infrastructure. Another container content that needs verification and validation before going to production.
Scott showed how you can run, for example, a read-only container with enabled SELinux that limits access to the container’s data so that it's available only for the process of running the container.
Watch on YouTube: https://www.youtube.com/watch?v=wKT191Ak9fA
Incident Response and Anomaly DetectionGrant Murphy, Security Architect from IBM, showed a good demo in his talk “Incident Response and Anomaly Detection Using Osquery”, during which he ran a malware sample that was a simple remote shell. That demo backdoor adds a reference to crontab to download itself to be persistent, establishes a connection to a remote server, and removes its executable from disk. In the demo, Grant showed how to trace all these activities with the help of simple SQL-style requests by osquery. Next, he showed how to configure osquery for OpenStack and query information from running OpenStack services. Osquery, in fact, has many features for monitoring, auditing, and intrusion detection with support for Yara rules, and is used by Facebook, Airbnb, Git, and Heroku.
Watch on YouTube: https://www.youtube.com/watch?v=5b8jYYS389g
Cloud Forensics vs. OpenStackIncident response in the cloud was also in the focus of the “Cloud Forensics vs. OpenStack” panel where experts Kim Hindart, CSO of City Network, Anders Carlsson, forensic expert from BTH, and the author of this article discussed the issues related to digital forensics in the cloud. One thing we discussed is comprehensive logging enablement as a way to mitigate a repudiation attack and find the traces of the attacker when an incident happens. For example, it is recommended to log both successful and unsuccessful login attempts. While the second ones may indicate a brute-force attack, the first ones can point to elevation of privileges that result from compromised credentials.
Another highlighted issue was exfiltrating digital evidence in a multi-tenant environment. For example, accessing Compute node logs that represent digital evidence may lead to confidentiality violations if the node includes additional tenants who are not related to the incident.
The OpenStack forensic tool (FROST) was the first and only attempt to create a forensic data acquisition solution. Introduced in 2013, it unfortunately has not gained support.
At the end of the panel, experts gave recommendations on how to prepare your organization for the inevitable security attack, with the consensus being that the best way to handle an incident is to prevent or block the attack at the very beginning, thus, simplifying the investigation process and minimizing losses.
Watch on YouTube: https://www.youtube.com/watch?v=cqZV3k0pUiw
Compliance: The EU General Data Protection Regulation (GDPR) is comingKim Hindart from City Network informed the audience that the EU General Data Protection Regulation (GDPR) is coming. Companies based outside the EU that provide services to EU citizens have until the 25th of May 2018 to make their cloud compliant. Otherwise, companies will be penalized with a fine of up to 20,000,000 EUR, or up to 4% of the total worldwide annual turnover.
Watch on YouTube: https://www.youtube.com/watch?v=c-7QQ5Eg__Y
The topic of HIPAA and PCI DSS compliance in OpenStack was also addressed by Blue Box Cloud DevOps. Watch on YouTube: https://www.youtube.com/watch?v=XHFM_1G-Hog
The state of OpenStack securityRobert Clark from IBM, the current PTL of the OpenStack Security project, reported the state of their work, as usual. He started with the Keystone, Barbican (secrets manager), and Castellan (key management interface to enable multiple key managers) projects.
The Threat Analysis process and Syntribos (the fuzzy testing framework for finding vulnerabilities in the API) were the main focus of the presentation, however. For example, Rob introduced the results of the threat analysis process for the Barbican project and ran the demo through SQL injection tests using Syntribos. At the end, he brought up the idea of a security incubator aimed at assisting small projects in security not necessarily related to OpenStack but primarily applied to or consumed by OpenStack projects.
Watch on YouTube: https://www.youtube.com/watch?v=GvunSafycX8
Secure Image Management InfrastructureSymantec presented secure image management infrastructure designed to solve the problem of using and updating images that may contain vulnerabilities. At Symantec (as well as at Mirantis), vulnerability scanning is considered an essential part of the image validation process for securing customers' clouds.
The speakers, Brad Pokorny, Timothy Symanczyk, and Richard Gooch, showed the magic of real-time image recovery done by the Dominator image supervisor in response to unsolicited image modification, which in the demo was deletion of files. Dominator initially calculates the hashes of all the files in the image and keeps the golden image in the machine database. Then, if file modification is detected, Dominator immediately recovers modified/deleted files based on the golden image the VM is supposed to have. This helps to mitigate image tampering attacks and keep the integrity of data, configuration files, and applications delivered within the image. For example, it could protect VMs against attacks by cryptolockers - ransomware that encrypts files to demand a ransom for their recovery, such as Linux.Encoder.1, which attacked Linux Web servers through a vulnerability in the Magento CMS platform.
Watch on YouTube: https://www.youtube.com/watch?v=vuL7in9CxHY
So that's it for this year. What's your most important security concern? Let us know in the comments!