The Road to Hong Kong—OpenStack Summit Speakers #2: Securing OpenStack for Compliance
This is the second in a series of posts by speakers at the Hong Kong OpenStack Summit. Today we bring you a discussion of security compliance issues with OpenStack implementations, featuring security expert Tomasz Napierala. His talk, “Securing OpenStack for Compliance,” is scheduled for November 6, from 11:15 am to 11:55 am.
OpenStack adoption is growing constantly, but there are still areas where vanilla OpenStack cannot be used out of the box. One of those fields is the financial sector, which requires infrastructure to be properly hardened and secured to meet challenging industry compliance requirements. To make OpenStack suitable for security-demanding environments, we analyzed most of the components and developed a set of modules for system hardening. We’ll show a pragmatic set of guidelines to deploy OpenStack-based cloud infrastructure able to meet most PCI DSS requirements.
Q: At what point of an OpenStack cloud implementation for a large financial institution do you begin thinking about the security compliance issues?
A: Because of my security background, this is something that comes to my mind straight away. If we are working on a complete implementation, we have a chance to think about the compliance at the design stage. To avoid future problems and unwanted compromises, that’s the best time to explain what constraints compliance brings and any architectural implications for the cloud when implementing best security practices.
Q: What tools do you use for system hardening in security-demanding environments?
A: First we have to evaluate the current state of compliance to estimate the scope of the project. There is a lot of low-hanging fruit, but also some deep, complicated architectural issues, like the networking subsystem. During the analysis stage, we use some common tools, such as OpenVAS with custom plugins, but also lesser-known tools such as OpenSCAP, and so on.
Q: What modules allow you to bring a system closer to compliance?
A: Our approach is to prepare an off-the-shelf solution that can be easily plugged into Fuel but also used as a library by other projects and users. Wherever we can, we use Puppet for automation. We also make sure that all of the tools we use are open source and can be used by the community. We've developed modules for baseline system hardening, taking care of the obvious stuff like password security and policies, proper auditing, and log retention. Then, we've also added some more sophisticated stuff like log analysis, inter-controller secure communication using tunnels, and a hardware security module for storing sensitive data.
Q: What guidelines do you use as you deploy an OpenStack cloud to ensure compliance with security standards?
A: Because of the customer’s nature as a financial institution, we concentrate mainly on PCI DSS [Payment Card Industry Data Security Standard] guidelines. During development, we also sometimes have to introduce stricter policies from the Center for Internet Security (CIS), Defense Information Systems Agency Security Technical Implementation Guide (STIG), and US Government Configuration Baselines (USGCB). In the future, we'd like to give the customer a choice of guidelines to use when implementing our modules.
Tomasz Napierala is a system administrator and DevOps engineer with 16 years of experience in IT service management. Prior to Mirantis, Tomasz successfully led a group of engineers that implemented PCI DSS in one of the biggest online payment companies in Europe and also managed a DevOps team at Wikia, Inc. His specialties include automation, HA, web performance, and security. Tomasz currently works at Mirantis as a Senior OpenStack Engineer.