
MIRANTIS 2013 ACL 1

Securing

for compliance
Tomasz Zen Napierała
Sr. OpenStack Engineer

Tomasz Z. Napierała
Senior OpenStack Engineer @ Mirantis, Inc.
automation, web performance, compliance, security

Mirantis, Inc.
Largest independent vendor of OpenStack services and technology.
We operate from Mountain View, California, with remote ofces in Russia, Ukraine
and Poland.
60+ successful OpenStack implementations and 400+ infrastructure experts.

Agenda

What's included
State of cloud compliance
Modules overview
Practical tips

What's not included
Securing VMs
Guarantee

PCI DSS overview

PCI DSS recap
Set of policies and procedures
Optimize security of financial data processing
Protect cardholders
12 general requirements
Ongoing process
PCI DSS version 2.0

State of compliance in cloud
Not possible (pre 2012)
Hard, not clear (pre 2013)
PCI DSS 2.0 Cloud Computing Guide (Feb. 2013)
Production deployments
Rackspace

Where are we
Rely on Cloud Service Provider
for HW->Hypervisor related compliance

Where are we
Hardware
Network
Storage
Hypervisor
VM

PCI DSS requirements
Source: http://www.datasecureworks.com/images/Trustwave/pci-requirements-grid.png

Project history
Initially launched for customer (2 engineers)
Moved into internal project (2+ engineers)
Some parts reused in other projects
2 clients using the tools

Project limitations
RedHat / CentOS compatible
Only for private IaaS clouds
Operator centric
Technology focused
Everything in scope
No redo
No OpenStack patches
No firewall management

Ingredients

Elements
Baseline hardening
HSM PoC
Auditing system
Log collection system
Intra cluster secure communication
Audit tools
Documentation

Tools
Fuel extension
Puppet modules
OpenStack patches (not included)
OpenSCAP profiles (SRR)
Documentation
Checklist

Notes
PCI DSS 2.0
NIST

External dependencies
LDAP / AD
HSM (PoC available)
Secure database + SSL

Puppet modules

aide
File integrity checking with AIDE

auditd
Auditing and logging during boot
Auditing and logging in runtime
Crucial file access monitoring
Over 80 rules
Based on Aqueduct project https://fedorahosted.org/aqueduct/
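One way such a module can ship its rules, as an added example that is not the Mirantis auditd module or the Aqueduct rule set: a hypothetical Puppet class `auditd_example` that installs a constructed subset of PCI DSS oriented audit rules. It assumes a CentOS 6 style `/etc/audit/audit.rules`, UID_MIN of 500 and x86_64 hosts.

```puppet
# Added example, not the Mirantis module: a minimal Puppet class that ships
# a constructed subset of PCI DSS oriented audit rules for auditd.
# Assumptions: CentOS 6 style path /etc/audit/audit.rules, UID_MIN 500,
# x86_64 hosts (arch=b64 rules only).
class auditd_example {
  package { 'audit':
    ensure => installed,
  }

  # "Auditing and logging during boot" additionally needs audit=1 on the
  # kernel command line, so events raised before auditd starts are queued
  # by the kernel; that setting is left to a bootloader class.
  file { '/etc/audit/audit.rules':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0640',
    content => "## Constructed example rule set; not the 80+ Aqueduct rules
-D
-b 8192
## Identity files: PCI DSS 10.2.5 (use of identification/authentication)
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/group -p wa -k identity
-w /etc/sudoers -p wa -k privilege
## Audit trail protection: PCI DSS 10.5 (secure audit trails from tampering)
-w /etc/audit/ -p wa -k auditconfig
-w /var/log/audit/ -k auditlog
## Root actions by logged-in users, e.g. via sudo: PCI DSS 10.2.2
-a always,exit -F arch=b64 -S execve -F euid=0 -F auid>=500 -F auid!=4294967295 -k rootcmd
## System time changes: PCI DSS 10.4 (time synchronisation)
-a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -k time
-w /etc/localtime -p wa -k time
## Lock the configuration; further rule changes then require a reboot
-e 2
",
    require => Package['audit'],
    notify  => Service['auditd'],
  }

  # Caveat: once '-e 2' is active, auditctl rejects rule changes until the
  # host reboots, so edits made by a later Puppet run do not take effect
  # until then. That is the intended protection against runtime tampering.
  service { 'auditd':
    ensure => running,
    enable => true,
  }
}
```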

baseline
Disabling services
Sysctl tuning
Disabling interactive startup
Password for single-user mode
Profile tuning
PCI DSS required info in issue/issue.net

clamav
Scanning policies
Update policies
Logging

controller_ipsec
Mesh tunnels between controllers

limits
Tuning system limits

Logstash (+ kibana + zeromq)
Entire log collection infrastructure
Predefined OpenStack inputs + filters

pam
Cracklib
Blocking accounts

pwpolicy
Password policies

rabbitmq
Added SSL support

securetty
Disabling root login on console

secureusers
Securing internal OpenStack and system users

ssh
Secure SSH client and server configuration

sudo
Protecting from shell escapes
Disabling sudo su for root
Secure defaults for sessions

What's not included
System images
Glance protection
Swift encryption

Tips
HSM (PoC available)
Compliance is not technology
Virtualized != cloud
Automation is king
Get an expert
Get experienced QSA
Use Quantum

Notes
Buggy egress filtering in Grizzly
No default TLS support in VNC
No image scanning, shredding, etc.
User cleanup scripts
No logging framework for tracking cloud activities?
No granular access rights
No default zero access policy

Notes on 8.5

Notes on 10.1

Roadmap
Publication will be announced on Mirantis blog
Planned date: end of 2013

Questions?
