
Keystone Security: A Symantec Perspective on Securing Keystone

Keith Newstadt, Cloud Services Architect, Symantec


Presentation Transcript


  1. Keystone Security: A Symantec Perspective on Securing Keystone
  Keith Newstadt, Cloud Services Architect
  Keystone Security – OpenStack Summit Atlanta

  2. Symantec’s Cloud Platform Engineering Objectives
  • We are building a consolidated cloud platform that provides infrastructure and platform services for next generation Symantec products and services
  • An exciting “greenfield” opportunity to re-invent our cloud infrastructure with strong executive leadership and support
  • Building a global team in the US, Europe, and Asia of top-notch, open source minded engineers in the areas of cloud and big data
  • Our development model is to use open source components as building blocks
  • Identify capability gaps and contribute back to the community
  • We have selected OpenStack as one of the underlying infrastructure services layers
  • We plan to analyze and help improve the overall security posture of OpenStack components
  • We are starting small, but will scale to thousands of nodes across multiple data centers

  3. The Symantec Team
  • Me
    • In Security for nearly 15 years
    • Norton Web Services
      • Including the Norton Identity Provider
      • Billions of requests, 100M+ users, 100M+ endpoints
      • Under constant attack
    • Now working on Symantec’s next generation cloud, using OpenStack
  • The team
    • Cloud Platform Engineering
    • Symantec Compliance Suite
    • Symantec Validation and ID Protection (VIP)
    • Symantec Product Security Group
    • Global Security Organization (InfoSec)

  4. Brief Keystone Overview
  • Single point of auth for all OpenStack services
  • Single sign on to OpenStack services
  • Common API layer on top of various authentication protocols
  • Reduces exposure of credentials
  • and more…
  (Diagram: a client authenticates to Keystone and receives an identity token; it presents that identity token to an OpenStack service, which validates the identity with Keystone.)

  5. Keystone Security is Critical
  • Passwords
  • Keys
  • Certs
  • Tokens
  • DoS

  6. Symantec’s Approach to Securing Keystone
  • Threat Resilience
  • Multifactor Authentication
  • Identity Standards
  • Infrastructure
  • Operating System
  • Auditing
  • Threat Modeling
  • Security Scans
  • Compliance

  7. Process

  8.
  • What are my assets?
  • Is my particular deployment secure?
  • Where am I likely to be attacked?
  • What am I trying to protect?

  9. Threat Modeling
  • Threat categories (STRIDE): Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privileges
  • Example: could someone spoof the LDAP server? Mitigation option: LDAP server authentication

  10.
  • Did I get the right images and distros?
  • Could something malicious be injected into the deployment process?
  • Am I running the most secure patch level?
  • Am I running what I think I’m running?

  11. Supply Chain Management
  • Questions around third party component security are an unsolved problem.
  • It seems obvious, but…
    • Make sure it’s good.
    • Make sure it’s secure.
    • Make sure you’ve validated.
  • Security: stay on a secure patch level.
  • We’re using Symantec Control Compliance Suite. Others: Qualys, Nessus, etc.

  12. Environment

  13.
  • Can someone change my deployment?
  • What assets could be stolen from my environment?
  • Do I know what happened after I’ve been attacked?
  • Is my system hardened against attacks?

  14. Keystone Compliance
  • Every deployment is different. Start by following the trail from keystone.conf.
  • What to cover: Config Files, Log Files, Ports, Executables, Environment
  • Hardening
  • Auditing
  • We’re using Symantec Data Center Security for Linux and OpenStack compliance. Other tools are out there as well: SELinux, Tripwire, etc.
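"Following the trail from keystone.conf" starts with the config file itself. The script below is an added example, not code from the presentation or from Keystone: it parses a constructed keystone.conf, flags the settings a hardening review would raise first, and checks the file's permission bits. The option names it inspects (admin_token and debug in [DEFAULT], enable in [ssl], expiration in [token]) are assumed to match the keystone.conf of the release under review; the sample config and its values are constructed.

```python
"""Audit a keystone.conf for settings a hardening review would flag.

Added example; it is not code from the presentation or from Keystone.
The option names checked (admin_token and debug in [DEFAULT], enable in
[ssl], expiration in [token]) are assumed to match the keystone.conf of
the deployment under review; adjust them for your version.
"""
import configparser
import os
import stat

# Constructed sample keystone.conf, shaped like a fresh install that was
# never hardened: static bootstrap token, debug logging, no TLS on the
# API, day-long token lifetime.
SAMPLE_CONF = """\
[DEFAULT]
admin_token = ADMIN
debug = True
log_file = /var/log/keystone/keystone.log

[ssl]
enable = False

[token]
expiration = 86400
"""


def parse_conf(text):
    """Parse keystone.conf text (INI syntax) without % interpolation."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return parser


def audit_conf(parser, max_token_lifetime=3600):
    """Return a list of (severity, finding) tuples for a parsed config."""
    findings = []
    if parser.get("DEFAULT", "admin_token", fallback="").strip():
        findings.append(("high", "admin_token is set: the static bootstrap token "
                         "bypasses user authentication; unset it after bootstrap"))
    if parser.getboolean("DEFAULT", "debug", fallback=False):
        findings.append(("medium", "debug = True: debug logs can leak credentials and tokens"))
    if not parser.getboolean("ssl", "enable", fallback=False):
        findings.append(("high", "[ssl] enable is not True: credentials and tokens cross "
                         "the wire in clear text unless TLS is terminated in front of Keystone"))
    lifetime = parser.getint("token", "expiration", fallback=max_token_lifetime)
    if lifetime > max_token_lifetime:
        findings.append(("medium", f"[token] expiration = {lifetime}s exceeds "
                         f"{max_token_lifetime}s: a stolen token stays usable longer"))
    return findings


def mode_is_too_open(mode):
    """True if the permission bits grant any access to group or others."""
    return bool(mode & (stat.S_IRWXG | stat.S_IRWXO))


def audit_file_mode(path):
    """Flag a config file that group or others can read (it holds secrets)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode_is_too_open(mode):
        return [("high", f"{path} has mode {oct(mode)}; restrict it to the keystone user (0600)")]
    return []


if __name__ == "__main__":
    for severity, finding in audit_conf(parse_conf(SAMPLE_CONF)):
        print(f"[{severity}] {finding}")
```

Run it against the real file with `audit_conf(parse_conf(open("/etc/keystone/keystone.conf").read()))` plus `audit_file_mode(...)`; the checks are deliberately simple so that each one maps to a line in the compliance report and to a single config change to fix it.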

  15.
  • What high value assets are being transmitted?
  • What would be the repercussions if these assets were intercepted or tampered with?
  • How much of my environment do I trust?
  • Is my data secure while in motion?

  16. Security of Credentials on the Wire
  • Assets: credentials and tokens (e.g. POST /tokens)
  • Attack vectors on both internal and external networks.
  • Balance risk and cost.
  (Diagram: Cinder, Nova, Swift, … each sending POST /tokens to Keystone.)

  17. Application

  18.
  • Who is attacking me?
  • What is their target?
  • How do I stop them?
  • Will I know when I’m under attack? (and I will be…)

  19. Keystone Intrusion Detection
  • Prevention: how do you fend off an attack?
    • Rate limiting to impede brute force attacks
    • Challenges to foil automated attacks
    • Blacklist malicious IPs
    • Detect and block anomalous user behavior
  • Forensics: what will you need after an attack?
    • Track users, token hashes, source IP addresses
    • Aggregate logs in a central location
    • Perform analytics, correlation
    • Security vs. privacy
  • Add request logging and blocking at a proxy, load balancer, or in a Keystone filter
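The prevention and forensics columns meet in the request log. The detector below is an added example, not the presentation's or Keystone's code: it consumes a constructed access log in the shape a proxy or load balancer in front of Keystone might emit (timestamp, source IP, method, path, HTTP status, username), applies a sliding-window failure count per user and per source IP to POST /tokens, blocks a source once it crosses the IP threshold, and keeps only a one-way hash of any token it records. The log layout, the sample lines and the thresholds are assumptions.

```python
"""Brute-force detection over Keystone token-request logs.

Added example, not from the presentation. It consumes a constructed
access log in the shape a proxy or load balancer in front of Keystone
might emit (timestamp, source IP, method, path, HTTP status, username);
that layout and the sample lines are assumptions, not Keystone's own log
format.
"""
import hashlib
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: one source hammers POST /tokens with bad passwords
# for several accounts, one legitimate login succeeds, and the attacker
# returns half an hour later.
SAMPLE_LOG = """\
2014-05-12T10:00:00 203.0.113.7 POST /v2.0/tokens 401 alice
2014-05-12T10:00:01 203.0.113.7 POST /v2.0/tokens 401 alice
2014-05-12T10:00:02 203.0.113.7 POST /v2.0/tokens 401 alice
2014-05-12T10:00:03 203.0.113.7 POST /v2.0/tokens 401 bob
2014-05-12T10:00:04 203.0.113.7 POST /v2.0/tokens 401 carol
2014-05-12T10:00:05 198.51.100.2 POST /v2.0/tokens 200 dave
2014-05-12T10:30:00 203.0.113.7 POST /v2.0/tokens 401 alice
"""


def parse_line(line):
    ts, ip, method, path, status, user = line.split()
    return {"ts": datetime.fromisoformat(ts), "ip": ip, "method": method,
            "path": path, "status": int(status), "user": user}


def token_fingerprint(token_id):
    """Store a one-way hash of a token in forensic logs, never the token."""
    return hashlib.sha256(token_id.encode()).hexdigest()[:16]


class BruteForceDetector:
    """Sliding-window counts of failed token requests per user and per source IP."""

    def __init__(self, window=timedelta(minutes=5), user_limit=3, ip_limit=5):
        self.window = window
        self.user_limit = user_limit
        self.ip_limit = ip_limit
        self.user_fail = defaultdict(deque)   # user -> timestamps of failures
        self.ip_fail = defaultdict(deque)     # ip -> timestamps of failures
        self.blocked_ips = set()

    def _prune(self, dq, now):
        while dq and now - dq[0] > self.window:
            dq.popleft()

    def ingest(self, rec):
        """Feed one parsed record; return the alerts it triggered."""
        if not (rec["method"] == "POST" and rec["path"].endswith("/tokens")):
            return []
        if rec["ip"] in self.blocked_ips:
            return [("blocked", rec["ip"])]   # a proxy would drop this request
        if rec["status"] != 401:
            return []
        alerts = []
        for key, store, limit, kind in (
            (rec["user"], self.user_fail, self.user_limit, "user_lockout"),
            (rec["ip"], self.ip_fail, self.ip_limit, "ip_block"),
        ):
            dq = store[key]
            self._prune(dq, rec["ts"])
            dq.append(rec["ts"])
            if len(dq) == limit:          # fire once, when the threshold is crossed
                alerts.append((kind, key))
                if kind == "ip_block":
                    self.blocked_ips.add(key)
        return alerts


def run_detector(log_text, **kwargs):
    """Run the detector over a whole log; return every alert in order."""
    det = BruteForceDetector(**kwargs)
    alerts = []
    for line in log_text.splitlines():
        if line.strip():
            alerts.extend(det.ingest(parse_line(line)))
    return alerts


if __name__ == "__main__":
    for kind, key in run_detector(SAMPLE_LOG):
        print(f"{kind}: {key}")
```

Two design points from the slide: the per-user counter catches a slow attack on one account while the per-IP counter catches one source spraying many accounts, so both are needed; and on the "security vs. privacy" trade-off, the forensic record keeps the source IP and the username but only a truncated hash of a token id, which is enough to correlate a token across log sources without letting the log itself become a credential store.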

  20.
  • Are passwords enough?
  • What additional kinds of auth should I support?
  • How should I implement it?
  • Am I effectively validating my users?

  21. Two Factor Auth
  (Diagram: Keystone → Identity Provider → Backend Driver (LDAP Driver, SQL Driver, RADIUS Driver) → backend (LDAP Server, MySQL DB, RADIUS Server); Authenticator options: LDAP Server, VIP Service, RSA SecurID, Symantec VIP Gateway, …)
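To make the diagram's "Authenticator" step concrete, here is an added example (not the presentation's or Keystone's code) of a second factor checked alongside the password: a local RFC 6238 TOTP verifier stands in for the VIP, RADIUS or SecurID service. The user record is a constructed in-memory dict; its TOTP secret is the RFC 6238 test secret, used only so the generated codes can be checked against the RFC's published vectors.

```python
"""Second factor (RFC 6238 TOTP) checked alongside the password.

Added example, not the presentation's or Keystone's code. It stands in
for the "Authenticator" box of the slide's diagram with a local TOTP
verifier instead of a VIP, RADIUS or SecurID service; the user record is
a constructed in-memory dict and the TOTP secret is the RFC 6238 test
secret, used here only so the codes can be checked against the RFC.
"""
import hashlib
import hmac
import struct
import time

PBKDF2_ROUNDS = 100_000


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1, dynamic truncation, modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return code % (10 ** digits)


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP over the current 30-second time step."""
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret, code, unix_time, step=30, digits=6, window=1):
    """Accept the current step and +/- window steps to absorb clock drift.

    Every candidate is compared with a constant-time comparison and the
    results are collected before aggregation, so the loop does not stop
    at the first match.
    """
    base = int(unix_time) // step
    submitted = str(code).zfill(digits)
    matches = [hmac.compare_digest(f"{hotp(secret, c, digits):0{digits}d}", submitted)
               for c in range(base - window, base + window + 1)]
    return any(matches)


def _password_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# Constructed user store; a real deployment reads this from the identity
# backend (LDAP, SQL) and the OTP secret from the second-factor service.
USERS = {
    "alice": {
        "salt": b"constructed-salt-value",
        "pw_hash": _password_hash("correct horse", b"constructed-salt-value"),
        "totp_secret": b"12345678901234567890",   # RFC 6238 test secret
    },
}
_DUMMY = USERS["alice"]   # keeps the work done for unknown users the same


def authenticate(username, password, otp, now=None):
    """Return (ok, reason). Both factors are always evaluated and the
    failure message never says which one was wrong, so a response on
    its own does not confirm a valid username or password."""
    now = time.time() if now is None else now
    user = USERS.get(username, _DUMMY)
    pw_ok = hmac.compare_digest(_password_hash(password, user["salt"]), user["pw_hash"])
    otp_ok = verify_totp(user["totp_secret"], otp, now)
    if username in USERS and pw_ok and otp_ok:
        return True, "ok"
    return False, "authentication failed"
```

The drift window is the part to get right in production: one step either side absorbs ordinary clock skew, while a wider window multiplies the number of codes an attacker can guess per attempt, so pair it with the rate limiting from the intrusion-detection slide rather than widening it.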

  22.
  • How do I delegate?
  • How do I control access scope?
  • What is the technical and management cost of a solution?
  • How do my services and scripts authenticate themselves?

  23. Autonomous Authentication
  • Considerations:
    • Secure cached credentials
    • Limit scope
    • Expiration
    • Management
  • Potential Solutions:
    • Cached passwords
    • EC2 key
    • Trusts
    • Keys
    • Certificates
    • ?
  (Diagram: a Service presents credentials (?) to Keystone, receives a Token, and uses it against Nova; the open question is how that delegation is done.)
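Of the solutions listed, trusts address "limit scope" and "expiration" directly. The model below is an added example, not the presentation's code and not Keystone's API: it mimics the shape of a Keystone trust (a trustor delegates a subset of the roles it actually holds on one project to a trustee, for a limited time) in a few in-memory classes, mints a token that can never outlive the trust, and shows the service-side authorization check. The class names, the HMAC token format and the sample users and roles are constructed.

```python
"""Toy model of delegated, scoped, expiring service credentials.

Added example, not from the presentation and not Keystone's API. It
mimics the shape of a Keystone trust (a trustor delegates a subset of the
roles it holds on one project to a trustee, for a limited time) with a
few in-memory classes; the class names, the HMAC token format and the
sample users are constructed for this example.
"""
import hashlib
import hmac
import json
import secrets

SIGNING_KEY = secrets.token_bytes(32)   # per-process key for the toy token format


class Trust:
    def __init__(self, trustor, trustee, project, roles, ttl_seconds, now):
        self.id = secrets.token_hex(8)
        self.trustor, self.trustee, self.project = trustor, trustee, project
        self.roles = frozenset(roles)
        self.expires_at = now + ttl_seconds


class TrustStore:
    def __init__(self):
        self.trusts = {}
        self.user_roles = {}    # (user, project) -> roles the user actually holds

    def grant_roles(self, user, project, roles):
        self.user_roles[(user, project)] = frozenset(roles)

    def create_trust(self, trustor, trustee, project, roles, ttl_seconds, now):
        """Delegate only roles the trustor holds; never a superset."""
        held = self.user_roles.get((trustor, project), frozenset())
        if not set(roles) <= held:
            raise PermissionError("cannot delegate roles the trustor does not hold")
        trust = Trust(trustor, trustee, project, roles, ttl_seconds, now)
        self.trusts[trust.id] = trust
        return trust.id

    def issue_trust_token(self, trust_id, trustee, now, token_ttl=3600):
        """Mint a token scoped to the trust; it never outlives the trust."""
        trust = self.trusts.get(trust_id)
        if trust is None or trust.trustee != trustee:
            raise PermissionError("no such trust for this trustee")
        if now >= trust.expires_at:
            raise PermissionError("trust expired")
        payload = {"user": trustee, "acting_for": trust.trustor,
                   "project": trust.project, "roles": sorted(trust.roles),
                   "exp": min(now + token_ttl, trust.expires_at)}
        return sign(payload)


def sign(payload):
    body = json.dumps(payload, sort_keys=True).encode()
    mac = hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()
    return body.hex() + "." + mac


def validate_token(token, now):
    """Return the payload if the MAC verifies and the token is unexpired, else None."""
    body_hex, _, mac = token.partition(".")
    body = bytes.fromhex(body_hex)
    expected = hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return None
    payload = json.loads(body)
    return payload if now < payload["exp"] else None


def authorize(payload, project, required_role):
    """Service-side check: right project and a delegated role, nothing more."""
    return (payload is not None and payload["project"] == project
            and required_role in payload["roles"])
```

Compared with a cached password, the service holds only a trust id and its own identity: a leaked token is bounded by the delegated roles, the project and the expiry, and revoking the trust stops further tokens without rotating anyone's password. The "management" consideration is what this toy leaves out; in a real deployment, trust creation, audit and revocation are the bulk of the work.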

  24. Standards…

  25. Keystone and Standard Protocols
  • Interest in industry standard Identity protocols for OpenStack
  • Symantec has been through a migration like this before
  • Community has already submitted blueprints
  • Benefits
    • Single sign on
    • Improved integration
    • Control over credentials
    • Unified authentication experience
  • Symantec will look to participate in this effort

  26. Parting thoughts
  • Protect your credentials everywhere
  • Securing your use of Keystone is an ongoing process
  • Share

  27. Q&A

  28. Keith Newstadt, keith_newstadt@symantec.com
