Keystone Security A Symantec Perspective on Securing Keystone


Transcript of Keystone Security A Symantec Perspective on Securing Keystone

Page 1: Keystone Security A Symantec Perspective on Securing Keystone

Keystone Security – OpenStack Summit Atlanta 1

Keystone Security: A Symantec Perspective on Securing Keystone

Keith Newstadt, Cloud Services Architect

Page 2: Keystone Security A Symantec Perspective on Securing Keystone

Symantec’s Cloud Platform Engineering Objectives

• We are building a consolidated cloud platform that provides infrastructure and platform services for next generation Symantec products and services
  – An exciting “greenfield” opportunity to re-invent our cloud infrastructure with strong executive leadership and support
  – Building a global team in the US, Europe, and Asia of top-notch, open source minded engineers in the areas of cloud and big data
• Our development model is to use open source components as building blocks
  – Identify capability gaps and contribute back to the community
• We have selected OpenStack as one of the underlying infrastructure services layers
• We plan to analyze and help improve the overall security posture of OpenStack components
• We are starting small, but will scale to thousands of nodes across multiple data centers

Page 3: Keystone Security A Symantec Perspective on Securing Keystone

The Symantec Team

• Me
  – In Security for nearly 15 years
  – Norton Web Services
    • Including the Norton Identity Provider
    • Billions of requests, 100M+ users, 100M+ endpoints
    • Under constant attack
  – Now working on Symantec’s next generation cloud, using OpenStack
• The team
  – Cloud Platform Engineering
  – Symantec Compliance Suite
  – Symantec Validation and ID Protection (VIP)
  – Symantec Product Security Group
  – Global Security Organization (InfoSec)

Page 4: Keystone Security A Symantec Perspective on Securing Keystone

Brief Keystone Overview

[Diagram: an OpenStack service authenticates against Keystone and receives an identity token; the token is presented to other OpenStack services, which validate it with Keystone.]

• Single point of auth for all OpenStack services
• Single sign on to OpenStack services
• Reduces exposure of credentials
• Common API layer on top of various authentication protocols
• and more…

Page 5: Keystone Security A Symantec Perspective on Securing Keystone

Keystone Security is Critical

[Diagram: what is at stake in Keystone]
• Passwords
• Keys
• Certs
• Tokens
• DoS

Page 6: Keystone Security A Symantec Perspective on Securing Keystone

Symantec’s Approach to Securing Keystone

[Diagram: three layers, Application, Environment and Process, surrounded by the topics covered in the rest of the deck]
• Threat Modeling, Security Scans, Compliance
• Infrastructure, Operating System, Auditing
• Threat Resilience, Multifactor Authentication, Identity Standards

Page 7: Keystone Security A Symantec Perspective on Securing Keystone


Process

Page 8: Keystone Security A Symantec Perspective on Securing Keystone

What am I trying to protect? What are my assets?

Is my particular deployment secure?

Where am I likely to be attacked?

Page 9: Keystone Security A Symantec Perspective on Securing Keystone

Threat Modeling

Walk the STRIDE categories against your own deployment:
• Spoofing: Could someone spoof the LDAP server? Mitigation option: LDAP server authentication
• Tampering
• Repudiation
• Information Disclosure
• Denial of Service
• Elevation of Privileges

Page 10: Keystone Security A Symantec Perspective on Securing Keystone

Am I running what I think I’m running? Did I get the right images and distros?

Could something malicious be injected into the deployment process?

Am I running the most secure patch level?

Page 11: Keystone Security A Symantec Perspective on Securing Keystone

Supply Chain Management

[Diagram: pipeline Download → Build → Deploy → Patch]
• Download: make sure it’s good.
• Build: make sure it’s secure.
• Deploy: make sure you’ve validated.
• Patch: stay on a secure patch level. We’re using Symantec Control Compliance Suite; others: Qualys, Nessus, etc.

Questions around third party component security are an unsolved problem.

It seems obvious, but… Security
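The “make sure you’ve validated” step, as an added example in Python (not code from the slides, from Symantec, or from OpenStack): artifacts in a download directory are checked against a sha256sum-style manifest, and anything tampered, missing, or never listed is reported rather than silently built or deployed. The artifact names, contents, and digests are constructed for the demo; in a real pipeline the manifest itself must come from a signed, trusted source before its digests mean anything.

```python
import hashlib
import hmac
import os
import tempfile

def sha256_file(path):
    """Stream the file so large tarballs and images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def parse_manifest(text):
    """Parse sha256sum-style lines ('<hex digest>  <name>'); comments are ignored."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, sep, name = line.partition("  ")
        if not sep or len(digest) != 64 or not name:
            raise ValueError("malformed manifest line: %r" % raw)
        entries[name] = digest.lower()
    return entries

def verify_tree(root, manifest):
    """Map each artifact name to 'ok', 'mismatch', 'missing' or 'unlisted'.
    An unlisted file is as suspicious as a mismatch: nothing ever validated it."""
    result = {}
    for name, expected in manifest.items():
        path = os.path.join(root, name)
        if not os.path.isfile(path):
            result[name] = "missing"
            continue
        # Constant-time compare so the check itself leaks nothing about the digest.
        result[name] = "ok" if hmac.compare_digest(sha256_file(path), expected) else "mismatch"
    for name in os.listdir(root):
        if name not in manifest:
            result[name] = "unlisted"
    return result

def demo():
    """Constructed download directory: one good artifact, one modified in transit,
    one the manifest expects but is absent, and one that nobody listed."""
    good = b"constructed keystone tarball bytes"
    original_client = b"constructed client tarball bytes"
    tampered_client = original_client + b", modified in transit"
    with tempfile.TemporaryDirectory() as root:
        for name, data in (("keystone-2014.1.tar.gz", good),
                           ("python-keystoneclient.tar.gz", tampered_client),
                           ("install.sh", b"#!/bin/sh\necho not in the manifest\n")):
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        manifest = parse_manifest("""
# SHA256SUMS (constructed for this example)
%s  keystone-2014.1.tar.gz
%s  python-keystoneclient.tar.gz
%s  keystone-manuals.pdf
""" % (hashlib.sha256(good).hexdigest(),
       hashlib.sha256(original_client).hexdigest(),
       "0" * 64))
        return verify_tree(root, manifest)
```

`demo()` returns the per-artifact verdicts; a build step should refuse to continue unless every verdict is `ok`.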

Page 12: Keystone Security A Symantec Perspective on Securing Keystone


Environment

Page 13: Keystone Security A Symantec Perspective on Securing Keystone


Is my system hardened against attacks?

Can someone change my deployment?

What assets could be stolen from my environment?

Do I know what happened after I’ve been attacked?

Page 14: Keystone Security A Symantec Perspective on Securing Keystone

Keystone Compliance

HARDENING and AUDITING. We’re using Symantec Data Center Security for Linux and OpenStack compliance. Other tools are out there as well: SELinux, Tripwire, etc.

What to harden and audit:
• Config Files
• Log Files
• Ports
• Executables

Every deployment is different. Start by following the trail from keystone.conf.
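Following the trail from keystone.conf, as an added example in Python (not code from the slides, from Symantec, or from Keystone itself). It reads a constructed keystone.conf, flags the weak settings a hardening pass should catch, applies the LDAP spoofing mitigation from the threat-modeling slide (the server must be authenticated over TLS with its certificate demanded), and lists the files the config points at so they can go under integrity monitoring. The option names (`admin_token`, `[database] connection`, `[ldap] url`/`use_tls`/`tls_req_cert`, `[ssl] enable`, `[signing]`) are Icehouse-era keystone.conf options; the sample values, paths, and the 0o640 file mode are assumptions.

```python
import configparser
import stat
from urllib.parse import urlsplit

# Constructed keystone.conf with deliberately weak settings. Not a real deployment.
WEAK_CONF = """
[DEFAULT]
admin_token = ADMIN
debug = True
public_port = 5000
admin_port = 35357
log_file = /var/log/keystone/keystone.log

[database]
connection = mysql://keystone:s3cret@db.internal/keystone

[ldap]
url = ldap://ldap.internal
user = cn=admin,dc=example,dc=com
password = ldap-secret
use_tls = False
tls_req_cert = never

[ssl]
enable = False
"""

# The same deployment hardened: no shared admin token, LDAP over ldaps:// with
# the server certificate demanded against a pinned CA, Keystone serving TLS.
HARDENED_CONF = """
[DEFAULT]
debug = False
public_port = 5000
admin_port = 35357
log_file = /var/log/keystone/keystone.log

[database]
connection = mysql://keystone:s3cret@db.internal/keystone

[ldap]
url = ldaps://ldap.internal
user = cn=keystone-bind,dc=example,dc=com
password = ldap-secret
tls_cacertfile = /etc/keystone/ssl/ldap-ca.pem
tls_req_cert = demand

[ssl]
enable = True
certfile = /etc/keystone/ssl/certs/keystone.pem
keyfile = /etc/keystone/ssl/private/keystonekey.pem
"""

def audit_keystone_conf(text, conf_mode=0o640):
    """Return findings for a keystone.conf body; conf_mode is the file's mode bits."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    if conf_mode & stat.S_IROTH:
        findings.append("keystone.conf is world-readable but holds secrets")
    # The shared admin_token bypasses normal authentication entirely.
    if cp.get("DEFAULT", "admin_token", fallback=""):
        findings.append("admin_token is set: shared bootstrap secret grants full admin access")
    if cp.getboolean("DEFAULT", "debug", fallback=False):
        findings.append("debug = True: verbose logs can leak credentials and tokens")
    # Ports: both listeners need firewalling and TLS in front of them.
    for opt in ("public_port", "admin_port"):
        port = cp.get("DEFAULT", opt, fallback=None)
        if port:
            findings.append("listener %s=%s: confirm firewall rules and TLS termination" % (opt, port))
    conn = cp.get("database", "connection", fallback="")
    if conn and urlsplit(conn).password:
        findings.append("database password embedded in [database] connection")
    # Spoofing mitigation from the threat model: authenticate the LDAP server.
    url = cp.get("ldap", "url", fallback="")
    if url:
        if not url.startswith("ldaps://") and not cp.getboolean("ldap", "use_tls", fallback=False):
            findings.append("LDAP traffic is plaintext: use ldaps:// or use_tls = True")
        if cp.get("ldap", "tls_req_cert", fallback="demand") != "demand":
            findings.append("tls_req_cert is not 'demand': LDAP server certificate is not verified")
        if cp.get("ldap", "password", fallback=""):
            findings.append("LDAP bind password stored in keystone.conf: protect the file")
    if not cp.getboolean("ssl", "enable", fallback=False):
        findings.append("[ssl] enable = False: confirm TLS is terminated in front of Keystone")
    return findings

def files_to_watch(text):
    """Paths referenced by keystone.conf that belong under integrity monitoring."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    keys = [("DEFAULT", "log_file"), ("ssl", "certfile"), ("ssl", "keyfile"),
            ("ssl", "ca_certs"), ("signing", "certfile"), ("signing", "keyfile"),
            ("signing", "ca_certs"), ("ldap", "tls_cacertfile")]
    return sorted({cp.get(s, k) for s, k in keys if cp.has_option(s, k)})
```

Run `audit_keystone_conf` over the real file (passing `os.stat(path).st_mode` as `conf_mode`) and feed `files_to_watch` into the integrity tool; the port findings are reminders to check, not defects in themselves.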

Page 15: Keystone Security A Symantec Perspective on Securing Keystone

Is my data secure while in motion? What high value assets are being transmitted?

What would be the repercussions if these assets were intercepted or tampered with?

How much of my environment do I trust?

Page 16: Keystone Security A Symantec Perspective on Securing Keystone

Security of Credentials on the Wire

[Diagram: a client sends POST /tokens to Keystone; the returned token then travels to Nova, Cinder, Swift, …]

Attack vectors on both internal and external networks.

Assets: credentials and tokens.

Balance risk and cost.
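One concrete check for this slide, as an added example in Python (not code from the slides, from Symantec, or from OpenStack): the POST /tokens request carries the password and the response carries the token plus the service catalog, and every catalog URL the token will later be sent to is a place it can be sniffed. The function below reads a v2-format token response and reports each endpoint that is not https, split into public (external attack surface) and internal/admin (internal network) so the risk-versus-cost call can be made per interface. The catalog, hostnames, and token id are constructed.

```python
import json
from urllib.parse import urlsplit

# Constructed Keystone v2 token response (the shape returned by POST /tokens).
SAMPLE_TOKEN_RESPONSE = json.dumps({
    "access": {
        "token": {"id": "constructed-token-id", "expires": "2014-05-13T12:00:00Z"},
        "serviceCatalog": [
            {"type": "identity", "name": "keystone", "endpoints": [
                {"region": "RegionOne",
                 "publicURL": "https://keystone.example.com:5000/v2.0",
                 "internalURL": "http://10.0.0.5:5000/v2.0",
                 "adminURL": "http://10.0.0.5:35357/v2.0"}]},
            {"type": "compute", "name": "nova", "endpoints": [
                {"region": "RegionOne",
                 "publicURL": "https://nova.example.com:8774/v2/tenant",
                 "internalURL": "https://nova.internal:8774/v2/tenant",
                 "adminURL": "https://nova.internal:8774/v2/tenant"}]},
            {"type": "object-store", "name": "swift", "endpoints": [
                {"region": "RegionOne",
                 "publicURL": "http://swift.example.com:8080/v1/AUTH_tenant",
                 "internalURL": "http://swift.internal:8080/v1/AUTH_tenant",
                 "adminURL": "http://swift.internal:8080/v1"}]},
        ]}})

# v2 catalogs carry up to three URLs per endpoint; each one is a token sink.
INTERFACES = ("publicURL", "internalURL", "adminURL")

def plaintext_endpoints(token_response_json):
    """Return [(service, interface, url)] for every catalog URL not using https.
    Scheme is taken from the parsed URL, so 'HTTPS://' and odd ports are handled."""
    catalog = json.loads(token_response_json)["access"]["serviceCatalog"]
    findings = []
    for service in catalog:
        for endpoint in service["endpoints"]:
            for iface in INTERFACES:
                url = endpoint.get(iface)
                if url and urlsplit(url).scheme.lower() != "https":
                    findings.append((service["name"], iface, url))
    return findings

def summarize(findings):
    """Split findings by exposure: publicURL faces untrusted networks, the rest
    rely on how much of the internal network you trust."""
    return {"external": [f for f in findings if f[1] == "publicURL"],
            "internal": [f for f in findings if f[1] != "publicURL"]}
```

Run it against the response from your own `POST /tokens`; an `external` entry is a token sent in the clear to the internet, an `internal` entry is a token exposed to anyone on the management or storage network.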

Page 17: Keystone Security A Symantec Perspective on Securing Keystone


Application

Page 18: Keystone Security A Symantec Perspective on Securing Keystone

Will I know when I’m under attack? (and I will be…)

Who is attacking me?

What is their target?

How do I stop them?

Page 19: Keystone Security A Symantec Perspective on Securing Keystone

Keystone Intrusion Detection

Forensics: what will you need after an attack?
• Track users, token hashes, source IP addresses
• Perform analytics, correlation
• Security vs. privacy

Prevention: how do you fend off an attack?
• Rate limiting to impede brute force attacks
• Blacklist malicious IPs
• Detect and block anomalous user behavior
• Add request logging and blocking at a proxy, load balancer, or in a Keystone filter
• Challenges to foil automated attacks

Aggregate logs in a central location.
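The “logging and blocking in a Keystone filter” item, as an added example in Python (not code from the slides, from Symantec, or from Keystone). It is a WSGI filter of the kind Keystone’s Paste pipeline can load: every request is written as one JSON record carrying the source IP, method, path, a truncated hash of the X-Auth-Token (never the token itself, so the log is useful for correlation without being a credential store), and the status; failed token requests are counted per IP in a sliding window and further token requests from that IP get 429 once the threshold is hit; an operator blocklist returns 403. The fake Keystone app, the clock, the thresholds, and the record format are assumptions for the demo.

```python
import collections
import hashlib
import io
import json
import time

TOKEN_PATHS = ("/v2.0/tokens", "/v3/auth/tokens")   # token issuance endpoints

def token_fingerprint(token):
    """Log a truncated SHA-256 of the token so records correlate without leaking it."""
    return hashlib.sha256(token.encode()).hexdigest()[:16] if token else "-"

class AuthGuard(object):
    """WSGI filter: one JSON record per request plus per-IP lockout after
    repeated failed token requests inside a sliding window."""

    def __init__(self, app, max_failures=5, window=60.0, clock=time.monotonic):
        self.app, self.max_failures, self.window, self.clock = app, max_failures, window, clock
        self.failures = collections.defaultdict(collections.deque)   # ip -> failure times
        self.blocklist = set()      # operator-supplied malicious IPs
        self.records = []           # stand-in for shipping to a central log store

    @staticmethod
    def client_ip(environ):
        # Honour X-Forwarded-For only when your own proxy or load balancer sets it.
        xff = environ.get("HTTP_X_FORWARDED_FOR")
        return xff.split(",")[0].strip() if xff else environ.get("REMOTE_ADDR", "-")

    def recent_failures(self, ip, now):
        q = self.failures[ip]
        while q and now - q[0] > self.window:      # drop failures outside the window
            q.popleft()
        return len(q)

    def deny(self, start_response, status, record):
        record["status"] = status.split(" ")[0]
        self.records.append(json.dumps(record))
        start_response(status, [("Content-Type", "application/json")])
        return [json.dumps({"error": status}).encode()]

    def __call__(self, environ, start_response):
        now = self.clock()
        ip = self.client_ip(environ)
        path, method = environ.get("PATH_INFO", ""), environ.get("REQUEST_METHOD", "")
        record = {"ts": round(now, 3), "ip": ip, "method": method, "path": path,
                  "token": token_fingerprint(environ.get("HTTP_X_AUTH_TOKEN"))}
        is_auth = method == "POST" and path in TOKEN_PATHS
        if ip in self.blocklist:
            return self.deny(start_response, "403 Forbidden", record)
        if is_auth and self.recent_failures(ip, now) >= self.max_failures:
            return self.deny(start_response, "429 Too Many Requests", record)
        seen = {}
        def capture(status, headers, exc_info=None):
            seen["status"] = status
            return start_response(status, headers, exc_info)
        body = self.app(environ, capture)
        record["status"] = seen.get("status", "?").split(" ")[0]
        if is_auth and record["status"] == "401":     # count only failed logins
            self.failures[ip].append(now)
        self.records.append(json.dumps(record))
        return body

def fake_keystone(environ, start_response):
    """Stand-in for Keystone (constructed): exactly one password is accepted."""
    creds = json.loads(environ["wsgi.input"].read() or b"{}")
    password = creds.get("auth", {}).get("passwordCredentials", {}).get("password")
    if environ["PATH_INFO"] in TOKEN_PATHS and password != "correct horse":
        start_response("401 Unauthorized", [("Content-Type", "application/json")])
        return [b'{"error": "unauthorized"}']
    start_response("200 OK", [("Content-Type", "application/json")])
    return [b'{"access": {"token": {"id": "constructed-token"}}}']

class FakeClock(object):
    """Deterministic clock so the window logic can be exercised offline."""
    def __init__(self):
        self.t = 0.0
    def __call__(self):
        return self.t

def send(app, method, path, ip, password=None, token=None):
    """Drive the filter with a constructed WSGI environ; return the status code."""
    body = json.dumps({"auth": {"passwordCredentials": {"username": "alice",
                                                        "password": password}}}).encode()
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path, "REMOTE_ADDR": ip,
               "wsgi.input": io.BytesIO(body)}
    if token:
        environ["HTTP_X_AUTH_TOKEN"] = token
    status = []
    app(environ, lambda s, h, e=None: status.append(s))
    return status[0].split(" ")[0]
```

Counting only 401 responses means a legitimate user is never throttled by their own successful logins; counting attempts instead would also slow a credential-stuffing run that guesses correctly, at the cost of more false positives behind shared NAT addresses.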

Page 20: Keystone Security A Symantec Perspective on Securing Keystone

Am I effectively validating my users? Are passwords enough?

What additional kinds of auth should I support?

How should I implement it?

Page 21: Keystone Security A Symantec Perspective on Securing Keystone

Two Factor Auth

[Diagram: Keystone’s backend drivers on the left, and the identity provider or authenticator each one talks to on the right]
• LDAP Driver → LDAP Server
• SQL Driver → MySQL DB
• RADIUS Driver → RADIUS Server: RSA SecurID, Symantec VIP Gateway (which in turn consults an LDAP Server and the VIP Service), …
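What the RADIUS driver in that diagram has to get right on the wire, as an added example in Python (not code from the slides, from Symantec, or from Keystone): build an RFC 2865 Access-Request carrying the user name and the PAP-obfuscated password or one-time code, and, on the reply, verify the Response Authenticator before believing an Access-Accept, since a reply without that check can be forged by anyone who can reach the driver. The shared secret, NAS identifier, user and code are constructed; the framing, attribute types and MD5 construction are what the RFC specifies.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IDENTIFIER = 1, 2, 32   # RFC 2865 attribute types

def _attr(kind, value):
    """Type, Length (including the 2-byte header), Value."""
    return struct.pack("!BB", kind, len(value) + 2) + value

def encrypt_password(password, secret, authenticator):
    """RFC 2865 section 5.2: pad to 16-byte blocks, XOR each with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    p = password.encode()
    if not p or len(p) > 128:
        raise ValueError("User-Password must be 1..128 bytes")
    p += b"\x00" * (-len(p) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(p), 16):
        block = hashlib.md5(secret + prev).digest()
        cipher = bytes(x ^ y for x, y in zip(p[i:i + 16], block))
        out += cipher
        prev = cipher
    return out

def decrypt_password(blob, secret, authenticator):
    """Inverse of encrypt_password (what the RADIUS server does)."""
    out, prev = b"", authenticator
    for i in range(0, len(blob), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(blob[i:i + 16], block))
        prev = blob[i:i + 16]
    return out.rstrip(b"\x00").decode()

def build_access_request(ident, username, password, secret, nas_id, authenticator=None):
    """Return (packet, request_authenticator); keep the authenticator to check the reply."""
    req_auth = authenticator or os.urandom(16)
    attrs = (_attr(USER_NAME, username.encode()) +
             _attr(USER_PASSWORD, encrypt_password(password, secret, req_auth)) +
             _attr(NAS_IDENTIFIER, nas_id.encode()))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + req_auth + attrs, req_auth

def response_authenticator(code, ident, attrs, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret) per RFC 2865 section 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_response(code, ident, request_auth, secret, attrs=b""):
    """What a server (or a test double) sends back."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + response_authenticator(code, ident, attrs, request_auth, secret) + attrs

def verify_response(packet, expected_ident, request_auth, secret):
    """Return 'accept', 'reject' or 'invalid'. An Access-Accept whose Response
    Authenticator does not match our own request is treated as an attack, not a login."""
    if len(packet) < 20:
        return "invalid"
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if ident != expected_ident or length != len(packet):
        return "invalid"
    attrs = packet[20:]
    expected = response_authenticator(code, ident, attrs, request_auth, secret)
    if not hmac.compare_digest(packet[4:20], expected):
        return "invalid"
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, "invalid")
```

MD5 here is what the protocol prescribes, not a choice; in a deployment also require the RFC 2869 Message-Authenticator attribute on both directions and keep the driver-to-server path on a trusted or IPsec-protected segment, because the PAP obfuscation above protects the password only against casual observation, not against an attacker who holds the shared secret.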

Page 22: Keystone Security A Symantec Perspective on Securing Keystone


How do my services and scripts authenticate themselves?

How do I delegate?

How do I control access scope?

What is the technical and management cost of a solution?

Page 23: Keystone Security A Symantec Perspective on Securing Keystone

Autonomous Authentication

[Diagram: a service such as Nova holds credentials (?) and uses them to obtain a service token from Keystone; delegation shown alongside]

Considerations:
• Secure cached credentials
• Limit scope
• Expiration
• Management

Potential Solutions:
• Cached passwords
• EC2 key
• Trusts
• Keys
• Certificates
• ?
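One of the listed solutions, trusts, worked through as an added example in Python (not code from the slides, from Symantec, or from Keystone): a user delegates a named role on one project to a service account for a bounded time, and the service then requests a token scoped to that trust with its own credential, so no user password is cached anywhere. The request bodies follow the Keystone v3 OS-TRUST API; the policy ceiling, the principal ids, the project and the password are assumptions for the demo.

```python
import datetime

MAX_TRUST_LIFETIME = datetime.timedelta(days=30)   # assumed policy ceiling, not a Keystone default
TS = "%Y-%m-%dT%H:%M:%S.%fZ"                        # expires_at format used by Keystone

class TrustPolicyError(ValueError):
    """Raised when a requested trust is broader or longer-lived than policy allows."""

def build_trust_request(trustor_id, trustee_id, project_id, roles, lifetime,
                        now, impersonation=False, remaining_uses=None):
    """Body for POST /v3/OS-TRUST/trusts, checked against a scoping policy:
    explicit roles, finite lifetime within the ceiling, distinct trustor and trustee."""
    if not roles:
        raise TrustPolicyError("a trust must name the roles it delegates")
    if lifetime <= datetime.timedelta(0) or lifetime > MAX_TRUST_LIFETIME:
        raise TrustPolicyError("lifetime must be positive and at most %s" % MAX_TRUST_LIFETIME)
    if trustor_id == trustee_id:
        raise TrustPolicyError("trustor and trustee must be different principals")
    trust = {
        "trustor_user_id": trustor_id,
        "trustee_user_id": trustee_id,
        "project_id": project_id,
        "impersonation": bool(impersonation),    # False: the delegate acts as itself
        "roles": [{"name": r} for r in roles],
        "expires_at": (now + lifetime).strftime(TS),
    }
    if remaining_uses is not None:
        trust["remaining_uses"] = int(remaining_uses)
    return {"trust": trust}

def build_trust_scoped_auth(trustee_id, trustee_password, trust_id):
    """Body for POST /v3/auth/tokens: the delegate authenticates with its own
    credential and asks for a token scoped to the trust, never the trustor's password."""
    return {"auth": {
        "identity": {"methods": ["password"],
                     "password": {"user": {"id": trustee_id, "password": trustee_password}}},
        "scope": {"OS-TRUST:trust": {"id": trust_id}}}}

def trust_is_usable(trust, now):
    """Pre-flight check on a trust record (as Keystone returns it) before a job
    depends on it: expiry still in the future, uses left, at least one role."""
    exp = trust.get("expires_at")
    if not exp:
        return False                       # unbounded trusts are refused outright
    if datetime.datetime.strptime(exp, TS) <= now:
        return False
    uses = trust.get("remaining_uses")
    if uses is not None and uses <= 0:
        return False
    return bool(trust.get("roles"))

def demo():
    """Constructed principals: user-a delegates 'member' on proj-1 to a backup
    service account for one hour and 24 uses; the service asks for a scoped token."""
    now = datetime.datetime(2014, 5, 13, 12, 0, 0)
    req = build_trust_request("user-a", "svc-backup", "proj-1", ["member"],
                              datetime.timedelta(hours=1), now, remaining_uses=24)
    record = dict(req["trust"], id="trust-constructed-1")   # what Keystone would return
    auth = build_trust_scoped_auth("svc-backup", "svc-constructed-password", record["id"])
    rejected = []
    for args in [("user-a", "svc-backup", "proj-1", [], datetime.timedelta(hours=1)),
                 ("user-a", "svc-backup", "proj-1", ["admin"], datetime.timedelta(days=365)),
                 ("user-a", "user-a", "proj-1", ["member"], datetime.timedelta(hours=1))]:
        try:
            build_trust_request(*args, now=now)
        except TrustPolicyError as e:
            rejected.append(str(e))
    return {"request": req, "auth": auth,
            "usable_now": trust_is_usable(record, now),
            "usable_later": trust_is_usable(record, now + datetime.timedelta(hours=2)),
            "rejected": rejected}
```

The three rejected requests in `demo()` are the scope mistakes the slide’s considerations warn about: no roles named, a year-long admin delegation, and a user “delegating” to itself.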

Page 24: Keystone Security A Symantec Perspective on Securing Keystone


Standards…

Page 25: Keystone Security A Symantec Perspective on Securing Keystone

Keystone and Standard Protocols

• Interest in industry standard Identity protocols for OpenStack
  – Symantec has been through a migration like this before
  – Community has already submitted blueprints
• Benefits
  – Single sign on
  – Improved integration
  – Control over credentials
  – Unified authentication experience
• Symantec will look to participate in this effort

Page 26: Keystone Security A Symantec Perspective on Securing Keystone

Parting thoughts

• Protect your credentials everywhere
• Securing your use of Keystone is an ongoing process
• Share

Page 27: Keystone Security A Symantec Perspective on Securing Keystone


Q&A

Page 28: Keystone Security A Symantec Perspective on Securing Keystone

Thank you!

Copyright © 2013 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.


Keith [email protected]