Open, but Secure. OpenStack Security.

When we talk to the security sector, the concept of a private cloud is a welcome one. OpenStack is a proven technology and there are rarely any questions over how secure it is, despite the thousands of developers involved in its coding. In fact, some of the most interesting discussions we have are about how to maintain the high level of security these organisations demand whilst delivering a practical solution that meets their needs. However, there still seems to be a stigma over the viability of OpenStack as a secure alternative to costly, licensable cloud environments.

OpenStack Security

Let’s start with the obvious. OpenStack was primarily developed as a private cloud. Configured correctly, used behind the firewall, on your own network, on-premises, you can’t get much more secure. In fact, it only leaves you with the weakest point in any security system: the human using it. There are many examples, such as PayPal and VISA using OpenStack. There are also OpenStack public services, as it can be configured as IaaS as securely as any of the big public cloud services.

OpenStack divides trust into four security domains and uses these to categorise security requirements: Public (the internet) is the least trusted, then Guest (compute traffic), Management (Admin) and finally the Data domain (data in transit). Components that bridge two domains are configured to meet the requirements of the more trusted of the two. For example, the APIs bridge Guest and Public, since the API is for hooking into external applications, and the security level applied is HTTPS.

Now let’s look at the practical security features you may not know about that make OpenStack viable as a secure cloud environment.

Integrated Authentication

The Horizon dashboard is self-service, so knowing who is accessing it and what level of access they should have is managed by the Keystone identity service. Keystone allows you to confirm user identity by integrating with your existing Active Directory (AD), LDAP or other external authentication method. You can set policies for the accounts and confine users to their allocated resources. Each project space requires access credentials, so you can rest assured that access is restricted.

Cloud Instances

By default all cloud instances are created to be secure. That is, any communication to an instance has to be explicitly permitted by opening ports through Security Groups and their associated rules. For example, if you were to deploy a cloud instance hosting a web service you would need to associate a Security Group that contains ingress rules opening ports 80 and 443 to the instance.
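The allow-list behaviour described above, as an added example that is not part of the original article: the rule dictionaries mimic the fields Neutron returns for a security group rule (direction, ethertype, protocol, port_range_min/max, remote_ip_prefix, remote_group_id), the sample rules are constructed for illustration, and the audit helper flags any ingress rule reachable from anywhere that is not one of the expected public-service ports.

```python
"""Evaluate OpenStack (Neutron-style) security-group rules against sample traffic.

Added example, not OpenStack code. Rule dicts follow the Neutron rule field
names; the WEB_SG_RULES sample below is constructed for illustration.
"""
import ipaddress

# Constructed sample: a web-server security group with the two ingress rules
# the article describes (80 and 443 open to the world), SSH restricted to one
# management /24, and the usual allow-all egress rule.
WEB_SG_RULES = [
    {"direction": "ingress", "ethertype": "IPv4", "protocol": "tcp",
     "port_range_min": 80, "port_range_max": 80, "remote_ip_prefix": "0.0.0.0/0"},
    {"direction": "ingress", "ethertype": "IPv4", "protocol": "tcp",
     "port_range_min": 443, "port_range_max": 443, "remote_ip_prefix": "0.0.0.0/0"},
    {"direction": "ingress", "ethertype": "IPv4", "protocol": "tcp",
     "port_range_min": 22, "port_range_max": 22, "remote_ip_prefix": "10.0.0.0/24"},
    {"direction": "egress", "ethertype": "IPv4", "protocol": None,
     "port_range_min": None, "port_range_max": None, "remote_ip_prefix": None},
]


def rule_matches(rule, direction, protocol, port, remote_ip):
    """True if one Neutron-style rule permits this (direction, protocol, port, peer)."""
    addr = ipaddress.ip_address(remote_ip)
    if rule["direction"] != direction:
        return False
    if rule["ethertype"] != ("IPv4" if addr.version == 4 else "IPv6"):
        return False
    # protocol None means "any protocol"
    if rule["protocol"] is not None and rule["protocol"] != protocol:
        return False
    lo, hi = rule["port_range_min"], rule["port_range_max"]
    if lo is not None and (port is None or not lo <= port <= hi):
        return False
    prefix = rule["remote_ip_prefix"]
    if prefix is not None and addr not in ipaddress.ip_network(prefix):
        return False
    return True


def is_allowed(rules, direction, protocol, port, remote_ip):
    """Security groups are allow-lists: no matching rule means the traffic is dropped."""
    return any(rule_matches(r, direction, protocol, port, remote_ip) for r in rules)


def world_open_ingress(rules, expected_ports=frozenset({80, 443})):
    """Audit helper: list (protocol, lo, hi) for ingress rules open to any source
    whose port range is not wholly inside the expected public-service ports.
    Rules scoped to a remote security group are membership-based, not world-open."""
    findings = []
    for r in rules:
        if r["direction"] != "ingress" or r.get("remote_group_id"):
            continue
        if r["remote_ip_prefix"] not in (None, "0.0.0.0/0", "::/0"):
            continue
        lo, hi = r["port_range_min"], r["port_range_max"]
        if lo is None or any(p not in expected_ports for p in range(lo, hi + 1)):
            findings.append((r["protocol"], lo, hi))
    return findings


if __name__ == "__main__":
    print("443 from internet:", is_allowed(WEB_SG_RULES, "ingress", "tcp", 443, "203.0.113.5"))
    print("22 from internet:", is_allowed(WEB_SG_RULES, "ingress", "tcp", 22, "203.0.113.5"))
    print("world-open findings:", world_open_ingress(WEB_SG_RULES))
```

Running it against rules exported from a real deployment is a quick way to confirm that a group only opens what the service needs; the default group with no ingress rules passes no inbound traffic at all, which is the "secure by default" behaviour the section describes.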

During the launch process of a new cloud instance it’s possible to associate a Key Pair (security certificates generated using Horizon) with the instance. One reason for doing this is that it enforces a strong level of remote access security: connecting to the cloud instance over SSH then requires a local copy of the Key Pair, with password authentication disabled. This is the default method of logging in to Ubuntu cloud instances launched from the publicly available Ubuntu cloud image.

Secure Console

Access to Horizon is available over an SSL connection and, with the option to enable an encrypted VNC console, it’s possible to access cloud instance (Windows and Linux) ‘screens’ through the Horizon dashboard over SSL-encrypted network traffic.

Networking

Moving data around is not a weak link for OpenStack. Network configuration is orchestrated from the Horizon interface through a tenant-facing API, with IP addressing managed by the service. Each tenant, or project, network is created with its own unique VXLAN tag assigned. Networks are locked down by default.

Secure volume wipe

OpenStack security doesn’t finish once you are finished with your data. OpenStack offers three disk volume wipe procedures, so once you free up the resource for re-use you can be sure the next user can’t access your data.

  • None – OpenStack will leave the data in place and free the space for re-writing
  • Clean – Want speed and security? Then this option will overwrite the volume once with zeros.
  • Scrub – OpenStack will overwrite the disk volume with zeros 3 times.
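What each of the three policies leaves behind for the next tenant, as an added example that is not OpenStack's own code: the policy names follow the article's list, and a plain temporary file stands in for an LVM volume, with the previous tenant's data represented by a constructed marker string.

```python
"""Simulate the three volume-release policies on a file-backed volume and
check what a later tenant could read back.

Added example, not OpenStack code. Policy names (none / clean / scrub) are the
article's; the zero-pass counts implement the behaviour the article describes.
"""
import os
import tempfile

PASSES = {"none": 0, "clean": 1, "scrub": 3}
CHUNK = 1024 * 1024  # overwrite in 1 MiB chunks so large volumes don't need RAM


def wipe_volume(path, policy):
    """Apply the named policy to the volume at `path`; returns the passes made."""
    passes = PASSES[policy]
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                f.write(b"\x00" * n)
                remaining -= n
            f.flush()
            os.fsync(f.fileno())  # make sure the pass actually reached the device
    return passes


def residual_data(path, marker):
    """The next tenant's view: True if the previous tenant's marker still exists."""
    with open(path, "rb") as f:
        return marker in f.read()


def all_zero(path):
    """True if every byte of the volume reads back as zero."""
    with open(path, "rb") as f:
        while chunk := f.read(CHUNK):
            if chunk.count(0) != len(chunk):
                return False
    return True


def release_and_reuse(policy, size=2 * 1024 * 1024):
    """Fill a fresh volume with tenant data, release it under `policy`, and
    report (marker_survives, volume_is_all_zero) as the next tenant would see it."""
    marker = b"TENANT-A-CUSTOMER-RECORDS"  # constructed sample payload
    fd, path = tempfile.mkstemp(prefix="volume-")
    os.close(fd)
    try:
        with open(path, "wb") as f:
            f.write(os.urandom(size // 2) + marker + os.urandom(size // 2))
        wipe_volume(path, policy)
        return residual_data(path, marker), all_zero(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for policy in PASSES:
        survives, zeroed = release_and_reuse(policy)
        print(f"{policy:5s}: previous tenant's data readable={survives}, all zero={zeroed}")
```

The point the run makes is that with "None" the freed blocks still carry the previous tenant's bytes, while a single zero pass already removes them from anything the next instance can read through the block layer. Overwriting only addresses what the block device exposes; storage that remaps blocks underneath (thin-provisioned or flash-backed volumes) may still hold copies that an overwrite never touched, so the wipe policy is one layer of the control, not the whole of it.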

OpenStack on ScaleCloud appliances

ScaleCloud® is a cloud appliance with high density compute and terabytes of storage condensed into a single server chassis. The integrated software builds a complete new OpenStack cloud environment in less than 20 minutes, eliminating the need for specialist cloud engineers. Use it as a private cloud for on-premise application development, or for providing public cloud hosting services, or BOTH – hybrid cloud.

OpenStack Addresses Cloud Security

For a complete overview of the lengths the OpenStack Foundation goes to in securing the OpenStack projects by implementing best practices, read their “OpenStack addresses cloud security” page.

Tabitha Rawlinson
Director of Operations @ Innovate IT Ltd
As Director of Operations, Tabitha is not only responsible for the daily business logistics but also for delivering the product development pipeline in line with the company’s technology road map and ensuring it meets customers’ future needs. No mean feat, but with 10 years’ experience in product development in the energy sector for a global corporation, she brings a wealth of experience. Tabitha has an honours degree in Chemistry from The University of Kent and a PhD in Polymer Chemistry from Reading University.