Automated Security Hardening with OpenStack-Ansible
5 likes9,588 views
The document discusses the challenges of achieving effective information security in openstack environments through automated hardening using ansible. It emphasizes the need for security practices that are easy to implement, maintain, and non-disruptive, while also meeting compliance standards. Key highlights include the deployment of a security hardening role in openstack-ansible that applies over 200 security configurations rapidly, supporting users in maintaining secure systems without significant operational overhead.
![30
Design Summit:
Join the
OpenStack-Ansible developers
this Thursday/Friday in Austin!
IRC:
#openstack-ansible
Mailing list:
openstack-dev (tag with [openstack-
ansible][security])
Want to get involved?
Found a bug?
Have a new idea?](https://image.slidesharecdn.com/openstacksummitaustin2016-automatedsecurityhardeningwithopenstack-ansible-majorhayden-160426193444/85/Automated-Security-Hardening-with-OpenStack-Ansible-30-320.jpg)
Automated Security Hardening with OpenStack-Ansible
- 1. Automated Security Hardening with OpenStack-Ansible Major Hayden [email protected] @majorhayden
- 2. 2 Major Hayden Principal Architect since 2006 since 2012 since 2011
- 3. 3 Agenda • Security tug-of-war • Meeting halfway • Get involved!
- 4. 4 We can all agree on one thing: information security is insanely difficult
- 5. 5 We want just enough security to create valuable outcomes for our customers
- 6. 6 We avoid security changes that increase drag and friction within our organizations
- 7. 7Photo credit: Bruce Guenter (Flickr) If the auditors aren’t happy, nobody is happy.
- 8. 8 How do we make valuable security changes without disruption (and keep the auditors happy)?
- 9. 9Photo credit: Jaime Walker (jw1697, Flickr) Make security automatic (And yes, I know that makes it sound easy.)
- 10. 10 When the going gets tough, the tough adopt standards (This isn’t a famous quote. I just made it up for these slides.)
- 11. 11 Information security tip: People should feel like security is something they are a part of; not something that is being done to them. (I learned this lesson the hard way.)
- 12. 12 Which sounds better? Option #1 “As developers, you don’t know how to secure systems properly. We will tell you what to do and you must have it done in three months. If you don’t, we can’t take credit cards.”
- 13. 13 Which sounds better? Option #2 “Since you use Ansible, we wrote some automation that fits into your existing deployment method and won’t disrupt your production environments. Can we work with you to test it this month?”
- 14. 14 Automated security for OpenStack must be: Easy to implement Simple to maintain Non-disruptive to existing clouds Effective against attacks Open and transparent
- 15. 15 PCI-DSS 3.1 Requirement 2.2: “Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards.”
- 16. 16 Selecting the right standard is challenging Some are as long as novels Very few directly apply to Ubuntu Some have restrictive licenses
- 17. 17 Our selection: Security Technical Implementation Guide (STIG) from the Defense Information Systems Agency (DISA)
- 18. 18 Active services Authentication Boot-time security Consoles File permissions/ownership File integrity management Kernel tuning Mail Package management SSH daemon Syscall Auditing The STIG covers many of the most critical security domains
- 19. 19 STIG(RHEL 6)
- 20. 20 Ansible is a software platform for configuration management and deployment (among many other things)
- 21. 21 OpenStack-Ansible deploys a production-ready OpenStack system using Ansible tasks and roles
- 22. 22 OpenStack-Ansible has a security hardening role with two components: Ansible Role Applies automated security hardening to multiple systems Documentation With content for deployers as well as auditors
- 23. 23 openstack-ansible-security role features: Applies 200+ security configurations in 90 seconds Highly configurable Comes with a built-in auditing mode for testing or for use with compliance auditors Carefully written to be non- disruptive to existing OpenStack clouds
- 24. 24 Documentation Configuration requirement from the STIG Link to the STIG viewer Notes for deployers about exceptions and additional configurations (auditors want to see these, too)
- 26. 26 Configuration
- 27. 27 Configuration Flip a boolean and redeploy the entire role or use a tag to only deploy certain parts.
- 28. 28 How do I get it? OpenStack-Ansible deployers Rackspace Private Cloud customers Anyone on Earth Already available in OpenStack-Ansible’s Liberty, Mitaka, and Newton releases! Adjust apply_security_hardening to True and deploy! Coming soon in Rackspace Private Cloud 12.2! Speak with your account manager for more details. Use it with your existing Ansible playbooks! The role works well in OpenStack and non- OpenStack environments (see the docs).
- 29. 29Photo credit: fvanrenterghem (Flickr) The road ahead: Support for Ubuntu 16.04 and CentOS 7 Rebase using the new STIG guidelines for RHEL 7 Improved reporting and metrics Identify configuration security issues within OpenStack services
- 30. 30 Design Summit: Join the OpenStack-Ansible developers this Thursday/Friday in Austin! IRC: #openstack-ansible Mailing list: openstack-dev (tag with [openstack- ansible][security]) Want to get involved? Found a bug? Have a new idea?