Making section id names readable in security guide

In the security guide, the section id names are the chapter name
with a random id number on the end. This is harder to work with and not
really necessary; for example,
case-studies-system-documentation-idp44480 is replaced with
"case-studies-system-documentation-alice-private-cloud".

Changing the ids at the section definitions for case studies throughout.
No references are made to these section ids within the security guide, and
hence no changes are needed there.

Partial-Bug: #1340388

Change-Id: Ibaccd164332239dc9d701a74f5b84c2fd357feb6
Priti Desai 2014-09-08 12:27:42 -07:00
parent ec3e7f8404
commit b950fd4532
13 changed files with 26 additions and 26 deletions
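The commit message asserts by inspection that nothing in the guide links to the old ids. The POSIX shell script below is an added check, not part of this commit or of the openstack-manuals repository: it walks a DocBook tree and reports duplicate xml:ids, linkend/endterm/xlink:href="#…" references that no longer resolve, and any id still carrying the auto-generated -idpNNNN/-idmNNNN suffix. The two-file tree it runs on is constructed for the example; the function and file names are assumptions, not anything from the repository.

```shell
#!/bin/sh
# Added example (not part of the commit): checks a reviewer would run after an
# xml:id rename across a DocBook tree.
#   1. every xml:id is unique across the tree
#   2. every linkend/endterm/xlink:href="#id" reference resolves to an xml:id
#   3. no id of the old auto-generated form (...-idp12345 / ...-idm12345) survives
# File names and contents below are constructed for this example.
set -u

# check_docbook_ids DIR -> prints findings, returns 0 if clean, 1 otherwise
check_docbook_ids() {
    dir=$1
    status=0

    # every defined id, one per line
    ids=$(grep -rhoE 'xml:id="[^"]+"' "$dir" | sed 's/xml:id="\(.*\)"/\1/')

    # 1. duplicate ids (the rename keeps ids unique only via the chapter prefix)
    dups=$(printf '%s\n' "$ids" | sort | uniq -d)
    if [ -n "$dups" ]; then
        printf 'duplicate xml:id: %s\n' "$dups"
        status=1
    fi

    # 2. references that point at an id nobody defines any more
    refs=$(grep -rhoE '(linkend|endterm)="[^"]+"|xlink:href="#[^"]+"' "$dir" \
           | sed -E 's/^[^"]*="#?//; s/"$//')
    for r in $refs; do
        if ! printf '%s\n' "$ids" | grep -qx -- "$r"; then
            printf 'dangling reference: %s\n' "$r"
            status=1
        fi
    done

    # 3. auto-generated ids the rename missed (both idp and idm forms)
    leftovers=$(printf '%s\n' "$ids" | grep -E -- '-id[pm][0-9]+$' || true)
    if [ -n "$leftovers" ]; then
        printf 'auto-generated id still present: %s\n' "$leftovers"
        status=1
    fi
    return $status
}

# make_fixture MODE -> prints a temp dir holding a tiny constructed DocBook tree.
# MODE "clean": only renamed ids. MODE "broken": one xref still uses an old id.
make_fixture() {
    mode=$1
    d=$(mktemp -d)
    cat > "$d/ch_messaging.xml" <<'EOF'
<chapter xmlns="http://docbook.org/ns/docbook" version="5.0">
  <section xml:id="case-studies-messaging-alice-private-cloud"><title>Alice's private cloud</title></section>
  <section xml:id="case-studies-messaging-bob-public-cloud"><title>Bob's public cloud</title></section>
</chapter>
EOF
    if [ "$mode" = broken ]; then
        ref='case-studies-messaging-idp38416'
    else
        ref='case-studies-messaging-bob-public-cloud'
    fi
    cat > "$d/ch_intro.xml" <<EOF
<chapter xmlns="http://docbook.org/ns/docbook" version="5.0">
  <para>See <xref linkend="$ref"/> for Bob's controls.</para>
</chapter>
EOF
    printf '%s\n' "$d"
}

# Stand-alone demo: the broken tree reports the stale reference and returns 1.
demo=$(make_fixture broken)
check_docbook_ids "$demo" || printf 'tree is NOT clean (exit %d)\n' "$?"
rm -rf "$demo"
```

Run it against the real tree with `check_docbook_ids doc/security-guide` before and after the rename; the third check is the one that tells you whether any `-idp`/`-idm` ids (the monitoring chapter's old id is an `idm` one) were left behind.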

View File

@ -14,7 +14,7 @@
directory services, while Bob will need to provide access to the
public.
</para>
<section xml:id="case-studies-identity-management-idp87424">
<section xml:id="case-studies-identity-management-alice-private-cloud">
<title>Alice's private cloud</title>
<para>
Alice's enterprise has a well-established directory service
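Review bot: the new ids such as case-studies-identity-management-alice-private-cloud are unique only because of the chapter prefix, so please confirm the "no references" claim with a grep for the old ids (linkend="case-studies-identity-management-idp87424" and the other twelve) across the whole guide, including book-level files, not just the case-study chapters; a stale linkend would ship as a broken cross-reference in the generated HTML rather than being caught here.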
@ -39,7 +39,7 @@
capabilities in SPICE.
</para>
</section>
<section xml:id="case-studies-identity-management-idp131936">
<section xml:id="case-studies-identity-management-bob-public-cloud">
<title>Bob's public cloud</title>
<para>
Because Bob must support authentication for the general

View File

@ -7,7 +7,7 @@
<?dbhtml stop-chunking?>
<title>Case studies</title>
<para>In this case study we discuss how Alice and Bob would address endpoint configuration to secure their private and public clouds. Alice's cloud is not publicly accessible, but she is still concerned about securing the endpoints against improper use. Bob's cloud, being public, must take measures to reduce the risk of attacks by external adversaries.</para>
<section xml:id="case-studies-api-endpoints-idp3824">
<section xml:id="case-studies-api-endpoints-alice-private-cloud">
<title>Alice's private cloud</title>
<para>
Alice's organization requires that the security architecture
@ -29,7 +29,7 @@
detection on all of the API endpoints.
</para>
</section>
<section xml:id="case-studies-api-endpoints-idp6592">
<section xml:id="case-studies-api-endpoints-bob-public-cloud">
<title>Bob's public cloud</title>
<para>
Bob must also protect the access to the public and private
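Review bot: the naming convention applied here (chapter prefix plus -alice-private-cloud / -bob-public-cloud) is not written down anywhere in this change; a one-line note in the contributor guidelines would keep future case-study sections from drifting back to hand-picked or tool-generated suffixes.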

View File

@ -7,14 +7,14 @@
<?dbhtml stop-chunking?>
<title>Case studies</title>
<para>In this case study we discuss how Alice and Bob would address common compliance requirements. The preceding chapter refers to a wide variety of compliance certifications and standards. Alice will address compliance in a private cloud, while Bob will be focused on compliance for a public cloud.</para>
<section xml:id="case-studies-compliance-idp44592">
<section xml:id="case-studies-compliance-alice-private-cloud">
<title>Alice's private cloud</title>
<para>Alice is building an OpenStack private cloud for the United States government, specifically to provide elastic compute environments for signal processing. Alice has researched government compliance requirements, and has identified that her private cloud will be required to certify against FISMA and follow the FedRAMP accreditation process, which is required for all federal agencies, departments and contractors to become a Certified Cloud Provider (CCP). In this particular scenario for signal processing, the FISMA controls required will most likely be FISMA High, which indicates possible "severe or catastrophic adverse effects" should the information system become compromised. In addition to FISMA Moderate controls Alice must ensure her private cloud is FedRAMP certified, as this is a requirement for all agencies that currently utilize, or host federal information within a cloud environment.</para>
<para>To meet these strict government regulations Alice undertakes a number of activities. Scoping of requirements is particularly important due to the volume of controls that must be implemented, which will be defined in NIST Publication 800-53.</para>
<para>All technology within her private cloud must be FIPS certified technology, as mandated within NIST 800-53 and FedRAMP. As the U.S. Department of Defense is involved, Security Technical Implementation Guides (STIGs) will come into play, which are the configuration standards for DOD IA and IA-enabled devices / systems. Alice notices a number of complications here as there is no STIG for OpenStack, so she must address several underlying requirements for each OpenStack service; for example, the networking SRG and Application SRG will both be applicable (<link xlink:href="http://iase.disa.mil/srgs/index.html">list of SRGs</link>). Other critical controls include ensuring that all identities in the cloud use PKI, that SELinux is enabled, that encryption exists for all wire-level communications, and that continuous monitoring is in place and clearly documented. Alice is not concerned with object encryption, as this will be the tenants responsibility rather than the provider.</para>
<para>If Alice has adequately scoped and executed these compliance activities, she may begin the process to become FedRAMP compliant by hiring an approved third-party auditor. Typically this process takes up to 6 months, after which she will receive an Authority to Operate and can offer OpenStack cloud services to the government.</para>
</section>
<section xml:id="case-studies-compliance-idp49712">
<section xml:id="case-studies-compliance-bob-public-cloud">
<title>Bob's public cloud</title>
<para>Bob is tasked with compliance for a new OpenStack public
cloud deployment, that is focused on providing cloud services to
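Review bot: the context paragraph in Alice's section first states the required controls "will most likely be FISMA High" and then continues "In addition to FISMA Moderate controls"; that inconsistency is outside the scope of this rename but deserves a follow-up fix so the two sentences agree.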

View File

@ -9,7 +9,7 @@
<para>In this case study we discuss how Alice and Bob would address database
selection and configuration for their respective private and public
clouds.</para>
<section xml:id="case-studies-database-idp38048">
<section xml:id="case-studies-database-alice-private-cloud">
<title>Alice's private cloud</title>
<para>Alice's organization has high availability concerns and so she has
selected MySQL as the underlying database for the cloud services. She places
@ -23,7 +23,7 @@
<systemitem class="service">nova-conductor</systemitem> sub-service due to the
desire for fine-grained access control policies and audit support.</para>
</section>
<section xml:id="case-studies-database-idp40064">
<section xml:id="case-studies-database-bob-public-cloud">
<title>Bob's public cloud</title>
<para>Bob is concerned about strong separation of his tenants' data, so
he has elected to use the PostgreSQL database, known for its stronger security

View File

@ -7,13 +7,13 @@
<?dbhtml stop-chunking?>
<title>Case studies</title>
<para>In this case study we discuss how Alice and Bob would ensure that their instances are properly isolated. First we consider hypervisor selection, and then techniques for hardening QEMU and applying mandatory access controls.</para>
<section xml:id="case-studies-instance-isolation-idp480000">
<section xml:id="case-studies-instance-isolation-alice-private-cloud">
<title>Alice's private cloud</title>
<para>Alice chooses Xen for the hypervisor in her cloud due to a strong internal knowledge base and a desire to use the Xen security modules (XSM) for fine-grained policy enforcement.</para>
<para>Alice is willing to apply a relatively large amount of resources to software packaging and maintenance. She will use these resources to build a highly customized version of QEMU that has many components removed, thereby reducing the attack surface. She will also ensure that all compiler hardening options are enabled for QEMU. Alice accepts that these decisions will increase long-term maintenance costs.</para>
<para>Alice writes XSM policies (for Xen) and SELinux policies (for Linux domain 0, and device domains) to provide stronger isolation between the instances. Alice also uses the Intel TXT support in Xen to measure the hypervisor launch in the TPM.</para>
</section>
<section xml:id="case-studies-instance-isolation-idp482832">
<section xml:id="case-studies-instance-isolation-bob-public-cloud">
<title>Bob's public cloud</title>
<para>Bob is very concerned about instance isolation since the users in a public cloud represent anyone with a credit card, meaning they are inherently untrusted. Bob has just started hiring the team that will deploy the cloud, so he can tailor his candidate search for specific areas of expertise. With this in mind, Bob chooses a hypervisor based on its technical features, certifications, and community support. KVM has an EAL 4+ common criteria rating, with a labeled security protection profile (LSPP) to provide added assurance for instance isolation. This, combined with the strong support for KVM within the OpenStack community drives Bob's decision to use KVM.</para>
<para>Bob weighs the added cost of repackaging QEMU and decides that he cannot commit those resources to the project. Fortunately, his Linux distribution has already enabled the compiler hardening options. So he decides to use this QEMU package. Finally, Bob leverages sVirt to manage the SELinux polices associated with the virtualization stack.</para>

View File

@ -7,13 +7,13 @@
<?dbhtml stop-chunking?>
<title>Case studies</title>
<para>In this case study we discuss how Alice and Bob would architect their clouds with respect to instance entropy, scheduling instances, trusted images, and instance migrations.</para>
<section xml:id="case-studies-instance-management-idp44448">
<section xml:id="case-studies-instance-management-alice-private-cloud">
<title>Alice's private cloud</title>
<para>Alice has a need for lots of high quality entropy in the instances. For this reason, she decides to purchase hardware with Intel Ivy Bridge chip sets that support the RdRand instruction on each compute node. Using the entropy gathering daemon (EGD) and libvirt's EGD support, Alice ensures that this entropy pool is distributed to the instances on each compute node.</para>
<para>For instance scheduling, Alice uses the trusted compute pools to ensure that all cloud workloads are deployed to nodes that presented a proper boot time attestation. Alice decides to disable user permissions for image uploading to help ensure that the images used in the cloud are generated in a known and trusted manner by the cloud administrators.</para>
<para>Finally, Alice disables instance migrations as this feature is less critical for the high performance application workloads expected to run in this cloud. This helps avoid the various security concerns related to instance migrations.</para>
</section>
<section xml:id="case-studies-instance-management-idp47664">
<section xml:id="case-studies-instance-management-bob-public-cloud">
<title>Bob's public cloud</title>
<para>Bob is aware that entropy will be a concern for some of his customers, such as those in the financial industry. However, due to the added cost and complexity, Bob has decided to forgo integrating hardware entropy into the first iteration of his cloud. He adds hardware entropy as a fast-follow to do for a later improvement for the second generation of his cloud architecture.</para>
<para>Bob is interested in ensuring that customers receive a high quality of service. He is concerned that providing excess explicit user control over instance scheduling could negatively impact the quality of service. As a result, he disables this feature. Bob provides images in the cloud from a known trusted source for users to use. Additionally, he allows users to upload their own images. However, users generally cannot share their images. This helps prevent a user from sharing a malicious image, which could negatively impact the security of other users in the cloud.</para>

View File

@ -24,12 +24,12 @@
<para>SLA and security monitoring</para>
</listitem>
</itemizedlist>
<section xml:id="case-studies-management-interfaces-idp48432">
<section xml:id="case-studies-management-interfaces-alice-private-cloud">
<title>Alice's private cloud</title>
<para>When building her private cloud, while air-gapped, Alice still needs to consider her service management interfaces. Before deploying her private cloud, Alice has completed her system documentation. Specifically she has identified which OpenStack services will exist in each security domain. From there Alice has further restricted access to management interfaces by deploying a combination of IDS, SSL encryption, and physical network isolation. Additionally, Alice requires high availability and redundant services. Thus, Alice sets up redundant infrastructure for various OpenStack API services.</para>
<para>Alice also needs to provide assurances that the physical servers and hypervisors have been built from a known secure state into a well-defined configuration. To enable this, Alice uses a combination of a Configuration Management platform to configure each machine according to the standards and regulations she must comply with. It will also enable Alice to report periodically on the state of her cloud and perform remediation to a known state should anything be out of the ordinary. Additionally, Alice provides hardware assurances by using a PXE system to build her nodes from a known set of base images. During the boot process, Alice provides further assurances by enabling Intel TXT and related trusted boot technologies provided by the hardware.</para>
</section>
<section xml:id="case-studies-management-interfaces-idp51424">
<section xml:id="case-studies-management-interfaces-bob-public-cloud">
<title>Bob's public cloud</title>
<para>As a public cloud provider, Bob is concerned with both the continuous availability of management interfaces and the security of transactions to the management interfaces. To that end Bob implements multiple redundant OpenStack API endpoints for the services his cloud will run. Additionally on the public network Bob uses SSL to encrypt all transactions between his customers and his cloud interfaces. To isolate his cloud operations Bob has physically isolated his management, instance migration, and storage networks.</para>
<para>To ease scaling and reduce management overhead Bob implements a configuration management system. For customer data assurances, Bob offers a backup as a service product as requirements will vary between customers. Finally, Bob does not provide a "baremetal" or the ability to schedule an entire node, so to reduce management overhead and increase operational efficiency Bob does not implement any node boot time security.</para>

View File

@ -7,11 +7,11 @@
<?dbhtml stop-chunking?>
<title>Case studies</title>
<para>The message queue is a critical piece of infrastructure that supports a number of OpenStack services but is most strongly associated with the Compute service. Due to the nature of the message queue service, Alice and Bob have similar security concerns. One of the larger concerns that remains is that many systems have access to this queue and there is no way for a consumer of the queue messages to verify which host or service placed the messages on the queue. An attacker who is able to successfully place messages on the queue is able to create and delete VM instances, attach the block storage of any tenant and a myriad of other malicious actions. There are a number of solutions anticipated in the near future, with several proposals for message signing and encryption making their way through the OpenStack development process.</para>
<section xml:id="case-studies-messaging-idp38416">
<section xml:id="case-studies-messaging-alice-private-cloud">
<title>Alice's private cloud</title>
<para>In this case, Alice's controls are the same as Bob's controls, which are described below.</para>
</section>
<section xml:id="case-studies-messaging-idp39920">
<section xml:id="case-studies-messaging-bob-public-cloud">
<title>Bob's public cloud</title>
<para>Bob assumes the infrastructure or networks underpinning the Compute service could become compromised, therefore he recognizes the importance of hardening the system by restricting access to the message queue. In order to accomplish this task Bob deploys his RabbitMQ servers with SSL and X.509 client auth for access control. Hardening activities assists in limiting the capabilities of a malicious user that has compromised the system by disallowing queue access, provided that this user does not have valid credentials to override the controls.</para>
<para>Additionally, Bob adds strong network ACL rulesets to enforce which endpoints can communicate with the message servers. This second control provides some additional assurance should the other protections fail.</para>

View File

@ -7,11 +7,11 @@
<?dbhtml stop-chunking?>
<title>Case studies</title>
<para>In this case study we discuss how Alice and Bob would address monitoring and logging in the public vs a private cloud. In both instances, time synchronization and a centralized store of logs become extremely important for performing proper assessments and troubleshooting of anomalies. Just collecting logs is not very useful, a robust monitoring system must be built to generate actionable events.</para>
<section xml:id="case-studies-monitoring-and-logging-idp194928">
<section xml:id="case-studies-monitoring-and-logging-alice-private-cloud">
<title>Alice's private cloud</title>
<para>In the private cloud, Alice has a better understanding of the tenants requirements thus she has the ability to add appropriate oversight, actively enforcing compliance for monitoring and logging activities. Alice should identify critical services and data to verify that logging is turned on for each of the services while ensuring the information is being aggregated to a central log server. She should start with simple, known use cases then implement correlation and alerting to limit the number of false positives. To implement correlation and alerting, she sends the log data to her organization's existing SIEM tool. Security monitoring should be an ongoing process therefore she should continue to define use cases and alerts in order to have a better understanding of the network traffic activity and usage over time.</para>
</section>
<section xml:id="case-studies-monitoring-and-logging-idm1936">
<section xml:id="case-studies-monitoring-and-logging-bob-public-cloud">
<title>Bob's public cloud</title>
<para>When it comes to logging, as a public cloud provider, Bob is interested in the activities for situational awareness as well as compliance. In the aspect of compliance, as a provider, Bob is subject to adherence to various rules and regulations to include activities such as providing timely, relevant logs or reports to customers to meet the requirements of their compliance programs. With that in mind, Bob configures all of his instances, nodes, and infrastructure devices to perform time synchronization with an external, validated time device. Additionally, Bob's team has built a Django based web application for his customers to perform self-service log retrieval from the SIEM tool. Bob also uses this SIEM tool along with a robust set of alerts and integration with his CMDB to provide operational awareness to both customers and cloud administrators.</para>
</section>
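Review bot: the old id here was case-studies-monitoring-and-logging-idm1936, not an idp-style id as the commit message describes, so whatever grep was used to find the auto-generated ids should match both the idp and idm forms to be sure none were missed elsewhere in the guide.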

View File

@ -7,7 +7,7 @@
<?dbhtml stop-chunking?>
<title>Case studies</title>
<para>In this case study we discuss how Alice and Bob would address providing networking services to the user.</para>
<section xml:id="case-studies-networking-idp37440">
<section xml:id="case-studies-networking-alice-private-cloud">
<title>Alice's private cloud</title>
<para>A key objective of Alice's cloud is to integrate with the
existing auth services and security resources. The key design
@ -25,7 +25,7 @@
great visibility of tenant traffic by leveraging existing
features and tools of the physical infrastructure.</para>
</section>
<section xml:id="case-studies-networking-idp40064">
<section xml:id="case-studies-networking-bob-public-cloud">
<title>Bob's public cloud</title>
<para>A major business driver for Bob is to provide an advanced
networking services to his customers. Bob's customers would like

View File

@ -7,11 +7,11 @@
<?dbhtml stop-chunking?>
<title>Case studies</title>
<para>In this case study we discuss how Alice and Bob would address deployment of PKI certification authorities (CA) and certificate management.</para>
<section xml:id="case-studies-pki-and-certificate-management-idp44432">
<section xml:id="case-studies-pki-and-certificate-management-alice-private-cloud">
<title>Alice's private cloud</title>
<para>Alice as a cloud architect within a government agency knows that her agency operates its own certification authority. Alice contacts the PKI office in her agency that manages her PKI and certificate issuance. Alice obtains certificates issued by this CA and configures the services within both the public and management security domains to use these certificates. Since Alice's OpenStack deployment exists entirely on a disconnected from the Internet network, she makes sure to remove all default CA bundles that contain external public CA providers to ensure the OpenStack services only accept client certificates issued by her agency's CA.</para>
</section>
<section xml:id="case-studies-pki-and-certificate-management-idp46480">
<section xml:id="case-studies-pki-and-certificate-management-bob-public-cloud">
<title>Bob's public cloud</title>
<para>Bob is architecting a public cloud and needs to ensure that the publicly facing OpenStack services are using certificates issued by a major public CA. Bob acquires certificates for his public OpenStack services and configures the services to use PKI and SSL and includes the public CAs in his trust bundle for the services. Additionally, Bob also wants to further isolate the internal communications amongst the services within the management security domain. Bob contacts the team within his organization that is responsible for managing his organization's PKI and issuance of certificates using their own internal CA. Bob obtains certificates issued by this internal CA and configures the services that communicate within the management security domain to use these certificates and configures the services to only accept client certificates issued by his internal CA.</para>
</section>

View File

@ -7,12 +7,12 @@
<?dbhtml stop-chunking?>
<title>Case studies</title>
<para>In this case study we discuss how Alice and Bob would address their system documentation requirements. The documentation suggested above includes hardware and software records, network diagrams, and system configuration details.</para>
<section xml:id="case-studies-system-documentation-idp44480">
<section xml:id="case-studies-system-documentation-alice-private-cloud">
<title>Alice's private cloud</title>
<para>Alice needs detailed documentation to satisfy FedRAMP requirements. She sets up a configuration management database (CMDB) to store information regarding all of the hardware, firmware, and software versions used throughout the cloud. She also creates a network diagram detailing the cloud architecture, paying careful attention to the security domains and the services that span multiple security domains.</para>
<para>Alice also needs to record each network service running in the cloud, what interfaces and ports it binds to, the security domains for each service, and why the service is needed. Alice decides to build automated tools to log into each system in the cloud over secure shell (SSH) using the <link xlink:href="http://fabfile.org">Python Fabric library</link>. The tools collect and store the information in the CMDB, which simplifies the audit process.</para>
</section>
<section xml:id="case-studies-system-documentation-idp47344">
<section xml:id="case-studies-system-documentation-bob-public-cloud">
<title>Bob's public cloud</title>
<para>In this case, Bob will approach these steps the same as Alice.</para>
</section>
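Review bot: this hunk renames the id the commit message uses as its example, and in the published HTML the section anchor changes with it, so any existing bookmarks or external links to the idp44480 anchor will stop working; that is acceptable for a rename, but it is worth stating in the commit message. While here, Bob's section ("Bob will approach these steps the same as Alice") could link to Alice's with `<xref linkend="case-studies-system-documentation-alice-private-cloud"/>` now that the id is meaningful.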

View File

@ -13,7 +13,7 @@
both handle tenant data, data destruction, and data
encryption.
</para>
<section xml:id="case-studies-tenant-data-idp44416">
<section xml:id="case-studies-tenant-data-alice-private-cloud">
<title>Alice's private cloud</title>
<para>
As stated during the introduction to Alice's case study, data
@ -46,7 +46,7 @@
</listitem>
</itemizedlist>
</section>
<section xml:id="case-studies-tenant-data-idp51856">
<section xml:id="case-studies-tenant-data-bob-public-cloud">
<title>Bob's public cloud</title>
<para>
As stated during the introduction to Bob's case study, tenant