Keystone Security
A Symantec Perspective on Securing Keystone
Keith Newstadt, Cloud Services Architect
Keystone Security – OpenStack Summit Atlanta

Slide 2: Symantec's Cloud Platform Engineering Objectives
• We are building a consolidated cloud platform that provides infrastructure and platform services for next generation Symantec products and services
  – An exciting "greenfield" opportunity to re-invent our cloud infrastructure with strong executive leadership and support
  – Building a global team in the US, Europe, and Asia of top-notch, open source minded engineers in the areas of cloud and big data
• Our development model is to use open source components as building blocks
  – Identify capability gaps and contribute back to the community
• We have selected OpenStack as one of the underlying infrastructure services layers
• We plan to analyze and help improve the overall security posture of OpenStack components
• We are starting small, but will scale to thousands of nodes across multiple data centers

Slide 3: The Symantec Team
• Me
  – In security for nearly 15 years
  – Norton Web Services
    • Including the Norton Identity Provider
    • Billions of requests, 100M+ users, 100M+ endpoints
    • Under constant attack
  – Now working on Symantec's next generation cloud, using OpenStack
• The team
  – Cloud Platform Engineering
  – Symantec Compliance Suite
  – Symantec Validation and ID Protection (VIP)
  – Symantec Product Security Group
  – Global Security Organization (InfoSec)

Slide 4: Brief Keystone Overview
(Diagram: Keystone on one side, an OpenStack Service on the other, with a "Validate Identity" call from the service back to Keystone)
• Single point of auth for all OpenStack services.
• Single sign on to OpenStack services
(Diagram, continued: the client sends "Authenticate" to Keystone, receives an "Identity token", and presents that "Identity token" to the service)
• Common API layer on top of various authentication protocols
• Reduces exposure of credentials
• and more…

Slide 5: Keystone Security is Critical
Passwords · Keys · Certs · Tokens · DoS

Slide 6: Symantec's Approach to Securing Keystone
(Diagram labels: Threat Resilience, Multifactor Authentication, Application, Identity Standards, Infrastructure, Operating System, Environment, Auditing, Threat Modeling, Security Scans, Process, Compliance)

Slide 7: Process

Slide 8
What are my assets? What am I trying to protect?
Is my particular deployment secure?
Where am I likely to be attacked?

Slide 9: Threat Modeling
Threat categories: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privileges
Example: Could someone spoof the LDAP server? Mitigation option: LDAP server authentication.

Slide 10
Did I get the right images and distros?
Am I running what I think I'm running?
Could something malicious be injected into the deployment process?
Am I running the most secure patch level?

Slide 11: Security Supply Chain Management
• Download: make sure it's good.
• Build: make sure it's secure.
• Deploy: make sure you've validated.
• Patch: stay on a secure patch level.
It seems obvious, but… questions around third party component security are an unsolved problem.
We're using Symantec Control Compliance Suite. Others: Qualys, Nessus, etc.

Slide 12: Environment

Slide 13
Can someone change my deployment?
Is my system hardened against attacks?
What assets could be stolen from my environment?
Do I know what happened after I've been attacked?
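The "Download: make sure it's good" step of the Security Supply Chain Management slide is the one that is easiest to automate and most often skipped. The following is an added example, not code from the presentation or from any Symantec or OpenStack project: a publisher-side manifest builder and a consumer-side verifier in the `sha256sum` line format. Every file name and byte string in it is constructed for the demonstration.

```python
"""Verify downloaded artifacts against a SHA-256 manifest (sha256sum line format).

Added example for the "Download" step of supply chain management; not code from
the presentation. All artifact names and contents below are constructed.
"""
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict) -> str:
    """Publisher side: one 'hexdigest  name' line per file, as sha256sum prints it."""
    lines = [f"{sha256_hex(content)}  {name}" for name, content in sorted(files.items())]
    return "\n".join(lines) + "\n"


def parse_manifest(text: str) -> dict:
    """Parse sha256sum-style lines; blank lines and '#' comments are ignored."""
    expected = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        if len(digest) != 64 or not name:
            raise ValueError(f"malformed manifest line: {raw!r}")
        # sha256sum prefixes '*' to names hashed in binary mode; the name itself has none.
        expected[name.lstrip("*")] = digest.lower()
    return expected


def verify_artifacts(manifest_text: str, artifacts: dict) -> dict:
    """Consumer side: a status per name: ok, mismatch, missing (listed but absent)
    or unlisted (present but not covered by the manifest, so it has no integrity claim)."""
    expected = parse_manifest(manifest_text)
    status = {}
    for name, digest in expected.items():
        if name not in artifacts:
            status[name] = "missing"
        elif hmac.compare_digest(sha256_hex(artifacts[name]), digest):
            status[name] = "ok"
        else:
            status[name] = "mismatch"
    for name in artifacts:
        if name not in expected:
            status[name] = "unlisted"
    return status


def demo() -> dict:
    """Constructed scenario: the tarball was altered in transit, the detached
    signature never arrived, and an extra file appeared that nobody vouched for."""
    published = {
        "keystone-example.tar.gz": b"constructed tarball bytes",
        "keystone-example.tar.gz.asc": b"constructed detached signature",
    }
    manifest = build_manifest(published)
    downloaded = {
        "keystone-example.tar.gz": b"constructed tarball bytes, tampered",
        "README": b"stray file",
    }
    return verify_artifacts(manifest, downloaded)


if __name__ == "__main__":
    for name, result in sorted(demo().items()):
        print(f"{result:9} {name}")
```

A manifest fetched from the same mirror as the artifact only catches corruption; to catch substitution the manifest itself has to be signed by the publisher and the signature checked against a key obtained out of band, which is the role of the `.asc` file in the scenario above.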
Slide 14: Keystone Compliance
Areas to check: Config Files · Log Files · Ports · Executables · Environment
Every deployment is different. Start by following the trail from keystone.conf.
We're using Symantec Data Center Security for Linux and OpenStack compliance. Other tools are out there as well: SELinux, Tripwire, etc.

Slide 15
What high value assets are being transmitted?
Is my data secure while in motion?
What would be the repercussions if these assets were intercepted or tampered with?
How much of my environment do I trust?

Slide 16: Security of Credentials on the Wire
Assets: credentials and tokens (e.g. POST /tokens)
(Diagram: Keystone exchanging tokens with Nova, Cinder, Swift, …)
Attack vectors on both internal and external networks.
Balance risk and cost.

Slide 17: Application

Slide 18
Who is attacking me?
Will I know when I'm under attack? (and will I be…)
What is their target?
How do I stop them?

Slide 19: Keystone Intrusion Detection
Prevention – How do you fend off an attack?
• Rate limiting to impede brute force attacks
• Challenges to foil automated attacks
• Blacklist malicious IPs
• Detect and block anomalous user behavior
Forensics – What will you need after an attack?
• Track users, token hashes, source IP addresses
• Aggregate logs in a central location
• Perform analytics, correlation
Security vs. privacy
Add request logging and blocking at a proxy, load balancer, or in a Keystone filter.

Slide 20
Are passwords enough?
Am I effectively validating my users?
What additional kinds of auth should I support?
How should I implement it?
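The Keystone Compliance slide says to start from keystone.conf, and the credentials-on-the-wire slide asks whether tokens travel in the clear. The following is an added example that does exactly that first pass; it is not code from the presentation, from Symantec's compliance products or from the Keystone project. The two configs are constructed; the option names it reads (`admin_token` and `debug` in `[DEFAULT]`, `[database] connection`, `[token] expiration`, `[ssl] enable`) are real keystone.conf options, while the severities and the token-lifetime threshold are policy choices made for this example.

```python
"""Follow the trail from keystone.conf: a first-pass compliance check.

Added example for the Keystone Compliance slide; not code from the presentation
or from Keystone. Configs are constructed; thresholds are example policy.
"""
import configparser
import textwrap
from urllib.parse import urlsplit

MAX_TOKEN_LIFETIME = 3600  # seconds; policy threshold chosen for this example

# Constructed: a node left in its bootstrap state.
SAMPLE_INSECURE_CONF = textwrap.dedent("""
    [DEFAULT]
    admin_token = CONSTRUCTED-BOOTSTRAP-TOKEN
    debug = True
    public_port = 5000
    admin_port = 35357

    [database]
    connection = mysql://keystone:constructed-password@db.internal/keystone

    [token]
    expiration = 86400

    [ssl]
    enable = False
""")

# Constructed: the same node after hardening (paths are illustrative).
SAMPLE_HARDENED_CONF = textwrap.dedent("""
    [DEFAULT]
    #admin_token =
    debug = False

    [database]
    connection = mysql://keystone:constructed-password@db.internal/keystone

    [token]
    expiration = 3600

    [ssl]
    enable = True
    certfile = /etc/keystone/ssl/certs/keystone.pem
    keyfile = /etc/keystone/ssl/private/keystonekey.pem
""")


def load_conf(text):
    # interpolation=None: database DSNs may legitimately contain '%'.
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    return cfg


def audit_keystone_conf(text, file_mode):
    """Return (severity, code, detail) findings for a keystone.conf body and the
    file's permission bits (what os.stat(path).st_mode & 0o777 would give)."""
    cfg = load_conf(text)
    findings = []
    others_can_read = bool(file_mode & 0o077)
    if others_can_read:
        findings.append(("high", "conf_mode_too_open", f"mode {file_mode:o}: group or world can read the file"))
    if cfg.defaults().get("admin_token"):
        findings.append(("high", "admin_token_set", "bootstrap admin_token still configured"))
    if cfg.getboolean("DEFAULT", "debug", fallback=False):
        findings.append(("medium", "debug_enabled", "debug logging can write request contents to the log files"))
    if not cfg.getboolean("ssl", "enable", fallback=False):
        findings.append(("medium", "ssl_disabled", "listeners serve plaintext; confirm TLS terminates at a proxy in front"))
    dsn = cfg.get("database", "connection", fallback="")
    if dsn and urlsplit(dsn).password:
        # A password in the file is expected; it only becomes urgent when others can read it.
        severity = "high" if others_can_read else "low"
        findings.append((severity, "db_password_in_conf", "database password embedded in connection string"))
    lifetime = cfg.getint("token", "expiration", fallback=3600)
    if lifetime > MAX_TOKEN_LIFETIME:
        findings.append(("medium", "token_expiration_long", f"tokens live {lifetime}s (> {MAX_TOKEN_LIFETIME}s)"))
    return findings


def finding_codes(findings):
    return {code for _, code, _ in findings}


if __name__ == "__main__":
    for label, conf, mode in (("insecure", SAMPLE_INSECURE_CONF, 0o644), ("hardened", SAMPLE_HARDENED_CONF, 0o600)):
        print(f"== {label} (mode {mode:o})")
        for severity, code, detail in audit_keystone_conf(conf, mode):
            print(f"  {severity:6} {code}: {detail}")
```

On a real node the body comes from `open("/etc/keystone/keystone.conf").read()` and the mode from `os.stat`; the point of keeping the check a pure function is that the same code can run over a configuration-management repository before deployment as well as over the live host.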
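The Keystone Intrusion Detection slide lists the prevention and forensics signals (rate of failed token requests per source, users tried, token hashes rather than tokens) without showing how they are computed from request logs. The following is an added example, not code from the presentation or from Keystone: the detection logic a proxy or load balancer log in front of `POST /tokens` would feed. The log format and every line are constructed; the 60-second window and the threshold of five failures are example policy.

```python
"""Brute-force and account-spray detection over Keystone front-end request logs.

Added example for the Keystone Intrusion Detection slide; not code from the
presentation or from Keystone. The log format and lines are constructed (one
line per request, as a proxy in front of Keystone might write), and lines are
assumed to arrive in time order, as a single log file does.
"""
import hashlib
import re
from collections import defaultdict, deque
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3}) user=(?P<user>\S+)$"
)
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed: one source hammering several accounts, one slow retrier, one normal user.
SAMPLE_LOG = """\
2014-05-12T10:00:00Z 198.51.100.7 POST /v2.0/tokens 401 user=bob
2014-05-12T10:00:01Z 203.0.113.5 POST /v2.0/tokens 401 user=alice
2014-05-12T10:00:03Z 203.0.113.5 POST /v2.0/tokens 401 user=alice
2014-05-12T10:00:05Z 203.0.113.5 POST /v2.0/tokens 401 user=admin
2014-05-12T10:00:07Z 203.0.113.5 POST /v2.0/tokens 401 user=admin
2014-05-12T10:00:09Z 203.0.113.5 POST /v2.0/tokens 401 user=root
2014-05-12T10:00:11Z 203.0.113.5 POST /v2.0/tokens 401 user=root
2014-05-12T10:00:12Z 203.0.113.5 POST /v2.0/tokens 200 user=alice
2014-05-12T10:00:20Z 192.0.2.9 GET /v2.0/tenants 200 user=carol
2014-05-12T10:05:00Z 198.51.100.7 POST /v2.0/tokens 401 user=bob
2014-05-12T10:15:00Z 198.51.100.7 POST /v2.0/tokens 401 user=bob
"""


def parse_line(line):
    """Parse one log line into a dict, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], TS_FORMAT)
    ev["status"] = int(ev["status"])
    return ev


def failed_token_requests(lines):
    """Yield only rejected authentication attempts (POST .../tokens answered 401)."""
    for line in lines:
        ev = parse_line(line)
        if ev and ev["method"] == "POST" and ev["path"].endswith("/tokens") and ev["status"] == 401:
            yield ev


def detect_bruteforce(lines, window_seconds=60, threshold=5):
    """Sliding window per source IP: return {ip: time first flagged} for sources
    with at least `threshold` failed token requests inside `window_seconds`."""
    recent = defaultdict(deque)
    flagged = {}
    for ev in failed_token_requests(lines):
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop failures that fell out of the window
        if len(q) >= threshold and ev["ip"] not in flagged:
            flagged[ev["ip"]] = ev["ts"].strftime(TS_FORMAT)
    return flagged


def users_per_source(lines):
    """Distinct usernames tried unsuccessfully per source IP; a spray across
    accounts is a second signal independent of the request rate."""
    users = defaultdict(set)
    for ev in failed_token_requests(lines):
        users[ev["ip"]].add(ev["user"])
    return {ip: len(seen) for ip, seen in users.items()}


def token_fingerprint(token):
    """Forensics store a hash of the token for correlation, never the token itself."""
    return hashlib.sha256(token.encode()).hexdigest()[:16]


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("brute force:", detect_bruteforce(lines))
    print("accounts tried per source:", users_per_source(lines))
```

The output of `detect_bruteforce` is what a blacklist or rate limiter at the proxy would consume; `users_per_source` covers the slower spray that stays under any per-minute threshold, and `token_fingerprint` is the "token hashes" item from the forensics column, which keeps the log useful for correlation without turning the log store into a token store.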
Slide 21: Two Factor Auth
(Diagram: Keystone backend drivers – LDAP Driver, SQL Driver, RADIUS Driver, … – connect through identity providers – LDAP Server, VIP Service, Symantec VIP Gateway – to authenticators – LDAP Server, MySQL DB, RADIUS Server, RSA SecurID)

Slide 22
How do I delegate?
How do my services and scripts authenticate themselves?
How do I control access scope?
What is the technical and management cost of a solution?

Slide 23: Autonomous Authentication
(Diagram: Nova holds Credentials and obtains a Service Token from Keystone; the Delegation path is marked "?")
Considerations:
• Secure cached credentials
• Limit scope
• Expiration
• Management
Potential Solutions:
• Cached passwords
• EC2 key
• Trusts
• Keys
• Certificates
• ?

Slide 24: Standards…

Slide 25: Keystone and Standard Protocols
• Interest in industry standard identity protocols for OpenStack
  – Symantec has been through a migration like this before
  – Community has already submitted blueprints
• Benefits
  – Single sign on
  – Improved integration
  – Control over credentials
  – Unified authentication experience
• Symantec will look to participate in this effort

Slide 26: Parting thoughts
• Protect your credentials everywhere
• Securing your use of Keystone is an ongoing process
• Share

Slide 27: Q&A

Slide 28: Thank you!
Keith Newstadt, keith_newstadt@symantec.com
Copyright © 2013 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising.
All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.