Establishing Digital Trust: Don't Sacrifice Security for Convenience
SAN DIEGO: Security concerns generally appear near the top of surveys in which IT and business executives are asked about barriers to cloud adoption. Given that, security should factor into any discussion of the cloud.
At the OpenStack Summit this week, security professionals within the open source community discussed the current state of how security is handled in the cloud platform project. While OpenStack does have a security model in place, there is still room for improvement.
OpenStack is a multi-stakeholder effort with broad participation from some of the biggest IT vendors in the world including IBM, Dell, HP, Intel, Cisco and AT&T, as well as Linux vendors Red Hat, SUSE and Canonical.
The OpenStack Security Group (OSSG) is the group within the project that is tasked with looking at security. The group is also associated with a Vulnerability Management Team (VMT) that reports bugs to be fixed.https://o1.qnsr.com/log/p.gif?;n=203;c=204650394;s=9477;x=7936;f=201801171506010;u=j;z=TIMESTAMP;a=20392931;e=i
Thus far discussions about OpenStack security have occurred only on closed mailing lists. OSSG member Bryan Payne told the audience that, to date, there is no public list of all the flaws that have already been fixed in OpenStack.
Known OpenStack Security Issues
Payne did discuss some of the known security issues. OpenStack has a Jenkins Continuous Integration (CI) build system. Payne noted that while it's not possible to do full penetration testing during the CI process, it is possible to look for basic issues.
He identified a potential security risk involving the Swift object storage component that would allow a Man-in-the-Middle (MiTM) attack to be easily executed.
"The Swift client is not even checking the server CA certificate," Payne said. "So basically it will connect and see there is an SSL connection, and then it will just proceed without any additional check."
He added, "Right now you're encrypting too -- who knows? It's perhaps better than not encrypting at all, but it's not ideal."
Robert Clarke, cloud security architect at HP, told the audience there are a number of security deficiencies that need to be addressed. HP's concern stems from the use of OpenStack as the basis for its public cloud offering.
When most people talk about security, the discussion tends to end up on the topic of cryptography, Clarke commented. He stressed that doing cryptography, and especially hashing correctly, is not an easy process. It's important for OpenStack users to truly understand how cryptography works, he said.
On Board with OpenStack
One of the ways security will evolve and improve at OpenStack is by increased participation. Payne said the OSSG is now soliciting help and needs security engineers and technical writers with OpenStack deployment experience. "We need lots of people that care working at different levels," he said.
"OSSG is a small group now," he said. "When we have enough people, we want to open it up and make it a resource." He added that "security is a constant space of innovation."