
Security
Monday, May 12


OpenStack Security Group (OSSG): An Update on Our Progress and Plans

Originally organized in Fall 2012, the OpenStack Security Group (OSSG) now fills many critical security roles within the OpenStack Community. From assisting the Vulnerability Management Team (VMT) to consulting with projects about security best practices and testing techniques, the OSSG has kept very busy. This talk will highlight the group’s recent work and set the direction for future work. Anyone interested in OpenStack security should attend.

Come to learn about all of the interesting work happening in OSSG. Here’s a sampling of what we will discuss:
  • OpenStack Security Notes (OSSNs)
  • OpenStack Security Guide
  • Invited security review of Ironic
  • Security guidelines for projects
  • Security testing


Robert Clark

Lead Security Architect, HP
Robert is a HP Distinguished Technologist, the lead security architect for HP Helion OpenStack and the current PTL of the OpenStack Security team. His career has its roots in threat modelling, vulnerability analysis and virtualization security. He is passionate about security and...

Nathan Kinder

Software Engineering Manager, Red Hat
Nathan is a Software Engineering Manager at Red Hat, where he manages the development of the identity and security related components of the Red Hat Enterprise Linux OpenStack Platform, Red Hat Directory Server, and Red Hat Certificate System products. He is an active member...

Monday May 12, 2014 11:15am - 11:55am
Room B101


State of OpenStack Security
This session will bring the attendee up to date on the current state of the art in OpenStack security. The talk will start with a high-level "state of the stack" that covers a review of the security enhancements between Havana and Icehouse as well as a review of current vulnerabilities, advisories, and open issues. The speakers will then discuss the results of an extensive root cause analysis of how vulnerabilities happen in OpenStack, and how to make OpenStack a more secure, mature platform for the enterprise.


Robert Clark

Lead Security Architect, HP
Robert is a HP Distinguished Technologist, the lead security architect for HP Helion OpenStack and the current PTL of the OpenStack Security team. His career has its roots in threat modelling, vulnerability analysis and virtualization security. He is passionate about security and...

Monday May 12, 2014 12:05pm - 12:45pm
Room B101


Security for Private OpenStack Clouds
Private clouds are much more than just a public cloud behind a firewall. Private clouds reach into the enterprise and have deep integration with key shared infrastructure that is external to the cloud such as LDAP, Storage, VLANs, DNS, NTP, etc. Furthermore, private clouds have a different threat profile. Users may be from the same organization, but insider attacks and targeted external attacks motivate unique security solutions.
This talk begins with a look at the different threats between public and private clouds, both technical and human. Then we will explore how these differences motivate different security solutions for private cloud deployments. This talk will cover both high level concepts and technical details, providing useful information for anyone interested in private cloud security.

Monday May 12, 2014 2:00pm - 2:40pm
Room B101


Learning to Trust the Cloud / Securing OpenStack with Intel Trusted Computing (Combined)
Cloud computing provides obvious economic and manageability benefits. Unused resources in production environments can be used to deploy development instances. Public clouds mean we can avoid buying rooms full of mostly idle hardware just to cater for worst case scenarios. And, thanks to hypervisors imposing isolation between instances, this should all come at no cost to security.
But is that true? What happens if someone does break out of a guest? What damage can they do? How can we detect it? What's the absolutely worst case scenario? With increasing levels of concern over low-level system vulnerabilities, how can we reassure users that their cloud environments are secure?
This presentation will cover the various techniques and technologies required to build a truly trustworthy cloud, ranging from boot attestation to runtime introspection. It will also discuss techniques that attackers can potentially use to gain persistent access to systems, perhaps even over reinstallation.


Matthew Garrett

Principal Security Software Engineer, CoreOS
Matthew Garrett is a security developer at CoreOS, specialising in the areas where software starts knowing a little more about hardware than you'd like. He implemented much of Linux's support for UEFI Secure Boot, does things with TPMs and has found more bugs in system firmware than...

Christian Huebner

Cloud Architect, Mirantis
Christian Huebner works at Mirantis, Inc. as OpenStack Cloud Architect. Coming from a conventional storage architecture background, he moved into cloud storage before joining Mirantis and later into general cloud architecture. He is providing architectural guidance and implementation...

Monday May 12, 2014 2:50pm - 3:30pm
Room B101


An Overview of Cloud Auditing Support for OpenStack
A key feature of any Cloud infrastructure is to provide auditing capabilities for compliance with security, operational and business processes. In this talk we provide an overview of the recent enhancements made in OpenStack projects to support API and security auditing using the DMTF Cloud Auditing Data Federation (CADF) standard. We will describe how auditing is seamlessly enabled for Nova, Glance, Swift, Cinder, Neutron and Keystone and illustrate what is audited, where it is stored, what the records contain and how this supports compliance. We will finish by presenting some possible future directions such as extending the use of CADF beyond audit to facilitate event correlation and federation across multiple tiers.


Rob Basham

Architect, Cloud Systems Software, IBM
Rob works at IBM designing systems management software with a focus on monitoring and automation. He is relatively new to OpenStack but has been working on various aspects of systems management for quite some time. Rob is an innovator and author of dozens of patents across a broad...

Gordon Chung

Software developer - Openstack
Gordon Chung is a software developer in the Software Group Standards Strategy organization within IBM. His current role involves contributing code to OpenStack and supporting the community. Gordon is currently a core contributor in the Ceilometer project and occasionally contributes...

Matt Rutkowski

STSM Cloud Open Tech., IBM
My amorphous job and title within IBM encompass engaging with and progressing all manner of open source and stds. projects, basically anything that is “born on,” connects to, or touches cloud (e.g., data, services, fabric, distributed platforms, IoT, etc.). Currently, I am leading...

Brad Topol

Distinguished Engineer, IBM
Dr. Brad Topol is an IBM Distinguished Engineer leading efforts focused on Open Technologies and Developer Advocacy. In his current role, Brad leads a development team focused on contributing to and improving Kubernetes. Brad is a Kubernetes contributor, serves as a member of the...

Monday May 12, 2014 3:40pm - 4:20pm
Room B101


Keystone Security and Architecture Review
This presentation will cover architectural and procedural security concepts within Keystone, specifically Trusts (delegations), AMQP security with Keystone, and integration with a corporate LDAP as the single source of truth.

Given the distributed nature of OpenStack, Keystone plays a major role in binding all of the projects together, but not much is said about how to do this with Keystone, or about the pitfalls and dangers of hooking a centralized security system up to the rest of the cloud. Not only do you have to be wary of the services that connect to Keystone, but you also have to be cautious about the kinds of input and data you feed to Keystone from external sources.

The identity and token repository for OpenStack, or any other service, needs to be the most protected component within your cloud infrastructure.


Keith Newstadt

Cloud Services Architect, Symantec
Keith has been in the Security industry for nearly 15 years working on everything from Web services to host-based security products to security appliances. Keith was most recently the architect for Norton's Identity Provider which authenticates Norton's 100M+ users to the various...

Monday May 12, 2014 4:40pm - 5:20pm
Room B101


OpenStack - QA Security Code Analysis
Today's corporate security groups are not staffed with the specialized skills needed to perform code analysis and security testing for OpenStack. This discussion will focus on three areas: 1. Who should be responsible for testing (hint: a specialized group of ninjas); 2. Automating API and code testing, with a demo; 3. How this translates into better code in OpenStack.
There is a paradigm shift in how security testing is being conducted by software companies. Moving security testing away from an "info-security" perspective will make it a repeatable process that is streamlined, more efficient, and more secure in an OpenStack environment.


Jim Freeman

Director, Quality and Security Engineering, Rackspace Hosting
Jim is a Director of Quality and Security Engineering at Rackspace. Jim has successfully built a team of specialized security engineers that is part of the development, quality, and delivery process at Rackspace. Jim felt that the best way to interconnect and ensure security testing...

Monday May 12, 2014 5:30pm - 6:10pm
Room B101
Wednesday, May 14


Will Your Cloud Be Compliant?
Architecting a standards compliant cloud can be difficult. There are emerging cloud specific security standards such as FedRAMP and CSA that should be considered in addition to existing NIST/ISO and PCI-DSS standards. OpenStack workflows and resources that exist today either fully or partially meet these common compliance requirements. We will discuss areas that need work and areas that appear to be in good shape.
The talk includes a study of PayPal’s experience in reviewing OpenStack security as it relates to complying with PCI-DSS in their private cloud and existing data center environment. It dives into the many design decisions PayPal made within their environment: whether to use physical versus logical devices, how to review hypervisor versus guest compliance, and whether to maintain separate management networks for PCI versus non-PCI traffic.


Scott Carlson

Architect, Cloud Platform Security, PayPal
Scott Carlson has been with PayPal since the end of 2011. He’s spent the last 15 years in the Banking, Education, and Payment sectors perfecting the art of sys-admining, cloud-ifying and in keeping mission critical systems from falling to pieces. In 2013, he spoke at both the VMWorld...

Evgeniya Shumakher

Head of Technology Partnerships, Mirantis
Evgeniya Shumakher is a Head of Technology Partnership at Mirantis, where she coordinates and leads efforts to help Mirantis partners navigate OpenStack and Kubernetes ecosystems and to expand the utility of Mirantis products to customers via integration of partner products and t...

Wednesday May 14, 2014 4:30pm - 5:10pm
Room B102


The Network as the Security and Policy Enforcement Point in OpenStack Environments
Security concerns remain a strong deterrent to enterprise acceptance of the cloud, especially with recent events illustrating the vulnerability of data in the cloud. As OpenStack-based clouds have been focused on providing the environment needed for elastic, on-demand multi-tenant applications, how security, isolation and policies are enforced has largely been unclear. This talk will explore the changing nature of the network as it transitions to new models more suited to the cloud with SDN, NFV and Virtual Network Infrastructure, and the inter-relationship between networking, and security and policy enforcement. It will explore why and how security and policy enforcement should be integrated into the networking design of OpenStack cloud environments.


Pere Monclus

CTO and Co-Founder of PLUMgrid, PLUMgrid
Before co-founding PLUMgrid, Pere was a Distinguished Engineer at Cisco Systems in the Research and Advanced Development team, where he led innovation in the areas of cloud, security and converged infrastructure. Prior to that, he was responsible for the architecture and technology...

Wednesday May 14, 2014 5:20pm - 6:00pm
Room B102