Design and Deploy Secure Clouds for Financial Services – Use Cases August 18, 2016

Upload: plumgrid

Post on 08-Jan-2017

Page 1: Design and Deploy Secure Clouds for Financial Services Use Cases

Design and Deploy Secure Clouds for Financial Services – Use Cases
August 18, 2016

Page 2: Design and Deploy Secure Clouds for Financial Services Use Cases

Copyright © PLUMgrid, Inc. 2011-2015

Introduction: Speakers

Justin Moore, Principal Solutions Architect, PLUMgrid

Joe Antkowiak, Sr. Solution Architect – OpenStack Tiger Team, Red Hat

Page 3: Design and Deploy Secure Clouds for Financial Services Use Cases


Agenda: What will be covered today

1. OpenStack Infrastructure Security: Addressing Common Security Challenges using Red Hat OpenStack Platform

2. Security and compliance through automation and micro-segmentation with OpenStack and SDN

3. Micro-Segmentation Demo

Page 4: Design and Deploy Secure Clouds for Financial Services Use Cases

OpenStack Infrastructure Security

Addressing Common Security Challenges using Red Hat OpenStack Platform

Joe Antkowiak, Sr. Solution Architect
August 18, 2016

Page 5: Design and Deploy Secure Clouds for Financial Services Use Cases

Agenda

Common OpenStack Infrastructure Security Challenges

Addressing Challenges with Red Hat OpenStack Platform Director

Addressing Challenges with Red Hat CloudForms

Page 6: Design and Deploy Secure Clouds for Financial Services Use Cases

OpenStack Infrastructure Security

Common Challenges

• Many manual tasks
• Infrastructure secured post deployment
• Detecting change and enforcing policy
• Maintaining secure configuration and policy when upgrading and scaling

Page 7: Design and Deploy Secure Clouds for Financial Services Use Cases

OPENSTACK PLATFORM DIRECTOR (DAY 1 + SCALING/UPGRADING): Director is included in Red Hat OpenStack Platform

CLOUDFORMS (DAY 2 + LIFECYCLE): CloudForms is included in Red Hat OpenStack Platform

Page 8: Design and Deploy Secure Clouds for Financial Services Use Cases

Red Hat OpenStack Platform Director

[Figure: Director lifecycle, built on OpenStack Orchestration (Heat)]
• Planning: network topology, service parameters, resource capacity
• Deployment: deployment orchestration, service configuration, sanity checks
• Operations: updates and upgrades, scaling up and down, change management

Page 9: Design and Deploy Secure Clouds for Financial Services Use Cases

OpenStack Platform Director (OSPd): Advantages for OpenStack Security

USES OPENSTACK TO DEPLOY OPENSTACK: Concepts applicable to workloads running on OpenStack are applicable to OpenStack itself

IMAGE BASED: Nodes installed from a customizable source image

TEMPLATE BASED: Customizable, reusable, repeatable use of Heat templates (YAML) to install, scale, and upgrade

Page 10: Design and Deploy Secure Clouds for Financial Services Use Cases

OSP Director Image Customization: Image Customization Examples for Security

KERNEL: Deploy a custom kernel build or a hardened kernel (with validation)

PACKAGES: Deploy specific package versions or additional packages

LOCAL ACCOUNTS AND POLICIES: Define custom local accounts and SELinux configuration

Page 11: Design and Deploy Secure Clouds for Financial Services Use Cases

OSP Director Template-Based Deployment: Template-Based Configuration Examples for Security

SSL/TLS ENABLED CONTROL PLANE AND ENDPOINTS: Enable transport encryption on all control plane communication using your own certificates

AAA INTEGRATION: Integrate with your AAA infrastructure (LDAP, Kerberos, etc.)

SERVICES CONFIGURATION: Configure logging, NTP, and monitoring tools
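Enabling TLS in the deployment templates is only half of the "infrastructure secured post deployment" problem; the other half is verifying that the deployed control plane actually exposes no plaintext endpoint. The script below is an added example, not code from the Red Hat or PLUMgrid material: it audits a Keystone v3 service catalog (the JSON body returned by `GET /v3/auth/catalog`) and reports every endpoint that is not served over https. The catalog embedded in it is constructed to resemble a cloud where TLS was enabled on public endpoints only.

```python
"""Audit an OpenStack service catalog for plaintext control-plane endpoints.

Added example, not code from the Red Hat/PLUMgrid deck. It assumes the
Keystone v3 "GET /v3/auth/catalog" response shape; the catalog below is
constructed to look like a deployment where TLS was only enabled on some
endpoints.
"""
import json
from urllib.parse import urlparse

# Constructed sample catalog (not taken from a real cloud).
SAMPLE_CATALOG = json.dumps({
    "catalog": [
        {"type": "identity", "name": "keystone", "endpoints": [
            {"interface": "public", "region": "regionOne",
             "url": "https://cloud.example.com:13000/v3"},
            {"interface": "internal", "region": "regionOne",
             "url": "http://172.16.2.10:5000/v3"},
            {"interface": "admin", "region": "regionOne",
             "url": "http://172.16.2.10:35357/v3"},
        ]},
        {"type": "compute", "name": "nova", "endpoints": [
            {"interface": "public", "region": "regionOne",
             "url": "https://cloud.example.com:13774/v2.1"},
            {"interface": "internal", "region": "regionOne",
             "url": "https://172.16.2.10:8774/v2.1"},
        ]},
        {"type": "image", "name": "glance", "endpoints": [
            {"interface": "public", "region": "regionOne",
             "url": "http://cloud.example.com:9292"},
        ]},
    ]
})


def audit_catalog(catalog_json, require_tls_internal=True):
    """Return findings as (service, interface, url, reason) tuples.

    Public endpoints must always be https. Internal and admin endpoints must
    be https too when require_tls_internal is set, which is the "encrypt all
    control plane communication" posture the slide describes.
    """
    findings = []
    for service in json.loads(catalog_json)["catalog"]:
        for ep in service.get("endpoints", []):
            if urlparse(ep["url"]).scheme.lower() == "https":
                continue
            if ep["interface"] != "public" and not require_tls_internal:
                continue
            findings.append((service["name"], ep["interface"], ep["url"],
                             "%s endpoint served over plaintext" % ep["interface"]))
    return findings


def catalog_is_compliant(catalog_json, require_tls_internal=True):
    """True when no endpoint violates the TLS policy."""
    return not audit_catalog(catalog_json, require_tls_internal)


if __name__ == "__main__":
    for svc, iface, url, why in audit_catalog(SAMPLE_CATALOG):
        print("FAIL %-9s %-9s %s (%s)" % (svc, iface, url, why))
```

Against the sample catalog the audit flags the Keystone internal and admin endpoints and the Glance public endpoint; with `require_tls_internal=False` only the Glance finding remains, which is the weaker "public only" posture that does not meet the slide's goal. Feed it the real catalog (authenticated as a user with access to all endpoint interfaces) after every deployment, scale-out and upgrade, since those are exactly the operations that can reintroduce a plaintext endpoint.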

Page 12: Design and Deploy Secure Clouds for Financial Services Use Cases

Red Hat CloudForms: Unified Management for OpenStack

• Unified management and operations
• Complete lifecycle management
• Visibility and analytics
• Compliance and governance
• Integration and composability

Page 13: Design and Deploy Secure Clouds for Financial Services Use Cases

CloudForms Compliance and Governance: Example Functions

ANALYZE: Automatically perform SmartState Analysis on OpenStack nodes and instances (agent-less)

TRACK AND ALERT: Report on changes and drift; automatically alert based on defined policy

REMEDIATE: Automatically kick off defined remediation or deeper inspection actions

Page 14: Design and Deploy Secure Clouds for Financial Services Use Cases

CloudForms SmartState Analysis: Examples of Items Tracked

PACKAGES AND FILES: Package versions, new or changed files

LOCAL USERS AND ACTIONS: User actions and commands, users and groups added or changed

COMPONENT CHANGES: Added or changed network interfaces, attached storage, new instances or containers running
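What "track and alert" amounts to in practice is a diff between two inventory snapshots plus a policy that decides which differences matter. The following is an added example and not CloudForms' SmartState Analysis: it compares a baseline snapshot of a node (package versions, hashes of watched files, local users and their groups) with a later one and raises alerts for the changes the slide lists. Both snapshots and their file hashes are constructed; the drift in the second one (an sshd downgrade, a rewritten sshd_config, a new root authorized_keys file, a new service account in wheel) is the kind of change a post-deployment hardening step would want to catch.

```python
"""Drift detection over agent-less host inventory snapshots.

Added example, not CloudForms' SmartState Analysis. It diffs two inventory
snapshots of an OpenStack node (package versions, hashes of watched files,
local users with their groups) and turns the differences into alerts
according to a small policy, the "track and alert" step on the slide. Both
snapshots are constructed; the hashes are placeholders.
"""
import re

BASELINE = {
    "packages": {"openssh-server": "7.4p1-21", "openstack-nova-compute": "13.1.0-1",
                 "sudo": "1.8.19p2-14"},
    "files": {"/etc/ssh/sshd_config": "a1b2", "/etc/sudoers": "c3d4",
              "/etc/nova/nova.conf": "e5f6"},
    "users": {"root": ["root"], "nova": ["nova"], "heat-admin": ["heat-admin", "wheel"]},
}

LATEST = {
    "packages": {"openssh-server": "7.4p1-16", "openstack-nova-compute": "13.1.0-1",
                 "sudo": "1.8.19p2-14", "nmap": "7.40-5"},
    "files": {"/etc/ssh/sshd_config": "ffff", "/etc/sudoers": "c3d4",
              "/etc/nova/nova.conf": "e5f6", "/root/.ssh/authorized_keys": "9a9a"},
    "users": {"root": ["root"], "nova": ["nova"], "heat-admin": ["heat-admin", "wheel"],
              "svc-backup": ["svc-backup", "wheel"]},
}

WATCHED_FILES = {"/etc/ssh/sshd_config", "/etc/sudoers", "/etc/nova/nova.conf",
                 "/root/.ssh/authorized_keys"}
PRIVILEGED_GROUPS = {"root", "wheel"}


def diff_snapshots(before, after):
    """Return every changed item as (category, key, old_value, new_value)."""
    changes = []
    for cat in ("packages", "files", "users"):
        for key in sorted(set(before[cat]) | set(after[cat])):
            old, new = before[cat].get(key), after[cat].get(key)
            if old != new:
                changes.append((cat, key, old, new))
    return changes


def version_key(version):
    """Crude numeric comparison key: '7.4p1-21' -> (7, 4, 1, 21)."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def evaluate_policy(changes):
    """Map changes to (severity, message) alerts; benign changes produce none."""
    alerts = []
    for cat, key, old, new in changes:
        if cat == "packages":
            if old is None:
                alerts.append(("medium", "package added: %s %s" % (key, new)))
            elif new is None:
                alerts.append(("low", "package removed: %s" % key))
            elif version_key(new) < version_key(old):
                alerts.append(("high", "package downgraded: %s %s -> %s" % (key, old, new)))
        elif cat == "files" and key in WATCHED_FILES:
            what = "created" if old is None else ("deleted" if new is None else "modified")
            alerts.append(("high", "watched file %s %s" % (key, what)))
        elif cat == "users":
            gained = set(new or []) - set(old or [])
            if new is None:
                alerts.append(("low", "user removed: %s" % key))
            elif gained & PRIVILEGED_GROUPS:
                alerts.append(("high", "user %s %s privileged group(s) %s"
                               % (key, "created in" if old is None else "added to",
                                  ", ".join(sorted(gained & PRIVILEGED_GROUPS)))))
            elif old is None:
                alerts.append(("medium", "user added: %s" % key))
    return alerts


if __name__ == "__main__":
    for severity, message in evaluate_policy(diff_snapshots(BASELINE, LATEST)):
        print("[%s] %s" % (severity.upper(), message))
```

The split between `diff_snapshots` and `evaluate_policy` is deliberate: the raw diff is what you archive for forensics, while the policy is what you tune, and keeping them apart means a policy change never hides evidence. The version comparison is intentionally crude (it ignores epochs and letter suffixes); for RPM-based nodes a real check would call out to `rpmdev-vercmp` or use the rpm library.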

Page 15: Design and Deploy Secure Clouds for Financial Services Use Cases

Thank you! Please post questions in the webinar.

Visit Red Hat at OpenStack East, August 23-24, NYC

red.ht/openstack
red.ht/cloudforms

Page 16: Design and Deploy Secure Clouds for Financial Services Use Cases

Security and compliance through automation and micro-segmentation with OpenStack and SDN

Justin Moore

Page 17: Design and Deploy Secure Clouds for Financial Services Use Cases


Technology Challenges in FSI

• Regulatory compliance
  • PCI
  • SOX
• Security
  • Separation of concerns
  • Minimize attack surface
  • Strict enforcement of access control
• Operations
  • Reduce manual effort through automation
  • Protect against misconfiguration
    • Dev/Test pointed to Prod
    • Incorrect or invalid firewall rule
    • Server placed on wrong network
  • Rapidly scale

Page 18: Design and Deploy Secure Clouds for Financial Services Use Cases


Traditional Approaches No Longer Work

• Too slow
  • Ticket-based manual workflows take days or weeks
  • New methodologies demand on-demand infrastructure and tight integration with the SDLC
    • Agile
    • CI/CD
    • Micro-services
• Error prone
  • Lack of automation and standardization leads to errors
  • Incomplete or inadequate decommission processes
• Too expensive
  • Scale-up access control devices / forklift upgrades
  • Highly skilled and highly paid engineers performing trivial ticket-based activities

Page 19: Design and Deploy Secure Clouds for Financial Services Use Cases


So How Do We Keep Up?

• Cloud!
  • OK, it's not really that simple. What about all of that security stuff?
• SDN!
  • Again, it's not really as simple as buying an SDN.
  • How will we design the system to ensure that security is baked into the end-to-end environment?
• Micro-segmentation
  • Great, another buzzword!
  • Micro-segmentation is the process of controlling access to and from a service based on the combination of its security boundary and its attack footprint
  • Don't we already do that? Not really!

Page 20: Design and Deploy Secure Clouds for Financial Services Use Cases


Virtual Domains: Your Private Virtual Data Center

Tenant Virtual Domains
• Isolation and segmentation of workloads
• Self-service provisioning of all functions

Service Virtual Domains
• Owned by the cloud operator
• Used to apply common services or security policies
• Host external connectivity

Virtual Domain Chaining
• Decouples changes from the physical infrastructure
• Fully distributed within the IO Visor layer on each compute node

[Figure: a Service Virtual Domain (providing DNS) chained to several Tenant Virtual Domains]

Page 21: Design and Deploy Secure Clouds for Financial Services Use Cases


PLUMgrid Virtual Domains: Components of a Virtual Domain

[Figure: a Virtual Domain with its Distributed Policy Enforcement Zone and the Edge Policy Enforcement Point at its boundary]

Virtual Domain (VD): ISOLATION
• Secure tenant isolation for multi-tenant clouds
• Contains all network definitions for that project
• Rich set of analytics and monitoring
• Option to encrypt traffic on a per-VD basis

Topology: Overlay-based, fully distributed network functions
• Network topology view
• DVS/DVR/NAT/DNS/DHCP functions
• Fully distributed (no hairpin or network nodes)
• Integration with external VTEP gateways
• Topology-based service insertion (FW/LB/IPS)

Policy boundary: SEGMENTATION
• Group-based policies and micro-segmentation
• All traffic in and out of the VD goes through the policy engine
• Used for security groups (L2-4 stateless or stateful security)
• Policy-based VTAP (traffic capture)
• Policy-based service insertion (FW/LB/IPS)
• Support for service chains or a single service function

Page 22: Design and Deploy Secure Clouds for Financial Services Use Cases


PLUMgrid ONS Components

[Figure: PLUMgrid ONS components: PLUMgrid Directors; IO Visor Edges on the compute nodes; an IO Visor Gateway toward the Internet; a VXLAN-based overlay between them; PLUMgrid CloudApex and OpsVM]

Page 23: Design and Deploy Secure Clouds for Financial Services Use Cases


Example Application – Customer Service Tool

[Figure: the Customer Service Tool deployed as separate Prod CST and Dev CST virtual domains under a Global Cloud Policy domain that also provides DNS]

Page 24: Design and Deploy Secure Clouds for Financial Services Use Cases


Three-Tier Architecture

[Figure: presentation tier, logic tier and data tier backed by database storage. Example request: the presentation tier asks "get sales total"; the logic tier asks the data tier for the list of all sales made last year, adds them together and returns the total; the data tier runs the query and returns sale 1 through sale 4, giving a total of 4 sales]

Page 25: Design and Deploy Secure Clouds for Financial Services Use Cases


PLUMgrid Policy Path

[Figure: policy path from group classification to enforcement actions]

Group classification (source and destination end point classification), based on:
• Packets: source MAC / 802.1Q tag, src_IP/dst_IP, application / ports, protocols
• Metadata: tenant ID / app ID, VM UUID / name, end point type / group, location / physical server
• Behavior: traffic profile, syscall profile, storage access profile

Enforcement actions:
• Stateful security groups
• Security logs and alerts
• Policy-based VTAP (traffic mirroring)
• Policy-based service insertion (VNF 1, VNF 2, VNF 3): service chains, distributed service insertion, local affinity
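The micro-segmentation definition on page 19, the Prod/Dev Customer Service Tool on page 23, the three-tier flow on page 24 and the policy path above all describe the same mechanism: classify end points into groups from metadata, then allow or deny traffic by group pair rather than by address. The code below is an added example written to make that concrete; it is not PLUMgrid's policy engine and does not use its API. It builds a constructed inventory of the CST in prod and dev, expresses the only permitted tier-to-tier flows as group-based rules with default deny, and evaluates a set of constructed flows statefully, so return traffic of an admitted connection is allowed while unsolicited traffic in the same direction is not. The "Dev/Test pointed to Prod" misconfiguration from page 17 shows up as a denied flow.

```python
"""Group-based micro-segmentation policy engine for the three-tier CST example.

Added example, not PLUMgrid's policy engine. It models the slide's policy
path: end points are classified into groups from metadata (tenant, app,
environment, tier) and packets are allowed or denied by group-to-group rules
rather than by IP address. Admitted flows are remembered so the reverse
direction is allowed (a stateful security group). All end-point and flow
data below is constructed.
"""
from collections import namedtuple

Endpoint = namedtuple("Endpoint", "ip tenant app env tier")
Rule = namedtuple("Rule", "src_group dst_group proto port")
Flow = namedtuple("Flow", "src_ip dst_ip proto src_port dst_port")

# Constructed inventory: the Customer Service Tool (CST) in prod and dev.
ENDPOINTS = [
    Endpoint("10.1.0.10", "fsi", "cst", "prod", "web"),
    Endpoint("10.1.1.10", "fsi", "cst", "prod", "app"),
    Endpoint("10.1.2.10", "fsi", "cst", "prod", "db"),
    Endpoint("10.2.0.10", "fsi", "cst", "dev", "web"),
    Endpoint("10.2.1.10", "fsi", "cst", "dev", "app"),
    Endpoint("10.2.2.10", "fsi", "cst", "dev", "db"),
]

# Group-based rules: the only traffic allowed into each tier. Default is deny.
RULES = [
    Rule("external",     "cst/prod/web", "tcp", 443),
    Rule("cst/prod/web", "cst/prod/app", "tcp", 8080),
    Rule("cst/prod/app", "cst/prod/db",  "tcp", 5432),
    Rule("external",     "cst/dev/web",  "tcp", 443),
    Rule("cst/dev/web",  "cst/dev/app",  "tcp", 8080),
    Rule("cst/dev/app",  "cst/dev/db",   "tcp", 5432),
]


def classify(ip, endpoints):
    """Map an address to its policy group from metadata, not from the address itself."""
    for ep in endpoints:
        if ep.ip == ip:
            return "%s/%s/%s" % (ep.app, ep.env, ep.tier)
    return "external"  # anything not in the tenant inventory


class StatefulPolicyEngine:
    def __init__(self, endpoints, rules):
        self.endpoints = endpoints
        self.allowed = {(r.src_group, r.dst_group, r.proto, r.port) for r in rules}
        self.connections = set()   # admitted 5-tuples
        self.log = []              # (decision, flow, src_group, dst_group)

    def evaluate(self, flow):
        """Return "ALLOW" or "DENY" for one packet and record the decision."""
        src = classify(flow.src_ip, self.endpoints)
        dst = classify(flow.dst_ip, self.endpoints)
        reverse = (flow.dst_ip, flow.src_ip, flow.proto, flow.dst_port, flow.src_port)
        if reverse in self.connections:
            decision = "ALLOW"     # return traffic of an admitted connection
        elif (src, dst, flow.proto, flow.dst_port) in self.allowed:
            decision = "ALLOW"
            self.connections.add(tuple(flow))
        else:
            decision = "DENY"      # default deny, including cross-environment traffic
        self.log.append((decision, flow, src, dst))
        return decision


def run_demo():
    """Evaluate a constructed packet sequence; returns the list of decisions."""
    engine = StatefulPolicyEngine(ENDPOINTS, RULES)
    flows = [
        Flow("203.0.113.5", "10.1.0.10", "tcp", 51000, 443),   # customer -> prod web
        Flow("10.1.0.10", "10.1.1.10", "tcp", 52000, 8080),    # prod web -> prod app
        Flow("10.1.1.10", "10.1.0.10", "tcp", 8080, 52000),    # app's reply (stateful)
        Flow("10.1.0.10", "10.1.2.10", "tcp", 52001, 5432),    # web skipping the app tier
        Flow("10.2.1.10", "10.1.2.10", "tcp", 40000, 5432),    # dev app pointed at prod db
        Flow("10.1.1.10", "10.1.0.10", "tcp", 8080, 53000),    # unsolicited app -> web
    ]
    decisions = [engine.evaluate(f) for f in flows]
    for decision, flow, src, dst in engine.log:
        print("%-5s %s -> %s  %s:%d -> %s:%d" % (decision, src, dst, flow.src_ip,
              flow.src_port, flow.dst_ip, flow.dst_port))
    return decisions


if __name__ == "__main__":
    run_demo()
```

Two things worth noticing. The rules never mention an IP address, so moving a VM, re-addressing a network or scaling a tier out to ten instances changes the inventory but not the policy, which is what the deck means by decoupling policy from the physical infrastructure. And the dev-to-prod database flow is denied even though the database port is open for the prod app tier, because group membership (environment plus tier) is what the rule keys on; an address-based firewall rule for "port 5432 from the app subnet" would have let it through.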

Page 26: Design and Deploy Secure Clouds for Financial Services Use Cases

Micro-Segmentation Demo

Page 27: Design and Deploy Secure Clouds for Financial Services Use Cases

Q&A: Please use the Q&A panel to ask questions

Page 28: Design and Deploy Secure Clouds for Financial Services Use Cases


THANK YOU!