From 72f5df58e9d2d195b305159518ea19d565bb3dbd Mon Sep 17 00:00:00 2001 From: Diane Fleming Date: Wed, 13 Nov 2013 14:56:59 -0600 Subject: [PATCH] Fix headings in Security Guide Partial-Bug: #1250515 author: diane fleming Change-Id: I38aad628ec24475a25cba151a2d056a0f60a8a95 backport: none --- doc/security-guide/ch001_acknowledgements.xml | 2 +- .../ch002_why-and-how-we-wrote-this-book.xml | 4 ++-- doc/security-guide/ch004_book-introduction.xml | 14 +++++++------- 3 files changed, 10 insertions(+), 10 deletions(-) diff --git a/doc/security-guide/ch001_acknowledgements.xml b/doc/security-guide/ch001_acknowledgements.xml index ed05339bea..62deeb8983 100644 --- a/doc/security-guide/ch001_acknowledgements.xml +++ b/doc/security-guide/ch001_acknowledgements.xml @@ -1,6 +1,6 @@ - Acknowledgements + Acknowledgments The OpenStack Security Group would like to acknowledge contributions from the following organizations who were instrumental in making this book possible. These are: diff --git a/doc/security-guide/ch002_why-and-how-we-wrote-this-book.xml b/doc/security-guide/ch002_why-and-how-we-wrote-this-book.xml index f72fe99178..3a220ff6e3 100644 --- a/doc/security-guide/ch002_why-and-how-we-wrote-this-book.xml +++ b/doc/security-guide/ch002_why-and-how-we-wrote-this-book.xml 
@@ -1,6 +1,6 @@ - Why and How We Wrote This Book + Why and how we wrote this book As OpenStack adoption continues to grow and the product matures, security has become a priority. The OpenStack Security Group has recognized the need for a comprehensive and authoritative security guide. The OpenStack Security Guide has been written to provide an overview of security best practices, guidelines, and recommendations for increasing the security of an OpenStack deployment. The authors bring their expertise from deploying and securing OpenStack in a variety of environments. The guide augments the OpenStack Operations Guide and can be referenced to harden existing OpenStack deployments or to evaluate the security controls of OpenStack cloud providers.
@@ -103,7 +103,7 @@
- How to Contribute to This Book + How to contribute to this book The initial work on this book was conducted in an overly air-conditioned room that served as our group office for the entirety of the documentation sprint. diff --git a/doc/security-guide/ch004_book-introduction.xml b/doc/security-guide/ch004_book-introduction.xml index e2b6f23dc2..b8a75cb9bf 100644 --- a/doc/security-guide/ch004_book-introduction.xml +++ b/doc/security-guide/ch004_book-introduction.xml @@ -11,10 +11,10 @@ Each OpenStack deployment embraces a wide variety of technologies, spanning Linux distributions, database systems, messaging queues, OpenStack components themselves, access control policies, logging services, security monitoring tools, and much more. It should come as no surprise that the security issues involved are equally diverse, and their in-depth analysis would require several guides. We strive to find a balance, providing enough context to understand OpenStack security issues and their handling, and provide external references for further information. The guide could be read from start to finish or sampled as necessary like a reference. We briefly introduce the kinds of clouds: private, public, and hybrid before presenting an overview of the OpenStack components and their related security concerns in the remainder of the chapter.
- Cloud Types + Cloud types OpenStack is a key enabler in adoption of cloud technology and has several common deployment use cases. These are commonly known as Public, Private, and Hybrid models. The following sections use the National Institute of Standards and Technology (NIST) definition of cloud to introduce these different types of cloud as they apply to OpenStack.
- Public Cloud + Public cloud According to NIST, a public cloud is one in which the infrastructure is open to the general public for consumption. OpenStack public clouds are typically run by a service @@ -33,7 +33,7 @@ infrastructure from external attacks.
- Private Cloud + Private cloud At the opposite end of the spectrum is the private cloud. As NIST defines it, a private cloud is provisioned for exclusive use by a single organization comprising multiple @@ -48,7 +48,7 @@ NIST defines a community cloud as one whose  infrastructure is provisioned for the exclusive use by a specific community of consumers from organizations that have shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be owned, managed, and operated by one or more of the organizations in the community, a third-party, or some combination of them, and it may exist on or off premises.
- Hybrid Cloud + Hybrid cloud A hybrid cloud is defined by NIST as a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds). For example an online retailer may have their advertising and catalogue presented on a public cloud that allows for elastic provisioning. This would enable them to handle seasonal loads in a flexible, cost-effective fashion. Once a customer begins to process their order, they are transferred to the more secure private cloud backend that is PCI compliant. For the purposes of this document, we treat Community and Hybrid similarly, dealing explicitly only with the @@ -58,7 +58,7 @@
- OpenStack Service Overview + OpenStack service overview OpenStack embraces a modular architecture to provide a set of core services that facilitates scalability and elasticity as core design tenets. This chapter briefly reviews OpenStack components, their use cases and security considerations. @@ -104,7 +104,7 @@ The OpenStack dashboard service (Horizon) provides a web-based interface for both cloud administrators and cloud tenants. Through this interface administrators and tenants can provision, manage, and monitor cloud resources. Horizon is commonly deployed in a public facing manner with all the usual security concerns of public web portals.
- Identity Management + Identity management The identity management service (Keystone) is a shared service that provides authentication and authorization services throughout the entire cloud infrastructure. Keystone has pluggable support for multiple forms of authentication. Security concerns here pertain to trust in authentication, management of authorization tokens, and secure communication.
@@ -114,7 +114,7 @@ Trusted processes for managing the life cycle of disk images are required, as are all the previously mentioned issues with respect to data security.
- Other Supporting Technology + Other supporting technology OpenStack relies on messaging for internal communication between several of its services. By default, OpenStack uses message queues based on the Advanced Message Queue Protocol (AMQP). Similar to most OpenStack services, it supports pluggable components. Today the implementation backend could be RabbitMQ, Qpid, or ZeroMQ. As most management commands flow through the message queueing system, it is a primary security concern for any OpenStack deployment. Message queueing security is discussed in detail later in this guide. Several of the components use databases though it is not explicitly called out. Securing the access to the databases and their contents is yet another security concern, and consequently discussed in more detail later in this guide.
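Review bot: in the doc/security-guide/ch001_acknowledgements.xml hunk, the title change from "Acknowledgements" to "Acknowledgments" is a spelling change rather than a capitalization fix, and the file name keeps the old spelling. The subject line only says "Fix headings", so state in the commit message that spelling is being normalized too, and whether the file name is intentionally left as it is.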
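Review bot: in the doc/security-guide/ch004_book-introduction.xml hunks for "Cloud types", "Public cloud", "Private cloud" and "Hybrid cloud", the headings move to sentence case but the unchanged body text still capitalizes the same terms: "Public, Private, and Hybrid models" under "Cloud types" and "we treat Community and Hybrid similarly" under "Hybrid cloud". Lowercase those in this change or a follow-up so that headings and running text agree.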
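Review bot: in the final doc/security-guide/ch004_book-introduction.xml hunk ("Other supporting technology"), the context paragraph expands AMQP as "Advanced Message Queue Protocol", while the protocol's name is Advanced Message Queuing Protocol. The same paragraph calls the message queue a primary security concern, so readers are likely to search on that name; correct the expansion here or in a follow-up under the same bug.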