d782c62427
* Expand 'Univ' to 'University' for correctness. * Remove scattered instances of double-spacing between sentences so that guide is consistent. * Use '—' instead of '-' to improve appearance of list items. * Adjust preposition placements to improve grammar. * Add an xref instead of advising reader to "read below" so that we do a better job of guiding the reader through the document. * Remove stray, empty <emphasis> items to clean up code. * Remove unnecessary hyphens to improve grammar correctness. * Other minor grammar improvements. Change-Id: I0dffd2e05cf89e4a9421512cb4e24a2ee242e21d
126 lines
15 KiB
XML
126 lines
15 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
|
||
<chapter xmlns:xi="http://www.w3.org/2001/XInclude" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns="http://docbook.org/ns/docbook" xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="ch005_security-domains"><?dbhtml stop-chunking?>
|
||
<title>Security Boundaries and Threats</title>
|
||
<para>A cloud can be abstracted as a collection of logical components by virtue of their function, users, and shared security concerns, which we call security domains. Threat actors and vectors are classified based on their motivation and access to resources. Our goal is to provide you a sense of the security concerns with respect to each domain depending on your risk/vulnerability protection objectives.</para>
|
||
<section xml:id="ch005_security-domains-idp39040">
|
||
<title>Security Domains</title>
|
||
<para>A security domain comprises users, applications, servers or networks that share common trust requirements and expectations within a system. Typically they have the same authentication and authorization (AuthN/Z) requirements and users.</para>
|
||
<para>Although you may desire to break these domains down further (we later discuss where this may be appropriate), we generally refer to four distinct security domains which form the bare minimum that is required to deploy any OpenStack cloud securely. These security domains are:</para>
|
||
<orderedlist><listitem>
|
||
<para>Public</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>Guest</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>Management</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>Data</para>
|
||
</listitem>
|
||
</orderedlist>
|
||
<para>We selected these security domains because they can be mapped independently or combined to represent the majority of the possible areas of trust within a given OpenStack deployment. For example, some deployment topologies combine both guest and data domains onto one physical network versus others, which have these networks physically separated. In each case, the cloud operator should be aware of the appropriate security concerns. Security domains should be mapped out against your specific OpenStack deployment topology. The domains and their trust requirements depend upon whether the cloud instance is public, private, or hybrid.</para>
|
||
<para><inlinemediaobject><imageobject role="html">
|
||
<imagedata contentdepth="298" contentwidth="338" fileref="static/untrusted_trusted.png" format="PNG" scalefit="1"/>
|
||
</imageobject>
|
||
<imageobject role="fo">
|
||
<imagedata contentdepth="100%" fileref="static/untrusted_trusted.png" format="PNG" scalefit="1" width="100%"/>
|
||
</imageobject>
|
||
</inlinemediaobject></para>
|
||
<section xml:id="ch005_security-domains-idp50384">
|
||
<title>Public</title>
|
||
<para>The public security domain is an entirely untrusted area of the cloud infrastructure. It can refer to the Internet as a whole or simply to networks over which you have no authority. Any data that transits this domain with confidentiality or integrity requirements should be protected using compensating controls.</para>
|
||
<para>This domain should always be considered <emphasis>untrusted</emphasis>.</para>
|
||
</section>
|
||
<section xml:id="ch005_security-domains-idp52768">
|
||
<title>Guest</title>
|
||
<para>Typically used for compute instance-to-instance traffic, the guest security domain handles compute data generated by instances on the cloud but not services that support the operation of the cloud, such as API calls.</para>
|
||
<para>Public cloud providers and private cloud providers who do not have stringent controls on instance use or who allow unrestricted internet access to VMs should consider this domain to be <emphasis>untrusted</emphasis>. Private cloud providers may want to consider this network as internal and therefore <emphasis>trusted</emphasis> only if they have controls in place to assert that they trust instances and all their tenants.</para>
|
||
</section>
|
||
<section xml:id="ch005_security-domains-idp55632">
|
||
<title>Management</title>
|
||
<para>The management security domain is where services interact. Sometimes referred to as the "control plane", the networks in this domain transport confidential data such as configuration parameters, usernames, and passwords. Command and Control traffic typically resides in this domain, which necessitates strong integrity requirements. Access to this domain should be highly restricted and monitored. At the same time, this domain should still employ all of the security best practices described in this guide.</para>
|
||
<para>In most deployments this domain is considered <emphasis>trusted</emphasis>. However, when considering an OpenStack deployment, there are many systems that bridge this domain with others, potentially reducing the level of trust you can place on this domain. See <xref linkend="ch005_security-domains-idp61360" /> for more information.</para>
|
||
</section>
|
||
<section xml:id="ch005_security-domains-idp59216">
|
||
<title>Data</title>
|
||
<para>The data security domain is concerned primarily with information pertaining to the storage services within OpenStack. Much of the data that crosses this network has high integrity and confidentiality requirements and depending on the type of deployment there may also be strong availability requirements.</para>
|
||
<para>The trust level of this network is heavily dependent on deployment decisions and as such we do not assign this any default level of trust.</para>
|
||
</section>
|
||
</section>
|
||
<section xml:id="ch005_security-domains-idp61360">
|
||
<title>Bridging Security Domains</title>
|
||
<para>A <emphasis>bridge</emphasis> is a component that exists inside more than one security domain. Any component that bridges security domains with different trust levels or authentication requirements must be carefully configured. These bridges are often the weak points in network architecture. A bridge should always be configured to meet the security requirements of the highest trust level of any of the domains it is bridging. In many cases the security controls for bridges should be a primary concern due to the likelihood of attack.</para>
|
||
<para><inlinemediaobject><imageobject role="html">
|
||
<imagedata contentdepth="266" contentwidth="222" fileref="static/bridging_security_domains_1.png" format="PNG" scalefit="1"/>
|
||
</imageobject>
|
||
<imageobject role="fo">
|
||
<imagedata contentdepth="100%" fileref="static/bridging_security_domains_1.png" format="PNG" scalefit="1" width="100%"/>
|
||
</imageobject>
|
||
</inlinemediaobject></para>
|
||
<para>The diagram above shows a compute node bridging the data and management domains, as such the compute node should be configured to meet the security requirements of the management domain. Similarly the API Endpoint in this diagram is bridging the untrusted public domain and the management domain, and should be configured to protect against attacks from the public domain propagating through to the management domain.</para>
|
||
<para><inlinemediaobject><imageobject role="html">
|
||
<imagedata contentdepth="418" contentwidth="559" fileref="static/bridging_domains_clouduser.png" format="PNG" scalefit="1"/>
|
||
</imageobject>
|
||
<imageobject role="fo">
|
||
<imagedata contentdepth="100%" fileref="static/bridging_domains_clouduser.png" format="PNG" scalefit="1" width="100%"/>
|
||
</imageobject>
|
||
</inlinemediaobject></para>
|
||
<para>In some cases deployers may want to consider securing a bridge to a higher standard than any of the domains in which it resides. Given the above example of an API endpoint, an adversary could potentially target the API endpoint from the public domain, leveraging it in the hopes of compromising or gaining access to the management domain.</para>
|
||
<para>The design of OpenStack is such that separation of security domains is difficult - as core services will usually bridge at least two domains, special consideration must be given when applying security controls to them.</para>
|
||
</section>
|
||
<section xml:id="ch005_security-domains-idp95264">
|
||
<title>Threat Classification, Actors and Attack Vectors</title>
|
||
<para>Most types of cloud deployment, public or private, are exposed to some form of attack. In this chapter we categorize attackers and summarize potential types of attacks in each security domain.</para>
|
||
<section xml:id="ch005_security-domains-idp96560">
|
||
<title>Threat Actors</title>
|
||
<para>A threat actor is an abstract way to refer to a class of adversary that you may attempt to defend against. The more capable the actor, the more expensive the security controls that are required for successful attack mitigation and prevention. Security is a tradeoff between cost, usability and defense. In some cases it will not be possible to secure a cloud deployment against all of the threat actors we describe here. Those deploying an OpenStack cloud will have to decide where the balance lies for their deployment / usage.</para>
|
||
<itemizedlist><listitem>
|
||
<para><emphasis role="bold">Intelligence Services</emphasis> — Considered by this guide as the most capable adversary. Intelligence Services and other state actors can bring tremendous resources to bear on a target. They have capabilities beyond that of any other actor. It is very difficult to defend against these actors without incredibly stringent controls in place, both human and technical.</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para><emphasis role="bold">Serious Organized Crime</emphasis> — Highly capable and financially driven groups of attackers. Able to fund in-house exploit development and target research. In recent years the rise of organizations such as the Russian Business Network, a massive cyber-criminal enterprise has demonstrated how cyber attacks have become a commodity. Industrial espionage falls within the SOC group.</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para><emphasis role="bold">Highly Capable Groups</emphasis> — This refers to 'Hacktivist' type organizations who are not typically commercially funded but can pose a serious threat to service providers and cloud operators.</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para><emphasis role="bold">Motivated Individuals</emphasis> — Acting alone, these attackers come in many guises, such as rogue or malicious employees, disaffected customers, or small-scale industrial espionage.</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para><emphasis role="bold">Script Kiddies</emphasis> — Automated vulnerability scanning/exploitation. Non-targeted attacks. Often only a nuisance, compromise by one of these actors presents a major risk to an organization's reputation.</para>
|
||
</listitem>
|
||
</itemizedlist>
|
||
<para><inlinemediaobject><imageobject role="html">
|
||
<imagedata contentdepth="403" contentwidth="472" fileref="static/threat_actors.png" format="PNG" scalefit="1"/>
|
||
</imageobject>
|
||
<imageobject role="fo">
|
||
<imagedata contentdepth="100%" fileref="static/threat_actors.png" format="PNG" scalefit="1" width="100%"/>
|
||
</imageobject>
|
||
</inlinemediaobject></para>
|
||
</section>
|
||
<section xml:id="ch005_security-domains-idp111680">
|
||
<title>Public / Private Considerations</title>
|
||
<para>Private clouds are typically deployed by enterprises or institutions inside their networks and behind their firewalls. Enterprises will have strict policies on what data is allowed to exit their network and may even have different clouds for specific purposes. Users of a private cloud are typically employees of the organization that owns the cloud and are able to be held accountable for their actions. Employees often attend training sessions before accessing the cloud and will likely take part in regular scheduled security awareness training. Public clouds by contrast cannot make any assertions about their users, cloud use-cases or user motivations. This immediately pushes the guest security domain into a completely <emphasis>untrusted</emphasis> state for public cloud providers.</para>
|
||
<para>A notable difference in the attack surface of public clouds is that they must provide internet access to their services. Instance connectivity, access to files over the internet and the ability to interact with the cloud controlling fabric such as the API endpoints and dashboard are must-haves for the public cloud.</para>
|
||
<para>Privacy concerns for public and private cloud users are typically diametrically opposed. The data generated and stored in private clouds is normally owned by the operator of the cloud, who is able to deploy technologies such as data loss prevention (DLP) protection, file inspection, deep packet inspection and prescriptive firewalling. In contrast, privacy is one of the primary barriers to adoption for the public cloud, as many of these controls do not exist.</para>
|
||
</section>
|
||
<section xml:id="ch005_security-domains-idp116736">
|
||
<title>Outbound attacks and reputational risk</title>
|
||
<para>Careful consideration should be given to potential outbound abuse from a cloud deployment. Whether public or private, clouds tend to have lots of resource available. An attacker who has established a point of presence within the cloud, either through hacking in or via entitled access (rogue employee), can bring these resources to bear against the internet at large. Clouds with compute services make for ideal DDoS and brute force engines. This is perhaps a more pressing issue for public clouds as their users are largely unaccountable, and can quickly spin up numerous disposable instances for outbound attacks. Major damage can be inflicted upon a company's reputation if it becomes known for hosting malicious software or launching attacks on other networks. Methods of prevention include egress security groups, outbound traffic inspection, customer education and awareness, and fraud and abuse mitigation strategies.</para>
|
||
</section>
|
||
<section xml:id="ch005_security-domains-idp120000">
|
||
<title>Attack Types</title>
|
||
<para>The diagram shows the types of attacks that may be expected from the actors described in the previous section. Note that there will always be exceptions to this diagram but in general, this describes the sorts of attack that could be typical for each actor.</para>
|
||
<para><inlinemediaobject><imageobject role="html">
|
||
<imagedata contentdepth="642" contentwidth="616" fileref="static/high-capability.png" format="PNG" scalefit="1"/>
|
||
</imageobject>
|
||
<imageobject role="fo">
|
||
<imagedata contentdepth="100%" fileref="static/high-capability.png" format="PNG" scalefit="1" width="100%"/>
|
||
</imageobject>
|
||
</inlinemediaobject></para>
|
||
<para>The prescriptive defense for each form of attack is beyond the scope of this document. The above diagram can assist you in making an informed decision about which types of threats, and threat actors, should be protected against. For commercial public cloud deployments this might include prevention against serious crime. For those deploying private clouds for government use, more stringent protective mechanisms should be in place, including carefully protected facilities and supply chains. In contrast those standing up basic development or test environments will likely require less restrictive controls (middle of the spectrum).</para>
|
||
</section>
|
||
</section>
|
||
</chapter>
|