Visit the OpenStack Summit page for the latest news, registration and hotels.

Sign up or log in to bookmark your favorites and sync them to your phone or calendar.

Security [clear filter]
Monday, November 3

11:40 CET

Extending Barbican - Managing Secrets and Events Your Way
Barbican provides a simple OpenStack-friendly REST service for secrets management. But what goes on behind the scenes when you make that service call? Barbican can work with many existing technologies and systems to securely store and generate secrets via a plugin approach, utilizing systems such as HSMs, Dogtag and KMIP. Workflow plugins automate SSL certificate requests with Certificate Authorities (CAs), such as Symantec. Event plugins enable sending events to consuming systems for monitoring or auditing, including CADF events into Ceilometer. In this presentation we detail how these various plugins work and interact with Barbican, and how they could be extended to suit your enterprise's specific integration needs.


Ade Lee

Principal Software Engineer, Red Hat
Ade is a Principal Software Engineer at Red Hat and Project Lead for the Dogtag Certificate System project. He has been focused on making Dogtag more accessible to other projects by developing new REST interfaces and streamlining installation and configuration tools. He continues... Read More →

Nathan Reller

Software Engineer/Architect, Advanced Cloud Technologies, Johns Hopkins University Applied Physics Laboratory
Nathan Reller is the chief engineer for The Johns Hopkins University Applied Physics Laboratory's (JHU/APL) involvement with OpenStack. Nathan is a member of the Barbican core team and was influential in the Cinder volume encryption feature. He earned a M.S. and B.S. in computer science... Read More →
avatar for John Wood

John Wood

Enterprise Architect on the Barbican Team, Rackspace
John is an Enterprise Architect at Rackspace, and a core developer for the Barbican key management project. He has been active in working with other contributors and projects to foster Barbican's integration into OpenStack. John received a B.S. in Electrical Engineering from the... Read More →

Monday November 3, 2014 11:40 - 12:20 CET
Room 243

12:30 CET

SSL Everywhere with Ephemeral PKI
All eyes are on OpenStack security as this amazing product matures from DevTest plaything to enterprise grade cloud controller. One of the major pain points with securing OpenStack is deployment, configuration and support for SSL. Deploying a CA and integrating it with OpenStack services is hard enough, getting assurance from SSL and ensuring that the libraries using SSL are really working is nearly impossible. Most current guides ignore this part of the setup.

During our presentation we will unveil our solution to both of these problems. We present an open-source Ephemeral PKI system that sidesteps the revocation issues that plague most OpenStack deployments and provides a stateless, HA mechanism for providing certificate services to entire cloud infrastructures, supporting isolated deployments and multiple, per-service trust anchors. We hope this way deploying secure communication will become the norm rather than difficult add-on.

avatar for Robert Clark

Robert Clark

Lead Security Architect, HP
Robert is a HP Distinguished Technologist, the lead security architect for HP Helion OpenStack and the current PTL of the OpenStack Security team. His career has its roots in threat modelling, vulnerability analysis and virtualization security. He is passionate about security and... Read More →

Monday November 3, 2014 12:30 - 13:10 CET
Room 243

14:30 CET

Using Containers Without Risking Your *aas (Canonical)
It is not generally considered safe to run untrusted code in a container as uid 0.  You might have seen that in fine print at the bottom of a slide deck after being blown away by the long list of reasons that containers are totally awesome.

Luckily, that fine print is now a historical artifact.

User Namespaces are a feature added to the linux kernel in version 3.13.  They allow for the root user inside the container to be an unprivileged user outside.  This allows running of init or other process that expect to be run as root without risk.

The talk will describe how to use user namespaces and other linux security tools such as seccomp and LSM to safely run untrusted code inside a container.  It will also discuss how techniques are used by the granite nova driver to provide secure containers via openstack compute api.


Serge Hallyn

Ubuntu Server Team, Canonical
Serge Hallyn works for Canonical as a member of the Ubuntu Server team, with a particular focus on the virtualization stack. He has been involved with containers since the first upstream kernel patches for uts and pid namespaces. He was involved with LSM from the start, is listed... Read More →
avatar for Scott Moser

Scott Moser

Ubuntu Server Team
Scott Moser is a member of the Ubuntu Server and Openstack Team.  He has been involved in Openstack since around Cactus time frame.  He is maintainer of cloud-init, and has had a focal role in the production of the Official Ubuntu Cloud Images.

Monday November 3, 2014 14:30 - 15:10 CET
Room 243

15:20 CET

Trusted Bare Metal What's That?
You are a cloud user who wants bare metal for performance forging the security benefits of virtualization. All the OpenStack services, such as, Nova, Keystone, and Glance, all run on bare metal. At launch time, can we trust that they are free of malware?

Ironic in OpenStack provides support for flashing machines using network boot, PXE/iPXE. We propose modifying Ironic for trusted boot by using a two phase measured launch approach. In Phase 1, measure the Ironic boot loader, and in Phase 2, measure the Glance image we seek to install on the machine. Glance images could carry expected hash values.

The solution described relies on tboot, an open source trusted boot loader, OAT, an open source remote attestation service, Intel TXT technology, and a trusted platform module (TPM).  We round out the talk with a demo illustrating trusted boot.

Contributors: Tan Lin (Intel), Gang Wei (Intel), and Devananda van der Veen (HP)

avatar for Dr. Malini Bhandaru

Dr. Malini Bhandaru

Architect, Intel
Malini Bhandaru is a Sr. Cloud Architect with the Open source Technology Center, Intel and has been involved with OpenStack for over three years. Her tenure at Intel spans work on cloud and security, fast encryption algorithms, and Xeon platform power and performance. Prior to Intel... Read More →

Monday November 3, 2014 15:20 - 16:00 CET
Room 243

16:20 CET

Identifying Security Issues in the Cloud: Threat Analysis for OpenStack
In this talk we will explain how the OSSG is conducting formal Threat Analysis activities for major OpenStack components.  We discuss our process: the tools, diagrams and methods in place.  We will present some of the security issues that have been identified in our early analysis efforts and discuss how to get involved with the threat analysis efforts.

Our goal with Threat Analysis is to engage project core developers and provide an in depth security review of each major OpenStack component. More info about this work is available at https://wiki.openstack.org/wiki/Security/Threat_Analysis


Abu Shohel Ahmed

Experienced Researcher
Shohel is an Experienced Researcher in Ericsson where he works with identity, security, and privacy challenges for IT and Telecom environments. For last couple of years, he is working on analysing system and software vulnerabilities and threats. His research interests include identity... Read More →
avatar for Robert Clark

Robert Clark

Lead Security Architect, HP
Robert is a HP Distinguished Technologist, the lead security architect for HP Helion OpenStack and the current PTL of the OpenStack Security team. His career has its roots in threat modelling, vulnerability analysis and virtualization security. He is passionate about security and... Read More →

Monday November 3, 2014 16:20 - 17:00 CET
Room 243

17:10 CET

Secure Keystone Deployment: Lessons Learned and Best Practices
In the Juno summit, Symantec presented it's perspective on securing Keystone.  Security is really a mindset and process. We proposed a layered security approach starting with the process for securing Keystone architecture, followed by securing the environment where Keystone is deployed and configured. Since then we have been implementing those security measures in our production environment. In this talk, we will discuss exactly how we have made our Keystone deployment secure and what we have learnt along the way.

Specifically, we will cover:

  • Keystone's LDAP capabilities

    • User account management

  • Two factor authentication

  • How to avoid storing plaintext password in configuration files?

  • Generic guidelines on how to secure OpenStack endpoints

  • Autonomous authentication using Trusts

  • How to secure Keystone event notifications?

  • Keystone Intrusion Detection


avatar for Priti Desai

Priti Desai

Software Engineer, IBM
Developer Advocate at IBM. Implements CI/CD with Tekton and Serverless with OpenWhisk. OpenStack Evangelist in the past and have presented at various OpenStack summits (Paris, Vancouver, and Japan).

Monday November 3, 2014 17:10 - 17:50 CET
Room 243
Wednesday, November 5

09:00 CET

Leveraging Existing Identity Sources for OpenStack Clouds
Keystone is the reference implementation of the Identity API in OpenStack. It needs to deal with traditional identity concepts such as users and groups as well as centrally managing authorization. This session will cover how Keystone can leverage existing identity sources for authentication and identity information and instead focus on it's primary job of centrally managing access to cloud services and resources.

Keystone has a pluggable architecture that allows it to work with different identity sources. These options range from storing identity information locally to using external identity sources such as an LDAP server or a SAML identity provider. Nearly all companies and organizations already have an existing authoritative identity source that provides centralized authentication and user and group information. Configuring Keystone to use this central identity source is a popular goal for those deploying OpenStack, yet its not straight-forward to actually accomplish due to variations of different identity sources.

In this presentation, Nathan Kinder will review how Keystone has evolved around the concept of identity to date.  An overview of the very latest options for handling identity information will be provided, along with the pros and cons of the available approaches. We will also discuss how Keystone can leverage existing identity sources to provide strong authentication mechanisms in addition to discussing more complex scenarios such as using multiple external identity sources from a single Keystone instance.

avatar for Nathan Kinder

Nathan Kinder

Software Engineering Manager, Red Hat, Red Hat
Nathan is a Software Engineering Manager at Red Hat, where he manages the development of the identity and security related components of the Red Hat Enterprise Linux OpenStack Platform, Red Hat Directory Server, and Red Hat Certificate System products.  He is an active member... Read More →

Wednesday November 5, 2014 09:00 - 09:40 CET
Room 251

09:50 CET

Using Ceilometer Data to Detect Fraudulent Activity in Our OpenStack Cluster

Ceilometer, initially meant for billing, has been used for many other innovative and creative purposes in the past. There are many possible uses. However, can we use it to detect fraudulent activity happening in our OpenStack installation?

In this conference we are going discuss how much we can detect using Ceilometer, showing results where we successfully detect some fraudulent activities such as an internal DDoS attack or the now popular Bitcoin mining,discussing what kind of metrics and intervals we need to achieve it and how we can all do it in our own OpenStack deployments.

This work was inspired by the work done by the author, Marc, while as a member of the Big Data TechFund team at Cisco Systems, later continued as a MSc dissertation at the University of Kent, supervised by Dr. Julio Hernandez Castro and mentored by Debo Dutta, a Principal Engineer at Cisco's CTO Cloud Office.


Debojyoti Dutta

Principal Engineer
Debo~ is a principal engineer in the Office of the Cloud CTO at Cisco Systems where he is involved in several efforts on Openstack including building out large scale big data systems. He is passionate about different aspects of large scale streaming data. He has years of data science... Read More →

Julio Hernandez-Castro

Lecturer in Computer Security, University of Kent
Julio Hernandez-Castro is a Lecturer in Computer Security at the School of Computing, University of Kent, UK. His PhD was on application of Artificial Intelligence techniques to Computer Security and Cryptography, and has worked in this and closely related fields for the last 15 years... Read More →
avatar for Marc Solanas Tarre

Marc Solanas Tarre

Big Data on OpenStack R & D, Cisco Systems
Marc is a Software Engineer in the CTO Cloud lab in Cisco Systems, in San Jose, CA. He is passionate about Big Data and distributed systems. Particularly, he is interested on how to optimize Big Data on OpenStack by tuning resource placement, network and storage configurations. He... Read More →

Wednesday November 5, 2014 09:50 - 10:30 CET
Room 251

11:00 CET

Cloud Security: Do You Know Where Workloads are Running? Ensuring Boundary Control in OpenStack Cloud
Speakers: Raghu Yeluri, Intel Corporation

As an Enterprise and/or a Cloud service provider, you would have to ensure that all regulatory requirements for workload and data sovereignty are met.   You have to answer the questions from your customers like:

where is my workload running? ,  Are my workloads running in a compliant location? ,  How can I trust the Integrity of the host servers on which my workloads are running , can you prove to me that my workloads and data have not violated policies? , How can I control via policy where my workload can and cannot migrate and run .


In this session, we will present a solution architecture and soon to  be up streamed implementation with a walk through/demonstration of  set of OpenStack extensions and solution components that address these questions.

It will provide a recipe for how to:

  1. Enable a system admin to securely write an asset/geo-tag descriptors on to the host servers,

  2. make that descriptor available to the OpenStack scheduler

  3. Define the location/segregation/geo policy for the VMs/Workloads

  4. LocationComplianceFilter in OpenScheduler to pick a compliant set of servers


Raghu Yeluri

Sr. Principal Engineer, Intel
Raghu Yeluri is a Sr. Principal Engineer and lead Security Architect in the Data Center Group at Intel Corporation with focus on container, virtualization and cloud security. In this role, he drives security solution architecture and development to deliver hardware-assisted security... Read More →

Wednesday November 5, 2014 11:00 - 11:40 CET
Room 251