
Keystone Security
A Symantec Perspective on Securing Keystone

Keith Newstadt
Cloud Services Architect, Symantec's Cloud Platform Engineering

Keystone Security, OpenStack Summit Atlanta


Objectives

We are building a consolidated cloud platform that provides infrastructure and platform services for next-generation Symantec products and services
  An exciting greenfield opportunity to re-invent our cloud infrastructure, with strong executive leadership and support
  Building a global team in the US, Europe, and Asia of top-notch, open-source-minded engineers in the areas of cloud and big data
Our development model is to use open source components as building blocks
  Identify capability gaps and contribute back to the community
We have selected OpenStack as one of the underlying infrastructure service layers
  We plan to analyze and help improve the overall security posture of OpenStack components
  We are starting small, but will scale to thousands of nodes across multiple data centers

The Symantec Team

Me
  In security for nearly 15 years
  Norton Web Services, including the Norton Identity Provider
    Billions of requests, 100M+ users, 100M+ endpoints
    Under constant attack
  Now working on Symantec's next-generation cloud, using OpenStack

The team
  Cloud Platform Engineering
  Symantec Compliance Suite
  Symantec Validation and ID Protection (VIP)
  Symantec Product Security Group
  Global Security Organization (InfoSec)

Brief Keystone Overview

[Diagram: a user authenticates to Keystone and receives an identity token; the user presents the identity token to an OpenStack service, which validates it with Keystone]

Single point of auth for all OpenStack services
Single sign-on to OpenStack services
Common API layer on top of various authentication protocols
Reduces exposure of credentials
and more

Keystone Security is Critical

Passwords
Keys
Certs
Tokens
DoS


Symantec's Approach to Securing Keystone

Process: Threat Modeling, Security Scans, Compliance
Environment: Infrastructure, Operating System, Auditing
Application: Threat Resilience, Multifactor Authentication, Identity Standards

Process

What are my assets?
What am I trying to protect?
Is my particular deployment secure?
Where am I likely to be attacked?

Threat Modeling

Work through the STRIDE threat categories for each component:
  Spoofing
  Tampering
  Repudiation
  Information Disclosure
  Denial of Service
  Elevation of Privilege

Example: Could someone spoof the LDAP server?
  Mitigation option: LDAP server authentication (Keystone verifies the LDAP server's certificate over TLS)

Did I get the right images and distros?
Am I running what I think I'm running?
Could something malicious be injected into the deployment process?
Am I running the most secure patch level?

Security Supply Chain Management

[Pipeline: Download -> Build -> Deploy -> Patch]
  Download: make sure it's good.
  Build: make sure it's secure.

Questions around third-party component security are an unsolved problem.

It seems obvious, but:
  Make sure you've validated.
  Stay on a secure patch level.

We're using Symantec Control Compliance Suite
Others: Qualys, Nessus, etc.

Environment

Can someone change my deployment?
Is my system hardened against attacks?
What assets could be stolen from my environment?
Do I know what happened after I've been attacked?

Keystone Compliance

Hardening
  Config files
  Log files
  Ports
  Executables
  Environment

Auditing
  Every deployment is different. Start by following the trail from keystone.conf.
  We're using Symantec Data Center Security for Linux and OpenStack compliance.
  Other tools are out there as well: SELinux, Tripwire, etc.
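Following the trail from keystone.conf is where the threat-model example earlier in the deck (a spoofed LDAP server, mitigated by authenticating the server) turns into a concrete setting to check. The script below is an added example, not the deck's, Keystone's or Symantec's code. It audits a constructed keystone.conf for the weak settings a hardening pass would flag, shows the corrected file beside it, and lists every file the configuration points at so that those files go into the audit scope too. The option names are the Icehouse-era ones ([DEFAULT] admin_token and debug, [token] expiration, [ldap] url / use_tls / tls_req_cert, [ssl] enable, [signing] certfile / keyfile); the severities, the one-hour token limit and both sample configurations are assumptions made for the example.

```python
"""Hardening check that follows the trail from keystone.conf.

Added example; not Keystone's, OpenStack's or Symantec's code. Option names are
the Icehouse-era ones; thresholds, severities and both sample configs below are
this example's assumptions, not real deployments.
"""
import configparser

# Constructed sample carrying the weak settings the checks are meant to catch.
WEAK_KEYSTONE_CONF = """
[DEFAULT]
admin_token = ADMIN
debug = True
log_file = /var/log/keystone/keystone.log

[token]
expiration = 86400

[ldap]
url = ldap://ldap.example.internal
use_tls = False
tls_req_cert = allow
tls_cacertfile = /etc/keystone/ssl/certs/ldap-ca.pem

[ssl]
enable = False
certfile = /etc/keystone/ssl/certs/keystone.pem
keyfile = /etc/keystone/ssl/private/keystonekey.pem

[signing]
certfile = /etc/keystone/ssl/certs/signing_cert.pem
keyfile = /etc/keystone/ssl/private/signing_key.pem
"""

# The same deployment with each finding corrected (also constructed).
HARDENED_KEYSTONE_CONF = """
[DEFAULT]
debug = False
log_file = /var/log/keystone/keystone.log

[token]
expiration = 3600

[ldap]
url = ldap://ldap.example.internal
use_tls = True
tls_req_cert = demand
tls_cacertfile = /etc/keystone/ssl/certs/ldap-ca.pem

[ssl]
enable = True
"""

MAX_TOKEN_LIFETIME = 3600   # seconds; example policy, not a Keystone default
PATH_OPTIONS = ("log_file", "certfile", "keyfile", "ca_certs", "tls_cacertfile")


def load_conf(text):
    # Treat [DEFAULT] as an ordinary section so its values do not leak into every other section.
    cfg = configparser.ConfigParser(interpolation=None, default_section="__unused__")
    cfg.read_string(text)
    return cfg


def audit(cfg):
    """Return (severity, section, option, message) for each weak setting found."""
    findings = []
    if cfg.get("DEFAULT", "admin_token", fallback="").strip():
        findings.append(("high", "DEFAULT", "admin_token",
                         "shared bootstrap secret is set: bypasses user auth and is tied to no user"))
    if cfg.getboolean("DEFAULT", "debug", fallback=False):
        findings.append(("medium", "DEFAULT", "debug",
                         "debug logging can write request bodies, credentials included, to the log"))
    if cfg.getint("token", "expiration", fallback=MAX_TOKEN_LIFETIME) > MAX_TOKEN_LIFETIME:
        findings.append(("medium", "token", "expiration",
                         "long-lived tokens widen the window in which a stolen token is useful"))
    url = cfg.get("ldap", "url", fallback="")
    if url:
        starttls = cfg.getboolean("ldap", "use_tls", fallback=False)
        if not (starttls or url.lower().startswith("ldaps://")):
            findings.append(("high", "ldap", "url",
                             "bind credentials and user passwords cross the network in cleartext"))
        elif starttls and cfg.get("ldap", "tls_req_cert", fallback="demand").lower() != "demand":
            # The deck's threat-model case: without certificate verification the server can be spoofed.
            findings.append(("high", "ldap", "tls_req_cert",
                             "server certificate not verified: a spoofed LDAP server can harvest credentials"))
    if cfg.has_section("ssl") and not cfg.getboolean("ssl", "enable", fallback=False):
        findings.append(("medium", "ssl", "enable",
                         "API served without TLS; acceptable only if TLS terminates at a proxy in front"))
    return findings


def trail(cfg):
    """Every file keystone.conf points at belongs in the hardening scope: owner, mode, content."""
    return [(section, option, cfg.get(section, option))
            for section in cfg.sections()
            for option in PATH_OPTIONS
            if cfg.has_option(section, option)]


if __name__ == "__main__":
    for name, text in (("weak", WEAK_KEYSTONE_CONF), ("hardened", HARDENED_KEYSTONE_CONF)):
        for severity, section, option, message in audit(load_conf(text)):
            print(f"{name}: [{severity}] [{section}] {option}: {message}")
    for section, option, path in trail(load_conf(WEAK_KEYSTONE_CONF)):
        print(f"audit file {path} ([{section}] {option})")
```

The [ssl] check deliberately stops at "medium": many deployments terminate TLS at a load balancer in front of Keystone, in which case the finding is closed by the balancer's configuration rather than by keystone.conf. The trail function is the half that scales across deployments: whatever a site's layout, the files it returns are the ones whose ownership, permissions and contents the compliance tooling should be pointed at.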

What high value assets are being transmitted?
Is my data secure while in motion?
What would be the repercussions if these assets were intercepted or tampered with?
How much of my environment do I trust?

Security of Credentials on the Wire

Assets: credentials and tokens

[Diagram: a client sends POST /tokens with its credentials to Keystone and receives a token; that token then travels with every request to Nova, Cinder, and Swift]

Attack vectors on both internal and external networks.
Balance risk and cost.

Application

Who is attacking me?
Will I know when I'm under attack? (and I will be)
What is their target?
How do I stop them?

Keystone Intrusion Detection

How do you fend off an attack?
  Prevention
    Rate limiting to impede brute force attacks
    Challenges to foil automated attacks
    Blacklist malicious IPs
    Detect and block anomalous user behavior

What will you need after an attack?
  Forensics
    Track users, token hashes, source IP addresses
    Aggregate logs in a central location
    Perform analytics, correlation

Security vs. privacy
Add request logging and blocking at a proxy, load balancer, or in a Keystone filter
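One place to put the rate limiting, blacklist and forensic logging from this slide is a Keystone filter. The WSGI middleware below is an added example, not Keystone's or Symantec's code; it assumes the paste-deploy filter_factory convention that Keystone pipelines used, the token paths /v2.0/tokens and /v3/auth/tokens, and that a 429 reply is acceptable to clients. It counts failed logins per source address inside a sliding window, honours X-Forwarded-For only when the peer is a proxy we run (otherwise an attacker forges addresses to dodge the limit), and logs the user name and a hash prefix of any token, never the password or the token itself, which is the security-versus-privacy trade-off the slide names. The stand-in backend, the request builder and the addresses are constructed for the demonstration.

```python
"""Rate limiting and forensic logging for Keystone's token endpoint as a WSGI filter.

Added example, not Keystone's or Symantec's code. Assumes the paste-deploy
filter_factory convention and the token paths below; limits, proxy address and
the fake backend are constructed for the demo.
"""
import collections
import hashlib
import io
import json
import logging
import time

LOG = logging.getLogger("keystone.auth_guard")
TOKEN_PATHS = ("/v2.0/tokens", "/v3/auth/tokens")


class AuthGuard:
    def __init__(self, app, max_failures=5, window=60, trusted_proxies=(), clock=time.monotonic):
        self.app, self.max_failures, self.window, self.clock = app, max_failures, window, clock
        self.trusted_proxies = set(trusted_proxies)
        self.failures = collections.defaultdict(collections.deque)   # ip -> failure timestamps
        self.blacklist = set()                                         # operator-maintained

    def client_ip(self, environ):
        peer = environ.get("REMOTE_ADDR", "-")
        forwarded = environ.get("HTTP_X_FORWARDED_FOR")
        # Trust X-Forwarded-For only from our own proxy; anyone else can set it to a forged address.
        if forwarded and peer in self.trusted_proxies:
            return forwarded.split(",")[-1].strip()   # rightmost entry is the one our proxy appended
        return peer

    def over_limit(self, ip):
        now, recent = self.clock(), self.failures[ip]
        while recent and now - recent[0] > self.window:
            recent.popleft()                          # sliding window: forget old failures
        return len(recent) >= self.max_failures

    @staticmethod
    def token_fingerprint(environ):
        """Log a hash of the token, so the log itself is not a store of usable credentials."""
        token = environ.get("HTTP_X_SUBJECT_TOKEN") or environ.get("HTTP_X_AUTH_TOKEN")
        return hashlib.sha256(token.encode()).hexdigest()[:16] if token else "-"

    @staticmethod
    def username_from_body(environ):
        """Extract the user name (never the password) from a v2 or v3 token request."""
        try:
            length = int(environ.get("CONTENT_LENGTH") or 0)
        except ValueError:
            length = 0
        raw = environ["wsgi.input"].read(length) if length else b""
        environ["wsgi.input"] = io.BytesIO(raw)      # Keystone downstream must still read the body
        try:
            auth = json.loads(raw.decode("utf-8"))["auth"]
            v2 = auth.get("passwordCredentials", {}).get("username")
            v3 = auth.get("identity", {}).get("password", {}).get("user", {}).get("name")
        except (ValueError, KeyError, AttributeError, TypeError):
            return "-"
        return v2 or v3 or "-"

    def __call__(self, environ, start_response):
        method, path = environ.get("REQUEST_METHOD", ""), environ.get("PATH_INFO", "")
        ip = self.client_ip(environ)
        is_login = method == "POST" and path in TOKEN_PATHS
        user = self.username_from_body(environ) if is_login else "-"
        if ip in self.blacklist or (is_login and self.over_limit(ip)):
            LOG.warning("blocked ip=%s user=%s %s %s", ip, user, method, path)
            start_response("429 Too Many Requests", [("Content-Type", "application/json")])
            return [b'{"error": {"code": 429, "message": "too many authentication attempts"}}']
        # Forensic record: who, from where, which token (by hash), what.
        LOG.info("ip=%s user=%s token=%s %s %s", ip, user, self.token_fingerprint(environ), method, path)

        def guarded_start_response(status, headers, exc_info=None):
            if is_login and status.startswith("401"):
                self.failures[ip].append(self.clock())   # only failed logins count toward the limit
            return start_response(status, headers, exc_info)

        return self.app(environ, guarded_start_response)


def filter_factory(global_conf, **local_conf):
    """paste.deploy entry point for a [filter:auth_guard] section in keystone-paste.ini."""
    def build(app):
        return AuthGuard(app, max_failures=int(local_conf.get("max_failures", 5)),
                         window=int(local_conf.get("window", 60)),
                         trusted_proxies=local_conf.get("trusted_proxies", "").split())
    return build


# Constructed demo: a stand-in Keystone that rejects every password.
def fake_keystone(environ, start_response):
    environ["wsgi.input"].read()
    start_response("401 Unauthorized", [("Content-Type", "application/json")])
    return [b'{"error": {"code": 401, "message": "invalid credentials"}}']


def login_request(ip, username, password, forwarded_for=None):
    body = json.dumps({"auth": {"identity": {"methods": ["password"], "password": {
        "user": {"name": username, "domain": {"id": "default"}, "password": password}}}}}).encode()
    environ = {"REQUEST_METHOD": "POST", "PATH_INFO": "/v3/auth/tokens", "REMOTE_ADDR": ip,
               "CONTENT_LENGTH": str(len(body)), "wsgi.input": io.BytesIO(body)}
    if forwarded_for:
        environ["HTTP_X_FORWARDED_FOR"] = forwarded_for
    return environ


def simulate_brute_force(attempts, max_failures=5):
    """Return the status code of each of `attempts` bad logins from one constructed address."""
    guard = AuthGuard(fake_keystone, max_failures=max_failures, window=60)
    statuses = []
    for _ in range(attempts):
        seen = []
        list(guard(login_request("203.0.113.7", "admin", "guess"), lambda s, h, e=None: seen.append(s)))
        statuses.append(int(seen[0][:3]))
    return statuses
```

Counting only 401 responses (by wrapping start_response) keeps a busy but legitimate automation account from tripping the limit, while a guessing attacker does. The per-process deque is the part to replace in a real deployment: with several Keystone workers behind a load balancer the counters have to live in a shared store, or the same logic runs at the balancer, which is the other placement the slide suggests.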

Are passwords enough?
Am I effectively validating my users?
What additional kinds of auth should I support?
How should I implement it?

Two Factor Auth

[Diagram: Keystone -> backend driver -> authenticator -> identity provider]
  LDAP Driver -> LDAP Server
  SQL Driver -> MySQL DB
  RADIUS Driver -> RADIUS Server -> RSA SecurID, or Symantec VIP Gateway -> VIP Service

How do I delegate?
How do my services and scripts authenticate themselves?
How do I control access scope?
What is the technical and management cost of a solution?

Autonomous Authentication

[Diagram: a service presents credentials to Keystone, receives a service token, and uses it to call Nova]

Considerations:
  Secure cached credentials
  Limit scope
  Expiration
  Management
  Delegation

Potential solutions:
  Cached passwords
  EC2 key
  Trusts
  Keys
  Certificates
  ?
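Of the solutions listed, trusts address most of the considerations at once: the service holds only its own credential, the delegation is bounded to named roles and an expiry, and the delegating user can revoke it. The code below is an added example, not Keystone's own client code or anything from the deck; the request and token shapes follow the Keystone v3 API and its OS-TRUST extension, while the user and role names, the trust id, the fixed clock, the two sample token responses and the one-hour limit are constructed assumptions. The point of check_token is that the consumer verifies the delegation it actually received: a service refuses a token that is broader or longer-lived than what it asked for, which is what goes wrong silently with a cached password.

```python
"""Delegating to a service with a Keystone v3 trust rather than a cached password.

Added example, not Keystone's or Symantec's code. Request and token shapes follow
the Keystone v3 API and OS-TRUST extension; users, roles, trust id, fixed clock,
sample token responses and the one-hour limit are constructed assumptions.
"""
from datetime import datetime, timedelta, timezone

ISO8601 = "%Y-%m-%dT%H:%M:%S.%fZ"
MAX_LIFETIME = timedelta(hours=1)                          # example policy
NOW = datetime(2014, 5, 14, 12, 0, tzinfo=timezone.utc)    # fixed clock for the samples


def trust_request(trustor_id, trustee_id, project_id, role_names, expires_at):
    """Body the delegating user POSTs to /v3/OS-TRUST/trusts: named roles only, bounded
    lifetime, no impersonation, so Nova's logs show the service account, not the user."""
    return {"trust": {"trustor_user_id": trustor_id, "trustee_user_id": trustee_id,
                      "project_id": project_id, "impersonation": False,
                      "expires_at": expires_at, "roles": [{"name": r} for r in role_names]}}


def trust_scoped_auth(service_user, service_password, trust_id, domain_id="default"):
    """Body the service POSTs to /v3/auth/tokens: its own credential, scoped to the trust.
    The delegating user's password is never stored on the service host."""
    return {"auth": {"identity": {"methods": ["password"], "password": {"user": {
                "name": service_user, "domain": {"id": domain_id}, "password": service_password}}},
            "scope": {"OS-TRUST:trust": {"id": trust_id}}}}


def check_token(token_response, trust_id, allowed_roles, max_lifetime=MAX_LIFETIME, now=None):
    """Consumer-side guard: list every way the token exceeds the delegation asked for."""
    now = now or datetime.now(timezone.utc)
    tok = token_response["token"]
    problems = []
    trust = tok.get("OS-TRUST:trust")
    if not trust:
        problems.append("not trust-scoped: a project-scoped token carries the user's full role set")
    elif trust.get("id") != trust_id:
        problems.append("scoped to a different trust")
    elif trust.get("impersonation"):
        problems.append("impersonation on: audit trail would show the trustor, not the service")
    extra = {r["name"] for r in tok.get("roles", [])} - set(allowed_roles)
    if extra:
        problems.append("roles beyond the delegation: " + ", ".join(sorted(extra)))
    expires = datetime.strptime(tok["expires_at"], ISO8601).replace(tzinfo=timezone.utc)
    if expires <= now:
        problems.append("already expired")
    elif expires - now > max_lifetime:
        problems.append("lives longer than policy allows")
    return problems


# Constructed sample responses in the v3 token format.
TRUST_TOKEN = {"token": {
    "methods": ["password"], "issued_at": "2014-05-14T12:00:00.000000Z",
    "expires_at": "2014-05-14T13:00:00.000000Z",
    "user": {"id": "svc-backup", "name": "backup-svc"},
    "project": {"id": "proj-a", "name": "tenant-a"},
    "roles": [{"id": "r-backup", "name": "backup_operator"}],
    "OS-TRUST:trust": {"id": "trust-1", "trustor_user": {"id": "user-alice"},
                       "trustee_user": {"id": "svc-backup"}, "impersonation": False}}}

# What a cached-password approach yields instead: the user's own project-scoped token.
PASSWORD_TOKEN = {"token": {
    "methods": ["password"], "issued_at": "2014-05-14T12:00:00.000000Z",
    "expires_at": "2014-05-15T12:00:00.000000Z",
    "user": {"id": "user-alice", "name": "alice"},
    "project": {"id": "proj-a", "name": "tenant-a"},
    "roles": [{"id": "r-backup", "name": "backup_operator"}, {"id": "r-admin", "name": "admin"}]}}


if __name__ == "__main__":
    print(trust_scoped_auth("backup-svc", "service-secret", "trust-1"))
    for name, tok in (("trust token", TRUST_TOKEN), ("password token", PASSWORD_TOKEN)):
        print(name, "->", check_token(tok, "trust-1", ["backup_operator"], now=NOW) or "accepted")
```

The password-derived token fails on three counts: it is not scoped to the trust, it carries the user's admin role along with the one the job needs, and it lives a full day. Rejecting impersonation is this example's policy choice, made for the repudiation row of the threat model: with impersonation off the token's user is the service account, so Nova's audit trail attributes the action to the script rather than to the person who delegated it.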

Standards

Keystone and Standard Protocols

Interest in industry-standard identity protocols for OpenStack
  Symantec has been through a migration like this before
  The community has already submitted blueprints

Benefits
  Single sign-on
  Improved integration
  Control over credentials
  Unified authentication experience

Symantec will look to participate in this effort

Parting thoughts

Securing your use of Keystone is an ongoing process
Protect your credentials everywhere
Share

Q&A

Thank you!
Keith Newstadt
keith_newstadt@symantec.com
Copyright 2013 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks
of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this
document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to
change without notice.
