Design and Deploy Secure Clouds
for Financial Services – Use Cases
August 18, 2016
Copyright © PLUMgrid, Inc. 2011-2015
Introduction
Speakers
Justin Moore, Principal Solutions Architect, PLUMgrid
Joe Antkowiak, Sr. Solution Architect – OpenStack Tiger Team, Red Hat
Agenda
What will be covered today
1 OpenStack Infrastructure Security - Addressing Common Security Challenges using Red Hat OpenStack Platform
2 Security and compliance through automation and micro-segmentation with OpenStack and SDN
3 Micro-Segmentation Demo
OpenStack Infrastructure Security
Addressing Common Security Challenges
using Red Hat OpenStack Platform
Joe Antkowiak
Sr Solution Architect
August 18, 2016
Agenda
• Common OpenStack Infrastructure Security Challenges
• Addressing Challenges with Red Hat OpenStack Platform Director
• Addressing Challenges with Red Hat CloudForms
OpenStack Infrastructure Security
Common Challenges
• Many Manual Tasks
• Infrastructure Secured Post Deployment
• Detecting Change and Enforcing Policy
• Maintaining Secure Configuration and Policy When Upgrading and Scaling
OPENSTACK PLATFORM DIRECTOR – DAY 1 + SCALING/UPGRADING
Director is included in Red Hat OpenStack Platform
CLOUDFORMS – DAY 2 + LIFECYCLE
CloudForms is included in Red Hat OpenStack Platform
Red Hat OpenStack Platform Director
PLANNING: Network topology, Service parameters, Resource capacity
DEPLOYMENT: Deployment orchestration, Service configuration, Sanity checks
OPERATIONS: Updates and upgrades, Scaling up and down, Change management
OpenStack Orchestration
OpenStack Platform Director (OSPd)
Advantages for OpenStack Security
USES OPENSTACK TO DEPLOY OPENSTACK
Concepts applicable to workloads running on OpenStack
are applicable to OpenStack itself
IMAGE BASED
Nodes installed from a customizable source image
TEMPLATE BASED
Customizable, reusable, repeatable use of Heat templates (YAML) to install, scale, and upgrade
OSP Director Image Customization
Image Customization Examples for Security
KERNEL
Deploy a custom kernel build, or hardened kernel (with
validation)
PACKAGES
Deploy specific package versions or additional packages
LOCAL ACCOUNTS AND POLICIES
Define custom local accounts and SELinux configuration
OSP Director Template-Based Deployment
Template-Based Configuration Examples for Security
SSL/TLS ENABLED CONTROL PLANE AND ENDPOINTS
Enable transport encryption on all control plane
communication using your certificates
AAA INTEGRATION
Integrate with your AAA infrastructure (LDAP, Kerberos,
etc)
SERVICES CONFIGURATION
Configure Logging, NTP, Monitoring Tools
Red Hat CloudForms
Unified Management for OpenStack
UNIFIED MANAGEMENT AND OPERATIONS
COMPLETE LIFECYCLE MANAGEMENT
VISIBILITY AND ANALYTICS
COMPLIANCE AND GOVERNANCE
INTEGRATION AND COMPOSABILITY
CloudForms Compliance and Governance
ANALYZE
Automatically perform SmartState Analysis on
OpenStack Nodes and Instances (agent-less)
TRACK AND ALERT
Report on changes and drift, automatically alert based
on defined policy
REMEDIATE
Automatically kick off defined remediation or deeper
inspection actions
Example Functions
CloudForms SmartState Analysis
Examples of Items Tracked
PACKAGES AND FILES
Package versions, new/changed files
LOCAL USERS AND ACTIONS
User actions/commands, users and groups added or
changed
COMPONENT CHANGES
Added or changed network interfaces, storage attached,
new instances or containers running
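The drift tracking described above, as an added illustration (not CloudForms code): two constructed inventory snapshots of one node are compared, every change is reported, and changes matching a simple policy (security-relevant files, privileged group membership) are raised as alerts. Package versions, hashes and account names are made up.

```python
# Added illustration, not CloudForms code: drift between two constructed
# inventory snapshots of one node, classified by a simple alerting policy.

# Constructed baseline snapshot (package versions and file hashes are made up).
BASELINE = {
    "packages": {"openssh-server": "7.4p1-11", "openstack-nova-api": "13.1.0-1"},
    "files": {"/etc/ssh/sshd_config": "sha256:aaa1", "/etc/sudoers": "sha256:bbb2"},
    "groups": {"wheel": {"stack"}},
}
# Constructed later snapshot: sshd upgraded, sshd_config edited, and a new
# account added to the privileged wheel group.
LATEST = {
    "packages": {"openssh-server": "7.4p1-13", "openstack-nova-api": "13.1.0-1"},
    "files": {"/etc/ssh/sshd_config": "sha256:ccc3", "/etc/sudoers": "sha256:bbb2"},
    "groups": {"wheel": {"stack", "svc-backup"}},
}

def diff_section(old, new):
    """Return (added, removed, changed) keys between two dict sections."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(k for k in set(old) & set(new) if old[k] != new[k])
    return added, removed, changed

# Policy: drift is always reported; these patterns additionally raise alerts.
ALERT_FILE_PREFIXES = ("/etc/ssh/", "/etc/sudoers")
PRIVILEGED_GROUPS = {"wheel", "sudo"}

def evaluate_drift(old, new):
    """Compute drift between two snapshots and split it into report lines
    (all changes) and alert lines (changes matching the policy above)."""
    report, alerts = [], []
    for section in ("packages", "files"):
        added, removed, changed = diff_section(old[section], new[section])
        for k in added:
            report.append(f"{section} added: {k}")
        for k in removed:
            report.append(f"{section} removed: {k}")
        for k in changed:
            report.append(f"{section} changed: {k}")
            if section == "files" and k.startswith(ALERT_FILE_PREFIXES):
                alerts.append(f"security-relevant file changed: {k}")
    for grp, members in new["groups"].items():
        for m in sorted(members - old["groups"].get(grp, set())):
            report.append(f"group {grp} gained member {m}")
            if grp in PRIVILEGED_GROUPS:
                alerts.append(f"new member in privileged group {grp}: {m}")
    return report, alerts
```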
Thank you!
Please Post Questions in Webinar
Visit Red Hat at OpenStack East
August 23-24, NYC
red.ht/openstack
red.ht/cloudforms
Security and compliance through automation and
micro-segmentation with OpenStack and SDN
Justin Moore
Technology Challenges in FSI
• Regulatory Compliance
  • PCI
  • SOX
• Security
  • Separation of concerns
  • Minimize attack surface
  • Strict enforcement of access control
• Operations
  • Reduce manual effort through automation
  • Protect against misconfiguration
    • Dev/Test pointed to Prod
    • Incorrect or invalid firewall rule
    • Server placed on wrong network
  • Rapidly scale
Traditional Approaches No Longer Work
• Too slow
  • Ticket based manual workflows take days or weeks
  • New methodologies demand on-demand infrastructure, and tight integration with the SDLC
    • Agile
    • CI/CD
    • Micro-services
• Error prone
  • Lack of automation and standardization leads to errors
  • Incomplete or inadequate decommission processes
• Too expensive
  • Scale-up Access Control devices/Forklift upgrades
  • Highly skilled and highly paid engineers performing trivial ticket based activities
So How Do We Keep Up?
• Cloud!
  • Ok – it’s not really that simple. What about all of that security stuff?
• SDN!
  • Again – it’s not really as simple as buying an SDN.
  • How will we design the system to ensure that security is baked into the end-to-end environment?
• Micro-segmentation
  • Great – another buzzword!
  • Micro-segmentation is the process of controlling access to and from a service based on the combination of security boundary and attack footprint
  • Don’t we already do that?
  • Not really!
Virtual Domains
Your Private Virtual Data Center
• Tenant Virtual Domains
  • Isolation & segmentation of workloads
  • Self-service provision of all functions
• Service Virtual Domains
  • Owned by Cloud Operator
  • Used to apply common services or security policies
  • Hosts external connectivity
• Virtual Domain Chaining
  • Decouple changes from physical infrastructure
  • Fully distributed within IO Visor layer on each compute node
(Diagram labels: DNS, Service Virtual Domain, Tenant Virtual Domains)
PLUMgrid Virtual Domains
Components of a Virtual Domain
(Diagram labels: Virtual Domain, Distributed Policy Enforcement Zone, Edge Policy Enforcement Point)
Virtual Domain (VD) — ISOLATION
• Secure Tenant Isolation for multi-tenant clouds
• Contains all Network definitions for that Project
• Rich set of analytics and monitoring
• Option to encrypt traffic on a per VD basis
Topology — Overlay based fully Distributed Network Functions
• Network topology view
• DVS/DVR/NAT/DNS/DHCP functions
• Fully Distributed (No hairpin or network nodes)
• Integration with external VTEP Gateways
• Topology based Service Insertion (FW/LB/IPS)
Policy boundary — SEGMENTATION
• Group Based Policies & Micro-segmentation
• All traffic in-out of VD goes through Policy Engine
• Used for Security Groups (L2-4 stateless or stateful security)
• Policy based VTAP (traffic capture)
• Policy based Service Insertion (FW/LB/IPS)
• Support for Service Chains or single Service Function
PLUMgrid ONS Components
(Diagram: Internet; IO Visor Gateway; IO Visor Edges (Compute Nodes); PLUMgrid Directors; VXLAN-based Overlay; PLUMgrid CloudApex & OpsVM)
Example Application – Customer Service Tool
(Diagram labels: DNS, Global Cloud Policy, Prod CST, Dev CST)
Three-Tier Architecture
(Diagram: Presentation tier → Logic tier → Data tier → Database Storage)
Request flow shown in the diagram: the presentation tier sends "GET SALES TOTAL" to the logic tier; the logic tier sends "GET LIST OF ALL SALES MADE LAST YEAR" to the data tier; the data tier runs a QUERY against storage and returns SALE 1, SALE 2, SALE 3, SALE 4; the logic tier adds all sales together and answers "4 TOTAL SALES".
PLUMgrid Policy Path
Group Classification (source & destination End Point classification), built from:
• Packets: sMAC / .1Q, src_IP/dst_IP, Application / Ports, Protocols
• Meta Data: Tenant ID / App ID, VM UUID / Name, End Point Type / Group, Location / physical Server
• Behavior: Traffic Profile, Sys Call profile, Storage Access Profile
Policy actions:
• Stateful Security Groups
• Security Logs & Alerts
• Policy based VTAP (Traffic mirroring)
• Policy based Service Insertion (VNF 1, VNF 2, VNF 3): Service Chains, Distributed Service Insertion, Local Affinity
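The group-based policy path above, applied to the three-tier Customer Service Tool with its Prod CST and Dev CST domains, as an added illustration (not PLUMgrid code): endpoints are classified into groups from metadata (tenant domain and tier), flows are matched against group-to-group rules with default deny, denied flows produce alert log lines, and a lint function flags any rule that lets one tenant domain reach another, which is the "Dev/Test pointed to Prod" misconfiguration named earlier. All addresses, group names and rules are constructed.

```python
# Added illustration, not PLUMgrid code: endpoints, groups and rules are constructed.
from collections import namedtuple

Endpoint = namedtuple("Endpoint", "name ip domain tier")
Flow = namedtuple("Flow", "src_ip dst_ip proto dst_port")

# Constructed inventory: two tenant Virtual Domains (Prod CST and Dev CST).
ENDPOINTS = [
    Endpoint("web-1",  "10.1.0.10", "prod-cst", "presentation"),
    Endpoint("app-1",  "10.1.1.10", "prod-cst", "logic"),
    Endpoint("db-1",   "10.1.2.10", "prod-cst", "data"),
    Endpoint("web-d1", "10.2.0.10", "dev-cst",  "presentation"),
    Endpoint("app-d1", "10.2.1.10", "dev-cst",  "logic"),
]

# Group-based rules (src_group, dst_group, proto, dst_port); groups are
# "<domain>/<tier>". Anything not listed is denied (default deny).
ALLOW = {
    ("prod-cst/presentation", "prod-cst/logic", "tcp", 8080),
    ("prod-cst/logic",        "prod-cst/data",  "tcp", 5432),
    ("dev-cst/presentation",  "dev-cst/logic",  "tcp", 8080),
}

def classify(ip):
    """Map a packet address to its group using endpoint metadata (domain + tier)."""
    for ep in ENDPOINTS:
        if ep.ip == ip:
            return f"{ep.domain}/{ep.tier}"
    return "unknown"

def evaluate(flow, allow=ALLOW):
    """Return (verdict, src_group, dst_group) for one flow."""
    src, dst = classify(flow.src_ip), classify(flow.dst_ip)
    verdict = "allow" if (src, dst, flow.proto, flow.dst_port) in allow else "deny"
    return verdict, src, dst

def cross_domain_rules(allow):
    """Policy lint: rules that let one tenant domain reach another, i.e. the
    'Dev/Test pointed to Prod' misconfiguration the deck warns about."""
    return sorted(r for r in allow if r[0].split("/")[0] != r[1].split("/")[0])

def audit(flows, allow=ALLOW):
    """Evaluate flows and return alert log lines for the denied ones."""
    logs = []
    for f in flows:
        verdict, src, dst = evaluate(f, allow)
        if verdict == "deny":
            logs.append(f"DENY {src} -> {dst} {f.proto}/{f.dst_port} ({f.src_ip}->{f.dst_ip})")
    return logs
```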
Micro-Segmentation Demo
Q&A
Please use the Q&A panel to ask questions
THANK YOU!