Design and Deploy Secure Clouds for Financial Services Use Cases

Design and Deploy Secure Clouds
for Financial Services – Use Cases
August 18, 2016

Copyright © PLUMgrid, Inc. 2011-2015
Introduction
Speakers
2
Principal Solutions Architect
Justin Moore
Sr. Solution Architect – OpenStack Tiger Team
Joe Antkowiak
PLUMgrid
Red Hat

Agenda
What’s will be covered today
3
1 OpenStack Infrastructure Security
- Addressing Common Security Challenges using
Red Hat OpenStack Platform
Security and compliance through automation and
micro-segmentation with OpenStack and SDN
Micro-Segmentation Demo3
2

OpenStack Infrastructure Security
Addressing Common Security Challenges
using Red Hat OpenStack Platform
Joe Antkowiak
Sr Solution Architect
August 18, 2016

Agenda
 Common OpenStack Infrastructure Security Challenges
 Addressing Challenges with Red Hat OpenStack Platform Director
 Addressing Challenges with Red Hat CloudForms

OpenStack Infrastructure Security
Common Challenges
 Many Manual Tasks
 Infrastructure Secured Post Deployment
 Detecting Change and Enforcing Policy
 Maintaining Secure Configuration and Policy
When Upgrading and Scaling

<footer>
OPENSTACK PLATFORM DIRECTOR
DAY 1 + SCALING/UPGRADING
Director is included in Red Hat OpenStack
Platform
CLOUDFORMS
DAY 2 + LIFECYCLE
CloudForms is included in Red Hat
OpenStack Platform

<footer>
Red Hat OpenStack Platform Director
DEPLOYMENTPLANNING OPERATIONS
Updates and upgrades
Scaling up and down
Change management
Deployment orchestration
Service configuration
Sanity checks
Network topology
Service parameters
Resource capacity
OpenStack Orchestration

OpenStack Platform Director (OSPd)
Advantages for OpenStack Security
USES OPENSTACK TO DEPLOY OPENSTACK
Concepts applicable to workloads running on OpenStack
are applicable to OpenStack itself
IMAGE BASED
Nodes installed from a customize-able source image
TEMPLATE BASED
Customize-able, reusable, repeatable use of Heat
templates (YAML) to install, scale, and upgrade

OSP Director Image Customization
Image Customization Examples for Security
KERNEL
Deploy a custom kernel build, or hardened kernel (with
validation)
PACKAGES
Deploy specific package versions or additional packages
LOCAL ACCOUNTS AND POLICIES
Define custom local accounts and SELinux configuration

OSP Director Template-Based Deployment
Template-Based Configuration Examples for Security
SSL/TLS ENABLED CONTROL PLANE AND ENDPOINTS
Enable transport encryption on all control plane
communication using your certificates
AAA INTEGRATION
Integrate with your AAA infrastructure (LDAP, Kerberos,
etc)
SERVICES CONFIGURATION
Configure Logging, NTP, Monitoring Tools

<footer>
Red Hat CloudForms
UNIFIED
MANAGEMENT
AND
OPERATIONS
COMPLETE
LIFECYCLE
MANAGEMENT
VISIBILITY
AND
ANALYTICS
COMPLIANCE
AND
GOVERNANCE
INTEGRATION AND
COMPOSABILITY
Unified Management for OpenStack

CloudForms Compliance and Governance
ANALYZE
Automatically perform SmartState Analysis on
OpenStack Nodes and Instances (agent-less)
TRACK AND ALERT
Report on changes and drift, automatically alert based
on defined policy
REMEDIATE
Automatically kick off defined remediation or deeper
inspection actions
Example Functions

CloudForms SmartState Analysis
Examples of Items Tracked
PACKAGES AND FILES
Package versions, new/changed files
LOCAL USERS AND ACTIONS
User actions/commands, users and groups added or
changed
COMPONENT CHANGES
Added or changed network interfaces, storage attached,
new instances or containers running

Thank you!
Please Post Questions in Webinar
Visit Red Hat at OpenStack East
August 23-24, NYC
red.ht/openstack
red.ht/cloudforms

Security and compliance through automation and
micro-segmentation with OpenStack and SDN
Justin Moore

• Regulatory Compliance
• PCI
• SOX
• Security
• Separation of concerns
• Minimize attack surface
• Strict enforcement of access control
• Operations
• Reduce manual effort through automation
• Protect against misconfiguration
• Dev/Test pointed to Prod
• Incorrect or invalid firewall rule
• Server placed on wrong network
• Rapidly scale
Technology Challenges in FSI

• Too slow
• Ticket based manual workflows take days or weeks
• New methodologies demand on-demand
infrastructure, and tight integration with the SDLC
• Agile
• CI/CD
• Micro-services
• Error prone
• Lack of automation and standardization leads to
errors
• Incomplete or inadequate de-comission processes
• Too expensive
• Scale-up Access Control devices/Forklift upgrades
• Highly skilled and highly paid engineers performing
trivial ticket based activities
Traditional Approaches No Longer Work
18

• Cloud!
• Ok – it’s not really that simple. What about all of
that security stuff?
• SDN!
• Again – it’s not really as simple as buying an
SDN.
• How will we design the system to ensure that
security is baked into the end-to-end environment?
• Micro-segmentation
• Great – another buzzword!
• Micro-segmentation is the process of controlling
access to and from a service based on the
combination of security boundary and attack foot-
print
• Don’t we already do that?
• Not really!
So How Do We Keep Up?
19

Virtual Domains
Your Private Virtual Data Center
20
• Tenant Virtual Domains
• Isolation & segmentation of workloads
• Self-service provision of all functions
• Service Virtual Domains
• Owned by Cloud Operator
• Used to apply common services or security
policies
• Hosts external connectivity
• Virtual Domain Chaining
• Decouple changes from physical
infrastructure
• Fully distributed within IO Visor layer on
each compute node
DNS
Service Virtual Domain
Tenant Virtual Domains

PLUMgrid Virtual Domains
Components of a Virtual Domain
21
Virtual Domain
DistributedPolicy
EnforcementZone
Edge Policy
Enforcement Point
Virtual Domain (VD) — ISOLATION
• Secure Tenant Isolation for multi-tenant clouds
Contains all Network definitions for that Project
• Rich set of analytics and monitoring
• Option to encrypt traffic on a per VD basis
Topology — Overlay based fully
Distributed Network Functions
• Network topology view
• DVS/DVR/NAT/DNS/DHCP functions
• Fully Distributed (No hairpin or network nodes)
• Integration with external VTEP Gateways
• Topology based Service Insertion (FW/LB/IPS)
Policy boundary — SEGMENTATION
• Group Based Policies & Micro-segmentation
• All traffic in-out of VD goes through Policy Engine
• Used for Security Groups (L2-4 stateless or state-
full security)
• Policy based VTAP (traffic capture)
• Policy based Service Insertion (FW/LB/IPS)
• Support for Service Chains or single Service
Function

PLUMgrid ONS Components
22
Internet
IO Visor Gateway
IO Visor Edges (Compute Nodes)
PLUMgrid Directors
VXLAN-based
Overlay
PLUMgrid CloudApex & OpsVM

Example Application – Customer Service Tool
23
DNS
Global Cloud Policy
Prod CSTDev CST

Three-Tier Architecture
Presentation tier
Logic tier
Data tier
Database Storage
GET LIST OF ALL SALES
MADE LAST YEAR
ADD ALL SALES
TOGETHER
> GET SALES
TOTAL
> GET SALES
TOTAL
4 TOTAL SALES
QUERY
SALE 1
SALE 2
SALE 3
SALE 4

PLUMgrid Policy Path
25
Group
Classification
(source &
destination End
Point classification)
Packets
- sMAC / .1Q
- src_IP/dst_IP
- Application / Ports
- Protocols
Meta Data
- Tenant ID / App ID
- VM UUID / Name
- End Point Type / Group
- Location / physical Server
Behavior
- Traffic Profile
- Sys Call profile
- Storage Access Profile
Stateful
Security
Groups
Security
Logs &
Alerts
Policy
based
VTAP
Traffic
mirroring
Policy
based
Service
Insertion
VNF
1
VNF
2
VNF
3
- Service Chains
- Distributed Service Insertion
- Local Affinity

Q&A
Please use the Q&A panel to ask questions

THANK YOU!

Design and Deploy Secure Clouds for Financial Services Use Cases

More Related Content

What's hot (20)

Viewers also liked (14)

Similar to Design and Deploy Secure Clouds for Financial Services Use Cases (20)

More from PLUMgrid (10)

Recently uploaded (20)

Design and Deploy Secure Clouds for Financial Services Use Cases