Open-source security: Can OpenStack really protect your cloud data?

A free, open-source platform, OpenStack was created with the ambitious target of giving infrastructure-as-a-service to consumers in a rapid, self-serve manner. It is now one of the most popular open-source cloud projects with the likes of eBay and Walmart relying on its framework.

Speed and simplicity were essential throughout OpenStack's development, and users can now easily manage it through a web-based dashboard, command-line tools, or a RESTful API. Security, however, took a back seat until recent incidents such as the VENOM breakout and the Heartbleed SSL flaw gave rise to no small discussion around its ability to keep data safe as a cloud platform. Safety had apparently been sacrificed for speed and efficiency at the development stage.


That said, when assessing the relative security of OpenStack it is important to remember that the inevitable complexity of public cloud computing, which introduces many layers of interacting technology, is part of the reason security issues are evolving so quickly and tend to introduce many difficult cloud-specific problems.

Existing exploits

OpenStack is relatively new code and is therefore likely to contain numerous software vulnerabilities and implementation issues, which continue to be uncovered by the OpenStack community. However, with specific portals and projects devised to tackle emerging security issues head on, the OpenStack community appears to be taking security concerns quite seriously.


At the highest level, general implementation-based vulnerabilities do exist, such as cleartext RPC communications and the use of plaintext passwords in some of the authentication files. In addition, the reliance of OpenStack on other components can pose an issue. For example, if your team were to use an old version of OpenSSL that suffers from Heartbleed, your organisation's OpenStack implementation may be affected as well.
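As an added illustration (not code from the article or the OpenStack project), the following Python check scans an OpenStack-style configuration file for the two implementation weaknesses just named: an RPC transport without TLS and credentials stored in plaintext. The sample config is constructed; the option names (`transport_url`, `[oslo_messaging_rabbit] ssl`, `[keystone_authtoken] password`, `[database] connection`) are real oslo.config and Keystone options, and `ssl = true` is assumed here to be the marker of an encrypted broker connection.

```python
# Added example: audit an oslo.config-style file for cleartext RPC and
# plaintext credentials. SAMPLE_CONF is constructed for illustration.
import configparser
import re
from urllib.parse import urlsplit

SAMPLE_CONF = """
[DEFAULT]
transport_url = rabbit://openstack:RabbitPass123@controller:5672/

[oslo_messaging_rabbit]
ssl = false

[keystone_authtoken]
auth_url = http://controller:5000/v3
password = NovaPass456

[database]
connection = mysql+pymysql://nova:DbPass789@controller/nova
"""

def audit_config(text: str) -> list[str]:
    """Return a list of findings; an empty list means nothing was flagged."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    # 1. Cleartext RPC: a rabbit:// transport with TLS not switched on.
    url = cp.get("DEFAULT", "transport_url", fallback="")
    ssl_on = cp.getboolean("oslo_messaging_rabbit", "ssl", fallback=False)
    if url.startswith("rabbit://") and not ssl_on:
        findings.append("DEFAULT/transport_url: rabbit:// without ssl=true (cleartext RPC)")
    # 2. Credentials embedded in broker and database connection URLs.
    for section, option in (("DEFAULT", "transport_url"), ("database", "connection")):
        value = cp.get(section, option, fallback="")
        if value and urlsplit(value).password:
            findings.append(f"{section}/{option}: password embedded in URL")
    # 3. Plaintext password options in any named section (configparser lowercases keys).
    for section in cp.sections():
        for option, value in cp.items(section):
            if re.fullmatch(r".*password", option) and value.strip():
                findings.append(f"{section}/{option}: plaintext password in config file")
    # 4. Keystone auth endpoint reached over http rather than https.
    auth_url = cp.get("keystone_authtoken", "auth_url", fallback="")
    if auth_url.startswith("http://"):
        findings.append("keystone_authtoken/auth_url: http:// endpoint (token traffic in the clear)")
    return findings

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONF):
        print("FINDING:", finding)
```

On the constructed sample the check reports five findings; on a config with a TLS-enabled broker and no embedded or plaintext passwords it reports none.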

The latest vulnerabilities, and advice on what to do about them, can be found on the community's security portal, security.openstack.com. This page will make sure users know of the latest security patches. You can even track the open software flaws by their Common Vulnerabilities and Exposures (CVE) identifiers.

Patching progress

The OpenStack Security Project attempts to tackle security directly, and allows the community to share and report vulnerabilities so they get fixed. The security guide is also a great tool for users as it acknowledges some of the security issues around implementing OpenStack and helps to deploy the platform in the most secure manner.

Despite the fact that OpenStack is a "cloud" computing platform, it still manages real servers that physically exist somewhere and send traffic on real networks. Therefore, all the normal, relevant security controls should be considered (firewalls, IPS, anti-malware, WAF, etc.). In certain cases, OpenStack even offers APIs that can help you apply traditional security controls (such as network IPS via the Networking API) within this new cloud model. As with anything, CTOs and CIOs will also need to make sure the OpenStack software is properly maintained and updated regularly.

Best practice

Auditing your system regularly on a set schedule is an absolute necessity to stand any chance of finding vulnerabilities before they are exploited. Make sure you prioritise any potential exploits based on severity and real-world impact; there may well be cases where a vulnerability could be devastating but simply isn't reachable in your company's implementation.

One other tip is to track the time it takes your team to close or mitigate each threat. High-priority or severe vulnerabilities should be closed more quickly over time.

All in all, OpenStack is an amazing platform with tons of potential in the enterprise realm. As with all new technology platforms, however, data breaches are happening at a staggering rate, and the first question every CTO/CIO should ask before implementing it is: how secure can I make this network?


Corey Nachreiner, CTO, WatchGuard

Recognized as a thought leader in IT security, Nachreiner spearheads WatchGuard's technology vision and direction. He has operated at the frontline of cyber security for 16 years, and for nearly a decade has been evaluating and making accurate predictions about information security trends.

As an authority on network security and internationally quoted commentator, Nachreiner's expertise and ability to dissect complex security topics make him a sought-after speaker at forums such as Gartner, Infosec and RSA.
