Contents

Preface
Conventions
Document change history
1. Acknowledgments
2. Why and how we wrote this book
Objectives
How
How to contribute to this book
3. Introduction to OpenStack
Cloud types
OpenStack service overview
4. Security Boundaries and Threats
Security Domains
Bridging Security Domains
Threat Classification, Actors and Attack Vectors
5. Introduction to Case Studies
Case Study : Alice the private cloud builder
Case Study : Bob the public cloud provider
6. System Documentation Requirements
System Roles & Types
System Inventory
Network Topology
Services, Protocols and Ports
7. Case Studies: System Documentation
Alice's Private Cloud
Bob's Public Cloud
8. Management Introduction
9. Continuous Systems Management
Vulnerability Management
Configuration Management
Secure Backup and Recovery
Security Auditing Tools
10. Integrity Life-cycle
Secure Bootstrapping
Runtime Verification
11. Management Interfaces
Dashboard
OpenStack API
Secure Shell (SSH)
Management Utilities
Out-of-Band Management Interface
12. Case Studies: Management Interfaces
Alice's Private Cloud
Bob's Public Cloud
13. Introduction to SSL/TLS
Certification Authorities
SSL/TLS Libraries
Cryptographic Algorithms, Cipher Modes, and Protocols
Summary
14. Case Studies: PKI and Certificate Management
Alice's Private Cloud
Bob's Public Cloud
15. SSL Proxies and HTTP Services
Examples
nginx
HTTP Strict Transport Security
16. API Endpoint Configuration Recommendations
Internal API Communications
Paste and Middleware
API Endpoint Process Isolation & Policy
17. Case Studies: API Endpoints
Alice's Private Cloud
Bob's Public Cloud
18. Identity
Authentication
Authentication Methods
Authorization
Policies
Tokens
Future
19. Dashboard
Basic Web Server Configuration
HTTPS
HTTP Strict Transport Security (HSTS)
Front end Caching
Domain Names
Static Media
Secret Key
Session Backend
Allowed Hosts
Cookies
Password Auto Complete
Cross Site Request Forgery (CSRF)
Cross Site Scripting (XSS)
Cross Origin Resource Sharing (CORS)
Horizon Image Upload
Upgrading
Debug
20. Compute
Virtual Console Selection
21. Object Storage
First thing to secure – the network
Securing services – general
Securing storage services
Securing proxy services
Object storage authentication
Other notable items
22. Case Studies: Identity Management
Alice's Private Cloud
Bob's Public Cloud
23. State of Networking
24. Networking Architecture
OS Networking Service placement on Physical Servers
25. Networking Services
L2 Isolation using VLANs and Tunneling
Network Services
Network Services Extensions
Networking Services Limitations
26. Securing OpenStack Networking Services
OpenStack Networking Service Configuration
27. Networking Services Security Best Practices
Tenant Network Services Workflow
Networking Resource Policy Engine
Security Groups
Quotas
28. Case Studies: Networking
Alice's Private Cloud
Bob's Public Cloud
29. Message Queuing Architecture
30. Messaging Security
Messaging Transport Security
Queue Authentication and Access Control
Message Queue Process Isolation & Policy
31. Case Studies: Messaging
Alice's Private Cloud
Bob's Public Cloud
32. Database Backend Considerations
Security References for Database Backends
33. Database Access Control
OpenStack Database Access Model
Database Authentication and Access Control
Require User Accounts to Require SSL Transport
Authentication with X.509 Certificates
OpenStack Service Database Configuration
Nova Conductor
34. Database Transport Security
Database Server IP Address Binding
Database Transport
MySQL SSL Configuration
PostgreSQL SSL Configuration
35. Case Studies: Database
Alice's Private Cloud
Bob's Public Cloud
36. Data Privacy Concerns
Data Residency
Data Disposal
37. Data Encryption
Object Storage Objects
Block Storage Volumes & Instance Ephemeral Filesystems
Network Data
38. Key Management
References
39. Case Studies: Tenant Data
Alice's Private Cloud
Bob's Public Cloud
40. Hypervisor Selection
Hypervisors in OpenStack
Selection Criteria
41. Hardening the Virtualization Layers
Physical Hardware (PCI Passthrough)
Virtual Hardware (QEMU)
sVirt: SELinux + Virtualization
42. Case Studies: Instance Isolation
Alice's Private Cloud
Bob's Public Cloud
43. Security Services for Instances
Entropy To Instances
Scheduling Instances to Nodes
Trusted Images
Instance Migrations
44. Case Studies: Instance Management
Alice's Private Cloud
Bob's Public Cloud
45. Forensics and Incident Response
Monitoring Use Cases
References
46. Case Studies: Monitoring and Logging
Alice's Private Cloud
Bob's Public Cloud
47. Compliance Overview
Security Principles
48. Understanding the Audit Process
Determining Audit Scope
Internal Audit
Prepare for External Audit
External Audit
Compliance Maintenance
49. Compliance Activities
Information Security Management System (ISMS)
Risk Assessment
Access & Log Reviews
Backup and Disaster Recovery
Security Training
Security Reviews
Vulnerability Management
Data Classification
Exception Process
50. Certification & Compliance Statements
Commercial Standards
SOC 3
ISO 27001/2
HIPAA / HITECH
Government Standards
51. Privacy
52. Case Studies: Compliance
Alice's Private Cloud
Bob's Public Cloud
A. Community support
Documentation
ask.openstack.org
OpenStack mailing lists
The OpenStack wiki
The Launchpad Bugs area
The OpenStack IRC channel
Documentation feedback
OpenStack distribution packages
Glossary