OpenStack Cloud at Yahoo Scale: How to Avoid Disaster

Presented at Black Hat USA 2014, Aug. 6, 2014, 2:15 p.m. (25 minutes)

OpenStack is an open source project that allows you to manage a cloud of VMs, and it has grown into a widely adopted platform. The issue with having a centralized Infrastructure as a Service (IaaS) is that if you compromise the management cluster, you can attack everything it controls, which is a lot at Yahoo scale. How do you keep your OpenStack cluster safe? What do you do when a management system, hypervisor, or VM is compromised? This talk will discuss specific things that you can do to harden your cluster and make it more difficult for a large compromise to happen. If a compromise is detected, there are specific steps you can take to reduce the impact as well as to gather intelligence you can take action on. The impact of different network architectures on OpenStack security will also be discussed. Throughout this talk, I will use examples from the Yahoo deployments of OpenStack clusters to illustrate what Yahoo does to secure its systems and ensure our users continue to trust us.

Presenters:

  • Anders Beitnes - Yahoo
    Anders is a security researcher by passion and profession. He became interested in security through the comp.risks Usenet group. He is currently working as a Paranoid at Yahoo. Prior to Yahoo, he worked on embedded CAs for VPNs at Nokia. He has about 6 years of experience in application security engineering & testing and has worked on securing Hadoop, OpenStack, and numerous other open source technologies at Yahoo. Anders has a BS in Computer Science and a BA in Business Economics from the University of California, Santa Barbara. He also holds the ISC2's CISSP certification, as well as the Stanford Advanced Computer Security Professional certificate.
