Grounded in the Cloud

OpenStack Summit Sessions: Cloud Security


As mentioned in a previous post, the OpenStack community is now voting on submitted talks for the upcoming Summit in Paris. I have broken the submissions down into separate blogs to make it easier to find the talks submitted by HP Helion for your voting consideration.



OpenStack Public Cloud: The Security Operations Perspective

In this talk we discuss the realities of running OpenStack as a multi-tenant public cloud: responding to daily security incidents and providing a secure environment for our customers. We cover the operational security processes and practices in place, recap genuine security incidents, and discuss plans for the future. Our goal is to show what security operations and incident management really look like in a cloud environment.


Data Privacy in the Cloud

Secure deletion is critical to maintaining data security and privacy in a cloud-computing environment. Failure to implement effective secure-delete mechanisms may expose sensitive user or provider information, and tenant data leakage and isolation have long been primary concerns around cloud adoption.


There are a number of OpenStack components in which data is not securely deleted, and no option to request secure deletion exists. Common compliance and business requirements for users in government, medical and financial fields mandate strong, configurable data deletion policies. Specific OpenStack examples include the lack of secure deletion for the ephemeral files used by Nova and for objects stored in Swift, which in turn backs services such as Glance and Trove.


Jason Hullinger will focus on areas of OpenStack that require stronger data deletion policies and documentation.  He will demonstrate successful extraction of deleted private keys, customer data and source code from Glance images.

Jason will illustrate how OpenStack users can securely create Glance images to avoid such data leakage. He will also address how solid state drives (SSDs) differ from traditional hard disk drives: because an SSD's wear leveling redirects overwrites to fresh flash blocks, the traditional overwrite-based methods of secure file deletion can leave the old data in place on the device, so OpenStack needs to account for the type of hardware underneath when deleting data.


Management of Master Key Encryption Keys

Barbican is the OpenStack project designed and developed for the secure storage, provisioning and management of secrets. These secrets are mostly (but not limited to) cryptographic keys, certificates and passwords, used to protect critical data or identities on behalf of users.

Barbican uses key encryption keys (KEKs) to encrypt these secrets and protect them from unauthorized access and tampering. The confidentiality of the secrets therefore depends on the confidentiality of the per-tenant KEK.

Barbican protects the per-tenant KEKs in the same way, encrypting them under another key, the Master Key Encryption Key (MKEK). Every secret in the deployment ultimately depends on the MKEK, so its secure storage and management are vital for data confidentiality and integrity.

In this presentation we propose a plug-in approach that stores the MKEKs in a separate system. The Barbican deployer decides which system to use; depending on the level of trust required, it may be a hardware security appliance or a secured data store.

We also propose how the lifecycle of the MKEK (generation, retrieval, rotation and decommissioning) should be managed, which is equally vital for protecting data at rest.
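The key hierarchy described above, as an added example rather than Barbican's own code (Barbican is written in Python and its crypto plug-ins are not shown on this page; Go is used here because its standard library provides AES-GCM, so the block runs without third-party packages). `Vault`, `Tenant`, the in-memory MKEK map and the `mkek-vN` version labels are hypothetical stand-ins: the map plays the role of the proposed pluggable MKEK back end, and each tenant record carries the version of the MKEK its KEK is wrapped under, which is what makes rotation and decommissioning safe.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// randomBytes draws n bytes from the OS CSPRNG (keys and nonces).
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// gcm builds AES-256-GCM; neither constructor can fail for a 32-byte key.
func gcm(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	return g
}

// seal encrypts data under key and prepends the random 12-byte nonce;
// open reverses it and fails on a wrong key or a tampered blob.
func seal(key, data []byte) []byte {
	nonce := randomBytes(12)
	return gcm(key).Seal(nonce, nonce, data, nil)
}

func open(key, blob []byte) ([]byte, error) {
	if len(blob) < 12 {
		return nil, errors.New("blob too short")
	}
	return gcm(key).Open(nil, blob[:12], blob[12:], nil)
}

// Tenant is the persisted record: the tenant KEK wrapped under one MKEK
// version, plus each secret sealed under that KEK. No key is stored in clear.
type Tenant struct {
	MKEKVersion string
	WrappedKEK  []byte
	Secrets     map[string][]byte
}

// Vault keeps MKEKs by version (a stand-in for the pluggable back end, an HSM
// or a separately secured store) and the tenant records. Hypothetical type.
type Vault struct {
	mkeks   map[string][]byte
	current string
	gen     int
	Tenants map[string]*Tenant
}

func NewVault() *Vault {
	v := &Vault{mkeks: map[string][]byte{}, Tenants: map[string]*Tenant{}}
	v.newMKEK()
	return v
}

// newMKEK generates a fresh MKEK version and makes it current.
func (v *Vault) newMKEK() string {
	v.gen++
	v.current = fmt.Sprintf("mkek-v%d", v.gen)
	v.mkeks[v.current] = randomBytes(32)
	return v.current
}

// kek unwraps a tenant KEK; it fails once that MKEK version is decommissioned.
func (v *Vault) kek(t *Tenant) ([]byte, error) {
	if mk, ok := v.mkeks[t.MKEKVersion]; ok {
		return open(mk, t.WrappedKEK)
	}
	return nil, errors.New("MKEK version not available: " + t.MKEKVersion)
}

// StoreSecret seals a secret under the tenant KEK, minting that KEK (wrapped
// under the current MKEK) the first time the tenant is seen.
func (v *Vault) StoreSecret(id, name string, secret []byte) error {
	t := v.Tenants[id]
	if t == nil {
		t = &Tenant{v.current, seal(v.mkeks[v.current], randomBytes(32)), map[string][]byte{}}
		v.Tenants[id] = t
	}
	kek, err := v.kek(t)
	if err == nil {
		t.Secrets[name] = seal(kek, secret)
	}
	return err
}

// GetSecret unwraps the tenant KEK and opens the named secret with it.
func (v *Vault) GetSecret(id, name string) ([]byte, error) {
	t := v.Tenants[id]
	if t == nil {
		return nil, errors.New("unknown tenant " + id)
	}
	kek, err := v.kek(t)
	if err != nil {
		return nil, err
	}
	return open(kek, t.Secrets[name])
}

// RotateMKEK re-wraps every tenant KEK under a new MKEK, then decommissions the
// old one. Only the small wrapped-KEK blobs change; the sealed secrets are
// never rewritten.
func (v *Vault) RotateMKEK() error {
	old := v.current
	next := v.newMKEK()
	for _, t := range v.Tenants {
		kek, err := v.kek(t)
		if err != nil {
			return err
		}
		t.WrappedKEK, t.MKEKVersion = seal(v.mkeks[next], kek), next
	}
	delete(v.mkeks, old)
	return nil
}
```

Rotating the MKEK rewrites only the small wrapped-KEK blob of each tenant while the sealed secrets stay as they are, which is the practical payoff of the two-level hierarchy. Because each record names the MKEK version it is bound to, a rotation that fails halfway can simply be retried, and once the old version is decommissioned a record still bound to it can no longer be opened, so every KEK must be re-wrapped before the old MKEK is deleted. A real plug-in backed by an HSM would expose only wrap and unwrap and never hand the MKEK bytes to Barbican at all.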


OSSG: Delivering and Improving on Security in OpenStack

The OSSG talk has been a popular staple of the OpenStack Summit for years. In this edition Robert will cover the work the security community has done during the last release cycle, including Security Notes, Threat Analysis and Automated Security Checks, and discuss the next steps for security in OpenStack.

Robert will take the audience through the state of the art in OpenStack security. The audience will learn about vulnerable points in OpenStack and how the security group is working with the rest of the community to improve code quality, raise security awareness and detect vulnerabilities.


SSL Everywhere with Ephemeral PKI

All eyes are on OpenStack security as the product matures from a DevTest plaything into an enterprise-grade cloud controller. One of the major pain points in securing OpenStack is the deployment, configuration and support of SSL. Deploying a CA and integrating it with the OpenStack services is hard enough; getting real assurance from SSL, and verifying that the libraries using it are actually validating what they should, is nearly impossible. Most current guides ignore this part of the setup.

During our presentation we will unveil our solution to both of these problems. We present an open-source Ephemeral PKI system that sidesteps the revocation issues that plague most OpenStack deployments: certificates are short-lived, so a key that is lost or retired simply lapses instead of having to be revoked. The system provides a stateless, HA mechanism for delivering certificate services to an entire cloud infrastructure, supporting isolated deployments and multiple, per-service trust anchors. We hope that this way, deploying secure communication will become the norm rather than a difficult add-on.
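To make the mechanism concrete, here is an added example in Go (not the presenters' system, whose design and code are not on this page) of the two properties named above: a separate trust anchor per service, and short-lived leaf certificates in place of revocation. `TrustAnchor`, `Issue` and `Verify` are hypothetical names, and the one-year anchor lifetime is an assumption. The issuer keeps no record of what it signed; a relying party needs only the service's anchor certificate and the current time.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// TrustAnchor is one service's private root. The CA key stays with the
// issuer for that service; relying parties are given only Cert to trust.
type TrustAnchor struct {
	Cert *x509.Certificate
	key  *ecdsa.PrivateKey
	pool *x509.CertPool
}

// NewTrustAnchor makes a self-signed CA for one service (e.g. "keystone").
func NewTrustAnchor(service string, now time.Time) (*TrustAnchor, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: service + " ephemeral CA"},
		NotBefore:             now,
		NotAfter:              now.Add(365 * 24 * time.Hour), // assumed anchor lifetime
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	return &TrustAnchor{Cert: cert, key: key, pool: pool}, nil
}

// Issue signs a leaf certificate for host that is valid for ttl only. Nothing
// is recorded about it: when the key is lost or the host retired, the cert
// lapses on its own, which is what lets the issuer stay stateless and skip
// revocation. The leaf key is returned so the host can serve TLS with it.
func (ta *TrustAnchor) Issue(host string, now time.Time, ttl time.Duration) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    now,
		NotAfter:     now.Add(ttl),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ta.Cert, &key.PublicKey, ta.key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Verify checks a leaf against this service's anchor only, as of time at.
// A cert from another service's anchor, for another host, or past its
// NotAfter is rejected; no CRL or OCSP responder is consulted.
func (ta *TrustAnchor) Verify(cert *x509.Certificate, host string, at time.Time) error {
	_, err := cert.Verify(x509.VerifyOptions{Roots: ta.pool, DNSName: host, CurrentTime: at})
	return err
}
```

Verifying a leaf at a time past its NotAfter fails with an x509 expired-certificate error, and verifying a keystone-issued leaf against the glance anchor fails as an unknown authority, so a compromised or retired key is contained by the certificate lifetime alone. The cost of the approach is that issuance must be reachable and clocks must be in step every time a certificate is renewed, which is why the presenters stress a stateless, HA issuer.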


Identifying Security Issues in the Cloud: Threat Analysis for OpenStack

In this talk we will explain how the OSSG is conducting formal Threat Analysis activities for major OpenStack components.  We discuss our process: the tools, diagrams and methods in place.  We will present some of the security issues that have been identified in our early analysis efforts and discuss how to get involved with the threat analysis efforts.


Our goal with Threat Analysis is to engage project core developers and provide an in depth security review of each major OpenStack component. More info about this work is available at


Senior Manager, Cloud Online Marketing
About the Author


I manage the HPE Helion social media and website teams promoting the enterprise cloud solutions at HPE for hybrid, public, and private clouds. I was previously at Dell promoting their cloud solutions, and was the open source community manager for OpenStack at Rackspace and at Citrix Systems. While at Citrix Systems, I founded the Citrix Developer Network, developed global alliance and licensing programs, and even once added audio to the DOS ICA client in assembler. Follow me at @SpectorID
