Saturday, April 13, 2013

OpenStack and Cloud Security


OpenStack is an Infrastructure as a Service (IaaS) initiative launched in July 2010 by Rackspace in collaboration with NASA. As of today more than 100 companies, including Cisco Systems Inc., HP, IBM, Citrix Systems Inc., Dell Inc., Intel Corp. and Microsoft, are contributing to its development. The OpenStack software is released under the terms of the Apache License 2.0.
The original OpenStack architecture has three core components: Compute (Nova), Object Storage (Swift) and Image Service (Glance).
It is fairly obvious that OpenStack mitigates vendor technology lock-in. From a security perspective, OpenStack, like other open source platforms such as Apache and Linux, relies on its community to ensure that security flaws are found and fixed quickly. In the OpenStack world, vulnerability management is performed by the Vulnerability Management Team (VMT), a small group of independent security professionals who do not need the consent of their employers to reveal a platform vulnerability to downstream players in an organized and fair manner. A detailed explanation of vulnerability management in OpenStack is provided below.
Vulnerability management in OpenStack:
It is the process by which information about a discovered security flaw is communicated to all stakeholders without compromising the security of deployed systems. The VMT at OpenStack follows a rule of least disclosure: details of a flaw are shared with as few people as possible until a fix is ready.
Map of vulnerability disclosure in OpenStack:
1. The VMT coordinator receives an encrypted email from the original reporter describing the vulnerability.
2. The VMT, together with the reporter, creates a security-restricted (private) Launchpad bug entry.
3. The Project Technical Lead (PTL) of the affected project is warned and asked to confirm the impact.
4. The reporter, the VMT, the PTL and a few key developers develop a fix.
5. The VMT and the developers get the fix pre-approved by the core team.
6. The core team announces the issue and provides the fix to all stakeholders.
7. The development team releases the updated version of the software. (OpenStack.org)
On the flip side, OpenStack is a relatively new platform with little vendor experience behind it. System administrators and deployment personnel may therefore make configuration mistakes that later turn out to be security flaws. OpenStack also has only a small security group, which is still uncovering issues: the OpenStack Security Group (OSSG) is the group within the project tasked with looking at security.
Recently there have been several commercial implementations of OpenStack that aim to address these security concerns. For example, Piston Enterprise OS (pentOS) claims to focus on the security and operations of the private cloud. There have also been some unprecedented changes in the way security is implemented in cloud systems. We now have the CloudAudit specification, which helps cloud service providers build their architecture so that security data is readily available to their customers. Cloud service providers can emphasize their security measures to differentiate themselves from competitors in an increasingly homogeneous space. The advent of new auditing techniques and the entry of open source cloud technologies can potentially lead to new security vulnerabilities, and to equally creative solutions for them.
Bibliography
OpenStack.org. (n.d.). Vulnerability Management. Retrieved from http://wiki.openstack.org/VulnerabilityManagement?highlight=%28VMT%29
Wikipedia. (n.d.). OpenStack. Retrieved from http://en.wikipedia.org/wiki/OpenStack
