ATLANTA -- The OpenStack Foundation Board of Directors has identified gaps in the open source cloud computing platform as part of a behind-the-scenes campaign called "Win the Enterprise."
Intel's IT staff kicked off the initiative with a phone meeting of the board on April 30, according to sources inside the foundation. They created a list of gaps between enterprise expectations and what OpenStack currently delivers, according to PowerPoint slides obtained by SearchCloudComputing.
Among the gaps is a need for better documentation to correct some mistaken but common ideas among OpenStack's prospective enterprise customers about the security of the platform.
"We don't use OpenStack because the security sucks," said one network planner for a major telecommunications provider, who requested anonymity. "[The] Keystone [identity management service] stores and transmits passwords in plain text."
This is a misconception, according to Jonathan Bryce, executive vice president of the OpenStack Foundation, but he said better documentation would help Keystone be better understood.
Keystone, updated as part of OpenStack Icehouse last month, consists of two parts: the Keystone Service and an identity backend. Both are configurable to protect sensitive data, such as passwords. The backend would ideally consist of Lightweight Directory Access Protocol directories or an encrypted MySQL database, Bryce said.
As for the front-end Keystone Service, Transport Layer Security (TLS) is recommended to keep client HTTP requests -- which could include passwords -- from being transmitted in plain text. That's because security in the Keystone service is based on the transport layer, Bryce said.
But this best practice isn't always followed, according to a presentation by Bryan Payne, director of security research for Mountain View, California-based Nebula Inc., which sells an OpenStack appliance.
"You would be surprised at how many OpenStack clouds there are that don't use TLS," he said.
Security in OpenStack isn't lacking so much as user awareness of its best practices, Payne emphasized in a separate interview following his talk at the OpenStack Summit.
Though technical expertise is needed to create truly secure OpenStack clouds, some enterprises are considering OpenStack precisely because of the opportunity to control security in their environments, and many still consider it a more secure alternative to public clouds such as Amazon Web Services.
"Having the ability to manage infrastructure along the lines of Amazon is attractive," said Todd Sanders, application architect with an archiving service provider. "But it needs to be internal to our data center, rather than stored in a communal public cloud."
The ghost in the machine: Hardware-based OpenStack security bugaboos
OpenStack security only goes as far as the underlying hardware plugged into its cloud management software framework. This is important for IT pros to remember when using OpenStack Neutron, its network as a service, according to a cloud consultant who also requested anonymity.
"Neutron is still new -- and depending on the configuration, you may be more or less secure depending on how mature your vendor is," he said.
The underlying server hardware, too, can introduce security vulnerabilities, though there are also workarounds for this, according to a presentation here by Christian Huebner, cloud architect for Mirantis, Inc., an OpenStack distributor and consulting firm based in Mountain View, California.
Huebner recommended Intel's Trusted Execution Technology (TXT) to prevent changes to guest operating systems that could allow a hacker to take them over. TXT can be integrated into OpenStack using the Trusted Filter plugin, which uses a command-line interface.
In addition to better documentation, better security review and penetration testing are also needed to detect future vulnerabilities, according to the Intel presentation here. Encryption of all OpenStack APIs is also recommended in the document.
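One concrete way to check the TLS point Bryce and Payne raise, and the "encrypt all APIs" recommendation above, is to audit the service catalog that Keystone returns with a token and flag any endpoint that is not served over HTTPS. The script below is an added illustration, not code from the article or from the OpenStack project; the catalog is a constructed sample that follows the Keystone v3 token-response layout (token.catalog[].endpoints[]), and the hostnames are placeholders.

```python
import json
from urllib.parse import urlparse

# Constructed sample of a Keystone v3 token response's service catalog
# (not captured from a real deployment). Shape follows the v3 API:
# token.catalog[] -> service with type/name, endpoints[] with interface/url.
SAMPLE_CATALOG = json.dumps({
    "token": {
        "catalog": [
            {"type": "identity", "name": "keystone", "endpoints": [
                {"interface": "public", "region": "RegionOne",
                 "url": "http://controller.example.test:5000/v3"},
                {"interface": "admin", "region": "RegionOne",
                 "url": "https://controller.example.test:35357/v3"},
            ]},
            {"type": "network", "name": "neutron", "endpoints": [
                {"interface": "public", "region": "RegionOne",
                 "url": "http://controller.example.test:9696/"},
            ]},
        ]
    }
})


def find_plaintext_endpoints(token_response_json):
    """Return (service_type, interface, url) for every endpoint whose URL
    is not served over TLS. Passwords sent to a plaintext identity endpoint,
    and tokens sent to any plaintext API endpoint, cross the wire in clear."""
    catalog = json.loads(token_response_json)["token"]["catalog"]
    findings = []
    for service in catalog:
        for ep in service.get("endpoints", []):
            scheme = urlparse(ep["url"]).scheme.lower()
            if scheme != "https":
                findings.append((service["type"], ep["interface"], ep["url"]))
    return findings


def identity_exposed(findings):
    """True if any identity (Keystone) endpoint is plaintext: the case where
    user passwords themselves, not just tokens, are exposed in transit."""
    return any(stype == "identity" for stype, _, _ in findings)


if __name__ == "__main__":
    hits = find_plaintext_endpoints(SAMPLE_CATALOG)
    for stype, iface, url in hits:
        print(f"non-TLS endpoint: {stype} ({iface}) {url}")
    if identity_exposed(hits):
        print("Keystone itself accepts credentials without TLS")
```

Against a real cloud, the catalog comes from the body of a v3 token request (the same JSON the client receives), so the check runs without any privileged access.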
Other gaps highlighted in the Intel presentation include high availability. To meet a goal of 99.7% virtual machine (VM) availability, OpenStack must have the ability to restart VMs automatically following a host failure and support live migration, which it does not do today.