Travis McPeak, OpenStack security project core team & security architect, IBM
Travis McPeak, OpenStack security project core team & security architect, IBM

The cloud can transform how your enterprise does business — poised to deliver improved reliability, flexibility, and performance. However, these benefits are all for nothing if you shift to a cloud environment and your company's confidential data is compromised.

For organisations thinking about a move to the cloud, security is the number one concern. In fact, a survey from Hytrust found that such worry is holding business and IT professionals back from a cloud migration.

To alleviate such concerns and provide a secure solution for creating public and private cloud, the OpenStack community has multiple resources and safeguards in place. This includes a thriving community of some of the most well known users, IT vendors, and developers in the world — all of which are committed to securing OpenStack code.

As a result, hundreds of the world's largest brands rely on OpenStack to run their businesses every day, such as HMRC, Volkswagen, eBay, PayPal, and Walmart.

Tapping into the extensive knowledge of the OpenStack community, what are the five most commonly asked OpenStack security questions by users and technologists?

1.     Are open source projects easier targets for a breach?

There is no reason to believe that open source poses more risk than proprietary software. In 2006, the US Department of Homeland Security coordinated an initiative called, “Vulnerability Discovery and Remediation Open Source Hardening Project,” to assess emerging technologies for vulnerabilities. The research turned up approximately one security glitch for every 1,000 lines of code, supporting the IBM stance that open source software has significantly fewer code defects than commercial software. Also, providing public access to source code — keeping it open and available for review — means that bugs are found and fixed more quickly.

2.     How does the OpenStack community keep vulnerable code out of production?

Unlike many commercial cloud platforms, security for OpenStack is a collaborative effort among thousands of developers who work together to ensure that OpenStack provides a reliable and secure platform for public, private, and hybrid deployments. With a community so large and robust, it's important to have safeguards and support processes in place to help ensure that new code meets stringent security standards, throughout all layers from the operating system through applications of the stack.  

Three groups are focused on keeping vulnerable code out of production and actively pursuing security fixes:

  • The OpenStack Security Project: A security team of 250 members focuses on technical and governance activities and serves as a central point of contact for security issues. This group also issues Security Advisories (OSSA) and Security Notes (OSSN), both of which are aimed at OpenStack users and vendors who run OpenStack or distribute OpenStack for commercial use.
  • Project-specific security experts: Most critical OpenStack projects have their own core reviewers to ensure general releases contain secure code and coordinate patch development.  
  • Commercial OpenStack vendors: Companies that rely on OpenStack for their own cloud environments and/or commercial products have a vested interest in keeping OpenStack secure. They maintain dedicated security teams, and if any issues are uncovered, these teams engage with the OpenStack Security Project to collaborate on fixes that are shared with the OpenStack community via notes or new releases.

3.     Do OpenStack developers take security as seriously as our company?

It's imperative that OpenStack project developers have support and tools at their fingertips to write secure code. To provide developers with resources to do this, the OpenStack Security Project created a set of guidelines to help developers avoid common mistakes that can lead to security vulnerabilities. These guidelines have been widely adopted across the developer community. In addition, the OpenStack Security Project manages three tools to help address security issues:

  • Bandit: A stand-alone tool that can be run against source code. Created as a security liner for Python source code.
  • Syntribos: A tool in development that automatically detects security issues in OpenStack RESTful APIs and services.
  • Anchor: An ephemeral PKI certification system that users automated issuing rules and short life certificates to mitigate common certificate security issues.

4.     Who can help our organisation deploy OpenStack?

A good place to start is the OpenStack Marketplace, where you can easily search products, services, and distributors available in your area. All OpenStack developers, whether in-house or commercial, should follow the OpenStack Operations Guide, which offers experience from operators who have run OpenStack in production for six months or longer, as well as the OpenStack Security Guide—written by a group of security experts.

5.     If there is a security issue, how do we get patches and updates?

Typically, patches are tested and distributed by your distributor, which are accelerated as needed for security fixes that fall in between OpenStack's major releases, which occur twice a year. You can also download immediate fixes from the appropriate project's repository, ensuring that urgent security matters are fixed as quickly as possible.     

Security through community

With security threats constantly evolving, being part of a network of thousands of developers — who share potential vulnerabilities and associated patches — provides security peace of mind for enterprises. It's a community committed to improving the security and quality of the OpenStack cloud for all involved.

Contributed by Travis McPeak, OpenStack security project core team & security architect, IBM