© 2012 IBM Corporation
OpenStack Security Update
for CIS 2013
Henry Nash
OpenStack Keystone Core Committer
IBM (CSI) OpenStack Tech Lead
henry.nash@uk.ibm.com
Agenda
•  What is OpenStack and who is adopting it?
•  Introduction to OpenStack and its API flow
•  API protection in OpenStack
•  What’s coming next in OpenStack
The OpenStack Goal
“Our goal is to produce the ubiquitous Open Source cloud
computing platform that will meet the needs of public and
private cloud providers regardless of size, by being simple to
implement and massively scalable.”
•  Open Source (Apache 2.0 license)
•  “Linux of the datacentre”, avoid vendor lock-in, maintain
workload portability
•  Build a great engine, packagers will build a great car (think
Linux vs RHEL/SUSE)
History and Releases
•  Founded in 2010 as an open source project by Rackspace and NASA
•  Now managed by an open foundation
•  7 releases so far, bi-yearly
•  Most common release in production: Folsom (09/2012)
•  Latest release: Grizzly (04/2013)
•  Next release: Havana (09/2013)
•  Each release:
   –  new version of the existing core projects
   –  new core projects are released
   –  overall architectural picture might change
Community with exponential growth
OpenStack is a global collaboration of developers & cloud computing
technologists working to produce a ubiquitous Infrastructure as a Service
(IaaS) open source cloud computing platform for public & private clouds.
Ecosystem size:
•  Cumulative contributors: 859
•  Avg monthly contributors: 238
•  Patches merged in Q4 2012: 3,241
•  Companies: 165
•  Individual members: 8,204
Who’s using OpenStack?
PayPal Uses OpenStack
•  Processed more than $26,000 in mobile
payments every minute in 2012
•  OpenStack runs thousands of VMs to
support their self-service developer
model
•  Internal team manages deployment and
operations, using OpenStack Compute,
Storage & Shared Services
“We needed agility without
sacrificing availability. By
leveraging the collective
innovation of the OpenStack
community, we can develop
and grow our private cloud
much quicker without having
to reinvent anything.”
Saran Mandair, senior director of
PayPal infrastructure engineering
CERN Uses OpenStack
•  Large Hadron Collider tracks 4 million
collisions/sec, out of which it selects
200 complex images to store/sec
•  Building out a 50,000 core OpenStack
farm to handle
“We record 40 Mbytes per
second each 6 months,
adding to the currently store
of around 140 PB today”
Randall Sonie, research scientist,
University of Victoria
Why are IBM involved?
It’s the right model:
•  For companies to truly bet their business on
cloud, it has to be open
•  Hypervisor agnosticism allows best choice
of virtualization technology for the task
(and likely more than one choice needed)
•  An IaaS that enables the hypervisor owners
to maintain the currency of support for
their hypervisor
It enables easier delivery of the higher
value components and services:
•  Deployment and lifecycle management of
middleware and application patterns
•  Image lifecycle management
•  Orchestration
•  IBM Products where you can see this in
action already:
•  SmartCloud Orchestrator
[Diagram: layered service stack, top to bottom]
•  Orchestration Services
•  Platform Level Services (Image Lifecycle Mgmt) (Pattern Services)
•  Infrastructure Level Services (Provisioning, configuration, resource
allocation, security, metering, etc.)
•  Cloud Resources: Storage, Compute, Network
•  Alongside the stack: Operational Extensions (APIs) and Development Extensions (Tooling)
http://www-03.ibm.com/software/products/us/en/smartcloud-orchestrator/
OpenStack Cloud Platform
Code available under Apache 2.0 license. Design tenets
– scale & elasticity, share nothing & distribute everything
OpenStack projects – conceptual architecture
[Diagram: the core projects and the API calls between them]
•  nova – Compute
•  swift – Object Store
•  glance – Image Library
•  cinder – Block Storage
•  keystone – Identity
•  horizon – Dashboard (provides sample UI; reference implementation of API usage)
•  quantum – Network
Relationships labelled in the diagram:
•  use authentication service via API
•  use API to store image files
•  use API to manage images
•  use API for volumes for instances
•  use API for network connectivity for instances
Other diagram labels: IaaS; New with Folsom release
OpenStack API Protection – Summary View
OpenStack Tokens
•  These are “bearer” tokens
   –  i.e. “if you have one, I won’t ask how you got it and will honor it”
•  Obtained by asking keystone for a certain “scope”
   –  e.g. “Get me a token for working with project X”
•  Expiration set by system (default 24 hours)
   –  …making this a small number (e.g. minutes) doesn’t work well
•  Can be revoked if things change
   –  e.g. user is disabled, roles are unassigned
•  Can be encrypted (pki) and stored client side to save server
round trips for token validation
   –  Recommended for performance
OpenStack Roles & Assignments
•  “Roles” are simply names that are globally unique (within a
keystone instance)
   –  They are the “shared secret” between a role-assignment in keystone
and a rule in the policy files owned by each of the projects
•  “Role assignments” (used to be called “grants”) are what gives
a user a role on a target object
   –  e.g. Give “Henry” the role “Tea-maker” on project “Test”
   –  Only two object types supported – domains and projects
   –  Role assignments always have a target object
   –  i.e. you can’t just say: Give “Henry” the role “Tea-maker”
   –  There is no generic “super user” role that you can give a user
   –  …although individual projects have their own way of providing some
kind of by-pass to API protection
OpenStack Domains and Projects
•  “Projects” encapsulate a set of infrastructure resources
   –  e.g. images, storage, VMs etc.
   –  In earlier versions of OpenStack users were (sort of) members of
projects
•  “Domains” are an administrative encapsulation
   –  i.e. users, groups and projects
   –  Often mapped to a customer in a public or shared private cloud
   –  Only Keystone is really domain-aware
   –  …although this might change in the future (e.g. images that are domain-wide)
   –  Domains only supported from Grizzly release onwards
API Protection - Guidelines
•  Two classes of APIs to protect
   –  Regular projects (nova, glance, cinder etc.)
   –  Keystone identity administration
   –  Both use roles and policy files
   –  One policy file per project (including keystone)
•  Two types of cloud operational models
   –  Central control – where all admin is done by cloud provider
   –  Delegated control – where you want to delegate some of the
management
   –  E.g. the owner of a domain can manage their own users and groups
API Protection – Guidelines – Policy File is Key
"admin_required": [["role:admin"], ["is_admin:1"]],
"owner": [["user_id:%(user_id)s"]],
"member": [["project_id:%(project_id)s"]],
"admin_or_owner": [["rule:admin_required"], ["rule:owner"]],
"admin_or_member": [["rule:admin_required"], ["rule:member"]],
"identity:get_domain": [["rule:admin_required"]],
"identity:list_domains": [["rule:admin_required"]],
"identity:create_domain": [["rule:admin_required"]],
"identity:update_domain": [["rule:admin_required"]],
"identity:delete_domain": [["rule:admin_required"]],
"identity:get_project": [["rule:admin_or_member"]],
"identity:list_projects": [["rule:admin_required"]],
"identity:list_user_projects": [["rule:admin_or_owner"]],
……
…..
Example extract from a simple, central control, keystone policy file
API Protection – Guidelines – Policy Files
•  Delegated Control involves more complex planning and
subsequent rules in the policy file
   –  Most delegated rules center around use of domain_id, e.g.
"identity:create_project": [["rule:admin_required"], ["domain_id:%(project.domain_id)s"]],
•  However, reality is that Grizzly has a number of holes in its
ability to easily delegate management
   –  Policy checking can only compare what’s in the token with what’s in the
API call
   –  Works well for creating an object
   –  Doesn’t work for, say, deleting an object – since there is no domain_id
referenced in the API call
   –  Improvements coming in Havana….
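The delegation gap described above, as an added example (not code from the slides or from Keystone): a small evaluator for the slide's list-of-lists rule format, run on constructed tokens and API calls. The `identity:delete_project_target` rule, its `target.project.domain_id` key and the `delete_target` helper are assumptions used to illustrate a check on the target of the operation.

```python
"""Evaluator for the list-of-lists policy rule format shown on the slides.

Added illustration, not Keystone's policy engine. All tokens, projects and
API calls below are constructed sample data.
"""

# Outer list = OR, inner list = AND.
POLICY = {
    "admin_required": [["role:admin"], ["is_admin:1"]],
    # Delegated-control rule from the slide: cloud admin, or a token whose
    # domain_id equals the domain_id carried in the API call.
    "identity:create_project": [["rule:admin_required"],
                                ["domain_id:%(project.domain_id)s"]],
    # Same pattern applied to delete, to show the gap the slide describes.
    "identity:delete_project": [["rule:admin_required"],
                                ["domain_id:%(project.domain_id)s"]],
    # Hypothetical target-aware rule (key name is an assumption): the service
    # loads the stored project and exposes its attributes to the policy check.
    "identity:delete_project_target": [["rule:admin_required"],
                                       ["domain_id:%(target.project.domain_id)s"]],
}

# Constructed backend state and token contents.
STORED_PROJECTS = {"p-123": {"domain_id": "d-acme"},
                   "p-999": {"domain_id": "d-other"}}
CLOUD_ADMIN = {"user_id": "u-admin", "roles": ["admin"]}
DOMAIN_ADMIN = {"user_id": "u-henry", "roles": ["domain_manager"],
                "domain_id": "d-acme"}


def _check(check, creds, target, policy):
    kind, _, match = check.partition(":")
    if kind == "rule":
        return enforce(match, creds, target, policy)
    if kind == "role":
        return match.lower() in (r.lower() for r in creds.get("roles", []))
    # Generic check: fill the right-hand side from the API call, then compare
    # it with the token attribute named on the left-hand side.
    try:
        expected = match % target
    except KeyError:
        return False  # the call does not carry the referenced attribute
    return kind in creds and str(creds[kind]) == expected


def enforce(action, creds, target, policy=POLICY):
    rule = policy.get(action)
    if rule is None:
        return False  # this example denies actions that have no rule
    if not rule:
        return True   # an empty rule list means "always allow" in this format
    return any(all(_check(c, creds, target, policy) for c in and_list)
               for and_list in rule)


def delete_target(project_id):
    """Hypothetical helper: build a target from the stored object, not the call."""
    project = STORED_PROJECTS[project_id]
    return {"project_id": project_id,
            "target.project.domain_id": project["domain_id"]}


def demo():
    create_own = {"project.domain_id": "d-acme", "project.name": "Test"}
    create_other = {"project.domain_id": "d-other", "project.name": "Test"}
    delete_call = {"project_id": "p-123"}  # a delete call names only the object
    return {
        "create in own domain": enforce(
            "identity:create_project", DOMAIN_ADMIN, create_own),
        "create in another domain": enforce(
            "identity:create_project", DOMAIN_ADMIN, create_other),
        "delete own project (call only)": enforce(
            "identity:delete_project", DOMAIN_ADMIN, delete_call),
        "delete as cloud admin": enforce(
            "identity:delete_project", CLOUD_ADMIN, delete_call),
        "delete own project (target-aware)": enforce(
            "identity:delete_project_target", DOMAIN_ADMIN, delete_target("p-123")),
        "delete other domain's project (target-aware)": enforce(
            "identity:delete_project_target", DOMAIN_ADMIN, delete_target("p-999")),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5}  {case}")
```

Note that the slide's create rule, as written, admits any token scoped to the matching domain regardless of role, because the two inner lists are alternatives.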
What’s coming in Havana (no guarantees…)
•  Token Provider Interface
   –  Lets companies use their own token generators, although within the
same keystone API constructs
•  OAuth2 Delegation Extension
   –  Use OAuth2 to allow a consumer delegation of particular roles on
behalf of a user
•  Keystone identity backend split
   –  Store your users & groups in a corporate LDAP, but your role-assignments
somewhere else (e.g. Keystone SQL)
•  Projects can inherit roles from domain (Extension)
   –  Designed to better support the management split between cloud
provider administrator (who sets up domains) and customer
administrator (who manages within a domain)
What’s coming in Havana (no guarantees…)
•  Enhanced policy file capabilities for keystone
   –  Allows check on target of operation (e.g. useful for update/delete
operations)
   –  Enables true separation of management between cloud provider and a
domain administrator

OpenStack Workshop - WECode Harvard Conference
 
China user group keynote
China user group keynoteChina user group keynote
China user group keynote
 

Más de CloudIDSummit

CIS 2016 Content Highlights
CIS 2016 Content HighlightsCIS 2016 Content Highlights
CIS 2016 Content HighlightsCloudIDSummit
 
Top 6 Reasons You Should Attend Cloud Identity Summit 2016
Top 6 Reasons You Should Attend Cloud Identity Summit 2016Top 6 Reasons You Should Attend Cloud Identity Summit 2016
Top 6 Reasons You Should Attend Cloud Identity Summit 2016CloudIDSummit
 
CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...
CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...
CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...CloudIDSummit
 
Mobile security, identity & authentication reasons for optimism 20150607 v2
Mobile security, identity & authentication   reasons for optimism 20150607 v2Mobile security, identity & authentication   reasons for optimism 20150607 v2
Mobile security, identity & authentication reasons for optimism 20150607 v2CloudIDSummit
 
CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...
CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...
CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...CloudIDSummit
 
CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...
CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...
CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...CloudIDSummit
 
CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...
CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...
CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...CloudIDSummit
 
CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...
CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...
CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...CloudIDSummit
 
CIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian Puhl
CIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian PuhlCIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian Puhl
CIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian PuhlCloudIDSummit
 
CIS 2015 IoT and IDM in your Mobile Enterprise - Brian Katz
CIS 2015 IoT and IDM  in your Mobile Enterprise - Brian KatzCIS 2015 IoT and IDM  in your Mobile Enterprise - Brian Katz
CIS 2015 IoT and IDM in your Mobile Enterprise - Brian KatzCloudIDSummit
 
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...CloudIDSummit
 
CIS 2015 What I Learned From Pitching IAM To My CIO - Steve Tout
CIS 2015 What I Learned From Pitching IAM To My CIO - Steve ToutCIS 2015 What I Learned From Pitching IAM To My CIO - Steve Tout
CIS 2015 What I Learned From Pitching IAM To My CIO - Steve ToutCloudIDSummit
 
CIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CIS 2015 How to secure the Internet of Things? Hannes TschofenigCIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CIS 2015 How to secure the Internet of Things? Hannes TschofenigCloudIDSummit
 
CIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John Dasilva
CIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John DasilvaCIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John Dasilva
CIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John DasilvaCloudIDSummit
 
CIS 2015 Session Management at Scale - Scott Tomilson & Jamshid Khosravian
CIS 2015  Session Management at Scale - Scott Tomilson & Jamshid KhosravianCIS 2015  Session Management at Scale - Scott Tomilson & Jamshid Khosravian
CIS 2015 Session Management at Scale - Scott Tomilson & Jamshid KhosravianCloudIDSummit
 
CIS 2015 So you want to SSO … Scott Tomilson & John Dasilva
CIS 2015 So you want to SSO … Scott Tomilson & John DasilvaCIS 2015 So you want to SSO … Scott Tomilson & John Dasilva
CIS 2015 So you want to SSO … Scott Tomilson & John DasilvaCloudIDSummit
 
CIS 2015 Identity Relationship Management in the Internet of Things
CIS 2015 Identity Relationship Management in the Internet of ThingsCIS 2015 Identity Relationship Management in the Internet of Things
CIS 2015 Identity Relationship Management in the Internet of ThingsCloudIDSummit
 
CIS 2015 The Ethics of Personal Data - Robin Wilton
CIS 2015 The Ethics of Personal Data - Robin WiltonCIS 2015 The Ethics of Personal Data - Robin Wilton
CIS 2015 The Ethics of Personal Data - Robin WiltonCloudIDSummit
 
CIS 2015 What’s next? Discovery, Dynamic Registration, Mobile Connect and mor...
CIS 2015 What’s next? Discovery, Dynamic Registration, Mobile Connect and mor...CIS 2015 What’s next? Discovery, Dynamic Registration, Mobile Connect and mor...
CIS 2015 What’s next? Discovery, Dynamic Registration, Mobile Connect and mor...CloudIDSummit
 
DIRECTORY CIS 2015 - Eric Fazendin
DIRECTORY CIS 2015 - Eric FazendinDIRECTORY CIS 2015 - Eric Fazendin
DIRECTORY CIS 2015 - Eric FazendinCloudIDSummit
 

Más de CloudIDSummit (20)

CIS 2016 Content Highlights
CIS 2016 Content HighlightsCIS 2016 Content Highlights
CIS 2016 Content Highlights
 
Top 6 Reasons You Should Attend Cloud Identity Summit 2016
Top 6 Reasons You Should Attend Cloud Identity Summit 2016Top 6 Reasons You Should Attend Cloud Identity Summit 2016
Top 6 Reasons You Should Attend Cloud Identity Summit 2016
 
CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...
CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...
CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...
 
Mobile security, identity & authentication reasons for optimism 20150607 v2
Mobile security, identity & authentication   reasons for optimism 20150607 v2Mobile security, identity & authentication   reasons for optimism 20150607 v2
Mobile security, identity & authentication reasons for optimism 20150607 v2
 
CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...
CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...
CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...
 
CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...
CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...
CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...
 
CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...
CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...
CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...
 
CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...
CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...
CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...
 
CIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian Puhl
CIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian PuhlCIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian Puhl
CIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian Puhl
 
CIS 2015 IoT and IDM in your Mobile Enterprise - Brian Katz
CIS 2015 IoT and IDM  in your Mobile Enterprise - Brian KatzCIS 2015 IoT and IDM  in your Mobile Enterprise - Brian Katz
CIS 2015 IoT and IDM in your Mobile Enterprise - Brian Katz
 
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...
 
CIS 2015 What I Learned From Pitching IAM To My CIO - Steve Tout
CIS 2015 What I Learned From Pitching IAM To My CIO - Steve ToutCIS 2015 What I Learned From Pitching IAM To My CIO - Steve Tout
CIS 2015 What I Learned From Pitching IAM To My CIO - Steve Tout
 
CIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CIS 2015 How to secure the Internet of Things? Hannes TschofenigCIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CIS 2015 How to secure the Internet of Things? Hannes Tschofenig
 
CIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John Dasilva
CIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John DasilvaCIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John Dasilva
CIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John Dasilva
 
CIS 2015 Session Management at Scale - Scott Tomilson & Jamshid Khosravian
CIS 2015  Session Management at Scale - Scott Tomilson & Jamshid KhosravianCIS 2015  Session Management at Scale - Scott Tomilson & Jamshid Khosravian
CIS 2015 Session Management at Scale - Scott Tomilson & Jamshid Khosravian
 
CIS 2015 So you want to SSO … Scott Tomilson & John Dasilva
CIS 2015 So you want to SSO … Scott Tomilson & John DasilvaCIS 2015 So you want to SSO … Scott Tomilson & John Dasilva
CIS 2015 So you want to SSO … Scott Tomilson & John Dasilva
 
CIS 2015 Identity Relationship Management in the Internet of Things
CIS 2015 Identity Relationship Management in the Internet of ThingsCIS 2015 Identity Relationship Management in the Internet of Things
CIS 2015 Identity Relationship Management in the Internet of Things
 
CIS 2015 The Ethics of Personal Data - Robin Wilton
CIS 2015 The Ethics of Personal Data - Robin WiltonCIS 2015 The Ethics of Personal Data - Robin Wilton
CIS 2015 The Ethics of Personal Data - Robin Wilton
 
CIS 2015 What’s next? Discovery, Dynamic Registration, Mobile Connect and mor...
CIS 2015 What’s next? Discovery, Dynamic Registration, Mobile Connect and mor...CIS 2015 What’s next? Discovery, Dynamic Registration, Mobile Connect and mor...
CIS 2015 What’s next? Discovery, Dynamic Registration, Mobile Connect and mor...
 
DIRECTORY CIS 2015 - Eric Fazendin
DIRECTORY CIS 2015 - Eric FazendinDIRECTORY CIS 2015 - Eric Fazendin
DIRECTORY CIS 2015 - Eric Fazendin
 

Último

VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXTarek Kalaji
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...Aggregage
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Brian Pichman
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPathCommunity
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6DianaGray10
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAshyamraj55
 
Building AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxBuilding AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxUdaiappa Ramachandran
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UbiTrack UK
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesMd Hossain Ali
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...DianaGray10
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioChristian Posta
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1DianaGray10
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdfPedro Manuel
 
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfJamie (Taka) Wang
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024SkyPlanner
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IES VE
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxGDSC PJATK
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostMatt Ray
 

Último (20)

VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBX
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation Developers
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
 
Building AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxBuilding AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptx
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
 
20150722 - AGV
20150722 - AGV20150722 - AGV
20150722 - AGV
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
 
20230104 - machine vision
20230104 - machine vision20230104 - machine vision
20230104 - machine vision
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and Istio
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdf
 
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptx
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
 

CIS13: OpenStack API Security

  • 1. © 2012 IBM Corporation OpenStack Security Update for CIS 2013 Henry Nash OpenStack Keystone Core Committer IBM (CSI) OpenStack Tech Lead henry.nash@uk.ibm.com
  • 2. Agenda • What is OpenStack and who is adopting it? • Introduction to OpenStack and its API flow • API protection in OpenStack • What’s coming next in OpenStack
  • 3. Agenda • What is OpenStack and who is adopting it? • Introduction to OpenStack and its API flow • API protection in OpenStack • What’s coming next in OpenStack
  • 4. The OpenStack Goal “Our goal is to produce the ubiquitous Open Source cloud computing platform that will meet the needs of public and private cloud providers regardless of size, by being simple to implement and massively scalable.” • Open Source (Apache 2.0 license) • “Linux of the datacentre”, avoid vendor lock-in, maintain workload portability • Build a great engine, packagers will build a great car (think Linux vs RHEL/SUSE)
  • 5. History and Releases • Founded in 2010 as an open source project by Rackspace and NASA • Now managed by an open foundation • 7 releases so far, bi-yearly • Most common release in production: Folsom (09/2012) • Latest release: Grizzly (04/2013) • Next release: Havana (09/2013) • Each release → new version of the existing core projects → new core projects are released → overall architectural picture might change
  • 6. OpenStack is a global collaboration of developers & cloud computing technologists working to produce an ubiquitous Infrastructure as a Service (IaaS) open source cloud computing platform for public & private clouds. Community with exponential growth. [Figure: ecosystem size: 165 companies, 8,204 individual members; cumulative contributors: 859; average monthly contributors: 238; patches merged in Q4 2012: 3,241]
  • 7. Who’s using OpenStack?
  • 8. PayPal Uses OpenStack • Processed more than $26,000 in mobile payments every minute in 2012 • OpenStack runs thousands of VMs to support their self-service developer model • Internal team manages deployment and operations, using OpenStack Compute, Storage & Shared Services “We needed agility without sacrificing availability. By leveraging the collective innovation of the OpenStack community, we can develop and grow our private cloud much quicker without having to reinvent anything.” Saran Mandair, senior director of PayPal infrastructure engineering
  • 9. CERN Uses OpenStack • Large Hadron Collider tracks 4 million collisions/sec, out of which it selects 200 complex images to store/sec • Building out a 50,000 core OpenStack farm to handle “We record 40 Mbytes per second each 6 months, adding to the current store of around 140 PB today” Randall Sonie, research scientist, University of Victoria
  • 10. Why are IBM involved? It’s the right model: • For companies to truly bet their business on cloud, it has to be open • Hypervisor agnosticism allows best choice of virtualization technology for the task (and likely more than one choice needed) • An IaaS that enables the hypervisor owners to maintain the currency of support for their hypervisor It enables easier delivery of the higher value components and services: • Deployment and lifecycle management of middleware and application patterns • Image lifecycle management • Orchestration • IBM Products where you can see this in action already: • SmartCloud Orchestrator http://www-03.ibm.com/software/products/us/en/smartcloud-orchestrator/ [Diagram labels: Orchestration Services; Platform Level Services; Infrastructure Level Services; Operational Extensions (APIs); Development Extensions (Tooling); Image Lifecycle Mgmt; Pattern Services; Provisioning, configuration, resource allocation, security, metering, etc.; Cloud Resources: Storage, Compute, Network]
  • 11. Agenda • What is OpenStack and who is adopting it? • Introduction to OpenStack and its API flow • API protection in OpenStack • What’s coming next in OpenStack
  • 12. OpenStack Cloud Platform Code available under Apache 2.0 license. Design tenets – scale & elasticity, share nothing & distribute everything
  • 13. OpenStack projects – conceptual architecture [Diagram: nova (Compute), swift (Object Store), glance (Image Library), cinder (Block Storage), keystone (Identity), horizon (Dashboard), quantum (Network). Diagram labels: use authentication service via API; Provides sample UI; Reference implementation of API usage; use API to store image files; use API to manage images; use API for volumes for instances; use API for network connectivity for instances; IaaS; New with Folsom release]
  • 14. Agenda • What is OpenStack and who is adopting it? • Introduction to OpenStack and its API flow • API protection in OpenStack • What’s coming next in OpenStack
  • 15. OpenStack API Protection – Summary View
  • 16. OpenStack Tokens • These are “bearer” tokens • i.e. “if you have one, I won’t ask how you got it and will honor it” • Obtained by asking keystone for a certain “scope” • e.g. “Get me a token for working with project X” • Expiration set by system (default 24 hours) • …making this a small number (e.g. minutes) doesn’t work well • Can be revoked if things change • e.g. user is disabled, roles are unassigned • Can be encrypted (pki) and stored client side to save server round trips for token validation • Recommended for performance
  • 17. OpenStack Roles & Assignments • “Roles” are simply names that are globally unique (within a keystone instance) • They are the “shared secret” between a role-assignment in keystone and a rule in the policy files owned by each of the projects • “Role assignments” (used to be called “grants”) are what gives a user a role on a target object • e.g. Give “Henry” the role “Tea-maker” on project “Test” • Only two object types supported – domains and projects • Role assignments always have a target object • i.e. you can’t just say: Give “Henry” the role “Tea-maker” • There is no generic “super user” role that you can give a user • …although individual projects have their own way of providing some kind of by-pass to API protection
  • 18. OpenStack Domains and Projects • “Projects” encapsulate a set of infrastructure resources • e.g. images, storage, VMs etc. • In earlier versions of OpenStack users were (sort of) members of projects • “Domains” are an administrative encapsulation • i.e. users, groups and projects • Often mapped to a customer in a public or shared private cloud • Only Keystone is really domain-aware • …although this might change in the future (e.g. images that are domain-wide) • Domains only supported from Grizzly release onwards
  • 19. API Protection - Guidelines • Two classes of APIs to protect • Regular projects (nova, glance, cinder etc.) • Keystone identity administration • Both use roles and policy files • One policy file per project (including keystone) • Two types of cloud operational models • Central control – where all admin is done by cloud provider • Delegated control – where you want to delegate some of the management • E.g. the owner of a domain can manage their own users and groups
  • 20. API Protection – Guidelines – Policy File is Key. Example extract from a simple, central control, keystone policy file:
      "admin_required": [["role:admin"], ["is_admin:1"]],
      "owner" : [["user_id:%(user_id)s"]],
      "member" : [["project_id:%(project_id)s"]],
      "admin_or_owner": [["rule:admin_required"], ["rule:owner"]],
      "admin_or_member": [["rule:admin_required"], ["rule:member"]],
      "identity:get_domain": [["rule:admin_required"]],
      "identity:list_domains": [["rule:admin_required"]],
      "identity:create_domain": [["rule:admin_required"]],
      "identity:update_domain": [["rule:admin_required"]],
      "identity:delete_domain": [["rule:admin_required"]],
      "identity:get_project": [["rule:admin_or_member"]],
      "identity:list_projects": [["rule:admin_required"]],
      "identity:list_user_projects": [["rule:admin_or_owner"]],
      ……
  • 21. API Protection – Guidelines – Policy Files • Delegated Control involves more complex planning and subsequent rules in the policy file • Most delegated rules center around use of domain_id, e.g.
      "identity:create_project": [["rule:admin_required"], ["domain_id:%(project.domain_id)s"]],
    • However, reality is that Grizzly has a number of holes in its ability to easily delegate management • Policy checking can only compare what’s in the token with what’s in the API call • Works well for creating an object • Doesn’t work for, say, deleting an object – since there is no domain_id referenced in the API call • Improvements coming in Havana….
  • 22. Agenda • What is OpenStack and who is adopting it? • Introduction to OpenStack and its API flow • API protection in OpenStack • What’s coming next in OpenStack
  • 23. What’s coming in Havana (no guarantees…) • Token Provider Interface • Lets companies use their own token generators, although within the same keystone API constructs • OAuth2 Delegation Extension • Use OAuth2 to allow a consumer delegation of particular roles on behalf of a user • Keystone identity backend split • Store your users & groups in a corporate LDAP, but your role-assignments somewhere else (e.g. Keystone SQL) • Projects can inherit roles from domain (Extension) • Designed to better support the management split between cloud provider administrator (who sets up domains) and customer administrator (who manages within a domain)
  • 24. What’s coming in Havana (no guarantees…) • Enhanced policy file capabilities for keystone • Allows check on target of operation (e.g. useful for update/delete operations) • Enables true separation of management between cloud provider and a domain administrator
  • 25. OpenStack Security Update for CIS 2013 Henry Nash OpenStack Keystone Core Committer IBM (CSI) OpenStack Tech Lead henry.nash@uk.ibm.com
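
The policy evaluation described on slides 20 and 21, as an added example (not part of the original deck and not keystone's policy engine): a simplified Python model of the list-of-lists rule syntax, where the outer list is OR and each inner list is AND. The function names, the `domain_admin` role, the sample token credentials, the sample API calls and the reuse of the delegated rule for `identity:delete_project` are constructed assumptions.

```python
"""Simplified model of the list-of-lists policy rules shown in the deck.

Added example, not keystone's policy engine.
Outer list = OR of alternatives, inner list = AND of "kind:value" matches.
"""

# create_project is the delegated rule from slide 21. Applying the same rule
# to delete_project is an assumption made here to show the stated limitation.
POLICY = {
    "admin_required": [["role:admin"], ["is_admin:1"]],
    "identity:create_project": [["rule:admin_required"],
                                ["domain_id:%(project.domain_id)s"]],
    "identity:delete_project": [["rule:admin_required"],
                                ["domain_id:%(project.domain_id)s"]],
}


def flatten(obj, prefix=""):
    """Flatten a nested API call body into dotted keys (project.domain_id)."""
    flat = {}
    for key, value in obj.items():
        name = prefix + key
        if isinstance(value, dict):
            flat.update(flatten(value, name + "."))
        else:
            flat[name] = value
    return flat


def check_match(match, target, creds, policy, seen):
    """Evaluate one "kind:value" match against token creds and API target."""
    kind, _, value = match.partition(":")
    if kind == "rule":                      # reference to another named rule
        return enforce(value, target, creds, policy, seen)
    if kind == "role":                      # role carried in the token
        return value.lower() in {r.lower() for r in creds.get("roles", [])}
    try:
        expected = value % target           # fill %(...)s from the API call
    except (KeyError, TypeError, ValueError):
        return False                        # attribute not in the call: deny
    # Generic match: a token attribute must equal the value from the call.
    return kind in creds and str(creds[kind]) == expected


def enforce(action, target, creds, policy=POLICY, seen=frozenset()):
    """Return True if creds may perform action on target under policy."""
    if action not in policy or action in seen:
        return False                        # unknown rule or cycle: deny
    rule = policy[action]
    if not rule:
        return True                         # empty rule always passes
    seen = seen | {action}
    return any(
        all(check_match(m, target, creds, policy, seen) for m in and_list)
        for and_list in rule
    )


# Constructed token contents: a domain-scoped delegate and a cloud admin.
DOMAIN_ADMIN = {"user_id": "u-henry", "domain_id": "d-acme",
                "roles": ["domain_admin"]}
CLOUD_ADMIN = {"user_id": "u-root", "roles": ["admin"]}


def run_scenarios():
    """Run the create/delete cases from slide 21 and return the decisions."""
    create_own = flatten({"project": {"name": "Test", "domain_id": "d-acme"}})
    create_other = flatten({"project": {"name": "Test", "domain_id": "d-other"}})
    # A delete call carries only the project id, never the project's domain.
    delete_call = {"project_id": "p-123"}
    return {
        "create_own_domain": enforce(
            "identity:create_project", create_own, DOMAIN_ADMIN),
        "create_other_domain": enforce(
            "identity:create_project", create_other, DOMAIN_ADMIN),
        "delete_own_project": enforce(
            "identity:delete_project", delete_call, DOMAIN_ADMIN),
        "delete_as_cloud_admin": enforce(
            "identity:delete_project", delete_call, CLOUD_ADMIN),
    }


if __name__ == "__main__":
    for name, allowed in run_scenarios().items():
        print(f"{name}: {'ALLOW' if allowed else 'DENY'}")
```

The denied `delete_own_project` case is the gap slide 21 attributes to Grizzly: the rule needs the target project's domain_id, which the delete call never carries, so only the central admin passes.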