RACKSPACE PRIVATE CLOUD 12.2 SECURITY HARDENING
RACKSPACE PRIVATE CLOUD

September 2016

RACKSPACE PRIVATE CLOUD :: WHITE PAPER :: RACKSPACE PRIVATE CLOUD 12.2 SECURITY HARDENING

TABLE OF CONTENTS

INTRODUCTION ... 3
SECURITY HARDENING CHALLENGES ... 3
Is automated security the magic bullet? ... 3
RACKSPACE PRIVATE CLOUD 12.2 SECURITY HARDENING OVERVIEW ... 3
Powered by OpenStack-Ansible ... 4
RPC 12.2 SECURITY HARDENING BENEFITS ... 4
More resources ... 5
ABOUT RACKSPACE ... 6


INTRODUCTION

For many organizations, security hardening means balancing performance with security tasks. At the same time, organizations have to make sure that the effort put into hardening security doesn’t break another piece of the environment. Losing focus on security can lead to regulatory consequences or public relations nightmares.

Rackspace Private Cloud 12.2 (RPC 12.2) introduces a number of security-hardening measures designed to address the complexities of securing private clouds with highly customizable, automated security controls to serve both the stringent compliance-driven requirements of enterprises and the performance demands of business-critical applications.

SECURITY HARDENING CHALLENGES

Applying security configurations to any system requires careful consideration of each change. While some changes reduce risk, they can cause performance or availability problems in a production environment. As an example, the Security Technical Implementation Guide (STIG) requires administrators to disable IPv6 networking and suspend hosts that can’t write audit logs due to a full disk. Both changes have security benefits, but can be highly disruptive in certain environments.

Reviewing the security merits of each change against the impacts to production requires security professionals and system administrators to combine their experience and expertise. Many compliance programs, such as PCI DSS, require companies to apply industry-accepted hardening standards to servers. This is not a one-time activity. Maintaining hardened systems over time requires careful attention to configuration changes and system alerts. This work often conflicts with the strategic, revenue-generating activities of an organization.

Is automated security the magic bullet?

Automated security controls provide the scalable, repeatable security improvements that organizations need so they can focus on increasing revenue. Still, system administrators have several demands for security changes in production environments:

• They must reduce risk and thwart common attacks.

• Implementing the changes should be easy.

• Maintaining them over time should not be time-consuming.

• Production environments cannot be disrupted.

• Changes should be open, transparent and tested.

The latest version of Rackspace Private Cloud takes security hardening to the next level with automated security controls that reduce risk without becoming a burden on system administrators.

RACKSPACE PRIVATE CLOUD 12.2 SECURITY HARDENING OVERVIEW

Rackspace Private Cloud 12.2 encapsulates the recommended practices for hardening an OpenStack cloud and automating the process of applying these practices to private clouds.

The new, optional security hardening role in RPC 12.2 provides increased security for the host operating system and many common services running on the host. The controls are based on the widely accepted Security Technical Implementation Guide (STIG) that the United States government uses to secure sensitive systems. All of the controls are automatically applied as part of the RPC deployment.

The STIG covers a wide variety of security improvements throughout a Linux system. It includes controls for user authentication, service management and kernel tuning. These controls reduce the chances of a successful attack and also decrease the attacker’s ability to move laterally if they are successful. System call auditing and file integrity monitoring provide actionable alerts for system administrators when suspicious activity occurs.

Each control has been carefully reviewed to determine if it could cause a problem within an OpenStack cloud. Any controls that could disrupt a virtual machine or an OpenStack service have been adjusted or thoroughly documented as an exception. This ensures that you get all of the security benefits of each control without any impact to your cloud.


Powered by OpenStack-Ansible

OpenStack-Ansible, an open source project in the OpenStack ecosystem, is under the hood of every RPC deployment. One of the roles within the project, OpenStack-Ansible security, applies over 200 security configurations in just a few minutes. The automation within the role was built and reviewed by OpenStack developers from various companies, including Rackspace.

RPC 12.2 SECURITY HARDENING BENEFITS

• Helps meet PCI DSS compliance requirements: The security configuration management tool helps you to meet PCI DSS 3.1 Requirement 2.2 that states: “Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards.”

• Auditor friendly: Audit mode can be used for testing or to validate compliance for auditing purposes. The setting lets you both demonstrate compliance and explain any exceptions.

• Extensively documented: Each configuration is documented and referenced back to the specific STIG guideline addressed. The documentation also explains exceptions and configuration adjustments for auditors, and allows you to make educated decisions on which security configuration changes to apply.

DOCUMENTATION:

V-38496: Default operating system accounts, other than root, must be locked. (Configuration requirement from the STIG)

Disabling authentication for default system accounts makes it more difficult for attackers to make use of them to compromise a system.

Details: V-38496 in STIG Viewer. (Link to the STIG Viewer)

NOTES FOR DEPLOYERS: (Auditors want to see these, too)

Exception

The Ansible tasks will check for default system accounts (other than root) that are not locked. The tasks won't take any action, however, because any action could cause authorized users to be unable to access the system. However, if any unlocked default system accounts are found, the playbook will fail with an error message until the user accounts are locked.

Deployers who intentionally want to skip this step should use: --skip-tags V-38946 to avoid a playbook failure on this check.

Deployers are urged to audit the accounts on their systems and lock any users that don't need to log in via consoles or via ssh.

• Easy to use: At launch, hundreds of security configuration settings are available to you. See the complete list here. All settings can be easily adjusted to align with your security needs with minimal disruption.

• Backed by experts: Run your workloads backed by a team of experts who manage the world’s largest OpenStack-powered cloud. We were an integral part of setting the community standard for deploying OpenStack with Ansible and know best how to run and operate it. We also offer a comprehensive training curriculum and a suite of enablement services to help you become an expert too.

[Figure: Rackspace Private Cloud reference architecture. External networks feed redundant firewalls and redundant load balancers into the control plane (Nova, Glance, Keystone, Neutron, Cinder and Heat APIs; Horizon; RabbitMQ; Swift Proxy; MariaDB/Galera), connected over redundant 10GB network switches with bonded interfaces (bond0/bond1). Also shown: a logging server (Logstash, ElasticSearch, Kibana), Compute #X hosting instances, Swift storage #X, and Storage #X backends (native Cinder, Ceph RBD, EMC VNX2, NetApp FAS), spanning the public, management, VM and storage replication networks.]


• We deliver Fanatical Support® for the world's leading clouds — it's the specialized expertise and 24x7x365, results-obsessed customer service that’s been a part of our DNA since 1999. Rackspace proactively monitors and maintains the health of your private cloud, and offers the following service level agreements:

- 15-minute live response time guarantee to any emergency ticket with Core support.

- 100% network uptime guarantee and one-hour hardware replacement at no cost when hosted in a Rackspace data center.

- Industry-leading 99.99% OpenStack API Uptime Guarantee.
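The V-38496 check described in the documentation excerpt above, written out in plain Python as an added example (this is not the OpenStack-Ansible security role's own code): it parses /etc/passwd- and /etc/shadow-style text, lists the non-root system accounts that still accept a password, and either reports them (audit mode) or fails the run, as the playbook does. The UID threshold, the root exemption and the "!"/"*" lock markers are assumptions, and the account data is constructed.

```python
# Added example, not code from the OpenStack-Ansible security role: an audit
# check modelled on the V-38496 behaviour. Assumption: system accounts have
# UIDs below SYSTEM_UID_MAX (UID_MIN is 1000 on Ubuntu-style systems).
SYSTEM_UID_MAX = 1000  # assumption: matches UID_MIN in /etc/login.defs

def parse_passwd(text):
    """Map user name -> numeric UID from /etc/passwd-style text."""
    users = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            name, _pw, uid, *_rest = line.split(":")
            users[name] = int(uid)
    return users

def parse_shadow(text):
    """Map user name -> hashed password field from /etc/shadow-style text."""
    return {l.split(":")[0]: l.split(":")[1] for l in text.splitlines() if l.strip()}

def is_locked(pw_field):
    # "!" or "*" disables password login; an empty field means NO password is needed.
    return pw_field.startswith(("!", "*"))

def unlocked_system_accounts(passwd_text, shadow_text):
    """Names of non-root system accounts that still accept a password."""
    users, hashes = parse_passwd(passwd_text), parse_shadow(shadow_text)
    return sorted(n for n, uid in users.items()
                  if n != "root" and uid < SYSTEM_UID_MAX
                  and not is_locked(hashes.get(n, "")))

def check_v38496(passwd_text, shadow_text, audit_mode=True):
    """Audit mode only reports; otherwise fail the run, as the playbook does."""
    findings = unlocked_system_accounts(passwd_text, shadow_text)
    if findings and not audit_mode:
        raise RuntimeError("V-38496: unlocked system accounts: " + ", ".join(findings))
    return findings

# Constructed sample data, not taken from a real host.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
nova:x:999:999::/var/lib/nova:/bin/false
alice:x:1000:1000::/home/alice:/bin/bash
"""
SAMPLE_SHADOW = """root:$6$salt$hash:17400:0:99999:7:::
daemon:*:17400:0:99999:7:::
backup:$6$salt$hash:17400:0:99999:7:::
nova::17400:0:99999:7:::
alice:$6$salt$hash:17400:0:99999:7:::
"""
if __name__ == "__main__":
    print(check_v38496(SAMPLE_PASSWD, SAMPLE_SHADOW))  # ['backup', 'nova']
```

In the sample, daemon is locked, alice is a regular user above the threshold and root is exempt, so only backup (has a usable hash) and nova (empty password field) are reported.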

Adopting or upgrading to Rackspace Private Cloud 12.2 can help you meet both internal and external security requirements more quickly, with less cost and reduced effort, while boosting your confidence in the security of your systems. If your environment is exposed to the internet or subject to PCI DSS or other compliance regulations, consider applying this hardened configuration. We recommend that you test this role and any related configuration changes in a non-production environment first.

More resources:

• For a nuts and bolts look at Rackspace Private Cloud 12.2, read our Deep Dive blog here: http://blog.rackspace.com/rackspace-private-cloud-openstack-reference-architecture/

FREE STRATEGY SESSION

To turn on the security hardening feature, to make configuration setting changes to secure your private cloud environment, or to discuss your private cloud strategy, contact a Private Cloud Architect at go.rackspace.com/OpenStackExperts


September 27, 2016

ABOUT RACKSPACE

Rackspace (NYSE: RAX), the #1 managed cloud company, helps businesses tap the power of cloud computing without the challenge and expense of managing complex IT infrastructure and application platforms on their own. Rackspace engineers deliver specialized expertise on top of leading technologies developed by OpenStack®, Microsoft®, VMware® and others, through a results-obsessed service known as Fanatical Support®.

Learn more at www.rackspace.com or call us at 1-844-205-7765.

© 2016 Rackspace US, Inc.

This whitepaper is provided “AS IS” and is a general introduction to the service described. You should not rely solely on this whitepaper to decide whether to purchase the service. Features, benefits and/or pricing presented depend on system configuration and are subject to change without notice. Rackspace disclaims any representation, express or implied warranties, including any implied warranty of merchantability, fitness for a particular purpose, and non-infringement, or other commitment regarding its services except for those expressly stated in a Rackspace services agreement. This document is a general guide and is not legal advice, or an instruction manual. Your implementation of the measures described may not result in your compliance with law or other standard. This document may include examples of solutions that include non-Rackspace products or services. Except as expressly stated in its services agreements, Rackspace does not support, and disclaims all legal responsibility for, third party products and services. Unless otherwise agreed in a Rackspace service agreement, you must work directly with third parties to obtain their products and services and related support under separate legal terms between you and the third party.

Rackspace cannot guarantee the accuracy of any information presented after the date of publication.

Rackspace®, Fanatical Support® and other Rackspace marks are service marks or registered services of Rackspace US, Inc. and are registered in the United States and other countries. Other Rackspace or third party trademarks, service marks, images, products and brands remain the sole property of their respective holders and do not imply endorsement or sponsorship.
