The course provides hands-on knowledge of the security aspects of OpenStack private and public clouds. It starts with an introduction to the platform, after which participants receive practical guidance on implementing security in the cloud.
Duration
- 16 hours divided into 2 to 4 days (remote or on-site)
Requirements
- basic (theoretical) knowledge of cloud computing concepts
- hands-on Linux administration knowledge
- basic cyber security knowledge
Training Content
1. Introduction to OpenStack
- History of OpenStack
- Cloud Types (Public, Private, Hybrid)
- OpenStack service overview
2. Security aspects in OpenStack
- Security domains
- Security threat classification
- OpenStack hardening according to Security Technical Implementation Guides (STIGs)
- Secure communication recommendations (TLS configuration, deprecated SSL versions, cipher and algorithm selection, TLS-terminating proxy mechanisms)
- OpenStack API endpoints
3. Keystone - identity service
- Keystone architecture
- Authentication methods
- Authorization and identity service providers
- Policies
- Tokens and Fernet keys
- Domains
- Keystone federation (external identity providers)
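The "Tokens and Fernet keys" topic is usually where the operational questions come up: what the staged key is for, why a token stops validating after some rotations, and how max_active_keys relates to token expiry. The following is an added illustration written for this outline, not Keystone's own code. It keeps the key repository in a dict instead of files under key_repository, and tags tokens with an HMAC instead of Fernet encryption so that it runs without the cryptography package; the rotation rules are the ones implemented by keystone-manage fernet_setup and fernet_rotate (index 0 is the staged key, the highest index is the primary, and max_active_keys bounds the repository size including the staged key). Function names and the sample payload are assumptions made for the example.

```python
"""Model of Keystone's Fernet key repository and rotation (illustration only)."""
import base64
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

TAG_LEN = 32  # bytes of HMAC-SHA256 appended to the payload


def new_key() -> bytes:
    """A 32-byte random key, the size of a Fernet key before base64 encoding."""
    return secrets.token_bytes(32)


def fernet_setup() -> Dict[int, bytes]:
    """Equivalent of keystone-manage fernet_setup: staged key 0 and primary key 1."""
    return {0: new_key(), 1: new_key()}


def primary_index(repo: Dict[int, bytes]) -> int:
    """The primary key is always the highest index in the repository."""
    return max(repo)


def fernet_rotate(repo: Dict[int, bytes], max_active_keys: int = 3) -> Dict[int, bytes]:
    """Equivalent of keystone-manage fernet_rotate; returns a new repository.

    1. the staged key (0) is promoted to primary under index max+1;
    2. a fresh staged key is written as 0;
    3. the oldest secondary keys are purged so that at most max_active_keys
       keys remain, the staged key included.
    """
    if max_active_keys < 2:
        raise ValueError("max_active_keys must leave room for a staged and a primary key")
    keys = dict(repo)
    keys[max(keys) + 1] = keys.pop(0)
    keys[0] = new_key()
    active = sorted(i for i in keys if i != 0)          # primary + secondaries
    excess = len(active) - (max_active_keys - 1)         # non-staged keys to drop
    for idx in active[:max(0, excess)]:
        del keys[idx]
    return keys


def key_order(repo: Dict[int, bytes]) -> List[int]:
    """Order Keystone hands keys to MultiFernet: primary, secondaries newest first, staged last."""
    return sorted((i for i in repo if i != 0), reverse=True) + [0]


def issue_token(repo: Dict[int, bytes], payload: bytes) -> bytes:
    """Tag the payload with the primary key (stand-in for Fernet encryption)."""
    tag = hmac.new(repo[primary_index(repo)], payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + tag)


def validate_token(repo: Dict[int, bytes], token: bytes) -> Optional[int]:
    """Try every key in MultiFernet order; return the index that validates, else None."""
    raw = base64.urlsafe_b64decode(token)
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    for idx in key_order(repo):
        if hmac.compare_digest(hmac.new(repo[idx], payload, hashlib.sha256).digest(), tag):
            return idx
    return None


def demo() -> dict:
    """Token survival across rotations, and why the staged key exists."""
    node_b = fernet_setup()                       # repository synced to every controller
    tok = issue_token(node_b, b"user:alice,project:demo")   # constructed payload
    survival = [validate_token(node_b, tok)]
    repo = node_b
    for _ in range(3):
        repo = fernet_rotate(repo, max_active_keys=3)
        survival.append(validate_token(repo, tok))
    # Controller A has rotated, controller B has not: A issues tokens with the
    # key B still holds as its staged key 0, so B keeps validating them.
    node_a = fernet_rotate(node_b, max_active_keys=3)
    tok_a = issue_token(node_a, b"user:bob,project:demo")
    return {"survival": survival, "staged_validates": validate_token(node_b, tok_a)}


if __name__ == "__main__":
    print(demo())
```

With max_active_keys=3 a token issued under key 1 validates after one rotation (key 1 is the secondary) and fails after the second, so max_active_keys must cover token expiry divided by the rotation interval plus the staged and primary keys; the second half of the demo shows why the new staged key has to be distributed to every controller before anyone runs the rotation.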
4. Glance - image service
- Glance architecture
- Image visibility
- Image metadata customization
5. Nova - compute service
- Nova architecture
- Hypervisor selection
- Compute node hardening
- Flavor customization
- Virtual console selection
- SSH key pair management
- Metadata service, user data and config drive
- Security groups / rules management and port security
- Floating IP assignment
- Filter scheduler customization and instance distribution across hypervisors
- CPU / RAM overcommitment and instance limits per compute node
- Instance cold (offline) and live migration and CPU model constraints
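For the "Security groups / rules management and port security" topic, the points worth having in working form are that security group rules only ever allow, that anything unmatched is dropped, that the default group permits all egress but only ingress from members of the same group, and that a port with port_security_enabled set to false is not filtered at all. The following is an added example written for this outline, not Neutron code: a small evaluator with the rule fields Neutron uses (direction, ethertype, protocol, port range, remote_ip_prefix, remote_group_id) run over constructed rules and sample traffic. Group names, addresses and the helper names are assumptions.

```python
"""Evaluate Neutron-style security group rules against sample traffic (illustration only)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Rule:
    direction: str                          # "ingress" or "egress"
    protocol: Optional[str] = None          # None matches any protocol
    port_min: Optional[int] = None          # None matches any port
    port_max: Optional[int] = None
    remote_ip_prefix: Optional[str] = None  # CIDR, or None for any source
    remote_group_id: Optional[str] = None   # match ports that belong to this group
    ethertype: str = "IPv4"


@dataclass(frozen=True)
class Packet:
    direction: str
    protocol: str
    port: int
    remote_ip: str


@dataclass
class Port:
    fixed_ip: str
    security_groups: List[str] = field(default_factory=list)
    port_security_enabled: bool = True


def default_group_rules(group_id: str) -> List[Rule]:
    """Neutron's default group: all egress, ingress only from the same group."""
    return [
        Rule("egress", ethertype="IPv4"),
        Rule("egress", ethertype="IPv6"),
        Rule("ingress", remote_group_id=group_id, ethertype="IPv4"),
        Rule("ingress", remote_group_id=group_id, ethertype="IPv6"),
    ]


def rule_matches(rule: Rule, pkt: Packet, members: Dict[str, Set[str]]) -> bool:
    """True when every populated field of the rule matches the packet."""
    if rule.direction != pkt.direction:
        return False
    remote = ipaddress.ip_address(pkt.remote_ip)
    if rule.ethertype != ("IPv4" if remote.version == 4 else "IPv6"):
        return False
    if rule.protocol is not None and rule.protocol != pkt.protocol:
        return False
    if rule.port_min is not None and not (rule.port_min <= pkt.port <= rule.port_max):
        return False
    if rule.remote_ip_prefix is not None and remote not in ipaddress.ip_network(rule.remote_ip_prefix):
        return False
    if rule.remote_group_id is not None and pkt.remote_ip not in members.get(rule.remote_group_id, set()):
        return False
    return True


def packet_allowed(port: Port, pkt: Packet, groups: Dict[str, List[Rule]],
                   members: Dict[str, Set[str]]) -> bool:
    """Allow if any rule of any group on the port matches; otherwise implicit deny."""
    if not port.port_security_enabled:
        return True     # no security groups and no anti-spoofing are applied at all
    return any(rule_matches(r, pkt, members)
               for gid in port.security_groups for r in groups[gid])


def demo() -> Dict[str, bool]:
    """Constructed groups, ports and traffic; returns name -> allowed."""
    groups = {
        "default": default_group_rules("default"),
        "web": [
            Rule("ingress", "tcp", 443, 443, remote_ip_prefix="0.0.0.0/0"),
            Rule("ingress", "tcp", 22, 22, remote_ip_prefix="10.0.0.0/24"),
        ],
    }
    web = Port("192.0.2.10", ["default", "web"])
    peer = Port("192.0.2.11", ["default"])
    members = {"default": {web.fixed_ip, peer.fixed_ip}, "web": {web.fixed_ip}}
    cases = {
        "https_from_internet": Packet("ingress", "tcp", 443, "203.0.113.5"),
        "ssh_from_internet": Packet("ingress", "tcp", 22, "203.0.113.5"),
        "ssh_from_bastion_net": Packet("ingress", "tcp", 22, "10.0.0.7"),
        "app_port_from_group_peer": Packet("ingress", "tcp", 8080, peer.fixed_ip),
        "egress_dns": Packet("egress", "udp", 53, "198.51.100.53"),
    }
    results = {name: packet_allowed(web, pkt, groups, members) for name, pkt in cases.items()}
    unfiltered = Port(web.fixed_ip, [], port_security_enabled=False)
    results["ssh_from_internet_port_security_off"] = packet_allowed(
        unfiltered, cases["ssh_from_internet"], groups, members)
    return results


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:40s} {'ALLOW' if allowed else 'DROP'}")
```

The last case is the one to watch in reviews: disabling port security on a port (for example for a virtual appliance that needs to forward traffic) removes every security group from it and also switches off MAC/IP anti-spoofing, so such ports need compensating controls elsewhere.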
6. Neutron - networking service
- Neutron networking architecture
- L2 isolation and tunneling
- L3 routing and NAT
- Network QoS policies and rules
- FWaaS, LBaaS
- Securing OpenStack networking services
- East-West and North-South routing
7. Cinder - block storage service
- Cinder architecture
- Volume types and QoS specs
- Cinder backends (LVM, Ceph) security considerations
- Volume wiping (secure deletion of released volume data)
8. Barbican - key manager service
- Barbican architecture
- Managing passphrases
- Managing keys
- Volume encryption backed by the key manager
- Configuring Cinder service for volume encryption
- Creating and testing encrypted volumes
9. Securing OpenStack architecture
- OpenStack setup using VLAN isolation - best practices
- OpenStack Controller High Availability
- OpenStack Instance High Availability