Organized the security areas and OpenStack component list.

hyakuhei · Feb 27, 2013 · e14f2ef · e14f2ef
1 parent bf588b6
commit e14f2ef
Showing 1 changed file with 92 additions and 87 deletions.
diff --git a/outline-expanded.txt b/outline-expanded.txt
@@ -19,15 +19,20 @@ The OpenStack System Security General Principles provides a general overview of
 
   - Areas presented in this document include:
     - System and Communications Protection
-    - Log Aggregation
+    - Log Management
     - Configuration Management
     - Identification and Authentication
     - Incident Response
     - Risk Assessment
     - System and Information Integrity
 
   - General principles 
-The general principles outlined here assume that each of the security areas listed is applied to each of OpenStack's components.  For example, when considering how to secure Nova, we should look at all software components and run through each area (System and Communications Protection, Log Aggregation, Configuration Management, and so on..).  Some components such as hypervisor security may have additional best practices listed within a given area.  All areas may not apply but it is best to run through each area and ask the questions.
+The general principles outlined here assume that each of the security areas listed is applied to each 
+of OpenStack's components.  For example, when considering how to secure Nova, we should look at all 
+software components and review each area to determine how it effects Nova (System and Communications 
+Protection, Log Management, Configuration Management, and so on..).  Some components such as hypervisor 
+security may have additional best practices listed within a given area.  All areas may not apply but 
+it is best to run through each area and ask the questions.
 
 When thinking about the security areas, we should in general:
 
@@ -50,52 +55,52 @@ When thinking about the security areas, we should in general:
 
     - Generic view of an OpenStack deployment
       - System services, ports and protocols table
-      - Compute (Nova)
-      	- Configuration Guidance
-      	- Hypervisor Security
-      	  - General measures for securing hypervisors
-      	  - Refer to section below in hypervisor security
-      - Storage (Swift)
-      	- Direct Threats
-      	- Configuration Guidance
-      	- SSL Stuff
-      - Networking (Quantum)
-        - Direct Threats
-        - Configuration Guidance
-      - Dashboard (Horizon)
-        - Direct Threats
-        - Configuration Guidance
-      - Identity (Keystone)
-        - Direct Threats
-        - Configuration Guidance
-      - Image (Glance)
-        - Direct Threats
-        - Configuration Guidance
-
     - OpenStack Data flow
       - [insert OpenStack flow diagrams for each service]
 
-* Areas of Security Focus
-* System and Communications Protection
-  - Application Partitioning
-    - Hypervisor security
-      Isolate guests using system level access control to contain hypervisor/guest vm breaches. Adoption of stronger security at this layer may not be possible with all hypervisors.
-      - KVM on RHEL
-	- sVirt on SELinux is an option
-      - KVM on Ubuntu
-      - Xen  
-      - ESX
-      - LXC
-      - HyperV ??
-
-  - Denial of Service Protection
-  - Cryptographic Key Establishment and Management
-  - Use of Cryptography
-  - Secure DNS (Authoritative Source)
-  - Secure DNS (Recursive or Caching Resolver)
-  - Session Authenticity
-
-* Log aggregation
+* Securing OpenStack Components
+    - Compute (Nova)
+      - Configuration Guidance
+      	- Hypervisor Security
+	  Isolate guests using system level access control to contain hypervisor/guest vm breaches.
+	  Adoption of stronger security at this layer may not be possible with all hypervisors.
+      	  - KVM on RHEL
+	    - sVirt on SELinux is an option
+	  - KVM on Ubuntu
+      	  - Xen  
+      	  - ESX
+      	  - LXC
+      	  - HyperV ??
+      	  - General measures for securing hypervisors
+      	  - Refer to section below in hypervisor security
+    - Storage (Swift)
+      - Direct Threats
+      - Configuration Guidance
+      - SSL Stuff
+    - Networking (Quantum)
+      - Direct Threats
+      - Configuration Guidance
+    - Dashboard (Horizon)
+      - Direct Threats
+      - Configuration Guidance
+    - Identity (Keystone)
+      - Direct Threats
+      - Configuration Guidance
+    - Image (Glance)
+      - Direct Threats
+      - Configuration Guidance
+
+* Areas of Security Focus in detail
+  - System and Communications Protection
+    - Application Partitioning
+    - Denial of Service Protection
+    - Cryptographic Key Establishment and Management
+    - Use of Cryptography
+    - Secure DNS (Authoritative Source)
+    - Secure DNS (Recursive or Caching Resolver)
+    - Session Authenticity
+
+  - Log Management
     - Logged Events
     - Content of Logged Records
     - Log Storage Capacity & Retention
@@ -104,49 +109,49 @@ When thinking about the security areas, we should in general:
     - Protection of Log Information
     - Non-repudiation
 
-* Configuration Management
-  - Baseline Configuration
-  - Configuration Change Control
-  - Security Impact Analysis
-  - Access Restrictions for Change
-  - Configuration Settings
-  - Least Privilege Functionality
-  - System Inventory
-
-* Identification and Authentication
-  - Identifier Management
-  - Authenticator Management
-  - Cryptographic Module Authentication
-  - Identification and Authentication (tenants)
-
-* Incident Response
-  - Incident Response Testing & Exercises
-  - Incident Handling
-  - Incident Monitoring
-  - Incident Reporting
-  - Incident Response Assistance
-  - Incident Response Plan
-
-* Risk Assessment
-  - Risk Assessment Policy and Procedures
-  - Security Categorization
+  - Configuration Management
+    - Baseline Configuration
+    - Configuration Change Control
+    - Security Impact Analysis
+    - Access Restrictions for Change
+    - Configuration Settings
+    - Least Privilege Functionality
+    - System Inventory
+
+  - Identification and Authentication
+    - Identifier Management
+    - Authenticator Management
+    - Cryptographic Module Authentication
+    - Identification and Authentication (tenants)
+
+  - Incident Response
+    - Incident Response Testing & Exercises
+    - Incident Handling
+    - Incident Monitoring
+    - Incident Reporting
+    - Incident Response Assistance
+    - Incident Response Plan
+
   - Risk Assessment
-  - Vulnerability Scanning
-    - List open source scanners
-    - List OpenSCAP for automated scanning?
-
-* System and Information Integrity
-  - Malicious Code Protection
-  - Information System Monitoring
-    - OSSEC?
-  - Security Alerts, Advisories, and Directives
-  - Security Functionality Verification
-  - Software and Information Integrity
-  - Spam Protection
-  - Information Input Restrictions
-  - Information Input Validation
-  - Information Output Handling and Retention
-  - Predictable Failure Prevention
+    - Risk Assessment Policy and Procedures
+    - Security Categorization
+    - Risk Assessment
+    - Vulnerability Scanning
+      - List open source scanners
+      - List OpenSCAP for automated scanning?
+
+  - System and Information Integrity
+    - Malicious Code Protection
+    - Information System Monitoring
+      - OSSEC?
+    - Security Alerts, Advisories, and Directives
+    - Security Functionality Verification
+    - Software and Information Integrity
+    - Spam Protection
+    - Information Input Restrictions
+    - Information Input Validation
+    - Information Output Handling and Retention
+    - Predictable Failure Prevention
 
 Other OpenStack Security Guidance
 * Security Notes