OpenStack Solution


“Automation reduces the chance of misadministration and mistakes, which are the leading causes of operations incidents, unexpected downtime and successful security attacks.”

Gartner


OpenStack provides strong native security controls to protect cloud environments, and if used properly, can deliver workloads that are more secure than those in traditional data centers. However, the customization and manual management required to implement these controls can be labor intensive and time consuming. A powerful security solution must utilize the native OpenStack controls without requiring a team to code, write, rewrite, adjust… and repeat the process every time a new change is introduced. As Gartner points out, to keep up with the pace of change and threats in your cloud infrastructure, you must move to security automation. A complete OpenStack security solution will need to provide:

Critical Solution Requirements

1. A real-time, detailed visual mapping of all OpenStack accounts, Regions, Projects, Instances and related flows
2. A method for policy organization, orchestration and automated provisioning
3. A policy monitoring, verification and enforcement system
Cloudvisory’s Security Platform (CSP) provides the automation vital to your OpenStack cloud security strategy with continuous monitoring and detection of workloads, changes, and events while automating the security infrastructure that is native to OpenStack. CSP provides visual grouping of workloads based on any category (Accounts, Regions, Projects, and even other cloud providers) to allow for granular policy micro-segmentation and immediate updates to changes in the environment. CSP can identify rogue and malicious activity and take corrective action to halt a malware risk, returning the environment to a compliant and safe state.

“Cloudvisory gave us unprecedented visibility, micro-segmentation, and compliance capabilities to deliver business applications faster with better security.”

Fortune 500 Media and Telecom.

CSP delivers continuous monitoring, detection, and security automation for OpenStack environments with:

Visualization

Understanding and managing the security of your workloads in OpenStack can be challenging using OpenStack Horizon, the CLI, or the REST API. In all cases, getting the proper perspective of the current infrastructure and any changes to it over time can be difficult due to the lack of visual representations into the relationships of Regions, Projects, Instances, Security Groups, and the network flows between them. Here’s the value Visualization can bring to an OpenStack deployment.

Visualizing the Infrastructure

[Image: OpenStack Horizon instances view]

OpenStack Horizon is restricted to a list view of instances for a single project and region at a specific point in time. There is no visual mapping of the OpenStack environment, so troubleshooting can be slow and inaccurate in a rapidly changing environment.

[Image: Visualization with CSP]

Cloudvisory continuously discovers the OpenStack infrastructure, providing a visual mapping of OpenStack Accounts, Regions, Projects, Instances, network flows and even other cloud providers. As new workloads spin up or down, the visualization is updated immediately.

Troubleshooting Connectivity issues in OpenStack


Control

CSP provides a crucial Security Orchestration plane to help simplify the organization and control of security policies. Natural language policies are created with point and click ease and are associated to groups of workloads via meta-data and provider attributes, allowing for automated provisioning of those policies. As the environment changes, complex calculations determine the security policy changes required to keep the environment secure.

Organization & Orchestration

[Image: OpenStack Horizon policy management]

Tags and metadata are critical for organizing workloads and their associated security policies into groups. OpenStack tags must be assigned and managed per instance, and once set, how they are used is left entirely to the administrator. There is no direct correlation between tags and network security policies (security groups) in OpenStack.

[Image: Cloudvisory CSP policy management]

The Security Orchestration plane enables creation of natural language policies and the association of those policies to workloads via infrastructure memberships, tags and group memberships (such as application or application tier). This orchestration plane enables automated calculation and provisioning of security policies, even as the environment undergoes change. With security automation, the pace and accuracy of DevOps processing increase dramatically.

[Image: Cloudvisory CSP visual grouping]

Cloudvisory provides visual grouping of workloads and network flows based on categories, such as Application, App Tier, Governance Policy, VPC, etc. These Logical Groups allow for granular micro-segmentation of policies and real-time security updates based on changes in the environment.

[Image: OpenStack Horizon security groups]
[Image: OpenStack Horizon security group management]

Using OpenStack Horizon to list and manage security groups is not intuitive and is limited to a single account in a single region for a single project.

[Image: Cloudvisory CSP policy creation]

Creating policies in Cloudvisory can be done across Accounts, across Regions, across Projects, at the workload or logical group level, and even across other Cloud Providers simply and intuitively. This enables agile management, security, and dynamic control of the OpenStack deployment.


Enforcement

After discovery, visualization and orchestration, Enforcement ensures that all infrastructure, policies, and network flows remain in real-time compliance. CSP can identify unsanctioned or malicious activity and immediately take corrective action to avoid a security breach. This is not possible with native OpenStack tools without a significant investment in people, time, coding and testing; DevOps teams can take weeks to respond to a potential threat. Enforcement automates this process.

Network Flows

OpenStack Horizon does not provide visibility into workload network flows.

[Image: Cloudvisory CSP network flows]

Cloudvisory can quickly identify non-compliant network flows and alert teams to potential threats. CSP continuously monitors security policies for needed adjustments and alerts on non-compliant changes. Below, the visual flow data points out compliant and non-compliant flow details so that risk and potential malicious activity can be identified quickly.

[Image: Cloudvisory CSP flow details]

Cloudvisory flow information is summarized per workload and logical group for a better understanding of the environment and faster triage of infected workloads or malicious behavior.

Detecting and Neutralizing Malware in OpenStack

Identifying Policy Violations with automated rollback to the compliant state

Cloudvisory constantly monitors the security policy state to confirm it remains unchanged and compliant. If an unauthorized change to the policies is identified, Cloudvisory detects it, alerts, and can take automatic corrective action to return the OpenStack environment to its known-good state.
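The two mechanisms the page describes, associating policy to workloads through tags (the Control section) and detecting drift from the compliant policy state with automated rollback (this section), can be expressed concretely as a small reconciliation loop. The Python below is an added example written for this page; it is not Cloudvisory's or OpenStack's own code. The policy format, the group names (sg-web, sg-db), the sample instances, and the "observed" rule set are all constructed. Applying the resulting plan against a live cloud would go through openstacksdk (creating and deleting security group rules, updating server security groups); that call-out is deliberately left out so the example runs offline.

```python
"""Tag-driven micro-segmentation compiled to Neutron-style security-group
rules, then diffed against the observed state to produce a remediation plan.

Illustrative code added to this page; not Cloudvisory's or OpenStack's own.
Policy, group names, instances and observed rules are constructed assumptions.
"""
from __future__ import annotations

# Constructed policy: groups are selected by instance metadata tags, and each
# allowed flow is stated between logical groups, never per-address.
POLICY = {
    "groups": {
        "web": {"app": "shop", "tier": "web"},
        "db":  {"app": "shop", "tier": "db"},
    },
    # (source group or "any", destination group, protocol, port)
    "flows": [
        ("any", "web", "tcp", 443),
        ("web", "db", "tcp", 3306),
    ],
}

# Constructed inventory as the compute API would return it: metadata tags plus
# the security groups currently attached.  i-3 is mis-assigned on purpose.
INSTANCES = [
    {"id": "i-1", "metadata": {"app": "shop", "tier": "web"}, "security_groups": ["sg-web"]},
    {"id": "i-2", "metadata": {"app": "shop", "tier": "db"},  "security_groups": ["sg-db"]},
    {"id": "i-3", "metadata": {"app": "shop", "tier": "db"},  "security_groups": ["default"]},
]

# Constructed observed rules per security group: (direction, proto, port, remote).
# sg-web carries an unauthorized SSH-from-anywhere rule; sg-db lost its 3306 rule.
OBSERVED = {
    "sg-web": {("ingress", "tcp", 443, "0.0.0.0/0"), ("ingress", "tcp", 22, "0.0.0.0/0")},
    "sg-db": set(),
}


def compile_rules(policy: dict) -> dict[str, set[tuple]]:
    """Expand group-to-group flows into the ingress rules each group's security
    group must carry.  "any" becomes 0.0.0.0/0; a group name becomes a
    remote-group reference, so the rule follows membership, not addresses."""
    desired: dict[str, set[tuple]] = {name: set() for name in policy["groups"]}
    for src, dst, proto, port in policy["flows"]:
        remote = "0.0.0.0/0" if src == "any" else f"sg-{src}"
        desired[dst].add(("ingress", proto, port, remote))
    return desired


def assign_group(instance: dict, policy: dict) -> str | None:
    """Return the logical group whose tag selector matches the instance's
    metadata, or None if it is untagged/unknown (and therefore unmanaged)."""
    md = instance["metadata"]
    for name, selector in policy["groups"].items():
        if all(md.get(k) == v for k, v in selector.items()):
            return name
    return None


def plan(policy: dict, instances: list, observed: dict[str, set[tuple]]) -> dict:
    """Diff desired state against observed state and return the actions that
    roll the environment back to compliance: rules to add, rules to remove,
    and instances whose security-group attachment no longer matches their tags."""
    desired = compile_rules(policy)
    actions: dict[str, list] = {"add_rule": [], "remove_rule": [], "reattach": []}
    for grp, rules in desired.items():
        sg = f"sg-{grp}"
        current = observed.get(sg, set())
        for r in sorted(rules - current):
            actions["add_rule"].append((sg, r))
        for r in sorted(current - rules):        # anything not in policy is drift
            actions["remove_rule"].append((sg, r))
    for inst in instances:
        grp = assign_group(inst, policy)
        if grp is None:
            continue
        sg = f"sg-{grp}"
        if sg not in inst["security_groups"]:
            actions["reattach"].append((inst["id"], sg))
    return actions


if __name__ == "__main__":
    for kind, items in plan(POLICY, INSTANCES, OBSERVED).items():
        for item in items:
            print(kind, item)
```

Run on the constructed data, the plan adds the missing web-to-db 3306 rule on sg-db, removes the rogue port-22 rule from sg-web, and re-attaches i-3 to sg-db. Two design points matter for a real deployment: rules reference remote groups rather than CIDRs, so a new db instance is covered the moment its tags match; and removal is computed as "observed minus desired", so any rule someone adds by hand is treated as drift and rolled back rather than silently accepted.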

Summary

Cloudvisory’s Security Platform (CSP) leverages OpenStack’s strong native security controls to protect the environment. By automating discovery, policy orchestration and enforcement, CSP can make OpenStack workloads more secure than those in traditional data centers.

