The techniques described in this chapter are mostly based on STRIDE, since the focus is Mirantis OpenStack, which is a software product. Each threat class is paired with a corresponding set of mitigation techniques and recommended tools. The tables below map threats to mitigation techniques and tools according to the STRIDE model: the first covers the six STRIDE threat types, the second covers threat scenarios specific to cloud providers and tenants.
Threat Type | Violates | Mitigation | Tools |
---|---|---|---|
Spoofing | Authentication | PKI: TLS and certificates, digital signatures | Secrets manager (Barbican) |
Tampering | Integrity | MAC/RBAC, digital signatures | SELinux, AppArmor, grsecurity, Identity Federation, secrets manager (Barbican) |
Repudiation | Non-repudiation | Secure logging and auditing, digital signatures | LMA toolchain, Keystone CADF events |
Information disclosure | Confidentiality | Encryption, MAC/RBAC | Volume encryption, ephemeral disk encryption in LVM format, Object encryption, secrets manager (Barbican), SELinux, AppArmor, grsecurity |
Denial of Service (DoS) | Availability | ACLs, filtering, quotas, geo distribution | Firewall (layer 3,4,7), load balancer, DDoS protection, availability zones in OpenStack |
Elevation of Privilege (EoP) | Authorization | MAC/RBAC, Group or role membership, privilege ownership, input validation | SELinux, AppArmor, grsecurity, Identity Federation, DMZ |
Threat Type | Violates | Mitigation | Tools |
---|---|---|---|
Insider threats (information disclosure, spoofing) | Cloud tenant security and privacy | Contractual controls, MAC/RBAC, data encryption (information disclosure), isolate the management network from tenants’ networks (information disclosure, spoofing), inspect outgoing traffic (information disclosure) | SELinux, AppArmor, grsecurity, volume encryption, ephemeral disk encryption in LVM format, object encryption, secrets manager (Barbican), DLP |
Co-tenant threats (spoofing, EoP, DoS, information disclosure, repudiation) | Cloud tenant security and privacy | East-west traffic inspection to detect anomalies and restrict application-layer protocols (EoP, information disclosure), brute-force protection (EoP), cloud separation using Host Aggregates and Availability Zones so that VMs with different security levels do not run on the same Compute node (EoP, information disclosure, DoS) | WAF, IDPS, MOS brute-force protection, trusted computing pool based on Intel TXT, host aggregates and Availability Zones in OpenStack Compute |
Tenants hack the provider: escaping a VM and gaining access to the management interface or network (EoP), using another tenant’s stolen credentials (EoP, spoofing, repudiation), brute-force and dictionary attacks (EoP), resource exhaustion (DoS) | Cloud provider security and privacy | Brute-force protection (EoP), limit access to admin interfaces (EoP), change default passwords (EoP), monitor and detect anomalies in management and tenants’ networks (EoP, information disclosure), disable indexing by search engines (information disclosure), logging (repudiation) | WAF, IDPS, LMA toolchain, brute-force protection |
NFV threats: intellectual property (information disclosure), altering of VNF images (tampering), network traffic loops (DoS), exhausting resources of the virtualisation infrastructure (DoS), a VM can access another VM’s memory when using IOMMU (EoP), a cloned VNF image may contain confidential information (information disclosure), diagnostic interfaces enabled in a VNF for remote support can be exploited by attackers | Cloud provider and tenant security and privacy | Protect the proprietary code in VNFs, integrity verification for VNF images, detect loops during topology validation or when forwarding messages, enable monitoring for degraded performance and anomalies in resource allocation, use shared IOMMU within the SR-IOV standard, use secure key management and a unique key pair for every cloned image as well as operator-controlled certification authorities (CAs) for internal services, enable authorization to control VNF maintenance operations | LMA toolchain, SELinux, AppArmor, grsecurity, secrets manager |
Outsider threats: targeted attacks (EoP), DDoS, human-related threats: insider access, social engineering (spoofing, EoP), third-party access (information disclosure), MITM (information disclosure), and DoS attacks using BGP exposed to the Internet | Cloud provider and tenant security and privacy | DMZ (EoP), increasing staff security awareness (spoofing, EoP), BGP peer filtering (information disclosure, EoP) | Firewall (layer 3,4,7), load balancer, DDoS protection, sandbox |
Forensic threats | Cloud forensic data | Logging, setting security domain/project with forensic tools | LMA toolchain, network sniffer |