Introduction

Introduction

This document covers security best practices for Mirantis Cloud Platform (MCP) that include:

  • Description of typical threats that may affect a customer’s cloud

  • Threat modeling techniques

  • References to security standards

  • Threats mitigation techniques

  • Secure configuration of OpenStack components

  • Secure configuration of Docker and Kubernetes

  • Secure cloud architecture

  • Common use cases with using open source security solutions

MCP is a deployment and lifecycle management (LCM) solution that enables DevOps engineers to deploy and operate clouds based on Mirantis OpenStack and Kubernetes through continuous integration and continuous delivery (CI/CD).

Mirantis engineers put efforts to make the components more secure and to deploy cloud architecture capable of withstanding cyber threats.

This guide starts with explaining cyber attack models for threat modeling. These models help you understand threats to protect your cloud against them. The document guides through the most popular threat models: STRIDE from Microsoft, OCTAVE from CERT, and CAPEC from MITRE. In addition, we mention cloud specific threats and affected objects.

The next chapter describes general mitigation techniques for the threat model such as encryption, access controls, logging, load balancing, and so on.

Some components and hosts may need additional configuration after deployment depending on current environment and/or your specific needs. The Secure MCP OpenStack and Secure Kubernetes and Docker chapters describe these aspects. Additionally, refer to OpenStack Security Guide, Docker Security, and Kubernetes Security Best Practices for more information explaining the reasons of such configuration.

The next chapters guide you through the best practices of designing a secure cloud architecture including the demilitarized zone and installation of security solutions on top of cloud platform to provide incident detection, prevention, and investigation processes.

At the end, you can find common use cases that can help you to address the given recommendations.