OpenStack is an Open Source project that allows you to manage a cloud of VMs that has grown into a widely adopted platform. The issue with having a centralized Infrastructure As A Service (IAAS) is that if you compromise the management cluster you can attack everything it controls, which is a lot at Yahoo scale. How do you keep your OpenStack cluster safe? What do you do when a management system, hypervisor, or VM is compromised?
This talk will discuss specific things that you can do to harden your cluster and make it more difficult for a large compromise to happen. If a compromise is detected, there are specific steps you can take to reduce the impact as well as to gather intelligence you can take action on. The impact of different network architectures on OpenStack security will also be discussed. Throughout this talk, I will use examples from the Yahoo deployments of OpenStack clusters to illustrate what Yahoo does to secure its systems and ensure our users continue to trust us.