►
From YouTube: Data Security and Storage Hardening In Rook and Ceph
Description
Presented by: Federico Lucifredi & Ana mcTaggart
Data Security and Storage Hardening In Rook and Ceph
We explore the security model exposed by Rook with Ceph, the leading software-defined storage platform of the Open Source world. Digging increasingly deeper in the stack, we examine hardening options for Ceph storage appropriate for a variety of threat profiles. Options include defining a threat model, limiting the blast radius of an attack by implementing separate security zones, the use of encryption at rest and in-flight and FIPS 140-2 validated ciphers, hardened builds and default configuration, as well as user access controls and key management. Data retention and secure deletion are also addressed. The very process of containerization creates additional security benefits with lightweight separation of domains. Rook makes the process of applying hardening options easier, as this becomes a matter of simply modifying a .yaml file with the appropriate security context upon creation, making it a snap to apply the standard hardening options of Ceph to a container-based storage system.
B
A
Away
from
the
idea
that
we
have
to
introduce
ourselves
so
very
briefly:
I
had
the
privilege
of
spending
my
entire
career
in
free
and
open
source
software
I'm,
the
product
management
director
for
Obsession
as
a
platform
I'm
red
hat
and
soon
in
IBM.
Previously
it
was
Ubuntu
Server
pm
at
canonical.
If
you
remember
1404,
that
was
my
favorite
accomplishment
there
and
if
you
go
back
the
decade,
the
systems
management
car
that
cars
hired
everyone
at
Susan.
A
There
are
a
few
things
here
on
the
list
that
I
worked
on.
I
was
the
maintainer
of
Mount
I,
suppose
I,
technically
still
am
also.
We
consider
Collins
version
preferred
these
days,
so
I
don't
have
that
much
to
do,
but
it's
still
there
on
your
Mac.
If
you
type
man
man,
you
find
me,
Shameless
plug
I
have
a
book
by
O'reilly
and
that's
why
you
see
me
there
surrounded
by
clouds
in
my
author
portrait
and
well
I.
Think
that's
plenty
enough
for
me.
So
Anna.
C
Hacker
I
use
they
them
pronouns
and
I
work
on
security
at
red
hat
and
soon
to
be
ibf
I'm.
Currently,
an
incident
response
at
red
hat
and
I'll
be
working
on
security
for
all
of
for
all
of
our
storage
products,
such
as
cluster
odf
and
sap.
When
we
moved
to
IBM
I
did
grad
school
at
UCSC
in
formal
methods
and
also
Storage
security.
I
did
my
undergrad
at
UMass
Amherst
and
in
my
free
time,
I
love
to
hike
with
my
dog
and
garden.
A
And
there
would
be
a
third
speaker
which
is
Mike
Hackett,
who
unfortunately,
is
super
busy
keeping
holding
before
it
for
our
support
team,
so
it
could
be
with
us
today,
but
he
is.
He
is
an
equal
contributor
to
this
work.
So
thanks
thanks
to
him
for
all
that
he
has
put
in
now
we're
not
going
to
do
the
introduction
to
what
Seth
is
in
the
session.
A
A
A
It
needs
to
be
defined
in
the
context
of
an
actual
track
model.
Are
you
facing
script,
kiddies
or
Gru,
or
some
dry
that
privileged
inside
their
scenario?
Some
of
these
want
to
steal
your
data.
Others
want
to
crypto,
lock
you
and
hold
you
for
ransom,
others,
yet
maybe
just
satisfied
with
the
disrupting
your
service.
A
Yes,
hopefully,
yes,
so
some
of
them
may
want
to
actually
cause
damage.
Others
may
be
satisfied
with
the
disruption
not
need
to
actually
steal
your
data,
so
the
the
model
of
who
you're
facing
is
essential
so
that
you
can
pick
from
the
vast
collection
of
hard-earning
practices
you
can
put
in
place,
which
ones
make
sense
for
you
and
your
users.
A
A
Authority
over
data
Transmissions
Crossing,
this
Zone
should
make
use
of
encryption
note
that
the
public
Zone
as
I
just
defined
it
does
not
include
the
storage
cluster
front
end.
The
chef
public
underscore
Network,
which
defines
the
storage
front
end
and
properly
belongs
in
what
is
called
the
storage
access
zone.
So
maybe
not
the
most
ideal
terminology
there,
but
that's
what
it
is.
A
The
SAS
client
Zone
refers
to
networks
accessing
test
clients
like
the
object,
Gateway,
the
soft
file
system
or
block
storage.
Deaf
clients
are
not
always
excluded
from
the
public
security
Zone,
for
instance,
it's
possible
to
expose
the
object
gateways
as
3
or
Swift
API
and
the
public
security
Zone.
A
A
Operators
often
run
clear
text
traffic
in
the
cluster
Zone,
relying
on
the
physical
separation
of
VLAN
separation
from
all
other
network
traffic,
and
here
is
a
good
example.
This
would
not
be
a
valid
choice
if
your
attract
Model
includes
an
adversarial
privileged
Insider,
whereas
it's
perfectly
fine.
If
you're
a
threat
model
is
for
script
kidneys.
So
again,
you
need
to
choose
what
you're
doing,
based
on
what
your
thought
model
is.
A
Now,
components
spanning
the
boundary
of
two
security
zones
with
different
Thrust
out
or
authentication
requirements
must
be
carefully
configured.
These
are
natural
weak
points
in
network
architecture,
as
could
always
be
configured
to
meet
the
requirements
of
the
higher
level
security
zone
of
the
two.
A
Conversely,
an
object
Gateway
in
the
client
security
Zone
will
need
to
access
the
cluster
security
Zone's
monitors
on
Port,
seven,
six,
seven,
eight,
nine
and
osds
on
full
range
of
ports
and
will
likely
expose
its
S3
API
to
the
public
security
Zone
exemplifying
the
the
Zone
Crossing
scenario.
That
I
was
just
describing.
A
C
C
Product
security
at
Red
Hat
poll
is
a
secure
development
life
cycle
with
the
goal
of
reducing
risk
and
improving
security
for
both
staff
and
Rook.
We
suggest
improvements
we
pen
test.
We
manifest
all
of
our
dependencies,
even
the
really
obscure
ones
in
an
in
some
container
somewhere.
We
review
vulnerabilities,
we
track
weaknesses
and
exploits.
C
We
approve
a
router
releases,
checking
details.
We
review
all
new
releases,
checking
new
libraries
for
cpes
checking
old
ones
too,
and
we've
recently
somewhat
recently
within
the
past
year.
This
we
split
it
into
incident
response
and
security
architect
roles
in
part
to
ensure
good
Geographic
coverage
and
preventing
any
lapses
covering
all
stages
of
our
software,
because
I
don't
want
to
work
at
two
in
the
morning
and
nobody
does
and
nobody's
so
sharpest.
But
so
one
of
these
branches
is
called
incident
response.
This
is
the
branch
that
I
currently
work
in.
C
C
We
also
try
to
coordinate
all
Publications
to
prevent
disclosing
a
flaw
before
engineering
is
aware,
and
in
some
cases,
we'll
even
wait
to
publish
until
we
have
a
fix
ready.
This
all
depends
on
whether
or
not
we're
actually
able
to
keep
it
under
Embargo.
Of
course,
if
somebody
publishes
something
to
Twitter,
we
can't
exactly
follow
this
process,
but
when
we
get
a
report
to
us,
we
we
really
try
to
coordinate
to
minimize
the
amount
of
time
that
significant
security
vulnerabilities
are
public
without
us
having
it
fixed.
C
We
also
regularly
check
for
exploits
that
are
discovered
well
after
a
vulnerability
is
published,
because
that
can
affect
the
severity
of
an
exploit
of
a
vulnerability
and
in
very
exciting
news.
We
recently
open
sourced
our
incident
response
plan
that
covers
our
process
for
responding
to
incidents.
We
do
this
to
help
industry
overall
and
really
include
the
open
source
ethos
within
incident
response
on
the
other
side
of
things
prior
to
release
our
security
architect
Works,
to
improve
stuff
by
working
on
the
design
of
it.
C
We
also,
as
I
said,
before,
carefully
review
all
major
releases,
our
new
libraries
for
cpe's
vulnerabilities.
We
review
all
exceptions
to
security
policy
in
some
cases
will
approve
them
and
in
other
cases
we'll
say:
hey
engineering.
You
actually
have
to
go
fix
this
and
we
work
with
the
compliance
team
to
validate
stuff
to
our
security
standards
and
any
policies
that
are
that
we're
implementing.
C
C
Let's
talk
about
encryption
and
key
management
for
yourself
server
side
operators
overwhelmingly
choose
to
encrypt
data
at
rest,
using
the
Linux,
unified,
Key,
System,
better
known
key
setup,
better
known
as
Lux,
and
all
data
and
metadata
of
a
soft
storage
cluster
can
be
secured.
I'll
give
it
one
moment.
C
C
We
are
also
enabling
security
best
practices
by
locating
our
monitor
damage
our
mons
on
separate
hosts
from
the
osds.
This
basically
means
that
the
drive
or
host
is
physically
separated
from
its
decryption
Keys.
You
need
both
drives
to
get
the
keys
and
the
data
and
this
interest
to
anti-affinity
of
the
keys
and
the
data
they
encrypt.
Obviously,.
C
Object,
stored,
Gateway.
In
addition,
our
rgw
has
additional
capabilities.
This
includes
encryption
at
ingestion
time,
the
use
of
per
user
Keys,
as
opposed
to
per
Drive
Keys
We,
allow
key
rotation
with
tools
like
Vault.
We
have
support
for
AWS,
SSE
KMS
and
more.
We
even
have
a
Department
of
Defense
Cipher
certified
under
Pips
140-2
as
a
standard
that
can
be
used
when
they're
supplied
by
a
Rel,
inappropriate
version.
As
you
can
see,
we
just
have
a
wide
variety
of
options
for
Key
Management
on
the
slides.
C
And
now
that
we've
talked
about
encryption
at
rest,
we
got
to
talk
about
encryption
and
Transit.
Network
communication
can
be
secured
by
turning
on
the
CEF
protocol.
Encryption
in
the
in
the
messenger
version
2.1
protocol
introduces
Nautilus.
This
is
the
one
that
we
worked
with
product
Security
on
and
you
know
we
definitely
have
an
option
to
have
the
Legacy
clear
text
protocol.
C
Fine,
it's
secure
enough.
The
networks
where
the
cluster
is
using
the
stuff
protocol
are
usually
physically
or
logically
isolated
from
access,
but
so
for
compatibility
reasons
you
want
to
have
the
clear
text
protocol
as
the
default.
At
the
same
time,
we
now
have
an
encrypted
internal
protocol
and
again
all
data
at
rest
is
encrypted,
irrespective
of
access
protocol.
C
In
nearly
all
cases,
all
of
our
customers
are
choosing
to
use
those
methods
and
for
data
in
transit,
we're
using
fips
140-2
certified
ciphers
as
an
option
and
again
we
we
offer
that
option
just
with
compatibility
and
overheads
why
we
wouldn't
traditionally
encrypt
the
back
end
protocols,
but
in
most
cases
the
performance
impact
is
actually
really
insignificant
for
a
properly
designed
cluster.
Our
latency
is
overshadowed
by
the
network
communication
as
long
as
our
CPU
overhead
is
accounted
for
and
we
have
some
best
practices
on
this
slide.
C
For
example,
you
can
use
TLS
security
from
your
object
gateway
to
your
S3
clients.
You
can
use
your
you
know
we'll
go
into
this,
but
TLS
termination
at
H.A
proxy
is
a
special
case
and
we
always
incur
encourage
Network
hygiene
at
individual
mode
so
going
on
to
the
next.
So
going
on
to
a
little
bit
more
here.
Looking
at
specific
protocols,
our
S3
service
is
usually
secured
between
rgw
and
the
S3
client,
with
TLS
on
Port
443.
C
C
And
again,
just
like
I
mentioned
TLS
termination
at
aha
proxies
a
special
case
where
the
link
between
h,
a
proxy
and
rgw
is
in
clear
text.
So
you
have
to
keep
in
mind
security
zones
just
like
Federico
was
talking
about
earlier,
but
provided
it's
located
in
the
appropriate
security
Zone.
We
have
no
concern
and
again
just
like
I
was
mentioning
earlier
standard
Network
practices
like
firewalling
individual
nodes
to
only
exposed
a
cleared
list
of
Port
Supply.
Let's
not
have
all
of
our
ports
open
to
the
public.
C
C
C
Rip
supports
at
risk
data
encryption,
as
we
discussed
earlier
within
within
flight
stuff
protocol
encryption
in
1.9,
kubernetes
user
permission
systems
applies
to
persistent
volumes,
so
permissions
quotas,
all
that
comes
from
kubernetes
with
nothing
group
needs
to
do.
Brooke
supports
e-management
systems
as
well
in
our
DSi
driver
allowing
individual
volumes
to
be
encrypted
with
their
own
key.
This
limits
the
scope
per
key.
This
all
ensures
that
we
can
follow
best
practices
easily,
such
as
key
rotation,
revocation
and
limiting
the
scope
from
each
key.
C
The
manager
supports
the
whole
infrastructure
and
needs
to
be
reachable
on
the
storage
access
Zone.
Hence
why
we're
using
SSH?
So
you
can
see
this
is
how
we're
implementing
it
with
a
sort
of
different
ports,
and
you
know
where
exactly
we're
using
SSH
Keys
again
with
the
management
dashboard.
For
example,
the
dashboard
access
Zone
may
be
tailored
to
suit
your
local
threat
model
with
with
SSH.
C
Now
this
is
all
authentication
and
authorization
are
on
by
default
if
the
user
isn't
supplied
you're
going
to
just
give
them
the
client.admin
as
the
user
and
restrict
accordingly.
Now
you
still
need
some
good
practices.
For
example,
you
may
only
want
to
Grant
keyring,
read
and
write
permissions
for
the
current
user
and
root
with
client
admin
user
restricted
to
only
you
definitely
don't
want
all
users
to
be
root
as
per
best
practices,
because
that
just
gives
them
way
too
much
permission.
C
C
C
They
should
be
secured,
as
we
previously
discussed.
Regarding
data
at
rest,
we
can
couple
with
oidc
providers
such
as
keycloak,
backed
with
your
organizational's
identity
provider,
for
an
even
a
better
sense
of
granular
roles
or
identity.
Access
for
attribute
access,
really
we're
trying
to
make
this
as
accessible
as
possible
for
different
options
and
allow
our
users
to
have
as
many
different
choices
that
are
pretty
secure
going
on
to
the
next
slide.
C
I'll
finish
this
up
with
identity
and
access
and
then
I'll
hand
it
over
to
federicio.
After
this,
but
with
identity
and
access,
we
support
ldap
and
active
directory
users.
We
do
recommend
secure
ldap
for
identity
Services.
We
also
again,
we
support
openstack
Keystone
to
authenticate
our
object.
Gateway
users
in
general.
We
just
have
a
lot
of
options
for
identity
and
access
that
are
pretty
secure
and
when
the
slides
are
back
up,
I'm
going
to
hand
it
over
to
federicio
to
finish
us
up
on
the
auditing
slide.
A
My
bad
other
thing
is
fairly
self-explicative.
This
is
the
lag
format
that
we
use.
You
should
aggregate
your
logs
into
a
central
location.
If
you
can,
if
you
have
a
central
log
management
system
that
is
highly
recommended,
you
probably
also
want
to
purge
your
logs
on
on
a
regular
schedule.
There
is
no
sense
leaving
them
around
forever,
just
in
case
something
something
is
getting
leaked
there,
that
we're
not
aware
of.
A
And
then
data
retention,
so
this
is
actually
a
fairly
juicy
topic.
There
is
a
lot
here,
so
that's
data
retention,
behaviors
generally
users
don't
go
and
access
rados
directly.
So
we
look
at
the
at
the
higher
layers
here
in
RBD,
rgw
and
to
some
degree
the
file
system.
We
have
what
you
could
consider
intentional
data
retention.
You
can
go
and
delete
objects,
but,
for
example,
RBD
has
this
new
bit
of
functionality
called
the
trash
bin,
where
it
essentially
gives
you
an
undo
button
where
you
can
restore
a
volume
that
you've
deleted
this?
A
A
Obviously,
if
you
want
to
manage
data
retention
policies,
you
need
to
be
aware
of
these
behaviors,
and
then
there
are
places
where
you
intentionally
increase
the
data
retention
like
setting
up
rgw4
write
one
semantics,
as
a
financial
customer
may
do,
or
setting
up
a
multi-factor
authentication
on
rgw
to
to
protect
against.
Let's
say
a
ransomware
attack
to
make
it
more
difficult
to
go
and
delete
data,
so
these
are
things
at
at
the
sef's
level,
but
once
you
have
deleted
the
data
well,
it
may
not
be
easy
to
recover.
A
A
Obviously,
your
overwrites
are
going
to
go
someplace
else
than
when
and
then
where
the
original
data
was
stored,
so
for
a
secure
deletion
generally,
a
best
practice
is
to
encrypt
the
drives,
which
you
should
be
doing
anyway,
and
to
sanitize
the
Drives
By,
forgetting
the
key
that
they
were
encrypted
with.
That
is
much
faster.
It
is
compatible
with
Hardware
return
policies.
You
don't
have
to
you.
A
Don't
have
to
explain
to
your
heart
disk
vendor
that
you
shredded
the
drives
for
security
reasons
and
you're
returning
them
competing
for
a
new
drive
as
part
of
the
warranty
process
that
they
may
not
work
too
well,
and
so
it's
very
fast.
It's
compatible
with
with
RMA
processes,
and
you
should
be
encrypting
the
drives
anyway,
so
you
should
have
the
ability
to
do
that
to
begin
with
in
terms
of
hardening
the
binaries.
A
A
You
have
on
the
left
here
the
the
options
that
we
use
when
we
build
the
safe
binaries
and
on
the
right,
you
have
the
options
that
are
generally
provided
by
the
operating
system,
environment
and
kernel,
like
the
general
mix
of
aslr
hardening
strategies
or
limiting
system
calls
that
you
can
access
and
position
independent,
executables
and
the
like.
All
of
these
are
part
of
Raul's
default.
Configuration
I
believe
that
they're
also
part
of
ubuntu's
default
configuration.
So
our
most
common
os's
are
covered.
A
It's
not
it's
not
actually
secure,
but
when
you're
storing
it
into
some
other
things
like
Azure,
Corporal
or
some
other
external
location,
then
that
mechanism
actually
actually
protects
your
secrets.
So
every
Everything
varies
is
expanded
by
running
hacking,
kubernetes
chapter
six
by
Michael,
housenbluster,
former
colleague
and.
A
A
A
C
We
generally
do
if
we
get
a
report
of
a
vulnerability
that
could
result
in
a
Dos,
we'll
generally
send
it
over
to
engineering
just
like
we
would
any
other
vulnerability
trying
to
prevent
and
fix
it.
Of
course,
this
is
a
very
broad
category
of
attacks,
so,
for
example,
saying
like
oh,
it's
certified
against
EOS.
A
A
Storage
means
that
the
latency
is
generally
shadowed
by
Network
latency
and
the
encryption
overhead
is
not
going
to
affect
latency
much,
but
obviously
you
need
to
size
the
cluster
so
that
that
it
has
the
higher
power
to
to
do
this
in
the
customers
that
where
we
see
encryption
and
flight
in
news
this
is
generally
a
regulatory
requirement.
So
it's
not
not
something
where
there
is
a
choice.
Their
regulator
is
saying.
A
Even
if
the
network
traffic
is
on
a
separate
Network,
we
don't
care,
we
want
it
encrypted,
and
so
they
they
just
do
it
and
they
add
a
few
more
cores.
But
that's
that's
the
extent
of
the
effort.
So
it's
it's
not
significant
impact
at
rest.
Encryption
is
essentially
completely
overshadowed
by
Network,
latency
and,
and
it's
something
that
at
this
point
is
the
fault:
I
stopped
tracking
the
prevalence
of
encryption
at
rest
in
2015
when
more
customers
than
not
were
using
encryption
at
rest.
Now,
it's
it
must
be
in
the
90
plus
group.
A
E
Frederico,
thanks
for
the
presentation,
hey
Hannah,
thanks
for
your
presentation,
I
had
a
question
about
audit
laws.
Hey
it
I
was
recently
troubleshooting
an
issue
and
I
was
surprised.
It
was
kind
of
a
discovery
for
me.
So
when
you
run
the
CLI
commands,
you
know
like
Steph
status
or
any
other,
like
you
know,
read
commands
from
the
CLI.
Those
are
all
those
all
get
logged
in
the
audit
log.
E
However,
I
was
surprised
to
not
see
like
if
I,
if
a
volume
gets
created
like
an
RBD
volume,
gets
created
or
do
or
destroyed,
that
type
of
activity
doesn't
get
logged
in
the
audit
log.
Is
that
something?
My
knowledge
is
only
up
until
Nautilus,
so
I
apologize,
if
that's
changed,
but
is
that?
Is
that
something
that
you
guys
are?
Is
it
is
that
is
that
configurable
or
are
there
thoughts
to
extending
the
audit
logs,
like
someone
deletes
an
RBD
volume
and
then
comes
and
complains
to
me
that
they
lost
data.
A
A
I
my
first
question
would
be
whether
there
is
a
difference
there
between
the
log
levels.
There
was
an
effort.
It's
been
several
years
back
where
a
number
of
things
were
pushed
into
higher
log
levels,
because
our
logs
were
enormously
chatty.
They
were
developer
friendly,
logs,
not
operator
friendly
logs.
So
probably
the
first
thing
that
I
would
check
is
maybe
it's
being
logged
at
the
higher
level,
but
it
seems
it
seems
wrong
that
at
whatever
level
you're
operating
at
that
is
not
being
logged.
B
Yeah
Federico,
I
I,
don't
think
this
is
logged
because
in
general
the
the
well
it's
not
logged
in
the
in
the
audit
log,
at
least
right.
So
because
the
the
audit
log
is
mostly
limited
to
just
kind
of
cluster-wide
activity,
and
that
means
mostly
things
that
concern
Raiders
itself
and
not
the
higher
level
applications
such
as
a
Blog
device
or
the
file
system.
B
E
B
Yeah,
that's
definitely
something
we
can.
We
could
look,
I
mean
there
is
no
reason
it
is
just
it
just.
It
would
need
to
be
designed
to
concern,
not
just
let's
say,
RBD
image,
creations
and
deletions
but
kind
of
across
stuff,
because,
like
I
said
right
now,
the
idea
with
the
audit
log
is
that
it's,
you
know
fairly
low
level,
and
if
we
wanted
to
extend
that
to
these
higher
level,
you
know
application
specific
and
I
keep
using
the
word
application.
But
it's
you
know
not
the
user
application.
B
These
are
just
things
on
top
of
radius.
If
we
wanted
to
extend
it
to
that
this,
you
know
we
would
need
a
comprehensive
design.
You
know
just
logging,
for
example,
creation
and
deletion.
Events
for
IBD
images
that
that
should
be
fine
from
the
perspective
of
you
know
not
overloading
the
log
and
not
overloading
the
cluster,
because
you
know
there's
a
natural
limit
on
the
number
of
RBD
images
you
can
create
just
because
at
some
point
and
you're
going
to
run
out
of
well.
B
At
least,
if
those
images
are
used,
if
they're
all
empty,
then
you
could
potentially
create
millions
and
millions
of
them.
But
if
those
images
are
real,
then
there
is
natural
limits
so
and
there's
no
there's
no
fundamental
reason
to
not
log
that
to
the
audit
log.
But
you
know
that's,
that's
that's
not
as
kind
of
not
a
short-term
fix.
This
would
need
some
design
work
and
to
have
a
comprehensive
kind
of
story
across
the
entire
project.