At the OpenStack Summit this week, security professionals within the open source community discussed the current state of how security is handled in the cloud platform project. While OpenStack does have a security model in place, there is still room for improvement.
OpenStack is a multi-stakeholder effort with broad participation from some of the biggest IT vendors in the world including IBM, Dell, HP, Intel, Cisco and AT&T, as well as Linux vendors Red Hat, SUSE and Canonical.
The OpenStack Security Group (OSSG) is the group within the project tasked with security. Alongside it sits a Vulnerability Management Team (VMT), which receives vulnerability reports and coordinates getting them fixed.
Thus far discussions about OpenStack security have occurred only on closed mailing lists. OSSG member Bryan Payne told the audience that, to date, there is no public list of all the flaws that have already been fixed in OpenStack.
He pointed to one concrete weakness in the client of the Swift object storage component that makes a man-in-the-middle (MitM) attack easy to carry out.
“The Swift client is not even checking the server CA certificate,” Payne said. “So basically it will connect and see there is an SSL connection, and then it will just proceed without any additional check.”
He added, “Right now you’re encrypting too — who knows? It’s perhaps better than not encrypting at all, but it’s not ideal.”
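The failure mode Payne describes is a TLS client that negotiates encryption but never validates who it is encrypting to. The following Go program is an added illustration written for this article, not the Swift client's code (which is Python) and not anything from the OpenStack project: it mints two throwaway self-signed certificates for a hypothetical proxy name, one for the real proxy and one for an attacker, runs a TLS server on loopback, and connects to it twice, once with verification disabled (the behaviour quoted above) and once with the client pinned to the operator's CA and the expected host name.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Hypothetical name of the operator's Swift proxy (an assumption for the demo).
const swiftHost = "swift.example.internal"

// newSelfSigned mints a throwaway self-signed certificate for host. The real
// proxy gets one, and so does the attacker: a man-in-the-middle can always
// present *a* certificate, just not one the client's trust store accepts.
func newSelfSigned(host string) (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, leaf, nil
}

// handshake serves serverCert on a loopback listener and connects with
// clientCfg. The error is the client's verdict: nil means it accepted
// whoever was on the other end, MitM or not.
func handshake(serverCert tls.Certificate, clientCfg *tls.Config) error {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err
	}
	defer ln.Close()
	srvCfg := &tls.Config{Certificates: []tls.Certificate{serverCert}}
	go func() {
		conn, err := ln.Accept()
		if err != nil {
			return
		}
		defer conn.Close()
		_ = tls.Server(conn, srvCfg).Handshake() // server's view is irrelevant here
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), clientCfg)
	if err != nil {
		return err
	}
	return conn.Close()
}

// Outcome records how each client configuration treated the proxy and the MitM.
type Outcome struct {
	InsecureAcceptsAttacker bool  // "sees there is an SSL connection and proceeds"
	VerifiedRejectsAttacker bool  // verification on: unknown CA is refused
	VerifiedAcceptsProxy    bool  // verification on: the real proxy still works
	AttackerErr             error // what the verifying client reported
}

func Run() (Outcome, error) {
	proxyCert, proxyLeaf, err := newSelfSigned(swiftHost)
	if err != nil {
		return Outcome{}, err
	}
	attackerCert, _, err := newSelfSigned(swiftHost) // same name, untrusted key
	if err != nil {
		return Outcome{}, err
	}
	// The weakness described in the article: TLS is set up, no certificate check.
	insecure := &tls.Config{InsecureSkipVerify: true}
	// The fix: trust only the operator's CA (here the proxy's own self-signed
	// cert) and verify the certificate against the expected host name.
	roots := x509.NewCertPool()
	roots.AddCert(proxyLeaf)
	verified := &tls.Config{RootCAs: roots, ServerName: swiftHost}

	var out Outcome
	out.InsecureAcceptsAttacker = handshake(attackerCert, insecure) == nil
	out.AttackerErr = handshake(attackerCert, verified)
	out.VerifiedRejectsAttacker = out.AttackerErr != nil
	out.VerifiedAcceptsProxy = handshake(proxyCert, verified) == nil
	return out, nil
}

func main() {
	out, err := Run()
	if err != nil {
		panic(err)
	}
	fmt.Printf("no verification, MitM accepted:  %v\n", out.InsecureAcceptsAttacker)
	fmt.Printf("verification on, MitM rejected:  %v (%v)\n", out.VerifiedRejectsAttacker, out.AttackerErr)
	fmt.Printf("verification on, proxy accepted: %v\n", out.VerifiedAcceptsProxy)
}
```

The point to take from the two configurations is that the encryption is identical in both; only the verifying client can tell the proxy from the attacker, because only it checks the chain against a trusted root and the name against the host it meant to reach. Disabling that check (here `InsecureSkipVerify`) is exactly the "connect, see an SSL connection, proceed" behaviour quoted above.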