[Main Conference] [clear filter]
Wednesday, October 28

2:00pm JST

Data Lake on OpenStack - Petabyte Scale!
Got lots of data that you want to make use of? Not so easy to set up an environment to do so and maintain it, eh? Symantec’s data lake is a large scale example of marrying OpenStack platform technologies with big data enabling technologies such as Hadoop, Hive, Storm, Kafka, Spark, etc. This talk will cover what Symantec has done to allow our various teams to easily leverage our many petabytes of security data to increase the protection of our customers against threats such as APTs, identity thieves, and malicious web sites.

Symantec leverages our OpenStack cloud to create multiple analytics clusters, ranging in size from multi-PB to just a few VMs. We use various OpenStack services through a CloudBreak plug-in. Some other technologies we use in setting up and operating these clusters include Ambari, Puppet, a home-grown synthetic transaction system, Zabbix, and Dasher.

avatar for David T. Lin

David T. Lin

Senior Director, Cloud Platform Engineering, Symantec
Cloud Security

Wednesday October 28, 2015 2:00pm - 2:40pm JST

3:40pm JST

Securing the Fortress With Barbican at Symantec
TLS Keys, Disk Encryption Keys, and Service Passwords, are examples of sensitive data that needs to be kept away from prying eyes, yet still needs to be readily available for automated processes. Storing passwords and secrets in config files in your version control system potentially exposes that data to actors who shouldn’t have it. Barbican provides a secure repository to store such data and the controls to ensure only authorized users can get to that data.

As part of Symantec’s enterprise cloud initiative, we are deploying Barbican to handle not only our own OpenStack Key Management needs, but also as a Key Management as a Service option for our product groups. Our journey with Barbican has been fraught with challenges and in this talk, we will share our experience and lessons learned along the way.

Some of the topics to be covered:

  • Our uses cases for Barbican

  • How we’ve deployed Barbican

  • Operationalizing Barbican

  • Our practices and lessons learned

avatar for Jason Fritcher

Jason Fritcher

Principal Infrastructure Engineer, Symantec
Jason Fritcher is an Infrastructure Engineer in Symantec's Cloud Platform Engineering group who works on using Barbican to bring improved security to their OpenStack cloud. He has nearly 20 years of experience working in operations, development and security roles, building and running... Read More →

Wednesday October 28, 2015 3:40pm - 4:20pm JST

4:40pm JST

Secure Your OpenStack Infrastructure
Balancing needs of security and scale for an elastic cloud is tricky if not downright impossible. How do you roll out agile, self service Platform as a Service (PaaS) application clouds while in parallel ensuring protection for OpenStack API end points from DDoS attacks, separation of tenant and provider networks, perimeter endpoint security plus satisfy compliance requirements such as encryption in-flight and at rest?

This session will cover security at scale without dependence on existing technologies and tools like 5 tuple and IPTables. Come learn:

  • How you can achieve regulatory compliance on per tenant basis

  • How separation of tenant and provider networks can be done and simultaneously satisfy both parties security requirements

  • How to leverage the use of next generation firewalls for intrusion detection and host quarantine

  • How to protect OpenStack API endpoints - for example Nova and Swift - from DDoS attacks that overrun the database

avatar for Rick Kundiger

Rick Kundiger

Rick Kundiger is a former U.S. Government data center architect with 15 years of experience. While there Rick designed and deployed various IT systems throughout the world and travelled throughout Asia, Europe, Africa and the Middle East. Rick began working with OpenStack and Software... Read More →
avatar for Pere Monclus

Pere Monclus

Before co-founding PLUMgrid, Pere was a Distinguished Engineer at Cisco Systems in the Research and Advanced Development team, where he led innovation in the areas of cloud, security and converged infrastructure. Prior to that, he was responsible for the architecture and technology... Read More →

Wednesday October 28, 2015 4:40pm - 5:20pm JST

5:30pm JST

OpenStack Federation: Past, Present, and Future (Panel)
Allowing implementors to “trust but verify” OpenStack clouds makes federation work.  This is done through SAML & Keystone's federation support for multiple OpenStack clouds. But what about audit data? How can you verify that the events emitted from a cloud service provider are true? And what about keys & secrets? How can you verify that the keys you have in your private cloud are being used by a cloud service provider correctly & securely?

This session looks at what federation use cases have been delivered in previous releases, what is currently being worked on, and the use cases left to help ease the experience of cross-cloud operations.   We provide a brief overview of the standard based CADF  federation audit format that has been adopted by the OpenStack community.  We then discuss enhancements that are being added across OpenStack projects beyond Keystone to support federation and audit capabilities.  Finally we discuss future enhancements that are needed to maximize the consumability of OpenStack federated cloud support.

avatar for Steve Martinelli

Steve Martinelli

Senior Software Developer, IBM, IBM Canada Ltd.
Steve Martinelli is an OpenStack Active Technical Contributor and a Keystone Core Contributor. He primarily focuses on enabling Keystone, which is OpenStack's Identity Manager, to better integrate into enterprise environments. Steve was responsible for adding Federated Identity and... Read More →
avatar for Douglas Mendizábal

Douglas Mendizábal

PTL Barbican, Rackspace
Douglas is a Racker, and the current PTL for the Key Management (Barbican) project.  Before being involved in OpenStack, Douglas was a software development consultant specializing in secure development of mobile and web applications.  Douglas also helps organize the Alamo City Python... Read More →
avatar for Joe Savak

Joe Savak

Senior Product Manager, Rackspace
Joe Savak is a Senior Product Manager over Integration Services at Rackspace. In his current role, he oversees products designed to connect all-the-things and deliver optimal and secure user-experiences for customers. 
avatar for Brad Topol

Brad Topol

Distinguished Engineer, IBM
Dr. Brad Topol is an IBM Distinguished Engineer leading efforts focused on Open Technologies and Developer Advocacy. In his current role, Brad leads a development team focused on contributing to and improving Kubernetes and several other cloud native open source projects. Brad is... Read More →

Wednesday October 28, 2015 5:30pm - 6:10pm JST
Thursday, October 29

9:00am JST

Make Keystone The Center Of Universe - How eBay Uses it in Multi-security Zones
We will share the experience how we use global keystone here at eBay, those are addressed by real questions:

The instances running in production environment have different security level than the ones running in development environment. Projects locates in high secured zones requires 2FA(Two Factor Authentication) to authenticate while others use password credential. We also introduced a more secured authentication method for service access - API Key, which restricts not only what project it would be grant access to but also where the key can be used. The dynamic project based policy makes that happen and easy to use/configure. We will take a deep look at it as well.

We also isolate the controlling services from the production services into the secured control plane. We enhanced the Keystone to a fully armed IAM(Identity & Access Management) and integrate all the control plane services with it.

We will also share the experience on how to reduce the PKIZ token size as for global keystone, the token size would increase per region basis.

  • eBay multi-environment security model

  • Fill the gap between keystone and a generic IAM

  • The answer to more secured service access - API Key

  • Dynamic Project Based Policy for API Key authentication & management

  • eBay global keystone journey

  • Make the token smaller!

avatar for Subbu Allamaraju

Subbu Allamaraju

Vice President, Expedia Inc.
Subbu is the Chief Engineer of cloud at eBay Inc. His team builds and operates a multi-tenant geographically distributed OpenStack based private cloud. This cloud now serves 100% of PayPal web and mid tier workloads, significant parts of eBay front end and services, and thousands... Read More →
avatar for Xiaogang Xin

Xiaogang Xin

Cloud Engineering Manager 云工程师经理, eBay
Xiaogang Xin is the manager of eBay Cloud team. He has worked in infrastructure cloud area for many years, with deep understanding of Kubernetes and its enterprise-level transformation. He is currently responsible for large scale Kubernetes cluster DevOps at eBay which host complex... Read More →

Thursday October 29, 2015 9:00am - 9:40am JST

9:50am JST

Enhancing OpenStack FWaaS to Address Real World Business Needs
Firewall as a Service in OpenStack requires several improvements for real-world deployment. In this talk we will share ideas that improve Performance of firewalls and enhance OpenStack FWaaS by supporting capabilities like Scheduling and Logging.

This session will include a Demo of the work in progress.


The current version of FWaaS configures IPTable rules in a sub-optimal way. The proposed solution aims at segregating the rules dynamically and pushing only the relevant rules on to the IPTables.

One of the  value added feature of firewalls, used by most network admins, is the ability to schedule policies with a specific periodicity and time interval. The proposed solution aims at enhacing the FWaaS Horizon UI and Neutron plugin to enable Tenants to schedule firewall policies.

The current proposal aims at enhancing the FWaaS and enable logging on the firewall policies. The logs generated can be redirected to a Syslog server and can be analyzed by tools like Splunk.


Chandan Dutta Chowdhury

Tech Lead - Juniper Networks

Sarath Chandra Mekala

Tech Lead - Juniper Networks
avatar for Sriram Subramanian

Sriram Subramanian

Director - Software Engineering, Juniper Networks, Juniper Networks
Director - Software Engineering, Juniper Networks Author - OpenStack Networking Cookbook

Thursday October 29, 2015 9:50am - 10:30am JST

11:00am JST

Sentinel: A Platform for Fine-grained Application Security on OpenStack
In this talk, we present Sentinel, the platform providing fine-grained security to applications running on OpenStack. Sentinel is currently being used at web-scale within eBay to secure applications across multiple OpenStack clusters.

Sentinel provides a robust policy-declaration model to represent applications and inter-application dependencies, a highly-scalable policy engine to translate the policies into enforcement rules, a policy agent that applies the rules on endpoints automatically, and monitoring & auditing capabilities. The highly-scalable design of the policy engine enables rapid deployment of rules on hundreds of thousands of VMs deployed on multiple OpenStack clusters.

The talk will be organized as follows:

  • Overview of the cloud architecture at eBay

  • Architecture of Sentinel

  • Policy declaration model

  • Policy enforcement methodology, optimizations 

  • Integration with OpenStack

  • Automatic service-dependency discovery

  • Monitoring, auditing and real-time visualization

  • Comparison with OpenStack congress and OpenStack Firewall-as-a-Service (FWaaS) 

  • Challenges

About eBay Inc.: eBay Inc. enables commerce by delivering flexible and scalable solutions that foster merchant growth. eBay Inc. properties include eBay Market Places, eBay Enterprise and StubHub. eBay Marketplaces delivers one of the world's largest online Marketplaces to customers. With more than 149 million active users globally, eBay is one of the world's largest online Marketplaces with more than 700 million items listed on its site.

Thursday October 29, 2015 11:00am - 11:40am JST

11:50am JST

Real World DevOps Experience and Demo Delivering a Trusted and Secure OpenStack Cloud
Trusted Platform Module / Trusted Execution Technology (TPM/TXT) provides advanced hardware based security, root of trust, geo tag location, and helps deliver compliance reporting. However, integrating TPM/TXT into OpenStack is not for the feint at heart and requires changes to your cloud DevOps.

This session will review our experience, tips and tricks, and provide a live demo on how to accomplish this and reap the benefits of secure cloud. The demo will cover the geo location feature and hardware based trust feature that ensures your workloads are operating within boundary controls and on integrity measured trusted hosts. 

This session is for IT Operations, Sys-Admins, Architects and anyone interested in learning about the IT industry’s advanced hardware security root of trust delivered in OpenStackpolicy better for the future.  This talk is strictly about what is available today, utilities to make operator’s job better and what you can do about it.


Raghu Yeluri

Sr. Principal Engineer, Intel
Raghu Yeluri is a Sr. Principal Engineer and lead Security Architect in the Data Center Group at Intel Corporation with focus on confidential compute in cloud native, containerized deployments leveraging hardware-based security. In this role, he drives security solution architecture... Read More →

Thursday October 29, 2015 11:50am - 12:30pm JST

1:50pm JST

Unraveling Docker Security: Lessons From a Production Cloud
Whether you are integrating Docker containers into an existing cloud, or building out a multi-tenant cloud implementation using Docker, it can be a significant challenge to ensure proper security is in place. In this session, we will unravel various threads of security topics that all come together to provide properly configured security and isolation for Docker containers. Many of our findings are based on our experience in building and securing the IBM Container service based on Docker technology on top of an OpenStack IaaS. Topics include:
  • Usage and threat model
  • Implications of sharing the kernel with the host
  • How user namespaces provide isolation from the root user on host
  • Docker engine configuration for security and limitations for preventing forkbomb, filebomb, DOS
  • Security features and issues for Docker registry
  • Docker API and lack of multi-tenancy capabilities

avatar for Salman Baset

Salman Baset

Research Staff Member
Salman Baset is working as a Research Staff Member at IBM T. J. Watson Research Center. He received a PhD in Computer Science from Columbia University. His recent work at IBM has been focused on Docker security and designing, building, and securing IBM Containers. Presently, he also... Read More →

Stefan Berger

Senior Technical Staff Member, IBM Corporation
Stefan Berger works at IBM Research. His focus is on cloud security, virtualization security, trusted computing and more recently on security for containers. He is actively involved in several open source projects related to Linux virtualization, Linux containers, as well as the Linux... Read More →
avatar for Phil Estes

Phil Estes

Principal Engineer, AWS
Phil is a Principal Engineer for Amazon Web Services (AWS), focused on core container technologies that power AWS container offerings like Fargate, EKS, and ECS.Phil is currently an active contributor and maintainer for the CNCF containerd runtime project, and participates in the... Read More →

Thursday October 29, 2015 1:50pm - 2:30pm JST

2:40pm JST

Finally FDE - OpenStack Full Disk Encryption and Missing Pieces
Lets encrypt all the things!

Well, lets not, that's silly - but there's a lot of smart things we can encrypt, some of them require shiny hardware but quite a lot can be done through the clever application of existing software.

In this talk Robert proposes a two tiered encryption model to be applied to an OpenStack deployment.

Foundational - Full Disk Encryption. Encrypting everything on disk is non-trivial when managing large datacentres full of gear. In fact the complexity of this task normally makes it prohibative unless using hardware based solutions. At HP we have developed a new way to approach this problem. It makes Linux Full Disk Encryption pretty painless, scales beautifully and finally does away with retroactive "Log in and type the key" type systems that are just plain horrible. We will peak beneath the covers of this solution and share the code with the community so that we can all deploy full disk encryption at scale in a reliable and safe way.

OpenStack Native - Cinder, Nova and Swift all have native encryption capabilities in the pipeline. During this section of the talk we review their progress and discuss when they can be integrated into running prouction clouds to create a multi-layered encrypted cloud.

Combining these technologies protects everything on disk from accidental loss or compromise while also cryptographically separating tenant data on disk - both have been strong asks for OpenStack for a long time.

In addition, we will introduce Project Marshal.

Project Marshal is an open source implementation of an agent that provides the missing piece of the puzzle for volume encryption.  Using the Barbican client API, it allows running virtual machines to access secrets stored in Barbican to use encrypted volumes with tenant managed keys.

We'll cover: 
- What is project “Marshal”?
- What are its features, claims, and roadmap?
- Where can I get the code?
- How can I help set priorities and contribute to Marshal?

avatar for Robert Clark

Robert Clark

Lead Security Architect, HP
Robert is a HP Distinguished Technologist, the lead security architect for HP Helion OpenStack and the current PTL of the OpenStack Security team. His career has its roots in threat modelling, vulnerability analysis and virtualization security. He is passionate about security and... Read More →
avatar for Dave McCowan

Dave McCowan

Technical Leader, OpenStack@Cisco, Cisco Systems
Dave McCowan leads security initiaves of the OpenStack team at Cisco.  He is an OpenStack contributor to the Barbican project.
avatar for Arvind Tiwari

Arvind Tiwari

Technical Leader, Engineering, Cisco
Arvind Tiwari is a Technical Leader in the CTO Group of Cisco Intercloud Services.  In his current role, Arvind is responsible for helping Cisco Intercloud teams on Identity, Security, Access Management, and Federation efforts.  He is also involved in multiple initiatives to make... Read More →

Thursday October 29, 2015 2:40pm - 3:20pm JST

3:30pm JST

OpenStack Neutron FWaaS Roadmap
The FWaaS project has been present since the Havana release. There was some serious discussion on what its trajectory should be and the feature priorities at Vancouver. As a community, we have been gathering inputs from operators and users to see what they would like to see happen and prioritizing to present the next steps and direction. We are also looking at the intersect with Security Groups. We will present the usecases, models, plan and welcome feedback.


Susanne Balle

Cloud Architect, Intel
Susanne is a Senior Principal Engineer at Intel in the SDI/Cloud Architecture and Pathfinding group. She has been involved in OpenStack in various projects since the Essex OpenStack summit. Her current interests are Networking and Networking Advanced Services such as LBaaS, Octavia... Read More →
avatar for German Eichberger

German Eichberger

Principal Cloud Software Engineer, HP
German Eichberger is a Principal Software Engineer with HP and Co-PTL of OpenStack Octavia. He earned a Master in Computer Science from University of Karlsruhe. His interests are Cloud, SDN, and Microservices.

Vishwanath Jayaraman

Software engineer, Self employed

Sridar Kandaswamy

Technical Leader, Cisco Systems, Cisco Systems
Sridar Kandaswamy is a Technical Leader in the Openstack team at Cisco Systems Inc. In his past life, he used to work on Switching & L4 - L7 services (the physical kind). He has primarily been working with FWaaS in OpenStack from its inception in Havana.  

Sameer Satyam

Product Manager, Cloud Networks, Rackspace

Thursday October 29, 2015 3:30pm - 4:10pm JST

4:30pm JST

Inserting Advanced Network Security in OpenStack Clouds
OpenStack based private cloud environments deliver a variety of benefits to users with respect to flexibility, automation, and cost. The volume of traffic especially intra-vm (east/west) traffic, generated within the OpenStack clouds is enormous, continues to increase, and is not inspected or secured by current perimeter focused security appliances and solutions. Visibility into this network traffic and the ability to apply security controls including deep packet inspection where needed within the private cloud is of high importance to organizations considering next generation cloud architectures including OpenStack. As high profile security breaches continue to make headlines and elevate data center security to a board level concern for organizations implementing proper network security within OpenStack will become vital to the continued success of the OpenStack project.

Companies including both small scale startups and larger established security players have begun to tackle this challenge introducing concepts and products related to the micro-segmentation of networks that rely heavily on network virtualization platforms in some proprietary infrastructure contexts. In the OpenStack world, Neutron security groups and ACL controls provide a form of some of the micro-segmentation functionality available on other virtualization infrastructure platforms. Through its openness, OpenStack and its APIs have paved the way for the integration of third party software defined networking (SDN) controllers such as Midokura MidoNet that provide more complete micro-segmentation capabilities and enable the dynamic insertion distributed virtual advanced network security services such as network IPS, or next generation firewall.

This presentation will introduce the motivation for, challenges, and concepts involved in securing OpenStack private cloud network environments. We will start with a description of the problem space, namely east/west or intra-vm traffic within the data center. We will then discuss how to think about developing solution to this problem including high-level requirements. This will touch on topics including virtual security function orchestration, service insertion, and policy mapping. Finally, we will discuss a partnership and technology integration between Intel Security and Midokura that brings advanced network security service insertion to OpenStack environments. 

Time permitting a demonstration may be provided showing the joint solution deploying an open source SNORT appliance (IPS) and seamlessly inserting it into a MidoNet controlled network to protect workload VMs from being attacked by neighboring VMs on the same network.

avatar for Pino de Candia

Pino de Candia

CTO, Chief Architect, Midokura
As CTO, Pino is responsible for Midokura’s technical innovation and evolution of its flagship technology MidoNet.Pino de Candia joined Midokura as a Software Engineer in 2010. He built the early versions of MidoNet, led the Network Controller team as engineering lead and the Architecture... Read More →
avatar for Jacob Sendowski

Jacob Sendowski

Product Manager, Intel Security Group
Jacob Sendowski is a Product Manager in the Intel Security group focusing on security solutions for the Software Defined Data Center and private clouds. At Intel, he has held positions as a researcher within Intel Labs and an associate at Intel Capital. Jacob holds a Ph.D. in Electrical... Read More →

Thursday October 29, 2015 4:30pm - 5:10pm JST

5:20pm JST

Protecting Hybrid Cloud Environments From Being Breached
Every week we are hearing about more organizations being breached. Whether it is healthcare organizations like Anthem, financial institutions like JP Morgan Chase, content providers like Sony Pictures Entertainment, or government institutions like the US Office of Personnel and Management, it seems like no one is invulnerable. Adjacent to this frustrating trend, is a total upheaval of the enterprise technology stack in the datacenter. Now the datacenter evolved to a private cloud and enterprises are interested in offloading, for cost efficiency purposes, some of those workloads to the public cloud. Hence the emergence of the hybrid cloud.

The hybrid cloud presents unique security challenges that haven't existed before. With workloads moving between public and private clouds, across OpenStack environments and potentially in containers, how is an enterprise IT team supposed to protect their data and their company, from being breached? Is it even possible?

FlawCheck believes data protection is not an insurmountable problem. But as technology changes and threads change, protection strategies and solutions also need to change. In this presentation, we’ll cover the risks associated with hybrid cloud environments, with a particular emphasis on malware, vulnerabilities, remediation management of hybrid cloud environments, and breach avoidance.

avatar for Anthony Bettini

Anthony Bettini

Founder & CEO
Anthony Bettini is the Founder & CEO of FlawCheck, the leader in container security. Anthony was most recently the founding CEO of Appthority, the leader in mobile app security, SINET 16 award winner, and winner of the "Most Innovative Company of the Year" award at RSA Conference... Read More →
avatar for Sasan Padidar

Sasan Padidar

CTO, Flawcheck
Sasan Padidar is the founder & CTO of FlawCheck, the leading container security company. His academic and professional experience has been focused on security and scalability. Most recently, Sasan served as the Chief Architect at Appthority where he was responsible for leading the... Read More →

Thursday October 29, 2015 5:20pm - 6:00pm JST

Filter sessions
Apply filters to sessions.