OpenStack Security Guide glossary

Change-Id: I3c60cb33dc0d27b7cd4ce794c592fb2e182028ad

doc/src/docbkx/openstack-security/bk_openstack-sec-guide.xml

@@ -101,4 +101,5 @@
     <xi:include href="ch064_certifications-compliance-statements.xml"/>
     <xi:include href="ch065_privacy.xml"/>
     <xi:include href="ch066_case-studies-compliance.xml"/>
+  <glossary role="auto"/>
 </book>

doc/src/docbkx/openstack-security/ch004_book-introduction.xml

@@ -1,7 +1,13 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <chapter xmlns:xi="http://www.w3.org/2001/XInclude" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns="http://docbook.org/ns/docbook" xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="ch004_book-introduction"><?dbhtml stop-chunking?>
     <title>Introduction to OpenStack</title>
-    <para>This guide provides security insight into OpenStack deployments. The intended audience includes cloud architects, deployers, and administrators.  In addition, cloud users will find the guide both educational and helpful in provider selection, while auditors will find it useful as a reference document to support their compliance certification efforts. This guide is also recommended for anyone interested in cloud security.</para>
+    <para>This guide provides security insight into OpenStack
+    deployments. The intended audience is cloud architects, deployers,
+    and administrators.  In addition, cloud users will find the guide
+    both educational and helpful in provider selection, while auditors
+    will find it useful as a reference document to support their
+    compliance certification efforts. This guide is also recommended
+    for anyone interested in cloud security.</para>
     <para>Each OpenStack deployment embraces a wide variety of technologies, spanning Linux distributions, database systems, messaging queues, OpenStack components themselves, access control policies, logging services, security monitoring tools, and much more. It should come as no surprise that the security issues involved are equally diverse, and their in-depth analysis would require several guides. We strive to find a balance, providing enough context to understand OpenStack security issues and their handling, and provide external references for further information. The guide could be read from start to finish or sampled as necessary like a reference.</para>
     <para>We briefly introduce the kinds of clouds: private, public, and hybrid before presenting an overview of the OpenStack components and their related security concerns in the remainder of the chapter.</para>
     <section xml:id="ch004_book-introduction-idp117824">
@@ -9,11 +15,33 @@
       <para>OpenStack is a key enabler in adoption of cloud technology and has several common deployment use cases. These are commonly known as Public, Private, and Hybrid models. The following sections use the National Institute of Standards and Technology (NIST) <link xlink:href="http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf">definition of cloud</link> to introduce these different types of cloud as they apply to OpenStack.</para>
       <section xml:id="ch004_book-introduction-idp119328">
         <title>Public Cloud</title>
-        <para>According to NIST, a public cloud is one in which the infrastructure is open to the general public for consumption. OpenStack public clouds are typically run by a service provider and can be consumed by individuals, corporations, or any paying customer. A public cloud provider may expose a full set of features such as software defined networking, block storage, in addition to multiple instance types. Due to the nature of public clouds, they will be exposed to a higher degree of risk. As a consumer of a public cloud you should validate that your selected provider has the necessary certifications, attestations, and other regulatory considerations. As a public cloud provider, depending on your target customers, you may be subject to one or more regulations. Additionally, even if not required to meet regulatory requirements, a provider should ensure tenant isolation as well as protecting management infrastructure from external attacks.</para>
+        <para>According to NIST, a public cloud is one in which the
+        infrastructure is open to the general public for consumption.
+        OpenStack public clouds are typically run by a service
+        provider and can be consumed by individuals, corporations, or
+        any paying customer. A public cloud provider may expose a full
+        set of features such as software defined networking, block
+        storage, in addition to multiple instance types. Due to the
+        nature of public clouds, they are exposed to a higher degree
+        of risk. As a consumer of a public cloud you should validate
+        that your selected provider has the necessary certifications,
+        attestations, and other regulatory considerations. As a public
+        cloud provider, depending on your target customers, you may be
+        subject to one or more regulations. Additionally, even if not
+        required to meet regulatory requirements, a provider should
+        ensure tenant isolation as well as protecting management
+        infrastructure from external attacks.</para>
       </section>
       <section xml:id="ch004_book-introduction-idp121488">
         <title>Private Cloud</title>
-        <para>At the opposite end of the spectrum is the private cloud. As NIST defines it, a private cloud is provisioned for exclusive use by a single organization comprising multiple consumers (e.g. business units). It may be owned, managed, and operated by the organization, a third-party, or some combination of them, and it may exist on or off premises. Private cloud use cases are diverse, as such, their individual security concerns will vary.</para>
+        <para>At the opposite end of the spectrum is the private
+        cloud. As NIST defines it, a private cloud is provisioned for
+        exclusive use by a single organization comprising multiple
+        consumers (e.g. business units). It may be owned, managed, and
+        operated by the organization, a third-party, or some
+        combination of them, and it may exist on or off premises.
+        Private cloud use cases are diverse, as such, their individual
+        security concerns vary.</para>
       </section>
       <section xml:id="ch004_book-introduction-idp123456">
         <title>Community cloud</title>
@@ -22,7 +50,11 @@
       <section xml:id="ch004_book-introduction-idp125312">
         <title>Hybrid Cloud</title>
         <para>A hybrid cloud is defined by NIST as a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds).  For example an online retailer may have their advertising and catalogue presented on a public cloud that allows for elastic provisioning. This would enable them to handle seasonal loads in a flexible, cost-effective fashion. Once a customer begins to process their order, they are transferred to the more secure private cloud backend that is PCI compliant.</para>
-        <para>For the purposes of this document, we treat Community and Hybrid similarly, dealing explicitly only with the extremes of Public and Private clouds from a security perspective. Your security measures will depend where your deployment falls upon the private public continuum.</para>
+        <para>For the purposes of this document, we treat Community
+        and Hybrid similarly, dealing explicitly only with the
+        extremes of Public and Private clouds from a security
+        perspective. Your security measures depend where your
+        deployment falls upon the private public continuum.</para>
       </section>
     </section>
     <section xml:id="ch004_book-introduction-idp128528">
@@ -39,9 +71,13 @@
         <title>OpenStack Compute</title>
         <para>OpenStack compute (Nova) provides services to support the management of virtual machine instances at scale, instances that host multi-tiered applications, dev/test environments, "Big Data" crunching Hadoop clusters, and/or high performance computing.</para>
         <para>Nova facilitates this management through an abstraction layer that interfaces with supported hypervisors, which we address later on in more detail.</para>
-        <para>Later in the guide, we will focus generically on the virtualization stack as it relates to hypervisors.</para>
-	<para>For information about the current state of feature support, see <link xlink:href="https://wiki.openstack.org/wiki/HypervisorSupportMatrix">OpenStack's Hypervisor Support Matrix</link>.</para>
-        <para>The security of Nova is critical for an OpenStack deployment. Hardening techniques should include support for strong instance isolation, secure communication between Nova sub-components, and resiliency of public facing API endpoints.</para>
+        <para>Later in the guide, we focus generically on the
+        virtualization stack as it relates to hypervisors.</para>
+	<para>For information about the current state of feature support, see
+          <link
+          xlink:href="https://wiki.openstack.org/wiki/HypervisorSupportMatrix"
+          >OpenStack Hypervisor Support Matrix</link>.</para>
+        <para>The security of Nova is critical for an OpenStack deployment. Hardening techniques should include support for strong instance isolation, secure communication between Nova sub-components, and resiliency of public-facing <glossterm>API</glossterm> endpoints.</para>
       </section>
       <section xml:id="ch004_book-introduction-idp138800">
         <title>OpenStack Object Storage</title>
@@ -51,12 +87,16 @@
       </section>
       <section xml:id="ch004_book-introduction-idp141536">
         <title>OpenStack Block Storage</title>
-        <para>OpenStack block storage service (Cinder), provides persistent block storage for compute instances. Cinder is responsible for managing the life-cycle of block devices, from the creation and attachment of volumes to instances, to their release.</para>
+        <para>The OpenStack Block Storage service (Cinder) provides
+        persistent block storage for compute instances. Cinder is
+        responsible for managing the life-cycle of block devices, from
+        the creation and attachment of volumes to instances, to their
+        release.</para>
         <para>Security considerations for block storage are similar to that of object storage.</para>
       </section>
       <section xml:id="ch004_book-introduction-idp143424">
         <title>OpenStack Networking</title>
-        <para>The OpenStack networking service (Neutron, previously called Quantum), provides various networking services to cloud users (tenants) such as IP address management, DNS, DHCP, load balancing, and security groups (network access rules, like firewall policies). It provides a framework for software defined networking (SDN) that allows for pluggable integration with various networking solutions.</para>
+        <para>The OpenStack networking service (Neutron, previously called Quantum), provides various networking services to cloud users (tenants) such as IP address management, <glossterm>DNS</glossterm>, <glossterm>DHCP</glossterm>, load balancing, and security groups (network access rules, like firewall policies). It provides a framework for software defined networking (SDN) that allows for pluggable integration with various networking solutions.</para>
         <para>OpenStack Networking allows cloud tenants to manage their guest network configurations. Security concerns with the networking service include network traffic isolation, availability, integrity and confidentiality.</para>
       </section>
       <section xml:id="ch004_book-introduction-idp145600">
@@ -75,7 +115,7 @@
       </section>
       <section xml:id="ch004_book-introduction-idp152400">
         <title>Other Supporting Technology</title>
-        <para>OpenStack relies on messaging for internal communication between several of its services. By default, OpenStack uses message queues based on the Advanced Message Queue Protocol (AMQP).  Similar to most OpenStack services, it supports pluggable components. Today the implementation backend could be either RabbitMQ, Qpid, or ZeroMQ.</para>
+        <para>OpenStack relies on messaging for internal communication between several of its services. By default, OpenStack uses message queues based on the Advanced Message Queue Protocol (<glossterm>AMQP</glossterm>).  Similar to most OpenStack services, it supports pluggable components. Today the implementation backend could be <glossterm>RabbitMQ</glossterm>, <glossterm>Qpid</glossterm>, or <glossterm>ZeroMQ</glossterm>.</para>
         <para>As most management commands flow through the message queueing system, it is a primary security concern for any OpenStack deployment.  Message queueing security is discussed in detail later in this guide.</para>
         <para>Several of the components use databases though it is not explicitly called out. Securing the access to the databases and their contents is yet another security concern, and consequently discussed in more detail later in this guide.</para>
       </section>

doc/src/docbkx/openstack-security/ch008_system-roles-types.xml

@@ -18,7 +18,7 @@
       <para>Documentation should provide a general description of the OpenStack environment and cover all systems used (production, development, test, etc.). Documenting system components, networks, services, and software often provides the bird's-eye view needed to thoroughly cover and consider security concerns, attack vectors and possible security domain bridging points.  A system inventory may need to capture ephemeral resources such as virtual machines or virtual disk volumes that would otherwise be persistent resources in a traditional IT system.</para>
       <section xml:id="ch008_system-roles-types-idp50832">
         <title>Hardware Inventory</title>
-        <para>Clouds without stringent compliance requirements for written documentation may at least benefit from having a Configuration Management Database (CMDB). CMDB's are normally used for hardware asset tracking and overall life-cycle management. By leveraging a CMDB, an organization can quickly identify cloud infrastructure hardware (e.g. compute nodes, storage nodes, and network devices) that exists on the network but may not be adequately protected and/or forgotten. OpenStack provisioning system may provide some CMDB-like functions especially if auto-discovery features of hardware attributes are available.</para>
+        <para>Clouds without stringent compliance requirements for written documentation may at least benefit from having a Configuration Management Database (<glossterm>CMDB</glossterm>). CMDB's are normally used for hardware asset tracking and overall life-cycle management. By leveraging a CMDB, an organization can quickly identify cloud infrastructure hardware (e.g. compute nodes, storage nodes, and network devices) that exists on the network but may not be adequately protected and/or forgotten. OpenStack provisioning system may provide some CMDB-like functions especially if auto-discovery features of hardware attributes are available.</para>
       </section>
       <section xml:id="ch008_system-roles-types-idp53536">
         <title>Software Inventory</title>

doc/src/docbkx/openstack-security/ch012_configuration-management.xml

@@ -101,7 +101,7 @@
       <para>A production quality cloud should always use tools to automate configuration and deployment. This eliminates human error, and allows the cloud to scale much more rapidly. Automation also helps with continuous integration and testing.</para>
       <para>When building an OpenStack cloud it is strongly recommended to approach your design and implementation with a configuration management tool or framework in mind. Configuration management allows you to avoid the many pitfalls inherent in building, managing, and maintaining an infrastructure as complex as OpenStack. By producing the manifests, cookbooks, or templates required for a configuration management utility, you are able to satisfy a number of documentation and regulatory reporting requirements. Further, configuration management can also function as part of your BCP and DR plans wherein you can rebuild a node or service back to a known state in a DR event or given a compromise.</para>
       <para>Additionally, when combined with a version control system such as Git or SVN, you can track changes to your environment over time and remediate unauthorized changes that may occur. For example, a nova.conf or other configuration file falls out of compliance with your standard, your configuration management tool will be able to revert or replace the file and bring your configuration back into a known state. Finally a configuration management tool can also be used to deploy updates; simplifying the security patch process. These tools have a broad range of capabilities that are useful in this space. The key point for securing your cloud is to choose a tool for configuration management and use it.</para>
-      <para>There are many configuration management solutions; at the time of this writing there are two in the marketplace that are robust in their support of OpenStack environments: Chef and Puppet. A non-exhaustive listing of tools in this space is provided below:</para>
+      <para>There are many configuration management solutions; at the time of this writing there are two in the marketplace that are robust in their support of OpenStack environments: <glossterm>Chef</glossterm> and <glossterm>Puppet</glossterm>. A non-exhaustive listing of tools in this space is provided below:</para>
       <itemizedlist><listitem>
           <para>Chef</para>
         </listitem>

doc/src/docbkx/openstack-security/ch014_best-practices-for-operator-mode-access.xml

@@ -34,7 +34,7 @@
             <para>The dashboard provides GUI support for routers and load-balancers. For example, Horizon now implements all of the main Neutron features.</para>
           </listitem>
 <listitem>
-            <para>It is an extensible Django web application that allows easy plug-in of third-party products and services, such as billing, monitoring, and additional management tools.</para>
+            <para>It is an extensible <glossterm>Django</glossterm> web application that allows easy plug-in of third-party products and services, such as billing, monitoring, and additional management tools.</para>
           </listitem>
 <listitem>
             <para>The dashboard can also be branded for service providers and other commercial vendors.</para>
@@ -137,7 +137,7 @@
             <para>Ensure that the network interfaces are on their own private(management or a separate) network. Segregate management domains with firewalls or other network gear.</para>
           </listitem>
 <listitem>
-            <para>If you use a web interface to interact with the BMC/IPMI, always use the SSL interface (e.g. https or port 443). This SSL interface should <emphasis role="bold">NOT</emphasis> use self-signed certificates, as is often default, but should have trusted certificates using the correctly defined fully qualified domain names (FQDNs).</para>
+            <para>If you use a web interface to interact with the <glossterm>BMC</glossterm>/IPMI, always use the SSL interface (e.g. https or port 443). This SSL interface should <emphasis role="bold">NOT</emphasis> use self-signed certificates, as is often default, but should have trusted certificates using the correctly defined fully qualified domain names (FQDNs).</para>
           </listitem>
 <listitem>
             <para>Monitor the traffic on the management network. The anomalies may be easier to track than on the busier compute nodes</para>

doc/src/docbkx/openstack-security/ch017_threat-models-confidence-and-confidentiality.xml

@@ -5,10 +5,10 @@
     <para>While it is commonly accepted that data over public networks should be secured using cryptographic measures, such as Secure Sockets Layer or Transport Layer Security (SSL/TLS) protocols, it is insufficient to rely on security domain separation to protect internal traffic. Using a security-in-depth approach, we recommend securing all domains with SSL/TLS, including the management domain services. It is important that should a tenant escape their VM isolation and gain access to the hypervisor or host resources, compromise an API endpoint, or any other service, they must not be able to easily inject or capture messages, commands, or otherwise affect or control management capabilities of the cloud. SSL/TLS provides the mechanisms to ensure authentication, non-repudiation, confidentiality, and integrity of user communications to the OpenStack services and between the OpenStack services themselves.</para>
     <para>Public Key Infrastructure (PKI) is the set of hardware, software, and policies to operate a secure system which provides authentication, non-repudiation, confidentiality, and integrity. The core components of PKI are:</para>
     <itemizedlist><listitem>
-        <para>End Entity - user, process, or system which is the subject of a certificate</para>
+        <para>End Entity - user, process, or system that is the subject of a certificate</para>
       </listitem>
 <listitem>
-        <para>Certification Authority (CA) - defines certificate policies, management, and issuance of certificates</para>
+        <para>Certification Authority (<glossterm>CA</glossterm>) - defines certificate policies, management, and issuance of certificates</para>
       </listitem>
 <listitem>
         <para>Registration Authority (RA) - an optional system to which a CA delegates certain management functions</para>

doc/src/docbkx/openstack-security/ch035_case-studies-networking.xml

@@ -8,7 +8,7 @@
     </section>
     <section xml:id="ch035_case-studies-networking-idp40064">
       <title>Bob's Public Cloud</title>
-      <para>A major business driver for Bob is to provide an advanced networking services to his customers. Bob's customers would like to deploy multi-tiered application stacks. This multi-tiered application are either existing enterprise application or newly deployed applications. Since Bob's Public cloud is a multi-tenancy enterprise service, the choice to use for L2 isolation in this environment is to use Overlay networking. Another aspect of Bob's cloud is the self-service aspect where the customer can provision available networking services as needed. These networking services encompass L2 networks, L3 Routing, Network ACL and NAT. It is important that per-tenant quota's be implemented in this environment.</para>
+      <para>A major business driver for Bob is to provide an advanced networking services to his customers. Bob's customers would like to deploy multi-tiered application stacks. This multi-tiered application are either existing enterprise application or newly deployed applications. Since Bob's Public cloud is a multi-tenancy enterprise service, the choice to use for L2 isolation in this environment is to use Overlay networking. Another aspect of Bob's cloud is the self-service aspect where the customer can provision available networking services as needed. These networking services encompass L2 networks, L3 Routing, Network <glossterm>ACL</glossterm> and NAT. It is important that per-tenant quota's be implemented in this environment.</para>
       <para>An added benefit with utilizing OpenStack Networking is when new advanced networking services become available, these new features can be easily provided to the end customers.</para>
     </section>
   </chapter>

doc/src/docbkx/openstack-security/pom.xml

@@ -26,6 +26,13 @@
                         </goals>
                         <phase>generate-sources</phase>
                         <configuration>
+			  <preProcess>
+			    <mkdir dir="${project.build.directory}/mvn/com.rackspace.cloud.api/glossary"/>
+			    <copy todir="${project.build.directory}/mvn/com.rackspace.cloud.api/glossary">
+			      <fileset dir="../common/glossary"/>
+			    </copy>
+			    <move file="${project.build.directory}/mvn/com.rackspace.cloud.api/glossary/glossary-terms.xml" tofile="${project.build.directory}/mvn/com.rackspace.cloud.api/glossary/glossary.xml"/>
+			  </preProcess>
                             <includes>bk_openstack-sec-guide.xml</includes>
 			    <sourceDirectory>.</sourceDirectory>
 			    <canonicalUrlBase>http://docs.openstack.org/${release.path.name}/openstack-security/content/</canonicalUrlBase>