Piston Computing Secures OpenStack

by Sean Kerner

A new take on OpenStack debuts with automated deployment and security baked in.

There seems to be no shortage of interest among companies, both old and new, in delivering OpenStack-based cloud platforms. OpenStack is an open source cloud platform originally started by NASA and Rackspace. The latest core release, codenamed Diablo, came out last week and offers improved management and networking features.

Joshua McKenty, a former NASA cloud architect, is now running his own startup, Piston Cloud, and this week he announced a new OpenStack-based distribution called Piston Enterprise OS (pentOS). The pentOS approach aims to combine ease of deployment with security.

"This is turn-key OpenStack," McKenty told InternetNews.com. "We don't even require you to install anything on any individual server."

McKenty explained that Piston packages pentOS as a single USB stick. The stick is first plugged into a desktop or notebook computer, where the user edits a configuration file. It is then plugged into a top-of-rack switch, and the switch installs and configures OpenStack on every piece of hardware it detects.

The easy pentOS installation depends on a number of open standards that are already widely deployed. One of them is IPMI (Intelligent Platform Management Interface), which lets Piston detect hardware before it is powered on: the baseboard management controller that speaks IPMI runs on standby power, so it answers even while the host itself is off.

"We developed a protocol that we call Cloud Post," McKenty said. "We use this to map the IPMI ports to the corresponding 10 gigabit Ethernet converged networking ports."

Piston is also aiming to flatten the networking layers with an approach McKenty calls null-tier networking. The idea is to take the complexity out of the networking hardware layer and automate it in software.

"Let's deploy a single class of hardware and then use software to manage which services run where," McKenty said. "You get better availability and utilization and you take complexity out of management and administration."

Piston's simple USB key deployment also means fewer people are needed to install and set up an OpenStack cloud. McKenty noted that reducing the number of people who need permissions for the pentOS deployment also reduces the attack surface exposed to insiders.

Piston also relies on its own hardened Linux distribution to enforce security. McKenty noted that OpenStack deployments using the KVM hypervisor typically run on Ubuntu Linux.

"So you go through the Ubuntu Linux installation process and you have a half dozen things at least that were part of the installation process that you don't really need," McKenty said. "There are packages that represent potential security vulnerabilities."

For that reason Piston has rolled its own hardened Linux distribution that includes only the bits required to run pentOS OpenStack.

"We can really lock this thing down in ways that you can't get away with on a stock operating system," McKenty said. "We have no assumption that anything needs to run on the physical hardware other than OpenStack."
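The hardening argument above is that every package an image carries beyond what the workload needs is potential attack surface. One way a practitioner checks that claim on a running node is to diff the package manager's inventory against an explicit allowlist and flag anything extra. The script below is an added example, not Piston's code and not part of the original article; the allowlist and the `dpkg-query` output it parses are constructed for illustration, and the package names and versions in them are placeholders rather than a description of pentOS.

```python
"""Audit a host's installed packages against a minimal-image allowlist.

Added example (not Piston's code). Input is the tab-separated form produced by
    dpkg-query -W -f='${Package}\t${Version}\t${Status}\n'
The allowlist and the sample output below are constructed for illustration.
"""
import subprocess
from typing import Dict, List, Set

# Constructed allowlist: what a KVM compute node is permitted to carry.
# In practice this is generated from the image build, not typed by hand.
ALLOWED_PACKAGES: Set[str] = {
    "linux-image-generic", "qemu-kvm", "libvirt-bin", "nova-compute",
    "openssh-server", "python2.7", "bridge-utils", "openssl",
}

# Constructed dpkg-query output. Versions are placeholders. The last entry is
# a package that was removed but still has config files left behind.
SAMPLE_DPKG_QUERY = (
    "linux-image-generic\t1.0-1\tinstall ok installed\n"
    "qemu-kvm\t1.0-1\tinstall ok installed\n"
    "libvirt-bin\t1.0-1\tinstall ok installed\n"
    "nova-compute\t1.0-1\tinstall ok installed\n"
    "openssh-server\t1.0-1\tinstall ok installed\n"
    "python2.7\t1.0-1\tinstall ok installed\n"
    "bridge-utils\t1.0-1\tinstall ok installed\n"
    "openssl\t1.0-1\tinstall ok installed\n"
    "cups\t1.0-1\tinstall ok installed\n"
    "avahi-daemon\t1.0-1\tinstall ok installed\n"
    "telnetd\t1.0-1\tinstall ok installed\n"
    "popularity-contest\t1.0-1\tdeinstall ok config-files\n"
)


def parse_dpkg_query(text: str) -> Dict[str, str]:
    """Return {package: version} for entries whose status word is 'installed'.

    Entries in any other state (config-files only, half-installed, ...) are
    skipped: they are not fully present and would otherwise be reported as
    extras the package manager cannot cleanly purge.
    """
    installed: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 3:
            raise ValueError(f"unexpected dpkg-query line: {line!r}")
        name, version, status = fields
        if status.split()[-1] == "installed":
            installed[name] = version
    return installed


def find_extra_packages(installed: Dict[str, str], allowed: Set[str]) -> List[str]:
    """Packages present on the host that the allowlist does not permit."""
    return sorted(set(installed) - allowed)


def find_missing_packages(installed: Dict[str, str], allowed: Set[str]) -> List[str]:
    """Allowlisted packages that are absent (drift in the other direction)."""
    return sorted(allowed - set(installed))


def purge_command(extras: List[str]) -> str:
    """Build the apt-get invocation that removes the extras; '' if none."""
    if not extras:
        return ""
    return "apt-get purge -y " + " ".join(extras)


def audit(dpkg_output: str, allowed: Set[str]) -> Dict[str, List[str]]:
    """Run both checks over one dpkg-query dump."""
    installed = parse_dpkg_query(dpkg_output)
    return {
        "extra": find_extra_packages(installed, allowed),
        "missing": find_missing_packages(installed, allowed),
    }


def read_live_dpkg_query() -> str:
    """Fetch the real inventory on a Debian/Ubuntu host (not used offline)."""
    cmd = ["dpkg-query", "-W", "-f=${Package}\\t${Version}\\t${Status}\\n"]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    result = audit(SAMPLE_DPKG_QUERY, ALLOWED_PACKAGES)
    print("extra packages  :", result["extra"])
    print("missing packages:", result["missing"])
    print("remediation     :", purge_command(result["extra"]) or "(nothing to purge)")
```

On a live host, swap `SAMPLE_DPKG_QUERY` for `read_live_dpkg_query()` and treat a non-empty `extra` list as a build failure rather than something to fix by hand; the point of a minimal image is that the allowlist, not an operator, decides what runs on the hypervisor host.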

Going a step further, pentOS implements the CloudAudit standard in an effort to provide a compliance baseline for the cloud.

"The point of the CloudAudit standard is to allow enterprises and external auditors to assert, assure and audit IT environments to match traditional regulatory compliance requirements," McKenty said.

Sean Michael Kerner is a senior editor at InternetNews.com, the news service of Internet.com, the network for technology professionals.


This article was originally published on Friday Sep 30th 2011