Questions & Answers: Security in bwCloud
What does "security" mean in the bwCloud?[faq_security_1]
With the term "security" we refer in the bwCloud to the security and protection of the entire operating environment. The bwCloud infrastructure is a shared environment, i.e. different users share the same hardware. For this reason, the bwCloud operating group must ensure that all users have access to the resources and that there are as far as possible, no interference from individuals.
security, bwCloud, operating environment
Are individual instances secured by the bwCloud operating group?[faq_security_2]
No, the bwCloud operations group focuses its security measures exclusively on ensuring the operation of the bwCloud infrastructure and all related components as a whole. Single or individual instances are not secured ("managed") by the bwCloud operating group.
The respective users of the virtual machines are fully responsible for the secure operation of their VMs. From the point at which a new VM is started, it is the sole responsibility of the user to ensure safe operation of the virtual machine. Therefore we recommend to perform a system update immediately after starting a new virtual machine. To do this, log in to the virtual machine via SSH and run the appropriate command to update the operating system.
individual security measures, start VM, system update, responsability,
What is a "security incident"?[faq_security_3]
The bwCloud operations group receives regular alerts from various sources if individual virtual machines within the bwCloud behave in an abnormal manner. In some cases, these notifications point to security-critical incidents or situations, for example, when third parties have broken into a running instance. In these cases we refer to them as "security incidents".
Since the bwCloud operations group must ensure the proper operation of the entire bwCloud infrastructure, such security incidents are investigated immediately after they become known using a standardized process. To do this, the owner of the virtual machine is first determined. They are informed immediately of the reported incident. At the same time, the affected virtual machine(s) are stopped in order to terminate possible faults. Together with the owner of the affected machine(s), the further steps towards a solution are then worked out and carried out.
security incident, security critical, security critical, stop instance
What do I do if I fear I've been hacked?[faq_security_4]
If your own VMs are behaving "strangely", it may be that they have been hacked. In this case, please follow these steps:
- Log in to the OpenStack Dashboard (Quicklink: https://portal.bw-cloud.org)
- Change your OpenStack service password (Quicklink: https://bw-cloud.org/q/3rFV)
- Stop the affected instances do not delete!
- Submit a ticket (Quicklink: http://bw-cloud.org/q/t) Important information: Which
instances are possibly affected? How can the "strange" behaviour describe? Which measures have already been implemented? We will contact you immediately and clarify the situation.
behaviour, suspicion, hacker, attack
Does the bwCloud operations group check the running instances, for example through so-called "penetration tests"?[faq_security_5]
No, the running instances are not checked for open ports or other characteristics. However, the entire bwCloud operating environment is monitored - for example, in the area of network monitoring the current up- and downstream streams are monitored. If the network traffic here changes abruptly, significantly and atypically above normal levels, this is checked at the node and OpenStack monitoring level.
However, we do not look inside the virtual machines!
automatic, tests, penetration tests, network monitoring
What about the security (= integrity) of my data in the bwCloud?[faq_security_6]
Both the runtime environment (root disk) of a virtual machine and the attached storage are stored in our CEPH storage systems. This is organized in such a way that each piece of information is stored on three different hard disks (redundancy level 3). This means that the data is pretty good against hardware failure protected. Furthermore, the virtual machine data (both root disk and attachd storage) is not backed up anymore! So please make sure that you have an appropriate backup of the data.
In general, the bwCloud is operated as a "best-effort resource". This means: To be able to offer an appropriate amount of read-only memory for the performance, no high redundancy is built in. In certain and very rare scenarios (software errors of the CEPH storage system, several disks fail), no recovery is possible, which is why we recommend to store all valuable data on corresponding external storage systems (like all relevant configurations required to recover the machine are needed, ....).
redundancy, CEPH, attached storage, root disk, hardware failure
My service should only be available for my clients![faq_security_7]
Secure your services in the bwCloud against access by others using security groups. Password protection alone is not sufficient. Redirecting services to non-standard ports hardly increases protection.
Share the port of your instance only with the necessary IP addresses. This manual describes how to use security groups.
Operating unsecured services or services with vulnerabilities is not permitted even under correct access restriction with security groups.
network, port, access, security