EpochZero Learn
EpochZero LearnMulti-Domain Tech Learning Hub
Courses
LeaderboardAbout
Dashboard
EpochZero
EpochZero Learn
Multi-Domain Tech Learning Hub

Structured learning for Reverse Engineering, Cloud Security, Cryptography, and Web Development. Articles, videos, tests, and peer discussion.

Learn

  • Learning Path
  • All Articles
  • Video Lessons
  • Podcast
  • eBooks & PDFs
  • Question Banks
  • Cheatsheets
  • MCQ Banks

Tests & Forum

  • All Tests
  • REMA Tests
  • Cloud Tests
  • Forum
  • REMA Forum
  • Cloud Forum
  • Crypto Forum
  • Web Dev Forum

Campus

  • REMA Club
  • Full Stack Dev Club
  • Extension Activity
  • Events
  • CTF Competitions
  • Workshops
  • Industrial Visits

Platform

  • Dashboard
  • Leaderboard
  • About
  • Verify Certificate

© 2026 EpochZero Learn. Educational content for learning purposes.

Course Instructor: Ashish Revar

All articles
cloud-securityOpenStackMeghRajKeystone

OpenStack Private Cloud Security Architecture

OpenStack is the open-source cloud platform underlying NIC MeghRaj (India's National Cloud) and many large enterprise private clouds. Understanding its component security model is essential for government and large-enterprise cloud security practitioners in India.

Ashish Revar3 July 202618 min read1 views

Sign in to mark this article as read and track your progress.

Related to this topic

Continue learning

Reference material

eBook
Cloud Security — eBook
v2026
Open resource
Cheatsheet
Cloud Security — Cheatsheet
v2026
Open resource
MCQ Bank
Cloud Security — MCQ Bank
v2026
Open resource
Question Bank
Cloud Security — Question Bank
v2026
Open resource

External references

OpenStack Security Guide

Official OpenStack project security guide covering all components and hardening recommendations.

CIS OpenStack Benchmark

CIS Benchmark for OpenStack with Level 1 and Level 2 hardening controls.

NIC MeghRaj — National Cloud Portal

NIC MeghRaj portal for government agencies using India's National Cloud platform.

OpenStack Keystone Security Documentation

Keystone security compliance features including Fernet tokens, MFA, and LDAP hardening.

More articlesTest your knowledge

Why OpenStack Security Matters for Indian Practitioners

NIC MeghRaj — the National Cloud of India — is built on OpenStack, operated by the National Informatics Centre (NIC) for Indian government agencies. Many large Indian banks, telecom providers, and state governments operate private OpenStack deployments. Understanding OpenStack's security model is therefore not merely theoretical for Indian cloud security professionals.

OpenStack Architecture: The Core Components

OpenStack is a collection of coordinated services:

ComponentService NameFunction
IdentityKeystoneAuthentication and authorisation (SSO for all other components)
ComputeNovaVM lifecycle management (equivalent to EC2)
ImageGlanceVM image storage and retrieval
NetworkingNeutronVirtual networking (equivalent to VPC)
Object StorageSwiftDistributed object storage (equivalent to S3)
Block StorageCinderPersistent block volumes (equivalent to EBS)
DashboardHorizonWeb UI
OrchestrationHeatInfrastructure-as-Code (equivalent to CloudFormation)
TelemetryCeilometer / GnocchiMetrics and billing

Each service communicates with others over a message bus (RabbitMQ) and an API layer. The security model requires securing both the API surface and the internal bus.

Keystone: Identity and Access Control

Keystone is the central identity service. All OpenStack API calls are authenticated by Keystone and include a scoped token. Tokens have a configurable TTL (default 1 hour).

Security considerations for Keystone:

IssueRiskMitigation
Default admin password not changedImmediate compromiseChange before first deployment; use secrets management
Token store on single nodeSingle point of failure + attack targetUse Fernet tokens (encrypted, distributed; no central store)
LDAP backend with cleartext bindCredential exposureUse STARTTLS or LDAPS; never cleartext LDAP
Token validation latencyReplay windowEnable token revocation list
v2 Identity API (deprecated)Lacks domain scoping; weaker RBACEnforce Identity API v3 only

Fernet Tokens are the recommended token provider. Unlike UUID tokens (which required a central database lookup for every validation), Fernet tokens are symmetric-encrypted and self-contained — any API service can validate them locally using the shared key material.

Nova Security: Compute Isolation

Nova manages VMs using a hypervisor (typically QEMU/KVM on OpenStack). Tenant isolation relies on:

Isolation MechanismWhat It Provides
Separate QEMU processesEach VM runs in its own process; OS-level isolation
KVM hardware virtualisationIntel VT-x/AMD-V prevents guest-to-host escapes
cgroups + Linux namespacesResource isolation per VM (CPU, memory, network)
Security Groups (via Neutron)Network-level isolation between tenants
Trusted Execution EnvironmentsAvailable on specific hardware for encrypted VM memory

High-risk Nova misconfigurations:

  • nova.conf: allow_resize_to_same_host = True can allow a VM to migrate to a host where it can probe shared memory
  • Insufficient QEMU version (CVE catalogue regularly updated; run monthly yum update qemu-kvm)
  • Public API endpoint without TLS (default in test installations)
  • Nova API accessible from VM network (metadata endpoint — use IMDSv2 equivalent in Nova)

Neutron Security: Virtual Networking

Neutron provides software-defined networking. Key security features:

FeatureConfiguration
Security GroupsStateful firewall rules per port (similar to AWS Security Groups)
Network isolationEach tenant gets isolated virtual network; no cross-tenant traffic without explicit routing
VXLAN / GRE tunnelsTenant traffic encapsulated; separated even on shared physical switches
Port SecurityPrevents MAC/IP spoofing from VMs (anti-spoofing rules)
Firewall-as-a-Service (FWaaS)Stateful firewall at router level

Critical Neutron security setting:

# neutron.conf
[DEFAULT]
# Allow security groups to be modified
allow_bulk_requests = true

# Enforce port security (prevents IP/MAC spoofing)
[securitygroup]
enable_security_group = true
firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver

Port security must be explicitly enabled. In test environments, it is sometimes disabled and accidentally carried into production.

OpenStack Hardening Guide

The CIS OpenStack Benchmark and the OpenStack Security Guide (maintained by the OpenStack Security Project) provide detailed hardening guidance. Key items:

AreaControl
API endpointsTLS 1.2+ for all internal and external API communication
Message busRabbitMQ with TLS and credential authentication (not guest/guest)
DatabaseMariaDB/PostgreSQL with encrypted storage and audit logging
LoggingCentralised logging (ELK stack or OpenSearch) for all component logs
Image verificationSign images with Glance (using Barbican for key storage)
NetworkSeparate management, data, and API networks on different VLANs
SecretsUse Barbican (OpenStack Key Manager) — never store credentials in config files
PackagesMonthly security patch cycle; subscribe to OpenStack security advisories

MeghRaj: India's National Cloud

NIC MeghRaj is the approved cloud platform for Indian government workloads classified as "Meity Cloud Category C" (the highest-sensitivity tier). Agencies using MeghRaj benefit from:

  • Physical infrastructure located within India (data sovereignty by design)
  • Network connectivity over NKN (National Knowledge Network) or NIC network (not public internet)
  • Compliance with Government of India IT security policies
  • Common security services (Identity, Monitoring, WAF) provided by NIC

For agencies operating workloads on MeghRaj, the security controls described in this article are implemented at the platform level by NIC — tenant security responsibilities are narrower than on public cloud but still include application security, data protection, and IAM configuration within the tenant boundary.