OpenStack is the open-source cloud platform underlying NIC MeghRaj (India's National Cloud) and many large enterprise private clouds. Understanding its component security model is essential for government and large-enterprise cloud security practitioners in India.
Sign in to mark this article as read and track your progress.
NIC MeghRaj — the National Cloud of India — is built on OpenStack, operated by the National Informatics Centre (NIC) for Indian government agencies. Many large Indian banks, telecom providers, and state governments operate private OpenStack deployments. Understanding OpenStack's security model is therefore not merely theoretical for Indian cloud security professionals.
OpenStack is a collection of coordinated services:
| Component | Service Name | Function |
|---|---|---|
| Identity | Keystone | Authentication and authorisation (SSO for all other components) |
| Compute | Nova | VM lifecycle management (equivalent to EC2) |
| Image | Glance | VM image storage and retrieval |
| Networking | Neutron | Virtual networking (equivalent to VPC) |
| Object Storage | Swift | Distributed object storage (equivalent to S3) |
| Block Storage | Cinder | Persistent block volumes (equivalent to EBS) |
| Dashboard | Horizon | Web UI |
| Orchestration | Heat | Infrastructure-as-Code (equivalent to CloudFormation) |
| Telemetry | Ceilometer / Gnocchi | Metrics and billing |
Each service communicates with others over a message bus (RabbitMQ) and an API layer. The security model requires securing both the API surface and the internal bus.
Keystone is the central identity service. All OpenStack API calls are authenticated by Keystone and include a scoped token. Tokens have a configurable TTL (default 1 hour).
Security considerations for Keystone:
| Issue | Risk | Mitigation |
|---|---|---|
| Default admin password not changed | Immediate compromise | Change before first deployment; use secrets management |
| Token store on single node | Single point of failure + attack target | Use Fernet tokens (encrypted, distributed; no central store) |
| LDAP backend with cleartext bind | Credential exposure | Use STARTTLS or LDAPS; never cleartext LDAP |
| Token validation latency | Replay window | Enable token revocation list |
| v2 Identity API (deprecated) | Lacks domain scoping; weaker RBAC | Enforce Identity API v3 only |
Fernet Tokens are the recommended token provider. Unlike UUID tokens (which required a central database lookup for every validation), Fernet tokens are symmetric-encrypted and self-contained — any API service can validate them locally using the shared key material.
Nova manages VMs using a hypervisor (typically QEMU/KVM on OpenStack). Tenant isolation relies on:
| Isolation Mechanism | What It Provides |
|---|---|
| Separate QEMU processes | Each VM runs in its own process; OS-level isolation |
| KVM hardware virtualisation | Intel VT-x/AMD-V prevents guest-to-host escapes |
| cgroups + Linux namespaces | Resource isolation per VM (CPU, memory, network) |
| Security Groups (via Neutron) | Network-level isolation between tenants |
| Trusted Execution Environments | Available on specific hardware for encrypted VM memory |
High-risk Nova misconfigurations:
nova.conf: allow_resize_to_same_host = True can allow a VM to migrate to a host where it can probe shared memoryyum update qemu-kvm)Neutron provides software-defined networking. Key security features:
| Feature | Configuration |
|---|---|
| Security Groups | Stateful firewall rules per port (similar to AWS Security Groups) |
| Network isolation | Each tenant gets isolated virtual network; no cross-tenant traffic without explicit routing |
| VXLAN / GRE tunnels | Tenant traffic encapsulated; separated even on shared physical switches |
| Port Security | Prevents MAC/IP spoofing from VMs (anti-spoofing rules) |
| Firewall-as-a-Service (FWaaS) | Stateful firewall at router level |
Critical Neutron security setting:
# neutron.conf
[DEFAULT]
# Allow security groups to be modified
allow_bulk_requests = true
# Enforce port security (prevents IP/MAC spoofing)
[securitygroup]
enable_security_group = true
firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
Port security must be explicitly enabled. In test environments, it is sometimes disabled and accidentally carried into production.
The CIS OpenStack Benchmark and the OpenStack Security Guide (maintained by the OpenStack Security Project) provide detailed hardening guidance. Key items:
| Area | Control |
|---|---|
| API endpoints | TLS 1.2+ for all internal and external API communication |
| Message bus | RabbitMQ with TLS and credential authentication (not guest/guest) |
| Database | MariaDB/PostgreSQL with encrypted storage and audit logging |
| Logging | Centralised logging (ELK stack or OpenSearch) for all component logs |
| Image verification | Sign images with Glance (using Barbican for key storage) |
| Network | Separate management, data, and API networks on different VLANs |
| Secrets | Use Barbican (OpenStack Key Manager) — never store credentials in config files |
| Packages | Monthly security patch cycle; subscribe to OpenStack security advisories |
NIC MeghRaj is the approved cloud platform for Indian government workloads classified as "Meity Cloud Category C" (the highest-sensitivity tier). Agencies using MeghRaj benefit from:
For agencies operating workloads on MeghRaj, the security controls described in this article are implemented at the platform level by NIC — tenant security responsibilities are narrower than on public cloud but still include application security, data protection, and IAM configuration within the tenant boundary.