Install: claude install-skill Tibsfox/gsd-skill-creator
# OpenStack Security Operations
Security posture management for OpenStack requires defense-in-depth: no single control prevents all threats, so multiple overlapping layers protect the cloud. The defense layers are **network segmentation** (isolate management, tenant, and external traffic from one another), **TLS everywhere** (encrypt all API communication), **RBAC least-privilege** (users and services get only the permissions they need), and **audit logging** (record every authentication and authorization decision).
Security is not a one-time deployment task. Certificates expire. Vulnerabilities are disclosed. Passwords must rotate. Security groups drift. The GUARD agent consumes this skill for continuous security posture assessment, evaluating whether the cloud's security controls remain effective against evolving threats.
In NASA SE terms, security spans multiple phases: **Phase B** (security design and architecture), **Phase C** (certificate generation and TLS deployment), **Phase D** (security audit verification), and **Phase E** (ongoing security operations). SP-6105 § 6.4 (Technical Risk Management) provides the framework for identifying, assessing, and mitigating security risks throughout the cloud lifecycle.
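A continuous posture check can start with configuration drift in the Kolla-Ansible TLS settings that this page sets in `globals.yml`. The following is an added example, not code from this skill or from Kolla-Ansible: the function names, the accepted truthy spellings, and the rule that a missing key counts as a finding are assumptions of the example, and the sample inputs are constructed.

```python
import re

# Keys from the globals.yml block on this page; each must be enabled.
REQUIRED_TRUE = (
    "kolla_enable_tls_internal",
    "kolla_enable_tls_external",
    "kolla_copy_ca_into_containers",
)
TRUTHY = {"yes", "true", "on", "1"}  # spellings this example accepts as enabled
_LINE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)\s*:\s*(.*)$")

def parse_flat_yaml(text):
    """Read top-level 'key: value' scalars; a later duplicate overrides an earlier one."""
    settings = {}
    for raw in text.splitlines():
        m = _LINE.match(raw)  # commented-out and indented lines do not match
        if m:
            value = re.sub(r"(^|\s+)#.*$", "", m.group(2)).strip()  # trailing comment
            settings[m.group(1)] = value.strip("\"'")
    return settings

def audit_tls(text):
    """Return (key, problem) findings; an empty list means all three settings are on."""
    settings = parse_flat_yaml(text)
    findings = []
    for key in REQUIRED_TRUE:
        if key not in settings:
            findings.append((key, "missing"))  # assumption: must be set explicitly
        elif settings[key].lower() not in TRUTHY:
            findings.append((key, "set to %r" % settings[key]))
    return findings

# Constructed sample inputs (not taken from a real deployment).
HARDENED = '''
kolla_enable_tls_internal: "yes"
kolla_enable_tls_external: "yes"
kolla_copy_ca_into_containers: "yes"
'''
DRIFTED = '''
# kolla_enable_tls_internal: "yes"
kolla_enable_tls_external: "yes"
kolla_copy_ca_into_containers: "yes"   # still set
kolla_enable_tls_external: "no"
'''

if __name__ == "__main__":
    for name, sample in (("hardened", HARDENED), ("drifted", DRIFTED)):
        print(name, audit_tls(sample) or "compliant")
```

The drifted sample shows two ways a setting is lost without being deleted: a commented-out line, and a later duplicate key that overrides an earlier "yes".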
## Deploy
### Security-First Deployment
**Kolla-Ansible TLS configuration (globals.yml):**
```yaml
# Enable TLS on all interfaces
kolla_enable_tls_internal: "yes"
kolla_enable_tls_external: "yes"
kolla_copy_ca_into_containers: "yes"
# Certificate paths
kolla_external_