We perform an analysis of the OpenStack infrastructure from which we are able to derive a complete strategy for defence-in-depth. We will present a concise system description which explicitly enumerates the assumptions and vulnerabilities present in real systems, and allows us to put each potential defensive measure into context within the architecture of OpenStack.
Our analysis models the way an attacker works within the system, finding chains of weaknesses which lead to a desired goal. Once we can understand and exhibit the consequences of the compromise of any individual component, we may then concentrate our hardening efforts without cognitive bias or naive assumption.
The analysis is interesting because it goes some way towards explaining the "Honeymoon Period" for discovery of system vulnerability (Blaze, Clark et al.), and it can increase the time between successful exploits by acknowledging that an attack is a constructive proof of vulnerability which must be broken in as many places as possible.