Extending Datacenter-grade security to the Cloud
 
Final presentation from Solaris 11 Technical Forum events conducted in New York, Boston, Chicago and other North American cities.


    Presentation Transcript

    • Oracle Solaris 11: Extending Data Center Grade Security to the Cloud. Glenn Brunette, Chief Technology Officer, ESG. Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
    • The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.
    • Traditional OS Security Techniques
      • Software Minimization
      • Installing Up-to-Date Security Patches
      • System and Service Configuration Hardening
      • Strong Authentication and Access Control
      • Securing Data At Rest, In Transit, and In Use
      • Exploit Prevention and Detection
      • Host-based Packet Filtering
      • Activity Monitoring and Auditing
    • Cloud Security Differences (diagram): Self-Service Interaction; Hyper-Connectivity and Hyper-Scale; Increasing Velocity of Change
    • Successful Strategies for Cloud Security
      • Start with “Good Ingredients”
      • Build and Test “Once”, Deploy Everywhere
      • Prohibit Change Where Possible
      • Compartmentalize Services and Access
      • Efficiently Detect and Respond to Threats
      • Holistically Leverage Encryption
    • Simplified Provisioning: Solaris 11 Automated Installation (diagram)
    • Streamlined Patch Management: Solaris 11 Image Packaging System
      Example timeline for a new security maintenance patch, with a 6-7pm patch window:
        6:00       pkg update issued
        6:00-6:02  Dependency checks, patch/update planning
        6:02-6:04  New boot environment created, updates downloaded and applied
        6:04-6:06  Reboot; up and running again
      • 4X faster upgrades typical
      • Create ZFS boot environment to safely apply updates
      • Full dependency check of packages, crypto verified, auditable
      • Reboot updated ZFS boot environment
    • Reduced Attack Surface: Solaris 11 Network Secure by Default
      • Expose only required services to the network
        – Reduce the operating system network footprint
        – Most services are disabled; a few are set to “local only”
      • Integrated with Service Management Facility
        – Common administrative model for all service operations
        – Fully customizable based upon unique site requirements
      • Foundation for Additional Protections and Configuration
    • Strong Service Isolation: Solaris 11 Zones
      • Solaris 11 Zones
        – Restricted operating environment for enhanced security
        – Per-zone hardening, RBAC, privileges, resource controls, etc.
        – Per-zone system resources, networking, data sets, etc.
      • New in Solaris 11
        – Zone Integrity Policies (Flexible, Strict, Fixed, None)
        – Delegated Administration (Console, Install, Boot, Shutdown)
        – Virtual Networking (NICs, Switches, etc.)
    • Separation of Duty: Solaris 11 Role-based Access Control
      • Role-based Access Control
        – Compose collections of administrative rights for users and roles
        – Roles can only be assumed by authorized users
        – Accountability is preserved: the original UID is always tracked
      • New in Solaris 11
        – By default, the root account is now a role
        – Role authentication can use either the user's or the role's password
        – CLI for managing users, roles, rights and groups
    • Separation of Duty: Solaris 11 Fine-grained Process Privileges
      • Fine-Grained Process Privileges
        – Sandbox users and applications to limit potential for damage
        – Decomposes administrative capabilities into discrete privileges
        – Eliminates the need for many services to start as 'root'
        – Always enabled and enforced by the Solaris kernel
      • New in Solaris 11
        – New privileges: file_read, file_write, and net_access
        – Support for “forced privileges” for set-uid root programs
        – Stop profile to limit specific commands and authorizations
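    The two slides above (RBAC roles and fine-grained privileges) are both expressed on a Solaris system through the user_attr(4) database. The following added example, which is not part of the presentation or of any Oracle tool, audits such a database: it confirms that root is a role, lists which users are authorized to assume each role, and expands each user's defaultpriv entry to show what was removed from or added to the basic set. It assumes the user_attr record layout user:qualifier:res1:res2:attr with key=value pairs separated by ';' and a backslash escaping a literal ':' (as in audit_flags=lo\:no), and the Solaris 11 basic privilege set as documented in privileges(5); the sample records are constructed, not taken from a real host.

```python
"""Audit a Solaris-style user_attr(4) database for role and privilege
assignments.  Added example, not from the presentation; the sample
records are constructed.  Assumes the record layout
user:qualifier:res1:res2:attr, key=value pairs in attr separated by
';', and a backslash escaping a literal ':' or ';' inside a value."""
import re

# Solaris 11 "basic" privilege set (privileges(5)); used to expand the
# keyword "basic" in defaultpriv/limitpriv values.
BASIC_PRIVS = frozenset({
    "file_link_any", "file_read", "file_write", "net_access",
    "proc_exec", "proc_fork", "proc_info", "proc_session",
})

# Constructed sample of a user_attr file (not copied from any real host).
SAMPLE_USER_ATTR = r"""
# user:qualifier:res1:res2:attr
root::::type=role;auths=solaris.*;profiles=All;audit_flags=lo\:no;lock_after_retries=no
glenn::::type=normal;roles=root;profiles=System Administrator
ops::::type=normal;roles=svcadm;defaultpriv=basic,!net_access;limitpriv=basic
svcadm::::type=role;profiles=Service Management
webapp::::type=normal;defaultpriv=basic,!file_link_any,!proc_info
backup::::type=normal;defaultpriv=basic,file_dac_read
"""

_FIELD_SEP = re.compile(r"(?<!\\):")   # ':' not preceded by a backslash
_ATTR_SEP = re.compile(r"(?<!\\);")    # ';' not preceded by a backslash


def _unescape(value):
    return value.replace("\\:", ":").replace("\\;", ";")


def parse_user_attr(text):
    """Return {name: {qualifier, res1, res2, attrs}} for every record."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = _FIELD_SEP.split(line)
        if len(fields) != 5:
            raise ValueError("malformed user_attr record: %r" % raw)
        name, qualifier, res1, res2, attr = fields
        attrs = {}
        for pair in _ATTR_SEP.split(attr):
            if pair:
                key, _, value = pair.partition("=")
                attrs[key] = _unescape(value)
        entries[name] = {"qualifier": qualifier, "res1": res1,
                         "res2": res2, "attrs": attrs}
    return entries


def roles(entries):
    """Names of all accounts defined as roles (type=role)."""
    return sorted(n for n, e in entries.items()
                  if e["attrs"].get("type") == "role")


def who_can_assume(entries, role):
    """Normal users that list `role` in their roles= attribute."""
    return sorted(n for n, e in entries.items()
                  if e["attrs"].get("type", "normal") == "normal"
                  and role in e["attrs"].get("roles", "").split(","))


def expand_privs(spec):
    """Expand a list such as 'basic,!net_access,file_dac_read' to a set."""
    privs = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        negate = item.startswith("!")
        name = item[1:] if negate else item
        members = BASIC_PRIVS if name == "basic" else {name}
        privs = privs - members if negate else privs | members
    return frozenset(privs)


def privilege_report(entries):
    """For each user with defaultpriv, what was dropped from / added to basic."""
    report = {}
    for name, e in entries.items():
        spec = e["attrs"].get("defaultpriv")
        if spec is None:
            continue
        privs = expand_privs(spec)
        report[name] = {"dropped": sorted(BASIC_PRIVS - privs),
                        "added": sorted(privs - BASIC_PRIVS)}
    return report


if __name__ == "__main__":
    db = parse_user_attr(SAMPLE_USER_ATTR)
    print("roles:", roles(db))
    print("root is a role:", db["root"]["attrs"].get("type") == "role")
    for role in roles(db):
        print("can assume %s:" % role, who_can_assume(db, role))
    for user, r in privilege_report(db).items():
        print(user, "dropped", r["dropped"], "added", r["added"])
```

    The "added" column is the one worth reviewing: an account whose defaultpriv extends beyond basic (here the constructed backup user with file_dac_read) runs every process with that extra privilege, whereas the Solaris model the slides describe prefers granting such rights through a role or rights profile that must be explicitly assumed.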
    • Isolating Management Roles and Capabilities (diagram: Service Administrator, System Administrator, Cloud Administrator)
    • Holistic Data Protection: Solaris 11 ZFS Encryption
      • Encryption policy is set at the ZFS data set level
      • Supports delegation of key management operations
      • Leverages a dual key model: wrapping vs. encryption key
      • Variety of options for format/location of the wrapping key
      • Wrapping key inherited by child data sets
    • Holistic Data Protection: Solaris 11 Cryptographic Framework
      • Unified Standards-based Framework
      • Automatic Hardware Acceleration Usage
      • NSA Suite B Algorithms
    • Hardware Cryptographic Acceleration

      Processor / Mechanisms              UltraSPARC T2/T2+        SPARC T3                          SPARC T4
      Asymmetric / Public Key Encryption  RSA, DSA, ECC            RSA, DH, DSA, ECC                 RSA, DH, DSA, ECC
      Symmetric Key / Bulk Encryption     AES, DES, 3DES, Kasumi   AES, DES, 3DES, Camellia, Kasumi  AES, DES, 3DES, RC4
      Message Digest / Hash Functions     MD5, SHA-1, SHA-256      CRC32c, MD5, SHA-1, SHA-256,      CRC32c, MD5, SHA-1, SHA-224,
                                                                   SHA-384, SHA-512                  SHA-256, SHA-384, SHA-512
      Random Number Generation            Supported                Supported                         Supported
      API Support                         PKCS#11 Standard         PKCS#11 Standard                  PKCS#11 Standard, uCrypto API

    • Comprehensive Monitoring: Solaris 11 Auditing
      • Solaris 11 Auditing
        – Kernel-based fine-grained introspection
        – Captured events include: admin. actions, commands, syscalls
        – Configurable audit policy at both the system / user level
        – Zones can be audited from within the global zone
        – Audit logs can be exported as binary, text, or XML files
      • New in Solaris 11
        – Auditing on by default with no performance penalty
        – Greater visibility into system events with less “noise”
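    The auditing slide above lists what is captured but not how the exported text is consumed. The following added example (not part of the presentation and not an Oracle tool) shows the kind of detection logic a defender would run over the text export: it counts failed logins per user and lists role assumptions, showing how the audit ID keeps the original identity even after a role such as root is assumed. It assumes the one-record-per-line, comma-delimited layout of `praudit -l` with header, subject and return tokens in the order shown in the sample; the records themselves are constructed, including the "role login" event name, and are not captured from a real system.

```python
"""Detection over Solaris audit records exported as text.  Added example,
not from the presentation.  Assumes `praudit -l` style output: one record
per line, tokens comma-delimited, with header (6 fields), subject
(8 fields) and return (2 fields) tokens.  Records below are constructed."""
from collections import Counter

# Constructed sample records (not captured from a real system).
SAMPLE_RECORDS = """\
header,69,2,login - local,,web01,2011-11-15 18:01:03.101 -05:00,subject,jdoe,jdoe,staff,jdoe,staff,2001,2001,0 0 web01,return,failure: Permission denied,-1
header,69,2,login - local,,web01,2011-11-15 18:01:09.550 -05:00,subject,jdoe,jdoe,staff,jdoe,staff,2002,2002,0 0 web01,return,failure: Permission denied,-1
header,69,2,login - local,,web01,2011-11-15 18:01:14.002 -05:00,subject,jdoe,jdoe,staff,jdoe,staff,2003,2003,0 0 web01,return,failure: Permission denied,-1
header,69,2,login - local,,web01,2011-11-15 18:02:40.733 -05:00,subject,glenn,glenn,staff,glenn,staff,2010,2010,0 0 web01,return,success,0
header,69,2,role login,,web01,2011-11-15 18:03:01.120 -05:00,subject,glenn,root,root,glenn,staff,2011,2010,0 0 web01,return,success,0
header,69,2,login - local,,web01,2011-11-15 18:05:12.410 -05:00,subject,ops,ops,staff,ops,staff,2020,2020,0 0 web01,return,failure: Permission denied,-1
"""


def parse_record(line):
    """Pull event, host, time, audit user, effective uid and outcome out of one record."""
    tok = line.rstrip("\n").split(",")
    rec = {}
    i = 0
    while i < len(tok):
        if tok[i] == "header":
            # header,<bytes>,<version>,<event>,<modifier>,<host>,<time>
            rec["event"] = tok[i + 3]
            rec["host"] = tok[i + 5]
            rec["time"] = tok[i + 6]
            i += 7
        elif tok[i] == "subject":
            # subject,<audit-id>,<uid>,<gid>,<ruid>,<rgid>,<pid>,<sid>,<tid>
            rec["audit_user"] = tok[i + 1]   # audit ID: identity that originally logged in
            rec["uid"] = tok[i + 2]          # effective user, e.g. an assumed role
            i += 9
        elif tok[i] == "return":
            # return,<success|failure: reason>,<value>
            rec["ok"] = tok[i + 1] == "success"
            rec["status"] = tok[i + 2]
            i += 3
        else:
            i += 1  # token type this example does not model; skip it
    return rec


def parse_records(text):
    return [parse_record(l) for l in text.splitlines() if l.strip()]


def failed_logins(records):
    """Failed login attempts per audit user."""
    counts = Counter()
    for r in records:
        if r.get("event", "").startswith("login") and not r.get("ok", True):
            counts[r["audit_user"]] += 1
    return counts


def flag_repeated_failures(records, threshold=3):
    """Users at or above `threshold` failed logins; a simple brute-force indicator."""
    return sorted(u for u, n in failed_logins(records).items() if n >= threshold)


def role_assumptions(records):
    """(audit user, assumed role) pairs: the audit ID preserves the original identity."""
    return [(r["audit_user"], r["uid"]) for r in records
            if r.get("event") == "role login" and r.get("ok")]


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    print("failed logins:", dict(failed_logins(recs)))
    print("repeated failures:", flag_repeated_failures(recs))
    print("role assumptions:", role_assumptions(recs))
```

    The role_assumptions output is the practical form of the "original UID is always tracked" point from the RBAC slide: the effective uid in the subject token is the role, but the audit ID stays with the user who assumed it, so the record can be attributed to a person.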
    • Putting it all together with Solaris 11 Security!
    • Architectural Strategies: Building a Secure Service Delivery Platform for the Cloud (diagram)
      Non-Global Zone: Service Hardening, Encrypted Comms, Limited Privileges; Delegated Application Administration
      ZFS Encrypted Data Set(s): Binaries and Libraries, Configuration Files, Temporary and Log Files, Application Data
      Secure by Default / OS Hardening
    • Architectural Strategies: Building a Secure Service Delivery Platform for the Cloud (diagram)
      Per zone: Encrypted Root, Limited Resources, Delegated Admin., Monitoring / Auditing, Network Security
    • Architectural Strategies: Building a Secure Service Delivery Platform for the Cloud (diagram)
      Three zones, each with Encrypted Root, Limited Resources, Delegated Admin., Monitoring / Auditing and Network Security, connected by Virtual Networking (w/QoS and Data Link Protection)
    • Architectural Strategies: Building a Secure Service Delivery Platform for the Cloud (diagram)
      Solaris 11 Instance (Global Zone): Monitoring / Auditing, Delegated Administration, Hardware Accel. Cryptography
    • Additional Strategies
    • Successful Strategies for Cloud Security (recap)
      • Start with “Good Ingredients”
      • Build and Test “Once”, Deploy Everywhere
      • Prohibit Change Where Possible
      • Compartmentalize Services and Access
      • Efficiently Detect and Respond to Threats
      • Holistically Leverage Encryption
    • For More Information / Try Out Today
      • Product overview and download – oracle.com/solaris
      • Oracle Technology Network – oracle.com/technetwork/server-storage/solaris11
      • System administrators community – oracle.com/technetwork/systems
      @ORCL_Solaris, facebook.com/oraclesolaris, Oracle Solaris Insider
    • Questions