Extending Datacenter-grade security to the Cloud

Final presentation from Solaris 11 Technical Forum events conducted in New York, Boston, Chicago and other North American cities.

Published in: Technology

  1. Oracle Solaris 11: Extending Data Center Grade Security to the Cloud
     Glenn Brunette, Chief Technology Officer, ESG
     Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
  2. The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.
  3. Traditional OS Security Techniques
     • Software Minimization
     • Installing Up-to-Date Security Patches
     • System and Service Configuration Hardening
     • Strong Authentication and Access Control
     • Securing Data At Rest, In Transit, and In Use
     • Exploit Prevention and Detection
     • Host-based Packet Filtering
     • Activity Monitoring and Auditing
  4. Cloud Security Differences
     • Self-Service Interaction
     • Hyper-Connectivity and Hyper-Scale
     • Increasing Velocity of Change
  5. Successful Strategies for Cloud Security
     • Start with “Good Ingredients”
     • Build and Test “Once”, Deploy Everywhere
     • Prohibit Change Where Possible
     • Compartmentalize Services and Access
     • Efficiently Detect and Respond to Threats
     • Holistically Leverage Encryption
  6. Simplified Provisioning: Solaris 11 Automated Installation
  7. Streamlined Patch Management: Solaris 11 Image Packaging System
     Example security maintenance patch window, 6-7pm:
     6:00       pkg update
     6:00-6:02  Dependency checks, patch/update planning
     6:02-6:04  New boot environment created, updates downloaded and applied
     6:04-6:06  Reboot; system up and running again
     • 4X faster upgrades typical
     • Create ZFS boot environment to safely apply updates
     • Full dependency check of packages, crypto verified, auditable
     • Reboot updated ZFS boot environment
  8. Reduced Attack Surface: Solaris 11 Network Secure by Default
     • Expose only required services to the network
       – Reduce the operating system network footprint
       – Most services are disabled; a few are set to “local only”
     • Integrated with Service Management Facility
       – Common administrative model for all service operations
       – Fully customizable based upon unique site requirements
     • Foundation for Additional Protections and Configuration
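The "secure by default" posture is only useful if it survives provisioning and later changes, so a practical check is to compare the enabled SMF network services against an explicit allowlist. The script below is an added example, not code from the slides or from Oracle: it parses the kind of text `svcs -H -o state,fmri 'svc:/network/*'` prints, but the svcs output and the allowlist here are constructed samples (the allowed FMRIs are an assumption about site policy) so it runs offline.

```shell
#!/bin/sh
# Added example, not from the Oracle slides: gate that the network attack
# surface of a provisioned host matches an explicit allowlist, using the
# text that `svcs -H -o state,fmri 'svc:/network/*'` prints.

# Constructed sample of `svcs -H -o state,fmri` output for a hypothetical host.
SAMPLE_SVCS='online         svc:/network/ssh:default
online         svc:/network/rpc/bind:default
disabled       svc:/network/telnet:default
online         svc:/network/smtp:sendmail
disabled       svc:/network/ftp:default
online         svc:/network/loopback:default
online         svc:/network/physical:default'

# Site allowlist (an assumption): the only network services this host may have enabled.
ALLOWED_FMRIS='svc:/network/ssh:default
svc:/network/loopback:default
svc:/network/physical:default'

# unexpected_services SVCS_TEXT ALLOWLIST
# Prints, one per line, every FMRI whose state is anything other than
# "disabled" (online, offline, degraded and maintenance all mean the service
# is enabled) and that is not on the allowlist.
unexpected_services() {
  printf '%s\n' "$1" | awk -v allow="$2" '
    BEGIN { n = split(allow, a, "\n"); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    NF >= 2 && $1 != "disabled" && !($2 in ok) { print $2 }'
}

# check_attack_surface SVCS_TEXT ALLOWLIST
# Returns 0 when nothing unexpected is enabled, 1 otherwise, so it can serve
# as a gate in a build-once/deploy-everywhere pipeline.
check_attack_surface() {
  extra=$(unexpected_services "$1" "$2")
  if [ -n "$extra" ]; then
    printf 'enabled but not on the allowlist:\n%s\n' "$extra" >&2
    return 1
  fi
  return 0
}

# Stand-alone run against the constructed sample (reports rpc/bind and smtp).
if check_attack_surface "$SAMPLE_SVCS" "$ALLOWED_FMRIS"; then
  echo "network attack surface matches policy"
fi
```

On a real host the first argument would be `$(svcs -H -o state,fmri 'svc:/network/*')`; services the slide describes as "local only" still show as online here, so the allowlist should name them explicitly and a separate check of their `local_only` property is still worthwhile.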
  9. Strong Service Isolation: Solaris 11 Zones
     • Solaris 11 Zones
       – Restricted operating environment for enhanced security
       – Per-zone hardening, RBAC, privileges, resource controls, etc.
       – Per-zone system resources, networking, data sets, etc.
     • New in Solaris 11
       – Zone Integrity Policies (Flexible, Strict, Fixed, None)
       – Delegated Administration (Console, Install, Boot, Shutdown)
       – Virtual Networking (NICs, Switches, etc.)
  10. Separation of Duty: Solaris 11 Role-based Access Control
     • Role-based Access Control
       – Compose collections of administrative rights for users and roles
       – Roles can only be assumed by authorized users
       – Accountability is preserved: the original UID is always tracked
     • New in Solaris 11
       – By default, the root account is now a role
       – Role authentication can use either the user's or the role's password
       – CLI for managing users, roles, rights and groups
  11. Separation of Duty: Solaris 11 Fine-grained Process Privileges
     • Fine-Grained Process Privileges
       – Sandbox users and applications to limit potential for damage
       – Decomposes administrative capabilities into discrete privileges
       – Eliminates need for many services to start as 'root'
       – Always enabled and enforced by the Solaris kernel
     • New in Solaris 11
       – New privileges: file_read, file_write, and net_access
       – Support for “forced privileges” for set-uid root programs
       – Stop profile to limit specific commands and authorizations
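Fine-grained privileges only reduce damage if the services actually run with small sets, so it helps to measure how far each process sits above the basic set. The script below is an added example, not from the slides or from Oracle: it reads text in the shape `ppriv -S <pid>...` prints and reports every effective privilege outside the Solaris 11 basic set. The ppriv output, the process names and their privilege sets are all constructed (they are not the real sets of any Solaris daemon), and the basic set listed is the Solaris 11 one including the new file_read, file_write and net_access privileges.

```shell
#!/bin/sh
# Added example, not from the Oracle slides: report which processes hold
# effective privileges beyond the Solaris 11 basic set, using the text that
#   ppriv -S <pid>...
# prints. Everything below is constructed sample data so it runs offline.

# Constructed sample of `ppriv -S` output for three hypothetical processes.
SAMPLE_PPRIV='101:    /opt/app/bin/statusd
flags = <none>
        E: basic,!proc_info,!file_write
        I: basic,!proc_info,!file_write
        P: basic,!proc_info,!file_write
        L: all
204:    /opt/app/bin/routerd
flags = PRIV_AWARE
        E: basic,net_icmpaccess,sys_ip_config
        I: basic
        P: basic,net_icmpaccess,sys_ip_config
        L: all
317:    /opt/app/bin/legacyd
flags = <none>
        E: all
        I: all
        P: all
        L: all'

# The Solaris 11 basic privilege set (contains the file_read, file_write and
# net_access privileges introduced in Solaris 11).
BASIC_SET='file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session'

# excess_privileges PPRIV_TEXT
# For each process prints "<pid> <command> <extra>", where <extra> is the
# comma-separated list of effective privileges outside the basic set ("all"
# for a fully privileged process). A process holding only basic, or a subset
# of it via "!priv" removals, produces no output.
excess_privileges() {
  printf '%s\n' "$1" | awk -v basic="$BASIC_SET" '
    BEGIN { n = split(basic, b, ","); for (i = 1; i <= n; i++) isbasic[b[i]] = 1 }
    /^[0-9]+:/ { pid = $1; sub(/:$/, "", pid); cmd = $2 }
    $1 == "E:" {
      n = split($2, t, ","); extra = ""
      for (i = 1; i <= n; i++) {
        p = t[i]
        if (p == "basic" || p ~ /^!/ || (p in isbasic)) continue
        extra = extra (extra == "" ? "" : ",") p
      }
      if (extra != "") print pid, cmd, extra
    }'
}

# count_fully_privileged PPRIV_TEXT
# Number of processes whose effective set is "all": the highest-risk cases.
count_fully_privileged() {
  excess_privileges "$1" | awk '$3 == "all" { c++ } END { print c + 0 }'
}

# Stand-alone run against the constructed sample.
excess_privileges "$SAMPLE_PPRIV"
```

On a live system the input would be `$(ppriv -S $(pgrep -d ' ' .))` or similar; processes reported with `all` are the candidates for the SMF privilege properties and the "forced privileges" mechanism the slide mentions, and the others show exactly which privileges a least-privilege profile must grant.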
  12. Isolating Management Roles and Capabilities
     (Diagram: three separated roles) Service Administrator; System Administrator; Cloud Administrator
  13. Holistic Data Protection: Solaris 11 ZFS Encryption
     • Encryption policy is set at the ZFS data set level
     • Supports delegation of key management operations
     • Leverages a dual key model: wrapping key vs. encryption key
     • Variety of options for format/location of the wrapping key
     • Wrapping key inherited by child data sets
  14. Holistic Data Protection: Solaris 11 Cryptographic Framework
     • Unified Standards-based Framework
     • Automatic Hardware Acceleration Usage
     • NSA Suite B Algorithms
  15. Hardware Cryptographic Acceleration
     Mechanisms                          UltraSPARC T2/T2+        SPARC T3                                        SPARC T4
     Asymmetric / Public Key Encryption  RSA, DSA, ECC            RSA, DH, DSA, ECC                               RSA, DH, DSA, ECC
     Symmetric Key / Bulk Encryption     AES, DES, 3DES, Kasumi   AES, DES, 3DES, Camellia, Kasumi                AES, DES, 3DES, RC4
     Message Digest / Hash Functions     MD5, SHA-1, SHA-256      CRC32c, MD5, SHA-1, SHA-256, SHA-384, SHA-512   CRC32c, MD5, SHA-1, SHA-224, SHA-256, SHA-384, SHA-512
     Random Number Generation            Supported                Supported                                       Supported
     API Support                         PKCS#11 Standard         PKCS#11 Standard                                PKCS#11 Standard, uCrypto API
  16. Comprehensive Monitoring: Solaris 11 Auditing
     • Solaris 11 Auditing
       – Kernel-based fine-grained introspection
       – Captured events include: admin. actions, commands, syscalls
       – Configurable audit policy at both the system and user level
       – Zones can be audited from within the global zone
       – Audit logs can be exported as binary, text, or XML files
     • New in Solaris 11
       – Auditing on by default with no performance penalty
       – Greater visibility into system events with less “noise”
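Audit-on-by-default only pays off when someone reads the records, and the slides' point that the original UID is always tracked is what makes role assumption and privilege escalation attributable. The script below is an added example, not from the slides or from Oracle, of simple detection logic over audit records exported as text with `praudit -l -s` (one record per line, comma-separated tokens). The records are constructed and simplified; the only layout assumptions are that the fourth field is the event name, that the field after the `subject` token is the audit ID (the original login user) followed by the effective uid, and that the field after `return` is the outcome.

```shell
#!/bin/sh
# Added example, not from the Oracle slides: detection over Solaris audit
# records in `praudit -l -s` text form. The records are constructed and
# simplified; event names and token layout are assumptions noted in the
# comments, not a specification of the real format.

# Constructed sample: one record per line, comma-separated tokens.
SAMPLE_AUDIT='header,97,2,su,,web01.example.com,2011-11-01 09:12:44.117 -04:00,subject,jsmith,jsmith,staff,jsmith,staff,2201,2201,0 0 web01.example.com,text,bad password for root,return,failure: Permission denied,-1
header,97,2,su,,web01.example.com,2011-11-01 09:12:51.402 -04:00,subject,jsmith,jsmith,staff,jsmith,staff,2202,2201,0 0 web01.example.com,text,bad password for root,return,failure: Permission denied,-1
header,97,2,login - ssh,,web01.example.com,2011-11-01 09:13:00.010 -04:00,subject,bob,bob,staff,bob,staff,2310,2310,0 0 10.0.0.5,return,success,0
header,97,2,su,,web01.example.com,2011-11-01 09:13:05.219 -04:00,subject,jsmith,jsmith,staff,jsmith,staff,2203,2201,0 0 web01.example.com,text,bad password for root,return,failure: Permission denied,-1
header,97,2,su,,web01.example.com,2011-11-01 09:14:12.771 -04:00,subject,bob,bob,staff,bob,staff,2311,2310,0 0 10.0.0.5,text,bad password for sysadm,return,failure: Permission denied,-1
header,97,2,su,,web01.example.com,2011-11-01 09:15:30.004 -04:00,subject,jsmith,jsmith,staff,jsmith,staff,2204,2201,0 0 web01.example.com,text,success for user root,return,success,0
header,111,2,execve(2),,web01.example.com,2011-11-01 09:16:02.338 -04:00,path,/usr/sbin/useradd,subject,jsmith,root,root,root,root,2205,2201,0 0 web01.example.com,return,success,0'

# failed_su_counts AUDIT_TEXT
# Prints "<audit-id> <failures>" for every user with failed su records,
# keyed on the audit ID so that the count follows the real person, sorted by name.
failed_su_counts() {
  printf '%s\n' "$1" | awk -F, '
    $4 == "su" {
      aid = ""; outcome = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "subject") aid = $(i + 1)
        if ($i == "return")  outcome = $(i + 1)
      }
      if (aid != "" && outcome != "success") fail[aid]++
    }
    END { for (a in fail) print a, fail[a] }' | sort
}

# flag_repeated_failures AUDIT_TEXT THRESHOLD
# Audit IDs with at least THRESHOLD failed su attempts: a guessing pattern
# worth an alert, regardless of which account was targeted.
flag_repeated_failures() {
  failed_su_counts "$1" | awk -v t="$2" '$2 + 0 >= t + 0 { print $1 }'
}

# escalated_actions AUDIT_TEXT
# Prints "<audit-id> <uid> <event>" for records where the effective uid
# differs from the audit ID, i.e. work done after assuming root or a role.
# This is the accountability trail the RBAC slide refers to.
escalated_actions() {
  printf '%s\n' "$1" | awk -F, '
    {
      aid = ""; uid = ""
      for (i = 1; i <= NF; i++) if ($i == "subject") { aid = $(i + 1); uid = $(i + 2) }
      if (aid != "" && aid != uid) print aid, uid, $4
    }'
}

# Stand-alone run against the constructed sample.
echo "failed su per user:";      failed_su_counts "$SAMPLE_AUDIT"
echo "3+ failures:";             flag_repeated_failures "$SAMPLE_AUDIT" 3
echo "actions as another uid:";  escalated_actions "$SAMPLE_AUDIT"
```

The same functions work on a zone's records viewed from the global zone, since the exported text carries the host name in each header and the audit ID is assigned at login before any role is assumed.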
  17. Putting it all together with Solaris 11 Security!
  18. Architectural Strategies: Building a Secure Service Delivery Platform for the Cloud
     (Diagram: one hardened service inside a non-global zone)
     • Non-Global Zone: Service Hardening, Encrypted Comms, Limited Privileges
     • Binaries and Libraries; Configuration Files; Temporary and Log Files; Application Data, held in ZFS Encrypted Data Set(s)
     • Delegated Application Administration
     • Secure by Default / OS Hardening
  19. Architectural Strategies: Building a Secure Service Delivery Platform for the Cloud
     (Diagram: per-zone controls) Encrypted Root; Limited Resources; Delegated Admin.; Monitoring / Auditing; Network Security
  20. Architectural Strategies: Building a Secure Service Delivery Platform for the Cloud
     (Diagram: the same per-zone controls applied to three zones) Encrypted Root; Limited Resources; Delegated Admin.; Monitoring / Auditing; Network Security
     • Zones connected by Virtual Networking (w/QoS and Data Link Protection)
  21. Architectural Strategies: Building a Secure Service Delivery Platform for the Cloud
     (Diagram: Solaris 11 Instance, Global Zone) Monitoring / Auditing; Delegated Administration; Hardware Accel. Cryptography
  22. Additional Strategies
  23. Successful Strategies for Cloud Security
     • Start with “Good Ingredients”
     • Build and Test “Once”, Deploy Everywhere
     • Prohibit Change Where Possible
     • Compartmentalize Services and Access
     • Efficiently Detect and Respond to Threats
     • Holistically Leverage Encryption
  24. For More Information / Try Out Today
     • Product overview and download
       – oracle.com/solaris
     • Oracle Technology Network
       – oracle.com/technetwork/server-storage/solaris11
     • System administrators community
       – oracle.com/technetwork/systems
     • @ORCL_Solaris
     • facebook.com/oraclesolaris
     • Oracle Solaris Insider
  25. Questions