Extending Datacenter-grade security to the Cloud

Date post: 01-Dec-2014
Upload: oracle-hardware
Description:
Final presentation from Solaris 11 Technical Forum events conducted in New York, Boston, Chicago and other North American cities.
Transcript
Page 1: Extending Datacenter-grade security to the Cloud

1 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.

Extending Data Center Grade Security to the Cloud

Glenn Brunette
Chief Technology Officer, ESG
Oracle Solaris 11

Page 2: Extending Datacenter-grade security to the Cloud


The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.

Page 3: Extending Datacenter-grade security to the Cloud

Traditional OS Security Techniques

• Software Minimization
• Installing Up-to-Date Security Patches
• System and Service Configuration Hardening
• Strong Authentication and Access Control
• Securing Data At Rest, In Transit, and In Use
• Exploit Prevention and Detection
• Host-based Packet Filtering
• Activity Monitoring and Auditing

Page 4: Extending Datacenter-grade security to the Cloud

Cloud Security Differences

• Self-Service Interaction
• Hyper-Connectivity and Hyper-Scale
• Increasing Velocity of Change

Page 5: Extending Datacenter-grade security to the Cloud

Successful Strategies for Cloud Security

• Start with “Good Ingredients”
• Build and Test “Once”, Deploy Everywhere
• Prohibit Change Where Possible
• Compartmentalize Services and Access
• Efficiently Detect and Respond to Threats
• Holistically Leverage Encryption

Page 6: Extending Datacenter-grade security to the Cloud

Simplified Provisioning

Solaris 11 Automated Installation

Page 7: Extending Datacenter-grade security to the Cloud

Streamlined Patch Management

• 4X faster upgrades typical
• Create ZFS boot environment to safely apply updates
• Full dependency check of packages, crypto verified, auditable
• Reboot updated ZFS boot environment

Timeline for applying a new security patch (maintenance window: 6-7pm):

6:00: pkg update
6:00-6:02: Dependency checks, patch/update planning
6:02-6:04: New boot environment created, updates downloaded and applied
6:04-6:06: Reboot; up and running again

Solaris 11 Image Packaging System

Page 8: Extending Datacenter-grade security to the Cloud

Reduced Attack Surface

• Expose only required services to the network
  – Reduce the operating system network footprint
  – Most services are disabled; a few are set to “local only”
• Integrated with Service Management Facility
  – Common administrative model for all service operations
  – Fully customizable based upon unique site requirements
• Foundation for Additional Protections and Configuration

Solaris 11 Network Secure by Default

Page 9: Extending Datacenter-grade security to the Cloud

Strong Service Isolation

• Solaris 11 Zones
  – Restricted operating environment for enhanced security
  – Per-zone hardening, RBAC, privileges, resource controls, etc.
  – Per-zone system resources, networking, data sets, etc.
• New in Solaris 11
  – Zone Integrity Policies (Flexible, Strict, Fixed, None)
  – Delegated Administration (Console, Install, Boot, Shutdown)
  – Virtual Networking (NICs, Switches, etc.)

Solaris 11 Zones

Page 10: Extending Datacenter-grade security to the Cloud

Separation of Duty

• Role-based Access Control
  – Compose collections of administrative rights for users and roles
  – Roles can only be assumed by authorized users
  – Accountability is preserved: the original UID is always tracked
• New in Solaris 11
  – By default, the root account is now a role
  – Role authentication can use either the user's or the role's password
  – CLI for managing users, roles, rights and groups

Solaris 11 Role-based Access Control

Page 11: Extending Datacenter-grade security to the Cloud

Separation of Duty

• Fine-Grained Process Privileges
  – Sandbox users and applications to limit potential for damage
  – Decomposes administrative capabilities into discrete privileges
  – Eliminates need for many services to start as "root"
  – Always enabled and enforced by the Solaris kernel
• New in Solaris 11
  – New privileges: file_read, file_write, and net_access
  – Support for “forced privileges” for set-uid root programs
  – Stop profile to limit specific commands and authorizations

Solaris 11 Fine-grained Process Privileges

Page 12: Extending Datacenter-grade security to the Cloud

Isolating Management Roles and Capabilities

• System Administrator
• Service Administrator
• Cloud Administrator

Page 13: Extending Datacenter-grade security to the Cloud

Holistic Data Protection

• Encryption policy is set at the ZFS data set level
• Supports delegation of key management operations
• Leverages a dual key model: wrapping key vs. encryption key
• Variety of options for format/location of the wrapping key
• Wrapping key inherited by child data sets

Solaris 11 ZFS Encryption
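The dual key model on this slide (a wrapping key that protects each data set's own data encryption key, with child data sets inheriting the parent's wrapping key) is easier to reason about in a small model. The Python below is an added example written for this page, not Oracle's or ZFS's code: it uses a toy HMAC-keystream XOR in place of AES because the Python standard library has no AES, and the data set names, passphrases and file contents are constructed. What it shows is why the split matters to an operator: rotating the wrapping key rewraps only the key material and leaves stored ciphertext untouched, inheriting children are rekeyed with their parent, and a wrong wrapping key is rejected rather than decrypting to garbage.

```python
import hashlib
import hmac
import os
from typing import Dict

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stand-in for AES (not in the stdlib): XOR with an HMAC-SHA256 keystream.
    The same call encrypts and decrypts. Not a real cipher; the key hierarchy is the point."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def derive_wrapping_key(passphrase: str, salt: bytes) -> bytes:
    """Passphrase-format wrapping key: 32 bytes via PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000, dklen=32)

class DataSet:
    """Encrypted data set: the data encryption key (DEK) is stored only wrapped under the
    wrapping key, with an HMAC tag so a wrong wrapping key is rejected, not misused."""

    def __init__(self, name, wrapping_key=None, parent=None):
        self.name, self.children, self.blocks = name, [], {}   # blocks: path -> nonce||ct
        self.inherits_key = wrapping_key is None and parent is not None
        if self.inherits_key:
            wrapping_key = parent._wrapping_key              # inherit the parent's wrapping key
        if wrapping_key is None:
            raise ValueError("a top-level encrypted data set needs its own wrapping key")
        self._wrapping_key = wrapping_key                    # kept only so children can inherit
        self.wrapped_dek, self.dek_tag = self._wrap(wrapping_key, os.urandom(32))
        if parent is not None:
            parent.children.append(self)

    def _wrap(self, wrapping_key, dek):
        nonce = hashlib.sha256(b"wrap:" + self.name.encode()).digest()[:16]
        wrapped = keystream_xor(wrapping_key, nonce, dek)
        return wrapped, hmac.new(wrapping_key, b"tag:" + wrapped, hashlib.sha256).digest()

    def unwrap_dek(self, wrapping_key):
        """Return the DEK, or raise PermissionError when the wrapping key does not verify."""
        tag = hmac.new(wrapping_key, b"tag:" + self.wrapped_dek, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, self.dek_tag):
            raise PermissionError(f"wrong wrapping key for {self.name}")
        nonce = hashlib.sha256(b"wrap:" + self.name.encode()).digest()[:16]
        return keystream_xor(wrapping_key, nonce, self.wrapped_dek)

    def write(self, wrapping_key, path, plaintext):
        nonce = os.urandom(16)                               # fresh nonce per block written
        self.blocks[path] = nonce + keystream_xor(self.unwrap_dek(wrapping_key), nonce, plaintext)

    def read(self, wrapping_key, path):
        stored = self.blocks[path]
        return keystream_xor(self.unwrap_dek(wrapping_key), stored[:16], stored[16:])

    def change_wrapping_key(self, old_key, new_key):
        """Rekey: rewrap the DEK only; stored blocks stay as they are. Inheriting children follow."""
        dek = self.unwrap_dek(old_key)
        self._wrapping_key = new_key
        self.wrapped_dek, self.dek_tag = self._wrap(new_key, dek)
        for child in self.children:
            if child.inherits_key:
                child.change_wrapping_key(old_key, new_key)

def rejected(action) -> bool:
    """True when the action fails with PermissionError (wrong wrapping key)."""
    try:
        action()
    except PermissionError:
        return True
    return False

def demo() -> Dict[str, bool]:
    """Create, write, try a wrong key, rotate the wrapping key; report each check."""
    salt = b"constructed-salt"                               # constructed sample values
    old_key = derive_wrapping_key("first passphrase", salt)
    new_key = derive_wrapping_key("rotated passphrase", salt)
    secret, logline = b"db_password=constructed-secret", b"2011-11-09 service started"
    app = DataSet("tank/app", wrapping_key=old_key)
    logs = DataSet("tank/app/logs", parent=app)             # inherits tank/app's wrapping key
    app.write(old_key, "config.txt", secret)
    logs.write(old_key, "app.log", logline)
    blocks_before = dict(app.blocks)
    wrong_key_rejected = rejected(lambda: app.read(derive_wrapping_key("guess", salt), "config.txt"))
    app.change_wrapping_key(old_key, new_key)
    return {
        "wrong_key_rejected": wrong_key_rejected,
        "readable_after_rekey": app.read(new_key, "config.txt") == secret,
        "child_rekeyed_with_parent": logs.read(new_key, "app.log") == logline,
        "old_key_rejected_after_rekey": rejected(lambda: app.read(old_key, "config.txt")),
        "data_blocks_untouched": app.blocks == blocks_before,
    }

if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The integrity tag on the wrapped DEK is the design choice worth noting: without it, a wrong passphrase would unwrap to a random key and every read would return garbage that looks like corruption rather than an access failure, which is what you want an audit trail and an operator to see.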

Page 14: Extending Datacenter-grade security to the Cloud

Holistic Data Protection

• Unified Standards-based Framework
• Automatic Hardware Acceleration Usage
• NSA Suite B Algorithms

Solaris 11 Cryptographic Framework

Page 15: Extending Datacenter-grade security to the Cloud

Hardware Cryptographic Acceleration

Processor / Mechanisms             | UltraSPARC T2/T2+   | SPARC T3                                       | SPARC T4
Asymmetric / Public Key Encryption | RSA, DSA, ECC       | RSA, DH, DSA, ECC                              | RSA, DH, DSA, ECC
Symmetric Key / Bulk Encryption    | AES, DES, 3DES, RC4 | AES, DES, 3DES, Kasumi                         | AES, DES, 3DES, Camellia, Kasumi
Message Digest / Hash Functions    | MD5, SHA-1, SHA-256 | CRC32c, MD5, SHA-1, SHA-256, SHA-384, SHA-512  | CRC32c, MD5, SHA-1, SHA-224, SHA-256, SHA-384, SHA-512
Random Number Generation           | Supported           | Supported                                      | Supported
API Support                        | PKCS#11 Standard    | PKCS#11 Standard                               | PKCS#11 Standard, uCrypto API

Page 16: Extending Datacenter-grade security to the Cloud

Comprehensive Monitoring

• Solaris 11 Auditing
  – Kernel-based fine-grained introspection
  – Captured events include: admin. actions, commands, syscalls
  – Configurable audit policy at both the system / user level
  – Zones can be audited from within the global zone
  – Audit logs can be exported as binary, text, or XML files
• New in Solaris 11
  – Auditing on by default with no performance penalty
  – Greater visibility into system events with less “noise”

Solaris 11 Auditing
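The RBAC slide and this one make the same point from two sides: accountability survives role assumption because the original UID is always tracked, and the audit trail captures administrative actions, including those inside non-global zones, from the global zone. The Python below is an added example, not part of the deck or of Solaris: it reads a constructed, simplified pipe-separated export (the real Solaris binary, text and XML audit formats carry more fields and different event names, so the layout here is an assumption) and attributes every action to the audit UID of the user who logged in rather than to the effective UID in force after a role was assumed. It also lists the distinct role assumptions, counts failed role assumptions per user against a constructed threshold, and shows per-zone activity visible in one collected log.

```python
import csv
from collections import Counter, defaultdict
from io import StringIO
from typing import Dict, List, Tuple

# Constructed sample, NOT real praudit output. Fields: time|zone|event|auid|uid|command|result
# auid = audit UID (the user who logged in); uid = effective UID when the action ran.
SAMPLE_EXPORT = """\
time|zone|event|auid|uid|command|result
2011-11-09T18:00:01|global|su|alice|root|su root|success
2011-11-09T18:00:05|global|exec|alice|root|pkg update|success
2011-11-09T18:01:10|web1|exec|bob|webadm|svcadm restart apache22|success
2011-11-09T18:02:30|global|su|carol|root|su root|failure
2011-11-09T18:02:41|global|su|carol|root|su root|failure
2011-11-09T18:02:55|global|su|carol|root|su root|failure
2011-11-09T18:03:00|web1|exec|bob|bob|ls /var/log|success
"""

Record = Dict[str, str]

def parse_export(text: str) -> List[Record]:
    """Parse the simplified export into one dict per audit record."""
    return [dict(row) for row in csv.DictReader(StringIO(text), delimiter="|")]

def attribute_to_login(records: List[Record]) -> Dict[str, List[str]]:
    """Group successful actions by audit UID, so work done after assuming a role
    (effective uid != auid) is still charged to the person who logged in."""
    by_login: Dict[str, List[str]] = defaultdict(list)
    for r in records:
        if r["result"] == "success":
            by_login[r["auid"]].append(f"{r['zone']}: {r['command']} (as {r['uid']})")
    return dict(by_login)

def role_assumptions(records: List[Record]) -> List[Tuple[str, str, str]]:
    """Distinct (login user, assumed identity, zone) triples from successful records."""
    seen = {(r["auid"], r["uid"], r["zone"]) for r in records
            if r["result"] == "success" and r["uid"] != r["auid"]}
    return sorted(seen)

def failed_role_assumptions(records: List[Record], threshold: int = 3) -> Dict[str, int]:
    """Users whose failed 'su' attempts reach the threshold (threshold is constructed)."""
    failures = Counter(r["auid"] for r in records
                       if r["event"] == "su" and r["result"] == "failure")
    return {user: n for user, n in failures.items() if n >= threshold}

def per_zone_activity(records: List[Record]) -> Dict[str, int]:
    """Record counts per zone: non-global zone activity shows up in one collected log."""
    return dict(Counter(r["zone"] for r in records))

if __name__ == "__main__":
    recs = parse_export(SAMPLE_EXPORT)
    for user, actions in attribute_to_login(recs).items():
        print(user, "->", actions)
    print("role assumptions:", role_assumptions(recs))
    print("failed role assumptions:", failed_role_assumptions(recs))
    print("activity per zone:", per_zone_activity(recs))
```

Keying the report on the audit UID rather than the effective UID is the whole value of the "original UID is always tracked" property: a `pkg update` run as root is reported under alice, the person who assumed the role, and bob's restart of a service inside the `web1` zone is visible without logging into that zone.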

Page 17: Extending Datacenter-grade security to the Cloud

Putting it all together with Solaris 11 Security!

Page 18: Extending Datacenter-grade security to the Cloud

Architectural Strategies

Diagram: a non-global zone (labelled A) holding binaries and libraries, configuration files, temporary and log files, and application data on ZFS encrypted data set(s). Surrounding labels: delegated application administration; secure by default / OS hardening; service hardening, encrypted comms, limited privileges.

Building a Secure Service Delivery Platform for the Cloud

Page 19: Extending Datacenter-grade security to the Cloud

Architectural Strategies

Diagram labels: Encrypted Root, Limited Resources, Delegated Admin., Monitoring / Auditing, Network Security

Building a Secure Service Delivery Platform for the Cloud

Page 20: Extending Datacenter-grade security to the Cloud

Architectural Strategies

Diagram: three non-global zones, each labelled Encrypted Root, Limited Resources, Delegated Admin., Monitoring / Auditing and Network Security, connected through Virtual Networking (w/QoS and Data Link Protection).

Building a Secure Service Delivery Platform for the Cloud

Page 21: Extending Datacenter-grade security to the Cloud

Architectural Strategies

Solaris 11 Instance (Global Zone): Monitoring / Auditing, Delegated Administration, Hardware Accel. Cryptography

Building a Secure Service Delivery Platform for the Cloud

Page 22: Extending Datacenter-grade security to the Cloud

Additional Strategies

Page 23: Extending Datacenter-grade security to the Cloud

Successful Strategies for Cloud Security

• Start with “Good Ingredients”
• Build and Test “Once”, Deploy Everywhere
• Prohibit Change Where Possible
• Compartmentalize Services and Access
• Efficiently Detect and Respond to Threats
• Holistically Leverage Encryption

Page 24: Extending Datacenter-grade security to the Cloud

For More Information / Try Out Today

• Product overview and download
  – oracle.com/solaris
• Oracle Technology Network
  – oracle.com/technetwork/server-storage/solaris11
• System administrators community
  – oracle.com/technetwork/systems

@ORCL_Solaris
facebook.com/oraclesolaris
Oracle Solaris Insider

Page 25: Extending Datacenter-grade security to the Cloud

Questions

Page 26: Extending Datacenter-grade security to the Cloud
