1 Copyright © 2011, Oracle and/or its affiliates. All rights reserved. Extending Data Center Grade Security to the Cloud Glenn Brunette Chief Technology Officer, ESG Oracle Solaris 11
Dec 01, 2014
The following is intended to outline our general product direction. It is intended
for information purposes only, and may not be incorporated into any contract. It
is not a commitment to deliver any material, code, or functionality, and should
not be relied upon in making purchasing decisions. The development, release,
and timing of any features or functionality described for Oracle's products
remains at the sole discretion of Oracle.
Traditional OS Security Techniques
• Software Minimization
• Installing Up-to-Date Security Patches
• System and Service Configuration Hardening
• Strong Authentication and Access Control
• Securing Data At Rest, In Transit, and In Use
• Exploit Prevention and Detection
• Host-based Packet Filtering
• Activity Monitoring and Auditing
Cloud Security Differences
Self-Service Interaction
Hyper-Connectivity and Hyper-Scale
Increasing Velocity of Change
Successful Strategies for Cloud Security
• Start with “Good Ingredients”
• Build and Test “Once”, Deploy Everywhere
• Prohibit Change Where Possible
• Compartmentalize Services and Access
• Efficiently Detect and Respond to Threats
• Holistically Leverage Encryption
Simplified Provisioning
Solaris 11 Automated Installation
Streamlined Patch Management
• 4X Faster upgrades typical
• Create ZFS boot environment to safely apply updates
• Full dependency check of packages, crypto verified, auditable
• Reboot updated ZFS boot environment
New Security Patch
6:00: pkg update
6:00-6:02: Dependency checks, patch/update planning
6:02-6:04: New boot environment created, updates downloaded and applied
6:04-6:06: reboot
Up and running again
Maintenance window: 6-7pm
Solaris 11 Image Packaging System
Reduced Attack Surface
• Expose only required services to the network
– Reduce the operating system network footprint
– Most services are disabled; a few are set to “local only”
• Integrated with Service Management Facility
– Common administrative model for all service operations
– Fully customizable based upon unique site requirements
• Foundation for Additional Protections and Configuration
Solaris 11 Network Secure by Default
Strong Service Isolation
• Solaris 11 Zones
– Restricted operating environment for enhanced security
– Per-zone hardening, RBAC, privileges, resource controls, etc.
– Per-zone system resources, networking, data sets, etc.
• New in Solaris 11
– Zone Integrity Policies (Flexible, Strict, Fixed, None)
– Delegated Administration (Console, Install, Boot, Shutdown)
– Virtual Networking (NICs, Switches, etc.)
Solaris 11 Zones
Separation of Duty
• Role-based Access Control
– Compose collections of administrative rights for users and roles
– Roles can only be assumed by authorized users
– Accountability is preserved – original UID is always tracked
• New in Solaris 11
– By default, the root account is now a role
– Role authentication can use either user or role's password
– CLI for managing users, roles, rights and groups
Solaris 11 Role-based Access Control
Separation of Duty
• Fine-Grained Process Privileges
– Sandbox users and applications to limit potential for damage
– Decomposes administrative capabilities into discrete privileges
– Eliminates need for many services to start as 'root'
– Always enabled and enforced by the Solaris kernel
• New in Solaris 11
– New privileges: file_read, file_write, and net_access
– Support for “forced privileges” for set-uid root programs
– Stop profile to limit specific commands and authorizations
Solaris 11 Fine-grained Process Privileges
Isolating Management Roles and Capabilities
System Administrator
Service Administrator
Cloud Administrator
Holistic Data Protection
• Encryption policy is set at the ZFS data set level
• Supports delegation of key management operations
• Leverages a dual key model: wrapping vs. encryption key
• Variety of options for format/location of the wrapping key
• Wrapping key inherited by child data sets
Solaris 11 ZFS Encryption
Holistic Data Protection
• Unified Standards-based Framework
• Automatic Hardware Acceleration Usage
• NSA Suite B Algorithms
Solaris 11 Cryptographic Framework
Hardware Cryptographic Acceleration
Processor / Mechanisms | UltraSPARC T2/T2+ | SPARC T3 | SPARC T4
Asymmetric / Public Key Encryption | RSA, DSA, ECC | RSA, DH, DSA, ECC | RSA, DH, DSA, ECC
Symmetric Key / Bulk Encryption | AES, DES, 3DES, RC4 | AES, DES, 3DES, Kasumi | AES, DES, 3DES, Camellia, Kasumi
Message Digest / Hash Functions | MD5, SHA-1, SHA-256 | CRC32c, MD5, SHA-1, SHA-256, SHA-384, SHA-512 | CRC32c, MD5, SHA-1, SHA-224, SHA-256, SHA-384, SHA-512
Random Number Generation | Supported | Supported | Supported
API Support | PKCS#11 Standard | PKCS#11 Standard | PKCS#11 Standard, uCrypto API
Comprehensive Monitoring
• Solaris 11 Auditing
– Kernel-based fine-grained introspection
– Captured events include: admin. actions, commands, syscalls
– Configurable audit policy at both the system / user level
– Zones can be audited from within the global zone
– Audit logs can be exported as binary, text, or XML files
• New in Solaris 11
– Auditing on by default with no performance penalty
– Greater visibility into system events with less “noise”
Solaris 11 Auditing
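An added example, not part of the original slides: the Auditing and Role-based Access Control slides state that audit logs can be exported as XML and that the original UID is always tracked. The Python sketch below reads a constructed sample shaped like `praudit -x` output and attributes events performed under a different effective identity back to the login identity; the sample records, the reduced attribute set and the function names are assumptions.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in the shape of `praudit -x` output (not real audit data).
SAMPLE_XML = """<audit>
<record event="login - ssh" iso8601="2011-11-09 18:01:12.101 -05:00">
<subject audit-uid="alice" uid="alice" pid="2101"/><return errval="success" retval="0"/></record>
<record event="su" iso8601="2011-11-09 18:03:40.220 -05:00">
<subject audit-uid="alice" uid="root" pid="2150"/><return errval="success" retval="0"/></record>
<record event="execve(2)" iso8601="2011-11-09 18:04:02.007 -05:00"><path>/usr/sbin/zfs</path>
<subject audit-uid="alice" uid="root" pid="2163"/><return errval="success" retval="0"/></record>
<record event="su" iso8601="2011-11-09 18:09:55.731 -05:00">
<subject audit-uid="bob" uid="bob" pid="2204"/><return errval="failure" retval="-1"/></record>
</audit>"""

def parse_records(xml_text):
    """Flatten each <record> into a dict with the fields used below."""
    out = []
    for rec in ET.fromstring(xml_text).iter("record"):
        subj, ret = rec.find("subject"), rec.find("return")
        if subj is None or ret is None:
            continue  # records without a subject or return token carry no identity/outcome
        out.append({
            "time": rec.get("iso8601"),
            "event": rec.get("event"),
            "audit_uid": subj.get("audit-uid"),  # identity fixed at login
            "uid": subj.get("uid"),              # effective identity at event time
            "ok": ret.get("errval", "").startswith("success"),
            "path": rec.findtext("path"),        # None when the record has no path token
        })
    return out

def actions_under_other_identity(records):
    """Successful events whose effective uid differs from the login identity."""
    return [(r["audit_uid"], r["uid"], r["event"], r["path"])
            for r in records if r["ok"] and r["audit_uid"] != r["uid"]]

def failures_by_login_identity(records):
    """Count failed events per original (login) identity."""
    return Counter(r["audit_uid"] for r in records if not r["ok"])

if __name__ == "__main__":
    recs = parse_records(SAMPLE_XML)
    for who, as_uid, event, path in actions_under_other_identity(recs):
        print(f"{who} acting as {as_uid}: {event} {path or ''}")
    print(dict(failures_by_login_identity(recs)))
```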
Putting it all together
with Solaris 11 Security!
Architectural Strategies
[Diagram: Non-Global Zone]
• Binaries and Libraries
• Configuration Files
• Temporary and Log Files
• Application Data
• ZFS Encrypted Data Set(s)
• Delegated Application Administration
• Secure by Default / OS Hardening
• Service Hardening, Encrypted Comms, Limited Privileges
Building a Secure Service Delivery Platform for the Cloud
Architectural Strategies
Encrypted Root
Limited Resources
Delegated Admin.
Monitoring / Auditing
Network Security
Building a Secure Service Delivery Platform for the Cloud
Architectural Strategies
Virtual Networking (w/QoS and Data Link Protection)
[Diagram labels, repeated for each instance shown]
Encrypted Root
Limited Resources
Delegated Admin.
Monitoring / Auditing
Network Security
Building a Secure Service Delivery Platform for the Cloud
Solaris 11 Instance (Global Zone)
Architectural Strategies
Monitoring / Auditing
Delegated Administration
Hardware Accel. Cryptography
Building a Secure Service Delivery Platform for the Cloud
Additional Strategies
Successful Strategies for Cloud Security
• Start with “Good Ingredients”
• Build and Test “Once”, Deploy Everywhere
• Prohibit Change Where Possible
• Compartmentalize Services and Access
• Efficiently Detect and Respond to Threats
• Holistically Leverage Encryption
For More Information / Try Out Today
• Product overview and download
– oracle.com/solaris
• Oracle Technology Network
– oracle.com/technetwork/server-storage/solaris11
• System administrators community
– oracle.com/technetwork/systems
@ORCL_Solaris
facebook.com/oraclesolaris
Oracle Solaris Insider
Questions