1 Copyright © 2011, Oracle and/or its affiliates. All rights
reserved.
Extending Data Center Grade Security to the Cloud
Glenn Brunette
Chief Technology Officer, ESG
Oracle Solaris 11
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.
Traditional OS Security Techniques
• Software Minimization
• Installing Up-to-Date Security Patches
• System and Service Configuration Hardening
• Strong Authentication and Access Control
• Securing Data At Rest, In Transit, and In Use
• Exploit Prevention and Detection
• Host-based Packet Filtering
• Activity Monitoring and Auditing
Cloud Security Differences
• Self-Service Interaction
• Hyper-Connectivity and Hyper-Scale
• Increasing Velocity of Change
Successful Strategies for Cloud Security
• Start with “Good Ingredients”
• Build and Test “Once”, Deploy Everywhere
• Prohibit Change Where Possible
• Compartmentalize Services and Access
• Efficiently Detect and Respond to Threats
• Holistically Leverage Encryption
Simplified Provisioning
Solaris 11 Automated Installation
Streamlined Patch Management
• Upgrades typically 4x faster
• Updates are applied into a newly created ZFS boot environment, so the running system is never modified in place
• Full package dependency check; packages are cryptographically verified; every operation is auditable
• Reboot into the updated ZFS boot environment (the previous one remains for rollback)
Example: applying a new security patch inside a 6-7 pm maintenance window
– 6:00: pkg update
– 6:00-6:02: dependency checks, patch/update planning
– 6:02-6:04: new boot environment created, updates downloaded and applied
– 6:04-6:06: reboot, up and running again
Solaris 11 Image Packaging System
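Worked example, added here and not part of the original deck: the timeline above as a script. It uses real pkg(1) and beadm(1M) invocations, which only run on a Solaris 11 host; elsewhere it exercises the post-update check on a constructed `beadm list -H` sample. The boot environment name `solaris-sru1` and the publisher name `solaris` are assumptions.

```shell
#!/bin/sh
# Added example (not from the slides): update a Solaris 11 host into a fresh ZFS boot
# environment (BE) and prove, from beadm(1M) output, that the running BE is untouched
# and the new one is the reboot target. BE name and publisher name are assumptions.

PUBLISHER=solaris

# Constructed sample of 'beadm list -H' taken after 'pkg update --be-name solaris-sru1'.
# Fields: name;uuid;active-flags;mountpoint;space;policy;created
# Flags: N = booted now, R = active on next reboot, empty or '-' = neither.
SAMPLE_BEADM='solaris;2b1f5b9c-0000-4000-8000-000000000001;N;/;4.42G;static;2011-11-09 10:02
solaris-sru1;2b1f5b9c-0000-4000-8000-000000000002;R;;5.10G;static;2011-11-10 18:04'

# Print the BE name(s) whose active-flags field contains $1 (N or R); stdin = beadm list -H
be_with_flag() {
    awk -F';' -v f="$1" 'index($3, f) { print $1 }'
}

# Succeed only when the next boot lands on a different BE than the one running now,
# i.e. the update went into a new BE and the old one is still there for rollback.
update_verified() {
    input=$(cat)
    now=$(printf '%s\n' "$input" | be_with_flag N)
    next=$(printf '%s\n' "$input" | be_with_flag R)
    [ -n "$now" ] && [ -n "$next" ] && [ "$now" != "$next" ]
}

# Refuse packages whose signatures do not verify against the publisher's certificates.
require_signed_packages() {
    pkg set-publisher --set-property signature-policy=verify "$PUBLISHER"
}

# Dry run: resolve dependencies and show the plan, changing nothing on disk.
plan_update() {
    pkg update -nv
}

# Apply into a new BE named $1; the running BE is never modified. On success the new
# BE is the reboot target ('init 6' to switch); 'beadm activate <old>' rolls back.
apply_update() {
    pkg update --require-new-be --be-name "$1" && beadm list -H | update_verified
}

# Audit trail of every packaging operation on this image.
show_history() {
    pkg history -l
}

if command -v pkg >/dev/null 2>&1 && command -v beadm >/dev/null 2>&1; then
    plan_update
else
    echo "pkg(1)/beadm(1M) not present; checking the constructed sample instead" >&2
    printf '%s\n' "$SAMPLE_BEADM" | update_verified &&
        echo "reboot target: $(printf '%s\n' "$SAMPLE_BEADM" | be_with_flag R)"
fi
```

Run `plan_update` first and read the plan; `apply_update solaris-sru1` then only succeeds if beadm confirms that the booted BE and the reboot target differ, which is the property that makes the update safe to roll back.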
Reduced Attack Surface
• Expose only required services to the network
– Reduce the operating system's network footprint
– Most services are disabled; a few (e.g. rpc/bind) are set to “local only”
• Integrated with Service Management Facility
– Common administrative model for all service operations
– Fully customizable based upon unique site requirements
• Foundation for Additional Protections and Configuration
Solaris 11 Network Secure by Default
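Added check, not from the deck: what “secure by default” should look like on the wire, and how to verify it instead of trusting it. The listener allowlist (ssh only) and the `netstat -an -f inet -P tcp` sample are constructed assumptions; the Solaris commands run only when `uname` reports SunOS.

```shell
#!/bin/sh
# Added example (not from the slides): verify that a Solaris 11 host really is secure
# by default on the network, by listing what is bound network-wide and flagging
# anything outside an explicit allowlist. The allowlist is an assumption.

# TCP ports this host is meant to expose beyond loopback (assumed policy: ssh only).
ALLOWED_PORTS="22"

# Constructed sample of 'netstat -an -f inet -P tcp' on a host where rpc/bind was
# switched from local-only to network-wide.
SAMPLE_NETSTAT='TCP: IPv4
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q    State
-------------------- -------------------- ----- ------ ----- ------ -----------
      *.22                 *.*                0      0 128000      0 LISTEN
      *.111                *.*                0      0 128000      0 LISTEN
127.0.0.1.25               *.*                0      0 128000      0 LISTEN
127.0.0.1.111              *.*                0      0 128000      0 LISTEN
192.0.2.10.22        198.51.100.7.50122   65535      0 128000      0 ESTABLISHED'

# stdin = netstat output; prints "addr port" for every LISTEN socket that is reachable
# from the network (not bound to 127.0.0.0/8) and whose port is not in ALLOWED_PORTS.
unexpected_listeners() {
    awk -v allowed="$ALLOWED_PORTS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $NF == "LISTEN" {
            # Solaris prints the local endpoint as addr.port; split on the last dot.
            i = match($1, /\.[0-9]+$/)
            addr = substr($1, 1, i - 1); port = substr($1, i + 1)
            if (addr !~ /^127\./ && !(port in ok)) print addr, port
        }'
}

# Solaris-only: put the network profile back to local-only services and show the
# rpc/bind property that decides whether it listens beyond loopback (true = local only).
restore_limited_profile() {
    /usr/sbin/netservices limited
    svcprop -p config/local_only svc:/network/rpc/bind
}

if [ "$(uname -s 2>/dev/null)" = SunOS ]; then
    out=$(netstat -an -f inet -P tcp | unexpected_listeners)
else
    out=$(printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners)
fi
if [ -n "$out" ]; then
    printf 'unexpected network-wide listener: %s\n' "$out"
else
    echo "no unexpected network-wide listeners"
fi
```

On the sample the only finding is `* 111`: rpcbind on every interface, while the loopback-bound sendmail and the second rpcbind socket on 127.0.0.1 pass. Run this after every `svcadm enable` or profile change, since a single SMF property flips a service from local-only to network-wide.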
Strong Service Isolation
• Solaris 11 Zones
– Restricted operating environment for enhanced security
– Per-zone hardening, RBAC, privileges, resource controls, etc.
– Per-zone system resources, networking, data sets, etc.
• New in Solaris 11
– Zone Integrity Policies (Flexible, Strict, Fixed, None)
– Delegated Administration (Console, Install, Boot, Shutdown)
– Virtual Networking (NICs, Switches, etc.)
Solaris 11 Zones
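Added example, not from the deck: a zonecfg(1M) command file that applies the controls listed on this slide, plus a policy check over it. The “integrity policies” named above are the `file-mac-profile` values `none`, `flexible-configuration`, `fixed-configuration` and `strict`. Zone name `web01`, delegated user `alice`, address `192.0.2.10` and lower link `net0` are assumptions; the zone is only created when the functions are invoked on a Solaris host.

```shell
#!/bin/sh
# Added example (not from the slides): generate a zonecfg command file with an
# immutable root, a bounded privilege ceiling, resource caps, anti-spoofing on the
# virtual NIC and delegated administration, then check it against a written policy.
# Zone name, admin user, address and lower link are assumptions.

# Print a zonecfg command file for zone $1, delegated to user $2, pinned to address $3.
zone_config() {
    cat <<EOF
create
set zonepath=/zones/$1
set autoboot=true
set file-mac-profile=fixed-configuration
set limitpriv=default
set max-lwps=2000
select anet linkname=net0
set lower-link=net0
set allowed-address=$3/24
set link-protection=mac-nospoof,ip-nospoof,dhcp-nospoof,restricted
end
add capped-memory
set physical=2G
end
add admin
set user=$2
set auths=login,manage
end
EOF
}

# stdin = zonecfg command file; prints one line per policy violation, fails if any.
# 'limitpriv=default' already excludes e.g. sys_time; additions of 'all' or any
# sys_* privilege are rejected, removals ('!priv') are allowed.
check_zone_config() {
    awk '
        /^set file-mac-profile=/ { sub(/^[^=]*=/, ""); mac = $0 }
        /^set link-protection=/  { sub(/^[^=]*=/, ""); lp = $0 }
        /^set allowed-address=/  { addr = 1 }
        /^set limitpriv=/        { sub(/^[^=]*=/, ""); priv = $0 }
        /^set auths=/            { sub(/^[^=]*=/, ""); auths = $0 }
        END {
            bad = 0
            if (mac != "fixed-configuration" && mac != "strict")
                { print "file-mac-profile must be fixed-configuration or strict, got: " (mac == "" ? "unset" : mac); bad++ }
            if (lp !~ /mac-nospoof/ || lp !~ /ip-nospoof/)
                { print "anet link-protection must include mac-nospoof and ip-nospoof"; bad++ }
            if (!addr)
                { print "anet allowed-address unset: zone may claim any address on the link"; bad++ }
            if (priv ~ /(^|,)(all|sys_[a-z_]*)(,|$)/)
                { print "limitpriv grants beyond default: " priv; bad++ }
            if (auths ~ /clonefrom/)
                { print "delegated admin may clone the zone (clonefrom); drop unless required"; bad++ }
            exit bad > 0
        }'
}

# Solaris-only: write, check, load and install the zone.
create_zone() {
    cfg=/tmp/$1.cfg
    zone_config "$1" "$2" "$3" > "$cfg"
    check_zone_config < "$cfg" || return 1
    zonecfg -z "$1" -f "$cfg" && zoneadm -z "$1" install
}

zone_config web01 alice 192.0.2.10 | check_zone_config && echo "web01 config passes policy"
```

With `fixed-configuration` the zone's own root cannot change its system configuration from inside; the delegated admin gets `login` and `manage` (boot, halt, console) and nothing that touches the global zone. `check_zone_config` is the gate that keeps a later hand edit from silently relaxing any of this.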
Separation of Duty
• Role-based Access Control
– Compose collections of administrative rights for users and roles
– Roles can only be assumed by authorized users
– Accountability is preserved – original UID is always tracked
• New in Solaris 11
– By default, the root account is now a role
– Role authentication can use either the user's or the role's password
– CLI for managing users, roles, rights and groups
Solaris 11 Role-based Access Control
Separation of Duty
• Fine-Grained Process Privileges
– Sandbox users and applications to limit potential for damage
– Decomposes administrative capabilities into discrete privileges
– Eliminates the need for many services to start as ‘root’
– Always enabled and enforced by the Solaris kernel
• New in Solaris 11
– New privileges: file_read, file_write, and net_access
– Support for “forced privileges” for set-uid root programs
– Stop profile to limit specific commands and authorizations
Solaris 11 Fine-grained Process Privileges
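Added example, not from the deck, serving both this slide and the preceding Role-based Access Control slide: a role that only an authorized user may assume, a service started by SMF with a bounded privilege set instead of as root, and a check of a running process's effective privileges against that bound. The role `svcop`, user `alice`, service `svc:/application/myweb:default`, the `WEB_PRIVS` set and the `ppriv -v` sample are all assumptions.

```shell
#!/bin/sh
# Added example (not from the slides): RBAC role setup, least-privilege service
# credentials, and a check of a process's effective privilege set against a bound.
# Role, user, service and privilege names are assumptions.

# Least set for a daemon that binds a port below 1024, forks workers, but needs no
# visibility into other users' processes and no hard links (assumed for the example).
WEB_PRIVS="file_read,file_write,net_access,net_privaddr,proc_exec,proc_fork"

# Constructed sample of 'ppriv -v 2187' for a daemon started without a privilege spec:
# it kept the whole basic set plus a sys_admin it never needed.
SAMPLE_PPRIV='2187:   /usr/lib/webserver
flags = <none>
        E: file_link_any,file_read,file_write,net_access,net_privaddr,proc_exec,proc_fork,proc_info,proc_session,sys_admin
        I: file_link_any,file_read,file_write,net_access,net_privaddr,proc_exec,proc_fork,proc_info,proc_session,sys_admin
        P: file_link_any,file_read,file_write,net_access,net_privaddr,proc_exec,proc_fork,proc_info,proc_session,sys_admin
        L: all'

# stdin = ppriv -v output; prints the effective (E) set one privilege per line.
effective_privs() {
    awk '$1 == "E:" { n = split($2, p, ","); for (i = 1; i <= n; i++) print p[i] }'
}

# $1 = allowed privileges (comma-separated); stdin = ppriv -v output.
# Prints every effective privilege outside the allowed set; fails if there are any.
privs_outside() {
    effective_privs | awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, ","); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        !($1 in ok) { print; bad++ }
        END { exit bad > 0 }'
}

# Solaris-only. Role 'svcop' carries the stock "Service Operator" rights profile and a
# profile shell; roleauth=user means alice authenticates with her own password, and only
# users listed via usermod -R may assume the role. Audit records keep alice's UID.
setup_role() {
    roleadd -K roleauth=user -P "Service Operator" -s /usr/bin/pfbash -m svcop
    usermod -R svcop alice
}

# Solaris-only. SMF starts the (assumed) service as an unprivileged user holding exactly
# WEB_PRIVS; net_privaddr alone covers the port bind, so root is never involved.
# For a one-off run from a shell: ppriv -e -s A=$WEB_PRIVS /path/to/daemon
setup_service_privs() {
    fmri=svc:/application/myweb:default
    svccfg -s "$fmri" setprop start/user = astring: webuser
    svccfg -s "$fmri" setprop start/group = astring: webgroup
    svccfg -s "$fmri" setprop start/privileges = astring: "$WEB_PRIVS"
    svccfg -s "$fmri" setprop start/limit_privileges = astring: "$WEB_PRIVS"
    svcadm refresh "$fmri" && svcadm restart "$fmri"
}

if [ "$(uname -s 2>/dev/null)" = SunOS ] && [ -n "$1" ]; then
    ppriv -v "$1" | privs_outside "$WEB_PRIVS" || echo "pid $1 exceeds $WEB_PRIVS"
else
    printf '%s\n' "$SAMPLE_PPRIV" | privs_outside "$WEB_PRIVS" ||
        echo "sample daemon exceeds its allowed set (privileges listed above)"
fi
```

On the sample the excess is `file_link_any`, `proc_info`, `proc_session` and `sys_admin`; after `setup_service_privs` the same check on the restarted daemon's PID prints nothing. Note that `limit_privileges` is what stops the daemon, or anything it execs, from ever regaining what was dropped.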
Isolating Management Roles and Capabilities
• System Administrator
• Service Administrator
• Cloud Administrator
Holistic Data Protection
• Encryption policy is set at the ZFS data set level
• Supports delegation of key management operations
• Leverages a dual key model: wrapping vs. encryption key
• Variety of options for format/location of the wrapping key
• Wrapping key inherited by child data sets
Solaris 11 ZFS Encryption
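Added example, not from the deck: an encrypted application data set tree under one wrapping key, key handling delegated to the application owner, rotation of the wrapping key without rewriting data, and a check over `zfs get` output for data sets still in clear. Pool `tank`, user `appadm`, the key path and the sample output are assumptions.

```shell
#!/bin/sh
# Added example (not from the slides): ZFS encryption with the dual key model,
# delegated key management, and an "is anything still unencrypted?" check.
# Pool, data set, user and key path are assumptions.

POOL=tank
KEYFILE=/etc/zfs/keys/tank-app.key

# Constructed sample of 'zfs get -H -r -o name,value encryption tank' after setup:
# children created under tank/app inherited encryption; tank/logs was created outside it.
SAMPLE_ZFS=$(printf 'tank\toff\ntank/app\taes-256-ccm\ntank/app/data\taes-256-ccm\ntank/app/tmp\taes-256-ccm\ntank/logs\toff\n')

# stdin = zfs get output (name value); prints every data set whose encryption is off,
# except the pool root named in $1 (which holds no application data here by policy).
unencrypted_datasets() {
    awk -v root="$1" '$2 == "off" && $1 != root { print $1 }'
}

# Solaris-only. The wrapping key is 32 random bytes from pktool; ZFS generates the
# separate data-encryption key itself and stores it wrapped under this key, so the
# wrapping key can change without touching the data.
create_encrypted_tree() {
    mkdir -p "$(dirname "$KEYFILE")" && chmod 700 "$(dirname "$KEYFILE")"
    pktool genkey keystore=file outkey="$KEYFILE" keytype=aes keylen=256
    zfs create -o encryption=aes-256-ccm -o keysource=raw,file://"$KEYFILE" "$POOL/app"
    zfs create "$POOL/app/data"      # inherits encryption and the wrapping key
    zfs create "$POOL/app/tmp"
    # Application owner may load/unload and change the wrapping key, nothing else
    # (Solaris 11 zfs(1M) delegated permissions 'key' and 'keychange').
    zfs allow -u appadm key,keychange "$POOL/app"
}

# Solaris-only. Rotate the wrapping key (rewrap only, no data rewrite), then start a
# fresh data encryption key for everything written from now on.
rotate_keys() {
    new="$KEYFILE.$(date +%Y%m%d)"
    pktool genkey keystore=file outkey="$new" keytype=aes keylen=256
    zfs key -c -o keysource=raw,file://"$new" "$POOL/app"
    zfs key -K "$POOL/app"
}

if [ "$(uname -s 2>/dev/null)" = SunOS ]; then
    zfs get -H -r -o name,value encryption "$POOL" | unencrypted_datasets "$POOL"
else
    printf '%s\n' "$SAMPLE_ZFS" | unencrypted_datasets "$POOL"
fi
```

The check reports `tank/logs` for the sample: encryption is inherited only by children created under an encrypted parent, so a data set created beside the tree is in clear even though it lives in the same pool. Delegating `key,keychange` rather than a root role is what lets the application owner rotate keys without becoming a system administrator.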
Holistic Data Protection
• Unified Standards-based Framework
• Automatic Hardware Acceleration Usage
• NSA Suite B Algorithms
Solaris 11 Cryptographic Framework
Hardware Cryptographic Acceleration
Mechanisms offloaded per processor generation:
• UltraSPARC T2/T2+
– Asymmetric / public key encryption: RSA, DSA, ECC
– Symmetric key / bulk encryption: AES, DES, 3DES, RC4
– Message digest / hash functions: MD5, SHA-1, SHA-256
– Random number generation: supported
– API support: PKCS#11 standard
• SPARC T3
– Asymmetric / public key encryption: RSA, DH, DSA, ECC
– Symmetric key / bulk encryption: AES, DES, 3DES, Kasumi
– Message digest / hash functions: CRC32c, MD5, SHA-1, SHA-256, SHA-384, SHA-512
– Random number generation: supported
– API support: PKCS#11 standard
• SPARC T4
– Asymmetric / public key encryption: RSA, DH, DSA, ECC
– Symmetric key / bulk encryption: AES, DES, 3DES, Camellia, Kasumi
– Message digest / hash functions: CRC32c, MD5, SHA-1, SHA-224, SHA-256, SHA-384, SHA-512
– Random number generation: supported
– API support: PKCS#11 standard, uCrypto API
Comprehensive Monitoring
• Solaris 11 Auditing
– Kernel-based fine-grained introspection
– Captured events include: admin. actions, commands, syscalls
– Configurable audit policy at both the system / user level
– Zones can be audited from within the global zone
– Audit logs can be exported as binary, text, or XML files
• New in Solaris 11
– Auditing is enabled by default (login/logout events), with negligible performance impact
– Greater visibility into system events with less “noise”
Solaris 11 Auditing
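Added example, not from the deck: raising the default audit policy from login/logout only to command execution with arguments and administrative actions, checking the active configuration rather than the configured one, and exporting one user's trail as XML. The required class list, the `zonename` policy choice and the `auditconfig` sample output (mask values are placeholders) are assumptions.

```shell
#!/bin/sh
# Added example (not from the slides): harden and verify the Solaris 11 audit
# configuration, and pull one user's records for a SIEM. Required classes,
# policies and the constructed auditconfig output are assumptions.

# lo login/logout, ex exec, ua user administration, as system-wide administration.
REQUIRED_CLASSES="lo,ex,ua,as"
# argv records exec arguments; zonename tags each record with its zone so non-global
# zones can be audited from the global zone.
REQUIRED_POLICY="argv,zonename"

# Constructed samples of 'auditconfig -getflags' and '-getpolicy' on a host where the
# classes were raised but 'argv' was never enabled (mask values in parentheses are placeholders).
SAMPLE_FLAGS='active user default audit flags = lo,ex,ua,as(0x0,0x0)
configured user default audit flags = lo,ex,ua,as(0x0,0x0)'
SAMPLE_POLICY='configured audit policies = cnt
active audit policies = cnt,zonename'

# stdin = auditconfig output; prints the comma-separated value of the "active ..." line,
# i.e. what the kernel is enforcing now, not what is merely configured for next boot.
active_value() {
    awk -F'= ' '/^active / { sub(/\(.*$/, "", $2); print $2 }'
}

# $1 = required comma-separated items; stdin = auditconfig output.
# Prints each required item missing from the active setting; fails if any.
missing_items() {
    active_value | awk -v req="$1" '
        { n = split($0, a, ","); for (i = 1; i <= n; i++) have[a[i]] = 1 }
        END {
            m = split(req, r, ",")
            for (i = 1; i <= m; i++) if (!(r[i] in have)) { print r[i]; bad++ }
            exit bad > 0
        }'
}

# Solaris-only. Sets attributable and non-attributable classes plus policies, then
# 'audit -s' makes the audit service pick them up without a reboot.
harden_audit() {
    auditconfig -setflags "$REQUIRED_CLASSES"
    auditconfig -setnaflags lo
    auditconfig -setpolicy +argv
    auditconfig -setpolicy +zonename
    audit -s
}

# Solaris-only. Everything user $1 did, selected by audit UID (so actions taken after
# assuming a role are still attributed to $1), as XML; use praudit -s for short text.
export_user_trail() {
    auditreduce -u "$1" | praudit -x
}

if [ "$(uname -s 2>/dev/null)" = SunOS ]; then
    auditconfig -getflags  | missing_items "$REQUIRED_CLASSES" || echo "audit classes incomplete"
    auditconfig -getpolicy | missing_items "$REQUIRED_POLICY"  || echo "audit policy incomplete"
else
    printf '%s\n' "$SAMPLE_FLAGS"  | missing_items "$REQUIRED_CLASSES" || echo "audit classes incomplete"
    printf '%s\n' "$SAMPLE_POLICY" | missing_items "$REQUIRED_POLICY"  || echo "audit policy incomplete (missing items above)"
fi
```

On the sample the classes pass and the policy check reports `argv`: without it the `ex` class records that a command ran but not what it was asked to do, which is the detail an investigator needs most.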
Putting it all together with Solaris 11 Security!
Architectural Strategies: Non-Global Zone
• Application A: binaries and libraries, configuration files, temporary and log files, and application data, all on ZFS encrypted data set(s)
• Delegated application administration
• Secure by default / OS hardening
• Service hardening, encrypted communications, limited privileges
Building a Secure Service Delivery Platform for the Cloud
Architectural Strategies: each non-global zone gets
• Encrypted root
• Limited resources
• Delegated administration
• Monitoring / auditing
• Network security
Building a Secure Service Delivery Platform for the Cloud
Architectural Strategies: several such zones (each with encrypted root, limited resources, delegated administration, monitoring / auditing and network security) share one host over virtual networking with QoS and data link protection
Building a Secure Service Delivery Platform for the Cloud
Architectural Strategies: Solaris 11 Instance (Global Zone)
• Monitoring / auditing
• Delegated administration
• Hardware-accelerated cryptography
Building a Secure Service Delivery Platform for the Cloud
Additional Strategies
Successful Strategies for Cloud Security
• Start with “Good Ingredients”
• Build and Test “Once”, Deploy Everywhere
• Prohibit Change Where Possible
• Compartmentalize Services and Access
• Efficiently Detect and Respond to Threats
• Holistically Leverage Encryption
For More Information / Try Out Today
• Product overview and download
– oracle.com/solaris
• Oracle Technology Network
– oracle.com/technetwork/server-storage/solaris11
• System administrators community
– oracle.com/technetwork/systems
@ORCL_Solaris
facebook.com/oraclesolaris
Oracle Solaris Insider
Questions