hp integrity nonstop system security roadmap


Page 1: HP Integrity NonStop System Security Roadmap

HP Integrity NonStop System Security Roadmap
NonStop Education
03/19/09

Karen Copeland, NED Product Management
Wendy Bartlett, NED Distinguished Technologist

© 2006 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice
© 2009 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice
NetApp and HP Confidential
Technology for better business outcomes

Page 2: HP Integrity NonStop System Security Roadmap

Agenda

• NonStop Roadmap Introduction
• NonStop Security Roadmap
• Where to get more information

Page 3: HP Integrity NonStop System Security Roadmap

Security Roadmap Introduction

Page 4: HP Integrity NonStop System Security Roadmap

Security Issues and Customers

• When security is breached, companies face:
− Fines
− Lost productivity
− Customer loss/dissatisfaction
− Government probes
− Bad press
− Ruined reputations

• Around the world there are 20,000 security regulations that businesses must meet, and more emerge locally every year.

Security Breach                          User records impacted
Heartland Payment Systems                100,000,000+
TJ Maxx retail stores                    45,700,000
Dai Nippon Printing                      9,000,000
Johns Hopkins University and Hospital    1,200,000
State of Ohio                            860,000

Source: http://www.privacyrights.org/ar/ChronDataBreaches.htm#CP

Page 5: HP Integrity NonStop System Security Roadmap

20 March 2009

HP Secure Advantage
Your secure end-to-end business advantage
Products – Partners – Solutions

Technology, people and process:

Protect data, in all its forms (data at rest, data in motion, data in use): use encryption and identity management in combination with other proactive security management techniques.

Protect resources, by improving availability and protecting your networks, systems, applications, software and DBMS, using trusted platforms: minimize disruptions due to security breaches with a trusted and hardened infrastructure.

Protect validation: establish a secure audit trail across the organization as proof of compliance for internal and external auditors, with real-time alerts and process alignment; encryption and key management working with integrated compliance solutions across the organization.

Business outcomes: NonStop is participating in the HP Secure Advantage program and is driving a Security Roadmap to offer enhanced capabilities to our NonStop customers.

Page 6: HP Integrity NonStop System Security Roadmap

HP NonStop Security Requirements from Customers

• Protect critical business data on the NonStop
• Be able to meet compliance regulations as business needs require:
− Many NonStop retail and financial customers must comply with the PCI (Payment Card Industry) Data Security Standard
• Security should not be an "afterthought" but an integral part of the system
• Products should provide reasonable ROI for customers:
− Products should be priced to provide good value
− Training effort to use products should not be excessive
− Effort to install, configure and maintain products should not be complex

Page 7: HP Integrity NonStop System Security Roadmap

HP NonStop Security Roadmap Inputs/Influences

HP accepts and uses input from a number of important sources to build the Security Roadmap, including:

• The Connect Security SIG
• HP's Strategic Direction
• Direct Customer Input
• NonStop Security Partners
• NonStop Security CAB
• Other sources (may include sales or field information, input from customer and industry surveys, technical information on industry trends and competitive directions)

Page 8: HP Integrity NonStop System Security Roadmap

HP NonStop Security Strategy Progression

In the Past
• HP provided base security functions
• NonStop Partners provided advanced and customized security features directly to NonStop customers

Today
• HP is increasing security offerings to meet customer requests for basic security features to come from HP directly
• NonStop Partners continue as in the past, but may also work with HP to offer new and existing security products through HP

In the Future
• HP will continue to offer security products and may add products to the pricebook as appropriate to meet our customers' needs
• Partners continue as in the past, delivering to customers directly and through HP

Page 9: HP Integrity NonStop System Security Roadmap

NonStop Security Strategy

• Improve NonStop security capabilities offered by HP
− Enhance security offerings to offer new security products to customers
− Correct existing product shortcomings
− Invest in areas of largest impact
• Leverage Partner products
− Examine opportunities to leverage existing partner technologies and engage for new customer offerings
• Leverage expertise inside HP
− Participate in the Secure Advantage program
− Support security standards and HP interoperability efforts

Page 10: HP Integrity NonStop System Security Roadmap

NonStop Security Areas / Categories

On Platform Security: Only authorized users can access the system. Access to data and other resources is controlled and audited.

Data In Motion: Network and sensitive data moving between systems or workstations cannot be deciphered if intercepted.

Audit and Compliance: Security policies can be verified to be working and compliance regulations can be proven to be in place.

Data At Rest: Stored data and sensitive customer information is protected on disk and tape.

Page 11: HP Integrity NonStop System Security Roadmap

NonStop Security: Other Areas of Future Investment

NonStop Security Education & Training
Security Certification training track for NonStop: how to lock down the system, expert usage of security products including partner products, how to apply PCI DSS to the NonStop environment. Aimed at HP NonStop field people and customers.

Security Services for NonStop
Services to help customers implement security products and tools: product installation, setup, configuration and tuning services; advice and guidance on meeting compliance regulations using NonStop.

Page 12: HP Integrity NonStop System Security Roadmap

NonStop Security Roadmap

Page 13: HP Integrity NonStop System Security Roadmap

On Platform: Safeguard Enhancements Available Now from HP

Recent Safeguard enhancements:
• Password length, strength (H06.08, H06.09, G06.31)
• Reset failed logon counts (H06.10)
• Sanctioned privileged logon & performance improvements (H06.11)
• Audit pool CLEARONPURGE options (H06.12)
• Configurable audit exclusion (H06.14, J06.03)
• Variable-length text description audit (H06.14, J06.03)
• TACL logoff/exit audit (H06.14, J06.03)
• Configurable OSS audit exclusion (H06.15, J06.04)
• Creator ID and creation timestamp in user/alias/group authentication records (H06.15, J06.04)

G06.32 functionality is equivalent to H06.14/J06.03.

Page 14: HP Integrity NonStop System Security Roadmap

On Platform: Safeguard Enhancements Released in November 2008 from HP

H06.16/J06.05:
• PASSWORD program: support for aliases; ability for a group manager to change a group member's password, and for the owner, the owner's group manager and secondary owners to change a user/alias password
• 255-byte description fields for the following types of object authorization records: disk files, disk volumes, disk subvolumes, devices, subdevices, processes, subprocesses, objecttype, Sec-Group

The next G-series Safeguard release is currently targeted for the summer of 2009.

Future product plans, dates, and functionality are subject to change without notice.

Page 15: HP Integrity NonStop System Security Roadmap

On Platform: Safeguard Enhancements Targeted for May 2009

H06.18/J06.09:
• Support for additional POSIX APIs: initgroups(), setgroups(), seteuid(), and setegid()
• SEEP interface enhancements for security partners:
− Inclusion of the object file name in the Authorization SEEP structure
− Evaluation of a password change request before sending the password event to a Password Quality SEEP
• Wild card support for GROUP ADD MEMBER and ALTER MEMBER commands
• $ZSMP (OSMP) released with HIGHPIN set
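The four POSIX calls listed for H06.18/J06.09 are the ones an OSS program uses to run with only the privilege it needs. The block below is an added example, not code from this presentation or from HP: it is generic POSIX Python showing the order in which a practitioner calls them (groups and gid before the uid, while the process can still change them) and the check that the drop actually took effect. The function names, the optional `username` argument and the uid/gid the caller passes in are this example's own.

```python
import os


def real_ids():
    """Real uid/gid of the calling process: who invoked it."""
    return os.getuid(), os.getgid()


def effective_ids():
    """Effective uid/gid: the identity access checks are made against."""
    return os.geteuid(), os.getegid()


def drop_effective_ids(uid, gid, username=None):
    """Drop the effective identity to (uid, gid), in an order that works.

    Supplementary groups and the gid must be changed while the process still
    has the privilege to do so, i.e. before seteuid() gives that privilege
    away; the reverse order fails with EPERM on the group calls and leaves a
    half-dropped process. seteuid()/setegid() keep the saved set-user-ID, so
    the drop is reversible; that is what a daemon needs when it must regain
    privilege later, while a permanent drop uses setuid()/setgid() instead.
    'username' is an assumed optional argument: when given (root only) the
    supplementary groups come from the group database via initgroups().
    """
    if os.geteuid() == 0:
        # Only root may change supplementary groups; leaving the root-era
        # groups in place would quietly defeat the drop.
        if username is not None:
            os.initgroups(username, gid)
        else:
            os.setgroups([gid])
    os.setegid(gid)
    os.seteuid(uid)
    # Never assume the calls worked: verify, and refuse to go on as anything
    # other than the requested identity.
    if effective_ids() != (uid, gid):
        raise RuntimeError("privilege drop failed, running as %r" % (effective_ids(),))
    return effective_ids()


def drop_to_real_identity():
    """The common case for a privileged helper that has finished its
    privileged work: run on as the user who invoked it."""
    uid, gid = real_ids()
    return drop_effective_ids(uid, gid)
```

The post-drop comparison is the part most often left out: on a misconfigured system `seteuid()` can fail and the program carries on with the privileged identity. Run as an ordinary user the block simply re-asserts the caller's own ids, which is enough to exercise the order and the check.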

Page 16: HP Integrity NonStop System Security Roadmap

On Platform: Safeguard/Standard Security Major Challenges

• Lack of control over OSS as compared to Guardian
• Lack of integration between Safeguard and OSS ACLs
− Or at least a SEEP-like hook for partners
• Lack of integration between Safeguard and SQL/MX
− We'd like to know what the minimum useful contribution would be: consultation with volume ACLs, or ...?
• Lack of multi-threading within Safeguard

Page 17: HP Integrity NonStop System Security Roadmap

On Platform: Safeguard/Standard Security Individual RFEs Under Evaluation

• Additional SEEP interface enhancements for security partners
• Support PRIV LOGON using the Licensed flag as a surrogate when Safeguard is down
• Ability for changes to AUDIT-USER-ACTION-PASS and AUDIT-USER-ACTION-FAIL to take effect immediately
• Add SECOND and THIRD as search options to the CHECK-DISKFILE-PATTERN attribute to provide more granularity and flexibility
• Consultation with Safeguard on debug requests for application processes
• Ability to audit TACL LOGOFFs with less additional audit generated
• Additional audit information, e.g.:
− Actual file system error for failure cases
− IP address
• ... and more ...

Page 18: HP Integrity NonStop System Security Roadmap

On Platform: NonStop System Console Available Now (for J-series, H-series and G-series)

Customer choice for Windows security: Customers can now install Windows security packages for virus and intrusion protection.

NonStop System Console Security Policy: A policy document stating HP's policy for the installation of security software and patches on the NS Console. Available on the web now.

NS Console Security Guidelines: A white paper providing guidance to NonStop customers on how HP recommends they handle security configurations on the NS Console. Available on the web now.

Page 19: HP Integrity NonStop System Security Roadmap

NonStop System Console Security Program Details

Qualified AntiVirus/Firewall packages:
- Symantec Endpoint Protection v11.0
- Symantec AntiVirus v10.x (all releases)
- Sygate Security Agent v4.x (all releases); note: Sygate is now part of Symantec
- McAfee Total Protection for Endpoint
- Windows default Firewall

• These can be added to the NS Console without violating support contracts
• The customer purchases the software from the vendor directly and installs it
• The customer goes to the vendor directly for product support
• HP verifies that the product does not interfere with OSM or other software functioning on the NonStop Console
• HP does NOT verify the vendor product's security functionality
• HP verifies Microsoft and vendor security patches within 30 days of announcement

Page 20: HP Integrity NonStop System Security Roadmap

NonStop Security Programs: NS SOAP and iTP WebServer

• NS SOAP Digital Signatures (H06.14/J06.03)
− Use of digitally signed, application-level SOAP requests (using secure XML)
• iTP WebServer (H06.14/J06.03)
− Support for digital signatures in NS SOAP requests
− The user can sign requests with a private key: the server can authenticate the user and check for message tampering
− The server can include its server certificate in the response: the user can ascertain that the response came from the authenticating server and check for message tampering
• iTP WebServer (H06.15/J06.04)
− Logical Network Partitioning (LNP) with TCP/IPv6
− Logging enhancements
• No plan for support on G-series

Page 21: HP Integrity NonStop System Security Roadmap

On Platform: iTP WebServer Security Enhancements – today and future

iTP WebServer enhancements targeted for 2009:
− TLS 1.1 protocol support (SSL already supported)
− PCI logging standard compliance: provide a "user exit" to a customer-supplied process that can sanitize log records by masking or removing sensitive data
− Private key import/export: enable import and export of private keys with the iTP WebServer key database; this will make iTP WebServer more interoperable
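A log-sanitizing user exit of the kind described above has to find primary account numbers (PANs) in free-form log text and reduce them to the first six and last four digits, the most PCI DSS allows to be displayed. The block below is an added example, not the iTP WebServer user exit or any HP code: it is the sanitizing logic such an exit would implement, in Python, run over constructed log lines (the card numbers are the published Visa and Mastercard test PANs, not real accounts). The Luhn check keeps ordinary 16-digit identifiers such as order numbers from being masked; a deployment that must never miss a PAN would drop that check and mask every candidate.

```python
import re

# 13 to 19 digits, optionally separated by single spaces or dashes, not
# embedded in a longer digit run. Pattern constructed for this example.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn (mod 10) check digit test used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:        # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_digits(digits):
    """PCI DSS display rule: first six and last four may remain."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def _mask_match(match):
    raw = match.group(0)
    digits = re.sub(r"[ -]", "", raw)
    if not luhn_ok(digits):
        return raw            # not a PAN: leave the record untouched
    return mask_digits(digits)


def sanitize_log_line(line):
    """Return the log record with every Luhn-valid 13-19 digit number masked."""
    return PAN_RE.sub(_mask_match, line)


def sanitize_log(lines):
    return [sanitize_log_line(line) for line in lines]


# Constructed sample records; the 16-digit order number is not Luhn-valid.
SAMPLE_LOG = [
    "2009-03-20 10:15:02 POS auth card=4111111111111111 amount=42.00",
    "2009-03-20 10:15:03 POS auth card=5105 1051 0510 5100 amount=17.50",
    "2009-03-20 10:15:04 order=1234567890123456 status=ok",
]


if __name__ == "__main__":
    for record in sanitize_log(SAMPLE_LOG):
        print(record)
```

The exit must run before the record reaches any log file, not as a later cleanup pass: once a PAN has been written to disk the unmasked copy is in scope for the assessment, and the sanitization point is exactly what the "user exit" placement on the slide provides.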

Page 22: HP Integrity NonStop System Security Roadmap

Data In Motion Security Available Now from HP

• Open Source SSH: provides SSH support through the OSS environment
• NonStop SSH: provides secure data transmission for both native Guardian and OSS environments when using terminal emulation, FTP, etc.
• NonStop SSH – Secure FTP: provides NonStop SSH server support for Secure FTP use only; a lower cost option for customers who just want Secure FTP enabled
• NonStop System Console: secure transmission using SSH for SSH-enabled clients on the console; SSL is used by the OSM subsystem for secure communications with the system

Available with J-series, H-series and G-series software.

Page 23: HP Integrity NonStop System Security Roadmap

Network Security Available Now and Coming in the Future from HP

• IPSec support
− Available in the new generation of NonStop Comm controllers (CLIMs) for NonStop BladeSystems and NonStop Integrity systems
− BladeSystems as of August 2008; NS-16x00 systems as of November 2008
• Enhanced data encryption for other products
− Software Essentials project (software distribution)
− Additional manageability products
− Visual Inspect
− Targeted for the 2009 timeframe

Page 24: HP Integrity NonStop System Security Roadmap

Data At Rest (Encryption): General Approaches

Host Application Modification: The host application is modified to call an encryption library to encrypt data before it is written to disk and decrypt data when read.

'Bump in the wire' Appliance: A device placed inline between the system and the storage device encrypts data before it is written to the device and decrypts it when read.

Encryption Capable Storage Device: The storage device is capable of encrypting data before writing it and decrypting when reading.

Encryption during Storage IO: The storage controller encrypts data before writing to the device and decrypts data when reading.

Database Encryption: Encryption/decryption can be specified at the column level.

All solutions:
• Must provide a way to manage the encryption keys.
• Affect latency and throughput. The impact varies depending on the technique and the amount of data to be encrypted.
• Protect only against threats below the point where encryption happens: device, controller and appliance encryption defends against loss or theft of the media, not against an authorized user or a compromised application reading the data through the host file system. Only the application and column-level approaches can narrow who sees cleartext on the host.

Page 25: HP Integrity NonStop System Security Roadmap

Data At Rest (Encryption): Which approaches are available on NonStop

Host Application Modification (the host application is modified to call an encryption library to encrypt data before it is written to disk and decrypt data when read):
Available today from partners. Several NonStop Security partners offer encryption libraries that run on NonStop which customers can incorporate into their applications.

'Bump in the Wire' Appliance (a device placed inline between the system and the storage device encrypts data before it is written to the device and decrypts it when read):
Available today from partners. NetApp offers the DataFort appliance, which has been validated on NonStop and can be used for data encryption with fibre channel disks. TSI offers multiple options for tape encryption.

Encryption Capable Storage Device or Subsystem (the storage device is capable of encrypting data before writing it and decrypting when reading):
Available today from HP and coming. Secure VTS supports encryption of both its own disks and the tapes that it writes. LTO-4 tape has encryption capabilities and will be available on NonStop this year. Other storage devices may include encryption capabilities in the future.

Encryption during Storage IO (the storage controller encrypts data before writing to the device and decrypts data when reading):
Coming in 2009 from HP. A new integrated Volume Level Encryption solution from HP will allow customers to turn on encryption for disks attached to the system through the Storage CLIM. LTO-4 tape encryption is supported by this program.

Database Encryption (encryption/decryption can be specified at the column level):
Under investigation. A design effort is being evaluated for a future program.

Page 26: HP Integrity NonStop System Security Roadmap

'Bump in the Wire' Encryption: DataFort, Available Today from NetApp

• HP has qualified the DataFort encryption appliance from NetApp
• The DataFort appliance combines wire-speed encryption, access controls, authentication, and automated key management
− The solution is deployed with no disruption to applications
− Encryption is done in-line between the NonStop host and drives
− HP validation included requirements for the NonStop environment: fault tolerance; online initial encryption and key rotation
− Qualification was done for Integrity NonStop servers; the device should work with S-series as well
− This is a reference sale by NetApp: contact NetApp directly
• For more information visit: http://www.netapp.com/us/products/storage-systems/datafort/

Page 27: HP Integrity NonStop System Security Roadmap

'Bump in the Wire' Tape Encryption Solutions: TSI Partner and NetApp

• TSI offers the CryptoStor™ appliance for tape encryption (formerly NeoScale TE2000)
− Includes the option of nCipher's KeyVault for key management
• TSI now also offers NetApp's DataFort as a solution for tape encryption on the NonStop
− Available through TSI for tape encryption on NonStop
− Includes the option of NetApp's LKM for key management

Page 28: HP Integrity NonStop System Security Roadmap

Encryption through the Storage CLIM: Coming from HP

• Volume Level Encryption (VLE)
− No application changes required
− Supports devices attached to the Storage CLIM: SAS and HP XP disks and LTO-4 tape
− Encryption can be configured on a per-device basis
− Uses a version of the HP Secure Key Management Solution
− Will be available for Integrity NonStop and Integrity NonStop BladeSystems
− Not available for S-series or other platforms that do not support the Storage CLIM
− Delivery targeted for later this year
− FIPS 140-2 validation will be underway by the end of the year

Page 29: HP Integrity NonStop System Security Roadmap

Data At Rest Security: VLE Overview

(Diagram: an Integrity NonStop 16x00 or NonStop BladeSystem connects through the Storage CLIM to SAS drives, HP StorageWorks XP arrays, LTO-4 tape and the Secure Virtual Tape System; the Storage CLIM obtains its keys from the HP Secure Key Manager.)

• The HP Secure Key Management solution manages keys for both disk and tape
• Supports SAS drives, XP disk arrays, LTO-4 tape and Secure VTS
• Secure VTS has built-in encryption support that includes its own Key Manager

Page 30: HP Integrity NonStop System Security Roadmap

Data at Rest Security: VLE Architecture

(Diagram: the Storage CLIM in an Integrity NonStop 16x00 or NonStop BladeSystem provides Data Encryption Services for data stored on SAS disks and HP StorageWorks XP arrays, and Key Management Services for LTO-4 tape; keys come from the HP Secure Key Manager.)

• HP Secure Key Manager will be sold in clusters to ensure fault tolerance, though one configuration can support multiple NonStop servers

Page 31: HP Integrity NonStop System Security Roadmap

Data At Rest Security: VLE Configuration and Operation

• Configure Storage CLIMs as clients of the Secure Key Management cluster using a tool that runs on the NonStop Console
• Configure encryption for individual disks and tape drives or tape media through SCF
− Only members of the new Safeguard encryption management group can alter the encryption attribute
• Initial drive keying and key rotation are done online

Page 32: HP Integrity NonStop System Security Roadmap

Data At Rest Security: VLE Disk Encryption (SAS, HP StorageWorks XP arrays)

• Encryption/decryption is done in the Storage CLIM
− The Storage CLIM retrieves keys from the Secure Key Management subsystem
• Encryption algorithm options:
− XTS-AES-256: currently in the NIST approval process
− CBC-AES-256: NIST approved
• Initial drive keying and key rotation are done online

XTS-AES (IEEE P1619) is the mode designed for sector-addressed storage: each 16-byte block is tweaked with its sector number and position within the sector, so identical plaintext in different sectors encrypts differently and ciphertext cannot be moved between sectors, without the chaining and per-sector IV management that CBC requires.

Page 33: HP Integrity NonStop System Security Roadmap

Data At Rest Security: VLE Tape Encryption (LTO-4)

• Encryption/decryption is done in the tape drive
• The Storage CLIM retrieves keys from the Secure Key Management subsystem and passes them to the tape drive
• Uses the CBM-AES-256 algorithm

Page 34: HP Integrity NonStop System Security Roadmap

HP Secure Key Manager: Underlying platform for the NonStop Key Manager

• Secure, centralized encryption key management
− Automates key generation and management based on security policies for multiple libraries
− Can expand across the entire infrastructure over time
• Strong auditable security
− Hardened server appliance with FIPS 140-2 Level 2 validation
− Identity-based access, administration, logging
• Reliable lifetime key archival
− Automatic multi-site key replication, high availability clustering and failover

FIPS = Federal Information Processing Standards

The right encryption key to the right person at the right time

Page 35: HP Integrity NonStop System Security Roadmap

Data at Rest Security: VLE Components

Hardware to be purchased:
• Storage CLIM upgrade: for best performance, we will recommend purchase of a more powerful Storage CLIM.
• Key Management: a multi-node HP Secure Key Management solution will need to be purchased. A single installation can manage keys for multiple NonStop systems.

Software to be purchased:
• Software will be shipped on the SUT and on the accompanying DVD for the Storage CLIM.
• Customers will buy licenses to enable encryption. We expect to offer both per-Storage-CLIM and per-system options.
• The HP Secure Key Management solution will also require client licensing, based on the number of CLIMs that will be accessing it.

Product pricing is not complete at this time. We will know more about pricing in the May timeframe. The goal is to be very competitive in the market.

Page 36: HP Integrity NonStop System Security Roadmap

Encryption-Capable Storage Subsystem: VTS, Available Now from HP

• Secure VTS: Virtual Tape Server Encryption (for J-series, H-series and G-series)
− Both a hardware appliance and a software solution for VTS
− Includes key management (currently different from VLE key management)

(Diagram: the NonStop server or Storage CLIM writes to virtual tape pools and cartridges in the VTS, which performs encryption and key management and exports to an automated tape library or dedicated drives.)

Page 37: HP Integrity NonStop System Security Roadmap

The Last Stop on the Road: Data Sanitization, Available Now from HP

• Data sanitization for NonStop disks (for J-series, H-series and G-series systems)
− A DoD-compliant data sanitization plug-in for OSM
− Small charge for G-series systems
− No charge for H-series or J-series systems

Page 38: HP Integrity NonStop System Security Roadmap

Data Sanitization Plug-in for NonStop: Product Features

• Meets Department of Defense (DoD) standards for data sanitization as described in the DoD 5220.22-M pattern
− Writes over segments of the disk, making at least three passes on the disk to overwrite data
− Uses a random series of characters during one of the write passes
• Plugs into OSM as a Guided Procedure
• Allows the user to specify the number of write passes and the specific write patterns to be used by the product to overwrite the disk
• Asks the user to confirm the request before taking action
• Allows concurrent sanitization of multiple disks
• Supports disk devices sold on NonStop S-series, Integrity NonStop NS-series and Integrity NonStop BladeSystems
• Provides an output report to verify sanitization was successful
• Sends EMS events to notify when sanitization was initiated and when it was completed, with success or failure
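The multi-pass overwrite described above is easy to state and easy to get wrong: a pass that is buffered but never reaches the media counts for nothing, and a pass that is not read back proves nothing. The block below is an added example, not the OSM plug-in or any HP code. It is Python that applies a configurable pattern list to a file, syncs each pass to storage, verifies each pass by hashing what comes back, and returns the kind of per-pass report the slide describes; `sanitize_file`, `DEFAULT_PASSES` and the constructed card-record input are this example's own. The usual caveat applies: in-place overwriting is meaningful for magnetic disks that rewrite sectors where they are, while flash devices with wear levelling, remapped bad sectors and copies held in caches or a VTS are not reached by it.

```python
import hashlib
import os
import tempfile

CHUNK = 64 * 1024
# DoD 5220.22-M style default: a fixed byte, its complement, then random data
# (None means "fill this pass with random bytes"). Callers may pass their own
# list, as the slide says the plug-in allows.
DEFAULT_PASSES = (b"\x00", b"\xff", None)


def _fill(pattern, size):
    """Bytes for one chunk of a pass: a repeated fixed pattern or fresh random data."""
    if pattern is None:
        return os.urandom(size)
    return (pattern * (size // len(pattern) + 1))[:size]


def _write_pass(fd, length, pattern):
    """Overwrite the whole length once, force it to the device, and return a
    digest of exactly what was written so the pass can be verified."""
    digest = hashlib.sha256()
    os.lseek(fd, 0, os.SEEK_SET)
    remaining = length
    while remaining > 0:
        buf = _fill(pattern, min(CHUNK, remaining))
        digest.update(buf)
        remaining -= len(buf)
        while buf:                      # os.write may write less than asked
            buf = buf[os.write(fd, buf):]
    os.fsync(fd)                        # a pass still in the page cache proves nothing
    return digest.hexdigest()


def _readback_digest(fd, length):
    """Digest of what the device now returns for the same range.
    A real tool opens the device with cache bypass so this reads the media."""
    digest = hashlib.sha256()
    os.lseek(fd, 0, os.SEEK_SET)
    remaining = length
    while remaining > 0:
        buf = os.read(fd, min(CHUNK, remaining))
        if not buf:
            break
        digest.update(buf)
        remaining -= len(buf)
    return digest.hexdigest()


def sanitize_file(path, passes=DEFAULT_PASSES):
    """Apply each pass in order, verifying each by reading it back.

    Returns a report with one entry per pass (pattern used, verified or not)
    and an overall success flag that is only set when every pass verified.
    """
    report = {"path": path, "passes": [], "success": False}
    fd = os.open(path, os.O_RDWR)
    try:
        length = os.fstat(fd).st_size
        report["bytes"] = length
        for pattern in passes:
            written = _write_pass(fd, length, pattern)
            verified = _readback_digest(fd, length) == written
            report["passes"].append({
                "pattern": "random" if pattern is None else pattern.hex(),
                "verified": verified,
            })
    finally:
        os.close(fd)
    report["success"] = bool(report["passes"]) and all(p["verified"] for p in report["passes"])
    return report


def demo():
    """Constructed input: a temporary file holding a fake card record 4000
    times (about 200 KB, so several chunks). Adds to the report whether the
    record can still be found afterwards."""
    secret = b"PAN=4111111111111111 EXP=0310 NAME=TEST CARDHOLDER\n"
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(secret * 4000)
        path = f.name
    try:
        report = sanitize_file(path)
        with open(path, "rb") as f:
            report["secret_still_present"] = secret in f.read()
    finally:
        os.unlink(path)
    return report
```

The report is what an auditor wants from the "output report" on the slide: per pass, the pattern and whether the read-back matched, rather than a single "done" message.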

Page 39: HP Integrity NonStop System Security Roadmap

HP Secure Advantage Program: Compliance Log Warehouse

HP Compliance Log Warehouse, next in the Trusted Compliance Solution family: a high performance appliance with Log and Analysis Manager and Real-time Alert Manager modules.
• High speed collection and analysis of log data
• Provides security alerts in real time from scans of log record data from numerous sources

Page 40: HP Integrity NonStop System Security Roadmap

HP NonStop Audit and Compliance: HP Compliance Log Warehouse

• A high performance appliance collects events from the whole data center for analysis

Page 41: HP Integrity NonStop System Security Roadmap

NonStop and CLW: Maximizing HP investment

(Diagram: HP Integrity NonStop servers (NS-series), HP Integrity NonStop BladeSystems and HP NonStop S-series systems feed the HP CLW through the CLW Log Adapter into its event database; a report engine produces compliance audit reports.)

The CLW accepts input sources from multiple systems and system types concurrently to enable reporting on the compliance of the entire data center.

• Log and Analysis Manager
− Provides high speed collection and analysis of log data that automates compliance reporting for many industry and government standards
− Collects, compresses and stores log record data in a replicated repository designed for high-speed analysis for audits or forensic investigations
• Real-Time Alert Manager
− Scans log record data from numerous sources, in real time, for potential security-related or natural events and alerts trained personnel for action

Page 42: HP Integrity NonStop System Security Roadmap

NonStop and CLW: Basic architecture – available today

(Diagram: on the NonStop system, XYGATE Merged Audit collects XYGATE events, ODBC/MX events, Base24 events, the Safeguard audit trail and EMS events and streams them to the HP CLW; the CLW Log Adapter for XYGATE loads them into the event database, from which the report engine produces compliance audit reports.)

The Data Streaming transfer method uses Syslog (incorporated into Merged Audit) over UDP to stream or "push" data to the CLW continually from the NonStop.

• This data transfer method offers close to "real time" data availability for reporting
• There is some risk: if the network is interrupted during an update, data loss is possible
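The loss risk noted above is the known property of syslog over UDP: the sender gets no acknowledgement, so a dropped datagram is invisible unless the records themselves carry something the collector can count. The block below is an added example, not part of XYGATE Merged Audit or the CLW adapter. It is Python showing one way a practitioner makes such loss detectable, using the `[meta sequenceId="..."]` structured-data element that RFC 5424 defines for this purpose: the sending side numbers each record, the collecting side tracks the numbers per host and reports which ones never arrived. The class names, the host `nsk01`, the audit event texts and the dropped-then-late datagram are all constructed for the example.

```python
import re
from datetime import datetime, timezone

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG
# PRI = facility * 8 + severity; facility 13 (log audit), severity 6 (info).
PRI_AUDIT_INFO = 13 * 8 + 6

SEQ_RE = re.compile(r'\[meta sequenceId="(\d+)"\]')


class AuditStreamer:
    """Sender side (the NonStop end): number every record it pushes."""

    def __init__(self, hostname, app="mergedaudit"):
        self.hostname = hostname
        self.app = app
        self.seq = 0

    def format(self, event, when):
        """One syslog datagram carrying the event and the next sequenceId."""
        self.seq += 1
        ts = when.strftime("%Y-%m-%dT%H:%M:%SZ")
        return '<%d>1 %s %s %s - SAFEGUARD [meta sequenceId="%d"] %s' % (
            PRI_AUDIT_INFO, ts, self.hostname, self.app, self.seq, event)


class GapDetector:
    """Collector side: track the sequence per sending host and report holes."""

    def __init__(self):
        self.last_seen = {}   # host -> highest sequenceId received so far
        self.missing = {}     # host -> sequenceIds skipped and not yet seen

    def receive(self, datagram):
        host = datagram.split(" ", 3)[2]
        m = SEQ_RE.search(datagram)
        if m is None:
            raise ValueError("record without meta sequenceId: %r" % datagram)
        seq = int(m.group(1))
        holes = self.missing.setdefault(host, [])
        prev = self.last_seen.get(host, 0)
        if seq > prev + 1:
            holes.extend(range(prev + 1, seq))   # datagrams lost, or merely late
        elif seq <= prev and seq in holes:
            holes.remove(seq)                    # late delivery fills a hole
        self.last_seen[host] = max(prev, seq)
        return seq

    def report(self, host):
        """Sequence numbers still unaccounted for: the gap for the audit report."""
        return sorted(self.missing.get(host, []))


def demo():
    """Constructed run: five records, the third datagram dropped in transit
    and then delivered late, as UDP may do. Not real audit data."""
    streamer = AuditStreamer("nsk01")
    t0 = datetime(2009, 3, 20, 10, 15, 0, tzinfo=timezone.utc)
    events = [
        "USER-LOGON SUPER.OPER PASS",
        "USER-LOGON SALES.CLERK FAIL",
        "DISKFILE-OPEN $DATA.CARDS.PANFILE DENIED",
        "ALTER USER SALES.CLERK",
        "USER-LOGOFF SUPER.OPER",
    ]
    datagrams = [streamer.format(e, t0) for e in events]
    detector = GapDetector()
    for d in datagrams[:2] + datagrams[3:]:
        detector.receive(d)
    after_loss = detector.report("nsk01")
    detector.receive(datagrams[2])
    after_late = detector.report("nsk01")
    return {
        "sent": len(datagrams),
        "first": datagrams[0],
        "missing_after_loss": after_loss,
        "missing_after_late_delivery": after_late,
    }
```

With the numbers in the records the collector can state for a given window either that the set is complete or exactly which records are missing, which is what a compliance report built on the stream needs. Moving the transport to TCP or TLS (RFC 6587, RFC 5425) removes most of the loss but not all of it, since a sender whose link is down still has a finite buffer, so the count is worth keeping either way.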

Page 43: HP Integrity NonStop System Security Roadmap

NonStop and CLW: Basic architecture – available in 2009

(Diagram: as on the previous page, with an HP NonStop Event Transporter on the NonStop system feeding ODBC/MX events, Base24 events, the Safeguard audit trail, EMS events and XYGATE Merged Audit to the HP CLW through a CLW Log Adapter for General NonStop Log.)

• Adapters come with the CLW purchase
• The intention is to provide a basic HP NonStop Event Transporter at no additional charge

Page 44: HP Integrity NonStop System Security Roadmap


NonStop Security Websites and Partners

Page 45: HP Integrity NonStop System Security Roadmap

20 March 2009

HP Security Websites: NonStop Security Sites

NonStop Security General Link: http://www.hp.com/go/nonstop/security

On Platform Security (Safeguard): http://www.hp.com/go/nonstop/security/onplatformsecurity

Data in Motion (SSH): http://www.hp.com/go/nonstop/security/datainmotion

Data at Rest (NetApp relationship): http://www.hp.com/go/nonstop/security/dataatrest

NSC Security Program: http://www.hp.com/go/nonstop/security/nscsecurity

Data Sanitization: http://www.hp.com/go/nonstop/security/datasanitization

Page 46: HP Integrity NonStop System Security Roadmap

HP Security Websites: Secure Advantage Program

HP Secure Advantage Program: http://www.hp.com/security

Secure Key Managers: http://h18006.www1.hp.com/products/storageworks/secure_key/index.html

Compliance Log Warehouse: http://www.hp.com/go/clw

Page 47: HP Integrity NonStop System Security Roadmap

On Platform Security: NonStop Partner Offerings - At A Glance

Partner / Product Offered

• ACI: ACI Enterprise Security Services: AF (Application Firewall); ACI Enterprise Security Services: Single Sign-On (former InSession SafeTGate products)

• comForte (now includes Baker Street SW, Cross-EL and USA Software): SafePoint Product Suite - Alarms: Real Time Alerts, NSK Security Event Console, OSS User Administration, SafePoint Admin, SafePoint reports

• CSP (Computer Security Products): CSP Passport Suite – Protect XP/Security Modeling, Alert-Plus, Auditview, CSP Authenticator, CSP NetPass, CSP SpoolView

• Greenhouse: Security Utilities - $AS Authentication Server, DiskWipe, Inset (Field Encryption), MPWD (Modem Port Watch Dog), PWQASEEP (Password controls), PWCOSEEP (Process Control SEEP), PASSYNC (Password Sync), Reprieve (Safeguard PCI Controls), Curious (Safeguard for Auditors), SECOM (Secure Command), SFTP (Secure FTP), MyLogin (Single Sign-On)

• XYPRO: Safeguard PRO - Safeguard Mgr, Object Security, Password Quality, Safeguard Reports, User Authentication; Access PRO – Access controls (includes Spooler); Audit PRO - Merged Audit Reporting Product, Event monitor; Compliance PRO - Security Compliance Wizard GUI

Page 48: HP Integrity NonStop System Security Roadmap

Data In Motion: NonStop Partner Offerings - At a Glance

Partner / Product Offered

• ACI: ACI Enterprise Security Services: SSL

• Bowden: Bowden SSL, Bowden SSH, Bowden Secure FTP

• comForte (now includes Baker Street SW, Cross-EL and USA Software): SecurCS (SSL), SecurSH (SSH), SecurFTP, SecurTN (Telnet Security), SecurPrint (SSL for Printers & Spooler)

• XYPRO: XYPRO Secure Shell; XYPRO Secure Communications Client: SSL; XYPRO Host Encryption: SSL Encryption for NonStop Host

Page 49: HP Integrity NonStop System Security Roadmap

Data At Rest: NonStop Partner Offerings - At a Glance

Partner / Product Offered

• comForte: SecurLIB – Data Encryption library & key management for application use (SW); SecurTape – Encryption offering for use with Backup/Restore (SW)

• Crossroads: Disk and Tape Encryption & key management (HW & SW)

• Greenhouse: Inset – Field Encryption for applications (SW); BaReLib (Backup Restore Library) – DES Security to the data stream

• NETAPP: DataFort Appliance & NonStop - Volume level disk encryption & key mgmt (HW & SW)

• Opsol: Omni-Crypto – Encryption infrastructure for ACI applications (SW)

• TSI: Tape Encryption – Offers encryption appliances for Tape Encryption

• XYPRO: Encryption Library for NonStop – application tool kit (includes SQL/MP & file level encryption) (SW); Encryption SW Key Manager for NonStop (SW); Encryption SW Key Manager Lite for NonStop (SW)

Page 50: HP Integrity NonStop System Security Roadmap

NonStop Security Partner URLs - At a Glance

Partner / URL

• ACI: http://www.aciworldwide.com/products/detail.aspx?product_id=274

• Baker Street: http://www.bakerstreetsoftware.com/

• Bowden: http://www.bsi2.com/

• comForte: http://www.comforte.com/

• CSP: http://tandemsecurity.com/solutions.html

• Crossroads: http://www.crossroads.com/Products/ProductsOverview.asp

• Greenhouse: http://www.greenhouse.de/products.html

• NETAPP: http://www.decru.com/products/datafort0.htm

• Opsol: http://www.opsol.com/encryption.html

• TSI: http://www.tributary.com/

• XYPRO: https://www.xypro.com/index.php?id=13

Page 51: HP Integrity NonStop System Security Roadmap

NonStop Security Contacts: Who to call at HP

Karen Copeland, NonStop Product Manager for [email protected]

Wendy Bartlett, Distinguished Technologist, [email protected]

Page 52: HP Integrity NonStop System Security Roadmap


Questions?

Page 53: HP Integrity NonStop System Security Roadmap


Safeguard Backup Slide follows

Page 54: HP Integrity NonStop System Security Roadmap

Safeguard Enhancements Last Two Years

Feature / Function / Benefit

• H06.08/G06.31 Support for 64-character passwords
  Function: Allows configuration of minimum/maximum password lengths up to 64 characters rather than 8
  Benefit: Stronger passwords

• H06.09/G06.31 Support for password pass phrases and quality attributes
  Function: Allows use of pass phrases; can require passwords to include one or more upper case, lower case, numeric, and/or special characters
  Benefit: Stronger passwords

• H06.10/G06.32 Ability to reset failed logon counts
  Function: Reset failed logon counts when a user is locked out after too many logon attempts, without having to delete and re-add the user
  Benefit: Improved ease of use

• H06.11/G06.32 Sanctioned privileged logon and performance improvements
  Function: Ability to identify programs allowed to log on as other users without providing a password, and to audit such actions; improved performance on some "info" commands
  Benefit: "Above board" logon mechanism

• H06.12/G06.32 Audit pool CLEARONPURGE option
  Function: Control over whether audit files are cleared when they are deleted
  Benefit: Improved manageability

Page 55: HP Integrity NonStop System Security Roadmap

Safeguard Enhancements H06.14, J06.03 Releases

Feature / Function / Benefit

• New text description field modified to be variable-length
  Function: Avoids increasing audit record size unnecessarily when the field contents are short or nonexistent
  Benefit: Avoids unnecessary audit generation

• Configurable system-level audit client audit exclusion based on field name and value
  Function: Customers can configure exclusion of audit events based on field name and value, e.g. specific operations, outcomes, object types, owners, subjects, or creators
  Benefit: Avoids unnecessary audit generation

• TACL LOGOFF/EXIT audit
  Function: Generates audit when a LOGOFF or EXIT command is issued at the TACL prompt to log off from a terminal. Audit generation is controlled by AUDIT-PROCESS-ACCESS
  Benefit: Improved forensic information

Page 56: HP Integrity NonStop System Security Roadmap

Safeguard Enhancements H06.15, J06.04 Releases

Feature / Function / Benefit

• Configurable OSS audit exclusion at the user level
  Function: If AUDIT-OSS-FILTER is set, then AUDIT-USER-ACTION-PASS and AUDIT-USER-ACTION-FAIL also apply to OSS audit
  Benefit: Avoids unnecessary audit record generation

• Creator ID and creation timestamp in user/alias/group authentication records
  Function: Customers can determine who created a user, alias, or group and when it was done
  Benefit: Improved forensic information

Page 57: HP Integrity NonStop System Security Roadmap

Safeguard Enhancements: PASSWORD H06.16, J06.05 Releases

Feature / Function / Benefit

• Allow group manager to change user's password when PROMPTPASSWORD is enabled
  Function: Make capability available in PASSWORD as well as SAFECOM
  Benefit: Improved manageability

• Allow SUPER.SUPER or any of its aliases to change the password of any alias on the system when PROMPTPASSWORD is enabled
  Function: Make capability available in PASSWORD as well as SAFECOM
  Benefit: Improved manageability

• Allow owner, owner's group manager and secondary owners to change password of user/alias
  Function: Make capability available in PASSWORD as well as SAFECOM
  Benefit: Improved manageability

• Accept the user name, user id, or alias name in the password change command line
  Function: Support password changes for aliases in PASSWORD as well as SAFECOM; provide more flexibility
  Benefit: Improved manageability, ease of use

Page 58: HP Integrity NonStop System Security Roadmap

Safeguard Enhancements: Other H06.16, J06.05 Releases

Feature / Function / Benefit

• Add text description field to object authorization records
  Function: Support up to 255-byte text description fields for the following Safeguard objects: Disk files, Disk volumes, Disk subvolumes, Devices, Subdevices, Processes, Subprocesses, Objecttype, Sec-Group
  Benefit: Improved forensic information

Page 59: HP Integrity NonStop System Security Roadmap

Safeguard Enhancements: PASSWORD H06.18, J06.07 Releases

Feature / Function / Benefit

• Support for additional POSIX security APIs
  Function: Support for initgroups(), setgroups(), seteuid(), and setegid(), with appropriate audit generated
  Benefit: Improved ease of porting POSIX/UNIX applications

• Additional information for Authorization SEEPs
  Function: Inclusion of object file name in data structure sent to Authorization SEEP
  Benefit: Improved ability for SEEPs to control what programs are run, when, and by which user

• Change in flow between Safeguard and Password Quality SEEPs
  Function: Safeguard validation of password prior to sending it to Password Quality SEEP
  Benefit: Improved ability for PQ SEEPs to keep their password databases in sync with Safeguard's

• Additional support for wild cards
  Function: Support for wild cards in GROUP ADD MEMBER and ALTER MEMBER commands
  Benefit: Improved ease of use

• OSMP shipped with HIGHPIN set
  Function: System runs the $ZSMP process pair in high PINs by default
  Benefit: Makes additional low PINs available for unconverted programs
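The first row above names four identity-changing calls that ported POSIX applications rely on. The example below is added here to show the order in which a privilege-dropping program is expected to use them (supplementary groups, then group, then user, then a verification that the change took), which is also the sequence an auditor would expect to see in the generated audit. It is written for a generic POSIX host using Python's `os` wrappers and is not NonStop OSS or Safeguard code; Safeguard's audit records for these calls are not modelled.

```python
import os
from typing import Dict, Optional

# POSIX only: os.setgroups/initgroups/setegid/seteuid do not exist on Windows.


def drop_effective_privileges(uid: int, gid: int,
                              username: Optional[str] = None) -> Dict[str, object]:
    """Lower the effective identity to uid/gid in the safe order.

    1. Supplementary groups first. setgroups()/initgroups() require privilege,
       so this step runs only when the caller is currently root; otherwise the
       inherited group list is left alone and reported as such.
    2. Group before user: once the effective uid is unprivileged, a later
       setegid() to an arbitrary group may be refused.
    3. Verify, because a failed drop that goes unnoticed is the dangerous case.
    """
    info: Dict[str, object] = {"groups_reset": False}
    if os.geteuid() == 0:
        if username is not None:
            os.initgroups(username, gid)   # supplementary groups from the group database
        else:
            os.setgroups([gid])            # no inherited supplementary groups survive
        info["groups_reset"] = True
    os.setegid(gid)
    os.seteuid(uid)
    if os.geteuid() != uid or os.getegid() != gid:
        raise RuntimeError("effective identity did not change as requested")
    info["euid"] = os.geteuid()
    info["egid"] = os.getegid()
    return info


def demo_self_drop() -> Dict[str, object]:
    """Runs without privilege: re-asserting the real uid/gid as the effective
    ids is always permitted, so the same code path can be exercised by anyone."""
    uid, gid = os.getuid(), os.getgid()
    info = drop_effective_privileges(uid, gid)
    info["ok"] = info["euid"] == uid and info["egid"] == gid
    return info


if __name__ == "__main__":
    print(demo_self_drop())
```

The `groups_reset` flag in the result is the detail worth logging: a process that ran unprivileged could not clear its supplementary groups, so any group membership it inherited is still in force after the call.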