Oracle Solaris Secure Cloud Infrastructure
Copyright © 2015, Oracle and/or its affiliates. All rights reserved.

Secure Cloud Infrastructure: Secure, Compliant, Highest Performing

Scott Lynn & Darren J Moffat, Solaris Core Technologies, January 2016
The Age of Mega Breaches

Timeline chart; labels recovered from the slide, in the order they appear:
• 200M, Experian, Mar '14
• 150M, eBay, May '14
• 22M, Education, July '14
• SA Banks, Oct '13
• Credit cards
• 150M+, code, Adobe, Oct '13
• 98M, Target, Dec '13
• 20M, Credit Bureau
• 12M, Telecom, Jan '14
• 56M, Home Depot, Sep '14
• Immigration, June '14
• Personal records
• 76M, JPMC, Oct '14
• 53M, Sony, Dec '14
• 227M
• 80M, Anthem, Feb '15
Typical Attack Vectors

• Social attacks
• Command & control
• Brute force hacking
• Malware
• SQL injection attack
• Stolen credentials
Anatomy of an Attack – Starts with Phishing

Diagram labels: Attacker; Command server; Phishing attack; XSS or SQL injection attack; Downloaded malware.
Anatomy of an Attack – Establishes a Foothold

Diagram labels: Establish multiple backdoors; Dumping passwords, domain controller; Gathering data.
Anatomy of an Attack – Exfiltrates Data, Covers Tracks

Diagram labels: Exfiltrate data via staging server, anywhere in the world.
Risks are Outside; Vulnerabilities Within
Threat #1: Stolen privileged user credentials (People)
100% of investigated data breaches involved stolen credentials.

Source: Mandiant Threat Report, 2015
How the Sony Breach Changed Security
Oracle Solaris Mitigates Credential Abuse/Misuse

• Delegation: activity-based user access
• Time-based control: control when users can perform actions
• Remote auditing, logging and alerting: audit entries sent to a secure server; can't be tampered with
Threat #2: Unpatched and misconfigured systems (Platform)
99.9% of the exploited vulnerabilities were compromised more than a year after the CVE was published.

Source: Verizon Data Breach Investigations Report, 2015
Exploited Vulnerabilities Compromised

74% of organizations take 3 months or more to patch.

Source: Verizon Data Breach Investigations Report, 2015; IOUG Data Security Survey, 2014
The age of "If it ain't broke, don't fix it" is over!
It's important to patch quickly and often… Patching on other systems takes significant time and money.

Stack diagram: Firmware, Virtualization, OS, Database, Application

Other systems:
• Different tools
• Different patches
• Possible conflicts
• Downtimes
• Manual rollback
Dramatically Simpler Lifecycle Management: Solving patching and configuration vulnerabilities

Stack diagram: Firmware, Virtualization, OS, Database, Application

Oracle Solaris:
• Secure
• Pre-tested
• Single-source patching

1-Step Security Patching, 1-Step Rollback
Simple Administration: Major Financial Customer's Experience Patching Oracle Solaris vs. Red Hat

Bar chart, machines per administrator (axis 0 to 4000):
• Red Hat Enterprise Linux: 250
• Oracle Solaris 11: 4000 (16x servers per admin)

1-Step Security Patching
Simple & Tailorable Compliance Reporting
Stop Malware Before It Gets In

Immutable systems and virtual machines
– Can't establish a foothold
– Prevent administrator mistakes
– Update even though it's unwritable by users and applications

Tamper evident software, firmware to applications
– Install only known, trusted software
– Not signed; won't install
– Verified Boot
Secure Lifecycle Done Right

Secure
• Immutable systems and virtual machines
• Tamper evident software
• Verified Boot

Simple
• 1-step patching
• Integrated snapshots
• 1-step rollback

Effective
• Tested together
• From firmware to applications

Stack diagram: Firmware, Virtualization, OS, Database, Application
Large City in Germany: Automatic Patching
Threat #3: Direct data access (Data)
$194*: the average cost per record stolen in a data breach.

Source: Symantec, http://www.databreachcalculator.com/GetStarted.aspx
Network Security is Not Enough: Protect the Data!

Two pie charts (source: CSO Online Market Pulse, 2013); legend on both: Database, Network, Application, Middleware. Slice values recovered from the slide (the chart pairing of value to legend entry did not survive extraction):
• IT layers most vulnerable to attacks: 52%, 34%, 11%, 4%
• Allocation of resources to secure IT layer: 67%, 15%, 15%, 3%
Only Platform to Protect Applications in Memory: Silicon Secured Memory

• First ever hardware-based memory protection
• Stops attackers from accessing application memory inappropriately
• Always on, without compromise
• Improved efficiency, and more secure and higher-available applications
• Compatible with current applications

Diagram labels: Application Memory; M7 Processor; Pointer "A": GO; Pointer "B": GO; Pointer "Y".
Affordably Encrypt Everything, Everywhere, All the Time

• No performance loss
• Automatically accelerates Java, Oracle Database, OpenSSL/TLS, and custom applications
• Meet compliance with high-performance disk encryption
• SPARC M7 Silicon Secured Memory
• Integrates with Oracle Key Manager

Stack diagram: Applications, Java, Oracle Database, Operating System Utilities, Storage, Virtualization, Firmware. Protected at rest, in motion, and in memory.
New Exploit Mitigation Features: sxadm(1M)

NXSTACK (Non-Executable Stack): been around since Solaris 2.6 but now controlled via sxadm(1M). Now on by default. Tag at build time with: -z nxstack=enable|disable

NXHEAP (Non-Executable Heap): new in 11.3; not enabled by default, since there are a small number of legitimate uses for an executable heap. Tag at build time with: -z nxheap=enable|disable

ASLR (Address Space Layout Randomisation): added in 11.1

• sxadm get -p: parsable status output
• sxadm delcust: go back to vendor-delivered defaults
• Install-time policy: svccfg extract security-extensions
Modernising Firewall in Oracle Solaris 11.3

• OpenBSD PF firewall ported and integrated into Oracle Solaris
• Choose either IP Filter or PF; only one can be active
  – pkg:/network/firewall
  – pkg:/network/firewall/ftp-proxy
  – pkg:/network/firewall/pflog
• Rules in pf.conf(4)
• Logging is via new dladm(1M)-controlled links
• SMF: svc:/network/firewall
• Start transition: IP Filter is now obsolete and may be removed in a future release
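A minimal default-deny ruleset of the kind that goes in pf.conf(4), added here as an illustration of the PF syntax the slide refers to; it is not from the slides and not Oracle's shipped default. The interface name net0 and the per-source rate limit values are assumptions; the pflog package and svc:/network/firewall names come from the slide.

```pf
# Constructed example pf.conf for Oracle Solaris 11.3; not Oracle's shipped default.
# Assumed external interface name; confirm with `dladm show-link`.
ext_if = "net0"

# Sources that trip the SSH connection-rate limit land in this table and stay
# blocked until it is flushed with pfctl.
table <bruteforce> persist

# Leave the loopback interface alone.
set skip on lo0

# Default deny inbound. Packets matched by a "log" rule are written to the
# pflog link (pkg:/network/firewall/pflog) for later review.
block in log all

# Drop repeat offenders before any pass rule can match them.
block in quick on $ext_if from <bruteforce>

# Permit outbound traffic from this host; PF keeps state so replies come back in.
pass out on $ext_if inet proto { tcp, udp, icmp } from ($ext_if) to any

# Inbound: only SSH, with a per-source rate limit (assumed: 5 new connections
# per 30 s) so a password-guessing run gets its source added to <bruteforce>.
pass in on $ext_if inet proto tcp from any to ($ext_if) port 22 flags S/SA \
    keep state (max-src-conn-rate 5/30, overload <bruteforce> flush global)
```

Check the file with `pfctl -nf <path>` before activating it, then restart or refresh svc:/network/firewall through svcadm so the SMF service loads the new rules; the configuration file path PF reads on this release is not stated on the slide, so take it from pf.conf(4) rather than from this example.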
Modernising SSH

• Oracle Solaris 9 added the first OpenSSH version, which became the forked SunSSH over time.
• OpenSSH (+ some patches) in Oracle Solaris 11.3
  – GSS credential storage
  – PAM service name per SSH user auth method, as per SunSSH (PAM can't be disabled)
  – DisableBanner option for the ssh client
• Install either SunSSH or OpenSSH or both
  – Only one can be the default ssh(1) and sshd(1M); either or both can be installed
  – Set the default via pkg mediator when both are installed
• SMF: svc:/network/openssh
• Start transition: SunSSH is now obsolete and may be removed in a future release
Oracle Security Inside and Out: Layers of the Stack

Governance, Risk & Compliance; Access & Certification Review; Anomaly Detection; User Provisioning; Entitlements Management; Mobile Security; Privileged Users; Directory Services; Identity Governance; Entitlements Management; Access Management; Encryption, Masking, Redaction, Key Management; Privileged User Control; Big Data Security; Secure Config; Application + User Sandboxing; Delegated Admin; Anti-malware System; Data + Network Protection; Compliance Reporting; Secured App Lifecycle; Secure Live Migration; Immutable Zones; Independent Control Plane; Cryptographic Acceleration; Application Data Integrity; Verified Boot; Disk Encryption; Secured Backup; Enterprise Key Management

SPARC/Solaris
Built-in Security Inside and Out Saves Time, Money and Reduces Risk

• Mitigates credential abuse/misuse
• Secure lifecycle done right
• Encrypt everything, everywhere, all the time
Q&A