Oracle Solaris Secure Cloud Infrastructure
-
Upload
otn-systems-hub -
Category
Software
-
view
370 -
download
2
Transcript of Oracle Solaris Secure Cloud Infrastructure
![Page 1: Oracle Solaris Secure Cloud Infrastructure](https://reader034.fdocuments.us/reader034/viewer/2022052514/587b9ab81a28ab4e4f8b765b/html5/thumbnails/1.jpg)
![Page 2: Oracle Solaris Secure Cloud Infrastructure](https://reader034.fdocuments.us/reader034/viewer/2022052514/587b9ab81a28ab4e4f8b765b/html5/thumbnails/2.jpg)
Copyright©2015, Oracleand/oritsaffiliates.Allrightsreserved.|
SecureCloudInfrastructureSecure,Compliant,HighestPerforming
ScottLynn&DarrenJMoffatSolarisCoreTechnologiesJanuary2016
![Page 3: Oracle Solaris Secure Cloud Infrastructure](https://reader034.fdocuments.us/reader034/viewer/2022052514/587b9ab81a28ab4e4f8b765b/html5/thumbnails/3.jpg)
Copyright©2015Oracleand/oritsaffiliates.Allrightsreserved.|
200MExperianMar‘14
150MeBay
May‘14
22MEducationJuly‘14
SABanksOCT‘13
CreditCards
150M+CodeAdobeOct‘13
98MTargetDec‘13
20MCreditBureau
12MTelecom
Jan‘14
56MHomeDepot
Sep‘14
ImmigrationJune’14
PersonalRecords
76MJPMCOct‘14
TheAgeofMegaBreaches
3Copyright©2015,Oracleand/oritsaffiliates.Allrightsreserved.|
53MSonyDec‘14
227M
80MAnthemFeb‘15
![Page 4: Oracle Solaris Secure Cloud Infrastructure](https://reader034.fdocuments.us/reader034/viewer/2022052514/587b9ab81a28ab4e4f8b765b/html5/thumbnails/4.jpg)
Copyright©2015Oracleand/oritsaffiliates.Allrightsreserved.|
SocialAttacksCommand&
Control
BruteForceHackingMalware
SQLInjectionAttack
StolenCredentials
TypicalAttackVectors
4Copyright©2015,Oracleand/oritsaffiliates.Allrightsreserved.|
![Page 5: Oracle Solaris Secure Cloud Infrastructure](https://reader034.fdocuments.us/reader034/viewer/2022052514/587b9ab81a28ab4e4f8b765b/html5/thumbnails/5.jpg)
Copyright©2015Oracleand/oritsaffiliates.Allrightsreserved.|
COMMANDSERVER
ATTACKER
DOWNLOADEDMALWARE
PHISHINGATTACK
XSSORSQLINJECTIONATTACK
AnatomyofanAttack– StartswithPhishing
![Page 6: Oracle Solaris Secure Cloud Infrastructure](https://reader034.fdocuments.us/reader034/viewer/2022052514/587b9ab81a28ab4e4f8b765b/html5/thumbnails/6.jpg)
Copyright©2015Oracleand/oritsaffiliates.Allrightsreserved.|
ESTABLISHMULTIPLEBACKDOORS
DUMPINGPASSWORDSDOMAINCONTROLLER
GATHERINGDATA
AnatomyofanAttack– EstablishesaFoothold
![Page 7: Oracle Solaris Secure Cloud Infrastructure](https://reader034.fdocuments.us/reader034/viewer/2022052514/587b9ab81a28ab4e4f8b765b/html5/thumbnails/7.jpg)
Copyright©2015Oracleand/oritsaffiliates.Allrightsreserved.|
EXFILTRATEDATAVIASTAGINGSERVER
ANYWHEREINTHEWORLD
AnatomyofanAttack– ExfiltratesData,CoversTracks.
![Page 8: Oracle Solaris Secure Cloud Infrastructure](https://reader034.fdocuments.us/reader034/viewer/2022052514/587b9ab81a28ab4e4f8b765b/html5/thumbnails/8.jpg)
Copyright©2015Oracleand/oritsaffiliates.Allrightsreserved.|
RisksareOutside;VulnerabilitiesWithin
8
![Page 9: Oracle Solaris Secure Cloud Infrastructure](https://reader034.fdocuments.us/reader034/viewer/2022052514/587b9ab81a28ab4e4f8b765b/html5/thumbnails/9.jpg)
Copyright©2015Oracleand/oritsaffiliates.Allrightsreserved.|
Threat#1:StolenprivilegedusercredentialsPeople
9
![Page 10: Oracle Solaris Secure Cloud Infrastructure](https://reader034.fdocuments.us/reader034/viewer/2022052514/587b9ab81a28ab4e4f8b765b/html5/thumbnails/10.jpg)
Copyright©2015Oracleand/oritsaffiliates.Allrightsreserved.|
100%Ofinvestigateddatabreachesinvolvedstolencredentials
10
Source:MandiantThreatReport,2015
![Page 11: Oracle Solaris Secure Cloud Infrastructure](https://reader034.fdocuments.us/reader034/viewer/2022052514/587b9ab81a28ab4e4f8b765b/html5/thumbnails/11.jpg)
Copyright©2015Oracleand/oritsaffiliates.Allrightsreserved.|OracleCorporation- Confidential 11OracleCompany Confidential– SharedUnderTermsofOPNNDA 11
HowtheSonyBreachChangedSecurity
![Page 12: Oracle Solaris Secure Cloud Infrastructure](https://reader034.fdocuments.us/reader034/viewer/2022052514/587b9ab81a28ab4e4f8b765b/html5/thumbnails/12.jpg)
Copyright©2015Oracleand/oritsaffiliates.Allrightsreserved.|
OracleSolarisMitigatesCredentialAbuse/Misuse
DelegationActivity-baseduseraccess
Time-BasedControlControlwhenuserscanperformactions
RemoteAuditing,LoggingandAlertingAuditentriessenttosecureserver;can’tbetampered
12
![Page 13: Oracle Solaris Secure Cloud Infrastructure](https://reader034.fdocuments.us/reader034/viewer/2022052514/587b9ab81a28ab4e4f8b765b/html5/thumbnails/13.jpg)
Copyright©2015Oracleand/oritsaffiliates.Allrightsreserved.|
Threat#2:UnpatchedandmisconfiguredsystemsPlatform
13
![Page 14: Oracle Solaris Secure Cloud Infrastructure](https://reader034.fdocuments.us/reader034/viewer/2022052514/587b9ab81a28ab4e4f8b765b/html5/thumbnails/14.jpg)
Copyright©2015Oracleand/oritsaffiliates.Allrightsreserved.|
99.9%OftheexploitedvulnerabilitieswerecompromisedmorethanayearaftertheCVEwaspublished
14
Source:VerizonDataBreach InvestigationsReport,2015
![Page 15: Oracle Solaris Secure Cloud Infrastructure](https://reader034.fdocuments.us/reader034/viewer/2022052514/587b9ab81a28ab4e4f8b765b/html5/thumbnails/15.jpg)
Copyright©2015Oracleand/oritsaffiliates.Allrightsreserved.|
ExploitedVulnerabilitiesCompromised
15
74%
OFORGANIZATIONSTAKE3MONTHS+
TOPATCH
Source:VerizonDataBreach InvestigationsReport,2015;IIOUGDataSecuritySurvey,2014
![Page 16: Oracle Solaris Secure Cloud Infrastructure](https://reader034.fdocuments.us/reader034/viewer/2022052514/587b9ab81a28ab4e4f8b765b/html5/thumbnails/16.jpg)
Copyright©2015Oracleand/oritsaffiliates.Allrightsreserved.|
Theageof“Ifitain’tbroke,don’tfixit,”isover!
16
![Page 17: Oracle Solaris Secure Cloud Infrastructure](https://reader034.fdocuments.us/reader034/viewer/2022052514/587b9ab81a28ab4e4f8b765b/html5/thumbnails/17.jpg)
Copyright©2015Oracleand/oritsaffiliates.Allrightsreserved.| 17
It’simportanttopatchquicklyandoften…Patchingonothersystemstakessignificanttimeandmoney.
Firmware
Virtualization
OS
Database
Application OtherSystems:• Differenttools• Differentpatches• Possibleconflicts• Downtimes• ManualRollback
![Page 18: Oracle Solaris Secure Cloud Infrastructure](https://reader034.fdocuments.us/reader034/viewer/2022052514/587b9ab81a28ab4e4f8b765b/html5/thumbnails/18.jpg)
Copyright©2015Oracleand/oritsaffiliates.Allrightsreserved.|
DramaticallySimplerLifecycleManagementSolvingpatchingandconfigurationvulnerabilities.
1818
Firmware
Virtualization
OS
Database
Application OracleSolaris:• Secure• Pre-tested• Single-sourcepatching.
1-StepSecurityPatching1-StepRollback
![Page 19: Oracle Solaris Secure Cloud Infrastructure](https://reader034.fdocuments.us/reader034/viewer/2022052514/587b9ab81a28ab4e4f8b765b/html5/thumbnails/19.jpg)
Copyright©2015Oracleand/oritsaffiliates.Allrightsreserved.|
SimpleAdministrationMajorFinancialCustomer’sExperiencesPatchingOracleSolarisvs.RedHat
19
RedHatEnterpriseLinux
Solaris1116XServers/Admin
MANAGE
4000300020001000
250
4000
Machines/Administrator
1-StepSecurityPatching
![Page 20: Oracle Solaris Secure Cloud Infrastructure](https://reader034.fdocuments.us/reader034/viewer/2022052514/587b9ab81a28ab4e4f8b765b/html5/thumbnails/20.jpg)
Copyright©2015Oracleand/oritsaffiliates.Allrightsreserved.|
Simple&Tailorable ComplianceReporting
20
![Page 21: Oracle Solaris Secure Cloud Infrastructure](https://reader034.fdocuments.us/reader034/viewer/2022052514/587b9ab81a28ab4e4f8b765b/html5/thumbnails/21.jpg)
Copyright©2015Oracleand/oritsaffiliates.Allrightsreserved.|
StopMalwareBeforeItGetsInImmutableSystemsandVirtualMachines– Can’testablishafoothold– Preventadministratormistakes– Updateeventhoughit’sunwritablebyusersandapplications
TamperEvidentSoftware– FirmwaretoApplications– Installonlyknown,trustedsoftware– Notsigned;won’tinstall– VerifiedBoot
21
![Page 22: Oracle Solaris Secure Cloud Infrastructure](https://reader034.fdocuments.us/reader034/viewer/2022052514/587b9ab81a28ab4e4f8b765b/html5/thumbnails/22.jpg)
Copyright©2015Oracleand/oritsaffiliates.Allrightsreserved.|
SecureLifecycleDoneRight
Secure• ImmutableSystemsandVirtualMachines
• TamperEvidentSoftware
• VerifiedBoot
Simple• 1-steppatching• Integratedsnapshots• 1-steprollback
Effective• Testedtogether• Fromfirmwaretoapplications
22
Firmware(
Virtualiza.on(
OS(
Database(
Applica.on(
![Page 23: Oracle Solaris Secure Cloud Infrastructure](https://reader034.fdocuments.us/reader034/viewer/2022052514/587b9ab81a28ab4e4f8b765b/html5/thumbnails/23.jpg)
Copyright©2015Oracleand/oritsaffiliates.Allrightsreserved.|
LargeCityinGermanyAutomaticPatching
23
![Page 24: Oracle Solaris Secure Cloud Infrastructure](https://reader034.fdocuments.us/reader034/viewer/2022052514/587b9ab81a28ab4e4f8b765b/html5/thumbnails/24.jpg)
Copyright©2015Oracleand/oritsaffiliates.Allrightsreserved.|
Threat#3:DirectdataaccessData
24
![Page 25: Oracle Solaris Secure Cloud Infrastructure](https://reader034.fdocuments.us/reader034/viewer/2022052514/587b9ab81a28ab4e4f8b765b/html5/thumbnails/25.jpg)
Copyright©2015Oracleand/oritsaffiliates.Allrightsreserved.|
$194*Theaveragecostperrecordstoleninadatabreach.
25
Source:Symantechttp://www.databreachcalculator.com/GetStarted.aspx
![Page 26: Oracle Solaris Secure Cloud Infrastructure](https://reader034.fdocuments.us/reader034/viewer/2022052514/587b9ab81a28ab4e4f8b765b/html5/thumbnails/26.jpg)
Copyright©2015Oracleand/oritsaffiliates.Allrightsreserved.|
52%
34%
11%
4%
Database
Network
Application
Middleware
ITLayersMostVulnerableToAttacks
67%
15%
15%
3%
Database
Network
Application
Middleware
AllocationofResourcesToSecureITLayer
Source:CSOOnlineMarketPulse,2013
NetworkSecurityisNotEnough:ProtecttheData!
![Page 27: Oracle Solaris Secure Cloud Infrastructure](https://reader034.fdocuments.us/reader034/viewer/2022052514/587b9ab81a28ab4e4f8b765b/html5/thumbnails/27.jpg)
Copyright©2015Oracleand/oritsaffiliates.Allrightsreserved.|
OnlyPlatformtoProtectApplicationsinMemorySiliconSecuredMemory
• Firsteverhardwarebasedmemoryprotection• Stopsattackersfromaccessingapplicationmemoryinappropriately• Alwaysonwithoutcompromise• Improvedefficiency&moresecureandhigheravailableapplications• Compatiblewithcurrentapplications
27
Application Memory
Pointer“B”GO
M7Processor
Pointer“A”GO
Pointer“Y”
![Page 28: Oracle Solaris Secure Cloud Infrastructure](https://reader034.fdocuments.us/reader034/viewer/2022052514/587b9ab81a28ab4e4f8b765b/html5/thumbnails/28.jpg)
Copyright©2015Oracleand/oritsaffiliates.Allrightsreserved.|
• Noperformanceloss• Automatically acceleratesJava,OracleDatabase,OpenSSL/TLS,andcustomapplications• Meetcompliancewithhighperformancediskencryption• SPARCM7SiliconSecuredMemory• IntegrateswithOracleKeyManager
28
AffordablyEncryptEverything,Everywhere,AlltheTime
Applications
Java
OracleDatabase
OperatingSystemUtilities
Storage
Virtualization
Firmware
Protectedatrest,inmotion,andinmemory
![Page 29: Oracle Solaris Secure Cloud Infrastructure](https://reader034.fdocuments.us/reader034/viewer/2022052514/587b9ab81a28ab4e4f8b765b/html5/thumbnails/29.jpg)
Copyright©2015Oracleand/oritsaffiliates.Allrightsreserved.|
NewExploitmitigationfeatures:sxadm(1M)
NXSTACKNonExecutableStack
BeenaroundsinceSolaris2.6butnowcontrolledviasxadm(1M)NowonbydefaultTagatbuildtimewith:-znxstack=enable|disable
NXHEAPNonExecutableHeap
Newin11.3,notenabledbydefaultsincethereareasmallnumberoflegitimateusesforanexecutableHEAP.Tagatbuildtimewith:-znxheap=enable|disable
ASLRAddressSpaceLayoutRandomisation
Added11.1
sxadmget-p Parsablestatusoutputsxadmdelcust GobacktovendordelivereddefaultsInstallTimePolicy svccfg extractsecurity-extensions
29
![Page 30: Oracle Solaris Secure Cloud Infrastructure](https://reader034.fdocuments.us/reader034/viewer/2022052514/587b9ab81a28ab4e4f8b765b/html5/thumbnails/30.jpg)
Copyright©2015Oracleand/oritsaffiliates.Allrightsreserved.|
ModernisingFirewallinOracleSolaris11.3• OpenBSD PFfirewallportedandintegratedintoOracleSolaris• ChooseeitherIPfilter orPF– onlyonecanbeactive– pkg:/network/firewall– pkg:/network/firewall/ftp-proxy– pkg:/network/firewall/pflog
• Rulesinpf.conf(4)• Loggingisvianewdladm(1M)controlledlinks• SMFsvc:/network/firewall• StartTransition: IPfilter isnowObsolete&mayberemovedinafuturerelease
30
![Page 31: Oracle Solaris Secure Cloud Infrastructure](https://reader034.fdocuments.us/reader034/viewer/2022052514/587b9ab81a28ab4e4f8b765b/html5/thumbnails/31.jpg)
Copyright©2015Oracleand/oritsaffiliates.Allrightsreserved.|
Modernising SSH• OracleSolaris9addedfirstOpenSSH version,becomeforkedSunSSH overtime.• OpenSSH (+somepatches)inOracleSolaris11.3– GSScredentialstorage– PAMServiceNameperSSHuserauthmethodasperSunSSH (PAMcan’tbedisabled)– DisableBanneroptionforssh client
• InstalleitherSunSSH orOpenSSH orboth– onlyonecanbedefaultssh(1)andsshd(1M),eitherorbothcanbeinstalled– Setdefaultviapkg mediatorwhenbothinstalled
• SMFsvc:/network/openssh• StartTransition:SunSSH isnowObsolete&mayberemovedinafuturerelease
31
![Page 32: Oracle Solaris Secure Cloud Infrastructure](https://reader034.fdocuments.us/reader034/viewer/2022052514/587b9ab81a28ab4e4f8b765b/html5/thumbnails/32.jpg)
Copyright©2015Oracleand/oritsaffiliates.Allrightsreserved.|
OracleSecurityInsideandOutLayersoftheStack
OracleCorporation- Confidential 32
S ECUR I TYS ECUR I TY
S ECUR I TY
S ECUR I TY
S ECUR I TY
S ECUR I TY
S E CUR I T Y
GovernanceRisk&ComplianceAccess&CertificationReview,AnomalyDetection,UserProvisioning,EntitlementsManagementMobileSecurity,PrivilegedUsersDirectoryServices, IdentityGovernanceEntitlementsManagement,AccessManagementEncryption,Masking,Redaction,KeyManagementPrivilegedUserControl,BigDataSecurity,SecureConfigApplication+UserSandboxing,DelegatedAdminAnti-malwaresystem,Data+NetworkProtectionComplianceReporting,SecuredAppLifecycleSecureLiveMigrationImmutableZonesIndependentControlPlaneCryptographicAccelerationApplicationDataIntegrityVerifiedBootDiskEncryption,SecuredBackup,EnterpriseKeyManagement
SPARC/Solaris
![Page 33: Oracle Solaris Secure Cloud Infrastructure](https://reader034.fdocuments.us/reader034/viewer/2022052514/587b9ab81a28ab4e4f8b765b/html5/thumbnails/33.jpg)
Copyright©2015Oracleand/oritsaffiliates.Allrightsreserved.| 33
BUILT-IN SECURITY INSIDE AND OUT SAVES TIME, MONEY AND REDUCES RISK
Mitigatescredentialabuse/misuse
Securelifecycledoneright
Encrypteverything,everywhere,allthetime
![Page 34: Oracle Solaris Secure Cloud Infrastructure](https://reader034.fdocuments.us/reader034/viewer/2022052514/587b9ab81a28ab4e4f8b765b/html5/thumbnails/34.jpg)
Copyright©2015Oracleand/oritsaffiliates.Allrightsreserved.|
Q&A
34
![Page 35: Oracle Solaris Secure Cloud Infrastructure](https://reader034.fdocuments.us/reader034/viewer/2022052514/587b9ab81a28ab4e4f8b765b/html5/thumbnails/35.jpg)
Copyright©2014Oracleand/oritsaffiliates.Allrightsreserved.| 35
![Page 36: Oracle Solaris Secure Cloud Infrastructure](https://reader034.fdocuments.us/reader034/viewer/2022052514/587b9ab81a28ab4e4f8b765b/html5/thumbnails/36.jpg)