Rock Solid Security NonStop Technical Bootcamp San Jose, CA – November 18, 2015.
About Us
• Mission-Critical Security Specialists
• Key XYGATE software bundled with all HP NonStop servers
• Global support with more NonStop security depth than any other organization
Agenda
• Object Security 101
• Industry trends in NonStop Security
• Addressing Safeguard limitations – real world examples
• Simple solutions to complex problems
• Open forum, time permitting
Traditional User Grouping
• NonStop users are identified by the combination of:
  a. A Group (Support, Development, Security, Application, Super, etc.)
  b. A User (First Name, Last Name, Employee Number, Manager)
• NonStop aliases are identified by:
  a. A relationship/link to a Group and a User (Support.Manager)
  b. A name (First Name, Last Name, Employee Number, Manager)
Traditional Object Security
• NonStop Objects are identified by the combination of:
  a. A name (up to 8 characters)
  b. A type (File, Subvolume, Volume, Process, Device, etc.)
• NonStop Objects are secured by the combination of:
  a. The object name (up to 8 characters)
  b. An Access Control List (ACL) listing the authorities R,W,E,P,C,O (Read, Write, Execute, Purge, Create, Owner), each of which can also be explicitly denied (DENY)
User to Object – Security Vector

Object type   APPL JOE       SUPPORT MARY   DEV MANAGER
FILE          R,E            R,E            R,E
SUBVOLUME     R,W,C          R,W,C          R,W,C
PROCESS       R,W,E,P,C,O    R,W,E,P,C,O    R,W,E,P,C,O
More Typical Safeguard ACL’s (slide shows a screenshot of ACL listings; not reproduced here)
Safeguard Security is “Good” but…
• Is complex
• Is syntax intensive
• Is not intuitive
• Has limitations
GUI Solutions Help Safeguard Management
• Graphical, easy-to-use and intuitive
• Eliminate syntax and errors
• Can manage multiple systems
• Have extended functionality
• Provide extensive reporting
• Manage both Users and Objects
GUI Managers are “Better” but…
• Are still limited to native security
The Economics of Safeguard Alone
[Chart: NonStop Security Supply and Demand, 1990–2015. Series plotted: Security Needs, Available Resources, Safeguard Capabilities (y-axis 0–3500).]
A few Safeguard limitations
Compliance requirements (PCI DSS numbering) cited as difficult to satisfy with Safeguard alone:
• 7.1.2 Restrict access to privileged user IDs to least privileges necessary to perform job responsibilities
• 7.2 Establish an access control system for systems components that restricts access based on a user’s need to know, and is set to “deny all” unless specifically allowed
• 8.1.6 Limit repeated access attempts by locking out the user ID after not more than six attempts
Credit Card Company – Real World Case
• Challenge: Manageability of more than 1,000,000 Safeguard ACLs across 24 NonStop servers
• Problem: Insufficient staff and knowledge to maintain security levels efficiently
• Solution: XYGATE Object Security (XOS); 1,000,000 ACLs replaced by 300 XOS rules
Brokerage Firm – Real World Case
• Challenge: Meet corporate security policy to deny write access by developers on production systems
• Problem: To enable “Deny”, Safeguard requires ACLs (several thousand in this case); there is no default “Deny All” functionality in Safeguard
• Solution: XYGATE Object Security (XOS); 1 XOS rule
Payments Processor – Real World Case
• Challenge: Guarantee all non-application SQL DB access is audited to the original user
• Problem:
  • Safeguard cannot differentiate between application access and user access
  • Safeguard can only secure SQL/MP to the subvolume level
  • Safeguard can only secure based on the name of the subvolume
• Solution: XYGATE Object Security (XOS); 2 XOS rules (1 to provide application access to the SQL DB, 1 to enforce a keystroke-audited process when a user accesses the SQL DB)
Top 5 US Bank – Real World Case
• Challenge: Secure millions of OSS objects, audit OSS user activity and have a common security model for both Safeguard and OSS
• Problem:
  • Overwhelming and unattainable with POSIX and OSS ACLs
  • OSS audit insufficient and impractical
  • Safeguard and OSS security are vastly different
• Solution: XYGATE Object Security (XOS); XOS rules for both OSS and Safeguard
XYGATE Object Security (XOS)
• Rules-based object security: a single rule can replace an unlimited number of Safeguard ACLs
• The security decision is applied at the time of the access request, so security adjusts dynamically as the environment changes
• The object security vector can include multiple object attributes: name, requesting object, file code, age, etc.
• The same benefits exist for both Guardian and OSS objects
• Relied on for securing many of the world’s largest (as well as smaller) NonStop customers
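The access-time rule model described above, set against the per-object ACL model from the Traditional Object Security slide, as an added Python model that is not XOS or Safeguard code. User IDs, object names, program names ($SYSTEM.APPL.PAYSVR, $SYSTEM.AUDIT.AUDSHELL) and the rules are constructed for illustration, and treating an object with no ACL as ungoverned is a simplification of Safeguard's fall-through to Guardian file security. It reproduces the brokerage case (one deny rule for developer writes on production) and the payments case (application program allowed, users only via an audited process), and shows why a file created after the ACLs were written is covered by a rule but not by an ACL.

```python
"""Added example: per-object ACLs versus access-time rules with default deny.
Not XOS or Safeguard code; names and rules below are constructed."""
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Request:
    user: str            # group.user, e.g. "DEV.MANAGER"
    obj: str             # object name, e.g. "$DATA.PROD.ACCTS"
    access: str          # one of R W E P C O
    requester: str = ""  # program making the request; "" = interactive user


# Model 1: ACLs attached to named objects. An object nobody wrote an ACL for
# has no protection record; the deck's point is that nothing is denied by
# default, modelled here (a simplification) as a grant on fall-through.
ACLS = {
    "$DATA.PROD.ACCTS": {"APPL.JOE": "RWE", "DEV.MANAGER": "RE"},
    "$DATA.PROD.TRANS": {"APPL.JOE": "RWE", "DEV.MANAGER": "RE"},
}


def acl_decision(req, acls=ACLS):
    """GRANT/DENY from the object's ACL; GRANT when no ACL names the object."""
    entries = acls.get(req.obj)
    if entries is None:
        return "GRANT"
    return "GRANT" if req.access in entries.get(req.user, "") else "DENY"


def acl_records_for_deny(prod_files):
    """Minimum ACL records to deny developer writes on every production file:
    one per object, and every new production file needs another before it
    is covered."""
    return len(prod_files)


# Model 2: rules matched at access time against the whole request;
# first matching rule wins, nothing matching means deny.
@dataclass(frozen=True)
class Rule:
    name: str
    effect: str             # "GRANT" or "DENY"
    users: str = "*"        # glob on group.user
    objects: str = "*"      # glob on object name
    access: str = "RWEPCO"  # access types the rule applies to
    requester: str = "*"    # glob on requesting program ("" = interactive)

    def matches(self, req):
        return (fnmatchcase(req.user, self.users)
                and fnmatchcase(req.obj, self.objects)
                and req.access in self.access
                and fnmatchcase(req.requester, self.requester))


def rule_decision(req, rules, default="DENY"):
    """Return (effect, rule name) of the first matching rule, else default deny."""
    for rule in rules:
        if rule.matches(req):
            return rule.effect, rule.name
    return default, "default-deny"


# Constructed rule set mirroring two of the deck's cases.
RULES = [
    # Brokerage case: one rule denies developers write access on production.
    Rule("no-dev-write-prod", "DENY", users="DEV.*", objects="$*.PROD.*", access="W"),
    # Payments case, rule 1: the application program may use the SQL database
    # (program name is a hypothetical placeholder).
    Rule("app-sql-access", "GRANT", objects="$DATA.SQLDB.*",
         requester="$SYSTEM.APPL.PAYSVR"),
    # Payments case, rule 2: users reach the SQL database only through the
    # keystroke-audited process (hypothetical name); any other path is denied.
    Rule("user-sql-audited", "GRANT", users="SUPPORT.*", objects="$DATA.SQLDB.*",
         requester="$SYSTEM.AUDIT.AUDSHELL"),
    # Read and execute on production for everyone not caught above.
    Rule("prod-read", "GRANT", objects="$*.PROD.*", access="RE"),
]


def coverage_demo():
    """Developer write to a production file created after the ACLs were set:
    the ACL model has no record for it, the rule still applies."""
    req = Request("DEV.MANAGER", "$DATA.PROD.NEWFILE", "W")
    return acl_decision(req), rule_decision(req, RULES)[0]


if __name__ == "__main__":
    prod_files = [f"$DATA.PROD.F{i:04d}" for i in range(1000)]
    print("ACL records to deny dev write:", acl_records_for_deny(prod_files))
    print("rules to deny dev write:", sum(r.name == "no-dev-write-prod" for r in RULES))
    print("new prod file, dev write (acl, rule):", coverage_demo())
```

Rule order matters in this model: the deny rule sits first so that the broad prod-read grant cannot be reached by a developer write, which is the same ordering discipline a real rules engine needs when it supports a Deny All default alongside explicit grants.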
XYGATE Object Security (XOS)
• Concerns?
• Can be implemented without risk and phased in over time
• Complete warning mode and what-if/explain functionality
• Supports a “Deny All” default setting
• Does not supersede Safeguard
• Availability is as reliable as your NonStop
• Changes/updates are instantaneous
• No cold load required
XYGATE Object Security (XOS) is simply the “Best” security solution for today, and tomorrow.