Oracle Solaris Secure Cloud Infrastructure
0 likes1,250 views
The document discusses the security vulnerabilities and data breach statistics of various organizations, emphasizing the critical risks posed by stolen credentials, unpatched systems, and direct data access. It highlights the inefficiencies of traditional patching methods and presents Oracle Solaris as a solution with integrated security features for managing vulnerabilities. Key features include immutable systems, tamper-evident software, automated patching, and hardware-based memory protection to enhance overall security.
Oracle Solaris Secure Cloud Infrastructure
- 11. Copyright © 2015 Oracle and/or its affiliates. All rights reserved. |Oracle Corporation - Confidential 11Oracle Company Confidential – Shared Under Terms of OPN NDA 11 How the Sony Breach Changed Security
- 17. Copyright © 2015 Oracle and/or its affiliates. All rights reserved. | 17 It’s important to patch quickly and often… Patching on other systems takes significant time and money. Firmware Virtualization OS Database Application Other Systems: • Different tools • Different patches • Possible conflicts • Downtimes • Manual Rollback
- 18. Copyright © 2015 Oracle and/or its affiliates. All rights reserved. | Dramatically Simpler Lifecycle Management Solving patching and configuration vulnerabilities. 1818 Firmware Virtualization OS Database Application Oracle Solaris: • Secure • Pre-tested • Single-source patching. 1-Step Security Patching1-Step Rollback
- 21. Copyright © 2015 Oracle and/or its affiliates. All rights reserved. | Stop Malware Before It Gets In Immutable Systems and Virtual Machines – Can’t establish a foothold – Prevent administrator mistakes – Update even though it’s unwritable by users and applications Tamper Evident Software – Firmware to Applications – Install only known, trusted software – Not signed; won’t install – Verified Boot 21
- 22. Copyright © 2015 Oracle and/or its affiliates. All rights reserved. | Secure Lifecycle Done Right Secure • Immutable Systems and Virtual Machines • Tamper Evident Software • Verified Boot Simple • 1-step patching • Integrated snapshots • 1-step rollback Effective • Tested together • From firmware to applications 22 Firmware( Virtualiza.on( OS( Database( Applica.on(
- 27. Copyright © 2015 Oracle and/or its affiliates. All rights reserved. | Only Platform to Protect Applications in Memory Silicon Secured Memory • First ever hardware based memory protection • Stops attackers from accessing application memory inappropriately • Always on without compromise • Improved efficiency & more secure and higher available applications • Compatible with current applications 27 Application Memory Pointer “B” GO M7 Processor Pointer “A” GO Pointer “Y”
- 28. Copyright © 2015 Oracle and/or its affiliates. All rights reserved. | • No performance loss • Automatically accelerates Java, Oracle Database, OpenSSL/TLS, and custom applications • Meet compliance with high performance disk encryption • SPARC M7 Silicon Secured Memory • Integrates with Oracle Key Manager 28 Affordably Encrypt Everything, Everywhere, All the Time Applications Java Oracle Database Operating System Utilities Storage Virtualization Firmware Protected at rest, in motion, and in memory
- 30. Copyright © 2015 Oracle and/or its affiliates. All rights reserved. | Modernising Firewall in Oracle Solaris 11.3 • OpenBSD PF firewall ported and integrated into Oracle Solaris • Choose either IPfilter or PF – only one can be active – pkg:/network/firewall – pkg:/network/firewall/ftp-proxy – pkg:/network/firewall/pflog • Rules in pf.conf(4) • Logging is via new dladm(1M) controlled links • SMF svc:/network/firewall • Start Transition: IPfilter is now Obsolete & may be removed in a future release 30
- 31. Copyright © 2015 Oracle and/or its affiliates. All rights reserved. | Modernising SSH • Oracle Solaris 9 added first OpenSSH version, become forked SunSSH over time. • OpenSSH (+ some patches) in Oracle Solaris 11.3 – GSS credential storage – PAM Service Name per SSH userauth method as per SunSSH (PAM can’t be disabled) – DisableBanneroption for ssh client • Install either SunSSH or OpenSSH or both – only one can be default ssh(1) and sshd(1M) , either or both can be installed – Set default via pkg mediator when both installed • SMF svc:/network/openssh • Start Transition: SunSSH is now Obsolete & may be removed in a future release 31
- 32. Copyright © 2015 Oracle and/or its affiliates. All rights reserved. | Oracle Security Inside and Out Layers of the Stack Oracle Corporation - Confidential 32 S EC UR I TY S EC UR I TY S EC UR I TY S EC UR I TY S EC UR I TY S EC UR I TY S E C U R I T Y Governance Risk & Compliance Access & Certification Review, Anomaly Detection, User Provisioning, Entitlements Management Mobile Security, Privileged Users Directory Services, Identity Governance Entitlements Management, Access Management Encryption, Masking, Redaction, Key Management Privileged User Control, Big Data Security, Secure Config Application + User Sandboxing, Delegated Admin Anti-malware system, Data + Network Protection Compliance Reporting, Secured App Lifecycle Secure Live Migration Immutable Zones Independent Control Plane Cryptographic Acceleration Application Data Integrity Verified Boot Disk Encryption, Secured Backup, Enterprise Key Management SPARC/Solaris
- 33. Copyright © 2015 Oracle and/or its affiliates. All rights reserved. | 33 BUILT-IN SECURITY INSIDE AND OUT SAVES TIME, MONEY AND REDUCES RISK Mitigates credential abuse/misuse Secure lifecycle done right Encrypt everything, everywhere, all the time