Paul Tatum Director Systems Engineering
Secure Your Data Center: From the Infrastructure to the Operating System
253,488,925
Reported number of “records” that have been compromised since 2005 - privacyrights.org
Agenda
> The IT Challenge
> Threats and Vulnerabilities
> Evaluating Your Security Posture
> Mitigating the Risk
> Monitoring the Threat
> Secure and Open
What is Driving Infrastructure Demand?
New Consumers.
New Content.
New Devices.
New Services.
New Missions.
On the Network... Drives Infrastructure Demand.
Sun Infrastructure Powers the Network Economy
Our Vision: The Network is the Computer
• 1.5+ billion people on the Net today
• 390 gigabytes of data created every second
• 50% new data growth
[Chart: 1.5 billion Internet users, plotted over time, 1995 to 2010]
Everyone and everything participates on the network
Why does Security Matter?
FBI's 'human firewall' warns of computer crimes - 3/2/09, WorldNews
Shawn Henry of the FBI calls computer crimes "the most critical threat to our way of life other than weapons of mass destruction."
FAA suffers massive data breach; More than 45,000 affected - 2/10/09 - FCW
The FAA has notified employees that one of its computers was hacked, and the personally identifiable information of more than 45,000 employees and retirees was stolen electronically.
IE security breach spurs emergency fix - 12/27/08 - AP
Microsoft Corp. is taking the unusual step of issuing an emergency fix for a security hole in its Internet Explorer software that has exposed millions of users to having their computers taken over by hackers.
Top 10 Cyber Security Menaces
• Sophisticated Web Attacks (e.g. Conficker)
• Botnets (e.g. Storm Worm)
• Cyber Espionage (Military & Economic)
• Mobile Phones / VOIP
• Insider Attacks
• Identity Theft from Persistent Bots (collectors)
• Malicious Spyware
• Web Applications
• Blended Phishing
• Supply Chain (thumb drives, CDs, GPS)
http://www.sans.org/2008menaces
Threats and Vulnerabilities
DILBERT: © Scott Adams/Dist. by United Feature Syndicate, Inc.
Security @ Sun
• 30,000 Employees
• 10,000 Consultants
• 100+ Countries
• 5 Data Centers
• 1000's of Suppliers
• 6000 IT Servers
• 5,800 Subnets
• 130,000 ports
Evaluating Your Security Posture
Balancing Multiple, Competing Business Priorities
• Corporate Governance
• Portals
• Extranets
• Web Services
• Become More Secure
• Improve Access and Service
• Internal Threats
• External Threats
• Reduce Costs
• Dynamic User Base
• Operations
• Legal Mandates
• Integration
• Help Desk
• Development
Security Control Best Practice Guide - ISO 27002
• Risk Assessment
• Security Policy
• Assessment Management
• HR Security
• Physical Security
• Communications
• Access Control
• IT Acquisition
Take A Systemic Approach
Policy Process People Product
Policy
• Data Classification/Handling
• Least Privilege
• Separation of Duties
• Data Encryption
• Device Shredding
• Strong Authentication
• Session Logging, Auditing
• User Provisioning
• Patch Management
Process
• On Ramp
• Establish the Boundary
• Validate the Architecture
• Gather and Analyze Requirements
• Develop and Execute the Plan
• Perform a Threat Risk Analysis
• Secure the Architecture
Process – Auditor's Top Violations
“Show me processes for prevention AND show me proof”
• Unidentified segregation of duties
• OS/DB access to critical apps or portal not secure
• Staff can run business transactions in production
• Unauthorized access to “super user”
• Previous employees have system access
• Custom programs are not secured
• Procedures for manual processes do not exist
• System docs do not match actual process
Source: Ken Vander Wal, Partner, National Quality Leader, E&Y; ISACA Sarbanes Conference, 4/6/04
People - Importance of Roles
• Who is accessing what data and which applications?
• Who approved the access assigned to users?
• How can we enforce access control policies?
EMPLOYEES
ACCESS MANAGEMENT
APPS & DATA
People - Identity Management
Product – Avoiding the Threat
SunRay Thin Client - No Local Data, Nothing Cached, No Viruses
• Display and manipulate sensitive data without it ever leaving the server
• Data is never cached
• No hard disk or addressable flash memory
• No intellectual property risk if a client is lost or stolen
• No local operating system, no client virus issues
Product – Monitoring the Threat
Solaris 10 TX (Trusted Operating System)
Product – Exposing the Threat
Open Source Software – Secure through examination
Software Vulnerability Data
[Chart: "# Vulnerabilities" and "Distribution #" compared across PROPRIETARY and OPEN SOURCE software. Products shown: Solaris, MySQL, Java, Oracle, Microsoft Windows, VMWare, Xen. Callouts: "Java Only 7", "Xen Only 10". Source: http://nvd.nist.gov/nvd.cfm]
Less Vulnerabilities = More Security
More Information
• Sun Security Home
> http://www.sun.com/security
• Sun Inner Circle
> http://www.sun.com/newsletters/
• Sun Security BluePrints
> http://www.sun.com/blueprints
Ensuring Datacenter Security
Categorize your Data & People
Develop Sound Processes & Procedures
Comprehensive Identity Management
Think Thin Client
Go Open Source, It's More Secure
Use Multiple Layers in Securing Everything
Thank you