Rock Solid Security
NonStop Technical Bootcamp
San Jose, CA – November 18, 2015
About Us
• Mission-Critical Security Specialists
• Key XYGATE Software Bundled with all HP NonStop Servers
• Global support with more NonStop security depth than any other organization.
Agenda
• Object Security 101
• Industry trends in NonStop Security
• Addressing Safeguard limitations – real world examples
• Simple solutions to complex problems
• Open forum, time permitting
Traditional User Grouping
• NonStop users are identified by the combination of:
  a. A Group (Support, Development, Security, Application, Super, etc.)
  b. A User (First Name, Last Name, Employee Number, Manager)
• NonStop aliases are identified by:
  a. A relationship/link to a Group and a User (Support.Manager)
  b. A name (First Name, Last Name, Employee Number, Manager)
Traditional Object Security
• NonStop objects are identified by the combination of:
  a. A name (up to 8 characters per name component)
  b. A type (File, Subvolume, Volume, Process, Device, etc.)
• NonStop objects are secured by the combination of:
  a. The object name (up to 8 characters per name component)
  b. An Access Control List (ACL) granting R, W, E, P, C, O (read, write, execute, purge, create, owner), each optionally marked DENY
User to Object – Security Vector

Object       APPL.JOE         SUPPORT.MARY     DEV.MANAGER
FILE         R, E             R, E             R, E
SUBVOLUME    R, W, C          R, W, C          R, W, C
PROCESS      R,W,E,P,C,O      R,W,E,P,C,O      R,W,E,P,C,O

Each cell is the set of permissions the user (Group.User) holds on that object type; in native Safeguard every such cell is backed by an ACL entry on the named object.
More Typical Safeguard ACL’s
Safeguard Security is “Good” but…
• Is complex
• Is syntax intensive
• Is not intuitive
• Has limitations
GUI Solutions Help Safeguard Management
• Graphical, easy-to-use and intuitive
• Eliminate syntax and errors
• Can manage multiple systems
• Have extended functionality
• Provide extensive reporting
• Manage both Users and Objects
GUI Managers are “Better” but…
• Are still limited to native Safeguard security
The Economics of Safeguard Alone

[Chart: NonStop Security Supply and Demand, 1990 to 2015. Three series plotted on a 0–3500 scale: Security Needs, Available Resources, Safeguard Capabilities.]
A few Safeguard limitations

PCI DSS requirements (v3.x numbering) the deck cites as pain points for Safeguard alone:
• 7.1.2 Restrict access to privileged user IDs to least privileges necessary to perform job responsibilities
• 7.2 Establish an access control system for systems components that restricts access based on a user’s need to know, and is set to “deny all” unless specifically allowed
• 8.1.6 Limit repeated access attempts by locking out the user ID after not more than six attempts
Credit Card Company – Real World Case
• Challenge: Manageability of more than 1,000,000 Safeguard ACLs across 24 NonStop servers
• Problem: Insufficient staff and knowledge to maintain security levels efficiently
• Solution: XYGATE Object Security (XOS); 1,000,000 ACLs replaced by 300 XOS rules
Brokerage Firm – Real World Case
• Challenge: Meet corporate security policy to deny write access by developers on production systems
• Problem: To enforce “Deny”, Safeguard requires an ACL per object (several thousand in this case); there is no default “Deny All” functionality in Safeguard
• Solution: XYGATE Object Security (XOS); 1 XOS rule
Payments Processor – Real World Case
• Challenge: Guarantee that all non-application SQL DB access is audited to the original user
• Problem:
  • Safeguard cannot differentiate between application access and user access
  • Safeguard can only secure SQL/MP to the subvolume level
  • Safeguard can only secure based on the name of the subvolume
• Solution: XYGATE Object Security (XOS); 2 XOS rules (1 to provide application access to the SQL DB, 1 to force users onto a keystroke-audited process when accessing the SQL DB)
Top 5 US Bank – Real World Case
• Challenge: Secure millions of OSS objects, audit OSS user activity, and have a common security model for both Safeguard and OSS
• Problem:
  • Overwhelming and unattainable with POSIX permissions and OSS ACLs
  • OSS audit insufficient and impractical
  • Safeguard and OSS security are vastly different
• Solution: XYGATE Object Security (XOS); XOS rules for both OSS and Safeguard
XYGATE Object Security (XOS)
• Rules-based object security: a single rule can replace an unlimited number of Safeguard ACLs
• The security decision is made at the time of the access request, so security adjusts dynamically as the environment changes
• The object security vector can include multiple object attributes: name, requesting object, file code, age, etc.
• The same benefits apply to both Guardian and OSS objects
• Relied on for securing many of the world’s largest (as well as smaller) NonStop customers
XYGATE Object Security (XOS)
• Concerns?
  • Can be implemented without risk and phased in over time
  • Complete warning mode and what-if/explain functionality
  • Supports a “Deny All” default setting
  • Does not supersede Safeguard
  • Availability is as reliable as your NonStop
  • Changes/updates are instantaneous
  • No cold load required
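To make the contrast concrete, here is an added Python model, written for this page and not XYPRO's, XOS's or HPE's code, of the two approaches: the name-keyed ACL lookup behind the security vector table and the brokerage case (one protection record per object, no deny-all default) versus an ordered list of attribute-based rules with a deny-all default, decided at the time of each access request. The permission letters follow the Safeguard convention; the users, object names, the `production` and `file_code` attributes, the rule syntax and the "no record means allow" fallback are constructed assumptions for the illustration, not Safeguard's or XOS's real semantics.

```python
"""Toy model contrasting name-keyed ACLs with attribute-based rules.

Constructed illustration, not XYPRO, XOS or HPE Safeguard code. Only the
permission letters (R read, W write, E execute, P purge, C create, O owner)
follow the Safeguard convention used in the slides; users, objects, rule
syntax and the fallback behaviour are invented for the example.
"""
from dataclasses import dataclass
from typing import Callable

PERMS = set("RWEPCO")

@dataclass(frozen=True)
class User:
    group: str   # e.g. "DEV"
    name: str    # e.g. "MANAGER"

@dataclass(frozen=True)
class Obj:
    name: str           # Guardian-style name, e.g. "$DATA.PROD.ACCTS" (assumed)
    kind: str           # "FILE", "SUBVOLUME" or "PROCESS"
    file_code: int = 0  # attribute a rule could test (assumed, unused below)
    production: bool = False  # assumed attribute for the brokerage policy

# Model 1: ACLs keyed by object name, one protection record per object.
# record[(group, user)] = (allowed letters, denied letters); "*" = any user.
Record = dict[tuple[str, str], tuple[set[str], set[str]]]

def acl_check(acl: dict[str, Record], user: User, obj: Obj, perm: str) -> bool:
    """Decide by looking up a record for this exact object name.
    No record -> access allowed. That models the slides' point that there is
    no default 'deny all' (real Safeguard falls back to the Guardian security
    string, which is not a deny-all either)."""
    assert perm in PERMS
    record = acl.get(obj.name)
    if record is None:
        return True
    entry = record.get((user.group, user.name)) or record.get((user.group, "*"))
    if entry is None:
        return False
    allowed, denied = entry
    return perm in allowed and perm not in denied

# Model 2: ordered rules over user and object attributes, evaluated at access
# time. First matching rule wins; no match is a deny (deny-all default).
Rule = tuple[Callable[[User, Obj, str], bool], str]

def rule_check(rules: list[Rule], user: User, obj: Obj, perm: str) -> bool:
    assert perm in PERMS
    for predicate, decision in rules:
        if predicate(user, obj, perm):
            return decision == "ALLOW"
    return False

# The security vector from the slides: every listed user gets R,E on files,
# R,W,C on subvolumes and R,W,E,P,C,O on processes.
VECTOR = {"FILE": set("RE"), "SUBVOLUME": set("RWC"), "PROCESS": set(PERMS)}
KNOWN_USERS = {("APPL", "JOE"), ("SUPPORT", "MARY"), ("DEV", "MANAGER")}

def vector_rules() -> list[Rule]:
    return [(lambda u, o, p: (u.group, u.name) in KNOWN_USERS
             and p in VECTOR.get(o.kind, set()), "ALLOW")]

def brokerage_rules() -> list[Rule]:
    """Policy 'developers may not write on production': one deny rule ahead of
    the normal vector, however many production objects exist now or later."""
    deny_dev_prod_write: Rule = (
        lambda u, o, p: u.group == "DEV" and o.production and p == "W", "DENY")
    return [deny_dev_prod_write] + vector_rules()

def brokerage_acls(objects: list[Obj]) -> dict[str, Record]:
    """The same policy as ACLs: one record per production object that exists
    when the records are generated; objects created later are missed."""
    acl: dict[str, Record] = {}
    for o in objects:
        if o.production:
            acl[o.name] = {("DEV", "*"): (VECTOR[o.kind], {"W"}),
                           ("SUPPORT", "*"): (VECTOR[o.kind], set()),
                           ("APPL", "*"): (VECTOR[o.kind], set())}
    return acl

def compare(n_prod: int) -> dict[str, object]:
    """Build n_prod production subvolumes, generate the ACLs, then add one
    more production subvolume and report what each model decides for
    DEV.MANAGER."""
    prod = [Obj(f"$DATA.PROD{i:04d}", "SUBVOLUME", production=True)
            for i in range(n_prod)]
    acl = brokerage_acls(prod)
    rules = brokerage_rules()
    dev = User("DEV", "MANAGER")
    late = Obj("$DATA.PRODNEW", "SUBVOLUME", production=True)  # created later
    return {
        "acl_records": len(acl),
        "rules": len(rules),
        "acl_denies_write_on_known": not acl_check(acl, dev, prod[0], "W"),
        "acl_denies_write_on_late": not acl_check(acl, dev, late, "W"),
        "rule_denies_write_on_known": not rule_check(rules, dev, prod[0], "W"),
        "rule_denies_write_on_late": not rule_check(rules, dev, late, "W"),
        "rule_allows_read_on_late": rule_check(rules, dev, late, "R"),
    }

if __name__ == "__main__":
    for key, value in compare(3000).items():
        print(f"{key:28} {value}")
```

The point the numbers make: the ACL model needs one record per production object (3000 here, matching the "several thousand" of the brokerage case) and still lets the developer write to the subvolume created after the records were generated, while the rule model expresses the policy as two ordered rules and denies the late object too, because the decision is taken against the object's attributes at access time rather than against a list built earlier.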
XYGATE Object Security (XOS) is simply the “Best” security solution for today, and tomorrow.