Paul Tatum Director Systems Engineering Secure Your Data Center: From the Infrastructure to the Operating System

Upload: gwendolyn-bradley

Post on 25-Dec-2015


253,488,925: Reported number of “records” that have been compromised since 2005 - privacyrights.org

Agenda

> The IT Challenge
> Threats and Vulnerabilities
> Evaluating Your Security Posture
> Mitigating the Risk
> Monitoring the Threat
> Secure and Open

What is Driving Infrastructure Demand?

Sun Infrastructure Powers the Network Economy

[Figure: Internet Users over TIME (1995, 2000, 2005, 2010), reaching 1.5 Billion. Labels: Drives Infrastructure Demand. On the Network... New Consumers. New Content. New Devices. New Services. New Missions.]

Our Vision: The Network is the Computer

• 1.5+ billion people on the Net today
• 390 gigabytes of data created every second
• 50% new data growth

Everyone and everything participates on the network

Why does Security Matter?

FBI's 'human firewall' warns of computer crimes - 3/2/09, WorldNews

Shawn Henry of the FBI calls computer crimes "the most critical threat to our way of life other than weapons of mass destruction."

FAA suffers massive data breach; More than 45,000 affected - 2/10/09 - FCW

The FAA has notified employees that one of its computers was hacked, and the personally identifiable information of more than 45,000 employees and retirees was stolen electronically.

IE security breach spurs emergency fix - 12/27/08 - AP

Microsoft Corp. is taking the unusual step of issuing an emergency fix for a security hole in its Internet Explorer software that has exposed millions of users to having their computers taken over by hackers.

Top 10 Cyber Security Menaces

http://www.sans.org/2008menaces

• Sophisticated Web Attacks (e.g. Conficker)
• Botnets (e.g. Storm Worm)
• Cyber Espionage (Military & Economic)
• Mobile Phones / VOIP
• Insider Attacks
• Identity Theft from Persistent Bots (collectors)
• Malicious Spyware
• Web Applications
• Blended Phishing
• Supply Chain (thumb drives, CDs, GPS)

Threats and Vulnerabilities


Security @ Sun

• 30,000 Employees
• 10,000 Consultants
• 100+ Countries
• 5 Data Centers
• 1000's of Suppliers
• 6000 IT Servers
• 5,800 Subnets
• 130,000 ports

Evaluating Your Security Posture

Balancing Multiple, Competing Business Priorities

[Diagram labels: Reduce Costs; Improve Access and Service; Become More Secure; Web Services; Extranets; Portals; Dynamic User Base; Operations; Help Desk; Development; Integration; Corporate Governance; Internal Threats; External Threats; Legal Mandates]

Security Control Best Practice Guide - ISO 27002

• Risk Assessment
• Security Policy
• Assessment Management
• HR Security
• Physical Security
• Communications
• Access Control
• IT Acquisition

Take A Systemic Approach

Policy Process People Product

Policy

• Data Classification/Handling
• Least Privileged
• Separation of Duties
• Data Encryption
• Device Shredding
• Strong Authentication
• Session Logging, Auditing
• User Provisioning
• Patch Management

Process

[Diagram labels: Establish the Boundary; Gather and Analyze Requirements; Secure the Architecture; Perform a Threat Risk Analysis; Validate the Architecture; Develop and Execute the Plan; On Ramp]

Process – Auditor's Top Violations

“Show me processes for prevention AND show me proof”

• Unidentified segregation of duties
• OS/DB access to critical apps or portal not secure
• Staff can run business transactions in production
• Unauthorized access to “super user”
• Previous employees have system access
• Custom programs are not secured
• Procedures for manual processes do not exist
• System docs do not match actual process

Source: Ken Vander Wal, Partner, National Quality Leader, E&Y; ISACA Sarbanes Conference, 4/6/04

People - Importance of Roles

Who is accessing what data and which applications?

Who approved the access assigned to users?

How can we enforce access control policies?

[Diagram labels: EMPLOYEES; ACCESS MANAGEMENT; APPS & DATA]

People - Identity Management

Product – Avoiding the Threat

SunRay Thin Client - No Local Data, Nothing Cached, No Viruses

• Display and manipulate sensitive data without it ever leaving the server
• Data is never cached
• No hard disk or addressable flash memory
• No intellectual property risk if a client is lost or stolen
• No local operating system, no client virus issues

Product – Monitoring the Threat

Solaris 10 TX (Trusted Operating System)

Product – Exposing the Threat

Open Source Software – Secure through examination

[Chart: Software Vulnerability Data. Axes: # Vulnerabilities and Distribution #. Products: Sun Solaris, Xen, MySQL, Java, Microsoft Windows, VMWare, Oracle. Groups: OPEN SOURCE, PROPRIETARY. Callout: Less Vulnerabilities = More Security. Source: http://nvd.nist.gov/nvd.cfm]

More Information

• Sun Security Home > http://www.sun.com/security
• Sun Inner Circle > http://www.sun.com/newsletters/
• Sun Security BluePrints > http://www.sun.com/blueprints

Ensuring Datacenter Security

• Categorize your Data & People
• Develop Sound Processes & Procedures
• Comprehensive Identity Management
• Think Thin Client
• Go Open Source, It's More Secure
• Use Multiple Layers in Securing Everything


Thank you