Oracle's security offerings are unique from those provided in other products by their respective vendors. Oracle owns the entire stack, encompassing both the hardware and software components. Therefore, Oracle can employ cross layer and in-between layer engineering to truly implement a defense-in-depth solution against cyber threats. These enhancements are further extended in the capabilities that have been engineered into Oracle SPARC and Solaris products.
The purpose of the defense-in-depth strategy is threefold:
Prevent attacks.
Oracle systems use encryption and redaction, masking and subsetting, as well as controlling all privileged user credentials to shield themselves from attack.
Detect security breaches.
Oracle systems perform active monitoring, auditing, and reporting to record suspicious activity.
Administer all the security-related system components.
Being the owner of the total stack, Oracle offers integrated administrative tools such as key management, privilege and data recovery, and configuration management to efficiently administer security.
According to an analysis, 82% of all reported attacks is caused by the following vulnerabilities:
Abuse and misuse of credentials (50%).
Unpatched or poorly configured systems (19%).
Unprotected data (15%).
The following sections discuss how Oracle Solaris security solutions are designed to specifically address these vulnerabilities.
One hundred percent of all cyber attacks target user names and password credentials. These are the keys that enable entry to a company's infrastructure and its digital assets and intellectual property. The extent of the monetary losses due to theft of personal and company information reaches billions of dollars.
To minimize this vulnerability, Oracle Solaris systems run an array of technologies such as the following:
Immutable systems and virtual machine technology
Role based access controls
Secure by default installation
Verified boot
In combination, these technologies secure and protect user credentials by blocking malware from gaining a foothold in the data center.
System immutability minimizes administrator mistakes by preventing even superusers from writing files on the system and making configuration changes. If changes are required, these occur on the next layer down and are visible because they are audited. With verified boot, only signed boot and kernel modules can run on the system, and unauthorized or unsigned software fails. Therefore, malware code cannot alter system configurations.
Additionally, system administrators, database administrators, and others who have privileged access are granted limited rights that are directly related to their specific tasks. These rights be can controlled by time, date, and system name so that authorized system and data access are restricted only to defined days and times. Thus, 24/7 access is granted only to the most essential roles rather than to all administrators.
Role based access controls are complemented by fine-grained auditing. With remote auditing, audit records are kept elsewhere than on the system being monitored. Therefore, hackers cannot tamper with audit trails to remove evidence of a breach.
These security controls are available on all Oracle Solaris systems.
Unpatched systems are open doors into the data center. Of the reported penetration through unpatched systems, 99.9% occurred at least a year after vulnerabilities were identified and published and the patches had been made available to plug those security holes.
Failure to patch systems promptly despite official threat notices is largely due to the complexity of patching systems. The hybrid infrastructures that most enterprise environments use are particularly complex.
In a generic environment, systems and software are assembled from a variety of sources. Accordingly, patches for each layer of the stack are supplied by different vendors. Typically, vendors provide their own vendor-specific tools to apply their patches.
In this scenario, a customer deals with multiple but autonomous patches that have not been tested to run together. The customer has the responsibility to designate a time period to test the patches and ensure they do not break the operation of the system. Testing can take a significant amount of time. If failures occur during testing, patching would be delayed while emergency fixes from vendors are also tested to identify potential impacts. Postponements in applying patches increase the probability of the systems being penetrated.
The customer is also in charge of rolling out the patches to production. In a generic environment, a smooth rollout is not guaranteed. Rolling back the patches can become as complicated as the patching itself.
In short, in a heterogeneous data center, patch management can be very challenging.
Oracle Solaris security fixes, together with other feature updates, are released through support repository updates (SRU releases) and, for earlier OS versions, through patches. SRUs are released monthly. In urgent circumstances, critical fixes can made available outside of the monthly schedule.
In SRUs, all updates and security fixes are pre-bundled. Thus, SRUs are applied as a unit.
Security updates apply to all layers of the stack: applications, database, OS, virtualization, and firmware.
These updates are tested to guarantee that they work together seamlessly before they are released.
Only one tool is employed. System update (patching) is accomplished with a single command. Similarly, rollback also is a one-step operation. Both update and rollback require at most a single reboot. Therefore, very little system downtime is involved.
A critical patch update is published every quarter that delivers all new security fixes for Oracle products, including Oracle Solaris SRUs and Solaris 10 patches.
Cybercrime and other system security threats have made frequent and timely patching a necessity. With Oracle Solaris 11, system update incurs minimal downtime.
The final target of cyber theft is the company's data.
Typically, security protection is focused on "defending the perimeter": protecting the network from intrusion. In one survey, 52% of respondents said that their databases are the most vulnerable to an attack, while 34% said their network is the most vulnerable to an attack. The same survey found that 67% of security resources are allocated to secure the network, while 15% of security resources are spent on data protection.
A secure network is a vital component to guard against attacks. Spending continues toward the deployment of intrusion detection systems, anti-malware, and network firewalls. However, in the age of globalization, industries span multiple countries across the globe. Outsourcing is common practice. Company data centers are in multiple locations. More recently, businesses are turning to cloud computing and services. These developments have made the network very large. If a network is breached, then other protections need to be in place between the attacker and company data.
One protection is encryption. In Oracle Solaris systems, encryption protection begins in the firmware and extends across to kernel software, application software, and database.
A general objection to encryption is performance overhead. No such penalty exists with Oracle Solaris systems running on SPARC.
Oracle implements industry standard algorithms and optimizes their performance on the SPARC chip. With on-chip technology, algorithms are executed on the chip rather than on the CPU. Because cryptography is automatically offloaded when the algorithm is available on the chip, the processor becomes free for applications and the database to use, which accelerates their performance. The SPARC processor has more on-chip cryptography than any other processor.
The Silicon Secured Memory feature of SPARC processors adds another security layer through hardware monitoring of software access to memory. By protecting memory, it can prevent invalid operations to application data, effectively blocking malware from exploiting software vulnerabilities such as buffer overflows. This SPARC feature is faster than traditional software-based detection tools and has no impact on performance.
Encryption is built in to ZFS and SDN networking, and data is protected whether in motion or at rest. The operating system is integrated with Oracle Key Manager to secure all your keys in one place.
In summary, Oracle hardware and software technologies provide full capabilities to encrypt everything, everywhere, all the time. On Oracle Solaris systems, data protection and encryption security can be activated by default without requiring additional hardware investment.
In Oracle systems, security is part of the design, "built in, not bolted on." Security-in-depth enables companies to quickly meet their security compliance requirements. At the same time, performance is not sacrificed in favor of security. Businesses that use Oracle Solaris systems benefit equally from both at the same time.