To protect application data, workloads, and the underlying infrastructure where it runs, MiniCluster offers comprehensive yet flexible access control capabilities for both users and administrators. MiniCluster leverages Oracle Solaris for a variety of access control methods for users and applications accessing system services. While traditional user name and password pairs are still widely used, you can integrate stronger methods of authentication using the Oracle Solaris pluggable authentication modules (PAM) architecture, allowing the use of LDAP, Kerberos, and public key authentication. The MiniCluster compute environment builds on a comprehensive role-based access control (RBAC) facility that allows organizations the flexibility to delegate user and administrative access as needed.
By eliminating the notion of a super-user, the RBAC capability in Oracle Solaris enables separation of duty and supports the notion of administrative roles, authorizations, fine-grained privileges, and rights profiles that collectively are used to assign rights to users and administrators. RBAC is integrated with other core Oracle Solaris services, including the Oracle Solaris Service Management Facility (SMF) and the VMs, to provide a consistent architecture to support all OS–level access control needs. MiniCluster leverages the RBAC capability of Oracle Solaris as a foundation for their access control architecture, allowing organizations to manage, control, and audit OS and virtualization management access from a centralized authority. All critical operations are carried out using a separation-of-duties principle supported by a multi-person authorization workflow. The system requires that two or more people approve every security sensitive operation. Collectively, these capabilities can be used to provide a high degree of assurance for the identity of users and the way critical business operations are handled.
All of the devices in MiniCluster system include the ability to limit network access to services either using architectural methods (for example, network isolation), or by using packet filtering or access control lists to limit communication to, from, and between physical and virtual devices as well as to the services exposed by the system. MiniCluster deploys a secure-by-default posture whereby no network services except Secure Shell (SSH) are enabled to accept inbound network traffic. Other enabled network services listen internally for requests within the Oracle Solaris OS (VM or zone). This ensures that all network services are disabled by default or are set to listen for local system communications only. You can customize this configuration based upon your requirements. MiniCluster is pre-configured with a network and transport layer (stateful) packet filtering using the Oracle Solaris packet filtering feature.