XYPRO NonStop Security Fundamentals Top 10 List – #4
April 21 2014
Because high-availability and fault-tolerant systems need strong security
Alright, we’ve reached #4 on our list of Top 10 NonStop Security Fundamentals— items #5 to #10 are posted on XYPRO’s website and LinkedIn page.
Previously, in the #5 entry, we discussed how to strengthen access management using Role-based Access Control (RBAC). RBAC was about managing users’ access rights—now let’s take the discussion a step further and talk about securing NonStop system resource objects, such as volumes, subvolumes, files, devices, subdevices, processes and subprocesses. How to protect those objects takes us to the #4 item in our Top 10 List:
#4: Dynamically secure all NonStop system resource objects
Safeguard provides the ability to tightly restrict access to Guardian operating system objects, but can become a major management challenge to administer. OSS operating system objects can be secured with standard UNIX “rwx” security or with POSIX ACLs, but these approaches also create a lot of management overhead, have significant shortcomings and do not result in a totally secure system.
To fully secure NonStop system resource objects and reduce administrative workload, we recommend these steps:
1. Use wildcarding to reduce the number of ACLs needed and proactively protect objects. Rather than trying to manage with static, reactive Safeguard mechanisms, use dynamic rules with wildcarding that can vary based on the characteristics of each access attempt. Wildcarding greatly increases the flexibility of ACL rules and reduces the number of ACL rules needed.
Third-party solutions, like XYGATE Object Security (XOS), can deliver this type of wildcarding and dynamic rule functionality. XOS provides grouped object access records that contain wildcard security rule specifications which are applied consistently to objects in the group. Importantly, the security rules apply even to objects that may not yet even exist when you set your security policy—thus enabling the proactive protection of new objects (as opposed to retroactively applying security rules to objects after they’ve been created).
One North American credit card company manages its entire network of HP NonStop servers with XOS using fewer than 300 XOS access control rules. Previously, when using Safeguard, over a million Safeguard ACLs were required.
2. Secure objects with any object attribute. Traditional security ACLs are applied against objects based on the object name alone. This is a limiting approach and ignores many other factors of an object that may be relevant to applying security, such as object age or object type. However, third-party solutions like XOS allow for objects to be secured not only by name, but by any other object attribute (alone or in conjunction with others). For example, using XOS, authorization to purge saveabend files could be given to users based on multiple criteria (OBJECT name, OBJECT age, and OBJECT type). A similar rule using Safeguard, Guardian, or OSS would not be possible or practical. With this approach, a single XOS rule can take the place of tens, hundreds, and even thousands of Safeguard ACLs.
3. Use the OSS SEEP to increase security protection for OSS. As of February 2013, with the H06.26/J06.15 release of the NonStop operating system, HP now includes a Security Event Exit Process (SEEP) within the OSS environment. The OSS SEEP can be used by third-party solutions, like XOS, to provide NonStop OSS security that is more flexible and granular than previously available. Now, OSS subsystems can take advantage of the same levels of security and configurability that have been used for many years on the Guardian subsystem. In fact, with XOS, Guardian and OSS object security can be maintained together in a single file.
While we’re on OSS, let’s quickly talk about auditing. OSS object access auditing can be done in Safeguard if “audit-client-oss” is turned on. However, that Safeguard function is unnecessarily broad (it’s really an all or nothing type of capability) and using it creates a massive amount of audit data—access to all OSS objects is audited. A better option is to use a third-party solution, such as XOS, that allows for very granular auditing of OSS object access.
4. Unify NonStop security management across different nodes and operating systems. Effectively maintaining common security rules across homogeneous production systems is very important but can be very difficult to manage with just Safeguard. Maintaining consistency using Safeguard requires keeping ACLs consistent across every node, and the same ACL change must be made separately on every node. Furthermore, with Safeguard there is no good way to make sure that the ACLs across nodes are consistent. However, with a NonStop security solution like XOS, all the rules are in a single file; that file can be easily maintained on one node and then moved to all the other nodes when a change is required. Also, if a new node is brought up, instead of having to create thousands of Safeguard ACLs to properly secure the new node, the single XOS file can be installed and the new node is instantly (and consistently) protected.
It’s worth emphasizing the need for unified security management in NonStop. To properly secure the NonStop system without a third-party solution, security admins have to deal with Guardian file security, Safeguard ACLs, OSS standard security, and OSS POSIX ACLs—that’s a lot of complexity to manage and increases costs and security risks. On the other hand, with solutions like XOS, security admins can secure both Guardian and OSS from a single point.
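The ideas in steps 1 and 2 (wildcard rules that cover objects before they exist, and rules keyed on object type and age as well as name) can be modelled in a few lines. This is an added illustration, not XOS rule syntax or XYPRO code; the rule format, the user names, the volume names, the 30-day threshold and the use of file code 130 to stand for saveabend files are all assumptions made for the example.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import FrozenSet, Optional

@dataclass(frozen=True)
class Access:                       # one access attempt, judged when it happens
    user: str
    op: str
    name: str                       # Guardian-style $VOL.SUBVOL.FILE
    file_code: int                  # stands in for "object type"
    age_days: int                   # stands in for "object age"

@dataclass(frozen=True)
class Rule:                         # hypothetical rule record, not a vendor format
    pattern: str
    users: FrozenSet[str]
    ops: FrozenSet[str]
    allow: bool
    file_code: Optional[int] = None     # None means "any type"
    min_age_days: Optional[int] = None  # None means "any age"

def name_matches(pattern: str, name: str) -> bool:
    # Match volume, subvolume and file separately so "*" never spans a "."
    p, n = pattern.upper().split("."), name.upper().split(".")
    return len(p) == len(n) and all(fnmatchcase(x, y) for x, y in zip(n, p))

def rule_applies(r: Rule, a: Access) -> bool:
    return (name_matches(r.pattern, a.name) and a.user in r.users and a.op in r.ops
            and (r.file_code is None or a.file_code == r.file_code)
            and (r.min_age_days is None or a.age_days >= r.min_age_days))

def decide(rules, a: Access) -> bool:
    # First matching rule wins; an attempt that no rule covers is denied.
    return next((r.allow for r in rules if rule_applies(r, a)), False)

# Constructed policy: two rules, hypothetical users and volumes.
RULES = [
    # Purge of saveabend-style files only when type AND age also match.
    Rule("$*.*.ZZSA*", frozenset({"OPS.DUMPMGR"}), frozenset({"PURGE"}), True,
         file_code=130, min_age_days=30),
    # Covers payroll files on any $DATA volume, including ones created later.
    Rule("$DATA*.PAY*.*", frozenset({"PAY.APP"}), frozenset({"READ", "WRITE"}), True),
]

if __name__ == "__main__":
    for a in [Access("OPS.DUMPMGR", "PURGE", "$DATA01.APP.ZZSA0042", 130, 45),
              Access("OPS.DUMPMGR", "PURGE", "$DATA01.APP.ZZSA0042", 130, 3),
              Access("PAY.APP", "WRITE", "$DATA07.PAYNEW.LEDGER", 0, 0)]:
        print(a.name, a.user, a.op, "->", "allow" if decide(RULES, a) else "deny")
```

The third sample attempt targets a file on a volume that no rule names explicitly; the wildcard rule already covers it, which is the proactive behaviour step 1 describes, while anything outside both rules falls through to deny.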
So, that’s #4: Dynamically secure all NonStop system objects. Obviously, resource objects are key parts of your NonStop system and must be fully secured. While Safeguard provides some capabilities to do this, a best practice approach is to use a third-party tool that enables rule flexibility, expands security attributes and provides strong security to not just the Guardian subsystem but OSS, as well.
For more information or help: More in-depth information and guidance on these security subjects are available in XYPRO’s NonStop security handbooks: HP NonStop Server Security: A Practical Handbook and Securing HP NonStop Servers in an Open Systems World: TCP/IP, OSS and SQL.
You may also contact XYPRO for assistance. For over 30 years, XYPRO has provided NonStop security solutions and services that help companies protect their NonStop systems and comply with industry regulations (such as PCI DSS, HIPAA, and SOX).
An Introduction to the SEEP
April 15 2014
Safeguard is a good, solid and sometimes misunderstood subsystem that most NonStop installations rely on to ensure security and stability. Due to the nature of the mission-critical applications that typically run on HP NonStop systems, HP needs to give careful consideration to any change to the subsystem, even to facilitate new technology. Safeguard is as fundamental as DP2, TMF and Enscribe to many of us who depend on our systems to be absolutely 100% available. We simply cannot afford to have something that controls access to our most important data misbehave or fail at a critical moment. While Safeguard provides a solid basis...
Data-Centric Security – Addressing Security Gaps Across the Enterprise
April 15 2014
As we close out 2013, a year that will likely have seen the greatest number of personal data breaches in history, and enter into 2014, with a number of high-profile breaches having already taken place, it seems an opportune time to take a look at the potential for those breaches to impact us in the NonStop environment, and how to reduce our exposures. 2014 brings clear, dramatic challenges to every CEO, CIO, CFO and CISO in every enterprise or retailer: a dramatic rise in sophisticated attacks on IT infrastructure by criminally or nation-state motivated organizations looking to steal sensitive data assets. At the same time, there are more demands from the business to make the right data available to the right people, anytime, anywhere, against a backdrop of complex privacy regulations. This presents opposing forces to the enterprise: to protect data, but also enable its use. Locking up data to protect it is not an option, as this will impede the business. On the other hand, unprotected data will result in data theft. New approaches are needed to achieve a balanced approach to data risk and data access, to grow shareholder value and reduce compliance costs while reducing risk. Those of us who deal with cardholder data now have to consider the additional goals set down by PCI DSS v3.0, including additional system scope, implementing PCI DSS as part of business-as-usual processes, and other guidance for assessors.