Rock Solid Security NonStop Technical Bootcamp San Jose, CA – November 18, 2015

Page 1: Rock Solid Security

NonStop Technical Bootcamp
San Jose, CA – November 18, 2015

Page 2: About Us

• Mission-Critical Security Specialists
• Key XYGATE Software Bundled with all HP Servers
• Global support with more NonStop security depth than any other organization.

Page 3: Agenda

• Object Security 101
• Industry trends in NonStop Security
• Addressing Safeguard limitations – real world examples
• Simple solutions to complex problems
• Open forum, time permitting.

Page 4: Traditional User Grouping

• NonStop users are identified by the combination of:
  a. A Group (Support, Development, Security, Application, Super, etc.)
  b. A User (First Name, Last Name, Employee Number, Manager)
• NonStop aliases are identified by:
  a. A relationship/link to a Group and a User (Support.Manager)
  b. A name (First Name, Last Name, Employee Number, Manager)

Page 5: Traditional Object Security

• NonStop Objects are identified by the combination of:
  a. A name (up to 8 characters)
  b. A type (File, Subvolume, Volume, Process, Device, etc.)
• NonStop Objects are secured by the combination of:
  a. The object name (up to 8 characters)
  b. An Access Control List (ACL) – R,W,E,P,C,O (DENY)

Page 6: User to Object – Security Vector

User            FILE    SUBVOLUME   PROCESS
APPL JOE        R,E     R,W,C       R,W,E,P,C,O
SUPPORT MARY    R,E     R,W,C       R,W,E,P,C,O
DEV MANAGER     R,E     R,W,C       R,W,E,P,C,O
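The user, alias and ACL model of pages 4 to 6 is easier to reason about when it can be executed. The Python below is an added example written for this transcript; it is not code from the presentation or from any XYGATE product. The object names (ACCTS, CONFIG, $APPSRV, AUDITLOG), the alias joe.smith and the ACL entries are constructed for the example, and two evaluation choices are modelling assumptions rather than a statement of Safeguard's exact semantics: a DENY entry removes access granted by any other matching entry, and a subject with no matching entry gets no access at all.

```python
"""Toy model of the GROUP.USER identity, alias and ACL vector described on
pages 4-6. Constructed illustration; not Safeguard's evaluation logic, and
every object, user and alias name below is made up for the example."""
from dataclasses import dataclass, field

PERMS = frozenset("RWEPCO")  # Read, Write, Execute, Purge, Create, Own


@dataclass(frozen=True)
class Principal:
    """A NonStop user is the combination GROUP.USER (page 4)."""
    group: str
    user: str


@dataclass(frozen=True)
class AclEntry:
    subject: str        # "GROUP.USER", or "GROUP.*" for every user in the group
    perms: frozenset    # subset of PERMS
    deny: bool = False  # a DENY entry removes the letters instead of granting them


@dataclass
class SecuredObject:
    """An object is identified by a name of up to 8 characters and a type (page 5)."""
    name: str
    otype: str          # FILE, SUBVOLUME, VOLUME, PROCESS, DEVICE ...
    acl: list = field(default_factory=list)

    def __post_init__(self):
        if not 1 <= len(self.name.lstrip("$")) <= 8:
            raise ValueError(f"object name must be 1-8 characters: {self.name!r}")
        for entry in self.acl:
            if not entry.perms <= PERMS:
                raise ValueError(f"unknown permission letters in {entry}")


# An alias links a name to an existing GROUP.USER (page 4); constructed mapping.
ALIASES = {"joe.smith": Principal("APPL", "JOE")}


def resolve(subject: str) -> Principal:
    """Turn an alias or a GROUP.USER string into the underlying principal."""
    if subject in ALIASES:
        return ALIASES[subject]
    group, user = subject.upper().split(".", 1)
    return Principal(group, user)


def _matches(entry: AclEntry, p: Principal) -> bool:
    group, user = entry.subject.upper().split(".", 1)
    return group == p.group and user in ("*", p.user)


def effective_access(subject: str, obj: SecuredObject) -> frozenset:
    """Union of the matching grants minus the matching DENYs. A subject that
    matches no entry gets nothing, and a DENY always beats a grant
    (modelling assumptions, see the lead-in)."""
    p = resolve(subject)
    granted, denied = set(), set()
    for entry in obj.acl:
        if _matches(entry, p):
            (denied if entry.deny else granted).update(entry.perms)
    return frozenset(granted - denied)


def security_vector(subjects, objects):
    """Rebuild the page 6 matrix: {subject: {object type: access letters}}."""
    return {s: {o.otype: "".join(sorted(effective_access(s, o), key="RWEPCO".index))
                for o in objects} for s in subjects}


# Constructed objects reproducing the page 6 vector for the three users.
EVERYONE = ["APPL.*", "SUPPORT.*", "DEV.*"]
FILE = SecuredObject("ACCTS", "FILE", [AclEntry(s, frozenset("RE")) for s in EVERYONE])
SUBVOL = SecuredObject("CONFIG", "SUBVOLUME", [AclEntry(s, frozenset("RWC")) for s in EVERYONE])
PROC = SecuredObject("$APPSRV", "PROCESS", [AclEntry(s, PERMS) for s in EVERYONE])
# One more object showing a DENY entry overriding the group-wide grant.
AUDITLOG = SecuredObject("AUDITLOG", "FILE", [
    AclEntry("DEV.*", frozenset("RW")),
    AclEntry("DEV.MANAGER", frozenset("W"), deny=True),
])

if __name__ == "__main__":
    users = ["APPL.JOE", "SUPPORT.MARY", "DEV.MANAGER"]
    for subj, row in security_vector(users, [FILE, SUBVOL, PROC]).items():
        print(f"{subj:14} {row}")
    print("DEV.MANAGER on AUDITLOG:", sorted(effective_access("DEV.MANAGER", AUDITLOG)))
    print("DEV.ALICE   on AUDITLOG:", sorted(effective_access("DEV.ALICE", AUDITLOG)))
```

Run directly, the script prints the three identical rows of the page 6 table, then shows that the alias joe.smith inherits APPL.JOE's rights and that the DENY entry on AUDITLOG strips W from DEV.MANAGER while DEV.ALICE keeps R,W. The per-object ACL lists are the point to notice: every object carries its own entries, which is what the later case studies count in the hundreds of thousands.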

Page 7: More Typical Safeguard ACLs

Page 8: Safeguard Security is “Good” but…

• Is complex
• Is syntax intensive
• Is not intuitive
• Has limitations

Page 9: GUI Solutions Help Safeguard Management

• Graphical, easy-to-use and intuitive
• Eliminate syntax and errors
• Can manage multiple systems
• Have extended functionality
• Provide extensive reporting
• Manage both Users and Objects

Page 10: GUI Managers are “Better” but…

• Are still limited to native security

Page 11: The Economics of Safeguard Alone

Chart: NonStop Security Supply and Demand (x-axis 1990–2015, y-axis 0–3500) plotting three series: Security Needs, Available Resources, Safeguard Capabilities.

Page 12: A few Safeguard limitations

• 7.1.2 Restrict access to privileged user IDs to least privileges necessary to perform job responsibilities
• 7.2 Establish an access control system for systems components that restricts access based on a user’s need to know, and is set to “deny all” unless specifically allowed
• 8.1.6 Limit repeated access attempts by locking out the user ID after not more than six attempts

Page 13: Credit Card Company – Real World Case

• Challenge
  • Manageability of more than 1,000,000 Safeguard ACLs across 24 NonStop servers
• Problem
  • Insufficient staff and knowledge to maintain security levels efficiently
• Solution
  • XYGATE Object Security (XOS)
  • 1,000,000 ACLs replaced by 300 XOS rules

Page 14: Brokerage Firm – Real World Case

• Challenge
  • Meet corporate security policy to deny write access by developers on production systems
• Problem
  • To enable “Deny”, Safeguard requires ACLs (several thousand in this case). There is no default “Deny All” functionality in Safeguard
• Solution
  • XYGATE Object Security (XOS)
  • 1 XOS rule

Page 15: Payments Processor – Real World Case

• Challenge
  • Guarantee all non-application SQL DB access is audited to original user
• Problem
  • Safeguard cannot differentiate between application access and user access
  • Safeguard can only secure SQL/MP to the Subvolume level
  • Safeguard can only secure based on the name of the subvolume
• Solution
  • XYGATE Object Security (XOS)
  • 2 XOS rules (1 to provide application access to SQL DB, 1 to enforce user keystroke audited process when accessing SQL DB)

Page 16: Top 5 US Bank – Real World Case

• Challenge:
  • Secure millions of OSS objects, audit OSS user activity and have a common security model for both Safeguard and OSS
• Problem:
  • Overwhelming and unattainable with POSIX and OSS ACLs
  • OSS Audit insufficient and impractical
  • Safeguard and OSS security are vastly different
• Solution:
  • XYGATE Object Security (XOS)
  • XOS rules for both OSS and Safeguard

Page 17: XYGATE Object Security (XOS)

• Rules-based object security. A single rule can replace an unlimited number of Safeguard ACLs.
• Security decision is applied at the time of the access request. Security dynamically adjusts as the environment changes.
• Object security vector can include multiple object attributes: name, requesting object, file code, age, etc.
• Same benefits exist for both Guardian and OSS objects.
• Relied on for securing many of the world’s largest (as well as smaller) NonStop customers.

Page 18: XYGATE Object Security (XOS)

• Concerns?
  • Can be implemented without risk and phased in over time
  • Complete warning mode and what-if/explain functionality
  • Supports “Deny All” default setting
  • Does not supersede Safeguard
  • Availability is as reliable as your NonStop
  • Changes/updates are instantaneous
  • No cold load required
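Pages 14, 15, 17 and 18 describe the properties that let one rule stand in for thousands of per-object ACLs: the decision is taken at access time, it can use object attributes beyond the name (requesting program, file code, age), there is a "Deny All" default, and a warning mode reports what would be denied and why. The Python below is an added example written for this transcript to make those properties concrete; it is not XOS code and says nothing about XOS's real rule syntax. The rule fields, the rule names, the program names $APPSRV and $AUDSHL, the file-code and age thresholds and the 3,000 production object names are all constructed for the example, and "first matching rule wins" is this example's evaluation order, not a claim about the product.

```python
"""Toy rules-based object security engine for the properties on pages 14, 15,
17 and 18: one rule in place of many per-object ACLs, a decision taken at
access time from several object attributes, a "Deny All" default, and a
warning mode with an explain trace. Constructed example: not XOS code; the
rule fields, names, programs and thresholds are invented for illustration."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional


@dataclass(frozen=True)
class AccessRequest:
    subject: str          # GROUP.USER making the request
    object_name: str      # e.g. "$PROD.ACCTS.LEDGER"
    action: str           # one of R W E P C O
    program: str = ""     # requesting program; empty for a direct, interactive access
    file_code: int = 0    # file code attribute of the object
    age_days: int = 0     # age of the object when the request is made


@dataclass(frozen=True)
class Rule:
    name: str
    effect: str                          # "ALLOW" or "DENY"
    actions: str = "RWEPCO"              # access letters the rule covers
    subject: str = "*.*"                 # glob on GROUP.USER
    object_pattern: str = "*"            # glob on the object name
    program: str = "*"                   # glob on the requesting program
    min_file_code: Optional[int] = None  # extra object attributes (page 17)
    min_age_days: Optional[int] = None

    def matches(self, req: AccessRequest) -> bool:
        return (req.action in self.actions
                and fnmatchcase(req.subject.upper(), self.subject.upper())
                and fnmatchcase(req.object_name.upper(), self.object_pattern.upper())
                and fnmatchcase(req.program.upper(), self.program.upper())
                and (self.min_file_code is None or req.file_code >= self.min_file_code)
                and (self.min_age_days is None or req.age_days >= self.min_age_days))


@dataclass
class Decision:
    allowed: bool
    effect: str            # what the rule set decided, before warning mode is applied
    rule: Optional[str]    # deciding rule, None when the default setting applied
    explain: List[str]     # what-if/explain trace


class RuleEngine:
    """First matching rule wins (this example's order). Each request is evaluated
    afresh, so a changed attribute changes the answer without any ACL edits."""

    def __init__(self, rules, deny_all_default=True, warning_mode=False):
        self.rules = list(rules)
        self.deny_all_default = deny_all_default   # page 18: "Deny All" default
        self.warning_mode = warning_mode           # page 18: report, do not block

    def decide(self, req: AccessRequest) -> Decision:
        trace = []
        for rule in self.rules:
            if rule.matches(req):
                trace.append(f"matched {rule.name} -> {rule.effect}")
                effect, name = rule.effect, rule.name
                break
            trace.append(f"skipped {rule.name}")
        else:
            effect = "DENY" if self.deny_all_default else "ALLOW"
            name = None
            trace.append(f"no rule matched -> default {effect}")
        allowed = effect == "ALLOW"
        if not allowed and self.warning_mode:
            trace.append("warning mode: DENY recorded, access granted")
            allowed = True
        return Decision(allowed, effect, name, trace)


RULES = [
    # Page 14: one rule denies developers every write-type access on production.
    Rule("no-dev-prod-write", "DENY", actions="WPCO", subject="DEV.*", object_pattern="$PROD.*"),
    # Page 15: the application reaches the SQL database through its server program...
    Rule("app-sql-access", "ALLOW", subject="APPL.*", object_pattern="$PROD.SQLDB.*",
         program="$APPSRV"),
    # ...and anyone else only through a keystroke-audited shell (constructed name).
    Rule("audited-user-sql", "ALLOW", object_pattern="$PROD.SQLDB.*", program="$AUDSHL"),
    # Page 17: attributes in the vector - support reads objects with file code 100 or
    # above once they are at least 30 days old (constructed thresholds).
    Rule("support-read-aged", "ALLOW", actions="R", subject="SUPPORT.*",
         object_pattern="$PROD.*", min_file_code=100, min_age_days=30),
    Rule("dev-prod-read", "ALLOW", actions="RE", subject="DEV.*", object_pattern="$PROD.*"),
]
ENGINE = RuleEngine(RULES)

# 3,000 constructed production object names standing in for per-object ACLs (page 14).
PROD_OBJECTS = [f"$PROD.SV{i:03d}.F{j:02d}" for i in range(60) for j in range(50)]


def decided_by(engine: RuleEngine, rule_name: str, requests) -> int:
    """How many of the requests the named rule settles: the 'ACLs replaced' count."""
    return sum(1 for r in requests if engine.decide(r).rule == rule_name)


if __name__ == "__main__":
    d = ENGINE.decide(AccessRequest("DEV.BOB", "$PROD.ACCTS.LEDGER", "W"))
    print(d.effect, d.rule, "\n  " + "\n  ".join(d.explain))
    writes = [AccessRequest("DEV.BOB", n, "W") for n in PROD_OBJECTS]
    print(f"{decided_by(ENGINE, 'no-dev-prod-write', writes)} objects covered by one rule")
```

The two constructor switches are the ones a phased rollout turns: start with `warning_mode=True` so every would-be DENY is only recorded with its explain trace, then enforce; and keep `deny_all_default=False` (fall through to whatever the native security allows) until the rule set is known to be complete, then flip it to the "Deny All" default. Rule order matters in this model: the developer write DENY sits first, so a developer going through the audited shell is still refused a write.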

Page 19: XYGATE OS is simply the “Best” security solution for today, and tomorrow.