Because high-availability and fault-tolerant systems need strong security
Previously, in the #5 entry, we discussed how to strengthen access management using Role-based Access Control (RBAC). RBAC was about managing users’ access rights—now let’s take the discussion a step further and talk about securing NonStop system resource objects, such as volumes, subvolumes, files, devices, subdevices, processes and subprocesses. How to protect those objects takes us to the #4 item in our Top 10 List:
#4: Dynamically secure all NonStop system resource objects
Safeguard provides the ability to tightly restrict access to Guardian operating system objects, but can become a major management challenge to administer. OSS operating system objects can be secured with standard UNIX “rwx” security or with POSIX ACLs, but these approaches also create a lot of management overhead, have significant shortcomings and do not result in a totally secure system.
To fully secure NonStop system resource objects and reduce administrative workload, we recommend these steps:
1. Use wildcarding to reduce the number of ACLs needed and proactively protect objects. Rather than trying to manage with static, reactive Safeguard mechanisms, use dynamic rules with wildcarding that can vary based on the characteristics of each access attempt. Wildcarding greatly increases the flexibility of ACL rules and reduces the number of ACL rules needed.
Third-party solutions, like XYGATE Object Security (XOS), can deliver this type of wildcarding and dynamic rule functionality. XOS provides grouped object access records that contain wildcard security rule specifications which are applied consistently to objects in the group. Importantly, the security rules apply even to objects that may not yet even exist when you set your security policy—thus enabling the proactive protection of new objects (as opposed to retroactively applying security rules to objects after they’ve been created).
One North American credit card company manages their entire network of HPE NonStop servers with XOS with less than 300 XOS access control rules. Previously, when using Safeguard, over a million Safeguard ACLs were required.
2. Secure objects with any object attribute. Traditional security ACLs are applied against objects based on the object name alone. This is a limiting approach and ignores many other factors of an object that may be relevant to applying security, such as object age or object type. However, third-party solutions like XOS allow for objects to be secured not only by name, but by any other object attribute (alone or in conjunction with others). For example, using XOS, authorization to purge saveabend files could be given to users based on multiple criteria (OBJECT name, OBJECT age, and OBJECT type). A similar rule using Safeguard, Guardian, or OSS would not be possible or practical. With this approach, a single XOS rule can take the place of tens, hundreds, and even thousands of Safeguard ACLs.
3. Use the OSS SEEP to increase security protection for OSS. As of February 2013, with the H06.26/J06.15 release of the NonStop operating system, HPE now includes a Security Event Exit Process (SEEP) within the OSS environment. The OSS SEEP can be used by third-party solutions, like XOS, to provide NonStop OSS security that is more flexible and granular than previously available. Now, OSS subsystems can take advantage of the same levels of security and configurability that have been used for many years on the Guardian subsystem. In fact, with XOS, Guardian and OSS object security can be maintained together in a single file.
While we’re on OSS, let’s quickly talk about auditing. OSS object access auditing can be done in Safeguard if “audit-client-oss” is turned on. However, that Safeguard function is unnecessarily broad (it’s really an all or nothing type of capability) and using it creates a massive amount of audit data—access to all OSS objects is audited. A better option is to use a third-party solution, such as XOS, that allows for very granular auditing of OSS object access.
4. Unify NonStop security management across different nodes and operating systems. Effectively maintaining common security rules across homogeneous production systems is very important but can be very difficult to manage with just Safeguard. Maintaining consistency using Safeguard requires keeping ACLs consistent across every node and the same ACL change must be made separately to every node. Furthermore, with Safeguard there is no good way to make sure that the ACLs across nodes are consistent. However, with a NonStop security solution like XOS, all the rules are in a single file; that file can be easily maintained on one node and then moved to all the other nodes when a change is required. Also, if a new node is brought up, instead of having to create thousands of Safeguard ACLs to properly secure the new node, the single XOS file can be installed and the new node is instantly (and consistently) protected.
It’s worth emphasizing the need for unified security management in NonStop. To properly secure the NonStop system without a third-party solution, security admins have to deal with Guardian file security, Safeguard ACLs, OSS standard security, and OSS POSIX ACLs—that’s a lot of complexity to manage and increases costs and security risks. On the other hand, with solutions like XOS, security admins can secure both Guardian and OSS from a single point.
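The idea behind steps 1 and 2, as an added Python sketch (this is not XOS rule syntax or XYPRO code): one wildcard rule combined with object type and age decides a purge request, with default deny for anything no rule covers. The user names, object names, type label and the 30-day threshold are constructed for illustration.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional

@dataclass(frozen=True)
class AccessRequest:
    user: str            # constructed Guardian-style GROUP.USER name
    operation: str       # e.g. "READ", "PURGE"
    obj_name: str        # constructed Guardian-style $VOLUME.SUBVOL.FILE name
    obj_type: str        # illustrative type label, not a real file code
    obj_age_days: int    # days since the object was created

@dataclass(frozen=True)
class Rule:
    name_pattern: str                # wildcard over the full object name
    operation: str
    users: frozenset
    obj_type: Optional[str] = None   # None means "any type"
    min_age_days: int = 0
    allow: bool = True

    def matches(self, req: AccessRequest) -> bool:
        # Every attribute must agree; the name alone is never enough.
        return (fnmatchcase(req.obj_name, self.name_pattern)
                and req.operation == self.operation
                and req.user in self.users
                and (self.obj_type is None or req.obj_type == self.obj_type)
                and req.obj_age_days >= self.min_age_days)

# One rule covers saveabend-style files on every volume and subvolume,
# including volumes that do not exist yet when the policy is written.
RULES = [
    Rule("$*.*.ZZSA*", "PURGE", frozenset({"OPS.ALICE"}),
         obj_type="SAVEABEND", min_age_days=30),
]

def authorize(req: AccessRequest, rules=RULES) -> bool:
    """First matching rule wins; anything unmatched is denied."""
    for rule in rules:
        if rule.matches(req):
            return rule.allow
    return False

if __name__ == "__main__":
    old_dump = AccessRequest("OPS.ALICE", "PURGE", "$DATA1.APPDUMP.ZZSA0001", "SAVEABEND", 45)
    print("purge allowed:", authorize(old_dump))
```

Because evaluation happens per access attempt, the same rule yields different answers as an object ages, which a static name-only ACL cannot express.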
So, that’s #4: Dynamically secure all NonStop system objects. Obviously, resource objects are key parts of your NonStop system and must be fully secured. While Safeguard provides some capabilities to do this, a best practice approach is to use a third-party tool that enables rule flexibility, expands security attributes and provides strong security to not just the Guardian subsystem but OSS, as well.
For more information or help: More in-depth information and guidance on these security subjects are available in XYPRO’s NonStop security handbooks: HPE NonStop Server Security: A Practical Handbook and Securing HPE NonStop Servers in an Open Systems World: TCP/IP, OSS and SQL.
You may also contact XYPRO for assistance. For over 30 years, XYPRO has provided NonStop security solutions and services that help companies protect their NonStop systems and comply with industry regulations (such as PCI DSS, HIPAA, and SOX).