Solaris 11.4, a secure OS to power your cloud



When I discuss cloud, I often talk about what the cloud should do and not where it runs. First and foremost, the cloud should be secure. The last thing you want, is for your business or agency to be in the news because of yet another cloud security issue. Just ask the experts at IBM X-Force, where they can documented over 1.3 billion records exposed from companies like Verizon, Dow Jones and Accenture. All of this from public cloud sources.

Why is this relative to Solaris, and the 11.4 release? The combination of Solaris and SPARC provides one of the most secure, if not the most secure, platform for your data, and Solaris 11.4 kicks it up a notch, enabling Enterprise wide security. From protecting the data with the ability to encrypt data while in rest and in motion with almost no performance impact, to the ability to provide immutable platforms for public access, and all wrapped around the ability to report and resolve compliance issues at an Enterprise scale.

Security starts with reporting, and in Solaris 11.2  the compliance command was introduced. For more information about this, check out my post here.

This ability is expanded on in 11.4 with an Enterprise Health Check, that identifies potential configuration issues and ensures your systems are setup in a compliant manner.

Compliance Reporting is also enhanced,  with the ability to have compliance results either pushed or pulled to a central location over a secure transport. The ability to graph historical compliance assessment status at the security benchmark and individual check layer is provided via compliance integration with the Oracle Solaris Web Dashboard. With
multinode compliance you can centrally gather a compliance assessment for multiple
instances which can be very beneficial for the development and deployment of
applications where you want to ensure the entire set of instances are compliant and
ready to roll out without needing to individually check each instance.

Oracle Solaris includes technologies that prevent bad actors from establishing a foothold in your datacenter. If they can not  compromise your system, they can not  establish command and control, making it significantly harder to get access to your data. This is done using a few technologies;

Application Sandboxing: With Solaris you can isolate and deploy applications securely with zones, 11.4 introduces sand boxing. This allows the admin to  to isolate and secure independently from each other, isolating data within a Virtual Machine. The Application Sandbox Management tool provides the ability to constrain both privileged and unprivileged applications, even within a single virtualized environment.

Immutable Lifecycle: Now that applications within a virtual machine can be isolated, the admin has the additional ability to make the system immutable. An immutable system can not be changed by the application, or even the root superuser. This ability is expanded in 11.4 to deliver an immutable life-cycle, allowing administrators to easily build and control immutable environments. This allows administrators to tightly control exactly what is installed and running on a system and prevent administrator mistakes. Administrations also have the ability to easily control and change immutability over the lifetime of an application, enabling patching of immutable object…something that can not be done in a docker environment. Solaris also supports the concept on a trusted services, enabling certain services with the specific trust-level needed to make changes to the immutable environment. If any changes need to be made to the immutable system, those changes happen at the next layer down and they are logged for later audit.

Tamper Evident Software: Administrators can rest assured that their Oracle Solaris
systems are protected from the firmware to the applications. Only trusted software is
installed. If software is not signed, it will not install.

Look for some real examples on how to used these new technologies when Solaris 11.4 goes into Open BETA here in the near future. When will 11.4 go to BETA? The closed BETA is just wrapping up with the Open BETA release candidate in testing, so look to be able to download Solaris 11.4 for x64 and SPARC in the very very near future.

Leave a Reply

Your email address will not be published. Required fields are marked *