By user12611852 on Apr 15, 2013
Recently, one of our good U.S. DoD customers purchased a SPARC SuperCluster system and received their "Interim Authority to Operate" on the DoD network. Why is this a big deal? First, allow me provide an overview of the SPARC SuperCluster system.
SPARC SuperCluster is a relatively new engineered system from Oracle consisting of:
- 2-4 SPARC T4-4 computing nodes
- 3-6 Exadata storage servers
- 60 TB ZFS Storage Appliance
- Infiniband networking switches connecting it all together
- Solaris 11 and Oracle VM for SPARC to provide OS and virtualization layer
- Oracle Database 11gR2
- All installed, cabled and configured in a single rack.
This engineered system is designed to provide extremely high performance on database and applications while also reducing "time to mission" and cost of operations. Because it is engineered in the factory by Oracle, it reduces the amount of vendor finger pointing, tuning, integration and incompatibilities. It is also 100% compatible with Solaris/SPARC applications written for Solaris 11, 10, 9 and 8.
Getting the authority to operate on a DoD network means that our customer showed to their security auditors that they can properly and securely operate this large, complex, virtualized super-server in compliance with DoD standards.
To my knowledge, this is the first instance of Solaris 11 being accredited in the US DoD. As readers of my blog may know, the Defense Information Systems Agency (DISA) creates Security Technical Implementation Guides (STIGs) for various products and technologies. You can find the Solaris 10 STIG documents at the DISA site, for example. There is currently no DISA STIG document written for Solaris 11 although I am working to create one with DISA. Because they are going through a lengthy transition from scripted compliance auditing to SCAP based auditing, the STIG for Solaris 11 is being re-written from scratch using their new Security Resource Guide for Operating systems as a baseline requirement. Watch this site for updates on the Solaris 11 STIG process.
If there is no STIG for Solaris 11, how did this customer complete their accreditation? DISA's guidance has alway's been, "In the absence of a DISA provided STIG, the customer may use vendor or industry recommended security practices." There are several resources publicly available for Solaris 11 and the SPARC SuperCluster:
- Solaris Security guide in the standard Oracle documentation
- Center for Internet Security Solaris 11 benchmark
- White paper on SPARC SuperCluster and STIG implementation
- White paper on SPARC SuperCluster security principles
- Best practices for deploying SPARC Supercluster
- Secure Database Consolidation on SPARC SuperCluster
In addition, with the help of my colleague, Kevin Rohan, I have been able to provide customers with two additional resources:
- A spreadsheet mapping the current Solaris 10 STIG to Solaris 11 features
- A set of scripts that can be used to configure the most common security settings. This tool take advantage of advance Solaris 11 features such as alternate boot environments, Image Packaging System (IPS) and System Management Facility (SMF).
These tools are available from the Oracle DoD hardware sales team and not publicly posted at this time.
To summarize, I would like to remind our customers that:
- A DISA STIG is not required to complete accreditation.
- Solaris 11 and the SPARC SuperCluster has received an IATO from the DoD
- Other DoD customers have received accreditation for Exadata, Exalogic and Database Appliance engineered systems
- Oracle can provide support to help you complete accreditation for SuperCluster, Exadata, Exalogic and Oracle Database Appliance.
- Oracle's Engineered systems can help you reduce costs, speed time to mission and simply your operations.
Please contact me: jim dot laurent at oracle dot com for additional information.