Monday Apr 15, 2013

DoD customer receives authority to operate SparcSupercluster

Recently, one of our good U.S. DoD customers purchased a SPARC SuperCluster system and received their "Interim Authority to Operate" on the DoD network.  Why is this a big deal?  First, allow me provide an overview of the SPARC SuperCluster system.

SPARC SuperCluster is a relatively new engineered system from Oracle consisting of:

This engineered system is designed to provide extremely high performance on database and applications while also reducing "time to mission" and cost of operations.  Because it is engineered in the factory by Oracle, it reduces the amount of vendor finger pointing, tuning, integration and incompatibilities.  It is also 100% compatible with Solaris/SPARC applications written for Solaris 11, 10, 9 and 8.

Getting the authority to operate on a DoD network means that our customer showed to their security auditors that they can properly and securely operate this large, complex, virtualized super-server in compliance with DoD standards. 

To my knowledge, this is the first instance of Solaris 11 being accredited in the US DoD.  As readers of my blog may know, the Defense Information Systems Agency (DISA) creates Security Technical Implementation Guides (STIGs) for various products and technologies.  You can find the Solaris 10 STIG documents at the DISA site, for example.  There is currently no DISA STIG document written for Solaris 11 although I am working to create one with DISA.  Because they are going through a lengthy transition from scripted compliance auditing to SCAP based auditing, the STIG for Solaris 11 is being re-written from scratch using their new Security Resource Guide for Operating systems as a baseline requirement.  Watch this site for updates on the Solaris 11 STIG process.

If there is no STIG for Solaris 11, how did this customer complete their accreditation?  DISA's guidance has alway's been, "In the absence of a DISA provided STIG, the customer may use vendor or industry recommended security practices." There are several resources publicly available for Solaris 11 and the SPARC SuperCluster:

In addition, with the help of my colleague, Kevin Rohan, I have been able to provide customers with two additional resources:

  • A spreadsheet mapping the current Solaris 10 STIG to Solaris 11 features
  • A set of scripts that can be used to configure the most common security settings.  This tool take advantage of advance Solaris 11 features such as alternate boot environments, Image Packaging System (IPS) and System Management Facility (SMF).

These tools are available from the Oracle DoD hardware sales team and not publicly posted at this time.

To summarize, I would like to remind our customers that:

  • A DISA STIG is not required to complete accreditation.
  • Solaris 11 and the SPARC SuperCluster has received an IATO from the DoD  
  • Other DoD customers have received accreditation for Exadata, Exalogic and Database Appliance engineered systems
  • Oracle can provide support to help you complete accreditation for SuperCluster, Exadata, Exalogic and Oracle Database Appliance.
  • Oracle's Engineered systems can help you reduce costs, speed time to mission and simply your operations.

Please contact me: jim dot laurent at oracle dot com for additional information.

Tuesday Sep 11, 2012

Oracle SPARC SuperCluster and US DoD Security guidelines

I've worked in the past to help our government customers understand how best to secure Solaris.  For my customer base that means complying with Security Technical Implementation Guides (STIGs) from the Defense Information Systems Agency (DISA).  I recently worked with a team to apply both the Solaris and Oracle 11gR2 database STIGs to a SPARC SuperCluster.  The results have been published in an Oracle White paper.

The SPARC SuperCluster is a highly available, high performance platform that incorporates:

  • SPARC T4-4 servers
  • Exadata Storage Servers and software
  • ZFS Storage appliance
  • InfiniBand interconnect
  • Flash Cache 
  • Oracle Solaris 11
  • Oracle VM for SPARC
  • Oracle Database 11gR2

It is targeted towards large, mission critical database, middleware and general purpose workloads. 

Using the Oracle Solution Center we configured a SSC applied DoD security guidance and confirmed functionality and performance of the system.  The white paper reviews our findings and includes a number of security recommendations.  In addition, customers can contact me for the itemized spreadsheets with our detailed STIG reports.

Some notes:

  • There is no DISA STIG  documentation for Solaris 11.  Oracle is working to help DISA create one using their new process. As a result, our report follows the Solaris 10 STIG document and applies it to Solaris 11 where applicable.
  • In my conversations over the years with DISA Field Security Office they have repeatedly told me, "The absence of a DISA written STIG should not prevent a product from being used.  Customer may apply vendor or industry security recommendations to receive accreditation."

Thanks to the core team: Kevin Rohan, Gary Jensen and Rich Qualls as well as the staff of the Oracle Solution Center and Glenn Brunette for their help in creating the document.  You should also review SPARC SuperCluster T4-4 Platform Security Principles and Capabilities by Glenn and others in Oracle's Enterprise Solution Group.

About

Jim Laurent is an Oracle Sales consultant based in Reston, Virginia. He supports US DoD customers as part of the North American Public Sector hardware organization. With over 17 years experience at Sun and Oracle, he specializes in Solaris and server technologies. Prior to Oracle, Jim worked 11 years for Gould Computer Systems (later known as Encore).

Search

Archives
« July 2014
SunMonTueWedThuFriSat
  
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
  
       
Today