Wednesday, December 3, 2014

The new HP NonStop – I want an X box for Christmas!

There’s been a lot of buzz, starting with NonStop Technical Boot Camp (TBC) last year, then through 2014, culminating with the HP Discover event currently being held in Barcelona, about the new x86-based NonStop server line.  At the NonStop TBC last month we heard that the new line of servers would be called “HP Integrity NonStop X”, and just today we’ve seen confirmation from HP that these machines should be available in March of 2015. Exciting times indeed!

The introduction of the NonStop X range removes the last vestiges of proprietary NonStop hardware from the architecture, while maintaining the NonStop fundamentals (availability, scalability, fault tolerance) that we’ve come to expect from the platform.  NonStop X will support Infiniband, which replaces ServerNet as the platform’s interconnect fabric.  This move should see the platform’s costs continue to decrease, while taking advantage of the greatly increased throughput that Infiniband provides.

At HP Discover this week, Randy Meyer, Vice President and General Manager of Integrity Servers, expanded on this thought - “With NonStop X, moving the interconnect to InfiniBand is a huge deal, because of the fact that it’s all standard,” says Meyer. “NonStop runs on completely off-the-shelf hardware; there’s no proprietary hardware in there.  And it means you can connect other kinds of applications, running on Linux or Windows, more seamlessly in a NonStop environment… Now you can have your NonStop infrastructure handling payments, reservations, trading, whatever it may be, and surround it with maybe a mobile phone handling system, or a fraud management system, and have this huge flexibility.”

Here at XYPRO, we’re enthusiastically adopting this new platform. We’ve been involved in beta testing our products with HP, and we will have “X certified” versions of our software available both through HP, and to our customers directly, when the new platform becomes available in March.

If you have any questions about XYPRO products and NonStop X, please contact your sales or support representative.

Andrew Price
VP Technology
andrew_p@xypro.com

Monday, November 24, 2014

NonStop Technical Boot Camp 2014 – The (New, More Secure!!) Way To San Jose

We’ve just returned from this year’s NonStop Technical Boot Camp – what a whirlwind!  Held for the first time at the Dolce Hayes Mansion, in the suburbs of San Jose, it drew a record number of attendees and was a vibrant and energetic conference.  We had a busy time, with lots of great customer interaction, both on the tradeshow floor and during the evening events.  The continued and increasing focus on security was clearly evident, from the number of security vendors exhibiting to the large number of sessions (both customer and vendor) discussing security, data breaches and the various challenges related to those issues.  Speaking of which, XYPRO had folks involved in 9 (!) different sessions during the 3½ days:

During the pre-conference sessions on Sunday, attendees got to experience a deep dive on a variety of different topics. Rob Lesan and Terence Spies (from Voltage) covered strategies for security in today’s payments landscapes, where breaches are becoming so commonplace. The workshop spanned magnetic stripe technology right through to Apple Pay, and covered cryptographic developments and tokenization evolution, and was a valuable session for anyone wanting to learn more about these important technologies. They also had a case study on implementing tokenization in a real-world payments application, based on our recent experiences.

Then after lunch, Lee Evans, recently from Wells Fargo, and the newest addition to the XYPRO team, took an in-depth look at XYGATE Object Security, and how the powerful combination of XOS and the two authorization SEEPs help to improve NonStop security through a range of advanced options that apply across the entire NonStop environment. Lee’s very recent customer experience with XOS gives him a unique and very relatable perspective on this topic, and it was well received.

For our final pre-conference session of the day, Rob Lesan (who had a very busy conference pulling double duty as the Connect Vice President!) covered our partner database solution from Merlon, SQLXpress. Attendees learned how our many customers deploy SQLXpress to comprehensively secure, and greatly simplify the management of, their SQL/MP and SQL/MX databases.

On to the conference proper…with HP Distinguished Technologist Wendy Bartlett, and comForte’s Thomas Burg, we presented at the security-focused opening general session on Tuesday. We covered the XYPRO security solutions that are included with the NonStop Security Bundle, letting customers know the best ways to get their systems secured using these “built-in” tools.

The first of several joint presentations with Mark Bower from Voltage covered data-centric security and its importance in NonStop ecosystems.  During this session on Monday morning attendees heard a summary of data-centric security, its applicability to payments applications and other typical NonStop deployments, and how a data-centric approach can prevent gaps in data protection across the enterprise. Then on Wednesday we took a closer look at Voltage SecureData and XYGATE Data Protection (XDP), two products that work together on NonStop to implement data-centric security with no application changes required.  We got great feedback on both sessions, with the data-centric security approach resonating well with audiences.

On Monday afternoon, Rob Lesan put his superior presentation skills and direct experience to work explaining the database management services we provide, and the database tools we use to deliver those services, including Discover, MARS and SQLXpress.

On Tuesday morning, we took a slightly different approach to the typical vendor track presentation.  In a follow-up to a popular ten-part blog series that Ken Scudder has published over the last couple of months, “HP NonStop Security: The Top 10 Things You Need to Know” we covered the highest priority things NonStop users should do to better protect their NonStop servers. We surprised the audience by having 10 different members of our sales and professional services team present, with each of them giving their own distinct spin on their specific topic.  A highlight was our AP Sales Manager, Feng Lin, greeting the audience in at least 6 different languages from his region!

On Wednesday audiences were treated to our Chief Architect, Scott Uroff, helping to present a customer-centric view of our two products that are included in the HP NonStop security bundle on all new NonStop servers: XYGATE Merged Audit and XYGATE User Authentication. This session, based on input from TELUS in Canada, showed how they use these solutions to get a handle on their audit data and simplify their user authentication—conveniently with products bundled with the NonStop OS!

All this, along with early starts on the trade show floor, combined with evening festivities, meant that we had 18 very tired XYPRO conference attendees by the time the show closed around midday on Wednesday.  I suspect we weren’t the only ones!  Still, a fantastic conference, and we’re already looking forward to doing it all again next year, wherever in San Jose it happens to be.

Monday, September 22, 2014

Breaching Bad and the Cost of Incident Response

Last month, we explored data breaches involving memory scraping - how payment card information can get into the hands of thieves by siphoning off unencrypted data directly from system memory of the POS system. Since then, several widely publicized breaches hit the news, and speculation is that they were all victims of this same type of memory scraping malware. Because of this, I’ve been issued a slew of new credit cards and have to go through the joy of having to check my credit reports weekly – and I know I’m not alone there. Thanks a lot!

But what if you, as the administrator, did the due diligence, changed your default credentials, implemented two factor authentication, enabled account lockout settings and you were still breached?  What happened?  The likely culprit is an Advanced Persistent Threat, or APT, that’s what.  APTs are a set of stealthy, continuous hacking processes executed by a group or organization with a lot of patience.  They know what they’re targeting, they’ll take their time to do it right, and they’ll be nearly impossible to detect.  As the old saying goes, we as security professionals need to be right 100% of the time; the attacker only needs to be right once.

APTs demonstrate that the security landscape is changing quickly.  The approach of focusing efforts and security budgets strictly on a “defense first” strategy is no longer sustainable.  Determined attackers will keep coming and keep coming until they get what they’re looking for.  So what do you do?

Detection goes a long way toward putting a defensible barrier between you and the attack, and toward giving you the security intelligence needed to take the next steps.  XYPRO tools like Merged Audit and Compliance PRO help you achieve that level of security on the HP NonStop server.  XYPRO’s Top 10 list entry on NonStop Security Monitoring takes a deeper dive into the techniques and best practices for accomplishing this.

At the BlackHat USA conference in August, nearly all the sessions were focused on offense and attacks.  From hacking a hotel’s network to hacking mobile phones to USB devices, offense was the name of the game.  So it was quite a pleasant change of pace to hear famed cryptographer and security expert Bruce Schneier taking time to discuss something we aren’t always thinking about, likely because we’re hoping to never get there – Incident Response.

Incident response is something we all know we need to be prepared to do, but why is there so little effort put into it?  Take a look at the cyber security market.  We’re inundated with defense and detection products.  We spend billions of dollars per year to protect against attacks, but give little thought about what would happen if that expensive hardware with the flashy lights fails to do what we paid it to do.

Response products and budgets are not growing at anywhere near the same pace.  Schneier indicated this is because of the way people assume response works.  Defense and detection can be mostly accomplished with intelligent software and expensive hardware, whereas incident response is more people-centric and less automated.

A proper security program needs to consider both areas.  Defense and response need to work together to detect the breach, limit your exposure, protect you and your customers’ assets and protect your brand.  These seem like huge reasons to focus efforts on incident response, but we still see very slow and uncoordinated execution in response to a breach.

A report put out earlier this year by the Ponemon Institute outlined that half of the 674 IT and security professionals surveyed indicated that less than 10% of their security budget is dedicated to incident response and that budget has not increased in the past two years, even though the cost of data breaches keeps increasing.  The same report indicated that the average cost of a data breach to a company is $3.5 million (US) and that’s up 15% from last year.

In a world where cloud computing is becoming the norm, we have less control of our data and IT infrastructure than we ever have, which makes planning for incident response all the more necessary.  Attackers are becoming more sophisticated and organized, even being sponsored by nation-states.  Schneier indicated “We have to bring people, process and technology together in a way that hasn't been done before to protect and respond against these types of attacks.”

Focusing on incident response is no longer just a bridge to “cross if you get there”, and pointing out data breach costs can help executives make the case that a strong security posture that includes proper incident response results in a financially stronger company.

Next month, we’ll take a deeper dive into how to prepare your incident response plan, not for “if it happens”, but unfortunately for “when it happens”.

Steve Tcherchian, CISSP
XYPRO Technology

Monday, August 25, 2014

BlackHat 2014 Part 1: Memory Scraping - That’s Gonna Leave a Mark

Over 8,000 security professionals and enthusiasts gathered in Las Vegas this month for a very successful BlackHat 2014 US Conference. Deemed one of the top security conferences of the year, researchers, federal agencies, security firms, critical infrastructure, foreign governments and just plain old hackers met to discuss and demonstrate the threats we're all currently facing and the outlook of the cyber-security landscape.

You’re never more than a few steps away from a sign reminding you you’re at a security conference, and due to the “exploratory” nature of (some) of our fellow attendees, you're warned to keep your Wi-Fi & Bluetooth disabled and other communications devices off unless you really want to cause yourself some grief. Story after story about phones being wiped or hijacked could be heard walking down the hallways. Some people consider it fun, others are unsuspecting while others are simply gluttons for punishment. I wasn’t taking any chances, especially after seeing some of the demonstrations of what’s capable first hand. My devices were off. If you need to get a hold of me, grab a pen and a pad of paper!

Here a Breach, There a Breach...
We're all well aware of the weekly (sometimes daily) breach reports of payment card data, and there was no shortage of discussion of these topics at BlackHat. 2 million account numbers here, 80 million PANs there. How are thieves getting this data? How can we stop them? How do they keep coming back? Why is the sky blue? Slava Gomzin, Payments Technologist at HP and author of the book "Hacking Point of Sale" outlined these points in his session at the TripWire booth. PCI's Point to Point Encryption recommendations are intended to protect card holder data throughout the transaction. Technologies such as XYPRO's Data Protection (XDP), which provide Format Preserving Encryption (FPE) and Secure Stateless Tokenization (SST), go even further to secure that precious data while at rest.

Say Hello to Memory Scraping
These types of advancements naturally lead thieves to seek out new attack vectors and more creative methods of getting at the data in transit, at the specific points where it isn’t encrypted.

Memory scraping, or RAM scraping, is, quite simply, an advanced form of skimming. Memory scraping involves installing malware on the retailer’s POS system which then exfiltrates payment card data directly from system memory. Nearly undetectable, it sits quietly and siphons off card data in plain text as cards are swiped. Memory scraping is not new and retailers aren’t the only target. Multiple industries from healthcare to hospitality to food service and others have, at one point or another, been the target of these attacks, but retailers get the most press because of the sheer volume of card numbers and the value of the data.

What Do We Do?
We have to protect sensitive data, and XYPRO’s top 10 list describes how this can be accomplished on the HP NonStop server, but what other attack vectors are thieves using to compromise POS systems? To answer that, we have to look at how the POS is connected to the rest of the network and how its access is managed. The United States Department of Homeland Security recently put out an advisory warning of the attack vectors used for installing memory scraping malware. Default or weak credentials for remote desktop or remote access software are the prime targets of attackers, as are vulnerabilities in software running on internet-exposed servers. Once the credentials for the remote connection are compromised by whatever method, attackers can install software, including memory scraping software, on that system.

Overcompensating?
There are currently no reliable methods to detect memory scraping malware, so security and antivirus companies are quickly scrambling to come up with a solution. In the meantime we rely on the compensating controls outlined in the PCI-DSS requirements to protect the systems that hold any type of card data. These include using hardened credentials with two factor authentication, using account lockout settings and firewall rules, limiting what the logged-on user can do, and changing the port remote desktop listens on, among several others. These small but powerful changes can and should significantly reduce the attack surface available to these thieves.

Next time we’ll dig deeper into some of the other more popular BlackHat discussions including the vulnerabilities with USB devices, the OMA-DM protocol on mobile devices and Bruce Schneier’s review on the State of Incident Response.

Steve Tcherchian, CISSP
XYPRO Technology

Continuously Monitor Security Compliance: #2 on XYPRO’s Top 10 List of NonStop Security Fundamentals

Because high-availability and fault-tolerant systems need strong security

Alright, so let’s assume that you’ve followed the best practices described in items #3 to #10 of XYPRO’s Top 10 NonStop Security Fundamentals, as well as security recommendations from HP and other sources, and you’ve established strong security procedures for your HP NonStop system—how can you actually assess the strength of your security configuration and verify compliance with corporate policy, industry best practices and regulations, like PCI DSS or SOX? And equally important, how do you re-assess and maintain that strong security configuration over time as changes occur?

Those questions bring us to #2 on our Top 10 List:

#2: Continuously monitor security compliance

Defining a security policy and applying it to your system is essential to protecting your NonStop system and complying with government and commercial regulations. Of course, applying a security policy is not a one-time event. Managing system settings, access rules and security configurations is an on-going requirement that must account for new users, new objects, new rules or other system changes.

In a complex payments environment, for example, there may be thousands of security parameters that need to be measured, managed and reported to auditors. Manually monitoring and measuring security compliance is not really feasible: it’s time consuming, a resource hog and prone to human error. XYPRO recommends a systematic approach using NonStop-specific compliance monitoring software. There are a few third-party compliance solutions for the NonStop, including XYGATE Compliance PRO (XSW).

Whichever solution you choose, it should enable you to easily research the security on your HP NonStop server, report the information found, build policies that monitor the state of the security rules in your environment and compare your existing security against supplied PCI, SOX, HIPAA and standard best practice policy recommendations. Furthermore, the solution should allow you to analyze configuration data for security, audit and system management information in the current snapshot, compared over time or compared against a set of absolute rules. Of course, this compliance information is important to auditors (both internal and external) so the solution should have the ability to automate investigations and report generation for security and system configuration information.

An effective compliance monitoring program should include, at least, the following aspects:

• Monitor compliance with Corporate Security Policy and Standards.
• Systematically review security settings vs. NonStop best practices.
• Assess compliance with applicable government or industry regulations (e.g., PCI, SOX, HIPAA).
• Monitor security configuration changes.
• Enable security compliance alerting.
• Conduct periodic integrity checking of operating system and application object files to ensure that only authorized and tested versions are in use.
• Obtain file access maps for Safeguard, Guardian, and access management software, such as XYGATE Object Security (XOS) and XYGATE Access Control (XAC).
• Report compliance with key regulations (like PCI DSS, SOX or HIPAA) and your own information security policy.

A quick note on “Best Practices”: we’ve referenced them quite a bit in this article and throughout our Top 10 list, so what are NonStop best practices? NonStop best practices typically document the expected (i.e., recommended) value of a single characteristic of a single object. These best practices are positive system configuration parameters that can be measured and tested. For example, a best practice can consist of the following: “The Safeguard parameter NAME-LOGON must be set to YES”. While there are many sources of best practice information, a comprehensive resource for NonStop security information can be found in the books “Securing Your HP NonStop Server: A Practical Handbook” and “Securing HP NonStop Servers in an Open Systems World”.
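As an added illustration of the monitoring loop described above (example code, not XYPRO’s or Compliance PRO’s), the snippet below turns best practices of the form “parameter X must be Y” into rules, evaluates them against a snapshot of settings, and flags changes between two snapshots so that drift on a monitored parameter raises an alert. The snapshots are constructed text in “PARAMETER = VALUE” form; NAME-LOGON is the page’s own example, the other parameter names and values are illustrative placeholders, not real SAFECOM output.

```python
import re
from dataclasses import dataclass

# Constructed samples in "PARAMETER = VALUE" form. NAME-LOGON is the page's own
# example; the other names/values are illustrative, not a real SAFECOM listing.
SNAPSHOT_BASELINE = """\
NAME-LOGON = YES
PASSWORD-REQUIRED = YES
PASSWORD-MINIMUM-LENGTH = 8
PASSWORD-HISTORY = 0
AUDIT-AUTHENTICATE-PASS = ALL
"""

SNAPSHOT_LATER = """\
NAME-LOGON = NO
PASSWORD-REQUIRED = YES
PASSWORD-MINIMUM-LENGTH = 6
PASSWORD-HISTORY = 10
AUDIT-AUTHENTICATE-PASS = NONE
"""


@dataclass(frozen=True)
class Rule:
    """One best practice: the expected value of a single characteristic."""
    parameter: str
    op: str          # "eq" exact match, "min" numeric lower bound, "oneof" allowed set
    expected: object
    source: str      # where the rule comes from (best practice, policy, regulation)


# Illustrative policy mixing best practice, corporate policy and a regulation.
POLICY = [
    Rule("NAME-LOGON", "eq", "YES", "NonStop best practice"),
    Rule("PASSWORD-REQUIRED", "eq", "YES", "corporate security policy"),
    Rule("PASSWORD-MINIMUM-LENGTH", "min", 7, "PCI DSS 8.2.3 (illustrative)"),
    Rule("AUDIT-AUTHENTICATE-PASS", "oneof", ("ALL", "LOCAL"), "corporate security policy"),
]


def parse_settings(text: str) -> dict:
    """Parse 'NAME = VALUE' lines into a dict; unrelated lines are ignored."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Z0-9-]+)\s*=\s*(\S+)", line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def check_rule(rule: Rule, settings: dict):
    """Return (status, actual) where status is PASS, FAIL or MISSING."""
    actual = settings.get(rule.parameter)
    if actual is None:
        return "MISSING", actual
    if rule.op == "eq":
        ok = actual == rule.expected
    elif rule.op == "min":
        ok = actual.isdigit() and int(actual) >= rule.expected
    elif rule.op == "oneof":
        ok = actual in rule.expected
    else:
        raise ValueError(f"unknown operator {rule.op!r}")
    return ("PASS" if ok else "FAIL"), actual


def evaluate(settings: dict, policy):
    return [(rule, *check_rule(rule, settings)) for rule in policy]


def detect_changes(old: dict, new: dict) -> dict:
    """Parameters added, removed or changed since the previous snapshot."""
    return {k: (old.get(k), new.get(k))
            for k in set(old) | set(new) if old.get(k) != new.get(k)}


def compliance_report(old_text: str, new_text: str, policy) -> dict:
    old, new = parse_settings(old_text), parse_settings(new_text)
    results = evaluate(new, policy)
    failing = [r.parameter for r, status, _ in results if status != "PASS"]
    changes = detect_changes(old, new)
    # alert only on changes that touch a parameter some rule cares about
    alerts = [r.parameter for r in policy if r.parameter in changes]
    return {"failing": failing, "changes": changes, "alerts": alerts}


if __name__ == "__main__":
    report = compliance_report(SNAPSHOT_BASELINE, SNAPSHOT_LATER, POLICY)
    for rule, status, actual in evaluate(parse_settings(SNAPSHOT_LATER), POLICY):
        print(f"{status:7} {rule.parameter} = {actual} [{rule.source}]")
    print("alerts:", report["alerts"])
```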

So, that’s #2: Continuously monitor security compliance. Ensuring compliance is a critical aspect of any IT security program and compliance monitoring solutions provide the means to systematically measure, manage and report on a complex and dynamic NonStop security environment.

Stay tuned to the XYPRO blog site—next up on our list is NonStop Security Fundamental #1. Also, get notified automatically when new XYPRO blogs come out by following XYPRO on LinkedIn or Twitter.

If you’d like additional information or help with NonStop security, please contact XYPRO for assistance. For over 30 years, XYPRO has provided NonStop security solutions and services that help companies protect their NonStop systems and comply with industry regulations (such as PCI DSS, HIPAA, and SOX).

Friday, July 18, 2014

Protect Sensitive Data: #3 on XYPRO’s Top 10 List of NonStop Security Fundamentals

Because high-availability and fault-tolerant systems need strong security

Over the last several months, we’ve covered some very important concepts in our Top 10 countdown of NonStop security fundamentals— you can review items #4 to #10 on XYPRO’s website and LinkedIn page. Now, we’ve reached #3 on the list.

Throughout much of the first seven security fundamentals, the focus was on effectively managing access to the HP NonStop server and controlling and monitoring user access and activity. Obviously, those are absolutely must-have security requirements for mission-critical systems. Now, however, let’s consider the data that’s being processed or stored on NonStop systems.

Given the high-value business applications and processes that are often run on NonStop servers (such as those related to payments, financial services, telco, healthcare, energy, manufacturing, etc.), it’s likely that there is a significant amount of sensitive data that must be protected. And this data—whether it’s credit card information, payment transactions, health information, social security numbers, customer details or some other type of sensitive information—is the most high-value target for hackers and cyber-criminals. 

Keeping sensitive data safe is the topic for NonStop Security Fundamental #3.

#3: Protect sensitive data 

Two very effective approaches to protecting data-at-rest and in-transit are encryption and tokenization:

1. Encryption. Encryption is the process of using an algorithm to securely transform data into a meaningless form using a secret key. Data can only be accessed in live form by the trusted system that has the appropriate authority to use the private or secret key to decrypt it. Encryption of electronic data typically uses the Advanced Encryption Standard (AES). AES is an industry-proven standard that was announced in 2001 by the U.S. National Institute of Standards and Technology (NIST). Traditional modes of AES significantly alter the original format of the data and so have a big impact on data structures, schemas, and applications. For example, encrypting a standard credit card number with traditional AES-CBC mode will result in a string containing non-numeric data, which may also vary in length from the original card number. This obviously creates a major implementation problem for companies seeking to use AES. To address this issue, a new mode of AES, called “Format-Preserving Encryption” (FPE), or AES-FFX mode, has been introduced which strongly encrypts live data while retaining the original format of the data. This replaces the data in the live system with a functionally equivalent field which cannot be reversed without the associated key. With the FPE mode of AES, data can be encrypted without having to then change database schemas and applications to accommodate the encrypted data. FPE is often used for “Personally Identifiable Information” in transit and storage as a standards-recognized protection and compliance control, or for credit card capture from POS ecosystems or e-commerce platforms.

2. Tokenization. Tokenization does not transform data but instead randomly maps a live data field to a functionally equivalent surrogate value (i.e., a “token”) which replaces the real data. Since tokens do not represent actual data, they can be shared and stored without risk of data loss. To convert a token back to real data, a system (or application) needs to use the tokenization server which hosts the random mapping table to return the token to its original value. First generation tokenization systems used a database for this mapping approach. Tokens can also retain the original format requirements, so the impact on existing data structures and applications is mitigated, and, since the token can only be reversed by the token server itself, systems using tokens may be taken out of scope for compliance purposes (e.g., PCI-DSS compliance). However, a major disadvantage of traditional tokenization has been the complexity of managing token databases (such as handling token “collisions”, backup and recovery, scalability and performance). Next generation tokenization solutions are available that address these issues. For example, XYPRO offers Voltage Security “Secure Stateless Tokenization” (SST) which removes the need for a token database and enables higher performance, lower costs and simplified deployment. Also, by eliminating token databases, SST takes away high-value data targets for hackers and reduces the risk of data breach. Notably, Voltage SST runs natively on HP NonStop, IBM z/OS and Open systems.
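To make the format-preservation property in item 1 concrete, here is an added example (not XYPRO’s, Voltage’s or NIST’s code): a small Feistel-style cipher over decimal digit strings, built in the spirit of the FFX construction but with an HMAC round function standing in for the AES-based PRF of NIST FF1, so it is an illustration and not the standard. It also shows one common deployment pattern, assumed here rather than taken from the page, of leaving the BIN and last four digits of a card number readable and encrypting only the middle. The key and card number are constructed sample values.

```python
import hmac
import hashlib

ROUNDS = 10  # even, so both halves end up in their starting positions


def _round_fn(key: bytes, tweak: bytes, rnd: int, half: str, out_len: int) -> int:
    """Keyed round function: HMAC over (tweak, round number, one half), reduced
    to an integer of out_len decimal digits. Stand-in for FF1's AES-based PRF."""
    msg = tweak + bytes([rnd]) + half.encode("ascii")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % (10 ** out_len)


def fpe_encrypt(key: bytes, tweak: bytes, digits: str) -> str:
    """Encrypt a decimal string to a decimal string of the same length."""
    if not digits.isdigit() or len(digits) < 2:
        raise ValueError("need a decimal string of at least 2 digits")
    u = len(digits) // 2
    a, b = digits[:u], digits[u:]
    for rnd in range(ROUNDS):
        # alternating Feistel: the untouched half moves left, the modified half
        # moves right, so the two halves are modified on alternate rounds
        c = (int(a) + _round_fn(key, tweak, rnd, b, len(a))) % (10 ** len(a))
        a, b = b, str(c).zfill(len(a))
    return a + b


def fpe_decrypt(key: bytes, tweak: bytes, digits: str) -> str:
    """Invert fpe_encrypt by running the rounds backwards."""
    if not digits.isdigit() or len(digits) < 2:
        raise ValueError("need a decimal string of at least 2 digits")
    u = len(digits) // 2
    a, b = digits[:u], digits[u:]
    for rnd in reversed(range(ROUNDS)):
        prev = (int(b) - _round_fn(key, tweak, rnd, a, len(b))) % (10 ** len(b))
        a, b = str(prev).zfill(len(b)), a
    return a + b


def protect_pan(key: bytes, pan: str, lead: int = 6, trail: int = 4) -> str:
    """Assumed deployment pattern: keep BIN and last four in the clear,
    format-preserve the middle so the field still looks like a card number."""
    middle = pan[lead:len(pan) - trail]
    return pan[:lead] + fpe_encrypt(key, b"pan-middle", middle) + pan[len(pan) - trail:]


def unprotect_pan(key: bytes, protected: str, lead: int = 6, trail: int = 4) -> str:
    middle = protected[lead:len(protected) - trail]
    return (protected[:lead] + fpe_decrypt(key, b"pan-middle", middle)
            + protected[len(protected) - trail:])


KEY = b"constructed-demo-key-not-for-production"  # constructed sample key

if __name__ == "__main__":
    pan = "4111111111111111"  # constructed test card number
    ct = fpe_encrypt(KEY, b"demo", pan)
    print(pan, "->", ct, "(same length, all digits)")
    print("protected PAN:", protect_pan(KEY, pan))
```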

For some companies, modifying their NonStop application (like BASE24 or Connex) to use encryption or tokenization is a major challenge and has prevented them from fully protecting their data. For these types of NonStop server users, XYPRO has developed XYGATE Data Protection (XDP) which enables NonStop applications to use Voltage encryption and tokenization without changes to the application.

So, that’s #3: Protect Sensitive Data. Data can be an organization’s most valuable treasure and it’s a major target for cyber-criminals. News headlines are full of stories about data breaches and stolen information—often from some of the world’s leading technology companies. Encryption and/or tokenization are critical solutions for protecting sensitive data, reducing the scope of regulatory compliance, and neutralizing the impact of a data breach. 

Stay tuned to the XYPRO blog site—next up on our list is NonStop Security Fundamental #2. Also, get notified automatically when new XYPRO blogs come out by following XYPRO on LinkedIn or Twitter.

For more information or help: More in-depth information and guidance on these security subjects are available in XYPRO’s NonStop security handbooks: HP NonStop Server Security: A Practical Handbook and Securing HP NonStop Servers in an Open Systems World: TCP/IP, OSS and SQL. 

You may also contact XYPRO for assistance. For over 30 years, XYPRO has provided NonStop security solutions and services that help companies protect their NonStop systems and comply with industry regulations (such as PCI DSS, HIPAA, and SOX).

Tuesday, June 24, 2014

Why We Love Summer Internships (And You Should, Too!)

For the last several years here at XYPRO, we have been developing a summer internship program and we’re thrilled with the results!

An XYPRO Internship is not an ordinary “fetch coffee” internship. The XYPRO Internship Program provides motivated and qualified students an opportunity to gain real, hands-on experience, receive valuable on-the-job training and learn about the variety of roles involved in running a software development company. We also value mentorship as an extremely important function of a successful internship. Mentors allow interns to develop and grow in the areas they’re most interested in. Each one of our interns is partnered with a mentor, either a developer, engineer, administrator or manager, to best guide them down their areas of interest.

We have happily discovered that the type of student that applies for an internship is generally a self-starter already. At XYPRO, we are very lucky to be surrounded by many colleges and universities from which we recruit for our intern program and for several years now, we have been enjoying the benefits of recruiting from a pool of highly motivated students that bring enthusiasm, curiosity and boundless energy into the company. With their youth comes a perspective and life experience that has never NOT used computers in their everyday life. In their minds, literally anything can be accomplished with technology.

Many of our interns have ended up staying on for an extended period of time while they finish school and some have even been brought on board and are now full-time employees! It’s a win-win situation. XYPRO benefits from their go-get-em attitude while at the same time introducing a whole new generation to the world of HP NonStop and Information Security.

Steve Tcherchian, CISSP
XYPRO Technology

Pictured are some of our current and former XYPRO interns, including Drew (center), my former intern and our new IT Systems Administrator.

Monday, April 21, 2014

XYPRO NonStop Security Fundamentals Top 10 List – #4

Because high-availability and fault-tolerant systems need strong security

Alright, we’ve reached #4 on our list of Top 10 NonStop Security Fundamentals—items #5 to #10 are posted on XYPRO’s website and LinkedIn page.

Previously, in the #5 entry, we discussed how to strengthen access management using Role-based Access Control (RBAC). RBAC was about managing users’ access rights—now let’s take the discussion a step further and talk about securing NonStop system resource objects, such as volumes, subvolumes, files, devices, subdevices, processes and subprocesses. How to protect those objects takes us to the #4 item in our Top 10 List:

#4: Dynamically secure all NonStop system resource objects

Safeguard provides the ability to tightly restrict access to Guardian operating system objects, but can become a major management challenge to administer. OSS operating system objects can be secured with standard UNIX “rwx” security or with POSIX ACLs, but these approaches also create a lot of management overhead, have significant shortcomings and do not result in a totally secure system.

To fully secure NonStop system resource objects and reduce administrative workload, we recommend these steps:

1. Use wildcarding to reduce the number of ACLs needed and proactively protect objects. Rather than trying to manage with static, reactive Safeguard mechanisms, use dynamic rules with wildcarding that can vary based on the characteristics of each access attempt. Wildcarding greatly increases the flexibility of ACL rules and reduces the number of ACL rules needed.

Third-party solutions, like XYGATE Object Security (XOS), can deliver this type of wildcarding and dynamic rule functionality. XOS provides grouped object access records that contain wildcard security rule specifications which are applied consistently to objects in the group. Importantly, because the rules are evaluated at access time, they apply even to objects that do not yet exist when you set your security policy, so new objects are protected proactively rather than by retroactively applying security rules after they have been created.

One North American credit card company manages its entire network of HP NonStop servers with XOS using fewer than 300 XOS access control rules. Previously, when using Safeguard alone, over a million Safeguard ACLs were required.

2. Secure objects with any object attribute. Traditional security ACLs are applied against objects based on the object name alone. This is a limiting approach and ignores many other factors of an object that may be relevant to applying security, such as object age or object type. However, third-party solutions like XOS allow for objects to be secured not only by name, but by any other object attribute (alone or in conjunction with others). For example, using XOS, authorization to purge saveabend files could be given to users based on multiple criteria (OBJECT name, OBJECT age, and OBJECT type). A similar rule using Safeguard, Guardian, or OSS would not be possible or practical. With this approach, a single XOS rule can take the place of tens, hundreds, and even thousands of Safeguard ACLs.

3. Use the OSS SEEP to increase security protection for OSS. As of February 2013, with the H06.26/J06.15 release of the NonStop operating system, HP now includes a Security Event Exit Process (SEEP) within the OSS environment. The OSS SEEP can be used by third-party solutions, like XOS, to provide NonStop OSS security that is more flexible and granular than previously available. Now, OSS subsystems can take advantage of the same levels of security and configurability that have been used for many years on the Guardian subsystem. In fact, with XOS, Guardian and OSS object security can be maintained together in a single file.

While we’re on OSS, let’s quickly talk about auditing. OSS object access auditing can be done in Safeguard if “audit-client-oss” is turned on. However, that Safeguard function is unnecessarily broad (it’s really an all or nothing type of capability) and using it creates a massive amount of audit data—access to all OSS objects is audited. A better option is to use a third-party solution, such as XOS, that allows for very granular auditing of OSS object access.

4. Unify NonStop security management across different nodes and operating systems. Effectively maintaining common security rules across homogeneous production systems is very important but can be very difficult to manage with just Safeguard. Maintaining consistency using Safeguard requires keeping ACLs consistent across every node, and the same ACL change must be made separately on every node. Furthermore, with Safeguard there is no good way to verify that the ACLs across nodes are actually consistent. However, with a NonStop security solution like XOS, all the rules are in a single file; that file can be maintained on one node and then copied to all the other nodes when a change is required. Also, if a new node is brought up, instead of having to create thousands of Safeguard ACLs to properly secure the new node, the single XOS file can be installed and the new node is instantly (and consistently) protected.

It’s worth emphasizing the need for unified security management in NonStop. To properly secure the NonStop system without a third-party solution, security admins have to deal with Guardian file security, Safeguard ACLs, OSS standard security, and OSS POSIX ACLs—that’s a lot of complexity to manage and increases costs and security risks. On the other hand, with solutions like XOS, security admins can secure both Guardian and OSS from a single point.
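To make the ideas in steps 1, 2 and 4 concrete, here is an added example in Python. It is not XOS or XYPRO code and does not use XOS’s rule syntax; it is a toy evaluator in which each rule is a wildcard over the object name plus optional attribute tests (type and age), the whole rule set is one list that could be copied to every node, and a canonical digest of that list lets you confirm that nodes have not drifted. The rule format, the group names (OPS, APPOWNER), the ZZSA* saveabend naming, and the object inventory are all constructed for the illustration.

```python
"""Added example, not XYPRO/XOS code: a toy dynamic object-security rule set.
Rule syntax, group names, object names and ages are all constructed."""
import fnmatch
import hashlib
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional


@dataclass(frozen=True)
class Obj:
    """A resource object as it looks at access time (constructed sample data)."""
    name: str        # $VOL.SUBVOL.FILE, Guardian style
    file_type: str   # e.g. "SAVEABEND", "ENSCRIBE", "PROGRAM"
    age_days: int    # days since last modification


@dataclass(frozen=True)
class Rule:
    """One dynamic rule: a wildcard over the name plus optional attribute tests.
    Because it is evaluated at access time, it also covers objects that did not
    exist when the rule was written (step 1)."""
    pattern: str                                   # fnmatch wildcard over the object name
    ops: FrozenSet[str]                            # operations this rule decides
    groups: FrozenSet[str]                         # subject groups; "*" means anyone
    allow: bool = True
    file_types: Optional[FrozenSet[str]] = None    # step 2: attribute criteria
    min_age_days: Optional[int] = None

    def matches(self, groups: FrozenSet[str], op: str, obj: Obj) -> bool:
        if op not in self.ops:
            return False
        if "*" not in self.groups and not (groups & self.groups):
            return False
        if not fnmatch.fnmatchcase(obj.name.upper(), self.pattern.upper()):
            return False
        if self.file_types is not None and obj.file_type not in self.file_types:
            return False
        if self.min_age_days is not None and obj.age_days < self.min_age_days:
            return False
        return True


# Hypothetical rule file: first matching rule wins; no match means deny.
RULES: List[Rule] = [
    # One rule lets operators purge any saveabend older than a week on any
    # volume, instead of one ACL per ZZSA* file (the ZZSA naming is assumed).
    Rule("$*.*.ZZSA*", frozenset({"PURGE"}), frozenset({"OPS"}),
         file_types=frozenset({"SAVEABEND"}), min_age_days=7),
    # Production data: anyone may read, only the application owner may change.
    Rule("$DATA*.PROD*.*", frozenset({"READ"}), frozenset({"*"})),
    Rule("$DATA*.PROD*.*", frozenset({"WRITE", "PURGE"}), frozenset({"APPOWNER"})),
]


def decide(rules: Iterable[Rule], groups: Iterable[str], op: str, obj: Obj) -> bool:
    """Authorization decision for one access attempt; the default is deny."""
    subject = frozenset(groups)
    for rule in rules:
        if rule.matches(subject, op, obj):
            return rule.allow
    return False


def purgeable_by(rules: Iterable[Rule], groups: Iterable[str], objects: Iterable[Obj]) -> List[str]:
    """Names of the objects a subject may purge under the rule set."""
    rules = list(rules)
    return [o.name for o in objects if decide(rules, groups, "PURGE", o)]


def rules_digest(rules: Iterable[Rule]) -> str:
    """Canonical SHA-256 of the rule set. Compare it across nodes to confirm every
    node runs the same policy (step 4); set members are sorted so the digest
    does not depend on set iteration order."""
    lines = []
    for r in rules:
        lines.append("|".join([
            r.pattern, ",".join(sorted(r.ops)), ",".join(sorted(r.groups)),
            str(r.allow),
            ",".join(sorted(r.file_types)) if r.file_types else "",
            "" if r.min_age_days is None else str(r.min_age_days),
        ]))
    return hashlib.sha256("\n".join(lines).encode()).hexdigest()


# Constructed inventory; the last object was created after the rules were written.
SAMPLE_OBJECTS = [
    Obj("$DATA01.PRODACCT.ZZSA0042", "SAVEABEND", 30),
    Obj("$DATA01.PRODACCT.ZZSA0099", "SAVEABEND", 1),
    Obj("$DATA01.PRODACCT.ACCTMAST", "ENSCRIBE", 120),
    Obj("$DATA02.PRODNEW.ZZSA0001", "SAVEABEND", 12),
]

if __name__ == "__main__":
    print(purgeable_by(RULES, {"OPS"}, SAMPLE_OBJECTS))
    print(rules_digest(RULES))
```

Running it shows one PURGE rule covering both the old saveabend on $DATA01 and the one on $DATA02.PRODNEW that appeared after the policy was written, while the one-day-old saveabend and the data file fall through to deny for operators. Ship the same rule list to every node and compare rules_digest() outputs to catch drift.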

So, that’s #4: Dynamically secure all NonStop system objects. Obviously, resource objects are key parts of your NonStop system and must be fully secured. While Safeguard provides some capabilities to do this, a best practice approach is to use a third-party tool that enables rule flexibility, expands security attributes and provides strong security to not just the Guardian subsystem but OSS, as well.

Stay tuned to the XYPRO blog site—next up on our list is NonStop Security Fundamental #3. Also, get notified automatically when new XYPRO blogs come out by following XYPRO on LinkedIn or Twitter.

For more information or help: More in-depth information and guidance on these security subjects are available in XYPRO’s NonStop security handbooks: HP NonStop Server Security: A Practical Handbook and Securing HP NonStop Servers in an Open Systems World: TCP/IP, OSS and SQL.

You may also contact XYPRO for assistance. For over 30 years, XYPRO has provided NonStop security solutions and services that help companies protect their NonStop systems and comply with industry regulations (such as PCI DSS, HIPAA, and SOX).

Friday, March 14, 2014

XYPRO NonStop Security Fundamentals Top 10 List – #5

Because high-availability and fault-tolerant systems need strong security

Okay, so now we’re into the top five items on our list; items #6 to #10 are posted on XYPRO’s website and LinkedIn page.

Throughout the earlier items on our Top 10 List, the concept of access control came up rather frequently (either directly or indirectly), so let’s focus a bit more on it. As described in XYPRO’s HP NonStop Server Security Handbook, “Access Control is the whole array of tools and procedures used to limit, control, and monitor access to information and utilities. Access control is based on a user’s identity and membership in predefined groups. Access control makes it possible to control the use, availability, integrity, and confidentiality of objects and information on the HP NonStop Server.”

Clearly, access management is very important. However, it can be a daunting challenge to individually manage all the various access privileges for every user. The effectiveness of even an excellent security access management plan can be weakened when its corresponding administrative overhead is too high. With this in mind, we come to the #5 NonStop Security Fundamental:

#5: Strengthen access management with role-based access control (RBAC)

Role-based access control (RBAC) is a security approach in which system access and permission rights are grouped according to user roles and then individual users are assigned to a role. The security system then makes access decisions according to the user’s role.

The idea here is quite simple: using role-based access can reduce management overhead and facilitate the implementation and enforcement of standardized access rules—all of which strengthens security access management.

While possible, setting up RBAC with Safeguard requires extensive administration. Third-party solutions, like XYGATE Access Control (XAC), provide a more manageable method of implementing RBAC. The single, major difference between XAC and Safeguard RBAC is the ability to define control by job function in XAC. Safeguard simply isn’t architected for role-based control whereas a solution like XAC is designed for it.

Using ACLGROUPs for RBAC. As with all XYPRO products, XAC is developed around the concept of ACLGROUPs. ACLGROUPs allow you to define control based on job function (database administrator, systems administrator, security administrator, etc.). You start by defining roles THEN you add users to those roles. Users can have zero or more roles. Access is granted based on the role as opposed to the user.

For example, ACLGROUPs can be used to provide different access rights, based on role, to SQLCI functions. Let’s say all database administrators are assigned to the “DBA” group and need full access to SQLCI functions. To enable this, a rule is written in the DBA ACLGROUP to allow this role unfettered access to SQLCI and all other database manipulation functions and utilities. However, system administrators may only need read-only access to SQLCI; therefore, their ACLGROUP (let’s call it “SYSADMIN”) is written to allow just read-only access to SQLCI (with PURGE, UPDATE, DROP, ALTER and CREATE disabled). Now, managing individual users’ access is as simple as assigning them the appropriate roles—ACLGROUP rules will then correctly determine access rights.

The RBAC in this example requires only a small number of rules in XAC. Those rules can be applied to any number of users via wildcards or regular expressions, and they extend to aliases as well. Once the rules are in place, you can add or remove users’ access to functions at any time simply by changing their role membership.

Doing this in Safeguard requires a unique rule per user per subsystem/binary/program. Safeguard does NOT have the ability to limit access to specific commands within a subsystem as XAC does. So, while possible, RBAC in Safeguard requires extensive manual intervention and an enormous number of rules—and every change introduces an opportunity for human error that could lead to stability issues.

Don’t forget auditing! Using XAC for RBAC provides another important benefit: XAC auditing can also be done at a much finer level. Safeguard can record which userid accessed which object at what time, but little else. With XAC, exact commands and their output can be logged with non-repudiation (XAC can be configured to prompt for the user’s password before allowing sensitive commands).

A major note for alias users: Safeguard auditing and protection are always based on the underlying userid. Safeguard does not treat aliases as unique, only the underlying userid. XAC (and all XYGATE modules) can differentiate between aliases and grant/revoke access and audit based on userid and/or alias.
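As an added illustration of the ACLGROUP idea and the alias point above (example code, not XAC’s own configuration or syntax), the following Python authorizer defines a role as the set of verbs it may run in a subsystem, assigns zero or more roles to each alias rather than to the underlying userid, refuses verbs outside the role even when the underlying userid would be allowed under another alias, and writes one audit record per command that keeps alias, userid, verb and the exact command text. The role names, alias names, userids, the SQLCI verb lists and the set of verbs treated as sensitive are all hypothetical.

```python
"""Added example, not XYPRO/XAC code or configuration syntax: a toy role-based
command authorizer with alias-aware auditing. Role names, aliases, userids and
verb lists are hypothetical."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Role -> subsystem -> permitted verbs. "*" grants every verb of that subsystem.
ROLES: Dict[str, Dict[str, Set[str]]] = {
    "DBA":      {"SQLCI": {"*"}},
    "SYSADMIN": {"SQLCI": {"SELECT", "INFO", "FILEINFO", "HELP"}},   # read-only view
}

# Verbs for which "prompt for the password before allowing the command" would apply.
SENSITIVE = {"PURGE", "UPDATE", "DROP", "ALTER", "CREATE", "DELETE"}

# Alias -> underlying Guardian userid. Two aliases deliberately share SQL.DBA:
# a userid-only view sees just SQL.DBA, the authorizer below sees the alias.
ALIASES: Dict[str, str] = {
    "alice.dba": "SQL.DBA",
    "bob.ops":   "SQL.DBA",
    "carol":     "SUPER.OPER",
}

# Roles are assigned to the alias, zero or more per alias.
ALIAS_ROLES: Dict[str, Set[str]] = {
    "alice.dba": {"DBA"},
    "bob.ops":   {"SYSADMIN"},
    "carol":     set(),
}


@dataclass(frozen=True)
class Decision:
    alias: str
    userid: str
    subsystem: str
    verb: str
    command: str           # exact command text, kept for the audit trail
    allowed: bool
    via_role: Optional[str]
    reauth_required: bool  # sensitive verb: allow only after re-authentication


AUDIT: List[Decision] = []   # in-memory stand-in for an audit file


def verb_of(command: str) -> str:
    """First word of the command, upper-cased (SQLCI verbs are case-insensitive)."""
    m = re.match(r"\s*([A-Za-z]+)", command)
    return m.group(1).upper() if m else ""


def authorize(alias: str, subsystem: str, command: str) -> Decision:
    """Decide whether ALIAS may run COMMAND in SUBSYSTEM and record the outcome."""
    userid = ALIASES[alias]   # unknown alias raises KeyError: fail closed
    verb = verb_of(command)
    via_role = None
    for role in sorted(ALIAS_ROLES.get(alias, set())):
        verbs = ROLES.get(role, {}).get(subsystem, set())
        if "*" in verbs or verb in verbs:
            via_role = role
            break
    allowed = via_role is not None
    decision = Decision(alias, userid, subsystem, verb, command, allowed,
                        via_role, allowed and verb in SENSITIVE)
    AUDIT.append(decision)
    return decision


def audit_for_userid(userid: str) -> List[str]:
    """Audit lines for one underlying userid; the alias column is exactly what a
    userid-only audit would lack."""
    return [f"{d.alias} ({d.userid}) {d.verb} -> {'ALLOW' if d.allowed else 'DENY'}"
            for d in AUDIT if d.userid == userid]


if __name__ == "__main__":
    authorize("alice.dba", "SQLCI", "DROP TABLE acct.master;")
    authorize("bob.ops", "SQLCI", "select count(*) from acct.master;")
    authorize("bob.ops", "SQLCI", "DROP TABLE acct.master;")
    for line in audit_for_userid("SQL.DBA"):
        print(line)
```

Run as a script, the audit for SQL.DBA shows alice.dba allowed to DROP (with re-authentication flagged) and bob.ops allowed to SELECT but denied DROP, even though both aliases resolve to the same userid; a userid-only log would record three actions by SQL.DBA and nothing more.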

Alright, well that’s #5: Strengthen access management with role-based access control (RBAC). RBAC simplifies security administration and can enable a greater degree of security and control for your HP NonStop systems.

Stay tuned to the XYPRO blog site—next up on our list is NonStop Security Fundamental #4. Also, get notified automatically when new XYPRO blogs come out by following XYPRO on LinkedIn or Twitter.

For more information or help: More in-depth information and guidance on these security subjects are available in XYPRO’s NonStop security handbooks: HP NonStop Server Security: A Practical Handbook and Securing HP NonStop Servers in an Open Systems World: TCP/IP, OSS and SQL.

You may also contact XYPRO for assistance. For over 30 years, XYPRO has provided NonStop security solutions and services that help companies protect their NonStop systems and comply with industry regulations (such as PCI DSS, HIPAA, and SOX).

Saturday, February 15, 2014

XYPRO Engineering Team Building – doing the Robot!

As part of our annual corporate kick-off event, this year the entire engineering team took part in a full day team building exercise. Taking over all the available space at our Simi Valley headquarters, we were split up into color-coded groups, each of which included members of different parts of the engineering team. Armed with a Lego Mindstorm EV3 kit, each group was presented with a series of tasks (requirements), which consisted of pre-constructed courses on which the robots needed to navigate a maze and move obstacles around the course. The challenge? Design and build a robot that would be able to complete the tasks by the end of the day.

Structured roughly along the lines of our Software Development Life Cycle (SDLC), time was allocated for requirements definition, project planning, design, development and unit testing, QA testing, and deployment.

Things got off to an energetic start with each team doing a good job of dealing with 600+ Lego pieces, learning the software used to program the robots, and planning out the approach. Would some teams jump straight into robot building, with others spending more time documenting requirements and planning? Each team allocated their tasks well so everyone was kept busy, but what factor would planning things out early play? Would those who made that early effort see a payoff later in the day…?

As the day progressed, some very different approaches were becoming apparent, and the teams were realizing that completing all three challenges was going to be difficult, if not impossible. The teams naturally started with challenge #1 which wasn’t necessarily the easiest. Some gentle “guidance” by the mentors to evaluate all the challenges and focus on the easiest challenge first proved helpful and soon each team was making solid progress on that challenge.

With 90 minutes to go before “deployment”, each team was given some time to QA their robots on the actual challenge courses. Some teams’ robots completed the challenge on the first try, others needed tweaking, but all had something ready to attempt the challenges. Each team then returned to their workshops to complete final tweaks before deployment.

The moment of truth, the “Deployment Phase.” Each team must now present their robot, outline the approach they took to the challenges, and detail what worked (and what didn’t!). Scores were based on how well they worked together as a team, how well they presented their solution, and of course, how well their robots completed the challenges.

Each team gave an entertaining and informative presentation describing their efforts during the day, the approach they’d taken, and the robot they’d designed. Some of the teams that jumped straight into building their robots found that some more time on initial design would’ve been helpful. Each team presented a robot that was able to complete at least one of the challenges, and as such, all should be very proud of their efforts.

This exercise reinforced the importance of planning, particularly when confronted with such a daunting task (600+ pieces! Understanding requirements!!! A new programming environment!! Difficult challenges!!! Ridiculously short timeframes!!!). It also reminded us of the value of working together as a team, which really was the main point.

At the end of the day, the Blue team (or “Team Teal”, as they renamed themselves) won, narrowly defeating the Yellow team by only one point! Congratulations to all the teams on what was a fun and very constructive day. Bring on Kick-Off Challenge 2015!