Copyright © 2017, Oracle and/or its affiliates. All rights reserved.
Building a Secure Cloud Infrastructure: Always Online, Continuously Compliant
张国华, Senior Systems Architect, Oracle Linux & Virtualization, October 2017
Safe Harbor Statement
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
Source: https://www.theregister.co.uk, https://www.bleepingcomputer.com
Erebus Linux Ransomware
HBO Breach
Source: https://www.fireeye.com/cyber-map/threat-map.html
As we speak, thousands of security attacks are taking place around the world.
There is no "silver bullet" in security. Think "defense in depth", especially in today's software-defined world.
Perimeter
Host
Cloud platform
Application
Data
According to the latest survey, 92.5% of the Top 50 applications release a patch on the day the vulnerability is published.
Of all known vulnerabilities, 81% already have a security patch available.
The old challenge persists in the cloud era: defending against vulnerabilities and weaknesses.
Source: https://info.flexerasoftware.com/SVM-WP-Vulnerability-Review-2017
Application maintenance: "My application is in production and we are working on a release which is going next month. I cannot give any downtime."
Change management: "You have to patch the system as recommended by the Security Operations Center, but follow the Change Management."
Platform operations: "I have the latest security patches, but how can I fix it without disrupting applications and wait for Change Management?"
The challenge of fixing vulnerabilities: how to balance the needs of all the teams involved
With Oracle:
• Strengthen IT leaders' capabilities through continuous risk-prevention technology.
• Achieve 100% business uptime while still staying secure.
• Improve the overall security posture and reduce pressure on teams.
Consider more new technologies to keep the cloud infrastructure continuously secure and to simplify operations
Patching
Oracle Linux Ksplice technology
• Ksplice applies patches without rebooting the system. Advantages of reboot-free patching:
• Improved security: security patches are applied without a reboot
• Reliability (compliance): the entire system is updated
• Lower operating costs: no regular weekend maintenance windows and no emergency unplanned maintenance
• Rapid support fixes: fixes targeted at the exact state of the system
• 100% coverage of the current kernel
• Hot patching of the system's base libraries as well
– glibc
– OpenSSL
Ensure compliance and security with zero downtime
Avoid traditional patching: reboots are disruptive, cause downtime, and cause delays
Security Update Released
1. System administrator negotiates with management to schedule outage windows
2. System administrator schedules downtime the following week
3. System administrator notifies users of planned downtime
…One Week Later
1. Shut down application server
2. Shut down database
3. Apply Linux OS update
4. Start up database
5. Start up application server
6. Sanity check application
…And Another 4 Hours Later
1. Updates applied and tested
2. Back in business after first notification of security update - typically over one week has passed
Three business reasons to use Ksplice
• 100% compliance support for servers
– support for userspace patches
– support for kernel and system-space patches
– no reboot required, and the system is 100% compliant
• CVE vulnerability fixes
– rapid application of security updates and errata
– no reboot required, and the system is 100% secure
• Support fixes
– obtain a Ksplice patch for the affected system through Oracle Support
– install Ksplice on the running system
– no reboot, and no need to reset the affected component
Productivity equals enterprise profitability
Scenario: using Ksplice to keep your system 100% compliant
Your system needs to stay compliant
• Your information security team tells you to patch the system
• You identify the userspace patches
• You identify the kernel patches – they will not affect your business users, and you confirm that the Ksplice environment can provide the corresponding kernel patches
• You install the kernel-space and userspace Ksplice patches
• The result is a 100% compliant system, with no reboot
• Your users do not notice any interruption
• You tell the information security team to verify the system's compliance
Scenario: using Ksplice to fix common vulnerabilities and apply updates
Your system has an unpatched CVE
• Your information security team determines that the system has some CVE vulnerabilities
• You confirm that Ksplice addresses these vulnerabilities and provides the fixes
• You install the targeted Ksplice patches, fixing the CVEs
• The result is a server that is 100% secure, with no reboot
• Your users do not notice any interruption
• You tell the information security team to verify the system's security
Scenario: using Ksplice support on a server that must stay online and keep working
A degraded system needs to be assessed and repaired
• Your system begins to show signs of degradation
– performance drops
– intermittent I/O loss
– excessive memory consumption
– errors or warnings start being reported
• You call Oracle Support and open a service request to resolve these problems
– you and the support team determine that the problem may already be fixed in the upstream community or in a newer release
– you want to know whether those fixes will repair your system
• You request a Ksplice patch for this specific problem
• A Ksplice patch is built, downloaded, installed and running
• The result is that your system returns to normal
Business impact of online Linux vulnerability fixes: management and business processes without Ksplice
Figure: Typical Patching Cycle Tasks. Tasks: Schedule Downtime, Shutdown Stack, Patch OS, Start Up Stack, Triage Change Mgmt., Validate & Release. Roles involved: Linux Admin, Database Admin, Middleware Admin, Application DBA, Business User.
Risks and impact of a standard patching* process: if your patch schedule is January, April, July and October, what about now?
* Source: CVEDETAILS.COM
Business impact of online Ksplice patching on Linux: Ksplice improves management and business processes – reducing resource cost
Figure: Ksplice Patching Cycle Tasks. Tasks: Schedule Downtime, Shutdown Stack, Patch OS, Start Up Stack, Triage Change Mgmt., Validate & Release. Roles involved: Linux Admin, Database Admin, Middleware Admin, Application DBA, Business User. 60% reduction in task resources.
Example: fixing the Heartbleed vulnerability with Ksplice for userspace
Heartbleed forced thousands of vendors to reissue security certificates, at an estimated cost of 5 million US dollars
• Without the planned downtime that patching requires, the impact of attacks such as Heartbleed can be greatly reduced
Millions of affected users and untold costs
Ksplice lets customers patch immediately
ksplice.oracle.com/try/trial
Ksplice Inspector
Source: http://ksplice.oracle.com/inspector
An IDC Interview:
Progressive Insurance Secures Servers with Ksplice
Compliant with timely security updates
450 servers secured
100% uptime
Oracle Linux patching can be used in every environment
Protect the next-generation data center.
– Physical
– Virtual
– Public Cloud
– Private Cloud
– Hybrid Cloud
– OpenStack
– Containers
A journey of a thousand miles begins with a single step
99.9% of vulnerability intrusions in 2014 could have been stopped by a patch that had been released more than a year prior*
* Source: Verizon Data Breach Investigations Report, 2015
Stay Connected
Or visit us at: www.oracle.com/linux
@OracleLinux
Blogs.oracle.com/linux
Facebook.com/OracleLinux
Oracle Linux Experts Group
YouTube.com/OracleLinuxChannel
Q & A