Helmut Bernhard – Sr. Solutions Architect
Böblingen, 9 May 2019
Integration of HPE NonStop into Enterprise IT Environments - 3 Case Studies
Agenda
NSGit – Successful Project Setup
Integrating NonStop into Enterprise MFA, IAM and Break Glass Processes
SecurDPS Enterprise Tokenization REST-API
What is NSGit all about?
• NSGit is the Guardian plugin to communicate with git on OSS as gateway to the open (development) world
• NSGit will free up NonStop development from the current island/castle existence
• Security will be greatly enhanced
  • No remote passwords
  • Separation and decoupling of different environments and synchronisation via SSH
  • “Evidence of Origin” - Compliance metrics will be achieved due to convenient and exhaustive monitoring and detecting of changes in all environments
Positioning NSGit
> NSGit is a GUARDIAN front-end client to integrate HPE NonStop into an Open Systems git environment.
> git-like interface from TACL
> Dual-mode files:
  > File name equivalence between OSS formats and GUARDIAN
  > Pattern-based and direct name mapping
  > Support for Native and code 100 objects, ENSCRIBE structured files, DDL dictionary distribution, POBJ distribution, file attribute preservation
> NSGit is not a NonStop standalone version management system. It works on top of the Open System environment. OSS hierarchies map to multiple subvolumes.
PCI related requirements
• Risk of insecure data is unacceptable
• Code must never access, modify, or transmit data inappropriately
• All installed code must be specific in its purpose
• No installed code can do anything outside of requirements
• Identification of what should be installed where
• Clear evidence of where changes originate
• Only allow change access to good players
• Maintain complete audit trails of all changes in all environments
• Remove manual processes (cannot be audited)
• SWIFT adds Detect and Respond to PCI Compliance
Positioning git
> Git is the leading DVCS – Distributed Version Control System
> Widely accepted and used in colleges, universities, small and large corporations, and Open Source projects
> Code can move from development to production and back with full audit
> Supports projects with thousands of participants
> Authenticated signatures with GPG
> Many non-proprietary security options for customers
> Integration with:
  > Build automation (Jenkins)
  > Code review systems (Gerrit)
  > and much more (GitHub, Stash/Bitbucket)
Why Git for NonStop?
> Any decent VCS product supports basic versioning
> ITUGLIB has ported CVS, RCS, Git
> Customers have Control, RMS/PrimeCode, ClearCase, and above
> On the surface, Git is yet another version control system… but NSGit brings:
  > Support for GUARDIAN EDIT, Objects, Data, Structured and Unstructured files
  > Preservation of GUARDIAN file codes, extents, and structure
  > Builds are added to history including GUARDIAN artifacts
  > Release packages include metadata to deploy exactly what was built
Why Git for NonStop? (cont.)
> Key reasons why customers should choose Git:
  > Code transport is the key
  > Packaging from vendors
  > Receiving at customer sites
  > Merging in customizations
  > Pull changes into production = installation
  > Push changes back to development for in situ bug-fixes
NSGit - Fundamental Technology Benefits
> Git, and all that it brings, including:
  > Software transport
  > Vendor desk to customer production audit and accountability
  > Retrofit bug fixes as far back as needed
> GUARDIAN file system support
  > Dual-mode for files and directories
  > Reconstituting and diff of GUARDIAN attributes
  > Release packaging of GUARDIAN files in Git
> Independent of Git versions
> Fully backed by Git repositories
> Git is the standard VCS skill for new hires
NSGit Architecture (diagram)
The OSS working index (/home/myuser/repo, with the Git repository at /home/randall/repo/.git) and its GUARDIAN pair ($data01.repo.*, where you work) are kept in automatic sync. Components shown: nsgit (GUARDIAN object), osstty, git (OSS object), TACL with online help via http, NSGit metadata, NonStop SSH / OpenSSH, libcurl / OpenSSL.
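As an added illustration (not NSGit's own code; the slides do not give its real mapping rules), the dual-mode name mapping described under Positioning NSGit, modelled on the architecture slide's pairing of /home/myuser/repo with $data01.repo.*: a hypothetical scheme that enforces GUARDIAN name limits, spreads one OSS hierarchy over several subvolumes, and refuses name collisions caused by truncation.

```python
from __future__ import annotations
import re
from pathlib import PurePosixPath

# GUARDIAN naming rules: $VOL is 1-7 characters, SUBVOL and FILE are 1-8,
# each starting with a letter and otherwise alphanumeric (case-insensitive).
VOL_RE = re.compile(r"^[A-Z][A-Z0-9]{0,6}$")

def guardian_part(name: str) -> str:
    """Derive a GUARDIAN-legal SUBVOL/FILE component from an OSS name: drop the
    extension, strip non-alphanumerics, upper-case, force a leading letter, truncate."""
    cleaned = re.sub(r"[^A-Za-z0-9]", "", name.split(".", 1)[0]).upper()
    if not cleaned or not cleaned[0].isalpha():
        cleaned = "X" + cleaned
    return cleaned[:8]

def map_repo(oss_root: str, volume: str, files: list[str]) -> dict[str, str]:
    """Hypothetical mapping of OSS paths under oss_root to $VOL.SUBVOL.FILE names.
    Files in the repo root land in a subvolume named after the root
    (repo -> $DATA01.REPO.*); each first-level directory becomes its own
    subvolume, which is how one OSS hierarchy spreads over multiple subvolumes.
    Truncation to 8 characters can make two OSS files claim the same GUARDIAN
    name, so collisions are rejected instead of silently overwriting a file."""
    volume = volume.upper().lstrip("$")
    if not VOL_RE.match(volume):
        raise ValueError(f"invalid GUARDIAN volume ${volume}")
    root = PurePosixPath(oss_root)
    mapping: dict[str, str] = {}
    owner: dict[str, str] = {}
    for f in files:
        rel = PurePosixPath(f).relative_to(root)
        if len(rel.parts) > 2:
            raise ValueError(f"{f}: deeper nesting needs a pattern rule (not modelled here)")
        subvol = guardian_part(rel.parts[0] if len(rel.parts) == 2 else root.name)
        gname = f"${volume}.{subvol}.{guardian_part(rel.name)}"
        if gname in owner:
            raise ValueError(f"collision: {f} and {owner[gname]} both map to {gname}")
        owner[gname] = f
        mapping[f] = gname
    return mapping

# Constructed sample repository using the architecture slide's paths.
SAMPLE_FILES = [
    "/home/myuser/repo/README",
    "/home/myuser/repo/src/main.c",
    "/home/myuser/repo/src/util.c",
    "/home/myuser/repo/ddl/customer.ddl",
]
```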
The Project Voodoo setup to be avoided
• If the project setup points mentioned below are ignored, a voodoo project setup is the most probable outcome
• As outlined before, this project needs a cooperative setup to be successful
• Git knowledge is a MUST (git has a large user community)
• DevOps experience is needed for a greater/more sophisticated setup (e.g. full automation via Jenkins)
• No holy “legacy” cows (e.g. MLF – Multi Level Fix), i.e. not jeopardizing the end2end approach needed for compliance reasons
• The comforte part can only cover approx. 10-30 % of the estimated project resources/tasks
NSGit advantages in a true DevOps environment (e.g. Jenkins, Nexus, etc.)
• These different roles and knowledge sets need to be understood to make NSGit in a DevOps environment successful:
  • NSGit – GUARDIAN bridge for git
  • git – the repository manager
  • Enterprise Git Server – holds the main repository
  • Jenkins – runs jobs
  • Jenkins Git Plugin – detects changes in git
  • Jenkins NSGit Plugin – runs NSGit activities
  • NEXUS – the archive
  • Ansible – the deployment manager
Integrating NonStop into Enterprise MFA, IAM/PAM and Break Glass Processes
• Starting point from an enterprise compliance standpoint
  • MFA should be done in the base network
  • IAM/PAM is mainly locking “root” or “admin” credentials up in a central directory (sometimes additionally in a hardened vault like in Centrify, CyberArk, etc.) and tightly controlling access to them so as to increase assurance
  • A “break glass” scenario is needed for emergency access
• Implementation option from comforte
  • No NonStop specific solution, development, risk, etc.
  • Via asymmetric key cryptography and a trusted third party interface, i.e. AD via Kerberos
Single sign-on flow (diagram): a Windows PC running MR-Win6530 or another compliant emulator, a Microsoft Active Directory server with policies (e.g. IIQ, Centrify, etc.), and a NonStop system running HPE NonStop SSH.
1. Log on to Windows
2. Log on to the NonStop system without being prompted for user name and password
SecurDPS Enterprise Tokenization – WHY?
Defense layers shown: Endpoint & Mobile Protection, Network & Gateway Defense, Threat & Vulnerability Mgmt, Application Security, Cloud Security, Security Monitoring & Operations
These measures only protect you against known attack methods
So, even with all these defenses in place, it is not possible to prevent breaches
THE ONLY SOLUTION IS TO PROTECT THE DATA ITSELF AND NOT JUST THE PERIMETER AROUND IT
DATA PROTECTION
“Data is a pervasive critical asset that crosses traditional silo boundaries on-premises and in the cloud. This requires a data-centric security strategy that prioritizes datasets and mitigates evolving business risks such as regulatory compliance and threats from hacking, fraud and ransomware.” (Gartner, July 2017)
SOLID ARCHITECTURE YOU CAN RELY ON – COMFORTE DATA PROTECTION CLUSTER
Cluster diagram: enterprise applications (EA) send protection requests to a cluster of Protection Nodes (PN); a Management Console (MC) and an Audit Console (AC) attach to the cluster (labels also shown: HPE NonStop, comforte SecurDPS, Tokens).
• Management Console (MC) configures SDF (configuration file) and generates token tables
• MC can be stopped after cluster startup
• SDF & token tables & endpoint authentication data are loaded into the PNs
• In environments with NonStop systems, NS can run as MC and/or PN
• Audit Console (AC) creates a solid audit trail and allows real-time insights into key questions around enterprise data protection
• Cluster of Protection Nodes (PN): PNs monitor/restart each other
• Failure of a single Protection Node (PN) will have no impact on the enterprise application (EA), as another PN will automatically take over
Legend: PN = Protection Node, EA = Enterprise Application, AC = Audit Console, MC = Management Console
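An added illustration (not comforte's code) of why this cluster can lose the MC after startup and fail over between PNs: every PN holds the same token table generated once by the MC, so tokenization is stateless and any node yields the same token. The digit-substitution scheme, the seed and the PAN below are constructed for the illustration and stand in for whatever SecurDPS really generates; they are not its algorithm.

```python
import hashlib, hmac, random

def generate_token_table(seed: bytes, positions: int = 16) -> list[list[int]]:
    """MC role: one digit permutation per PAN position, derived from a secret seed.
    Constructed scheme; the seed stands in for the MC's real secret material."""
    table = []
    for pos in range(positions):
        rng = random.Random(hmac.new(seed, str(pos).encode(), hashlib.sha256).digest())
        perm = list(range(10))
        rng.shuffle(perm)
        table.append(perm)
    return table

class ProtectionNode:
    """PN role: stateless, table-driven tokenization plus an audit trail (AC input)."""
    def __init__(self, name: str, table: list[list[int]]):
        self.name, self.table, self.audit = name, table, []
        self.inverse = [{t: d for d, t in enumerate(perm)} for perm in table]

    def tokenize(self, pan: str, keep_last: int = 4) -> str:
        if not pan.isdigit() or len(pan) > len(self.table):
            raise ValueError("PAN must be numeric and no longer than the token table")
        body, tail = pan[:-keep_last], pan[-keep_last:]  # keep the last digits in clear
        out, prev = [], 0
        for i, ch in enumerate(body):
            prev = self.table[i][(int(ch) + prev) % 10]  # chain on the previous token digit
            out.append(str(prev))
        self.audit.append((self.name, "tokenize", tail))  # audit the event, never the PAN
        return "".join(out) + tail

    def detokenize(self, token: str, keep_last: int = 4) -> str:
        body, tail = token[:-keep_last], token[-keep_last:]
        out, prev = [], 0
        for i, ch in enumerate(body):
            out.append(str((self.inverse[i][int(ch)] - prev) % 10))
            prev = int(ch)
        self.audit.append((self.name, "detokenize", tail))
        return "".join(out) + tail

def protect_with_failover(nodes: list[ProtectionNode], down: set[str], pan: str) -> tuple[str, str]:
    """EA role: call the first PN that is up; every PN loaded the same table, so
    the token is identical whichever node answers."""
    for pn in nodes:
        if pn.name not in down:
            return pn.name, pn.tokenize(pan)
    raise RuntimeError("no Protection Node available")

# Constructed sample: the MC generates the table once, two PNs load it.
TABLE = generate_token_table(b"constructed-demo-seed")
CLUSTER = [ProtectionNode("PN1", TABLE), ProtectionNode("PN2", TABLE)]
```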
SecurDPS Enterprise Tokenization REST-API
• The SecurDPS Enterprise REST API provides the ability to consume protection services provided by the SecurDPS Enterprise Protection Cluster via a standard REST interface.
• This is on top of our intercepting and API protocol suites (a customer use case will be presented at ETC next week)
For More Information
• Contact comforte sales
• Come see us at the booth
+49-171-6949285
Thank You!
Helmut Bernhard, Sr. Solutions Architect