
How Much Does That Computer Really Cost The OpenVMS Advantage


Presentation on theme: "How Much Does That Computer Really Cost The OpenVMS Advantage"— Presentation transcript:

1 How Much Does That Computer Really Cost The OpenVMS Advantage
This presentation is aimed at CFOs, CIOs, CTOs, CISOs and others in charge of IT budgets. The overall cost (TCO) difference between OpenVMS and Windows/Linux is compelling, in addition to the security difference.
Eddie Orcutt, Enterprise Solutions Architect

2 Agenda
Introduction: what we are calculating and why
Hard to Calculate (Hidden) Lifecycle Costs
Security Threats and Associated Costs
Manpower/Staffing Costs
Total System Operational Costs
TCO Comparisons
Other Cost Factors

3 According to Ziff Davis Enterprise
“While many purchasers of IT solutions evaluate the total lifecycle costs of the solutions they are considering, the initial cost to purchase the solution is normally the single, most dominant consideration. However, a lower cost for a solution across its lifecycle -- from purchase to decommission -- normally necessitates a higher initial price point. An additional consideration is that while the initial purchase cost is specific and must be spent, the calculation of the lifecycle savings that justify it is inherently less accurate.”
Tech Buyers Resource Library – Ziff Davis Enterprise

4 According to Ziff Davis Enterprise
“While many purchasers of IT solutions evaluate the total lifecycle costs of the solutions they are considering, the initial cost to purchase the solution is normally the single, most dominant consideration. However, a lower cost for a solution across its lifecycle -- from purchase to decommission -- normally necessitates a higher initial price point. An additional consideration is that while the initial purchase cost is specific and must be spent, the calculation of the lifecycle savings that justify it is inherently less accurate.”
Until Now!
Tech Buyers Resource Library – Ziff Davis Enterprise

5 WORLDWIDE SERVER MARKET (1996-2012)
Operational Costs Rise Dramatically
[Chart: WW Spending ($M) on Servers, Power and Cooling, and Management/Administration, 1996–2012. Series: New Server Spending; Power & Cooling; Mgmt & Administration. A blue oval marks the hidden costs we will identify & quantify. Source: IDC “Mission-Critical Computing and Unix Systems”, Oct 2009]
In this presentation we will define (calculate) the hidden costs in the blue oval on the chart. 75% of IT managers do not know this number. These are real costs: an employer is paying its employees to do remedial/maintenance work instead of innovative work that moves the organization forward by adding new functionality and/or capacity to the system.

6 Security Threats and Associated Costs

7 Security Patches Per Year
Lower is More Secure
This slide shows the yearly number of patch events (left graph), the number of vulnerabilities per patch event (lower right table) and the resulting number of vulnerabilities per year (upper right graph). The lower these values, the more secure the OS is, the fewer times per year it has to be patched, and the lower its management/operations costs. Based on the number of vulnerabilities in the OS per year, OpenVMS is more than 10X more secure than competitor OSes. The OpenVMS patch rate per year is an average over the past 33 years of OpenVMS history.
Some people may argue that there is safety in small numbers (OpenVMS having a smaller user base on the web than Windows/Linux). If this were true, Apache-based web servers would have many times the infections of web servers based on MS IIS, since Apache runs 68% of web sites. Yet this is precisely the opposite of what we find: historically, IIS has long been the primary target for worms and other attacks, and these attacks have been largely successful. That raises the question of why hackers are so successful at breaking into IIS servers but are unable to do similar damage to the most popular web server and its operating systems.
What sets OpenVMS apart security-wise from other OSes: First, a secure OS architecture must have at a minimum 3 security rings or modes. This is necessary to protect the kernel from third-party applications and the third-party applications from the user. All Unix, Linux and Windows derivatives have only 2 security rings/modes. OpenVMS has 4 rings; the extra ring is used to protect the (eventually changeable) CLI from the user, and the other higher modes from the CLI. Second, all services and privileges that can be requested from a higher mode must be performed through a standardized calling standard that only permits calls where the parameters are "called by descriptor". This virtually eliminates buffer overflows as a source of attaining higher-mode privileges or services to which a process was not explicitly entitled.
Average Number of Vulnerabilities per Patching Event (Windows / Linux / OpenVMS):
Clients: 3.5 / 2.0 / 1.0
Servers: 3.5 / 1.8 / 1.0 (the Windows and OpenVMS values are merged cells shared with the Clients row; they are the server-class values used in the calculation on slide 9)
DB Servers: 2.6 (the one remaining legible value; its column is not recoverable from the transcript)
OpenVMS is more than an order of magnitude (>10X) more secure than competitor OSes
Source:

8 Security Distribution Risk
Days to fix security defect – Days of Risk (DoR):
OpenVMS 20
Microsoft 25
Red Hat 47
Debian 32
MandrakeSoft 56
SUSE 54
This is the average amount of time (DoR) it takes the OS manufacturer to fix a defect (once discovered) and provide a patch kit to the customer. All of the Linux variants are colored red. The Red Hat DoR number (as the most popular Linux distribution) is used in the following examples. The Linux and Windows values come from the Microsoft report referenced in the slide; the OpenVMS value comes from OpenVMS Engineering.
Source:

9 Security Risk What do the previous slides tell us?
Lower is More Secure
OpenVMS has 69X – 85X fewer outstanding defects on any given day than competitor OSes.
Calculation: (days to fix defect × number of patch events per year × number of defects per patch) / days per year
Windows servers – (25 × 19 × 3.5) / days per year
Linux servers – (47 × 16 × 1.8) / days per year (Red Hat’s DoR number is used here)
OpenVMS servers – (20 × 0.9 × 1.0) / days per year
This is the average number of vulnerabilities per day that are unpatched on the OSes shown. It results from the sliding window of time it takes to fix a vulnerability combined with the number of vulnerabilities present each year (see the equation above). Since the DoR (previous slide) was given for the manufacturer and not for the server type (client, application server, DB server), the application server class was used to generate this graph. So even when patching at the recommended intervals (when a patch kit is released; customer test/qual time will drive the DoR figures even higher) you still have this number of vulnerabilities present. If a customer does not patch their systems at the rate the patch kits are released by the vendor, these numbers will be higher.
On Windows servers there are an average of 4.5 vulnerabilities present on any given day.
On Linux servers there are an average of 3.7 vulnerabilities present on any given day.
On OpenVMS servers there are an average of .053 vulnerabilities present on any given day.

10 Annual Cost of Security Patching (Per System – per event & per year)
Average Number of Patching Events per Year (Windows / Linux / OpenVMS):
Clients: 25 / 18 / 0.96
Servers: 19 / 16 / 0.96 (the OpenVMS rate of 0.96 per year is a single merged cell covering all rows)
DB Servers: 12 (the one remaining legible value; its column is not recoverable from the transcript) / 0.96
As a more secure OS (significantly fewer patches to apply), OpenVMS is less expensive to patch than Windows and Linux ($7,396 – $11,852 less).
For OpenVMS, Cost per System per Year = R(C + P):
$356/yr = $40/hr × (8.6 hrs/yr + 0.3 hrs/yr) – for Desktops/Clients
$368/yr = $40/hr × (8.6 hrs/yr + 0.6 hrs/yr) – for Application Servers
$424/yr = $40/hr × (8.6 hrs/yr + 2.0 hrs/yr) – for DB Servers
Annual Cost per System per Event = (R(C + P)) / number of patch events per year:
$356/yr = $40/hr × (8.6 hrs/yr + 0.3 hrs/yr) / 0.96 – for Desktops/Clients
$368/yr = $40/hr × (8.6 hrs/yr + 0.6 hrs/yr) / 0.96 – for Application Servers
$424/yr = $40/hr × (8.6 hrs/yr + 2.0 hrs/yr) / 0.96 – for DB Servers
Where:
C = 8.6 = hours per year spent checking for patches
P = 0.3 = hours per year applying patches for Clients
P = 0.6 = hours per year applying patches for Application Servers
P = 2.0 = hours per year applying patches for DB Servers
R = 40 = average hourly rate of an IT admin
Patch rate = 0.96 per year
The following assumptions have been made:
• Checking for new OS patches takes 2 minutes per day: 2 mins/business day × 5 business days/wk × 52 wks/yr × 1 hr/60 mins = 8.6 hrs/yr
• Applying a patch takes 20 minutes for Clients, 36 minutes for an Application Server and 2 hours for a DB Server
Here we are showing the cost to patch a system per patch event and the cost to patch per year (given the stated vendor patch rates); these costs are per system.
Source: for Windows/Linux. OpenVMS cost per system = R(C + P).
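The exposure and cost formulas from slides 9 and 10, worked through in code. This is an added example, not part of the presentation; the inputs are the figures printed on those slides, and the divisor of 365 days (elided in the transcript) and the 30-day customer qualification lag are assumptions labelled in the comments.

```python
"""Outstanding-vulnerability and patch-cost model from the 'Security Risk' and
'Annual Cost of Security Patching' slides. Added example, not the presentation's
own code; all inputs are the figures printed on those slides."""
from dataclasses import dataclass

DAYS_PER_YEAR = 365  # assumption: the per-day divisor, elided in the transcript


@dataclass(frozen=True)
class OsProfile:
    name: str
    days_of_risk: float           # DoR: days from discovery to vendor patch kit
    patch_events_per_year: float
    vulns_per_event: float        # defects fixed per patch event (server class)


def outstanding_vulns_per_day(p: OsProfile, customer_qual_days: float = 0.0) -> float:
    """Average number of known-but-unpatched vulnerabilities on any given day.

    Little's-law style: arrivals per year (events x vulns/event) multiplied by
    how long each stays open (vendor DoR plus the customer's own test/qual lag,
    which the slide notes drives the DoR figures even higher).
    """
    per_year = p.patch_events_per_year * p.vulns_per_event
    return per_year * (p.days_of_risk + customer_qual_days) / DAYS_PER_YEAR


def exposure_ratio(target: OsProfile, baseline: OsProfile) -> float:
    """How many times more open vulnerabilities `target` carries per day than
    `baseline`. The slide's 69X-85X comes from the rounded per-day figures
    (3.7/.053 and 4.5/.053); the unrounded inputs give about 70X and 87X."""
    return outstanding_vulns_per_day(target) / outstanding_vulns_per_day(baseline)


def annual_patch_cost(hours_applying: float, hourly_rate: float = 40.0,
                      hours_checking: float = 8.6) -> float:
    """Slide 10 model: cost per system per year = R(C + P)."""
    return hourly_rate * (hours_checking + hours_applying)


# Server-class figures from slides 8-10. The slide 9 text writes the OpenVMS
# patch rate as 0.9, but its printed result of .053 per day only comes out
# with the 0.96/year rate given on slide 10, so 0.96 is used here.
WINDOWS = OsProfile("Windows", days_of_risk=25, patch_events_per_year=19, vulns_per_event=3.5)
LINUX = OsProfile("Linux (Red Hat DoR)", days_of_risk=47, patch_events_per_year=16, vulns_per_event=1.8)
OPENVMS = OsProfile("OpenVMS", days_of_risk=20, patch_events_per_year=0.96, vulns_per_event=1.0)

# Hours per year applying OpenVMS patches (P), per system class, from slide 10
OPENVMS_APPLY_HOURS = {"client": 0.3, "app_server": 0.6, "db_server": 2.0}


def report() -> dict:
    """Collect the model's outputs so they can be inspected or asserted on."""
    out = {}
    for p in (WINDOWS, LINUX, OPENVMS):
        out[p.name] = {
            "per_day": outstanding_vulns_per_day(p),
            # assumption: a shop that spends 30 days qualifying each patch kit
            "per_day_30d_qual_lag": outstanding_vulns_per_day(p, customer_qual_days=30),
            "ratio_vs_openvms": exposure_ratio(p, OPENVMS),
        }
    out["openvms_cost_per_system_year"] = {
        cls: annual_patch_cost(h) for cls, h in OPENVMS_APPLY_HOURS.items()
    }
    return out


if __name__ == "__main__":
    for key, value in report().items():
        print(key, value)
```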

11 Staffing Cost

12 Staffing
Clients – End Users supported per System Manager; Servers – Servers managed per System Manager
System (Windows / Linux / OpenVMS):
Clients: 75:1 – 100:1 / 30:1 – 40:1 / 50:1 – 60:1
Servers: 10:1 – 20:1 / 30:1 – 40:1 / 50:1 – 60:1 (the OpenVMS ratio is a single merged cell in the original table)
DB Servers: no separate values shown
This is the ratio of servers to system managers. Linux desktop numbers came from the Yankee Group report in 2005. For OpenVMS the source is NASA, MSFC – Huntsville Operations Support Center.
These are industry best-practice numbers. Some shops may be higher and some lower; if much higher, these tend to be sweat shops that burn their people out in a hurry. These numbers should also remain near constant in a virtualized environment, as most of the work associated with a server is really tied to the instance of the OS running on it, and virtualizing does not reduce the number of OS instances.
Sources: Yankee Group report “North American Linux and Windows TCO Comparison, Part 1” – Windows/Linux; Computer World; OpenVMS – NASA, MSFC – Huntsville Operations Support Center

13 Staffing Costs (System Manager)
US national average per year (salaries in some US cities may be higher)
These are the 2010 national average costs, as reported by SimplyHired.com, for: an MS Windows System Manager; an MS Windows DB System Manager; a Linux System Manager; a Linux DB System Manager; an OpenVMS System Manager. (The figures themselves are not captured in the transcript.) These are national average salaries; some cities pay more and some cities pay less.

14 Staffing Costs Example
For Windows: 30 servers would require 2 System Managers at $58K each; 10 DB servers would require 1 additional System Manager at $73K.
For Linux: 40 servers would require 1 System Manager at $75K; 10 DB servers would require 1 additional System Manager at $87K.
For OpenVMS: 40 servers would require 1 System Manager; 10 DB servers would require 0 additional System Managers, as 1 System Manager can manage all the servers in this example.
Here we are computing how many System Managers it would take to manage 50 servers in total (40 application servers plus 10 DB servers). Please see the slide 2 slides back (systems per System Manager) for how the number of System Managers was figured. This number is shown in the table in the lower right of the slide.
System Managers (Windows / Linux / OpenVMS):
Servers (40): 2 / 1 / 1
DB Servers (10): 1 / 1 / 0
Number of System Managers and their cost to manage 40 application servers and 10 DB servers: OpenVMS ($69,000) is less expensive to manage than Windows ($189,000) and Linux ($162,000).

15 System Operational Costs

16 Yearly Operational Costs (From Previous Example)
For 40 application servers and 10 DB servers
As a more secure OS, VMS is significantly less expensive to patch than Windows and Linux ($414,000 – $464,960 less).
With the highest server-to-System-Manager ratio, VMS requires fewer System Managers, which reduces personnel costs significantly ($93,000 – $120,000 less).
Here we are showing the total patching costs per year for our example of 40 application servers and 10 DB servers, and the yearly costs to manage these systems.

17 Total Yearly Operational Costs (From Previous Example)
For 40 application servers and 10 DB servers
These are the management and operational costs that 75% of IT managers cannot define/calculate. There are other costs not addressed above (see the next section on Other Costs).
OpenVMS is 7.7 times more cost effective to staff and manage than Windows and 6.8 times more cost effective than Linux. OpenVMS is 6.7X more cost effective to operate than Linux and 7.6X more cost effective to operate than Windows.

18 5 Year Lifecycle Operational Costs (From Previous Example)
For 40 application servers and 10 DB servers
These are the 5-year lifecycle management and operational costs. A typical enterprise customer refreshes technology every 5 years (although we do have OpenVMS customers who refresh on much longer cycles of years).
With OpenVMS you can cut $2.53M – $2.92M from the IT budget, or return this amount to your organization as business innovation, over the lifecycle of your system.

19 Patching Effort – Man-Hours per Year (From Previous Example)
For 40 application servers, 10 DB servers
This is the amount of time System Managers spend annually doing remedial/patching work instead of providing innovation for the organization. OpenVMS System Managers can spend 12X – 15X more time on innovation (less time on patching).
OpenVMS: 8.6 hours + (number of systems × .3/.6/2.0 hours) × 0.9 (only 0.9 patch events per year on average)
8.6 hours – the yearly set-up time for checking for and downloading patches
.3 hours – the average time in hours to patch a system – Desktop
.6 hours – the average time in hours to patch a system – Application Server
2.0 hours – the average time in hours to patch a system – DB Server
To get months, divide hours by 40 hours per week and then by 4.33 weeks per month.
OpenVMS System Managers can spend a lot more time on growing the business instead of remedial work (wasted time): 12X – 15X more time.
Windows – Server + DB Server time is 669 hours or 3.8 months
Linux – Server + DB Server time is 856 hours or 4.9 months
OpenVMS – Server + DB Server time is 55 hours or 0.31 months
Source: for Windows/Linux. OpenVMS – patch set-up time + (number of systems × patch time) × patches per year

20 5-Year Life Cycle Patching Effort (Man-Hours Total From Previous Example)
For 40 application servers, 10 DB servers
This is the amount of time System Managers spend over the 5-year lifecycle of the server doing remedial/patching work instead of providing innovation for the organization.
Windows – 31% wasted time
Linux – 41% wasted time
OpenVMS – 2.6% wasted time
OpenVMS: 8.6 hours + (number of systems × .3/.6/2.0 hours) × 0.9 (only 0.9 patch events per year on average)
8.6 hours – the yearly set-up time for checking for and downloading patches
.3 hours – the average time in hours to patch a system – Desktop
.6 hours – the average time in hours to patch a system – Application Server
2.0 hours – the average time in hours to patch a system – DB Server
To get months, divide hours by 40 hours per week and then by 4.33 weeks per month.
Over the 5-year lifecycle of the system the wasted remedial work time is huge for Windows and Linux (31% – 41% of their time is wasted): 2 years out of 5 are wasted for Linux and almost 20 months (more than 1.5 years) for Windows. Contrast that with 1.5 months for OpenVMS.
Windows – Server + DB Server time is 3345 hours or 19.2 months
Linux – Server + DB Server time is 4280 hours or 24.6 months
OpenVMS – Server + DB Server time is 275 hours or 1.58 months
Source: for Windows/Linux. OpenVMS – patch set-up time + (number of systems × patch time) × patches per year

21 TCO Comparison

22 5-Year TCO Server Configuration
Prices are US list
10 DB Servers:
Windows – BL620 with 8 cores, 32 GB memory, 2 × 146 GB internal disks (RAID 1), dual-port FC HBA, Windows 2008 R2: $398,965
Linux* – BL620 with 8 cores, 32 GB memory, 2 × 146 GB internal disks (RAID 1), dual-port FC HBA, RHEL 5: $328,635
OpenVMS – BL860i2 with 8 cores, 32 GB memory, 2 × 146 GB internal disks (RAID 1), dual-port FC HBA, OpenVMS BOE: $448,809
40 Application Servers:
Windows – BL460 with 4 cores, 16 GB memory, 2 × 146 GB internal disks (RAID 1), dual-port FC HBA, Windows 2008 R2: $874,365
Linux* – BL460 with 4 cores, 16 GB memory, 2 × 146 GB internal disks (RAID 1), dual-port FC HBA, RHEL 5: $592,085
OpenVMS – BL860i2 with 4 cores, 16 GB memory, 2 × 146 GB internal disks (RAID 1), dual-port FC HBA, OpenVMS BOE: $1,077,644
List price totals: Windows $1,273,330; Linux $920,720; OpenVMS $1,526,453
All configurations used 42U racks, rack PDUs, C7000 blade enclosures, ProCurve 6120 Ethernet blade switches and B-Series 8/12 FC switches, with a 5-year 24x7 warranty on HW & SW.
* Linux SW warranty only 3-year 24x7

23 5-Year TCO Comparison (From Previous Example)
For 40 application servers, 10 DB servers (totals bolded on the slide)
Linux 5-year total: $3,895,520 (identified as the Linux total by the 1.98 ratio below)
OpenVMS 5-year total: $1,966,253
OpenVMS is 49% less than Linux and 57% less than Windows.
You can buy 1.98 OpenVMS systems for the price of 1 Linux system. You can buy 2.35 OpenVMS systems for the price of 1 Windows system. A system in this case is defined as per our example: 40 application servers and 10 DB servers.
OpenVMS is $1.92M less expensive than Linux and $2.67M less than Windows over a 5-year lifecycle period.

24 IT’s biggest challenge
The growing gap between business demands and IT’s ability to deliver. OpenVMS provides the monetary and human payback to close this gap.
Explosive growth in business applications and supporting infrastructure, versus IT’s investment to enable more effective service delivery:
Applications – enterprise upgrades, new architectures (SOA), rich media applications
Infrastructure – 2x servers every 5 years, 2x storage every year, virtualization
IT management – limited budget growth, tribal organizations, manual processes
We talk to a lot of customers and what they’ve been telling us is that they’re seeing a major shift taking place today in business and in IT. This observation is backed up by research from the leading analyst firms, industry publications and, most recently, a survey conducted by the Economist Intelligence Unit. Businesses are shifting from consolidation and cost cutting to growth initiatives to drive new revenue opportunities and competitive advantage. And since IT automates 90% of business processes, CEOs are turning to CIOs to help them drive this growth agenda with strategic initiatives such as SOA and Web-enabled services. But here’s the catch: no new money is being allocated to IT to support these initiatives; the research tells us budgets are flat or growing only marginally. The fact is, there’s a growing gap between what the business expects and IT’s capability and capacity to deliver. OpenVMS can help shrink this gap.

25 Other Costs

26 Other Cost Factors The Result? Server Lifecycle OpenVMS Servers
Server lifecycle: OpenVMS servers 5 years; x86 servers 3 years. X86 servers are typically replaced by a customer every 3 years, whereas OpenVMS servers are replaced by a customer at a minimum every 5 years.
The Result? (totals bolded on the slide)
Windows: $5,911,260 (3.0X)
Linux: $4,816,240 (2.4X)
OpenVMS: $1,966,253
If x86 servers are upgraded or refreshed on 3-year lifecycles (typical in the industry), then you can buy 2.4 OpenVMS systems for the price of 1 Linux system and 3.0 OpenVMS systems for the price of 1 Windows system. A system in this case is defined as per our example: 40 application servers and 10 DB servers. OpenVMS is 59% less than Linux and 66% less than Windows.
This update/refresh cycle is driven by two causes: 1) software upgrades no longer supporting older hardware, and 2) server vendors refreshing x86 server lines every 3 years (the old ones can no longer be bought new). In a 5-year lifecycle you will have to buy x86 hardware 2 times, further increasing the cost of an x86 solution. You will have to buy OpenVMS hardware only once.

27 Consequences of not Patching (Downtime & Downtime Costs)
According to Absolute Software, ½ of your systems will become infected!
With a per-server restore time of: (values not captured in the transcript). These are average time-to-restore values for multiple server use types – Windows average; Linux 17.08.
Per the Yankee Group report, the average costs per hour for multiple server use types are – Windows $ per hour average; Linux $ per hour average.
According to the Yankee report, Windows server downtime costs companies two to three times as much as Linux server downtime. This is not due to any inherent flaws in the Windows Server OS, but rather reflects the crucial nature of the data and applications running on Windows servers. Also, per the whitepaper, ½ (half) of unpatched computers will become infected.
This equates to the following costs per server per year: (table not captured in the transcript)
* There are no known viruses for OpenVMS
Yankee Group report “North American Linux and Windows TCO Comparison, Part 1” – Windows/Linux

28 Consequences of not Patching (Downtime Costs From Previous Example)
According to Absolute Software, ½ of your systems will become infected!
Yearly restore costs for 40 application servers and 10 DB servers, with 25 of them infected. These costs are based on average time-to-restore values and average hourly downtime costs for multiple server use types – Windows average; Linux. Per the Yankee Group report, the average costs per hour for multiple server use types are – Windows $ per hour average; Linux $ per hour average.
According to the Yankee report, Windows server downtime costs companies two to three times as much as Linux server downtime. This is not due to any inherent flaws in the Windows Server OS, but rather reflects the crucial nature of the data and applications running on Windows servers. Also, per the whitepaper, ½ (half) of unpatched computers will become infected.
5-year lifecycle restore costs: (values not captured in the transcript)
* There are no known viruses for OpenVMS
Yankee Group report “North American Linux and Windows TCO Comparison, Part 1” – Windows/Linux

29 Consequences of not Patching (Downtime From Previous Example)
According to Absolute Software, ½ of your systems will become infected!
Yearly restore time for 40 application servers and 10 DB servers, with 25 of them infected. These restore times are the amount of time these servers are offline, not doing any productive work. Also, per the whitepaper, ½ (half) of unpatched computers will become infected.
5-year lifecycle restore time: (values not captured in the transcript)
* There are no known viruses for OpenVMS

30 Average Costs per Data Breach
Average organizational cost of a data breach. For the fifth year in a row, data breach costs have continued to rise. The average organizational cost of a data breach this year increased to $7.2 million, up 7 percent from $6.8 million in 2009 and 9 percent from $6.7 million in our 2008 study. Data breaches in 2010 cost their companies an average of $214 per compromised record, up $10 (5 percent) from last year and $12 (6 percent) from 2008. Total breach costs have grown every year since. Data breaches are costing more at both ends of the scale, but particularly at the top. The most expensive data breach included in this year’s study cost a company $35.3 million to resolve, up $4.8 million (15 percent) from last year. The least expensive data breach was $780,000, up $30,000 (4 percent) from 2009. Breach size this year ranged from nearly 4,200 to 105,000 lost or stolen records. As in prior years, data breach cost appears to be directly proportional to the number of records compromised; therefore, larger breaches continue to be a more serious cause for concern than smaller breaches.

31 Average Data Breach Costs (by Cost Activity)
Average data breach cost by cost activity. Customer turnover in direct response to breaches remains the main driver of data breach costs: for the second straight year, abnormal churn or turnover of customers after data breaches appears to be the dominant factor in data breach cost. This year’s Cost of a Data Breach cost activity figures may reflect the increased focus on regulatory compliance. Compliance with data protection regulations requires organizations to do more to find, disclose and fix breach-related problems. These tasks correspond with the detection and escalation, notification, and ex-post response cost activities, respectively. Strong growth in both detection and escalation and in ex-post response could reflect increased compliance activities, as those two stages often require more investment than the notification process.

32 Customer Churn Rates
Abnormal churn rates following data breaches by industry classification. Customer turnover in direct response to breaches remains the main driver of data breach costs: for the second straight year, abnormal churn or turnover of customers after data breaches appears to be the dominant factor in data breach cost. This chart shows the customer churn rate vs. the industry segment the organization is in.

33

34 Backup Slides

35 VMS Security Model Reference Monitor Concept
The reference monitor enforces the security policy by authorizing the creation of subjects, by granting subjects access to objects based on the information in a dynamic authorization database, and by recording events, as necessary, in the audit trail. The reference monitor must meet the following three requirements:
• Mediate every attempt by a subject to gain access to an object
• Provide a tamperproof database and audit trail that are thoroughly protected from unauthorized observation and modification
• Remain a small, simple, and well-structured piece of software so that it is effective in enforcing security requirements
These are the requirements proposed for systems that are secure even against penetration. In such systems, the reference monitor is implemented by a security-related subset, or security kernel, of the operating system. While the OpenVMS operating system does not implement the reference monitor as a security-related subset, or security kernel, its interface to users and system managers does mirror the basic structure dictated by the reference monitor concept. Experience shows that incorporating such a structure is the best way to build a system resistant to probing and to most attempts at penetration.

36 VMS Security OpenVMS was designed from day one with the aim of making a “crash proof” system 4 access modes – user / supervisor / exec/ kernel Isolates trusted system code from un-trusted user code “Firewall” system components to limit the impact of bugs OpenVMS was designed from day one to be secure! Look at slides 7-9 for proof.

37 VMS Security – Hierarchical Protection Domains (Protection Rings)
Kernel – executes the VMS kernel, including memory management, interrupt handling and I/O
Executive – executes many system service calls, including file and record management services
Supervisor – executes other system services and user commands (DCL)
User – executes user programs and utilities such as compilers, editors, linkers and debuggers
[From Wikipedia] In computer science, hierarchical protection domains,[1][2] often called protection rings, are a mechanism to protect data and functionality from faults (fault tolerance) and malicious behaviour (computer security). Computer operating systems provide different levels of access to resources. A protection ring is one of two or more hierarchical levels or layers of privilege within the architecture of a computer system. This is generally hardware-enforced by some CPU architectures that provide different CPU modes at the hardware or microcode level. Rings are arranged in a hierarchy from most privileged (most trusted, usually numbered zero – Kernel) to least privileged (least trusted, usually with the highest ring number – User). On most operating systems, Ring 0 (Kernel) is the level with the most privileges and interacts most directly with the physical hardware such as the CPU and memory. Many modern CPU architectures (including the popular Intel x86 architecture) include some form of ring protection, although the Windows NT operating system, like Unix, does not fully exploit this feature. Its predecessor, OS/2, did to some extent, as it used three rings[4]: ring 0 for kernel code and device drivers, ring 2 for privileged code (user programs with I/O access permissions), and ring 3 for unprivileged code (nearly all user programs), and OpenVMS uses four modes called (in order of decreasing privileges) Kernel, Executive, Supervisor and User.
Linux and Windows use 2 rings – Supervisor and User
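A toy reference monitor that ties the three requirements on the Reference Monitor Concept slide to the four access modes on this slide, as an added teaching example (not OpenVMS code). The object names, the rule table and the placement of "rms" in executive mode and "dcl" in supervisor mode follow this slide's descriptions; everything else is constructed for illustration.

```python
"""Toy reference monitor modelled on the three requirements on the 'Reference
Monitor Concept' slide and the four OpenVMS access modes on the 'Protection
Rings' slide. Constructed teaching example, not OpenVMS code; object names and
the rule set are invented for illustration."""
from dataclasses import dataclass
from enum import IntEnum
from types import MappingProxyType
from typing import Dict, FrozenSet, Tuple


class Mode(IntEnum):
    """OpenVMS access modes, most privileged first."""
    KERNEL = 0
    EXECUTIVE = 1
    SUPERVISOR = 2
    USER = 3


@dataclass(frozen=True)
class Subject:
    name: str
    mode: Mode              # mode the subject is executing in


@dataclass(frozen=True)
class Obj:
    name: str
    least_mode: Mode        # least privileged mode allowed to reach the object


class ReferenceMonitor:
    """Every access decision flows through authorize(); nothing else grants access."""

    def __init__(self, rules: Dict[Tuple[str, str], FrozenSet[str]]):
        # Requirement 2: tamperproof authorization database. A read-only view over
        # frozen sets means code holding the monitor cannot edit the rules.
        self._rules = MappingProxyType({k: frozenset(v) for k, v in rules.items()})
        self._audit = []    # append-only audit trail, exposed only as a copy

    def authorize(self, subject: Subject, obj: Obj, action: str) -> bool:
        # Requirement 1: mediate every attempt by a subject to reach an object.
        # Two independent checks: the mode hierarchy (the hardware ring), then
        # the discretionary rule set; both must pass.
        mode_ok = subject.mode <= obj.least_mode
        rule_ok = action in self._rules.get((subject.name, obj.name), frozenset())
        granted = mode_ok and rule_ok
        # Requirement 2 (second half): record the event, including why a
        # request was refused, in the audit trail.
        reason = "ok" if granted else ("mode" if not mode_ok else "rule")
        self._audit.append((subject.name, obj.name, action, granted, reason))
        return granted

    def audit_trail(self):
        return tuple(self._audit)


# Constructed objects placed by the mode that owns them on this slide:
# file/record management (RMS) in executive mode, DCL in supervisor mode,
# user programs in user mode, memory management in kernel mode.
PAGE_TABLES = Obj("page_tables", Mode.KERNEL)
RMS_FILE = Obj("rms_file", Mode.EXECUTIVE)
DCL_SYMBOLS = Obj("dcl_symbols", Mode.SUPERVISOR)
USER_FILE = Obj("user_file", Mode.USER)

RULES = {
    ("editor", "user_file"): {"read", "write"},
    ("editor", "rms_file"): {"read"},       # rule exists, but the mode check refuses
    ("rms", "rms_file"): {"read", "write"},
    ("memmgr", "page_tables"): {"read", "write"},
}


def demo() -> dict:
    rm = ReferenceMonitor(RULES)
    editor = Subject("editor", Mode.USER)
    rms = Subject("rms", Mode.EXECUTIVE)
    memmgr = Subject("memmgr", Mode.KERNEL)
    return {
        # user-mode program on its own file: both checks pass
        "editor_writes_user_file": rm.authorize(editor, USER_FILE, "write"),
        # user mode reaching an executive-mode object: refused by the mode
        # hierarchy even though a rule entry exists
        "editor_reads_rms_file": rm.authorize(editor, RMS_FILE, "read"),
        # executive-mode service on its own object
        "rms_writes_rms_file": rm.authorize(rms, RMS_FILE, "write"),
        # kernel mode passes the hierarchy but has no rule for this object:
        # privilege alone does not bypass the authorization database
        "memmgr_reads_user_file": rm.authorize(memmgr, USER_FILE, "read"),
        "audit": rm.audit_trail(),
    }


def rules_are_tamperproof() -> bool:
    """Attempting to alter the authorization database in place fails."""
    rm = ReferenceMonitor(RULES)
    try:
        rm._rules[("editor", "page_tables")] = frozenset({"write"})
    except TypeError:
        return True
    return False


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```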

38 VMS System Layering User Kernel Executive Supervisor System Services
[Layering diagram: additional detail from the previous slide, listing what runs in each access mode, Kernel innermost.]
Kernel – Memory Management Subsystem; I/O; Process & Time Management; System-wide Protected Data Structures
Executive – RMS & System Services; System Services
Supervisor – Command Language Interpreter
User – Development Tools (text editors, Macro, compilers, linker); Run Time Library (general: math library, string handling, screen management, misc LIB functions); Run Time Library (language-specific: CRTL, FORTRAN, PASCAL, BASIC); Assorted Utilities (COPY, HELP, DIRECTORY, SORT)
Also shown: Privileged Images (protected shareable images, protected subsystems, privileged server processes)

39 OpenVMS Security Privileges: None: No privileges
OpenVMS has 39 separate user privileges that are divided into 7 categories. Privileges restrict the use of certain system functions to processes created on behalf of authorized users.
None: No privileges
Normal: Minimum privileges to use the system effectively
Group: Potential to interfere with members of the same group
Devour: Potential to consume noncritical systemwide resources
System: Potential to interfere with normal system operation
Objects: Potential to compromise object security
All: Potential to control the system
These restrictions protect the integrity of the operating system's performance and, thus, the integrity of the service provided to users.

40 Vulnerability Graph Source DEFCON16 presentation

41 Vendor Vulnerability Rank
Rank of Top-10 Vendors with Most Vulnerabilities Ranking of the Top-10 vendors with most vulnerabilities per year. Oracle also includes vulnerabilities from Sun Microsystems and BEA logic Source

42 Security Distribution Risk is Increasing
DoR – Days of Risk

43 Server to System Manager Ratio
From ComputerWorld: “One enterprise IT manager told us the ratio for physical servers was roughly 50:1, another working for a government organisation said 15-20:1, and an IT director at a research and development outfit noted that in a mid-size organisation a system administrator could maintain servers per week or if their role was merely maintenance (i.e. no projects, no debugging, etc) then they could look after servers per week.”

44 Server to System Manager Ratio
Standard ratios are highlighted (red bar) in the graph. System Manager to server ratios are shown for several different server use types. The lower the ratio (about 10 for Standard ratios), the closer the server is to the core environment (meaning a core application or core DB server). The closer to the edge (to the client) the server is used, the higher the ratio. The average server to system manager ratio is 55 (Standard ratio) across all server use types.
Standard to Basic is more representative of most customers for server-type environments, because patches are tested/qualified after installation before being put into production, which makes for a more manual patching effort. If not, then the customer will basically patch and pray that the patch did not break anything in the production environment.
Basic: No Automation; Standard: Some Automation; Rationalized: Considerable Automation
From: Microsoft Best Practices Report

45 OpenVMS Systems Require Fewer Human Resources
From Harvard Research Group: Of those users surveyed, 63% said that fewer people are required to run their OpenVMS servers compared to their non-OpenVMS servers … OpenVMS servers are much easier to manage and therefore reduce the TCO by requiring less staff than the competition to keep them up and running.

46 Security Concerns From: gigasite - January 5, 2011
“With Microsoft just closing the door on its largest patch year yet, 2011 is not starting out in a positive direction,” Storms said. Last year, Microsoft issued a record 106 security bulletins to patch a record 266 vulnerabilities.

47 Security Concerns NetworkWorld – April 12, 2011
Record-breaking Microsoft patch day affects all versions of Windows
17 security patches fix a whopping 64 holes
Affected software runs the gamut. There are patches for all supported versions of Windows, including XP, Vista, Windows 7, Windows Server 2008 R2 and even the non-GUI WS2008 Server Core version.

48 Security Concerns From: PCWorld Business Center – June 1, 2010
Sources from within Google are claiming that the online search and advertising giant is implementing an official transition away from the Microsoft Windows operating system. According to the reports, the culture shift is intended to reduce security concerns.

49 Are Antivirus Programs The Answer?
From: SiteApproved
Problems With Anti-virus Programs Found
… Vulnerabilities found recently in McAfee, Symantec, and Trend Micro software could let hackers compromise and even control computers running certain versions of their products. While most antivirus software is distributed via a network download, making it difficult for a hacker to get to the code, these flaws further highlight the problems with the antivirus industry's traditionally reactive approach to protection, …
These security products provide protection only at the application layer and not the operating system kernel.

50 Are Antivirus Programs The Answer?
From: ZDNet – February 25, 2011
Microsoft fixes hole in its antivirus engine
… "The update addresses a privately reported vulnerability that could allow elevation of privilege if the Microsoft Malware Protection Engine scans a system after an attacker with valid log-on credentials has created a specially crafted registry key," the advisory says. "An attacker who successfully exploited the vulnerability could gain the same user rights as the LocalSystem account." …
These security products provide protection only at the application layer and not the operating system kernel.

51 Are Opensource OSes the Answer?
From: hackinthebox
Open-source Could Mean an Open Door for Hackers – July 2010
The ability to access the code of open-source applications may give attackers an edge in developing exploits for the software, according to a paper analyzing two years' worth of attack data. The paper, to be presented this week at the Workshop on the Economics of Information Security, correlated 400 million alerts from intrusion detection systems with known attributes of the targeted software and vulnerabilities. The data supports the assertion that flaws in open-source software tend to be attacked more quickly and more often than vulnerabilities in closed-source software, says Sam Ransbotham, assistant professor at Boston College's Carroll School of Management and the author of the paper.

52 Is Server Virtualization the Answer?
Vulnerability disclosures over the past decade for virtualization products provided by the following vendors:
• Citrix
• IBM
• Linux VServer
• LxCenter
• Microsoft
• Oracle
• Parallels
• RedHat
• VMware
According to Wikipedia: The use of hypervisor technology by malware and rootkits installing themselves as a hypervisor below the operating system can make them more difficult to detect because the malware could intercept any operations of the operating system (such as someone entering a password) without the antivirus software necessarily detecting it (since the malware runs below the entire operating system). Implementation of the concept has allegedly occurred in the SubVirt laboratory rootkit (developed jointly by Microsoft and University of Michigan researchers) as well as in the Blue Pill malware package.

