Presentation on theme: "How Much Does That Computer Really Cost The OpenVMS Advantage"— Presentation transcript:
1 How Much Does That Computer Really Cost: The OpenVMS Advantage

Eddie Orcutt, Enterprise Solutions Architect

The audience for this presentation is the CFO, CIO, CTO, CISO and other executives in charge of IT budgets. The overall cost (TCO) difference between OpenVMS and Windows/Linux is compelling, in addition to security.

2 Agenda

• Introduction: what we are calculating and why
• Hard-to-Calculate (Hidden) Lifecycle Costs
• Security Threats and Associated Costs
• Manpower/Staffing Costs
• Total System Operational Costs
• TCO Comparisons
• Other Cost Factors
3 According to Ziff Davis Enterprise

“While many purchasers of IT solutions evaluate the total lifecycle costs of the solutions they are considering, the initial cost to purchase the solution is normally the single, most dominant consideration. However, a lower cost for a solution across its lifecycle -- from purchase to decommission -- normally necessitates a higher initial price point. An additional consideration is that while the initial purchase cost is specific and must be spent, the calculation of the lifecycle savings that justify it is inherently less accurate.”

Tech Buyers Resource Library – Ziff Davis Enterprise

4 According to Ziff Davis Enterprise (same quotation as slide 3, with the build-in:)

Until Now!

Tech Buyers Resource Library – Ziff Davis Enterprise
5 Worldwide Server Market (1996–2012): Operational Costs Rise Dramatically

Chart: worldwide spending ($M) on servers, power and cooling, and management/administration, 1996–2012. Series: Power & Cooling; Mgmt & Administration; New Server Spending. Source: IDC, “Mission-Critical Computing and Unix Systems”, Oct 2009.

In this presentation we will define (calculate) the hidden costs in the blue oval on the chart. 75% of IT managers do not know this number (these costs). These are real costs: an employer is paying its employees to do remedial/maintenance work instead of innovative work that moves the organization forward by adding new functionality and/or capacity to the system.

Hidden costs we will identify and quantify.
7 Security Patches Per Year: Lower Is More Secure

This slide shows the yearly number of patch events (left graph), the number of vulnerabilities per patch event (lower right table) and the resulting number of vulnerabilities per year (upper right graph). The lower these values, the more secure the OS is, the fewer times per year it has to be patched, and the more efficient it is in management/operations costs. OpenVMS is more than 10X more secure than competitor OSes based on the number of vulnerabilities in the OS per year. The OpenVMS patch rate per year is an average over the past 33 years of OpenVMS history.

Some people may argue that there is safety in small numbers (OpenVMS having a smaller user base on the web than Windows/Linux). If this were true, Apache-based web servers would have many times the infections of web servers based on MS IIS, since Apache runs 68% of web sites. Yet this is precisely the opposite of what we find: historically IIS has long been the primary target for worms and other attacks, and these attacks have been largely successful. That raises the question of why hackers are so successful at breaking into IIS servers but are unable to do similar damage to the most popular web server and its operating systems.

What sets OpenVMS apart, security-wise, from other OSes: First, a secure OS architecture must have at a minimum 3 security rings or modes. This is necessary to protect the kernel from third-party apps and the third-party apps from the user. All Unix, Linux and Windows derivatives have only 2 security rings/modes. OpenVMS has 4 rings. The extra ring is used to protect the (eventually changeable) CLI from the user, and the other higher modes from the CLI. Second, all services and privileges which can be requested from a higher mode must be performed through a standardized calling standard that only permits calls where the parameters are "called by descriptor". This virtually eliminates buffer overflows as a source of attaining higher-mode privileges or services to which a process was not explicitly entitled.

Average number of vulnerabilities per patching event (Windows / Linux / OpenVMS):
• Clients: 3.5 / 2.0 / 1.0
• Servers: 1.8 (other cells not legible; slide 9 uses 3.5 for Windows servers and 1.8 for Linux servers)
• DB servers: 2.6 (other cells not legible)

OpenVMS is more than an order of magnitude (>10X) more secure than competitor OSes.

Source:
8 Security Distribution Risk: Days to Fix a Security Defect (Days of Risk, DoR)

• OpenVMS: 20
• Microsoft: 25
• Red Hat: 47
• Debian: 32
• MandrakeSoft: 56
• SUSE: 54

This is the average amount of time (DoR) it takes the OS manufacturer to fix a defect (once discovered) and provide a patch kit to the customer. All of the Linux variants are colored red; Red Hat's DoR number (as the most popular Linux distribution) is used in the following examples. The Linux and Windows values come from the Microsoft report referenced on the slide; the OpenVMS values come from OpenVMS Engineering.

Source:
9 Security Risk: What Do the Previous Slides Tell Us? Lower Is More Secure

OpenVMS has 69X – 85X fewer outstanding defects on any given day than competitor OSes.

Calculation: (days to fix defect × number of patch events per year × number of defects per patch) / [divisor not legible in the slide text]
• Windows servers: 25 × 19 × 3.5
• Linux servers: 47 × 16 × 1.8 (Red Hat's DoR number is used here)
• OpenVMS servers: 20 × 0.9 × 1.0

This is the average number of vulnerabilities per day that are unpatched on the OSes shown. It results from the sliding window of time it takes to fix a vulnerability and the number of vulnerabilities present each year (see the equation above). Since the DoR (previous slide) was given per manufacturer and not per server type (client, application server, DB server), the application-server class was used to generate this graph.

So even when patching at the recommended intervals (as soon as a patch kit is released; customer test/qualification time will drive the DoR figures even higher), you still have this number of vulnerabilities present. If a customer does not patch at the rate the vendor releases patch kits, these numbers will be higher.

• On Windows servers there are an average of 4.5 vulnerabilities present on any given day
• On Linux servers there are an average of 3.7 vulnerabilities present on any given day
• On OpenVMS servers there are an average of 0.053 vulnerabilities present on any given day
10 Annual Cost of Security Patching (Per System: Per Event and Per Year)

Average number of patching events per year (Windows / Linux / OpenVMS):
• Clients: 25 / 18 / 0.96
• Servers: 19 / 16 / 0.96
• DB servers: 12 / (not legible) / 0.96

As a more secure OS (significantly fewer patches to apply), OpenVMS is less expensive to patch than Windows and Linux ($7,396 – $11,852 less).

For OpenVMS, cost per system per year = R(C + P):
• $356/yr = $40/hr × (8.6 hrs/yr + 0.3 hrs/yr) – for desktops/clients
• $368/yr = $40/hr × (8.6 hrs/yr + 0.6 hrs/yr) – for application servers
• $424/yr = $40/hr × (8.6 hrs/yr + 2.0 hrs/yr) – for DB servers

Annual cost per system per event = R(C + P) / number of patch events per year:
• $356/yr = $40/hr × (8.6 hrs/yr + 0.3 hrs/yr) / 0.96 – for desktops/clients
• $368/yr = $40/hr × (8.6 hrs/yr + 0.6 hrs/yr) / 0.96 – for application servers
• $424/yr = $40/hr × (8.6 hrs/yr + 2.0 hrs/yr) / 0.96 – for DB servers

Where:
• C = 8.6 = hours per year spent checking for patches
• P = 0.3 = hours per year to apply patches for clients
• P = 0.6 = hours per year to apply patches for application servers
• P = 2.0 = hours per year to apply patches for DB servers
• R = 40 = average hourly rate of an IT admin ($)
• Patch rate = 0.96 per year

The following assumptions have been made:
• Checking for new OS patches takes 2 minutes per day: 2 min/business day × 5 business days/wk × 52 wks/yr × 1 hr/60 min = 8.6 hrs/yr
• Applying a patch takes 20 minutes for clients, 36 minutes for an application server and 2 hours for a DB server

Here we are just showing the cost to patch a system per patch event and the cost to patch per year (given the stated patch rates from the vendor); these costs are per system.

Source for Windows/Linux: (see source line). OpenVMS cost per system = R(C + P)
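A worked version of the arithmetic on slides 9 and 10, as an added example that is not part of the original deck. It encodes the parameters the slides state and the formulas they give; the divisor missing from the slide-9 formula is assumed to be 365 (days per year), which reproduces the slide's per-day figures, and the OpenVMS patch rate uses the 0.96 the deck states for it. The `extra_qualification_days` parameter is an addition that models the slide's remark that a customer's own test/qualification delay lengthens the exposure window.

```python
"""Reproduces the security-risk (slide 9) and patching-cost (slide 10)
arithmetic of the deck. Added example, not the deck's own code.

ASSUMPTION: the divisor missing from slide 9 is 365 (days per year);
that value reproduces the per-day figures the slide reports.
"""
from dataclasses import dataclass

DAYS_PER_YEAR = 365          # assumed divisor (see module docstring)
HOURLY_RATE = 40             # R: average hourly rate of an IT admin ($)
CHECK_HOURS_PER_YEAR = 8.6   # C: 2 min/business day, as the slide rounds it
APPLY_HOURS_PER_YEAR = {     # P: hours to apply a year's patches, per class
    "client": 0.3,
    "app_server": 0.6,
    "db_server": 2.0,
}


@dataclass(frozen=True)
class OsProfile:
    """Per-OS figures for the application-server class used on slide 9."""
    name: str
    days_of_risk: float            # vendor time to ship a fix (slide 8)
    patch_events_per_year: float   # slide 10, server row
    vulns_per_event: float         # vulnerabilities per patch event (slide 7)


# Values as stated on the slides (Linux uses Red Hat's DoR).
PROFILES = {
    "Windows": OsProfile("Windows", 25, 19, 3.5),
    "Linux":   OsProfile("Linux",   47, 16, 1.8),
    "OpenVMS": OsProfile("OpenVMS", 20, 0.96, 1.0),
}


def unpatched_per_day(p: OsProfile, extra_qualification_days: float = 0.0) -> float:
    """Average number of unpatched vulnerabilities present on any given day.

    The deck's sliding-window model: each patch event exposes vulns_per_event
    defects for days_of_risk days, and events arrive patch_events_per_year
    times a year, so defect-days per year divided by days in a year is the
    mean exposure on a random day. extra_qualification_days models the
    slide's caveat that a customer's own test/qualification delay lengthens
    the window (it is our addition, not a figure from the deck).
    """
    window = p.days_of_risk + extra_qualification_days
    return window * p.patch_events_per_year * p.vulns_per_event / DAYS_PER_YEAR


def exposure_ratio(baseline: str, candidate: str,
                   extra_qualification_days: float = 0.0) -> float:
    """How many times more unpatched defects `baseline` carries than `candidate`."""
    return (unpatched_per_day(PROFILES[baseline], extra_qualification_days)
            / unpatched_per_day(PROFILES[candidate], extra_qualification_days))


def annual_patch_cost(system_class: str) -> float:
    """Slide 10: OpenVMS cost per system per year = R(C + P)."""
    hours = CHECK_HOURS_PER_YEAR + APPLY_HOURS_PER_YEAR[system_class]
    return round(HOURLY_RATE * hours, 2)


def fleet_annual_patch_cost(app_servers: int, db_servers: int) -> float:
    """Yearly OpenVMS patching cost for a fleet of the deck's two server classes."""
    return round(app_servers * annual_patch_cost("app_server")
                 + db_servers * annual_patch_cost("db_server"), 2)


if __name__ == "__main__":
    for name, prof in PROFILES.items():
        print(f"{name:8s} {unpatched_per_day(prof):6.3f} unpatched vulns/day")
    print(f"Windows/OpenVMS: {exposure_ratio('Windows', 'OpenVMS'):.1f}X, "
          f"Linux/OpenVMS: {exposure_ratio('Linux', 'OpenVMS'):.1f}X")
    for cls in APPLY_HOURS_PER_YEAR:
        print(f"OpenVMS {cls:10s} ${annual_patch_cost(cls):.0f}/yr")
    print(f"40 app + 10 DB servers: ${fleet_annual_patch_cost(40, 10):,.0f}/yr")
```

On unrounded figures the ratios come out at about 70X and 87X; the slide's 69X – 85X is what its rounded per-day numbers (3.7/0.053 and 4.5/0.053) give.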
12 Staffing

Clients: end users supported per system manager. Servers: servers managed per system manager.

System (Windows / Linux / OpenVMS):
• Clients: 75:1 – 100:1 / 30:1 – 40:1 / –
• Servers: 10:1 – 20:1 / 30:1 – 40:1 / 50:1 – 60:1
• DB servers: (not legible)

This is the ratio of servers to system managers. Linux desktop numbers came from the Yankee Group report (2005). OpenVMS source: NASA, MSFC – Huntsville Operations Support Center.

These are industry best-practice numbers. Some shops may be higher and some lower; if much higher, these tend to be sweat shops that burn their people out in a hurry. These numbers should also remain near constant in a virtualized environment, as most of the work associated with a server is really tied to the instance of the OS running on it; virtualizing does not reduce the number of OS instances.

Sources: Yankee Group report, North American Linux and Windows TCO Comparison, Part 1 (Windows/Linux); Computer World; OpenVMS: NASA, MSFC – Huntsville Operations Support Center.
13 Staffing Costs (System Manager): US National Average per Year

Salary in some US cities may be higher.

The figures are the 2010 national average cost, as reported by SimplyHired.com, for a MS Windows system manager, a MS Windows DB system manager, a Linux system manager, a Linux DB system manager, and an OpenVMS system manager (slide 14 applies these as $58K, $73K, $75K, $87K and $69K respectively). These are national average salaries; some cities pay more and some pay less.
14 Staffing Costs Example

For Windows:
• 30 servers would require 2 system managers at $58K each
• 10 DB servers would require 1 additional system manager at $73K
For Linux:
• 40 servers would require 1 system manager at $75K
• 10 DB servers would require 1 additional system manager at $87K
For OpenVMS:
• 40 servers would require 1 system manager
• 10 DB servers would require 0 additional system managers, as 1 system manager can manage the total of 50 servers

Here we are computing how many system managers it would take to manage 50 total servers (40 application servers plus 10 DB servers). See the staffing slide (2 slides back) on the number of systems per system manager for how the number of system managers was figured. The result is shown in the table in the lower right of the slide:

Number of system managers (Windows / Linux / OpenVMS):
• Servers (40): 2 / 1 / 1
• DB servers (10): 1 / 1 / 0

Number of system managers and their cost to manage 40 application servers and 10 DB servers: OpenVMS ($69,000) is less expensive to manage than Windows ($189,000) and Linux ($162,000).
16 Yearly Operational Costs (From Previous Example)

For 40 application servers and 10 DB servers.

As a more secure OS, VMS is significantly less expensive to patch than Windows and Linux ($414,000 – $464,960 less).

With the highest server-to-system-manager ratio, VMS requires fewer system managers, which reduces personnel costs significantly ($93,000 – $120,000 less).

Here we are showing the total patching costs per year for our example of 40 application servers and 10 DB servers, and the yearly cost to manage these systems.
17 Total Yearly Operational Costs (From Previous Example)

For 40 application servers and 10 DB servers.

OpenVMS is 6.7X more cost effective to operate than Linux and 7.6X more cost effective to operate than Windows.

These are the management and operational costs that 75% of IT managers cannot define/calculate. There are other costs not addressed above (see the next section, Other Cost Factors). OpenVMS is 7.7 times more cost effective to staff and manage than Windows and 6.8 times more cost effective than Linux.
18 5-Year Lifecycle Operational Costs (From Previous Example)

For 40 application servers and 10 DB servers.

With OpenVMS you can cut $2.53M – $2.92M from the IT budget, or provide this amount of business innovation back to your organization, over the lifecycle of your system.

These are the 5-year lifecycle management and operational costs. A typical enterprise customer refreshes technology every 5 years (although we do have OpenVMS customers who refresh on much longer cycles).
19 Patching Effort – Man-Hours per Year (From Previous Example)

For 40 application servers, 10 DB servers.

This is the amount of time system managers spend annually doing remedial/patching work instead of providing innovation for the organization. OpenVMS system managers can spend 12X – 15X more time on innovation (less time on patching).

• Windows – server + DB server time is 669 hours, or 3.8 months
• Linux – server + DB server time is 856 hours, or 4.9 months
• OpenVMS – server + DB server time is 55 hours, or 0.31 months

OpenVMS formula: patch set-up time + (number of systems × patch time) × patches per year, i.e. 8.6 hours + (number of systems × 0.3, 0.6 or 2.0 hours) × 0.9 (only 0.9 patch events per year on average), where:
• 8.6 hours is the yearly set-up time for checking for and downloading patches
• 0.3 hours is the average time to patch a desktop
• 0.6 hours is the average time to patch an application server
• 2.0 hours is the average time to patch a DB server
To get months, divide hours by 40 hours per week and then by 4.33 weeks per month.

OpenVMS system managers can spend a lot more time on growing the business instead of remedial work (wasted time): 12X – 15X more time.

Source for Windows/Linux: (see source line)
20 5-Year Life Cycle Patching Effort (Man-Hours Total, From Previous Example)

For 40 application servers, 10 DB servers.

This is the amount of time system managers spend over the 5-year lifecycle of the server doing remedial/patching work instead of providing innovation for the organization.

• Windows – 31% wasted time: server + DB server time is 3345 hours, or 19.2 months
• Linux – 41% wasted time: server + DB server time is 4280 hours, or 24.6 months
• OpenVMS – 2.6% wasted time: server + DB server time is 275 hours, or 1.58 months

OpenVMS formula: patch set-up time + (number of systems × patch time) × patches per year, i.e. 8.6 hours + (number of systems × 0.3, 0.6 or 2.0 hours) × 0.9 (only 0.9 patch events per year on average), where:
• 8.6 hours is the yearly set-up time for checking for and downloading patches
• 0.3 hours is the average time to patch a desktop
• 0.6 hours is the average time to patch an application server
• 2.0 hours is the average time to patch a DB server
To get months, divide hours by 40 hours per week and then by 4.33 weeks per month.

Over the 5-year lifecycle of the system the wasted remedial work time is huge for Windows and Linux (31% – 41% of their time is wasted): 2 years out of 5 are wasted for Linux, and almost 20 months (more than 1.5 years) are wasted on Windows. Contrast that with 1.5 months for OpenVMS.

Source for Windows/Linux: (see source line)
22 5-Year TCO Server Configuration (Prices Are US List)

10 DB servers:
• Windows: BL620 with 8 cores, 32 GB memory, 2 × 146 GB internal disks (RAID 1), dual-port FC HBA, Windows 2008 R2 – $398,965
• Linux*: BL620 with 8 cores, 32 GB memory, 2 × 146 GB internal disks (RAID 1), dual-port FC HBA, RHEL 5 – $328,635
• OpenVMS: BL860i2 with 8 cores, 32 GB memory, 2 × 146 GB internal disks (RAID 1), dual-port FC HBA, OpenVMS BOE – $448,809

40 application servers:
• Windows: BL460 with 4 cores, 16 GB memory, 2 × 146 GB internal disks (RAID 1), dual-port FC HBA, Windows 2008 R2 – $874,365
• Linux*: BL460 with 4 cores, 16 GB memory, 2 × 146 GB internal disks (RAID 1), dual-port FC HBA, RHEL 5 – $592,085
• OpenVMS: BL860i2 with 4 cores, 16 GB memory, 2 × 146 GB internal disks (RAID 1), dual-port FC HBA, OpenVMS BOE – $1,077,644

List price totals: Windows $1,273,330; Linux $920,720; OpenVMS $1,526,453.

All configurations used 42U racks, rack PDUs, C7000 blade enclosures, ProCurve 6120 Ethernet blade switches and B-Series 8/12 FC switches, and a 5-year 24x7 warranty on HW and SW.
* Linux SW warranty only 3-year 24x7.
23 5-Year TCO Comparison (From Previous Example)

For 40 application servers, 10 DB servers. Totals bolded: Linux $3,895,520; OpenVMS $1,966,253.

OpenVMS is 49% less than Linux and 57% less than Windows. You can buy 1.98 OpenVMS systems for the price of 1 Linux system, and 2.35 OpenVMS systems for the price of 1 Windows system. A system in this case is defined as per our example: 40 application servers and 10 DB servers.

OpenVMS is $1.92M less expensive than Linux and $2.67M less than Windows over a 5-year lifecycle period.
24 IT’s Biggest Challenge: The Growing Gap Between Business Demands and IT’s Ability to Deliver

OpenVMS provides the monetary and human payback to close this gap.

Explosive growth in business applications and supporting infrastructure:
• Applications: enterprise upgrades, new architectures (SOA), rich media applications
• Infrastructure: 2x servers every 5 years, 2x storage every year, virtualization
versus IT’s investment to enable more effective service delivery:
• IT management: limited budget growth, tribal organizations, manual processes

We talk to a lot of customers, and what they’ve been telling us is that they’re seeing a major shift taking place today in business and in IT. This observation is backed up by research from the leading analyst firms, industry publications and, most recently, a survey conducted by the Economist Intelligence Unit. Businesses are shifting from consolidation and cost cutting to growth initiatives to drive new revenue opportunities and competitive advantage. And since IT automates 90% of business processes, CEOs are turning to CIOs to help them drive this growth agenda with strategic initiatives such as SOA and Web-enabled services. But here’s the catch: no new money is being allocated to IT to support these initiatives; the research tells us budgets are flat or growing only marginally. The fact is, there’s a growing gap between what the business expects and IT’s capability and capacity to deliver. OpenVMS can help shrink this gap.
26 Other Cost Factors

Server lifecycle: OpenVMS servers 5 years; x86 servers 3 years. X86 servers are typically replaced by a customer every 3 years, whereas OpenVMS servers are replaced by a customer at a minimum every 5 years.

The result? 5-year totals (bolded): Windows $5,911,260 (3.0X); Linux $4,816,240 (2.4X); OpenVMS $1,966,253. OpenVMS is 59% less than Linux and 66% less than Windows.

If x86 servers are upgraded or refreshed on 3-year lifecycles (typical in industry), then you can buy 2.4 OpenVMS systems for the price of 1 Linux system and 3.0 OpenVMS systems for the price of 1 Windows system. A system in this case is defined as per our example: 40 application servers and 10 DB servers. This update/refresh cycle is driven by two causes: 1) software upgrades no longer supporting older hardware, and 2) server vendors refreshing x86 server lines every 3 years (the old ones can no longer be bought new). In a 5-year lifecycle you will have to buy x86 hardware 2 times, further increasing the cost of an x86 solution. You will have to buy OpenVMS hardware only once.
27 Consequences of Not Patching (Downtime and Downtime Costs)

According to Absolute Software, ½ of your systems will become infected! With a per-server restore time of: Windows average; Linux 17.08. This equates to the following costs per server per year.
* There are no known viruses for OpenVMS.

These are average time-to-restore values for multiple server use types (Windows average; Linux 17.08). Per the Yankee Group report, the average costs per hour for multiple server use types are Windows $ per hour average; Linux $ per hour average. According to the Yankee report, Windows server downtime costs companies two to three times as much as Linux server downtime. This is not due to any inherent flaws in the Windows Server OS, but rather reflects the crucial nature of the data and applications running on Windows servers. Also per the whitepaper, ½ (half) of un-patched computers will become infected.

Yankee Group report, North American Linux and Windows TCO Comparison, Part 1 – Windows/Linux
28 Consequences of Not Patching (Downtime Costs From Previous Example)

According to Absolute Software, ½ of your systems will become infected! Yearly restore costs for 40 application servers, 10 DB servers, with 25 of them infected; 5-year lifecycle restore costs.
* There are no known viruses for OpenVMS.

These costs are based on average time-to-restore values and average hourly downtime costs for multiple server use types (Windows average; Linux). Per the Yankee Group report, the average costs per hour for multiple server use types are Windows $ per hour average; Linux $ per hour average. According to the Yankee report, Windows server downtime costs companies two to three times as much as Linux server downtime. This is not due to any inherent flaws in the Windows Server OS, but rather reflects the crucial nature of the data and applications running on Windows servers. Also per the whitepaper, ½ (half) of un-patched computers will become infected.

Yankee Group report, North American Linux and Windows TCO Comparison, Part 1 – Windows/Linux
29 Consequences of Not Patching (Downtime From Previous Example)

According to Absolute Software, ½ of your systems will become infected! Yearly restore time for 40 application servers, 10 DB servers, with 25 of them infected; 5-year lifecycle restore time.
* There are no known viruses for OpenVMS.

These restore times are the amount of time these servers are off line, not doing any productive work. Also per the whitepaper, ½ (half) of un-patched computers will become infected.
30 Average Costs per Data Breach

Average organizational cost of a data breach. For the fifth year in a row, data breach costs have continued to rise: data breaches continue to cost organizations more every year. The average organizational cost of a data breach this year increased to $7.2 million, up 7 percent from $6.8 million in 2009 and 9 percent from $6.7 million in our 2008 study. Data breaches in 2010 cost their companies an average of $214 per compromised record, up $10 (5 percent) from last year and $12 (6 percent) from 2008.

Total breach costs have grown every year since. Data breaches are costing more at both ends of the scale, but particularly the top. The most expensive data breach included in this year’s study cost a company $35.3 million to resolve, up $4.8 million (15 percent) from last year. The least expensive data breach was $780,000, up $30,000 (4 percent) from 2009.

Breach size this year ranged from nearly 4,200 to 105,000 lost or stolen records. As in prior years, data breach cost appears to be directly proportional to the number of records compromised. Therefore, larger breaches continue to be a more serious cause for concern than smaller breaches.
31 Average Data Breach Costs (by Cost Activity)

Average data breach cost by cost activity. Customer turnover in direct response to breaches remains the main driver of data breach costs: for the second straight year, abnormal churn or turnover of customers after data breaches appears to be the dominant factor in data breach cost.

This year’s Cost of a Data Breach cost activity figures may reflect the increased focus on regulatory compliance. Compliance with data protection regulations requires organizations to do more to find, disclose and fix breach-related problems. These tasks correspond with the detection and escalation, notification and ex-post response cost activities, respectively. Strong growth in both detection and escalation and in ex-post response could reflect increased compliance activities, as those two stages often require more investment than the notification process.
32 Customer Churn Rates

Abnormal churn rates following data breaches, by industry classification. This chart shows the customer churn rate versus the industry segment the organization is in.

Customer turnover in direct response to breaches remains the main driver of data breach costs: for the second straight year, abnormal churn or turnover of customers after data breaches appears to be the dominant factor in data breach cost.
35 VMS Security Model: Reference Monitor Concept

The reference monitor enforces the security policy by authorizing the creation of subjects, by granting subjects access to objects based on the information in a dynamic authorization database, and by recording events, as necessary, in the audit trail. The reference monitor must meet the following three requirements:
• Mediate every attempt by a subject to gain access to an object
• Provide a tamperproof database and audit trail that are thoroughly protected from unauthorized observation and modification
• Remain a small, simple, and well-structured piece of software so that it is effective in enforcing security requirements

These are the requirements proposed for systems that are secure even against penetration. In such systems, the reference monitor is implemented by a security-related subset, or security kernel, of the operating system. While the OpenVMS operating system does not implement the reference monitor as a security-related subset, or security kernel, its interface to users and system managers does mirror the basic structure dictated by the reference monitor concept. Experience shows that incorporating such a structure is the best way to build a system resistant to probing and to most attempts at penetration.
36 VMS Security

OpenVMS was designed from day one with the aim of making a “crash proof” system:
• 4 access modes – user / supervisor / exec / kernel
• Isolates trusted system code from un-trusted user code
• “Firewalls” system components to limit the impact of bugs

OpenVMS was designed from day one to be secure! Look at slides 7–9 for proof.
37 VMS Security – Hierarchical Protection Domains (Protection Rings)

• Kernel – executes the VMS kernel, including memory management, interrupt handling and I/O
• Executive – executes many system service calls, including file and record management services
• Supervisor – executes other system services and user commands (DCL)
• User – executes user programs and utilities such as compilers, editors, linkers and debuggers

Linux and Windows use 2 rings: Supervisor and User.

[From Wikipedia] In computer science, hierarchical protection domains, often called protection rings, are a mechanism to protect data and functionality from faults (fault tolerance) and malicious behaviour (computer security). Computer operating systems provide different levels of access to resources. A protection ring is one of two or more hierarchical levels or layers of privilege within the architecture of a computer system. This is generally hardware-enforced by some CPU architectures that provide different CPU modes at the hardware or microcode level. Rings are arranged in a hierarchy from most privileged (most trusted, usually numbered zero – Kernel) to least privileged (least trusted, usually with the highest ring number – User). On most operating systems, Ring 0 (Kernel) is the level with the most privileges and interacts most directly with the physical hardware such as the CPU and memory.

Many modern CPU architectures (including the popular Intel x86 architecture) include some form of ring protection, although the Windows NT operating system, like Unix, does not fully exploit this feature. Its predecessor, OS/2, did to some extent, as it used three rings: ring 0 for kernel code and device drivers, ring 2 for privileged code (user programs with I/O access permissions), and ring 3 for unprivileged code (nearly all user programs). OpenVMS uses four modes called (in order of decreasing privilege) Kernel, Executive, Supervisor and User.
38 VMS System Layering (additional detail from the previous slide)

• User mode: development tools (text editors, Macro, compilers, linker); Run Time Library, general (math library, string handling, screen management, misc. LIB functions); Run Time Library, language-specific (CRTL, FORTRAN, PASCAL, BASIC); assorted utilities (COPY, HELP, DIRECTORY, SORT); user data structures
• Supervisor mode: Command Language Interpreter
• Executive mode: RMS and system services; privileged images (protected shareable images, protected subsystems, privileged server processes)
• Kernel mode: system services; memory management subsystem; I/O; process and time management; system-wide protected data structures
39 OpenVMS Security Privileges

OpenVMS has 39 separate user privileges that are divided into 7 categories. Privileges restrict the use of certain system functions to processes created on behalf of authorized users.
• None: No privileges
• Normal: Minimum privileges to use the system effectively
• Group: Potential to interfere with members of the same group
• Devour: Potential to consume noncritical systemwide resources
• System: Potential to interfere with normal system operation
• Objects: Potential to compromise object security
• All: Potential to control the system

These restrictions protect the integrity of the operating system's performance and, thus, the integrity of the service provided to users.
41 Vendor Vulnerability Rank: Rank of Top-10 Vendors with Most Vulnerabilities

Ranking of the top-10 vendors with the most vulnerabilities per year. Oracle also includes vulnerabilities from Sun Microsystems and BEA.

Source:
42 Security Distribution Risk Is Increasing: DoR – Days of Risk
43 Server to System Manager Ratio

From ComputerWorld: “One enterprise IT manager told us the ratio for physical servers was roughly 50:1, another working for a government organisation said 15-20:1, and an IT director at a research and development outfit noted that in a mid-size organisation a system administrator could maintain servers per week or, if their role was merely maintenance (i.e. no projects, no debugging, etc.), then they could look after servers per week.”
44 Server to System Manager Ratio

Standard ratios are highlighted (red bar) in the graph. System-manager-to-server ratios for several different server use types. The lower the ratio (about 10 for Standard ratios), the closer the server is to the core environment (meaning a core application or core DB server). The closer to the edge (to the client) the server is used, the higher the ratio. The average server-to-system-manager ratio is 55 (Standard ratio) across all server use types. Standard to Basic is more representative of most customers' server environments because of the test/qualification process for patches after installation and before putting them into production. This makes for a more manual patching effort; otherwise the customer will basically patch and pray that the patch did not break anything in the production environment.

• Basic: no automation
• Standard: some automation
• Rationalized: considerable automation

From: Microsoft Best Practices Report
45 OpenVMS Systems Require Fewer Human Resources

From Harvard Research Group: Of those users surveyed, 63% said that fewer people are required to run their OpenVMS servers compared to their non-OpenVMS servers … OpenVMS servers are much easier to manage and therefore reduce the TCO by requiring less staff than the competition to keep them up and running.
46 Security Concerns

From: gigasite – January 5, 2011. “With Microsoft just closing the door on its largest patch year yet, 2011 is not starting out in a positive direction,” Storms said. Last year, Microsoft issued a record 106 security bulletins to patch a record 266 vulnerabilities.
47 Security Concerns

NetworkWorld – April 12, 2011: Record-breaking Microsoft patch day affects all versions of Windows; 17 security patches fix a whopping 64 holes. Affected software runs the gamut. There are patches for all supported versions of Windows, including XP, Vista, Windows 7, Windows Server 2008 R2 and even the non-GUI WS2008 Server Core version.
48 Security Concerns

From: PCWorld Business Center – June 1, 2010. Sources from within Google are claiming that the online search and advertising giant is implementing an official transition away from the Microsoft Windows operating system. According to the reports, the culture shift is intended to reduce security concerns.
49 Are Antivirus Programs the Answer?

From: SiteApproved, “Problems With Anti-virus Programs Found…”: Vulnerabilities found recently in McAfee, Symantec, and Trend Micro software could let hackers compromise and even control computers running certain versions of their products. While most antivirus software is distributed via a network download, making it difficult for a hacker to get to the code, these flaws further highlight the problems with the antivirus industry's traditionally reactive approach to protection, …

These security products provide protection only at the application layer and not the operating system kernel.
50 Are Antivirus Programs the Answer?

From: ZDNet – February 25, 2011, “Microsoft fixes hole in its antivirus engine”: … "The update addresses a privately reported vulnerability that could allow elevation of privilege if the Microsoft Malware Protection Engine scans a system after an attacker with valid log-on credentials has created a specially crafted registry key," the advisory says. "An attacker who successfully exploited the vulnerability could gain the same user rights as the LocalSystem account." …

These security products provide protection only at the application layer and not the operating system kernel.
51 Are Open-Source OSes the Answer?

From: hackinthebox, “Open-source Could Mean an Open Door for Hackers” – July 2010. The ability to access the code of open-source applications may give attackers an edge in developing exploits for the software, according to a paper analyzing two years' worth of attack data. The paper, to be presented this week at the Workshop on the Economics of Information Security, correlated 400 million alerts from intrusion detection systems with known attributes of the targeted software and vulnerabilities. The data supports the assertion that flaws in open-source software tend to be attacked more quickly and more often than vulnerabilities in closed-source software, says Sam Ransbotham, assistant professor at Boston College's Carroll School of Management and the author of the paper.
52 Is Server Virtualization the Answer?

Vulnerability disclosures over the past decade for virtualization products provided by the following vendors:
• Citrix
• IBM
• Linux VServer
• LxCenter
• Microsoft
• Oracle
• Parallels
• RedHat
• VMware

According to Wikipedia: The use of hypervisor technology by malware and rootkits installing themselves as a hypervisor below the operating system can make them more difficult to detect, because the malware could intercept any operations of the operating system (such as someone entering a password) without the antivirus software necessarily detecting it (since the malware runs below the entire operating system). Implementation of the concept has allegedly occurred in the SubVirt laboratory rootkit (developed jointly by Microsoft and University of Michigan researchers) as well as in the Blue Pill malware package.