Post on 11-Aug-2020
transcript
Security Architecture For Oracle Database Cloud
Tammy Bednar
Sr. Director of Product Management
Database Cloud Services
Copyright © 2019 Oracle and/or its affiliates.
Safe Harbor
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, timing, and pricing of any features or functionality described for Oracle’s products may change and remains at the sole discretion of Oracle Corporation.
Statements in this presentation relating to Oracle’s future plans, expectations, beliefs, intentions and prospects are “forward-looking statements” and are subject to material risks and uncertainties. A detailed discussion of these factors and other risks that affect our business is contained in Oracle’s Securities and Exchange Commission (SEC) filings, including our most recent reports on Form 10-K and Form 10-Q under the heading “Risk Factors.” These filings are available on the SEC’s website or on Oracle’s website at http://www.oracle.com/investor. All information in this presentation is current as of September 2019 and Oracle undertakes no duty to update any statement in light of new information or future events.
Threats to Cloud Security
• Insecure configuration of cloud resources allowing unauthorized access to data
• Skilled attackers including knowledgeable insiders with know-how of exploitable vulnerabilities in complex cloud configurations
• Complicated access control mechanisms, resulting in customers inadvertently granting overly permissive access to cloud resources
• Lack of easy-to-use security monitoring mechanisms to alert on anomalous patterns representative of security attacks
Oracle’s Security-First Approach
Security is not about having a few silver bullets, but a well thought out and integrated layered approach beginning with securing the physical infrastructure, firmware, hardware, operating system, hypervisor, and network. Oracle is focused not only on protecting against the initial attack, but also on preventing any progress in an attacker’s continued attempts to steal data.
Defense In Depth of OCI Security
(Layered diagram, reconstructed as a list from the Internet edge inward to data and identity:)
• Internet / Edge Services: Global PoPs, DDoS Protection, DNS Security, WAF Protection
• 3rd Party Security: FW, NGFW, IPS
• Monitoring: User Monitoring, Configuration Monitoring, Logging, Compliance
• Virtual Network: Interface Segmentation, Security Lists, Private Networks, Bastion Access, SSL Load Balancing, FastConnect (Direct), FastConnect (Carrier), IPSec VPN
• Instance: Tenant Isolation, Hardened Images, Virtual Taps, Hardware Entropy, SSH Keys, Certificates, Root-Of-Trust Card, Signed Firmware, Hardware Security Modules
• Data: Encryption, Authentication, Authorization, Auditing, Monitoring and Blocking, Secure Configuration, Data Masking
• Identity: Identity Federation, Role-Based Policy, Compartments & Tagging, Instance Principals
OCI Security Portfolio and Strategy
• OF THE CLOUD: Secure the Cloud Platform
• ON THE CLOUD: Secure Identity, Apps. and Data on the Cloud Platform
• CROSS CLOUD: Protections and Monitoring Between Clouds and Premises
Designing a Secure Cloud Platform from the Ground Up
• Platform: Defense-in-Depth from Bare Metal Hardware to Customer Apps & Data
• Operations: Constant Software, Hardware, and Process Hardening
• Compliance: Building Compliance in All Regions for All Services
Secure Design: Bootstrap Trust To Immutable Component
(Diagram: a Bare Metal Instance built on a Hardware-Based Root of Trust.)
Secure Design: Give Customers Pristine Systems
(Diagram: Bare Metal Instances alongside a Virtual Instance running VMs on the Oracle Hardened Hypervisor, each built on a Hardware-Based Root of Trust.)
Secure Design: Isolated Customer VLANs
(Diagram: a Bare Metal Instance and a Virtual Instance with the Oracle Hardened Hypervisor and VMs, connected through Isolated Network Virtualization, on a Hardware-Based Root of Trust.)
Secure Design: Top Of Rack ACLs
(Diagram: VMs on the Oracle Hardened Hypervisor, Isolated Network Virtualization, and the Physical Network.)
Compliance for ALL Regions and ALL Services
Extensive list of accreditations (badges shown on the slide include 27001 : 27017 : 27018, Level 1, and BSI C5)
https://www.oracle.com/cloud/cloud-infrastructure-compliance/
Secure Your Applications and Data
• Identity: Provide Access to Those Who Need It, Keep Out Those Who Don’t
• Data: Protect Data at Rest and In Motion
• Network & Apps.: Restrict Access to Warranted Use and Monitor
Cloud Access Security Broker for SaaS and IaaS
Oracle CASB Cloud Service: Access Management | Data Loss Prevention | Compliance | Visibility
(Diagram: the CASB service covers the Cloud Infrastructure categories Compute, Storage & Database; Network & Content Delivery; and Security, Identity & Compliance.)
Layers of Protection To Access Your Data
(Diagram: an OCI Region with AD1, AD2 and AD3 and a Virtual Cloud Network behind an Internet Gateway (IGW). The layers shown from the outside in are WAF with Proactive Threat Detection, Automated DDoS Protection, Authoritative DNS with Internet Intelligence, FastConnect and IPSec VPN, then Subnet-Level Virtual Firewalls inside the VCN.)
• Virtual Firewall: Use VCN Security lists
• Internet routing gateway: Routing tables can be used with NAT & 3rd party firewall devices
• Dynamic Routing Gateway: Virtual router provides a path for private traffic
• Web Application Firewall: 250 pre-defined OWASP and compliance rules; Use IAM for WAF management
Data Encryption In Transit
(Diagram: traffic between CUSTOMER REGION 1 and CUSTOMER REGION 2, each with AD1, AD2 and AD3, protected by MACSec Encryption.)
• Customer managed keys (KMS)
• KMS through OCI services and in your apps directly
Database Defense in Depth
• Prevent access by non-database users
• Increase database user identity assurance
• Control access to data within database
• Audit database activity
• Monitor database traffic and prevent threats from reaching the database
• Ensure database production environment is secure and prevent drift
• Remove sensitive data from non-production environments
Oracle Database Maximum Security Architecture
(Diagram of the controls placed between Apps, the database, and the Test, Dev and Partners environments:)
• Transparent Data Encryption with Key Vault
• Data Redaction (shown with the redacted value ###-##-5100)
• Database Firewall
• Privilege Analysis
• Data Masking (shown with the sample values 010-11-5100 and 022-22-5001)
• Audit Vault collecting Audit Data
• Database Vault
• DB Security Assessment Tool
Maximum Security Architecture – in-Cloud
(Diagram: Users and Applications reach the database over Network Encryption; data at rest is protected by Transparent Data Encryption, shown as ciphertext; Database Vault separates Test and Dev access; Data Safe supplies the assessment and masking services.)
• Data Safe: Collect & Configure Audit; Assess security & users; Discover, classify, and mask sensitive data
New - Oracle Data Safe: Security for Cloud Databases
• Delivers unified set of essential security services on the cloud
• Mitigates user, data, configuration risk
• Unified database security dashboard
• Addresses customer responsibilities
• Requires no special security expertise
(Diagram: Data Safe functions Audit, Users, Discover, Assess and Mask applied to Databases in Oracle Cloud.)
Available with Oracle Cloud Database Subscription at No Additional Cost*
* includes 1M audit records per month; Data retention up to 12 months
Security Zones of Control
(Matrix of Oracle database security controls for Data & Users, by zone:)
• Users: PKI, Kerberos, Radius (pluggable); Proxy Users; Oracle & Active Directory
• Data: Crypto Toolkit; Virtual Private Database; Label Security; Real Application Security**
• Prevent: Encryption & Key Management; Data Masking*; Data Redaction; Database Vault**
• Detect: Activity Auditing*; Reporting/Alerting*; Audit Vault; Database Firewall**
• Assess: Data Discovery*; Security Assessment*; User Assessment*; Privilege Analysis**
* now offered in Oracle Data Safe, included with your Oracle Cloud Databases
** unique to Oracle
Confidential – Highly Restricted
Oracle Autonomous Database Prevents Data Theft: Applies Security Patches while Running
• Automatic continuous threat monitoring and detection
• Immediate security patching and remediation while running
• 99.995% Availability: total downtime less than 2.5 minutes per month
Protecting Your Existing Architecture and Security
• Cross Cloud: Secure interaction across and within clouds
• Hybrid: Align security between cloud and on-premises environments
• Your Security: Bring your existing security stack and policies to your OCI estate
Enterprise Cloud Interoperability Partnership
Migrate and run mission-critical enterprise workloads across Microsoft Azure and Oracle Cloud
Interoperability: Cross-cloud SSO and Interconnect
Oracle Cloud services:
• Oracle Cloud Infrastructure
• Oracle Autonomous Database
• Oracle Exadata
• Oracle Applications
• Oracle RAC
• Oracle Analytics Cloud
• And other services…
Microsoft Azure services:
• Azure DevOps
• Azure Stream Analytics
• Azure Databricks
• Azure Kubernetes Service
• And other services…
(Diagram: the two clouds interconnected, with both reachable from the Corporate Network and the Internet.)
Security Connectivity Pattern (Hybrid)
(Diagram, reconstructed as a list of its components:)
• VCN1 (Region 1): a Virtual Cloud Network spanning AD1/FD1 and AD2/FD2, with a Database Subnet (Private) holding Database Instances, an Application Subnet (Private) holding Compute Instances, and an LB Subnet (Public) with a Primary and a Secondary Load Balancer in each domain
• Security Lists and a Route Table governing traffic inside the VCN
• Internet Gateway for Internet traffic; Service Gateway to the Services Network (Object Storage, Telemetry/Monitoring); Dynamic Routing Gateway terminating the VPN and FastConnect links from the Customer Premises Equipment in the Customer Data Center (IT Admins, Users)
• Remote Peering Gateway to VCN1 (R2) in a second region over the Encrypted Backbone
• Edge Services: WAF, Secure DNS, DDoS Protection
• Bastion Host, ID & Access Management, Key Management
Legend: Local Traffic, Encrypted Traffic, Private Traffic, Internet Traffic, Service Traffic, Inter-Region Traffic, Cross-Connect Traffic, Internet Traffic (Unsanitized), Internet Traffic (Sanitized)
Your Security
(Diagram: a VCN forming the Customer Enclave with Subnets and a Firewall; the third-party firewall options shown are ASAv, Fortigate, VM-Series and Cloudguard; edge services shown are CASB, DNS and WAF; identity is shown as Oracle Console, Oracle IDCS and SCIM (System for Cross Domain Identity Management) linking to the Customer Estate.)
• Deploy 3rd party security within Customer Enclave
• Send logs (Control Plane, Sign-on, WAF Data plane, etc.) to ANY SIEM Solution
• Use Local or Federated Authenticators in Coordination with Oracle
Shared Responsibility and How We Differ
(Diagram: the stack from application down to data center, listed top to bottom; the upper layers are Customer Controlled & Oracle Supported, the lower layers are Oracle Controlled.)
• Application Compliance
• Application Data Security
• Identity Access Security
• VCN Security
• Database Security
• Compute Security
• Data Security
• Console & API Security
• Storage Security
• Infrastructure Compliance
• Operator Access Security
• Control Plane Host Security
• Server Hardware Security
• Network Security
• Data Center Security
OCI Security: Integrated & Layered Approach
(Closing slide: the same layered diagram as "Defense In Depth of OCI Security" above, from Internet edge services through 3rd party security, monitoring, virtual network, instance and data controls to identity.)