Source: konferenz-nz.dlr.de/pages/storage2018/present/1...

Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |

Data Protection with Oracle Key Manager

Dr. Dirk Gebh, Principal Storage Sales Consultant, Oracle Deutschland

June 2018


Agenda

• Data protection and archiving

• Data encryption

• Key management

• Oracle key management solution


Data Protection and Archiving

• Online storage / Backup / Archive

• Data retention time

• Sometimes data needs to be deleted immediately after the data retention time expires


Data Encryption


Encryption

• Data encryption transforms plaintext into ciphertext

• Satisfies customer or regulatory requirements

• Protection from both off-site and on-premise information loss

• Secure shipment of data

• Time-based data expiration

• Secure data disposal


It’s All About the Keys

• Encryption keys determine the functional output of an encryption algorithm

• Keys must be ‘strong’

– Randomly and securely generated

– Securely managed

– The longer the key length, the more secure the encryption method

• Advanced Encryption Standard (Rijndael): AES-256 is the most secure encryption standard available today

– Symmetric, block cipher-based method

– 256 bit key length

– Substitution, permutation, XOR

– 14 rounds, each with its own round key (AES-256)

Lose the keys and you lose the data!


Best Practices for Key Management System

Keep Your Data Secure

• Always Available

– Redundant servers

– Backup/recovery

• Secure

– Key storage

– Access control

• Scalable

– Simple setup

– Easy to use

• Openly Architected

– Standard protocols

– Multiple end-points

• Traceable

– Auditing/reporting tools

– Alerts


Oracle Key Manager 3

• Simple to Install and Operate

– Automated, policy-driven system

– Server, O/S, application neutral

• Secure

– Strongest encryption (AES-256) end-to-end

– Strong key protection mechanisms

– Conforms to federal security certifications (FIPS)

• Scalable

– Supports large sites & multiple storage technologies

– Easily adds more key management appliances, sites and drives

OKM is a cluster of servers (OKMs) managing keys for encrypting devices


OKM Architecture


Scalability

• Scales economically

– Supports multiple sites/devices concurrently

– Tested with up to 2,000 drives and 1,000,000 keys

• Transparent/non-disruptive growth

– Add more OKM appliances, sites and drives as needed

• Flexible management

– Supports managing multi-site installation from any single location

– Supports multiple user roles


Oracle Key Manager 3 Components

• Key management appliance (OKM)

– Solaris on SPARC T7-1 server

– Oracle key management software

– Hardware Security Module (optional)

• OKM cluster

– 2 to 20 OKMs, connected via Ethernet network

• OKM management server

– OKM management GUI

• Encryption end-points

– Tape drives

– ZFS

– Oracle Database

– Java applications


Key Management Appliance

• Security-enhanced SPARC T7-1 server with a hardened solution

• Appliance device:

– Simple installation and automatic operation

– No OS/driver administration or maintenance is required

– Scales easily and transparently

• Runs independently of backup server, operating system, applications, and device drivers

• Cluster 2 to 20 OKMs together for high availability enterprise wide key management system


OKM 3 Encryption End Points

• Tape Drives

– T10K A, B, C, D & T9840D

– LTO 4, 5, 6, 7

• Java Applications

– JCE Provider

• Oracle Database

– Transparent Database Encryption

• ZFS Storage

– PKCS#11 Provider

– (The PKCS #11 standard defines a platform-independent API to cryptographic tokens)


Separate Key and Data Paths

• Key communication over dedicated Ethernet port

• Drive compresses data before encrypting

• Non-disruptive

– Coexist with non-encrypting devices

– No changes/awareness required in storage server and data network

[Diagram: the OKM supplies keys to the drive over the dedicated key path; data flows from the storage server to the drive, which compresses and then encrypts it]
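Why the drive compresses before it encrypts: the output of any sound cipher has no redundancy left for a compressor to find, so compressing after encryption gains nothing and the ordering on this slide is the only one that preserves the capacity benefit. The following Python check is an added illustration, not code from the deck or from any drive firmware; it uses a constructed SHA-256 keystream XOR as a stand-in for the drive's AES-256 (any good cipher gives the same result) and a constructed log-like byte string as the "backup stream".

```python
import hashlib
import os
import zlib


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in cipher constructed for this example (not the drive's AES-256):
    XOR with a SHA-256 counter-mode keystream. Its output looks random, which
    is the only property that matters for the comparison below."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def compress_then_encrypt(key, nonce, data):
    """The order the slide describes: the drive compresses, then encrypts."""
    return keystream_xor(key, nonce, zlib.compress(data, 9))


def decrypt_then_decompress(key, nonce, blob):
    return zlib.decompress(keystream_xor(key, nonce, blob))


def encrypt_then_compress(key, nonce, data):
    """The wrong order: ciphertext has no redundancy for zlib to exploit."""
    return zlib.compress(keystream_xor(key, nonce, data), 9)


# Constructed sample: highly redundant log-style data, as backup streams often are.
SAMPLE = b"2018-06-01 00:00:00 host=db01 job=nightly-backup status=ok\n" * 200


def compare(data=SAMPLE):
    """Return the sizes produced by both orderings plus a round-trip check."""
    key, nonce = os.urandom(32), os.urandom(12)
    ordered = compress_then_encrypt(key, nonce, data)
    return {
        "plain_bytes": len(data),
        "compress_then_encrypt_bytes": len(ordered),
        "encrypt_then_compress_bytes": len(encrypt_then_compress(key, nonce, data)),
        "round_trip_ok": decrypt_then_decompress(key, nonce, ordered) == data,
    }
```

Running `compare()` shows the compress-then-encrypt output at a small fraction of the plaintext size, while the encrypt-then-compress output is slightly larger than the plaintext (zlib falls back to stored blocks and adds its own framing). The same reasoning is why a storage server that already encrypts at the application layer will see no compression benefit on the drive.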


Performance

• Data transfer rates are not affected by encryption

– Encryption handled by the device

– No storage server CPU cycles used

• Dedicated key network

– No network contention

• Any OKM server can supply keys to any drive (in the same service network)

• Low key communication latency

– Typically less than 250 ms

• Key pre-generation, caching & pre-fetch


Role Based Access Control (RBAC)

• Implements a role-based access control model

• Users may be assigned one or more roles

• System operations are assigned to roles

• Support for built-in (canned) roles

– Security Officer

– Compliance Officer

– Operator

– Backup Operator

– Auditor

– Quorum Member


Keys, KeyIDs and DataUnitID

• Each piece of media is identified by a unique DataUnitID

– Automatically generated at initial mount point

– Oracle Key Manager associates Volser with DataUnitID in internal database

– Allows user to select keys based on Volser for export/sharing

• Delivers policy-based access control on per tape basis

• A unique KeyID and key are supplied to the drive from OKM as required

• KeyID is written to media along with each data block

• No encryption keys are stored on tape!

– OKM stores DataUnitID & KeyID/Key pairs in internal database


Key Groups

• Keys are organized into key groups

• Each key group has a key retention policy assigned

• Drives are assigned to key groups

• Drives can only access key groups they are assigned to:

– Drive A cannot access keys in Group 2

– Drive B can access keys in Groups 1&2

• A drive needs a default key group to be able to create new keys

– Both drives create new keys in Group 1
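To make the relationships on this slide and the preceding one (DataUnitID, KeyID, key groups, retention policy, and the point that no key is ever written to tape) concrete, the following Python model is added here. It is example code, not Oracle's: `KeyManager`, `TapeRecord`, the drive names, Volsers and day numbers are all constructed, and a SHA-256 keystream XOR stands in for the AES-256 the real end-points use, so only the key handling is meaningful. It goes slightly beyond the slide by adding a third drive whose default group is Group 2, so that the "Drive A cannot access keys in Group 2" rule can actually be exercised, and it ties in the retention and secure-disposal points from the earlier slides: destroying an expired key is what makes the media unreadable.

```python
import hashlib
import os
from collections import namedtuple

# What is written to the media: identifiers, nonce and ciphertext. Never the key.
TapeRecord = namedtuple("TapeRecord", "data_unit_id key_id nonce ciphertext")


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in cipher constructed for this example (NOT the AES-256 that OKM
    end-points use): XOR the data with a SHA-256 counter-mode keystream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


class KeyManager:
    """In-memory stand-in (constructed) for the OKM cluster's key database."""

    def __init__(self):
        self.groups = {}        # name -> {"retention_days": n, "keys": {key_id: (key, created_day)}}
        self.drive_access = {}  # drive -> (allowed group names, default group for new keys)
        self.data_units = {}    # DataUnitID -> (Volser, key_id, group name)
        self._seq = 0

    def add_group(self, name, retention_days):
        self.groups[name] = {"retention_days": retention_days, "keys": {}}

    def assign_drive(self, drive, groups, default):
        if default not in groups:
            raise ValueError("default group must be one the drive may access")
        self.drive_access[drive] = (set(groups), default)

    def issue_key(self, drive, volser, today):
        """Initial mount of a tape: generate a DataUnitID and a fresh key in the
        drive's default key group, and record the Volser association."""
        _, default = self.drive_access[drive]
        self._seq += 1
        du_id, key_id = f"DU-{self._seq:04d}", f"KEY-{self._seq:04d}"
        self.groups[default]["keys"][key_id] = (os.urandom(32), today)
        self.data_units[du_id] = (volser, key_id, default)
        return du_id, key_id

    def fetch_key(self, drive, key_id):
        """Supply a key to a drive only if the key's group is assigned to it."""
        allowed, _ = self.drive_access[drive]
        for name, group in self.groups.items():
            if key_id in group["keys"]:
                if name not in allowed:
                    raise PermissionError(f"{drive} may not use keys in {name}")
                return group["keys"][key_id][0]
        raise KeyError(f"{key_id} is unknown or already destroyed")

    def expire_keys(self, today):
        """Retention enforcement: destroy keys older than their group's policy;
        media encrypted under them becomes unreadable (crypto-shredding)."""
        destroyed = []
        for group in self.groups.values():
            for key_id, (_, created) in list(group["keys"].items()):
                if today - created > group["retention_days"]:
                    del group["keys"][key_id]
                    destroyed.append(key_id)
        return destroyed


def write_tape(km, drive, volser, plaintext, today):
    du_id, key_id = km.issue_key(drive, volser, today)
    nonce = os.urandom(12)
    return TapeRecord(du_id, key_id, nonce,
                      keystream_xor(km.fetch_key(drive, key_id), nonce, plaintext))


def read_tape(km, drive, rec):
    # The KeyID read back from the media is what the drive asks the OKM for.
    return keystream_xor(km.fetch_key(drive, rec.key_id), rec.nonce, rec.ciphertext)


def demo():
    km = KeyManager()
    km.add_group("Group1", retention_days=30)
    km.add_group("Group2", retention_days=3650)
    km.assign_drive("DriveA", {"Group1"}, default="Group1")
    km.assign_drive("DriveB", {"Group1", "Group2"}, default="Group1")
    km.assign_drive("DriveC", {"Group2"}, default="Group2")  # constructed extra drive
    tape1 = write_tape(km, "DriveA", "VOL001", b"30-day backup set", today=100)
    tape2 = write_tape(km, "DriveC", "VOL002", b"long-term archive", today=100)
    out = {"b_reads_tape1": read_tape(km, "DriveB", tape1),
           "b_reads_tape2": read_tape(km, "DriveB", tape2)}
    try:
        read_tape(km, "DriveA", tape2)
        out["a_reads_tape2"] = "allowed"
    except PermissionError:
        out["a_reads_tape2"] = "denied"
    out["destroyed"] = km.expire_keys(today=200)  # tape1's 30-day key is overdue
    try:
        read_tape(km, "DriveB", tape1)
        out["tape1_after_expiry"] = "readable"
    except KeyError:
        out["tape1_after_expiry"] = "unreadable"
    out["tape2_after_expiry"] = read_tape(km, "DriveB", tape2)
    return out
```

`demo()` walks the scenario end to end: Drive B reads both tapes, Drive A is refused the Group 2 key, and after the retention sweep the 30-day tape can no longer be decrypted by anyone while the archive tape still reads. Note that the tape record carries only `key_id`; a defender auditing such a system should expect the key to be retrievable solely from the (replicated) key manager, which is exactly why its backup and quorum procedures matter.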


Mirroring

• Key, policy and administration changes made in single OKM are automatically propagated to all parts of the cluster

• Key database is replicated across entire cluster

– Robust fault tolerance

• Any OKM can supply keys to any device in its cluster


Auditing and reporting

• GUI as the primary user interface to manage

– Audit Events

– OKMs

– SNMP Managers

– Agents

– Logs

– Users, Key groups and policies

• User can download info from list panels (View → Save Report)


Security

• Role & access control

• Hardened solution

– No other applications, patches/upgrades and/or administration settings to compromise security

• Dedicated key management and key transport (service) networks

• Conforms to stringent federal security certifications (FIPS 140-2 level 3)

• Strong key protection mechanisms

– Strong encryption (AES-256) end-to-end


Hardened key management appliance

• Security hardened appliance

– Hardened SPARC T7-1 server

– Hardened Solaris 11 OS

– FIPS compliant key generation with optional SCA 6000 card

• OKM hardware and software is engineered to work together.


Thank You for Your Attention!

The End ...


Safe Harbor Statement

The preceding is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
