data protection with oracle key managerkonferenz-nz.dlr.de/pages/storage2018/present/1... ·...

Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |

Data Protection with Oracle Key ManagerDr. Dirk GebhPrincipal Storage Sales ConsultantOracle DeutschlandJune 2018


Ntrqn

• Qngn cebgrpgvba naq nepuvivat

• Qngn rapelcgvoa

• Xrl znantszrag

• Benpvr xrl znantrzrag fbyhgvba


Ntrqn


• Qngn rapelcgvoa

• Xrl znantszrag


A B C D E F G H I J K L M N O P Q R S T U V W X Y Z


Ntrqn


• Qngn rapelcgvoa

• Xrl znantszrag


A B C D E F G H I J K L M N O P Q R S T U V W X Y ZA B C D E F G H I J K L M N O P Q R S T U V W X Y Z


Ntrqn


• Qngn rapelcgvoa

• Xrl znantszrag


A B C D E F G H I J K L M N O P Q R S T U V W X Y ZA B C D E F G H I J K L M N O P Q R S T U V W X Y ZA B C D E F G H I J K L M

N O P Q R S T U V W X Y Z


Ntrqn


• Qngn rapelcgvoa

• Xrl znantszrag


A B C D E F G H I J K L M N O P Q R S T U V W X Y ZA B C D E F G H I J K L M N O P Q R S T U V W X Y ZA B C D E F G H I J K L M

N O P Q R S T U V W X Y Z

Agenda

• Data protection and archiving

• Data encryption

• Key management

• Oracle key management solution


Agenda

• Data protection and archiving

• Data encryption

• Key management

• Oracle key management solution


Data Protection and Archiving

• Online storageBackupArchive

• Data retention time

• Sometimes data needs to be deleted immediately after data retention time


Data Encryption

Confidential – Oracle Internal/Restricted/Highly Restricted


Encryption

• Data encryption transforms plaintext into ciphertext

• Satisfy Customer or regulatory requirements

• Protection from both off-site and on-premise information loss

• Secure shipment of data

• Time-based data expiration

• Secure data disposal


It’s All About the Keys

• Encryption keys determine the functional output of an encryption algorithm

• Keys must be ‘strong’

– Randomly and securely generated

– Securely managed

– The longer the key length, the more secure the encryption method

• Advanced Encryption Standard (Rjindael)AES 256 is most secure encryption standard available today

– Symmetric, block cipher-based method

– 256 bit key length

– Substitution, permutation, XOR

– 14 round different keys (AES 256)

Lose the keys and you lose the data!


Best Practices for Key Management System

Keep Your Data Secure

Always Available•Redundant Servers•Backup/Recovery

Secure•Key Storage•Access Control

Scalable•Simple setup•Easy to use

Openly Architected•Standard protocols•Multiple end-points

Traceable•Auditing/reporting tools•Alerts


Oracle Key Manager 3

• Simple to Install and Operate

– Automated, policy-driven system

– Server, O/S, application neutral

• Secure

– Strongest encryption (AES-256) end-to-end

– Strong key protection mechanisms

– Conforms to federal security certifications (FIPS)

• Scalable

– Supports large sites & multiple storage technologies

– Easily adds more key management appliances, sites and drives

OKM is a cluster of servers (OKMs) managing keys for encrypting devices


OKM Architecture


Scalability

• Scales economically– Supports multiple sites/devices concurrently

– Tested with up to 2,000 drives and 1,000,000 keys

• Transparent/non-disruptive growth

– Add more OKM appliances, sites and drives as needed

• Flexible management

– Supports managing multi-site installation from any single location

– Supports multiple user roles


Oracle Key Manager 3 Components• Key management appliance (OKM)

– Solaris on SPARC T7-1 server

– Oracle key management software

– Hardware Security Module (optional)

• OKM cluster

– 2 to 20 OKMs, connected via Ethernet network

• OKM management server

– OKM management GUI

• Encryption end-points

– Tape drives

– ZFS

– Oracle Database

– Java applications

SPARC T7-1


Key Management Appliance

• Security-enhanced SPARC T7-1 server with a hardened solution

• Appliance device:

– Simple installation and automatic operation

– No OS/driver administration or maintenance is required

– Scales easily and transparently

• Runs independently of backup server, operating system, applications, and device drivers

• Cluster 2 to 20 OKMs together for high availability enterprise wide key management system

OKM 3


OKM 3 Encryption End Points

• Tape Drives– T10K A, B, C, D & T9840D

– LTO 4, 5, 6, 7

• Java Applications

– JCE Provider

• Oracle Database

– Transparent Database Encryption

• ZFS Storage– PKCS#11 Provider

– (The PKCS #11 standard defines a platform-independent API to cryptographic tokens)


Separate Key and Data Paths

• Key communication over dedicated Ethernet port

• Drive compresses data before encrypting

• Non-disruptive

– Coexist with non-encrypting devices

– No changes/awareness required in storage server and data network

Key

Data

OKM

Storage server

Encr

ypt

Com

press


Performance

• Data transfer rates are not affected by encryption– Encryption handled by the device

– No storage server CPU cycles used

• Dedicated key network

– No network contention

• Any OKM server can supply keys to any drive (in the same service network)

• Low key communication latency

– Typically less than 250ms

• Key pre-generation, caching & pre-fetch


Role Based Access Control (RBAC)

• Implementing a role-based access control model

• Users may be assigned one or more roles

• System operations assigned to roles

• Support for built-in (canned) roles

– Security Officer

– Compliance Officer

– Operator

– Backup Operator

– Auditor

– Quorum Member


Keys, KeyIDs and DataUnitID

• Each piece of media is identified by unique DataUnitID– Automatically generated at initial mount point

– Oracle Key Manager associates Volser with DataUnitID in internal database

– Allows user to select keys based on Volser for export/sharing

• Delivers policy-based access control on per tape basis

• Unique Key ID and Keys is supplied to drive from OKM as required

• KeyID is written to media along with each data block

• No encryption keys are stored on tape!

– OKM stores DataUnitID & KeyID/Key pairs in internal database


Key Groups

• Keys are organized into key groups

• Each key group has a key retention policy assigned

• Drives are assigned to key groups

• Drives can only access key groups they are assigned to: – Drive A cannot access keys in Group 2

– Drive B can access keys in Groups 1&2

• Drive needs to have default key group to be able to create new keys

– Both drives create new keys in Group 1


Mirroring

• Key, policy and administration changes made in single OKM are automatically propagated to all parts of the cluster

• Key database is replicated across entire cluster

– Robust fault tolerance

• Any OKM can supply keys to any device in its cluster


Auditing and reporting

• GUI as a primary user interface to manage– Audit Events

– OKMs

– SNMP Managers

– Agents

– Logs

– Users, Key groups and policies

• User can download info from list panels (View → Save Report)


Security

• Role & access control

• Hardened solution

– No other applications, patches/upgrades and/or administration settings to compromise security

• Dedicated key management and key transport (service) networks

• Conforms to stringent federal security certifications (FIPS 140-2 level 3)

• Strong key protection mechanisms– Strong encryption (AES-256) end-to-end


Hardened key management appliance

• Security hardened appliance – Hardened SPARC T7-1 server

– Hardened Solaris 11 OS

– FIPS compliant key generation with optional SCA 6000 card

• OKM hardware and software is engineered to work together.


Thank You for Your Attention !

The End ...


Safe Harbor Statement

The preceding is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.

data protection with oracle key managerkonferenz-nz.dlr.de/pages/storage2018/present/1... ·...

Documents