Security in a Cloudy Architecture
DESCRIPTION
As presented by Geri Born at Oracle Technology Network Architect Day, Dallas TX, May 13, 2010.
TRANSCRIPT
Security in a Cloudy Architecture
Geri Born
Enterprise Solutions Group
The following is intended to outline our general
product direction. It is intended for information
purposes only, and may not be incorporated into any
contract. It is not a commitment to deliver any
material, code, or functionality, and should not be
relied upon in making purchasing decisions.
The development, release, and timing of any
features or functionality described for Oracle’s
products remain at the sole discretion of Oracle.
© 2010 Oracle Corporation
Agenda
• Introduction
• Security Challenges
• Identity and Access Management
• Database Security
• Conclusion
• Q&A
© 2010 Oracle – Proprietary and Confidential
Enterprise Evolution to Cloud
(Diagram: three stages of evolution, from a silo'd grid, through a private cloud, to hybrid and public clouds, each running App1, App2 and App3 on Private IaaS and Private PaaS.)
Silo'd Grid
• Physical
• Dedicated
• Static
• Heterogeneous
Private Cloud
• Virtual
• Shared services
• Dynamic
• Standardized appliances
• Self-service
• Policy-based resource mgmt
• Chargeback
• Capacity planning
Hybrid and Public Clouds (IaaS, PaaS, SaaS; Virtual Private Cloud)
• Federation with public clouds
• Interoperability
• Cloud bursting
Key Barriers to Cloud Computing
74% rate cloud security issues as "very significant" (Source: IDC)
• Data privacy
• Compliance
• Access control
Cloud Security Challenges
(Diagram: challenges arranged along the Private Cloud, Hybrid Cloud and Public Cloud spectrum.)
• Data breaches
• Multi-tenancy
• Data location
• Compliance
• IT agility
• B2B collab
• Access control complexity
• Privileged user access
• Interop
• User experience
• Workload portability
• SLA
Cloud Architecture & Management
(Diagram: two layers.)
Cloud Management Layer
• Self Service Interface, Self Service Provisioning
• Assembly Builder, Software Library
• Chargeback & Capacity Planning
• Policy Manager (SLA Mgmt, DRS, DPM)
• Monitoring, Provisioning, Config. Mgmt.
• Integrate with external billing system
• Integrate with external CMDB
• Oracle Virtualization Plugin; External Cloud Plugin (e.g., Amazon)
Cloud Infrastructure Layer
• Zone A, Zone B
• Server Pool: tightly coupled cluster (HA, Live Migration)
• Server Pool: loose grouping of individual machines (no HA or Live Migration)
• Storage Arrays (some optional)
Enterprise Architecture: Process for Securing the Cloud
(Diagram: a four-step enterprise architecture process. Two figures of a legacy application landscape, a dense mesh of point-to-point integrations between business systems and channels such as call centres, IVR, PKI and bank interfaces, illustrate the starting point, labelled "Complexity" and "Transitional Security"; the end state is labelled "IT-as-a-Service".)
Pt. to Pt. Integrations: SFA, Product, LMS, Inv Mgmt, B2B, SCM, Product DB, ERP and MES systems, each with Dev, Test, Stage and Prod instances and its own Security
Optimized IT Core: Service Group A, B and C, each on a Data Grid and an Application Grid, with a shared Integration Layer and Security Layer
Governance Model: Align Business & IT; Focus on Future State; Repeatable, Iterative Approach
The Oracle-Sun Red Stack
(Diagram: layered stack, with Virtualization spanning the layers.)
Applications: Oracle Applications, Third Party Applications, ISV Applications
Platform as a Service
• Shared Services: Integration: SOA Suite; Security: Identity Mgmt; Process Mgmt: BPM Suite; User Interaction: WebCenter
• Application Grid: WebLogic Server, Coherence, Tuxedo, JRockit
• Database Grid: Oracle Database, RAC, ASM, Partitioning, IMDB Cache, Active Data Guard, Database Security
Infrastructure as a Service
• Operating Systems: Oracle Enterprise Linux, Oracle Solaris
• Oracle VM for x86, Oracle VM for SPARC (LDom), Solaris Containers
• Servers, Storage
Cloud Management
• Oracle Enterprise Manager: Configuration Mgmt, Lifecycle Management, Application Performance Management, Application Quality Management
• Physical and Virtual Systems Management: Ops Center
Connect Policies to Controls
Service-Oriented Security: Identity Services for the Cloud
(Diagram: Oracle Identity Management exposes identity services over Web Services to Oracle Apps, 3rd Party/Custom Apps and Cloud Service Providers.)
Services: Federation, Authorization, Authentication, Directory Services, Role Management, Identity Administration
• Enable IDM functionality - FW
• Discrete, easily consumable services
• Rapid app security, improved IT agility
• Security woven into applications
Identity Management Challenges in the Private Cloud
Mind The Gap
Cloud model requires identity infrastructure:
• Service-oriented
• Standards-based
• Loosely coupled
Identity Management Considerations in the Public Cloud
(Diagram: three parties, IAM Service Provider, Business Service Provider and Business Service Consumer, linked by Identity Admin, Identity Assurance and Identity Federation.)
• User lifecycle mgmt
• Federated authN
• Fraud prevention & risk mitigation
• Comprehensive lifecycle admin & mgmt
• Delegated admin & self-service reduce overhead
• Automated compliance reporting
User Provisioning
(Diagram: Oracle Identity Manager provisioning an App.)
• Self Registration
• Provisioning
• Integration Framework with Adapter Factory
• Audit, Reporting, Attestation
Entitlements Management
(Diagram: Oracle Access Management Suite provides centralized administration and distributed enforcement of fine-grained authorization for custom apps used by customers, partners and employees.)
• Externalization of authZ policy mgmt
• Distributed policy enforcement
• FGA (fine-grained authorization)
Identity Federation: Federated Single Sign-On
(Diagram: Oracle Identity Federation links On-Premise Applications with Cloud Applications, Portals/SharePoint, Business Affiliates/Subsidiaries and Employees/Partners/Customers over SAML 1.x, SAML 2.0, Windows CardSpace, WS-Fed and OpenID.)
• SSO between on-premise & cloud apps
• Standards-based federation enables interop
• Rapid deployment
Identity Assurance: Risk-Based Access Control
(Diagram: Oracle Access Management Suite sits between Employees/Partners/Customers, and a Fraudster, and the Cloud Apps and On-Premise Apps; Risk Scoring draws on Device, Geography, Time and Activity.)
• Out-of-band authN
• Identity proofing
• Real-time fraud prevention
• Secure Mutual Authentication
• Risk-Based Authorization
• Risk Scoring
Multi-Tenant Data Management
(Diagram: three tenancy options on a RISK axis: Option 1 Shared (Virtualized) Hardware, Option 2 Shared Database, Option 3 Shared Schema.)
• Privileged database user
• Lost backups containing sensitive data or PII
• Application exploits & by-pass
• Regulatory infractions
Database Security Defense-In-Depth
Monitoring
• Audit Vault
• Configuration Management
• Total Recall
Access Control
• Database Vault
• Label Security
Encryption & Masking
• Advanced Security
• Secure Backup
• Data Masking
User/Role Management
• Oracle Identity Management
Oracle Advanced Security: Comprehensive Standards-Based Encryption
(Diagram: data encrypted on Disk, in Backups, in Exports and at Off-Site Facilities.)
• Data stays encrypted when backed up
• Encryption for data in transit
• Strong authN of users & servers
Oracle Data Masking: Irreversible De-Identification
• Remove sensitive data from non-prod DBs
• Ref Integ preserved
• Sensitive data never leaves the database
Production
LAST_NAME    SSN          SALARY
AGUILAR      203-33-3234  40,000
BENSON       323-22-2943  60,000
Non-Production (masked)
LAST_NAME    SSN          SALARY
ANSKEKSL     111-23-1111  60,000
BKJHHEIEDK   222-34-1345  40,000
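The two masking requirements above (irreversible de-identification that still preserves referential integrity) worked through as an added example; this is not Oracle Data Masking's code. It assumes a constructed customer table with a child orders table keyed on SSN, and uses a keyed one-way hash (HMAC-SHA256) as the masking function.

```python
import hashlib
import hmac
import re
import string
# Constructed sample data (not from the slide): a production customer table
# and a child table that references customers by SSN (the foreign key).
PROD_CUSTOMERS = [
    {"LAST_NAME": "AGUILAR", "SSN": "203-33-3234", "SALARY": 40000},
    {"LAST_NAME": "BENSON", "SSN": "323-22-2943", "SALARY": 60000},
]
PROD_ORDERS = [
    {"ORDER_ID": 1, "CUST_SSN": "203-33-3234"},
    {"ORDER_ID": 2, "CUST_SSN": "323-22-2943"},
    {"ORDER_ID": 3, "CUST_SSN": "203-33-3234"},
]

def _digest(key: bytes, column: str, value: str) -> bytes:
    # Keyed one-way hash: the same input always maps to the same output within
    # one run (so parent and child rows stay linked), but nothing maps back.
    # The key is discarded after the non-production copy is produced.
    return hmac.new(key, f"{column}:{value}".encode(), hashlib.sha256).digest()

def mask_ssn(key: bytes, ssn: str) -> str:
    # Format-preserving: keeps the NNN-NN-NNNN shape the application expects.
    digits = "".join(str(b % 10) for b in _digest(key, "SSN", ssn)[:9])
    return f"{digits[:3]}-{digits[3:5]}-{digits[5:]}"

def mask_name(key: bytes, name: str) -> str:
    # Same length, uppercase letters only (names over 32 chars are truncated).
    raw = _digest(key, "LAST_NAME", name)[: len(name)]
    return "".join(string.ascii_uppercase[b % 26] for b in raw)

def mask_dataset(key: bytes, customers: list, orders: list) -> tuple:
    # Apply the same keyed mapping to every column that carries the SSN.
    masked_customers = [
        {**row, "LAST_NAME": mask_name(key, row["LAST_NAME"]),
         "SSN": mask_ssn(key, row["SSN"])}
        for row in customers
    ]
    masked_orders = [{**row, "CUST_SSN": mask_ssn(key, row["CUST_SSN"])} for row in orders]
    return masked_customers, masked_orders

def looks_like_ssn(value: str) -> bool:
    return re.fullmatch(r"\d{3}-\d{2}-\d{4}", value) is not None

def referential_integrity_ok(customers: list, orders: list) -> bool:
    # Every order must still resolve to an existing customer after masking.
    keys = {row["SSN"] for row in customers}
    return all(row["CUST_SSN"] in keys for row in orders)
```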
Oracle Database Vault: Privileged User Access Control & Multi-Factor Authorization
(Diagram: a DBA issuing "select * from finance.customers" against application data in Procurement, HR and Finance.)
• Privileged DB users perform admin
• Address SoD (separation of duties) requirements
• Enforce security policies & block unauthorized DB activities
Oracle Configuration Management: Vulnerability Assessment & Secure Configuration
• DB discovery
• Continuous scanning against best practices & industry standards
• Detect & prevent unauthorized config changes
• Change mgmt compliance reports
(Diagram: a Discover, Classify, Assess, Monitor, Prioritize, Fix cycle spanning Asset Management, Policy Management, Vulnerability Management, Configuration Management & Audit, and Analysis & Analytics.)
Oracle Security Solutions
• Enforce Controls
• Streamline Processes
• Monitor Controls
• Automate Reporting
Regulatory Considerations for Cloud Security