Security in a Cloudy Architecture

Geri Born, Enterprise Solutions Group

Upload: bob-rhubart

Post on 06-May-2015

DESCRIPTION

As presented by Geri Born at Oracle Technology Network Architect Day, Dallas TX, May 13, 2010.

TRANSCRIPT

Page 1: Security in a Cloudy Architecture

Security in a Cloudy Architecture

Geri Born

Enterprise Solutions Group

Page 2: Security in a Cloudy Architecture

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remain at the sole discretion of Oracle.

© 2010 Oracle Corporation

Page 3: Security in a Cloudy Architecture

Agenda

• Introduction

• Security Challenges

• Identity and Access Management

• Database Security

• Conclusion

• Q&A

© 2010 Oracle – Proprietary and Confidential

Page 4: Enterprise Evolution to Cloud

Diagram: enterprise infrastructure evolving from silo'd systems, through a grid and a private cloud (Private IaaS and Private PaaS hosting App1, App2 and App3), to a hybrid model that spans a Virtual Private Cloud and Public Clouds (IaaS, PaaS, SaaS). The private cloud evolution and the public cloud evolution converge in the hybrid stage.

Silo'd

• Physical

• Dedicated

• Static

• Heterogeneous

Grid

• Virtual

• Shared services

• Dynamic

• Standardized appliances

Private Cloud

• Self-service

• Policy-based resource mgmt

• Chargeback

• Capacity planning

Hybrid

• Federation with public clouds

• Interoperability

• Cloud bursting

Page 5: Key Barriers to Cloud Computing

74% rate cloud security issues as "very significant" (Source: IDC)

• Data privacy

• Compliance

• Access control

Page 6: Cloud Security Challenges

Challenges across the Private Cloud, Hybrid Cloud and Public Cloud models:

• Data breaches

• Multi-tenancy

• Data location

• Compliance

• IT agility

• B2B collab

• Access control complexity

• Privileged user access

• Interop

• User experience

• Workload portability

• SLA

Page 7: Cloud Architecture & Management

Diagram of two layers:

Cloud Management Layer

• Self Service Interface and Self Service Provisioning

• Assembly Builder and Software Library

• Policy Manager (SLA Mgmt, DRS, DPM)

• Chargeback & Capacity Planning

• Monitoring, Provisioning, Config. Mgmt.

• Integration with an external billing system and an external CMDB

• Oracle Virtualization Plugin and External Cloud Plugin (e.g., Amazon)

Cloud Infrastructure Layer

• Zone A and Zone B, each built from server pools and storage arrays

• Server Pool: tightly coupled cluster (HA, Live Migration), backed by a Storage Array

• Server Pool: loose grouping of individual machines (no HA or Live Migration), Storage Array optional

Page 8: Enterprise Architecture: Process for Securing the Cloud

Diagram: a four-step enterprise architecture roadmap, with Security marked as a concern at every step. It starts from today's Complexity (a sprawl of line-of-business systems with point-to-point integrations and security handled application by application across Dev, Test, Stage and Prod environments), passes through a Transitional stage, reaches an Optimized IT Core (Service Groups A, B and C running on Application Grids and Data Grids behind a shared Integration Layer and Security Layer), and ends in IT-as-a-Service.

Governance Model: Align Business & IT, Focus on Future State, Repeatable, Iterative Approach.

Page 9: The Oracle-Sun Red Stack

Diagram of the stack, with Cloud Management and Virtualization shown alongside the layers:

Applications: Oracle Applications, Third Party Applications, ISV Applications

Platform as a Service

• Shared Services: Integration (SOA Suite), Security (Identity Mgmt), Process Mgmt (BPM Suite), User Interaction (WebCenter)

• Application Grid: WebLogic Server, Coherence, Tuxedo, JRockit

• Database Grid: Oracle Database, RAC, ASM, Partitioning, IMDB Cache, Active Data Guard, Database Security

Infrastructure as a Service

• Operating Systems: Oracle Enterprise Linux, Oracle Solaris

• Virtualization: Oracle VM for x86, Oracle VM for SPARC (LDom), Solaris Containers

• Servers and Storage

• Physical and Virtual Systems Management: Ops Center

Cloud Management: Oracle Enterprise Manager (Configuration Mgmt, Lifecycle Management, Application Performance Management, Application Quality Management)

Connect Policies to Controls

Page 10: Agenda (section divider, repeated from Page 3; next section: Identity and Access Management)

Page 11: Service-Oriented Security: Identity Services for the Cloud

Diagram: Oracle Identity Management exposes identity services (Federation, Authorization, Authentication, Directory Services, Role Management, Identity Administration) as Web Services consumed by Oracle Apps, 3rd Party/Custom Apps and Cloud Service Providers.

• Enable IDM functionality - FW

• Discrete, easily consumable services

• Rapid app security, improved IT agility

• Security woven - applications

Page 12: Identity Management Challenges in the Private Cloud

Mind The Gap

Cloud model requires identity infrastructure:

• Service-oriented

• Standards-based

• Loosely coupled

Page 13: Identity Management Considerations in the Public Cloud

Diagram: an IAM Service Provider, a Business Service Provider and a Business Service Consumer, each with Identity Admin and Identity Assurance functions, linked through Identity Federation.

• User lifecycle mgmt

• Federated authN

• Fraud prevention & risk mitigation

Page 14: User Provisioning

Diagram: Oracle Identity Manager with Self Registration, Provisioning, an Integration Framework with Adapter Factory, and Audit, Reporting, Attestation.

• Comprehensive lifecycle admin & mgmt

• Delegated admin & self-service reduce overhead

• Automated compliance reporting

Page 15: Entitlements Management

Diagram: Oracle Access Management Suite provides Fine-grained Authorization with Centralized Administration and Distributed Enforcement for Apps, Web Services, Portals/SharePoint and Custom Apps used by Customers, Partners and Employees.

• Externalization of authZ policy mgmt

• Distributed policy enforcement

• FGA (fine-grained authorization)

Page 16: Identity Federation: Federated Single Sign-On

Diagram: Oracle Identity Federation links On-Premise Applications and Cloud Applications for Employees/Partners/Customers and Business Affiliates/Subsidiaries, using SAML 1.x, SAML 2.0, Windows CardSpace, WS-Fed and OpenID.

• SSO between on-premise & cloud apps

• Standards-based federation enables interop

• Rapid deployment

Page 17: Identity Assurance: Risk-Based Access Control

Diagram: Oracle Access Management Suite computes a Risk Score from Device, Geography, Time and Activity, then applies Secure Mutual Authentication and Risk-Based Authorization to Employees/Partners/Customers (and to a Fraudster) accessing Cloud Apps and On-Premise Apps.

• Out-of-band authN

• Identity proofing

• Real-time fraud prevention
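Added example, not part of the deck and not Oracle's scoring model: a constructed Python risk scorer that weighs the slide's four factors (Device, Geography, Time, Activity) and maps the score to allow, step-up with out-of-band authN, or block. The profile and event fields, weights and thresholds are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Constructed "normal" profile for one user and constructed access events; the
# fields, weights and thresholds are assumptions for illustration.
@dataclass
class UserProfile:
    user: str
    known_devices: set = field(default_factory=set)
    usual_countries: set = field(default_factory=set)
    usual_hours: range = range(7, 20)   # local working hours
    recent_failures: int = 0            # failed attempts in the current window

@dataclass
class AccessEvent:
    user: str
    device_id: str
    country: str
    hour: int                           # local hour of day, 0..23
    action: str                         # e.g. "login", "wire_transfer"

HIGH_VALUE_ACTIONS = {"wire_transfer", "change_password", "export_report"}

def risk_score(profile: UserProfile, ev: AccessEvent) -> int:
    """Weighted sum of the slide's four factors (Device, Geography, Time,
    Activity); higher is riskier, capped at 100."""
    score = 0
    if ev.device_id not in profile.known_devices:
        score += 30                                   # Device
    if ev.country not in profile.usual_countries:
        score += 35                                   # Geography
    if ev.hour not in profile.usual_hours:
        score += 15                                   # Time
    if ev.action in HIGH_VALUE_ACTIONS:
        score += 10                                   # Activity: sensitive op
    score += min(profile.recent_failures * 10, 20)    # Activity: failed attempts
    return min(score, 100)

def decide(profile: UserProfile, ev: AccessEvent) -> str:
    """Map the score to a control: allow, step-up (out-of-band authN such as a
    one-time code sent over a second channel) or block."""
    s = risk_score(profile, ev)
    if s >= 70:
        return "block"
    if s >= 30:
        return "step-up"
    return "allow"
```

A real deployment would feed the score from device fingerprinting, geo-IP and behavioural baselines rather than static sets, and would log every step-up and block decision for the fraud team.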

Page 18: Agenda (section divider, repeated from Page 3; next section: Database Security)

Page 19: Multi-Tenant Data Management

Risks:

• Privileged database user

• Lost backups containing sensitive data or PII

• Application exploits & by-pass

• Regulatory infractions

Tenant isolation options, shown against a RISK axis:

• Option 1: Shared (Virtualized) Hardware

• Option 2: Shared Database

• Option 3: Shared Schema

Page 20: Database Security Defense-In-Depth

Monitoring

• Audit Vault

• Configuration Management

• Total Recall

Access Control

• Database Vault

• Label Security

Encryption & Masking

• Advanced Security

• Secure Backup

• Data Masking

User/Role Management

• Oracle Identity Management

Page 21: Oracle Advanced Security: Comprehensive Standards-Based Encryption

Diagram: data kept encrypted on Disk, in Backups and Exports, and at Off-Site Facilities.

• Data stays encrypted when backed up

• Encryption for data in transit

• Strong authN of users & servers

Page 22: Oracle Data Masking: Irreversible De-Identification

• Remove sensitive data from non-prod DBs

• Ref Integ preserved

• Sensitive data never leaves the database

Production

LAST_NAME | SSN | SALARY
AGUILAR | 203-33-3234 | 40,000
BENSON | 323-22-2943 | 60,000

Non-Production (masked)

LAST_NAME | SSN | SALARY
ANSKEKSL | 111-23-1111 | 60,000
BKJHHEIEDK | 222-34-1345 | 40,000
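Added example, not from the deck and not Oracle Data Masking's own algorithm: a constructed Python masking routine over tables modelled on the slide, plus a constructed PAYROLL table that references EMPLOYEES by SSN. It shows the two properties the slide claims: a keyed, per-run digest keeps the foreign-key column joinable across tables (referential integrity) while discarding the key makes the mapping irreversible, and shuffling SALARY keeps the distribution but breaks the link to a person.

```python
import hashlib
import hmac
import random
import secrets
import string

# Constructed data modelled on the slide's production table, plus a constructed
# PAYROLL table that references EMPLOYEES by SSN (foreign key).
EMPLOYEES = [
    {"LAST_NAME": "AGUILAR", "SSN": "203-33-3234", "SALARY": 40000},
    {"LAST_NAME": "BENSON", "SSN": "323-22-2943", "SALARY": 60000},
]
PAYROLL = [{"SSN": "203-33-3234", "PERIOD": "2010-04"},
           {"SSN": "323-22-2943", "PERIOD": "2010-04"}]

def _digest(key: bytes, column: str, value: str) -> bytes:
    # Keyed digest: same input -> same output within one run (join columns stay
    # consistent); once the key is discarded the mapping cannot be reversed.
    return hmac.new(key, f"{column}:{value}".encode(), hashlib.sha256).digest()

def mask_name(key: bytes, value: str) -> str:
    d = _digest(key, "LAST_NAME", value)
    return "".join(string.ascii_uppercase[b % 26] for b in d[:len(value)])

def mask_ssn(key: bytes, value: str) -> str:
    # Format-preserving: keep the NNN-NN-NNNN layout, replace every digit.
    d = _digest(key, "SSN", value)
    digits = iter(str(b % 10) for b in d)
    return "".join(next(digits) if ch.isdigit() else ch for ch in value)

def mask_dataset(employees, payroll, key=None, rng=None):
    key = key or secrets.token_bytes(32)   # per-run key, never persisted
    rng = rng or random.Random()
    # Shuffle salaries between rows: the distribution survives for testing,
    # the link between a salary and a person does not.
    salaries = [e["SALARY"] for e in employees]
    rng.shuffle(salaries)
    masked_emp = [{"LAST_NAME": mask_name(key, e["LAST_NAME"]),
                   "SSN": mask_ssn(key, e["SSN"]), "SALARY": s}
                  for e, s in zip(employees, salaries)]
    masked_pay = [{**p, "SSN": mask_ssn(key, p["SSN"])} for p in payroll]
    return masked_emp, masked_pay

def referential_integrity_ok(employees, payroll) -> bool:
    # Every child row must still point at an existing parent row.
    keys = {e["SSN"] for e in employees}
    return all(p["SSN"] in keys for p in payroll)
```

The masked output still leaks name length and the SSN layout, which is usually acceptable for test data; if it is not, pad or fully regenerate those columns instead.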

Page 23: Oracle Database Vault: Privileged User Access Control & Multi-Factor Authorization

Diagram: an Application accesses the Procurement, HR and Finance data, while a DBA issuing select * from finance.customers is shown against the Finance data, illustrating the privileged-user access the product is meant to control.

• Privileged DB users perform admin

• Address SoD reqmts

• Enforce security policies & block unauth DB activities

Page 24: Oracle Configuration Management: Vulnerability Assessment & Secure Configuration

• DB discovery

• Continuous scanning against best practices & industry standards

• Detect & prevent unauthZ config changes

• Change mgmt compliance reports

Diagram: a lifecycle of Discover, Classify, Assess, Monitor, Prioritize and Fix, supported by Asset Management, Policy Management, Configuration Management & Audit, Vulnerability Management, and Analysis & Analytics.

Page 25: Agenda (section divider, repeated from Page 3; next section: Conclusion)

Page 26: Regulatory Considerations for Cloud Security

Diagram: Oracle Security Solutions as a cycle of Enforce Controls, Streamline Processes, Monitor Controls and Automate Reporting.

Page 27: Security in a Cloudy Architecture
