oracle key vault...engineered systems oracle exadata smart scans high-availability clusters oracle...

Copyright © 2015 Oracle and/or its affiliates. All rights reserved.

Oracle Key Vault Centralized Key and Wallet Management

Rainer Meisriemler Leitender Systemberater Tel: 0711/72840162 Email: [email protected]


Safe Harbor Statement

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.

3


Agenda

1

2

Herausforderungen mit Verschlüsselung und Key Management

Zentralisiertes Key Management mit Oracle Key Vault

Supported use cases

Zusammenfassung

Q&A

3

4

4

5


Agenda

1

2



Supported use cases

Zusammenfassung

Q&A

3

5

4

5


Regulatory Drivers

3.5 Store cryptographic keys in a secure form (3.5.2), in the fewest possible locations (3.5.3) and with access restricted to the fewest possible custodians (3.5.1)

3.6 Verify that key-management procedures are implemented for

periodic key changes (3.6.4) And more!

PCI DSS v3.0 November 2013

6 6

Copyright © 2015 Oracle and/or its affiliates. All rights reserved. 7

The Challenges of Key Management

Management

• Verbreitung von Encryption wallets und Keys

• Authorized sharing of keys

• Key Verfügbarkeit und Sicherung

• Historisierung der Keys und Key-files

Regulations

• Physikalisch Trennung der Keys von den Daten

• Periodische Key Rotations

• Monitoring und Auditing der Keys

• Langfristige Aufbewahrung der Keys und Daten


Management Challenges:

8

Primary Data Center

Failover Data Center


Agenda

1

2



Supported use cases

Zusammenfassung

Q&A

3

9

4

5


Oracle Advanced Security Transparent Data Encryption (TDE)

10

Disks

Exports

Off-Site Facilities

• Verschlüsselung auf Spalten oder Tablespace Ebene

• Schützt Databank Files auf Disk und Backups

• High-speed performance

• Integriert mit allen Oracle DB Optionen

• Transparent für alle Applikationen, keine Änderung nötig

Applications

Encrypted Data

Backups

Clear Data

d$f8#; !90Wz Yg#3R qR+% @Ue#3

R+%K# *HH$7 #9Vlka


TDE Key Architecture

11

• Data encryption keys werden von TDE automatisch erzeugt und verwaltet

• Der Master encryption key dient zur Verschlüsselung der eigentlichen Encryption keys für die Daten

• Der Master Key wird normalerweise im Oracle Wallet oder Oracle Key Vault gespeichert.

Oracle Key Vault

Oracle Wallet

Tablespace Key

Table Key

Master Key

TDE Encrypted Columns

TDE Encrypted Tablespace

OR


TDE Integration with Oracle Database

12

Database Products and Technologies Example Points of Integration TDE

Support

Engineered Systems Oracle Exadata Smart Scans

High-Availability Clusters Oracle Real Application Clusters (RAC), Active Data Guard

Backup and Restore Oracle Recovery Manager (RMAN), Oracle Secure Backup

Export and Import Oracle Data Pump Export and Import

Pluggable Databases Oracle Multitenant Option

Database Replication Oracle Golden Gate

Storage Management Oracle Automatic Storage Management (ASM)

Data Compression Oracle Advanced Compression

* Integration with TDE tablespace encryption and/or key management as of Oracle Database 12c


Common Use Case

13

Oracle Confidential – Restricted

Key Constituents: • 20+ EBS databases

Average size 1- 1.5TB

• 20+ Non-EBS databases From 500MB to 5TB

• 10-30 RAC databases • 10 DataGuard

databases (3 active) • RMAN and Data

Pump • EM 12c/13c

Primary DataCenter Secondary DataCenter

Active Data Guard X 4 - 2

512 GB X 4 - 2

512 GB

Non - Production

Production Production - DR

Production

Active Data Guard

X 5 - 2 1024 GB

All Oracle Databases

( Shared )

Flex Config

X 4 - 2 & X 5 - 2

3584 GB

All Oracle DG Databases

( Shared )

All Oracle Databases ( Shared )

Data Warehouse ( Only )


Key Management with Oracle Key Vault

• Zentrale Verwaltung von Keys, Oracle Wallets, Java Keystores, credential files (z.B. SSH Keys, Kerberos Files) und mehr

• Optimiert für den Oracle Stack (Database, Middleware, Systems) z.B. Advanced Security

• Robust, sicher und Standard basierender (OASIS KMIP) Key Manager

14


Oracle Key Vault High-Level Architecture

Standby

Administration Console, Alerts,

Reports

Secure Backups

= Credential File

= Oracle Wallet

= Server Password = Java Keystore

= Certificate

Databases

Servers

Middleware

15


Agenda

1

2



Supported use cases

Zusammenfassung

Q&A

3

16

4

5


Oracle Advanced Security Transparent Data Encryption (TDE) Oracle Wallet Upload/Download Scenarios

17

Single Instance

GoldenGate

Multiple DBs Same Machine

RAC

Data Guard


Oracle Key Vault High-Level Architecture

Standby

Administration Console, Alerts, Reports

Secure Backups

= Credential File

= Oracle Wallet

= Server Password = Java Keystore

= Certificate

Databases

Servers

Middleware

18


Oracle Advanced Security Transparent Data Encryption (TDE) Online Master Key Scenarios

19

Single Instance

Multiple DBs Same Machine

RAC

Data Guard

GoldenGate


Oracle Key Vault Software Appliance Platform

• Full-stack solution basierend auf einer gehärteten Konfiguration – Einfachst zu installieren, konfigurieren, auszurollen und zu Patchen

– Open x86-64 Hardware benötigt

• Integrierte Nutzung der Oracle Database Security Optionen – Transparent Data Encryption, Database Vault

• Separation of duties für Admin User

• Auditing und Alerts

• Preconfigured Out-Of-The-Box Reports

20


Konfiguration und Verwalten der Endpoints

21

1. One-time enrollment token

2. Endpoint package

3. Endpoint installation and configuration 4. Results: Endpoint

certificate, binaries and configuration file

5. Sharing


Management Berichte – Endpoint Activity

22


Endpoint Entitlement Endpoint Entitlement Summary View Endpoint Entitlement Details

23


Aktivitäten

24


Agenda

1

2



Supported use cases

Zusammenfassung

Q&A

3

25

4

5


Oracle Key Vault Ecosystem Supported Endpoints

26

Oracle Wallet Upload & Download

Oracle Database TDE Direct

Connect

ASM Storage Nodes

ASM Cluster File Systems (Encrypted) Direct Connect

Credential File Upload & Download

Java Keystore Upload & Download


Zusammenfassung Oracle Key Vault

Modernes, skalierbares und robustes Key Management

Sichern, gemeinsames Nutzen und Verwalten von Keys und Credentials

Verwaltet Oracle Wallets und Java Keystores (+++ )

Optimiert für die Oracle Db mit Oracle Advanced Security TDE

Schlüsselfertige Software Appliance

Open industry standards basiert

Engineered für den Oracle stack

27

oracle key vault...engineered systems oracle exadata smart scans high-availability clusters oracle...

Documents