Copyright © 2015 Oracle and/or its affiliates. All rights reserved.
Oracle Key Vault Centralized Key and Wallet Management
Rainer Meisriemler, Senior Systems Consultant, Tel: 0711/72840162, Email: [email protected]
Safe Harbor Statement
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
Agenda
1. Challenges with encryption and key management
2. Centralized key management with Oracle Key Vault
3. Supported use cases
4. Summary
5. Q&A
Regulatory Drivers
PCI DSS v3.0, November 2013:
• 3.5 Store cryptographic keys in a secure form (3.5.2), in the fewest possible locations (3.5.3) and with access restricted to the fewest possible custodians (3.5.1)
• 3.6 Verify that key-management procedures are implemented for periodic key changes (3.6.4)
• And more!
The Challenges of Key Management
Management
• Proliferation of encryption wallets and keys
• Authorized sharing of keys
• Key availability and backup
• History of keys and key files
Regulations
• Physical separation of the keys from the data
• Periodic key rotation
• Monitoring and auditing of keys
• Long-term retention of keys and data

Management Challenges:
(figure: Primary Data Center, Failover Data Center)
Oracle Advanced Security Transparent Data Encryption (TDE)
• Encryption at column or tablespace level
• Protects database files on disk and in backups
• High-speed performance
• Integrated with all Oracle DB options
• Transparent to all applications, no changes needed
(figure: Applications work with Clear Data; Encrypted Data on Disks, in Exports and Backups, and at Off-Site Facilities)
TDE Key Architecture
• Data encryption keys are generated and managed automatically by TDE
• The master encryption key is used to encrypt the actual encryption keys for the data
• The master key is normally stored in an Oracle Wallet or in Oracle Key Vault.
(figure: Master Key held in Oracle Wallet OR Oracle Key Vault; Table Key for TDE Encrypted Columns, Tablespace Key for TDE Encrypted Tablespace)
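Added example, not from the deck or from Oracle: the two-tier hierarchy above modelled in Ruby with AES-256-GCM from the standard openssl library. The master key, which in the product lives in the wallet or in Key Vault, wraps the tablespace key; the tablespace key encrypts the rows; rotating the master rewraps only the wrapped key, so the rows are not re-encrypted. The module and method names and the blob layout are this example's own, not TDE's formats.

```ruby
require "openssl"

# Model of the TDE two-tier key hierarchy with AES-256-GCM: the master key (held in
# the wallet or in Key Vault) wraps each tablespace key, which encrypts the rows.
module TdeKeyModel
  NONCE_LEN, TAG_LEN = 12, 16

  def self.new_key
    OpenSSL::Random.random_bytes(32)
  end

  # Returns nonce || ciphertext || tag so the blob carries what unseal needs.
  def self.seal(key, plaintext)
    c = OpenSSL::Cipher.new("aes-256-gcm").encrypt
    c.key = key
    c.iv = nonce = OpenSSL::Random.random_bytes(NONCE_LEN)
    nonce + c.update(plaintext) + c.final + c.auth_tag
  end

  # Reverse of seal; a wrong key or tampered bytes raise OpenSSL::Cipher::CipherError.
  def self.unseal(key, blob)
    raise ArgumentError, "ciphertext too short" if blob.bytesize < NONCE_LEN + TAG_LEN
    c = OpenSSL::Cipher.new("aes-256-gcm").decrypt
    c.key = key
    c.iv = blob.byteslice(0, NONCE_LEN)
    c.auth_tag = blob.byteslice(-TAG_LEN, TAG_LEN)
    c.update(blob.byteslice(NONCE_LEN, blob.bytesize - NONCE_LEN - TAG_LEN)) + c.final
  end

  # A tablespace stores its key only wrapped under the master key, never in clear.
  Tablespace = Struct.new(:wrapped_key, :data)
  def self.encrypt_tablespace(master, rows)
    k = new_key
    Tablespace.new(seal(master, k), seal(k, rows))
  end

  # Without the right master key the wrapped key, and so the data, stays opaque.
  def self.decrypt_tablespace(master, ts)
    unseal(unseal(master, ts.wrapped_key), ts.data)
  end

  # Rotation rewraps only the tablespace key; the encrypted rows are untouched, which is
  # what keeps the periodic master key change (PCI DSS 3.6.4) cheap. Returns the new master.
  def self.rotate_master(master, ts)
    k = unseal(master, ts.wrapped_key)
    fresh = new_key
    ts.wrapped_key = seal(fresh, k)
    fresh
  end
end
```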
TDE Integration with Oracle Database
Database Products and Technologies   Example Points of Integration
Engineered Systems                   Oracle Exadata Smart Scans
High-Availability Clusters           Oracle Real Application Clusters (RAC), Active Data Guard
Backup and Restore                   Oracle Recovery Manager (RMAN), Oracle Secure Backup
Export and Import                    Oracle Data Pump Export and Import
Pluggable Databases                  Oracle Multitenant Option
Database Replication                 Oracle GoldenGate
Storage Management                   Oracle Automatic Storage Management (ASM)
Data Compression                     Oracle Advanced Compression
* Integration with TDE tablespace encryption and/or key management as of Oracle Database 12c
Common Use Case
Oracle Confidential – Restricted
Key constituents:
• 20+ EBS databases, average size 1-1.5 TB
• 20+ non-EBS databases, from 500 MB to 5 TB
• 10-30 RAC databases
• 10 Data Guard databases (3 active)
• RMAN and Data Pump
• EM 12c/13c
(figure: Primary DataCenter and Secondary DataCenter; X4-2 and X5-2 systems with 512 GB, 1024 GB and 3584 GB; Production, Production-DR, Non-Production, Data Warehouse (only), All Oracle Databases (shared), All Oracle DG Databases (shared), Active Data Guard, Flex Config)
Key Management with Oracle Key Vault
• Central management of keys, Oracle Wallets, Java Keystores, credential files (e.g. SSH keys, Kerberos files) and more
• Optimized for the Oracle stack (Database, Middleware, Systems), e.g. Advanced Security
• Robust, secure and standards-based (OASIS KMIP) key manager
Oracle Key Vault High-Level Architecture
(figure: Oracle Key Vault with Standby; Administration Console, Alerts, Reports; Secure Backups; endpoints: Databases, Servers, Middleware; legend: Credential File, Oracle Wallet, Server Password, Java Keystore, Certificate)
Oracle Advanced Security Transparent Data Encryption (TDE): Oracle Wallet Upload/Download Scenarios
• Single Instance
• GoldenGate
• Multiple DBs, Same Machine
• RAC
• Data Guard
Oracle Advanced Security Transparent Data Encryption (TDE): Online Master Key Scenarios
• Single Instance
• Multiple DBs, Same Machine
• RAC
• Data Guard
• GoldenGate
Oracle Key Vault Software Appliance Platform
• Full-stack solution based on a hardened configuration
  – Easiest to install, configure, deploy and patch
  – Requires open x86-64 hardware
• Integrated use of the Oracle Database Security options
  – Transparent Data Encryption, Database Vault
• Separation of duties for admin users
• Auditing and alerts
• Preconfigured out-of-the-box reports
Configuring and Managing Endpoints
1. One-time enrollment token
2. Endpoint package
3. Endpoint installation and configuration
4. Results: endpoint certificate, binaries and configuration file
5. Sharing
Management Reports – Endpoint Activity
Endpoint Entitlement: Endpoint Entitlement Summary View, Endpoint Entitlement Details
Activities
Oracle Key Vault Ecosystem: Supported Endpoints
• Oracle Wallet: upload & download
• Oracle Database TDE: direct connect
• ASM Storage Nodes
• ASM Cluster File Systems (encrypted): direct connect
• Credential File: upload & download
• Java Keystore: upload & download
Summary: Oracle Key Vault
• Modern, scalable and robust key management
• Secure, share and manage keys and credentials
• Manages Oracle Wallets and Java Keystores (+++ )
• Optimized for the Oracle DB with Oracle Advanced Security TDE
• Turnkey software appliance
• Based on open industry standards
• Engineered for the Oracle stack