Oracle Modern Cloud Day · 2019. 11. 21.
TRANSCRIPT
Oracle Modern Cloud Day
Copyright © 2019, Oracle and/or its affiliates. All rights reserved.
OCI, the True Security-First Cloud
Randy Noh, Solutions Engineering Director
Move & Improve Team
Julien Lehmann, Product Management Director
OCI Security Group
Oracle Cloud Infrastructure, the True Security-First Cloud
Safe harbor statement
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions.
The development, release, timing, and pricing of any features or functionality described for Oracle’s products may change and remains at the sole discretion of Oracle Corporation.
Program agenda
1. Prologue
2. The True Security-First Cloud
3. Data Safe
4. Demo
5. Epilogue
Program agenda 1: Prologue
Security is the key reason for adopting the cloud!
Program agenda 2: The True Security-First Cloud
OCI, the True Security-First Cloud
"To design a platform for enterprises that worry about data security, we took a technical approach different from the existing one."
Don Johnson, EVP, Oracle Cloud Infrastructure
OCI, the cloud optimized for security-first enterprise workloads
Superior economics · Superior performance · Security first · Openness · Enterprise-grade environment
Goal: the most secure place for mission-critical workloads
Security-first design
Selective and automated security controls
Built on a culture of trust
A systematic and comprehensive approach to Core-to-Edge security
Defensive Security
• Detect: Security Analytics
• Collect: Security Infrastructure
• Remediate: Vulnerability Management
• Respond: Incident Response
Offensive Security
• Hardware Hacking
• Security Research
• Red Teaming
• Penetration Testing
OCI's layered defense in depth
Edge
▪ DDoS Protection
▪ Data Intelligence
▪ Threat Intelligence
▪ Behavioral Analysis
▪ DNS Security (DNSKEY, IPSECKEY, SSHFP)
▪ Web Application Firewall
▪ Bot Management
▪ Malware Protection
▪ API Security
Network
▪ Optional 3rd Party Security (FW, NGFW, IPS)
▪ User Activity Monitoring
▪ Configuration Change Monitoring
▪ Logging
▪ Compliance Monitoring
▪ Interface Segmentation
▪ Security Lists
▪ Private Networks
▪ Bastion Access
▪ Load Balancing
▪ SSL Termination
▪ SSL Tunneling
▪ Interconnect
▪ FastConnect (Direct)
▪ FastConnect (Carrier)
▪ IPSec VPN
Instance
▪ Tenant Isolation
▪ Hardened Images
▪ Virtual Taps
▪ Hardware Entropy
▪ SSH Keys
▪ Certificates
▪ Root-Of-Trust Card
▪ Signed Firmware
▪ Hardware Security Modules
Data
▪ At-Rest-Crypto (Oracle TDE, Oracle DataGuard)
▪ In-Transit-Crypto (SSL/TLS, Oracle NNE)
▪ Keys (Managed Keys, Custom Keys, Managed Vault)
Identity
▪ Identity Federation
▪ Role-Based Policy
▪ Compartments & Tagging
▪ Instance Principals
Portfolio and strategy for OCI security
OF THE CLOUD: protecting the cloud platform
ON THE CLOUD: protecting accounts, applications and data in the cloud
CROSS CLOUD: monitoring and protecting hybrid environments
An architecture conceived for the highest security from the design stage onward
[Diagram: Gen-1 cloud (shared server resources): a single shared user + cloud control computer, an Intel CPU running user code together with cloud control code on shared CPU, memory and storage with a shared network port. Oracle Cloud Infrastructure (separated cloud control server): a "bare metal" user computer (Intel CPU, user code, RAM & flash storage, network port to the customer network) beside a separate cloud control computer (non-Intel CPU, RAM & flash storage).]
Gen-1 cloud:
• The cloud provider can access user data
• User code can access cloud control code
Oracle Cloud Infrastructure:
• Oracle cannot access customer data
• No user can access the cloud control computer
Ref: https://blogs.oracle.com/cloudsecurity/exploring-oracles-gen-2-cloud-infrastructure-security-architectures%3a-isolated-network-virtualization
Secure design: stronger tenant isolation (Isolation)
Fully separated network virtualization
[Diagram, both panels marking the path of communication with other tenants. Gen-1 cloud (currently the most widely used): a Host OS/Kernel running a server virtualization hypervisor that also performs network virtualization, with the VM/Guest OSs of all tenants on top of that one layer. Gen-2 cloud (Oracle Cloud Infrastructure): network virtualization is fully separated from the Host OS/Kernel and its hypervisor or optional container that hosts the VM/Guest OSs, separating the network and tenant environments.]
Threat containment and risk reduction
[Diagram comparing the Gen-1 cloud with Oracle's Gen-2 cloud: in the Gen-1 stack (Host OS/Kernel, server virtualization hypervisor carrying network virtualization in the same layer) the VM/Guest OSs of all tenants share one network virtualization layer; in the Gen-2 stack (Host OS/Kernel, hypervisor or optional container, fully separated network virtualization) each host's VM/Guest OSs are kept apart from the rest.]
Security through isolated network virtualization prevents the spread of risk
Secure design: least privileged access (Least Privileged Access)
[Diagram: a VCN reached from the Internet through an SSH Bastion, an Outbound SSL Proxy, an SSL Load Balancer and a Service Gateway; block volume traffic and command traffic cross into the physically segmented ILOM, Service Enclave and Substrate networks.]
• Service-to-service traffic secured at the application layer
• Host-to-host traffic isolated via encapsulation
• No ILOM-to-ILOM traffic
• Physical network segmentation (ILOM, Service Enclave, Substrate)
Application and data security
Identity: fine-grained, minimized access rights
Network & Apps.: network restrictions for appropriate use; bot management and monitoring
A further-evolved level of control: defense in depth + extended perimeter defense
[Diagram: an OCI REGION with availability domains AD1, AD2 and AD3 hosting a Virtual Cloud Network, connected through an IGW, FastConnect (with IPSec option) and IPSec VPN; in front of it a WAF with proactive threat detection, automated DDoS defense and DNS that serves trustworthy information; inside, subnet-level virtual firewalls, the CASB service and OCI IAM.]
• vFirewalls – access control for inbound/outbound (IN/OUT) traffic
• Distributed Denial of Service (DDoS) – prevention of network-layer attacks
• Web Application Firewall (WAF) – prevention of application-layer attacks
• Cloud Access Security Broker (CASB) – alerts on changes affecting visibility, compliance and control
• Virtual Private Network (VPN) – protection of traffic over the Internet or private links through an encrypted virtual tunnel
• Domain Name Service (DNS) – Oracle's managed DNS for OCI customers
• Identity & Access Management (IAM) – control over who can access and manage OCI resources
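The subnet-level virtual firewall and bastion access described above are only as good as their rules. The following script is an added example, not Oracle's code: it audits a security list for least privilege, flagging administrative ports reachable from anywhere other than the bastion subnet and unrestricted egress. The rule layout follows the general shape of an OCI security list (ingressSecurityRules / egressSecurityRules with a CIDR, a protocol number and optional tcpOptions), but the exact field names are an assumption of this example, and the security list and bastion CIDR are constructed.

```python
"""Least-privilege check of virtual-firewall (security list) rules.

Added example, not Oracle's code. The rule layout follows the general shape of
an OCI security list (ingressSecurityRules / egressSecurityRules, each with a
source or destination CIDR, a protocol number and optional tcpOptions); the
exact field names are an assumption, and the sample list below is constructed.
"""
import ipaddress

TCP = "6"  # protocol number as used in security-list rules; "all" means any protocol
# Administrative ports that should only be reachable from the bastion subnet.
ADMIN_PORTS = {22: "SSH", 3389: "RDP", 1521: "Oracle listener"}

BASTION_CIDR = "10.0.1.0/24"  # constructed: the subnet hosting the SSH bastion

SAMPLE_SECURITY_LIST = {  # constructed sample, not a real tenancy
    "displayName": "app-subnet-seclist",
    "ingressSecurityRules": [
        {"source": "0.0.0.0/0", "protocol": TCP,
         "tcpOptions": {"destinationPortRange": {"min": 443, "max": 443}}},
        {"source": "0.0.0.0/0", "protocol": TCP,
         "tcpOptions": {"destinationPortRange": {"min": 22, "max": 22}}},
        {"source": BASTION_CIDR, "protocol": TCP,
         "tcpOptions": {"destinationPortRange": {"min": 22, "max": 22}}},
        {"source": "10.0.0.0/16", "protocol": "all"},
        {"source": "0.0.0.0/0", "protocol": "all"},
    ],
    "egressSecurityRules": [
        {"destination": "0.0.0.0/0", "protocol": "all"},
        {"destination": "10.0.2.0/24", "protocol": TCP,
         "tcpOptions": {"destinationPortRange": {"min": 1521, "max": 1521}}},
    ],
}


def _covers_port(rule, port):
    """True if the rule admits TCP traffic to `port` (an "all" rule admits every port)."""
    if rule["protocol"] == "all":
        return True
    if rule["protocol"] != TCP:
        return False
    rng = (rule.get("tcpOptions") or {}).get("destinationPortRange")
    return rng is None or rng["min"] <= port <= rng["max"]


def audit_ingress(rules, bastion_cidr):
    """Return (severity, message) findings for ingress rules wider than least privilege."""
    findings = []
    bastion = ipaddress.ip_network(bastion_cidr)
    for rule in rules:
        src = ipaddress.ip_network(rule["source"], strict=False)
        from_internet = src.prefixlen == 0  # 0.0.0.0/0 or ::/0
        from_bastion = src.version == bastion.version and src.subnet_of(bastion)
        if rule["protocol"] == "all" and from_internet:
            findings.append(("HIGH", f"{src}: all protocols and ports open to the Internet"))
            continue
        exposed = [f"{p}/{name}" for p, name in ADMIN_PORTS.items() if _covers_port(rule, p)]
        if exposed and not from_bastion:
            severity = "HIGH" if from_internet else "MEDIUM"
            findings.append((severity, f"{src}: admin ports {', '.join(exposed)} "
                                       f"reachable from outside bastion {bastion}"))
    return findings


def audit_egress(rules):
    """Flag unrestricted egress; outbound traffic should leave via the outbound proxy or service gateway."""
    findings = []
    for rule in rules:
        dst = ipaddress.ip_network(rule["destination"], strict=False)
        if dst.prefixlen == 0 and rule["protocol"] == "all":
            findings.append(("LOW", f"egress to {dst} on all protocols: route outbound "
                                    f"traffic through the proxy or service gateway instead"))
    return findings


def audit(security_list, bastion_cidr=BASTION_CIDR):
    """Audit one security list; findings come back ordered by severity."""
    order = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}
    findings = audit_ingress(security_list["ingressSecurityRules"], bastion_cidr)
    findings += audit_egress(security_list["egressSecurityRules"])
    return sorted(findings, key=lambda f: order[f[0]])


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_SECURITY_LIST):
        print(f"[{severity}] {SAMPLE_SECURITY_LIST['displayName']}: {message}")
```

On the constructed list the HTTPS rule passes, the SSH rule from the bastion subnet passes, and the audit reports the Internet-wide SSH rule and the any-protocol rule as HIGH, the broad internal any-protocol rule as MEDIUM, and the open egress rule as LOW.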
Reuse of existing on-premises architecture and security tools
Cross Cloud: security assured even in multi-cloud environments
Hybrid: a unified security environment between cloud and on-premises
Your Security: use existing security environments and assets as-is on OCI
Reuse of on-premises assets
[Diagram: a VCN with a Customer Enclave of two subnets fronted by a firewall running third-party virtual appliances (ASAv, Fortigate, VM-Series, Cloudguard); the Oracle Console and Oracle IDCS connect to the Customer Estate over SCIM (System for Cross-Domain Identity Management); CASB, DNS and WAF sit at the edge.]
• Use third-party security tools within the customer's own area
• Deliver logs to any SIEM solution (Control Plane, Sign-On, WAF, etc…)
• Manage accounts yourself or use identity federation linked with Oracle
Program agenda 3: Data Safe
Database security, the core of data security
Share of data breach incidents that occurred in databases without DB security applied (Source: Verizon Security Report)
Share of confidential information stored in databases (Source: IDC Report)
Database security in the cloud
Security areas the cloud provider is responsible for
• Network security and monitoring
• OS, VM and container security and patching
• Database security patches and upgrades
• Regulatory compliance
Additional security safeguards the cloud provider offers
• Separation of administrator roles
• Data encryption and key management
• Administrator activity monitoring
Security areas the cloud customer is responsible for
• Risk from configuration errors
• Detection of risky users
• Data protection
• User activity auditing
New release - Oracle Data Safe
Unified database security control center
Risk dashboard: configuration, data, users
User activity monitoring
Masked data for test and development
More features to come…
Key benefits: mitigates security risks and shortens time to resolution
Defense in depth for every customer
No special security expertise required
Free for Oracle Database cloud customers
[Diagram: Databases in Oracle Cloud feeding Data Safe, with the functions Assess, Users, Discover, Mask, Audit, …]
Database security assessment
Immediate information about misconfigurations that could introduce unnecessary risk
• Comprehensive assessment
– Security parameters
– Security controls in use
– User roles and privileges
• Guidance drawn from best practices
• Actionable reporting
– Prioritized recommended actions
– Compliance mapping (EU-GDPR, CIS)
User risk assessment
Reduce user risk by managing roles, privileges and policies
• Identify risky users holding excessive privileges
• Static profile evaluation
– User type, password policy, etc.
• Dynamic profile evaluation
– Last login
– IP information
– Password changes
– Audit data, etc.
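The static and dynamic profile checks listed above can be expressed as a small scoring rule set. The script below is an added example, not Data Safe's code: it scores constructed user records on privileges, password policy, login recency, source IPs, password age and failed-login counts, and bands them into the Critical/High/Medium/Low categories shown on the dashboard. The record fields, the point weights, the band thresholds, the corporate IP prefix and the evaluation date are all assumptions of this example.

```python
"""Rule-based user risk assessment, in the spirit of the static and dynamic
profile checks described above.

Added example, not Oracle's Data Safe code. The record fields, the point
weights, the risk bands and the evaluation date are assumptions of this
example, and every user record below is constructed.
"""
from collections import Counter
from datetime import date

AS_OF = date(2019, 11, 21)        # constructed evaluation date
CORPORATE_PREFIXES = ("10.",)     # constructed: source IPs treated as internal (crude prefix test)
POWER_ROLES = {"DBA"}             # roles treated as excessive for an ordinary user
POWER_PRIVS = {"ALTER SYSTEM", "GRANT ANY PRIVILEGE", "SELECT ANY TABLE",
               "CREATE ANY PROCEDURE"}

# Constructed user records, shaped like a simplified data-dictionary export.
USERS = [
    {"name": "SYS_DBA_APP", "account_status": "OPEN", "roles": ["DBA"], "sys_privs": [],
     "profile": {"password_life_days": None, "failed_login_limit": 10},
     "last_login": date(2019, 11, 20), "login_ips": ["198.51.100.7"],
     "last_password_change": date(2018, 10, 1), "failed_logins_30d": 0},
    {"name": "APP_SVC", "account_status": "OPEN", "roles": ["CONNECT"], "sys_privs": ["CREATE SESSION"],
     "profile": {"password_life_days": 90, "failed_login_limit": 10},
     "last_login": date(2019, 11, 20), "login_ips": ["10.0.2.15"],
     "last_password_change": date(2019, 10, 22), "failed_logins_30d": 0},
    {"name": "OLD_CONTRACTOR", "account_status": "OPEN", "roles": ["CONNECT", "RESOURCE"], "sys_privs": [],
     "profile": {"password_life_days": 90, "failed_login_limit": 10},
     "last_login": date(2019, 5, 5), "login_ips": ["10.0.3.9"],
     "last_password_change": date(2019, 1, 25), "failed_logins_30d": 12},
    {"name": "REPORTS_ADMIN", "account_status": "OPEN", "roles": ["CONNECT"], "sys_privs": ["SELECT ANY TABLE"],
     "profile": {"password_life_days": 90, "failed_login_limit": None},
     "last_login": date(2019, 11, 16), "login_ips": ["10.0.4.2"],
     "last_password_change": date(2019, 11, 1), "failed_logins_30d": 2},
    {"name": "LEGACY_ETL", "account_status": "LOCKED", "roles": [], "sys_privs": [],
     "profile": {"password_life_days": 90, "failed_login_limit": 10},
     "last_login": None, "login_ips": [],
     "last_password_change": None, "failed_logins_30d": 0},
]


def _days_since(d):
    return None if d is None else (AS_OF - d).days


def assess_user(u):
    """Return (score, reasons) for one user; a higher score means higher risk."""
    score, reasons = 0, []
    # Static profile: privileges held and the password policy of the user's profile
    if POWER_ROLES & set(u["roles"]) or POWER_PRIVS & set(u["sys_privs"]):
        score += 40
        reasons.append("excessive privileges")
    if u["profile"]["password_life_days"] is None:
        score += 15
        reasons.append("password never expires")
    if u["profile"]["failed_login_limit"] is None:
        score += 10
        reasons.append("no lockout after failed logins")
    # Dynamic profile: login recency, source IPs, password age, audit data
    last = _days_since(u["last_login"])
    if u["account_status"] == "OPEN" and (last is None or last > 90):
        score += 15
        reasons.append("open account dormant for more than 90 days")
    if any(not ip.startswith(CORPORATE_PREFIXES) for ip in u["login_ips"]):
        score += 20
        reasons.append("logins from outside the corporate network")
    pw_age = _days_since(u["last_password_change"])
    if pw_age is None or pw_age > 180:
        score += 10
        reasons.append("password not changed in 180 days")
    if u["failed_logins_30d"] >= 10:
        score += 10
        reasons.append("repeated failed logins in audit data")
    return score, reasons


def risk_band(score):
    """Map a score onto the four bands used on the dashboard."""
    if score >= 60:
        return "Critical"
    if score >= 40:
        return "High"
    if score >= 20:
        return "Medium"
    return "Low"


def assess_all(users=USERS):
    """Return {name: (band, score, reasons)} for every user."""
    result = {}
    for u in users:
        score, reasons = assess_user(u)
        result[u["name"]] = (risk_band(score), score, reasons)
    return result


def summarize(users=USERS):
    """Count users per band, as on the 'User Risk Assessment' chart."""
    return dict(Counter(band for band, _, _ in assess_all(users).values()))


if __name__ == "__main__":
    for name, (band, score, reasons) in assess_all().items():
        print(f"{name:15} {band:8} {score:3}  {'; '.join(reasons)}")
    print(summarize())
```

The weights are deliberately simple; what matters is that the dynamic signals (dormancy, external source IPs, stale passwords, failed logins from audit data) are scored next to the static ones, so a dormant low-privilege account and an active over-privileged account both surface in the right band.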
User activity auditing
Powerful reporting simplifies tracking user actions and auditing
• Policies for auditing, compliance and alerts
• Collects audit data from the database and tracks sensitive operations
• Generates audit reports
– Reports for forensics
– Summary and detailed reports
– PDF reports for compliance
Sensitive data discovery
Find the location, type and amount of sensitive data to prioritize security work
• Discovers and classifies more than 125 kinds of sensitive data
• User-defined sensitive data types can be specified
• Incremental discovery of changed parts
• Reports on the amount and type of sensitive data
[Dashboard: 3.6M Sensitive Values · 30 Sensitive Types · 18 Sensitive Tables · 57 Sensitive Columns]
Sensitive data masking
Minimize exposure of sensitive data in development, test, partner and analytics databases
• Masking of data identified as sensitive
– More than 50 predefined masking formats
– Automatic format selection according to the sensitive data type
– Optional user-defined masking formats
• Rich masking support for complex data
• Reports on masking
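The discovery and masking features above fit together: discovery classifies columns into sensitive types, and the masking format is then chosen from that type. The script below is an added example serving both passages; it is not Data Safe's code. It classifies columns of constructed in-memory tables against a few predefined types plus one user-defined type, supports incremental discovery by skipping columns already classified, reports the dashboard-style counts, and masks each sensitive column with the format for its type (with an optional user-defined format). The types, match rules, 80% column threshold and masking formats are assumptions of this example.

```python
"""Sensitive data discovery and type-driven masking over in-memory tables.

Added example, not Oracle's Data Safe code. The sensitive types, their match
rules, the 80% column threshold and the masking formats are assumptions of
this example; the tables are constructed so the script runs offline.
"""
import hashlib
import re


def _luhn_ok(digits):
    """Luhn checksum, so phone-like digit strings are not classed as cards."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


# Predefined sensitive types, tried in order: the more specific ones first.
PREDEFINED_TYPES = {
    "EMAIL": lambda v: re.fullmatch(r"[\w.+-]+@[\w-]+\.[\w.-]+", v) is not None,
    "CREDIT_CARD": lambda v: (re.fullmatch(r"\d{4}[- ]?\d{4}[- ]?\d{4}[- ]?\d{4}", v) is not None
                              and _luhn_ok(re.sub(r"\D", "", v))),
    "PHONE": lambda v: re.fullmatch(r"\+?\d[\d\- ]{8,}\d", v) is not None,
    "IPV4": lambda v: re.fullmatch(r"(?:\d{1,3}\.){3}\d{1,3}", v) is not None,
}
# A user-defined type (constructed employee-id format) and its own masking format.
CUSTOM_TYPES = {"EMPLOYEE_ID": lambda v: re.fullmatch(r"EMP-\d{5}", v) is not None}


def _pseudo_digits(value, n):
    """n repeatable pseudo-random digits derived from the value itself."""
    return str(int(hashlib.sha256(value.encode()).hexdigest(), 16)).zfill(78)[:n]


def _replace_digits(value, new_digits):
    it = iter(new_digits)  # keep separators, swap every digit
    return "".join(next(it) if c.isdigit() else c for c in value)


# Masking format per type; the format is selected automatically from the discovered type.
MASK_FORMATS = {
    "EMAIL": lambda v: "user" + hashlib.sha256(v.encode()).hexdigest()[:8] + "@" + v.split("@", 1)[1],
    "CREDIT_CARD": lambda v: re.sub(r"\d", "X", v[:-4]) + v[-4:],   # keep the last four digits
    "PHONE": lambda v: _replace_digits(v, _pseudo_digits(v, sum(c.isdigit() for c in v))),
    "IPV4": lambda v: ".".join(v.split(".")[:3] + ["0"]),           # drop the host octet
}
CUSTOM_FORMATS = {"EMPLOYEE_ID": lambda v: "EMP-" + _pseudo_digits(v, 5)}

TABLES = {  # constructed sample data
    "EMPLOYEES": {
        "EMP_ID": ["EMP-00017", "EMP-00042", "EMP-00108"],
        "EMAIL": ["jane.roe@example.com", "k.park@example.com", "d.lee@example.org"],
        "PHONE": ["010-1234-5678", "010-9876-5432", "02-555-0101"],
        "DEPT": ["R&D", "Sales", "R&D"],
    },
    "PAYMENTS": {
        "CARD_NO": ["4111 1111 1111 1111", "5500 0000 0000 0004", "4012 8888 8888 1881"],
        "AMOUNT": ["120.00", "35.50", "999.99"],
        "CLIENT_IP": ["10.0.2.15", "10.0.2.16", "192.168.1.9"],
    },
    "AUDIT_LOG": {"EVENT": ["LOGON", "LOGOFF", "SELECT"]},
}


def classify_column(values, types, threshold=0.8):
    """Return the first type whose matcher accepts at least `threshold` of the non-empty values."""
    vals = [v for v in values if v]
    for name, matches in types.items():
        if vals and sum(1 for v in vals if matches(v)) >= threshold * len(vals):
            return name
    return None


def discover(tables, custom_types=None, previous=None):
    """Classify every column; with `previous` only columns not seen before are scanned (incremental)."""
    types = {**PREDEFINED_TYPES, **(custom_types or {})}
    found = dict(previous or {})
    for table, columns in tables.items():
        for column, values in columns.items():
            if (table, column) not in found:
                kind = classify_column(values, types)
                if kind:
                    found[(table, column)] = kind
    return found


def summarize(tables, found):
    """Counts in the style of the discovery dashboard."""
    return {"sensitive_values": sum(sum(1 for v in tables[t][c] if v) for t, c in found),
            "sensitive_types": len(set(found.values())),
            "sensitive_tables": len({t for t, _ in found}),
            "sensitive_columns": len(found)}


def mask_tables(tables, found, custom_formats=None):
    """Return a masked copy for test/dev use; non-sensitive columns are left untouched."""
    formats = {**MASK_FORMATS, **(custom_formats or {})}
    masked = {}
    for table, columns in tables.items():
        masked[table] = {}
        for column, values in columns.items():
            fmt = formats.get(found.get((table, column)))
            masked[table][column] = [fmt(v) if (fmt and v) else v for v in values]
    return masked


if __name__ == "__main__":
    found = discover(TABLES, CUSTOM_TYPES)
    print(summarize(TABLES, found))
    for (table, column), kind in found.items():
        print(f"{table}.{column}: {kind} -> {mask_tables(TABLES, found, CUSTOM_FORMATS)[table][column][0]}")
```

Two design points carry over from the slide: the card check combines a pattern with a Luhn checksum so that phone numbers are not mis-typed as cards, and the email and phone masks are derived deterministically from the original value, so the same person masks to the same pseudonym across tables and joins in a test database keep working.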
Program agenda 4: Demo
Data Safe Demo
Program agenda 5: Epilogue
Portfolio and strategy for the true security-first cloud
OF THE CLOUD
• Separately isolated cloud control server
• Stronger tenant isolation
• Physical-layer segmentation
ON THE CLOUD
• Well-refined user access control
• Cloud-based Edge services
• Threat monitoring and detection through CASB
CROSS CLOUD
• Secure interoperation across multi-cloud environments
• Security framework for hybrid cloud
• Efficient reuse of on-premises security tools
Data Safe for the true security-first cloud
• Unified database security control center
‒ Database security assessment
‒ User risk assessment
‒ User activity auditing
‒ Sensitive data discovery
‒ Sensitive data masking
• Mitigates security risks and shortens time to resolution
• Defense in depth for every customer
• No special security expertise required
Available in Oracle Cloud at no additional cost!!!
[Dashboard charts: Database Security Assessment, 68 Risks (High Risk: 33, Medium Risk: 22, Low Risk: 13); User Risk Assessment, 84 Users (Critical Risk: 47, High Risk: 9, Medium Risk: 2, Low Risk: 26); Sensitive Data Discovery, 179 Columns (Public Identifier: 37, Address: 34, Organization Data: 30, Employee Basic Data…, Compensation data…).]
Continuous innovation for the true security-first cloud
• Maximum Security Zone: Always-On Security
‒ Object storage that accepts only encrypted data
‒ Object storage that supports private buckets only
‒ Additional approval required to export data
• Cloud Guard: broader watching and handling (Pervasive Watch and Kill)
‒ Collects and monitors logs from Audit, Data Safe, the operating system and log management
‒ Analyzes data and detects threats and configuration errors
• Autonomous Linux: no problems caused by human error, omission or delayed handling
‒ Ksplice real-time online patching
Thank you
Randy Noh
Solutions Engineering Director, Move & Improve Team
Julien Lehmann
Product Management Director, OCI Security Group