
Page 1: Security Architecture For Oracle Database Cloud

Tammy Bednar
Sr. Director of Product Management
Database Cloud Services

Copyright © 2019 Oracle and/or its affiliates.

Page 2: Safe Harbor

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, timing, and pricing of any features or functionality described for Oracle’s products may change and remains at the sole discretion of Oracle Corporation.

Statements in this presentation relating to Oracle’s future plans, expectations, beliefs, intentions and prospects are “forward-looking statements” and are subject to material risks and uncertainties. A detailed discussion of these factors and other risks that affect our business is contained in Oracle’s Securities and Exchange Commission (SEC) filings, including our most recent reports on Form 10-K and Form 10-Q under the heading “Risk Factors.” These filings are available on the SEC’s website or on Oracle’s website at http://www.oracle.com/investor. All information in this presentation is current as of September 2019 and Oracle undertakes no duty to update any statement in light of new information or future events.

Page 3: Threats to Cloud Security

• Insecure configuration of cloud resources allowing unauthorized access to data
• Skilled attackers, including knowledgeable insiders with know-how of exploitable vulnerabilities in complex cloud configurations
• Complicated access control mechanisms, resulting in customers inadvertently granting overly permissive access to cloud resources
• Lack of easy-to-use security monitoring mechanisms to alert on anomalous patterns representative of security attacks

Page 4: Oracle’s Security-First Approach

Security is not about having a few silver bullets, but a well thought out and integrated layered approach beginning with securing the physical infrastructure, firmware, hardware, operating system, hypervisor, and network. Oracle is focused not only on protecting against that initial attack, but also on preventing any progress in an attacker’s continued attempts to steal data.

Page 5: Defense In Depth of OCI Security

Layers shown in the diagram, from the Internet inward:

Edge Services
• Global PoPs
• DDoS Protection
• DNS Security
• WAF Protection

3rd Party Security
• FW
• NGFW
• IPS

Virtual Network
• Interface Segmentation
• Security Lists
• Private Networks
• Bastion Access
• SSL Load Balancing
• FastConnect (Direct)
• FastConnect (Carrier)
• IPSec VPN

Instance
• Tenant Isolation
• Hardened Images
• Virtual Taps
• Hardware Entropy
• SSH Keys
• Certificates
• Root-Of-Trust Card
• Signed Firmware
• Hardware Security Modules

Data
• Encryption
• Authentication
• Authorization
• Auditing
• Monitoring and Blocking
• Secure Configuration
• Data Masking

Monitoring
• User Monitoring
• Configuration Monitoring
• Logging
• Compliance

Identity
• Identity Federation
• Role-Based Policy
• Compartments & Tagging
• Instance Principals

Page 6: OCI Security Portfolio and Strategy

• Of the Cloud: Secure the Cloud Platform
• On the Cloud: Secure Identity, Apps and Data on the Cloud Platform
• Cross Cloud: Protections and Monitoring Between Clouds and Premises

Page 7: Designing a Secure Cloud Platform from the Ground Up

• Platform: Defense-in-Depth from Bare Metal Hardware to Customer Apps & Data
• Operations: Constant Software, Hardware, and Process Hardening
• Compliance: Building Compliance in All Regions for All Services

Page 8: Secure Design: Bootstrap Trust To Immutable Component

Diagram: a Bare Metal Instance running on a Hardware-Based Root of Trust.

Page 9: Secure Design: Give Customers Pristine Systems

Diagram: a Bare Metal Instance and a Virtual Instance (VMs on the Oracle Hardened Hypervisor), each running on a Hardware-Based Root of Trust.

Page 10: Secure Design: Isolated Customer VLANs

Diagram: a Bare Metal Instance and a Virtual Instance (VMs on the Oracle Hardened Hypervisor) on a Hardware-Based Root of Trust, connected through Isolated Network Virtualization. (12/6/19)

Page 11: Secure Design: Top Of Rack ACLs

Diagram: VMs on the Oracle Hardened Hypervisor, Isolated Network Virtualization, and the Physical Network.

Page 12: Compliance for ALL Regions and ALL Services

Extensive list of accreditations, including:
• 27001 : 27017 : 27018
• Level 1
• BSI C5

https://www.oracle.com/cloud/cloud-infrastructure-compliance/

Page 13: Secure Your Applications and Data

• Identity: Provide Access to Those Who Need It, Keep Out Those Who Don’t
• Data: Protect Data at Rest and In Motion
• Network & Apps: Restrict Access to Warranted Use and Monitor

Page 14: Cloud Access Security Broker for SaaS and IaaS

Oracle CASB Cloud Service: Access Management | Data Loss Prevention | Compliance | Visibility

Cloud Infrastructure areas covered:
• Compute, Storage & Database
• Network & Content Delivery
• Security, Identity & Compliance

Page 15: Layers of Protection To Access Your Data

Diagram: an OCI Region (AD1, AD2, AD3) containing a Virtual Cloud Network, reached through an Internet Gateway (IGW), FastConnect and IPSec VPN.

Edge protections:
• WAF with Proactive Threat Detection
• Automated DDoS Protection
• Authoritative DNS with Internet Intelligence

Network controls:
• Subnet-Level Virtual Firewalls
• Virtual Firewall: use VCN Security Lists
• Internet routing gateway: routing tables can be used with NAT and 3rd party firewall devices
• Dynamic Routing Gateway: a virtual router that provides a path for private traffic
• Web Application Firewall: 250 pre-defined OWASP and compliance rules; use IAM for WAF management

Page 16: Data Encryption In Transit

Diagram: Customer Region 1 (AD1, AD2, AD3) and Customer Region 2 (AD1, AD2, AD3) connected with MACSec Encryption.

• Customer managed keys (KMS)
• KMS through OCI services and in your apps directly

Page 17: Database Defense in Depth

• Prevent access by non-database users
• Increase database user identity assurance
• Control access to data within the database
• Audit database activity
• Monitor database traffic and prevent threats from reaching the database
• Ensure the database production environment is secure and prevent drift
• Remove sensitive data from non-production environments

Page 18: Oracle Database Maximum Security Architecture

Components in the diagram:
• Apps
• Transparent Data Encryption
• Key Vault
• Data Redaction (the diagram shows a redacted value, ###-##-5100)
• Database Firewall
• Privilege Analysis
• Data Masking (the diagram shows the values 010-11-5100 and 022-22-5001)
• Test / Dev / Partners
• Audit Vault and Audit Data
• Database Vault
• DB Security Assessment Tool

Page 19: Maximum Security Architecture – in-Cloud

Components in the diagram:
• Network Encryption
• Transparent Data Encryption (the diagram shows stored data as ciphertext)
• Database Vault
• Users and Applications
• Test / Dev
• Data Safe: collect & configure audit; assess security & users; discover, classify, and mask sensitive data
• Labels: Default; Default (Ops Control)

Page 20: New - Oracle Data Safe: Security for Cloud Databases

• Delivers unified set of essential security services on the cloud
• Mitigates user, data, configuration risk
• Unified database security dashboard
• Addresses customer responsibilities
• Requires no special security expertise

Available with Oracle Cloud Database Subscription at No Additional Cost*

* includes 1M audit records per month; data retention up to 12 months

Diagram: Databases in Oracle Cloud feeding the Data Safe functions Audit, Users, Discover, Assess, Mask.

Page 21: Security Zones of Control

Users
• PKI, Kerberos, Radius (pluggable)
• Proxy Users
• Oracle & Active Directory

Data
• Crypto Toolkit
• Virtual Private Database
• Label Security
• Real Application Security**

Prevent
• Encryption & Key Management
• Data Masking*, Data Redaction
• Database Vault**

Detect
• Activity Auditing*
• Reporting/Alerting*
• Audit Vault
• Database Firewall**

Assess (Data & Users)
• Data Discovery*
• Security Assessment*
• User Assessment*
• Privilege Analysis**

** unique to Oracle
* now offered in Oracle Data Safe, included with your Oracle Cloud Databases (6/19)


Page 27: Oracle Autonomous Database Prevents Data Theft: Applies Security Patches while Running

• Automatic continuous threat monitoring and detection
• Immediate security patching and remediation while running
• 99.995% Availability: total downtime less than 2.5 minutes per month

Page 28: Protecting Your Existing Architecture and Security

• Cross Cloud: Secure interaction across and within clouds
• Hybrid: Align security between cloud and on-premises environments
• Your Security: Bring your existing security stack and policies to your OCI estate

Page 29: Enterprise Cloud Interoperability Partnership

Migrate and run mission-critical enterprise workloads across Microsoft Azure and Oracle Cloud.

Interoperability: Cross-cloud SSO and Interconnect

Oracle Cloud
• Oracle Cloud Infrastructure
• Oracle Autonomous Database
• Oracle Exadata
• Oracle Applications
• Oracle RAC
• Oracle Analytics Cloud
• And other services…

Microsoft Azure
• Azure DevOps
• Azure Stream Analytics
• Azure Databricks
• Azure Kubernetes Service
• And other services…

Page 30: Security Connectivity Pattern (Hybrid)

Diagram labels, grouped by area:

Customer Data Center
• Corporate Network, IT Admins, Users
• Customer Premises Equipment
• VPN and FastConnect connections to the Dynamic Routing Gateway

Internet and Edge Services
• Internet Gateway
• WAF, Secure DNS, DDoS Protection
• Internet Traffic (Unsanitized) and Internet Traffic (Sanitized)

VCN1 (Region 1), Virtual Cloud Network
• LB Subnet (Public): Load Balancer (Primary) and Load Balancer (Secondary) across AD1/FD1 and AD2/FD2
• Application Subnet (Private): Compute Instances
• Database Subnet (Private): Database Instances
• Bastion Host
• Security Lists, Route Table
• Service Gateway to the Services Network
• Remote Peering Gateway to VCN1 (R2) over the Encrypted Backbone

Services Network
• Object Storage
• Key Management
• ID & Access Management
• Telemetry/Monitoring

Legend: Local Traffic, Encrypted Traffic, Private Traffic, Internet Traffic, Service Traffic, Inter-Region Traffic, Cross-Connect Traffic

Page 31: Your Security

Diagram: the Customer Estate alongside a Customer Enclave (VCN with subnets) in OCI.

• Deploy 3rd party security within the Customer Enclave: firewalls such as ASAv, Fortigate, VM-Series, Cloudguard
• Send logs (Control Plane, Sign-on, WAF Data plane, etc.) to ANY SIEM solution
• Edge services: CASB, DNS, WAF
• Use Local or Federated Authenticators in Coordination with Oracle: Oracle Console, Oracle IDCS, SCIM (System for Cross Domain Identity Management)

Page 32: Shared Responsibility and How We Differ

Layers in the diagram, top to bottom:
• Application Compliance
• Application Data Security
• Identity Access Security
• VCN Security
• Database Security
• Compute Security
• Data Security
• Console & API Security
• Storage Security
• Infrastructure Compliance
• Operator Access Security
• Control Plane Host Security
• Server Hardware Security
• Network Security
• Data Center Security

The diagram marks each layer as either “Customer Controlled & Oracle Supported” or “Oracle Controlled”.

Page 33: OCI Security: Integrated & Layered Approach

Diagram: the same defense-in-depth layering as Page 5 (Internet, Edge Services, 3rd Party Security, Virtual Network, Instance, Data, Monitoring, Identity).