Private Clouds: Opportunity to Improve Data Security and Lower Costs
InfoTRAMS „Fusion Tematyczny, Bazy Danych, Kariera i Prywatny Sprzęt w Pracy” (Thematic Fusion: Databases, Careers and Private Hardware at Work)
Michał Jerzy Kostrzewa ([email protected]), ECE Business Development Manager
Agenda
• Challenges of Securing Data Today
• Data Security in Cloud Environments
• Private v. Public Clouds
• Securing Database Clouds
• Q&A
Easy to Lose Track of Sensitive Data In Traditional Computing Environments
• Silos of dedicated hardware and software for each application
• Organizations typically unsure which silos contain sensitive data
• Securing every silo is too costly and complex
• Organizations typically protect the only shared resource - the network
• Data and database infrastructure vulnerable to attack from within the network perimeter
Data and Databases Vulnerable
• 28% uniformly encrypt sensitive data in all databases: data can be read or tampered with by any system user or admin with access to database files or storage
• 24% can prevent privileged database users from reading or modifying data: data can be accessed by DBAs or anyone with privileged database user credentials
• 44% allow database users to access data directly: users can bypass application security policies to read or modify data directly within the database
• 68% cannot detect if database users are abusing privileges: database users can perform unauthorized activities undetected
• 66% are not sure if their applications are subject to SQL injection: data can be manipulated by hackers who compromise applications
• 48% copy sensitive production data to non-production environments: data can be accessed by developers, testers, etc.
Source: The 2010 IOUG Data Security Report
Over 900M breached records (92%) came from compromised database servers
• 48% involved privilege misuse
• 40% resulted from hacking
• 38% utilized malware
• 28% employed social tactics
• 15% comprised physical attacks
Source: 2010 Data Breach Investigations Report
Cloud Computing Environments Allow Securing Sensitive Data Efficiently
• Clouds are shared pools of standardized computing resources
• Oracle Exadata is a pre-integrated, highly optimized Database Cloud platform that maximizes ROI
• All data now managed in the Database Cloud - securing Database Clouds is not optional!
• Securing Database Clouds results in efficient and consistent protection for all data
• Database Clouds enable better security at lower cost and complexity
Exadata and Exalogic: Extreme Performance, Engineered Systems
• Database and middle-tier machines
• Unmatched performance, simplified deployment, lower total cost
• Building blocks for private and public PaaS
Oracle Exadata Extreme Performance
[Chart: query throughput in GB/sec of uncompressed data, single rack, for Teradata 2650, Netezza TwinFin 12 and Exadata (disk and Flash); and storage data bandwidth in GB/sec for EMC VMAX, IBM XIV, NetApp 6080, IBM DS8700, Hitachi USP V and Exadata, for systems holding equal user data, all with the largest disks and best compression. Exadata with Flash is shown at 75 GB/sec.]
• Faster than DW appliances: faster query throughput, fastest disk throughput, much faster with Flash
• More bandwidth than high-end arrays: storage arrays can't deliver disk bandwidth, get no extra bandwidth from Flash, and have no CPU offload, no columnar compression and no InfiniBand
• More data capacity: more disk drives per rack, larger disk drives, much better compression
Oracle Exalogic Extreme Performance
• Internet applications: 12X improvement, over 1 million HTTP requests/sec, Facebook's web traffic on 2 full racks
• Messaging applications: 4.5X improvement, over 1.8 million messages/sec, all Chinese rail ticketing on 1 rack
• Database applications: 1.4X improvement, almost 2 million JPA operations/sec, all eBay product searches on 1/2 rack
[Chart: Exalogic versus the alternative platform for each of the three workloads]
Biggest Barrier to Cloud Computing Adoption? Security!
74% rate cloud security issues as "very significant"
Source: IDC
The Reality of Cloud Computing: Cloud Computing Often Confused with Outsourcing
Public Clouds
• Cloud operated by a vendor
• Security (and compliance?) becomes outsourced
• Not an option for certain organizations and industries
Private Clouds
• Evolution of IT services
• The organization is still responsible for ensuring security and compliance
• Cost-effective option to protect data for all organizations!
Copyright © 2010, Oracle. All rights reserved
Securing Database Clouds: Defense in Depth
• Prevent access by non-database users
• Increase database user identity assurance
• Control access to data within the database
• Audit database activity
• Monitor database traffic and prevent threats from reaching the database
• Ensure the database production environment is secure and prevent drift
• Remove sensitive data from non-production environments
Oracle Advanced Security: Protect Data from Unauthorized Users
• Complete encryption for application data at rest to prevent direct access to data stored in database files, on tape, in exports, etc. by IT staff/OS users
• Efficient application data encryption without application changes
• Built-in two-tier key management for separation of duties (SoD), with support for centralized key management using an HSM/KMS
• Strong authentication of database users for greater identity assurance
[Diagram: application data stays encrypted wherever it rests: disk, backups, exports and off-site facilities]
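How the encryption on this slide is actually switched on, as an added example in Oracle Database 11g SQL. It is not taken from the deck and is not Oracle's own sample code; the schema HR, the table EMP with its SSN column, the index EMP_PK, the tablespace SECURE_TS, the datafile path and the wallet password are assumed names.

```sql
-- Added example, not from the deck. Oracle Database 11g syntax. HR.EMP, EMP_PK,
-- SECURE_TS, the datafile path and the wallet password are hypothetical.

-- 1. Create the TDE master key in the wallet. The wallet directory is the
--    ENCRYPTION_WALLET_LOCATION entry in sqlnet.ora. The master key never
--    leaves the wallet; it wraps every table and tablespace key (two-tier keys).
--    With an HSM the statement is the same, the wallet just lives on the HSM.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "Wallet-Pa55word";

-- 2. Column-level TDE: encrypt only the sensitive column. Keep the default SALT
--    unless the column must stay indexed; an indexed column needs NO SALT and
--    then supports equality lookups only.
ALTER TABLE hr.emp MODIFY (ssn ENCRYPT USING 'AES256');

-- 3. Tablespace-level TDE: every segment created here, indexes included, is
--    written to disk encrypted, and RMAN backups of it contain the encrypted blocks.
CREATE TABLESPACE secure_ts
  DATAFILE '/u01/oradata/ORCL/secure_ts01.dbf' SIZE 1G
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

-- Move the table in. MOVE marks its indexes UNUSABLE, so rebuild them.
ALTER TABLE hr.emp MOVE TABLESPACE secure_ts;
ALTER INDEX hr.emp_pk REBUILD TABLESPACE secure_ts;

-- 4. Verify from the dictionary what is really encrypted, so an auditor does
--    not have to take the DBA's word for it.
SELECT owner, table_name, column_name, encryption_alg, salt
  FROM dba_encrypted_columns;

SELECT t.name, e.encryptionalg, e.encryptedts
  FROM v$encrypted_tablespaces e
  JOIN v$tablespace t ON t.ts# = e.ts#;
```

Two caveats a practitioner will hit: after an instance restart the wallet must be opened (ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "...") or every access to encrypted data fails, and Data Pump writes encrypted columns in the clear unless the export is run with its own ENCRYPTION option (it warns with ORA-39173). TDE covers the "IT staff/OS users" threat on the slide: whoever copies a datafile, backup or tape gets ciphertext. It does nothing against a user who is connected to the database with enough privileges, which is what Database Vault on the next slide is for.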
Oracle Database Vault: Enforce Security Policies Inside the Database
• Automatic and customizable DBA separation of duties and protective realms
• Enforce who, where, when and how using rules and factors
• Enforce least privilege for privileged database users
• Prevent application bypass and enforce enterprise data governance
• Securely consolidate application data or enable multi-tenant data management
[Diagram: realms around the Procurement, HR and Finance application data; the application DBA's "select * from finance.customers" is stopped by the Finance realm, while the application itself and the security DBA keep their own separate roles]
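The realm in the diagram, as an added example in Oracle Database Vault 11g PL/SQL (not from the deck and not Oracle's sample code). It is run as the Database Vault owner; the FINANCE schema, the application account FIN_APP and the realm name are assumed.

```sql
-- Added example, not from the deck. Run as the Database Vault owner (DV_OWNER).
-- FINANCE, FIN_APP and 'Finance Data Realm' are hypothetical names.
BEGIN
  -- 1. Create the realm. G_REALM_AUDIT_FAIL writes an audit record for every
  --    rejected access, which is what the Audit Vault slide later reports on.
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'Finance Data Realm',
    description   => 'Keeps finance application data away from privileged users',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);

  -- 2. Put every object in the FINANCE schema inside the realm; the '%'
  --    wildcards also cover objects created later.
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'Finance Data Realm',
    object_owner => 'FINANCE',
    object_name  => '%',
    object_type  => '%');

  -- 3. Authorise only the application account as a participant. From now on
  --    SELECT ANY TABLE and the other system privileges that the DBA role and
  --    SYS carry no longer reach FINANCE objects.
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'Finance Data Realm',
    grantee       => 'FIN_APP',
    rule_set_name => NULL,
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);
END;
/

-- Verify the policy from the dictionary views installed with Database Vault.
SELECT name, enabled, audit_options
  FROM dba_dv_realm
 WHERE name = 'Finance Data Realm';
SELECT grantee, auth_options
  FROM dba_dv_realm_auth
 WHERE realm_name = 'Finance Data Realm';

-- As a DBA-role user, the slide's query now fails with
-- ORA-01031: insufficient privileges, and the attempt is audited.
-- SELECT * FROM finance.customers;

-- A realm intercepts access made through system privileges only. A direct
-- object grant still works, so list and revoke any that bypass the realm.
SELECT grantee, table_name, privilege
  FROM dba_tab_privs
 WHERE owner = 'FINANCE'
   AND grantee <> 'FIN_APP';
```

The last query is the check that is most often skipped: GRANT SELECT ON finance.customers TO some_user made years ago is untouched by the realm. Add a command rule on GRANT for FINANCE objects if such grants must also go through the security DBA.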
Oracle Audit Vault: Audit Database Activity in Real Time
• Consolidate database audit trails into a secure centralized repository
• Detect and alert on suspicious activities, including those of privileged users
• Out-of-the-box compliance reports for SOX, PCI and other regulations, e.g. privileged user audit, entitlements, failed logins, regulated data changes
• Streamline audits with report generation, notification, attestation, archiving, etc.
[Diagram: audit data from the CRM, ERP and HR databases flows into the Audit Vault repository; policies drive built-in reports, custom reports and alerts for the auditor]
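Audit Vault consolidates what the source databases record, so the database-side policy decides what there is to alert on. The following is an added example (not from the deck, not Oracle's sample code) of a fine-grained auditing policy that records reads and changes of a salary column unless they come from the payroll application, plus the three dictionary queries behind the "entitlements", "failed logins" and "regulated data changes" reports named on the slide. HR.EMP, the SALARY column, the module name PAYROLL_APP and the policy name are assumed.

```sql
-- Added example, not from the deck. HR.EMP, SALARY, PAYROLL_APP and the policy
-- name AUD_EMP_SALARY are hypothetical.
BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema   => 'HR',
    object_name     => 'EMP',
    policy_name     => 'AUD_EMP_SALARY',
    -- only statements that touch SALARY...
    audit_column    => 'SALARY',
    -- ...and only when the client is not the payroll application. NVL matters:
    -- with a NULL module the comparison would be NULL and nothing is audited.
    audit_condition => 'NVL(SYS_CONTEXT(''USERENV'',''MODULE''), ''-'') <> ''PAYROLL_APP''',
    statement_types => 'SELECT,UPDATE,DELETE',
    -- DB_EXTENDED keeps the SQL text and bind values with each record
    audit_trail     => DBMS_FGA.DB_EXTENDED,
    enable          => TRUE);
END;
/

-- Regulated data changes and reads caught by the policy
SELECT timestamp, db_user, os_user, userhost, statement_type, sql_text
  FROM dba_fga_audit_trail
 WHERE policy_name = 'AUD_EMP_SALARY'
 ORDER BY timestamp DESC;

-- Entitlements: who holds a system privilege that reaches data without a grant?
SELECT grantee, privilege
  FROM dba_sys_privs
 WHERE privilege IN ('SELECT ANY TABLE', 'UPDATE ANY TABLE', 'EXEMPT ACCESS POLICY')
 ORDER BY grantee;

-- Failed logins (requires AUDIT CREATE SESSION; 1017 is ORA-01017 bad credentials)
SELECT timestamp, username, os_username, userhost, returncode
  FROM dba_audit_session
 WHERE returncode = 1017
 ORDER BY timestamp DESC;
```

Two limits to keep in mind: MODULE is set by the client (DBMS_APPLICATION_INFO), so a DBA can impersonate the application and escape the condition; the policy is detection, and Database Vault rules with a stronger factor are the control. And fine-grained auditing does not record statements run AS SYSDBA; set AUDIT_SYS_OPERATIONS=TRUE so those land in the OS or XML audit trail that Audit Vault also collects.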
Oracle Total Recall: Track Changes to Sensitive Data
select salary from emp AS OF TIMESTAMP TO_TIMESTAMP('02-MAY-09 12.00 AM', 'DD-MON-RR HH.MI AM') where emp.title = 'admin'
• Transparently track application data changes over time
• Efficient, tamper-resistant storage of archives in the database
• Real-time access to historical application data using SQL
• Simplified incident forensics and recovery
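Setting up the archive and then using it during an investigation, as an added example in Oracle Database 11g SQL (not from the deck, not Oracle's sample code). HR.EMP with EMPNO, TITLE and SALARY columns, the tablespace FDA_TS, the archive name and the retention period are assumed; the point-in-time query is the slide's own, with an explicit format mask so it does not depend on the session's NLS settings.

```sql
-- Added example, not from the deck. HR.EMP, FDA_TS, FDA_HR and the dates are
-- hypothetical. Needs the FLASHBACK ARCHIVE ADMINISTER privilege to create.

-- 1. One archive per retention policy; attach the sensitive table to it.
CREATE FLASHBACK ARCHIVE fda_hr TABLESPACE fda_ts QUOTA 10G RETENTION 7 YEAR;
ALTER TABLE hr.emp FLASHBACK ARCHIVE fda_hr;
-- The history lives in SYS_FBA_HIST_* tables owned by the database, not the
-- application; DML against them is rejected with ORA-55622, which is the
-- "tamper-resistant" property on the slide.

-- 2. Forensics: the value at a point in time (the slide's query, made NLS-safe).
SELECT salary
  FROM hr.emp AS OF TIMESTAMP TO_TIMESTAMP('02-MAY-09 12.00 AM', 'DD-MON-RR HH.MI AM')
 WHERE title = 'admin';

-- 3. Forensics: every version of the admin rows in a window, with the
--    transaction that produced each one and, while undo still holds it,
--    the account that ran it.
SELECT v.versions_starttime, v.versions_endtime, v.versions_operation,
       v.empno, v.salary, q.logon_user
  FROM hr.emp VERSIONS BETWEEN TIMESTAMP
         TO_TIMESTAMP('2009-05-01 00:00:00', 'YYYY-MM-DD HH24:MI:SS')
         AND SYSTIMESTAMP v
  LEFT JOIN flashback_transaction_query q ON q.xid = v.versions_xid
 WHERE v.title = 'admin'
 ORDER BY v.versions_starttime;

-- 4. Recovery: put the column back to the pre-incident value per row.
UPDATE hr.emp e
   SET salary = (SELECT h.salary
                   FROM hr.emp AS OF TIMESTAMP
                        TO_TIMESTAMP('2009-05-01 00:00:00', 'YYYY-MM-DD HH24:MI:SS') h
                  WHERE h.empno = e.empno)
 WHERE e.title = 'admin';
COMMIT;
```

The row history (step 3) comes from the archive and is available for the whole retention period; the LOGON_USER comes from undo via FLASHBACK_TRANSACTION_QUERY (SELECT ANY TRANSACTION needed) and ages out with undo retention, so the "who" of an old change must come from the audit trail instead.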
Oracle Database Firewall: First Line of Defense
• Monitor database activity to prevent unauthorized database access, SQL injection, privilege or role escalation, illegal access to sensitive data, etc.
• Highly accurate SQL grammar-based analysis without costly false positives
• Flexible SQL-level enforcement options based on white lists and black lists
• Scalable architecture provides enterprise performance in all deployment modes
• Built-in and custom compliance reports for SOX, PCI and other regulations
[Diagram: SQL from the applications passes through the firewall, which can Allow, Log, Alert, Block or Substitute each statement according to policy; policies feed built-in reports, custom reports and alerts]
Oracle Configuration Management: Secure Your Database Environment
• Discover and classify databases into policy groups
• Scan databases against 400+ best practices and industry standards, plus custom enterprise-specific configuration policies
• Detect and even prevent unauthorized database configuration changes
• Change management dashboards and compliance reports
[Diagram: a discover, classify, assess, monitor, prioritize and fix lifecycle, backed by asset management, policy management, configuration management and audit, vulnerability management, and analysis and analytics]
Oracle Data Masking: Irreversibly De-Identify Data for Non-Production Use
• Make application data securely available in non-production environments
• Prevent application developers and testers from seeing production data
• Extensible template library and policies for data masking automation
• Referential integrity automatically preserved so applications continue to work

Production:
LAST_NAME   SSN          SALARY
AGUILAR     203-33-3234  40,000
BENSON      323-22-2943  60,000

Non-Production (masked):
LAST_NAME   SSN          SALARY
ANSKEKSL    111-23-1111  60,000
BKJHHEIEDK  222-34-1345  40,000

Data never leaves the database
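What "irreversible" and "referential integrity preserved" mean in practice, as an added example in Oracle SQL written for this page (not from the deck, not Oracle Data Masking's own implementation). It masks the SSN in a parent table and a child table that references it through one throw-away mapping, and replaces surnames with random strings of the kind the slide shows. The tables EMP and EMP_BANK, the foreign key FK_EMP_BANK_SSN and the column names are assumed; it is run on the non-production clone, never on production.

```sql
-- Added example, not from the deck. EMP, EMP_BANK, FK_EMP_BANK_SSN and the
-- column names are hypothetical. Run on the clone only.

-- 1. One new SSN per real SSN. rn*7919 mod 1e9 is a bijection on 0..999999999
--    (7919 is coprime to 10^9), so the new values are unique without a retry
--    loop, and ordering rn by DBMS_RANDOM.VALUE breaks any link to the
--    original order. Irreversibility comes from dropping this table in step 4,
--    not from the random source.
CREATE TABLE ssn_map AS
SELECT old_ssn,
       SUBSTR(n, 1, 3) || '-' || SUBSTR(n, 4, 2) || '-' || SUBSTR(n, 6, 4) AS new_ssn
  FROM (SELECT old_ssn,
               LPAD(MOD(ROW_NUMBER() OVER (ORDER BY DBMS_RANDOM.VALUE) * 7919,
                        1000000000), 9, '0') AS n
          FROM (SELECT DISTINCT ssn AS old_ssn FROM emp WHERE ssn IS NOT NULL));

-- 2. Apply the same mapping to parent and child so the relationship survives.
--    The FK is disabled while both sides change and re-validated afterwards,
--    which fails loudly if any child row lost its parent.
ALTER TABLE emp_bank DISABLE CONSTRAINT fk_emp_bank_ssn;

UPDATE emp e
   SET e.ssn = (SELECT m.new_ssn FROM ssn_map m WHERE m.old_ssn = e.ssn)
 WHERE e.ssn IS NOT NULL;

UPDATE emp_bank b
   SET b.ssn = (SELECT m.new_ssn FROM ssn_map m WHERE m.old_ssn = b.ssn)
 WHERE b.ssn IS NOT NULL;

ALTER TABLE emp_bank ENABLE VALIDATE CONSTRAINT fk_emp_bank_ssn;

-- 3. Surnames: random upper-case strings of varying length, evaluated per row.
UPDATE emp
   SET last_name = DBMS_RANDOM.STRING('U', TRUNC(DBMS_RANDOM.VALUE(6, 11)));

COMMIT;

-- 4. Destroy the only link between masked and real values.
DROP TABLE ssn_map PURGE;
```

Three things decide whether this is really irreversible. Do not derive the new value from the old one with a hash: a 9-digit SSN space is brute-forced in seconds, so a hash is a lookup table, not masking. The clone's own history still holds the real values: undo (AS OF queries), any flashback archive tracking EMP, redo and archive logs, and backups of the clone taken before masking, so mask before the first backup and keep Total Recall off the clone. And masked SSNs such as 000-00-7919 are unique but not valid-looking; if the application validates SSN ranges, constrain the generator accordingly.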
Oracle Database Defense In DepthSolution Summary
• Oracle Advanced Security
• Oracle Identity Management
• Oracle Database Vault
• Oracle Label Security
• Oracle Audit Vault
• Oracle Total Recall
• Oracle Database Firewall
• Oracle Configuration Management
• Oracle Data Masking
Comprehensive – Transparent – Easy to Deploy – Proven!
Next Steps
• Protect sensitive data and database infrastructure ASAP!
• Database Clouds enable better security at lower cost and complexity
• Start evolving your existing IT infrastructure into a Private Cloud
• Secured Oracle Exadata servers provide the secure database cloud building block you need
• Securing your databases will allow you to outsource/take advantage of Public Clouds with less risk