Security in a Cloudy Architecture

As presented by Geri Born at Oracle Technology Network Architect Day, Dallas TX, May `13, 2010.

Published in: Technology, Business

  1. Security in a Cloudy Architecture. Geri Born, Enterprise Solutions Group
  2. The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remain at the sole discretion of Oracle. © 2010 Oracle Corporation
  3. Agenda
     • Introduction
     • Security Challenges
     • Identity and Access Management
     • Database Security
     • Conclusion
     • Q&A
  4. Enterprise Evolution to Cloud (diagram). Public cloud evolution: IaaS, PaaS, SaaS. Private cloud evolution: Private IaaS and Private PaaS, Virtual Private Cloud, Hybrid. Stages of the private cloud evolution and their characteristics:
     • Silo’d: physical, dedicated, static, heterogeneous
     • Grid: virtual, shared services, dynamic resource mgmt, standardized appliances
     • Private Cloud: self-service, policy-based, chargeback, capacity planning
     • Hybrid: federation with public clouds, interoperability, cloud bursting
  5. Key Barriers to Cloud Computing. 74% rate cloud security issues as “very significant” (source: IDC).
     • Data privacy
     • Compliance
     • Access control
  6. Cloud Security Challenges
     • Private cloud: IT agility, B2B collab, access control complexity, privileged user access
     • Hybrid cloud: interop, user experience, workload portability
     • Public cloud: data breaches, multi-tenancy, data location, compliance, SLA
  7. Cloud Architecture & Management (diagram)
     • Self Service Interface
     • Cloud Management Layer: Self Service Provisioning, Assembly Builder, Software Library, Chargeback & Capacity Planning (integrated with an external billing system), Policy Manager (SLA Mgmt, DRS, DPM), Monitoring, Provisioning, Config. Mgmt. (integrated with an external CMDB), Oracle Virtualization Plugin, External Cloud Plugin (e.g., Amazon)
     • Cloud Infrastructure Layer: Zone A and Zone B, each with server pools that are either tightly coupled clusters (HA, Live Migration) or loose groupings of individual machines (no HA or Live Migration), backed by storage arrays (optional for the loose grouping)
  8. Enterprise Architecture: Process for Securing the Cloud (diagram). A transitional architecture of point-to-point integrations across client, product, ERP, SCM, MES, database and staff systems (integration complexity) evolves to IT-as-a-Service: an Optimized IT Core with an Enterprise Security Layer, an Integration Layer and Service Groups A, B and C, each running on an Application Grid and a Data Grid. Four steps: (1) Align Business & IT, (2) Governance Model, (3) Focus on Future State, (4) Repeatable, Iterative Approach.
  9. The Oracle-Sun Red Stack (diagram)
     • Applications: Oracle Applications, ISV Applications, Third Party Applications
     • Platform as a Service: Shared Services (Integration: SOA Suite; Process Mgmt: BPM Suite; Security: Identity Mgmt; User Interaction: WebCenter); Application Grid (WebLogic Server, Coherence, Tuxedo, JRockit); Database Grid (Oracle Database, RAC, ASM, Partitioning, IMDB Cache, Active Data Guard, Database Security)
     • Infrastructure as a Service: Operating Systems (Oracle Solaris, Oracle Enterprise Linux); Virtualization (Oracle VM for SPARC (LDom), Solaris Containers, Oracle VM for x86); Servers; Storage
     • Cloud Management with Oracle Enterprise Manager: Configuration Mgmt, Application Performance Management, Application Quality Management, Physical and Virtual Systems Management (Ops Center), Connect Policies to Controls, Management Lifecycle
  10. Agenda (repeated)
  11. Service-Oriented Security: Identity Services for the Cloud. Oracle Identity Management exposes Identity Administration, Role Management, Directory Services, Authentication, Authorization and Federation as Web Services to Oracle Apps, 3rd Party/Custom Apps and Cloud Service Providers.
     • Enable IDM functionality (FW)
     • Discrete, easily consumable services
     • Rapid app security, improved IT agility
     • Security woven into applications
  12. Identity Management Challenges in the Private Cloud. The cloud model requires an identity infrastructure that is:
     • Service-oriented
     • Standards-based
     • Loosely coupled
     Mind The Gap.
  13. Identity Management Considerations in the Public Cloud (diagram). Roles: IAM Service Provider, Business Service Provider and Business Service Consumer, each with Identity Assurance and Identity Admin, linked by Identity Federation.
     • User lifecycle mgmt
     • Federated authN
     • Fraud prevention & risk mitigation
  14. User Provisioning: Oracle Identity Manager. Provisioning, Self Registration, Audit/Reporting/Attestation, Integration Framework with Adapter Factory.
     • Comprehensive lifecycle admin & mgmt
     • Delegated admin & self-service reduce overhead
     • Automated compliance reporting
  15. Entitlements Management: Oracle Access Management Suite. Fine-grained Authorization, Centralized Administration and Distributed Enforcement for Custom Apps, Portals/SharePoint and Web Services used by Employees, Partners and Customers.
     • Externalization of authZ policy mgmt
     • Distributed policy enforcement
     • Fine-grained authorization (FGA)
  16. Identity Federation: Federated Single Sign-On with Oracle Identity Federation between On-Premise Applications (Employees/Partners/Customers), Business Affiliates/Subsidiaries and Cloud Applications. Standards: SAML 1.x, SAML 2.0, Windows CardSpace, WS-Fed, OpenID.
     • SSO between on-premise & cloud apps
     • Standards-based federation enables interop
     • Rapid deployment
  17. Identity Assurance: Risk-Based Access Control with Oracle Access Management Suite. Secure Mutual Authentication, Risk Scoring (device, geography, time, activity) and Risk-Based Authorization for Employees/Partners/Customers accessing Cloud Apps and On-Premise Apps, with the fraudster kept out.
     • Out-of-band authN
     • Identity proofing
     • Real-time fraud prevention
  18. Agenda (repeated)
  19. Multi-Tenant Data Management. Option 1: Shared (Virtualized) Hardware. Option 2: Shared Database. Option 3: Shared Schema. Risks:
     • Privileged database user
     • Lost backups containing sensitive data or PII
     • Application exploits & by-pass
     • Regulatory infractions
  20. Database Security Defense-In-Depth
     • Encryption & Masking: Advanced Security, Secure Backup, Data Masking
     • Access Control: Database Vault, Label Security
     • Monitoring: Audit Vault, Configuration Management, Total Recall
     • User/Role Management: Oracle Identity Management
  21. Oracle Advanced Security: Comprehensive Standards-Based Encryption for disk, backups, exports and off-site facilities.
     • Data stays encrypted when backed up
     • Encryption for data in transit
     • Strong authN of users & servers
  22. Oracle Data Masking: Irreversible De-Identification. Production rows (LAST_NAME, SSN, SALARY): AGUILAR, 203-33-3234, 40,000; BENSON, 323-22-2943, 60,000. Non-production rows after masking: ANSKEKSL, 111-23-1111, 60,000; BKJHHEIEDK, 222-34-1345, 40,000.
     • Remove sensitive data from non-prod DBs
     • Referential integrity preserved
     • Sensitive data never leaves the database
  23. Oracle Database Vault: Privileged User Access Control & Multi-Factor Authorization (diagram: Procurement, HR and Finance applications, and a DBA issuing "select * from finance.customers").
     • Privileged DB users perform admin
     • Address SoD reqmts
     • Enforce security policies & block unauth DB activities
  24. Oracle Configuration Management: Vulnerability Assessment & Secure Configuration. Lifecycle: Discover, Classify, Assess, Prioritize, Fix, Monitor. Components: Asset Management, Configuration Management, Policy Management, Vulnerability Management, Analysis & Analytics & Audit.
     • DB discovery
     • Continuous scanning against best practices & industry standards
     • Detect & prevent unauthZ config changes
     • Change mgmt compliance reports
  25. Agenda (repeated)
  26. Regulatory Considerations for Cloud Security. Oracle Security Solutions: Enforce Controls, Monitor Controls, Streamline Processes, Automate Reporting.
  27. Closing slide
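The irreversible, referential-integrity-preserving masking described on the Data Masking slide, as an added example (not Oracle Data Masking's own code). It assumes the slide's production rows plus a constructed BENEFITS table that references employees by SSN, and uses a keyed hash under a one-time key that is discarded after the run.

```python
import hashlib
import hmac
import random
import re
import secrets
import string

# Constructed sample rows modelled on the slide's PRODUCTION table, plus a
# second table (constructed) that references employees by SSN.
EMPLOYEES = [
    {"LAST_NAME": "AGUILAR", "SSN": "203-33-3234", "SALARY": 40000},
    {"LAST_NAME": "BENSON", "SSN": "323-22-2943", "SALARY": 60000},
]
BENEFITS = [{"SSN": "203-33-3234", "PLAN": "HMO"}, {"SSN": "323-22-2943", "PLAN": "PPO"}]

def new_mask_key() -> bytes:
    # Per-run secret held only in memory and discarded afterwards: without it
    # the masked values cannot be mapped back, which makes the masking irreversible.
    return secrets.token_bytes(32)

def _digest(key: bytes, column: str, value: str) -> bytes:
    # Keyed hash: the same input always yields the same output within one run,
    # so foreign-key relationships between tables survive masking.
    return hmac.new(key, f"{column}:{value}".encode(), hashlib.sha256).digest()

def mask_last_name(key: bytes, name: str) -> str:
    d = _digest(key, "LAST_NAME", name)
    return "".join(string.ascii_uppercase[d[i % len(d)] % 26] for i in range(len(name)))

def mask_ssn(key: bytes, ssn: str) -> str:
    digits = "".join(str(b % 10) for b in _digest(key, "SSN", ssn)[:9])
    return f"{digits[:3]}-{digits[3:5]}-{digits[5:9]}"

def looks_like_ssn(value: str) -> bool:
    return re.fullmatch(r"\d{3}-\d{2}-\d{4}", value) is not None

def mask_tables(key: bytes, employees: list, benefits: list) -> tuple:
    # Names and SSNs are replaced consistently; SALARY values are shuffled
    # across rows so test data keeps a realistic distribution.
    salaries = [e["SALARY"] for e in employees]
    random.Random(key).shuffle(salaries)
    masked_emps = [{"LAST_NAME": mask_last_name(key, e["LAST_NAME"]),
                    "SSN": mask_ssn(key, e["SSN"]), "SALARY": s}
                   for e, s in zip(employees, salaries)]
    masked_ben = [{"SSN": mask_ssn(key, b["SSN"]), "PLAN": b["PLAN"]} for b in benefits]
    return masked_emps, masked_ben

def referential_integrity_holds(employees: list, benefits: list) -> bool:
    # Every BENEFITS row must still join to exactly one EMPLOYEES row.
    ssns = [e["SSN"] for e in employees]
    return all(ssns.count(b["SSN"]) == 1 for b in benefits)
```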
