Lucw lsec-securit-20110907-4-final-5

This is a public presentation I gave in 2011 @ www.lsec.be wrt cloud security. Even though the content is "Oracle tagged", it reflects my opinions at that time wrt cloud security.
The pdf of this presentation is publicly available @ http://www.lsec.be/upload_directories/documents/110908_CloudTrust/8_Wijns_Luc_Oracle_110908.pdf

Presentation Transcript

  • Data Security in the Cloud. Luc Wijns, Chief Technologist Systems Benelux
  • The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle. © 2011 Oracle Corporation
  • NIST Definition of Cloud Computing: Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of:
    • 5 Essential Characteristics: On-demand self-service, Resource pooling, Rapid elasticity, Measured service, Broad network access
    • 3 Service Models: SaaS, PaaS, IaaS
    • 4 Deployment Models: Public Cloud, Private Cloud, Community Cloud, Hybrid Cloud
    Source: NIST Definition of Cloud Computing v15
  • Fear, Uncertainty & Doubt (FUD):
    • …"Cloud Computing is not Secure"…?
    • Can Cloud Computing be as Secure as on-premises Data Centers?
    • Can Cloud Computing be Compliant?
    • What about: "Cloud Computing cannot meet the Common Needs because Customers won't let their Data leave their Country."?
    • "We must move all to the Clouds or we won't be competitive anymore…"?!?
    • …etc.
  • In the Cloud, Threats do not Change: Security guru Bruce Schneier says that whatever cloud computing is, the security issues and conversations around it are nothing new. The key, he says, always comes down to trust and transparency. (Dahna McConnachie, Technology & Business, March 31, 2009, http://www.schneier.com/news-083.html)
  • Security Concerns Don't Change: Identification, Authentication, Authorization, Accountability, Confidentiality, Integrity, Privacy, Non-repudiation, Availability
  • Which is "Best" for which Context?
  • Service Models and Transparency (diagram: Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS) architectures, each layered on the cloud infrastructure)
  • Road to Security Maturity (diagram: infrastructure maturity levels from Level 1 Crisis Control, through Level 2 IT Component Management, Level 3 IT Operation Management and Level 4 IT Service Management, to Level 5 Business Value Management; the stages along the way are consolidation, standardization, industrialization, infrastructure virtualization, infrastructure on demand and end-to-end services provisioning, with governance, performance management, automation and virtualization as enablers and business value as the axis)
  • Oracle Cloud Computing Strategy. Our objectives:
    • Ensure that cloud computing is fully enterprise grade
    • Support both public and private cloud computing – give customers choice
    (diagram: on the Internet side, Oracle Applications / Oracle On Demand and Oracle technology in public clouds across SaaS, PaaS and IaaS; on the intranet side, a private cloud with apps, Oracle Private PaaS and users across SaaS, PaaS and IaaS)
  • Oracle On Demand – Security (SaaS), 1/2:
    • Compliance Rules are implemented Everywhere
    • Example: HIPAA Service Provider for Healthcare
    • Compliant with the Technical, Physical and Administrative Safeguards
    • HITECH Requires Business Associates (Service Providers) to be Compliant
    • ISO27000 Certificate
  • Compliance Requirements (regulation, data covered):
    • FERPA (Federal Educational Rights & Privacy Act): Student Records
    • Data privacy laws (most US states + foreign countries): HR
    • PCI-DSS (Payment Card Industry Data Security Standards): Orders
    • SOX (Sarbanes-Oxley): Finance
    • HIPAA/HITECH (Health Information Technology for Economic & Clinical Health Act): Patient Records
  • Oracle Private Cloud Solution (diagram of the stack):
    • Applications: Oracle Apps, ISV Apps, 3rd Party Apps
    • Platform as a Service: Integration (SOA Suite), Process Mgmt (BPM Suite), Security (Identity Mgmt), User Interaction (WebCenter), Application Grid (WebLogic Server, Coherence, Tuxedo, JRockit), Database Grid (Oracle Database, RAC, ASM, Partitioning, IMDB Cache, Active Data Guard, Database Security)
    • Infrastructure as a Service: Operating Systems (Oracle Solaris, Oracle Enterprise Linux), Oracle VM for SPARC (LDom), Solaris Containers, Oracle VM for x86, Servers, Storage
    • Cloud Management (Oracle Enterprise Manager, Ops Center): Application Performance Mgmt, Lifecycle Management, Configuration Management, Application Quality Mgmt, Physical & Virtual Systems Mgmt
  • Cloud Architecture – Logical View (diagram: interfaces such as native protocols, portals, custom UIs and self-service APIs; access facilities such as proxy, perimeter security, naming and balancing; service layers for user interaction / self service, SaaS business processes and business services, PaaS data, queue and container services, and IaaS application server, network and storage; cloud management services covering security / policy mgmt, model mgmt, provisioning, the customer info model, service catalog, mediation and policy enforcement, service mgmt, monitoring, capacity mgmt, metering & billing and resource mgmt; and resources organised as vDCs, logical pools and physical pools of compute, networks, storage and other under pool managers, with external legacy systems and partners alongside)
  • Identify Roles and Interactions. Cloud implies changes in IT roles:
    • App Owner: uses services, monitors & approves services
    • Developer: creates services
    • DevOps: packages & deploys services
    • Cloud Operator: monitors/manages the cloud
    • Cloud Builder: creates resources
  • Oracle Defense-in-Depth
  • Oracle Security Inside Out:
    • Infrastructure Security: Hardware Accelerated Encryption, Secure Key Management and Storage, Strong Workload Isolation, Secure Service Delivery Platforms
    • Database Security: Encryption and Masking, Privileged User Controls, Multi-Factor Authorization, Activity Monitoring and Audit, Secure Configuration, Monitor and Block
    • Middleware: User and Role Management, Access Management, Virtual Directories, Rights Management, Identity Governance
    • Applications: Comprehensive Compliance Mgmt., Centralized Policy Administration, Access Management, Track and Audit Content and Usage
  • Bringing Infrastructure Security: Secure Infrastructure Matters!
  • Infrastructure Security Foundation
  • Infrastructure and Cryptography
  • Solaris Security: Secure Service Containers, User and Process Rights Management, Cryptographic Framework, Comprehensive Auditing, Solaris Trusted Extensions, Secure Network Access, Common Criteria Evaluated (EAL4+)
  • Solaris Zones: Immutable Service Containers
  • Infrastructure and Cryptography
  • How to Destroy Data in a Hurry:
    • Delete file: No
    • Overwriting the data: No
    • Shoot the drive: No
    • Security Erase: No
    • De-Gaussing: No, or at high cost
    • Melting: No, or at high cost
    • Shredding: No, or at high cost
  • ZFS Hybrid Storage Pool Encryption. Solaris 11 Express brings encryption to ZFS Hybrid Storage Pools:
    • DRAM/ARC is not encrypted – but you can protect swapped-out pages (encrypted swap ZVOL)
    • L2ARC is always encrypted (ephemeral keys)
    • ZIL is always encrypted (on-disk or on-SSD)
    • On-disk data is always encrypted
    (diagram: DRAM/ARC, write/ZIL flash, read/L2ARC flash, scalable large-capacity SAS disks)
  • Full Disk Encryption (FDE)?
    • Almost 100% transparent to the user
    • You will probably have to enter a password at boot time
    • 0% performance impact if encrypt/decrypt is done in firmware
    • Hardware is filesystem agnostic
    • No access to ciphertext: is it really encrypted?
    • No known versions with data encryption key change
    • Same keylen/algorithm/mode for the complete disk
    • A lot of data with the same key
    • Need HW change to change algorithm
    • No enterprise SSD doing crypto
    • Not aware of RAID volumes
  • ZFS Filesystem & Dataset Encryption:
    • More flexibility in software
    • Easiest for key management
    • Single multi-disk pool or per-dataset wrapping keys
    • Keys are agnostic of RAID config
    • Wrapping and data encryption key change
    • Algorithm/keylen/mode change
    • Integrate with SSDs (HSP)
    • Ciphertext is visible
    • Encrypt snapshots and clones
    • Compression, encryption & deduplication work together
    • Integrating with the host & operating system crypto infrastructure (SW and HW)
  • Infrastructure and Cryptography
  • Cryptographic Capabilities and Algorithms: T3 Processor
  • Infrastructure and Cryptography
  • Three Key Elements Needed for Data Encryption on Removable Media: Crypto-Ready Tape Drive, Key Management Station, Token to Transport Keys
  • Key Takeaways:
    • Public and Private Clouds share the same Security Requirements
    • "Cloud Thinking" wrt Security – increases security concerns from day one – involves all the stakeholders from day one
    • Investing in "Cloud Technologies" requires a shift in minds and impacts the "Complete Stack"
    • Whatever you think to do with "Cloud", Infrastructure Always Matters
  • Oracle Security is Complete
  • Q&A
  • The preceding is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
  • Trust in Cloud Computing with Transparent Security:
    • Governance, Information Security and Transparency are interrelated concepts
    • Security Governance can rely on an ISMS (based on ISO 27001/2)
    • Transparency is related to the disclosure of governance frameworks between cloud SP and users
    Sources: http://blogs.barrons.com/techtraderdaily/ , http://blog.talkingidentity.com
  • Data Encryption Matters:
    • The Best Way to Destroy Data in a Hurry is: Encrypt Your Data and Destroy Only the Key
    • The Best Way to Protect Data Efficiently is: Encrypt Your Data and Protect Only the Key
    • Data in Creation, Data in Transit, Data at Rest
    • At All Layers of the Stack