Oracle OpenWorld SF 2015: The Secure Cloud - Larry Ellison, Executive Chairman and Chief Technology Officer, Oracle

Oracle OpenWorld San Francisco 2015 - Keynotes. Larry Ellison's keynote presentation, Tuesday, October 27, 2015. Published in: Technology.

Slide transcript:
1. Innovations in Security & Infrastructure as a Service (Tuesday Keynote)

2. The Cloud: A New Era of Utility Computing
   All three tiers of computing delivered as a service via a global network
   • Applications: Software as a Service (SaaS)
   • Platform: Database, Middleware, Analytics, Integration… as a Service (PaaS)
   • Infrastructure: Storage, Compute and Network as a Service (IaaS)

3. The Cloud 2015: A New Set of Competitors
   Microsoft, Amazon, Salesforce, Workday
   • Applications: Salesforce and Workday – not SAP
   • Platform: Microsoft – not IBM
   • Infrastructure: Amazon – not IBM and EMC

4. Oracle Cloud: Engineering All Three Tiers of Services
   Microsoft has three, Amazon has two, Salesforce has two, Workday has one
   • SaaS: More enterprise applications than any other cloud services provider
     – #1 ERP/EPM Suite, CX Suite, HCM Suite, new Supply Chain Manufacturing Suite…
   • PaaS: Complete suite of industry standards-based platform services
     – #1 SQL Database, Hadoop, NoSQL, #1 Java Middleware, Node.js, Ruby…
   • IaaS: Secure, reliable, low cost, standards-based infrastructure services
     – OpenStack, Linux OS, Xen VM, Docker

5. Oracle Cloud: Six Design Goals
   Oracle develops these features in all three tiers of the cloud
   • Cost: Lowest acquisition price – lowest total cost of ownership
   • Reliability: Fault tolerant – no single point of failure
   • Performance: Fastest database, middleware, analytics…
   • Standards: SQL, Hadoop, NoSQL… Java, Ruby, Node.js… Linux, Docker
   • Compatibility: Easily move workloads between on-premises and cloud
   • Security: Always-on, continuous defense against cyber attacks

6. Oracle Engineers All Three Tiers of the Cloud
   The next generation of security should be pushed down the stack and always on
   • Security features should be pushed down the stack
     – Software: Database security is inherited by all applications
     – Hardware: Security in silicon is inherited by all software
   • Security features should be always on
     – No on-and-off button: no choice
     – Work transparently, without changing existing applications
     – Work with near zero performance penalty
7. Cyber Attacks: Data Theft
   Current state of the art in cyber security – not good enough
   • Credit card and identity theft costs billions every year
     – Retailers' computers hacked, millions of credit cards stolen and sold on the Rescator website
     – New credit cards with an embedded EMV chip and PIN: a hardware fix
   • US federal government Office of Personnel Management
     – More than 20 million personnel records stolen
     – Including security background checks and fingerprints
     – CIA pulled officers out of US embassies…
   • Heartbleed, Venom… security bugs let intruders in
     – Data is stolen
     – Data is changed: the Stuxnet worm destroyed a thousand centrifuges…

8. Oracle Already Has World's Best Security Feature Set
   Current security technology issues: not always-on, performance penalty…
   Security features by tier of the stack:
   • Applications: Governance, Risk & Compliance; Access & Certification Review; Anomaly Detection; User Provisioning; Entitlements Management
   • Middleware: Mobile Security; Privileged Users; Directory Services; Identity Governance; Entitlements Management; Access Management
   • Databases: Encryption; Enterprise Key Management; Database Firewall; Masking; Redaction; Privileged User Control; Auditing; Secure Configuration
   • Operating Systems & Virtual Machines: Application + User Sandboxing; Delegated Administration; Anti-malware System; Data + Network Protection; Zero-Downtime Patching; Compliance Reporting; Secured Application Lifecycle; Secure Live Migration; Immutable Zones; Independent Control Plane
   • Servers, Storage & Networking: Cryptographic Acceleration; Application Data Integrity; Verified Boot; Disk Encryption; Secured Backup; Storage Key Management
9. Most Advanced Security Platform
   First converged infrastructure in silicon – advancing the state of the art: always-on security in silicon
   • Always-on memory protection and encryption pushed down the stack into silicon
   • World's fastest microprocessor
   • Always-on memory intrusion protection and wide-key encryption
   • Hardware SQL acceleration, compression and encryption
   • More cores, threads, memory and I/O bandwidth, with lower latency

10. Advancing the State-of-the-Art
    M7 microprocessor – world's first implementation of software features in silicon
    • Always-on security in silicon
      – Memory intrusion detection
    • High-speed encryption
      – Near zero performance impact
    • SQL in silicon
      – High-speed memory decompression…
      – Accelerates the in-memory database

11. Always-On Memory Protection in Hardware
    Security in silicon – Silicon Secured Memory
    • First ever hardware-based memory intrusion protection of its kind
    • Always-on hardware approach has near zero performance impact
    • Stops a program from accessing memory that was not allocated to it, including other applications' memory
      – Stops exploitation of bugs like Venom and Heartbleed
      – Helps developers find difficult bugs
12. M7 Silicon Secured Memory (SSM): How It Works
    Always-on memory intrusion detection
    • Terabytes of data sit in highly vulnerable server main memory
    • A hidden memory color (a key and a lock) is set when memory is allocated
    • The hidden color bits are added to the pointer (the key) and to the memory content (the lock)
    • On every access the pointer's color key must match the content's color lock, otherwise the access traps and the program is aborted (or its signal handler runs)
    • The color is changed when the memory is freed, so a stale pointer no longer matches
    • Prevents access off the end of a structure, stale-pointer (use-after-free) access and malicious attacks – and improves developer productivity
    Caveat: the hardware tags memory at a fixed granularity (on M7, a 4-bit version per 64-byte line), so an overrun that stays inside the last tagged line of its own allocation, or a stray pointer that by chance carries the same 4-bit color as the memory it touches, is not detected.
    [Diagram: memory pointers carrying a color key checked against memory content carrying a color lock; mismatch = STOP]
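The key-and-lock scheme described on this slide, as an added software model that is not Oracle's code or a description of the M7 microarchitecture. It assumes (labelled in the code) a 4-bit color in the top bits of every pointer and one color per 64-byte line of memory, a bump allocator and a fault counter standing in for the hardware trap. It shows the three cases the slide names (over-write off the end of a buffer, over-read off the end of a buffer, access through a freed pointer) and the granularity limit the hardware has:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not Oracle code: a software model of SSM/ADI-style memory
 * coloring. Assumed model parameters: a 4-bit color ("version") carried in
 * bits 63:60 of every pointer and one color per 64-byte line of memory.
 * Requires a 64-bit uintptr_t. */
#define LINE_BYTES  64
#define ARENA_LINES 64
#define COLOR_SHIFT 60
#define COLOR_MASK  0xFULL

typedef uintptr_t cptr;   /* colored pointer: arena offset | color << COLOR_SHIFT */

static unsigned char arena[ARENA_LINES * LINE_BYTES];
static uint8_t line_color[ARENA_LINES];  /* the lock: one color per line, 0 = free */
static size_t  next_line;                /* bump allocator state */
static uint8_t next_color = 1;           /* colors 1..15 rotate; 0 means unallocated */
static int     faults;                   /* each key/lock mismatch = one hardware trap */

static size_t  ssm_offset(cptr p, size_t off) { return (size_t)(p & ~(COLOR_MASK << COLOR_SHIFT)) + off; }
static uint8_t ssm_key(cptr p)                { return (uint8_t)((p >> COLOR_SHIFT) & COLOR_MASK); }

/* allocate: color the lines (lock) and hand back a pointer carrying the same color (key) */
static cptr ssm_alloc(size_t n) {
    size_t lines = (n + LINE_BYTES - 1) / LINE_BYTES;
    if (lines == 0 || next_line + lines > ARENA_LINES) return 0;
    uint8_t color = next_color;
    next_color = (uint8_t)(next_color % 15 + 1);   /* adjacent allocations never share a color */
    for (size_t i = 0; i < lines; i++) line_color[next_line + i] = color;
    cptr p = (cptr)(next_line * LINE_BYTES) | ((cptr)color << COLOR_SHIFT);
    next_line += lines;
    return p;
}

/* free: change the lock, so any stale copy of the old pointer mismatches from now on */
static void ssm_free(cptr p) {
    size_t line = ssm_offset(p, 0) / LINE_BYTES;
    uint8_t key = ssm_key(p);
    while (line < ARENA_LINES && line_color[line] == key) line_color[line++] = 0;
}

/* the check the hardware performs on every load and store */
static int ssm_check(cptr p, size_t off) {
    size_t a = ssm_offset(p, off);
    if (a >= sizeof arena || line_color[a / LINE_BYTES] != ssm_key(p)) { faults++; return 0; }
    return 1;
}
static int ssm_store(cptr p, size_t off, unsigned char v) {
    if (!ssm_check(p, off)) return 0;
    arena[ssm_offset(p, off)] = v;
    return 1;
}
static int ssm_load(cptr p, size_t off, unsigned char *out) {
    if (!ssm_check(p, off)) return 0;
    *out = arena[ssm_offset(p, off)];
    return 1;
}

/* Venom-style buffer over-write: byte 64 of a 64-byte buffer lands on the neighbour's line */
int demo_overwrite(void) {
    cptr buf = ssm_alloc(64), neighbour = ssm_alloc(64);
    int before = faults, ok = 1;
    for (size_t i = 0; i < 64; i++) ok &= ssm_store(buf, i, 'A');   /* in bounds: no trap */
    int trapped = !ssm_store(buf, 64, 'A');
    (void)neighbour;
    return ok && trapped && faults == before + 1;
}

/* Heartbleed-style buffer over-read: reading past the end traps the same way */
int demo_overread(void) {
    cptr buf = ssm_alloc(64), neighbour = ssm_alloc(64);
    unsigned char v;
    int before = faults;
    int ok = ssm_load(buf, 63, &v);
    int trapped = !ssm_load(buf, 64, &v);
    (void)neighbour;
    return ok && trapped && faults == before + 1;
}

/* stale (use-after-free) pointer: the lock changed on free, the key in the old pointer did not */
int demo_stale_pointer(void) {
    cptr buf = ssm_alloc(64);
    ssm_free(buf);
    return !ssm_store(buf, 0, 'A');
}

/* limitation: granularity is one line, so a 16-byte object overrun by 24 bytes
 * stays inside its own (whole) line and passes the check */
int demo_intra_line_miss(void) {
    cptr small = ssm_alloc(16);
    return ssm_store(small, 40, 'A') == 1;
}

int main(void) {
    printf("over-write trapped: %d\n", demo_overwrite());
    printf("over-read trapped: %d\n", demo_overread());
    printf("stale pointer trapped: %d\n", demo_stale_pointer());
    printf("intra-line overrun missed: %d\n", demo_intra_line_miss());
    return 0;
}
```

The last case is the one to keep in mind when reading the "would have detected" slides that follow: coloring catches accesses that cross into a line owned by someone else, not every off-by-one inside the allocation's own final line.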
13. Venom Vulnerability – Impacted Servers Using QEMU
    • Memory access vulnerability (CVE-2015-3456, in the virtual floppy disk controller) discovered in the open source Quick Emulator hypervisor platform (QEMU)
    • Allows malicious code inside a VM guest to execute code in the host machine's hypervisor security context; the code can then escape the guest VM and gain control over the entire host
    • Caused by a buffer over-write condition that allows data to be stored beyond the allocated buffer limits
    [Diagram: host hardware running a hypervisor with a sales server VM, a database server VM and a web server VM; the attacker exploits VENOM to escape a VM, executes instructions in the hypervisor and gains control of the host hardware]

14. M7 SSM Would Have Detected Venom in Real Time
    • When the QEMU driver attempted to write data beyond its allotted buffer limits (buffer over-write), M7's always-on memory intrusion detection would have stopped the access and raised a signal
    • The signal handler could then have terminated the offending process
15. Heartbleed – Impacted Websites Using OpenSSL
    Heartbeat request sent to the victim:
      Type: HB_REQUEST   Payload_size: 65535   Payload: "Hello"
    Victim responds with the requested payload size (64 KB):
      Type: HB_RESPONSE   Payload_size: 65535   Payload: "Hello" followed by whatever sat after it in memory
    Payload_size does not match the payload actually sent, so unauthorized data is returned to the requestor

16. M7 SSM Would Have Detected Heartbleed in Real Time
    • When the attacker's request attempted to read data beyond its allotted buffer limits (buffer over-read), SSM would have stopped the access and raised a signal
    • The signal handler could have responded by flushing the data and terminating the offending connection
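The exchange on slide 15, as an added example that is not OpenSSL's code and not part of the original deck: a stripped-down heartbeat handler in the vulnerable shape (the claimed payload_size is trusted and copied) next to the fixed shape (the claimed size is checked against the length of the record that actually arrived). The message layout follows the slide (type, payload_size, payload; the real protocol's 16 bytes of padding are omitted), and the "process memory" and the secret that happens to follow the record in it are constructed:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not OpenSSL code. Layout as on the slide: 1-byte type,
 * 2-byte big-endian payload_size, then the payload. */
#define HB_REQUEST  1
#define HB_RESPONSE 2

/* Constructed stand-in for process memory: the received record sits at the
 * start, and unrelated sensitive data happens to follow it, as on a real heap. */
static unsigned char process_memory[256];
static const char SECRET[] = "SESSIONKEY=hunter2";   /* constructed sample value */

/* Lay out a heartbeat request claiming `claimed` payload bytes while actually
 * carrying only "Hello" (5 bytes). Returns the true record length. */
static size_t stage_memory(uint16_t claimed) {
    const char hello[] = "Hello";
    size_t rec_len = 3 + (sizeof hello - 1);
    memset(process_memory, 0, sizeof process_memory);
    process_memory[0] = HB_REQUEST;
    process_memory[1] = (unsigned char)(claimed >> 8);
    process_memory[2] = (unsigned char)(claimed & 0xff);
    memcpy(process_memory + 3, hello, sizeof hello - 1);
    memcpy(process_memory + rec_len, SECRET, sizeof SECRET);
    return rec_len;
}

/* Vulnerable: trusts the peer-supplied payload_size and never compares it
 * with the length of the record that actually arrived (the Heartbleed bug). */
static size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                                   unsigned char *resp, size_t resp_cap) {
    (void)rec_len;                                  /* never consulted */
    if (rec[0] != HB_REQUEST) return 0;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    if (3 + payload > resp_cap) return 0;          /* only the output buffer is guarded */
    resp[0] = HB_RESPONSE; resp[1] = rec[1]; resp[2] = rec[2];
    memcpy(resp + 3, rec + 3, payload);            /* over-read: copies whatever follows the record */
    return 3 + payload;
}

/* Fixed: discard any request whose claimed payload_size does not fit inside
 * the received record (the check the OpenSSL patch added). */
static size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                              unsigned char *resp, size_t resp_cap) {
    if (rec_len < 3 || rec[0] != HB_REQUEST) return 0;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    if (3 + payload > rec_len) return 0;           /* the missing bounds check */
    if (3 + payload > resp_cap) return 0;
    resp[0] = HB_RESPONSE; resp[1] = rec[1]; resp[2] = rec[2];
    memcpy(resp + 3, rec + 3, payload);
    return 3 + payload;
}

/* 1 if the vulnerable handler's response to a request claiming 64 bytes
 * contains the secret that followed the 8-byte record in memory */
int vulnerable_leaks_secret(void) {
    unsigned char resp[128];
    size_t rec_len = stage_memory(64);
    size_t n = heartbeat_vulnerable(process_memory, rec_len, resp, sizeof resp);
    return n == 3 + 64 && memcmp(resp + 3 + 5, SECRET, sizeof SECRET - 1) == 0;
}

/* 1 if the fixed handler drops the same malformed request */
int fixed_rejects_overread(void) {
    unsigned char resp[128];
    size_t rec_len = stage_memory(64);
    return heartbeat_fixed(process_memory, rec_len, resp, sizeof resp) == 0;
}

/* 1 if the fixed handler still answers an honest request (payload_size == 5) */
int fixed_answers_honest_request(void) {
    unsigned char resp[128];
    size_t rec_len = stage_memory(5);
    size_t n = heartbeat_fixed(process_memory, rec_len, resp, sizeof resp);
    return n == 8 && resp[0] == HB_RESPONSE && memcmp(resp + 3, "Hello", 5) == 0;
}

int main(void) {
    printf("vulnerable handler leaks secret: %d\n", vulnerable_leaks_secret());
    printf("fixed handler rejects over-read: %d\n", fixed_rejects_overread());
    printf("fixed handler answers honest request: %d\n", fixed_answers_honest_request());
    return 0;
}
```

Slide 16's point maps onto the vulnerable `memcpy`: the bytes it copies past the end of the record are exactly the loads a memory-coloring check would refuse once they crossed into a line with a different color. The software fix removes the over-read outright rather than catching it at runtime.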
17. The M7 Microprocessor Can Protect the Entire Cloud
    Even if 90% of the microprocessors are not M7s
    • Even a few deployed M7 systems can detect an attack that is being run across the entire compute cloud
    • Once an attack is discovered, the other, unprotected systems can then be patched
18. Ksplice for Userspace
    Only Oracle Linux offers kernel and userspace zero-downtime patching
    Zero-downtime operating system diagnostics and patching
    • Easily diagnose issues in production environments without impacting running systems
    • Apply updates (bug and security errata, or diagnostic builds) without rebooting the system
      – Linux kernel
      – Critical userspace libraries such as glibc and OpenSSL
    • Rapidly patch vulnerabilities like Heartbleed with no downtime
    • Enforce security standards by keeping critical systems patched with the latest errata, with no impact on production workloads
    • Flexible deployment options to complement existing operational processes
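Why patching userspace libraries in place matters, shown by the gap it closes. This is an added example, not Oracle or Ksplice code: a conventional package update of OpenSSL or glibc replaces the file on disk, but every running process keeps executing the old copy it already has mapped until it is restarted, and the kernel marks such mappings "(deleted)" in /proc/<pid>/maps. The scanner below reads maps-format text and reports executable mappings in that state; the sample lines (addresses, inode numbers and library versions) are constructed:

```c
#include <stdio.h>
#include <string.h>

/* Added example, not Oracle or Ksplice code. Constructed sample of
 * /proc/<pid>/maps lines: address-range perms offset dev inode [pathname]. */
static const char SAMPLE_MAPS[] =
    "7f3a1c000000-7f3a1c1b0000 r-xp 00000000 08:01 1310822 /usr/lib64/libcrypto.so.1.0.1e (deleted)\n"
    "7f3a1c1b0000-7f3a1c3b0000 ---p 001b0000 08:01 1310822 /usr/lib64/libcrypto.so.1.0.1e (deleted)\n"
    "7f3a1c3d0000-7f3a1c440000 r-xp 00000000 08:01 1310830 /usr/lib64/libssl.so.1.0.1e (deleted)\n"
    "7f3a1c660000-7f3a1c7f0000 r-xp 00000000 08:01 1310100 /usr/lib64/libc-2.17.so\n"
    "7ffd2a000000-7ffd2a021000 rw-p 00000000 00:00 0 [stack]\n";

#define PATH_MAX_LEN 256

/* Returns the number of distinct executable mappings whose backing file has been
 * replaced on disk; copies up to `max` of their paths (without " (deleted)") into out. */
int stale_exec_libs(const char *maps, char out[][PATH_MAX_LEN], int max) {
    int n = 0;
    const char *line = maps;
    while (*line) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        char buf[512];
        if (len >= sizeof buf) len = sizeof buf - 1;
        memcpy(buf, line, len);
        buf[len] = '\0';

        char perms[8] = {0}, path[PATH_MAX_LEN] = {0};
        /* skip range, keep perms, skip offset/dev/inode, keep the rest as the path */
        if (sscanf(buf, "%*s %7s %*s %*s %*s %255[^\n]", perms, path) == 2
            && strchr(perms, 'x') != NULL) {
            char *tag = strstr(path, " (deleted)");
            if (tag != NULL) {
                *tag = '\0';
                int dup = 0;
                for (int i = 0; i < n; i++) if (strcmp(out[i], path) == 0) dup = 1;
                if (!dup && n < max) { strcpy(out[n], path); n++; }
            }
        }
        if (eol == NULL) break;
        line = eol + 1;
    }
    return n;
}

/* wrappers over the constructed sample, so the result can be checked by name */
int sample_stale_count(void) {
    char out[16][PATH_MAX_LEN];
    return stale_exec_libs(SAMPLE_MAPS, out, 16);
}
int sample_matches_expected(void) {
    char out[16][PATH_MAX_LEN];
    return stale_exec_libs(SAMPLE_MAPS, out, 16) == 2
        && strcmp(out[0], "/usr/lib64/libcrypto.so.1.0.1e") == 0
        && strcmp(out[1], "/usr/lib64/libssl.so.1.0.1e") == 0;
}

int main(void) {
    char stale[16][PATH_MAX_LEN];
    int n = stale_exec_libs(SAMPLE_MAPS, stale, 16);
    printf("%d executable mapping(s) backed by replaced files:\n", n);
    for (int i = 0; i < n; i++) printf("  %s\n", stale[i]);
    return 0;
}
```

Run against a real process by feeding it the contents of /proc/<pid>/maps; a non-empty result means the process is still running the pre-update library code, which is the window that in-place userspace patching is meant to remove.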
19. Transparent Data Encryption
    Always-on data encryption prevents loss of clear-text data
    • Encrypts tablespaces to secure data at rest
    • Built-in two-tier key management (a master key in a keystore wraps the per-tablespace data keys)
    • Requires no application changes
    • "Near zero" overhead with silicon encryption
    • Integrated with Oracle Database technologies
      – Log files, Compression, ASM, Data Pump
    • Protects data on disks, in backups, in exports and at off-site facilities
    [Diagram: clear-text data stored on disk only as ciphertext]

20. Oracle Key Vault
    Centralized on-premises key manager for the enterprise
    Manages encryption keys, Oracle Wallets, Java Keystores and credential files
    • Manages key creation, sharing, rotation and expiration
    • Integrated with Transparent Data Encryption
    • Can stop all access to cloud data if needed, because the keys never leave the customer's control
    • Audits all access to keys and all key lifecycle changes

21. Oracle Database Vault
    DBAs administer technology resources but cannot see application data
    Secure separation of duties
    • Restrict privileged users from accessing application data
    • Control database commands based on multiple factors
    • Analyze run-time use to discover redundant privileges and roles; reduce the attack surface
    • Monitor activity with Audit Vault
22. Mask and Subset Data – Part of Database Cloud Service
    Avoid exposing sensitive data to test, development and partners
    [Diagram: Data Masking transforms fields such as ssn: 423-55-3571 and dob: 12/01/1987; Data Subsetting selects by region, year or size]
    • Mask sensitive data with format libraries
    • Retain application integrity
    • Reduce risk exposure with condition-based subsetting
    • Mask/subset in Oracle Cloud with on-premises Enterprise Manager

23. Oracle Audit Vault
    Audit trails managed by the customer using an on-premises system
    Audit Vault logs database and network traffic for Oracle databases
    • Analyze audit and event data to raise alerts
    • Create out-of-the-box compliance reports
    • Detect breaches with trending and anomaly reports

24. Database Firewall
    Transparently block threats
    Transparently block threats including SQL injection attacks and unauthorized connections
    • Detect breaches with trending and anomaly reports

25. Summary: End-to-End Encryption
    Oracle manages the cloud technology – the customer controls access to the data
    [Diagram: ciphertext flowing between Oracle Cloud and the customer's on-premises systems]
    • Your data is encrypted in transit and at rest
    • Keys are managed by the customer with on-premises Key Vault
    • Customers monitor and audit data access via on-premises Audit Vault
26. Infrastructure as a Service

27. Oracle Infrastructure-as-a-Service
    Secure, reliable, low cost cloud infrastructure services
    • Storage: Elastic Storage
    • Compute: Elastic Compute
    • Network: Software-defined Network
    IaaS: General Purpose and Engineered Systems

28. Infrastructure as a Service: Compute Cloud Services
    Dedicated Compute – optimized for large enterprises
    • Completely dedicated compute zone per tenant
    • Predictable performance
    • Complete network isolation
    • Site-to-site VPN
    • 500, 1000, 1500 or 2000 cores
    Compute – optimized for departments and dev/test
    • Shared compute zone
    • Dedicated core capacity: 50 and 100 cores
    • Some isolation via resource management across tenants, but noisy neighbors can impact others
    Oracle Dedicated Compute at half the price of Amazon Shared Compute

29. Announcing: Oracle Private Cloud Machine for PaaS & IaaS
    A new engineered system
    [Diagram: IaaS – Compute, Storage; PaaS – Integration, Java, Mobile, Developer, Documents, Process, Identity, Messaging]
    Identical PaaS and IaaS software to Oracle Public Cloud
    • On-premises Oracle Cloud Platform, 100% compatible with Oracle Cloud
    • Addresses business or regulatory requirements, data control, or geographic preference
    • Easiest way to create compatible private and public cloud infrastructure

30. Private Cloud Machine for PaaS and IaaS
    100% compatible Oracle Private Cloud Machine and Oracle Public Cloud Service
    [Diagram: Private Cloud and Oracle Cloud coexistence and migration – same architecture, identical software, identical hardware (optional); transparently move workloads between on-premises and public cloud]

31. Hybrid Public Cloud / Private Cloud
    Compatibility and coexistence
    LIVE DATABASE MIGRATION DEMO
32. Management Cloud: Like Splunk… But in the Cloud
    Next generation cloud-based monitoring and analytics solution
    • Unified data platform stores all types of machine data, automatically correlated
    • Scalable data processing pipeline ingests and processes large data volumes at line speed
    • Real-time analysis and deep insights across technical and business events
    • Manages your on-premises systems and your cloud systems
    [Diagram: Application Performance Monitoring, Log Analytics and IT Analytics on top of a Unified Big Data Platform fed by a Data Pipeline]

33. Archive Storage Cloud Service
    Ideal for large data sets
    • On-demand capacity, scales to petabytes
    • Multiple redundant data copies for the highest availability
    • All data can be encrypted at rest for security
    • Automatic data integrity checks for durability
    • Industry standard RESTful APIs
    Archive: $0.001/GB/month – lowest cost per gigabyte in the industry

34. Announcing: Hierarchical Storage Manager
    Auto-tier to the cloud for huge cost savings
    [Diagram: tiers from Flash Storage to Disk Archive to Tape Archive to cloud Archive]
    • Auto-tiering of data from on-premises to Archive Storage Cloud for best resource utilization
      – Automatic data access as the business requires
      – OpenStack Swift-compliant
    • Set policies to tier data to the cloud based on access patterns, sizes and age of the data
    • Proven scalability greater than all competitors

35. Oracle Strategy: Offer the Same Technology On-Premises and in the Cloud
    Storage portfolio – on-premises and in the cloud
    • Oracle All Flash FS: block SAN storage for files and databases
    • Oracle ZFS: network attached storage for files and databases
    • Zero Data Loss Recovery Appliance: extreme data protection for Oracle Database
    • StorageTek Tape: lowest cost mass storage and archive

36. Zero Data Loss Recovery Appliance
    Completely automated backup and recovery
    • Eliminates data loss
      – Real-time redo transport
    • Minimal production impact
      – Sends changes, not full backups
    • Changes enable restore to any point in time
    • Starts small, scales out to petabytes
    A single rack is twice as fast as Data Domain's biggest backup appliance.

37. Engineered Systems Customer Momentum
    On-premises and in the cloud: Exadata, Private Cloud Machine, ZDLR Appliance…
    • 15,267 Engineered Systems shipped to customers (10,628 in October 2014)
    • 7,321 Exadata units shipped to customers (5,579 in October 2014)

38. 2015: A Year of Innovation in the Cloud
    • SaaS: World's first complete integrated set of enterprise cloud applications
    • PaaS: Easy migration of applications and databases to the public cloud
    • IaaS: Always-on security and fault-tolerant reliability at commodity prices