Copyright © 2016, Oracle and/or its affiliates. All rights reserved. |
Engineered Systems - the best way to secure your data
Michal Vítek
Sales Consulting Manager
Oracle Systems CEE
April 2016
Safe Harbor Statement
The following is intended to outline our general product direction. It is intended for
information purposes only, and may not be incorporated into any contract. It is not a
commitment to deliver any material, code, or functionality, and should not be relied upon
in making purchasing decisions. The development, release, and timing of any features or
functionality described for Oracle’s products remains at the sole discretion of Oracle.
The New Economics of Security
Global Crime Statistics in Perspective
Global cybercrime market: $288 billion. For comparison: stolen smart phones $30B; stolen vehicle market $56B; cocaine market $85B; stolen credit card market $114B.
Reported Intrusions Increased 1,121% in Nine Years by US Government Agencies
Information Security Attacks Are on the Rise
Security Incidents Reported to US Computer Emergency Readiness Team by US Federal Agencies (chart; incidents by fiscal year):
2006: 5,503 | 2007: 11,911 | 2008: 16,843 | 2009: 29,999 | 2010: 41,776 | 2011: 42,854 | 2012: 48,562 | 2013: 62,214 | 2014: 67,168
Source: GAO analysis of US Computer Emergency Readiness Team data for fiscal years 2006-2014, GAO-15-573T
Reported Security Incidents Worldwide
Increased 48% from 2013 to 2014
Source: Global State of Information Security Survey 2015
Poor Process Responsible for Majority of Security Incidents
74% of organizations take 3 months or more to patch systems
99.9% of 2014 exploits had patches available for more than one year
76% of intrusions are from lost, stolen, or weak credentials
Source: Verizon Data Breach Investigations Report, 2015; IOUG Data Security Survey, 2014
Hacking and Malware: Biggest Threats
(Chart: breach threat actions 2004-2013 by category: hacking, malware, social, physical; hacking shows a 16x increase over the period.)
Source: http://www.verizonenterprise.com/DBIR/2014/
Hacking: exploiting software weakness
Currently...
• Single EU Directive (Directive 95/46/EC) has not prevented fragmentation in the way Data Protection is implemented
• Outdated: not prepared for the Cloud, Big Data & Social
• Tough to be competitive in a market where compliance is not streamlined
EU General Data Protection Regulation
• Regulation/Law, not a Directive
• Immediate effect on 28 EU members after a 2 year transition period
• Does not require any enabling legislation to be passed by governments
• Extends the scope to all foreign companies processing data of EU residents
• Unifies Data Protection within the EU with a single law
EU General Data Protection Regulation
Aims
• Improve business opportunities by facilitating the free flow of personal data in the digital single market
• Enhance data protection rights of individuals
Key Points
• 204 page legal document that took 4 years to agree
• Applies to companies having > 250 staff
• Applies to EU citizen data inside or outside the EU
• Focus on personal data
• No reference to privacy in latest document (data protection instead)
• Rights for data-subjects
• Strict obligations for data-owners
• Strict obligations for data-processors
• Right to rectification
• Right to erasure (to be forgotten)
• Right to restriction of processing
• Right to data portability
• Right to object
• Right to not have decisions based on profiling
• ...
• Data protection by design and default
• Notification of a personal data breach to the supervisory authority
• Communication of a personal data breach to the data subject
EU General Data Protection Regulation
Need to be able to detect data-breach and respond within 72 hours
http://www.emeeting.europarl.europa.eu/committees/agenda/201512/LIBE/LIBE%282015%291217_1/sitt-1739884
Document: Miscellaneous - 3_consolidated_text- Consolidated text (outcome of the trilogue of 15/12/2015)
EU General Data Protection Regulation
Fine of up to 4% of global revenue
Why do you care?
Administrative Sanctions
€10M or 2%¹ / €20M or 4%¹, depending on the infringement:
- Doesn't provide requested information to a data subject, or fails to rectify or erase
- Fails to comply, or processes data without a legal basis
- Doesn't notify of a breach
¹ Total worldwide annual turnover
From Now On, Survival Depends on Security
Engineered Systems & Appliances Portfolio
• Database Appliance X5-2
• Exadata Database Machine X6-2, X6-8
• Exalogic Elastic Cloud X5-2
• SuperCluster T5-8 & M7
• Exalytics In-Memory Machine X5-4
• Big Data Appliance X6-2
• Private Cloud Appliance X5-2
• Zero Data Loss Recovery Appliance X6
Cybersecurity Building Blocks for Engineered Systems
Creative Commons Image Courtesy: Holger Zscheye @ Flickr
Engineered Systems Common Components
COMPUTE STORAGE NETWORK DATABASE
Oracle Security Focus Areas
Four focus areas (Secure Isolation; Access Control; Data Protection; Compliance, Monitoring and Auditing), each applied across the four common components: Compute, Storage, Network, Database.
Oracle Security Technologies
(Matrix of technologies by focus area and component)

Secure Isolation
  Compute: Physical; Electrical; Hypervisor-Mediated; Kernel-Mediated
  Storage: Physical; ASM Instances; ZFS Data Sets
  Network: Physical (Ethernet); Ethernet VLANs; InfiniBand Partitions & Limited Memberships
  Database: Multitenant; Instances; Schema; Labels

Access Control
  Compute: Solaris Role-based Access Control; Delegated LDOM & Zone Administration; Trusted Path Login
  Storage: ZFS and NFS ACLs; iSCSI Security; ASM and Database Scoped Security
  Network: IP Filter / iptables; Switch ACLs; Audit Vault and Database Firewall
  Database: Exadata Host-based Access Control; Roles and Privileges; Database Vault; Virtual Private DBs

Data Protection
  Compute: Immutable Zones; Delegated ZFS Administration; Oracle Key Manager; Silicon Secured Memory
  Storage: ZFS Encryption; LOFI Encryption; Oracle TDE; Oracle Key Manager
  Network: SSH; TLSv1.2; IPsec / IKE
  Database: Oracle TDE; Data Masking and Redaction; Oracle Key Manager

Compliance, Monitoring and Auditing
  Compute: Solaris & Linux Auditing; BART / AIDE; Compliance
  Storage: ZFS Logging; Exadata Storage Auditing; Compliance
  Network: IP Filter / iptables; Switch Logs; Compliance
  Database: Database Auditing; Audit Vault and Database Firewall; Compliance
Building the Layers
Securing every layer
Ogres are like onions. Onions have layers. Security is like an ogre. Security has layers too.
The Goal
Provide the illusion of a dedicated system per tenant
• Tenants must be unable to see or detect the other tenants
– No visibility of other tenants' processes running on the same system
– No visibility of network traffic; inability to snoop
– No visibility of other tenants' storage
– Inability to break out of their environment
• Service Provider must be unable to view or decipher tenant data
– Tenant data must be protected, not just from other tenants, but from the service provider as well
– There must be "some" trust between the service provider and the tenant, but the surfaces for potential data leakage need to be minimised
– The level of security at this level depends on the contract between the SP and the tenant
Encryption Everywhere
SPARC Differentiation
• The most secure way of transporting or storing data is to encrypt it
• In many environments, encryption creates performance overhead, which usually means that expensive out-of-band encrypt/decrypt devices within the network and within the storage framework are used
• This often means that data is only encrypted at the perimeters of the system, and unencrypted throughout
• SPARC processors contain hardware-based encryption and decryption, which allows data to be encrypted with almost no performance penalty
• The security model leverages this SPARC capability heavily
SuperCluster M7: Crypto Faster than x86 & Power8
IBM Power8 does NOT have AES-CFB hardware; CFB is required by Oracle Database
www.ibm.com/developerworks/ibmi/library/i-ibmi-7_2-and-ibm-power8 (fig 2)
AES-128-CBC (DB, Cloud, ...): IBM Power8 6 core 7.8 GB/s | x86 E5 v3 2.3 GHz 22.1 GB/s | SPARC M7 4.13 GHz 83.1 GB/s
SHA512 (SHA512-1024; banking, ...): IBM Power7+ 8 core 1.4 GB/s | x86 E5 v3 2.3 GHz AVX2 4.7 GB/s | SPARC M7 4.13 GHz 83.8 GB/s
Encryption Everywhere
SPARC Differentiation
• We can enable encryption of all data in motion
– All network traffic encrypted via SSL/IPsec
• We can enable encryption of all data at rest
– All filesystems encrypted, and all databases encrypted using Transparent Data Encryption
• All with minimal performance overhead due to the onboard encryption H/W
• But what about memory?
• We can't encrypt that
Security In Silicon: Silicon Secured Memory
M7 Processor
(Figure: application pointers "Y", "R" and "B" against memory; an access proceeds only where the pointer colour matches the memory colour)
• Protects data in memory
• Hidden "color" bits added to pointers (key) and content (lock)
• Pointer color (key) must match content color or program is aborted
• Set on memory allocation, changed on memory free
• Protects against access off end of structure, stale pointer access and malicious attacks
Silicon Secured Memory
Revolutionary Improvement in Memory Architecture
• Database In-Memory places terabytes of data in memory
– More vulnerable to corruption by bugs/attacks than storage
• SPARC M7 Application Data Integrity prevents malicious attacks, invalid/stale references, buffer overflows
– Buffer Overflow
– Freed or Stale Pointers (Silent Data Corruption)
• Enables applications to inspect faulting references, diagnose and take appropriate recovery actions
• Can be used in optimized production code and by using ADI-enabled libraries
• Oracle Studio 12.4 supports ADI: higher quality code and shorter development time
(Figure: buffer overflow leading to data corruption)
A Couple of Famous Examples: Heartbleed & Venom
Heartbleed: buffer over-read attack. Venom: buffer over-write attack.
Silicon Secured Memory completely neutralises these threats
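The colour-matching rule on the Silicon Secured Memory slides (pointer colour as the key, memory colour as the lock, set at allocation and changed at free) can be modelled in software to see exactly which accesses it catches. The following is an added example written for this page; it is not Oracle code and not how the M7 implements ADI. It assumes a 16-byte colour granule, a bump allocator with no reuse, and a 4-bit colour in the top bits of the pointer, and it checks colours in read()/write() rather than on every hardware load/store. It walks through the Heartbleed-style over-read and the stale-pointer case from the slides, and also shows the caveat that an overrun which stays inside the same allocation's rounding slack is not detected.

```python
# Added example: a small software model of the "lock and key" memory colouring
# that Silicon Secured Memory / SPARC M7 Application Data Integrity (ADI)
# performs in hardware. Assumptions of this model (not the real hardware):
# one colour per 16-byte granule, a bump allocator, 4-bit colours, and the
# check done in read()/write() instead of on every load/store.

TAG_SHIFT = 56        # colour ("key") lives in otherwise unused top pointer bits
GRANULE = 16          # bytes of memory covered by one colour ("lock")
NUM_COLOURS = 15      # colours 1..15 mark live allocations; 0 means "not allocated"


class ADIViolation(Exception):
    """Pointer colour did not match the memory it touched. On M7 this is a
    hardware trap; a program that does not handle it is aborted."""

    def __init__(self, offset: int) -> None:
        super().__init__(f"colour mismatch at byte offset {offset}")
        self.offset = offset


class TaggedMemory:
    def __init__(self, size: int) -> None:
        self.data = bytearray(size)
        self.tags = [0] * (size // GRANULE)   # one lock colour per granule
        self.brk = 0                          # bump-allocator high-water mark
        self.next_colour = 1

    @staticmethod
    def _split(ptr: int):
        """Separate a coloured pointer into (colour, byte address)."""
        return ptr >> TAG_SHIFT, ptr & ((1 << TAG_SHIFT) - 1)

    def malloc(self, nbytes: int) -> int:
        """Allocate nbytes rounded up to whole granules, colour them, and return
        a pointer whose key is that same colour."""
        size = -(-nbytes // GRANULE) * GRANULE
        base = self.brk
        if base + size > len(self.data):
            raise MemoryError("out of simulated memory")
        self.brk += size
        colour = self.next_colour
        # Rotate colours so neighbouring allocations never share one; a real
        # ADI-aware allocator has to guarantee the same property.
        self.next_colour = self.next_colour % NUM_COLOURS + 1
        for g in range(base // GRANULE, (base + size) // GRANULE):
            self.tags[g] = colour
        return (colour << TAG_SHIFT) | base

    def free(self, ptr: int) -> None:
        """Recolour the block to 0 so any stale copy of ptr stops matching."""
        colour, base = self._split(ptr)
        g = base // GRANULE
        while g < len(self.tags) and self.tags[g] == colour:
            self.tags[g] = 0
            g += 1

    def _check(self, ptr: int, nbytes: int) -> int:
        colour, base = self._split(ptr)
        for off in range(nbytes):
            if self.tags[(base + off) // GRANULE] != colour:
                raise ADIViolation(off)
        return base

    def read(self, ptr: int, nbytes: int) -> bytes:
        base = self._check(ptr, nbytes)
        return bytes(self.data[base:base + nbytes])

    def write(self, ptr: int, payload: bytes) -> None:
        base = self._check(ptr, len(payload))
        self.data[base:base + len(payload)] = payload


def over_read_demo() -> int:
    """Heartbleed-style over-read: a 16-byte request record sits next to a block
    holding a constructed secret; reading 64 bytes through the record pointer is
    stopped at the first byte of the neighbouring block. Returns that offset."""
    mem = TaggedMemory(1024)
    record = mem.malloc(16)
    secret = mem.malloc(32)
    mem.write(record, b"request:len=64  ")
    mem.write(secret, b"constructed-secret-key-material!")
    try:
        mem.read(record, 64)          # asks for far more than was allocated
    except ADIViolation as e:
        return e.offset
    return -1


def stale_pointer_demo() -> bool:
    """Use-after-free: free() clears the colour, so a stale copy of the pointer
    no longer matches. Returns True if the access was trapped."""
    mem = TaggedMemory(1024)
    p = mem.malloc(48)
    mem.write(p, b"x" * 48)
    stale = p
    mem.free(p)
    try:
        mem.read(stale, 8)
    except ADIViolation:
        return True
    return False


def padding_blind_spot_demo() -> bool:
    """Caveat: colouring is per granule, so an overrun that stays within the
    rounding slack of the same allocation is NOT detected. Returns True only if
    the overrun was trapped (it is not)."""
    mem = TaggedMemory(1024)
    p = mem.malloc(20)                # rounded up to 32 bytes, all one colour
    try:
        mem.write(p, b"y" * 32)       # 12 bytes past the requested size
    except ADIViolation:
        return True
    return False


if __name__ == "__main__":
    print("over-read trapped at offset", over_read_demo())
    print("stale pointer trapped:", stale_pointer_demo())
    print("overrun into padding trapped:", padding_blind_spot_demo())
```

The last demo is the practical point for defenders: colouring stops an access as soon as it crosses into memory of a different colour, so the over-read into the neighbour and the stale pointer are both trapped, but an overflow that stays inside the slack of its own allocation is invisible to it, which is why the slides pair the hardware check with conventional hardening rather than replacing it.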
Encryption Everywhere (except in memory)
SPARC Differentiation
• We can enable encryption of all data in motion
– All network traffic encrypted via SSL/IPsec
• We can enable encryption of all data at rest
– All filesystems encrypted, and all databases encrypted using Transparent Data Encryption
• All with minimal performance overhead due to the onboard encryption H/W
• Memory secured using Silicon Secured Memory
Securing Compute
Solaris Zones
• Each tenant usually runs in 4 or more Zones (2 in the Application Domains, and 2 in the DB Domains)
• The Zones themselves provide complete security isolation and resource management from other zones on the domain, and from the global zone itself
• RBAC (Role Based Access Control) configured so the tenant never actually gets full "root" privileges
• Optionally, Immutable Zones can be used
• Solaris Auditing configured, and logs stored remotely
Securing Storage
Exadata Storage Cells, and ZFS
• Zonepaths for booting the Zones encrypted
• NFS filesystems mounted from the Zones accessible only via a unique IB partition
• ASM and DB Scoped Security enabled so that the tenant DB Zones can only see their own grid disks
• TDE (Transparent Data Encryption) used to encrypt all DB data; makes use of hardware-based cryptographic acceleration
Securing Network
Client Access, Internal IB, Management
• Each Zone configured with a dedicated IP stack, and each tenant on a different VLAN
• Dedicated IB partition for tenant Zone-to-Zone communication
• Outbound traffic all configured with SSL
• IPsec configured for all traffic on the common Exadata Storage Cell partition
• IPfilter to limit outbound communication on the Management network and the connection to the ZFS Appliance (RBAC stops the tenant from changing it)
• IPfilter logging enabled to detect attempts to get around these limits
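The last bullet relies on IP Filter logging to reveal a tenant zone trying to reach the management network it has been fenced off from. As an added example (not from the deck and not Oracle's code), here is a small detector over ipmon-style log lines. The log lines and the 10.10.0.0/24 management subnet are constructed for the example, and the line layout assumed is ipmon's text format (date, time, interface, @group:rule, action letter, src,port -> dst,port, "PR proto len hlen tlen", optional TCP flags, direction), so adjust the regular expression if your ipmon output differs. It counts blocked outbound packets per source toward management addresses and alerts on a source that exceeds a threshold.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Assumed ipmon text layout (constructed assumption; adjust to your output):
# dd/mm/yyyy hh:mm:ss.usec iface @group:rule action src,sport -> dst,dport
#     PR proto len hlen tlen [tcp-flags] IN|OUT
IPMON_RE = re.compile(
    r"""^(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{2}:\d{2}:\d{2}\.\d+)\s+
        (?P<iface>\S+)\s+@(?P<group>\d+):(?P<rule>\d+)\s+
        (?P<action>[a-zA-Z])\s+                     # b = blocked, p = passed
        (?P<src>[\d.]+),(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+),(?P<dport>\d+)\s+
        PR\s+(?P<proto>\S+)\s+len\s+(?P<hlen>\d+)\s+(?P<tlen>\d+)
        (?:\s+(?P<flags>-\S+))?\s+(?P<dir>IN|OUT)\s*$""",
    re.VERBOSE,
)

# Constructed sample: a tenant application zone (192.0.2.21) repeatedly hits
# rule 7, which blocks egress to the management subnet; one passed line and
# one inbound block are included so the filter has something to ignore.
SAMPLE_LOG = """\
20/04/2016 10:15:02.114201 net1 @0:7 b 192.0.2.21,50112 -> 10.10.0.5,22 PR tcp len 20 60 -S OUT
20/04/2016 10:15:03.220934 net1 @0:7 b 192.0.2.21,50113 -> 10.10.0.5,22 PR tcp len 20 60 -S OUT
20/04/2016 10:15:03.980211 net1 @0:7 b 192.0.2.21,50114 -> 10.10.0.9,443 PR tcp len 20 60 -S OUT
20/04/2016 10:15:05.001002 net1 @0:7 b 192.0.2.21,50115 -> 10.10.0.40,2049 PR tcp len 20 60 -S OUT
20/04/2016 10:15:06.300000 net1 @0:2 p 192.0.2.21,40001 -> 203.0.113.8,443 PR tcp len 20 60 -S OUT
20/04/2016 10:16:10.100000 net1 @0:7 b 192.0.2.33,51000 -> 10.10.0.40,2049 PR tcp len 20 60 -S OUT
20/04/2016 10:16:11.100000 net0 @0:4 b 198.51.100.7,3389 -> 192.0.2.21,3389 PR tcp len 20 60 -S IN
"""

MANAGEMENT_NETS = ["10.10.0.0/24"]   # constructed; the ZFS appliance is assumed at 10.10.0.40


def parse_ipmon(text: str) -> list:
    """Parse ipmon lines into dicts; lines that do not match the layout are skipped."""
    events = []
    for line in text.splitlines():
        m = IPMON_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["when"] = datetime.strptime(f'{ev["date"]} {ev["time"]}', "%d/%m/%Y %H:%M:%S.%f")
        ev["sport"], ev["dport"] = int(ev["sport"]), int(ev["dport"])
        events.append(ev)
    return events


def summarise_blocked_egress(events: list, mgmt_nets: list) -> dict:
    """Per source address, count blocked (action 'b') OUT packets whose
    destination lies inside one of the management networks."""
    nets = [ipaddress.ip_network(n) for n in mgmt_nets]
    counts = defaultdict(lambda: {"packets": 0, "destinations": set()})
    for ev in events:
        if ev["action"] != "b" or ev["dir"] != "OUT":
            continue
        dst = ipaddress.ip_address(ev["dst"])
        if any(dst in n for n in nets):
            entry = counts[ev["src"]]
            entry["packets"] += 1
            entry["destinations"].add(f'{ev["dst"]}:{ev["dport"]}')
    return dict(counts)


def alerts(events: list, mgmt_nets: list, threshold: int = 3) -> list:
    """Sources with at least `threshold` blocked management-bound packets."""
    summary = summarise_blocked_egress(events, mgmt_nets)
    return sorted(src for src, c in summary.items() if c["packets"] >= threshold)


if __name__ == "__main__":
    evs = parse_ipmon(SAMPLE_LOG)
    for src, c in summarise_blocked_egress(evs, MANAGEMENT_NETS).items():
        print(src, c["packets"], "blocked, targets:", sorted(c["destinations"]))
    print("alert:", alerts(evs, MANAGEMENT_NETS))
```

Because RBAC keeps the tenant from editing the filter rules, a blocked line on the management-bound rule is already a policy violation rather than noise; the threshold only separates a one-off misconfiguration from a zone that is walking the management subnet, and the per-destination set shows which services were being tried.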
Securing Database
Oracle 12c Security Features
• Database access is essentially protected by all of the aforementioned techniques, but adding another layer provides even more protection: not necessarily from other tenants, but to limit access to legitimate users
• Roles and Privileges to control who can see what (especially important when DB instances are being managed by the Service Provider)
• Data Redaction fits seamlessly into the above
• Database Vault, Audit Vault and Database Firewall all add even more defenses
Implementing
Putting it all together
Multitenant Cloud Architecture – Principles of Design
• Metering, Limiting and Charging
• Tenant Self Provisioning
• Resource Management
• Role Based Access
• Workload Isolation
Multi-Tenant Consolidation
Tenant Viewpoint
Secure Configuration Steps
• Implement Multiple Service Workload Recommendations
• Enhance Operating System Security
– Restrict Tenant Access to Solaris Zones
– Implement Tenant Administrator Role
– Implement Immutable Firewall Policy
– Implement Immutable Auditing Policy
• Enhance Network Security
– Implement IPsec/IKE for RAC Interconnect with Tenant Specific Keys
– Implement IP Filter on Application Zones
– Restrict Tenant Access to SuperCluster Management Network and Services
(Diagram: Client Access Network (SSL, SSH) -> Oracle WebLogic Cluster in tenant-specific immutable zones on tenant-specific VLANs -> IPoIB/SDP over a tenant-specific InfiniBand network partition (tenant-specific internal communications) -> Oracle Database Cluster (RAC) in tenant-specific immutable zones -> RDSv3 over the Exadata storage partition of the InfiniBand network to the Oracle Exadata Storage Servers holding the tenant-specific disk group(s); NFS and iSCSI to the Oracle Sun ZFS Storage Appliance for tenant-specific NAS storage (ZFS volumes/data sets) of binaries, configurations, backups and logs.)
Multi-Tenant Environment on SuperCluster
(The same technology matrix as on the "Oracle Security Technologies" slide above, shown here for the SuperCluster multi-tenant environment.)
Reference: Secure Multi-tenancy on Oracle SuperCluster: A Technical Deployment Cookbook
Secure Multi-tenancy On SuperCluster
(Diagram: separate per-customer stacks for Customer (A), Customer (C), Customer (D), Customer (D) and Customer (E), each with its own Application, Database, OS, Compute, Network, Storage and Mgmt layers.)
Monitoring the Security and Compliance
• Secure system spanning both application and database tiers
• M7 Application Data Integrity memory protection (Software in Silicon)
• Built-in compliance report automation
• Restricted management console access
• Pervasive near-zero-overhead encryption
• Anti-malware protection
• Comprehensive administrative action audit trail
Summary
Oracle provides a complete and integrated solution
• Security is underpinned by enabling encryption for all data in motion and at rest
• The only place where data is NOT encrypted (memory) is protected by Silicon Secured Memory
• Fully integrated and layered security model covering compute, storage, networking and database
• Supported by a robust compliance and auditing framework, so that attempted breaches can be identified and defended against
• It's all about the layers!
Engineered Systems Security Summary
✓ Complete   ✓ Tested   ✓ Integrated   ✓ Trusted
Backup slides
Creative Commons Image Courtesy: Holger Zscheye @ Flickr
Engineered Systems Security Focus Areas
Secure Isolation; Access Control; Data Protection; Monitoring and Auditing, each applied across Compute, Storage, Network and Database.
Secure Workload Isolation
(Diagram of isolation models:)
• Physical Isolation: Domain 1 with a database on SPARC T5-8 Server 1, and another Domain 1 with a database on SPARC T5-8 Server 2
• Zones Isolation: Domain 1 on one SPARC T5-8 server with Zones A, B, C and D, one database per zone
• POSIX Isolation: Domain 1 on one SPARC T5-8 server with several databases sharing the same OS instance
• Hypervisor Isolation: Domain 1 and Domain 2, each with a database, separated by the hypervisor on one SPARC T5-8 server
• Electrical Isolation: Domain 1 and Domain 2, each with a database, on electrically separate parts of a SPARC M6-32 server
Secure Database Isolation
(Diagram of database isolation models, each within Domain 1 on one server:)
• Instance Isolation: several separate databases
• Container Isolation: one container database holding several pluggable databases
• Schema Isolation: one database holding several schemas
• Label Isolation: one database and one schema, separated by labels
Secure (Ethernet) Network Isolation
(Diagram: one SPARC T5-8 server with Domain 1 (Zone A with Database A-1, Zone B with Database B-1) and Domain 2 (Zone C with Database C-1). Layer 2 VNIC and VLAN isolation: Zone A uses IPMP group A-1 over VLAN A-1-0 and VLAN A-1-1 on VLAN A; Zone B uses IPMP group B-1 over VNIC B-1-0 and VNIC B-1-1 on net0/net1 (Network B); Zone C sits on VLAN C. Adding cryptographic isolation: Client C-1 reaches Database C-1 over IPsec / SSL across the Client Access Network; Clients A-1 and B-1 reach their databases across the same Client Access Network.)
Secure (InfiniBand) Network Isolation
(Diagram: Oracle VM Server for SPARC hosts a Database Domain with Oracle Solaris 11 Zone A running Oracle Database 11g Release 2 instances A-1 and A-2, and an Application Domain with Zone C (instance C-1) and Zone D (instance D-1). InfiniBand partition 0xFFFF, protocol RDSv3, connects Zone A to ASM Disk Group A on the Oracle Exadata Storage Servers; InfiniBand partition 0x8503, protocol NFS / IPoIB, connects Zones C and D to ZFS Data Sets C-1 and D-1 on the Sun ZFS Storage Appliance.)
End to End Access Control
• Compute: Strong Authentication; Role-based Access Control; Privileged User Access Control
• Storage: ASM Security; NFS Access Controls; iSCSI Access Controls
• Network: Boundary Hardening; Network Partitioning; Packet Filtering
• Database: Strong Authentication; Role-based Access Control; Privileged User Access Control
End to End Data Protection
(Diagram: Client A-1 connects over SSL (SSL Certificate A-1) across the Client Access Network to Oracle Database A-1 in Zone A of the Database Domain, which uses SPARC T5 hardware-assisted cryptography through the Oracle Solaris Cryptographic Framework; the TDE Master Key A-1 is held in an Oracle PKCS#11 Wallet (Oracle Solaris PKCS#11 Softtoken). Across the InfiniBand Network Partition, RDSv3 carries data to ASM Disk Group A-1 on the Oracle Exadata Storage Servers (Intel AES-NI hardware-assisted cryptography) as encrypted tablespaces, and NFSv4 carries encrypted backups and export files to ZFS Data Sets A-1 on the Sun ZFS Storage Appliance.)
Secured Architectures on Engineered Systems
Creative Commons Image Courtesy: Guillermo @ Flickr
Single Service Workload
Oracle Exadata Database Machine Example
Sample Secure Configuration Steps
• Implement Exadata Hardening
• Apply Security Updates
• Enhance Operating System Security
– Site-Specific Security Hardening
– Authentication and Access Policies
– System Auditing Policy
• Enhance Database Security
– Site-Specific Security Hardening
– Enable Encrypted Communications
– Configure Transparent Data Encryption
– Configure Database Vault
• Enhance Management Security
– Change Default Passwords
– Site-Specific Hardening
– Replace Self-Signed Certificates
(Diagram: two Sun X4-2 servers running Oracle Linux 5, each with Oracle Database 11g Release 2 and ASM, forming a RAC cluster and an ASM cluster; clients reach them over SSL across the Client Access Network; RDSv3 over the InfiniBand Network links them to the Oracle Exadata Storage Servers holding Disk Group A and Disk Group B, each with several tablespaces.)
Single Service Tier Consolidation
Oracle Exadata Database Machine Example
Sample Secure Configuration Steps
• Implement Single Service Workload Recommendations
• Enhance Operating System Security
– Implement Database-specific Users/Roles
– Implement POSIX Isolation of Instances
– Implement Resource Controls
• Enhance Storage Security
– Implement Exadata Security
– Implement Resource Controls
(Diagram: two Sun X4-2 servers running Oracle Linux 5 host three Oracle Database 11g Release 2 instances with ASM; clients connect over SSL across the Client Access Network; RDSv3 over the InfiniBand Network links the ASM cluster to three disk groups and their tablespaces on the Oracle Exadata Storage Servers.)
Multiple Service Tier Consolidation
Oracle SuperCluster Example – Secure Isolation View
(Diagram: Client Access Network (SSL/TLS, 10GbE) -> Oracle Traffic Director Cluster (Oracle Traffic Director 11g in OTD zones) -> Web Tier Network (IPoIB/SDP InfiniBand network partition) -> Oracle WebLogic Server Cluster (Oracle WebLogic Server 12c in WLS Zone 1 and WLS Zone 2) -> Database Tier Network (IPoIB/SDP InfiniBand network partition) -> Oracle Database Cluster (Oracle Database 11g Release 2 in DB Zone 1 and DB Zone 2) -> Exadata Tier Network (RDSv3 InfiniBand network partition). Physical Server 1 hosts Application Domain 1 and Database Domain 1; Physical Server 2 hosts Application Domain 2 and Database Domain 2.)
Multiple Service Tier Consolidation
Oracle SuperCluster Example – Data Protection View
(Diagram: clients reach Zone A (Oracle Traffic Director 11g) over SSL from the Client Access Network; Zone A and Zone B (Oracle WebLogic Server 12c) in the Application Domain use the Oracle Solaris Cryptographic Framework and speak SSL to Zone C (Oracle Database 11g Release 2) in the Database Domain over InfiniBand Network Partition #1. The database uses SPARC T5 hardware-assisted cryptography, with its SSL Certificate and TDE Master Key held in an Oracle PKCS#11 Wallet (Oracle Solaris PKCS#11 Softtoken). RDSv3 over InfiniBand Network Partition #2 carries encrypted tablespaces to the ASM Disk Groups on the Oracle Exadata Storage Servers (Intel AES-NI hardware-assisted cryptography); iSCSI and NFS over InfiniBand Network Partition #3 carry binaries, configurations and backups to encrypted ZFS volumes/data sets on the Sun ZFS Storage Appliance.)
Multiple Service Tier Consolidation
Additional Security Controls and Technologies
• Compute: Oracle VM Server for SPARC; Solaris Non-Global and Immutable Zones; Solaris RBAC and Fine-Grained Privileges
• Storage: Encrypted ZFS Data Sets and Volumes; iSCSI Authentication; iSCSI and NFS Access Controls
• Network: Full and Limited Membership InfiniBand Partitions; Solaris IP Filter and IPsec/IKE
Multiple Tenant Consolidation
Oracle SuperCluster Example – Tenant Viewpoint
(Repeats the configuration steps and diagram of the "Multi-Tenant Consolidation – Tenant Viewpoint" slide above.)
Multiple Tenant Consolidation
Oracle SuperCluster Example – Provider Viewpoint
(Diagram: one SPARC T5-8 server with an Application Domain (Tenant A Zone 1 and Tenant B Zone 1, each running an application) and a Database Domain (Tenant A Zone 2 and Tenant B Zone 2, each running an Oracle Database). Tenant A and Tenant B reach their applications over HTTPS from the Client Access Network on VLAN A and VLAN B respectively. A Tenant A network partition and a Tenant B network partition on the InfiniBand Network carry RDSv3 to each tenant's own disk groups on the Exadata Storage Servers, and NFSv4 / iSCSI to each tenant's application and database storage on the Sun ZFS Storage Appliance.)
Engineered Systems Security Capability Summary
(Matrix of capabilities by focus area and component)

Secure Isolation
  Compute: Physical; Electrical; Hypervisor-Mediated; Kernel-Mediated
  Storage: Physical; ASM Instances; ZFS Data Sets
  Network: Physical (Ethernet); Ethernet VLANs; InfiniBand Partitions
  Database: Multitenant; Instances; Schema; Labels

Access Control
  Compute: RBAC / Privileges; LDOM Administration; Zone Administration
  Storage: ZFS ACLs; Exadata Security; NFS Security
  Network: IP Filter / iptables; Switch ACLs; Audit Vault and Database Firewall
  Database: Roles and Privileges; Real Application Security; Database Vault

Data Protection
  Compute: Immutable Zones; Read-Only Mounts; ZFS Administration
  Storage: ZFS Encryption; LOFI Encryption; TDE
  Network: SSH; SSL / TLS; IPsec / IKE
  Database: Virtual Private DB; Data Masking; Redaction

Monitoring and Auditing
  Compute: Solaris Auditing; Linux Auditing; BART / AIDE
  Storage: ZFS Storage Appliance Logs; Exadata Storage Auditing
  Network: IP Filter / iptables; Switch Logs
  Database: Database Auditing; Audit Vault and Database Firewall
Engineered Systems - nejlepší cesta, jak zabezpečit váš dataAccelerate Cloud

  • 1.
  • 2. Copyright © 2016, Oracle and/or its affiliates. All rights reserved. | Engineered Systems - nejlepší cesta jak zabezpečit Vaše dataAccelerate Cloud Michal Vítek Sales Consulting Manager Oracle Systems CEE April 2016
  • 3. Copyright © 2015, Oracle and/or its affiliates. All rights reserved. | Safe Harbor Statement The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle. 3
  • 4. Copyright © 2015, Oracle and/or its affiliates. All rights reserved. | The New Economics of Security Global Crime Statistics in Perspective 4 $288BILLIONGLOBAL CYBERCRIME MARKET $30B STOLEN SMART PHONES $56B STOLEN VEHICLE MARKET $85B COCAINE MARKET $114B STOLEN CREDIT CARD MARKET
  • 5. Copyright © 2015, Oracle and/or its affiliates. All rights reserved. | Reported Intrusions Increased 1,121% in Nine Years by US Government Agencies Information Security Attacks Are on the Rise 5 0 10,000 20,000 30,000 40,000 50,000 60,000 70,000 2006 2007 2008 2009 2010 2011 2012 2013 2014 Security Incidents Reported to US Computer Emergency Readiness Team by US Federal Agencies Source: GAO analysis of US Computer Emergency Readiness Team data for fiscal years 2006-2014, GAO-15-573T 5,503 11,911 16,843 29,999 41,776 42,854 48,562 62,214 67,168 Reported Security Incidents Worldwide Increased 48% from 2013 to 2014 Source: Global State of Information Security Survey 2015
  • 6. Poor Process Responsible for Majority of Security Incidents
    – 74% of organizations take 3 months or more to patch systems
    – 99.9% of 2014 exploits had patches available for more than one year
    – 76% of intrusions are from lost, stolen, or weak credentials
    Source: Verizon Data Breach Investigations Report, 2015; IOUG Data Security Survey, 2014
  • 7. Hacking and Malware: Biggest Threats. (Chart of breach actions from 2004 to 2013 by category: hacking, malware, social, physical; the chart marks a 16x increase over the period.) Hacking: exploiting software weakness. Source: http://www.verizonenterprise.com/DBIR/2014/
  • 8. Currently... The single EU Directive (Directive 95/46/EC) has not prevented fragmentation in the way data protection is implemented. It is outdated: not prepared for the cloud, big data and social media. It is tough to be competitive in a market where compliance is not streamlined.
  • 9. EU General Data Protection Regulation
    – A Regulation (law), not a Directive
    – Immediate effect in all 28 EU member states after a 2-year transition period
    – Does not require any enabling legislation to be passed by national governments
    – Extends the scope to all foreign companies processing data of EU residents
    – Unifies data protection within the EU under a single law
  • 10. EU General Data Protection Regulation: Aims
    – Improve business opportunities by facilitating the free flow of personal data in the digital single market
    – Enhance the data protection rights of individuals
  • 11. Key Points
    – 204-page legal document that took 4 years to agree
    – Applies to companies having > 250 staff (note: in the adopted text the 250-employee threshold only relaxes the Article 30 record-keeping duty; the Regulation itself applies regardless of company size)
    – Applies to EU citizen data inside or outside the EU
    – Focus on personal data; no reference to privacy in the latest document (data protection instead)
    – Rights for data subjects; strict obligations for data owners (controllers) and for data processors
    – Rights: rectification; erasure (to be forgotten); restriction of processing; data portability; objection; not to be subject to decisions based on profiling; ...
    – Obligations: data protection by design and by default; notification of a personal data breach to the supervisory authority; communication of a personal data breach to the data subject
  • 12. EU General Data Protection Regulation: you need to be able to detect a data breach and respond within 72 hours. Source: http://www.emeeting.europarl.europa.eu/committees/agenda/201512/LIBE/LIBE%282015%291217_1/sitt-1739884 (Document: Miscellaneous - 3_consolidated_text - Consolidated text, outcome of the trilogue of 15/12/2015)
  • 13. EU General Data Protection Regulation: fines of up to 4% of global revenue (same source as slide 12).
  • 14. Why do you care? Administrative sanctions (percentages are of total worldwide annual turnover; the higher of the two amounts applies):
    – Up to €10M or 2%: e.g. failing to notify of a breach
    – Up to €20M or 4%: e.g. failing to provide requested information to a data subject or to rectify or erase; failing to comply with, or processing data outside, a legal basis
  • 15. From Now On, Survival Depends on Security
  • 16. Engineered Systems & Appliances Portfolio: Database Appliance X5-2; Exadata Database Machine X6-2 and X6-8; Exalogic Elastic Cloud X5-2; SuperCluster T5-8 & M7; Exalytics In-Memory Machine X5-4; Big Data Appliance X6-2; Private Cloud Appliance X5-2; Zero Data Loss Recovery Appliance X6
  • 17. Cybersecurity Building Blocks for Engineered Systems (Creative Commons image courtesy: Holger Zscheye @ Flickr)
  • 18. Engineered Systems Common Components: Compute, Storage, Network, Database
  • 19. Oracle Security Focus Areas, applied to each component (Compute, Storage, Network, Database): Secure Isolation; Access Control; Data Protection; Compliance, Monitoring and Auditing
  • 20. Oracle Security Technologies, by focus area and layer
    Secure Isolation
      Compute: Physical; Electrical; Hypervisor-Mediated; Kernel-Mediated
      Storage: Physical; ASM Instances; ZFS Data Sets
      Network: Physical (Ethernet); Ethernet VLANs; InfiniBand Partitions & Limited Memberships
      Database: Multitenant; Instances; Schema; Labels
    Access Control
      Compute: Solaris Role-based Access Control; Delegated LDOM & Zone Administration; Trusted Path Login
      Storage: ZFS and NFS ACLs; iSCSI Security; ASM and Database Scoped Security
      Network: IP Filter / iptables; Switch ACLs; Audit Vault and Database Firewall
      Database: Exadata Host-based Access Control; Roles and Privileges; Database Vault; Virtual Private DBs
    Data Protection
      Compute: Immutable Zones; Delegated ZFS Administration; Oracle Key Manager; Silicon Secured Memory
      Storage: ZFS Encryption; LOFI Encryption; Oracle TDE; Oracle Key Manager
      Network: SSH; TLSv1.2; IPsec / IKE
      Database: Oracle TDE; Data Masking and Redaction; Oracle Key Manager
    Compliance, Monitoring and Auditing
      Compute: Solaris & Linux Auditing; BART / AIDE; Compliance
      Storage: ZFS Logging; Exadata Storage Auditing; Compliance
      Network: IP Filter / iptables; Switch Logs; Compliance
      Database: Database Auditing; Audit Vault and Database Firewall; Compliance
  • 21. Building the Layers: securing every layer
  • 22. "Ogres are like onions. Onions have layers." Security is like an ogre: security has layers too.
  • 23. The Goal: provide the illusion of a dedicated system per tenant
    – Tenants must be unable to see or detect the other tenants: no visibility of other tenants' processes running on the same system; no visibility of network traffic (inability to snoop); no visibility of other tenants' storage; inability to break out of their environment
    – The service provider must be unable to view or decipher tenant data: tenant data must be protected not just from other tenants but from the service provider as well; there must be some trust between the service provider and the tenant, but the surfaces for potential data leakage need to be minimised; the level of security at this layer depends on the contract between the SP and the tenant
  • 24. Encryption Everywhere (SPARC differentiation)
    – The most secure way of transporting or storing data is to encrypt it
    – In many environments encryption creates performance overhead, which usually means that expensive out-of-band encrypt/decrypt devices are used within the network and within the storage framework
    – This often means that data is only encrypted at the perimeters of the system and is unencrypted throughout the rest of it
    – SPARC processors contain hardware-based encryption and decryption, which allows data to be encrypted with almost no performance penalty
    – The security model leverages this SPARC capability heavily
  • 25. SuperCluster M7: crypto faster than x86 & Power8 (vendor figures as given on the slide)
    – AES-128-CBC (database, cloud, ...): IBM Power8 (6-core) 7.8 GB/s; x86 E5 v3 2.3 GHz 22.1 GB/s; SPARC M7 4.13 GHz 83.1 GB/s
    – SHA512-1024 (banking, ...): IBM Power7+ (8-core) 1.4 GB/s; x86 E5 v3 2.3 GHz with AVX2 4.7 GB/s; SPARC M7 4.13 GHz 83.8 GB/s
    – IBM Power8 does not have AES-CFB hardware; CFB mode is required by Oracle Database (www.ibm.com/developerworks/ibmi/library/i-ibmi-7_2-and-ibm-power8, fig. 2)
  • 26. Encryption Everywhere (SPARC differentiation)
    – We can enable encryption of all data in motion: all network traffic encrypted via TLS/IPsec
    – We can enable encryption of all data at rest: all filesystems encrypted, and all databases encrypted using Transparent Data Encryption
    – All with minimal performance overhead due to the onboard encryption hardware
    – But what about memory? We can't encrypt that
  • 27. Security in Silicon: Silicon Secured Memory (M7 processor). (Figure: application memory in colours, with pointers "Y", "R" and "B" allowed through only where their colour matches the memory they point at.)
    – Protects data in memory
    – Hidden "colour" bits are added to pointers (the key) and to memory content (the lock)
    – The pointer colour (key) must match the content colour (lock) or the program is aborted
    – Colours are set on memory allocation and changed on memory free
    – Protects against access off the end of a structure, stale-pointer access and malicious attacks
  • 28. Silicon Secured Memory: revolutionary improvement in memory architecture
    – Database In-Memory places terabytes of data in memory, which is more vulnerable to corruption by bugs/attacks than storage
    – SPARC M7 Application Data Integrity (ADI) prevents malicious attacks, invalid/stale references and buffer overflows: buffer overflow; freed or stale pointers (silent data corruption)
    – Enables applications to inspect faulting references, diagnose and take appropriate recovery actions
    – Can be used in optimized production code and by using ADI-enabled libraries
    – Oracle Solaris Studio 12.4 supports ADI: higher quality code and shorter development time
  • 29. A couple of famous examples: Heartbleed (buffer over-read attack) and VENOM (buffer over-write attack). The slide claims that Silicon Secured Memory completely neutralises these threats. More precisely, ADI traps an access as soon as it touches memory whose version tag differs from the pointer's, which catches a read or write that runs past the end of an allocation into a neighbouring one, and any use of a freed (re-tagged) block. The check is per 64-byte granule, so an over-read that stays inside the buffer's own last granule is not detected, and the protection applies only to memory managed by ADI-enabled allocators and libraries.
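Slides 27 to 29 describe Silicon Secured Memory as a key/lock match between the colour carried in a pointer and the colour stamped on the memory it addresses, and offer Heartbleed (over-read) and stale or freed pointers as the bug classes it stops. The following C program is an added illustration, not Oracle code and not the SPARC ADI hardware: it models the mechanism in software with a toy 1 KiB arena, 64-byte granules, a 4-bit version in the top address bits and a checked copy routine standing in for the MMU, and walks through a Heartbleed-style over-read that crosses into a neighbouring allocation, a stale pointer after free, and the case the hardware cannot see, an over-read that stays inside the buffer's own 64-byte granule. The arena size, the 13-version cycle and the sample buffers are constructed for the demo; on real hardware a mismatch raises a trap instead of returning -1.

```c
/*
 * Toy software model of SPARC M7 Application Data Integrity (ADI), the
 * mechanism behind "Silicon Secured Memory". Added illustration, not Oracle
 * code: real ADI keeps a 4-bit version per 64-byte granule in memory, the
 * matching version in address bits 63:60 of every pointer, and the MMU
 * traps on mismatch. Here the "MMU" is adi_check() and a mismatch is
 * counted instead of raising SIGSEGV. Arena size, the 13-version cycle and
 * the sample buffers are constructed for the demo.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GRANULE        64                      /* ADI checks per 64-byte granule */
#define NGRANULES      16                      /* toy heap: 16 granules = 1 KiB */
#define ARENA_BYTES    (GRANULE * NGRANULES)
#define VERSION_SHIFT  60                      /* version lives in the top nibble */
#define VERSION_MASK   0xFULL
#define NVERSIONS      13                      /* assumption: cycle versions 1..13, 0 = unchecked */

typedef uint64_t tagged_ptr;                   /* (version << 60) | offset into arena */

static uint8_t  arena[ARENA_BYTES];            /* the bytes themselves */
static unsigned lock[NGRANULES];               /* per-granule "lock" colour, 0 = unchecked */
static size_t   bump;                          /* bump-allocator cursor */
static unsigned next_version;                  /* next "key" colour to hand out */
static int      faults;                        /* mismatches the "MMU" reported */

static unsigned key_of(tagged_ptr p)    { return (unsigned)((p >> VERSION_SHIFT) & VERSION_MASK); }
static size_t   offset_of(tagged_ptr p) { return (size_t)(p & ((1ULL << VERSION_SHIFT) - 1)); }
static size_t   granules_for(size_t n)  { return (n + GRANULE - 1) / GRANULE; }

void adi_reset(void)
{
    memset(arena, 0, sizeof arena);
    memset(lock, 0, sizeof lock);
    bump = 0; next_version = 1; faults = 0;
}

/* Allocate n bytes (rounded up to whole granules), colour those granules with a
 * fresh version and return a pointer carrying that version as its key. */
tagged_ptr adi_malloc(size_t n)
{
    size_t g = granules_for(n), start = bump;
    if (n == 0 || start + g * GRANULE > ARENA_BYTES) return 0;
    unsigned v = next_version;
    next_version = next_version % NVERSIONS + 1;
    for (size_t i = 0; i < g; i++) lock[start / GRANULE + i] = v;
    bump += g * GRANULE;
    return ((tagged_ptr)v << VERSION_SHIFT) | start;
}

/* Free: re-colour the granules, so any stale copy of p no longer matches. */
void adi_free(tagged_ptr p, size_t n)
{
    unsigned stale = key_of(p), fresh = stale % NVERSIONS + 1;   /* always != stale */
    for (size_t i = 0; i < granules_for(n); i++) lock[offset_of(p) / GRANULE + i] = fresh;
}

/* The "MMU": every granule touched by [p, p+len) must carry the pointer's key
 * (or be unchecked, version 0). Returns 0 on match, -1 and a counted fault on mismatch. */
static int adi_check(tagged_ptr p, size_t len)
{
    size_t off = offset_of(p);
    if (len == 0) return 0;
    if (off + len > ARENA_BYTES) { faults++; return -1; }       /* off the end of the arena */
    for (size_t g = off / GRANULE; g <= (off + len - 1) / GRANULE; g++)
        if (lock[g] != 0 && lock[g] != key_of(p)) { faults++; return -1; }
    return 0;
}

/* Checked copies out of and into the arena: bytes moved, or -1 if the check trapped. */
long adi_read(tagged_ptr src, void *dst, size_t len)
{
    if (adi_check(src, len) != 0) return -1;
    memcpy(dst, arena + offset_of(src), len);
    return (long)len;
}
long adi_write(tagged_ptr dst, const void *src, size_t len)
{
    if (adi_check(dst, len) != 0) return -1;
    memcpy(arena + offset_of(dst), src, len);
    return (long)len;
}

/* Heartbleed-style over-read: the request claims 256 bytes but the heartbeat
 * buffer is 16. The copy runs into the neighbouring allocation, whose granule
 * carries a different version, so the check trips before the key material leaks. */
int demo_overread_across_granules(void)
{
    adi_reset();
    tagged_ptr hb = adi_malloc(16), key = adi_malloc(32);
    adi_write(hb, "heartbeat-data!", 16);
    adi_write(key, "-----BEGIN PRIVATE KEY-----", 28);
    uint8_t out[256];
    return adi_read(hb, out, sizeof out) == -1 && faults == 1;
}

/* The caveat: the granule is 64 bytes, so an over-read that stays inside the
 * buffer's own granule (48 bytes past a 16-byte buffer) is not detected. */
int demo_overread_inside_granule(void)
{
    adi_reset();
    tagged_ptr hb = adi_malloc(16);
    uint8_t out[64];
    return adi_read(hb, out, sizeof out) == 64 && faults == 0;
}

/* Stale pointer (use after free): the granules were re-coloured on free, so the
 * dangling pointer's key no longer matches. */
int demo_stale_pointer(void)
{
    adi_reset();
    tagged_ptr p = adi_malloc(100);
    adi_write(p, "session", 8);
    adi_free(p, 100);
    uint8_t out[8];
    return adi_read(p, out, sizeof out) == -1 && faults == 1;
}

int main(void)
{
    printf("over-read across granules trapped   : %d\n", demo_overread_across_granules());
    printf("over-read inside own granule trapped: %d\n", !demo_overread_inside_granule());
    printf("stale pointer trapped               : %d\n", demo_stale_pointer());
    return 0;
}
```

The third demo is the one to keep in mind when reading slide 29: a tagged-memory scheme turns a cross-allocation over-read or a use-after-free into an immediate trap, but it says nothing about bytes that sit in the same granule as the buffer being read, so short over-reads and intra-structure overflows still need bounds checks in the code itself.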
  • 30. Encryption Everywhere, except in memory (SPARC differentiation)
    – All data in motion encrypted: all network traffic via TLS/IPsec
    – All data at rest encrypted: all filesystems encrypted, and all databases encrypted using Transparent Data Encryption
    – All with minimal performance overhead due to the onboard encryption hardware
    – Memory secured using Silicon Secured Memory
  • 31. Securing Compute: Solaris Zones
    – Each tenant usually runs in 4 or more Zones (2 in the Application Domains and 2 in the DB Domains)
    – The Zones themselves provide complete security isolation and resource management from the other zones on the domain and from the global zone itself
    – RBAC (Role Based Access Control) is configured so that the tenant never actually gets full "root" privileges
    – Optionally, Immutable Zones can be used
    – Solaris Auditing is configured and the logs are stored remotely
  • 32. Securing Storage: Exadata Storage Cells and ZFS
    – Zonepaths used for booting the Zones are encrypted
    – NFS filesystems mounted from the Zones are accessible only via a unique InfiniBand partition
    – ASM and DB Scoped Security are enabled so that the tenant DB Zones can only see their own grid disks
    – TDE (Transparent Data Encryption) is used to encrypt all DB data, making use of hardware-based cryptographic acceleration
  • 33. Securing Network: client access, internal InfiniBand, management
    – Each Zone is configured with a dedicated IP stack, and each tenant is on a different VLAN
    – Dedicated InfiniBand partition for tenant Zone-to-Zone communication
    – All outbound traffic is configured with TLS
    – IPsec is configured for all traffic on the common Exadata Storage Cell partition
    – IP Filter limits outbound communication on the management network and the connection to the ZFS Appliance (RBAC stops the tenant from changing it)
    – IP Filter logging is enabled to detect attempted policy violations
  • 34. Securing Database: Oracle 12c security features
    – Database access is essentially protected by all of the aforementioned techniques, but adding another layer provides even more protection, not necessarily from other tenants but to limit access to legitimate users
    – Roles and privileges control who can see what (especially important when DB instances are being managed by the service provider)
    – Data Redaction fits seamlessly into the above
    – Database Vault, Audit Vault and Database Firewall all add even more defences
  • 35. Implementing: putting it all together
  • 36. Multitenant Cloud Architecture, principles of design: Metering, Limiting and Charging; Tenant Self-Provisioning; Resource Management; Role-Based Access; Workload Isolation
  • 37. Multi-Tenant Consolidation, tenant viewpoint. Secure configuration steps:
    – Implement the Multiple Service Workload recommendations
    – Enhance operating system security: restrict tenant access to Solaris Zones; implement a tenant administrator role; implement an immutable firewall policy; implement an immutable auditing policy
    – Enhance network security: implement IPsec/IKE for the RAC interconnect with tenant-specific keys; implement IP Filter on the application Zones; restrict tenant access to the SuperCluster management network and services
    (Diagram: tenant-specific immutable Zones for the Oracle Database cluster (RAC) and the Oracle WebLogic cluster, on tenant-specific VLANs and a tenant-specific InfiniBand network partition; RDSv3 to tenant-specific disk groups on the Oracle Exadata Storage Servers; IPoIB/SDP, SSL and SSH for tenant-specific internal communications; NFS/iSCSI to tenant-specific ZFS volumes/data sets on the Oracle Sun ZFS Storage Appliance holding binaries, configurations, backups and logs.)
  • 38. Multi-Tenant Environment on SuperCluster: the same security-technology matrix as slide 20 (Compute, Storage, Network, Database against Secure Isolation, Access Control, Data Protection, and Compliance, Monitoring and Auditing). Reference: Secure Multi-tenancy on Oracle SuperCluster: A Technical Deployment Cookbook
  • 39. Secure Multi-tenancy on SuperCluster. (Diagram: per-customer stacks of Application, Database, OS, Compute, Network, Storage and Mgmt for customers A, C, D and E, each stack isolated from the others.)
  • 40. Monitoring the Security and Compliance
    – Secure system spanning both application and database tiers
    – M7 Application Data Integrity memory protection (Software in Silicon)
    – Built-in compliance report automation
    – Restricted management console access
    – Pervasive near-zero-overhead encryption
    – Anti-malware protection
    – Comprehensive administrative action audit trail
  • 41. Summary: Oracle provides a complete and integrated solution
    – Security is underpinned by enabling encryption for all data in motion and at rest
    – The only place where data is NOT encrypted (memory) is protected by Silicon Secured Memory
    – Fully integrated and layered security model covering compute, storage, networking and database
    – Supported by a robust compliance and auditing framework, so that attempted breaches can be identified and defended against
    – It's all about the layers!
  • 42. Engineered Systems Security Summary: Complete, Tested, Integrated, Trusted
  • 45. Backup slides (Creative Commons image courtesy: Holger Zscheye @ Flickr)
  • 46. Engineered Systems Common Components: Compute, Storage, Network, Database
  • 47. Engineered Systems Security Focus Areas, applied to Compute, Storage, Network and Database: Secure Isolation; Access Control; Data Protection; Monitoring and Auditing
  • 48. Secure Workload Isolation. (Diagram of five isolation models for databases:)
    – Physical isolation: one database domain per SPARC T5-8 server (server 1 and server 2)
    – Electrical isolation: Domain 1 and Domain 2, each with its own database, on one SPARC M6-32 server
    – Hypervisor isolation: Domain 1 and Domain 2, each with its own database, on one SPARC T5-8 server, separated by the hypervisor
    – Zones isolation: Zones A, B, C and D, each with its own database, inside one domain on a SPARC T5-8 server
    – POSIX isolation: several databases side by side in one OS instance inside one domain on a SPARC T5-8 server, separated by POSIX users and permissions
  • 49. Secure Database Isolation. (Diagram of four models, each within one domain on one server:)
    – Instance isolation: several separate databases
    – Container isolation: one container database holding several pluggable databases
    – Schema isolation: one database holding several schemas
    – Label isolation: one database and one schema, with data separated by labels
  • 50. Secure (Ethernet) Network Isolation. (Diagram: Zones A, B and C across Domain 1 and Domain 2 on a SPARC T5-8 server, each reaching its own client (A-1, B-1, C-1) over its own VLAN or network (VLAN A, Network B, VLAN C) through per-zone VNICs and IPMP groups on net0/net1. Layer-2 VNIC and VLAN isolation on the client access network, with IPsec/SSL adding a cryptographic isolation layer.)
  • 51. Secure (InfiniBand) Network Isolation. (Diagram: an Oracle VM Server for SPARC database domain with Oracle Solaris 11 Zone A running Oracle Database 11g Release 2 instances A-1 and A-2, and an application domain with Zones C and D running instances C-1 and D-1. InfiniBand partition 0xFFFF carries RDSv3 to ASM Disk Group A on the Oracle Exadata Storage Servers; partition 0x8503 carries NFS over IPoIB to ZFS data sets C-1 and D-1 on the Sun ZFS Storage Appliance.)
  • 52. End-to-End Access Control
    – Compute: strong authentication; role-based access control; privileged user access control
    – Storage: ASM security; NFS access controls; iSCSI access controls
    – Network: boundary hardening; network partitioning; packet filtering
    – Database: strong authentication; role-based access control; privileged user access control
  • 53. End-to-End Data Protection. (Diagram: in the database domain, Zone A runs Oracle Database A-1 on SPARC T5 hardware-assisted cryptography via the Oracle Solaris Cryptographic Framework; an Oracle PKCS#11 wallet (Oracle Solaris PKCS#11 softtoken) holds SSL certificate A-1 and TDE master key A-1; Client A-1 connects over the client access network with SSL; RDSv3 over an InfiniBand network partition reaches ASM Disk Group A-1 with encrypted tablespaces on the Oracle Exadata Storage Servers, which use Intel AES-NI hardware-assisted cryptography; NFSv4 reaches ZFS Data Sets A-1 on the Sun ZFS Storage Appliance, holding encrypted backups and export files.)
  • 54. Secured Architectures on Engineered Systems (Creative Commons image courtesy: Guillermo @ Flickr)
  • 55. Single Service Workload, Oracle Exadata Database Machine example. Sample secure configuration steps:
    – Implement Exadata hardening
    – Apply security updates
    – Enhance operating system security: site-specific security hardening; authentication and access policies; system auditing policy
    – Enhance database security: site-specific security hardening; enable encrypted communications; configure Transparent Data Encryption; configure Database Vault
    – Enhance management security: change default passwords; site-specific hardening; replace self-signed certificates
    (Diagram: two Sun X4-2 servers running Oracle Linux 5 with Oracle Database 11g Release 2 in a RAC cluster and an ASM cluster; clients connect over the client access network with SSL; RDSv3 over the InfiniBand network to Disk Groups A and B holding the tablespaces on the Oracle Exadata Storage Servers.)
  • 56. Single Service Tier Consolidation, Oracle Exadata Database Machine example. Sample secure configuration steps:
    – Implement the Single Service Workload recommendations
    – Enhance operating system security: implement database-specific users/roles; implement POSIX isolation of instances; implement resource controls
    – Enhance storage security: implement Exadata security; implement resource controls
    (Diagram: as slide 55, with three Oracle Database 11g Release 2 databases on the same two servers, each with its own SSL client connection, its own RDSv3 path and its own disk group.)
  • 57. Multiple Service Tier Consolidation, Oracle SuperCluster example, secure isolation view. (Diagram: two physical servers, each with an Application Domain and a Database Domain. Oracle Traffic Director cluster (OTD Zones, Oracle Traffic Director 11g), Oracle WebLogic Server cluster (WLS Zones 1 and 2, Oracle WebLogic Server 12c) and Oracle Database cluster (DB Zones 1 and 2, Oracle Database 11g Release 2). Networks: client access network, SSL/TLS over 10GbE; web tier network, IPoIB/SDP on an InfiniBand partition; database tier network, IPoIB/SDP on an InfiniBand partition; Exadata tier network, RDSv3 on an InfiniBand partition.)
  • 58. Multiple Service Tier Consolidation, Oracle SuperCluster example, data protection view. (Diagram: an application domain with Zone A (Oracle Traffic Director 11g) and Zone B (Oracle WebLogic Server 12c) and a database domain with Zone C (Oracle Database 11g Release 2), all using SPARC T5 hardware-assisted cryptography through the Oracle Solaris Cryptographic Framework; an Oracle PKCS#11 wallet (Oracle Solaris PKCS#11 softtoken) holds the SSL certificate and the TDE master key; SSL on the client access network and between tiers on InfiniBand partition #1; RDSv3 on InfiniBand partition #2 to ASM disk groups with ENCRYPTED tablespaces on the Oracle Exadata Storage Servers (Intel AES-NI hardware-assisted cryptography); iSCSI/NFS on InfiniBand partition #3 to ENCRYPTED ZFS volumes/data sets on the Sun ZFS Storage Appliance holding binaries, configurations and backups.)
  • 59. Multiple Service Tier Consolidation, additional security controls and technologies
    – Compute: Oracle VM Server for SPARC; Solaris non-global and Immutable Zones; Solaris RBAC and fine-grained privileges
    – Storage: encrypted ZFS data sets and volumes; iSCSI authentication; iSCSI and NFS access controls
    – Network: full and limited membership InfiniBand partitions; Solaris IP Filter and IPsec/IKE
  • 60. Multiple Tenant Consolidation, Oracle SuperCluster example, tenant viewpoint: the same sample secure configuration steps and diagram as slide 37.
  • 61. Multiple Tenant Consolidation, Oracle SuperCluster example, provider viewpoint. (Diagram: one SPARC T5-8 server with an Application Domain holding Tenant A Zone 1 and Tenant B Zone 1 (applications) and a Database Domain holding Tenant A Zone 2 and Tenant B Zone 2 (Oracle Database). Tenant A reaches its zones over HTTPS on VLAN A, Tenant B over HTTPS on VLAN B; on the InfiniBand network each tenant has its own network partition carrying RDSv3 to its own disk groups on the Exadata Storage Servers and NFSv4/iSCSI to its own application and database storage on the Sun ZFS Storage Appliance.)
  • 62. Engineered Systems Security Capability Summary
    Secure Isolation
      Compute: Physical; Electrical; Hypervisor-Mediated; Kernel-Mediated
      Storage: Physical; ASM Instances; ZFS Data Sets
      Network: Physical (Ethernet); Ethernet VLANs; InfiniBand Partitions
      Database: Multitenant; Instances; Schema; Labels
    Access Control
      Compute: RBAC / Privileges; LDOM Administration; Zone Administration
      Storage: ZFS ACLs; Exadata Security; NFS Security
      Network: IP Filter / iptables; Switch ACLs; Audit Vault and Database Firewall
      Database: Roles and Privileges; Real Application Security; Database Vault
    Data Protection
      Compute: Immutable Zones; Read-Only Mounts; ZFS Administration
      Storage: ZFS Encryption; LOFI Encryption; TDE
      Network: SSH; SSL / TLS; IPsec / IKE
      Database: Virtual Private DB; Data Masking; Redaction
    Monitoring and Auditing
      Compute: Solaris Auditing; Linux Auditing; BART / AIDE
      Storage: ZFS Storage Appliance Logs; Exadata Storage Auditing
      Network: IP Filter / iptables; Switch Logs
      Database: Database Auditing; Audit Vault and Database Firewall