How we delivered a Multi-Tenant and PCI compliant Exalogic platform
Valve’s online game service Steam hit by hackers
35M CREDIT CARD RECORDS EXPOSED
The Steam video game service, used by 35 million people, has been compromised by hackers.
Its owner and operator, Valve, uncovered an intrusion into a user database while investigating a security breach of its discussion forums.
The attackers used login details from the forum hack to access a database that held ID and credit card data.
Hackers hit companies like Nasdaq, 7-Eleven for $300 million, prosecutors say
Wall Street was crumbling, Main Street was bleeding money — and Russian computer hackers were making out like bandits.
Over seven years, five Russians and a Ukrainian used sophisticated hacking techniques to steal more than 160 million credit and debit card numbers, target more than 800,000 bank accounts and penetrate servers used by the Nasdaq stock exchange, federal prosecutors said Thursday.
Millions exposed by Facebook data glitch
Personal details of about six million people have been inadvertently exposed by a bug in Facebook’s data archive.
The bug meant email and telephone numbers were accidentally shared with people who would not otherwise have had access to the information.
So far, there was no evidence the data exposed was being exploited for malicious ends, said Facebook.
And they are not alone...
EU Law: 4% of the worldwide turnover as potential penalty for a data leak
That’s why this presentation might be relevant!
René Simoons
Consultant, Simtech Consulting
Eugene van der Voort
Oracle Consultant, AMIS
Case
An online company with multiple datacenters, hosting multiple businesses on shared Exalogic systems.
Some of these businesses are processing credit card data and have to meet PCI-DSS regulations.
Some of these businesses might have different local laws and regulations to comply with.
The Exalogic systems had to be implemented in line with the above constraints.
Agenda
Welcome
Introduction
Platform challenges today
Cloud versus dedicated infrastructure (tables)
What is multitenancy?
Software vs Infrastructure
Consumers vs operators (perspective picture)
What are the benefits?
What about cloud and security?
Challenges around a shared platform
Compliancy
PCI-DSS key concepts and controls
Our client case
Weapon of choice: Exalogic
How
Platform challenges today
• IT needs to be cost effective
• The need for agility of services
• Standardization vs Customizations
• Data everywhere
• Security and data compliancy regulations
How cloud computing fits in
Cloud provides (The promise)
• Elasticity
• On Demand Capacity
• Measured Services
• Resource Pooling
• Pay per use
• Self Service
Which would translate into:
• Agile IT service delivery
• Rapid provisioning
• Reduced deployment times
• Optimized cost
• Higher server and storage utilization
• Lower power and cooling costs
• Reduced capital expenditures (CapEx) and operating expenses (OpEx)
• Reduced total cost of ownership (TCO)
Cloud Flavours
• IaaS: Infrastructure-as-a-service (host)
• PaaS: Platform-as-a-service (build)
• SaaS: Software-as-a-service (consume)
Cloud versus dedicated infrastructure
(Figure: a spectrum from shared to dedicated: public cloud, private clouds, datacentre, dedicated servers.)
Back to the case
An online company with multiple datacenters, hosting multiple businesses on shared Exalogic systems.
Some of these businesses are processing credit card data and have to meet PCI-DSS regulations.
Some of these businesses might have different local laws and regulations to comply with.
The Exalogic systems had to be implemented in line with the above constraints.
What is multi-tenancy
Common characteristics:
• A single shared platform serving clients in perfect isolation across each layer within the stack.
• Multiple “tenants” that use the same application/set of applications.
• A shared architecture across all tenants.
• Distinct separation between the instances run for each tenant.
What Multi-Tenancy brings to the business
• Scalability
• Release once, deploy to many
• Flexibility
• Reduced cost
• Reduced time to market
• Focus on core expertise
• Reducing cost of IT deployment and operation
Back to the case
An online company with multiple datacenters, hosting multiple businesses on shared Exalogic systems.
Some of these businesses are processing credit card data and have to meet PCI-DSS regulations.
Some of these businesses might have different local laws and regulations to comply with.
The Exalogic systems had to be implemented in line with the above constraints.
Perspective of multi-tenancy
(Figure: Datacentre)
What is this PCI-DSS standard?
The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard mandated by the major card schemes (VISA, MasterCard and American Express).
Why has it been initiated?
The standard was created to increase controls around cardholder data to reduce credit card fraud.
How is it enforced?
Validation of compliance is performed annually, either by an external Qualified Security Assessor (QSA) or by Self-Assessment Questionnaire (SAQ) for companies handling smaller volumes.
PCI Data Security Standard - High Level Overview
We had to merge Multi tenancy and PCI
(Figure: Multi tenancy and PCI.)
Tech specs: Client case
First datacentre (the slide labels the two datacentres US DC and EU DC)
Asset / Description
• Exalogic 1/8 rack
• ZFS Backup Appliance: encrypted backups
• 2 WebLogic applications: custom Java
• OTD: SSL offloading, WAF & load balancing
• Online 24/7/365
Second datacentre
Asset / Description
• 2x Exalogic 1/8 rack
• 1x ZFS Backup Appliance: encrypted backups
• 2 WebLogic applications: custom Java
• OTD: SSL offloading, WAF & load balancing
• Online 24/7/365
• Active – Active
• 100+ transactions per second
While Oracle handles the hardware maintenance, failed disks will not be returned to Oracle but shredded by a PCI compliant waste processor.
Across the platform:
• 300+ network firewall rules
• 30+ storage ACLs
• File integrity control
• Anti-Virus on Linux
• Weekly security scans
• Fully automated
• Infra as code
• Audits by PCI-DSS
• Monitored by ACS and client
And this is what we did
Storage
• Per tenant ZFS Projects and shares
• Per tenant roles and credentials
• Storage provisioning as part of the automated provisioning
Network
• Per tenant client access using VLAN
• Per tenant private network
• Per layer and tenant an external firewall
• Network provisioning as part of the automated provisioning
And this is what we did
Virtualization
• Per tenant group of vServers
• Per tenant quota for vCPU, memory and storage
• Per tenant access rules, roles, groups and credentials
• Per tenant audit logs and reporting
Exalogic storage layer
Multitenancy
• Data separation: Projects and shares
• Separate data owners
• Explicit automation to enforce storage provisioning for tenants
PCI DSS
• Encryption on storage layer
• Role Based Access Control
• LDAP integrated
• Dedicated backup network
• Encrypted backup
(Figure: tenant A and tenant B each have their own projects on the Exalogic ZFS SA, provisioned by automation; each tenant's encrypted backup travels over the dedicated backup network to the ZFS Backup Storage Appliance.)
Network layer
Multitenancy
• Dedicated VLAN / IB Partitions
• Separation of network access per tenant
• Dedicated OTD
• Per tenant NTP, DNS, LDAP
PCI DSS
• Encrypted traffic
• Explicit firewall rules
• Removal of insecure protocols
• CA signed certificates
• Security scans
• Auditing
(Figure: per tenant, a group of vServers behind a dedicated OTD on the Exalogic, reaching the ZFS SA over the storage network, with a firewall in front.)
Virtualization layer
Multitenancy
• Dedicated resource pools
• Shared virtualization capacity
• SLA contract
• Self Service
PCI DSS
• Dedicated resource pools per tenant
• Strict resource limitation via accounts and quota
(Figure: Account Tenant A, Account Tenant B.)
Account: container for virtual resources within a server pool. Quota enforced on CPU, Memory, Storage and network.
Server pools: dedicated compute nodes.
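As an added illustration of the account-and-quota control above (this is example code, not the presenters' or Oracle's tooling): a tenant account holds its vServers and a quota on CPU, memory, storage and network, and a provisioning request is admitted only if the account's projected usage stays within every dimension of the quota and the request comes from the owning tenant. The data model, the choice to count the network quota in virtual NICs, and the sample sizes are assumptions made for this example.

```python
"""Added example: quota admission for a tenant account (constructed model,
not the client's platform).  Network quota is modelled as virtual NICs,
which is an assumption of this example."""
from dataclasses import dataclass, field, fields
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Resources:
    vcpu: int = 0
    memory_gb: int = 0
    storage_gb: int = 0
    vnics: int = 0  # network quota expressed as virtual NICs (assumption)

    def __add__(self, other: "Resources") -> "Resources":
        return Resources(*(getattr(self, f.name) + getattr(other, f.name)
                           for f in fields(self)))

    def exceeds(self, limit: "Resources") -> List[str]:
        """Names of the dimensions in which self is larger than limit."""
        return [f.name for f in fields(self)
                if getattr(self, f.name) > getattr(limit, f.name)]


@dataclass
class Account:
    """Container for a tenant's virtual resources within a server pool."""
    tenant: str
    quota: Resources
    vservers: Dict[str, Resources] = field(default_factory=dict)

    def used(self) -> Resources:
        total = Resources()
        for r in self.vservers.values():
            total = total + r
        return total


def admit_vserver(account: Account, requester_tenant: str, name: str,
                  request: Resources) -> Tuple[bool, str]:
    """All-or-nothing admission: the vServer is recorded only if every check passes."""
    # Accounts are tenant-scoped: another tenant's context may not provision here.
    if requester_tenant != account.tenant:
        return False, f"{requester_tenant} may not provision into the account of {account.tenant}"
    if name in account.vservers:
        return False, f"vServer {name} already exists"
    # Quota is checked on the projected total, per dimension, before anything is allocated.
    over = (account.used() + request).exceeds(account.quota)
    if over:
        return False, "quota exceeded for: " + ", ".join(over)
    account.vservers[name] = request
    return True, "admitted"


def sample_account() -> Account:
    """Constructed tenant account: quota of 16 vCPU / 64 GB / 500 GB / 4 vNICs, one vServer in use."""
    return Account("tenant-a", quota=Resources(16, 64, 500, 4),
                   vservers={"otd-1": Resources(4, 16, 100, 2)})


if __name__ == "__main__":
    acct = sample_account()
    print(admit_vserver(acct, "tenant-a", "wls-1", Resources(12, 48, 400, 2)))
    print(admit_vserver(acct, "tenant-a", "wls-2", Resources(1, 1, 1, 0)))
    print(admit_vserver(acct, "tenant-b", "rogue", Resources(1, 1, 1, 1)))
```

The check is deliberately performed on the projected total rather than on the request alone, so a tenant cannot creep past its quota with many small vServers, and a rejected request leaves the account untouched.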
vServers
Multitenancy
• vServer template per tenant
• Deny all, unless
• Permissions set per tenant scope
• Patch strategy per tenant
• Enforced security patches
PCI DSS
• NSA / STIG
• SSH
• Minimal OS
• Removal of insecure protocols and services
• RBAC
Middleware
Multitenancy
• Dedicated binaries
• Dedicated configuration per tenant, enforced
• Automated deployment
• LCM on tenant level
PCI DSS
• Hardening on middleware
• RBAC
• Security patches
• Quarterly patch cycle
Monitoring
Multitenancy
• RBAC on tenant level
• Dedicated application and host monitoring per tenant
• Shared monitoring on platform level
PCI DSS
• Central audit and logging
• Reporting via EM and ASR
Automation
Multitenancy
• Multi-tenancy enforced via automation, not accessible from tenant context
• Automated provisioning and deployments
PCI DSS
• RBAC to provision and deployment
Maintenance
Multitenancy
• RBAC per tenant
• Administrators per tenant
• Isolation enforced via automated config validation
PCI DSS
• Quarterly patch cycle
• Hardening enforced via automated config validation
• Administrator roles per tenant
• Administrator roles for hardware
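The storage, network and maintenance slides all rely on "isolation enforced via automated config validation". The following is an added example of such a check, written for this page rather than taken from the presenters' platform: it walks a declarative model of ZFS shares and firewall rules and reports any share ACL that names a principal of another tenant, any explicit allow rule that crosses a tenant boundary or carries a protocol the platform has removed, and a firewall default that is not "deny all, unless". The "<tenant>/<thing>" naming convention for zones and principals, the list of insecure protocols and the sample configuration are assumptions made for this example.

```python
"""Added example: tenant-isolation policy check over a constructed config
model.  Not the presenters' tooling; naming convention, protocol list and
sample data are assumptions of this example."""
from dataclasses import dataclass, field
from typing import List

# Protocols the network-layer slide says were removed from the platform (assumed list).
INSECURE_PROTOCOLS = {"telnet", "ftp", "rsh", "rlogin", "http"}


def tenant_of(name: str) -> str:
    """Owner of a zone or principal under the assumed '<tenant>/<thing>' convention."""
    return name.split("/", 1)[0]


@dataclass
class Share:
    tenant: str        # tenant that owns the ZFS project the share lives in
    project: str
    name: str
    acl: List[str]     # principals granted access, e.g. "tenant-a/weblogic"


@dataclass
class FirewallRule:
    action: str        # "allow" or "deny"
    src: str           # zone, e.g. "tenant-a/client-vlan"
    dst: str           # zone, e.g. "tenant-a/otd"
    protocol: str
    port: int


@dataclass
class Platform:
    default_policy: str                  # "deny all, unless": must be "deny"
    shares: List[Share] = field(default_factory=list)
    rules: List[FirewallRule] = field(default_factory=list)


def validate_isolation(platform: Platform) -> List[str]:
    """Return human-readable violations; an empty list means the config passes."""
    violations = []

    # Storage: a share's ACL may only name principals of the tenant that owns it.
    for s in platform.shares:
        for principal in s.acl:
            if tenant_of(principal) != s.tenant:
                violations.append(f"share {s.project}/{s.name}: ACL grants {principal}, "
                                  f"which is outside tenant {s.tenant}")

    # Network: default must be deny; explicit allows must stay inside one tenant
    # and must not carry a protocol the platform has removed.
    if platform.default_policy != "deny":
        violations.append(f"firewall default policy is {platform.default_policy!r}, expected 'deny'")
    for r in platform.rules:
        if r.action != "allow":
            continue
        if tenant_of(r.src) != tenant_of(r.dst):
            violations.append(f"rule {r.src} -> {r.dst}:{r.port} crosses a tenant boundary")
        if r.protocol in INSECURE_PROTOCOLS:
            violations.append(f"rule {r.src} -> {r.dst}:{r.port} allows insecure protocol {r.protocol}")
    return violations


def sample_platform() -> Platform:
    """Constructed configuration containing three deliberate violations."""
    return Platform(
        default_policy="deny",
        shares=[
            Share("tenant-a", "tenant-a-proj", "app-data", ["tenant-a/weblogic"]),
            # tenant-a/ops has been granted access to a tenant-b share: violation
            Share("tenant-b", "tenant-b-proj", "app-data", ["tenant-b/weblogic", "tenant-a/ops"]),
        ],
        rules=[
            FirewallRule("allow", "tenant-a/client-vlan", "tenant-a/otd", "tcp", 443),
            FirewallRule("allow", "tenant-b/client-vlan", "tenant-b/otd", "tcp", 443),
            # tenant A's OTD reaching tenant B's WebLogic tier: violation
            FirewallRule("allow", "tenant-a/otd", "tenant-b/weblogic", "tcp", 7001),
            # telnet inside tenant B: violation (insecure protocol)
            FirewallRule("allow", "tenant-b/admin", "tenant-b/weblogic", "telnet", 23),
        ],
    )


if __name__ == "__main__":
    for v in validate_isolation(sample_platform()):
        print("VIOLATION:", v)
```

Run as a gate in the provisioning pipeline, a non-empty result blocks the change; run on a schedule over the live configuration, it doubles as the drift detection the maintenance slide's "hardening enforced via automated config validation" bullet calls for.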
The biggest challenge we had to solve…
To include sufficient variability in the automated PaaS layer while maintaining scalability and perfect isolation.
Take away
Start within the design phase with variability
Each type of cloud has different multi-tenancy requirements
Multi-Tenancy and PCI are complementary
Automation is key
Exalogic and secure multi-tenancy are a good fit
Q & A
Thank you
René Simoons
Consultant, Simtech Consulting
Rene@simtech.nl
Eugene van der Voort
Oracle Consultant, AMIS
eugene.van.der.voort@amis.nl

Pci multitenancy exalogic at AMIS25
