Private Clouds: Opportunity to Improve Data Security and Lower Costs
InfoTRAMS Fusion: thematic track on databases, careers and personal devices at work
Michał Jerzy Kostrzewa (Michal.Kostrzewa@Oracle.com), ECE Business Development Manager, Oracle
Agenda
- Challenges of Securing Data Today
- Data Security in Cloud Environments
- Private vs. Public Clouds
- Securing Database Clouds
- Q&A
Easy to Lose Track of Sensitive Data in Traditional Computing Environments
- Silos of dedicated hardware and software for each application
- Organizations are typically unsure which silos contain sensitive data
- Securing every silo is too costly and complex
- Organizations typically protect only the one resource they all share: the network
- Data and database infrastructure therefore remain vulnerable to attack from inside the network perimeter
Data and Databases Vulnerable (The 2010 IOUG Data Security Report)

Survey finding (share of respondents)                                     Share   Resulting exposure
Uniformly encrypt sensitive data in all databases                          28%    Data can be read or tampered with by any system user or admin with access to database files or storage
Can prevent privileged database users from reading/modifying data          24%    Data can be accessed by DBAs or anyone holding privileged database user credentials
Allow database users to access data directly                               44%    Users can bypass application security policies to read or modify data directly in the database
Cannot detect whether database users are abusing privileges                68%    Database users can perform unauthorized activities undetected
Not sure whether their applications are subject to SQL injection           66%    Data can be manipulated by attackers who compromise applications
Copy sensitive production data to non-production environments              48%    Data can be accessed by developers, testers, etc.
Over 900M (92%) of Breached Records Came from Compromised Database Servers (2010 Data Breach Investigations Report)
- 48% involved privilege misuse
- 40% resulted from hacking
- 38% utilized malware
- 28% employed social tactics
- 15% comprised physical attacks
(Categories overlap: a single breach commonly combines several of these.)
Cloud Computing Environments Allow Securing Sensitive Data Efficiently
- Clouds are shared pools of standardized computing resources
- Oracle Exadata is a pre-integrated, highly optimized Database Cloud platform that maximizes ROI
- All data is now managed in the Database Cloud, so securing the Database Cloud is not optional
- Securing the Database Cloud results in efficient and consistent protection for all data
- Database Clouds enable better security at lower cost and complexity
Exadata and Exalogic: Extreme Performance, Engineered Systems
- Database machine (Exadata) and middle-tier machine (Exalogic)
- Unmatched performance, simplified deployment, lower total cost
- Building blocks for private and public PaaS
Oracle Exadata: Extreme Performance
- Faster than DW appliances: faster query throughput, fastest disk throughput, much faster with Flash
  [chart: query throughput in GB/sec on uncompressed data, single rack, Exadata vs. Teradata 2650 and Netezza TwinFin 12; Exadata reaches 75 GB/sec with Flash]
- More bandwidth than high-end arrays: storage arrays cannot deliver disk bandwidth, gain no extra bandwidth from Flash, and have no CPU offload, no columnar compression and no InfiniBand
  [chart: data bandwidth in uncompressed GB/sec, Exadata vs. IBM XIV, NetApp 6080, IBM DS8700, Hitachi USP V and EMC VMAX]
- More data capacity: more disk drives per rack, larger disk drives, much better compression
  [chart: systems holding equal user data, all with largest disks and best compression, Exadata vs. Teradata 2650, EMC VMAX and Netezza TwinFin 12]
Oracle Exalogic: Extreme Performance (each figure vs. the conventional alternative shown in the chart)
- Internet applications: 12x improvement, over 1 million HTTP requests/sec (Facebook's web traffic on 2 full racks)
- Messaging applications: 4.5x improvement, over 1.8 million messages/sec (all Chinese rail ticketing on 1 rack)
- Database applications: 1.4x improvement, almost 2 million JPA operations/sec (all eBay product searches on 1/2 rack)
Biggest Barrier to Cloud Computing Adoption? Security!
- 74% rate cloud security issues as very significant (Source: IDC)
The Reality of Cloud Computing: Cloud Computing Is Often Confused with Outsourcing
Public clouds
- Cloud operated by a vendor
- Security (and compliance?) becomes outsourced
- Not an option for certain organizations and industries
Private clouds
- An evolution of IT services
- You are still responsible for ensuring security and compliance
- A cost-effective option to protect data for all organizations
Securing Database Clouds: Defense in Depth
- Prevent access by non-database users
- Increase database user identity assurance
- Control access to data within the database
- Audit database activity
- Monitor database traffic and prevent threats from reaching the database
- Ensure the database production environment is secure and prevent configuration drift
- Remove sensitive data from non-production environments
Copyright 2010, Oracle. All rights reserved
Oracle Advanced Security: Protect Data from Unauthorized Users
[diagram: encrypted data on disk, in backups, in application exports and at off-site facilities]
- Complete encryption of application data at rest, preventing direct access to data stored in database files, on tape, in exports, etc. by IT staff and OS users
- Efficient application data encryption without application changes
- Built-in two-tier key management for separation of duties, with support for centralized key management using an HSM/KMS
- Strong authentication of database users for greater identity assurance
Oracle Database Vault: Enforce Security Policies Inside the Database
[diagram: Procurement, HR and Finance application data protected by realms; a DBA's "select * from finance.customers" is stopped at the Finance realm while the applications reach their own data; a separate security DBA administers the policies]
- Automatic and customizable DBA separation of duties and protective realms
- Enforce who, where, when and how using rules and factors
- Enforce least privilege for privileged database users
- Prevent application bypass and enforce enterprise data governance
- Securely consolidate application data or enable multi-tenant data management
Oracle Audit Vault: Audit Database Activity in Real Time
[diagram: audit data from HR, CRM and ERP databases is consolidated into Audit Vault, which applies policies, raises alerts and produces built-in and custom reports for the auditor]
- Consolidate database audit trails into a secure, centralized repository
- Detect and alert on suspicious activities, including those of privileged users
- Out-of-the-box compliance reports for SOX, PCI and other regulations, e.g. privileged user audit, entitlements, failed logins, regulated data changes
- Streamline audits with report generation, notification, attestation, archiving, etc.
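The detection side of the slide above, as an added example that is not Oracle Audit Vault code: a consolidated audit trail is parsed and three of the report categories (privileged-user access to regulated data, bursts of failed logins, entitlement changes) are turned into rules that raise alerts. The CSV layout, the audit lines, the user and object names and the thresholds are all constructed for the example; the layout only loosely follows the columns of an Oracle audit trail, and return code 1017 stands for ORA-01017 (invalid username/password).

```python
"""Detection rules over a consolidated audit trail (added example, not Oracle code).

Records are constructed CSV lines in a layout loosely modelled on an Oracle audit
trail: timestamp, database user, OS user, client host, action, object, return code
(1017 = ORA-01017 invalid username/password) and a free-text detail column.
"""
import csv
from collections import defaultdict, deque, namedtuple
from datetime import datetime, timedelta
from io import StringIO

AUDIT_CSV = """\
ts,db_user,os_user,host,action,object,returncode,detail
2010-05-02T02:14:05,SYSTEM,jsmith,dbhost1,SELECT,HR.EMPLOYEES,0,
2010-05-02T02:14:09,SYSTEM,jsmith,dbhost1,SELECT,HR.EMPLOYEES,0,
2010-05-02T09:00:01,HR_APP,appsrv,app01,SELECT,HR.EMPLOYEES,0,
2010-05-02T09:05:11,SCOTT,scott,ws-17,LOGON,,1017,
2010-05-02T09:05:14,SCOTT,scott,ws-17,LOGON,,1017,
2010-05-02T09:05:16,SCOTT,scott,ws-17,LOGON,,1017,
2010-05-02T09:05:19,SCOTT,scott,ws-17,LOGON,,1017,
2010-05-02T09:05:21,SCOTT,scott,ws-17,LOGON,,1017,
2010-05-02T09:05:30,SCOTT,scott,ws-17,LOGON,,0,
2010-05-02T11:30:00,SYS,oracle,dbhost1,GRANT,,0,GRANT DBA TO SCOTT
2010-05-02T13:45:12,FIN_APP,appsrv,app01,UPDATE,FIN.CUSTOMERS,0,
2010-05-02T15:10:00,SYSTEM,jsmith,dbhost1,GRANT,,0,GRANT CREATE SESSION TO ALICE
"""

Record = namedtuple("Record", "ts db_user os_user host action object returncode detail")
Alert = namedtuple("Alert", "rule subject detail")

# Policy inputs (assumed for the example): which accounts count as privileged,
# which objects hold regulated data, which privileges are too powerful to hand
# out without review, and how many failed logins in a window mean guessing.
PRIVILEGED_USERS = {"SYS", "SYSTEM"}
REGULATED_OBJECTS = {"HR.EMPLOYEES", "FIN.CUSTOMERS"}
POWERFUL_PRIVS = ("DBA", "ANY ", "SYSDBA", "EXEMPT ACCESS POLICY")
DATA_ACTIONS = {"SELECT", "INSERT", "UPDATE", "DELETE"}
FAILED_LOGIN_THRESHOLD = 5
FAILED_LOGIN_WINDOW = timedelta(minutes=1)


def parse_audit(text):
    """Parse the CSV trail into Records sorted by timestamp."""
    rows = []
    for r in csv.DictReader(StringIO(text)):
        rows.append(Record(datetime.fromisoformat(r["ts"]), r["db_user"], r["os_user"],
                           r["host"], r["action"], r["object"], int(r["returncode"]),
                           r["detail"]))
    return sorted(rows, key=lambda rec: rec.ts)


def detect(records):
    """Run the three rules in one pass and return the alerts in trail order."""
    alerts = []
    failures = defaultdict(deque)   # (db_user, host) -> timestamps of recent failed logins
    for rec in records:
        # Rule 1: a privileged account touching regulated data directly. The
        # application owner is expected there; SYS/SYSTEM are not.
        if rec.db_user in PRIVILEGED_USERS and rec.object in REGULATED_OBJECTS \
                and rec.action in DATA_ACTIONS:
            alerts.append(Alert("privileged_access", rec.db_user,
                                f"{rec.action} on {rec.object} from {rec.host} at {rec.ts.isoformat()}"))
        # Rule 2: failed logins per (user, host) inside a sliding window; fire
        # exactly once when the burst reaches the threshold.
        if rec.action == "LOGON" and rec.returncode == 1017:
            window = failures[(rec.db_user, rec.host)]
            window.append(rec.ts)
            while rec.ts - window[0] > FAILED_LOGIN_WINDOW:
                window.popleft()
            if len(window) == FAILED_LOGIN_THRESHOLD:
                alerts.append(Alert("failed_logins", rec.db_user,
                                    f"{len(window)} failures from {rec.host} within {FAILED_LOGIN_WINDOW}"))
        # Rule 3: entitlement change that grants a powerful privilege.
        if rec.action == "GRANT" and any(p in rec.detail.upper() for p in POWERFUL_PRIVS):
            alerts.append(Alert("entitlement_change", rec.db_user, rec.detail))
    return alerts


def summarize(alerts):
    """Alert counts per rule, the figures a compliance report would show."""
    counts = defaultdict(int)
    for alert in alerts:
        counts[alert.rule] += 1
    return dict(counts)


if __name__ == "__main__":
    for alert in detect(parse_audit(AUDIT_CSV)):
        print(f"{alert.rule:18s} {alert.subject:8s} {alert.detail}")
```

On the sample trail this yields two privileged-access alerts (SYSTEM reading HR.EMPLOYEES at 02:14), one failed-login alert for SCOTT (five ORA-01017 results within ten seconds, the later successful logon is not counted) and one entitlement alert (SYS granting DBA); the routine grant of CREATE SESSION and the application owners' own data access stay silent. In practice Rule 1 needs an exception list tied to approved maintenance windows, otherwise legitimate DBA work drowns the real signal.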
Oracle Total Recall: Track Changes to Sensitive Data

    SELECT salary
      FROM emp AS OF TIMESTAMP TO_TIMESTAMP('02-MAY-09 12.00 AM', 'DD-MON-YY HH.MI AM')
     WHERE emp.title = 'admin';

- Transparently track application data changes over time
- Efficient, tamper-resistant storage of archives in the database
- Real-time access to historical application data using SQL (flashback query, as above)
- Simplified incident forensics and recovery
Oracle Database Firewall: First Line of Defense
[diagram: application SQL passes through the firewall, which allows, logs, alerts on, substitutes or blocks each statement according to policy and feeds alerts plus built-in and custom reports]
- Monitor database activity to prevent unauthorized database access, SQL injection, privilege or role escalation, illegal access to sensitive data, etc.
- Highly accurate SQL grammar-based analysis without costly false positives
- Flexible SQL-level enforcement options based on white lists and black lists
- Scalable architecture provides enterprise performance in all deployment modes
- Built-in and custom compliance reports for SOX, PCI and other regulations
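What "SQL grammar-based analysis" with a white list amounts to, as an added example that is not Oracle Database Firewall code: each statement is reduced to its structure (keywords and identifiers kept, literals replaced by a placeholder, comments dropped), and that structure is compared with a list learned from the application's known-good traffic. An injected clause changes the structure, so it falls off the list even when the attacker only tampered with a literal, while a legitimate query with a different literal stays on it. The tokenizer, the policy class and all statements are constructed for the example and cover common SQL rather than every Oracle dialect feature.

```python
"""Grammar-based SQL allow-listing (added example, not Oracle Database Firewall code)."""
import re

# One alternative per token class; order matters (comments come before operators so
# that "--" and "/*" are not split into minus and slash tokens).
TOKEN_RE = re.compile(r"""
    (?P<string>'(?:[^']|'')*')            # single-quoted literal, '' escapes a quote
  | (?P<number>\d+(?:\.\d+)?)             # numeric literal
  | (?P<comment>--[^\n]*|/\*.*?\*/)       # comments are discarded
  | (?P<word>[A-Za-z_][A-Za-z0-9_$\#.]*)  # keyword, identifier, owner.object
  | (?P<op>:=|<>|!=|<=|>=|\|\||[(),;=<>*+\-/])
  | (?P<ws>\s+)
""", re.VERBOSE | re.DOTALL)


def tokenize(sql):
    """Yield (kind, text); raise on anything the grammar does not cover so that
    unknown input fails closed instead of slipping past the policy."""
    pos = 0
    while pos < len(sql):
        m = TOKEN_RE.match(sql, pos)
        if m is None:
            raise ValueError(f"unrecognised input at offset {pos}: {sql[pos:pos + 10]!r}")
        pos = m.end()
        yield m.lastgroup, m.group()


def fingerprint(sql):
    """Return the statement's structural signature as one string."""
    parts = []
    for kind, text in tokenize(sql):
        if kind in ("string", "number"):
            parts.append("?")            # every literal looks the same
        elif kind == "word":
            parts.append(text.upper())   # keywords and identifiers are case-insensitive
        elif kind == "op":
            parts.append(text)
        # comments and whitespace contribute nothing
    fp = " ".join(parts)
    # IN (1, 2, 3) and IN (1, 2, 3, 4, 5) are the same shape for policy purposes
    return re.sub(r"\(\s*\?(?:\s*,\s*\?)*\s*\)", "(?)", fp)


class SqlFirewall:
    """Allow-list policy with the allow / alert / block outcomes from the slide."""

    def __init__(self, allowed_fingerprints, mode="block"):
        assert mode in ("block", "alert")
        self.allowed = set(allowed_fingerprints)
        self.mode = mode   # "block" enforces, "alert" only reports (monitoring mode)

    @classmethod
    def learn(cls, baseline_statements, mode="block"):
        """Build the allow-list from traffic captured during a trusted period."""
        return cls({fingerprint(s) for s in baseline_statements}, mode)

    def evaluate(self, sql):
        """Return (decision, fingerprint); decision is allow, alert or block."""
        try:
            fp = fingerprint(sql)
        except ValueError:
            return "block", None         # fail closed on unparseable input
        if fp in self.allowed:
            return "allow", fp
        return self.mode, fp             # unknown shape


# Constructed baseline: what the application normally sends.
BASELINE = [
    "SELECT name, balance FROM accounts WHERE id = 42",
    "UPDATE accounts SET balance = 100 WHERE id = 7",
    "select * from orders where customer_id in (1, 2, 3)",
]

if __name__ == "__main__":
    fw = SqlFirewall.learn(BASELINE)
    for stmt in [
        "SELECT name, balance FROM accounts WHERE id = 1337",
        "SELECT name, balance FROM accounts WHERE id = 42 OR 1=1",
        "SELECT name, balance FROM accounts WHERE id = 42 UNION SELECT username, password FROM dba_users",
        "GRANT DBA TO scott",
    ]:
        print(f"{fw.evaluate(stmt)[0]:5s}  {stmt}")
```

The flip side of the slide's "without costly false positives" claim is visible here: a new but legitimate query shape (say, the same SELECT with an extra `AND status = 'open'`) is blocked until it is learned, so the baseline must be captured from complete application traffic and the firewall is normally run in alert mode first.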
Oracle Configuration Management: Secure Your Database Environment
[diagram: a continuous cycle of Discover, Classify, Assess, Prioritize, Fix and Monitor spanning asset management, policy management, vulnerability management, configuration management and audit, and analysis and analytics]
- Discover and classify databases into policy groups
- Scan databases against 400+ best practices and industry standards, plus custom enterprise-specific configuration policies
- Detect and even prevent unauthorized database configuration changes
- Change management dashboards and compliance reports
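The two checks the slide describes, a policy scan and drift detection against an approved baseline, as an added example that is not Oracle Configuration Management code. The initialization parameter names are real Oracle parameters and the expected values follow common hardening guidance, but the policy is a small illustrative subset, not the product's 400+ checks, and both snapshots are constructed (in practice they would be read from V$PARAMETER).

```python
"""Configuration policy scan and drift detection (added example, not Oracle code)."""
from collections import namedtuple

Finding = namedtuple("Finding", "parameter actual expected severity")
Change = namedtuple("Change", "parameter approved current breaks_policy")

# parameter -> (predicate on the string value, expectation in words, severity).
# Illustrative subset of hardening guidance, not a complete benchmark.
POLICY = {
    "audit_trail": (lambda v: v.upper() != "NONE",
                    "auditing enabled (DB, DB,EXTENDED, XML or OS)", "high"),
    "remote_os_authent": (lambda v: v.upper() == "FALSE", "FALSE", "high"),
    "remote_login_passwordfile": (lambda v: v.upper() in ("NONE", "EXCLUSIVE"),
                                  "NONE or EXCLUSIVE, never SHARED", "medium"),
    "o7_dictionary_accessibility": (lambda v: v.upper() == "FALSE", "FALSE", "high"),
    "sec_case_sensitive_logon": (lambda v: v.upper() == "TRUE", "TRUE", "medium"),
    "sec_max_failed_login_attempts": (lambda v: v.isdigit() and int(v) <= 10,
                                      "10 or fewer", "medium"),
    "sql92_security": (lambda v: v.upper() == "TRUE", "TRUE", "low"),
}


def assess(snapshot):
    """Findings for every policy parameter that is missing or non-compliant."""
    findings = []
    for name, (ok, expected, severity) in POLICY.items():
        actual = snapshot.get(name)
        if actual is None or not ok(actual):
            findings.append(Finding(name, actual, expected, severity))
    return findings


def drift(approved, current):
    """Every parameter whose value differs from the approved baseline, flagged
    when the new value also fails policy. Compliant changes are still reported:
    an unreviewed change is the thing change control wants to see."""
    changes = []
    for name in sorted(set(approved) | set(current)):
        before, after = approved.get(name), current.get(name)
        if before != after:
            rule = POLICY.get(name)
            breaks = rule is not None and (after is None or not rule[0](after))
            changes.append(Change(name, before, after, breaks))
    return changes


def compliance_score(snapshot):
    """Share of policy parameters that pass, 0.0 to 1.0."""
    return 1 - len(assess(snapshot)) / len(POLICY)


# Constructed snapshots for one database: the state approved at go-live and
# the state found by tonight's scan.
APPROVED = {
    "audit_trail": "DB,EXTENDED", "remote_os_authent": "FALSE",
    "remote_login_passwordfile": "EXCLUSIVE", "o7_dictionary_accessibility": "FALSE",
    "sec_case_sensitive_logon": "TRUE", "sec_max_failed_login_attempts": "10",
    "sql92_security": "TRUE", "processes": "300",
}
CURRENT = dict(APPROVED, audit_trail="NONE", remote_os_authent="TRUE", processes="500")

if __name__ == "__main__":
    for f in assess(CURRENT):
        print(f"[{f.severity}] {f.parameter} = {f.actual!r}, expected {f.expected}")
    for c in drift(APPROVED, CURRENT):
        print(f"changed: {c.parameter} {c.approved!r} -> {c.current!r}"
              f"{'  (policy violation)' if c.breaks_policy else ''}")
```

Separating the two reports matters: the scan answers "is this database hardened", the drift report answers "who changed what since it was approved"; the `processes` bump is invisible to the first and a change-control event for the second.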
Oracle Data Masking: Irreversibly De-Identify Data for Non-Production Use

Production
LAST_NAME   SSN          SALARY
AGUILAR     203-33-3234  40,000
BENSON      323-22-2943  60,000

Non-Production
LAST_NAME   SSN          SALARY
ANSKEKSL    111-23-1111  60,000
BKJHHEIEDK  222-34-1345  40,000

- Data never leaves the database
- Make application data securely available in non-production environments
- Prevent application developers and testers from seeing production data
- Extensible template library and policies for data masking automation
- Referential integrity automatically preserved so applications continue to work
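How the two properties on the slide, irreversibility and preserved referential integrity, can both hold at once, as an added example that is not Oracle Data Masking code. A small SQLite schema stands in for the cloned production database and every row is constructed (the first two employees mirror the slide). SSNs are masked with a keyed hash so that each real SSN maps to the same fake SSN in every table and foreign keys keep resolving, while the key is generated fresh and discarded after the run so nothing can map fake values back to real ones; names become random letters and salaries are shuffled across rows, which keeps the column's distribution without tying a figure to a person. The table names, columns and check functions are assumptions of the example.

```python
"""Deterministic, irreversible masking that keeps foreign keys aligned
(added example, not Oracle Data Masking code)."""
import hashlib
import hmac
import random
import re
import sqlite3
import string

SCHEMA = """
CREATE TABLE employees (
    emp_id INTEGER PRIMARY KEY, last_name TEXT NOT NULL,
    ssn TEXT NOT NULL UNIQUE, salary INTEGER NOT NULL);
CREATE TABLE tax_records (
    rec_id INTEGER PRIMARY KEY, ssn TEXT NOT NULL, year INTEGER NOT NULL, withheld INTEGER NOT NULL,
    -- deferred: both tables are rewritten in one transaction, the FK is checked at COMMIT
    FOREIGN KEY (ssn) REFERENCES employees (ssn) DEFERRABLE INITIALLY DEFERRED);
"""
# Constructed sample rows (first two employees match the slide's production table).
EMPLOYEES = [(1, "AGUILAR", "203-33-3234", 40000),
             (2, "BENSON", "323-22-2943", 60000),
             (3, "CHEN", "412-55-9876", 52000)]
TAX_RECORDS = [(1, "203-33-3234", 2009, 8000),
               (2, "323-22-2943", 2009, 13000),
               (3, "203-33-3234", 2010, 8200)]


def build_production_copy():
    """In-memory database playing the role of the cloned production schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO employees VALUES (?, ?, ?, ?)", EMPLOYEES)
    conn.executemany("INSERT INTO tax_records VALUES (?, ?, ?, ?)", TAX_RECORDS)
    conn.commit()
    return conn


def make_ssn_masker(secret):
    """f(real_ssn) -> fake_ssn: consistent within one run, not reversible without the secret."""
    def mask(ssn):
        digest = hmac.new(secret, ssn.encode(), hashlib.sha256).digest()
        digits = "".join(str(b % 10) for b in digest[:9])   # keep the NNN-NN-NNNN format
        return f"{digits[:3]}-{digits[3:5]}-{digits[5:]}"
    return mask


def mask_for_nonprod(conn, seed=None):
    """Rewrite the copy in place; returns the number of employee rows masked.

    seed=None draws the masking key from OS entropy. A fixed seed makes the run
    reproducible (the tests use one) and therefore reversible by anyone who knows
    it, so never pass one on a real non-production refresh."""
    rng = random.Random(seed)
    secret = bytes(rng.getrandbits(8) for _ in range(32))
    mask_ssn = make_ssn_masker(secret)
    cur = conn.cursor()
    people = cur.execute("SELECT emp_id, last_name, ssn, salary FROM employees").fetchall()
    ssn_map = {ssn: mask_ssn(ssn) for _, _, ssn, _ in people}
    salaries = [row[3] for row in people]
    rng.shuffle(salaries)                       # same values, detached from the people
    for (emp_id, name, ssn, _), new_salary in zip(people, salaries):
        fake_name = "".join(rng.choice(string.ascii_uppercase) for _ in name)
        cur.execute("UPDATE employees SET last_name = ?, ssn = ?, salary = ? WHERE emp_id = ?",
                    (fake_name, ssn_map[ssn], new_salary, emp_id))
    # child table gets the same mapping; keyed by rec_id so no row is rewritten twice
    for rec_id, ssn in cur.execute("SELECT rec_id, ssn FROM tax_records").fetchall():
        cur.execute("UPDATE tax_records SET ssn = ? WHERE rec_id = ?", (ssn_map[ssn], rec_id))
    conn.commit()            # deferred FK check: IntegrityError if the mapping diverged
    del secret, ssn_map      # the only link back to production data is discarded
    return len(people)


def withheld_per_employee(conn):
    """Sorted per-employee totals of withheld tax; identical before and after masking
    if and only if the join between the two tables survived."""
    rows = conn.execute("SELECT COALESCE(SUM(t.withheld), 0) FROM employees e "
                        "LEFT JOIN tax_records t ON t.ssn = e.ssn GROUP BY e.emp_id").fetchall()
    return sorted(total for (total,) in rows)


def verify_masked(conn, production_ssns):
    """Release gate before the copy is handed to developers and testers."""
    orphans = conn.execute("SELECT COUNT(*) FROM tax_records t LEFT JOIN employees e "
                           "ON e.ssn = t.ssn WHERE e.ssn IS NULL").fetchone()[0]
    current = [ssn for (ssn,) in conn.execute("SELECT ssn FROM employees")]
    leaked = sum(1 for ssn in current if ssn in production_ssns)
    well_formed = all(re.fullmatch(r"\d{3}-\d{2}-\d{4}", ssn) for ssn in current)
    return {"orphans": orphans, "leaked": leaked, "well_formed": well_formed}
```

The deferred foreign key is doing real work here: if the child table were masked with a different key than the parent, `conn.commit()` would fail and the half-masked copy would never be released. The release gate then checks the three things a reviewer cares about: no orphaned rows, no production SSN surviving, and values that still look like SSNs so format-dependent application code keeps working.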
Oracle Database Defense in Depth: Solution Summary
- Oracle Advanced Security
- Oracle Identity Management
- Oracle Database Vault
- Oracle Label Security
- Oracle Audit Vault
- Oracle Total Recall
- Oracle Database Firewall
- Oracle Configuration Management
- Oracle Data Masking
Comprehensive, transparent, easy to deploy, proven
Next Steps
- Protect sensitive data and database infrastructure as soon as possible
- Database Clouds enable better security at lower cost and complexity
- Start evolving your existing IT infrastructure into a Private Cloud
- Secured Oracle Exadata servers provide the secure database cloud building block you need
- Securing your databases will let you outsource to, or otherwise take advantage of, Public Clouds with less risk
For More Information
- oracle.com/database/security
- search.oracle.com: "database security"