Analysis of Security and Compliance using Sun UltraSPARC T-Series Servers Ramesh Nagappan, Principal Security Engineer Chad Prucha, Principal Solutions Manager

<Insert Picture Here>

Agenda

•  Oracle Security and Compliance Portfolio –  Technologies Overview

•  Security using Oracle T-Series Servers –  Enabling On-chip Cryptographic Acceleration –  Role of Solaris Crypto Framework –  Applied scenarios in Oracle Database and Middleware –  Role of Sun Crypto Accelerator 6000

•  Performance Characteristics •  Achieving Compliance Goals –  HIPPA, PCI-DSS….

•  Summary

The Perfect Storm: IT Insecurity Security has taken unprecedented importance ….everywhere!

 Security is one of today’s most critical IT business challenges. o  Cyber threats, attacks and associated data exposures are the fastest

growing crimes ! o  Greater business impacts due to increasing threats and exploits.

 Regulatory statutes enforce organizations act proactively to secure information lifecycle. o  PCI DSS, SOX, HIPAA, FISMA, EU Data Protection and more. o  Mandates organizations to enforce data confidentiality, integrity and

compliance in critical business processes and Web applications.

 Stronger demand for high-performance security in applications, data, communications and networks.

  Encryption is becoming crucial to IT Security   Deliver predictable scalability, end-to-end latencies and response

times including security, virtualization and QoS characteristics.

IT Security: Pre-judicial Barriers  Security is often considered as an afterthought or a retrofit

solution. o  Many of them late to realize…..“NO ROLLBACK” for a security breach. o  After a breach…all post-mortem reactive measures hardly recover any damage. o  Ignorance and blind assumptions often leads to underestimating security risks.

 Security options are commonly ignored as “Performance Overheads”. o  Performance benchmarks usually do not include real-world application characteristics o  Cryptographic operations, access control & authentication schemes, non-deterministic

payloads, content-encoding schemes burdens CPU & Network. •  2X+ slowdowns are widely common after going secure ! •  Crypto overheads vary by content/usage scenario – tuning don’t make sense!

o  Lack of understanding to security technologies  Growing IT costs and complexity to identify and defend

applications against known risks and vulnerabilities. o  Higher costs hindering adoption of security technologies

Security & Compliance Who is behind the scene

Security & Compliance Infrastructure Security Components of a Oracle SPARC Enterprise T-Series Server

Exploring Security

Role and Relevance of Cryptography Adopting Cryptography for IT Security

 Cryptography plays a vital role in IT Security. o  Securing the Network, Applications,

Communications and Data •  Confidentiality and Integrity of data and

communication •  Non-repudiation of transactions •  Access control and Availability

o  Data privacy and regulatory compliance

 Cryptographic algorithms and operations contributes to all levels of application security. o  Network-layer Security o  Transport-level Security o  Message-level security o  Application-layer security

Adopting Cryptography: Pain Points

 Cryptographic functions tends to be computationally-intensive and requires lot of CPU and Network bandwidth. o  Applications slowdown while performing cryptographic operations

 How to avoid performance degradation using cryptographic accelerators or Hardware Security Modules (HSM). o  Eliminate performance overheads associated with cryptographic functions.

 How to enable applications to incorporate cryptographic functions for application-level security.

  May use non-invasive mechanisms (ex. using PKCS11) … or go intrusive with tight integration of proprietary frameworks.

 Understanding the usage of relevant cryptographic algorithms and its application scenarios. o  There is no silver bullet – It is critical to know the applied scenario and how the crypto

mechanism is being used.

Common challenges and stumbling issues

Applied Cryptography

 SSL o  De-facto standard for securing HTTP in Web applications and Browser based VPNs o  Based on public-key algorithms

  IPSec o  Widely used in enabling Site-to-Site/Host-to-Host VPN o  Based on symmetric-key encryption and message digest algorithms

 SSH   Remote authentication to hosts using a secure channel using public-key encrption.

 WS-Security   OASIS Standard for securing XML Web Services and SOA applications   XML Encryption and Signature use Public-key Cryptography

 PKI based Applications. o  Identity Management and Assurance, Telco (3G/4G/WiMAX), Digital signature based

DRM, Smartcards and Biometrics

Common security applications using Crypto mechanisms

Security vs. Performance Understanding the overheads with Cryptography – SOA Scenario

SSL using RSA-2048 and WS-SecurityPolicy using Basic128Sha256Rsa15 (Algorithm suite).

Significant performance slowdown occurs after using SSL and WS-Security.

Anatomy of SSL Ciphers vs. Execution times

“Significant time” spent on cryptographic functions with specified ciphers.

Effect of Cryptographic Acceleration Understanding the performance gains for an SSL scenario

Significant performance GAINS can be achieved only using Hardware SSL accelerator.

Cryptographic Acceleration Using Oracle SPARC Enterprise T-Series Servers

On-chip Crypto Accelerators: Evolution

 UltraSPARC T1 – 8 Crypto Accelerators o  8 Cores with One accelerator per core o  Introduced industry-first on-chip cryptographic accelerators o  Cryptographic accelerators run in parallel with clock-speed o  Introduced “Public-key Encryption” algorithms (ex. RSA)

 UltraSPARC T2/T2+ – 8 Crypto Accelerators o  8 Cores with One accelerator per core o  Introduced support for Bulk-encryption (AES,3DES/DES, RC4)

and Message digests (MD5, SHA-1, SHA-2) o  Introduced support for Elliptic-curve Cryptography (ECC)

 UltraSPARC T3 – 16 Crypto Accelerators o  16 cores with One accelerator per core o  Additional algorithms for Message digests (SHA-512) o  Introduced support for Kasumi algorithm.

The UltraSPARC T-Series Processor Family

16

Cryptographic Capabilities and Algorithms T3 Processor

On-Chip Crypto Accelerators

 Crypto Accelerators operate in parallel with CPU speed delivering encryption and decryption

  Accelerators are shared by all the core’s strands  T1/T2/T2+/T3 provide light-weight accelerator drivers for

Solaris o  /dev/ncp0

o  Handles Public-key Encryption Algorithms o  /dev/n2cp0

o  Handles Bulk Encryption and Hash algorithms

o  /dev/n2rng0 o  Handles Random Number Generation

o  Communicates via Memory-based Word Queue o  Stateless communication, just fire and forget. o  Consumer is informed when the operation is complete

 Access to accelerators are controlled using Solaris Cryptographic Framework and Kernel Modules o  Using PKCS#11 standard interfaces and Solaris Kernel modules

System Characteristics

On-chip vs Off-chip Accelerators Comparison with Commercial Accelerators

19

SPARC T-Series – Onchip Crypto Comparison with Commercial Accelerators/HSMs

SPARC Enterprise T3-1

+ = 6 Crypto Unit Up to Six Virtual

Machines with Full Crypto Capability

Six card slots filled (maximum)

= 16 Crypto Units

Up to 16 Virtual Machines with Full

Crypto

All card slots available 2x Capacity

Accessing On-chip Crypto Accelerators Operational Characteristics

 Access to accelerators are managed using Solaris Cryptographic Framework (SCF). o  SCF acts as an intermediary gateway

between applications and cryptographic providers.

o  Applications use Sun PKCS#11 Provider to access accelerator

o  Java Sun-PKCS#11 o  OpenSSL PKCS#11 Engine o  NSS/JSS APIs using PKCS11

 Solaris Kernel Modules can directly access accelerators. o  Kernel SSL (KSSL) o  IPSec

Sun Cryptographic Accelerator 6000 – PCIe Card

 A full-fledged Hardware Security Module (HSM) o  Secure Key Storage (Escrow and Recovery) o  High-performance cryptographic accelerator o  FIPS-140-3 Compliant o  Supports Solaris SPARC/X64 and Linux

 NIST approved cryptographic algorithms

  RSA, DSA, DH, ECC   AES, DES, 3DES   MD5, SHA-1, SHA-512

  Intended for Financial and Government applications where Secure Key Storage is critical. o  Oracle Advanced Security, Financials, etc. o  PIN and Card Verification Functions

SCA 6000 – Usage Scenarios

 Tested and Certified for use in FIPS and NON-FIPS modes o  Oracle Database Advanced Security Scenarios

o  TDE Master Key Management o  TDE Network Encryption and Acceleration

o  Oracle Fusion Middleware (SOA and XML Web Services Security) o  Oracle Web Services Manager (SSL and WS-Security scenarios) o  Oracle WebLogic (SSL and WS-Security scenarios)

Enabling Cryptographic Acceleration

Applied Techniques and Usage Scenarios

Solaris Cryptographic Framework  Common framework for

performing /consuming / integrating cryptographic providers. o  Hardware or Software. o  Kernel or Userland. o  Extensible in order to permit custom functions o  Facilitates PKCS#11 for consumer and

providers

 By default, supports major NIST approved algorithms o  Encryption: AES, Blowfish, RC4, DES, 3DES,

RSA. o  Digests: MD5, SHA-1, SHA-256, SHA-384,

SHA-512. o  MAC: DES MAC, MD5 HMAC, SHA1 HMAC,

SHA-256 HMAC, SHA-384 HMAC, SHA-512 HMAC

o  Optimized for SPARC, Intel and AMD

Solaris KSSL  Facilitates an SSL Proxy service for applications and performs

SSL operations right in the Solaris Kernel. o  Integrates Solaris Cryptographic Framework and its supporting ciphers.

 Makes use of underlying Hardware based Cryptographic accelerators and Hardware Security Modules (HSM). o  Automatically makes use of cryptographic accelerators for SSL operations, no additional

configuration. o  Use PKCS#11 for supporting HSMs for private key storage.

  Non-intrusive SSL configuration, independent of relying applications. o  Managed via Solaris Service Management Facility (SMF)

 Can act as SSL proxy for Non-SSL aware applications that does not provide PKCS#11 support.

 Delivers 25% - 35% faster SSL performance.

26

Using KSSL for Transport-layer Security Applied Scenario

27

End-to-End Transaction Security Applied Use Cases

HTTP Oracle Fusion

Middleware Web Server

HTTP

SSL SSL

HTTP

SOAP

HTTP

SSL / WS-Security

SSL

Oracle Database

SQLNET

SSL

Oracle Database

Server

Archive

Encrypt/ Decrypt

SSL / WS-Security

•  SPARC T3 accelerates Oracle WebLogic SSL and Web Services Manager 11g (OWSM).

•  SSL, WS-Security scenarios •  SPARC T3 accelerates Oracle Transparent Data Encryption

(TDE) operations

Performance Studies

80%

CPU

70%

MEM

50%

CPU

25%

MEM

T3 Crypto Assist Enabled Without T3 Crypto Assist

29

Secure Performance With and Without Acceleration

^134h>96can#A*IC! Ajladsf0^HLh3f*&lJ *NHSD6%lk)+>kjh!1

3.5x Faster

4704 1234 5678 1594

80%

CPU

70%

MEM

40%

CPU

25%

MEM

T3 Crypto Assist Enabled Without T3 Crypto Assist

30

Secure Performance With and Without Acceleration

^134h>96can#A*IC! Ajladsf0^HLh3f*&lJ *NHSD6%lk)+>kjh!1

3.5x Faster

4704 1234 5678 1594

4704 1234 5678 1594

31

SPARC Enterprise T-Series Only Enterprise Server with Built-in Crypto

SPARC Enterprise T3-1

+ = 6 Crypto Unit Up to Six Virtual

Machines with Full Crypto Capability

Six card slots filled (maximum)

= 16 Crypto Units

Up to 16 Virtual Machines with Full

Crypto

All card slots available 2x Capacity

Effect of Accelerated SSL vs No SSL Weblogic SSL Performance on T3 : Using KSSL vs. JCE vs. No SSL

Oracle TDE performance using T3

•  T3 crypto speeds up query execution by 3-5x !!

Achieving Compliance

35

HIPAA-HITECH Compliance Scenario Rules of Thumb: Encrypt PHI – in transit, in situ

SSL

HTTP Oracle Fusion

Middleware

WebLogic 11g Web Services Manager 11g

Web Server HTTP

SSL SSL

HTTP

SOAP

HTTP

SSL

SSL

Oracle Database

SQLNET

SSL

Oracle Database

Server

Archive

-50% -50% -30%

36

HIPAA-HITECH Options Rules of Thumb: Mitigation Strategies

SSL

HTTP Oracle Fusion

Middleware

WebLogic 11g Web Services Manager 11g

Web Server HTTP

SSL SSL

HTTP

SOAP

HTTP

SSL

SSL

Oracle Database

SQLNET

SSL

Oracle Database

Server

Archive

-50% -50% -30%

NLB

– S

SL A

ccel

erat

or

NLB

– S

SL A

ccel

erat

or

NLB

– S

SL A

ccel

erat

or

 Add 6 RUs  Add 50% Cooling  Add 30% Power  Add 30% Admin

Aftermarket Card

Afte

rmar

ket C

ard

37

PCI-DSS Compliance Scenario Rules of Thumb: Especially in situ, Even Warehoused Data

SSL

HTTP Oracle Fusion

Middleware

WebLogic 11g Web Services Manager 11g

Web Server HTTP

SSL SSL

HTTP

SOAP

HTTP

SSL

SSL

Oracle Database

SQLNET

SSL

Oracle Database

Server

Archive

-50% -50% -40%

38

PCI-DSS Options Rules of Thumb: Mitigation Strategies

SSL

HTTP Oracle Fusion

Middleware

WebLogic 11g Web Services Manager 11g

Web Server HTTP

SSL SSL

HTTP

SOAP

HTTP

SSL

SSL

Oracle Database

SQLNET

SSL

Oracle Database

Server

Archive

-50% -50% -30%

NLB

– S

SL A

ccel

erat

or

NLB

– S

SL A

ccel

erat

or

NLB

– S

SL A

ccel

erat

or

 Add 12 RUs  Add 50% Cooling  Add 50% Power  Add 30% Admin A

fterm

arke

t Car

d

Aftermarket Card

Summary

40

The cost of security Better TCO with T3 crypto

Twice server capacity = half the footprint

Crypto overhead reduced to 10% from 30%

CPU Latency reduced by 20X

No add-ons and introduction of complexity

Simple to administrate Faster to deploy

} Lower TCO

<Insert Picture Here>

Program Agenda Example

•  Our understanding of XYZ •  Capabilities and value drivers •  Benefits and assessments •  Oracle solutions •  Oracle credentials •  Appendix

Q & A

Chad Prucha, albert.prucha@oracle.com Ramesh Nagappan, ramesh.nagappan@oracle.com