TRANSCRIPT
Copyright © 2016, Oracle and/or its affiliates. All rights reserved. |
Secure Cloud Infrastructure: Enterprise Grade for the Modern Cloud
Giuseppe Russo, Chief Technologist, Oracle Cloud Infrastructure
Cloud Impacts Every Industry and Every Geography
Different Clouds, Different Purposes
PUBLIC
• Line of business decides
• Pure OpEx model
• No need to own data centers
• Rich data services, global distribution and greater elasticity
PRIVATE
• IT control
• CapEx or OpEx model
• Cost-effective when fully utilized
• Easier data sovereignty, governance and compliance
Businesses Need Both, So Public and Private Clouds Will Need to Work Together
Cloud Adoption Raised the Security Bar
MORE THREATS: attack vectors growing in number, complexity and sophistication; commercial hacking is big business
MORE REGULATIONS: broader and deeper legislation; increased demands to prove compliance
HIGHER SECURITY DILIGENCE: the "due diligence" high-water mark continues to rise; lack of diligence risks brand and financial assets
Typical Attack Vectors, Mainly On Premises
• Social Engineering
• Command & Control
• Brute Force Hacking
• Malware
• SQL Injection Attack
• Stolen Credentials
Anatomy of an Attack – Starts with Phishing
• Attacker launches a phishing attack (or an XSS or SQL injection attack)
• Victim downloads malware, which calls back to the attacker's command server
Anatomy of an Attack – Establishes a Foothold
• Establish multiple backdoors
• Dump passwords from the domain controller
• Gather data
Anatomy of an Attack – Exfiltrates Data, Covers Tracks
• Exfiltrate data via a staging server, anywhere in the world
New Threats Against Cloud Infrastructure: Attacks Will Follow Your Data
• Side-channel attacks
• Cloud resource ransom
• Cloud weaponization
• Attacks against cloud administrators
• Man in the Cloud (MitC) attacks
• DDoS against cloud services
• Disclosing secrets on public sites
• Pivot-back attacks
• Modifying cloud data
I.T. Security Professionals Are in a Really Tough Spot
How to manage:
• My security needs in this new scenario
• On-premises security aligned with cloud security
• My compliance needs with a combination of on-premises and public cloud security
Comprehensive Cyber Security is Designed In
Oracle Security is not a "bolt on" thing
• Security Applied to Optimized Solutions
• Designed into Each Layer
• Co-Engineered Across the Layers
Security Innovation, Defense-in-Depth, Secure Implementation
Oracle Has the Industry's Broadest Security Portfolio
Comprehensive Security Engineered Together from Data Center to Cloud
• Applications: Governance, Risk and Compliance; Access and Certification Review; Anomaly Detection; User Provisioning; Entitlements Management
• Platform – Middleware: Mobile Security, Privileged Users, Directory Services, Identity Governance, Entitlements Management, Access Management
• Platform – Database: Encryption, Enterprise Key Management, Database Firewall, Masking, Redaction, Privileged User Control, Auditing, Secure Configuration
• Infrastructure – Operating Systems and Virtual Machine: Application + User Sandboxing, Delegated Administration, Anti-Malware System, Data + Network Protection, Zero-Downtime Patching, Compliance Reporting, Secured Application Lifecycle, Secure Live Migration, Immutable Zones, Independent Control Plane
• Infrastructure – Servers, Storage and Networking: Cryptographic Acceleration, Application Data Integrity, Verified Boot, Disk Encryption, Secured Backup, Storage Key Management
Implementing an On-Premises to Cloud Security Strategy
• UNIVERSALLY ENCRYPT
• REDUCE SURFACE AREA
• HARDEN AND PROTECT
SPARC M7 features shown: Application Data Integrity, Pointer Masking, Lightweight IPC, Encryption Acceleration – prevent buffer overruns, secure application data
Security in Silicon is More Efficient than Security in Software
Enterprise-wide encryption and unique protection of data in memory
• Silicon Secured Memory
• Near-zero-overhead cryptographic acceleration: 32 cores and 32 cryptographic accelerators per chip
• Protection from attacks against data in memory, on media or transmitted over the network with virtually no performance impact
SPARC Delivers Transformational Security and Reliability
Age Old Problems of Buffer Overflow and Memory Corruption Now Solved
• Other processors: a pointer reaches memory with no protection from stale-pointer and off-the-end access, buffer over-read or buffer over-write
• SPARC processor: hardware compares the pointer "key" with the memory "lock" on every access
In-Memory Databases REDUCE SECURITY unless Memory Protection is Enforced by CPU
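The pointer-key versus memory-lock comparison on the SPARC slide, as a software model added for this page. This is not Oracle's code and not the Solaris libadimalloc API; it assumes what SPARC M7 ADI does (a 4-bit version in virtual-address bits 63:60, one lock per 64-byte cache line, a trap on mismatch) and implements that compare in adi_check() so the outcome is a return code rather than a hardware fault. The names adi_alloc, adi_free, adi_load, adi_store and adi_demo, the bump allocator and the version policy are all this example's own choices.

```c
#include <stdint.h>
#include <stdio.h>

/* Software model of SPARC M7 Silicon Secured Memory (ADI): a 4-bit version in
 * virtual-address bits 63:60 is the pointer "key", each 64-byte line carries a
 * 4-bit "lock", and the CPU compares them on every load/store, trapping on
 * mismatch. Here adi_check() does the compare and a mismatch is a return code
 * instead of a SIGSEGV. Names, allocator and version policy are assumptions of
 * this example, not Oracle's libadimalloc. */
#define ADI_LINE       64u
#define ADI_TAG_SHIFT  60
#define ADI_ADDR_MASK  ((UINT64_C(1) << ADI_TAG_SHIFT) - 1)
#define ARENA_LINES    16u                     /* small tagged heap for the demo */
typedef uint64_t adi_ptr;                      /* key in bits 63:60, address below */
static _Alignas(64) unsigned char arena[ARENA_LINES * ADI_LINE];
static unsigned char line_lock[ARENA_LINES];   /* the per-line "lock" */
static size_t   next_line;                     /* bump-allocator cursor */
static unsigned next_version = 1;              /* versions 0 and 15 never handed out */

static int line_index(uint64_t addr)           /* -1 if outside the tagged arena */
{
    uint64_t base = (uint64_t)(uintptr_t)arena;
    if (addr < base || addr >= base + ARENA_LINES * ADI_LINE) return -1;
    return (int)((addr - base) / ADI_LINE);
}
static unsigned fresh_version(unsigned avoid)  /* cycle 1..14, never == avoid */
{
    unsigned v;
    do { v = next_version; next_version = next_version % 14 + 1; } while (v == avoid);
    return v;
}
/* Allocate n bytes rounded up to whole lines, colour those lines with a new
 * version and return a pointer whose key matches it. Returns 0 when full. */
adi_ptr adi_alloc(size_t n)
{
    size_t lines = (n + ADI_LINE - 1) / ADI_LINE;
    if (lines == 0 || next_line + lines > ARENA_LINES) return 0;
    unsigned v = fresh_version(0);
    for (size_t i = 0; i < lines; i++) line_lock[next_line + i] = (unsigned char)v;
    uint64_t addr = (uint64_t)(uintptr_t)(arena + next_line * ADI_LINE);
    next_line += lines;
    return ((uint64_t)v << ADI_TAG_SHIFT) | addr;
}
/* Free: re-lock the block's lines with a different version so a stale copy of
 * the old pointer no longer matches (use-after-free detection). */
void adi_free(adi_ptr p, size_t n)
{
    int first = line_index(p & ADI_ADDR_MASK);
    size_t lines = (n + ADI_LINE - 1) / ADI_LINE;
    if (first < 0 || (size_t)first + lines > ARENA_LINES) return;
    unsigned v = fresh_version(line_lock[first]);
    for (size_t i = 0; i < lines; i++) line_lock[first + i] = (unsigned char)v;
}
/* The hardware check in software: 0 = key matches the lock of the byte being
 * touched, -1 = mismatch (ADI trap), -2 = address outside the arena. */
static int adi_check(adi_ptr p, size_t off)
{
    int li = line_index((p & ADI_ADDR_MASK) + off);
    if (li < 0) return -2;
    return line_lock[li] == (unsigned)(p >> ADI_TAG_SHIFT) ? 0 : -1;
}
int adi_load(adi_ptr p, size_t off, unsigned char *out)
{
    int rc = adi_check(p, off);
    if (rc == 0) *out = *(unsigned char *)(uintptr_t)((p & ADI_ADDR_MASK) + off);
    return rc;
}
int adi_store(adi_ptr p, size_t off, unsigned char val)
{
    int rc = adi_check(p, off);
    if (rc == 0) *(unsigned char *)(uintptr_t)((p & ADI_ADDR_MASK) + off) = val;
    return rc;
}
/* Bitmask of what the hardware would do: bit 0 in-bounds load allowed; bit 1
 * over-read into the neighbour trapped; bit 2 stale pointer after free trapped;
 * bit 3 an over-read that stays inside the block's last 64-byte line is NOT
 * trapped (ADI granularity is the line, not the byte). 15 = all as expected. */
int adi_demo(void)
{
    adi_ptr a = adi_alloc(64), b = adi_alloc(64), c = adi_alloc(10);
    unsigned char v = 0;
    int mask = 0;
    if (a == 0 || b == 0 || c == 0) return -1;
    adi_store(b, 0, 0x42);
    if (adi_load(a, 63, &v) == 0)  mask |= 1;
    if (adi_load(a, 64, &v) == -1) mask |= 2;      /* first byte of b */
    adi_free(a, 64);
    if (adi_load(a, 0, &v) == -1)  mask |= 4;
    if (adi_load(c, 10, &v) == 0)  mask |= 8;      /* bytes 10..63 share c's lock */
    return mask;
}
int main(void)
{
    printf("adi_demo outcome mask = %d (15 = all four as expected)\n", adi_demo());
    return 0;
}
```

Build with `cc -std=c11 adi_model.c` on any 64-bit host; no SPARC hardware is needed because the compare is done in software. Two practical points the slide's "now solved" wording leaves out are visible in the last two checks of adi_demo: the protection only exists for memory an ADI-aware allocator has tagged and padded to 64-byte lines, and an overrun that stays inside the object's last line is invisible to the hardware, so bounds errors of a few bytes in a small object still need other controls.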
High Performance Fully Encrypted Hybrid Data Center
Client → Web Tier → Middleware Tier → Database Tier → ZFS Storage → Archive
• SSL/TLS on every hop: HTTPS from the client, JMS between tiers, JDBC to the database
• Database tier: Transparent Data Encryption (TDE) with AES
• ZFS Storage and Archive: ZFS encryption and TLS, AES
• Keys held in a Key Manager
High Performance Security On-Premises or in the Cloud
Industry's fastest Oracle Transparent Data Encryption
SPARC M7 Security in Silicon
Knowing Whether Your Applications are Secure is Critical
Security & compliance verification framework automates regular audits
• Extensible automatic security audit framework
• Run reports at will: PCI-DSS, Solaris Baseline, Solaris Recommended
Easy, Flexible Integration With Your Existing Systems
• Site-to-Site VPN – IPsec tunnel from the customer network
• FastConnect – directly connect edge routers and establish a BGP peering session directly with Oracle
  – Customer must be co-located in the same datacenter as Oracle
Add powerful new capabilities without forcing change on your people and processes
Enabling a Secure Journey to Cloud
Moving Workloads Securely Between On-Premises and Public Cloud
• Complete Deployment Choice
• Same Standards
• Same Products
• Unified Management across On-Premises and Public Cloud
Not All Applications Can Run in the Public Cloud
Reasons Why Public Cloud Isn’t Always an Option
• Data sovereignty and compliance requirements
• Control of critical systems and applications
• Distance latency to back-end systems
ENTERPRISE CLOUD STRATEGY
• Engineered for Cloud – engineered systems, storage and infrastructure designed for enterprise applications
• Complete Public Cloud – integrated enterprise SaaS / PaaS / IaaS
• Public Cloud Model on Premises – Oracle Cloud delivered for data center use
Oracle's Unique Capabilities for Cloud Infrastructure
Bringing the Power of the Cloud Model to Your Data Center: complete deployment choice with public cloud benefits in your data center
On-Premises Data Center and Public Cloud
• PaaS: Caching, Database, Integration, Java EE, Java SE, Node, Messaging
• IaaS: Network, Storage, Compute
• Same Standards, Same Services, Unified Management
Oracle Cloud Machine
• Oracle Cloud operated and delivered as a service behind your firewall
• Same PaaS and IaaS software, same updates as Oracle Cloud
• Same cost-effective subscription pricing model as Oracle Cloud
• Conforms to regulatory, privacy, legal, and business requirements
Complete deployment choice: Oracle datacenters or the customer's datacenter
Oracle Cloud Machine Secure Operations
OCM Cloud Operations: Roles and Responsibilities
• Installation and Configuration
• Cloud Operations and Support
• Cloud Administration
Parties: Oracle Cloud Operations, Customer, Oracle Technical Account Manager
Oracle Advanced Support Platform for Cloud Machine: Defense in Depth with Multiple Layers of Security Mechanisms
Customer data center: Oracle Cloud Machine behind the customer firewall, with the Oracle Advanced Support Gateway and portal
Oracle back-end: Oracle Continuous Connection Network behind Oracle's firewall, Oracle Advanced Support Portal, ITIL procedures, analysis and reporting, configuration management database (CMDB)
• SSL/TLS VPN tunnel / HTTPS between the gateway and the Oracle back-end
• Remote access for management and patching of systems and gateway
• Outbound connection for fault telemetry, configuration information and diagnostics
• Two-factor authentication
Oracle Defense-in-Depth for Cloud Solutions
Oracle helps you on a safe path from on-premises to cloud
• Information Protection
• Access Control
• Compliance Reporting
• Secure Operations