Copyright © 2016, Oracle and/or its affiliates. All rights reserved. | Secure Cloud Infrastructure: Enterprise Grade for the Modern Cloud Giuseppe Russo Chief Technologist Oracle Cloud Infrastructure


Post on 07-Jun-2020


TRANSCRIPT

Page 1: Secure Cloud Infrastructure: Enterprise Grade for …...ENTERPRISE CLOUD STRATEGY Engineered for Cloud Engineered systems, storage and infrastructure designed for Enterprise Applications


Secure Cloud Infrastructure: Enterprise Grade for the Modern Cloud

Giuseppe Russo Chief Technologist Oracle Cloud Infrastructure

Page 2

Cloud Impacts Every Industry and Every Geography


Page 3

Different Clouds, Different Purposes

PUBLIC

• Line of business decides
• Pure OpEx model
• No need to own data centers
• Rich data services, global distribution and greater elasticity

PRIVATE

• IT control
• CapEx or OpEx model
• Cost-effective when fully utilized
• Easier data sovereignty, governance and compliance

Businesses Need Both So Public and Private Clouds Will Need to Work Together

Page 4

Cloud adoption raised the Security bar

MORE THREATS Attack Vectors Growing in Number, Complexity and Sophistication Commercial Hacking is Big Business

MORE REGULATIONS Broader and Deeper Legislation Increased Demands to Prove Compliance

HIGHER SECURITY DILIGENCE

‘Due Diligence’ High Water Mark Continues to Rise Lack of Diligence Risks Brand and Financial Assets

Page 5

Social Engineering

Command & Control

Brute Force Hacking

Malware

SQL Injection Attack

Stolen Credentials

Typical Attack Vectors, mainly on premise


Page 6

COMMAND SERVER

ATTACKER

DOWNLOADED MALWARE

PHISHING ATTACK

XSS OR SQL INJECTION ATTACK

Anatomy of an Attack – Starts with Phishing

Page 7

ESTABLISH MULTIPLE BACKDOORS

DUMPING PASSWORDS DOMAIN CONTROLLER

GATHERING DATA

Anatomy of an Attack – Establishes a Foothold

Page 8

EXFILTRATE DATA VIA STAGING SERVER

ANYWHERE IN THE WORLD

Anatomy of an Attack – Exfiltrates Data, Covers Tracks

Page 9

• Side-channel attacks

• Cloud Resource ransom

• Cloud weaponization

• Attacks vs cloud administrators

• Man in the Cloud (MitC) attacks

• DDoS Cloud Services

• Disclosing secrets on public sites

• Pivot back attacks

• Modifying Cloud data

New threats against cloud Infrastructure Attacks will follow your data

Page 10

I.T. Security Professionals Are in a Really Tough Spot

How to manage:

• My Security needs in this new scenario

• On Premise Security aligned with Cloud Security

• My compliance needs with a combination of On Premise and Public Cloud security


Page 11

Comprehensive Cyber Security is Designed In Oracle Security is not a “bolt on” thing

Security Applied to Optimized Solutions

Designed into Each Layer

Co-Engineered Across the Layers

Security Innovation Defense-in-Depth Secure Implementation

Page 12

Applications Applications Governance Risk and Compliance, Access and Certification Review, Anomaly Detection, User Provisioning, Entitlements Management

Platform

Mobile Security, Privileged Users, Directory Services, Identity Governance, Entitlements Management, Access Management Middleware

Database Encryption, Enterprise Key Management, Database Firewall, Masking, Redaction, Privileged User Control, Auditing, Secure Configuration

Infrastructure

Operating Systems and Virtual Machine

Servers, Storage and Networking

Application + User Sandboxing, Delegated Administration, Anti-Malware System, Data + Network Protection, Zero-Downtime Patching, Compliance Reporting, Secured Application Lifecycle, Secure Live Migration, Immutable Zones, Independent Control Plane

Cryptographic Acceleration, Application Data Integrity, Verified Boot, Disk Encryption, Secured Backup, Storage Key Management

Oracle Has the Industry’s Broadest Security Portfolio Comprehensive Security Engineered Together from Data Center to Cloud

Page 13

UNIVERSALLY ENCRYPT REDUCE SURFACE AREA

Implementing an On Premise to Cloud Security Strategy

HARDEN AND PROTECT


SPARC M7

APPLICATION DATA INTEGRITY

Pointer Masking

Lightweight IPC ENCRYPTION ACCELERATION

PREVENT BUFFER OVERRUNS, SECURE APPLICATION DATA

Page 14

Security in Silicon is More Efficient than Security in Software Enterprise-wide encryption and unique protection of data in memory

Silicon Secured Memory

Near-zero-overhead

Cryptographic Acceleration

• Protection from attacks against data in memory, on media or transmitted over the network with virtually no performance impact

32 Cores and 32 Cryptographic Accelerators per Chip

Page 15

SPARC Delivers Transformational Security and Reliability Age Old Problems of Buffer Overflow and Memory Corruption Now Solved

Other Processors (Pointer, Memory): No protection from stale pointer and off end access, buffer over-read, buffer over-write

SPARC Processor (Pointer, Memory): H/W compares pointer “key” with memory “lock”

In-Memory Databases REDUCE SECURITY unless Memory Protection is Enforced by CPU

Page 16

High Performance Fully Encrypted Hybrid Data Center

Client Web Tier Middleware Tier

Database Tier

ZFS Storage

SSL TLS

SSL TLS

HTTPS JMS JDBC

SSL TLS

ZFS Encryption

TLS

AES

Archive

TDE

Key Manager

AES

AES

High Performance Security On-Premises or in the Cloud

Industry’s fastest Oracle Transparent Data Encryption

SPARC M7 Security in Silicon

Page 17

Knowing Whether Your Applications are Secure is Critical

Oracle Confidential – Internal

Security & compliance verification framework automates regular audits

• Extensible automatic security audit framework

• Run reports at will:

  • PCI-DSS

  • Solaris Baseline

  • Solaris Recommended

Page 18

Easy, Flexible Integration With Your Existing Systems

• Site-to-Site VPN – IPSec Tunnel

• FastConnect – Directly connect edge routers in

and establishing a BGP peering session directly with Oracle

– Customer must be co-located in the same datacenter as Oracle

Add powerful new capabilities without forcing change on your people and processes

Customer Network

Page 19

Enabling a Secure Journey to Cloud

Moving Workloads Securely Between On-Premises and Public Cloud

Complete Deployment Choice

Same Standards

Same Products

Unified Management ON-PREMISES PUBLIC CLOUD

Page 20

Not All Applications Can Run in the Public Cloud

Reasons Why Public Cloud Isn’t Always an Option

• Data sovereignty and compliance requirements

• Control of critical systems and applications

• Distance latency to back-end systems

Page 21

ENTERPRISE CLOUD STRATEGY

Engineered for Cloud: Engineered systems, storage and infrastructure designed for Enterprise Applications

Complete Public Cloud: Integrated enterprise SaaS / PaaS / IaaS

Public Cloud Model on Premises: Oracle Cloud delivered for data center use

Oracle’s Unique Capabilities for Cloud Infrastructure

Page 22

Bringing the Power of the Cloud Model to Your Data Center Complete deployment choice with public cloud benefits in your data center

On-Premises Data Center Public Cloud

Page 23

IaaS

PaaS

Caching Database Integration Java EE Java SE Node Messaging

Network Storage Compute

Same Standards Same Services

Unified Management

Oracle Cloud Machine

• Oracle Cloud operated and delivered as a service behind your firewall

• Same PaaS and IaaS software, same updates as Oracle Cloud

• Same cost-effective subscription pricing model as Oracle Cloud

• Conforms to regulatory, privacy, legal, and business requirements

Oracle Datacenters

Customer’s Datacenter

Complete deployment choice

Page 24

Oracle Cloud Machine Secure Operations

Page 25

Installation and Configuration

Cloud Operations and Support

Cloud Administration

Customer

OCM Cloud Operations: Roles and Responsibilities

Oracle Cloud Operations

Customer

Oracle Technical Account Manager

Page 26

Oracle Advanced Support Platform for Cloud Machine Defense in Depth with Multiple Layers of Security Mechanisms

Customer data center

Oracle Advanced Support Gateway and portal

SSL VPN tunnel / HTTPS

Oracle Advanced Support Portal

Oracle Cloud Machine

ITIL procedures, analysis, reporting

Configuration management database (CMDB)

Firewall Firewall

Oracle back-end Oracle Continuous Connection Network

Firewall

TLS VPN tunnel / HTTPS

Remote access for management and patching of systems and gateway

Outbound connection for fault telemetry, configuration information and diagnostics

Two Factor Authentication

Page 27

Oracle Defense-in-Depth for Cloud Solutions: Oracle helps you on a safe path from On Premise to Cloud

Information Protection

Access Control

Compliance Reporting

Secure Operations