1. Security in a Cloudy Architecture
Geri Born
Enterprise Solutions Group
2. The following is intended to outline our general
product direction. It is intended for information
purposes only, and may not be incorporated into any
contract. It is not a commitment to deliver any
material, code, or functionality, and should not be
relied upon in making purchasing decisions.
The development, release, and timing of any
features or functionality described for Oracle’s
products remain at the sole discretion of Oracle.
© 2010 Oracle Corporation 2
3. Agenda
• Introduction
• Security Challenges
• Identity and Access Management
• Database Security
• Conclusion
• Q&A
4. Enterprise Evolution to Cloud
[Diagram: a four-stage progression, Silo'd → Grid → Private Cloud → Hybrid. The private cloud evolution stacks Private IaaS, Private PaaS and the applications (App1, App2, App3); the public cloud evolution runs IaaS → PaaS → SaaS; the two meet in the Hybrid stage as a Virtual Private Cloud federated with public clouds.]
Silo'd
• Physical
• Dedicated
• Static
• Heterogeneous appliances
Grid
• Virtual
• Shared services
• Dynamic resource mgmt
• Standardized
Private Cloud
• Self-service
• Policy-based
• Chargeback
• Capacity planning
Hybrid
• Federation with public clouds
• Interoperability
• Cloud bursting
5. Key Barriers to Cloud Computing
74% rate cloud security issues as “very significant” (Source: IDC)
• Data privacy
• Compliance
• Access control
6. Cloud Security Challenges
Private Cloud
• IT agility
• B2B collab
• Access control complexity
• Privileged user access
Hybrid Cloud
• Interop
• User experience
• Workload portability
• SLA
Public Cloud
• Data breaches
• Multi-tenancy
• Data location
• Compliance
7. Cloud Architecture & Management
[Diagram: two layers.]
Cloud Management Layer
• Self Service Interface
• Chargeback & Capacity Planning (integrates with an external billing system)
• Self Service Provisioning
• Assembly Builder
• Software Library
• Policy Manager (SLA Mgmt, DRS, DPM)
• Monitoring, Provisioning, Config. Mgmt. (integrates with an external CMDB)
• Oracle Virtualization Plugin; External Cloud Plugin (e.g., Amazon)
Cloud Infrastructure Layer
• Zones (Zone A, Zone B) containing server pools: tightly coupled clusters (HA, Live Migration) backed by storage arrays, or a loose grouping of individual machines (no HA or Live Migration) with an optional storage array
8. Enterprise Architecture: Process for Securing the Cloud
[Diagram: a Transitional Architecture of point-to-point integrations between business systems (SFA, ERP, SCM, MES, LMS, Inventory Mgmt, B2B, databases across Dev/Test/Stage/Prod instances), each integration carrying its own "Security", labelled "Complexity"; it evolves into IT-as-a-Service: an Optimized IT Core of Service Groups A, B and C, each with an Application Grid and a Data Grid, joined by an Integration Layer and an Enterprise Security Layer.]
1 Align Business & IT
2 Governance Model
3 Focus on Future State
4 Repeatable, Iterative Approach
9. The Oracle-Sun Red Stack
[Diagram: the stack, with Virtualization spanning the Platform and Infrastructure layers and Oracle Enterprise Manager alongside.]
Applications
• Oracle Applications
• Third Party ISV Applications
Platform as a Service
• Cloud Management: Shared Services
• Integration: SOA Suite
• Process Mgmt: BPM Suite
• Security: Identity Mgmt
• User Interaction: WebCenter
• Application Grid: WebLogic Server, Coherence, Tuxedo, JRockit
• Database Grid: Oracle Database, RAC, ASM, Partitioning, IMDB Cache, Active Data Guard, Database Security
Infrastructure as a Service
• Operating Systems: Oracle Solaris, Oracle Enterprise Linux
• Virtualization: Oracle VM for SPARC (LDom), Solaris Containers, Oracle VM for x86
• Servers
• Storage
Oracle Enterprise Manager
• Configuration Mgmt
• Connect Policies to Controls
• Lifecycle Management
• Application Performance Management
• Application Quality Management
• Ops Center: Physical and Virtual Systems Management; Connect Policies to Controls
10. Agenda
11. Service-Oriented Security
Identity Services for the Cloud
[Diagram: Oracle Identity Management exposes Identity Administration, Role Management, Directory Services, Authentication, Authorization and Federation as Web Services consumed by Oracle Apps, 3rd Party/Custom Apps and Cloud Service Providers.]
• Enable IDM functionality as a framework (FW)
• Discrete, easily consumable services
• Rapid app security, improved IT agility
• Security woven into applications
12. Identity Management Challenges in the Private Cloud
Cloud model requires identity infrastructure that is:
• Service-oriented
• Standards-based
• Loosely coupled
Mind The Gap
13. Identity Management Considerations in the Public Cloud
[Diagram: three parties. The IAM Service Provider and the Business Service Provider each run Identity Assurance and Identity Admin; the Business Service Consumer relies on Identity Federation and Identity Assurance.]
• User lifecycle mgmt
• Federated authN
• Fraud prevention & risk mitigation
14. User Provisioning
Oracle Identity Manager
Components: Provisioning; Self Registration; Audit, Reporting, Attestation; Integration Framework with Adapter Factory
• Comprehensive lifecycle admin & mgmt
• Delegated admin & self-service reduce overhead
• Automated compliance reporting
15. Entitlements Management
Oracle Access Management Suite
[Diagram: Employees, Partners and Customers access Custom Apps, Portals/SharePoint and Web Services; the suite provides Fine-grained Authorization, Centralized Administration and Distributed Enforcement.]
• Externalization of authZ policy mgmt
• Distributed policy enforcement
• Fine-grained authorization (FGA)
16. Identity Federation
Federated Single Sign-On
[Diagram: Oracle Identity Federation links Employees/Partners/Customers and Business Affiliates/Subsidiaries to On-Premise Applications and Cloud Applications over SAML 1.x, SAML 2.0, Windows CardSpace, WS-Fed and OpenID.]
• SSO between on-premise & cloud apps
• Standards-based federation enables interop
• Rapid deployment
17. Identity Assurance
Risk-Based Access Control
Oracle Access Management Suite
[Diagram: Employees/Partners/Customers (and a Fraudster) reach Cloud Apps and On-Premise Apps through Secure Mutual Authentication and Risk-Based Authorization; Risk Scoring draws on Device, Geography, Time and Activity.]
• Out-of-band authN
• Identity proofing
• Real-time fraud prevention
18. Agenda
19. Multi-Tenant Data Management
Option 1: Shared (Virtualized) Hardware
Option 2: Shared Database
Option 3: Shared Schema
RISK
• Privileged database user
• Lost backups containing sensitive data or PII
• Application exploits & by-pass
• Regulatory infractions
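The shared-schema option above (Option 3) and its "application exploits & by-pass" risk, as an added Python/SQLite example that is not part of the original deck: one query applies a tenant filter only when the client supplies one, the other binds the tenant from the authenticated session on every read and write. The table, tenant names and the Session type are constructed for this example.

```python
import sqlite3
from dataclasses import dataclass

# Constructed shared-schema table (Option 3): all tenants' rows share one table
# and are told apart only by tenant_id. Names are made up for this example;
# customer ids deliberately collide across tenants.
SCHEMA = """
CREATE TABLE customers (tenant_id TEXT NOT NULL, id INTEGER NOT NULL, name TEXT,
                        PRIMARY KEY (tenant_id, id));
INSERT INTO customers VALUES ('acme', 1, 'Aguilar'), ('acme', 2, 'Benson'),
                             ('globex', 1, 'Chen');
"""


@dataclass(frozen=True)
class Session:
    """Authenticated context; tenant_id is set by the identity layer, never by the request."""
    user: str
    tenant_id: str


def setup() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def list_customers_weak(conn, requested_tenant):
    # Weak: the tenant filter exists only if the client supplies one. A request
    # that omits it reads every tenant's rows (the by-pass risk on the slide).
    if requested_tenant is None:
        return conn.execute("SELECT tenant_id, id, name FROM customers ORDER BY id").fetchall()
    return conn.execute(
        "SELECT tenant_id, id, name FROM customers WHERE tenant_id = ? ORDER BY id",
        (requested_tenant,)).fetchall()


def list_customers(conn, session: Session):
    # Hardened: the predicate is unconditional and bound to the authenticated
    # session's tenant, so no request parameter can widen the result set.
    return conn.execute(
        "SELECT tenant_id, id, name FROM customers WHERE tenant_id = ? ORDER BY id",
        (session.tenant_id,)).fetchall()


def rename_customer(conn, session: Session, customer_id: int, new_name: str) -> bool:
    # Writes carry the same tenant predicate. rowcount 0 means the id is not
    # this tenant's (or does not exist) and nothing was modified.
    cur = conn.execute(
        "UPDATE customers SET name = ? WHERE tenant_id = ? AND id = ?",
        (new_name, session.tenant_id, customer_id))
    return cur.rowcount == 1
```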
20. Database Security Defense-In-Depth
Encryption & Masking
• Advanced Security
• Secure Backup
• Data Masking
Access Control
• Database Vault
• Label Security
Monitoring
• Audit Vault
• Configuration Management
• Total Recall
User/Role Management
• Oracle Identity Management
21. Oracle Advanced Security
Comprehensive Standards-Based Encryption
[Diagram: data remains encrypted on Disk, in Backups, in Exports and at Off-Site Facilities.]
• Data stays encrypted when backed up
• Encryption for data in transit
• Strong authN of users & servers
22. Oracle Data Masking
Irreversible De-Identification
Production:
LAST_NAME   SSN          SALARY
AGUILAR     203-33-3234  40,000
BENSON      323-22-2943  60,000
Non-Production:
LAST_NAME   SSN          SALARY
ANSKEKSL    111-23-1111  60,000
BKJHHEIEDK  222-34-1345  40,000
• Remove sensitive data from non-prod DBs
• Referential integrity preserved
• Sensitive data never leaves the database
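The consistent, irreversible masking this slide describes, as an added Python example (not Oracle Data Masking's own code): a keyed hash rewrites names and SSNs deterministically, so a second table that references employees by SSN still joins, while salaries are rotated between rows. The key, the rows and the PAYROLL table are constructed for this example.

```python
import hashlib
import hmac
import string

# Constructed key: in practice it lives only inside the masking job and is
# discarded afterwards, so the originals cannot be recovered from the output.
MASK_KEY = b"constructed-masking-key-placeholder"

# Constructed production rows in the shape of the slide's table, plus a second
# table that references employees by SSN (the referential integrity to keep).
EMPLOYEES = [
    {"LAST_NAME": "AGUILAR", "SSN": "203-33-3234", "SALARY": 40000},
    {"LAST_NAME": "BENSON", "SSN": "323-22-2943", "SALARY": 60000},
]
PAYROLL = [
    {"SSN": "203-33-3234", "PERIOD": "2010-01"},
    {"SSN": "323-22-2943", "PERIOD": "2010-01"},
]

def _digest(value: str, key: bytes) -> bytes:
    # Keyed hash: identical inputs map to identical outputs wherever they appear,
    # but without the key the mapping can be neither inverted nor rebuilt.
    return hmac.new(key, value.encode(), hashlib.sha256).digest()

def mask_ssn(ssn: str, key: bytes = MASK_KEY) -> str:
    """Format-preserving: keeps the NNN-NN-NNNN layout, replaces every digit."""
    d = _digest(ssn, key)
    digits = "".join(str(d[i] % 10) for i in range(9))
    return f"{digits[:3]}-{digits[3:5]}-{digits[5:]}"

def mask_name(name: str, key: bytes = MASK_KEY) -> str:
    """Same-length pseudo-name of uppercase letters derived from the keyed hash."""
    d = _digest(name, key)
    return "".join(string.ascii_uppercase[d[i % len(d)] % 26] for i in range(len(name)))

def mask_tables(employees, payroll, key: bytes = MASK_KEY):
    # Salaries are rotated between rows instead of hashed: the column keeps its
    # real distribution while no row retains its own value (needs >= 2 rows).
    salaries = [e["SALARY"] for e in employees]
    rotated = salaries[1:] + salaries[:1]
    masked_emp = [{"LAST_NAME": mask_name(e["LAST_NAME"], key),
                   "SSN": mask_ssn(e["SSN"], key), "SALARY": s}
                  for e, s in zip(employees, rotated)]
    masked_pay = [{**p, "SSN": mask_ssn(p["SSN"], key)} for p in payroll]
    return masked_emp, masked_pay

def joins_intact(masked_emp, masked_pay) -> bool:
    """Referential-integrity check: every payroll SSN still matches an employee."""
    return {p["SSN"] for p in masked_pay} <= {e["SSN"] for e in masked_emp}
```

Masking both tables with the same key is what keeps the join working; masking them with different keys breaks it, which is why the key must be shared within one masking run and then destroyed.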
23. Oracle Database Vault
Privileged User Access Control & Multi-Factor Authorization
[Diagram: realms around Procurement, HR and Finance data; a DBA's "select * from finance.customers" is checked against the Finance realm, separately from the Application's own access path.]
• Privileged DB users perform admin
• Address SoD (separation of duties) requirements
• Enforce security policies & block unauthorized DB activities
24. Oracle Configuration Management
Vulnerability Assessment & Secure Configuration
Lifecycle: Discover → Classify → Assess → Prioritize → Fix → Monitor
Components: Asset Management; Configuration Management; Policy Management; Vulnerability Management; Analysis & Analytics; Audit
• DB discovery
• Continuous scanning against best practices & industry standards
• Detect & prevent unauthorized config changes
• Change mgmt compliance reports
25. Agenda
26. Regulatory Considerations for Cloud Security
[Diagram: four quadrants around Oracle Security Solutions: Enforce Controls, Monitor Controls, Automate Reporting, Streamline Processes.]