Private Cloud Security - ISSA


Private Clouds: Opportunity to Improve Data Security and Lower Costs

InfoTRAMS „Fusion Tematyczny, Bazy Danych, Kariera i Prywatny Sprzęt w Pracy” (Thematic Fusion: Databases, Careers and Personal Equipment at Work)


Michał Jerzy Kostrzewa ([email protected]), ECE Business Development Manager

Agenda

• Challenges of Securing Data Today

• Data Security in Cloud Environments

• Private v. Public Clouds

• Securing Database Clouds

• Q&A

Easy to Lose Track of Sensitive Data In Traditional Computing Environments

• Silos of dedicated hardware and software for each application

• Organizations typically unsure which silos contain sensitive data

• Securing every silo is too costly and complex

• Organizations typically protect the only shared resource - the network

• Data and database infrastructure vulnerable to attack from within the network perimeter

Data and Databases Vulnerable

28% uniformly encrypt sensitive data in all databases

Data can be read/tampered with by any system user or admin with access to database files or storage

24% can prevent privileged database users from reading/modifying data

Data can be accessed by DBAs or anyone with privileged database user credentials

44% allow database users to access data directly

Users can bypass application security policies to read or modify data directly within the database

68% cannot detect if database users are abusing privileges

Database users can perform unauthorized activities undetected

66% not sure if applications subject to SQL injection

Data can be manipulated by hackers who compromise applications

48% copy sensitive production data to non-production environments

Data can be accessed by developers, testers, etc.

The 2010 IOUG Data Security Report

Over 900M (92%) Breached Records from Compromised Database Servers

• 48% involved privilege misuse

• 40% resulted from hacking

• 38% utilized malware

• 28% employed social tactics

• 15% comprised physical attacks

2010 Data Breach Investigations Report

Cloud Computing Environments Allow Securing Sensitive Data Efficiently

• Clouds are shared pools of standardized computing resources

• Oracle Exadata is a pre-integrated, highly optimized Database Cloud platform that maximizes ROI

• All data now managed in the Database Cloud - securing Database Clouds is not optional!

• Securing Database Clouds results in efficient and consistent protection for all data

• Database Clouds enable better security at lower cost and complexity


Exadata and Exalogic: Extreme Performance, Engineered Systems

• Database and middle tier machines

• Unmatched performance, simplified deployment, lower total cost

• Building blocks for private and public PaaS


Oracle Exadata Extreme Performance

• Faster Than DW Appliances: faster query throughput, fastest disk throughput, much faster with Flash

• More Bandwidth than High-End Arrays: storage arrays can't deliver disk bandwidth, no extra bandwidth from Flash, no CPU offload, no Columnar Compression, no InfiniBand

• More Data Capacity: more disk drives per rack, larger disk drives, much better compression

[Chart: Query Throughput, GB/sec of uncompressed data, single rack: Teradata 2650, Netezza TwinFin 12, Exadata Disk, Exadata Flash (75 GB/sec)]

[Chart: Storage Data Bandwidth (uncompressed GB/sec) for systems with equal user data, all with largest disks and best compression: Teradata 2650, Netezza TwinFin 12, Exadata, EMC VMAX, IBM XIV, NetApp 6080, IBM DS8700, Hitachi USP V]


Oracle Exalogic Extreme Performance

• Internet Applications: 12X improvement, over 1 million HTTP requests/sec.; Facebook's web traffic on 2 full racks

• Messaging Applications: 4.5X improvement, over 1.8 million messages/sec.; all Chinese rail ticketing on 1 rack

• Database Applications: 1.4X improvement, almost 2 million JPA operations/sec.; all eBay product searches on 1/2 rack

[Chart: Exalogic vs. Alternative for each of the three workloads above]

Biggest Barrier to Cloud Computing Adoption? Security!

74% rate cloud security issues as "very significant"

Source: IDC

The Reality of Cloud Computing: Cloud Computing Often Confused with Outsourcing…

Public Clouds

• Cloud operated by a vendor

• Security (and compliance??) becomes outsourced

• Not an option for certain organizations, industries

Private Clouds

• Evolution of IT Services

• Still responsible for ensuring security and compliance

• Cost-effective option to protect data for all organizations!

Copyright © 2010, Oracle. All rights reserved

Securing Database Clouds: Defense In Depth

• Prevent access by non-database users

• Increase database user identity assurance

• Control access to data within database

• Audit database activity

• Monitor database traffic and prevent threats from reaching the database

• Ensure database production environment is secure and prevent drift

• Remove sensitive data from non-production environments


Oracle Advanced Security: Protect Data from Unauthorized Users

• Complete encryption for application data at rest to prevent direct access to data stored in database files, on tape, exports, etc. by IT Staff/OS users

• Efficient application data encryption without application changes

• Built-in two-tier key management for SoD with support for centralized key management using HSM/KMS

• Strong authentication of database users for greater identity assurance

[Diagram: the Application connects to the database; encrypted application data at rest covers Disk, Backups, Exports and Off-Site Facilities]


Oracle Database Vault: Enforce Security Policies Inside the Database

• Automatic and customizable DBA separation of duties and protective realms

• Enforce who, where, when, and how using rules and factors

• Enforce least privilege for privileged database users

• Prevent application by-pass and enforce enterprise data governance

• Securely consolidate application data or enable multi-tenant data management

[Diagram: protective realms around the Procurement, HR and Finance application data; a DBA issuing "select * from finance.customers" is stopped by the Finance realm; roles shown: Application, Application DBA, Security DBA]
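An added Python model (not Oracle Database Vault's code) of the realm in the diagram on this slide: a protective realm around the FINANCE schema is checked before ordinary privileges, so a DBA holding SELECT ANY TABLE is still refused `select * from finance.customers`, while the realm-authorised application account passes only when the rule built from the host and time factors holds. The account names, host name and business hours are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Callable, Set

@dataclass
class Session:
    user: str
    sys_privs: Set[str]     # e.g. {"SELECT ANY TABLE"}; irrelevant inside a realm
    client_host: str        # factor: where the connection comes from
    hour: int               # factor: local hour, 0-23

@dataclass
class Realm:
    name: str
    schemas: Set[str]                  # schemas whose objects the realm protects
    authorized: Set[str]               # realm participants (grantees)
    rule: Callable[[Session], bool]    # "who, where, when, and how"

# Constructed policy: only the application account, connecting from the app
# tier during business hours, may touch FINANCE data.
FINANCE_REALM = Realm(
    name="Finance Realm",
    schemas={"finance"},
    authorized={"finance_app"},
    rule=lambda s: s.client_host == "app01.example.internal" and 8 <= s.hour < 18,
)

_OBJ = re.compile(r"\b(?:from|update|into|table|join)\s+([a-z_]+)\.([a-z_]+)", re.I)

def referenced_schemas(sql: str) -> Set[str]:
    """Schemas named as owner.object in the statement (simplified parser)."""
    return {m.group(1).lower() for m in _OBJ.finditer(sql)}

def authorize(session: Session, sql: str, realms=(FINANCE_REALM,)):
    """Return (allowed, reason). Realm checks run first and never consult
    system privileges, which is what stops the DBA on the slide."""
    touched = referenced_schemas(sql)
    for realm in realms:
        if touched & realm.schemas:
            if session.user.lower() not in realm.authorized:
                return False, f"{realm.name}: {session.user} is not a realm participant"
            if not realm.rule(session):
                return False, f"{realm.name}: host/time rule not satisfied"
            return True, f"{realm.name}: participant and rule satisfied"
    return True, "no realm applies; ordinary object/system privileges decide"
```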


Oracle Audit Vault: Audit Database Activity in Real-Time

• Consolidate database audit trail into secure centralized repository

• Detect and alert on suspicious activities, including privileged users

• Out-of-the box compliance reports for SOX, PCI, and other regulations

• E.g., privileged user audit, entitlements, failed logins, regulated data changes

• Streamline audits with report generation, notification, attestation, archiving, etc.

[Diagram: audit data from the CRM, ERP and HR databases is consolidated into Audit Vault, which applies Policies and produces Built-in Reports, Custom Reports and Alerts for the Auditor]


Oracle Total Recall: Track Changes to Sensitive Data

select salary from emp AS OF TIMESTAMP '02-MAY-09 12.00 AM' where emp.title = 'admin'

• Transparently track application data changes over time

• Efficient, tamper-resistant storage of archives in the database

• Real-time access to historical application data using SQL

• Simplified incident forensics and recovery


Oracle Database Firewall: First Line of Defense

[Diagram: SQL from Applications passes through the Database Firewall, which applies Policies and can Block, Log, Allow, Alert or Substitute each statement, and produces Built-in Reports, Custom Reports and Alerts]

• Monitor database activity to prevent unauthorized database access, SQL injections, privilege or role escalation, illegal access to sensitive data, etc.

• Highly accurate SQL grammar based analysis without costly false positives

• Flexible SQL level enforcement options based on white lists and black lists

• Scalable architecture provides enterprise performance in all deployment modes

• Built-in and custom compliance reports for SOX, PCI, and other regulations
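As an added example (not Oracle Database Firewall's code), the following Python models the SQL-grammar approach this slide describes: each statement is reduced to its grammatical shape with literals replaced, and that shape is matched against a white list and a black list to choose Allow, Log, Alert, Block or Substitute. The lists, the sensitive-object set, the replacement statement and the statement texts are constructed for the demo.

```python
import re

# Constructed white list: statement shapes the application is known to issue.
WHITE_LIST = {
    "select * from finance.customers where id = ?",
    "update hr.emp set salary = ? where emp_id = ?",
}
# Constructed black list: shapes that must never reach the database.
BLACK_LIST = {
    "select * from finance.customers where id = ? or ? = ?",
}
SENSITIVE = {"finance.customers"}                    # allowed statements here are logged
SUBSTITUTE_SQL = "select 1 from dual where 1 = 0"   # harmless replacement statement

_STR = re.compile(r"'(?:[^']|'')*'")        # single-quoted string literals
_NUM = re.compile(r"\b\d+(?:\.\d+)?\b")     # numeric literals
_OPS = re.compile(r"\s*([=,()<>])\s*")      # operators get uniform spacing
_WS = re.compile(r"\s+")


def signature(sql: str) -> str:
    """Collapse a statement to its grammatical shape: literals become '?',
    case and whitespace are folded, so "id = 1 or 1=1" and
    "id = '1' or '1'='1'" map to the same shape."""
    s = sql.strip().rstrip(";")
    s = _STR.sub("?", s)
    s = _NUM.sub("?", s)
    s = _OPS.sub(r" \1 ", s.lower())
    return _WS.sub(" ", s).strip()


def decide(sql: str, privileged: bool = False) -> tuple:
    """Return (action, sql_forwarded_to_database). Black-listed shapes are
    substituted, known shapes are allowed (logged when they touch a sensitive
    object), unknown shapes are blocked, except that unknown statements from
    a privileged session raise an alert instead of being blocked."""
    sig = signature(sql)
    if sig in BLACK_LIST:
        return "Substitute", SUBSTITUTE_SQL
    if sig in WHITE_LIST:
        action = "Log" if any(obj in sig for obj in SENSITIVE) else "Allow"
        return action, sql
    if privileged:
        return "Alert", sql
    return "Block", ""
```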


Oracle Configuration Management: Secure Your Database Environment

• Discover and classify databases into policy groups

• Scan databases against 400+ best practices and industry standards, custom enterprise-specific configuration policies

• Detect and even prevent unauthorized database configuration changes

• Change management dashboards and compliance reports

[Diagram: cycle of Discover, Classify, Assess, Monitor, Prioritize and Fix across Asset Management, Policy Management, Configuration Management & Audit, Vulnerability Management, and Analysis & Analytics]


Oracle Data Masking: Irreversibly De-Identify Data for Non-Production Use

• Make application data securely available in non-production environments

• Prevent application developers and testers from seeing production data

• Extensible template library and policies for data masking automation

• Referential integrity automatically preserved so applications continue to work

Production:

LAST_NAME   SSN          SALARY
AGUILAR     203-33-3234  40,000
BENSON      323-22-2943  60,000

Non-Production:

LAST_NAME   SSN          SALARY
ANSKEKSL    111-23-1111  60,000
BKJHHEIEDK  222-34-1345  40,000

Data never leaves Database
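The masking shown above, as an added Python example (not Oracle Data Masking's own code): last names and SSNs are replaced by values derived from a keyed hash whose key is discarded after the run, so the masking is irreversible yet consistent within the run, and a PAYROLL table (constructed here) that references EMP by SSN still joins after masking; salaries are shuffled between rows so the column keeps its distribution, as the slide's 40,000/60,000 swap suggests.

```python
import hashlib, hmac, random, re, secrets

# Constructed production rows: EMP keyed by SSN, PAYROLL referencing it.
EMP = [
    {"LAST_NAME": "AGUILAR", "SSN": "203-33-3234", "SALARY": 40000},
    {"LAST_NAME": "BENSON", "SSN": "323-22-2943", "SALARY": 60000},
]
PAYROLL = [
    {"SSN": "203-33-3234", "MONTH": "2010-04", "PAID": 3333},
    {"SSN": "323-22-2943", "MONTH": "2010-04", "PAID": 5000},
]
SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")

class Masker:
    """Keyed-hash substitution: same input -> same output within one run (so
    foreign keys survive); irreversible once the run key is discarded."""
    def __init__(self, key=None):
        self.key = key or secrets.token_bytes(32)   # never stored after the run

    def _digest(self, column, value):
        return hmac.new(self.key, f"{column}\0{value}".encode(), hashlib.sha256).digest()

    def ssn(self, value):
        """Format-preserving: nine digits laid out as NNN-NN-NNNN."""
        n = int.from_bytes(self._digest("SSN", value)[:8], "big") % 10**9
        s = f"{n:09d}"
        return f"{s[:3]}-{s[3:5]}-{s[5:]}"

    def last_name(self, value):
        """Letters only, same length as the original (cf. ANSKEKSL above)."""
        d = self._digest("LAST_NAME", value)
        return "".join(chr(ord("A") + b % 26) for b in d[:len(value)])

def mask_tables(emp, payroll, key=None):
    """Mask EMP and PAYROLL with one run key so they still join afterwards."""
    m = Masker(key)
    salaries = [r["SALARY"] for r in emp]
    random.Random(m.key).shuffle(salaries)   # shuffle keeps the column's distribution
    masked_emp = [{"LAST_NAME": m.last_name(r["LAST_NAME"]), "SSN": m.ssn(r["SSN"]),
                   "SALARY": s} for r, s in zip(emp, salaries)]
    masked_payroll = [dict(r, SSN=m.ssn(r["SSN"])) for r in payroll]   # child table
    return masked_emp, masked_payroll

def join_ok(emp, payroll):
    """Referential integrity check: every PAYROLL.SSN exists in EMP."""
    keys = {r["SSN"] for r in emp}
    return all(r["SSN"] in keys for r in payroll)
```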


Oracle Database Defense In Depth: Solution Summary

• Oracle Advanced Security

• Oracle Identity Management

• Oracle Database Vault

• Oracle Label Security

• Oracle Audit Vault

• Oracle Total Recall

• Oracle Database Firewall

• Oracle Configuration Management

• Oracle Data Masking

Comprehensive – Transparent – Easy to Deploy – Proven!


Next Steps

• Protect sensitive data and database infrastructure ASAP!

• Database Clouds enable better security at lower cost and complexity

• Start evolving your existing IT infrastructure into a Private Cloud

• Secured Oracle Exadata servers provide the secure database cloud building block you need

• Securing your databases will allow you to outsource/take advantage of Public Clouds with less risk

For More Information

oracle.com/database/security

search.oracle.com: database security