Security
1 DBCS Overview
2 OCI Classic Security Model
3 OCI Security Model
4 Autonomous Database Security Model
5 Hybrid Environments
|                   | Exadata Express                      | Database – OCI Classic (EC)          | Database – OCI (BM)                  | Exadata               |
| Editions          | EE with Lockdown                     | SE, EE, HP, EP                       | SE, EE, HP, EP                       | EP*                   |
| Implementation    | 1 PDB in Shared CDB                  | 1 Dedicated CDB                      | 1 Dedicated CDB                      | 1+ Dedicated DBs      |
| Management        | Oracle                               | Customer                             | Customer                             | Customer              |
| Max DB size       | 20GB, 50GB                           | 50GB – 11.2TB                        | 3.5TB – 9.2TB                        | 42TB – 168TB          |
| Max OCPU          | ~1                                   | 1 – 16                               | 2 – 36                               | 16 – 336              |
| ~Price/month/core | $175 - $950                          | $300 - $2,500                        | $300 - $2,500 + IaaS                 | $2,500                |
| Storage           | Exadata, Flash: Fixed                | ZFS Block: $0.50 per GB              | Local NVMe: Fixed                    | Exadata, Flash: Fixed |
| Security          | Includes Transparent Data Encryption | Includes Transparent Data Encryption | Includes Transparent Data Encryption | Includes Everything   |

Exadata Express adds…
• Enterprise Users
• Row-Level Security, Virtual Private Database
• Real Application Security

Database – OCI Classic (EC) adds…
• Advanced Security (Redaction, Data Pump Encryption, Encrypted DBFS, RMAN Backup Encryption)
• Database Vault
• Diagnostics & Tuning Packs
• Label Security
• Data Masking & Subsetting
• Lifecycle Management Pack
Copyright © 2018 Oracle and/or its affiliates. All rights reserved. | Oracle OpenWorld 2018
What is the Autonomous Database Cloud?
Autonomous Database = Database-Optimized Infrastructure as a Service + Policy-driven Workload Optimization and Machine Learning + Expanded Database Automation
Architecture for Modern Cloud Data Warehousing
[Figure: Autonomous Data Warehouse Cloud (EDWs, DW, departmental marts and sandboxes) with Service Management and Built-in Access Tools at the centre, used by Developer Tools, BI Services & Data Warehouse Services and Advanced Analytics; data arrives as Flat Files and Staging from 3rd Party DI on Oracle Cloud Compute via Oracle Object Storage Cloud, and from On-premises 3rd Party DI via 3rd Party Object Storage Cloud]
2 OCI Classic Security Model
[Figure: OCI Classic network – the On-Premise network reaches the DBCS Instance (labels recovered: Backup, Network) over the Public Internet; a Security List holds Security Rules defined by Protocol, Port and IP (White) Lists]
[Figure: SSH Tunnel – from Your computer over the Internet to the DBCS Instance Public IP Address via SSH, forwarding localhost:5700 to :5700 (EM Express on 5500) and localhost:1526 to :1526 (SQL*Net on 1521)]
[Figure: IP White List – Protocol: SQLNet, Port: 1521; clients at 55.2.10.9, 55.2.11.2 and 55.2.12.5 (On-Premise or Another Oracle Cloud) reach the DBCS Instance Public IP Address over the Internet on 1521; encryption algorithms permitted by server]
3 OCI Security Model
[Figure: OCI region with AVAILABILITY DOMAIN-1, -2 and -3, each holding subnets (Subnet-A/B/C and Subnet-n/n1/n2) behind an IGW with Load Balancing; the Customer Datacenter connects over FastConnect (provisioned bandwidth) or VPN; End customers arrive over the Internet]
Console or API-driven; same 25Gbps network for all core services; <500µs one-way latency between Availability Domains
[Figure: customer packet isolation on the Physical Network – gray and red packets belong to different customers; multiple security checks for every packet in the VCN]
• Private subnets
  – No internet access
• Security Lists
  – Stateful & stateless firewalls
  – Control packet traffic into and out of your instances
• Routing Table and Rules
  – Control route traffic to and from your subnets
• Stateful rule: tracks the response back to the originator regardless of the egress rules
• Stateless rule: if you add a stateless rule to the security list and want a response to incoming traffic, you must explicitly define an egress rule
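The stateful/stateless distinction above, modelled in code (an added example, not OCI's implementation): a tiny security list that admits an inbound SQL*Net request on 1521 and then decides whether the reply may leave. The client port 51000 is a constructed sample value.

```python
"""Stateful vs stateless Security List rules, as the slide describes them.
Added example, not OCI's implementation: a minimal model of how a security list
decides whether an inbound request and its reply are allowed."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    direction: str          # "ingress" or "egress"
    protocol: str           # e.g. "tcp"
    port: "int | None"      # destination port the rule matches, None = any
    stateful: bool

@dataclass(frozen=True)
class Flow:
    direction: str
    protocol: str
    src_port: int
    dst_port: int

class SecurityList:
    def __init__(self, rules):
        self.rules = list(rules)
        self.tracked = set()    # connections admitted by a stateful rule

    def _match(self, flow):
        return next((r for r in self.rules
                     if r.direction == flow.direction and r.protocol == flow.protocol
                     and r.port in (None, flow.dst_port)), None)

    def allows(self, flow):
        rule = self._match(flow)
        if rule is not None:
            if rule.stateful:   # remember the connection so its reply passes regardless of egress rules
                self.tracked.add((flow.direction, flow.protocol, flow.src_port, flow.dst_port))
            return True
        # no explicit rule: only the reply to a tracked (stateful) connection is still allowed
        reverse = "egress" if flow.direction == "ingress" else "ingress"
        return (reverse, flow.protocol, flow.dst_port, flow.src_port) in self.tracked

def reply_allowed(stateful, explicit_egress=False):
    """Admit an inbound SQL*Net request on 1521 and ask whether the reply may leave.
    Ports are constructed sample values; 51000 stands for the client's ephemeral port."""
    rules = [Rule("ingress", "tcp", 1521, stateful)]
    if explicit_egress:
        rules.append(Rule("egress", "tcp", None, stateful))  # what a stateless rule needs
    sl = SecurityList(rules)
    request = Flow("ingress", "tcp", src_port=51000, dst_port=1521)
    reply = Flow("egress", "tcp", src_port=1521, dst_port=51000)
    return sl.allows(request) and sl.allows(reply)
```

With a stateful ingress rule the reply is tracked and passes with no egress rule at all; with a stateless rule it is dropped until an explicit egress rule is added.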
[Figure: Web Server and Database Server on private subnets with No public IP; only the IGW faces the Public Internet]
[Figure: FastConnect – the CUSTOMER NETWORK 10.0.0.0/16 connects through CPE to PROVIDER NETWORK edges at FASTCONNECT LOCATION 1 and 2 over VIRTUAL CIRCUIT #1 and #2, terminating on the DRG in front of PRIVATE SUBNET 10.2.2.0/24 in AVAILABILITY DOMAIN 1]
4 Autonomous Database Security Model
[Figure: Autonomous Database surrounded by three security pillars – Automated Patching & Upgrades; Encrypted by Default, At Rest & In Motion; Separation of Duties & Auditing]
The high cost of patching
• Very large Oracle customer with more than 15,000 databases
  – 4 quarterly patches per year
  – Average of 45 minutes per database to apply the patches (0.75 hours)
  – 4*.75*15,000 = 45,000 hours per year spent in patching*
  – 22 skilled DBAs required JUST to apply patches!
• SMB Oracle customer with 20 databases
  – 4 quarterly patches per year
  – Average of 45 minutes per database to apply the patches (0.75 hours)
  – 4*.75*20 = 60 hours per year spent on patching
  – More than a week just to keep up with patches!
* Does not include OS patches
The exorbitant cost of NOT patching
• of [database] cyberattacks are on databases that administrators have failed to patch for more than 9 months
• cost to Experian of last year’s data breach, blamed on an unpatched vulnerability in Apache Struts
– Mark Hurd, CEO Oracle
Autonomous Database Security – Patching is automatic
• Security patches applied every quarter
  – Patching can also occur off-cycle if a zero-day exploit is discovered
• Patches are applied without application downtime – further reducing the cost of patching
Autonomous Database Security - Encryption at rest & in motion
• Encryption for Data at Rest
  – Automatically configured – all application data is encrypted within the database
  – Database Backups are also encrypted
• Encryption for Data in Motion
  – Automatically configured – all network access is encrypted to and from the database
  – Choice of two methods
    • Oracle Native Network Encryption
    • Transport Layer Security (TLS) v1.2 (default)
Autonomous Database Client Connection Security
• A PDB in a hosted Exadata environment
• SQL*Net connections encrypted and mutually authenticated using TLS 1.2
• Downloadable client credentials package
  – sqlnet.ora (must have a WALLET_LOCATION to point to the wallet)
  – a wallet with trusted certificates
    • DigiCert Global Root CA
    • Autonomous Data Warehouse Cloud CA
    • DigiCert SHA2 Secure Server CA
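A check for the sqlnet.ora requirement above (an added example, not Oracle's code or part of the credentials package): it parses Oracle Net's nested parameter syntax and confirms that WALLET_LOCATION points at a file wallet. The sample file content is constructed; SSL_SERVER_DN_MATCH is a real Oracle Net parameter the slide does not mention, included because it is what makes the client verify the server's certificate DN.

```python
"""Check the sqlnet.ora from an Autonomous Database client credentials package.
Added example, not Oracle's code: parses Oracle Net's nested (KEY = value) syntax
and reports the wallet directory, wallet type, and whether SSL_SERVER_DN_MATCH
(a real Oracle Net parameter the slide does not mention) is enabled."""
import re

# Constructed sample in the shape of the shipped file; "?" is Oracle's ORACLE_HOME placeholder.
SAMPLE_SQLNET_ORA = """WALLET_LOCATION = (SOURCE = (METHOD = file) (METHOD_DATA = (DIRECTORY="?/network/admin")))
SSL_SERVER_DN_MATCH=yes"""

_WS = re.compile(r"\s*")

def parse_value(text, pos):
    """A quoted/bare scalar, or a run of (KEY = value) groups merged into one dict
    (Oracle allows several side by side, as SOURCE has above). Returns (value, pos)."""
    pos = _WS.match(text, pos).end()
    if text[pos] != "(":
        m = re.match(r'"([^"]*)"|([^()\s]+)', text[pos:])
        return (m.group(1) if m.group(1) is not None else m.group(2)), pos + m.end()
    group = {}
    while pos < len(text) and text[pos] == "(":
        m = re.match(r"\(\s*(\w+)\s*=", text[pos:])
        val, pos = parse_value(text, pos + m.end())
        pos = _WS.match(text, pos).end()
        assert text[pos] == ")", "unbalanced parentheses in sqlnet.ora"
        group[m.group(1).upper()] = val
        pos = _WS.match(text, pos + 1).end()
    return group, pos

def parse_sqlnet_ora(text):
    """One parameter per line; the shipped file keeps WALLET_LOCATION on a single line."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments and blanks
        m = re.match(r"(\w+)\s*=", line)
        if m:
            params[m.group(1).upper()] = parse_value(line, m.end())[0]
    return params

def check_client_config(text):
    """What to confirm before connecting: wallet directory, wallet type, DN matching."""
    params = parse_sqlnet_ora(text)
    wl = params.get("WALLET_LOCATION")
    source = wl.get("SOURCE", {}) if isinstance(wl, dict) else {}
    return {
        "wallet_dir": source.get("METHOD_DATA", {}).get("DIRECTORY"),
        "file_wallet": str(source.get("METHOD", "")).lower() == "file",
        "dn_match": str(params.get("SSL_SERVER_DN_MATCH", "")).lower() in ("yes", "true", "on"),
    }
```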
Autonomous Database Separation of Duties
• No access to the Database Node or File system
• Service Administration (by Oracle) isolated from Database use and administration (service consumer)
  – Multi-Tenant
  – Database Vault
• Database Vault Operations Control later this year
Autonomous Data Security - Auditing
• Autonomous Database leverages Oracle Unified Audit to capture security-relevant activity
  – Login failures
  – Changes to users, including creation of new accounts, grants of privileges or roles
  – Changes to database structures, including tables, procedures, and synonyms
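Triage logic over the three event classes listed above, as an added example (not Oracle's code): constructed rows in the shape of UNIFIED_AUDIT_TRAIL columns are sorted into login failures, account changes and structural changes, and accounts with repeated failed logons from one host are named.

```python
"""Triage Unified Audit records for the event classes the slide lists: login
failures, changes to users (accounts, grants, roles) and changes to database
structures.  Added example, not Oracle's code; the rows are constructed in the
shape of UNIFIED_AUDIT_TRAIL columns (DBUSERNAME, ACTION_NAME, RETURN_CODE, USERHOST)."""
from collections import Counter

ACCOUNT_ACTIONS = {"CREATE USER", "ALTER USER", "DROP USER", "GRANT", "REVOKE",
                   "CREATE ROLE", "DROP ROLE"}
STRUCTURE_PREFIXES = ("CREATE ", "ALTER ", "DROP ")   # tables, procedures, synonyms, ...

def classify(row):
    """Map one audit row to the slide's categories; return None for routine activity."""
    action = row["ACTION_NAME"].upper()
    if action == "LOGON":
        return "login_failure" if row["RETURN_CODE"] != 0 else None   # 1017 = invalid username/password
    if action in ACCOUNT_ACTIONS:
        return "account_change"
    if action.startswith(STRUCTURE_PREFIXES):
        return "structure_change"
    return None

def triage(rows, failure_threshold=3):
    """Count events per category and name (user, host) pairs whose failed logons reach the threshold."""
    counts, failures = Counter(), Counter()
    for row in rows:
        category = classify(row)
        if category:
            counts[category] += 1
        if category == "login_failure":
            failures[(row["DBUSERNAME"], row["USERHOST"])] += 1
    repeated = sorted(k for k, n in failures.items() if n >= failure_threshold)
    return {"counts": dict(counts), "repeated_logon_failures": repeated}

# Constructed sample rows (not real audit data).
SAMPLE_ROWS = [
    {"DBUSERNAME": "APPUSER", "ACTION_NAME": "LOGON", "RETURN_CODE": 0, "USERHOST": "app01"},
    {"DBUSERNAME": "ADMIN", "ACTION_NAME": "LOGON", "RETURN_CODE": 1017, "USERHOST": "laptop-7"},
    {"DBUSERNAME": "ADMIN", "ACTION_NAME": "LOGON", "RETURN_CODE": 1017, "USERHOST": "laptop-7"},
    {"DBUSERNAME": "ADMIN", "ACTION_NAME": "LOGON", "RETURN_CODE": 1017, "USERHOST": "laptop-7"},
    {"DBUSERNAME": "ADMIN", "ACTION_NAME": "CREATE USER", "RETURN_CODE": 0, "USERHOST": "app01"},
    {"DBUSERNAME": "ADMIN", "ACTION_NAME": "GRANT", "RETURN_CODE": 0, "USERHOST": "app01"},
    {"DBUSERNAME": "APPUSER", "ACTION_NAME": "ALTER TABLE", "RETURN_CODE": 0, "USERHOST": "app01"},
    {"DBUSERNAME": "APPUSER", "ACTION_NAME": "CREATE SYNONYM", "RETURN_CODE": 0, "USERHOST": "app01"},
    {"DBUSERNAME": "APPUSER", "ACTION_NAME": "SELECT", "RETURN_CODE": 0, "USERHOST": "app01"},
]
```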
Controlling Human Error
• Automation
  – Most Database Administration tasks fully automated
  – Zero human interaction reduces opportunities for human error
• Service-appropriate Restrictions
  – Service Consumers not allowed to run many Oracle Database administrative commands and parameters
  – Remove the ability to inadvertently damage or impact performance
5 Hybrid Environments
[Figure: Audit Vault deployment – AV AGENTs on Applications and databases both On-premise and in Oracle Cloud report to Audit Vault, which raises Alerts and produces Reports for Users]
[Figure: Key Vault deployment – Users, Oracle Cloud and On-premise databases, and databases in Other Clouds or On Premise reach Key Vault through a GATEWAY; Alerts and Reports]
Data Subsetting & Masking Scenarios
[Figure: On Premises scenarios; no further text recovered]