Oracle Database Cloud Service

Security

Oracle Database Product Management (PTS)

Copyright © 2018 Oracle and/or its affiliates. All rights reserved. |


Safe Harbor Statement
The following is intended to outline our general product direction. It is intended for
information purposes only, and may not be incorporated into any contract. It is not a
commitment to deliver any material, code, or functionality, and should not be relied upon
in making purchasing decisions. The development, release, and timing of any features or
functionality described for Oracle’s products remains at the sole discretion of Oracle.

Program Agenda

1 DBCS Overview
2 OCI Classic Security Model
3 OCI Security Model
4 Autonomous Database Security Model
5 Hybrid Environments

Oracle Database Cloud Services
Full Spectrum of Database Cloud Offerings

                    | Exadata Express       | Database – OCI Classic (EC) | Database – OCI (BM)   | Exadata
Editions            | EE with Lockdown      | SE, EE, HP, EP              | SE, EE, HP, EP        | EP*
Implementation      | 1 PDB in shared CDB   | 1 dedicated CDB             | 1 dedicated CDB       | 1+ dedicated DBs
Management          | Oracle                | Customer                    | Customer              | Customer
Max DB size         | 20GB, 50GB            | 50GB – 11.2TB               | 3.5TB – 9.2TB         | 42TB – 168TB
Max OCPU            | ~1                    | 1 – 16                      | 2 – 36                | 16 – 336
~Price/month/core   | $175 - $950           | $300 - $2,500               | $300 - $2,500 + IaaS  | $2,500
Storage             | Exadata, Flash: fixed | ZFS Block: $0.50 per GB     | Local NVMe: fixed     | Exadata, Flash: fixed


Oracle Database Cloud Service – Security Option Bundling
(each column adds to the one before it)

Standard Edition 2
• Includes Transparent Data Encryption

Enterprise Edition (EE)
• Includes Transparent Data Encryption
• Adds: Enterprise Users; Row-Level Security / Virtual Private Database; Real Application Security

EE High Performance
• Includes Transparent Data Encryption
• Adds: Advanced Security (Redaction, Data Pump Encryption, Encrypted DBFS, RMAN Backup Encryption); Database Vault; Diagnostics and Tuning Packs; Label Security; Data Masking & Subsetting Pack; Lifecycle Management Pack

EE Extreme Performance
• Includes everything


Oracle Autonomous Database Key Attributes
Goal - Eliminate human labor/opportunity for error

• Self-Driving: automates all database and infrastructure management, monitoring, tuning
• Self-Securing: protects from both external attacks and malicious internal users
• Self-Repairing: protects from all downtime including planned maintenance

Copyright © 2018 Oracle and/or its affiliates. All rights reserved. | Oracle OpenWorld 2018
What is the Autonomous Database Cloud?

Autonomous Database = Database-Optimized Infrastructure as a Service + Expanded Database Automation + Policy-driven Workload Optimization and Machine Learning
Architecture for Modern Cloud Data Warehousing
(diagram; its components listed)

• Autonomous Data Warehouse Cloud on Oracle Exadata Cloud Service (EDWs, DW, departmental marts and sandboxes), with service management and built-in access tools
• Developer tools: Oracle SQL Developer, Service Console, SQL Worksheet, Oracle ML
• BI services & advanced analytics: Oracle Analytics Cloud; 3rd party BI & analytics on Oracle Cloud Compute or on-premises
• Data integration services: Oracle Data Integration Platform Cloud; 3rd party DI on Oracle Cloud Compute; 3rd party DI on-premises
• Sources: Oracle Database Cloud Service, Express Cloud Service, on-premises databases
• Staging: Oracle Object Storage Cloud or 3rd party object storage cloud (flat files and staging)


Getting Started with Autonomous Data Warehouse Cloud
• Provisioning requires only 5 simple answers:
  – Display name?
  – Database name?
  – How many CPUs?
  – How many TB?
  – Admin password?
• New service created in <30 seconds (regardless of size)
  – Ready to connect via SQL*Net


OracleML: Built-in SQL Worksheet and Notebook
• Quickly start running queries with
built-in web-based notebooks
– No need to install a client query tool
• Collaborative UI for data scientists
• Initially supports SQL and PL/SQL
– More languages in the roadmap
• Based on Apache Zeppelin

Layered Security
Protects the Database

(diagram) The layers, outermost first:

Network
  VPN, Virtual Private Cloud, Direct Connect, physical network, firewall / routers / DMZ
  Network encryption, PKI; network port access, IP lists; SSH tunnel, secure SQL*Net

Database 12c Security

IDM / Access Control
  Identity management, users and roles, access control

Monitor
  Security monitoring, service attacks, alerts and logs


Program Agenda: 2 OCI Classic Security Model


Embedded DBCS Security Features

• Network encryption is on by default (SQLNET.ENCRYPTION_SERVER = REQUIRED in the server's sqlnet.ora)
  – Algorithms list: AES256, AES192, AES128
• Oracle Wallet is automatically pre-created in DBCS databases, including a password-based and an auto-login wallet; the TDE master key is pre-created
  – Caveat: an auto-login wallet opens without a password, so anyone who can read the wallet file (OS-level access to the VM) can open the keystore; protect the wallet directory as tightly as the data files
• New user tablespaces in DBCS are encrypted by default; this is governed by the ENCRYPT_NEW_TABLESPACES initialization parameter
• The TDE master key can be rotated with SQL (ADMINISTER KEY MANAGEMENT SET KEY, against the password-based keystore, WITH BACKUP) or with the DBCS utility:
  dbaascli tde rotate masterkey


DBCS – OCI Classic Security Model
White list model: enter only if you have the key

(diagram) The administrator on-premises holds the SSH private key; the DBCS instance holds the matching public key. Admin SSH and application traffic cross the firewall into the DBCS tenancy, which contains the Database Service, the Compute Service, the Java Service, the network and the backup service.

• Databases encrypted by default
• The VM isolates the tenant from the hardware


White List Model (OCI Classic)
 Security List  Security Application (Protocol + Port)
 Security Rules  Security IP List

(diagram) A security rule ties a Security Application (protocol and port) to an IP white list of allowed sources (on-premises or the public Internet) and to the Security List of the DBCS instance; traffic that matches no rule is dropped.

Caution: the service's default rules open the database ports to the public internet when enabled. Leave them disabled and whitelist the specific source addresses instead.


SSH Tunnel
Localhost Port Forwarding

(diagram) From the Internet, one SSH connection on port 22 to the Oracle Compute Cloud Service / Oracle Database Cloud Service host carries three local forwards:

  localhost:8181 -> Database Monitor on 8181
  localhost:5700 -> EM Express on 5500
  localhost:1526 -> SQL*Net on 1521

Only port 22 needs to be reachable from the Internet; the database and console ports stay closed.


Accessing the Cloud Management Consoles

(diagram) Your computer opens an SSH tunnel over the Internet to the DBCS instance's public IP address; the console ports are reached through that tunnel rather than exposed directly.


Security IP List : Create Your White List

(diagram) A remote application reaches the Oracle Database Cloud Service public IP address on port 1521 over the Internet only if its source address is on the IP white list.

  IP White List (Protocol: SQL*Net, Port: 1521)
    55.2.10.9
    55.2.11.2
    55.2.12.5   (on-premises or another Oracle Cloud)


Standard Edition DBCS: what the defaults look like
(console and sqlnet.ora screenshots; the callouts are kept)

• Client/server encryption is enforced in sqlnet.ora (SQLNET.ENCRYPTION_SERVER = REQUIRED)
• Encryption algorithms permitted by the server are listed in SQLNET.ENCRYPTION_TYPES_SERVER (AES256, AES192, AES128)
• A wallet stores the master keys for tablespace encryption
• The wallet is automatically created as an "auto-login" wallet
• New parameter: ENCRYPT_NEW_TABLESPACES
• No need to specify an ENCRYPTION clause when creating a tablespace: it is encrypted anyway
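The negotiation behind the two sqlnet.ora callouts above (encryption level REQUIRED, AES-only algorithm list) and the earlier "Embedded DBCS Security Features" slide, worked through in code. This is an added example, not a DBCS utility or Oracle code: it parses constructed sqlnet.ora fragments, applies Oracle's documented client/server negotiation matrix for REJECTED / ACCEPTED / REQUESTED / REQUIRED, and audits a server configuration for the settings a DBCS instance ships with. The ALL_INSTALLED algorithm list, the server-first tie-break and the CRYPTO_CHECKSUM check (integrity protection, which the slides do not mention) are this example's assumptions.

```python
"""Audit Oracle Net native encryption (sqlnet.ora) and work out what a given
client/server pair negotiates.  Added example; the sample sqlnet.ora texts are
constructed and the 'installed algorithm' list is an assumption."""

DEFAULT_LEVEL = "ACCEPTED"                  # Oracle's default when the parameter is absent
STRONG = ("AES256", "AES192", "AES128")     # the list DBCS ships with (from the slide)
# Assumed set of algorithms installed on a side that sets no explicit list.
ALL_INSTALLED = STRONG + ("3DES168", "3DES112", "DES", "RC4_256", "RC4_128")


def parse_sqlnet(text):
    """Parse 'KEY = VALUE' and 'KEY = (A, B, C)' lines into a dict (keys and
    values upper-cased, flat lists as tuples).  Nested values such as
    WALLET_LOCATION are kept as raw strings; '#' starts a comment."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (part.strip().upper() for part in line.split("=", 1))
        if value.startswith("(") and value.endswith(")") and "(" not in value[1:]:
            cfg[key] = tuple(v.strip() for v in value[1:-1].split(",") if v.strip())
        else:
            cfg[key] = value
    return cfg


def level(cfg, side):
    return cfg.get("SQLNET.ENCRYPTION_" + side, DEFAULT_LEVEL)


def algorithms(cfg, side):
    # No explicit list means every algorithm installed on that side is offered.
    return cfg.get("SQLNET.ENCRYPTION_TYPES_" + side) or ALL_INSTALLED


def negotiate(client, server):
    """Return (state, algorithm): state is 'ON', 'OFF' (cleartext) or 'FAIL'
    (connection refused), per Oracle's documented negotiation matrix for the
    levels REJECTED < ACCEPTED < REQUESTED < REQUIRED."""
    c, s = level(client, "CLIENT"), level(server, "SERVER")
    if "REJECTED" in (c, s):
        # REJECTED against REQUIRED cannot be reconciled; against anything else, cleartext.
        return ("FAIL" if "REQUIRED" in (c, s) else "OFF"), None
    if c == "ACCEPTED" and s == "ACCEPTED":
        return "OFF", None          # both merely willing, neither asks: cleartext
    # Encryption is on; pick the first server-preferred algorithm the client also offers
    # (server-first ordering is this example's assumption).
    client_algs = algorithms(client, "CLIENT")
    for alg in algorithms(server, "SERVER"):
        if alg in client_algs:
            return "ON", alg
    return "FAIL", None             # no algorithm in common


def audit_server(cfg):
    """Findings a DBCS-style server should have none of."""
    findings = []
    if level(cfg, "SERVER") != "REQUIRED":
        findings.append("SQLNET.ENCRYPTION_SERVER=%s: a client set to REJECTED still "
                        "connects in cleartext" % level(cfg, "SERVER"))
    weak = [a for a in algorithms(cfg, "SERVER") if a not in STRONG]
    if weak:
        findings.append("non-AES algorithms offered: " + ", ".join(weak))
    if cfg.get("SQLNET.CRYPTO_CHECKSUM_SERVER", DEFAULT_LEVEL) != "REQUIRED":
        findings.append("SQLNET.CRYPTO_CHECKSUM_SERVER not REQUIRED: integrity protection is optional")
    return findings


# Constructed samples.  DBCS_SERVER mirrors what the slides describe; LEGACY_SERVER
# is a hand-managed server nobody has hardened.
DBCS_SERVER = """
SQLNET.ENCRYPTION_SERVER = REQUIRED
SQLNET.ENCRYPTION_TYPES_SERVER = (AES256, AES192, AES128)
SQLNET.CRYPTO_CHECKSUM_SERVER = REQUIRED
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA256)
"""
LEGACY_SERVER = """
SQLNET.ENCRYPTION_SERVER = ACCEPTED        # the default, i.e. nothing was ever set
SQLNET.ENCRYPTION_TYPES_SERVER = (AES256, 3DES168, RC4_128)
"""
DEFAULT_CLIENT = ""                        # no sqlnet.ora at all on the client
REJECTING_CLIENT = "SQLNET.ENCRYPTION_CLIENT = REJECTED"


if __name__ == "__main__":
    for name, server in (("DBCS", DBCS_SERVER), ("legacy", LEGACY_SERVER)):
        cfg = parse_sqlnet(server)
        print(name, "findings:", audit_server(cfg) or "none")
        for cname, client in (("default client", DEFAULT_CLIENT), ("rejecting client", REJECTING_CLIENT)):
            print("  ", cname, "->", negotiate(parse_sqlnet(client), cfg))
```

Running it shows the point of REQUIRED: a client with no sqlnet.ora at all gets AES256 against the DBCS server, and a client that sets REJECTED is refused rather than downgraded. The same rejecting client against the legacy ACCEPTED server silently connects in cleartext, which is the first finding the audit reports.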


Program Agenda: 3 OCI Security Model


Virtual Network: High-Fidelity Private Networks and Access
Secure, reliable connectivity: IPSec VPN, FastConnect. Deep VCN control: subnets, routing rules, IP address space, firewall rules.

(diagram) One Virtual Cloud Network in an Oracle Cloud data center region spans three Availability Domains, each with its own subnets (Subnet-A / Subnet-n in AD-1, Subnet-B / Subnet-n1 in AD-2, Subnet-C / Subnet-n2 in AD-3). Internet gateways (IGW) and the Load Balancing service face end customers; the customer datacenter attaches over FastConnect (provisioned bandwidth) or VPN.

Console or API-driven; same 25Gbps network for all core services; <500µs one-way latency between Availability Domains


Oracle Cloud Network Security
Multiple Layers of Customer Isolation

(diagram) Customer packets (red) from the on-premises network are carried in isolation from the physical network (gray packets); every packet in the VCN passes multiple security checks.


VCN Security
Layers of security

• Private subnets
  – No internet access
• Security Lists
  – Stateful & stateless firewall rules
  – Control packet traffic into and out of your instances
• Routing Table and Rules
  – Control how traffic is routed to and from your subnets


VCN Security
Security Lists (Virtual Firewalls)

(diagram) VCN 10.2.0.0/16, Availability Domain 1, with a public subnet 10.2.2.0/24 of web servers behind an IGW and a private subnet 10.2.3.0/24 of database servers.

  Web server security list (public subnet):
    Ingress  129.0.0.0/8   TCP 80    Allow
    Egress   0.0.0.0/0     TCP All   Allow

  Database server security list (private subnet):
    Ingress  10.2.2.0/24   TCP 1521  Allow
    Egress   10.2.2.0/24   TCP 1521  Allow


Security Lists

• Provide a virtual firewall for your subnet resources (e.g. compute instances)
• Configured at the subnet level
• A subnet automatically has a default security list
• All instances in that subnet use the security list's rules
• Ingress and egress rules specify the type of traffic allowed in and out


Default Security List
• Comes with an initial set of stateful rules
• Default stateful ingress rules
  – Allow TCP traffic on port 22 (SSH), from any source 0.0.0.0/0, from any source port
    (this exposes SSH to the whole Internet; narrow the source CIDR to your admin addresses)
  – Allow ICMP traffic type 3 code 4 from source 0.0.0.0/0, from any source port
  – Allow ICMP traffic type 3 (all codes) from source = your VCN's CIDR and any source port
• Default stateful egress rule
  – Allow all traffic to any destination
• No default for Windows RDP
  – Create a stateful ingress rule for RDP to port 3389


Stateful and Stateless

• Stateful rule: the connection is tracked, so the response back to the originator is allowed regardless of the egress rules
• Stateless rule: if you add a stateless rule to the security list and want a response to incoming traffic, you must explicitly define a matching egress rule (the reply goes back to the client's source port, so that egress rule must cover that port range)


VCN Security
Private subnets

(diagram) Same VCN 10.2.0.0/16: the web servers in the public subnet 10.2.2.0/24 sit behind the IGW; the database servers in the private subnet 10.2.3.0/24 have no public IP at all.


VCN Security
Routing table and rules for subnets

(diagram) Public subnet 10.2.2.0/24 (web servers, Load Balancing Service) route rules:
    VCN-local    -> VCN
    129.0.0.0/8  -> Internet (IGW)      e.g. a packet for DST IP 129.1.2.2
  Private subnet 10.2.3.0/24 (database servers) route rules:
    VCN-local    -> VCN                 no route to the IGW


Security Precedence

• Private subnets cannot be accessed from the internet
  – Even if you have a route table and rule to the internet
  – Even if your security list allows sources from the internet
• Public subnets must have
  – A security list with source from the internet if you want your instances to be accessible from the internet, and
  – A route rule to the internet gateway
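The security list, stateful/stateless and security precedence slides above reduce to one decision procedure, shown here as an added example in Python; it is a model of the rules, not OCI code or an OCI SDK call. The topology (VCN 10.2.0.0/16, public subnet 10.2.2.0/24 with the 129.0.0.0/8 TCP 80 web rule and a 0.0.0.0/0 route to the IGW, private subnet 10.2.3.0/24 with the 10.2.2.0/24 TCP 1521 database rule) is constructed from the diagrams; treating the diagram rules as stateful and the representative ephemeral client port are assumptions.

```python
"""Decide whether a flow can reach an instance in an OCI-style VCN from its
subnet type, security list and route table.  Added example with a constructed
topology mirroring the slides (VCN 10.2.0.0/16, public 10.2.2.0/24, private
10.2.3.0/24); it is a model of the rules, not OCI code."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

EPHEMERAL_PORT = 49152   # representative client source port for return traffic (assumption)


@dataclass(frozen=True)
class Rule:
    direction: str              # "ingress" or "egress"
    cidr: str                   # source (ingress) or destination (egress) CIDR
    proto: str                  # "tcp", "udp", "icmp" or "all"
    port: Optional[int] = None  # destination port; None means all ports
    stateful: bool = True       # OCI default; stateless rules need an explicit return rule

    def matches(self, addr, proto, port):
        return (ip_address(addr) in ip_network(self.cidr)
                and self.proto in ("all", proto)
                and self.port in (None, port))


@dataclass
class Subnet:
    cidr: str
    public: bool                                # instances carry public IPs
    rules: list = field(default_factory=list)   # the subnet's security list
    routes: dict = field(default_factory=dict)  # dest CIDR -> "igw"; VCN-local routing is implicit

    def route_target(self, addr):
        """Longest-prefix match over the route table, as a router would."""
        hits = [(ip_network(d), t) for d, t in self.routes.items() if ip_address(addr) in ip_network(d)]
        return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None


def subnet_of(vcn, addr):
    return next((s for s in vcn if ip_address(addr) in ip_network(s.cidr)), None)


def reachable(vcn, src, dst, proto, port):
    """Return (allowed, reason) for src -> dst:port.  A source outside the VCN is the
    public internet and arrives through the IGW; VCN-local traffic needs no route."""
    target = subnet_of(vcn, dst)
    if target is None:
        return False, "destination is not in the VCN"
    from_internet = subnet_of(vcn, src) is None
    if from_internet and not target.public:
        return False, "private subnet: no public IP, so unreachable whatever the rules say"
    ingress = [r for r in target.rules if r.direction == "ingress" and r.matches(src, proto, port)]
    if not ingress:
        return False, "no ingress rule allows %s/%s from %s" % (proto, port, src)
    if from_internet and target.route_target(src) != "igw":
        return False, "no route rule to the internet gateway for the return path"
    if any(r.stateful for r in ingress):
        return True, "allowed by stateful ingress rule; response tracked automatically"
    # Stateless: the reply goes to the client's ephemeral port and needs its own egress rule.
    reply_ok = any(r.direction == "egress" and r.matches(src, proto, EPHEMERAL_PORT) for r in target.rules)
    if reply_ok:
        return True, "allowed by stateless ingress plus a matching egress rule"
    return False, "stateless ingress matched but no egress rule lets the reply out"


def slide_topology(stateless_web=False, web_egress=True):
    """The two subnets from the slides; the flags vary the web tier for the stateless demo."""
    web_rules = [Rule("ingress", "129.0.0.0/8", "tcp", 80, stateful=not stateless_web)]
    if web_egress:
        web_rules.append(Rule("egress", "0.0.0.0/0", "tcp", None, stateful=not stateless_web))
    public = Subnet("10.2.2.0/24", public=True, rules=web_rules, routes={"0.0.0.0/0": "igw"})
    private = Subnet("10.2.3.0/24", public=False,
                     rules=[Rule("ingress", "10.2.2.0/24", "tcp", 1521),
                            Rule("egress", "10.2.2.0/24", "tcp", 1521)])
    return [public, private]


def precedence_demo():
    """Security Precedence: a private subnet stays unreachable from the internet even
    with a wide-open ingress rule and a route to the IGW."""
    leaky = Subnet("10.2.3.0/24", public=False,
                   rules=[Rule("ingress", "0.0.0.0/0", "tcp", 1521)], routes={"0.0.0.0/0": "igw"})
    return reachable([leaky], "129.1.2.2", "10.2.3.10", "tcp", 1521)[0]


if __name__ == "__main__":
    vcn = slide_topology()
    for flow in (("129.1.2.2", "10.2.2.10", "tcp", 80),     # internet -> web
                 ("8.8.8.8", "10.2.2.10", "tcp", 80),       # internet, outside 129/8
                 ("129.1.2.2", "10.2.3.10", "tcp", 1521),   # internet -> database
                 ("10.2.2.10", "10.2.3.10", "tcp", 1521)):  # web -> database
        print(flow, reachable(vcn, *flow))
    print("stateless web, no egress:", reachable(slide_topology(True, False), "129.1.2.2", "10.2.2.10", "tcp", 80))
    print("private subnet with open rules:", precedence_demo())
```

The ordering of the checks is the slide's precedence: subnet type first (a private subnet short-circuits everything), then the security list, then the route to the IGW, and only then the question of how the reply gets out. Note that the stateless variant needs an egress rule covering the client's ephemeral port; an egress rule pinned to port 80 would not let the reply leave.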


VCN Connectivity
Flexible connectivity options
• Internet
– Enables customers to connect from anywhere in the world
• IPSec VPN
– Provides standards-based IPSec encryption over the public Internet
– Multiple, redundant data center VPN tunnel endpoints
• FastConnect
– Dedicated, private connectivity with more reliable, flexible and high bandwidth
options than Internet

VCN Connectivity
FastConnect & IPSec VPN: Redundant, dedicated, private connectivity

(diagram) The customer network 10.0.0.0/16 reaches the VCN's Dynamic Routing Gateway (DRG) two ways: an IPSec VPN connection over the public Internet from the customer premises equipment (CPE), and two FastConnect virtual circuits through provider edges at two FastConnect locations. Inside the region the VCN has private subnets 10.2.2.0/24 (Availability Domain 1) and 10.2.3.0/24 (Availability Domain 2); the diagram also shows a default route entry (DST IP 0.0.0.0/0) and an IGW for public Internet traffic.


Physical Underpinnings of the Virtual Cloud Network
Performance

• Consistent and predictable network performance
  – 10 Gbps network throughput between any two hosts in the AD
  – Max 2 hops to high-performance Block Storage
• Expected 64-byte one-way network latency within an AD: <100 µs
• Expected one-way network latency between ADs: <500 µs in most cases


Program Agenda: 4 Autonomous Database Security Model


Self-Securing
Robust Baseline Security Posture

(diagram) The Autonomous Database baseline rests on three pillars:
• Automated Patching & Upgrades
• Encrypted by Default, At Rest & In Motion
• Separation of Duties & Auditing
The high cost of patching

• Very large Oracle customer with more than 15,000 databases
  – 4 quarterly patches per year
  – Average of 45 minutes per database to apply the patches (0.75 hours)
  – 4 * 0.75 * 15,000 = 45,000 hours per year spent in patching*
  – 22 skilled DBAs required JUST to apply patches!

• SMB Oracle customer with 20 databases
  – 4 quarterly patches per year
  – Average of 45 minutes per database to apply the patches (0.75 hours)
  – 4 * 0.75 * 20 = 60 hours per year spent on patching
  – More than a week just to keep up with patches!

* Does not include OS patches
The exorbitant cost of NOT patching
(the slide's headline figures are not recoverable)

• of [database] cyberattacks are on databases that administrators have failed to patch for more than 9 months
  – Mark Hurd, CEO Oracle
• cost to Equifax of last year's data breach, blamed on an unpatched vulnerability in Apache Struts
Autonomous Database Security – Patching is automatic
• Security patches applied every quarter
  – Patching can also occur off-cycle if a zero-day exploit is discovered
• Patches are applied without application downtime, further reducing the cost of patching

Annual patching costs: $0.00
Manpower required for patching: 0
Autonomous Database Security - Encryption at rest & in motion
• Encryption for Data at Rest
  – Automatically configured: all application data is encrypted within the database
  – Database backups are also encrypted
• Encryption for Data in Motion
  – Automatically configured: all network access to and from the database is encrypted
  – Choice of two methods
    • Oracle Native Network Encryption
    • Transport Layer Security (TLS) v1.2 (default)
Autonomous Database Client Connection Security
• The service is a PDB in a hosted Exadata environment
• SQL*Net connections are encrypted and mutually authenticated using TLS 1.2
• Downloadable client credentials package
  – sqlnet.ora (must have a WALLET_LOCATION pointing to the wallet)
  – a wallet with trusted certificates
    • DigiCert Global Root CA
    • Autonomous Data Warehouse Cloud CA
    • DigiCert SHA2 Secure Server CA
• SQL Developer can just point to the client credentials package
  – The wallet is the client side of the mutual authentication: treat the package as a secret and distribute it only to hosts that should connect
Autonomous Database Separation of Duties
• No access to the database node or file system
• Service administration (by Oracle) is isolated from database use and administration (service consumer)
  – Multitenant
  – Database Vault
    • Database Vault Operations Control later this year
Autonomous Database Security - Auditing
• Autonomous Database leverages Oracle Unified Audit to capture security-relevant activity
  – Login failures
  – Changes to users, including creation of new accounts, grants of privileges or roles
  – Changes to database structures, including tables, procedures, and synonyms
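Detection logic for the three event classes listed above, as an added example: it is not Autonomous Database or Oracle code. It runs over constructed rows whose column names (EVENT_TIMESTAMP, DBUSERNAME, USERHOST, ACTION_NAME, RETURN_CODE, OBJECT_NAME, SQL_TEXT) are those of the UNIFIED_AUDIT_TRAIL view, which is where a query would fetch them in practice; the data, the five-failures-in-five-minutes threshold and the action-name lists are assumptions.

```python
"""Triage rows shaped like Oracle's UNIFIED_AUDIT_TRAIL view for the event classes
the slide lists: failed logins, changes to users and grants, and changes to database
structures.  Added example over constructed rows (column names are the real view's,
the data and thresholds are assumptions); it is not Autonomous Database code."""
from collections import defaultdict
from datetime import datetime, timedelta

USER_ACTIONS = {"CREATE USER", "ALTER USER", "DROP USER", "CREATE ROLE", "DROP ROLE", "GRANT", "REVOKE"}
STRUCTURE_TYPES = {"TABLE", "PROCEDURE", "FUNCTION", "PACKAGE", "SYNONYM", "VIEW", "TRIGGER", "INDEX"}
ORA_01017 = 1017   # RETURN_CODE for "invalid username/password; logon denied"


def _row(ts, user, host, action, rc=0, obj=None, sql=None):
    return {"EVENT_TIMESTAMP": ts, "DBUSERNAME": user, "USERHOST": host,
            "ACTION_NAME": action, "RETURN_CODE": rc, "OBJECT_NAME": obj, "SQL_TEXT": sql}


# Constructed sample: a few minutes of activity on an Autonomous-style PDB.
AUDIT_ROWS = [
    _row("2018-10-22 09:00:01", "APP_USER", "10.2.2.10", "LOGON"),
    _row("2018-10-22 09:00:05", "ADMIN", "203.0.113.7", "LOGON", ORA_01017),
    _row("2018-10-22 09:00:09", "ADMIN", "203.0.113.7", "LOGON", ORA_01017),
    _row("2018-10-22 09:00:14", "ADMIN", "203.0.113.7", "LOGON", ORA_01017),
    _row("2018-10-22 09:00:20", "ADMIN", "203.0.113.7", "LOGON", ORA_01017),
    _row("2018-10-22 09:00:27", "ADMIN", "203.0.113.7", "LOGON", ORA_01017),
    _row("2018-10-22 09:01:00", "ADMIN", "10.2.2.10", "LOGON", ORA_01017),   # one typo, not a burst
    _row("2018-10-22 09:02:30", "ADMIN", "10.2.2.10", "CREATE USER", obj="REPORTING",
         sql="CREATE USER reporting IDENTIFIED BY *"),
    _row("2018-10-22 09:02:31", "ADMIN", "10.2.2.10", "GRANT", obj="REPORTING",
         sql="GRANT DWROLE TO reporting"),
    _row("2018-10-22 09:03:00", "APP_USER", "10.2.2.10", "SELECT", obj="ORDERS",
         sql="SELECT count(*) FROM orders"),
    _row("2018-10-22 09:03:10", "APP_USER", "10.2.2.10", "DROP TABLE", obj="ORDERS_OLD",
         sql="DROP TABLE orders_old"),
]


def _ts(row):
    return datetime.strptime(row["EVENT_TIMESTAMP"], "%Y-%m-%d %H:%M:%S")


def failed_logon_bursts(rows, threshold=5, window=timedelta(minutes=5)):
    """(user, host, count) for every user/host pair with >= threshold ORA-01017 logons
    inside a sliding window; the count reported is the largest window seen."""
    failures = defaultdict(list)
    for r in rows:
        if r["ACTION_NAME"] == "LOGON" and r["RETURN_CODE"] == ORA_01017:
            failures[(r["DBUSERNAME"], r["USERHOST"])].append(_ts(r))
    bursts = []
    for (user, host), times in failures.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts.append((user, host, best))
    return bursts


def privilege_changes(rows):
    """User/role lifecycle and grant events (the slide's 'changes to users')."""
    return [r for r in rows if r["ACTION_NAME"] in USER_ACTIONS]


def structure_changes(rows):
    """DDL against tables, procedures, synonyms and the like (user/role DDL is excluded)."""
    out = []
    for r in rows:
        verb, _, noun = r["ACTION_NAME"].partition(" ")
        if verb in ("CREATE", "ALTER", "DROP") and noun in STRUCTURE_TYPES:
            out.append(r)
    return out


def triage(rows):
    """One summary dict per event class, ready to be turned into alerts."""
    summarize = lambda rs: [(r["DBUSERNAME"], r["ACTION_NAME"], r["OBJECT_NAME"]) for r in rs]
    return {"logon_bursts": failed_logon_bursts(rows),
            "privilege_changes": summarize(privilege_changes(rows)),
            "structure_changes": summarize(structure_changes(rows))}


if __name__ == "__main__":
    for section, items in triage(AUDIT_ROWS).items():
        print(section)
        for item in items:
            print("  ", item)
```

The burst detector keys on user and host so that five failures from one remote address stand out while a single mistyped password from the application host does not; the other two functions are plain filters on ACTION_NAME, which is exactly the level at which Unified Audit policies for these event classes are written.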
Controlling Human Error
• Automation
  – Most database administration tasks fully automated
  – Zero human interaction reduces opportunities for human error
• Service-appropriate restrictions
  – Service consumers are not allowed to run many Oracle Database administrative commands and parameters
  – Removes the ability to inadvertently damage or impact performance
Program Agenda: 5 Hybrid Environments


Database Cloud Service - Security
Oracle Cloud – Security By Default

• Oracle delivers data security
  – Data encrypted by default in the Cloud
  – In transit, and at rest
  – Full defense-in-depth security features
• Customer maintains control of
  – Access keys, using Oracle Key Vault
  – Audit trails, using Oracle Audit Vault
(diagram: On Premises and Oracle Cloud)


Database Security – A hybrid approach

(diagram) Capabilities of the hybrid model: Encryption & Redaction, Access Control, Masking, Data Masking, Key Storage, Audit Data Repository & Analysis, Policy Definition.


Audit Vault Hybrid Deployment

(diagram) Audit Vault agents (AV AGENT) run on the databases in Oracle Cloud and on-premises and forward audit data to the on-premises Audit Vault Server, where policies are defined; users and applications consume alerts and reports from the server.


Key Vault Hybrid Deployment

(diagram) Key Vault stays on-premises; databases in Oracle Cloud reach it through a gateway over an SSH tunnel, VPN, etc.; users and applications get alerts and reports from Key Vault.


Oracle Database Cloud Services
Oracle Database 12c Multitenant

• Migrate databases to other containers (Oracle Database Cloud, other clouds, or an on-premises database)
• Do not forget to export and import the TDE keys (ADMINISTER KEY MANAGEMENT EXPORT KEYS / IMPORT KEYS); a PDB plugged in without its keys cannot open its encrypted tablespaces
Data Subsetting & Masking Scenarios

Extract => Mask or Subset => Upload

(diagram) Production data is extracted on premises, masked or subsetted on premises, and only then uploaded to the cloud.


Safe Harbor Statement
The preceding is intended to outline our general product direction. It is intended for
information purposes only, and may not be incorporated into any contract. It is not a
commitment to deliver any material, code, or functionality, and should not be relied upon
in making purchasing decisions. The development, release, and timing of any features or
functionality described for Oracle’s products remains at the sole discretion of Oracle.
