Cross Domain Security Express (CDSE)
July 2016
Patrick Sack, Chief Technology Officer, Oracle National Security Group
Copyright © 2016, Oracle and/or its affiliates. All rights reserved.2
Program Agenda
Introduction
Architecture Overview
Deployment Options
Summary
Unclassified
Introduction
Oracle Multi Domain Database
• Extension of the Enterprise Edition Oracle Database (11g/12c)
• First and only accredited Multi Domain Database
• Exclusive to Oracle National Security Group (ITAR Controlled)
• Multiple Accreditations under DCID 6/3
• ICD 503 (800-53) migration
• Listed on Unified Cross Domain Services Management Office (UCDSMO) Baseline (as CDSE)
• Supports entire corpus of the CAPCO Register (everything)
Integrating Intelligence Across Domains
Security by separation results in duplicate infrastructures and O&M costs
Challenges to Replicated Copies of Data
• Replication complexity, failures and time delays
• Multiple versions of data with difficulties in finding the true Master copy
[Figure: Domain A + B + C, Domain B, Domain C]
Multi-Domain Database
Replicated Instances
• Higher Cost
• Lower Mission Performance
• Redundant Copies of Data
• Additional Sustainment Staff
• Replication Complexity and Errors
• Added Configuration Management Costs
• Added Power, Space and Cooling Needs
• No comprehensive auditing with a focus on the security posture of the enterprise
[Figure: Multiple Databases vs. Single Database]
Single Copy Data Store Serving Many Security Domains Reduces Costs, Improves Intel
Multi-Domain Data Store Allows Secure Information Sharing
• Accurate Intelligence
• Data changes instantly everywhere with zero data inconsistency and zero latency
• One sustainment cost & effort
• Costs reduction N:1
• Supports all major standards and data types
– REST, SOA, XML, GeoSpatial, Key/Value, JSON, Text, Graph, Documents, SQL
• UCDSMO baseline approved
• Multiple accreditations
How It’s Done
1. Reduced Domain Exposure
– Multi-Level Networking & Isolation
– One way Networking – Connect In, No insecure path out
– Physical and logical security for data and system messaging
2. Mitigate Information Leakage
– Data Tagging for Visibility, Isolation and Release
– Data Assurance
– Trusted Integration between Database and OS
3. Mandatory Security Controls for all Privileged Users
– OS Administration
– DB Administration
– Privileged User Administration
4. Tamper-proof Auditing
– Collection
– Filtering and Reporting / Situational Awareness
– Monitoring and Alerting
Layered Security
Notional Classification Markings
Oracle Label Security (OLS)
• NSTISSP 11 Compliant
• FIPS/CC Evaluated
• Over 100 IC and DoD Deployments
• CAPCO Compliant Labels
• Set up the OLS Policy Once
• Mission data is labeled
• User connects
• User ID shared with the DBMS
• User (or App) formulates SQL Query
• OLS filters data
Oracle Label Security (simplified view)
Network + Authorizations + Security Label = Data
[Figure: Example – Oracle Multi Domain Database (2-5)]
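The "Network + Authorizations + Security Label = Data" flow above, as an added example that is not from the slide deck: a minimal OLS policy built with the documented SA_* administration packages. The policy, schema, table, user and label names are assumptions, and the DCL steps are run by the OLS administrator.

```sql
-- Added example (not from the deck). Names are assumed: policy MISSION_OLS,
-- table MISSION.PLANNING_DATA, users ANALYST_A and ANALYST_B.

-- 1. Create the policy once; it adds a hidden label column to protected tables.
BEGIN
  SA_SYSDBA.CREATE_POLICY(policy_name => 'MISSION_OLS',
                          column_name => 'OLS_LABEL');
END;
/
-- 2. Define ordered sensitivity levels and a compartment.
BEGIN
  SA_COMPONENTS.CREATE_LEVEL('MISSION_OLS', 1000, 'U', 'UNCLASSIFIED');
  SA_COMPONENTS.CREATE_LEVEL('MISSION_OLS', 2000, 'S', 'SECRET');
  SA_COMPONENTS.CREATE_COMPARTMENT('MISSION_OLS', 100, 'NF', 'NOFORN');
END;
/
-- 3. Define the data labels rows may carry.
BEGIN
  SA_LABEL_ADMIN.CREATE_LABEL('MISSION_OLS', 10, 'U');
  SA_LABEL_ADMIN.CREATE_LABEL('MISSION_OLS', 20, 'S');
  SA_LABEL_ADMIN.CREATE_LABEL('MISSION_OLS', 30, 'S:NF');
END;
/
-- 4. Apply the policy: READ_CONTROL filters queries, WRITE_CONTROL filters DML.
BEGIN
  SA_POLICY_ADMIN.APPLY_TABLE_POLICY(policy_name   => 'MISSION_OLS',
                                     schema_name   => 'MISSION',
                                     table_name    => 'PLANNING_DATA',
                                     table_options => 'READ_CONTROL,WRITE_CONTROL');
END;
/
-- 5. Authorizations: each user's maximum read label (the "Authorizations" term).
BEGIN
  SA_USER_ADMIN.SET_USER_LABELS('MISSION_OLS', 'ANALYST_B', 'S:NF');
  SA_USER_ADMIN.SET_USER_LABELS('MISSION_OLS', 'ANALYST_A', 'U');
END;
/
-- 6. Label a row explicitly (the "Security Label" term).
INSERT INTO mission.planning_data (id, location, ols_label)
VALUES (1, 'SYRIA', CHAR_TO_LABEL('MISSION_OLS', 'S:NF'));
COMMIT;
-- Same query, different result: ANALYST_B sees row 1, ANALYST_A gets no rows,
-- because OLS appends the label comparison to the statement, not the user.
SELECT id, location FROM mission.planning_data WHERE location = 'SYRIA';
```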
Oracle Database Vault (DBV)
Implemented with
– Realms
– Factors
– Command Rules
• Keep privileged database users from abusing their powers
• Address Separation of Duties requirements
• Enforce security policies and block unauthorized database activities
• Prevent application by-pass to protect application data
http://techbus.safaribooksonline.com
[Figure: Database Vault separation of duties – Data Owner, Security Admin and DBA roles; security realm CDR_RAW protecting Planning Data, Intel Reports and Messages; Application Users issuing: select * from PlanningData where Location = ‘SYRIA’]
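An added example, not taken from the deck, of the realm and command-rule controls named above, using the DBMS_MACADM API that Database Vault documents. The realm name, the MISSION schema and the use of 12c unified auditing for the check at the end are assumptions.

```sql
-- Added example (not from the deck). Run as a Database Vault owner (DV_OWNER).
-- Assumed: application schema MISSION, realm "Mission Data Realm".

-- 1. Realm: a protected boundary around every MISSION object. Once it exists,
--    system privileges such as SELECT ANY TABLE held by a DBA stop applying inside it.
BEGIN
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'Mission Data Realm',
    description   => 'Planning data, intel reports and messages',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);  -- audit every violation
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'Mission Data Realm',
    object_owner => 'MISSION',
    object_name  => '%',
    object_type  => '%');
END;
/
-- 2. Authorization: only the data owner is a realm owner; the DBA is deliberately absent.
BEGIN
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name   => 'Mission Data Realm',
    grantee      => 'MISSION',
    auth_options => DBMS_MACUTL.G_REALM_AUTH_OWNER);
END;
/
-- 3. Command rule: DROP TABLE on MISSION objects is refused for everyone via the
--    built-in "Disabled" rule set, regardless of privileges.
BEGIN
  DBMS_MACADM.CREATE_COMMAND_RULE(
    command       => 'DROP TABLE',
    rule_set_name => 'Disabled',
    object_owner  => 'MISSION',
    object_name   => '%',
    enabled       => DBMS_MACUTL.G_YES);
END;
/
-- 4. Check from the audit side (assumes unified auditing): a DBA running
--    SELECT * FROM mission.planning_data now fails with ORA-01031 and leaves this record.
SELECT event_timestamp, dbusername, dv_action_name, dv_action_object_name, dv_return_code
  FROM unified_audit_trail
 WHERE audit_type = 'Database Vault'
 ORDER BY event_timestamp DESC;
```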
Oracle Advanced Security
• Transparent Data Encryption
– Maintains encryption of data on storage automatically
– Numerous encryption algorithms including AES256
• Network Encryption – between application and database
[Figure: Disk, Backups, Exports, Off-Site Facilities]
• Strong Authentication – beyond login / password
– Kerberos
– PKI (certificate-based authentication and encryption)
– RADIUS (Remote Authentication Dial-In User Service)
Technical Architecture
Key Components
Simplified architecture, lower cost, faster deployment
Optional X86 architecture available
Scalable processing & storage
2-12 networks supported
Standardized Architecture
Standardized Hardware
– SPARC T5 Servers, Solaris
– Deployments use same, reducing complexity
– Contained within single half rack (24U typical)
Simplified Licensed Software set
– Reduced cost
Standardized Hardware and Software configurations
Deployment: Integration & Development System (IDS)
• Virtualized instance of SDS architecture on single server
• Reduced license and hardware costs
• Ideal for integration and development testing
• Building block for system lifecycle: Dev->Test->Production
Deployment: Standard Deployment System (SDS)
• Enterprise implementation of standard MDDB with supporting documentation
• Standardized hardware architecture configuration
• Standardized deployment process that provides full lockdown and security configurations
• Scalable storage and database nodes
• Production MDDB that supports full program lifecycle
Application Integration: Ease of Integration
• Standard interfaces (JDBC, WS, JMS)
• Supports integration with enterprise identity and authorization stores – Active Directory, LDAP, Attribute Services, etc.
• Supports legacy, GOTS, and COTS applications w/limited modifications
Current integrations:
• Custom web applications
• Messaging Systems (M3)
• PeopleSoft HCM applications (eZHR)
• Siebel CRM
• Oracle WebCenter ECM
• Oracle Business Intelligence (OBIEE)
Leverages Core Oracle Products on IC-CLA
Oracle Database Enterprise Edition 11g/12c
• Oracle Real Application Clusters (RAC)
• Oracle Advanced Security - Encryption
• Oracle Database Vault - Insider threat
• Oracle Label Security - Data tagging/labeling
• Oracle Spatial - Spatial, graph & RDF
• Oracle Partitioning - Query acceleration
Oracle Enterprise Manager 12c/13c
• Diagnostics - Automatically introspect issues
• Tuning - Automatically fix issues
• Lifecycle Management - Compliance
Oracle’s SPARC Servers
[Figure: Oracle Cross Domain Infrastructure on SPARC M7 and S7]
Modern CDSE Hardware for Secure Computing
SPARC M7 with Oracle’s Software in Silicon architecture
• Security in Silicon – Wide key encryption and Silicon Secured Memory
• SQL in Silicon – Breakthrough hardware SQL acceleration and decompression for Oracle Database In-Memory
• World’s Fastest Microprocessor – More cores, more threads, more bandwidth, lower latency; extreme performance for apps and cloud
[Figure: Billions of records scanned per second, 3x faster with encryption on; 32 crypto accelerators per processor; clear data in, encrypted data out]
SQL in Silicon: Database In-Memory Acceleration Engines
• SIMD vector instructions are fast, but were designed for graphics, not database
• New SPARC M7 chip has 32 optimized database acceleration engines (DAX) built on chip
• Independently process streams of columns
– E.g. find all values that match ‘California’
– Up to 170 Billion rows per second!
• Like adding 32 additional specialized cores to chip
– Using less than 1% of chip space
[Figure: SPARC M7 die – cores, shared cache and DB Accel (DAX) units]
Silicon Secured Memory: Always-On Intrusion Protection
• Unique hardware-based memory protection
• Stops malicious programs from accessing other application memory. Ex: HeartBleed, Venom
• Can be always on: hardware approach has negligible performance impact
• Easily activated for existing applications
• Extremely efficient for software development
Breakthrough security and reliability for applications
[Figure: memory pointers checked against memory (GO / GO)]
Most Advanced Platform for Secure Computing
Security in Silicon, Data Analytics Acceleration, Fastest for Database & Enterprise Apps
[Figure: SPARC M7, SPARC T7, SPARC S7 – Secure Enterprise to Tactical Deployments]
Two Systems, Five Enclosures, Shared Design
SPARC S7-2 and SPARC S7-2L Servers
• SPARC S7-2L, 2U, 12x 3.5-inch and 2x 2.5-inch drives: 2 processors; 16 DIMMs; 1,024 GB DDR4; 6 PCIe 3.0 slots; ~100 TB storage (12x 3.5-inch drives plus 2x 2.5-inch SAS-3 drives)
• SPARC S7-2L, 2U, 26x 2.5-inch drives: 2 processors; 16 DIMMs; 1,024 GB DDR4; 6 PCIe 3.0 slots; 39 TB storage (24x plus 2x 2.5-inch SAS-3 drives, 4x NVMe-enabled bays)
• SPARC S7-2L, 2U, 8x 2.5-inch drives: 2 processors; 16 DIMMs; 1,024 GB DDR4; 6 PCIe 3.0 slots; 17 TB storage (8x 2.5-inch SAS-3 drives, 4x NVMe-enabled bays)
• SPARC S7-2, 1U, 8x 2.5-inch drives: 1 or 2 processors; 16 DIMMs; 1,024 GB DDR4; 3 PCIe 3.0 slots; 17 TB storage (8x 2.5-inch SAS-3 drives, 4x NVMe-enabled bays)
• SPARC S7-2L, 2U, 12x 2.5-inch NVMe flash drives: 2 processors; 16 DIMMs; 1,024 GB DDR4; 4 PCIe 3.0 slots; 38 TB NVMe flash storage (12x 2.5-inch NVMe drives)
Summary - Multi-Domain Database Benefits
Mission Benefits
• Single source of truth (1 copy of data) for Integrated Intelligence
• Zero data latency - data is instantly accessible through release process
• Data security labels (tagged data) enable sharing – increases data value
• Single Information Environment (SIE) provides comprehensive data store for mission operations and analytics
• Relational, XML, JSON, Spatial, Graph, Files; SQL, REST, Advanced Analytics and R
• Information sharing with external organizations - controlled access
Cost Savings
Data store consolidation reduces:
• License & Hardware
• Storage (many to one)
• O&M LOE
• Backup & recovery infrastructure
• Datacenter footprint (power & cooling)
• Configuration management LOE
• Greater economies of scale as more networks connected
Backup Slides
Example: Multi-Domain Content Management System
System details
– MS SharePoint integration (web services interface)
– Windows desktop drag & drop file access
– Full Enterprise Content Management capabilities
– Open Standards interfaces supporting over 600 file types
– Ozone Widget Framework/REST support
– DoD 5015.2V3 Records Management Certified
Oracle Virtual Private Database
VPD column policies mask out sensitive data
– Policy enforced only if specific columns are referenced
– Increases row level security granularity
Policy predicate:
  where account_mgr_id = sys_context('APP','CURRENT_MGR');
Query:
  select * from customers;
[Figure: CUSTOMERS rows with SSN and salary columns; VPD applied for MGR ID = 148]
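The column policy sketched on this slide, written out as an added example (not code from the deck) with the DBMS_RLS API. The APP schema, the CUSTOMERS columns (SSN, SALARY, ACCOUNT_MGR_ID) and the context package are assumptions; the predicate and the manager id 148 are the slide's.

```sql
-- Added example (not from the deck). Assumed: schema APP owns CUSTOMERS
-- with columns CUST_ID, NAME, ACCOUNT_MGR_ID, SSN, SALARY.

-- 1. Application context holding the connected manager's id; only the named
--    trusted package can set it, so the predicate cannot be spoofed from SQL.
CREATE OR REPLACE PACKAGE app_ctx_pkg AS
  PROCEDURE set_current_mgr(p_mgr_id IN NUMBER);
END;
/
CREATE OR REPLACE PACKAGE BODY app_ctx_pkg AS
  PROCEDURE set_current_mgr(p_mgr_id IN NUMBER) IS
  BEGIN
    DBMS_SESSION.SET_CONTEXT('APP', 'CURRENT_MGR', TO_CHAR(p_mgr_id));
  END;
END;
/
CREATE OR REPLACE CONTEXT app USING app_ctx_pkg;

-- 2. Policy function returning the predicate shown on the slide.
CREATE OR REPLACE FUNCTION customers_mgr_policy(p_schema IN VARCHAR2,
                                                p_object IN VARCHAR2)
  RETURN VARCHAR2 IS
BEGIN
  RETURN q'[account_mgr_id = SYS_CONTEXT('APP','CURRENT_MGR')]';
END;
/
-- 3. Attach it only to the sensitive columns. With sec_relevant_cols_opt =>
--    DBMS_RLS.ALL_ROWS every row is returned but SSN/SALARY come back NULL on
--    rows failing the predicate (column masking). Without that option the
--    predicate filters rows instead, and only when SSN or SALARY is referenced;
--    SELECT cust_id, name FROM customers is untouched either way.
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema         => 'APP',
    object_name           => 'CUSTOMERS',
    policy_name           => 'CUST_MASK_SSN',
    function_schema       => 'APP',
    policy_function       => 'CUSTOMERS_MGR_POLICY',
    statement_types       => 'SELECT',
    sec_relevant_cols     => 'SSN,SALARY',
    sec_relevant_cols_opt => DBMS_RLS.ALL_ROWS);
END;
/
-- 4. Exercise it as the manager on the slide (MGR ID = 148).
EXEC app_ctx_pkg.set_current_mgr(148);
SELECT cust_id, account_mgr_id, ssn, salary FROM app.customers;
-- Rows with account_mgr_id = 148 show SSN and salary; all other rows are
-- still listed, with SSN and SALARY masked to NULL.
```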
Transparent Data Encryption: Advanced Protection for the Oracle Database
• Encrypts columns or entire application tablespaces
• Protects the database files on disk and on backups
• Securely manages the keys, assists with key rotation
• Supports Oracle Exadata engineered systems
• Compatible with applications, no changes required
[Figure: Applications – Encrypted Data – Managed Keys; protected copies on Disk, Backups, Exports and Off-Site Facilities]