oracle openworld sf 2015: the secure cloud - larry ellison, executive chairman and chief technology...


Upload: oracle

Post on 07-Jan-2017


TRANSCRIPT

Innovations in Security & Infrastructure as a Service – Tuesday Keynote

The Cloud: A New Era of Utility Computing – All Three Tiers of Computing Delivered as a Service via Global Network

• Applications: Software as a Service – SaaS

• Platform: Database, Middleware, Analytics, Integration… as a Service – PaaS

• Infrastructure: Storage, Compute and Network as a Service – IaaS


The Cloud 2015: A New Set of Competitors – Microsoft, Amazon, Salesforce, WorkDay

• Applications: Salesforce and WorkDay – Not SAP

• Platform: Microsoft – Not IBM

• Infrastructure: Amazon – Not IBM and EMC


Oracle Cloud: Engineering All Three Tiers of Services – Microsoft has three, Amazon has two, Salesforce has two, Workday has one

• SaaS: More Enterprise Applications than any Cloud Services Provider

– #1 ERP/EPM Suite, CX Suite, HCM Suite, New Supply Chain Manufacturing Suite…

• PaaS: Complete Suite of Industry Standards-Based Platform Services – #1 SQL Database, Hadoop, NoSQL, #1 Java Middleware, Node.js, Ruby…

• IaaS: Secure, Reliable, Low Cost, Standards-Based Infrastructure Services – OpenStack, Linux OS, Xen VM, Docker

Oracle Cloud: Six Design Goals – Oracle Develops these Features in all Three Tiers of the Cloud

• Cost: Lowest acquisition price – Lowest total cost of ownership

• Reliability: Fault tolerant – No single point of failure

• Performance: Fastest database, middleware, analytics…

• Standards: SQL, Hadoop, NoSQL…Java, Ruby, Node.js…Linux, Docker

• Compatibility: Easily move workloads between on-premise and Cloud

• Security: Always-on continuous defense against cyber attacks

Oracle Engineers All Three Tiers of the Cloud – Next Generation of Security Should be Pushed-Down and Always-on

• Security Features Should be Pushed-Down the Stack

– Software: Database Security is inherited by all applications

– Hardware: Security in Silicon is inherited by all software

• Security Features Should Be Always-On – No on-and-off button: No choice

– Work transparently without changing existing applications

– Work with near zero performance penalty

Cyber Attacks: Data Theft – Current State of the Art in Cyber Security: Not Good Enough

• Credit Card and Identity Theft Costs Billions Every Year

– Retailers’ computers hacked, millions of credit cards stolen, sold on Rescator Website

– New Credit Cards with embedded EMV chip with PIN: Hardware fix

• US Federal Government Office of Personnel Management – More than 20 million personnel records stolen

– Including security background checks and finger prints

– CIA pulled officers out of US Embassies…

• Heartbleed, Venom… Security Bugs Allow Intruders In – Data is stolen

– Data is changed: Stuxnet worm destroyed a thousand centrifuges…

Oracle Already Has World’s Best Security Feature Set – Current Security Technology Issues: Not Always-On, Performance Penalty…

Governance Risk & Compliance , Access & Certification Review, Anomaly Detection, User Provisioning, Entitlements Management

Mobile Security, Privileged Users, Directory Services, Identity Governance, Entitlements Management, Access Management

Encryption, Enterprise Key Management, Database Firewall, Masking, Redaction, Privileged User Control, Auditing, Secure Configuration

Application + User Sandboxing, Delegated Administration, Anti-malware system, Data + Network Protection, Zero-Downtime Patching, Compliance Reporting, Secured Application Lifecycle, Secure Live Migration, Immutable Zones, Independent Control Plane Cryptographic Acceleration, Application Data Integrity, Verified Boot, Disk Encryption, Secured Backup, Storage Key Management

[Slide graphic: the features above mapped onto the stack layers Applications, Middleware, Databases, Servers, Storage & Networking, and Operating Systems & Virtual Machines, grouped into the Applications, Platform and Infrastructure tiers; captions: Most Advanced Security Platform, First Converged Infrastructure in Silicon]

Advancing the State-of-the-Art: Always-On Security in Silicon – Always-On Memory Protection and Encryption Pushed Down the Stack into Silicon

World’s Fastest Microprocessor

Always-on Memory Intrusion Protection & wide key encryption

Hardware SQL acceleration, Compression, Encryption

More cores, threads, memory & IO Bandwidth w/lower latency

Advancing the State-of-the-Art

• Always-On Security in Silicon

– Memory intrusion detection

• High-Speed Encryption – Near zero performance impact

• SQL in Silicon – High-Speed Memory Decompression…

– Accelerates In-Memory Database

M7 Microprocessor – World’s First Implementation of Software Features in Silicon

Always-On Memory Protection in Hardware Security In Silicon – Silicon Secured Memory

• First ever hardware-based memory intrusion protection of its kind

• Always-On hardware approach has near zero performance impact

• Stops programs from accessing other applications’ memory – Stops Malicious Programs like Venom and Heartbleed

– Helps Developers Find Difficult Bugs

M7 Silicon Secured Memory (SSM): How it Works – Always-On Memory Intrusion Detection

• Terabytes of data in highly vulnerable servers’ main memory

• Hidden memory color key and lock set on memory allocation

• Hidden color bits added to pointers (key), and content (lock)

• Pointer color key matches content color lock or program aborted

• Key changed when the memory is freed

• Prevents access off end of structure, stale pointer access, malicious attacks – plus improves developer productivity

[Slide graphic: memory pointers carry a colour key, memory content carries a colour lock; a mismatch stops the access]

Venom Vulnerability – Impacted Servers Using QEMU

• Memory access vulnerability discovered in the open source Quick Emulator hypervisor platform (QEMU)

• Allows malicious code inside a VM guest to execute code in the host machine’s hypervisor security context. The code then escapes the guest VM to gain control over the entire host

• Caused by a buffer over-write condition that allows data to be stored beyond allocated buffer limits

[Slide graphic: a Host System running a Sales Server VM, a Database Server VM and a Web Server VM on a VM Hypervisor over Host Hardware; a hacker exploits VENOM to escape the VM, and VENOM executes instructions in the hypervisor and gains control of the host hardware]

M7 SSM Would Have Detected Venom in Real-Time

• When the QEMU driver attempted to write data beyond its allotted buffer limits (buffer over-write), M7’s Always-on Memory Intrusion Detection would have stopped the access and generated a signal

• The signal handler then could have terminated the offending process

Heartbleed - Impacted Websites Using OpenSSL

Heartbeat request sent to victim:

  Type          Payload_size   Payload
  HB_REQUEST    65535          Hello

Victim responds with requested payload size (64K bytes):

  Type          Payload_size   Payload
  HB_RESPONSE   65535          Hello ………. ………………….

Payload_size does not match Payload: unauthorized data returned to requestor
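The defence at the software level is the comparison the table above shows missing: the declared Payload_size must be checked against the number of bytes that actually arrived before anything is echoed back. The following is an added example, not OpenSSL’s code; it uses the RFC 6520 record layout (1-byte type, 2-byte big-endian length, payload, at least 16 bytes of padding), and the function names and sample records are this example’s own constructions.

```c
/* Added example, not OpenSSL's code: the length check whose absence the
 * heartbeat table above illustrates. Record layout follows RFC 6520 (1-byte
 * type, 2-byte big-endian payload_length, payload, at least 16 bytes of
 * padding); function names and the sample records are this example's own. */
#include <stdint.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Encode a request record. declared_len may differ from the real payload
 * size, which is how a malicious heartbeat is constructed for the test. */
size_t heartbeat_request(uint8_t *buf, size_t cap, const char *payload,
                         uint16_t declared_len) {
    size_t n = strlen(payload);
    if (1 + 2 + n + HB_PADDING > cap) return 0;
    buf[0] = HB_REQUEST;
    buf[1] = (uint8_t)(declared_len >> 8);
    buf[2] = (uint8_t)declared_len;
    memcpy(buf + 3, payload, n);
    memset(buf + 3 + n, 0, HB_PADDING);
    return 1 + 2 + n + HB_PADDING;
}

/* Build the response into out. Returns its length, or 0 when the record is
 * rejected. The peer's payload_length is checked against record_len, the
 * number of bytes that actually arrived, before anything is copied. */
size_t heartbeat_reply(const uint8_t *rec, size_t record_len,
                       uint8_t *out, size_t out_cap) {
    if (record_len < 1 + 2 + HB_PADDING || rec[0] != HB_REQUEST) return 0;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    /* Heartbleed: the vulnerable code omitted this comparison and copied
     * payload_len bytes out of a buffer that held only record_len bytes. */
    if (1 + 2 + payload_len + HB_PADDING > record_len) return 0;
    size_t resp_len = 1 + 2 + payload_len + HB_PADDING;
    if (resp_len > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);        /* echo only what was sent */
    memset(out + 3 + payload_len, 0, HB_PADDING); /* real code uses random padding */
    return resp_len;
}
```

With the honest "Hello" request the reply echoes 5 bytes; with the same 5-byte payload but a declared size of 65535 the record is rejected instead of leaking 64K bytes of process memory.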

M7 SSM Would Have Detected Heartbleed in Real-Time

• When the hacker request attempted to read data beyond its allotted buffer limits (buffer over-read), SSM would have stopped the access and generated a signal

• The signal handler could have responded by flushing the data and terminating the offending connection
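An added example, not Oracle’s code and not a description of the M7 implementation, that models the scheme the SSM slides describe: a colour key in the pointer, a colour lock on the memory, and a lock change on free. It exercises the three cases the slides discuss, an over-write off the end of a structure (the Venom case), an over-read into a neighbour’s memory (the Heartbleed case), and a stale pointer after free; the 64-byte line, the 4-bit colour and the bump allocator are assumptions of the model.

```c
/* Added example, not Oracle code: a software model of the colour-key and
 * colour-lock scheme the SSM slides describe. Real SSM keeps a 4-bit version
 * per 64-byte cache line and in the pointer's unused top bits; every size,
 * name and constant below is this example's own assumption. */
#include <stdint.h>
#include <string.h>

#define LINE        64                /* granularity of one colour lock */
#define LINES       64                /* simulated heap size, in lines */
#define COLOR_SHIFT 60                /* the key lives in pointer bits 60..63 */
#define KEY_OF(p)   ((uint8_t)((p) >> COLOR_SHIFT))
#define OFF_OF(p)   ((size_t)((p) & (((uintptr_t)1 << COLOR_SHIFT) - 1)))

static uint8_t lock[LINES];           /* hidden lock per line; 0 = unallocated */
static size_t  next_line;             /* bump allocator is enough for the model */
static uint8_t next_color = 1;        /* colours cycle through 1..15 */

/* Allocation: pick a fresh key, lock every line the object covers with the
 * same colour, and hand the key back in the pointer's top bits. */
uintptr_t ssm_alloc(size_t n) {
    size_t lines = (n + LINE - 1) / LINE;
    if (n == 0 || next_line + lines > LINES) return 0;
    uint8_t color = next_color;
    next_color = (uint8_t)(next_color % 15 + 1);
    memset(&lock[next_line], color, lines);
    uintptr_t p = ((uintptr_t)color << COLOR_SHIFT) | (uintptr_t)(next_line * LINE);
    next_line += lines;
    return p;
}

/* Free: rotate the lock so the old key no longer opens these lines. This is
 * what turns a stale-pointer (use-after-free) access into a detected fault. */
void ssm_free(uintptr_t p, size_t n) {
    size_t first = OFF_OF(p) / LINE, lines = (n + LINE - 1) / LINE;
    for (size_t i = 0; i < lines && first + i < LINES; i++)
        lock[first + i] = (uint8_t)(lock[first + i] % 15 + 1);
}

/* The check the hardware performs on every load and store: the pointer's key
 * must match the lock on every line touched. 1 = allowed, 0 = trap/signal. */
int ssm_access_ok(uintptr_t p, size_t len) {
    if (len == 0) return 1;
    size_t first = OFF_OF(p) / LINE, last = (OFF_OF(p) + len - 1) / LINE;
    if (last >= LINES) return 0;
    for (size_t i = first; i <= last; i++)
        if (lock[i] != KEY_OF(p)) return 0;
    return 1;
}
```

The model also makes the granularity caveat visible: bytes in the slack between the end of an object and the end of its last 64-byte line carry the object’s own colour, so an overrun that stays inside that slack is not caught, and with 4-bit colours two neighbours share a colour by chance about one time in fifteen.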

The M7 Microprocessor Can Protect the Entire Cloud – Even if 90% of the Microprocessors are not M7s

• Even a few deployed M7 systems can detect an attack on the entire compute cloud

• Once an attack is discovered, the other unprotected systems then can be patched

Ksplice For Userspace – Only Oracle Linux Offers Kernel and Userspace Zero-Downtime Patching

Zero-downtime operating system diagnostic and patching

• Easily diagnose issues in production environments without impacting running systems

• Apply updates (bug and security errata or diagnostic builds) without rebooting the system

– Linux kernel

– Critical userspace libraries such as glibc and OpenSSL

• Rapidly patch zero-day attacks like Heartbleed with no downtime

• Enforce security standards by keeping critical systems patched with latest errata with no impact to production workloads

• Flexible deployment options to complement existing operational processes

Transparent Data Encryption – Always On Data Encryption Prevents Loss of Clear-Text Data

• Encrypts tablespaces to secure data at rest

• Built-in two-tier key management

• Requires no application changes

• “Near Zero” overhead with Silicon Encryption

• Integrated with Oracle Database technologies – Log files, Compression, ASM, DataPump

• Disks • Backups • Exports • Off-Site Facilities


Oracle Key Vault – Centralized On-Premise Key Manager for the Enterprise

Manage encryption keys, Oracle Wallets, Java Keystores, and credential files

• Manages key creation, sharing, rotation, and expiration

• Integrated with Transparent Data Encryption

• Stops all access to cloud data if needed

• Audits all access to keys and key lifecycle changes

Oracle Database Vault – DBAs Administer Technology Resources but Cannot See Application Data

Secure Separation of Duties

• Restrict privileged users from accessing application data

• Control database commands based on multiple factors

• Analyze run-time to discover redundant privileges and roles; Reduce attack-surface

• Monitor activity with Audit Vault

Data Masking – Avoid Exposing Sensitive Data To Test, Development, and Partners

[Slide graphic: data subsetting by condition (Region, Year) or by size; data masking of sensitive fields such as ssn and dob]

• Mask sensitive data with format libraries

• Retain application integrity

• Reduce risk exposure by condition-based subsetting

• Mask/subset in Oracle Cloud with On-Prem Enterprise Manager

Mask and Subset Data Part of Database Cloud Service

Oracle Audit Vault – Audit Trails Managed by Customer Using On-Premises System

Audit Vault logs database & network traffic for Oracle databases

• Analyze audit and event data to raise alerts

• Create out-of-the-box compliance reports

• Detect breaches with trending and anomaly reports

Database Firewall – Transparently Block Threats

Transparently block threats including SQL injection attacks and unauthorized connections

• Detect breaches with trending and anomaly reports

Summary: End-To-End Encryption – Oracle Manages Cloud Technology, Customer Controls Access to Data


• Your data encrypted in transit and at rest

• Keys managed by customer with on-premises Key Vault

• Customers monitor & audit data access via on-premises Audit Vault


Infrastructure As A Service

Oracle Infrastructure-as-a-Service – Secure, Reliable, Low Cost Cloud Infrastructure Services

• Storage: Elastic Storage

• Compute: Elastic Compute

• Network: Software-defined Network

IaaS: General Purpose, Engineered Systems

Optimized for Large Enterprises

• Completely Dedicated Compute Zone per Tenant

• Predictable Performance

• Complete Network Isolation

• Site to Site VPN

• 500, 1000, 1500, 2000 Cores

Optimized for Departments and Dev-Test

• Shared Compute Zone

• Dedicated Core Capacity: 50 and 100 Cores

• Some Isolation via Resource Management across Tenants but noisy neighbors can impact others


Infrastructure as a Service: Compute Cloud Services – Oracle Dedicated Compute: HALF PRICE of Amazon Shared Compute

Announcing: Oracle Private Cloud Machine for PaaS & IaaS

IaaS: Compute • Storage

PaaS: Integration • Java • Mobile Developer • Documents • Process • Identity • Messaging

Identical PaaS and IaaS Software to Oracle Public Cloud

• On-premises Oracle Cloud Platform 100% compatible with Oracle Cloud

• Addresses business or regulatory requirements, data control, or geo preference

• Easiest way to create compatible private and public cloud infrastructure

A NEW ENGINEERED SYSTEM

Private Cloud Machine for PaaS and IaaS – 100% Compatible Oracle Private Cloud Machine and Oracle Public Cloud Service

[Slide graphic: Oracle Cloud and Private Cloud – Coexistence and Migration: Same Architecture, Identical Software, Identical Hardware (optional); transparently move workloads between on-premises and public cloud]

Hybrid Public Cloud / Private Cloud Compatibility and Coexistence – LIVE DATABASE MIGRATION DEMO

Management Cloud: Like Splunk…But in the Cloud – Next Generation Cloud-Based Monitoring and Analytics Solution

• Unified data platform stores all types of machine data, which is automatically correlated

• Scalable data processing pipeline ingests and processes large data volumes at line speed

• Real-time analysis and deep insights across technical and business events

• Manages your on-premises systems and your cloud systems

[Slide graphic: Unified Big Data Platform and Data Pipeline feeding Application Performance Monitoring, Log Analytics and IT Analytics]

Archive Storage Cloud Service – Ideal for Large Data Sets

• On-demand capacity, scales to petabytes

• Multiple redundant data copies for the highest availability

• All data can be encrypted at rest for security

• Automatic data integrity checks for durability

• Industry standard RESTful APIs


$0.001 /GB/Month. Lowest cost per gigabyte in the industry.


Announcing: Hierarchical Storage Manager – Auto-Tier to the Cloud for Huge Cost Savings


• Auto-tiering data from on-premises to Archive Storage Cloud for best resource utilization

– Automatic data access as the business requires

– OpenStack Swift-compliant

• Set policies to tier data to the Cloud based on access patterns, sizes, age of the data

• Proven scalability greater than all competitors


Oracle Strategy: Offer the Same Technology On-Premises and in the Cloud – Storage Portfolio On-Premises and in the Cloud

[Slide graphic: storage portfolio – Oracle All Flash FS (Block SAN Storage: Files, Databases), Oracle ZFS (Network Attached Storage: Files, Databases), Zero Data Loss Recovery Appliance (Extreme Data Protection: Oracle Database), StorageTek Tape (Lowest Cost Mass Storage: Archive)]

Zero Data Loss Recovery Appliance – Completely Automated Backup & Recovery

• Eliminates data loss

– Real-time redo transport

• Minimal production impact – Sends changes, not full backups

• Changes enable restore to any time

• Starts small, scales-out to petabytes

Single rack is twice as fast as Data Domain’s biggest backup appliance.

Engineered Systems Customer Momentum – On-Premises and in the Cloud: Exadata, Private Cloud Machine, ZDLR Appliance…

• 15,267 Engineered Systems shipped to Customers

– 10,628 in October 2014

• 7,321 Exadata units shipped to Customers

– 5,579 in October 2014

2015: A Year of Innovation in the Cloud

• SaaS: World’s First Complete Integrated Set of Enterprise Cloud Applications

• PaaS: Easy Migration of Applications and Databases to the Public Cloud

• IaaS: Always-On Security and Fault-Tolerant Reliability at Commodity Prices