oracle openworld sf 2015: the secure cloud - larry ellison, executive chairman and chief technology...
TRANSCRIPT
The Cloud: A New Era of Utility Computing All Three Tiers of Computing Delivered as a Service via Global Network
• Applications: Software as a Service – SaaS
• Platform: Database, Middleware, Analytics, Integration… as a Service – PaaS
• Infrastructure: Storage, Compute and Network as a Service – IaaS
The Cloud 2015: A New Set of Competitors Microsoft, Amazon, Salesforce, WorkDay
• Applications: Salesforce and WorkDay – Not SAP
• Platform: Microsoft – Not IBM
• Infrastructure: Amazon – Not IBM and EMC
Oracle Cloud: Engineering All Three Tiers of Services Microsoft has three, Amazon has two, Salesforce has two, Workday has one
• SaaS: More Enterprise Applications than any Cloud Services Provider
– #1 ERP/EPM Suite, CX Suite, HCM Suite, New Supply Chain Manufacturing Suite…
• PaaS: Complete Suite of Industry Standards-Based Platform Services – #1 SQL Database, Hadoop, NoSQL, #1 Java Middleware, Node.js, Ruby…
• IaaS: Secure, Reliable, Low Cost, Standards-Based Infrastructure Services – OpenStack, Linux OS, Xen VM, Docker
Oracle Cloud: Six Design Goals Oracle Develops these Features in all Three Tiers of the Cloud
• Cost: Lowest acquisition price – Lowest total cost of ownership
• Reliability: Fault tolerant – No single point of failure
• Performance: Fastest database, middleware, analytics…
• Standards: SQL, Hadoop, NoSQL…Java, Ruby, Node.js…Linux, Docker
• Compatibility: Easily move workloads between on-premise and Cloud
• Security: Always-on continuous defense against cyber attacks
Oracle Engineers All Three Tiers of the Cloud Next Generation of Security Should be Pushed-Down and Always-on
• Security Features Should be Pushed-Down the Stack
– Software: Database Security is inherited by all applications
– Hardware: Security in Silicon is inherited by all software
• Security Features Should Be Always-On – No on-and-off button: No choice
– Work transparently without changing existing applications
– Work with near zero performance penalty
Cyber Attacks: Data Theft Current State of the Art in Cyber Security – Not Good Enough
• Credit Card and Identity Theft Costs Billions Every Year
– Retailers’ computers hacked, millions of credit cards stolen, sold on Rescator Website
– New Credit Cards with embedded EMV chip with PIN: Hardware fix
• US Federal Government Office of Personnel Management – More than 20 million personnel records stolen
– Including security background checks and finger prints
– CIA pulled officers out of US Embassies…
• Heartbleed, Venom… Security Bugs Allow Intruders In – Data is stolen
– Data is changed: Stuxnet worm destroyed a thousand centrifuges…
Oracle Already Has World’s Best Security Feature Set Current Security Technology Issues: Not Always-On, Performance Penalty…
Governance Risk & Compliance , Access & Certification Review, Anomaly Detection, User Provisioning, Entitlements Management
Mobile Security, Privileged Users, Directory Services, Identity Governance, Entitlements Management, Access Management
Encryption, Enterprise Key Management, Database Firewall, Masking, Redaction, Privileged User Control, Auditing, Secure Configuration
Application + User Sandboxing, Delegated Administration, Anti-malware system, Data + Network Protection, Zero-Downtime Patching, Compliance Reporting, Secured Application Lifecycle, Secure Live Migration, Immutable Zones, Independent Control Plane Cryptographic Acceleration, Application Data Integrity, Verified Boot, Disk Encryption, Secured Backup, Storage Key Management
(Figure: the security features above mapped onto the stack – Applications, Middleware, Databases, Operating Systems & Virtual Machines, Servers, Storage & Networking – across the Applications, Platform and Infrastructure tiers; captions "Most Advanced Security Platform" and "First Converged Infrastructure in Silicon")
Advancing the State-of-the-Art: Always-On Security in Silicon Always-On Memory Protection and Encryption Pushed Down the Stack into Silicon
• World’s Fastest Microprocessor
• Always-on Memory Intrusion Protection & wide key encryption
• Hardware SQL acceleration, Compression, Encryption
• More cores, threads, memory & IO Bandwidth w/lower latency
Advancing the State-of-the-Art
• Always-On Security in Silicon
– Memory intrusion detection
• High-Speed Encryption – Near zero performance impact
• SQL in Silicon – High-Speed Memory Decompression…
– Accelerates In-Memory Database
M7 Microprocessor – World’s First Implementation of Software Features in Silicon
Always-On Memory Protection in Hardware Security In Silicon – Silicon Secured Memory
• First ever hardware-based memory intrusion protection of its kind
• Always-On hardware approach has near zero performance impact
• Stops programs from accessing other applications memory – Stops Malicious Programs like Venom and Heartbleed
– Helps Developers Find Difficult Bugs
M7 Silicon Secured Memory (SSM): How it Works Always-On Memory Intrusion Detection
• Terabytes of data in highly vulnerable servers main memory
• Hidden memory color key and lock set on memory allocation
• Hidden color bits added to pointers (key), and content (lock)
• Pointer color key matches content color lock or program aborted
• Key changed when the memory is freed
• Prevents access off end of structure, stale pointer access, malicious attacks – plus improves developer productivity
(Figure: Memory Pointers carry the color key, Memory Content carries the color lock; a mismatch ends in STOP)
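The key/lock scheme in the bullets above, modelled in Python as an added example (this is not Oracle code and not how the M7 silicon is built; it is a software simulation of the idea). Memory is split into 16-byte granules (a constructed value; real hardware tags at a larger, cache-line-sized granularity), every granule carries a hidden lock colour, every pointer carries a key colour, and each load or store compares the two and aborts on mismatch. Freeing a block re-keys it so a stale pointer fails on its next use. The `ColouredMemory`, `TaggedPointer`, `MemoryIntrusion` and `demo` names, the bump allocator and the 4-bit colour space are all assumptions of this example; the demo walks through the off-the-end write, the over-read and the stale-pointer cases the slide lists.

```python
import random

GRANULE = 16        # bytes per coloured granule (constructed value; hardware uses a larger granule)
NUM_COLOURS = 16    # 4-bit colour space; colour 0 is reserved for unallocated memory
FREE_COLOUR = 0


class MemoryIntrusion(Exception):
    """Raised when a pointer's colour key does not match the lock on the memory it touches."""


class TaggedPointer:
    """Address plus the hidden colour key that was issued with it at allocation time."""
    __slots__ = ("addr", "colour")

    def __init__(self, addr, colour):
        self.addr = addr
        self.colour = colour

    def __repr__(self):
        return f"TaggedPointer(addr={self.addr:#x}, colour={self.colour})"


class ColouredMemory:
    """Flat memory whose granules each carry a hidden colour lock (toy model, not M7 hardware)."""

    def __init__(self, size, seed=7):
        assert size % GRANULE == 0
        self.mem = bytearray(size)
        self.locks = [FREE_COLOUR] * (size // GRANULE)
        self.next_free = 0                      # bump allocator: memory is never reused
        self.rng = random.Random(seed)

    @staticmethod
    def _granules(addr, length):
        return range(addr // GRANULE, (addr + length - 1) // GRANULE + 1)

    def malloc(self, nbytes):
        base = self.next_free
        span = -(-nbytes // GRANULE) * GRANULE  # round up to whole granules
        if nbytes <= 0 or base + span > len(self.mem):
            raise MemoryError("toy memory exhausted")
        # Pick a colour different from the block just before this one, so running off
        # the end of that neighbour into this block is guaranteed to mismatch.
        prev = self.locks[base // GRANULE - 1] if base else FREE_COLOUR
        colour = self.rng.choice([c for c in range(1, NUM_COLOURS) if c != prev])
        for g in self._granules(base, span):
            self.locks[g] = colour
        self.next_free = base + span
        return TaggedPointer(base, colour)

    def free(self, ptr):
        # Re-key the block: every granule still carrying the old colour gets a new one,
        # so any stale copy of the pointer fails on its next access.
        old = ptr.colour
        new = self.rng.choice([c for c in range(1, NUM_COLOURS) if c != old])
        g = ptr.addr // GRANULE
        while g < len(self.locks) and self.locks[g] == old:
            self.locks[g] = new
            g += 1

    def _check(self, ptr, offset, length):
        for g in self._granules(ptr.addr + offset, length):
            lock = self.locks[g] if g < len(self.locks) else None
            if lock != ptr.colour:
                raise MemoryIntrusion(f"{ptr!r} touched granule {g} locked with colour {lock}")

    def store(self, ptr, offset, data):
        self._check(ptr, offset, len(data))     # whole access checked before any byte is written
        start = ptr.addr + offset
        self.mem[start:start + len(data)] = data

    def load(self, ptr, offset, length):
        self._check(ptr, offset, length)
        start = ptr.addr + offset
        return bytes(self.mem[start:start + length])


def demo():
    """Exercise the cases the slide lists; returns a dict of outcome flags (all True if the model works)."""
    results = {}
    mem = ColouredMemory(256)
    a = mem.malloc(32)                          # 32-byte buffer: exactly two granules
    b = mem.malloc(32)                          # its neighbour in memory
    mem.store(b, 0, b"neighbour-secret")

    mem.store(a, 0, b"hello")                   # in-bounds write and read back
    results["in_bounds_ok"] = mem.load(a, 0, 5) == b"hello"

    try:                                        # 40 bytes into a 32-byte block: buffer over-write
        mem.store(a, 0, b"A" * 40)
        results["over_write_detected"] = False
    except MemoryIntrusion:
        results["over_write_detected"] = True

    try:                                        # 64 bytes out of a 32-byte block: buffer over-read
        mem.load(a, 0, 64)
        results["over_read_detected"] = False
    except MemoryIntrusion:
        results["over_read_detected"] = True

    mem.free(a)
    try:                                        # stale pointer after free
        mem.load(a, 0, 4)
        results["stale_pointer_detected"] = False
    except MemoryIntrusion:
        results["stale_pointer_detected"] = True

    results["neighbour_intact"] = mem.load(b, 0, 16) == b"neighbour-secret"
    return results


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:24s} {'PASS' if ok else 'FAIL'}")
```

Two caveats the model makes visible: the check is only as fine as the granule, so an overrun that stays inside the last granule of its own block is not caught, and this simulation refuses the whole access up front whereas hardware traps at the first offending granule, after any earlier in-bounds bytes have already been written.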
• Memory access vulnerability discovered in the open source Quick Emulator hypervisor platform (QEMU)
• Allows malicious code inside a VM guest to execute code in the host machine’s hypervisor security context. The code then escapes the guest VM to gain control over the entire host
• Caused by a buffer over-write condition that allows data to be stored beyond allocated buffer limits
Venom Vulnerability - Impacted Servers Using QEMU
(Figure: Host System running a Sales Server VM, Database Server VM and Web server VM on the VM Hypervisor over Host Hardware; the hacker exploits VENOM to escape the VM, and VENOM executes instructions in the hypervisor and gains control of the host hardware)
M7 SSM Would Have Detected Venom in Real-Time
• When the QEMU driver attempted to write data beyond its allotted buffer limits (buffer over-write), M7’s Always-on Memory Intrusion Detection would have stopped the access and generated a signal
• The signal handler then could have terminated the offending process
Heartbleed - Impacted Websites Using OpenSSL
Heartbeat request sent to victim:
  Type: HB_REQUEST, Payload_size: 65535, Payload: Hello
Victim responds with requested payload size (64K bytes):
  Type: HB_RESPONSE, Payload_size: 65535, Payload: Hello ………. ………………….
Payload_size does not match Payload: unauthorized data returned to requestor
M7 SSM Would Have Detected Heartbleed in Real-Time
• When the hacker request attempted to read data beyond its allotted buffer limits (buffer over-read), SSM would have stopped the access and generated a signal
• The signal handler could have responded by flushing the data and terminating the offending connection
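The hardware check above is one layer; the software fix for the same over-read is to refuse any heartbeat whose declared Payload_size exceeds the bytes actually received. The following parser is an added example (not OpenSSL's code and not from the slides) of that check on the message shown above. It assumes a simplified wire format of type (1 byte) | payload_size (2 bytes, big-endian) | payload, with the padding field omitted; the type values 1 and 2 follow RFC 6520, and the `MalformedHeartbeat`, `build_heartbeat`, `parse_heartbeat`, `respond` and `demo` names are this example's own.

```python
import struct

HB_REQUEST = 1                  # heartbeat_request (RFC 6520)
HB_RESPONSE = 2                 # heartbeat_response (RFC 6520)
HEADER = struct.Struct("!BH")   # type (1 byte) | payload_size (2 bytes, big-endian)


class MalformedHeartbeat(ValueError):
    """The declared payload_size does not fit the bytes actually received."""


def build_heartbeat(hb_type, payload, declared_size=None):
    """Serialise a heartbeat. declared_size lets the demo construct the mismatched
    request from the slide; a correct sender always declares len(payload)."""
    if declared_size is None:
        declared_size = len(payload)
    return HEADER.pack(hb_type, declared_size) + payload


def parse_heartbeat(record):
    """Parse a heartbeat and enforce payload_size <= bytes present.
    Trusting payload_size without this comparison is what let a 5-byte 'Hello'
    with a declared size of 65535 pull the surrounding memory into the reply."""
    if len(record) < HEADER.size:
        raise MalformedHeartbeat("record shorter than the heartbeat header")
    hb_type, declared = HEADER.unpack_from(record)
    available = len(record) - HEADER.size
    if declared > available:
        raise MalformedHeartbeat(f"payload_size {declared} but only {available} payload bytes present")
    return hb_type, record[HEADER.size:HEADER.size + declared]


def respond(request):
    """Server side: echo back only the validated payload, never memory beyond it."""
    hb_type, payload = parse_heartbeat(request)
    if hb_type != HB_REQUEST:
        raise MalformedHeartbeat(f"expected HB_REQUEST, got type {hb_type}")
    return build_heartbeat(HB_RESPONSE, payload)


def demo():
    """Returns (payload echoed for a benign request, rejection reason for the slide's 65535/'Hello' request)."""
    benign = respond(build_heartbeat(HB_REQUEST, b"Hello"))
    _, echoed = parse_heartbeat(benign)
    mismatched = build_heartbeat(HB_REQUEST, b"Hello", declared_size=65535)  # the request on the slide
    try:
        respond(mismatched)
        reason = None
    except MalformedHeartbeat as exc:
        reason = str(exc)
    return echoed, reason


if __name__ == "__main__":
    echoed, reason = demo()
    print("benign request echoed:", echoed)
    print("mismatched request rejected:", reason)
```

The point of keeping `build_heartbeat` and `parse_heartbeat` symmetric is that the response is built from the parsed, length-checked payload, so the reply can never be longer than what the requester actually sent.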
The M7 Microprocessor Can Protect the Entire Cloud Even if 90% of the Microprocessors are not M7s
• Even a few deployed M7 systems can detect an attack on the entire compute cloud
• Once an attack is discovered, the other unprotected systems then can be patched
Ksplice For Userspace – Only Oracle Linux Offers Kernel and Userspace Zero-Downtime Patching
Zero-downtime operating system diagnostic and patching
• Easily diagnose issues in production environments without impacting running systems
• Apply updates (bug and security errata or diagnostic builds) without rebooting the system
– Linux kernel
– Critical userspace libraries such as glibc and OpenSSL
• Rapidly patch zero-day attacks like Heartbleed with no downtime
• Enforce security standards by keeping critical systems patched with latest errata with no impact to production workloads
• Flexible deployment options to complement existing operational processes
Transparent Data Encryption Always On Data Encryption Prevents Loss of Clear-Text Data
• Encrypts tablespaces to secure data at rest
• Built-in two-tier key management
• Requires no application changes
• “Near Zero” overhead with Silicon Encryption
• Integrated with Oracle Database technologies – Log files, Compression, ASM, DataPump
• Disks • Backups • Exports • Off-Site Facilities
Oracle Key Vault Centralized On-Premise Key Manager for the Enterprise
Manage encryption keys, Oracle Wallets, Java Keystores, and credential files
• Manages key creation, sharing, rotation, and expiration
• Integrated with Transparent Data Encryption
• Stops all access to cloud data if needed
• Audits all access to keys and key lifecycle changes
Oracle Database Vault DBAs Administer Technology Resources but Cannot see Applications Data
Secure Separation of Duties
• Restrict privileged users from accessing application data
• Control database commands based on multiple factors
• Analyze run-time privilege use to discover redundant privileges and roles; reduce the attack surface
• Monitor activity with Audit Vault
Data Masking: Avoid Exposing Sensitive Data To Test, Development, and Partners
(Figure: Data Subsetting by Region, Year or size-based; Data Masking of fields such as ssn: 423-55-3571 and dob: 12/01/1987)
• Mask sensitive data with format libraries
• Retain application integrity
• Reduce risk exposure by condition-based subsetting
• Mask/subset in Oracle Cloud with On-Prem Enterprise Manager
Mask and Subset Data Part of Database Cloud Service
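The two operations on these slides, condition-based subsetting and format-preserving masking, as an added Python example (not Oracle's masking library or any of its formats). Masking is keyed and deterministic, so the same real SSN maps to the same surrogate in every table and foreign keys still line up after masking; subsetting keeps only customers matching a predicate and then only the child rows whose parent survived. The `mask_ssn`, `mask_dob`, `subset` and `mask_and_subset` functions, the MM/DD/YYYY reading of the date, the sample tables and the key are all constructed for this example.

```python
import datetime as dt
import hashlib
import hmac
import re

SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")


def _keyed_int(key, label, value, counter=0):
    """Deterministic keyed integer derived from a field value (HMAC-SHA256, first 8 bytes)."""
    mac = hmac.new(key, f"{label}|{counter}|{value}".encode(), hashlib.sha256).digest()
    return int.from_bytes(mac[:8], "big")


def mask_ssn(ssn, key):
    """Replace an SSN with a keyed surrogate in the same NNN-NN-NNNN shape.
    Surrogates avoid the never-issued area/group/serial values and never equal the input."""
    if not SSN_RE.match(ssn):
        raise ValueError("not an SSN in NNN-NN-NNNN form")
    for counter in range(64):
        d = _keyed_int(key, "ssn", ssn, counter) % 1_000_000_000
        area, group, serial = d // 1_000_000, (d // 10_000) % 100, d % 10_000
        if area not in (0, 666) and area < 900 and group and serial:
            surrogate = f"{area:03d}-{group:02d}-{serial:04d}"
            if surrogate != ssn:
                return surrogate
    raise RuntimeError("could not derive a well-formed surrogate")


def mask_dob(dob, key, max_shift_days=180):
    """Shift an MM/DD/YYYY date of birth by a keyed, non-zero offset within +/- max_shift_days,
    keeping the format and roughly the age while breaking the link to the real date."""
    real = dt.datetime.strptime(dob, "%m/%d/%Y").date()
    shift = _keyed_int(key, "dob", dob) % (2 * max_shift_days + 1) - max_shift_days
    if shift == 0:
        shift = max_shift_days
    return (real + dt.timedelta(days=shift)).strftime("%m/%d/%Y")


def subset(customers, accounts, keep):
    """Condition-based subsetting: keep customers matching `keep`, then only the accounts
    that still have a parent row, so referential integrity survives."""
    kept = [c for c in customers if keep(c)]
    ids = {c["id"] for c in kept}
    return kept, [a for a in accounts if a["customer_id"] in ids]


def mask_and_subset(customers, accounts, key, keep):
    cust, acct = subset(customers, accounts, keep)
    cust = [{**c, "ssn": mask_ssn(c["ssn"], key), "dob": mask_dob(c["dob"], key)} for c in cust]
    acct = [{**a, "holder_ssn": mask_ssn(a["holder_ssn"], key)} for a in acct]
    return cust, acct


# Constructed sample tables (not real people); the first SSN/DOB pair is the one on the slide.
CUSTOMERS = [
    {"id": 1, "region": "EMEA", "year": 2015, "ssn": "423-55-3571", "dob": "12/01/1987"},
    {"id": 2, "region": "AMER", "year": 2014, "ssn": "512-44-0001", "dob": "03/15/1979"},
    {"id": 3, "region": "EMEA", "year": 2013, "ssn": "219-30-7788", "dob": "07/22/1990"},
]
ACCOUNTS = [
    {"acct": "A-100", "customer_id": 1, "holder_ssn": "423-55-3571"},
    {"acct": "A-101", "customer_id": 2, "holder_ssn": "512-44-0001"},
    {"acct": "A-102", "customer_id": 1, "holder_ssn": "423-55-3571"},
]
KEY = b"constructed-masking-key"   # in practice held in a key manager, never shipped with the test data


def demo():
    """Subset to EMEA customers from 2014 on, then mask; returns (customers, accounts)."""
    return mask_and_subset(CUSTOMERS, ACCOUNTS, KEY,
                           keep=lambda c: c["region"] == "EMEA" and c["year"] >= 2014)


if __name__ == "__main__":
    for table in demo():
        for row in table:
            print(row)
```

Because the surrogate is derived from the real value under a secret key, the masked data set carries no key material of its own: anyone holding only the test copy cannot reverse it, while the production side can re-run the same mapping and still join the two.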
Oracle Audit Vault Audit Trails Managed by Customer Using On-Premises System
Audit Vault logs database & network traffic for Oracle databases
• Analyze audit and event data to raise alerts
• Create out-of-the-box compliance reports
• Detect breaches with trending and anomaly reports
Database Firewall Transparently Block Threats
Transparently block threats including SQL injection attacks and unauthorized connections
• Detect breaches with trending and anomaly reports
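The Database Vault, Audit Vault and Database Firewall slides describe three kinds of control: privileged users kept out of application data, commands judged on several factors such as the connecting client, and alerts raised from audit data when activity departs from its baseline. The following is an added example (not Audit Vault's format, rules or code) of that detection logic run over constructed audit records. The `key=value` line format, the `HR.`/`FIN.` protected realms, the client allow-list, the 10x volume threshold and the `analyze` function are all assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed audit records in a simple key=value line format (not Audit Vault's real format).
AUDIT_LINES = """\
ts=2015-10-27T09:01:02Z user=APP_SVC role=APP client=app-tier-1 action=SELECT object=HR.EMPLOYEES rows=12
ts=2015-10-27T09:01:05Z user=APP_SVC role=APP client=app-tier-1 action=SELECT object=HR.EMPLOYEES rows=8
ts=2015-10-27T09:02:10Z user=SYS_DBA role=DBA client=ops-jump-1 action=ALTER object=HR.EMPLOYEES rows=0
ts=2015-10-27T09:03:00Z user=SYS_DBA role=DBA client=ops-jump-1 action=SELECT object=HR.EMPLOYEES rows=50000
ts=2015-10-27T09:04:30Z user=APP_SVC role=APP client=laptop-7 action=SELECT object=HR.EMPLOYEES rows=10
ts=2015-10-27T09:05:00Z user=APP_SVC role=APP client=app-tier-1 action=SELECT object=HR.EMPLOYEES rows=9
ts=2015-10-27T09:06:00Z user=APP_SVC role=APP client=app-tier-1 action=SELECT object=HR.EMPLOYEES rows=5000
"""

PROTECTED_REALMS = ("HR.", "FIN.")          # application schemas a DBA may administer but not read
DATA_ACTIONS = {"SELECT", "INSERT", "UPDATE", "DELETE"}
ALLOWED_CLIENTS = {                         # the "multiple factors" rule: who may connect from where
    "APP_SVC": {"app-tier-1", "app-tier-2"},
    "SYS_DBA": {"ops-jump-1"},
}
VOLUME_FACTOR = 10                          # rows returned above 10x the user's history is anomalous
MIN_HISTORY = 3                             # need a few observations before judging volume

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse(line):
    """Turn one key=value audit line into a dict (empty dict for blank lines)."""
    return dict(KV_RE.findall(line))


def analyze(text):
    """Stream the audit lines and return (rule, timestamp, user) alerts in the order found."""
    alerts = []
    history = defaultdict(list)             # per-user row counts seen so far, built as we stream
    for line in text.splitlines():
        r = parse(line)
        if not r:
            continue
        user, action, obj, rows = r["user"], r["action"], r["object"], int(r["rows"])

        # Separation of duties: a DBA touching application data inside a protected realm.
        if r["role"] == "DBA" and action in DATA_ACTIONS and obj.startswith(PROTECTED_REALMS):
            alerts.append(("realm_violation", r["ts"], user))

        # Unauthorized connection: a known account arriving from a client it never uses.
        if r["client"] not in ALLOWED_CLIENTS.get(user, set()):
            alerts.append(("unauthorized_client", r["ts"], user))

        # Volume anomaly: far more rows than anything this user has pulled before.
        seen = history[user]
        if len(seen) >= MIN_HISTORY and rows > VOLUME_FACTOR * max(seen):
            alerts.append(("volume_anomaly", r["ts"], user))
        seen.append(rows)
    return alerts


if __name__ == "__main__":
    for rule, ts, user in analyze(AUDIT_LINES):
        print(f"{ts} {rule:20s} {user}")
```

Note what each rule does and does not fire on: the DBA's `ALTER` is administration and passes, while the DBA's `SELECT` on the same table is a realm violation; the oversized DBA read is caught by the realm rule rather than the volume rule because that account has too little history to baseline, which is why a separation-of-duties control is worth having alongside anomaly scoring.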
Summary: End-To-End Encryption Oracle Manages Cloud Technology – Customer Controls Access to Data
• Your data encrypted in transit and at rest
• Keys managed by customer with on-premises Key Vault
• Customers monitor & audit data access via on-premises Audit Vault
Oracle Infrastructure-as-a-Service Secure, Reliable, Low Cost Cloud Infrastructure Services
• Storage: Elastic Storage
• Compute: Elastic Compute
• Network: Software-defined Network
IaaS: General Purpose, Engineered Systems
Optimized for Large Enterprises
• Completely Dedicated Compute Zone per Tenant
• Predictable Performance
• Complete Network Isolation
• Site to Site VPN
• 500, 1000, 1500, 2000 Cores
Optimized for Departments and Dev-Test
• Shared Compute Zone
• Dedicated Core Capacity: 50 and 100 Cores
• Some Isolation via Resource Management across Tenants but noisy neighbors can impact others
Infrastructure as a Service: Compute Cloud Services
(Figure: Oracle Dedicated Compute – HALF PRICE – Amazon Shared Compute)
Announcing: Oracle Private Cloud Machine for PaaS & IaaS
(Figure: IaaS – Compute, Storage; PaaS – Integration, Java, Mobile Developer, Documents, Process, Identity, Messaging)
Identical PaaS and IaaS Software to Oracle Public Cloud
• On-premises Oracle Cloud Platform 100% compatible with Oracle Cloud
• Addresses business or regulatory requirements, data control, or geo preference
• Easiest way to create compatible private and public cloud infrastructure
A NEW ENGINEERED SYSTEM
Private Cloud Machine for PaaS and IaaS 100% Compatible Oracle Private Cloud Machine and Oracle Public Cloud Service
(Figure: Private Cloud and Oracle Cloud – CoExistence and Migration: Same Architecture, Identical Software, Identical Hardware *Optional)
Transparently move workloads between on-premises and public cloud
Management Cloud: Like Splunk…But in the Cloud Next Generation Cloud-Based Monitoring and Analytics Solution
• Unified data platform stores all types of machine data, which is automatically correlated
• Scalable data processing pipeline ingests and processes large data volumes at line speed
• Real-time analysis and deep insights across technical and business events
• Manages your on premises systems and your cloud systems
(Figure: Unified Big Data Platform with Data Pipeline; services: Application Performance Monitoring, Log Analytics, IT Analytics)
Archive Storage Cloud Service Ideal for Large Data Sets
• On-demand capacity, scales to petabytes
• Multiple redundant data copies for the highest availability
• All data can be encrypted at rest for security
• Automatic data integrity checks for durability
• Industry standard RESTful APIs
$0.001 /GB/Month. Lowest cost per gigabyte in the industry.
Announcing: Hierarchical Storage Manager Auto-Tier to the Cloud for Huge Cost Savings
• Auto-tiering data from on-premises to Archive Storage Cloud for best resource utilization
– Automatic data access as the business requires
– OpenStack Swift-compliant
• Set policies to tier data to the Cloud based on access patterns, sizes, age of the data
• Proven scalability greater than all competitors
(Figure: Hierarchical Storage Manager tiers – Flash Storage, Disk Archive, Tape Archive)
Oracle Strategy: Offer the Same Technology On-Premises and in the Cloud Storage Portfolio – On-Premises and in the Cloud
(Figure: Oracle All Flash FS – Block SAN Storage for Files, Databases; Oracle ZFS – Network Attached Storage for Files, Databases; Zero Data Loss Recovery Appliance – Extreme Data Protection for Oracle Database; StorageTek Tape – Lowest Cost Mass Storage, Archive)
Zero Data Loss Recovery Appliance Completely Automated Backup & Recovery
• Eliminates data loss
– Real-time redo transport
• Minimal production impact – Sends changes, not full backups
• Changes enable restore to any time
• Starts small, scales-out to petabytes
Single rack is twice as fast as Data Domain’s biggest backup appliance.
Engineered Systems Customer Momentum On-Premises and in the Cloud: Exadata, Private Cloud Machine, ZDLR Appliance…
• 15,267 Engineered Systems shipped to Customers
– 10,628 in October 2014
• 7,321 Exadata units shipped to Customers
– 5,579 in October 2014
2015: A Year of Innovation in the Cloud
• SaaS: World’s First Complete Integrated Set of Enterprise Cloud Applications
• PaaS: Easy Migration of Applications and Databases to the Public Cloud
• IaaS: Always-On Security and Fault-Tolerant Reliability at Commodity Prices