
Page 1: Security First Cloud for Enterprise › au › a › evt › docs › oracle-cloud... · a commitment to deliver any material, code, or functionality, and should not be relied upon

Security First Cloud for Enterprise

Eran Feigenbaum

Chief Security Officer OCI Cloud

Copyright © 2019 Oracle and/or its affiliates.

Page 2

Safe harbor statement

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions.

The development, release, timing, and pricing of any features or functionality described for Oracle’s products may change and remains at the sole discretion of Oracle Corporation.

Confidential – © 2019 Oracle Internal/Restricted/Highly Restricted

Page 3

[Timeline slide: 2010, 2011, 2012]

Page 4

[Timeline slide: 2015, 2015, 2016]

Page 6

Cloud Adoption: Where does country rank? Gartner, August 2019

The worldwide public cloud services market is projected to grow 17.5 percent in 2019 to total $214.3 billion, up from $182.4 billion in 2018, according to Gartner, Inc.

The fastest-growing market segment will be cloud system infrastructure services, which is forecast to grow 27.5 percent in 2019 to reach $38.9 billion, up from $30.5 billion in 2018.

Nearly 60% of North American enterprises now rely on public cloud platforms, five times the percentage that did just five years ago.

2019 Predictions

Page 8

Security Is Driving Cloud Adoption

Source: https://www.oracle.com/a/ocom/docs/data-security-report.pdf

Page 9

The State of Information Security: Harder Today Than Ever

[Slide callouts: "Cybercrime Damages $6 Trillion By 2021"; "More than half of organizations report a “problematic shortage” of cybersecurity skills, and there is no end in sight." Surrounding pressures shown on the slide: Multi-Cloud, GDPR, IoT, DevOps, Containers, Serverless, Compliance, Defense in depth, Supply Chain.]

Page 10

What Happened?

Page 11

OCI Is Different

Page 12

The Place For Your Critical Workloads

Gen2 Security Architecture

Automated, always-on security controls

Deep expertise in global data protection

Confidential – Highly Restricted

Page 13

How are Gen 1 Clouds built:

Confidential – © 2019 Oracle

[Diagram: a Gen1 Instance made up of CPU (Core, Core), Hypervisor, Memory, SSD/HDD and Datacenter Network, running Customer code and a Customer DB with DB Data & Control files and Customer TDE Keys. Legend: Cloud Vendor-Managed vs. Customer-Managed.]

Page 14

Gen 1: Shared machines between Customers and Provider

[Diagram: "1st Generation Clouds: Most Prevalent Today". Each host stacks Host OS/Kernel, Hypervisor, Server Virtualization and Network Virtualization, with many VM/Guest OS instances on top; traffic To / From Other Tenants passes through the shared host's network virtualization.]

Page 15

Threat Propagation

[Diagram: "1st Generation Cloud". The same host stack (Host OS/Kernel, Hypervisor, Server Virtualization, Network Virtualization, VM/Guest OS instances) repeated across several hosts, illustrating threat propagation from one host to the others through the shared virtualization layers.]

Page 16

Secure Design: Stronger Tenant Isolation

[Diagram, left: "1st Generation Clouds: Most Prevalent Today": Host OS/Kernel, Hypervisor, Server Virtualization, Network Virtualization and VM/Guest OS instances; traffic To / From Other Tenants passes through the host's own network virtualization. Right: "2nd Generation Cloud: Oracle Cloud Infrastructure-Wide Isolated Network Virtualization Separates Network and Tenant Environment": Host OS/Kernel, Hypervisor, Container (Optional) and VM/Guest OS instances; traffic To / From Other Tenants passes through Isolated Network Virtualization, separate from the host.]

Page 17

Off-box network virtualization

[Diagram, left: Gen1 Instance: CPU (Core, Core), OS/Hypervisor, Memory, SSD/HDD, Datacenter Network, Customer code, Customer DB, DB Data & Control files, Customer TDE Keys; legend Cloud Vendor-Managed vs. Customer-Managed. Right: Gen2 OCI Instance: the same components, with an Off-box virtualization device placed between the instance and the Datacenter Network.]

Page 18

Threat Containment & Reduced Risk

[Diagram, left: "1st Generation Cloud": hosts stacking Host OS/Kernel, Hypervisor, Server Virtualization, Network Virtualization and VM/Guest OS instances. Right: "Oracle 2nd Generation Cloud": hosts stacking Host OS/Kernel, Hypervisor, Container (Optional) and VM/Guest OS instances, each attached to Isolated Network Virtualization. Caption: "Isolated Network Virtualization Security Prevents Lateral Movement".]

Page 19

Root of Trust:

[Diagram: Gen2 OCI Instance with Memory, SSD/HDD, DB Data & Control files and Customer TDE Keys, an Off-box virtualization device on the Datacenter Network, and the components labelled under Root of Trust: NIC, CPU, BIOS, ILOM.]

Page 20

Secure Design: Segmentation of Physical Layer

[Diagram: Oracle Hardened Hypervisor hosting VMs, connected through Isolated Network Virtualization to the Physical Network, which is divided into Physical Network Segments: Management Enclave, Service Enclave, Customer Enclave.]

Page 21

Secure Design: Least Privileged Access

[Diagram labels: Physical Network Segment; Management Enclave, Service Enclave, Customer Enclave; VCN; Internet; SSH Bastion; Outbound SSL Proxy; SSL Load Balancer; Service Gateway; Block Volume Traffic; Command Traffic; Telemetry; Service to Service Traffic Secured at Application Layer; Host to Host Traffic Isolated Via Encapsulation; No Host to Host Traffic.]

Page 22

Oracle Cloud Infrastructure Global Footprint

September 2019: 16 Regions Live, 20 Planned

[Map: Ashburn, Phoenix, Sydney, Chicago, Toronto, Belo Horizonte, Tokyo, Seoul, Mumbai, Osaka, Melbourne, Amsterdam, Hyderabad, Jeddah, Dubai, London, Bay Area, Singapore, Saudi 2, UAE 2, Chile, Israel, Frankfurt, Zurich, Montreal, Chuncheon, South Africa, US Gov, Europe, Asia, Sao Paulo, Newport (Wales). Legend: Commercial; Government; Commercial Planned; Government Planned; Microsoft Azure Interconnect; Microsoft Azure Interconnect Planned.]

Page 23

Automated, always-on security controls

Page 24

Oracle’s Position on Security in the Cloud

• The cloud must offer a mechanism to secure your resources that adheres to 100% of our security best practices, where maximum security is a given. Always-on Security.

• The cloud must do automatic 24/7 monitoring, hunting, and elimination of threats to protect customer assets at all times. 100% automated.

– It must be empowered to make changes to the environment in the face of malicious attacks.

• The cloud must offer a platform that’s built to keep your OS and applications secure and always running in the face of attacks.

Copyright © 2019 Oracle and/or its affiliates. Content as of Oracle OpenWorld 2019

Enterprise-grade Security Made Simple

Page 25

Cloud Guard

• Cloud Guard constantly watches and collects data from Audit, Data Safe, OS Management, Logging, and Network Flow Logs services.

– Gen 1 clouds don’t offer a unified system to collect data from all services.

• Cloud Guard analyzes data, and detects threats and misconfigurations. It can alert you, and better yet, it can kill threats with no human intervention.

– Gen 1 clouds are only reactive and alert you. You’re left with the hard, slow, and manual task of killing the threat yourself.

Pervasive Watch and Kill

Page 26

Maximum Security Zones

• Oracle Maximum Security Zone is a zone within your environment where security is not a choice. It’s always on.

• Resources launched in this zone will be on dedicated infrastructure with the highest levels of data encryption and network security.

• Gen 1 clouds offer a long list of security tools that are extremely complex to set up, and very easy to screw up.


Maximum Security can be Easy and Always On

Page 27

Most Secure OS for the Cloud

• Oracle Linux includes Ksplice, the only technology in the industry that patches kernel and user space programs with zero downtime.

• OS Management Service automatically manages inventory of all vulnerabilities and all running instances.

• OS Management Service automatically patches your hosts and keeps you always secure.

• Always on Security. 100% automated.

Announcing: Autonomous Linux Platform. Available Now

Page 28

Autonomous Database Dedicated

Available Now. Generally Available

• Provides a Private Database Cloud running on dedicated Exadata Infrastructure in the Public Cloud

– Runs all your databases - any size, scale, or criticality

• Highest Isolation

– Multiple levels of isolation protect from noisy or hostile neighbors

• Customizable Operational Policies

– Control of provisioning, software updates, availability, density

• Will be Available as a Cloud at Customer solution in future

Page 29

Announcing: Oracle Data Safe. Available Now

Autonomous Database | Now Even More Secure

• Unified Database Security Control Center

– Security Configuration Assessment

– User Risk Assessment

– User Activity Auditing

– Sensitive Data Discovery

– Data Masking

• Saves time and mitigates security risks

• Defense in Depth for all customers

• No special security expertise needed

Available with Oracle Cloud Databases at no additional cost

Page 30

Summary:

1. Built a different type of Cloud from the Ground up

2. Prevention is the best medicine

3. Make security easier for users