security first cloud for enterprise › au › a › evt › docs › oracle-cloud... · a...
TRANSCRIPT
Security First Cloud for Enterprise
Eran Feigenbaum
Chief Security Officer OCI Cloud
Copyright © 2019 Oracle and/or its affiliates.
Safe harbor statement
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions.
The development, release, timing, and pricing of any features or functionality described for Oracle’s products may change and remains at the sole discretion of Oracle Corporation.
Confidential – © 2019 Oracle Internal/Restricted/Highly Restricted
Copyright © 2019 Oracle and/or its affiliates.
2011
2012
2010
Copyright © 2019 Oracle and/or its affiliates.
2015
2015
2016
Copyright © 2019 Oracle and/or its affiliates.
2016
2017
2017
Copyright © 2019 Oracle and/or its affiliates.
Cloud Adoption: Where does country rank? Gartner, August 2019
The worldwide public cloud services market is projected to grow 17.5 percent in 2019 to total $214.3 billion, up from $182.4 billion in 2018, according to Gartner, Inc.
The fastest-growing market segment will be cloud system infrastructure services, which is forecast to grow 27.5 percentin 2019 to reach $38.9 billion, up from $30.5 billion in 2018.
Nearly 60% of North American enterprises now rely on public cloud platforms, five times the percentage that did just five years ago.
2019 Predictions
Copyright © 2019 Oracle and/or its affiliates.
Security Is Driving Cloud
Adoption
Source: https://www.oracle.com/a/ocom/docs/data-security-report.pdf
Cybercrime Damages $6 Trillion By 2021
Multi-CloudGDPR
IoT
More than half of organizations report a “problematic shortage” of cybersecurity skills, and there is no end in sight.
DevOps
Containers
Serverless
ComplianceDefense in depth
Supply Chain
The State of Information Security: Harder Today Than Ever
What Happened?
Copyright © 2019 Oracle and/or its affiliates.
OCI Is Different
Copyright © 2019 Oracle and/or its affiliates.
The Place For Your Critical Workloads
Gen2 Security Architecture
Automated, always-on security controls
Deep expertise in global data protection
Confidential – Highly Restricted
How are Gen 1 Clouds built:
Confidential – © 2019 Oracle
MemorySSD/HDD
Customer DB
Datacenter Network
Customer code
Core Core
Hypervisor
CPU
Gen1 Instance
DB Data &Control files
Customer TDE Keys
Cloud Vendor-Managed
Customer-Managed
Gen 1: Shared machines between Customers and Provider
Confidential – Highly Restricted
To / From Other Tenants
1st Generation Clouds: Most Prevalent Today
Host OS/Kernel
Network VirtualizationHypervisor
Server VirtualizationServer Virtualization
HypervisorNetwork Virtualization
VM/ Guest
OS
VM/ Guest
OS
VM/ Guest
OSVM/
Guest OS
VM/ Guest
OS
VM/ Guest
OS
Host OS/Kernel
Network Virtualization
VM/ Guest OS
VM/ Guest OS
VM/ Guest OS
VM/ Guest
OS
VM/ Guest
OS
VM/ Guest
OS
Threat Propagation
Confidential – Highly Restricted
Host OS/Kernel
Network VirtualizationHypervisor
Server VirtualizationServer Virtualization
HypervisorNetwork Virtualization
Host OS/Kernel
Server Virtualization Hypervisor
Network VirtualizationNetwork Virtualization
HypervisorServer VirtualizationServer Virtualization
HypervisorNetwork Virtualization
Server Virtualization Hypervisor
Network Virtualization
1st Generation Cloud
VM/ Guest
OS
VM/ Guest
OS
VM/ Guest
OSVM/
Guest OS
VM/ Guest
OS
VM/ Guest
OS
VM/ Guest
OS
VM/ Guest
OS
VM/ Guest
OSVM/
Guest OS
VM/ Guest
OS
VM/ Guest
OS
VM/ Guest
OS
VM/ Guest
OS
VM/ Guest
OS
VM/ Guest
OS
VM/ Guest
OS
VM/ Guest
OSVM/
Guest OS
VM/ Guest
OS
VM/ Guest
OS
VM/ Guest
OS
VM/ Guest
OS
VM/ Guest
OS
Secure Design: Stronger Tenant Isolation
Confidential – Highly Restricted
Isolated Network Virtualization
To / From Other Tenants To / From Other Tenants
1st Generation Clouds: Most Prevalent Today
2nd Generation Cloud: Oracle Cloud Infrastructure-
Wide
Host OS/Kernel
Network VirtualizationHypervisor
Server VirtualizationSeparates
Network and Tenant
Environment
Server Virtualization Hypervisor
Network Virtualization
VM/ Guest
OS
VM/ Guest
OS
VM/ Guest
OSVM/
Guest OS
VM/ Guest
OS
VM/ Guest
OS
Host OS/Kernel
HypervisorContainer (Optional)
VM/ Guest OS
VM/ Guest OS
VM/ Guest OS
VM/ Guest
OS
VM/ Guest
OS
VM/ Guest
OS
Off-box network virtualization
Confidential – © 2019 Oracle
Off-boxvirtualization device
MemorySSD/HDD
Customer DB
Datacenter Network
Customer code
Core Core
OS/Hypervisor
CPU
Gen1 Instance
DB Data &Control files
Customer TDE Keys
Cloud Vendor-Managed
Customer-Managed
MemorySSD/HDD
Customer DB
Datacenter Network
Customer code
Core Core
OS/Hypervisor
CPU
Gen2 OCI Instance
DB Data &Control files
Customer TDE Keys
Threat Containment & Reduced Risk
Confidential – Highly Restricted
Host OS/Kernel
Network VirtualizationHypervisor
Server VirtualizationServer Virtualization
HypervisorNetwork Virtualization
Host OS/Kernel
Isolated Network Virtualization
Host OS/Kernel
HypervisorContainer (Optional)
Server Virtualization Hypervisor
Network VirtualizationNetwork Virtualization
HypervisorServer VirtualizationServer Virtualization
HypervisorNetwork Virtualization
Server Virtualization Hypervisor
Network Virtualization
1st Generation Cloud Oracle 2nd Generation Cloud
VM/ Guest
OS
VM/ Guest
OS
VM/ Guest
OSVM/
Guest OS
VM/ Guest
OS
VM/ Guest
OS
VM/ Guest
OS
VM/ Guest
OS
VM/ Guest
OSVM/
Guest OS
VM/ Guest
OS
VM/ Guest
OS
VM/ Guest
OS
VM/ Guest
OS
VM/ Guest
OS
VM/ Guest
OS
VM/ Guest
OS
VM/ Guest
OS
Isolated Network Virtualization Security
Prevents Lateral Movement
VM/ Guest
OS
VM/ Guest
OS
VM/ Guest
OSVM/
Guest OS
VM/ Guest
OS
VM/ Guest
OSVM/ Guest
OS
VM/ Guest
OS
VM/ Guest
OS
VM/ Guest
OS
VM/ Guest
OS
VM/ Guest
OS
Isolated Network Virtualization
Host OS/Kernel
HypervisorContainer (Optional)
VM/ Guest
OS
VM/ Guest
OS
VM/ Guest
OSVM/
Guest OS
VM/ Guest
OS
VM/ Guest
OS
VM/ Guest
OS
VM/ Guest
OS
VM/ Guest
OSVM/
Guest OS
VM/ Guest
OS
VM/ Guest
OS
Root of Trust:
Confidential – © 2019 Oracle
Off-boxvirtualization device
MemorySSD/HDD
Datacenter Network
Gen2 OCI Instance
DB Data &Control files
Customer TDE Keys
NIC
CPU BIOS
ILOM
Secure Design: Segmentation of Physical Layer
Confidential – Highly Restricted
Oracle Hardened Hypervisor
VM VM VM
VM VM VM
Isolated Network Virtualization
Physical Network
Physical Network Segments
Management Enclave Service Enclave Customer Enclave
Secure Design: Least Privileged Access
Confidential – Highly Restricted
Physical Network Segment
VCN
Internet
SSH Bastion
Outbound SSL Proxy
SSL Load Balancer
Service Gateway
Block Volume Traffic
Command Traffic
Service to Service Traffic Secured at Application Layer
Host to Host Traffic Isolated Via
Encapsulation
No Host to Host Traffic
Command Traffic
Management Enclave Service Enclave Customer Enclave
Telemetry
Oracle Cloud Infrastructure Global Footprint
Copyright © 2019 Oracle and/or its affiliates.
September 2019: 16 Regions Live, 20 Planned
ASHBURNPHOENIX
SYDNEY
CHICAGO
TORONTO
BELO HORIZONTE
TOKYOSEOUL
MUMBAI
OSAKA
MELBOURNE
AMSTERDAM
HYDERABAD
JEDDAHDUBAI
LONDON
BAY AREA
SINGAPORE
SAUDI 2UAE 2
CHILE
Commercial
Government
Commercial Planned
Government Planned
Microsoft Azure Interconnect Planned
ISRAEL
FRANKFURT
ZURICHMONTREAL
CHUNCHEON
SOUTH AFRICA
US GOV
EUROPE
ASIA
SAO PAULO
NEWPORT,WALES
Microsoft Azure Interconnect
Automated, always-on security controls
Oracle’s Position on Security in the Cloud
• The cloud must offer a mechanism to secure your resources that adheres to 100% of our security best practices, where maximum security is a given. Always-on Security.
• The cloud must do automatic 24/7 monitoring, hunting, and elimination of threats to protect customer assets at all times. 100% automated.– It must be empowered to make changes to the environment in the face of malicious
attacks
• The cloud must offer a platform that’s built to keep your OS and applications secure and always running in the face of attacks.
Copyright © 2019 Oracle and/or its affiliates. Content as of Oracle OpenWorld 2019
Enterprise-grade Security Made Simple
Cloud Guard
• Cloud Guard constantly watches and collects data from Audit, Data
Safe, OS Management, Logging, and Network Flow Logs services.
– Gen 1 clouds don’t offer a unified system to collect data from all services.
• Cloud Guard analyzes data, and detects threats and
misconfigurations. It can alert you, and better yet,
it can kill threats with no human intervention.
– Gen 1 clouds are only reactive and alert you. You’re left with the hard, slow, and manual task of killing the threat yourself.
Copyright © 2019 Oracle and/or its affiliates. Content as of Oracle OpenWorld 2019
Pervasive Watch and Kill
Maximum Security Zones
• Oracle Maximum Security Zone is a zone within your environment where security is not a choice. It’s always on.
• Resources launched in this zone will be on dedicated infrastructure with the highest levels of data encryption and network security.
• Gen 1 clouds offer a long list of security tools that are extremely complex to set up, and very easy to screw up.
Copyright © 2019 Oracle and/or its affiliates. Content as of Oracle OpenWorld 2019
Maximum Security can be Easy and Always On
Copyright © 2019 Oracle and/or its affiliates. Content as of Oracle OpenWorld 2019
Most Secure OS for the Cloud
• Oracle Linux includes Ksplice, the only technology in the industry that patches kernel and user space programs with zero downtime.
• OS Management Service automatically manages inventory of all vulnerabilities and all running instances.
• OS Management Service automatically patches your hosts and keeps you always secure.
• Always on Security. 100% automated.
Announcing: Autonomous Linux PlatformAvailable Now
Copyright © 2019 Oracle and/or its affiliates. Content as of Oracle OpenWorld 2019
Available Now
Generally Available
• Provides a Private Database Cloud running on dedicated Exadata Infrastructure in the Public Cloud–Runs all your databases - any size, scale, or criticality
• Highest Isolation
–Multiple levels of isolation protect from noisy or hostile neighbors
• Customizable Operational Policies
–Control of provisioning, software updates, availability, density
• Will be Available as a Cloud at Customer solution in future
Autonomous Database Dedicated
Copyright © 2019 Oracle and/or its affiliates. Content as of Oracle OpenWorld 2019
Announcing: Oracle Data SafeAvailable Now
Autonomous Database | Now Even More Secure
• Unified Database Security Control Center – Security Configuration Assessment
– User Risk Assessment
– User Activity Auditing
– Sensitive Data Discovery
– Data Masking
• Saves time and mitigates security risks
• Defense in Depth for all customers
• No special security expertise needed
Copyright © 2019, Oracle and/or its affiliates. All rights reserved. |
• Unified Database Security Control Center
– Security Configuration Assessment
– User Risk Assessment
– User Activity Auditing
– Sensitive Data Discovery
– Data Masking
• Saves time and mitigates security risks
• Defense in Depth for all customers
• No special security expertise needed
35
Available with Oracle Cloud Databases at no additional cost
Announcing: Oracle Data SafeAutonomous Database | Now even more Secure
Available with Oracle Cloud Databases at no additional cost
Summary:
1. Built a different type of Cloud from the Ground up
2. Prevention is the best medicine
3. Make security easier for users