Secure Multitenancy on Oracle SuperCluster
0 likes276 views
- The document discusses secure multitenancy on Oracle SuperCluster systems, focusing on isolation, data protection, access control, and compliance. It describes how Oracle SuperCluster uses virtualization, encryption, role-based access controls and other methods to securely isolate workloads and protect tenant data across the hardware, network storage and software stack. The goal is to allow customers to securely deploy diverse workloads while meeting regulatory requirements for privacy and security.
![Copyright © 2015, Oracle and/or its affiliates. All rights reserved. | Oracle ConfidenBal 12
Private Cloud Deployment
Providers View
Zone IsolaBon
Domain IsolaBon
System IsolaBon
RDS v3
RDS v3
iSCSI
NFS v4
InfiniBand Network 40 Gb/sec
[Full/Limited Membership]
10 GbE Network
[Client Access]
Electrical IsolaBon
App Domain DB Domain
Oracle ZFS Storage Appliance
Encrypted ZFS Data Sets
bin, configs, backups, logs
Oracle Exadata Storage Servers
Oracle ASM Scoped Security Disk Group(s)
Transparent Data EncrypBon
Layered Security
Read-Only Immutable Zones
Secure Silicon Memory
Fine Grained RBAC
IP Filter Firewalls
Secure Channels
Centralized Audit
Oracle Key
Manager
Secure
ConnecBon
VLAN-A
VLAN-B
Secure
ConnecBon
Oracle SuperCluster M7
Oracle Solaris Zone](https://image.slidesharecdn.com/oraclesuperclustersecuremultitenancy-170816014801/85/Secure-Multitenancy-on-Oracle-SuperCluster-12-320.jpg)
![Copyright © 2015, Oracle and/or its affiliates. All rights reserved. | Oracle ConfidenBal 13
Cloud Consumer PerspecBve
Consumer View
ApplicaBon Storage
Database Storage
RDS v3
NFS v4
iSCSI
Oracle Database RAC
IPoIB, SDP, RDSv3
IPoIB, SDP
Secure
ConnecBon
Tenant Specific NAS Storage
Encrypted ZFS Data Sets
bin, configs, backups, logs
Tenant Specific Oracle ASM Security Groups
Transparent Data EncrypBon
Tenant Specific
Internal CommunicaDon
Infiniband Network
[Full/Limited Membership]
Oracle Traffic Director
Oracle Fusion ApplicaDons
Tamper-Proof Environment](https://image.slidesharecdn.com/oraclesuperclustersecuremultitenancy-170816014801/85/Secure-Multitenancy-on-Oracle-SuperCluster-13-320.jpg)
![Copyright © 2015, Oracle and/or its affiliates. All rights reserved. | 19
InfiniBand Network IsolaBon
App Domain DB Domain
Oracle Solaris Zones hosDng ApplicaDon
A-1
B-1
C-1
D-1
ParDDon: 0x8503
Protocol: NFS/IPoIB
Limited Membership
ParDDon: 0x8503
Protocol: NFS/IPoIB
Limited Membership
ParDDon: 0xFFFF
Protocol: RDSv3
Full Membership
ParDDon: 0xFFFF
Protocol: RDSv3
Full Membership
Oracle Solaris Zones hosDng Database
Oracle ZFS Storage Appliance
ZFS Data Set A-1
Oracle ZFS Storage Appliance
ZFS Data Set B-1
Oracle Exadata Storage Servers
Oracle ASM Disk Group C-1
Oracle Exadata Storage Servers
Oracle ASM Disk Group D-1
InfiniBand Network 40Gb/s
[Full/Limited Membership] 10GbE Network
[Client Access]
TLSv1.2
VLAN-A
Tenant-A
Tenant-B
TLSv1.2
VLAN-B
TLSv1.2
VLAN-C
Tenant-C
Tenant-D
TLSv1.2
VLAN-D
Oracle SuperCluster M7
Oracle ConfidenBal](https://image.slidesharecdn.com/oraclesuperclustersecuremultitenancy-170816014801/85/Secure-Multitenancy-on-Oracle-SuperCluster-19-320.jpg)
![Copyright © 2015, Oracle and/or its affiliates. All rights reserved. | 23
Secure Key Management
RDS v3
RDS v3
iSCSI
NFS v4
10 GbE Network
[Client Access]
TLSv1.2
App Domain DB Domain
TLSv1.2
Oracle ZFS Storage
Encrypted ZFS
Data Sets
configs, backups, logs
Oracle Exadata Storage
Oracle ASM Scoped Security
Disk Group(s)
Transparent Data EncrypBon
Oracle Key Manager
Secure ConnecBon
VLAN-A
VLAN-B
Secure ConnecBon
Tenant-A
Tenant-B
TLS
MulBple Tenant
Key Groups
Key Agent B
Key Agent A
Key Agent A
Key Agent B
Oracle SuperCluster M7
Oracle Solaris Zone
hosBng ApplicaBon
Oracle Solaris Zone
hosBng Database
Oracle ConfidenBal](https://image.slidesharecdn.com/oraclesuperclustersecuremultitenancy-170816014801/85/Secure-Multitenancy-on-Oracle-SuperCluster-23-320.jpg)
![Copyright © 2015, Oracle and/or its affiliates. All rights reserved. | 29
Private Cloud Deployment
Puwng all Together Zone IsolaBon
Domain IsolaBon
System IsolaBon
RDS v3
RDS v3
iSCSI
NFS v4
InfiniBand Network 40 Gb/sec
[Full/Limited Membership]
10 GbE Network
[Client Access]
Electrical IsolaBon
TLSv1.2
App Domain DB Domain
TLSv1.2
Oracle ZFS Storage Appliance
Encrypted ZFS Data Sets
bin, configs, backups, logs
Oracle Exadata Storage Servers
Oracle ASM Scoped Security Disk Group(s)
Transparent Data EncrypBon
Layered Security
Read-Only Immutable Zones
Dedicated IB ParBBon
Fine Grained RBAC
IP Filter Firewalls
IPSec/IKE Channels
Centralized Audit
Oracle Key
Manager
Secure ConnecBon
VLAN-A
VLAN-B
Secure ConnecBon Tenant-A
Tenant-B
Oracle SuperCluster M7
Oracle Solaris Zone
Oracle ConfidenBal](https://image.slidesharecdn.com/oraclesuperclustersecuremultitenancy-170816014801/85/Secure-Multitenancy-on-Oracle-SuperCluster-29-320.jpg)
Secure Multitenancy on Oracle SuperCluster
- 4. Copyright © 2015, Oracle and/or its affiliates. All rights reserved. | 4 Everything! Know Your Data! What’s at Stake? Non Personal InformaAon Market SensiAve InformaAon External Facing Network Core UAliAes Infrastructure Customer Data Intellectual Property Payment Card Data Oracle ConfidenBal
- 10. Copyright © 2015, Oracle and/or its affiliates. All rights reserved. | Oracle ConfidenBal 10 Secure MulBtenancy on Oracle SuperCluster ‒ Success of the business relies on workload deployments in a secure agile environment ‒ Ensuring high security requires complex setups and it is a Bme consuming process ‒ Nonstandard procedures can be error-prone, expensive against aGacks and compromises Challenge ‒ IsolaBon, data protecBon, access control, automated monitoring & logging with audit & compliance ‒ Encrypted datacenter with high security measures throughout the enterprise SoluAon ‒ Always-On protecBon helps data confidenBality and privacy in-use, in-transit, and at-rest ‒ Business can meet today’s tough regulatory industry compliance mandates with ease Benefits
- 11. Copyright © 2015, Oracle and/or its affiliates. All rights reserved. | § ZS3 Mixed-use Storage • 160 TB (raw) storage for Virtual Machine and system data § QDR InfiniBand Unified Ultra-fast Network • 40Gb/s QDR InfiniBand IO backplane § M7 Servers for Databases & ApplicaAons • 1 or 2 M7 Chassis per system (ElasBc ConfiguraBons) • 2 Physical Domains per M7 chassis, 1 - 4 processors ea. • Up to 8TB RAM per rack § Exadata Storage Servers for Oracle Database § From 3 to 11 per configuraBon (Flex. Config.) § High Capacity (96TB raw disk ea.) § Extreme Flash (12.8TB raw flash ea.) SuperCluster M7: Hardware Architecture Oracle ConfidenBal 11 SuperCluster M7 8/15/17
- 16. Copyright © 2015, Oracle and/or its affiliates. All rights reserved. | • Sandboxed Workload Environment • Containment of Resources • Controlled/Monitored Environment • High Secure Deployment • Prevents aGacks against: – Compute, Storage, Network Oracle ConfidenBal 16 End-To-End Secure IsolaBon Tenant Oracle SuperCluster Engineered System Oracle Private Cloud
- 17. Copyright © 2015, Oracle and/or its affiliates. All rights reserved. | 17 Secure IsolaBon Oracle Solaris Zone ApplicaBon HosBng Oracle Solaris Zone Oracle Weblogic Fusion ApplicaBon Oracle Weblogic Oracle Database 11gR2 Root Domain DB Domain 2 App Domain DB Domain 1 DB I/O Domain 1 App I/O Domain 2 Physical Domain 2 Physical Domain 1 Oracle Database 12c Oracle Database 12c Oracle SuperCluster M7 Oracle Traffic Director Electrical IsolaBon Fusion ApplicaBon Oracle ConfidenBal
- 21. Copyright © 2015, Oracle and/or its affiliates. All rights reserved. | Oracle ConfidenBal 21 Comprehensive Data ProtecBon Silicon Secured Memory Encrypted Network Traffic Encrypted Storage Medium In Transit – In the Network At Rest – In the Storage In Use – In the Memory
- 22. Copyright © 2015, Oracle and/or its affiliates. All rights reserved. | 22 Data ProtecBon Hardware-Assisted Cryptography, Silicon Secured Memory Oracle Solaris Cryptographic Framework DB Domain Oracle Exadata Storage Server Oracle ZFS Storage Appliance RDS v3 Intel AES-NI Hardware Crypto Accelerator Oracle ASM Disk Group A-1 Encrypted Tablespaces Encrypted ZFS Data Set A-1 bin, configs, backups, logs TLSv1.2 Secure ConnecBon NFS v4 A-1 SDP TLS App Domain Solaris PKCS#11 Keystore A-1 A-1 Tenant-A Oracle Solaris Zone hosDng ApplicaDon Oracle Solaris Zone hosDng Database Instance Oracle SuperCluster M7 Oracle ConfidenBal
- 24. Copyright © 2015, Oracle and/or its affiliates. All rights reserved. | 24 Per Tenant Scoped Security RAC DB1 Tenant D Tenant B Tenant C Tenant D Tenant A Zone 1 Tenant A Zone 2 App Domain App Domain DB Domain DB Domain Oracle Exadata Storage Servers Oracle ZFS Storage Appliance Tenant B Disk Group 4 Tenant A Disk Group 1 Tenant A Disk Group 2 Tenant A Disk Group 3 Tenant C Disk Group 4 Tenant C Disk Group 5 /common /u01 rpool Tenant D Tenant B Tenant A Zone 1 Tenant A Zone 2 Tenant C Tenant D /common /u01 rpool /common /u01 rpool /common /u01 /common /u01 /common /u01 rpool rpool rpool Oracle SuperCluster M7 Oracle Solaris Zone Oracle ConfidenBal
- 26. Copyright © 2015, Oracle and/or its affiliates. All rights reserved. | Oracle ConfidenBal 26 End-to-End Access Control Compute Strong AuthenBcaBon Role-Based Access Control Privileged User Access Control Storage Oracle ASM/DB Scoped Security Host-Based Access Controls iSCSI Access Controls Network Boundary Hardening Network ParBBoning Packet Filtering Database Strong AuthenBcaBon Role-Based Access Control Privileged User Access Control
- 27. Copyright © 2015, Oracle and/or its affiliates. All rights reserved. | Oracle ConfidenBal 27 End-to-End Access Control Rigorous Controls for high security D C C D RequesDng to access other tenants’ resources Super User login request D Access Denied OS Access Denied CHAP authenDcaDon request iSCSI Access Granted Non Secure Protocol CommunicaDon Access with delegated privilege profile Malicious program knocking around doors Firewall Block D OS Access Granted Access Denied D ApplicaDon’s domain accessing Exadata Storage Access Denied D Aempt to destroy or tamper with audit log records AcDon Impossible D Unknown IP Address requesDng access Access Denied D Database access with Open Security Not Permied D SNMP traps prior to version 3.0 Not Permied D Access over SSL 3.0 and TLS 1.0 channel Not Accessible
- 30. Copyright © 2015, Oracle and/or its affiliates. All rights reserved. | SuperCluster M7: Compliance Made Easy • Get compliant faster and stay compliant more easily • SuperCluster includes automated tools leverages Solaris Compliance uBlity for Security Benchmarks – Center for Internet Security (CIS) benchmark – Security Technical InformaBon Guide (STIG) – Payment Card Industry’s PCI-DSS compliant secure mulB-tenancy Customer may ‘tailor’ policies for addiBonal security benchmarks/profiles Oracle ConfidenBal 30
- 32. Copyright © 2015, Oracle and/or its affiliates. All rights reserved. | 32 Oracle SuperCluster Private Cloud Secure IsolaAon Ground-Up For MulAtenancy • Cryptographic IsolaBon • Global/Non-Global Tenant resources • Secure network isolaBon • Limited Membership on Infiniband • AnB-snoop link protecBon Tamper-proof Compute Environment • Read-only Global Zones • Domains & IO Domains • Non-Global Zones Trusted Path Access To Zones and Domains • Trusted Path To Tenant Zones and Domains • Dedicated Role and Rights • Support patches/updates without reboot Total Data ProtecAon For Tenants and Domains • Data EncrypBon at all layers (ZFS, DB, TLS) • Supports TDE, EM Agent EncrypBon Compliance Guidance and VerificaAon • Solaris Compliance guide for Security controls • Run compliance profile reports • SCAP/XCCDF, OVAL, HTML reports Comprehensive Monitoring and AudiAng • Tenant Zone(s) level logging • Accountability on audit policy enforcement Stronger Access Control At All Layers • Dedicated Rights profile and RBAC • Cloud Environment, Tenant and DB Admins • Immutable firewall and IPSec policies • Restricted access to ZFS-SA • Restricted access to Exadata Storage Centralized Tenant Key Management SoluAon • Tenant owned Keys • Key Management for TDE and ApplicaBons Oracle ConfidenBal
- 33. Copyright © 2015, Oracle and/or its affiliates. All rights reserved. | Oracle SuperCluster Security Capability Summary Compute Storage Network Database Secure Isolation ! Physical ! Electrical ! Hypervisor-Mediated ! Kernel-Mediated ! Physical ! ASM Instances ! ZFS Data Sets ! Physical (Ethernet) ! Ethernet VLANs ! InfiniBand Partitions ! Multitenant ! Instances ! Schema ! Labels Access Control ! RBAC / Privileges ! LDOM Administration ! Zone Administration ! ZFS ACLs ! Exadata Security ! NFS Security ! IP Filter / iptables ! Switch ACLs ! Audit Vault and Database Firewall ! Roles and Privileges ! Real Application Security ! Database Vault Data Protection ! Immutable Zones ! Read-Only Mounts ! ZFS Administration ! ZFS Encryption ! LOFI Encryption ! TDE ! SSH ! SSL / TLS ! IPsec / IKE ! Virtual Private DB ! Data Masking ! Redaction Monitoring and Auditing ! Solaris Auditing ! Linux Auditing ! BART / AIDE ! ZFS Storage Appliance Logs ! Exadata Storage Auditing ! IP Filter / iptables ! Switch Logs ! Database Auditing ! Audit Vault and Database Firewall 33 Oracle ConfidenBal