Copyright © 2015, Oracle and/or its affiliates. All rights reserved. |
John Szlendak
Principal Product Manager, Oracle ZFS Storage
29 October, 2015
How Secure Is Your Data: Be Safe, or Be Sorry
Focus on Security
Mega Breaches: The Past 18 Months
(Figure on the slide: breach bubbles sized by records compromised. Recoverable labels, in slide order:)
• 200M, Experian, Mar '14
• 150M, eBay, May '14
• 22M, Education, July '14
• SA Banks, Oct '13 (credit cards)
• 150M + code, Adobe, Oct '13
• 98M, Target, Dec '13
• 20M, Credit Bureau
• 12M, Telecom, Jan '14
• 56M, Home Depot, Sep '14
• Immigration, June '14 (personal records)
• 76M, JPMC, Oct '14
• 53M, Sony, Dec '14
• 227M (organization label not recoverable from the slide)
• 80M, Anthem, Feb '15
Attack vectors and weaknesses called out on the slide: Insider Access, Password Theft, Malware, SQL Injection, Zero-day attacks, No Auditing/Monitoring, No Configuration Control, Poor Access Control, Poor Application Design/Patching, No Encryption
Why Data Security
Alarming increases in cyber attacks, data breaches and their cost
• Over 1 billion records compromised from 2002-2012; now the same number in just 12 months (Verizon Data Breach Reports)
• Over 46 days to discover and resolve a data breach (Ponemon Institute Study, 2015)
• 97% preventable with basic controls & data encryption (Verizon Data Breach Reports)
• Average data breach cost $3.5M, and $201 per stolen record, and rising (Ponemon Institute, 2014)
• 45% of Senior Executives say their companies experience cyber attacks hourly or daily (Ponemon Institute, 2015)
• Cyber crime is $400B today, but could reach $3T in 10 years if nothing is done (McKinsey Report)
Impact of Data Security Breaches
Ever-increasing Risk and Cost! ($3.5M avg. data breach cost)
#1 Direct Losses: Customer Data, Company Data, Employee Data, Digital Assets, Loss of Customers, Fines
#2 Indirect Losses: Loss of Sales/Market Share, Competitive Disadvantage, Negative Brand Impact, Loss of Customer Trust
#3 Ongoing Expenses: Corruption of Data, Recovery Costs, Continuity Costs, Notification Costs
#4 Legal Exposure: Regulations Violation, Executive Liabilities, Disclosure Requirements, Lawsuits / Settlements
What Are You Doing To Secure Your Data?
Perimeter/Network Security Alone is Not Enough
Increasing data security incidents and risks in today's data-driven, hyper-connected world:
• Over 10,000 data breaches last year
• Over 1 billion records compromised
• Billions of dollars in cost and brand damage
• Billions of new access points to worry about
• Remote, Mobile, IoT (40 billion by 2020)
Oracle Security Inside and Out
Perimeter Security Is Not Enough To Protect Your Data: Built-in Security At Each Layer of the Stack
(Figure on the slide: a stack of seven layers, each labelled SECURITY, with the capabilities below listed top to bottom.)
• Governance Risk & Compliance: Access & Certification Review, Anomaly Detection, User Provisioning, Entitlements Management
• Mobile Security, Privileged Users, Directory Services, Identity Governance, Entitlements Management, Access Management
• Encryption, Masking, Redaction, Key Management, Privileged User Control, Big Data Security, Secure Config
• Application + User Sandboxing, Delegated Admin, Anti-malware system, Data + Network Protection, Compliance Reporting, Secured App Lifecycle
• Secure Live Migration, Immutable Zones, Independent Control Plane
• Cryptographic Acceleration, Silicon Secured Memory, Application Data Integrity, Verified Boot
• Encryption, Access Controls, Enterprise Key Management, Secured Backup and DR
Callouts on the slide: "Where Most Critical Data Resides", "Where Most Data Resides", "Biggest data risk targets (IDC)", "New SPARC M7"
Oracle Database Security
Oracle Database security provides Threat Anticipation, Mapping Controls, Data and User Classification
PREVENTIVE: Redaction, Masking and Subsetting; DB and Privileged User Controls; Encryption
DETECTIVE: Activity Monitoring; Database Firewall; Auditing and Reporting
ADMINISTRATIVE: Privilege & Data Discovery; Configuration Management; Key Management
Transparent Data Encryption (TDE)
Component of Oracle's Advanced Security
• Encrypts columns or entire application tablespaces
• Protects the database files on disk, networks and backups*
• Transparent to applications, no changes required
• Tight integration with Oracle DB Compression, RMAN, Data Pump, RAC, ASM, Active Data Guard and Golden Gate
• Centrally managed encryption keys (Key Vault)
(Figure on the slide: applications work with clear data; disks, exports, backups and off-site facilities hold encrypted data.)
Preventive Database Security Controls
(Figure on the slide, panel by panel:)
• Data Redaction: applications and users see ssn:xxx-xx-4321, dob:xx/xx/xxxx
• Data Encryption: stored data appears as ciphertext (*7#$%!!@!%afb ##<>*$#@34); keys held in Key Vault
• DB Controls: privileged users get "Access denied: Insufficient Privilege"
• Data Subsetting: Region, Year, Size-based subsets for Dev/Test
• Data Masking: Partners, BI see masked values such as ssn:123-34-6789, dob:11/11/1111
Oracle ZFS Storage for On-Premise, Private and Public Clouds
Oracle ZFS Storage
Engineered for Extreme Performance, efficiency and security
• Most Horsepower Possible: 2TB DRAM, 80 cores of processing power, 12.8TB read flash, 10.5TB write flash
• Software specifically engineered for multi-level flash and disk storage
• Dynamic Storage Tiering (HSP): automated, real-time data migration from DRAM to multi-class flash, to multi-class disk storage
• Adaptive Throttle Algorithm determines pipe size
(Figure on the slide, Adaptive I/O Staging: 2TB DRAM with LRU / MRU / LFU / MFU lists; 12TB READ FLASH (MLC NAND, L2ARC); WRITE FLASH (SLC NAND, sync I/O only; 4 write SSDs per tray max); SAS-2 disk tiers at 15K, 10K and 7.2K.)
ZFS Storage Data Security and Protection
• Access Security
– All access authenticated and conducted over secure networks and protocols
– Use of LDAP, NIS and Active Directory for user identification & authentication
– Encrypted network communication (SSL/TLS) for replication
• Access Controls
– Fine-grained file access and administrative controls based on authorizations and permissions
– Defined role-based authorization controls for user access
– ACLs for setting access, permissions and limits on files and directories
• Data Encryption
– Highly secure two-tier AES 256-bit storage encryption
– Granular, scalable and highly efficient
– High-availability local and remote key management
• End-to-End Data Integrity and Protection
– Advanced checksum protection throughout the data path to eliminate silent data corruption; automatic, self-healing architecture
– Fast and efficient backup and DR (unlimited snapshots, intelligent replication)
ZFS Storage Encryption
Storage-based Data-at-Rest Encryption for All Data
• Simple
– Granular encryption for better efficiency, controls and manageability
– Project level, Share level or LUN level
– Easy and flexible to use and manage via BUI or CLI
– Allows encrypted and clear-text data in the same system
• Secure
– Strong AES 256-bit encryption keys
– Integrated local key management
– Centralized key management (OKM)
– Two-tier encryption key architecture
– Authorization and access controls
• Available
– High Availability architecture
– DR and Backup support
– Capacity and drive independent
– Minimal key latency
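What a "two-tier encryption key architecture" buys you, as an added illustration written for this page (not Oracle's code, and not how the appliance is implemented internally): it assumes the two tiers are a per-share data key (DEK) and a key-encryption key (KEK) held by the key manager, with AES-256-GCM standing in for the appliance's AES-256 mode; the Share, EncryptShare, DecryptShare and RotateKEK names are hypothetical. The point it demonstrates is that rotating or re-homing the KEK rewraps only the small DEK, the share's data ciphertext is never rewritten, and a wrong key or tampered bytes fails authentication instead of yielding garbage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Share: data sealed under a per-share data key (DEK); the DEK is stored only wrapped under a KEK.
type Share struct{ WrappedDEK, Data []byte }
// NewKey returns a random 256-bit key (a 32-byte key makes aes.NewCipher select AES-256).
func NewKey() []byte { k := make([]byte, 32); rand.Read(k); return k }
func aead(key []byte) cipher.AEAD { // keys here are always 32 bytes, so a failure is a bug
	block, err := aes.NewCipher(key)
	if err != nil { panic(err) }
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}
// seal encrypts with AES-256-GCM and prepends the random nonce.
func seal(key, pt []byte) []byte {
	gcm := aead(key)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // crypto/rand
	return gcm.Seal(nonce, nonce, pt, nil)
}
// open reverses seal; a wrong key or tampered bytes fails GCM authentication.
func open(key, ct []byte) ([]byte, error) {
	gcm := aead(key)
	ns := gcm.NonceSize()
	if len(ct) < ns { return nil, errors.New("ciphertext too short") }
	return gcm.Open(nil, ct[:ns], ct[ns:], nil)
}
// EncryptShare: fresh DEK per share, data under the DEK, DEK wrapped under the KEK.
func EncryptShare(kek, pt []byte) *Share {
	dek := NewKey()
	return &Share{WrappedDEK: seal(kek, dek), Data: seal(dek, pt)}
}
// DecryptShare unwraps the DEK with the KEK, then opens the data.
func DecryptShare(kek []byte, s *Share) ([]byte, error) {
	dek, err := open(kek, s.WrappedDEK)
	if err != nil { return nil, err }
	return open(dek, s.Data)
}
// RotateKEK rewraps only the DEK: the share's data ciphertext is never rewritten.
func RotateKEK(oldKEK, newKEK []byte, s *Share) error {
	dek, err := open(oldKEK, s.WrappedDEK)
	if err != nil { return err }
	s.WrappedDEK = seal(newKEK, dek)
	return nil
}
```

The same split is what lets a central key manager such as OKM hold the KEK while the storage system keeps only wrapped DEKs alongside the data.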
Centralized Key Management (Oracle Key Manager)
Enterprise-class OKM 3 system
• Simple to Install and Operate
– Automated, policy-driven system
– Server, OS, Application neutral
• Secure
– Strong encryption (AES-256-bit) end-to-end
– Strong key protection mechanisms
– FIPS compliant
• Scalable
– Supports multiple encryption devices
– Supports up to 1 million keys and 2000 devices (Disk, Tape, Java, Oracle DB, etc.)
• High Performance
– Key latency less than 250 milliseconds
– No storage server CPU cycles used
• High Availability
– Clustering: up to 20 OKM appliances
– DR and Backup support for encryption keys
(Figure on the slide: OKM serving T10000 tape drives, an SL 8500 library and LTO 5.)
ZFS Storage Encryption Benefits
• Granularity
– Best Performance: data isolation decides which Share to encrypt to get best performance
– Storage Efficiency: Share-level encryption helps optimize storage efficiency
• Security
– Strong Authentication: access to encrypted data with LDAP authentication with policy adherence
– Effective Access Control: access control protects your encrypted data from insider attacks
• Reduced Costs
• Reduced Risk
Just Announced: T7-1, T7-2, T7-4, M7-8, M7-16, SuperCluster M7
The Most Advanced Platform for Secure Computing
• Scalability from 32 to 512 cores
• First Ever Software in Silicon Architecture
• Most Advanced Security: wide key encryption and silicon secured memory
• World's Fastest Microprocessor
The Ultimate Software Optimization: Hardware
Revolution, Not Evolution! Software in Silicon: SPARC M7
• Performance: In-Memory Query Acceleration
• Security: Encryption Acceleration, Silicon Secured Memory
• Efficiency: In-line Decompression
Huge Leap in Security & Performance Over Traditional Processor Architectures
• Always-on Encryption
• Always-on Memory Intrusion Protection*
• 10X faster
* Stops malicious programs from accessing other application memory. Ex: Heartbleed, VENOM
Designed for Security
• 15 Software-in-Silicon crypto algorithms, with 25 user-level crypto instructions
• 32 crypto accelerators per processor
• To accelerate:
– Asymmetric (Public Key Encryption)
– Symmetric Key (Bulk Encryption)
– Message Digest (Hash Functions)
Algorithms listed on the M7 core diagram (clear data in, encrypted data out): AES, Camellia, CRC32c, DES, 3DES, DH, DSA, ECC, MD5, RSA, SHA-1, SHA-224, SHA-256, SHA-384, SHA-512
Security in Silicon: Encryption Acceleration
Secure Multi-Tier Enterprise Database and Java Performance Delivered
(Chart on the slide: near zero performance difference with the secure configuration.)
• Nominal Performance Impact
• Zero Additional Hardware Cost
Cyber Attacks and Data Breaches
Things you need to know
1. Cyber crime is accelerating, and so are its cost and risk
• Bad guys are getting much more sophisticated and persistent
2. Don't assume it won't happen to you… It will
• Even the CIA (US) got hacked and 20M personnel records compromised
• Most larger companies have already been hacked; many don't yet know (NSA)
3. Perimeter/Network Security alone cannot protect your data. It needs to be secured inside out
• Architected and built into every layer of the compute stack to protect your
SECURING THE COMPLETE STACK AND YOUR DATA INSIDE OUT SAVES TIME, MONEY AND REDUCES RISK
• Provides highest performance, most efficient and secure storage, architected for both on premise and the cloud
• Integrates end-to-end data security across ALL layers of the compute stack and the cloud
• Provides industry's most comprehensive and secure cloud offering