Encrypt Your Crown Jewels and Manage Keys Efficiently with Oracle Key Vault
Data Encryption and Key Management

Saikat Saha, Product Director, Database Security, Oracle
October 03, 2017

Copyright © 2017, Oracle and/or its affiliates. All rights reserved.


Safe Harbor Statement

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.


Program Agenda

1. Overview of Oracle Transparent Data Encryption (TDE)
2. What’s new in Oracle Transparent Data Encryption (TDE)
3. Overview of Oracle Key Vault
4. What’s new in Oracle Key Vault
5. Sharing a real-life deployment experience (Allianz)


Oracle Advanced Security

(Figure: Transparent Data Encryption writes encrypted data to storage, so disks, exports and backups hold only ciphertext; Data Redaction delivers redacted data to applications.)


Critical Requirements for Data-at-Rest Encryption

• Transparency: No changes to the application stack
• Performance Impact: Minimal
• Wallet Management: SSO (auto-login); use wallets to share keys in RAC, GoldenGate, ADG
• Master Key Management: Master key is externalized for physical separation from encrypted data
• Full-Stack Integration: DB technology: REDO/TEMP logs, RAC, Multitenant, GoldenGate, Active Data Guard, Exadata
• Migration of Data: Offline and online tablespace conversion from clear-text data


Oracle Advanced Security Transparent Data Encryption (TDE)

• Encrypts columns or entire tablespaces
• Protects the database files on disk and on backups
• High-speed performance
• Transparent to applications, no changes required
• Integrated with Oracle DB technologies

(Figure: applications work with clear data, while disks, exports, backups and off-site facilities hold only encrypted data.)


TDE Integration with Oracle Database

Database technologies and example points of integration with TDE support:

• High-Availability Clusters: Oracle Real Application Clusters (RAC), Data Guard, Active Data Guard
• Backup and Restore: Oracle Recovery Manager (RMAN), Oracle Secure Backup
• Export and Import: Oracle Data Pump Export and Import
• Database Replication: Oracle GoldenGate
• Pluggable Databases: Oracle Multitenant Option
• Engineered Systems: Oracle Exadata Smart Scans
• Storage Management: Oracle Automatic Storage Management (ASM)
• Data Compression: Oracle Standard, Advanced, and Hybrid Columnar Compression


Data-At-Rest Encryption for Exadata: Integrations and Optimizations

• Oracle Advanced Security Transparent Data Encryption (TDE) to protect database columns and tablespaces
– Performance boost from leveraging Smart Scans and CPU-based cryptographic acceleration
• Oracle ASM Cluster File System (ACFS) encryption to protect log and configuration files on Exadata
• Oracle Key Vault to centrally manage Oracle Wallets/Master Keys and TDE/ACFS master keys on Exadata


TDE Key Architecture

• Data encryption keys are created and managed by TDE automatically
• A master encryption key encrypts the data encryption keys
• The master key is stored in a keystore such as Oracle Wallet or Oracle Key Vault

(Figure: a Master Key held in Oracle Wallet or Oracle Key Vault protects the Table Key for TDE encrypted columns and the Tablespace Key for a TDE encrypted tablespace.)
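The two-tier hierarchy on this slide, as an added example that is not Oracle's code: a master key in a stand-in keystore wraps a per-tablespace data key, and rotating the master key only re-wraps that data key while the encrypted data stays as it is. AES-256-GCM from Go's standard library is assumed as the cipher; Keystore, Tablespace and the function names are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Keystore stands in for the TDE keystore (an Oracle Wallet or Oracle Key Vault)
// and holds only the master key. Constructed example, not Oracle's implementation.
type Keystore struct{ Master []byte }

type Tablespace struct{ WrappedDEK, Data []byte } // data key wrapped by the master key; data sealed by the data key

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// seal encrypts under key with a fresh nonce; open fails authentication under a wrong key, so a stale master key is detected.
func seal(key, plaintext []byte) []byte {
	g := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := make([]byte, g.NonceSize())
	must(rand.Read(nonce))
	return g.Seal(nonce, nonce, plaintext, nil)
}

func open(key, blob []byte) ([]byte, error) {
	g := must(cipher.NewGCM(must(aes.NewCipher(key))))
	if len(blob) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], nil)
}

// EncryptTablespace: a fresh data key encrypts the data, the master key wraps the data key.
func EncryptTablespace(ks *Keystore, clear []byte) *Tablespace {
	dek := make([]byte, 32) // AES-256 data encryption key, created per tablespace
	must(rand.Read(dek))
	return &Tablespace{WrappedDEK: seal(ks.Master, dek), Data: seal(dek, clear)}
}

// ReadTablespace unwraps the data key with the master key, then decrypts the data.
func ReadTablespace(ks *Keystore, ts *Tablespace) ([]byte, error) {
	dek, err := open(ks.Master, ts.WrappedDEK)
	if err != nil {
		return nil, err // wrong or absent master key: the data stays unreadable
	}
	return open(dek, ts.Data)
}

// RotateMasterKey re-wraps each data key under a new master key without touching the
// encrypted data; rotating a data key itself would mean re-encrypting the tablespace.
func RotateMasterKey(ks *Keystore, tss []*Tablespace) error {
	newMaster := make([]byte, 32)
	must(rand.Read(newMaster))
	for _, ts := range tss {
		dek, err := open(ks.Master, ts.WrappedDEK)
		if err != nil {
			return err
		}
		ts.WrappedDEK = seal(newMaster, dek)
	}
	ks.Master = newMaster
	return nil
}
```

The contrast with slide 13 follows from the structure: a master key rekey is a metadata operation, while data key rotation is the re-encryption that only online conversion performs.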


Innovations in Oracle Database 12c Release 2: Transparent Data Encryption (TDE)

• Tablespace conversion from clear-text to encrypted
– Online tablespace encryption in background with no downtime
– Offline tablespace conversion with no storage overhead
• Regional encryption algorithms
– ARIA and SEED for South Korean customers, GOST for Russian customers
• FIPS 140-2 Level 1 Cryptographic Module
– Uses approved encryption suites for SSL/TLS and TDE

Page 13: Encrypt Your Crown Jewels and Manage Keys Efficiently with ... · Encrypt Your Crown Jewels and Manage Keys Efficiently with Oracle Key Vault Data Encryption and Key Management

Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |

Online vs. Offline Tablespace Conversion

When can I run the conversion?
– Offline encryption: offline tablespace OR database in mount stage
– Online encryption: online tablespace AND database open in read-write mode

Do I need to plan for downtime?
– Offline encryption: requires temporarily taking the tablespace offline, unless using Data Guard
– Online encryption: no, encrypts the tablespace in the background with no downtime

Do I need additional storage space?
– Offline encryption: no
– Online encryption: yes, storage overhead is only 2x the largest tablespace file

Can I run encryption operations in parallel?
– Offline encryption: yes, enables simultaneous encryption of multiple data files across multiple cores
– Online encryption: yes, at the tablespace level with multiple sessions running

Can data encryption keys be rekeyed or rotated?
– Offline encryption: no
– Online encryption: yes, supports live re-encryption of tablespace data (a.k.a. data key rotation)

Which encryption is supported?
– Offline encryption: AES128 only
– Online encryption: AES128 and AES256

Backported to earlier releases?
– Offline encryption: releases 12.1.0.2 and 11.2.0.4
– Online encryption: no (only DB 12c Release 2)


Innovations in Oracle Database 18c: Transparent Data Encryption (TDE)

• BYOK: Bring Your Own TDE master encryption Key into the database
– Supports AES256, ARIA256, SEED128, GOST256
• Allow separate keystores for each Pluggable Database
– Each PDB can now optionally manage its own keystore (in “isolated mode”)
• Ability to restore clear or encrypted on-prem data to the cloud (automatically encrypted) using RMAN backup/restore


Critical Requirements for Data-at-Rest Encryption (recap against TDE)

• Transparency: No changes to the application stack
• Performance Impact: Minimal
• Wallet Management: SSO (auto-login); use wallets to share keys in RAC, GoldenGate, ADG
• Master Key Management: Master key is externalized for physical separation from encrypted data
• Full-Stack Integration: DB technology: REDO/TEMP logs, RAC, Multitenant, GoldenGate, Active Data Guard, Exadata
• Migration of Data: Offline and online tablespace conversion from clear-text data (New)


Critical Requirements for Centralized Key Management

• Manage Wallet and Java KeyStore: Centrally store, retrieve, and share in RAC, GoldenGate, ADG
• Online TDE master key: Removes wallet management operations, provides physical separation
• Support endpoints: Oracle Databases, Middleware, MySQL TDE, Solaris Crypto, ACFS
• Availability: Primary and Standby; Standby automatically becomes Primary
• Scalability: Manage multiple hundreds of databases
• Hybrid Cloud Key Management: Maintain control and visibility of cloud keys from on-premise Key Vault
• Integration with HSM: Support hardware security module as root-of-trust (SafeNet/Gemalto Luna SA 7000 and Thales nShield Connect 6000+)
• Persistent Cache: Improves database continuity when the Key Vault server is not reachable
• Read-only Restricted Mode: Improves database continuity, ensures no key loss by limiting updates


Oracle Key Vault Use Cases

• Oracle Database: Oracle Wallet upload & download; online master key
• ASM Storage Nodes / ASM Cluster File Systems (encrypted): online master key
• Credential file upload & download
• Java Keystore upload & download
• MySQL keys
• Solaris Crypto keys


Oracle Key Vault High-Level Architecture

(Figure: databases, servers and middleware connect to Key Vault and its Standby over OASIS KMIP; Key Vault stores credential files, Oracle Wallets, server passwords, Java Keystores and certificates, and provides an administration console, alerts, reports and secure backups.)


Oracle Key Vault 12.2 Highlights

• Target Platforms: Linux, Solaris, AIX, HP-UX (IA), Windows 2008, 2012

• Preconfigured reports: End point activity, Key expiration, Entitlement

• Operational:

– Endpoint enrollment and provisioning automation leveraging RESTful interfaces

– Remote monitoring via SNMP v3

– One-click log download on server/client

• Security:

– Third-party CA support for Management Console

– Automatic email notification for alerts

– Audit consolidation using Oracle Audit Vault

– Certification - STIG compliance



OKV Deployment Architecture

(Figure: a Primary and a Standby OKV server (Data Guard). Encryption clients reach OKV over KMIP through the PKCS#11 library for the TDE online master key and through okvutil for wallet upload/download. An HSM is attached as root of trust; audit logs go to Audit Vault or syslog; monitoring uses SNMP; email notifications go through an SMTP server; remote backups are copied with SCP to a file system.)


Key Vault Hybrid Deployment

(Figure: an on-premise Key Vault serves users and applications in Oracle Cloud through a gateway over an SSH tunnel, with reports and alerts delivered on premise.)


Persistent Master Key Cache Details

• Goal: Databases continue to work when the OKV server is unavailable
• Challenge: The database needs to contact OKV for every new process or redo log switch, in addition to database startup
• Solution: Persistent Cache
– Persistent implies working across database processes
– Implemented in the OKV PKCS#11 library, so no database patching is needed in 11.2.0.4 and 12.1.0.2
– Cache period/duration is defined by the user-configurable PKCS11_PERSISTENT_CACHE_TIMEOUT parameter in okvclient.ora; default value 1440 (one day)
– Cache persisted in an Oracle Wallet file


HSM Integration

• HSM as root-of-trust
– SafeNet Luna 7000
– Thales nShield 6000+
• Root-of-trust remains in HSM: three-tier hierarchy
– HSM root of trust protects the wallet password, which protects the TDE master key
• HSMs should also be deployed in HA configuration
– OKV continues to function after the HSM is disconnected, until the next restart
• HSM does not store customer keys

(Figure: HSM ecosystem with a primary HSM, a secondary HSM and a backup HSM serving the OKV HA cluster over PKCS#11.)


OKV 12.2 BP5 Update

• Availability and Scalability
– Primary OKV continues in read-only restricted mode when Standby becomes unavailable
– Persistent Cache performance enhancements
• Operational
– Forward OKV database audit trail to syslog server, enabling faster notification to the operations team
• Management Console UI
– Better search-ability in the management console for keys
– Additional attributes on the "All Items" page for improved search


Critical Requirements for Centralized Key Management (recap against Key Vault; three rows are flagged New on the slide)

• Manage Wallet and Java KeyStore: Centrally store, retrieve, and share in RAC, GoldenGate, ADG
• Online TDE master key: Removes wallet management operations, provides physical separation
• Support endpoints: Oracle Databases, Middleware, MySQL TDE, Solaris Crypto, ACFS
• Availability: Primary and Standby; Standby automatically becomes Primary
• Scalability: Manage multiple hundreds of databases
• Hybrid Cloud Key Management: Maintain control and visibility of cloud keys from on-premise Key Vault
• Integration with HSM: Support hardware security module as root-of-trust (SafeNet/Gemalto Luna SA 7000 and Thales nShield Connect 6000+)
• Persistent Cache: Improves database continuity when the Key Vault server is not reachable
• Read-only Restricted Mode: Improves database continuity, ensures no key loss by limiting updates


Business Drivers for the Customer

• Prepare for EU-GDPR (Effective May ’18) – Encryption and Key Management

• Centralize Keystore to streamline operational complexity of managing software Wallets across a large enterprise environment

• Prevent Key Loss due to forgotten password or accidental deletion

• On-Premises Key Management for Encrypted Systems offered in Public Cloud



Key Vault Customer Deployment

(Figure: a Primary DC and a Secondary DC, each running RAC databases, with Data Guard between them and backups on ACFS replicated across sites (ACFS Replication); the Primary OKV sits in the primary DC and the Standby OKV in the secondary DC; systems in a Public Cloud are served as well; the estate is monitored with Enterprise Manager Cloud Control 13c.)


Implementation Details

• Centralized encryption key and wallet management makes it possible to manage encryption keys and wallets for a large and complex landscape
• Use cases: Wallet upload/download; password file for Oracle and DB2-LUW
• Operational steps in a work book for 24x7 support
– Initial installation and periodic upgrade; setup/upgrade of High Availability (Primary & Standby)
– Remote backup on ACFS including replication; restore from remote backup in the secondary data center
– Monitoring of the Key Vault process KMIP Daemon using Cloud Control 13cR2
– Syslog transfer to centralized audit server
– Wallet setup for automatic endpoint provisioning; setup of endpoint groups
– Use the RESTful utility service for automating:
• Endpoint enrollment and provisioning
• Defining endpoint access control for wallets


Customer Experience Summary

• Databases continue to be the treasure hunt for attackers: databases remain the most attractive targets because they are the information store holding all the sensitive data. To shrink the attack surface and reduce the number of ways in which attackers can get at the data, it is important to enforce separation of keys and master keys from the encrypted data.
• Oracle Key Vault is the preferred tool to simplify daily life with encryption in such a large and complex landscape
