Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
Encrypt Your Crown Jewels and Manage Keys Efficiently with Oracle Key Vault Data Encryption and Key Management
Saikat Saha, Product Director, Database Security, Oracle. October 03, 2017
Safe Harbor Statement
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
Program Agenda
1. Overview of Oracle Transparent Data Encryption (TDE)
2. What’s new in Oracle Transparent Data Encryption (TDE)
3. Overview of Oracle Key Vault
4. What’s new in Oracle Key Vault
5. Sharing a real-life deployment experience
Oracle Advanced Security
(Diagram: Transparent Data Encryption yields encrypted storage for disks, exports and backups; Data Redaction yields redacted applications.)
Critical Requirements for Data-at-Rest Encryption
Requirements and details:
• Transparency: no changes to the application stack
• Performance Impact: minimal
• Wallet Management: SSO (auto-login), use wallets to share keys in RAC, GoldenGate, ADG
• Master Key Management: the master key is externalized for physical separation from the encrypted data
• Full-Stack Integration: DB technology: REDO/TEMP logs, RAC, Multitenant, GoldenGate, Active Data Guard, Exadata
• Migration of Data: offline and online tablespace conversion from clear-text data
Oracle Advanced Security Transparent Data Encryption (TDE)
• Encrypts columns or entire tablespaces
• Protects the database files on disk and on backups
• High-speed performance
• Transparent to applications, no changes required
• Integrated with Oracle DB technologies
(Diagram: applications see clear data; the same data is encrypted on disks, in exports, in backups and at off-site facilities.)
TDE Integration with Oracle Database
Database technologies and example points of integration, each with TDE support:
• High-Availability Clusters: Oracle Real Application Clusters (RAC), Data Guard, Active Data Guard
• Backup and Restore: Oracle Recovery Manager (RMAN), Oracle Secure Backup
• Export and Import: Oracle Data Pump Export and Import
• Database Replication: Oracle GoldenGate
• Pluggable Databases: Oracle Multitenant Option
• Engineered Systems: Oracle Exadata Smart Scans
• Storage Management: Oracle Automatic Storage Management (ASM)
• Data Compression: Oracle Standard, Advanced, and Hybrid Columnar Compression
Data-At-Rest Encryption for Exadata: Integrations and Optimizations
• Oracle Advanced Security Transparent Data Encryption (TDE) to protect database columns and tablespaces
– Performance boost from leveraging Smart Scans and CPU-based cryptographic acceleration
• Oracle ASM Cluster File System (ACFS) encryption to protect log and configuration files on Exadata
• Oracle Key Vault to centrally manage Oracle Wallets/Master Keys and TDE/ACFS master keys on Exadata
TDE Key Architecture
• Data encryption keys are created and managed by TDE automatically
• A master encryption key encrypts the data encryption keys
• The master key is stored in a keystore such as Oracle Wallet or Oracle Key Vault
(Diagram: the master key lives in Oracle Wallet OR Oracle Key Vault; it wraps the table keys used for TDE encrypted columns and the tablespace keys used for TDE encrypted tablespaces.)
Program Agenda with Highlight
1. Overview of Oracle Advanced Security
2. What’s new in Oracle Advanced Security
3. Overview of Oracle Key Vault
4. What’s new in Oracle Key Vault
5. Allianz’s Experience
Innovations in Oracle Database 12c Release 2: Transparent Data Encryption (TDE)
• Tablespace conversion from clear-text to encrypted
– Online tablespace encryption in the background with no downtime
– Offline tablespace conversion with no storage overhead
• Regional encryption algorithms
– ARIA and SEED for South Korean customers, GOST for Russian customers
• FIPS 140-2 Level 1 Cryptographic Module
– Uses approved encryption suites for SSL/TLS and TDE
Online vs. Offline Tablespace Conversion
• When can I run the conversion?
– Offline encryption: offline tablespace OR database in mount stage
– Online encryption: online tablespace AND database is open in read write mode
• Do I need to plan for downtime?
– Offline encryption: requires temporarily taking the tablespace offline, unless using Data Guard
– Online encryption: no, encrypts the tablespace in the background with no downtime
• Do I need additional storage space?
– Offline encryption: no
– Online encryption: yes, storage overhead is only 2x the largest tablespace file
• Can I run encryption operations in parallel?
– Offline encryption: yes, enables simultaneous encryption of multiple data files across multiple cores
– Online encryption: yes, at the tablespace level with multiple sessions running
• Can data encryption keys be rekeyed or rotated?
– Offline encryption: no
– Online encryption: yes, supports live re-encryption of tablespace data (a.k.a. data key rotation)
• Which encryption is supported?
– Offline encryption: AES128 only
– Online encryption: AES128 and AES256
• Backported to earlier releases?
– Offline encryption: releases 12.1.0.2 and 11.2.0.4
– Online encryption: no (only DB 12c Release 2)
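The two conversion paths compared above, written out as the Oracle Database 12.2 SQL a DBA would run; this is an added example, not from the original deck. The tablespace name users, the data file names and the keystore password are placeholders, and the keystore is assumed to be password-based (a software wallet or Key Vault).

```sql
-- Prerequisite for either path (12c syntax): an open keystore that
-- already holds a TDE master key. "keystore_pw" is a placeholder.
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "keystore_pw";
ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY "keystore_pw" WITH BACKUP;

-- Offline conversion: the tablespace must be offline (or the database
-- in mount stage), no extra storage is needed, AES128 only, and the
-- feature is backported to 12.1.0.2 and 11.2.0.4.
ALTER TABLESPACE users OFFLINE NORMAL;
ALTER TABLESPACE users ENCRYPTION OFFLINE ENCRYPT;
ALTER TABLESPACE users ONLINE;

-- Online conversion (12.2 only): the tablespace stays online and the
-- database open read write. A new copy of each data file is written,
-- so budget storage of up to 2x the largest file while it runs.
ALTER TABLESPACE users ENCRYPTION ONLINE USING 'AES256' ENCRYPT
  FILE_NAME_CONVERT = ('users.dbf', 'users_enc.dbf');

-- Data key rotation is online-only: live re-encryption under a new
-- tablespace key, again via a converted copy of the data files.
ALTER TABLESPACE users ENCRYPTION ONLINE USING 'AES256' REKEY
  FILE_NAME_CONVERT = ('users_enc.dbf', 'users_rekey.dbf');

-- Verify: STATUS reads ENCRYPTING or REKEYING while the background
-- operation is still running and NORMAL once it has completed.
SELECT t.name, e.encryptionalg, e.encryptedts, e.status
  FROM v$encrypted_tablespaces e
  JOIN v$tablespace t ON t.ts# = e.ts#;
```

Run the offline path only in a window where the tablespace can be unavailable; the online path needs neither a window nor a Data Guard switchover.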
Innovations in Oracle Database 18c: Transparent Data Encryption (TDE)
• BYOK: bring your own TDE master encryption key into the database
– Supports AES256, ARIA256, SEED128, GOST256
• Allow separate keystores for each pluggable database
– Each PDB can now optionally manage its own keystore (in “isolated mode”)
• Ability to restore clear or encrypted on-prem data to the cloud (automatically encrypted) using RMAN backup/restore
Critical Requirements for Data-at-Rest Encryption (recap: TDE covers each requirement)
• Transparency: no changes to the application stack
• Performance Impact: minimal
• Wallet Management: SSO (auto-login), use wallets to share keys in RAC, GoldenGate, ADG
• Master Key Management: the master key is externalized for physical separation from the encrypted data
• Full-Stack Integration: DB technology: REDO/TEMP logs, RAC, Multitenant, GoldenGate, Active Data Guard, Exadata
• Migration of Data (New): offline and online tablespace conversion from clear-text data
Critical Requirements for Centralized Key Management
Requirements and details:
• Manage Wallet and Java KeyStore: centrally store, retrieve, and share in RAC, GoldenGate, ADG
• Online TDE master key: removes wallet management operations, provides physical separation
• Support endpoints: Oracle Databases, Middleware, MySQL TDE, Solaris Crypto, ACFS
• Availability: primary and standby, the standby automatically becomes primary
• Scalability: manage multiple hundreds of databases
• Hybrid Cloud Key Management: maintain control and visibility of cloud keys from the on-premise Key Vault
• Integration with HSM: support a hardware security module as root-of-trust (SafeNet/Gemalto Luna SA 7000 and Thales nShield Connect 6000+)
• Persistent Cache: improves database continuity when the Key Vault server is not reachable
• Read-only Restricted Mode: improves database continuity, ensures no key loss by limiting updates
Oracle Key Vault Use Cases
• Oracle Wallet upload and download
• Oracle Database online master key
• ASM Cluster File Systems (encrypted) on ASM storage nodes: online master key
• Credential file upload and download
• Java Keystore upload and download
• MySQL keys
• Solaris Crypto keys
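The “Oracle Database online master key” use case listed above, shown as the 12c steps that move a database from a local software wallet to a master key held in Key Vault; this is an added example, not from the original deck. The wallet directory, the endpoint password and the database name are placeholders, and the Key Vault endpoint software (okvutil and its PKCS#11 library) is assumed to be installed and enrolled on the database host already.

```sql
-- sqlnet.ora on the database host (not SQL, shown for context): TDE
-- is pointed at the PKCS#11 keystore, i.e. Key Vault. The directory
-- keeps the old wallet and the auto-login file created in step 2.
--   ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=HSM)
--     (METHOD_DATA=(DIRECTORY=/etc/ORACLE/WALLETS/orcl)))

-- 1. Migrate: a new master key is created in Key Vault and the
--    contents of the local wallet are re-wrapped under it, so the
--    master key no longer sits on the same host as the data files.
--    "okv_endpoint_pw" is the endpoint password chosen at enrollment
--    (placeholder; endpoints enrolled for auto-login use "NULL").
ADMINISTER KEY MANAGEMENT SET ENCRYPTION KEY
  IDENTIFIED BY "okv_endpoint_pw"
  MIGRATE USING "wallet_pw" WITH BACKUP;

-- 2. Optional SSO: keep the endpoint password in a local auto-login
--    keystore so the database opens Key Vault at startup without a
--    DBA typing the password (the wallet management requirement above).
ADMINISTER KEY MANAGEMENT ADD SECRET 'okv_endpoint_pw'
  FOR CLIENT 'HSM_PASSWORD'
  TO LOCAL AUTO_LOGIN KEYSTORE '/etc/ORACLE/WALLETS/orcl';

-- 3. Verify: WRL_TYPE HSM with STATUS OPEN means the master key is
--    now served by Key Vault rather than read from a file on disk.
SELECT wrl_type, wallet_type, status FROM v$encryption_wallet;

-- 4. From here on, master key rotation happens in Key Vault; the
--    previous keys stay available there for reading old backups.
ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY "okv_endpoint_pw";
```

Keep the migrated software wallet's backup until every backup taken under the old master key has aged out; after step 1 the old wallet is no longer the keystore of record.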
Oracle Key Vault High-Level Architecture
(Diagram: a primary Key Vault with a standby, providing an administration console, alerts, reports and secure backups; databases, servers and middleware connect as endpoints over OASIS KMIP; managed objects include credential files, Oracle Wallets, server passwords, Java Keystores and certificates.)
Oracle Key Vault 12.2 Highlights
• Target Platforms: Linux, Solaris, AIX, HP-UX (IA), Windows 2008, 2012
• Preconfigured reports: End point activity, Key expiration, Entitlement
• Operational:
– Endpoint enrollment and provisioning automation leveraging RESTful interfaces
– Remote monitoring via SNMP v3
– One-click log download on server/client
• Security:
– Third-party CA support for Management Console
– Automatic email notification for alerts
– Audit consolidation using Oracle Audit Vault
– Certification - STIG compliance
OKV Deployment Architecture
(Diagram: a primary OKV with a standby (Data Guard); encryption clients reach OKV over KMIP, using the PKCS#11 library for the TDE online master key and okvutil for wallet upload/download; an HSM acts as root-of-trust; audit logs are forwarded to Audit Vault or syslog; monitoring is via SNMP, email notifications go through an SMTP server, and remote backups are copied over SCP to a file system.)
Key Vault Hybrid Deployment
(Diagram labels: reports and alerts; on-premise Key Vault; gateway; SSH tunnel; Oracle Cloud with users and applications.)
Persistent Master Key Cache Details
• Goal: databases continue to work when the OKV server is unavailable
• Challenge: the database needs to contact OKV for every new process and every redo log switch, in addition to database startup
• Solution: persistent cache
– Persistent means the cache works across database processes
– Implemented in the OKV PKCS#11 library, so no database patching is needed on 11.2.0.4 and 12.1.0.2
– Cache period/duration is defined by the user-configurable PKCS11_PERSISTENT_CACHE_TIMEOUT parameter in okvclient.ora; the default value 1440 corresponds to one day
– The cache is persisted in an Oracle Wallet file
HSM Integration
• HSM as root-of-trust
– SafeNet Luna 7000
– Thales nShield 6000+
• Root-of-trust remains in the HSM: three-tier hierarchy
– The HSM root of trust protects the wallet password, which protects the TDE master key
• HSMs should also be deployed in an HA configuration
– OKV continues to function after the HSM is disconnected, until the next restart
• The HSM does not store customer keys
(Diagram: HSM ecosystem with primary, secondary and backup HSMs serving the OKV HA cluster over PKCS#11.)
OKV 12.2 BP5 Update
• Availability and Scalability
– Primary OKV continues in read-only restricted mode when the standby becomes unavailable
– Persistent cache performance enhancements
• Operational
– Forward the OKV database audit trail to a syslog server, enabling faster notification of the operations team
• Management Console UI
– Better searchability for keys in the management console
– Additional attributes on the "All Items" page for improved search
Critical Requirements for Centralized Key Management (recap: Key Vault covers each requirement; the three items covered in this section are marked New)
• Manage Wallet and Java KeyStore: centrally store, retrieve, and share in RAC, GoldenGate, ADG
• Online TDE master key: removes wallet management operations, provides physical separation
• Support endpoints: Oracle Databases, Middleware, MySQL TDE, Solaris Crypto, ACFS
• Availability: primary and standby, the standby automatically becomes primary
• Scalability: manage multiple hundreds of databases
• Hybrid Cloud Key Management: maintain control and visibility of cloud keys from the on-premise Key Vault
• Integration with HSM (New): support a hardware security module as root-of-trust (SafeNet/Gemalto Luna SA 7000 and Thales nShield Connect 6000+)
• Persistent Cache (New): improves database continuity when the Key Vault server is not reachable
• Read-only Restricted Mode (New): improves database continuity, ensures no key loss by limiting updates
Business Drivers for the Customer
• Prepare for EU-GDPR (effective May ’18): encryption and key management
• Centralize the keystore to streamline the operational complexity of managing software wallets across a large enterprise environment
• Prevent key loss due to a forgotten password or accidental deletion
• On-premises key management for encrypted systems offered in the public cloud
Key Vault Customer Deployment
(Diagram: a primary and a secondary data center, each running RAC databases with backups on ACFS, linked by Data Guard and ACFS replication; the primary OKV sits in one DC and the standby OKV in the other, monitored by Enterprise Manager Cloud Control 13c; encrypted systems also run in the public cloud.)
Implementation Details
• Centralized encryption key and wallet management enables managing encryption keys and wallets for a large and complex landscape
• Use cases: wallet upload/download, password file for Oracle and DB2-LUW
• Operational steps in a work book for 24x7 support
– Initial installation and periodic upgrade, setup/upgrade of high availability (primary and standby)
– Remote backup on ACFS including replication, restore from the remote backup in the secondary data center
– Monitoring of the Key Vault process (KMIP daemon) using Cloud Control 13cR2
– Syslog transfer to a centralized audit server
– Wallet setup for automatic endpoint provisioning, setup of endpoint groups
– Use of the RESTful utility service for automating endpoint enrollment and provisioning, and for defining endpoint access control for wallets
Customer Experience Summary
• Databases continue to be the treasure hunt for attackers: they are the most attractive targets because they are the information store holding all the sensitive data. To shrink the attack surface and reduce the number of ways in which attackers can access the databases, it is important to enforce separation of keys and master keys from the encrypted data.
• Oracle Key Vault is the preferred tool to simplify daily life with encryption in such a large and complex landscape