
Oracle Database 12c Data Protection and Multitenancy on Oracle Solaris 11

Xiaosong Zhu Senior Software Engineer

Copyright © 2014, Oracle and/or its affiliates. All rights reserved. |

Page 3:

Safe Harbor Statement

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.

Page 4:

Program Agenda

1. Database Multi-tenancy on Solaris 11
2. Secure Multi-tenancy with Data Protection
3. HOL9762, 10/1/14, 13:15 - 14:15, Nikko Ballroom I

Page 5:

Business Drivers: Why Database Multi-tenancy

Requirements
• Tenant isolation
• Security
• Easy adoption
• Manage as one

Economic Pressures: consolidate to cut costs
• Reduce power
• Reduce floor space
• Reduce hardware

Security Pressures: deliver end-to-end database security
• Database isolation
• Resource isolation
• Data security

Cloud

Page 6:

Secure Database Multi-tenancy on Oracle Solaris

• Solaris Zones: share servers and OS
• Database 12c Multitenant: share servers, OS and database

(Figure: the two options placed on a spectrum running from Increasing Isolation to Increasing Consolidation)

Page 7:

Using Solaris Zones to Set up a Secure Multitenant Environment

• Oracle Solaris OS built-in virtualization
• Safely and securely run multiple applications on a single system
• One OS instance for all zones
• Rapidly scale to meet growing demand

(Figure: a Global Zone running Oracle Solaris 11.2 hosts dbzone1 (Oracle DB12c, vnic1, disk C2t0d0) and dbzone2 (Oracle DB11g R2, vnic2, disk C2t1d0); further disks C2t2d0 and C2t3d0, CPUs and memory are assigned to the zones)

Page 8:

Oracle Database 12c Multitenant

Pluggable Databases (PDBs)

(Figure: Multitenant Container Database cdb1, consisting of a Root and three 12.1 PDBs: pdb11, pdb12 and pdb13)

• Oracle Database 12c offers built-in database-level multi-tenancy, supported by a unique architecture known as “Pluggable Databases”
• Pluggable databases are self-contained database instances that run on a shared Oracle 12c Database kernel instance, allowing for extreme database mobility (they may be moved from one database kernel instance to another via a simple migration operation)
• A PDB feels and operates identically to a non-CDB

Page 9:

Solaris Zones and Database 12c Multitenant

• Solaris Zones
  – Low overhead
  – OS isolation
  – Flexible resource management
  – Rapid scale
  – Secure

• Database 12c Multitenant
  – Minimize CapEx
  – Minimize OpEx
  – Maximize Agility
  – Ease of Adoption

(Figure: “Shared and Isolated” spectrum running from Isolated to Shared, with axes for number of tenants, number of users per tenant, and per-tenant value-added services)

Page 10:

Program Agenda

1. Database Multi-tenancy on Solaris 11
2. Secure Multi-tenancy with Data Protection
3. HOL9762, 10/1/14, 13:15 - 14:15, Nikko Ballroom I

Page 11:

Why Do We Need Data Protection?

• A single security breach
  – Sutter Health data breach in 2011
  – More than 4 million patients’ information stolen

• Massive business impact
  – Consumer confidence lost
  – Sued for $1 billion following the data breach

Page 12:

Secure Multi-tenancy with Data Protection on Solaris: Two Levels of Data Protection

(Figure: two layers around a Database 12c PDB. Database Encryption: an External Security Module (software/hardware keystore) holds the TDE Master Encryption Key, which encrypts the PDB’s data. File System Encryption: the PDB’s files are encrypted by the Encrypted ZFS dataset they reside on.)

Page 13:

DB Secure Data on Solaris Encrypted ZFS Filesystem
At Rest Protection -- File System Encryption

• On-disk encryption for ZFS data
• Block-level encryption, activated at dataset / file system creation time
• Offers:
  – Protection against theft of physical storage and man-in-the-middle attacks on the SAN
  – Secure deletion
• Security check against passphrase or numeric key performed when mounting the file system

(Figure: an App and a PDB running on top of several ZFS datasets, one of which is an Encrypted ZFS dataset)

Page 14:

Oracle Database Transparent Data Encryption
Database Encryption

• Encrypts columns or entire application tablespaces
• Protects the database files on disk and on backups
• Compatible with applications, no changes required
• Crypto acceleration on Solaris 11: leverages the hardware crypto of SPARC T4/T5 and Intel AES-NI

(Figure: an OS user attempting to directly access the contents of the tablespace file usershol.dbf sees only Encrypted Data; unauthorized access is blocked by encryption, with the keys managed by the Oracle Database)
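The following script is an added example, not part of the slides or of any Oracle lab material: it sets up the two protection layers the ZFS slide and this TDE slide describe for one PDB on Solaris 11. Layer 1 creates an encrypted ZFS dataset for the PDB's datafiles (encryption is fixed at creation time, and the key must be loaded before the dataset can be mounted); layer 2 creates a software keystore, sets a TDE master key and creates an AES-256 encrypted tablespace inside the PDB. Every dataset, mountpoint, key-file, keystore directory and PDB name is an assumption, and DRY_RUN=1 (the default) prints each command instead of running it.

```shell
#!/bin/sh
# Added example (not from the slides). Names below are constructed.
# DRY_RUN=1 prints the commands; DRY_RUN=0 executes them as root on Solaris 11.
: "${DRY_RUN:=1}"

run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Layer 1: file system encryption.
# A raw 256-bit AES key is generated with pktool into a root-only file, so the
# dataset can be mounted at boot without a passphrase prompt.
generate_raw_key() {
  keyfile="$1"
  run pktool genkey keystore=file outkey="$keyfile" keytype=aes keylen=256
  run chmod 400 "$keyfile"
}

# encryption= can only be set when the dataset is created; it cannot be
# switched on for an existing dataset, which is why the PDB gets its own one.
create_encrypted_dataset() {
  ds="$1"; mnt="$2"; keyfile="$3"
  run zfs create -o encryption=aes-256-ccm \
                 -o keysource="raw,file://$keyfile" \
                 -o mountpoint="$mnt" "$ds"
}

# After a reboot the wrapping key is not loaded: load it, confirm keystatus
# reports "available", and only then mount the dataset for the database.
load_key_and_mount() {
  ds="$1"
  run zfs key -l "$ds"
  run zfs get -H -o value keystatus "$ds"
  run zfs mount "$ds"
}

# Layer 2: TDE inside the database.
# Emits a SQL*Plus script for the CDB: create the software keystore in the
# directory that ENCRYPTION_WALLET_LOCATION in sqlnet.ora points to, open it
# for all containers, set a master key (after backing the keystore up), then
# create an encrypted tablespace in the PDB. The keystore password is read
# from the terminal at run time and is never stored in the script.
tde_setup_sql() {
  keystore_dir="$1"; pdb="$2"; datafile="$3"
  cat <<EOF
SET VERIFY OFF
ACCEPT ks_pw CHAR PROMPT 'Keystore password: ' HIDE
ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '$keystore_dir' IDENTIFIED BY "&ks_pw";
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "&ks_pw" CONTAINER=ALL;
ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY "&ks_pw" WITH BACKUP CONTAINER=ALL;
ALTER SESSION SET CONTAINER=$pdb;
CREATE TABLESPACE users_enc DATAFILE '$datafile' SIZE 100M
  ENCRYPTION USING 'AES256' DEFAULT STORAGE (ENCRYPT);
EOF
}

# Run the script with @file so that ACCEPT reads the password from the
# terminal rather than from a pipe.
apply_tde() {
  if [ "$DRY_RUN" = "1" ]; then
    tde_setup_sql "$@"
  else
    tmp=$(mktemp) || return 1
    tde_setup_sql "$@" > "$tmp"
    sqlplus -S / as sysdba "@$tmp"; rc=$?
    rm -f "$tmp"
    return $rc
  fi
}

# End-to-end run for a constructed PDB named pdb1.
main() {
  generate_raw_key /etc/zfs/keys/pdb1.key
  create_encrypted_dataset rpool/oradata/pdb1 /oradata/pdb1 /etc/zfs/keys/pdb1.key
  load_key_and_mount rpool/oradata/pdb1
  apply_tde /etc/ORACLE/WALLETS/cdb1 pdb1 /oradata/pdb1/users_enc01.dbf
}
main
```

The two layers protect against different failures: the ZFS key guards the raw disk (stolen storage, SAN snooping, and secure deletion by destroying the key), while the TDE master key in the keystore guards the tablespace contents even from an OS user who can read usershol.dbf, which is the scenario the figure on this slide shows.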

Page 15:

Data Protection

• TDE and ZFS Encryption
  – 2-tier key architecture
  – Provide transparent encryption and decryption
  – Can leverage a hardware crypto accelerator

• ZFS Encryption
  – Can be used for databases other than Oracle Enterprise Edition (e.g. MySQL)

• TDE
  – OS and file system agnostic
  – Agile keystore (wallet) management

Page 16:

Program Agenda

1. Database Multi-tenancy on Solaris 11
2. Secure Multi-tenancy with Data Protection
3. HOL9762, 10/1/14, 13:15 - 14:15, Nikko Ballroom I

Page 17:

HOL9762 Oracle Database 12c Data Protection and Multitenancy on Oracle Solaris 11

• Venue / Room: Hotel Nikko - Nikko Ballroom I
• Date and Time: 10/1/14, 13:15 - 14:15
• Agenda:
  – Exercise 1: Using Solaris Zones to Set up a Multitenant Database Environment
  – Exercise 2: Exploring Oracle Database 12c Multitenant
  – Exercise 3: Using Oracle Transparent Data Encryption with Solaris Cryptographic Framework
