Cross Domain Security Express (CDSE) July 2016 Patrick Sack Chief Technology Officer Oracle National Security Group


Page 1

Cross Domain Security Express (CDSE)

July 2016

Patrick Sack, Chief Technology Officer, Oracle National Security Group

Page 2

Copyright © 2016, Oracle and/or its affiliates. All rights reserved.

Program Agenda

Introduction

Architecture Overview

Deployment Options

Summary

Unclassified

Page 3

Introduction

Oracle Multi Domain Database: extension of the Enterprise Edition Oracle Database (11g/12c)

First and only accredited Multi Domain Database

Exclusive to Oracle National Security Group (ITAR Controlled)

Multiple Accreditations under DCID 6/3

ICD 503 (800-53) migration

Listed on Unified Cross Domain Services Management Office (UCDSMO) Baseline (as CDSE)

Supports entire corpus of the CAPCO Register (everything)

Page 4

Integrating Intelligence Across Domains

Security by separation results in duplicate infrastructures and O&M costs

Challenges to Replicated Copies of Data
• Replication complexity, failures and time delays
• Multiple versions of data with difficulties in finding the true Master copy

Figure: Domain A, Domain B and Domain C, each holding a replicated copy, compared with a combined Domain A + B + C

Page 5

Multi-Domain Database

Replicated Instances
• Higher Cost
• Lower Mission Performance
• Redundant Copies of Data
• Additional Sustainment Staff
• Replication Complexity and Errors
• Added Configuration Management Costs
• Added Power, Space and Cooling Needs
• No comprehensive auditing with a focus on the security posture of the enterprise

Figure: Multiple Databases compared with a Single Database

Page 6

Single Copy Data Store Serving Many Security Domains Reduces Costs, Improves Intel

Multi-Domain Data Store Allows Secure Information Sharing

• Accurate Intelligence
• Data changes instantly everywhere with zero data inconsistency and zero latency
• One sustainment cost & effort
• Cost reduction N:1
• Supports all major standards and data types
  • REST, SOA, XML, GeoSpatial, Key/Value, JSON, Text, Graph, Documents, SQL
• UCDSMO baseline approved
• Multiple accreditations

Page 7

How It’s Done

1. Reduced Domain Exposure
   – Multi-Level Networking & Isolation
   – One-way Networking – Connect In, No insecure path out
   – Physical and logical security for data and system messaging

2. Mitigate Information Leakage
   – Data Tagging for Visibility, Isolation and Release
   – Data Assurance
   – Trusted Integration between Database and OS

3. Mandatory Security Controls for all Privileged Users
   – OS Administration
   – DB Administration
   – Privileged User Administration

4. Tamper-proof Auditing
   – Collection
   – Filtering and Reporting / Situational Awareness
   – Monitoring and Alerting

Page 8

Layered Security

Notional Classification Markings

Page 9

Oracle Label Security (OLS)
• NSTISSP 11 Compliant
• FIPS/CC Evaluated
• Over 100 IC and DoD Deployments
• CAPCO Compliant Labels
• Set up the OLS Policy Once

• Mission data is labeled
• User connects
• User ID shared with the DBMS
• User (or App) formulates SQL Query
• OLS filters data

Page 10

Oracle Label Security (simplified view)

Network + Authorizations + Security Label = Data

Figure: Example, Oracle Multi Domain Database, 2-5
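The two OLS slides describe the flow "mission data is labeled, user connects, user ID shared with the DBMS, user formulates a SQL query, OLS filters data" but do not show the filtering rule itself. The following is an added example, not Oracle code: a small Python model of the OLS read-access (dominance) check over the three label components OLS uses (level, compartments, groups). The level ranking, the label grammar `LEVEL:COMPARTMENTS:GROUPS`, the `MISSION_DATA` rows and the reader labels are all constructed for the example; real OLS also has write labels, default labels and group hierarchies, which are left out.

```python
"""Model of Oracle Label Security row filtering (read-access dominance).

Added example, not Oracle code.  A session sees a row only when the
session's maximum read label dominates the row's data label:
  * session level       >= row level
  * session compartments is a superset of the row's compartments
  * row has no groups, or the session holds at least one of them
"""
from dataclasses import dataclass, field

# Constructed level ranking (higher = more sensitive), like OLS CREATE_LEVEL.
LEVELS = {"U": 10, "C": 20, "S": 30, "TS": 40}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = field(default_factory=frozenset)
    groups: frozenset = field(default_factory=frozenset)

    @classmethod
    def parse(cls, text: str) -> "Label":
        """Parse 'LEVEL:COMP1,COMP2:GROUP1,GROUP2' (compartments/groups optional)."""
        parts = [p.strip() for p in text.split(":")]
        level = parts[0].upper()
        if level not in LEVELS:
            raise ValueError(f"unknown level {level!r}")
        comps = frozenset(c.strip() for c in parts[1].split(",") if c.strip()) if len(parts) > 1 else frozenset()
        grps = frozenset(g.strip() for g in parts[2].split(",") if g.strip()) if len(parts) > 2 else frozenset()
        return cls(level, comps, grps)

    def dominates(self, other: "Label") -> bool:
        """Read-access check: level, all compartments, any group."""
        if LEVELS[self.level] < LEVELS[other.level]:
            return False
        if not other.compartments <= self.compartments:
            return False
        if other.groups and not (self.groups & other.groups):
            return False
        return True


def ols_filter(rows, max_read_label: str):
    """Rows visible to a session whose maximum read label is max_read_label.
    This is the 'OLS filters data' step applied after the user's ID (and
    therefore label) has been established by the connection."""
    session = Label.parse(max_read_label)
    return [r for r in rows if session.dominates(Label.parse(r["label"]))]


# Constructed mission data with notional labels (not real classifications).
MISSION_DATA = [
    {"id": 1, "report": "port survey",     "label": "U"},
    {"id": 2, "report": "convoy schedule", "label": "S:OPS"},
    {"id": 3, "report": "source memo",     "label": "TS:HUMINT:NATO"},
    {"id": 4, "report": "sigint summary",  "label": "TS:SIGINT,OPS"},
    {"id": 5, "report": "liaison note",    "label": "C::PARTNER"},
]


def visible_ids(max_read_label: str):
    """IDs of MISSION_DATA rows a session with this read label can see."""
    return [r["id"] for r in ols_filter(MISSION_DATA, max_read_label)]


if __name__ == "__main__":
    for who in ("U", "S:OPS", "TS:SIGINT:NATO", "TS:SIGINT,OPS,HUMINT:NATO,PARTNER"):
        print(f"{who:40s} -> {visible_ids(who)}")
```

The point to take from the model is that a high level alone is not enough: the `TS:SIGINT:NATO` session outranks every row by level yet sees only the unlabeled-compartment row, because each of the other rows carries a compartment or group the session lacks. The same predicate applies regardless of which network the query arrived from, which is what lets one data store serve several domains.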

Page 11

Oracle Database Vault (DBV)

Implemented with
– Realms
– Factors
– Command Rules

• Keep privileged database users from abusing their powers
• Address Separation of Duties requirements
• Enforce security policies and block unauthorized database activities
• Prevent application by-pass to protect application data

http://techbus.safaribooksonline.com

Figure: Data Owner, Security Admin and DBA (Separation of Duties), and Application Users; security realms CDR_RAW, Planning Data, Intel Reports and Messages; the query issued by both the DBA and the application users is

select * from PlanningData Where Location = ‘SYRIA’
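The Database Vault slide shows the same `select * from PlanningData` arriving from a DBA and from application users, with a realm around the Planning Data tables. The following is an added example, not Oracle code: a Python model of how a realm and a command rule change the outcome of that query. The account names, privileges, realm membership and the `DROP` command rule are constructed; the semantics modelled (system privileges such as `SELECT ANY TABLE` do not reach objects inside a realm, realm-authorized accounts still need their own object grants, and a command rule gates a SQL command by a rule expression) follow the documented behaviour of Database Vault realms and command rules.

```python
"""Model of Oracle Database Vault realms and command rules.

Added example, not Oracle code.  Without a realm, a DBA holding
SELECT ANY TABLE reads every table.  A realm wraps a set of objects so
that system privileges no longer reach them; only realm-authorized
accounts get through, and they still need ordinary object grants.
"""
from dataclasses import dataclass, field


@dataclass
class Realm:
    name: str
    objects: set        # SCHEMA.TABLE names protected by the realm
    authorized: set     # accounts allowed through the realm


@dataclass
class Session:
    user: str
    system_privs: set = field(default_factory=set)    # e.g. {"SELECT ANY TABLE"}
    object_grants: set = field(default_factory=set)   # e.g. {"SELECT:INTEL.PLANNINGDATA"}


@dataclass
class Vault:
    realms: list = field(default_factory=list)
    command_rules: dict = field(default_factory=dict)   # COMMAND -> rule(session) -> bool

    def _base_access(self, s: Session, cmd: str, obj: str) -> bool:
        """Ordinary Oracle privilege check: system privilege or object grant."""
        return f"{cmd} ANY TABLE" in s.system_privs or f"{cmd}:{obj}" in s.object_grants

    def check(self, s: Session, cmd: str, obj: str):
        """Return (allowed, reason) for `cmd` on `obj` issued by session `s`."""
        obj = obj.upper()
        rule = self.command_rules.get(cmd)
        if rule is not None and not rule(s):
            return False, f"command rule blocks {cmd}"
        for realm in self.realms:
            if obj in realm.objects and s.user not in realm.authorized:
                # Realm violation: system privileges are not honoured inside a realm,
                # which is what keeps the DBA out of mission data.
                return False, f"realm {realm.name} violation"
        if self._base_access(s, cmd, obj):
            return True, "granted"
        return False, "insufficient privilege"


# Constructed setup mirroring the slide: a realm around the planning data.
PLANNING_REALM = Realm("Planning Data", {"INTEL.PLANNINGDATA"}, {"APP_USER", "DATA_OWNER"})
VAULT = Vault(
    realms=[PLANNING_REALM],
    # Constructed command rule: only the data owner may DROP anything.
    command_rules={"DROP": lambda s: s.user == "DATA_OWNER"},
)

SESSIONS = {
    "DBA": Session("DBA", system_privs={"SELECT ANY TABLE", "DROP ANY TABLE"}),
    "APP_USER": Session("APP_USER", object_grants={"SELECT:INTEL.PLANNINGDATA"}),
    "DATA_OWNER": Session("DATA_OWNER",
                          object_grants={"SELECT:INTEL.PLANNINGDATA", "DROP:INTEL.PLANNINGDATA"}),
}


def decide(user: str, cmd: str, obj: str) -> str:
    """Outcome string for a statement such as decide('DBA', 'select', 'intel.planningdata')."""
    allowed, reason = VAULT.check(SESSIONS[user], cmd.upper(), obj)
    return f"{'ALLOW' if allowed else 'DENY'}: {reason}"


if __name__ == "__main__":
    for user in ("DBA", "APP_USER", "DATA_OWNER"):
        print(f"{user:10s} SELECT PlanningData -> {decide(user, 'select', 'intel.planningdata')}")
    print(f"DBA        SELECT HR.EMPLOYEES -> {decide('DBA', 'select', 'hr.employees')}")
```

The DBA keeps full access to tables outside the realm (the HR example), so the separation of duties is enforced only where the security administrator has drawn the realm boundary; auditing, covered in the next slides, is what tells you when a realm violation was attempted.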

Page 12

Oracle Advanced Security

Transparent Data Encryption
– Maintains encryption of data on storage automatically
– Numerous encryption algorithms including AES256

Network Encryption – between application and database

Figure: Disk, Backups, Exports, Off-Site Facilities

• Strong Authentication – beyond login / password
– Kerberos
– PKI (certificate-based authentication and encryption)
– RADIUS (Remote Authentication Dial-In User Service)

Page 13

Technical Architecture

Key Components

Simplified architecture, lower cost, faster deployment

Optional X86 architecture available

Scalable processing & storage

2-12 networks supported

Page 14

Standardized Architecture

Standardized Hardware
– SPARC T5 Servers, Solaris
– Deployments use the same configuration, reducing complexity
– Contained within a single half rack (24U typical)

Simplified Licensed Software set
– Reduced cost

Standardized Hardware and Software configurations

Page 15

Integration & Development System (IDS)

Deployment
– Virtualized instance of SDS architecture on single server
– Reduced license and hardware costs
– Ideal for integration and development testing
– Building block for system lifecycle: Dev->Test->Production

Page 16

Standard Deployment System (SDS)

Deployment
– Enterprise implementation of standard MDDB with supporting documentation
– Standardized hardware architecture configuration
– Standardized deployment process that provides full lockdown and security configurations
– Scalable storage and database nodes
– Production MDDB that supports full program lifecycle

Page 17

Application Integration

Ease of Integration
– Standard interfaces (JDBC, WS, JMS)
– Supports integration with enterprise identity and authorization stores: Active Directory, LDAP, Attribute Services, etc.
– Supports legacy, GOTS, and COTS applications with limited modifications

Current integrations:
– Custom web applications
– Messaging Systems (M3)
– PeopleSoft HCM applications (eZHR)
– Siebel CRM
– Oracle WebCenter ECM
– Oracle Business Intelligence (OBIEE)

Page 18

Leverages Core Oracle Products on IC-CLA

Oracle Database Enterprise Edition 11g/12c
• Oracle Real Application Clusters (RAC)
• Oracle Advanced Security - Encryption
• Oracle Database Vault - Insider threat
• Oracle Label Security - Data tagging/labeling
• Oracle Spatial - Spatial, graph & RDF
• Oracle Partitioning - Query acceleration

Oracle Enterprise Manager 12c/13c
• Diagnostics - Automatically introspect issues
• Tuning - Automatically fix issues
• Lifecycle Management - Compliance

Page 19

Oracle’s SPARC Servers

Figure: Oracle Cross Domain Infrastructure on SPARC M7 and S7 servers

Page 20

Security in Silicon
Wide key encryption and Silicon Secured Memory

SQL in Silicon
Breakthrough hardware SQL acceleration and decompression for Oracle Database In‐Memory

World’s Fastest Microprocessor
More cores, more threads, more bandwidth, lower latency – Extreme performance for apps and cloud

SPARC M7 with Oracle’s Software in Silicon architecture

Figure: Billions of Records Scanned Per Second; 3x Faster with Encryption On; 32 Crypto Accelerators per Processor; Clear Data In, Encrypted Data Out

Modern CDSE Hardware for Secure Computing

Page 21

SQL in Silicon: Database In-Memory Acceleration Engines

– SIMD vector instructions are fast, but were designed for graphics, not database
– New SPARC M7 chip has 32 optimized database acceleration engines (DAX) built on chip
– Independently process streams of columns
  – E.g. find all values that match ‘California’
  – Up to 170 Billion rows per second!
– Like adding 32 additional specialized cores to chip
  – Using less than 1% of chip space

Figure: SPARC M7 with Cores, Shared Cache and DB Accel units

Page 22

Silicon Secured Memory: Always-On Intrusion Protection

– Unique hardware-based memory protection
– Stops malicious programs from accessing other application memory. Ex: HeartBleed, Venom
– Can be always on: hardware approach has negligible performance impact
– Easily activated for existing applications
– Extremely efficient for software development

Breakthrough security and reliability for applications

Figure: Memory Pointers checked against Memory (GO on a match)
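The slide says only that Silicon Secured Memory stops a program from reaching memory it does not own, with Heartbleed-style over-reads as the example. The following is an added example, not Oracle's code and not an SPARC implementation: a Python model of tagged memory in the style of the publicly described Application Data Integrity feature, where each 64-byte line carries a 4-bit version, pointers carry the version of the memory they were created for, and a load or store whose pointer version differs from the line's version faults. The line size, tag width, the choice to store the version in address bits 63..60, the bump allocator and the `demo()` scenario are all assumptions made for the example.

```python
"""Toy model of tagged (versioned) memory as in Silicon Secured Memory / ADI.

Added example, not Oracle code.  Assumptions chosen to mirror the public
ADI description: 64-byte lines, 4-bit version per line, version held in
the top bits of the pointer.  Version 0 means "untagged, no checking".
"""
LINE = 64          # bytes per tagged line (assumption)
TAG_BITS = 4       # version width (assumption)
TAG_SHIFT = 60     # version stored in address bits 63..60 (assumption)
ADDR_MASK = (1 << TAG_SHIFT) - 1


class MemoryTagError(Exception):
    """Stands in for the hardware trap raised on a version mismatch."""


class TaggedHeap:
    def __init__(self, n_lines: int = 16):
        self.data = bytearray(n_lines * LINE)
        self.version = [0] * n_lines    # per-line version, 0 = unallocated
        self.next_line = 0              # simple bump allocator
        self.counter = 0

    def _fresh_version(self, avoid: set) -> int:
        # Non-zero version different from the neighbour so a linear overrun
        # across a line boundary always changes version and is detected.
        while True:
            self.counter = self.counter % ((1 << TAG_BITS) - 1) + 1   # cycles 1..15
            if self.counter not in avoid:
                return self.counter

    def malloc(self, size: int) -> int:
        lines = -(-size // LINE)                      # ceil(size / LINE)
        start = self.next_line
        if start + lines > len(self.version):
            raise MemoryError("heap exhausted")
        prev = self.version[start - 1] if start > 0 else 0
        v = self._fresh_version({prev})
        for i in range(start, start + lines):
            self.version[i] = v
        self.next_line += lines
        # Tagged pointer: version in the high bits, byte address in the low bits.
        return (v << TAG_SHIFT) | (start * LINE)

    def _check(self, v: int, line: int) -> None:
        mem = self.version[line] if line < len(self.version) else None
        if mem != v:
            raise MemoryTagError(f"line {line}: pointer version {v} != memory version {mem}")

    def load(self, ptr: int, offset: int) -> int:
        v, addr = ptr >> TAG_SHIFT, ptr & ADDR_MASK
        self._check(v, (addr + offset) // LINE)
        return self.data[addr + offset]

    def store(self, ptr: int, offset: int, value: int) -> None:
        v, addr = ptr >> TAG_SHIFT, ptr & ADDR_MASK
        self._check(v, (addr + offset) // LINE)
        self.data[addr + offset] = value & 0xFF

    def free(self, ptr: int) -> None:
        v, addr = ptr >> TAG_SHIFT, ptr & ADDR_MASK
        line = addr // LINE
        self._check(v, line)
        # Recolour the freed lines so any dangling pointer stops matching.
        nv = self._fresh_version({v})
        while line < len(self.version) and self.version[line] == v:
            self.version[line] = nv
            line += 1


def demo() -> dict:
    """Which accesses fault: in-bounds read, one-byte over-read, use-after-free."""
    h = TaggedHeap()
    a = h.malloc(64)
    b = h.malloc(64)                  # adjacent line, different version
    h.store(a, 0, 0x41)
    h.store(b, 0, 0x42)
    results = {"in_bounds": h.load(a, 0) == 0x41}
    try:
        h.load(a, 64)                 # one byte past `a`, lands in `b`'s line
        results["over_read_faulted"] = False
    except MemoryTagError:
        results["over_read_faulted"] = True
    h.free(b)
    try:
        h.load(b, 0)                  # dangling pointer after free
        results["uaf_faulted"] = False
    except MemoryTagError:
        results["uaf_faulted"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

Two properties of the real mechanism are visible in the model: the check costs nothing extra per access beyond comparing two small integers, which is why it can stay on, and it needs no source changes in the program that benefits, only an allocator that colours memory. The granularity is a whole line, so an over-read that stays inside the last line of its own buffer is not caught; that is a limit of line-tagged schemes in general, not a claim the slide makes.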

Page 23

Most Advanced Platform for Secure Computing

Security in Silicon, Data Analytics Acceleration, Fastest for Database & Enterprise Apps

Figure: SPARC M7, SPARC T7, SPARC S7

Secure Enterprise to Tactical Deployments

Page 24

Two Systems, Five Enclosures, Shared Design

SPARC S7-2 and SPARC S7-2L Servers

– SPARC S7‐2L, 2U, 12x 3.5‐inch and 2x 2.5‐inch drives: 2U; 2 processors; 16 DIMMs; 1,024 GB DDR4; 6 PCIe 3.0 slots; ~100 TB storage (12x 3.5‐inch drives plus 2x 2.5‐inch SAS‐3 drives)
– SPARC S7‐2L, 2U, 26x 2.5‐inch drives: 2U; 2 processors; 16 DIMMs; 1,024 GB DDR4; 6 PCIe 3.0 slots; 39 TB storage (24x plus 2x 2.5‐inch SAS‐3 drives, 4x NVMe‐enabled bays)
– SPARC S7‐2L, 2U, 8x 2.5‐inch drives: 2U; 2 processors; 16 DIMMs; 1,024 GB DDR4; 6 PCIe 3.0 slots; 17 TB storage (8x 2.5‐inch SAS‐3 drives, 4x NVMe‐enabled bays)
– SPARC S7‐2, 1U, 8x 2.5‐inch drives: 1U; 1 or 2 processors; 16 DIMMs; 1,024 GB DDR4; 3 PCIe 3.0 slots; 17 TB storage (8x 2.5‐inch SAS‐3 drives, 4x NVMe‐enabled bays)
– SPARC S7‐2L, 2U, 12x 2.5‐inch NVMe flash drives: 2U; 2 processors; 16 DIMMs; 1,024 GB DDR4; 4 PCIe 3.0 slots; 38 TB NVMe flash storage (12x 2.5‐inch NVMe drives)

Page 25

Summary - Multi-Domain Database Benefits

Mission Benefits
– Single source of truth (1 copy of data) for Integrated Intelligence
– Zero data latency - data is instantly accessible through release process
– Data security labels (tagged data) enable sharing – increases data value
– Single Information Environment (SIE) provides comprehensive data store for mission operations and analytics
  – Relational, XML, JSON, Spatial, Graph, Files
  – SQL, REST, Advanced Analytics and R
– Information sharing with external organizations - controlled access

Cost Savings
Data store consolidation reduces:
– License & Hardware
– Storage (many to one)
– O&M LOE
– Backup & recovery infrastructure
– Datacenter footprint (power & cooling)
– Configuration management LOE
– Greater economies of scale as more networks connected

Page 26

Backup Slides

Page 27

Example: Multi-Domain Content Management System

System details
– MS SharePoint integration (web services interface)
– Windows desktop drag & drop file access
– Full Enterprise Content Management capabilities
– Open Standards interfaces supporting over 600 file types
– Ozone Widget Framework/REST support
– DoD 5015.2V3 Records Management Certified

Page 28

Oracle Virtual Private Database

VPD column policies mask out sensitive data
– Policy enforced only if specific columns are referenced
– Increases row level security granularity

Figure: the statement

Select * from customers;

is rewritten by VPD with the predicate

where account_mgr_id = sys_context('APP','CURRENT_MGR');

for a session whose MGR ID = 148. Sample SSN column values shown: 381-35-9223, 431-39-9332, 483-56-0912, 461-97-8212, 581-29-7603, 181-09-1232, 121-79-4212, 701-49-2123; sample numeric column values: 15000, 17000, 12000, 10000, 15000, 25000.
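The VPD slide shows the predicate `account_mgr_id = sys_context('APP','CURRENT_MGR')` being attached to `select * from customers` and notes that a column policy is enforced only when specific columns are referenced. The following is an added example, not Oracle code: a Python model of that column-sensitive policy, with both behaviours Oracle's `DBMS_RLS.ADD_POLICY` offers for sensitive columns (the default, where the predicate filters rows only when a sensitive column is referenced, and the `ALL_ROWS` masking option, where every row is returned and the sensitive columns are nulled on rows the predicate rejects). The `CUSTOMERS` rows, the SSN and credit-limit values, the application context namespace and the manager IDs are constructed.

```python
"""Model of an Oracle Virtual Private Database (VPD) column-sensitive policy.

Added example, not Oracle code.  The policy function yields the predicate
    account_mgr_id = sys_context('APP','CURRENT_MGR')
and is attached with SSN and CREDIT_LIMIT as the sensitive columns.
"""
from typing import Callable

# Constructed table rows (not the slide's values).
CUSTOMERS = [
    {"CUST_ID": 1, "NAME": "Ada", "SSN": "000-11-0001", "CREDIT_LIMIT": 15000, "ACCOUNT_MGR_ID": 148},
    {"CUST_ID": 2, "NAME": "Bo",  "SSN": "000-11-0002", "CREDIT_LIMIT": 17000, "ACCOUNT_MGR_ID": 149},
    {"CUST_ID": 3, "NAME": "Cy",  "SSN": "000-11-0003", "CREDIT_LIMIT": 12000, "ACCOUNT_MGR_ID": 148},
    {"CUST_ID": 4, "NAME": "Di",  "SSN": "000-11-0004", "CREDIT_LIMIT": 10000, "ACCOUNT_MGR_ID": 150},
]


def sys_context(ctx: dict, namespace: str, attr: str):
    """Stand-in for SYS_CONTEXT(): reads an attribute the application set at login."""
    return ctx.get((namespace.upper(), attr.upper()))


class VpdPolicy:
    def __init__(self, predicate: Callable[[dict, dict], bool], sensitive_cols, mask_all_rows=False):
        self.predicate = predicate                     # (row, session_ctx) -> bool
        self.sensitive = {c.upper() for c in sensitive_cols}
        self.mask_all_rows = mask_all_rows             # DBMS_RLS.ALL_ROWS-style masking

    def apply(self, rows, select_cols, ctx):
        cols = [c.upper() for c in select_cols]
        if cols == ["*"]:
            cols = list(rows[0].keys()) if rows else []
        if not (self.sensitive & set(cols)):
            # No sensitive column referenced: policy not enforced, all rows visible.
            return [{c: r[c] for c in cols} for r in rows]
        out = []
        for r in rows:
            if self.predicate(r, ctx):
                out.append({c: r[c] for c in cols})
            elif self.mask_all_rows:
                # Row kept, sensitive columns returned as NULL.
                out.append({c: (None if c in self.sensitive else r[c]) for c in cols})
            # default behaviour: row filtered out entirely
        return out


def mgr_predicate(row, ctx):
    """Policy function equivalent of: account_mgr_id = sys_context('APP','CURRENT_MGR')."""
    return row["ACCOUNT_MGR_ID"] == sys_context(ctx, "APP", "CURRENT_MGR")


FILTER_POLICY = VpdPolicy(mgr_predicate, ["SSN", "CREDIT_LIMIT"])
MASK_POLICY = VpdPolicy(mgr_predicate, ["SSN", "CREDIT_LIMIT"], mask_all_rows=True)


def run(policy: VpdPolicy, select_cols, current_mgr):
    """Execute a SELECT of select_cols FROM customers under the policy for manager current_mgr."""
    ctx = {("APP", "CURRENT_MGR"): current_mgr}       # set at login by the application
    return policy.apply(CUSTOMERS, select_cols, ctx)


if __name__ == "__main__":
    print("names only, mgr 148:", run(FILTER_POLICY, ["name"], 148))
    print("select *,   mgr 148:", run(FILTER_POLICY, ["*"], 148))
    print("masked,     mgr 148:", run(MASK_POLICY, ["name", "ssn"], 148))
```

The practical consequence for the defender is the one the slide's first sub-bullet states: a query that never names SSN or CREDIT_LIMIT returns every customer, so the policy raises the cost of reaching the sensitive values without hiding the existence of the rows; when that is not acceptable, attach a plain row-level policy with no sensitive-column list instead.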

Page 29

Transparent Data Encryption: Advanced Protection for the Oracle Database

– Encrypts columns or entire application tablespaces
– Protects the database files on disk and on backups
– Securely manages the keys, assists with key rotation
– Supports Oracle Exadata engineered systems
– Compatible with applications, no changes required

Figure: Applications, Encrypted Data, Managed Keys; Disk, Backups, Exports, Off-Site Facilities

Page 30