
Oracle Database Cloud & Security Overview

Stone Lee, Oracle Taiwan

Agenda

• Oracle Cloud Platform
• Oracle Database Cloud (DBaaS)
• Oracle Database Security Solution

Oracle Cloud Offerings

Private Cloud Solutions
• Applications on a shared platform
• Database & middleware for PaaS
• Hardware & systems for IaaS

Public Cloud Solutions
• Oracle Cloud Services
• Oracle on 3rd party public clouds
• Powering 3rd party public clouds

[Figure: a private cloud stack (Apps, PaaS, IaaS) reached over the intranet and public cloud stacks (SaaS, PaaS, IaaS) reached over the internet, with one "Cloud Management, Security, Integration" layer underneath both.]

• Management, security and integration spanning private and public clouds

Oracle Cloud Platform

[Figure: layered platform diagram, management down the side]

Cloud Management (Oracle Enterprise Manager 12c): Application Performance Mgmt; Lifecycle Management; Configuration Management; Application Quality Mgmt; Ops Center: Physical & Virtual Systems Mgmt

Applications: 3rd Party Apps, Oracle Apps, ISV Apps

Platform as a Service:
• Security: Identity Mgmt
• Integration: SOA Suite
• Process Mgmt: BPM Suite
• User Interaction: WebCenter
• Application Grid: WebLogic Server, Coherence, Tuxedo, JRockit
• Database Grid: Oracle Database, RAC, ASM, Partitioning, IMDB Cache, Active Data Guard, Database Security

Infrastructure as a Service:
• Operating Systems: Oracle Solaris, Oracle Linux, Oracle Enterprise Linux
• Virtualization: Oracle VM for SPARC (LDom), Solaris Containers, Oracle VM for x86
• Servers
• Storage

Oracle Enterprise Manager 12c
Solution Overview

Complete Lifecycle Management
Comprehensive coverage across all lifecycle phases

[Figure: a cycle of nine phases drawn around three service layers: Applications and Business Services; Platform as a Service (DBaaS, MWaaS); Infrastructure as a Service.]

Plan
• Identify all IT assets
• Decide apps, cost models, policies, roles…
• Consolidation planning (P2V, P2E, DB, App…)

Setup
• Setup infrastructure…
• Setup shared services (IaaS, DBaaS, PaaS, Apps)

Build
• Assemble using shared components

Test
• Test applications

Deploy
• Deploy apps through self-service GUI/API

Monitor
• End-user, business-level, application monitoring

Manage
• Self-service resource management
• Cloud resource and request monitoring
• Application-to-disk stack management
• Centralized incident and configuration management

Meter & Charge
• Meter resource utilization and cloud usage
• Optionally chargeback to application owners, end-users, and/or business departments

Optimize
• Optimize cloud performance, capacity, QoS, agility, geography, people, costs…

Agenda

• Oracle Cloud Platform
• Oracle Database Cloud (DBaaS)
• Oracle Database Security Solution

Broadest, Most Complete Range of Enterprise Services

[Figure: three service tiers, all reached through self-service applications/APIs, ordered by increasing enterprise value from left to right:]
• Infrastructure-as-a-Service (IaaS): VMs on Oracle VM
• Database-as-a-Service (DBaaS): databases on Exadata or non-Exadata hardware
• Platform-as-a-Service (PaaS): Java Platform (App 1, App 2, App 3) on Exalogic or non-Exalogic hardware

Oracle Database Cloud Case Study Sharing
IT distribution & logistics company (資訊產品通路行銷公司)

Customer requirements

• R&D department requirements
  – The R&D department's existing development system resources are insufficient
  – Maximize system resource utilization
  – Provide a redundant database environment
  – The development environment must match the future production environment

R&D department required architecture (average demand)

[Figure: three R&D teams (Team 1, Team 2, Team 3). Each has Windows clients, a middle tier of web servers (Web A to Web F) on WebLogic Server (WLS), its own Oracle RAC database servers (DB A to DB F) and its own NAS/SAN storage.]

R&D department requirements – Team 1 & Team 2; Team 1 & Team 2 (release); Team 1 & Team 3

[The same architecture figure is repeated three times to step through usage scenarios: Team 1 and Team 2 working, Team 1 and Team 2 at release time, then Team 1 and Team 3 working. Each step highlights which teams' dedicated database servers are in use at that moment.]

R&D department requirements: proposed solution

• Consolidate database resources and raise their utilization
• Provide a redundant database environment
• Add database hosts as system demand grows
• Keep the development environment consistent with the production environment

[Figure: the three teams' Windows clients and middle tiers (Web A to Web F on WLS) all connect to one shared Oracle RAC cluster (DB A, DB B, DB C) serving R&D Team 1, Team 2 and Team 3, backed by shared NAS/SAN storage.]

Database Cloud Models
Overview

[Figure: three consolidation models, from least to most shared]
• Server (Infrastructure Cloud): each application database (DW, CRM, ERP) runs with its own OS inside a dedicated VM on a hypervisor. Deploy in dedicated VMs; server virtualization.
• Database (Database Cloud): the databases (DW, ERP, CRM) run as separate databases on one OS cluster and share the server pool. RAC.
• Schema (Database Cloud): DW, ERP and CRM are schemas inside one shared database. RAC.

Database as a Service
Key Features and Benefits

• Treats database resources as a single shared pool
• Rapid provisioning of application systems and databases
• Highly scalable and highly available database capabilities
• Elastic allocation of resources from the database pool
• "DaaS" metering and charging for database usage

Database Cloud Architectures
Common building block is a server and storage pool

[Figure: three stacks, each sitting on a storage pool]
• Server (Infrastructure Cloud): each Oracle database (ERP, Sales, CRM, DW) is deployed in its own virtual machine with its own OS on a hypervisor; built through server virtualization.
• Database (Database Cloud): multiple Oracle databases (single instance or RAC) are deployed in one Oracle Cluster environment; enabled by RAC.
• Schema (Database Cloud): multiple schemas (ERP, Sales, DW) are deployed in a single Oracle RAC database; enabled by RAC.

Oracle RAC for Database Cloud

[Figure, before: application systems A, B, C, D and E each on a dedicated database host (Server A to Server E); average workload utilization below 20%.]

• Requirement: the database hosts (their number and performance) can be scaled up or down according to what the application systems actually need, without affecting application operation.

[Figure, after ("cloud computing"): one Oracle shared instance serving application systems A, B, C, D and E across Server A to Server E; average workload utilization above 70%, with hosts saved.]

• Benefit: saves the database host resources consumed by the application systems (the application systems share the database hosts).

Oracle RAC high scalability & high availability for Database Cloud

High scalability
[Figure: an Oracle shared instance for application systems A to E on Server A to Server D; when the hosts are no longer sufficient, hosts are added directly.]
Hosts can be added according to actual system demand:
• Load balancing
• Database hosts added or removed according to system demand
• After database hosts are added, the workload the cluster can carry rises correspondingly

High availability
[Figure: the same shared instance on Server A to Server E.]
High performance and high availability solution:
• Host redundancy
• Fault-tolerant failover between hosts
• Rolling database upgrades
• Active-Active operating mode

Elastic allocation of database resources
Instance Caging

• Enables a CPU core limit for each database instance on a shared server (caps the number of CPUs one database may use)
• Protects service levels by preventing runaway CPU consumption in one instance (the CPU cap is what guarantees the service level of the others)
• Can be adjusted dynamically while the databases are online
  – Controlled by the CPU_COUNT parameter
  – Supports partitioning (the instances' CPU_COUNT values add up to the core count, giving strict isolation) and over-provisioning (they add up to more than the core count, allowing bursts at the cost of isolation)
• Works with Resource Manager (which provides the fine-grained control inside each instance)

[Figure: an 8-core server hosting three instances: HR with cpu_count=2, Sales with cpu_count=2, ERP with cpu_count=4.]

CPU Usage Without Instance Caging

[Figure: Oracle processes from one database instance try to use all CPUs; the running processes fill the cores and everyone else waits for CPU on the O/S run queue.]

CPU Usage With Instance Caging

[Figure: Instance Caging limits the number of Oracle processes running at any moment in time; the remaining processes wait for CPU on Resource Manager run queues instead of on the O/S run queue.]

Elastic allocation of database resources
Database Resource Manager

• Limits resource usage within a consolidated database (Resource Manager limits the resources each group of sessions may consume)
  – Minimum CPU shares
  – Maximum CPU limits
  – Parallelism limits
  – Multi-level plans
• Resource plans can be changed dynamically
• Prioritizes I/O on the Exadata Database Machine (Exadata can also limit I/O)
  – Internal I/O queues in the storage server segregate requests

DB Consolidation Plan #1
  Consumer group   CPU allocation   Maximum utilization limit
  HR               50%              50%
  Sales            30%              50%
  ERP              20%              50%

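The caged instance from the Instance Caging slide and DB Consolidation Plan #1 from the slide above, wired together as one added SQL/PL*SQL example; it is not part of the deck. It assumes Oracle Database 11.2 or later (run inside the PDB on a 12c multitenant system), SYSDBA access, and invented service names HR_SVC, SALES_SVC, ERP_SVC and application accounts HR_APP, SALES_APP, ERP_APP through which each application connects.

```sql
-- Added example, not from the deck. Assumes Oracle Database 11.2+ (inside the
-- PDB on 12c multitenant), SYSDBA, and the illustrative service names HR_SVC,
-- SALES_SVC, ERP_SVC and application accounts HR_APP, SALES_APP, ERP_APP.

-- 1. Instance Caging: this is the "HR cpu count=2" instance on the 8-core host.
--    CPU_COUNT alone does nothing: caging is only enforced while a Resource
--    Manager plan is active (step 4), so a plan-less instance is not caged.
ALTER SYSTEM SET cpu_count = 2 SCOPE = BOTH;

-- 2. DB Consolidation Plan #1: HR 50 / Sales 30 / ERP 20 shares at level 1,
--    each hard-capped at 50% of the caged CPUs; everything else at level 2.
BEGIN
  DBMS_RESOURCE_MANAGER.CLEAR_PENDING_AREA;
  DBMS_RESOURCE_MANAGER.CREATE_PENDING_AREA;

  DBMS_RESOURCE_MANAGER.CREATE_CONSUMER_GROUP('HR_GRP',    'HR application');
  DBMS_RESOURCE_MANAGER.CREATE_CONSUMER_GROUP('SALES_GRP', 'Sales application');
  DBMS_RESOURCE_MANAGER.CREATE_CONSUMER_GROUP('ERP_GRP',   'ERP application');

  DBMS_RESOURCE_MANAGER.CREATE_PLAN(
    plan    => 'DB_CONSOLIDATION_PLAN1',
    comment => 'HR 50 / Sales 30 / ERP 20, 50% cap each');

  -- mgmt_p1 = guaranteed share when CPU is contended; utilization_limit = hard
  -- cap even when CPU is idle (older 11.2 releases call it max_utilization_limit).
  DBMS_RESOURCE_MANAGER.CREATE_PLAN_DIRECTIVE(
    plan => 'DB_CONSOLIDATION_PLAN1', group_or_subplan => 'HR_GRP',
    comment => 'HR',    mgmt_p1 => 50, utilization_limit => 50);
  DBMS_RESOURCE_MANAGER.CREATE_PLAN_DIRECTIVE(
    plan => 'DB_CONSOLIDATION_PLAN1', group_or_subplan => 'SALES_GRP',
    comment => 'Sales', mgmt_p1 => 30, utilization_limit => 50);
  DBMS_RESOURCE_MANAGER.CREATE_PLAN_DIRECTIVE(
    plan => 'DB_CONSOLIDATION_PLAN1', group_or_subplan => 'ERP_GRP',
    comment => 'ERP',   mgmt_p1 => 20, utilization_limit => 50);
  -- Every plan must include OTHER_GROUPS; it only gets CPU left over from level 1.
  DBMS_RESOURCE_MANAGER.CREATE_PLAN_DIRECTIVE(
    plan => 'DB_CONSOLIDATION_PLAN1', group_or_subplan => 'OTHER_GROUPS',
    comment => 'anything unmapped', mgmt_p2 => 100);

  -- 3. Place sessions by the service they connect through. Service names are
  --    set by the DBA; module/action and client attributes are chosen by the
  --    client, so they should not decide who gets the richer group.
  DBMS_RESOURCE_MANAGER.SET_CONSUMER_GROUP_MAPPING(
    DBMS_RESOURCE_MANAGER.SERVICE_NAME, 'HR_SVC',    'HR_GRP');
  DBMS_RESOURCE_MANAGER.SET_CONSUMER_GROUP_MAPPING(
    DBMS_RESOURCE_MANAGER.SERVICE_NAME, 'SALES_SVC', 'SALES_GRP');
  DBMS_RESOURCE_MANAGER.SET_CONSUMER_GROUP_MAPPING(
    DBMS_RESOURCE_MANAGER.SERVICE_NAME, 'ERP_SVC',   'ERP_GRP');

  DBMS_RESOURCE_MANAGER.VALIDATE_PENDING_AREA;
  DBMS_RESOURCE_MANAGER.SUBMIT_PENDING_AREA;
END;
/

-- A mapping is silently ignored unless the user may switch into the group,
-- so grant each application account exactly its own group and nothing else.
BEGIN
  DBMS_RESOURCE_MANAGER_PRIVS.GRANT_SWITCH_CONSUMER_GROUP('HR_APP',    'HR_GRP',    FALSE);
  DBMS_RESOURCE_MANAGER_PRIVS.GRANT_SWITCH_CONSUMER_GROUP('SALES_APP', 'SALES_GRP', FALSE);
  DBMS_RESOURCE_MANAGER_PRIVS.GRANT_SWITCH_CONSUMER_GROUP('ERP_APP',   'ERP_GRP',   FALSE);
END;
/

-- 4. Activate the plan; this is also the moment instance caging starts to bite.
ALTER SYSTEM SET resource_manager_plan = 'DB_CONSOLIDATION_PLAN1' SCOPE = BOTH;

-- Checks: caging parameters in force, and live sessions landing in the
-- intended groups (anything in OTHER_GROUPS is a connection path you missed).
SELECT name, value FROM v$parameter
 WHERE name IN ('cpu_count', 'resource_manager_plan');
SELECT username, service_name, resource_consumer_group, COUNT(*) AS sessions
  FROM v$session WHERE type = 'USER'
 GROUP BY username, service_name, resource_consumer_group;
```

The two mechanisms answer different questions: CPU_COUNT decides how much of the host this instance may take from its neighbours, the plan decides how that slice is divided among the applications inside it. The 50% utilization limits are what stop one runaway application from consuming the whole cage even when the others are idle, which is the service-level guarantee the slides describe.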
Elastic allocation of database resources
Database Resource Manager

[Figure: incoming workload requests are assigned to queues, each with a share of the resources: Real-Time queue (real-time ETL, 10%), Batch queue (batch ETL, 10%), Analytic queue (analytic reports, 50%), OLTP queue (OLTP requests, 5%), Ad-hoc queue (ad-hoc, 25%). Requests that exceed their queue's share can be downgraded or rejected.]

© 2010 Oracle Corporation
Database Cloud Models
Comparison

                          Server as a Service     Database as a Service             Schema as a Service
  Implementation          Easy                    Difficult (standardize on         Easy
                                                  DB and OS version)
  Application Suitability Some                    All                               Homegrown
  Isolation               Excellent               Good                              Least
  Consolidation Density   Low (Server and         High (Servers, storage,           Highest (Servers, Storage,
                          Storage Only)           and OS)                           OS, and DB)
  ROI                     Low                     High                              Highest (limited use;
                                                                                    requires app validation)
  Management              Very Easy               Involved (restrict resource       Very Easy
                                                  usage)

Agenda

• Oracle Cloud Platform
• Oracle Database Cloud (DBaaS)
• Oracle Database Security Solution

Over 900M Breached Records Resulted from Compromised Database Servers

  Type               Category                 % Breaches   % Records
  Database Server    Servers & Applications   25%          92%
  Desktop Computer   End-User Devices         21%          1%

Source: Verizon 2010 Data Breach Investigations Report

Database Security Defense In Depth
Oracle Database Security Solutions

• Monitor and block any threat attempting to break into the database
• Track changes and audit all database activity
• Control access to data and the privileges users hold
• Keep sensitive data from leaking out of the production database

Monitoring & Blocking: Database Firewall
Auditing: Audit Vault; Total Recall; Configuration Mgmt
Access Control: Database Vault; Label Security
Encryption & Masking: Advanced Security; Secure Backup; Data Masking

Oracle Database Firewall
First Line of Defense

[Figure: SQL from the applications passes through the Database Firewall, which evaluates it against built-in and custom policies and can Allow, Log, Alert, Substitute or Block each statement, feeding alerts and reports.]

• Monitors database activity to prevent unauthorized access to the database, SQL injection, actions beyond a user's privileges or role, illegitimate access to sensitive data, and so on
• Highly accurate SQL grammar analysis to avoid false positives
• Flexible whitelist and blacklist policies to allow or block SQL
• Scalable deployment architecture so enterprises can deploy it flexibly
• Suits compliance reporting for SOX, PCI and similar regimes

Privilege security (Database Vault)
Access control and multi-factor authorization

[Figure: the Procurement, HR and Finance applications each access their own data; a DBA issues "select * from finance.customers" against the protected Finance data.]

• Protects against an administrator abusing his or her privileges
• Meets separation-of-duties requirements
• Enforces security policies and blocks unauthorized actions
• Stops applications and users from bypassing the protection on application data

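The scenario on the Database Vault slide, a DBA blocked from "select * from finance.customers" while the Finance application still works, as an added example that is not part of the deck. It assumes Oracle Database 11.2 or 12c with Database Vault installed and enabled, is run as the Database Vault owner (DV_OWNER role), and uses invented names: schema FINANCE, table CUSTOMERS, application account FIN_APP and the realm name.

```sql
-- Added example, not from the deck. Assumes Oracle Database 11.2 or 12c with
-- Database Vault installed and enabled, run as the Database Vault owner
-- (DV_OWNER). FINANCE (schema), CUSTOMERS (table), FIN_APP (application
-- account) and the realm name are illustrative.

BEGIN
  -- A realm fences the FINANCE schema off from system privileges
  -- (SELECT ANY TABLE, the DBA role, SYS included); those privileges keep
  -- working everywhere else, so day-to-day administration is unaffected.
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'Finance Realm',
    description   => 'Application data of the Finance application',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);  -- record every blocked attempt

  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'Finance Realm',
    object_owner => 'FINANCE',
    object_name  => '%',   -- every object in the schema, present and future
    object_type  => '%');

  -- Only the application account is authorized inside the realm. The DBA
  -- account is deliberately absent: that is the separation of duties.
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'Finance Realm',
    grantee       => 'FIN_APP',
    rule_set_name => NULL,
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);
END;
/

-- Check 1: run the slide's statement as a DBA that holds SELECT ANY TABLE:
--   SQL> SELECT * FROM finance.customers;
--   ORA-01031: insufficient privileges
-- while the same statement from FIN_APP (or from FINANCE itself) succeeds.

-- Check 2: the realm is in place, and exactly who is allowed through it.
SELECT name, enabled, audit_options FROM dba_dv_realm
 WHERE name = 'Finance Realm';
SELECT grantee, auth_options FROM dba_dv_realm_auth
 WHERE realm_name = 'Finance Realm';

-- Check 3 (11g Database Vault audit trail; with 12c unified auditing query
-- UNIFIED_AUDIT_TRAIL instead): the blocked attempt is on record, statement included.
SELECT username, action_name, action_command, returncode, timestamp
  FROM dvsys.audit_trail$
 WHERE action_object_name = 'Finance Realm'
 ORDER BY timestamp DESC;
```

One caveat a practitioner should keep in mind: a regular realm stops access that rides on system privileges, but the object owner (FINANCE) and anyone holding a direct object grant can still read the table. If that path must be closed too, 12c adds mandatory realms (the realm_type parameter of CREATE_REALM), which block even the owner and direct grantees unless they are realm-authorized.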
Data encryption (Advanced Security)
Standards-based encryption

[Figure: encrypted data flows from Disk to Backups, Exports and Off-Site Facilities.]

• Automatic, transparent encryption of data
• Data stays encrypted in backups
• Encryption of data in transit over the network
• Strong authentication of users and servers

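Transparent data encryption as the slide describes it (data encrypted on disk, and therefore in the backups and exports taken from that disk), as an added example that is not part of the deck. It assumes Oracle Database 11.2 with the Advanced Security Option, a wallet directory already configured under ENCRYPTION_WALLET_LOCATION in sqlnet.ora, SYSDBA access, and invented names: schema HR, tables EMPLOYEES and SALARIES, tablespace HR_SECURE and the datafile path.

```sql
-- Added example, not from the deck. Assumes Oracle Database 11.2 with the
-- Advanced Security Option, a wallet directory already configured under
-- ENCRYPTION_WALLET_LOCATION in sqlnet.ora, and SYSDBA. Schema HR, tables
-- EMPLOYEES and SALARIES, tablespace HR_SECURE and the datafile path are
-- illustrative.

-- 1. Master key: created once, stored in the wallet, never inside the database.
--    12c replaces these two statements with ADMINISTER KEY MANAGEMENT.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "wallet-password-here";
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "wallet-password-here";

-- 2a. Column TDE for one sensitive column. The default SALT makes equal SSNs
--     encrypt differently; use NO SALT only if the column needs a B-tree
--     index, and accept the weaker protection that brings.
ALTER TABLE hr.employees MODIFY (ssn ENCRYPT USING 'AES256');

-- 2b. Tablespace TDE: everything stored here is encrypted on disk (tables,
--     indexes, LOBs), with no per-column decisions or SQL restrictions.
CREATE TABLESPACE hr_secure
  DATAFILE '/u02/oradata/ORCL/hr_secure01.dbf' SIZE 100M
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);
ALTER TABLE hr.salaries MOVE TABLESPACE hr_secure;  -- rebuild its indexes afterwards

-- Checks before claiming "backups and exports are protected":
SELECT wrl_type, status FROM v$encryption_wallet;   -- must be OPEN, or nothing decrypts
SELECT owner, table_name, column_name, encryption_alg, salt
  FROM dba_encrypted_columns;
SELECT tablespace_name, encrypted FROM dba_tablespaces
 WHERE tablespace_name = 'HR_SECURE';
-- Whatever is still outside the encrypted tablespace and not an encrypted
-- column is still plaintext in datafiles, RMAN backups and Data Pump dumps.
SELECT owner, table_name, tablespace_name FROM dba_tables
 WHERE owner = 'HR' AND tablespace_name <> 'HR_SECURE';
```

Two things the slide's picture leaves implicit. First, the encryption follows the data only if the other tools are told to keep it: RMAN needs CONFIGURE ENCRYPTION FOR DATABASE ON, Data Pump needs ENCRYPTION=ALL ENCRYPTION_MODE=TRANSPARENT on expdp (otherwise TDE columns are written in clear with a warning), and the "in transit" bullet is sqlnet.ora on the server side (SQLNET.ENCRYPTION_SERVER = REQUIRED, SQLNET.ENCRYPTION_TYPES_SERVER = (AES256), SQLNET.CRYPTO_CHECKSUM_SERVER = REQUIRED). Second, TDE decrypts transparently for any session allowed to SELECT the data: it defeats theft of files and media, not abuse of privileges, which is what Database Vault on the previous slide is for.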
Data Masking
Irreversible

  Production                            Non-production
  LAST_NAME   SSN           SALARY      LAST_NAME    SSN           SALARY
  AGUILAR     203-33-3234   40,000      ANSKEKSL     111-23-1111   60,000
  BENSON      323-22-2943   60,000      BKJHHEIEDK   222-34-1345   40,000

• Sensitive data is removed from the non-production side
• The transformed data is still recognized by the original application
• Sensitive data never leaves the production side
• Flexible, freely extensible masking policies

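The slide's two rows pushed through the three properties it lists (irreversible, still valid for the application, real values stay in production), as an added plain-SQL example. It is not part of the deck and it is not the Oracle Data Masking Pack, which builds this kind of job from its format library in Enterprise Manager; the tables, the rows and the SSN regular expression are constructed for the example.

```sql
-- Added example, not from the deck and not the Oracle Data Masking Pack.
-- Plain SQL showing the slide's three properties on its two rows; tables,
-- rows and the regular expression are constructed for the example.

-- Production table with the slide's rows (constructed sample data).
CREATE TABLE prod_employees (
  last_name VARCHAR2(30), ssn VARCHAR2(11), salary NUMBER);
INSERT INTO prod_employees VALUES ('AGUILAR', '203-33-3234', 40000);
INSERT INTO prod_employees VALUES ('BENSON',  '323-22-2943', 60000);
COMMIT;

-- Non-production table: same shape, so the application keeps working.
CREATE TABLE test_employees AS
  SELECT * FROM prod_employees WHERE 1 = 0;

-- The masking run. Nothing derives a masked value from the real one (no
-- hash, no encryption), so there is no key that could ever reverse it:
--   last_name : random letters of the same length
--   ssn       : random digits in the same ###-##-#### layout
--   salary    : the real values shuffled across rows, which keeps the
--               column's distribution for realistic testing
INSERT INTO test_employees (last_name, ssn, salary)
WITH src AS (
  SELECT last_name, ROW_NUMBER() OVER (ORDER BY ROWID) AS rn
    FROM prod_employees),
shuffled AS (
  SELECT salary, ROW_NUMBER() OVER (ORDER BY DBMS_RANDOM.VALUE) AS rn
    FROM prod_employees)
SELECT DBMS_RANDOM.STRING('U', LENGTH(s.last_name)),
          LPAD(TRUNC(DBMS_RANDOM.VALUE(100, 900)), 3, '0') || '-'
       || LPAD(TRUNC(DBMS_RANDOM.VALUE(1, 100)),   2, '0') || '-'
       || LPAD(TRUNC(DBMS_RANDOM.VALUE(1, 10000)), 4, '0'),
       h.salary
  FROM src s JOIN shuffled h ON h.rn = s.rn;
COMMIT;

-- Check 1: no real SSN survived into the test copy (expect 0).
SELECT COUNT(*) AS leaked
  FROM test_employees t JOIN prod_employees p ON p.ssn = t.ssn;

-- Check 2: masked SSNs still pass the format rule the application enforces
-- (expect 0).
SELECT COUNT(*) AS bad_format FROM test_employees
 WHERE NOT REGEXP_LIKE(ssn, '^[0-9]{3}-[0-9]{2}-[0-9]{4}$');

-- Check 3: the salary column kept its distribution (totals must match).
SELECT (SELECT SUM(salary) FROM prod_employees) AS prod_total,
       (SELECT SUM(salary) FROM test_employees) AS test_total
  FROM dual;
```

Two practical notes. A shuffle on a handful of rows can leave a value where it was (with two rows, half the time), so shuffling is a technique for large columns, not for the toy table above. And a mask must run on a clone: if the production table were updated in place, the real values would remain in undo, redo and flashback data until they age out, which is exactly the "sensitive data never leaves production" bullet failing quietly.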
Security solutions Oracle Database provides for the Personal Data Protection Act (個資法)

  Requirement                                                    Oracle product        Description
  Outside the enterprise: prevent deliberate theft of data       Advanced Security     Protects database data during backup and in transit
  Inside the enterprise: prevent leakage of data from in-house   Data Masking          Converts real enterprise data into fictitious test data
    test systems                                                                       for development and testing
  Inside the enterprise: prevent authorized users from abusing   Database Vault        Establishes separation of duties for database
    their access for private purposes                                                  administration and data privileges
  Evidence: the enterprise must prove it has fulfilled its duty  Database Firewall,    Builds audit records of access to and use of database
    of care as custodian of the data                             Audit Vault           data and administrative privileges
