Oracle SuperCluster M7 Platform Security Principles and Capabilities

Oracle Technical White Paper, November 2015

Table of Contents

Introduction
Product Security Principles
  Survivability
  Defense in Depth
  Least Privilege
  Accountability
  Compliance
Product Security Capabilities
  Secure Isolation
    Workload Isolation
    Network Isolation
    Database Isolation
    Storage Isolation
  Access Control
    Workload Access Control
    Network Access Control
    Database Access Control
    Storage Access Control
  Data Protection Services
    Workload Data Protection Services
    Network Data Protection Services
    Database Cryptographic Services
  Monitoring and Auditing
    Workload Monitoring and Auditing
    Database Monitoring and Auditing
  Quality of Service
    Workload Quality of Service
    Network Quality of Service
    Database Quality of Service
    Storage Quality of Service
  Compliance Reporting
    FIPS-140 Compliance
  Security Management
    Oracle ILOM
    Oracle Enterprise Manager
    Oracle Identity Management
    Oracle Key Manager
General Recommendations and Considerations
  Architectural Best Practices
  Deployment Best Practices
  Operational Best Practices
Conclusion
References
  Product Security Guides
  Security White Papers and Documentation
  Oracle VM Server for SPARC
  Oracle Solaris 11 Operating System
  Oracle Database
  Oracle Middleware

Introduction

Oracle SuperCluster M7 is a secure cloud infrastructure for application and database consolidation. It is well suited to delivering secure multitenant private cloud services. As a complete integrated system incorporating Oracle's SPARC M7 server technology, Oracle ZFS Storage Appliance, InfiniBand, Oracle Exadata Storage Servers for Oracle Database 11g Release 2 or later, Oracle VM Server for SPARC, Oracle Enterprise Manager, and Oracle Solaris, the Oracle SuperCluster M7 system enjoys a level of security synergy not often found in today's IT architectures. Stemming from its high degree of engineering innovation and integration, the security posture and potential of this system is truly greater than the sum of its individual components.

In this paper, the security principles and capabilities of the Oracle SuperCluster M7 system are discussed to highlight the comprehensive set of security controls that can be employed to meet even the most challenging security demands. While these capabilities are discussed individually, it is important to understand that each capability offers an opportunity to be layered with the others to create reinforced security postures. Additional architectural, deployment, and operational guidance is also offered to help organizations understand where and how the system can be integrated into their existing IT security environment for consolidating databases and applications and delivering secure multitenant private cloud services.

Product Security Principles

Before discussing the individual security capabilities of the Oracle SuperCluster M7 system, it is important to highlight the principles that guided the development of this engineered system. The security principles of survivability, defense in depth, least privilege, accountability, and compliance sit at the very heart of the system's security architecture. The Oracle SuperCluster system embodies these time-tested principles and delivers a well-integrated collection of security capabilities that helps organizations address their most pressing security requirements and concerns.

Figure 1. Oracle SuperCluster M7 hardware architecture

Survivability

Organizations selecting integrated hardware and software systems for their mission-critical workloads must be assured that the systems they select can prevent or minimize the damage caused by both accidental and malicious actions taken by internal users or external parties. The Oracle SuperCluster M7 system supports the principle of survivability by:

» Ensuring that the components used by the system have been designed, engineered, and tested to work well together in support of secure deployment architectures. The system and its constituent subsystems support secure isolation, access control, cryptographic services, monitoring and auditing, quality of service (QoS), and secure management.
» Reducing the default attack surface of its constituent products to help minimize the overall exposure of the system. Organizations can then customize the security posture of the system based upon their policies and needs.
» Protecting the system, including its operational and management interfaces, using a complement of open and vetted protocols and APIs that are capable of supporting the traditional security goals of strong authentication and access control, confidentiality, integrity, and availability.

Defense in Depth

The Oracle SuperCluster M7 system employs multiple, independent, and mutually reinforcing security controls to help organizations create a secure operating environment for their workloads and data. Properly employed, the principle of defense in depth ensures that a layered set of defenses exists, helping organizations continue secure operations even after a vulnerability or the failure of a single security control. The system supports the principle of defense in depth by:

» Offering a strong complement of protections to secure information in transit, in use, and at rest. Security controls are available at the server, storage, network, virtualization, database, and application layers. More importantly, each layer's unique security controls can be integrated with the others to enable the creation of strong, layered security architectures.

» Supporting the use of well-defined and open standards, protocols, and interfaces. This means that the system can also be integrated into an organization's existing security policies, architectures, practices, and standards. Integration such as this is critical because applications and devices do not exist in isolation, and the security of an IT architecture is only as strong as its weakest component.

Least Privilege

Ensuring that applications, services, and users have access to the capabilities that they need to perform their tasks is only one side of the least-privilege coin. It is equally important to ensure that access to unnecessary capabilities, services, and interfaces is limited. The principle of least privilege is rooted in a very simple concept: namely, do not expose capabilities that should not be used. The Oracle SuperCluster M7 system promotes the principle of least privilege by:

» Ensuring that access to individual server, storage, virtualization, operating system, database, and other components can be granted based upon the role of each user and administrator. The use of role-based and multifactor access control models with fine-grained privileges ensures that access can be limited to only what is needed.
» Constraining applications so that their access to information, underlying resources, network communications, and even local or remote service access is restricted based upon need. Whether caused by an accident or a malicious attack, applications, too, can misbehave, and without enforcement of least privilege, those applications might be able to cause harm far beyond their intended use.

Accountability

In most cases, it is insufficient to simply prevent a security incident. It is equally important to be able to detect the incident, report the incident, and understand how it was prevented. Similarly, when an incident cannot be prevented, it is imperative that an organization be able to detect that the incident occurred so that proper responses can be taken. Organizations concerned with accountability seek to answer questions such as: "What security incident occurred?", "When did it happen?", "Where did it take place?", "Who caused the event?", "Who was the target?", and "What was the impact?" The Oracle SuperCluster M7 system supports the principle of accountability through the following:

» Each product used within the system supports activity auditing and monitoring, including the ability to record login and logout events, administrative actions, and often other events specific to each of the products. Collecting and reviewing this kind of information is an important part of maintaining secure operations and can help with root-cause analysis in the event of a security incident.
» Two of the products used in the system deserve special mention for their extensive ability to audit and monitor activity. The Oracle Solaris operating system and Oracle Database both support very fine-grained configurations when it comes to auditing. This allows organizations to tune audit configurations in response to their standards and goals to ensure that critical information is captured, while at the same time minimizing the noise of unnecessary or inappropriate audit events.

Compliance

Compliance is an administrative mechanism designed to reduce risk and ensure that internal or external security and privacy requirements are being met. Meeting regulatory compliance requirements ensures an organization's ability to operate in agreement with established laws, industry standards, and specifications. Systems that comply with security standards provide more-secure computing environments and, in addition, they are easier to test, maintain, and protect. All the effort required to produce compliance reports could be better spent in doing activities that make a functional difference. Oracle SuperCluster M7 leverages Oracle Solaris compliance reporting features, which provide support for system configuration validation that enables an organization to adhere to external and internal security policies and industry mandates.

The Oracle SuperCluster M7 system is an excellent option for organizations deploying mission-critical services because of its inherent ability to deliver on each of these and other security principles, including the secure by default and reduced attack surface principles. The secure deployment architectures enabled by the system's comprehensive set of security capabilities make the system an ideal choice for hosting mission-critical applications and databases in a multitenant private cloud environment.

Product Security Capabilities

The Oracle SuperCluster M7 system is a multipurpose engineered system that combines the computing power of Oracle's SPARC M7 processor, the efficient virtualization capabilities of Oracle VM Server for SPARC, the performance and scalability of the Oracle Solaris operating system, the optimized database performance of Oracle Database integrated with Oracle Exadata Storage Servers, and the innovative network-attached storage capabilities of Oracle ZFS Storage Appliance. Each of these core components is connected over a redundant InfiniBand fabric that enables low-latency and high-performance network communications between all of the components. In addition, a 10 GbE network is employed, allowing clients to access services running on the Oracle SuperCluster system. Finally, a GbE network provides the conduit through which all of the system's components can be managed.

The SPARC M7 processor in the system features hardware-assisted virtualization that facilitates ready-to-run secure virtual machines for cloud infrastructure, and always-on hardware-assisted cryptographic functionality that helps Oracle SuperCluster hosted entities protect their information with high-performance data protection at rest, in use, and in transit. The processor also features the Silicon Secured Memory capability, which detects and prevents attacks related to memory data corruptions and memory scraping, thereby ensuring the integrity of application data.

By default, Oracle SuperCluster M7 is preconfigured with out-of-box security controls that reduce the attack surface of the system by disabling services, ports, and protocols that are not absolutely necessary and by configuring the exposed services to accept only trusted connections. The system supports a variety of configuration and deployment options. Figure 2 illustrates a typical deployment that consolidates Oracle Database and Oracle WebLogic application workloads.

Figure 2. Typical deployment of software workloads on an Oracle SuperCluster M7 system

It is important to have an appreciation for the security capabilities that are exposed by each of the core components engineered into the Oracle SuperCluster M7 architecture. To simplify the presentation of these capabilities in the following sections, they have been grouped into seven distinct categories: namely, secure isolation, access control, data protection services, monitoring and auditing, quality of service, compliance reporting (for example, PCI-DSS, FIPS-140), and security management. This list is not exhaustive, but rather it is intended to highlight the security capabilities most often employed by organizations seeking to deploy a layered security strategy.

Secure Isolation

Isolating services, users, data, communications, and storage is important for many organizations wanting to consolidate IT infrastructure, implement shared service architectures, and deliver secure multitenant services. The Oracle SuperCluster M7 system enables secure isolation at the workload, network, database, and storage levels, allowing organizations the flexibility to implement various isolation policies and strategies based upon their needs.

Workload Isolation

Oracle SuperCluster M7 supports a number of workload isolation strategies, each with its own unique set of capabilities provided by the SPARC M7 processor and Oracle Solaris. They are designed specifically for ensuring the isolation of virtualized runtime environments, and they support three types of partitioning and virtualization technologies: physical domains (PDoms), Oracle VM Server for SPARC logical domains (dedicated domains and root domains), and Oracle Solaris Zones. These are layered virtualization approaches in which these technologies are combined to optimize security, availability, performance, and manageability. While each implementation strategy can be used independently, they can also be used together in a hybrid approach to deploy architectures that can more effectively balance their security, performance, and availability needs, as well as other needs.

PDoms excel for situations in which tenant hosts are running applications and databases that must be physically isolated from other workloads. Dedicated physical resources might be required for a deployment due to its criticality to the organization, the sensitivity of the information it contains, compliance mandates, or even simply because the database or application workload will fully utilize the resources of an entire physical system.

A logical domain is a type of virtual machine that can be created using Oracle VM Server for SPARC (a Type 1 hypervisor) that runs in firmware (as opposed to software) and mediates access to hardware resources, ensuring strong isolation between individual logical domains running on the system. Logical domains are typically configured as either Oracle Database domains or application domains. Each application domain or Oracle Database domain has its own assigned physical CPU, memory, I/O devices, database or application storage, and console, and hosts its own instance of the Oracle Solaris operating system. Application domains can run any applications supported on the Oracle Solaris 11 operating system (including business applications, middleware, and even databases), whereas Oracle Database domains must run Oracle Database 11g Release 2 or later.

In addition, Oracle SuperCluster M7 allows customers to create one special type of logical domain referred to as a root domain, which uses single-root I/O virtualization (SR-IOV) technology to provide virtual InfiniBand devices to a type of dynamic virtual machine known as an I/O domain. Root domains own one or two InfiniBand HCAs, 10 GbE NICs, or other I/O devices. Application domains, Oracle Database domains, and root domains are created at the time the system is installed. By contrast, users can choose to dynamically create or destroy I/O domains while the system is in operation.

Oracle Solaris Zones technology allows customers to further isolate applications that are running under the same operating system kernel. By design, zones offer unique capabilities that effectively and efficiently sandbox different applications running on the same operating system, protecting them from unintentional or malicious activities happening in other zones. Despite running on the same kernel, each zone has its own identity and enjoys security as well as resource, namespace, and process isolation. Essentially, zones provide built-in virtualization with strong isolation and flexible resource controls at a smaller CPU and memory footprint than traditional virtual machines running on Type 1 hypervisors.

While domains and Oracle Solaris Zones both support application isolation goals, organizations are encouraged to view them as complementary technologies. Oracle Database domains, application domains, and I/O domains are predominantly used to isolate operating systems (into different domains), whereas Oracle Solaris Zones are used to isolate groups of processes. While these technologies can be used independently, their value is compounded when they are used together to deploy application workloads securely and efficiently.

Network Isolation

At a physical network level, client access is isolated from both device management and inter-device communication. Client access is provided over a redundant 10 GbE network that ensures reliable, high-speed access to services running on the system. Similarly, management access is also provided over a physically separate GbE network, allowing organizations to create a hard separation between their operational and management networks. Finally, inter-device communication is achieved over a redundant InfiniBand network to create a high-performance, low-latency backplane through which the individual devices can communicate.

To improve the isolation of network communications over the client access Ethernet network, organizations are encouraged to leverage a strategy of physical isolation as well as the use of virtual LANs (VLANs) in order to compartmentalize network traffic. Similarly, when using InfiniBand, partitions can be used to achieve isolation comparable to VLANs on Ethernet. By default, the Oracle SuperCluster M7 system is configured with a number of InfiniBand partitions to promote isolation between database domains, network-based storage, and private clustering interconnects. Additional dedicated partitions may be used, or existing ones may be adapted, to achieve site-specific isolation goals. Further, the use of encrypted protocols over InfiniBand partitions and VLANs is recommended when the confidentiality and integrity of communications must be ensured.

Both domains and Oracle Solaris 11 support the notion of virtual switches and network interfaces that can be configured to provide network access to both domains and Oracle Solaris Zones. In the case of domains, network access is mediated by the hypervisor. Similarly, for Oracle Solaris, the use of exclusive network stacks and integrated virtual network switching, enforced by the operating system kernel, ensures that access to networks is in compliance with policy. For example, this ensures that services running in one Oracle Solaris Zone are not able to snoop on the network traffic flowing in and out of other zones. In either case, the degree to which domains and zones have access to shared networks is a matter of configuration. Further, both physical and virtual network elements can be linked with existing Ethernet VLANs and IP over InfiniBand (IPoIB) partitions, integrating these physical and virtual worlds into a holistic network architecture.

Database Isolation

There are a variety of ways that database isolation can be achieved. Physical separation is generally viewed as one of the best methods and can be achieved by dedicating a single physical system to run an Oracle Database 12c or 11g Release 2 domain. Hypervisor-mediated isolation using domains is a great option when database workloads must securely share physical resources with other workloads running on the same physical system. Another isolation strategy involves the operation of multiple database instances within the same operating system image. Multi-instance database isolation is achieved through a combination of database-level controls (pluggable databases, schemas, instances) and operating system level controls, including dedicated credentials (for example, users, groups, roles, and so on), dedicated table spaces, and resource controls.

Oracle Database Vault includes a mandatory access control model to enforce isolation by using logical realms within a single database. Logical realms form a protective boundary around existing application tables by blocking administrative accounts from having ad-hoc access to application data. Similarly, Oracle Database Vault command rules enable policy-based controls that limit who can access database and application data as well as when, where, and how that data is accessed, creating a trusted path to application data. Oracle Database Vault factors can be employed to further restrict access based upon time of access, source IP address, and other criteria.

Oracle Virtual Private Database enables the creation of policies that enforce fine-grained access to database tables and views at the row and column levels. Oracle Virtual Private Database provides security portability because policies are associated with database objects and are automatically applied no matter how the data is accessed. Oracle Virtual Private Database can, therefore, be used to provide isolation at the database tablespace level.

Finally, Oracle Label Security is used to classify data and mediate access to that data based upon its classification. Organizations can define classification strategies that best support their needs, whether they are hierarchical or disjoint. This capability allows information stored at different classification levels to be isolated at the row level within a single table space.

Storage Isolation

The Oracle Exadata Storage Servers in the Oracle SuperCluster M7 system are isolated from the rest of the architecture through the use of InfiniBand partitioning. By default, these servers are assigned to a partition that is accessible only by Oracle Database domains. The storage managed by the Oracle Exadata Storage Servers can be further subdivided using the Oracle Automatic Storage Management facility of Oracle Database to create individual realms that each can have their own security policies.

The system's Oracle ZFS Storage Appliance leverages a similar strategy by using InfiniBand partitions to isolate the domains and zones with which it is able to communicate. By default, the Oracle ZFS Storage Appliance is placed into its own InfiniBand partition separate from the Oracle Exadata Storage Servers. The use of ZFS pools, data sets, and volumes allows organizations to further carve up storage into more-granular units that can have their own security policies.

Access Control

Controlling access to systems, services, and information is paramount for most customers. Organizations need to be able to define flexible access policies to ensure that their users and administrators have the right levels of access available to them at the right time. To protect application data, workloads, and the underlying infrastructure on which it all runs, the Oracle SuperCluster M7 system offers comprehensive yet flexible access control capabilities for both users and administrators.

Workload Access Control

Oracle Solaris includes a variety of methods to authenticate users accessing system services. While traditional user name and password pairs are still widely used, stronger methods of authentication can be easily integrated using the Oracle Solaris pluggable authentication modules (PAM) architecture, allowing the use of LDAP, Kerberos, and public key authentication. The framework can further be extended to enable the use of smart cards, secure tokens, and other devices, enabling Oracle Solaris to integrate into an organization's existing identity and access management architecture.

Oracle Solaris supports a comprehensive role-based access control (RBAC) facility, allowing organizations the flexibility of delegating user and administrative access based upon need. Eliminating the notion of an all-powerful super-user, the RBAC capability in Oracle Solaris enables separation of duty and supports the notion of administrative roles, authorizations, fine-grained privileges, and rights profiles that collectively are used to assign rights to users and administrators. RBAC is integrated with other core Oracle Solaris services, including the Oracle Solaris Service Management Facility (SMF) and Oracle Solaris Zones, to provide a consistent architecture to support all operating system level access control needs. Further, domains leverage the RBAC capability in Oracle Solaris as a foundation for their access control architecture, allowing organizations to manage, control, and audit operating system and virtualization management access from a centralized authority.

Network Access Control

Beyond simple network-level isolation, fine-grained access control policies can be instituted at the device level. All of the devices in the Oracle SuperCluster system include the ability to limit network access to services either using architectural methods (for example, network isolation) or using packet filtering and/or access control lists to limit communication to, from, and between physical and virtual devices as well as to the services exposed by the system.

Oracle Solaris supports a "secure by default" posture whereby no network services except Secure Shell are enabled to accept inbound network traffic. Other enabled network services listen internally for requests within the Oracle Solaris operating system (or zone). This ensures that all network services are disabled by default or are set to listen for local system communications only. Organizations are free to customize this configuration based upon their requirements. When using Ethernet or IP over InfiniBand, Oracle Solaris supports network and transport layer (stateful) packet filtering using the Oracle Solaris IP Filter feature. IP Filter offers a wide array of host-based network capabilities including stateful packet filtering, network address translation, and port address translation.

Database Access Control

At the operating system level, it is important to use different accounts to ensure job role separation for database instances and storage administrators, including those supporting Oracle Automatic Storage Management functions. Within Oracle Database, users can be assigned specific privileges and roles to ensure users have access to only those data objects to which they are authorized. This keeps data from being shared across databases or among schemas unless explicitly permitted.

13 In addition to the password-based authentication available in Oracle Database, Oracle Advanced Security enables organizations to implement strong authentication using public key credentials or by leveraging existing RADIUS or Kerberos infrastructures. Further, using Oracle Enterprise User Security, Oracle Database can also be integrated with existing LDAP repositories for authentication and authorization. Collectively, these capabilities can be used to provide higher assurance of the identity of users connecting to the database. Oracle Database Vault can be used to manage administrative and privileged user access, controlling how, when, and where application data can be accessed. Oracle Database Vault protects against misuse of stolen login credentials, application bypass, and unauthorized changes to applications and data, including attempts to make copies of application data. Oracle Database Vault is transparent to most applications and day-to-day tasks, and can support multifactor authorization policies, allowing for secure enforcement of policy without disrupting business operations. Separation of duties is also critical at every layer of the architecture to reduce the risk of collusive behavior and to prevent inadvertent errors. Oracle Database Vault has the ability to enforce separation of duties to ensure that account management, security administration, resource management, and other functions are granted only to those users authorized to have those privileges. Storage Access Control To minimize the attack surface, the system s Oracle Exadata Storage Servers and Oracle ZFS Storage Appliance do not support administration or customization outside of their management interfaces. There are no users defined on these systems, and it is expected that these devices will be viewed as fixed-function appliances that have been optimized and hardened for their specific purpose. 
Oracle Automatic Storage Management (Oracle ASM), available on the Oracle Exadata Storage Servers, supports three access control modes: open security, Oracle ASM scoped security, and database-scoped security. Open security, as the name suggests, allows any database to access any of the disks managed by Oracle ASM. Oracle ASM scoped security, on the other hand, allows multiple databases assigned to one or more Oracle ASM clusters to share specific disks. Database-scoped security, the most fine-grained level of access control, ensures that only specific databases are able to access specific disks. While organizations are encouraged to select the most appropriate model for their situation, it should be noted that it is not recommended to mix Oracle ASM scoped and database-scoped security in the same Oracle ASM environment. In addition to its overall access control mode, Oracle ASM also supports the assignment of access controls at the disk group and file levels, as well to ensure that access to content stored on disk is available only to authorized users. Of course, for organizations concerned about the confidentiality of stored database content, database (tablespace- or column-level) encryption should be considered. Oracle ZFS Storage Appliance supports a wide array of access control policies that can be applied at the data set and volume levels for individual users and groups. Further, when storage is shared by Oracle ZFS Storage Appliance, additional access controls implemented by the sharing protocol (for example, NFS) can also be applied to further limit access to authorized systems, services, and users. Data Protection Services The requirement to protect and validate data at rest, in transit, and in use is often grounded upon the use of cryptographic services. From encryption and decryption to digital fingerprint and certificate validation, cryptography is one of the most widely deployed security controls in modern IT organizations. 
Oracle SuperCluster M7 includes a wealth of capabilities to deliver complete, efficient, and high-performance end-to-end cryptography.

Workload Data Protection Services

Oracle's SPARC T-Series and M-Series processors have been designed with integrated on-chip cryptographic acceleration to enable strong cryptographic services without sacrificing performance. The SPARC M7 processor can accelerate the performance of 16 industry-standard cryptographic algorithms in addition to accelerating the secure generation of random numbers. These capabilities can be delivered to operating systems running directly on SPARC M7 processors or individual domains.

Oracle Solaris, by default, takes advantage of the SPARC M7 processor (directly or virtually through Oracle VM Server for SPARC) for highly efficient cryptographic operations processed through the Oracle Solaris Cryptographic Framework. This shared framework is a gathering point for services providing or using cryptography in the Oracle Solaris operating system. Using the Cryptographic Framework, users, applications, and services can be assured that they are not only using the most optimized algorithms, but that they will also seamlessly leverage hardware cryptographic acceleration as well as hardware security modules (when used). Oracle Solaris supports a full complement of cryptographic services including Secure Shell, IPSec/IKE, Kerberos, and ZFS encryption. It also includes integrations that allow applications using OpenSSL or Java to use this common framework, including any available cryptographic acceleration.

The Oracle SuperCluster M7 system leverages the Silicon Secured Memory feature of the SPARC M7 processor for ensuring hardware-based memory protection. Implemented directly on the chip, Silicon Secured Memory performs dynamic pointer checking that can detect memory reference errors. This technology safeguards against bad pointers, invalid or stale references, and buffer overruns, thereby preventing memory scraping, silent data corruption, and application data integrity problems that can consume significant development time to diagnose and correct.
The ability to take advantage of Silicon Secured Memory is implemented in application-specific memory allocators, such as in the system global area (SGA) memory allocation for Oracle Database 12c applications and in general-purpose memory allocators (such as malloc) in Oracle Solaris.

Network Data Protection Services

While InfiniBand partitioning is supported by Oracle Solaris for network isolation, the confidentiality and integrity of communications over an InfiniBand partition should be protected using a cryptographically secure protocol. For example, Secure Shell provides secure administrative access to systems and Oracle Integrated Lights Out Manager (Oracle ILOM), IPSec/IKE (using IP over InfiniBand) can protect communications between domains or zones, and SSL/TLS can enable secure communications between applications and other services.

Database Cryptographic Services

Oracle Advanced Security, an option commonly used with Oracle Database, Enterprise Edition, encrypts information in Oracle Database using its transparent data encryption (TDE) functionality. TDE supports both the encryption of application tablespaces as well as the encryption of individual columns within a table. Data that is stored in temporary tablespaces as well as redo logs is also encrypted. Even when the database is backed up, the data remains encrypted on destination media, protecting information at rest no matter where it is physically stored.

Oracle Advanced Security (including TDE) is able to take advantage of the cryptographic acceleration capabilities of the SPARC M7 processor. This allows organizations to protect their information without having to incur the significant performance penalties typically associated with software-only encryption methods.

Oracle Database also provides features to encrypt SQL*Net and JDBC traffic using either native encryption or Transport Layer Security (TLS) to protect information while it is flowing over a network.
Both administrative and application connections can be protected using this mechanism to ensure that data in transit can be protected. The TLS implementation supports the standard set of authentication methods, including server-only authentication using X.509 certificates and mutual (client-server) authentication using X
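As an added illustration of the native encryption option for SQL*Net traffic described above (example code written for this page, not Oracle's), the following Python sketch audits a server-side sqlnet.ora and shows which client settings can still end up with an unprotected session. The sqlnet.ora parameter names and the REJECTED/ACCEPTED/REQUESTED/REQUIRED negotiation levels come from Oracle Net and are not named in this paper; the sample files and the "legacy algorithm" policy are assumptions of the example.

```python
"""Added example: audit Oracle Net native encryption settings in a server sqlnet.ora."""

LEVELS = ("REJECTED", "ACCEPTED", "REQUESTED", "REQUIRED")

# Policy assumption of this example: DES, 3DES and RC4 ciphers and MD5/SHA1
# checksums are treated as legacy and flagged. Adjust to local policy.
LEGACY_CIPHERS = {"DES", "DES40", "3DES112", "3DES168",
                  "RC4_40", "RC4_56", "RC4_128", "RC4_256"}
LEGACY_CHECKSUMS = {"MD5", "SHA1"}

SERVICES = (
    ("encryption", "SQLNET.ENCRYPTION_SERVER",
     "SQLNET.ENCRYPTION_TYPES_SERVER", LEGACY_CIPHERS),
    ("integrity", "SQLNET.CRYPTO_CHECKSUM_SERVER",
     "SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER", LEGACY_CHECKSUMS),
)


def parse_sqlnet(text):
    """Parse single-line 'NAME = value' or 'NAME = (a, b)' entries.

    Returns {NAME: [VALUES]} in upper case. Nested multi-line entries
    (wallet locations and the like) are outside the scope of this example.
    """
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        values = [v.strip().upper() for v in value.strip("()").split(",")]
        params[name.upper()] = [v for v in values if v]
    return params


def negotiate(server, client):
    """Outcome of the level negotiation: 'on', 'off', or 'fail' (connection refused)."""
    pair = {server, client}
    if pair == {"REQUIRED", "REJECTED"}:
        return "fail"
    if "REJECTED" in pair or pair == {"ACCEPTED"}:
        return "off"
    return "on"


def audit_server(text):
    """Return a list of findings for a server-side sqlnet.ora."""
    params = parse_sqlnet(text)
    findings = []
    for service, level_key, types_key, legacy in SERVICES:
        # ACCEPTED is the default level when the parameter is absent.
        level = (params.get(level_key) or ["ACCEPTED"])[0]
        if level not in LEVELS:
            findings.append(f"{level_key}: unrecognized value {level}")
            continue
        # Client levels for which the session is established without protection.
        exposed = [c for c in LEVELS if negotiate(level, c) == "off"]
        if exposed:
            findings.append(
                f"{service}: server level {level} allows unprotected sessions "
                f"for clients set to {', '.join(exposed)}")
        flagged = sorted(set(params.get(types_key, [])) & legacy)
        if flagged:
            findings.append(f"{service}: legacy algorithms offered: {', '.join(flagged)}")
    return findings


# Constructed sample files (not taken from any real system).
WEAK = """
SQLNET.ENCRYPTION_SERVER = REQUESTED
SQLNET.ENCRYPTION_TYPES_SERVER = (AES256, 3DES168, RC4_128)
# integrity checking left at its default
"""

HARDENED = """
SQLNET.ENCRYPTION_SERVER = REQUIRED
SQLNET.ENCRYPTION_TYPES_SERVER = (AES256)
SQLNET.CRYPTO_CHECKSUM_SERVER = REQUIRED
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA256)
"""

if __name__ == "__main__":
    for label, config in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_server(config) or "no findings")
```

Only a server level of REQUIRED guarantees that no client can negotiate an unprotected session; with any other level the outcome depends on the client's own setting.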

Monitoring and Auditing

Whether for compliance reporting or incident response, monitoring and auditing are critical functions that organizations must use to gain increased visibility into their IT environment. The degree to which monitoring and auditing are employed is often based upon the risk or criticality of the environment being protected. The Oracle SuperCluster M7 system has been designed to offer comprehensive monitoring and auditing functionality at the compute, network, database, and storage layers, ensuring that a wealth of information can be made available to organizations in support of their audit and compliance requirements.

Workload Monitoring and Auditing

Oracle Solaris has a very comprehensive auditing facility that can monitor administrative actions, command-line invocations, and even individual kernel-level system calls. This facility is highly configurable, offering global, per-zone, and even per-user auditing policies. When it is configured to use Oracle Solaris Zones, audit records for each zone can be stored in the global zone to protect them from tampering. Further, Oracle Solaris auditing supports the ability to send audit records to remote collection points using the system log (syslog) facility. Additionally, many commercial and open source intrusion detection and prevention services can consume Oracle Solaris audit records as an additional input for their analysis and reporting.

Domains leverage the native Oracle Solaris auditing facility to record actions and events associated with virtualization events and domain administration. Similar to how domains use the Oracle Solaris RBAC facility for centralized access management, Oracle Solaris auditing is used to provide a centralized approach to audit record generation, management, and reporting.
Database Monitoring and Auditing

Oracle Database supports the notion of fine-grained auditing that allows organizations to establish policies that more selectively determine when audit records are generated. This helps organizations to sharpen their focus on more-interesting database activities and reduce the false positives that are often associated with audit activities.

Oracle Audit Vault and Database Firewall centralizes the management of database audit settings and automates the consolidation of audit data into a secure repository. Oracle Audit Vault and Database Firewall includes built-in reporting to monitor a wide range of activities including privileged user activity and changes to database structures. The reports generated by Oracle Audit Vault and Database Firewall enable visibility into various application and administrative database activities and provide detailed information to support accountability of actions.

Oracle Audit Vault and Database Firewall also enables the proactive detection of and generation of alerts for activities that might be indicative of attempts at unauthorized access or abuse of system privileges. These alerts can include both system and user-defined events and conditions, such as the creation of privileged user accounts or the modification of tables containing sensitive information.

The Oracle Audit Vault and Database Firewall Remote Monitor can reside on an Oracle Database 11g Release 2 domain to provide real-time database security monitoring by interrogating database connections to detect malicious traffic including application bypass, unauthorized activity, SQL injection, and other threats. Using a highly accurate SQL grammar-based approach, Oracle Audit Vault and Database Firewall can help organizations to quickly identify suspicious database activity.

Quality of Service

There are many ways in which applications can be attacked that are not focused simply on breaching a boundary or subverting access control policy. In fact, the availability of applications and information is often viewed as an IT security concern. The Oracle SuperCluster M7 system provides a number of capabilities that are intended to help detect and prevent resource exhaustion attacks, denial of service attacks, and accidental or intentional faults that can impact the availability of services and data.

Workload Quality of Service

Domains support the dynamic reconfiguration of virtual CPUs, memory, and physical I/O devices. This allows an organization to quickly respond to changes in demand, shifting resources to where they are needed. Further, by defining resource policies for each domain, organizations can ensure that activity in one domain will not starve other domains of their needed resources.

Similarly, Oracle Solaris has an array of dynamic resource controls that can be employed globally as well as at a zone, project, task, or process level. Similar to domains, resource controls can be used to limit the consumption of CPUs, memory, and core file size, as well as to limit the number of processes, file descriptors, and many other parameters. Depending on the actual configuration and needs of the organization, one or more of these parameters can be defined to help ensure that applications and services running in Oracle Solaris, including in zones, consume only their fair share of resources and do not adversely impact other services running on the system. In addition, Oracle Solaris 11 supports the ability to define bandwidth limits that apply to data link devices (such as virtual network interfaces) as well as to user-defined traffic flows, enabling organizations to apply limits to network traffic based upon predefined packet attributes.
For applications running in application domains, Oracle Solaris Cluster is often used to implement failover or clustering for individual zones or domains. Oracle Solaris Cluster can help organizations reach their survivability goals by ensuring that mission-critical services are monitored and restarted upon a failure. Based upon an organization's defined policy, a failed service can be restarted locally or on another node in the cluster.

Network Quality of Service

Each component of the Oracle SuperCluster M7 system is configured to have multiple InfiniBand network interfaces. Further, the system includes redundant InfiniBand switches allowing each component to be connected to each switch. Each component's InfiniBand interfaces are bonded together to form a single virtual interface allowing the component to continue operating even if a single interface or switch fails.

Similarly, each SPARC M7 processor node in the system includes multiple 10 GbE interfaces connected to the client access network and multiple 1 GbE interfaces for management communications. These nodes can leverage Oracle Solaris IP Multipathing (IPMP) and IEEE 802.3ad Link Aggregation for Ethernet redundancy, helping to ensure continuous network connectivity even if a single Ethernet interface or switch fails.

Oracle Solaris 11 also supports a variety of network-level resource controls that allow organizations to define bandwidth limits at various data link levels, including virtual and physical NICs, link aggregations, and IP over InfiniBand. These limits can be applied to all, or just a subset of, traffic flowing through those elements. This allows organizations to categorize and prioritize their network traffic to ensure that higher priority traffic is favored over less important traffic flows.
Database Quality of Service

Oracle Real Application Clusters (Oracle RAC) can be used to create a clustered database with a shared cache architecture that overcomes some of the traditional limitations of shared-nothing models. As a result, Oracle RAC can be used to enable highly scalable and available database architectures.

Oracle Database Quality of Service Management is an automated, policy-based solution that monitors the workload requests of an entire system. It correlates accurate runtime performance and resource metrics, analyzes the data to identify bottlenecks, and produces recommended resource adjustments to maintain performance objectives under dynamic load conditions.

In addition, Oracle Database includes a variety of tools to enable multiple databases to operate under the same operating system. The Resource Manager feature of Oracle Database and its instance caging capability, for example, support the ability to dynamically control access to CPU resources using fine-grained methods to ensure that workloads running in the database have access to their fair share of compute resources. Further, Resource Manager also can control the degree of parallelism, the number of active sessions, and other shared resources to protect one database from monopolizing resources needed in shared database architectures.

Storage Quality of Service

To ensure reliable, high-performance access to databases stored on Oracle Exadata Storage Servers, Oracle ASM offers a variety of storage mirroring options for Oracle ASM disk groups, including: normal redundancy (two-way mirroring), high redundancy (three-way mirroring), and external redundancy (no mirroring). Typically, organizations will use external redundancy when their storage is already being mirrored or otherwise protected at the hardware level. In addition to mirroring, Oracle ASM supports the notion of failure groups that can be used to ensure that mirrored storage is placed on different Oracle Exadata Storage Servers.

The I/O Resource Manager feature of Oracle's Exadata Storage Server Software is available as part of the Oracle Exadata Storage Server and is used to manage inter- and intra-database I/O resources.
This feature not only allows different databases with different performance requirements to share a common Oracle Exadata Storage Server pool, but also lets multiple workloads within the same database have their own resource policies. This flexible architecture allows organizations to ensure that critical workloads and databases are not I/O constrained when operating in a consolidated architecture.

Compliance Reporting

The Oracle SuperCluster M7 system leverages the Oracle Solaris compliance reporting feature, which helps reduce the burden of compliance reporting activities. Based on the U.S. Department of Defense Security Content Automation Protocol (SCAP) ecosystem, it provides a collection of interrelated standards for security reporting and configuration automation, and uses those tools to report on system configuration compliance objectives for both the public sector and for the enterprise market.

The Oracle Solaris compliance utility is used to assess and report the compliance of an Oracle Solaris runtime environment residing in Oracle SuperCluster hosted domains and in Oracle Solaris Zones. Compliance utilities are part of Oracle Solaris and are based on the SCAP implementation. The Oracle Solaris compliance command maps the requirements of a benchmark to the code, file, or command output that verifies compliance to a specific requirement.

The Oracle SuperCluster M7 system currently supports two security compliance benchmark profiles: the Oracle Solaris Compliance Recommended profile (based on the Center of Internet Security benchmark) and the Payment Card Industry Data Security Standard (PCI DSS). These profiling tools map security controls to the compliance requirements mandated by these industry standards, and the associated compliance reports can significantly reduce auditing time and costs.
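Because the compliance feature is based on SCAP, assessment results can be post-processed as XCCDF documents. The following Python sketch is an added example (not Oracle's tooling): it compares a baseline assessment with a later one and reports rules that regressed from pass to fail, rules that are still failing, and rules that were no longer evaluated. The rule identifiers and both result documents are constructed for the example; only the XCCDF `rule-result`/`result` structure is assumed.

```python
"""Added example: detect compliance drift between two XCCDF result documents."""
import xml.etree.ElementTree as ET
from collections import Counter

# Namespace used by the constructed samples; the parser below ignores
# namespaces, so other XCCDF versions are handled the same way.
XCCDF_NS = "http://checklists.nist.gov/xccdf/1.1"

# XCCDF outcomes that mean a rule produced no usable verdict.
NOT_EVALUATED = {"notchecked", "error", "unknown", "notselected"}


def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def load_results(xml_text):
    """Return {rule_id: outcome} for every <rule-result> in the document."""
    results = {}
    for element in ET.fromstring(xml_text).iter():
        if local(element.tag) != "rule-result":
            continue
        outcome = "unknown"
        for child in element:
            if local(child.tag) == "result" and child.text:
                outcome = child.text.strip()
        results[element.get("idref")] = outcome
    return results


def compare(baseline_xml, current_xml):
    """Summarize the current run and how it differs from the baseline."""
    base = load_results(baseline_xml)
    cur = load_results(current_xml)
    return {
        "summary": dict(Counter(cur.values())),
        # Passed before, fails now: the findings to triage first.
        "regressions": sorted(
            r for r in cur if cur[r] == "fail" and base.get(r) == "pass"),
        "still_failing": sorted(
            r for r in cur if cur[r] == "fail" and base.get(r) == "fail"),
        # In the baseline but missing or without a verdict now: lost coverage.
        "not_evaluated": sorted(
            r for r in base if cur.get(r, "notchecked") in NOT_EVALUATED),
    }


def sample_report(outcomes):
    """Build a minimal, constructed XCCDF result document for the demo."""
    rows = "".join(
        f'<rule-result idref="{rule_id}"><result>{outcome}</result></rule-result>'
        for rule_id, outcome in outcomes.items())
    return (f'<Benchmark xmlns="{XCCDF_NS}"><TestResult id="constructed">'
            f'{rows}</TestResult></Benchmark>')


# Constructed rule ids and outcomes (hypothetical, not from a real benchmark).
BASELINE = sample_report(
    {"EX-001": "pass", "EX-002": "pass", "EX-003": "fail", "EX-004": "pass"})
CURRENT_RUN = sample_report(
    {"EX-001": "pass", "EX-002": "fail", "EX-003": "fail", "EX-004": "notchecked"})

if __name__ == "__main__":
    for key, value in compare(BASELINE, CURRENT_RUN).items():
        print(f"{key}: {value}")
```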

In addition, the compliance feature provides guides that contain the rationale for each security check and the steps for fixing a failed check. Guides can be useful for training and as guidelines for future testing. By default, guides for each security profile are created at installation. The tenant administrator may add or change a benchmark and create a new guide. Additional scripts can be used to meet other regulatory environment standards, such as the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), Sarbanes Oxley (SOX), and the Federal Information Security Management Act (FISMA).

FIPS-140 Compliance

The cryptographic applications hosted on the Oracle SuperCluster M7 system rely on the Cryptographic Framework feature of Oracle Solaris, which is validated for FIPS Level 1 compliance. The Cryptographic Framework provides the central cryptographic store for Oracle Solaris, and it provides two FIPS 140 verified modules that support the user-space and kernel-level processes. These library modules provide encryption, decryption, hashing, signature generation and verification, certificate generation and verification, and message authentication functions for applications. User-level applications that call into these modules run in FIPS 140 mode.

In addition to the Cryptographic Framework, the OpenSSL object module bundled with Oracle Solaris is validated for FIPS Level 1 compliance, which supports cryptography for applications based on the Secure Shell and TLS protocols. The cloud service provider may choose to enable the tenant hosts with FIPS 140 compliant modes. When running in FIPS 140 compliant modes, Oracle Solaris and OpenSSL, which are FIPS providers, enforce the use of FIPS 140 validated cryptographic algorithms.

Security Management

Having collections of security controls and capabilities is necessary to properly secure individual applications and services.
However, it is equally important to have comprehensive management capabilities that assist organizations in sustaining the security of their deployed services and systems. The Oracle SuperCluster M7 system leverages the security management capabilities of a variety of products including Oracle ILOM, Oracle Enterprise Manager Ops Center, Oracle Enterprise Manager, and the Oracle Identity Management suite.

Oracle ILOM

Oracle ILOM is the service processor embedded in the Oracle SuperCluster M7 system's compute and storage servers. It is used to perform out-of-band management activities. Oracle ILOM offers a variety of secure mechanisms allowing organizations to perform secure lights-out management of their compute and storage servers, including web-based access protected by TLS, command-line access using Secure Shell, as well as IPMI v2.0 and SNMPv3.

Oracle ILOM supports separation of duty requirements using a role-based access control model. Individual users are assigned to specific roles that limit the functions that can be performed. In this manner, organizations can decide which users need full administrative access versus those that might simply need the ability to audit Oracle ILOM settings (read-only access), access remote host consoles, or control host power.

To ensure accountability, Oracle ILOM records all logins and configuration changes. Each audit log entry notes the user's actions along with a time stamp. This allows organizations to detect unauthorized activity or changes as well as attribute those actions back to specific users.

Oracle Enterprise Manager

The Oracle Enterprise Manager suite is a comprehensive and integrated cloud management solution that focuses on lifecycle management of applications, middleware, and databases, as well as physical and virtual infrastructure (using Oracle Enterprise Manager Ops Center).

In the context of the Oracle SuperCluster M7 system, it is important to highlight that the application, middleware, and database management functionality supports detailed monitoring, event notification, and patch and change management, as well as continuous configuration and compliance management and reporting. In particular, Oracle Enterprise Manager allows organizations to centrally maintain security configuration settings as well as access control and auditing policies for groups of databases. Access to these functions can be limited to authorized individuals, ensuring that management access supports compliance mandates for separation of duty, least privilege, and accountability. The Oracle Enterprise Manager system also supports strong authentication using a variety of methods, fine-grained access controls, and comprehensive auditing, ensuring that the management of the Oracle SuperCluster environment can be accomplished in a secure manner.

Part of the Oracle Enterprise Manager suite, Oracle Enterprise Manager Ops Center is a converged hardware management solution that provides a single administrative interface for servers, operating systems, firmware, virtual machines, zones, storage, and network fabrics. Oracle Enterprise Manager Ops Center is installed by default on the Oracle SuperCluster M7 system. From a security perspective, Oracle Enterprise Manager Ops Center can be used to assign administrative access to collections of physical and virtual systems, monitor administrator activity, and detect faults, as well as configure and manage alerts. Further, Oracle Enterprise Manager Ops Center supports a variety of reports that allow organizations to compare their systems against known configuration baselines, patch levels, and security vulnerabilities.

Oracle Identity Management

The Oracle Identity Management suite manages the end-to-end lifecycle of user identities and accounts across an organization.
It includes support for single sign-on, web-based access control, web services security, identity administration, and strong authentication, as well as identity and access governance. In the context of the Oracle SuperCluster M7 system, Oracle Identity Management can be used as a single point for managing identity and access not only to applications and services running on the system, but also to the underlying infrastructure and services used to manage it.

Oracle Key Manager

Oracle Key Manager is a comprehensive key management system (KMS) designed to simplify the management and monitoring of encryption keys used to protect information at rest. Oracle Key Manager supports enterprise-class environments with a highly scalable and available architecture that can manage thousands of devices and millions of keys. It operates on a hardened operating environment, enforces strong access control and role separation for key management and monitoring operations, and optionally supports the secure storage of keys in Oracle's Sun Crypto Accelerator 6000 PCIe Card, a FIPS rated hardware-secure module.

In the context of the system, Oracle Key Manager can authorize, secure, and manage access to encryption keys used by Oracle's StorageTek encrypting tape drives, Oracle Database instances encrypted using Transparent Data Encryption, and encrypted ZFS file systems available on the system and on Oracle ZFS Storage Appliance.

General Recommendations and Considerations

The Oracle SuperCluster M7 system includes an impressive collection of layered security controls that can be tailored to meet an organization's specific policies and requirements. It is important that organizations understand how to best utilize these capabilities as well as integrate them into their existing IT security architecture. Further, organizations must remember that effective IT security must integrate people, process, and technology aligned by policy and vetted using solid risk management and governance practices. In this section, general recommendations and considerations will be offered to guide organizations in the architectural, deployment, and operational dimensions.

Architectural Best Practices

The following architecture best practices are recommended:

» Organizations should leverage a unified approach to identity and access management by integrating the Oracle SuperCluster M7 system's components as well as its deployed services with an organization's existing identity and access management architecture. In particular, Oracle Solaris and Oracle Database support a wide array of open and standard protocols that allow these products to be more easily integrated with existing identity and access management deployments.

» Organizations should consider the use of intrusion prevention systems to monitor network traffic flowing to and from the system. Such systems will enable the identification of suspicious communications and potential attack patterns, as well as unauthorized access attempts. Organizations looking for increased visibility within the system are encouraged to consider the use of host-based intrusion detection and prevention systems.
By leveraging the fine-grained auditing capabilities of Oracle Solaris and Oracle Database, host-based systems will have a greater likelihood of detecting inappropriate actions and unauthorized activity.

» Similarly, organizations are also encouraged to consider the use of application- and network-layer firewalls that can protect information flowing to and from the Oracle SuperCluster M7 system. Often, filtering network ports serves as the first line of defense in preventing unauthorized access to systems and services. Just as with host-based intrusion detection services, organizations looking to realize more fine-grained control of communications between components of the system are encouraged to consider both network-level segmentation using Ethernet VLANs or InfiniBand partitions as well as host-based firewalls to enforce inbound and outbound network policy at the host level.

» Lastly, organizations should consider the use of centralized audit and log repositories to aggregate their security-relevant information for improved correlation, analysis, and reporting. Most modern security event and incident management systems support a wide array of protocols that can be used for data gathering from network devices, operating systems, databases, and applications. By collecting and storing this information in a centralized (and protected) location, organizations can also improve the quality and effectiveness of their security incident and forensic response processes. The information that is needed for this kind of analysis will be safely stored away from systems and applications that might have been compromised. It should be noted that for this kind of approach to be most effective, organizations should also leverage the network time protocol (NTP) service to ensure that time is aligned across devices, systems, and software.
Deployment Best Practices

The following deployment best practices are recommended:

» Organizations are encouraged to utilize protocols that support strong authentication and encryption of network communications. This protects the confidentiality and integrity of communications and is important when communicating with services deployed on the Oracle SuperCluster M7 system as well as when managing the system using its administrative interfaces. Organizations should configure administrative and operational services to use encryption protocols and key lengths that align with their organizational policies. Cryptographic services provided by the system will also benefit from hardware acceleration, which improves not just security but also overall performance.


More information

Larry Wilson Version 1.0 November, 2013. University Cyber-security Program Critical Asset Mapping

Larry Wilson Version 1.0 November, 2013. University Cyber-security Program Critical Asset Mapping Larry Wilson Version 1.0 November, 2013 University Cyber-security Program Critical Asset Mapping Part 3 - Cyber-Security Controls Mapping Cyber-security Controls mapped to Critical Asset Groups CSC Control

More information

Security Overview of the Integrity Virtual Machines Architecture

Security Overview of the Integrity Virtual Machines Architecture Security Overview of the Integrity Virtual Machines Architecture Introduction... 2 Integrity Virtual Machines Architecture... 2 Virtual Machine Host System... 2 Virtual Machine Control... 2 Scheduling

More information

Efficient Key Management for Oracle Database 11g Release 2 Using Hardware Security Modules

Efficient Key Management for Oracle Database 11g Release 2 Using Hardware Security Modules Efficient Key Management for Oracle Database 11g Release 2 Using Hardware Security Modules WHITE PAPER Thales e-security www.thalesesec.com/oracle TABLE OF CONTENT Introduction...3 Oracle Database 11g

More information

Oracle Solaris: Aktueller Stand und Ausblick

Oracle Solaris: Aktueller Stand und Ausblick Oracle Solaris: Aktueller Stand und Ausblick Detlef Drewanz Principal Sales Consultant, EMEA Server Presales The following is intended to outline our general product direction. It

More information

INTRODUCTION ADVANTAGES OF RUNNING ORACLE 11G ON WINDOWS. Edward Whalen, Performance Tuning Corporation

INTRODUCTION ADVANTAGES OF RUNNING ORACLE 11G ON WINDOWS. Edward Whalen, Performance Tuning Corporation ADVANTAGES OF RUNNING ORACLE11G ON MICROSOFT WINDOWS SERVER X64 Edward Whalen, Performance Tuning Corporation INTRODUCTION Microsoft Windows has long been an ideal platform for the Oracle database server.

More information

GE Measurement & Control. Cyber Security for NEI 08-09

GE Measurement & Control. Cyber Security for NEI 08-09 GE Measurement & Control Cyber Security for NEI 08-09 Contents Cyber Security for NEI 08-09...3 Cyber Security Solution Support for NEI 08-09...3 1.0 Access Contols...4 2.0 Audit And Accountability...4

More information

1 Copyright 2012, Oracle and/or its affiliates. All rights reserved. Public Information

1 Copyright 2012, Oracle and/or its affiliates. All rights reserved. Public Information 1 Copyright 2012, Oracle and/or its affiliates. All rights reserved. Public Information The following is intended to outline our general product direction. It is intended for information purposes only,

More information

The Payment Card Industry (PCI) Data Security Standards (DSS) v1.2 Requirements:

The Payment Card Industry (PCI) Data Security Standards (DSS) v1.2 Requirements: Compliance Brief The Payment Card Industry (PCI) Data Security Standards (DSS) v1.2 Requirements: Using Server Isolation and Encryption as a Regulatory Compliance Solution and IT Best Practice Introduction

More information

Virtualization Technologies ORACLE TECHNICAL WHITE PAPER OCTOBER 2015

Virtualization Technologies ORACLE TECHNICAL WHITE PAPER OCTOBER 2015 Virtualization Technologies ORACLE TECHNICAL WHITE PAPER OCTOBER 2015 Table of Contents Introduction 3 Designing a Consolidated Infrastructure 6 Seven Areas of Consideration for Consolidation 6 Security

More information

IaaS Cloud Architectures: Virtualized Data Centers to Federated Cloud Infrastructures

IaaS Cloud Architectures: Virtualized Data Centers to Federated Cloud Infrastructures IaaS Cloud Architectures: Virtualized Data Centers to Federated Cloud Infrastructures Dr. Sanjay P. Ahuja, Ph.D. 2010-14 FIS Distinguished Professor of Computer Science School of Computing, UNF Introduction

More information

Solving I/O Bottlenecks to Enable Superior Cloud Efficiency

Solving I/O Bottlenecks to Enable Superior Cloud Efficiency WHITE PAPER Solving I/O Bottlenecks to Enable Superior Cloud Efficiency Overview...1 Mellanox I/O Virtualization Features and Benefits...2 Summary...6 Overview We already have 8 or even 16 cores on one

More information

ORACLE OPS CENTER: PROVISIONING AND PATCH AUTOMATION PACK

ORACLE OPS CENTER: PROVISIONING AND PATCH AUTOMATION PACK ORACLE OPS CENTER: PROVISIONING AND PATCH AUTOMATION PACK KEY FEATURES PROVISION FROM BARE- METAL TO PRODUCTION QUICKLY AND EFFICIENTLY Controlled discovery with active control of your hardware Automatically

More information

The Comprehensive Guide to PCI Security Standards Compliance

The Comprehensive Guide to PCI Security Standards Compliance The Comprehensive Guide to PCI Security Standards Compliance Achieving PCI DSS compliance is a process. There are many systems and countless moving parts that all need to come together to keep user payment

More information

CorreLog Alignment to PCI Security Standards Compliance

CorreLog Alignment to PCI Security Standards Compliance CorreLog Alignment to PCI Security Standards Compliance Achieving PCI DSS compliance is a process. There are many systems and countless moving parts that all need to come together to keep user payment

More information

An Oracle White Paper June 2013. Encryption and Redaction in Oracle Database 12c with Oracle Advanced Security

An Oracle White Paper June 2013. Encryption and Redaction in Oracle Database 12c with Oracle Advanced Security An Oracle White Paper June 2013 Encryption and Redaction in Oracle Database 12c with Oracle Advanced Security Introduction... 1 Preventing Database Bypass with Encryption... 2 Oracle Advanced Security

More information

Data Collection and Analysis: Get End-to-End Security with Cisco Connected Analytics for Network Deployment

Data Collection and Analysis: Get End-to-End Security with Cisco Connected Analytics for Network Deployment White Paper Data Collection and Analysis: Get End-to-End Security with Cisco Connected Analytics for Network Deployment Cisco Connected Analytics for Network Deployment (CAND) is Cisco hosted, subscription-based

More information

Protecting Sensitive Data Reducing Risk with Oracle Database Security

Protecting Sensitive Data Reducing Risk with Oracle Database Security Protecting Sensitive Data Reducing Risk with Oracle Database Security Antonio.Mata.Gomez@oracle.com Information Security Architect Agenda 1 2 Anatomy of an Attack Three Steps to Securing an Oracle Database

More information

GoodData Corporation Security White Paper

GoodData Corporation Security White Paper GoodData Corporation Security White Paper May 2016 Executive Overview The GoodData Analytics Distribution Platform is designed to help Enterprises and Independent Software Vendors (ISVs) securely share

More information

FINAL DoIT 04.01.2013- v.8 APPLICATION SECURITY PROCEDURE

FINAL DoIT 04.01.2013- v.8 APPLICATION SECURITY PROCEDURE Purpose: This procedure identifies what is required to ensure the development of a secure application. Procedure: The five basic areas covered by this document include: Standards for Privacy and Security

More information

Oracle SuperCluster and PCI Compliance Security Capabilities of Oracle SuperCluster that Support PCI Compliance

Oracle SuperCluster and PCI Compliance Security Capabilities of Oracle SuperCluster that Support PCI Compliance A COALFIRE WHITE PAPER Oracle SuperCluster and PCI Compliance Security Capabilities of Oracle SuperCluster that PCI Compliance November 21 th 2014 Daniel Sanchez Senior Consultant, Coalfire Oracle SuperCluster

More information

MANAGED FILE TRANSFER: 10 STEPS TO SOX COMPLIANCE

MANAGED FILE TRANSFER: 10 STEPS TO SOX COMPLIANCE WHITE PAPER MANAGED FILE TRANSFER: 10 STEPS TO SOX COMPLIANCE 1. OVERVIEW Do you want to design a file transfer process that is secure? Or one that is compliant? Of course, the answer is both. But it s

More information

<Insert Picture Here> Oracle Database Security Overview

<Insert Picture Here> Oracle Database Security Overview Oracle Database Security Overview Tammy Bednar Sr. Principal Product Manager tammy.bednar@oracle.com Data Security Challenges What to secure? Sensitive Data: Confidential, PII, regulatory

More information

Control your corner of the cloud.

Control your corner of the cloud. Chapter 1 of 5 Control your corner of the cloud. From the halls of government to the high-rise towers of the corporate world, forward-looking organizations are recognizing the potential of cloud computing

More information

www.xceedium.com 2: Do not use vendor-supplied defaults for system passwords and other security parameters

www.xceedium.com 2: Do not use vendor-supplied defaults for system passwords and other security parameters 2: Do not use vendor-supplied defaults for system passwords and other security parameters 2.1: Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing

More information

Securely maintaining sensitive financial and

Securely maintaining sensitive financial and How the Guardium Platform Helped Dell IT Simplify Enterprise security By Phil Neray Addison Lawrence David McMaster Venugopal Nonavinakere Safeguarding data is critical for many organizations, but auditing

More information

An Oracle White Paper June 2012. Exalogic Security

An Oracle White Paper June 2012. Exalogic Security An Oracle White Paper June 2012 Exalogic Security Disclaimer The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated

More information

An Oracle Technical White Paper November 2011. Oracle Solaris 11 Network Virtualization and Network Resource Management

An Oracle Technical White Paper November 2011. Oracle Solaris 11 Network Virtualization and Network Resource Management An Oracle Technical White Paper November 2011 Oracle Solaris 11 Network Virtualization and Network Resource Management Executive Overview... 2 Introduction... 2 Network Virtualization... 2 Network Resource

More information

Alliance Key Manager Solution Brief

Alliance Key Manager Solution Brief Alliance Key Manager Solution Brief KEY MANAGEMENT Enterprise Encryption Key Management On the road to protecting sensitive data assets, data encryption remains one of the most difficult goals. A major

More information

An Oracle White Paper April 2013. Siebel CRM Contact Center on Oracle Engineered Systems Maximizing Contact Center Productivity

An Oracle White Paper April 2013. Siebel CRM Contact Center on Oracle Engineered Systems Maximizing Contact Center Productivity An Oracle White Paper April 2013 Siebel CRM Contact Center on Oracle Engineered Systems Maximizing Contact Center Productivity Disclaimer The following is intended to outline our general product direction.

More information

Preparing an RFI for. This RFI has been updated to reflect the new requirements in Version 3.0 of the PCI DSS, which took effect January 2015.

Preparing an RFI for. This RFI has been updated to reflect the new requirements in Version 3.0 of the PCI DSS, which took effect January 2015. Preparing an RFI for Protecting cardholder data is a critical and mandatory requirement for all organizations that process, store or transmit information on credit or debit cards. Requirements and guidelines

More information

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE THE CHALLENGE: SECURE THE OPEN AIR Wirelesss communication lets you take your business wherever your customers,

More information

The Need for Real-Time Database Monitoring, Auditing and Intrusion Prevention

The Need for Real-Time Database Monitoring, Auditing and Intrusion Prevention Whitepaper The Need for Real-Time Database Monitoring, Auditing and Intrusion Prevention May 2007 Copyright Sentrigo Ltd. 2007, All Rights Reserved The Challenge: Securing the Database Much of the effort

More information

nwstor Storage Security Solution 1. Executive Summary 2. Need for Data Security 3. Solution: nwstor isav Storage Security Appliances 4.

nwstor Storage Security Solution 1. Executive Summary 2. Need for Data Security 3. Solution: nwstor isav Storage Security Appliances 4. CONTENTS 1. Executive Summary 2. Need for Data Security 3. Solution: nwstor isav Storage Security Appliances 4. Conclusion 1. EXECUTIVE SUMMARY The advantages of networked data storage technologies such

More information

Oracle Infrastructure Systems Management with Enterprise Manager and Ops Center CON4954

Oracle Infrastructure Systems Management with Enterprise Manager and Ops Center CON4954 Oracle Infrastructure Systems Management with Enterprise Manager and Ops Center CON4954 Simon Hayler Product Manager Oracle Enterprise Manager September, 2014 Safe Harbor Statement The following is intended

More information

Running Oracle s PeopleSoft Human Capital Management on Oracle SuperCluster T5-8 O R A C L E W H I T E P A P E R L A S T U P D A T E D J U N E 2 0 15

Running Oracle s PeopleSoft Human Capital Management on Oracle SuperCluster T5-8 O R A C L E W H I T E P A P E R L A S T U P D A T E D J U N E 2 0 15 Running Oracle s PeopleSoft Human Capital Management on Oracle SuperCluster T5-8 O R A C L E W H I T E P A P E R L A S T U P D A T E D J U N E 2 0 15 Table of Contents Fully Integrated Hardware and Software

More information

An Oracle White Paper April 2014. Security and Compliance with Oracle Database 12c

An Oracle White Paper April 2014. Security and Compliance with Oracle Database 12c An Oracle White Paper April 2014 Security and Compliance with Oracle Database 12c Introduction... 2 Oracle Database 12c Security... 3 Protecting Against Database Bypass Threats... 3 Limiting Sensitive

More information

Automating Cloud Security Control and Compliance Enforcement for PCI DSS 3.0

Automating Cloud Security Control and Compliance Enforcement for PCI DSS 3.0 WHITE PAPER Automating Cloud Security Control and Compliance Enforcement for 3.0 How Enables Security and Compliance with the PCI Data Security Standard in a Private Cloud EXECUTIVE SUMMARY All merchants,

More information

IBM PowerSC. Security and compliance solution designed to protect virtualized datacenters. Highlights. IBM Systems and Technology Data Sheet

IBM PowerSC. Security and compliance solution designed to protect virtualized datacenters. Highlights. IBM Systems and Technology Data Sheet IBM PowerSC Security and compliance solution designed to protect virtualized datacenters Highlights Simplify security management and compliance measurement Reduce administration costs of meeting compliance

More information

Oracle Enterprise Manager 13c Cloud Control

Oracle Enterprise Manager 13c Cloud Control Oracle Enterprise Manager 13c Cloud Control ORACLE DIAGNOSTICS PACK FOR ORACLE DATABASE lace holder for now] Oracle Enterprise Manager is Oracle s integrated enterprise IT management product line, and

More information

How To Achieve Pca Compliance With Redhat Enterprise Linux

How To Achieve Pca Compliance With Redhat Enterprise Linux Achieving PCI Compliance with Red Hat Enterprise Linux June 2009 CONTENTS EXECUTIVE SUMMARY...2 OVERVIEW OF PCI...3 1.1. What is PCI DSS?... 3 1.2. Who is impacted by PCI?... 3 1.3. Requirements for achieving

More information

ORACLE DATABASE 10G ENTERPRISE EDITION

ORACLE DATABASE 10G ENTERPRISE EDITION ORACLE DATABASE 10G ENTERPRISE EDITION OVERVIEW Oracle Database 10g Enterprise Edition is ideal for enterprises that ENTERPRISE EDITION For enterprises of any size For databases up to 8 Exabytes in size.

More information

CimTrak Technical Summary. DETECT All changes across your IT environment. NOTIFY Receive instant notification that a change has occurred

CimTrak Technical Summary. DETECT All changes across your IT environment. NOTIFY Receive instant notification that a change has occurred DETECT All changes across your IT environment With coverage for your servers, network devices, critical workstations, point of sale systems, and more, CimTrak has your infrastructure covered. CimTrak provides

More information

NETWORK ACCESS CONTROL AND CLOUD SECURITY. Tran Song Dat Phuc SeoulTech 2015

NETWORK ACCESS CONTROL AND CLOUD SECURITY. Tran Song Dat Phuc SeoulTech 2015 NETWORK ACCESS CONTROL AND CLOUD SECURITY Tran Song Dat Phuc SeoulTech 2015 Table of Contents Network Access Control (NAC) Network Access Enforcement Methods Extensible Authentication Protocol IEEE 802.1X

More information

ORACLE CONFIGURATION SERVICES EXHIBIT

ORACLE CONFIGURATION SERVICES EXHIBIT ORACLE CONFIGURATION SERVICES EXHIBIT This exhibit incorporates by reference the terms of the order for Exadata Database Machine, Exadata Storage Expansion Rack, SuperCluster, Exalogic on SuperCluster,

More information

74% 96 Action Items. Compliance

74% 96 Action Items. Compliance Compliance Report PCI DSS 2.0 Generated by Check Point Compliance Blade, on July 02, 2013 11:12 AM 1 74% Compliance 96 Action Items Upcoming 0 items About PCI DSS 2.0 PCI-DSS is a legal obligation mandated

More information

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE THE CHALLENGE: SECURE THE OPEN AIR Wirelesss communication lets you take your business wherever your customers,

More information

Simplified Management With Hitachi Command Suite. By Hitachi Data Systems

Simplified Management With Hitachi Command Suite. By Hitachi Data Systems Simplified Management With Hitachi Command Suite By Hitachi Data Systems April 2015 Contents Executive Summary... 2 Introduction... 3 Hitachi Command Suite v8: Key Highlights... 4 Global Storage Virtualization

More information

Windows Least Privilege Management and Beyond

Windows Least Privilege Management and Beyond CENTRIFY WHITE PAPER Windows Least Privilege Management and Beyond Abstract Devising an enterprise-wide privilege access scheme for Windows systems is complex (for example, each Window system object has

More information

05.0 Application Development

05.0 Application Development Number 5.0 Policy Owner Information Security and Technology Policy Application Development Effective 01/01/2014 Last Revision 12/30/2013 Department of Innovation and Technology 5. Application Development

More information

Cautela Labs Cloud Agile. Secured. Threat Management Security Solutions at Work

Cautela Labs Cloud Agile. Secured. Threat Management Security Solutions at Work Cautela Labs Cloud Agile. Secured. Threat Management Security Solutions at Work Security concerns and dangers come both from internal means as well as external. In order to enhance your security posture

More information

Architecture Overview

Architecture Overview Architecture Overview Design Fundamentals The networks discussed in this paper have some common design fundamentals, including segmentation into modules, which enables network traffic to be isolated and

More information

Exadata Database Machine Administration Workshop NEW

Exadata Database Machine Administration Workshop NEW Exadata Database Machine Administration Workshop NEW Duration: 4 Days What you will learn This course introduces students to Oracle Exadata Database Machine. Students learn about the various Exadata Database

More information

Copyright 2013, Oracle and/or its affiliates. All rights reserved.

Copyright 2013, Oracle and/or its affiliates. All rights reserved. 1 Oracle SPARC Server for Enterprise Computing Dr. Heiner Bauch Senior Account Architect 19. April 2013 2 The following is intended to outline our general product direction. It is intended for information

More information

Clavister InSight TM. Protecting Values

Clavister InSight TM. Protecting Values Clavister InSight TM Clavister SSP Security Services Platform firewall VPN termination intrusion prevention anti-virus anti-spam content filtering traffic shaping authentication Protecting Values & Enterprise-wide

More information

How To Protect Your Cloud From Attack

How To Protect Your Cloud From Attack A Trend Micro White Paper August 2015 Trend Micro Cloud Protection Security for Your Unique Cloud Infrastructure Contents Introduction...3 Private Cloud...4 VM-Level Security...4 Agentless Security to

More information

Seven Things To Consider When Evaluating Privileged Account Security Solutions

Seven Things To Consider When Evaluating Privileged Account Security Solutions Seven Things To Consider When Evaluating Privileged Account Security Solutions Contents Introduction 1 Seven questions to ask every privileged account security provider 4 1. Is the solution really secure?

More information

How To Encrypt Data On A Network With Cisco Storage Media Encryption (Sme) For Disk And Tape (Smine)

How To Encrypt Data On A Network With Cisco Storage Media Encryption (Sme) For Disk And Tape (Smine) Data Sheet Cisco Storage Media Encryption for Disk and Tape Product Overview Cisco Storage Media Encryption (SME) protects data at rest on heterogeneous tape drives, virtual tape libraries (VTLs), and

More information

IBM 000-281 EXAM QUESTIONS & ANSWERS

IBM 000-281 EXAM QUESTIONS & ANSWERS IBM 000-281 EXAM QUESTIONS & ANSWERS Number: 000-281 Passing Score: 800 Time Limit: 120 min File Version: 58.8 http://www.gratisexam.com/ IBM 000-281 EXAM QUESTIONS & ANSWERS Exam Name: Foundations of

More information

H Y T RUST: S OLUTION B RIEF. Solve the Nosy Neighbor Problem in Multi-Tenant Environments

H Y T RUST: S OLUTION B RIEF. Solve the Nosy Neighbor Problem in Multi-Tenant Environments H Y T RUST: S OLUTION B RIEF Solve the Nosy Neighbor Problem in Multi-Tenant Environments Summary A private cloud with multiple tenants such as business units of an enterprise or customers of a cloud service

More information

<Insert Picture Here> Infrastructure as a Service (IaaS) Cloud Computing for Enterprises

<Insert Picture Here> Infrastructure as a Service (IaaS) Cloud Computing for Enterprises Infrastructure as a Service (IaaS) Cloud Computing for Enterprises Speaker Title The following is intended to outline our general product direction. It is intended for information

More information

Chapter 1: Introduction

Chapter 1: Introduction Chapter 1 Introduction 1 Chapter 1: Introduction 1.1 Inspiration Cloud Computing Inspired by the cloud computing characteristics like pay per use, rapid elasticity, scalable, on demand self service, secure

More information

Achieving PCI-Compliance through Cyberoam

Achieving PCI-Compliance through Cyberoam White paper Achieving PCI-Compliance through Cyberoam The Payment Card Industry (PCI) Data Security Standard (DSS) aims to assure cardholders that their card details are safe and secure when their debit

More information

Copyright 2012, Oracle and/or its affiliates. All rights reserved.

Copyright 2012, Oracle and/or its affiliates. All rights reserved. 1 Introducing Oracle Audit Vault and Database Firewall Billions of Database Records Breached Globally 97% of Breaches Were Avoidable with Basic Controls 98% records stolen from databases 84% records breached

More information

Plain English Guide To Common Criteria Requirements In The. Field Device Protection Profile Version 0.75

Plain English Guide To Common Criteria Requirements In The. Field Device Protection Profile Version 0.75 Plain English Guide To Common Criteria Requirements In The Field Device Protection Profile Version 0.75 Prepared For: Process Control Security Requirements Forum (PCSRF) Prepared By: Digital Bond, Inc.

More information

SECURITY PRACTICES FOR ADVANCED METERING INFRASTRUCTURE Elif Üstündağ Soykan, Seda Demirağ Ersöz 08.05.2014, ICSG 2014

SECURITY PRACTICES FOR ADVANCED METERING INFRASTRUCTURE Elif Üstündağ Soykan, Seda Demirağ Ersöz 08.05.2014, ICSG 2014 SECURITY PRACTICES FOR ADVANCED METERING INFRASTRUCTURE Elif Üstündağ Soykan, Seda Demirağ Ersöz 08.05.2014, ICSG 2014 Table of Contents Introduction AMI Communication Architecture Security Threats Security

More information

Global Headquarters: 5 Speen Street Framingham, MA 01701 USA P.508.872.8200 F.508.935.4015 www.idc.com

Global Headquarters: 5 Speen Street Framingham, MA 01701 USA P.508.872.8200 F.508.935.4015 www.idc.com Global Headquarters: 5 Speen Street Framingham, MA 01701 USA P.508.872.8200 F.508.935.4015 www.idc.com W H I T E P A P E R O r a c l e V i r t u a l N e t w o r k i n g D e l i v e r i n g F a b r i c

More information

EmulexSecure 8Gb/s HBA Architecture Frequently Asked Questions

EmulexSecure 8Gb/s HBA Architecture Frequently Asked Questions EmulexSecure 8Gb/s HBA Architecture Frequently Asked Questions Security and Encryption Overview... 2 1. What is encryption?... 2 2. What is the AES encryption standard?... 2 3. What is key management?...

More information

Infor CloudSuite. Defense-in-depth. Table of Contents. Technical Paper Plain talk about Infor CloudSuite security

Infor CloudSuite. Defense-in-depth. Table of Contents. Technical Paper Plain talk about Infor CloudSuite security Technical Paper Plain talk about security When it comes to Cloud deployment, security is top of mind for all concerned. The Infor CloudSuite team uses best-practice protocols and a thorough, continuous

More information

Testing Network Virtualization For Data Center and Cloud VERYX TECHNOLOGIES

Testing Network Virtualization For Data Center and Cloud VERYX TECHNOLOGIES Testing Network Virtualization For Data Center and Cloud VERYX TECHNOLOGIES Table of Contents Introduction... 1 Network Virtualization Overview... 1 Network Virtualization Key Requirements to be validated...

More information

Executive Summary and Purpose

Executive Summary and Purpose ver,1.0 Hardening and Securing Opengear Devices Copyright Opengear Inc. 2013. All Rights Reserved. Information in this document is subject to change without notice and does not represent a commitment on

More information

Mirantis OpenStack Express: Security White Paper

Mirantis OpenStack Express: Security White Paper Mirantis OpenStack Express: Security White Paper Version 1.0 2005 2014 All Rights Reserved www.mirantis.com 1 Introduction While the vast majority IT professionals are now familiar with the cost-saving

More information

NSFOCUS Web Application Firewall White Paper

NSFOCUS Web Application Firewall White Paper White Paper NSFOCUS Web Application Firewall White Paper By NSFOCUS White Paper - 2014 NSFOCUS NSFOCUS is the trademark of NSFOCUS Information Technology Co., Ltd. NSFOCUS enjoys all copyrights with respect

More information

Effective End-to-End Cloud Security

Effective End-to-End Cloud Security Effective End-to-End Cloud Security Securing Your Journey to the Cloud Trend Micro SecureCloud A Trend Micro & VMware White Paper August 2011 I. EXECUTIVE SUMMARY This is the first paper of a series of

More information

Oracle Database 11g: Security Release 2. Course Topics. Introduction to Database Security. Choosing Security Solutions

Oracle Database 11g: Security Release 2. Course Topics. Introduction to Database Security. Choosing Security Solutions Oracle Database 11g: Security Release 2 In this course, students learn how they can use Oracle Database features to meet the security, privacy and compliance requirements of their organization. The current

More information

Overcoming the Security Challenges of the Cloud

Overcoming the Security Challenges of the Cloud Overcoming the Security Challenges of the Cloud Best Practices for Keeping Your Data and Your Organization Safe 1.800.800.0014 www.pcconnection.com 2013 PC Connection, Inc. All rights reserved. PC Connection

More information

The Panoptix Building Efficiency Solution: Ensuring a Secure Delivery of Building Efficiency

The Panoptix Building Efficiency Solution: Ensuring a Secure Delivery of Building Efficiency logo The Panoptix Building Efficiency Solution: Ensuring a Secure Delivery of Building Efficiency Understanding the Multiple Levels of Security Built Into the Panoptix Solution Published: October 2011

More information

Health Insurance Portability and Accountability Act Enterprise Compliance Auditing & Reporting ECAR for HIPAA Technical Product Overview Whitepaper

Health Insurance Portability and Accountability Act Enterprise Compliance Auditing & Reporting ECAR for HIPAA Technical Product Overview Whitepaper Regulatory Compliance Solutions for Microsoft Windows IT Security Controls Supporting DHS HIPAA Final Security Rules Health Insurance Portability and Accountability Act Enterprise Compliance Auditing &

More information

Database Consolidation onto Private Clouds

Database Consolidation onto Private Clouds An Oracle White Paper October 2011 Database Consolidation onto Private Clouds Executive Overview... 3 Cloud Overview and Considerations... 4 Business Drivers for Consolidating Databases onto a Private

More information

White Paper How Noah Mobile uses Microsoft Azure Core Services

White Paper How Noah Mobile uses Microsoft Azure Core Services NoahMobile Documentation White Paper How Noah Mobile uses Microsoft Azure Core Services The Noah Mobile Cloud service is built for the Microsoft Azure platform. The solutions that are part of the Noah

More information

F5 and Microsoft Exchange Security Solutions

F5 and Microsoft Exchange Security Solutions F5 PARTNERSHIP SOLUTION GUIDE F5 and Microsoft Exchange Security Solutions Deploying a service-oriented perimeter for Microsoft Exchange WHAT'S INSIDE Pre-Authentication Mobile Device Security Web Application

More information

Building Docker Cloud Services with Virtuozzo

Building Docker Cloud Services with Virtuozzo Building Docker Cloud Services with Virtuozzo Improving security and performance of application containers services in the cloud EXECUTIVE SUMMARY Application containers, and Docker in particular, are

More information

Data Protection: From PKI to Virtualization & Cloud

Data Protection: From PKI to Virtualization & Cloud Data Protection: From PKI to Virtualization & Cloud Raymond Yeung CISSP, CISA Senior Regional Director, HK/TW, ASEAN & A/NZ SafeNet Inc. Agenda What is PKI? And Value? Traditional PKI Usage Cloud Security

More information