Comprehensive Data Protection on Oracle SuperCluster M7
by Ramesh Nagappan
This article describes how Oracle SuperCluster M7 provides a superior platform for deployment of enterprise-scale applications and database workloads and multitenant private cloud services by protecting information while at rest, in use, and in transit.
The Oracle SuperCluster engineered system is a comprehensive platform—including servers, storage, networking, and integrated software components—that provides a superior platform for the deployment of enterprise-scale applications and database workloads. Oracle SuperCluster enables organizations to host multiple applications and database service workloads for development purposes, for operational purposes, and to host different lines of business-critical workloads as private cloud services on a single platform with enterprise-grade security and scalability. Oracle SuperCluster provides an isolated environment for different sets of autonomous legal entities that reside on a single platform while meeting service-level agreements (SLAs) for performance, availability, scalability, security, and compliance. As an engineered system, Oracle SuperCluster is ideally suited for database and application consolidation and can be used to create a multitenant private cloud environment capable of supporting infrastructure as a service (IaaS), platform as a service (PaaS), and software as a service (SaaS).
Protecting information—while at rest, in use, and in transit—for the multiple entities that operate on a single platform is a key challenge, and the data protection requirement to secure and validate information is often grounded upon the use of cryptographic services. From encryption and decryption to digital fingerprinting and certificate validation, cryptography is one of the most widely deployed security controls in modern IT organizations. Oracle SuperCluster includes a wealth of capabilities to deliver complete, efficient, and high-performance end-to-end cryptographic services.
Oracle SuperCluster Overview
Oracle SuperCluster M7 combines the computing power of Oracle's SPARC M-Series processors, the efficient virtualization capabilities of Oracle VM Server for SPARC, the performance and scalability of the Oracle Solaris operating system, the optimized database performance of Oracle Database integrated with Oracle Exadata Storage Servers, and the innovative network-attached-storage (NAS) capabilities of Oracle ZFS Storage Appliance. Each of these core components is connected over a redundant InfiniBand fabric that enables low-latency and high-performance network communication between all components. In addition, a 10 GbE network is employed allowing clients to access services running on Oracle SuperCluster. Finally, a 1 GbE network provides the conduit through which all Oracle SuperCluster components can be managed.
Oracle SuperCluster supports a range of half-rack and full-rack configurations. For more information on the Oracle SuperCluster family of engineered systems, please visit oracle.com/engineered-systems/supercluster.
Key components that provide cryptographic capabilities in Oracle SuperCluster M7 include:
- Oracle's SPARC servers. The SPARC M-Series family of processors is designed with an integrated on-chip cryptographic acceleration feature that enables strong cryptographic services without sacrificing performance, and with the Silicon Secured Memory feature for hardware-based memory protection. The SPARC M7 processor can accelerate the performance of 15 industry-standard cryptographic algorithms in addition to securely generating random numbers. These capabilities can be delivered to operating systems running directly on SPARC M7 processors or they can be passed through to individual virtual machines—Oracle Solaris Zones and dedicated domains (LDOMs). Silicon Secured Memory performs dynamic pointer checking that can detect memory reference errors. This technology safeguards against bad pointers, invalid or stale references, and buffer overruns, preventing memory scraping, silent data corruption, and application problems that can consume significant development time to diagnose and correct.
- Oracle Solaris. Oracle Solaris Cryptographic Framework enables applications to directly access the hardware accelerated on-core cryptographic functions—without requiring the use of special drivers, the kernel environment, or root permissions. The Oracle Solaris Cryptographic Framework libraries provide a set of cryptographic services and APIs for both kernel- and user-level applications and OpenSSL libraries. Oracle Solaris 11 Cryptographic Framework enables ZFS encryption and automatically leverages the SPARC M-Series processor–based hardware-assisted cryptographic acceleration to deliver encryption of data stored in Oracle ZFS Storage Appliance. Data can be encrypted at the project, share, or LUN level for granular efficiency and control.
- Oracle Database. Oracle Database features Transparent Data Encryption (TDE), which provides the ability to encrypt sensitive application data on storage media completely transparent to the application itself. TDE enables encryption of individual table columns and the entire tablespace. TDE automatically leverages hardware-assisted cryptographic acceleration using SPARC T-Series or M-Series processors in Oracle SuperCluster for offloading cryptographic processing associated with tablespace encryption, network encryption, and master key–based operations.
With its inherent SPARC hardware and Oracle Solaris and Oracle Database security capabilities, Oracle SuperCluster offers high-performance cryptographic capabilities from the ground up for delivering data protection for application deployment architectures. For example, as shown in Figure 1, data in transit is protected with Transport Layer Security (TLS). In addition, data at rest is protected with TDE and Oracle Solaris Cryptographic Framework, and it is encrypted with strong encryption. From enabling encryption and decryption of all information to ensuring secure key management, Oracle SuperCluster supports comprehensive data protection security controls intended for securing modern IT organizations.
Figure 1. Oracle SuperCluster provides layered, comprehensive data protection to protect data in transit, in use, and at rest.
The following sections describe Oracle SuperCluster cryptographic services at the workload, database, network, and storage layers, as well as key management services.
Workload Cryptographic Services
Oracle's SPARC M-Series family of processors provides comprehensive support for industry-standard cryptographic algorithms and random-number generation. These capabilities can be delivered to operating systems running directly on SPARC M-Series processor–based servers or passed through individual domains created using Oracle VM Server for SPARC virtualization technology and Oracle Solaris Zones technology.
The Oracle Solaris operating system, by default, takes advantage of the SPARC S-Series and M-Series processors (and also Oracle VM Server for SPARC) for highly efficient cryptographic operations processed through the Oracle Solaris Cryptographic Framework and OpenSSL. This shared framework is a gathering point for services providing or using cryptography in Oracle Solaris. In practice, Oracle Solaris Cryptographic Framework acts as the core intermediary between user-level applications and the underlying hardware. Using Oracle Solaris Cryptographic Framework, users, applications, and services can be assured that they are not only using the most optimized algorithms, but they are also leveraging the hardware-assisted cryptographic capabilities of SPARC M-Series processors and key management support available via the Oracle Key Manager system.
This support enables organizations to leverage improved security and performance not only for their core database and application security services but also for administrative and support activities that run on those servers, even when they run inside an Oracle Solaris Zone. Oracle Solaris also includes integrations that allow applications using OpenSSL, Java, or Apache to use this common framework, including any available cryptographic acceleration, for improved performance.
Network Cryptographic Services
To protect information flowing to and from databases and applications, organizations are encouraged to utilize protocols that support strong authentication and encryption of network communications. This practice protects the confidentiality and integrity of communications and helps ensure that data is not exposed to unauthorized parties while in transit over the network. Cryptographic services provided by the Oracle SuperCluster platform benefit from hardware acceleration, which improves overall security without sacrificing any performance.
Protecting network traffic is important for both services deployed and services managed in the Oracle SuperCluster platform. Organizations are advised to adopt appropriate security measures for administrative and operational activities including, but not limited to, encrypting communications with stronger algorithms, for example:
- Secure Shell provides secure administrative access to Oracle SuperCluster components, including Oracle's SPARC M-Series processor–based servers, Oracle Integrated Lights Out Manager (Oracle ILOM), Oracle's Sun Datacenter InfiniBand Switch 36, Oracle ZFS Storage Appliance, Oracle Exadata Storage Servers, and the integrated Cisco Catalyst 4948 Ethernet Switch.
- IPsec/IKE (using IP over InfiniBand and IP over Ethernet) can protect communications between domains or zones.
- TLSv1.2 support can enable secure communications between applications, management consoles, and other services.
For additional security and isolation, organizations can consider assigning individual digital certificates for each instance or cluster. This provides isolated cryptographic boundaries that protect data even when it flows over a shared network.
Database Cryptographic Services
Once information has been received over the network, it is then processed and stored by the database. This information at rest must also be protected to help organizations comply with their security policies and compliance mandates. Oracle Advanced Security (an Oracle Database Security option) encrypts information in the database using its TDE functionality. TDE functionality can be leveraged to encrypt application data seamlessly including both application table columns and application tablespaces.
The Oracle Advanced Security option (including TDE) takes advantage of the cryptographic hardware acceleration capabilities that are built into the SPARC T-Series, S-Series, and M-Series processors. This allows organizations to protect all their information without the significant performance penalties typically associated with software-only encryption methods. Tablespace encryption can be used when entire tables or collections of database schema must be protected. In addition, data that is stored in temporary tablespaces and redo logs is encrypted. Even when the database is backed up, the data remains encrypted on the destination media, protecting information at rest no matter where it is physically stored. Oracle Database features secure communication support using the TLSv1.2 protocol, which can also be used to encrypt SQL*Net and JDBC traffic to protect information while it is flowing over a network. An application's administrative and operational connections can be protected using this mechanism to ensure that data in motion can be protected.
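The two TDE scopes described above (individual columns and whole tablespaces), followed by the dictionary queries an administrator can use to confirm what is actually encrypted. This is an added example, not code from the original article; the tablespace name, table name, and datafile path are constructed for illustration, and it assumes the TDE keystore is already open with a master key set.

```sql
-- Assumption: the TDE keystore (wallet) is open and a master key exists.
-- secure_ts, app_customers and the datafile path are constructed names.

-- 0. Confirm the keystore state before creating encrypted objects.
SELECT wrl_type, status
FROM   v$encryption_wallet;

-- 1. Tablespace encryption: every segment stored here is encrypted on disk.
CREATE TABLESPACE secure_ts
  DATAFILE '/u01/app/oracle/oradata/EXAMPLE/secure_ts01.dbf' SIZE 100M
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

-- 2. Column encryption: only the named column is encrypted,
--    wherever the table happens to be stored.
CREATE TABLE app_customers (
  customer_id NUMBER PRIMARY KEY,
  full_name   VARCHAR2(100),
  card_number VARCHAR2(19) ENCRYPT USING 'AES256'
);

-- 3. Verify: encrypted tablespaces and the algorithm in use.
SELECT t.name, e.encryptionalg, e.encryptedts
FROM   v$tablespace t
JOIN   v$encrypted_tablespaces e ON e.ts# = t.ts#;

-- 4. Verify: encrypted columns and their algorithm.
SELECT owner, table_name, column_name, encryption_alg
FROM   dba_encrypted_columns;

-- 5. Gap check: permanent tablespaces that are NOT encrypted.
--    Application data found here is protected only if its
--    sensitive columns appear in the result of query 4.
SELECT tablespace_name
FROM   dba_tablespaces
WHERE  contents = 'PERMANENT'
AND    encrypted = 'NO'
AND    tablespace_name NOT IN ('SYSTEM', 'SYSAUX');
```

Running queries 3 to 5 after each schema change gives a quick inventory of which data at rest is covered by TDE and which is not.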
Storage Cryptographic Services
For compliance with internal security guidelines as well as government security mandates, many enterprises are required to protect user data and application data, both on disk and on tape devices. Oracle SuperCluster offers two primary storage subsystems: Oracle ZFS Storage Appliance for applications running on the Oracle SuperCluster platform and Oracle Exadata Storage Servers for databases running on the Oracle SuperCluster platform. In addition, many Oracle SuperCluster deployments include backup and recovery configurations that use tape-based storage. Encryption can be deployed at all storage levels to increase security and protect against unauthorized access of data.
Oracle ZFS Storage Appliance Encryption
Oracle SuperCluster leverages Oracle Solaris 11 to encrypt data stored on Oracle ZFS Storage Appliance. By default, ZFS uses the latest Oracle Solaris 11 cryptographic service APIs, which automatically benefit from the hardware acceleration of the AES algorithm available on the Oracle SuperCluster platform. The policy for encryption is set at the data set level when data sets (file systems or ZVOLs) are created. Each ZFS on-disk block (the smallest size is 512 bytes; the largest is 128 K) is encrypted using the AES algorithm in either CCM or GCM mode. The wrapping keys need to be provided by the Oracle Solaris administrator who creates the file system, but they can be changed at any time without taking the file system offline. The data encryption keys are randomly generated at data set creation time but can be changed, if needed.
As a general best practice, it is recommended to use Oracle Key Manager for centralized key management of all data storage encryption components. Oracle Key Manager helps ensure the wrapping keys are encrypted in storage and the keystore is protected. For detailed information and best practice recommendations using encryption on Oracle ZFS Storage Appliance, please review the Oracle technical white paper "Best Practices for Deploying Encryption and Managing Its Keys on the Oracle ZFS Storage Appliance."
Oracle Exadata Storage Server Encryption
To further improve the performance of these operations, the Oracle Exadata Storage Servers are configured by default to use the cryptographic accelerators that are part of the storage server cells. As a result, both encryption and decryption are processed without significant performance loss to overall operations, thereby marginalizing the burden typically associated with the use of cryptography in software-only mode.
In addition to protecting data itself, it is also important to protect the encryption keys that are used to secure the data. Generating and managing encryption keys, especially for large collections of services in a big data center environment, has traditionally been a challenging scenario. Key-management systems can simplify the management and monitoring of encryption keys used to protect information at rest. Oracle Key Manager can be used to provide secure key services for Oracle SuperCluster in enterprise data center environments.
Oracle Key Manager is a comprehensive key management system (KMS) that supports enterprise-class environments with a highly scalable and available architecture—it can manage thousands of devices and millions of keys. Oracle Key Manager operates on a hardened operating environment, enforcing strong access control and role separation for key management. It allows monitoring of operations and optionally supports the monitoring and management of secure storage of keys in Oracle's Sun Crypto Accelerator 6000 PCIe Card, a secure hardware module that is compliant with FIPS 140-2.
Oracle SuperCluster enables Oracle Key Manager to securely facilitate authorizing, controlling, and managing access to encryption keys. These keys are used by Oracle Database instances and Oracle Fusion Middleware applications, and they support encrypted ZFS file systems for Oracle SuperCluster–resident tenant zones and domains. A clustered Oracle Key Manager deployment provides additional protection against encryption key loss and the resulting loss of access to data due to a key manager server failure.
Protecting information while at rest, in use, and in transit is of vital importance to any enterprise. Cryptographic services often play a key role in providing these types of protection. Oracle SuperCluster is an ideal platform that supports a wealth of capabilities to deliver a complete, efficient, and high-performing end-to-end cryptographic solution. From workload to database processing, to network communication, and on to disk storage, Oracle SuperCluster provides a comprehensive set of cryptographic capabilities designed to work together to provide the security, scalability, and performance required for any enterprise environment.
- Oracle SuperCluster
- Oracle Database Security
- Oracle ZFS Storage Appliance Encryption
- Oracle Solaris 11: Security and Compliance
- The "Encrypting ZFS File Systems" section of Oracle Solaris 11.1 Administration: ZFS File Systems
- "Best Practices for Deploying Encryption and Managing Its Keys on the Oracle ZFS Storage Appliance"
- The "Introduction to the Oracle Solaris Cryptographic Framework" section of Developer's Guide to Oracle Solaris 11 Security
- "Oracle SuperCluster—Secure Private Cloud Architecture Overview"
- "Oracle SuperCluster M7 Platform Security Principles and Capabilities"
About the Author
Ramesh Nagappan is a Senior Principal Software Engineer at Oracle Corporation. He currently works on security integrations for Oracle SuperCluster engineered systems and remains focused on technologies related to cloud infrastructure security, network and application security, hardware-assisted cryptography, identity management, compliance auditing, and strong authentication using PKI, smartcards, and biometrics. Previously, he held architecture and development roles as part of JavaSoft and was involved with Java security and the Sun Java Center consulting practice for enterprise customers. He has coauthored five popular books and contributed several articles on topics related to security, Java EE, XML web services, and identity management. Nagappan received a master's degree in industrial automation from the Indian Institute of Science and a master's degree in applied sciences from Harvard University, and he actively holds CISSP, Certified Information Systems Auditor (CISA), and Certified in Risk and Information Systems Control (CRISC) certifications.
Revision 1.0, 08/19/2015