Harden and Standardize Your Database Configurations Across Clouds CON6978

2 Harden and Standardize Your Database Configurations Across Clouds (CON6978)
Martin Peña, Senior Director, Product Management, Oracle Enterprise Manager
Tim Albrecht, Database Administrator, Wells Fargo
Madhav Ravipati, Lead/Supervisor Database Administrator, PG&E
September 22, 2016
Copyright 2016, Oracle and/or its affiliates. All rights reserved.

3 Session: CON6978
Title: Harden and Standardize Your Database Configurations Across Clouds
Description: Do you think your database environments are secure? This presentation examines how to really be sure by using Oracle Enterprise Manager 13c database lifecycle management functionality. It provides the ability to evaluate various targets, along with Oracle's engineered systems, as they relate to business best practices for configuration, security, and storage. In this session, see the tools available to enforce standardization on your IT landscape, including Oracle Database 12c Security Technical Implementation Guide (STIG) checks, ORAchk/EXAchk functionality, and ways to build gold images of your environment to check configuration management, drift, and consistency.

4 Safe Harbor Statement
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.

5 Program Agenda
1. Managing Growing Complexity
2. Compliance Management
3. Customer Use Case Study: PG&E
4. Configuration Management
5. Customer Use Case Study: Wells Fargo
6. Conclusion

7 Managing Growing Complexity
- Database administrators and managers are stretched to the limit
- A substantial portion of enterprises are not adding staff to keep up with database challenges
- Companies are expanding, resulting in high data growth
- Complexity of database environments has increased
- Security issues are being raised as a major concern
Source: 2016 Unisphere Research Survey on Database Lifecycle Management

8 Oracle Enterprise Manager: Compliance Across Clouds
- Manage configuration and compliance across private and public cloud via a single pane of glass
- Simple, secure deployment
- Leverage existing IT investments

9 Database Cloud & Lifecycle Management Benefits
- Consolidation: Track assets across data centers and integrate with Consolidation Workbench for migrating the instances
- Standardization: Detect configuration pollution and help build a fleet of database services front-ended by a Service Catalog; manage drift and compliance
- Automation at Scale: Automate time-consuming and error-prone operations like provisioning, cloning, patching, upgrade
- Optimization: Leverage resource optimization techniques like storage snapshotting to save on CAPEX and OPEX wherever applicable
(Quadrant diagram spanning Admin to End Users)

10 Enterprise Manager Configuration and Compliance
- Continuous Drift and Configuration Auditing
- Ready-to-use Standards
- Automated Remediation

12 Compliance Auditing Across Clouds
- Audit across clouds (On-Premise and Oracle Cloud) against Oracle Best Practices, Oracle Recommendations and Oracle Security Guidelines
- Continuous compliance auditing of: Operating System, Database, Middleware, Applications
- 1000s of out-of-box checks
- Categories: Configuration, Security, Real Time
- Based on Oracle's best practices and security recommendations
- Extensible and customizable

13 Operationalizing at Cloud Scale
- Managing monitoring and compliance at cloud scale requires automation
- Leverage Target Properties, Template Collections and Admin Groups to automate
- The new Site target property can be used to identify Oracle Cloud targets
(Diagram: Admin Group hierarchy, All > Site (Oracle Cloud, On Premise) > Lifecycle (Production, NonProduction))

14 ORAchk & EXAchk
- Lightweight and non-intrusive health check framework for the Oracle stack
- Common framework: EXAchk for Engineered Systems, ORAchk for non-engineered systems
- Automated risk identification and proactive notification before business is impacted
- Health checks based on the most impactful recurring problems across the Oracle customer base
- Runs in your environment; no need to send anything to Oracle
- Scheduled health check reports
- Findings can be integrated into other tools of choice

15 Enterprise Manager Integration
- Related checks are grouped into compliance standards
- View targets checked, violations and compliance scores
- Check results are integrated into the EM compliance framework via plugin
- View results in native EM compliance dashboards
- Drill down into a compliance standard to see individual check results
- View breakdown by target

16 Security Technical Implementation Guides
What is a STIG? A compendium of DoD policies, security regulations and best practices provided by DISA
Goals:
- Intrusion avoidance
- Intrusion detection
- Response and recovery
- Security implementation guidelines
Enterprise Manager implementations:
- Oracle Database 11g: implemented in EM
- Oracle Database 12c: implemented as sample code now, being productized in EM

17 Oracle 12c Database STIG
(Screenshot slide)

19 PG&E Corporation
Madhav Ravipati, Supervisor, Database and Middleware Solution Delivery

20 Company Profile
- Headquarters in San Francisco, California
- Provides energy to approximately 15 million people
- 70,000 square mile service territory
(Map: PG&E service area in California)

21 IT Overview
- 290 WebLogic Domains (versions 9.2 through )
- 1200 Database instances (versions 10g through )
- host servers running Linux, AIX and Windows

22 Challenges
- Decentralized administration of databases and WebLogic Domains (for example, starting/stopping targets is done on the target host)
- Need to manage configuration information for databases and WebLogic Domains
- Need to manage compliance with company standards
- Manual process to refresh databases
- Manual patching and upgrade of databases
- Manual build process to create new databases

23 Efforts Underway with OEM 13c
- Automate host and database operations using EMCLI
- Use the OEM Compliance Management Framework with PG&E's own compliance standards
- Use the OEM Configuration Management Framework to search, report on, and compare configuration information
- Automate the database refresh process
- Automate patching and upgrade of databases using EMCLI
- Automate provisioning of new databases using DBLM and the Cloud Framework

24 Consolidation of Enterprise Manager Cloud Control 12c Deployment
Current landscape:
- 2 OEM 11g environments: Prod and Pre-Prod
- 3 OEM 12c environments: Prod, QA, and Dev
- Consolidating all into the Prod OEM
Benefits: ease of maintenance, efficiency, and operations

25 OEM Key Use Cases
- Automating IT operations
- Managing compliance with PG&E standards
- Managing configuration information
- Automating database refresh
- Patching and upgrade of databases
- Provisioning new databases via DBLM and the Cloud Framework

26 Key Use Cases: Automating IT Operations
- Utilized Configuration Search and the Job System to automate shutting down/starting up of databases, listeners, ASM, GI, etc. running on any single host
- Saved configuration searches for the target types above
- A shell script uses EMCLI to run the saved search, passing the hostname as a parameter
- The script appends the targets returned to a control job definition and uses EMCLI to run the updated job, with start/stop passed to the script as a parameter

27 Key Use Cases: Compliance Management
- Automate auditing: facilitate DB and MW managed targets to adhere to PG&E configuration standards
- Remediate: send notification on deviation from PG&E standard configurations
- Use Oracle-provided content: map PG&E configuration standards into use cases for rules, standards and framework integration
- Leverage reusable and customizable OEM compliance rules, standards and gathered target metrics

28 Custom Compliance Methodology
PG&E automation of the compliance reporting process: map PG&E configuration standards into 3 use cases (Case A, Case B, Case C)

29 Key Use Case A: Compliance Management
Example: minimum of 4 control log files
Step 1: Check for an OEM out-of-box compliance rule = SUCCESS. Enterprise -> Compliance -> Library: use the search filter. Review results => Cluster/DB Instance rule for a minimum of 3 control log files.
Step 2: Create a CUSTOM PG&E compliance rule from the result.
Step 3: Test the NEW PG&E compliance rule.
Step 4: Add the PG&E compliance rule to the PG&E compliance standard.
Step 5: Set importance, associate target(s) to the compliance standard.
Step 6: Add the PG&E compliance standard to the compliance framework.

30 Key Use Case B: Compliance Management
Example: location for $ORACLE_HOME
Step 1: Check for an OEM out-of-box compliance rule = NO
Step 2: Check the OEM repository for the gathered metric of $ORACLE_HOME for the target = SUCCESS.
Step 3: Create a CUSTOM PG&E repository rule from a custom configuration search (leverage the SQL Modeler).
Step 4: Test the NEW PG&E compliance rule.
Step 5: Add the PG&E compliance rule to the PG&E compliance standard.
Step 6: Set importance, associate target(s) to the compliance standard.
Step 7: Add the PG&E compliance standard to the compliance framework.
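The repository rule behind Step 3, written out as an added example (not PG&E's or Oracle's own code). It assumes the SYSMAN.MGMT$TARGET_PROPERTIES view exposes the agent-collected OracleHome property per database target, and the standard prefix /u01/app/oracle/product/ is a placeholder for the real PG&E standard location. Each returned row is one database whose home sits outside the standard path, so it becomes a violation for that target.

```sql
-- Added example: repository-side compliance rule for Use Case B ($ORACLE_HOME location).
-- Assumptions: SYSMAN.MGMT$TARGET_PROPERTIES holds the collected 'OracleHome' property;
-- '/u01/app/oracle/product/' is a placeholder for the organization's standard path.
-- TARGET_GUID is selected first so the violation can be bound to the target, following
-- the same column layout as the Metric Extension query later in this deck.
SELECT p.TARGET_GUID,
       p.TARGET_NAME                        AS Instance,
       p.PROPERTY_VALUE                     AS Oracle_Home,
       '/u01/app/oracle/product/'           AS Expected_Prefix
FROM   SYSMAN.MGMT$TARGET_PROPERTIES p
WHERE  p.TARGET_TYPE   = 'oracle_database'
AND    p.PROPERTY_NAME = 'OracleHome'
-- Normalize a trailing slash and compare case-insensitively, so hosts that report
-- '/U01/APP/ORACLE/PRODUCT/12.1.0/dbhome_1/' are not flagged as false positives.
AND    LOWER(RTRIM(p.PROPERTY_VALUE, '/') || '/') NOT LIKE LOWER('/u01/app/oracle/product/') || '%'
-- A home that was never collected is also a deviation worth surfacing; include it explicitly.
UNION ALL
SELECT t.TARGET_GUID,
       t.TARGET_NAME                        AS Instance,
       '<not collected>'                    AS Oracle_Home,
       '/u01/app/oracle/product/'           AS Expected_Prefix
FROM   SYSMAN.MGMT$TARGET_PROPERTIES t
WHERE  t.TARGET_TYPE = 'oracle_database'
GROUP  BY t.TARGET_GUID, t.TARGET_NAME
HAVING SUM(CASE WHEN t.PROPERTY_NAME = 'OracleHome' THEN 1 ELSE 0 END) = 0
```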

31 Key Use Case C: Compliance Management
Example: filesystem blocksize for select OS-type hosts
Step 1: Check for an OEM out-of-box compliance rule = NO
Step 2: Check the OEM repository for the gathered metric of filesystem blocksize for the OS Host target type = NO
Step 3: Build a Configuration Extension (Enterprise -> Configuration -> Configuration Extensions), deploy it to targets, and create a custom rule (using the newly collected data)
Step 4: Test the NEW PG&E compliance rule.
Step 5: Add the PG&E compliance rule to the PG&E compliance standard.
Step 6: Set importance, associate target(s) to the compliance standard.
Step 7: Add the PG&E compliance standard to the compliance framework.

32 Key Use Cases: Configuration Management
- Cloud Control collects configuration information for all managed targets across the enterprise
- Cloud Control enables you to view, save, track, compare, search, and customize collected configuration information for all managed targets known to Enterprise Manager
Notes:
- The default collection period for host configuration information is 24 hours
- The default collection period for database configuration information is 12 hours

33 Key Use Cases: Configuration Management
- Currently making extensive use of the Configuration Search feature to extract inventory information on hosts, databases, WebLogic Domains, etc.
- Planning to make use of the Configuration Comparison feature to detect inconsistencies
- Planning to make use of Configuration Snapshots to detect changes over time

34 Key Use Cases: Private Cloud with OEM Cloud Framework
- Implementing DBaaS using the Database Templates deployment model
- Created an Infrastructure Zone and Database Pool
- Creating 11g and 12c templates
- A user will request a new database on a new host via the command line (shell script)
- The script provisions new database binaries and a listener on new VMs using a Deployment Procedure (DBLM), via emcli
- Next, the script creates the new database via the Cloud APIs

35 Next Steps

37 Drift and Consistency Management
Live Drift Management (INTER target):
- Large-scale and dynamic inter-target configuration difference tracking
- Source can be a live target or a saved baseline
Consistency Management (INTRA target):
- Auto comparison of member targets
- System targets only (Exadata, Cluster DB, etc.)
(Diagram: Baseline, Real Application Cluster, Oracle Engineered System)

38 Configuration Drift Management: Find the needle in the haystack
- Compare targets across clouds (On-Premise and Oracle Cloud)
- Compare 1-1 or 1-many
- Maintain critical configuration across lifecycle environments (diagram: HR Prod, HR DR, HR Dev1, HR Dev2, HR Test)
- Ignore expected differences
- Automated notification upon drift
- Extensible and customizable

40 Harden and Standardize Your Database Configurations Across Clouds Using Enterprise Manager 12c/13c
Tim Albrecht, Database Administrator, Wells Fargo
September 2016
2016 Wells Fargo Bank, N.A. All rights reserved. For public use.

41 The ever-changing database security landscape
- The all-powerful Oz (DBA) credentials can be a liability: compromised SYS/SYSDBA or DBA IDs result in total data exposure
- Oracle stack vulnerabilities: unauthorized binary/lib folder changes
- Lack of deployment standards: inconsistent database creation and setup results in performance and security issues
- Patching. Patching. Patching: patching inconsistencies expose security vulnerabilities and instability
Nothing new here, but we need consistency and automation in all aspects of securing and standardizing database administrative activities

42 DBAs are still running the show, but roles continue to evolve
Themes: Data Security, Harden Access, Standardize, Control DB Builds, Patching
- DBAs are all-powerful, but should not be all-seeing; grants are performed by the security team
- Work must be traceable and not performed with anonymous SYSDBA connections
- The software stack must be protected from possible injection attacks
- Consistency of database creation and definition cannot be handled manually by individual DBAs
- Database patching must be consistent and timely across all platforms

43 Utilizing Enterprise Manager 12c/13c for mandated hardening actions and required database standardization
- Enterprise Manager 12c/13c OVD integration (critical for limiting use of the SYS account)
- LMP, specifically for SQL injection/unauthorized binary updates
- Compliance checks and repository Metric Extension alerting
- OraChk/ExaChk (waiting for 13c enhancements for OraChk)
- DB Vault administration
- Home cloning
- RHP (future, 12.2)
- Database script creation with 12c integration

44 EM12c / Oracle Virtual Directory Integration (Harden)
How: (Doc ID )
- 12c patches may be needed if 12c is lower than 
- Assumes Kerberos LDAP setup has been completed
Benefits:
- DBA-specific IDs used
- Faceless DBA accounts eliminated

45 EM12c Database Lifecycle Management Pack: Oracle Binary Modification Detection (Harden)
- LMP capabilities are huge
- Built-in compliance frameworks (i.e. Oracle, MySQL, Engineered Systems, etc.)
- Compliance standards contain standard rules and include the ability to create new rules
- Current work centers on real-time monitoring of Oracle binaries/lib folders
- File/folder modification compliance standards can be created

46 EM12c Database Lifecycle Management Pack: Oracle Binary Modification Detection (Harden)
- A Facet indicates what file or folder will be monitored in real time: single files, wildcards allowed, entire folders
- The compliance standard indicates what file modifications will be included

47 Using EM 12c Metric Extensions for Detection (Standardization)
- LMP is great for compliance; Metric Extensions can supplement it with additional alerting
- Repository-side Metric Extensions expose additional data that can be used as metric data and therefore alerted on
- Specific example: database parameter checks

-- Repository-side query: one row per database instance with its exafusion_enabled setting
select TARGET_GUID, TARGET_NAME as Instance, Name as Exafusion_check, Value
from SYSMAN.MGMT$DB_INIT_PARAMS_ALL
where target_type = 'oracle_database'
and Name = 'exafusion_enabled'
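The single-parameter query above generalized to a list of parameters with expected values, as an added example (not Wells Fargo's or Oracle's own code). It uses the same SYSMAN.MGMT$DB_INIT_PARAMS_ALL view and TARGET_GUID-first column layout as the slide; the expected values in the standard block are constructed placeholders, and audit_trail and remote_login_passwordfile stand in for whatever parameters the organization standardizes on.

```sql
-- Added example: repository-side Metric Extension query for database parameter checks.
-- Assumptions: SYSMAN.MGMT$DB_INIT_PARAMS_ALL as used on the slide; the expected values
-- below are placeholders for the organization's standard, not recommended settings.
-- Output: one row per instance and parameter, STATUS = 'VIOLATION' when the collected
-- value differs from the standard or was never collected, so a threshold can be set on
-- STATUS (or on a count of VIOLATION rows per instance) to raise an alert.
WITH standard AS (
  SELECT 'exafusion_enabled'         AS name, 'TRUE'      AS expected FROM dual UNION ALL
  SELECT 'audit_trail'               AS name, 'DB'        AS expected FROM dual UNION ALL   -- placeholder
  SELECT 'remote_login_passwordfile' AS name, 'EXCLUSIVE' AS expected FROM dual             -- placeholder
),
dbs AS (
  -- every database instance known to the repository, even if it lacks some parameter rows
  SELECT DISTINCT TARGET_GUID, TARGET_NAME
  FROM   SYSMAN.MGMT$DB_INIT_PARAMS_ALL
  WHERE  TARGET_TYPE = 'oracle_database'
)
SELECT d.TARGET_GUID,
       d.TARGET_NAME                        AS Instance,
       s.name                               AS Parameter,
       s.expected                           AS Expected_Value,
       NVL(p.VALUE, '<not collected>')      AS Actual_Value,
       -- a NULL comparison (missing parameter) falls through to VIOLATION on purpose
       CASE WHEN UPPER(p.VALUE) = UPPER(s.expected) THEN 'OK' ELSE 'VIOLATION' END AS Status
FROM   dbs d
CROSS JOIN standard s                         -- evaluate every instance against every parameter
LEFT JOIN SYSMAN.MGMT$DB_INIT_PARAMS_ALL p
       ON  p.TARGET_GUID = d.TARGET_GUID
       AND LOWER(p.NAME) = s.name             -- parameter names compared case-insensitively
ORDER BY d.TARGET_NAME, s.name
```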

48 ExaChk/OraChk (Standardization, maybe Harden also)
- EM 12c integration is available; EM 13c provides enhanced scheduling and reporting
- ExaChk is run weekly on all Exadata appliances at the command line to produce reports:
  - Provides a System Health Score
  - Database server recommendations
  - Cluster-wide checks
  - Provides the Maximum Availability Architecture (MAA) scorecard
  - Produces the findings-needing-further-review report
  - Platinum Certification report
  - Information on the top 10 time-consuming checks
- OraChk provides a huge amount of data and is currently run only on demand
- Looking to 13c for improvements, but OraChk is used on demand

49 ExaChk (Standardization)
- Does not provide ALL answers to Exadata best practices, but is an integral part of supporting a healthy Exadata environment
- Includes best practices for: DB, OS, Appliance
- Recommends MOS notes that pertain to Exadata management

50 EM 12c DB Vault Integration: Critical Hardening Item for DBs
- EM 12c will be used to support DB Vault administration and reporting
- SYS (and other privileged users) will NOT have access to application data
- Also tightens control of end-user access

51 Database Script Creation with EM12c Integration (Standardization and Hardening)
- Database creation has been automated with scripting to enforce database standardization for all new databases
- Wells Fargo uses an internally developed set of scripts to create new databases:
  - Calls DBCA
  - Standardizes ALL database parameters
  - Ensures internal Audit and Compliance rules are met
  - Interfaces with EM 12c to ensure required monitoring is set up (emcli)
  - Interfaces with internal inventory applications
  - Supports Multitenant databases (future EM 12c/13c emcli support will be included for adding Pluggable Databases (PDBs) to OEM)

52 Harden and Standardize with 12c/13c
- Many current 12c features are available; take advantage of the centralized cloud management provided by 12c/13c:
  - LMP (detections)
  - Provisioning (patch consistency)
  - DB clones (consistency)
  - OVD (most important: limit anonymous accounts)
  - DB Vault (management)
- 13c refines and adds additional capability:
  - Improved gold images (both DB and agent)
  - Better Exadata/Engineered Systems compliance checking (ExaChk, OraChk)
- The future is even better: RHP (no patching)

55 Enterprise Manager: Single Compliance Solution for Cloud
For automated security compliance auditing:
- Highly automated
- Continuous auditing
- Proactively alert on findings and issues
- Automated remediation or guidance
- Robust and flexible reporting

56 Additional Resources: Join the Conversation
- Twitter.com/oracle_em
- Facebook.com/oracleenterprisemanager
- Blogs.Oracle.com/OEM
- Oracle.com/newsletters