Presentation on lifecycle management, and on how, from the Enterprise Cloud Control console, we can manage a database from beginning to end.
4. Key Challenges and Solutions
Oracle Database meetups para BBAs y Arquitectos 4
Unmanaged asset sprawl
• 28% have an annual database instance growth of more than 20%
• Less than 50% have consolidated
Configuration pollution
• Too many versions, patch levels and sizes
• 1400 variants across 3 major releases for a large telecom customer
Slow time to delivery
• Days to weeks to provision database services for key projects
• Weeks to clone a complete middleware stack, such as SOA
Solutions: Consolidation, Standardization, Automation
5. Database Lifecycle Management: How Do All These Come Together
Discovery & Collection
Advise
• Patch Advisories via MOS
• Upgrade Advisories from MOS
• Configuration Policy Violations
Analyze
• Topology guided Impact Analysis
• Config Comparison for Drift Analysis: to Gold & Baseline; 1 to 1, 1 to N; Target and System
• DB Change Management: Data Comparison, Data Governance
• Patch Plans: Conflict & PreReq Analysis
Act
• Patch/Upgrade database and GI
• Mass deployment/Provisioning
• Cloning/migration of binaries and database (incl. pluggable)
• Schema Synchronization
• Settings, Drift & Policy Actions
• Configuration Changes
Audit
• Real-Time Monitoring – Who/When
• Compliance Score: Best Practices, Oracle Recommendations, Regulatory (STIG)
Report
• Inventory & Trend
• Automatic Change Reconciliation: Authorized vs Unauthorized
7. Database Provisioning: Database Cloning using Oracle Enterprise Manager 13c Provisioning
• Mass Deployment of Oracle Software (Database, Real Application Clusters)
• Supports all versions up to 12.2 including Pluggable Databases
• Gold Image cloning and standardized software deployment via Profiles
• Lock down access for controlled and error-free deployments
Flow: Source DB systems > Software Library Storage > Target DB Systems
• Save Gold image (and optionally data) from source systems to the EM software library
• Deploy saved image and data to target systems with customizations
8. Multitenant Database Provisioning: Oracle Enterprise Manager Enables Fast, Flexible Copy and Snapshot of Pluggable Databases
• Create CDBs with multiple PDBs
• Unplug and plug full data and application
• Useful for Upgrade Testing, Functional Testing, Agile development
• Storage efficient snapshots within a container database
18. Overview: Patch Automation Solution
Traditional Estate
• Automated Patching via Patch Plans
• Advice/recommend patches based on configuration
• Minimize downtime, identify issues with prerequisite check
• Patch Templates and Compliance Standards
• EMCLI Support
Cloud adds…
• Self Service maintenance
• Simple Subscription using “Gold-Image”
• Real time Patch Tracking which helps in real time compliance
Multi-Tenant adds…
• Plug/unplug Container DB Patching
• Continuous Drift and Configuration Auditing for PDBs
Engineered Systems adds…
• Extending Patching beyond the Database software: patch the database grid, patch the storage grid, patch the InfiniBand network
• Patch recommendations for the Quarterly Full Stack Download Patch
• Comprehensive dashboard of the maintenance status and needs
19. Patch Management with Oracle Enterprise Manager 13c
Phases: Patch Advice > Patch Planning > Patch Rollout > Patch Verification & Reporting
• Advise/recommend patches based on configuration
• Provides patch rating and community feedback
• Create Patch Plans & templates to apply multiple patches in a single downtime**
• Detect conflicts and file merge requests
• Perform pre-flight dependency and impact analysis**
• Push button Patching by “Operators”
• Revert to previous version in case of regression**
• Support Rolling patches for RAC, Pluggable DBs**
• Support out-of-place patching/upgrade for single instance databases**
• Support patching Exadata Database Cluster Stack**
• Support Group based patching**
• Detect and verify patching success
• Detect drift from existing gold images and rebuild them for future software rollouts
• Patch Compliance tracking and reporting
** New or Significantly Enhanced
20. Patch Automation for Engineered Systems
• Comprehensive overview of the maintenance status and needs.
• Proactive patch recommendations for the Quarterly Full Stack Download Patch (QFSDP).
• Supports automatic patch download and the ability to patch in either rolling or non-rolling mode.
• Granular step-level status tracking with real time updates, log monitoring and aggregation, supporting quick filing of support issues with pre-packaged log dumps.
• Automation either at a finer level on selective parts (2 of 7 storage server cells) or at a coarse level on the complete component (all storage server cells).
21. Patching Process: Add Patch > Analyze > Deploy; Rollback
• System State Information
• Patch as Layers
• Fine grain Logging
• Real time tracking
22. Patch Automation Benefits
• Significant labor reduction, but short of the initial goal: some customers are not able to support unified patch schedules
• Enhanced productivity for patching focals
• Decreased patch cycle times
• Improved validation
• Configuration changes consistently deployed and maintained within Oracle homes
• COTS vendor support for emergent patching changes
• Consistent patching process
24. Data Governance and Compliance Challenges
• Data centers have thousands of databases containing sensitive data which may be unprotected
• Enterprises lack enterprise-wide tools to scan databases
• Limited visibility into compliance status (encryption, masking, database vault) of sensitive data
• Hard to remediate non-compliance
(Figure labels: Protected Application 2, Protected Application 3, Unprotected Application 1)
25. Continuous Drift and Configuration Auditing
• Configuration Audit: validate conformance to standards or benchmarks using discrete logic. Best for industry and internal standards (STIG, CIS).
• Continuous Drift: validate conformance to standards using a reference configuration. Best for critical and rapidly changing configuration settings.
26. Ready to Use Compliance Standards
• Available Standards based on: Oracle’s best practices and security recommendations; Oracle Database and WebLogic STIG benchmarks; ORAchk for Engineered Systems and Databases
• 1,000s of checks in the Compliance Library
• Automated remediation with corrective actions
• Customizable to meet internal best practices
  1. Leverage Oracle provided rules matching your own
  2. Tailor Oracle provided rules with known exceptions
  3. Build custom rules to exactly match the requirement
(Figure labels: PCI, ORAchk)
27. Oracle Provided DB Compliance Content: Compliance Standards
• Pluggable Database (NEW)
  Storage Best Practices for Pluggable Database
  Configuration Best Practices for Pluggable Database
  Basic Security Configuration for Pluggable Database
• Single Instance Database Instance (and RAC Instance)
  DISA Security Technical Implementation Guide (STIG) V1.8
  Certification for Oracle Database
  Storage Best Practices for Oracle Database
  Configuration Best Practices for Oracle Database
  Basic Security Configuration for Oracle Database
  High Security Configuration for Oracle Database
  Patchable Configuration for Oracle Database
  Support Policy for Oracle Database
• Cluster Database
  DISA Security Technical Implementation Guide (STIG) V1.8
  Basic Security Configuration for Oracle Cluster Database Instance
  High Security Configuration for Oracle Cluster Database Instance
  Certification for RAC Database
  Configuration Best Practices for Oracle RAC Database
  Patchable Configuration for RAC Database
  Storage Best Practices for Oracle RAC Database
  Support Policy for RAC Database
• Listener
  Basic Security Configuration for Oracle Listener
  High Security Configuration for Oracle Listener
500+ Individual Compliance Rules
28. Configuration & Compliance Management: Key Features
Setup and Maintenance
• Comparison Templates – ignore expected differences
• Group Association: current and future members; supported – Admin, Dynamic, Static
• Test Mode: test the definition before mass deployment; option for new group members to be tested before their results are added
Operational
• Summary Dashboards: Compliance and Drift
• Side by Side Results: compare CIs across N targets in a single view
• Incident Management Integration: standard ruleset notification methodology
• Corrective Actions – Manual/Auto
29. Drift and Consistency Management
• Drift Management – INTER Target: large scale and dynamic INTER target configuration difference tracking; the source can be a live target or a saved baseline
• Consistency Management – INTRA Target: auto comparison of member targets; system targets only (Exadata, Cluster DB, etc.)
(Figure labels: Live, Baseline, Real Application Cluster, Oracle Engineered System)
30. Drift and Consistency Management: Key Customer Use Cases
Drift
• DB Initialization Parameters: saved DB reference compared to 1200+ DBs; compare 50 DB initialization parameters only
• Application Patches: live Fusion App instance reference compared to 1000+; compare ONLY patches
• Host Configuration: live Linux host reference compared to 500+ hosts; compare extended configuration collections
Consistency
• RAC DB Instances: consistency of instances WITHIN 500+ Cluster DBs
• Data Guard Standbys: consistency of the primary DB with its DG standby databases; 100s of DB systems
• Exadata Storage Cells: consistency of storage cells within Exadata
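As an added example (not Oracle's or the presenter's code), the following Python models the drift and consistency comparisons described on slides 28 to 30: a comparison template that ignores expected differences and can restrict the compared parameters, a 1-to-N drift check of targets against a saved reference, and an intra-target consistency check across the members of one system. The ComparisonTemplate class, the two functions and the parameter values are constructed assumptions, not Enterprise Manager APIs or real collected data.

```python
# Added example (not Oracle's code): inter-target drift against a saved
# baseline and intra-target consistency, with a comparison template.
from dataclasses import dataclass, field
from typing import Optional, Set

@dataclass
class ComparisonTemplate:
    ignored: Set[str] = field(default_factory=set)  # expected differences
    only: Optional[Set[str]] = None                  # e.g. "50 init parameters only"

    def keys(self, *configs):
        names = set().union(*(c.keys() for c in configs))
        if self.only is not None:
            names &= self.only
        return sorted(names - self.ignored)

def drift(baseline, targets, template):
    """1-to-N: each target vs the saved (or live) reference.
    Returns {target: {param: (reference_value, target_value)}} for drifted params."""
    report = {}
    for name, cfg in targets.items():
        diffs = {k: (baseline.get(k), cfg.get(k))
                 for k in template.keys(baseline, cfg)
                 if baseline.get(k) != cfg.get(k)}
        if diffs:
            report[name] = diffs
    return report

def consistency(members, template):
    """Intra-target: parameters not identical across all members of one system
    (e.g. RAC instances). Returns {param: {member: value}}."""
    out = {}
    for k in template.keys(*members.values()):
        values = {m: c.get(k) for m, c in members.items()}
        if len(set(values.values())) > 1:
            out[k] = values
    return out

# Constructed sample data: a saved reference and two databases' collected settings
BASELINE = {"audit_trail": "DB,EXTENDED", "sec_case_sensitive_logon": "TRUE",
            "remote_os_authent": "FALSE", "instance_name": "ref"}
TARGETS = {
    "prod1": {"audit_trail": "DB,EXTENDED", "sec_case_sensitive_logon": "TRUE",
              "remote_os_authent": "FALSE", "instance_name": "prod1"},
    "prod2": {"audit_trail": "NONE", "sec_case_sensitive_logon": "TRUE",
              "remote_os_authent": "TRUE", "instance_name": "prod2"}}
TEMPLATE = ComparisonTemplate(ignored={"instance_name"})  # instance names differ by design
```

Running `drift(BASELINE, TARGETS, TEMPLATE)` reports only prod2, whose auditing and remote OS authentication settings have moved away from the reference, while the per-instance name is ignored by the template.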
31. Automated Remediation
• “Harden” any database, middleware, host, etc.; initiate remediation manually or automatically
• Associate corrective actions to compliance rules
• Violation context can be passed to repair the specific issue
32. Reusable Compliance Hierarchy
• Compliance Framework: groups Compliance Standards of different target types
• Compliance Standard: group of Compliance Rules, specific to a single target type
• Compliance Rule: discrete check or test, specific to a target type
• Real Time Facet: group of related entities (files, processes or users)
(Figure: Compliance Frameworks > Compliance Standards > Compliance Rules > Real Time Facets; roles shown: Compliance Manager, Security Auditors; DBAs, Admins, IT Managers)
34. About STIGs
• STIGs - Security Technical Implementation Guides
• Published by the US Defense Information Systems Agency
• According to the DISA website, “The STIGs contain technical guidance to ‘lock down’ information systems/software that might otherwise be vulnerable to a malicious computer attack.”
• Available for Operating Systems, Applications (App Svr, Databases, etc.) and much more.
• Who uses them? Many US Government agencies are required to follow them. Many US and non-US commercial companies voluntarily follow or base their internal standards on these benchmarks.
35. STIG Implementation Issues
• Challenges: mainly manual effort to check/validate conformance; drift over time can result in undetected violations until the checks are repeated; very costly and resource intensive to validate
• Requirement: an automated solution to continuously validate against the STIGs; proactive alerting of changes resulting in non-conformance
36. Oracle Database 11g STIG Compliance Standard
• What is it? A turnkey solution to automatically audit and report conformance of your Oracle 11g and 12c databases against the STIG benchmark, based on the DISA Security Technical Implementation Guide for Oracle Database 11g Version 1.8 Rev 1.8
• What do I need to use it? Enterprise Manager and Agent must be 12.1.0.4 or later
• How is it licensed? It is part of the Oracle Database Lifecycle Management Pack
37. Oracle Database 12c STIG Compliance Standard
• Includes both Oracle Database and Oracle Home checklists
• Almost all “Scripted” defined checks have been automated.
• ~20% of Manual/Interview checks automated.
• The remaining checks require manual attestation.
38. Compliance Rule to STIG Mapping
Compliance Rule              STIG Check
Name                         STIG ID + Description
Severity                     Severity
Description                  Check Long Name
Rationale                    Vulnerability Discussion
Configuration Extension      Script
Compliance Rule Type         STIG Check
  Agent-Side                 Script
  Manual                     Manual/Interview
* Exceptions noted in the Oracle Database Compliance Standards Reference guide in the EM Documentation
39. Detailed and Actionable Findings
• Findings include violation context: offending database, specific check findings, date discovered
• Guided Resolution: recommendation offered (as per STIG documentation)
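As an added example (not Oracle's or the presenter's code), the following Python models the reusable hierarchy of slide 32 and the finding fields of slides 38 and 39: a framework groups standards, each standard is specific to one target type and groups rules, and each failed rule yields a finding with violation context and a recommendation, alongside a compliance score. The class names, the severity scale, the STIG-PLACEHOLDER rule IDs and the target configurations are constructed assumptions, not Enterprise Manager's content or API.

```python
# Added example (not Oracle's code): Framework > Standard > Rule hierarchy with findings
from dataclasses import dataclass, field
from datetime import date
from typing import Callable, List

@dataclass
class ComplianceRule:                 # one discrete check, specific to a target type
    name: str                         # maps to STIG ID + description
    severity: str                     # assumed scale: Critical / Warning
    check: Callable[[dict], bool]     # agent-side check: True means compliant
    recommendation: str               # guided resolution shown on a finding
@dataclass
class ComplianceStandard:             # group of rules for ONE target type
    name: str
    target_type: str
    rules: List[ComplianceRule] = field(default_factory=list)
@dataclass
class ComplianceFramework:            # groups standards of different target types
    name: str
    standards: List[ComplianceStandard] = field(default_factory=list)

def evaluate(framework, targets, today=date(2017, 1, 1)):
    """Run each standard's rules on targets of its type; returns (findings, score%)."""
    findings, total, passed = [], 0, 0
    for std in framework.standards:
        for tname, tgt in targets.items():
            if tgt["type"] != std.target_type:
                continue
            for rule in std.rules:
                total += 1
                if rule.check(tgt["config"]):
                    passed += 1
                else:  # violation context: offending target, check, date, advice
                    findings.append(dict(target=tname, rule=rule.name, severity=rule.severity,
                                         discovered=today.isoformat(), recommendation=rule.recommendation))
    return findings, (100 * passed // total if total else 100)  # 100 when no checks ran

# Constructed rules; "STIG-PLACEHOLDER-n" stands in for the real STIG IDs
DB_STANDARD = ComplianceStandard("Basic Security Configuration", "oracle_database", [
    ComplianceRule("STIG-PLACEHOLDER-1 Auditing enabled", "Critical",
                   lambda c: c.get("audit_trail", "NONE") != "NONE",
                   "Set AUDIT_TRAIL to a value other than NONE"),
    ComplianceRule("STIG-PLACEHOLDER-2 Remote OS authentication disabled", "Critical",
                   lambda c: c.get("remote_os_authent") == "FALSE",
                   "Set REMOTE_OS_AUTHENT to FALSE")])
FRAMEWORK = ComplianceFramework("Constructed framework", [DB_STANDARD])
TARGETS = {  # constructed collected configuration per target
    "hrdb": {"type": "oracle_database", "config": {"audit_trail": "DB", "remote_os_authent": "FALSE"}},
    "devdb": {"type": "oracle_database", "config": {"audit_trail": "NONE", "remote_os_authent": "FALSE"}},
    "lsnr1": {"type": "oracle_listener", "config": {}}}
```

`evaluate(FRAMEWORK, TARGETS)` skips the listener (no standard of its type is in the framework), flags devdb on the auditing rule, and scores 75% for the four checks that ran.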
40. Reporting – Flexible and Integrated
• Results viewable across databases, for a single database, or for a single check
• Historical trend and score information
• Schedule and Email
• Formats – PDF, HTML, CSV
41. Simple and Easy to Use
• Two simple steps: 1. Select Standard; 2. Select Targets
• Results – almost immediately
• Checks run daily (by default)
• Configurable notification on violation
42. Enterprise Manager – Single Compliance Solution for Cloud, for Automated Security Compliance Auditing
• Highly automated
• Continuous auditing
• Proactively alert on findings and issues
• Automated remediation or guidance
• Robust and flexible reporting
43. Angel Freire Ramírez
Principal Solution Architect
angel.freire@avanttic.com
Oracle Database meetups para DBAs y Arquitectos
Editor's Notes
Mass deployment of Oracle software (database, Real Application Clusters)
Data centers have thousands of databases containing sensitive data which may be unprotected. Enterprises lack tools to scan databases across the whole enterprise. Limited visibility into the compliance status (encryption, masking, database vault) of sensitive data. Hard to remediate non-compliance.
Previously, the Traditional Security Checklist consisted of five (5) sub-checklists that were selected for use depending on the type of review being performed. The new Traditional Security Checklist consolidates all controls into a single document and is more granular both in the increased number of checks (151 in total versus 96 in total in the old checklists) and in the details on how to perform them. It provides a more complete and up-to-date list of references, the relationship and the authority for the controls relating to the protection of Defense Information System Network (DISN) assets, and will improve reviewer consistency in the application of potential findings. While the number of potential findings has increased and they are more focused on a specific control, there is additional granularity within each control. In many of the primary controls there are additional considerations and "sub-controls". As the new checklist is developed further, some of these sub-controls may become additional standalone primary controls. The format and content flow of the new checklist is similar to other Security Technical Implementation Guide checklists derived from the Vulnerability Management System (VMS) database, which DISA FSO, Combatant Commands, Services and Agencies (CC/S/A) and other Federal Agencies with access to the Defense Information Systems Network (DISN) use to document and track the findings observed during Command Cyber Readiness Inspections (CCRI).