
This chapter is going to outline the prior context to Cloud computing, what it actually means in practice, what the issues are with deployment, and how EM12c enables a transition to using private or public clouds. You’ll see how to manage both identity and privileged access during that process by using the integrated capability between EM12c and BeyondTrust’s PowerBroker tool.

Everybody’s talking about moving to “the cloud,” and even Mr Ellison has reformed his initial skepticism, stating that Oracle’s main competitor is now Amazon. According to sources within Oracle, “Cloud” will become the single greatest income stream in the very near future. What is the cloud, why move to it, and what are the issues? How is this relevant to a DBA team? But first, the background context.

Historical Context to the Cloud

The Harvard Business Review published a piece just over 10 years ago on the commoditization of IT (find it at http://hbswk.hbs.edu/archive/3520.html ). Centralized commoditization is one contributing factor to what we understand as cloud computing, but it is not the whole story. There is a larger battle here—the battle between local disk storage and centralized servers. Going back a few decades, Microsoft and Sun Microsystems had very different models. One was based on local disk storage and the other was based on the “network as the machine.” Cloud is really the extension of that debate. The enabler of cloud is reliable network bandwidth for mobile, home, and work, so that local storage is needed less and the potential of applications based on the network is now being realized.

What Is the Cloud?

Essentially, the cloud is a form of outsourcing to a shared infrastructure, usually from a vendor that used to supply software to be used locally, but that now supplies the service of using that software on their cloud platform.

The major categories of cloud design are:

  1. Public – an Internet-accessible version of previously internally accessible applications that are hosted by Oracle; see https://cloud.oracle.com/home

  2. Private – internally consolidated and centrally provisioned applications benefitting from cloud-oriented versions of the same applications that had previously been de-centralized. The 12c database and quickly provisioned VM-based applications form the internal capability.

  3. Hybrid – both of the above. Public and private applications that are integrated so that an organization can test the water and retain internal capability in case of migration issues. This also allows a division by sensitivity, i.e., commodity IT can be outsourced while keeping sensitive BI-type (Business Intelligence) applications in-house.

  4. Cloud-to-Cloud – integration of web-based services

The technology that is being provided through a solution termed as “Cloud” includes:

  • SaaS – Software as a Service

  • DBaaS – Database as a Service

  • PaaS – Platform as a Service

  • IaaS – Infrastructure as a Service

Benefits of Cloud Computing

The benefits of adopting a vendor-provided cloud solution are:

  1. Economies of scale

  2. Hardware spare capacity can be fully utilized

  3. Smoothing out many peaks of demand; elasticity through internal virtualization

  4. Vendor infrastructure can be used to piggyback the client organization’s mobile apps – mass localization of previously internal applications

  5. The vendor derives value from the data, which it can pass on to users in the form of lower costs, e.g., salesforce.com selling client information through data.com. This may, however, be seen as a security disadvantage.

  6. Fast startup – scalability

  7. Can act as a competitive lever to enable a company to gain better value from internal functions

Issues Agreeing and Implementing Cloud

There are several objections to and problems with cloud.

Private terms of agreement:

  • Setting measurable SLAs for performance, resilience, dependency, reliability, and security

  • Agreeing to terms of liability in case of issues with the above

Legal and regulatory terms:

  • Data location and export; residency of the data and local applicable laws

  • Data subject rights

  • Confidentiality and rights to monitor

  • Security and compliance, who is responsible for audits and what is to be done if there is a breach?

  • Which security policy is to be used? That of vendors or clients?

  • Data retention and portability

  • Termination events – how to extract oneself from the agreement; avoiding lock-in

  • Intellectual property rights. To whom does the data belong?

    (Please see this excellent paper for more details on cloud contract negotiation: http://stlr.stanford.edu/pdf/cloudcontracts.pdf )

The major concern for me with Cloud is that I do not trust another company to not take advantage of me once they have power over my critical systems. I have been involved with a number of companies that have entrusted the software and database that represent critical components of their system to the cloud, then had legal issues negotiating a fair rate and difficulty extricating themselves from the agreement.

Those among us who have been in IT for a while will remember GeoCities X drive functionality, which was a remote network hard drive given free of charge at first. But after the files had been read by the supplier, and the user had become used to the service, the drive became a chargeable service. GeoCities ultimately folded, but it was a precursor to future aspects of cloud provision. GeoCities was a consumer service and small scale, but for large business systems once cloud becomes integrated into the critical path then licensing negotiation could be a bit one sided if the vendor has the ultimate power to pull the plug on a company’s systems.

This same issue has played out in the software world. The growth of software escrow companies like NCC in the United Kingdom, which have made good profit from holding copies of source code for commercial software “in trust” as a third party for a software vendor and a user of that software, shows that this power balance is of great concern. What does a large company do if their software supplier goes out of business or becomes unreasonable? The user of the software has no recourse – unless a software escrow business can be the intermediary, thus ensuring fair play and covering the eventuality of the software vendor going out of business.

The notion of escrow for cloud service provision is an interesting one. Will vendors like Oracle or Microsoft allow for the safe storage of cloud source code in a third-party escrow vault? More to the point, how does one verify that it is the running code? Perhaps the escrow solution is impractical for cloud, hence the growth of the cloud contract law negotiation field previously discussed.

The other major concern that should be considered before migrating currently internal applications to a cloud provider is the speed of the software. This is termed as latency. You must test the latency between a cloud provider and the client systems. In my experience, the data center location has an enormous effect on how responsive the network will be. As an example, Oracle’s main competitor for cloud software provides much of its UK cloud services from Dublin, Ireland, which results in a significant latency to mainland Britain. Oracle, on the other hand, when supplying cloud services to central Europe, has deployed data centers to that local geographical location in order to keep latency at a minimum.

Latency Testing

If you would like to measure latency on the desktop there is a handy tool freely available at this URL: http://www.nirsoft.net/utils/network_latency_view.html . It also includes free GeoIP tools. The easy-to-use free GUI is shown in Figure 19-1.

Figure 19-1. Network latency tool (free)

For commercial due diligence you will need to move to professional DB load-testing applications such as RAT by Oracle (similar in many ways to http://dominicgiles.com/swingbench.html ). You could also consider network companies like IXIA that provide well-regarded solutions.

So there are legitimate concerns with cloud migrations, but in the final analysis I think cloud makes sense for commodity data, because applications that were previously only accessible internally or over VPN from a laptop can now be made fully mobile. With upcoming productivity tablets (21” tablets and 12” tablets with 2500 resolutions, 3G, and styli) and more work emails now being answered on mobile than on PC, the world is changing to mobile hardware and mobile web access as the primary platform. Cloud enables more work to be done on mobile, a development sometimes called “Mass Localisation.”

There are two main business processes here, which are quite different from each other:

  1. New cloud customers

     There are new businesses that can start and scale rapidly using cloud services rather than having to hire an IT department. This is reasonably straightforward.

  2. Cloud migrations

     Large IT departments where the employer is considering a move to using the shared infrastructure of the software vendor, i.e., moving to the cloud. This second scenario is not as straightforward but is quite interesting—especially in terms of privileged access control, as we shall see.

Oracle has not been regarded as a market leader in cloud technology, having lost significant ground to Salesforce.com. Gartner does not rank Oracle highly at this time, but in my view Oracle is the natural company to lead cloud offerings due to their expertise in large performant systems largely based on *nix technology and OpenStack software. Oracle has the business relationships with current customers and the expertise to run larger datacenters. Most importantly, Oracle has the credibility, trust, and reputation to be able to assuage the trust objections discussed earlier. Oracle knows this and has been busy buying innovative new cloud companies such as:

Eloqua - https://secure.eloqua.com/e/f2

Vitrue - http://www.oracle.com/us/solutions/social/vitrue/index.html

RightNow - http://www.oracle.com/us/solutions/customer-experience/oracle-customer-experience/overview/index.html

And there may be other cloud innovators on the horizon like https://www.huddle.com .

For new IT requirements these companies provide an easy solution. For a startup company starting to use IT systems, growing functionality from a cloud vendor is going to be a lot quicker, easier, and cheaper than hiring an internal IT department.

Alternatively, for migrations of current IT functionalities to a cloud service provider the bridging tool is already with us in the form of EM12c cloud control.

Moving to Oracle Cloud with EM12c

EM12c has functionality for controlling remotely hosted database resources, as well as a methodology for charging for shared infrastructure usage (Figure 19-2).

Figure 19-2. EM12c shared infrastructure/cloud chargeback functionality

EM12c Consolidation Planner

EM12c also contains a built-in migration planning and implementation tool. You can think of it as a cloud migration wizard (Figure 19-3).

Figure 19-3. EM12c consolidation planner screenshot

Additionally, once migrated, the components of a cloud service can be monitored as a “system” from EM, even to the point where the performance of a web service in South America could be measured from North America, by the use of beacons. Beacons are local agents that sit in the geographical region of the service being tested and are a very useful tool for detecting bottlenecks.

For a more in-depth look at the cloud consolidation process from the perspective of Enterprise Manager, I recommend reading “Expert Oracle Enterprise Manager 12c,” which can be found at http://www.apress.com/9781430249382 .

This point and click cloud migration functionality may be a taste of what is to come, but before businesses can really control their IT they have to have control over the administrative privilege. Just as privileged access control on the database was a prerequisite to consolidation, being able to control high privileges in EM is a prerequisite to moving to the cloud.

Privileged Access Control in the Cloud with EM12c and PowerBroker

We have already looked at the Security > Administrators view that “Super Administrators” gain in EM12c, and we have seen how it could benefit from improvement in terms of segregating those administrators (as they can demote each other and lock each other out). Well, help is at hand, as Oracle has quite wisely built in some added expertise from a specialist company that deals in privileged access control—namely, BeyondTrust (previously Symark).

EM 12.1.0.3.0 has integrated PowerBroker functionality. What this means is that an individual, personally identifiable user—e.g., “Jdoe”—can be mapped to a subset of "root" privileges by PowerBroker on the target OS managed by EM. This is very cool, because PowerBroker already has a mature set of powerful features for managing privileged access. Let’s have a look at the basics.

PowerBroker consists mainly of a secure replacement for sudo. Sudo is great, but when calling a command like vi or less it is possible for that program to subsequently spawn a new shell as root that has no sudo controls upon it. Sudo has the NOEXEC option, but this does not work on all platforms and for all applications. PowerBroker has sudo-like functionality along with secure versions of bash and ksh and a secure IOLogger (keystroke logger). PowerBroker also supports sending its logs to the standard *nix syslog facility, which can then be integrated with our other audit trails through a log aggregator like ScienceLogic or Splunk.

PowerBroker commands are run in the same way as sudo, just replacing "sudo -u root" with pbrun:

[oracle@orlin ~]$ sudo -u root cat /etc/shadow        (pbrun cat /etc/shadow)
[sudo] password for oracle:
root:$6$Pp/o5MEX$jD8HCZxjeKPGJKWV/zBedphihPyTEY0.9oJ8xiZqm7UL/6EsDqKC3VpastgfwvjsDMVYC9Fs1axuQWDvZx3S6/:16080:0:99999:7:::
bin:*:15064:0:99999:7:::
daemon:*:15064:0:99999:7:::

The cloudcontrol.conf used by PowerBroker on the OS from EM12c is shown in Figure 19-4.

Figure 19-4. PowerBroker’s cloudcontrol.conf file for EM12c OS users

For security buffs out there the key point is this: the configuration file that contains the mapping of individual users to the privileges they can run is protected from that delegated root privilege itself. This means that delegated root cannot administer the PowerBroker controls. /etc/pb/cloudcontrol.conf should not be writeable by a delegated root privilege.
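The two controls just described, that an editor or pager granted through sudo without NOEXEC can escape to an uncontrolled root shell, and that the policy file must not be writable by the delegated privilege it governs, are both things a defender can check with a script. The following POSIX shell script is an added example, not code from the book, Oracle or BeyondTrust: check_policy_file verifies the owner and write bits of a policy file (/etc/pb/cloudcontrol.conf is the path named above; the expected owner defaults to root), and scan_sudoers reports sudoers rules that hand out vi, vim, less, more or man without the NOEXEC: tag. The sudoers sample in demo() is constructed for illustration.

```shell
#!/bin/sh
# Added example; not code from the book, Oracle or BeyondTrust. Two checks a
# defender can script for the points in the text:
#   1. the PowerBroker policy file must be owned by root and writable by nobody
#      else, so that delegated root cannot rewrite its own controls;
#   2. sudo rules that grant an editor or pager without the NOEXEC tag allow a
#      shell escape, so such rules are reported.
# The files used in demo() are constructed placeholders; a real run would point
# at /etc/pb/cloudcontrol.conf (the file named in the text) and /etc/sudoers.

# check_policy_file FILE [OWNER]
# Prints OK or FAIL. Returns 0 only when FILE exists, is owned by OWNER
# (default root) and carries no group or other write bit.
check_policy_file() {
    f="$1"; want="${2:-root}"
    [ -f "$f" ] || { echo "FAIL: $f is missing"; return 2; }
    set -- $(ls -ld "$f")            # $1 = mode string, $3 = owner name
    mode="$1"; owner="$3"
    if [ "$owner" != "$want" ]; then
        echo "FAIL: $f is owned by $owner, expected $want"; return 1
    fi
    # mode string layout: type, user rwx, group rwx, other rwx;
    # the 6th and 9th characters are the group and other write bits
    case "$mode" in
        ?????w*|????????w*)
            echo "FAIL: $f is writable by group or others ($mode)"; return 1 ;;
    esac
    echo "OK: $f $mode owned by $owner"
    return 0
}

# scan_sudoers FILE
# Prints every rule that grants vi, vim, less, more or man without NOEXEC:
# and returns the number of such rules (0 means none found).
scan_sudoers() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }                 # comments, blank lines
        /^[ \t]*(Defaults|Cmnd_Alias|User_Alias|Host_Alias|Runas_Alias)/ { next }
        /\/(vi|vim|less|more|man)([ \t,]|$)/ && !/NOEXEC:/ {
            print "SHELL-ESCAPE RISK: " $0; n++
        }
        END { exit n }
    ' "$1"
}

# Demonstration on constructed files only.
demo() {
    tmp=$(mktemp -d)
    printf 'policy placeholder\n' > "$tmp/cloudcontrol.conf"
    chmod 664 "$tmp/cloudcontrol.conf"             # group-writable: expected FAIL
    check_policy_file "$tmp/cloudcontrol.conf" "$(id -un)" || :
    chmod 644 "$tmp/cloudcontrol.conf"             # owner-only write: expected OK
    check_policy_file "$tmp/cloudcontrol.conf" "$(id -un)" || :
    cat > "$tmp/sudoers" <<'EOF'
# constructed sample, not a real sudoers file
Defaults    env_reset
dba   ALL=(root) /usr/bin/systemctl restart oracle
dba   ALL=(root) /usr/bin/vi /etc/oratab
dba   ALL=(root) NOEXEC: /usr/bin/less /var/log/messages
EOF
    n=0; scan_sudoers "$tmp/sudoers" || n=$?
    echo "rules flagged: $n"
    rm -rf "$tmp"
}
demo
```

On a real host the calls would be check_policy_file /etc/pb/cloudcontrol.conf and scan_sudoers /etc/sudoers, run as root and ideally from a scheduled job whose output goes to the same syslog or log aggregator as the PowerBroker logs, so that a policy file that becomes group-writable or a new shell-capable sudo rule shows up alongside the privileged command audit trail.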

The fact that this mature privileged access control is built into EM goes a long way to solving many of the PAC issues that have existed in Oracle since the beginning.

Figure 19-5 shows what the integration looks like.

Figure 19-5. Using PowerBroker from within Enterprise Manager 12c

Additionally, BeyondTrust has a password vault product that can be used to automatically cycle the passwords that are stored in Enterprise Manager. EM12c on its own requires the DBA or SA to input their root/DBA passwords into the EM system for use as a named or preferred credential in the future. The problem with this is that the value needs to be changed over time to protect against brute-forcing of the value, or from the value becoming shared. Carrying out that password maintenance manually would be an inefficient task. So BeyondTrust’s integration with their password vault can take over that credential management.

There is a massive caveat to PowerBroker usage, however. In the screenshot above it will be obvious that a user acting as plain root could edit cloudcontrol.conf, so the system’s security depends on not handing direct root out to the DBAs. Installing YaST and running root commands as root undermines the point of having a PowerBroker install. With PowerBroker there should not be any reason ever to give the root password, or control over that password, to an Oracle DBA as long as you can list the root commands that they need. Those “root” commands can be delegated individually within the cloudcontrol.conf file. Thus PowerBroker can handle some of the cloud-based privileged account requirements.

“With PowerBroker Identity Services, companies can securely extend an existing, on-premise Active Directory deployment to the cloud to authenticate users to cloud-based Linux servers, monitor and report on sign-on activity, and define and implement group policies to control your cloud server configurations.” http://www.beyondtrust.com/content/whitepapers/wp043_Cloud_Computing.pdf

Identity Management in the Cloud

There is a larger requirement for integrating identities for multiple websites, cloud services, and internal systems other than the PAC considerations previously discussed. What we really want to avoid is sending internal employees to external websites and having them enter their low-complexity, single-value passwords into those websites for company business. The web is a dangerous place. I have worked with ex-colleagues from Manchester University Computer Science Department for ten years on www.ukcert.org.uk to help protect the UK’s cyberspace and have been privy to over 20,000 reported incidents. These consist mostly of hacked websites being used to phish unsuspecting humans. Web browsers and HTML email are not secure mediums and unfortunately many companies do not provide clear URLs and domain names, thus making their brand open to attack. An analysis of phishing attacks in the UK is available at this URL: http://www.ukcert.org.uk/10years_analysis.pdf .

An organization representing the white hat community for cloud security is the CSA (Cloud Security Alliance), of which I have been a member since the onset. This is a useful guide to cloud security in general from the CSA:

https://cloudsecurityalliance.org/wp-content/uploads/2011/11/csaguide.v3.0.pdf .

In short, humans are the weakest security link and they will simplify their passwords down to the same value for many sites to save time. Our companies have to protect our humans from being exploited due to bad password management. There is an obvious niche here for cloud-based identity management as a service, with private companies taking the lead (see http://www.okta.com/resources/tour.html ) as well as non-profit making foundations (see http://www.globalidentityfoundation.org/index.html ).

So managing the business processes of consolidation and/or cloud migration in a compliant way is the challenge placed on the shoulders of infrastructure managers, which is the subject of our last chapter, along with the conclusions to this book.