ActiveBase

QoS Assurance, Management & Security of Large Oracle Database Centers

About US

Founded 2002 by an experienced team of Oracle

veterans

Innovative technology protected by patents First production sites in 2004 Among our customers:

Oracle Production Centers challenges

CONTEXT> More Data, More Users, More Tools, changing environment but Budget & Resources do not always grow and Expertise is scarce HOW CAN I > Take Preemptive measures that will enable me to: Guarantee SLA
Important tasks get served first

Improve QoS Reduce response time, accelerate performance Secure Database Access Comply to regulations Prevent Data Leakage Hide, Scramble, Mask data to both internal & external users Without modifying the applications or the databases?

SO THAT > These measures will be applicable across applications?

ActiveBase Solution Suite

AB*Performance Suite: Database Performance Management

1. Database Server Prioritization of online users, reports, batch and OS processes. 2. Database Usage Optimization: manage and improve overall database performance.

AB*Security: Data Leakage Prevention and Security Compliance

Proactive Database Activity Monitoring and compliance solution for the data center

ActiveBase Priority

Challenge - Guarantee SLA

Exponential data growth and growing application usage

cause resource-stress and peak-times

During peak-times application performance

deteriorates and Quality of Service declines

Response time deterioration causes productivity loss

and user dissatisfaction

6

The Solution : ActiveBase Priority

ActiveBase monitors database server resources and maps them in real-time to business transactions It manages server CPU and I/O consumption by Oracle and server OS processes, aligning them to transaction importance using server process throttling ActiveBase includes user-defined, custom policies and predefined Knowledge Packs for immediate ROI ActiveBase Result - throughput increase of 25% - 50%, while business transactions run x2 faster

Automatic rule examples

When avg. on-line user response time > 5 sec., all batch and reporting processes will consume 25% less resources or not more than 30% of all server

resources
Guarantee at least 40% Server CPU and I/O to call-center on-line transactions

When Server CPU > 85%, restrict Analyst group to 20% CPU load and up to 50 parallel query servers
Reduce Server Operating System process by 50% (e.g., Export) when Server CPU>85%

ActiveBase Priority Architecture

ActiveBase Management software Auditing, reporting and dashboards

ERP, CRM, DW Database servers

Rule Engine
Identification functions: Server CPU and I/O, Instance and session CPU, Session info, SQL syntax patterns, Database Router time of day, define user grouping Priority Actions: Reduce process resources, Limit process resource consumption

Database activity and OS monitor Site environment configuration Administration users and roles Database server agent

Resource management process flow

Users/ applications
Incoming SQL statement management: parallel setting or blocking

Incoming Application Requests

Sessions
Session Classification: Ad-hoc or rule based Session/ group Classification

Database activity and OS monitor Site environment configuration Administration users and roles

Session/ resource management

Group/ resource10 management and limits

Implementation
Installation and configuration in less than a day Installed with Knowledge packs containing expandable Priority rules, providing immediate ROI Scalable and central management supporting hundreds of ActiveBase installations on site with rule propagation Easy, clear and friendly GUI enables quick one-day concise administration training No code rewrites or data changes required

11

Rules provide immediate performance results

12

ActiveBase complements for Oracle Resource Manager

1. AB*Priority can prioritize several Oracle instances on the same server and server Operating System (OS) processes that cause server slowdown 2. It can apply prioritization policies before reaching resource outage 3. AB*Priority can prioritize based on SQL patterns (e.g., prioritize user requests starting with select% with large fact tables) 4. Simple-to-use GUI (even for system operators), with powerful policy tree 5. No database overhead 6. Supports Oracle versions 9 to 11g
13

Next: ActiveBase Performance

Improve Reporting and DW response time

MORE SPEED: accelerates response times from hours to minutes, minutes to seconds MORE PERFORMANCE STABILITY: Prioritizes user groups during peak-loads and ensures ETL process completion MANAGE USER ACTIVITIES:

warns or blocks query-from-hell, Notifies users during

high-load

15

ActiveBase Performance

Improves response time x5-x50 by applying SQL optimization rules in real-time Rules include applying SQL rewrites and hints without touching reports and restricting ad-hoc queries Guides and trains users for correct usage with automated messages
16

Active Base Performance Architecture

ActiveBase Management Servers
External Input for Rules such as LDAP (ActiveDirectory)

ActiveBase Database Routers

Rule Engine Identification functions: SQL syntax, explain plan,
Oracle cost, no. of partitions, time of day

Performance Actions: SQL rewrite, Add Oracle hint,

block, offload to replication,

Users/ applications

Get explain plans

Dynamic Database Switch Database Protocol Analyzer

Incoming Application Requests

17

Examples
When report/ad-hoc query uses nested-loop on a specific fact scanning, change into /*+ use_hash*/

When running on another fact with index range change into partition range scan
Change month=xxx condition into date between 1-xxx and end-of-month (as date column is partitioned) Block all requests running on more then 1000 partitions and return a message the user

Change driving site of a report to use historical database when report requires old date
18

Step 1: Router Configuration

Step 1: Router Configuration Level Define your databases. Clients will connect via ActiveKnowledge host and listener port to the Oracle listener.

Step 1: Define Applications/Clients

Define your applications / clients using program name, host or OS User. Set the routing action to be applied on connections

Policy manager matchers and actions

Match incoming statements and apply actions on them (e.g., rewrite/block etc.) Matcher types include:
Syntax based statement matching From Clause Object Execution plan subset Execution plan step Partition range Text string matching PL/SQL function Time based matching Oracle cost matching

Policy Tree and Actions

Actions include:
Reduce resources by % Limit resource by % Add an Oracle Hint, Rewrite SQL, Block/Notify, Use aggregate, Offload to alternate DB, Delay until available capacity Audit trail

Policy example

The Policy tree

ActiveBase Expert Utility

Step 2: SQL Optimization Expert 1. Identifies problematic SQL statements. 2. Generates all applicable Oracle hints, benchmarks them and highlights the best alternative.

Simulator
allows to test policy before applying.

Create New Policy with a

single-click.

ActiveBase Knowledge Pack

Set of 20-30

Performance Rules adaptable

by Customers to match their specific needs.

Rules Export and Import in XML and are

shareable across installations.

24

Easy implementation and Quick ROI

Improving both PERFORMANCE and SECURITY in a single comprehensive solution boosts adoption, ROI and lowers TCO

Flexible architecture with negligible footprint (e.g., only 3% from all SQL throughput require ActiveBase parse)
AB installed within a day on DB server or dedicated server (hub)

Gradual deployment can start with only development tools, reporting and applications in test, QA and prod
No programming and no application changes required for optimizing incoming SQL requests

25

Easy Implementation and Quick ROI (2)

Policies are easily and centrally managed, with Policy templates (Knowledge Packs) for quick ROI

Installation includes Knowledge Packs

Scalable and central management supporting hundreds of ActiveBase site installations with rule propagation

Easy, clear and friendly GUI enables concise one-day training

Reliability guaranteed using Oracle failover, Transparent Application Failover (TAF) and clustering

26

Next: ActiveBase Security : Data Leakage Prevention and Compliance solutions

27

The Challenge

Leakage and unauthorized data changes: Major issue

Sensitive and Personal Information (SPI) leakage is a major threat to organizations with high cost of remediation Integrity of SPI affects key decisions and financial reporting Risk of downtime

Most organizations have security policies, but...

Policies cannot be enforced on all DBA & development tools unsecured, uncontrolled with unlimited access

Why Native Database are not practical

Performance overhead No separation of duties Not secure audit trail Massive storage requirement Does not provide granularity required Does not provide proactive security (batch approach vs. real-time intervention) - before offensive requests reach the database

The Ultimate Security Solution >> ActiveBase Security

Traceability: ActiveBase audits, controls and alerts on access to SPI or changing user grants and account information

Audit, control or block all users NOT even passing through it

On-line masking/scrambling to personal and sensitive data
From reporting tools, development and DBA tools in Production, Testing and QA environments Quick ROI by automating the discovery and masking of data

Restricts access to sensitive information

Hide and restrict access on row or columns, add VPD filters

Prevents SQL injections, buffer overflow and applies virtual Critical Patch Update enforcement
30

ActiveBase Security Architecture

ActiveBase Management Servers
External Input for Rules such as LDAP (ActiveDirectory)

ActiveBase Database Routers

Rule Engine Identification functions: SQL syntax, SQL injection patterns, Oracle Critical Patches, explain plan, time of day, access patterns Security Actions: hiding sensitive info, scrambling, block, delay (quarantine), alert, SNMP, e-mail, OS cmd Dynamic Database Switch Database Protocol Analyzer

Users/ applications

Incoming Application Requests

31

Access Control : Privileged users, QA, Outsourced IT

Prevents SPI leakage by applying preventive Controls on internal and outsourced operations complements detective controls (alerting and auditing) Blocks, scrambles, restricts access of privileged users from: Accessing SPI Changing application schemas Creating new DB accounts or elevating privileges Enforces separation of duties without: Risk of blocking legitimate access Impacting DBA ability to perform routine admin tasks

32

Sensitive Information masking

Anonymize access to personal or confidential data by securing application read
requests (management of DATA IN MOTION and DATA IN USE) No need to scramble your databases (long , tedious and no Undo) Cannot anonymize production data where in many cases DBAs and developers enter at will and are exposed to production sensitive data!

Data mask format library (masking templates) include random number and string, sub string and user functions Define once & apply on many across applications and databases No risk to application or data integrity masking only select requests Data masking can be applied selectively based on request patterns or user profiles
33

Sensitive Information -- blocking

Prevents privileged users (e.g., DBAs, application developers) from viewing sensitive data, without touching databases or application code AB*Security is the only Applicative Blocking solution blocking a specific request while allowing (when predefined) to continue without killing the session

Implement robust preventive controls without the risk of blocking legitimate business access.

34

35

Blocking example within ERP screens

36

Automatic access profile learning

During a learning period: ActiveBase audits all DBA/IT operation user access into access profiles :
includes classification of workday/weekend, time, program, hostname and OS User

As it completes (2-4 weeks), ActiveBase detects automatically deviant action from access profile, proposing following steps

Apply on-line masking/scrambling to personal and sensitive data

Block the request and send alert and/or a user notification Quarantine - block all session requests and new connections from the same machine or user for X minutes Apply delays between each request Kill session
37

Summary
Comply with existing and new REGULATIONS (SOX,) Control the flow (data in motion and in use) of sensitive and private information in your production systems to employees, customers and partners Protect against SQL injection and published Oracle vulnerabilities (CPUs) Prevent data leakage and secure non-production systems populated with production data including SPI

Centralized security rules applicable on any application, even if source code not available
38

Implementation
Installation and configuration in less than a day Installation includes Knowledge packs for quick ROI Scalable and central management supporting hundreds of ActiveBase site installations with rule propagation Easy, clear and friendly GUI enables concise one-day training

No code rewrites or data changes required for scrambling or hiding sensitive information
With both performance and security in a single comprehensive solution, ActiveBase boosts adoption, ROI and lowers Total Cost of Ownership
39

Summary

ActiveBase, other Applicability

PERFORMANCE DW ETL project: Enhance the DW availability and enlarge reporting time window to on-line users by implementing an ETL synchronization and prioritization project DW Archive\history project: Prevent performance degradation due to exponential data growth by implementing a transparent data archive/history project Migration Project: Improve response performance, ensure data consistency and result compliance, adjust Capacity Planning parameters for current usage and future growth SECURITY Compliance project: comply with new and evolving data security regulations to existing business applications
41

Where it fits: Across the Enterprise

ERP

Business applications
CRM Web

Billing etc

DW & App. Reporting

BI applications

AB Suite Provides:

AB Suite Provides:

1. QoS improvement & guarantee 1. Performance improvement using prioritization of resources by x10 on reports and ad-hoc during performance spikes queries QoS 1. Security & auditing 2. improvement & guarantee Data leakage prevention, learning 3. Security & auditing mode usage, alerting, SQL Injection prevention, Oracle CPU protection

Where it fits: Across the Enterprise

QA\Dev Environments
ERP CRM Web Billing

AB Suite Provides: Security and Data Leakage Prevention (DLP)

Auditing and controlling access, while scrambling/ hiding sensitive information from QA and Developers

Customer Cellcom

(Telco)

Over 2000 users: on-line Billing applications and BI (Cognos). AB*Performance is used in Data Warehouse environment, on a 64 CPU Superdome database server with over 30 Tera of data, delivering performance stability and report acceleration
It blocks offensive requests (e.g., that scan more than X partitions) It accelerates reports and ad-hoc query response time by x10 and more

AB* Security is used across the data center for auditing all access to sensitive data by various applications and tools
Audited information is analyzed by customers security employees

44

Customer Orange

(Telco)

Over 3000 users: Billing applications and Business Objects.

AB*Performance is used in Data Warehouse environment, on a 64 CPU Sun

database server with over 25 Tera of data, delivering performance stability and report acceleration. It accelerates reports and ad-hoc query response time, reducing overall reporting response time from 8 to 4 minutes It uses AB*Performance for fixing Orange Billing batch, that could not be tuned in any other way. It rewrites requests to use a small replicated object instead of the original object, speeding from 14 hours to hour
Using ActiveBase software made our business reporting 10 times faster and more efficient, saving substantial resources and enabling us to expand, while still maintaining our existing server."
Limor Malay, DW Division Manager, Orange (IL)
45

Orange: Summary of tests report

Orange: Summary of tests report

Customer MNB (Bank)

AB*Performance is used in Data Warehouse environment and Business Objects, with a two times overall performance boost. The work and needs of the analysts are better understood through ActiveBase logs connected to ad hoc reporting.

It audits all user access for security and compliance

Important business reporting was accelerated by 27 times! The security policies proved to be highly effective
S vltos Lajos, Data mart Manager, National Bank of Hungary
48

UNIQUE VALUE PROPOSITION

PREVENTIVE as well as CURATIVE

REAL-TIME fixing based on RULES

NON INTRUSIVE

RESILIENT, HIGH PERFORMANCE

OPERATOR (vs. programmer) DRIVEN A SINGLE Product for managing and controlling Performance, Priority and Security
49

SUMMARY of BENEFITS
For the Enterprise
Save on Control Improve Budget SLA QoS
Design & Implementation Data-Center Administrators Known-how & Expertise
50

For IT
Simplify Empower Capitalize

Thank you!