ORACLE Security Solution Overview
Ray Shih, Principal Sales Consultant, Oracle Corporation

Oracle - 30 Plus Years of Database Security Leadership (1977 to 2007)
• Oracle Audit Vault (CY 2007)
• Oracle Data Vault (CY 2006)
• Database CC Security Eval #18 (10g R1)
• Transparent Data Encryption
• VPD Column Security Policies
• Fine Grained Auditing (9i)
• 1st Database Common Criteria (EAL4)
• Oracle Label Security (2000, 8.1.7)
• Virtual Private Database (1998)
• Enterprise User Security (8i)
• Database Encryption API
• Kerberos Support (8i)
• Support for PKI
• Radius Authentication
• Network Encryption (Oracle7): Oracle Advanced Security introduced
• First Orange Book B1 evaluation (1993): Trusted Oracle7 MLS DB, Government customer

Database Vendor Comparison (Source: Forrester Research)
[Chart: Oracle, SQL Server and DB2 rated Average / Good / Best on three feature areas: Data-at-Rest Encryption, Auditing Features, Advanced Security Features]

Data Security Components
• User Management
• Access Control
• Core Platform Security
• Monitoring
• Data Protection

Data Security: Oracle Products
• User Management and Access Control
  – Oracle Identity Management
  – Enterprise User Security
  – Oracle Database Vault
  – Oracle Label Security
  – Virtual Private Database
• Core Platform Security and Monitoring
  – Oracle Audit Vault
  – EM Configuration Pack
• Data Protection
  – Oracle Advanced Security
  – Oracle Secure Backup

Overview: Oracle Identity Access Management
[Figure: Oracle Advanced Security provides strong authentication for the application and network encryption; Transparent Data Encryption writes data to disk automatically encrypted, decrypts it automatically through the SQL interface, and keeps it encrypted on backup files]

Oracle IAM Products
• Access Control: Oracle Access Manager, Oracle Enterprise Single Sign-On, Oracle Identity Federation, Oracle Web Services Manager
• Identity Administration: Oracle Identity Manager
• Directory Services: Oracle Virtual Directory, Oracle Internet Directory (with Directory Integration Platform)
• Audit & Compliance
• Management: Oracle Enterprise Manager for Identity Management
• Oracle Identity & Access Management Suite

Database-Supplied Packages for Encryption
1. DBMS_CRYPTO
2. DBMS_OBFUSCATION_TOOLKIT

Network Encryption
Encrypts all communications with the database:
– AES
– RSA RC4 (40-, 56-, 128-, 256-bit keys)
– DES (40-, 56-bit) and 3DES (2- and 3-key)
– Diffie-Hellman key exchange
Data integrity with checksums:
– MD5, SHA-1
– Automatically detects modifications, replays, missing packets

Strong Authentication
• PKI
  – PKCS #7, #11, #12
  – Support for smart cards, biometrics, etc.
• Kerberos
  – Simple deployment
  – Integrate with Kerberos servers
• RADIUS
  – Integrate with 3rd-party RADIUS-compliant solutions

Oracle Database 10g Release 2: Transparent Data Encryption
[Figure: application traffic protected by ASO network encryption; data decrypted through the SQL interface, written to disk encrypted, and encrypted on backup files]
Transparent Data Encryption:
– Includes key management
– Transparent to applications
– Helps address privacy and regulatory compliance

Transparent Data Encryption

Create the Master Key
[Figure: wallet location (sqlnet.ora), key table, master key]

Open the Wallet
  ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "welcome1";

Create an Encrypted Column
  CREATE TABLE cust_payment_info (
    first_name          VARCHAR2(11),
    last_name           VARCHAR2(10),
    order_number        NUMBER(13),
    credit_card_number  VARCHAR2(20) ENCRYPT NO SALT);

Encrypt Clause Syntax
  CREATE TABLE cust_payment_info (
    …
    credit_card_number  VARCHAR2(20) ENCRYPT USING 'AES256' IDENTIFIED BY password NO SALT);

TDE Restrictions (10g)
• No bitmapped or domain indexes on encrypted columns allowed
• No large objects (LOBs or CLOBs) may be encrypted
• Direct-path SQL*Loader
• No SYS schema objects may be encrypted
• Other database tools and utilities that directly access data files

TDE 11g
• Tablespace Encryption
• Master key stored in HSM device
• SECUREFILE LOB Encryption

Oracle Advanced Security: Tablespace Encryption
• Define a new tablespace as 'encrypted'
  – cannot convert existing, un-encrypted tablespaces
  – however, content can be moved into encrypted tablespaces
• Always salted for higher security
• Overcomes limitations of column-based TDE:
  – supports indexes other than b-tree
  – supports foreign keys
• No additional management overhead
  – integrated into TDE key management; same wallet used as for column-based Transparent Data Encryption
• No storage overhead (!)

Oracle Advanced Security: Master Key Stored in HSM Device
• Store the master key in an external hardware device
• Master key never leaves the device
• Standard PKCS #11 API allows customers to choose from a wide range of HSM vendors
• Encryption and decryption done on the database server
• Simplifies key management in distributed environments (Data Guard, RAC)

Oracle Advanced Security: SECUREFILE LOB Encryption
• All SECUREFILE LOBs in an encrypted column are encrypted
  – In-line (in table) and out-of-line (in tablespace) are both encrypted
  – BFILEs are not encrypted
  – Always salted for higher security

Oracle Advanced Security: Transparent Data Encryption Manageability (11g)
[Screenshot slide; no text]

Oracle Label Security
[Figure: a user with label "Sensitive : ACME" queries the application table; the two rows marked OK are the ones returned]
Application table:
  Store ID   Revenue    Department    Sensitivity Label
  AX703      10200.34   Finance       Sensitive : ACME         OK
  B789C      18020.34   Engineering   Sensitive : WIDGET
  JFS845     15045.23   Legal         Highly Sensitive: ACME
  SF78SD     21004.45   HR            Unclassified: ACME       OK

Virtual Private Database
• Fine-grained Access Control
• Row-Level security
• Server-enforced security policy
  – Associates security policies with tables or views
• Transparent predicate rewrite
• ASPs Hosting Applications
[Figure: Harry and Dick each run SELECT * FROM ORDERS; the security policy attached to the Orders table is applied to each query]

Virtual Private Database: Column Relevant Policies (10g)
  SELECT cust_last_name, social_security_number FROM accts;
[Figure: a VPD column-relevant policy on the SOCIAL SECURITY NUMBER column governs whether the query returns the values 431-395-9332 and 381-395-9223]

Oracle Secure Backup
[Figure: file systems (Linux, Unix, Windows, filers) and databases]
• Oracle Secure Backup is ideal for customers seeking a low-cost alternative to complex backup products
• Best integrated end-to-end backup of Oracle Databases
  – Media manager for RMAN backup and recovery of Oracle9i and 10g databases to tape
  – Fastest database backup on the market
• Backup Oracle Home, App Server and other file systems
• Oracle Secure Backup includes:
  – Centralized management of network backups
  – Scalability to low 100's of servers, 10's of millions of files
  – Easy management through Enterprise Manager
• Supports popular tape libraries & drives

Data Vault Overview

Why Database Vault?
• Regulations such as Sarbanes-Oxley, Gramm-Leach-Bliley and Basel II require strong internal controls and separation of duty
• Internal threats are a much bigger concern today and require enforcement of operational security policies: who, when and where can data be accessed?
• Database consolidation strategy requires preventive measures against access to application data by powerful (DBA) users

Oracle Data Vault
A security solution to increase a customer's ability to protect sensitive information. Data Vault introduces several new and very powerful security concepts:
• Realms make it easy to restrict users with powerful DBA privileges to specified application schemas
  – Separation of duty: easy to create an "HR dba" or "Financials dba"
• Factors extend access beyond user- and role-based access
• Rules control database access based on factors in the environment
  – Control access based on time of day, IP address, location, …

Oracle Database Vault Protection Realms
• Compliance and protection from insiders
• Eliminates security risks from server consolidation
[Figure: realms stop two cases: the database DBA viewing HR data ("select * from HR.emp" against the HR realm, where only the HR DBA belongs) and the HR DBA viewing Fin. data (the Fin realm, where only the FIN DBA belongs)]
• Realms can be easily applied to existing applications with transparency and minimal performance impact

Oracle Database Vault: Transparent Multi-factor Authorization
[Figure: a SELECT from an HR account is checked against the factor "unexpected IP address" before it reaches HR data; a CREATE by the FIN DBA is checked against the factor "business hours" before it reaches FIN data]

Built-in Factors Extend Authorizations
Authentication_Type, Client_Identifier, Client_IP, Database_Domain, Database_Hostname, Database_Instance, Database_IP, Database_Name, Domain, Language, Machine, Module, Network_Protocol, OS_User, Program, ProxyUser, Session_User, Terminal

Protect and Secure Applications
1. Create Realm
2. Apply Realm
3. Authorize Users
[Figure: one realm applied over the Orders, Contracts, Suppliers, Parts and Line Items tables]

Data Vault Solution
[Figure: DBA, privileged application owner and application user reach Oracle Database 10g Release 2 through SQL*Plus, the application (E-Business Suite) or other applications; Data Vault enforcement sits in front of the Oracle data dictionary and the application data, including attempts to bypass the application]
Data Vault security protects database and applications.

Audit Vault Overview

Customer Problems
• Regulatory compliance and configuration audit monitoring
• Audit information resides in silos across the enterprise
• Audit information needs strong protection

Regulatory and Compliance Audit Monitoring
• Demonstrate to auditors that your environment is well maintained and secure
• Demonstrate who accessed sensitive data in multiple databases
• Report on database access during financial reporting periods

Customer Need
• A single repository for audit data
• Centralized audit policies and audit settings
• Audit data and policy to be secure and tamper evident
• Analyze and monitor audit data
• Manage high volume of audit data
• Minimal impact on production systems

Audit Challenges
• Security
  – Separation of duty and data
  – Tamper proof/evident audit data
• Large Volume of Data
  – Scalability, reliability, high availability
  – Need intelligent archival process
• Analysis and Reports
  – Efficient correlation mechanisms
  – Forensic analysis and intrusion detection
  – Compliance & Insider Threat requirements
• Audit Data Format
  – Diverse audit sources, different content/formats
  – No well-established industry standard audit format

Oracle Audit Vault Overview: Trust-but-Verify
• Collect and Consolidate Audit Data
  – Oracle 9i Release 2 and higher
• Simplify Compliance Reporting
  – Built-in reports
  – Custom reports
• Detect and Prevent Insider Threats
  – Alert suspicious activity
• Scale and Security
  – Robust Oracle Database technology
  – Database Vault, Advanced Security
  – Partitioning
• Lower IT Costs with Audit Policies
  – Centrally manage/provision audit settings
[Figure: audit sources Oracle 9iR2, 10gR1, 10gR2 and, in future, other sources and databases feed the Audit Vault, which provides monitoring, reports, policies and security]

Oracle Audit Vault Key Messages
• Protect and monitor audit data through consolidation
  – Eliminate audit silos
  – Reporting
• Monitor audit data associated with powerful users
  – Report on audited DBA activity centrally
• Monitor database changes by privileged users
  – Run reports on user logins, user create statements

Key Message Summary
• Data Vault: protect applications with flexible and dynamic security controls
  – Application data from DBA
  – Database from ad hoc changes by privileged users
• Audit Vault: protect and monitor
  – Audit data from multiple databases centrally
  – Audit data associated with powerful users centrally
  – Database changes by privileged users

Audit Vault Architecture: Overview
[Figure: the Audit Vault Server holds audit settings management, management and monitoring, audit data collection, security infrastructure, a data warehouse, reports and alerts; the AV Admin handles administration and the AV Auditor handles reporting and alerts; Audit Vault Agents run collectors (REDO, DBAUD, OSAUD) against the audit sources and send audit data and configuration metrics to the server]

Audit Vault Framework
[Figure: the Audit Vault Agent runs an OC4J hosting the agent HTTP listener, management service, policy service, audit service and collector manager, which stops/starts the collectors (DBAUD, OSAUD, REDO) and collects metrics; the Audit Vault Server runs an OC4J hosting the Audit Vault Console (AV web application), management service (stop/start agent), policy service and EM Database Control, backed by the database holding the audit data repository, configuration data and the alert service/alert queue; REDO records arrive from the source redo logs through an apply module, audit trail records from the other collectors]

Oracle Audit Vault: Security Components
[Figure: agent and server each run database clients and configuration/management tools and keep logs; HTTP carries policy settings and management commands; SQL*Net carries audit trail data, collector attributes and policy provisioning; the agent wallet holds the agent user password and the server wallet holds the AV admin password]

Oracle Database Collectors: DBAUD
[Figure: the DBAUD collector reads audit trail records from the source's AUD$ and FGA_LOG$ tables into the audit repository]
Using the DBAUD Collector
– Collects audit records from the audit trail when AUDIT_TRAIL is set to DB,EXTENDED
– Collects data from the SYS.AUD$ and SYS.FGA_LOG$ tables
– Collects: DDL and DML statements; SQL text; successes and/or failures as specified in audit settings
– Can be remote from the source database and the Audit Vault Server

Oracle Database Collectors: OSAUD
[Figure: the OSAUD collector reads audit trail records from OS files on the source into the audit repository]
Using the OSAUD Collector
– Collects audit records from the audit trail when AUDIT_TRAIL = OS
– Collects mandatory audit records from the operating system audit trail
– Collects: DDL and DML statements; SYS privilege usage; successes and/or failures as specified in audit settings
– Independent process running on source host

Oracle Database Collectors: REDO
[Figure: Streams capture on the source reads the redo logs, Streams propagate sends the LCRs to the server, and Streams apply writes them into the audit repository]
– Uses Streams technology to retrieve logical change records (LCRs) from the redo log files
– Collects: committed DDL and DML statements; SYS privilege usage; before-and-after values (successes only)

Alert Processing
[Figure: the AV Auditor defines audit alerts in the Audit Policy System; audit trail records arriving from the DBAUD, OSAUD and REDO collectors into the audit repository are evaluated against the alert criteria; records that meet the criteria go to the alert queue, to which the Audit Vault Console subscribes]
• Enabling and Disabling Alert Processing (AV Administrator)
• Creating an Alert Rule (AV Auditor)
• Specifying the Basic Alert Condition (AV Auditor)
• Specifying an Advanced Alert Condition (AV Auditor)

Specifying Audit Vault Event Categories
  Event Category Name             Description
  ACCOUNT MANAGEMENT              Management of user/service accounts and profiles
  APPLICATION MANAGEMENT          Management of applications or code on a system
  AUDIT COMMAND                   Management of Audit service
  DATA ACCESS                     Association with a data item or resource for its content or services
  EXCEPTION                       Error conditions or exceptional events
  INVALID AUDIT RECORD            Collection of an invalid audit record
  OBJECT MANAGEMENT               Creation and management of data items and resource elements
  PEER ASSOCIATION                Management of association with peer systems (DBLINKs)
  ROLE AND PRIVILEGE MANAGEMENT   Management of roles and privileges granted to users or services
  SERVICE AND APPLICATION ACCESS  Use of services or applications
  SYSTEM MANAGEMENT               Management of services that are system level
  UNKNOWN                         Anything that does not belong to the other categories
  USER SESSION                    Creation and use of user sessions on the system

Viewing Alert Information: About the Overview Page (AV Auditor)

Audit Vault Data Warehouse: Overview
[Figure: the raw audit data table in the Audit Vault Server database feeds the audit warehouse, which the AV Auditor uses for analysis, reporting and mining]

Audit Vault Data Warehouse: Schema
Fact table AUDIT_EVENT_FACT with dimension tables CLIENT_HOST_DIM, EVENT_DIM, TIME_DIM, CONTEXT_DIM, CLIENT_TOOL_DIM, SOURCE_DIM, USER_DIM, TARGET_DIM and PRIVILEGES_DIM

Scheduling Data Warehouse Operations and Viewing Historical Information
The Audit Vault Administrator performs the following tasks to manage the data warehouse:
– Manages the data warehouse refresh schedule
– Manages the retention period for data in the data warehouse
– Performs one-time operations: Load, Refresh, Purge
– Views historical information about data warehouse loading, refreshing, and purging

Auditor Report Screens (AV Auditor)
• Viewing Account Management Activity
• Viewing User Session Activity
• Viewing the Activity Overview Report
• Viewing Details from the Activity Overview Report
• Viewing Alert Reports
• Viewing Alert Report Details

Creating Custom Reports (AV Auditor)
Use Oracle reporting tools such as the following to create custom reports:
– Oracle Business Intelligence Suite Enterprise Edition
– Oracle BI Publisher

Questions & Answers
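The Transparent Data Encryption steps from the TDE slides (create master key, open wallet, encrypted column) carried through to the 11g features listed there (encrypted tablespace, moving content into it, SecureFile LOB encryption), as an added worked example that is not part of the original deck. The wallet directory, datafile path, the hr.employees table and its index are assumptions; the password is a placeholder.

```sql
-- sqlnet.ora on the database server (assumed directory) points TDE at the wallet:
-- ENCRYPTION_WALLET_LOCATION =
--   (SOURCE = (METHOD = FILE)(METHOD_DATA = (DIRECTORY = /etc/ORACLE/WALLETS/orcl)))

-- 1. Create the master key (first-time setup). This creates the wallet in the
--    configured location and opens it. Placeholder password; keep the wallet on
--    separate media from the datafile backups so a backup alone is unreadable.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "welcome1";

-- 2. After every instance restart the wallet must be opened before encrypted
--    columns or tablespaces can be read or written.
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "welcome1";

-- 3. 10gR2-style column encryption (the deck's cust_payment_info). NO SALT is
--    only needed when a B-tree index on the column is required; the default
--    (salted) is stronger against pattern matching on the ciphertext.
CREATE TABLE cust_payment_info (
  first_name          VARCHAR2(11),
  last_name           VARCHAR2(10),
  order_number        NUMBER(13),
  credit_card_number  VARCHAR2(20) ENCRYPT USING 'AES256' NO SALT
);

-- 4. 11g tablespace encryption: a NEW tablespace is created encrypted (an
--    existing one cannot be converted), then segments are moved into it.
CREATE TABLESPACE secure_ts
  DATAFILE '/u01/oradata/orcl/secure_ts01.dbf' SIZE 100M   -- assumed path
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

ALTER TABLE hr.employees MOVE TABLESPACE secure_ts;       -- assumed table
ALTER INDEX hr.emp_name_ix REBUILD TABLESPACE secure_ts;   -- MOVE invalidates indexes

-- 5. 11g SecureFile LOB encryption: LOBs could not be encrypted by column TDE in 10g.
CREATE TABLE contracts (
  id   NUMBER PRIMARY KEY,
  doc  CLOB
) LOB (doc) STORE AS SECUREFILE (ENCRYPT USING 'AES192');

-- 6. Verify wallet state, encrypted columns and encrypted tablespaces.
SELECT wrl_type, status FROM v$encryption_wallet;
SELECT owner, table_name, column_name, encryption_alg, salt
  FROM dba_encrypted_columns;
SELECT tablespace_name, encrypted FROM dba_tablespaces WHERE encrypted = 'YES';
```

SecureFile LOBs require a tablespace with automatic segment space management and COMPATIBLE set to 11.1 or higher.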
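The column-relevant VPD policy illustrated on the Virtual Private Database slides (the accts query whose social_security_number column is governed by a policy), as an added worked example that is not part of the original deck. It assumes an APP schema that owns the table and the policy function, database users HARRY and DICK (the names from the VPD slide), and EXECUTE on DBMS_RLS granted to APP; the table rows are constructed sample data.

```sql
-- Constructed sample table; owner_user names the database user allowed to see the SSN.
CREATE TABLE accts (
  acct_id                 NUMBER PRIMARY KEY,
  cust_last_name          VARCHAR2(40),
  social_security_number  VARCHAR2(11),
  owner_user              VARCHAR2(30)
);
INSERT INTO accts VALUES (1, 'Smith', '431-395-9332', 'HARRY');
INSERT INTO accts VALUES (2, 'Jones', '381-395-9223', 'DICK');
COMMIT;

-- Policy function. VPD fixes the signature: (schema, object) -> predicate string.
-- The predicate is appended by the server to every query that references the
-- protected column, so it cannot be bypassed from SQL*Plus or another application.
CREATE OR REPLACE FUNCTION ssn_policy (p_schema IN VARCHAR2, p_object IN VARCHAR2)
  RETURN VARCHAR2
AS
BEGIN
  RETURN 'owner_user = SYS_CONTEXT(''USERENV'', ''SESSION_USER'')';
END;
/

-- Register the policy. sec_relevant_cols limits enforcement to queries that touch
-- SOCIAL_SECURITY_NUMBER; ALL_ROWS keeps every row in the result but returns NULL
-- in that column for rows failing the predicate (column masking), as on the slide.
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema         => 'APP',
    object_name           => 'ACCTS',
    policy_name           => 'ACCTS_SSN_COL_POLICY',
    function_schema       => 'APP',
    policy_function       => 'SSN_POLICY',
    statement_types       => 'SELECT',
    sec_relevant_cols     => 'SOCIAL_SECURITY_NUMBER',
    sec_relevant_cols_opt => DBMS_RLS.ALL_ROWS);
END;
/

-- Connected as HARRY: row 1 shows 431-395-9332, row 2 shows NULL. As DICK: the reverse.
SELECT cust_last_name, social_security_number FROM app.accts;

-- A query that never references the protected column is not rewritten at all.
SELECT cust_last_name FROM app.accts;
```

Without sec_relevant_cols_opt the same policy would instead hide the whole row whenever the column is selected, which is the row-level behaviour of the earlier Harry/Dick slide.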
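The three-step procedure on the Database Vault slides (create realm, apply realm, authorize users) written against the Database Vault administration package, as an added worked example that is not part of the original deck. It assumes an ORDERS schema holding the Orders, Contracts, Suppliers, Parts and Line Items tables, an ORDERS_APP owner account and an ORDERS_DBA account (the deck's "HR dba"-style separated administrator); the DBMS_MACADM and DBMS_MACUTL names are the ones I recall from the Database Vault API and should be checked against the installed version.

```sql
-- Run as the Database Vault owner (DV_OWNER role), not as a regular DBA.
BEGIN
  -- 1. Create the realm; failed access attempts against it are audited.
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'Orders Application Realm',
    description   => 'Protects the ORDERS schema from powerful (DBA) users',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);

  -- 2. Apply the realm: '%' for object name and type covers every object owned
  --    by ORDERS (Orders, Contracts, Suppliers, Parts, Line Items, ...).
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'Orders Application Realm',
    object_owner => 'ORDERS',
    object_name  => '%',
    object_type  => '%');

  -- 3. Authorize users. The schema owner is a realm owner; the dedicated
  --    "Orders dba" is a participant. Accounts not listed here, including SYSTEM
  --    and anyone holding SELECT ANY TABLE, can no longer reach these objects
  --    through system privileges: separation of duty from the generic DBA.
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'Orders Application Realm',
    grantee       => 'ORDERS_APP',
    rule_set_name => NULL,
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_OWNER);
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'Orders Application Realm',
    grantee       => 'ORDERS_DBA',
    rule_set_name => NULL,
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);
END;
/

-- Verify what the realm covers and who is authorized.
SELECT r.name, o.owner, o.object_name, o.object_type
  FROM dvsys.dba_dv_realm r
  JOIN dvsys.dba_dv_realm_object o ON o.realm_name = r.name
 WHERE r.name = 'Orders Application Realm';
SELECT realm_name, grantee, auth_options FROM dvsys.dba_dv_realm_auth;

-- Expected effect: a generic DBA in SQL*Plus now gets ORA-01031 (insufficient
-- privileges) on  SELECT * FROM orders.line_items;  while ORDERS_APP, which holds
-- the object privileges directly, keeps working unchanged.
```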