Oracle Database Security
Copyright © 2013, Oracle and/or its affiliates. All rights reserved.
Who defines security in your company?
How do you stress test?

Ursula Koski
Senior Principal Architect, Database Security Development

Over 1.1B Served
67% of records breached from servers
76% breached using weak or stolen credentials
69% discovered by an external party
97% preventable with basic controls
Why Are Systems Vulnerable?
80% of IT Security Programs Don't Address Database Security (Forrester Research)
[Chart: where security programs focus: Network Security, Authentication & User Security, SIEM, Email Security, Endpoint Security, with Database Security the smallest slice]
"Enterprises are taking on risks that they may not even be aware of."
"Especially as more and more attacks against databases exploit legitimate access by compromising applications and user credentials."

Take a database governance approach: PREVENTIVE, DETECTIVE and ADMINISTRATIVE controls
PREVENTIVE Controls
Encryption is the Foundation
Preventive Control for Oracle Databases: Advanced Security
• Encrypts tablespaces or columns
• Prevents access to data at rest: disk, backups, exports, off-site facilities
• Built-in two-tier key management
• Requires no application changes
• "Near Zero" overhead with hardware
• Integrated with Oracle technologies: log files, compression, ASM, DataPump
[Figure: applications read and write cleartext while the database encrypts what reaches disk, backups, exports and off-site copies]
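As an added example (not from the slide deck and not Oracle's own sample), the Oracle Database 12c statements that set up Transparent Data Encryption for one tablespace and one column, followed by the views an auditor would query to confirm it. The keystore path, tablespace, datafile, table and column names are hypothetical; the keystore directory must already be named in sqlnet.ora (ENCRYPTION_WALLET_LOCATION in 12.1), the key-management statements need the SYSKM privilege and the DDL needs DBA privileges. The "near zero" overhead claim depends on the CPU's AES instructions being available to the database. Caveat a practitioner should keep in mind: TDE protects files at rest only. Any session allowed to SELECT the table sees cleartext, and a keystore backed up next to the datafiles gives an attacker both lock and key.

```sql
-- Added example, hypothetical names. Run as a user holding SYSKM (keystore) and DBA (DDL) privileges.

-- 1. Create and open a software keystore, then set the master encryption key (12c syntax).
--    The keystore password protects the master key; the master key wraps the tablespace and column keys
--    (the "two-tier key management" on the slide).
ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '/etc/ORACLE/WALLETS/orcl' IDENTIFIED BY "Ks-Passw0rd!";
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "Ks-Passw0rd!";
ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY "Ks-Passw0rd!" WITH BACKUP USING 'initial_key';

-- 2. Tablespace encryption: every segment stored in it (tables, indexes, LOBs) is encrypted on disk,
--    so the same blocks are ciphertext in RMAN backups and in copies shipped off-site.
CREATE TABLESPACE secure_ts
  DATAFILE '/u01/app/oracle/oradata/orcl/secure_ts01.dbf' SIZE 100M
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

-- 3. Column encryption for a table that has to stay in an unencrypted tablespace.
--    SALT (the default) stops equal plaintexts producing equal ciphertexts; use NO SALT only if the
--    column must be indexed.
ALTER TABLE callcenter.customers MODIFY (credit_card ENCRYPT USING 'AES256' SALT);

-- 4. Checks a reviewer would run.
SELECT wrl_type, wrl_parameter, status, wallet_type FROM v$encryption_wallet;
SELECT tablespace_name, encrypted FROM dba_tablespaces;
SELECT owner, table_name, column_name, encryption_alg, salt, integrity_alg FROM dba_encrypted_columns;
```

To verify the "data at rest" claim rather than trust the views, search the datafile from the OS for a known plaintext value (for instance `strings secure_ts01.dbf | grep 4451-2172`); after encryption the match count should be zero, whereas a plain tablespace leaks the value to anyone who can read the file or a backup of it.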
Redaction of Sensitive Data Displayed
Preventive Control for Oracle Database 12c: Advanced Security
• Real-time redaction of application data based upon user name, IP, application context, and other session factors
• Full, partial, fixed redaction
• Library of redaction policies and point-and-click policy definition
• Transparent to typical applications
• No impact on operational activities
[Figure: the CUSTOMERS table stores credit card numbers 4451-2172-9841-4368, 5106-8395-2095-5938 and 7830-0032-0294-1827; through the redaction policy the Call Center Application sees xxxx-xxxx-xxxx-4368, while the Billing Department sees 4451-2172-9841-4368 in full]

Application Screen Before Redacting
Application Screens After Redacting

  DBMS_REDACT.ADD_POLICY(
    object_schema => 'CALLCENTER',
    object_name   => 'CUSTOMERS',
    column_name   => 'SSN'...
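The slide only shows the first three parameters of the call. As an added example (not Oracle's sample and not the speaker's code), here is a complete policy that produces the slide's two screens: the card number is partially redacted to xxxx-xxxx-xxxx-4368 for everyone except the BILLING session, and the SSN column is added to the same policy. The schema CALLCENTER.CUSTOMERS with columns CREDIT_CARD and SSN, the policy name and the BILLING user are assumptions; the caller needs EXECUTE on DBMS_REDACT.

```sql
-- Added example, hypothetical names. Run as a user with EXECUTE on DBMS_REDACT.
BEGIN
  -- Partial redaction: keep the last four digits of a formatted card number, mask the first twelve with 'x'.
  -- function_parameters = input format, output format, mask character, first masked position, last masked position.
  -- In the format strings V marks a digit that may be masked and F a fixed separator character.
  DBMS_REDACT.ADD_POLICY(
    object_schema       => 'CALLCENTER',
    object_name         => 'CUSTOMERS',
    column_name         => 'CREDIT_CARD',
    policy_name         => 'redact_cust_pii',
    function_type       => DBMS_REDACT.PARTIAL,
    function_parameters => 'VVVVFVVVVFVVVVFVVVV,VVVV-VVVV-VVVV-VVVV,x,1,12',
    -- Session factor: every session except the BILLING user gets the redacted value.
    -- Swap in SYS_CONTEXT(''USERENV'',''IP_ADDRESS'') or an application context to redact by IP or app.
    expression          => 'SYS_CONTEXT(''USERENV'',''SESSION_USER'') != ''BILLING''',
    enable              => TRUE);

  -- Add a second column to the same policy: SSN 203-33-3234 is shown as XXX-XX-3234.
  DBMS_REDACT.ALTER_POLICY(
    object_schema       => 'CALLCENTER',
    object_name         => 'CUSTOMERS',
    policy_name         => 'redact_cust_pii',
    action              => DBMS_REDACT.ADD_COLUMN,
    column_name         => 'SSN',
    function_type       => DBMS_REDACT.PARTIAL,
    function_parameters => 'VVVFVVFVVVV,VVV-VV-VVVV,X,1,5');
END;
/

-- Verify the policy and its columns.
SELECT object_owner, object_name, policy_name, expression FROM redaction_policies;
SELECT object_name, column_name, function_type, function_parameters FROM redaction_columns;

-- Expected results for the slide's sample row (constructed, given the policy above):
--   call center session:  SELECT credit_card FROM callcenter.customers;   -> xxxx-xxxx-xxxx-4368
--   BILLING session:      SELECT credit_card FROM callcenter.customers;   -> 4451-2172-9841-4368
```

Two caveats that matter when this is sold as a control: redaction rewrites the result set, not the stored data, so SYS and any user holding EXEMPT REDACTION POLICY see the original values; and it does not stop inference by a user who can write arbitrary predicates (`WHERE credit_card LIKE '4451%'` still returns rows). It is a display-layer control for applications, not a substitute for limiting who can run ad-hoc SQL against the table.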
Masking Data for Non-Production Use
Preventive Control for Oracle and non-Oracle Databases: Oracle Data Masking
• Replace sensitive application data
• Extensible template library and formats
• Referential integrity detected/preserved
• Application templates
• Integrates with Subsetting and Real Application Testing

Production                                Non-Production (Test, Dev)
LAST_NAME   SSN           SALARY          LAST_NAME    SSN           SALARY
AGUILAR     203-33-3234   40,000          ANSKEKSL     323-23-1111   40,000
BENSON      323-22-2943   60,000          BKJHHEIEDK   252-34-1345   60,000
Oracle Database Vault
Privileged User and Operational Controls
• Limit default powers of privileged users
• Enforce policy rules inside the database
• Violations audited, secured and sent to Oracle Audit Vault
• No application changes required
[Figure: one database hosting the Procurement, HR and Finance applications; a DBA running "select * from finance.customers" is stopped by Database Vault]

Oracle Database Vault: Realms Block DBA Privileges
• Block privileged database users from accessing application data
• Block threats from compromised privileged accounts
• Block application users from accessing other applications inside the same database
• Securely consolidate and use private or public cloud computing

Oracle Database Vault 12c
New Mandatory Realms Block Direct Object Grants
• Provide an additional security check before allowing authorized users to access application data
• Enable application DBA control by allowing patching while denying access to sensitive application data
• Freeze security settings identified by Privilege Analysis: roles, grants, ...
• Temporarily seal off entire application data in the event of a cyber threat
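The realm slides above describe the outcome but not the definition. As an added example (not from the deck and not Oracle's own sample), here is a 12c mandatory realm around the FINANCE schema that produces the slide's "select * from finance.customers" failure for a DBA while leaving the application owner working. The realm name, the FINANCE schema and the FIN_APP account are hypothetical; the block must run as the Database Vault owner account (DV_OWNER role) on a database where Database Vault is already configured and enabled (check DBA_DV_STATUS first).

```sql
-- Added example, hypothetical names. Run as the Database Vault owner (DV_OWNER role).
BEGIN
  -- realm_type => 1 makes this a mandatory realm (new in 12c): even a direct GRANT SELECT ON finance.customers
  -- does not get a user through unless the realm authorizes them. A regular realm (realm_type => 0) only
  -- blocks system privileges such as SELECT ANY TABLE and still honours direct object grants.
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'Finance Realm',
    description   => 'Protects finance application data from privileged users',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL,   -- record every blocked access
    realm_type    => 1);

  -- Put every object owned by FINANCE inside the realm ('%' wildcards name and type).
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'Finance Realm',
    object_owner => 'FINANCE',
    object_name  => '%',
    object_type  => '%');

  -- FIN_APP is a realm owner and keeps full access. An application DBA who must patch but not read data
  -- would instead be added as a participant tied to a rule set that only passes during a change window.
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name   => 'Finance Realm',
    grantee      => 'FIN_APP',
    auth_options => DBMS_MACUTL.G_REALM_AUTH_OWNER);
END;
/

-- Verify the realm, its protected objects and its authorizations.
SELECT name, enabled, audit_options, realm_type FROM dba_dv_realm WHERE name = 'Finance Realm';
SELECT realm_name, owner, object_name, object_type FROM dba_dv_realm_object WHERE realm_name = 'Finance Realm';
SELECT realm_name, grantee, auth_rule_set_name, auth_options FROM dba_dv_realm_auth WHERE realm_name = 'Finance Realm';

-- The slide's test, run from a DBA session that holds SELECT ANY TABLE:
--   SELECT * FROM finance.customers;
--   ORA-01031: insufficient privileges
```

The "temporarily seal off" bullet maps onto the same API: removing the application's realm authorization, or disabling the rule set it depends on, cuts every path into the schema in one statement without touching grants, which is why the slide pairs it with the privilege-analysis results rather than with a mass REVOKE.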
DETECTIVE Controls
Conditional Auditing
Detective Control for Oracle Databases: Framework for Conditional Auditing
• Audit based upon database session factors
• Audit only what is needed
• Group audit settings for manageability
• Out of the box policies

Example policy shown on the slide:
  Name:        My Audit Policy
  What:        ACTIONS ALL
  When:        WHEN IP != '10.288.241.88'
  Exceptions:  Except HR
(The address on the slide is illustrative; 288 is not a valid IPv4 octet.)
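As an added example (not from the deck), the slide's policy written in the Oracle Database 12c unified-auditing syntax it is describing, with the checks that show it is in force and the query that reads what it produces. The policy name is hypothetical, the address is a hypothetical valid one in place of the slide's 10.288.241.88, and the statements need the AUDIT_ADMIN role.

```sql
-- Added example, hypothetical policy name and address. Requires the AUDIT_ADMIN role.

-- "ACTIONS ALL" audits every auditable action; the WHEN clause restricts it to sessions that did not
-- come from the trusted address. The condition is a quoted SQL expression evaluated inside the database.
CREATE AUDIT POLICY my_audit_policy
  ACTIONS ALL
  WHEN 'SYS_CONTEXT(''USERENV'',''IP_ADDRESS'') != ''10.28.241.88'''
  EVALUATE PER SESSION;   -- checked once at logon; PER STATEMENT would re-evaluate on every statement

-- Enable it for everyone except the HR account (the slide's "Except HR" exception).
AUDIT POLICY my_audit_policy EXCEPT hr;

-- Checks: the policy definition and where it is enabled.
SELECT policy_name, audit_condition, condition_eval_opt
  FROM audit_unified_policies
 WHERE policy_name = 'MY_AUDIT_POLICY' AND ROWNUM = 1;
SELECT policy_name, enabled_opt, user_name
  FROM audit_unified_enabled_policies
 WHERE policy_name = 'MY_AUDIT_POLICY';

-- Read the records it produces.
SELECT event_timestamp, dbusername, client_program_name, action_name, object_schema, object_name, sql_text
  FROM unified_audit_trail
 WHERE unified_audit_policies LIKE '%MY_AUDIT_POLICY%'
 ORDER BY event_timestamp DESC;

-- Switch it off (the NOAUDIT must repeat the same EXCEPT clause) and drop it.
NOAUDIT POLICY my_audit_policy EXCEPT hr;
DROP AUDIT POLICY my_audit_policy;
```

Two practical notes: in 12.1 unified audit records are queued in memory before being written, so call DBMS_AUDIT_MGMT.FLUSH_UNIFIED_AUDIT_TRAIL before expecting a just-generated record to appear in the view; and ACTIONS ALL on every user is the opposite of "audit only what is needed", so in production the condition and the user list, not the action list, are what keep the trail small enough to be read.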
Audit Database Activity
Detective Control for Oracle and non-Oracle Databases: Oracle Audit Vault and Database Firewall
• Collect, analyze audit/event data
• Centralized secure repository
• Consolidated multi-source reporting
• Secure, scalable software appliance
• Out-of-the-box and custom reports
• Fine-grain separation of duties
[Diagram: audit data and event logs from databases, OS & storage, directories and custom sources feed Audit Vault, which produces alerts for the SOC, reports for the auditor, and policies]

Database Activity Monitoring and Firewall
Detective Control for Oracle and non-Oracle Databases: Oracle Audit Vault and Database Firewall
• Monitor network traffic, detect and block unauthorized database activity
• Detect/stop SQL injection attacks
• Highly accurate SQL grammar analysis
• Whitelist approach to enforce activity
• Blacklists for managing high risk activity
• Scalable secure software appliance
[Diagram: SQL from users and apps passes through the Database Firewall (SQL analysis, policy factors, whitelist, blacklist), which decides Allow, Log, Alert, Substitute or Block before the statement reaches the databases]

Oracle Audit Vault and Database Firewall
Detective Control for Oracle and non-Oracle Databases
[Diagram: Database Firewall events, together with audit data from databases, operating systems, file systems, directories and custom audit sources, flow into Audit Vault; users receive alerts, reports and policies from it]
ADMINISTRATIVE Controls
Configuration Management
Administrative Control for Oracle Databases: Oracle Database Lifecycle Management
Discover
• Discover and classify databases
Scan & Monitor
• Scan for secure configuration
• Follow compliance frameworks
• Detect unauthorized changes
Patch
• Patching and provisioning
Discover Use of Privileges and Roles
Administrative Control for Oracle Database 12c: Oracle Database Vault
• Turn on privilege capture mode
• Report on actual privileges and roles used in the database
• Helps revoke unnecessary privileges
• Enforce least privilege and reduce risks
• Increase security without disruption
[Figure: Privilege Analysis watches the DBA and APPADMIN roles during normal operation (Create..., Drop..., Update...) and reports that APPADMIN actually used only Update]

Oracle Database Vault
Privilege Analysis Demo
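The demo itself is not in the transcript. As an added example (not from the deck and not Oracle's own sample), here is the 12c privilege-capture cycle the slide describes, for the APPADMIN role in the figure: define a capture, record a representative workload, materialize the results, and read the used and unused privilege reports that justify the revocations. The capture name and the APPADMIN role are hypothetical; the caller needs the CAPTURE_ADMIN role.

```sql
-- Added example, hypothetical capture name and role. Requires the CAPTURE_ADMIN role.

-- 1. Define a capture scoped to the APPADMIN role and start recording.
--    G_DATABASE would capture every user; G_CONTEXT lets a condition such as
--    SYS_CONTEXT('USERENV','MODULE') pick out one application.
BEGIN
  DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE(
    name        => 'appadmin_role_capture',
    description => 'Which APPADMIN privileges are actually exercised',
    type        => DBMS_PRIVILEGE_CAPTURE.G_ROLE,
    roles       => role_name_list('APPADMIN'));
  DBMS_PRIVILEGE_CAPTURE.ENABLE_CAPTURE(name => 'appadmin_role_capture');
END;
/

-- 2. Run the application through a full business cycle (batch jobs, month-end, a patch) while the
--    capture is on. A capture that only spans a quiet afternoon reports live privileges as unused,
--    and revoking those is exactly the "disruption" the slide promises to avoid.

-- 3. Stop the capture and materialize its results.
BEGIN
  DBMS_PRIVILEGE_CAPTURE.DISABLE_CAPTURE(name => 'appadmin_role_capture');
  DBMS_PRIVILEGE_CAPTURE.GENERATE_RESULT(name => 'appadmin_role_capture');
END;
/

-- 4. Report: what the role really used, and what it holds but never touched.
SELECT username, used_role, sys_priv
  FROM dba_used_sysprivs
 WHERE capture = 'appadmin_role_capture'
 ORDER BY username, sys_priv;

SELECT username, used_role, sys_priv
  FROM dba_unused_sysprivs
 WHERE capture = 'appadmin_role_capture'
 ORDER BY username, sys_priv;

SELECT username, used_role, obj_priv, object_owner, object_name
  FROM dba_unused_objprivs
 WHERE capture = 'appadmin_role_capture'
 ORDER BY object_owner, object_name;

-- 5. Act on the report at the role, not per user, so one REVOKE changes every grantee and one GRANT
--    reverses it if something breaks. Example, for a privilege the unused report surfaced:
--    REVOKE CREATE ANY TABLE FROM appadmin;

-- 6. Clean up once the results have been reviewed.
BEGIN
  DBMS_PRIVILEGE_CAPTURE.DROP_CAPTURE(name => 'appadmin_role_capture');
END;
/
```

The reports are only as good as the workload captured, which is why the slide pairs this with Database Vault's "freeze security settings" bullet: the revocations come from observed use, and the realm then stops the grants creeping back.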
Discover Sensitive Data and Databases
Administrative Control for Oracle Database 12c: Oracle Enterprise Manager 12c
• Scan Oracle for sensitive data
• Built-in, extensible data definitions
• Discover application data models
• Protect sensitive data appropriately: encrypt, redact, mask, audit...
Take a database governance approach: PREVENTIVE, DETECTIVE and ADMINISTRATIVE controls
What really matters?
Oracle Database Security Resources
www.oracle.com/database/security
• Data Sheets
• Whitepapers
• Webcasts
• Case Studies
• Events
• News
• and more...
Questions?
Q&A