Oracle Database 11g: Lock Down Your Data
Privacy, Insider Threats, Compliance
Gary Quarles, Sales Consultant
Key Drivers for Data Security
Regulatory Compliance
• Sarbanes-Oxley (SOX), J-SOX, HIPAA
• GLBA
• Payment Card Industry (PCI)
• EU Privacy Directives, CA SB 1386, ...
• Adequate IT controls, COSO, COBIT
• Separation of duty, proof of compliance, risk assessment and monitoring
Insider/External Threats
• Large percentage of threats go undetected
• Outsourcing and off-shoring trend
• Customers want to monitor insider/DBA
Oracle Database Security
30 years of Innovation (1977 to 2007)
Timeline of security features, earliest first:
• Government customer (1977)
• Database Auditing
• Native Network Encryption (Oracle7)
• Strong authentication (PKI, Kerberos, RADIUS)
• Database Encryption API
• Virtual Private Database (8i)
• Global roles
• Enterprise User Security
• Proxy authentication
• Oracle Label Security
• Client Identifier / Identity propagation
• Secure application roles
• Fine Grained Auditing (9i)
• EM Configuration Scanning
• Transparent Data Encryption
• DB Security Evaluation #19
• Oracle Database Vault
• Oracle Audit Vault (2007)
Data Security Components
Diagram: four components (User Management, Access Control, Monitoring, Data Protection) built on Core Platform Security.
Data Security: Oracle Products
Core Platform Security, with Oracle products grouped by component:
User Management
• Oracle Identity Management
• Enterprise User Security
Access Control
• Oracle Database Vault
• Oracle Label Security
• Virtual Private Database
Monitoring
• Oracle Database Auditing
• Oracle Audit Vault
• EM Configuration Pack
Data Protection
• Oracle Advanced Security
• Oracle Secure Backup
Enterprise User Security (EUS)
• User Management for Compliance
• Centralized User Management
• Consolidate database accounts with shared database schemas
• Centrally managed DBAs
• Validated with Oracle Virtual Directory
• Enterprise Strong Authentication
  • Kerberos (MSFT, MIT)
  • PKI (x.509v3)
  • Password
  • SYSDBA Strong Auth
• Database Enterprise Edition Feature
• Requires Oracle Identity Management
• Available since Oracle 8.1.6
Diagram: HR, Financial and Customer databases authenticate enterprise users through EUS against Oracle Identity Management.
Need for Stronger and Transparent Access Control
• Key Drivers
  • Restrict full access to data for privileged users
    • Administrators
    • Developers/QA
    • Application Users
  • Easily implement environment based access control
    • User parameters
    • Network parameters
    • Database parameters
• Key Requirements
  • Applying on existing legacy applications
  • Support for custom policies
  • Difficult to circumvent
  • Minimal performance impact
Oracle Database Vault
Compliance and Insider Threats
• Controls on privileged users
  • Restrict DBA from application data
  • Provide Separation of Duty
  • Security for database and information consolidation
• Enforce data access security policies
  • Control who, when, where and how data is accessed
  • Make decisions based on IP address, time, authentication, ...
• Available on Oracle Database 10g Release 2 and Oracle Database 9.2.0.8
• Validated with PeopleSoft; validation for E-Business, Siebel and others in progress
Diagram: Database Vault components: Protection Realms, Multi-Factor Authorization, Command Rules, Separation of Duty, Reports.
Oracle Database Vault
Protection Realms
• Database DBA views HR data
• HR DBA views Fin. data
• Compliance and protection from insiders
• Eliminates security risks from server consolidation
Diagram: a database DBA, the HR DBA and the FIN DBA each issue "select * from HR.emp"; the HR Realm admits only HR's own access to HR data, and the Fin Realm protects FIN data in the same way.
Realms can be easily applied to existing applications with transparency and minimal performance impact.
Oracle Database Vault
Transparent Multi-factor Authorization
Diagram: two factor checks: a SELECT on HR data from an HR account is evaluated against the client IP address (an unexpected IP address is a factor), and a CREATE on FIN objects by the FIN DBA is evaluated against business hours.
Oracle Database Vault
Transparent Protection
1. Define Realms (block highly privileged users)
2. Add SQL Command Rules (optional)
3. Add other security policies (optional)
4. PL/SQL scripts to deploy security policies
5. Test your application
6. Consider application maintenance
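Steps 1, 2 and 4 of the list above as a PL/SQL deployment script, added here as an example and not taken from the deck: it builds a realm around a hypothetical FIN schema and a command rule combining the two factors shown on the multi-factor slide (business hours and client IP). FIN, FIN_DBA and the 192.0.2.% admin subnet are assumed names; the script runs as a Database Vault owner (DV_OWNER) on a database with Database Vault installed.

```sql
-- Added example (not from the slides). Hypothetical names: application schema FIN,
-- DBA account FIN_DBA; 192.0.2.% is a placeholder admin subnet. Run as DV_OWNER.

-- Step 1: realm around FIN. System ANY privileges (e.g. SELECT ANY TABLE from the DBA role)
-- stop at the realm boundary; only authorized accounts may exercise them inside it.
-- FIN_DBA is deliberately NOT authorized, which is what blocks "select * from FIN.*".
BEGIN
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'FIN Realm',
    description   => 'Protects financial application data from privileged users',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);        -- audit every blocked attempt
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name => 'FIN Realm', object_owner => 'FIN', object_name => '%', object_type => '%');
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name => 'FIN Realm', grantee => 'FIN', rule_set_name => NULL,
    auth_options => DBMS_MACUTL.G_REALM_AUTH_OWNER);
END;
/

-- Step 2: command rule with two factors. CREATE TABLE in FIN succeeds only when BOTH rules hold:
-- business hours (time factor) and a client IP inside the admin subnet (DVF.F$CLIENT_IP factor).
BEGIN
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Business Hours',
    rule_expr => 'TO_CHAR(SYSDATE, ''HH24'') BETWEEN ''08'' AND ''17''');
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Admin Subnet',
    rule_expr => 'DVF.F$CLIENT_IP LIKE ''192.0.2.%''');          -- placeholder subnet
  DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'FIN Maintenance Window',
    description     => 'DDL on FIN only from the admin subnet during business hours',
    enabled         => DBMS_MACUTL.G_YES,
    eval_options    => DBMS_MACUTL.G_RULESET_EVAL_ALL,          -- all rules must be true
    audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
    fail_options    => DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => 'FIN DDL is allowed only from the admin subnet during business hours',
    fail_code       => 20010,
    handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);
  DBMS_MACADM.ADD_RULE_TO_RULE_SET(rule_set_name => 'FIN Maintenance Window',
    rule_name => 'Business Hours', rule_order => 1, enabled => DBMS_MACUTL.G_YES);
  DBMS_MACADM.ADD_RULE_TO_RULE_SET(rule_set_name => 'FIN Maintenance Window',
    rule_name => 'Admin Subnet', rule_order => 2, enabled => DBMS_MACUTL.G_YES);
  DBMS_MACADM.CREATE_COMMAND_RULE(
    command => 'CREATE TABLE', rule_set_name => 'FIN Maintenance Window',
    object_owner => 'FIN', object_name => '%', enabled => DBMS_MACUTL.G_YES);
END;
/

-- Step 5: test from a FIN_DBA session. A SELECT on FIN tables through SELECT ANY TABLE now
-- fails with ORA-01031; CREATE TABLE in FIN outside the window fails with ORA-47400 and the
-- custom message. Verify the configuration from the DV data dictionary:
SELECT name, enabled FROM dvsys.dba_dv_realm WHERE name = 'FIN Realm';
SELECT command, object_owner, rule_set_name, enabled
  FROM dvsys.dba_dv_command_rule WHERE object_owner = 'FIN';
```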
Major Financial Services Company
Use Case
• Control Privileged Users
  • Prevent DBAs from accessing sensitive data in Realms
  • Setup multiple levels of DBAs
• Control Access based upon environmental factors
  • Restrict hostnames authorized to access the DB
  • Control access based on geography
• Control use of ad-hoc query tools; Enforce maintenance periods
  • Restrict connections by ad-hoc query tools to maintenance times
• Control Patching activity
  • Patching activity requires another monitoring user to be logged in
  • Control unauthorized database changes
Noel Yuhanna
Research Analyst, Forrester
“The Database Vault features will be in demand, especially for
databases that contain private data. Enterprises want their
administrators to manage their databases, not data.
Oracle is leading the pack of database makers with the new access
restriction features. Microsoft, IBM and Sybase don't have anything
like this.”
Oracle wants to rein in database admins
ZDnet News, April 25, 2006
Need for Label Authorizations
• Key Driver
  • Extended security authorizations for need-to-know enforcement
  • Payment Card Industry (PCI) requirement
  • Protection of PII data
  • Multi-level security (Government & Defense)
• Key Requirements
  • Transparent
  • Performant
  • Highly Adaptable
  • Evaluated (Government & Defense)
Oracle Label Security
Label Based Access Control
• Extend security authorizations
  • Label authorizations
• Data Classification
  • Sensitivity labels
• Flexible and Adaptable
  • Database & Application users
  • Multiple enforcement options
  • Built-in mediation routines
  • Available since Oracle8i
Diagram: rows carry the sensitivity labels Sensitive: PII, Confidential and Public; a user holding the label authorization Confidential reaches them through Oracle Label Security access mediation.
Oracle Label Security
Additional Factors for Database Vault
Oracle Label Security: Multi-level (row level) Security, Government & Defense
Sample table with columns Case, Operation, Status, Start Date and Sensitivity Label; Operation and Sensitivity Label values:

Operation | Sensitivity Label
Pacific Alpha | Secret
Project Secure Border | Top Secret
Latin America Operation | Secret
Desert Storm | Secret
Border Protection Alpha | Top Secret
Secure Flights | Public

See OLS Best Practices for Government and Defense TWP on OTN
Oracle Label Security
Manageability
• Comprehensive API Available
• Integrated with Oracle Identity Management
Graciela Mucci
CIO, ARTEAR
“Instead of maintaining security policies in our applications
and database, Oracle Label Security allowed us to apply
these access controls where it matters most: the centralized
database on a scalable Oracle RAC system.”
Sept. '06
Oracle Label Security
Deployment Guide
1. Identify and define labels based on company programs and/or data (new ones can be defined later)
2. Provision user label authorizations (database or Oracle Identity Management; database or application users)
3. Apply OLS functions in applications or database (extend Database Vault Factors, Command rules, Separation of Duty, VPD)
4. Use GUI or API to protect application tables (optional; required only if you want transparent access mediation for multi-level security)
5. Label data (optional; required only if you want transparent access mediation for multi-level security)
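Steps 1, 2, 4 and 5 of the deployment guide as OLS API calls, added here as an example and not from the deck: the OPS schema, the OPS.CASES table (constructed after the sample table above), the OPS_POLICY policy and the ANALYST1 user are all hypothetical names, and the script assumes the LBAC_DBA role for the policy definition and the OPS account for labelling.

```sql
-- Added example (not from the slides). Hypothetical names: schema OPS, table OPS.CASES,
-- policy OPS_POLICY, user ANALYST1. Policy steps run as a user holding LBAC_DBA.

-- Constructed sample data modelled on the slide's table (label column is added by OLS later)
CREATE TABLE ops.cases (
  case_id    NUMBER PRIMARY KEY,
  operation  VARCHAR2(40),
  status     VARCHAR2(20),
  start_date DATE
);
INSERT INTO ops.cases VALUES (1, 'Pacific Alpha',         'Active', DATE '2007-01-15');
INSERT INTO ops.cases VALUES (2, 'Project Secure Border', 'Active', DATE '2007-03-01');
INSERT INTO ops.cases VALUES (3, 'Secure Flights',        'Closed', DATE '2006-11-20');
COMMIT;
GRANT SELECT ON ops.cases TO analyst1;   -- discretionary grant; OLS mediation applies on top

-- Step 1: define the policy and its sensitivity levels. The policy column OPS_LABEL is added
-- to every table the policy is applied to.
BEGIN
  SA_SYSDBA.CREATE_POLICY(policy_name => 'OPS_POLICY', column_name => 'OPS_LABEL',
                          default_options => 'READ_CONTROL,WRITE_CONTROL');
  SA_COMPONENTS.CREATE_LEVEL('OPS_POLICY', 10, 'P',  'PUBLIC');
  SA_COMPONENTS.CREATE_LEVEL('OPS_POLICY', 20, 'S',  'SECRET');
  SA_COMPONENTS.CREATE_LEVEL('OPS_POLICY', 30, 'TS', 'TOP SECRET');
END;
/

-- Step 2: label authorizations. ANALYST1 may read up to SECRET; the schema owner is given FULL
-- so it can label rows once WRITE_CONTROL is enforced.
BEGIN
  SA_USER_ADMIN.SET_LEVELS(policy_name => 'OPS_POLICY', user_name => 'ANALYST1',
                           max_level => 'S', min_level => 'P', def_level => 'S', row_level => 'S');
  SA_USER_ADMIN.SET_USER_PRIVS(policy_name => 'OPS_POLICY', user_name => 'OPS', privileges => 'FULL');
END;
/

-- Step 4: protect the table. HIDE keeps OPS_LABEL out of SELECT * so existing applications
-- see the same column list as before.
BEGIN
  SA_POLICY_ADMIN.APPLY_TABLE_POLICY(policy_name => 'OPS_POLICY', schema_name => 'OPS',
    table_name => 'CASES', table_options => 'READ_CONTROL,WRITE_CONTROL,HIDE');
END;
/

-- Step 5: label the rows (connected as OPS, which holds FULL on the policy)
UPDATE ops.cases SET ops_label = CHAR_TO_LABEL('OPS_POLICY', 'S')  WHERE case_id = 1;
UPDATE ops.cases SET ops_label = CHAR_TO_LABEL('OPS_POLICY', 'TS') WHERE case_id = 2;
UPDATE ops.cases SET ops_label = CHAR_TO_LABEL('OPS_POLICY', 'P')  WHERE case_id = 3;
COMMIT;

-- Mediation check: connected as ANALYST1 (max level S), case 2 (TOP SECRET) is filtered out
SELECT case_id, operation, LABEL_TO_CHAR(ops_label) AS label FROM ops.cases;
```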
Need for Fine-grained Access Control
Database enforced query modification
• Key Driver
  • Data consolidation requires stronger security
  • Large warehouses need to logically partition information
  • Database enforced security simplifies applications
• Key Requirements
  • Transparent
  • Performant
  • Highly Adaptable
Virtual Private Database
Policy-based query modification
• Database enforced security policies for query modification
• Introduced in Oracle8i
• Attach to table, view, table + column
Diagram: the application issues "Select * from employees"; VPD appends "where account_mgt_id = 148", and only that manager's rows (SOCIAL SECURITY NUMBER values 431-395-9332 and 381-395-9223) are returned.
Virtual Private Database
Column Relevant Policies (10g)
Diagram: "Select cust_last_name, social_security_number from accts;" references the sensitive column, so the VPD column relevant policy on SOCIAL SECURITY NUMBER is enforced and only the permitted values (431-395-9332, 381-395-9223) are returned.
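The policy function and DBMS_RLS calls behind the two VPD slides above, added here as an example and not from the deck: HR.EMPLOYEES, HR.ACCTS and the mapping table HR.ACCOUNT_MANAGERS are hypothetical, and a lookup on the session user stands in for the slide's literal 148.

```sql
-- Added example (not from the slides). Hypothetical objects: HR.EMPLOYEES and HR.ACCTS with an
-- ACCOUNT_MGT_ID column, and HR.ACCOUNT_MANAGERS(db_user, account_mgt_id) mapping DB users
-- to the account manager id they may see.

-- The policy function is called by the kernel and returns the predicate text VPD appends.
CREATE OR REPLACE FUNCTION hr.acct_mgr_predicate (
    schema_var IN VARCHAR2,
    table_var  IN VARCHAR2
) RETURN VARCHAR2 IS
BEGIN
    -- Derive the manager from the authenticated session, never from a value the client supplies.
    RETURN 'account_mgt_id = (SELECT m.account_mgt_id FROM hr.account_managers m '
        || 'WHERE m.db_user = SYS_CONTEXT(''USERENV'', ''SESSION_USER''))';
END;
/

-- Slide 1: row-level policy. "select * from employees" is rewritten with the predicate for
-- SELECT, UPDATE and DELETE; update_check also blocks writes that would escape the predicate.
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'HR',
    object_name     => 'EMPLOYEES',
    policy_name     => 'EMP_ACCT_MGR_ROWS',
    function_schema => 'HR',
    policy_function => 'ACCT_MGR_PREDICATE',
    statement_types => 'SELECT, UPDATE, DELETE',
    update_check    => TRUE);
END;
/

-- Slide 2: column relevant policy (10g). The predicate is applied only when
-- SOCIAL_SECURITY_NUMBER is referenced; with ALL_ROWS every row is still returned but the
-- SSN is NULL-masked on rows that fail the predicate (ALL_ROWS is SELECT-only).
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema         => 'HR',
    object_name           => 'ACCTS',
    policy_name           => 'ACCTS_SSN_MASK',
    function_schema       => 'HR',
    policy_function       => 'ACCT_MGR_PREDICATE',
    statement_types       => 'SELECT',
    sec_relevant_cols     => 'SOCIAL_SECURITY_NUMBER',
    sec_relevant_cols_opt => DBMS_RLS.ALL_ROWS);
END;
/

-- Verify both policies are attached and enabled. Note that accounts holding the
-- EXEMPT ACCESS POLICY system privilege bypass VPD entirely, so review who has it.
SELECT object_name, policy_name, sel, upd, del, enable
  FROM dba_policies WHERE object_owner = 'HR';
SELECT grantee FROM dba_sys_privs WHERE privilege = 'EXEMPT ACCESS POLICY';
```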
The Need for Encryption
• Key Drivers
  • Millions of records lost and many more vulnerable
  • Worldwide privacy, security and compliance regulations
  • Personal privacy data: Credit Cards, Social ID, ...
  • PCI, California SB 1386, Country-specific laws
• Key Requirements
  • Encrypting data in existing applications with minimal perf impact
  • Automated Key Management
Diagram: customer credit card numbers exposed when disks are replaced for maintenance, laptops are stolen or backups are lost.
Oracle Advanced Security
Transparent Encryption and Strong Authentication
Diagram: Strong Authentication (PKI, Kerberos) and Transparent Network Encryption protect the client connection; Transparent Data Encryption encrypts data transparently as it is written to disk and decrypts it transparently through the SQL interface; with RMAN, entire backups sent to disk can be encrypted.
Oracle Advanced Security
Transparent Data Encryption Manageability (11g)
Oracle Advanced Security
Oracle Database 11g Enhancements
• Tablespace Encryption
• Define a new tablespace as ‘encrypted’
• No need to specify columns
• Even more transparent than existing column TDE
• Supports range scans
• Supports foreign keys
• Existing content can be moved into encrypted tablespaces
• SECUREFILE LOB encryption
• Hardware Security Module Integration
• Generate, store and manage master key in an external hardware device
• Standard PKCS #11 API allows customers to choose from HSM vendors
Transparent Data Encryption
Easy Uptake
• No changes to existing applications
• No triggers, no views
• Minimal performance impact
• Built-in key management
• No crash-course needed in encryption or key
management; just focus on business logic
• Simple alter table statement
• Include changes in a script
TDE supported by Oracle E-Business Suite and SAP
Transparent Data Encryption
Deployment Guide for Column Encryption
1. Identify columns holding sensitive data (credit cards, SSN, ...)
2. Verify TDE supports the datatype (TDE supports most commonly used datatypes; visit OTN for a complete list of data types and more)
3. Verify the column is not part of a foreign key (simple data dictionary query)
4. Encrypt existing and new data (SQL*Developer GUI or command line DDL, ALTER TABLE ...)
Transparent Data Encryption
Deployment Guide for Tablespace Encryption (11g)
1. Identify tables holding sensitive data (credit card numbers, SSN, other personally identifiable data (PII))
2. Create new encrypted tablespaces
3. Move tables into new encrypted tablespaces
Steps 2 and 3: using EM or command line
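The two deployment guides above as SQL, added here as an example and not from the deck: the dictionary checks for steps 2 and 3 of the column guide, the ALTER TABLE of step 4, then the 11g tablespace variant. HR.EMPLOYEES.SSN, FIN.CARD_TXN, its index FIN.CARD_TXN_PK and the FIN_ENC tablespace are hypothetical names; the datafile path and wallet password are placeholders.

```sql
-- Added example (not from the slides). Hypothetical names: HR.EMPLOYEES.SSN, FIN.CARD_TXN,
-- FIN.CARD_TXN_PK, tablespace FIN_ENC. Datafile path and wallet password are placeholders.

-- Column guide, step 2: the candidate column's datatype (LOB and LONG are not column-TDE candidates)
SELECT data_type, data_length
  FROM dba_tab_columns
 WHERE owner = 'HR' AND table_name = 'EMPLOYEES' AND column_name = 'SSN';

-- Column guide, step 3: is the column on either side of a foreign key? Column TDE refuses FK
-- columns, so this query must return no rows before step 4.
SELECT con.owner, con.table_name, con.constraint_name, con.constraint_type
  FROM dba_constraints con
  JOIN dba_cons_columns cc
    ON cc.owner = con.owner AND cc.constraint_name = con.constraint_name
 WHERE cc.owner = 'HR' AND cc.table_name = 'EMPLOYEES' AND cc.column_name = 'SSN'
   AND (con.constraint_type = 'R'
        OR con.constraint_name IN (SELECT r_constraint_name FROM dba_constraints
                                    WHERE constraint_type = 'R'));

-- One-time wallet and master key creation (built-in key management). After each instance
-- restart the wallet is opened with the commented statement instead.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "<wallet-password-placeholder>";
-- ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "<wallet-password-placeholder>";

-- Column guide, step 4: encrypt existing and new data in place with a single ALTER TABLE.
-- SALT (the default) stops equal plaintexts producing equal ciphertexts; use NO SALT only
-- when the column must stay indexable.
ALTER TABLE hr.employees MODIFY (ssn ENCRYPT USING 'AES256');

-- Tablespace guide, steps 2 and 3 (11g): whole tablespace, so range scans and foreign keys work
CREATE TABLESPACE fin_enc
  DATAFILE '/u01/oradata/ORCL/fin_enc01.dbf' SIZE 200M
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

ALTER TABLE fin.card_txn MOVE TABLESPACE fin_enc;
ALTER INDEX fin.card_txn_pk REBUILD TABLESPACE fin_enc;   -- indexes are not moved with the table

-- Verify. MOVE writes a fresh encrypted copy, but the clear-text blocks in the old tablespace
-- stay on disk until reused, so dropping or scrubbing the old datafiles is part of the rollout.
SELECT owner, table_name, column_name, encryption_alg, salt FROM dba_encrypted_columns;
SELECT tablespace_name, encrypted FROM dba_tablespaces WHERE tablespace_name = 'FIN_ENC';
```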
Need for Auditing Database Activity
• Key Drivers
  • Regulatory Compliance (SOX, PCI, Privacy, ...)
  • Risk assessment and compensating controls
  • Demonstrate controls for compliance
  • Security
  • Detect misuse of privileges
• Key Requirements
  • Collect audit trail data from many audit silos
  • Automate review of the audit trail logs, and raise alerts
  • Centralize audit policy management
  • Secure the audit trail
  • Minimize performance impact on production systems
Auditing in the Oracle Database
Robust, Flexible, and High Fidelity Audit
• Industry's most advanced
  • Robust auditing since Oracle 7 (1993)
  • Audit statement, privileges, statement event, failure or success, SYS auditing
  • Fine grained auditing introduced in Oracle9i (2001)
  • Flexible format supporting XML, SYSLOG, database tables, Windows event viewer
• Used by customers today in nearly all markets
  • Finance
  • Healthcare
  • Government
Oracle Database Auditing
Overview
• Statement auditing
  • Selective auditing of related groups of DDL/DML statements regarding a particular type of database structure or schema object
  • Can be specified for all users or for only a select list
• Privilege auditing
  • Auditing of statements that require the use of a system privilege
  • Can be specified for all users or for only a select list
• Schema object auditing
  • Auditing of all SELECT and DML statements that require the use of schema object privileges
  • For all users; cannot be set for a specific list of users
Oracle Database Auditing
Overview
• Fine Grained Auditing
  • Introduced in Oracle9i
  • Policy / condition based auditing
  • Audit policies stored in database, associated with tables
  • Policy invoked (audit condition tested) when table is accessed; can audit when specific column is accessed
Diagram: an audit policy stored in the database (Where Salary > 500000, AUDIT COLUMN = Salary) is enforced when "Select name, salary from emp where..." is executed, and an audit record is generated.
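The policy from the diagram above as a DBMS_FGA call, added here as an example and not from the deck: HR.EMP with NAME and SALARY columns is taken from the slide, the DEPT column and the 500000 threshold's owner HR are assumed.

```sql
-- Added example (not from the slides). Hypothetical table HR.EMP(name, salary, dept).

-- Policy stored in the database and bound to the table: a record is written only when an
-- accessed row satisfies the condition AND the statement references the audited column.
BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema     => 'HR',
    object_name       => 'EMP',
    policy_name       => 'AUDIT_HIGH_SALARY',
    audit_condition   => 'SALARY > 500000',
    audit_column      => 'SALARY',
    statement_types   => 'SELECT,UPDATE',
    audit_trail       => DBMS_FGA.DB + DBMS_FGA.EXTENDED,   -- keep SQL text and bind values
    audit_column_opts => DBMS_FGA.ANY_COLUMNS);
END;
/

-- Generates a record for each execution that returns a row with SALARY > 500000:
SELECT name, salary FROM hr.emp WHERE dept = 10;

-- Referencing SALARY only in the WHERE clause also counts as access to the audited column:
SELECT name FROM hr.emp WHERE salary > 600000;

-- No record even if high earners are in the result, because SALARY is not referenced:
SELECT name FROM hr.emp WHERE dept = 10;

-- Review the fine grained audit trail. CLIENT_ID carries the end-user identity when the
-- application sets it (see the Audit Vault integration slide), so the record names the person,
-- not just the shared application account.
SELECT timestamp, db_user, os_user, client_id, object_schema, object_name,
       statement_type, sql_text, sql_bind
  FROM dba_fga_audit_trail
 WHERE policy_name = 'AUDIT_HIGH_SALARY'
 ORDER BY timestamp;
```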
Oracle Audit Vault
Trust-but-Verify
• Collect and Consolidate Audit Data
  • Oracle 9i Release 2 and higher
• Simplify Compliance Reporting
  • Built-in reports
  • Custom reports
• Detect and Prevent Insider Threats
  • Alert suspicious activity
• Scale and Security
  • Robust Oracle Database technology
  • Database Vault, Advanced Security
  • Partitioning
• Lower IT Costs with Audit Policies
  • Centrally manage/provision audit settings
Diagram: Audit Vault (Monitor, Policies, Reports, Security) collects from Oracle Database 9iR2, 10gR1, 10gR2 and 11gR1; other sources and databases are shown as future.
Audit Vault Reports
Out-of-the-box Audit Assessments & Custom Reports
• Out-of-the-box reports
  • Privileged user activity
  • Access to sensitive data
  • Role grants
  • DDL activity
  • Login/logout
• User-defined reports
  • What privileged users did on the financial database?
  • What user 'A' did across multiple databases?
  • Who accessed sensitive data?
• Custom reports
  • Oracle BI Publisher, Application Express, or 3rd party tools
Oracle Audit Vault Data Warehouse
Scalable, Flexible & Secure
• Audit Warehouse
• Enable business intelligence and analysis
• Performance and Scalability
• Built-in partitioning
• Scales to Terabytes
• Security
• Separation of Duty
• Oracle Database Vault
• Oracle Advanced Security
• Oracle RAC certified
Oracle Audit Vault
Manageability
• Audit Vault Dashboard
  • Enterprise overview
  • Alerts and Reports
  • Administration
  • Audit Policies
• Audit Vault Policies
  • Provision database audit settings centrally for compliance policies
  • Collection of audit settings on the databases
  • Compare against existing audit settings on source
  • Demonstrate compliance
Ari Kaplan
President
Independent Oracle Users Group (IOUG)
"If they're smart, a DBA can modify data and cover their
tracks since DBAs tend to have unlimited access to
databases. The technologies in Oracle's vaulting software
make that impossible since every action a DBA executes
effectively goes into a lockbox that they are powerless to
modify."
July '07
Integrating with Oracle Audit Vault
Levels of Integration
• Leverage native database auditing beneath Apps
  • Turn ON database auditing under application for compliance specific events (DDL, DBA logins)
  • Low performance impact utilizing OS audit trail records
  • Fine-grained-audit (FGA) specific to sensitive tables
• End-user Identity Propagation
  • Pass "Client identifier" from mid-tier or initialize after connection, recorded in Audit trail
• Extensible reporting
  • Build custom reports against Audit Vault warehouse
  • Use Audit Vault SDK for application specific auditing
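The first two integration levels above, and the statement, privilege and schema object auditing described on the Oracle Database Auditing overview slide, as SQL, added here as an example and not from the deck: FIN.CARD_TXN is a hypothetical table, and the end-user identifier "jdoe@portal" is a constructed value a mid-tier would set.

```sql
-- Added example (not from the slides). Hypothetical table FIN.CARD_TXN; 'jdoe@portal' is a
-- constructed end-user identifier set by the application tier.

-- Audit trail destination. AUDIT_TRAIL and AUDIT_SYS_OPERATIONS are static: restart needed.
-- 'OS' or 'XML' writes OS files, the low-impact option the slide mentions; 'DB,EXTENDED'
-- writes to AUD$ with SQL text and binds.
ALTER SYSTEM SET audit_trail = 'DB,EXTENDED' SCOPE = SPFILE;
ALTER SYSTEM SET audit_sys_operations = TRUE SCOPE = SPFILE;   -- SYS auditing

-- Privilege auditing: administrative and DDL-class events, one record per occurrence
AUDIT CREATE USER, ALTER USER, DROP USER BY ACCESS;
AUDIT GRANT ANY PRIVILEGE, GRANT ANY ROLE BY ACCESS;
AUDIT ALTER ANY TABLE, DROP ANY TABLE BY ACCESS;

-- Statement auditing: logins and logouts for all users (DBA logins included)
AUDIT SESSION;

-- Schema object auditing on a sensitive table; applies to all users, cannot be narrowed
AUDIT SELECT, UPDATE, DELETE ON fin.card_txn BY ACCESS;

-- End-user identity propagation: the mid-tier connects as the shared application account
-- and tags the pooled session with the real user before running its statements.
BEGIN
  DBMS_SESSION.SET_IDENTIFIER('jdoe@portal');
END;
/
SELECT * FROM fin.card_txn WHERE txn_id = 42;
-- Clear it before the connection goes back to the pool, or the next borrower's
-- actions are attributed to jdoe@portal.
BEGIN
  DBMS_SESSION.CLEAR_IDENTIFIER;
END;
/

-- Review: USERNAME is the shared DB account, CLIENT_ID the propagated end user.
-- A nonzero RETURNCODE records a failed attempt (e.g. ORA-01031), which is what the
-- insider-threat alerting is built on.
SELECT timestamp, username, client_id, action_name, owner, obj_name, returncode
  FROM dba_audit_trail
 WHERE owner = 'FIN' AND obj_name = 'CARD_TXN'
 ORDER BY timestamp DESC;
```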
Oracle Audit Vault
Transparently collecting audit data
1. Define Audit Policies (privileged users, DDL, fine grained audit (sensitive data))
2. Configure Collectors (AUD$, OS, redo)
3. Setup Alerts (new user creations, sensitive data access)
4. Run Reports (out-of-the-box or build custom using open data warehouse schema)
Oracle Database 11g
Core Database Security Enhancements
• Secure Configuration
• Continuation of Secure By Default initiative started in Oracle9i
• Password management settings
• Audit sensitive administrative operations by default
• Stronger password verifier
• Case sensitive passwords
• Backward compatibility mode
• Expanded Kerberos support
• Support principal names up to 2000 characters in length
• Cross realm support
Release wide map of Security Products
Matrix of solutions by release (columns: Oracle Database 8i, 9iR1, 9iR2, 10g R1, 10g R2, 11gR1); rows:
• Database Auditing
• Fine Grained Auditing
• Virtual Private Database
• Label Security
• Client Identifier
• Enterprise User Security
• Network Encryption
• Encryption API
• Transparent Data Encryption
• Tablespace Encryption
• Privileged User Controls
• Command Rules / Factors
Learn More
Technology Overview
• Visit: oracle.com/security
View Whitepapers and webinars
Technical Information, Demos, Software
• Visit OTN: otn.oracle.com -> products ->
database -> security and compliance
• PCI matrix
• Step by step examples for Database Vault, Transparent
Data Encryption and more