Miss Scarlet with a lead pipe, in the library

Cluedo - the game
• Players: 3 to 6
• Contents: Clue game board, six suspect tokens, six murder weapons, 21 cards, secret envelope, one die, pad of detective notebook sheets.
• Goal: To correctly name the murderer, murder weapon, and murder location.
• Setup: Sort the cards by type and shuffle each pile face down. Without looking, take one suspect card, one weapon card, and one room card, and slide them into the secret envelope.
Cluedo - the tools
Deon Roos
Enterprise Architect
Oracle Corporation South Africa

[Diagram: the suspects in a database environment. Users and systems: End User, Power Users, Report Server, Developer, Dev/QA/Test, Quality Assurance, Prod. Privileged staff: Sys Admin, Network Admin, Storage Admin, DBA. Infrastructure: Storage, HW Vendor, Backup Server. And the hAck3rs.]
Database Defense-in-Depth
Four layers, each backed by Oracle products:
• Encryption and Masking: Oracle Advanced Security, Oracle Secure Backup, Oracle Data Masking
• Access Control: Oracle Database Vault, Oracle Label Security
• Auditing and Monitoring: Oracle Audit Vault, Oracle Configuration Management, Oracle Total Recall
• Blocking and Logging: Oracle Database Firewall
[Diagram: the same environment, now with SSL marked on the client connections to the database (encryption of data in transit).]
[Diagram: the same environment, with the data classified as Sensitive, Confidential and Public, the labels that drive access control.]
[Diagram: the same environment, with a configuration-management lifecycle laid over it: Discover, Classify, Assess, Prioritize, Fix, Monitor. Supporting functions: Asset Management, Policy Management, Vulnerability Management, Configuration Management & Audit, Analysis & Analytics.]
Audit Vault
Why Audit?
• Compliance mandates it
  – SOX, PCI-DSS, HIPAA, ...
• Your auditor told you to do it
• You don't want to end up in the news
• Maintain customer trust

Business drivers
• Detective controls
  – Monitor privileged application user accounts for non-compliant activity: trust but verify
  – Audit non-application access to sensitive data (credit card numbers, financial data, personally identifiable information, etc.)
  – Verify that no one is trying to bypass the application security controls
  – Detect line items that are changed in order to avoid business processes and approvals
• Cost of compliance
  – Eliminate costly and complex scripts for reporting
  – Reduce reporting costs for specific compliance audits
Standard Auditing
• Statement auditing
  – Audits SQL statements by type of statement, not by the specific schema objects on which the statement operates
  – Data definition statements (DDL)
  – Data manipulation statements (DML)
• Object auditing
  – Schema object auditing is the auditing of specific statements on a particular schema object
• Privilege auditing
  – Privilege auditing is the auditing of SQL statements that use a system privilege. You can audit activities of all database users or of only a specified list of users.
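The three kinds of standard auditing above, as an added worked example that is not part of the presentation. It uses the traditional AUDIT statement of Oracle Database 10g/11g; the schema HR, the table EMPLOYEES and the account APP_BATCH are assumed names for illustration.

```sql
-- Added example (not from the presentation): turning on the three kinds of standard
-- auditing with the traditional AUDIT statement (Oracle Database 10g/11g).
-- The schema HR, table EMPLOYEES and user APP_BATCH are assumed names.

-- Standard auditing writes nothing until AUDIT_TRAIL is set. It is a static
-- parameter, so this takes effect only after the instance is restarted.
-- DB,EXTENDED also keeps the statement text and bind values in SYS.AUD$.
ALTER SYSTEM SET audit_trail = DB, EXTENDED SCOPE = SPFILE;
-- SYS and SYSDBA/SYSOPER sessions are NOT covered by standard auditing; they are
-- written to the OS audit directory only when this is set as well.
ALTER SYSTEM SET audit_sys_operations = TRUE SCOPE = SPFILE;

-- 1. Statement auditing: by statement type, whatever object the statement touches.
AUDIT TABLE;                                   -- DDL: CREATE/DROP/TRUNCATE TABLE by anyone
AUDIT ROLE;                                    -- DDL: CREATE/ALTER/DROP/SET ROLE
AUDIT SYSTEM GRANT;                            -- GRANT/REVOKE of system privileges and roles
AUDIT INSERT TABLE, UPDATE TABLE, DELETE TABLE -- DML, but only for one batch account,
      BY app_batch BY ACCESS;                  -- one audit record per statement
AUDIT SESSION WHENEVER NOT SUCCESSFUL;         -- every failed logon attempt

-- 2. Object auditing: named statements on one particular schema object.
AUDIT SELECT, INSERT, UPDATE, DELETE ON hr.employees BY ACCESS;
AUDIT GRANT ON hr.employees BY ACCESS;         -- who hands out access to the object

-- 3. Privilege auditing: statements that succeed only because of a system privilege,
--    e.g. a DBA reading HR data through SELECT ANY TABLE rather than an explicit grant.
AUDIT SELECT ANY TABLE, UPDATE ANY TABLE, DELETE ANY TABLE BY ACCESS;
AUDIT GRANT ANY PRIVILEGE, GRANT ANY ROLE BY ACCESS;

-- 4. Verify what is actually in effect. SUCCESS/FAILURE read BY SESSION, BY ACCESS
--    or NOT SET; in the object view 'A/A' means audited by access on success and failure.
SELECT audit_option, user_name, success, failure FROM dba_stmt_audit_opts ORDER BY 1;
SELECT privilege,    user_name, success, failure FROM dba_priv_audit_opts ORDER BY 1;
SELECT object_name, sel, ins, upd, del, gra
  FROM dba_obj_audit_opts
 WHERE owner = 'HR';
```

Run the ALTER SYSTEM statements as SYSDBA and restart before expecting records. BY ACCESS costs one row per statement, so apply it to the sensitive objects and privileges rather than to everything; the trail lands in SYS.AUD$, which the DBA being audited can also delete, which is the segregation-of-duties problem the next slides address.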
What do you need to audit?

[Table: six database audit requirements, each marked against the regulations that mandate it: SOX, PCI DSS, HIPAA, Basel II, FISMA, GLBA. The per-regulation marks are not recoverable here; every requirement is marked for several of the six.]

• Accounts, Roles & Permissions: Do you have visibility of GRANT and REVOKE activities?
• Failed Logins: Do you have visibility of failed logins and other exception activities?
• Privileged User Activity: Do you have visibility of privileged users' activities?
• Access to Sensitive Data: Do you have visibility into what information is being queried (SELECTs)?
• Schema Changes: Are you aware of CREATE, DROP and ALTER commands that are occurring on identified tables / columns?
• Data Changes: Do you have visibility into INSERT, UPDATE, MERGE and DELETE commands?

HIPAA: Health Insurance Portability and Accountability Act. FISMA: Federal Information Security Management Act. GLBA: Gramm-Leach-Bliley Act.
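The six questions above as queries over the standard audit trail, an added example that is not from the presentation. It assumes AUDIT_TRAIL is DB,EXTENDED (otherwise SQL_TEXT is empty) and that auditing is enabled for the objects and privileges involved; HR.EMPLOYEES and the application account HR_APP are assumed names.

```sql
-- Added example (not from the presentation): reading the standard audit trail
-- (DBA_AUDIT_TRAIL, a view over SYS.AUD$) to answer the six requirements.
-- Assumes AUDIT_TRAIL=DB,EXTENDED and that the relevant audit options are on.
-- HR.EMPLOYEES and the application account HR_APP are assumed names.

-- Accounts, roles and permissions: every GRANT/REVOKE of objects, roles and system
-- privileges in the last 24 hours, with who did it and to whom.
SELECT timestamp, username, os_username, userhost, action_name, owner, obj_name,
       grantee, priv_used, sql_text
  FROM dba_audit_trail
 WHERE (action_name LIKE '%GRANT%' OR action_name LIKE '%REVOKE%')
   AND timestamp > SYSDATE - 1
 ORDER BY timestamp;

-- Failed logins: RETURNCODE is the ORA- error number, so 1017 = invalid
-- username/password, 28000 = account locked. Grouping by host shows guessing.
SELECT userhost, username, returncode, COUNT(*) AS failures,
       MIN(timestamp) AS first_seen, MAX(timestamp) AS last_seen
  FROM dba_audit_trail
 WHERE action_name = 'LOGON' AND returncode <> 0
   AND timestamp > SYSDATE - 1
 GROUP BY userhost, username, returncode
HAVING COUNT(*) >= 5
 ORDER BY failures DESC;

-- Privileged user activity: anything done by a holder of the DBA role, or by anyone
-- exercising an ANY privilege (PRIV_USED is set only when a system privilege was needed).
SELECT timestamp, username, action_name, owner, obj_name, priv_used, sql_text
  FROM dba_audit_trail
 WHERE (username IN (SELECT grantee FROM dba_role_privs WHERE granted_role = 'DBA')
        OR priv_used LIKE '%ANY%')
   AND timestamp > SYSDATE - 1
 ORDER BY timestamp;

-- Access to sensitive data: SELECTs on HR.EMPLOYEES from any account other than the
-- application's own, i.e. reads that bypass the application's security controls.
SELECT timestamp, username, os_username, userhost, client_id, sql_text
  FROM dba_audit_trail
 WHERE action_name = 'SELECT' AND owner = 'HR' AND obj_name = 'EMPLOYEES'
   AND username <> 'HR_APP'
 ORDER BY timestamp;

-- Schema changes and data changes on the identified table, with the same exclusion
-- of the application account for DML; a non-zero RETURNCODE is an attempt that failed.
SELECT timestamp, username, action_name, returncode, sql_text
  FROM dba_audit_trail
 WHERE owner = 'HR' AND obj_name = 'EMPLOYEES'
   AND (action_name IN ('CREATE TABLE', 'ALTER TABLE', 'DROP TABLE', 'TRUNCATE TABLE')
        OR (action_name IN ('INSERT', 'UPDATE', 'DELETE') AND username <> 'HR_APP'))
 ORDER BY timestamp;
```

Run these as SYS or a user with SELECT on the DBA_ views, and always bound them by TIMESTAMP: SYS.AUD$ grows until it is purged. These queries also read the trail on the audited database itself, where a DBA can edit or delete it; copying the records off-box into a separate, write-protected warehouse is what the Audit Vault slides that follow are about.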
Oracle Audit Vault: Automated Activity Monitoring & Audit Reporting

[Diagram: audit data is collected from the monitored sources, encrypted in transit, and consolidated in the Audit Vault audit warehouse; the auditor works from built-in reports, custom reports, alerts and centrally managed policies.]

Sources
• Various DB sources: Oracle; Sybase ASE 12.5.4 - 15.0.x; MS SQL Server 2000, 2005 & 2008; DB2 8.2 - 9.5 on Linux, Unix, Windows
• Adapters for packaged applications (Siebel, HCM)

Audit warehouse
• Secured audit data
• Segregation of duties
• Completeness of audit
• Encryption at rest
• Consolidated auditing
• Performance & scalability

Reporting
• Easy to use reports
• Central provisioning of policies
• Meet compliance reporting
• Proactive: alerts & notifications (SMS/email)
• Pre-defined & custom reports

Default reports: out of the box compliance reports
For more information
search.oracle.com
database security
oracle.com/database/security