Oracle Database Security FY11, 6/1/2010

Cyber Security / Cyber Warfare
Hype or underestimated?
Bert Oltmans
Director Defence, Justice and Public Safety
CEE&CIS Region
Copyright © 2010, Oracle. All rights reserved

Agenda
• Current Environment
• Facts & Figures
• Cyber Security in Defense

A Definition
Cyber Security is an extension of traditional IT security that protects applications and data connected to the internet and exposed to attack, including offensive (cyber warfare) as well as defensive and proactive security measures.

Threat Environment
• Cyber Warfare is a reality
  (timeline: Estonia, 2007; Georgia, 2008; Operation Aurora, 2009/2010; Stuxnet worm, Iran, 2010)
• And many incidents more… and growing

The Battlefield Today
The network is the battlefield
(diagram labels: JXTA(TM) Overlay, Peer-to-Peer Network, Sensor Grid, Virtual Mapping, Internet)
• The network has become the battlefield
• Used for communications, collaboration, decision support, simulation and modeling
• Provides content delivery & information sharing

The Warfighter Challenge
(diagram labels: SCF / Field Command; Share-to-win vs. Need-to-know)
NATO Doctrine:
• Network Centric Operations require a “Share-to-Win” attitude
• Cyber Security Policies mandate a “need to know” strategy

The Transformation in Defense
• Cyber Security is becoming a National concern
• US Cyber Command (USCYBERCOM) created on May 21, 2010
• “The admiral said he believes a cyber attack could trigger a response in accordance with Article 5 of the NATO Charter, which states that an attack on any alliance member is an attack on all alliance members”
  Navy Adm. James G. Stavridis, 29 November 2010 – Time Interview

Regional Cyberspace
Source: 2010 Data Breach Investigations Report
© 2010 Oracle Corporation

Role of Governments
• Increased importance of national entities such as CERTs to monitor the nation's critical infrastructures and provide guidance

FACTS & FIGURES

Two Thirds of Sensitive and Regulated Data Resides in Databases…
Amount of data in databases doubles yearly: 1,800 Exabytes in 2011
Source: IDC, 2008

Over 900M Breached Records Resulted from Compromised Database Servers

Type               Category                 % Breaches   % Records
Database Server    Servers & Applications   25%          92%
Desktop Computer   End-User Devices         21%          1%

Source: 2010 Data Breach Investigations Report

How do Database Breaches Occur?
Bad Guys Exploit Your Weaknesses!
• 48% involved privilege misuse
• 40% resulted from hacking
• 38% utilized malware
• 28% employed social tactics
• 15% comprised physical attacks
Source: 2010 Data Breach Investigations Report

Cyber Security in Defense
Some thoughts
1. Design/procure information systems geared to the threat environment (including cyberspace)
2. Treat information technology as mission critical, not merely mission enabling
3. Have policies and doctrines that acknowledge cyber warfare

Information Systems in Cyberspace
It starts with a secure product
A model for continuous improvement: (1) Plan, (2) Do, (3) Check, (4) Act
(Ref.: “PDCA Cycle”, originally developed by Walter A. Shewhart; sometimes referred to as the Deming Cycle.)
Oracle security timeline:
1979: Project ‘Oracle’ with the CIA
1994: First vendor to complete ITSEC and TCSEC validations; Advanced Security Option
1998: First vendor to complete Common Criteria EAL4 validation; Virtual Private Database
2005: Introduction of the Critical Patch Update
2006: Database Vault; adoption of CVSS
…
2010: Ongoing certifications

Information Systems in Cyberspace
And a Secure Implementation
(diagram: People, Processes and Technology, all within Cyber Space)

Software Security
End User Perspectives
Vendor patch issuance practices (Security Patches, Service Packs) are most visible with customers… BUT… producing secure software requires:
• Focused attention as early as the design phase
• Ongoing commitment throughout the entire development and pre-release phases
• Effective remediation procedures
(diagram layers, from foundation upward: Design Requirements, Coding Standards, Coding Practices, Secure Development, Security Testing, Release QA, Service Packs, Security Patches)

Make IT Mission Critical
Include Deployment and Support
Core Platform Security:
Access Control
• Controlling Privileged Users
• Custom Security Policies
• RBAC & LBAC Implementation
User Management
• Strong Authentication
• Fine-grained Authorizations
Monitoring
• Enterprise-Wide Auditing
• Configuration
Data Protection
• Network Encryption
• Data Encryption
• Backup Encryption
Secure Operating Environment
• Multi-Level Security
• Fault Tolerance
• Ubiquitous Support

Policies & Doctrines
• Cover defensive and offensive measures
• Implement down to the single combat unit

JICPAC Supports Coalition Forces with Access to Secure Information
OVERVIEW
• Joint Intelligence Center of the Pacific (JICPAC) is located within the US Pacific Command (PACOM), Pearl Harbor, HI
CHALLENGES / OPPORTUNITIES
• Security was preserved through air-gap networks (entirely disconnected), yet analysts required multiple networks and therefore a 1-to-1 mapping of multiple desktop clients, creating clutter and manual process
• Logging of audit trails was mostly on the “honor system” with manual documentation
• Local clients meant far more maintenance and chance for degradation of information assurance levels
SOLUTIONS
JICPAC Trusted Workstation (TWS):
• Sun Ray ultra-thin client
• Trusted Extensions for Solaris
• CC EAL4 certification on NEBS-certified Sun servers
RESULTS
• Reduced acquisition costs and power consumption through the consolidation of multiple PC clients into a single Sun Ray ultra-thin client
• Improved end-user operational efficiencies in the secure information workflows, with complete audit trails through simultaneous connection to multiple networks
• Compatible with existing applications since they run in a Solaris open environment

Albanian MoD Safeguards Classified Data to Prepare for NATO Accession
OVERVIEW
• Agency responsible for implementing the government's defense & foreign policy objectives, & protecting the security of 3.6 million Albanian people
• Industry: Public Sector
• Employees: 500
CHALLENGES / OPPORTUNITIES
• Consolidate all structured and unstructured classified data on a secure, scalable, electronic platform prior to the April 2009 accession to the North Atlantic Treaty Organization (NATO)
• Enforce the highest internationally recognized standards for providing & auditing authorized access to classified Ministry of Defense (MoD) information
• Protect the integrity of sensitive military documents relating to Albania's role in NATO operations
SOLUTIONS
• Oracle Universal Content Management
• Oracle Identity Management
• Oracle Virtual Directory
• Oracle Access Manager
RESULTS
• Provided a secure Web-based data storage platform to create and publish classified content
• Offered 100 users single sign-on and secure, seamless access to job-appropriate data
• Enabled the organization to set up user accounts in only a few hours
CUSTOMER PERSPECTIVE
“Oracle's unbreakable security platform enables us to guarantee the integrity of sensitive defense data without impeding access to it by authorized personnel. We now have our data consolidated on a secure, scalable platform - enabling us to prepare for the accession to NATO.”
Genci Kokoshi, Chief of Information Technology

For More Information
oracle.com/database/security
search.oracle.com: database security
[email protected]

Oracle Advanced Security
Protect Data from Unauthorized Users
(diagram: Application; Disk; Backups; Exports; Off-Site Facilities)
• Complete encryption for application data at rest to prevent direct access to data stored in database files, on tape, exports, etc. by IT staff/OS users
• Efficient application data encryption without application changes
• Built-in two-tier key management for SoD with support for centralized key management using HSM/KMS
• Strong authentication of database users for greater identity assurance

Oracle Database Vault
Enforce Security Policies Inside the Database
(diagram: Security DBA, Application DBA and DBA roles around Procurement, HR and Finance application data; example statement: select * from finance.customers)
• Automatic and customizable DBA separation of duties and protective realms
• Enforce who, where, when, and how using rules and factors
• Enforce least privilege for privileged database users
• Prevent application by-pass and enforce enterprise data governance
• Securely consolidate application data or enable multi-tenant data management

Oracle Audit Vault
Audit Database Activity in Real-Time
(diagram: HR, CRM and ERP databases feed audit data into a central repository; outputs are alerts, built-in reports, custom reports and policies for the auditor)
• Consolidate database audit trail into secure centralized repository
• Detect and alert on suspicious activities, including privileged users
• Out-of-the-box compliance reports for SOX, PCI, and other regulations
  E.g., privileged user audit, entitlements, failed logins, regulated data changes
• Streamline audits with report generation, notification, attestation, archiving, etc.
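The detection categories this slide lists (failed logins, privileged user access to regulated data, entitlement changes) worked through over a constructed audit sample, as an added example that is not Audit Vault's own code or record format; the user names, object names and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed consolidated audit sample (not Audit Vault's record format):
# (timestamp, database user, action, object, outcome)
AUDIT_RECORDS = [
    ("2010-06-01T08:00:00", "APP_HR",  "LOGON",  None,            "FAILED"),
    ("2010-06-01T08:00:05", "APP_HR",  "LOGON",  None,            "FAILED"),
    ("2010-06-01T08:00:09", "APP_HR",  "LOGON",  None,            "FAILED"),
    ("2010-06-01T08:00:20", "APP_HR",  "LOGON",  None,            "SUCCESS"),
    ("2010-06-01T09:15:00", "SYS_DBA", "SELECT", "HR.EMP_SALARY", "SUCCESS"),
    ("2010-06-01T09:16:00", "SYS_DBA", "GRANT",  "DBA",           "SUCCESS"),
    ("2010-06-01T10:00:00", "APP_HR",  "SELECT", "HR.EMP_SALARY", "SUCCESS"),
]
# Assumed policy inputs: which accounts are privileged, which objects hold regulated data.
PRIVILEGED_USERS = {"SYS_DBA"}
REGULATED_OBJECTS = {"HR.EMP_SALARY"}
FAILED_LOGON_THRESHOLD = 3
FAILED_LOGON_WINDOW = timedelta(minutes=5)

def detect(records):
    """Return (rule, user, timestamp) alerts for the three categories named on the slide."""
    alerts = []
    recent_failures = defaultdict(list)  # user -> failed-logon timestamps inside the window
    for ts, user, action, obj, outcome in records:
        now = datetime.fromisoformat(ts)
        if action == "LOGON" and outcome == "FAILED":
            window = [t for t in recent_failures[user] if now - t <= FAILED_LOGON_WINDOW]
            window.append(now)
            recent_failures[user] = window
            if len(window) == FAILED_LOGON_THRESHOLD:  # fire once, when the threshold is reached
                alerts.append(("failed_logon_burst", user, ts))
        if user in PRIVILEGED_USERS and action == "SELECT" and obj in REGULATED_OBJECTS:
            alerts.append(("privileged_read_of_regulated_data", user, ts))
        if action == "GRANT":
            alerts.append(("entitlement_change", user, ts))
    return alerts

if __name__ == "__main__":
    for alert in detect(AUDIT_RECORDS):
        print(alert)
```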

Oracle Total Recall
Track Changes to Sensitive Data
SELECT salary FROM emp AS OF TIMESTAMP TO_TIMESTAMP('02-MAY-09 12.00 AM', 'DD-MON-RR HH.MI AM') WHERE emp.title = 'admin';
• Transparently track application data changes over time
• Efficient, tamper-resistant storage of archives in the database
• Real-time access to historical application data using SQL
• Simplified incident forensics and recovery

Oracle Database Firewall
First Line of Defense
(diagram: SQL traffic from applications is evaluated against policies; the actions are Allow, Log, Alert, Substitute or Block; outputs are alerts, built-in reports and custom reports)
• Monitor database activity to prevent unauthorized database access, SQL injections, privilege or role escalation, illegal access to sensitive data, etc.
• Highly accurate SQL grammar based analysis without costly false positives
• Flexible SQL level enforcement options based on white lists and black lists
• Scalable architecture provides enterprise performance in all deployment modes
• Built-in and custom compliance reports for SOX, PCI, and other regulations
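A simplified illustration of the grammar-based white-list / black-list enforcement the slide describes, added here as an example that is not Oracle Database Firewall's own code: each statement is reduced to a grammar-level fingerprint (literals replaced by placeholders) and mapped to the Allow, Alert or Block/Substitute actions. The approved statement shapes, the block patterns and the table names are constructed for the example.

```python
import re

# Reduce a statement to a grammar-level fingerprint: literals become "?",
# whitespace is collapsed and case is folded, so the same statement shape
# issued with different parameter values maps to one allow-list entry.
_STR_LIT = re.compile(r"'(?:[^']|'')*'")
_NUM_LIT = re.compile(r"\b\d+(?:\.\d+)?\b")
_SPACE = re.compile(r"\s+")

def fingerprint(sql: str) -> str:
    shape = sql.strip().rstrip(";")
    shape = _STR_LIT.sub("?", shape)
    shape = _NUM_LIT.sub("?", shape)
    return _SPACE.sub(" ", shape).lower()

# Constructed white list: the statement shapes the HR application is known to issue.
ALLOW_LIST = {
    fingerprint("SELECT last_name, salary FROM emp WHERE emp_id = 42"),
    fingerprint("UPDATE emp SET salary = 50000 WHERE emp_id = 42"),
}
# Constructed black list: shapes that should never arrive from the application tier.
BLOCK_LIST = [
    re.compile(r"\bunion\b.*\bselect\b"),          # appended result-set merging
    re.compile(r"\bor\b\s+\?\s*=\s*\?"),            # tautology such as OR 1=1 after normalisation
    re.compile(r"\b(grant|drop|alter\s+user)\b"),   # entitlement or schema changes
]
# Statement forwarded in place of a blocked one (the Substitute action): returns no rows.
SUBSTITUTE_SQL = "SELECT NULL FROM dual WHERE 1 = 0"

def decide(sql: str) -> str:
    """Policy decision for one statement: allow, block or alert."""
    shape = fingerprint(sql)
    if shape in ALLOW_LIST:
        return "allow"
    if any(p.search(shape) for p in BLOCK_LIST):
        return "block"
    return "alert"  # unknown shape: forward, but log and alert for review

def enforce(sql: str) -> tuple:
    """Map the decision to (action, statement actually forwarded to the database)."""
    decision = decide(sql)
    if decision == "block":
        return ("substitute", SUBSTITUTE_SQL)
    return (decision, sql)

if __name__ == "__main__":
    for stmt in ("SELECT last_name, salary FROM emp WHERE emp_id = 17",
                 "SELECT last_name, salary FROM emp WHERE emp_id = 17 OR 1=1",
                 "SELECT * FROM finance.customers"):
        print(enforce(stmt)[0], "<-", stmt)
```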

Oracle Configuration Management
Secure Your Database Environment
(diagram lifecycle: Discover and Classify (Asset Management); Assess and Prioritize (Policy Management, Vulnerability Management); Fix (Configuration Management & Audit); Monitor (Analysis & Analytics))
• Discover and classify databases into policy groups
• Scan databases against 400+ best practices and industry standards, plus custom enterprise-specific configuration policies
• Detect and even prevent unauthorized database configuration changes
• Change management dashboards and compliance reports

Oracle Data Masking
Irreversibly De-Identify Data for Non-Production Use

Production                                Non-Production
LAST_NAME   SSN           SALARY          LAST_NAME    SSN           SALARY
AGUILAR     203-33-3234   40,000          ANSKEKSL     111-23-1111   60,000
BENSON      323-22-2943   60,000          BKJHHEIEDK   222-34-1345   40,000

Data never leaves Database
• Make application data securely available in non-production environments
• Prevent application developers and testers from seeing production data
• Extensible template library and policies for data masking automation
• Referential integrity automatically preserved so applications continue to work
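The masking behaviour the slide's table shows (names replaced by random letters, SSNs replaced in the same format, salaries shuffled) carried through on a constructed two-table sample, as an added example that is not Oracle Data Masking's own code. It goes one step beyond the slide by adding a dependents table keyed on SSN, so the referential-integrity claim can be checked: both tables are masked with the same keyed one-way function, and the run key is the only thing that could reproduce the mapping.

```python
import hashlib
import hmac
import random
import string

# Constructed production sample: the employee rows from the slide plus a dependents
# table that references employees by SSN (the foreign key that must still join).
EMP = [
    {"LAST_NAME": "AGUILAR", "SSN": "203-33-3234", "SALARY": 40000},
    {"LAST_NAME": "BENSON",  "SSN": "323-22-2943", "SALARY": 60000},
]
DEPENDENTS = [
    {"EMP_SSN": "203-33-3234", "NAME": "dependent 1"},
    {"EMP_SSN": "323-22-2943", "NAME": "dependent 2"},
    {"EMP_SSN": "203-33-3234", "NAME": "dependent 3"},
]
# Constructed key that exists only for the masking run; the masked output never
# contains it, and without it the original values cannot be recomputed.
MASK_KEY = b"constructed-run-key-never-shipped-with-masked-data"

def _derive(value: str) -> int:
    """Keyed one-way derivation: identical input gives identical output within one run."""
    digest = hmac.new(MASK_KEY, value.encode(), hashlib.sha256).digest()
    return int.from_bytes(digest[:8], "big")

def mask_ssn(ssn: str) -> str:
    """Format-preserving replacement: nine derived digits in the NNN-NN-NNNN layout."""
    digits = f"{_derive(ssn) % 10**9:09d}"
    return f"{digits[:3]}-{digits[3:5]}-{digits[5:]}"

def mask_name(name: str) -> str:
    """Same-length uppercase string drawn from a generator seeded by the real name."""
    rnd = random.Random(_derive(name))
    return "".join(rnd.choice(string.ascii_uppercase) for _ in range(len(name)))

def mask_tables(emp, dependents):
    """Mask both tables with the same functions so the EMP_SSN -> SSN join survives;
    salaries are shuffled across rows so the distribution stays realistic."""
    rnd = random.Random(MASK_KEY)
    salaries = [row["SALARY"] for row in emp]
    rnd.shuffle(salaries)
    masked_emp = [{"LAST_NAME": mask_name(r["LAST_NAME"]), "SSN": mask_ssn(r["SSN"]),
                   "SALARY": s} for r, s in zip(emp, salaries)]
    masked_dep = [{"EMP_SSN": mask_ssn(d["EMP_SSN"]), "NAME": d["NAME"]} for d in dependents]
    return masked_emp, masked_dep

def join_counts(emp, dependents):
    """Dependents per employee row; equal before and after masking if integrity held."""
    return [sum(d["EMP_SSN"] == r["SSN"] for d in dependents) for r in emp]
```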

Oracle Database Defense In Depth
(diagram: layers of controls around the Data)
• Oracle Advanced Security
• Oracle Identity Management
• Oracle Database Vault
• Oracle Label Security
• Oracle Audit Vault
• Oracle Total Recall
• Oracle Database Firewall
• Oracle Configuration Management
• Oracle Data Masking