Session S311342: Do You Have a Database Security Plan?
Roxana Bradescu, Sr. Director, Database Security, Oracle
With Guest Speaker: Noel Yuhanna, Principal Analyst, Forrester Research

Safe Harbor Statement
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.

Agenda
• Introduction
• Your Database Security Plan
• Oracle Database Security Solutions
• Q&A

Why Enterprises Need a Plan
• Over 150 Global Data Regulations
• Insiders Now Pose Greatest Risk
• Over 500M Data Records Breached
• Data Growing 3x Yearly
• Data Security #1 Priority 2009
• IT Security Budgets Flat or Reduced

Do You Have A Database Security Plan?
Noel Yuhanna, Principal Analyst, Forrester Research
Entire contents © 2009 Forrester Research, Inc. All rights reserved.

Agenda
• Database Security Drivers And Trends
• Enterprise Database Security Strategy
• Building A Comprehensive Database Security Plan
• Recommendations

Database security drivers and trends
• Most organizations still have "gaps" in their security approaches, especially around databases, leaving a back door open for attacks.
• Increasingly sophisticated attacks are being seen and are likely to continue in the near future, while the internal threat remains high.
• Regulatory compliance pressure continues (PCI, SOX, HIPAA, GLBA and EU), with many still behind.
• The security group is becoming more prominent across industries; a new Database Security Analyst role is seen in large companies.
• Most organizations are looking for a broader security framework, focusing on single-vendor solutions that cover all bases.
Databases remain vulnerable
[Diagram: external users reach the firewall, load balancer, web server, app server and file server; internal users, privileged users and administrators reach the databases and ERP directly; backups sit behind the databases. Numbered threat points are listed below.]
Type of threat
1. External users
2. Internal users
3. Files/Web servers
4. Administrators/DBAs/developers
5. Database vulnerability
6. Data backup

Insider threats a concern
• 75% of threats come from insiders
• 60% of internal threats are undetected
• Security measures taken by organizations are improving, but most are still behind

Database security challenges continue to grow
• Lack of understanding of business data/private data.
• Lack of understanding of what needs to be done and where to start.
• Lack of expertise in database security.
• No clear separation of duties among the security group, DBAs and architects.
• Privileged users have access to all data.
• Lack of strong security processes and procedures.
• Weak data security policies: inconsistent and ad hoc.
• Lack of resources and time spent on database security.

Your Enterprise Database Security Strategy 2010

Three Key Pillars Essential For Any Enterprise Database Security
• Foundation: Discovery & Classification; Authentication, Authorization, Access Control; Patch Management
• Preventive: Network & Data-at-Rest Encryption; Data Masking; Change Management
• Detection: Database Auditing; Security Monitoring; Vulnerability Assessment
Underpinned by Common Database Security Policies & Standards, Information Security Policies & Standards, and Regulatory Compliances – PCI, SOX, HIPAA, EU. Cross-cutting: Role Separation, Reporting, Availability.

Building a strong foundation is critical
• Discovery and classification – Know your databases
• Authentication, Authorization and Access control – Make the foundation as strong as possible
• Patch management – Other measures are not effective until patches are deployed

Preventive builds on top of the foundation
• Network and Data-at-rest Encryption – Protects production databases
• Data masking – Protects your non-production databases
• Change management – Protects critical structures of your database

Detection completes your strategy
• Database auditing – Alerts on data anomalies
• Security monitoring – Defends against real-time threats
• Vulnerability assessment – Checks integrity and configuration of your database

Policies, Role Separation and Availability are part of the Strategy
[Diagram: the three pillars above (Foundation, Preventive, Detection) resting on Common Database Security Policies & Standards, Information Security Policies & Standards and Regulatory Compliances (PCI, SOX, HIPAA, EU), with Role Separation, Reporting and Availability alongside.]

Taking Your Strategy Into Action: Database Security Plan
Database security plan
"Although most enterprises have a data security or information security plan, only 20 percent have a database security plan" – Forrester Research

Top five reasons why most don't have a database security plan
1. Most organizations don't know how to create one: the content, structure or format.
2. Security groups don't have the expertise to build one.
3. DBAs don't have the time.
4. Many organizations feel that a data security plan alone is good enough, so why bother.
5. Many don't have the budget or resources available to build one.

Without a database security plan – you are running a high-risk environment!!
• Basic-level database security is not good enough any more!
• Without a database security plan:
  – Gaps are likely to exist, making your environment highly vulnerable
  – You are likely to spend more time and effort on piecemeal approaches that create an inconsistent environment
  – End-to-end security implementations are often weak.

Database security plan workflow
[Diagram: the DBA Manager, the DSA and the Security Officer produce the Database Security Plan from three inputs: the Database Environment, <Company> Data/Information Security Policies, and Compliances.]

Seven steps in building a successful database security plan
Step 1. Establishing a team
Step 2. Understanding data security policies and compliances
Step 3. Understanding your database environment
Step 4. Establishing security policies
Step 5. Training and accountability
Step 6. Baseline and risk assessment
Step 7. Refining security plan

Step 1. Establishing a team
• Without a team, security planning is likely to fail, since it requires collaboration amongst various roles and groups.
• The team should comprise the following:
  – Security: CISO or Security Director/Officer
  – Database: DBA Manager or Data Management Manager
  – Application: Apps Manager (optional)
  – Architecture: Enterprise or Data Architect (optional)
  – Infrastructure: Infrastructure or Systems Mgr (optional)

Step 2. Understanding data security policies and compliance requirements
• Organizations should leverage data security/information security policies to build a database security plan.
• Understand the data security policies and use only those that are applicable to databases or your environment, such as changing passwords every quarter.
• Understand the impact of the various compliance regimes such as PCI, HIPAA, GLBA, SOX and EU on databases, but act on all of them, not one at a time.
• Get the security group involved in data security and compliance discussions.

Step 3. Understanding database environment – Discovery & Classification
• Understand which DBMSes and releases are deployed.
• Take a full inventory of all databases deployed, including production and non-production: test, development, QA, staging, HA and DR.
• Understand the platforms used by databases: operating system, hardware and virtualized environments.
• Understand which databases contain sensitive data and classify them based on classification policies.
• Classification categories: #1 – highly sensitive (e.g. credit card numbers), #2 – sensitive (e.g. names and addresses) and #3 – not sensitive.

Step 4. Establishing security policies
• Develop security policies over time, focusing on key areas such as:
  – Authentication and Authorization
  – Data access – users, privileged users and DBAs
  – Database administration procedures
  – Encryption and data masking
  – Non-production database security
  – Installations, upgrades and migrations
  – Security patches
  – Detecting and recovering from attacks
  – Etc.

Security policies: Database backup
• Typical security policies for database backups of critical databases containing sensitive data would include:
  – Backup procedure policy: How should database backups be taken? Who should take backups? What is the frequency of backups? How is the backup moved to tape? Where should the tapes be stored?
  – Backup encryption policy: Which databases should be encrypted? And what levels of encryption are to be used?
  – Backup retention policy: How long should backups be stored? When and how should data on tapes be removed?

Security policies: Data-at-rest database encryption
• Typical security policies for database encryption for critical databases containing sensitive data would include:
  – Key management: How are keys generated? Where are the keys stored – in the database or externally, such as in an appliance or a file? How many keys are required? What encryption level is used?
  – Approach: What encryption approach needs to be taken – column-level, table-level, tablespace-level, or file-level? Which databases should implement encryption?

Security Policies: Data Masking
• Typical security policies for data masking for critical databases containing sensitive data would include:
  – Approach: Extract, mask and load (EML) or extract, load and mask (ELM)?
  – Masking algorithm: What algorithm to use – shuffling, randomize, new data generation, increment, decrement, look-up, etc.
  – Columns to mask: Which categories of columns to mask?

Security Policies: Auditing
• Typical security policies for auditing for critical databases containing sensitive data would include:
  – Approach: How will the data be audited? What needs to be audited? Frequency of auditing? Should logs be centralized in a repository?
  – Databases: Which databases should be audited? Which columns, users and tables to audit?
  – Reports: What reports to generate? Frequency? Alerts to be generated?

Step 5. Training and accountability
• All DBAs and privileged users who access critical databases should be given training on how to protect data and databases, and on the measures being taken in the database security plan to limit data access, restrict certain processes and so on.
• Take suggestions from DBAs, developers, testers and others on how to improve security.
• Individuals should be held accountable for any unauthorized usage or access.

Step 6. Establishing baseline with risk assessment
• Without a baseline, it is difficult to measure the success or failure of your database security plan.
• Each security policy should have a threat level assigned – high, medium or low – depending on the assessment of the environment.
• Risk assessment should be performed on a regular basis – weekly, or even daily for high-risk databases, depending on the classification level.

Step 7. Refine database security plan on a regular basis
• Database security is an ongoing initiative, not a one-time process; it requires refining the database security plan on a regular basis – monthly or quarterly – to adapt to new technologies, compliance requirements and business requirements.
• The database security team should meet on a regular basis, at least weekly if not more, to determine risk levels and improve database security policies and procedures.

Database Security Plan Template

Sample database security plan template
• Executive Summary: Overview and vision.
• Team involved: List personnel involved.
• Database classifications and alerts: How to classify them, alert levels, what data is sensitive.
• Database security policies: This is the core of the plan.
• Risk Assessment and baseline: How to assess risk and develop a baseline, reporting and alerting.
• Recovering from attack: Process and procedures to follow.
• Best practices: Typically not covered as a policy.
• Exceptions: Override on security policy xxx based on approval from xxx.

Typical database security policy template
Policy: Database password change control
• DSP control number: DSP 34…
• Ref number (Data/Info Security): IT849
• Date created: <date>
• Date modified: <date>
• Summary: <info>
• Risk level: <High/Medium/Low>
• Implementation:
  – Applies to Databases: <certain groups/category>
  – Approach to take: <run script… or tool etc>
  – Frequency to run: <daily, weekly…>
  – .....
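The template above leaves the approach and the frequency as placeholders. As an added example (not from the deck), the following Oracle SQL shows one way a DBA could realize the quarterly password change control referenced in Step 2: a password profile attached to the accounts, the DEFAULT profile adjusted so newly created accounts are covered, and a report that can be scheduled as the assessment. Profile and user names (cat1_quarterly_pw, hr_app, fin_admin) are constructed.

```sql
-- Added example, not from the deck: implementing a "Database password change
-- control" policy on Oracle. Profile/user names are constructed placeholders.

-- 1. A profile that forces a password change every quarter (90 days), with a
--    7-day grace window so a missed rotation does not lock an application out
--    at the boundary, and reuse limits so "change" means a genuinely new password.
CREATE PROFILE cat1_quarterly_pw LIMIT
  PASSWORD_LIFE_TIME  90
  PASSWORD_GRACE_TIME 7
  PASSWORD_REUSE_MAX  5
  PASSWORD_REUSE_TIME 365;

-- 2. Attach it to the existing accounts on a Category-1 database, including the
--    administrative accounts the policy explicitly covers ...
ALTER USER hr_app    PROFILE cat1_quarterly_pw;
ALTER USER fin_admin PROFILE cat1_quarterly_pw;

-- ... and set the same life time on DEFAULT, so every account created later
--    without an explicit profile is covered as well ("for every new account
--    created, the parameter needs to be set").
ALTER PROFILE DEFAULT LIMIT PASSWORD_LIFE_TIME 90;

-- 3. Assessment report, to be run weekly: any open account whose profile allows
--    passwords to live longer than 90 days, or whose password has already
--    expired without being changed, is a finding.
SELECT u.username,
       u.profile,
       p.limit          AS life_time_limit,
       u.account_status,
       u.expiry_date,
       CASE
         WHEN p.limit = 'UNLIMITED'      THEN 'FAIL: password never expires'
         WHEN p.limit = 'DEFAULT'        THEN 'CHECK: inherits DEFAULT profile'
         WHEN TO_NUMBER(p.limit) > 90    THEN 'FAIL: life time exceeds 90 days'
         WHEN u.expiry_date < SYSDATE    THEN 'FAIL: expired, not yet changed'
         ELSE 'PASS'
       END              AS finding
FROM   dba_users    u
JOIN   dba_profiles p
  ON   p.profile       = u.profile
 AND   p.resource_type = 'PASSWORD'
 AND   p.resource_name = 'PASSWORD_LIFE_TIME'
WHERE  u.account_status NOT LIKE '%LOCKED%'
ORDER  BY finding, u.username;
```

The report can be spooled into the weekly Category-1 assessment; rows marked CHECK point at profiles that only inherit the limit from DEFAULT, which is acceptable once step 2 has been applied.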
Security policy example
Policy: Database password change control
• DSP control #: DSP 34…   Ref # (Data/Info Security): IT849
• Date created: 8/1/2009   Date modified: 8/1/2009
• Description: All user passwords should be triggered to change every quarter, including administrator-level passwords. This is a corporate-level security requirement…
• Risk level: Medium
• Implementation:
  – Applies to Databases: All Category-1 databases on Oracle, SQL Server and DB2
  – Approach to take: For Oracle, change the parameter that triggers the password change; to be done by the DBA.
  – Frequency to run: For every new account created, the parameter needs to be set.
  – Assessment: Run weekly reports on Category-1 databases…

Recommendations
• A database security strategy is essential for all enterprises; start out with the foundation and build with preventive and detection layers.
• Start out building a database security plan with a few policies, refining and expanding over time.
• Build an enterprise-wide database security plan, not just for a department or region.
• Remember the best database security plan is one that's unique; create one that's relevant to your organization.
• A database security plan cannot be successful without the security group being involved or without incorporating data security policies.

Thank you
Noel Yuhanna, Principal Analyst, Forrester Research
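The Step 4 masking policy asks for an approach (EML or ELM), an algorithm and the columns to mask. As an added example, not from the deck and not Oracle's Data Masking Pack, the following Oracle SQL is one ELM-style pass run inside a non-production copy after the load: a look-up mapping for SSN applied to parent and child tables so referential integrity survives, randomization for names, and a shuffle for salaries. Table, column and constraint names (emp, payroll, fk_payroll_emp) are constructed.

```sql
-- Added example, not from the deck or Oracle's Data Masking Pack: an
-- Extract-Load-Mask (ELM) pass on a non-production copy. Table, column and
-- constraint names are constructed; emp.ssn is the parent key, payroll.ssn
-- references it through fk_payroll_emp.

-- 1. Look-up mapping: one synthetic SSN per distinct real SSN. The value comes
--    from a randomly ordered row number, so it is unique, unrelated to the
--    original, and starts with 9, a prefix not issued for real SSNs.
CREATE TABLE ssn_map AS
SELECT orig_ssn,
       '9' || SUBSTR(seq, 1, 2) || '-' || SUBSTR(seq, 3, 2) || '-' || SUBSTR(seq, 5, 4)
         AS masked_ssn
FROM (SELECT ssn AS orig_ssn,
             LPAD(TO_CHAR(ROW_NUMBER() OVER (ORDER BY DBMS_RANDOM.VALUE)), 8, '0') AS seq
      FROM (SELECT DISTINCT ssn FROM emp));

-- 2. Apply the same mapping to parent and child so joins keep working. The FK
--    is disabled while both sides are rewritten, then re-validated, which
--    proves referential integrity was preserved.
ALTER TABLE payroll DISABLE CONSTRAINT fk_payroll_emp;
UPDATE emp     e SET e.ssn = (SELECT m.masked_ssn FROM ssn_map m WHERE m.orig_ssn = e.ssn);
UPDATE payroll p SET p.ssn = (SELECT m.masked_ssn FROM ssn_map m WHERE m.orig_ssn = p.ssn);
ALTER TABLE payroll ENABLE VALIDATE CONSTRAINT fk_payroll_emp;

-- 3. Randomize: replace each last name with random upper-case letters, the
--    style of output shown on the Oracle Data Masking slide (AGUILAR -> ANSKEKSL).
UPDATE emp SET last_name = DBMS_RANDOM.STRING('U', LENGTH(last_name));

-- 4. Shuffle: permute SALARY across rows. Totals and distribution are kept for
--    testing and reporting; the link between a person and their pay is broken.
MERGE INTO emp e
USING (SELECT a.emp_id, b.salary AS new_salary
       FROM (SELECT emp_id, ROW_NUMBER() OVER (ORDER BY emp_id)            AS rn FROM emp) a
       JOIN (SELECT salary, ROW_NUMBER() OVER (ORDER BY DBMS_RANDOM.VALUE) AS rn FROM emp) b
         ON a.rn = b.rn) s
ON (e.emp_id = s.emp_id)
WHEN MATCHED THEN UPDATE SET e.salary = s.new_salary;

-- 5. Verify no real SSN survived (expect 0), then drop the mapping: keeping it
--    in the non-production environment would make the masking reversible.
SELECT COUNT(*) AS unmasked_rows
FROM   emp e
WHERE  EXISTS (SELECT 1 FROM ssn_map m WHERE m.orig_ssn = e.ssn);
DROP TABLE ssn_map PURGE;
COMMIT;
```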
Oracle Database Security Solutions
• Encryption & Masking: Advanced Security, Secure Backup, Data Masking
• Access Control: Database Vault, Label Security
• Monitoring: Configuration Management, Audit Vault, Total Recall

Oracle Advanced Security
[Diagram: encrypted data on disk, in backups, in exports and at off-site facilities.]
• Efficient encryption of all application data
• Standards-based encryption for data in transit
• No application changes required

Oracle Data Masking
Production:
LAST_NAME   SSN          SALARY
AGUILAR     203-33-3234  40,000
BENSON      323-22-2943  60,000
Non-Production:
LAST_NAME   SSN          SALARY
ANSKEKSL    111-23-1111  60,000
BKJHHEIEDK  222-34-1345  40,000
• Remove sensitive data from non-production databases
• Referential integrity preserved so applications continue to work
• Sensitive data never leaves the database
• Extensible template library and policies for automation

Oracle Database Vault
[Diagram: Procurement, a DBA and the HR Application accessing Finance application data; the DBA session issues: select * from finance.customers]
• Limit powers of privileged users – enforce Separation of Duties
• Enforce who, where, when, and how using rules and factors
• Protect application data by preventing application by-pass
• Out-of-the-box policies for Oracle applications

Oracle Audit Vault
[Diagram: HR Data, CRM Data and ERP Data databases feed audit data into a central Audit Data repository; the Auditor works with Alerts, Built-in Reports, Custom Reports and Policies.]
• Consolidate audit data into a secure repository
• Detect and alert on suspicious activities
• Out-of-the-box compliance reporting
• Centralized audit policy management

Oracle Total Recall
  select salary from emp AS OF TIMESTAMP TO_TIMESTAMP('02-MAY-09 12.00 AM', 'DD-MON-RR HH.MI AM') where emp.title = 'admin';
• Transparently track data changes
• Efficient, tamper-resistant storage of archives
• Real-time access to historical data
• Simplified forensics and error correction

Oracle Configuration Management
[Diagram: a Discover → Classify → Assess → Prioritize → Fix → Monitor lifecycle spanning Asset Management, Policy Management, Vulnerability Management, Configuration Management & Audit, and Monitor Analysis & Analytics.]
• Database discovery
• Continuous scanning against 375+ best practices and industry standards, extensible
• Detect and prevent unauthorized configuration changes
• Change management compliance reports

Oracle Solutions Key to Your Database Security Plan
• Comprehensive
• Integrated
• Transparent
• Cost-Effective
Encryption & Masking, Access Control, Monitoring

Oracle Database Security: Learn More At These Oracle Sessions
• S311340 Classify, Label, and Protect: Data Classification and Security with Oracle Label Security – Monday 14:30-15:30, Moscone South Room 307
• S308113 Oracle Data Masking Pack: The Ultimate DBA Survival Tool in the Modern World – Tuesday 11:30-12:30, Moscone South Room 102
• S311338 All About Data Security and Privacy: An Industry Panel – Tuesday 13:00-14:00, Moscone South Room 103
• S311455 Tips/Tricks for Auditing PeopleSoft and Oracle E-Business Suite Applications from the Database – Tuesday 14:30-15:30, Moscone South Room 306
• S311339 Meet the Database Security Development Managers: Ask Your Questions – Tuesday 16:00-17:00, Moscone South Room 306
• S311345 Database Auditing Demystified: The What, the How, and the Why – Tuesday 17:30-18:30, Moscone South Room 306
• S311342 Do You Have a Database Security Plan? – Wednesday 11:45-12:45, Moscone South Room 102
• S311332 Encrypt Your Sensitive Data Transparently in 30 Minutes or Less – Wednesday 13:00-13:30, Moscone South Room 103
• S311337 Secure Your Existing Application Transparently in 30 Minutes or Less – Wednesday 13:45-14:15, Moscone South Room 103
• S311344 Securing Your Oracle Database: The Top 10 List – Wednesday 17:00-18:00, Moscone South Room 308
• S311343 Building an Application? Think Data Security First – Thursday 13:30-14:30, Moscone South Room 104

For More Information
search.oracle.com: "database security", or oracle.com/database/security