Session id: 40176
Security and the Data Warehouse
Kristy Edwards, Principal Product Manager, Security, Oracle Corporation
George Lumpkin, Director Product Management, DW, Oracle Corporation
Agenda
• Data warehousing security issues
• Data warehouse security strategy
  – Secure the entire DW environment
  – Oracle database security is the foundation of a DW security strategy
• Summary: Customer success stories
Technical challenges
• More valuable data, since current and historical records are stored from all parts of the organization
  – Customer profiles
  – Company's financial history
  – Quarterly sales information
• Performance is paramount
  – Security cannot adversely affect performance
• More users have direct, ad-hoc query access to a data warehouse
• Sensitive data is stored in data marts and on ETL servers
Business challenges
• How can I consolidate multiple data marts in the same database?
• How can I share the information in my data warehouse with partners and customers?
• How can I ensure that my data warehouse obeys laws and regulations regarding data privacy?
Oracle Strategy for DW Security
• End-to-end security
  – Secure the entire DW process
  – From ETL all the way through to the end user
• Consolidation
  – Leverage consolidation to increase security
• Secure foundation
  – Oracle database security is the foundation of a DW security strategy
Consolidation Provides Better Security
• Centrally managed by an expert
• Fewer points of attack
• Apply security patches quickly in one place
• Enforce security consistently
• Protect the data itself
Layers of Security
• Physical
• Policies
• Perimeter and network
• Applications and RDBMS
• OS
Security Trends
[Figure: timeline of database security features plotted against time, running from OLTP workloads toward data warehousing: Authentication, Access Control, Network Crypto, Fine-grained Access Control, Audit, Identity Management]
Oracle Database 10g Provides the Security Foundation
• Security built into the server cannot be bypassed
  – Consistent security policy regardless of the tool or interface used to access data
  – Oracle preserves the identity of the user
• Security is transparent to tools and applications
[Figure: Discoverer, Business Objects and SQL*Plus all reach Oracle DB 10g through identical data access policies]
Assurance of Oracle Database 10g Security
• Builds on 17 independent security evaluations
• An effective way to validate a vendor's security assertions
  – NCR Teradata has 0 evaluations
  – IBM DB2 has 0 evaluations
  – SQL Server has 1 evaluation
Leverage Oracle Database 10g Security
[Figure: Marketing, Finance and Sales users reach the Enterprise Data Warehouse through seven numbered controls: Authenticate, Access Control, Authorize, Protect data in transit, Protect stored data, Audit, and Identity Management]
Row-level Security Benefits for Data Warehousing
• Consolidation
  – with assurance of data separation
• Lower cost of ownership
  – Build security once, not within multiple applications
• Minimizes risk through database-enforced security
• Highly scalable without performance impact
• Leverage RLS to protect private information in data warehouses
Security Issue #2: Accountability
• Keep users accountable for their actions
• Identify misuse of legitimate user privilege
  – E.g., data snoopers (e.g., why is a user accessing his own record from June 29 so often?)
• Support intrusion detection
Solution: Fine-grained Auditing
• Audit for accountability
• Audit with precision
• Monitor data access based on content
• Attach an audit policy to a table or view
  – with a 'WHERE' condition
  – on a relevant column
  – PL/SQL package DBMS_FGA applies policies to the table/view
  – Exact query text is kept in the audit record
• Data warehouses cannot afford to audit too broadly
[Figure: an FGA policy, with its relevant column, attached to a table]
Fine-grained Auditing
Audit policy: AUDIT_CONDITION 'name != USER', AUDIT_COLUMN = DIAGNOSIS
• Not audited: SELECT name, job, deptno FROM patients
• Audited: SELECT name, diagnosis FROM patients WHERE name='KING'
• Audit record: the SQL text SELECT name, diagnosis FROM patients WHERE name = 'KING', plus <timestamp>, <userid>, etc. The policy handler sends an alert.
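The patients/DIAGNOSIS policy on the slide above, written out with DBMS_FGA as an added example (not code from the presentation). The table, the HR schema, the alert table and the handler name are assumptions; the audit condition and column are the slide's.

```sql
-- Added example, not from the slides. Assumed: schema HR owns PATIENTS,
-- FGA_ALERTS and the handler procedure.
CREATE TABLE patients (
  name      VARCHAR2(30),
  job       VARCHAR2(30),
  deptno    NUMBER,
  diagnosis VARCHAR2(200)
);

-- Where the handler records alerts (assumed; it could equally enqueue a page).
CREATE TABLE fga_alerts (
  alerted_at TIMESTAMP DEFAULT SYSTIMESTAMP,
  db_user    VARCHAR2(30),
  sql_text   VARCHAR2(4000)
);

-- Event handler. DBMS_FGA calls it with exactly this signature each time an
-- audit record is written for the policy.
CREATE OR REPLACE PROCEDURE patients_fga_handler (
  object_schema VARCHAR2,
  object_name   VARCHAR2,
  policy_name   VARCHAR2
) AS
  PRAGMA AUTONOMOUS_TRANSACTION;  -- keep the alert even if the user's work rolls back
BEGIN
  INSERT INTO fga_alerts (db_user, sql_text)
  VALUES (SYS_CONTEXT('USERENV', 'SESSION_USER'),
          SYS_CONTEXT('USERENV', 'CURRENT_SQL'));  -- the exact statement text
  COMMIT;
END;
/

BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema   => 'HR',
    object_name     => 'PATIENTS',
    policy_name     => 'PATIENTS_DIAGNOSIS',
    audit_condition => 'NAME != USER',        -- someone else's record...
    audit_column    => 'DIAGNOSIS',           -- ...and the sensitive column is touched
    handler_schema  => 'HR',
    handler_module  => 'PATIENTS_FGA_HANDLER',
    enable          => TRUE,
    statement_types => 'SELECT');
END;
/

-- Not audited: DIAGNOSIS is not referenced.
SELECT name, job, deptno FROM patients;

-- Audited, with the full statement text, when run by anyone other than KING.
SELECT name, diagnosis FROM patients WHERE name = 'KING';

-- What the auditor reviews; the trail keeps the exact SQL, user and time.
SELECT timestamp, db_user, policy_name, sql_text
  FROM dba_fga_audit_trail
 WHERE policy_name = 'PATIENTS_DIAGNOSIS'
 ORDER BY timestamp;
```

Because the condition is evaluated against the rows actually returned and the column must appear in the statement, a warehouse-wide scan of non-sensitive columns produces no records at all; that is the "fewer, but more precise" property the next slide describes.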
Benefits for Data Warehousing
• Audit analysis
  – Fewer, but more precise, audit records
  – Reducing false or misleading audit records makes it easier to analyze the audit trail
  – The SQL text gives insight into the intent of the query
• Accountability and deterrence
  – Minimizes security risk when a user knows he/she is being monitored
• Supports fact tables and materialized views
Security Issue #3: Protect Data in Transit
• Stored data has the inherent protection of user authentication, access control and audit
• Data traveling over the network does not have these protections
• 80% of data loss is to insiders
Solution: Network Encryption
• Oracle Advanced Security encrypts all communication with the database
  – Uses standard algorithms
    • AES
    • 3DES, DES
    • RC4
    • Diffie-Hellman key exchange
  – Supplies SSL
  – Secures all protocols into the database: Net8, IIOP, Thin JDBC
Benefits for Data Warehousing
• Minimizes security risk, since data traveling over the network is encrypted
• Protects all network communications with Oracle with minimal impact
• Easy to deploy
  – 6 sqlnet.ora parameters
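The sqlnet.ora settings behind "easy to deploy", shown here as an added example rather than a configuration taken from the presentation. The parameter names are the native-encryption settings of Oracle Advanced Security; the values are illustrative. The first block shows a weak configuration, the second the one a practitioner would actually ship.

```text
# Added example, not from the slides. Server-side sqlnet.ora.

# Weak: encryption happens only if the client asks for it, and legacy
# ciphers from the slide's algorithm list (DES, short-key RC4) remain negotiable.
SQLNET.ENCRYPTION_SERVER        = ACCEPTED
SQLNET.ENCRYPTION_TYPES_SERVER  = (DES, RC4_40, AES256)
SQLNET.CRYPTO_CHECKSUM_SERVER   = ACCEPTED

# Stronger: unencrypted sessions are refused, only AES is offered, and an
# integrity checksum is required so the stream cannot be silently altered.
SQLNET.ENCRYPTION_SERVER              = REQUIRED
SQLNET.ENCRYPTION_TYPES_SERVER        = (AES256, AES192, AES128)
SQLNET.CRYPTO_CHECKSUM_SERVER         = REQUIRED
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER   = (SHA1)

# Matching client-side sqlnet.ora, so a client cannot be downgraded by a
# server that merely ACCEPTs encryption.
SQLNET.ENCRYPTION_CLIENT              = REQUIRED
SQLNET.ENCRYPTION_TYPES_CLIENT        = (AES256)
SQLNET.CRYPTO_CHECKSUM_CLIENT         = REQUIRED
SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT   = (SHA1)
```

To check what a session actually negotiated, query NETWORK_SERVICE_BANNER in V$SESSION_CONNECT_INFO for the session's SID; the banner names the encryption and checksum services in use, and an unencrypted session shows none.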
Security Issue #4: Protect Stored Data
• Especially sensitive information requires an additional layer of security
  – Social security numbers
  – Credit card numbers
• Mitigate threats
  – Hackers compromising the OS and reading database files
  – Malicious DBA
Solution: Stored Data Encryption
• Oracle DB 10g has a new encrypt/decrypt interface called DBMS_CRYPTO
  – AES, 3DES and DES encryption
  – MD5, MD4 and SHA-1 cryptographic hashes
  – Supports all datatypes (LOB, BLOB, CLOB)
• The application provides key generation, management and recovery
  – Encryption keys must be stored somewhere
  – They can be stored in a database file, on the OS, in the application, on diskette, etc.
• Don't solve the access control problem with encryption
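Column encryption with DBMS_CRYPTO, as an added example (not code from the presentation). The CARDHOLDERS table, the CARD_CRYPTO package and the get_key function are assumptions; in particular, the key source is a placeholder standing in for wherever the application chooses to keep its key, which is the slide's point about key management. EXECUTE on DBMS_CRYPTO must be granted by SYS.

```sql
-- Added example, not from the slides. Table, package and key source are assumed.
CREATE TABLE cardholders (
  cust_id NUMBER PRIMARY KEY,
  pan_enc RAW(64)      -- IV || AES-256-CBC ciphertext of the card number
);

CREATE OR REPLACE PACKAGE card_crypto AS
  FUNCTION encrypt_pan(p_pan VARCHAR2) RETURN RAW;
  FUNCTION decrypt_pan(p_enc RAW) RETURN VARCHAR2;
END card_crypto;
/

CREATE OR REPLACE PACKAGE BODY card_crypto AS
  c_mode CONSTANT PLS_INTEGER :=
      DBMS_CRYPTO.ENCRYPT_AES256 + DBMS_CRYPTO.CHAIN_CBC + DBMS_CRYPTO.PAD_PKCS5;

  -- Placeholder key source (assumption). In production this is the part the
  -- application owns: a wallet, an HSM, or an OS-protected file that a DBA
  -- cannot simply SELECT from. A key that lives in the same datafile as the
  -- ciphertext protects nothing against the threats on the previous slide.
  FUNCTION get_key RETURN RAW IS
  BEGIN
    RETURN HEXTORAW('000102030405060708090a0b0c0d0e0f'
                 || '101112131415161718191a1b1c1d1e1f');  -- 32-byte demo key
  END;

  FUNCTION encrypt_pan(p_pan VARCHAR2) RETURN RAW IS
    v_iv RAW(16) := DBMS_CRYPTO.RANDOMBYTES(16);  -- fresh IV per value
  BEGIN
    -- Prepend the IV so equal card numbers never produce equal ciphertexts.
    RETURN UTL_RAW.CONCAT(v_iv, DBMS_CRYPTO.ENCRYPT(
        src => UTL_I18N.STRING_TO_RAW(p_pan, 'AL32UTF8'),
        typ => c_mode, key => get_key, iv => v_iv));
  END;

  FUNCTION decrypt_pan(p_enc RAW) RETURN VARCHAR2 IS
    v_iv RAW(16) := UTL_RAW.SUBSTR(p_enc, 1, 16);
  BEGIN
    RETURN UTL_I18N.RAW_TO_CHAR(DBMS_CRYPTO.DECRYPT(
        src => UTL_RAW.SUBSTR(p_enc, 17),
        typ => c_mode, key => get_key, iv => v_iv), 'AL32UTF8');
  END;
END card_crypto;
/

-- Constructed sample value (a test PAN, not real card data).
INSERT INTO cardholders VALUES (1, card_crypto.encrypt_pan('4111111111111111'));

-- Someone reading the datafile, or the table, sees only IV plus ciphertext.
SELECT cust_id, pan_enc FROM cardholders;

-- Anyone with EXECUTE on CARD_CRYPTO gets plaintext back. That is why grants
-- and VPD, not the cipher, still decide who may call decrypt_pan.
SELECT card_crypto.decrypt_pan(pan_enc) FROM cardholders WHERE cust_id = 1;
```

The last two statements are the practical reading of "don't solve the access control problem with encryption": the cipher defends against a copied datafile, while who may decrypt is an authorization decision enforced by the same object privileges and row-level policies as the rest of the warehouse.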
Stored Data Encryption Benefits
• Minimizes security risk by storing very sensitive data encrypted
• Oracle Database 10g supports third-party security solutions
Security Issue #1: Access Control
• Not all users should have access to all the data in the data warehouse
  – The database must preserve user identity to determine exactly what the user can access
  – The database must control access
Access Control
• Object-level security
  – Authorization
  – Roles and privileges
• Manage locally or centrally
  – Role-based Access Control (RBAC)
• Row-level Security (RLS)
  – Control access within objects
  – Fine-grained access control
  – Virtual Private Database
  – Oracle Label Security
Virtual Private Database
• Data access is managed at the database level
  – Fine-grained access control
  – Application context
  – Users only see data that they have access to
  – Row-level access control
• Add a policy to any table, view or synonym
  – The administrator binds a PL/SQL package to the table using the Oracle-supplied API (dbms_rls)
[Figure: a VPD policy attached to a table or view]
VPD for Data Warehousing
• Server dynamically rewrites SQL
  – Query modification based on the PL/SQL package assigned to an object
  – "Where" clause appended to the SQL statement
[Figure: two users issue the same query, SELECT sum(s) FROM SALES_HISTORY;, against a 1MM-row table. For the Western Sales Rep, who has access to his/her territory's sales, the server appends "where terr_id=10"; for the Product Manager, who has access to one product's sales across all territories, it appends "where prod_id=12".]
VPD for Data Warehousing
• No sacrifice in SQL performance
  – All performance features (indexes, parallelism, partitioning, etc.) apply to VPD-based queries
• Fact tables
  – Policies can be applied to very large fact tables
  – Most popular implementation
  – Secures data at the source
• Materialized views
  – Policies can be applied to summaries
  – Materialized views increase performance, and VPD increases security
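The SALES_HISTORY rewrite from the figure two slides up, implemented with DBMS_RLS as an added example (not the presentation's code). The DW schema, the DW_USER_SCOPE mapping table, the context and package names and the two user names are assumptions; the two predicates (terr_id = 10 for the western sales rep, prod_id = 12 for the product manager) are the slide's.

```sql
-- Added example, not from the slides. Schema DW and all object names assumed.
CREATE TABLE sales_history (
  terr_id NUMBER, prod_id NUMBER, sale_date DATE, s NUMBER);

-- One row per user saying which slice they own. Maintained by the security
-- administrator, never writable by the application user.
CREATE TABLE dw_user_scope (
  username VARCHAR2(30) PRIMARY KEY,
  terr_id  NUMBER,    -- set for sales reps
  prod_id  NUMBER);   -- set for product managers
INSERT INTO dw_user_scope VALUES ('WEST_REP', 10, NULL);   -- constructed sample users
INSERT INTO dw_user_scope VALUES ('PROD_MGR', NULL, 12);

-- An application context is trustworthy because only the named package may set it.
CREATE OR REPLACE CONTEXT dw_ctx USING dw_ctx_pkg;

CREATE OR REPLACE PACKAGE dw_ctx_pkg AS
  PROCEDURE set_scope;
END;
/
CREATE OR REPLACE PACKAGE BODY dw_ctx_pkg AS
  PROCEDURE set_scope IS
    v dw_user_scope%ROWTYPE;
  BEGIN
    SELECT * INTO v FROM dw_user_scope
     WHERE username = SYS_CONTEXT('USERENV', 'SESSION_USER');
    DBMS_SESSION.SET_CONTEXT('dw_ctx', 'terr_id', v.terr_id);
    DBMS_SESSION.SET_CONTEXT('dw_ctx', 'prod_id', v.prod_id);
  EXCEPTION
    WHEN NO_DATA_FOUND THEN NULL;  -- unknown user: context stays empty, policy denies
  END;
END;
/

-- Populate the context once per session instead of once per query.
CREATE OR REPLACE TRIGGER dw_logon AFTER LOGON ON DATABASE
BEGIN dw_ctx_pkg.set_scope; END;
/

-- The policy function returns the WHERE clause the server appends. It reads
-- the context rather than embedding literals, so one cursor serves all users.
CREATE OR REPLACE FUNCTION sales_policy(p_schema VARCHAR2, p_obj VARCHAR2)
  RETURN VARCHAR2 IS
BEGIN
  IF SYS_CONTEXT('dw_ctx', 'terr_id') IS NOT NULL THEN
    RETURN 'terr_id = SYS_CONTEXT(''dw_ctx'', ''terr_id'')';
  ELSIF SYS_CONTEXT('dw_ctx', 'prod_id') IS NOT NULL THEN
    RETURN 'prod_id = SYS_CONTEXT(''dw_ctx'', ''prod_id'')';
  END IF;
  RETURN '1 = 0';   -- fail closed: no scope, no rows
END;
/

BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'DW', object_name => 'SALES_HISTORY',
    policy_name     => 'SALES_SCOPE',
    function_schema => 'DW', policy_function => 'SALES_POLICY',
    statement_types => 'SELECT',
    -- The predicate depends only on session context, so the server can cache
    -- it instead of calling the function for every statement.
    policy_type     => DBMS_RLS.CONTEXT_SENSITIVE);
END;
/

-- Same statement, different users, different rows:
--   WEST_REP (terr_id 10) runs as ... WHERE terr_id = 10
--   PROD_MGR (prod_id 12) runs as ... WHERE prod_id = 12
SELECT SUM(s) FROM sales_history;
```

Two checks a reviewer would want before calling this done: the policy function's fail-closed branch is what keeps a user with no DW_USER_SCOPE row from seeing the whole fact table, and VPD is bypassed by SYS and by any account holding EXEMPT ACCESS POLICY, so that privilege belongs on the short list that FGA or standard audit watches.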
Oracle Label Security for DW
• Out-of-the-box row-level security
  – Built on VPD
  – Extends VPD by adding label-based access control
• Same benefits as VPD, but works out of the box
• Installable product vs. "write your own"
  – Data access is based on sensitivity labels and customizable enforcement options
• Labels can be applied to fact tables and/or materialized views
Oracle Label Security for DW
Student fact table:
  Fname  Lname  Score  Sensitivity label
  Ana    Adams  155    sensitive:testscore:JFK High
  Mona   Patel  150    sensitive:testscore:MLK High
  Jen    Chu    175    sensitive:testscore:MLK High
  Ron    Alta   145    sensitive:testscore:JFK High
• JFK Principal, authorized for sensitive : testscore : JFK High, sees the JFK High rows (Adams, Alta) and not the MLK High rows.
• District Schools Superintendent, authorized for sensitive : testscore : District Schools, sees all rows.
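The student fact table above, built with the Oracle Label Security administrative packages as an added example (not code from the presentation). The SCHOOLS policy name, the DW schema, the component short names and the two user accounts are assumptions; the level (sensitive), compartment (testscore) and the JFK/MLK groups under a district-wide parent follow the slide's labels. Parameter order follows the OLS administrator's guide.

```sql
-- Added example, not from the slides. Policy, schema, users and short names assumed.
-- Run as an OLS administrator (LBAC_DBA); the users JFK_PRINCIPAL and
-- SUPERINTENDENT are assumed to exist already.

-- 1. A policy adds a hidden label column (here OLS_LABEL) to the tables it protects.
BEGIN
  SA_SYSDBA.CREATE_POLICY(policy_name => 'SCHOOLS', column_name => 'OLS_LABEL');
  -- Components: one level, one compartment, and a group tree with the
  -- district as parent of the two schools.
  SA_COMPONENTS.CREATE_LEVEL('SCHOOLS', 100, 'SENS', 'SENSITIVE');
  SA_COMPONENTS.CREATE_COMPARTMENT('SCHOOLS', 10, 'TEST', 'TESTSCORE');
  SA_COMPONENTS.CREATE_GROUP('SCHOOLS', 1000, 'DIST', 'DISTRICT SCHOOLS');
  SA_COMPONENTS.CREATE_GROUP('SCHOOLS', 1010, 'JFK', 'JFK HIGH', 'DIST');
  SA_COMPONENTS.CREATE_GROUP('SCHOOLS', 1020, 'MLK', 'MLK HIGH', 'DIST');
  -- Data labels rows may carry (level:compartment:group).
  SA_LABEL_ADMIN.CREATE_LABEL('SCHOOLS', 1, 'SENS:TEST:JFK');
  SA_LABEL_ADMIN.CREATE_LABEL('SCHOOLS', 2, 'SENS:TEST:MLK');
  SA_LABEL_ADMIN.CREATE_LABEL('SCHOOLS', 3, 'SENS:TEST:DIST');
END;
/

CREATE TABLE dw.student_fact (fname VARCHAR2(20), lname VARCHAR2(20), score NUMBER);

-- 2. Apply the policy. READ_CONTROL filters rows on SELECT.
BEGIN
  SA_POLICY_ADMIN.APPLY_TABLE_POLICY(
    policy_name => 'SCHOOLS', schema_name => 'DW', table_name => 'STUDENT_FACT',
    table_options => 'READ_CONTROL');
  -- The loading account needs FULL so it may write rows under any label.
  SA_USER_ADMIN.SET_USER_PRIVS('SCHOOLS', 'DW', 'FULL');
END;
/

-- 3. Load the fact rows with their labels (the hidden column is named explicitly).
INSERT INTO dw.student_fact (fname, lname, score, ols_label)
  VALUES ('Ana',  'Adams', 155, CHAR_TO_LABEL('SCHOOLS', 'SENS:TEST:JFK'));
INSERT INTO dw.student_fact (fname, lname, score, ols_label)
  VALUES ('Mona', 'Patel', 150, CHAR_TO_LABEL('SCHOOLS', 'SENS:TEST:MLK'));
INSERT INTO dw.student_fact (fname, lname, score, ols_label)
  VALUES ('Jen',  'Chu',   175, CHAR_TO_LABEL('SCHOOLS', 'SENS:TEST:MLK'));
INSERT INTO dw.student_fact (fname, lname, score, ols_label)
  VALUES ('Ron',  'Alta',  145, CHAR_TO_LABEL('SCHOOLS', 'SENS:TEST:JFK'));
COMMIT;

-- 4. User authorizations. The principal's maximum read label covers JFK only;
--    the superintendent's covers DIST, the parent group, which dominates JFK and MLK.
BEGIN
  SA_USER_ADMIN.SET_USER_LABELS('SCHOOLS', 'JFK_PRINCIPAL',
                                max_read_label => 'SENS:TEST:JFK');
  SA_USER_ADMIN.SET_USER_LABELS('SCHOOLS', 'SUPERINTENDENT',
                                max_read_label => 'SENS:TEST:DIST');
END;
/

-- Run by JFK_PRINCIPAL  -> Adams, Alta            (MLK rows filtered out)
-- Run by SUPERINTENDENT -> Adams, Patel, Chu, Alta
SELECT fname, lname, score, LABEL_TO_CHAR(ols_label) FROM dw.student_fact;
```

Nothing in the application changes between the two users; the same SELECT returns two or four rows purely on the basis of the label the row carries and the label the session was authorized for, which is the "installable product vs. write your own" contrast on the previous slide.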
Case Study: Province of British Columbia
• Business requirements
  – Consolidated financial information for 28 Ministries
  – Individual Ministry data mart look and feel
• Security issues
  – Confidentiality of inter-Ministry financial budgetary and expenditure information
  – Users require different levels of access: Ministry staff restricted to their data, Controller General staff have open access for consolidated and audit reporting
• Oracle VPD solves the data warehouse security issues
  – No separate data marts
  – All financial information for 28 Ministries stored in one database
Case Study: Data Syndicator
• Business requirements
  – Deliver marketing research data to companies cost-effectively
  – Deliver timely web-based information to customers
• Security issues
  – Separate proprietary information between each company
  – Within each company, users require different levels of access
• Oracle VPD solves the data warehouse security issues
  – Terabyte+ DW with all customer information in one table
  – Did not need to build a complex security layer
  – Does not have to maintain a separate data warehouse for each customer (30+)
  – Generates the same report for multiple customers quickly
Case Study: Los Angeles Unified School District
• Business requirements
  – Provide its 750,000 students information about themselves
  – Web-based access for administrators to grades, test scores, graduation rates and demographics
• Security and privacy issues
  – Confidentiality of student information based on the California Education Code and the Family Education Rights and Privacy Act of 1974
• Oracle VPD solves the data warehouse security issues
  – Student information stored in the same data warehouse
  – Different types of users get different levels of access: student, teacher, principal, district manager, district-wide programs manager
Data Warehouse Security Summary
• Security is crucial for data warehouses
  – Data warehouses contain valuable data
  – Users have direct access to data
• Security adds value to data warehouses
  – Enables efficiency via consolidation
• Oracle's data warehouse customers rely on our security solutions
Next Steps: Security and Identity Management Sessions
• Identity Management for Database Applications
• Oracle Platform Security: Solving Real-World Problems
• Ask the Security Expert
• Unbreakable: What We Learned
• Securing J2EE Applications with Oracle Identity Management
• Planning Your Oracle Identity Management Deployment
• Improving Information Assurance of Linux
• Oracle and Thor: Identity Management Provisioning
• Implementing Identity Management at Lawrence Livermore National Labs (Thursday 3:15, Rm. 120)
Next Steps: Oracle DEMOgrounds
– Virtual Private Database Column Enforcement
– Oracle Label Security Directory Integration
– Directory Based Database Authentication
– Single Sign-On
– CA & PKI Platform
– Windows Integration & eBusiness Provisioning
– Highly Available LDAP
Next Steps: Oracle Security Command Center (Booth 1736)
Win a Dell Axim X5 handheld device
Partners exhibiting: A4vison, Accela, Acsys Biometrics, Alert Technologies, Ascendent Telecommunications, BIO-Key International, Compressus, Dell Environmax, eSpatial, nCipher, Netegrity, PCI Geomatics, PlanGraphics, 3Ship Analytics, Targusinfo, Thor Technologies, Vigilos, Waveset, Xybernaut
• Applications Security (Booth 841)
• Vormetric (Booth 2243)
Next Steps for DW / BI: Data Warehousing DB Sessions
Monday
  11:00 AM, #40153, Room 304: Oracle Warehouse Builder: New Oracle Database 10g Release
  3:30 PM, #40176, Room 303: Security and the Data Warehouse
  4:00 PM, #40166, Room 130: Oracle Database 10g SQL Model Clause
Tuesday
  8:30 AM, #40125, Room 130: Oracle Database 10g: A Spatial VLDB Case Study
  3:30 PM, #40177, Room 303: Building a Terabyte Data Warehouse, Using Linux and RAC
  5:00 PM, #40043, Room 104: Data Pump in Oracle Database 10g: Foundation for Ultrahigh-Speed Data Movement
For More Info On Oracle BI/DW Go To http://otn.oracle.com/products/bi/db/dbbi.html
Next Steps for DW / BI: Data Warehousing DB Sessions
Thursday
  8:30 AM, #40179, Room 304: Oracle Database 10g Data Warehouse Backup and Recovery
  11:00 AM, #36782, Room 304: Experiences with Real-Time Data Warehousing using Oracle 10g
  1:00 PM, #40150, Room 102: Turbocharge your Database, Using the Oracle Database 10g SQLAccess Advisor
Business Intelligence and Data Warehousing demos all four days in the Oracle Demo Campground:
  Oracle Database 10g, Oracle OLAP, Oracle Data Mining, Oracle Warehouse Builder, Oracle Application Server 10g
Reminder: please complete the OracleWorld online session survey.
Thank you.