Oracle Database 11g Release 2 Security Update and Plans
Defense-in-Depth
Vipin Samar, Vice President, Oracle Database Security

Program Agenda
• Today's Threat Landscape
• Defense-in-Depth Approach
• Oracle Database Security Solutions
• Oracle Database Firewall (New!)
• Summary
• Q&A

Why Secure the Database?
What's new now?
• Exploding Data
• Highly available Data
• Sophisticated hackers
• Opportunistic insiders
Lot at stake
• Customer, Employee, Citizen, Corporate data
• Reputation
• Fines & Penalties
Deployment triggers
• Audit findings
• Outsourcing/offshoring
• Data consolidation
• Data breaches in sector

Security Technologies Deployed
[Diagram labels: End Point Security, Email Security, Vulnerability Mgmt, Network Security, Authentication, Identity Management, Other Security, DB Security?; data: Employee, Customer, Citizen]

How Data Gets Compromised?
[Chart. Source: Verizon 2010 Data Breach Investigations Report]

Where Losses Come From?
92% of Records from Compromised Databases
[Chart. Source: 2010 Data Breach Investigations Report]

Top Attack Techniques
[Chart: % Breaches and % Records. Source: 2010 Data Breach Investigations Report]
Most records lost through "Stolen Credentials" & "SQL Injection"

Existing Security Solutions Not Enough
[Diagram labels: Key Loggers, Malware, Phishing, SQL Injection, Botware, Espionage, Social Engineering; Web Users, Application Users, Application, Database, Administrators]
Data Must Be Protected in depth

Database Security Defense-In-Depth Approach
• Monitor and block threats before they reach databases
• Control access to data within the databases
• Track changes and audit database activity
• Encrypt data to prevent direct access
• Implement with
  – Transparency: no changes to existing applications
  – High Performance: no measurable impact on applications
  – Accuracy: minimal false positives and negatives

Oracle Database Security Defense-in-Depth
Encryption and Masking
• Oracle Advanced Security
• Oracle Secure Backup
• Oracle Data Masking
Access Control
• Oracle Database Vault
• Oracle Label Security
Auditing and Tracking
• Oracle Audit Vault
• Oracle Configuration Management
• Oracle Total Recall
Monitoring and Blocking
• Oracle Database Firewall

Oracle Database Security Defense-in-Depth: Encryption and Masking

Oracle Advanced Security: End-to-End Encryption
[Diagram labels: Application, Disk, Backups, Exports, Off-Site Facilities]
• Efficient encryption of all application data
• Built-in key lifecycle management
• No application changes required
• Works with Exadata and Oracle Advanced Compression

Oracle Advanced Security: Integrated with Oracle Enterprise Manager
[Screenshot]

TDE Column Encryption: Integrated with Oracle Enterprise Manager
[Screenshot]

Oracle Advanced Security: What's New and Coming?
• Hardware Acceleration Support
  – Performance already < 10% for most applications
  – 7-10x performance gain with Intel Advanced Encryption Standard New Instructions (AES-NI) and Oracle SPARC T-3
• Key Management and HSM Support
  – Certified with SafeNet, Thales, Utimaco using PKCS #11
  – Planned support for Oracle's Key Management System

Oracle Data Masking: Irreversible De-Identification

Production                            Non-Production
LAST_NAME  SSN          SALARY        LAST_NAME   SSN          SALARY
AGUILAR    203-33-3234  40,000        ANSKEKSL    111-23-1111  40,000
BENSON     323-22-2943  60,000        BKJHHEIEDK  222-34-1345  60,000

• Mask sensitive data for test and partner systems
• Sophisticated masking: Condition-based, compound, deterministic
• Extensible template library and policies for automation
• Leverage masking templates for common data types
• Integrated masking and cloning
• Masking of heterogeneous databases via database gateways (New)
• Command line support for data masking tasks (New)

Oracle Data Masking: What's Coming?
• Sensitive data identification based on privacy attributes
• Application Masking templates for
  – E-Business Suite
  – Fusion Applications

Oracle Database Security Defense-in-Depth: Access Control

Oracle Database Vault: Separation of Duties & Privileged User Controls
[Diagram labels: Procurement, HR, Finance, Application, DBA; query shown: select * from finance.customers]
• Restricts application data from privileged users
• DBA separation of duties
• Securely consolidate application data
• No application changes required
• Works with Oracle Exadata

Oracle Database Vault: Multi-Factor Access Control Policy Enforcement
[Diagram labels: Procurement, HR, Rebates, Application]
• Protect application data and prevent application by-pass
• Enforce who, where, when, and how using rules and factors
  – User Factors: Name, Authentication type, Proxy Enterprise Identity
  – Network Factors: Machine name, IP, Network Protocols
  – Database Factors: IP, Instance, Hostname, SID
  – Runtime Factors: Date, Time

Oracle Database Vault: Out-of-the-Box Protections For Applications
• Pre-built policies with further possible customization
• Complements application security
• Transparent to existing applications
• Minimal performance overhead
• Certifications Underway:
  – Oracle Hyperion
  – Oracle Tax and Utilities
Applications listed:
• Oracle E-Business Suite 11i / R12
• PeopleSoft Applications
• Siebel, i-Flex, Retek
• JD Edwards EnterpriseOne
• SAP
• Infosys Finacle

Oracle Label Security: Data Classification for Access Control
[Diagram labels: Sensitive Transactions, Confidential Report Data, Public Reports; Confidential, Sensitive]
• Classify users and data based on business drivers
• Database enforced row level access control
• Users classification through Oracle Identity Management Suite
• Classification labels can be factors in Database Vault

Oracle Database Security Defense-in-Depth: Auditing and Tracking

Oracle Audit Vault: Automated Audit Collection and Reporting
[Diagram labels: HR Data, CRM Data, ERP Data, Databases; Audit Data, Policies; Built-in Reports, Custom Reports, Alerts; Auditor]
• Consolidate audit data into a secure warehouse
• Create/customize compliance and entitlement reports
• Detect and raise alerts on suspicious activities
• Centralized audit policy management
• Integrated audit trail cleanup

Oracle Audit Vault: Consolidated Reports Span Enterprise Databases
[Screenshot]

Oracle Audit Vault 10.2.3.2: Default Reports
[Screenshot]

Oracle Configuration Management: Secure Configuration & Change Tracking
[Diagram labels: Out-of-box Policies, User-defined Policies & Groups, Real-Time Change Detection, Industry & Regulatory Frameworks, Compliance Dashboard]
Optimized for Oracle with Industry Specific Compliance Dashboards
• Continuous scanning against best practices and gold baselines
• 200+ out-of-the-box policies spanning host, database, and middleware
• Real-time detection of changes to processes, files, etc.
• Violations can trigger emails and create tickets
• Compliance reports mapped to compliance frameworks

Oracle Database Security Defense-in-Depth: Monitoring and Blocking

Oracle Database Firewall: First Line of Defense
[Diagram labels: Applications; Allow, Log, Alert, Substitute, Block; Alerts, Built-in Reports, Custom Reports, Policies]
• Prevent unauthorized activity, application bypass and SQL injections
• Highly accurate SQL grammar based analysis
• Flexible enforcement options
• Built-in and custom compliance reports

Oracle Database Firewall: Security Model
[Diagram labels: Applications, White List, Allow, Block]
• White-list based policies enforce normal or expected behavior
• Evaluate factors such as time, day, network, app, etc.
• Easily generate white-lists for any application
• Log, alert, block or substitute out-of-policy SQL statements
• Black lists to stop unwanted SQL commands, user, or schema access
• Superior performance and policy scalability based upon clustering

Oracle Database Firewall: Deployment Architecture
[Diagram labels: In-Line Blocking and Monitoring, Out-of-Band Monitoring, Inbound SQL Traffic, HA In-Line Mode, Management Server (two shown), Policy Analyzer]
• In-line blocking and monitoring, or out-of-band monitoring modes
• Monitoring of remote databases by forwarding network traffic
• Centralized policy management and reporting
• High availability options for Database Firewalls and Management Servers
• Support for multiple Oracle/non-Oracle Databases with the same firewall

Oracle Database Security: Big Picture
[Diagram labels: Audit consolidation; Applications; Allow, Log, Alert, Substitute, Block; Procurement, HR, Rebates; Sensitive, Confidential, Public; Unauthorized Local Activity; DB Consolidation Security; Local DBA Privilege Mis-Use; Network SQL Monitoring and Blocking; Encrypted Database, Encrypted Backups, Encrypted Exports; Data Masking]

Oracle Database Security: Key Differentiators
• Transparent
• Performant
• Certified with Applications
• Best-in-Class Defense-in-Depth

More Oracle Database Security Presentations
(MS = Moscone South)
• Monday:
  – 12:30 pm: Making a Business Case for Information Security (MS 300)
  – 3:30 pm: Oracle Database 11g Release 2 Security: Defense-in-Depth (MS 103)
• Tuesday:
  – 12:30 pm: Real-World Deployment and Best Practices: Oracle Audit Vault (MS 104)
  – 2:00 pm: Real-World Deployment and Best Practices: Oracle Advanced Security (MS 300)
  – 2:00 pm: Best Practices for Ensuring the Highest Enterprise Database Security (MS 304)
  – 3:30 pm: Database Security Event Management: Oracle Audit Vault and ArcSight (MS 300)
  – 5:00 pm: Real-World Deployment and Best Practices: Oracle Database Vault (MS 303)
• Wednesday:
  – 10:00 am: Protect Data and Save Money: Aberdeen (MS 306)
  – 11:30 am: Preventing Database Attacks With Oracle Database Firewall (MS 306)
  – 4:45 pm: Centralized Key Management and Performance: Oracle Advanced Security (MS 306)
• Thursday:
  – 10:30 am: Deploying Oracle Database 11g Securely on Oracle Solaris (MS 104)

Oracle Database Security Hands-on Labs
• Monday:
  – Database Vault, 11:00AM | Marriott Marquis, Salon 10 / 11
  – Database Vault, 5:00PM | Marriott Marquis, Salon 10 / 11
• Tuesday:
  – Database Security, 11:00AM | Marriott Marquis, Salon 10 / 11
• Thursday:
  – Advanced Security, 12:00PM | Marriott Marquis, Salon 10 / 11
  – Audit Vault, 1:30PM | Marriott Marquis, Salon 10 / 11

Oracle Database Security Demo Grounds (Moscone West)
• Oracle Database Firewall
• Oracle Database Vault
• Oracle Label Security
• Oracle Audit Vault
• Oracle Advanced Security
• Oracle Database 11g Release 2 Security
Exhibition Hours
• Monday, September 20: 9:45 a.m. - 5:30 p.m.
• Tuesday, September 21: 9:45 a.m. - 5:30 p.m.
• Wednesday, September 22: 9:00 a.m. - 4:00 p.m.

The preceding is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.

For More Information
• search.oracle.com: "database security"
• oracle.com/database/security