Download 11gR2_security - Oracle DBA – Tips and Techniques

Oracle Database 11g Release 2 Security Update and Plans
Defense-in-Depth
Vipin Samar
Vice President, Oracle Database Security
Program Agenda
• Today's Threat Landscape
• Defense-in-Depth Approach
• Oracle Database Security Solutions
• Oracle Database Firewall (New!)
• Summary
• Q&A
Why Secure the Database?
What's new now?
• Exploding data
• Highly available data
• Sophisticated hackers
• Opportunistic insiders
Lot at stake
• Customer, employee, citizen, corporate data
• Reputation
• Fines & penalties
Deployment triggers
• Audit findings
• Outsourcing/offshoring
• Data consolidation
• Data breaches in sector
Security Technologies Deployed
[Diagram: employee, customer and citizen data surrounded by the security layers typically deployed: End Point Security, Email Security, Vulnerability Mgmt, Network Security, Authentication, Identity Management, Other Security; the open question is "DB Security?"]
How Data Gets Compromised?
[Chart] Source: Verizon 2010 Data Breach Investigations Report
Where Losses Come From?
92% of records from compromised databases
[Chart] Source: 2010 Data Breach Investigations Report
Top Attack Techniques
[Chart: % breaches and % records, source: 2010 Data Breach Investigations Report]
Most records lost through "Stolen Credentials" & "SQL Injection"
Existing Security Solutions Not Enough
[Diagram: key loggers, malware, phishing, SQL injection, botware, espionage and social engineering reach the database through web users, application users, the application itself and database administrators]
Data must be protected in depth
Database Security
Defense-In-Depth Approach
• Monitor and block threats before they reach databases
• Control access to data within the databases
• Track changes and audit database activity
• Encrypt data to prevent direct access
• Implement with
  – Transparency – no changes to existing applications
  – High Performance – no measurable impact on applications
  – Accuracy – minimal false positives and negatives
Oracle Database Security
Defense-in-Depth
Encryption and Masking
• Oracle Advanced Security
• Oracle Secure Backup
• Oracle Data Masking
Access Control
• Oracle Database Vault
• Oracle Label Security
Auditing and Tracking
• Oracle Audit Vault
• Oracle Configuration Management
• Oracle Total Recall
Monitoring and Blocking
• Oracle Database Firewall
Encryption and Masking
Oracle Advanced Security
End-to-end Encryption
[Diagram: encryption covers the application, data on disk, backups, exports and off-site facilities]
• Efficient encryption of all application data
• Built-in key lifecycle management
• No application changes required
• Works with Exadata and Oracle Advanced Compression
Oracle Advanced Security
Integrated with Oracle Enterprise Manager
[Screenshot]
TDE Column Encryption
Integrated with Oracle Enterprise Manager
[Screenshot]
Oracle Advanced Security
What's New and Coming?
• Hardware Acceleration Support
  – Performance overhead already < 10% for most applications
  – 7-10x performance gain with Intel Advanced Encryption Standard New Instructions (AES-NI) and Oracle SPARC T-3
• Key Management and HSM Support
  – Certified with SafeNet, Thales, Utimaco using PKCS #11
  – Planned support for Oracle's Key Management System
Oracle Data Masking
Irreversible De-Identification

Production                            Non-Production
LAST_NAME  SSN          SALARY        LAST_NAME   SSN          SALARY
AGUILAR    203-33-3234  40,000        ANSKEKSL    111-23-1111  40,000
BENSON     323-22-2943  60,000        BKJHHEIEDK  222-34-1345  60,000

• Mask sensitive data for test and partner systems
• Sophisticated masking: condition-based, compound, deterministic
• Extensible template library and policies for automation
• Leverage masking templates for common data types
• Integrated masking and cloning
• Masking of heterogeneous databases via database gateways (New)
• Command line support for data masking tasks (New)
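The deterministic, irreversible masking the slide illustrates, as an added example (not Oracle Data Masking's own code): a keyed hash drives the substitution, so the same production value always masks to the same test value (joins across masked tables still work) while the masked copy cannot be turned back into the original. The sample rows, the masking key and the column names are constructed assumptions; the key belongs in production only, never alongside the masked copy.

```python
import hashlib
import hmac
import string

# Constructed sample rows in the shape of the slide's Production table.
PRODUCTION = [
    {"LAST_NAME": "AGUILAR", "SSN": "203-33-3234", "SALARY": 40000},
    {"LAST_NAME": "BENSON", "SSN": "323-22-2943", "SALARY": 60000},
]

def _stream(key: bytes, column: str, value: str) -> bytes:
    # Keyed hash of (column, value): the same input always yields the same
    # bytes (deterministic), and the bytes do not reveal the input. Binding
    # the column name keeps identical values in different columns apart.
    return hmac.new(key, f"{column}\x00{value}".encode(), hashlib.sha256).digest()

def mask_name(key: bytes, name: str) -> str:
    # Same width as the original, but letters are replaced by keyed
    # pseudo-random letters (the slide's AGUILAR -> ANSKEKSL style).
    digest = _stream(key, "LAST_NAME", name)
    return "".join(string.ascii_uppercase[digest[i % 32] % 26] for i in range(len(name)))

def mask_ssn(key: bytes, ssn: str) -> str:
    # Format-preserving: every digit is replaced, separators are kept, so
    # format checks in the test system still pass on the masked copy.
    digest = _stream(key, "SSN", ssn)
    out, i = [], 0
    for ch in ssn:
        if ch.isdigit():
            out.append(str(digest[i % 32] % 10))
            i += 1
        else:
            out.append(ch)
    return "".join(out)

def mask_rows(key: bytes, rows):
    # SALARY is copied unchanged, as on the slide: it is needed for realistic
    # test data and is not identifying on its own.
    return [{"LAST_NAME": mask_name(key, r["LAST_NAME"]),
             "SSN": mask_ssn(key, r["SSN"]),
             "SALARY": r["SALARY"]} for r in rows]
```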
Oracle Data Masking
What's Coming?
• Sensitive data identification based on privacy attributes
• Application masking templates for
  – E-Business Suite
  – Fusion Applications
Access Control
Oracle Database Vault
Separation of Duties & Privileged User Controls
[Diagram: Procurement, HR and Finance application data; a DBA issuing "select * from finance.customers" is stopped while the application keeps its access]
• Restricts application data from privileged users
• DBA separation of duties
• Securely consolidate application data
• No application changes required
• Works with Oracle Exadata
Oracle Database Vault
Multi-Factor Access Control Policy Enforcement
[Diagram: Procurement, HR and Rebates data reached only through the application]
• Protect application data and prevent application by-pass
• Enforce who, where, when, and how using rules and factors
  – User factors: name, authentication type, proxy enterprise identity
  – Network factors: machine name, IP, network protocols
  – Database factors: IP, instance, hostname, SID
  – Runtime factors: date, time
Oracle Database Vault
Out-of-the-Box Protections for Applications
• Pre-built policies with further possible customization
• Complements application security
• Transparent to existing applications
• Minimal performance overhead
• Certifications underway:
  – Oracle Hyperion
  – Oracle Tax and Utilities
[Side panel lists: Oracle E-Business Suite 11i / R12, PeopleSoft Applications, Siebel, i-Flex, Retek, JD Edwards EnterpriseOne, SAP, Infosys Finacle]
Oracle Label Security
Data Classification for Access Control
[Diagram: Sensitive transactions, Confidential report data and Public reports, with users labelled Confidential and Sensitive]
• Classify users and data based on business drivers
• Database-enforced row level access control
• User classification through Oracle Identity Management Suite
• Classification labels can be factors in Database Vault
Auditing and Tracking
Oracle Audit Vault
Automated Audit Collection and Reporting
[Diagram: audit data from HR, CRM and ERP databases is collected centrally; policies, alerts, built-in reports and custom reports are available to the auditor]
• Consolidate audit data into a secure warehouse
• Create/customize compliance and entitlement reports
• Detect and raise alerts on suspicious activities
• Centralized audit policy management
• Integrated audit trail cleanup
Oracle Audit Vault
Consolidated Reports Span Enterprise Databases
[Screenshot]
Oracle Audit Vault 10.2.3.2
Default Reports
[Screenshot]
Oracle Configuration Management
Secure Configuration & Change Tracking
[Diagram: out-of-box policies, user-defined policies & groups, real-time change detection, and industry & regulatory frameworks feed a compliance dashboard]
Optimized for Oracle with industry-specific compliance dashboards
• Continuous scanning against best practices and gold baselines
• 200+ out-of-the-box policies spanning host, database, and middleware
• Real-time detection of changes to processes, files, etc.
• Violations can trigger emails and create tickets
• Compliance reports mapped to compliance frameworks
Monitoring and Blocking
Oracle Database Firewall
First Line of Defense
[Diagram: SQL from applications passes through the firewall, whose policies allow, log, alert, substitute or block it; alerts, built-in reports and custom reports are produced]
• Prevent unauthorized activity, application bypass and SQL injections
• Highly accurate SQL grammar based analysis
• Flexible enforcement options
• Built-in and custom compliance reports
Oracle Database Firewall
Security Model
[Diagram: application SQL is matched against a white list; statements on the list are allowed, others are blocked]
• White-list based policies enforce normal or expected behavior
• Evaluate factors such as time, day, network, app, etc.
• Easily generate white-lists for any application
• Log, alert, block or substitute out-of-policy SQL statements
• Black lists to stop unwanted SQL commands, user, or schema access
• Superior performance and policy scalability based upon clustering
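A small model of the white-list security model on this slide, as an added example and not Oracle Database Firewall's own logic: each statement is reduced to a grammar signature with its literals stripped, compared against signatures learned from the application's normal traffic, checked against a black list and a client-host factor, and then allowed, alerted on or blocked. The learned statements, host names and black list are constructed assumptions.

```python
import re
from enum import Enum

# Enforcement options named on the slide.
Action = Enum("Action", "ALLOW LOG ALERT BLOCK SUBSTITUTE")

_TOKEN = re.compile(r"'(?:[^']|'')*'|\d+(?:\.\d+)?|\w+|\S")

def signature(sql: str) -> str:
    # Reduce a statement to its grammar shape: string and numeric literals
    # become placeholders, keywords and identifiers are upper-cased and
    # whitespace is normalised, so statements differing only in bound
    # values share one signature, while an extra clause changes it.
    parts = []
    for tok in _TOKEN.findall(sql.strip().rstrip(";")):
        if tok.startswith("'"):
            parts.append("'?'")
        elif tok[0].isdigit():
            parts.append("?")
        else:
            parts.append(tok.upper())
    return " ".join(parts)

# Constructed "learned" traffic: statements the application is known to issue.
LEARNED = [
    "SELECT * FROM finance.customers WHERE cust_id = 42",
    "SELECT name FROM hr.emp WHERE emp_id = 7",
]

class FirewallPolicy:
    # The out-of-policy action is a deployment choice: LOG or ALERT for
    # out-of-band monitoring, BLOCK or SUBSTITUTE for in-line mode.
    def __init__(self, learned_sql, out_of_policy=Action.BLOCK,
                 blacklist=("DROP", "TRUNCATE", "GRANT"), allowed_hosts=("app01",)):
        self.whitelist = {signature(s) for s in learned_sql}
        self.out_of_policy = out_of_policy
        self.blacklist = set(blacklist)
        self.allowed_hosts = set(allowed_hosts)

    def evaluate(self, sql: str, client_host: str):
        sig = signature(sql)
        first = sig.split(" ", 1)[0]
        if first in self.blacklist:                 # black list: unwanted commands
            return Action.BLOCK, sig
        if client_host not in self.allowed_hosts:   # factor: where the SQL came from
            return Action.ALERT, sig
        if sig in self.whitelist:                   # white list: expected behaviour
            return Action.ALLOW, sig
        return self.out_of_policy, sig              # everything else is out of policy
```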
Oracle Database Firewall
Deployment Architecture
[Diagram: inbound SQL traffic either passes through the firewall in in-line blocking and monitoring mode (including an HA in-line mode) or is copied to it for out-of-band monitoring; Management Servers and the Policy Analyzer sit alongside]
• In-line blocking and monitoring, or out-of-band monitoring modes
• Monitoring of remote databases by forwarding network traffic
• Centralized policy management and reporting
• High availability options for Database Firewalls and Management Servers
• Support for multiple Oracle/non-Oracle databases with the same firewall
Oracle Database Security – Big Picture
[Diagram: network SQL monitoring and blocking (allow, log, alert, substitute, block) in front of the applications; inside the database, Procurement, HR and Rebates data labelled Sensitive, Confidential and Public, protected against unauthorized local activity, local DBA privilege mis-use and DB consolidation security risks; the database, backups and exports are encrypted; audit consolidation and data masking complete the picture]
Oracle Database Security
Key Differentiators
• Transparent
• Performant
• Certified with applications
• Best-in-class defense-in-depth
More Oracle Database Security Presentations
• Monday:
  – 12:30 pm: Making a Business Case for Information Security (MS 300)
  – 3:30 pm: Oracle Database 11g Release 2 Security: Defense-in-Depth (MS 103)
• Tuesday:
  – 12:30 pm: Real-World Deployment and Best Practices: Oracle Audit Vault (MS 104)
  – 2:00 pm: Real-World Deployment and Best Practices: Oracle Advanced Security (MS 300)
  – 2:00 pm: Best Practices for Ensuring the Highest Enterprise Database Security (MS 304)
  – 3:30 pm: Database Security Event Management: Oracle Audit Vault and ArcSight (MS 300)
  – 5:00 pm: Real-World Deployment and Best Practices: Oracle Database Vault (MS 303)
• Wednesday:
  – 10:00 am: Protect Data and Save Money: Aberdeen (MS 306)
  – 11:30 am: Preventing Database Attacks With Oracle Database Firewall (MS 306)
  – 4:45 pm: Centralized Key Management and Performance: Oracle Advanced Security (MS 306)
• Thursday:
  – 10:30 am: Deploying Oracle Database 11g Securely on Oracle Solaris (MS 104)
MS = Moscone South
Oracle Database Security Hands-on Labs
• Monday:
  – Database Vault 11:00 AM | Marriott Marquis, Salon 10 / 11
  – Database Vault 5:00 PM | Marriott Marquis, Salon 10 / 11
• Tuesday:
  – Database Security 11:00 AM | Marriott Marquis, Salon 10 / 11
• Thursday:
  – Advanced Security 12:00 PM | Marriott Marquis, Salon 10 / 11
  – Audit Vault 1:30 PM | Marriott Marquis, Salon 10 / 11
Oracle Database Security Demo Grounds
Moscone West
• Oracle Database Firewall
• Oracle Database Vault
• Oracle Label Security
• Oracle Audit Vault
• Oracle Advanced Security
• Oracle Database 11g Release 2 Security
Exhibition Hours
Monday, September 20: 9:45 a.m. - 5:30 p.m.
Tuesday, September 21: 9:45 a.m. - 5:30 p.m.
Wednesday, September 22: 9:00 a.m. - 4:00 p.m.
The preceding is intended to outline our general
product direction. It is intended for information
purposes only, and may not be incorporated into any
contract. It is not a commitment to deliver any
material, code, or functionality, and should not be
relied upon in making purchasing decisions.
The development, release, and timing of any
features or functionality described for Oracle’s
products remains at the sole discretion of Oracle.
For More Information
search.oracle.com: database security
oracle.com/database/security