Oracle Database Security Solutions

Eric Cheung
Senior Manager, Technology Sales Consulting

Eric.cheung@oracle.com
May 2008
Key Drivers for Data Security

Privacy and Compliance
 • Sarbanes-Oxley (SOX), J-SOX, GLBA
 • Payment Card Industry (PCI)
 • HIPAA, EU Privacy Directives
 • Breach Disclosure Laws
 • COSO, COBIT frameworks
 • Separation of duty, proof of compliance, risk assessment and monitoring

Insider / External Threats
 • Large percentage of threats go undetected
 • Outsourcing and off-shoring trend
 • Customers want to monitor insider & DBA

Oracle Database Security
Continuous Innovation

(The original slide is a timeline of security features by release; the "Government customer" note marks the Oracle7 era.)

Oracle7 (Government customer)
 • Database Auditing
 • Native Network Encryption

Oracle8i
 • Strong Authentication
 • Database Encryption API
 • Virtual Private Database (VPD)
 • Enterprise User Security

Oracle Database 9i
 • Oracle Label Security
 • Fine Grained Auditing
 • Secure Config Scanning

Oracle Database 10g
 • Real Time Masking
 • Transparent Data Encryption (TDE)
 • Oracle Database Vault
 • Oracle Audit Vault

Oracle Database 11g
 • Oracle Total Recall
 • TDE Tablespace Encryption
 • Data Masking

Data Privacy and Regulatory Compliance
Database Security Challenges

 • Protecting Access to Application Data
 • Database Monitoring
 • Data Encryption
 • De-Identifying Information for Sharing
 • Data Classification

Oracle Database Security
Solutions for Privacy and Compliance

(The original slide is a wheel of products around Database Vault; it is repeated as a section divider before each product and is shown here once.)

 • Database Vault
 • Advanced Security
 • Secure Backup
 • Label Security
 • Data Masking
 • Audit Vault
 • Total Recall
 • Configuration Management

Oracle Database Vault
Highly Privileged User Controls

 • Database DBA views HR data (for example SELECT * FROM HR.EMP)
   • Compliance and protection from insiders
 • HR APP Owner views Fin. data
   • Eliminates security risks from server consolidation

(Diagram: the DBA, the HR App and the FIN App each connect to the database; the HR Realm admits only the HR App to the HR schema, and the FIN Realm admits only the FIN App to the FIN schema.)

Oracle Database Vault
Real Time Access Controls

(Diagram: each command is evaluated against factors before it is allowed.)

 • HR Application User issues CONNECT … to HR; factor checked: unexpected IP address
 • FIN Application DBA issues CREATE … on FIN; factor checked: business hours

Oracle Database Vault
Separation of Duty

 • Account Management
   • Database Vault overrides all existing administration privileges for creating new accounts
 • Security administration
   • Database Vault administration is done using an administration account separate from the DBA or SYSDBA
 • Traditional database Administration
   • Traditional administrative tasks are separate from account management and security administration

Major Financial Services Company
Use Case

 • Control Privileged Users
   • Prevent DBAs from accessing sensitive data in Realms
   • Set up multiple levels of DBAs
 • Control Access based upon environmental factors
   • Restrict hostnames authorized to access the DB
   • Control access based on geography
 • Control use of ad-hoc query tools; Enforce maintenance periods
   • Restrict connections by ad-hoc query tools to maintenance times or specific users
 • Control Patching activity
   • Patching activity requires another monitoring user to be logged in
 • Control unauthorized database changes

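The realm and the factor-based command rule from the preceding Database Vault slides, written out with the DBMS_MACADM API. This is an added example, not code from the presentation or from Oracle; the realm name, schema names, IP range, hours and the SECADMIN account are assumptions. It is run as the Database Vault owner (DV_OWNER role), which is the separate security-administration account the separation-of-duty slide describes, not as SYS or a DBA.

```sql
-- Added example (not from the presentation). Run as the Database Vault
-- owner; realm, schema, subnet and hours are constructed values.
BEGIN
  -- 1. Realm around the HR schema: SELECT ANY TABLE and similar system
  --    privileges no longer reach HR objects unless the grantee is
  --    authorised in the realm. Failed attempts are audited.
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'HR Realm',
    description   => 'Protects HR application data from privileged users',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);

  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'HR Realm',
    object_owner => 'HR',
    object_name  => '%',      -- every object in the schema
    object_type  => '%');

  -- Only the application owner is authorised; the DBA is deliberately not.
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'HR Realm',
    grantee       => 'HR',
    rule_set_name => NULL,
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_OWNER);

  -- 2. Rules evaluated at connect time: expected network and business hours.
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'From application subnet',
    rule_expr => q'[SYS_CONTEXT('USERENV','IP_ADDRESS') LIKE '10.20.30.%']');

  DBMS_MACADM.CREATE_RULE(
    rule_name => 'During business hours',
    rule_expr => q'[TO_CHAR(SYSDATE,'HH24') BETWEEN '08' AND '18']');

  -- Every rule in the set must pass (EVAL_ALL); failures are audited and
  -- the user is shown the message, so lock-outs are diagnosable.
  DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'HR connect rules',
    description     => 'Subnet and business-hours checks for HR sessions',
    enabled         => DBMS_MACUTL.G_YES,
    eval_options    => DBMS_MACUTL.G_RULESET_EVAL_ALL,
    audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
    fail_options    => DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => 'Connection outside policy',
    fail_code       => -20001,
    handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);

  DBMS_MACADM.ADD_RULE_TO_RULE_SET('HR connect rules', 'From application subnet');
  DBMS_MACADM.ADD_RULE_TO_RULE_SET('HR connect rules', 'During business hours');

  -- 3. Command rule: CONNECT is permitted only while the rule set passes.
  --    Created disabled; enable it after testing, because a CONNECT rule
  --    applies to every session including the security administrator.
  DBMS_MACADM.CREATE_COMMAND_RULE(
    command       => 'CONNECT',
    rule_set_name => 'HR connect rules',
    object_owner  => '%',
    object_name   => '%',
    enabled       => DBMS_MACUTL.G_NO);
END;
/
```

Before enabling the CONNECT rule on a real system, add a condition that exempts the security-administration account (for example a check on SYS_CONTEXT('USERENV','SESSION_USER')) to one of the rules; otherwise a mistyped subnet or a clock problem locks out every user, administrators included. Realm violations show up in the Database Vault audit trail, which is the evidence the compliance bullets above ask for.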
    Oracle Database Vault
    Application Certification

•   PeopleSoft
•   E-Business Suite
•   Siebel
•   Oracle Content DB
•   Oracle Internet Directory




Oracle Advanced Security
Transparent Data Encryption

 • Protect application data
   • Easily encrypt sensitive data
   • Protect entire application tables or specific data (credit card)
   • No changes to existing applications
 • Built-in key management
   • Keys automatically generated and managed
   • Integrates with Hardware Security Modules (HSM)

(Diagram: a value such as 75000 is transparently encrypted as it is written to the data file and transparently decrypted as the application reads it back.)

Transparent Data Encryption
Point-And-Click Deployment

(Screenshot of the Enterprise Manager encryption wizard; no text content.)

Oracle Advanced Security
Encrypting Columns

 • Encrypt a column in an existing table:

     alter table credit_rating modify (person_id encrypt);

 • Create a new table with an encrypted column:

     create table orders (
       order_id     number(12),
       customer_id  number(12),
       credit_card  varchar2(16) encrypt);

 Note - Default algorithm is AES 192

Oracle Advanced Security
Encrypting Tablespaces

 • Create new tablespace with keyword "Encrypt"

     CREATE TABLESPACE securespace2
       DATAFILE '/home/user/oradata/secure01.dbf'
       SIZE 150M
       ENCRYPTION
       DEFAULT STORAGE (ENCRYPT);

  Note - Default algorithm is AES 128

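The column and tablespace statements on the two preceding slides, carried through as one sequence that also covers the wallet step the key-management slides describe. This is an added example, not code from the presentation or from Oracle; the wallet password, file path, schema and table names are assumptions, and it assumes sqlnet.ora on the server already names the wallet directory.

```sql
-- Added example (not from the presentation). Paths, passwords and names
-- are constructed values.

-- 0. Once per database: create the master key. This creates the PKCS#12
--    wallet in the directory named by ENCRYPTION_WALLET_LOCATION in
--    sqlnet.ora and leaves it open.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "W4llet-P@ssw0rd";

-- After every instance restart the security DBA opens the wallet; until
-- then any access to an encrypted column or tablespace fails with an error
-- rather than returning data.
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "W4llet-P@ssw0rd";

-- 1. Column encryption. Each value gets a random salt by default, which
--    defeats pattern matching on ciphertext but prevents indexing. A
--    column used for equality lookups (person_id) is declared NO SALT so
--    it stays indexable; the card number keeps the salt.
CREATE TABLE orders (
  order_id    NUMBER(12) PRIMARY KEY,
  customer_id NUMBER(12),
  credit_card VARCHAR2(16) ENCRYPT USING 'AES256' SALT);

ALTER TABLE credit_rating MODIFY (person_id ENCRYPT USING 'AES256' NO SALT);
CREATE INDEX credit_rating_pid_ix ON credit_rating (person_id);

-- 2. Tablespace encryption: every segment placed in it, indexes and
--    sort areas included, is encrypted at the block level, so the
--    per-column restrictions on indexing and foreign keys do not apply.
CREATE TABLESPACE securespace2
  DATAFILE '/home/user/oradata/secure01.dbf' SIZE 150M
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

CREATE TABLE hr.payroll (emp_id NUMBER, salary NUMBER) TABLESPACE securespace2;

-- 3. Verification, the check an auditor will ask for: which columns are
--    encrypted and how, which tablespaces are encrypted, and whether the
--    wallet is currently open (STATUS should read OPEN).
SELECT owner, table_name, column_name, encryption_alg, salt
  FROM dba_encrypted_columns;

SELECT t.name AS tablespace_name, e.encryptionalg
  FROM v$tablespace t
  JOIN v$encrypted_tablespaces e ON e.ts# = t.ts#;

SELECT wrl_type, status FROM v$encryption_wallet;
```

The wallet is the root of trust for all of this: back it up separately from the data files (a backup that contains both undoes the encryption), and never store the wallet password in scripts on the database host.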
Oracle Advanced Security
Key Management Architecture

(Diagram, summarised:)
 • The master key is stored in a PKCS#12 wallet; the Security DBA opens the wallet containing the master key.
 • The Oracle Data Dictionary stores the column keys, encrypted using the master key.
 • Transparent Data Encryption uses the column keys to encrypt FIN application data and HR application data on behalf of application users.

Oracle Advanced Security
Key Management Architecture with HSM

(Diagram, summarised; identical to the previous slide except for where the master key lives:)
 • The master key is stored in the HSM; the Security DBA opens the wallet containing the master key.
 • The Oracle Data Dictionary stores the column keys, encrypted using the master key.
 • Transparent Data Encryption uses the column keys to encrypt FIN application data and HR application data on behalf of application users.

Oracle Secure Backup
Integrated Tape Backup Management

 • Improved Security and Manageability
   • Backup encryption for file systems added
   • Automated backup of OSB catalog
   • Policy-based migration from Virtual Tape Library (VTL) to tape
 • Advanced media management
   • Vaulting provides automatic rotation of tapes between multiple locations
   • Tape duplication based on policies
   • Sun StorageTek ACSLS support
 • Improved Performance
   • No backup (and reads) of committed undo

(Diagram: Oracle Databases, through integration with RMAN, and file system data from UNIX, Linux, Windows and NAS hosts flow through Oracle Secure Backup, centralized tape backup management, to tape.)

Oracle Label Security
Access Control by Data Classification

 • Additional access control check
   • Database verifies requestor has table privileges first (select, update, insert, ...)
   • Label Security mediates additional access based on sensitivity assigned to the data or operation
   • Specialized security solution
 • Components
   • User label authorizations
   • Data labels
   • Special user privileges
   • Enforcement options

(Diagram: data rows labelled Highly Sensitive, Sensitive and Confidential; the user's label authorization, the "Security Clearance", such as Sensitive or Highly Sensitive, determines which rows are returned.)

Sensitivity Label Components
More Than Just Levels

(Three build-up slides, combined:)

 • Sensitivity Level (ordered): Confidential < Sensitive < Highly Sensitive
   Example label: Sensitive
 • Plus Zero or More Compartments: HR, PII, FIN, LEGAL
   Example label: Sensitive : HR
 • Plus Zero or More Groups: US, Europe, Global
   Example label: Sensitive : HR : US

Oracle Enterprise Manager

(Screenshot of the Label Security pages in Enterprise Manager; no text content.)

Oracle Label Security
Flexible Policy Model

               HR Policy                       Law Enforcement                      Government Policy
 Levels        Confidential                    Level 1                              Confidential
               Sensitive                       Level 2                              Secret
               Highly Sensitive                Level 3                              Top Secret
 Compartments  PII Data                        Internal Affairs                     Desert Storm
               Investigation                   Drug Enforcement                     Border Protection
 Groups        HR REP                          Local Jurisdiction                   NATO
               Senior HR REP                   FBI                                  Homeland Security
                                               Justice

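The HR Policy column of the table above, built with the Oracle Label Security administration packages; it also shows the level, compartment and group components from the preceding slides combined into one label string. This is an added example, not code from the presentation or from Oracle; the table, the two user accounts, the component numbers and the short names are assumptions. It is run as a user holding LBAC_DBA, and the two users are assumed to already have SELECT and INSERT on the table (Label Security mediates after that check, as the slide says).

```sql
-- Added example (not from the presentation). Table, users, component
-- numbers and labels are constructed values.
CREATE TABLE hr.investigations (
  case_id NUMBER PRIMARY KEY,
  subject VARCHAR2(60));

BEGIN
  -- The policy adds a label column (HR_LABEL) to each table it is applied
  -- to and mediates reads and writes after the object privilege check.
  SA_SYSDBA.CREATE_POLICY(
    policy_name     => 'HR_POLICY',
    column_name     => 'HR_LABEL',
    default_options => 'READ_CONTROL,WRITE_CONTROL');

  -- Levels are ordered by number: clearance to S also reads C rows.
  SA_COMPONENTS.CREATE_LEVEL('HR_POLICY', 1000, 'C',  'Confidential');
  SA_COMPONENTS.CREATE_LEVEL('HR_POLICY', 2000, 'S',  'Sensitive');
  SA_COMPONENTS.CREATE_LEVEL('HR_POLICY', 3000, 'HS', 'Highly Sensitive');

  -- Compartments are unordered: a reader must hold every compartment
  -- that appears on the row label.
  SA_COMPONENTS.CREATE_COMPARTMENT('HR_POLICY', 100, 'PII', 'PII Data');
  SA_COMPONENTS.CREATE_COMPARTMENT('HR_POLICY', 200, 'INV', 'Investigation');

  -- Groups are hierarchical: holding the parent (SRHR) implies the child
  -- (HRREP), not the reverse, and a reader needs any one group on the row.
  SA_COMPONENTS.CREATE_GROUP('HR_POLICY', 10, 'SRHR',  'Senior HR REP');
  SA_COMPONENTS.CREATE_GROUP('HR_POLICY', 20, 'HRREP', 'HR REP', 'SRHR');

  -- Apply to the table. LABEL_DEFAULT stamps rows inserted without an
  -- explicit label with the session's default row label.
  SA_POLICY_ADMIN.APPLY_TABLE_POLICY(
    policy_name    => 'HR_POLICY',
    schema_name    => 'HR',
    table_name     => 'INVESTIGATIONS',
    table_options  => 'READ_CONTROL,WRITE_CONTROL,LABEL_DEFAULT',
    label_function => NULL,
    predicate      => NULL);

  -- Clearances. Label strings are LEVEL:COMPARTMENTS:GROUPS, with commas
  -- separating items inside one component (matches "Sensitive : HR : US").
  SA_USER_ADMIN.SET_USER_LABELS(
    policy_name     => 'HR_POLICY',
    user_name       => 'SR_HR_REP',
    max_read_label  => 'HS:PII,INV:SRHR',
    max_write_label => 'HS:PII,INV:SRHR',
    row_label       => 'HS:PII,INV:SRHR');

  SA_USER_ADMIN.SET_USER_LABELS(
    policy_name     => 'HR_POLICY',
    user_name       => 'HR_REP',
    max_read_label  => 'S:PII:HRREP',
    max_write_label => 'S:PII:HRREP',
    row_label       => 'S:PII:HRREP');
END;
/

-- As SR_HR_REP: a Highly Sensitive investigation row. HR_REP is cleared
-- only to S and holds HRREP, not SRHR, so this row is invisible to them.
INSERT INTO hr.investigations (case_id, subject, hr_label)
VALUES (9001, 'Expense irregularities',
        CHAR_TO_LABEL('HR_POLICY', 'HS:PII,INV:SRHR'));

-- Run as each user in turn: HR_REP sees only rows dominated by S:PII:HRREP.
SELECT case_id, subject, LABEL_TO_CHAR(hr_label) AS label
  FROM hr.investigations;
```

The useful property for a reviewer is that the row label is data, stored beside the row, so the same policy yields different result sets for different clearances without any change to the query; add HIDE to the policy options if applications should not see the label column at all.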
Oracle Label Security
Additional Use Cases

 • Embed in Database Vault Command Rules
   • Compare label authorization in command rules for separation of duty customization
 • Embed in Data Masking decisions
   • Use with VPD column real time data masking to decide whether to NULL out PII data returned in a query
 • Notate application users' current working label authorization on information portals

Off-Line Data Masking
Oracle Enterprise Manager

 • Automates production data masking
   • Easily mask existing application data
   • No impact on production database
 • Built-in data relationship discovery
   • Use foreign key definitions
   • Define custom data relationships

(Diagram: the production database is cloned and the clone is masked.)

 Production Database
   LAST_NAME    SSN            SALARY
   AGUILAR      203-33-3234    40,000
   BENSON       323-22-2943    60,000

 Cloned Database (masked)
   LAST_NAME    SSN            SALARY
   ANSKEKSL     111-23-1111    40,000
   BKJHHEIEDK   111-34-1345    60,000

Real-Time Data Masking
Virtual Private Database Masking

 • Null out or clear table columns for all or specific table rows

(Diagram: the application issues "select * from customers;"; the VPD policy appends "where account_mgr_id = sys_context('APP','CURRENT_MGR');", and the SSN column is returned only for the rows that satisfy it.)

 Sample result rows from the slide (SSN and a second, unlabelled numeric column):
   701-495-2123   25000
   121-791-4212   15000
   181-095-1232   10000
   581-295-7603   12000
   431-395-9332   17000
   381-395-9223   15000
   483-562-0912
   461-978-8212

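The column-masking policy from the slide above, together with the application context it depends on, which the slide leaves implicit. This is an added example, not code from the presentation or from Oracle; the table, the APP_CTX package and the sample rows are assumptions, and it assumes the running user has CREATE ANY CONTEXT and EXECUTE on DBMS_RLS.

```sql
-- Added example (not from the presentation). Table, context package and
-- rows are constructed values.

-- Sample data (constructed): each customer row belongs to one account manager.
CREATE TABLE customers (
  cust_id        NUMBER PRIMARY KEY,
  name           VARCHAR2(40),
  ssn            VARCHAR2(11),
  credit_limit   NUMBER,
  account_mgr_id NUMBER);

INSERT INTO customers VALUES (1, 'Aguilar', '701-495-2123', 25000, 145);
INSERT INTO customers VALUES (2, 'Benson',  '121-791-4212', 15000, 146);
COMMIT;

-- Application context. Binding it to APP_CTX means only that package can
-- set CURRENT_MGR; a session cannot forge the value by calling
-- DBMS_SESSION.SET_CONTEXT directly.
CREATE OR REPLACE CONTEXT app USING app_ctx;

CREATE OR REPLACE PACKAGE app_ctx AS
  PROCEDURE set_current_mgr(p_mgr_id IN NUMBER);
END app_ctx;
/
CREATE OR REPLACE PACKAGE BODY app_ctx AS
  PROCEDURE set_current_mgr(p_mgr_id IN NUMBER) IS
  BEGIN
    -- In a real application derive the manager id from the authenticated
    -- identity (SESSION_USER, proxy user or a verified client identifier),
    -- never from a value the client passes in unchecked.
    DBMS_SESSION.SET_CONTEXT('APP', 'CURRENT_MGR', TO_CHAR(p_mgr_id));
  END set_current_mgr;
END app_ctx;
/

-- Policy function: returns the predicate VPD appends to the query.
-- If CURRENT_MGR is unset the comparison is with NULL, so every SSN is
-- masked: the policy fails closed.
CREATE OR REPLACE FUNCTION mgr_rows(p_schema IN VARCHAR2, p_object IN VARCHAR2)
  RETURN VARCHAR2 IS
BEGIN
  RETURN q'[account_mgr_id = SYS_CONTEXT('APP','CURRENT_MGR')]';
END mgr_rows;
/

-- Column masking: with ALL_ROWS every row is still returned, but SSN is
-- NULL where the predicate is false. Without sec_relevant_cols_opt the
-- non-matching rows would be filtered out entirely (row-level security).
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema         => USER,
    object_name           => 'CUSTOMERS',
    policy_name           => 'MASK_SSN',
    function_schema       => USER,
    policy_function       => 'MGR_ROWS',
    statement_types       => 'SELECT',
    sec_relevant_cols     => 'SSN',
    sec_relevant_cols_opt => DBMS_RLS.ALL_ROWS);
END;
/

-- Manager 145 sees Aguilar's SSN; Benson's row comes back with SSN NULL.
BEGIN
  app_ctx.set_current_mgr(145);
END;
/
SELECT name, ssn, credit_limit FROM customers;
```

Two caveats worth knowing before relying on this for PII: column masking applies to SELECT only, and it is triggered only when the query references the masked column, so it protects the data path shown on the slide but does not stop a privileged user from reading the table through other means; that gap is what the Database Vault and auditing slides address.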
Auditing in the Oracle Database
Robust, Flexible, and High Fidelity Audit

 • Industry's most advanced
   • Statement - audit DDL / DML based on statement type or schema object
   • Privilege - audit statements that use system privileges
   • Specific user or group of users
 • Fine grained auditing (Oracle9i)
   • Enterprise Edition conditional auditing feature
   • Select statements only (Oracle9i)
   • Updates, inserts, and delete statements (Oracle Database 10g)
 • Flexible
   • Audit table and OS file destinations (OS is most performant)
   • Supports XML format
   • Windows event viewer & SYSLOG

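The three auditing mechanisms the slide lists, statement, privilege and fine-grained, configured on one 11g database along with the XML destination. This is an added example, not code from the presentation or from Oracle; the HR.PAYROLL table (with a GRADE column) and the CONTRACTOR_DBA account are assumptions.

```sql
-- Added example (not from the presentation). Table, column and account
-- names are constructed values.

-- Destination: XML files under AUDIT_FILE_DEST with full SQL text and bind
-- values (EXTENDED). Static parameter: takes effect after a restart.
ALTER SYSTEM SET audit_trail = XML, EXTENDED SCOPE = SPFILE;

-- Statement auditing by object: every read or change of the payroll table,
-- one record per execution (BY ACCESS) rather than one per session.
AUDIT SELECT, INSERT, UPDATE, DELETE ON hr.payroll BY ACCESS;

-- Privilege auditing: each use of a powerful system privilege, by anyone.
AUDIT SELECT ANY TABLE, ALTER ANY TABLE, GRANT ANY PRIVILEGE BY ACCESS;

-- User-scoped auditing: every statement one named account issues.
AUDIT ALL BY contractor_dba BY ACCESS;

-- Fine-grained auditing: record a hit only when SALARY is read or changed
-- on rows with grade 10 or above, so the log holds signal, not volume.
-- Records go to the FGA trail (FGA_LOG$) with SQL text and binds.
BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema   => 'HR',
    object_name     => 'PAYROLL',
    policy_name     => 'EXEC_SALARY_ACCESS',
    audit_condition => 'grade >= 10',
    audit_column    => 'SALARY',
    statement_types => 'SELECT,UPDATE');
END;
/

-- Review: what triggered the policy, by whom and from where.
SELECT timestamp, db_user, os_user, userhost, sql_text, sql_bind
  FROM dba_fga_audit_trail
 WHERE policy_name = 'EXEC_SALARY_ACCESS'
 ORDER BY timestamp DESC;
```

Writing the standard trail to OS or XML files rather than the AUD$ table is the configuration the slide calls most performant; it is also the one that keeps the records out of reach of a DBA who can delete from AUD$, which is the property Audit Vault then builds on by moving the files off the host.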
Oracle Audit Vault
Protect Your Enterprise With Auditing

 • Manage Audit Data
   • Centrally secure audit data from Oracle databases
   • Centrally manage Oracle database audit settings
 • Detect suspicious activities
   • Monitor database users – especially privileged users
   • Alert on unauthorized activities
 • Simplify compliance reporting
   • Built-in compliance reports
   • Define custom reports

(Diagram: Audit Vault collects from Oracle Database 9i Release 2, 10g Release 1, 10g Release 2 and 11g, with other sources and databases marked as future; its functions are labelled Report, Monitor, Enforce and Secure.)

Audit Vault Reports
Out-of-the-box Audit Assessments & Custom Reports

 • Out-of-the-box reports
   • Privileged user activity
   • Access to sensitive data
   • Role grants, DDL activity
 • Custom reports
   • Published warehouse schema
   • Use Oracle or 3rd party tools
 • User-defined reports
   • What privileged users did on the financial database?
   • What user 'A' did across multiple databases?
   • Who accessed sensitive data?

 Oracle Audit Vault
 Manageability
• Audit Vault Dashboard
   •   Enterprise overview
   •   Alerts on audit events
   •   Drill down reports
   •   Audit Vault administration


• Audit Vault Policies
   • Collection of audit settings for
     databases
   • Provision database audit settings
     centrally for compliance policies
   • Compare against existing audit
     settings on source
   • Demonstrate compliance with internal
     mandates

Oracle Audit Vault Repository
Scalable, Flexible & Secure

 • Performance and Scalability
   • Scale to Terabytes with partitioning
   • Data warehouse enables business intelligence and analysis
 • Security
   • Separation of duty
   • Privileged users can't modify audit data
   • Data protected in transit from source to Audit Vault

Introducing Oracle Total Recall
Tamper-Resistant Real-Time Database Archiving

 • Automated table "snapshots" record changes to data
   • Complements auditing – who v. what
   • Optimized to minimize performance overhead
 • Historical data can be retained as long as needed for regulatory compliance and forensic analysis
   • Automatically prevents end users from changing historical data
 • Seamless access to archived historical data
   • Historical data stored in the database for real-time access
   • Stored in compressed form to minimize storage requirements

     select * from product_information
       AS OF TIMESTAMP TO_TIMESTAMP('02-MAY-05 12.00 AM', 'DD-MON-RR HH.MI AM')
       where product_id = 3060;

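The setup behind the query on the slide: a Flashback Data Archive, which is the 11g mechanism Total Recall is built on, enabled on the table and then queried both at a point in time and as a version history. This is an added example, not code from the presentation or from Oracle; the archive name, tablespace, quota and retention are assumptions, and it assumes the running user holds FLASHBACK ARCHIVE ADMINISTER.

```sql
-- Added example (not from the presentation). Archive, tablespace, quota
-- and retention are constructed values.

-- History rows for tracked tables are kept, compressed, in the archive's
-- tablespace and purged automatically once they are older than the
-- retention period.
CREATE FLASHBACK ARCHIVE fda_compliance
  TABLESPACE fda_ts QUOTA 10G
  RETENTION 7 YEAR;

-- Enable tracking. From this point every UPDATE and DELETE on the table is
-- recorded in the background with no application change; the history
-- table cannot be updated or deleted from, by end users or by the DBA.
ALTER TABLE product_information FLASHBACK ARCHIVE fda_compliance;

-- Point-in-time read: the slide's query with an explicit timestamp cast.
SELECT *
  FROM product_information AS OF TIMESTAMP
       TO_TIMESTAMP('02-MAY-05 12.00 AM', 'DD-MON-RR HH.MI AM')
 WHERE product_id = 3060;

-- Forensic view: every version of one row inside a window, with the
-- operation (I/U/D) and the transaction id that produced it, which can be
-- joined back to the audit trail to answer "who" as well as "what".
SELECT versions_starttime, versions_endtime, versions_operation,
       versions_xid, list_price
  FROM product_information
       VERSIONS BETWEEN TIMESTAMP
         TO_TIMESTAMP('01-MAY-05', 'DD-MON-RR') AND SYSTIMESTAMP
 WHERE product_id = 3060
 ORDER BY versions_starttime;
```

History begins when the archive is enabled, not before, so the retention clock only matters for changes made afterwards; and while a table is tracked, DDL that would lose history (dropping or truncating it) is refused, which is usually the behaviour a compliance owner wants but surprises a DBA who has not been told.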
Tracking Compliance Over Time
Compliance Trend across IT infrastructure

(Screenshot of the Enterprise Manager compliance trend chart; no text content.)

Example of Security Policy Rules
Over 250 Built-in Policy Rules

Database Services
 • Enable listener logging
 • Password-protect listeners
 • Disallow default listener name
 • Ensure listener log file is valid and owned by Oracle
 • Ensure listener host name is specified with IP

Database File Permissions
 • Init.ora should have restricted file permission
 • Files in $OH/bin should be owned by Oracle
 • Data files should be owned by Oracle

Database Profile/Configuration
 • Default Passwords
 • Disallow access to objects by a fixed user link
 • Disallow default tablespace set to SYSTEM
 • Set password_grace_time
 • Limit or deny access to DBMS_LOB
 • Set password_reuse_max
 • Avoid using utl_file_dir parameter

Host
 • Detect open ports
 • Detect insecure services
 • Ensure NTFS file system type (Windows)

Application Server
 • HTTPD has minimal privileges
 • Use HTTP/S
 • Apache logging should be on
 • Demo applications disabled
 • Disable default banner page
 • Disable access to unused directories
 • Disable directory indexing
 • Forbid access to certain packages
 • Disable packages not used by DAD owner
 • Remove unused DAD configurations
 • Password complexity enabled

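Several of the Database Profile/Configuration rules above, expressed as read-only checks against the data dictionary so that a reviewer can see what the Enterprise Manager scan is evaluating. This is an added example, not code from the presentation or from Oracle; the list of dictionary-owned accounts to exclude is an assumption, and DBA_USERS_WITH_DEFPWD exists from 11g onward.

```sql
-- Added example (not from the presentation). Read-only queries; the
-- exclusion list is a constructed value.

-- Rule "Default Passwords": open accounts still using the shipped password.
SELECT d.username
  FROM dba_users_with_defpwd d
  JOIN dba_users u ON u.username = d.username
 WHERE u.account_status = 'OPEN';

-- Rules "Set password_grace_time" / "Set password_reuse_max": profiles
-- that leave either limit unlimited.
SELECT profile, resource_name, limit
  FROM dba_profiles
 WHERE resource_name IN ('PASSWORD_GRACE_TIME', 'PASSWORD_REUSE_MAX')
   AND limit = 'UNLIMITED';

-- Rule "Disallow default tablespace set to SYSTEM": application or user
-- accounts whose objects would land in the dictionary tablespace.
SELECT username, default_tablespace
  FROM dba_users
 WHERE default_tablespace = 'SYSTEM'
   AND username NOT IN ('SYS', 'SYSTEM', 'OUTLN');

-- Rule "Disallow access to objects by a fixed user link": a link with a
-- stored username lets anyone who can use it act as that remote account.
SELECT owner, db_link, username, host
  FROM dba_db_links
 WHERE username IS NOT NULL;

-- Rule "Avoid using utl_file_dir parameter": any directory listed here is
-- readable and writable through UTL_FILE by every user who can execute it.
SELECT name, value
  FROM v$parameter
 WHERE name = 'utl_file_dir'
   AND value IS NOT NULL;

-- Rule "Limit or deny access to DBMS_LOB": PUBLIC execute on LOB and file
-- packages is the usual finding.
SELECT grantee, table_name, privilege
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND table_name IN ('DBMS_LOB', 'UTL_FILE')
   AND grantee = 'PUBLIC';
```

Any row returned is a finding to triage, not automatically a violation (a fixed-user link to a read-only reporting account may be intended); the value of scanning is that the same queries run on every database on a schedule, so a drift from the agreed baseline is noticed rather than discovered during an incident.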
Learn More

 • http://search.oracle.com (search for "database security")

 Technology Overview
 • Visit: oracle.com/database/security
   • View whitepapers and webinars

 Technical Information, Demos, Software
 • Visit OTN: otn.oracle.com -> products -> database -> security and compliance

Release Wide Map of Security Products

(The original slide is a matrix of solution against release: Oracle8i, Oracle Database 9iR1, 9iR2, 10g R1, 10g R2 and 11gR1. The check marks did not survive extraction, so only the solutions are listed.)

 • Database Auditing
 • Network Encryption
 • Virtual Private Database
 • Label Security
 • Privileged User Controls
 • Enterprise User Security
 • Fine Grained Auditing
 • Client Identifier
 • EM Configuration Scanning
 • TDE Column Encryption
 • TDE Tablespace Encryption
 • EM Data Masking

Data Masking is available starting with EM 10.2.0.4 and works against Oracle Database 9.2 and higher databases.