5 steps to reduce risk and improve database security

2,581 views

Published on

Event: Oracle Day Estonia 2012
Date: 8.03.2012
Country: ESTONIA
Speaker: – Edgars Rungis (Oracle)

Published in: Technology, News & Politics
0 Comments
3 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
2,581
On SlideShare
0
From Embeds
0
Number of Embeds
287
Actions
Shares
0
Downloads
0
Comments
0
Likes
3
Embeds 0
No embeds

No notes for slide

5 steps to reduce risk and improve database security

  1. 1. 1 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
  2. 2. 5 Steps to reduce Risk and improve Database Security Edgars Ruņģis, Technology Consultant2 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
  3. 3. Why Increase Database Security?3 Copyright © 2011, Oracle and/or its affiliates. All rights Source: "Effective Data Leak Prevention Programs: Start by Protecting Data at reserved. the Source — Your Databases", IDC, August 2011
  4. 4. How Secure Are Your Databases ? 2011 IOUG Data Security Survey Results4 Copyright © 2011, Oracle and/or its affiliates. All rights reserved. http://www.oracle.com/us/products/database/2011-ioug-data-security-survey-516534.pdf
  5. 5. IT Security Not Addresing Database Security –Only 20% Have A Plan5 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
  6. 6. 5 Steps to Reduce Risk and Improve Database Security 1. Mitigate Database Bypass 2. Prevent Account Misuse 3. Consolidated Auditing and Compliance Reporting 4. Monitor Database Traffic and block Threats 5. Protect non-production Environments6 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
  7. 7. How can we access data bypassing Database?• Restore DB from unprotected backup copy• Access data stored in database files by IT staff/OS users and read the information 7 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
  8. 8. What about Oracle Database Data Files ?8 Copyright © 2011, Oracle and/or its affiliates. All rights reserved. 8
  9. 9. Mitigate Database Bypass Oracle Advanced Security for authentication and encryption Disk Backups Exports Application Off-Site Facilities• Prevents access to data stored in database files, on tape, etc. by IT staff/OS users• Efficient application data encryption without changes• Strong authentication of database users for greater identity assurance• Built-in key management for Seperation of Duties 9 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
  10. 10. Mitigate Database Bypass Transparent Data Encryption Key Architecture Hardware Security Module Tablespace Table Key Key Standard Wallet Master Key Auto-Open Wallet Local Auto-Open Oracle Wallet Wallet TDE Tablespace TDE Column Encryption Encryption10 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
  11. 11. Prevent Account Misuse What privileged users (DBA) can do ? – Access, delete, or change ANY application data • Change salary ? Why not! – Turn off auditing (!!!) • Change salary without audit trail ? Why not! – Modify audit trails to hide tracks – Intentional or accidental harmful changes • DB link from test to production system...? It happens! – Add unauthorized user accounts or modify existing accounts • Create new account for your best “friend” and grant DBA privileges ... – ...11 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
  12. 12. Prevent Account Misuse Oracle Database Vault to enforce privileged user access Procurement Applications HR select * from Finance finance.customers DBA• Restrict highly privileged users from application data and DBA seperation of duties• Enforce who, where, when and how data is accessed using rules and factors • Enforce least privilege for privileged database users • Prevent application by-pass• Securely consolidate application data or enable multi-tenant data management 12 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
  13. 13. Prevent Account Misuse Example: Privileged User Access Fin Oracle DB DBA13 Copyright © 2011, Oracle and/or its affiliates. All rights reserved. 13
  14. 14. Prevent Account Misuse Example: Complete the Definition of the Realm14 Copyright © 2011, Oracle and/or its affiliates. All rights reserved. 14
  15. 15. Prevent Account Misuse Example: Privileged User Access, Again Fin Oracle DB DBA15 Copyright © 2011, Oracle and/or its affiliates. All rights reserved. 15
  16. 16. Prevent Account Misuse Some Use Cases of Oracle Database VaultRequirement Database Vault SolutionRestrict DBA access to sensitive data Realm around application data allowing only the authorized application owner to access dataEnforce application access through middle tier processes Rule restricting database access based on middle tier server IP(Prevent application bypass) addressesProtect mission-critical business data from intentional or Rule restricting dropping or wiping out associated databaseaccidental harmful changes structuresRestrict users access data outside standard working Rule restricting users’ login to working hourshoursEnforce patching and backup to specific maintenance Rule restricting database maintenance DBA’s login toperiods and monitor the patching process. maintenance day/time Rule requiring two DBAs to authenticate during maintenance periods from internal IP addresses 16 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
  17. 17. Consolidated Auditing and Compliance Reporting17 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
  18. 18. Questions to consider• How do you consolidate your audit data ?• How do you detect and alert on suspicious activities ?• Do You run reports over audit data ?• Is Your audit data protected ? What about power users (DBAs)?• How do you cleanup/archive audit data ? 18 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
  19. 19. Consolidated Auditing and Compliance Reporting Oracle Audit Vault - Trust But Verify • Consolidate database audit trail into secure centralized repository • Out-of-the box compliance reports for SOX, PCI, and other regulations – E.g., privileged user audit, entitlements, failed logins, regulated data changes • Detect and alert on suspicious activities, including privileged users – Creating users on sensitive systems, role grants, “DBA” grants, failed logins .19 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
  20. 20. Monitor Database Traffic and block Threats Oracle Database Firewall - First Line Of Defense • Blocks unauthorized access like SQL injections from reaching databases • SQL grammar analysis ensures accuracy, enforcment and scalability • White-list and black-list based security policies • In-line blocking and monitoring, or out-of-band monitoring modes20 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
  21. 21. How to Catch Anomalous SQL with Accuracy, Performance, and Scale?SELECT * from stock where catalog-no = PHE8131 and location = 1SELECT * from stock where catalog-no = -- and location = 1SELECT * from stock where catalog-no = having 1=1 -- and location = 1SELECT * from stock where catalog-no = order by 4-- and location = 1SELECT * from stock where catalog-no = union select cardNo,customerId,0from Orders where name = John Smith-- and location = 1SELECT * from stock where catalog-no = union select min(cardNo),1,0 fromOrders where cardNo > 0-- and location = 1 21 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
  22. 22. Monitor Database Traffic and block Threats Oracle Database Firewall Positive Security Model SELECT * from stock White List where catalog-no=PHE8131 Allow Block Applications SELECT * from stock where catalog-no=‘ union select cardNo,0,0 from Orders --’ • “Allowed” behavior can be defined for any user or application • Automated whitelist generation for any application • Many factors to define policy (e.g. network, application, etc) • Out-of-policy Database network interactions instantly blocked22 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
  23. 23. Monitor Database Traffic and block Threats Oracle Database Firewall Negative Security Model SELECT * FROM Black ListDBA activity via v$sessionApplications BlockDBA activity via SELECT * FROMApproved Workstation v$session Allow + Log • Stop specific unwanted SQL interactions, user or schema access • Ensures database interactions originate from appropriate sources • Blacklist can take into account built-in factors such as time of day, day of week, network, application, etc • Provide flexibility to authorized DBAs while still monitoring activity 23 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
  24. 24. Protect non-production environments Questions to consider ... • 37% “live” porduction data; 48% outdated production data is being used for testing, development, support, training, etc. * • Regulations restrict use of sensitive data and mandate access control (who, where, how, and why) • Why to break in into production system if the production data is available in development / test system ? • Are developers/testers authorized users of your production data ?24 Copyright © 2011, Oracle and/or its affiliates. All rights * Source: IOUG 2010 data security survey reserved.
  25. 25. Protect non-production environments Oracle Data Masking secures Test System Deployment Production TestLAST_NAME SSN SALARY LAST_NAME SSN SALARYAGUILAR 203-33-3234 60,000 SMITH 111-23-1111 60,000BENSON 323-22-2943 40,000 MILLER 222-34-1345 40,000 • Deploy secure test system by masking sensitive data • Extensible, centralized, template library and policies for automation • Sophisticated masking: Condition-based, compound, deterministic • Integrated masking and cloning • NEW in EM 12c: Application Data Modeling • NEW in EM 12c: Sensitive Data Discovery 25 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
  26. 26. Protect non-production environments Data Discovery and Modeling • Sensitive data discovery – Pattern-based – Import from pre- built templates26 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
  27. 27. Why to use Data Masking ? Why not to write some scripts ? • Think about the maintance of the scripts by introducing some changes to the table structures... • What happens if your DBA leaves the organization ? • Quality of the scripts; Masking is resource intensive process; Oracle knows Oracle (optimizations) the best ;)27 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
  28. 28. What’s next ?28 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
  29. 29. Secure Production Database Environment Oracle Database Lifecycle Management Discover Scan and Monitor Patch • Discover and classify databases into security policy groups • Scan databases against 400+ best practices and industry standards, custom enterprise- specific configuration policies, and enforce security compliance • Detect and prevent unauthorized database configuration changes, trouble ticket tracking • Automated patching and secure provisioning29 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
  30. 30. Security Homepage in Oracle Enterprise Manager 12c30 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
  31. 31. Oracle Database Security Strategy Compliance Data Vulnerability Scan Discovery Scan Patch Activity Audit Automation Auditing Encrypted DatabaseApplications Authorization Data Masking Authentication Network SQL Monitoring and Blocking Unauthorized Multi-factor DBA Activity authorization 31 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
  32. 32. 32 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
  33. 33. 33 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.

×