Your SlideShare is downloading. ×
Month, Day, Year                                                                                                          ...
Program Agenda    • The State of Security    • Oracle Maximum Database Security      Architecture    • Protecting Enterpri...
Why Maximum Security?    Two Thirds of Sensitive and Regulated    Information now Resides in Databases    … and Doubling E...
The 2000-2010 Decade Landscape    • IT Landscape          – Highly available and scalable          – Outsourcing, offshori...
Landscape Looking Ahead    • IT Landscape          – Vanishing perimeter dissolves insider/outsider differences          –...
Is IT Security Addressing Databases?                                                                                      ...
Database Security – Big Picture                                                                                    Complia...
Sources of Vulnerability    Attacks can come from anywhere                                                                ...
Sources of Vulnerability    Attacks can come from anywhere                                                                ...
Operations                                                                  • Data files can be accessed directly at the o...
Transparent Data Encryption     Oracle Advanced Security                                                                  ...
Account Misuse                                                                  • SQL Injection                   Applicat...
Account Misuse                    What                                          • Privileged accounts are a targets of att...
Database Operational Controls     Oracle Database Vault                                                                  P...
Audit Consolidation & Reporting     Oracle Audit Vault                                                                   !...
Test and Dev                                                                  • SQL Injection attack                  Appl...
Test and Dev                                                                  • Product data frequently copied to developm...
Irreversible De-Identification       Oracle Data Masking                           Production                             ...
Applications                                                                   • SQL Injection attack                     ...
Applications                                                                  • Applications may be vulnerable to SQL Inje...
First Line of Defense on the Network      Oracle Database Firewall                                                        ...
Issues to Ponder?                                                                  1   Is our IP secured?                 ...
Q&A23   Copyright © 2011, Oracle and/or its affiliates. All rights     reserved.
24   Copyright © 2011, Oracle and/or its affiliates. All rights     reserved.
25   Copyright © 2011, Oracle and/or its affiliates. All rights     reserved.
Upcoming SlideShare
Loading in...5
×

All About Oracle Database Security

709

Published on

Oracle Day 2011

Published in: Technology
0 Comments
2 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
709
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
0
Comments
0
Likes
2
Embeds 0
No embeds

No notes for slide

Transcript of "All About Oracle Database Security "

  1. 1. Month, Day, Year Venue City Oracle’s Maximum Database Security Architecture Marcin Kozak1 Software Architect, Security Copyright © 2011, Oracle and/or its affiliates. All rights reserved. Insert Information Protection Policy Classification from Slide 8
  2. 2. Program Agenda • The State of Security • Oracle Maximum Database Security Architecture • Protecting Enterprise Databases – What is the threat? – How is it exploited? – How can you protect against it? • Q&A2 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
  3. 3. Why Maximum Security? Two Thirds of Sensitive and Regulated Information now Resides in Databases … and Doubling Every Two Years Classified Govt. Info. Trade Secrets Competitive Bids Corporate Plans Credit Cards Source Code HR Data Customer Data Bug Database Citizen Data Financial Data3 Copyright © 2011, Oracle and/or its affiliates. All rights Source: "Effective Data Leak Prevention Programs: Start by Protecting Data at reserved. the Source — Your Databases", IDC, August 2011
  4. 4. The 2000-2010 Decade Landscape • IT Landscape – Highly available and scalable – Outsourcing, offshoring, Third Party Service Providers • Threat Landscape – SQL Injection introduced (Oct 2000), Insider Threats – Advanced Persistent Threats (APT), Organized Crime, State Sponsored,…. • Regulatory Landscape – SOX (2002), C-SOX (2003), J-SOX (2006), Australian CLERP-9 (2004), … – Payment Card Industry (2.0 in Oct 2010), Breach disclosure laws4 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
  5. 5. Landscape Looking Ahead • IT Landscape – Vanishing perimeter dissolves insider/outsider differences – Data consolidation, massive warehouses – Public/private cloud, partner, globalization • Threat Landscape – Sophisticated hacking tools, bot networks, supply chain – Cyber terrorism and warfare sponsored by nation states – Databases to become a prime target • Regulatory Landscape – Moving from pure detective controls to preventive controls – All countries and states joining in protecting PII data5 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
  6. 6. Is IT Security Addressing Databases? Network Security―Forrester estimatesthat although 70% Authentication Endpoint Security Securityof enterprises havean information security plan, only 20%of enterprises have a Databasedatabase security plan.‖ Security Vulnerability Email Security Management 6 Copyright © 2011, Oracle and/or its affiliates. All rights reserved. Source: Creating An Enterprise Database Security Plan, Forrester Reseach Inc. July 2010
  7. 7. Database Security – Big Picture Compliance Data Vulnerability Scan Discovery Scan Patch Activity Audit Automation Auditing Encrypted DatabaseApplications Authorization Data Masking Authentication Network SQL Monitoring and Blocking Unauthorized Multi-factor DBA Activity authorization 7 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
  8. 8. Sources of Vulnerability Attacks can come from anywhere • SQL Injection attack Applications • Application Bypass • Access to production data in non-secure environment Test and Dev • Access to production systems for trouble shootingAdministrative Account • System admin, DBA, Application admins Misuse • Stolen credential, Inadequate training, Malicious Insiders • Lost / Stolen Backups Operations • Direct OS Access8 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
  9. 9. Sources of Vulnerability Attacks can come from anywhere • SQL Injection attack Application Users • Application Bypass • Access to production data in non-secure environment Test and Dev • Access to production systems for trouble shootingAdministrative Account • System admin, DBA, Application admins Misuse • Stolen credential, Inadequate training, Malicious Insiders • Lost / Stolen Backups Operations • Direct OS Access9 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
  10. 10. Operations • Data files can be accessed directly at the operating system What (OS) level, bypassing all database controls • Gain access to OS root account, Oracle software account, How Oracle DBA account • Copy or search raw database files Protection • Encrypt database files • OS level auditing Strategy • Limit accounts on production servers10 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
  11. 11. Transparent Data Encryption Oracle Advanced Security Disk Backups Exports Application Off-Site Facilities • Protects from unauthorized OS level or network access • Efficient encryption of all application data • Built-in key lifecycle management • No application changes required11 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
  12. 12. Account Misuse • SQL Injection Applications • Application Bypass • Access to production data in non-secure environment Test and Dev • Access to production systems for trouble shooting • System admin, DBA, Application admins Administrative Account • Stolen credential, Inadequate training, Malicious Misuse Insiders • Lost / Stolen Backups Operations • Direct OS Access12 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
  13. 13. Account Misuse What • Privileged accounts are a targets of attack How • Privileged accounts have unfettered access Protection • Limit administrative account access to the database • Audit privileged user activity Strategy • Preventive controls around application data13 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
  14. 14. Database Operational Controls Oracle Database Vault Procurement HR Application select * from Finance finance.customers DBA• Limit powers of privileged users, and enforce SoD• Protect application data and prevent application by-pass• Enforce who, where, when, and how using rules and factors• Securely consolidate application data• No application changes required14 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
  15. 15. Audit Consolidation & Reporting Oracle Audit Vault ! Alerts HR Data Built-in CRM/ERP Data Audit Reports Data Custom Custom App Reports Policies Auditor • Consolidate audit data into secure repository • Detect and alert on suspicious activities • Out-of-the box compliance reporting15 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
  16. 16. Test and Dev • SQL Injection attack Applications • Application Bypass • Access to production data in non-secure environment Test and Dev • Access to production systems for trouble shootingAdministrative Account • System admin, DBA, Application admins Misuse • Stolen credential, Inadequate training, Malicious Insiders • Lost / Stolen Backups Operations • Direct OS Access16 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
  17. 17. Test and Dev • Product data frequently copied to development and test What • PII data unnecessarily exposed • Test and dev systems may not be as well monitored or How protected as production systems Protection • Mask sensitive production data before transferring Strategy • Restrict connectivity between test/dev and production17 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
  18. 18. Irreversible De-Identification Oracle Data Masking Production Non-ProductionLAST_NAME SSN SALARY LAST_NAME SSN SALARYAGUILAR 203-33-3234 40,000 ANSKEKSL 111—23-1111 40,000BENSON 323-22-2943 60,000 BKJHHEIEDK 222-34-1345 60,000 • Reduce scope of audit with irreversible de-Identification on non- production databases • Referential integrity preserved so applications continue to work • Extensible template library and policies for automation 18 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
  19. 19. Applications • SQL Injection attack Applications • Application Bypass • Access to production data in non-secure environment Test and Dev • Access to production systems for trouble shooting Administrative Account • System admin, DBA, Application admins Misuse • Stolen credential, Inadequate training, Malicious Insiders • Lost / Stolen Backups Operations • Direct OS Access19 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
  20. 20. Applications • Applications may be vulnerable to SQL Injection attacks What • Legacy applications particularly vulnerable How • Application input fields can be misused Protection • Monitor in-bound application SQL Strategy • Block unauthorized SQL before it reaches the database20 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
  21. 21. First Line of Defense on the Network Oracle Database Firewall Allow Log Alert SubstituteApplications Block Alerts Built-in Custom Policies Reports Reports • Monitors database activity, and prevents attacks and SQL injections • White-list, black-list, and exception-list based security policies based upon highly accurate SQL grammar based analysis • In-line blocking and monitoring, or out-of-band monitoring modes 21 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
  22. 22. Issues to Ponder? 1 Is our IP secured? 2 Can we defend against APTs and other attacks? 3 Would we know if we were breached? 4 Do privileged users know what they should not? 5 Are we in compliance with all regulations?22 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
  23. 23. Q&A23 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
  24. 24. 24 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
  25. 25. 25 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.

×