• Save
All About Oracle Database Security
Upcoming SlideShare
Loading in...5
×
 

All About Oracle Database Security

on

  • 784 views

Oracle Day 2011

Oracle Day 2011

Statistics

Views

Total Views
784
Views on SlideShare
784
Embed Views
0

Actions

Likes
1
Downloads
0
Comments
0

0 Embeds 0

No embeds

Accessibility

Categories

Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

All About Oracle Database Security All About Oracle Database Security Presentation Transcript

  • Month, Day, Year Venue City Oracle’s Maximum Database Security Architecture Marcin Kozak1 Software Architect, Security Copyright © 2011, Oracle and/or its affiliates. All rights reserved. Insert Information Protection Policy Classification from Slide 8
  • Program Agenda • The State of Security • Oracle Maximum Database Security Architecture • Protecting Enterprise Databases – What is the threat? – How is it exploited? – How can you protect against it? • Q&A2 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
  • Why Maximum Security? Two Thirds of Sensitive and Regulated Information now Resides in Databases … and Doubling Every Two Years Classified Govt. Info. Trade Secrets Competitive Bids Corporate Plans Credit Cards Source Code HR Data Customer Data Bug Database Citizen Data Financial Data3 Copyright © 2011, Oracle and/or its affiliates. All rights Source: "Effective Data Leak Prevention Programs: Start by Protecting Data at reserved. the Source — Your Databases", IDC, August 2011
  • The 2000-2010 Decade Landscape • IT Landscape – Highly available and scalable – Outsourcing, offshoring, Third Party Service Providers • Threat Landscape – SQL Injection introduced (Oct 2000), Insider Threats – Advanced Persistent Threats (APT), Organized Crime, State Sponsored,…. • Regulatory Landscape – SOX (2002), C-SOX (2003), J-SOX (2006), Australian CLERP-9 (2004), … – Payment Card Industry (2.0 in Oct 2010), Breach disclosure laws4 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
  • Landscape Looking Ahead • IT Landscape – Vanishing perimeter dissolves insider/outsider differences – Data consolidation, massive warehouses – Public/private cloud, partner, globalization • Threat Landscape – Sophisticated hacking tools, bot networks, supply chain – Cyber terrorism and warfare sponsored by nation states – Databases to become a prime target • Regulatory Landscape – Moving from pure detective controls to preventive controls – All countries and states joining in protecting PII data5 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
  • Is IT Security Addressing Databases? Network Security―Forrester estimatesthat although 70% Authentication Endpoint Security Securityof enterprises havean information security plan, only 20%of enterprises have a Databasedatabase security plan.‖ Security Vulnerability Email Security Management 6 Copyright © 2011, Oracle and/or its affiliates. All rights reserved. Source: Creating An Enterprise Database Security Plan, Forrester Reseach Inc. July 2010
  • Database Security – Big Picture Compliance Data Vulnerability Scan Discovery Scan Patch Activity Audit Automation Auditing Encrypted DatabaseApplications Authorization Data Masking Authentication Network SQL Monitoring and Blocking Unauthorized Multi-factor DBA Activity authorization 7 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
  • Sources of Vulnerability Attacks can come from anywhere • SQL Injection attack Applications • Application Bypass • Access to production data in non-secure environment Test and Dev • Access to production systems for trouble shootingAdministrative Account • System admin, DBA, Application admins Misuse • Stolen credential, Inadequate training, Malicious Insiders • Lost / Stolen Backups Operations • Direct OS Access8 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
  • Sources of Vulnerability Attacks can come from anywhere • SQL Injection attack Application Users • Application Bypass • Access to production data in non-secure environment Test and Dev • Access to production systems for trouble shootingAdministrative Account • System admin, DBA, Application admins Misuse • Stolen credential, Inadequate training, Malicious Insiders • Lost / Stolen Backups Operations • Direct OS Access9 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
  • Operations • Data files can be accessed directly at the operating system What (OS) level, bypassing all database controls • Gain access to OS root account, Oracle software account, How Oracle DBA account • Copy or search raw database files Protection • Encrypt database files • OS level auditing Strategy • Limit accounts on production servers10 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
  • Transparent Data Encryption Oracle Advanced Security Disk Backups Exports Application Off-Site Facilities • Protects from unauthorized OS level or network access • Efficient encryption of all application data • Built-in key lifecycle management • No application changes required11 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
  • Account Misuse • SQL Injection Applications • Application Bypass • Access to production data in non-secure environment Test and Dev • Access to production systems for trouble shooting • System admin, DBA, Application admins Administrative Account • Stolen credential, Inadequate training, Malicious Misuse Insiders • Lost / Stolen Backups Operations • Direct OS Access12 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
  • Account Misuse What • Privileged accounts are a targets of attack How • Privileged accounts have unfettered access Protection • Limit administrative account access to the database • Audit privileged user activity Strategy • Preventive controls around application data13 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
  • Database Operational Controls Oracle Database Vault Procurement HR Application select * from Finance finance.customers DBA• Limit powers of privileged users, and enforce SoD• Protect application data and prevent application by-pass• Enforce who, where, when, and how using rules and factors• Securely consolidate application data• No application changes required14 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
  • Audit Consolidation & Reporting Oracle Audit Vault ! Alerts HR Data Built-in CRM/ERP Data Audit Reports Data Custom Custom App Reports Policies Auditor • Consolidate audit data into secure repository • Detect and alert on suspicious activities • Out-of-the box compliance reporting15 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
  • Test and Dev • SQL Injection attack Applications • Application Bypass • Access to production data in non-secure environment Test and Dev • Access to production systems for trouble shootingAdministrative Account • System admin, DBA, Application admins Misuse • Stolen credential, Inadequate training, Malicious Insiders • Lost / Stolen Backups Operations • Direct OS Access16 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
  • Test and Dev • Product data frequently copied to development and test What • PII data unnecessarily exposed • Test and dev systems may not be as well monitored or How protected as production systems Protection • Mask sensitive production data before transferring Strategy • Restrict connectivity between test/dev and production17 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
  • Irreversible De-Identification Oracle Data Masking Production Non-ProductionLAST_NAME SSN SALARY LAST_NAME SSN SALARYAGUILAR 203-33-3234 40,000 ANSKEKSL 111—23-1111 40,000BENSON 323-22-2943 60,000 BKJHHEIEDK 222-34-1345 60,000 • Reduce scope of audit with irreversible de-Identification on non- production databases • Referential integrity preserved so applications continue to work • Extensible template library and policies for automation 18 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
  • Applications • SQL Injection attack Applications • Application Bypass • Access to production data in non-secure environment Test and Dev • Access to production systems for trouble shooting Administrative Account • System admin, DBA, Application admins Misuse • Stolen credential, Inadequate training, Malicious Insiders • Lost / Stolen Backups Operations • Direct OS Access19 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
  • Applications • Applications may be vulnerable to SQL Injection attacks What • Legacy applications particularly vulnerable How • Application input fields can be misused Protection • Monitor in-bound application SQL Strategy • Block unauthorized SQL before it reaches the database20 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
  • First Line of Defense on the Network Oracle Database Firewall Allow Log Alert SubstituteApplications Block Alerts Built-in Custom Policies Reports Reports • Monitors database activity, and prevents attacks and SQL injections • White-list, black-list, and exception-list based security policies based upon highly accurate SQL grammar based analysis • In-line blocking and monitoring, or out-of-band monitoring modes 21 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
  • Issues to Ponder? 1 Is our IP secured? 2 Can we defend against APTs and other attacks? 3 Would we know if we were breached? 4 Do privileged users know what they should not? 5 Are we in compliance with all regulations?22 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
  • Q&A23 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
  • 24 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
  • 25 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.