Database Security Overview
•Download as PPSX, PDF•
2 likes•328 views
This presentation discusses how database administrators can improve their database security knowledge and skills. It recommends that DBAs learn about concepts like CIA (confidentiality, integrity, and availability), data lifecycles, and access points. It also suggests DBAs work with security teams, architects, and auditors to understand requirements. DBAs should ask questions about sensitive data, potential risks, and compliance needs. The presentation emphasizes communication and assessing both security impacts and business impacts when making configuration changes. The overall goal is for DBAs to take an active role in database security.
![Presentation title
[To edit, click View > Slide Master > Slide Master]
Member firms and DTTL: Insert appropriate copyright
[To edit, click View > Slide Master > Slide Master]
2
@shaggyDBA
Speaker Bio
Specialist Master
Deloitte Consulting LLP
Arlington, VA
Shawn McElhinney
Shawn has spent almost 20 years delivering creative
solutions for Oracle E-Business Suite (EBS) customers. He
is passionate about learning and implementing technology
that enhances security and eases maintenance tasks for
technologists leveraging Oracle technologies.](data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7)
Recommended
Recommended
More Related Content
Viewers also liked
Viewers also liked (13)
Similar to Database Security Overview
Similar to Database Security Overview (20)
Recently uploaded
Recently uploaded (20)
Database Security Overview
- 1. Database Security How Do I Get There? Prepared By: Shawn McElhinney @shaggyDBA Specialist Master Deloitte Consulting LLP
- 2. Presentation title [To edit, click View > Slide Master > Slide Master] Member firms and DTTL: Insert appropriate copyright [To edit, click View > Slide Master > Slide Master] 2 @shaggyDBA Speaker Bio Specialist Master Deloitte Consulting LLP Arlington, VA Shawn McElhinney Shawn has spent almost 20 years delivering creative solutions for Oracle E-Business Suite (EBS) customers. He is passionate about learning and implementing technology that enhances security and eases maintenance tasks for technologists leveraging Oracle technologies.
- 3. Presentation title [To edit, click View > Slide Master > Slide Master] Member firms and DTTL: Insert appropriate copyright [To edit, click View > Slide Master > Slide Master] 3 @shaggyDBA Agenda About Deloitte Introduction What Do I Need to Know? How Do I “Get Smart”? • Websites • Social Media Who Do I Need to Work With? What Do I Need to Ask About? • STIG Example • Cryptic Writings What Should the Mindset Be? What Requirements Have Priority? Bring It All Together Closing Thoughts Questions
- 4. Presentation title [To edit, click View > Slide Master > Slide Master] Member firms and DTTL: Insert appropriate copyright [To edit, click View > Slide Master > Slide Master] 4 @shaggyDBA Federal agencies value Deloitte for our people and the insights and experience we bring to help tackle their challenges. Deloitte offers a broad range of Oracle capabilities that span diverse disciplines • Cloud Technologies • Oracle E-Business Suite • PeopleSoft • Customer Relationship Management (CRM) • Identity Management • Engineered Solutions • Service Oriented Architecture (SOA) • Data Warehousing • Business Reporting and Analytics • Master Data Management • Technical Infrastructure and Development • Application Management Services • Business Process Transformation • Upgrades and Implementations About Deloitte
- 5. Presentation title [To edit, click View > Slide Master > Slide Master] Member firms and DTTL: Insert appropriate copyright [To edit, click View > Slide Master > Slide Master] 5 @shaggyDBA Introduction The need for a security savvy DBA Think about “typical security guy” • Everything has a place • No shades of gray • Do you want this mentality dictating your database security policy? • What if you could play a more active role in that process? How does cloud change this picture? • Data-centric platform • What happens to the traditional perimeter? • What about my company’s most critical asset?
- 6. Presentation title [To edit, click View > Slide Master > Slide Master] Member firms and DTTL: Insert appropriate copyright [To edit, click View > Slide Master > Slide Master] 6 @shaggyDBA What Do I Need to Know? As much as possible! CIA Data Lifecycle Data Access Points/Communication Channels Development Methodology Change Management Processes
- 7. Presentation title [To edit, click View > Slide Master > Slide Master] Member firms and DTTL: Insert appropriate copyright [To edit, click View > Slide Master > Slide Master] 7 @shaggyDBA How Do I “Get Smart”? Formal Education Numerous options • MS program vs. Graduate Certificate? • On-campus vs. online Professional Certification/Training • (ISC)2: CISSP, CSSLP, CCSP, etc. • CSA: CCSK • SANS – not recommended in this situation • Oracle: Database Specialist/Expert designations Websites – SANS, (ISC)2, CSA, ISACA, Pythian, OTN, Oracle Security Social Media
- 8. Presentation title [To edit, click View > Slide Master > Slide Master] Member firms and DTTL: Insert appropriate copyright [To edit, click View > Slide Master > Slide Master] 8 @shaggyDBA Websites https://www.pythian.com/blog/ http://www.slideshare.net/Pythian/2016-1160-paneppt http://www.oracle.com/us/technologies/security/overview/index.html http://www.oracle.com/technetwork/index.html https://www.youtube.com/user/Oracle https://www.youtube.com/watch?v=EdI_ltexovQ https://www.sans.org/ https://cloudsecurityalliance.org/ https://www.isc2.org/ https://www.isaca.org/Pages/default.aspx https://www.cybrary.it/ https://krebsonsecurity.com/
- 9. Presentation title [To edit, click View > Slide Master > Slide Master] Member firms and DTTL: Insert appropriate copyright [To edit, click View > Slide Master > Slide Master] 9 @shaggyDBA Who to Follow (check their blogs too!)
- 10. Presentation title [To edit, click View > Slide Master > Slide Master] Member firms and DTTL: Insert appropriate copyright [To edit, click View > Slide Master > Slide Master] 10 @shaggyDBA Who Do I Need to Work With? “It takes a village” • Data Stewards • Security Team/Policy Makers • Architects • Network Team • Developers • PMO/Change Management • Auditors
- 11. Presentation title [To edit, click View > Slide Master > Slide Master] Member firms and DTTL: Insert appropriate copyright [To edit, click View > Slide Master > Slide Master] 11 @shaggyDBA What Do I Need to Ask About? Always fall back on CIA (not CYA) Confidentiality • What sensitive data do we have? • How is it stored? • How is it managed through the data lifecycle? • What is the anticipated cost of a compromise? • How do users access this data? Integrity • Where is my data at risk to be intercepted? • Where can my data be manipulated? • Are my applications architected to ensure data integrity?
- 12. Presentation title [To edit, click View > Slide Master > Slide Master] Member firms and DTTL: Insert appropriate copyright [To edit, click View > Slide Master > Slide Master] 12 @shaggyDBA What Do I Need to Ask About? (cont.) Always fall back on CIA (not CYA) Availability • Does an SLA exist? • How much does it cost if we go offline? • How much downtime can we afford? (think mean time to recover) Are there any established requirements? Baseline configurations? Are the requirements clear and concise or are you reading tea leaves? • Security Technical Implementation Guides (STIGs)
- 13. Presentation title [To edit, click View > Slide Master > Slide Master] Member firms and DTTL: Insert appropriate copyright [To edit, click View > Slide Master > Slide Master] 13 @shaggyDBA STIG Example Define “secured”? DoD/vendor/commercially accepted practices? Where applicable?
- 14. Presentation title [To edit, click View > Slide Master > Slide Master] Member firms and DTTL: Insert appropriate copyright [To edit, click View > Slide Master > Slide Master] 14 @shaggyDBA Cryptic Writings… Lots of room for interpretation Communication is KEY Make sure the various teams (security, infrastructure, development, etc.) speak a common language Question EVERYTHING!
- 15. Presentation title [To edit, click View > Slide Master > Slide Master] Member firms and DTTL: Insert appropriate copyright [To edit, click View > Slide Master > Slide Master] 15 @shaggyDBA What Should the Mindset Be? Downstream impact of security configurations Don’t make this a “check the box” exercise Assess what meeting a security requirement could mean • If I revoke a privilege from PUBLIC, how will it impact interfacing systems, patches, upgrades, diagnostics, etc.? Avoid disaster & think ahead
- 16. Presentation title [To edit, click View > Slide Master > Slide Master] Member firms and DTTL: Insert appropriate copyright [To edit, click View > Slide Master > Slide Master] 16 @shaggyDBA What Requirements Have Priority? Federal Agencies – STIG compliance is king; specifically mitigation of CAT I & II findings Commercial – Industry will drive key requirements (PII, PHI, PCI-DSS, etc.) then risk appetite and financial impact
- 17. Presentation title [To edit, click View > Slide Master > Slide Master] Member firms and DTTL: Insert appropriate copyright [To edit, click View > Slide Master > Slide Master] 17 @shaggyDBA Bring It All Together Identify • Change default passwords • Revoke access to SYS objects from PUBLIC Prioritize • What risk is introduced if left unchanged? • What is the potential impact if the risk is realized? Mitigate • Fix • Avoid • Accept Level of Effort • Time, resources, etc. Cost • Licensing • Knowledge • Hardware
- 18. Presentation title [To edit, click View > Slide Master > Slide Master] Member firms and DTTL: Insert appropriate copyright [To edit, click View > Slide Master > Slide Master] 18 @shaggyDBA Closing Thought There is rarely only ONE way to solve a problem. Remember that it takes a village to find the best solution for the business. Don’t be a “Macho Man”, always consult the village people and make an informed decision!
- 19. Presentation title [To edit, click View > Slide Master > Slide Master] Member firms and DTTL: Insert appropriate copyright [To edit, click View > Slide Master > Slide Master] 19 @shaggyDBA Questions?
Editor's Notes
- Welcome Please mute cell phones Presentation overview Focus on how to become more engaged in with enterprise security planning. Goal is to establish a relationship with the security team to maximize the security of database systems We DO NOT address implementation specifics, more of a general model of how to maximize your engagement
- A little about me Husband and father of 3 My professional focus has been on AppsDBA/core DBA, EBS supporting technologies, and security architecture Spend a great deal of time evaluating software and designing software portfolios to help clients make the most of the technologies they have invested in
- As a DBA, why do we need to be “smart” on security? Consider your image of the typical security analyst Meticulous Binary solutions (pass/fail) Is this really how we view our databases? Can greater engagement help create more holistic security solutions? Consider how the push to move to the cloud changes security posturing Designed to expedite data access Security perimeter has essentially disappeared How do we protect our data???
- With this in mind, what do DBAs need to know about Security? Get smart quick & prepare for continuous learning Realize that security truly boils down to CIA Not talking about the agency, talking about the security “triad” Confidentiality Integrity Availability These should already be familiar topics to a DBA Where is data at risk in the data lifecycle? How is data being accessed (URL, interface, batch loads, etc.)? What ports/protocols are used? Where does security get injected in the development lifecycle? How is CM leveraged by projects and how can it help ensure security?
- I’ve posed a number of questions. How do you position yourself to provide valuable input in the process? Formal education is probably the most obvious. There’s a big time commitment here, but universities are increasing their flexibility on this front. Certifications – look impressive, can open doors, but ultimately provide a snapshot of your knowledge. (ISC)2 certs – gold standard, think OCM vs. OCP CSA – cloud security concepts, losing credibility now that CCSP is available. SANS – focus on specific security “execution” areas: PenTest, Ethical Hacking, Incident Response, etc. Oracle – Domain expertise in areas like database security or MAA. Check websites and make connections on social media, which we will delve into a little deeper now
- What websites should you check frequently? Assuming everyone is on IOUG and ODTUG! Great content & webinars (12 months of 12c) Do yourself a favor & subscribe to Pythian’s blogs Keep an eye out for presentations too. Simon Pane did a phenomenal database security presentation at Collaborate 16. Oracle Security & OTN Great information to help you understand Oracle’s security offerings Don’t forget to check the Communities menu – Oracle on youtube has interviews with knowledgeable database security resources like Rob Lockhart SANS Certification may not be a “fit” for a DBA, but the site has a wealth of information across various security domains. Create an account & you can get newsletter emailed to you. CSA Great material on cloud-centric security requirements/issues (ISC)2 TONS of security information across all security domains Access Control; Bus. Continuity/DR; cryptography; governance/risk mgmt.; legal; opsec; physical sec; architecture/design; software dev sec; telco/network sec ISACA Audit/security management focused CYBRARY Online infosec training (some free) KREBS ON SECURITY Commentary and insight on security issues/trends
- These are the most useful security-related handles I follow. I’ve grouped them to better discuss. Media Outlets – great information. Also tend to send info on upcoming webinars/conferences that you may not know about. Security Organizations – get the latest info from the major players in INFOSEC Consulting Services – News from SI’s/feet on the ground. People – INFOSEC superheros & DB security masterminds. Technology – tools/software to enhance security posture. Why EM? – think compliance & configuration management Delphix – game changer; data confidentiality isn’t only for production! OTN/Oracle Security/Oracle Database – self-explanatory IOUG – know what is going on in the user community MAA? – There’s the “A” in “CIA”
- You have all this great information, so who do you share it with to develop a robust security plan? No different than any other requirements gathering process – the more people you engage, the more complete the requirement. Stewards – data owner. Who has ultimate responsibility for a specific type of data? Security folks – what are the latest trends & internal policies we need to adhere to? Architects – how is the solution being built? Network – data access points & data in-transit. Where is it vulnerable? Developers – secure design, don’t bolt-on. PMO/CM – how is security being integrated into our processes? Auditors – assuming you can get info out of them, how do you design for “continuous security improvement”? Remember – adversaries don’t focus on “check the box” security requirements. They are looking to exploit the boxes that haven’t even been created yet!
- The rule of thumb is to always focus on CIA for your data. If you don’t, you may be trying to CYA later. Confidentiality will typically pertain to your security staff & data stewards. Working with a DBA the following questions should be considered: Sensitive data? Storage? Data lifecycle? User access to data? architect/developers Cost of compromise? PMO Integrity concerns go beyond the data steward & place greater emphasis on architects, network staff, developers, and security staff. Think about: Points of interception Points of data manipulation Does the application maintain data integrity – interfaces, data loads, data entry, etc.
- Availability should be familiar to most of us & requires a great deal of PMO engagement to understand how downtime impacts the business. Focus on SLA requirements for uptime Work with leaders to truly understand what costs are associated with downtime? Based on that, how long can we afford to be down? This will enable an architect to design an architecture that fits with the downtime requirements. Are there any pre-existing requirements that need to be met? Think about system baselines required to operate in production. Things like O/S and/or database hardening. Are these requirements understood by all impacted parties? DISA Security Technical Implementation Guides are the perfect example of requirements that can be interpreted in various ways.
- Here’s a prime example of how vague some requirements can be. Read the long name Anyone have a magic 8-ball? How are we defining “secure”? How does the definition of “secure” change based on DoD, vendor, or commercially accepted practices? Who determines where this will be applicable?
- DISA STIGs are a wonderful example of cryptic requirements. They introduce variability which, in turn introduces RISK. How do we mitigate this? Communication, communication, communication. Ensure everyone speaks a common language – very likely that “secure” means very different things to a business analyst vs. an architect vs. developer vs. security officer. Example of Pat & Chris – would occasionally use Afrikaans terms in conversation. Left everyone clueless except them. Always comical to see who would question them vs. try to figure out the context. Don’t try to figure out the context – simply put, QUESTION EVERYTHING! There is always the possibility of an audit finding, or worse a breach. You may be called on to explain why something was done (or not done). Responding with “I thought…” or “it was my understanding…” does not help you. If someone pushes your bellybutton about a security finding, you MUST be able to back up your decision with clear, concise facts.
- You have a team, you speak a common language, and your asking questions. YAY US! Not quite – understanding a security requirement is one thing, assessing the impact this change could have is quite different. The last thing you want to do is make security configuration a check the box activity. This approach creates its own issues: You are only “secure” for a point in time Malicious actors are looking “between” the boxes. They tend exploit what you haven’t taken care of yet. As an example – a common security practice is to revoke rights to SYS objects from PUBLIC. That’s a very easy task. **CHECK Done!** What happens to interfaces, diagnostic utilities, or patches/upgrades as a result of this update? High probability something will end up broken. How do you prevent this? Get a handle on what schemas call these objects and grants access explicitly. Consider what the results of an update will be. Here’s a great example – limbs off tree; cutting at height to keep from falling on house; someone supporting the ladder. *thumbs up* good to go! Not quite…
- You have a strong team, generating great requirements, considering downstream impact of the requirements… Now we all enter the cage and see who comes out on top. But WAIT! There is a much more peaceful approach. Consider what industry you support and look for guidelines to determine what should be critical. For Federal agencies this typically revolves around STIG compliance. CAT I findings, not good. You may be able to squeak some CAT II findings through (depending on the auditors), but a mitigation plan & timeline will be critical. Commercial entities don’t seem to have such a standardized approach. You’ll have guidelines concerning how you should handle PII, PHI and PCI, but there are no “teeth” for enforcement. Recent breaches are changing oversight on this, so time will tell. Here’s some examples where companies fell short: OPM – PII compromise. Didn’t even know it happened until a vendor discovered it! VA – Multiple PHI compromises. Yahoo! – 500 million accounts compromised. Stock price hit, executive compensation impacted, value of sale to Verizon cut by $350M! VTech/CloudPets – database exposed to Internet unprotected. Impact still being assessed. DNC Breach – Social engineering/phishing attack. AWS S3 failures – where’s the “A” of CIA??? Turns out it was a process error!
- I’ve talked to you about a number of different things: Where to gain knowledge Who to work with How to identify and prioritize requirements Making sense of the information you have Thinking about the net effect of security changes So, the stream of consciousness would be Identify requirements/risks Prioritize them Determine a mitigation plan for them Determine the level of effort for a given mitigation plan Identify the costs associated with implementing a given mitigation plan Let’s walk through a some simple examples.
- Remember – there’s always more than one way to skin a cat. Think, listen, question, understand. It will take every resources in your “security village” to make a definitive plan that EVERYONE has a vested interest in. The biggest mistake you can make is trying to be a macho man. Speak to the village people frequently so the team can make informed decisions!
- I appreciate you taking the time and hope you enjoy the rest of the conference. Any questions?