This presentation discusses how database administrators can improve their database security knowledge and skills. It recommends that DBAs learn about concepts like CIA (confidentiality, integrity, and availability), data lifecycles, and access points. It also suggests DBAs work with security teams, architects, and auditors to understand requirements. DBAs should ask questions about sensitive data, potential risks, and compliance needs. The presentation emphasizes communication and assessing both security impacts and business impacts when making configuration changes. The overall goal is for DBAs to take an active role in database security.
1. Database Security
How Do I Get There?
Prepared By:
Shawn McElhinney
@shaggyDBA
Specialist Master
Deloitte Consulting LLP
2. Presentation title
[To edit, click View > Slide Master > Slide Master]
Member firms and DTTL: Insert appropriate copyright
[To edit, click View > Slide Master > Slide Master]
2
@shaggyDBA
Speaker Bio
Specialist Master
Deloitte Consulting LLP
Arlington, VA
Shawn McElhinney
Shawn has spent almost 20 years delivering creative
solutions for Oracle E-Business Suite (EBS) customers. He
is passionate about learning and implementing technology
that enhances security and eases maintenance tasks for
technologists leveraging Oracle technologies.
3. Presentation title
[To edit, click View > Slide Master > Slide Master]
Member firms and DTTL: Insert appropriate copyright
[To edit, click View > Slide Master > Slide Master]
3
@shaggyDBA
Agenda
About Deloitte
Introduction
What Do I Need to Know?
How Do I “Get Smart”?
• Websites
• Social Media
Who Do I Need to Work With?
What Do I Need to Ask About?
• STIG Example
• Cryptic Writings
What Should the Mindset Be?
What Requirements Have
Priority?
Bring It All Together
Closing Thoughts
Questions
4. Presentation title
[To edit, click View > Slide Master > Slide Master]
Member firms and DTTL: Insert appropriate copyright
[To edit, click View > Slide Master > Slide Master]
4
@shaggyDBA
Federal agencies value Deloitte for our people and the insights
and experience we bring to help tackle their challenges.
Deloitte offers a broad range of Oracle
capabilities that span diverse disciplines
• Cloud Technologies
• Oracle E-Business Suite
• PeopleSoft
• Customer Relationship
Management (CRM)
• Identity Management
• Engineered Solutions
• Service Oriented
Architecture (SOA)
• Data Warehousing
• Business Reporting and
Analytics
• Master Data
Management
• Technical Infrastructure
and Development
• Application Management
Services
• Business Process
Transformation
• Upgrades and
Implementations
About Deloitte
5. Presentation title
[To edit, click View > Slide Master > Slide Master]
Member firms and DTTL: Insert appropriate copyright
[To edit, click View > Slide Master > Slide Master]
5
@shaggyDBA
Introduction
The need for a security savvy DBA
Think about “typical security guy”
• Everything has a place
• No shades of gray
• Do you want this mentality dictating your database security policy?
• What if you could play a more active role in that process?
How does cloud change this picture?
• Data-centric platform
• What happens to the traditional perimeter?
• What about my company’s most critical asset?
6. Presentation title
[To edit, click View > Slide Master > Slide Master]
Member firms and DTTL: Insert appropriate copyright
[To edit, click View > Slide Master > Slide Master]
6
@shaggyDBA
What Do I Need to Know?
As much as possible!
CIA
Data Lifecycle
Data Access Points/Communication Channels
Development Methodology
Change Management Processes
7. Presentation title
[To edit, click View > Slide Master > Slide Master]
Member firms and DTTL: Insert appropriate copyright
[To edit, click View > Slide Master > Slide Master]
7
@shaggyDBA
How Do I “Get Smart”?
Formal Education
Numerous options
• MS program vs. Graduate Certificate?
• On-campus vs. online
Professional Certification/Training
• (ISC)2: CISSP, CSSLP, CCSP, etc.
• CSA: CCSK
• SANS – not recommended in this situation
• Oracle: Database Specialist/Expert designations
Websites – SANS, (ISC)2, CSA, ISACA, Pythian, OTN, Oracle Security
Social Media
9. Presentation title
[To edit, click View > Slide Master > Slide Master]
Member firms and DTTL: Insert appropriate copyright
[To edit, click View > Slide Master > Slide Master]
9
@shaggyDBA
Who to Follow (check their blogs too!)
10. Presentation title
[To edit, click View > Slide Master > Slide Master]
Member firms and DTTL: Insert appropriate copyright
[To edit, click View > Slide Master > Slide Master]
10
@shaggyDBA
Who Do I Need to Work With?
“It takes a village”
• Data Stewards
• Security Team/Policy Makers
• Architects
• Network Team
• Developers
• PMO/Change Management
• Auditors
11. Presentation title
[To edit, click View > Slide Master > Slide Master]
Member firms and DTTL: Insert appropriate copyright
[To edit, click View > Slide Master > Slide Master]
11
@shaggyDBA
What Do I Need to Ask About?
Always fall back on CIA (not CYA)
Confidentiality
• What sensitive data do we have?
• How is it stored?
• How is it managed through the data lifecycle?
• What is the anticipated cost of a compromise?
• How do users access this data?
Integrity
• Where is my data at risk to be intercepted?
• Where can my data be manipulated?
• Are my applications architected to ensure data integrity?
12. Presentation title
[To edit, click View > Slide Master > Slide Master]
Member firms and DTTL: Insert appropriate copyright
[To edit, click View > Slide Master > Slide Master]
12
@shaggyDBA
What Do I Need to Ask About? (cont.)
Always fall back on CIA (not CYA)
Availability
• Does an SLA exist?
• How much does it cost if we go offline?
• How much downtime can we afford? (think mean time to recover)
Are there any established requirements?
Baseline configurations?
Are the requirements clear and concise or are you reading tea leaves?
• Security Technical Implementation Guides (STIGs)
13. Presentation title
[To edit, click View > Slide Master > Slide Master]
Member firms and DTTL: Insert appropriate copyright
[To edit, click View > Slide Master > Slide Master]
13
@shaggyDBA
STIG Example
Define “secured”?
DoD/vendor/commercially accepted practices?
Where applicable?
14. Presentation title
[To edit, click View > Slide Master > Slide Master]
Member firms and DTTL: Insert appropriate copyright
[To edit, click View > Slide Master > Slide Master]
14
@shaggyDBA
Cryptic Writings…
Lots of room for interpretation
Communication is KEY
Make sure the various teams (security, infrastructure, development, etc.) speak
a common language
Question EVERYTHING!
15. Presentation title
[To edit, click View > Slide Master > Slide Master]
Member firms and DTTL: Insert appropriate copyright
[To edit, click View > Slide Master > Slide Master]
15
@shaggyDBA
What Should the Mindset Be?
Downstream impact of security configurations
Don’t make this a “check the box” exercise
Assess what meeting a security requirement could mean
• If I revoke a privilege from PUBLIC, how will it impact interfacing systems,
patches, upgrades, diagnostics, etc.?
Avoid disaster & think ahead
16. Presentation title
[To edit, click View > Slide Master > Slide Master]
Member firms and DTTL: Insert appropriate copyright
[To edit, click View > Slide Master > Slide Master]
16
@shaggyDBA
What Requirements Have Priority?
Federal Agencies – STIG compliance is king; specifically mitigation of CAT I & II findings
Commercial – Industry will drive key requirements (PII, PHI, PCI-DSS, etc.) then risk
appetite and financial impact
17. Presentation title
[To edit, click View > Slide Master > Slide Master]
Member firms and DTTL: Insert appropriate copyright
[To edit, click View > Slide Master > Slide Master]
17
@shaggyDBA
Bring It All Together
Identify
• Change default passwords
• Revoke access to SYS objects from PUBLIC
Prioritize
• What risk is introduced if left unchanged?
• What is the potential impact if the risk is
realized?
Mitigate
• Fix
• Avoid
• Accept
Level of Effort
• Time, resources, etc.
Cost
• Licensing
• Knowledge
• Hardware
18. Presentation title
[To edit, click View > Slide Master > Slide Master]
Member firms and DTTL: Insert appropriate copyright
[To edit, click View > Slide Master > Slide Master]
18
@shaggyDBA
Closing Thought
There is rarely only ONE way to solve a problem.
Remember that it takes a village to find the best solution for the business.
Don’t be a “Macho Man”, always consult the village people and make an
informed decision!
Welcome
Please mute cell phones
Presentation overview
Focus on how to become more engaged in with enterprise security planning.
Goal is to establish a relationship with the security team to maximize the security of database systems
We DO NOT address implementation specifics, more of a general model of how to maximize your engagement
A little about me
Husband and father of 3
My professional focus has been on AppsDBA/core DBA, EBS supporting technologies, and security architecture
Spend a great deal of time evaluating software and designing software portfolios to help clients make the most of the technologies they have invested in
As a DBA, why do we need to be “smart” on security?
Consider your image of the typical security analyst
Meticulous
Binary solutions (pass/fail)
Is this really how we view our databases? Can greater engagement help create more holistic security solutions?
Consider how the push to move to the cloud changes security posturing
Designed to expedite data access
Security perimeter has essentially disappeared
How do we protect our data???
With this in mind, what do DBAs need to know about Security?
Get smart quick & prepare for continuous learning
Realize that security truly boils down to CIA
Not talking about the agency, talking about the security “triad”
Confidentiality
Integrity
Availability
These should already be familiar topics to a DBA
Where is data at risk in the data lifecycle?
How is data being accessed (URL, interface, batch loads, etc.)? What ports/protocols are used?
Where does security get injected in the development lifecycle?
How is CM leveraged by projects and how can it help ensure security?
I’ve posed a number of questions. How do you position yourself to provide valuable input in the process?
Formal education is probably the most obvious. There’s a big time commitment here, but universities are increasing their flexibility on this front.
Certifications – look impressive, can open doors, but ultimately provide a snapshot of your knowledge.
(ISC)2 certs – gold standard, think OCM vs. OCP
CSA – cloud security concepts, losing credibility now that CCSP is available.
SANS – focus on specific security “execution” areas: PenTest, Ethical Hacking, Incident Response, etc.
Oracle – Domain expertise in areas like database security or MAA.
Check websites and make connections on social media, which we will delve into a little deeper now
What websites should you check frequently?
Assuming everyone is on IOUG and ODTUG!
Great content & webinars (12 months of 12c)
Do yourself a favor & subscribe to Pythian’s blogs
Keep an eye out for presentations too. Simon Pane did a phenomenal database security presentation at Collaborate 16.
Oracle Security & OTN
Great information to help you understand Oracle’s security offerings
Don’t forget to check the Communities menu – Oracle on youtube has interviews with knowledgeable database security resources like Rob Lockhart
SANS
Certification may not be a “fit” for a DBA, but the site has a wealth of information across various security domains. Create an account & you can get newsletter emailed to you.
CSA
Great material on cloud-centric security requirements/issues
(ISC)2
TONS of security information across all security domains
Access Control; Bus. Continuity/DR; cryptography; governance/risk mgmt.; legal; opsec; physical sec; architecture/design; software dev sec; telco/network sec
ISACA
Audit/security management focused
CYBRARY
Online infosec training (some free)
KREBS ON SECURITY
Commentary and insight on security issues/trends
These are the most useful security-related handles I follow.
I’ve grouped them to better discuss.
Media Outlets – great information. Also tend to send info on upcoming webinars/conferences that you may not know about.
Security Organizations – get the latest info from the major players in INFOSEC
Consulting Services – News from SI’s/feet on the ground.
People – INFOSEC superheros & DB security masterminds.
Technology – tools/software to enhance security posture.
Why EM? – think compliance & configuration management
Delphix – game changer; data confidentiality isn’t only for production!
OTN/Oracle Security/Oracle Database – self-explanatory
IOUG – know what is going on in the user community
MAA? – There’s the “A” in “CIA”
You have all this great information, so who do you share it with to develop a robust security plan?
No different than any other requirements gathering process – the more people you engage, the more complete the requirement.
Stewards – data owner. Who has ultimate responsibility for a specific type of data?
Security folks – what are the latest trends & internal policies we need to adhere to?
Architects – how is the solution being built?
Network – data access points & data in-transit. Where is it vulnerable?
Developers – secure design, don’t bolt-on.
PMO/CM – how is security being integrated into our processes?
Auditors – assuming you can get info out of them, how do you design for “continuous security improvement”?
Remember – adversaries don’t focus on “check the box” security requirements. They are looking to exploit the boxes that haven’t even been created yet!
The rule of thumb is to always focus on CIA for your data. If you don’t, you may be trying to CYA later.
Confidentiality will typically pertain to your security staff & data stewards. Working with a DBA the following questions should be considered:
Sensitive data?
Storage?
Data lifecycle?
User access to data? architect/developers
Cost of compromise? PMO
Integrity concerns go beyond the data steward & place greater emphasis on architects, network staff, developers, and security staff. Think about:
Points of interception
Points of data manipulation
Does the application maintain data integrity – interfaces, data loads, data entry, etc.
Availability should be familiar to most of us & requires a great deal of PMO engagement to understand how downtime impacts the business.
Focus on SLA requirements for uptime
Work with leaders to truly understand what costs are associated with downtime?
Based on that, how long can we afford to be down?
This will enable an architect to design an architecture that fits with the downtime requirements.
Are there any pre-existing requirements that need to be met?
Think about system baselines required to operate in production. Things like O/S and/or database hardening.
Are these requirements understood by all impacted parties?
DISA Security Technical Implementation Guides are the perfect example of requirements that can be interpreted in various ways.
Here’s a prime example of how vague some requirements can be.
Read the long name
Anyone have a magic 8-ball?
How are we defining “secure”?
How does the definition of “secure” change based on DoD, vendor, or commercially accepted practices?
Who determines where this will be applicable?
DISA STIGs are a wonderful example of cryptic requirements.
They introduce variability which, in turn introduces RISK.
How do we mitigate this?
Communication, communication, communication.
Ensure everyone speaks a common language – very likely that “secure” means very different things to a business analyst vs. an architect vs. developer vs. security officer.
Example of Pat & Chris – would occasionally use Afrikaans terms in conversation. Left everyone clueless except them. Always comical to see who would question them vs. try to figure out the context.
Don’t try to figure out the context – simply put, QUESTION EVERYTHING!
There is always the possibility of an audit finding, or worse a breach. You may be called on to explain why something was done (or not done). Responding with “I thought…” or “it was my understanding…” does not help you. If someone pushes your bellybutton about a security finding, you MUST be able to back up your decision with clear, concise facts.
You have a team, you speak a common language, and your asking questions. YAY US!
Not quite – understanding a security requirement is one thing, assessing the impact this change could have is quite different.
The last thing you want to do is make security configuration a check the box activity.
This approach creates its own issues:
You are only “secure” for a point in time
Malicious actors are looking “between” the boxes. They tend exploit what you haven’t taken care of yet.
As an example – a common security practice is to revoke rights to SYS objects from PUBLIC. That’s a very easy task. **CHECK Done!**
What happens to interfaces, diagnostic utilities, or patches/upgrades as a result of this update? High probability something will end up broken.
How do you prevent this? Get a handle on what schemas call these objects and grants access explicitly.
Consider what the results of an update will be.
Here’s a great example – limbs off tree; cutting at height to keep from falling on house; someone supporting the ladder. *thumbs up* good to go!
Not quite…
You have a strong team, generating great requirements, considering downstream impact of the requirements…
Now we all enter the cage and see who comes out on top.
But WAIT! There is a much more peaceful approach.
Consider what industry you support and look for guidelines to determine what should be critical.
For Federal agencies this typically revolves around STIG compliance. CAT I findings, not good. You may be able to squeak some CAT II findings through (depending on the auditors), but a mitigation plan & timeline will be critical.
Commercial entities don’t seem to have such a standardized approach. You’ll have guidelines concerning how you should handle PII, PHI and PCI, but there are no “teeth” for enforcement. Recent breaches are changing oversight on this, so time will tell.
Here’s some examples where companies fell short:
OPM – PII compromise. Didn’t even know it happened until a vendor discovered it!
VA – Multiple PHI compromises.
Yahoo! – 500 million accounts compromised. Stock price hit, executive compensation impacted, value of sale to Verizon cut by $350M!
VTech/CloudPets – database exposed to Internet unprotected. Impact still being assessed.
DNC Breach – Social engineering/phishing attack.
AWS S3 failures – where’s the “A” of CIA??? Turns out it was a process error!
I’ve talked to you about a number of different things:
Where to gain knowledge
Who to work with
How to identify and prioritize requirements
Making sense of the information you have
Thinking about the net effect of security changes
So, the stream of consciousness would be
Identify requirements/risks
Prioritize them
Determine a mitigation plan for them
Determine the level of effort for a given mitigation plan
Identify the costs associated with implementing a given mitigation plan
Let’s walk through a some simple examples.
Remember – there’s always more than one way to skin a cat.
Think, listen, question, understand. It will take every resources in your “security village” to make a definitive plan that EVERYONE has a vested interest in.
The biggest mistake you can make is trying to be a macho man. Speak to the village people frequently so the team can make informed decisions!
I appreciate you taking the time and hope you enjoy the rest of the conference.
Any questions?