Security for Heterogeneous Environments

  2. Security for Heterogeneous Environments
     Federman Hoyos, IT Solution Architect
  3. The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
  4. Your Information Assets Across Heterogeneous Databases
     Customer, Product, Employee, Finance, Clinical Trials
  5. Your Information Asset Lifecycle: Shared with 3rd Parties
     • Almost 50% of all organizations exposed production data in non-production environments
     • Only 16% have a system in place for de-identifying sensitive data
     Parties receiving the data: Clinical Research, IT Service Providers, Market Research, Business partners, Application Developers
  6. Your Information Asset Protection Challenge
     • Ensure comprehensive protection of your information assets across heterogeneous enterprise databases
     • Reduce information lifecycle costs through automation
     Parties receiving the data: Clinical Research, IT Service Providers, Market Research, Business partners, Application Developers
  7. Secure Test System Deployments
     Production:                          Test:
     LAST_NAME  SSN          SALARY       LAST_NAME  SSN          SALARY
     AGUILAR    203-33-3234  40,000       SMITH      111-23-1111  60,000
     BENSON     323-22-2943  60,000       MILLER     222-34-1345  40,000
  8. How: Secure Test System Deployments
     (same Production and Test tables as the previous slide)
     • Deploy secure test system by masking sensitive data
     • Sensitive data never leaves the database
     • Extensible template library and policies for automation
     • Sophisticated masking: condition-based, compound, deterministic
     • Integrated masking and cloning
     • Leverage masking templates for common data types
  9. Data Masking using Oracle Enterprise Manager
     Centrally controlled. Globally managed.
     • Monitoring
     • Performance Diagnostics
     • Patching & Provisioning
     • Configuration Management
     • Data Masking
  10. Data Masking Methodology
     Production:                          Non-Production:
     LAST_NAME  SSN          SALARY       LAST_NAME  SSN          SALARY
     AGUILAR    203-33-3234  40,000       SMITH      111-23-1111  40,000
     BENSON     323-22-2943  60,000       JOHNSON    222-34-1345  60,000
     • Find: Catalog and identify sensitive data across enterprise databases
     • Assess: Define the optimal data masking techniques
     • Secure: Automate non-production systems through data masking
     • Test: Ensure the integrity of applications through testing
  11. FIND: Catalog and identify sensitive data across enterprise databases
     (Methodology steps: FIND, ASSESS, SECURE, TEST)
  12. Catalog Sensitive Data in Your Enterprise Databases
     Sensitive data types: Person Name, Maiden Name, Business Address, Business Telephone Number, Business Email Address, Custom Name, Employee Number, User Global Identifier, Party Number or Customer Number, Account Name, Mail Stop, GPS Location, Student Exam Hall Ticket Number, Club Membership ID, Library Card Number, Identity Card Number, Instant Messaging Address, Web site, National Identifier, Passport Number, Driver’s License Number, Personal Address, Personal Telephone Number, Personal Email Address, Visa Number or Work Permit, Bank Account Number, Card Number (Credit or Debit Card Number), Tax Registration Number or National Tax ID, Person Identification Number, Welfare Pension Insurance Number, Unemployment Insurance Number, Government Affiliation ID, Military Service ID, Social Insurance Number, Pension ID Number, Article Number, Civil Identifier Number, Hafiza Number, Social Security Number, Trade Union Membership Number, Pension Registration Number, National Insurance Number, Health Insurance Number, Personal Public Service Number, Electronic Taxpayer Identification Number, Biometrics Data, Digital ID, Citizenship Number, Voter Identification Number, Residency Number (Green Card)
     • Business-driven
     • Criteria:
       – Violate government regulations
       – Violate business regulations
       – Damage shareholder value through loss of: market capital, valuation, reputation, customers, lawsuits
  13. ASSESS: Define the optimal data masking techniques
  14. Comprehensive Mask Formats: Mask Primitives and User-extensible Mask Formats
     • Mask primitives
       – Simple mask formats: ALPHA, NUMERIC, DATE
       – Simple mask techniques: SHUFFLE, RANDOMIZE, LOOKUP TABLE
     Mask formats for common sensitive data: accelerates solution deployment of masking
     Extensible mask routines: enables customization of business rules
     Define once, apply everywhere: ensures consistent enforcement of policies
  15. Mask Definition: Associate Mask Formats with Identified Sensitive Columns
     • Automatic discovery and enforcement of referential integrity
     • Registration and enforcement of referential integrity when entered as related columns
       – Application-enforced referential integrity
       – Business-process based data relationships
       – Non-Oracle database based referential integrity
     • Imported via XML generated via SQL against metadata
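As an added illustration of the mask primitives and the referential-integrity point on the two slides above (not code from the deck or from Oracle Data Masking), the following applies a SHUFFLE to LAST_NAME and a deterministic, format-preserving mask to SSN so that a related table whose link is only application-enforced still joins after masking. The rows, the PAYROLL table and the masking key are constructed for the example.

```python
import hashlib
import hmac
import random

# Constructed sample rows shaped like the slides' Production table.
PRODUCTION_EMPLOYEES = [
    {"LAST_NAME": "AGUILAR", "SSN": "203-33-3234", "SALARY": 40000},
    {"LAST_NAME": "BENSON", "SSN": "323-22-2943", "SALARY": 60000},
]
# Constructed related table: its link to EMPLOYEES is enforced by the
# application, not by a database constraint, so masking must preserve it.
PRODUCTION_PAYROLL = [
    {"SSN": "203-33-3234", "PAY_PERIOD": "2011-01", "AMOUNT": 3333},
    {"SSN": "323-22-2943", "PAY_PERIOD": "2011-01", "AMOUNT": 5000},
]
# Assumed masking key: held by the masking job only, never shipped with the test copy.
MASK_KEY = b"example-masking-key"


def mask_ssn_deterministic(ssn: str, key: bytes = MASK_KEY) -> str:
    """Deterministic, format-preserving substitute: same input, same output,
    so a masked SSN still joins EMPLOYEES to PAYROLL in the non-production copy."""
    digest = hmac.new(key, ssn.encode(), hashlib.sha256).digest()
    digits = f"{int.from_bytes(digest, 'big') % 10**9:09d}"
    return f"{digits[:3]}-{digits[3:5]}-{digits[5:]}"


def shuffle_column(rows, column, seed=7):
    """SHUFFLE primitive: real values stay in the column but move between rows."""
    values = [r[column] for r in rows]
    random.Random(seed).shuffle(values)
    return [{**r, column: v} for r, v in zip(rows, values)]


def mask_tables(employees, payroll):
    """Apply the mask definition: SHUFFLE on LAST_NAME, the deterministic SSN
    mask on both tables, SALARY left untouched so application tests still work."""
    masked_emp = shuffle_column(employees, "LAST_NAME")
    masked_emp = [{**r, "SSN": mask_ssn_deterministic(r["SSN"])} for r in masked_emp]
    masked_pay = [{**r, "SSN": mask_ssn_deterministic(r["SSN"])} for r in payroll]
    return masked_emp, masked_pay


def referential_integrity_holds(employees, payroll) -> bool:
    """Every PAYROLL row must still point at an EMPLOYEES row after masking."""
    return {r["SSN"] for r in payroll} <= {r["SSN"] for r in employees}


if __name__ == "__main__":
    emp, pay = mask_tables(PRODUCTION_EMPLOYEES, PRODUCTION_PAYROLL)
    print(emp, pay, referential_integrity_holds(emp, pay))
```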
  16. SECURE: Automate non-production systems through data masking
  17. Test System Setup for Oracle Databases: Creating Test Databases from Production
     Diagram: a Production DB (business data tables T1–T5, application metadata, DB dictionary data) is cloned to a Test DB with the same structure.
     • Enterprise Manager out-of-the-box workflows
     • RMAN-based clone-and-masking (Recommended)
     • Export-Import
     • Backup and Restore
     • Transportable Tablespace
  18. Test System Setup for non-Oracle Databases: Creating Test Databases from Production using Oracle Gateways
     Diagram: Production DB, Test DB and Staging DB (business data T1–T5, application metadata, DB dictionary data) connected through a database gateway.
     Masking Process:
     1. Production data copied to Test
     2. Sensitive data copied to Staging
     3. Sensitive data masked in Staging
     4. Masked data copied from Staging to Test
     5. Truncate data in Stage Database
  19. TEST: Ensure the integrity of applications through testing
  20. Auditing your Database Information
     Oracle Database, Sybase ASE, IBM DB2, Microsoft SQL Server
  21. Why Audit?
     • It’s all about protecting sensitive data, maintaining customer trust, and protecting the business
     • Trust-but-verify that your employees are only performing operations required by the business
       – Detective controls to monitor what is really going on
       – Reduce the curiosity seekers from looking at data
       – Compliance demands that privileged users be monitored
     • Know what is going on before others tell you
     • Cost of compliance
       – Eliminate costly and complex scripts for reporting
       – Reduce reporting costs for specific compliance audits
       – SOX, PCI, HIPAA, SAS 70, STIG
  22. Database Auditing and Applications: Why Auditors Want to Audit Databases
     • Monitor privileged application user accounts for non-compliant activity
       – Audit non-application access to sensitive data (credit card, financial data, personally identifiable information, etc.)
     • Verify that no one is trying to bypass the application controls/security
       – PO line items are changed so that the order does not require more approvals
     • Verify shared accounts are not being abused by non-privileged users
       – Application bypass: use of application accounts to view application data
  23. What Do You Need To Audit?
     Regulations compared: PCI DSS, HIPAA/HITECH, SOX, Basel II, FISMA, GLBA (one ● per regulation that requires the item)
     Accounts, Roles & GRANT changes         ● ● ● ● ● ●
     Failed Logins and other Exceptions      ● ● ● ● ● ●
     Privileged User Activity                ● ● ● ● ● ●
     Access to Sensitive Data (SELECTs…)     ● ● ● ● ●
     Data Changes (INSERT, UPDATE, …)        ● ●
     Schema Changes (DROP, ALTER…)           ● ● ● ● ● ●
  24. Oracle Audit Vault: Trust-but-Verify
     • Consolidate and Secure Audit Data
     • Out-of-the-Box Compliance Reports
     • Alert on Security Threats
     • Lower IT Costs With Entitlements & Audit Policies
     Audit sources: Sybase ASE, IBM DB2, Oracle Database, Microsoft SQL Server
  25. Oracle Audit Vault: Oracle Database Audit Support
     • Database Audit Tables: collect audit data for standard and fine-grained auditing
     • Oracle audit trail from OS files: collect audit records written in XML or standard text file
     • Operating system Windows Event Viewer & SYSLOG: collect Oracle database audit records
     • Redo log: extract before/after values and DDL changes to table
     • Database Vault specific audit records
  27. The Access Reports filter the audit content based on event and categories, such as Data Access (select, insert, update, delete, ...) and User Sessions (login, logout, etc.). The Oracle Audit Vault Auditor’s Guide lists the events that are collected and mapped to the categories.
  28. The Entitlement Reports can be used by internal/external auditors to view Oracle database users and their privileges. You can view all Oracle databases and their users, or filter by an individual database to view the privileges. The compare capability provides a report on changes to user privileges from one snapshot time to another.
  29. The Alerts Report content can be accessed from the Dashboard, or you can view all alerts that have been generated at one time. The critical and warning alert reports track critical and warning alerts. An alert is raised when data in a single audit record matches a predefined alert rule condition.
     Alerts can be defined for:
     • Directly viewing sensitive columns
     • Creating users on sensitive systems
     • Role grants on sensitive systems
     • “DBA” grants on all systems
     • Failed logins for application user
  30. Oracle Audit Vault Audit Trail Clean-Up: DBMS_AUDIT_MGMT
     • Automatically deletes Oracle audit trails from the target after they are securely inserted into Audit Vault
     • Reduces DBA manageability challenges with audit trails
     Flow between the source database and Audit Vault: 1) transfer audit trail data; 2) update the last inserted record; 3) delete older audit records
  31. Setting Client Identifier with Applications
     • Any application running on Oracle database can set the client identifier
     Flow: User A connects; the application sets client_info to User A and uses client_identifier, so the Oracle audit record carries it; when User B connects, the application resets client_info to User B
  32. Protecting access to your Databases
  33. Existing Security Solutions Not Enough
     Threats: Key Loggers, Malware, SQL Injection, Espionage, Spear Phishing, Botware, Social Engineering
     Path: Application Users → Application → Database → Database Administrators
     Data Must Be Protected at the Source
  34. SQL Injection Review: The biggest danger to cyber security
     Without a firewall: millions of attacks reach the App Server and Database; a successful attack means SQL command injection, data and/or credential theft, and malware.
     With the Database Firewall in front of the App Server and Database: attacks blocked, attacks logged.
     • Successful attack: query database, modify data, deliver malware, steal credentials / deny service
     • Implications: lost data, monetary theft
  35. Oracle Database Firewall: First Line of Defense
     Actions on application traffic: Allow, Log, Alert, Substitute, Block. Outputs: Alerts, Built-in Reports, Custom Reports, Policies.
     • Monitor database activity to prevent unauthorized database access, SQL injections, privilege or role escalation, illegal access to sensitive data, etc.
     • Highly accurate SQL grammar based analysis without costly false positives
     • Flexible SQL level enforcement options based on white lists and black lists
     • Scalable architecture provides enterprise performance in all deployment modes
     • Built-in and custom compliance reports for SOX, PCI, and other regulations
  36. Oracle Database Firewall: Positive Security Model (White List: Allow / Block)
     • “Allowed” behavior can be defined for any user or application
     • Whitelist can take into account built-in factors such as time of day, day of week, network, application, etc.
     • Automatically generate whitelists for any application
     • Transactions found not to match the policy are instantly rejected
     • Database will only process data how you want and expect
  37. Oracle Database Firewall: Negative Security Model (Black List: Allow / Block)
     • Stop specific unwanted SQL commands, user or schema access
     • Prevent privilege or role escalation and unauthorized access to sensitive data
     • Blacklist can take into account built-in factors such as time of day, day of week, network, application, etc.
     • Selectively block any part of a transaction in context to your business and security goals
  38. Oracle Database Firewall: Policy Enforcement
     Actions: Log, Allow, Alert, Substitute, Block. Substitution example: “SELECT * FROM accounts” becomes “SELECT * FROM dual where 1=0”
     • Innovative SQL grammar technology reduces millions of SQL statements into a small number of SQL characteristics or “clusters”
     • Superior performance and policy scalability
     • Flexible enforcement at SQL level: block, substitute, alert and pass, log only
       – SQL substitution foils attackers without disrupting applications
     • Zero day protection without false positives
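An added, simplified model of the white-list / black-list enforcement described on slides 36 to 38 (not Oracle’s code): statements are reduced to a cluster by abstracting literal values, clusters the application is known to issue are allowed, a black list of command families is blocked, and anything unknown is substituted with the slide’s “SELECT * FROM dual where 1=0”. The clustering is a regex approximation of the grammar-based analysis, and the allowed and blocked sets are constructed for the example.

```python
import re

# Substitute statement from the slide: the database returns an empty result
# instead of the real data, so the application keeps running.
SUBSTITUTE_SQL = "SELECT * FROM dual where 1=0"


def cluster(sql: str) -> str:
    """Reduce a statement to its 'cluster': keywords and structure are kept,
    literal values become '?'. Assumed simplification, regex-based, not a parser."""
    s = re.sub(r"--[^\n]*", " ", sql)            # strip line comments
    s = re.sub(r"'(?:[^']|'')*'", "?", s)        # string literals, incl. doubled quotes
    s = re.sub(r"\b\d+(?:\.\d+)?\b", "?", s)     # numeric literals
    s = re.sub(r"\s+", " ", s).strip().rstrip(";").strip()
    return s.lower()


# Constructed positive model (white list): clusters the application is known to issue.
ALLOWED_CLUSTERS = {
    cluster("SELECT name, balance FROM accounts WHERE id = 1"),
    cluster("UPDATE accounts SET balance = 0 WHERE id = 1"),
}
# Constructed negative model (black list): command families blocked regardless of origin.
BLOCKED_PREFIXES = ("grant ", "alter user ", "drop ")


def enforce(sql: str, audit_log: list) -> tuple:
    """Return (action, statement the database actually receives) and log the decision."""
    c = cluster(sql)
    if c in ALLOWED_CLUSTERS:
        action, forwarded = "allow", sql
    elif c.startswith(BLOCKED_PREFIXES):
        action, forwarded = "block", None                 # would also raise an alert
    else:
        action, forwarded = "substitute", SUBSTITUTE_SQL  # unknown cluster: foil, do not break
    audit_log.append({"cluster": c, "action": action})
    return action, forwarded


if __name__ == "__main__":
    log = []
    for stmt in ("SELECT name, balance FROM accounts WHERE id = 42",
                 "SELECT * FROM accounts", "GRANT DBA TO scott"):
        print(enforce(stmt, log))
```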
  39. Reporting: Speeding deployment means lower cost
     • Database Firewall log data consolidated into reporting database
     • Over 130 built-in reports that can be modified/customized
       – Entitlement report for database attestation
       – Activity and privileged user reports
       – Supports demonstrating PCI, SOX, HIPAA, etc.
     • Write your own reports
     Unique to Oracle
  40. Oracle Database Firewall: Database Activity Masking
     • Prevents creating yet another database with sensitive and regulated data
     • Sensitive and regulated information contained in SQL statements can be masked or redacted in real time prior to being logged
     • Flexible masking policies allow masking all data or just specific columns
     • Critical for organizations that want to monitor and log all database activity
  41. Oracle Database Firewall Architecture
     Components: Local Monitor, Database Firewalls (HA Mode), Policy Analyzer, Management Server
     • Low TCO: Oracle Enterprise Linux based “software appliance”
     • Supports Intel-based hardware platforms for vertical and horizontal scalability
     • Policy enforcement separated from policy management and reporting for scalability and performance
     • Optional lightweight agents that reside within the database or the OS
     • Supports Oracle and non-Oracle databases, and is application agnostic
  42. Oracle Database Firewall: Fast and Flexible Deployments
     Deployment diagram: Users → Application Servers → Router → Database Firewall → Database Servers, deployed In-Line, Out-of-Band, or with a Host Based Agent
     • In-Line: All database traffic goes through the Oracle Database Firewall
     • Out-of-Band/Passive: Database Firewall connected to a SPAN port or TAP
     • Optional Host Based Remote or Local Monitors
       – Can send network traffic from the database host to the Database Firewall
       – Can send non-network database activity to the Database Firewall to identify unauthorized use of local console or remote sessions
  43. Oracle Security Solutions: Complete Defense-in-Depth
     • Comprehensive: single vendor addresses all your requirements
     • Transparent: no changes to existing applications or databases
     • Easy to deploy: point and click interfaces deliver value within hours
     • Cost Effective: integrated solutions reduce risk and lower TCO
     • Proven: #1 Database with over 30 years of security innovation!
     Monitoring & Blocking: Database Firewall
     Auditing: Audit Vault
     Access Control: Database Vault, Label Security, Identity Management
     Encryption & Masking: Data Masking
  44. Demo
  45. At the Oracle Solution Specialist booth we can give you information about the services we offer and about our solutions.
