Oracle Database Security Solutions

Eric Cheung, Senior Manager, Technology Sales Consulting
[email protected]
May 2008

2

Key Drivers for Data Security

Privacy and Compliance

• Sarbanes-Oxley (SOX), J-SOX, GLBA
• Payment Card Industry (PCI)
• HIPAA, EU Privacy Directives
• Breach Disclosure Laws
• COSO, COBIT frameworks
• Separation of duty, proof of compliance, risk assessment and monitoring

Insider / External Threats

• Large percentage of threats go undetected
• Outsourcing and off-shoring trend
• Customers want to monitor insiders and DBAs

3

Oracle Database Security: Continuous Innovation

(Timeline figure from Oracle7 through Oracle8i, Oracle Database 9i, 10g and 11g, listing the security features introduced along the way: Database Auditing, Native Network Encryption, Strong Authentication, Database Encryption API, Virtual Private Database (VPD), Enterprise User Security, Oracle Label Security, Fine Grained Auditing, Secure Config Scanning, Real Time Masking, Transparent Data Encryption (TDE), Oracle Database Vault, Oracle Audit Vault, Oracle Total Recall, TDE Tablespace Encryption and Data Masking; "Government customer" is noted at the Oracle7 end of the timeline.)

4

Data Privacy and Regulatory Compliance: Database Security Challenges

• Protecting Access to Application Data
• Data Classification
• Database Monitoring
• De-Identifying Information for Sharing
• Data Encryption

5

Oracle Database Security Solutions for Privacy and Compliance

(Figure: the solution set arranged around the database: Database Vault, Data Masking, Advanced Security, Label Security, Secure Backup, Total Recall, Audit Vault, Configuration Management.)

6

Oracle Database Security Solutions for Privacy and Compliance

(Section divider: the solution-set figure again: Database Vault, Data Masking, Advanced Security, Label Security, Secure Backup, Total Recall, Audit Vault, Configuration Management.)

7

Oracle Database Vault: Highly Privileged User Controls

• Database DBA views HR data: compliance and protection from insiders
• HR APP owner views Fin. data: eliminates security risks from server consolidation

(Figure: a DBA issuing SELECT * FROM HR.EMP against the HR Realm; the HR App is confined to the HR Realm and the FIN App to the FIN Realm.)

8

Oracle Database Vault: Real Time Access Controls

(Figure: HR Application, FIN Application, User and DBA sessions reaching the HR and FIN schemas; Database Vault evaluates factors such as the command being issued (Connect…, CREATE…), business hours and an unexpected IP address before allowing access.)

9

Oracle Database Vault: Separation of Duty

• Account Management: Database Vault overrides all existing administration privileges for creating new accounts
• Security administration: Database Vault administration is done using an administration account separate from DBA or SYSDBA
• Traditional database administration: traditional administrative tasks are separate from account management and security administration

10

Major Financial Services Company: Use Case

• Control privileged users
  • Prevent DBAs from accessing sensitive data in Realms
  • Set up multiple levels of DBAs
• Control access based upon environmental factors
  • Restrict hostnames authorized to access the DB
  • Control access based on geography
• Control use of ad-hoc query tools; enforce maintenance periods
  • Restrict connections by ad-hoc query tools to maintenance times or specific users
• Control patching activity
  • Patching activity requires another monitoring user to be logged in
  • Control unauthorized database changes
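The realm and rule-set mechanics behind slides 7 to 10, as an added example that is not from the presentation: an HR realm that keeps a DBA's SELECT ANY TABLE out of HR data, and a CONNECT command rule on the business-hours and client-address factors. Realm, account and rule names and the address are assumptions; it runs as the Database Vault owner, the separate security-administration account the separation-of-duty slide calls for.

```sql
-- Added example, not from the deck. All names and the address are assumptions.
BEGIN
  -- Realm: HR objects are off limits even to SELECT ANY TABLE holders (a DBA)
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'HR Realm',
    description   => 'Protects HR application data from privileged users',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);   -- log blocked attempts
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name => 'HR Realm', object_owner => 'HR',
    object_name => '%', object_type => 'TABLE');        -- every HR table
  -- Only the application account may use realm objects; a DBA's
  -- "SELECT * FROM HR.EMP" is rejected and audited
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name => 'HR Realm', grantee => 'HR_APP',
    rule_set_name => NULL,
    auth_options => DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);
  -- Rules on the factors the slide lists: business hours and the client address
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Business Hours',
    rule_expr => 'TO_NUMBER(TO_CHAR(SYSDATE, ''HH24'')) BETWEEN 8 AND 18');
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Expected App Server',
    rule_expr => 'DVF.F$CLIENT_IP = ''192.0.2.10''');   -- placeholder address
  DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'HR App Connect Policy',
    description     => 'Connect only in business hours from the app server',
    enabled         => DBMS_MACUTL.G_YES,
    eval_options    => DBMS_MACUTL.G_RULESET_EVAL_ALL,   -- all rules must hold
    audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
    fail_options    => DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => 'Connection not allowed by HR App Connect Policy',
    fail_code       => 20001,
    handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);
  DBMS_MACADM.ADD_RULE_TO_RULE_SET('HR App Connect Policy', 'Business Hours');
  DBMS_MACADM.ADD_RULE_TO_RULE_SET('HR App Connect Policy', 'Expected App Server');
  -- Command rule: CONNECT as HR_APP succeeds only when the rule set passes
  DBMS_MACADM.CREATE_COMMAND_RULE(
    command       => 'CONNECT',
    rule_set_name => 'HR App Connect Policy',
    object_owner  => 'HR_APP',
    object_name   => '%',
    enabled       => DBMS_MACUTL.G_YES);
END;
/
```

Failed realm and rule-set evaluations are written to the Database Vault audit trail because of the audit options chosen, which is what gives the "prevent DBAs from accessing sensitive data" control its evidence.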

11

Oracle Database Vault: Application Certification

• PeopleSoft

• E-Business Suite

• Siebel

• Oracle Content DB

• Oracle Internet Directory

12

Oracle Database Security Solutions for Privacy and Compliance

(Section divider: the solution-set figure again: Database Vault, Data Masking, Advanced Security, Label Security, Secure Backup, Total Recall, Audit Vault, Configuration Management.)

13

Oracle Advanced Security: Transparent Data Encryption

• Protect application data
  • Easily encrypt sensitive data
  • Protect entire application tables or specific data (credit card)
  • No changes to existing applications
• Built-in key management
  • Keys automatically generated and managed
  • Integrates with Hardware Security Modules (HSM)

(Figure: data is transparently encrypted on write and transparently decrypted on read; the application sees the plaintext value while the stored form is ciphertext.)

14

Transparent Data Encryption: Point-And-Click Deployment

15

Oracle Advanced Security: Encrypting Columns

• Encrypt a column in an existing table:

alter table credit_rating modify (person_id encrypt);

• Create a new table with an encrypted column:

create table orders (
  order_id    number(12),
  customer_id number(12),
  credit_card varchar2(16) encrypt
);

Note - Default algorithm is AES 192

16

Oracle Advanced Security: Encrypting Tablespaces

• Create a new tablespace with the keyword "Encrypt":

CREATE TABLESPACE securespace2
  DATAFILE '/home/user/oradata/secure01.dbf' SIZE 150M
  ENCRYPTION
  DEFAULT STORAGE (ENCRYPT);

Note - Default algorithm is AES 128

17

Oracle Advanced Security: Key Management Architecture

(Figure: the master key is stored in a PKCS#12 wallet; the Security DBA opens the wallet containing the master key; the Oracle Data Dictionary stores the column keys encrypted under the master key; application users go through Transparent Data Encryption, with FIN application data and HR application data each encrypted using its own column key.)

18

Oracle Advanced Security: Key Management Architecture with HSM

(Figure: the same flow, but the master key is stored in an HSM; the Security DBA opens the wallet containing the master key; the Oracle Data Dictionary stores the column keys encrypted under the master key; application users go through Transparent Data Encryption, with HR application data and FIN application data each encrypted using its own column key.)
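The Security DBA steps behind the two key-management figures, and the column DDL from slides 15 and 16 with an explicit algorithm and the dictionary checks, as an added example that is not from the presentation. The wallet directory and password are placeholders, and the syntax is the 10g/11g-era ALTER SYSTEM SET ENCRYPTION form the deck predates 12c.

```sql
-- Added example, not from the deck. Wallet path and password are placeholders.
-- sqlnet.ora entry that tells the instance where the PKCS#12 wallet lives:
--   ENCRYPTION_WALLET_LOCATION = (SOURCE = (METHOD = FILE)
--     (METHOD_DATA = (DIRECTORY = /etc/ORACLE/WALLETS/orcl)))

-- Generates the master key and the wallet that stores it (first time only)
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "WalletPassword-Placeholder";

-- After each instance restart the wallet is closed until this is run; until
-- then access to encrypted columns fails with ORA-28365 (wallet is not open)
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "WalletPassword-Placeholder";

-- The column key is generated by the database and stored in the data
-- dictionary encrypted under the master key; AES256 overrides the AES 192
-- default. Keep SALT (the default) unless the column must be indexed: NO SALT
-- makes equal card numbers produce equal ciphertexts.
ALTER TABLE orders MODIFY (credit_card ENCRYPT USING 'AES256');

-- Checks a practitioner runs afterwards
SELECT status FROM v$encryption_wallet;                 -- OPEN once the wallet is open
SELECT owner, table_name, column_name, encryption_alg, salt
  FROM dba_encrypted_columns;                           -- one row per encrypted column
SELECT ts.name, et.encryptionalg
  FROM v$encrypted_tablespaces et
  JOIN v$tablespace ts ON ts.ts# = et.ts#;              -- tablespace-level TDE

-- Rotating the column key needs no application change
ALTER TABLE orders REKEY USING 'AES256';
```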

19

Oracle Secure Backup: Integrated Tape Backup Management

(Figure, "Oracle Secure Backup: Centralized Tape Backup Management": file system data from UNIX, Linux, Windows and NAS hosts, and Oracle databases via integration with RMAN, backed up to tape.)

• Improved security and manageability
  • Backup encryption for file systems added
  • Automated backup of OSB catalog
  • Policy-based migration from Virtual Tape Library (VTL) to tape
• Advanced media management
  • Vaulting provides automatic rotation of tapes between multiple locations
  • Tape duplication based on policies
  • Sun StorageTek ACSLS support
• Improved performance
  • No backup (and reads) of committed undo

20

Oracle Database Security Solutions for Privacy and Compliance

(Section divider: the solution-set figure again: Database Vault, Data Masking, Advanced Security, Label Security, Secure Backup, Total Recall, Audit Vault, Configuration Management.)

21

Oracle Label Security: Access Control by Data Classification

• Additional access control check
  • Database verifies requestor has table privileges first (select, update, insert, ...)
  • Label Security mediates additional access based on sensitivity assigned to the data or operation
• Specialized security solution
• Components
  • User label authorizations
  • Data labels
  • Special user privileges
  • Enforcement options

(Figure: data rows labelled Confidential, Sensitive or Highly Sensitive; a user whose label authorization ("security clearance") is Sensitive reads the Confidential and Sensitive rows but not the Highly Sensitive ones.)

Sensitivity Label Components: More Than Just Levels

Sensitivity Level: Confidential, Sensitive, Highly Sensitive (example: a Sensitive user against Sensitive data)

22

Sensitivity Label Components: More Than Just Levels

Sensitivity Level (Confidential, Sensitive, Highly Sensitive) plus zero or more Compartments (HR, PII, FIN, LEGAL); example label: Sensitive : HR

23

Sensitivity Label Components: More Than Just Levels

Sensitivity Level (Confidential, Sensitive, Highly Sensitive) plus zero or more Compartments (HR, PII, FIN, LEGAL) plus zero or more Groups (US, Europe, Global); example label: Sensitive : HR : US
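The three label components from slides 21 to 23 built with the Oracle Label Security packages, as an added example that is not from the presentation: levels, compartments and a group tree, the "Sensitive : HR : US" label, a user clearance and the table policy. Policy, column, user and table names are assumptions; it runs as a user holding LBAC_DBA.

```sql
-- Added example, not from the deck. Policy, column, user and table names are assumptions.
BEGIN
  -- Policy: adds a (hidden) label column HR_LABEL to every protected table
  SA_SYSDBA.CREATE_POLICY(policy_name     => 'HR_POLICY',
                          column_name     => 'HR_LABEL',
                          default_options => 'READ_CONTROL,WRITE_CONTROL,HIDE');
  -- Levels are hierarchical: a higher number dominates a lower one
  SA_COMPONENTS.CREATE_LEVEL('HR_POLICY', 1000, 'C',  'CONFIDENTIAL');
  SA_COMPONENTS.CREATE_LEVEL('HR_POLICY', 2000, 'S',  'SENSITIVE');
  SA_COMPONENTS.CREATE_LEVEL('HR_POLICY', 3000, 'HS', 'HIGHLY SENSITIVE');
  -- Compartments are not ordered: a reader needs every compartment on the row
  SA_COMPONENTS.CREATE_COMPARTMENT('HR_POLICY', 100, 'HR',    'HR DATA');
  SA_COMPONENTS.CREATE_COMPARTMENT('HR_POLICY', 200, 'PII',   'PERSONAL DATA');
  SA_COMPONENTS.CREATE_COMPARTMENT('HR_POLICY', 300, 'FIN',   'FINANCE');
  SA_COMPONENTS.CREATE_COMPARTMENT('HR_POLICY', 400, 'LEGAL', 'LEGAL');
  -- Groups are a tree: GLOBAL is the parent of US and EUROPE, so a GLOBAL
  -- authorization also reads rows labelled US or EUROPE, but not vice versa
  SA_COMPONENTS.CREATE_GROUP('HR_POLICY', 10, 'GLOBAL', 'GLOBAL');
  SA_COMPONENTS.CREATE_GROUP('HR_POLICY', 20, 'US',     'UNITED STATES', 'GLOBAL');
  SA_COMPONENTS.CREATE_GROUP('HR_POLICY', 30, 'EUROPE', 'EUROPE',        'GLOBAL');
  -- Data labels rows may carry; the tag is the number stored in the column
  SA_LABEL_ADMIN.CREATE_LABEL('HR_POLICY', 2010, 'S:HR:US',          TRUE);
  SA_LABEL_ADMIN.CREATE_LABEL('HR_POLICY', 2020, 'S:HR:EUROPE',      TRUE);
  SA_LABEL_ADMIN.CREATE_LABEL('HR_POLICY', 3010, 'HS:HR,PII:GLOBAL', TRUE);
  -- User clearance ("security clearance" on the slide): read up to S:HR:US
  SA_USER_ADMIN.SET_USER_LABELS(policy_name     => 'HR_POLICY',
                                user_name       => 'HR_REP_US',
                                max_read_label  => 'S:HR:US',
                                max_write_label => 'S:HR:US',
                                min_write_label => 'C',
                                def_read_label  => 'S:HR:US',
                                row_label       => 'S:HR:US');
  -- Enforce on the table; the ordinary SELECT privilege check still runs first
  SA_POLICY_ADMIN.APPLY_TABLE_POLICY(policy_name => 'HR_POLICY',
                                     schema_name => 'HR',
                                     table_name  => 'EMPLOYEES');
END;
/
-- The policy administrator (holding the policy's FULL privilege) labels rows
UPDATE hr.employees SET hr_label = CHAR_TO_LABEL('HR_POLICY', 'S:HR:US')
 WHERE country = 'US';
-- HR_REP_US now sees only rows whose label S:HR:US dominates: S:HR:EUROPE
-- fails the group check and HS:HR,PII:GLOBAL fails the level check.
```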

24

25

Oracle Enterprise Manager

26

Oracle Label Security: Flexible Policy Model

(Figure: three example policies, each with its own Levels, Compartments and Groups)

Policy             Levels                                     Compartments                         Groups
Government Policy  Confidential, Secret, Top Secret           Desert Storm, Border Protection      NATO, Homeland Security
Law Enforcement    Level 1, Level 2, Level 3                  Internal Affairs, Drug Enforcement   Local Jurisdiction, FBI, Justice
HR Policy          Confidential, Sensitive, Highly Sensitive  PII Data, Investigation              HR REP, Senior HR REP

27

Oracle Label Security: Additional Use Cases

• Embed in Database Vault command rules
  • Compare label authorization in command rules for separation of duty customization
• Embed in Data Masking decisions
  • Use with VPD column real time data masking to decide whether to NULL out PII data returned in a query
• Notate application users' current working label authorization on information portals

28

Oracle Database Security Solutions for Privacy and Compliance

(Section divider: the solution-set figure again: Database Vault, Data Masking, Advanced Security, Label Security, Secure Backup, Total Recall, Audit Vault, Configuration Management.)

29

Off-Line Data Masking: Oracle Enterprise Manager

• Automates production data masking
  • Easily mask existing application data
  • No impact on production database
• Built-in data relationship discovery
  • Use foreign key definitions
  • Define custom data relationships

Production Database
LAST_NAME    SSN           SALARY
BENSON       323-22-2943   60,000
AGUILAR      203-33-3234   40,000

Cloned Database (masked)
LAST_NAME    SSN           SALARY
BKJHHEIEDK   111-34-1345   60,000
ANSKEKSL     111-23-1111   40,000

30

Real-Time Data Masking: Virtual Private Database Masking

• Null out or clear table columns for all or specific table rows

where account_mgr_id = sys_context('APP','CURRENT_MGR');

(Figure: an application runs "select * from customers;" under the APP context; the VPD policy on the SSN column returns the SSN only for rows where the predicate holds and NULLs it for the rest, while the other columns are returned for every row.)
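The column-masking policy behind the figure, as an added example that is not from the presentation: the slide's predicate wrapped in a DBMS_RLS policy with sec_relevant_cols, plus the application context that feeds it. The OE and SEC_ADMIN schemas, the APP context package and the MGR_ACCOUNTS mapping table are assumptions.

```sql
-- Added example, not from the deck. Schemas, the APP context package and
-- the MGR_ACCOUNTS mapping table are assumptions.
CREATE OR REPLACE CONTEXT app USING sec_admin.app_ctx_pkg;
-- Only this package can write the APP namespace, so the predicate's input is
-- not something a client can set directly with DBMS_SESSION.SET_CONTEXT
CREATE OR REPLACE PACKAGE sec_admin.app_ctx_pkg AS
  PROCEDURE set_current_mgr;
END;
/
CREATE OR REPLACE PACKAGE BODY sec_admin.app_ctx_pkg AS
  PROCEDURE set_current_mgr IS
    v_mgr_id NUMBER;
  BEGIN
    -- Derive the manager from the authenticated session user, never from a
    -- caller-supplied argument
    SELECT mgr_id INTO v_mgr_id FROM sec_admin.mgr_accounts
     WHERE db_user = SYS_CONTEXT('USERENV', 'SESSION_USER');
    DBMS_SESSION.SET_CONTEXT('APP', 'CURRENT_MGR', TO_CHAR(v_mgr_id));
  EXCEPTION
    WHEN NO_DATA_FOUND THEN NULL;  -- unmapped user: predicate is NULL, every SSN masked
  END;
END;
/
-- Policy function returns the predicate shown on the slide
CREATE OR REPLACE FUNCTION sec_admin.mask_ssn_pred(p_schema VARCHAR2,
                                                    p_table  VARCHAR2)
  RETURN VARCHAR2 AS
BEGIN
  RETURN 'account_mgr_id = SYS_CONTEXT(''APP'',''CURRENT_MGR'')';
END;
/
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema         => 'OE',
    object_name           => 'CUSTOMERS',
    policy_name           => 'MASK_SSN',
    function_schema       => 'SEC_ADMIN',
    policy_function       => 'MASK_SSN_PRED',
    statement_types       => 'SELECT',
    sec_relevant_cols     => 'SSN',
    -- ALL_ROWS: every row comes back, SSN is NULL where the predicate is false;
    -- without it non-matching rows would be filtered out instead of masked
    sec_relevant_cols_opt => DBMS_RLS.ALL_ROWS);
END;
/
-- Call from a logon trigger or at session start, then query as usual
BEGIN sec_admin.app_ctx_pkg.set_current_mgr; END;
/
SELECT customer_id, account_mgr_id, ssn FROM oe.customers;
```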

31

Oracle Database Security Solutions for Privacy and Compliance

(Section divider: the solution-set figure again: Database Vault, Data Masking, Advanced Security, Label Security, Secure Backup, Total Recall, Audit Vault, Configuration Management.)

32

Auditing in the Oracle Database: Robust, Flexible, and High Fidelity Audit

• Industry's most advanced
  • Statement - audit DDL / DML based on structure type or schema object
  • Privilege - audit statements that use system privileges
  • Specific user or group of users
• Fine grained auditing (Oracle9i)
  • Enterprise Edition conditional auditing feature
  • Select statements only (Oracle9i)
  • Updates, inserts, and delete statements (Oracle Database 10g)
• Flexible
  • Audit table and OS file destinations (OS is most performant)
  • Supports XML format
  • Windows event viewer & SYSLOG
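A fine-grained auditing policy in the conditional style the slide describes, as an added example that is not from the presentation: it records access to the credit card column only when the session is not the application account, so DBA and ad-hoc-tool access is captured while normal application traffic is not, and it raises an alert through a handler. Schema, table, account and handler names are assumptions.

```sql
-- Added example, not from the deck. Schema, table, account and handler names
-- are assumptions.
CREATE TABLE sec_admin.fga_alerts (
  alert_time  TIMESTAMP DEFAULT SYSTIMESTAMP,
  db_user     VARCHAR2(128), os_user VARCHAR2(128), userhost VARCHAR2(128),
  policy_name VARCHAR2(128));

-- Handler runs inside the session that triggered the policy; autonomous so
-- the alert survives even if that session rolls back
CREATE OR REPLACE PROCEDURE sec_admin.card_access_alert(
  object_schema VARCHAR2, object_name VARCHAR2, policy_name VARCHAR2) AS
  PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
  INSERT INTO sec_admin.fga_alerts (db_user, os_user, userhost, policy_name)
  VALUES (SYS_CONTEXT('USERENV', 'SESSION_USER'), SYS_CONTEXT('USERENV', 'OS_USER'),
          SYS_CONTEXT('USERENV', 'HOST'), policy_name);
  COMMIT;
END;
/
BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema   => 'OE',
    object_name     => 'ORDERS',
    policy_name     => 'CARD_ACCESS_BY_NON_APP',
    -- condition evaluated per row: only non-application sessions are audited
    audit_condition => 'SYS_CONTEXT(''USERENV'',''SESSION_USER'') <> ''ORDERS_APP''',
    audit_column    => 'CREDIT_CARD',            -- fire only if this column is touched
    handler_schema  => 'SEC_ADMIN',
    handler_module  => 'CARD_ACCESS_ALERT',
    enable          => TRUE,
    statement_types => 'SELECT,UPDATE,DELETE',   -- 10g: DML as well as SELECT
    audit_trail     => DBMS_FGA.DB + DBMS_FGA.EXTENDED);  -- keep SQL text and binds
END;
/
-- Review: statement text and bind values of each audited access
SELECT timestamp, db_user, os_user, userhost, statement_type, sql_text, sql_bind
  FROM dba_fga_audit_trail
 WHERE policy_name = 'CARD_ACCESS_BY_NON_APP'
 ORDER BY timestamp;
```

Because the condition references SESSION_USER rather than the proxy or OS user, an application account shared by many people stays exempt; pair it with the Client Identifier feature from the release map if individual application users must be distinguished.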

33

Oracle Audit Vault: Protect Your Enterprise With Auditing

(Figure: audit data collected from Oracle Database 9i Release 2 (future), 10g Release 1, 10g Release 2 and 11g sources, plus other sources and databases, into Audit Vault to Monitor, Enforce, Report and Secure.)

• Manage audit data
  • Centrally secure audit data from Oracle databases
  • Centrally manage Oracle database audit settings
• Detect suspicious activities
  • Monitor database users, especially privileged users
  • Alert on unauthorized activities
• Simplify compliance reporting
  • Built-in compliance reports
  • Define custom reports

34

Audit Vault Reports: Out-of-the-box Audit Assessments & Custom Reports

• Out-of-the-box reports
  • Privileged user activity
  • Access to sensitive data
  • Role grants, DDL activity
• Custom reports
  • Published warehouse schema
  • Use Oracle or 3rd party tools
• User-defined reports
  • What did privileged users do on the financial database?
  • What did user 'A' do across multiple databases?
  • Who accessed sensitive data?

35

Oracle Audit Vault: Manageability

• Audit Vault Dashboard

• Enterprise overview

• Alerts on audit events

• Drill down reports

• Audit Vault administration

• Audit Vault Policies

• Collection of audit settings for databases

• Provision database audit settings centrally for compliance policies

• Compare against existing audit settings on source

• Demonstrate compliance with internal mandates

36

Oracle Audit Vault Repository: Scalable, Flexible & Secure

• Performance and scalability
  • Scale to terabytes with partitioning
  • Data warehouse enables business intelligence and analysis
• Security
  • Separation of duty
  • Privileged users can't modify audit data
  • Data protected in transit from source to Audit Vault

37

Introducing Oracle Total Recall: Tamper-Resistant Real-Time Database Archiving

• Automated table "snapshots" record changes to data
  • Complements auditing: who v. what
  • Optimized to minimize performance overhead
  • Historical data can be retained as long as needed for regulatory compliance and forensic analysis
  • Automatically prevents end users from changing historical data
• Seamless access to archived historical data
  • Historical data stored in the database for real-time access
  • Stored in compressed form to minimize storage requirements

select * from product_information AS OF TIMESTAMP '02-MAY-05 12.00 AM' where product_id = 3060;
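The archive setup that makes the slide's AS OF query possible, as an added example that is not from the presentation: a Flashback Data Archive (the Total Recall feature) with a seven-year retention on PRODUCT_INFORMATION, the point-in-time query with an explicit timestamp format, and the version query that supplies the "what" to auditing's "who". Archive and tablespace names are assumptions; creating the archive needs the FLASHBACK ARCHIVE ADMINISTER privilege.

```sql
-- Added example, not from the deck. Archive and tablespace names are assumptions.
CREATE FLASHBACK ARCHIVE fda_compliance TABLESPACE fda_ts
  QUOTA 10G RETENTION 7 YEAR;      -- history older than 7 years is purged automatically
ALTER TABLE product_information FLASHBACK ARCHIVE fda_compliance;

-- Confirm which tables are tracked and where their history lives
SELECT owner_name, table_name, flashback_archive_name, archive_table_name
  FROM dba_flashback_archive_tables;

-- The slide's query: the row as it was at a point in time
SELECT * FROM product_information
   AS OF TIMESTAMP TO_TIMESTAMP('02-MAY-05 12.00 AM', 'DD-MON-YY HH.MI AM')
 WHERE product_id = 3060;

-- The "what": every version of the row; VERSIONS_XID links each version to
-- the transaction that made it, and database auditing supplies the "who"
SELECT versions_starttime, versions_endtime, versions_operation, versions_xid,
       list_price
  FROM product_information
       VERSIONS BETWEEN TIMESTAMP TO_TIMESTAMP('01-JAN-05', 'DD-MON-YY')
                    AND SYSTIMESTAMP
 WHERE product_id = 3060
 ORDER BY versions_starttime;

-- Tamper resistance: in 11g Release 1 DDL that would discard tracked history
-- is rejected with ORA-55610, so the statement below fails while the table
-- is archived, and only FLASHBACK ARCHIVE ADMINISTER can change the retention
-- TRUNCATE TABLE product_information;
```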

38

Tracking Compliance Over Time: Compliance Trend across IT infrastructure

39

Example of Security Policy Rules: Over 250 Built-in Policy Rules

Host

• Detect open ports

• Detect insecure services

• Ensure NTFS file system type (Windows)

Application Server

• HTTPD has minimal privileges

• Use HTTP/S

• Apache logging should be on

• Demo applications disabled

• Disable default banner page

• Disable access to unused directories

• Disable directory indexing

• Forbid access to certain packages

• Disable packages not used by DAD owner

• Remove unused DAD configurations

• Password complexity enabled

Database Services

• Enable listener logging

• Password-protect listeners

• Disallow default listener name

• Ensure listener log file is valid and owned by Oracle

• Ensure listener host name is specified with IP

Database File Permissions

• Init.ora should have restricted file permission

• Files in $OH/bin should be owned by Oracle

• Data files should be owned by Oracle

Database Profile/Configuration

• Default Passwords

• Disallow access to objects by a fixed user link

• Disallow default tablespace set to SYSTEM

• Set password_grace_time

• Limit or deny access to DBMS_LOB

• Set password_reuse_max

• Avoid using utl_file_dir parameter

40

Learn More

Technology Overview

• Visit: oracle.com/database/security
• View whitepapers and webinars

Technical Information, Demos, Software

• Visit OTN: otn.oracle.com -> products -> database -> security and compliance
• Search http://search.oracle.com for "database security"

41

42

Release Wide Map of Security Products

(Figure: a matrix of security solutions against the release in which each became available: Oracle 8i, Oracle Database 9iR1, 9iR2, 10g R1, 10g R2 and 11gR1. Solutions shown: Database Auditing, Network Encryption, Virtual Private Database, Enterprise User Security, Label Security, Fine Grained Auditing, Client Identifier, EM Configuration Scanning, TDE Column Encryption, Privileged User Controls, TDE Tablespace Encryption, EM Data Masking.)

Data Masking is available starting with EM 10.2.0.4 and works against Oracle Database 9.2 and higher databases.

43

