Date posted: 30-May-2018
Category: Documents
Uploaded by: utkarsh-sethi
8/14/2019 Oracle DB Security

Data Security Lifecycle
- Inbound Data: Network Encryption, Strong Authentication, Identity Management Integration
- Storage: Transparent Data Encryption, Secure Backup
- Access Control: Database Vault, Oracle Label Security, Fusion Security
- Outbound Data: Network Encryption
- Monitor: Configuration Scanning, Audit Vault

Agenda
- Network Encryption: Encryption of data in motion
- Strong Authentication: PKI, Kerberos, Radius
- Data Encryption: Encryption of data at rest
- Secure Backup
- Oracle Data Vault
- DB Auditing: Audit Vault

Network Security Threats
1. Data Theft: My competitor sees my bids in a sealed auction.
2. Data Modification or Replay (diagram labels: $500.00, $50,000)
3. Data Disruption: Packet stolen. Order never arrives.

Network Encryption
Provided by Oracle for nearly a decade
Encrypts all communication with the database
- AES
- RSA RC4 (40-, 56-, 128-, 256-bit keys)
- DES (40-, 56-bit) and 3DES (2- and 3-key)
Data integrity with checksums
- MD5, SHA-1
- Automatically detects modifications, replays, missing packets
Easy to set up

Strong Authentication
Kerberos
- Ease of deployment makes this a popular choice
PKI
- Large customers are working on full scale deployments
- Strong interest among large Universities
- Oracle supports SSL accelerators
Radius
- Database integrates with RADIUS

The Need for Encryption
Worldwide privacy, security laws and regulations
- Sarbanes-Oxley
- PCI
- California SB 1386
- Country-specific laws
Customer Credit Card Numbers
- Disks replaced for maintenance
- Laptops stolen
- Backups lost
Data worthless if encrypted

The DBMS_CRYPTO Package
Formerly DBMS_OBFUSCATION (Release 8)
Extensive control of options
- Generate as many, or as few keys as you desire
- Granular access control, manual salt generation, algorithm selection, chaining mode
Limited Transparency

Transparent Data Encryption
Integrated with the Oracle database for simplicity
- Alter table encrypt column
Provides application transparency
- No API calls, database triggers or views required
Media protection of PII data
- Social security numbers
- Credit Card Numbers
Performance
- Works with existing indexes for fast searches

Separation of duties
- DBA starts up Database
- Security DBA opens wallet containing master key
- Wallet password is separate from System or DBA password
- No access to wallet

Master key and column keys
- Column keys encrypted by master key
- Master key stored in PKCS#12 wallet
- Security DBA opens wallet containing master key
- Column keys encrypt data in columns

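The wallet, master key and column key steps from the slides above, as an added example in Oracle Database 10g Release 2 syntax (not part of the original presentation). The table `customers`, its columns, the index name and the `<wallet-password>` placeholder are constructed for illustration.

```sql
-- Added example; table, column and index names are hypothetical.
-- Prerequisite: sqlnet.ora sets ENCRYPTION_WALLET_LOCATION to a directory
-- writable by the Oracle software owner.

-- 1. Security DBA (knows the wallet password): create the PKCS#12 wallet
--    and generate the master key. Done once per database.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "<wallet-password>";

-- 2. The wallet is closed after every instance restart. The DBA can start
--    the database, but encrypted columns stay unreadable until the
--    security DBA opens the wallet with its separate password.
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "<wallet-password>";

-- 3. Encrypt existing columns in place. Oracle generates one column key
--    per table and stores it in the data dictionary, encrypted under the
--    master key; all encrypted columns of a table share that key and
--    algorithm.
ALTER TABLE customers MODIFY (ssn ENCRYPT USING 'AES256');

-- An indexed column must be encrypted WITHOUT salt, otherwise equal
-- plaintexts produce different ciphertexts and the index cannot match them.
-- The index then serves equality lookups only, not range scans.
ALTER TABLE customers MODIFY (credit_card_no ENCRYPT USING 'AES256' NO SALT);
CREATE INDEX customers_cc_ix ON customers (credit_card_no);

-- 4. Check which columns are protected, with which algorithm and salt setting.
SELECT table_name, column_name, encryption_alg, salt
FROM   dba_encrypted_columns
WHERE  table_name = 'CUSTOMERS';

-- Note: TDE protects data files and backups. Once the wallet is open, any
-- session with SELECT privilege on the table still sees plaintext, so
-- access control and auditing remain separate tasks.
```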
Oracle Secure Backup: Tape Backup Management
Highest levels of tape data protection at the lowest cost!
Fastest & Best Integrated tape backup for the Oracle Database
- Recovery Manager (RMAN) integration
- Enterprise Manager (EM) interface
Maximum security options
Free version (limited functionality) will ship with the Oracle Database
Diagram: Oracle Secure Backup, Centralized Tape Backup Management
- Oracle Databases: Integration with RMAN
- File System Data: UNIX, Linux, Windows, NAS
- Tape

Why Use Oracle Secure Backup?
Scalable from the department to the data center
- Database tape backups can now be seamlessly managed by Database Administrators (DBA) or storage group
- Intelligent integration with RMAN delivering the best performance and security for database backups
- Easily managed using Enterprise Manager (EM)
- Single technical support resource for entire backup solution expedites problem resolution
Reliable data protection at lower cost and complexity
- For the Oracle Database and file system data

End to End Security
- Data Encrypted On Backup Files
- Data Written To Disk Automatically Encrypted
- Data Automatically Decrypted Through SQL Interface
- Oracle Advanced Security Network Encryption
- Oracle Advanced Security Strong Authentication
- Oracle Advanced Security Transparent Data Encryption

Data Vault Objectives
Multi-factored approach to database security
- Protect and share data assets using environmental factors for assurance
Defense in depth approach
- Protect application schemas from system privileges
Database Server as Database Appliance
- Lock Down, Hardened Software and Privileges
Comprehensive Audit Policy
Separation of Duties

AUDITING (Oracle Database 10g Auditing)
Audit & monitor database activity
- Logon failures, privilege usage, data access, object access, and other activities
Standard Audit Trail (over 250 audit actions)
- Gives first level of information about access to the database
- Statement auditing
- Privilege auditing
- Schema Object auditing
Fine-Grained Auditing (FGA)
- Gives second level of information about specific operations to the database
- Enables you to monitor data access based on content.

Fine-grained auditing (FGA)
Beginning with Oracle9i Database, Oracle provides the capability to audit specific rows within a table. This is accomplished using the DBMS_FGA package.
Features
- Attach audit policy to table or view
- Specify audit condition using a SQL predicate
- User's query text with bind variables is written to the audit record upon a triggering audit event
- Event handler can alert administrator to triggering condition (e.g. write record to log, send page)

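An FGA policy with a SQL predicate and an event handler, as described in the feature list above. This is an added example, not part of the original presentation; it uses the 10g form of `DBMS_FGA.ADD_POLICY`, and the `HR.CUSTOMERS` table, the `SEC_ADMIN` schema and all policy, table and procedure names are hypothetical.

```sql
-- Added example; schemas, table, policy and handler names are hypothetical.
-- Alert table written by the event handler.
CREATE TABLE sec_admin.fga_alerts (
  alert_time  TIMESTAMP DEFAULT SYSTIMESTAMP,
  db_user     VARCHAR2(30),
  object_name VARCHAR2(61),
  policy_name VARCHAR2(30),
  sql_text    VARCHAR2(4000)
);

-- Event handler: FGA calls it with exactly these three arguments.
-- The autonomous transaction keeps the alert even if the audited
-- user's own transaction is rolled back.
CREATE OR REPLACE PROCEDURE sec_admin.fga_alert (
  object_schema VARCHAR2,
  object_name   VARCHAR2,
  policy_name   VARCHAR2
) AS
  PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
  INSERT INTO sec_admin.fga_alerts (db_user, object_name, policy_name, sql_text)
  VALUES (SYS_CONTEXT('USERENV', 'SESSION_USER'),
          object_schema || '.' || object_name,
          policy_name,
          SYS_CONTEXT('USERENV', 'CURRENT_SQL'));  -- only set inside a handler
  COMMIT;
END;
/

-- Attach the policy: fire only when CREDIT_CARD_NO is referenced AND a
-- returned or updated row satisfies the predicate.
BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema   => 'HR',
    object_name     => 'CUSTOMERS',
    policy_name     => 'CC_HIGH_LIMIT_ACCESS',
    audit_condition => 'CREDIT_LIMIT > 50000',
    audit_column    => 'CREDIT_CARD_NO',
    handler_schema  => 'SEC_ADMIN',
    handler_module  => 'FGA_ALERT',
    enable          => TRUE,
    statement_types => 'SELECT,UPDATE',
    audit_trail     => DBMS_FGA.DB + DBMS_FGA.EXTENDED);  -- keep SQL text and binds
END;
/

-- Review what the policy captured, including bind variable values.
SELECT timestamp, db_user, sql_text, sql_bind
FROM   dba_fga_audit_trail
WHERE  policy_name = 'CC_HIGH_LIMIT_ACCESS'
ORDER  BY timestamp;
```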
Diagram: Audit Vault
10gR2, 10gR1
Oracle 9iR2 (Future)
Other Sources, Databases
Monitor, Policies, Reports, Security
- Collect and Consolidate Audit Data
- Simplify Compliance Reporting
- Detect and Prevent Insider Threats
- Scale and Security
- Lower IT Costs With Audit Policies

Oracle Database Security: 30 years of Innovation (timeline, 2007 back to 1977)
- Oracle Audit Vault
- Oracle Database Vault
- DB Security Evaluation #19
- Transparent Data Encryption
- EM Configuration Scanning
- Fine Grained Auditing (9i)
- Secure application roles
- Client Identifier / Identity propagation
- Oracle Label Security
- Proxy authentication
- Enterprise User Security
- Global roles
- Virtual Private Database (8i)
- Database Encryption API
- Strong authentication (PKI, Kerberos, RADIUS)
- Native Network Encryption (Oracle7)
- Database Auditing
- Government customer

For More Information
http://search.oracle.com
or
oracle.com/security
Transparent Data Encryption