Oracle security 01-security requirements & solutions


云和恩墨 (Enmotech): delivering what is entrusted to us. By 王朝阳, 18516271611, sonne.k.wang@gmail.com

Security Requirements & Solutions


Objectives

After completing this lesson, you should be able to do the following:
• Describe fundamental security requirements
• Define the following terms:
  – Least privilege
  – Authorization
  – Authentication
• Describe security policies
• Describe the concept of security in detail
• Prevent exploits
• Maintain data integrity
• Protect data
• Control data access


Industry-Security Requirements

• Legal:
  – Sarbanes-Oxley Act (SOX)
  – Health Insurance Portability and Accountability Act (HIPAA)
  – California Breach Law (SB 1386)
  – UK Data Protection Act
• Auditing: each of these laws requires you to show who accessed or changed regulated data, so audit records are a requirement, not an option.


Security Standards

Recognized security standards:
• ISO 17799 (since renumbered ISO/IEC 27002)
• SANS Institute
• CERT/CC

Do your policies meet the standards?


Fundamental Data-Security Requirements

You should know the following fundamental data-security requirements:
• Confidentiality: data is disclosed only to those authorized to see it
• Integrity: data is changed only by authorized users, through authorized means
• Availability: data and services are reachable when legitimate users need them


Components for Enforcing Security

• Authentication: establish who the user is
• Authorization: decide what the user may do
• Access control: enforce that decision on every access
• Auditing: record what actually happened


Security Risks

Risk analysis includes:
• External attack:
  – Unauthorized users
  – Denial of service
  – Unauthorized data and service access
• Internal abuse: data or service theft
• Sabotage: data or service corruption
• Complexity: the more components and configurations, the more there is to secure and to get wrong


Principle of Least Privilege

• Install only the required software on the machine.
• Activate only the required services on the machine.
• Give operating system (OS) and database access to only those users who require access.
• Limit access to the root or administrator account.
• Limit access to SYSDBA and SYSOPER accounts.
• Limit users' access to only the database objects that are required to do their jobs.
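The last three bullets translate directly into grants and review queries. The following is an added example, not part of the original slides: it provisions a reporting account with only the privileges its job needs and then shows the checks a DBA runs to find accounts that hold more. The schema HR, the role HR_REPORT_ROLE, the account REPORT_APP and its password are assumptions for illustration; the dictionary views are standard Oracle ones.

```sql
-- Added example (not from the original slides). Schema HR, role HR_REPORT_ROLE,
-- user REPORT_APP and its password are assumptions for illustration.

-- 1. A role that carries only what the job needs: read access to two tables,
--    no DML, no "ANY" system privileges.
CREATE ROLE hr_report_role;
GRANT SELECT ON hr.employees   TO hr_report_role;
GRANT SELECT ON hr.departments TO hr_report_role;

-- 2. The application account gets CREATE SESSION plus the role, nothing else.
--    A zero quota keeps it from writing into tablespaces it has no business in.
CREATE USER report_app IDENTIFIED BY "Str0ng#Passw0rd!"
  DEFAULT TABLESPACE users QUOTA 0 ON users;
GRANT CREATE SESSION TO report_app;
GRANT hr_report_role TO report_app;

-- 3. Review queries: who has more than they should?

--    Accounts that can connect AS SYSDBA / SYSOPER (password-file entries).
SELECT username, sysdba, sysoper
  FROM v$pwfile_users;

--    Accounts holding the DBA role.
SELECT grantee
  FROM dba_role_privs
 WHERE granted_role = 'DBA';

--    Non-Oracle accounts holding "ANY" system privileges (SELECT ANY TABLE,
--    CREATE ANY PROCEDURE, ...), which bypass object-level grants.
SELECT grantee, privilege
  FROM dba_sys_privs
 WHERE privilege LIKE '%ANY%'
   AND grantee NOT IN ('SYS', 'SYSTEM', 'DBA', 'SYSMAN', 'DBSNMP')
 ORDER BY grantee, privilege;

--    Object grants to PUBLIC on application schemas: every account can use them.
SELECT owner, table_name, privilege
  FROM dba_tab_privs
 WHERE grantee = 'PUBLIC'
   AND owner = 'HR';
```

Re-run the review queries on a schedule; a privilege granted for a one-off migration and never revoked is the typical way an account drifts away from least privilege.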


Defining a Security Policy

• What is a security policy?
  – A set of rules
  – Specific to an area and site
  – Required
  – Approved by management
• What is a standard?
  – Rules specific to a system or process
  – Required for everyone
• What are guidelines?
  – Suggestions and best practices
  – Specific to a system or a process


Developing Your Security Policy

The steps to develop your security policy are:
1. Assemble your security team.
2. Define your security requirements.
3. Develop procedures and systems to meet these requirements.
4. Implement security procedures.


Examining All Aspects of Security

Consider the following dimensions:
• Physical
• Personnel
• Technical
• Procedural

Example: An employee leaves his or her desk while still logged in to an application. The unattended session is a personnel and procedural exposure that the strongest database controls do not close on their own.


Implementing a Security Policy

• Implement your standards and procedures.
• Implement the plan for developing new systems and applications.
• Monitor and enforce the policy.
• Keep systems and applications up-to-date with security patches.
• Educate users.


Hardening the Operating System

• Limit services to required services.
• Limit users.
• Use the security features that the service itself provides.
• Apply all security patches and workarounds.
• Protect backups.
• Test security for in-house development.
• Require strong passwords.
• Control physical access.
• Audit system activity.
• Use intrusion-detection tools.


Easing Administration

• Examine the security features of the service:
  – Select the features that meet your security requirements.
  – Integrate the features to simplify administration.
• Ease security administration by:
  – Using single sign-on
  – Delegating security authority
  – Grouping users with common privileges
  – Synchronizing with other sources


Using a Firewall to Restrict Network Access

[Figure: client computers are separated by a firewall from the application/Web server, which is in turn separated by a second firewall from the database server, so no client can reach the database port directly.]


Hardening Oracle Services

• Harden the database.
• Harden Oracle Net Services.
• Use Connection Manager as a firewall.
• Use available components:
  – Fine-grained access control
  – Enterprise user authentication
  – Encryption
  – Label security
  – Strong authentication by using public key infrastructure or Kerberos
• Harden the middle tier.
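"Harden the database" is a list of concrete settings. The following is an added example, not part of the original slides: the baseline changes a DBA makes on an Oracle 10g instance, run as SYSDBA, followed by queries that verify them. The parameters, packages and accounts are standard Oracle ones; which demo accounts you lock is an assumption for illustration.

```sql
-- Added example (not from the original slides). Run as SYSDBA on Oracle 10g.
-- Which default accounts to lock is an assumption for illustration.

-- Stop trusting the client's OS user name as a database identity.
ALTER SYSTEM SET remote_os_authent = FALSE SCOPE = SPFILE;
-- SYS-owned dictionary objects reachable only through explicit privileges,
-- not through SELECT ANY TABLE and friends.
ALTER SYSTEM SET o7_dictionary_accessibility = FALSE SCOPE = SPFILE;
-- Keep an audit trail in the database (takes effect after restart).
ALTER SYSTEM SET audit_trail = DB SCOPE = SPFILE;

-- Lock and expire sample/default accounts that the application does not use.
ALTER USER scott ACCOUNT LOCK PASSWORD EXPIRE;
ALTER USER outln ACCOUNT LOCK PASSWORD EXPIRE;

-- Take file- and network-capable packages away from PUBLIC; grant EXECUTE
-- back only to the specific schemas that need them.
REVOKE EXECUTE ON utl_file FROM PUBLIC;
REVOKE EXECUTE ON utl_tcp  FROM PUBLIC;
REVOKE EXECUTE ON utl_http FROM PUBLIC;
REVOKE EXECUTE ON utl_smtp FROM PUBLIC;

-- Verification after the restart.
SELECT name, value
  FROM v$parameter
 WHERE name IN ('remote_os_authent', 'o7_dictionary_accessibility', 'audit_trail');

-- Every account that can still log in; each one should be justified.
SELECT username, account_status
  FROM dba_users
 WHERE account_status NOT LIKE 'LOCKED%'
 ORDER BY username;

-- Any UTL_* package still executable by everyone.
SELECT table_name
  FROM dba_tab_privs
 WHERE grantee = 'PUBLIC'
   AND owner = 'SYS'
   AND table_name LIKE 'UTL%';
```

Hardening Oracle Net Services is done in the listener and sqlnet configuration rather than in SQL: ADMIN_RESTRICTIONS_LISTENER = ON in listener.ora prevents remote reconfiguration of the listener, and TCP.VALIDNODE_CHECKING = YES with TCP.INVITED_NODES in sqlnet.ora restricts which hosts may connect at all.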


Preventing Exploits

Use industry-standard practices:
• Harden the database.
• Harden the operating system.
• Harden the network.


Maintaining Data Integrity

Sarbanes-Oxley requires assurance of the integrity of the data that is used to produce financial reports. Oracle Database 10g can provide the following:
• Standard auditing
• Fine-grained auditing
• Privileged-account auditing
• Network encryption
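The three audit layers above are configured separately and land in different trails. The following is an added example, not part of the original slides: it turns on all three for a general-ledger table and shows the views used to read the results. The schema FIN, the table GL_JOURNAL with its STATUS and AMOUNT columns, and the policy name are assumptions for illustration; the parameters, package and views are standard Oracle 10g ones.

```sql
-- Added example (not from the original slides). Schema FIN, table GL_JOURNAL
-- (columns STATUS, AMOUNT) and policy GL_POSTED_READS are assumptions.

-- Prerequisites (take effect after restart).
-- Write audit records, including SQL text and bind values, to the database.
ALTER SYSTEM SET audit_trail = DB_EXTENDED SCOPE = SPFILE;
-- Privileged-account auditing: every statement issued AS SYSDBA or SYSOPER is
-- written to the OS audit directory, outside the database SYS could tamper with.
ALTER SYSTEM SET audit_sys_operations = TRUE SCOPE = SPFILE;

-- Standard auditing: one record per statement that changes the ledger or the
-- privilege structure, successful or not.
AUDIT INSERT, UPDATE, DELETE ON fin.gl_journal BY ACCESS;
AUDIT ALTER ANY TABLE, GRANT ANY PRIVILEGE BY ACCESS;

-- Fine-grained auditing: record only statements that touch the AMOUNT column
-- of rows in a posted (closed) period; these are the ones an auditor cares about.
BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema   => 'FIN',
    object_name     => 'GL_JOURNAL',
    policy_name     => 'GL_POSTED_READS',
    audit_condition => 'STATUS = ''POSTED''',
    audit_column    => 'AMOUNT',
    statement_types => 'SELECT,UPDATE,DELETE',
    audit_trail     => DBMS_FGA.DB + DBMS_FGA.EXTENDED);
END;
/

-- Reading the trails.
-- Standard audit: who did what to the ledger, and whether it succeeded
-- (returncode 0) or failed.
SELECT username, action_name, obj_name, timestamp, returncode
  FROM dba_audit_trail
 WHERE obj_name = 'GL_JOURNAL'
 ORDER BY timestamp DESC;

-- Fine-grained audit: the exact statement text captured by the policy.
SELECT db_user, policy_name, sql_text, timestamp
  FROM dba_fga_audit_trail
 WHERE policy_name = 'GL_POSTED_READS'
 ORDER BY timestamp DESC;
```

Standard auditing records that a statement happened; fine-grained auditing records it only when the condition is true and keeps the SQL text, which is why the two are used together rather than as alternatives. Protect the audit tables themselves (AUD$ and FGA_LOG$) with the same grants and backups as the financial data they describe.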


Data Protection

Under CA-SB-1386, personally identifiable information must be protected. Use the following techniques:
• Restrict access.
• Encrypt stored data.
• Encrypt network traffic.
• Restrict network access.
• Monitor activity.
• Harden every layer.

[Figure: the stored ciphertext OKYMSEISPDTGA standing in for the plaintext value MyCreditCardNum.]
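The figure above is what Transparent Data Encryption produces. The following is an added example, not part of the original slides: it sets up TDE column encryption on Oracle 10g Release 2 for a card-number column and shows how to verify it. The wallet directory, the wallet password, the schema SALES and the table CARDS are assumptions for illustration; the statements and the DBA_ENCRYPTED_COLUMNS view are standard Oracle ones.

```sql
-- Added example (not from the original slides). Wallet path and password,
-- schema SALES and table CARDS are assumptions for illustration.

-- 1. Server-side sqlnet.ora must name a wallet directory, for example:
--    ENCRYPTION_WALLET_LOCATION =
--      (SOURCE = (METHOD = FILE)(METHOD_DATA = (DIRECTORY = /etc/oracle/wallet)))

-- 2. Create the master key once; this also opens the wallet. After every
--    instance restart the wallet must be reopened (second statement).
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "W4llet#Secret!";
-- ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "W4llet#Secret!";

-- 3. Encrypt the sensitive column. On disk, in backups and in redo the column
--    is ciphertext; an authorized session still SELECTs the clear value, which
--    is why access control and auditing remain necessary.
CREATE TABLE sales.cards (
  card_id   NUMBER        PRIMARY KEY,
  cust_id   NUMBER        NOT NULL,
  card_num  VARCHAR2(19)  ENCRYPT USING 'AES256',
  expires   DATE
);

-- An existing column is converted in place (rewrites the column data):
-- ALTER TABLE sales.cards MODIFY (card_num ENCRYPT USING 'AES256');

-- 4. Verify which columns are encrypted, with which algorithm, and whether
--    a salt is applied (the default; use NO SALT only for indexed columns).
SELECT owner, table_name, column_name, encryption_alg, salt
  FROM dba_encrypted_columns;
```

Encrypting network traffic is a configuration change rather than SQL: SQLNET.ENCRYPTION_SERVER = REQUIRED and SQLNET.ENCRYPTION_TYPES_SERVER = (AES256) in the server's sqlnet.ora refuse unencrypted sessions, and SQLNET.CRYPTO_CHECKSUM_SERVER = REQUIRED adds integrity checking. Back up the wallet separately from the database: an encrypted datafile without its wallet is unrecoverable.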


Access Control

Privacy regulations such as HIPAA and SB 1386 require that only authorized persons may access specific data. Access control and monitoring include:
• Implement the Virtual Private Database (VPD):
  – Application context
  – Fine-grained access control (FGAC)
• Use Oracle Label Security (OLS).
• Apply auditing.
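Application context and fine-grained access control work as a pair: the context holds a trusted fact about the session, and the policy function turns it into a predicate that Oracle appends to every statement against the table. The following is an added example, not part of the original slides: a VPD policy that lets each sales representative see and change only his or her own customers. The schema SALES, the tables CUSTOMERS (with a REP_ID column) and REPS (columns REP_ID, DB_USER), the context name and the policy name are assumptions for illustration; DBMS_SESSION, DBMS_RLS and SYS_CONTEXT are standard Oracle APIs.

```sql
-- Added example (not from the original slides). Schema SALES, tables CUSTOMERS
-- (REP_ID column) and REPS (REP_ID, DB_USER), context SALES_CTX and policy
-- CUST_BY_REP are assumptions for illustration.

-- 1. Application context. Only the package named here may set attributes in
--    it, so a user cannot forge a rep_id from a plain session.
CREATE OR REPLACE CONTEXT sales_ctx USING sales.sales_ctx_pkg;

CREATE OR REPLACE PACKAGE sales.sales_ctx_pkg AS
  PROCEDURE set_rep;
END;
/
CREATE OR REPLACE PACKAGE BODY sales.sales_ctx_pkg AS
  -- Map the authenticated database user to a rep id and store it in the
  -- session context. Users with no mapping get a NULL rep id.
  PROCEDURE set_rep IS
    v_rep_id sales.reps.rep_id%TYPE;
  BEGIN
    SELECT rep_id INTO v_rep_id
      FROM sales.reps
     WHERE db_user = SYS_CONTEXT('USERENV', 'SESSION_USER');
    DBMS_SESSION.SET_CONTEXT('sales_ctx', 'rep_id', v_rep_id);
  EXCEPTION
    WHEN NO_DATA_FOUND THEN
      DBMS_SESSION.SET_CONTEXT('sales_ctx', 'rep_id', NULL);
  END;
END;
/

-- Populate the context as soon as the session is authenticated.
CREATE OR REPLACE TRIGGER sales.set_rep_on_logon AFTER LOGON ON DATABASE
BEGIN
  sales.sales_ctx_pkg.set_rep;
END;
/

-- 2. Policy function: returns the predicate Oracle appends to each statement.
--    With a NULL rep_id the comparison is never true, so an unmapped user sees
--    no rows. Never return an empty string here: that means "no restriction".
CREATE OR REPLACE FUNCTION sales.cust_rep_policy (
  p_schema IN VARCHAR2,
  p_object IN VARCHAR2) RETURN VARCHAR2 IS
BEGIN
  RETURN 'rep_id = SYS_CONTEXT(''sales_ctx'', ''rep_id'')';
END;
/

-- 3. Attach the policy to the table for reads and writes. UPDATE_CHECK => TRUE
--    also rejects an INSERT or UPDATE whose new row would fall outside the
--    predicate, so a rep cannot move a customer into someone else's view.
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'SALES',
    object_name     => 'CUSTOMERS',
    policy_name     => 'CUST_BY_REP',
    function_schema => 'SALES',
    policy_function => 'CUST_REP_POLICY',
    statement_types => 'SELECT,INSERT,UPDATE,DELETE',
    update_check    => TRUE);
END;
/
```

Because the predicate is added inside the database, it applies equally to the application, to ad hoc SQL*Plus sessions and to reporting tools; only the object owner and users with the EXEMPT ACCESS POLICY privilege bypass it, which is one more reason to keep that privilege and the SALES schema password out of ordinary hands.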


Summary

In this lesson, you should have learned how to:
• List and describe fundamental security requirements
• Define the following terms:
  – Principle of least privilege
  – Authorization
  – Authentication
• Describe some security risks and requirements
• Describe the concept of security in detail
• Prevent exploits
• Maintain data integrity
• Protect data
• Control data access


Q&A
