8/2/2019 DatabaseSecruity-Whythelongface-JamesAnthony

Database Security: Why the long face?
James Anthony, Technology Director
eDBA 2010

About e-DBA
Founded 1998
Highest level Certified Platinum Partner status
Oracle Technology Partner of the Year 2010
Oracle User Group Award Winner 2010 x4
Managed Service Specialist: System Administration & Management, Database 7 > 11g, Development APEX, Database Security, Oracle Software Management
Oracle Technology Solutions supplied to all Markets

Agenda
Database-Centric Information Security
Database Security
Oracle Database Security Solutions
Defense-in-Depth
Q&A

More breaches than ever

More threats than ever

More Regulations Than Ever
FISMA
Sarbanes-Oxley
Breach Disclosure
PCI
HIPAA
GLBA
PIPEDA
Basel II
EU Data Directives
Euro-SOX, J-SOX
K-SOX
SAS 70
AUS/PRO
UK/PRO
COBIT, ISO 17799
Source: IT Policy Compliance Group, 2007.

Survey: Enterprise Data at Risk
The 2009 IOUG Data Security Report: Budget Pressures Lead to Increased Risks
Only 21% uniformly encrypting PII in all databases
Only 20% uniformly encrypt database traffic
Only 12% uniformly encrypt database backups/exports
50% not aware of all databases with sensitive data
48% say database users could access data directly
61% cannot prevent DBAs from reading or tampering with sensitive data
67% cannot detect if they were monitoring sensitive data reads/writes
Less than 30%
70% use native auditing, only 18% automate monitoring

Securing Data in Your Database
Encryption
Masking
Classification
Access Control
Activity Monitoring
Change Tracking
Discovery and Assessment
Secure Configuration

Database Centric Solutions

User Management:
    Non default & Strong passwords
    Centralized Credentials for all users (esp. Privileged Users)
    User Lifecycle Management
    Strong authentication
    Secure Configuration (best practice)

Access Control:
    Privileged User Controls
    Reduction in shared account usage
    Who, When, Where, How?
    Data Classification
    Row and Column level control

Encryption & Masking:
    Data at Rest
    Data in Motion
    Masking of Data in Live and Test
    Dump File Encryption
    Backup Encryption

Monitoring:
    Auditing at database level
    Targeted Auditing (e.g. high value)
    Audit Consolidation
    Pro-active alerting
    Audit data protection
    Attestation of policy compliance
    Change Discipline and Detection

Enterprise User Security
1. Client: user authenticates to the database with username and password as usual
2. Database defers authentication to Oracle Directory Services
3. Oracle Directory Services validates the user credentials
4. User is mapped to a physical database user, with database roles granted
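The database side of the four-step flow above (steps 2 and 4), as an added example that is not from the deck or from Oracle's or e-DBA's own material. The directory registration and the DN-to-schema mapping are configured with DBCA or Enterprise Manager rather than SQL; this is only what the database itself must hold. The schema name hr_shared, the role hr_clerk and the HR.EMP table are assumed placeholders.

```sql
-- Added example: database-side objects for Enterprise User Security.
-- Placeholders: HR_SHARED schema, HR_CLERK role, HR.EMP table.

-- A shared schema: many directory users map onto one physical database user.
-- The empty string means "mapped from the directory", not one specific DN.
CREATE USER hr_shared IDENTIFIED GLOBALLY AS '';
GRANT CREATE SESSION TO hr_shared;

-- A global role: it can only be granted through the directory's enterprise
-- role, never directly to a local user, so the privilege set stays central.
CREATE ROLE hr_clerk IDENTIFIED GLOBALLY;
GRANT SELECT, UPDATE ON hr.emp TO hr_clerk;

-- After an enterprise user logs in, the session runs as the shared schema,
-- but the real identity (the directory DN) is still available for auditing
-- and for row-level policies:
SELECT SYS_CONTEXT('USERENV', 'SESSION_USER')        AS physical_schema,
       SYS_CONTEXT('USERENV', 'EXTERNAL_NAME')       AS directory_dn,
       SYS_CONTEXT('USERENV', 'ENTERPRISE_IDENTITY') AS enterprise_identity
  FROM dual;

-- Inventory check (11g: DBA_USERS.PASSWORD reads GLOBAL for such accounts):
-- which accounts are directory-authenticated, and therefore which local
-- accounts still carry a password the directory does not govern.
SELECT username, account_status, created
  FROM dba_users
 WHERE password = 'GLOBAL'
 ORDER BY username;
```

The last query is the one a reviewer wants: every account that is not GLOBAL or EXTERNAL is a local credential outside the central lifecycle the slide is selling.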

Central Credential Store
DBA, Developer or Application User
HR, CRM, DEV databases
Directory Services provides central authentication

The Bigger Picture
Existing Directories (e.g. MS AD)
Other User credential stores (e.g. HR)
Attestation of access (compliance reports)
Provisioning/De-Provisioning
Centralized Credentials for database login
Centralized Credentials for OS Login (OS Authentication Services)

Database Defense-in-Depth
Monitoring: Configuration Management, Audit Vault, Total Recall
Access Control: Database Vault, Label Security
Encryption & Masking: Advanced Security, Secure Backup, Data Masking

Database Defense-in-Depth

Oracle Advanced Security: Transparent Data Encryption
Complete encryption for data at rest
No application changes required
Efficient encryption of all application data
Built-in key lifecycle management
(Diagram: Application, Disk, Backups, Exports, Off-Site Facilities)

Oracle Advanced Security: Network Encryption & Strong Authentication
Standards-based encryption for data in transit
Strong authentication of users and servers
No infrastructure changes required
Easy to implement
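One added example covering both Advanced Security slides (data at rest and data in transit); it is not from the deck, from e-DBA or from Oracle's documentation. It uses the 11g-era TDE syntax a DBA would run to protect a salary column and a new tablespace, then the checks that confirm encryption is actually in effect. The wallet password, the SECURE_TS tablespace and its file path, and the HR.EMP table are assumed placeholders. The wallet location and the native network encryption parameters live in sqlnet.ora, not in SQL; the final query only verifies their effect on the current session.

```sql
-- Added example: TDE setup and verification (Oracle 11g syntax).
-- Placeholders: wallet password, SECURE_TS tablespace and path, HR.EMP.

-- 1. Create the master encryption key and open the wallet
--    (needs ENCRYPTION_WALLET_LOCATION already set in sqlnet.ora).
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "WalletPassw0rd_PLACEHOLDER";
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "WalletPassw0rd_PLACEHOLDER";

-- 2. Column-level TDE: SALARY is encrypted in place, no application change.
--    NO SALT keeps the column indexable; leave salt on if it is never indexed.
ALTER TABLE hr.emp MODIFY (salary ENCRYPT USING 'AES256' NO SALT);

-- 3. Tablespace-level TDE: everything created in it is encrypted on disk,
--    which also covers backups and datafile copies of that tablespace.
CREATE TABLESPACE secure_ts
  DATAFILE '/u01/oradata/ORCL/secure_ts01.dbf' SIZE 100M   -- placeholder path
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

-- 4. Verify at rest: wallet state, encrypted columns and their algorithm,
--    and encrypted tablespaces. A CLOSED wallet means the data is unreadable
--    to the application, so this belongs in the post-restart checklist.
SELECT wrl_type, wrl_parameter, status FROM v$encryption_wallet;

SELECT owner, table_name, column_name, encryption_alg, salt
  FROM dba_encrypted_columns
 ORDER BY owner, table_name, column_name;

SELECT tablespace_name, encrypted
  FROM dba_tablespaces
 WHERE encrypted = 'YES';

-- 5. Verify in transit: the session banner lists the encryption and
--    integrity services negotiated for this connection. If the only rows
--    are authentication services, SQLNET.ENCRYPTION_SERVER is not REQUIRED.
SELECT network_service_banner
  FROM v$session_connect_info
 WHERE sid = SYS_CONTEXT('USERENV', 'SID');
```

Two caveats a practitioner wants alongside the slide's "no application changes": column encryption silently removes the option of range scans on a salted column, and an exported dump of an encrypted table is plaintext unless the export itself is encrypted, which is why the next two slides exist.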

Oracle Secure Backup: Integrated Tape or Cloud Backup Management
Secure data archival to tape or cloud
Easy to administer key management
Fastest Oracle Database tape backups
Leverage low-cost cloud storage

Oracle Data Masking: Data De-Identification
Remove sensitive data from non-production databases
Referential integrity preserved so applications continue to work
Sensitive data never leaves the database
Extensible template library and policies for automation

Production:
LAST_NAME   NI_NUM        SALARY
AGUILAR     JE114414C     40,000
BENSON      323-22-2943   60,000

Non-Production:
LAST_NAME   NI_NUM        SALARY
ANSKEKSL    AD124578A     60,000
BKJHHEIEDK  BC985412R     40,000
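The slide's key claim is that masked values stay consistent across tables so joins still work. The following added example shows that property by hand in plain Oracle SQL; it is not the Oracle Data Masking Pack and is not from the deck or from e-DBA. The EMPLOYEES and PAYROLL tables and their rows are constructed sample data, and the whole script is meant to run on the non-production copy only.

```sql
-- Added example: consistent, format-preserving masking of LAST_NAME and
-- NI_NUM across two tables so that rows still join afterwards.
-- Constructed sample schema and rows (not real data):
CREATE TABLE employees (emp_id NUMBER PRIMARY KEY, last_name VARCHAR2(40),
                        ni_num VARCHAR2(9), salary NUMBER);
CREATE TABLE payroll   (pay_id NUMBER PRIMARY KEY, ni_num VARCHAR2(9),
                        pay_date DATE, amount NUMBER);
INSERT INTO employees VALUES (1, 'AGUILAR', 'JE114414C', 40000);
INSERT INTO employees VALUES (2, 'BENSON',  'AB223344D', 60000);
INSERT INTO payroll   VALUES (10, 'JE114414C', DATE '2010-03-31', 3333);
INSERT INTO payroll   VALUES (11, 'AB223344D', DATE '2010-03-31', 5000);
INSERT INTO payroll   VALUES (12, 'JE114414C', DATE '2010-04-30', 3333);
COMMIT;

-- 1. One mapping row per distinct original value. GROUP BY makes Oracle
--    evaluate DBMS_RANDOM once per distinct value, which is what keeps the
--    substitution identical wherever that value appears.
CREATE TABLE ni_map AS
SELECT ni_num AS orig_value,
       DBMS_RANDOM.STRING('U', 2)
       || LPAD(TRUNC(DBMS_RANDOM.VALUE(0, 1000000)), 6, '0')
       || DBMS_RANDOM.STRING('U', 1) AS masked_value      -- keeps AA999999A shape
  FROM (SELECT ni_num FROM employees UNION ALL SELECT ni_num FROM payroll)
 GROUP BY ni_num;
-- Fail loudly on a collision rather than silently merging two people.
ALTER TABLE ni_map ADD CONSTRAINT ni_map_uq UNIQUE (masked_value);

CREATE TABLE name_map AS
SELECT last_name AS orig_value,
       DBMS_RANDOM.STRING('U', LENGTH(last_name)) AS masked_value
  FROM employees
 GROUP BY last_name;

-- 2. Baseline for the referential check: 3 joined rows on the sample data.
SELECT COUNT(*) AS joined_before
  FROM employees e JOIN payroll p ON p.ni_num = e.ni_num;

-- 3. Apply the same mapping to every table that carries the value.
UPDATE employees e
   SET ni_num    = (SELECT m.masked_value FROM ni_map   m WHERE m.orig_value = e.ni_num),
       last_name = (SELECT n.masked_value FROM name_map n WHERE n.orig_value = e.last_name);
UPDATE payroll p
   SET ni_num = (SELECT m.masked_value FROM ni_map m WHERE m.orig_value = p.ni_num);
COMMIT;

-- 4. Checks: the join count must be unchanged (still 3), and no original
--    NI number may survive in either table (expect 0).
SELECT COUNT(*) AS joined_after
  FROM employees e JOIN payroll p ON p.ni_num = e.ni_num;
SELECT COUNT(*) AS leaked
  FROM ni_map m
 WHERE EXISTS (SELECT 1 FROM employees WHERE ni_num = m.orig_value)
    OR EXISTS (SELECT 1 FROM payroll   WHERE ni_num = m.orig_value);

-- 5. The mapping tables are a re-identification key: drop them, and do not
--    let them leave the database (the slide's "sensitive data never leaves").
DROP TABLE ni_map PURGE;
DROP TABLE name_map PURGE;
```

The UNIQUE constraint in step 1 is the part most hand-rolled masking scripts forget: with random substitution, two different people can map to the same masked value, and after the update their payroll rows become indistinguishable.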

Database Defense-in-Depth

Oracle Database Vault: Separation of Duties & Privileged User Controls
DBA separation of duties
Limit powers of privileged users
Securely consolidate application data
No application changes required
(Diagram: Procurement, HR and Finance application data; the Application is allowed through, the DBA's "select * from finance.customers" is blocked)
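What the blocked "select * from finance.customers" on the slide looks like in configuration, as an added example that is not from the deck, from e-DBA or from Oracle's own documentation. It creates a Database Vault realm around the FINANCE schema using the DBMS_MACADM package (run as the Database Vault owner account). The realm name, the FINANCE schema and the FINANCE_APP account are assumed placeholders; the parameter names follow the 11g API and should be checked against the reference for the release in use, since the package has changed between versions.

```sql
-- Added example: a Database Vault realm protecting the FINANCE schema.
-- Placeholders: realm name, FINANCE schema, FINANCE_APP application account.
BEGIN
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'Finance Realm',
    description   => 'Application data owned by the FINANCE schema',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);   -- audit blocked attempts

  -- Every object in FINANCE, whatever its type, is inside the realm.
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'Finance Realm',
    object_owner => 'FINANCE',
    object_name  => '%',
    object_type  => '%');

  -- Only the application account is authorised. DBAs are deliberately not
  -- listed, so SELECT ANY TABLE no longer reaches FINANCE data.
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name   => 'Finance Realm',
    grantee      => 'FINANCE_APP',
    auth_options => DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);
END;
/

-- From a DBA session (SELECT ANY TABLE, but not a realm participant),
-- the slide's query is now refused with ORA-01031: insufficient privileges:
--   select * from finance.customers;

-- Confirm the realm exists and is enabled, then review the blocked attempts
-- that the audit option above records in the Database Vault audit trail.
SELECT name, enabled, audit_options
  FROM dvsys.dba_dv_realm
 WHERE name = 'Finance Realm';

SELECT username, action_name, action_object_name, returncode, timestamp
  FROM dvsys.audit_trail$
 ORDER BY timestamp DESC;
```

The separation-of-duties point on the slide is enforced by who can run this script: the realm is administered by the Database Vault owner, not by the DBA whose access it restricts, so neither role alone can both grant itself access and hide the grant.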

Oracle Database Vault: Multi-Factor Access Control Policy Enforcement
Protect application data and prevent application by-pass
Enforce who, where, when, and how using rules and factors
Out-of-the-box policies for Oracle applications, customizable
(Diagram: Procurement, HR, Rebates Application)
8/2/2019 DatabaseSecruity-Whythelongface-JamesAnthony
22/30
ClassifyusersanddatabasedonbusinessdriversDatabaseenforcedrowlevelaccesscontrol
UsersclassificaonthroughOracleIdentyManagementSuite
Classificaonlabelscanbefactorsinotherpolicies
OracleLabelSecurityDataClassificaonforAccessControl
eDBA2010 22
Confidenal Sensive
Transacons
ReportData
Reports
Sensive
Confidenal
Public

Database Defense-in-Depth

Oracle Audit Vault: Automated Activity Monitoring & Audit Reporting
Consolidate audit data into secure repository
Detect and alert on suspicious activities
Out-of-the-box compliance reporting
Centralized audit policy management
(Diagram: CRM, ERP and HR databases feed Audit Data and Policies; Built-in Reports, Custom Reports and Alerts go to the Auditor)
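Audit Vault consolidates audit records that the source databases must first produce. The following added example (not from the deck, from e-DBA or from Oracle's documentation) shows the source-side configuration behind the slide's "targeted auditing" and "detect and alert" bullets: statement auditing on a high-value table, a fine-grained audit policy that records only reads of executive salaries, and the review queries a security operations team would run over the native trail. FINANCE.CUSTOMERS, HR.EMP and the 100000 salary threshold are assumed placeholders; the instance must already have AUDIT_TRAIL set to DB or DB,EXTENDED.

```sql
-- Added example: native and fine-grained auditing on a monitored database.
-- Placeholders: FINANCE.CUSTOMERS, HR.EMP, the salary threshold.
-- Assumes AUDIT_TRAIL = DB,EXTENDED (restart required if it is changed).

-- 1. Targeted statement auditing on a high-value table, one row per access.
AUDIT SELECT, INSERT, UPDATE, DELETE ON finance.customers BY ACCESS;

-- 2. Fine-grained auditing: only reads that touch SALARY for high earners
--    are recorded, together with the SQL text of the statement.
BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema   => 'HR',
    object_name     => 'EMP',
    policy_name     => 'EXEC_SALARY_READS',
    audit_condition => 'SALARY > 100000',
    audit_column    => 'SALARY',
    statement_types => 'SELECT',
    audit_trail     => DBMS_FGA.DB + DBMS_FGA.EXTENDED);
END;
/

-- 3. Review: who touched the customer table, from which host, and whether
--    it succeeded. RETURNCODE 0 is success; a run of non-zero codes from one
--    account is the "suspicious activity" the slide talks about.
SELECT username, os_username, userhost, timestamp, action_name, returncode
  FROM dba_audit_trail
 WHERE owner = 'FINANCE' AND obj_name = 'CUSTOMERS'
 ORDER BY timestamp DESC;

-- 4. Review FGA hits with the statement text, flagging executive-salary
--    reads outside business hours (08:00 to 18:59, server time).
SELECT db_user, userhost, timestamp, sql_text
  FROM dba_fga_audit_trail
 WHERE policy_name = 'EXEC_SALARY_READS'
   AND TO_NUMBER(TO_CHAR(timestamp, 'HH24')) NOT BETWEEN 8 AND 18
 ORDER BY timestamp DESC;

-- 5. Protect the audit data itself. A DBA can delete from SYS.AUD$, so at
--    minimum audit changes to the trail and ship it off the box promptly,
--    which is the job of a central repository such as Audit Vault.
AUDIT DELETE, UPDATE ON sys.aud$ BY ACCESS;
```

Step 5 is the reason the slide lists "audit data protection" separately from auditing: a trail that the audited administrator can edit only proves what that administrator chose to leave in it.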

Oracle Total Recall: Secure Change Tracking
select salary from emp
  as of timestamp to_timestamp('02-MAY-09 12.00 AM', 'DD-MON-RR HH.MI AM')
 where emp.title = 'admin';
Transparently track data changes
Efficient, tamper-resistant storage of archives
Real-time access to historical data
Simplified forensics and error correction
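The slide shows one flashback query; the added example below (not from the deck, from e-DBA or from Oracle's documentation) shows the Flashback Data Archive that Total Recall is built on, the slide's query with an explicit timestamp format, and the two queries that cover the last bullet: a version history for forensics and a point-in-time restore of a single value. The EMP_FDA archive, the FDA_TS tablespace, the retention period, the HR.EMP table and the EMP_ID of the corrected row are assumed placeholders; creating the archive needs the FLASHBACK ARCHIVE ADMINISTER privilege.

```sql
-- Added example: Flashback Data Archive on HR.EMP and the queries it enables.
-- Placeholders: EMP_FDA, FDA_TS, 7 YEAR retention, HR.EMP, EMP_ID 42.

-- 1. Create the archive. History older than the retention period is purged
--    automatically, and the archive is not writable by ordinary DML, which
--    is the "tamper-resistant" property on the slide.
CREATE FLASHBACK ARCHIVE emp_fda TABLESPACE fda_ts
  QUOTA 10G RETENTION 7 YEAR;

-- 2. Start tracking EMP. DML against EMP is unchanged for the application.
ALTER TABLE hr.emp FLASHBACK ARCHIVE emp_fda;

-- 3. The slide's query with an explicit format, so it does not depend on the
--    session's NLS_TIMESTAMP_FORMAT: admin salaries as of midnight 2 May 2009.
SELECT salary
  FROM hr.emp AS OF TIMESTAMP
       TO_TIMESTAMP('02-MAY-2009 00:00:00', 'DD-MON-YYYY HH24:MI:SS')
 WHERE title = 'admin';

-- 4. Forensics: every version of each admin row since 1 May 2009, with the
--    transaction id that made the change, so a tampered value can be tied
--    to a transaction and, through the audit trail, to a session.
SELECT versions_starttime, versions_endtime, versions_xid,
       versions_operation, emp_id, salary
  FROM hr.emp VERSIONS BETWEEN TIMESTAMP
         TO_TIMESTAMP('01-MAY-2009 00:00:00', 'DD-MON-YYYY HH24:MI:SS')
     AND MAXVALUE
 WHERE title = 'admin'
 ORDER BY emp_id, versions_starttime;

-- 5. Error correction: put one row's salary back to its 2 May 2009 value.
UPDATE hr.emp e
   SET salary = (SELECT o.salary
                   FROM hr.emp AS OF TIMESTAMP
                        TO_TIMESTAMP('02-MAY-2009 00:00:00', 'DD-MON-YYYY HH24:MI:SS') o
                  WHERE o.emp_id = e.emp_id)
 WHERE e.emp_id = 42;
COMMIT;
```

The retention period is a security decision, not just a storage one: it bounds how far back an investigation can look, so it should match the longest window in which a change could plausibly go unnoticed.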

Configuration Management: Vulnerability Assessment & Secure Configuration
Database discovery
Continuous scanning against 375+ best practices and industry standards, extensible
Detect and prevent unauthorized configuration changes
Change management compliance reports
(Diagram: Configuration Management & Audit, Vulnerability Management, Asset Management, Policy Management, Analysis & Analytics; cycle of Discover, Classify, Assess, Monitor, Prioritize, Fix)

Configuration Change Console
Real Time change detection & Notification
Provide point in time attestation
Dashboard reporting and visualization

Database Defense-in-Depth

Summary
Transparent
Integrated
Comprehensive
Cost-Effective

Testing in the Real World
Seminar, 28th April, Oracle Edinburgh Office
eDBA 2010