DatabaseSecruity-Whythelongface-JamesAnthony

8/2/2019 DatabaseSecruity-Whythelongface-JamesAnthony

1/30

DatabaseSecurityWhythe

longface?JamesAnthonyTechnologyDirector

eDBA2010


2/30

Aboute-DBA

Founded1998 HighestlevelCerfiedPlanumPartnerstatus

OracleTechnologyPartneroftheYear2010 OracleUserGroupAwardWinner2010x4

ManagedServiceSpecialist: SystemAdministraon&Management Database7>11g DevelopmentAPEX DatabaseSecurity OracleSowareManagement

OracleTechnologySoluonssuppliedtoallMarkets

2eDBA2010


3/30

Agenda

Database-CentricInformaonSecurity

DatabaseSecurity OracleDatabaseSecuritySoluons

Defense-in-Depth Q&A

3eDBA2010


4/30

Morebreachesthenever

eDBA2010 4


5/30

Morethreatsthanever

5


6/30

MoreRegulaonsThanEver

eDBA2010 6

FISMA

Sarbanes-Oxley

BreachDisclosure

PCI

HIPAA

GLBA

PIPEDA

BaselII

EUDataDirecves

EuroSOXJSOX

KSOX

SAS70

AUS/PRO

UK/PRO

Source:ITPolicyComplianceGroup,2007.

COBIT ISO17799


7/30

Survey:EnterpriseDataatRiskThe2009IOUGDataSecurityReport:

BUDGETPRESSURESLEADTOINCREASEDRISKS

Only21%

uniformlyencrypng

PIIinalldatabases

Only20%uniformlyencrypt

databasetraffic

Only12%uniformlyencryptdatabase

backups/exports

50%notawareofall

databaseswith

sensivedata

48%saydatabaseusers

couldaccessdata

directly

61%

cannotpreventDBAsfromreadingortamperingwith

sensivedata

67%

cannotdetectiftheywere

monitoringsensivedata

reads/writes

Lessthan30%

70%usenaveauding,only18%automate

monitoring


8/30

SecuringDatainYourDatabase

eDBA2010 8

Encrypon Masking Classificaon AccessControl

AcvityMonitoring ChangeTracking DiscoveryandAssessment

SecureConfiguraon


9/30

DatabaseCentricSoluons

User

Management

Access

Control

Encryption &

MaskingMonitoring

Non default & Strongpasswords

Centralized Credentialsfor all users (esp.Privileged Users)

User LifecycleManagement

Strong authentication

Secure Configuration

(best practice)

Privileged UserControls.

Reduction in sharedaccount usage.

Who, When, Where,How?

Data Classification.

Row and Column levelcontrol.

Data at Rest

Data in Motion

Masking of Data in Liveand Test

Dump File Encryption

Backup Encryption

Auditing at database level

Targeted Auditing (e.g. highvalue)

Audit Consolidation

Pro-active alerting

Audit data protection

Attestation of policycompliance

Change Discipline andDetection


10/30

EnterpriseUserSecurity

User authenticates to database withusername and password as usual

Client

Database defers authentication toOracle Directory Services

User is mapped to aphysical database user,

with database rolesgranted

1

2

4

3

Oracle Directory Services validates

user credentials


11/30

CentralCredenalStore

DBA, Developer orApplication User

HR

CRM

DEV

Directory Servicesprovides centralauthentication


12/30

TheBiggerPicture

Existing Directories

(e.g. MS AD)

Other User credential stores

(e.g. HR)

Attestation of access

(compliance reports) Provisioning/De-Provisioning

Centralized Credentials fordatabase login

Centralized Credentials forOS Login

(OS Authentication Services)


13/30

DatabaseDefense-in-Depth

eDBA2010 13

Monitoring

AccessControl

Encrypon&Masking

Monitoring

ConfiguraonManagementAuditVaultTotalRecallAccessControl

DatabaseVaultLabelSecurity

AdvancedSecuritySecureBackupDataMasking

Encrypon&Masking


14/30


eDBA2010 14

Monitoring

AccessControl

Encrypon&Masking

Monitoring




Encryp7on&Masking


15/30

Disk

Backups

Exports

Off-SiteFacilies

OracleAdvancedSecurityTransparentDataEncrypon

eDBA2010 15

CompleteencryponfordataatrestNoapplicaonchangesrequired

Efficientencryponofallapplicaondata

Built-inkeylifecyclemanagement

Applicaon


16/30

OracleAdvancedSecurityNetworkEncrypon&StrongAuthencaon

eDBA2010 16

Standard-basedencryponfordataintransitStrongauthencaonofusersandserversNoinfrastructurechangesrequiredEasytoimplement


17/30

OracleSecureBackupIntegratedTapeorCloudBackupManagement

eDBA2010 17

SecuredataarchivaltotapeorcloudEasytoadministerkeymanagement

FastestOracleDatabasetapebackups

Leveragelow-costcloudstorage


18/30

OracleDataMaskingDataDe-Idenficaon

eDBA2010 18

Removesensivedatafromnon-producondatabasesReferenalintegritypreservedsoapplicaonsconnuetowork

Sensivedataneverleavesthedatabase

Extensibletemplatelibraryandpoliciesforautomaon

LAST_NAME NI_NUM SALARY

ANSKEKSL AD124578A 60,000

BKJHHEIEDK BC985412R 40,000

LAST_NAME NI_NUM SALARY

AGUILAR JE114414C 40,000

BENSON 323-22-2943 60,000

Producon Non-Producon


19/30


eDBA2010 19

Monitoring

AccessControl

Encrypon&Masking

Monitoring




Encrypon&Masking


20/30

OracleDatabaseVaultSeparaonofDues&PrivilegedUserControls

eDBA2010 20

DBAseparaonofdues Limitpowersofprivilegedusers

Securelyconsolidateapplicaondata

Noapplicaonchangesrequired

Procurement

HR

Finance

Applicaon

select*fromfinance.customers

DBA


21/30

OracleDatabaseVaultMul-FactorAccessControlPolicyEnforcement

eDBA2010 21

Protectapplicaondataandpreventapplicaonby-pass Enforcewho,where,when,andhowusingrulesandfactors Out-of-theboxpoliciesforOracleapplicaons,customizable

Procurement

HR

RebatesApplicaon


22/30

ClassifyusersanddatabasedonbusinessdriversDatabaseenforcedrowlevelaccesscontrol

UsersclassificaonthroughOracleIdentyManagementSuite

Classificaonlabelscanbefactorsinotherpolicies

OracleLabelSecurityDataClassificaonforAccessControl

eDBA2010 22

Confidenal Sensive

Transacons

ReportData

Reports

Sensive

Confidenal

Public


23/30


eDBA2010 23

Monitoring

AccessControl

Encrypon&Masking

Monitoring

Configura7onManagementAuditVaultTotalRecallAccessControl



Encrypon&Masking


24/30

OracleAuditVaultAutomatedAcvityMonitoring&AuditReporng

eDBA2010 24

Consolidateauditdataintosecurerepository Detectandalertonsuspiciousacvies Out-of-theboxcompliancereporng Centralizedauditpolicymanagement

CRMData

ERPData

Databases

HRData

AuditData

Policies

Built-inReports

Alerts

CustomReports

!

Auditor


25/30

OracleTotalRecallSecureChangeTracking

eDBA2010 25

selectsalaryfromempASOFTIMESTAMP

'02-MAY-0912.00AMwhereemp.tle=admin

TransparentlytrackdatachangesEfficient,tamper-resistantstorageofarchivesReal-meaccesstohistoricaldataSimplifiedforensicsanderrorcorrecon


26/30

ConfiguraonManagementVulnerabilityAssessment&SecureConfiguraon

eDBA2010 26

DatabasediscoveryConnuousscanningagainst375+bestpraccesandindustrystandards,extensible

DetectandpreventunauthorizedconfiguraonchangesChangemanagementcompliancereports

ConfiguraonManagement&Audit

VulnerabilityManagement

Fix

Analysis&Analycs

Priorize

PolicyManagement

AssessClassify MonitorDiscover

AssetManagement


27/30

ConfiguraonChangeConsole

RealTimechangedetecon&Noficaon

Providepointinmeaestaon

Dashboard reportingand visualization


28/30


eDBA2010 28

Monitoring

AccessControl

Encrypon&Masking

Monitoring




Encrypon&Masking


29/30

Summary

eDBA2010 29

Transparent

Integrated

ComprehensiveCost-Effecve


30/30

TesngintheRealWorld

Seminar28thAprilOracleEdinburghOffice

eDBA2010

Documents

DatabaseSecruity-Whythelongface-JamesAnthony