Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
Oracle’s Maximum Database Security Architecture
Marcin Kozak
Software Architect, Security
Program Agenda
• The State of Security
• Oracle Maximum Database Security Architecture
• Protecting Enterprise Databases
– What is the threat?
– How is it exploited?
– How can you protect against it?
• Q&A
Why Maximum Security?
Two Thirds of Sensitive and Regulated Information now Resides in Databases … and Doubling Every Two Years
Source: "Effective Data Leak Prevention Programs: Start by Protecting Data at the Source — Your Databases", IDC, August 2011
Examples of such data (figure): classified government information, trade secrets, competitive bids, corporate plans, source code, bug databases, credit cards, customer data, financial data, HR data, citizen data.
The 2000-2010 Decade Landscape
• IT Landscape
– Highly available and scalable
– Outsourcing, offshoring, Third Party Service Providers
• Threat Landscape
– SQL Injection introduced (Oct 2000), Insider Threats
– Advanced Persistent Threats (APT), Organized Crime, State Sponsored, …
• Regulatory Landscape
– SOX (2002), C-SOX (2003), J-SOX (2006), Australian CLERP-9 (2004), …
– Payment Card Industry (2.0 in Oct 2010), Breach disclosure laws
Landscape Looking Ahead
• IT Landscape
– Vanishing perimeter dissolves insider/outsider differences
– Data consolidation, massive warehouses
– Public/private cloud, partner, globalization
• Threat Landscape
– Sophisticated hacking tools, bot networks, supply chain
– Cyber terrorism and warfare sponsored by nation states
– Databases to become a prime target
• Regulatory Landscape
– Moving from pure detective controls to preventive controls
– All countries and states joining in protecting PII data
Is IT Security Addressing Databases?
"Forrester estimates that although 70% of enterprises have an information security plan, only 20% of enterprises have a database security plan."
Source: Creating An Enterprise Database Security Plan, Forrester Research Inc., July 2010
Chart of security areas compared: endpoint security, vulnerability management, network security, email security, authentication security, database security.
Database Security – Big Picture
Diagram of controls around applications and the database: network SQL monitoring and blocking, encrypted database, data masking, multi-factor authorization, unauthorized DBA activity, compliance scan, vulnerability scan, data discovery, activity audit, patch automation, auditing, authorization, authentication.
Sources of Vulnerability: Attacks can come from anywhere
Applications
• SQL Injection attack
• Application Bypass
Test and Dev
• Access to production data in non-secure environment
• Access to production systems for troubleshooting
Administrative Account Misuse
• System admin, DBA, Application admins
• Stolen credentials, Inadequate training, Malicious Insiders
Operations
• Lost / Stolen Backups
• Direct OS Access
Operations
What
• Data files can be accessed directly at the operating system (OS) level, bypassing all database controls
How
• Gain access to OS root account, Oracle software account, Oracle DBA account
• Copy or search raw database files
Protection Strategy
• Encrypt database files
• OS level auditing
• Limit accounts on production servers
Transparent Data Encryption (Oracle Advanced Security)
Diagram: application data stays encrypted on disk, in backups, in exports and at off-site facilities.
• Protects from unauthorized OS level or network access
• Efficient encryption of all application data
• Built-in key lifecycle management
• No application changes required
Account Misuse
What
• Privileged accounts are targets of attack
How
• Privileged accounts have unfettered access
Protection Strategy
• Limit administrative account access to the database
• Audit privileged user activity
• Preventive controls around application data
Database Operational Controls (Oracle Database Vault)
Diagram: Procurement, HR and Finance data consolidated in one database; the application reaches its data through the controls, while a DBA issuing "select * from finance.customers" directly is subject to them.
• Limit powers of privileged users, and enforce SoD
• Protect application data and prevent application by-pass
• Enforce who, where, when, and how using rules and factors
• Securely consolidate application data
• No application changes required
Audit Consolidation & Reporting (Oracle Audit Vault)
• Consolidate audit data into secure repository
• Detect and alert on suspicious activities
• Out-of-the box compliance reporting
Diagram: audit data from CRM/ERP, custom application and HR databases flows into the audit data repository, where policies drive built-in reports, custom reports and alerts for the auditor.
Test and Dev
What
• Production data frequently copied to development and test
• PII data unnecessarily exposed
How
• Test and dev systems may not be as well monitored or protected as production systems
Protection Strategy
• Mask sensitive production data before transferring
• Restrict connectivity between test/dev and production
Irreversible De-Identification (Oracle Data Masking)
• Reduce scope of audit with irreversible de-identification on non-production databases
• Referential integrity preserved so applications continue to work
• Extensible template library and policies for automation
Production:
LAST_NAME   SSN          SALARY
AGUILAR     203-33-3234  40,000
BENSON      323-22-2943  60,000
Non-Production (masked):
LAST_NAME   SSN          SALARY
ANSKEKSL    111-23-1111  40,000
BKJHHEIEDK  222-34-1345  60,000
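The keyed, one-way substitution sketched in the slide's table, as an added Python example that is not Oracle Data Masking's implementation: a constructed EMPLOYEES table and a PAYROLL table share SSN as a join key, and the masker maps each value consistently so the join still works in the non-production copy while the original values cannot be recovered without the key. MASK_KEY, the table contents and the column policy are constructed for the example.

```python
import hashlib
import hmac
import string

# Constructed sample tables (not real data). EMPLOYEES and PAYROLL share SSN as
# the join key, so each SSN must mask to the same value in both tables or the
# application's joins break.
EMPLOYEES = [
    {"LAST_NAME": "AGUILAR", "SSN": "203-33-3234", "SALARY": 40000},
    {"LAST_NAME": "BENSON", "SSN": "323-22-2943", "SALARY": 60000},
]
PAYROLL = [
    {"SSN": "203-33-3234", "MONTH": "2011-09", "PAID": 3333},
    {"SSN": "323-22-2943", "MONTH": "2011-09", "PAID": 5000},
]

# Hypothetical one-off masking key: used on the production side while the copy
# is produced and then discarded, so nothing in the non-production database can
# be mapped back to the original values.
MASK_KEY = b"constructed-one-off-masking-key"


def _digest(label: str, value: str) -> bytes:
    # Keyed hash: deterministic for a given key (same input -> same output) and one-way.
    return hmac.new(MASK_KEY, f"{label}:{value}".encode(), hashlib.sha256).digest()


def mask_name(name: str) -> str:
    """Replace a name with a same-length uppercase token (cf. ANSKEKSL on the slide)."""
    d = _digest("name", name)
    return "".join(string.ascii_uppercase[b % 26] for b in d[: len(name)])


def mask_ssn(ssn: str) -> str:
    """Replace an SSN with a format-preserving NNN-NN-NNNN value."""
    digits = "".join(str(b % 10) for b in _digest("ssn", ssn)[:9])
    return f"{digits[:3]}-{digits[3:5]}-{digits[5:]}"


def mask_rows(rows, policy):
    """Apply {column: masker} to each row; columns not in the policy (SALARY) are kept."""
    return [{col: policy.get(col, lambda v: v)(val) for col, val in row.items()}
            for row in rows]


def masked_copy():
    """Produce the non-production copy of both tables under one masking policy."""
    policy = {"LAST_NAME": mask_name, "SSN": mask_ssn}
    return mask_rows(EMPLOYEES, policy), mask_rows(PAYROLL, policy)
```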
Applications
What
• Applications may be vulnerable to SQL Injection attacks
• Legacy applications particularly vulnerable
How
• Application input fields can be misused
Protection Strategy
• Monitor in-bound application SQL
• Block unauthorized SQL before it reaches the database
First Line of Defense on the Network (Oracle Database Firewall)
• Monitors database activity, and prevents attacks and SQL injections
• White-list, black-list, and exception-list based security policies based upon highly accurate SQL grammar based analysis
• In-line blocking and monitoring, or out-of-band monitoring modes
Diagram: application SQL passes through the firewall, whose policies drive built-in reports, custom reports and alerts; each statement is handled by Block, Log, Allow, Alert or Substitute.
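A grammar-shape white-list of the kind the slide describes, as an added Python example (not Oracle Database Firewall's engine): each statement is reduced to its grammatical shape by replacing literals with placeholders, so the application's known statements match whatever values they carry, while a statement whose structure changed (an injected clause, or the DBA-style full table read from the Database Vault slide) does not. The tokenizer, the policy lists and the sample statements are constructed for the example.

```python
import re

# Tokenizer for a small SQL subset: quoted strings ('' escapes a quote),
# numbers, identifiers/keywords, two-character operators, any other symbol.
_TOKEN = re.compile(r"'(?:[^']|'')*'|\d+(?:\.\d+)?|[A-Za-z_][A-Za-z0-9_]*|<>|<=|>=|\S")


def sql_shape(stmt: str) -> str:
    """Reduce a statement to its grammatical shape: literals become placeholders,
    words are case-folded, whitespace is normalised. Values no longer matter,
    structure does."""
    shape = []
    for tok in _TOKEN.findall(stmt.strip().rstrip(";")):
        if tok.startswith("'"):
            shape.append("'?'")
        elif tok[0].isdigit():
            shape.append("?")
        else:
            shape.append(tok.upper())
    return " ".join(shape)


# Constructed policy. The white-list holds the shapes the application issues
# legitimately (collected in out-of-band monitoring mode); the black-list holds
# shapes that must never arrive from the application tier.
WHITE_LIST = {
    sql_shape("SELECT name, balance FROM accounts WHERE id = 42"),
    sql_shape("UPDATE accounts SET balance = 100 WHERE id = 42"),
    sql_shape("INSERT INTO audit_note (id, text) VALUES (1, 'hello')"),
}
BLACK_LIST = {sql_shape("SELECT * FROM finance.customers")}


def decide(stmt: str) -> str:
    """Firewall action for one statement: BLOCK, ALLOW, or ALERT for the
    exception list (unknown shape: logged and alerted, blocked when in-line)."""
    shape = sql_shape(stmt)
    if shape in BLACK_LIST:
        return "BLOCK"
    if shape in WHITE_LIST:
        return "ALLOW"
    return "ALERT"


def evaluate(statements):
    """Decide every statement in a captured batch; returns (action, statement) pairs."""
    return [(decide(s), s) for s in statements]
```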
Issues to Ponder?
1 Is our IP secured?
2 Can we defend against APTs and other attacks?
3 Would we know if we were breached?
4 Do privileged users know what they should not?
5 Are we in compliance with all regulations?
Q&A