7/30/2019 Oracle DB Security_Customers
1/21
Oracle Database security options
7/30/2019 Oracle DB Security_Customers
2/21

Agenda
- Business Drivers
- Oracle DB security solutions overview
- Database Firewall
- Q&A

How is Data Compromised?
Source: Verizon 2010 Data Breach Investigations Report

What do you need to audit?
- Periodic reviews of the rights granted to users
- Special controls over system utilities and audit tools
- Tracking of system access and use to detect unauthorized activity
- Separation of duties to reduce the risk of error or fraud
- Maintenance of audit records and monitoring of system use
- Support for incident management (the audit information must be protected)
- Strict, formal change control, properly supported by IT systems in the case of complex environments or a high volume of changes
- Formal procedures for reporting information security incidents and the vulnerabilities associated with information systems
- Established procedures for an adequate response to reported security incidents and vulnerabilities

Today's agenda
- Current state
- What is RAC?
- Database security
- RAC for scalability
- RAC for high availability
- Consolidation with RAC

Oracle Database Security
Defense-in-Depth

Access Control
- Oracle Database Vault
- Oracle Label Security

Encryption and Masking
- Oracle Advanced Security
- Oracle Secure Backup
- Oracle Data Masking

Auditing and Tracking
- Oracle Audit Vault
- Oracle Configuration Management
- Oracle Total Recall

Monitoring and Blocking
- Oracle Database Firewall

Oracle Advanced Security
Protect data on Network, Disk, and Tape

Transparent Data Encryption (TDE)
- No application changes
- Tablespace and column encryption
- Encrypted backups (RMAN) and Data Pump exports
- Encrypt Oracle SecureFiles (LOBs)
- Built-in key management: transparent, automated
- Hardware Security Module (HSM)

Network Encryption
- SSL/TLS
- Native: no certificates required

Strong Authentication
- Kerberos, PKI

(Diagram: network encryption and strong authentication between clients and the database; encrypted disks, backups and exports behind it.)

Oracle Advanced Security
Tablespace Encryption

Encrypt all application data
- Encrypt entire database files
- No need to worry about encrypting individual columns

High performance
- Integrated with Oracle data compression
- No application changes
- All data types
- Index range scans

(Diagram: data is in clear text in the SQL layer and buffer cache, e.g. "SSN = 987-65-..", and encrypted on disk, e.g. "*M$b@^s%&d7", in data blocks, undo blocks, temp blocks, flashback logs and redo logs.)

Oracle Database Vault
Feature Overview

Controls on privileged users
- Restrict privileged users from accessing application data
- Enforces separation of duty

Multi-factor authorization
- Controls access based on IP address, authentication method, time of day, ...

Transparency
- No changes to applications required

(Diagram: an existing Oracle Database with Protection Realms, Command Rules, Separation of Duty and Multi-Factor Authorization; a Realm Violation is shown.)

Oracle Database Vault
Privileged User Controls

(Diagram: a DBA issuing SELECT * FROM HR.EMP is stopped by the HR Realm; the HR App reaches the HR schema and the FIN App reaches the FIN schema, each inside its own realm.)

- Stops the database DBA from viewing HR data: compliance and protection from insiders
- Stops the HR App owner from viewing Fin. data: eliminates security risks from server consolidation
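The two slides above describe a realm as a check that runs before ordinary privilege evaluation, so a system privilege such as SELECT ANY TABLE no longer lets a DBA read HR data. The following toy model, added here as an example and not Oracle Database Vault code, shows that ordering on a constructed HR/FIN database. The schema and realm names come from the slide; the Database and Realm classes, the account names HR_APP and FIN_APP, the grants and the sample rows are assumptions made for the demo.

```python
"""Toy model of protection realms: the realm check runs before the ordinary
privilege check, so SELECT ANY TABLE alone cannot read realm-protected data.
Constructed example; not Oracle Database Vault code."""

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Realm:
    """A protection realm: the schemas it covers and the accounts allowed in."""
    name: str
    schemas: frozenset
    authorized: frozenset


@dataclass
class Database:
    # account -> system privileges; SELECT ANY TABLE is what lets a DBA read
    # every schema in an unprotected database
    system_privs: dict = field(default_factory=dict)
    # "SCHEMA.TABLE" -> accounts holding an object-level SELECT grant
    object_grants: dict = field(default_factory=dict)
    realms: list = field(default_factory=list)
    tables: dict = field(default_factory=dict)  # "SCHEMA.TABLE" -> rows

    def realm_for(self, schema):
        for realm in self.realms:
            if schema in realm.schemas:
                return realm
        return None

    def select(self, user, qualified_table):
        """SELECT * FROM SCHEMA.TABLE as `user`, realm check first."""
        if qualified_table not in self.tables:
            raise LookupError(qualified_table)
        schema = qualified_table.split(".", 1)[0]
        realm = self.realm_for(schema)
        if realm is not None and user not in realm.authorized:
            # Evaluated before the privilege check, so a powerful system
            # privilege does not carry a non-authorized account past it.
            raise PermissionError(
                f"realm violation: {user} -> {qualified_table} ({realm.name})")
        granted = user in self.object_grants.get(qualified_table, set())
        powerful = "SELECT ANY TABLE" in self.system_privs.get(user, set())
        if not (granted or powerful):
            raise PermissionError(f"insufficient privilege: {user} -> {qualified_table}")
        return list(self.tables[qualified_table])


def build_demo_database(with_realms=True):
    """Constructed HR/FIN database; with_realms=False is the unprotected 'before'."""
    db = Database()
    db.system_privs = {"DBA": {"SELECT ANY TABLE"}}
    db.object_grants = {"HR.EMP": {"HR_APP"}, "FIN.LEDGER": {"FIN_APP"}}
    db.tables = {"HR.EMP": [("AGUILAR", 40000)], "FIN.LEDGER": [("Q1", 1000000)]}
    if with_realms:
        db.realms = [Realm("HR Realm", frozenset({"HR"}), frozenset({"HR_APP"})),
                     Realm("FIN Realm", frozenset({"FIN"}), frozenset({"FIN_APP"}))]
    return db


def attempt(db, user, table):
    """('allowed', rows) or ('denied', reason) for one SELECT attempt."""
    try:
        return "allowed", db.select(user, table)
    except PermissionError as exc:
        return "denied", str(exc)


if __name__ == "__main__":
    for user, table in [("DBA", "HR.EMP"), ("HR_APP", "HR.EMP"), ("HR_APP", "FIN.LEDGER")]:
        print(user, table, attempt(build_demo_database(), user, table))
```

Run it with and without realms to see the difference the slide is selling: the DBA's SELECT on HR.EMP succeeds on the unprotected database and is refused as a realm violation once the HR Realm exists, while HR_APP's own access is unaffected.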

Need for Label Based Access Control

Key Drivers
- Multi-Level Security (MLS): government and defense
- Data classification
- Security and compliance

Key Requirements
- Transparent
- Performant
- Highly flexible
- Evaluated*

* Note: US NTISSP #11 requires all systems used in National Security systems to be evaluated.

(Diagram: a user cleared to Secret runs "Select * from Contracts;" against a table holding Secret and Top Secret rows; only Secret data is returned.)

Oracle Label Security
Real Time Label Based Access Control

Data Classification
- Assign data classification to rows
- Transparent, hidden column
- Low storage overhead

Enforce need-to-know
- Assign label authorizations to database and application users
- Transparent enforcement
- Built-in proxy capability for application user models

(Diagram: rows labelled Confidential, Sensitive and Highly Sensitive; user label authorizations Sensitive and Highly Sensitive.)

Oracle Label Security 10.2.0.3 has a Common Criteria (CC) EAL4+ evaluation.

Oracle Secure Backup
Integrated Tape Backup Management

Protects entire environment
- Oracle Database 11g, Oracle Database 10g, Oracle9i
- Application files (OSB 10.2)

Built-in Oracle advantage
- Single-vendor advantage
- Integration with RMAN
- Fastest backup for Oracle: 25-40% faster than competition

Express version
- OSB Express protects one server to one attached tape drive
- No encryption
- Bundled with Oracle Database

(Diagram: "Oracle Secure Backup: Centralized Tape Backup Management" moving file system data from UNIX, Linux, Windows and NAS hosts, and Oracle databases, to tape.)

What is data masking?

What
The act of anonymizing customer, financial, or company confidential data to create new, legible data which retains the data's properties, such as its width, type, and format.

Why
- To protect confidential data in test environments when the data is used by developers or offshore vendors
- When customer data is shared with 3rd parties without revealing personally identifiable information

Before masking:
LAST_NAME   SSN          SALARY
AGUILAR     203-33-3234  40,000
BENSON      323-22-2943  60,000
DSOUZA      989-22-2403  80,000
FIORANO     093-44-3823  45,000

After masking:
LAST_NAME   SSN          SALARY
ANSKEKSL    11123-1111   40,000
BKJHHEIEDK  111-34-1345  60,000
KDDEHLHESA  111-97-2749  80,000
FPENZXIEK   111-49-3849  45,000

Secure Test System Deployment
Oracle Data Masking in EM 11g

Production:
LAST_NAME   SSN          SALARY
AGUILAR     203-33-3234  40,000
BENSON      323-22-2943  60,000

Test:
LAST_NAME   SSN          SALARY
SMITH       11123-1111   60,000
MILLER      222-34-1345  40,000

- Deploy secure test system by masking sensitive data
- Sensitive data never leaves the database
- Extensible template library and policies for automation
- Sophisticated masking: condition-based, compound, deterministic
- Integrated masking and cloning
- Leverage masking templates for common data types

NEW: Masking of heterogeneous databases via database gateways
NEW: Command line (EMCLI) support for data masking actions
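The definition slide says masked data must stay legible and keep width, type and format, and the EM 11g slide lists condition-based and deterministic masking. The script below is an added example for both slides, not Oracle Data Masking code: it masks LAST_NAME and SSN from the slide's sample rows deterministically (a keyed HMAC, so the same input always maps to the same output and joins between masked tables still line up), keeps the SSN punctuation and the name width, leaves SALARY untouched as the slide does, and applies an optional row condition. The key, helper names and the condition are assumptions.

```python
"""Deterministic, format-preserving masking of a small HR table.
Constructed example written for this page; it is not Oracle Data Masking code."""

import hashlib
import hmac
import string

# In a real deployment the key lives outside the test environment. A fixed
# constructed key is used here only so the demo output is reproducible.
MASKING_KEY = b"constructed-demo-key-not-for-production"


def _prf_bytes(key, value, n):
    """n pseudo-random bytes derived from `value`; same input, same output."""
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, f"{counter}:{value}".encode(), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def _prf_digits(key, value, n):
    # byte % 10 is very slightly biased; acceptable for masking, not for crypto
    return "".join(str(b % 10) for b in _prf_bytes(key, value, n))


def _prf_letters(key, value, n):
    return "".join(string.ascii_uppercase[b % 26] for b in _prf_bytes(key, value, n))


def mask_ssn(ssn, key=MASKING_KEY):
    """Replace every digit, keep the ###-##-#### layout and its dashes."""
    digits = iter(_prf_digits(key, "ssn:" + ssn, sum(ch.isdigit() for ch in ssn)))
    return "".join(next(digits) if ch.isdigit() else ch for ch in ssn)


def mask_name(name, key=MASKING_KEY):
    """Same width as the original, uppercase letters only (legible, not real)."""
    return _prf_letters(key, "name:" + name, len(name))


def mask_rows(rows, condition=lambda row: True, key=MASKING_KEY):
    """Mask LAST_NAME and SSN in each (last_name, ssn, salary) row that
    satisfies `condition`; other rows pass through unchanged (condition-based
    masking). SALARY is kept so aggregates remain testable, as on the slide."""
    masked = []
    for last_name, ssn, salary in rows:
        if condition((last_name, ssn, salary)):
            masked.append((mask_name(last_name, key), mask_ssn(ssn, key), salary))
        else:
            masked.append((last_name, ssn, salary))
    return masked


# sample production rows taken from the slide
PRODUCTION = [
    ("AGUILAR", "203-33-3234", 40000),
    ("BENSON", "323-22-2943", 60000),
    ("DSOUZA", "989-22-2403", 80000),
    ("FIORANO", "093-44-3823", 45000),
]

if __name__ == "__main__":
    for row in mask_rows(PRODUCTION):
        print("%-10s %s %d" % row)
```

Because the mapping is keyed rather than random, re-running the job (or masking a second table that references the same SSNs) yields identical masked values, which is what makes deterministic masking usable for multi-table test data; rotating the key breaks that linkage on purpose.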

Oracle Audit Vault
Automated Activity Monitoring & Audit Reporting

(Diagram: audit data from databases holding CRM, ERP and HR data flows into Audit Vault, which applies policies and produces built-in reports, alerts and custom reports for the auditor.)

- Consolidate audit data into secure repository
- Detect and alert on suspicious activities
- Out-of-the-box compliance reporting
- Centralized audit policy management
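The slide's first two bullets, consolidation and alerting, are the part a detection engineer cares about, so here is an added example of the pattern, not Oracle Audit Vault code: records from three differently shaped feeds are normalised into one schema, ordered in time, and run through two simple rules. The feed formats, the sample records, the privileged-account list and the rules are all constructed for the demo and are not the real products' audit formats.

```python
"""Consolidate audit records from several database products into one schema,
then run rule-based alerting over the consolidated stream. Constructed example
for this page, not Oracle Audit Vault code; the feed layouts are made up."""

import csv
from datetime import datetime
from io import StringIO

# Three constructed feeds, one per product named on the slides, each with its
# own column order and delimiter (the heterogeneity a collector has to absorb).
ORACLE_FEED = """\
2019-07-30T02:14:05,DBA,SELECT,HR.EMP,SUCCESS
2019-07-30T09:01:12,HR_APP,SELECT,HR.EMP,SUCCESS
"""
SQLSERVER_FEED = """\
sa|2019-07-30 02:20:00|Finance.dbo.Ledger|SELECT|0
sa|2019-07-30 02:20:30|Finance.dbo.Ledger|SELECT|0
"""
DB2_FEED = """\
CRMUSR,2019-07-30 10:00:00,CRM.ACCOUNTS,DROP,FAIL
CRMUSR,2019-07-30 10:00:05,CRM.ACCOUNTS,DROP,FAIL
CRMUSR,2019-07-30 10:00:10,CRM.ACCOUNTS,DROP,FAIL
"""

# constructed list of accounts treated as privileged across all sources
PRIVILEGED = {"DBA", "SYS", "SYSTEM", "sa"}


def _record(source, ts, user, action, obj, ok):
    """The single consolidated schema every feed is mapped onto."""
    return {"source": source, "ts": datetime.fromisoformat(ts), "user": user,
            "action": action, "object": obj, "ok": ok}


def parse_oracle(text):
    for ts, user, action, obj, status in csv.reader(StringIO(text)):
        yield _record("oracle", ts, user, action, obj, status == "SUCCESS")


def parse_sqlserver(text):
    for user, ts, obj, action, err in csv.reader(StringIO(text), delimiter="|"):
        yield _record("sqlserver", ts, user, action, obj, err == "0")


def parse_db2(text):
    for user, ts, obj, action, status in csv.reader(StringIO(text)):
        yield _record("db2", ts, user, action, obj, status == "SUCCESS")


def consolidate():
    """All feeds in one list, ordered by time, as a repository would store them."""
    records = [*parse_oracle(ORACLE_FEED), *parse_sqlserver(SQLSERVER_FEED),
               *parse_db2(DB2_FEED)]
    records.sort(key=lambda r: r["ts"])
    return records


def alerts(records, business_hours=(8, 18), failure_threshold=3):
    """Two constructed rules; one alert per (rule, source, user, object) so a
    noisy source does not flood the auditor."""
    start, end = business_hours
    found, seen, failures = [], set(), {}
    for r in records:
        hits = []
        if r["user"] in PRIVILEGED and r["action"] == "SELECT" and not start <= r["ts"].hour < end:
            hits.append("privileged_read_off_hours")
        if not r["ok"]:
            key = (r["user"], r["object"], r["action"])
            failures[key] = failures.get(key, 0) + 1
            if failures[key] >= failure_threshold:
                hits.append("repeated_failures")
        for rule in hits:
            alert = (rule, r["source"], r["user"], r["object"])
            if alert not in seen:
                seen.add(alert)
                found.append(alert)
    return found


if __name__ == "__main__":
    for a in alerts(consolidate()):
        print(a)
```

The value of consolidation shows in the rules: "privileged account reading application data at 2 a.m." is written once and fires for both the Oracle DBA and the SQL Server sa account, which separate per-product reports would never correlate.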

Oracle Audit Vault
Trust-but-Verify

- Consolidate and secure audit data
- Out-of-the-box
- Alert on security threats
- Lower IT costs with entitlements and audit policies

(Diagram: audit sources Oracle Database, IBM DB2, Microsoft SQL Server and Sybase ASE feeding Audit Vault.)

Oracle Audit Vault
Heterogeneous Database Support

- Microsoft SQL Server versions 2000, 2005, & 2008: server-side trace set for specific audit events; Windows event audit for specific audit events that are viewed by the Windows Event Viewer - them in the audit log
- IBM DB2 8.2 - 9.5 on Linux, Unix, Windows: extract binary audit files into a trace file
- Sybase ASE 12.5.4 - 15.0.x: utilize the native audit tables

Oracle Database Firewall
First Line of Defense

(Diagram: applications send SQL through the Database Firewall, which can Block, Log, Allow, Alert or Substitute, and produces built-in and custom reports.)

- Monitor database activity to help prevent unauthorized activity, application bypass and SQL injections
- Highly accurate SQL grammar based analysis
- White-list, black-list, and exception-list based security policies
- Built-in and custom compliance reports for regulations

© 2011 Oracle Corporation

Oracle Database Firewall
Positive Security Model Based Enforcement

(Diagram: applications' SQL is checked against a White List; matching statements are allowed, others blocked.)

- White-list based policies enforce normal or expected behavior
- Policies evaluate factors such as time, day, network, and application
- Easily generate white-lists for any application
- Out-of-policy SQL statements can be logged, alerted, blocked or substituted with a harmless SQL statement
- SQL substitution foils attackers without disrupting applications
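The two firewall slides describe grammar-based analysis with a white list of expected statements and four out-of-policy actions (log, alert, block, substitute). The script below is an added example of that positive security model, not Oracle Database Firewall code. It reduces each statement to a grammatical shape (literals replaced, identifiers upper-cased, comments marked), learns the allowed shapes from observed application traffic, checks one contextual factor (the client network), and applies the configured action to anything else. The tokenizer is a deliberate simplification standing in for a real SQL grammar; the learned statements, the network range, the class names and the substitute statement are all assumptions.

```python
"""White-list SQL policy: statements are compared by grammatical shape, not
text, so a change of literal values passes while an injected clause does not.
Constructed example for this page, not Oracle Database Firewall code."""

import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# comments | string literals | numbers | words | single punctuation characters
_TOKEN = re.compile(
    r"--[^\n]*|/\*.*?\*/|'(?:[^']|'')*'|\d+(?:\.\d+)?|\w+|[^\s\w]", re.S)


def normalize(sql):
    """Reduce a statement to its shape: literals become '?', words are
    upper-cased, comments become COMMENT, whitespace is discarded.
    Simplified tokenizer; a real firewall uses a full SQL grammar."""
    out = []
    for tok in _TOKEN.findall(sql):
        if tok.startswith("--") or tok.startswith("/*"):
            out.append("COMMENT")
        elif tok.startswith("'") or tok[0].isdigit():
            out.append("?")
        else:
            out.append(tok.upper())
    return " ".join(out)


@dataclass
class Decision:
    action: str                   # allow | log | alert | block | substitute
    forwarded_sql: Optional[str]  # what reaches the database; None when blocked
    shape: str


class WhiteListPolicy:
    def __init__(self, learned_statements, app_networks, out_of_policy="block",
                 substitute_with="SELECT NULL FROM DUAL WHERE 1 = 0"):
        # the white list is learned from observed application traffic
        self.allowed = {normalize(s) for s in learned_statements}
        self.app_networks = [ipaddress.ip_network(n) for n in app_networks]
        self.out_of_policy = out_of_policy
        self.substitute_with = substitute_with  # assumed harmless statement

    def _from_application(self, client_ip):
        ip = ipaddress.ip_address(client_ip)
        return any(ip in net for net in self.app_networks)

    def evaluate(self, sql, client_ip):
        shape = normalize(sql)
        if shape in self.allowed and self._from_application(client_ip):
            return Decision("allow", sql, shape)
        if self.out_of_policy == "substitute":
            # the application gets an empty, well-formed result instead of an error
            return Decision("substitute", self.substitute_with, shape)
        if self.out_of_policy == "block":
            return Decision("block", None, shape)
        # log / alert: the statement still passes, but is recorded
        return Decision(self.out_of_policy, sql, shape)


# constructed statements captured from the application during a learning run
LEARNED = [
    "SELECT name FROM emp WHERE id = 42",
    "SELECT name FROM emp WHERE id = 17",
    "UPDATE emp SET salary = 1000 WHERE id = 3",
]

if __name__ == "__main__":
    policy = WhiteListPolicy(LEARNED, ["10.0.0.0/24"], out_of_policy="substitute")
    for sql in ["SELECT name FROM emp WHERE id = 99",
                "SELECT name FROM emp WHERE id = 42 OR 1=1"]:
        print(policy.evaluate(sql, "10.0.0.5"))
```

Two learned statements that differ only in the bound value collapse to one shape, so the list stays short, while the tautology appended to the second query changes the shape and is substituted; the same known-good statement from an unexpected network is also out of policy, which is the "factors such as network and application" bullet.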