Oracle DB Security_Customers


  • 7/30/2019 Oracle DB Security_Customers

    1/21

    Oracle Database security options


    Agenda

    Business Drivers

    Oracle DB security solutions overview

    Database Firewall

    Q&A



    How is Data Compromised? (Source: Verizon 2010 Data Breach Investigations Report)


    What do you need to audit?

    Periodic reviews of the rights granted to users

    Special controls over system utilities and audit tools

    Monitoring of system access and use to detect unauthorized activity

    Separation of duties to reduce the risk of error or fraud

    Maintenance of audit records and monitoring of system use

    Supports incident management:

    must be protected

    Maintain strict, formal change control, properly supported by IT systems in the case of complex environments or a high number of changes

    Formal procedures for reporting information security incidents and the vulnerabilities associated with information systems

    Established procedures for responding appropriately to reported security incidents and vulnerabilities


    Today's agenda

    Current State

    What is RAC? Database Security

    RAC for Scalability

    RAC for High Availability

    Consolidation with RAC


    Oracle Database Security

    Defense-in-Depth

    Access Control: Oracle Database Vault

    Encryption and Masking: Oracle Advanced Security, Oracle Secure Backup, Oracle Data Masking

    Auditing and Tracking: Oracle Audit Vault, Oracle Configuration Management, Oracle Total Recall

    Monitoring and Blocking: Oracle Database Firewall


    Oracle Advanced Security: Protect data on Network, Disk, and Tape

    Transparent Data Encryption (TDE)

    No application changes

    Tablespace and column encryption

    Encrypted backups (RMAN) and Data Pump exports

    Encrypt Oracle SecureFiles (LOBs)

    Built-In Key Management: transparent, automated; Hardware Security Module (HSM)

    Network Encryption: SSL/TLS; native (no certificates required)

    Strong Authentication: Kerberos, PKI

    Encrypted Disks, Backups, Exports


    Oracle Advanced Security: Tablespace Encryption

    Encrypt all application data

    Encrypt entire database files

    No need to worry about encrypting individual columns

    High performance

    Integrated with Oracle data compression

    No application changes

    All data types

    Index range scans

    Diagram: data is in the clear in the SQL layer and buffer cache (SSN = 987-65-..) and encrypted (*M$b@^s%&d7) in data blocks, undo blocks, temp blocks, flashback logs, and redo logs


    Oracle Database Vault: Feature Overview

    Controls on privileged users: restrict privileged users from accessing application data

    Enforces separation of duty

    Multi-factor authorization: controls access based on IP address, authentication method, time of day, ...

    Transparency: no changes to applications required

    Diagram labels: Existing Oracle Database; Protection Realms; Command Rules; Separation of Duty; Multi-Factor Authorization; Realm Violation


    Oracle Database Vault: Privileged User Controls

    Database DBA views HR data: the DBA runs SELECT * FROM HR.EMP against the HR Realm, and Oracle Database Vault blocks it

    Compliance and protection from insiders

    HR App owner views Fin. data: the HR App is confined to the HR Realm and the FIN App to the FIN Realm

    Eliminates security risks from server consolidation


    Need for Label Based Access Control

    Key Drivers

    Multi-Level Security (MLS): government & defense

    Data classification

    Security and compliance

    Key Requirements

    Transparent

    Performant

    Highly flexible

    Evaluated*

    * Note: US NTISSP #11 requires all systems used in National Security systems to be evaluated

    Diagram: a Secret-cleared user runs "Select * from Contracts;" against rows labelled Secret, Top Secret and Secret; only the Secret data is returned


    Oracle Label Security: Real Time Label Based Access Control

    Data Classification

    Assign data classification to rows

    Transparent, hidden column

    Low storage overhead

    Diagram labels: Confidential, Sensitive, Highly Sensitive

    User Label Authorizations

    Enforce need-to-know

    Assign label authorizations to database and application users

    Transparent enforcement

    Built-in proxy capability for application user models

    Oracle Label Security 10.2.0.3 has a Common Criteria (CC) EAL4+ evaluation


    Oracle Secure Backup: Integrated Tape Backup Management

    Protects entire environment: Oracle Database 11g, Oracle Database 10g, Oracle9i; application files (OSB 10.2)

    Built-in Oracle advantage: single-vendor advantage; integration with RMAN

    Fastest backup for Oracle: 25-40% faster than competition

    Express version: OSB Express protects one server to one attached tape drive; no encryption; bundled with Oracle Database

    Diagram: Oracle Secure Backup (centralized tape backup management) writes Oracle Databases and file system data (UNIX, Linux, Windows, NAS) to tape


    What is data masking?

    What: the act of anonymizing customer, financial, or company confidential data to create new, legible data which retains the data's properties, such as its width, type, and format.

    Before masking:

    LAST_NAME   SSN          SALARY
    AGUILAR     203-33-3234  40,000
    BENSON      323-22-2943  60,000
    DSOUZA      989-22-2403  80,000
    FIORANO     093-44-3823  45,000

    Why: to protect confidential data in test environments when the data is used by developers or offshore vendors, and when customer data is shared with 3rd parties without revealing personally identifiable information.

    After masking:

    LAST_NAME   SSN          SALARY
    ANSKEKSL    11123-1111   40,000
    BKJHHEIEDK  111-34-1345  60,000
    KDDEHLHESA  111-97-2749  80,000
    FPENZXIEK   111-49-3849  45,000


    Secure Test System Deployment: Oracle Data Masking in EM 11g

    Production:

    LAST_NAME   SSN          SALARY
    AGUILAR     203-33-3234  40,000
    BENSON      323-22-2943  60,000

    Test (masked):

    LAST_NAME   SSN          SALARY
    SMITH       11123-1111   60,000
    MILLER      222-34-1345  40,000

    NEW: Masking of heterogeneous databases via database gateways

    NEW: Command line (EMCLI) support for data masking actions

    Deploy secure test system by masking sensitive data

    Sensitive data never leaves the database

    Extensible template library and policies for automation

    Sophisticated masking: condition-based, compound, deterministic

    Integrated masking and cloning

    Leverage masking templates for common data types
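    The format-preserving, deterministic masking that the two data masking slides describe, as an added example that is not Oracle's code: a keyed hash (HMAC) with a constructed key stands in for Oracle Data Masking's own formats, the row layout follows the slides' LAST_NAME / SSN / SALARY tables, and SALARY is passed through untouched.

```python
"""Added example, not Oracle Data Masking code: deterministic, format-preserving
masking of the LAST_NAME / SSN / SALARY rows from the slides.  The same value
with the same key always masks to the same output, so masked tables still join;
SSNs keep their NNN-NN-NNNN layout, names keep width and case, and SALARY is
left as-is.  The key and the sample rows are constructed for this demo."""
import hashlib
import hmac
import string

# Constructed demo key: in real use it lives in a key manager, never on the test system.
MASK_KEY = b"demo-masking-key-not-for-production"


def _digest(column: str, value: str) -> bytes:
    # Keyed hash: not reversible without the key, and the same value in two
    # different columns does not mask to the same output.
    return hmac.new(MASK_KEY, f"{column}:{value}".encode(), hashlib.sha256).digest()


def mask_name(name: str) -> str:
    """Replace each letter with a key-derived letter; width and case are kept."""
    digest = _digest("LAST_NAME", name)
    out = []
    for i, ch in enumerate(name):
        if ch.isalpha():
            letter = string.ascii_uppercase[digest[i % len(digest)] % 26]
            out.append(letter if ch.isupper() else letter.lower())
        else:
            out.append(ch)            # hyphens, apostrophes and spaces survive
    return "".join(out)


def mask_ssn(ssn: str) -> str:
    """Replace every digit but keep the NNN-NN-NNNN layout; reject bad input."""
    parts = ssn.split("-")
    if [len(p) for p in parts] != [3, 2, 4] or not all(p.isdigit() for p in parts):
        raise ValueError(f"not an NNN-NN-NNNN SSN: {ssn!r}")
    digits = iter(_digest("SSN", ssn))          # 32 bytes available, 9 digits needed
    return "-".join("".join(str(next(digits) % 10) for _ in p) for p in parts)


def mask_rows(rows):
    """Mask the PII columns of (LAST_NAME, SSN, SALARY) rows; SALARY is kept."""
    return [(mask_name(name), mask_ssn(ssn), salary) for name, ssn, salary in rows]


# Constructed sample matching the slide's production table
PRODUCTION_ROWS = [("AGUILAR", "203-33-3234", "40,000"),
                   ("BENSON", "323-22-2943", "60,000")]
```

    Because the mapping is keyed and deterministic, the same SSN masks identically in every table cloned with the same key, which is what keeps foreign-key joins working in the test system.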


    Oracle Audit Vault: Automated Activity Monitoring & Audit Reporting

    Diagram: audit data from databases (CRM data, ERP data, HR data) is collected into Audit Vault, which holds audit data and policies and produces built-in reports, custom reports, and alerts for the auditor

    Consolidate audit data into secure repository

    Detect and alert on suspicious activities

    Out-of-the box compliance reporting

    Centralized audit policy management


    Oracle Audit Vault: Trust-but-Verify

    Consolidate and secure audit data

    Out-of-the Box

    Alert on security threats

    Lower IT costs with entitlements & audit policies

    Sources: Oracle Database, IBM DB2, Microsoft SQL Server, Sybase ASE


    Oracle Audit Vault: Heterogeneous Database Support

    Microsoft SQL Server versions 2000, 2005, & 2008

    - Server side trace: set specific audit event

    - Windows event: audit specific audit events that are viewed by the Windows event viewer

    - them in the audit log

    IBM DB2 8.2 - 9.5 on Linux, Unix, Windows: extract binary audit files into a trace file

    Sybase ASE 12.5.4 - 15.0.x: utilize the native audit tables


    Oracle Database Firewall: First Line of Defense

    Monitor database activity to help prevent unauthorized activity, application bypass and SQL injections

    Highly accurate SQL grammar based analysis

    White-list, black-list, and exception-list based security policies

    Built-in and custom compliance reports for regulations

    Diagram: SQL from applications passes through the firewall, whose actions are block, log, allow, alert, or substitute; built-in and custom reports are produced

    2011 Oracle Corporation 19


    Oracle Database Firewall: Positive Security Model Based Enforcement

    Diagram: applications' SQL is checked against the white list; matching statements are allowed, the rest are blocked


    White-list based policies enforce normal or expected behavior

    Policies evaluate factors such as time, day, network, and application

    Easily generate white-lists for any application

    Out of policy SQL statements can be logged, alerted, blocked or substituted with a harmless SQL statement

    SQL substitution foils attackers without disrupting applications
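    The white-list enforcement and SQL substitution described on the two Database Firewall slides, as an added example that is not Oracle's code: sql_shape is a deliberately small tokenizer standing in for the product's SQL grammar analysis, and SqlFirewall, its action names, the white-list and the sample statements are all constructed here.

```python
"""Added example, not Oracle Database Firewall code: a toy positive security
model.  Each statement is reduced to its grammar shape (keywords and identifiers
kept, literals replaced by '?'), the shape is looked up in a white-list learned
from the application's normal traffic, and anything else gets the configured
action: log, alert, block, or substitute a harmless statement."""
import re
from collections import namedtuple

# string literal | number | identifier or keyword (dotted names allowed) | one other char
_TOKEN = re.compile(r"'(?:[^']|'')*'|\d+(?:\.\d+)?|[A-Za-z_][\w.$]*|\S")

Decision = namedtuple("Decision", "action statement shape")


def sql_shape(sql: str) -> str:
    """Grammar-based normalization: the same statement with different values
    has the same shape, so the white-list matches behaviour, not exact text."""
    out = []
    for tok in _TOKEN.findall(sql.strip().rstrip(";")):
        if tok.startswith("'") or tok[0].isdigit():
            out.append("?")            # every literal collapses to a placeholder
        elif tok[0].isalpha() or tok[0] == "_":
            out.append(tok.upper())    # keywords and identifiers: case-insensitive
        else:
            out.append(tok)            # operators and punctuation kept as-is
    return " ".join(out)


class SqlFirewall:
    def __init__(self, white_list, out_of_policy="block",
                 substitute="SELECT 'out of policy' FROM DUAL"):
        self.white_list = {sql_shape(s) for s in white_list}
        self.out_of_policy = out_of_policy   # one of: log, alert, block, substitute
        self.substitute = substitute         # harmless statement sent instead
        self.violations = []                 # (action, shape) records for reporting

    def learn(self, sql: str) -> None:       # build the white-list from known-good SQL
        self.white_list.add(sql_shape(sql))

    def evaluate(self, sql: str) -> Decision:
        shape = sql_shape(sql)
        if shape in self.white_list:
            return Decision("allow", sql, shape)
        self.violations.append((self.out_of_policy, shape))   # always recorded
        if self.out_of_policy == "substitute":
            return Decision("substitute", self.substitute, shape)
        if self.out_of_policy == "block":
            return Decision("block", None, shape)
        return Decision(self.out_of_policy, sql, shape)       # log/alert: pass through
```

    A statement the application never issued, such as a direct SELECT * FROM HR.EMP that bypasses the application, has no white-listed shape and is replaced by the harmless statement, so the caller gets a well-formed but empty result instead of an error that would reveal the control.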
