Oracle Day 2011
SECURITY and PERFORMANCE is an OPTION (!)
Yalçın Zorman, Managing Partner
OCP 11g, 10g, 9, 8i, 8, 7.3
The Oracle Experts...
• Established in Mar-2006
• Specialized in Oracle Technology (Database, RAC, DataGuard, Developer Tools) & Oracle Applications (eBusiness Suite & Hyperion) products
• 3 Lines of Business
– Oraturk Consulting & Outsourcing
– Oraturk Support
– Oraturk Training
• Providing services to 17 countries including Turkey
• Oracle, IBM & Microsoft Partnership
Facts & Figures
3 Continents & 17 Countries
Europe
• UK, Ireland, Turkey, Finland, Greece, Estonia, Bulgaria, Lithuania, Serbia & Montenegro, Slovenia
Middle East
• Dubai, Kuwait, Saudi Arabia, Qatar, Jordan
Africa
• Nigeria, Ghana
Why Oraturk?
Proven Expertise
• All LOB Directors & Consultants are graduates of "Oracle Turkey (1996 – 2006)"
• Learned & Implemented Oracle products while working for Oracle
• Average Oracle product experience is 10 years
Comprehensive & Specialized Offerings
• Database, E-Business Suite, Applications Server, Java & Development Tools
Accelerate Productivity
• Shortened implementation & learning process
Professional Approach
• Ability to map "product offerings to customer requirements" with a 100% customer satisfaction approach
#1 Database and Most Secure
Database market share (chart): Oracle 48.6%, IBM 20.7%, Microsoft 18.1%, Other 12.6%
"Most DBMS vendors offer basic security features; Oracle's offering is most comprehensive."
Source: Gartner DataQuest, 2008; Forrester Database Security Market Report, 2009
Why Maximum Security?
Two Thirds of Sensitive and Regulated Information now Resides in Databases … and Doubling Every Two Years
Source: "Effective Data Leak Prevention Programs: Start by Protecting Data at the Source — Your Databases", IDC, August 2011
Examples of such data (figure): Classified Govt. Info., Trade Secrets, Competitive Bids, Corporate Plans, Source Code, Credit Cards, Customer Data, Financial Data, HR Data, Citizen Data
Is IT Security Addressing Databases?
"Forrester estimates that although 70% of enterprises have an information security plan, only 20% of enterprises have a database security plan."
Source: Creating An Enterprise Database Security Plan, Forrester Research Inc., July 2010
Security areas compared (chart): Endpoint Security, Vulnerability Management, Network Security, Email Security, Authentication Security, Database Security
Limited Database Controls…
Source: 2010 Independent Oracle User Group Data Security Report
• 70% – System users can read/tamper data stored in database files or storage
• 76% – Cannot prevent DBAs from reading/modifying data
• 68% – Cannot detect if database users are abusing privileges
• 63% – Vulnerable to SQL injection attacks or not sure
• 48% – Copy sensitive production data to non-production environments
• 31% – Likely to get breached over the coming year
More threats than ever…
• 70% of attacks originate inside the firewall
• 90% of attacks are perpetrated by employees with privileged access
More regulations than ever…
• Federal, state, local, industry… adding more mandates every year!
• Need to meet AND demonstrate compliance
• Compliance costs are unsustainable
• Report and audit?
• 90% of companies are behind in compliance
The 2000-2010 Decade Landscape
• IT Landscape
– Highly available and scalable
– Outsourcing, offshoring, Third Party Service Providers
• Threat Landscape
– SQL Injection introduced (Oct 2000), Insider Threats
– Organized Crime
• Regulatory Landscape
– SOX (2002), C-SOX (2003), J-SOX (2006), Australian CLERP-9 (2004), …
– Payment Card Industry (2.0 in Oct 2010), Breach disclosure laws
Landscape Looking Ahead
• IT Landscape
– Vanishing perimeter dissolves insider/outsider differences
– Data consolidation, massive warehouses
– Public/private cloud, partner, globalization
• Threat Landscape
– Databases to become a prime target
– Data = $$$
– Sophisticated hacking tools, Cyber terrorism
• Regulatory Landscape
– Moving from pure detective controls to preventive controls
– All countries joining in protecting Customers’ Personal data
Database Security – Big Picture
Diagram of controls around Applications and the database: Network SQL Monitoring and Blocking; Encrypted Database; Data Masking; Multi-factor authorization; Unauthorized DBA Activity; Compliance Scan; Vulnerability Scan; Activity Audit; Patch Automation; Auditing; Authorization; Authentication
Sources of Vulnerability: Attacks can come from anywhere
Applications
• SQL Injection attack
• Application Bypass
Test and Dev
• Access to production data in non-secure environment
• Access to production systems for troubleshooting
Administrative Account Misuse
• System admin, DBA, Application admins
• Stolen credential, Inadequate training, Malicious Insiders
Operations
• Lost / Stolen Backups
• Direct OS Access
Operations
What
• Data files can be accessed directly at the operating system (OS) level, bypassing all database controls
How
• Gain access to OS root account, Oracle software account, Oracle DBA account
• Copy or search raw database files
Protection Strategy
• Encrypt database files
• OS level auditing
• Limit accounts on production servers
Transparent Data Encryption – Oracle Advanced Security
• Protects from unauthorized OS level or network access
• Efficient encryption of all application data
• Built-in key lifecycle management
• No application changes required
Diagram: data stays encrypted from the Application through to Disk, Backups, Exports and Off-Site Facilities
Account Misuse
What
• Privileged accounts are targets of attack
How
• Privileged accounts have the ability to access critical data
Protection Strategy
• Limit administrative account access to the database
• Audit privileged user activity
• Preventive controls around application data
Database Operational Controls – Oracle Database Vault
• Limit powers of privileged users, and enforce SoD
• Protect application data and prevent application by-pass
• Enforce who, where, when, and how using rules and factors
• Securely consolidate application data
• No application changes required
Diagram: realms protect the Procurement, HR and Finance application schemas; the Application reaches its data through the realm, while a DBA issuing "select * from finance.customers" directly is checked against the realm rules
Audit Consolidation & Reporting – Oracle Audit Vault
• Consolidate audit data into secure repository
• Detect and alert on suspicious activities
• Out-of-the box compliance reporting
Diagram: audit data from CRM/ERP, Custom App and HR databases is collected into the Audit Vault, where Policies drive Built-in Reports, Custom Reports and Alerts for the Auditor
Test and Dev
What
• Production data frequently copied to development and test
• Data unnecessarily exposed
How
• Test and dev systems may not be as well monitored or protected as production systems
Protection Strategy
• Mask sensitive production data before transferring
• Restrict connectivity between test/dev and production
Irreversible De-Identification – Oracle Data Masking
• Reduce scope of audit with irreversible de-identification on non-production databases
• Referential integrity preserved so applications continue to work
• Extensible template library and policies for automation

Production:
LAST_NAME    SSN           SALARY
AGUILAR      203-33-3234   40,000
BENSON       323-22-2943   60,000

Non-Production (masked):
LAST_NAME    SSN           SALARY
ANSKEKSL     111-23-1111   40,000
BKJHHEIEDK   222-34-1345   60,000
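The two properties the slide names, irreversibility and preserved referential integrity, can be shown with a small masking routine. This is an added example, not Oracle Data Masking's own code: it uses a keyed one-way function (HMAC-SHA256) with a throwaway key so that the same production value always masks to the same substitute across tables, and it goes one step beyond the slide by adding a second, constructed PAYROLL table that references EMPLOYEES.SSN, to show that the join still works after masking. The EMPLOYEES rows are the slide's production rows; PAYROLL, the key and the helper names are constructed for this demo.

```python
"""Deterministic, irreversible de-identification that keeps referential integrity.

Added example, not Oracle Data Masking's own code. EMPLOYEES holds the slide's two
production rows; PAYROLL and the masking key are constructed for this demo.
"""
import hashlib
import hmac
import re
import secrets
import string

SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")

# Constructed sample data: PAYROLL references EMPLOYEES.SSN as a foreign key.
EMPLOYEES = [
    {"LAST_NAME": "AGUILAR", "SSN": "203-33-3234", "SALARY": 40000},
    {"LAST_NAME": "BENSON", "SSN": "323-22-2943", "SALARY": 60000},
]
PAYROLL = [
    {"SSN": "203-33-3234", "MONTH": "2011-09", "NET": 3100},
    {"SSN": "203-33-3234", "MONTH": "2011-10", "NET": 3100},
    {"SSN": "323-22-2943", "MONTH": "2011-10", "NET": 4650},
]


def _digest(key: bytes, value: str) -> bytes:
    """Keyed one-way function: same key + same input -> same output, no way back."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).digest()


def mask_ssn(key: bytes, ssn: str) -> str:
    """Format-preserving substitute: keeps the ###-##-#### shape, digits come from the HMAC."""
    if not SSN_RE.match(ssn):
        raise ValueError(f"not an SSN-shaped value: {ssn!r}")
    digits = "".join(str(b % 10) for b in _digest(key, "ssn:" + ssn)[:9])
    return f"{digits[:3]}-{digits[3:5]}-{digits[5:]}"


def mask_name(key: bytes, name: str) -> str:
    """Same-length uppercase substitute, like the ANSKEKSL / BKJHHEIEDK rows on the slide."""
    letters = []
    block = 0
    while len(letters) < len(name):  # one digest yields 32 letters; loop for longer names
        for b in _digest(key, f"name:{block}:{name}"):
            letters.append(string.ascii_uppercase[b % 26])
        block += 1
    return "".join(letters[: len(name)])


MASKERS = {"SSN": mask_ssn, "LAST_NAME": mask_name}


def mask_rows(key: bytes, rows: list, columns: list) -> list:
    """Return masked copies of rows; columns not listed (e.g. SALARY) are left as-is."""
    return [{**row, **{c: MASKERS[c](key, row[c]) for c in columns}} for row in rows]


def join_count(employees: list, payroll: list) -> int:
    """How many PAYROLL rows still join to an EMPLOYEES row on SSN."""
    keys = {r["SSN"] for r in employees}
    return sum(1 for p in payroll if p["SSN"] in keys)


def demo():
    """Mask both tables with one throwaway key so the foreign-key relationship survives."""
    key = secrets.token_bytes(32)  # generated here, never stored: the mapping cannot be reversed
    masked_employees = mask_rows(key, EMPLOYEES, ["LAST_NAME", "SSN"])
    masked_payroll = mask_rows(key, PAYROLL, ["SSN"])
    return masked_employees, masked_payroll


if __name__ == "__main__":
    emp, pay = demo()
    for row in emp:
        print(row)
    print("payroll rows joining to employees:", join_count(emp, pay), "of", len(pay))
```

The key is what makes the mapping both consistent and irreversible: every table is masked with the same key in one run, and the key is then discarded, so nobody can later recompute the mapping or brute-force the small SSN space against it. Masking must therefore cover every table that carries the key column in the same run, otherwise the foreign keys in the non-production copy stop matching.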
Applications
What
• Applications may be vulnerable to SQL Injection attacks
• Legacy applications particularly vulnerable
How
• Application input fields can be misused
Protection Strategy
• Monitor in-bound application SQL
• Block unauthorized SQL before it reaches the database
First Line of Defense on the Network – Oracle Database Firewall
• Monitors database activity, and prevents attacks and SQL injections
• White-list, black-list, and exception-list based security policies based upon highly accurate SQL grammar based analysis
• In-line blocking and monitoring, or out-of-band monitoring modes
Diagram: SQL from Applications passes through the firewall, whose Policies result in Block, Log, Allow, Alert or Substitute, with Built-in Reports, Custom Reports and Alerts
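The slide's key idea is that the white-list is built on the grammatical shape of a statement rather than its literal text, so an injected tautology changes the shape and is caught even though the application's normal parameter values vary freely. The following is an added illustration of that idea, not Oracle Database Firewall's code: it reduces each statement to a shape (literals become `?`, case and whitespace normalised, comments marked), learns the allowed shapes from constructed sample statements, and then applies the slide's two modes, in-line blocking and out-of-band monitoring. All statement strings, the `SqlFirewall` class and the `<comment>` marker are constructed for this demo.

```python
"""White-list policy based on SQL statement shape (grammar), not literal text.

Added example, not Oracle Database Firewall's own code. The application's known
statements and the evaluated inputs are constructed for this demo.
"""
import re

# Tokenizer: string literals, numbers, comments, whitespace, identifiers, single chars.
_TOKEN_RE = re.compile(
    r"""
    '(?:[^']|'')*'            # single-quoted string literal ('' is an escaped quote)
  | \b\d+(?:\.\d+)?\b         # numeric literal
  | --[^\n]*                  # line comment
  | /\*.*?\*/                 # block comment
  | \s+                       # whitespace
  | [A-Za-z_][A-Za-z0-9_.]*   # identifier or keyword (schema.table kept as one token)
  | .                         # any other single character (operators, parentheses)
    """,
    re.VERBOSE | re.DOTALL,
)
_NUMBER_RE = re.compile(r"\d+(?:\.\d+)?")


def sql_shape(sql: str) -> str:
    """Reduce a statement to its grammatical shape: literals become '?', case and
    whitespace are normalised, and comments become a '<comment>' marker."""
    parts = []
    for m in _TOKEN_RE.finditer(sql):
        tok = m.group(0)
        if tok.isspace():
            continue
        if tok.startswith("'") or _NUMBER_RE.fullmatch(tok):
            parts.append("?")
        elif tok.startswith("--") or tok.startswith("/*"):
            parts.append("<comment>")
        else:
            parts.append(tok.lower())
    return " ".join(parts)


class SqlFirewall:
    """Allows statements whose shape was learned from the application; otherwise
    blocks (in-line mode) or only alerts (out-of-band monitoring mode)."""

    def __init__(self, allowed_shapes, mode="block"):
        if mode not in ("block", "monitor"):
            raise ValueError("mode must be 'block' or 'monitor'")
        self.allowed = set(allowed_shapes)
        self.mode = mode
        self.log = []  # (action, shape) pairs; a real firewall would feed these to its reports

    @classmethod
    def learn(cls, known_statements, mode="block"):
        """Build the white-list from statements the application is known to issue."""
        return cls({sql_shape(s) for s in known_statements}, mode)

    def evaluate(self, sql: str) -> str:
        """Return 'allow', 'block' or 'alert' for one in-bound statement."""
        shape = sql_shape(sql)
        if shape in self.allowed:
            action = "allow"
        elif self.mode == "block":
            action = "block"
        else:
            action = "alert"
        self.log.append((action, shape))
        return action


# Constructed: statements captured from the application during a learning period.
KNOWN_STATEMENTS = [
    "SELECT * FROM customers WHERE id = 17",
    "INSERT INTO orders (customer_id, total) VALUES (17, 99.50)",
    "UPDATE customers SET email = 'a@example.com' WHERE id = 17",
]


def run_demo(mode="block"):
    """Evaluate a normal request, the same request with an injected tautology, and
    one with an appended comment; returns the three actions in that order."""
    fw = SqlFirewall.learn(KNOWN_STATEMENTS, mode)
    return (
        fw.evaluate("select * from customers where id = 4242"),
        fw.evaluate("SELECT * FROM customers WHERE id = 4242 OR 1=1"),
        fw.evaluate("SELECT * FROM customers WHERE id = 4242 -- note"),
    )


if __name__ == "__main__":
    for mode in ("block", "monitor"):
        print(mode, run_demo(mode))
```

A different parameter value produces the same shape as the learned statement and is allowed; the extra `or ? = ?` clause or a trailing comment changes the shape and is blocked in in-line mode or only logged and alerted in monitoring mode. In practice the learning set must cover every statement the application legitimately issues, which is why the slide pairs the white-list with exception lists and a monitoring-only mode for rollout.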
Next Step…
• Database & Security Healthcheck Campaign by ORATURK Consultants
• Gap Analysis
• Implementing Oracle Security Products
• Monitor database security & new requirements
www.oraturk.com
Security lifecycle diagram with the stages Discover, Classify, Analyze, Advice and Act, supported by Asset Management, Configuration Management & Audit, Vulnerability Management, Audit Analysis & Analytics and Policy Management