Security Inside-Out with
Oracle Database 12c
Denise Mallin, CISSP
The following is intended to outline our general product
direction. It is intended for information purposes only, and
may not be incorporated into any contract. It is not a
commitment to deliver any material, code, or functionality,
and should not be relied upon in making purchasing
Copyright © 2013, Oracle and/or its affiliates. All rights reserved. 4
Breached using weak
or stolen credentials
Preventable with
basic controls
76
%
97
%
Records breached
from servers
67
%
Over 1.1Billion Served
Discovered by an
external party
Changing Security Landscape
Data Protection Challenges
Oracle Database 12c Defense-in-Depth
Copyright © 2013, Oracle and/or its affiliates. All rights reserved. 6
From
to
Adapted from Kuppinger Cole Presentation, March 2013
Basic security not enough for today’s business
“You don’t bother to just simply
hack the organization and its
infrastructure; you focus much
more of your attention on hacking
the employees….”
Anatomy of an Attack
Uri Rivner Former CTO,
RSA (Security Division of EMC)
More Targets to Attack
DBAs, OS Administrators, Developers, Testers, Partners, …
Copyright © 2013, Oracle and/or its affiliates. All rights reserved. 8
Why Are Databases Vulnerable?
80% of IT Security Programs Don’t Address Database Security
Oracle Database Security Offerings
Security and Compliance for Databases
Auditing
Activity Monitoring
Database Firewall
DETECTIVE
Data Masking
Privileged User Controls Encryption and Redaction
PREVENTIVE
ADMINISTRATIVE
Sensitive Data Discovery
Configuration Management Privilege Analysis
Copyright © 2013, Oracle and/or its affiliates. All rights reserved. 10
Oracle Database Security Offerings
Security and Compliance for Databases
Auditing
Activity Monitoring
Database Firewall
DETECTIVE
Data Masking
Privileged User Controls Encryption and Redaction
PREVENTIVE
ADMINISTRATIVE
Sensitive Data Discovery
Configuration Management Privilege Analysis
Encrypts tablespaces or columns to secure data at rest
Built-in two-tier key management Requires no application changes
“Near Zero” overhead with hardware
Integrated with Oracle DB technologies
– Log files, Compression, ASM, DataPump
Advanced Security
Transparent Data Encryption (TDE)
Preventive Control for Oracle Databases
Copyright © 2013, Oracle and/or its affiliates. All rights reserved. 12
Oracle Key Vault
Simplified key management
Centrally manage keys, secrets, passwords, wallets
Share secret data as needed
Retrieve TDE master keys
Online/offline mode
Simplified enrollment and provisioning
Secure software appliance
OASIS KMIP 1.1
Keys, Wallets
KMIP Endpoints Data Guard
Oracle Key Vault
Real-time redaction based upon user, IP, app context, session factors, … Applies to columns on tables/views Full/partial, random/fixed redaction Transparent to typical applications No impact on operational activities
Advanced Security
Redaction of Sensitive Data Displayed
Preventive Control for Oracle Database 12c and 11g (11.2.0.4)
Credit Card Numbers
Copyright © 2013, Oracle and/or its affiliates. All rights reserved. 14
Replaces sensitive application data Detects/Preserves referential integrity Extensible template library and formats
Supports masking in non-Oracle DB
Integrates with subsetting and Real Application Testing
Oracle Data Masking
Masking Data for Non-Production Use
Preventive Control for Oracle and non-Oracle Databases
Realms around sensitive schemas or objects Restrict DBA access to realm data
Support multi-factor SQL command rules Enforce separation of duties
Block threats targeting privileged DB accounts Restrict all access unless explicitly authorized
with Mandatory Realms (New)
Oracle Database Vault
Preventive Controls Inside the Oracle Database
Preventive Control for Oracle Databases
Finance
HR
Procurement
select * from procurement.bids
Copyright © 2013, Oracle and/or its affiliates. All rights reserved. 16
Label Based Access Control
Preventive Control for Oracle Databases
Confidential
Sensitive
Sensitive Confidential
Public
Multi-level security for consistent access control for applications using the data
Classify users and/or data using labels Row level access control using labels Virtual information partitioning for cloud,
SaaS, hosting environments
User labels can be used for Redaction and Database Vault
Oracle Database Security Offerings
Security and Compliance for Databases
Auditing
Activity Monitoring
Database Firewall
DETECTIVE
Data Masking
Privileged User Controls Encryption and Redaction
PREVENTIVE
ADMINISTRATIVE
Sensitive Data Discovery
Configuration Management Privilege Analysis
Copyright © 2013, Oracle and/or its affiliates. All rights reserved. 18
New Conditional Auditing Framework
Detective Control for Oracle Database 12c
New condition-based syntax
What: CREATE, ALTER, ALL, …
Where: Set of Privileges, Roles, objects
When: IP_ADDRESS !=“10.288.241.88” Exceptions: Except HR
Group audit settings for manageability
Out-of-box audit policies
New roles: Audit Viewer and Audit Admin
Single unified database audit trail
Oracle Audit Vault and
Database Firewall
Audit, Report, and Alert in Real-Time
Detective Control for Oracle and non-Oracle Databases
Audit Data & Event Logs OS & Storage Directories Databases Oracle Database Firewall Custom Collect and Analyze audit/event data
Consolidated multi-source reporting Out-of-the box and custom reports Conditional real-time alerts
Secure, scalable software appliance Policies
Copyright © 2013, Oracle and/or its affiliates. All rights reserved. 20
Oracle Audit Vault and
Database Firewall
Database Activity Monitoring and Firewall
Detective Control for Oracle and non-Oracle Databases
Monitor database network traffic Block unauthorized database activity
including SQL injection attacks
Highly accurate SQL grammar analysis
Whitelist approach to enforce activity Blacklists for managing high risk activity Secure scalable software appliance
Built-in Reports Alerts
Custom Reports !
Policies
Oracle Audit Vault and Database Firewall
AUDIT DATA AUDIT VAULT Firewall Events Database Firewall
Detective Control for Databases, Operating Systems, …
Copyright © 2013, Oracle and/or its affiliates. All rights reserved. 22
Oracle Database Security Offerings
Security and Compliance for Databases
Auditing
Activity Monitoring
Database Firewall
DETECTIVE
Data Masking
Privileged User Controls Encryption and Redaction
PREVENTIVE
ADMINISTRATIVE
Sensitive Data Discovery
Configuration Management Privilege Analysis
Oracle Database Vault
Discover Use of Privileges and Roles
Administrative Control for Oracle Database 12c
Create… Drop… Update… DBA role
APPADMIN role Capture privileges used per session,
across sessions, per specific context, or full database
Report on privileges/roles used/unused Help revoke unnecessary privileges Enforce least privilege and reduce risks Increase security without disruption
Unused Update APPADMIN
Copyright © 2013, Oracle and/or its affiliates. All rights reserved. 24
Scan Oracle for sensitive data
Use built-in, extensible data definitions Discover application data models
Protect sensitive data appropriately: encrypt, redact, mask, audit…
Oracle Enterprise Manager 12c
Discover Sensitive Data and Databases
Oracle Database Lifecycle Management
Configuration Management
Administrative Control for Oracle Databases
Discover
Scan & Monitor
Patch
Discover and classify databases Scan for secure configuration
Follow compliance frameworks
Detect unauthorized changes
Copyright © 2013, Oracle and/or its affiliates. All rights reserved. 26
Database Security Additions/Improvements in 12c
Performance and Management
– 2x-25x Performance: Label Security, Database Vault, Audit, Encryption
– Hardware Cryptographic Acceleration
– EM Security Console
– Revamped UI
Additions to All DB Editions
– Strong Authentication
– SSL/TLS and native network encryption
– Conditional Auditing
– New Separation of Duty Roles
– Updated Kerberos and Cryptography stack
– Secure DB configuration on Windows
Additions to DB Enterprise Edition
– Real Application Security
– Transparent Sensitive Data Protection
Additions to DB Security Options
– Data Redaction (Advanced Security)
– Privilege Analysis (Database Vault)
– Mandatory Realms (Database Vault)
Oracle Database Security Offerings
Defense-in-Depth for Maximum Security
Auditing
Activity Monitoring
Database Firewall
DETECTIVE
Data Masking
Privileged User Controls Encryption and Redaction
PREVENTIVE
ADMINISTRATIVE
Sensitive Data Discovery
Configuration Management Privilege Analysis
Copyright © 2013, Oracle and/or its affiliates. All rights reserved. 28 Apps Users Advanced Security Data Redaction Data Masking Advanced Security TDE Database Vault Privilege Analysis Database Vault Privileged User Controls
OS &
Storage Directories
Databases Custom
Audit Data & Event Logs Database Firewall