• No results found

Copyright 2013, Oracle and/or its affiliates. All rights reserved.

N/A
N/A
Protected

Academic year: 2021

Share "Copyright 2013, Oracle and/or its affiliates. All rights reserved."

Copied!
30
0
0

Loading.... (view fulltext now)

Full text

(1)
(2)

Security Inside-Out with

Oracle Database 12c

Denise Mallin, CISSP

(3)

The following is intended to outline our general product

direction. It is intended for information purposes only, and

may not be incorporated into any contract. It is not a

commitment to deliver any material, code, or functionality,

and should not be relied upon in making purchasing

(4)

Copyright © 2013, Oracle and/or its affiliates. All rights reserved. 4

Breached using weak

or stolen credentials

Preventable with

basic controls

76

%

97

%

Records breached

from servers

67

%

Over 1.1Billion Served

Discovered by an

external party

(5)

Changing Security Landscape

Data Protection Challenges

Oracle Database 12c Defense-in-Depth

(6)

Copyright © 2013, Oracle and/or its affiliates. All rights reserved. 6

From

to

Adapted from Kuppinger Cole Presentation, March 2013

Basic security not enough for today’s business

(7)

“You don’t bother to just simply

hack the organization and its

infrastructure; you focus much

more of your attention on hacking

the employees….”

Anatomy of an Attack

Uri Rivner Former CTO,

RSA (Security Division of EMC)

More Targets to Attack

DBAs, OS Administrators, Developers, Testers, Partners, …

(8)

Copyright © 2013, Oracle and/or its affiliates. All rights reserved. 8

Why Are Databases Vulnerable?

80% of IT Security Programs Don’t Address Database Security

(9)

Oracle Database Security Offerings

Security and Compliance for Databases

Auditing

Activity Monitoring

Database Firewall

DETECTIVE

Data Masking

Privileged User Controls Encryption and Redaction

PREVENTIVE

ADMINISTRATIVE

Sensitive Data Discovery

Configuration Management Privilege Analysis

(10)

Copyright © 2013, Oracle and/or its affiliates. All rights reserved. 10

Oracle Database Security Offerings

Security and Compliance for Databases

Auditing

Activity Monitoring

Database Firewall

DETECTIVE

Data Masking

Privileged User Controls Encryption and Redaction

PREVENTIVE

ADMINISTRATIVE

Sensitive Data Discovery

Configuration Management Privilege Analysis

(11)

 Encrypts tablespaces or columns to secure data at rest

 Built-in two-tier key management  Requires no application changes

 “Near Zero” overhead with hardware

 Integrated with Oracle DB technologies

– Log files, Compression, ASM, DataPump

Advanced Security

Transparent Data Encryption (TDE)

Preventive Control for Oracle Databases

(12)

Copyright © 2013, Oracle and/or its affiliates. All rights reserved. 12

Oracle Key Vault

 Simplified key management

 Centrally manage keys, secrets, passwords, wallets

 Share secret data as needed

 Retrieve TDE master keys

 Online/offline mode

 Simplified enrollment and provisioning

 Secure software appliance

 OASIS KMIP 1.1

Keys, Wallets

KMIP Endpoints Data Guard

Oracle Key Vault

(13)

 Real-time redaction based upon user, IP, app context, session factors, …  Applies to columns on tables/views  Full/partial, random/fixed redaction  Transparent to typical applications  No impact on operational activities

Advanced Security

Redaction of Sensitive Data Displayed

Preventive Control for Oracle Database 12c and 11g (11.2.0.4)

Credit Card Numbers

(14)

Copyright © 2013, Oracle and/or its affiliates. All rights reserved. 14

 Replaces sensitive application data  Detects/Preserves referential integrity  Extensible template library and formats

 Supports masking in non-Oracle DB

 Integrates with subsetting and Real Application Testing

Oracle Data Masking

Masking Data for Non-Production Use

Preventive Control for Oracle and non-Oracle Databases

(15)

 Realms around sensitive schemas or objects  Restrict DBA access to realm data

 Support multi-factor SQL command rules  Enforce separation of duties

 Block threats targeting privileged DB accounts  Restrict all access unless explicitly authorized

with Mandatory Realms (New)

Oracle Database Vault

Preventive Controls Inside the Oracle Database

Preventive Control for Oracle Databases

Finance

HR

Procurement

select * from procurement.bids

(16)

Copyright © 2013, Oracle and/or its affiliates. All rights reserved. 16

Label Based Access Control

Preventive Control for Oracle Databases

Confidential

Sensitive

Sensitive Confidential

Public

 Multi-level security for consistent access control for applications using the data

 Classify users and/or data using labels  Row level access control using labels  Virtual information partitioning for cloud,

SaaS, hosting environments

 User labels can be used for Redaction and Database Vault

(17)

Oracle Database Security Offerings

Security and Compliance for Databases

Auditing

Activity Monitoring

Database Firewall

DETECTIVE

Data Masking

Privileged User Controls Encryption and Redaction

PREVENTIVE

ADMINISTRATIVE

Sensitive Data Discovery

Configuration Management Privilege Analysis

(18)

Copyright © 2013, Oracle and/or its affiliates. All rights reserved. 18

New Conditional Auditing Framework

Detective Control for Oracle Database 12c

 New condition-based syntax

 What: CREATE, ALTER, ALL, …

 Where: Set of Privileges, Roles, objects

 When: IP_ADDRESS !=“10.288.241.88”  Exceptions: Except HR

 Group audit settings for manageability

 Out-of-box audit policies

 New roles: Audit Viewer and Audit Admin

 Single unified database audit trail

(19)

Oracle Audit Vault and

Database Firewall

Audit, Report, and Alert in Real-Time

Detective Control for Oracle and non-Oracle Databases

Audit Data & Event Logs OS & Storage Directories Databases Oracle Database Firewall Custom  Collect and Analyze audit/event data

 Consolidated multi-source reporting  Out-of-the box and custom reports  Conditional real-time alerts

 Secure, scalable software appliance Policies

(20)

Copyright © 2013, Oracle and/or its affiliates. All rights reserved. 20

Oracle Audit Vault and

Database Firewall

Database Activity Monitoring and Firewall

Detective Control for Oracle and non-Oracle Databases

 Monitor database network traffic  Block unauthorized database activity

including SQL injection attacks

 Highly accurate SQL grammar analysis

 Whitelist approach to enforce activity  Blacklists for managing high risk activity  Secure scalable software appliance

(21)

Built-in Reports Alerts

Custom Reports !

Policies

Oracle Audit Vault and Database Firewall

AUDIT DATA AUDIT VAULT Firewall Events Database Firewall

Detective Control for Databases, Operating Systems, …

(22)

Copyright © 2013, Oracle and/or its affiliates. All rights reserved. 22

Oracle Database Security Offerings

Security and Compliance for Databases

Auditing

Activity Monitoring

Database Firewall

DETECTIVE

Data Masking

Privileged User Controls Encryption and Redaction

PREVENTIVE

ADMINISTRATIVE

Sensitive Data Discovery

Configuration Management Privilege Analysis

(23)

Oracle Database Vault

Discover Use of Privileges and Roles

Administrative Control for Oracle Database 12c

Create… Drop… Update… DBA role

APPADMIN role  Capture privileges used per session,

across sessions, per specific context, or full database

 Report on privileges/roles used/unused  Help revoke unnecessary privileges  Enforce least privilege and reduce risks  Increase security without disruption

Unused Update APPADMIN

(24)

Copyright © 2013, Oracle and/or its affiliates. All rights reserved. 24

 Scan Oracle for sensitive data

 Use built-in, extensible data definitions  Discover application data models

 Protect sensitive data appropriately: encrypt, redact, mask, audit…

Oracle Enterprise Manager 12c

Discover Sensitive Data and Databases

(25)

Oracle Database Lifecycle Management

Configuration Management

Administrative Control for Oracle Databases

Discover

Scan & Monitor

Patch

 Discover and classify databases  Scan for secure configuration

 Follow compliance frameworks

 Detect unauthorized changes

(26)

Copyright © 2013, Oracle and/or its affiliates. All rights reserved. 26

Database Security Additions/Improvements in 12c

 Performance and Management

– 2x-25x Performance: Label Security, Database Vault, Audit, Encryption

– Hardware Cryptographic Acceleration

– EM Security Console

– Revamped UI

 Additions to All DB Editions

– Strong Authentication

– SSL/TLS and native network encryption

– Conditional Auditing

– New Separation of Duty Roles

– Updated Kerberos and Cryptography stack

– Secure DB configuration on Windows

 Additions to DB Enterprise Edition

– Real Application Security

– Transparent Sensitive Data Protection

 Additions to DB Security Options

– Data Redaction (Advanced Security)

– Privilege Analysis (Database Vault)

– Mandatory Realms (Database Vault)

(27)

Oracle Database Security Offerings

Defense-in-Depth for Maximum Security

Auditing

Activity Monitoring

Database Firewall

DETECTIVE

Data Masking

Privileged User Controls Encryption and Redaction

PREVENTIVE

ADMINISTRATIVE

Sensitive Data Discovery

Configuration Management Privilege Analysis

(28)

Copyright © 2013, Oracle and/or its affiliates. All rights reserved. 28 Apps Users Advanced Security Data Redaction Data Masking Advanced Security TDE Database Vault Privilege Analysis Database Vault Privileged User Controls

OS &

Storage Directories

Databases Custom

Audit Data & Event Logs Database Firewall

Oracle Maximum Security Architecture

(29)
(30)

References

Related documents