Securing Data in
Oracle Database 12c
Thomas Kyte
http://asktom.oracle.com/
Copyright © 2014, Oracle and/or its affiliates. All rights reserved. |
Safe Harbor Statement
The following is intended to outline our general product direction. It is intended for
information purposes only, and may not be incorporated into any contract. It is not a
commitment to deliver any material, code, or functionality, and should not be relied upon
in making purchasing decisions. The development, release, and timing of any features or
functionality described for Oracle’s products remains at the sole discretion of Oracle.
Oracle Database Security: 30 years of Innovation, 1977 to 2014
(Timeline slide; items as listed on the slide.)
• Oracle Key Vault
• Data Redaction
• Oracle Audit Vault
• Oracle Database Vault
• DB Security Evaluation #19
• Transparent Data Encryption
• EM Configuration Scanning
• Fine Grained Auditing (9i)
• Secure application roles
• Client Identifier / Identity propagation
• Oracle Label Security
• Proxy authentication
• Enterprise User Security
• Global roles
• Virtual Private Database (8i)
• Database Encryption API
• Strong authentication (PKI, Kerberos, RADIUS)
• Native Network Encryption (Oracle7)
• Database Auditing
• Government customer
Security
• Oracle is very secure
• Therefore, we don’t need to be, it just happens
• Besides, it is not as important as having pretty screens after all.
• And if we add it later,
  – I’m sure it’ll be non-intrusive
  – And very performant
Oracle Maximum Security Architecture (diagram)
Core Components: Advanced Security (Data Redaction, Data Masking, TDE); Database Vault (Privilege Analysis, Privileged User Controls); Database Firewall; Audit Vault (Policies, Events, Reports, Alerts).
Sources feeding the architecture: Apps, Users, OS & Storage, Directories, Databases, Custom, and Audit Data & Event Logs.
Program Agenda
1. Transparent Data Encryption (TDE), Key Vault
2. Privilege Analysis
3. Database Vault
4. Database Firewall
5. Data Redaction, Data Masking, Fine Grained Access Control
6. Audit Vault
Advanced Security: Transparent Data Encryption (TDE)
Preventive Control for Oracle Databases
• SQL interface to key management
• *New* FIPS 140-2 mode (dbfips_140)
• Encrypts tablespaces or columns to secure data at rest
• Requires no application changes
• “Near Zero” overhead with hardware
• Integrated with Oracle DB technologies
  – Log files, Compression, ASM, DataPump
(Diagram: data written by Applications stays encrypted on Disk, in Backups, in Exports and at Off-Site Facilities.)
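The slide's "SQL interface to key management" is the 12c ADMINISTER KEY MANAGEMENT statement. The following is an added example (not code from the slides or from Oracle's documentation) that walks the lifecycle end to end: create and open a software keystore, create the master key, encrypt a tablespace and a column, rotate the master key, verify the state, and switch on the dbfips_140 mode mentioned above. The keystore directory, datafile path, schema APP and table CUSTOMERS are constructed; the keystore password is a placeholder.

```sql
-- Added example: TDE key management and encryption on Oracle Database 12c.
-- Constructed values: /u01/app/oracle/admin/orcl/wallet, the datafile path,
-- schema APP, table CUSTOMERS. "<keystore-password>" is a placeholder.

-- 1. sqlnet.ora tells the instance where the software keystore lives:
--    ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=FILE)
--      (METHOD_DATA=(DIRECTORY=/u01/app/oracle/admin/orcl/wallet)))

-- 2. Create and open the keystore, then create the TDE master encryption key.
--    WITH BACKUP takes a copy of the keystore before it is modified.
ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '/u01/app/oracle/admin/orcl/wallet'
  IDENTIFIED BY "<keystore-password>";
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "<keystore-password>";
ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY "<keystore-password>" WITH BACKUP;

-- 3. Encrypt data at rest: a whole tablespace (covers every object placed in it,
--    including temp segments and indexes) or a single sensitive column.
CREATE TABLESPACE secure_ts
  DATAFILE '/u01/app/oracle/oradata/orcl/secure_ts01.dbf' SIZE 100M
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);
ALTER TABLE app.customers MODIFY (card_no ENCRYPT USING 'AES256');

-- 4. Periodic key rotation: the same SET KEY statement generates a new master
--    key and re-wraps the tablespace/column keys; the data itself is not rewritten.
ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY "<keystore-password>" WITH BACKUP;

-- 5. Verify keystore state, active master key, and what is actually encrypted.
SELECT wrl_type, status, wallet_type FROM v$encryption_wallet;
SELECT key_id, activation_time FROM v$encryption_keys;
SELECT ts#, encryptionalg, encryptedts FROM v$encrypted_tablespaces;
SELECT owner, table_name, column_name, encryption_alg FROM dba_encrypted_columns;

-- 6. FIPS 140-2 mode for the database cryptographic library; takes effect on restart.
ALTER SYSTEM SET DBFIPS_140 = TRUE SCOPE = SPFILE;
```

Two operational points worth checking after running this: the keystore backup produced by WITH BACKUP must itself be stored separately from the datafiles (losing the keystore means losing the data), and v$encryption_wallet should report STATUS = OPEN after every instance restart, otherwise encrypted tablespaces are inaccessible until the keystore is opened again.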
The Challenges of Key Management
Management
• Proliferation of encryption wallets and keys
• Authorized sharing of keys
• Key availability, retention, and recovery
• Custody of keys and key storage files
Regulations
• Physical separation of keys from encrypted data
• Periodic key rotations
• Monitoring and auditing of keys
Key Management with Oracle Key Vault
• Centrally manage and share keys, secrets, Oracle wallets, Java keystores, and more
• Optimized for Oracle stack (Database, Middleware, Systems) and Advanced Security TDE
• Robust, secure, and standards compliant (OASIS KMIP) key manager
Oracle Key Vault High-Level Architecture (diagram)
Key Vault with a Standby; Administration Console, Alerts, Reports; Secure Backups. Endpoints: Databases, Servers, Middleware. Managed objects: Credential File, Oracle Wallet, Server Password, Java Keystore, Certificate.
Oracle Wallet Scenarios
Oracle Advanced Security Transparent Data Encryption (TDE)
(Diagram: wallet deployments for Single Instance, Multiple DBs on the Same Machine, RAC, Data Guard and GoldenGate.)
Oracle Advanced Security Transparent Data Encryption (TDE)
Direct Connection Scenarios
(Diagram: direct connections from Key Vault for Single Instance, Multiple DBs on the Same Machine, RAC, Data Guard and GoldenGate.)
Oracle Key Vault Software Appliance Platform
• Turnkey solution based on hardened stack
• Includes Oracle Database and security options
• Open x86-64 hardware to choose from
• Easy to install, configure, deploy, and patch
• Separation of duties for administrative users
• Full auditing, preconfigured reports, and alerts
Privilege Analysis
You want to apply the concept of least privilege.
Problem: you don’t know which privileges they really need, so maybe you just give them SELECT ANY TABLE.
Privilege Analysis: Discover Use of Privileges and Roles
Administrative Control for Oracle Database 12c
• Turn on privilege capture mode
• Report on actual privileges and roles used in the database
• Helps revoke unnecessary privileges
• Enforce least privilege and reduce risks
• Increase security without disruption
(Diagram: the DBA and APPADMIN roles carry Create…, Drop… and Update… privileges; the capture report flags the Update privilege of APPADMIN as Unused.)
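The capture mode on the slide is the DBMS_PRIVILEGE_CAPTURE package. The following is an added example (not from the slides) of the full cycle for the APPADMIN role shown above: define a role-scoped capture, run the workload, generate the result, and read the used and unused privileges. It assumes the session holds the CAPTURE_ADMIN role, that APPADMIN exists, and that the capture name and the table in the sample REVOKE are constructed.

```sql
-- Added example: privilege capture with DBMS_PRIVILEGE_CAPTURE (Oracle 12c).
-- Assumptions: run by a user with CAPTURE_ADMIN; APPADMIN is the slide's role;
-- the capture name APPADMIN_CAPTURE and the table APP.ORDERS are constructed.

-- 1. Capture only what sessions holding APPADMIN actually exercise.
BEGIN
  DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE(
    name        => 'APPADMIN_CAPTURE',
    description => 'Privileges actually used by sessions holding APPADMIN',
    type        => DBMS_PRIVILEGE_CAPTURE.G_ROLE,
    roles       => ROLE_NAME_LIST('APPADMIN'));
  DBMS_PRIVILEGE_CAPTURE.ENABLE_CAPTURE(name => 'APPADMIN_CAPTURE');
END;
/

-- 2. Run the real application workload for a representative period. Cover a
--    full business cycle so month-end, batch-only or recovery paths are seen;
--    a privilege that simply was not exercised during the window shows as unused.

-- 3. Stop capturing and materialize the results into the DBA_*_PRIVS views.
BEGIN
  DBMS_PRIVILEGE_CAPTURE.DISABLE_CAPTURE(name => 'APPADMIN_CAPTURE');
  DBMS_PRIVILEGE_CAPTURE.GENERATE_RESULT(name => 'APPADMIN_CAPTURE');
END;
/

-- 4a. What was used (keep these).
SELECT username, used_role, sys_priv, obj_priv, object_owner, object_name
  FROM dba_used_privs
 WHERE capture = 'APPADMIN_CAPTURE'
 ORDER BY username, used_role;

-- 4b. What was granted but never exercised (revoke candidates).
SELECT username, rolename, sys_priv, obj_priv, object_owner, object_name
  FROM dba_unused_privs
 WHERE capture = 'APPADMIN_CAPTURE'
 ORDER BY username, rolename;

-- 5. Act on the report. The slide's unused Update on APPADMIN would become:
--    REVOKE UPDATE ON app.orders FROM appadmin;
--    Revoke in a test environment first and keep the capture definition so the
--    analysis can be repeated after the change.

-- 6. Remove the capture definition when the exercise is complete.
--    EXEC DBMS_PRIVILEGE_CAPTURE.DROP_CAPTURE(name => 'APPADMIN_CAPTURE');
```

Only one capture of a given type can be enabled at a time, and the result tables are rebuilt by GENERATE_RESULT, so snapshot the two queries above before re-running a capture if you want to compare windows.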
Oracle Database Vault
• Limit default powers of privileged users
• Enforce policy rules inside the database
• Violations audited, secured and sent to Oracle Audit Vault
• No application changes required
(Diagram: realms around the Procurement, HR and Finance schemas; the Application reaches its own data, while the DBA’s “select * from finance.customers” is stopped at the realm boundary.)
Oracle Database Vault
• Block privileged database users from accessing application data
• Block threats from compromised privileged accounts
• Block application users from accessing other applications inside the same database
• Securely consolidate and use private or public cloud computing
Oracle Database Vault 12c
• Provide additional security check before allowing authorized users to access application data
• Enable application DBA control by allowing patching while denying access to sensitive application data
• Freeze security settings identified by Privilege Analysis: roles, grants, …
• Temporarily seal off entire application data in the event of a cyber threat
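The realm is the Database Vault control behind the earlier "DBA: select * from finance.customers" slide. The following is an added example (not from the slides) that builds one realm around the FINANCE schema, authorizes only the application account, and shows how to verify the definition. It assumes Database Vault is already configured and enabled (DBMS_MACADM.CONFIGURE_DV and ENABLE_DV followed by a restart), that the statements run as the Database Vault owner account, and that FINANCE, FIN_APP and the realm name are constructed.

```sql
-- Added example: a Database Vault realm protecting FINANCE (Oracle 12c).
-- Assumptions: DV configured and enabled; run as the DV owner; FINANCE owns the
-- application data; FIN_APP is the application account; names are constructed.

BEGIN
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'Finance Data Realm',
    description   => 'Application data of the FINANCE schema',
    enabled       => DBMS_MACUTL.G_YES,
    -- Audit failed attempts (the slide's "violations audited ... sent to Audit Vault").
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL,
    -- 1 = mandatory realm (12c): even the object owner and SELECT ANY TABLE
    -- holders are blocked unless authorized below. 0 would be a regular realm,
    -- which still lets the owner through.
    realm_type    => 1);

  -- Protect every object in FINANCE, whatever its type.
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'Finance Data Realm',
    object_owner => 'FINANCE',
    object_name  => '%',
    object_type  => '%');

  -- Only the application account may exercise its grants inside the realm.
  -- A participant can use the objects; an owner could also manage authorizations.
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name   => 'Finance Data Realm',
    grantee      => 'FIN_APP',
    auth_options => DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);
END;
/

-- Verification: what the realm covers and who is authorized.
SELECT realm_name, owner, object_name, object_type
  FROM dba_dv_realm_object
 WHERE realm_name = 'Finance Data Realm';

SELECT realm_name, grantee, auth_options
  FROM dba_dv_realm_auth
 WHERE realm_name = 'Finance Data Realm';

-- Expected behaviour once the realm is enabled:
--   FIN_APP:                 SELECT * FROM finance.customers;  -> rows returned
--   DBA with SELECT ANY TABLE: SELECT * FROM finance.customers;
--       -> ORA-01031: insufficient privileges, plus a realm violation audit record.
-- The DBA keeps instance-level administration (startup, patching, tablespaces);
-- only the objects inside the realm are out of reach.
```

The "seal off entire application data" bullet maps to the same mechanism: a mandatory realm with its authorizations temporarily removed (DBMS_MACADM.DELETE_AUTH_FROM_REALM) leaves the schema intact but unreadable by anyone until the authorizations are restored.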
Oracle Audit Vault and Database Firewall
Database Activity Monitoring and Firewall
Detective Control for Oracle and non-Oracle Databases
• Monitors and logs database network traffic
• Detects and blocks unauthorized database activity including SQL injection attacks
• Highly accurate SQL grammar analysis
• Whitelist approach to enforce activity
• Blacklists for managing high risk activity
• Scalable secure software appliance
(Diagram: SQL from Apps and Users passes through SQL Analysis and Policy Factors with a Whitelist and a Blacklist; the possible outcomes are Block, Log, Allow, Alert or Substitute.)
Oracle Data Redaction
Redacting Sensitive Data for Applications
• On-the-fly redaction based upon user name, IP address, application context, and other factors
• Transparent, consistent enforcement in the database
• Minimal impact on production work loads
(Diagram: a Credit Card # column with sample values 4451-2172-9841-4368, 5106-6342-4881-5211 and 4891-3311-0090-5055 is shown redacted by Policy for Call Centers and Decision Support Systems.)
Supported Transformations

Transformation        Original                Redacted
Full Redaction        05/24/75                01/01/01
                      11 Rock Bluff Dr.       XXXXXXX
Partial Redaction     068-35-2299             ***-**-2299
                      D1L86YZV8K              D1******8K
RegExp Redaction      [email protected]     [redacted]@acme.com
                      94025-2450              94025-[hidden]
Random Redaction      4022-5231-5531-9855     4943-6344-0547-0110
                      09/30/73                11/14/85
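The four transformation types in the table are the function types of the DBMS_REDACT package. The following is an added example (not from the slides) that applies one of each to a single constructed table, with the same sample values as the table where possible. The schema APP, the table CUSTOMERS, its rows and the user name CS_SUPERVISOR (the one session allowed to see clear text) are all assumptions.

```sql
-- Added example: one DBMS_REDACT policy covering Full, Partial, RegExp and
-- Random redaction (Oracle 12c). Constructed: schema APP, table CUSTOMERS,
-- the sample row, and the user name CS_SUPERVISOR.

CREATE TABLE app.customers (
  cust_id    NUMBER PRIMARY KEY,
  birth_date DATE,
  ssn        VARCHAR2(11),
  email      VARCHAR2(100),
  card_no    VARCHAR2(19));

INSERT INTO app.customers
  VALUES (1, DATE '1975-05-24', '068-35-2299', 'jdoe@acme.com', '4022-5231-5531-9855');
COMMIT;

BEGIN
  -- Full redaction: a DATE is replaced by the fixed value 01-JAN-01.
  -- The expression decides when redaction applies: here for every session
  -- except the one logged in as CS_SUPERVISOR. One policy per table; further
  -- columns are attached with ALTER_POLICY.
  DBMS_REDACT.ADD_POLICY(
    object_schema => 'APP',
    object_name   => 'CUSTOMERS',
    policy_name   => 'CUSTOMERS_REDACT',
    column_name   => 'BIRTH_DATE',
    function_type => DBMS_REDACT.FULL,
    expression    => 'SYS_CONTEXT(''USERENV'',''SESSION_USER'') != ''CS_SUPERVISOR''');

  -- Partial redaction: mask the first five SSN digits with '*', keep the last four.
  -- REDACT_US_SSN_F5 is the supplied format 'VVVFVVFVVVV,VVV-VV-VVVV,*,1,5'.
  DBMS_REDACT.ALTER_POLICY(
    object_schema       => 'APP',
    object_name         => 'CUSTOMERS',
    policy_name         => 'CUSTOMERS_REDACT',
    action              => DBMS_REDACT.ADD_COLUMN,
    column_name         => 'SSN',
    function_type       => DBMS_REDACT.PARTIAL,
    function_parameters => DBMS_REDACT.REDACT_US_SSN_F5);

  -- RegExp redaction: replace the local part of the address, keep the domain.
  DBMS_REDACT.ALTER_POLICY(
    object_schema          => 'APP',
    object_name            => 'CUSTOMERS',
    policy_name            => 'CUSTOMERS_REDACT',
    action                 => DBMS_REDACT.ADD_COLUMN,
    column_name            => 'EMAIL',
    function_type          => DBMS_REDACT.REGEXP,
    regexp_pattern         => '(.+)@(.+)',
    regexp_replace_string  => '[redacted]@\2',
    regexp_position        => DBMS_REDACT.RE_BEGINNING,
    regexp_occurrence      => DBMS_REDACT.RE_FIRST,
    regexp_match_parameter => DBMS_REDACT.RE_CASE_INSENSITIVE);

  -- Random redaction: each digit is replaced by a random digit, so the value
  -- keeps its shape for the application but carries no information.
  DBMS_REDACT.ALTER_POLICY(
    object_schema => 'APP',
    object_name   => 'CUSTOMERS',
    policy_name   => 'CUSTOMERS_REDACT',
    action        => DBMS_REDACT.ADD_COLUMN,
    column_name   => 'CARD_NO',
    function_type => DBMS_REDACT.RANDOM);
END;
/

-- A call-centre session now sees redacted values; CS_SUPERVISOR sees the originals.
SELECT TO_CHAR(birth_date, 'MM/DD/YY') AS birth_date, ssn, email, card_no
  FROM app.customers;
-- e.g. 01/01/01  ***-**-2299  [redacted]@acme.com  <random digits, different per query>

-- Policy inventory for review: which columns are redacted, and under what condition.
SELECT object_owner, object_name, column_name, function_type FROM redaction_columns;
SELECT object_owner, object_name, policy_name, expression, enable FROM redaction_policies;
```

Redaction is an application-facing control, which is the point of the "Call Centers" and "Decision Support Systems" slide: it changes what query results display, not what is stored, and it does not apply to SYS or to users holding EXEMPT REDACTION POLICY. A user with ad hoc SQL access can still narrow results with WHERE clauses against the unredacted column, so for privileged or interactive users pair it with Database Vault and auditing rather than relying on it alone.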
Introducing Oracle Data Masking and Subsetting Pack
Reduces Risk in Sharing by Obfuscating or Removing Sensitive Data

Original                        Masked and subsetted
NAME       SALARY               NAME       SALARY
AGUILAR     50135.56            AGUILAR     35676.24
BENSON      35789.89            CHANDRA     76546.89
CHANDRA     60765.23
DONNER     103456.82

• Discover Sensitive Data
• Mask Data Using Format Library
• Subset Based on Conditions/Goal
• Mask/Subset in Export or on Staging
• Retain Application Integrity
Conditional Auditing Framework
Detective Control for Oracle Database 12c
• New policy- and condition-based syntax
  – What: CREATE, ALTER, ALL, …
  – Where: set of privileges, roles, objects
  – When: IP_ADDRESS != “10.288.241.88”
  – Exceptions: except HR
• Group audit settings for manageability
• New roles: Audit Viewer and Audit Admin
• Out-of-box audit policies
• Single unified database audit trail
(Diagram: Database Auditing expressed as a rule of the form “IF ACTIONS CREATE AND IP_ADDRESS = … THEN …”.)
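The What / Where / When / Exceptions structure on the slide maps directly onto the 12c unified auditing syntax. The following is an added example (not from the slides) that writes the slide's rule as a policy, enables it with the HR exception, turns on one of the out-of-box policies, and queries the unified trail. It assumes the database runs with unified auditing, that HR is an existing user, and uses 192.0.2.10 (a documentation-range address) as a constructed placeholder for the trusted administration host; the slide's sample address 10.288.241.88 is not a valid IPv4 address, so it is not reused here.

```sql
-- Added example: a unified audit policy for the slide's condition (Oracle 12c).
-- Assumptions: unified auditing is in use; HR exists; 192.0.2.10 is a
-- constructed placeholder for the trusted admin host; run as an AUDIT_ADMIN.

-- What (actions) + Where (a privilege) + When (a session-level condition).
-- EVALUATE PER SESSION checks the condition once at logon, which is the right
-- choice for a client address that cannot change mid-session.
CREATE AUDIT POLICY remote_ddl_pol
  PRIVILEGES SELECT ANY TABLE
  ACTIONS    CREATE TABLE, ALTER TABLE, DROP TABLE
  WHEN       'SYS_CONTEXT(''USERENV'',''IP_ADDRESS'') != ''192.0.2.10'''
  EVALUATE PER SESSION;

-- Exceptions: audit everyone except HR, for successful and failed statements.
AUDIT POLICY remote_ddl_pol EXCEPT hr;

-- One of the out-of-box policies from the slide: record failed logons only.
AUDIT POLICY ora_logon_failures WHENEVER NOT SUCCESSFUL;

-- Which policies exist and which are enabled, and for whom.
SELECT policy_name, audit_option, audit_condition
  FROM audit_unified_policies
 WHERE policy_name = 'REMOTE_DDL_POL';
SELECT policy_name, enabled_opt, user_name, success, failure
  FROM audit_unified_enabled_policies;

-- The single unified trail, readable with the AUDIT_VIEWER role. In 12.1 records
-- may sit in a memory queue first; DBMS_AUDIT_MGMT.FLUSH_UNIFIED_AUDIT_TRAIL
-- forces them to disk before a review.
EXEC DBMS_AUDIT_MGMT.FLUSH_UNIFIED_AUDIT_TRAIL;
SELECT event_timestamp, dbusername, action_name, object_schema, object_name,
       return_code, unified_audit_policies
  FROM unified_audit_trail
 WHERE unified_audit_policies LIKE '%REMOTE_DDL_POL%'
 ORDER BY event_timestamp;

-- Roll back the policy when it is no longer wanted (enablement first, then drop).
-- NOAUDIT POLICY remote_ddl_pol EXCEPT hr;
-- DROP AUDIT POLICY remote_ddl_pol;
```

A RETURN_CODE other than 0 in the trail is the failed attempt; pairing a non-zero code with an ACTION_NAME of DROP TABLE from an unexpected address is exactly the kind of record the Audit Vault alerts on the next slide are built from.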
Oracle Audit Vault
Detective Control for Databases, Operating Systems, …
(Diagram: Audit Data and Database Firewall Events flow into the Audit Vault, which applies Policies and produces Built-in Reports, Custom Reports and Alerts.)