Privacy. Insider Threats. Compliance.
Oracle Database 11g: Lock Down Your Data
Gary Quarles, Sales Consultant
Key Drivers for Data Security
Regulatory Compliance
  • Sarbanes-Oxley (SOX), J-SOX, HIPAA
  • GLBA
  • Payment Card Industry (PCI)
  • EU Privacy Directives, CA SB 1386, …
  • Adequate IT controls: COSO, COBIT
  • Separation of duty, proof of compliance, risk assessment and monitoring
Insider/External Threats
  • Large percentage of threats go undetected
  • Outsourcing and off-shoring trend
  • Customers want to monitor insiders and DBAs
Oracle Database Security: 30 Years of Innovation, 1977 to 2007 (most recent first)
  • Oracle Audit Vault
  • Oracle Database Vault
  • DB Security Evaluation #19
  • Transparent Data Encryption
  • EM Configuration Scanning
  • Fine Grained Auditing (9i)
  • Secure application roles
  • Client Identifier / Identity propagation
  • Oracle Label Security
  • Proxy authentication
  • Enterprise User Security
  • Global roles
  • Virtual Private Database (8i)
  • Database Encryption API
  • Strong authentication (PKI, Kerberos, RADIUS)
  • Native Network Encryption (Oracle7)
  • Database Auditing
  • Government customer
Data Security Components
  • User Management
  • Access Control
  • Data Protection
  • Monitoring
  • All built on Core Platform Security
Data Security: Oracle Products
  • User Management
    • Oracle Identity Management
    • Enterprise User Security
  • Access Control
    • Oracle Database Vault
    • Oracle Label Security
    • Virtual Private Database
  • Data Protection
    • Oracle Advanced Security
    • Oracle Secure Backup
  • Monitoring
    • Oracle Audit Vault
    • EM Configuration Pack
  • Core Platform Security underlies all of the above
Enterprise User Security (EUS)
User Management for Compliance
  • Centralized user management
    • Consolidate database accounts with shared database schemas
    • Centrally managed DBAs
    • Validated with Oracle Virtual Directory
  • Enterprise strong authentication
    • Kerberos (MSFT, MIT)
    • PKI (X.509v3)
    • Password
    • SYSDBA strong authentication
  • Database Enterprise Edition feature
    • Requires Oracle Identity Management
    • Available since Oracle 8.1.6
(Diagram: HR, Financial and Customer databases each use EUS against a single Oracle Identity Management directory)
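The database side of a shared-schema EUS deployment, as an added example that is not part of the deck. It assumes the database is already registered with the directory, that the enterprise users and enterprise roles exist there, and that the DN, the shared schema HR_SHARED and the global role HR_CLERK are illustrative names:

```sql
-- Added example, not from the deck. Directory registration, the user
-- entry cn=jsmith,... and the names HR_SHARED / HR_CLERK are assumed.

-- Exclusive schema: one database account bound to one directory identity.
CREATE USER j_smith IDENTIFIED GLOBALLY AS 'cn=jsmith,cn=users,dc=example,dc=com';

-- Shared schema: the user-to-schema mapping lives in the directory, so
-- adding or removing a person never touches the database.
CREATE USER hr_shared IDENTIFIED GLOBALLY AS '';
GRANT CREATE SESSION TO hr_shared;

-- Global role: privileges are granted in the database, membership is
-- granted in the directory (enterprise role). A local GRANT of this role
-- to a user is not allowed, which is what keeps a DBA from self-granting it.
CREATE ROLE hr_clerk IDENTIFIED GLOBALLY;
GRANT SELECT ON hr.employees TO hr_clerk;

-- At run time a person arriving through the shared schema still has an
-- individual identity that VPD predicates and the audit trail can use.
SELECT SYS_CONTEXT('USERENV', 'SESSION_USER')          AS schema_user,   -- HR_SHARED
       SYS_CONTEXT('USERENV', 'EXTERNAL_NAME')         AS enterprise_dn, -- directory DN
       SYS_CONTEXT('USERENV', 'AUTHENTICATION_METHOD') AS auth_method    -- PASSWORD, KERBEROS, SSL
  FROM dual;
```

The point to check after deployment is the last query: if EXTERNAL_NAME comes back empty for a session on the shared schema, the mapping is not in effect and the audit trail will record only HR_SHARED.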
Need for Stronger and Transparent Access Control
Key Drivers
  • Restrict full access to data for privileged users
    • Administrators
    • Developers/QA
    • Application users
  • Easily implement environment-based access control
    • User parameters
    • Network parameters
    • Database parameters
Key Requirements
  • Applies to existing legacy applications
  • Support for custom policies
  • Difficult to circumvent
  • Minimal performance impact
Oracle Database Vault: Compliance and Insider Threats
  • Controls on privileged users
    • Restrict DBAs from application data
    • Provide separation of duty
    • Security for database and information consolidation
  • Enforce data access security policies
    • Control who, when, where and how data is accessed
    • Make decisions based on IP address, time, authentication method, …
  • Available on Oracle Database 10g Release 2 and Oracle Database 9.2.0.8
    • Validated with PeopleSoft
    • Validation for E-Business Suite, Siebel and others in progress
Components: Protection Realms, Command Rules, Multi-Factor Authorization, Separation of Duty, Reports
Oracle Database Vault: Protection Realms
  • Compliance and protection from insiders: a DBA running "select * from HR.emp" is stopped by the HR Realm
  • Server consolidation: the HR DBA cannot view Finance data and the FIN DBA cannot view HR data (HR Realm, Fin Realm)
  • Eliminates security risks from server consolidation
Realms can be easily applied to existing applications with transparency and minimal performance impact
Oracle Database Vault: Transparent Multi-Factor Authorization
(Diagram: a SELECT against the HR account is evaluated against the client IP address and blocked from an unexpected IP address; a CREATE by the FIN DBA is evaluated against business hours)
Oracle Database Vault: Transparent Protection
  1. Define realms (block highly privileged users)
  2. Add SQL command rules (optional)
  3. Add other security policies (optional)
  4. Deploy the security policies with PL/SQL scripts
  5. Test your application
  6. Consider application maintenance
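Steps 1, 2 and 4 above as one deployment script, added here as an example that is not the deck's own code. It assumes a FIN schema, an application role FIN_ADMIN, an application subnet 10.20.0.0/16 and that it is run by a Database Vault owner (DV_OWNER) on 10gR2 or 11g:

```sql
-- Added example, not from the deck. FIN, FIN_ADMIN and 10.20.x.x are assumed.
BEGIN
  -- Step 1: a realm around every object in FIN. After this, SELECT ANY TABLE
  -- or DBA privileges no longer reach FIN data; only realm authorizations do.
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'FIN Realm',
    description   => 'Financial data, fenced off from privileged users',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);   -- log every blocked attempt

  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'FIN Realm',
    object_owner => 'FIN',
    object_name  => '%',          -- all objects ...
    object_type  => '%');         -- ... of all types

  -- Holders of FIN_ADMIN may work inside the realm; nobody else can,
  -- regardless of system privileges.
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'FIN Realm',
    grantee       => 'FIN_ADMIN',
    rule_set_name => NULL,
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_OWNER);

  -- Step 2: multi-factor rules. DVF.F$CLIENT_IP is a default factor function.
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'From App Subnet',
    rule_expr => 'DVF.F$CLIENT_IP LIKE ''10.20.%''');
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Business Hours',
    rule_expr => 'TO_NUMBER(TO_CHAR(SYSDATE, ''HH24'')) BETWEEN 8 AND 18');

  DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'FIN DDL Window',
    description     => 'DDL in FIN only from the app subnet during business hours',
    enabled         => DBMS_MACUTL.G_YES,
    eval_options    => DBMS_MACUTL.G_RULESET_EVAL_ALL,    -- every rule must be true
    audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
    fail_options    => DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => 'DDL on FIN is restricted to the maintenance window',
    fail_code       => 20001,
    handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);
  DBMS_MACADM.ADD_RULE_TO_RULE_SET('FIN DDL Window', 'From App Subnet');
  DBMS_MACADM.ADD_RULE_TO_RULE_SET('FIN DDL Window', 'Business Hours');

  -- Command rule: CREATE TABLE in schema FIN is allowed only when the
  -- rule set evaluates to true, even for the schema owner.
  DBMS_MACADM.CREATE_COMMAND_RULE(
    command       => 'CREATE TABLE',
    rule_set_name => 'FIN DDL Window',
    object_owner  => 'FIN',
    object_name   => '%',
    enabled       => DBMS_MACUTL.G_YES);
END;
/

-- Checks: confirm the realm and command rule are enabled, then log in as a
-- DBA without FIN_ADMIN and run SELECT * FROM fin.ledger; the realm raises
-- ORA-01031 and writes a failure record.
SELECT realm_name, enabled FROM DVSYS.DBA_DV_REALM WHERE realm_name = 'FIN Realm';
SELECT command, object_owner, rule_set_name, enabled
  FROM DVSYS.DBA_DV_COMMAND_RULE WHERE object_owner = 'FIN';
```

Step 5 matters more than it looks: an application that creates tables at run time (ETL loads, reporting tools) will hit the command rule from the wrong subnet or at the wrong hour, so the test pass should exercise those paths before the realm goes into production.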
Major Financial Services Company: Use Case
  • Control privileged users
    • Prevent DBAs from accessing sensitive data in realms
    • Set up multiple levels of DBAs
  • Control access based upon environmental factors
    • Restrict hostnames authorized to access the database
    • Control access based on geography
  • Control use of ad-hoc query tools; enforce maintenance periods
    • Restrict connections by ad-hoc query tools to maintenance times
  • Control patching activity
    • Patching requires another monitoring user to be logged in
  • Control unauthorized database changes
Noel Yuhanna, Research Analyst, Forrester:
"The Database Vault features will be in demand, especially for databases that contain private data. Enterprises want their administrators to manage their databases, not data. Oracle is leading the pack of database makers with the new access restriction features. Microsoft, IBM and Sybase don't have anything like this."
"Oracle wants to rein in database admins", ZDNet News, April 25, 2006
Need for Label Authorizations
Key Driver
  • Extended security authorizations for need-to-know enforcement
    • Payment Card Industry (PCI) requirement
    • Protection of PII data
    • Multi-level security (Government and Defense)
Key Requirements
  • Transparent
  • Performant
  • Highly adaptable
  • Evaluated (Government and Defense)
Oracle Label Security: Label-Based Access Control
  • Extend security authorizations
    • Label authorizations
  • Data classification
    • Sensitivity labels
  • Flexible and adaptable
    • Database and application users
    • Multiple enforcement options
    • Built-in mediation routines
  • Available since Oracle8i
(Diagram: rows labeled Sensitive: PII, Confidential and Public; a user whose label authorization is Confidential is mediated by OLS and sees only the Confidential and Public rows)
Oracle Label Security: Multi-level (Row-level) Security, Government and Defense Case
  Operation                  Sensitivity Label
  Pacific Alpha              Secret
  Project Secure Border      Top Secret
  Latin America Operation    Secret
  Desert Storm               Secret
  Border Protection Alpha    Top Secret
  Secure Flights             Public
(The slide also carried Start Date and Status columns; their values are not in this extraction.)
See the OLS Best Practices for Government and Defense technical white paper on OTN
Oracle Label Security: Manageability
  • Comprehensive API available
  • Integrated with Oracle Identity Management
Graciela Mucci, CIO, ARTEAR:
"Instead of maintaining security policies in our applications and database, Oracle Label Security allowed us to apply these access controls where it matters most: the centralized database on a scalable Oracle RAC system."
Sept. '06
Oracle Label Security: Deployment Guide
  1. Identify and define labels based on company programs and/or data (new ones can be defined later)
  2. Provision user label authorizations: in the database or in Oracle Identity Management, for database or application users
  3. Apply OLS functions in applications or the database; extend Database Vault factors, command rules, separation of duty, VPD
  4. Use the GUI or API to protect application tables (optional; required only for transparent access mediation for multi-level security)
  5. Label the data (optional; required only for transparent access mediation for multi-level security)
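The five steps carried through for one table, as an added example that is not the deck's own code. It assumes an 11g database with OLS installed, a FIN.LEDGER table with an ACCOUNT_TYPE column, a database user ANALYST, and that the first block runs as LBACSYS and the rest as a user holding the FIN_POLICY_DBA role that CREATE_POLICY generates:

```sql
-- Added example, not from the deck. FIN.LEDGER, ANALYST and the label
-- names are assumed. Block 1 runs as LBACSYS.
BEGIN
  -- Step 1: the policy; OLS adds the (hidden) OLS_LABEL column to
  -- every table the policy is applied to.
  SA_SYSDBA.CREATE_POLICY(
    policy_name     => 'FIN_POLICY',
    column_name     => 'OLS_LABEL',
    default_options => 'READ_CONTROL,WRITE_CONTROL,HIDE');
END;
/
-- From here on: run as a holder of FIN_POLICY_DBA.
BEGIN
  -- Levels are ordered: a higher number dominates a lower one.
  SA_COMPONENTS.CREATE_LEVEL('FIN_POLICY', 1000, 'PUB',  'Public');
  SA_COMPONENTS.CREATE_LEVEL('FIN_POLICY', 2000, 'CONF', 'Confidential');
  SA_COMPONENTS.CREATE_LEVEL('FIN_POLICY', 3000, 'SENS', 'Sensitive: PII');
  -- Compartments are unordered; a reader must hold every compartment a row carries.
  SA_COMPONENTS.CREATE_COMPARTMENT('FIN_POLICY', 10, 'PAY', 'Payroll');

  -- Labels that rows are allowed to carry (tag, then "LEVEL:COMPARTMENTS").
  SA_LABEL_ADMIN.CREATE_LABEL('FIN_POLICY', 100, 'PUB');
  SA_LABEL_ADMIN.CREATE_LABEL('FIN_POLICY', 200, 'CONF');
  SA_LABEL_ADMIN.CREATE_LABEL('FIN_POLICY', 300, 'SENS:PAY');

  -- Step 2: authorizations. ANALYST reads up to CONF, so SENS:PAY rows are
  -- invisible; the schema owner gets FULL to relabel existing data.
  SA_USER_ADMIN.SET_USER_LABELS(
    policy_name     => 'FIN_POLICY',
    user_name       => 'ANALYST',
    max_read_label  => 'CONF',
    max_write_label => 'CONF',
    min_write_label => 'PUB',
    def_label       => 'CONF',
    row_label       => 'CONF');
  SA_USER_ADMIN.SET_USER_PRIVS('FIN_POLICY', 'FIN', 'FULL');

  -- Step 4: protect the table. Without a label function, new rows get the
  -- inserting session's row label.
  SA_POLICY_ADMIN.APPLY_TABLE_POLICY(
    policy_name => 'FIN_POLICY',
    schema_name => 'FIN',
    table_name  => 'LEDGER');
END;
/

-- Step 5 (as FIN): label existing rows. The hidden column can still be
-- named explicitly; CHAR_TO_LABEL turns the text label into its tag.
UPDATE fin.ledger SET ols_label = CHAR_TO_LABEL('FIN_POLICY', 'SENS:PAY')
 WHERE account_type = 'PAYROLL';
UPDATE fin.ledger SET ols_label = CHAR_TO_LABEL('FIN_POLICY', 'CONF')
 WHERE ols_label IS NULL;
COMMIT;

-- Check (as ANALYST): the SENS:PAY group is absent, the others are counted.
SELECT LABEL_TO_CHAR(ols_label) AS label, COUNT(*) AS rows_visible
  FROM fin.ledger
 GROUP BY LABEL_TO_CHAR(ols_label);
```

Step 3 is where this differs from VPD: the same labels can be consulted from application code through the OLS API, so a mid-tier that knows a user's clearance can enforce it before the query ever reaches the table, while the table policy remains the backstop.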
Need for Fine-grained Access Control: Database-enforced Query Modification
Key Driver
  • Data consolidation requires stronger security
  • Large warehouses need to logically partition information
  • Database-enforced security simplifies applications
Key Requirements
  • Transparent
  • Performant
  • Highly adaptable
Virtual Private Database: Policy-based Query Modification
  • Database-enforced security policies for query modification
  • Introduced in Oracle8i
  • Attach to a table, a view, or a table + column
(Diagram: "select * from employees" is rewritten by VPD to "... where account_mgt_id = 148"; the SOCIAL_SECURITY_NUMBER column lists 431-395-9332 and 381-395-9223 for the rows that remain)
Virtual Private Database: Column-Relevant Policies (10g)
(Diagram: with a column-relevant policy, "select cust_last_name, social_security_number from accts" returns every row, but the SOCIAL_SECURITY_NUMBER value is present only for rows the policy allows)
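Both slides as working policies, added here as an example that is not the deck's own code. It assumes an HR.EMPLOYEES table with ACCOUNT_MGT_ID and SOCIAL_SECURITY_NUMBER columns, a database role PAYROLL_ROLE, and a mid-tier that calls hr.app_ctx_pkg.set_mgr with the caller's manager id after taking a connection:

```sql
-- Added example, not from the deck. HR.EMPLOYEES, PAYROLL_ROLE and
-- app_ctx_pkg are assumed names.

-- Application context: only the named package may write it, so a session
-- cannot set its own manager id with a plain DBMS_SESSION call.
CREATE OR REPLACE CONTEXT app_ctx USING hr.app_ctx_pkg;

CREATE OR REPLACE PACKAGE hr.app_ctx_pkg AS
  PROCEDURE set_mgr(p_mgr_id IN NUMBER);
END app_ctx_pkg;
/
CREATE OR REPLACE PACKAGE BODY hr.app_ctx_pkg AS
  PROCEDURE set_mgr(p_mgr_id IN NUMBER) IS
  BEGIN
    DBMS_SESSION.SET_CONTEXT('app_ctx', 'mgr_id', TO_CHAR(p_mgr_id));
  END set_mgr;
END app_ctx_pkg;
/

-- Row policy function: the returned string is appended as a WHERE clause.
CREATE OR REPLACE FUNCTION hr.emp_rows(p_schema IN VARCHAR2, p_object IN VARCHAR2)
  RETURN VARCHAR2 AS
BEGIN
  IF SYS_CONTEXT('USERENV', 'SESSION_USER') = 'HR' THEN
    RETURN NULL;            -- schema owner: no predicate
  END IF;
  IF SYS_CONTEXT('app_ctx', 'mgr_id') IS NULL THEN
    RETURN '1=0';           -- context never set: fail closed, return no rows
  END IF;
  -- Reference the context inside the predicate so one shared cursor serves all managers.
  RETURN 'account_mgt_id = SYS_CONTEXT(''app_ctx'', ''mgr_id'')';
END emp_rows;
/

-- Column policy function: SSN is readable only with PAYROLL_ROLE enabled.
CREATE OR REPLACE FUNCTION hr.ssn_visible(p_schema IN VARCHAR2, p_object IN VARCHAR2)
  RETURN VARCHAR2 AS
BEGIN
  IF DBMS_SESSION.IS_ROLE_ENABLED('PAYROLL_ROLE') THEN
    RETURN NULL;            -- true for every row: column shown
  END IF;
  RETURN '1=0';             -- false for every row: column returned as NULL
END ssn_visible;
/

BEGIN
  -- Row-level policy (8i behaviour): rows outside the predicate are not returned.
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'HR',
    object_name     => 'EMPLOYEES',
    policy_name     => 'EMP_ROW_FILTER',
    function_schema => 'HR',
    policy_function => 'EMP_ROWS',
    statement_types => 'SELECT,UPDATE,DELETE',
    update_check    => TRUE);    -- reject updates that would move a row out of scope

  -- Column-relevant policy (10g): rows still come back, the SSN column is
  -- NULL where the predicate is false. ALL_ROWS selects masking rather than filtering.
  DBMS_RLS.ADD_POLICY(
    object_schema         => 'HR',
    object_name           => 'EMPLOYEES',
    policy_name           => 'EMP_SSN_MASK',
    function_schema       => 'HR',
    policy_function       => 'SSN_VISIBLE',
    statement_types       => 'SELECT',
    sec_relevant_cols     => 'SOCIAL_SECURITY_NUMBER',
    sec_relevant_cols_opt => DBMS_RLS.ALL_ROWS);
END;
/

-- Check from an application session after set_mgr(148):
--   SELECT last_name, social_security_number FROM hr.employees;
-- returns only account_mgt_id = 148 rows, with the SSN column NULL unless
-- PAYROLL_ROLE is enabled in that session.
```

Two caveats belong next to any VPD design. The policy function's own errors or an unset context must default to an empty result (the '1=0' branch), never to NULL, because NULL means "no restriction". And VPD is bypassed by SYS and by any user holding EXEMPT ACCESS POLICY, which is exactly the gap the Database Vault slides address for privileged users.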
The Need for Encryption
Key Drivers
  • Millions of records lost and many more vulnerable
    • Laptops stolen, backups lost, disks replaced for maintenance, customer credit card numbers
  • Worldwide privacy, security and compliance regulations
    • Personal privacy data: credit cards, social ID, …
    • PCI, California SB 1386, country-specific laws
Key Requirements
  • Encrypting data in existing applications with minimal performance impact
  • Automated key management
Oracle Advanced Security: Transparent Encryption and Strong Authentication
  • Transparent Data Encryption: data written to disk is transparently encrypted and transparently decrypted through the SQL interface
  • Transparent network encryption
  • Strong authentication (PKI, Kerberos)
  • With RMAN, entire backups sent to disk can be encrypted
Oracle Advanced Security: Transparent Data Encryption Manageability (11g)
Oracle Advanced Security: Oracle Database 11g Enhancements
  • Tablespace encryption
    • Define a new tablespace as encrypted; no need to specify columns
    • Even more transparent than existing column TDE
    • Supports range scans
    • Supports foreign keys
    • Existing content can be moved into encrypted tablespaces
  • SecureFile LOB encryption
  • Hardware Security Module integration
    • Generate, store and manage the master key in an external hardware device
    • Standard PKCS #11 API lets customers choose among HSM vendors
Transparent Data Encryption: Easy Uptake
  • No changes to existing applications
    • No triggers, no views
  • Minimal performance impact
  • Built-in key management
    • No crash course needed in encryption or key management; just focus on business logic
  • Simple ALTER TABLE statement
    • Include the changes in a script
TDE is supported by Oracle E-Business Suite and SAP
Transparent Data Encryption: Deployment Guide for Column Encryption
Five easy steps:
  1. Identify columns holding sensitive data: credit cards, SSNs, …
  2. Verify that TDE supports the column's datatype (TDE supports most commonly used datatypes)
  3. Verify that the column is not part of a foreign key (simple data dictionary query)
  4. Set up and initialize the master key
  5. Encrypt existing and new data: SQL Developer GUI or command-line DDL (ALTER TABLE …)
Visit OTN for a complete list of data types and more
Transparent Data Encryption: Deployment Guide for Tablespace Encryption (11g)
  1. Identify tables holding sensitive data: credit card numbers, SSNs, other personally identifiable information (PII)
  2. Create new encrypted tablespaces, using EM or the command line
  3. Move the tables into the new encrypted tablespaces
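The column guide and the tablespace guide carried through on one table, as an added example that is not the deck's own code. It assumes an 11g database whose sqlnet.ora already names a wallet directory, a SALES.CUSTOMERS table with CC_NUMBER and SSN columns and a primary-key index CUSTOMERS_PK, and that the wallet password and datafile path are placeholders:

```sql
-- Added example, not from the deck. The wallet password, the datafile path
-- and SALES.CUSTOMERS are assumed. sqlnet.ora is assumed to contain:
--   ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=
--     (DIRECTORY=/u01/app/oracle/admin/orcl/wallet)))

-- Column step 4 (and a prerequisite for tablespace encryption): create the
-- master key. On first use this also creates and opens the wallet.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "W4ll3t-P4ssw0rd";
-- After every restart the wallet must be reopened before encrypted data
-- is readable (unless an auto-login wallet is configured):
--   ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "W4ll3t-P4ssw0rd";

-- Column step 3: column TDE rejects foreign-key columns, so look first.
SELECT cc.table_name, cc.column_name, c.constraint_name
  FROM dba_cons_columns cc
  JOIN dba_constraints  c ON c.owner = cc.owner
                         AND c.constraint_name = cc.constraint_name
 WHERE c.constraint_type = 'R'
   AND cc.owner = 'SALES' AND cc.table_name = 'CUSTOMERS';

-- Column step 5. A salted encrypted column cannot be indexed, so a column
-- used for equality lookups takes NO SALT; the rest keep the default salt.
ALTER TABLE sales.customers MODIFY (cc_number ENCRYPT USING 'AES256' NO SALT);
ALTER TABLE sales.customers MODIFY (ssn ENCRYPT);    -- default: AES192, salted

-- Verify what is encrypted and how.
SELECT table_name, column_name, encryption_alg, salt
  FROM dba_encrypted_columns
 WHERE owner = 'SALES';

-- Tablespace steps 2 and 3 (11g, requires COMPATIBLE >= 11.1.0): no column
-- list, and range scans and foreign keys keep working because blocks are
-- decrypted on the way into the buffer cache.
CREATE TABLESPACE secure_ts
  DATAFILE '/u01/app/oracle/oradata/orcl/secure_ts01.dbf' SIZE 200M
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

ALTER TABLE sales.customers MOVE TABLESPACE secure_ts;
-- MOVE leaves indexes unusable; rebuild them into the encrypted tablespace too.
ALTER INDEX sales.customers_pk REBUILD TABLESPACE secure_ts;

SELECT tablespace_name, encrypted FROM dba_tablespaces
 WHERE tablespace_name = 'SECURE_TS';
SELECT ts#, encryptionalg FROM v$encrypted_tablespaces;
```

One operational point the slides leave implicit: the wallet is the key. Back it up separately from the database backups (a backup that contains both the encrypted datafiles and the wallet that opens them protects nothing), and keep the copy of the old wallet after a master-key rotation because RMAN backups taken before the rotation still depend on it.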
Data Security: Oracle Products
  • Monitoring
    • Oracle Database Auditing
    • Oracle Audit Vault
    • EM Configuration Pack
  • User Management: Oracle Identity Management, Enterprise User Security
  • Access Control: Oracle Database Vault, Oracle Label Security, Virtual Private Database
  • Data Protection: Oracle Advanced Security, Oracle Secure Backup
  • Core Platform Security underlies all of the above
Need for Auditing Database Activity
Key Drivers
  • Regulatory compliance (SOX, PCI, privacy, …)
    • Risk assessment and compensating controls
    • Demonstrate controls for compliance
  • Security
    • Detect misuse of privileges
Key Requirements
  • Collect audit trail data from many audit silos
  • Automate review of the audit trail logs and raise alerts
  • Centralize audit policy management
  • Secure the audit trail
  • Minimize performance impact on production systems
Auditing in the Oracle Database: Robust, Flexible and High-Fidelity Audit
  • Industry's most advanced
    • Robust auditing since Oracle7 (1993)
    • Audit by statement, privilege, statement event, failure or success; SYS auditing
    • Fine-grained auditing introduced in Oracle9i (2001)
    • Flexible format supporting XML, SYSLOG, database tables, Windows event viewer
  • Used by customers today in nearly all markets
    • Finance
    • Healthcare
    • Government
Oracle Database Auditing: Overview
  • Statement auditing
    • Selective auditing of related groups of DDL/DML statements regarding a particular type of database structure or schema object
    • Can be specified for all users or for only a select list
  • Privilege auditing
    • Auditing of statements that require the use of a system privilege
    • Can be specified for all users or for only a select list
  • Schema object auditing
    • Auditing of all SELECT and DML statements that require the use of schema object privileges
    • For all users; cannot be set for a specific list of users
Oracle Database Auditing: Overview (continued)
  • Fine-Grained Auditing
    • Introduced in Oracle9i
    • Policy / condition based auditing
    • Audit policies stored in the database, associated with tables
    • Policy invoked (audit condition tested) when the table is accessed; can audit when a specific column is accessed
(Diagram: "select name, salary from emp where ..." is checked against the policy "WHERE salary > 500000, AUDIT COLUMN = salary" enforced in the database, and an audit record is generated only when the condition holds)
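The four audit types above configured together, as an added example that is not the deck's own code. It assumes the HR.EMP table from the diagram, two named DBA accounts APP_DBA1 and APP_DBA2, and a database audit trail (AUDIT_TRAIL=DB,EXTENDED, set in the spfile and followed by a restart):

```sql
-- Added example, not from the deck. HR.EMP, APP_DBA1/APP_DBA2 and the
-- parameter settings below are assumed.
--   ALTER SYSTEM SET audit_trail = DB,EXTENDED SCOPE=SPFILE;    -- then restart
--   ALTER SYSTEM SET audit_sys_operations = TRUE SCOPE=SPFILE;  -- SYS goes to OS/syslog, not AUD$

-- Statement auditing: logons for everyone, table DDL only for a short list.
AUDIT SESSION;
AUDIT TABLE BY app_dba1, app_dba2 BY ACCESS;

-- Privilege auditing: any use of "ANY" privileges, which bypass object grants.
AUDIT SELECT ANY TABLE, UPDATE ANY TABLE, GRANT ANY PRIVILEGE BY ACCESS;

-- Schema object auditing: every SELECT/DML on the sensitive table, all users.
AUDIT SELECT, INSERT, UPDATE, DELETE ON hr.emp BY ACCESS;

-- Fine-grained auditing: one record only when the statement touches SALARY
-- and a row with salary > 500000 is actually read or changed.
BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema   => 'HR',
    object_name     => 'EMP',
    policy_name     => 'EMP_HIGH_SALARY',
    audit_condition => 'SALARY > 500000',
    audit_column    => 'SALARY',
    statement_types => 'SELECT,UPDATE',
    audit_trail     => DBMS_FGA.DB + DBMS_FGA.EXTENDED);  -- keep SQL text and binds
END;
/

-- Review 1: who looked at high salaries, with the exact statement and binds.
SELECT db_user, client_id, timestamp, sql_text, sql_bind
  FROM dba_fga_audit_trail
 WHERE policy_name = 'EMP_HIGH_SALARY'
 ORDER BY timestamp DESC;

-- Review 2: privileged access that reached HR.EMP via an ANY privilege
-- rather than an object grant (the insider pattern the slides describe).
SELECT username, action_name, obj_name, priv_used, returncode, timestamp
  FROM dba_audit_trail
 WHERE owner = 'HR' AND obj_name = 'EMP'
   AND priv_used LIKE '%ANY%'
 ORDER BY timestamp DESC;

-- Review 3: the audit settings themselves, so a quietly issued NOAUDIT shows up.
SELECT privilege, success, failure FROM dba_priv_audit_opts;
SELECT owner, object_name, sel, upd, del FROM dba_obj_audit_opts WHERE owner = 'HR';
```

The FGA condition is evaluated per row against the data, not the predicate, so a query with no WHERE clause that happens to return a high salary is audited, while one whose rows are all below the threshold is not. That is what keeps FGA volume low enough to run on a production table, and why the audit column should be the sensitive column rather than the key.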
Oracle Audit Vault: Trust-but-Verify
  • Collect and consolidate audit data
    • Oracle 9i Release 2 and higher
  • Simplify compliance reporting
    • Built-in reports
    • Custom reports
  • Detect and prevent insider threats
    • Alert on suspicious activity
  • Scale and security
    • Robust Oracle Database technology
    • Database Vault, Advanced Security
    • Partitioning
  • Lower IT costs with audit policies
    • Centrally manage/provision audit settings
(Diagram: Audit Vault with Monitor, Policies, Security and Reports functions collecting from Oracle Database 9iR2, 10gR1, 10gR2 and 11gR1; other sources and databases planned for the future)
Audit Vault Reports: Out-of-the-box Audit Assessments and Custom Reports
  • Out-of-the-box reports
    • Privileged user activity
    • Access to sensitive data
    • Role grants
    • DDL activity
    • Login/logout
  • User-defined reports
    • What did privileged users do on the financial database?
    • What did user 'A' do across multiple databases?
    • Who accessed sensitive data?
  • Custom reports
    • Oracle BI Publisher, Application Express, or 3rd-party tools
Oracle Audit Vault Data Warehouse: Scalable, Flexible and Secure
  • Audit warehouse
    • Enable business intelligence and analysis
  • Performance and scalability
    • Built-in partitioning
    • Scales to terabytes
  • Security
    • Separation of duty
    • Oracle Database Vault
    • Oracle Advanced Security
  • Oracle RAC certified
Oracle Audit Vault: Manageability
  • Audit Vault dashboard
    • Enterprise overview
    • Alerts and reports
    • Administration
    • Audit policies
  • Audit Vault policies
    • Provision database audit settings centrally for compliance policies
    • Collect audit settings from the databases
    • Compare against existing audit settings on the source
    • Demonstrate compliance
Ari Kaplan, President, Independent Oracle Users Group (IOUG):
"If they're smart, a DBA can modify data and cover their tracks since DBAs tend to have unlimited access to databases. The technologies in Oracle's vaulting software make that impossible since every action a DBA executes effectively goes into a lockbox that they are powerless to modify."
July '07
Integrating with Oracle Audit Vault: Levels of Integration
  • Leverage native database auditing beneath applications
    • Turn on database auditing under the application for compliance-specific events (DDL, DBA logins)
    • Low performance impact utilizing OS audit trail records
    • Fine-grained auditing (FGA) specific to sensitive tables
  • End-user identity propagation
    • Pass the "client identifier" from the mid-tier, or initialize it after connection; it is recorded in the audit trail
  • Extensible reporting
    • Build custom reports against the Audit Vault warehouse
    • Use the Audit Vault SDK for application-specific auditing
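End-user identity propagation in practice, as an added example that is not the deck's own code. It assumes a pooled mid-tier account APP_POOL, that object auditing of HR.EMP is already enabled, and that the end-user name is a placeholder:

```sql
-- Added example, not from the deck. APP_POOL, HR.EMP and the user name
-- are assumed; AUDIT SELECT ON hr.emp BY ACCESS is assumed to be in place.

-- Mid-tier side, once per request, right after taking a connection from
-- the pool. Every audit record written by this session now carries the
-- end user in CLIENT_ID even though the database user is APP_POOL.
BEGIN
  DBMS_SESSION.SET_IDENTIFIER('alice@corp.example');
END;
/
SELECT * FROM hr.emp WHERE dept = 10;        -- the application's own work
BEGIN
  DBMS_SESSION.CLEAR_IDENTIFIER;             -- always, before returning the connection
END;
/
-- The same value is visible to VPD and FGA policies as
--   SYS_CONTEXT('USERENV', 'CLIENT_IDENTIFIER')
-- and the Oracle JDBC thin driver sets it with
--   ((oracle.jdbc.OracleConnection) conn).setClientIdentifier(userName);

-- Review side: the pool account is the same for everyone, the identifier is not.
SELECT username, client_id, action_name, obj_name, timestamp
  FROM dba_audit_trail
 WHERE username = 'APP_POOL'
 ORDER BY timestamp DESC;

-- Alert-worthy condition: work done through the pool with nobody stamped on
-- it, which means a code path skipped SET_IDENTIFIER (or someone used the
-- pool credentials directly).
SELECT COUNT(*) AS unattributed_actions
  FROM dba_audit_trail
 WHERE username = 'APP_POOL'
   AND client_id IS NULL
   AND timestamp > SYSDATE - 1;
```

The identifier is set by the application, so it is evidence of what the application claimed, not proof of who typed the request; the control that makes it trustworthy is that only the mid-tier knows the APP_POOL password and that direct logons with that account are themselves audited and alerted on.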
Oracle Audit Vault: Transparently Collecting Audit Data
  1. Define audit policies: privileged users, DDL, fine-grained audit (sensitive data)
  2. Configure collectors: AUD$, OS, REDO
  3. Set up alerts: new user creations, sensitive data access
  4. Run reports: out-of-the-box, or build custom reports using the open data warehouse schema
Oracle Database 11g: Core Database Security Enhancements
  • Secure configuration
    • Continuation of the Secure By Default initiative started in Oracle9i
    • Password management settings
    • Audit sensitive administrative operations by default
  • Stronger password verifier
    • Case-sensitive passwords
    • Backward-compatibility mode
  • Expanded Kerberos support
    • Support principal names up to 2000 characters in length
    • Cross-realm support
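The password-management items above as a post-upgrade checklist, added here as an example that is not the deck's own code. It assumes an 11g database upgraded from 10g, a pooled application account APP_POOL, and that the profile name and limits are choices to be adjusted:

```sql
-- Added example, not from the deck. APP_POOL and the profile limits are assumed.

-- Case-sensitive logon is the 11g default; confirm nobody turned it off.
SELECT name, value FROM v$parameter WHERE name = 'sec_case_sensitive_logon';

-- Backward-compatibility trap: accounts whose password was set before the
-- upgrade still carry only the old 10G verifier and stay case-insensitive
-- until the password is reset. PASSWORD_VERSIONS should read "10G 11G".
SELECT username, password_versions, account_status
  FROM dba_users
 WHERE password_versions NOT LIKE '%11G%';

-- Install the 11g complexity function (creates VERIFY_FUNCTION_11G and
-- attaches it to the DEFAULT profile).
@?/rdbms/admin/utlpwdmg.sql

-- One profile that carries lockout, ageing, reuse and complexity together.
CREATE PROFILE app_users LIMIT
  FAILED_LOGIN_ATTEMPTS    5
  PASSWORD_LOCK_TIME       1/24          -- one hour, then automatic unlock
  PASSWORD_LIFE_TIME       90
  PASSWORD_GRACE_TIME      7
  PASSWORD_REUSE_TIME      365
  PASSWORD_REUSE_MAX       10
  PASSWORD_VERIFY_FUNCTION verify_function_11G;
ALTER USER app_pool PROFILE app_users;

-- Guessing is slowed at the server too, independent of any profile.
ALTER SYSTEM SET sec_max_failed_login_attempts = 3 SCOPE=SPFILE;
ALTER SYSTEM SET sec_protocol_error_further_action = 'DELAY,3';

-- "Audit sensitive administrative operations by default": see what the
-- 11g defaults switched on, so a later NOAUDIT is noticed.
SELECT privilege, success, failure
  FROM dba_priv_audit_opts
 WHERE user_name IS NULL
 ORDER BY privilege;
```

Resetting the passwords flagged by the PASSWORD_VERSIONS query is the step that actually retires the case-insensitive verifier; changing the parameter alone does not rewrite stored verifiers.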