Practical Security: Balancing the Business
Oracle Corporation
David Knox, Chief Security Engineer, North American Sales

What, me worry?
• $25 Million Penalty Assessed Against Riggs Bank (May 15, 2004)
• Former AOL Employee Pleads Guilty in Customer Data Theft (February 7, 2005)
• AmSouth Faces $10M Penalty (October 13, 2004)
• PayPal eMail Addresses Exposed in Attack (January 24, 2005)
• 30,704: average hours a company will spend on Section 404 (SOX) compliance
• $5.1M: average cost of Sarbanes-Oxley compliance for a large U.S. company
• $11.5M: average cost for a healthcare provider to meet HIPAA compliance
• 125: non-frivolous lawsuits pending against a Fortune 500 company at any given time
• $10M: fine against six securities firms for not producing e-mails for the SEC
• 10x: cost of compliance when taking a one-off rather than an integrated approach to compliance projects
• 145,000: number of personal identities compromised in the Choice Point "incident"
"If you spend more on coffee than on IT security, then you will be hacked…what's more, you deserve to be hacked!"
Richard Clarke, Special Advisor to the President, Cyberspace Security, 2002
Two Sides
• Risk: policy makers, security weenies
• Operational objectives: administrators, developers, users
Issues & Concerns
• Intellectual capital
• Financial losses
• Asset protection
• Brand protection
• Public image
• Litigation
• Business risks
• Compliance
• Employee & customer privacy
• Loss of customer trust
Source: "Cybersecurity: It's Dollars and Cents", Business Week, 2/11/2005
Protected Enterprise Challenges
• Reduce risk and liability
• Address regulatory compliance
• Ensure privacy and accountability
• Maintain operational effectiveness
Business needs
• Information Security: Identification (who), Access Controls (what), Auditing (where, when & how)
• Continuity: High Availability, Disaster Recovery, Continuous Operations
Applies to ALL applications across ALL industries
[Figure: consolidated data feeding Alerts, Predictive Modeling, Interactive Applications and Portals through ETL, Web Services and Integration]
1. As data is consolidated it is more usable and less costly to manage
2. Availability and security are now more important
Security is a System
SECURITY = Product + Configuration + Implementation + Policy and Process
Security Realms
• Policies
  • Policy makers are not policy implementers or users
  • FISMA, DITSCAP, 8500.1, HIPAA, CA SB 1386, FERPA, etc.
• Product
  • Buffer overflows
  • Resolved by Oracle Corporate development teams
  • Patches (usually) provided by email blasts from MetaLink
• Configuration
  • Database settings (*.ora)
  • OS file settings
  • Network setup
  • DoE/CIS Benchmark and Oracle Best Practices serve as guide
• Implementation
  • Technologies (VPD, Auditing, etc.)
  • Design choices
Why is Security Hard?
• No system can be 100% secure
  • Reality is risk mitigation, not risk avoidance
• Difficult to prove good security
  • Bad security gets proven to/for us
  • Good security and no security can look the same
  • How does one know how secure they are?
• Many things to secure
  • People, equipment, OS, network, application servers, applications, and databases
Security Tenets
• Security has to be built in to the system, not bolted on afterwards
• Defense in depth: security in layers for higher assurance
• Be proactive
• Abide by the least-privilege principle: grant the specific system privileges an account needs (Create Session, Alter Session, Create Table, Create View, Create Procedure, Create Synonym, Create Sequence, Drop Table) rather than DBA
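The least-privilege tenet applied to an Oracle application schema, as an added example that is not part of the original deck. APP_OWNER, APP_RUNTIME, APP_READ_ROLE and the password are hypothetical names. The schema owner gets only the system privileges it needs to own its objects, the account the application actually connects with gets CREATE SESSION plus object privileges through a role, and neither gets DBA; the closing query is the check a DBA runs to find accounts that did get DBA or an ANY privilege.

```sql
-- Added example (not from the slides). Names and password are hypothetical.

-- Anti-pattern: the "easy" grant that also hands over every ANY privilege
-- GRANT DBA TO app_owner;

-- Schema owner: just enough to create and manage its own objects
CREATE USER app_owner IDENTIFIED BY "Chang3Me_n0w!"
  DEFAULT TABLESPACE users QUOTA 100M ON users;
GRANT CREATE SESSION, ALTER SESSION, CREATE TABLE, CREATE VIEW,
      CREATE SEQUENCE, CREATE SYNONYM, CREATE PROCEDURE TO app_owner;

-- Object privileges go into a role, never straight to a user
CREATE ROLE app_read_role;
GRANT SELECT ON app_owner.emp TO app_read_role;
GRANT SELECT ON app_owner.dept TO app_read_role;

-- Runtime account the application connects as: it owns nothing and can
-- create nothing; it only reads through the role
CREATE USER app_runtime IDENTIFIED BY "An0ther_Chang3Me!"
  DEFAULT TABLESPACE users QUOTA 0 ON users;
GRANT CREATE SESSION TO app_runtime;
GRANT app_read_role TO app_runtime;

-- Check: who holds DBA, and who holds any "ANY" system privilege?
SELECT grantee, granted_role AS privilege, 'ROLE' AS kind
  FROM dba_role_privs
 WHERE granted_role = 'DBA'
UNION ALL
SELECT grantee, privilege, 'SYSPRIV'
  FROM dba_sys_privs
 WHERE privilege LIKE '%ANY%'
   AND grantee NOT IN ('SYS', 'SYSTEM', 'DBA')
 ORDER BY 1, 2;
```

The check query will also list Oracle-supplied accounts and roles on a real instance; the lines worth acting on are application schemas and named people appearing in it.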
Technology and Common Sense Sometimes the answer is easier than you think!
Database Access
• Privileges only from the application: User A reaches the data through the application, not by connecting directly over ODBC, JDBC or SQL*Net
[Figure: User A → Application → Database; direct ODBC/JDBC/SQL*Net connection shown as the path to close]
Database Access: Restricted at the Network Layer
• Firewalls
• OS network firewall
• TNS Listener / Connection Manager
• Strong authentication
• Database logon triggers
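The last item on the slide, a database logon trigger, as an added example that is not part of the original deck. It turns away any session for the application schema that did not arrive from the application tier. APP_OWNER, the two IP addresses and the program name are hypothetical.

```sql
-- Added example (not from the slides). Schema, addresses and program
-- name are hypothetical.
CREATE OR REPLACE TRIGGER sys.restrict_app_logon
  AFTER LOGON ON DATABASE
DECLARE
  l_user    VARCHAR2(128) := SYS_CONTEXT('USERENV', 'SESSION_USER');
  l_ip      VARCHAR2(64)  := SYS_CONTEXT('USERENV', 'IP_ADDRESS');
  l_proto   VARCHAR2(16)  := SYS_CONTEXT('USERENV', 'NETWORK_PROTOCOL');
  l_program VARCHAR2(128) := SYS_CONTEXT('USERENV', 'MODULE');
BEGIN
  IF l_user = 'APP_OWNER' THEN
    -- Only the application servers, over TCP, using the application's
    -- driver. A SQL*Plus or ODBC session from a desktop fails here.
    IF l_proto <> 'tcp'
       OR l_ip NOT IN ('10.1.20.11', '10.1.20.12')
       OR l_program NOT LIKE 'JDBC Thin Client%' THEN
      RAISE_APPLICATION_ERROR(-20001,
        'Direct connections to APP_OWNER are not permitted from '
        || NVL(l_ip, 'local') || ' (' || NVL(l_program, 'unknown') || ')');
    END IF;
  END IF;
END;
/
```

Two caveats a practitioner would want: MODULE is set by the client, so the program check is a convenience, not a control; the IP and protocol checks are the ones that matter. And an exception raised here does not block accounts holding ADMINISTER DATABASE TRIGGER (SYS among them), which is by design so a broken trigger cannot lock everyone out. The same restriction belongs one layer down as well: the listener's TCP.VALIDNODE_CHECKING and TCP.INVITED_NODES settings in sqlnet.ora refuse the connection before it ever reaches the database.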
Technology Challenges: Encryption
• Applies to tables and views
• Key management
• Application transparency
• Performance
• Options: DBMS_OBFUSCATION_TOOLKIT, DBMS_CRYPTO, 3rd-party crypto
[Figure: the EMP ENAME column before and after encryption, e.g. KING becomes sfING, SCOTT becomes SCOjd, BLAKE becomes ByAgE, JAMES becomes gAMES]
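Column encryption with DBMS_CRYPTO (the 10g option on the slide), as an added example that is not part of the original deck, written to make all three challenges visible in the code. The package name EMP_CRYPT, the ENAME_ENC column and the separate KEYSTORE.GET_KEY routine that hands out the key are hypothetical.

```sql
-- Added example (not from the slides). EMP_CRYPT, ENAME_ENC and
-- KEYSTORE.GET_KEY are hypothetical. Requires EXECUTE on DBMS_CRYPTO.
CREATE OR REPLACE PACKAGE emp_crypt AS
  FUNCTION encrypt_name(p_ename IN VARCHAR2) RETURN RAW;
  FUNCTION decrypt_name(p_raw   IN RAW)      RETURN VARCHAR2;
END emp_crypt;
/
CREATE OR REPLACE PACKAGE BODY emp_crypt AS
  -- AES-256, CBC mode, PKCS#5 padding
  c_mode CONSTANT PLS_INTEGER := DBMS_CRYPTO.ENCRYPT_AES256
                               + DBMS_CRYPTO.CHAIN_CBC
                               + DBMS_CRYPTO.PAD_PKCS5;

  -- Key management: the hard part. The key must not live in the table,
  -- this package, or any schema the data readers can see. Here it comes
  -- from a separate, tightly granted schema (hypothetical).
  FUNCTION get_key RETURN RAW IS
  BEGIN
    RETURN keystore.get_key('EMP_ENAME');
  END get_key;

  FUNCTION encrypt_name(p_ename IN VARCHAR2) RETURN RAW IS
    l_iv RAW(16) := DBMS_CRYPTO.RANDOMBYTES(16);
  BEGIN
    -- A fresh IV per row, stored in front of the ciphertext, so two
    -- employees with the same name do not produce the same bytes
    RETURN UTL_RAW.CONCAT(l_iv,
             DBMS_CRYPTO.ENCRYPT(
               src => UTL_I18N.STRING_TO_RAW(p_ename, 'AL32UTF8'),
               typ => c_mode, key => get_key, iv => l_iv));
  END encrypt_name;

  FUNCTION decrypt_name(p_raw IN RAW) RETURN VARCHAR2 IS
  BEGIN
    RETURN UTL_I18N.RAW_TO_CHAR(
             DBMS_CRYPTO.DECRYPT(
               src => UTL_RAW.SUBSTR(p_raw, 17),
               typ => c_mode, key => get_key,
               iv  => UTL_RAW.SUBSTR(p_raw, 1, 16)),
             'AL32UTF8');
  END decrypt_name;
END emp_crypt;
/
-- Application transparency: the application must call the wrappers;
-- nothing happens "for free" on INSERT or SELECT
ALTER TABLE emp ADD (ename_enc RAW(64));
UPDATE emp SET ename_enc = emp_crypt.encrypt_name(ename);
SELECT empno, emp_crypt.decrypt_name(ename_enc) AS ename FROM emp;

-- Performance: this predicate cannot use an index on ENAME_ENC, every
-- row is decrypted, so it is a full scan on every lookup
SELECT empno FROM emp WHERE emp_crypt.decrypt_name(ename_enc) = 'KING';
```

Randomised encryption is the right default for confidentiality, and it is exactly what makes the last query slow: equality searches on the ciphertext are impossible, so a column that must be searched needs a different design (a keyed hash beside it, or a lookup on a non-sensitive key) rather than a decrypt in the WHERE clause.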
Access Control (tables, views)
• Controlled by specific object privileges
• Controlled by general system privileges
• Access enabled through procedures using "definer rights"
• Privileges assigned directly or via roles
  • Standard roles enabled/disabled by default
  • Password-protected roles
  • Global roles map to enterprise roles assigned by OID
  • Secure application roles (SAR) allow the DB to control enablement
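The last two bullets together, as an added example that is not part of the original deck: a secure application role that only a definer-rights package can enable, with the package deciding based on how the session arrived. HR_APP_ROLE, APP_SEC.ROLE_MGR, APP_RUNTIME and the addresses are hypothetical.

```sql
-- Added example (not from the slides). All names and addresses are
-- hypothetical.

-- Definer-rights package: runs with APP_SEC's privileges, not the caller's,
-- so the caller never needs (and never gets) the right to enable the role
CREATE OR REPLACE PACKAGE app_sec.role_mgr AUTHID DEFINER AS
  PROCEDURE enable_hr_role;
END role_mgr;
/
CREATE OR REPLACE PACKAGE BODY app_sec.role_mgr AS
  PROCEDURE enable_hr_role IS
  BEGIN
    -- Enable only for sessions that came from the application tier over
    -- a real network protocol; a local/bequeath session or a desktop
    -- client is refused even though it holds the role grant
    IF SYS_CONTEXT('USERENV', 'NETWORK_PROTOCOL') = 'tcp'
       AND SYS_CONTEXT('USERENV', 'IP_ADDRESS') IN ('10.1.20.11', '10.1.20.12')
    THEN
      DBMS_SESSION.SET_ROLE('hr_app_role');
    ELSE
      RAISE_APPLICATION_ERROR(-20002,
        'HR_APP_ROLE is not available from this client');
    END IF;
  END enable_hr_role;
END role_mgr;
/
-- The role is tied to the package: SET ROLE from SQL fails with ORA-28201
CREATE ROLE hr_app_role IDENTIFIED USING app_sec.role_mgr;
GRANT SELECT, UPDATE ON app_owner.emp TO hr_app_role;

-- Grant it, but keep it out of the default roles so nothing is enabled
-- at logon without the package's check
GRANT hr_app_role TO app_runtime;
ALTER USER app_runtime DEFAULT ROLE ALL EXCEPT hr_app_role;
GRANT EXECUTE ON app_sec.role_mgr TO app_runtime;

-- In the application, right after connecting as APP_RUNTIME:
-- EXEC app_sec.role_mgr.enable_hr_role;
```

Note that DBMS_SESSION.SET_ROLE replaces the session's current role set with the roles named, so if the application depends on other roles they have to be listed in the same call.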
Sensitive Column Data
[Figure: the EMP table (ENAME, DEPTNO, SALARY) rendered four ways]
• Encrypted SALARY column: the value is stored as ciphertext (e.g. "Ndm,hj" in place of 4500) and is unreadable without the key
• Oracle Label Security (OLS)
• 10g column-sensitive VPD: every row is returned, but SALARY comes back NULL where the user is not entitled to it
• A view that omits the column: SELECT name, deptno FROM EMP
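The column-sensitive VPD behaviour on the slide, as an added example that is not part of the original deck: rows are always returned, and SALARY is NULLed out rather than the row being hidden. APP_OWNER, HR_ADMIN and the rule (each employee sees only their own salary, HR sees all) are hypothetical.

```sql
-- Added example (not from the slides). Schema, HR_ADMIN and the rule are
-- hypothetical. Requires EXECUTE on DBMS_RLS.

-- Policy function: returns the predicate that decides entitlement
CREATE OR REPLACE FUNCTION app_owner.emp_salary_policy
  (p_schema IN VARCHAR2, p_object IN VARCHAR2) RETURN VARCHAR2 AS
BEGIN
  IF SYS_CONTEXT('USERENV', 'SESSION_USER') = 'HR_ADMIN' THEN
    RETURN NULL;   -- no predicate: HR is entitled to every salary
  END IF;
  -- Everyone else is entitled only to their own record
  RETURN 'ename = SYS_CONTEXT(''USERENV'', ''SESSION_USER'')';
END emp_salary_policy;
/
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema         => 'APP_OWNER',
    object_name           => 'EMP',
    policy_name           => 'EMP_SALARY_COL_POLICY',
    function_schema       => 'APP_OWNER',
    policy_function       => 'EMP_SALARY_POLICY',
    statement_types       => 'SELECT',
    -- the policy only engages when SALARY is referenced ...
    sec_relevant_cols     => 'SALARY',
    -- ... and with ALL_ROWS it masks the column instead of dropping the
    -- row (without this option, non-qualifying rows disappear entirely)
    sec_relevant_cols_opt => DBMS_RLS.ALL_ROWS);
END;
/
-- As SCOTT: every row, SALARY populated only on SCOTT's own row
SELECT ename, deptno, salary FROM app_owner.emp;
-- As SCOTT: the policy does not apply, nothing is masked or filtered
SELECT ename, deptno FROM app_owner.emp;
```

The second query is the view row on the slide from the other direction: a query that never names the sensitive column is not touched by the policy at all, which is why column-sensitive VPD can be dropped onto an existing application without breaking the reports that do not need SALARY.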
Password Policy Example
• Cannot be similar to user's name
• Cannot be easily guessable
• Must be at least 12 characters in length
• Contains upper and lower case characters
• Contains at least one special character
• Contains at least one number
• Rotated every 14 days
• Cannot be re-used for 5 years
My current password: "This1is2Hard!"
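The slide's policy expressed as an Oracle password profile, as an added example that is not part of the original deck. The verify function name, profile name and the small deny list are hypothetical; the 14-day rotation and 5-year reuse ban are transcribed as the slide states them, and the slide's own punchline is that a policy this strict is what puts "This1is2Hard!" on a sticky note.

```sql
-- Added example (not from the slides). Function, profile and deny list are
-- hypothetical. Verify functions must be owned by SYS.
CREATE OR REPLACE FUNCTION sys.strict_verify
  (username     IN VARCHAR2,
   password     IN VARCHAR2,
   old_password IN VARCHAR2) RETURN BOOLEAN AS
  l_pw   VARCHAR2(128) := password;
  l_user VARCHAR2(128) := UPPER(username);
BEGIN
  IF LENGTH(l_pw) < 12 THEN
    RAISE_APPLICATION_ERROR(-20010, 'Password must be at least 12 characters');
  END IF;
  -- "similar to user's name": the user name anywhere inside the password
  IF INSTR(UPPER(l_pw), l_user) > 0 THEN
    RAISE_APPLICATION_ERROR(-20011, 'Password must not contain the user name');
  END IF;
  -- "easily guessable": a deny list; a real one is a table, not a literal
  IF UPPER(l_pw) IN ('PASSWORD1234!', 'CHANGEME1234!', 'WELCOME12345!') THEN
    RAISE_APPLICATION_ERROR(-20012, 'Password is too easy to guess');
  END IF;
  IF NOT REGEXP_LIKE(l_pw, '[A-Z]') OR NOT REGEXP_LIKE(l_pw, '[a-z]') THEN
    RAISE_APPLICATION_ERROR(-20013, 'Password needs upper and lower case');
  END IF;
  IF NOT REGEXP_LIKE(l_pw, '[0-9]') THEN
    RAISE_APPLICATION_ERROR(-20014, 'Password needs at least one number');
  END IF;
  IF NOT REGEXP_LIKE(l_pw, '[^A-Za-z0-9]') THEN
    RAISE_APPLICATION_ERROR(-20015, 'Password needs a special character');
  END IF;
  RETURN TRUE;
END strict_verify;
/
-- Rotation and reuse are profile limits, not verify-function logic.
-- Reuse is blocked only when BOTH REUSE_TIME and REUSE_MAX are met.
CREATE PROFILE strict_pw LIMIT
  PASSWORD_VERIFY_FUNCTION strict_verify
  PASSWORD_LIFE_TIME       14          -- days
  PASSWORD_GRACE_TIME      3
  PASSWORD_REUSE_TIME      1825        -- 5 years
  PASSWORD_REUSE_MAX       1
  FAILED_LOGIN_ATTEMPTS    5
  PASSWORD_LOCK_TIME       1/24;       -- one hour
ALTER USER app_runtime PROFILE strict_pw;
```

Applying the profile to existing users does not force a change until their current password expires under PASSWORD_LIFE_TIME, so a rollout of rules like these is a 14-day event, not an instant one.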
Balancing the Business
• Need flexibility to adjust to the current situation
• Best case: accommodate all requirements
[Figure: triangle of competing factors: Usability × Security × Performance]
Make Security a First-Class Citizen
• Security placed in at design
• Multi-layered implementation
• Proactively act to maintain a strong posture
• Mitigate the risks; don't eliminate the risks
• Apply common sense before applying cool technology
• Consider the competing factors
• Make it practical, usable and performant
Questions & Answers
Practical Security Part II: Coming Next ... Your Need to Know