How a Protected Enterprise Reduces Risk and Liability
Oracle Corporation
Mike Mull, CISSP, Solution Specialist, Oracle Protected Enterprise Group

The Burden is Real: Issues & Concerns
• Intellectual capital
• Financial losses
• Asset protection
• Brand protection
• Public image
• Litigation
• Business risks
• Compliance
• Employee & customer privacy
• Loss of customer trust
Source: "Cybersecurity: It's Dollars and Cents", Business Week, 2/11/2005
Protected Enterprise Challenges
• Address regulatory compliance
• Ensure privacy and accountability
• Reduce risk and liability
• Increase business agility
• Maintain operational effectiveness
Information Security: Identification (who), Access Controls (what), Auditing (where, when & how)
Business Continuity: High Availability, Disaster Recovery, Continuous Operations
Applies to ALL applications across ALL industries

[Diagram: Integrated Security] Data Security for data in motion (Secure Channels) and data at rest; Auditing and Access Management (Single Sign-on, Single Console Administration); Business Continuity (Disaster Recovery)

[Diagram: Security is a System] SECURITY = Product + Configuration + Implementation + Policy and Process
Security Realms
• Policies and Processes
  • Policy makers are not policy implementers or users
  • Process documentation
• Product
  • Buffer overflows
  • Resolved by the vendor's development teams
  • Example: Oracle distributes patches by email blasts from MetaLink
• Configuration
  • Database settings (*.ora)
  • OS file settings
  • Network setup
  • DoE/CIS Benchmark and Oracle Best Practices serve as a guide
• Implementation
  • Technologies (VPD, Auditing, etc.)
  • Design choices

Why is Security Hard?
• No system can be 100% secure
  • Reality is risk mitigation, not risk avoidance
• Difficult to prove good security
  • Bad security gets proven to/for us
  • Good security and no security can look the same
  • How does one know how secure they are?
• Many things to secure
  • People, equipment, OS, network, application servers, applications, and databases

Password Policy Example
• Cannot be similar to the user's name
• Cannot be easily guessable
• Must be at least 12 characters in length
• Contains upper and lower case characters
• Contains at least one special character
• Contains at least one number
• Rotated every 14 days
• Cannot be re-used for 5 years
My current password: "This1is2Hard!"
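The policy on the slide maps directly onto two Oracle mechanisms: a password verification function for the content rules, and a profile for the rotation and reuse rules. The following is an added example written for this page, not code from the presentation; it assumes a SYS session (verification functions must be owned by SYS), an existing user SCOTT, and an illustrative denied-word list.

```sql
-- Added example, not from the slides: enforce the policy above in Oracle with
-- a custom PASSWORD_VERIFY_FUNCTION plus a profile.  Assumptions: run as SYS,
-- user SCOTT exists, the denied-word list is illustrative only.
CREATE OR REPLACE FUNCTION verify_12char_policy (
  username     IN VARCHAR2,
  password     IN VARCHAR2,
  old_password IN VARCHAR2) RETURN BOOLEAN IS
  l_pw     VARCHAR2(4000) := LOWER(password);
  l_user   VARCHAR2(128)  := LOWER(username);
  l_denied SYS.ODCIVARCHAR2LIST :=
    SYS.ODCIVARCHAR2LIST('password', 'welcome', 'oracle', 'qwerty', 'letmein');
BEGIN
  -- Must be at least 12 characters in length
  IF LENGTH(password) < 12 THEN
    raise_application_error(-20001, 'Password must be at least 12 characters long');
  END IF;
  -- Cannot be similar to the user's name (name appears anywhere, any case)
  IF INSTR(l_pw, l_user) > 0 THEN
    raise_application_error(-20002, 'Password must not contain the user name');
  END IF;
  -- Cannot be easily guessable: reject common words as substrings
  FOR i IN 1 .. l_denied.COUNT LOOP
    IF INSTR(l_pw, l_denied(i)) > 0 THEN
      raise_application_error(-20003, 'Password contains a commonly guessed word');
    END IF;
  END LOOP;
  -- Upper, lower, digit and at least one special (non-alphanumeric) character
  IF    NOT REGEXP_LIKE(password, '[A-Z]')
     OR NOT REGEXP_LIKE(password, '[a-z]')
     OR NOT REGEXP_LIKE(password, '[0-9]')
     OR NOT REGEXP_LIKE(password, '[^A-Za-z0-9]') THEN
    raise_application_error(-20004,
      'Password needs upper case, lower case, a digit and a special character');
  END IF;
  RETURN TRUE;   -- accepted
END;
/
-- Rotation and reuse are profile limits, not function logic:
--   PASSWORD_LIFE_TIME 14            rotated every 14 days
--   PASSWORD_GRACE_TIME 3            3 days of warnings before the account locks
--   PASSWORD_REUSE_TIME 1825 and     an old password may return only after 5 years
--   PASSWORD_REUSE_MAX 1             and at least one intervening change
--   FAILED_LOGIN_ATTEMPTS 5 /
--   PASSWORD_LOCK_TIME 1             5 bad logins lock the account for 1 day
CREATE PROFILE protected_enterprise LIMIT
  PASSWORD_VERIFY_FUNCTION verify_12char_policy
  PASSWORD_LIFE_TIME       14
  PASSWORD_GRACE_TIME      3
  PASSWORD_REUSE_TIME      1825
  PASSWORD_REUSE_MAX       1
  FAILED_LOGIN_ATTEMPTS    5
  PASSWORD_LOCK_TIME       1;
ALTER USER scott PROFILE protected_enterprise;
```

The speaker's sample "This1is2Hard!" passes every check in the function. Two caveats a practitioner would add: the function sees the clear-text password, so it must not log it; and 14-day forced rotation, which is what drives users toward predictable sequences, is the part of this policy that current guidance (NIST SP 800-63B) recommends dropping unless there is evidence of compromise.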
Balancing the Business
Need flexibility to adjust to the current situation. Best case: accommodate all requirements.
[Diagram: triangle of competing factors: Usability, Security, Performance]

Security Tenets
• Security has to be built in to the system, not bolted on afterwards

Security Tenets
• Defense in depth
  • Security in layers for higher assurance
Security Tenets • Be proactive
Security Tenets
• Abide by the least-privilege principle
[Figure: Oracle system privileges shown as examples of what to grant only when needed: CREATE SESSION, CREATE TABLE, ALTER SESSION, CREATE PROCEDURE, DROP TABLE, CREATE VIEW, CREATE SYNONYM, CREATE SEQUENCE]
Security Tenets Not all products are created equal
The Challenge
Get the right data (securely) to the right people in a timely manner, in a way that maximizes usability, lowers administrative burdens, eases application development and maximizes security.
[Diagram: Identity Management, data in transit, Applications, data in transit, Database security and auditing]
• Applications need to know the user
• Databases need to know the user

Defense in Depth
• Identification and Identity Preservation: Proxy Authentication, Client Identifiers, Identity Management
• Element Level Protections: Database Encryption
• Fine-Grained Access Control: Row Level Security
• Accountability: Fine-Grained Auditing

Typical Authentication Architecture
1. Users authenticate to the middle tier
2. The middle tier connects to the Oracle DB through a connection pool as a single (anonymous) application account
3. The database sees only the application account, so it cannot apply proper access controls and auditing at the user level
Security cannot be based on anonymity!

Identity Preservation – Proxy Authentication
1. Users (Blue User, Red User, Yellow User) authenticate to the middle tier
2. The middle tier proxies each user's identity to the Oracle DB over the pooled connection
3. The database applies authorizations, access control, and auditing for the real end user

Identity Preservation – Client Identifiers
• The application sets the identifier on the pooled connection by calling a database procedure (Set_Identifier('Yellow User'), Set_Identifier('Green User'))
• Client Identifiers convey the user's information to the DB
• User information is used in access control decisions
• The value is automatically recorded with each audit record
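The three slides above (least privilege for the pooled account, proxy authentication, client identifiers) plus the row level security item from the roadmap fit together in one configuration. The following is an added example for this page, not code from the presentation or an Oracle sample; the names APP_POOL, BLUE_USER, RED_USER, YELLOW_USER, ORDERS_READER and HR.ORDERS (with an OWNER_NAME column) are assumed, and the password is a placeholder.

```sql
-- Added example, not from the slides.  Assumed names: APP_POOL (account the
-- connection pool logs in as), BLUE_USER / RED_USER (real end users with
-- their own accounts), HR.ORDERS with an OWNER_NAME column.  Run as a DBA.

-- Least privilege for the pooled account: it may open a session, nothing else.
CREATE USER app_pool IDENTIFIED BY "Replace-Me-Before-Use-1!";
GRANT CREATE SESSION TO app_pool;

-- Proxy authentication: APP_POOL may act on behalf of named users, and only
-- with the roles listed, so a compromised pool account gains no more than that.
CREATE ROLE orders_reader;
GRANT SELECT ON hr.orders TO orders_reader;
GRANT orders_reader TO blue_user, red_user;
ALTER USER blue_user GRANT CONNECT THROUGH app_pool WITH ROLE orders_reader;
ALTER USER red_user  GRANT CONNECT THROUGH app_pool WITH ROLE orders_reader;
-- In a proxied session USER = 'BLUE_USER' and
-- SYS_CONTEXT('USERENV', 'PROXY_USER') = 'APP_POOL', so ordinary auditing
-- already names the real person.

-- Client identifiers: when proxying is not possible, the application tags the
-- pooled session instead (the slide's Set_Identifier) and clears the tag before
-- handing the connection back to the pool.  The database cannot verify the tag;
-- it trusts whatever the middle tier asserts, which is why proxy
-- authentication is the stronger of the two.
BEGIN
  DBMS_SESSION.SET_IDENTIFIER('YELLOW_USER');
END;
/
-- ... the application's SQL for this request runs here ...
BEGIN
  DBMS_SESSION.CLEAR_IDENTIFIER;
END;
/

-- Row level security (VPD): the policy function returns a predicate that the
-- database appends to every statement against HR.ORDERS.
CREATE OR REPLACE FUNCTION hr.orders_policy (
  p_schema IN VARCHAR2, p_object IN VARCHAR2) RETURN VARCHAR2 IS
BEGIN
  IF SYS_CONTEXT('USERENV', 'SESSION_USER') = 'APP_POOL' THEN
    -- Anonymous pooled session: key on the client identifier.  If the
    -- application forgot to set it, OWNER_NAME = NULL matches no rows, so a
    -- missing identifier fails closed instead of exposing every row.
    RETURN 'owner_name = SYS_CONTEXT(''USERENV'', ''CLIENT_IDENTIFIER'')';
  END IF;
  -- Direct or proxied session: the session user is the real end user.
  RETURN 'owner_name = SYS_CONTEXT(''USERENV'', ''SESSION_USER'')';
END;
/
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'HR',
    object_name     => 'ORDERS',
    policy_name     => 'ORDERS_BY_OWNER',
    function_schema => 'HR',
    policy_function => 'ORDERS_POLICY',
    statement_types => 'SELECT, INSERT, UPDATE, DELETE',
    update_check    => TRUE);  -- also reject writes that would create rows the user cannot read
END;
/
```

Returning SYS_CONTEXT inside the predicate string, rather than concatenating the user name as a literal, keeps one shared cursor for all users and removes any chance of the identifier being used for SQL injection. OWNER_NAME values must match the identifier or session user exactly (Oracle user names are upper case unless quoted).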
Identity Management: Business Problems and Solution Layers
Business problems: Globally Integrated E-Business, Streamlined Security, IT Cost and Complexity, Regulatory Compliance, Quality of Service
Business needs: efficient customer service; tighter supplier & partner relationships; consistent ID and security policy; quick enforcement of privilege updates; simplified admin & helpdesk tasks; identity lifecycle management; privacy & confidentiality; monitorability & auditability; personalized content; profile & preference
Identity & Access Management layer: Self-service, Provisioning, Workflow Automation, Security Monitoring & Auditing, Web Authorizations, Secure Federation, SSO, Delegated Admin, Policy Based Access Mgmt, Role Based Access Mgmt, Account Provisioning, Certificate Authority
Core Identity Management layer: Directory, Federated Directory, Meta-Directory, Identity Integration

Securing Cross-Organization Transactions
An example: an independent broker uses Big Insurance Co.'s Web application to issue a new insurance policy for a client.
[Diagram: INDEPENDENT INSURANCE BROKER INC. (broker, office intranet, Web apps: Create New Policy, Check Rates, Client History) connecting to BIG INSURANCE CORP. (Create Policy, Credit Check, DMV History, State Insurance, Employment History)]
Federated Identity Management: According to Burton Group...
"What is federated identity management?
• Agreements, standards, technologies that make identity and entitlements portable across autonomous domains
• Begins at home, within and between organizations
• Joined at the hip with Web services
• Will grow both in granularity and scale"
From Burton Group Catalyst Conference

Federated Identity
1. Company A's users authenticate into Company A's portal
2. Company A uses SAML to send an identity "trusted ticket" (a SAML assertion) to Company B's application
3. Company B's systems accept the ticket and grant access to the Company A user, through the Company A portal
[Diagram: Company A: Portal, Company B: Technical Database Application]

Web Services Security/Mgmt Concerns
• Security
  • "We have many web services exposed to the internet now"
  • "Only valid partners may access our web services"
• Exception Handling
  • "Notify operations if a transaction stalls"
  • "Send any incomplete orders to customer service for fixing"
• Compliance and Consistency
  • "All customer orders must be encrypted with 128 bit keys"
  • "All XML messages must follow this format"
• Service Level Monitoring
  • "The order system must process transactions in under 2 seconds"
  • "If uptime falls below 98% we owe contract penalties"

Needs for Web Services Management
• Without WSM, policy is hard-coded into each Web Service
• The result is silo'd, inconsistent security and management
• A change in enterprise standards = rework of every service
• Higher cost, more fragile, harder to change
• No unified insight into operations across services
The goal is to decouple security and management policy from each individual service's logic

Oracle WSM Components
• BUILD policies: Policy Manager
• ENFORCE policies: Policy Gateway and Policy Agents in front of the Web Services
• MONITOR policies: Web Service Monitor
Defense in Depth, next layer: Element Level Protections (Database Encryption)

Encryption – Data at Rest
• Regulations that affect you
• Value of data
• Be selective about what you encrypt
• Encryption "in transit" may be required as well

Stored Data Encryption
[Figure: sample rows of names and numbers, with the sensitive values shown in encrypted form]
Element level protections
• Selective encryption of sensitive data (e.g., SSNs, credit card #s, diagnosis)
• Makes interpreting the real data more difficult
DBMS_CRYPTO
• Encryption: AES128/192/256, 3DES, RC4, DES
• Hashing: SHA1, MD5, MD4, HMAC
• CLOB, BLOB, and RAW support (no padding required)
• On the horizon – transparent encryption
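Selective encryption of one sensitive column with DBMS_CRYPTO, as an added example for this page (not code from the presentation). Assumed names: HR.CUSTOMERS with columns SSN, SSN_ENC RAW(2000) and SSN_MAC RAW(20); HR.KEY_VAULT, a one-row-per-key table standing in for a real key store and readable only by the package owner; the package HR.SSN_CRYPTO; and the sample SSN, which is constructed. It needs EXECUTE on DBMS_CRYPTO.

```sql
-- Added example, not from the slides.  Assumptions: HR.CUSTOMERS(SSN, SSN_ENC
-- RAW(2000), SSN_MAC RAW(20)); HR.KEY_VAULT stands in for a proper key store.
CREATE TABLE hr.key_vault (key_name VARCHAR2(30) PRIMARY KEY, key_bytes RAW(32));
INSERT INTO hr.key_vault VALUES ('SSN_ENC_KEY', DBMS_CRYPTO.RANDOMBYTES(32)); -- 256-bit AES key
INSERT INTO hr.key_vault VALUES ('SSN_MAC_KEY', DBMS_CRYPTO.RANDOMBYTES(32)); -- separate key for the MAC
COMMIT;

CREATE OR REPLACE PACKAGE hr.ssn_crypto AS
  FUNCTION protect    (p_ssn  IN VARCHAR2) RETURN RAW;      -- returns IV || ciphertext
  FUNCTION reveal     (p_data IN RAW)      RETURN VARCHAR2;
  FUNCTION lookup_mac (p_ssn  IN VARCHAR2) RETURN RAW;      -- for equality searches
END ssn_crypto;
/
CREATE OR REPLACE PACKAGE BODY hr.ssn_crypto AS
  -- AES-256 in CBC mode with PKCS#5 padding.  DES, RC4, MD4 and MD5 are on the
  -- slide's list too; they should not be chosen for new data.
  c_mode CONSTANT PLS_INTEGER := DBMS_CRYPTO.ENCRYPT_AES256
                               + DBMS_CRYPTO.CHAIN_CBC
                               + DBMS_CRYPTO.PAD_PKCS5;

  FUNCTION key_for (p_name IN VARCHAR2) RETURN RAW IS
    l_key RAW(32);
  BEGIN
    SELECT key_bytes INTO l_key FROM hr.key_vault WHERE key_name = p_name;
    RETURN l_key;
  END;

  FUNCTION protect (p_ssn IN VARCHAR2) RETURN RAW IS
    l_iv RAW(16) := DBMS_CRYPTO.RANDOMBYTES(16);  -- fresh IV for every value
  BEGIN
    -- Prepend the IV: equal SSNs then give different ciphertexts, and the IV
    -- is at hand again at decrypt time.
    RETURN UTL_RAW.CONCAT(l_iv,
      DBMS_CRYPTO.ENCRYPT(src => UTL_I18N.STRING_TO_RAW(p_ssn, 'AL32UTF8'),
                          typ => c_mode,
                          key => key_for('SSN_ENC_KEY'),
                          iv  => l_iv));
  END;

  FUNCTION reveal (p_data IN RAW) RETURN VARCHAR2 IS
  BEGIN
    RETURN UTL_I18N.RAW_TO_CHAR(
      DBMS_CRYPTO.DECRYPT(src => UTL_RAW.SUBSTR(p_data, 17),
                          typ => c_mode,
                          key => key_for('SSN_ENC_KEY'),
                          iv  => UTL_RAW.SUBSTR(p_data, 1, 16)),
      'AL32UTF8');
  END;

  -- Keyed hash for equality lookups without decrypting every row.  An unkeyed
  -- SHA1 or MD5 of a 9-digit SSN is brute-forced in seconds, hence HMAC with
  -- its own key.
  FUNCTION lookup_mac (p_ssn IN VARCHAR2) RETURN RAW IS
  BEGIN
    RETURN DBMS_CRYPTO.MAC(src => UTL_I18N.STRING_TO_RAW(p_ssn, 'AL32UTF8'),
                           typ => DBMS_CRYPTO.HMAC_SH1,
                           key => key_for('SSN_MAC_KEY'));
  END;
END ssn_crypto;
/
-- Store, then search by keyed hash (sample SSN is constructed):
UPDATE hr.customers
   SET ssn_enc = hr.ssn_crypto.protect(ssn),
       ssn_mac = hr.ssn_crypto.lookup_mac(ssn);
SELECT customer_id, hr.ssn_crypto.reveal(ssn_enc) AS ssn
  FROM hr.customers
 WHERE ssn_mac = hr.ssn_crypto.lookup_mac('123-45-6789');
```

Once SSN_ENC is populated the clear SSN column has to be dropped, and the plaintext still lives on in undo, redo and older backups until those age out; column encryption protects the data file going forward, not history. The "transparent encryption" on the horizon in the slide later shipped as Transparent Data Encryption, which moves the key handling shown here into the database's own wallet.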
Defense in Depth, next layer: Fine-Grained Access Control (Row Level Security)

Label Based Access Control
• Record-level security based on security tags or labels (e.g., TOP SECRET)
• Simple to understand
• Simple to convey
• Simple to audit/prove

Oil and Gas Services Company: multiple databases for secure access control
[Diagram: a separate database per client: BP Amoco, Chevron, ExxonMobil, Conoco]

Oracle Solution: Label Security, with centralized data, secure access, reduced cost
[Diagram: one database under Oracle Label Security serving Chevron, ExxonMobil, BP Amoco and Conoco]
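The consolidation in the two slides above, as an added example for this page (not code from the presentation or an Oracle sample): one shared table whose rows carry an Oracle Label Security label per client company, so each analyst sees only their own company's rows. Assumed names: policy WELL_DATA, table GEO.WELL_LOGS, users CHV_ANALYST and XOM_ANALYST; the level, compartments, label tags and sample row are constructed. Requires Label Security to be installed and is run as LBACSYS.

```sql
-- Added example, not from the slides.  Assumptions: policy WELL_DATA, table
-- GEO.WELL_LOGS, users CHV_ANALYST and XOM_ANALYST; Label Security installed;
-- run as LBACSYS.
BEGIN
  -- The policy adds a (hidden) label column to each protected table and
  -- enforces read and write checks against the session's labels.
  SA_SYSDBA.CREATE_POLICY(
    policy_name     => 'WELL_DATA',
    column_name     => 'WELL_LABEL',
    default_options => 'READ_CONTROL, WRITE_CONTROL, HIDE');

  -- One sensitivity level and one compartment per client company.
  SA_COMPONENTS.CREATE_LEVEL('WELL_DATA', 100, 'CONF', 'CONFIDENTIAL');
  SA_COMPONENTS.CREATE_COMPARTMENT('WELL_DATA', 10, 'BPA', 'BP_AMOCO');
  SA_COMPONENTS.CREATE_COMPARTMENT('WELL_DATA', 20, 'CHV', 'CHEVRON');
  SA_COMPONENTS.CREATE_COMPARTMENT('WELL_DATA', 30, 'XOM', 'EXXONMOBIL');
  SA_COMPONENTS.CREATE_COMPARTMENT('WELL_DATA', 40, 'COP', 'CONOCO');

  -- Data labels that rows may carry, written as LEVEL:COMPARTMENT.
  SA_LABEL_ADMIN.CREATE_LABEL('WELL_DATA', 1010, 'CONF:BPA');
  SA_LABEL_ADMIN.CREATE_LABEL('WELL_DATA', 1020, 'CONF:CHV');
  SA_LABEL_ADMIN.CREATE_LABEL('WELL_DATA', 1030, 'CONF:XOM');
  SA_LABEL_ADMIN.CREATE_LABEL('WELL_DATA', 1040, 'CONF:COP');

  -- Protect the shared table.
  SA_POLICY_ADMIN.APPLY_TABLE_POLICY(
    policy_name => 'WELL_DATA',
    schema_name => 'GEO',
    table_name  => 'WELL_LOGS');

  -- Each analyst is cleared for exactly one compartment.  A CHV session can
  -- neither read XOM rows nor label a row with a compartment it does not hold,
  -- because WRITE_CONTROL checks the label on INSERT and UPDATE as well.
  SA_USER_ADMIN.SET_USER_LABELS('WELL_DATA', 'CHV_ANALYST', 'CONF:CHV');
  SA_USER_ADMIN.SET_USER_LABELS('WELL_DATA', 'XOM_ANALYST', 'CONF:XOM');
END;
/
-- Loading data: the label is supplied explicitly here (a LABEL_FUNCTION passed
-- to APPLY_TABLE_POLICY could derive it from the row instead).  Sample row is
-- constructed.
INSERT INTO geo.well_logs (well_id, depth_m, porosity, well_label)
VALUES (1001, 2450, 0.18, CHAR_TO_LABEL('WELL_DATA', 'CONF:CHV'));

-- As CHV_ANALYST this returns well 1001; as XOM_ANALYST it returns no rows and
-- no error, so the existence of the row is not revealed.
SELECT well_id, depth_m, porosity FROM geo.well_logs;
```

Labels are enforced in addition to, not instead of, object privileges: each analyst still needs SELECT on GEO.WELL_LOGS. The audit point from the slide ("simple to audit/prove") follows from the label being a column value: a reviewer can answer "who can see this row" by comparing its label with the user label assignments, without reading application code.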
Defense in Depth, next layer: Accountability (Fine-Grained Auditing)

Security Processes: Prevention, Detection and Response
• Prevention
  • Authentication, Access Controls
• Detection and Response
  • Database Auditing
  • Audit by user, by object, by privilege
  • Ensure that attempts to view, modify, or delete data by unauthorized persons are tracked
  • Critical attempts should cause an immediate response

Fine-grained Auditing
[Diagram] Audit policy on table EMP: AUDIT_CONDITION: NAME != USER; AUDIT_COLUMN = SALARY
• SELECT name, job, deptno FROM emp: not audited (SALARY is not referenced)
• SCOTT runs SELECT name, salary FROM emp WHERE name='KING': the policy fires, an audit record (the statement, timestamp, userid, etc.) is written to FGA_LOG$, and the handler sends an alert
• Flashback Query against the recorded SCN shows exactly what the user saw
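The policy in the diagram above, together with the "Send Alert!" handler and the Flashback Query step, as an added example for this page (not code from the presentation). Assumed names: SCOTT.EMP with NAME and SALARY columns as on the slide (the stock demo table uses ENAME and SAL), a SEC_ADMIN schema owning the handler and an alerts table, and a bind variable :audited_scn. Needs EXECUTE on DBMS_FGA.

```sql
-- Added example, not from the slides.  Assumptions: SCOTT.EMP has NAME and
-- SALARY columns; SEC_ADMIN owns the handler and SECURITY_ALERTS.
CREATE TABLE sec_admin.security_alerts (
  raised_at  TIMESTAMP WITH TIME ZONE,
  db_user    VARCHAR2(128),
  client_id  VARCHAR2(256),
  policy     VARCHAR2(128),
  sql_text   VARCHAR2(4000));

-- Handler signature is fixed by DBMS_FGA: (object_schema, object_name, policy_name).
CREATE OR REPLACE PROCEDURE sec_admin.salary_alert (
  object_schema IN VARCHAR2,
  object_name   IN VARCHAR2,
  policy_name   IN VARCHAR2) IS
  PRAGMA AUTONOMOUS_TRANSACTION;   -- keep the alert even if the audited statement rolls back
BEGIN
  -- "Send Alert!": write to a table the SOC polls.  DBMS_ALERT or an AQ
  -- message would work here too.  CURRENT_SQL is only populated inside an
  -- FGA handler and carries the triggering statement.
  INSERT INTO sec_admin.security_alerts (raised_at, db_user, client_id, policy, sql_text)
  VALUES (SYSTIMESTAMP,
          SYS_CONTEXT('USERENV', 'SESSION_USER'),
          SYS_CONTEXT('USERENV', 'CLIENT_IDENTIFIER'),  -- end user set by the middle tier, if any
          policy_name,
          SYS_CONTEXT('USERENV', 'CURRENT_SQL'));
  COMMIT;
END;
/
BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema   => 'SCOTT',
    object_name     => 'EMP',
    policy_name     => 'AUDIT_OTHERS_SALARY',
    audit_condition => 'NAME != USER',   -- only rows that are not the user's own
    audit_column    => 'SALARY',         -- only statements that touch SALARY
    handler_schema  => 'SEC_ADMIN',
    handler_module  => 'SALARY_ALERT',
    enable          => TRUE,
    statement_types => 'SELECT, UPDATE, DELETE');
END;
/
-- Not audited (SALARY not referenced):
SELECT name, job, deptno FROM scott.emp;
-- Audited when run by SCOTT (row for KING is not his own, SALARY is read):
SELECT name, salary FROM scott.emp WHERE name = 'KING';

-- Review: DBA_FGA_AUDIT_TRAIL is the view over FGA_LOG$ and keeps the SCN.
SELECT timestamp, db_user, client_id, sql_text, scn
  FROM dba_fga_audit_trail
 WHERE policy_name = 'AUDIT_OTHERS_SALARY';
-- Replay exactly what the user saw with Flashback Query at the audited SCN:
SELECT name, salary FROM scott.emp AS OF SCN :audited_scn WHERE name = 'KING';
```

The audit_condition is evaluated per row, so a query that scans the whole table is recorded once if any row other than the user's own satisfies it. The audit record is written whether or not the handler succeeds, and a handler that raises an exception fails the user's statement, so keep the handler short and its own transaction autonomous as above.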
What To Look for in a Vendor
• Look for a trusted business advisor
• End-to-end solution provider
• Independent technical evaluations
• One with strong consulting offerings

Make Security a First-Class Citizen
• Security placed in at design
• Multi-layered implementation
• Proactively act to maintain a strong posture
• Mitigate the risks; don't expect to eliminate the risks
• Apply common sense before applying cool technology
• Consider the competing factors: balance performance and usability. Be practical

Questions & Answers