
Oracle Database Security

Oracle Database Security. Kwesi Edwards, Principal Solutions Architect; Dominic Young, Account Manager



Presentation Transcript


  1. Oracle Database Security
     Kwesi Edwards, Principal Solutions Architect, Oracle Higher Education
     Dominic Young, Account Manager, Oracle Higher Education

  2. Data Security Lifecycle
     • Storage
       • Transparent Data Encryption
       • Secure Backup
     • Inbound Data
       • Network Encryption
       • Strong Authentication
       • Identity Management Integration
     • Monitor
       • Configuration Scanning
       • Audit Vault
     • Access Control
       • Database Vault
       • Oracle Label Security
       • Fusion Security
     • Outbound Data
       • Network Encryption

  3. Agenda
     • Network Encryption: encryption of data in motion
     • Strong Authentication: PKI, Kerberos, RADIUS
     • Data Encryption: encryption of data at rest
     • Secure Backup
     • Oracle Data Vault
     • DB Auditing: Audit Vault

  4. Network Security Threats
     1. Data Theft: my competitor sees my bids in a sealed auction
     2. Data Modification or Replay: $500.00 becomes $50,000
     3. Data Disruption: packet stolen, order never arrives

  5. Network Encryption
     • Provided by Oracle for nearly a decade
     • Encrypts all communication with the database
       • AES
       • RSA RC4 (40-, 56-, 128-, 256-bit keys)
       • DES (40-, 56-bit) and 3DES (2- and 3-key)
     • Data integrity with checksums
       • MD5, SHA-1
       • Automatically detects modifications, replays, missing packets
     • Easy to set up
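A defender's check for the feature described on this slide, added here and not part of the deck: a PL/SQL block that reads the session's own negotiated network services from V$SESSION_CONNECT_INFO and fails unless native encryption and an integrity checksum are both active with a strong algorithm. It assumes the caller can read that view (DBA or security DBA) and assumes the banner wording used by Oracle's network layer ("... Encryption service adapter ...", "... Crypto-checksumming service adapter ..."), which varies slightly between releases; the sqlnet.ora parameters named in the comments are the real Oracle Advanced Security settings.

```sql
-- Constructed check, assumed banner wording: every negotiated network service appears as one
-- NETWORK_SERVICE_BANNER row for the session.  A session without native encryption has no
-- "encryption service adapter" row; a session without a checksum has no
-- "crypto-checksumming service adapter" row.  The adapter banner names the algorithm.
SET SERVEROUTPUT ON
DECLARE
  l_enc   PLS_INTEGER := 0;   -- encryption adapters seen
  l_sum   PLS_INTEGER := 0;   -- checksum adapters seen
  l_weak  PLS_INTEGER := 0;   -- adapters using algorithms the slide lists that are weak today
BEGIN
  FOR r IN (SELECT UPPER(network_service_banner) AS banner
              FROM v$session_connect_info
             WHERE sid = SYS_CONTEXT('USERENV', 'SID'))
  LOOP
    DBMS_OUTPUT.PUT_LINE(r.banner);
    IF r.banner LIKE '%ENCRYPTION SERVICE ADAPTER%' THEN
      l_enc := l_enc + 1;
      IF r.banner LIKE '%RC4%' OR r.banner LIKE '%DES%' THEN   -- RC4, DES, 3DES
        l_weak := l_weak + 1;
      END IF;
    ELSIF r.banner LIKE '%CRYPTO-CHECKSUMMING SERVICE ADAPTER%' THEN
      l_sum := l_sum + 1;
      IF r.banner LIKE '%MD5%' THEN
        l_weak := l_weak + 1;
      END IF;
    END IF;
  END LOOP;
  -- Server-side fix for each failure lives in sqlnet.ora on the database host:
  --   SQLNET.ENCRYPTION_SERVER            = REQUIRED
  --   SQLNET.ENCRYPTION_TYPES_SERVER      = (AES256)
  --   SQLNET.CRYPTO_CHECKSUM_SERVER       = REQUIRED
  --   SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA1)
  IF l_enc = 0 THEN
    RAISE_APPLICATION_ERROR(-20001, 'session is NOT encrypted');
  ELSIF l_sum = 0 THEN
    RAISE_APPLICATION_ERROR(-20002, 'session has NO integrity checksum');
  ELSIF l_weak > 0 THEN
    RAISE_APPLICATION_ERROR(-20003, 'weak algorithm negotiated (RC4/DES/MD5)');
  END IF;
  DBMS_OUTPUT.PUT_LINE('OK: encrypted and integrity-protected session');
END;
/
```

Run it from the client whose path you want to verify; a REQUIRED setting on the server side makes unencrypted clients fail to connect at all, which is the state this check confirms.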


  7. Strong Authentication
     • Kerberos: ease of deployment makes this a popular choice
     • PKI: large customers are working on full-scale deployments; strong interest among large universities; Oracle supports SSL accelerators
     • RADIUS: the database integrates with RADIUS


  9. The Need for Encryption
     • Worldwide privacy, security laws and regulations
       • Sarbanes-Oxley
       • PCI
       • California SB 1386
       • Country-specific laws
     • Data is worthless if encrypted: customer credit card numbers on disks replaced for maintenance, on stolen laptops, on lost backups

  10. The DBMS_CRYPTO Package
     • Formerly DBMS_OBFUSCATION (Release 8)
     • Extensive control of options
       • Generate as many, or as few, keys as you desire
       • Granular access control, manual salt generation, algorithm selection, chaining mode
     • Limited transparency

  11. Transparent Data Encryption
     • Integrated with the Oracle database for simplicity
       • Alter table encrypt column …
     • Provides application transparency: no API calls, database triggers or views required
     • Media protection of PII data: social security numbers, credit card numbers
     • Performance: works with existing indexes for fast searches
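The contrast drawn on slides 10 and 11, as an added example that is not from the deck: the same card-number column protected first with DBMS_CRYPTO (the application chooses algorithm, chaining mode and IV and must keep the key) and then with TDE (one DDL statement, keys managed by the database). It assumes a hypothetical APP.CUSTOMERS table, EXECUTE on DBMS_CRYPTO, and the 10gR2-era TDE syntax; the card number is a constructed test value.

```sql
-- (1) DBMS_CRYPTO: the application generates and keeps the key and the IV ("manual salt")
DECLARE
  -- Algorithm, chaining mode and padding are chosen by adding the package constants
  c_aes256_cbc CONSTANT PLS_INTEGER :=
      DBMS_CRYPTO.ENCRYPT_AES256 + DBMS_CRYPTO.CHAIN_CBC + DBMS_CRYPTO.PAD_PKCS5;
  l_key    RAW(32)   := DBMS_CRYPTO.RANDOMBYTES(32);  -- 256-bit key; must be kept outside the table
  l_iv     RAW(16)   := DBMS_CRYPTO.RANDOMBYTES(16);  -- fresh IV per encryption; stored beside the ciphertext
  l_plain  RAW(2000) := UTL_I18N.STRING_TO_RAW('4111111111111111', 'AL32UTF8'); -- constructed test value
  l_cipher RAW(2000);
  l_back   VARCHAR2(200);
BEGIN
  l_cipher := DBMS_CRYPTO.ENCRYPT(src => l_plain, typ => c_aes256_cbc, key => l_key, iv => l_iv);
  -- Persist IV || ciphertext; rotating and protecting l_key is the application's job:
  -- INSERT INTO app.customers (id, card_no_enc) VALUES (1, UTL_RAW.CONCAT(l_iv, l_cipher));
  l_back := UTL_I18N.RAW_TO_CHAR(
              DBMS_CRYPTO.DECRYPT(src => l_cipher, typ => c_aes256_cbc, key => l_key, iv => l_iv),
              'AL32UTF8');
  IF l_back <> '4111111111111111' THEN
    RAISE_APPLICATION_ERROR(-20001, 'DBMS_CRYPTO round trip failed');
  END IF;
END;
/

-- (2) Transparent Data Encryption: the same column, no application code.
-- The database generates the column key and wraps it with the master key held in the wallet.
ALTER TABLE app.customers MODIFY (card_no ENCRYPT USING 'AES256');

-- Existing SQL keeps working; decryption happens in the SQL layer for authorised users
SELECT card_no FROM app.customers WHERE id = 1;

-- Check: which columns are encrypted, with which algorithm, and whether they are salted
SELECT owner, table_name, column_name, encryption_alg, salt
  FROM dba_encrypted_columns;
```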

  12. Separation of Duties
     • Wallet password is separate from the SYSTEM or DBA password
     • DBA starts up the database; has no access to the wallet
     • Security DBA opens the wallet containing the master key

  13. Master Key and Column Keys
     • Master key stored in a PKCS#12 wallet
     • Security DBA opens the wallet containing the master key
     • Column keys are encrypted by the master key
     • Column keys encrypt the data in columns
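The separation of duties on slides 12 and 13 written out as the statements each role actually runs, added here and not taken from the deck. It assumes the 10gR2-era TDE syntax, an ENCRYPTION_WALLET_LOCATION already configured in sqlnet.ora, a hypothetical APP.CUSTOMERS table with an encrypted column, and a placeholder wallet password.

```sql
-- Security DBA: holds the wallet password, which is not the SYS/SYSTEM password ------------
-- One-time: create the master key and the PKCS#12 wallet that stores it
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "wallet-password-placeholder";

-- After every instance start: open the wallet so column keys can be unwrapped
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "wallet-password-placeholder";

-- Check: the wallet state as the database sees it (STATUS is OPEN or CLOSED)
SELECT wrl_type, wrl_parameter, status FROM v$encryption_wallet;

-- DBA: starts and stops the instance, never sees the wallet password ----------------------
-- STARTUP succeeds with the wallet closed; only encrypted columns are unreadable:
-- SELECT card_no FROM app.customers;    --> ORA-28365: wallet is not open
-- Unencrypted columns and all other work are unaffected, so operations are not blocked.

-- Security DBA: before maintenance or at end of day, take the master key out of memory
ALTER SYSTEM SET ENCRYPTION WALLET CLOSE;   -- 10gR2 syntax; 11g requires IDENTIFIED BY
```

The point of the split is that a compromised DBA account alone yields ciphertext, and a compromised wallet password alone yields nothing without instance access.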

  14. Oracle Secure Backup: Tape Backup Management
     • Highest levels of tape data protection at the lowest cost!
     • Fastest & best integrated tape backup for the Oracle Database
     • Recovery Manager (RMAN) integration
     • Enterprise Manager (EM) interface
     • Maximum security options
     • Free version (limited functionality) will ship with the Oracle Database
     [Diagram: Oracle Databases (integration with RMAN) and file system data on UNIX, Linux, Windows and NAS feed Oracle Secure Backup, centralized tape backup management, which writes to tape]

  15. Why Use Oracle Secure Backup?
     • Intelligent integration with RMAN delivering the best performance and security for database backups
     • Scalable from the department to the data center
     • Database tape backups can now be seamlessly managed by Database Administrators (DBAs) or the storage group
     • Easily managed using Enterprise Manager (EM)
     • Single technical support resource for the entire backup solution expedites problem resolution
     • Reliable data protection at lower cost and complexity
     • For the Oracle Database and file system data

  16. End to End Security
     • Oracle Advanced Security Strong Authentication
     • Oracle Advanced Security Network Encryption
     • Oracle Advanced Security Transparent Data Encryption
     [Diagram: data automatically decrypted through the SQL interface; data written to disk automatically encrypted; data encrypted on backup files]


  18. Data Vault Objectives
     • Multi-factored approach to database security
     • Protect and share data assets using environmental factors for assurance
     • Defense-in-depth approach
     • Protect application schemas from system privileges
     • Database server as database appliance
       • Lock down, hardened software and privileges
       • Comprehensive audit policy
       • Separation of duties

  19. Data Vault Protected Schema
     • Protect Data Vault metadata from tampering
     • Remove metadata dependency on the SYS schema
     • Access to the protected schema only through the administrative roles
     • Provide separation of duties by different administrative roles
     • Password required for SYS login
     • No OSDBA group membership
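A Database Vault realm implementing the "protect application schemas from system privileges" objective from slide 18, added here as an example and not from the deck. It assumes Database Vault is installed, the block runs as the Database Vault owner account, and APP (the application schema) and APP_ADMIN (its administrator) are hypothetical names; the DBMS_MACADM procedures and DBMS_MACUTL constants are Oracle's.

```sql
BEGIN
  -- A realm is a boundary around a set of objects: system privileges such as
  -- SELECT ANY TABLE no longer reach inside it, not even for SYS or SYSTEM.
  DVSYS.DBMS_MACADM.CREATE_REALM(
    realm_name    => 'APP Realm',
    description   => 'Customer PII tables owned by the APP schema',
    enabled       => DVSYS.DBMS_MACUTL.G_YES,
    audit_options => DVSYS.DBMS_MACUTL.G_REALM_AUDIT_FAIL);  -- record blocked attempts

  -- Every object of every type in APP; the % wildcards are Data Vault's own syntax
  DVSYS.DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'APP Realm',
    object_owner => 'APP',
    object_name  => '%',
    object_type  => '%');

  -- Only the application administrator is a realm owner; nobody else is authorised
  DVSYS.DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'APP Realm',
    grantee       => 'APP_ADMIN',
    rule_set_name => NULL,
    auth_options  => DVSYS.DBMS_MACUTL.G_REALM_AUTH_OWNER);
END;
/

-- Check: what the realm covers, as the Data Vault owner
SELECT realm_name, owner, object_name, object_type
  FROM dvsys.dba_dv_realm_object
 WHERE realm_name = 'APP Realm';

-- Effect: SYSTEM still holds SELECT ANY TABLE, but this now fails with
-- ORA-01031: insufficient privileges, and the attempt is written to DVSYS.AUDIT_TRAIL$
-- SELECT COUNT(*) FROM app.customers;
```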


  21. Oracle Database 10g Auditing
     • Audit & monitor database activity: logon failures, privilege usage, data access, object access, and other activities
     • Standard Audit Trail (over 250 audit actions): gives the first level of information about access to the database
       • Statement auditing
       • Privilege auditing
       • Schema object auditing
     • Fine-Grained Auditing (FGA): gives the second level of information about specific operations on the database; enables you to monitor data access based on content

  22. Fine-Grained Auditing (FGA)
     • Beginning with Oracle9i Database, Oracle provides the capability to audit specific rows within a table. This is accomplished using the DBMS_FGA package.
     • Features
       • Attach audit policy to table or view
       • Specify audit condition using a SQL predicate
       • User's query text with bind variables is written to the audit record upon a triggering audit event
       • Event handler can alert the administrator to the triggering condition (e.g. write a record to a log, send a page)
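Both audit levels from slides 21 and 22 applied to one table, as an added example that is not from the deck: standard object, privilege and statement auditing for the first level, and a DBMS_FGA policy with a SQL predicate, a relevant column and an event handler for the second. It assumes a hypothetical APP.CUSTOMERS table with a CARD_NO column, a hypothetical SEC schema owning the handler and an alert table, a service account named BILLING_APP, and AUDIT_TRAIL=DB so DBA_AUDIT_TRAIL is populated.

```sql
-- Level 1: standard auditing (slide 21): one record per access, in DBA_AUDIT_TRAIL
AUDIT SELECT, UPDATE, DELETE ON app.customers BY ACCESS;   -- schema object auditing
AUDIT SELECT ANY TABLE BY ACCESS;                          -- privilege auditing
AUDIT SESSION WHENEVER NOT SUCCESSFUL;                     -- statement auditing: logon failures

-- Level 2: fine-grained auditing (slide 22): fires only when the predicate is true
CREATE OR REPLACE PROCEDURE sec.fga_alert (
  object_schema VARCHAR2, object_name VARCHAR2, policy_name VARCHAR2)
AS
  PRAGMA AUTONOMOUS_TRANSACTION;  -- the alert survives a rollback of the caller's transaction
BEGIN
  -- Event handler: record the hit for the on-call DBA (hypothetical SEC.FGA_ALERTS table)
  INSERT INTO sec.fga_alerts (alert_time, db_user, policy)
  VALUES (SYSTIMESTAMP, SYS_CONTEXT('USERENV', 'SESSION_USER'), policy_name);
  COMMIT;
END;
/

BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema   => 'APP',
    object_name     => 'CUSTOMERS',
    policy_name     => 'CARD_NO_READ_OUTSIDE_APP',
    -- SQL predicate: rows that hold a card number, read by anyone but the billing service account
    audit_condition => 'CARD_NO IS NOT NULL AND SYS_CONTEXT(''USERENV'',''SESSION_USER'') <> ''BILLING_APP''',
    audit_column    => 'CARD_NO',              -- only statements that touch this column
    handler_schema  => 'SEC',
    handler_module  => 'FGA_ALERT',
    enable          => TRUE,
    statement_types => 'SELECT,UPDATE',
    audit_trail     => DBMS_FGA.DB_EXTENDED);  -- DB_EXTENDED stores SQL text and bind values
END;
/

-- What the reviewer sees for level 2: the exact statement and its binds
SELECT timestamp, db_user, os_user, userhost, sql_text, sql_bind
  FROM dba_fga_audit_trail
 WHERE policy_name = 'CARD_NO_READ_OUTSIDE_APP'
 ORDER BY timestamp DESC;

-- And for level 1: who touched the object, with which action, and whether it failed
SELECT timestamp, username, action_name, returncode
  FROM dba_audit_trail
 WHERE owner = 'APP' AND obj_name = 'CUSTOMERS'
 ORDER BY timestamp DESC;
```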

  23. Audit Vault
     • Collect and consolidate audit data
     • Simplify compliance reporting
     • Detect and prevent insider threats
     • Scale and security
     • Lower IT costs
     [Diagram: Oracle 9iR2, 10gR1 and 10gR2 databases, and in future other sources and databases, feed Audit Vault, which applies audit policies, monitors, and produces security reports]

  24. Oracle Database Security: 30 Years of Innovation, 1977 to 2007
     [Timeline labels, in the order extracted:]
     • Oracle Audit Vault
     • Oracle Database Vault
     • DB Security Evaluation #19
     • Transparent Data Encryption
     • EM Configuration Scanning
     • Fine Grained Auditing (9i)
     • Secure application roles
     • Client Identifier / Identity propagation
     • Oracle Label Security
     • Proxy authentication
     • Enterprise User Security
     • Global roles
     • Virtual Private Database (8i)
     • Database Encryption API
     • Strong authentication (PKI, Kerberos, RADIUS)
     • Native Network Encryption (Oracle7)
     • Database Auditing
     • Government customer


  26. For More Information
     • http://search.oracle.com: search for "Transparent Data Encryption"
     • oracle.com/security
