
Oracle Database Vault with Oracle Database 12c

Oracle Database Vault with Oracle Database 12c. Chi Ching Chui Senior Development Manager Oracle Database Security October 1, 2014. Agenda. Oracle Database Vault Controls Overview Enhancements in Oracle Database 12c Deployment Guidelines for Oracle Database Vault Privilege Analysis


Presentation Transcript


  1. Oracle Database Vault with Oracle Database 12c Chi Ching Chui Senior Development Manager Oracle Database Security October 1, 2014

  2. Agenda: 1. Oracle Database Vault Controls Overview; 2. Enhancements in Oracle Database 12c; 3. Deployment Guidelines for Oracle Database Vault; 4. Privilege Analysis; 5. Summary; 6. Q&A

  3. Agenda: 1. Oracle Database Vault Controls Overview; 2. Enhancements in Oracle Database 12c; 3. Deployment Guidelines for Oracle Database Vault; 4. Privilege Analysis; 5. Summary; 6. Q&A

  4. Applications Bypass and Configuration Drift. Diagram: a user with powerful system privileges bypasses the HR application and reads the data directly (select * from hr.salary); ad hoc ANALYZE TABLE and TRUNCATE TABLE against the HR, Procurement and Finance schemas cause configuration drift. Oracle Confidential – Internal/Restricted/Highly Restricted

  5. Restrict Access to Application Data • Secure data against unauthorized access • Secure entire schema or individual objects • Support conditional authorization (for example, access allowed only between 1 and 5 am) • Allow authorized operational tasks (tuning, Data Pump, jobs). Diagram: a privileged user holding SELECT ANY is stopped by the HR Realm and the Fin Realm, while the HR App and Fin App keep their authorized access.

  6. Database Command Controls. Diagram: a Command Rule on ANALYZE TABLE, ALTER TABLE, ... is governed by the Rule Set "Limit Maintenance Window", which requires both rules to be true: Current Time between 1 and 5 am (Factor: Current Time) AND IP Address = '196.168.1.1' (Factor: IP Address).

  7. Oracle Database Vault Reports

  8. Agenda: 1. Oracle Database Vault Controls Overview; 2. Enhancements in Oracle Database 12c; 3. Deployment Guidelines for Oracle Database Vault; 4. Privilege Analysis; 5. Summary; 6. Q&A

  9. Enhancements in Oracle Database Vault 12c • Installed by default: run two PL/SQL procedures (configure_dv, enable_dv) to enable Oracle Database Vault; no Oracle binary dependency • Mandatory Realm: restricts all types of access, including object owners and users with object privileges • Integrated with new unified auditing: writes to the database audit trail; create and manage using the unified audit policy syntax
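The two-procedure enablement named on the slide, written out as an added example (not part of the deck or of Oracle's documentation). The account names DV_OWNER and DV_ACCTMGR and their passwords are placeholders; the procedure names, the DBA_DV_STATUS view and the utlrp.sql script are Oracle's own.

```sql
-- Added example: enabling Oracle Database Vault on a 12c database.
-- Account names and passwords below are placeholders (assumptions).

-- Step 1 (as SYS): create the Database Vault owner and account manager.
CREATE USER dv_owner   IDENTIFIED BY "ChangeMe_DvOwner#1";
CREATE USER dv_acctmgr IDENTIFIED BY "ChangeMe_DvAcctMgr#1";

-- Step 2 (as SYS): register the two accounts with Database Vault.
BEGIN
  DBMS_MACADM.CONFIGURE_DV(
    dvowner_uname   => 'DV_OWNER',
    dvacctmgr_uname => 'DV_ACCTMGR');
END;
/

-- Step 3 (as SYS): recompile objects invalidated by the configuration.
@?/rdbms/admin/utlrp.sql

-- Step 4 (as the Database Vault owner): switch enforcement on.
CONNECT dv_owner/"ChangeMe_DvOwner#1"
BEGIN
  DBMS_MACADM.ENABLE_DV;
END;
/

-- Step 5 (as SYSDBA): restart so the change takes effect.
-- SHUTDOWN IMMEDIATE
-- STARTUP

-- Step 6: verify. DV_CONFIGURE_STATUS and DV_ENABLE_STATUS should both be TRUE.
SELECT name, status FROM dba_dv_status;
```

Checking DBA_DV_STATUS after the restart is the step worth keeping in a build script: a database where CONFIGURE_DV ran but ENABLE_DV did not looks configured in the data dictionary yet enforces nothing.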

  10. Agenda: 1. Oracle Database Vault Controls Overview; 2. Enhancements in Oracle Database 12c; 3. Deployment Guidelines for Oracle Database Vault; 4. Privilege Analysis; 5. Summary; 6. Q&A

  11. Deployment Guidelines for Oracle Database Vault • Design the Protection: document the security policies (how data should be accessed, what to secure, who to authorize); define Separation of Duties (who is responsible for account management, security administration, operations) • Implement Database Vault: create realms and command rules; authorize users based on their responsibility • Verify & Deploy: functional testing; confirm protection works as designed

  12. Example - Secure an Application (Connection Control) • Secure the application data • Only the trusted application and users can connect to the database • DBA_DEBRA maintains the database hosting the application. Diagram: the "HR" Application connects as APPS from 192.168.1.1 to the HR schema inside the HR Realm; DBA_DEBRA administers the database.

  13. Example - Secure an Application • Secure the application data • Only the trusted application and users can connect to the database • DBA_DEBRA maintains the database hosting the application. Diagram: the "HR" Application (APPS, 192.168.1.1), the HR schema in the HR Realm, and DBA_DEBRA.

  14. Realm: Secure HR schema

  15. Example - Secure an Application (Connection Control) • Secure the application data • Only the trusted application and users can connect to the database • DBA_DEBRA maintains the database hosting the application. Diagram: APPS, the HR schema in the HR Realm, the "HR" Application at 192.168.1.1, and DBA_DEBRA.

  16. Rule – Trusted Application

  17. Rule – Trusted Administrators

  18. Rule Set – Trusted Database Connections • Evaluation options for rules can be 'Any True' or 'All True' • Audit options: Audit on Failure, Audit on Success, Always Audit • Added two rules: Is Trusted Administrators, Is Trusted Application

  19. Command Rule – Control Database Connection
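Slides 12 through 19 build one policy across several screenshots: a realm around HR, two rules, an 'Any True' rule set that audits on failure, and a CONNECT command rule. The PL/SQL below is an added example that writes that policy out with DBMS_MACADM; it is not code from the deck. It assumes the names shown on the slides (schema HR, application account APPS at 192.168.1.1, administrator DBA_DEBRA) and uses the slide titles as realm, rule and rule-set names; the unified audit policy at the end is the 12c feature mentioned on slide 9.

```sql
-- Added example: the 'Secure an Application' policy from the slides, as DBMS_MACADM calls.
-- Run as the Database Vault owner. Names are taken from the slides (assumptions).
BEGIN
  -- 1. Realm around the whole HR schema; realm violations are audited.
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'HR Realm',
    description   => 'Protects the HR application schema',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'HR Realm',
    object_owner => 'HR',
    object_name  => '%',
    object_type  => '%');
  -- The application account keeps access through its object privileges;
  -- SELECT ANY / DBA-style system privileges no longer reach HR objects.
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name   => 'HR Realm',
    grantee      => 'APPS',
    auth_options => DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);

  -- 2. Rules. The expression is a VARCHAR2, so inner quotes are doubled.
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Is Trusted Application',
    rule_expr => 'SYS_CONTEXT(''USERENV'',''SESSION_USER'') = ''APPS'' AND ' ||
                 'SYS_CONTEXT(''USERENV'',''IP_ADDRESS'') = ''192.168.1.1''');
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Is Trusted Administrators',
    rule_expr => 'SYS_CONTEXT(''USERENV'',''SESSION_USER'') = ''DBA_DEBRA''');

  -- 3. Rule set: Any True (either rule admits the session), audit on failure.
  DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'Trusted Database Connections',
    description     => 'Only the HR application and its administrator may connect',
    enabled         => DBMS_MACUTL.G_YES,
    eval_options    => DBMS_MACUTL.G_RULESET_EVAL_ANY,
    audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
    fail_options    => DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => 'Connection refused by rule set Trusted Database Connections',
    fail_code       => -20001,
    handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);
  DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'Trusted Database Connections',
    rule_name     => 'Is Trusted Application');
  DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'Trusted Database Connections',
    rule_name     => 'Is Trusted Administrators');

  -- 4. Command rule on CONNECT. Created disabled on purpose: it applies to every
  --    session, so review the rule set before switching it on.
  DBMS_MACADM.CREATE_COMMAND_RULE(
    command       => 'CONNECT',
    rule_set_name => 'Trusted Database Connections',
    object_owner  => '%',
    object_name   => '%',
    enabled       => DBMS_MACUTL.G_NO);
END;
/

-- 5. Unified auditing (12c): realm violations go to the unified audit trail.
CREATE AUDIT POLICY hr_realm_violations
  ACTIONS COMPONENT=DATAVAULT REALM VIOLATION ON "HR Realm";
AUDIT POLICY hr_realm_violations;
```

The CONNECT command rule is the part to test in a disposable environment first: once enabled it is evaluated for every login, so the rule set must admit the accounts that administer the database and Database Vault itself, not only the application. Enable it afterwards with DBMS_MACADM.UPDATE_COMMAND_RULE and the same parameters with enabled set to DBMS_MACUTL.G_YES.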

  20. Example – Operational Task Authorizations

  21. Agenda: 1. Oracle Database Vault Controls Overview; 2. Enhancements in Oracle 12c; 3. Deployment Guidelines for Oracle Database Vault; 4. Privilege Analysis; 5. Summary; 6. Q&A

  22. Privilege Analysis – New to Oracle Database Vault 12c • Runtime analysis of roles and privileges • Identifies unused privileges and roles • Helps reduce attack surface. Diagram: runtime capture of what DBA_DEBRA and the custom applications actually execute (Select, Update, Drop, the DBA role, ...) feeds used/unused reports.

  23. Privilege Analysis Features • Capture types: database wide; condition based (example: login user is DBA_DEBRA); enabled database role (example: DBA role is enabled) • Runs inside the database authorization engine • Lists used/unused privileges and roles and how they were granted • Less than 5% overhead on runtime capture

  24. Steps for Analyzing Privileges in Oracle Database • Create Capture Policy: decide capture type (database-wide, condition based, enabled DB roles) • Start Capture: enable the capture policy; run full application tests to capture all use cases • Generate Reports: disable the runtime capture; generate capture reports • Analyze & Take Actions: identify and remove unnecessary privileges; audit unused privileges; replace with less powerful privileges

  25. Create Capture Policy
  DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE(name => 'HR Analysis Policy', description => 'Analyze privilege usage in the HR applications', type => 3, condition => 'SYS_CONTEXT(''USERENV'', ''SESSION_USER'') = ''APPS''');

  26. Start Runtime Capture
  DBMS_PRIVILEGE_CAPTURE.ENABLE_CAPTURE('HR Analysis Policy');

  27. Stop Runtime Capture & Generate Report
  DBMS_PRIVILEGE_CAPTURE.DISABLE_CAPTURE('HR Analysis Policy');
  DBMS_PRIVILEGE_CAPTURE.GENERATE_RESULT('HR Analysis Policy');
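The four steps of slide 24 and the calls on slides 25 to 27, carried through to the report queries, as an added example that is not code from the deck. It assumes the condition-based capture of the APPS account shown on slide 25 and a session holding the CAPTURE_ADMIN role; the package, its constants and the DBA_USED_*/DBA_UNUSED_* views are Oracle's own.

```sql
-- Added example: one full privilege-analysis cycle for the APPS account.
-- Assumes the CAPTURE_ADMIN role; policy name and condition follow slide 25.
BEGIN
  -- Step 1: create a condition-based capture (G_CONTEXT is the constant behind
  -- the literal 3 on the slide). Name the condition parameter explicitly: the
  -- fourth positional parameter of CREATE_CAPTURE is the role list, not the condition.
  DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE(
    name        => 'HR Analysis Policy',
    description => 'Analyze privilege usage in the HR applications',
    type        => DBMS_PRIVILEGE_CAPTURE.G_CONTEXT,
    condition   => 'SYS_CONTEXT(''USERENV'',''SESSION_USER'') = ''APPS''');

  -- Step 2: start the runtime capture.
  DBMS_PRIVILEGE_CAPTURE.ENABLE_CAPTURE(name => 'HR Analysis Policy');
END;
/

-- ... run the complete application test suite as APPS while the capture is on ...

BEGIN
  -- Step 3: stop the capture and materialise the results.
  DBMS_PRIVILEGE_CAPTURE.DISABLE_CAPTURE(name => 'HR Analysis Policy');
  DBMS_PRIVILEGE_CAPTURE.GENERATE_RESULT(name => 'HR Analysis Policy');
END;
/

-- Step 4: analyse. System privileges APPS exercised, with the grant path used.
SELECT username, sys_priv, path
  FROM dba_used_sysprivs_path
 WHERE capture = 'HR Analysis Policy';

-- System privileges granted but never exercised: candidates for revocation
-- or for replacement with a narrower privilege.
SELECT sys_priv, path
  FROM dba_unused_sysprivs
 WHERE capture = 'HR Analysis Policy';

-- Object privileges granted but never exercised.
SELECT obj_priv, object_owner, object_name, path
  FROM dba_unused_objprivs
 WHERE capture = 'HR Analysis Policy';

-- Remove the policy once its findings have been acted on.
BEGIN
  DBMS_PRIVILEGE_CAPTURE.DROP_CAPTURE(name => 'HR Analysis Policy');
END;
/
```

The PATH column is what makes the unused report actionable: it shows whether a privilege arrived directly or through a role such as DBA, so the remediation can target the grant rather than the symptom. A privilege that appears unused only because the test suite never exercised the code path that needs it is the usual false positive, which is why the slide insists on running the full application tests before disabling the capture.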

  28. Privilege Analysis Reports

  29. Unused Privileges Report

  30. Used Privileges Report

  31. Agenda: 1. Oracle Database Vault Controls Overview; 2. Enhancements in Oracle 12c; 3. Deployment Guidelines for Oracle Database Vault; 4. Privilege Analysis; 5. Summary; 6. Q&A

  32. Summary of Oracle Database Vault • Control default power of privileges: realms restrict access by privileged users; multi-factor authorization and database command controls; prevents configuration drift and accidental DDLs (drop table etc.) • Ease of deployment: installed by default; no application changes required; certified policies for major applications • Privilege Analysis: runtime analysis of roles and privileges; helps reduce attack surface

  33. Agenda: 1. Oracle Database Vault Controls Overview; 2. Enhancements in Oracle 12c; 3. Deployment Guidelines for Oracle Database Vault; 4. Privilege Analysis; 5. Summary; 6. Q&A

  34. Oracle Database Security at OpenWorld 2014 Plus: Visit the Oracle Database Security pods at the Demo Grounds for one-on-one discussions and demonstrations!

  35. Connect With Us /OracleDatabase /OracleSecurity blogs.oracle.com/ SecurityInsideOut blogs.oracle.com/ KeyManagement Oracle Database Insider /Oracle/database /OracleLearning oracle.com/database/security oracle.com/technetwork/database/security
