
Security Requirements


Presentation Transcript


  1. Security Requirements

  2. Objectives • After completing this lesson, you should be able to do the following: • Describe fundamental security requirements • Define the following terms: • Least privilege • Authorization • Authentication • Describe security policies • Describe the concept of security in detail

  3. Industry-Security Requirements • Legal: • Sarbanes-Oxley Act (SOX) • Health Information Portability and Accountability Act (HIPAA) • California Breach Law • UK Data Protection Act • Auditing

  4. Security Standards • Recognized security standards: • ISO 17799 • SANS Institute • CERT/CC Do your policies meet the standards?

  5. Fundamental Data-Security Requirements • You should know the following fundamental data-security requirements: • Confidentiality • Integrity • Availability

  6. Components for Enforcing Security • Authentication • Authorization • Access control • Auditing

  7. Security Risks • Risk analysis includes: • External attack: • Unauthorized users • Denial of service • Unauthorized data and service access • Internal abuse: data or service theft • Sabotage: data or service corruption • Complexity

  8. Risk Analysis • (Diagram labels: Threat, Vulnerability, Attack; Prevent, Discover, Protect, Control)

  9. Principle of Least Privilege • Install only the required software on the machine. • Activate only the required services on the machine. • Give operating system (OS) and database access to only those users who require access. • Limit access to the root or administrator account. • Limit access to SYSDBA and SYSOPER accounts. • Limit users’ access to only the database objects that are required to do their jobs.

  10. Defining a Security Policy • What is a security policy? • A set of rules • Specific to an area and site • Required • Approved by management • What is a standard? • Rules specific to a system or process • Required for everyone • What are guidelines? • Suggestions and best practices • Specific to a system or a process

  11. Developing Your Security Policy • The steps to develop your security policy are: 1. Assemble your security team. 2. Define your security requirements. 3. Develop procedures and systems to meet these requirements. 4. Implement security procedures.

  12. Examining All Aspects of Security • Consider the following dimensions: • Physical • Personnel • Technical • Procedural • Example: An employee leaves his or her desk while using an application.

  13. Implementing a Security Policy • Implement your standards and procedures. • Implement the plan for developing new systems and applications. • Monitor and enforce the policy. • Keep systems and applications up-to-date with security patches. • Educate users.

  14. Defense in Depth • Using the concept of “defense in depth”: • Enforce security policies • Train users • Harden the operating system • Use firewalls • Use network security • Use database-security features

  15. Hardening the Operating System • Limit services to required services. • Limit users. • Use security from the service. • Apply all security patches and workarounds. • Protect backups. • Test security for in-house development. • Require strong passwords. • Control physical access. • Audit system activity. • Use intrusion-detection tools.

  16. Easing Administration • Examine the security features of the service: • Select the features that meet your security requirements. • Integrate the features to simplify administration. • Ease security administration by: • Using single sign-on • Delegating security authority • Grouping users with common privileges • Synchronizing with other sources

  17. Using a Firewall to Restrict Network Access • (Diagram labels: Database server, Client computers, Firewall, Application Web server, Firewall)

  18. Hardening Oracle Services • Harden the database. • Harden Oracle Net Services. • Use Connection Manager as a firewall. • Use available components: • Fine-grained access control • Enterprise user authentication • Encryption • Label security • Strong authentication by using public key infrastructure or Kerberos • Harden the middle tier.

  19. Summary • In this lesson, you should have learned how to: • List and describe fundamental security requirements • Define the following terms: • Principle of least privilege • Authorization • Authentication • Describe some security risks and requirements • Describe the concept of security in detail

  20. Security Solutions

  21. Objectives • After completing this lesson, you should be able to describe the following recommended solutions to common problems: • Preventing exploits • Maintaining data integrity • Protecting data • Controlling data access

  22. Preventing Exploits • Use industry-standard practices: • Harden the database. • Harden the operating system. • Harden the network.

  23. Maintaining Data Integrity • Sarbanes-Oxley requires assurance of the integrity of the data that is used to produce financial reports. Oracle Database 10g can provide the following: • Standard auditing • Fine-grained auditing • Privileged-account auditing • Network encryption

  24. Data Protection • Under CA-SB-1386, personally identifiable information must be protected. Use the following techniques: • Restrict access. • Encrypt stored data. • Encrypt network traffic. • Restrict network access. • Monitor activity. • Harden every layer. • (Figure labels: MyCreditCardNum, OKYMSEISPDTGA)

  25. Access Control • The law requires that only certain persons may access specific data. Access control and monitoring include: • Implement the Virtual Private Database (VPD): • Application context • Fine-grained access control (FGAC) • Use Oracle Label Security (OLS). • Apply auditing.

  26. Middle-Tier Authentication and Authorization • Applications often handle the authentication and authorization for application users. Secure solutions are: • Pass-thru • Proxy User • Secure Application Role • Enterprise User Security • (Diagram labels: Application server, Database)

  27. Network-wide Authentication • Solutions involving single sign-on or single point of authentication reduce administration costs and can improve security. There are several solutions: • Oracle Identity Management • Enterprise User Security (EUS) • Integration with Active Directory • Integration with Kerberos

  28. Summary • In this lesson, you should have learned how to describe the following recommended solutions to common problems: • Preventing exploits • Maintaining data integrity • Protecting data • Controlling data access

  29. Internal Database Security

  30. Objectives • After completing this lesson, you should be able to do the following: • Apply the principle of least privilege to the database • Apply security patches (Critical Patch Update) • Lock and expire default user accounts • Change default user passwords • Create strong passwords • Enforce password management • Protect the data dictionary

  31. Database Security: Checklist • Apply the principle of least privilege: • Install only what is required. • Harden the operating system (OS). • Maintain installed products. • Manage default user accounts. • Enforce password management. • Protect the data dictionary. • Revoke unnecessary privileges from PUBLIC. • Restrict the directories accessible by the user. • Limit users with administrative privileges. • Restrict remote database authentication. • Use other database security features.

  32. Reducing Administration Effort • Use roles to group users by job function. • Enable and disable roles as appropriate. • Use single sign-on.

  33. Installing Only What Is Required • Install only the required products and features. • Plan your installation: • Determine what needs to be installed. • You may require a custom installation. • You can always install additional products later.

  34. Applying Security Patches • Use the Critical Patch Update process. • Apply all security patches and workarounds. • See the Oracle Security Products Web site.

  35. SYS and SYSTEM Accounts • The SYS account: • Is granted the DBA role • Has all privileges with ADMIN OPTION • Is required for startup, shutdown, and some maintenance commands • Owns the data dictionary • The SYSTEM account is granted the DBA role. • These accounts are not used normally.

  36. SYSOPER and SYSDBA

  37. Locking and Expiring Default User Accounts • The Database Configuration Assistant (DBCA) expires and locks all accounts, except: • SYS • SYSTEM • SYSMAN • DBSNMP • For a manual installation, lock and expire accounts by using: ALTER USER hr PASSWORD EXPIRE ACCOUNT LOCK;

  38. Changing Default Account Passwords • Default accounts provide easy access to the database. • Change the password on any account that has not been locked. • To change the password of the SH account to s9049gbnij, run: SQL> ALTER USER sh IDENTIFIED BY s9049gbnij; User altered. SQL>

  39. Enforcing Password Management • Use a password verification routine to enforce constraints on the user’s new password. • The profile identifies which routine to use: ALTER PROFILE all_users LIMIT ... PASSWORD_VERIFY_FUNCTION verify_function; • A verification routine is created by the utlpwdmg.sql script. • Use the Oracle Advanced Security option for strong authentication.
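Slides 37 to 39 as one worked script, added here as an example and not taken from the presentation. The function name `pw_policy_check`, the profile name `app_users_profile` and every limit value are assumptions; the function signature follows the one Oracle requires for a password verification routine.

```sql
-- Added example. Run as SYS: a verification routine must live in the SYS schema,
-- as the one created by utlpwdmg.sql does. All thresholds below are assumed values.
CREATE OR REPLACE FUNCTION pw_policy_check (
  username     VARCHAR2,
  password     VARCHAR2,
  old_password VARCHAR2
) RETURN BOOLEAN IS
BEGIN
  IF LENGTH(password) < 10 THEN
    raise_application_error(-20001, 'Password must be at least 10 characters');
  END IF;
  -- INSTR avoids LIKE wildcards (_ and %) that may occur in a user name.
  IF INSTR(UPPER(password), UPPER(username)) > 0 THEN
    raise_application_error(-20002, 'Password must not contain the user name');
  END IF;
  IF NOT (REGEXP_LIKE(password, '[[:alpha:]]')
          AND REGEXP_LIKE(password, '[[:digit:]]')) THEN
    raise_application_error(-20003, 'Password needs both letters and digits');
  END IF;
  IF old_password IS NOT NULL AND UPPER(password) = UPPER(old_password) THEN
    raise_application_error(-20004, 'New password must differ from the old one');
  END IF;
  RETURN TRUE;
END;
/

-- The profile names the routine and adds lockout, expiry and reuse limits.
CREATE PROFILE app_users_profile LIMIT
  FAILED_LOGIN_ATTEMPTS    5
  PASSWORD_LOCK_TIME       1      -- days
  PASSWORD_LIFE_TIME       90     -- days
  PASSWORD_GRACE_TIME      7      -- days
  PASSWORD_REUSE_TIME      365    -- days
  PASSWORD_REUSE_MAX       10
  PASSWORD_VERIFY_FUNCTION pw_policy_check;

-- Attach the profile to an account that stays open (sh is the slide's example).
ALTER USER sh PROFILE app_users_profile;

-- Slide 37 check: every account that is still OPEN should be there on purpose.
SELECT username, account_status, profile
  FROM dba_users
 WHERE account_status = 'OPEN'
 ORDER BY username;
```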

  40. Protecting the Data Dictionary • The data dictionary is protected by default with the initialization parameter set: O7_DICTIONARY_ACCESSIBILITY = FALSE • This configuration prevents users with the ANY system privileges from accessing data dictionary base tables. • The SELECT ANY DICTIONARY system privilege allows read access to the dictionary only.

  41. System and Object Privileges • Applying the principle of least privilege: • Limit object privileges to actual needs • Do not use GRANT ALL ON object • Limit system privileges • Do not grant the DBA role to users • Encapsulate sensitive objects

  42. Restricting the Directories Accessible by the User • Do not use the UTL_FILE_DIR parameter. • Use the DIRECTORY objects: • Allows granular access to directory paths by the user • Allows read or write access separately • Is limited to the directories that the Oracle process can access Example: CREATE DIRECTORY local AS '/user/local/dbs'; GRANT READ, WRITE ON DIRECTORY local TO scott;

  43. Limiting Users with Administrative Privileges • Restrict the following types of privileges: • Grants of system and object privileges • SYS-privileged connections: SYSDBA and SYSOPER • DBA-type privileges, such as DROP ANY TABLE • Restrict run-time permissions. Example: List all users with the DBA role: SQL> SELECT grantee FROM dba_role_privs 2 WHERE granted_role = 'DBA'; GRANTEE ------------------------------ SYS SYSTEM
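A privilege review that extends the DBA-role query above to the other checks named on slides 31 and 40 to 43, added as an example and not part of the presentation. It uses only standard data dictionary views; the list of packages checked for PUBLIC grants is an assumption of this example.

```sql
-- Added example. Run as a DBA; each query is read-only.

-- Slides 40 and 42: dictionary protection on, UTL_FILE_DIR unset.
SELECT name, value
  FROM v$parameter
 WHERE UPPER(name) IN ('O7_DICTIONARY_ACCESSIBILITY', 'UTL_FILE_DIR');

-- Slide 43: holders of the DBA role, and whether they can grant it onward.
SELECT grantee, granted_role, admin_option
  FROM dba_role_privs
 WHERE granted_role = 'DBA'
 ORDER BY grantee;

-- Slide 43: accounts in the password file with SYSDBA or SYSOPER.
SELECT username, sysdba, sysoper FROM v$pwfile_users;

-- Slides 41 and 43: ANY-type system privileges (DROP ANY TABLE and similar)
-- held by grantees other than SYS, SYSTEM and the DBA role itself.
SELECT grantee, privilege, admin_option
  FROM dba_sys_privs
 WHERE privilege LIKE '% ANY %'
   AND grantee NOT IN ('SYS', 'SYSTEM', 'DBA')
 ORDER BY grantee, privilege;

-- Slide 31: EXECUTE granted to PUBLIC on packages that reach the file system
-- or the network. The package list is assumed; set it from your own policy.
SELECT owner, table_name, privilege
  FROM dba_tab_privs
 WHERE grantee = 'PUBLIC'
   AND privilege = 'EXECUTE'
   AND table_name IN ('UTL_FILE', 'UTL_TCP', 'UTL_SMTP', 'UTL_HTTP');

-- Slide 42: who can read or write through each DIRECTORY object.
SELECT d.directory_name, d.directory_path, p.grantee, p.privilege
  FROM dba_directories d
  JOIN dba_tab_privs p
    ON p.owner = d.owner
   AND p.table_name = d.directory_name
 WHERE p.privilege IN ('READ', 'WRITE')
 ORDER BY d.directory_name, p.grantee;
```

Every row returned by the last four queries is a grant to justify against a job function or revoke.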

  44. Separation of Responsibilities • Users with DBA privileges must be trusted, but separation of responsibilities can: • Prevent abuse of trust • Allow audit trails to protect the trusted position • To implement separation of trust: • DBA responsibilities must be shared • Accounts must never be shared • DBA and system administrator must be different people • SYSOPER and SYSDBA responsibilities must be separated.

  45. Using Other Database Security Features • Authenticate the users through the middle tier. • Use secure application roles. • Use virtual private databases. • Audit user activity, especially privileged activity. • Encrypt columns for additional privacy protection.

  46. Summary • In this lesson, you should have learned how to: • Apply the principle of least privilege to the database • Apply security patches (Critical Patch Update) • Lock and expire default user accounts • Change default user passwords • Create strong passwords • Enforce password management • Protect the data dictionary

  47. Database Auditing

  48. Objectives • After completing this lesson, you should be able to do the following: • Implement basic database auditing • Implement auditing of the privileged user • Implement DML and DDL auditing

  49. Monitoring for Suspicious Activity • Monitoring or auditing should be an integral part of your security procedures. • The built-in audit tools in Oracle Database 10g include: • Database auditing • Value-based auditing • Fine-grained auditing (FGA)

  50. Audit Tool Comparisons • Standard database auditing: • What is audited: privilege use including object access • What is in the audit trail: fixed set of data • Value-based auditing: • What is audited: data changed by DML statements • What is in the audit trail: administrator defined • Fine-grained auditing (FGA): • What is audited: SQL statements (INSERT, UPDATE, DELETE, and SELECT) based on content • What is in the audit trail: fixed set of data, including the SQL statement
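The three audit types compared on slides 49 and 50, applied to one table so the difference in what each records is visible. This is an added example, not from the presentation: it assumes the HR sample schema, and the table `hr.salary_audit`, the trigger name, the policy name and the salary threshold are hypothetical.

```sql
-- Added example. Standard auditing needs the AUDIT_TRAIL initialization
-- parameter set (for example DB) before any records are written.

-- 1. Standard database auditing: records that an access happened (fixed columns).
AUDIT SELECT, INSERT, UPDATE, DELETE ON hr.employees BY ACCESS;
AUDIT CREATE SESSION WHENEVER NOT SUCCESSFUL;

-- 2. Value-based auditing: a trigger records old and new values.
--    The columns are chosen by the administrator (hypothetical table).
CREATE TABLE hr.salary_audit (
  changed_at   TIMESTAMP,
  db_user      VARCHAR2(30),
  client_ip    VARCHAR2(45),
  employee_id  NUMBER,
  old_salary   NUMBER,
  new_salary   NUMBER
);

CREATE OR REPLACE TRIGGER hr.trg_salary_audit
AFTER UPDATE OF salary ON hr.employees
FOR EACH ROW
BEGIN
  INSERT INTO hr.salary_audit
  VALUES (SYSTIMESTAMP,
          SYS_CONTEXT('USERENV', 'SESSION_USER'),
          SYS_CONTEXT('USERENV', 'IP_ADDRESS'),
          :OLD.employee_id, :OLD.salary, :NEW.salary);
END;
/

-- 3. Fine-grained auditing: fires only when the statement touches the SALARY
--    column of rows matching the condition, and keeps the SQL text.
BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema   => 'HR',
    object_name     => 'EMPLOYEES',
    policy_name     => 'AUDIT_HIGH_SALARY',
    audit_condition => 'SALARY > 10000',
    audit_column    => 'SALARY',
    statement_types => 'SELECT,UPDATE');
END;
/

-- Reviewing the two built-in trails.
SELECT username, action_name, obj_name, returncode, timestamp
  FROM dba_audit_trail WHERE owner = 'HR' ORDER BY timestamp;
SELECT db_user, timestamp, sql_text
  FROM dba_fga_audit_trail WHERE policy_name = 'AUDIT_HIGH_SALARY';
```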
