Copyright © 2013, Oracle and/or its affiliates. All rights reserved. 1
Security Inside Out Latest Innovations in Oracle Database 12c
Jukka Männistö
Database Architect
Oracle Nordic Coretech Presales
The 1995-2014 Security Landscape
Regulatory Landscape
– HIPAA, SOX (2002), NERC/CIP, Australian CLERP-9 (2004)
– Privacy breach disclosure laws (California SB 1386, …)
– Payment Card Industry (2.0 in Oct 2010)
– Proposed EU data protection regulation (2016?)
IT Landscape
– Global work force
– Outsourcing
– Consolidation
Threat Landscape
– Insider threats, SQL Injection (2000)
– Advanced Persistent Threats (APT), Organized Crime, State Sponsored, …
Over 1.1B Served
– Breached using weak or stolen credentials: 76%
– Preventable with basic controls: 97%
– Records breached from servers: 67%
– Discovered by an external party: 69%
Why Are Databases Vulnerable? 80% of IT Security Programs Don’t Address Database Security
Source: Forrester Research (chart of security program areas: Network Security, SIEM, Endpoint Security, Email Security, Authentication & User Security, Database Security)
“Enterprises are taking on risks that they may not even be aware of.”
“Especially as more and more attacks against databases exploit legitimate access by compromising applications and user credentials.”
Is Your Data Secure?
Unit 61398, HQ of the People’s Liberation Army cyberwarfare office, Shanghai, China
Finland?
Why Increase Database Security?
Two Thirds of Sensitive and Regulated Information now Resides in Databases … and Doubling Every Two Years
Source: "Effective Data Leak Prevention Programs: Start by Protecting Data at the Source — Your Databases", IDC, August 2011
Examples of such data: Classified Govt. Info., Trade Secrets, Competitive Bids, Corporate Plans, Source Code, Bug Database, Credit Cards, Customer Data, Financial Data, HR Data, Citizen Data
From Mistakes to Malicious: Basic Security is Not Enough for Today’s Business
• Privilege Abuse
• Curiosity
• Leakage
• Accidents
• Unintended disclosures
Social Engineering, Sophisticated Attacks, Business Data Theft, Loss of Reputation
What Are The Typical Risks?
Environment: Users, WebServer, AppServer, Prod Database, Production Storage, Backup, Test copy
– Filesystem/Tape access
– Insider network sniffing
– DBA privilege access
– SQL Injection attacks
– Test system with real data
– Suspicious activity
What Are The Typical Risks? (and the control addressing each)
Environment: Users, WebServer, AppServer, Prod Database, Production Storage, Backup, Test copy
– Filesystem/Tape access: Transparent Data Encryption
– Insider network sniffing: Network Encryption
– DBA privilege access: Oracle Database Vault
– SQL Injection attacks: Oracle Database Firewall
– Test system with real data: Datamasking Pack
– Suspicious activity: Audit Vault & Data Redaction
DATABASE GOVERNANCE
PREVENTIVE / ADMINISTRATIVE / DETECTIVE
Advanced Security: Encryption is the Foundation
Preventive Control for Oracle Databases
• Encrypts tablespaces or columns
• Prevents access to data at rest
• Built-in two-tier key management
• Requires no application changes
• “Near Zero” overhead with hardware
• Integrated with Oracle technologies
– Log files, Compression, ASM, DataPump
Diagram: encrypted data stays protected on Disk, in Backups and Exports and at Off-Site Facilities, transparently to Applications
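Tablespace encryption with the two-tier key hierarchy the slide mentions, as an added example that is not taken from the deck. It assumes a 12c non-CDB whose sqlnet.ora already points ENCRYPTION_WALLET_LOCATION at the keystore directory used below; the keystore path, password and tablespace/data file names are constructed placeholders.

```sql
-- Added example (not from the slide deck): tablespace-level TDE on Oracle 12c.
-- Assumes sqlnet.ora already has ENCRYPTION_WALLET_LOCATION pointing at the
-- directory below and the session holds ADMINISTER KEY MANAGEMENT (or SYSKM).
-- Path, password, tablespace and data file names are constructed placeholders.

-- 1. Create the software keystore: tier 1, it holds the master encryption key.
ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '/u01/app/oracle/admin/ORCL/wallet'
  IDENTIFIED BY "keystore_pw_placeholder";
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN
  IDENTIFIED BY "keystore_pw_placeholder";

-- 2. Generate and activate a master key. Tier 2, the per-tablespace keys, is
--    created automatically and stored wrapped by this master key.
ADMINISTER KEY MANAGEMENT SET KEY
  IDENTIFIED BY "keystore_pw_placeholder" WITH BACKUP;

-- 3. Encrypt data at rest with no application change: the attribute sits on the
--    tablespace, so tables created in it are encrypted on disk automatically.
CREATE TABLESPACE callcenter_enc
  DATAFILE '/u01/app/oracle/oradata/ORCL/callcenter_enc01.dbf' SIZE 100M
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

-- 4. Verify: each encrypted tablespace is listed with its algorithm.
SELECT t.name, e.encryptionalg, e.encryptedts
  FROM v$encrypted_tablespaces e
  JOIN v$tablespace t ON t.ts# = e.ts#;
```

A copy of the data file taken from disk or backup media is unreadable without the keystore, which is the "data at rest" protection the slide describes; the keystore and its backup therefore need stricter filesystem protection than the data files themselves.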
Advanced Security: Redaction of Sensitive Data Displayed
Preventive Control for Oracle Database 12c
• Real-time redaction of application data based upon user name, IP, application context, and other session factors
• Full, partial, fixed redaction
• Library of redaction policies and point-and-click policy definition
• Transparent to typical applications
• No impact on operational activities
Diagram: stored Credit Card Numbers (4451-2172-9841-4368, 5106-8395-2095-5938, 7830-0032-0294-1827) pass through a Redaction Policy; depending on the consumer (Billing Department or Call Center Application) the result is xxxx-xxxx-xxxx-4368 or the full 4451-2172-9841-4368
Application Screen Before Redacting
Application Screens After Redacting
DBMS_REDACT.ADD_POLICY(
  object_schema => 'CALLCENTER',
  object_name   => 'CUSTOMERS',
  column_name   => 'SSN', ...
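A complete redaction policy for the credit-card scenario on the slide, as an added example rather than the deck's own code. The schema and table (CALLCENTER.CUSTOMERS) and the SSN column come from the slide; the CARD_NUMBER column, the policy name and the BILLING account are constructed assumptions. Data Redaction masks what a query returns, so it protects application screens; it does not replace Database Vault or auditing for accounts that can run ad hoc SQL.

```sql
-- Added example (not from the slide deck). CALLCENTER.CUSTOMERS and the SSN
-- column come from the slide; CARD_NUMBER, redact_cust_card and BILLING are
-- constructed assumptions.
BEGIN
  DBMS_REDACT.ADD_POLICY(
    object_schema       => 'CALLCENTER',
    object_name         => 'CUSTOMERS',
    column_name         => 'CARD_NUMBER',
    policy_name         => 'redact_cust_card',
    -- PARTIAL keeps the last four digits, giving xxxx-xxxx-xxxx-4368.
    function_type       => DBMS_REDACT.PARTIAL,
    -- input format, output format, mask character, first and last digit masked
    function_parameters => 'VVVVFVVVVFVVVVFVVVV,VVVV-VVVV-VVVV-VVVV,x,1,12',
    -- Session factor: every session except the BILLING account is redacted.
    expression          => 'SYS_CONTEXT(''USERENV'',''SESSION_USER'') != ''BILLING''');
END;
/

-- A second column joins the same policy, so one policy governs the table.
BEGIN
  DBMS_REDACT.ALTER_POLICY(
    object_schema       => 'CALLCENTER',
    object_name         => 'CUSTOMERS',
    policy_name         => 'redact_cust_card',
    action              => DBMS_REDACT.ADD_COLUMN,
    column_name         => 'SSN',
    function_type       => DBMS_REDACT.PARTIAL,
    -- 123-45-6789 becomes xxx-xx-6789
    function_parameters => 'VVVFVVFVVVV,VVV-VV-VVVV,x,1,5');
END;
/

-- Verify which columns are redacted and how; this is what an auditor reviews.
SELECT object_owner, object_name, column_name, function_type, function_parameters
  FROM redaction_columns
 WHERE object_owner = 'CALLCENTER';
```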
Oracle Data Masking: Masking Data for Non-Production Use
Preventive Control for Oracle and non-Oracle Databases
• Replace sensitive application data
• Extensible template library and formats
• Referential integrity detected/preserved
• Application templates
• Integrates with Subsetting and Real Application Testing
Production:
LAST_NAME   SSN          SALARY
AGUILAR     203-33-3234  40,000
BENSON      323-22-2943  60,000
Non-Production (Dev, Test), after masking:
LAST_NAME   SSN          SALARY
ANSKEKSL    323-23-1111  40,000
BKJHHEIEDK  252-34-1345  60,000
Oracle Database Vault: Privileged User and Operational Controls
• Limit default powers of privileged users
• Enforce policy rules inside the database
• Violations audited, secured and sent to Oracle Audit Vault
• No application changes required
Diagram: Procurement, HR and Finance application schemas share one database; the Application reaches its own data, while a DBA issuing "select * from finance.customers" is the privileged access that Database Vault controls
Oracle Database Vault: Realms Block DBA Privileges
• Block privileged database users from accessing application data
• Block threats from compromised privileged accounts
• Block application users from accessing other applications inside the same database
• Securely consolidate and use private or public cloud computing
Oracle Database Vault 12c: New Mandatory Realms Block Direct Object Grants
• Provide additional security check before allowing authorized users to access application data
• Enable application DBA control by allowing patching while denying access to sensitive application data
• Freeze security settings identified by Privilege Analysis: roles, grants, …
• Temporarily seal off entire application data in the event of a cyber threat
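A mandatory realm over the FINANCE schema from the earlier slide, as an added example that is not part of the deck. It assumes Database Vault is configured and enabled and that the statements run as a DV_OWNER account; the realm name and the FINANCE_APP grantee are constructed assumptions.

```sql
-- Added example (not from the slide deck): a 12c mandatory realm protecting
-- FINANCE.* so that a DBA's "select * from finance.customers" is blocked while
-- the application account keeps working. Assumes Database Vault is enabled
-- and the session is a DV_OWNER; 'Finance Realm' and FINANCE_APP are assumed.
BEGIN
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'Finance Realm',
    description   => 'Protects FINANCE application data from privileged users',
    enabled       => DBMS_MACUTL.G_YES,
    -- Audit every blocked access; Audit Vault can collect these records.
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL,
    -- realm_type 1 = mandatory realm (new in 12c): direct object grants such
    -- as GRANT SELECT ON finance.customers no longer bypass the realm.
    realm_type    => 1);

  -- Place every object owned by FINANCE under the realm ('%' = all).
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name    => 'Finance Realm',
    object_owner  => 'FINANCE',
    object_name   => '%',
    object_type   => '%');

  -- Only the application account is a realm participant; DBA, SYSTEM and
  -- other privileged users are not, so their SELECT ANY TABLE is ineffective.
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'Finance Realm',
    grantee       => 'FINANCE_APP',
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);
END;
/

-- Confirm the realm is enabled and auditing failures.
SELECT name, enabled, audit_options
  FROM dba_dv_realm
 WHERE name = 'Finance Realm';
```

Temporarily sealing off the application, as the last bullet describes, is the same realm with its authorizations removed; patching by an application DBA is allowed by giving that account a realm authorization scoped through a rule set rather than by disabling the realm.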
PREVENTIVE / ADMINISTRATIVE / DETECTIVE
Conditional Auditing: Framework for Conditional Auditing
Detective Control for Oracle Databases
• Audit based upon database session factors
• Audit only what is needed
• Group audit settings for manageability
• Out of the box policies
Example policy:
Name: My Audit Policy
What: ACTIONS ALL
When: IP != '10.288.241.88'
Exceptions: Except HR
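The slide's policy written in 12c unified-audit syntax, as an added example that is not taken from the deck. It assumes unified auditing is available (mixed mode is enough); the policy name and the HR account follow the slide, and the trusted address 192.0.2.10 is a constructed placeholder standing in for the slide's value.

```sql
-- Added example (not from the slide deck): the slide's conditional policy in
-- Oracle 12c unified-audit syntax. Assumes unified auditing is available.
-- 192.0.2.10 is a constructed placeholder for the trusted application server.

-- Name: My Audit Policy   What: ACTIONS ALL
-- When: any session not coming from the application server's address.
CREATE AUDIT POLICY my_audit_policy
  ACTIONS ALL
  WHEN 'SYS_CONTEXT(''USERENV'',''IP_ADDRESS'') != ''192.0.2.10'''
  EVALUATE PER SESSION;   -- condition checked once per session, not per statement

-- Exceptions: enable the policy for everyone except the HR account.
AUDIT POLICY my_audit_policy EXCEPT hr;

-- Grouping for manageability: a second, unconditional policy that records
-- privilege changes, the trail an account compromise usually leaves behind.
CREATE AUDIT POLICY privilege_changes
  ACTIONS GRANT, REVOKE, CREATE USER, ALTER USER, DROP USER;
AUDIT POLICY privilege_changes;

-- Review: records carry the policy name, so the conditional subset is easy
-- to pull out for a SOC or Audit Vault report.
SELECT event_timestamp, dbusername, client_program_name, action_name,
       unified_audit_policies, sql_text
  FROM unified_audit_trail
 WHERE unified_audit_policies LIKE '%MY_AUDIT_POLICY%'
 ORDER BY event_timestamp DESC;
```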
Oracle Audit Vault and Database Firewall: Audit Database Activity
Detective Control for Oracle and non-Oracle Databases
• Collect, Analyze audit/event data
• Centralized secure repository
• Consolidated multi-source reporting
• Out-of-the box and custom reports
• Fine-grain separation of duties
• Secure, scalable software appliance
Diagram: Audit Data & Event Logs from Databases, OS & Storage, Directories and Custom sources flow into the Audit Vault, which drives Policies, Reports and Alerts for the Auditor and the SOC
Oracle Audit Vault and Database Firewall: Database Activity Monitoring and Firewall
Detective Control for Oracle and non-Oracle Databases
• Monitor network traffic, detect and block unauthorized database activity
• Detect/stop SQL injection attacks
• Highly accurate SQL grammar analysis
• Whitelist approach to enforce activity
• Blacklists for managing high risk activity
• Scalable secure software appliance
Diagram: SQL from Apps and Users passes through SQL Analysis against the Policy (Whitelist, Blacklist, Factors); the outcome is Block, Log, Allow, Alert or Substitute
Oracle Audit Vault and Database Firewall
Detective Control for Oracle and non-Oracle Databases
Diagram: Users reach the databases through the Database Firewall, whose Firewall Events, together with AUDIT DATA from Operating Systems, File Systems, Directories and Custom Audit Data, feed the AUDIT VAULT, which produces Reports, Alerts and Policies
PREVENTIVE / ADMINISTRATIVE / DETECTIVE
Oracle Database Lifecycle Management: Configuration Management
Administrative Control for Oracle Databases
Discover, Scan & Monitor, Patch
• Discover and classify databases
• Scan for secure configuration
• Follow compliance frameworks
• Detect unauthorized changes
• Patching and provisioning
Oracle Enterprise Manager 12c: Discover Sensitive Data and Databases
Administrative Control for Oracle Database 12c
• Scan Oracle for sensitive data
• Built-in, extensible data definitions
• Discover application data models
• Protect sensitive data appropriately: encrypt, redact, mask, audit…
DATABASE GOVERNANCE
PREVENTIVE / ADMINISTRATIVE / DETECTIVE
Critical Patch Update
• Latest: January 2014
• Next: April 2014
• Main reason for applying patches: uncertainty
– Testing
– Testing with Real Application Testing
• CPUs are increasingly important
• Need to be integrated in operating procedures
http://www.oracle.com/technetwork/topics/security/alerts-086861.html?ssSourceSiteId=ocomen
Security Alert Subscription
http://www.oracle.com/technetwork/topics/security/securityemail-090378.html
In order to start receiving e-mail notifications of the release of Critical Patch Updates and
Security Alerts, follow the steps outlined below. If you have previously signed up for this
alert, please double check that your electronic subscriptions are up to date.
1. If you do not have an Oracle Technology Network account, click on the Sign
In/Register for Account link at the top of this page to create an account.
2. Alternatively, if you already have an Oracle Technology Network account, click on the
Sign In/Register for Account link at the top of this page and login to your account.
3. Once logged in, click the Account link at the top of this page, scroll down to
Subscription Center > Oracle Technology News, ensure the checkbox next to Oracle
Security Alerts is selected, and save your changes.
To unsubscribe, repeat these steps but uncheck the Oracle Security Alerts checkbox.
Reference Documentation
Database Security Guide
– http://www.oracle.com/pls/db112/to_toc?pathname=network.112%2Fe16543%2Ftoc.htm&remark=portal+%28Books%29
Oracle Security Reference Architecture
– Part of “IT Strategies from Oracle”
– http://oracle.com/technetwork/topics/entarch/oracle-ra-security-r3-0-176702.pdf