Copyright © 2013, Oracle and/or its affiliates. All rights reserved.

Security Inside Out: Latest Innovations in Oracle Database 12c. Jukka Männistö, Database Architect, Oracle Nordic Coretech Presales.



Security Inside Out: Latest Innovations in Oracle Database 12c

Jukka Männistö, Database Architect, Oracle Nordic Coretech Presales


The 1995-2014 Security Landscape

Regulatory landscape
– HIPAA, SOX (2002), NERC/CIP, Australian CLERP-9 (2004)
– Privacy breach disclosure laws (California SB 1386, ...)
– Payment Card Industry (PCI DSS 2.0, October 2010)
– Proposed EU data protection regulation (2016?)

IT landscape
– Global workforce
– Outsourcing
– Consolidation

Threat landscape
– Insider threats, SQL injection (2000)
– Advanced Persistent Threats (APT), organized crime, state sponsored, ...


Over 1.1B Served

– 76% breached using weak or stolen credentials
– 97% preventable with basic controls
– 67% of records breached from servers
– 69% discovered by an external party


Why Are Databases Vulnerable? 80% of IT Security Programs Don't Address Database Security

Forrester Research: where IT security programs invest (network security, SIEM, endpoint security, email security, authentication & user security) versus database security.

"Enterprises are taking on risks that they may not even be aware of."

"Especially as more and more attacks against databases exploit legitimate access by compromising applications and user credentials."


Is Your Data Secure?

Photo: Unit 61398, HQ of the People's Liberation Army cyberwarfare office, Shanghai, China


Finland?


Why Increase Database Security?

Two thirds of sensitive and regulated information now resides in databases ... and is doubling every two years.

Source: "Effective Data Leak Prevention Programs: Start by Protecting Data at the Source — Your Databases", IDC, August 2011

Data categories shown on the slide: classified government information, trade secrets, competitive bids, corporate plans, source code, bug database, credit cards, customer data, financial data, HR data, citizen data.


From Mistakes to Malicious: Basic Security is Not Enough for Today's Business

Threat spectrum shown on the slide: social engineering, sophisticated attacks, business data theft, loss of reputation.

• Privilege abuse
• Curiosity
• Leakage
• Accidents
• Unintended disclosures


What Are The Typical Risks?

Diagram components: Users, WebServer, AppServer, Prod Database, Test copy, Production Storage, Backup.

Risks shown against them:
– Filesystem/tape access
– Insider network sniffing
– DBA privilege access
– SQL injection attacks
– Test system with real data
– Suspicious activity


What Are The Typical Risks? (the same diagram, with the Oracle control placed against each risk)

Diagram components: Users, WebServer, AppServer, Prod Database, Test copy, Production Storage, Backup.

– Filesystem/tape access: Transparent Data Encryption
– Insider network sniffing: Network Encryption
– DBA privilege access: Oracle Database Vault
– SQL injection attacks: Oracle Database Firewall
– Test system with real data: Data Masking Pack
– Suspicious activity: Audit Vault & Data Redaction


Database Governance

Three control families, used to structure the rest of the deck:
– Preventive
– Administrative
– Detective


Advanced Security: Encryption is the Foundation Preventive Control for Oracle Databases

– Encrypts tablespaces or columns
– Prevents access to data at rest
– Built-in two-tier key management
– Requires no application changes
– "Near zero" overhead with hardware acceleration
– Integrated with Oracle technologies: log files, compression, ASM, Data Pump

Diagram: data stays encrypted on disk, in backups and exports and at off-site facilities, while applications see it unchanged.
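The setup behind the bullets above, as an added example that is not the deck's own code: a 12c software keystore, a master key (tier one of the two-tier scheme) and an encrypted tablespace. The keystore directory, password and datafile path are placeholders, and the statements assume a session holding SYSKM for key management and a DBA for the tablespace.

```sql
-- Added example, not from the deck. Keystore path, password and datafile path
-- are placeholders. sqlnet.ora must already point the wallet location at the
-- keystore directory, and the key management statements require SYSKM.

-- 1. Create and open a software keystore.
ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '/etc/ORACLE/WALLETS/orcl'
  IDENTIFIED BY "keystore-password-placeholder";
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN
  IDENTIFIED BY "keystore-password-placeholder";

-- 2. Create and activate the master encryption key. It wraps the per-tablespace
--    (tier two) keys, so rotating it never rewrites the data itself.
ADMINISTER KEY MANAGEMENT SET KEY
  IDENTIFIED BY "keystore-password-placeholder" WITH BACKUP;

-- 3. Create an encrypted tablespace. Blocks are encrypted with AES-256 before
--    they reach disk, so datafile copies and RMAN backups carry ciphertext and
--    the application schema needs no change.
CREATE TABLESPACE sensitive_ts
  DATAFILE '/u01/app/oracle/oradata/orcl/sensitive01.dbf' SIZE 100M
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

-- 4. Verify: the keystore must be OPEN, otherwise the tablespace is unreadable.
SELECT wrl_parameter, status, wallet_type FROM v$encryption_wallet;
SELECT tablespace_name, encrypted
  FROM dba_tablespaces
 WHERE tablespace_name = 'SENSITIVE_TS';
```

Data Pump exports are only protected when expdp is run with its own ENCRYPTION parameters; the tablespace encryption covers the datafiles and their backups.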


Advanced Security: Redaction of Sensitive Data Displayed, Preventive Control for Oracle Database 12c

– Real-time redaction of application data based upon user name, IP, application context, and other session factors
– Full, partial, fixed redaction
– Library of redaction policies and point-and-click policy definition
– Transparent to typical applications
– No impact on operational activities

Diagram: credit card numbers stored in the database (4451-2172-9841-4368, 5106-8395-2095-5938, 7830-0032-0294-1827) pass through the redaction policy; the Billing Department and the Call Center Application receive different views of the same row, xxxx-xxxx-xxxx-4368 for one and the full 4451-2172-9841-4368 for the other.


Application Screen Before Redacting (screenshot)


Application Screens After Redacting (screenshots; the policy behind them as abbreviated on the slide)

  DBMS_REDACT.ADD_POLICY(
    object_schema => 'CALLCENTER',
    object_name   => 'CUSTOMERS',
    column_name   => 'SSN'...
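The complete policy the slide abbreviates, as an added example rather than the deck's own code: partial redaction of CALLCENTER.CUSTOMERS.SSN driven by a session factor. The policy name and the BILLING account that is exempted are assumptions.

```sql
-- Added example, not from the deck. Schema, table and column come from the
-- slide; the policy name and the BILLING account are assumptions.
BEGIN
  DBMS_REDACT.ADD_POLICY(
    object_schema       => 'CALLCENTER',
    object_name         => 'CUSTOMERS',
    column_name         => 'SSN',
    policy_name         => 'redact_customer_ssn',
    -- Partial redaction keeps the format and hides the first five digits.
    function_type       => DBMS_REDACT.PARTIAL,
    -- input format, output format, mask character, first and last V position
    -- to mask: 203-33-3234 is displayed as ***-**-3234
    function_parameters => 'VVVFVVFVVVV,VVV-VV-VVVV,*,1,5',
    -- Session factor: redact for every session except the BILLING user. Any
    -- boolean SQL expression over SYS_CONTEXT (user, IP_ADDRESS, CLIENT_IDENTIFIER,
    -- an application context) can be used here.
    expression          => 'SYS_CONTEXT(''USERENV'',''SESSION_USER'') <> ''BILLING''',
    enable              => TRUE);
END;
/

-- Confirm what is in force. Redaction is applied to query results only; the
-- stored value is untouched, and SYS or any user holding EXEMPT REDACTION
-- POLICY still sees it, so that privilege needs the same governance as DBA.
SELECT object_owner, object_name, policy_name, expression, enable
  FROM redaction_policies;
SELECT column_name, function_type, function_parameters
  FROM redaction_columns
 WHERE object_owner = 'CALLCENTER' AND object_name = 'CUSTOMERS';
```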


Oracle Data Masking: Masking Data for Non-Production Use, Preventive Control for Oracle and non-Oracle Databases

– Replace sensitive application data
– Extensible template library and formats
– Referential integrity detected/preserved
– Application templates
– Integrates with Subsetting and Real Application Testing

Production:

LAST_NAME   SSN          SALARY
AGUILAR     203-33-3234  40,000
BENSON      323-22-2943  60,000

Non-production (Dev, Test) copy after masking:

LAST_NAME   SSN          SALARY
ANSKEKSL    323-23-1111  40,000
BKJHHEIEDK  252-34-1345  60,000


Oracle Database Vault: Privileged User and Operational Controls

• Limit default powers of privileged users
• Enforce policy rules inside the database
• Violations audited, secured and sent to Oracle Audit Vault
• No application changes required

Diagram: the application reaches its own data in the Procurement, HR and Finance schemas, while a DBA issuing "select * from finance.customers" is blocked.


Oracle Database Vault: Realms Block DBA Privileges

– Block privileged database users from accessing application data
– Block threats from compromised privileged accounts
– Block application users from accessing other applications inside the same database
– Securely consolidate and use private or public cloud computing


Oracle Database Vault 12c: New Mandatory Realms Block Direct Object Grants

– Provide an additional security check before allowing authorized users to access application data
– Enable application DBA control by allowing patching while denying access to sensitive application data
– Freeze security settings identified by Privilege Analysis: roles, grants, ...
– Temporarily seal off entire application data in the event of a cyber threat
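A mandatory realm around the finance.customers table from the earlier slide, as an added example that is not the deck's own code. It assumes Database Vault is configured and enabled, that the block runs as a DV_OWNER account, and that the realm name and the FINANCE_APP account are placeholders.

```sql
-- Added example, not from the deck. Assumes Database Vault is enabled and the
-- session holds DV_OWNER; realm name and FINANCE_APP are assumptions.
-- realm_type => 1 makes the realm mandatory (new in 12c): the object owner and
-- anyone with a direct object grant are blocked as well, not just DBA roles.
BEGIN
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'Finance Customer Data Realm',
    description   => 'Shields FINANCE.CUSTOMERS from DBA and direct-grant access',
    enabled       => DBMS_MACADM.G_YES,
    -- Record every failed (blocked) access attempt.
    audit_options => DBMS_MACADM.G_REALM_AUDIT_FAIL,
    realm_type    => 1);

  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'Finance Customer Data Realm',
    object_owner => 'FINANCE',
    object_name  => 'CUSTOMERS',
    object_type  => 'TABLE');

  -- Only the application account is a participant; a DBA (even SYS) running
  -- "select * from finance.customers" now fails with ORA-01031. Patching the
  -- schema is still possible for the DBA because DDL is governed separately.
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'Finance Customer Data Realm',
    grantee       => 'FINANCE_APP',
    rule_set_name => NULL,
    auth_options  => DBMS_MACADM.G_REALM_AUTH_PARTICIPANT);
END;
/

-- Verify the realm, its protected objects and its authorizations.
SELECT name, enabled, mandatory FROM dba_dv_realm
 WHERE name = 'Finance Customer Data Realm';
SELECT owner, object_name, object_type FROM dba_dv_realm_object
 WHERE realm_name = 'Finance Customer Data Realm';
SELECT grantee, auth_options FROM dba_dv_realm_auth
 WHERE realm_name = 'Finance Customer Data Realm';
```

Blocked attempts surface in the Database Vault audit trail (the unified audit trail when unified auditing is on), which is what the deck forwards to Audit Vault.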


Conditional Auditing: Detective Control for Oracle Databases

Framework for conditional auditing:
– Audit based upon database session factors
– Audit only what is needed
– Group audit settings for manageability
– Out-of-the-box policies

Example policy from the slide:
  Name:       My Audit Policy
  What:       ACTIONS ALL
  When:       IP != '10.288.241.88'
  Exceptions: Except HR
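The slide's policy written out in 12c unified auditing syntax, as an added example that is not the deck's own code: audit everything done by sessions that do not come from the trusted application server, and exclude the HR account. The policy name and the address 10.0.0.10 are constructed placeholders; the statements assume unified auditing is enabled and the session holds AUDIT_ADMIN.

```sql
-- Added example, not from the deck. Assumes unified auditing (12c) is enabled
-- and the session holds AUDIT_ADMIN. 10.0.0.10 stands for the application
-- server; replace it with the real address.

-- What: ACTIONS ALL. When: the session's IP is not the application server.
-- EVALUATE PER SESSION checks the condition once at login, which keeps the
-- cost negligible for the sessions that are not audited.
CREATE AUDIT POLICY my_audit_policy
  ACTIONS ALL
  WHEN 'SYS_CONTEXT(''USERENV'', ''IP_ADDRESS'') <> ''10.0.0.10'''
  EVALUATE PER SESSION;

-- Exceptions: enable it for every user except HR, for both successful and
-- failed actions (the default).
AUDIT POLICY my_audit_policy EXCEPT hr;

-- Verify which policies are enabled (12.1 column names).
SELECT policy_name, user_name, enabled_opt, success, failure
  FROM audit_unified_enabled_policies
 WHERE policy_name = 'MY_AUDIT_POLICY';

-- Records are queued in memory before they reach the trail; flush first when
-- checking interactively.
EXEC DBMS_AUDIT_MGMT.FLUSH_UNIFIED_AUDIT_TRAIL;

SELECT event_timestamp, dbusername, client_program_name, action_name, sql_text
  FROM unified_audit_trail
 WHERE unified_audit_policies LIKE '%MY_AUDIT_POLICY%'
 ORDER BY event_timestamp DESC;
```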


Oracle Audit Vault and Database Firewall: Audit Database Activity, Detective Control for Oracle and non-Oracle Databases

– Collect and analyze audit/event data
– Centralized secure repository
– Consolidated multi-source reporting
– Out-of-the-box and custom reports
– Fine-grain separation of duties
– Secure, scalable software appliance

Diagram: audit data and event logs from databases, OS and storage, directories and custom sources flow into the Audit Vault, which applies policies and produces reports and alerts for the auditor and the SOC.


Oracle Audit Vault and Database Firewall: Database Activity Monitoring and Firewall, Detective Control for Oracle and non-Oracle Databases

– Monitor network traffic, detect and block unauthorized database activity
– Detect/stop SQL injection attacks
– Highly accurate SQL grammar analysis
– Whitelist approach to enforce activity
– Blacklists for managing high-risk activity
– Scalable secure software appliance

Diagram: SQL from users and apps passes through SQL analysis against a policy built from a whitelist, a blacklist and session factors; each statement is allowed, logged, alerted on, blocked or substituted.


Oracle Audit Vault and Database Firewall: Detective Control for Oracle and non-Oracle Databases

Architecture diagram: the Database Firewall sits between users and the databases and forwards firewall events; audit data from databases, operating systems, file systems, directories and custom audit sources is collected into the Audit Vault, which applies policies and produces reports and alerts.


Oracle Database Lifecycle Management: Configuration Management, Administrative Control for Oracle Databases

Discover, scan & monitor, patch:
– Discover and classify databases
– Scan for secure configuration
– Follow compliance frameworks
– Detect unauthorized changes
– Patching and provisioning


Oracle Enterprise Manager 12c: Discover Sensitive Data and Databases, Administrative Control for Oracle Database 12c

– Scan Oracle for sensitive data
– Built-in, extensible data definitions
– Discover application data models
– Protect sensitive data appropriately: encrypt, redact, mask, audit...


Critical Patch Update

– Latest: January 2014
– Next: April 2014
– Main reason for applying patch, uncertainty
  – Testing
  – Testing with Real Application Testing
– CPUs are increasingly important
– Need to be integrated in operating procedures
– http://www.oracle.com/technetwork/topics/security/alerts-086861.html?ssSourceSiteId=ocomen


Security Alert Subscription

http://www.oracle.com/technetwork/topics/security/securityemail-090378.html

In order to start receiving e-mail notifications of the release of Critical Patch Updates and Security Alerts, follow the steps outlined below. If you have previously signed up for this alert, please double check that your electronic subscriptions are up to date.

1. If you do not have an Oracle Technology Network account, click on the Sign In/Register for Account link at the top of this page to create an account.
2. Alternatively, if you already have an Oracle Technology Network account, click on the Sign In/Register for Account link at the top of this page and log in to your account.
3. Once logged in, click the Account link at the top of this page, scroll down to Subscription Center > Oracle Technology News, ensure the checkbox next to Oracle Security Alerts is selected, and save your changes.

To unsubscribe, repeat these steps but uncheck the Oracle Security Alerts checkbox.


Reference Documentation

Database Security Guide
– http://www.oracle.com/pls/db112/to_toc?pathname=network.112%2Fe16543%2Ftoc.htm&remark=portal+%28Books%29

Oracle Security Reference Architecture
– Part of "IT Strategies From Oracle"
– http://oracle.com/technetwork/topics/entarch/oracle-ra-security-r3-0-176702.pdf
