Data Privacy The Database Story Oded Raz, Co CEO & Co Founder of

Transcription

1 Data Privacy The Database Story Oded Raz, Co CEO & Co Founder of Oracle ACE Director

2 About Brillix Brillix is active in two line of business: Consulting services We offer our customers senior DBA consultants in order to help them improve their database s performance, plan highavailability & DR sites and improve their software architecture. Products The cooperation between top DBAs and highly experienced developing manager helps us produces great database security products. Our flagship product is JumbleDB Scrambling and masking solution for non-production environments.

3 True or Myth Customer s Private data is secured Most of the security birches are within the organization Organizations protect their databases Data theft accurse mainly from within

4 The Enemy Within Network IDS Host IDS Firewall Scanner

5 The Enemy Within Regular Employees Clerks Helpdesk Sales. IT Specialist Developers System Administrator DBA.

6 What Regulations got to do with it PCI DSS Payment Card Industry Data Security Standard of 2004 SOX Sarbanes-Oxley Act of Israel Banking Guidelines HIPAA Health Insurance Portability and Accountability Act of 1996

7 DBA/Insider The7 Remains Key Concern 80% of threats come from insiders 65% of internal threats are undetected 60% of data loss/corrupdon due to human error 30% concerned about DBA threat 50% looking at monitoring insider/dba threats

8 Top Web Site VulnerabiliDes

9 Impact of SQL InjecDon Bypassing authendcadon mechanisms select id from users where name= admin and password= or 1 = 1 InformaDon disclosure select phone from users where name= UNION select credit_num from users - - InformaDon tampering select id from clients where name= ; update clients set debt=0; - - 9

10 Impact of SQL InjecDon Database corrupdng select usr_id from clients where name= ; drop table clients;- - Command execudon select picture from animals where name= ;EXEC filesystem_cmd 'format /y c: 10

11 Database Security - Building Blocks Auditing AudiDng Service Authorization AuthorizaDon Service Session Session Management Service Authentication User + Password CerDficates Smart Card Biometrics Smart Card + Biometrics Identification User Name / User ID Encryption Database EncrypDon

12 Protect Database environments Oracle Limit Database Access EncrypDon Limit Data Access Audit Oracle Hardening procedure Default in 11g DBMS_CRYPTO TDE Scramble Non- ProducDon data VPD / Label Security Database Vault Database Firewall * FGA Fine Grain Audit Audit Vault Database Firewall

13 עשרת הדיברות לאבטחת בסיסי נתונים מעבר לעבודה עם משתמשים אישיים יש להמנע מ SYS ו - SYSTEM. התקן כמה שפחות Features בבסיס הנתונים. מה לעזזל עושים המפתחים בסביבת הייצור שלי! אל תיתן הראשות DBA לשווא. יש לאסור חיבור לבסיס הנתונים משרת בסיס הנתונים עצמו. הורד הרשאות מ- PUBLIC כמה שניתן.CREATE PROCEDURE / הימנע מלתת הרשאות FUNCTION הפעל AUDIT על טבלאות רגישות הימנע מגישה אל מערכת ההפעלה מתוך בסיס הנתונים בצע בקרת של קוד הניגש אל בסיס הנתונים 13

14 Authentication Using OVD

15 Virtual Private Database Users only see data that they have access to CondiDons can differ by users Data access is managed at the database level Fine- Grained Access Control: Enforced at server ApplicaDon Context: Determines access control condidon Sales Rep Customer Sales rep sees orders for his own customers only SELECT * FROM ORDERS; Customer sees only their own orders ORDERS

16 How It Works q Accessing object with an alached policy automadcally invokes the policy (consults the funcdon) q Policy funcdon returns a predicate (a WHERE condidon) q ApplicaDon context determines correct policy for the user q Oracle dynamically rewrites the SQL statement, by appending the predicate SELECT * FROM orders becomes SELECT * FROM orders WHERE cust_no = SYS_CONTEXT( order_entry, cust_num )

17 Oracle Label Security - Model Level Group G0 G1 G2 G3 Top Secret G11 G12 G21 G22 G23 G31 Confidential Corporate G311 G312 Sensitive Personal Risk Compartment

18 Oracle Label Security - Example User Janet User Access Label ConfidenDal : Corporate, Personal : G2 FundRef Amount RowLabel AF ConfidenDal : Corporate : G21 JG ConfidenDal : Branch : G5 XS Top Secret : Risk : G6 AF SensiDve : Personal : G1 SD SensiDve : Corporate : G23

19

20 DBA Privileged Application Owner Application User SQL*Plus Application Bypass Data Vault Enforcement Other ApplicaDon E- Business Suite Oracle Database 10g Release 2 Oracle Data Dictionary Data Vault Security Protects Database and Applications

21 DBA looks at HR data Enforce Separation of Duty HR DBA Creates User Stop (Accidental) misuse of privileges SYS connects as SYSDBA for daily tasks Enforce principle of least privilege Select * from HR.emp DBA 3PM Monday CREATE USER..; HR DBA connect as sysdba OE HR DicDonary

22 Thank You! Read More about database security at -