Protecting Sensitive Data Reducing Risk with Oracle Database Security

Transcription

1

2 Protecting Sensitive Data Reducing Risk with Oracle Database Security Information Security Architect

3 Agenda 1 2 Anatomy of an Attack Three Steps to Securing an Oracle Database 3 Database Security Strategy 3

4 Agenda 1 2 Anatomy of an attack Three steps to securing an Oracle Database 3 Database Security Strategy 4

5 FROM MISTAKES TO MALICIOUS BASIC SECURITY IS NO LONGER ENOUGH Accidental deletes Unauthorized disclosures Privilege Abuse Curiosity Leakage Social Engineering Denial of Service Sophisticated Attacks Data Theft Loss to Business Impacts Reputation

6 ANATOMY OF AN ATTACK STARTS WITH SOCIAL ENGINEERING ATTACKER PHISHING ATTACK COMMAND SERVER XSS OR SQL INJECTION ATTACK i i i i i i i i i i DOWNLOADED MALWARE

7 ANATOMY OF AN ATTACK ESTABLISH A FOOTHOLD ESTABLISH MULTIPLE BACKDOORS DUMPING PASSWORDS DOMAIN CONTROLLER i i i i i i GATHERING DATA

8 ANATOMY OF AN ATTACK EXFILTRATE DATA AND COVER TRACKS STOLEN DATA USED IN FOLLOW ON ATTACKS EXFILTRATE DATA VIA STAGING SERVER ANYWHERE IN THE WORLD

9 A Wide Range of Attack Vectors no single control addresses all of them App User Snooping Malware Attack Data at Rest Attack SQL Attack Data Redaction Label Security DB Firewall Data Encryption Prod Data Accidental Exposure Activity Monitoring Backup Data Prod Data Dev/Test Data DB Vault DBA Permission Abuse Data Masking Sensitive Data Discovery Configuration Management Insider Threat DevTeam Snooping Lost Laptop Lost Disk or Tapes 9

10 Over 1.8 Billion Records Breached 67 % 43 % 69 % 97 % Records breached from servers Breached using weak or stolen credentials Discovered by an external party Preventable with basic controls

11 97% Of Controls Database Breaches Could have Been Prevented With Basic Controls 11

12 Compliance Requires New Security Controls Regulatory Frameworks HIPAA, IRS 1075, CJIS, Breach Notification, European Data Protection Regulation, etc. Regulatory Requirements Data Security Access Controls Segregation of Duties Audit & Accountability Continuous Monitoring & Alerting Regulated Data Federal Tax Info, Electronic Health Records, Criminal History Reports, PII Securing Data Controlling Access Segregation of Duties Auditing Management & Alerting!

13 Agenda 1 2 Anatomy of an attack Three steps to securing an Oracle Database 3 Database Security Strategy 13

14 3 STEPS TO SECURE CONSOLIDATION DATABASE DEFENSE-IN-DEPTH STRATEGY Find Sensitive Data, Privileges Prevent Unauthorized Data Access Detect, Alert on Database Activity

15 STEP 1 ADMINISTRATIVE CONTROLS FIND SENSITIVE DATA, DATABASES, AND PRIVILEGES Analyze Privileges Sensitive Data Finder Configuration Scanning Database Vault 12c All Security Options EM Lifecycle Management

16 Database Privilege Analysis Create Drop Modify DBA role APPADMIN role Oracle Database Vault 12c Report on actual privileges and roles used by database users Helps revoke unnecessary privileges Enforce least privilege and reduce risks Increase security without disruption Privilege Analysis 16

17 Discover Sensitive Data and Databases Oracle Enterprise Manager 12c Scan Oracle for sensitive data Built-in, extensible data definitions Discover application data models Protect sensitive data appropriately: encrypt, redact, mask, audit

18 Continuous Configuration Monitoring Oracle Enterprise Manager 12c Discover Discover and classify databases Scan for best practices, standards Detect unauthorized changes Scan & Monitor Automated remediation Patching and provisioning Patch 18

19 Oracle Provided Oracle DB 11g STIG Compliance Includes both Oracle Database and Oracle Home Checklists Almost all Scripted defined checks have been automated. ~20% Manual/Interview checks automated. Remaining require manual Attestation.

20 STEP 2 PREVENTIVE CONTROLS PREVENT UNAUTHORIZED DATA ACCESS Production DATA ENCRYPTION *7#$%!!@!%afb ##<>*$#@34 DATA REDACTION ssn:xxx-xx-4321 dob:xx/xx/xxxx DATA MASKING ACCESS CONTROLS ssn: Insufficient Privilege APPLICATIONS ssn: APPLICATIONS ssn:xxx-xx-4321 ssn: dob: 12/01/1987 Dev/Test

21 Encryption is the Foundation Applications Disk Backups Exports Off-Site Facilities Oracle Advanced Security Transparent data encryption Prevents access to data at rest Requires no application changes Built-in two-tier key management Near Zero overhead with hardware Integrations with Oracle technologies e.g. Exadata, Advanced Compression, ASM, GoldenGate, DataPump, etc.

22 Key Management Challenges Heard from Customers Management Challenges Proliferation of encryption wallets and keys Authorized sharing of keys Key availability, retention, and recovery Custody of keys and key storage files Regulatory Challenges Physical separation of keys from encrypted data Periodic key rotations Monitoring and auditing of keys Long-term retention of keys and encrypted data 22

23 Oracle Key Vault Software Appliance Platform Turnkey solution based on hardened stack Includes Oracle Database and security options Open x86-64 hardware to choose from Easy to install, configure, deploy, and patch Separation of duties for administrative users Full auditing, preconfigured reports, and alerts 23

24 Context-Aware Data Redaction Credit Card Numbers Redaction Policy xxxx-xxxx-xxxx Oracle Advanced Security Real-time sensitive data redaction based on database session context Library of redaction policies and point-andclick policy definition Consistent enforcement, policies applied to data Transparent to applications, users, and operational activities Call Center Application Billing Department 24

25 Remove sensitive data from non-production environments LAST_NAME SSN SALARY AGUILAR ,000 BENSON ,000 Production Test Dev Non-Production LAST_NAME SSN SALARY ANSKEKSL ,000 BKJHHEIEDK ,000 Oracle Data Masking & Subsetting Remove risk from non-production systems Reduce size of non-production systems Reduce storage costs Replace sensitive application data Referential integrity detected/preserved Extensible template library and formats Application templates available 25

26 Next Generation Access Control Applications Procurement HR Finance Security DBA select * from finance.customers Application DBA Oracle Database Vault Context-Sensitive Authorization Policies Limit DBA access to application data Multi-factor SQL command rules Enforce enterprise data governance, least privilege, segregation of duties Out of the box application policies DBA 26

27 Label-Based Access Control Sensitive Transactions Confidential Report Data Public Reports Oracle Label Security Virtual information partitioning for cloud, SaaS, hosting environments Classify users and data using labels Labels based on business drivers Automatically enforced row level access control, transparent to applications Labels can be factors used by other security features (eg: Redaction, Database Vault) Confidential Sensitive 27

28 STEP 3 DETECTIVE CONTROLS DETECT AND ALERT ON ACCESS ANOMALIES APP S DATABASE FIREWALL Firewall Events Alerts! Built-in Reports Custom Reports Audit Data Custom Policies AUDIT VAULT

29 Consolidate Audit Data Storage, Analysis, & Reporting Audit Data & Event Logs Oracle Database Firewall OS & Storage Directories Databases Custom! Alerts Built-in Reports Custom Reports Policies SOC/NOC Auditor Oracle Audit Vault & Database Firewall Centralized, secure audit data repository Manage audit data, return storage to operational data bases Powerful alerting - thresholds, group-by Out-of-the box and custom reports Consolidated multi-source reporting Security Analyst For Oracle and non-oracle Databases 29

30 Detect & Alert on Anomalies Users Apps SQL Analysis Allow Log Alert Substitute Block Policy Factors Oracle Audit Vault & Database Firewall Monitors network traffic, detect and block unauthorized activity Highly accurate SQL grammar analysis Can detect/stop SQL injection attacks Whitelist approach to enforce activity Blacklists for managing high risk activity Detect/Block Anomalous Activity Whitelist Blacklist For Oracle and non-oracle Databases 30

31 Agenda 1 2 Anatomy of an Attack Three Steps to Securing an Oracle Database 3 Database Security Strategy 31

32 Database Security Strategy Use Defense-in-Depth for Maximum Security Preventive Controls Detective Controls Administrative Controls Don t let perfection stand in the way of progress Look for incremental steps to reduce risk Do not accept the status quo business as usual is not an option 32

33 Security is part of Oracle s DNA Defense in Depth to address the full range of attack vectors Encryption, Context-aware access controls, separation of duty, fine-grained access controls Built-in Security not a bolt on, no compatibility issues Security controls do not break compression, backups, high availability, data integration High Performance is a Must Encryption, Masking Common Admin UIs reduce your cost to implement and manage Enterprise Manager Single Vendor = No Excuses = No Finger Pointing 33

34 Questions? 34

35 Oracle Confidential 35

36