Database Security Questions HOUG Fehér Lajos. Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Transcription

1 Database Security Questions HOUG 2016 Fehér Lajos 1

2 How Data Gets Compromised? Source: Verizon Data Breach Investigations Report Copyright 2015, Oracle and/or 2its affiliates. All rights reserved.

3 Where Losses Come From? 92% of Records from Compromised Databases Source: Verizon Data Breach Investigations Report

4 Top Attack Techniques % Breaches and % Records Most records lost through Stolen Credentials & SQL Injection Source: Verizon Data Breach Investigations Report

5 Database Security Defense-In-Depth Approach Monitor and block threats before they reach databases Control access to data within the databases Track changes and audit database activity Encrypt data to prevent direct access Implement with Transparency no changes to existing applications High Performance no measurable impact on applications Accuracy minimal false positives and negatives

6 Existing Security Solutions Not Enough Key Loggers Phishing Malware Botware SQL Injection Social Engineering Espionage Web Users Application Users Application Database Administrators Data Must Be Protected in depth

7 Simplified Application Model Exploit Application Bypass Application Exploit Database Users Apps Bypass Database Test/Dev Copy Abuse Privileged Accounts Access Exported Data Administrators Storage 7

8 Opportunities for Attack Exploit Application Bypass Application Exploit Database Users Apps Bypass Database Test/Dev Copy Abuse Privileged Accounts Access Exported Data Administrators Storage 8

9 Oracle Database Maximum Security Architecture Advanced Security Data Redaction Access Control (VPD and RAS) Database Vault Users Apps Database Firewall Data Masking Advanced Security TDE Test/Dev Copy Database Vault Privilege Analysis Administrators Storage Key Vault Audit Vault 9

10 Defense-in-Depth Security Controls EVALUATE PROTECT DETECT Security Configuration Encryption & Redaction Auditing Sensitive Data Discovery Masking & Subsetting Activity Monitoring Least Privilege Use DBA & Operational Controls Alerting & Reporting 10

11 Oracle Real Application Security (RAS) Next Generation Database Enforced Application Security Field Batch Jobs, Adhoc Highlights End-to-end uniform security across mid-tier and database Declarative security (no handcoded checks) Joe Application Data security based upon application users and roles Audit of end-user activity Analytics Audit Simplified administration Supports new/legacy apps 11

12 Attack #1: Exploit the Application Get the application to reveal information that wasn t intended How can this happen? Bug in the application s access control logic SQL injection Exploits the application s privileges to read and write the database Defenses Data Redaction limits sensitive data handled by the application Database Firewall examines SQL from the application and blocks abnormal statements 12

13 Oracle Advanced Security Redaction Authorized Display Redacted Display Policy Credit Card # Application Identify sensitive data, possibly using Enterprise Manager Best for data that is displayed but not interpreted by application Prevents compromise due to application bugs and protects all applications that use the same data Cardholder data National identifiers Personally Identifiable Info Medical Record Data And more Business apps including display screens, reports, dashboards, panels New and legacy applications 13

14 Oracle Database Firewall Differentiates normal SQL statements used by application vs abnormal SQL from attacker Uses SQL parser, not just regular expressions, to recognize statements Start by monitoring unexpected SQL Later move to blocking Whitelist of expected statements for maximum security Also supports blacklist policies Users Apps Alerts Reports Policies Database Firewall Events Audit Vault 14

15 Attack #2: Bypass the Application / Exploit the Database Connect to the database and access the data directly Bypasses any controls enforced by the application Defenses Harden and monitor the database configuration Implement access control in the database Virtual Private Database uses policy functions to filter data rows Real Application Security uses declarative policies based on ACLs Database Vault limits privileged access to data 15

16 Oracle Database Vault Use realms to protect against access using system privileges Enforce separation of duty among administrators Use command rules with multiple factors to tightly control routine administration Training mode helps to fine-tune policies Privileged User HR App SELECT ANY HR HR Realm Fin App Fin Fin Realm 16

17 Attack #3: Bypass the Database Access data storage directly Bypasses any controls enforced by the database Defenses Transparent Data Encryption automatically encrypts and decrypts stored data Key Vault manages encryption keys for TDE (and other uses) 17

18 Oracle Advanced Security Data Redaction Transparent Data Encryption Encrypted Storage Redacted Applications Disks Backups Exports 18

19 Transparent Data Encryption Applications For best performance Clear Data Take advantage of x86 or SPARC hardware acceleration Use tablespace encryption in most cases Protects backups as well as database files on disk Critical issue is key management Encrypted Data d$f8#;!90wz Yg#3R R+%K# *HH$7 #9Vlka Disks Backups Exports Off-Site Facilities 19

20 TDE Integration with Oracle Database Database Products and Technologies Engineered Systems Data Compression Backup and Restore Export and Import High-Availability Clusters Storage Management Pluggable Databases Database Replication Example Points of Integration Oracle Exadata Smart Scans Oracle Advanced Compression Oracle Recovery Manager (RMAN), Oracle Secure Backup Oracle Data Pump Export and Import Oracle Real Application Clusters (RAC), Active Data Guard Oracle Automatic Storage Management (ASM) Oracle Multitenant Option Oracle Golden Gate TDE Support * Integration with TDE tablespace encryption and/or key management as of Oracle Database 12c 20

21 TDE Advancements in Oracle Database 12c Release 1 Oracle Wallet Storage in ASM, automatic backup TDE Master Key New SQL commands for key management Movement of individual keys Improved S.O.D. (SYSKM) U.S. FIPS mode DBFIPS_140 parameter in init.ora FIPS

22 Managing Master Keys in Oracle Wallet CRITICAL: Remember wallet password CRITICAL: Do not delete wallet. Retain copy of password-based wallet even if using auto-login CRITICAL: Do not have multiple databases share same wallet Set strong wallet password using numbers, capitalization, length >= 12 characters Rotate master encryption key and wallet password approximately every six months Backup wallet before and after each rotation operation Keep wallet backup separate from encrypted data backup Restrict wallet directory and file permissions Keep wallet read-only for daily use, set immutable bit where available For RAC, consider storing wallet in ACFS (DB 11gR2) or ASM (DB 12cR1) For DB 12cR1, separate duties using SYSKM

23 Transparent Data Encryption Main Takeaways Transparently encrypts with no impact on applications Delivers fast performance on modern hardware Manages keys with Oracle Wallet or Oracle Key Vault Directly integrates with popular Oracle Database technologies It just works! 23

24 Oracle Key Vault High-Level Architecture Middleware Standby Databases Administration Console, Alerts, Reports Servers Secure Backups = Oracle Wallet = Java Keystore = Certificate = Server Password = Credential File 24

25 Key Management with Oracle Key Vault Use Key Vault to centrally manage keys for TDE and more Share keys with related endpoints (RAC nodes, high availability standby systems) Audit all accesses and management operations 25

26 Oracle Advanced Security Transparent Data Encryption (TDE) Oracle Wallet Upload/Download Scenarios RAC Data Guard Multiple DBs Same Machine GoldenGate Single Instance 26

27 Attack #4: Abuse Privileged Accounts Improper access by administrators or by an attacker who impersonates them Defenses Database Vault realms limit privileged access Privilege Analysis helps reduce unnecessary privilege grants 27

28 Oracle Database Vault Privilege Analysis DBA_DEBRA Custom Applications Select Update Drop DBA role. Runtime Capture Unused/Used Reports Helps implement the Principle of Least Privilege Perform privilege capture on a realistic example of application workload Revoke unnecessary privileges or audit their use 28

29 Oracle Database Vault Database Vault Realms and Command Rules Protect Sensitive Schemas and Objects Protect sensitive data from privileged accounts Enforce a trusted path to prevent application by-pass Control database changes for security and compliance Privileged User HR App SELECT ANY TABLE IP: HR HR Realm Fin Fin App IP: ALTER SYSTEM Fin Realm DBA 29

30 Oracle Database Vault Privilege Analysis Privileges not used during capture 30

31 Unused Privileges Report 31

32 Used Privileges Report 32

33 Oracle Database Vault Manageability Installed with 12c Oracle Database Enterprise Edition Configure, enable using two PL/SQL calls Manage with Oracle Enterprise Manager or API Protection travels with PDB and backups Integrated with Oracle High Availability options (Data Guard, RAC ) Less than 2% performance overhead 33

34 Attack #5: Access Exported Data Copies of data may be exported for many reasons Exported data copies may not be protected as carefully Defenses Data Masking replaces sensitive data with other content Data Subsettinglimits exported data to a representative sample 34

35 Oracle Data Masking and Subsetting Pack Reduces Risk in Sharing by Obfuscating or Removing Sensitive Data Production Test/Dev Discover Sensitive Data Modeling Application Data SSN Credit Card SSN Credit Card Mask Data using Format Library Subset Based on Goal/Condition Mask/Subset in Export or on Staging Mask in Workload Captures & Clones Pre-installed in Enterprise Manager 35

36 Application Data Modeling Sensitive Data Discovery Data Relationships Sensitive Columns Metadata Automated Discovery 36

37 Extensive Masking Format Library Provides common masking formats Supports custom masking formats Random numbers/strings/dates Substitute User defined PL/SQL function and more Generates sample masked values Templates for specific versions of E- Business Suite and Fusion Applications 37

38 Masking Examples Mask Based on Condition Country Identifier CA US UK JX C Shuffle Records Country Identifier Health Health CA Records Records US UK AI D Emp ID First Name 324 Albert 986 Hussain Generate Deterministic Output HR FIN Emp ID First Name 324 Charlie 986 Murali Emp ID First Name 324 Charlie 986 Murali Generate Random Values Preserving Format Mask Operating System Files stored as Blobs Company Closing Price IBFG $36.92 XKJU Company Closing Price IBFG $89.57 XKJU BLOB Search : [0-9]{10} Replace : * BLOB ********** ********** and more 38

39 Goal or Condition Based Subsetting Relative Database Size 100% 25% 10% 100M Rows Relative Table Size 20M Rows 2M Rows 1024 GB 256 GB 102 GB Condition Based Extract ASIA Sales

40 Deployment Options In-Database In-Export Production Staging Test/Dev Production Export Test/Dev Minimal impact on the production environment Sensitive data remains within the production perimeter 40

41 Final Defense: Monitor Activity Monitoring activity is an overall defense Catches unknown attacks Detects tampering with defenses When monitoring is known, it can have a deterrent effect Defenses Database Auditing records significant security events as they occur Audit Vault collects audit data and provides reports and real-time alerts 41

42 Database Auditing Goal is to record the most important events without generating overwhelming amounts of data For example, record updates to sensitive table but not every SELECT Record security-relevant events that are expected to be infrequent Database audit policies are highly customizable Access to particular objects Use of roles or privileges Based on runtime conditions Beginning in 12.1, Unified Audit combines multiple audit mechanisms 42

43 Oracle Audit Vault Alerts Reports Policies Audit Data & Event Logs Databases OS & Storage Directories Custom Audit Vault Collects and consolidates audit data from multiple sources Protects tampering by removing audit data from subject systems Can collect additional detail from database redo logs such as values before and after update New reports show trends and anomalous activity 43

44 Security Guide Day Security Guide

45 Q & A HOUG 2016 Fehér Lajos 45