Copyright 2013, Oracle and/or its affiliates. All rights reserved.

Transcription

1 1

2 Security Inside Out Latest Innovations in Oracle Database 12c Jukka Männistö Database Architect Oracle Nordic Coretech Presales

3 The Security Landscape Regulatory Landscape HIPAA, SOX (2002), NERC/CIP, Australian CLERP-9 (2004), Privacy breach disclosure laws (California SB 1386,..) Payment Card Industry (2.0 in Oct 2010) Proposed EU data protection regulation (2016?) IT Landscape Global work force Outsourcing Consolidation Threat Landscape Insider threats, SQL Injection (2000) Advanced Persistent Threats (APT), Organized Crime, State Sponsored,. 3

4 Records breached 67 % from servers 76 % Breached using weak or stolen credentials Over 1.1B Served Discovered by an 69 % external party 97 % Preventable with basic controls 4

5 Why Are Databases Vulnerable? 80% of IT Security Programs Don t Address Database Security Forrester Research Enterprises are taking on risks that they may not even be aware of. Network Security Especially as more and more attacks against databases exploit legitimate access by compromising applications and user credentials. Authentication & User Security Security Database Security SIEM Endpoint Security 5

6 Is Your Data Secure? Unit 61398, HQ of Peoples Liberation Army Cyberwarfare office, Shangahi, China 6

7 Finland? 7

8 8

9 Why Increase Database Security? Two Thirds of Sensitive and Regulated Information now Resides in Databases and Doubling Every Two Years HR Data Citizen Data Credit Cards Customer Data Financial Data Classified Govt. Info. Trade Secrets Competitive Bids Corporate Plans Source Code Bug Database 9 Source: "Effective Data Leak Prevention Programs: Start by Protecting Data at the Source Your Databases", IDC, August 2011

10 From Mistakes to Malicious Basic Security is Not Enough for Today s Business Accidents Unintended disclosures Privilege Abuse Curiosity Leakage Social Engineering Sophisticated Attacks Business Data Theft Loss of Reputation 10

11 What Are The Typical Risks? Users WebServer AppServer Prod Database Insider network sniffing DBA privilege access Suspicious activity SQL Injection attacks Test system with real data Backup Filesystem/Tape access Test copy Production Storage 11

12 What Are The Typical Risks? Users WebServer AppServer Prod Database Insider Network network Encryption sniffing Oracle DBA privilege Database access Vault Audit Suspicious Vault & Data activity Redaction Oracle SQL Injection Database attacks Firewall Test Datamasking system with real Pack data Backup Transparent Filesystem/Tape Data Encryption access Test copy Production Storage 12

13 Take A PREVENTIVE DATABASE GOVERNANCE DETECTIVE ADMINISTRATIVE 13 Copyright 2012, 2013, Oracle and/or its affiliates. All rights reserved.

14 Take A PREVENTIVE DETECTIVE ADMINISTRATIVE 14 Copyright 2012, 2013, Oracle and/or its affiliates. All rights reserved.

15 Encryption is the Foundation Preventive Control for Oracle Databases Advanced Security Encrypts tablespaces or columns Prevents access to data at rest Built-in two-tier key management Requires no application changes Near Zero overhead with hardware Integrated with Oracle technologies Log files, Compression, ASM, DataPump Applications Disk Backups Exports Off-Site Facilities 15

16 Redaction of Sensitive Data Displayed Preventive Control for Oracle Database 12c Advanced Security Real-time redaction of application data based upon user name, IP, application context, and other session factors Full, partial, fixed redaction Library of redaction policies and pointand-click policy definition Transparent to typical applications No impact on operational activities Credit Card Numbers Redaction Policy xxxx-xxxx-xxxx Call Center Application Billing Department 16

17 Application Screen Before Redacting 17

18 Application Screens After Redacting DBMS_REDACT.ADD_POLICY( object_schema => 'CALLCENTER', object_name => 'CUSTOMERS' column_name => 'SSN'... 18

19 Masking Data for Non-Production Use Preventive Control for Oracle and non-oracle Databases Oracle Data Masking Replace sensitive application data Extensible template library and formats Referential integrity detected/preserved Application templates Integrates with Subsetting and Real Application Testing LAST_NAME SSN SALARY AGUILAR ,000 BENSON ,000 LAST_NAME SSN SALARY ANSKEKSL ,000 BKJHHEIEDK ,000 Production Non-Production Test Dev Production 19

20 Oracle Database Vault Privileged User and Operational Controls Procurement Application HR Finance select * from finance.customers Limit default powers of privileged users Enforce policy rules inside the database Violations audited, secured and sent to Oracle Audit Vault No application changes required DBA 20

21 Oracle Database Vault Realms Block DBA Privileges Block privileged database users from accessing application data Block threats from compromised privileged accounts Block application users from accessing other applications inside the same database Securely consolidate and use private or public cloud computing 21

22 Oracle Database Vault 12c New Mandatory Realms Block Direct Object Grants Provide additional security check before allowing authorized users to access application data Enable application DBA control by allowing patching while denying access to sensitive application data Freeze security settings identified by Privilege Analysis: roles, grants, Temporarily seal off entire application data in the event of a cyber threat 22

23 Take A PREVENTIVE DETECTIVE ADMINISTRATIVE 23 Copyright 2012, 2013, Oracle and/or its affiliates. All rights reserved.

24 Conditional Auditing Detective Control for Oracle Databases Framework for Conditional Auditing Audit based upon database session factors Audit only what is needed Group audit settings for manageability Out of the box policies My Audit Policy ACTIONS ALL WHEN IP!= '' '' Except HR Name What When Exceptions 24

25 Audit Database Activity Detective Control for Oracle and non-oracle Databases Oracle Audit Vault and Database Firewall Collect, Analyze audit/event data SOC Audit Data & Event Logs Centralized secure repository Consolidated multi-source reporting Out-of-the box and custom reports Fine-grain separation of duties Secure, scalable software appliance Auditor Alerts! Reports Policies! Audit Vault OS & Storage Directories Databases Custom 25

26 Database Activity Monitoring and Firewall Detective Control for Oracle and non-oracle Databases Oracle Audit Vault and Database Firewall Monitor network traffic, detect and block unauthorized database activity Detect/stop SQL injection attacks Highly accurate SQL grammar analysis Users Apps Allow Log Alert Substitute Block Whitelist approach to enforce activity Blacklists for managing high risk activity Scalable secure software appliance SQL Analysis Whitelist Blacklist Policy Factors 26

27 Oracle Audit Vault and Database Firewall Detective Control for Oracle and non Oracle Databases Database Firewall Users Firewall Events Alerts! Reports Policies AUDIT DATA Operating Systems File Systems Directories Custom Audit Data AUDIT VAULT 27

28 Take A PREVENTIVE DETECTIVE ADMINISTRATIVE 28 Copyright 2012, 2013, Oracle and/or its affiliates. All rights reserved.

29 Configuration Management Administrative Control for Oracle Databases Oracle Database Lifecycle Management Discover and classify databases Scan for secure configuration Follow compliance frameworks Detect unauthorized changes Patching and provisioning Scan & Monitor Discover Patch 29

30 Discover Sensitive Data and Databases Administrative Control for Oracle Database 12c Oracle Enterprise Manager 12c Scan Oracle for sensitive data Built-in, extensible data definitions Discover application data models Protect sensitive data appropriately: encrypt, redact, mask, audit 30

31 Take A PREVENTIVE DATABASE GOVERNANCE DETECTIVE ADMINISTRATIVE 31 Copyright 2012, 2013, Oracle and/or its affiliates. All rights reserved.

32 Critical patch update html?ssSourceSiteId=ocomen Latest January 2014 Next April 2014 Main reason for applying path, uncertainity Testing Testing with Real Application Testing CPU s are increasingly important Need to be integrated in operating procedures 32

33 Security Alert Subscription html In order to start receiving notifications of the release of Critical Patch Updates and Security Alerts, follow the steps outlined below. If you have previously signed up for this alert, please double check that your electronic subscriptions are up to date. 1. If you do not have an Oracle Technology Network account, click on the Sign In/Register for Account link at the top of this page to create an account. 2. Alternatively, if you already have an Oracle Technology Network account, click on the Sign In/Register for Account link at the top of this page and login to your account. 3. Once logged in, click the Account link at the top of this page, scroll down to Subscription Center > Oracle Technology News, ensure the checkbox next to Oracle Security Alerts is selected, and save your changes. To unsubscribe, repeat these steps but uncheck the Oracle Security Alerts checkbox. 33

34 Reference Documentation Database Security Guide %2Ftoc.htm&remark=portal+%28Books%29 Oracle Security Reference Architecture Part of It Strategies From Oracle pdf 34

35 35