Copyright 2013, Oracle and/or its affiliates. All rights reserved.

Transcription

1 1

2 Solutions for securing and auditing Oracle database Edgars Ruņģis Technology Consultant

3 Why Are Databases Vulnerable? 80% of IT Security Programs Don t Address Database Security Forrester Research Enterprises are taking on risks that they may not even be aware of. Network Security Especially as more and more attacks against databases exploit legitimate access by compromising applications and user credentials. Authentication & User Security Security Database Security SIEM Endpoint Security 3

4 Is perimeter based defense effective enough in case of Databases? 4

5 Considerations for Maximum Security Preventive and Detective Controls 5

6 Encryption is the Foundation Preventive Control for Oracle Databases Advanced Security Encrypts tablespaces or columns Prevents access to data at rest Built-in two-tier key management Requires no application changes Near Zero overhead with hardware Integrated with Oracle technologies Log files, Compression, ASM, DataPump Applications Disk Backups Exports Off-Site Facilities 6

7 Redaction of Sensitive Data Displayed Preventive Control for Oracle Database Advanced Security Real-time redaction of application data based upon user name, IP, application context, and other session factors Full, partial, fixed redaction Library of redaction policies and pointand-click policy definition Transparent to typical applications No impact on operational activities Credit Card Numbers Redaction Policy xxxx-xxxx-xxxx Call Center Application Billing Department 7

8 Application Screen Before Redacting 8

9 Application Screens After Redacting DBMS_REDACT.ADD_POLICY( object_schema => 'CALLCENTER', object_name => 'CUSTOMERS' column_name => 'SSN'... 9

10 Masking Data for Non-Production Use Preventive Control for Oracle and non-oracle Databases Oracle Data Masking Replace sensitive application data Extensible template library and formats Referential integrity detected/preserved Application templates Integrates with Subsetting and Real Application Testing LAST_NAME SSN SALARY AGUILAR ,000 BENSON ,000 LAST_NAME SSN SALARY ANSKEKSL ,000 BKJHHEIEDK ,000 Production Non-Production Test Dev Production 10

11 11

12 Oracle Database Vault Privileged User and Operational Controls Procurement Application HR Finance select * from finance.customers Limit default powers of privileged users Enforce policy rules inside the database Violations audited, secured and sent to Oracle Audit Vault No application changes required DBA 12

13 Oracle Database Vault Realms Block DBA Privileges Block privileged database users from accessing application data Block threats from compromised privileged accounts Block application users from accessing other applications inside the same database Provide additional security check before allowing authorized users to access application data 13

14 Audit Database Activity Detective Control for Oracle and non-oracle Databases Oracle Audit Vault and Database Firewall Collect, Analyze audit/event data SOC Audit Data & Event Logs Centralized secure repository Consolidated multi-source reporting Out-of-the box and custom reports Fine-grain separation of duties Secure, scalable software appliance Auditor Alerts! Reports Policies! Audit Vault OS & Storage Directories Databases Custom 16

15 Database Activity Monitoring and Firewall Detective Control for Oracle and non-oracle Databases Oracle Audit Vault and Database Firewall Monitor network traffic, detect and block unauthorized database activity Detect/stop SQL injection attacks Highly accurate SQL grammar analysis Users Apps Allow Log Alert Substitute Block Whitelist approach to enforce activity Blacklists for managing high risk activity Scalable secure software appliance SQL Analysis Whitelist Blacklist Policy Factors 17

16 Oracle Audit Vault and Database Firewall Detective Control for Oracle and non Oracle Databases Database Firewall Users Firewall Events Alerts! Reports Policies AUDIT DATA Operating Systems File Systems Directories Custom Audit Data AUDIT VAULT 18

17 Configuration Management Administrative Control for Oracle Databases Oracle Database Lifecycle Management Discover and classify databases Scan for secure configuration Follow compliance frameworks Detect unauthorized changes Patching and provisioning Scan & Monitor Discover Patch 19

18 20

19 Oracle Maximum Security Architecture Core Components Advanced Security Data Redaction Users Database Vault Privilege Analysis Apps Alerts Database Firewall Events Data Masking Advanced Security TDE Database Vault Privileged User Controls Reports Policies Audit Vault Audit Data & Event Logs Databases OS & Storage Directories Custom 26

20 Oracle Database Security Resources Data Sheets Whitepapers Webcasts Case Studies Events News and more 27

21 28

22 29