Copyright 2014 Oracle and/or its affiliates. All rights reserved.
2 Oracle Advanced Security: Best Practices for Database Encryption and Redaction. Todd Bottger, Sr. Principal Product Manager, Oracle Database Security. October 1st, 2014
3 Agenda
- Overview of Transparent Data Encryption (TDE)
- What's New for TDE in Oracle Database 12c
- Best Practices for TDE Performance Tuning
- Overview of Data Redaction
- Best Practices for Data Redaction
- Application Security Case Study: Data Redaction at Epsilon
- Wrap-Up and Questions
5 Transparent Data Encryption: Feature Summary
(Figure: clear data moves between applications and the database; the copies on disks, backups, exports and off-site facilities hold encrypted data.)
- Encrypts columns or entire application tablespaces
- Protects the database files on disk and on backups
- Transparent to applications, no changes required
- High-speed performance, low overhead
- Optimized for Exadata
6 Tight Integration with the Oracle Database
TDE support by database product and technology (example points of integration):
  Database Compression         Oracle Advanced Compression
  Backup and Restore           Oracle Recovery Manager (RMAN), Oracle Secure Backup
  Export and Import            Oracle Data Pump Export and Import
  High-Availability Clusters   Oracle Real Application Clusters (RAC), Oracle Active Data Guard
  Storage Management           Oracle Automatic Storage Management (ASM)
  Database Replication         Oracle GoldenGate *
* Integration with TDE tablespace encryption and/or key management as of Oracle Database 12c
7 Data-at-Rest Encryption for Exadata: Integrations and Optimizations
- Oracle Advanced Security Transparent Data Encryption (TDE) to protect database columns and tablespaces
- Performance boost from leveraging Smart Scans and CPU-based cryptographic acceleration
- Oracle ASM Cluster File System (ACFS) encryption to protect log and configuration files on Exadata
- Oracle Key Vault to centrally manage Oracle Wallets and TDE/ACFS master keys on Exadata
8 TDE Key Architecture
- Data encryption keys are created and managed by TDE automatically
- A master encryption key encrypts the data encryption keys
- The master key typically is stored in Oracle Wallet or Oracle Key Vault
(Figure: the master key, held in Oracle Wallet or Oracle Key Vault, wraps the table key used for TDE encrypted columns and the tablespace key used for a TDE encrypted tablespace inside Oracle Database Enterprise Edition.)
9 Oracle Key Vault
- Centrally manage and share keys, secrets, Oracle wallets, Java keystores, and more
- Optimized for the Oracle stack (Database, Middleware, Systems) and Advanced Security TDE
- Robust, secure, and standards-based (OASIS KMIP) key manager
11 What's New
- TDE in U.S. FIPS mode: DBFIPS_140 parameter in init.ora
- Managing Oracle Wallets: storage in ASM, automatic backup, AES256 wallet
- Managing TDE master keys: new SQL commands for one-stop key management; movement of individual keys; improved separation of duties (the SYSKM administrative privilege)
- Updated GUI in Oracle Enterprise Manager
12 TDE in U.S. FIPS Mode
- The underlying crypto library now used by TDE (BSAFE CCME/MES 4.x, i.e. Crypto-C Micro Edition / Micro Edition Suite) provides a FIPS mode
- The library and its FIPS mode are enabled by setting DBFIPS_140 in init.ora
- The library's original validation certificate is published by U.S. NIST
- This is available for Oracle Database and as an early release for Oracle Database (Patch )
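The two slides above list the FIPS parameter and the new one-stop key management commands without showing them. The following is an added example, not from the deck, of how those pieces fit together on Oracle Database 12c: enabling DBFIPS_140, delegating key administration with SYSKM, and the ADMINISTER KEY MANAGEMENT commands for creating the keystore, setting and rekeying the master key with backups, and exporting a single key. The keystore path, user name, passwords, tags and file names are placeholders.

```sql
-- Added example (not from the slides). Paths, user names, passwords and tags are placeholders.

-- 1. FIPS mode: static parameter, takes effect after the instance is restarted.
--    In init.ora:   DBFIPS_140 = TRUE
--    With an spfile:
ALTER SYSTEM SET DBFIPS_140 = TRUE SCOPE = SPFILE;

-- 2. Separation of duties: the key administrator gets SYSKM, not SYSDBA.
--    (In a multitenant root the user name needs the common-user prefix, e.g. C##TDE_ADMIN.)
CREATE USER tde_admin IDENTIFIED BY "Ch4ngeMe-Admin";
GRANT SYSKM TO tde_admin;
-- SQL*Plus:  CONNECT tde_admin AS SYSKM

-- 3. The keystore directory comes from sqlnet.ora (placeholder path):
--    ENCRYPTION_WALLET_LOCATION =
--      (SOURCE = (METHOD = FILE)(METHOD_DATA = (DIRECTORY = /etc/ORACLE/WALLETS/orcl)))

-- 4. Create a password-protected keystore, open it, and set the first master key.
--    WITH BACKUP copies the keystore file before the new key is written into it.
ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '/etc/ORACLE/WALLETS/orcl'
  IDENTIFIED BY "Ch4ngeMe-Keystore";
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "Ch4ngeMe-Keystore";
ADMINISTER KEY MANAGEMENT SET KEY USING TAG 'initial'
  IDENTIFIED BY "Ch4ngeMe-Keystore" WITH BACKUP USING 'before_initial_key';

-- 5. Optional auto-login keystore so the database opens the wallet at startup without
--    an operator typing the password. Weigh this against the risk that the auto-login
--    file is copied together with the datafiles it protects.
ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE
  FROM KEYSTORE '/etc/ORACLE/WALLETS/orcl' IDENTIFIED BY "Ch4ngeMe-Keystore";

-- 6. Periodic rekey of the master key: the data encryption keys are re-wrapped under the
--    new master key, the encrypted data itself is not rewritten. Back up first again.
ADMINISTER KEY MANAGEMENT SET KEY USING TAG 'rekey_2014q4'
  IDENTIFIED BY "Ch4ngeMe-Keystore" WITH BACKUP USING 'before_rekey_2014q4';

-- 7. Movement of an individual key: export just the keys carrying a given tag, wrapped
--    with an export secret, so they can be imported into another keystore.
ADMINISTER KEY MANAGEMENT EXPORT ENCRYPTION KEYS WITH SECRET "Export-Secret-1"
  TO '/secure/export/orcl_migrate.exp' IDENTIFIED BY "Ch4ngeMe-Keystore"
  WITH IDENTIFIER IN (SELECT key_id FROM v$encryption_keys WHERE tag = 'rekey_2014q4');

-- 8. Checks: keystore state and type, every master key with its backup status, FIPS flag.
SELECT wrl_type, wrl_parameter, status, wallet_type FROM v$encryption_wallet;
SELECT key_id, tag, creation_time, backed_up FROM v$encryption_keys;
SELECT name, value FROM v$parameter WHERE name = 'dbfips_140';
```

The BACKED_UP column of V$ENCRYPTION_KEYS is the quick check that no master key exists only in a single keystore file; a key with no backup that is lost with the wallet makes every tablespace and column encrypted under it unrecoverable.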
15 Typical Customer Experience with Performance
- The performance overhead typically is small on modern hardware
- Case studies: ETS (1-2%), Columbia U (1-3%)
- Measured overhead for a given test may vary
- Following the tuning tips for TDE will help
16 General Performance Tuning Tips
Column Encryption:
- Encrypt a narrow set of columns
- Optionally, turn off integrity checking
- After applying encryption, rebuild column indexes
Tablespace Encryption:
- Set SGA size appropriately
- Compress the data using Advanced Compression or EHCC
- Use hardware and software that provide CPU-based cryptographic acceleration
- If running on Exadata, leverage Smart Scans
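As an added example (not from the deck), the tuning tips above expressed as DDL on Oracle Database 12c: a narrow set of encrypted columns, integrity checking turned off with NOMAC where that trade-off is acceptable, index rebuild after encrypting an existing column, an encrypted tablespace sized against the buffer cache, and Advanced Compression inside it. Schema, table, index, datafile path and size values are placeholders, and the keystore is assumed to be open already.

```sql
-- Added example (not from the slides). Schema, table, index, path and size values are placeholders.

-- Column encryption: encrypt only the sensitive columns, leave the rest clear.
--   'NOMAC'  skips the per-value integrity check (the "turn off integrity checking" tip);
--            it trades tamper detection on the stored ciphertext for speed and space.
--   NO SALT  is required before an encrypted column can be indexed; without salt, equal
--            plaintexts give equal ciphertexts, so use it only where equality lookups are needed.
CREATE TABLE hr.employees_pii (
  emp_id    NUMBER         PRIMARY KEY,
  full_name VARCHAR2(128),
  ssn       VARCHAR2(11)   ENCRYPT USING 'AES256' 'NOMAC' NO SALT,  -- indexed below
  card_no   VARCHAR2(19)   ENCRYPT USING 'AES256',                  -- salted, not indexed
  notes     VARCHAR2(4000)                                          -- not sensitive, clear
);
CREATE INDEX hr.employees_pii_ssn_ix ON hr.employees_pii (ssn);

-- Encrypting a column of an existing table rewrites its stored values; rebuild the
-- indexes on that column afterwards ("after applying encryption, rebuild column indexes").
ALTER TABLE hr.employees MODIFY (ssn ENCRYPT USING 'AES256' 'NOMAC' NO SALT);
ALTER INDEX hr.employees_ssn_ix REBUILD;

-- Tablespace encryption: blocks are decrypted when read from the datafile into the buffer
-- cache, so a cache that holds the working set avoids decrypting the same blocks again
-- and again ("set SGA size appropriately").
CREATE TABLESPACE secure_ts
  DATAFILE '/u01/app/oracle/oradata/orcl/secure_ts01.dbf' SIZE 2G
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);
ALTER SYSTEM SET sga_target = 16G SCOPE = SPFILE;   -- placeholder, size for the working set

-- Compression inside an encrypted tablespace: data is compressed before it is encrypted,
-- so Advanced Compression still pays off. Encrypted column values, by contrast, look
-- random and do not compress, which is one more reason to keep the encrypted column set narrow.
CREATE TABLE sales.orders_hist (
  order_id    NUMBER,
  customer_id NUMBER,
  amount      NUMBER(12,2),
  ordered_on  DATE
) TABLESPACE secure_ts ROW STORE COMPRESS ADVANCED;

-- Verify what is encrypted, with which algorithm, and whether salt/MAC are in use.
SELECT owner, table_name, column_name, encryption_alg, salt, integrity_alg
  FROM dba_encrypted_columns;
SELECT t.name AS tablespace_name, e.encryptionalg, e.encryptedts
  FROM v$encrypted_tablespaces e
  JOIN v$tablespace t ON t.ts# = e.ts#;
```

The SALT and INTEGRITY_ALG columns of DBA_ENCRYPTED_COLUMNS are the audit trail for the two tuning choices: every row showing NO salt or NOMAC should be one where the trade-off was made deliberately, not inherited from a copied DDL template.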
18 Data Redaction in Oracle Database 12c: Redacting Sensitive Data for Applications
(Figure: a redaction policy sits between the application and the stored credit card number; the authorized display shows the full value, the redacted display shows the masked value.)
- On-the-fly redaction based on user name, IP address, application context, and other factors
- Highly transparent enforcement across applications
- Minimal impact on production workloads
- Managed using the EM GUI or a convenient PL/SQL package
Data: cardholder data, national identifiers, personally identifiable information, medical record data, and more
Applications: business apps including display screens, reports, dashboards, panels; new and legacy applications
19 Application Screens After Redacting
20 Redaction Transformations
  Transformation   Stored Data   Redacted Display
  Full             10/09/1992    01/01/2001
  Partial                        XXX-XX-4328
  RegExp
  Random
23 Best Practices
- Start by identifying specific application screens to redact
  - Good candidates include display-oriented screens, reports, and dashboards
  - Not well suited are screens that mix previously redacted data with updates
- Follow these guidelines in custom policy expressions:
  - Redact by default, exempting only under specific conditions (whitelist)
  - Take advantage of rich policy support for runtime conditions based on user, application, IP address and more
  - Join multiple conditions together using logical operators and parentheses
24 Security Guidelines
- Restrict who holds important privileges, including the EXEMPT REDACTION POLICY system privilege and EXECUTE on DBMS_REDACT
- Track all changes to redaction policies: audit the execution of DBMS_REDACT
- Know what Data Redaction is not designed for:
  - It does not protect against inference attacks (redaction is applied to query results, so a user who can run queries with WHERE clauses against the column can still narrow down the real value)
  - It does not prevent privileged database user attacks
  - It does not redact for users that are exempt by default, including DBA users (DBA role, SYS, SYSTEM) and Data Pump export/import users
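The best-practice slide asks for whitelist-style policy expressions and the security-guideline slide for privilege control and auditing of DBMS_REDACT. The block below is an added example covering both, not from the deck: a partial-redaction policy on a credit card column and an SSN column that redacts for everyone except one application user connecting from one address, followed by the queries and audit policy a practitioner would use to check who can bypass or change it. Schema, table, column, user, IP address and policy names are placeholders; the table layout matches the card number (19 characters with dashes) and SSN (11 characters with dashes) formats that the DBMS_REDACT shortcut constants expect.

```sql
-- Added example (not from the slides). Schema, table, user, IP and policy names are placeholders.

-- Redact by default: the expression is TRUE (redaction applies) for every session
-- except BILLING_APP connecting from 10.0.5.20. Conditions are joined with AND inside
-- parentheses and negated as a whole, so adding a new exemption means extending the
-- whitelist, never weakening the default.
BEGIN
  DBMS_REDACT.ADD_POLICY(
    object_schema       => 'HR',
    object_name         => 'EMPLOYEES_PII',
    policy_name         => 'pii_display_redaction',
    column_name         => 'CARD_NO',
    function_type       => DBMS_REDACT.PARTIAL,
    function_parameters => DBMS_REDACT.REDACT_CCN16_F12,   -- keeps only the last 4 digits
    expression          => q'[NOT (SYS_CONTEXT('USERENV','SESSION_USER') = 'BILLING_APP'
                                   AND SYS_CONTEXT('USERENV','IP_ADDRESS') = '10.0.5.20')]',
    policy_description  => 'Whitelist: only BILLING_APP from 10.0.5.20 sees clear PII'
  );

  -- Second column under the same policy (same expression): SSN shown as XXX-XX-4328.
  DBMS_REDACT.ALTER_POLICY(
    object_schema       => 'HR',
    object_name         => 'EMPLOYEES_PII',
    policy_name         => 'pii_display_redaction',
    action              => DBMS_REDACT.ADD_COLUMN,
    column_name         => 'SSN',
    function_type       => DBMS_REDACT.PARTIAL,
    function_parameters => DBMS_REDACT.REDACT_US_SSN_F5
  );
END;
/

-- Who can bypass redaction, and who can change the policies? Both lists should be short.
-- (SYS, SYSTEM, the DBA role and Data Pump export/import users are exempt by default.)
SELECT grantee, admin_option
  FROM dba_sys_privs
 WHERE privilege = 'EXEMPT REDACTION POLICY';
SELECT grantee, grantable
  FROM dba_tab_privs
 WHERE owner = 'SYS' AND table_name = 'DBMS_REDACT' AND privilege = 'EXECUTE';

-- Remove an exemption that is no longer justified (placeholder grantee).
REVOKE EXEMPT REDACTION POLICY FROM reporting_etl;

-- Track every policy change: unified audit policy on executions of DBMS_REDACT.
CREATE AUDIT POLICY redaction_admin_pol ACTIONS EXECUTE ON sys.dbms_redact;
AUDIT POLICY redaction_admin_pol;

-- What is in force right now.
SELECT object_owner, object_name, policy_name, expression, enable
  FROM redaction_policies;
SELECT object_name, column_name, function_type, function_parameters
  FROM redaction_columns
 WHERE object_owner = 'HR';
```

Test the policy from a non-exempt session and from the whitelisted one; a SELECT on HR.EMPLOYEES_PII should return the masked values in the first case and clear values only in the second. Remember that a query such as `WHERE card_no LIKE '4532%'` still evaluates against the stored value, which is the inference gap the guideline slide warns about.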
26 Main Takeaways
Transparent Data Encryption (TDE):
- Transparently encrypts stored data for improved security and compliance
- Integrates directly with Exadata, Oracle Key Vault and more
- Enhancements in Oracle Database 12c deliver FIPS validation and make TDE even easier to deploy and use
Data Redaction:
- New in Oracle Database 12c, backported to Oracle Database 11gR2
- Redacts application display data on-the-fly based on runtime factors
- Provides highly transparent redaction across applications with minimal impact on database workloads
27 Oracle Advanced Security Product Summary
(Figure: Data Redaction, with a policy between the application and the credit card number giving an authorized display or a redacted display; Transparent Data Encryption, with encrypted data on disks, backups, exports and off-site facilities.)
28 Oracle Database Security at OpenWorld 2014
- Monday 2:45-3:30, Moscone South 303: Oracle Database Security Innovations in the Year of Megabreaches (CON8204)
- Monday 5:15-6:00, Moscone South 305: Introducing Oracle Key Vault: Centralize Keys, Wallets, and Java Keystores (CON8189)
- Tuesday 10:45-11:30, Moscone South 306: Oracle Database 12c: Defense-in-Depth Security (CON8194)
- Tuesday 3:45-4:30, Moscone South 306: Oracle Audit Vault and Database Firewall: What's New and Best Practices (CON8180)
- Tuesday 5:00-5:45, Moscone South 308: Oracle Real Application Security: Next Generation VPD
- Tuesday 5:15-6:15, Hotel Nikko Golden Gate: Hands-On Lab #1: Oracle Key Vault (HOL9275)
- Wednesday 10:15-11:00, Moscone South 306: Oracle Advanced Security: Best Practices for Database Encryption and Redaction (CON8186)
- Wednesday 12:45-1:30, Moscone South 310: Oracle Database Security Strategy and Best Practices: Customer Case Study Panel (CON8192)
- Wednesday 3:30-4:15, Moscone South 306: Oracle Database Vault with Oracle Database 12c (CON8197)
- Thursday 9:30-10:15, Moscone South 306: What's New and Best Practices for Oracle Data Masking and Subsetting (CON8184)
- Thursday 11:30-12:30, Hotel Nikko Golden Gate: Hands-On Lab #2: Oracle Key Vault (HOL9275)
Plus: visit the Oracle Database Security pods at the Demo Grounds for one-on-one discussions and demonstrations!
29 Connect With Us
- /OracleDatabase, /OracleSecurity
- blogs.oracle.com/SecurityInsideOut, blogs.oracle.com/KeyManagement
- Oracle Database Insider
- /Oracle/database, /OracleLearning
- oracle.com/database/security, oracle.com/technetwork/database/security
