1 Copyright 2012, Oracle and/or its affiliates. All rights reserved. Public Information

Transcription

1 1 Copyright 2012, Oracle and/or its affiliates. All rights reserved. Public Information

2 Proteggere i dati direttamente nel database Una proposta tecnologica Angelo Maria Bosis Sales Consulting Senior Manager 2 Copyright 2012, Oracle and/or its affiliates. All rights reserved. Public Information

3 What is an Advanced Persistent Threat? Cybercrime directed at political, infrastructure, and business targets 3 Copyright 2012, Oracle and/or its affiliates. All rights reserved. Public Information

4 What are APTs Ultimately After? Two Thirds of Sensitive and Regulated Information now Resides in Databases and Doubling Every Two Years Classified Govt. Info. Trade Secrets HR Data Citizen Data Credit Cards Customer Data Financial Data Competitive Bids Corporate Plans Source Code Bug Database Source: IDC, "Effective Data Leak Prevention Programs: Start by Protecting Data at the Source Your Databases", August Copyright 2012, Oracle and/or its affiliates. All rights reserved. Public Information

5 Database Sprawl Makes Attacking Easier! 5 Copyright 2012, Oracle and/or its affiliates. All rights reserved. Public Information

6 Are Databases Adequately Protected? Network Security Forrester estimates that although 70% of enterprises have an information security plan, only 20% of enterprises have a database security plan. Authentication Security Security Database Security Endpoint Security Vulnerability Management Source: Forrester Research Inc., Creating An Enterprise Database Security Plan, July Copyright 2012, Oracle and/or its affiliates. All rights reserved. Public Information

7 Limited Database Controls 70% System users can read/tamper data stored in database files or storage 76% Cannot prevent DBAs from reading/modifying data 68% Cannot detect if database users are abusing privileges 63% Vulnerable to SQL injection attacks or not sure 48% Copy sensitive production data to non-production environments 31% Likely to get breached over the coming year Source: 2010 Independent Oracle User Group Data Security Report 7 Copyright 2012, Oracle and/or its affiliates. All rights reserved. Public Information

8 Most Records Lost from Database Servers Type Category % Breaches % Records Database Server Servers & Applications 25% 92% Desktop Computer End-User Devices 21% 1% How were these records breached? 89% using SQL injection 86% using stolen credentials By exploiting legitimate access to databases! Source: 2010 Verizon Data Breach Investigations Report 8 Copyright 2012, Oracle and/or its affiliates. All rights reserved. Public Information

9 Sources of Vulnerability Test & Dev Partners Applications Configuration Administrative Accounts Operations Access to production data in non-secure environment Access to production systems for trouble shooting SQL Injection attack from outside Application bypass Security configuration parameters Security patches System administrators, DBAs, Application Administrators Stolen credentials, Inadequate training, Malicious insiders Direct OS access Lost / stolen backups 9 Copyright 2012, Oracle and/or its affiliates. All rights reserved. Public Information

10 Oracle Database Security Platform Transparent Data Encryption, Privileged User Controls, Multi-Factor Authorization, Data Classification, and Change Tracking Maximum Security for Oracle Databases: Oracle Advanced Security Oracle Database Vault Oracle Label Security Oracle Total Recall Database Activity Auditing and Reporting, SQL Traffic Monitoring and Blocking, Real-Time Alerting, Workflow Automation Security for Oracle and non-oracle Databases Outside the Database: Oracle Audit Vault Oracle Database Firewall Secure Configuration Scanning, Automated Patching, Configuration Change Control, Sensitive Data Discovery, Data Masking Security for Production and non- Production Database Environments: Oracle Database Lifecycle Oracle Enterprise Manager Oracle Data Masking 10 Copyright 2012, Oracle and/or its affiliates. All rights reserved. Public Information

11 Oracle Advanced Security Transparent Data Encryption Disk Backups Application Exports Off-Site Facilities Protects from unauthorized OS level or network access Efficient encryption of all application data Built-in key lifecycle management No application changes required 11 Copyright 2012, Oracle and/or its affiliates. All rights reserved. Public Information

12 Oracle Database Vault Privileged User and Operational Controls Procurement Application HR Finance select * from finance.customers Limit default powers of privileged users Enforce policy rules inside the database Violations audited, secured and sent to Oracle Audit Vault No application changes required DBA 12 Copyright 2012, Oracle and/or its affiliates. All rights reserved. Public Information

13 Oracle Database Firewall First Line Of Defense Monitors database activity, and prevents attacks and SQL injections White-list, black-list, and exception-list based security policies based upon highly accurate SQL grammar based analysis In-line blocking and monitoring, or out-of-band monitoring modes 13 Copyright 2012, Oracle and/or its affiliates. All rights reserved. Public Information

14 Oracle Audit Vault Trust But Verify Consolidate database audit trail into secure centralized repository Detect and alert on suspicious activities, including privileged users Out-of-the box compliance reports for SOX, PCI, and other regulations E.g., privileged user audit, entitlements, failed logins, regulated data changes Streamline audits: report generation, notification, attestation, archiving, etc. 14 Copyright 2012, Oracle and/or its affiliates. All rights reserved. Public Information

15 Oracle Data Masking Irreversibly De-Identify Data for Non-Production Use LAST_NAME SSN Production SALARY Test LAST_NAME SSN SALARY AGUILAR ,000 BENSON ,000 SMITH ,000 MILLER ,000 Make application data securely available in non-production environments Prevent application developers and testers from seeing production data Extensible template library and policies for data masking automation new format preserving masking Referential integrity automatically preserved so applications continue to work Integration with Real Application Testing and Test Data Management 15 Copyright 2012, Oracle and/or its affiliates. All rights reserved. Public Information

16 Database Security Big Picture 16 Copyright 2012, Oracle and/or its affiliates. All rights reserved. Public Information

17 Oracle Database Security Key Differentiators High Performance, Accurate Defense-in-Depth Security Platform Securing through the Life Cycle Transparently Support Existing Applications Heterogeneous Support 17 Copyright 2012, Oracle and/or its affiliates. All rights reserved. Public Information

18 What s Your Next Move? 1 Know where is the sensitive data 2 Scan, assess, patch, audit your databases 3 Database Firewall as first line of defense 4 Control the privileged users 5 Encrypt and mask sensitive data 18 Copyright 2012, Oracle and/or its affiliates. All rights reserved. Public Information

19 19 Copyright 2012, Oracle and/or its affiliates. All rights reserved. Public Information

20 20 Copyright 2012, Oracle and/or its affiliates. All rights reserved. Public Information