Top Five Database Security and Compliance Resolutions for 2008

Transcription

1 Top Five Database Security and Compliance Resolutions for 2008 Speakers Michael Krieger, VP, Market Experts Group Ziff Davis Enterprise Rich Mogull, Founder Securosis Roxana Bradescu, Senior Product Director, Database Security Marketing - Oracle January 25, :00 p.m. Eastern / 11:00 a.m. Pacific 45 minutes HOSTED BY:

2 Database Security: Your Top 5 Security and Compliance Resolutions for 2008 Rich Mogull Securosis, L.L.C.

3 What s So Different About 2008? Nothing special, just the continuing scrutiny of database security and compliance. It s not new, it isn t going away, and you re running out of time.

4 The Database Security Hat Trick The Sarbanes-Oxley told us we can t trust anyone. Ongoing data breaches showed us bad guys moved from defacing web sites to attacking databases, just as we connected more sensitive databases to web applications. PCI forced us to implement specific database security controls.

5 In 2008, as in 2007, we need to focus on database security, auditability, change management, transparency, and separation of duties. We ll harden against attacks while achieving compliance.

6 Why You Should Care DBAs own the databases, and few security professionals have in-depth database knowledge. Likewise, DBAs do not have in-depth security experience, and cannot provide Separation of Duties (SoD) on themselves. Security administrators and DBAs must learn basic fundamentals of each other s domain. Both teams are responsible for database security and compliance, and must work together.

7 How To Work Together Configuration Operations Maintenance Design Standards Response SoD Audit Monitoring Vuln Mgmt

8 Your Top Five Resolutions 1. Know your databases. 2. Implement a configuration and vulnerability management program for databases. 3. Enforce separation of duties. 4. Begin auditing and activity monitoring of key databases. 5. Start masking sensitive data

9 Security == Compliance Compliance!= Security

10 I Know Your Databases

11 Identify and Classify Pick 3 Discover Enumerate & Classify Pick 3 critical data types: Corporate Financial Credit Cards/SSN Healthcare Data Identify all databases- known and unknown Classify those with the sensitive data

12 Identify and Classify Security Establish classification standards Port and vulnerability scan to find unknown databases Create tracking and digital asset management system Operationalize into an ongoing process Tools Classification tools Database activity monitoring with discovery Digital asset management DB Vuln scanning with discovery Database management Database Identify registered databases Enumerate for sensitive information Load new databases into management system Mark classification in database management system

13 II Implement Configuration and Vulnerability Management

14 Configuration and Vulnerability Management Define Standards Prioritize Databases Remediate Deficiencies Create Update Program Continuous Change Management

15 Config & Vuln Management Develop security standards Database vulnerability scanning Evaluate and prioritize security patches for DBAs Verify patches applied Audit configuration changes Trending Security Tools Configuration management Vulnerability scanning Database activity monitoring Develop configuration standards Assist with developing security standards Identify configuration deficiencies Remediate deficiencies Patch according to program and priority Change management Trending Database

16 III Enforce Separation of Duties

17 Separation of Duties

18 Separation of Duties Preventative Detective

19 Separation of Duties Security Database Define roles and controls Monitor privileged user activity Incident response Define roles and controls Implement database controls Manage non-privileged users Manage data masking

20 IV Audit and Monitor Activity

21 Monitor Activity Database Activity Monitoring Secure Repository Database Auditing DML/DDL/SQL

22 Monitoring and Auditing Security Determine compliance and security requirements for auditing and monitoring Develop alerts Review logs Respond to incidents Tools Database auditing Log management Database activity monitoring Security Information and Event Management Database Determine technical auditing and monitoring requirements Install, configure, and maintain Help security understand events

23 V Mask Sensitive Data

24 Data Masking Production ID Last First SSN 1111 Mogull Richard Smith John ID Last First SSN 1111 Johnson Brian Roberts Ted Development OLAP/Business Unit DB

25 VI-VIII Bonus Resolutions

26 Since I Can t Count VI.Stop pretending applications and databases are separate VII.Encrypt for media protection VIII.Control ad-hoc access

27 Summary Database and security can, and must work together for compliance and security. Proper separation of duties means no one, not even security, has all the keys to the castle. Learn the basics of each other s fields. Want a new career? Become a Security DBA

28 Rich Mogull Securosis, L.L.C. AIM: securosis Skype: rmogull

29 Roxana Bradescu Sr. Product Director, Oracle Database Security Marketing

30 Oracle Innovation Database Security Leader Data Masking Oracle Audit Vault Oracle Database Vault Secure Tape Backup Transparent Data Encryption VPD Column Masking VPD Column Relevant Secure Configuration Scanning Client Identity Propagation Fine Grained Auditing Oracle Label Security Proxy Authentication Enterprise User Security Virtual Private Database (VPD) Database Encryption API Strong Authentication Network Encryption Database Auditing 1 st Database for Government Customer

31 Oracle Database Security Options for Security & Regulatory Compliance Secure Configuration Database Vault SECRET Label Security Data Masking Audit Vault Secure Backup Total Recall Network Encryption Strong Authentication Transparent Data Encryption

32 For More Information or database security

33