Database Security & Compliance with Audit Vault and Database Firewall
Pierre Leon, Database Security

Topics
- Encryption
- Authentication
- Authorising highly privileged users
- Access control by data classification
- Network-based access control & auditing
- Production data used elsewhere
- Enterprise-wide configuration management
ENCRYPTION

Encrypting Data At Rest (Oracle Advanced Security)
Diagram: application data protected on disk, in backups, in exports and at off-site facilities
- Efficient encryption of all application data
- Built-in key lifecycle management
- No application changes required
- Works with Exadata and Oracle Advanced Compression

Transparent Data Encryption: Automatic 2-Level Key Management
- Master key stored in a PKCS#12 wallet or a Hardware Security Module
- Column / tablespace keys are encrypted by the master key
- Security Admin opens the wallet/HSM containing the master key
- Table/tablespace keys encrypt data on disk
Copyright Oracle Corporation, 2010,2011. All rights reserved

Strong Authentication / Network Encryption (Oracle Advanced Security)
- Standards-based encryption for data in transit
- Strong authentication of users and servers
- No infrastructure changes required
- Easy to implement
AUTHENTICATION

Strong Authentication (Oracle Advanced Security)
Supported authentication servers:
- Oracle Internet Directory (EUS)
- Kerberos, Win2K/XP (Active Directory)
- Entrust (PKI)
- Radius API: smartcards, SecurID tokens, biometric devices
Benefits:
- Authentication that is stronger than passwords
- Integrate database authentication with the infrastructure authentication service

Centralised User and Role Management (Enterprise User Security)
Diagram: example flow
- Client user authenticates with password, Kerberos or X509v3 certificate over SSL
- Chained authentication: verify the user (A), then authorise database privileges (B)
- Global roles are fetched from the directory; Active Directory provides Kerberos authentication
- OID/OVD/ODSEE stores user credentials and roles

Centralised User and Role Management (Enterprise User Security): Benefits
- Centralised user & role provisioning
- Reduce in-database user accounts
- Works with existing repositories
- Plugs into Identity Management solutions (Oracle Identity Management)
AUTHORISING HIGHLY PRIVILEGED USERS

Protecting Sensitive Data Inside The DB (Oracle Database Vault)
Diagram: Security DBA and Application DBA alongside the Procurement, HR and Finance applications; a DBA issuing "select * from finance.customers" against the protected Finance realm
- Automatic and customisable protective realms and DBA separation of duties
- Enforce who, where, when, and how using rules and factors
- Enforce least privilege for privileged database users
- Prevent application by-pass and enforce enterprise data governance
- Securely consolidate application data or enable multi-tenant data management
- EAL 4+ certified

Protecting Commands: Command Rules & Authorisation Factors
Factor categories:
- User: name, authentication type, session user, proxy enterprise identity
- Network: machine name, client IP, network protocols
- Database: database IP, database instance, database hostname, database SID
- Runtime: language, date/day of week, time
Command rules:
- Rules control how users can execute almost any SQL statement regardless of the realm in which the object exists
- Command rules can take into account 30+ built-in or custom factors
- Command rules can be system-wide, schema specific, object specific, and comprised of rule sets
- Out-of-the-box command rules for Oracle and non-Oracle applications

Example: Break Glass Rule Set
Diagram: the rule set combines three sub-rule sets with AND
- Business Manager AND DBA Security Admin
- 2 hours
- Objects AND commands
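The break-glass rule set above, evaluated against the factor categories from the command-rules slide, as an added example (this is not Database Vault code; the factor subset, the realm rule and the "approved workstation network" condition are assumptions made for the illustration):

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Optional

@dataclass(frozen=True)
class Factors:
    """A constructed subset of the factors a command rule can consult."""
    user: str
    auth_type: str   # e.g. "PASSWORD", "KERBEROS", "X509"
    client_ip: str
    now: datetime

@dataclass(frozen=True)
class BreakGlass:
    """Emergency approval: the business manager AND the security admin sign off."""
    business_manager: Optional[str]
    security_admin: Optional[str]
    granted_at: datetime

@dataclass(frozen=True)
class RealmRule:
    """Command rule guarding one realm (schema); constructed for this example."""
    schema: str                    # realm owner, e.g. "FINANCE"
    commands: FrozenSet[str]       # commands the rule governs
    approved_net: str              # workstation range allowed to use break-glass
    window: timedelta = timedelta(hours=2)

    def evaluate(self, command: str, schema: str, f: Factors,
                 bg: Optional[BreakGlass]) -> str:
        """Return "allow" or a "deny: ..." reason for one statement."""
        if schema.upper() != self.schema or command.upper() not in self.commands:
            return "allow"  # statement is outside this rule's objects and commands
        if bg is None or not (bg.business_manager and bg.security_admin):
            return "deny: break-glass needs business manager AND security admin approval"
        if not bg.granted_at <= f.now <= bg.granted_at + self.window:
            return "deny: outside the break-glass window"
        if ip_address(f.client_ip) not in ip_network(self.approved_net):
            return "deny: client IP is not an approved workstation"
        if f.auth_type.upper() == "PASSWORD":
            return "deny: strong authentication required for privileged access"
        return "allow"

if __name__ == "__main__":
    rule = RealmRule("FINANCE", frozenset({"SELECT", "UPDATE", "DELETE"}), "10.0.5.0/24")
    t0 = datetime(2011, 6, 1, 9, 0)
    approval = BreakGlass("business.manager", "security.admin", t0)
    dba = Factors("dba", "KERBEROS", "10.0.5.17", t0 + timedelta(minutes=30))
    print(rule.evaluate("select", "finance", dba, approval), "/", rule.evaluate("select", "finance", dba, None))
```

Every denial carries its reason so the decision can be logged and audited alongside the statement.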
Out of the Box Protection Templates For Application Data
- Pre-built policies include realms and command rules
- Prevent DBA from accessing application data
- Prevent privileged users from tampering with application objects
- Complements application security
- Transparent to existing applications
- Customisable
Templates: Oracle E-Business Suite 11i / R12, PeopleSoft Applications, Siebel, i-flex, JD Edwards EnterpriseOne, SAP, Infosys Finacle

ACCESS CONTROL BY DATA CLASSIFICATION: DYNAMIC DATA HIDING

Data Classification (Oracle Label Security)
Diagram: labels Confidential, Sensitive and Public applied to Sensitive Transactions, Confidential Report Data and Public Reports
- Classify users and data based on business drivers
- Database-enforced row-level access control
- User classification through Oracle Identity Management Suite
- Classification labels can be factors in other policies
- EAL4+ certified
ENTERPRISE-WIDE NETWORK-BASED ACCESS CONTROL & AUDITING

Oracle Audit Vault and Database Firewall: Detective/Preventive Control for Oracle and Non-Oracle Databases
Diagram: users and applications pass through the Database Firewall (allow, log, alert, substitute, block); firewall events and audit data from databases, OS, directory services, file systems and custom audit logs flow into Audit Vault; the Auditor and Security Manager work with reports, alerts and policies

Audit and Event Repository
- Based on proven Oracle Database technology
  - Includes compression, partitioning, scalability, high availability, etc.
  - Open schema for flexible reporting
- Information lifecycle management for target-specific data retention
- Centralised web console for easy administration
- Command line utility for automation and scripting

Expanded Enterprise Auditing
- Databases: Oracle, SQL Server, DB2 LUW, Sybase ASE
- New audit sources
  - Operating systems: Microsoft Windows, Solaris
  - Directory services: Active Directory
  - File systems: Oracle ACFS
- Audit collection plugins for custom audit sources
  - XML file maps custom audit elements to canonical audit elements
  - Collect and map data from XML audit file and database tables
Oracle Audit Vault and Database Firewall: SQL Injection Protection with Positive Security Model
Diagram: the white list allows SELECT * from stock where catalog-no='phe8131' from applications and blocks SELECT * from stock where catalog-no=' ' union select cardno,0,0 from Orders --'
- Allowed behaviour can be defined for any user or application
- Automated white list generation for any application
- Out-of-policy database transaction detected and blocked/alerted

Oracle Audit Vault and Database Firewall: Constraining Activity with Negative Security Model
Diagram: the black list blocks SELECT * FROM v$session when issued as DBA activity via applications, and allows + logs it as DBA activity via an approved workstation
- Stop specific unwanted SQL interactions, user or schema access
- Blacklisting can be done on factors such as time of day, day of week, network, application, user name, OS user name etc.
- Provide flexibility to authorised users while still monitoring activity

Oracle Audit Vault and Database Firewall: Flexible Policy Enforcement
Diagram: actions log, allow, alert, substitute and block; under substitution SELECT * FROM accounts becomes SELECT * FROM dual where 1=0
- SQL grammar analysis reduces millions of SQL statements into clusters
- Decision time is not influenced by the number of rules in the policy
- Enforcement at SQL level: block, substitute, alert and pass, log only
- SQL substitution foils attackers without disrupting applications
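The positive security model and the enforcement actions from the two slides above, as an added example that is not Database Firewall code: statements are reduced to a "shape" by replacing literals with placeholders (a simplified stand-in for real SQL grammar analysis, assumed here), the white list is a dictionary keyed by shape so the decision does not slow down as rules are added, and out-of-policy statements are blocked or substituted with the slide's harmless SELECT * FROM dual WHERE 1=0.

```python
import re
from enum import Enum

# Constructed tokenizer: string literals, numbers, identifiers/keywords, -- comments, punctuation.
_TOKEN = re.compile(r"'(?:[^']|'')*'|\d+(?:\.\d+)?|[A-Za-z_][\w$.-]*|--[^\n]*|\S")

def sql_shape(sql: str) -> str:
    """Reduce a statement to its cluster: literals -> '?', names case-folded, comments -> '--'."""
    parts = []
    for tok in _TOKEN.findall(sql):
        if tok.startswith("'") or tok[0].isdigit():
            parts.append("?")
        elif tok.startswith("--"):
            parts.append("--")
        else:
            parts.append(tok.lower())
    return " ".join(parts)

class Action(Enum):
    PASS = "pass"
    LOG = "log"
    ALERT = "alert"
    SUBSTITUTE = "substitute"
    BLOCK = "block"

class PositivePolicy:
    """White list keyed by statement shape; lookup cost does not grow with the policy."""
    def __init__(self, default: Action = Action.BLOCK,
                 substitute_sql: str = "SELECT * FROM dual WHERE 1=0"):
        self.allowed = {}            # shape -> Action
        self.default = default       # action for out-of-policy statements
        self.substitute_sql = substitute_sql

    def learn(self, sql: str, action: Action = Action.PASS) -> None:
        """Automated white-list generation: record the shape of known-good traffic."""
        self.allowed[sql_shape(sql)] = action

    def evaluate(self, sql: str):
        """Return (action, SQL forwarded to the database); '' means nothing is forwarded."""
        action = self.allowed.get(sql_shape(sql), self.default)
        if action is Action.SUBSTITUTE:
            return action, self.substitute_sql
        if action is Action.BLOCK:
            return action, ""
        return action, sql

if __name__ == "__main__":
    policy = PositivePolicy(default=Action.SUBSTITUTE)
    policy.learn("SELECT * from stock where catalog-no='phe8131'")
    print(policy.evaluate("SELECT * from stock where catalog-no='abc123'"))
    print(policy.evaluate("SELECT * from stock where catalog-no=' ' union select cardno,0,0 from Orders --'"))
```

The injected statement has a different shape from the learned one (an extra UNION branch and a trailing comment), so it never reaches the database even though it was never explicitly black-listed.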
Audit and Event Data Security
- Soft appliance
  - Hardened OS
  - Preconfigured database
- Fine-grained administrative groups
  - Sources can be grouped for access authorisation
  - Individual auditor reports limited to data from the grouped sources
- Separation of duty
  - Separate administrator and auditor roles to restrict access
  - Super-auditor manages data access permissions per source per auditor user
- Alerting enhancements
  - Multi-event alerts with thresholds & group-by

Performance and Scalability
- Audit Vault
  - Supports monitoring and auditing multiple hundreds of heterogeneous database and non-database targets
  - Supports a wide range of hardware to meet load requirements
- Database Firewall
  - Decision time is independent of the number of rules in the policy
  - Multi-device / multi-process / multi-core scalability
  - 8 cores can handle between 30K and 60K transactions/second

Flexible Deployment Architecture
Diagram: in-line blocking and monitoring, remote monitoring and out-of-band monitoring of applications and users; audit agents send audit data to the Audit Vault soft appliance, with Audit Vault Primary and Audit Vault Standby in HA mode

Deployment Convenience
- Soft-appliance packaging for firewall and server components
- Simple installation and staged rollout
  - All components are pre-configured; only basic network settings are required initially
  - Start with auditing and extend to monitoring, or vice-versa
  - HA mode
- Convenient agent deployment and upgrade
  - Easy agent deployment and upgrade with a single downloadable jar file
  - Includes all collection plug-ins & local network monitoring
  - Comprehensive administrator tools to manage large deployments
- Audit policy management and integrated audit trail cleanup
Screenshot slides:
- Single Administrator Console
- Default Reports
- Out-of-the-Box Compliance Reporting
- Report with Data from Multiple Source Types
- Auditing Stored Procedure Calls: not everything is visible on the network
- Comprehensive Audit Data
- Blocking SQL Injection Attacks
- Powerful Alerting Filter Conditions
PRODUCTION DATA USED ELSEWHERE

Secure Test System Deployment (Data Masking)
Production:
  LAST_NAME  SSN          SALARY
  AGUILAR    203-33-3234  60,000
  BENSON     323-22-2943  40,000
Test (after masking):
  LAST_NAME  SSN          SALARY
  SMITH      111-23-1111  60,000
  MILLER     222-34-1345  40,000
Workflow: Data Relationship Modeling, Sensitive Data Identification, Test System Setup, Data Subsetting, Data Masking
- Deploy secure test system by masking sensitive data
- Extensible template library and policies for automation
- Sophisticated masking: condition-based, compound, deterministic
- Integrated masking and cloning
- NEW in EM 11g: Heterogeneous Data Masking
- NEW in EM 11g: Pre- and post-mask commands and command line (EMCLI) support
- NEW in EM 12c: Data Masking integration with Real Application Testing
- NEW in EM 12c: Key-based reversible masking

Heterogeneous Data Masking
Diagram: Enterprise Manager Cloud Control with Data Masking manages Oracle and non-Oracle production databases (non-Oracle via Database Gateway), staging (Oracle) and test (Oracle or non-Oracle) systems, following the same workflow: Data Relationship Modeling, Sensitive Data Identification, Test System Setup, Data Subsetting, Data Masking
Available for IBM DB2, Microsoft SQL Server, Sybase
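Deterministic masking as described on the Secure Test System Deployment slide, as an added example that is not Oracle Data Masking code: a keyed HMAC drives format-preserving SSN substitution and dictionary surname substitution, so the same input always masks to the same output and a child table keyed on SSN still joins after masking (key-based reversible masking is not shown; the sample tables, surname pool and key are constructed).

```python
import hashlib
import hmac

# Constructed sample tables mirroring the slide; PAYSLIPS references EMPLOYEES by SSN.
EMPLOYEES = [
    {"LAST_NAME": "AGUILAR", "SSN": "203-33-3234", "SALARY": 60000},
    {"LAST_NAME": "BENSON",  "SSN": "323-22-2943", "SALARY": 40000},
]
PAYSLIPS = [{"SSN": "203-33-3234", "MONTH": "2011-05"}, {"SSN": "323-22-2943", "MONTH": "2011-05"}]
SURNAME_POOL = ["SMITH", "MILLER", "JONES", "DAVIS", "WILSON"]  # constructed substitution list

def _prf(key: bytes, label: str, value: str) -> int:
    """Keyed pseudo-random function; the label keeps the SSN and name domains separate."""
    mac = hmac.new(key, f"{label}:{value}".encode(), hashlib.sha256).digest()
    return int.from_bytes(mac, "big")

def mask_ssn(key: bytes, ssn: str) -> str:
    """Deterministic, format-preserving SSN substitute (same key + input -> same output)."""
    digits = "".join(c for c in ssn if c.isdigit())
    n = _prf(key, "ssn", digits) % 10**9
    d = f"{n:09d}"
    return f"{d[:3]}-{d[3:5]}-{d[5:]}"

def mask_last_name(key: bytes, name: str) -> str:
    """Deterministic dictionary substitution for surnames."""
    return SURNAME_POOL[_prf(key, "name", name.upper()) % len(SURNAME_POOL)]

def mask_tables(key: bytes, employees, payslips):
    """Mask both tables with one key so the SSN foreign key still joins afterwards."""
    masked_emp = [{"LAST_NAME": mask_last_name(key, r["LAST_NAME"]),
                   "SSN": mask_ssn(key, r["SSN"]), "SALARY": r["SALARY"]} for r in employees]
    masked_pay = [{"SSN": mask_ssn(key, r["SSN"]), "MONTH": r["MONTH"]} for r in payslips]
    return masked_emp, masked_pay

def join_count(employees, payslips) -> int:
    """Number of payslip rows whose SSN matches an employee row (referential check)."""
    keys = {r["SSN"] for r in employees}
    return sum(1 for p in payslips if p["SSN"] in keys)

if __name__ == "__main__":
    key = b"constructed-masking-key-do-not-reuse"
    emp, pay = mask_tables(key, EMPLOYEES, PAYSLIPS)
    for row in emp:
        print(row)
    print("joins preserved:", join_count(emp, pay) == join_count(EMPLOYEES, PAYSLIPS))
```

The masking key must stay in production: anyone holding it can recompute the mask for a guessed SSN, which is the same reason the slide's reversible variant is key-based.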
ENTERPRISE-WIDE CONFIGURATION MANAGEMENT

Comply with IT Policies: Know Where You Stand and Where You're Headed
- Rich out-of-the-box content: >1700 compliance rules, >30 compliance standards, security recommendations, best practices
- Self-updateable: always up to date
- Compliance scores: historic trend to track progress
- Detailed violation information: reason for violation, recommended resolutions, My Oracle Support knowledge articles
Screenshot: Compliance Dashboard - Overview

Comply with IT Policies (continued)
Screenshot: Violation Details
Database Security Defence-In-Depth
- Database encryption: prevent access by non-database users for data at rest, in motion, and stored data
- Database authentication: increase database user identity assurance
- Database access + audit: audit database activity and create reports; monitor database traffic and prevent threats from reaching the database
- Data segregation: strict access control to application data even from privileged users; enforce multi-factor authorisation
- Data anonymisation: mask sensitive data in non-production environments
- Database secure configuration: ensure the database production environment is secure and prevent drift

Database Security Defence-In-Depth: Products
- Database encryption: Oracle Advanced Security
- Database authentication: Oracle Advanced Security
- Database access + audit: Oracle Audit Vault + Database Firewall
- Data segregation: Oracle Database Vault, Oracle Label Security
- Data anonymisation: Oracle Data Masking
- Database secure configuration: Oracle Configuration Manager
The preceding is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.

Q & A