Securing Data in Oracle Database 12c
Thomas Kyte, http://asktom.oracle.com/
Safe Harbor Statement
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.
Oracle Database Security: 30 Years of Innovation (timeline, 1977 to 2014)
Milestones as the timeline lists them, from the first government customer in 1977 to Oracle Key Vault in 2014: Government customer (1977); Database Auditing; Native Network Encryption (Oracle7); Strong authentication (PKI, Kerberos, RADIUS); Database Encryption API; Virtual Private Database (8i); Global roles; Enterprise User Security; Proxy authentication; Oracle Label Security; Client Identifier / Identity propagation; Secure application roles; Fine Grained Auditing (9i); EM Configuration Scanning; Transparent Data Encryption; DB Security Evaluation #19; Oracle Database Vault; Oracle Audit Vault; Data Redaction; Oracle Key Vault (2014).
Security
- Oracle is very secure. Therefore, we don't need to be; it just happens.
- Besides, it is not as important as having pretty screens, after all.
- And if we add it later, I'm sure it'll be non-intrusive, and very performant, and easy to do.
Oracle Maximum Security Architecture: Core Components (diagram)
Users and apps reach the databases through Advanced Security (TDE, Data Redaction), Database Vault (Privilege Analysis, Privileged User Controls) and the Database Firewall, with Data Masking for non-production copies. Audit data and event logs from databases, OS and storage, directories and custom sources feed Audit Vault, which produces alerts, reports and policies.
Program Agenda
1. Transparent Data Encryption (TDE), Key Vault
2. Privilege Analysis
3. Database Vault
4. Database Firewall
5. Data Redaction, Data Masking, Fine Grained Access Control
6. Audit Vault
Transparent Data Encryption (TDE): Preventive Control for Oracle Databases (Advanced Security)
- SQL interface to key management
- New: FIPS 140-2 mode (dbfips_140)
- Encrypts tablespaces or columns to secure data at rest
- Requires no application changes
- Near zero overhead with hardware
- Integrated with Oracle DB technologies: log files, compression, ASM, Data Pump
(Diagram: data stays encrypted from applications through disk, backups, exports and off-site facilities.)
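The SQL key-management interface and the two encryption granularities in practice, as an added example that is not from the deck. It assumes ENCRYPTION_WALLET_LOCATION in sqlnet.ora points at /etc/ORACLE/WALLETS/orcl, that hr.employees has an SSN column, and that "<keystore-password>" stands in for the real password.

```sql
-- Added example, not from the deck: software-keystore TDE with the 12c
-- ADMINISTER KEY MANAGEMENT interface. Assumed: ENCRYPTION_WALLET_LOCATION
-- in sqlnet.ora points at /etc/ORACLE/WALLETS/orcl, hr.employees has an
-- SSN column, and "<keystore-password>" stands in for the real password.

-- 1. Create the password-protected software keystore and open it.
ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '/etc/ORACLE/WALLETS/orcl'
  IDENTIFIED BY "<keystore-password>";
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN
  IDENTIFIED BY "<keystore-password>";

-- 2. Create the first master encryption key. WITH BACKUP copies the
--    keystore before it changes, so a failed key operation is recoverable.
ADMINISTER KEY MANAGEMENT SET KEY
  IDENTIFIED BY "<keystore-password>" WITH BACKUP USING 'initial_key';

-- 3. Tablespace encryption: every segment stored here is encrypted at
--    rest, and applications need no change.
CREATE TABLESPACE secure_ts
  DATAFILE '/u01/oradata/orcl/secure_ts01.dbf' SIZE 100M
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

-- 4. Column encryption for one sensitive column of an existing table.
--    SALT is the default; use NO SALT only if the column must be indexed.
ALTER TABLE hr.employees MODIFY (ssn ENCRYPT USING 'AES256');

-- 5. Periodic key rotation (a regulatory item on the next slide): SET KEY
--    again creates a new master key and re-wraps the tablespace keys.
ADMINISTER KEY MANAGEMENT SET KEY
  IDENTIFIED BY "<keystore-password>" WITH BACKUP USING 'rotation_q3';

-- 6. Verify: keystore status and the encrypted tablespace.
SELECT wrl_type, wrl_parameter, status, wallet_type FROM v$encryption_wallet;
SELECT t.name, e.encryptionalg
  FROM v$encrypted_tablespaces e JOIN v$tablespace t ON t.ts# = e.ts#;

-- 7. New in 12c: FIPS 140-2 mode is a static parameter; restart to apply.
ALTER SYSTEM SET dbfips_140 = TRUE SCOPE = SPFILE;
```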
The Challenges of Key Management
Management:
- Proliferation of encryption wallets and keys
- Authorized sharing of keys
- Key availability, retention, and recovery
- Custody of keys and key storage files
Regulations:
- Physical separation of keys from encrypted data
- Periodic key rotations
- Monitoring and auditing of keys
- Long-term retention of keys and encrypted data
Key Management with Oracle Key Vault
- Centrally manage and share keys, secrets, Oracle wallets, Java keystores, and more
- Optimized for the Oracle stack (Database, Middleware, Systems) and Advanced Security TDE
- Robust, secure, and standards-compliant (OASIS KMIP) key manager
Oracle Key Vault High-Level Architecture (diagram)
Key Vault serves databases, standby databases, middleware and servers, is operated from an administration console (alerts, reports), and takes secure backups of itself. Legend of stored objects: Oracle wallet, Java keystore, certificate, server password, credential file.
Oracle Wallet Scenarios (diagram): Oracle Advanced Security TDE wallets across RAC, Data Guard, multiple databases on the same machine, GoldenGate, and a single instance.
Oracle Advanced Security TDE, Direct Connection Scenarios (diagram): the same deployments, RAC, Data Guard, multiple databases on the same machine, GoldenGate and a single instance.
Oracle Key Vault Software Appliance Platform
- Turnkey solution based on a hardened stack
- Includes Oracle Database and security options
- Open x86-64 hardware to choose from
- Easy to install, configure, deploy, and patch
- Separation of duties for administrative users
- Full auditing, preconfigured reports, and alerts
Privilege Analysis
- You want to use the concept of least privilege
- Problem: you don't know what privileges users really need, so maybe you just give them SELECT ANY TABLE
- That is not very secure and hard to justify to an auditor
Discover Use of Privileges and Roles: Administrative Control for Oracle Database 12c (Privilege Analysis)
- Turn on privilege capture mode
- Report on actual privileges and roles used in the database
- Helps revoke unnecessary privileges
- Enforce least privilege and reduce risks
- Increase security without disruption
(Diagram: for the DBA role and an APPADMIN role, grants such as Create, Drop and Update are marked as used or unused.)
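The capture-report-revoke cycle from the two Privilege Analysis slides, as an added example that is not from the deck. It assumes an application schema APP that was granted SELECT ANY TABLE "just in case"; the capture name and workload are constructed.

```sql
-- Added example, not from the deck: a privilege-capture run with
-- DBMS_PRIVILEGE_CAPTURE. Assumed: an application schema APP whose
-- sessions were granted SELECT ANY TABLE "just in case".

-- 1. Define a capture that records privileges used only by APP sessions
--    (a context capture; type G_DATABASE would capture every session).
BEGIN
  DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE(
    name        => 'APP_LEAST_PRIV',
    description => 'privileges actually used by the APP schema',
    type        => DBMS_PRIVILEGE_CAPTURE.G_CONTEXT,
    condition   => 'SYS_CONTEXT(''USERENV'',''SESSION_USER'') = ''APP''');
  DBMS_PRIVILEGE_CAPTURE.ENABLE_CAPTURE('APP_LEAST_PRIV');
END;
/

-- 2. Run a representative application workload (batch, UI, reports)
--    while the capture is enabled, then stop it and compute the result.
BEGIN
  DBMS_PRIVILEGE_CAPTURE.DISABLE_CAPTURE('APP_LEAST_PRIV');
  DBMS_PRIVILEGE_CAPTURE.GENERATE_RESULT('APP_LEAST_PRIV');
END;
/

-- 3. What was actually exercised, and through which role it was reached.
SELECT username, used_role, sys_priv, obj_priv, object_owner, object_name
  FROM dba_used_privs
 WHERE capture = 'APP_LEAST_PRIV'
 ORDER BY username, sys_priv, obj_priv;

-- 4. What was granted but never touched: the revocation candidates.
SELECT username, rolename, sys_priv, obj_priv, object_owner, object_name
  FROM dba_unused_privs
 WHERE capture = 'APP_LEAST_PRIV'
 ORDER BY username, sys_priv, obj_priv;

-- 5. Act on the report, e.g. once SELECT ANY TABLE is listed as unused.
REVOKE SELECT ANY TABLE FROM app;
```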
Oracle Database Vault: Privileged User and Operational Controls
- Limit default powers of privileged users
- Enforce policy rules inside the database
- Violations audited, secured and sent to Oracle Audit Vault
- No application changes required
(Diagram: a DBA issuing "select * from finance.customers" against the Finance application data, alongside the Procurement, HR and Finance applications that legitimately use their own data.)
Oracle Database Vault Realms: Block DBA Privileges
- Block privileged database users from accessing application data
- Block threats from compromised privileged accounts
- Block application users from accessing other applications inside the same database
- Securely consolidate and use private or public cloud computing
Oracle Database Vault 12c: New Mandatory Realms Block Direct Object Grants
- Provide an additional security check before allowing authorized users to access application data
- Enable application DBA control by allowing patching while denying access to sensitive application data
- Freeze security settings identified by Privilege Analysis: roles, grants, ...
- Temporarily seal off entire application data in the event of a cyber threat
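A realm around the Finance schema from the diagram, built as a 12c mandatory realm, as an added example that is not from the deck. It assumes Database Vault is configured and enabled, that the statements run as the Database Vault owner, and that a FINANCE schema and a FINANCE_APP account exist.

```sql
-- Added example, not from the deck: protecting the FINANCE schema with a
-- Database Vault realm through DBMS_MACADM. Assumed: Database Vault is
-- enabled, this runs as the DV owner, and FINANCE / FINANCE_APP exist.
BEGIN
  -- 1. realm_type => 1 makes this a 12c mandatory realm: even a user who
  --    holds a direct object grant on finance.customers, or the schema
  --    owner itself, is blocked unless authorized in the realm below.
  --    realm_type => 0 would be a regular realm, which honours such grants.
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'Finance Data Realm',
    description   => 'Seals finance application tables from DBAs',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL,  -- audit each violation
    realm_type    => 1);

  -- 2. Put every table in the schema under the realm (wildcard name).
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'Finance Data Realm',
    object_owner => 'FINANCE',
    object_name  => '%',
    object_type  => 'TABLE');

  -- 3. Authorize only the application account. A participant may use the
  --    data; an owner may also manage grants on realm objects. Anyone
  --    else, a DBA with SELECT ANY TABLE included, gets ORA-01031 on
  --    "select * from finance.customers", and the attempt is audited.
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name   => 'Finance Data Realm',
    grantee      => 'FINANCE_APP',
    auth_options => DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);
END;
/

-- 4. Review the realm definition and its protected objects.
SELECT name, enabled, audit_options, realm_type FROM dba_dv_realm;
SELECT owner, object_name, object_type
  FROM dba_dv_realm_object WHERE realm_name = 'Finance Data Realm';
```

Removing the FINANCE_APP authorization with DBMS_MACADM.DELETE_AUTH_FROM_REALM is the "temporarily seal off" step from the slide: nobody, the application included, can read the realm until the authorization is restored.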
Database Activity Monitoring and Firewall: Detective Control for Oracle and non-Oracle Databases (Oracle Audit Vault and Database Firewall)
- Monitors and logs database network traffic
- Detects and blocks unauthorized database activity, including SQL injection attacks
- Highly accurate SQL grammar analysis
- Whitelist approach to enforce activity
- Blacklists for managing high-risk activity
- Scalable, secure software appliance
(Diagram: traffic from users and apps passes through SQL analysis against whitelist, blacklist and policy factors, with the outcomes Allow, Log, Alert, Substitute, Block.)
Oracle Data Redaction: Redacting Sensitive Data for Applications
- On-the-fly redaction based upon user name, IP address, application context, and other factors
- Transparent, consistent enforcement in the database
- Minimal impact on production workloads
- Use cases: call centers, decision support systems, systems with PII, PHI, PCI data
(Diagram: a redaction policy applied to a Credit Card # column holding sample values 4451-2172-9841-4368, 5106-6342-4881-5211, 4891-3311-0090-5055.)
Supported Transformations: Full Redaction, Partial Redaction, RegExp Redaction, Random Redaction
Original            -> Redacted
05/24/75            -> 01/01/01
11 Rock Bluff Dr.   -> XXXXXXX
068-35-2299         -> ***-**-2299
D1L86YZV8K          -> D1******8K
94025-2450          -> 94025-[hidden]
jim.lee@acme.com    -> [redacted]@acme.com
4022-5231-5531-9855 -> 4943-6344-0547-0110
09/30/73            -> 11/14/85
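The policy that produces several rows of the transformation table, with the "based upon user name ... and other factors" condition from the previous slide, as an added example that is not from the deck. It assumes a table hr.customers with VARCHAR2 columns ssn, email, card_no and street, and a CALLCENTER role whose members should see only redacted values.

```sql
-- Added example, not from the deck: one DBMS_REDACT policy reproducing
-- several rows of the table above. Assumed: table hr.customers with
-- VARCHAR2 columns ssn, email, card_no and street, and a CALLCENTER role
-- whose members should see only redacted values.
BEGIN
  -- The first column defines the policy. Partial redaction of an SSN:
  -- V marks digit positions, F the dashes; digits 1 to 5 are replaced by
  -- '*', so 068-35-2299 is returned as ***-**-2299.
  DBMS_REDACT.ADD_POLICY(
    object_schema       => 'HR',
    object_name         => 'CUSTOMERS',
    policy_name         => 'customers_redact',
    column_name         => 'SSN',
    function_type       => DBMS_REDACT.PARTIAL,
    function_parameters => 'VVVFVVFVVVV,VVV-VV-VVVV,*,1,5',
    -- fires only for sessions holding the call-center role
    expression          => 'SYS_CONTEXT(''SYS_SESSION_ROLES'',''CALLCENTER'') = ''TRUE''');
  -- Regular-expression redaction keeps the domain and hides the mailbox:
  -- jim.lee@acme.com is returned as [redacted]@acme.com.
  DBMS_REDACT.ALTER_POLICY(
    object_schema         => 'HR',
    object_name           => 'CUSTOMERS',
    policy_name           => 'customers_redact',
    action                => DBMS_REDACT.ADD_COLUMN,
    column_name           => 'EMAIL',
    function_type         => DBMS_REDACT.REGEXP,
    regexp_pattern        => '^([^@]+)@(.+)$',
    regexp_replace_string => '[redacted]@\2');
  -- Random redaction: each fetch returns different random characters of
  -- the same length (the slide shows the 4022-... card as 4943-...).
  DBMS_REDACT.ALTER_POLICY(
    object_schema => 'HR', object_name => 'CUSTOMERS',
    policy_name   => 'customers_redact', action => DBMS_REDACT.ADD_COLUMN,
    column_name   => 'CARD_NO', function_type => DBMS_REDACT.RANDOM);
  -- Full redaction: a VARCHAR2 column comes back as a single space.
  DBMS_REDACT.ALTER_POLICY(
    object_schema => 'HR', object_name => 'CUSTOMERS',
    policy_name   => 'customers_redact', action => DBMS_REDACT.ADD_COLUMN,
    column_name   => 'STREET', function_type => DBMS_REDACT.FULL);
END;
/

-- Review what is in force; the policy-level expression decides per query.
SELECT p.policy_name, p.expression, c.column_name, c.function_type
  FROM redaction_policies p JOIN redaction_columns c
    ON c.object_owner = p.object_owner AND c.object_name = p.object_name
 WHERE p.object_owner = 'HR';
```

Redaction is applied to query results only, so a session that can see the redacted column still needs the same grants as before; it complements, rather than replaces, the realm and privilege controls on the earlier slides.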
Introducing Oracle Data Masking and Subsetting Pack: Reduces Risk in Sharing by Obfuscating or Removing Sensitive Data
- Discover sensitive data
- Mask data using the format library
- Subset based on conditions/goal
- Retain application integrity
- Mask/subset in export or on staging
(Diagram: a NAME/SALARY table with rows AGUILAR 50135.56, BENSON 35789.89, CHANDRA 60765.23, DONNER 103456.82 becomes a masked and subsetted copy with rows AGUILAR 35676.24, CHANDRA 76546.89.)
Conditional Auditing Framework: Detective Control for Oracle Database 12c (Database Auditing)
- New policy- and condition-based syntax
  - What: CREATE, ALTER, ALL, ...
  - Where: set of privileges, roles, objects
  - When: IP_ADDRESS != 10.288.241.88
  - Exceptions: except HR
- Group audit settings for manageability
- New roles: Audit Viewer and Audit Admin
- Out-of-box audit policies
- Single unified database audit trail
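The what/where/when/exceptions syntax from the slide written out as 12c unified-audit policies, as an added example that is not from the deck. It assumes unified auditing is enabled, an HR user to exempt, a SEC_REVIEWER account, and 192.0.2.10 as a constructed address for the trusted application server.

```sql
-- Added example, not from the deck: 12c unified-audit policies following
-- the what / where / when / exceptions pattern on the slide. Assumed:
-- unified auditing is enabled, an HR user exists, SEC_REVIEWER exists, and
-- 192.0.2.10 is a constructed address for the trusted application server.

-- WHAT: DDL actions and one object-level action on a sensitive table.
-- WHEN: only sessions that did not come from the application server;
--       EVALUATE PER SESSION checks the condition once at logon.
CREATE AUDIT POLICY offsite_ddl_pol
  ACTIONS CREATE TABLE, DROP TABLE, ALTER TABLE,
          SELECT ON finance.customers
  WHEN 'SYS_CONTEXT(''USERENV'',''IP_ADDRESS'') != ''192.0.2.10'''
  EVALUATE PER SESSION;

-- WHERE: a set of privileges; any use of these "ANY" privileges is logged.
CREATE AUDIT POLICY any_priv_pol
  PRIVILEGES SELECT ANY TABLE, ALTER ANY TABLE, GRANT ANY PRIVILEGE;

-- EXCEPTIONS: enable the first policy for everyone except HR; the second
-- for everyone. Policies group settings, so a change in one place applies
-- to every user the policy covers.
AUDIT POLICY offsite_ddl_pol EXCEPT hr;
AUDIT POLICY any_priv_pol;

-- Out-of-box policy shipped with 12c, enabled the same way.
AUDIT POLICY ora_secureconfig;

-- Separation of duties: AUDIT_ADMIN manages policies, AUDIT_VIEWER reads.
GRANT audit_viewer TO sec_reviewer;

-- Single unified trail, each record tagged with the policy that fired.
SELECT event_timestamp, dbusername, userhost, action_name,
       object_schema, object_name, return_code, unified_audit_policies
  FROM unified_audit_trail
 WHERE unified_audit_policies LIKE '%OFFSITE_DDL_POL%'
 ORDER BY event_timestamp DESC;
```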
Oracle Audit Vault: Detective Control for Databases, Operating Systems, Database Firewall (diagram)
Audit data and Database Firewall events, including custom sources, flow into Audit Vault, which drives alerts, built-in reports, custom reports and policies.