Data Privacy: The Database Story
Oded Raz, Co-CEO & Co-Founder, Oracle ACE Director

About Brillix
Brillix is active in two lines of business:
- Consulting services: we offer our customers senior DBA consultants who help them improve their databases' performance, plan high-availability and DR sites, and improve their software architecture.
- Products: the cooperation between top DBAs and a highly experienced development manager lets us produce strong database security products. Our flagship product is JumbleDB, a scrambling and masking solution for non-production environments.
True or Myth?
- Customers' private data is secured.
- Most security breaches originate within the organization.
- Organizations protect their databases.
- Data theft occurs mainly from within.

The Enemy Within
The usual perimeter controls: Network IDS, Host IDS, Firewall, Scanner. All of them face outward; none of them stops a user who already holds valid credentials.

The Enemy Within: the insiders those controls do not address
- Regular employees: clerks, helpdesk, sales.
- IT specialists: developers, system administrators, DBAs.
What Have Regulations Got to Do with It?
- PCI DSS: Payment Card Industry Data Security Standard of 2004
- SOX: Sarbanes-Oxley Act of 2002
- 357: Israel Banking Guidelines (Directive 357)
- HIPAA: Health Insurance Portability and Accountability Act of 1996

DBA/Insider Threat Remains a Key Concern
- 80% of threats come from insiders
- 65% of internal threats are undetected
- 60% of data loss/corruption is due to human error
- 30% are concerned about the DBA threat
- 50% are looking at monitoring insider/DBA threats

Top Web Site Vulnerabilities - 2010 (chart)
Impact of SQL Injection
- Bypassing authentication mechanisms:
  select id from users where name='admin' and password='' or '1'='1'
- Information disclosure:
  select phone from users where name='' UNION select credit_num from users --
- Information tampering:
  select id from clients where name=''; update clients set debt=0; --
- Database corruption:
  select usr_id from clients where name=''; drop table clients; --
- Command execution:
  select picture from animals where name=''; EXEC filesystem_cmd 'format /y c:'

In each case the attacker closes the application's string literal with a quote, supplies SQL of his own, and comments out the rest (--). The last three payloads depend on the driver and database accepting several statements in one call; Oracle's native interfaces reject that, but the tautology and UNION forms work anywhere the query is built by string concatenation. filesystem_cmd stands in for whatever OS-command procedure the target database exposes.
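The authentication query from the first bullet, built the vulnerable way and the safe way inside PL/SQL. This is an added example, not code from the slides: the table USERS and its columns ID, NAME and PASSWORD follow the slide; the function names, the plaintext password column (itself a weakness the slide does not address) and the DBMS_ASSERT case are assumptions.

```sql
-- Added example (not from the slides). Schema assumed: USERS(ID, NAME, PASSWORD).

-- Vulnerable: caller strings are spliced into the statement text, so the
-- slide's payload  ' or '1'='1  turns the WHERE clause into a tautology.
CREATE OR REPLACE FUNCTION login_unsafe(p_name IN VARCHAR2, p_pwd IN VARCHAR2)
  RETURN NUMBER
IS
  v_rows NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'select count(*) from users where name=''' || p_name ||
    ''' and password=''' || p_pwd || ''''
    INTO v_rows;
  RETURN v_rows;   -- > 0 for the payload without knowing any password
END login_unsafe;
/

-- Hardened: bind variables. The values are passed after parsing, so quotes
-- inside them are data, never syntax. Same statement shape, same plan cache.
CREATE OR REPLACE FUNCTION login_safe(p_name IN VARCHAR2, p_pwd IN VARCHAR2)
  RETURN NUMBER
IS
  v_rows NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'select count(*) from users where name = :n and password = :p'
    INTO v_rows USING p_name, p_pwd;
  RETURN v_rows;   -- 0 for the payload: no user has that literal password
END login_safe;
/

-- Identifiers cannot be bound. Where a table name really must be dynamic,
-- DBMS_ASSERT rejects anything that is not a plain SQL name (ORA-44003), so
-- the UNION and stacked-statement payloads above never reach the parser.
CREATE OR REPLACE FUNCTION count_rows(p_table IN VARCHAR2) RETURN NUMBER
IS
  v_rows NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'select count(*) from ' || DBMS_ASSERT.SIMPLE_SQL_NAME(p_table)
    INTO v_rows;
  RETURN v_rows;
END count_rows;
/

-- The slide's payload against both versions (PL/SQL doubles embedded quotes):
SELECT login_unsafe('admin', ''' or ''1''=''1') AS unsafe_hits,
       login_safe  ('admin', ''' or ''1''=''1') AS safe_hits
  FROM dual;
```

The fix is not escaping: the bind version has no quoting logic at all, which is why it cannot be bypassed by a cleverer payload. Reserve DBMS_ASSERT for the identifier case and keep every value in a bind.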
Database Security - Building Blocks
- Identification: user name / user ID
- Authentication: user + password; certificates; smart card; biometrics; smart card + biometrics
- Session: session management service
- Authorization: authorization service
- Auditing: auditing service
- Encryption: database encryption

Protect Database Environments (Oracle)
- Limit database access: Oracle hardening procedure (default in 11g)
- Encryption: DBMS_CRYPTO; TDE; scramble non-production data
- Limit data access: VPD / Label Security; Database Vault; Database Firewall *
- Audit: FGA (Fine-Grained Audit); Audit Vault; Database Firewall

The Ten Commandments of Database Security
1. Beyond working with personal accounts, avoid SYS and SYSTEM.
2. Install as few features as possible in the database.
3. What the hell are developers doing in my production environment?!
4. Don't grant the DBA privilege for nothing.
5. Forbid connections to the database from the database server itself.
6. Revoke privileges from PUBLIC as far as possible.
7. Avoid granting CREATE PROCEDURE / FUNCTION.
8. Enable AUDIT on sensitive tables.
9. Avoid access to the operating system from within the database.
10. Review the code that accesses the database.

Authentication Using OVD (Oracle Virtual Directory)
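Several of the ten rules above can be checked and enforced from SQL*Plus. The script below is an added example, not part of the slides: it is written for an 11g-era database, uses HR.EMPLOYEES as the assumed sensitive table, and the list of packages revoked from PUBLIC is a sample to start from, not a complete hardening baseline.

```sql
-- Added example (not from the slides). Run as a DBA; HR.EMPLOYEES assumed.

-- Rule 4: who holds DBA, and who can grant it onward (ADMIN_OPTION)?
SELECT grantee, admin_option
  FROM dba_role_privs
 WHERE granted_role = 'DBA'
 ORDER BY grantee;

-- Rule 6: EXECUTE on SYS packages granted to PUBLIC, i.e. to every account.
SELECT table_name, privilege
  FROM dba_tab_privs
 WHERE grantee = 'PUBLIC' AND owner = 'SYS' AND privilege = 'EXECUTE'
 ORDER BY table_name;

-- Rules 6 and 9: the packages that reach the OS, the network and the job
-- scheduler are the first to revoke from PUBLIC. Re-grant them afterwards
-- to the specific schemas that actually need them.
REVOKE EXECUTE ON SYS.UTL_FILE       FROM PUBLIC;
REVOKE EXECUTE ON SYS.UTL_HTTP       FROM PUBLIC;
REVOKE EXECUTE ON SYS.UTL_TCP        FROM PUBLIC;
REVOKE EXECUTE ON SYS.UTL_SMTP       FROM PUBLIC;
REVOKE EXECUTE ON SYS.DBMS_SCHEDULER FROM PUBLIC;

-- Rule 7: accounts that can create code inside the database.
SELECT grantee, privilege
  FROM dba_sys_privs
 WHERE privilege IN ('CREATE PROCEDURE', 'CREATE ANY PROCEDURE')
 ORDER BY grantee;

-- Rule 8: one audit record per statement touching the sensitive table.
AUDIT SELECT, INSERT, UPDATE, DELETE ON hr.employees BY ACCESS;

-- Rule 1: make SYSTEM logins visible. AUDIT SESSION writes non-SYSDBA
-- logins to DBA_AUDIT_SESSION; SYS AS SYSDBA connections go to the OS
-- audit files under AUDIT_FILE_DEST instead, so check both places.
AUDIT SESSION;
SELECT username, userhost, timestamp, returncode
  FROM dba_audit_session
 WHERE username IN ('SYS', 'SYSTEM')
 ORDER BY timestamp DESC;

-- Rule 5: sessions whose client machine is the database server itself.
-- MACHINE may carry a domain suffix, hence the LIKE.
SELECT username, machine, program, COUNT(*) AS sessions
  FROM v$session
 WHERE type = 'USER'
   AND UPPER(machine) LIKE UPPER(SYS_CONTEXT('USERENV', 'SERVER_HOST')) || '%'
 GROUP BY username, machine, program;
```

Run the SELECTs before and after the REVOKEs and keep the output with the change ticket: the "before" listing is the evidence of what PUBLIC could do, and the "after" listing is the regression test when the next upgrade re-grants something.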
Virtual Private Database
- Users only see data that they have access to; the conditions can differ by user.
- Data access is managed at the database level.
- Fine-Grained Access Control: enforced at the server.
- Application Context: determines the access-control condition.
Example: a sales rep sees orders for his own customers only; a customer sees only their own orders. Both issue the same statement, SELECT * FROM ORDERS.

How It Works
- Accessing an object with an attached policy automatically invokes the policy (consults the policy function).
- The policy function returns a predicate (a WHERE condition).
- The application context determines the correct policy for the user.
- Oracle dynamically rewrites the SQL statement by appending the predicate:
  SELECT * FROM orders
  becomes
  SELECT * FROM orders WHERE cust_no = SYS_CONTEXT('order_entry', 'cust_num')
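The rewrite above, implemented end to end: a context that only a trusted package can set, a logon trigger that populates it, a policy function that returns the predicate, and the DBMS_RLS call that attaches it to OE.ORDERS. This is an added example, not the slides' code; the ORDER_ENTRY context and the cust_no predicate come from the slide, while the CUSTOMERS and SALES_REPS mapping tables, the SEC schema and the rep branch are assumptions.

```sql
-- Added example (not from the slides). Assumed: OE.ORDERS(cust_no, ...),
-- OE.CUSTOMERS(cust_no, db_user, rep_id), OE.SALES_REPS(rep_id, db_user).

-- 1. Context namespace bound to one package: only code in SEC.ORDER_ENTRY_CTX
--    can set attributes in it, so a user cannot forge cust_num from SQL*Plus.
CREATE OR REPLACE CONTEXT order_entry USING sec.order_entry_ctx;

CREATE OR REPLACE PACKAGE sec.order_entry_ctx AS
  PROCEDURE init;
END;
/
CREATE OR REPLACE PACKAGE BODY sec.order_entry_ctx AS
  PROCEDURE init IS
    v_user VARCHAR2(128) := SYS_CONTEXT('USERENV', 'SESSION_USER');
    v_id   NUMBER;
  BEGIN
    BEGIN  -- customer login: remember the customer number
      SELECT cust_no INTO v_id FROM oe.customers WHERE db_user = v_user;
      DBMS_SESSION.SET_CONTEXT('order_entry', 'cust_num', v_id);
      DBMS_SESSION.SET_CONTEXT('order_entry', 'role', 'CUSTOMER');
    EXCEPTION WHEN NO_DATA_FOUND THEN NULL;
    END;
    BEGIN  -- sales rep login: remember the rep id
      SELECT rep_id INTO v_id FROM oe.sales_reps WHERE db_user = v_user;
      DBMS_SESSION.SET_CONTEXT('order_entry', 'rep_id', v_id);
      DBMS_SESSION.SET_CONTEXT('order_entry', 'role', 'REP');
    EXCEPTION WHEN NO_DATA_FOUND THEN NULL;
    END;
    -- Unknown user: nothing is set, and the predicate below yields no rows.
  END init;
END;
/
CREATE OR REPLACE TRIGGER sec.order_entry_logon
  AFTER LOGON ON DATABASE
BEGIN
  sec.order_entry_ctx.init;
END;
/

-- 2. Policy function: returns the WHERE fragment Oracle appends. It reads the
--    context to pick the predicate per role (the two cases on the slide).
CREATE OR REPLACE FUNCTION sec.orders_policy(p_schema IN VARCHAR2,
                                             p_object IN VARCHAR2)
  RETURN VARCHAR2
IS
BEGIN
  IF SYS_CONTEXT('order_entry', 'role') = 'REP' THEN
    RETURN 'cust_no IN (SELECT c.cust_no FROM oe.customers c ' ||
           'WHERE c.rep_id = SYS_CONTEXT(''order_entry'',''rep_id''))';
  END IF;
  -- Customer (or nobody): a NULL context value compares false with every
  -- row, so an unmapped session fails closed rather than seeing everything.
  RETURN 'cust_no = SYS_CONTEXT(''order_entry'',''cust_num'')';
END orders_policy;
/

-- 3. Attach the policy; UPDATE_CHECK stops a customer from inserting or
--    updating a row that the predicate would then hide from him.
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'OE',
    object_name     => 'ORDERS',
    policy_name     => 'ORDERS_BY_CUSTOMER',
    function_schema => 'SEC',
    policy_function => 'ORDERS_POLICY',
    statement_types => 'SELECT,INSERT,UPDATE,DELETE',
    update_check    => TRUE);
END;
/
```

Two caveats a practitioner should keep in mind: a policy function that raises an exception makes the query fail for everyone, so wrap lookups and return a fail-closed predicate (never an empty string, which means "no restriction"); and SYS plus any account holding EXEMPT ACCESS POLICY bypass VPD entirely, which is exactly the DBA case the Database Vault slides later address.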
Oracle Label Security - Model
A label has three components:
- Level (ordered, most sensitive first): Top Secret, Confidential, Sensitive
- Compartment (unordered): Corporate, Personal, Risk
- Group (hierarchical): G0 at the root; G1, G2, G3 below it; G11, G12 under G1; G21, G22, G23 under G2; G31 under G3; G311, G312 under G31

Oracle Label Security - Example
User Janet, user access label: Confidential : Corporate, Personal : G2

FundRef | Amount    | RowLabel
AF2137  | 1,000,000 | Confidential : Corporate : G21
JG4112  | 225,000   | Confidential : Branch : G5
XS3025  | 7,500,000 | Top Secret : Risk : G6
AF2991  | 317,000   | Sensitive : Personal : G1
SD1328  | 900,725   | Sensitive : Corporate : G23

A row is readable when its level does not exceed the user's level, every compartment on the row is held by the user, and the row's group is one of the user's groups or a descendant of one. Janet therefore reads AF2137 (same level, Corporate held, G21 under G2) and SD1328 (Sensitive below Confidential, Corporate held, G23 under G2). JG4112 is hidden by the Branch compartment, XS3025 by the Top Secret level and AF2991 because G1 is not under G2.
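The model and Janet's label expressed with the OLS administrative packages, so the table above can be reproduced. This is an added example and not code from the slides: the policy name FUNDS_POL, the label column FUND_LABEL, the table FIN.FUNDS, the numeric tags, the Branch compartment and the groups G5/G6 (which appear in the example rows but not in the model slide) are all assumptions.

```sql
-- Added example (not from the slides). Run as the OLS administrator (LBACSYS
-- or an account with the policy's _DBA role). Assumed table: FIN.FUNDS.
BEGIN
  -- One policy = one hidden label column on every table it protects.
  SA_SYSDBA.CREATE_POLICY(policy_name     => 'FUNDS_POL',
                          column_name     => 'FUND_LABEL',
                          default_options => 'READ_CONTROL,WRITE_CONTROL,HIDE');

  -- Levels: the number gives the order; higher is more sensitive.
  SA_COMPONENTS.CREATE_LEVEL('FUNDS_POL', 1000, 'S',  'Sensitive');
  SA_COMPONENTS.CREATE_LEVEL('FUNDS_POL', 2000, 'C',  'Confidential');
  SA_COMPONENTS.CREATE_LEVEL('FUNDS_POL', 3000, 'TS', 'Top Secret');

  -- Compartments: unordered; a reader must hold every one on the row.
  SA_COMPONENTS.CREATE_COMPARTMENT('FUNDS_POL', 10, 'CORP',   'Corporate');
  SA_COMPONENTS.CREATE_COMPARTMENT('FUNDS_POL', 20, 'PERS',   'Personal');
  SA_COMPONENTS.CREATE_COMPARTMENT('FUNDS_POL', 30, 'RISK',   'Risk');
  SA_COMPONENTS.CREATE_COMPARTMENT('FUNDS_POL', 40, 'BRANCH', 'Branch');   -- assumed

  -- Groups: a tree. Holding G2 grants G2 and everything beneath it.
  SA_COMPONENTS.CREATE_GROUP('FUNDS_POL', 100, 'G0',  'Root');
  SA_COMPONENTS.CREATE_GROUP('FUNDS_POL', 110, 'G1',  'Group 1',   'G0');
  SA_COMPONENTS.CREATE_GROUP('FUNDS_POL', 120, 'G2',  'Group 2',   'G0');
  SA_COMPONENTS.CREATE_GROUP('FUNDS_POL', 121, 'G21', 'Group 2.1', 'G2');
  SA_COMPONENTS.CREATE_GROUP('FUNDS_POL', 123, 'G23', 'Group 2.3', 'G2');
  SA_COMPONENTS.CREATE_GROUP('FUNDS_POL', 150, 'G5',  'Group 5',   'G0');  -- assumed
  SA_COMPONENTS.CREATE_GROUP('FUNDS_POL', 160, 'G6',  'Group 6',   'G0');  -- assumed

  -- Data labels used by the five example rows must exist before rows carry them.
  SA_LABEL_ADMIN.CREATE_LABEL('FUNDS_POL', 10001, 'C:CORP:G21');
  SA_LABEL_ADMIN.CREATE_LABEL('FUNDS_POL', 10002, 'C:BRANCH:G5');
  SA_LABEL_ADMIN.CREATE_LABEL('FUNDS_POL', 10003, 'TS:RISK:G6');
  SA_LABEL_ADMIN.CREATE_LABEL('FUNDS_POL', 10004, 'S:PERS:G1');
  SA_LABEL_ADMIN.CREATE_LABEL('FUNDS_POL', 10005, 'S:CORP:G23');

  -- Enforce the policy on the table (adds the FUND_LABEL column).
  SA_POLICY_ADMIN.APPLY_TABLE_POLICY(policy_name => 'FUNDS_POL',
                                     schema_name => 'FIN',
                                     table_name  => 'FUNDS');

  -- Janet: reads up to Confidential, holds Corporate and Personal, group G2.
  SA_USER_ADMIN.SET_USER_LABELS(policy_name    => 'FUNDS_POL',
                                user_name      => 'JANET',
                                max_read_label => 'C:CORP,PERS:G2');
END;
/

-- Rows are labelled with CHAR_TO_LABEL (the writer's label must dominate
-- the row label). With the five rows from the slide loaded this way,
-- Janet's SELECT * FROM fin.funds returns AF2137 and SD1328 only.
INSERT INTO fin.funds (fundref, amount, fund_label)
VALUES ('AF2137', 1000000, CHAR_TO_LABEL('FUNDS_POL', 'C:CORP:G21'));
```

Because HIDE is set, the label column does not appear in SELECT * output; applications that should see it query FUND_LABEL explicitly with LABEL_TO_CHAR. Keep the level numbers spaced out (1000, 2000, ...) so a level can be inserted later without renumbering.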
Database Vault Security Protects Database and Applications
Actors: DBA, privileged application owner, application user. Access paths: SQL*Plus, the application, other applications (E-Business Suite). Data Vault enforcement sits inside Oracle Database 10g Release 2, in front of the Oracle data dictionary and the application schemas, so a DBA connecting with SQL*Plus can no longer bypass the application and read its data directly.

Database Vault Scenarios
- A DBA looks at HR data (SELECT * FROM HR.emp): enforce separation of duty. The HR schema sits in a realm and the DBA is not authorized in it.
- An HR DBA creates a user (CREATE USER ...; at 3 PM on a Monday): stop (accidental) misuse of privileges. A command rule ties the command to the authorized account and time window.
- SYS connects as SYSDBA for daily tasks: enforce the principle of least privilege. Named administrative accounts with limited roles replace the all-powerful SYSDBA session, and the data dictionary is protected by a realm of its own.
Schemas shown in the example: OE, HR, Dictionary.
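The first two scenarios, expressed as a Database Vault realm and a command rule. This is an added example, not the slides' configuration: the names HR_REALM and HR_DBA_RS, the HR_DBA account and the Monday 13:00-17:00 window are assumptions, and the calls are those of the 10g R2/11g DBMS_MACADM API run by the DV owner.

```sql
-- Added example (not from the slides). Run as the Database Vault owner.
BEGIN
  -- Scenario 1: realm around the HR schema. SELECT ANY TABLE held by a DBA
  -- stops reaching HR objects; only accounts authorised in the realm do.
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'HR_REALM',
    description   => 'Protects the HR application schema',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);   -- log every violation

  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'HR_REALM',
    object_owner => 'HR',
    object_name  => '%',
    object_type  => '%');

  -- The application owner is a realm owner. The DBA role is deliberately
  -- absent, so the DBA's SELECT * FROM HR.emp fails with ORA-01031 and
  -- leaves an audit record.
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name   => 'HR_REALM',
    grantee      => 'HR',
    auth_options => DBMS_MACUTL.G_REALM_AUTH_OWNER);

  -- Scenario 2: CREATE USER only for HR_DBA, only on Monday afternoons.
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Is HR DBA',
    rule_expr => 'SYS_CONTEXT(''USERENV'',''SESSION_USER'') = ''HR_DBA''');

  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Monday afternoon',
    rule_expr => 'TO_CHAR(SYSDATE,''DY'',''NLS_DATE_LANGUAGE=ENGLISH'') = ''MON'' ' ||
                 'AND TO_NUMBER(TO_CHAR(SYSDATE,''HH24'')) BETWEEN 13 AND 16');

  DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'HR_DBA_RS',
    description     => 'HR DBA user-management window',
    enabled         => DBMS_MACUTL.G_YES,
    eval_options    => DBMS_MACUTL.G_RULESET_EVAL_ALL,   -- all rules must hold
    audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
    fail_options    => DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => 'CREATE USER is allowed only for HR_DBA on Monday afternoons',
    fail_code       => 20001,
    handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);

  DBMS_MACADM.ADD_RULE_TO_RULE_SET('HR_DBA_RS', 'Is HR DBA');
  DBMS_MACADM.ADD_RULE_TO_RULE_SET('HR_DBA_RS', 'Monday afternoon');

  DBMS_MACADM.CREATE_COMMAND_RULE(
    command       => 'CREATE USER',
    rule_set_name => 'HR_DBA_RS',
    object_owner  => '%',
    object_name   => '%',
    enabled       => DBMS_MACUTL.G_YES);
END;
/
```

The third scenario needs no custom object: once Database Vault is enabled, the Oracle Data Dictionary realm and the DV_ACCTMGR / DV_OWNER split already prevent a SYSDBA session from administering users or reaching realm-protected application data, so routine work has to move to named accounts with exactly the roles the task requires. Test the rule set from the HR_DBA account outside the window before trusting it, since a rule expression that errors evaluates as false and will lock out the legitimate path as well.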
Thank You!
Read more about database security at www.ildba.co.il