Protecting Sensitive Data: Reducing Risk with Oracle Database Security




Protecting Sensitive Data: Reducing Risk with Oracle Database Security
Antonio.Mata.Gomez@oracle.com, Information Security Architect

Agenda
1. Anatomy of an Attack
2. Three Steps to Securing an Oracle Database
3. Database Security Strategy


From Mistakes to Malicious: Basic Security Is No Longer Enough
Threats range from mistakes to malicious activity: accidental deletes, unauthorized disclosures, privilege abuse, curiosity, leakage, social engineering, denial of service, sophisticated attacks, and data theft. The result is loss to the business and damage to reputation.

Anatomy of an Attack
1. It starts with social engineering: the attacker uses a phishing attack, an XSS or SQL injection attack, and downloaded malware that reports back to a command server.
2. Establish a foothold: establish multiple backdoors, dump passwords, reach the domain controller, and gather data.
3. Exfiltrate data and cover tracks: data is exfiltrated via a staging server anywhere in the world, and the stolen data is used in follow-on attacks.

A Wide Range of Attack Vectors: No Single Control Addresses All of Them
(Diagram: each attack vector against production, backup, and dev/test data is paired with the control that addresses it.)
- Attack vectors: app user snooping, malware attack, data-at-rest attack, SQL attack, accidental exposure, DBA permission abuse, insider threat, dev team snooping, lost laptop, lost disk or tapes
- Controls: Data Redaction, Label Security, DB Firewall, Data Encryption, Activity Monitoring, DB Vault, Data Masking, Sensitive Data Discovery, Configuration Management

Over 1.8 Billion Records Breached
- 67%: records breached from servers
- 43%: breached using weak or stolen credentials
- 69%: discovered by an external party
- 97%: preventable with basic controls

97% of database breaches could have been prevented with basic controls.

Compliance Requires New Security Controls
- Regulatory frameworks: HIPAA, IRS 1075, CJIS, Breach Notification, European Data Protection Regulation, etc.
- Regulated data: Federal Tax Information, electronic health records, criminal history reports, PII
- Regulatory requirements: data security, access controls, segregation of duties, audit and accountability, continuous monitoring and alerting

Three Steps to Securing an Oracle Database

Three Steps to Secure Consolidation: Database Defense-in-Depth Strategy
1. Find sensitive data and privileges
2. Prevent unauthorized data access
3. Detect and alert on database activity

Step 1, Administrative Controls: Find Sensitive Data, Databases, and Privileges
- Analyze privileges
- Sensitive Data Finder
- Configuration scanning
Products involved: Database Vault 12c, all security options, EM Lifecycle Management

Database Privilege Analysis (Oracle Database Vault 12c)
(Diagram: Create, Drop, and Modify privileges granted through the DBA and APPADMIN roles.)
- Report on the actual privileges and roles used by database users
- Helps revoke unnecessary privileges
- Enforce least privilege and reduce risk
- Increase security without disruption
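As an added example, not from the slides, this is how the privilege analysis described above is driven in Oracle Database 12c with the DBMS_PRIVILEGE_CAPTURE package: capture what the APPADMIN role (named on the slide) actually exercises during a workload window, then report what was granted but never used. The capture name is assumed.

```sql
-- Hypothetical capture name; APPADMIN is the role from the slide.
-- Start recording which privileges sessions exercise through APPADMIN.
BEGIN
  DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE(
    name        => 'appadmin_usage',
    description => 'Privileges actually used via the APPADMIN role',
    type        => DBMS_PRIVILEGE_CAPTURE.G_ROLE,
    roles       => role_name_list('APPADMIN'));
  DBMS_PRIVILEGE_CAPTURE.ENABLE_CAPTURE(name => 'appadmin_usage');
END;
/

-- Run the application through a representative period (batch jobs, month end,
-- admin tasks) so that the capture sees every legitimate privilege use. Then:
BEGIN
  DBMS_PRIVILEGE_CAPTURE.DISABLE_CAPTURE(name => 'appadmin_usage');
  DBMS_PRIVILEGE_CAPTURE.GENERATE_RESULT(name => 'appadmin_usage');
END;
/

-- Privileges reachable through APPADMIN that no session used during the window:
-- candidates for revocation under a least-privilege review.
SELECT username, used_role, sys_priv, obj_priv, object_owner, object_name
  FROM dba_unused_privs
 WHERE capture = 'appadmin_usage'
 ORDER BY username, sys_priv, object_owner, object_name;

-- The complementary view shows what WAS used, which is the evidence to keep.
SELECT username, used_role, sys_priv, obj_priv, object_owner, object_name
  FROM dba_used_privs
 WHERE capture = 'appadmin_usage';
```

Revoke only after reviewing the unused list against the capture window: a privilege needed by a quarterly job that did not run during the capture will show as unused.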

Discover Sensitive Data and Databases (Oracle Enterprise Manager 12c)
- Scan Oracle databases for sensitive data
- Built-in, extensible data definitions
- Discover application data models
- Protect sensitive data appropriately: encrypt, redact, mask, audit

Continuous Configuration Monitoring (Oracle Enterprise Manager 12c)
- Discover: discover and classify databases
- Scan and monitor: scan for best practices and standards; detect unauthorized changes
- Patch: automated remediation; patching and provisioning

Oracle-Provided Oracle DB 11g STIG Compliance
- Includes both Oracle Database and Oracle Home checklists
- Almost all script-defined checks have been automated
- About 20% of manual/interview checks have been automated; the remainder require manual attestation

Step 2, Preventive Controls: Prevent Unauthorized Data Access
(Diagram: production data is protected by data encryption, data redaction, and access controls; applications see either the real value ssn:253-21-4321, the redacted form ssn:xxx-xx-4321 dob:xx/xx/xxxx, or an "Insufficient Privilege" error; data masking supplies substitute values such as ssn:423-55-3571 dob:12/01/1987 to Dev/Test.)

Encryption Is the Foundation (Oracle Advanced Security)
(Diagram: encrypted data flows from applications to disk, backups, exports, and off-site facilities.)
- Transparent data encryption
- Prevents access to data at rest
- Requires no application changes
- Built-in two-tier key management
- Near-zero overhead with hardware support
- Integrations with Oracle technologies, e.g. Exadata, Advanced Compression, ASM, GoldenGate, Data Pump, etc.

Key Management Challenges Heard from Customers
Management challenges:
- Proliferation of encryption wallets and keys
- Authorized sharing of keys
- Key availability, retention, and recovery
- Custody of keys and key storage files
Regulatory challenges:
- Physical separation of keys from encrypted data
- Periodic key rotation
- Monitoring and auditing of keys
- Long-term retention of keys and encrypted data

Oracle Key Vault: Software Appliance Platform
- Turnkey solution based on a hardened stack
- Includes Oracle Database and security options
- Open x86-64 hardware to choose from
- Easy to install, configure, deploy, and patch
- Separation of duties for administrative users
- Full auditing, preconfigured reports, and alerts

Context-Aware Data Redaction (Oracle Advanced Security)
(Diagram: the credit card numbers 4451-2172-9841-4368, 5106-8395-2095-5938, and 7830-0032-0294-1827 pass through a redaction policy; the call center application sees xxxx-xxxx-xxxx-4368 while the billing department sees 4451-2172-9841-4368.)
- Real-time sensitive data redaction based on database session context
- Library of redaction policies and point-and-click policy definition
- Consistent enforcement: policies are applied to the data
- Transparent to applications, users, and operational activities
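An added example, not from the presentation, showing how the session-context redaction sketched on this slide is defined with the DBMS_REDACT package. The BILLING schema, CUSTOMER_CARDS table, CARD_NUMBER and SSN columns, the policy name, and the BILLING_APP account are assumptions.

```sql
-- Partial redaction of a 16-digit card number for every session except the
-- billing application. Schema, table, column, policy and account names are
-- hypothetical; the visible result matches the slide (xxxx-xxxx-xxxx-4368).
BEGIN
  DBMS_REDACT.ADD_POLICY(
    object_schema       => 'BILLING',
    object_name         => 'CUSTOMER_CARDS',
    column_name         => 'CARD_NUMBER',
    policy_name         => 'redact_cards_outside_billing',
    function_type       => DBMS_REDACT.PARTIAL,
    -- input format, output format, mask character, first and last position
    -- to mask: 16 digits in four groups, mask positions 1-12, keep the last 4
    function_parameters => 'VVVVFVVVVFVVVVFVVVV,VVVV-VVVV-VVVV-VVVV,x,1,12',
    -- The policy expression is the "session context": it is evaluated per
    -- query, and redaction applies whenever it is TRUE. Here only the billing
    -- application account sees clear values; the call-center app does not.
    expression          => q'[SYS_CONTEXT('USERENV','SESSION_USER') <> 'BILLING_APP']');
END;
/

-- The same policy can cover further columns of the table. The predefined
-- format keeps the last four digits of a US SSN (xxx-xx-4321 on the slide).
BEGIN
  DBMS_REDACT.ALTER_POLICY(
    object_schema       => 'BILLING',
    object_name         => 'CUSTOMER_CARDS',
    policy_name         => 'redact_cards_outside_billing',
    action              => DBMS_REDACT.ADD_COLUMN,
    column_name         => 'SSN',
    function_type       => DBMS_REDACT.PARTIAL,
    function_parameters => DBMS_REDACT.REDACT_US_SSN_F5);
END;
/

-- Verification: connected as the call-center account, the stored values are
-- unchanged but the result set carries the masked forms.
SELECT card_number, ssn FROM billing.customer_cards;
```

Redaction acts on query results only, so it complements rather than replaces the encryption, masking, and access controls on the surrounding slides: a user who can already read the column through another path (exports, backups, a direct grant on a non-redacted copy) is not covered by it.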

Remove Sensitive Data from Non-Production Environments (Oracle Data Masking & Subsetting)

Production:
  LAST_NAME   SSN          SALARY
  AGUILAR     203-33-3234  40,000
  BENSON      323-22-2943  60,000

Non-production (Test, Dev):
  LAST_NAME   SSN          SALARY
  ANSKEKSL    323-23-1111  60,000
  BKJHHEIEDK  252-34-1345  40,000

- Remove risk from non-production systems
- Reduce the size of non-production systems and their storage costs
- Replace sensitive application data
- Referential integrity detected and preserved
- Extensible template library and formats
- Application templates available

Next-Generation Access Control (Oracle Database Vault)
(Diagram: Procurement, HR, and Finance applications; a Security DBA, an Application DBA, and a DBA whose "select * from finance.customers" is subject to Database Vault policy.)
- Context-sensitive authorization policies
- Limit DBA access to application data
- Multi-factor SQL command rules
- Enforce enterprise data governance, least privilege, and segregation of duties
- Out-of-the-box application policies

Label-Based Access Control (Oracle Label Security)
(Diagram: data classified as Sensitive Transactions, Confidential Report Data, and Public Reports; users carry the labels Confidential and Sensitive.)
- Virtual information partitioning for cloud, SaaS, and hosting environments
- Classify users and data using labels
- Labels based on business drivers
- Automatically enforced row-level access control, transparent to applications
- Labels can be factors used by other security features (e.g. Redaction, Database Vault)

Step 3, Detective Controls: Detect and Alert on Access Anomalies
(Diagram: applications reach the database through the Database Firewall; firewall events and audit data flow into Audit Vault, which produces alerts, built-in reports, custom reports, and custom policies.)

Consolidate Audit Data: Storage, Analysis, and Reporting (Oracle Audit Vault & Database Firewall)
(Diagram: audit data and event logs from databases, OS and storage, directories, custom sources, and Oracle Database Firewall feed alerts, built-in reports, custom reports, and policies for the SOC/NOC, auditors, and security analysts.)
- Centralized, secure audit data repository
- Manage audit data; return storage to operational databases
- Powerful alerting: thresholds, group-by
- Out-of-the-box and custom reports
- Consolidated multi-source reporting
- For Oracle and non-Oracle databases

Detect and Alert on Anomalies (Oracle Audit Vault & Database Firewall)
(Diagram: SQL from users and apps passes through SQL analysis and policy factors, with the outcomes Allow, Log, Alert, Substitute, or Block.)
- Monitors network traffic; detects and blocks unauthorized activity
- Highly accurate SQL grammar analysis
- Can detect and stop SQL injection attacks
- Whitelist approach to enforce permitted activity
- Blacklists for managing high-risk activity
- For Oracle and non-Oracle databases


Database Security Strategy: Use Defense-in-Depth for Maximum Security
- Preventive controls, detective controls, administrative controls
- Don't let perfection stand in the way of progress
- Look for incremental steps to reduce risk
- Do not accept the status quo: business as usual is not an option

Security Is Part of Oracle's DNA
- Defense in depth to address the full range of attack vectors: encryption, context-aware access controls, separation of duty, fine-grained access controls
- Built-in security, not a bolt-on, with no compatibility issues: security controls do not break compression, backups, high availability, or data integration
- High performance is a must: encryption, masking
- Common admin UIs (Enterprise Manager) reduce your cost to implement and manage
- Single vendor = no excuses = no finger pointing

Questions?

Oracle Confidential