Database Security Questions
HOUG 2016
Fehér Lajos

How Data Gets Compromised?
Source: Verizon Data Breach Investigations Report
Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Where Losses Come From?
92% of Records from Compromised Databases
Source: Verizon Data Breach Investigations Report

Top Attack Techniques
% Breaches and % Records
Most records lost through Stolen Credentials & SQL Injection
Source: Verizon Data Breach Investigations Report

Database Security: Defense-In-Depth Approach
- Monitor and block threats before they reach databases
- Control access to data within the databases
- Track changes and audit database activity
- Encrypt data to prevent direct access
Implement with
- Transparency: no changes to existing applications
- High Performance: no measurable impact on applications
- Accuracy: minimal false positives and negatives

Existing Security Solutions Not Enough
- Threats: Key Loggers, Phishing, Malware, Botware, SQL Injection, Social Engineering, Espionage
- [Diagram labels: Web Users, Application Users, Application, Database Administrators]
- Data Must Be Protected in depth

Simplified Application Model
[Diagram components: Users, Apps, Test/Dev Copy, Administrators, Storage]
[Diagram attack labels: Exploit Application, Bypass Application, Exploit Database, Bypass Database, Abuse Privileged Accounts, Access Exported Data]

Opportunities for Attack
- Exploit Application
- Bypass Application
- Exploit Database
- Bypass Database
- Abuse Privileged Accounts
- Access Exported Data
[Diagram components: Users, Apps, Test/Dev Copy, Administrators, Storage]

Oracle Database Maximum Security Architecture
[Diagram components: Users, Apps, Test/Dev Copy, Administrators, Storage]
[Diagram controls: Advanced Security Data Redaction, Access Control (VPD and RAS), Database Vault, Database Firewall, Data Masking, Advanced Security TDE, Database Vault Privilege Analysis, Key Vault, Audit Vault]

Defense-in-Depth Security Controls
- EVALUATE: Security Configuration; Sensitive Data Discovery; Least Privilege Use
- PROTECT: Encryption & Redaction; Masking & Subsetting; DBA & Operational Controls
- DETECT: Auditing; Activity Monitoring; Alerting & Reporting

Oracle Real Application Security (RAS)
Next Generation Database Enforced Application Security
Highlights
- End-to-end uniform security across mid-tier and database
- Declarative security (no handcoded checks)
- Data security based upon application users and roles
- Audit of end-user activity
- Simplified administration
- Supports new/legacy apps
[Diagram labels: Field, Batch Jobs, Adhoc, Joe, Application, Analytics, Audit]

Attack #1: Exploit the Application
- Get the application to reveal information that wasn't intended
How can this happen?
- Bug in the application's access control logic
- SQL injection
- Exploits the application's privileges to read and write the database
Defenses
- Data Redaction limits sensitive data handled by the application
- Database Firewall examines SQL from the application and blocks abnormal statements

Oracle Advanced Security Redaction
- Identify sensitive data, possibly using Enterprise Manager
- Best for data that is displayed but not interpreted by application
- Prevents compromise due to application bugs and protects all applications that use the same data
Data to redact
- Cardholder data
- National identifiers
- Personally Identifiable Info
- Medical Record Data
- And more
Applications
- Business apps including display screens, reports, dashboards, panels
- New and legacy applications
[Diagram: Application with a Policy producing an Authorized Display and a Redacted Display; sample Credit Card # values 5105-1051-0510-5100, 4012-8888-8888-1881, 5454-5454-5454-5454]

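A partial-redaction policy of the kind this slide describes, as an added example that is not part of the original slides. The APP.CUSTOMER_CARDS table, its CARD_NO column, the policy name and the BILLING_SVC account are hypothetical.

```sql
-- Added example. APP.CUSTOMER_CARDS, CARD_NO, REDACT_CARD_NO and BILLING_SVC
-- are hypothetical names. CARD_NO is assumed to be a VARCHAR2 column holding
-- hyphenated 16-digit values such as 5105-1051-0510-5100.
BEGIN
  DBMS_REDACT.ADD_POLICY(
    object_schema       => 'APP',
    object_name         => 'CUSTOMER_CARDS',
    column_name         => 'CARD_NO',
    policy_name         => 'REDACT_CARD_NO',
    function_type       => DBMS_REDACT.PARTIAL,
    -- Predefined format: mask the first 12 digits, keep the last 4.
    function_parameters => DBMS_REDACT.REDACT_CCN16_F12,
    -- Redact for every session except the one account that needs full numbers.
    expression          => 'SYS_CONTEXT(''USERENV'',''SESSION_USER'') != ''BILLING_SVC'''
  );
END;
/

-- The application query is unchanged; sessions other than BILLING_SVC
-- now receive values of the form ****-****-****-5100.
SELECT card_no FROM app.customer_cards;

-- Review: which redaction policies exist, and on what condition they apply.
SELECT object_owner, object_name, policy_name, expression, enable
FROM   redaction_policies;

-- Review: who bypasses every redaction policy. The privilege is often held
-- indirectly through a role, so check the role grantees as well.
SELECT grantee
FROM   dba_sys_privs
WHERE  privilege = 'EXEMPT REDACTION POLICY';
```

Redaction is applied to query results at display time, which is why the slide recommends it for data that is displayed but not interpreted; it does not replace access control for accounts that can run arbitrary SQL.
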
Oracle Database Firewall
- Differentiates normal SQL statements used by application vs abnormal SQL from attacker
- Uses SQL parser, not just regular expressions, to recognize statements
- Start by monitoring unexpected SQL
- Later move to blocking
- Whitelist of expected statements for maximum security
- Also supports blacklist policies
[Diagram labels: Users, Apps, Database Firewall, Events, Alerts, Reports, Policies, Audit Vault]

Attack #2: Bypass the Application / Exploit the Database
- Connect to the database and access the data directly
- Bypasses any controls enforced by the application
Defenses
- Harden and monitor the database configuration
- Implement access control in the database
  - Virtual Private Database uses policy functions to filter data rows
  - Real Application Security uses declarative policies based on ACLs
  - Database Vault limits privileged access to data

Oracle Database Vault
- Use realms to protect against access using system privileges
- Enforce separation of duty among administrators
- Use command rules with multiple factors to tightly control routine administration
- Training mode helps to fine-tune policies
[Diagram labels: Privileged User, SELECT ANY, HR App, HR, HR Realm, Fin App, Fin, Fin Realm]

Attack #3: Bypass the Database
- Access data storage directly
- Bypasses any controls enforced by the database
Defenses
- Transparent Data Encryption automatically encrypts and decrypts stored data
- Key Vault manages encryption keys for TDE (and other uses)

Oracle Advanced Security
[Diagram labels: Data Redaction, Transparent Data Encryption, Encrypted Storage, Redacted, Applications, Disks, Backups, Exports]

Transparent Data Encryption
- For best performance
  - Take advantage of x86 or SPARC hardware acceleration
  - Use tablespace encryption in most cases
- Protects backups as well as database files on disk
- Critical issue is key management
[Diagram labels: Applications, Clear Data, Encrypted Data, Disks, Backups, Exports, Off-Site Facilities]

TDE Integration with Oracle Database
Database Products and Technologies: Example Points of Integration (TDE Support *)
- Engineered Systems: Oracle Exadata Smart Scans
- Data Compression: Oracle Advanced Compression
- Backup and Restore: Oracle Recovery Manager (RMAN), Oracle Secure Backup
- Export and Import: Oracle Data Pump Export and Import
- High-Availability Clusters: Oracle Real Application Clusters (RAC), Active Data Guard
- Storage Management: Oracle Automatic Storage Management (ASM)
- Pluggable Databases: Oracle Multitenant Option
- Database Replication: Oracle Golden Gate
* Integration with TDE tablespace encryption and/or key management as of Oracle Database 12c

TDE Advancements in Oracle Database 12c Release 1
- Oracle Wallet: storage in ASM, automatic backup
- TDE Master Key: new SQL commands for key management, movement of individual keys, improved S.O.D. (SYSKM)
- FIPS 140-2: U.S. FIPS 140-2 mode, DBFIPS_140 parameter in init.ora

Managing Master Keys in Oracle Wallet
- CRITICAL: Remember wallet password
- CRITICAL: Do not delete wallet. Retain copy of password-based wallet even if using auto-login
- CRITICAL: Do not have multiple databases share same wallet
- Set strong wallet password using numbers, capitalization, length >= 12 characters
- Rotate master encryption key and wallet password approximately every six months
- Backup wallet before and after each rotation operation
- Keep wallet backup separate from encrypted data backup
- Restrict wallet directory and file permissions
- Keep wallet read-only for daily use, set immutable bit where available
- For RAC, consider storing wallet in ACFS (DB 11gR2) or ASM (DB 12cR1)
- For DB 12cR1, separate duties using SYSKM

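The 12c key-management statements behind the wallet practices listed above, as an added example that is not part of the original slides. All paths, the tablespace name, the tags and the password placeholders are hypothetical, and sqlnet.ora is assumed to already point ENCRYPTION_WALLET_LOCATION at the keystore directory.

```sql
-- Added example. Paths, names, tags and <...> password placeholders are hypothetical.
-- Steps 1, 2, 4, 5 and 6: connect AS SYSKM rather than AS SYSDBA (separation of duty).

-- 1. Create a password-based keystore (wallet) and open it.
ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '/u01/app/oracle/wallets/orcl'
  IDENTIFIED BY "<keystore_password>";
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN
  IDENTIFIED BY "<keystore_password>";

-- 2. Set the first master key. WITH BACKUP copies the keystore before it changes.
ADMINISTER KEY MANAGEMENT SET KEY USING TAG 'initial'
  IDENTIFIED BY "<keystore_password>" WITH BACKUP USING 'before_initial';

-- 3. (Run by a DBA.) Encrypt at the tablespace level.
CREATE TABLESPACE secure_data
  DATAFILE '/u01/app/oracle/oradata/orcl/secure_data01.dbf' SIZE 100M
  ENCRYPTION USING 'AES256' DEFAULT STORAGE (ENCRYPT);

-- 4. Rotation: backup before (WITH BACKUP), rekey, explicit backup after.
--    The TO directory should not be where the encrypted data backups live.
ADMINISTER KEY MANAGEMENT SET KEY USING TAG 'rotation'
  IDENTIFIED BY "<keystore_password>" WITH BACKUP USING 'before_rotation';
ADMINISTER KEY MANAGEMENT BACKUP KEYSTORE USING 'after_rotation'
  IDENTIFIED BY "<keystore_password>" TO '/secure/wallet_backups';

-- 5. Change the keystore password on the same schedule.
ADMINISTER KEY MANAGEMENT ALTER KEYSTORE PASSWORD
  IDENTIFIED BY "<old_keystore_password>" SET "<new_keystore_password>"
  WITH BACKUP USING 'before_password_change';

-- 6. Verify keystore state and that the tablespace is encrypted.
SELECT wrl_parameter, status, wallet_type FROM v$encryption_wallet;
SELECT tablespace_name, encrypted
FROM   dba_tablespaces
WHERE  tablespace_name = 'SECURE_DATA';
```
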
Transparent Data Encryption: Main Takeaways
- Transparently encrypts with no impact on applications
- Delivers fast performance on modern hardware
- Manages keys with Oracle Wallet or Oracle Key Vault
- Directly integrates with popular Oracle Database technologies
- It just works!

Oracle Key Vault High-Level Architecture
[Diagram labels: Middleware, Standby, Databases, Servers, Secure Backups, Administration Console, Alerts, Reports]
[Diagram legend: Oracle Wallet, Java Keystore, Certificate, Server Password, Credential File]

Key Management with Oracle Key Vault
- Use Key Vault to centrally manage keys for TDE and more
- Share keys with related endpoints (RAC nodes, high availability standby systems)
- Audit all accesses and management operations

Oracle Advanced Security Transparent Data Encryption (TDE)
Oracle Wallet Upload/Download Scenarios
- RAC
- Data Guard
- Multiple DBs Same Machine
- GoldenGate
- Single Instance

Attack #4: Abuse Privileged Accounts
- Improper access by administrators or by an attacker who impersonates them
Defenses
- Database Vault realms limit privileged access
- Privilege Analysis helps reduce unnecessary privilege grants

Oracle Database Vault Privilege Analysis
- Helps implement the Principle of Least Privilege
- Perform privilege capture on a realistic example of application workload
- Revoke unnecessary privileges or audit their use
[Diagram labels: DBA_DEBRA, Custom Applications, Select, Update, Drop, DBA role, Runtime Capture, Unused/Used Reports]

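The capture-then-report cycle described above, as an added example that is not part of the original slides. The capture name is hypothetical; the DBA role is the one shown in the slide's diagram.

```sql
-- Added example. The capture name dba_role_usage is hypothetical.
-- Run as a user holding the CAPTURE_ADMIN role.

-- 1. Define a capture scoped to the DBA role and start recording.
BEGIN
  DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE(
    name        => 'dba_role_usage',
    description => 'Privileges of the DBA role exercised by a realistic workload',
    type        => DBMS_PRIVILEGE_CAPTURE.G_ROLE,
    roles       => role_name_list('DBA'));
  DBMS_PRIVILEGE_CAPTURE.ENABLE_CAPTURE('dba_role_usage');
END;
/

-- 2. Let the application and the administrators run a representative workload.
--    A capture window that misses month-end or maintenance jobs will report
--    their privileges as unused.

-- 3. Stop recording and populate the report views.
BEGIN
  DBMS_PRIVILEGE_CAPTURE.DISABLE_CAPTURE('dba_role_usage');
  DBMS_PRIVILEGE_CAPTURE.GENERATE_RESULT('dba_role_usage');
END;
/

-- 4. Used report: system privileges that were actually exercised.
SELECT username, sys_priv
FROM   dba_used_sysprivs
WHERE  capture = 'dba_role_usage'
ORDER  BY username, sys_priv;

-- 5. Unused report: candidates to revoke, or to audit if they must stay granted.
SELECT username, sys_priv
FROM   dba_unused_sysprivs
WHERE  capture = 'dba_role_usage'
ORDER  BY username, sys_priv;

-- 6. Remove the capture and its results once the review is complete.
BEGIN
  DBMS_PRIVILEGE_CAPTURE.DROP_CAPTURE('dba_role_usage');
END;
/
```
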
Oracle Database Vault
Database Vault Realms and Command Rules Protect Sensitive Schemas and Objects
- Protect sensitive data from privileged accounts
- Enforce a trusted path to prevent application by-pass
- Control database changes for security and compliance
[Diagram labels: Privileged User, HR App, SELECT ANY TABLE, IP: 111.11.111.11, HR, HR Realm, Fin, Fin App, IP: 111.11.111.22, ALTER SYSTEM, Fin Realm, DBA]

Oracle Database Vault Privilege Analysis
Privileges not used during capture

Unused Privileges Report

Used Privileges Report

Oracle Database Vault Manageability
- Installed with 12c Oracle Database Enterprise Edition
- Configure, enable using two PL/SQL calls
- Manage with Oracle Enterprise Manager or API
- Protection travels with PDB and backups
- Integrated with Oracle High Availability options (Data Guard, RAC)
- Less than 2% performance overhead

Attack #5: Access Exported Data
- Copies of data may be exported for many reasons
- Exported data copies may not be protected as carefully
Defenses
- Data Masking replaces sensitive data with other content
- Data Subsetting limits exported data to a representative sample

Oracle Data Masking and Subsetting Pack
Reduces Risk in Sharing by Obfuscating or Removing Sensitive Data
- Discover Sensitive Data
- Modeling Application Data
- Mask Data using Format Library
- Subset Based on Goal/Condition
- Mask/Subset in Export or on Staging
- Mask in Workload Captures & Clones
- Pre-installed in Enterprise Manager
[Diagram: Production to Test/Dev; sample SSN 463-62-9832 shown masked as 555-12-1234, sample Credit Card 3715-4691-3277-8399 shown masked as 5555-5555-5555-4444]

Application Data Modeling
[Diagram labels: Sensitive Data Discovery, Data Relationships, Sensitive Columns, Metadata, Automated Discovery]

Extensive Masking Format Library
- Provides common masking formats
- Supports custom masking formats
  - Random numbers/strings/dates
  - Substitute
  - User defined PL/SQL function
  - and more
- Generates sample masked values
- Templates for specific versions of E-Business Suite and Fusion Applications

Masking Examples
- Mask Based on Condition (Country, Identifier)
  - Before: CA 226-956-324; US 610-02-9191; UK JX 75 67 44 C
  - After: CA 368-132-576; US 829-37-4729; UK AI 80 56 31 D
- Shuffle Records (Health Records)
- Generate Deterministic Output (Emp ID, First Name)
  - Before: 324 Albert; 986 Hussain
  - After, in both HR and FIN: 324 Charlie; 986 Murali
- Generate Random Values Preserving Format (Company, Closing Price)
  - Before: IBFG $36.92; XKJU 789.8
  - After: IBFG $89.57; XKJU 341.9
- Mask Operating System Files stored as Blobs
  - BLOB before: 3178973456, 6509876745
  - Search: [0-9]{10}
  - Replace: *
  - BLOB after: **********, **********
- and more

Goal or Condition Based Subsetting
- Relative Database Size: 100%, 25%, 10% (1024 GB, 256 GB, 102 GB)
- Relative Table Size: 100M Rows, 20M Rows, 2M Rows
- Condition Based: Extract ASIA Sales

Deployment Options
- In-Database: Production, Staging, Test/Dev
- In-Export: Production, Export, Test/Dev
- Minimal impact on the production environment
- Sensitive data remains within the production perimeter

Final Defense: Monitor Activity
- Monitoring activity is an overall defense
- Catches unknown attacks
- Detects tampering with defenses
- When monitoring is known, it can have a deterrent effect
Defenses
- Database Auditing records significant security events as they occur
- Audit Vault collects audit data and provides reports and real-time alerts

Database Auditing
- Goal is to record the most important events without generating overwhelming amounts of data
  - For example, record updates to sensitive table but not every SELECT
  - Record security-relevant events that are expected to be infrequent
- Database audit policies are highly customizable
  - Access to particular objects
  - Use of roles or privileges
  - Based on runtime conditions
- Beginning in 12.1, Unified Audit combines multiple audit mechanisms

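Unified Audit policies covering the three kinds of customization listed above (objects, roles or privileges, runtime conditions), as an added example that is not part of the original slides. The HR.EMPLOYEES table, the policy names and the application-server address 192.0.2.10 are hypothetical.

```sql
-- Added example. HR.EMPLOYEES, the policy names and 192.0.2.10 are hypothetical.
-- Run as a user holding the AUDIT_ADMIN role on Oracle Database 12.1 or later.

-- Access to particular objects: record changes to a sensitive table,
-- but not every SELECT against it.
CREATE AUDIT POLICY hr_employee_changes
  ACTIONS UPDATE ON hr.employees,
          DELETE ON hr.employees;

-- Use of roles or privileges, limited by a runtime condition: record use of
-- powerful privileges only when the session does not come from the
-- application server. IP_ADDRESS is NULL for local connections, so the
-- NULL case is listed explicitly instead of silently evaluating to "no audit".
CREATE AUDIT POLICY priv_use_off_app_server
  PRIVILEGES SELECT ANY TABLE, ALTER SYSTEM
  ROLES dba
  WHEN 'SYS_CONTEXT(''USERENV'',''IP_ADDRESS'') IS NULL OR SYS_CONTEXT(''USERENV'',''IP_ADDRESS'') != ''192.0.2.10'''
  EVALUATE PER SESSION;

-- Policies record nothing until they are enabled.
AUDIT POLICY hr_employee_changes;
AUDIT POLICY priv_use_off_app_server;

-- Confirm what is enabled and for whom.
SELECT policy_name, enabled_opt, user_name
FROM   audit_unified_enabled_policies;

-- Review the resulting records.
SELECT event_timestamp, dbusername, userhost, action_name,
       object_schema, object_name, unified_audit_policies
FROM   unified_audit_trail
WHERE  unified_audit_policies LIKE '%HR_EMPLOYEE_CHANGES%'
   OR  unified_audit_policies LIKE '%PRIV_USE_OFF_APP_SERVER%'
ORDER  BY event_timestamp DESC;
```
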
Oracle Audit Vault
- Collects and consolidates audit data from multiple sources
- Protects against tampering by removing audit data from subject systems
- Can collect additional detail from database redo logs such as values before and after update
- New reports show trends and anomalous activity
[Diagram labels: Audit Data & Event Logs from Databases, OS & Storage, Directories, Custom; Audit Vault; Alerts, Reports, Policies]

- http://docs.oracle.com/database/121/dbseg/toc.htm (Security Guide)
- http://docs.oracle.com/database/121/tdpsg/toc.htm (2Day Security Guide)
- http://www.securityfocus.com/bid
- http://www.oracle.com/technetwork/topics/security/alerts-086861.htm
- http://www.oracle.com/technetwork/database/security/index.html
- http://www.securedba.com/securedba/oracle_db/
- http://oraclesecurity.com
- http://www.imperva.com/products/dsc_scuba-database-vulnerability-scanner.html
- http://www.mcafee.com/uk/products/security-scanner-for-databases.aspx

Q & A
HOUG 2016
Fehér Lajos