PMG SSI Compliance for the Government Sector in Chile
Jaime Briggs, MSc CS, CISSP, CCSK
Sales Manager, Strategic Accounts
jaime.briggs@oracle.com

Agenda
- Fundamental Pillars of SSI
- Security Challenges
- Database Security Strategy
- Database Security Solutions
- Defense in Depth
- Q&A
Fundamental Pillars of SSI
Billions of database records stolen
- 97% of losses could have been avoided with basic controls
- 98% of the stolen records came from databases
- 84% of breaches used stolen credentials
- 71% of the data was stolen within minutes
- 92% of breaches were discovered by third parties

How secure are your databases? 2012 IOUG Data Security Survey Results
- 68%: data stored in database files can be read at the OS level
- 44%: cannot prevent direct access to the database (application bypass)
- 32%: can prevent DBAs from accessing data or stored procedures
- 65%: have taken no action to prevent SQL injection attacks
- 61%: do not monitor application writes to sensitive data
- 55%: copy production data to testing environments
Why are databases so vulnerable?
80% of IT Security Programs Don't Address Database Security (Forrester Research)
"Enterprises are taking on risks that they may not even be aware of. Especially as more and more attacks against databases exploit legitimate access."
(Chart of security program areas: Network Security, Authentication & User Security, SIEM, Email Security, Database Security, Web Application Firewall, Endpoint Security)

Database security requires auditing, authorization, authentication and more
(Diagram of controls: Data Discovery, Compliance Scan, Vulnerability Scan, Security Patching, Privileged User Access, Applications, SQL Monitoring & Blocking, Activity Auditing, Encryption, Masking)
The cornerstone is encryption
Preventive Control for Oracle Databases: Oracle Advanced Security
- Complete data-at-rest encryption prevents direct access by IT staff and OS users
- Efficient application data encryption without application changes
- Built-in two-tier key management for separation of duties, with support for centralized key management using an HSM/KMS
- Strong authentication of database users for greater identity assurance
(Diagram: Applications, Disk, Backups, Exports, Off-Site Facilities)

Privileged User Controls
Preventive Control for Oracle Databases: Database Vault
- Automatic and customizable DBA separation of duties and protective realms
- Enforce who, where, when, and how data is accessed using rules and factors
- Securely consolidate application data or enable multi-tenant data management
(Diagram: Procurement, HR and Finance applications; Security DBA and Application DBA roles; a DBA issuing "select * from finance.customers" against the protected Finance realm)
Authentication and SSO
Label Based Access Control
Preventive Control for Oracle Databases: Oracle Label Security
- Virtual information partitioning
- Classify users and data using labels
- Database-enforced row-level access control, transparent to applications
- Classification labels based on business drivers can be factors in other policies
- User classification through Oracle Identity Management Suite
(Diagram: Confidential, Sensitive and Public labels applied to Transactions, Report Data and Reports)

Database Activity Monitoring and Firewall
Detective Control for Oracle and non-Oracle Databases: Oracle Database Firewall
- Monitors database activity, detects and prevents attacks, e.g. SQL injection
- White-list, black-list, and exception-list security policies based on highly accurate SQL-grammar-based analysis
- Scalable software appliance offers inline blocking and monitoring, or out-of-band monitoring modes
- Built-in and custom compliance reports
(Diagram: Applications and Users -> Oracle Database Firewall -> SQL Analysis (Whitelist, Blacklist, Policy Factors) -> Allow, Log, Alert, Substitute, Block)
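To make the white-list idea on this slide concrete, here is an added, simplified illustration (not Oracle Database Firewall's own engine): statements are reduced to a grammatical template with literals replaced, and only templates learned from known-good application SQL are allowed, so a statement whose structure has changed falls through to the policy's default action. The table, column and statement names are constructed for the example.

```python
import re

# Tokenizer for a small SQL subset: string literals, numeric literals,
# identifiers/keywords, line comments, and single punctuation characters.
_TOKEN = re.compile(r"""
    '(?:[^']|'')*'            # single-quoted string literal
  | \b\d+(?:\.\d+)?\b         # numeric literal
  | [A-Za-z_][A-Za-z0-9_.]*   # identifier or keyword (schema.table allowed)
  | --[^\n]*                  # line comment (kept: it changes the template)
  | \S                        # any other single character
""", re.VERBOSE)

def normalize(sql: str) -> str:
    """Reduce a statement to its grammatical shape: literals become '?',
    keywords/identifiers are uppercased, whitespace is collapsed.
    Statements that differ only in bound values share one template;
    a statement whose structure changed does not."""
    out = []
    for tok in _TOKEN.findall(sql):
        if tok.startswith("'") or re.fullmatch(r"\d+(?:\.\d+)?", tok):
            out.append("?")
        elif re.fullmatch(r"[A-Za-z_][A-Za-z0-9_.]*", tok):
            out.append(tok.upper())
        else:
            out.append(tok)
    return " ".join(out)

class SqlFirewallPolicy:
    """White-list learned from known-good application SQL. Anything else gets
    the policy's default action: BLOCK (inline mode) or ALERT/LOG (monitoring)."""
    def __init__(self, learned_sql, default_action: str = "BLOCK"):
        self.whitelist = {normalize(s) for s in learned_sql}
        self.default_action = default_action

    def evaluate(self, sql: str) -> str:
        return "ALLOW" if normalize(sql) in self.whitelist else self.default_action

# Constructed sample of what the application is known to send (the learning set).
LEARNED = [
    "SELECT name, balance FROM finance.customers WHERE id = 42",
    "UPDATE finance.customers SET balance = 100.5 WHERE id = 42",
]
```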
Audit, Report, and Alert in Real Time
Detective Control for Oracle and non-Oracle Databases: Oracle Audit Vault
- Consolidate database audit trails into a secure centralized repository
- Detect and alert on suspicious activities, including those of privileged users
- Out-of-the-box compliance reports for SOX, PCI, and other regulations
- Streamline audits with report generation, notification, attestation, archiving, etc.
(Diagram: Databases with HR, CRM and ERP data send Audit Data under Policies to the Audit Vault, which produces Alerts, Built-in Reports and Custom Reports for the Auditor)

Configuration Management
Administrative Control for Oracle Databases: Oracle Database Lifecycle Management
- Discover and classify databases into security and compliance policy groups
- Scan databases against 400+ best practices, industry standards, and custom checks
- Detect unauthorized database configuration changes, with trouble-ticket tracking
- Automated patching, provisioning, and change management
(Diagram: Discover -> Scan & Monitor -> Patch)

Masking Data for Non-Production Use
Preventive Control for Oracle Databases: Oracle Data Masking
- Make application data securely available in non-production environments
- Prevent application developers and testers from seeing production data
- Extensible template library and policies for data masking automation
- Referential integrity automatically preserved so applications work

Production:
LAST_NAME   SSN          SALARY
AGUILAR     203-33-3234  40,000
BENSON      323-22-2943  60,000

Non-Production (Test, Dev):
LAST_NAME   SSN          SALARY
ANSKEKSL    323-23-1111  60,000
BKJHHEIEDK  252-34-1345  40,000
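The masking table above shows three techniques at once: the SSN is substituted while keeping its NNN-NN-NNNN format, the last name is replaced by a random string of the same length, and salaries are shuffled between rows. The added example below (not Oracle Data Masking's implementation) reproduces those three on constructed sample tables and shows why a consistent, keyed mapping is what keeps referential integrity intact: a second table that references SSN still joins after masking. MASK_KEY and the table layouts are assumptions for the demo.

```python
import hashlib
import hmac
import random
import string

# Constructed sample data modelled on the slide; PAYROLL references EMPLOYEES.SSN, so masking must keep that join valid.
EMPLOYEES = [
    {"LAST_NAME": "AGUILAR", "SSN": "203-33-3234", "SALARY": 40000},
    {"LAST_NAME": "BENSON", "SSN": "323-22-2943", "SALARY": 60000},
]
PAYROLL = [
    {"SSN": "203-33-3234", "PERIOD": "2012-05", "PAID": 3333},
    {"SSN": "323-22-2943", "PERIOD": "2012-05", "PAID": 5000},
]
MASK_KEY = b"constructed-demo-key"  # hypothetical masking secret; stays in production, never ships to test/dev

def _seed(value: str) -> int:
    # Keyed hash: same input -> same output in every table, but not recomputable without the key.
    digest = hmac.new(MASK_KEY, value.encode(), hashlib.sha256).digest()
    return int.from_bytes(digest[:8], "big")

def mask_ssn(ssn: str) -> str:
    """Format-preserving substitute: keeps the NNN-NN-NNNN layout, replaces every digit."""
    rng = random.Random(_seed("ssn:" + ssn))
    while True:
        out = "-".join("".join(rng.choice(string.digits) for _ in range(n)) for n in (3, 2, 4))
        if out != ssn:  # never hand the real value back out
            return out

def mask_name(name: str) -> str:
    """Random uppercase string of the same length, as in the slide's LAST_NAME column."""
    rng = random.Random(_seed("name:" + name))
    return "".join(rng.choice(string.ascii_uppercase) for _ in range(len(name)))

def shuffle_column(rows: list, column: str) -> list:
    """Shuffle one column across rows (the slide's SALARY): realistic values, detached from the person."""
    values = [r[column] for r in rows]
    random.Random(_seed("shuffle:" + column)).shuffle(values)
    return [dict(r, **{column: v}) for r, v in zip(rows, values)]

def mask_dataset(employees: list, payroll: list) -> tuple:
    """Apply the same SSN mapping to both tables so foreign keys still resolve."""
    emp = [dict(r, LAST_NAME=mask_name(r["LAST_NAME"]), SSN=mask_ssn(r["SSN"])) for r in employees]
    emp = shuffle_column(emp, "SALARY")
    pay = [dict(r, SSN=mask_ssn(r["SSN"])) for r in payroll]
    return emp, pay

def join_ok(employees: list, payroll: list) -> bool:
    keys = {r["SSN"] for r in employees}  # referential-integrity check: every PAYROLL.SSN resolves
    return all(r["SSN"] in keys for r in payroll)
```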
Some Oracle security customers
What they have required:
- A complete solution
- Transparent
- Effective
- Scalable
- Flexible

Q&A