Security Inside-Out with Oracle Database 12c
Denise Mallin, CISSP, Oracle Enterprise Architect - Security
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.
Breach statistics
- Records breached: over 1.1 billion served
- 67% of records breached from servers
- 76% breached using weak or stolen credentials
- 69% discovered by an external party
- 97% preventable with basic controls
Agenda
- Changing Security Landscape
- Data Protection Challenges
- Oracle Database 12c Defense-in-Depth
Basic security is not enough for today's business
From: Accidents, Disclosures, Privilege Abuse, Curiosity, Data Leakage
To: Social Engineering, Sophisticated Attacks, Business Data Theft, Reputation Loss
Adapted from Kuppinger Cole presentation, March 2013
More Targets to Attack: DBAs, OS administrators, developers, testers, partners, ...
Anatomy of an Attack
"You don't bother to just simply hack the organization and its infrastructure; you focus much more of your attention on hacking the employees."
Uri Rivner, former CTO, RSA (Security Division of EMC), http://blogs.rsa.com/rivner/anatomy-of-an-attack
Why Are Databases Vulnerable?
80% of IT security programs don't address database security.
Chart: coverage of Network Security, Authentication & User Security, SIEM, Email Security, Database Security and Endpoint Security in IT security programs (Source: Forrester 2012)
Oracle Database Security Offerings
Security and Compliance for Databases

PREVENTIVE                 DETECTIVE              ADMINISTRATIVE
Encryption and Redaction   Auditing               Privilege Analysis
Data Masking               Activity Monitoring    Sensitive Data Discovery
Privileged User Controls   Database Firewall      Configuration Management
Transparent Data Encryption (TDE)
Preventive control for Oracle databases (Advanced Security)
- Encrypts tablespaces or columns to secure data at rest
- Built-in two-tier key management
- Requires no application changes
- Near-zero overhead with hardware cryptographic acceleration
- Integrated with Oracle DB technologies: log files, compression, ASM, Data Pump
Diagram: data stays encrypted across applications, disk, backups, exports and off-site facilities
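As an added example (not from the slides), the following SQL enables TDE tablespace encryption on Oracle Database 12c using the ADMINISTER KEY MANAGEMENT syntax. The keystore path, datafile path, password and the HR table are assumed placeholders; the statements must run as a user holding the SYSKM privilege (or ADMINISTER KEY MANAGEMENT).

```sql
-- Added example, not the deck's own material. Paths, password and
-- object names are assumed placeholders.
-- Step 1 (sqlnet.ora on the database server, not SQL):
--   ENCRYPTION_WALLET_LOCATION =
--     (SOURCE = (METHOD = FILE)(METHOD_DATA = (DIRECTORY = /etc/oracle/wallet)))
-- Step 2: create and open the software keystore, then create the TDE
-- master encryption key (tier 1); tablespace keys (tier 2) are generated
-- automatically and stored encrypted under the master key.
ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '/etc/oracle/wallet'
  IDENTIFIED BY "keystore_password_placeholder";
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN
  IDENTIFIED BY "keystore_password_placeholder";
ADMINISTER KEY MANAGEMENT SET KEY
  IDENTIFIED BY "keystore_password_placeholder" WITH BACKUP;

-- Step 3: an encrypted tablespace. Every segment stored in it is encrypted
-- on disk, so datafile copies, RMAN backups and Data Pump exports of it
-- do not expose clear text.
CREATE TABLESPACE hr_secure
  DATAFILE '/u01/oradata/ORCL/hr_secure01.dbf' SIZE 100M
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

-- No application change: a normal table placed in that tablespace is
-- transparently encrypted on write and decrypted on read.
CREATE TABLE hr.employee_bank (
  emp_id NUMBER PRIMARY KEY,
  iban   VARCHAR2(34)
) TABLESPACE hr_secure;

-- Verification: keystore state, and which tablespaces are encrypted with
-- which algorithm.
SELECT wrl_type, status, wallet_type FROM v$encryption_wallet;
SELECT t.name, e.encryptionalg
  FROM v$encrypted_tablespaces e
  JOIN v$tablespace t ON t.ts# = e.ts#;
```

Operationally, the keystore (and its backups) is the thing to protect: if it is lost, the encrypted tablespaces are unreadable, and if it is copied alongside the datafiles, the encryption adds nothing, which is why the deck pairs TDE with central key management.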
Oracle Key Vault
Simplified key management
- Centrally manage keys, secrets, passwords and wallets
- Share secret data as needed (Data Guard, RAC, GoldenGate)
- Retrieve TDE master keys
- Online/offline mode
- Simplified enrollment and provisioning
- Secure software appliance
Diagram: TDE wallets and decryption keys, the Secure External Password Store, applications and OASIS KMIP 1.1 endpoints are all served by Oracle Key Vault
Redaction of Sensitive Data Displayed
Preventive control for Oracle Database 12c and 11g (11.2.0.4) (Advanced Security)
- Real-time redaction based upon user, IP, application context, session factors, ...
- Applies to columns on tables/views
- Full/partial, random/fixed redaction
- Transparent to typical applications
- No impact on operational activities
Example: the table stores credit card numbers 4451-2172-9841-4368, 5106-8395-2095-5938 and 7830-0032-0294-1827; under the redaction policy the call center application sees xxxx-xxxx-xxxx-4368 while the billing department sees 4451-2172-9841-4368
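As an added example (not from the slides), this DBMS_REDACT policy reproduces the card-number case above: the call center sees only the last four digits, the billing department sees the full value. The SALES schema, CARDS table and the BILLING account are assumed names; the redaction format string and the DBMS_REDACT constants are the real 12c API.

```sql
-- Added example, not the deck's own code. Schema, table and user names are
-- assumed placeholders.
CREATE TABLE sales.cards (
  cust_id NUMBER PRIMARY KEY,
  ccn     VARCHAR2(19)      -- stored in the form 4451-2172-9841-4368
);

BEGIN
  DBMS_REDACT.ADD_POLICY(
    object_schema       => 'SALES',
    object_name         => 'CARDS',
    column_name         => 'CCN',
    policy_name         => 'redact_card_numbers',
    function_type       => DBMS_REDACT.PARTIAL,
    -- Partial redaction parameters: input format (V = redactable character,
    -- F = formatting character kept as-is), output format, mask character,
    -- first and last V position to mask. Positions 1-12 are the first
    -- twelve digits, so the last four digits survive.
    function_parameters => 'VVVVFVVVVFVVVVFVVVV,VVVV-VVVV-VVVV-VVVV,x,1,12',
    -- Policy expression: redact for every session except the billing
    -- application user. An application context attribute or the client IP
    -- (SYS_CONTEXT('USERENV','IP_ADDRESS')) can be tested the same way.
    expression          => 'SYS_CONTEXT(''USERENV'',''SESSION_USER'') <> ''BILLING''',
    enable_status       => DBMS_REDACT.ENABLED,
    policy_description  => 'Mask card numbers outside the billing department');
END;
/

-- A CALLCENTER session: SELECT ccn FROM sales.cards  -> xxxx-xxxx-xxxx-4368
-- A BILLING session:    SELECT ccn FROM sales.cards  -> 4451-2172-9841-4368
-- Redaction changes query results only; the stored value is untouched.

-- Review which policies exist and what condition drives them.
SELECT object_owner, object_name, policy_name, expression, enable
  FROM redaction_policies;
```

Two caveats a reviewer would raise: a user granted EXEMPT REDACTION POLICY bypasses every policy, so that privilege should be treated like any other privileged-account grant, and redaction is a display control for applications, not a substitute for encryption at rest or for masking test copies.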
Masking Data for Non-Production Use
Preventive control for Oracle and non-Oracle databases (Oracle Data Masking)
- Replaces sensitive application data
- Detects/preserves referential integrity
- Extensible template library and formats
- Supports masking in non-Oracle databases
- Integrates with subsetting and Real Application Testing

Example, production:
LAST_NAME    SSN          SALARY
AGUILAR      203-33-3234  60,000
BENSON       323-22-2943  40,000

Non-production (Test, Dev):
LAST_NAME    SSN          SALARY
ANSKEKSL     323-23-1111  60,000
BKJHHEIEDK   252-34-1345  40,000
Preventive Controls Inside the Oracle Database
Preventive control for Oracle databases (Oracle Database Vault)
- Realms around sensitive schemas or objects
- Restrict DBA access to realm data
- Support multi-factor SQL command rules
- Enforce separation of duties
- Block threats targeting privileged DB accounts
- Restrict all access unless explicitly authorized, with Mandatory Realms (new)
Diagram: the Finance, HR and Procurement applications and the HR Admin reach their own data; a DBA issuing "select * from procurement.bids" is blocked by the realm; the Security DBA is a separate role
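As an added example (not from the slides), the following PL/SQL builds the realm from the diagram: a mandatory realm around the PROCUREMENT schema, so that a DBA's SELECT ANY TABLE no longer reaches procurement.bids. It must run as a Database Vault owner (DV_OWNER role); the realm name and the PROCUREMENT_APP account are assumed.

```sql
-- Added example, not the deck's own code. Realm, schema and account names
-- are assumed placeholders; the DBMS_MACADM API is the real 12c one.
BEGIN
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'Procurement Realm',
    description   => 'Protects bid data from privileged accounts',
    enabled       => DBMS_MACUTL.G_YES,
    -- Audit failed attempts so realm violations show up in the audit trail.
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL,
    -- realm_type 1 = mandatory realm (new in 12c): even the object owner
    -- and users with direct object grants are blocked unless authorized
    -- in the realm. realm_type 0 = regular realm, which only blocks
    -- system privileges such as SELECT ANY TABLE.
    realm_type    => 1);

  -- Protect every object in the schema (wildcards are allowed).
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'Procurement Realm',
    object_owner => 'PROCUREMENT',
    object_name  => '%',
    object_type  => '%');

  -- Only the application account is authorized; a rule set could add
  -- multi-factor conditions (client IP, time of day, program name).
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'Procurement Realm',
    grantee       => 'PROCUREMENT_APP',
    rule_set_name => NULL,
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);
END;
/

-- A DBA session now receives ORA-01031 (insufficient privileges) on:
--   SELECT * FROM procurement.bids;
-- and the attempt is recorded because of G_REALM_AUDIT_FAIL.

-- Verification: realm definition and who is authorized in it.
SELECT name, enabled, realm_type FROM dba_dv_realm;
SELECT realm_name, grantee, auth_options FROM dba_dv_realm_auth;
```

The separation of duties the slide mentions is what makes this hold: the DV_OWNER who defines realms is a different person from the DBA who administers the instance, so neither can quietly grant themselves back the access.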
Label Based Access Control
Preventive control for Oracle databases (Oracle Label Security)
- Multi-level security for consistent access control across applications using the data
- Classify users and/or data using labels
- Row-level access control using labels
- Virtual information partitioning for cloud, SaaS and hosting environments
- User labels can be used for Redaction and Database Vault
Diagram: rows and users labelled Public, Confidential and Sensitive
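As an added example (not from the slides), the following sets up an Oracle Label Security policy with the three levels from the diagram (Public, Confidential, Sensitive) and applies it to a table so that rows above a user's clearance are filtered out of every query. The policy name, HR.DOCUMENTS table and the ANALYST and DIRECTOR accounts are assumed; the SA_* packages are the real OLS API and require the LBAC_DBA role and the policy's own DBA role.

```sql
-- Added example, not the deck's own code. Policy, table and user names are
-- assumed placeholders.
BEGIN
  -- A policy owns a label column that OLS adds to each protected table.
  SA_SYSDBA.CREATE_POLICY(
    policy_name     => 'DOC_POLICY',
    column_name     => 'DOC_LABEL',
    default_options => 'READ_CONTROL,WRITE_CONTROL');

  -- Levels are ordered by number: a user can read rows at or below their
  -- maximum read level.
  SA_COMPONENTS.CREATE_LEVEL('DOC_POLICY', 1000, 'P', 'PUBLIC');
  SA_COMPONENTS.CREATE_LEVEL('DOC_POLICY', 2000, 'C', 'CONFIDENTIAL');
  SA_COMPONENTS.CREATE_LEVEL('DOC_POLICY', 3000, 'S', 'SENSITIVE');

  -- Data labels (tag, label string) that rows can carry.
  SA_LABEL_ADMIN.CREATE_LABEL('DOC_POLICY', 1000, 'P', TRUE);
  SA_LABEL_ADMIN.CREATE_LABEL('DOC_POLICY', 2000, 'C', TRUE);
  SA_LABEL_ADMIN.CREATE_LABEL('DOC_POLICY', 3000, 'S', TRUE);

  -- Enforce the policy on the table: the label column is added and every
  -- read and write is mediated by the user's labels.
  SA_POLICY_ADMIN.APPLY_TABLE_POLICY(
    policy_name   => 'DOC_POLICY',
    schema_name   => 'HR',
    table_name    => 'DOCUMENTS',
    table_options => 'READ_CONTROL,WRITE_CONTROL');

  -- User clearances: ANALYST reads up to CONFIDENTIAL, DIRECTOR up to
  -- SENSITIVE (third argument is the maximum read label).
  SA_USER_ADMIN.SET_USER_LABELS('DOC_POLICY', 'ANALYST',  'C');
  SA_USER_ADMIN.SET_USER_LABELS('DOC_POLICY', 'DIRECTOR', 'S');
END;
/

-- Classify rows by writing a label tag into the policy column.
UPDATE hr.documents SET doc_label = CHAR_TO_LABEL('DOC_POLICY', 'S')
 WHERE title LIKE 'Merger%';
UPDATE hr.documents SET doc_label = CHAR_TO_LABEL('DOC_POLICY', 'P')
 WHERE doc_label IS NULL;

-- ANALYST: SELECT * FROM hr.documents returns Public and Confidential rows
-- only; the Sensitive rows are silently absent, with no error raised.
```

Because the filtering happens inside the database rather than in each application's WHERE clause, every client (reporting tool, ad-hoc SQL, a second application) gets the same answer, which is the "consistent access control" point the slide makes.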
New Conditional Auditing Framework
Detective control for Oracle Database 12c (Database Auditing)
- New condition-based syntax:
  What: CREATE, ALTER, ALL, ...
  Where: set of privileges, roles, objects
  When: IP_ADDRESS != 10.288.241.88
  Exceptions: except HR
- Group audit settings for manageability
- Out-of-box audit policies
- New roles: Audit Viewer and Audit Admin
- Single unified database audit trail
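As an added example (not from the slides), the following shows the 12c unified audit policy syntax with the four parts the slide names (what, where, when, exceptions), a built-in policy, and a query against the single unified trail. The policy name, the HR_BATCH account and the IP address 10.0.0.88 are assumed placeholders.

```sql
-- Added example, not the deck's own code. Policy, account and IP values
-- are assumed placeholders; the syntax is the real 12c one.
CREATE AUDIT POLICY ddl_outside_admin_host
  -- Where: system privileges to watch when they are exercised
  PRIVILEGES CREATE ANY TABLE, DROP ANY TABLE
  -- What: actions to record regardless of privilege used
  ACTIONS CREATE TABLE, ALTER TABLE, DROP TABLE
  -- When: only for sessions not coming from the admin host; the condition
  -- is any expression over SYS_CONTEXT attributes
  WHEN 'SYS_CONTEXT(''USERENV'', ''IP_ADDRESS'') != ''10.0.0.88'''
  EVALUATE PER SESSION;   -- checked once at logon instead of per statement

-- Exceptions: enable the policy for everyone except the HR batch account.
AUDIT POLICY ddl_outside_admin_host EXCEPT hr_batch;

-- Out-of-box policy covering security-relevant configuration changes.
AUDIT POLICY ora_secureconfig;

-- The AUDIT_VIEWER role reads the unified trail; AUDIT_ADMIN manages
-- policies. This is what a reviewer would run to see what the policy caught.
SELECT event_timestamp, dbusername, action_name, object_schema,
       object_name, unified_audit_policies, sql_text
  FROM unified_audit_trail
 WHERE unified_audit_policies LIKE '%DDL_OUTSIDE_ADMIN_HOST%'
 ORDER BY event_timestamp DESC;
```

Grouping the what/where/when into one named policy is the manageability gain: enabling or disabling the policy is a single AUDIT/NOAUDIT statement, and the trail records which policy produced each row, so a record can be traced back to the rule that generated it.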
Audit, Report, and Alert in Real Time
Detective control for Oracle and non-Oracle databases (Oracle Audit Vault and Database Firewall)
- Collect and analyze audit/event data
- Consolidated multi-source reporting
- Out-of-the-box and custom reports
- Conditional real-time alerts
- Secure, scalable software appliance
Diagram: audit data and event logs from databases, OS and storage, directories, custom sources and Oracle Database Firewall flow into Audit Vault, which delivers alerts, reports and policies to the SOC, auditors and security analysts
Database Activity Monitoring and Firewall
Detective control for Oracle and non-Oracle databases (Oracle Audit Vault and Database Firewall)
- Monitor database network traffic
- Block unauthorized database activity, including SQL injection attacks
- Highly accurate SQL grammar analysis
- Policy actions: Allow, Log, Alert, Substitute, Block
- Whitelist approach to enforce expected activity
- Blacklists for managing high-risk activity
- Secure, scalable software appliance
Diagram: SQL analysis combines whitelist, blacklist and policy factors to select the action
Oracle Audit Vault and Database Firewall
Detective control for databases, operating systems, ...
Diagram: Database Firewall events and audit data are collected into the Audit Vault; built-in and custom reports, alerts and policies are produced from it
Discover Use of Privileges and Roles
Administrative control for Oracle Database 12c (Oracle Database Vault)
- Capture privileges used per session, across sessions, per specific context, or for the full database
- Report on privileges/roles used and unused
- Help revoke unnecessary privileges
- Enforce least privilege and reduce risk
- Increase security without disruption
Diagram: privilege analysis finds the DBA role using Create, Drop and Update, while the APPADMIN role's Update privilege is unused
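As an added example (not from the slides), the following runs a privilege analysis capture for the DBA and APPADMIN roles from the diagram, generates the report, and then revokes one unused grant. The capture name, the SALES.ORDERS table and the APPADMIN role are assumed; DBMS_PRIVILEGE_CAPTURE and the DBA_USED_PRIVS / DBA_UNUSED_PRIVS views are the real 12c API and require the CAPTURE_ADMIN role.

```sql
-- Added example, not the deck's own code. Capture, role and object names
-- are assumed placeholders.
BEGIN
  -- Role capture: record privileges exercised through these roles only.
  -- G_DATABASE captures everything, G_CONTEXT limits the capture with a
  -- SYS_CONTEXT condition (e.g. one application user), and
  -- G_ROLE_AND_CONTEXT combines the two.
  DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE(
    name        => 'app_role_usage',
    description => 'Privileges exercised through DBA and APPADMIN',
    type        => DBMS_PRIVILEGE_CAPTURE.G_ROLE,
    roles       => ROLE_NAME_LIST('DBA', 'APPADMIN'));
  DBMS_PRIVILEGE_CAPTURE.ENABLE_CAPTURE('app_role_usage');
END;
/

-- Leave the capture running through a complete business cycle (month-end
-- close, batch jobs, admin tasks) so rarely used privileges get exercised.

BEGIN
  DBMS_PRIVILEGE_CAPTURE.DISABLE_CAPTURE('app_role_usage');
  DBMS_PRIVILEGE_CAPTURE.GENERATE_RESULT('app_role_usage');
END;
/

-- What was used: in the diagram's case, DBA exercised Create, Drop and
-- Update.
SELECT username, used_role, sys_priv, obj_priv, object_owner, object_name
  FROM dba_used_privs
 WHERE capture = 'app_role_usage';

-- What was granted but never used: in the diagram's case, APPADMIN's
-- Update.
SELECT username, used_role, sys_priv, obj_priv, object_owner, object_name
  FROM dba_unused_privs
 WHERE capture = 'app_role_usage';

-- Revoke after review. The report shows what ran during the window, not
-- what a code path that did not execute might still need, so revoke in a
-- test environment first or keep a rollback grant script ready.
REVOKE UPDATE ON sales.orders FROM appadmin;
```

This is the "without disruption" path the slide refers to: nothing is taken away while the capture runs, and the revocation is a separate, reviewed step.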
Discover Sensitive Data and Databases
Administrative control for Oracle Database 12c (Oracle Enterprise Manager 12c)
- Scan Oracle databases for sensitive data
- Use built-in, extensible data definitions
- Discover application data models
- Protect sensitive data appropriately: encrypt, redact, mask, audit
Configuration Management
Administrative control for Oracle databases (Oracle Database Lifecycle Management)
- Discover and classify databases
- Scan for secure configuration
- Follow compliance frameworks
- Detect unauthorized changes
- Patching and provisioning
Diagram: Discover, Scan & Monitor, Patch cycle
Database Security Additions/Improvements in 12c
Performance and management:
- 2x-25x performance: Label Security, Database Vault, Audit, Encryption
- Hardware cryptographic acceleration
- EM Security Console with revamped UI
Additions to all DB editions:
- Strong authentication, SSL/TLS and native network encryption
- Conditional auditing
- New separation-of-duty roles
- Updated Kerberos and cryptography stack
- Secure DB configuration on Windows
Additions to DB Enterprise Edition:
- Real Application Security
- Transparent Sensitive Data Protection
Additions to DB security options:
- Data Redaction (Advanced Security)
- Privilege Analysis (Database Vault)
- Mandatory Realms (Database Vault)
- EM Sensitive Data Discovery (for all DB security options)
Oracle Database Security Offerings
Defense-in-Depth for Maximum Security

PREVENTIVE                 DETECTIVE              ADMINISTRATIVE
Encryption and Redaction   Auditing               Privilege Analysis
Data Masking               Activity Monitoring    Sensitive Data Discovery
Privileged User Controls   Database Firewall      Configuration Management
Oracle Maximum Security Architecture: Core Components
- Advanced Security: TDE and Data Redaction
- Database Vault: Privileged User Controls and Privilege Analysis
- Data Masking
- Database Firewall
- Audit Vault: audit data and event logs from databases, OS and storage, directories and custom sources; alerts, reports and policies
Diagram: users and applications reach the databases through these components; events from the Database Firewall and the databases feed the Audit Vault
Oracle Database Security Summary
- Security and compliance
- Enterprise ready
- Simple and flexible
- Speed and scale