Oracle Database 11g Security and Compliance Solutions - By Tom Kyte
- 1. 1 Copyright © 2012, Oracle and/or its affiliates. All rights
reserved.
Public Information
- 2.
The following is intended to outline our general product
direction. It is intended for information purposes only, and
may not be incorporated into any contract. It is not a
commitment to deliver any material, code, or functionality,
and should not be relied upon in making purchasing
decisions. The development, release, and timing of any
features or functionality described for Oracle’s products
remains at the sole discretion of Oracle.
- 3.
Best Practices for Database
Security and Compliance
Tom Kyte, Sr. Technical Architect, Oracle
Troy Kitch, Sr. Manager, Database Security Product Marketing, Oracle
- 4.
Program Agenda
• Enterprise Data Security Challenges
• Database Security Best Practices
• Oracle Database Security Solutions
• Defense-in-Depth
• Q&A
- 5.
Database Server Breaches
Two-thirds of sensitive and regulated information now resides in databases … and doubling every two years
Over 1B records compromised over past six years
• 48% of data breaches caused by insiders
• 89% of records stolen using SQL injection
• 86% of hacking used stolen credentials
Source: Verizon, 2007-11 and IDC, "Effective Data Leak Prevention Programs: Start by Protecting Data at the Source — Your Databases", August 2011
- 6.
How Secure Are Your Databases?
2011 IOUG Data Security Survey Results
24% Can prevent DBAs from accessing data and stored procedures
69% Do not monitor sensitive application data reads and writes
63% Have not taken steps to prevent SQL injection attacks or unsure
48% Copy sensitive data to development and test environments
70% Data stored in database files or storage can be read at OS level
57% Cannot prevent direct access to database (application bypass)
- 7.
IT Security Not Addressing Database Security – Only 20% Have a Plan
“Forrester estimates that although 70% of enterprises have an information security plan, only 20% of enterprises have a database security plan.”
Source: Creating An Enterprise Database Security Plan, July 2010
[Diagram: areas covered by a typical information security plan – Endpoint Security, Vulnerability Management, Network Security, Email Security, Authentication and User Security, Database Security]
- 8.
Database Security Best Practices
Mitigate Database Bypass
• Prevent access to data at OS, storage, network, media layers
• Transparent data encryption for data at rest, in transit, on media
• Separation of duties for key management
Prevent Application Bypass
• Privileged user access control to limit access to application data
• Multi-factor authorization for enforcing enterprise security policies
• Secure application consolidation
Consolidate Auditing and Compliance Reporting
• Native Oracle and non-Oracle database auditing, centralized audit policies
• Consolidate, secure, analyze audit trail, alert on suspicious activities
• Report for compliance & security, automate database audit workflow
Monitor Database Traffic and Block Threats
• Monitor Oracle & non-Oracle database traffic over the network
• Block threats like SQL injection attacks before reaching databases
• Enforce normal database activity, lightweight monitoring
Protect All Database Environments
• Sensitive data discovery for production
• Secure database lifecycle management, configuration scanning, patch automation
• Mask data for nonproduction development & test
- 9.
Mitigate Database Bypass
Oracle Advanced Security for authentication and encryption
• Prevents access to data stored in database files, on tape, etc. by IT staff/OS users
• Efficient application data encryption without application changes
• Built-in two-tier key management for SoD with support for centralized key management using HSM/KMS
• Strong authentication of database users for greater identity assurance
[Diagram: data encrypted on its way from the Application to Disk, Backups, Exports and Off-Site Facilities]
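The "mitigate database bypass" controls above, as an added example that is not from the slides and not Oracle's own material: the Oracle 11g SQL an administrator runs to set up Transparent Data Encryption for a whole tablespace and, alternatively, for a single column, followed by the dictionary views used to verify the result. The names secure_ts, hr.emp, the datafile path, the index name and the wallet password are placeholders, and the sqlnet.ora wallet location is assumed to be configured already.

```sql
-- Added example, not from the slides: Oracle 11g Transparent Data Encryption.
-- Assumptions: sqlnet.ora already sets ENCRYPTION_WALLET_LOCATION to a directory
-- the database can write to; the session has SYSDBA for the wallet commands and
-- DBA for the tablespace/table commands. secure_ts, hr.emp, the datafile path,
-- emp_pk and the wallet password are placeholders.

-- 1. Create the master encryption key and open the wallet (first-time setup).
--    The wallet password belongs to the security administrator, not to the
--    DBA who manages the data: that split is the "two-tier key management"
--    separation of duties the slide refers to.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "WalletPassw0rd-placeholder";
-- Without an auto-login wallet the wallet must be opened after each restart:
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "WalletPassw0rd-placeholder";

-- 2. Tablespace encryption: every block written to secure_ts is encrypted on
--    disk, so file copies, backups and raw exports are unreadable without the
--    master key, and no application change is needed.
CREATE TABLESPACE secure_ts
  DATAFILE '/u01/oradata/ORCL/secure_ts01.dbf' SIZE 100M
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

-- 3a. Move an existing table into the encrypted tablespace. MOVE rebuilds
--     the segment, which leaves its indexes UNUSABLE until rebuilt.
ALTER TABLE hr.emp MOVE TABLESPACE secure_ts;
ALTER INDEX hr.emp_pk REBUILD;

-- 3b. Alternatively, encrypt only the sensitive column and leave the table
--     where it is. NO SALT is required if the column stays in a B-tree index.
ALTER TABLE hr.emp MODIFY (ssn ENCRYPT USING 'AES256' NO SALT);

-- 4. Verification queries an auditor can run.
SELECT wrl_type, wrl_parameter, status
  FROM v$encryption_wallet;                       -- expect STATUS = OPEN
SELECT owner, table_name, column_name, encryption_alg, salt
  FROM dba_encrypted_columns;                     -- lists HR.EMP.SSN
SELECT tablespace_name, encrypted
  FROM dba_tablespaces
 WHERE tablespace_name = 'SECURE_TS';             -- expect ENCRYPTED = YES
```

Step 3a and 3b are alternatives: once a table lives in an encrypted tablespace, column-level encryption on it adds nothing but overhead. The verification queries are the evidence a compliance report needs, and the wallet status check is worth scheduling, because a closed wallet makes every encrypted column unreadable to the application.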
- 10.
Prevent Application Bypass
Oracle Database Vault to enforce privileged user access
• Automatic and customizable DBA separation of duties and protective realms
• Enforce who, where, when, and how data is accessed using rules and factors
– Enforce least privilege for privileged database users
– Prevent application bypass and enforce enterprise data governance
• Securely consolidate application data or enable multi-tenant data management
[Diagram: Procurement, HR and Finance data held in protective realms; the Application's access is allowed, while a DBA's "select * from finance.customers" that bypasses the application is blocked; the Application DBA and the Security DBA are separate roles]
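The realm shown in the diagram, written out as an added example that is not from the slides and not Oracle's own material: a Database Vault realm over the FINANCE schema, authorizing only the application account, so that a DBA-role user's select from finance.customers is refused even though the DBA holds SELECT ANY TABLE. It assumes Database Vault is installed and the session is the Database Vault owner account; the realm name, the FINANCE schema and the FIN_APP and DBA user names are placeholders.

```sql
-- Added example, not from the slides: an Oracle Database Vault realm that keeps
-- the FINANCE schema out of reach of accounts holding powerful system privileges
-- (DBA role, SELECT ANY TABLE) unless they are explicitly authorized.
-- Assumptions: Database Vault is installed; this runs as the Database Vault
-- owner account. 'Finance Realm', FINANCE and FIN_APP are placeholders.

BEGIN
  -- 1. Create the realm. Auditing failed attempts gives the Security DBA a
  --    record of every blocked privileged-user access.
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'Finance Realm',
    description   => 'Protects finance application data from privileged users',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);

  -- 2. Place every object in the FINANCE schema under the realm
  --    ('%' is the wildcard for object name and type).
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'Finance Realm',
    object_owner => 'FINANCE',
    object_name  => '%',
    object_type  => '%');

  -- 3. Authorize only the application account. PARTICIPANT is the
  --    least-privilege option for an account that only needs data access;
  --    OWNER would additionally let it manage roles protected by the realm.
  --    No rule set: the authorization applies unconditionally.
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'Finance Realm',
    grantee       => 'FIN_APP',
    rule_set_name => NULL,
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);
END;
/

-- The statement from the slide, run by a DBA-role user who is not a realm
-- participant, now fails with "ORA-01031: insufficient privileges" even though
-- the account holds SELECT ANY TABLE. Run as FIN_APP it succeeds.
--   select * from finance.customers;

-- Checks for the Security DBA: realm definition, protected objects, authorizations.
SELECT name, enabled, audit_options
  FROM dvsys.dba_dv_realm
 WHERE name = 'Finance Realm';
SELECT owner, object_name, object_type
  FROM dvsys.dba_dv_realm_object
 WHERE realm_name = 'Finance Realm';
SELECT grantee, auth_rule_set_name, auth_options
  FROM dvsys.dba_dv_realm_auth
 WHERE realm_name = 'Finance Realm';

-- Blocked attempts recorded because of G_REALM_AUDIT_FAIL (column names follow
-- the 11g DVSYS.AUDIT_TRAIL$ layout).
SELECT timestamp, username, owner, obj_name, action_name
  FROM dvsys.audit_trail$
 WHERE action_name LIKE 'Realm%'
 ORDER BY timestamp DESC;
```

The realm changes nothing for the application path and requires no application change; what it removes is the implicit "DBA sees everything" assumption. The audit query is the detection half of the control: a steady trickle of realm violations from an administrative account is exactly the "application bypass" the slide warns about.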
- 11.
Prevent Application Bypass
Oracle Label Security for data classification access control
• Classify users and data based on business drivers
• Database enforced row level access control
• User classification through Oracle Identity Management Suite
• Classification labels can be factors in other policies
• No application changes required
[Diagram: rows of Transactions, Report Data and Reports labelled Confidential, Sensitive or Public]
- 12.
Consolidate Auditing & Compliance Reporting
Oracle Audit Vault for real-time database activity monitoring
• Consolidate database audit trail into secure centralized repository
• Detect and alert on suspicious activities, including privileged users
• Out-of-the box compliance reports for SOX, PCI, and other regulations
– E.g., privileged user audit, entitlements, failed logins, regulated data changes
• Streamline audits with report generation, notification, attestation, archiving, etc.
[Diagram: audit data from CRM, ERP, HR and other databases flows into Audit Vault, where policies produce built-in reports, custom reports and alerts for the Auditor]
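The four report areas named in the sub-bullet (privileged user audit, entitlements, failed logins, regulated data changes), as an added example that is not from the slides and not Oracle's own material: the native Oracle 11g audit settings that produce the source records, and the detection queries a central repository such as Audit Vault would run over them. The account ops_dba, the application account FIN_APP and the table finance.customers are placeholders; the alert threshold of five failures per hour is a constructed value.

```sql
-- Added example, not from the slides: native Oracle 11g auditing for the four
-- areas the slide lists, plus the detection queries that turn the trail into
-- alerts. ops_dba, FIN_APP and finance.customers are placeholders.

-- 1. Send audit records to the database with SQL text and bind values.
--    Both parameters need a restart. Actions by SYS are written to the OS
--    audit trail only when audit_sys_operations is TRUE.
ALTER SYSTEM SET audit_trail = 'DB','EXTENDED' SCOPE = SPFILE;
ALTER SYSTEM SET audit_sys_operations = TRUE SCOPE = SPFILE;

-- 2. Audit policies.
AUDIT SESSION WHENEVER NOT SUCCESSFUL;                              -- failed logins
AUDIT ALL BY ops_dba BY ACCESS;                                     -- privileged user audit
AUDIT SELECT, INSERT, UPDATE, DELETE ON finance.customers BY ACCESS; -- regulated data changes
AUDIT GRANT ANY PRIVILEGE, GRANT ANY ROLE, ALTER USER;              -- entitlement changes

-- 3a. Failed logins: a rejected password is recorded with returncode 1017
--     (ORA-01017). Alert when one account or host fails repeatedly.
SELECT username, userhost, COUNT(*) AS failures,
       MIN(timestamp) AS first_seen, MAX(timestamp) AS last_seen
  FROM dba_audit_trail
 WHERE action_name = 'LOGON'
   AND returncode  = 1017
   AND timestamp   > SYSDATE - 1/24          -- last hour
 GROUP BY username, userhost
HAVING COUNT(*) >= 5;                        -- constructed threshold

-- 3b. Regulated data touched by anyone other than the application account:
--     this is "application bypass" seen from the audit side.
SELECT timestamp, username, os_username, userhost, action_name, sql_text
  FROM dba_audit_trail
 WHERE owner    = 'FINANCE'
   AND obj_name = 'CUSTOMERS'
   AND username <> 'FIN_APP'
 ORDER BY timestamp DESC;

-- 3c. Everything the privileged account did today, newest first.
SELECT timestamp, action_name, owner, obj_name, returncode, sql_text
  FROM dba_audit_trail
 WHERE username  = 'OPS_DBA'
   AND timestamp > TRUNC(SYSDATE)
 ORDER BY timestamp DESC;

-- 3d. Entitlement report: who currently holds ANY-privileges or the DBA role.
SELECT grantee, privilege AS entitlement
  FROM dba_sys_privs
 WHERE privilege LIKE '%ANY%'
UNION ALL
SELECT grantee, granted_role
  FROM dba_role_privs
 WHERE granted_role = 'DBA'
 ORDER BY 1, 2;
```

Keeping the trail in the same database it audits is the weak point the slide's "secure centralized repository" bullet addresses: a privileged user who can read finance.customers can usually also delete rows from SYS.AUD$. Shipping the records out promptly, and reporting on gaps in the sequence, is what makes queries 3b and 3c trustworthy.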
- 13.
Consolidate Auditing & Compliance Reporting
Oracle Total Recall for automated change tracking
• Transparently track application data changes over time
• Efficient, tamper-resistant storage of archives in the database
• Real-time access to historical application data using SQL
• Simplified incident forensics and recovery
-- explicit format mask so the query does not depend on the session's NLS_TIMESTAMP_FORMAT
select salary from emp AS OF TIMESTAMP TO_TIMESTAMP('02-MAY-09 12.00 AM', 'DD-MON-RR HH.MI AM') where emp.title = 'admin'
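The flashback query on the slide only works if the table has history to look at. As an added example that is not from the slides and not Oracle's own material, this is the Oracle 11g SQL that creates a Flashback Data Archive (the feature marketed as Total Recall), puts a table under it, and then uses the archive for the three things the bullets promise: a point-in-time read, a forensic list of every version of a row, and recovery of a changed value. The names fda_ts, hr_fda, hr.emp and the employee number 7369 are placeholders; the session is assumed to hold FLASHBACK ARCHIVE ADMINISTER for step 1 and to own hr.emp for step 2.

```sql
-- Added example, not from the slides: Oracle 11g Flashback Data Archive
-- ("Total Recall"). Assumptions: the session has FLASHBACK ARCHIVE ADMINISTER
-- for step 1 and owns hr.emp for step 2. fda_ts, hr_fda, hr.emp and empno 7369
-- are placeholders.

-- 1. Create the archive with a retention period; history older than that is
--    purged automatically. Ordinary users, including the table owner, cannot
--    update or delete the archived history, which is what makes it
--    tamper-resistant compared with a hand-rolled audit table.
CREATE FLASHBACK ARCHIVE hr_fda
  TABLESPACE fda_ts
  QUOTA 10G
  RETENTION 7 YEAR;

-- 2. Start tracking the table. DML on hr.emp continues unchanged; the
--    database records each row version in the background.
ALTER TABLE hr.emp FLASHBACK ARCHIVE hr_fda;

-- 3. Point-in-time read: the slide's query with an explicit format mask.
SELECT salary
  FROM hr.emp AS OF TIMESTAMP
       TO_TIMESTAMP('2009-05-02 00:00:00', 'YYYY-MM-DD HH24:MI:SS')
 WHERE title = 'admin';

-- 4. Forensics: every version of one row inside a window, with the operation
--    (I/U/D) and the transaction id that produced it. VERSIONS_XID can be
--    joined to FLASHBACK_TRANSACTION_QUERY to see the rest of that transaction.
SELECT versions_starttime, versions_endtime, versions_operation, versions_xid,
       empno, salary
  FROM hr.emp
       VERSIONS BETWEEN TIMESTAMP
         TO_TIMESTAMP('2009-05-01 00:00:00', 'YYYY-MM-DD HH24:MI:SS')
         AND MAXVALUE
 WHERE empno = 7369
 ORDER BY versions_starttime;

-- 5. Recovery: restore one row's salary to its value before an unauthorized
--    change, using the archive rather than a backup.
UPDATE hr.emp e
   SET salary = (SELECT h.salary
                   FROM hr.emp AS OF TIMESTAMP
                        TO_TIMESTAMP('2009-05-02 00:00:00', 'YYYY-MM-DD HH24:MI:SS') h
                  WHERE h.empno = e.empno)
 WHERE e.empno = 7369;
COMMIT;

-- 6. Checks: which tables are tracked, and what each archive retains.
SELECT owner_name, table_name, flashback_archive_name, status
  FROM dba_flashback_archive_tables;
SELECT flashback_archive_name, retention_in_days, status
  FROM dba_flashback_archive;
```

The UPDATE in step 5 is itself recorded in the archive, so the recovery action is as auditable as the change it undoes. Retention should be set from the regulation with the longest look-back the data is subject to; the QUOTA is what stops a runaway update storm from filling the tablespace.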
- 14.
Monitor Database Traffic and Block Threats
Oracle Database Firewall for activity monitoring, blocking
• Blocks unauthorized access like SQL injections from reaching databases
• SQL grammar analysis ensures accuracy, enforcement, and scalability
• White lists and black lists enforce application activity without false positives
• Scalable architecture provides enterprise performance in all deployment modes
• Built-in and custom compliance reports for SOX, PCI, and other regulations
[Diagram: SQL from Applications passes through the firewall, whose policies decide per statement to Allow, Log, Alert, Substitute or Block; the policies also feed built-in reports, custom reports and alerts]
- 15.
Protect Database Environment: Production
Oracle Enterprise Manager for secure database lifecycle
• Discover and classify databases into security policy groups
• Scan databases against 400+ best practices and industry standards, custom enterprise-specific configuration policies, and enforce security compliance
• Detect and prevent unauthorized database configuration changes, trouble ticket tracking
• Automated patching and secure provisioning
[Diagram: lifecycle stages Discover, Scan and Monitor, Patch]
- 16.
Protect Database Environment: Nonproduction
Oracle Data Masking for protecting insecure environments
• Make application data securely available in non-production environments
• Prevent application developers and testers from seeing production data
• Extensible template library and policies for data masking automation
• Referential integrity automatically preserved so applications continue to work
• Integration with Real Application Testing and Test Data Management
Production:
LAST_NAME   SSN          SALARY
AGUILAR     203-33-3234  40,000
BENSON      323-22-2943  60,000
Non-Production (masked):
LAST_NAME   SSN          SALARY
ANSKEKSL    111-23-1111  60,000
BKJHHEIEDK  222-34-1345  40,000
Data Never Leaves Database
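What the table above shows, done by hand in SQL as an added example that is not from the slides and is not the Oracle Data Masking Pack itself: random replacement of last names, format-preserving replacement of SSNs driven by one mapping table so that a child table stays joinable (the "referential integrity preserved" bullet), and a shuffle of salaries across rows (which is why the two salaries swap places in the slide's picture). It runs inside the non-production copy, so the data never leaves the database. The tables hr.emp and hr.payroll, the constraint name and the two sample rows are constructed for the example.

```sql
-- Added example, not from the slides and not the Data Masking Pack: the same
-- masking operations written out in plain Oracle SQL, run inside the
-- non-production copy. hr.emp, hr.payroll, fk_payroll_emp and the rows below
-- are constructed for the example.

-- 0. Constructed sample data, matching the slide's production table, plus a
--    child table that references the SSN.
CREATE TABLE hr.emp (
  emp_id    NUMBER        PRIMARY KEY,
  last_name VARCHAR2(40),
  ssn       VARCHAR2(11)  UNIQUE,
  salary    NUMBER(10,2));
CREATE TABLE hr.payroll (
  pay_id NUMBER       PRIMARY KEY,
  ssn    VARCHAR2(11) NOT NULL,
  net    NUMBER(10,2),
  CONSTRAINT fk_payroll_emp FOREIGN KEY (ssn) REFERENCES hr.emp (ssn));
INSERT INTO hr.emp VALUES (1, 'AGUILAR', '203-33-3234', 40000);
INSERT INTO hr.emp VALUES (2, 'BENSON',  '323-22-2943', 60000);
INSERT INTO hr.payroll VALUES (10, '203-33-3234', 2500);
INSERT INTO hr.payroll VALUES (11, '323-22-2943', 3700);
COMMIT;

-- 1. One mapping table decides the replacement for each real SSN, so every
--    table carrying the SSN is rewritten consistently. The new value keeps
--    the ###-##-#### shape and is random, never derived from the real one.
CREATE TABLE hr.ssn_map AS
SELECT ssn AS old_ssn,
       TO_CHAR(TRUNC(DBMS_RANDOM.VALUE(100, 899)),   'FM000')  || '-' ||
       TO_CHAR(TRUNC(DBMS_RANDOM.VALUE(10, 99)),     'FM00')   || '-' ||
       TO_CHAR(TRUNC(DBMS_RANDOM.VALUE(1000, 9999)), 'FM0000') AS new_ssn
  FROM hr.emp;
-- Fail loudly rather than silently merge two identities on a collision.
ALTER TABLE hr.ssn_map ADD CONSTRAINT ssn_map_uq UNIQUE (new_ssn);

-- 2. Rewrite child and parent from the same mapping, with the foreign key
--    disabled only for this window and re-validated afterwards.
ALTER TABLE hr.payroll DISABLE CONSTRAINT fk_payroll_emp;
UPDATE hr.payroll p
   SET ssn = (SELECT m.new_ssn FROM hr.ssn_map m WHERE m.old_ssn = p.ssn);
UPDATE hr.emp e
   SET ssn = (SELECT m.new_ssn FROM hr.ssn_map m WHERE m.old_ssn = e.ssn);
ALTER TABLE hr.payroll ENABLE VALIDATE CONSTRAINT fk_payroll_emp;

-- 3. Last names: random upper-case strings of the original length, so
--    column widths and layouts in the test application still look realistic.
UPDATE hr.emp SET last_name = DBMS_RANDOM.STRING('U', LENGTH(last_name));

-- 4. Salaries: shuffle the real values across rows. Totals and averages stay
--    real for testing, but a salary is no longer tied to the person it
--    belongs to. Each row receives the salary at a random position.
MERGE INTO hr.emp e
USING (SELECT a.emp_id, b.salary AS new_salary
         FROM (SELECT emp_id, ROW_NUMBER() OVER (ORDER BY DBMS_RANDOM.VALUE) rn
                 FROM hr.emp) a
         JOIN (SELECT salary, ROW_NUMBER() OVER (ORDER BY DBMS_RANDOM.VALUE) rn
                 FROM hr.emp) b
           ON a.rn = b.rn) s
   ON (e.emp_id = s.emp_id)
 WHEN MATCHED THEN UPDATE SET e.salary = s.new_salary;
COMMIT;

-- 5. Destroy the mapping: it is the only link back to the real identities.
DROP TABLE hr.ssn_map PURGE;

-- Check: every payroll row still joins to a masked employee.
SELECT e.last_name, e.ssn, e.salary, p.net
  FROM hr.emp e
  JOIN hr.payroll p ON p.ssn = e.ssn;
```

Two things the Data Masking Pack automates that this script only hints at: the mapping table must cover every table in the schema that carries the SSN, not just one child, and the script itself must run on the copy, never on production, with the mapping dropped before anyone outside the masking role can read it.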
- 17.
Database Security Best Practices Case Studies
Encrypting Personally Identifiable Information
• Transparent data encryption
• No application changes or performance impact
• PCI DSS compliance
Oracle Advanced Security
Defense in Depth Security of Patient Donor Data
• Privileged user access controls
• Encrypting production and masking nonproduction data
• HIPAA/HITECH Compliance
Oracle Database Vault
Oracle Advanced Security
Oracle Data Masking
Audit, Alert & Report on Application Logs
• Monitoring privileged users, sensitive data updates and more
• Secure central audit repository
• Sarbanes-Oxley Act Compliance
Oracle Audit Vault
- 18.
Oracle Database Security Strategy
Defense-in-depth
• Maximum Security: Controls within Database – Encryption, Privileged User Controls, Classification
• External Controls: Protect Oracle & Non-Oracle Database (including MySQL) – Activity Monitoring, Auditing, Blocking Attacks, Reporting
• Low Security: Sensitive Data Removed – Database Lifecycle Management, Data Masking for Non-Production
- 19.
Questions To Consider…
• Do you know where all sensitive data resides?
• Would you know if your data was breached?
• Are you aware of all your regulatory mandates?
• What best practices are you following, where are holes?
- 20.
Q&A
- 21.
Database Security Best Practices
Monthly Webcast Series
• Best Practices For
– Database Activity Monitoring and Blocking, Feb 29
– Database Auditing, Alerting and Reporting, Mar 28
– Transparent Data Encryption, Apr 25
– Database Privileged User Access Control, May 30
- 22.
For More Information
oracle.com/database/security
or search.oracle.com for "database security"