Don Shepherd | CISSP
Sales Consultant
Donald.Shepherd@Oracle.com
2 Copyright © 2011, Oracle. All rights reserved
Today’s Agenda
• Encryption & Masking of Sensitive Data
  – How to easily encrypt information stored in an Oracle database
  – Masking information when used in a non-production environment
• Separation of Duties
  – How to control when and where a DBA can use elevated privileges
  – Providing fine grained access control for DBAs
• Audit & Monitoring Activity
  – Database activity monitoring
  – Know what happens and when inside your database.
Database Security Defense in Depth
(diagram: protection layers around the Data)
• Prevent access by non-database users
• Increase database user identity assurance
• Control access to data within database
• Audit database activity
• Monitor database traffic and prevent threats from reaching the database
• Ensure database production environment is secure and prevent drift
• Remove sensitive data from non-production environments
Data at Rest Encryption
(chart: encryption options plotted by Ease of Deployment against Security: Disk, NAS, Oracle Database, Application, Programmatic)
Protect Data from Unauthorized Database Users
• Prevents “database by-pass” with complete end-to-end data encryption
• Requires no application changes
• Includes built-in key management
• High performance
• Easy to deploy
(diagram: Strong Authentication, Application Network Encryption, Data At Rest Encryption with Built-In Key Management, and Media Encryption covering Disk, Backups, Exports and Off-Site Facilities)
• 89% of companies use production customer data - often exceeding 10M records - for testing, development, support, training, etc.
• 74% use consumer data, 24% use credit card numbers!!!
• Only 23% do anything to suppress sensitive information and 81% relied on contractual clauses to protect live data transferred to outsourcers and other third parties
• 23% said live data used for development or testing had been lost or stolen and 50% had no way of knowing
Application Change Lifecycle
(diagram: DEV, TEST, STAGING and PRODUCTION environments; arrows labelled Upgrade, Clone & Mask, and Share)
Data Masking Irreversible De-Identification
• Remove sensitive data from non-production databases
• Referential integrity preserved so applications continue to work
• Sensitive data never leaves the database
• Extensible template library and policies for automation

Production
LAST_NAME   SSN          SALARY
AGUILAR     203-33-3234  40,000
BENSON      323-22-2943  60,000

Non-Production
LAST_NAME   SSN          SALARY
ANSKEKSL    111-23-1111  60,000
BKJHHEIEDK  222-34-1345  40,000
Oracle Data Masking Comprehensive and Extensible Mask Library
• Define once, apply everywhere: ensures consistent enforcement of policies
• Mask formats for common sensitive data: accelerates solution deployment of masking
• Extensible mask routines: enables customization of business rules
Oracle Data Masking Application Integrity and Sophisticated Masking Techniques
• Automatic Referential Integrity: ensure application consistency while eliminating manual maintenance
• Sophisticated masking techniques (condition-based masking, compound masking): apply context-sensitive business rules

EMPLOYEE
EMPID  NAME       TITLE
12     SMITH      SALESREP
13     JONES      CSR
14     ELLISON    CEO
15     FERNICOLA  SALES MGR

CUSTOMER
CUSTID  NAME     REP_ID
200     ACME     12
201     BIG BOX  15

SUPPORT
CUSTID  CSR_ID
200     13
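Added example, not Oracle Data Masking's own routines: a keyed, deterministic masking pass in Python that de-identifies the EMPLOYEE, CUSTOMER and SUPPORT rows above while remapping the key columns with one mapping, so REP_ID and CSR_ID still resolve to EMPLOYEE rows afterwards. The rows, column names and the per-run key are constructed for the example.

```python
import hashlib
import hmac
import random
import string
# Constructed rows matching the EMPLOYEE / CUSTOMER / SUPPORT diagram above.
EMPLOYEE = [{"EMPID": 12, "NAME": "SMITH", "TITLE": "SALESREP"},
            {"EMPID": 13, "NAME": "JONES", "TITLE": "CSR"},
            {"EMPID": 14, "NAME": "ELLISON", "TITLE": "CEO"},
            {"EMPID": 15, "NAME": "FERNICOLA", "TITLE": "SALES MGR"}]
CUSTOMER = [{"CUSTID": 200, "NAME": "ACME", "REP_ID": 12},
            {"CUSTID": 201, "NAME": "BIG BOX", "REP_ID": 15}]
SUPPORT = [{"CUSTID": 200, "CSR_ID": 13}]

# Assumption: a fresh key is generated for each masking run and destroyed afterwards, so
# the masked copy carries nothing that could reverse the substitution.
MASK_KEY = b"constructed-per-run-key"

def _prf(tag, value):
    """Keyed pseudo-random bytes for one column value (HMAC-SHA256 over tag + value)."""
    return hmac.new(MASK_KEY, f"{tag}:{value}".encode(), hashlib.sha256).digest()

def mask_id(value):
    """Map a key-column value to a 6-digit id; the same input always gives the same id."""
    return 100000 + int.from_bytes(_prf("id", value)[:4], "big") % 900000

def mask_name(value):
    """Replace letters with keyed random letters, keeping length and spaces."""
    rng = random.Random(_prf("name", value))
    return "".join(ch if ch == " " else rng.choice(string.ascii_uppercase) for ch in value)

def mask_ssn(value):
    """Keep the NNN-NN-NNNN layout and replace every digit."""
    rng = random.Random(_prf("ssn", value))
    return "".join(ch if ch == "-" else str(rng.randrange(10)) for ch in value)

def mask_tables(employee, customer, support):
    """Return masked copies; EMPID, REP_ID, CSR_ID and CUSTID are remapped with one mapping."""
    emp = [{**r, "EMPID": mask_id(r["EMPID"]), "NAME": mask_name(r["NAME"])} for r in employee]
    cust = [{**r, "CUSTID": mask_id(r["CUSTID"]), "NAME": mask_name(r["NAME"]),
             "REP_ID": mask_id(r["REP_ID"])} for r in customer]
    sup = [{"CUSTID": mask_id(r["CUSTID"]), "CSR_ID": mask_id(r["CSR_ID"])} for r in support]
    return emp, cust, sup

def referential_integrity_ok(employee, customer, support):
    """True when every REP_ID/CSR_ID points at an EMPLOYEE row and SUPPORT.CUSTID at a CUSTOMER row."""
    emp_ids = {r["EMPID"] for r in employee}
    cust_ids = {r["CUSTID"] for r in customer}
    return (all(r["REP_ID"] in emp_ids for r in customer)
            and all(r["CSR_ID"] in emp_ids and r["CUSTID"] in cust_ids for r in support))
```

Mixing masked and unmasked tables (for example a masked EMPLOYEE with the original CUSTOMER) breaks the foreign keys, which is why a masking run must cover every table that shares the key column.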
How Do Data Breaches Occur?
• 48% involved privilege misuse (+26%)
• 40% resulted from hacking (-24%)
• 38% utilized malware (<>)
• 28% employed social tactics (+16%)
• 15% comprised physical attacks (+6%)
Source: 2010 Data Breach Investigations Report
Where Does Breached Data Come From?
(chart not reproduced in the text)
Source: 2010 Data Breach Investigations Report
Lack of Internal Database Controls
The 2010 IOUG Data Security Report
• Only 28% uniformly encrypting PII in all databases
• 66% not sure if web applications subject to SQL injection
• 63% don’t apply security patches within 3 months of release
• 48% not aware of all databases with sensitive data
• 44% say database users could access data directly
• 70% use native auditing, only 25% automate monitoring
• Only 24% can “prevent” DBAs from reading or tampering with sensitive data
• 68% can not detect if database users are abusing privileges
• Less than 30% monitoring sensitive data reads/writes
Protect Application Data Inside the Database
• Automatic and customizable protective realms and DBA separation of duties
• Enforce who, where, when, and how using rules and factors
  – Enforce least privilege for privileged database users
  – Prevent application by-pass and enforce enterprise data governance
• Securely consolidate application data or enable multi-tenant data management
(diagram: Procurement, HR and Finance application realms; the roles shown are Application, DBA and Security Admin, with the DBA issuing select * from finance.customers against the Finance realm)
Oracle Audit Vault Trust-but-Verify
Audit sources: Oracle Database, IBM DB2, Microsoft SQL Server, Sybase ASE
• Consolidate and Secure Audit Data
• Out-of-the Box Compliance Reports
• Alert on Security Threats
• Lower IT Costs With Entitlements & Audit Policies
Secure & Scalable Audit Warehouse
• Audit Warehouse
  – Document Schema
  – Enable BI and analysis
• Performance and Scalability
  – Built-in partitioning
  – Database compression
  – Scales to Terabytes
  – Certified with Oracle RAC
• Protected with Built-in Security
  – Encrypted audit data transmission
  – Separation of Duty provided by Database Vault (Audit Vault Administrator, Audit Vault Auditor)
Audit Vault Default Reports
User Entitlement Reports For Oracle Databases
• Report all user accounts, roles, and privileges
• Retrieve a snapshot of user entitlement data
• Compare changes in user accounts and privileges
• View SYSDBA/SYSOPER privileges
• Filter data based on users or privileges
• Regulations: SOX, PCI, HIPAA, SAS 70, STIG
Audit Vault Alerts Threat Detection with Custom Alerts
• Alerts can be defined for
  – Creating users on sensitive systems
  – Role grants on sensitive systems
  – “DBA” grants on all systems
  – Failed logins for application users
  – Directly viewing sensitive columns
  – …
• Add workflow for alerts
• Track alerts
• Drill down from the dashboard
• Send alerts to distribution lists
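Added example, not Audit Vault's alert engine: the five custom-alert conditions listed above written as rules in Python and evaluated over a few constructed audit records. The system names, user names, column names and the record layout are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Assumptions for the example: which databases, users and columns count as sensitive.
SENSITIVE_SYSTEMS = {"HRPROD", "FINPROD"}
APP_USERS = {"APPUSER", "HR_APP"}
SENSITIVE_COLUMNS = {("HR.EMPLOYEES", "SALARY"), ("FIN.CARDS", "CARDNO")}

@dataclass
class AuditRecord:
    db: str        # database the record was collected from
    user: str      # account that performed the action
    action: str    # LOGON, CREATE USER, GRANT ROLE, SELECT, ...
    target: str    # user/role name, or the SQL text for SELECT
    success: bool

def reads_sensitive_column(sql):
    """True when a SELECT names a sensitive table and either the column or '*'."""
    text = sql.upper()
    for table, column in SENSITIVE_COLUMNS:
        if re.search(r"\b" + re.escape(table) + r"\b", text):
            if re.search(r"\b" + column + r"\b", text) or re.search(r"SELECT\s+\*", text):
                return True
    return False

# One (alert name, predicate) pair per bullet in the slide above.
RULES = [
    ("create_user_on_sensitive", lambda r: r.action == "CREATE USER" and r.db in SENSITIVE_SYSTEMS),
    ("role_grant_on_sensitive", lambda r: r.action == "GRANT ROLE" and r.db in SENSITIVE_SYSTEMS),
    ("dba_grant_anywhere", lambda r: r.action == "GRANT ROLE" and r.target.upper() == "DBA"),
    ("failed_app_login", lambda r: r.action == "LOGON" and not r.success and r.user in APP_USERS),
    ("direct_sensitive_read", lambda r: r.action == "SELECT" and reads_sensitive_column(r.target)),
]

def evaluate(records):
    """Return (alert name, record) for every rule each record triggers; one record may raise several."""
    return [(name, r) for r in records for name, pred in RULES if pred(r)]

# Constructed audit records for the example.
SAMPLE_RECORDS = [
    AuditRecord("HRPROD", "SYS", "CREATE USER", "TEMP_ADMIN", True),
    AuditRecord("DEVDB", "SYS", "GRANT ROLE", "DBA", True),
    AuditRecord("FINPROD", "SYS", "GRANT ROLE", "REPORT_ROLE", True),
    AuditRecord("HRPROD", "APPUSER", "LOGON", "", False),
    AuditRecord("HRPROD", "JSMITH", "SELECT", "SELECT SALARY FROM HR.EMPLOYEES WHERE EMPID = 14", True),
    AuditRecord("DEVDB", "APPUSER", "LOGON", "", True),
    AuditRecord("HRPROD", "SYS", "GRANT ROLE", "DBA", True),
]
```

The last record shows why rules are evaluated independently: a DBA grant on a sensitive system raises both the role-grant and the DBA-grant alert, and the workflow step decides how the two are tracked.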
Over 900M Breached Records Resulted from Compromised Database Servers
Type              Category                % Breaches  % Records
Database Server   Servers & Applications  25%         92%
Desktop Computer  End-User Devices        21%         1%
Source: Verizon 2010 Data Breach Investigations Report
Database Firewall First Line of Defense
• Monitor database activity to prevent unauthorized database access, SQL injections, privilege or role escalation, illegal access to sensitive data, etc.
• Highly accurate SQL grammar based analysis without costly false positives
• Flexible SQL level enforcement options based on white lists and black lists
• Scalable architecture provides enterprise performance in all deployment modes
• Built-in and custom compliance reports for SOX, PCI, and other regulations
(diagram: Applications traffic passes through the firewall, which applies Policies and Alerts, feeds Built-in and Custom Reports, and can Block, Log, Allow, Alert or Substitute each statement)
Database Firewall Positive Security Model
• “Allowed” behavior can be defined for any user or application
• Whitelist can take into account built-in factors such as time of day, day of week, network, application, etc.
• Automatically generate whitelists for any application
• Transactions found not to match the policy instantly rejected
• Database will only process data how you want and expect

White List example: the application's own statement matches the whitelist and is allowed:
SELECT * from dvd_stock where [catalog-no] = 'PHE8131' and location = 1

The same statement with an injected UNION does not match the whitelist and is blocked:
SELECT * from dvd_stock where [catalog-no] = '' union select cardNo, customerId, 0 from DVD_Orders --' and location = 1
Database Firewall Negative Security Model
• Stop specific unwanted SQL transactions, user or schema access
• Prevent privilege or role escalation and unauthorized access to sensitive data
• Blacklist can take into account built-in factors such as time of day, day of week, network, application, etc.
• Selectively block any part of transaction in context to your business and security goals

Black List example: a statement matching the blacklist is blocked:
UPDATE employee SET salary = salary + (salary * 0.5) WHERE id='me';
Database Firewall Policy Enforcement
• Innovative SQL grammar technology reduces millions of SQL statements into a small number of SQL characteristics or “clusters”
• Superior performance and policy scalability
• Highly accurate without costly and time consuming false positives
• Flexible enforcement at SQL level: block, substitute, alert and pass, log only
• SQL substitution foils attackers without disrupting applications

SQL substitution example:
SELECT * FROM accounts
becomes
SELECT * FROM dual where 1=0
(diagram: Applications traffic passes through the firewall, which can Block, Log, Allow, Alert or Substitute)
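Added example, not Oracle Database Firewall code: a small Python illustration of the clustering, whitelist/blacklist and substitution behaviour described on the positive security model, negative security model and policy enforcement slides. The tokenizer and the policy are constructed for the example from the deck's own statements; the firewall's real grammar engine is not reproduced.

```python
import re

# Token classes, tried in this order: string literal, line comment, bracketed name,
# number, identifier, any other single non-space character.
_TOKEN = re.compile(r"'(?:[^']|'')*'|--[^\n]*|\[[^\]]*\]|\d+(?:\.\d+)?|[A-Za-z_][A-Za-z0-9_.]*|\S")

def cluster(sql):
    """Reduce a statement to its shape: literals become placeholders, names are case-folded.
    Statements that differ only in the data they carry share one cluster."""
    shape = []
    for tok in _TOKEN.findall(sql):
        if tok.startswith("'"):
            shape.append("?")        # string literal
        elif tok.startswith("--"):
            shape.append("--")       # trailing comment: its text is data, not structure
        elif tok[0].isdigit():
            shape.append("#")        # numeric literal
        else:
            shape.append(tok.upper())
    return " ".join(shape)

# Constructed policy (assumption: the whitelist was generated by observing the application,
# the blacklist was written by the security administrator).
POLICY = {
    "whitelist": {cluster("SELECT * from dvd_stock where [catalog-no] = 'PHE8131' and location = 1")},
    "blacklist": {cluster("UPDATE employee SET salary = salary + (salary * 0.5) WHERE id='me'")},
}
SUBSTITUTE = "SELECT * FROM dual where 1=0"   # harmless statement sent instead of the original

def enforce(sql, policy=POLICY, log=None):
    """Return (action, statement forwarded to the database); None means nothing is forwarded.
    Blacklist wins over whitelist; anything unknown is substituted rather than passed."""
    shape = cluster(sql)
    if shape in policy["blacklist"]:
        action, forwarded = "block", None
    elif shape in policy["whitelist"]:
        action, forwarded = "allow", sql
    else:
        action, forwarded = "substitute", SUBSTITUTE
    if log is not None:              # the "log" option: record the cluster, not the raw SQL
        log.append((action, shape))
    return action, forwarded
```

Logging the cluster rather than the raw statement is also what keeps literal values such as card numbers out of the firewall's own logs, which the reporting slide below describes as sanitizing logged SQL of PII.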
Database Firewall Reporting
• Oracle Database Firewall log data consolidated into reporting database
• Dozens of built-in reports that can be modified and customized
• Database activity and privileged user reports
• Entitlements reporting for database attestation and audit
• Supports demonstrating controls for PCI, SOX, HIPAA, etc.
• Logged SQL statements can be sanitized of sensitive PII data
Complete Defense In Depth Strategy
(diagram: product layers around the Data)
• Oracle Advanced Security
• Oracle Identity Management
• Oracle Database Vault
• Oracle Label Security
• Oracle Audit Vault
• Oracle Total Recall
• Oracle Database Firewall
• Oracle Configuration Management
• Oracle Data Masking