Don Shepherd | CISSP
Sales Consultant
[email protected]

Copyright © 2011, Oracle. All rights reserved

Today's Agenda

• Encryption & Masking of Sensitive Data
  – How to easily encrypt information stored in an Oracle database
  – Masking information when used in a non-production environment
• Separation of Duties
  – How to control when and where a DBA can use elevated privileges
  – Providing fine grained access control for DBAs
• Audit & Monitoring Activity
  – Database activity monitoring
  – Know what happens and when inside your database.


Database Security Defense in Depth

• Prevent access by non-database users
• Increase database user identity assurance
• Control access to data within the database
• Audit database activity
• Monitor database traffic and prevent threats from reaching the database
• Ensure the database production environment is secure and prevent drift
• Remove sensitive data from non-production environments


Data at Rest Encryption

[Chart: encryption options plotted by ease of deployment against security. Options shown: Disk, NAS, Oracle Database, Application, Programmatic.]


Protect Data from Unauthorized Database Users

• Prevents "database by-pass" (reading data files, backups or exports directly, outside the database's access controls) with complete end-to-end data encryption
• Requires no application changes
• Includes built-in key management
• High performance
• Easy to deploy

[Diagram: Strong Authentication; Application Network Encryption; Built-In Key Management; Data At Rest Encryption; Media Encryption covering Disk, Backups, Exports and Off-Site Facilities.]


• 89% of companies use production customer data - often exceeding 10M records - for testing, development, support, training, etc.
• 74% use consumer data, 24% use credit card numbers!!!
• Only 23% do anything to suppress sensitive information and 81% relied on contractual clauses to protect live data transferred to outsourcers and other third parties
• 23% said live data used for development or testing had been lost or stolen and 50% had no way of knowing


Application Change Lifecycle

[Diagram: DEV, TEST, STAGING and PRODUCTION environments, with arrows labelled "Clone & Mask", "Share" and "Upgrade".]


Data Masking: Irreversible De-Identification

• Remove sensitive data from non-production databases
• Referential integrity preserved so applications continue to work
• Sensitive data never leaves the database
• Extensible template library and policies for automation

Production:
LAST_NAME   SSN           SALARY
AGUILAR     203-33-3234   40,000
BENSON      323-22-2943   60,000

Non-Production:
LAST_NAME   SSN           SALARY
ANSKEKSL    111-23-1111   60,000
BKJHHEIEDK  222-34-1345   40,000


Oracle Data Masking: Comprehensive and Extensible Mask Library

• Define once, apply everywhere: ensures consistent enforcement of policies
• Mask formats for common sensitive data: accelerates deployment of masking
• Extensible mask routines: enable customization of business rules


Oracle Data Masking: Application Integrity and Sophisticated Masking Techniques

• Automatic referential integrity: ensures application consistency while eliminating manual maintenance
• Sophisticated masking techniques (condition-based masking, compound masking): apply context-sensitive business rules

EMPLOYEE
EMPID  NAME       TITLE
12     SMITH      SALESREP
13     JONES      CSR
14     ELLISON    CEO
15     FERNICOLA  SALES MGR

CUSTOMER
CUSTID  NAME     REP_ID
200     ACME     12
201     BIG BOX  15

SUPPORT
CUSTID  CSR_ID
200     13

[Diagram: CUSTOMER.REP_ID and SUPPORT.CSR_ID reference EMPLOYEE.EMPID; a masked EMPID is propagated to both (Automatic Referential Integrity).]
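The following is an added example, not Oracle Data Masking's own code, showing how the two ideas on this slide and the previous one can be implemented together: irreversible masking of names, SSNs and salaries, and substitution of the EMPID key propagated to the foreign keys REP_ID and CSR_ID so joins in the masked clone still resolve. The EMPLOYEE, CUSTOMER and SUPPORT rows are the slide's sample data; the SSN and SALARY columns on EMPLOYEE, the keyed-hash formats and the per-run key are assumptions.

```python
"""Masking that is irreversible and keeps foreign keys consistent.

Added example; not Oracle Data Masking code. Sample rows come from the slide
(SSN and SALARY on EMPLOYEE were added here); the formats are this example's.
"""
import hashlib
import hmac
import random
import string

# Assumption: a key generated fresh for one masking run and discarded afterwards.
# The keyed hash is what makes the mapping irreversible; an unkeyed hash of a
# name or SSN could be reversed with a dictionary of likely inputs.
MASK_KEY = b"fresh-random-key-for-this-run-only"

EMPLOYEE = [
    {"EMPID": 12, "NAME": "SMITH", "TITLE": "SALESREP", "SSN": "203-33-3234", "SALARY": 40000},
    {"EMPID": 13, "NAME": "JONES", "TITLE": "CSR", "SSN": "323-22-2943", "SALARY": 60000},
    {"EMPID": 14, "NAME": "ELLISON", "TITLE": "CEO", "SSN": "111-55-9876", "SALARY": 90000},
    {"EMPID": 15, "NAME": "FERNICOLA", "TITLE": "SALES MGR", "SSN": "444-66-1212", "SALARY": 70000},
]
CUSTOMER = [
    {"CUSTID": 200, "NAME": "ACME", "REP_ID": 12},
    {"CUSTID": 201, "NAME": "BIG BOX", "REP_ID": 15},
]
SUPPORT = [{"CUSTID": 200, "CSR_ID": 13}]


def _rng(value, salt):
    """PRNG seeded from HMAC(key, salt:value): same input, same mask, this run only."""
    seed = hmac.new(MASK_KEY, f"{salt}:{value}".encode(), hashlib.sha256).digest()
    return random.Random(int.from_bytes(seed[:8], "big"))


def mask_name(name):
    """Same length, uppercase letters only."""
    rng = _rng(name, "name")
    return "".join(rng.choice(string.ascii_uppercase) for _ in name)


def mask_ssn(ssn):
    """Format-preserving: keeps the NNN-NN-NNNN layout, replaces every digit."""
    rng = _rng(ssn, "ssn")
    return "%03d-%02d-%04d" % (rng.randint(100, 899), rng.randint(10, 99), rng.randint(1000, 9999))


def mask_key_column(parent_rows, pk, children):
    """Substitute primary keys, then rewrite every foreign key with the same
    mapping so joins in the masked clone still resolve (referential integrity)."""
    old_ids = [r[pk] for r in parent_rows]
    new_ids = list(range(1000, 1000 + len(old_ids)))
    _rng("ids", pk).shuffle(new_ids)
    mapping = dict(zip(old_ids, new_ids))
    for r in parent_rows:
        r[pk] = mapping[r[pk]]
    for rows, fk in children:
        for r in rows:
            r[fk] = mapping[r[fk]]  # a KeyError here means an orphan FK in the source
    return mapping


def shuffle_column(rows, col):
    """Shuffle one column across rows: distribution kept, link to the person broken."""
    vals = [r[col] for r in rows]
    _rng("shuffle", col).shuffle(vals)
    for r, v in zip(rows, vals):
        r[col] = v


def mask_all(employee, customer, support):
    """Return masked copies of the three tables; the inputs are left untouched."""
    employee = [dict(r) for r in employee]
    customer = [dict(r) for r in customer]
    support = [dict(r) for r in support]
    mask_key_column(employee, "EMPID", [(customer, "REP_ID"), (support, "CSR_ID")])
    for r in employee:
        r["NAME"] = mask_name(r["NAME"])
        r["SSN"] = mask_ssn(r["SSN"])
    for r in customer:
        r["NAME"] = mask_name(r["NAME"])
    shuffle_column(employee, "SALARY")
    return employee, customer, support


def referential_integrity_holds(employee, customer, support):
    """True when every REP_ID and CSR_ID still points at an existing EMPID."""
    ids = {r["EMPID"] for r in employee}
    return all(r["REP_ID"] in ids for r in customer) and all(r["CSR_ID"] in ids for r in support)


if __name__ == "__main__":
    for table in mask_all(EMPLOYEE, CUSTOMER, SUPPORT):
        for row in table:
            print(row)
```

The salary column is shuffled rather than hashed so the masked clone keeps the real distribution for testing while no row's salary belongs to the person it sits next to, which is the effect shown on the previous slide (AGUILAR/BENSON swap values).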


How Do Data Breaches Occur?

• 48% involved privilege misuse (+26%)
• 40% resulted from hacking (-24%)
• 38% utilized malware (no change)
• 28% employed social tactics (+16%)
• 15% comprised physical attacks (+6%)

(Figures in parentheses are the change from the previous year's report.)
Source: Verizon 2010 Data Breach Investigations Report


Where Does Breached Data Come From?

[Chart not reproduced in the extraction.]
Source: Verizon 2010 Data Breach Investigations Report


Lack of Internal Database Controls
The 2010 IOUG Data Security Report

• Only 28% uniformly encrypting PII in all databases
• 66% not sure if web applications are subject to SQL injection
• 63% don't apply security patches within 3 months of release
• 48% not aware of all databases with sensitive data
• 44% say database users could access data directly
• 70% use native auditing, only 25% automate monitoring
• Only 24% can "prevent" DBAs from reading or tampering with sensitive data
• 68% can not detect if database users are abusing privileges
• Less than 30% monitoring sensitive data reads/writes


Protect Application Data Inside the Database

• Automatic and customizable protective realms and DBA separation of duties
• Enforce who, where, when, and how using rules and factors
  – Enforce least privilege for privileged database users
  – Prevent application by-pass and enforce enterprise data governance
• Securely consolidate application data or enable multi-tenant data management

[Diagram: Procurement, HR and Finance application realms inside one database. The application reaches its own data; a DBA issuing "select * from finance.customers" is stopped at the realm; a separate Security Admin role is shown alongside the DBA.]
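An added example (not Oracle Database Vault code, and a simplification of its model) of the rule this slide describes: inside a realm a DBA's SELECT ANY TABLE no longer applies, access needs either a direct object grant or a realm authorization, and factor rules on client network and time of day gate everyone. The schema names, users, the 10.1.0.0/16 application network and the 06:00-20:00 window are assumptions.

```python
"""Realm protection: keep a DBA's system privileges out of application data.

Added example illustrating the slide; not Oracle Database Vault code and a
simplification of its model. Schemas, users, network range and hours are assumed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, List, Set, Tuple


@dataclass
class Session:
    user: str
    system_privs: Set[str]               # e.g. {"SELECT ANY TABLE"}
    object_grants: Set[Tuple[str, str]]  # direct grants, e.g. {("FINANCE", "CUSTOMERS")}
    client_ip: str
    hour: int                            # local hour, 0-23


@dataclass
class Realm:
    name: str
    schemas: Set[str]      # objects owned by these schemas are inside the realm
    authorized: Set[str]   # users allowed to use system privileges inside it
    rules: List[Callable[[Session], bool]] = field(default_factory=list)  # factor checks


def finance_factors(s: Session) -> bool:
    """Assumed factors: finance application tier is 10.1.0.0/16; access 06:00-20:00 only."""
    on_app_net = ipaddress.ip_address(s.client_ip) in ipaddress.ip_network("10.1.0.0/16")
    return on_app_net and 6 <= s.hour < 20


REALMS = [
    Realm("Finance", {"FINANCE"}, {"FIN_DBA"}, [finance_factors]),
    Realm("HR", {"HR"}, {"HR_DBA"}),
    Realm("Procurement", {"PROC"}, {"PROC_DBA"}),
]


def realm_for(schema: str):
    return next((r for r in REALMS if schema in r.schemas), None)


def authorize(s: Session, schema: str, table: str):
    """Decide whether `s` may SELECT from schema.table; returns (allowed, reason)."""
    schema, table = schema.upper(), table.upper()
    direct = (schema, table) in s.object_grants
    any_table = "SELECT ANY TABLE" in s.system_privs
    realm = realm_for(schema)
    if realm is None:
        # Outside a realm the ordinary privilege model applies: a system
        # privilege or a direct grant is enough.
        return (direct or any_table), "standard privilege check"
    # Inside a realm: factor rules gate everyone, and a system privilege only
    # works for users the realm authorizes. A direct object grant still works.
    if not all(rule(s) for rule in realm.rules):
        return False, f"{realm.name} realm: factor rule failed"
    if direct:
        return True, f"{realm.name} realm: direct object grant"
    if any_table and s.user in realm.authorized:
        return True, f"{realm.name} realm: realm-authorized"
    return False, f"{realm.name} realm: system privilege does not apply"


if __name__ == "__main__":
    dba = Session("DBA", {"SELECT ANY TABLE"}, set(), "10.9.9.9", 10)
    fin_app = Session("FIN_APP", set(), {("FINANCE", "CUSTOMERS")}, "10.1.2.3", 10)
    print("DBA on finance.customers:", authorize(dba, "FINANCE", "CUSTOMERS"))
    print("DBA on scott.emp:", authorize(dba, "SCOTT", "EMP"))
    print("FIN_APP on finance.customers:", authorize(fin_app, "FINANCE", "CUSTOMERS"))
```

The ordering in authorize is the point: the privilege that normally wins (SELECT ANY TABLE) is consulted last, and only for users the realm names, so the DBA keeps full rights on everything outside the realm while the application account keeps working through its ordinary grants.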


Oracle Audit Vault: Trust-but-Verify

• Audit sources: Oracle Database, IBM DB2, Microsoft SQL Server, Sybase ASE
• Consolidate and secure audit data
• Out-of-the-box compliance reports
• Alert on security threats
• Lower IT costs with entitlements & audit policies


Secure & Scalable Audit Warehouse

• Audit Warehouse
  – Documented schema
  – Enable BI and analysis
• Performance and Scalability
  – Built-in partitioning
  – Database compression
  – Scales to terabytes
  – Certified with Oracle RAC
• Protected with Built-in Security
  – Encrypted audit data transmission
  – Separation of duty provided by Database Vault: Audit Vault Administrator and Audit Vault Auditor are distinct roles


Audit Vault Default Reports


User Entitlement Reports For Oracle Databases

• Report all user accounts, roles, and privileges
• Retrieve a snapshot of user entitlement data
• Compare changes in user accounts and privileges
• View SYSDBA/SYSOPER privileges
• Filter data based on users or privileges
• Regulations: SOX, PCI, HIPAA, SAS 70, STIG


Audit Vault Alerts: Threat Detection with Custom Alerts

• Alerts can be defined for
  – Creating users on sensitive systems
  – Role grants on sensitive systems
  – "DBA" grants on all systems
  – Failed logins for application users
  – Directly viewing sensitive columns
  – ….
• Add workflow for alerts
• Track alerts
• Drill down from the dashboard
• Send alerts to distribution lists
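An added example, not Audit Vault's alert engine, that evaluates the alert conditions listed above over a constructed audit trail. The event field names, the sensitive-system inventory, the application account list, the sensitive-column map and the failed-login threshold are all assumptions.

```python
"""Custom alert rules over consolidated database audit records.

Added example; not Oracle Audit Vault code. Events are constructed and their
field names are assumptions; the rules implement the conditions on the slide.
"""
from collections import defaultdict

SENSITIVE_SYSTEMS = {"FINPROD", "HRPROD"}           # assumed inventory of sensitive databases
APP_ACCOUNTS = {"FIN_APP", "HR_APP"}                 # accounts applications log in as
SENSITIVE_COLUMNS = {"FINANCE.CUSTOMERS": {"CARD_NO"}, "HR.EMPLOYEE": {"SSN", "SALARY"}}
FAILED_LOGIN_THRESHOLD = 3

# Constructed sample audit trail, one dict per audited event.
EVENTS = [
    {"ts": "2011-06-01T09:00:01", "db": "FINPROD", "user": "DBA1", "action": "CREATE USER",
     "object": "TMP_USER", "status": "SUCCESS", "sql": "CREATE USER tmp_user IDENTIFIED BY x"},
    {"ts": "2011-06-01T09:05:00", "db": "DEVDB", "user": "DBA1", "action": "GRANT ROLE",
     "object": "DBA", "grantee": "BOB", "status": "SUCCESS", "sql": "GRANT dba TO bob"},
    {"ts": "2011-06-01T09:10:00", "db": "HRPROD", "user": "HR_ADMIN", "action": "GRANT ROLE",
     "object": "HR_CLERK", "grantee": "ALICE", "status": "SUCCESS", "sql": "GRANT hr_clerk TO alice"},
    {"ts": "2011-06-01T09:20:00", "db": "FINPROD", "user": "FIN_APP", "action": "LOGON", "status": "FAILED", "sql": ""},
    {"ts": "2011-06-01T09:20:01", "db": "FINPROD", "user": "FIN_APP", "action": "LOGON", "status": "FAILED", "sql": ""},
    {"ts": "2011-06-01T09:20:02", "db": "FINPROD", "user": "FIN_APP", "action": "LOGON", "status": "FAILED", "sql": ""},
    {"ts": "2011-06-01T09:30:00", "db": "FINPROD", "user": "DBA1", "action": "SELECT",
     "object": "FINANCE.CUSTOMERS", "status": "SUCCESS", "sql": "select card_no from finance.customers"},
    {"ts": "2011-06-01T09:31:00", "db": "FINPROD", "user": "FIN_APP", "action": "SELECT",
     "object": "FINANCE.CUSTOMERS", "status": "SUCCESS",
     "sql": "select name from finance.customers where custid = 200"},
]


def reads_sensitive_column(ev):
    """Heuristic on the audited statement text: a named sensitive column or SELECT *."""
    cols = SENSITIVE_COLUMNS.get(ev.get("object", ""))
    if not cols or ev["action"] != "SELECT":
        return False
    text = ev["sql"].upper()
    return "SELECT *" in text or any(c in text for c in cols)


# Stateless rules: alert name -> predicate over a single event.
RULES = {
    "user created on sensitive system":
        lambda ev: ev["action"] == "CREATE USER" and ev["db"] in SENSITIVE_SYSTEMS,
    "role granted on sensitive system":
        lambda ev: ev["action"] == "GRANT ROLE" and ev["db"] in SENSITIVE_SYSTEMS,
    "DBA role granted (any system)":
        lambda ev: ev["action"] == "GRANT ROLE" and ev["object"] == "DBA",
    "direct read of sensitive column by non-application user":
        lambda ev: ev["user"] not in APP_ACCOUNTS and reads_sensitive_column(ev),
}


def evaluate(events):
    """Run every rule over the trail; failed-login counting is the one stateful rule."""
    alerts = []
    failed = defaultdict(int)
    for ev in events:
        for name, pred in RULES.items():
            if pred(ev):
                alerts.append({"rule": name, "db": ev["db"], "user": ev["user"], "ts": ev["ts"]})
        if ev["action"] == "LOGON" and ev["status"] == "FAILED" and ev["user"] in APP_ACCOUNTS:
            key = (ev["db"], ev["user"])
            failed[key] += 1
            if failed[key] == FAILED_LOGIN_THRESHOLD:  # fire once when the threshold is reached
                alerts.append({"rule": "repeated failed logins for application account",
                               "db": ev["db"], "user": ev["user"], "ts": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in evaluate(EVENTS):
        print(alert)
```

The application account's own SELECT on the same table raises nothing: it is the direct, non-application read of CARD_NO that the slide's "directly viewing sensitive columns" alert is after, so the account list is what separates expected traffic from a privileged user browsing card numbers.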


Over 900M Breached Records Resulted from Compromised Database Servers

Type              Category                % Breaches  % Records
Database Server   Servers & Applications  25%         92%
Desktop Computer  End-User Devices        21%         1%

Source: Verizon 2010 Data Breach Investigations Report


Database Firewall: First Line of Defense

• Monitor database activity to prevent unauthorized database access, SQL injection, privilege or role escalation, illegal access to sensitive data, etc.
• Highly accurate SQL grammar based analysis without costly false positives
• Flexible SQL level enforcement options based on white lists and black lists
• Scalable architecture provides enterprise performance in all deployment modes
• Built-in and custom compliance reports for SOX, PCI, and other regulations

[Diagram: SQL from applications passes through the firewall's policies, which Block, Log, Allow, Alert on or Substitute each statement; built-in reports, custom reports and alerts are produced from the logged traffic.]


Database Firewall: Positive Security Model

• "Allowed" behavior can be defined for any user or application
• Whitelist can take into account built-in factors such as time of day, day of week, network, application, etc.
• Automatically generate whitelists for any application
• Transactions found not to match the policy are instantly rejected
• Database will only process data how you want and expect

White list example:

Allowed (matches the application's normal statement):
  SELECT * from dvd_stock where [catalog-no] = 'PHE8131' and location = 1

Blocked (the injected UNION does not match any whitelisted statement):
  SELECT * from dvd_stock where [catalog-no] = '' union select cardNo, customerId, 0 from DVD_Orders --' and location = 1


Database Firewall: Negative Security Model

• Stop specific unwanted SQL transactions, user or schema access
• Prevent privilege or role escalation and unauthorized access to sensitive data
• Blacklist can take into account built-in factors such as time of day, day of week, network, application, etc.
• Selectively block any part of a transaction in context to your business and security goals

Black list example (blocked):
  UPDATE employee SET salary = salary + (salary * 0.5) WHERE id="me";


Database Firewall: Policy Enforcement

• Innovative SQL grammar technology reduces millions of SQL statements into a small number of SQL characteristics or "clusters"
• Superior performance and policy scalability
• Highly accurate without costly and time consuming false positives
• Flexible enforcement at SQL level: block, substitute, alert and pass, log only
• SQL substitution foils attackers without disrupting applications

Substitution example:
  SELECT * FROM accounts
becomes
  SELECT * FROM dual where 1=0

[Diagram: SQL from applications passes through the policy and is Blocked, Logged, Allowed, Alerted on or Substituted.]
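An added example (not Oracle Database Firewall code) covering the three preceding slides: statements are reduced to grammar "clusters" by replacing literals with placeholders; a whitelist of clusters per application and time window admits the DVD shop query with any catalog number but not the injected UNION; a blacklist pattern with an application factor blocks the salary update from the negative-model slide; and any unknown SELECT is substituted with the empty statement shown above. The application names (DVDSHOP, PAYROLL, HRPORTAL), the hours, and the decision to block rather than substitute unknown non-SELECT statements are this example's assumptions.

```python
"""SQL grammar clustering with whitelist, blacklist and substitution.

Added example; not Oracle Database Firewall code. Application names, hours
and the default action for unknown statements are assumptions.
"""
import re
from dataclasses import dataclass

# Tokens: string literal, number, line comment, block comment, [bracketed] identifier, word, punctuation.
_TOKEN = re.compile(r"'(?:[^']|'')*'|\d+(?:\.\d+)?|--[^\n]*|/\*.*?\*/|\[[^\]]*\]|[A-Za-z_]\w*|\S", re.S)


def cluster(sql):
    """Reduce a statement to its grammatical shape. Literals become placeholders,
    so one application query with any bound values maps to one cluster, while a
    structural change (an injected UNION, an extra predicate, a comment) does not."""
    out = []
    for tok in _TOKEN.findall(sql):
        if tok.startswith("'"):
            out.append("'?'")
        elif tok[0].isdigit():
            out.append("?")
        elif tok.startswith("--") or tok.startswith("/*"):
            out.append("<comment>")
        else:
            out.append(tok.upper())
    return " ".join(out)


@dataclass
class Context:
    app: str   # application the session was identified as
    hour: int  # local hour 0-23 (time-of-day factor)


EMPTY_RESULT = "SELECT * FROM dual WHERE 1=0"  # the substitute statement from the slide


class Policy:
    def __init__(self):
        self.whitelist = {}  # (app, cluster) -> (first_hour, end_hour) during which it is allowed
        self.blacklist = []  # (compiled regex over the cluster, factor predicate on the context)

    def learn(self, app, sql, hours=(0, 24)):
        """Positive model: record a statement the application is known to issue."""
        self.whitelist[(app, cluster(sql))] = hours

    def deny(self, pattern, when=lambda ctx: True):
        """Negative model: block clusters matching pattern when the factor predicate holds."""
        self.blacklist.append((re.compile(pattern), when))

    def decide(self, sql, ctx):
        """Return (action, detail): blacklist first, then whitelist, then the default."""
        c = cluster(sql)
        for pat, when in self.blacklist:
            if pat.search(c) and when(ctx):
                return "block", c
        hours = self.whitelist.get((ctx.app, c))
        if hours and hours[0] <= ctx.hour < hours[1]:
            return "allow", c
        # Assumed default for anything unknown: a SELECT is substituted with an
        # empty result, so the attacker learns nothing and the application sees
        # no error; anything else is blocked outright.
        if c.startswith("SELECT"):
            return "substitute", EMPTY_RESULT
        return "block", c


def build_policy():
    """Policy for the statements on the slides (DVDSHOP, PAYROLL and the hours are assumed)."""
    p = Policy()
    p.learn("DVDSHOP", "SELECT * from dvd_stock where [catalog-no] = 'PHE8131' and location = 1")
    p.learn("PAYROLL", "UPDATE employee SET salary = 52000 WHERE id = 7", hours=(8, 18))
    p.deny(r"^UPDATE EMPLOYEE SET SALARY", when=lambda ctx: ctx.app != "PAYROLL")
    return p


if __name__ == "__main__":
    policy = build_policy()
    injected = ("SELECT * from dvd_stock where [catalog-no] = '' "
                "union select cardNo, customerId, 0 from DVD_Orders --' and location = 1")
    print(policy.decide("SELECT * from dvd_stock where [catalog-no] = 'PHE8131' and location = 1", Context("DVDSHOP", 10)))
    print(policy.decide(injected, Context("DVDSHOP", 10)))
    print(policy.decide('UPDATE employee SET salary = salary + (salary * 0.5) WHERE id="me";', Context("HRPORTAL", 10)))
```

Because the comparison is on the cluster and not on the literal text, the shop's query is accepted with every catalog number and location, while the injected form fails for three independent reasons: the UNION, the second FROM, and the trailing comment each change the shape.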


Database Firewall Reporting

• Oracle Database Firewall log data consolidated into a reporting database
• Dozens of built-in reports that can be modified and customized
• Database activity and privileged user reports
• Entitlements reporting for database attestation and audit
• Supports demonstrating controls for PCI, SOX, HIPAA, etc.
• Logged SQL statements can be sanitized of sensitive PII data


Complete Defense In Depth Strategy

• Oracle Advanced Security
• Oracle Identity Management
• Oracle Database Vault
• Oracle Label Security
• Oracle Audit Vault
• Oracle Total Recall
• Oracle Database Firewall
• Oracle Configuration Management
• Oracle Data Masking
