Copyright © 2017, Oracle and/or its affiliates. All rights reserved.
CON6571 - Cybersecurity and Compliance in 2017: Database Security is Business-Critical
Vipin Samar, Senior Vice President, Database Security Development, October 02, 2017
Safe Harbor Statement
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
Program Agenda
1. Security Trends and Current Solutions
2. Database Security Assessment Tool
3. Cloud Data Security Strategy and Service
4. Continuing Innovations in Database Security
5. EU General Data Protection Regulation (EU-GDPR)
High-level Trends in Security
• Data breaches becoming bigger and bolder
  – New targets: data aggregators, financial accounting firms, breach investigators, security companies, governments, ...
  – New target types: devices, cloud, …
• Data breaches becoming very costly
  – $80 billion spent every year on IT security, but actual breach cost exceeds a trillion dollars
  – Average cost of a data breach is $7.35 million, $225 per stolen record
  – Litigation expenses account for almost 65% of breach expenses
  – Irreversible damage to victims, brand, and business
• Challenges
  – Severe shortage of security skills, no match for hacker expertise and automation
  – Many organizations don’t know how vulnerable they are
Lose Your Data, Lose the Business
What do you have? Where? How much? Who has access? Who accessed it?
Privacy & Security Regulations Increasing World-Wide
Regulations shown on the world map: EU GDPR, PCI, NZPA, APP, APPI, Ch GDPL, HK PDPO, Si PDPA, Th OIA, Ru DPA, IT Act, SAECTA, MDPA, APDPL, CLPPL, Art. 5, CDPL, MPDPL, FOIPPA, PIPEDA, NY DFS 500, 48 State Data Privacy laws, Patriot Act, CIP, HIPAA, GLBA
Threat Landscape: Databases are the Prime Target
Threat Actors: Hackers, OS Admin, DBA, Test & Dev, End-Users, Support
Threat Vectors: XSS / Malware, SQL Injection, Stolen Credentials, Ransomware, Physical Theft, Privilege Escalation, Network Sniffing
Threat Targets: Middleware, Applications, Databases, Operating System, Network, Storage, Backup
Attacking the Database
Entry points: Apps, Test, Dev, Partners
Attack paths: Exploit Database, Exploit Application, Attack Users, Attack Admins, Bypass Database, Target Exported Data
Oracle Database Maximum Security Architecture
Access paths: Apps, Test, Dev, Partners
Controls around the database: Data Redaction, Database Firewall, Key Vault, Transparent Data Encryption, Automated Privilege Analysis, Data Masking, Audit Vault (Audit Data), Database Vault, Configuration Checks
Sample values in the figure: XXY-YY-5100; 010-11-5100, 022-22-5001
Database Security Controls
Evaluate, Prevent, Detect, Data-Driven Security

Comprehensive Defense In Depth Security from Oracle
EVALUATE: Security Configuration, Sensitive Data Discovery, Privilege Analysis, Security Assessment
PREVENT: Crypto Toolkit for Applications, Key Management, Data Encryption, DBA & Operation Controls, Data Redaction, Data Masking and Subsetting
DETECT: Database Auditing, Database Firewall, Centralized Monitoring, Alerting & Reporting
DATA DRIVEN SECURITY: Row Level Security, Real Application Security, Label based Security
ANNOUNCING: Database Security Assessment Tool (DBSAT)
Assess Your Risk Profile Before Hackers Do
What Hackers Try to Do: Fully and Quickly Map the Target with Automation
• Find DB/OS configuration vulnerabilities
• Identify and target privileged users
• Identify application vulnerabilities
Data Owner: Where to Start? What to Look For? Tools? Skills? Time?
• Is the DB securely configured? Patched?
• What could my users do? Risks?
• What sensitive data do I have?
Database Security Assessment Tool (DBSAT)
• Understand how (in)secure your database is
  – Is the database securely configured?
  – Identify privileged users and risks
  – Discover your sensitive data for regulations*
• Actionable reports
  – Summary and detailed reports
  – Prioritized recommendations
• Analyzes Oracle Database 10g and later
• Stand-alone command-line tool: quick, easy
• Availability: v1 now; v2 coming soon
• FREE to current Oracle customers
* Sensitive data discovery: in an upcoming release
Privileges and Roles - Users with DBA role (DBSAT report screenshots)
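The "Users with DBA role" finding above is one of the privileged-user checks DBSAT reports on. As an added example that is not part of the deck or of DBSAT itself, the same question can be asked directly of the Oracle data dictionary. It assumes an account with SELECT access on the DBA_* views and an Oracle Database 12c or later dictionary (the ORACLE_MAINTAINED and LAST_LOGIN columns do not exist in the 10g/11g views the tool also supports; drop those references there). DBA_ROLE_PRIVS, DBA_ROLES, DBA_USERS and DBA_SYS_PRIVS are standard Oracle dictionary views.

```sql
-- Added example (not from the deck or DBSAT): who effectively holds DBA?
-- Assumes SELECT on DBA_* views and an Oracle 12c+ dictionary.

-- 1. Accounts that hold the DBA role directly or through a nested role.
--    The recursive part walks role-to-role grants (grantee is itself a
--    role) so that DBA granted to SOME_ROLE granted to a user is found.
WITH dba_like (role) AS (
  SELECT 'DBA' FROM dual
  UNION ALL
  SELECT rp.grantee
  FROM   dba_role_privs rp
  JOIN   dba_like  d ON rp.granted_role = d.role
  JOIN   dba_roles r ON r.role = rp.grantee      -- follow grants to roles only
)
SELECT DISTINCT
       u.username,
       u.account_status,
       u.last_login,
       rp.granted_role AS via_role,
       rp.admin_option
FROM   dba_role_privs rp
JOIN   dba_like  d ON rp.granted_role = d.role
JOIN   dba_users u ON u.username = rp.grantee    -- grantee is a user, not a role
WHERE  u.oracle_maintained = 'N'                 -- ignore Oracle-supplied schemas
ORDER  BY u.username;

-- 2. Accounts holding high-impact system privileges granted directly,
--    which a role-based report alone would miss. The privilege list is a
--    constructed starting point, not an exhaustive one.
SELECT sp.grantee, sp.privilege, sp.admin_option
FROM   dba_sys_privs sp
JOIN   dba_users     u ON u.username = sp.grantee
WHERE  u.oracle_maintained = 'N'
  AND  sp.privilege IN ('ALTER SYSTEM', 'ALTER USER', 'BECOME USER',
                        'GRANT ANY PRIVILEGE', 'GRANT ANY ROLE',
                        'CREATE ANY PROCEDURE', 'EXECUTE ANY PROCEDURE',
                        'SELECT ANY TABLE', 'READ ANY TABLE')
ORDER  BY sp.grantee, sp.privilege;
```

Accounts that appear in the first result with ADMIN_OPTION = 'YES' can in turn grant DBA to others, so they are the first ones to review; accounts with status EXPIRED or LOCKED still count, because the grant survives the lock.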
Sensitive Data Summary Report (DBSAT report screenshots)
For More Details
• Dedicated session on DBSAT: today, 5:45 p.m. - 6:30 p.m., Moscone West - Room 3011
• Demogrounds: SOA-074 Moscone West
• http://www.oracle.com/technetwork/database/security/dbsat.html
• Download DBSAT from https://go.oracle.com/LP=38340
• Watch for v2 announcement
Preview: Data Security Cloud Service (DSCS) - Security Unified and Simplified
Strategy for Securing Cloud Databases
2015, DBCS - Built-in Security
• With all Cloud databases: Transparent Data Encryption, Network encryption
• With High/Extreme DBCS: Database Vault, Data Masking and Subsetting, Data Redaction, Label Security, DB Lifecycle Management
2016, Hybrid - Control and Visibility
• Hybrid support: same security infrastructure for cloud and on-premise databases (Key Vault on premise, Audit Vault on premise)
• Fusion SaaS: Database Vault, Data Masking, Transparent Data Encryption
2017+, Services - Security Cloud Services
• Infrastructure Cloud Security: Security and Monitoring Analytics, IT Compliance
• Data Security Cloud Service: Discovery (plans), Masking (plans), Audit (plans)
Continuing Innovations: Strengthen Security, Simplify Operations (Audit Vault, Key Vault)
Enterprise User Management
Oracle Database with Oracle Directory Services: authentication data, authorization data, map users / roles, enterprise domains; DB user authenticates by password, Kerberos, or PKI
Enterprise User Management with Microsoft Active Directory
Oracle Database with Oracle Directory Services fed from Microsoft Active Directory: user / group, DB password verifier; DB user authenticates by password, Kerberos, or PKI
Centrally Managed Users Directly in Active Directory (NEW)
Oracle Database maps users / roles directly against Microsoft Active Directory: user / group, DB password verifier; DB user authenticates by password, Kerberos, or PKI
Continuing Innovations for Data-at-Rest Encryption (TDE)
Innovation | Details
Transparency | No changes to the application stack
Performance Impact | Minimal
Wallet Management | SSO (auto-login); use wallets to share keys in RAC, GoldenGate, ADG
Master Key Management | Master key is externalized for physical separation from encrypted data
Full-Stack Integration | DB technology: redo logs, temp/undo segments; RAC, Multi-Tenant, GoldenGate, Active Data Guard, Exadata
FIPS 140-2 Level 1 | FIPS algorithms and processing through FIPS-inside libraries
Migration of Data | Offline and online tablespace conversion from clear-text data
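The two table rows most relevant to an operator are the externalized master key and the offline/online conversion of existing clear-text tablespaces. The following is an added example, not from the deck, of what that conversion and its verification look like. It assumes Oracle Database 12.2 or later SQL syntax, a software keystore already configured for the instance, and an account with SYSKM or SYSDBA; the tablespace name USERS, the datafile names and the keystore password are placeholders. V$ENCRYPTED_TABLESPACES, V$TABLESPACE and DBA_TABLESPACES are standard Oracle views.

```sql
-- Added example (not from the deck): converting a clear-text tablespace to
-- TDE and verifying the result. Assumes Oracle 12.2+ syntax, a configured
-- software keystore and SYSKM/SYSDBA. Names and passwords are placeholders.

-- 1. Open the keystore. TDE data keys are wrapped by the master key, which
--    lives in the keystore (or Key Vault), not in the database files.
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "<keystore-password>";

-- 1b. Only on a database that has no master key yet (this statement creates
--     a new key; on an existing TDE database it would rekey).
-- ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY "<keystore-password>" WITH BACKUP;

-- 2a. Online conversion: the tablespace stays open for DML while each
--     datafile is rewritten encrypted under the converted name.
ALTER TABLESPACE users ENCRYPTION ONLINE USING 'AES256' ENCRYPT
  FILE_NAME_CONVERT = ('users01.dbf', 'users01_enc.dbf');

-- 2b. Offline alternative: tablespace unavailable during conversion,
--     datafiles encrypted in place.
-- ALTER TABLESPACE users OFFLINE NORMAL;
-- ALTER TABLESPACE users ENCRYPTION OFFLINE ENCRYPT;
-- ALTER TABLESPACE users ONLINE;

-- 3. Verify which tablespaces are encrypted and with what algorithm.
SELECT t.name, e.encryptionalg, e.encryptedts, e.status
FROM   v$tablespace t
JOIN   v$encrypted_tablespaces e ON e.ts# = t.ts#
ORDER  BY t.name;

-- 4. Inventory check: permanent tablespaces still in clear text are the
--    remaining candidates for conversion.
SELECT tablespace_name
FROM   dba_tablespaces
WHERE  encrypted = 'NO'
  AND  contents  = 'PERMANENT'
ORDER  BY tablespace_name;
```

Queries 3 and 4 together give the "are we fully encrypted at rest" evidence that an assessment or an Article 32 review asks for; the online form in 2a is the one to prefer on production systems because it avoids the outage the offline form needs.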
Continuing Innovations for Centralized Key Management (Key Vault)
Innovation | Details
Wallet and Java KeyStore Mgmt | Centrally store, retrieve, and share in RAC, GoldenGate, ADG
Online TDE master key | Removes wallet management operations, provides physical separation
Supported endpoints | Oracle Databases, Middleware, MySQL TDE, Solaris Crypto, ACFS
Availability | Primary and Standby; Standby automatically becomes Primary
Scalability | Manage multiple hundreds of databases
Hybrid Cloud Key Management | Maintain control / visibility of Cloud keys from on-premise Key Vault
Integration with HSM | Support hardware security module as root-of-trust (SafeNet, Thales)
Persistent Cache | Improves database continuity when Key Vault server is unreachable
Read-only Restricted Mode | Improves database continuity, ensures no key loss by limiting updates
Continuing Innovations in Audit Vault and Database Firewall
• Expanded coverage
  – Hybrid Cloud for Exadata Express and DBCS
  – Before/After values report with Client_ID
  – Updated platform support for targets: OL 6.8-7.3, RHL 7.0, IBM DB2 LUW 11.1
• Infrastructure improvements
  – Improved audit data collection performance with tuned partitioning
  – Multiple backup targets for faster backup
  – Support for multiple network cards for segmentation
Figure: audit data and event logs from Database Cloud Service, Exadata Express CS and Exadata CS, plus network events from Database Firewall, flow into Audit Vault (policies, reports, alerts)
European Union General Data Protection Regulation (EU-GDPR): Strong Privacy Measures for EU Data Subjects
EU-GDPR Overview
• Strong data privacy measures for EU resident data, to protect data from misuse, disclosure, and theft
• EU data subjects granted rights to consent withdrawal, data erasure, and information on how data is used
• Applies to ALL privacy data: PII, PHI, IT, social, political, cookies, logs, …
• Applies to ALL industries, whether on-premise or cloud, globally
• Fines up to 4% of global revenue
• Deadline May 25, 2018
• Similar laws likely to spread globally
Figure: GDPR roles - Data Subjects, Controller, Processor, Third Party, Third Party Processor, Data Protection Officer, Supervisory Authority
Key EU-GDPR Privacy Control Requirements
• Privacy-by-Design through the data life-cycle
  – Creation
  – Usage
  – Test/dev
  – Backup
  – Integration, …
• Comprehensive Foundation Controls
  – Impact Assessment
  – Sensitive Data Discovery
  – Encryption
  – Masking
  – Monitoring
  – Authorized Access, …
• Application Specific Controls
  – Right-to-be-forgotten
  – Right-to-restrict-usage
  – Right-to-rectification
  – Data-minimization, …
• Notify authorities of data breaches within 72 hours
EU-GDPR Articles and Mapping to Oracle Security
GDPR Article | Protection Mechanism | Assisted by Oracle Security Offerings
Article 35 | Data Protection Impact Assessment | Configuration & Compliance Cloud Service; Database Security Assessment Tool (DBSAT)
Article 32 | Pseudonymization and encryption of personal data | Advanced Security, Key Vault
Article 25, 29 | Data protection by design and by default; Processing under the authority | Database Vault
Article 30, 33 | Notification of a personal data breach | Audit Vault and Database Firewall; Security Monitoring and Analytics Cloud Service
Article 18, 25, 32 | Right to restriction of processing; Data protection by design and by default | Label Security
Articles 25, 32 | Pseudonymization and encryption of personal data; Data Minimization | Data Masking and Subsetting
Article 25 | Data Protection by Design and Default | All of the above
What Organizations Need to Do
• Work with competent legal advisors to determine your responsibilities under EU GDPR
• Appoint Data Protection Officers (DPO) that work with Supervisory Authorities
• Prepare a Data Protection Impact Assessment that identifies sensitive data, locations, and security controls
• Implement GDPR practices / procedures
• Start NOW: deadline fast approaching (May 25, 2018)
For More Details
• Full Oracle OpenWorld session: Tuesday, Oct 04, 3:45 p.m. – 4:30 p.m., Moscone West - Room 3011; speakers: Oracle, Capgemini
• Demo grounds: SOA-074 Moscone West
• For more papers and resources: https://www.oracle.com/uk/corporate/features/gdpr.html
Don’t Let Your Data Assets Become a Liability
Secure Your Data, Secure Your Business
Oracle Database Security ebook
Comprehensive view of threats and database security controls
https://www.oracle.com/database/security/index.html
Second edition (EBOOK-v2, coming soon) adds EU-GDPR, Cloud, Security Assessment
Oracle Database Security Strategy
SECURITY INSIDE-OUT: security close to the data eliminates guesswork, maximizes performance, application transparency
CLOUD DEPLOYMENTS: pure cloud and hybrid: built-in security, on-premise hybrid controls, data security cloud services, …
DEFENSE-IN-DEPTH SECURITY CONTROLS: overlapping controls: encryption, masking, auditing, monitoring, access control, redaction, …
ANTICIPATE THREATS & MITIGATE RISKS: Transparent Data Encryption, DBA Control, Redaction, Masking, Privilege Analysis, DB Firewall, RAS, …
Visit Database Security in the Demo Grounds: SOA-71, SOA-72, SOA-73, SOA-74, Moscone West
Database Security at Oracle OpenWorld 2017
Session | Title | Speaker | Location | Date & Time
CON6574 | NEW FEATURE! Centralized Database User Management Using Active Directory | Oracle, Epsilon | Moscone West - 3011 | Mon., 3:15-4:00
CON6575 | NEW! Database Security Assessment Tool Discovers Top Security Risks | Oracle | Moscone West - 3011 | Mon., 5:45-6:30
CON6573 | Data Management and Security in the GDPR Era | Oracle, Capgemini | Moscone West - 3011 | Tues., 3:45-4:30
CON6580 | Encrypt Your Crown Jewels and Manage Keys Efficiently with Oracle Key Vault | Oracle | Moscone West - 3011 | Tues., 4:45-5:30
CON6576 | Accelerate Your Compliance Program with Oracle Audit Vault and Database Firewall | Oracle, Symantec | Moscone West - 3011 | Tues., 5:45-6:30
CON6572 | Inside the Head of a Database Hacker | Oracle | Moscone West - 3014 | Wed., 11:00-11:45
CON6618 | Sneak Preview: Oracle Data Security Cloud Service | Oracle | Moscone West - 3011 | Wed., 2:00-2:45
Safe Harbor Statement
The preceding is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.