Database Security (slide deck hosted at storage.googleapis.com)


Page 1

Page 2

Database Security

Ursula Koski | Senior Principal Architect | Oracle Corporation

Page 3

Ursula Koski

• Senior Principal Architect

• Oracle User Group Liaison and OUGF Board Member (Finland); Finnish Security Association ry Board Member

• Joined Oracle in 2007

– Working mainly with short term database engagements around the world, in the high availability and disaster recovery area.

– Has worked as an Oracle DBA for partners since 1994.

• Interests

– Professional: Oracle Database Evangelist, Maximum Availability Architecture and Database Disaster Recovery & Problem solving.

– Personal: Oracle Databases, all technical gadgets (Geek!), traveling and reading.

Page 4

What is an “Advanced Persistent Threat”?

Cybercrime directed at political, infrastructure, and business targets

Page 5

What are APTs Ultimately After?

Two Thirds of Sensitive and Regulated Information now Resides in Databases, and Doubling Every Two Years

Classified Govt. Info., Trade Secrets, Competitive Bids, Corporate Plans, Source Code, Bug Database, Credit Cards, Customer Data, Financial Data, HR Data, Citizen Data

Source: IDC, "Effective Data Leak Prevention Programs: Start by Protecting Data at the Source — Your Databases", August 2011

Page 6

Database Sprawl Makes Attacking Easier!

Diagram: Sensitive Data surrounded by the copies it ends up in: Partners, DW/Analytics, Reports, Stand By, Test, Dev, Temp use

Page 7

Security in a Traditional Environment

Diagram: separate CRM, HR and ERP databases, each with its own DBA, OS Admin and APPS Admin

Page 8

Security in a Cloud / Consolidated Environment

Diagram: CRM, HR, ERP and DW consolidated onto shared infrastructure

Page 9

Are Databases Adequately Protected?

Diagram: Endpoint Security, Network Security, Authentication Security, Vulnerability Management, Email Security, Database Security

“Forrester estimates that although 70% of enterprises have an information security plan, only 20% of enterprises have a database security plan.”

Source: Forrester Research Inc., Creating An Enterprise Database Security Plan, July 2010

Page 10

Limited Database Controls

70% System users can read/tamper data stored in database files or storage

76% Cannot prevent DBAs from reading/modifying data

68% Cannot detect if database users are abusing privileges

63% Vulnerable to SQL injection attacks or not sure

48% Copy sensitive production data to non-production environments

31% Likely to get breached over the coming year

Source: 2010 Independent Oracle User Group Data Security Report

Page 11

Data Security – IOUG 2010 Report

72% Do not uniformly encrypt sensitive data in all databases

76% Cannot prevent privileged database users from reading/modifying data

68% Cannot detect if database users are abusing privileges

66% Not sure if applications subject to SQL injection

48% Copy sensitive production data to non-production environments

Source: 2010 IOUG Data Security Report

Page 12

What are the High Value Target Systems?

From a study conducted by the Verizon RISK team in conjunction with the US Secret Service

Page 13

Most Records Lost from Database Servers

Type              Category                % Breaches   % Records
Database Server   Servers & Applications  25%          92%
Desktop Computer  End-User Devices        21%          1%

How were these records breached?

89% using SQL injection

86% using stolen credentials

By exploiting legitimate access to databases!

Source: 2010 Verizon Data Breach Investigations Report

Page 14

Opportunistic Breaches and APT

48% involved privilege misuse

40% resulted from hacking

38% utilized malware

28% employed social tactics

Source: 2010 Verizon Data Breach Investigations Report

Page 15

How did We end up Here? (2000 to 2011)

IT Landscape

• 2000: World moving from 2-tier to 3-tier; Limited security considerations

• 2011: All applications online, and highly available; Outsourcing, Service Providers, Cloud

Threat Landscape

• 2000: Hackers driven by fame; Insiders were well-trusted

• 2011: DIY tools; Automated SQL injection attacks; Targets: Credit cards, PII, IP

Security Landscape

• 2000: Network firewall; Anti virus software

• 2011: Desktop security; Perimeter security; Vulnerability management

Regulatory Landscape

• 2000: HIPAA (1996, 2003); EU Data Protection Directives

• 2011: GLBA (1999), SOX (2002), PCI (2004, 2010); Various breach disclosure and privacy laws

Page 16

Sources of Vulnerability

Applications

• SQL Injection attack from outside

• Application bypass

Test & Dev Partners

• Access to production data in non-secure environment

• Access to production systems for trouble shooting

Configuration

• Security configuration parameters

• Security patches

Administrative Accounts

• System administrators, DBAs, Application Administrators

• Stolen credentials, Inadequate training, Malicious insiders

Operations

• Direct OS access

• Lost / stolen backups

Page 17

Concentrate on the Greatest Risk

From a study conducted by the Verizon RISK team in conjunction with the US Secret Service

Chart: Types of Hacking / Percent of Breached Records

Page 18

The Two Biggest Culprits

• Stolen Login Credentials were involved in 38% of Data Breaches and 86% of Breached Records

• SQL Injection was involved in 25% of all Data Breaches and contributed to the loss of 89% of Breached Records

Page 19

Database Security – Big Picture

Diagram labels: Encrypted Database; Compliance Scan; Vulnerability Scan; Data Discovery; Activity Audit; Patch Automation; Auditing; Authorization; Applications; Network SQL Monitoring and Blocking; Data Masking; Multi-factor authorization; Unauthorized DBA Activity; Authentication

Page 20

Discover, Scan, Configure, Patch (Oracle Enterprise Manager)

Diagram: Asset Management, Configuration Management & Audit, Vulnerability Management, Policy Management, Audit Analysis & Analytics, arranged as a cycle of Discover, Classify, Analyze, Advice, Act

• Discover databases, applications, data models, sensitive data

• Continuously scan against security configuration standards

• Real time monitor file and configuration changes

• Analyze patches, resolve patch conflicts, schedule patches

Page 21

Audit Consolidation & Reporting (Oracle Audit Vault)

Diagram: audit data from CRM/ERP Data, Custom App and HR Data flows into an Audit Warehouse; Policies, Built-in Reports, Custom Reports and Alerts are presented to the Auditor

• Consolidate audit data into secure audit warehouse

• Detect and alert on suspicious activities

• Out-of-the box compliance reporting

Page 22

First Line of Defense on the Network (Oracle Database Firewall)

Diagram: SQL from Applications is dispositioned as Block, Log, Allow, Alert or Substitute; Policies, Built-in Reports, Custom Reports, Alerts

• Monitors database activity, and prevents attacks and SQL injections

• White-list, black-list, and exception-list based security policies based upon highly accurate SQL grammar based analysis

• In-line blocking and monitoring, or out-of-band monitoring modes
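As an added illustration of the white-list policy this slide describes (example code, not from the deck or from Oracle Database Firewall, which parses the SQL grammar rather than using the regular-expression approximation here): each statement is reduced to its shape with literals removed, only shapes on a learned allow-list pass, and an unknown shape is blocked in in-line mode or only alerted on in out-of-band mode. The allow-list entries and statements are constructed for the example.

```python
import re

# Constructed allow-list of statement shapes the Finance application is expected to send.
# Each entry is a fingerprint: literals replaced by '?', whitespace and case normalised,
# so a statement matches regardless of the values bound into it.
ALLOWED_SHAPES = {
    "SELECT * FROM FINANCE.CUSTOMERS WHERE CUSTOMER_ID = ?",
    "UPDATE FINANCE.CUSTOMERS SET EMAIL = ? WHERE CUSTOMER_ID = ?",
}

_STRING = re.compile(r"'(?:[^']|'')*'")        # SQL string literal; '' is an escaped quote
_NUMBER = re.compile(r"\b\d+(?:\.\d+)?\b")     # numeric literal (not digits inside identifiers)
_OPERATOR = re.compile(r"\s*([=<>,()])\s*")    # uniform spacing around punctuation
_WS = re.compile(r"\s+")


def fingerprint(sql: str) -> str:
    """Reduce a statement to its grammatical shape (a regex stand-in for grammar analysis)."""
    shape = sql.strip().rstrip(";")
    shape = _STRING.sub("?", shape)
    shape = _NUMBER.sub("?", shape)
    shape = _OPERATOR.sub(r" \1 ", shape)
    return _WS.sub(" ", shape).strip().upper()


def decide(sql: str, inline: bool = True) -> str:
    """Allow-list policy: a known shape is allowed; an unknown shape (for example a
    WHERE clause that gained an extra predicate) is blocked in in-line mode and
    only alerted on in out-of-band monitoring mode."""
    if fingerprint(sql) in ALLOWED_SHAPES:
        return "ALLOW"
    return "BLOCK" if inline else "ALERT"
```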

Page 23

Database Operational Controls (Oracle Database Vault)

Diagram: Procurement, HR and Finance application data kept apart; the Finance application's "select * from finance.customers" reaches finance.customers, while the DBA is kept out of it

• Limit powers of privileged users, and enforce SoD

• Protect application data and prevent application by-pass

• Enforce who, where, when, and how using rules and factors

• Securely consolidate application data

• No application changes required

Page 24

Transparent Data Encryption (Oracle Advanced Security)

Diagram: data stays encrypted on Disk, in Backups and Exports, and at Off-Site Facilities, while the Application accesses it unchanged

• Protects from unauthorized OS level or network access

• Efficient encryption of all application data

• Built-in key lifecycle management

• No application changes required

Page 25

Irreversible De-Identification (Oracle Data Masking)

Production
LAST_NAME   SSN          SALARY
AGUILAR     203-33-3234  40,000
BENSON      323-22-2943  60,000

Non-Production
LAST_NAME   SSN          SALARY
ANSKEKSL    111-23-1111  40,000
BKJHHEIEDK  222-34-1345  60,000

• Reduce fear of loss and scope of audit with irreversible de-identification on non-production databases

• Referential integrity preserved so applications continue to work

• Extensible template library and policies for automation
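An added example (not Oracle Data Masking's own code) of how a masking run can be irreversible and still preserve referential integrity: a keyed hash turns each production value into a consistent substitute, so the same SSN masks identically in every table that references it, and the key is discarded when the run ends. The key, tables and rows are constructed for the example.

```python
import hashlib
import hmac
import string

# Constructed secret that exists only for one masking run and is discarded afterwards.
# With the key gone there is nothing to decrypt with, which is what makes the
# substitution irreversible rather than merely encrypted.
MASK_KEY = b"constructed-masking-run-secret"


def _digest(column: str, value: str, length: int) -> bytes:
    # Keyed hash: equal inputs give equal outputs within the run (so foreign keys still
    # match across tables), but the output reveals nothing about the input.
    out = hmac.new(MASK_KEY, f"{column}\x00{value}".encode(), hashlib.sha256).digest()
    while len(out) < length:                      # extend for values longer than one digest
        out += hashlib.sha256(out).digest()
    return out[:length]


def mask_name(value: str) -> str:
    """Replace a name with uppercase letters of the same length, as the slide shows."""
    return "".join(string.ascii_uppercase[b % 26] for b in _digest("LAST_NAME", value, len(value)))


def mask_ssn(value: str) -> str:
    """Substitute a fictitious value that still has the NNN-NN-NNNN shape."""
    digits = "".join(str(b % 10) for b in _digest("SSN", value, 9))
    return f"{digits[:3]}-{digits[3:5]}-{digits[5:]}"


def mask_table(rows, policy):
    """Apply the per-column maskers; columns without a policy (e.g. SALARY) are kept."""
    return [{col: policy.get(col, lambda v: v)(val) for col, val in row.items()} for row in rows]


# Constructed production rows: the slide's employee table plus a PAYROLL table that
# references employees by SSN, which is the relationship masking must keep intact.
EMPLOYEES = [
    {"LAST_NAME": "AGUILAR", "SSN": "203-33-3234", "SALARY": 40000},
    {"LAST_NAME": "BENSON", "SSN": "323-22-2943", "SALARY": 60000},
]
PAYROLL = [{"SSN": "323-22-2943", "PAID": 5000}]
POLICY = {"LAST_NAME": mask_name, "SSN": mask_ssn}

if __name__ == "__main__":
    for row in mask_table(EMPLOYEES, POLICY) + mask_table(PAYROLL, POLICY):
        print(row)
```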

Page 26

Oracle Database Security Strategy

Low Security: Sensitive Data Removed

• Data Masking for Non-Production

Maximum Security: Controls within Database

• Encryption, Auditing, Privileged User Controls, Classification, Change Tracking, App Security

External Controls: Protect Oracle and Non-Oracle DB (e.g. MySQL)

• Activity Monitoring, Auditing, Blocking Attacks, Reporting

Page 27

Oracle Database Security Key Differentiators

• High Performance, Accurate

• Defense-in-Depth Security Platform

• Securing through the Life Cycle

• Transparently Support Existing Applications

• Heterogeneous Support

Page 28

Issues to Ponder?

1 Is our IP secured?

2 Can we defend against APTs and other attacks?

3 Would we know if we were breached?

4 Do privileged users know what they should not?

5 Are we in compliance with all regulations?

Page 29

What’s Your Next Move?

1 Know where the sensitive data is

2 Scan, assess, patch, audit your databases

3 Database Firewall as first line of defense

4 Control the privileged users

5 Encrypt and mask sensitive data

Page 30

Q&A