The twenty-four/seven database
Oracle Database Security
David Yahalom
Senior database [email protected]
Security Drivers (and constraints):
• Enterprise value resides in Bits (I.P.) not Atoms (factories). Google Vs. Ford.
• Data everywhere, must be accurate, fast and available.
• Security must be Transparent to the end user.
• Security decisions increasingly tied to compliance (regulatory or in-house).
Security Drivers (and constraints):
• Network security is well known and understood (VPN, Firewall).
• Attackers now going where data resides.
• Legitimate and authenticated users are a concern.
Inbound Data:
• Network Encryption
• Strong Authentication
• Identity Management
Storage:
• Transparent Data Encryption
• Secure Backup
Access Control:
• Database Vault
• Oracle Label Security
• Oracle VPD
Outbound Data:
• Network Encryption
• Data Masking
Monitor:
• Database Vault.
• Audit Vault.
• Configuration Scanning.
“A 2007 Oracle survey found that a DBA usually spends less than 7% of total work time on database security.”
Database Security is NOT a one-time project.
Database Security is an ongoing process.
Add a security-focused DBA to the security department.
The secure database solutions:
• Oracle Database Vault.
• Oracle Advanced Security.
• Oracle Audit Vault
• Virtual Private Database.
• Fine-Grained Auditing.
• Secure Backup.
Diagram (overview): Oracle Database, Backup Medium, End Client, DBA, Network.
Flowing & Resting data:
• Worry about Encryption “in the land”.
• Data at rest is a critical security concern (encrypt the heart of your data).
Network Security Threats:
• Data Modification or Replay.
• Data Disruption: packet stolen, order never arrives ($500.00).
• Data Theft: my competitor sees my bids in a sealed auction ($50,000).
Oracle Advanced Security:
Oracle Advanced Security is a security option for the Oracle Database.
Oracle Advanced Security combines network encryption, database encryption and strong authentication together to help customers address privacy and compliance requirements.
Oracle Advanced Security:
• Transparent Data Encryption: the datafile is safe!
• Network protocol traffic encryption & integrity.
• Strong Authentication (Kerberos, RADIUS, SSL, PKI).
• Encryption standards:
• RC4, DES, 3DES, AES.
• MD5 + SHA-1 data integrity.
Diagram: Oracle Database, Backup Medium, End Client, DBA, Network, with TDE (database and backup medium) and Advanced Security (network) marked.
Database Vault:
Authoritative security studies have documented that more than 80% of information system data losses and attacks have been perpetrated by 'insiders' — those authorized with some level of access to the system and its data.
• 80% of threats come from insiders.
• 65% of internal threats are undetected.
Database Vault:
Oracle Database Vault addresses common regulatory compliance requirements and reduces the risk of insider threats.
Database Vault:
• Preventing highly privileged users (DBA) from accessing application data.
• Enforcing separation of duty (DBA can’t create users, view data).
• Providing controls over who, when, where and how applications, data and databases can be accessed.
• Can be added to existing application environments without changes to the existing application code.
TDE wallet flow:
• DBA starts up the database.
• Security DBA opens the wallet containing the master key.
• Wallet password is separate from the SYSTEM or DBA password.
• DBA has no access to the wallet.
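The wallet flow above, as an added example that is not part of the original slides; it uses the 10gR2/11g TDE syntax, and the wallet directory, table, column and password are assumed placeholders:

```sql
-- sqlnet.ora on the database server points at the wallet directory
-- (directory path is an assumed placeholder):
--   ENCRYPTION_WALLET_LOCATION =
--     (SOURCE = (METHOD = FILE)
--       (METHOD_DATA = (DIRECTORY = /u01/app/oracle/admin/orcl/wallet)))

-- One-time setup by the security DBA: creates the wallet and the master key.
-- The wallet password is distinct from the SYS/SYSTEM passwords and is never
-- given to the regular DBA.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "wallet-password-placeholder";

-- Encrypt a sensitive column (table/column assumed); the datafile blocks for
-- this column now hold ciphertext, so a stolen datafile exposes nothing.
ALTER TABLE app.accounts MODIFY (card_number ENCRYPT USING 'AES256');

-- After every database startup (done by the regular DBA) the wallet is closed
-- and encrypted columns stay unreadable until the security DBA opens it:
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "wallet-password-placeholder";

-- Check wallet state from either role; STATUS reads OPEN or CLOSED.
SELECT wrl_type, status FROM v$encryption_wallet;
```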
Diagram: Oracle Database, Backup Medium, End Client, DBA, Network, with Database Vault placed between the DBA and the database.
Virtual Private Database:
Also known as Fine Grained Access Control, provides powerful row-level security capabilities.
For example, VPD can be used to restrict access to data during business hours.
Virtual Private Database:
Transparently modifying requests for data to present a partial view of the tables to the users based on a set of defined criteria.
select * from accounts;
changes to: select * from accounts where am_name = 'BOAZ';
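The rewrite above, implemented as an added example (not code from the original slides) with a VPD policy function registered through DBMS_RLS; the table and column names ACCOUNTS and AM_NAME come from the slide, while the schema APP, the policy name and the 09:00-17:59 business-hours window are assumed:

```sql
-- Policy function: Oracle calls it with (schema, object) and appends the
-- returned predicate to every statement against the protected table.
CREATE OR REPLACE FUNCTION app.accounts_policy (
    p_schema IN VARCHAR2,
    p_object IN VARCHAR2
) RETURN VARCHAR2
AS
    v_hour PLS_INTEGER := TO_NUMBER(TO_CHAR(SYSDATE, 'HH24'));
BEGIN
    -- Outside business hours no rows are visible ('1=0' is always false).
    IF v_hour < 9 OR v_hour >= 18 THEN
        RETURN '1=0';
    END IF;
    -- Inside business hours a user sees only the accounts they manage, so
    -- "select * from accounts" run by BOAZ becomes
    -- "select * from accounts where am_name = 'BOAZ'".
    RETURN 'am_name = SYS_CONTEXT(''USERENV'', ''SESSION_USER'')';
END;
/

-- Attach the predicate to SELECT, INSERT, UPDATE and DELETE on APP.ACCOUNTS.
BEGIN
    DBMS_RLS.ADD_POLICY(
        object_schema   => 'APP',
        object_name     => 'ACCOUNTS',
        policy_name     => 'ACCOUNTS_AM_POLICY',
        function_schema => 'APP',
        policy_function => 'ACCOUNTS_POLICY',
        statement_types => 'SELECT,INSERT,UPDATE,DELETE',
        update_check    => TRUE);  -- also reject writes that would fall outside the predicate
END;
/
```

Users with the EXEMPT ACCESS POLICY system privilege bypass VPD policies, so granting that privilege deserves the same scrutiny as granting DBA.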
Virtual Private Database:
Oracle Label Security – an optional add-on providing an easy-to-use interface for row-level security. No coding needed.
Diagram: Oracle Database, Backup Medium, End Client, DBA, Network, with VPD placed between the end client / DBA and the database.
Secure Backup:
The next generation centralized tape backup management delivers advanced media management and backup encryption for file systems and Oracle.
Secure Backup:
• Optimized tape backup for Oracle, increasing backup performance by 10 – 25%.
• Secure data protection - AES-256 backup encryption for file systems, protecting backup data when tapes are onsite, offsite or lost.
• Integrated to EM & RMAN: tape backups can now be done by the DBA.
Diagram: Oracle Database, Backup Medium, End Client, DBA, Network, with Secure Backup covering the backup medium.
Audit Vault:
Oracle Audit Vault turns audit data into a key security resource to help address today's security and compliance challenges. Oracle Audit Vault automates audit collection, integrates sources, simplifies compliance reporting and provides scale and security.
Audit Vault:
• Logon failures, privilege usage, data access, object access, and other activities.
• Statement, privilege, schema object and content-based auditing.
• Alerts & compliance reports.
• Audit data warehouse & report generation.
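Content-based auditing, as listed above, implemented as an added example (not from the original slides) with a Fine-Grained Auditing policy through DBMS_FGA; the schema APP, the BALANCE column and the threshold are assumed:

```sql
-- Audit only statements that touch the BALANCE column of APP.ACCOUNTS and
-- whose result rows satisfy the condition; ordinary reads of small balances
-- produce no audit record, so the trail stays focused and reviewable.
BEGIN
    DBMS_FGA.ADD_POLICY(
        object_schema   => 'APP',
        object_name     => 'ACCOUNTS',
        policy_name     => 'ACCOUNTS_HIGH_BALANCE_AUDIT',
        audit_condition => 'BALANCE > 100000',
        audit_column    => 'BALANCE',
        statement_types => 'SELECT,UPDATE,DELETE',
        audit_trail     => DBMS_FGA.DB_EXTENDED);  -- store SQL text and bind values too
END;
/

-- Review what was captured: this is the per-database source that an audit
-- collector such as Audit Vault consolidates for alerts and reports.
SELECT db_user, timestamp, object_name, sql_text, sql_bind
  FROM dba_fga_audit_trail
 WHERE policy_name = 'ACCOUNTS_HIGH_BALANCE_AUDIT'
 ORDER BY timestamp DESC;
```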
Diagram (summary): Oracle Database, Backup Medium, End Client, DBA, Network, with Database Vault, TDE, Secure Backup, VPD and Advanced Security all marked in place.