云和恩墨 (Delivering what is entrusted to us) by 王朝阳 18516271611 [email protected]

Security Requirements & Solutions

Oracle security 01-security requirements & solutions


Page 1: Oracle security 01-security requirements & solutions

Security Requirements & Solutions

Page 2: Oracle security 01-security requirements & solutions

Objectives

After completing this lesson, you should be able to do the following:
• Describe fundamental security requirements
• Define the following terms:
  – Least privilege
  – Authorization
  – Authentication
• Describe security policies
• Describe the concept of security in detail:
  – Preventing exploits
  – Maintaining data integrity
  – Protecting data
  – Controlling data access

Page 3: Oracle security 01-security requirements & solutions

Industry-Security Requirements

• Legal:
  – Sarbanes-Oxley Act (SOX)
  – Health Information Portability and Accountability Act (HIPAA)
  – California Breach Law
  – UK Data Protection Act
• Auditing

Page 4: Oracle security 01-security requirements & solutions

Security Standards

Recognized security standards:
• ISO 17799
• SANS Institute
• CERT/CC

Do your policies meet the standards?

Page 5: Oracle security 01-security requirements & solutions

Fundamental Data-Security Requirements

You should know the following fundamental data-security requirements:
• Confidentiality
• Integrity
• Availability

Page 6: Oracle security 01-security requirements & solutions

Components for Enforcing Security

• Authentication
• Authorization
• Access control
• Auditing

Page 7: Oracle security 01-security requirements & solutions

Security Risks

Risk analysis includes:
• External attack:
  – Unauthorized users
  – Denial of service
  – Unauthorized data and service access
• Internal abuse: data or service theft
• Sabotage: data or service corruption
• Complexity

Page 8: Oracle security 01-security requirements & solutions

Principle of Least Privilege

• Install only the required software on the machine.
• Activate only the required services on the machine.
• Give operating system (OS) and database access to only those users who require access.
• Limit access to the root or administrator account.
• Limit access to SYSDBA and SYSOPER accounts.
• Limit users' access to only the database objects that are required to do their jobs.
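The following is an added example, not code from the slides, showing how the last three bullets are checked and enforced on an Oracle database; the schema HR, its tables EMPLOYEES and DEPARTMENTS, the role HR_REPORTING and the account APP_USER are assumed names.

```sql
-- Added example, not from the slides: enforce and verify least privilege
-- on an Oracle database. Schema HR, its tables EMPLOYEES and DEPARTMENTS,
-- the role HR_REPORTING and the account APP_USER are assumed names.

-- 1. Who can connect AS SYSDBA / SYSOPER through the password file?
SELECT username, sysdba, sysoper FROM v$pwfile_users;

-- 2. Who holds the DBA role, any "... ANY ..." privilege, or a system
--    privilege WITH ADMIN OPTION? Every row is an account to justify.
SELECT grantee FROM dba_role_privs WHERE granted_role = 'DBA';
SELECT grantee, privilege
  FROM dba_sys_privs
 WHERE privilege LIKE '%ANY%' OR admin_option = 'YES';

-- 3. Replace a broad grant with a task-specific role that carries only
--    the object privileges the job needs.
CREATE ROLE hr_reporting;
GRANT CREATE SESSION TO hr_reporting;
GRANT SELECT ON hr.employees   TO hr_reporting;
GRANT SELECT ON hr.departments TO hr_reporting;

REVOKE DBA FROM app_user;
GRANT hr_reporting TO app_user;
ALTER USER app_user DEFAULT ROLE hr_reporting;

-- 4. Verify the end state: APP_USER holds only the new role and no
--    directly granted system privileges.
SELECT granted_role FROM dba_role_privs WHERE grantee = 'APP_USER';
SELECT privilege    FROM dba_sys_privs  WHERE grantee = 'APP_USER';
```

Run the review queries in step 1 and 2 on a schedule; a new row is a privilege grant that needs an owner and a reason.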

Page 9: Oracle security 01-security requirements & solutions

Defining a Security Policy

• What is a security policy?
  – A set of rules
  – Specific to an area and site
  – Required
  – Approved by management
• What is a standard?
  – Rules specific to a system or process
  – Required for everyone
• What are guidelines?
  – Suggestions and best practices
  – Specific to a system or a process

Page 10: Oracle security 01-security requirements & solutions

Developing Your Security Policy

The steps to develop your security policy are:
1. Assemble your security team.
2. Define your security requirements.
3. Develop procedures and systems to meet these requirements.
4. Implement security procedures.

Page 11: Oracle security 01-security requirements & solutions

Examining All Aspects of Security

Consider the following dimensions:
• Physical
• Personnel
• Technical
• Procedural

Example: An employee leaves his or her desk while using an application.

Page 12: Oracle security 01-security requirements & solutions

Implementing a Security Policy

• Implement your standards and procedures.
• Implement the plan for developing new systems and applications.
• Monitor and enforce the policy.
• Keep systems and applications up-to-date with security patches.
• Educate users.

Page 13: Oracle security 01-security requirements & solutions

Hardening the Operating System

• Limit services to required services.
• Limit users.
• Use security from the service.
• Apply all security patches and workarounds.
• Protect backups.
• Test security for in-house development.
• Require strong passwords.
• Control physical access.
• Audit system activity.
• Use intrusion-detection tools.

Page 14: Oracle security 01-security requirements & solutions

Easing Administration

• Examine the security features of the service:
  – Select the features that meet your security requirements.
  – Integrate the features to simplify administration.
• Ease security administration by:
  – Using single sign-on
  – Delegating security authority
  – Grouping users with common privileges
  – Synchronizing with other sources

Page 15: Oracle security 01-security requirements & solutions

Using a Firewall to Restrict Network Access

[Diagram: client computers reach the application/web server through a firewall, and the application/web server reaches the database server through a second firewall.]

Page 16: Oracle security 01-security requirements & solutions

Hardening Oracle Services

• Harden the database.
• Harden Oracle Net Services.
• Use Connection Manager as a firewall.
• Use available components:
  – Fine-grained access control
  – Enterprise user authentication
  – Encryption
  – Label security
  – Strong authentication by using public key infrastructure or Kerberos
• Harden the middle tier.

Page 17: Oracle security 01-security requirements & solutions

Preventing Exploits

Use industry-standard practices:
• Harden the database.
• Harden the operating system.
• Harden the network.

Page 18: Oracle security 01-security requirements & solutions

Maintaining Data Integrity

Sarbanes-Oxley requires assurance of the integrity of the data that is used to produce financial reports. Oracle Database 10g can provide the following:
• Standard auditing
• Fine-grained auditing
• Privileged-account auditing
• Network encryption
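As an added example (not from the slides), the following puts the first three items to work on a financial table: standard auditing for privileged activity and schema changes, and a fine-grained auditing (FGA) policy that records only the changes an auditor cares about. The schema FIN, table FIN.LEDGER with columns ACCOUNT_ID and AMOUNT, and the policy name are assumed.

```sql
-- Added example, not from the slides: audit the data behind financial
-- reports with standard auditing plus fine-grained auditing (FGA).
-- Schema FIN, table FIN.LEDGER (columns ACCOUNT_ID, AMOUNT) and the
-- policy name are assumed.

-- Standard auditing: record SYS/SYSDBA activity, and keep the audit
-- trail in the database with full SQL text (instance restart required).
ALTER SYSTEM SET audit_sys_operations = TRUE SCOPE = SPFILE;
ALTER SYSTEM SET audit_trail = DB_EXTENDED SCOPE = SPFILE;

-- Audit schema changes and privilege grants, one record per statement.
AUDIT ALTER TABLE, DROP TABLE BY ACCESS;
AUDIT GRANT ANY PRIVILEGE, GRANT ANY ROLE BY ACCESS;

-- FGA: record only UPDATE/DELETE statements that touch AMOUNT or
-- ACCOUNT_ID on rows with a large amount, with SQL text and bind values.
BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema     => 'FIN',
    object_name       => 'LEDGER',
    policy_name       => 'LEDGER_LARGE_CHANGES',
    audit_condition   => 'AMOUNT > 10000',
    audit_column      => 'AMOUNT,ACCOUNT_ID',
    audit_column_opts => DBMS_FGA.ANY_COLUMNS,
    statement_types   => 'UPDATE,DELETE',
    audit_trail       => DBMS_FGA.DB_EXTENDED,
    enable            => TRUE);
END;
/

-- Review: who changed what, when, and the exact statement they ran.
SELECT db_user, timestamp, sql_text, sql_bind
  FROM dba_fga_audit_trail
 WHERE policy_name = 'LEDGER_LARGE_CHANGES'
 ORDER BY timestamp;
```

The audit trail itself is evidence, so it needs the same protection as the ledger: restrict SELECT and DELETE on the audit tables and copy records to a store the database administrators cannot alter.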

Page 19: Oracle security 01-security requirements & solutions

Data Protection

Under CA-SB-1386, personally identifiable information must be protected. Use the following techniques:
• Restrict access.
• Encrypt stored data.
• Encrypt network traffic.
• Restrict network access.
• Monitor activity.
• Harden every layer.

[Figure: a stored value is shown in encrypted form (OKYMSEISPDTGA) alongside its plaintext (MyCreditCardNum).]
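The following is an added example, not from the slides, that applies "encrypt stored data", "restrict access" and "encrypt network traffic" to the card-number column in the figure, using Oracle Database 10g Release 2 Transparent Data Encryption syntax. The schema SALES, table SALES.CUSTOMERS, column CREDIT_CARD_NUM, the view and role names, and the wallet password are assumed placeholders.

```sql
-- Added example, not from the slides: protect a stored card number with
-- Transparent Data Encryption (Oracle Database 10g Release 2 syntax) and
-- limit who can read it. Schema SALES, table SALES.CUSTOMERS, column
-- CREDIT_CARD_NUM, the view/role names and the password are placeholders.

-- One-time setup: create the master key in the wallet whose location is
-- set in sqlnet.ora (ENCRYPTION_WALLET_LOCATION). After each restart the
-- wallet must be reopened before encrypted columns can be read.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "wallet_password_placeholder";
-- ALTER SYSTEM SET WALLET OPEN IDENTIFIED BY "wallet_password_placeholder";

-- Encrypt the column in place: data files and backups now hold
-- ciphertext, while applications keep seeing plaintext through SQL.
ALTER TABLE sales.customers
  MODIFY (credit_card_num ENCRYPT USING 'AES256');

-- Confirm the column is encrypted and salted (salt stops equal values
-- producing equal ciphertext; use NO SALT only if the column is indexed).
SELECT owner, table_name, column_name, encryption_alg, salt
  FROM dba_encrypted_columns;

-- Restrict access: most users see only the last four digits through a
-- view; the base table is granted to nobody else.
CREATE VIEW sales.customers_masked AS
  SELECT customer_id,
         '************' || SUBSTR(credit_card_num, -4) AS card_last4
    FROM sales.customers;
CREATE ROLE card_viewer;
GRANT SELECT ON sales.customers_masked TO card_viewer;

-- Network encryption is set outside SQL, in the server's sqlnet.ora:
--   SQLNET.ENCRYPTION_SERVER = REQUIRED
--   SQLNET.ENCRYPTION_TYPES_SERVER = (AES256)
--   SQLNET.CRYPTO_CHECKSUM_SERVER = REQUIRED
```

Back up the wallet separately from the database backups: a backup that contains the encrypted column is unreadable without it, and a backup that contains both is no longer protected.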

Page 20: Oracle security 01-security requirements & solutions

Access Control

The law requires that only certain persons may access specific data. Access control and monitoring include:
• Implement the Virtual Private Database (VPD):
  – Application context
  – Fine-grained access control (FGAC)
• Use Oracle Label Security (OLS).
• Apply auditing.
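As an added example (not from the slides), the following wires the two VPD pieces together: an application context populated at logon, and a fine-grained access control policy whose predicate reads that context so each user sees only their own department's rows. The schema HR, table HR.EMPLOYEES with DEPARTMENT_ID, the mapping table HR.USER_DEPARTMENTS, and the context, package, trigger, function and policy names are assumed; the trigger owner needs ADMINISTER DATABASE TRIGGER.

```sql
-- Added example, not from the slides: row-level access control with VPD.
-- Schema HR, table HR.EMPLOYEES (with DEPARTMENT_ID), the mapping table
-- HR.USER_DEPARTMENTS and the context/package/policy names are assumed.

-- 1. Application context, settable only by the trusted package named here.
CREATE CONTEXT hr_ctx USING hr.hr_ctx_pkg;
CREATE OR REPLACE PACKAGE hr.hr_ctx_pkg AS
  PROCEDURE set_dept;
END;
/
CREATE OR REPLACE PACKAGE BODY hr.hr_ctx_pkg AS
  PROCEDURE set_dept IS
    v_dept NUMBER;
  BEGIN
    SELECT department_id INTO v_dept
      FROM hr.user_departments
     WHERE username = SYS_CONTEXT('USERENV', 'SESSION_USER');
    DBMS_SESSION.SET_CONTEXT('hr_ctx', 'dept_id', v_dept);
  EXCEPTION
    WHEN NO_DATA_FOUND THEN NULL; -- unmapped user: context stays empty
  END;
END;
/
-- Populate the context at logon (unmapped users still log on, see no rows).
CREATE OR REPLACE TRIGGER hr.set_ctx_on_logon AFTER LOGON ON DATABASE
BEGIN hr.hr_ctx_pkg.set_dept; END;
/

-- 2. Policy function: the predicate Oracle appends to every statement.
--    With an empty context the comparison is NULL, so no rows match.
CREATE OR REPLACE FUNCTION hr.dept_predicate(p_schema VARCHAR2, p_obj VARCHAR2)
  RETURN VARCHAR2 AS
BEGIN
  RETURN 'department_id = SYS_CONTEXT(''hr_ctx'', ''dept_id'')';
END;
/

-- 3. Register the policy (fine-grained access control). UPDATE_CHECK stops
--    a user inserting or updating rows into another department.
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'HR',
    object_name     => 'EMPLOYEES',
    policy_name     => 'EMP_DEPT_POLICY',
    function_schema => 'HR',
    policy_function => 'DEPT_PREDICATE',
    statement_types => 'SELECT,INSERT,UPDATE,DELETE',
    update_check    => TRUE);
END;
/
```

The policy is only as trustworthy as the context: because the context can be set solely through HR.HR_CTX_PKG, a session cannot change its own department, and the predicate, not the application, decides which rows are visible.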

Page 21: Oracle security 01-security requirements & solutions

Summary

In this lesson, you should have learned how to:
• List and describe fundamental security requirements
• Define the following terms:
  – Principle of least privilege
  – Authorization
  – Authentication
• Describe some security risks and requirements
• Describe the concept of security in detail:
  – Preventing exploits
  – Maintaining data integrity
  – Protecting data
  – Controlling data access

Page 22: Oracle security 01-security requirements & solutions

Q&A