Transcript Document

ORACLE Security Solution
Overview
Ray Shih
Principal Sales Consultant
Oracle Corporation
Oracle - 30 Plus Years of Database Security Leadership (1977 - 2007)
(timeline, newest first)
• Oracle Audit Vault (CY 2007)
• Oracle Data Vault (CY 2006)
• Database CC Security Eval #18 (10g R1)
• Transparent Data Encryption
• VPD Column Sec Policies
• Fine Grained Auditing (9i)
• 1st Database Common Criteria (EAL4)
• Oracle Label Security (2000, 8.1.7)
• Virtual Private Database (1998)
• Enterprise User Security (8i)
• Database Encryption API
• Kerberos Support (8i)
• Support for PKI
• Radius Authentication
• Network Encryption (Oracle7)
• Oracle Advanced Security introduced
• First Orange Book B1 evaluation (1993)
• Trusted Oracle7 MLS DB
• Government customer
Database Vendor Comparison
(chart) Rates Oracle, SQL Server and DB2 on a scale of Average / Good / Best for three feature areas: Data-at-Rest Encryption, Auditing Features, and Advanced Security Features. The individual ratings are not recoverable from the text. Source: Forrester Research
Data Security Components
(diagram) Five component areas:
• User Management
• Access Control
• Core Platform Security
• Monitoring
• Data Protection
Data Security: Oracle Products
• User Management: Oracle Identity Management, Enterprise User Security
• Access Control: Oracle Database Vault, Oracle Label Security, Virtual Private Database
• Core Platform Security
• Monitoring: Oracle Audit Vault, EM Configuration Pack
• Data Protection: Oracle Advanced Security, Oracle Secure Backup
Overview: Oracle Identity Access Management and Oracle Advanced Security
(diagram) The application authenticates with strong authentication (Oracle Advanced Security); its traffic to the database is protected by network encryption (Oracle Advanced Security); data written to disk is automatically encrypted by Transparent Data Encryption and automatically decrypted through the SQL interface; the data remains encrypted on backup files.
Oracle IAM Products
Oracle Identity & Access Management Suite (diagram):
• Access Control: Oracle Access Manager, Oracle Enterprise Single Sign-On, Oracle Identity Federation, Oracle Web Services Manager
• Identity Administration: Oracle Identity Manager
• Directory Services: Oracle Virtual Directory, Oracle Internet Directory (with Directory Integration Platform)
• Audit & Compliance
• Management: Oracle Enterprise Manager for Identity Management
Database Supplied Packages for Encryption
1. DBMS_CRYPTO
2. DBMS_OBFUSCATION_TOOLKIT
Network Encryption
• Encrypts all communications with the database
– AES
– RSA RC4 (40-, 56-, 128-, 256-bit keys)
– DES (40-, 56-bit) and 3DES (2- and 3-key)
– Diffie-Hellman key exchange
• Data integrity with checksums
– MD5, SHA-1
– Automatically detects modifications, replays, missing packets
Strong Authentication
• PKI
– PKCS #7, #11, #12
– Supports smart cards, biometrics, etc.
• Kerberos
– Simple deployment
– Integrates with Kerberos servers
• RADIUS
– Integrates with 3rd party RADIUS compliant solutions
Oracle Database 10g Release 2 – Transparent Data Encryption
(diagram) Application traffic is protected by ASO network encryption; data written to disk is encrypted, data read through the SQL interface is decrypted, and the data stays encrypted on backup files.
• Transparent Data Encryption
– Includes key management
– Transparent to applications
– Helps address privacy and regulatory compliance
Transparent Data Encryption
Create the Master Key
(diagram) The wallet location is configured in sqlnet.ora; the wallet holds the master key, which protects the column keys in the key table.
Open the Wallet
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "welcome1";
Create an Encrypted Column
CREATE TABLE cust_payment_info
(first_name VARCHAR2(11),
last_name VARCHAR2(10),
order_number NUMBER(13),
credit_card_number VARCHAR2(20)
ENCRYPT NO SALT);
Encrypt Clause Syntax
CREATE TABLE cust_payment_info
(…
credit_card_number VARCHAR2(20)
ENCRYPT USING 'AES256'
IDENTIFIED BY password
NO SALT);
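The wallet, master key and encrypted-column steps above as one runnable sequence, added here as an example and not taken from the deck. The wallet directory, the index name and the sample row are assumptions; the password "welcome1" is the one on the slide.

```sql
-- Added example, not from the deck. Assumed: the wallet directory below, the
-- password "welcome1" from the slide, and the index name. Needs ALTER SYSTEM and
-- CREATE TABLE privileges on 10g Release 2; the last statement needs 11g.
--
-- Step 0: sqlnet.ora on the database server (shown as a comment, it is not SQL):
--   ENCRYPTION_WALLET_LOCATION =
--     (SOURCE = (METHOD = FILE)
--       (METHOD_DATA = (DIRECTORY = /u01/app/oracle/admin/orcl/wallet)))

-- Step 1 (once): generate the master key. This also creates the wallet file
-- at that location and leaves it open for the current instance lifetime.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "welcome1";

-- Step 2 (after every instance restart): open the wallet so the master key can
-- unwrap the column keys kept in the data dictionary.
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "welcome1";

-- Check: STATUS must be OPEN, otherwise access to encrypted columns raises an error.
SELECT wrl_type, wrl_parameter, status FROM v$encryption_wallet;

-- Step 3: the table. Explicit algorithm; NO SALT is what makes the column
-- indexable in 10g, at the cost that equal plaintexts give equal ciphertexts.
CREATE TABLE cust_payment_info (
  first_name         VARCHAR2(11),
  last_name          VARCHAR2(10),
  order_number       NUMBER(13),
  credit_card_number VARCHAR2(20) ENCRYPT USING 'AES256' NO SALT
);
CREATE INDEX cust_payment_ccn_ix ON cust_payment_info (credit_card_number);

-- Step 4: what the dictionary records about the column.
SELECT table_name, column_name, encryption_alg, salt
  FROM dba_encrypted_columns
 WHERE table_name = 'CUST_PAYMENT_INFO';

-- Transparent use: the application reads and writes cleartext through SQL while
-- the blocks on disk, and therefore in RMAN backups, hold ciphertext.
INSERT INTO cust_payment_info VALUES ('Ray', 'Shih', 1000000000001, '4111111111111111');
SELECT credit_card_number FROM cust_payment_info WHERE order_number = 1000000000001;

-- 11g: encrypt a whole tablespace instead (always salted, any index type, no
-- per-column restrictions). Existing tablespaces cannot be converted; move the
-- tables into the new one with ALTER TABLE ... MOVE.
CREATE TABLESPACE secure_ts DATAFILE '/u02/oradata/orcl/secure_ts01.dbf' SIZE 100M
  ENCRYPTION USING 'AES256' DEFAULT STORAGE (ENCRYPT);
```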
TDE Restrictions (10g)
• No bitmapped or domain indexes on encrypted columns allowed
• No Large Objects (LOBs or CLOBs) may be encrypted
• Direct-path SQL*Loader
• No SYS schema objects may be encrypted
• Other database tools and utilities that directly access data files
TDE 11g
• Tablespace Encryption
• Master key stored in HSM device
• SECUREFILE LOB Encryption
Oracle Advanced Security
Tablespace Encryption
• Define a new tablespace as 'encrypted'
– cannot convert existing, un-encrypted tablespaces
– however, content can be moved into encrypted tablespaces
• Always salted for higher security
• Overcomes limitations of column-based TDE:
– supports indexes other than b-tree
– supports foreign keys
• No additional management overhead
– integrated into TDE key management, same wallet used as for column based Transparent Data Encryption
• No storage overhead (!)
Oracle Advanced Security
Master key stored in HSM device
• Store the master key in an external hardware device
• Master key never leaves the device
• Standard PKCS #11 API allows customers to choose from a wide range of HSM vendors
• Encryption and decryption done on the database server
• Simplifies key management in distributed environments (Data Guard, RAC)
Oracle Advanced Security
SECUREFILE LOB Encryption
• All SECUREFILE LOBs in an encrypted column are encrypted
– In-line (in table) and out-of-line (in tablespace) are both encrypted
– BFILEs are not encrypted
– Always salted for higher security
Oracle Advanced Security
Transparent Data Encryption Manageability (11g)
Oracle Label Security
(diagram) A user whose label is Sensitive : ACME queries an application table whose rows each carry a sensitivity label:

Store ID   Revenue    Department    Sensitivity Label
AX703      10200.34   Finance       Sensitive : ACME
B789C      18020.34   Engineering   Sensitive : WIDGET
JFS845     15045.23   Legal         Highly Sensitive : ACME
SF78SD     21004.45   HR            Unclassified : ACME

The two rows marked OK on the slide are the ones the user's label dominates: Sensitive : ACME (same level and compartment) and Unclassified : ACME (lower level, same compartment). Sensitive : WIDGET fails on the compartment and Highly Sensitive : ACME fails on the level.
Virtual Private Database
• Fine-grained access control
• Row-level security
• Server-enforced security policy
– Associates security policies with tables or views
• Transparent predicate rewrite
• ASPs hosting applications
(diagram) Harry and Dick each run SELECT * FROM ORDERS; the security policy attached to the Orders table rewrites each query, so each user sees only the rows the policy allows him.
Virtual Private Database
Column Relevant Policies (10g)
(diagram) The query
  Select cust_last_name, social_security_number from accts;
passes through a VPD column-relevant policy on the SOCIAL SECURITY NUMBER column; the slide shows the column values 431-395-9332 and 381-395-9223 governed by that policy.
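A column-relevant policy of the kind the slide shows, written out as an added example (not from the deck): schema BANK, table ACCTS with an OWNER_USER column, the policy function and the users HARRY and DICK are assumptions; the two column names in the final SELECT are the ones on the slide.

```sql
-- Added example, not from the deck. Assumed: schema BANK, table ACCTS with an
-- OWNER_USER column, and two database users HARRY and DICK (the names on the VPD
-- slide). The column names in the final SELECT are the ones on the slide.
CREATE TABLE bank.accts (
  acct_id                NUMBER PRIMARY KEY,
  cust_last_name         VARCHAR2(40),
  social_security_number VARCHAR2(11),
  owner_user             VARCHAR2(30)   -- database user entitled to see the SSN
);

-- Policy function: VPD passes the protected object's schema and name and appends
-- the returned predicate to the statement. Keep it cheap; a dynamic policy runs
-- it on every parse or execute.
CREATE OR REPLACE FUNCTION bank.accts_ssn_predicate (
  p_schema IN VARCHAR2,
  p_object IN VARCHAR2
) RETURN VARCHAR2
AS
BEGIN
  RETURN 'owner_user = SYS_CONTEXT(''USERENV'', ''SESSION_USER'')';
END;
/

-- Column-relevant policy (10g): enforced only when SOCIAL_SECURITY_NUMBER is
-- referenced. With ALL_ROWS every row is returned but the protected column is
-- NULL in rows that fail the predicate (column masking); without it those rows
-- would be filtered out entirely.
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema         => 'BANK',
    object_name           => 'ACCTS',
    policy_name           => 'ACCTS_SSN_MASK',
    function_schema       => 'BANK',
    policy_function       => 'ACCTS_SSN_PREDICATE',
    statement_types       => 'SELECT',
    sec_relevant_cols     => 'SOCIAL_SECURITY_NUMBER',
    sec_relevant_cols_opt => DBMS_RLS.ALL_ROWS);
END;
/

-- Constructed sample rows (placeholder SSNs).
INSERT INTO bank.accts VALUES (1, 'Harris',  '000-00-0001', 'HARRY');
INSERT INTO bank.accts VALUES (2, 'Dickens', '000-00-0002', 'DICK');
COMMIT;

-- Connected as HARRY (granted SELECT on the table): two rows come back, Harris
-- with the SSN and Dickens with NULL in social_security_number.
SELECT cust_last_name, social_security_number FROM bank.accts;
-- No sensitive column referenced, so the policy does not rewrite this statement.
SELECT cust_last_name FROM bank.accts;
```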
Oracle Secure Backup
(diagram) Protects file systems (Linux, Unix, Windows, filers) and databases.
• Oracle Secure Backup is ideal for customers seeking a low cost alternative to complex backup products
• Best integrated end-to-end backup of Oracle Databases
– Media manager for RMAN backup and recovery of Oracle9i and 10g databases to tape
– Fastest database backup on the market
• Backup Oracle Home, App Server and other file systems
• Oracle Secure Backup includes:
– Centralized management of network backups
– Scalability to low 100's of servers, 10's of millions of files
– Easy management through Enterprise Manager
• Supports popular tape libraries & drives
Data Vault Overview
Why Database Vault?
• Regulations such as Sarbanes-Oxley, Gramm-Leach-Bliley and Basel II require strong internal controls and separation of duty
• Internal threats are a much bigger concern today and require enforcement of operational security policies: who, when and where can data be accessed?
• Database consolidation strategy requires preventive measures against access to application data by powerful (DBA) users
Oracle Data Vault
A security solution to increase a customer's ability to protect sensitive information.
Data Vault introduces several new and very powerful security concepts:
• Realms make it easy to restrict users with powerful DBA privileges to specified application schemas – separation of duty
– Easy to create an "HR DBA" or "Financials DBA"
• Factors extend access beyond user- and role-based access
• Rules control database access based on factors in the environment
– Control access based on time of day, IP address, location …
Oracle Database Vault
Protection Realms
(diagram) A DBA issuing select * from HR.emp is stopped at the HR Realm boundary; inside the HR Realm the HR DBA reaches the HR schema, and inside the Fin Realm the FIN DBA reaches the Fin schema.
• Database DBA views HR data – compliance and protection from insiders
• HR DBA views Fin. data – eliminates security risks from server consolidation
Realms can be easily applied to existing applications with transparency and minimal performance impact.
Oracle Database Vault
Transparent Multi-factor Authorization
(diagram) Two sessions are checked against factors before the statement runs: an HR account issuing SELECT … against HR from an unexpected IP address, and a FIN DBA issuing CREATE … against FIN during business hours.
Built-in Factors Extend Authorizations
• Authentication_Type
• Client_Identifier
• Client_IP
• Database_Domain
• Database_Hostname
• Database_Instance
• Database_IP
• Database_Name
• Domain
• Language
• Machine
• Module
• Network_Protocol
• OS_User
• Program
• ProxyUser
• Session_User
• Terminal
Protect and Secure Applications
(diagram) 1. Create Realm; 2. Authorize Users; 3. Apply Realm to the application objects: Orders, Contracts, Suppliers, Parts, Line Items.
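The three steps above, plus a rule set built from the Client_IP factor listed earlier, as an added example that is not from the deck: the application schema OE, the OE_DBA account, the realm and rule names and the 10.1.% subnet are assumptions; the table names are the ones on the slide.

```sql
-- Added example, not from the deck. Assumed: application schema OE, the OE_DBA
-- account, the realm/rule names and the 10.1.% corporate subnet. Run as a user
-- holding the DV_OWNER role; DBMS_MACADM is the Database Vault administration API.
BEGIN
  -- 1. Create the realm: enabled, auditing only failed (blocked) access attempts.
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'Orders Realm',
    description   => 'Orders application schema, shielded from DBA privileges',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);
  -- 3. Apply the realm to the slide's tables; SELECT ANY TABLE etc. stop reaching them.
  FOR t IN (SELECT column_value AS name FROM TABLE(sys.odcivarchar2list(
              'ORDERS', 'CONTRACTS', 'SUPPLIERS', 'PARTS', 'LINE_ITEMS'))) LOOP
    DBMS_MACADM.ADD_OBJECT_TO_REALM(
      realm_name   => 'Orders Realm',
      object_owner => 'OE',
      object_name  => t.name,
      object_type  => 'TABLE');
  END LOOP;
  -- Factors as rules: a rule is a SQL boolean expression; DVF.F$CLIENT_IP is the
  -- function behind the built-in Client_IP factor.
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Business Hours',
    rule_expr => 'TO_CHAR(SYSDATE, ''HH24'') BETWEEN ''08'' AND ''18''');
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Corporate Subnet',
    rule_expr => 'DVF.F$CLIENT_IP LIKE ''10.1.%''');
  -- Rule set: all rules must be true; failures are audited and shown to the caller.
  DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'Trusted Admin Session',
    description     => 'Business hours, from the corporate subnet',
    enabled         => DBMS_MACUTL.G_YES,
    eval_options    => DBMS_MACUTL.G_RULESET_EVAL_ALL,
    audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
    fail_options    => DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => NULL,
    fail_code       => NULL,
    handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);
  DBMS_MACADM.ADD_RULE_TO_RULE_SET('Trusted Admin Session', 'Business Hours');
  DBMS_MACADM.ADD_RULE_TO_RULE_SET('Trusted Admin Session', 'Corporate Subnet');
  -- 2. Authorize only the application DBA, and only while the rule set passes.
  --    Accounts holding the generic DBA role are not listed, so the realm blocks them.
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'Orders Realm',
    grantee       => 'OE_DBA',
    rule_set_name => 'Trusted Admin Session',
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_OWNER);
END;
/
```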
Data Vault Solution
(diagram) A DBA, a privileged application owner and an application user reach Oracle Database 10g Release 2 through SQL*Plus, the application or other applications. Every path goes through Data Vault enforcement, which protects the Oracle Data Dictionary and application schemas such as E-Business Suite; the attempted bypass path is blocked. Caption: Data Vault security protects database and applications.
Audit Vault Overview
Customer Problems
• Regulatory compliance and configuration audit monitoring
• Audit information resides in silos across the enterprise
• Audit information needs strong protection
Regulatory and Compliance Audit Monitoring
• Demonstrate to auditors that your environment is well maintained and secure
• Demonstrate who accessed sensitive data in multiple databases
• Report on database access during financial reporting periods
Customer Need
• A single repository for audit data
• Centralized audit policies and audit settings
• Audit data and policy to be secure and tamper evident
• Analyze and monitor audit data
• Manage high volume of audit data
• Minimal impact on production systems
Audit Challenges
• Security
– Separation of duty and data
– Tamper proof/evident audit data
• Large volume of data
– Scalability, reliability, high availability
– Need intelligent archival process
• Analysis and reports
– Efficient correlation mechanisms
– Forensic analysis and intrusion detection
– Compliance & insider threat requirements
• Audit data format
– Diverse audit sources, different content/formats
– No well established industry standard audit format
Oracle Audit Vault Overview
Trust-but-Verify
(diagram) Audit sources (Oracle 9iR2, 10gR1, 10gR2; other sources and databases marked as future) feed the Audit Vault, which provides Monitor, Reports, Policies and Security functions.
• Collect and consolidate audit data
– Oracle 9i Release 2 and higher
• Simplify compliance reporting
– Built-in reports
– Custom reports
• Detect and prevent insider threats
– Alert suspicious activity
• Scale and security
– Robust Oracle Database technology
– Database Vault, Advanced Security
– Partitioning
• Lower IT costs with audit policies
– Centrally manage/provision audit settings
Oracle Audit Vault Key Messages
• Protect and monitor audit data through consolidation
– Eliminate audit silos
– Reporting
• Monitor audit data associated with powerful users
– Report on audited DBA activity centrally
• Monitor database changes by privileged users
– Run reports on user logins, user create statements
Key Message Summary
Data Vault – Protect:
• Applications with flexible and dynamic security controls
• Application data from DBA
• Database from ad hoc changes by privileged users
Audit Vault – Protect and Monitor:
• Audit data from multiple databases centrally
• Audit data associated with powerful users centrally
• Database changes by privileged users
Audit Vault Architecture: Overview
(diagram) Audit sources feed the Audit Vault Agent, whose collectors (REDO, DBAUD, OSAUD) send audit data and configuration metrics to the Audit Vault Server. The server provides:
• Audit settings management
• Audit data collection
• Security infrastructure
• Data warehouse, reports and alerts
Two roles work against the server: the AV Admin (administration, management and monitoring) and the AV Auditor (reporting and alerts).
Audit Vault Framework
(diagram)
Audit Vault Agent (OC4J):
• Agent HTTP Listener
• Management Service (stop/start agent), Policy Service
• Collector Manager (stop/start collector, collect metrics)
• Collectors: DBAUD, OSAUD, REDO
Audit Vault Server (OC4J):
• Audit Vault Console / AV Web Application
• Management Service, Policy Service, Audit Service
• EM Database Control
• Database: audit data repository, configuration data, alert service/alert queue
Source database: redo logs and audit trail records; an Apply module for REDO receives the redo-based records.
Oracle Audit Vault: Security Components
(diagram) Communication paths between the Audit Vault Agent and the Audit Vault Server (both OC4J) and the audit source:
• HTTP: policy settings and management commands between agent and server
• SQL*Net: audit trail data and collector attributes from the collectors (DBAUD, OSAUD) into the audit repository; policy provisioning to the source
• Database client and configuration/management tools on both sides, each writing logs
• Credentials are held in wallets: the agent-side wallet holds the agent user password, the server-side wallet holds the AV admin password
Oracle Database Collectors: DBAUD
(diagram) The DBAUD collector in the Audit Vault Agent reads the source database's AUD$ and FGA_LOG$ tables and forwards the audit trail records to the audit repository on the Audit Vault Server.
Using the DBAUD Collector
– Collects audit records from the audit trail when AUDIT_TRAIL is set to DB,EXTENDED
– Collects data from the SYS.AUD$ and SYS.FGA_LOG$ tables
– Collects:
  • DDL and DML statements
  • SQL text
  • Successes and/or failures as specified in audit settings
– Can be remote from the source database and the Audit Vault Server
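What a source database has to produce for the DBAUD collector to have something to pick up, as an added example that is not from the deck: the AUDIT_TRAIL setting, standard audit options that populate SYS.AUD$, and a fine-grained audit policy that populates SYS.FGA_LOG$. The HR.EMPLOYEES table (Oracle's sample schema) and the policy name are assumptions.

```sql
-- Added example, not from the deck. Assumed: the sample schema table HR.EMPLOYEES
-- (department 90 = executives) and the policy name. Needs ALTER SYSTEM, AUDIT SYSTEM
-- and EXECUTE on DBMS_FGA on the source database.

-- 1. The setting the DBAUD collector depends on: the audit trail goes to SYS.AUD$
--    with SQL text and bind values (the "SQL text" item above). Static parameter,
--    so it takes effect at the next restart; 10g Release 2 spells it DB_EXTENDED.
ALTER SYSTEM SET audit_trail = DB, EXTENDED SCOPE = SPFILE;

-- 2. Standard auditing, written to SYS.AUD$: the logins, user creation and
--    privileged-user activity the Audit Vault reports are built on.
AUDIT SESSION;                                  -- every logon and logoff
AUDIT CREATE USER, ALTER USER, DROP USER;
AUDIT GRANT ANY PRIVILEGE, GRANT ANY ROLE;
AUDIT SELECT ON hr.employees BY ACCESS WHENEVER SUCCESSFUL;

-- 3. Fine-grained auditing, written to SYS.FGA_LOG$: one record only when the
--    SALARY column of an executive row is actually read, including the SQL text.
BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema   => 'HR',
    object_name     => 'EMPLOYEES',
    policy_name     => 'EXEC_SALARY_READ',
    audit_condition => 'department_id = 90',
    audit_column    => 'SALARY',
    statement_types => 'SELECT',
    audit_trail     => DBMS_FGA.DB + DBMS_FGA.EXTENDED);
END;
/

-- 4. What the collector will forward, as seen through the dictionary views over
--    AUD$ and FGA_LOG$. RETURNCODE <> 0 marks a failed attempt.
SELECT username, os_username, userhost, action_name, obj_name, returncode, sql_text
  FROM dba_audit_trail
 WHERE timestamp > SYSDATE - 1
 ORDER BY timestamp;

SELECT db_user, os_user, object_name, policy_name, sql_text
  FROM dba_fga_audit_trail
 WHERE timestamp > SYSDATE - 1;
```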
Oracle Database Collectors: OSAUD
(diagram) The OSAUD collector in the Audit Vault Agent reads the source database's operating system audit files and forwards the audit trail records to the audit repository on the Audit Vault Server.
Using the OSAUD Collector
– Collects audit records from the audit trail when AUDIT_TRAIL is set to OS
– Collects mandatory audit records from the operating system audit trail
– Collects:
  • DDL and DML statements
  • SYS privilege usage
  • Successes and/or failures as specified in audit settings
– Independent process running on the source host
Oracle Database Collectors: REDO
(diagram) Streams capture on the source database turns the redo logs into logical change records (LCRs); Streams propagate moves them to the Audit Vault Agent, and Streams apply loads them into the audit repository.
Oracle Database Collectors: REDO
– Uses Streams technology to retrieve logical change records (LCRs) from the redo log files
– Collects:
  • Committed DDL and DML statements
  • SYS privilege usage
  • Before-and-after values (successes only)
Alert Processing
(diagram) The AV Auditor defines audit alerts in the Audit Policy System on the Audit Vault Server. As the collectors (DBAUD, OSAUD, REDO) deliver audit trail records into the Audit Repository, each record is evaluated; a record that meets the alert criteria is placed on the alert queue, to which the Audit Vault Console subscribes on behalf of the AV Auditor.
(screenshots) Enabling and Disabling Alert Processing (AV Administrator); Creating an Alert Rule (AV Auditor); Specifying the Basic Alert Condition (AV Auditor); Specifying an Advanced Alert Condition (AV Auditor)
Specifying Audit Vault Event Categories

Event Category Name              Description
ACCOUNT MANAGEMENT               Management of user/service accounts and profiles
APPLICATION MANAGEMENT           Management of applications or code on a system
AUDIT COMMAND                    Management of the Audit service
DATA ACCESS                      Association with a data item or resource for its content or services
EXCEPTION                        Error conditions or exceptional events
INVALID AUDIT RECORD             Collection of an invalid audit record
OBJECT MANAGEMENT                Creation and management of data items and resource elements
PEER ASSOCIATION                 Management of association with peer systems (DBLINKs)
ROLE AND PRIVILEGE MANAGEMENT    Management of roles and privileges granted to users or services
SERVICE AND APPLICATION ACCESS   Use of services or applications
SYSTEM MANAGEMENT                Management of services that are system level
UNKNOWN                          Anything that does not belong to the other categories
USER SESSION                     Creation and use of user sessions on the system
Viewing Alert Information
About the Overview Page (screenshot, AV Auditor)
Audit Vault Data Warehouse: Overview
(diagram) Raw audit data tables in the Audit Vault Server database are loaded into the audit warehouse, which the AV Auditor uses for analysis, reporting and mining.
Audit Vault Data Warehouse: Schema
(diagram) Star schema centered on AUDIT_EVENT_FACT with the dimension tables CLIENT_HOST_DIM, EVENT_DIM, TIME_DIM, CONTEXT_DIM, CLIENT_TOOL_DIM, SOURCE_DIM, USER_DIM, TARGET_DIM and PRIVILEGES_DIM.
Scheduling Data Warehouse Operations and Viewing Historical Information
The Audit Vault Administrator performs the following tasks to manage the data warehouse:
– Manages the data warehouse refresh schedule
– Manages the retention period for data in the data warehouse
– Performs one-time operations:
  • Load
  • Refresh
  • Purge
– Views historical information about data warehouse loading, refreshing, and purging
(screenshot: AV Administrator)
(screenshots, AV Auditor) Viewing Account Management Activity; Viewing User Session Activity; Viewing the Activity Overview Report; Viewing Details from the Activity Overview Report; Viewing Alert Reports; Viewing Alert Report Details
Creating Custom Reports
Use Oracle reporting tools such as the following to create custom reports:
– Oracle Business Intelligence Suite Enterprise Edition
– Oracle BI Publisher
(screenshot: AV Auditor)
Questions and Answers