Oracle Database Security
The twenty-four/seven database
Oracle Database Security
David Yahalom
Senior database consultant
[email protected]
www.xpert.com
www.davidyahalom.com
Security Drivers (and constraints):
• Enterprise value resides in Bits (I.P.) not Atoms
(factories). Google Vs. Ford.
• Data everywhere, must be accurate, fast and
available.
• Security must be Transparent to the end user.
• Security decisions increasingly tied to compliance
(regulatory or in-house).
Security Drivers (and constraints):
• Network security is well known and understood (VPN,
Firewall).
• Attackers now going where data resides.
• Legitimate and authenticated users are a concern.
Inbound Data
Storage
• Network Encryption
• Strong Authentication
• Identity Management
• Transparent Data Encryption
• Secure Backup
Monitor
• Database Vault.
• Audit Vault.
• Configuration Scanning.
Outbound Data
Access Control
• Network Encryption
• Data Masking
• Database Vault
• Oracle Label Security
• Oracle VPD
“A 2007 Oracle survey found that a DBA usually spends
less than 7% of total work time on database security.”
Database Security is NOT a one-time project.
Database Security is an on-going process.
Add a security-focused DBA to the security department.
The secure database solutions:
• Oracle Database Vault.
• Oracle Advanced Security.
• Oracle Audit Vault.
• Virtual Private Database.
• Fine-Grained Auditing.
• Secure Backup.
[Diagram: End Client – Network – Oracle Database – DBA – Backup Medium]
Oracle Security Solution
Oracle Advanced Security
Flowing & Resting data:
• Worry about Encryption “in the land”.
• Data at rest is a critical security concern (encrypt the
heart of your data).
Network Security Threats:
• Data Theft: my competitor sees my bids in a sealed auction.
• Data Modification or Replay: $50,000 becomes $500.00.
• Data Disruption: packet stolen, order never arrives.
Oracle Advanced Security:
Oracle Advanced Security is a security option for the
Oracle Database.
Oracle Advanced Security combines
network encryption,
database encryption
and strong authentication
together to help customers address privacy and
compliance requirements.
Oracle Advanced Security:
• Transparent Data Encryption: the datafile is safe!
• Network protocol traffic encryption & integrity.
• Strong Authentication (Kerberos, RADIUS, SSL, PKI).
• Encryption standards: RC4, DES, 3DES, AES.
• MD5 and SHA-1 data integrity.
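The slide says TDE makes the datafile safe but not what that looks like in practice. The following is an added example, not taken from the presentation: it creates the TDE master key, opens the wallet, and encrypts a column and a tablespace on Oracle Database 11g. The schema, table, path and wallet password are constructed, and it assumes sqlnet.ora already has an ENCRYPTION_WALLET_LOCATION entry.

```sql
-- Added example (not from the slides). Oracle 11g syntax; names are constructed.
-- Assumes sqlnet.ora sets ENCRYPTION_WALLET_LOCATION to a wallet directory
-- that the instance can read.

-- 1. First time only: create the wallet and the TDE master key.
--    The wallet password belongs to the security DBA, not to the DBA who
--    starts the instance, which is the separation the slides rely on.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "Constructed-Wallet-Pwd-1";

-- 2. Every restart: open the wallet so encrypted data can be decrypted.
--    A database that starts with the wallet closed can still open,
--    but queries against encrypted columns fail with ORA-28365.
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "Constructed-Wallet-Pwd-1";

-- 3. Column-level TDE: only the sensitive column is encrypted on disk.
--    Existing SELECT statements keep working unchanged; the datafile, and any
--    backup taken from it, no longer holds the card number in clear text.
ALTER TABLE app.accounts MODIFY (card_number ENCRYPT USING 'AES256');

-- 4. Tablespace-level TDE: everything created in this tablespace is encrypted.
--    Prefer this over column TDE when many columns are sensitive, because
--    column TDE leaves temp, undo and redo copies of the data unencrypted.
CREATE TABLESPACE secure_ts
  DATAFILE '/u01/oradata/ORCL/secure_ts01.dbf' SIZE 100M   -- constructed path
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

-- 5. Verify what is actually encrypted before declaring the datafile safe.
SELECT owner, table_name, column_name, encryption_alg
  FROM dba_encrypted_columns;

SELECT ts.name, es.encryptionalg, es.encryptedts
  FROM v$encrypted_tablespaces es
  JOIN v$tablespace ts ON ts.ts# = es.ts#;
```

The verification queries at the end are the check a security DBA should run after a TDE rollout: an unencrypted column or tablespace that was assumed to be protected is a common gap, and both views are readable without the wallet password.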
[Diagram: Advanced Security on the Network between End Client and Oracle Database; TDE in the Oracle Database and on the Backup Medium; DBA]
Oracle Security Solution
Oracle Database Vault
Database Vault:
Authoritative security studies have documented that
more than 80% of information system data losses and
attacks have been perpetrated by 'insiders' — those
authorized with some level of access to the system and
its data.
• 80% of threats come from insiders.
• 65% of internal threats are undetected.
Database Vault:
Oracle Database Vault addresses common regulatory
compliance requirements and reduces the risk of
insider threats.
Database Vault:
• Preventing highly privileged users (DBA) from
accessing application data.
• Enforcing separation of duty (DBA can’t create users,
view data).
• Providing controls over who, when, where and how
applications, data and databases can be accessed.
• Can be added to existing application environments
without changes to the existing application code.
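To show what "preventing highly privileged users from accessing application data" and "DBA can't create users" look like in Database Vault terms, here is an added example (not from the presentation): a realm around the APP schema and a command rule that disables CREATE USER. It uses the Oracle 11g DBMS_MACADM and DBMS_MACUTL packages and is run as the Database Vault owner; the realm, schema and user names are constructed.

```sql
-- Added example (not from the slides). Run as a user with the DV_OWNER role.
-- Package and constant names are Oracle 11g Database Vault; realm, schema
-- and account names are constructed.

-- 1. A realm is a protection zone: once objects are inside it, system
--    privileges such as SELECT ANY TABLE no longer grant access to them.
BEGIN
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'Accounts Realm',
    description   => 'Keeps application data away from privileged DBAs',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);   -- record blocked attempts

  -- Put every object of every type in the APP schema into the realm.
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'Accounts Realm',
    object_owner => 'APP',
    object_name  => '%',
    object_type  => '%');

  -- Only the application account is authorized; no rule set is attached,
  -- so the authorization is unconditional for that one account.
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'Accounts Realm',
    grantee       => 'APP',
    rule_set_name => NULL,
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);
END;
/

-- 2. Separation of duty: a command rule bound to the built-in 'Disabled'
--    rule set makes CREATE USER fail for everyone, including SYS and DBAs,
--    until an account with the DV_ACCTMGR role is used for user management.
BEGIN
  DBMS_MACADM.CREATE_COMMAND_RULE(
    command       => 'CREATE USER',
    rule_set_name => 'Disabled',
    object_owner  => '%',
    object_name   => '%',
    enabled       => DBMS_MACUTL.G_YES);
END;
/

-- 3. Check from a DBA session: the realm, not a missing grant, is what blocks
--    this, so the error is ORA-01031 even though SELECT ANY TABLE is held.
-- SELECT COUNT(*) FROM app.accounts;   -- expected: ORA-01031 insufficient privileges

-- 4. The blocked attempt is what G_REALM_AUDIT_FAIL recorded (assumed view name
--    for 11g; the DVSYS audit trail is the evidence an auditor reviews).
SELECT username, action_name, action_object_name, returncode, timestamp
  FROM dvsys.audit_trail$
 ORDER BY timestamp DESC;
```

Note the order of operations: the realm is created and populated before any authorization is added, so there is no window in which the objects are protected but the application itself is locked out, and no window in which the application has access without the DBA restriction being in place.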
The wallet password is separate from the SYSTEM or DBA password: the DBA starts up the database but has no access to the wallet; the security DBA opens the wallet containing the master key.
[Diagram: Database Vault on the Network between End Client and Oracle Database and between the DBA and the Oracle Database; Backup Medium]
Oracle Security Solution
Oracle Virtual Private Database
Virtual Private Database:
Also known as Fine Grained Access Control, VPD provides
powerful row-level security capabilities.
For example, VPD can be used to restrict access to data
to business hours.
Virtual Private Database:
Transparently modifying requests for data to present a
partial view of the tables to the users based on a set of
defined criteria.
select * from accounts;
changes to:
select * from accounts where am_name = 'BOAZ';
Virtual Private Database:
Oracle Label Security is an optional add-on that provides an
easy-to-use interface for row-level security. No coding
is needed.
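The two VPD slides above (the business-hours restriction and the `am_name = 'BOAZ'` rewrite) are both produced by one policy function. The following is an added example, not from the presentation, that implements that policy with DBMS_RLS on Oracle 11g; the APP and APP_SEC schemas, the ACCOUNTS table and its AM_NAME column are constructed, and it assumes AM_NAME holds the account manager's database user name in upper case.

```sql
-- Added example (not from the slides). Names are constructed; assumes
-- APP.ACCOUNTS.AM_NAME stores the account manager's database user name
-- in upper case, matching SYS_CONTEXT('USERENV','SESSION_USER').

-- The policy function returns the predicate Oracle appends to each statement
-- against APP.ACCOUNTS. Its (schema, object) signature is fixed by DBMS_RLS.
CREATE OR REPLACE FUNCTION app_sec.accounts_policy (
  p_schema IN VARCHAR2,
  p_object IN VARCHAR2) RETURN VARCHAR2
IS
  l_hour NUMBER := TO_NUMBER(TO_CHAR(SYSDATE, 'HH24'));
BEGIN
  -- The application owner and the auditor account are exempt.
  IF SYS_CONTEXT('USERENV', 'SESSION_USER') IN ('APP', 'AUDITOR') THEN
    RETURN NULL;                      -- NULL predicate = no restriction
  END IF;

  -- Outside 08:00-17:59 the predicate is always false: the user gets
  -- zero rows rather than an error, so the application keeps working.
  IF l_hour < 8 OR l_hour >= 18 THEN
    RETURN '1 = 0';
  END IF;

  -- Business hours: each account manager sees only their own accounts.
  -- Using SYS_CONTEXT inside the predicate (instead of concatenating the
  -- user name as a literal) keeps one shared cursor for all users and
  -- never builds SQL from session-supplied text.
  RETURN 'am_name = SYS_CONTEXT(''USERENV'', ''SESSION_USER'')';
END;
/

BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'APP',
    object_name     => 'ACCOUNTS',
    policy_name     => 'ACCOUNTS_ROW_FILTER',
    function_schema => 'APP_SEC',
    policy_function => 'ACCOUNTS_POLICY',
    statement_types => 'SELECT,INSERT,UPDATE,DELETE',
    update_check    => TRUE,               -- INSERT/UPDATE rows must satisfy the predicate
    policy_type     => DBMS_RLS.DYNAMIC);  -- predicate depends on the clock, so re-evaluate
END;
/

-- Effect for a session connected as BOAZ during business hours:
--   select * from accounts;
-- is executed as
--   select * from accounts where am_name = SYS_CONTEXT('USERENV','SESSION_USER');
-- i.e. only rows with am_name = 'BOAZ'.

-- Verify the policy is attached and enabled.
SELECT object_owner, object_name, policy_name, enable, policy_type
  FROM dba_policies
 WHERE object_name = 'ACCOUNTS';
```

The `update_check => TRUE` setting closes a gap that is easy to miss: without it a user could INSERT or UPDATE a row into someone else's account manager name even though they could never SELECT it back.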
[Diagram: End Client – Network – Oracle Database with VPD – DBA – Backup Medium]
Oracle Security Solution
Oracle Secure Backup
Secure Backup:
The next generation centralized tape backup
management delivers advanced media management
and backup encryption for file systems and Oracle.
Secure Backup:
• Optimized tape backup for Oracle increasing backup
performance by 10 – 25%.
• Secure data protection - 256 AES backup encryption
for file systems protecting backup data when tapes are
onsite, offsite or lost.
• Integrated with EM & RMAN: tape backups can now be
done by the DBA.
[Diagram: End Client – Network – Oracle Database – DBA – Secure Backup – Backup Medium]
Oracle Security Solution
Oracle Audit Vault
Audit Vault:
Oracle Audit Vault turns audit data into a key security
resource to help address today's security and
compliance challenges. Oracle Audit Vault automates
audit collection, integrates sources, simplifies
compliance reporting and provides scale and security.
Audit Vault:
• Logon failures, privilege usage, data access,
object access, and other activities
• Statement, privilege, schema object and content-based auditing.
• Alerts & compliance reports.
• Audit data warehouse & report generation.
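Audit Vault consolidates audit records, but the source database has to generate them first. The following is an added example, not from the presentation, that enables the four kinds of auditing listed on the slide on an Oracle 11g source database: logon failures, privilege usage, object access, and a content-based (fine-grained) policy through DBMS_FGA. The schema, table and column names are constructed.

```sql
-- Added example (not from the slides). Oracle 11g syntax; APP.ACCOUNTS and its
-- BALANCE / CARD_NUMBER columns are constructed names.

-- Keep the audit trail in the database (SYS.AUD$, read via DBA_AUDIT_TRAIL).
-- EXTENDED also stores the SQL text and bind values. Needs a restart.
ALTER SYSTEM SET audit_trail = 'DB,EXTENDED' SCOPE = SPFILE;

-- Logon failures: one record per failed CREATE SESSION.
AUDIT CREATE SESSION WHENEVER NOT SUCCESSFUL;

-- Privilege usage: the "ANY" privileges a DBA would use to reach
-- application data, recorded on every use, not once per session.
AUDIT SELECT ANY TABLE, ALTER ANY TABLE, GRANT ANY PRIVILEGE BY ACCESS;

-- Object access to the accounts table itself.
AUDIT SELECT, INSERT, UPDATE, DELETE ON app.accounts BY ACCESS;

-- Content-based auditing: record a read only when it returns a high-value
-- account AND the CARD_NUMBER column is actually referenced, so routine
-- balance lookups do not flood the trail.
BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema   => 'APP',
    object_name     => 'ACCOUNTS',
    policy_name     => 'HIGH_VALUE_CARD_READS',
    audit_condition => 'balance > 100000',
    audit_column    => 'CARD_NUMBER',
    statement_types => 'SELECT',
    audit_trail     => DBMS_FGA.DB + DBMS_FGA.EXTENDED);
END;
/

-- What Audit Vault's collector (or a reviewer) reads back from the source.
-- RETURNCODE <> 0 marks failures; 1017 is "invalid username/password".
SELECT username, os_username, userhost, action_name, obj_name, returncode, timestamp
  FROM dba_audit_trail
 WHERE timestamp > SYSDATE - 1
 ORDER BY timestamp DESC;

SELECT db_user, object_name, policy_name, sql_text, timestamp
  FROM dba_fga_audit_trail
 WHERE timestamp > SYSDATE - 1
 ORDER BY timestamp DESC;
```

The FGA policy is the "content-based" item on the slide: unlike standard object auditing, which records every SELECT, it only fires when the condition and the audited column both apply, which is what makes the resulting trail small enough for an alert rule in Audit Vault to be meaningful.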
Oracle Security Solution
The Complete Secure Database
[Diagram: End Client – Network with Advanced Security – Oracle Database with VPD, TDE and Database Vault – DBA behind Database Vault – Secure Backup with TDE – Backup Medium]
Thank You!