
Database Security: Why the long face?


James Anthony, Technology Director

eDBA 2010

About e-DBA

- Founded 1998
- Highest level Certified Platinum Partner status
- Oracle Technology Partner of the Year 2010
- Oracle User Group Award Winner 2010 x 4
- System Administration & Management
- Database 7 > 11g
- Development: APEX
- Database Security
- Oracle Software Management
- Managed Service Specialist
- Oracle Technology Solutions supplied to all Markets


Agenda

- Database-Centric Information Security
- Database Security
- Oracle Database Security Solutions
- Defense-in-Depth
- Q&A

More breaches than ever


More threats than ever

More Regulations Than Ever

PIPEDA, Sarbanes-Oxley, Breach Disclosure, HIPAA, PCI, GLBA, FISMA, COBIT, UK/PRO, EU Data Directives, Basel II, ISO 17799, Euro SOX, J SOX, K SOX, SAS 70, AUS/PRO

Source: IT Policy Compliance Group, 2007.


Survey: Enterprise Data at Risk

The 2009 IOUG Data Security Report: BUDGET PRESSURES LEAD TO INCREASED RISKS

- Only 21% uniformly encrypt PII in all databases
- Only 20% uniformly encrypt database traffic
- Only 12% uniformly encrypt database backups/exports
- 50% not aware of all databases with sensitive data
- 48% say database users could access data directly
- 70% use native auditing, only 18% automate monitoring
- 61% cannot prevent DBAs from reading or tampering with sensitive data
- 67% cannot detect if they were
- Less than 30% monitoring sensitive data reads/writes

Securing Data in Your Database

- Encryption
- Masking
- Classification
- Access Control
- Activity Monitoring
- Change Tracking
- Discovery and Assessment
- Secure Configuration

Database Centric Solutions

User Management:
- Non default & Strong passwords
- Centralized Credentials for all users (esp. Privileged Users)
- User Lifecycle Management
- Strong authentication
- Secure Configuration (best practice)

Access Control:
- Privileged User Controls
- Reduction in shared account usage
- Who, When, Where, How?
- Data Classification
- Row and Column level control

Encryption & Masking:
- Data at Rest
- Data in Motion
- Masking of Data in Live and Test
- Dump File Encryption
- Backup Encryption

Monitoring:
- Auditing at database level
- Targeted Auditing (e.g. high value)
- Audit Consolidation
- Pro-active alerting
- Audit data protection
- Attestation of policy compliance
- Change Discipline and Detection

Enterprise User Security

1. User authenticates to database with username and password as usual
2. Database defers authentication to Oracle Directory Services
3. Oracle Directory Services validates user credentials
4. User is mapped to a physical database user, with database roles granted

Diagram: Client (DBA, Developer or Application User) -> HR, CRM and DEV databases -> Central Credential Store; Directory Services provides central authentication

The Bigger Picture

- Centralized Credentials for OS Login (OS Authentication Services)
- Centralized Credentials for database login
- Existing Directories (e.g. MS AD)
- Other User credential stores (e.g. HR)
- Attestation of access (compliance reports)
- Provisioning/De-Provisioning

Database Defense-in-Depth

Monitoring: Configuration Management, Audit Vault, Total Recall
Access Control: Database Vault, Label Security
Encryption & Masking: Advanced Security, Secure Backup, Data Masking

Database Defense-in-Depth: Encryption & Masking

Oracle Advanced Security: Transparent Data Encryption

Diagram: Application -> Disk, Backups, Exports, Off-Site Facilities

- Complete encryption for data at rest
- No application changes required
- Efficient encryption of all application data
- Built-in key lifecycle management

Oracle Advanced Security: Network Encryption & Strong Authentication

- Standard-based encryption for data in transit
- Strong authentication of users and servers
- No infrastructure changes required
- Easy to implement

Oracle Secure Backup: Integrated Tape or Cloud Backup Management

- Secure data archival to tape or cloud
- Easy to administer key management
- Fastest Oracle Database tape backups
- Leverage low-cost cloud storage

Oracle Data Masking: Data De-Identification

Production:
LAST_NAME   NI_NUM       SALARY
AGUILAR     JE114414C    40,000
BENSON      323-22-2943  60,000

Non-Production:
LAST_NAME   NI_NUM       SALARY
ANSKEKSL    AD124578A    60,000
BKJHHEIEDK  BC985412R    40,000

- Remove sensitive data from non-production databases
- Referential integrity preserved so applications continue to work
- Sensitive data never leaves the database
- Extensible template library and policies for automation
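The slide's two claims, that identifiers are replaced while parent and child tables still join, and that real-looking salaries are detached from the person they belonged to, can be seen in a few lines. The following is an added example written for this page; it is not Oracle Data Masking code and does not reproduce how that product generates its values. It assumes a hypothetical HMAC-keyed, format-preserving substitution for NI_NUM and LAST_NAME, a column shuffle for SALARY, and a constructed child table PRODUCTION_PAYSLIPS keyed on NI_NUM to show referential integrity surviving the mask.

```python
import hashlib
import hmac
import random
import string

# Constructed sample tables modelled on the slide's production view; the people
# and identifiers are invented for this example.
PRODUCTION_EMPLOYEES = [
    {"LAST_NAME": "AGUILAR", "NI_NUM": "JE114414C", "SALARY": 40000},
    {"LAST_NAME": "BENSON", "NI_NUM": "323-22-2943", "SALARY": 60000},
]
# A constructed child table keyed on NI_NUM, so the effect of masking on joins is visible.
PRODUCTION_PAYSLIPS = [
    {"NI_NUM": "JE114414C", "PERIOD": "2009-04"},
    {"NI_NUM": "323-22-2943", "PERIOD": "2009-04"},
    {"NI_NUM": "323-22-2943", "PERIOD": "2009-05"},
]

# Assumption: the masking key lives only in the production masking job. Anyone
# holding it could re-mask candidate real values and compare, so it must never
# ship with the non-production copy.
MASKING_KEY = b"constructed-demo-key-do-not-reuse"


def mask_value(value, key=MASKING_KEY):
    """Deterministic, format-preserving substitution of one field value.

    Upper-case letters map to upper-case letters, lower-case to lower-case and
    digits to digits; separators such as '-' are kept, so a masked NI_NUM still
    passes the application's format checks. The replacement is derived from an
    HMAC of the value, so the same real value always masks to the same fake
    value: that is what keeps parent and child tables joinable.
    """
    keystream = hmac.new(key, value.encode("utf-8"), hashlib.sha256).digest()
    out = []
    for i, ch in enumerate(value):
        b = keystream[i % len(keystream)]
        if ch.isupper():
            out.append(string.ascii_uppercase[b % 26])
        elif ch.islower():
            out.append(string.ascii_lowercase[b % 26])
        elif ch.isdigit():
            out.append(string.digits[b % 10])
        else:
            out.append(ch)
    return "".join(out)


def shuffle_column(rows, column, seed=2009):
    """Shuffle one column across rows: the values stay realistic (they are real
    salaries) but are no longer attached to the row they came from."""
    rng = random.Random(seed)  # fixed seed only so the example is repeatable
    values = [row[column] for row in rows]
    rng.shuffle(values)
    return [dict(row, **{column: v}) for row, v in zip(rows, values)]


def mask_tables(employees, payslips):
    """Produce the non-production copy of both tables."""
    masked_employees = [
        dict(row, LAST_NAME=mask_value(row["LAST_NAME"]), NI_NUM=mask_value(row["NI_NUM"]))
        for row in employees
    ]
    masked_employees = shuffle_column(masked_employees, "SALARY")
    masked_payslips = [dict(row, NI_NUM=mask_value(row["NI_NUM"])) for row in payslips]
    return masked_employees, masked_payslips


def join_count(employees, payslips):
    """How many payslip rows still find their parent employee on NI_NUM."""
    keys = {row["NI_NUM"] for row in employees}
    return sum(1 for slip in payslips if slip["NI_NUM"] in keys)


if __name__ == "__main__":
    emp, pay = mask_tables(PRODUCTION_EMPLOYEES, PRODUCTION_PAYSLIPS)
    for row in emp:
        print(row)
    print("payslips joined before:", join_count(PRODUCTION_EMPLOYEES, PRODUCTION_PAYSLIPS),
          "after:", join_count(emp, pay))
```

The design point is the one the slide makes about referential integrity: because the substitution is keyed and deterministic rather than random per row, every table that carries NI_NUM is masked to the same replacement, and the join count before and after masking is identical. Shuffling is used for SALARY instead, because there the goal is to break the link to the person, not to preserve it.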

Database Defense-in-Depth: Access Control

Oracle Database Vault: Separation of Duties & Privileged User Controls

Diagram: Procurement, HR and Finance application data; Application DBA issuing select * from finance.customers

- DBA separation of duties
- Limit powers of privileged users
- Securely consolidate application data
- No application changes required

Oracle Database Vault: Multi-Factor Access Control Policy Enforcement

Diagram: Procurement, HR and Rebates application data reached through the Application

- Protect application data and prevent application by-pass
- Enforce who, where, when, and how using rules and factors
- Out-of-the-box policies for Oracle applications, customizable

Oracle Label Security: Data Classification for Access Control

Diagram: rows labelled Sensitive (Transactions), Confidential (Report Data) and Public (Reports); users cleared Confidential or Sensitive

- Classify users and data based on business drivers
- Database enforced row level access control
- User classification through Oracle Identity Management Suite
- Classification labels can be factors in other policies
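The row-level rule behind the slide is a dominance check: a session may read a row only if its label is at least as high as the row's. The following is an added example written for this page, not Oracle Label Security code; it models labels as a level from the slide (Public, Confidential, Sensitive) plus a set of compartments, which is an assumption used to show how two Sensitive rows can still be kept apart. The HR and Finance compartments, the sample rows and the trusted network prefix are all constructed. The last function shows the slide's final bullet, a label used as a factor in a second policy.

```python
# Ordered sensitivity levels from the slide; a higher number is more sensitive.
LEVELS = {"PUBLIC": 0, "CONFIDENTIAL": 1, "SENSITIVE": 2}


class Label:
    """A classification label: one level plus a set of compartments.

    Compartments (HR and FINANCE are constructed here) let two Sensitive rows be
    kept apart: a session cleared to Sensitive:HR must not see Sensitive:FINANCE.
    """

    def __init__(self, level, compartments=()):
        self.level = LEVELS[level]
        self.compartments = frozenset(compartments)

    def dominates(self, other):
        """Read rule: the reader's level must be at least the row's level and the
        reader must hold every compartment the row carries."""
        return self.level >= other.level and other.compartments <= self.compartments

    def __repr__(self):
        name = next(k for k, v in LEVELS.items() if v == self.level)
        return f"{name}:{','.join(sorted(self.compartments)) or '-'}"


# Constructed rows mirroring the slide: Reports (Public), Report Data
# (Confidential) and Transactions (Sensitive), the last split by compartment.
ROWS = [
    {"NAME": "Q1 Reports", "LABEL": Label("PUBLIC")},
    {"NAME": "Q1 Report Data", "LABEL": Label("CONFIDENTIAL")},
    {"NAME": "HR Transactions", "LABEL": Label("SENSITIVE", {"HR"})},
    {"NAME": "Finance Transactions", "LABEL": Label("SENSITIVE", {"FINANCE"})},
]

# Constructed: address prefixes treated as the internal network.
TRUSTED_NETWORK = ("10.0.",)


def visible_rows(rows, session_label):
    """The filter the database applies to every query: only rows whose label the
    session label dominates come back, regardless of the SQL the user wrote."""
    return [row["NAME"] for row in rows if session_label.dominates(row["LABEL"])]


def row_access_allowed(session_label, row_label, client_ip):
    """A second policy in which the label is a factor: Sensitive rows are only
    readable from the trusted network, even by a session that is cleared for them."""
    if not session_label.dominates(row_label):
        return False
    if row_label.level >= LEVELS["SENSITIVE"]:
        return client_ip.startswith(TRUSTED_NETWORK)
    return True


if __name__ == "__main__":
    for session in (Label("PUBLIC"), Label("CONFIDENTIAL"), Label("SENSITIVE", {"HR"})):
        print(session, "->", visible_rows(ROWS, session))
```

Note that the filtering happens on the label carried by each row, not on the table or view the user queried, which is why the slide can describe it as database-enforced rather than application-enforced.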

Database Defense-in-Depth: Monitoring

Automated Activity Monitoring & Audit Reporting: Oracle Audit Vault

Diagram: audit data from the HR, CRM and ERP databases consolidated into Audit Vault; the Auditor works from Alerts, Built-in Reports, Custom Reports and Policies

- Consolidate audit data into secure repository
- Detect and alert on suspicious activities
- Out-of-the-box compliance reporting
- Centralized audit policy management
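What "detect and alert on suspicious activities" looks like once audit records from several databases sit in one repository is easiest to see with a small policy engine. This is an added example written for this page, not Audit Vault code and not its rule syntax. The audit records, the list of sensitive objects, the privileged accounts and the approved client programs are all constructed; the three policies are assumptions chosen to match the survey figures earlier in the deck (privileged users reading sensitive data, users reaching data directly rather than through the application, and repeated logon failures).

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed audit records as they might arrive from three source databases;
# users, programs and times are invented for this example.
AUDIT_RECORDS = [
    {"db": "HR", "ts": "2010-03-01 09:05:12", "user": "HRAPP", "program": "hrapp.exe",
     "action": "SELECT", "object": "HR.SALARIES", "status": "SUCCESS"},
    {"db": "HR", "ts": "2010-03-01 23:41:03", "user": "SYS", "program": "sqlplus.exe",
     "action": "SELECT", "object": "HR.SALARIES", "status": "SUCCESS"},
    {"db": "CRM", "ts": "2010-03-01 14:20:45", "user": "ANALYST", "program": "toad.exe",
     "action": "SELECT", "object": "CRM.CUSTOMERS", "status": "SUCCESS"},
    {"db": "ERP", "ts": "2010-03-01 02:00:01", "user": "SCOTT", "program": "sqlplus.exe",
     "action": "LOGON", "object": "", "status": "FAILED"},
    {"db": "ERP", "ts": "2010-03-01 02:00:09", "user": "SCOTT", "program": "sqlplus.exe",
     "action": "LOGON", "object": "", "status": "FAILED"},
    {"db": "ERP", "ts": "2010-03-01 02:01:30", "user": "SCOTT", "program": "sqlplus.exe",
     "action": "LOGON", "object": "", "status": "FAILED"},
    {"db": "ERP", "ts": "2010-03-01 08:15:00", "user": "SCOTT", "program": "erp.exe",
     "action": "LOGON", "object": "", "status": "SUCCESS"},
]

# Policy inputs (constructed): which objects hold sensitive data, which accounts
# are privileged, and which client program is the sanctioned path to each object.
SENSITIVE_OBJECTS = {"HR.SALARIES", "CRM.CUSTOMERS"}
PRIVILEGED_USERS = {"SYS", "SYSTEM"}
APPROVED_PROGRAMS = {"HR.SALARIES": {"hrapp.exe"}, "CRM.CUSTOMERS": {"crmapp.exe"}}


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def evaluate(records, window=timedelta(minutes=5), threshold=3):
    """Run the alert policies over the consolidated audit stream and return alerts
    as (policy, db, user, detail) tuples, in time order."""
    alerts = []
    failed_logons = defaultdict(list)  # (db, user) -> recent failure timestamps
    for rec in sorted(records, key=lambda r: parse_ts(r["ts"])):
        ts = parse_ts(rec["ts"])
        obj = rec["object"]
        # Policy 1: a privileged account touching sensitive data.
        if obj in SENSITIVE_OBJECTS and rec["user"] in PRIVILEGED_USERS:
            alerts.append(("PRIVILEGED_SENSITIVE_ACCESS", rec["db"], rec["user"], obj))
        # Policy 2: sensitive data reached through something other than the application.
        if obj in APPROVED_PROGRAMS and rec["program"] not in APPROVED_PROGRAMS[obj]:
            alerts.append(("APPLICATION_BYPASS", rec["db"], rec["user"], rec["program"]))
        # Policy 3: repeated failed logons for one account inside the time window.
        if rec["action"] == "LOGON" and rec["status"] == "FAILED":
            key = (rec["db"], rec["user"])
            recent = [t for t in failed_logons[key] if ts - t <= window] + [ts]
            if len(recent) >= threshold:
                alerts.append(("LOGON_FAILURE_BURST", rec["db"], rec["user"],
                               f"{len(recent)} failures within {window}"))
                recent = []  # reset so one burst raises one alert, not one per extra failure
            failed_logons[key] = recent
    return alerts


def alert_summary(alerts):
    """Count alerts per policy, the figure a built-in report would show the auditor."""
    return Counter(alert[0] for alert in alerts)


if __name__ == "__main__":
    for alert in evaluate(AUDIT_RECORDS):
        print(alert)
    print(alert_summary(evaluate(AUDIT_RECORDS)))
```

Two things the consolidated view makes possible that a single database's native audit trail does not: the policies are defined once and applied to every source, and a single record can trip more than one policy (the SYS read from sqlplus is both a privileged access and an application by-pass), which is exactly the event an auditor would want to see first.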

Oracle Total Recall: Secure Change Tracking

select salary from emp AS OF TIMESTAMP TO_TIMESTAMP('02-MAY-09 12.00 AM', 'DD-MON-RR HH.MI AM') where emp.title = 'admin'

- Transparently track data changes
- Efficient, tamper-resistant storage of archives
- Real-time access to historical data
- Simplified forensics and error correction

Configuration Management: Vulnerability Assessment & Secure Configuration

Lifecycle: Discover -> Classify -> Assess -> Prioritize -> Fix -> Monitor (Asset Management, Policy Management, Vulnerability Management, Configuration Management & Audit, Analysis & Analytics)

- Database discovery
- Continuous scanning against 375+ best practices and industry standards, extensible
- Detect and prevent unauthorized configuration changes
- Change management compliance reports

Configuration Change Console

- Real time change detection & notification
- Provide point in time attestation
- Dashboard reporting and visualization


Summary

- Transparent
- Integrated
- Comprehensive
- Cost-Effective

Testing in the Real World Seminar

28th April, Oracle Edinburgh Office
