Oracle Database Security
Ursula Koski, Senior Principal Architect
[email protected]

Oracle Database Security - storage.googleapis.com · Oracle Database Security . Defense-in-Depth for Security and Compliance Database Vault Label Security . Access Control . Configuration

Mar 08, 2020



Ursula Koski, Senior Principal Architect

• Senior Principal Architect
• Oracle User Group Liaison and OUGF Board Member (Finland)
• Joined Oracle 2007
  – Working mainly with short term database engagements around the world. High availability and disaster recovery area.
  – Have worked as an Oracle DBA for partners from 1994.
• Interests
  – Professional: Oracle Database Evangelist, Maximum Availability Architecture and Database Disaster Recovery & Problem solving.
  – Personal: Oracle Databases, all technical gadgets (Geek!), traveling and reading.


Data Security Challenges

• What to secure?
  – Sensitive Data: Confidential, PII, regulatory
  – Data in packaged and custom applications
  – Secure Life cycle: creation, transit, storage, backup, test, transfer
• Can we secure it now?
  – Secure using existing systems?
  – Transparent?
  – Loss, Unauthorized access, Separation of Duty
• Will it meet business requirements?
  – Flexible, Transparent, Compliant?
  – Secures both custom and packaged applications?
• Will it reduce operational cost?
  – Easy to manage?
  – Performant?


Oracle Database Security: Defense-in-Depth for Security and Compliance

• Access Control: Database Vault, Label Security
• Monitoring: Configuration Management, Audit Vault, Total Recall
• Encryption and Masking: Advanced Security, Secure Backup, Data Masking


Oracle Database Security: Defense-in-Depth for Security and Compliance

• Encryption and Masking: Advanced Security, Secure Backup, Data Masking


Oracle Advanced Security: Transparent Data Encryption

• No application changes required

• Efficient encryption of all application data

• Built-in key lifecycle management

• Works with Exadata V2 Smart Scans

• Works with Oracle Advanced Compression

[Diagram: Application; Disk, Backups, Exports, Off-Site Facilities]


Oracle Advanced Security: Network Encryption & Strong Authentication

• Standards-based encryption for data in transit

• Strong authentication of users and servers

• No infrastructure changes required

• Easy to implement


Oracle Secure Backup: Integrated Tape or Cloud Backup Management

• Secure data archival to tape or cloud

• Easy to administer key management

• Fastest Oracle Database tape backups

• Leverage low-cost cloud storage


Oracle Data Masking: Irreversible De-Identification

• Remove sensitive data from non-production databases

• Referential integrity preserved so applications continue to work

• Extensible template library and policies for automation

Production

LAST_NAME   SSN          SALARY
AGUILAR     203-33-3234  40,000
BENSON      323-22-2943  60,000

Non-Production

LAST_NAME   SSN          SALARY
ANSKEKSL    111-23-1111  40,000
BKJHHEIEDK  222-34-1345  60,000


Oracle Database Security: Defense-in-Depth for Security and Compliance

• Access Control: Database Vault, Label Security
• Encryption and Masking: Advanced Security, Secure Backup, Data Masking


Oracle Database Vault: Separation of Duties & Privileged User Controls

• DBA separation of duties

• Limit powers of privileged users

• Securely consolidate application data

• No application changes required

• Works with Oracle Exadata V2 Database Machine

[Diagram: Procurement, HR, Finance; Application; DBA: select * from finance.customers]


Oracle Database Vault: Multi-Factor Access Control Policy Enforcement

• Protect application data and prevent application bypass

• Enforce who, where, when, and how using rules and factors

• Out-of-the-box policies for Oracle applications, customizable

[Diagram: Procurement, HR, Rebates; Application]


Oracle Label Security: Data Classification for Access Control

• Classify users and data based on business drivers

• Database-enforced row-level access control

• User classification through Oracle Identity Management Suite

• Classification labels can be factors in other policies

[Diagram: Transactions, Report Data, Reports; labels: Sensitive, Confidential, Public]


Did you know?

• Finding User Accounts That Have Default Passwords
  – When you create a database in Oracle Database 11g Release 2 (11.2), most of its default accounts are locked with the passwords expired.
  – To find both locked and unlocked accounts that use default passwords, log in to SQL*Plus with the SYSDBA privilege and then query the DBA_USERS_WITH_DEFPWD data dictionary view.

SELECT d.username, u.account_status
FROM DBA_USERS_WITH_DEFPWD d, DBA_USERS u
WHERE d.username = u.username
ORDER BY 2, 1;

USERNAME          ACCOUNT_STATUS
----------------- --------------------------
SCOTT             EXPIRED & LOCKED
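An added example, not part of the original slides: the query above lists every default-password account regardless of state, so this follow-up isolates the ones that are not permanently locked and drafts lock-and-expire statements for review. It assumes SYSDBA or equivalent dictionary access, and that locking these accounts is acceptable in your environment.

```sql
-- Added example (not from the original deck).
-- Step 1: default-password accounts that are NOT permanently locked.
-- OPEN, EXPIRED, EXPIRED(GRACE) and the LOCKED(TIMED) variants can all
-- become usable again without DBA action, so they are the ones to triage.
SELECT d.username,
       u.account_status,
       u.profile,
       u.created
FROM   dba_users_with_defpwd d
       JOIN dba_users u ON u.username = d.username
WHERE  u.account_status NOT IN ('LOCKED',
                                'EXPIRED & LOCKED',
                                'EXPIRED(GRACE) & LOCKED')
ORDER  BY u.account_status, d.username;

-- Step 2: generate remediation statements for the same set.
-- Review the output before running it: an application may depend on
-- one of these schemas, in which case change the password instead.
SELECT 'ALTER USER "' || d.username || '" PASSWORD EXPIRE ACCOUNT LOCK;'
         AS remediation
FROM   dba_users_with_defpwd d
       JOIN dba_users u ON u.username = d.username
WHERE  u.account_status NOT IN ('LOCKED',
                                'EXPIRED & LOCKED',
                                'EXPIRED(GRACE) & LOCKED')
ORDER  BY d.username;
```

An account leaves DBA_USERS_WITH_DEFPWD only once its password is changed, so a locked account with a default password still appears in the view.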


Oracle Database Security: Defense-in-Depth for Security and Compliance

• Access Control: Database Vault, Label Security
• Monitoring: Configuration Management, Audit Vault, Total Recall
• Encryption and Masking: Advanced Security, Secure Backup, Data Masking


Oracle Audit Vault: Automated Activity Monitoring & Audit Reporting

• Consolidate audit data into secure repository

• Detect and alert on suspicious activities

• Out-of-the-box compliance reporting

• Centralized audit policy management

[Diagram: CRM Data, ERP Data, Databases, HR Data; Audit Data; Policies; Built-in Reports, Alerts, Custom Reports; Auditor]


Oracle Database Auditing Performance: Audit users/tables effectively

• Oracle Database 11.2
• ~250 audit records / second

Audit Location               Throughput Degradation   Additional CPU Used above 50%
OS file                      1.39%                    1.45%
XML format file              1.70%                    3.51%
XML format file + SQL Text   3.22%                    4.56%
Database Tables              3.84%                    4.55%
Database Tables + SQL Text   11.93%                   13.95%

• 4-CPU 3.6 GHz, 4GB RAM
• Linux 2.6.9-34.0.1.0.11.ELsmp
• Existing CPU Work Load: 50%


Oracle Total Recall: Secure Change Tracking

select salary from emp
AS OF TIMESTAMP TO_TIMESTAMP('02-MAY-09 12.00 AM', 'DD-MON-RR HH.MI AM')
where emp.title = 'admin'

• Transparently track data changes

• Efficient, tamper-resistant storage of archives

• Real-time access to historical data

• Enables forensics and error correction


Oracle Configuration Management: Vulnerability Assessment & Secure Configuration

• Database discovery

• Continuous scanning against best practices

• Detect and prevent unauthorized configuration changes

• Change management compliance reports

[Diagram: Configuration Management & Audit, Vulnerability Management, Analysis & Analytics, Policy Management, Asset Management; steps: Fix, Prioritize, Assess, Classify, Monitor, Discover]


Oracle Database Security: Defense-in-Depth for Security and Compliance

• Access Control: Database Vault, Label Security
• Monitoring: Configuration Management, Audit Vault, Total Recall
• Encryption and Masking: Advanced Security, Secure Backup, Data Masking


For More Information

oracle.com/database/security

search.oracle.com

database security


Oracle Products Available Online

Oracle Store Buy Oracle license and support online today at oracle.com/store
