oracle database security kwesi edwards dominic young principal solutions architect account manager...
TRANSCRIPT
<Insert Picture Here>
Oracle Database Security Kwesi Edwards Dominic YoungPrincipal Solutions Architect Account ManagerOracle Higher Education Oracle Higher Education
Data Security Lifecycle
Inbound Data• Network Encryption• Strong Authentication• Identity Management Integration
Storage• Transparent Data Encryption• Secure Backup
Access Control• Database Vault• Oracle Label Security• Fusion Security
Outbound Data• Network Encryption
Monitor• Configuration Scanning• Audit Vault
<Insert Picture Here>
Agenda
• Network Encryption• Encryption of data in motion
• Strong Authentication• PKI, Kerberos, Radius
• Data Encryption• Encryption of data at rest• Secure Backup
• Oracle DataVault• DB Auditing
• Audit Vault
Network Security Threats
2. Data Modification or Replay
3. Data Disruption
Packet stolenOrder never arrives
$500.00
1. Data Theft
My competitor sees my bids in a sealed auction.
$50,000
Network Encryption
• Provided by Oracle for nearly a decade• Encrypts all communication with the database
• AES• RSA RC4 (40-, 56-, 128-, 256-bit keys)• DES (40-, 56-bit) and 3DES (2- and 3-key)
• Data integrity with checksums• MD5, SHA-1• Automatically detects modifications, replays, missing
packets
• Easy to setup
<Insert Picture Here>
Agenda
• Network Encryption• Encryption of data in motion
• Strong Authentication• PKI, Kerberos, Radius
• Data Encryption• Encryption of data at rest• Secure Backup
• Oracle Data Vault• DB Auditing
• Audit Vault
Strong Authentication
• Kerberos• Ease of deployment makes this a popular choice
• PKI• Large customers are working on full scale deployments• Strong interest among large Universities• Oracle supports SSL accelerators
• Radius• Database integrates with RADIUS
<Insert Picture Here>
Agenda
• Network Encryption• Encryption of data in motion
• Strong Authentication• PKI, Kerberos, Radius
• Data Encryption• Encryption of data at rest• Secure Backup
• Oracle Data Vault• DB Auditing
• Audit Vault
The Need for Encryption
• Worldwide privacy, security laws and regulations• Sarbanes-Oxley• PCI• California SB 1386 • Country-specific laws
Customer CreditCard Numbers
Disks replacedfor maintenance
Laptops stolenBackups lost
Data worthless if encrypted
The DBMS_CRYPTO Package
• Formerly DBMS_OBFUSCATION (Release 8)• Extensive control of options
• Generate as many, or as few keys as you desire• Granular access control, Manual salt generation, algorithm
selection, chaining mode
• Limited Transparency
Transparent Data Encryption
• Integrated with the Oracle database for simplicity• Alter table encrypt column …
• Provides application transparency• No API calls, database triggers or views required
• Media protection of PII data• Social security numbers• Credit Card Numbers
• Performance• Works with existing indexes for
fast searches
Separation of duties
DBA starts upDatabase
Security DBA opens walletcontaining master key
Wallet password is separate fromSystem or DBA password
No access to wallet
Master key and column keys
Column keys encryptedby master key
Master key storedin PKCS#12 wallet
Security DBA opens walletcontaining master key Column keys encrypt
data in columns
Oracle Secure Backup:Tape Backup Management
Highest levels of tape data protection at the lowest cost!
Fastest & Best Integrated tape backup for the Oracle Database
-Recovery Manager (RMAN) integration
-Enterprise Manager (EM) interface
Maximum security options
Free version (limited functionality) will ship with the Oracle Database
Oracle Secure BackupCentralized Tape Backup Management
Oracle DatabasesOracle Databases
Integration with
RMAN
File System DataFile System Data
UNIX Linux
Windows NAS
Tape
Why Use Oracle Secure Backup?
Scalable from the department to the data center
Database tape backups can now be seamlessly managed by Database Administrators (DBA) or storage group
Intelligent integration with RMAN delivering the best performance and security for database backups
Easily managed using Enterprise Manager (EM)
Single technical support resource for entire backup solution expedites problem resolution
Reliable data protection at lower cost and complexity• For the Oracle Database and file system data
End to End Security
Data EncryptedOn Backup Files
DataWrittenTo Disk
AutomaticallyEncrypted
DataAutomatically
DecryptedThrough
SQL Interface
Oracle Advanced SecurityNetwork Encryption
Oracle Advanced SecurityStrong Authentication
Oracle Advanced SecurityTransparent Data Encryption
<Insert Picture Here>
Agenda
• Network Encryption• Encryption of data in motion
• Strong Authentication• PKI, Kerberos, Radius
• Data Encryption• Encryption of data at rest• Secure Backup
• Oracle Data Vault• DB Auditing
• Audit Vault
Data Vault Objectives
• Multi-factored approach to database security• Protect and share data assets using environmental factors for
assurance• Defense in depth approach• Protect application schemas from system privileges
• Database Server as Database Appliance• Lock Down, Hardened Software and Privileges• Comprehensive Audit Policy• Separation of Duties
Data Vault Protected Schema
• Protect Data Vault metadata from tampering• Remove metadata dependency on SYS schema• Access to protected schema only through the
administrative roles• Provide separation of duties by different
administrative roles• Password required for SYS login• No OSDBA group membership
<Insert Picture Here>
Agenda
• Network Encryption• Encryption of data in motion
• Strong Authentication• PKI, Kerberos, Radius
• Data Encryption• Encryption of data at rest• Secure Backup
• Oracle DataVault• DB Auditing
• Audit Vault
AUDITING
• Audit & monitor database activity• Logon failures, privilege usage, data access,
object access,and other activities
• Standard Audit Trail (over 250 audit actions)
• Gives first level of information about access to the database
• Statement auditing• Privilege auditing• Schema Object auditing
• Fine-Grained Auditing (FGA)• Gives second level of information about
specific operations to the database• Enables you to monitor data access
based on content.
Oracle Database 10g Auditing
Fine-grained auditing (FGA)
• Beginning with Oracle9i Database, Oracle provides the capability to audit specific rows within a table. This is accomplished using the DBMS_FGA package.
• Features• Attach audit policy to table or view • Specify audit condition using a SQL predicate• User’s query text with bind variables are written to audit record upon
a triggering audit event• Event handler can alert administrator to triggering condition (e.g.
write record to log, send page)
10gR210gR1
Oracle 9iR2(Future)
Other Sources,Databases
Monitor Policies
Reports Security
Collect and Consolidate Audit Data
Simplify Compliance Reporting
Detect and Prevent Insider Threats
Scale and Security
Lower IT Costs With Audit Policies
Oracle Audit Vault Oracle Database Vault
DB Security Evaluation #19
Transparent Data Encryption
EM Configuration Scanning
Fine Grained Auditing (9i)
Secure application roles
Client Identifier / Identity propagation
Oracle Label Security
Proxy authentication
Enterprise User Security
Global roles
Virtual Private Database (8i)
Database Encryption API
Strong authentication (PKI, Kerberos, RADIUS)
Native Network Encryption (Oracle7)
Database Auditing
Government customer
Oracle Database Security30 years of Innovation
20071977
<Insert Picture Here>
Agenda
• Network Encryption• Encryption of data in motion
• Strong Authentication• PKI, Kerberos, Radius
• Data Encryption• Encryption of data at rest• Secure Backup
• Oracle DataVault• DB Auditing
• Audit Vault
For More Information
http://search.oracle.com
or
oracle.com/security
Transparent Data Encryption