
Upload: karen-quinn

Post on 27-Dec-2015


Security and the Data Warehouse

Kristy Edwards, Principal Product Manager, Security
Oracle Corporation

George Lumpkin, Director Product Management, DW
Oracle Corporation

Session id: 40176

3

Agenda

Data warehousing security issues
Data Warehouse security strategy
– Secure the entire DW environment
– Oracle database security is the foundation of a DW security strategy
Summary: Customer success stories

4

Technical challenges

More valuable data since current and historical records are stored from all parts of the organization
– Customer profiles
– Company's financial history
– Quarterly sales information
Performance is paramount
– Security cannot adversely affect performance
More users have direct, ad-hoc query access to a data warehouse
Sensitive data stored in data marts and ETL servers

5

Business challenges

How can I consolidate multiple data marts in the same database?

How can I share the information in my data warehouse with partners and customers?

How can I ensure that my data warehouse obeys laws and regulations regarding data privacy?

6

Agenda

Data warehousing security issues
Data Warehouse security strategy
– Secure the entire DW environment
– Oracle database security is the foundation of a DW security strategy
Summary: Customer success stories

7

Oracle Strategy for DW Security

End-to-End Security
– Secure the entire DW process
– From ETL all the way through the end-user
Consolidation
– Leverage consolidation to increase security
Secure Foundation
– Oracle database security is the foundation of a DW security strategy

8

Consolidation Provides Better Security

Centrally managed by an expert
Fewer points of attack
Apply security patches quickly in one place
Enforce security consistently
Protect the data itself

9

Agenda

Data warehouse security issues
Data warehouse security strategy
– Secure the entire DW environment
– Oracle database security is the foundation of a DW security strategy
Summary: Customer success stories

10

Layers of Security

Physical
Policies
Perimeter and Network
Applications and RDBMS
OS

Security Trends

[Figure: security capabilities plotted over time for OLTP and Data Warehousing. Labels: Access Control, Fine-grained Access Control, Authentication, Audit, Identity Management, Network Crypto. Axis: Time]

12

Oracle Database 10g Provides the Security Foundation

Security built into the server cannot be bypassed
– Consistent security policy regardless of the tool or interface used to access data
– Oracle preserves the identity of the user
Security is transparent to tools and applications

[Diagram: Discoverer, Business Objects and SQL*Plus all reach Oracle DB 10g through identical data access policies]

13

Assurance of Oracle Database 10g Security

Builds on 15 17 independent security evaluations

Effective way to validate vendor's security assertions
– NCR Teradata has 0 evaluations
– IBM DB2 has 0 evaluations
– SQL Server has 1 evaluation

14

Leverage Oracle Database 10g Security

[Diagram: an Enterprise Data Warehouse consolidating Marketing, Finance and Sales, with seven numbered protections: Protect data in transit, Protect stored data, Audit, Access Control, Authenticate, Authorize, Identity Management]

15

Row-level Security Benefits for Data Warehousing

Consolidation – with assurance of data separation
Lower cost of ownership
– Build security once, not within multiple applications
Minimizes risks through database-enforced security
Highly scalable without performance impact
Leverage RLS to protect private information in data warehouses

16

Security Issue #2: Accountability

Keep users accountable for their actions
Identify misuse of legitimate user privilege
– E.g., data snoopers (e.g., why is a user accessing his own record from June 29 so often?)

Support intrusion detection

17

Solution: Fine-grained Auditing

Audit for accountability
Audit with precision
Monitor data access based on content
Attach audit policy to table or view
– with 'WHERE' condition
– Relevant column
– PL/SQL package DBMS_FGA to apply policies to table/view
– Exact query text in audit record
Data warehouses cannot afford to audit too broadly

[Diagram: FGA Policy attached to a table, with the relevant column marked]

18

Fine-grained Auditing

Audit Policy on PATIENTS:
AUDIT_CONDITION: 'name != USER'
AUDIT_COLUMN = DIAGNOSIS

Not audited:
SELECT name, job, deptno FROM patients

Audited (Send Alert!):
SELECT name, diagnosis FROM patients WHERE name = 'KING'

Audit Record:
SELECT name, diagnosis FROM patients WHERE name = 'KING', <timestamp>, <userid>, etc.
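The policy on this slide, written out with DBMS_FGA as an added example (not code from the original slides). The HOSPITAL and SEC_ADMIN schemas, the FGA_ALERTS table and the DIAGNOSIS_ALERT handler are hypothetical names chosen for illustration.

```sql
-- Added example. HOSPITAL, SEC_ADMIN, FGA_ALERTS and DIAGNOSIS_ALERT
-- are hypothetical names, not taken from the slides.

-- Alert table written by the handler.
CREATE TABLE sec_admin.fga_alerts (
  alert_time   TIMESTAMP,
  db_user      VARCHAR2(30),
  object_name  VARCHAR2(61),
  policy_name  VARCHAR2(30),
  sql_text     VARCHAR2(4000)
);

-- FGA event handler: the server calls it with these three arguments each
-- time the policy fires. This is the "Send Alert!" step on the slide.
CREATE OR REPLACE PROCEDURE sec_admin.diagnosis_alert (
  object_schema IN VARCHAR2,
  object_name   IN VARCHAR2,
  policy_name   IN VARCHAR2
) AS
  PRAGMA AUTONOMOUS_TRANSACTION;  -- alert is kept even if the caller rolls back
BEGIN
  INSERT INTO sec_admin.fga_alerts
  VALUES (SYSTIMESTAMP,
          SYS_CONTEXT('USERENV', 'SESSION_USER'),
          object_schema || '.' || object_name,
          policy_name,
          -- statement text; this attribute is populated inside FGA handlers
          SYS_CONTEXT('USERENV', 'CURRENT_SQL', 4000));
  COMMIT;
END;
/

BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema   => 'HOSPITAL',
    object_name     => 'PATIENTS',
    policy_name     => 'AUDIT_DIAGNOSIS',
    audit_condition => 'name != USER',  -- only rows that are not the caller's own
    audit_column    => 'DIAGNOSIS',     -- only statements that reference this column
    handler_schema  => 'SEC_ADMIN',
    handler_module  => 'DIAGNOSIS_ALERT',
    enable          => TRUE,
    statement_types => 'SELECT');
END;
/

-- Review what fired. SELECT name, job, deptno FROM patients leaves no row here.
SELECT timestamp, db_user, sql_text
FROM   dba_fga_audit_trail
WHERE  policy_name = 'AUDIT_DIAGNOSIS'
ORDER  BY timestamp;
```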

19

Benefits for Data Warehousing

Audit analysis
– Fewer, but more precise, audit records
– Reducing false or misleading audits makes it easier to analyze audit records
– SQL text gives insight into the intent of the query
Accountability and deterrence
– Minimizes security risks if a user knows he/she is being monitored
Supports fact tables and materialized views

20

Security Issue #3: Protect Data In Transit

Stored data has inherent protection of user authentication, access control, audit
Data traveling over network does not have these protections
80% of data loss is to insiders

21

Solution: Network Encryption

Oracle Advanced Security encrypts all communication with the database
– Uses standard algorithms: AES, 3DES, DES, RC4; Diffie-Hellman key exchange
– Supplies SSL
– Secures all protocols into the database: Net8, IIOP, Thin JDBC

22

Benefits for Data Warehousing

Minimizes security risks since data traveling over the network is encrypted

Protects all network communications with Oracle with minimal impact

Easy to deploy
– 6 sqlnet.ora parameters

23

Security Issue #4: Protect Stored Data

Especially sensitive information requires additional layer of security
– social security numbers
– credit card numbers
Mitigate threats
– hackers compromising the OS and reading database files
– malicious DBA

24

Solution: Stored Data Encryption

Oracle DB 10g has a new encrypt/decrypt interface called DBMS_CRYPTO
– AES, 3DES and DES encryption
– MD5, MD4 and SHA-1 cryptographic hashes
– Supports all datatypes (LOB, BLOB, CLOB)
Application provides key generation, management, recovery
– Encryption keys must be stored somewhere
– Can be stored in a database file, on the OS, in application, on diskette, etc.
Don't solve access control problem with encryption
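A sketch of column encryption with DBMS_CRYPTO in which the application supplies the key, as the slide requires. This is an added example, not code from the original slides; the CUSTOMER_SECURE table and SSN_VAULT package are hypothetical names.

```sql
-- Added example. CUSTOMER_SECURE and SSN_VAULT are hypothetical names.
-- Requires EXECUTE on DBMS_CRYPTO. The caller supplies a 32-byte key:
-- the database stores ciphertext and IV only, never the key.
CREATE TABLE customer_secure (
  cust_id  NUMBER PRIMARY KEY,
  ssn_enc  RAW(64) NOT NULL,
  ssn_iv   RAW(16) NOT NULL
);

CREATE OR REPLACE PACKAGE ssn_vault AS
  PROCEDURE store_ssn(p_cust_id IN NUMBER, p_ssn IN VARCHAR2, p_key IN RAW);
  FUNCTION  read_ssn(p_cust_id IN NUMBER, p_key IN RAW) RETURN VARCHAR2;
END ssn_vault;
/
CREATE OR REPLACE PACKAGE BODY ssn_vault AS
  c_alg CONSTANT PLS_INTEGER := DBMS_CRYPTO.ENCRYPT_AES256
                              + DBMS_CRYPTO.CHAIN_CBC
                              + DBMS_CRYPTO.PAD_PKCS5;

  PROCEDURE check_key(p_key IN RAW) IS
  BEGIN
    IF p_key IS NULL OR UTL_RAW.LENGTH(p_key) != 32 THEN
      RAISE_APPLICATION_ERROR(-20001, 'AES-256 needs a 32-byte key');
    END IF;
  END;

  PROCEDURE store_ssn(p_cust_id IN NUMBER, p_ssn IN VARCHAR2, p_key IN RAW) IS
    l_iv  RAW(16) := DBMS_CRYPTO.RANDOMBYTES(16);  -- fresh IV for every row
    l_enc RAW(64);
  BEGIN
    check_key(p_key);
    l_enc := DBMS_CRYPTO.ENCRYPT(UTL_I18N.STRING_TO_RAW(p_ssn, 'AL32UTF8'),
                                 c_alg, p_key, l_iv);
    INSERT INTO customer_secure VALUES (p_cust_id, l_enc, l_iv);
  END;

  FUNCTION read_ssn(p_cust_id IN NUMBER, p_key IN RAW) RETURN VARCHAR2 IS
    l_enc RAW(64);
    l_iv  RAW(16);
  BEGIN
    check_key(p_key);
    SELECT ssn_enc, ssn_iv INTO l_enc, l_iv
    FROM   customer_secure WHERE cust_id = p_cust_id;
    RETURN UTL_I18N.RAW_TO_CHAR(DBMS_CRYPTO.DECRYPT(l_enc, c_alg, p_key, l_iv),
                                'AL32UTF8');
  END;
END ssn_vault;
/
```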

25

Stored Data Encryption Benefits

Minimizes security risks by storing very sensitive data encrypted

Oracle Database 10g supports third party security solutions

26

Security Issue #1: Access Control

Not all users should have access to all the data in the data warehouse
– Database must preserve user identity to determine exactly what the user can access
– Database must control access

27

Access Control

Object-level security
– Authorization
– Roles and privileges
Manage locally or centrally
– Role-based Access Control (RBAC)
Row-level Security (RLS)
– Control access within objects
– Fine-grained access control
– Virtual Private Database
– Oracle Label Security

28

Virtual Private Database

Data access is managed at the database level
– Fine-Grained Access Control
– Application Context
– Users only see data that they have access to
– Row-level access control
Add policy to any table, view or synonym
– Administrator binds PL/SQL package with table using Oracle-supplied API (dbms_rls)

[Diagram: VPD Policy attached to a Table or View]

29

VPD for Data Warehousing

Server dynamically rewrites SQL
– Query modification based on PL/SQL package assigned to an object
– "Where" clause appended to SQL statement

Query issued against SALES_HISTORY (1MM rows):
SELECT sum(s) FROM SALES_HISTORY;

Western Sales Rep: "where terr_id=10;" is appended. Access to his/her territory's sales.
Product Manager: "where prod_id=12;" is appended. Access to one product's sales across all territories.
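The query rewrite shown on this slide, implemented with an application context and dbms_rls as an added example (not code from the original slides). The DW and SEC_ADMIN schemas, the SALES_CTX context, the USER_SCOPE table and the user names are hypothetical; TERR_ID, PROD_ID and SALES_HISTORY come from the slide.

```sql
-- Added example. DW, SEC_ADMIN, SALES_CTX, USER_SCOPE and the user names
-- are hypothetical; TERR_ID and PROD_ID are the columns from the slide.

-- Constructed mapping: the column and value each database user is limited to.
CREATE TABLE sec_admin.user_scope (
  username   VARCHAR2(30) PRIMARY KEY,
  scope_col  VARCHAR2(30) CHECK (scope_col IN ('TERR_ID', 'PROD_ID')),
  scope_val  NUMBER NOT NULL
);
INSERT INTO sec_admin.user_scope VALUES ('WEST_REP', 'TERR_ID', 10);
INSERT INTO sec_admin.user_scope VALUES ('PROD_MGR', 'PROD_ID', 12);

-- Application context: only the named package may set its attributes.
CREATE OR REPLACE CONTEXT sales_ctx USING sec_admin.sales_ctx_pkg;

CREATE OR REPLACE PACKAGE sec_admin.sales_ctx_pkg AS
  PROCEDURE init;  -- assumed to be called from a logon trigger
END;
/
CREATE OR REPLACE PACKAGE BODY sec_admin.sales_ctx_pkg AS
  PROCEDURE init IS
  BEGIN
    FOR r IN (SELECT scope_col, scope_val FROM sec_admin.user_scope
              WHERE  username = SYS_CONTEXT('USERENV', 'SESSION_USER')) LOOP
      DBMS_SESSION.SET_CONTEXT('sales_ctx', 'scope_col', r.scope_col);
      DBMS_SESSION.SET_CONTEXT('sales_ctx', 'scope_val', TO_CHAR(r.scope_val));
    END LOOP;  -- unknown user: nothing is set and the policy below denies
  END;
END;
/
-- Policy function: returns the predicate the server appends to each query.
CREATE OR REPLACE FUNCTION sec_admin.sales_history_policy (
  schema_name IN VARCHAR2, object_name IN VARCHAR2) RETURN VARCHAR2 AS
BEGIN
  CASE SYS_CONTEXT('sales_ctx', 'scope_col')
    WHEN 'TERR_ID' THEN RETURN 'terr_id = TO_NUMBER(SYS_CONTEXT(''sales_ctx'', ''scope_val''))';
    WHEN 'PROD_ID' THEN RETURN 'prod_id = TO_NUMBER(SYS_CONTEXT(''sales_ctx'', ''scope_val''))';
    ELSE RETURN '1 = 0';  -- fail closed: no scope, no rows
  END CASE;
END;
/
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema => 'DW', object_name => 'SALES_HISTORY',
    policy_name => 'SALES_HISTORY_SCOPE',
    function_schema => 'SEC_ADMIN', policy_function => 'SALES_HISTORY_POLICY',
    statement_types => 'SELECT');
END;
/
```

Accounts holding the EXEMPT ACCESS POLICY privilege bypass the policy, so grants of that privilege belong in any review of a VPD deployment.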

30

VPD for Data Warehousing

No sacrifice in SQL performance
– All performance features (indexes, parallelism, partitioning, etc) apply to VPD-based queries
Fact Tables
– Policies can be applied to very large fact tables
– Most popular implementation
– Secures data at the source
Materialized Views
– Policies can be applied to summaries
– Materialized Views increase performance, and VPD increases security

31

Oracle Label Security for DW

Out-of-the-box, row level security
– Built on VPD
– Extends VPD by adding label-based access control
Same benefits as VPD, but works out of the box
Installable product vs. "write your own"
– Data access is based on sensitivity labels and customizable enforcement options
Labels can be applied to fact tables and/or materialized views

32

Oracle Label Security for DW

Superintendent: Oracle Label Security authorizations sensitive : testscore : District Schools
JFK Principal: Oracle Label Security authorizations sensitive : testscore : JFK High

Student Fact Table

Fname   Lname   Score   Sensitivity Label
Ana     Adams   155     sensitive:testscore:JFK High
Mona    Patel   150     sensitive:testscore:MLK High
Jen     Chu     175     sensitive:testscore:MLK High
Ron     Alta    145     sensitive:testscore:JFK High

[Diagram: access result for each user against the Student Fact Table rows, marked OK, x and All]

33

Agenda

Data warehouse security issues
Data warehouse security strategy
– Secure the entire DW environment
– Oracle database security is the foundation of a DW security strategy
Summary: Customer success stories

34

Business challenges

How can I consolidate multiple data marts in the same database?

How can I share the information in my data warehouse with partners and customers?

How can I ensure that my data warehouse obeys laws and regulations regarding data privacy?

35

Case Study: Province of British Columbia

Business requirements
– Consolidated financial information for 28 Ministries
– Individual Ministry data mart look and feel
Security issues
– Confidentiality of inter-Ministry financial budgetary and expenditure information
– Users require different levels of access - Ministry staff restricted to their data, Controller General staff have open access for consolidated and audit reporting
Oracle VPD solves data warehouse security issues
– No separate data marts
– All financial information for 28 Ministries stored in one database

36

Business challenges

How can I consolidate multiple data marts in the same database?

How can I share the information in my data warehouse with partners and customers?

How can I ensure that my data warehouse obeys laws and regulations regarding data privacy?

37

Case Study: Data Syndicator

Business requirements
– Deliver marketing research data to companies cost-effectively
– Deliver timely web-based information to customers
Security issues
– Separate proprietary information between each company
– Within each company, users require different levels of access
Oracle VPD solves data warehouse security issues
– Terabyte+ DW with all customer information in one table
– Did not need to build complex security layer
– Does not have to maintain a separate data warehouse for each customer (30+)
– Generate the same report for multiple customers quickly

38

Business challenges

How can I consolidate multiple data marts in the same database?

How can I share the information in my data warehouse with partners and customers?

How can I ensure that my data warehouse obeys laws and regulations regarding data privacy?

39

Case Study: Los Angeles Unified School District

Business requirements
– Provide its 750,000 students information about themselves
– Web-based access for administrators to grades, test scores, graduation rates and demographics
Security and privacy issues
– Confidentiality of student information based on California Education Code and the Family Education Rights and Privacy Act of 1974
Oracle VPD solves data warehouse security issues
– Student information stored in the same data warehouse
– Different types of users get different levels of access – student, teacher, principal, district manager, district-wide programs manager

40

Data Warehouse Security Summary

Security is crucial for data warehouses
– Data warehouses contain valuable data
– Users have direct access to data
Security adds value to data warehouses
– Enables efficiency via consolidation
Oracle's data warehouse customers rely on our security solutions

41

Next Steps…: Security and Identity Management Sessions

Identity Management for Database Applications
Oracle Platform Security: Solving Real-World Problems
Ask the Security Expert
Unbreakable: What We Learned
Securing J2EE Applications with Oracle Identity Management
Planning Your Oracle Identity Management Deployment
Improving Information Assurance of Linux
Oracle and Thor: Identity Management Provisioning
Implementing Identity Management at Lawrence Livermore National Labs - Thursday 3:15 Rm. 120

42

Next Steps…: Oracle DEMOgrounds

– Virtual Private Database Column Enforcement
– Oracle Label Security Directory Integration
– Directory Based Database Authentication
– Single Sign-On
– CA & PKI Platform
– Windows Integration & eBusiness Provisioning
– Highly Available LDAP

43

Next Steps…

A4vison, Accela, Acsys Biometrics, Alert Technologies, Ascendent Telecommunications, BIO-Key International, Compressus, Dell, Environmax, eSpatial, nCipher, Netegrity, PCI Geomatics, PlanGraphics, 3Ship Analytics, Targusinfo, Thor Technologies, Vigilos, Waveset, Xybernaut

Applications Security (Booth 841)
Vormetric (Booth 2243)
Oracle Security Command Center (Booth 1736)
Win a Dell Axim X5 handheld device

44

Next Steps for DW / BI: Data Warehousing DB Sessions

Monday and Tuesday

11:00 AM, #40153, Room 304: Oracle Warehouse Builder: New Oracle Database 10g Release
3:30 PM, #40176, Room 303: Security and the Data Warehouse
4:00 PM, #40166, Room 130: Oracle Database 10g SQL Model Clause
8:30 AM, #40125, Room 130: Oracle Database 10g: A Spatial VLDB Case Study
3:30 PM, #40177, Room 303: Building a Terabyte Data Warehouse, Using Linux and RAC
5:00 PM, #40043, Room 104: Data Pump in Oracle Database 10g: Foundation for Ultrahigh-Speed Data Movement

For More Info On Oracle BI/DW Go To http://otn.oracle.com/products/bi/db/dbbi.html

45

Next Steps for DW / BI: Data Warehousing DB Sessions

Thursday

8:30 AM, #40179, Room 304: Oracle Database 10g Data Warehouse Backup and Recovery
11:00 AM, #36782, Room 304: Experiences with Real-Time Data Warehousing using Oracle 10g
1:00 PM, #40150, Room 102: Turbocharge your Database, Using the Oracle Database 10g SQLAccess Advisor

Business Intelligence and Data Warehousing Demos All Four Days In The Oracle Demo Campground
– Oracle Database 10g
– Oracle OLAP
– Oracle Data Mining
– Oracle Warehouse Builder
– Oracle Application Server 10g

For More Info On Oracle BI/DW Go To http://otn.oracle.com/products/bi/db/dbbi.html

46

Reminder – please complete the OracleWorld online session survey

Thank you.