1 / 23

Database Security

Database Security. TDE DP RMAN VPD. Objectives. After completing this lesson, you should be able to do the following: Implement Transparent Data Encryption (TDE) Use TDE with encrypted columns Describe Data Pump (DP) encryption

mura
Download Presentation

Database Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Database Security

  2. TDE DP RMAN VPD Objectives • After completing this lesson, you should be able to do the following: • Implement Transparent Data Encryption (TDE) • Use TDE with encrypted columns • Describe Data Pump (DP) encryption • Identify components of Recovery Manager (RMAN)–encrypted backups • Define basic concepts of a Virtual Private Database (VPD) • Apply a column-level VPD policy

  3. Column and index data Wallet Oracle Transparent Data Encryption (TDE): Overview • Need for secure information • Automatic encryption of sensitive information: • Embedded in the Oracle database • No need to change application logic • Encrypts data and index values • Using an encryption key: • Master key for the entire database • Stored in Oracle Wallet Encryption/Decryption

  4. Name Sal Card Address Name Sal Card Address JFV É&à{ +”~é[ Rognes JFV 10000 A0023 Rognes ])°=# §!?&} 20000 B1524 &(è`$ }{|\ç{ 10000 C2568 @”#|} #{[|è` 30000 D1483 µ£*°{ }|_@} 20000 E0732 ~{([ç^ “&²#è 40000 F3456 TDE Process Wallet Master key Column keys ExternalSecurityModule Encrypted data Clear data SELECT|INSERT|UPDATE|CREATE TABLE ALTER TABLE

  5. Implementing Transparent Data Encryption • Create a wallet: automatically or by using Oracle Wallet Manager. Example sqlnet.ora entry: ENCRYPTION_WALLET_LOCATION= (SOURCE=(METHOD=FILE)(METHOD_DATA= (DIRECTORY=/opt/oracle/product/10.2.0/db_1/)))

  6. Implementing Transparent Data Encryption 2. Set the master key from within your instance: 3. Open the wallet from within your instance (future): 4. Create tables that contain encrypted columns: ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY <password>; ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY <password>; CREATE TABLE emp ( first_name VARCHAR2(128), last_name VARCHAR2(128), empID NUMBER ENCRYPT NO SALT, salary NUMBER(6) ENCRYPT USING '3DES168', comm NUMBER(6) ENCRYPT);

  7. Existing Tables and TDE • Add encrypted columns: • Encrypt unencrypted columns: • Disable column encryption: • Add or remove salt: • Change keys and the encryption algorithm: ALTER TABLE emp ADD (ssn VARCHAR2(11) ENCRYPT); ALTER TABLE emp MODIFY (first_name ENCRYPT); ALTER TABLE emp MODIFY (first_name DECRYPT); ALTER TABLE emp MODIFY(first_name ENCRYPT[NO]SALT); ALTER TABLE emp REKEY USING '3DES168';

  8. Transparent Data Encryption: Considerations • You cannot encrypt tables owned by SYS. • LONG and LOB data types are not supported. • The supported encryption algorithms are: • 3DES168 • AES128 • AES192 • AES256 • NO SALT must be used to encrypt index columns. • TDE works with indexes for equality searches. • Encrypted data must be decrypted before expressions evaluation. • Best practice tip: Back up the wallet.

  9. Wallet Support for Usernames and Passwords • Wallets can now hold more than just a certificate: • You can store usernames and passwords in a wallet rather than providing them on the command line. • Batch job processing: • Protects exposure of usernames and passwords when listing processes on the OS • Set up using: • WALLET_LOCATION in sqlnet.ora • mkstore utility connect /@db_connect_string

  10. TDE > DP RMAN VPD Data Pump and Transparent Data Encryption • Use your own provided column key during export and import: • Also true for external tables: ENCRYPTION_PASSWORD = <password> CREATE TABLE emp_ext ( first_name, last_name, empID, salary ENCRYPT IDENTIFIED BY "xIcf3T9u" ) ORGANIZATION EXTERNAL ( TYPE ORACLE_DATAPUMP DEFAULT DIRECTORY "D_DIR" LOCATION('emp_ext.dat') ) REJECT LIMIT UNLIMITED as select * from employees;

  11. TDE DP > RMAN VPD RMAN Encrypted Backups: Overview • Three possible encryption modes for your backups: • Transparent mode: • Requires Oracle Wallet • Is best suited for day-to-day backup and restore operations at the same location • Is the default encryption mode • Password mode: • Requires you to provide a password • Is best suited for backups restored at remote locations • Dual mode: • Can use either Oracle Wallets or passwords • Is best suited for backups restored locally and remotely

  12. Transparent Mode Setup 1. Create a wallet: automatically or by using Oracle Wallet Manager. 2. Open the wallet from within your instance: 3. Set the master key from within your instance: 4. Configure RMAN to use transparent encryption: 5. There are no changes to your backup or recover commands. 6. Permanent configuration can be temporarily overwritten: ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY <password>; ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY <password>; CONFIGURE ENCRYPTION FOR DATABASE ON SET ENCRYPTION OFF

  13. Password Mode Setup 1. Set your RMAN session to use password encryption: 2. There are no changes to your backup commands. • Set your RMAN session to decrypt password-encrypted backups: 4. There are no changes to your recover commands. SET ENCRYPTION ON IDENTIFIED BY password ONLY SET DECRYPTION IDENTIFIED BY password1 {, password2,…, passwordn}

  14. Dual Mode Setup 1. Create a wallet: automatically or by using Oracle Wallet Manager. 2. Open the wallet from within your instance: 3. Set your RMAN session to use dual encryption: 4. There are no changes to your backup commands. 5. If necessary, set your RMAN session to decrypt your backups by using the password: 6. There are no changes to your recover commands. ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY <password>; SET ENCRYPTION ON IDENTIFIED BY password SET DECRYPTION IDENTIFIED BY password1 {, password2,…, passwordn}

  15. RMAN-Encrypted Backups: Considerations • Image copy backups cannot be encrypted. • COMPATIBLE must be set to at least 10.2.0. • V$RMAN_ENCRYPTION_ALGORITHMS contains the list of possible encryption algorithms. • Backup encryption is available only with Oracle Database Enterprise Edition. • One new encryption key is used for each new encrypted backup. • You can increase disk performance by using multiple channels. • You can change the master key anytime without affecting your transparent encrypted backups. CONFIGURE ENCRYPTION ALGORITHM 'algorithmname' SET ENCRYPTION ALGORITHM 'algorithmname'

  16. TDE DP RMAN > VPD Need for Data Privacy • Examples: • Employees: Protect salary and commission percent (used in the remainder of this lesson) • Online banking: Protect access to accounts • Web store: Supply individual shopping baskets • Web host: Allow each customer to see only their own data • Used in Oracle SalesOnline.com and Oracle Portal

  17. Definition and Usage of Terms • Fine-grained access control (FGAC): Use of functions • Application context: To preserve user identity and serve as a secure data cache for application attributes and values • Application attributes: Used by fine-grained access policies

  18. Virtual Private Database: Overview • Virtual Private Database (VPD) consists of: • Fine-grained access control (FGAC) • Secure application context • VPD uses policies to add conditions to SQL statements that protect sensitive data. • VPD provides row-level access control. • Application attributes defined inside an application context are used byfine-grained access policies.

  19. Virtual Private Database: Features • Column-level VPD enforces row-level access control based on accessed security columns. • With customization, you can define static and nonstatic policies. • Using shared policies, you can associate one policy with multiple objects. • Policy type can be INDEX. • Policy predicate text string can be of size 32 KB.

  20. Column-Level VPD: Example • Statements are not always rewritten. • Consider a policy protecting the SALARY and COMMISSION_PCT columns of the EMPLOYEES table. Fine-grained access control is: • Not needed for this query: • Enforced for these queries: SQL> SELECT last_name FROM employees; SQL> SELECT last_name, salary 2 FROM employees; SQL> SELECT * FROM employees;

  21. Creating a Column-Level Policy • Grant the privilege. • Create the function. • Apply the policy to the object. BEGIN dbms_rls.add_policy(object_schema => 'hr', object_name => 'employees', policy_name => 'hr_policy', function_schema =>'hr', policy_function => 'hrsec', statement_types =>'select,insert', sec_relevant_cols=>'salary,commission_pct'); END; /

  22. Summary • In this lesson, you should have learned how to: • Implement Transparent Data Encryption • Use TDE with encrypted columns • Describe Data Pump encryption • Identify components of RMAN-encrypted backups • Define basic concepts of a Virtual Private Database • Apply a column-level VPD policy

  23. Practice Overview:Using Oracle Database Security • This practice covers the following topics: • Implementing TDE by creating an encrypted wallet and encryption keys • Using TDE with encrypted columns

More Related