Latest Innovations in Database Security - PowerPoint PPT Presentation


Latest Innovations in Database Security. Frank Yang APAC Database Security Product Manager.

Latest Innovations in Database Security

Frank Yang, APAC Database Security Product Manager


The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.


Program Agenda

  • Business drivers for database security

  • Monitoring Oracle and non-Oracle databases

  • New solutions to secure data and applications

  • Updates for existing database security features


Business Drivers for Data Security

  • Protect Sensitive Data

  • Manage Compliance

  • Control Costs

  • Plan for Growth


What Do We Know About Our Attackers?

ADVANCED PERSISTENT THREATS

ADAPTIVE, PLANNED TARGETS

  • Apply enough fire power to break weakest link

  • Ability to dial-up the attack vector

  • Scanning, scoping, infiltrating

  • Stay put, but avoid detection

  • Infrastructure, IP, and business targets

  • Cause harm directly/indirectly


Challenges in Securing Databases

Meeting Ever Changing Threat & Compliance Landscape

Performance & Management

Securing Oracle & Non-Oracle Databases

Securing Existing Applications


Oracle Database Security Solutions

Protecting Critical Data Infrastructure

PREVENTIVE

  • Encryption and Masking

  • Privilege User Control

  • Multi-Factor Authorization

DETECTIVE

  • Activity Monitoring

  • Database Firewall

  • Auditing and Reporting

ADMINISTRATIVE

  • Database Lifecycle Management

  • Data Discovery and Classification

  • Vulnerability Scanning


Introducing Oracle Audit Vault and Database Firewall


Oracle Audit Vault and Database Firewall

New Detective Control for Oracle and Non-Oracle Databases

[Architecture diagram. Users and Applications reach the database through the Database Firewall, whose policy outcomes are Allow, Log, Alert, Substitute and Block. Firewall Events, DB Audit Data, and OS, Directory & Custom Audit Logs are collected into the Audit/Event Warehouse; from it the Auditor receives Reports and Alerts, and the Security Manager maintains the Policies.]


Activity Reports

System Privileges Used


Oracle Audit Vault and Database Firewall

Comprehensive Auditing and Monitoring Platform

  • Technology Differentiators

    • Exceptional horizontal and vertical scalability to support massive volume of data

    • Accurate network monitoring based on SQL grammar

    • Extensible platform with templates for new custom audit sources (no coding)

    • Audit policy management and integrated audit trail cleanup

    • Compliance/custom reports/alerts and workflow without overloading the security team

    • Information lifecycle management for target specific retention

  • Deployment Simplicity

    • Start with auditing and extend to monitoring, or vice versa

    • Ease of deployment with “software appliance” on your hardware

    • Multiple deployment modes: in-line, out-of-band, proxy, host-based, HA


Introducing Oracle Data Redaction

xxxx-xxxx-xxxx-4368


Oracle Data Redaction

New Preventive Control

  • Real-time redaction of sensitive data based on context

  • Transparent to applications, no code changes required

  • Consistent enforcement within the database

  • No changes in regular database operations

[Diagram. The Credit Card Numbers column stores 4451-2172-9841-4368, 5106-8395-2095-5938 and 7830-0032-0294-1827. Under the redaction Policy, the Credit Card Processing application sees 4451-2172-9841-4368 in full, while the Call Center Application sees xxxx-xxxx-xxxx-4368.]


Supported Transformations

Transformation | Stored Data         | Redacted Result
Full           | 10/09/1992          | 01/01/2001
Partial        | 052-51-2147         | XXX-XX-2147
RegExp         | [email protected]   | [hidden]@acme.com
Random         | 4943-6344-0547-0110 | 4451-2172-9841-4368


Declarative Multi-factor Policies

A Data Redaction Policy, managed through PL/SQL APIs or Enterprise Manager, declares:

  • Policy identification

  • What to redact?

  • How to redact?

  • When to redact?
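
As an added example (not from the slides and not Oracle's own code), here is a small Python model of the four transformations on the Supported Transformations slide and of the what/how/when policy just described, applied to a constructed row as two different applications would see it. The `app` context key, the column names and the CALL_CENTER application name are assumptions.

```python
import random
import re
from datetime import date

# Constructed sample row (the card number is one shown on the slides).
ROWS = [{"ccn": "4451-2172-9841-4368", "ssn": "052-51-2147",
         "email": "jdoe@acme.com", "dob": date(1992, 9, 10)}]

def full(value):
    """FULL: replace the whole value with a fixed default (dates -> 01/01/2001)."""
    return "01/01/2001" if isinstance(value, date) else " "

def partial(value, keep_last=4, mask="x"):
    """PARTIAL: mask every digit except the last keep_last; separators stay."""
    to_mask = sum(c.isdigit() for c in value) - keep_last
    out = []
    for ch in value:
        masked = ch.isdigit() and to_mask > 0
        out.append(mask if masked else ch)
        to_mask -= masked
    return "".join(out)

def regexp(value, pattern, replacement):
    """REGEXP: rewrite by pattern, e.g. hide the local part of an email."""
    return re.sub(pattern, replacement, value)

def randomize(value, rng=random):
    """RANDOM: keep the shape of the value but replace every digit at random."""
    return "".join(str(rng.randrange(10)) if c.isdigit() else c for c in value)

# WHEN to redact: a predicate on the session context. The 'app' key is a
# hypothetical stand-in for an Oracle application-context attribute.
def is_call_center(ctx):
    return ctx.get("app") == "CALL_CENTER"

# WHAT (column) -> (HOW to redact, WHEN to redact): the declarative policy.
POLICY = {
    "ccn":   (lambda v: partial(v, 4, "x"), is_call_center),
    "ssn":   (lambda v: partial(v, 4, "X"), is_call_center),
    "email": (lambda v: regexp(v, r"^[^@]+", "[hidden]"), is_call_center),
    "dob":   (full, is_call_center),
}

def select(rows, ctx, policy=POLICY):
    """Rows as this session sees them: redaction is applied at query time inside
    the database, so stored data and application code stay unchanged."""
    def view(row):
        return {col: policy[col][0](val) if col in policy and policy[col][1](ctx)
                else val for col, val in row.items()}
    return [view(row) for row in rows]
```

Calling `select(ROWS, {"app": "CALL_CENTER"})` returns the masked values, while `select(ROWS, {"app": "CC_PROCESSING"})` returns the stored row untouched, which is the behaviour the slide's Call Center versus Credit Card Processing split illustrates.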



Introducing Privilege Analysis


Privilege Use Analysis

Reduce Attack Surface

  • Report on actual privileges and roles used in the database

  • Revoke unnecessary privileges and roles as needed

  • Help enforce least privilege and reduce risks

[Diagram. Roles such as APPADMIN (Select, Update …) and DBA (Create …, Select …, Update …, Alter system) hold more privileges than their sessions actually exercise; Privilege Analysis reports the privileges used so that the rest can be revoked.]


Privilege Analysis

System Privileges Used


Privilege Analysis

Unused Privileges to be Revoked?


Introducing Unified Auditing


Oracle Database Auditing

Catch Anomalies with Conditional Auditing

Policy Based: a set of privileges, objects and actions whose auditing is managed as a group

Conditional: multi-factor auditing to easily catch anomalies

Unified Audit: secure, performant

User Exceptions: audit all access except when connected by ….

Extensible Syntax: add context data (realms, labels, app context, etc.)



Introducing Real Application Security


HR Application Security Requirements

  • Employees can view public information.

  • The public page contains basic employee information; users in the Employee role can view the public record.

  • An employee can view his own record and update his contact information.

  • A manager can view the salaries of his organization.

  • An HR representative can view employee SSNs.


Real Application Security

[Diagram. The CRM Application and the HR Application each carry their own Business Logic, Security Policy and Users and Roles, and reach the database over a Shared, All-Powerful Connection, leaving Direct, Uncontrolled Access to the data. With Real Application Security, Users and Roles and the Security Policy live in an Identity/Policy Store, applications use Light Weight Sessions, and Security is Enforced on Direct Connections.]


Enhancements to Security Features


Performance Leap for Security Features

Eliminating Performance as an Issue

* On Developer machine; Formal performance tests TBD

** With hardware acceleration on Intel or Oracle SPARC


Cryptographic Enhancements

  • SHA-512 for Password verifiers, Certificate signatures, DBMS_CRYPTO

  • Cryptographic hardware acceleration

    • Network encryption, DBMS_CRYPTO toolkit and other operations

    • Now on Windows, in addition to Linux and Solaris

  • FIPS 140 validation for cryptographic operations

  • Export/import/merge operations to move individual keys

  • Operations to migrate keys between wallet and HSM keystore


Oracle Database Vault

Mandatory Realm

  • Seal off access to sensitive data even when emergency access is given to application DBA or support analyst

  • Freeze all security settings identified by Privilege Analysis: roles, grants, …

  • Single command to enable Database Vault

select * from finance.cust


Privilege User Controls

  • Strong password policies, prohibit account sharing

  • Least privilege analysis for privileged users

  • Separation of duty with task specific roles

    • Multi-factor authorization controls

    • Multi-factor conditional and exception based auditing

    • Audit top level and recursive SQL statements

    • Database Vault Realms

  • Monitoring activities through Audit Vault and Database Firewall


Improving Database Security Posture

  • Out-of-the-box audit policies (Account Management, Security Configuration, Database Parameters)

    • Mandatory audit of audit administration

  • New roles for Audit Reviewer, Audit Administrator

  • New roles for Key Management, Backup, Data Guard

    • New Kerberos stack

  • Running Oracle Database as a Windows service


Building Secure Applications

  • Sensitive data discovery, Least privilege analysis

    • Multi-factor authorization, auditing, and redaction

  • Virtual Private Database for row/column security

  • Label based access control

  • Secure Application Context

  • Code-based access control (CBAC) associates privileges with code

  • Real Application Security


Enterprise Manager Security Console

Simplified Management

  • Centralized Console

  • Events and alerts

  • Policy management

  • Step-by-step

  • Create by examples

  • Format libraries


Discover Sensitive Data

Administrative Control

  • Scan databases for sensitive data

  • Create and maintain application data models

  • Encrypt, redact, mask, audit…


Securely Provisioning Test Systems

Mask Sensitive Data for Test/Dev.

  • Masking at-Source minimizes sensitive data exposure

  • Application Masking Templates

    • E-Business Suite 12.1.3

    • Fusion Applications

    • PeopleSoft (planned with PTools 8.5.3)

  • Self-updated masking templates

    • EM store @ Oracle

[Diagram. Before: data was copied from Prod to Test unchanged. New: Prod is cloned and masked (At-Source Masking, Data Subset) into a Subsetted & Masked Data Pump File, which is then loaded into Test.]


Oracle Database Security Solutions

Maximum Security for Critical Data Infrastructure

PREVENTIVE

  • Encryption

  • Redaction and Masking

  • Multi-Factor Authorization

DETECTIVE

  • Activity Monitoring

  • Database Firewall

  • Auditing and Reporting

ADMINISTRATIVE

  • Database Lifecycle Management

  • Data Discovery and Classification

  • Vulnerability Scanning


Oracle Database Security

Key Benefits

  • Security and Compliance

  • Enterprise Ready

  • Simple and Flexible

  • Speed and Scale


