Latest Innovations in Database Security

Latest Innovations in Database Security. Frank Yang, APAC Database Security Product Manager.


Presentation Transcript


  1. Latest Innovations in Database Security. Frank Yang, APAC Database Security Product Manager
  2. The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
  3. Program Agenda: Business drivers for database security; Monitoring Oracle and non-Oracle databases; New solutions to secure data and applications; Updates for existing database security features
  4. Business Drivers for Data Security: Protect sensitive data; Manage Compliance; Control Costs; Plan for Growth
  5. What Do We Know About Our Attackers? ADVANCED; ADAPTIVE; PERSISTENT; PLANNED; THREATS; TARGETS. Apply enough fire power to break weakest link; Ability to dial-up the attack vector; Scanning, scoping, infiltrating; Stay put, but avoid detection; Infrastructure, IP, and business targets; Cause harm directly/indirectly
  6. Challenges in Securing Databases: Meeting Ever Changing Threat & Compliance Landscape; Performance & Management; Securing Oracle & Non Oracle Databases; Securing Existing Applications
  7. Oracle Database Security Solutions: Protecting Critical Data Infrastructure. PREVENTIVE: Encryption and Masking; Privilege User Control; Multi-Factor Authorization. DETECTIVE: Activity Monitoring; Database Firewall; Auditing and Reporting. ADMINISTRATIVE: Database Lifecycle Management; Data Discovery and Classification; Vulnerability Scanning
  8. INTRODUCING Oracle Audit Vault and Database Firewall
  9. Oracle Audit Vault and Database Firewall: New Detective Control for Oracle and Non-Oracle Databases. [Diagram: Users; Applications; Database Firewall: Allow, Log, Alert, Substitute, Block; Firewall Events; DB Audit Data; OS, Directory & Custom Audit Logs; Auditor; Security Manager; Reports; Alerts; Custom Server Policies; Audit/Event Warehouse]
  10. Activity Reports: System Privileges Used
  11. Oracle Audit Vault and Database Firewall: Comprehensive Auditing and Monitoring Platform. Technology Differentiators: Exceptional horizontal and vertical scalability to support massive volume of data; Accurate network monitoring based on SQL grammar; Extensible platform with Templates for new custom audit sources (no-coding); Audit policy management and integrated audit trail cleanup; Compliance/custom reports/alerts and workflow without overloading the security team; Information lifecycle management for target specific retention. Deployment Simplicity: Start with auditing and extend to monitoring, or vice-versa; Ease of deployment with “software appliance” on your hardware; Multiple deployment modes: in-line, out-of-band, proxy, host-based, HA
  12. INTRODUCING ORACLE DATA REDACTION (xxxx-xxxx-xxxx-4368)
  13. Oracle Data Redaction: New Preventive Control. Real-time redaction of sensitive data based on context; Transparent to applications, no code changes required; Consistent enforcement within the database; No changes in regular database operations. [Diagram: Credit Card Numbers 4451-2172-9841-4368, 5106-8395-2095-5938, 7830-0032-0294-1827; Policy; Credit Card Processing: 4451-2172-9841-4368; Call Center Application: xxxx-xxxx-xxxx-4368]
  14. Supported Transformations (Stored Data -> Redacted Results). Full: 10/09/1992 -> 01/01/2001; Partial: 052-51-2147 -> XXX-XX-2147; RegExp: tim.lee@acme.com -> [hidden]@acme.com; Random: 4451-2172-9841-4368 -> 4943-6344-0547-0110
  15. Declarative Multi-factor Policies. Data Redaction Policy (PL/SQL APIs, Enterprise Manager): Policy identification; What to redact?; How to redact?; When to redact?
  16. Redaction Using Enterprise Manager
  17. INTRODUCING Privilege Analysis
  18. Privilege Use Analysis: Reduce Attack Surface. Report on actual privileges and roles used in the database; Revoke unnecessary privileges and roles as needed; Help enforce least privilege and reduce risks. [Diagram: Privilege Analysis across the DBA role and APPADMIN role, with privileges Create, Select, Update, Alter system, …]
  19. Privilege Analysis: System Privileges Used
  20. Privilege Analysis: Unused Privileges to be Revoked?
  21. INTRODUCING unified auditing
  22. Oracle Database Auditing: Catch Anomalies with Conditional Auditing. Set of privileges, objects, actions auditing managed as a group (Policy Based); Multi-factor auditing to easily catch anomalies (Conditional); Unified Audit (Secure, Performant); Audit all access except when connected by … (User Exceptions); Add context data: realms, labels, app context, etc. (Extensible Syntax)
  23. Create Custom Audit Policies
  24. INTRODUCING Real application security
  25. HR Application Security Requirements: Employees can view public information.
  26. HR Application Security Requirements: Public page contains basic employee information. Users in Employee role can view public record. An employee can view his own record and update his contact information.
  27. HR Application Security Requirements: Manager can view salary of his organization.
  28. HR Application Security Requirements: HR representative can view employee SSN.
  29. Real Application Security. [Diagram: CRM Application and HR Application, each with Business Logic, Security Policy, Users and Roles; Identity/Policy Store; Security Enforced on Direct Connections; Direct, Uncontrolled Access; Shared, All-Powerful Connection; Light Weight Sessions]
  30. Enhancements to Security features
  31. Performance Leap for Sec. Features: Eliminating Performance as an Issue. * On Developer machine; Formal performance tests TBD. ** With hardware acceleration on Intel or Oracle SPARC
  32. Cryptographic Enhancements: SHA-512 for Password verifiers, Certificate signatures, DBMS_CRYPTO; Cryptographic hardware acceleration; Network encryption, DBMS_CRYPTO toolkit and other operations; Now on Windows, in addition to Linux and Solaris; FIPS 140 validation for cryptographic operations; Export/import/merge operations to move individual keys; Operations to migrate keys between wallet and HSM keystore
  33. Oracle Database Vault. Mandatory Realm: Seal off access to sensitive data even when emergency access is given to application DBA or support analyst; Freeze all security settings identified by Privilege Analysis: roles, grants, …; Single command to enable Database Vault. Statement shown on the slide: select * from finance.cust
  34. Privilege User Controls: Strong password policies, prohibit account sharing; Least privilege analysis for privileged users; Separation of duty with task specific roles; Multi-factor authorization controls; Multi-factor conditional and exception based auditing; Audit top level and recursive SQL statements; Database Vault Realms; Monitoring activities through Audit Vault and Database Firewall
  35. Improving Database Security Posture: Out-of-the-box audit policies (Account Management, Security Configuration, Database Parameters); Mandatory audit of audit administration; New roles for Audit Reviewer, Audit Administrator; New roles for Key Management, Backup, Data Guard; New Kerberos stack; Running Oracle Database as a Windows service
  36. Building Secure Applications: Sensitive data discovery, Least privilege analysis; Multi-factor authorization, auditing, and redaction; Virtual Private Database for row/column security; Label based access control; Secure Application Context; Code-based access control (CBAC) associates privileges with code; Real Application Security
  37. Enterprise Manager Security Console: Simplified Management. Centralized Console; Events and alerts; Policy management; Step-by-step; Create by examples; Format libraries
  38. Discover Sensitive Data: Administrative Control. Scan databases for sensitive data; Create and maintain application data models; Encrypt, redact, mask, audit…
  39. Securely Provisioning Test Systems: Mask Sensitive Data for Test/Dev. Masking at-Source minimizes sensitive data exposure. Application Masking Templates: E-Business Suite 12.1.3; Fusion Applications; PeopleSoft (planned with PTools 8.5.3). Self-updated masking templates. [Diagram: Before; Prod; Data Subset; New; Clone & Mask; Subsetted & Masked Data Pump File; Test; EM store @ Oracle; At-Source Masking]
  40. Oracle Database Security Solutions: Maximum Security for Critical Data Infrastructure. PREVENTIVE: Encryption; Redaction and Masking; Multi-Factor Authorization. DETECTIVE: Activity Monitoring; Database Firewall; Auditing and Reporting. ADMINISTRATIVE: Database Lifecycle Management; Data Discovery and Classification; Vulnerability Scanning
  41. Oracle Database Security Key Benefits: Security and Compliance; Enterprise Ready; Simple and Flexible; Speed and Scale
  42. Graphic Section Divider
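
How the "what, how, when" questions of slides 13 to 15 map onto the PL/SQL API, as an added example that is not taken from the presentation: one DBMS_REDACT policy that partially masks a card number into the xxxx-xxxx-xxxx-4368 form shown on slide 13 for every session except the card-processing account. The SALES.CARDS table, the CARD_NO column, the policy name and the CARD_PROC account are hypothetical, and the SALES schema is assumed to exist.

```sql
-- Added example. All object, policy and account names are hypothetical.
-- The sample rows reuse the card numbers printed on slide 13.
CREATE TABLE sales.cards (
  cust_id NUMBER PRIMARY KEY,
  card_no VARCHAR2(19) NOT NULL   -- stored as NNNN-NNNN-NNNN-NNNN
);

INSERT INTO sales.cards VALUES (1, '4451-2172-9841-4368');
INSERT INTO sales.cards VALUES (2, '5106-8395-2095-5938');
INSERT INTO sales.cards VALUES (3, '7830-0032-0294-1827');
COMMIT;

BEGIN
  DBMS_REDACT.ADD_POLICY(
    -- Policy identification
    object_schema       => 'SALES',
    object_name         => 'CARDS',
    policy_name         => 'REDACT_CARD_NO',
    -- What to redact: the column holding the card number
    column_name         => 'CARD_NO',
    -- How to redact: partial redaction. Fields are input format,
    -- output format, mask character, first and last masked position
    -- (V = maskable character, F = formatting character to skip).
    function_type       => DBMS_REDACT.PARTIAL,
    function_parameters => 'VVVVFVVVVFVVVVFVVVV,VVVV-VVVV-VVVV-VVVV,x,1,12',
    -- When to redact: whenever this condition is true for the session,
    -- here every session that is not the card-processing account
    expression          =>
      'SYS_CONTEXT(''USERENV'',''SESSION_USER'') != ''CARD_PROC'''
  );
END;
/

-- Run the same query as CARD_PROC and as a call-center account to
-- compare what each session is shown; the stored rows are unchanged.
SELECT cust_id, card_no FROM sales.cards ORDER BY cust_id;
```

Accounts holding the EXEMPT REDACTION POLICY system privilege see stored values regardless of the expression, so review who holds it before relying on the policy.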