Latest Innovations in Database Security

Frank Yang, APAC Database Security Product Manager



The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.



Program Agenda

  • Business drivers for database security

  • Monitoring Oracle and non-Oracle databases

  • New solutions to secure data and applications

  • Updates for existing database security features


Business Drivers for Data Security

  • Protect sensitive data

  • Manage compliance

  • Control costs

  • Plan for growth


What Do We Know About Our Attackers?

Advanced, adaptive, persistent, planned threats and targets:

  • Apply enough firepower to break the weakest link

  • Ability to dial up the attack vector

  • Scanning, scoping, infiltrating

  • Stay put, but avoid detection

  • Infrastructure, IP, and business targets

  • Cause harm directly or indirectly


Challenges in Securing Databases

  • Meeting an ever-changing threat and compliance landscape

  • Performance and management

  • Securing Oracle and non-Oracle databases

  • Securing existing applications


Oracle Database Security Solutions

Protecting Critical Data Infrastructure

PREVENTIVE

  • Encryption and Masking

  • Privileged User Control

  • Multi-Factor Authorization

DETECTIVE

  • Activity Monitoring

  • Database Firewall

  • Auditing and Reporting

ADMINISTRATIVE

  • Database Lifecycle Management

  • Data Discovery and Classification

  • Vulnerability Scanning


Introducing Oracle Audit Vault and Database Firewall


Oracle Audit Vault and Database Firewall

New Detective Control for Oracle and Non-Oracle Databases

Diagram (text recovered from the slide): users and applications reach the databases through the Database Firewall, whose policy actions are allow, log, alert, substitute and block. Firewall events, database audit data, and OS, directory and custom audit logs are collected into the audit/event warehouse. From there the auditor receives reports, the security manager receives alerts, and custom server policies are managed.



Activity Reports

System Privileges Used



Oracle Audit Vault and Database Firewall

Comprehensive Auditing and Monitoring Platform

  • Technology Differentiators

    • Exceptional horizontal and vertical scalability to support massive volume of data

    • Accurate network monitoring based on SQL grammar

    • Extensible platform with templates for new custom audit sources (no coding)

    • Audit policy management and integrated audit trail cleanup

    • Compliance/custom reports/alerts and workflow without overloading the security team

    • Information lifecycle management for target specific retention

  • Deployment Simplicity

    • Start with auditing and extend to monitoring, or vice versa

    • Ease of deployment with “software appliance” on your hardware

    • Multiple deployment modes: in-line, out-of-band, proxy, host-based, HA


Introducing Oracle Data Redaction

xxxx-xxxx-xxxx-4368


Oracle Data Redaction

New Preventive Control

  • Real-time redaction of sensitive data based on context

  • Transparent to applications, no code changes required

  • Consistent enforcement within the database

  • No changes in regular database operations

Diagram (text recovered from the slide): the stored credit card numbers 4451-2172-9841-4368, 5106-8395-2095-5938 and 7830-0032-0294-1827 are returned in full to the Credit Card Processing application, while the Call Center Application, subject to the "Credit Card Numbers" policy, sees xxxx-xxxx-xxxx-4368.


Supported Transformations

Transformation   Stored Data            Redacted Result
Full             10/09/1992             01/01/2001
Partial          052-51-2147            XXX-XX-2147
RegExp           [email protected]      [hidden]@acme.com
Random           4943-6344-0547-0110    4451-2172-9841-4368


Declarative Multi-factor Policies

A Data Redaction Policy answers three questions:

  • What to redact? (policy identification)

  • How to redact?

  • When to redact?

Policies are managed through PL/SQL APIs or Enterprise Manager.



Redaction Using Enterprise Manager
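The what/how/when of a redaction policy expressed through the PL/SQL API rather than the Enterprise Manager screen, as an added example that is not part of the slides. The schema CCP, table CARDS, its columns and the CALL_CENTER role are assumed names; the block covers the Partial, Full and RegExp transformations from the Supported Transformations table.

```sql
-- Added example (not from the slides). Assumed objects: schema CCP, table
-- CARDS with columns CARD_NO (VARCHAR2 'dddd-dddd-dddd-dddd'), BIRTH_DATE
-- (DATE), EMAIL (VARCHAR2), and a role CALL_CENTER held by call-center users.
-- What to redact: the column; how: the transformation; when: the expression.
BEGIN
  -- Partial redaction: mask digits 1-12, keep the last four. The first
  -- format string describes the input (V = digit, F = formatting character),
  -- the second the output; then mask character, first and last digit to mask.
  DBMS_REDACT.ADD_POLICY(
    object_schema       => 'CCP',
    object_name         => 'CARDS',
    policy_name         => 'redact_cards_for_call_center',
    column_name         => 'CARD_NO',
    function_type       => DBMS_REDACT.PARTIAL,
    function_parameters => 'VVVVFVVVVFVVVVFVVVV,VVVV-VVVV-VVVV-VVVV,x,1,12',
    -- When: only sessions with the CALL_CENTER role enabled are redacted;
    -- the Credit Card Processing application, without the role, sees all digits.
    expression          => 'SYS_CONTEXT(''SYS_SESSION_ROLES'',''CALL_CENTER'') = ''TRUE''');

  -- A table carries one redaction policy; further columns join it with
  -- ALTER_POLICY. Full redaction of a DATE returns 01-JAN-01, the slide's
  -- 01/01/2001 row.
  DBMS_REDACT.ALTER_POLICY(
    object_schema => 'CCP',
    object_name   => 'CARDS',
    policy_name   => 'redact_cards_for_call_center',
    action        => DBMS_REDACT.ADD_COLUMN,
    column_name   => 'BIRTH_DATE',
    function_type => DBMS_REDACT.FULL);

  -- Regular-expression redaction: replace the local part of an e-mail address
  -- and keep the domain, which is capture group \2 of the shipped pattern
  -- (the slide's [hidden]@acme.com row).
  DBMS_REDACT.ALTER_POLICY(
    object_schema          => 'CCP',
    object_name            => 'CARDS',
    policy_name            => 'redact_cards_for_call_center',
    action                 => DBMS_REDACT.ADD_COLUMN,
    column_name            => 'EMAIL',
    function_type          => DBMS_REDACT.REGEXP,
    regexp_pattern         => DBMS_REDACT.RE_PATTERN_EMAIL_ADDRESS,
    regexp_replace_string  => '[hidden]@\2',
    regexp_position        => DBMS_REDACT.RE_BEGINNING,
    regexp_occurrence      => DBMS_REDACT.RE_FIRST,
    regexp_match_parameter => DBMS_REDACT.RE_CASE_INSENSITIVE);
END;
/
```

Redaction applies to query results only, so users with EXEMPT REDACTION POLICY, and the stored data itself, are unaffected; verify the effect by running the same SELECT from a session with and without the role.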


Introducing Privilege Analysis


Privilege Use Analysis

Reduce Attack Surface

  • Report on actual privileges and roles used in the database

  • Revoke unnecessary privileges and roles as needed

  • Help enforce least privilege and reduce risks

Diagram (text recovered from the slide): the DBA role (Create …, Alter system, Select …, Update …) and the APPADMIN role are both granted; Privilege Analysis shows that only Select and Update were actually used, leaving Create and Alter system as candidates for revocation.



Privilege Analysis

System Privileges Used



Privilege Analysis

Unused Privileges to be Revoked?
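The capture, run, report cycle behind the two Privilege Analysis screens above, written against the DBMS_PRIVILEGE_CAPTURE package as an added example (not taken from the slides). It assumes the APPADMIN role from the diagram exists and that the application workload is exercised while the capture is enabled.

```sql
-- Added example (not from the slides). Assumes a role APPADMIN and that the
-- application is run normally during the capture window, so that every
-- privilege it really needs is exercised at least once.

-- 1. Define a capture scoped to privileges exercised through APPADMIN and
--    start recording.
BEGIN
  DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE(
    name  => 'appadmin_capture',
    type  => DBMS_PRIVILEGE_CAPTURE.G_ROLE,
    roles => role_name_list('APPADMIN'));
  DBMS_PRIVILEGE_CAPTURE.ENABLE_CAPTURE(name => 'appadmin_capture');
END;
/

-- 2. ... run the application workload for a representative period ...

-- 3. Stop recording and materialise the results into the DBA_*_PRIVS views.
BEGIN
  DBMS_PRIVILEGE_CAPTURE.DISABLE_CAPTURE(name => 'appadmin_capture');
  DBMS_PRIVILEGE_CAPTURE.GENERATE_RESULT(name => 'appadmin_capture');
END;
/

-- 4. "System Privileges Used": what was actually needed, and via which
--    grant path (directly or through a role).
SELECT username, sys_priv, path
  FROM dba_used_sysprivs
 WHERE capture = 'appadmin_capture'
 ORDER BY username, sys_priv;

-- 5. "Unused Privileges to be Revoked?": granted but never exercised during
--    the capture. Object privileges (SELECT/UPDATE on specific tables) are
--    reported in dba_used_objprivs and dba_unused_objprivs in the same way.
SELECT username, sys_priv, path
  FROM dba_unused_sysprivs
 WHERE capture = 'appadmin_capture'
 ORDER BY username, sys_priv;
```

A short or unrepresentative capture window reports rarely used but legitimate privileges (month-end jobs, failover procedures) as unused, so treat the unused list as input to a review rather than as an automatic REVOKE script.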


Introducing Unified Auditing


Oracle Database Auditing

Catch Anomalies with Conditional Auditing

  • Policy Based: a set of privileges, objects and actions audited and managed as a group

  • Conditional: multi-factor auditing to easily catch anomalies

  • Unified Audit: secure, performant

  • User Exceptions: audit all access except when connected by …

  • Extensible Syntax: add context data such as realms, labels and application context



Create Custom Audit Policies
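A custom audit policy that puts the slide's five properties together, as an added example that is not from the slides. Table HR.SALARIES, the application account HR_APP and the batch account HR_BATCH are assumed names.

```sql
-- Added example (not from the slides). Assumed objects: table HR.SALARIES,
-- an application server account HR_APP and a nightly batch account HR_BATCH.

-- Policy based: privileges and object actions audited as one named group.
CREATE AUDIT POLICY hr_salary_policy
  PRIVILEGES SELECT ANY TABLE, UPDATE ANY TABLE
  ACTIONS    SELECT ON hr.salaries, UPDATE ON hr.salaries, DELETE ON hr.salaries
  -- Conditional: record only access that does not arrive through the
  -- application account, i.e. direct connections by people or scripts,
  -- which is the anomaly worth seeing. Evaluated once per session.
  WHEN 'SYS_CONTEXT(''USERENV'',''SESSION_USER'') <> ''HR_APP'''
  EVALUATE PER SESSION;

-- User exceptions: enable the policy for everyone except the batch account.
-- Without WHENEVER, both successful and failed statements are recorded.
AUDIT POLICY hr_salary_policy EXCEPT hr_batch;

-- Extensible syntax: capture context attributes with every audit record;
-- they surface in the APPLICATION_CONTEXTS column of the trail.
AUDIT CONTEXT NAMESPACE userenv ATTRIBUTES client_program_name, ip_address;

-- Review: the unified trail names the policy that produced each record.
SELECT event_timestamp, dbusername, action_name, object_schema, object_name,
       return_code, application_contexts, sql_text
  FROM unified_audit_trail
 WHERE unified_audit_policies LIKE '%HR_SALARY_POLICY%'
 ORDER BY event_timestamp DESC;
```

Because the condition keys on SESSION_USER, a person who logs in with the application's own credentials is not audited by this policy; pair it with the privileged-user controls later in the deck (no shared accounts, Database Vault realms) rather than relying on the condition alone.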


Introducing Real Application Security


HR Application Security Requirements

  • Employees can view public information. The public page contains basic employee information, and users in the Employee role can view the public record.

  • An employee can view his own record and update his contact information.

  • A manager can view the salaries of his organization.

  • An HR representative can view employee SSNs.


Real Application Security

Diagram (text recovered from the slide): today the CRM Application and the HR Application each carry their own business logic, security policy, and users and roles, and reach the database over a shared, all-powerful connection, so direct access to the data is uncontrolled. With Real Application Security, users and roles move into the database's identity/policy store, applications use lightweight sessions, and security is enforced on direct connections as well.


Enhancements to Security Features


Performance Leap for Security Features

Eliminating Performance as an Issue

* On Developer machine; Formal performance tests TBD

** With hardware acceleration on Intel or Oracle SPARC



Cryptographic Enhancements

  • SHA-512 for Password verifiers, Certificate signatures, DBMS_CRYPTO

  • Cryptographic hardware acceleration

    • Network encryption, DBMS_CRYPTO toolkit and other operations

    • Now on Windows, in addition to Linux and Solaris

  • FIPS 140 validation for cryptographic operations

  • Export/import/merge operations to move individual keys

  • Operations to migrate keys between wallet and HSM keystore



Oracle Database Vault

Mandatory Realm

  • Seal off access to sensitive data even when emergency access is given to application DBA or support analyst

  • Freeze all security settings identified by Privilege Analysis: roles, grants, …

  • Single command to enable Database Vault

Example statement from the slide: select * from finance.cust


Privileged User Controls

  • Strong password policies, prohibit account sharing

  • Least privilege analysis for privileged users

  • Separation of duty with task specific roles

    • Multi-factor authorization controls

    • Multi-factor conditional and exception based auditing

    • Audit top level and recursive SQL statements

    • Database Vault Realms

  • Monitoring activities through Audit Vault and Database Firewall



Improving Database Security Posture

  • Out-of-the-box audit policies (Account Management, Security Configuration, Database Parameters)

    • Mandatory audit of audit administration

  • New roles for Audit Reviewer, Audit Administrator

  • New roles for Key Management, Backup, Data Guard

    • New Kerberos stack

  • Running Oracle Database as a Windows service



Building Secure Applications

  • Sensitive data discovery, Least privilege analysis

    • Multi-factor authorization, auditing, and redaction

  • Virtual Private Database for row/column security

  • Label based access control

  • Secure Application Context

  • Code-based access control (CBAC) associates privileges with code

  • Real Application Security



Enterprise Manager Security Console

Simplified Management

  • Centralized Console

  • Events and alerts

  • Policy management

  • Step-by-step

  • Create by examples

  • Format libraries



Discover Sensitive Data

Administrative Control

  • Scan databases for sensitive data

  • Create and maintain application data models

  • Encrypt, redact, mask, audit…


Securely Provisioning Test Systems

Mask Sensitive Data for Test/Dev.

  • Masking at source minimizes sensitive data exposure

  • Application Masking Templates

    • E-Business Suite 12.1.3

    • Fusion Applications

    • PeopleSoft (planned with PTools 8.5.3)

  • Self-updated masking templates

    • EM store @ Oracle

Diagram (text recovered from the slide): Before, production data was copied to test as-is. New: production is cloned and masked at source, producing a subsetted and masked Data Pump file that is loaded into test (At-Source Masking).


Oracle Database Security Solutions

Maximum Security for Critical Data Infrastructure

PREVENTIVE

  • Encryption

  • Redaction and Masking

  • Multi-Factor Authorization

DETECTIVE

  • Activity Monitoring

  • Database Firewall

  • Auditing and Reporting

ADMINISTRATIVE

  • Database Lifecycle Management

  • Data Discovery and Classification

  • Vulnerability Scanning



Oracle Database Security

Key Benefits

Security and Compliance

Enterprise Ready

Simple and Flexible

Speed and Scale

