Oracle Database Security Solutions
Eric Cheung, Senior Manager, Technology Sales Consulting
[email protected]
May 2008
Key Drivers for Data Security

Privacy and Compliance
• Sarbanes-Oxley (SOX), J-SOX, GLBA
• Payment Card Industry (PCI)
• HIPAA, EU Privacy Directives
• Breach Disclosure Laws
• COSO, COBIT frameworks
• Separation of duty, proof of compliance, risk assessment and monitoring

Insider / External Threats
• A large percentage of threats go undetected
• Outsourcing and off-shoring trend
• Customers want to monitor insiders and DBAs
Oracle Database Security: Continuous Innovation (timeline by release)
• Oracle7: Native Network Encryption, Database Auditing (Government customer)
• Oracle8i: Virtual Private Database (VPD), Database Encryption API, Strong Authentication
• Oracle Database 9i: Fine Grained Auditing, Oracle Label Security, Enterprise User Security
• Oracle Database 10g: Oracle Audit Vault, Oracle Database Vault, Transparent Data Encryption (TDE), Real Time Masking, Secure Config Scanning
• Oracle Database 11g: Data Masking, TDE Tablespace Encryption, Oracle Total Recall
Database Security Challenges
• Data Privacy and Regulatory Compliance
• Protecting Access to Application Data
• Database Monitoring
• De-Identifying Information for Sharing
• Data Encryption
• Data Classification
Oracle Database Security Solutions for Privacy and Compliance
• Database Vault
• Advanced Security
• Configuration Management
• Secure Backup
• Total Recall
• Label Security
• Audit Vault
• Data Masking
Oracle Database Vault: Highly Privileged User Controls
• Compliance and protection from insiders: a database DBA issuing SELECT * FROM HR.EMP is stopped by the HR Realm, which admits only the HR application
• Eliminates security risks from server consolidation: the HR application owner attempting to view Finance data is stopped by the FIN Realm, which admits only the FIN application
Oracle Database Vault: Real Time Access Controls
• A CONNECT by the HR application user from an unexpected IP address is refused
• A CREATE statement by the FIN application DBA is permitted only during business hours
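The realm and the two real-time checks on the preceding slides, written out as an added example (not from the deck) against the Database Vault administrative API as shipped with 10gR2/11gR1; the schema HR, the account HR_APP, the address range and the hours are constructed.

```sql
-- Run as the Database Vault owner (DV_OWNER role), not as DBA or SYSDBA.
BEGIN
  -- Realm around the HR schema: system privileges such as SELECT ANY TABLE
  -- no longer reach HR.EMP, so the DBA's SELECT * FROM HR.EMP is refused.
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'HR Realm',
    description   => 'Protects HR application data from privileged users',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);
  DBMS_MACADM.ADD_OBJECT_TO_REALM(realm_name => 'HR Realm',
    object_owner => 'HR', object_name => '%', object_type => '%');
  -- Only the HR application account (constructed name) is authorized inside.
  DBMS_MACADM.ADD_AUTH_TO_REALM(realm_name => 'HR Realm', grantee => 'HR_APP',
    rule_set_name => NULL, auth_options => DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);

  -- Rules apply to HR_APP only; any other session passes them trivially.
  DBMS_MACADM.CREATE_RULE(rule_name => 'HR app from app tier',
    rule_expr => 'SYS_CONTEXT(''USERENV'',''SESSION_USER'') <> ''HR_APP'' OR '
              || 'SYS_CONTEXT(''USERENV'',''IP_ADDRESS'') LIKE ''10.1.2.%''');
  DBMS_MACADM.CREATE_RULE(rule_name => 'HR app in business hours',
    rule_expr => 'SYS_CONTEXT(''USERENV'',''SESSION_USER'') <> ''HR_APP'' OR '
              || 'TO_NUMBER(TO_CHAR(SYSDATE,''HH24'')) BETWEEN 8 AND 18');
  DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'HR app connections',
    description     => 'HR_APP only from the app tier during business hours',
    enabled         => DBMS_MACUTL.G_YES,
    eval_options    => DBMS_MACUTL.G_RULESET_EVAL_ALL,   -- every rule must hold
    audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_FAIL, -- record refused attempts
    fail_options    => DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => 'Connection outside approved address range or hours',
    fail_code       => 20001,
    handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);
  DBMS_MACADM.ADD_RULE_TO_RULE_SET(rule_set_name => 'HR app connections',
    rule_name => 'HR app from app tier');
  DBMS_MACADM.ADD_RULE_TO_RULE_SET(rule_set_name => 'HR app connections',
    rule_name => 'HR app in business hours');

  -- CONNECT command rule: every login is evaluated against the rule set.
  DBMS_MACADM.CREATE_COMMAND_RULE(command => 'CONNECT',
    rule_set_name => 'HR app connections', object_owner => '%',
    object_name => '%', enabled => DBMS_MACUTL.G_YES);
END;
/
-- Refused realm accesses and rule-set failures land in the Database Vault audit trail.
SELECT username, action_name, action_object_name, returncode
  FROM dvsys.audit_trail$ ORDER BY timestamp DESC;
```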
Oracle Database Vault: Separation of Duty
• Account management: Database Vault overrides all existing administration privileges for creating new accounts
• Security administration: Database Vault administration is done using an administration account separate from DBA or SYSDBA
• Traditional database administration: traditional administrative tasks are separate from account management and security administration
Major Financial Services Company Use Case
• Control privileged users: prevent DBAs from accessing sensitive data in realms; set up multiple levels of DBAs
• Control access based upon environmental factors: restrict the hostnames authorized to access the DB; control access based on geography
• Control use of ad-hoc query tools and enforce maintenance periods: restrict connections by ad-hoc query tools to maintenance times or specific users
• Control patching activity: patching requires another monitoring user to be logged in
• Control unauthorized database changes
Oracle Database Vault: Application Certification
• PeopleSoft
• E-Business Suite
• Siebel
• Oracle Content DB
• Oracle Internet Directory
Oracle Advanced Security: Transparent Data Encryption
• Protect application data: easily encrypt sensitive data; protect entire application tables or specific data (credit card); no changes to existing applications
• Built-in key management: keys automatically generated and managed; integrates with Hardware Security Modules (HSM)
[Figure: a clear-text value (75000) is transparently encrypted when written and transparently decrypted when read]

Transparent Data Encryption: Point-And-Click Deployment (screenshot slide)
Oracle Advanced Security: Encrypting Columns
• Encrypt a column in an existing table:
    alter table credit_rating modify (person_id encrypt);
• Create a new table with an encrypted column:
    create table orders (
      order_id    number(12),
      customer_id number(12),
      credit_card varchar2(16) encrypt);
  Note: the default algorithm is AES 192.
Oracle Advanced Security: Encrypting Tablespaces
• Create a new tablespace with the keyword "Encrypt":
    CREATE TABLESPACE securespace2
      DATAFILE '/home/user/oradata/secure01.dbf' SIZE 150M
      ENCRYPTION
      DEFAULT STORAGE(ENCRYPT);
  Note: the default algorithm is AES 128.
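The column and tablespace encryption steps above only work once a master key exists and the wallet is open; this added example (not from the deck) shows the full sequence with 11g syntax and the dictionary views that confirm what is actually encrypted. The wallet password, table and tablespace names are constructed.

```sql
-- 1. Create the master key once; this also creates the PKCS#12 wallet at the
--    location named by ENCRYPTION_WALLET_LOCATION in sqlnet.ora. Security DBA task.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "wallet-password-placeholder";

-- After an instance restart the wallet is closed: encrypted columns and
-- tablespaces are unreadable until it is opened again (auto-login wallets
-- change this trade-off between availability and protection of the key).
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "wallet-password-placeholder";

-- 2. Column encryption. The default is AES192 with salt; NO SALT is required
--    when the column is indexed, at the cost of equal plaintexts encrypting equally.
CREATE TABLE orders (
  order_id    NUMBER(12),
  customer_id NUMBER(12),
  credit_card VARCHAR2(16) ENCRYPT USING 'AES256' NO SALT
);

-- 3. Tablespace encryption (11g): everything stored in it is encrypted,
--    including indexes and temporary segments; default algorithm AES128.
CREATE TABLESPACE securespace2
  DATAFILE '/home/user/oradata/secure01.dbf' SIZE 150M
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

-- 4. Verify: which columns, which tablespaces, and is the wallet open?
SELECT owner, table_name, column_name, encryption_alg, salt
  FROM dba_encrypted_columns;
SELECT t.name, e.encryptionalg, e.encryptedts
  FROM v$encrypted_tablespaces e JOIN v$tablespace t ON t.ts# = e.ts#;
SELECT wrl_type, status FROM v$encryption_wallet;   -- STATUS should be OPEN
```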
Oracle Advanced Security: Key Management Architecture
• The Oracle data dictionary stores the column keys, encrypted using the master key
• The master key is stored in a PKCS#12 wallet
• The security DBA opens the wallet containing the master key
• Transparent Data Encryption then serves application users: FIN application data is encrypted using the FIN column key, HR application data using the HR column key
Oracle Advanced Security: Key Management Architecture with HSM
• The Oracle data dictionary stores the column keys, encrypted using the master key
• The master key is stored in the HSM
• The security DBA opens the wallet containing the master key
• Transparent Data Encryption then serves application users: FIN application data is encrypted using the FIN column key, HR application data using the HR column key
Oracle Secure Backup: Integrated Tape Backup Management
• Improved security and manageability: backup encryption for file systems added; automated backup of the OSB catalog; policy-based migration from Virtual Tape Library (VTL) to tape
• Advanced media management: vaulting provides automatic rotation of tapes between multiple locations; tape duplication based on policies; Sun StorageTek ACSLS support
• Improved performance: no backup (and no reads) of committed undo
• Centralized tape backup management: Oracle databases (integration with RMAN) and file system data on UNIX, Windows, Linux and NAS are backed up to tape
Oracle Label Security: Access Control by Data Classification
• Additional access control check: the database first verifies that the requestor has table privileges (select, update, insert, ...); Label Security then mediates additional access based on the sensitivity assigned to the data or operation
• Specialized security solution
• Components: user label authorizations, data labels, special user privileges, enforcement options
[Figure: rows labelled Highly Sensitive, Sensitive and Confidential; a user whose label authorization ("security clearance") is Sensitive sees the Sensitive and Confidential rows but not the Highly Sensitive ones]
Sensitivity Label Components: More Than Just Levels
• Sensitivity level (exactly one, ordered): Highly Sensitive, Sensitive, Confidential. Example label: Sensitive
• Plus zero or more compartments: HR, PII, FIN, LEGAL. Example label: Sensitive : HR
• Plus zero or more groups: US, Europe, Global. Example label: Sensitive : HR : US
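To make the three label components concrete, this added example (not from the deck) builds the "Sensitive : HR : US" label with the Label Security PL/SQL packages, applies the policy to HR.EMP and gives one user a clearance; the policy name HR_POL, the user HR_REP and the DEPARTMENT column are constructed.

```sql
-- Run as LBACSYS (or a holder of the HR_POL_DBA role once the policy exists).
BEGIN
  SA_SYSDBA.CREATE_POLICY(
    policy_name     => 'HR_POL',
    column_name     => 'HR_LABEL',   -- label column added to protected tables
    default_options => 'READ_CONTROL,WRITE_CONTROL,LABEL_DEFAULT');

  -- Levels are ordered: a higher number dominates a lower one.
  SA_COMPONENTS.CREATE_LEVEL('HR_POL', 1000, 'C',  'Confidential');
  SA_COMPONENTS.CREATE_LEVEL('HR_POL', 2000, 'S',  'Sensitive');
  SA_COMPONENTS.CREATE_LEVEL('HR_POL', 3000, 'HS', 'Highly Sensitive');

  -- Compartments are unordered: a reader must hold every compartment
  -- present in the data label.
  SA_COMPONENTS.CREATE_COMPARTMENT('HR_POL', 10, 'HR',  'Human Resources');
  SA_COMPONENTS.CREATE_COMPARTMENT('HR_POL', 20, 'PII', 'Personal data');

  -- Groups are hierarchical: holding the parent implies its children.
  SA_COMPONENTS.CREATE_GROUP('HR_POL', 100, 'GLOBAL', 'Global');
  SA_COMPONENTS.CREATE_GROUP('HR_POL', 110, 'US', 'United States', 'GLOBAL');
  SA_COMPONENTS.CREATE_GROUP('HR_POL', 120, 'EU', 'Europe',        'GLOBAL');

  -- Protect HR.EMP: reads and writes are mediated by the label column.
  SA_POLICY_ADMIN.APPLY_TABLE_POLICY(
    policy_name   => 'HR_POL',
    schema_name   => 'HR',
    table_name    => 'EMP',
    table_options => 'READ_CONTROL,WRITE_CONTROL,LABEL_DEFAULT');

  -- User clearance: at most Sensitive, compartment HR, group US.
  -- A row labelled S:HR:US is readable; S:HR,PII:US (missing PII) and
  -- HS:HR:US (level too high) are not, whatever table privileges the user has.
  SA_USER_ADMIN.SET_USER_LABELS(
    policy_name    => 'HR_POL',
    user_name      => 'HR_REP',
    max_read_label => 'S:HR:US');
END;
/
-- Label existing rows; CHAR_TO_LABEL resolves the text form to the label tag.
UPDATE hr.emp SET hr_label = CHAR_TO_LABEL('HR_POL', 'S:HR:US')
 WHERE department = 'HR_US';
```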
Oracle Enterprise Manager (screenshot slide)
Oracle Label Security: Flexible Policy Model

Policy          | Levels                                                            | Compartments                                       | Groups
HR Policy       | Level 1 Confidential, Level 2 Sensitive, Level 3 Highly Sensitive | PII Data                                           | HR REP, Senior HR REP
Law Enforcement | Confidential, Secret, Top Secret                                  | Investigation, Internal Affairs, Drug Enforcement  | Local Jurisdiction, FBI, Justice
Government      | (not shown in the extracted text)                                 | Desert Storm, Border Protection                    | NATO, Homeland Security
Oracle Label Security: Additional Use Cases
• Embed in Database Vault command rules: compare label authorization in command rules for separation-of-duty customization
• Embed in data masking decisions: use with VPD column real-time data masking to decide whether to NULL out PII data returned in a query
• Note application users' current working label authorization on information portals
Off-Line Data Masking (Oracle Enterprise Manager)
• Automates production data masking: easily mask existing application data; no impact on the production database
• Built-in data relationship discovery: use foreign key definitions; define custom data relationships

Production Database                  Cloned Database (masked)
LAST_NAME  SSN          SALARY       LAST_NAME   SSN          SALARY
AGUILAR    203-33-3234  40,000       ANSKEKSL    111-23-1111  40,000
BENSON     323-22-2943  60,000       BKJHHEIEDK  111-34-1345  60,000
Real-Time Data Masking: Virtual Private Database Masking
• Null out or clear table columns for all or specific table rows
• The application issues Select * from customers; the VPD policy appends the predicate
    where account_mgr_id = sys_context('APP','CURRENT_MGR');
[Figure: the APP.CUSTOMERS table with SSN and SALARY columns; rows belonging to other account managers are returned with those columns masked]
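The masking policy on the slide, implemented end to end as an added example (not from the deck): an application context that carries the current manager, the policy function returning the slide's predicate, and the DBMS_RLS call whose ALL_ROWS option turns row filtering into column masking. The context package, the CUSTOMERS columns and the manager id 42 are constructed.

```sql
-- Context namespace APP, set only through the trusted package named here.
CREATE OR REPLACE CONTEXT app USING app_ctx_pkg;

CREATE OR REPLACE PACKAGE app_ctx_pkg AS
  PROCEDURE set_mgr(p_mgr_id NUMBER);
END;
/
CREATE OR REPLACE PACKAGE BODY app_ctx_pkg AS
  PROCEDURE set_mgr(p_mgr_id NUMBER) IS
  BEGIN
    -- In production derive the id from the authenticated identity
    -- (e.g. SYS_CONTEXT('USERENV','SESSION_USER')), never from caller input.
    DBMS_SESSION.SET_CONTEXT('APP', 'CURRENT_MGR', TO_CHAR(p_mgr_id));
  END;
END;
/

-- Policy function: returns the predicate shown on the slide.
CREATE OR REPLACE FUNCTION cust_mask_policy(p_schema VARCHAR2, p_obj VARCHAR2)
  RETURN VARCHAR2 IS
BEGIN
  RETURN 'account_mgr_id = SYS_CONTEXT(''APP'',''CURRENT_MGR'')';
END;
/

-- ALL_ROWS makes this a masking policy: rows that fail the predicate are
-- still returned, but SSN and SALARY come back as NULL. Without it the
-- same policy hides the rows entirely (row-level security, not masking).
-- Column masking applies to SELECT only; UPDATE/DELETE keep row filtering.
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema         => 'APP',
    object_name           => 'CUSTOMERS',
    policy_name           => 'MASK_SSN_SALARY',
    function_schema       => 'APP',
    policy_function       => 'CUST_MASK_POLICY',
    statement_types       => 'SELECT',
    sec_relevant_cols     => 'SSN,SALARY',
    sec_relevant_cols_opt => DBMS_RLS.ALL_ROWS);
END;
/

-- SQL*Plus session for manager 42: all customers listed, SSN/SALARY visible
-- only where account_mgr_id = 42.
EXEC app_ctx_pkg.set_mgr(42);
SELECT cust_id, account_mgr_id, ssn, salary FROM app.customers;
```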
Auditing in the Oracle Database: Robust, Flexible, and High Fidelity Audit
• Industry's most advanced
  • Statement: audit DDL / DML based on statement type or schema object
  • Privilege: audit statements that use system privileges
  • Specific user or group of users
• Fine grained auditing (Oracle9i): Enterprise Edition conditional auditing feature; select statements only in Oracle9i; update, insert and delete statements added in Oracle Database 10g
• Flexible: audit table and OS file destinations (OS is the most performant); supports XML format; Windows event viewer and SYSLOG
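The three audit mechanisms above side by side, as an added example (not from the deck): the trail destination, statement/privilege/user auditing, and a fine-grained policy that fires only on a condition, followed by the views where each kind of record lands. The HR.EMP table, the salary threshold and the user name DBA_USER are constructed.

```sql
-- Destination: database trail with SQL text and bind values captured.
-- OS writes files; XML,EXTENDED is the XML format the slide mentions.
ALTER SYSTEM SET audit_trail = DB, EXTENDED SCOPE = SPFILE;  -- restart needed

-- Standard auditing. BY ACCESS writes one record per statement rather than
-- one per session, which is what forensic reconstruction needs.
AUDIT SELECT ANY TABLE BY ACCESS;                 -- privilege: DBAs reading app data
AUDIT SELECT, UPDATE, DELETE ON hr.emp BY ACCESS; -- schema object
AUDIT CREATE SESSION BY dba_user BY ACCESS;       -- one named user

-- Fine-grained auditing (10g syntax): record only statements that touch
-- SALARY for rows above a threshold, for SELECT, UPDATE and DELETE.
BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema   => 'HR',
    object_name     => 'EMP',
    policy_name     => 'EMP_HIGH_SALARY_READS',
    audit_condition => 'SALARY > 100000',
    audit_column    => 'SALARY',
    statement_types => 'SELECT,UPDATE,DELETE',
    audit_trail     => DBMS_FGA.DB + DBMS_FGA.EXTENDED);
END;
/

-- Where the records land: standard trail versus FGA trail.
SELECT username, action_name, obj_name, timestamp
  FROM dba_audit_trail WHERE obj_name = 'EMP' ORDER BY timestamp DESC;
SELECT db_user, sql_text, timestamp
  FROM dba_fga_audit_trail WHERE policy_name = 'EMP_HIGH_SALARY_READS';
```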
Oracle Audit Vault: Protect Your Enterprise With Auditing
• Manage audit data: centrally secure audit data from Oracle databases; centrally manage Oracle database audit settings
• Detect suspicious activities: monitor database users, especially privileged users; alert on unauthorized activities
• Simplify compliance reporting: built-in compliance reports; define custom reports
[Figure: sources (Oracle Database 9i Release 2, 10g Release 1, 10g Release 2, 11g Release 1, and in future other sources and databases) feed the Audit Vault, which provides Secure, Monitor, Report and Enforce functions]
Audit Vault Reports: Out-of-the-box Audit Assessments and Custom Reports
• Out-of-the-box reports: privileged user activity; access to sensitive data; role grants, DDL activity
• Custom reports: published warehouse schema; use Oracle or 3rd party tools
• User-defined reports answer questions such as: What did privileged users do on the financial database? What did user 'A' do across multiple databases? Who accessed sensitive data?
Oracle Audit Vault: Manageability
• Audit Vault Dashboard: enterprise overview; alerts on audit events; drill-down reports; Audit Vault administration
• Audit Vault Policies: collection of audit settings for databases; provision database audit settings centrally for compliance policies; compare against existing audit settings on the source; demonstrate compliance with internal mandates
Oracle Audit Vault Repository: Scalable, Flexible and Secure
• Performance and scalability: scale to terabytes with partitioning; data warehouse enables business intelligence and analysis
• Security: separation of duty; privileged users can't modify audit data; data protected in transit from source to Audit Vault
Introducing Oracle Total Recall: Tamper-Resistant Real-Time Database Archiving
• Automated table "snapshots" record changes to data
• Complements auditing: who vs. what
• Optimized to minimize performance overhead
• Historical data can be retained as long as needed for regulatory compliance and forensic analysis
• Automatically prevents end users from changing historical data
• Seamless access to archived historical data: historical data is stored in the database for real-time access, in compressed form to minimize storage requirements
    select * from product_information
      AS OF TIMESTAMP TO_TIMESTAMP('02-MAY-05 12.00 AM', 'DD-MON-RR HH.MI AM')
      where product_id = 3060;
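The AS OF query above only reaches back as far as undo is retained unless the table has a flashback data archive; this added example (not from the deck) sets one up with 11g syntax, repeats the slide's query, and pulls every version of the row with the transaction id that ties the "what" back to the audit trail's "who". The archive and tablespace names are constructed.

```sql
-- Requires the FLASHBACK ARCHIVE ADMINISTER privilege. History rows are
-- compressed, cannot be modified by users, and are purged only by retention.
CREATE FLASHBACK ARCHIVE fda_compliance
  TABLESPACE fda_ts QUOTA 10G RETENTION 7 YEAR;

-- Start tracking the table (oe.product_information as on the slide).
ALTER TABLE oe.product_information FLASHBACK ARCHIVE fda_compliance;

-- Point-in-time view, now valid for the whole retention period.
SELECT product_id, list_price
  FROM oe.product_information
  AS OF TIMESTAMP TO_TIMESTAMP('02-MAY-2005 00:00:00', 'DD-MON-YYYY HH24:MI:SS')
 WHERE product_id = 3060;

-- Every version of the row in a window. VERSIONS_XID joins to
-- DBA_AUDIT_TRAIL.TRANSACTIONID, linking each value change to its user.
SELECT versions_starttime, versions_endtime, versions_operation,
       versions_xid, list_price
  FROM oe.product_information
  VERSIONS BETWEEN TIMESTAMP
    TO_TIMESTAMP('01-MAY-2005', 'DD-MON-YYYY') AND SYSTIMESTAMP
 WHERE product_id = 3060
 ORDER BY versions_starttime;

-- Inventory for an assessor: which tables are archived and for how long.
SELECT a.flashback_archive_name, a.retention_in_days, t.owner_name, t.table_name
  FROM dba_flashback_archive a
  JOIN dba_flashback_archive_tables t
    ON t.flashback_archive_name = a.flashback_archive_name;
```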
Tracking Compliance Over Time: Compliance Trend across the IT infrastructure (chart slide)
Example of Security Policy Rules (over 250 built-in policy rules)

Database Services
• Enable listener logging
• Password-protect listeners
• Disallow default listener name
• Ensure listener log file is valid and owned by Oracle
• Ensure listener host name is specified with IP

Host
• Detect open ports
• Detect insecure services
• Ensure NTFS file system type (Windows)

Database File Permissions
• Init.ora should have restricted file permissions
• Files in $OH/bin should be owned by Oracle
• Data files should be owned by Oracle

Database Profile/Configuration
• Default passwords
• Disallow access to objects by a fixed user link
• Disallow default tablespace set to SYSTEM
• Set password_grace_time
• Limit or deny access to DBMS_LOB
• Set password_reuse_max
• Avoid using utl_file_dir parameter

Application Server
• HTTPD has minimal privileges
• Use HTTP/S
• Apache logging should be on
• Demo applications disabled
• Disable default banner page
• Disable access to unused directories
• Disable directory indexing
• Forbid access to certain packages
• Disable packages not used by DAD owner
• Remove unused DAD configurations
• Password complexity enabled
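The Database Profile/Configuration rules above can each be checked (and two of them fixed) with dictionary queries; this added example (not from the deck) shows the fix for the two profile rules and one detection query per remaining rule, using 11g views. The profile name, its limits and the account HR_APP are constructed.

```sql
-- "Set password_grace_time" / "Set password_reuse_max": enforce via a profile.
CREATE PROFILE app_users LIMIT
  FAILED_LOGIN_ATTEMPTS 5
  PASSWORD_LIFE_TIME    90
  PASSWORD_GRACE_TIME   7
  PASSWORD_REUSE_MAX    10
  PASSWORD_REUSE_TIME   365;
ALTER USER hr_app PROFILE app_users;

-- "Default passwords": open accounts still using a well-known default (11g view).
SELECT d.username
  FROM dba_users_with_defpwd d JOIN dba_users u ON u.username = d.username
 WHERE u.account_status = 'OPEN';

-- "Disallow default tablespace set to SYSTEM".
SELECT username FROM dba_users
 WHERE default_tablespace = 'SYSTEM' AND username NOT IN ('SYS', 'SYSTEM');

-- "Avoid using utl_file_dir parameter": any value widens file access,
-- a value of '*' allows every OS directory.
SELECT name, value FROM v$parameter
 WHERE name = 'utl_file_dir' AND value IS NOT NULL;

-- "Limit or deny access to DBMS_LOB": who holds EXECUTE on it?
SELECT grantee FROM dba_tab_privs
 WHERE table_name = 'DBMS_LOB' AND privilege = 'EXECUTE';

-- "Disallow access to objects by a fixed user link": links that embed
-- a remote user name (and hence its stored credentials).
SELECT owner, db_link, username FROM dba_db_links WHERE username IS NOT NULL;
```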
Learn More
• Technology overview: visit oracle.com/database/security; view whitepapers and webinars; search http://search.oracle.com for "database security"
• Technical information, demos, software: visit OTN at otn.oracle.com -> Products -> Database -> Security and Compliance
Release Map of Security Products
[Table: releases across the top are Oracle 8i, Oracle Database 9iR1, 9iR2, 10g R1, 10g R2 and 11gR1; solutions down the side are Database Auditing, Network Encryption, Virtual Private Database, Label Security, Privileged User Controls, Enterprise User Security, Fine Grained Auditing, Client Identifier, EM Configuration Scanning, TDE Column Encryption, TDE Tablespace Encryption and EM Data Masking; the per-release availability marks did not survive extraction]
Data Masking is available starting with EM 10.2.0.4 and works against Oracle Database 9.2 and higher databases.