Oracle Database Security
Transcription
Oracle Database Security
The new line of defense for complete security of your database

Agenda
• Oracle & Security Solutions
• DB Security
  • Monitoring & Blocking
  • Auditing
  • Access Control
  • Encryption & Masking
• Summary
• Q&A

More and more data...
Two thirds of sensitive and regulated data resides in databases, and the volume doubles every year: the chart projects growth from 2006 to 1,800 exabytes in 2011 (source: IDC, 2008).

More and more exposed...
Chart: publicly reported data breaches, 2005 to 2009, total personally identifying information records exposed (millions), rising every year (source: DataLossDB). Once exposed, the data is out there; the bell can't be un-rung. Remediation cost exceeds $300 per record.
Copyright © 2010, Oracle. All rights reserved

More and more risks...
• Data theft
• Insider threats
• Industrial espionage
• Breaches up 630% from 2005 to today (source: DataLossDB, 2009)

More and more regulations... local / international / industry-specific
UK/PRO, PIPEDA, Sarbanes-Oxley, EU Data Directives, GLBA, PCI, Breach Disclosure, Basel II, FISMA, Euro SOX, HIPAA, K SOX, J SOX, ISO 17799, SAS 70, COBIT, AUS/PRO
90% of companies are NOT compliant (source: IT Policy Compliance Group, 2007).

Where Do Losses Come From?
92% of records came from compromised databases (2010 Data Breach Investigations Report).

Top Attack Techniques
Chart: % of breaches and % of records per technique (2010 Data Breach Investigations Report). Most records are lost through "Stolen Credentials" and "SQL Injection".

Existing Security Solutions Are Not Enough
Threats: key loggers, malware, phishing, SQL injection, botware, espionage, social engineering. They arrive through every layer: web users, application users, the application, the database, administrators. Data must be protected in depth.

Oracle Security
Database Security
• Encryption and Masking
• Privileged User Controls
• Multi-Factor Authorization
• Activity Monitoring and Audit
• Secure Configuration
Identity Management
• User Provisioning
• Role Management
• IdM & Access Governance
• Entitlements Management
• Risk-Based Access Control
• Virtual Directories
Information Rights Management
• Centralized document access control
• Digital shredding
• Document Activity Monitoring and Audit

Oracle Security – DB Security
This session focuses on the Database Security pillar (Encryption and Masking, Privileged User Controls, Multi-Factor Authorization, Activity Monitoring and Audit, Secure Configuration); Identity Management and Information Rights Management are the other two pillars.

Oracle Database Security Solutions
Encryption and Masking
• Oracle Advanced Security
• Oracle Secure Backup
• Oracle Data Masking
Access Control
• Oracle Database Vault
• Oracle Label Security
Auditing and Monitoring
• Oracle Audit Vault
• Oracle Configuration Management
• Oracle Total Recall
Blocking and Logging
• Oracle Database Firewall

Oracle Database Security Solutions
• Monitor and block threats before they reach databases
• Track changes and audit database activity
• Control access to data within the database
• Prevent access by non-database users
• Remove sensitive data from non-production environments
Monitoring & Blocking: Database Firewall
Auditing: Audit Vault, Total Recall, Configuration Management
Access Control: Database Vault, Label Security, Identity Management
Encryption & Masking: Advanced Security, Secure Backup, Data Masking

Oracle Database Firewall – First Line of Defense
Applications → Database Firewall (Allow / Log / Alert / Substitute / Block) → databases; outputs: alerts, built-in reports, custom reports, policies.
• Monitors database activity to prevent unauthorized database access, SQL injection, privilege or role escalation, illegal access to sensitive data, etc.
• Highly accurate SQL grammar-based analysis provides zero-day protection without false positives, and flexible enforcement options
• Scalable architecture provides enterprise performance in all deployment modes
• Built-in and custom compliance reports for SOX, PCI and other regulations

Oracle Database Firewall – Positive Security Model (White List)
• "Allowed" behavior can be defined for any user or application
• The whitelist can take into account built-in factors such as time of day, day of week, network, application, etc.
• Whitelists can be generated automatically for any application
• Transactions that do not match the policy are rejected instantly
• The database will only process data the way you want and expect

Oracle Database Firewall – Negative Security Model (Black List)
• Stop specific unwanted SQL commands, user or schema access
• Prevent privilege or role escalation and unauthorized access to sensitive data
• The blacklist can take into account built-in factors such as time of day, day of week, network, application, etc.
• Selectively block any part of a transaction, in the context of your business and security goals

Oracle Database Firewall – Policy Enforcement
Applications → Database Firewall → database. Each SQL statement receives one of the enforcement actions Log, Allow, Alert, Substitute or Block. In the slide's example, SELECT * FROM accounts is substituted on the wire with SELECT * FROM dual WHERE 1=0, so the sender receives an empty, well-formed result instead of an error that would reveal the block.
• Innovative SQL grammar technology reduces millions of SQL statements to a small number of SQL characteristics or "clusters"
• Superior performance and policy scalability
• Flexible enforcement at the SQL level: block, substitute, alert and pass, log only
• SQL substitution foils attackers without disrupting applications
• Zero-day protection without false positives

Oracle Database Firewall – Accuracy
Why is understanding SQL critical? SQL is a language with about 400 keywords and a strict grammar (the ISO SQL specification runs to 1500+ pages):

SELECT id, username, password, account_no FROM tbl_users WHERE username = 'Bill' AND account_no BETWEEN 1001000 AND 1001012;

(the slide colour-codes keywords, operators, schema identifiers and data values)

Unless the grammar and structure of the language are known, errors are made when analysing SQL. The slide's second example is a harmless update whose string literal contains the words "between", "where" and "select"; a matcher that does not parse literals sees keywords where there are none:

UPDATE tbl_users SET comments = 'The user has asked for another account_no, and wishes to be billed for services between 1/2/2009 and 2/2/2009, and wants to know where the invoice should be sent to. She will select the new service level agreement to run from 3/7/2009 next month' WHERE id = 'A15431029';

Oracle Database Firewall – Data Masking
• Prevents creating yet another database full of sensitive and regulated data
• Sensitive and regulated information contained in SQL statements can be masked or redacted in real time before being logged
• Flexible masking policies allow masking all data or just specific columns
• Critical for organizations that want to monitor and log all database activity

Oracle Database Firewall – Policy Analyzer
Policy Analyzer allows the creation of rich policies. A policy is made up of one or more of the following settings:
• White list "clusters"
• SQL type (e.g. DML, DDL, DCL, etc.)
• Schema
• Username (DB and OS)
• Timeslice (hours and days of week)
• Client type (program name)
• Client IP address
• Exceptions to the policy
• Login and logout
• Invalid SQL

Oracle Database Firewall – Reporting
• Database Firewall log data is consolidated into a reporting database
• Over 130 built-in reports that can be modified and customized
• Entitlements reporting for database attestation and audit
• Database activity and privileged user reports
• Supports demonstrating PCI, SOX, HIPAA/HITECH, etc. controls

Oracle Database Firewall – User Role Auditing
• Entitlement reports
  • User names
  • User roles and privileges
  • Last changed, changed by whom and when
• Automated and transparent
  • User role auditing can be run ad hoc or scheduled
  • Reports on user roles and privileges
  • Deltas since the last report
• Workflow
  • Changes can be marked as "accepted" or "refused"

Oracle Database Firewall – Stored Procedure Auditing
• Stored procedure contents
  • It is not enough to know that a procedure was run; it is important to know what SQL is executed when the procedure is called.
• Stored procedure reports
  • Name
  • Content
  • Threat rating (injection risk, system tables, etc.)
  • Stored procedure type (DML, DDL, DCL, SELECT, etc.)
  • Last changed, changed by whom and when
• Automated and transparent
  • Stored procedure audit can be run ad hoc or scheduled
• Workflow
  • Changes can be marked as "accepted" or "refused"

Oracle Database Firewall – Basic Components
• Database Firewall (optionally in HA mode): blocks unauthorized traffic, monitors access
• Database Firewall Management Server: firewall management, policy management; reports and archive repository; alerts and integration
• Policy Analyzer: creates security policies; runs on a Windows desktop
• Remote/Local Monitor: forwards network traffic to the firewall

Oracle Database Firewall – How the F5 BIG-IP ASM Integration Works
Web traffic is secured with BIG-IP ASM, and database traffic with Oracle Database Firewall. When a user logs into an application, BIG-IP passes their identity to Oracle Database Firewall through an iRule. The transaction takes place; then the full context of the attack is sent to Oracle Database Firewall, and the user identity is associated with the attack in reports, based on the session and the ASM cookie.
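The following Oracle SQL is an added example, not Oracle's Database Firewall code and only a crude approximation of its grammar-based engine. It illustrates the "clustering" idea from the Policy Enforcement and Accuracy slides above: each statement is reduced to a signature by replacing its literals with placeholders, string literals first so that keywords inside them are never seen, and the signature is then matched against a whitelist. The table and column names, the sample statements (which include a classic tautology injection) and the whitelist are assumptions constructed for the example.

```sql
-- Added example: literal-aware "clustering" of SQL text, then whitelist matching.
-- Assumed table/column names and a constructed whitelist; not Oracle Database Firewall's own logic.
WITH incoming (id, stmt) AS (
  SELECT 1, q'[SELECT id, username, password, account_no FROM tbl_users WHERE username = 'Bill' AND account_no BETWEEN 1001000 AND 1001012]' FROM dual UNION ALL
  SELECT 2, q'[SELECT id, username, password, account_no FROM tbl_users WHERE username = 'Eve' AND account_no BETWEEN 1 AND 99999999]' FROM dual UNION ALL
  -- the deck's "harmless update": the literal contains the words select, between and where
  SELECT 3, q'[UPDATE tbl_users SET comments = 'She will select the new service level agreement to run between 3/7/2009 and 4/7/2009, where applicable' WHERE id = 'A15431029']' FROM dual UNION ALL
  -- constructed tautology injection: same shape as statement 1 until the literal is closed early
  SELECT 4, q'[SELECT id, username, password, account_no FROM tbl_users WHERE username = 'x' OR 1=1 --']' FROM dual
),
clustered AS (
  SELECT id,
         stmt,
         REGEXP_REPLACE(
           -- 1. string literals ('...' with '' as an escaped quote) become :s, so nothing inside them is parsed
           REGEXP_REPLACE(stmt, q'{'([^']|'')*'}', ':s'),
           -- 2. bare numeric literals (not digits inside identifiers) become :n
           '(^|[^[:alnum:]_])[[:digit:]]+', '\1:n') AS cluster_sig
  FROM incoming
),
-- Whitelist of clusters the application is known to issue (constructed for the example; the
-- product learns these from observed traffic). Anything else is rejected: positive security model.
whitelist (cluster_sig) AS (
  SELECT 'SELECT id, username, password, account_no FROM tbl_users WHERE username = :s AND account_no BETWEEN :n AND :n' FROM dual UNION ALL
  SELECT 'UPDATE tbl_users SET comments = :s WHERE id = :s' FROM dual
)
SELECT c.id,
       c.cluster_sig,
       CASE WHEN w.cluster_sig IS NOT NULL THEN 'ALLOW' ELSE 'BLOCK' END AS decision
FROM   clustered c
       LEFT JOIN whitelist w ON w.cluster_sig = c.cluster_sig
ORDER  BY c.id;
```

Statements 1 and 2 collapse to the same cluster whatever values they carry, statement 3 clusters to the UPDATE signature because its literal is consumed before any keyword matching happens, and statement 4 produces a signature with `OR :n=:n` that no whitelisted cluster has, which is the point of whitelisting shapes rather than values. The toy ignores case, whitespace, comments (`--`, `/* */`), hex and date literals and bind variables, all of which a real engine must parse; it is meant only to show why literal-aware analysis comes before pattern matching.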
Oracle Database Firewall and F5 ASM Reporting
The Oracle Database Firewall event summary shows database and web events together. Database Firewall event details: client IP address (212.103.224.99 in the screenshot), secured database, DB user (app_001), SQL query, security policy, threat severity and the action taken (Allow). BIG-IP ASM event details: web user name, category of attack, attack confirmation, parameter and attack string, full HTTP request, and a hyperlink back to BIG-IP forensics.

Oracle Audit Vault
Centralization and automation of audit activity, with reporting
Databases (HR data, CRM data, ERP data) → audit data → Audit Vault → alerts, built-in reports, custom reports, policies → auditor
• Consolidation of audit data into a central, secure repository (protected by Database Vault)
• Detection of, and alerting on, suspicious activity
• Ready-to-use compliance reporting
• Centralized management of audit rules

Oracle Total Recall
Secure tracking of historical data

select salary from emp AS OF TIMESTAMP '02-MAY-09 12.00 AM' where emp.title = 'admin'

• Tracks data changes transparently to applications
• Efficient and protected storage of the archives
• Real-time access to historical data
• For error correction and compliance

Oracle Configuration Management
Secure your database environment
Lifecycle: Discover → Classify → Assess → Prioritize → Fix → Monitor, backed by asset management, policy management, vulnerability management, configuration management & audit, and analysis & analytics.
• Discover and classify databases into policy groups
• Scan databases against 400+ best practices and industry standards, plus custom enterprise-specific configuration policies
• Detect, and even prevent, unauthorized database configuration changes
• Change management dashboards and compliance reports

Oracle Database Vault
Separation of duties and regulation of administrator activity
Diagram: a Procurement DBA issuing select * from finance.customers against a consolidated database that hosts the Procurement, HR and Finance applications; this is the cross-application access that Database Vault is designed to stop.
• Implements separation of roles/duties between the DBA and the security administrator
• Limits the power of users holding system-management privileges, and relieves them of responsibility for the data
• Allows data from different applications to be consolidated securely
• Applications do NOT need to be modified

Oracle Database Vault
Rule-based "multi-factor" access control
Diagram: Procurement, HR and Rebates data reached only through the application.
• Protects data by preventing the application from being bypassed
• Prevents use of and access to data by unauthorized users, from unsuitable locations, at improper times and through the wrong methods, by applying rules and factors

Oracle Label Security
Data classification with access control
Diagram: transactions labeled Sensitive, report data labeled Confidential, reports labeled Public; users cleared to Confidential or Sensitive see correspondingly more rows.
• Classification of users and data through a hidden "label" column
• The database enforces access control at row level (as a filter)
• Each label can contain several criteria for evaluating access (security level, department, group)
• Integrated with Oracle Identity Management Suite for classifying users
• Label Security 11g has been certified Common Criteria (CC) EAL4+

Enterprise User Security
LDAP / MS AD based management of users and privileges
How EUS works: a user logs on to Oracle DB1 or Oracle DB2 as an enterprise user (from sqlplus, or from PL/SQL or Java programs) with a password, SSL or Kerberos; the database redirects the login lookup to Oracle Directory Services (Oracle Internet Directory or another LDAP), with or without SSL, and maps the directory entry to a global user with global roles.

Enterprise User Security (EUS)
• Centralized user management
  • User accounts centralized in Oracle Internet Directory (OID) or another LDAP
  • Map directory users to shared database schemas
  • Audit with end-user identity
• Centralized role management (HR database, Financial database and Customer database all using EUS)
  • Map enterprise roles to database global roles
  • Enterprise roles mapped into directory groups
• Directory support
  • Oracle Internet Directory (OID)
  • Other LDAP directories through Oracle Virtual Directory (OVD)
• Authentication methods
  • Password, Kerberos (Microsoft, MIT), PKI (X.509v3)

Oracle Directory Services
Screenshots: EUS with OID and password authentication; OVD – EUS password integration.

Oracle Advanced Security Overview
• Transparent Data Encryption (TDE)
  • Transparently encrypt data at rest in the database
  • Built-in key management
  • Encrypt database backups
  • Encrypt Oracle Data Pump exports
  • Encrypt Oracle SecureFiles
• Network encryption
  • SSL / TLS
• Strong authentication
  • Kerberos, PKI, RADIUS

Oracle Advanced Security – Transparent Data Encryption
Diagram: the application reads and writes cleartext; data is encrypted on disk, in backups, in exports and at off-site facilities.
• Encryption of stored data (AES, 128-bit by default)
• Declarative, selective activation at column level
• Applications do NOT need to be revised
• Key lifecycle management integrated, but the keys are held outside the database (in the wallet)
• Supports Oracle Advanced Compression
• Single columns, tablespaces, SecureFiles, Data Pump exports

Ease of management: encrypt sensitive data from Enterprise Manager (screenshot)

Oracle Advanced Security – Creating an Encrypted Tablespace (screenshot)

Oracle Advanced Security – TDE for Data Pump and RMAN
• Oracle Data Pump: bulk export/import to operating system flat files
• Oracle RMAN: database backups and recovery
• Use the local master encryption key or a passphrase to encrypt the export or backup file

Oracle Advanced Security – Key Features by Release
The slide stacks features by the release that introduced them:
• Oracle Database 9i Release 2: network encryption, strong authentication
• Oracle Database 10g Release 2: TDE column encryption
• Oracle Database 11g Release 1: TDE column encryption with HSM, TDE column encryption for SecureFiles, TDE tablespace encryption
• Oracle Database 11g Release 2: TDE tablespace encryption with HSM, TDE with Exadata

Oracle Advanced Security – Network Encryption and Data Integrity
• Encryption and data integrity (against modification, disruption and replay)
• Encryption of all communications to and from the database
• Data integrity with checksums
• Encryption algorithms: RC4 (40, 56, 128, 256 bits), DES (40 and 56 bits), 3DES (2 and 3 keys), AES (128, 192 and 256 bits)
• Checksum algorithms: MD5, SHA-1
• FIPS 140-1 Level 2 certified
• Transparent to applications
Practitioner's note: RC4, DES and the 40/56-bit variants are legacy choices. Restrict the accepted algorithm lists in sqlnet.ora to AES-256 (and SHA-1 rather than MD5 for checksums, the strongest this release offers) and set both encryption and checksumming to REQUIRED, so that a session cannot negotiate down to cleartext.

Oracle Secure Backup
Integrated management of backups to tape or cloud
• "Secure" archiving of Oracle and non-Oracle data to tape
• Simple key management
• Integrated with RMAN, and therefore the fastest tape backup system for Oracle data
• In 11g Release 2, support for backup to cloud computing (Amazon S3)

Oracle Data Masking
Irreversible de-identification of data

Production                           Test
LAST_NAME   SSN          SALARY      LAST_NAME    SSN          SALARY
AGUILAR     203-33-3234  40,000      ANSKEKSL     111-23-1111  60,000
BENSON      323-22-2943  60,000      BKJHHEIEDK   222-34-1345  40,000

• Permanently removes any link between sensitive data and the real world in every environment other than production
• Referential integrity between the data is preserved, so applications keep working
• Sensitive data NEVER leaves the production database
• An extensible library of masking formats is provided

Oracle Database Security Solutions Summary: Protect Data & Save Money
• Comprehensive – a single vendor addresses all your requirements
• Transparent – no changes to existing applications or databases
• Easy to deploy – point-and-click interfaces deliver value within hours
• Cost effective – integrated solutions reduce risk and lower TCO
• Proven – #1 database with over 30 years of security innovation!

Oracle Database Security – Big Picture
Diagram: network SQL monitoring and blocking (allow, log, alert, substitute, block) in front of the applications; audit consolidation; secure DB consolidation with Sensitive, Confidential and Public labels across Procurement, HR and Rebates data; controls against unauthorized local activity and local DBA privilege misuse; encrypted database, encrypted backups and encrypted exports; data masking for non-production copies.
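The Total Recall slide above shows only the AS OF query. As an added example (not from the deck), here is the setup that makes such queries possible in Oracle Database 11g, where Total Recall is the Flashback Data Archive feature, followed by the two queries an investigator actually runs. The tablespace fda_ts, the archive name emp_hist and the emp(empno, title, salary) table are assumptions.

```sql
-- Added example: Total Recall / Flashback Data Archive, 11g syntax.
-- Assumed names: tablespace fda_ts, archive emp_hist, table emp(empno, title, salary).

-- 1. Create the archive (needs the FLASHBACK ARCHIVE ADMINISTER privilege).
--    History older than the retention period is purged automatically.
CREATE FLASHBACK ARCHIVE emp_hist TABLESPACE fda_ts QUOTA 2G RETENTION 7 YEAR;

-- 2. Enable tracking on the table. Every committed change from now on is archived;
--    nothing that happened before this statement can be recovered through the archive.
ALTER TABLE emp FLASHBACK ARCHIVE emp_hist;

-- 3. Confirm which tables are tracked and where their history lives.
SELECT owner_name, table_name, flashback_archive_name, archive_table_name
FROM   dba_flashback_archive_tables;

-- 4. A change made by an application or by a privileged user.
UPDATE emp SET salary = salary * 2 WHERE title = 'admin';
COMMIT;

-- 5. The slide's query: the row as it stood at one instant.
SELECT empno, salary
FROM   emp AS OF TIMESTAMP TO_TIMESTAMP('2009-05-02 00:00:00', 'YYYY-MM-DD HH24:MI:SS')
WHERE  title = 'admin';

-- 6. Every version of the row in the last hour, with the operation that produced it
--    (I/U/D); this is what an investigation wants rather than a single point in time.
SELECT versions_starttime, versions_operation, empno, salary
FROM   emp VERSIONS BETWEEN TIMESTAMP (SYSTIMESTAMP - INTERVAL '1' HOUR) AND SYSTIMESTAMP
WHERE  title = 'admin'
ORDER  BY versions_starttime;
```

Two caveats a practitioner should know: the archive's history tables are maintained by the database and cannot be edited, and a tracked table refuses some DDL (for example TRUNCATE) while the archive is attached; and the archive duplicates the base table's sensitive values, so fda_ts needs the same protection (TDE tablespace encryption, access control) as the tablespace holding emp.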
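The two Database Vault slides describe a realm (a fence around an application's objects that a DBA's system privileges cannot cross) and rule-based multi-factor authorization. As an added example that is not from the deck, the PL/SQL below builds both for a Finance schema using the DBMS_MACADM API. The schema name FINANCE, the application account FIN_APP, the IP addresses and the rule-set text are assumptions; parameter names follow the 11g API and should be checked against the Database Vault Administrator's Guide for your release. It is run as the Database Vault owner, not as a DBA.

```sql
-- Added example: Database Vault realm plus a two-factor rule set (DBMS_MACADM, 11g API).
-- Assumptions: schema FINANCE, application account FIN_APP, application-tier IPs 10.0.1.15/16.
BEGIN
  -- 1. Rules are boolean SQL expressions; DVF.F$... are the built-in factor functions.
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'From application tier',
    rule_expr => 'DVF.F$CLIENT_IP IN (''10.0.1.15'', ''10.0.1.16'')');
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Business hours',
    rule_expr => 'TO_CHAR(SYSDATE, ''HH24'') BETWEEN ''06'' AND ''22''');

  -- 2. Rule set: ALL rules must hold (fail closed), and failures are audited.
  DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'Finance app access',
    description     => 'Application tier, business hours only',
    enabled         => DBMS_MACUTL.G_YES,
    eval_options    => DBMS_MACUTL.G_RULESET_EVAL_ALL,
    audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
    fail_options    => DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => 'Finance data only from the application tier during business hours',
    fail_code       => 20010,
    handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);
  DBMS_MACADM.ADD_RULE_TO_RULE_SET(rule_set_name => 'Finance app access', rule_name => 'From application tier');
  DBMS_MACADM.ADD_RULE_TO_RULE_SET(rule_set_name => 'Finance app access', rule_name => 'Business hours');

  -- 3. Realm around every object in FINANCE. System privileges such as SELECT ANY TABLE
  --    (what a DBA relies on) no longer reach inside it; only realm authorizations do.
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'Finance Realm',
    description   => 'Customer and billing data',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'Finance Realm',
    object_owner => 'FINANCE',
    object_name  => '%',
    object_type  => '%');

  -- 4. Authorize the application account, but only while the rule set evaluates true:
  --    this is the "multi-factor" part (who, from where, when).
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'Finance Realm',
    grantee       => 'FIN_APP',
    rule_set_name => 'Finance app access',
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);
END;
/
```

With this in place the Procurement DBA from the slide, who holds SELECT ANY TABLE but no realm authorization, gets ORA-01031 on select * from finance.customers and the attempt is audited, while FIN_APP works from the application tier during the window. Two limits to keep in mind: a plain realm blocks system privileges, not direct object grants (GRANT SELECT ON finance.customers TO someone still works, so review those grants too), and the client IP is a weak factor on its own because of NAT and spoofing, which is why it is combined with the account and, in practice, with the authentication method.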
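The Label Security slide states the model (a hidden label column, row-level filtering, user clearances) without showing it. As an added example, not from the deck, the following builds a policy with the slide's three levels, applies it to a reporting table and assigns clearances to two users. The policy name REPORT_POL, the hidden column REPORT_LABEL, the table APP.REPORTS and the users ANALYST and PORTAL are assumptions; the procedures are the documented SA_* packages of Oracle Label Security, run as LBACSYS.

```sql
-- Added example: Oracle Label Security policy with levels Public < Confidential < Sensitive.
-- Assumed names: policy REPORT_POL, hidden column REPORT_LABEL, table APP.REPORTS, users ANALYST and PORTAL.
CREATE TABLE app.reports (id NUMBER PRIMARY KEY, body VARCHAR2(200));

BEGIN
  -- 1. The policy adds a hidden label column to every table it is applied to.
  --    READ_CONTROL/WRITE_CONTROL enforce on read and write, LABEL_DEFAULT stamps the
  --    writer's row label on inserts that give none, HIDE keeps the column out of SELECT *.
  SA_SYSDBA.CREATE_POLICY(
    policy_name     => 'REPORT_POL',
    column_name     => 'REPORT_LABEL',
    default_options => 'READ_CONTROL,WRITE_CONTROL,LABEL_DEFAULT,HIDE');

  -- 2. Levels are ordered; a user's maximum read level dominates everything below it.
  SA_COMPONENTS.CREATE_LEVEL('REPORT_POL', 100, 'P', 'PUBLIC');
  SA_COMPONENTS.CREATE_LEVEL('REPORT_POL', 200, 'C', 'CONFIDENTIAL');
  SA_COMPONENTS.CREATE_LEVEL('REPORT_POL', 300, 'S', 'SENSITIVE');

  -- 3. The data labels rows may carry (numeric tag, label string).
  SA_LABEL_ADMIN.CREATE_LABEL('REPORT_POL', 1000, 'P');
  SA_LABEL_ADMIN.CREATE_LABEL('REPORT_POL', 2000, 'C');
  SA_LABEL_ADMIN.CREATE_LABEL('REPORT_POL', 3000, 'S');

  -- 4. Enforce the policy on the table.
  SA_POLICY_ADMIN.APPLY_TABLE_POLICY(
    policy_name => 'REPORT_POL',
    schema_name => 'APP',
    table_name  => 'REPORTS');

  -- 5. Clearances: ANALYST reads up to Confidential; PORTAL (the public web account) only Public.
  --    The schema owner gets FULL so it can load rows with explicit labels.
  SA_USER_ADMIN.SET_USER_LABELS(policy_name => 'REPORT_POL', user_name => 'ANALYST',
                                max_read_label => 'C', def_label => 'C', row_label => 'C');
  SA_USER_ADMIN.SET_USER_LABELS(policy_name => 'REPORT_POL', user_name => 'PORTAL',
                                max_read_label => 'P', def_label => 'P', row_label => 'P');
  SA_USER_ADMIN.SET_USER_PRIVS('REPORT_POL', 'APP', 'FULL');
END;
/

-- 6. Loading rows (as APP): the hidden column is addressed by name; CHAR_TO_LABEL converts the string.
INSERT INTO app.reports (id, body, report_label) VALUES (1, 'Quarterly summary',    CHAR_TO_LABEL('REPORT_POL', 'P'));
INSERT INTO app.reports (id, body, report_label) VALUES (2, 'Rebate schedule',      CHAR_TO_LABEL('REPORT_POL', 'C'));
INSERT INTO app.reports (id, body, report_label) VALUES (3, 'Pending transactions', CHAR_TO_LABEL('REPORT_POL', 'S'));
COMMIT;

-- 7. The same query, run by different users, is filtered by their clearance.
SELECT id, body, LABEL_TO_CHAR(report_label) AS label FROM app.reports ORDER BY id;
```

The policy, not the application, decides what each session sees: PORTAL's result is limited to Public rows, ANALYST also gets Confidential ones, and the Sensitive row is reachable only by a user whose maximum read label is S. One check belongs in every Label Security deployment: the system privilege EXEMPT ACCESS POLICY bypasses the row filter entirely, so query DBA_SYS_PRIVS for it and treat any holder as a privileged user.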
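The Advanced Security slides list what TDE encrypts and the two screenshots show Enterprise Manager doing it. As an added example (not from the deck) this is the equivalent in SQL for Oracle Database 11g, covering both column encryption and tablespace encryption and finishing with the checks that confirm what is really encrypted. The wallet location is assumed to be configured in sqlnet.ora; the tables HR.EMPLOYEES and HR.PAYROLL, the index HR.PAYROLL_PK, the passphrase and the datafile path are assumptions. In 12c and later the ALTER SYSTEM SET ENCRYPTION commands are replaced by ADMINISTER KEY MANAGEMENT.

```sql
-- Added example: TDE column and tablespace encryption, Oracle Database 11g syntax.
-- Assumptions: ENCRYPTION_WALLET_LOCATION set in sqlnet.ora; HR.EMPLOYEES(ssn), HR.PAYROLL,
-- index HR.PAYROLL_PK; datafile path and passphrase are placeholders.

-- 1. Create the wallet and master key once; after every instance restart the wallet must be
--    opened again (or configured for auto-login) before encrypted data can be read.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "W4llet-Passphrase!";
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "W4llet-Passphrase!";
SELECT wrl_type, wrl_parameter, status FROM v$encryption_wallet;

-- 2. Column encryption for a single sensitive column. NO SALT is required when the column is
--    indexed or searched by equality; with salt, equal plaintexts encrypt to different ciphertexts.
ALTER TABLE hr.employees MODIFY (ssn ENCRYPT USING 'AES256' NO SALT);

-- 3. Tablespace encryption: everything stored in the tablespace is encrypted on disk, and the
--    undo and redo generated for it are encrypted too, with no per-column decisions to make.
CREATE TABLESPACE secure_ts
  DATAFILE '/u01/oradata/orcl/secure01.dbf' SIZE 200M
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

-- Moving an existing table rewrites it into the encrypted tablespace. The freed blocks in the
-- old tablespace still hold cleartext until reused, and the table's indexes must be rebuilt.
ALTER TABLE hr.payroll MOVE TABLESPACE secure_ts;
ALTER INDEX hr.payroll_pk REBUILD TABLESPACE secure_ts;

-- 4. Verify what is actually encrypted rather than trusting the change ticket.
SELECT owner, table_name, column_name, encryption_alg, salt FROM dba_encrypted_columns;
SELECT tablespace_name, encrypted FROM dba_tablespaces WHERE tablespace_name = 'SECURE_TS';
```

The wallet is the whole secret: back it up separately from the datafiles and never on the same media as the RMAN backups, because a backup set that contains both is cleartext to whoever holds it, and losing the wallet loses every encrypted column and tablespace. The same master key also serves the backup and export cases on the TDE for Data Pump and RMAN slide (RMAN CONFIGURE ENCRYPTION FOR DATABASE ON; Data Pump ENCRYPTION=ALL with ENCRYPTION_MODE=TRANSPARENT, PASSWORD or DUAL).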
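The Data Masking slide makes two promises: the link to the real person is gone for good, and referential integrity survives so the application still runs. As an added example that is not Oracle Data Masking itself and not from the deck, the SQL below masks a non-production copy by hand in a way that keeps both promises. The schema is an assumption: EMPLOYEES(emp_id, last_name, ssn, salary) and PAYROLL(pay_id, emp_ssn, amount), where payroll rows are joined to employees on the SSN, so every copy of an SSN must change in the same way.

```sql
-- Added example: consistent substitution for a key column, random/shuffled replacement for the rest.
-- Assumed tables: EMPLOYEES(emp_id, last_name, ssn, salary), PAYROLL(pay_id, emp_ssn, amount).

-- 1. One substitute per distinct real SSN, assigned in random order so the mapping cannot be
--    sorted back into the original order. 900-series numbers are never issued as real SSNs.
CREATE TABLE ssn_map (
  real_ssn VARCHAR2(11) PRIMARY KEY,
  fake_ssn VARCHAR2(11) NOT NULL UNIQUE
);
INSERT INTO ssn_map (real_ssn, fake_ssn)
SELECT real_ssn,
       '900-' || LPAD(TRUNC(rn / 10000), 2, '0') || '-' || LPAD(MOD(rn, 10000), 4, '0')
FROM  (SELECT real_ssn, ROW_NUMBER() OVER (ORDER BY DBMS_RANDOM.VALUE) AS rn
       FROM  (SELECT ssn AS real_ssn FROM employees
              UNION
              SELECT emp_ssn FROM payroll)
       WHERE real_ssn IS NOT NULL);

-- 2. Apply the same substitution everywhere the value appears; this is what preserves the
--    joins between the masked tables.
UPDATE employees e SET e.ssn     = (SELECT m.fake_ssn FROM ssn_map m WHERE m.real_ssn = e.ssn);
UPDATE payroll   p SET p.emp_ssn = (SELECT m.fake_ssn FROM ssn_map m WHERE m.real_ssn = p.emp_ssn);

-- 3. Non-key columns: random strings for names (as on the slide), a shuffle for salaries so
--    the distribution stays realistic for testing while the value no longer belongs to the person.
UPDATE employees SET last_name = DBMS_RANDOM.STRING('U', 10);
MERGE INTO employees e
USING (SELECT a.emp_id, b.salary AS new_salary
       FROM (SELECT emp_id, ROW_NUMBER() OVER (ORDER BY DBMS_RANDOM.VALUE) AS rn FROM employees) a
       JOIN (SELECT salary, ROW_NUMBER() OVER (ORDER BY DBMS_RANDOM.VALUE) AS rn FROM employees) b
         ON a.rn = b.rn) s
ON (e.emp_id = s.emp_id)
WHEN MATCHED THEN UPDATE SET e.salary = s.new_salary;

-- 4. Prove no payroll row lost its employee, commit, then destroy the re-identification key.
SELECT COUNT(*) AS orphans
FROM   payroll p
WHERE  NOT EXISTS (SELECT 1 FROM employees e WHERE e.ssn = p.emp_ssn);
COMMIT;
DROP TABLE ssn_map PURGE;
```

Run this on a staging clone that still sits inside the production security boundary, which is how the slide's "sensitive data never leaves production" is achieved, and only then export or clone the masked copy onward. Irreversibility has two conditions: ssn_map must be gone, and the staging clone's undo, redo/archive logs and any flashback data still hold the real values until they age out, so ship a fresh export of the masked data rather than the staging database itself.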