Copyright © 2014, Oracle and/or its affiliates. All rights reserved. | Oracle Database Vault with Oracle Database 12c Chi Ching Chui Senior Development.

Copyright © 2014, Oracle and/or its affiliates. All rights reserved. | Oracle Database Vault with Oracle Database 12c Chi Ching Chui Senior Development Manager Oracle Database Security October 1, 2014

Agenda
– Oracle Database Vault Controls Overview
– Enhancements in Oracle Database 12c
– Deployment Guidelines for Oracle Database Vault
– Privilege Analysis
– Summary
– Q&A


Applications Bypass and Configuration Drift
(Diagram: a database user holding powerful system privileges bypasses the HR application and reads application data directly, e.g. select * from hr.salary, and can run DDL such as ANALYZE TABLE or TRUNCATE TABLE against the HR, Finance and Procurement schemas.)

Restrict Access to Application Data
– Secure data against unauthorized access
– Secure entire schema or individual objects
– Support conditional authorization (e.g. access allowed only between 1–5am)
– Allow authorized operational tasks (Tuning, Data Pump, jobs)
(Diagram: a Fin Realm protects the Fin schema and an HR Realm protects the HR schema; the Fin App and HR App reach their own realm, while a privileged user holding SELECT ANY is blocked.)

Database Command Controls
(Diagram: two factors, Current Time and IP Address, feed two rules, "Current Time between 1 to 5am" and "IP Address = ' '"; the rule set "Limit Maintenance Window" combines them with AND, and a command rule applies that rule set to ANALYZE TABLE, ALTER TABLE, …)

Oracle Database Vault Reports


Enhancements in Oracle Database Vault 12c
Installed by default
– Run two PL/SQL procedures (configure_dv, enable_dv) to enable Oracle Database Vault
– No Oracle binary dependency
Mandatory Realm
– Restrict all types of access including object owners and users with object privileges
Integrated with new unified auditing
– Write to the database audit trail
– Create and manage using the unified audit policy syntax
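The two-procedure enablement the slide refers to, written out as an added example; this is not code from the slides or from Oracle's own scripts, and the account names DBV_OWNER and DBV_ACCTMGR and the passwords are placeholders. It follows the 12c sequence: configure as SYS, recompile, enable as the Database Vault owner, restart, then verify that enforcement is really on.

```sql
-- Added example (not from the slides): enable Oracle Database Vault on 12c.
-- DBV_OWNER / DBV_ACCTMGR are assumed names; the passwords are placeholders.

-- Step 1: as SYS, create the two administrative accounts and register them.
-- Separation of duties starts here: the owner manages realms and rules, the
-- account manager creates users, and neither needs SYSDBA afterwards.
CONNECT / AS SYSDBA
CREATE USER dbv_owner   IDENTIFIED BY "<strong-password>";   -- placeholder
CREATE USER dbv_acctmgr IDENTIFIED BY "<strong-password>";   -- placeholder
GRANT CREATE SESSION TO dbv_owner, dbv_acctmgr;

BEGIN
  DVSYS.CONFIGURE_DV(
    dvowner_uname   => 'DBV_OWNER',
    dvacctmgr_uname => 'DBV_ACCTMGR');
END;
/
-- Recompile objects invalidated by the configuration step.
@?/rdbms/admin/utlrp.sql

-- Step 2: as the Database Vault owner, switch the controls on.
CONNECT dbv_owner
BEGIN
  DBMS_MACADM.ENABLE_DV;
END;
/

-- Step 3: enforcement only starts after a restart.
CONNECT / AS SYSDBA
SHUTDOWN IMMEDIATE
STARTUP

-- Step 4: verify. V$OPTION must report TRUE and DBA_DV_STATUS must show both
-- the configure and enable steps as completed; anything else means the
-- database is still running without realm or command-rule enforcement.
SELECT parameter, value
  FROM v$option
 WHERE parameter = 'Oracle Database Vault';

SELECT name, status
  FROM dba_dv_status;
```

Verification is the step worth keeping in a runbook: because Database Vault is installed but disabled by default in 12c, a database that looks "vaulted" on paper may have never been restarted after ENABLE_DV, and the two queries above are the cheapest way to catch that.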


Deployment Guidelines for Oracle Database Vault
Separation of Duties – decide who is responsible for account management, security administration and operations
Design the Protection – how data should be accessed, what to secure, who to authorize
Implement Database Vault – create realms and command rules, authorize users based on their responsibility, document the security policies
Verify & Deploy – functional testing; confirm the protection works as designed

Example - Secure an Application
– Secure the application data
– Only the trusted application and users can connect to the database
– DBA_DEBRA maintains the database hosting the application
(Diagram: the "HR" application connects as APPS; the HR schema sits inside the HR Realm; both APPS and DBA_DEBRA reach the database through a Connection Control.)


Realm: Secure HR schema


Rule – Trusted Application

Rule – Trusted Administrators

Rule Set – Trusted Database Connections
Added two rules: Is Trusted Administrators, Is Trusted Application
Evaluation options for rules can be 'Any True' or 'All True'
Audit options: Audit on Failure, Audit on Success, Always Audit

Command Rule – Control Database Connection

Example – Operational Task Authorizations
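The HR protection that the preceding slides build up in the console (realm, the two rules, the rule set, the CONNECT command rule and the operational authorization), expressed with the DBMS_MACADM API as an added example; it is not code from the slides. It assumes the HR schema, the application account APPS, the administrator DBA_DEBRA and the Database Vault owner DBV_OWNER from the earlier slides; the application server address '<app-server-ip>' and the audit policy name are placeholders. Run it as the Database Vault owner (the audit policy at the end additionally needs the AUDIT_ADMIN role).

```sql
-- Added example (not from the slides): secure the HR application with
-- DBMS_MACADM. Names HR, APPS, DBA_DEBRA, DBV_OWNER are assumed; the
-- application server IP is a placeholder.
BEGIN
  -- 1. Realm around the whole HR schema. realm_type => 1 makes it a 12c
  --    mandatory realm: even HR itself and users holding object privileges
  --    are blocked unless authorized below. Failed attempts are audited.
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'HR Realm',
    description   => 'Protects the HR application schema',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL,
    realm_type    => 1);
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'HR Realm',
    object_owner => 'HR',
    object_name  => '%',
    object_type  => '%');
  -- The application account is a participant, not an owner: it can use the
  -- data (it still needs its ordinary object grants) but cannot authorize
  -- anyone else into the realm.
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name   => 'HR Realm',
    grantee      => 'APPS',
    auth_options => DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);

  -- 2. Rules on the default Session_User and Client_IP factors. The DV owner
  --    is listed deliberately: a CONNECT command rule is evaluated for every
  --    session, so leaving the Vault accounts out locks the administrators out.
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Is Trusted Application',
    rule_expr => 'DVF.F$SESSION_USER = ''APPS'' AND DVF.F$CLIENT_IP = ''<app-server-ip>''');
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Is Trusted Administrators',
    rule_expr => 'DVF.F$SESSION_USER IN (''DBA_DEBRA'', ''DBV_OWNER'')');

  -- 3. Rule set: 'Any True' (either rule is enough), audit on failure, show
  --    the caller a clear error instead of failing silently.
  DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'Trusted Database Connections',
    description     => 'Only the trusted application and administrators may connect',
    enabled         => DBMS_MACUTL.G_YES,
    eval_options    => DBMS_MACUTL.G_RULESET_EVAL_ANY,
    audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
    fail_options    => DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => 'Connection not permitted by Trusted Database Connections',
    fail_code       => 20461,
    handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);
  DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'Trusted Database Connections',
    rule_name     => 'Is Trusted Application');
  DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'Trusted Database Connections',
    rule_name     => 'Is Trusted Administrators');

  -- 4. Command rule on CONNECT: a valid password from an unexpected host no
  --    longer yields a session. The same call with command => 'ALTER TABLE'
  --    and object_owner => 'HR' gives the maintenance-window control from
  --    the controls overview.
  DBMS_MACADM.CREATE_COMMAND_RULE(
    command       => 'CONNECT',
    rule_set_name => 'Trusted Database Connections',
    object_owner  => '%',
    object_name   => '%',
    enabled       => DBMS_MACUTL.G_YES);

  -- 5. Operational task authorization: DBA_DEBRA may export the HR schema
  --    with Data Pump without becoming a realm participant.
  DBMS_MACADM.AUTHORIZE_DATAPUMP_USER(
    uname  => 'DBA_DEBRA',
    schema => 'HR');
END;
/

-- 6. Unified auditing (12c): record realm violations and rule set failures
--    with the standard unified audit policy syntax, then read them back.
CREATE AUDIT POLICY dv_hr_protection_pol
  ACTIONS COMPONENT = DV
    Realm Violation ON "HR Realm",
    Rule Set Failure ON "Trusted Database Connections";
AUDIT POLICY dv_hr_protection_pol;

SELECT event_timestamp, dbusername, dv_action_name, dv_action_object_name, dv_return_code
  FROM unified_audit_trail
 WHERE audit_type = 'Database Vault'
 ORDER BY event_timestamp DESC;
```

This is exactly the point where the "Verify & Deploy" guideline earns its keep: apply the script to a test database first, confirm that APPS connects from the application server, that DBA_DEBRA can still connect and run her Data Pump export, that a SELECT on hr.* from any other privileged account fails, and that each failure shows up in the unified audit query before the CONNECT rule is enabled in production.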


Privilege Analysis – New to Oracle Database Vault 12c
– Runtime analysis of roles and privileges
– Identifies unused privileges and roles
– Helps reduce attack surface
(Diagram: the privileges granted to DBA_DEBRA and to the custom applications (Select …, Update …, Drop …, DBA role …) are captured at runtime and reported as used or unused.)

Privilege Analysis Features
Capture types
– Database wide
– Condition based (Example: login user is DBA_DEBRA)
– Enabled database role (Example: DBA role is enabled)
Runs inside the database authorization engine
Lists used/unused privileges and roles and how they were granted
Less than 5% overhead on runtime capture

Steps for Analyzing Privileges in Oracle Database
Create Capture Policy – decide the capture type: database-wide, condition based, or enabled DB roles
Start Capture – enable the capture policy; run full application tests to capture all use cases
Generate Reports – disable the runtime capture; generate the capture reports
Analyze & Take Actions – identify and remove unnecessary privileges; audit unused privileges; replace with less powerful privileges

Create Capture Policy
BEGIN
  DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE(
    name        => 'HR Analysis Policy',
    description => 'Analyze privilege usage in the HR applications',
    type        => DBMS_PRIVILEGE_CAPTURE.G_CONTEXT,   -- capture type 3: condition based
    condition   => 'SYS_CONTEXT(''USERENV'', ''SESSION_USER'') = ''APPS''');
END;
/

Start Runtime Capture
EXEC DBMS_PRIVILEGE_CAPTURE.ENABLE_CAPTURE('HR Analysis Policy');

Stop Runtime Capture & Generate Report
EXEC DBMS_PRIVILEGE_CAPTURE.DISABLE_CAPTURE('HR Analysis Policy');
EXEC DBMS_PRIVILEGE_CAPTURE.GENERATE_RESULT('HR Analysis Policy');

Privileges Analysis Reports

Unused Privileges Report

Used Privileges Report
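The complete privilege-analysis cycle from the steps slide, as an added example rather than code from the slides, using the third capture type the features slide lists (enabled database role) instead of the condition-based policy shown above. It assumes a user holding the CAPTURE_ADMIN role, the DBA_DEBRA account from the earlier slides and the HR schema; the policy name and the privileges revoked at the end are illustrative.

```sql
-- Added example (not from the slides): analyze what the DBA role is really
-- used for, then trim it. Policy name and the final REVOKE/GRANT are assumed.
BEGIN
  -- Capture type G_ROLE (2): record the privileges exercised through the DBA
  -- role during the capture window.
  DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE(
    name        => 'DBA Role Usage',
    description => 'Which DBA-role privileges are used during operations',
    type        => DBMS_PRIVILEGE_CAPTURE.G_ROLE,
    roles       => role_name_list('DBA'));
  DBMS_PRIVILEGE_CAPTURE.ENABLE_CAPTURE(name => 'DBA Role Usage');
END;
/

-- ... run the full operational cycle now: backups, patching, scheduler jobs,
-- application regression tests. The capture only sees what executes, so a
-- use case skipped here surfaces later as an "unused" privilege that is in
-- fact needed, which is why the slide insists on full application tests.

BEGIN
  DBMS_PRIVILEGE_CAPTURE.DISABLE_CAPTURE(name => 'DBA Role Usage');
  DBMS_PRIVILEGE_CAPTURE.GENERATE_RESULT(name => 'DBA Role Usage');
END;
/

-- Report 1 (used): system privileges exercised, with the grant path that
-- delivered them (directly or via which role); this is the "how they were
-- granted" column from the features slide.
SELECT username, sys_priv, path
  FROM dba_used_sysprivs_path
 WHERE capture = 'DBA Role Usage'
 ORDER BY username, sys_priv;

-- Report 2 (unused): system privileges granted but never exercised.
SELECT username, sys_priv, path
  FROM dba_unused_sysprivs_path
 WHERE capture = 'DBA Role Usage'
 ORDER BY username, sys_priv;

-- Report 3 (unused): object privileges on HR objects that were never touched.
SELECT username, obj_priv, object_owner, object_name
  FROM dba_unused_objprivs
 WHERE capture = 'DBA Role Usage'
   AND object_owner = 'HR';

-- Take action (illustrative): replace a blanket ANY privilege that report 2
-- lists as unused, or as used only against one schema, with the narrow grant.
-- The PATH column tells you whether a direct REVOKE is even possible or
-- whether the privilege arrives through a role that must be changed instead.
REVOKE SELECT ANY TABLE FROM dba_debra;
GRANT SELECT ON hr.employees TO dba_debra;

-- Unused privileges that must stay granted (rare maintenance tasks) are
-- candidates for auditing rather than removal: any use outside a planned
-- window is then a detection signal.
CREATE AUDIT POLICY dba_rare_privs_pol
  PRIVILEGES ALTER ANY TABLE, DROP ANY TABLE;
AUDIT POLICY dba_rare_privs_pol BY dba_debra;

-- Housekeeping: list the capture policies that exist and their state.
SELECT name, type, enabled
  FROM dba_priv_captures;
```

The sequence mirrors the four steps on the slide: create, capture, report, act. The one thing the slide cannot show is the gap between "unused during capture" and "not needed": the reports are only as complete as the workload that ran while the policy was enabled, so the audit policy at the end is the safety net for whatever the test cycle missed.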


Summary of Oracle Database Vault
Control default power of privileges
– Realms restrict access by privileged users
– Multi-factor authorization and database command controls
– Prevents configuration drift and accidental DDLs (drop table etc.)
Ease of deployment
– Installed by default
– No application changes required
– Certified policies for major applications
Privilege Analysis
– Runtime analysis of roles and privileges
– Helps reduce attack surface


Oracle Database Security at OpenWorld 2014 (Time | Session Title | Location)
Monday 2:45 – 3:30 | Oracle Database Security Innovations in the Year of the Megabreaches (CON8204) | Moscone South 303
Monday 5:15 – 6:00 | Introducing Oracle Key Vault: Centralized Keys, Wallets, and Java Keystores (CON8189) | Moscone South 305
Tuesday 10:45 – 11:30 | Oracle Database 12c: Defense-in-Depth Security (CON8194) | Moscone South 306
Tuesday 3:45 – 4:30 | Oracle Audit Vault and Database Firewall: What’s New and Best Practices (CON8180) | Moscone South 306
Tuesday 5:00 – 5:45 | Oracle Database 12c’s Real Application Security: Next-Generation VPD (CON8182) | Moscone South 206
Wednesday 10:15 – 11:00 | Oracle Advanced Security: Best Practices for Database Encryption and Redaction (CON8166) | Moscone South 306
Wednesday 12:45 – 1:30 | Oracle Database Security Strategy and Best Practices: Customer Case Study Panel (CON8192) | Moscone South 306
Wednesday 3:30 – 4:15 | Oracle Database Vault with Oracle Database 12c (CON8197) | Moscone South 306
Thursday 9:30 – 10:15 | What’s New and Best Practices for Oracle Data Masking and Subsetting | Moscone South
Plus: Visit the Oracle Database Security pods at the Demo Grounds for one-on-one discussions and demonstrations!

Connect With Us
oracle.com/database/security
oracle.com/technetwork/database/security
blogs.oracle.com/SecurityInsideOut
blogs.oracle.com/KeyManagement
Oracle Database Insider
Social: /OracleDatabase, /OracleSecurity, /Oracle/database, /OracleLearning
