Oracle Database Security

Presentation on theme: "Oracle Database Security"— Presentation transcript:

2 Oracle Database Security
Kwesi Edwards, Principal Solutions Architect, Oracle Higher Education
Dominic Young, Account Manager, Oracle Higher Education

3 Data Security Lifecycle
- Inbound data: Network Encryption, Strong Authentication, Identity Management Integration
- Storage: Transparent Data Encryption, Secure Backup
- Monitor: Configuration Scanning, Audit Vault
- Access control: Database Vault, Oracle Label Security, Fusion Security
- Outbound data: Network Encryption

4 Agenda
- Network Encryption: encryption of data in motion
- Strong Authentication: PKI, Kerberos, RADIUS
- Data Encryption: encryption of data at rest
- Secure Backup
- Oracle Data Vault
- DB Auditing: Audit Vault

5 Network Security Threats
1. Data theft: my competitor sees my bids in a sealed auction.
2. Data modification or replay: an amount altered in transit ($500.00 vs. $50,000).
3. Data disruption: packet stolen, order never arrives.

6 Network Encryption: Provided by Oracle for nearly a decade
- Encrypts all communication with the database: AES; RSA RC4 (40-, 56-, 128-, 256-bit keys); DES (40-, 56-bit) and 3DES (2- and 3-key)
- Data integrity with checksums (MD5, SHA-1): automatically detects modifications, replays and missing packets
- Easy to set up

A short summary of the Network Encryption part of the Oracle Advanced Security Option. The Oracle Advanced Security Option was first introduced with Oracle 7.3. Oracle Advanced Security completed a FIPS 140-1 evaluation with Oracle. The 'Network Encryption' part of Oracle Advanced Security encrypts all SQL*Net communication to and from the database and provides broad support for many encryption algorithms. We'll add new ones as they gain industry momentum. The latest addition, in Oracle9i Release 2, was the AES encryption algorithm.
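"Easy to set up" is only half the story; a defender also wants to confirm that sessions are actually negotiating encryption and integrity. The following queries are an added example, not part of the presentation; they assume the server's sqlnet.ora already restricts the negotiated algorithms to the strongest ones on the slide (AES256 and SHA-1) with the parameter settings shown in the comments.

```sql
-- Added example (not from the presentation): verify that Oracle Advanced
-- Security network encryption and integrity checking are in effect.
-- Assumed server-side sqlnet.ora settings (REQUIRED refuses clear-text
-- clients; ACCEPTED would silently allow them):
--   SQLNET.ENCRYPTION_SERVER             = REQUIRED
--   SQLNET.ENCRYPTION_TYPES_SERVER       = (AES256)
--   SQLNET.CRYPTO_CHECKSUM_SERVER        = REQUIRED
--   SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER  = (SHA1)

-- 1. From inside the current session: which network services were
--    negotiated? Expect an "AES256 Encryption service adapter" row and a
--    "SHA1 Crypto-checksumming service adapter" row. A session that only
--    shows the generic "Encryption service for <OS>" banner, with no
--    "... adapter" row, is running in the clear.
SELECT network_service_banner
  FROM v$session_connect_info
 WHERE sid = SYS_CONTEXT('USERENV', 'SID')
   AND (network_service_banner LIKE '%Encryption service%'
        OR network_service_banner LIKE '%Crypto-checksumming service%');

-- 2. Server-wide, for the DBA: user sessions that negotiated no encryption
--    adapter at all. Run this while the setting is still ACCEPTED to find
--    clients that must be fixed before switching to REQUIRED; afterwards
--    it should return no rows. Local (bequeath/IPC) sessions do not go
--    through SQL*Net encryption and will also show up here.
SELECT s.sid, s.username, s.osuser, s.machine, s.program
  FROM v$session s
 WHERE s.type = 'USER'
   AND NOT EXISTS (SELECT 1
                     FROM v$session_connect_info c
                    WHERE c.sid = s.sid
                      AND c.network_service_banner
                          LIKE '%Encryption service adapter%')
 ORDER BY s.machine, s.username;
```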

8 Strong Authentication
- Kerberos: ease of deployment makes this a popular choice
- PKI: large customers are working on full-scale deployments; strong interest among large universities; Oracle supports SSL accelerators
- RADIUS: the database integrates with RADIUS

10 The Need for Encryption
- Worldwide privacy and security laws and regulations: Sarbanes-Oxley, PCI, California SB 1386, country-specific laws
- Disks replaced for maintenance, laptops stolen, backups lost: customer credit card numbers
- Data is worthless to a thief if encrypted

11 The DBMS_CRYPTO Package
- Formerly DBMS_OBFUSCATION (Release 8)
- Extensive control of options: generate as many, or as few, keys as you desire; granular access control; manual salt generation, algorithm selection, chaining mode
- Limited transparency
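The "extensive control" the slide describes is also what makes DBMS_CRYPTO easy to misuse: the caller picks the algorithm, chaining mode, padding and salt, and owns the key. The block below is an added example (not from the presentation) of a sound choice of those options: AES-256 in CBC mode with PKCS#5 padding and a fresh random IV per value, stored alongside the ciphertext. It assumes EXECUTE on DBMS_CRYPTO has been granted and that the 32-byte key is supplied by the application from outside the database; the key generated inline here is for the demo only.

```sql
-- Added example (not from the presentation): application-managed column
-- encryption with DBMS_CRYPTO. Algorithm, chaining mode, padding and the
-- per-value salt (IV) are all chosen explicitly by the caller.
DECLARE
  -- AES-256, CBC chaining, PKCS#5 padding: combine the package constants.
  l_mode      PLS_INTEGER   := DBMS_CRYPTO.ENCRYPT_AES256
                             + DBMS_CRYPTO.CHAIN_CBC
                             + DBMS_CRYPTO.PAD_PKCS5;
  -- Demo key only. In production the key must come from outside the
  -- database (wallet, HSM, application tier), never from a table.
  l_key       RAW(32)       := DBMS_CRYPTO.RANDOMBYTES(32);
  l_iv        RAW(16);
  l_plain     VARCHAR2(200) := '4111111111111111';  -- constructed sample
  l_cipher    RAW(2000);
  l_stored    RAW(2000);
  l_decrypted VARCHAR2(200);
BEGIN
  -- A fresh random IV per value means two equal card numbers produce
  -- different ciphertexts. The IV is not secret; store it with the data.
  l_iv := DBMS_CRYPTO.RANDOMBYTES(16);
  l_cipher := DBMS_CRYPTO.ENCRYPT(
                src => UTL_I18N.STRING_TO_RAW(l_plain, 'AL32UTF8'),
                typ => l_mode,
                key => l_key,
                iv  => l_iv);
  -- What would go into one RAW column: IV || ciphertext.
  l_stored := UTL_RAW.CONCAT(l_iv, l_cipher);

  -- Reading it back: split the 16-byte IV off, decrypt with the same
  -- mode and key. A wrong key or mode raises ORA-28817 (padding error)
  -- or returns garbage; the round trip is therefore checked explicitly.
  l_decrypted := UTL_I18N.RAW_TO_CHAR(
                   DBMS_CRYPTO.DECRYPT(
                     src => UTL_RAW.SUBSTR(l_stored, 17),
                     typ => l_mode,
                     key => l_key,
                     iv  => UTL_RAW.SUBSTR(l_stored, 1, 16)),
                   'AL32UTF8');
  IF l_decrypted <> l_plain THEN
    RAISE_APPLICATION_ERROR(-20001, 'DBMS_CRYPTO round trip failed');
  END IF;
  DBMS_OUTPUT.PUT_LINE('stored ' || UTL_RAW.LENGTH(l_stored)
                       || ' bytes (16-byte IV + padded ciphertext)');
END;
/
```

The "limited transparency" on the slide is visible here: every read and write path must call this code, and an index on the stored RAW column cannot support equality searches on the plaintext.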

12 Transparent Data Encryption
- Integrated with the Oracle database for simplicity: ALTER TABLE ... ENCRYPT column ...
- Provides application transparency: no API calls, database triggers or views required
- Media protection of PII data: social security numbers, credit card numbers
- Performance: works with existing indexes for fast searches

Transparent Data Encryption is easy to use and fulfills all the requests listed on the previous page. We made it very easy to encrypt columns in tables. No views, no triggers, and your applications don't need to be changed; your applications won't notice any difference, and neither will your users. It protects you from the consequences of SB 1386, because now you can not only encrypt personally identifiable information, you can also store the key someplace else. You cannot get more security without a performance penalty; more security requires more processing cycles. TDE works with indexes for equality search, even if the index is built on the encrypted column.

13 Separation of Duties
- Wallet password is separate from the SYSTEM or DBA password
- DBA starts up the database but has no access to the wallet
- Security DBA opens the wallet containing the master key

Separation of duties is one of the cornerstones of good security. As long as the 'Security DBA' does not open the wallet, even the DBA, who normally is not affected by any security policies, cannot see the encrypted data in clear text, even if he has access to the database files on disk. If he does a 'select * from table', he'll get an error message when this statement includes an encrypted column.

14 Master Key and Column Keys
- Column keys are encrypted by the master key
- Master key is stored in a PKCS#12 wallet
- Security DBA opens the wallet containing the master key; column keys encrypt the data in the columns

Here you can see how Oracle makes it possible to store the key someplace other than with the encrypted data. The master key (one per database) is stored in a file on a floppy disk or a server's hard disk. The master key is used to encrypt the column keys, which are stored in the database. These column keys (one per table) are used to encrypt the data in the table columns.
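Slides 12 to 14 describe one workflow: create the master key in the wallet, have the Security DBA open it after each startup, and encrypt the columns in place. The statements below are an added example (not from the presentation) of that workflow in Oracle Database 10g Release 2 syntax. They assume a constructed table HR.CUSTOMERS with SSN and CREDIT_CARD_NO columns, that sqlnet.ora's ENCRYPTION_WALLET_LOCATION points at a directory the server can read, and a placeholder wallet password.

```sql
-- Added example (not from the presentation): TDE column encryption workflow.
-- Table, column names and the wallet password are placeholders.

-- 1. Security DBA, once: create the master key and the PKCS#12 wallet.
--    This password is deliberately distinct from any SYS/SYSTEM password.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "wallet-password-placeholder";

-- 2. After every instance restart: the DBA starts the database, but only
--    the Security DBA can open the wallet. Until then encrypted columns
--    raise ORA-28365 "wallet is not open" on SELECT, even for the DBA.
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "wallet-password-placeholder";

-- 3. Encrypt columns in place: no views, triggers or application changes.
--    Each table gets its own column key, encrypted under the master key.
--    SALT (the default) adds random bytes per row, so equal values do not
--    produce equal ciphertext, but a salted column cannot be indexed.
--    A column used for indexed equality searches must be NO SALT.
ALTER TABLE hr.customers MODIFY (ssn ENCRYPT USING 'AES256' NO SALT);
ALTER TABLE hr.customers MODIFY (credit_card_no ENCRYPT USING 'AES256');
CREATE INDEX hr.customers_ssn_ix ON hr.customers (ssn);

-- 4. Verification: which columns are encrypted, with what, and is the
--    wallet open? STATUS should read OPEN before users need the data.
SELECT owner, table_name, column_name, encryption_alg, salt
  FROM dba_encrypted_columns
 ORDER BY owner, table_name, column_name;

SELECT wrl_type, wrl_parameter, status
  FROM v$encryption_wallet;

-- 5. Application queries are unchanged; decryption happens in the SQL
--    layer and this equality search uses the index on the NO SALT column.
SELECT customer_id
  FROM hr.customers
 WHERE ssn = '123-45-6789';   -- constructed sample value
```

Leaving the wallet file on the same disk as the datafiles defeats the "store the key someplace else" point of slide 14; the wallet directory should be on separate, separately backed-up media with filesystem permissions restricted to the database owner.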

15 Oracle Secure Backup: Tape Backup Management
- Highest levels of tape data protection at the lowest cost!
- Fastest and best integrated tape backup for the Oracle Database: Recovery Manager (RMAN) integration, Enterprise Manager (EM) interface, maximum security options
- Free version (limited functionality) will ship with the Oracle Database
(Diagram: Oracle Secure Backup provides centralized tape backup management, covering Oracle Databases through RMAN integration and file system data on UNIX, Linux, Windows and NAS, writing to tape.)

16 Why Use Oracle Secure Backup?
- Intelligent integration with RMAN, delivering the best performance and security for database backups
- Database tape backups can now be seamlessly managed by Database Administrators (DBAs) or the storage group
- Scalable from the department to the data center
- Easily managed using Enterprise Manager (EM)
- Single technical support resource for the entire backup solution expedites problem resolution
- Reliable data protection at lower cost and complexity, for the Oracle Database and file system data

17 End to End Security: Oracle Advanced Security
- Strong Authentication (Oracle Advanced Security)
- Network Encryption (Oracle Advanced Security)
- Transparent Data Encryption: data written to disk is automatically encrypted; data is automatically decrypted through the SQL interface; data is encrypted on backup files

Here is how the Advanced Security Option helps you protect, from authenticating your users, through encrypting data in transit, to encrypting data at rest on active servers or backup tapes. Encryption and decryption are done transparently.

19 Data Vault Objectives: Multi-factored approach to database security
- Protect and share data assets using environmental factors for assurance
- Defense-in-depth approach
- Protect application schemas from system privileges
- Database server as database appliance: lock-down, hardened software and privileges
- Comprehensive audit policy
- Separation of duties

20 Data Vault Protected Schema
- Protect Data Vault metadata from tampering
- Remove metadata dependency on the SYS schema
- Access to the protected schema only through the administrative roles
- Provide separation of duties by different administrative roles
- Password required for SYS login; no OSDBA group membership

22 Oracle Database 10g Auditing
- Audit and monitor database activity: logon failures, privilege usage, data access, object access, and other activities
- Standard Audit Trail (over 250 audit actions) gives the first level of information about access to the database: statement auditing, privilege auditing, schema object auditing
- Fine-Grained Auditing (FGA) gives the second level of information about specific operations on the database, and enables you to monitor data access based on content
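The three kinds of standard auditing on the slide are enabled with plain AUDIT statements; what makes them useful is the review queries that follow. The block below is an added example, not from the presentation. It assumes the instance runs with AUDIT_TRAIL=DB,EXTENDED (the 10g default is NONE, and changing it needs a restart) and a constructed application schema FINAPP owning a PAYROLL table.

```sql
-- Added example (not from the presentation): standard audit trail for the
-- first-level events on the slide, plus the queries a reviewer would run.
-- FINAPP.PAYROLL is a constructed example schema and table.

-- Statement auditing: record every failed logon attempt.
AUDIT SESSION WHENEVER NOT SUCCESSFUL;

-- Privilege auditing: use of account- and grant-management privileges,
-- and of the two privileges that bypass object grants and control the
-- instance.
AUDIT CREATE USER, ALTER USER, DROP USER, GRANT ANY PRIVILEGE, GRANT ANY ROLE;
AUDIT SELECT ANY TABLE, ALTER SYSTEM;

-- Schema object auditing: access to a sensitive table. BY ACCESS writes one
-- record per statement instead of one per session, so repeated reads are
-- visible.
AUDIT SELECT, UPDATE, DELETE ON finapp.payroll BY ACCESS;

-- Review 1: failed logons in the last 24 hours. RETURNCODE holds the ORA
-- error number, e.g. 1017 (invalid username/password) or 28000 (locked).
-- Many rows for one username from one host is a password-guessing pattern.
SELECT username, os_username, userhost, timestamp, returncode
  FROM dba_audit_trail
 WHERE action_name = 'LOGON'
   AND returncode <> 0
   AND timestamp > SYSDATE - 1
 ORDER BY timestamp DESC;

-- Review 2: who touched PAYROLL from an account other than the application
-- owner? SQL_TEXT is populated because of the EXTENDED setting.
SELECT username, userhost, timestamp, action_name, sql_text
  FROM dba_audit_trail
 WHERE owner = 'FINAPP'
   AND obj_name = 'PAYROLL'
   AND username <> 'FINAPP'
 ORDER BY timestamp DESC;

-- Review 3: use of audited system privileges, newest first.
SELECT username, userhost, timestamp, action_name, priv_used
  FROM dba_audit_trail
 WHERE priv_used IS NOT NULL
   AND timestamp > SYSDATE - 7
 ORDER BY timestamp DESC;
```

Standard auditing writes to SYS.AUD$ inside the same database, so an administrator who can delete from it can cover their tracks; that is the gap Audit Vault (slide 24) closes by moving the records off the audited system.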

23 Fine-Grained Auditing (FGA)
Beginning with Oracle9i Database, Oracle provides the capability to audit specific rows within a table. This is accomplished using the DBMS_FGA package.
Features:
- Attach an audit policy to a table or view
- Specify the audit condition using a SQL predicate
- The user's query text, with bind variables, is written to the audit record upon a triggering audit event
- An event handler can alert an administrator to the triggering condition (e.g. write a record to a log, send a page)
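Putting the four features together, here is an added example (not from the presentation) of a DBMS_FGA policy for the scenario the speaker notes on slide 25 describe: someone other than the application owner reading sensitive financial columns. The schema FINAPP, table PAYROLL, its columns, the security-admin schema SECADM and the handler procedure are all constructed for this example.

```sql
-- Added example (not from the presentation): a fine-grained audit policy
-- with a SQL-predicate condition, relevant columns, and an event handler.
-- FINAPP.PAYROLL and SECADM.PAYROLL_ALERT are constructed names.

-- Event handler: called once per triggering statement with these three
-- parameters. Keep it short and exception-free: if it raises, the user's
-- statement fails and the audit record is still written.
CREATE OR REPLACE PROCEDURE secadm.payroll_alert (
  object_schema VARCHAR2, object_name VARCHAR2, policy_name VARCHAR2)
AS
BEGIN
  -- Stand-in for "send a page"; replace with mail, an SNMP trap, or an
  -- insert into a table polled by the monitoring system.
  DBMS_OUTPUT.PUT_LINE('FGA ' || policy_name || ': '
    || SYS_CONTEXT('USERENV', 'SESSION_USER') || ' from '
    || SYS_CONTEXT('USERENV', 'HOST') || ' accessed '
    || object_schema || '.' || object_name);
END;
/

BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema   => 'FINAPP',
    object_name     => 'PAYROLL',
    policy_name     => 'PAYROLL_NON_APP_READ',
    -- SQL predicate evaluated per statement: audit only when the session
    -- user is not the application owner, so normal app traffic is silent.
    audit_condition => 'SYS_CONTEXT(''USERENV'',''SESSION_USER'') <> ''FINAPP''',
    -- Fire only when at least one of these columns is referenced.
    audit_column    => 'SALARY,BANK_ACCOUNT',
    handler_schema  => 'SECADM',
    handler_module  => 'PAYROLL_ALERT',
    enable          => TRUE,
    statement_types => 'SELECT,UPDATE',
    -- DB_EXTENDED stores the statement text and its bind values.
    audit_trail     => DBMS_FGA.DB_EXTENDED);
END;
/

-- Review: the query text and bind variables are in SQL_TEXT and SQL_BIND,
-- so a reviewer sees exactly which rows were asked for.
SELECT timestamp, db_user, os_user, userhost, sql_text, sql_bind
  FROM dba_fga_audit_trail
 WHERE policy_name = 'PAYROLL_NON_APP_READ'
 ORDER BY timestamp DESC;
```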

24 Collect and Consolidate Audit Data
(Diagram: Oracle Audit Vault collects audit data from Oracle 9iR2, 10gR1 and 10gR2 databases, with other sources and databases planned for the future; labelled benefits: simplify compliance reporting, monitor policies, detect and prevent insider threats, lower IT costs with audit policies, reports, scale and security.)

To summarize, Oracle Audit Vault can transparently collect and consolidate audit data from Oracle databases beginning with Oracle 9i Release 2 and higher. In the future other databases and sources will be supported as well. Oracle Audit Vault helps organizations simplify compliance reporting with both built-in and custom reports. Oracle Audit Vault can detect and prevent insider threats by alerting you to suspicious activity. Oracle Audit Vault helps organizations lower IT costs with audit policies through centralized management of database audit settings and policies. Oracle Audit Vault is the industry's most secure and scalable audit warehouse.

25 Oracle Database Security: 30 Years of Innovation (1977 to 2007)
Timeline, newest first:
- Oracle Audit Vault
- Oracle Database Vault
- DB Security Evaluation #19
- Transparent Data Encryption
- EM Configuration Scanning
- Fine Grained Auditing (9i)
- Secure application roles
- Client Identifier / Identity propagation
- Oracle Label Security
- Proxy authentication
- Enterprise User Security
- Global roles
- Virtual Private Database (8i)
- Database Encryption API
- Strong authentication (PKI, Kerberos, RADIUS)
- Native Network Encryption (Oracle7)
- Database Auditing
- Government customer

I like to show this slide to let customers know that Oracle has been working in the security space pretty much since day one. The very first Oracle customers were in the government space. This close working relationship with customers has enabled Oracle to stay at the forefront of database security technology. It's important to note here that the Oracle Database has the most advanced auditing technology of any database on the market. In fact, ever since Oracle7 was introduced, Oracle has had quite sophisticated auditing. Oracle9i extended the auditing capabilities with fine-grained or policy-based auditing. This allows you to put a specific audit policy on sensitive data and generate audit records only when the policy is violated, for example when someone other than the application owner (perhaps the DBA) looks at sensitive financial information. As you can see, we've delivered a great deal of technology over the years. Last year we completed our 19th independent evaluation of the Oracle database. This was completed under the Common Criteria at EAL4. Note that we will be evaluating Oracle Audit Vault.

27 Transparent Data Encryption
For more information: Transparent Data Encryption, or oracle.com/security
