Presentation is loading. Please wait.

Presentation is loading. Please wait.

15 Copyright © 2006, Oracle. All rights reserved. Database Security.

Published byMargaretMargaret Spencer Modified over 9 years ago

Similar presentations

Presentation on theme: "15 Copyright © 2006, Oracle. All rights reserved. Database Security."— Presentation transcript:

1 15 Copyright © 2006, Oracle. All rights reserved. Database Security

2 15-2 Copyright © 2006, Oracle. All rights reserved. Objectives After completing this lesson, you should be able to do the following: Implement Transparent Data Encryption (TDE) Use TDE with encrypted columns Describe Data Pump (DP) encryption Identify components of Recovery Manager (RMAN)–encrypted backups Define basic concepts of a Virtual Private Database (VPD) Apply a column-level VPD policy TDE DP RMAN VPD

3 15-3 Copyright © 2006, Oracle. All rights reserved. Oracle Transparent Data Encryption (TDE): Overview Need for secure information Automatic encryption of sensitive information: –Embedded in the Oracle database –No need to change application logic –Encrypts data and index values Using an encryption key: –Master key for the entire database –Stored in Oracle Wallet Encryption/Decryption Column and index data Wallet

4 15-4 Copyright © 2006, Oracle. All rights reserved. Oracle Transparent Data Encryption (TDE) Full Notes Page

5 15-5 Copyright © 2006, Oracle. All rights reserved. TDE Process External Security Module Wallet NameSalCardAddress JFV10000A0023Rognes 20000B1524 10000C2568 30000D1483 20000E0732 40000F3456 Clear data Encrypted data NameSalCardAddress JFVÉ&à{+”~é[Rognes ])°=#§!?&} &(è`$}{|\ç{ @”#|}#{[|è` µ£*°{}|_@} ~{([ç^“&²#è ALTER TABLE Master key SELECT|INSERT|UPDATE| CREATE TABLE Column keys

6 15-6 Copyright © 2006, Oracle. All rights reserved. Implementing Transparent Data Encryption 1.Create a wallet: automatically or by using Oracle Wallet Manager. ENCRYPTION_WALLET_LOCATION= (SOURCE=(METHOD=FILE)(METHOD_DATA= (DIRECTORY=/opt/oracle/product/10.2.0/db_1/))) Example sqlnet.ora entry:

7 15-7 Copyright © 2006, Oracle. All rights reserved. Implementing Transparent Data Encryption 2.Set the master key from within your instance: 3.Open the wallet from within your instance (future): 4.Create tables that contain encrypted columns: CREATE TABLE emp ( first_name VARCHAR2(128), last_name VARCHAR2(128), empID NUMBER ENCRYPT NO SALT, salary NUMBER(6) ENCRYPT USING '3DES168', comm NUMBER(6) ENCRYPT ); ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY ; ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY ;

8 15-8 Copyright © 2006, Oracle. All rights reserved. Implementing Transparent Data Encryption Full Notes Page

9 15-9 Copyright © 2006, Oracle. All rights reserved. Existing Tables and TDE Add encrypted columns: Encrypt unencrypted columns: Disable column encryption: Add or remove salt: Change keys and the encryption algorithm: ALTER TABLE emp ADD (ssn VARCHAR2(11) ENCRYPT); ALTER TABLE emp MODIFY (first_name ENCRYPT); ALTER TABLE emp MODIFY (first_name DECRYPT); ALTER TABLE emp MODIFY (first_name ENCRYPT [NO] SALT); ALTER TABLE emp REKEY USING '3DES168';

10 15-10 Copyright © 2006, Oracle. All rights reserved. Transparent Data Encryption: Considerations You cannot encrypt tables owned by SYS. LONG and LOB data types are not supported. The supported encryption algorithms are: –3DES168 –AES128 –AES192 –AES256 NO SALT must be used to encrypt index columns. TDE works with indexes for equality searches. Encrypted data must be decrypted before expressions evaluation. Best practice tip: Back up the wallet.

11 15-11 Copyright © 2006, Oracle. All rights reserved. Wallet Support for Usernames and Passwords Wallets can now hold more than just a certificate: –You can store usernames and passwords in a wallet rather than providing them on the command line. Batch job processing: –Protects exposure of usernames and passwords when listing processes on the OS Set up using: – WALLET_LOCATION in sqlnet.ora – mkstore utility connect /@db_connect_string

12 15-12 Copyright © 2006, Oracle. All rights reserved. Data Pump and Transparent Data Encryption Use your own provided column key during export and import: Also true for external tables: ENCRYPTION_PASSWORD = CREATE TABLE emp_ext ( first_name, last_name, empID, salary ENCRYPT IDENTIFIED BY "xIcf3T9u" ) ORGANIZATION EXTERNAL ( TYPE ORACLE_DATAPUMP DEFAULT DIRECTORY "D_DIR" LOCATION('emp_ext.dat') ) REJECT LIMIT UNLIMITED as select * from employees; TDE >DP RMAN VPD

13 15-13 Copyright © 2006, Oracle. All rights reserved. RMAN Encrypted Backups: Overview Three possible encryption modes for your backups: Transparent mode: –Requires Oracle Wallet –Is best suited for day-to-day backup and restore operations at the same location –Is the default encryption mode Password mode: –Requires you to provide a password –Is best suited for backups restored at remote locations Dual mode: –Can use either Oracle Wallets or passwords –Is best suited for backups restored locally and remotely TDE DP >RMAN VPD

14 15-14 Copyright © 2006, Oracle. All rights reserved. Transparent Mode Setup 1.Create a wallet: automatically or by using Oracle Wallet Manager. 2.Open the wallet from within your instance: 3.Set the master key from within your instance: 4.Configure RMAN to use transparent encryption: 5.There are no changes to your backup or recover commands. 6.Permanent configuration can be temporarily overwritten: ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY ; ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY ; CONFIGURE ENCRYPTION FOR DATABASE ON SET ENCRYPTION OFF

15 15-15 Copyright © 2006, Oracle. All rights reserved. Password Mode Setup 1.Set your RMAN session to use password encryption: 2.There are no changes to your backup commands. 3.Set your RMAN session to decrypt password- encrypted backups: 4.There are no changes to your recover commands. SET ENCRYPTION ON IDENTIFIED BY password ONLY SET DECRYPTION IDENTIFIED BY password1 {, password2,…, passwordn}

16 15-16 Copyright © 2006, Oracle. All rights reserved. Dual Mode Setup 1.Create a wallet: automatically or by using Oracle Wallet Manager. 2.Open the wallet from within your instance: 3.Set your RMAN session to use dual encryption: 4.There are no changes to your backup commands. 5.If necessary, set your RMAN session to decrypt your backups by using the password: 6.There are no changes to your recover commands. SET ENCRYPTION ON IDENTIFIED BY password SET DECRYPTION IDENTIFIED BY password1 {, password2,…, passwordn} ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY ;

17 15-17 Copyright © 2006, Oracle. All rights reserved. RMAN-Encrypted Backups: Considerations Image copy backups cannot be encrypted. COMPATIBLE must be set to at least 10.2.0. V$RMAN_ENCRYPTION_ALGORITHMS contains the list of possible encryption algorithms. Backup encryption is available only with Oracle Database Enterprise Edition. One new encryption key is used for each new encrypted backup. You can increase disk performance by using multiple channels. You can change the master key anytime without affecting your transparent encrypted backups. SET ENCRYPTION ALGORITHM 'algorithmname' CONFIGURE ENCRYPTION ALGORITHM 'algorithmname'

18 15-18 Copyright © 2006, Oracle. All rights reserved. Need for Data Privacy Examples: Employees: Protect salary and commission percent (used in the remainder of this lesson) Online banking: Protect access to accounts Web store: Supply individual shopping baskets Web host: Allow each customer to see only their own data Used in Oracle SalesOnline.com and Oracle Portal TDE DP RMAN >VPD

19 15-19 Copyright © 2006, Oracle. All rights reserved. Definition and Usage of Terms Fine-grained access control (FGAC): Use of functions Application context: To preserve user identity and serve as a secure data cache for application attributes and values Application attributes: Used by fine-grained access policies

20 15-20 Copyright © 2006, Oracle. All rights reserved. Virtual Private Database: Overview Virtual Private Database (VPD) consists of: –Fine-grained access control (FGAC) –Secure application context VPD uses policies to add conditions to SQL statements that protect sensitive data. VPD provides row-level access control. Application attributes defined inside an application context are used by fine-grained access policies.

21 15-21 Copyright © 2006, Oracle. All rights reserved. Virtual Private Database: Features Column-level VPD enforces row-level access control based on accessed security columns. With customization, you can define static and nonstatic policies. Using shared policies, you can associate one policy with multiple objects. Policy type can be INDEX. Policy predicate text string can be of size 32 KB.

22 15-22 Copyright © 2006, Oracle. All rights reserved. Column-Level VPD: Example Statements are not always rewritten. Consider a policy protecting the SALARY and COMMISSION_PCT columns of the EMPLOYEES table. Fine-grained access control is: –Not needed for this query: –Enforced for these queries: SQL> SELECT last_name, salary 2 FROM employees; SQL> SELECT last_name FROM employees; SQL> SELECT * FROM employees;

23 15-23 Copyright © 2006, Oracle. All rights reserved. Creating a Column-Level Policy 1.Grant the privilege. 2.Create the function. 3.Apply the policy to the object. BEGIN dbms_rls.add_policy(object_schema => 'hr', object_name => 'employees', policy_name => 'hr_policy', function_schema =>'hr', policy_function => 'hrsec', statement_types =>'select,insert', sec_relevant_cols=>'salary,commission_pct'); END; /

24 15-24 Copyright © 2006, Oracle. All rights reserved. Summary In this lesson, you should have learned how to: Implement Transparent Data Encryption Use TDE with encrypted columns Describe Data Pump encryption Identify components of RMAN-encrypted backups Define basic concepts of a Virtual Private Database Apply a column-level VPD policy

25 15-25 Copyright © 2006, Oracle. All rights reserved. Practice Overview: Using Oracle Database Security This practice covers the following topics: Implementing TDE by creating an encrypted wallet and encryption keys Using TDE with encrypted columns

26 15-26 Copyright © 2006, Oracle. All rights reserved. Full Notes Page

Download ppt "15 Copyright © 2006, Oracle. All rights reserved. Database Security."

Similar presentations

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any.

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any.
18 Copyright © Oracle Corporation, 2001. All rights reserved. Transporting Data Between Databases.

18 Copyright © Oracle Corporation, All rights reserved. Transporting Data Between Databases.
Chapter 23 Database Security and Authorization Copyright © 2004 Pearson Education, Inc.

Chapter 23 Database Security and Authorization Copyright © 2004 Pearson Education, Inc.
1. 2 Introduction This presentation describes introduction of data encryption into Oracle databases and how “Transparent Data Encryption” in Oracle 11g.

1. 2 Introduction This presentation describes introduction of data encryption into Oracle databases and how “Transparent Data Encryption” in Oracle 11g.
یا ذالامن و الامان. Virtual Private Database Mohammad Amin Sabbaghian.

یا ذالامن و الامان. Virtual Private Database Mohammad Amin Sabbaghian.
8 Copyright © 2004, Oracle. All rights reserved. Creating LOVs and Editors.

8 Copyright © 2004, Oracle. All rights reserved. Creating LOVs and Editors.
Administering User Security

Administering User Security
Configuring Recovery Manager

Configuring Recovery Manager
4 Copyright © 2008, Oracle. All rights reserved. Configuring Backup Specifications.

4 Copyright © 2008, Oracle. All rights reserved. Configuring Backup Specifications.
9 Copyright © Oracle Corporation, 2001. All rights reserved. Oracle Recovery Manager Overview and Configuration.

9 Copyright © Oracle Corporation, All rights reserved. Oracle Recovery Manager Overview and Configuration.
ORACLE DATABASE SECURITY

ORACLE DATABASE SECURITY
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 6 Virtual Private Databases.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 6 Virtual Private Databases.
10 Copyright © 2005, Oracle. All rights reserved. Implementing Oracle Database Security.

10 Copyright © 2005, Oracle. All rights reserved. Implementing Oracle Database Security.
Oracle TDE -11gR2.

Oracle TDE -11gR2.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.
1 Copyright © 2005, Oracle. All rights reserved. Introduction.

1 Copyright © 2005, Oracle. All rights reserved. Introduction.
13 Copyright © Oracle Corporation, 2001. All rights reserved. RMAN Complete Recovery.

13 Copyright © Oracle Corporation, All rights reserved. RMAN Complete Recovery.
Jim McLeod MyDBA  SQL Server Performance Tuning Consultant with MyDBA  Microsoft Certified Trainer with SQLskills Australia 

Jim McLeod MyDBA  SQL Server Performance Tuning Consultant with MyDBA  Microsoft Certified Trainer with SQLskills Australia 
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.
Recovery Manager Overview Target Database Recovery Catalog Database Enterprise Manager Recovery Manager (RMAN) Media Options Server Session.

Recovery Manager Overview Target Database Recovery Catalog Database Enterprise Manager Recovery Manager (RMAN) Media Options Server Session.

Similar presentations

Ads by Google