Knowledge and Experience in ORACLE Technology

Posted on 16-Nov-2014

Transcript of "Knowledge and Experience in ORACLE Technology"

Henry Guerra, Oracle Technology Consultant

Latin American User Groups

Official ORACLE User Group of Peru: "Teamwork with Oracle users, for Oracle users"

A community formed by users and promoters of ORACLE technology who encourage the exchange and generation of knowledge associated with ORACLE technology.

Affiliated with:

Oracle Corporation. Mission: "Make our software a source of continuous competitive advantage for our customers"

Get Better Results

Oracle Corporation

• The world's largest enterprise software company
  • $22.4B in revenue, FY08
  • #1 in 40 product or market categories
  • 320,000 customers in 145 countries
  • 20,000 partners
  • $34B spent on 50 acquisitions since 2005
  • 85,000 employees
  • 5 million developers in Oracle's online communities
• Innovation and investment
  • More than 3,000 products, with more than 2,000 patents
  • $3B in research and development this year
  • 20,000 developers
  • 6,500 customer-proposed enhancements per year
  • 1 million students supported
  • 7,500 customer support specialists speaking 27 languages
  • 20,000 implementation consultants

Database Security Products

John Morales, Senior Consultant - DBA Database & Middleware

GBS Peru

Oracle Database Security: Continuous Innovation

Timeline on the slide: Oracle7, Oracle8i, Oracle Database 9i, Oracle Database 10g, Oracle Database 11g, starting from a "Government customer". Security features placed along it, newest to oldest as drawn:

• EM Data Masking
• TDE Tablespace Encryption
• Oracle Audit Vault
• Oracle Database Vault
• Secure Backup (Tape)
• TDE Column Encryption
• VPD Column Masking
• VPD Column Relevant
• EM Secure Config Scanning
• Client Identity Propagation
• Fine Grained Auditing
• Oracle Label Security
• Proxy authentication
• Enterprise User Security
• Virtual Private Database (VPD)
• Database Encryption API
• Strong Authentication
• Native Network Encryption
• Database Auditing

Data Security Components

• User Management
• Data Protection
• Access Control
  • Controlling Privileged Users
  • Custom Security Policies
  • Row Level Security
• Monitoring
• Core Platform Security

Oracle Database Vault

• Controls on privileged users
  • Restrict highly privileged users from application data
  • Provide Separation of Duty
  • Security for database and information consolidation
• Real-time access controls
  • Control who, when, where and how data is accessed
  • Make decisions based on IP address, time, authentication method, …

Diagram: Protection Realms, Multi-Factor Authorization, Separation of Duty, Command Rules and Reports, addressing Compliance and Insider Threats.

Oracle Database Vault Realms

Diagram: an HR Realm around the HR schema (HR DBA) and a Fin Realm around the Fin schema (FIN DBA).

• Database DBA views HR data (select * from HR.emp): stopped by the HR Realm. Compliance and protection from insiders.
• HR DBA views Fin. data: stopped by the Fin Realm. Eliminates security risks from server consolidation.

Realms can be easily applied to existing applications with minimal performance impact.

Oracle Database Vault: Custom Policies with Multi-factor Authorization

Diagram: the HR account and the FIN DBA issue SELECT … and CREATE … against HR and FIN; before the command is allowed, the rule set checks factors such as business hours and an unexpected IP address.
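The realm, rule set and command rule described on the two slides above, written out with the DBMS_MACADM API. This is an added example, not code from the deck: the HR_DBA account, the 10.1.20.x application subnet, the 08-17 business-hours window and the -20900 error code are assumptions; schema HR and table HR.EMP come from the slide. Run it as a Database Vault owner (DV_OWNER role).

```sql
-- Added example (not from the original deck). Assumed: account HR_DBA, subnet
-- 10.1.20.x, business hours 08-17. Run as a user holding DV_OWNER.

BEGIN
  -- 1. Realm: fence HR off from anyone relying on system privileges such as
  --    SELECT ANY TABLE, including holders of the DBA role.
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'HR Realm',
    description   => 'Protects HR application data from privileged users',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);   -- audit blocked attempts

  -- '%' covers every object in the schema, current and future
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'HR Realm',
    object_owner => 'HR',
    object_name  => '%',
    object_type  => '%');

  -- 2. Rules and rule set: business hours AND the expected client subnet.
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Business Hours',
    rule_expr => 'TO_CHAR(SYSDATE,''HH24'') BETWEEN ''08'' AND ''17''');
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Trusted Client Subnet',
    rule_expr => 'DVF.F$CLIENT_IP LIKE ''10.1.20.%''');   -- built-in Client_IP factor

  DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'HR Access Window',
    description     => 'HR data only in business hours from the application subnet',
    enabled         => DBMS_MACUTL.G_YES,
    eval_options    => DBMS_MACUTL.G_RULESET_EVAL_ALL,    -- every rule must hold
    audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
    fail_options    => DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => 'HR data may only be accessed in business hours from the application subnet',
    fail_code       => -20900,
    handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => '');
  DBMS_MACADM.ADD_RULE_TO_RULE_SET(rule_set_name => 'HR Access Window',
                                   rule_name     => 'Business Hours');
  DBMS_MACADM.ADD_RULE_TO_RULE_SET(rule_set_name => 'HR Access Window',
                                   rule_name     => 'Trusted Client Subnet');

  -- 3. Multi-factor authorization: HR_DBA may work inside the realm, but only
  --    while the rule set evaluates to true (time of day AND client address).
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'HR Realm',
    grantee       => 'HR_DBA',
    rule_set_name => 'HR Access Window',
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);

  -- 4. Command rule: CREATE TABLE in HR is subject to the same window, even for
  --    the HR schema owner itself.
  DBMS_MACADM.CREATE_COMMAND_RULE(
    command       => 'CREATE TABLE',
    rule_set_name => 'HR Access Window',
    object_owner  => 'HR',
    object_name   => '%',
    enabled       => DBMS_MACUTL.G_YES);
END;
/

-- Check: a generic DBA now receives ORA-01031 (insufficient privileges) on
-- SELECT * FROM hr.emp, HR_DBA receives the same outside the window, and a
-- CREATE TABLE by HR outside the window fails with ORA-47400 (command rule
-- violation). Each denial is written to the Database Vault audit trail.
```

Check the factor value before relying on it: SELECT DVF.F$CLIENT_IP FROM DUAL from a connection through the application tier shows whether the database sees the end-user address or the application server's, which decides what the subnet rule actually enforces.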

Oracle Label Security: Label-Based Transparent Access Mediation

• Enables Multi-level Security
  • Public, Confidential, Sensitive PII
• Data Consolidation Security
• Privacy and Compliance
• Oracle 8.1.7 and higher
• EE Security Product
• Oracle was the first to bring this technology to commercial operating systems

Diagram: data rows and users both carry the labels Sensitive PII, Confidential and Public, and access is mediated by comparing them.
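The three levels on the slide, built into an Oracle Label Security policy. This is an added example rather than code from the deck; the policy name PRIVACY_POL, the hidden column PRIV_LABEL, table HR.EMP and the users APP_READER and PRIV_OFFICER are assumptions. The policy part runs as LBACSYS (or a holder of the PRIVACY_POL_DBA role), the row labelling as HR.

```sql
-- Added example (not from the original deck). Assumed names: PRIVACY_POL,
-- PRIV_LABEL, HR.EMP, APP_READER, PRIV_OFFICER.

BEGIN
  -- The policy adds one label column to each protected table; HIDE keeps it
  -- out of SELECT * and DESCRIBE so existing applications are unaffected.
  SA_SYSDBA.CREATE_POLICY(
    policy_name     => 'PRIVACY_POL',
    column_name     => 'PRIV_LABEL',
    default_options => 'READ_CONTROL,WRITE_CONTROL,HIDE');

  -- Levels are ordered: a session at level n reads rows labelled at or below n.
  SA_COMPONENTS.CREATE_LEVEL('PRIVACY_POL', 1000, 'PUB',  'Public');
  SA_COMPONENTS.CREATE_LEVEL('PRIVACY_POL', 2000, 'CONF', 'Confidential');
  SA_COMPONENTS.CREATE_LEVEL('PRIVACY_POL', 3000, 'PII',  'Sensitive PII');

  -- Data labels rows may carry (tag, label string)
  SA_LABEL_ADMIN.CREATE_LABEL('PRIVACY_POL', 10, 'PUB');
  SA_LABEL_ADMIN.CREATE_LABEL('PRIVACY_POL', 20, 'CONF');
  SA_LABEL_ADMIN.CREATE_LABEL('PRIVACY_POL', 30, 'PII');

  -- Attach the policy to the table: from here on mediation is transparent
  SA_POLICY_ADMIN.APPLY_TABLE_POLICY(
    policy_name   => 'PRIVACY_POL',
    schema_name   => 'HR',
    table_name    => 'EMP',
    table_options => 'READ_CONTROL,WRITE_CONTROL,HIDE');

  -- User authorizations: (max, min, default, row) levels
  SA_USER_ADMIN.SET_LEVELS('PRIVACY_POL', 'APP_READER',   'CONF', 'PUB', 'CONF', 'PUB');
  SA_USER_ADMIN.SET_LEVELS('PRIVACY_POL', 'PRIV_OFFICER', 'PII',  'PUB', 'PII',  'PII');

  -- The schema owner needs FULL to label rows it can no longer see:
  -- under READ_CONTROL, rows whose label is still NULL are hidden from
  -- everyone without FULL or READ privilege.
  SA_USER_ADMIN.SET_USER_PRIVS('PRIVACY_POL', 'HR', 'FULL');
END;
/

-- As HR: label the existing rows. The hidden column is addressable by name.
UPDATE hr.emp SET priv_label = CHAR_TO_LABEL('PRIVACY_POL', 'PII') WHERE ssn IS NOT NULL;
UPDATE hr.emp SET priv_label = CHAR_TO_LABEL('PRIVACY_POL', 'PUB') WHERE ssn IS NULL;
COMMIT;

-- Check: connected as APP_READER this returns only PUB and CONF rows; as
-- PRIV_OFFICER it returns every row; the query text is identical in both cases.
SELECT last_name, LABEL_TO_CHAR(priv_label) AS label FROM hr.emp;
```

Label a table immediately after applying the policy; until that is done the READ_CONTROL option makes the unlabelled rows disappear for ordinary users, which looks like data loss to the application.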

Data Security Components

• User Management
• Data Protection
  • Network Encryption
  • Data Encryption
  • Backup Encryption
  • Data Masking
  • Data Privacy Shield
• Access Control
• Monitoring
• Core Platform Security

The Need for Encryption: Privacy and Compliance

• Millions of records lost and many more vulnerable
  • Student, Faculty, Staff, Donor, Veterans Administration, …
• Worldwide privacy, security and compliance regulations
  • Payment Card Industry (PCI)
  • Country-specific laws

Diagram: credit card numbers exposed when disks are replaced for maintenance, laptops are stolen, or backups are lost.

Oracle Advanced Security: Transparent Data Encryption at Rest and in Transit

• Network Encryption
  • Native encryption for fast, easy setup
  • Secure Sockets Layer (SSL)
• Data at Rest Encryption
  • Column (10gR2)
  • RMAN backup (10gR2)
  • Tablespace (11g)
  • Data Pump export files (11g)
• Key Management
  • Built-in two-tier architecture
  • Oracle Wallet (PKCS #12)

Diagram: strong authentication and network encryption on the client link; data written to disk is transparently encrypted and transparently decrypted through the SQL interface; database backups are encrypted with Oracle Secure Backup.

Oracle Advanced Security: Strong Authentication

• Password-based authentication
• Strong authentication with 3rd-party industry leaders
  • Kerberos, CyberSafe, DCE
  • Smart cards, token cards (SecurID), biometrics
• Industry-standard RADIUS allows authentication vendors to integrate their solutions
  • Smart cards, fingerprints, voice, etc.
• Strong authentication within a PKI
  • X.509v3 certificates

Oracle Advanced Security: Network Encryption

• Network Encryption includes a sequenced, cryptographic checksum with every packet before it is sent
• Uses the industry-standard integrity algorithms
  • MD5
  • SHA-1 (with SSL)
• Automatically detects:
  • Modifications
  • Replays of packets
  • Missing packets
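Native network encryption is negotiated per connection, so the check that matters is whether a given session actually got a cipher and a checksum. This added example (not from the deck) shows the query for that and, for a DBA, how to find sessions that negotiated nothing; the sqlnet.ora settings in the comments are assumed, and the banner text is illustrative. Where the release offers it, choose SHA1 over the MD5 listed on the slide for the checksum type.

```sql
-- Added example (not from the original deck). Assumed server-side sqlnet.ora:
--   SQLNET.ENCRYPTION_SERVER            = REQUIRED
--   SQLNET.ENCRYPTION_TYPES_SERVER      = (AES256)
--   SQLNET.CRYPTO_CHECKSUM_SERVER       = REQUIRED
--   SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA1)
-- REQUIRED, rather than the default ACCEPTED, makes the server refuse clients
-- that will not negotiate; with ACCEPTED a client configured with
-- SQLNET.ENCRYPTION_CLIENT = REJECTED still connects in clear text.

-- 1. What did MY session negotiate?
SELECT network_service_banner
FROM   v$session_connect_info
WHERE  sid = SYS_CONTEXT('USERENV', 'SID');
-- Illustrative banners when encryption and integrity are active:
--   "AES256 Encryption service adapter for Linux: Version 11.2.0.x - Production"
--   "SHA1 Crypto-checksumming service adapter for Linux: Version 11.2.0.x - Production"
-- A session showing only "Encryption service for Linux ..." with no algorithm
-- name in front of it negotiated no cipher: the link is unencrypted.

-- 2. As a DBA: every user session whose link carries no encryption adapter
--    banner, i.e. talks in clear text. Expect zero rows when the server
--    setting is REQUIRED.
SELECT s.sid, s.username, s.machine, s.program
FROM   v$session s
WHERE  s.type = 'USER'
AND    NOT EXISTS (SELECT 1
                   FROM   v$session_connect_info c
                   WHERE  c.sid = s.sid
                   AND    c.network_service_banner LIKE '%Encryption service adapter%');

-- 3. Same test for the integrity checksum the slide describes
SELECT s.sid, s.username, s.machine
FROM   v$session s
WHERE  s.type = 'USER'
AND    NOT EXISTS (SELECT 1
                   FROM   v$session_connect_info c
                   WHERE  c.sid = s.sid
                   AND    c.network_service_banner LIKE '%Crypto-checksumming service adapter%');
```

Run queries 2 and 3 as a scheduled detection rather than a one-off: a client whose sqlnet.ora was later changed to REJECTED shows up here, while the server-side parameter file looks unchanged.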

Oracle Advanced Security: Transparent Data Encryption (TDE)

• Column-level encryption (10gR2)
  • Transparent to existing applications
  • Faster compared to home-grown approaches
  • Complements the DBMS_CRYPTO package (10gR1)
  • Addresses PCI, SB1386 and other privacy requirements
• Tablespace-level encryption (11g)
  • For encrypting entire application data
  • Supports foreign keys and range scans
• LOB encryption, aka SecureFiles (11g)
• Master key protection in hardware using PKCS #11 (11g)
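The column and tablespace variants differ in what the application can still do with the data, which is the point of the "foreign keys and range scans" bullet. This added example (not from the deck) walks through 11g-era TDE end to end: master key in a software wallet, one encrypted column with and without salt, one encrypted tablespace, and the catalog checks. The wallet password, the table HR.EMP_CC, the tablespace name and data file path are assumptions; the wallet location is taken from ENCRYPTION_WALLET_LOCATION in sqlnet.ora, assumed to be set.

```sql
-- Added example (not from the original deck). Assumed: wallet password,
-- HR.EMP_CC, tablespace HR_SECURE and its data file path. Run as SYSDBA for
-- the ALTER SYSTEM statements.

-- 1. First use creates the wallet and master key; after each instance restart
--    the wallet must be opened (second statement) or encrypted data is unreadable.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "Wallet-P@ss-Assumed";
-- ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "Wallet-P@ss-Assumed";

-- 2. Column TDE (10gR2+). Caveats that the slide's "transparent" glosses over:
--    an encrypted column cannot be a foreign key; only a NO SALT column can be
--    indexed; even then the index serves equality lookups, not range scans.
CREATE TABLE hr.emp_cc (
  emp_id    NUMBER PRIMARY KEY,
  last_name VARCHAR2(40),
  card_no   VARCHAR2(19) ENCRYPT USING 'AES256' NO SALT,  -- indexable, equality only
  ssn       VARCHAR2(11) ENCRYPT USING 'AES256'           -- salted: not indexable
);
CREATE INDEX hr.emp_cc_card_ix ON hr.emp_cc (card_no);

-- 3. Tablespace TDE (11g). Decryption happens at the block layer, so foreign
--    keys, range scans and indexes behave exactly as on clear-text storage.
CREATE TABLESPACE hr_secure
  DATAFILE '/u01/oradata/orcl/hr_secure01.dbf' SIZE 100M   -- path assumed
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

-- Moving an existing table rewrites its blocks encrypted; its indexes become
-- UNUSABLE and must be rebuilt (ideally into the same tablespace).
ALTER TABLE hr.emp MOVE TABLESPACE hr_secure;
ALTER INDEX hr.emp_pk REBUILD TABLESPACE hr_secure;   -- index name assumed

-- 4. Checks a practitioner runs afterwards
SELECT wrl_type, wrl_parameter, status
FROM   v$encryption_wallet;                 -- STATUS must read OPEN

SELECT owner, table_name, column_name, encryption_alg, salt
FROM   dba_encrypted_columns;               -- CARD_NO salt = NO, SSN salt = YES

SELECT ts.name, et.encryptionalg
FROM   v$encrypted_tablespaces et
JOIN   v$tablespace ts ON ts.ts# = et.ts#;  -- HR_SECURE / AES256
```

Two operational caveats: the old clear-text blocks of a moved table remain in the original data file until that space is reused, so the source tablespace should be dropped or its files securely wiped; and on 11g, ALTER SYSTEM SET ENCRYPTION KEY re-keys the column master key but does not re-key encrypted tablespaces, so tablespace key rotation needs a move or a later release.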

Specifying Encryption Parameters

Oracle Secure Backup: Integrated Tape Backup Management

• Protects the entire environment
  • Oracle Database 11g, Oracle Database 10g, Oracle9i
  • Application files (OSB 10.2)
• Built-in Oracle advantage
  • Single-vendor advantage
• Fastest backup for Oracle
  • 25-40% faster than competition
• Express version
  • OSB Express protects one server to one attached tape drive
  • No encryption
  • Bundled with Oracle Database

Oracle Secure Backup: Centralized Tape Backup Management

Diagram: file system data (UNIX, Linux, Windows, NAS) and Oracle Databases (integration with RMAN) backed up to tape.

Data Masking (10gR2; 11g and later for Grid Control integration)

• Protect PII and sensitive data during test, support and analysis
  • Social Security numbers, credit card numbers
  • Business-sensitive data
  • In-house or off-shore
• Masking process
  • Identify data to mask
  • Define a format mask or choose one from the library
  • Schedule the masking job
  • Customized masking rules

Need for Data Masking

• Key Drivers
  • Privacy and compliance
    • HIPAA, Breach Notification Laws
    • EU Data Privacy Directive
  • Application testing
    • Offshore application development
    • Offshore / in-house software QA
• Key Requirements
  • Support database and application referential integrity
  • Minimal performance impact
  • Protect against reverse transformation

Before masking:

LAST_NAME   SSN          SALARY
AGUILAR     203-33-3234  40,000
BENSON      323-22-2943  60,000
D'SOUZA     989-22-2403  80,000
FIORANO     093-44-3823  45,000

After masking:

LAST_NAME   SSN          SALARY
ANSKEKSL    111-23-1111  40,000
BKJHHEIEDK  111-34-1345  60,000
KDDEHLHESA  111-97-2749  80,000
FPENZXIEK   111-49-3849  45,000
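The three requirements above pull in different directions: a key column must be replaced identically wherever it appears (referential integrity), yet the replacement must not be computable from the original (no reverse transformation). This added example, which is not the deck's code and not the EM Data Masking Pack, shows one way to satisfy both on a cloned staging copy. The tables EMP and PAYROLL, the constraint name and the sample rows are constructed for the example; the 111-xx-xxxx output format mirrors the slide.

```sql
-- Added example (not from the original deck). Constructed schema: EMP is the
-- parent, PAYROLL.SSN references EMP.SSN.
CREATE TABLE emp (
  last_name VARCHAR2(40),
  ssn       VARCHAR2(11) PRIMARY KEY,
  salary    NUMBER(9,2));
CREATE TABLE payroll (
  ssn      VARCHAR2(11) CONSTRAINT payroll_emp_fk REFERENCES emp(ssn),
  pay_date DATE,
  amount   NUMBER(9,2));

INSERT INTO emp VALUES ('AGUILAR', '203-33-3234', 40000);   -- rows from the slide
INSERT INTO emp VALUES ('BENSON',  '323-22-2943', 60000);
INSERT INTO emp VALUES ('D''SOUZA','989-22-2403', 80000);
INSERT INTO emp VALUES ('FIORANO', '093-44-3823', 45000);
INSERT INTO payroll VALUES ('203-33-3234', DATE '2014-10-31', 3333.33);
INSERT INTO payroll VALUES ('989-22-2403', DATE '2014-10-31', 6666.67);
COMMIT;

-- 1. Mapping table: one replacement per real SSN so the FK stays consistent.
--    Replacements are handed out in RANDOM row order, so nothing in the new
--    value is derived from the old one: no hash to brute-force, no offset to
--    undo. The only way back is this table, which step 4 destroys.
CREATE TABLE ssn_map AS
SELECT ssn AS old_ssn,
       '111-' || LPAD(TRUNC((rn - 1) / 10000), 2, '0')
              || '-' || LPAD(MOD(rn - 1, 10000), 4, '0') AS new_ssn
FROM (SELECT ssn, ROW_NUMBER() OVER (ORDER BY DBMS_RANDOM.VALUE) AS rn
      FROM   emp);

-- 2. Apply the SAME mapping to child and parent. The FK is disabled only for
--    the two updates; ENABLE VALIDATE re-checks every child row afterwards.
ALTER TABLE payroll DISABLE CONSTRAINT payroll_emp_fk;
UPDATE payroll p SET p.ssn = (SELECT m.new_ssn FROM ssn_map m WHERE m.old_ssn = p.ssn);
UPDATE emp     e SET e.ssn = (SELECT m.new_ssn FROM ssn_map m WHERE m.old_ssn = e.ssn);
ALTER TABLE payroll ENABLE VALIDATE CONSTRAINT payroll_emp_fk;

-- 3. Non-key column: format- and length-preserving random replacement, as in
--    the slide's output. Salary is left intact, as the slide does.
UPDATE emp SET last_name = DBMS_RANDOM.STRING('U', LENGTH(last_name));
COMMIT;

-- 4. Remove the reverse transformation.
DROP TABLE ssn_map PURGE;

-- Checks: no orphaned child rows, and no original SSN survives anywhere.
SELECT COUNT(*) AS orphans
FROM   payroll p
WHERE  NOT EXISTS (SELECT 1 FROM emp e WHERE e.ssn = p.ssn);   -- expect 0

SELECT COUNT(*) AS leaked
FROM   emp
WHERE  ssn IN ('203-33-3234', '323-22-2943', '989-22-2403', '093-44-3823');   -- expect 0
```

Two caveats the slide's "protect against reverse transformation" implies but does not spell out: the originals still exist in this database's undo, redo and flashback data until they age out, so mask on the clone before any export leaves it, not on a copy that is also the shipping artefact; and per-row random names (step 3) are fine only for columns nothing joins on, otherwise they need the mapping treatment of step 1.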

Data Masking Pack: Oracle Enterprise Manager

• Automates production data masking
  • Mask data from a production database
  • Define rules once
• Data relationship discovery
  • Automates data relationship enforcement using existing foreign keys
  • Enter custom data relationships known to the application
• Rules repository
  • Format library, masking definitions
• Testing
  • View sample data before masking

Diagram: Production → Clone/Staging → Mask → Test.

Data Security Components

• User Management
• Data Protection
• Access Control
• Monitoring
  • Enterprise Audit
  • Configuration Mgmt Pack
• Core Platform Security

Oracle Audit Vault Overview: Trust-but-Verify

• Collect and Consolidate Audit Data
  • Oracle 9i Release 2 and higher
• Simplify Compliance Reporting
  • Built-in reports
  • Open warehouse schema
• Detect and Prevent Insider Threats
  • Detect and alert proactively on suspicious activity, early
• Scale and Security
  • Database Vault, Advanced Security
  • Partitioning
• Lower IT Costs with Audit Policies
  • Centrally manage and provision audit settings

Diagram: Oracle 9iR2, 10gR1 and 10gR2 databases (other sources in future) feed the Audit Vault, which provides Monitor, Policies, Reports and Security.

Oracle Audit Vault Reports: Out-of-the-box Audit Assessments & Custom Reports

• Out-of-the-box reports
  • Privileged user activity
  • Access to sensitive data
  • Role grants
  • DDL activity
  • Login/logout
• User-defined reports
  • What did privileged users do on the financial database?
  • What did user 'A' do across multiple databases?
  • Which non-application users accessed sensitive data?
• Warehouse schema published
  • Oracle BI Publisher or 3rd-party tools

Oracle Audit Vault Policies: Enterprise-wide Security & Compliance View

• Audit Policies: a collection of audit settings on the databases
• Compare new settings against the existing audit settings on the source
• Apply audit settings centrally
• Demonstrate compliance to auditors

Diagram: the Audit Vault Administrator provisions FERPA, privileged-user and student-privacy audit settings to the Financial, Student and HR databases.

EM Configuration Management Pack for Database: Compliance-driven Secure Configuration Policies

• Automate Database Security Assessment
  • Database Parameters
  • Database Profile
  • Database Access
  • Database File Permissions
  • Post-installation Checks
• Track Configuration Drift across all monitored databases
• Supports 8i and higher database releases
• Maps to COBIT, CIS and Oracle's best practices

Screenshot: Compliance Score Trends

Oracle Database 11g: Security Manageability

• Integrated with EM
  • Label Security
  • Virtual Private Database
  • Application Context
  • Enterprise Security Manager
  • Transparent Data Encryption

Summary: Oracle Database Security Products

Transparent Data Encryption: protect information without changes to the application by transparently encrypting and decrypting data.

Oracle Label Security: control access using labels and classifications.

Virtual Private Database: build custom security policies.

Oracle Secure Backup: data-to-tape encryption protects against the misuse of sensitive information if backup tapes are stolen.

Fine-Grained Auditing: DBAs specify the conditions necessary to generate an audit record.

Oracle Audit Vault: administrators can consolidate and protect audit information, enabling centralized analysis and reporting on audit data.

Oracle Identity Management: with Oracle Enterprise User Security, DBAs manage database users and authorizations in one central place.

Oracle Database Vault
• Control access to data and applications, even among administrators.
• Build Rules and Realms to restrict access.
• Multifactor authorization enforces how, when, and where applications can be accessed by verifying IP address, authentication method, and time of day.
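Virtual Private Database and Fine-Grained Auditing appear throughout the deck (column masking, column-relevant policies, conditional audit records) without a concrete policy being shown. This added example, not from the deck, builds one of each on HR.EMP: a VPD policy in column-masking mode and an FGA policy that records reads of the sensitive columns by anyone other than the application account. The LOGIN_NAME column, the HR_APP account and the policy names are assumptions. One caveat the summary above does not state: VPD is not applied to SYS or to users holding EXEMPT ACCESS POLICY, which is why the deck pairs it with Database Vault for privileged users.

```sql
-- Added example (not from the original deck). Assumed: column HR.EMP.LOGIN_NAME
-- holds the database user name of the employee, account HR_APP is the
-- application's connection user.

-- Policy function. Returning NULL means "no predicate" for that session.
CREATE OR REPLACE FUNCTION hr.emp_row_policy(p_schema IN VARCHAR2,
                                             p_object IN VARCHAR2)
RETURN VARCHAR2
AS
BEGIN
  IF SYS_CONTEXT('USERENV', 'SESSION_USER') IN ('HR', 'HR_APP') THEN
    RETURN NULL;                                   -- owner and app: unrestricted
  END IF;
  -- Everyone else: only their own row
  RETURN 'login_name = SYS_CONTEXT(''USERENV'',''SESSION_USER'')';
END;
/

BEGIN
  -- VPD column masking: every row is returned, but SSN and SALARY come back
  -- NULL on rows the predicate does not match. Drop sec_relevant_cols_opt to
  -- switch to "column relevant" mode, where the rows themselves are filtered
  -- whenever SSN or SALARY appears in the statement, and nothing is filtered
  -- when they do not. Masking mode applies to SELECT only.
  DBMS_RLS.ADD_POLICY(
    object_schema         => 'HR',
    object_name           => 'EMP',
    policy_name           => 'EMP_SSN_MASK',
    function_schema       => 'HR',
    policy_function       => 'EMP_ROW_POLICY',
    statement_types       => 'SELECT',
    sec_relevant_cols     => 'SSN,SALARY',
    sec_relevant_cols_opt => DBMS_RLS.ALL_ROWS);

  -- Fine-grained auditing: write a record only when the condition holds AND
  -- one of the named columns is touched. Here: any read or change of SSN or
  -- SALARY by a session that is not the application or the schema owner.
  DBMS_FGA.ADD_POLICY(
    object_schema     => 'HR',
    object_name       => 'EMP',
    policy_name       => 'EMP_SSN_READ',
    audit_condition   => 'SYS_CONTEXT(''USERENV'',''SESSION_USER'') NOT IN (''HR'',''HR_APP'')',
    audit_column      => 'SSN,SALARY',
    statement_types   => 'SELECT,UPDATE',
    audit_trail       => DBMS_FGA.DB_EXTENDED,      -- keep SQL text and bind values
    audit_column_opts => DBMS_FGA.ANY_COLUMNS);
END;
/

-- Check 1: as an ordinary user, all rows come back, but SSN/SALARY are NULL
-- except on the caller's own row. As HR_APP the same query shows everything.
SELECT last_name, ssn, salary FROM hr.emp;

-- Check 2: that query by the ordinary user produced exactly one FGA record,
-- with the statement text; the same query by HR_APP produced none.
SELECT timestamp, db_user, os_user, userhost, policy_name, sql_text
FROM   dba_fga_audit_trail
WHERE  object_schema = 'HR' AND object_name = 'EMP'
ORDER  BY timestamp DESC;
```

Keep the audit condition and the VPD predicate cheap: both are evaluated at parse or execution time for every statement against the table, and a predicate that itself queries EMP would be subject to the same policy.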


Oracle Data Privacy Shield (ODPS): Privacy Vault Security

Diagram: the ODPS Identity Protection Application maintains the data held in the ODPS Privacy Vault. Defense-in-depth security inside the ODPS Privacy Vault:

• TDE: encrypt the SSN column
• VPD: restrict SSN column-level access
• Rules: restrict authorized actions based on rules
• Realms: restrict use of system privileges (e.g. DBA access)
• DB Auth: implement role-based security
• Auditing: trust but verify