
Oracle Database 11gR2 Security

(2)


Oracle Database 11g Release 2 Security Update and Plans

Defense-in-Depth

(3)


Program Agenda

• Today’s Threat Landscape

• Defense-in-Depth Approach

• Oracle Database Security Solutions

• Oracle Database Firewall New!

• Summary

• Q&A

(4)

Why Secure the Database?

(5)

Security Technologies Deployed

Authentication

Identity Management Network Security

Vulnerability Mgmt End Point Security

email Security

Other Security

Employee Customer

Citizen

DB Security?

(6)

How Data Gets Compromised?

Source: Verizon 2010 Data Breach Investigations Report

(7)

2010 Data Breach Investigations Report

92% of Records from Compromised Databases

Where Losses Come From?

(8)

Top Attack Techniques

% Breaches and % Records

2010 Data Breach Investigations Report

Most records lost through

“Stolen Credentials” & “SQL Injection”

(9)

Existing Security Solutions Not Enough

Application Database Administrators

Data Must Be Protected in depth

Application Users

Botware Malware

Key Loggers Espionage

Phishing

SQL Injection

Social Engineering

Web Users

(10)

Database Security

Defense-In-Depth Approach

• Monitor and block threats before they reach databases

• Control access to data within the databases

• Track changes and audit database activity

• Encrypt data to prevent direct access

• Implement with

– Transparency – no changes to existing applications

– High Performance – no measurable impact on applications

– Accuracy – minimal false positives and negatives

(11)

Oracle Database Security

Defense-in-Depth

Access Control

Oracle Database Vault

Oracle Label Security

Oracle Advanced Security

Oracle Secure Backup

Oracle Data Masking

Encryption and Masking

Auditing and Tracking

Oracle Audit Vault

Oracle Configuration Management

Oracle Total Recall

Oracle Database Firewall

Monitoring and Blocking

(12)

Oracle Database Security

Defense-in-Depth

Oracle Advanced Security

Oracle Secure Backup

Oracle Data Masking

Encryption and Masking

(13)

Oracle Advanced Security

End–to–end Encryption

Application

Disk

Backups

Exports

Off-Site Facilities

• Efficient encryption of all application data

• Built-in key lifecycle management

• No application changes required

• Works with Exadata and Oracle Advanced Compression

(14)

Oracle Advanced Security

Integrated with Oracle Enterprise Manager

(15)

TDE Column Encryption

Integrated with Oracle Enterprise Manager

(16)

Oracle Advanced Security What’s New and Coming?

• Hardware Acceleration Support

– Performance overhead already < 10% for most applications

– 7-10x performance gain with Intel Advanced Encryption Standard New Instructions (AES-NI) and Oracle SPARC T-3

• Key Management and HSM Support

– Certified with SafeNet, Thales, Utimaco using PKCS #11

– Planned support for Oracle’s Key Management System

(17)

Oracle Data Masking

Irreversible De-Identification

• Mask sensitive data for test and partner systems

• Sophisticated masking: Condition-based, compound, deterministic

• Extensible template library and policies for automation

• Leverage masking templates for common data types

• Integrated masking and cloning

• Masking of heterogeneous databases via database gateways

• Command line support for data masking tasks

Production

LAST_NAME  SSN          SALARY
AGUILAR    203-33-3234  40,000
BENSON     323-22-2943  60,000

Non-Production

LAST_NAME   SSN          SALARY
ANSKEKSL    111-23-1111  40,000
BKJHHEIEDK  222-34-1345  60,000

New

New

(18)

Oracle Data Masking

What’s Coming?

• Sensitive data identification based on privacy attributes

• Application Masking templates for

– E-Business Suite

(19)

Oracle Database Security

Defense-in-Depth

Access Control

Oracle Database Vault

Oracle Label Security

Oracle Advanced Security

Oracle Secure Backup

Oracle Data Masking

Encryption and Masking

(20)

Oracle Database Vault

Separation of Duties & Privileged User Controls

• Restricts application data from privileged users

• DBA separation of duties

• Securely consolidate application data

• No application changes required

Procurement HR Finance

Application

select * from finance.customers

DBA

(21)

Oracle Database Vault

Multi-Factor Access Control Policy Enforcement

• Protect application data and prevent application by-pass

• Enforce who, where, when, and how using rules and factors

• User Factors: Name, Authentication type, Proxy Enterprise Identity

• Network Factors: Machine name, IP, Network Protocols

• Database Factors: IP, Instance, Hostname, SID

• Runtime Factors: Date, Time

Procurement HR Rebates

Application

(22)

Oracle Database Vault

Out-of-the Box Protections For Applications

• Pre-built policies with further possible customization

• Complements application security

• Transparent to existing applications

• Minimal performance overhead

• Certifications Underway:

– Oracle Hyperion

– Oracle Tax and Utilities

Oracle E-Business Suite 11i / R12

PeopleSoft Applications

Siebel, i-Flex, Retek

JD Edwards EnterpriseOne

SAP

Infosys Finacle

(23)

Oracle Label Security

Data Classification for Access Control

• Classify users and data based on business drivers

• Database enforced row level access control

• Users classification through Oracle Identity Management Suite

• Classification labels can be factors in Database Vault

Confidential

Sensitive

Public

Transactions

Report Data

Reports

(24)

Oracle Database Security

Defense-in-Depth

Access Control

Oracle Database Vault

Oracle Label Security

Oracle Advanced Security

Oracle Secure Backup

Oracle Data Masking

Encryption and Masking

Auditing and Tracking

Oracle Audit Vault

Oracle Configuration Management

Oracle Total Recall

(25)

Oracle Audit Vault

Automated Audit Collection and Reporting

• Consolidate audit data into a secure warehouse

• Create/customize compliance and entitlement reports

• Detect and raise alerts on suspicious activities

• Centralized audit policy management

• Integrated audit trail cleanup

CRM Data

ERP Data

Databases

HR Data

Audit Data

Policies

Built-in Reports

Alerts

Custom Reports

Auditor

(26)

Oracle Audit Vault

Consolidated Reports Span Enterprise Databases

(27)

Oracle Audit Vault 10.2.3.2

Default Reports

(28)

Oracle Configuration Management

Secure Configuration & Change Tracking

• Continuous scanning against best practices and gold baselines

• 200+ out-of-the-box policies spanning host, database, and middleware

• Real-time detection of changes to processes, files, etc.

• Violations can trigger emails and create tickets

Optimized for Oracle with Industry Specific Compliance Dashboards

User-defined Policies & Groups

Real-Time Change Detection

Industry & Regulatory Frameworks

Compliance Dashboard

Out-of-box Policies

(29)

Oracle Database Security

Defense-in-Depth

Access Control

Oracle Database Vault

Oracle Label Security

Oracle Advanced Security

Oracle Secure Backup

Oracle Data Masking

Encryption and Masking

Auditing and Tracking

Oracle Audit Vault

Oracle Configuration Management

Oracle Total Recall

Oracle Database Firewall

Monitoring and Blocking

(30)

Oracle Database Firewall

First Line of Defense

• Prevent unauthorized activity, application bypass and SQL injections

• Highly accurate SQL grammar based analysis

• Flexible enforcement options

• Built-in and custom compliance reports

Policies

Built-in Reports

Alerts

Custom Reports

Applications

Block

Log

Allow

Alert

Substitute

(31)

Oracle Database Firewall

Security Model

• White-list based policies enforce normal or expected behavior

• Evaluate factors such as time, day, network, app, etc.

• Easily generate white-lists for any application

• Log, alert, block or substitute out-of-policy SQL statements

• Black lists to stop unwanted SQL commands, user, or schema access

• Superior performance and policy scalability based upon clustering

White List

Applications Block

Allow

(32)

Management Server

Oracle Database Firewall

Deployment Architecture

• In-line blocking and monitoring, or out-of-band monitoring modes

• Monitoring of remote databases by forwarding network traffic

• Centralized policy management and reporting

• High availability options for Database firewalls and Management Servers

• Support for multiple Oracle/non-Oracle Databases with the same firewall

In-Line Blocking and Monitoring

HA In-Line Mode Inbound

SQL Traffic

Out-of-Band Monitoring

Management Server

Policy

Analyzer

(33)

Oracle Database Security – Big Picture

Procurement HR Rebates

Encrypted Backups Encrypted

Database Encrypted

Exports

Data Masking Audit

consolidation

Procurement HR Rebates Sensitive Sensitive Confidential Confidential

Public Public

Local DBA Privilege Mis-Use

DB Consolidation Security Unauthorized

Local Activity

Applications

Block Log Allow

Alert Substitute

Network SQL

Monitoring

and Blocking

(34)

Oracle Database Security

Key Differentiators

(35)

More Oracle Database Security Presentations

• Monday:

12:30 pm: Making a Business Case for Information Security MS 300

3:30 pm: Oracle Database 11g Release 2 Security: Defense-in-Depth MS 103

• Tuesday:

12:30 pm: Real-World Deployment and Best Practices: Oracle Audit Vault MS 104

2:00 pm: Real-World Deployment and Best Practices: Oracle Advanced Security MS 300

2:00 pm: Best Practices for Ensuring the Highest Enterprise Database Security MS 304

3:30 pm: Database Security Event Management: Oracle Audit Vault and ArcSight MS 300

5:00 pm: Real-World Deployment and Best Practices: Oracle Database Vault MS 303

• Wednesday:

10:00 am: Protect Data and Save Money: Aberdeen MS 306

11:30 am: Preventing Database Attacks With Oracle Database Firewall MS 306

4:45 pm: Centralized Key Management and Performance: Oracle Advanced Security MS 306

• Thursday:

10:30 am: Deploying Oracle Database 11g Securely on Oracle Solaris MS 104

MS = Moscone South

(36)

Oracle Database Security Hands-on-Labs

• Monday:

Database Vault 11:00AM | Marriott Marquis, Salon 10 / 11

Database Vault 5:00PM | Marriott Marquis, Salon 10 / 11

• Tuesday:

Database Security 11:00AM | Marriott Marquis, Salon 10 / 11

• Thursday:

Advanced Security 12:00PM | Marriott Marquis, Salon 10 / 11

Audit Vault 1:30PM | Marriott Marquis, Salon 10 / 11

(37)

Oracle Database Security Demo Grounds

Moscone West

Oracle Database Firewall

Oracle Database Vault

Oracle Label Security

Oracle Audit Vault

Oracle Advanced Security

Oracle Database 11g Release 2 Security

Exhibition Hours

Monday, September 20 9:45 a.m. - 5:30 p.m.

Tuesday, September 21 9:45 a.m. - 5:30 p.m.

Wednesday, September 22 9:00 a.m. - 4:00 p.m.

(38)

The preceding is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.

(39)

For More Information

oracle.com/database/security

search.oracle.com

database security

(40)

Q & A
