Oracle Database Security

1
The twenty-four/seven database
Oracle Database Security
David YahalomSenior database consultant
davidy_at_xpert.com www.xpert.comwww.davidyahalom.c
om
2

• Security Drivers (and constraints)
• Enterprise value resides in Bits (I.P.) not
  Atoms (factories). Google Vs. Ford.
  
• Data everywhere, must be accurate, fast and
  available.
  
• Security must be Transparent to the end user.
• Security decisions increasingly tied to
  compliance (regulatory or in-house).
  

3

• Security Drivers (and constraints)
• Network security is well known and understood
  (VPN, Firewall).
  
• Attackers now going where data resides.
• Legitimate and authenticated users are a
  concern.
  

4

• Inbound Data
• Network Encryption
• Strong Authentication
• Identity Management

• Storage
• Transparent Data Encryption
• Secure Backup

• Monitor
• Database Vault.
• Audit Vault.
• Configuration Scanning.

• Access Control
• Database Vault
• Oracle Label Security
• Oracle VPD

• Outbound Data
• Network Encryption
• Data Masking

5

• A 2007 Oracle survey found that a DBA usually
  spend less than 7 of total work time on database
  security.
  

6

• Database Security is NOT a one time
  project.Database Security is a on-going
  process.
  
• Add a security-focused DBA to the security
  department.
  

7

• The secure database solutions
• Oracle Database Vault.
• Oracle Advanced Security.
• Oracle Audit Vault
• Virtual Private Database.
• Fine-Grained Auditing.
• Secure Backup.

8
Network
Oracle Database
End Client
DBA
Backup Medium
9
Oracle Security Solution Oracle Advanced Security
10

• Flowing Resting data
• Worry about Encryption in the land.
• Data at rest is a critical security concern
  (encrypt the heart of your data).
  

11
Network Security Threats
Data Theft
Data Modification or Replay
My competitor sees my bids in a sealed auction.
500.00
50,000
Data Disruption
Packet stolenOrder never arrives
12
Oracle Advanced Security Oracle Advanced Securi
ty is a security option for the Oracle
Database.Oracle Advanced Security combines
network encryption, database encryption and
strong authentication together to help customers
address privacy and compliance requirements.
13

• Oracle Advanced Security
• Transparent Data Encryption the datafile is
  safe!
  
• Network protocol traffic encryption
  integrity.
  
• Strong Authentication (Kerberos, RADIUS, SSL,
  PKI).
  
• Encryption standards
• RC4, DES, 3DES, AES.
• MD5 SH1 data integrity.

14
Network
Oracle Database
End Client
DBA
Backup Medium
15
Oracle Security Solution Oracle Database Vault
16
Database Vault Authoritative security studies h
ave documented that more than 80 of information
system data losses and attacks have been
perpetrated by 'insiders' those authorized with
some level of access to the system and its
data. 80 of threats come from insiders.
65 of internal threats are undetected.
17
(No Transcript)
18
Database Vault Oracle Database Vault addresses
common regulatory compliance requirements and
reduces the risk of
insider threats.
19

• Database Vault
• Preventing highly privileged users (DBA) from
  accessing application data.
  
• Enforcing separation of duty (DBA cant create
  users, view data).
  
• Providing controls over who, when, where and how
  applications, data and databases can be
  accessed.
  
• Can be added to existing application
  environments without changes to the existing
  application code.

20
Wallet password is separate from
System or DBA password
No access to wallet
DBA starts up Database
Security DBA opens wallet containing master key
21
Network
Oracle Database
End Client
DBA
Backup Medium
22
Oracle Security Solution Oracle Virtual Private D
atabase
23
Virtual Private Database Also known as Fine Gra
ined Access Control, provides powerful row-level
security capabilitiesFor example, VPD can be
used restrict access to data during business
hours.
24
Virtual Private DatabaseTransparently
modifying requests for data to present a partial
view of the tables to the users based on a set of
defined criteria. select from accounts
changes to select from accounts where am_na
me BOAZ'
25
Virtual Private Database Oracle Label Security
optional add-on for providing easy to use
interface for row-level security. No coding
needed.
26
Network
Oracle Database
End Client
DBA
Backup Medium
27
Oracle Security Solution Oracle Secure Backup
28
Secure Backup The next generation centralized t
ape backup management delivers advanced media
management and backup encryption for file systems
and Oracle.
29

• Secure Backup
• Optimized tape backup for Oracle increasing
  backup performance by 10 25.
  
• Secure data protection - 256 AES backup
  encryption for file systems protecting backup
  data when tapes are onsite, offsite or lost.
  
• Integrated to EM RMAN tape backups can now be
  done by the DBA.

30
Network
Oracle Database
End Client
DBA
Backup Medium
31
Oracle Security Solution Oracle Audit Vault
32
Audit Vault Oracle Audit Vault turns audit data
into a key security resource to help address
today's security and compliance challenges.
Oracle Audit Vault automates the audit
collection, integrates sources, simply compliance
reporting and provides scale and security.
33

• Audit Vault
• Logon failures, privilege usage, data access,
  object
  access, and other activities
  
• Statement, privilege, schema object and
  content-based auditing.
  
• Alerts compliance reports.
• Audit data warehouse report generation.

34
(No Transcript)
35
Oracle Security Solution The Complete Secure Data
base
36
Network
Oracle Database
End Client
DBA
Backup Medium
37
Thank You!