Month, Day, Year

Venue
City

Oracles Maximum Database Security Architecture

Marcin Kozak
1 Software Architect, Security
Copyright 2011, Oracle and/or its affiliates. All rights
reserved.
Insert Information Protection Policy Classification from Slide 8
 Program Agenda

The State of Security

Oracle Maximum Database Security
Architecture
Protecting Enterprise Databases
What is the threat?
How is it exploited?
How can you protect against it?
Q&A

2 Copyright 2011, Oracle and/or its affiliates. All rights

reserved.
 Why Maximum Security?

Two Thirds of Sensitive and Regulated

Information now Resides in Databases
and Doubling Every Two Years
Classified Govt. Info.
Trade Secrets
Competitive Bids
Corporate Plans
Credit Cards Source Code
HR Data Customer Data Bug Database
Citizen Data Financial Data

3 Copyright 2011, Oracle and/or its affiliates. All rights Source: "Effective Data Leak Prevention Programs: Start by Protecting Data at
reserved. the Source Your Databases", IDC, August 2011
 The 2000-2010 Decade Landscape

IT Landscape
Highly available and scalable
Outsourcing, offshoring, Third Party Service Providers
Threat Landscape
SQL Injection introduced (Oct 2000), Insider Threats
Advanced Persistent Threats (APT), Organized Crime, State Sponsored,.
Regulatory Landscape
SOX (2002), C-SOX (2003), J-SOX (2006), Australian CLERP-9 (2004),
Payment Card Industry (2.0 in Oct 2010), Breach disclosure laws

4 Copyright 2011, Oracle and/or its affiliates. All rights

reserved.
 Landscape Looking Ahead

IT Landscape
Vanishing perimeter dissolves insider/outsider differences
Data consolidation, massive warehouses
Public/private cloud, partner, globalization
Threat Landscape
Sophisticated hacking tools, bot networks, supply chain
Cyber terrorism and warfare sponsored by nation states
Databases to become a prime target
Regulatory Landscape
Moving from pure detective controls to preventive controls
All countries and states joining in protecting PII data

5 Copyright 2011, Oracle and/or its affiliates. All rights

reserved.
 Is IT Security Addressing Databases?

Network Security

Forrester estimates
that although 70% Authentication Endpoint
Security Security
of enterprises have
an information security plan, only 20%
of enterprises have a
Database
database security plan. Security Vulnerability
Email Security Management

6 Copyright 2011, Oracle and/or its affiliates. All rights

reserved.
Source: Creating An Enterprise Database Security Plan, Forrester Reseach Inc. July 2010
 Database Security Big Picture
Compliance
Data Vulnerability
Scan
Discovery Scan
Patch
Activity Audit
Automation

Auditing Encrypted Database

Applications Authorization Data Masking

Authentication
Network SQL Monitoring
and Blocking

Unauthorized Multi-factor
DBA Activity authorization

7 Copyright 2011, Oracle and/or its affiliates. All rights

reserved.
 Sources of Vulnerability
Attacks can come from anywhere
SQL Injection attack
Applications Application Bypass

Access to production data in non-secure environment

Test and Dev Access to production systems for trouble shooting

Administrative Account System admin, DBA, Application admins

Misuse Stolen credential, Inadequate training, Malicious Insiders

Lost / Stolen Backups

Operations Direct OS Access

8 Copyright 2011, Oracle and/or its affiliates. All rights

reserved.
 Sources of Vulnerability
Attacks can come from anywhere
SQL Injection attack
Application Users Application Bypass

Access to production data in non-secure environment

Test and Dev Access to production systems for trouble shooting

Administrative Account System admin, DBA, Application admins

Misuse Stolen credential, Inadequate training, Malicious Insiders

Lost / Stolen Backups

Operations Direct OS Access

9 Copyright 2011, Oracle and/or its affiliates. All rights

reserved.
 Operations

Data files can be accessed directly at the operating system

What (OS) level, bypassing all database controls

Gain access to OS root account, Oracle software account,

How Oracle DBA account
Copy or search raw database files

Protection Encrypt database files

OS level auditing
Strategy Limit accounts on production servers

10 Copyright 2011, Oracle and/or its affiliates. All rights

reserved.
 Transparent Data Encryption
Oracle Advanced Security
Disk

Backups

Exports
Application
Off-Site
Facilities

Protects from unauthorized OS level or network access

Efficient encryption of all application data
Built-in key lifecycle management
No application changes required

11 Copyright 2011, Oracle and/or its affiliates. All rights

reserved.
 Account Misuse

SQL Injection
Applications Application Bypass

Access to production data in non-secure environment

Test and Dev Access to production systems for trouble shooting

System admin, DBA, Application admins

Administrative Account
Stolen credential, Inadequate training, Malicious
Misuse Insiders

Lost / Stolen Backups

Operations Direct OS Access

12 Copyright 2011, Oracle and/or its affiliates. All rights

reserved.
 Account Misuse

What Privileged accounts are a targets of attack

How Privileged accounts have unfettered access

Protection Limit administrative account access to the database

Audit privileged user activity
Strategy Preventive controls around application data

13 Copyright 2011, Oracle and/or its affiliates. All rights

reserved.
 Database Operational Controls
Oracle Database Vault

Procurement

HR
Application select * from
Finance finance.customers

DBA
Limit powers of privileged users, and enforce SoD
Protect application data and prevent application by-pass
Enforce who, where, when, and how using rules and factors
Securely consolidate application data
No application changes required

14 Copyright 2011, Oracle and/or its affiliates. All rights

reserved.
 Audit Consolidation & Reporting
Oracle Audit Vault
!
Alerts
HR Data
Built-in
CRM/ERP Data Audit Reports
Data Custom
Custom App Reports
Policies Auditor

Consolidate audit data into secure repository

Detect and alert on suspicious activities
Out-of-the box compliance reporting

15 Copyright 2011, Oracle and/or its affiliates. All rights

reserved.
 Test and Dev

SQL Injection attack

Applications Application Bypass

Access to production data in non-secure environment

Test and Dev Access to production systems for trouble shooting

Administrative Account System admin, DBA, Application admins

Misuse Stolen credential, Inadequate training, Malicious Insiders

Lost / Stolen Backups

Operations Direct OS Access

16 Copyright 2011, Oracle and/or its affiliates. All rights

reserved.
 Test and Dev

Product data frequently copied to development and test

What PII data unnecessarily exposed

Test and dev systems may not be as well monitored or

How protected as production systems

Protection Mask sensitive production data before transferring

Strategy Restrict connectivity between test/dev and production

17 Copyright 2011, Oracle and/or its affiliates. All rights

reserved.
 Irreversible De-Identification
Oracle Data Masking

Production Non-Production
LAST_NAME SSN SALARY LAST_NAME SSN SALARY

AGUILAR 203-33-3234 40,000 ANSKEKSL 11123-1111 40,000

BENSON 323-22-2943 60,000 BKJHHEIEDK 222-34-1345 60,000

Reduce scope of audit with irreversible de-Identification on non-

production databases
Referential integrity preserved so applications continue to work
Extensible template library and policies for automation

18 Copyright 2011, Oracle and/or its affiliates. All rights

reserved.
 Applications

SQL Injection attack

Applications Application Bypass

Access to production data in non-secure environment

Test and Dev Access to production systems for trouble shooting

Administrative Account System admin, DBA, Application admins

Misuse Stolen credential, Inadequate training, Malicious Insiders

Lost / Stolen Backups

Operations Direct OS Access

19 Copyright 2011, Oracle and/or its affiliates. All rights

reserved.
 Applications

Applications may be vulnerable to SQL Injection attacks

What Legacy applications particularly vulnerable

How Application input fields can be misused

Protection Monitor in-bound application SQL

Strategy Block unauthorized SQL before it reaches the database

20 Copyright 2011, Oracle and/or its affiliates. All rights

reserved.
 First Line of Defense on the Network
Oracle Database Firewall
Allow
Log
Alert
Substitute
Applications
Block

Alerts Built-in Custom Policies

Reports Reports

Monitors database activity, and prevents attacks and SQL injections

White-list, black-list, and exception-list based security policies based upon
highly accurate SQL grammar based analysis
In-line blocking and monitoring, or out-of-band monitoring modes
21 Copyright 2011, Oracle and/or its affiliates. All rights
reserved.
 Issues to Ponder?

1 Is our IP secured?

2 Can we defend against APTs and other attacks?

3 Would we know if we were breached?

4 Do privileged users know what they should not?

5 Are we in compliance with all regulations?

22 Copyright 2011, Oracle and/or its affiliates. All rights

reserved.
 Q&A

23 Copyright 2011, Oracle and/or its affiliates. All rights

reserved.
24 Copyright 2011, Oracle and/or its affiliates. All rights
reserved.
25 Copyright 2011, Oracle and/or its affiliates. All rights
reserved.