Oracle DB Security


Transcript of Oracle DB Security

  • 8/14/2019 Oracle DB Security


  • Data Security Lifecycle
    Inbound Data: Network Encryption, Strong Authentication, Identity Management Integration
    Storage: Transparent Data Encryption, Secure Backup
    Access Control: Database Vault, Oracle Label Security, Fusion Security
    Outbound Data: Network Encryption
    Monitor: Configuration Scanning, Audit Vault

  • Agenda
    Network Encryption: encryption of data in motion
    Strong Authentication: PKI, Kerberos, RADIUS
    Data Encryption: encryption of data at rest
    Secure Backup
    Oracle Data Vault
    DB Auditing: Audit Vault

  • Network Security Threats
    1. Data Theft: "My competitor sees my bids in a sealed auction."
    2. Data Modification or Replay
    3. Data Disruption: packet stolen, order never arrives
    (Figure amounts: $500.00 and $50,000.)

  • Network Encryption
    Provided by Oracle for nearly a decade
    Encrypts all communication with the database: AES; RSA RC4 (40-, 56-, 128-, 256-bit keys); DES (40-, 56-bit) and 3DES (2- and 3-key)
    Data integrity with checksums: MD5, SHA-1
    Automatically detects modifications, replays, missing packets
    Easy to set up


  • Strong Authentication
    Kerberos: ease of deployment makes this a popular choice
    PKI: large customers are working on full-scale deployments; strong interest among large universities; Oracle supports SSL accelerators
    RADIUS: database integrates with RADIUS
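Added check, not part of the deck: the network encryption slide mixes strong options (AES, SHA-1) with legacy ones (40-bit RC4 and DES, MD5), and the Kerberos/PKI/RADIUS choice on this slide is visible as each session's authentication type, so a defender wants to see what live sessions actually negotiated. The query assumes a DBA-privileged connection and a release that exposes V$SESSION_CONNECT_INFO; it is written here as an example, not Oracle's own tooling.

```sql
-- List what each user session negotiated for native network encryption,
-- integrity checksumming and authentication. V$SESSION_CONNECT_INFO holds one
-- banner line per service, for example
--   "AES256 Encryption service adapter for Linux: Version ... - Production"
--   "SHA256 Crypto-checksumming service adapter for Linux: Version ..."
-- so the first word of an adapter line is the negotiated algorithm.
SELECT s.sid,
       s.username,
       s.machine,
       -- DATABASE = password, OS, PROXY, NETWORK = Kerberos / SSL / RADIUS
       MAX(ci.authentication_type) AS auth_type,
       MAX(CASE WHEN ci.network_service_banner LIKE '% Encryption service adapter%'
                THEN REGEXP_SUBSTR(ci.network_service_banner, '^[^ ]+') END) AS encryption,
       MAX(CASE WHEN ci.network_service_banner LIKE '% Crypto-checksumming service adapter%'
                THEN REGEXP_SUBSTR(ci.network_service_banner, '^[^ ]+') END) AS checksum
FROM   v$session s
JOIN   v$session_connect_info ci
       ON ci.sid = s.sid AND ci.serial# = s.serial#
WHERE  s.type = 'USER'
GROUP  BY s.sid, s.username, s.machine
-- Sessions with no encryption or checksum at all, or with a legacy algorithm
-- such as RC4_40, DES40 or MD5, sort first: those are the findings to act on.
ORDER  BY encryption NULLS FIRST, checksum NULLS FIRST, s.sid;
```

To stop such sessions being negotiated in the first place, the server-side sqlnet.ora parameters SQLNET.ENCRYPTION_SERVER / SQLNET.CRYPTO_CHECKSUM_SERVER are set to REQUIRED and the *_TYPES_SERVER lists are restricted to the AES and SHA algorithms the release supports.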


  • The Need for Encryption
    Worldwide privacy, security laws and regulations: Sarbanes-Oxley, PCI, California SB 1386, country-specific laws
    Customer credit card numbers
    Disks replaced for maintenance, laptops stolen, backups lost
    Data worthless if encrypted

  • The DBMS_CRYPTO Package
    Formerly DBMS_OBFUSCATION_TOOLKIT (Release 8)
    Extensive control of options: generate as many, or as few, keys as you desire; granular access control; manual salt generation; algorithm selection; chaining mode
    Limited transparency
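Added example of the package in use, not from the deck: AES-256 in CBC mode with a per-value random IV (the manual salt the slide refers to) and a round trip back to plaintext. It assumes EXECUTE on DBMS_CRYPTO has been granted to the calling schema and that in production the key would come from a wallet or key service; the card number is a constructed test value.

```sql
-- Run with SET SERVEROUTPUT ON in SQL*Plus to see the two result lines.
DECLARE
  l_algo   PLS_INTEGER := DBMS_CRYPTO.ENCRYPT_AES256
                        + DBMS_CRYPTO.CHAIN_CBC
                        + DBMS_CRYPTO.PAD_PKCS5;
  -- 256-bit key, generated here for illustration only. In practice it is
  -- fetched from a wallet or key service and never stored beside the data.
  l_key    RAW(32)   := DBMS_CRYPTO.RANDOMBYTES(32);
  -- Fresh random IV for every value. It is not secret and is stored next to
  -- the ciphertext so the value can be decrypted later; reusing one IV with
  -- the same key would let identical card numbers produce identical output.
  l_iv     RAW(16)   := DBMS_CRYPTO.RANDOMBYTES(16);
  -- Constructed sample value (a test card number, not real data).
  l_plain  RAW(2000) := UTL_I18N.STRING_TO_RAW('4111 1111 1111 1111', 'AL32UTF8');
  l_cipher RAW(2000);
  l_stored RAW(2016);   -- what would be persisted: IV || ciphertext
  l_back   VARCHAR2(200);
BEGIN
  l_cipher := DBMS_CRYPTO.ENCRYPT(src => l_plain, typ => l_algo,
                                  key => l_key,   iv  => l_iv);
  l_stored := UTL_RAW.CONCAT(l_iv, l_cipher);

  -- Later: split the stored blob back into IV and ciphertext and decrypt.
  l_back := UTL_I18N.RAW_TO_CHAR(
              DBMS_CRYPTO.DECRYPT(src => UTL_RAW.SUBSTR(l_stored, 17),
                                  typ => l_algo,
                                  key => l_key,
                                  iv  => UTL_RAW.SUBSTR(l_stored, 1, 16)),
              'AL32UTF8');

  DBMS_OUTPUT.PUT_LINE('ciphertext bytes: ' || UTL_RAW.LENGTH(l_cipher));
  DBMS_OUTPUT.PUT_LINE('round trip ok:    ' ||
    CASE WHEN l_back = '4111 1111 1111 1111' THEN 'yes' ELSE 'no' END);
END;
/
```

Everything the package leaves to the caller here (key storage, IV handling, which schemas may execute it, changing every query that touches the column) is the "limited transparency" of the slide, and is what Transparent Data Encryption removes.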

  • Transparent Data Encryption
    Integrated with the Oracle database for simplicity: ALTER TABLE ... ENCRYPT column
    Provides application transparency: no API calls, database triggers or views required
    Media protection of PII data: Social Security numbers, credit card numbers
    Performance: works with existing indexes for fast searches

  • Separation of duties
    DBA starts up the database but has no access to the wallet
    Security DBA opens the wallet containing the master key
    Wallet password is separate from the SYSTEM or DBA password

  • Master key and column keys
    Master key stored in a PKCS#12 wallet; Security DBA opens the wallet containing the master key
    Column keys encrypted by the master key
    Column keys encrypt data in columns
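The three slides above as one worked procedure (added example, not from the deck): the security DBA opens the wallet, the schema owner encrypts columns of a constructed CUSTOMERS table, and the result is verified from the data dictionary. It also shows the caveat behind "works with existing indexes": an indexed column must be encrypted NO SALT, and only equality lookups can use that index, not range scans. Assumes a wallet already created under the ENCRYPTION_WALLET_LOCATION in sqlnet.ora; the password and table are placeholders, and the syntax is pre-12c with the 12c equivalent noted in a comment.

```sql
-- Step 1, as the security DBA holding the wallet password: make the master
-- key available. From 12c the equivalent statement is
--   ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "<wallet password>";
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "<wallet password>";

-- Step 2, as the schema owner: encrypt the sensitive columns. The database
-- generates a column key and encrypts it with the master key; no application
-- change is needed. Salted encryption (the default) is preferred, but a
-- salted column cannot be indexed, so the indexed card number uses NO SALT
-- and the unindexed SSN keeps the salt. Encrypting without the wallet open
-- fails with ORA-28365.
CREATE TABLE customers (
  cust_id NUMBER PRIMARY KEY,
  name    VARCHAR2(100),
  card_no VARCHAR2(19),
  ssn     VARCHAR2(11)
);
CREATE INDEX customers_card_ix ON customers (card_no);

ALTER TABLE customers MODIFY (card_no ENCRYPT USING 'AES256' NO SALT);
ALTER TABLE customers MODIFY (ssn     ENCRYPT USING 'AES256');

-- Step 3: verify which columns are encrypted, with what, and that the wallet
-- is open. Applications keep issuing plain SQL; decryption happens in the
-- SQL layer, so data on disk and in backups stays ciphertext.
SELECT owner, table_name, column_name, encryption_alg, salt
FROM   dba_encrypted_columns
WHERE  table_name = 'CUSTOMERS';

SELECT wrl_type, status
FROM   v$encryption_wallet;
```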

  • Oracle Secure Backup: Tape Backup Management
    Highest levels of tape data protection at the lowest cost!
    Fastest and best integrated tape backup for the Oracle Database
    - Recovery Manager (RMAN) integration
    - Enterprise Manager (EM) interface
    Maximum security options
    Free version (limited functionality) will ship with the Oracle Database
    (Figure: Oracle Secure Backup, centralized tape backup management; Oracle Databases via RMAN integration and file system data on UNIX, Linux, Windows and NAS, backed up to tape.)

  • Why Use Oracle Secure Backup?
    Scalable from the department to the data center
    Database tape backups can now be seamlessly managed by Database Administrators (DBAs) or the storage group
    Intelligent integration with RMAN delivering the best performance and security for database backups
    Easily managed using Enterprise Manager (EM)
    Single technical support resource for the entire backup solution expedites problem resolution
    Reliable data protection at lower cost and complexity, for the Oracle Database and file system data

  • End to End Security
    (Figure: data written to disk is automatically encrypted and automatically decrypted through the SQL interface; data is encrypted on backup files; Oracle Advanced Security provides Network Encryption, Strong Authentication and Transparent Data Encryption.)


  • Data Vault Objectives
    Multi-factored approach to database security: protect and share data assets using environmental factors for assurance
    Defense in depth approach
    Protect application schemas from system privileges
    Database Server as Database Appliance: lock down, hardened software and privileges
    Comprehensive audit policy
    Separation of duties
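Added example (not from the deck) of the "protect application schemas from system privileges" objective: a Database Vault realm around a constructed HR_APP schema, so that SELECT ANY TABLE, the DBA role and similar system privileges no longer reach its tables. It assumes Database Vault is enabled and the block runs as a DV_OWNER account; realm and schema names are illustrative.

```sql
BEGIN
  -- A realm is the protection boundary; violations are audited so that an
  -- administrator probing the schema shows up in the audit trail.
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'HR Application Realm',
    description   => 'Protects the HR_APP schema from system privilege access',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);

  -- Every object in the schema, present and future, is covered ('%').
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'HR Application Realm',
    object_owner => 'HR_APP',
    object_name  => '%',
    object_type  => '%');

  -- Only the schema owner is authorised (as realm owner). Nobody else is,
  -- so holding a system privilege alone no longer grants access; this is the
  -- separation of duties between DBA and application data.
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'HR Application Realm',
    grantee       => 'HR_APP',
    rule_set_name => NULL,
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_OWNER);
END;
/

-- Check the realm definition. After this, a DBA-role user running
-- SELECT * FROM hr_app.salaries is refused with ORA-01031 (insufficient
-- privileges) and the attempt is recorded as a realm violation.
SELECT realm_name, owner, object_name, object_type
FROM   dba_dv_realm_object
WHERE  realm_name = 'HR Application Realm';
```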


  • Oracle Database 10g Auditing
    Audit and monitor database activity: logon failures, privilege usage, data access, object access, and other activities
    Standard Audit Trail (over 250 audit actions): gives the first level of information about access to the database; statement auditing, privilege auditing, schema object auditing
    Fine-Grained Auditing (FGA): gives the second level of information about specific operations on the database; enables you to monitor data access based on content

  • Fine-grained auditing (FGA)
    Beginning with Oracle9i Database, Oracle provides the capability to audit specific rows within a table. This is accomplished using the DBMS_FGA package.
    Features:
    Attach audit policy to table or view
    Specify audit condition using a SQL predicate
    User's query text, with bind variables, is written to the audit record upon a triggering audit event
    Event handler can alert administrator to triggering condition (e.g. write record to log, send page)
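Added example combining both levels described above (not from the deck): standard auditing of failed logons and a system privilege, then an FGA policy with a SQL predicate, an audit column and an event handler, and the query that reads back the captured statement text and binds. Schema HR_APP, table SALARIES and the SEC_ADMIN handler are constructed; it assumes the pre-12c audit trail (AUDIT_TRAIL=DB).

```sql
-- Schema, table and procedure names are illustrative and assume the
-- pre-12c audit trail (AUDIT_TRAIL=DB).

-- First level, standard auditing: failed logons and use of a system privilege.
AUDIT CREATE SESSION WHENEVER NOT SUCCESSFUL;
AUDIT SELECT ANY TABLE BY ACCESS;

-- Event handler run when the FGA policy fires; DBMS_FGA fixes the signature.
-- Here it records the event in a constructed alert table; it could also page.
CREATE TABLE sec_admin.fga_alerts (
  fired_at TIMESTAMP, who VARCHAR2(128), policy VARCHAR2(128), stmt CLOB);

CREATE OR REPLACE PROCEDURE sec_admin.salary_alert (
  object_schema VARCHAR2, object_name VARCHAR2, policy_name VARCHAR2)
AS
  PRAGMA AUTONOMOUS_TRANSACTION;   -- keep the alert even if the user rolls back
BEGIN
  INSERT INTO sec_admin.fga_alerts
  VALUES (SYSTIMESTAMP, SYS_CONTEXT('USERENV', 'SESSION_USER'),
          policy_name, SYS_CONTEXT('USERENV', 'CURRENT_SQL'));
  COMMIT;
END;
/

-- Second level, FGA: audit only statements that read or change SALARY on
-- rows where the predicate holds (content-based), keeping SQL text and binds.
BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema   => 'HR_APP',
    object_name     => 'SALARIES',
    policy_name     => 'HIGH_SALARY_ACCESS',
    audit_condition => 'SALARY > 100000',
    audit_column    => 'SALARY',
    handler_schema  => 'SEC_ADMIN',
    handler_module  => 'SALARY_ALERT',
    enable          => TRUE,
    statement_types => 'SELECT,UPDATE',
    audit_trail     => DBMS_FGA.DB_EXTENDED);
END;
/

-- Review: the exact statement and bind values behind each policy hit.
SELECT db_user, os_user, timestamp, sql_text, sql_bind
FROM   dba_fga_audit_trail
WHERE  policy_name = 'HIGH_SALARY_ACCESS'
ORDER  BY timestamp DESC;
```

A SELECT of a low salary, or one that does not touch the SALARY column, is not recorded at all, which is what keeps the FGA trail small enough to review.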

  • Audit Vault
    (Figure: audit data collected from Oracle 9iR2, 10gR1 and 10gR2 databases and, in future, other sources and databases; monitor, policies, reports, security.)
    Collect and consolidate audit data
    Simplify compliance reporting
    Detect and prevent insider threats
    Scale and security
    Lower IT costs with audit policies

  • Oracle Database Security: 30 years of innovation (1977 to 2007)
    Oracle Audit Vault
    Oracle Database Vault
    DB Security Evaluation #19
    Transparent Data Encryption
    EM Configuration Scanning
    Fine Grained Auditing (9i)
    Secure application roles
    Client Identifier / Identity propagation
    Oracle Label Security
    Proxy authentication
    Enterprise User Security
    Global roles
    Virtual Private Database (8i)
    Database Encryption API
    Strong authentication (PKI, Kerberos, RADIUS)
    Native Network Encryption (Oracle7)
    Database Auditing
    Government customer
    (Timeline runs from 2007 at the top to 1977 at the bottom.)


  • For More Information
    http://search.oracle.com or oracle.com/security
