Database Security
Ursula Koski | Senior Principal Architect | Oracle Corporation
Ursula Koski
• Senior Principal Architect
• Oracle User Group Liaison and OUGF Board Member (Finland); Finnish Security Association ry Board Member
• Joined Oracle in 2007
– Working mainly with short-term database engagements around the world, in the high availability and disaster recovery area.
– Have worked as an Oracle DBA for partners since 1994.
• Interests
– Professional: Oracle Database Evangelist, Maximum Availability Architecture and Database Disaster Recovery & Problem solving.
– Personal: Oracle Databases, all technical gadgets (Geek!), traveling and reading.
What is an “Advanced Persistent Threat”?
Cybercrime directed at political, infrastructure, and business targets
What are APTs Ultimately After?
Two thirds of sensitive and regulated information now resides in databases, and it is doubling every two years.
Source: IDC, "Effective Data Leak Prevention Programs: Start by Protecting Data at the Source — Your Databases", August 2011
Examples of such data: Classified Govt. Info., Trade Secrets, Competitive Bids, Corporate Plans, Source Code, Bug Database, Credit Cards, Customer Data, Financial Data, HR Data, Citizen Data
Database Sprawl Makes Attacking Easier!
Diagram labels: Sensitive Data; Partners; DW/Analytics; Reports; Stand By; Test; Dev; Temp use
Security in a Traditional Environment
Diagram: separate CRM, HR and ERP databases, each with its own APPS Admin, DBA and OS Admin
Security in a Cloud / Consolidated Environment
Diagram labels: CRM; HR; ERP; DW (consolidated)
Are Databases Adequately Protected?
“Forrester estimates that although 70% of enterprises have an information security plan, only 20% of enterprises have a database security plan.”
Source: Forrester Research Inc., Creating An Enterprise Database Security Plan, July 2010
Diagram labels: Endpoint Security; Network Security; Authentication Security; Vulnerability Management; Email Security; Database Security
Limited Database Controls
70% System users can read/tamper data stored in database files or storage
76% Cannot prevent DBAs from reading/modifying data
68% Cannot detect if database users are abusing privileges
63% Vulnerable to SQL injection attacks or not sure
48% Copy sensitive production data to non-production environments
31% Likely to get breached over the coming year
Source: 2010 Independent Oracle User Group Data Security Report
Data Security – IOUG 2010 Report
72% Do not uniformly encrypt sensitive data in all databases
76% Cannot prevent privileged database users from reading/modifying data
68% Cannot detect if database users are abusing privileges
66% Not sure if applications are subject to SQL injection
48% Copy sensitive production data to non-production environments
Source: 2010 IOUG Data Security Report
What are the High Value Target Systems?
From a study conducted by the Verizon RISK team in conjunction with the US Secret Service
Most Records Lost from Database Servers
Type               Category                 % Breaches   % Records
Database Server    Servers & Applications   25%          92%
Desktop Computer   End-User Devices         21%          1%
How were these records breached?
89% using SQL injection
86% using stolen credentials
By exploiting legitimate access to databases!
Source: 2010 Verizon Data Breach Investigations Report
Opportunistic Breaches and APT
48% involved privilege misuse
40% resulted from hacking
38% utilized malware
28% employed social tactics
Source: 2010 Verizon Data Breach Investigations Report
How did We end up Here?
2000
IT Landscape
• World moving from 2-tier to 3-tier
• Limited security considerations
Threat Landscape
• Hackers driven by fame
• Insiders were well-trusted
Security Landscape
• Network firewall
• Anti virus software
Regulatory Landscape
• HIPAA (1996, 2003)
• EU Data Protection Directives
2011
IT Landscape
• All applications online, and highly available
• Outsourcing, Service Providers, Cloud
Threat Landscape
• DIY tools; Automated SQL injection attacks
• Targets: Credit cards, PII, IP
Security Landscape
• Desktop security; Perimeter security
• Vulnerability management
Regulatory Landscape
• GLBA (1999), SOX (2002), PCI (2004, 2010)
• Various breach disclosure and privacy laws
Sources of Vulnerability
Applications
• SQL Injection attack from outside
• Application bypass
Test & Dev Partners
• Access to production data in non-secure environment
• Access to production systems for troubleshooting
Configuration
• Security configuration parameters
• Security patches
Administrative Accounts
• System administrators, DBAs, Application Administrators
• Stolen credentials, Inadequate training, Malicious insiders
Operations
• Direct OS access
• Lost / stolen backups
Concentrate on the Greatest Risk
From a study conducted by the Verizon RISK team in conjunction with the US Secret Service
Chart: Types of Hacking / Percent of Breached Records
The Two Biggest Culprits
• Stolen Login Credentials were involved in 38% of Data Breaches and 86% of Breached Records
• SQL Injection was involved in 25% of all Data Breaches and contributed to the loss of 89% of Breached Records
Database Security – Big Picture
Diagram labels: Encrypted Database; Compliance Scan; Vulnerability Scan; Data Discovery; Activity Audit; Patch Automation; Auditing; Authorization; Applications; Network SQL Monitoring and Blocking; Data Masking; Multi-factor authorization; Unauthorized DBA Activity; Authentication
Discover, Scan, Configure, Patch: Oracle Enterprise Manager
Diagram labels: Configuration Management & Audit; Vulnerability Management; Audit Analysis & Analytics; Act; Policy Management; Analyze; Classify; Advice; Discover; Asset Management
• Discover databases, applications, data models, sensitive data
• Continuously scan against security configuration standards
• Real-time monitoring of file and configuration changes
• Analyze patches, resolve patch conflicts, schedule patches
Audit Consolidation & Reporting: Oracle Audit Vault
Diagram labels: CRM/ERP Data; Custom App; HR Data; Audit Data; Policies; Built-in Reports; Alerts; Custom Reports; Auditor; Audit Warehouse
• Consolidate audit data into a secure audit warehouse
• Detect and alert on suspicious activities
• Out-of-the-box compliance reporting
First Line of Defense on the Network: Oracle Database Firewall
Diagram labels: Applications; Block; Log; Allow; Alert; Substitute; Policies; Built-in Reports; Alerts; Custom Reports
• Monitors database activity, and prevents attacks and SQL injections
• White-list, black-list, and exception-list based security policies based upon highly accurate SQL grammar based analysis
• In-line blocking and monitoring, or out-of-band monitoring modes
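The white-list / black-list / exception-list policy model with the Block, Log, Allow, Alert and Substitute actions, as an added Python sketch that is not Oracle Database Firewall code: each statement is reduced to a grammatical skeleton with literals replaced, so a bound value can change freely while an extra clause produces a shape the white-list has never seen. The exception-list semantics (trusted users are logged rather than blocked for unlisted shapes), the substitute statement and all sample queries are assumptions.

```python
import re
from typing import Iterable, Tuple

_STRING = re.compile(r"'(?:[^']|'')*'")      # SQL string literal, '' as escaped quote
_NUMBER = re.compile(r"\b\d+(?:\.\d+)?\b")   # numeric literal

def skeleton(sql: str) -> str:
    """Reduce a statement to its grammatical shape: literals become '?',
    whitespace is collapsed, case is folded and a trailing ';' is dropped.
    Statements that differ only in bound values share one skeleton."""
    s = _STRING.sub("?", sql)
    s = _NUMBER.sub("?", s)
    s = re.sub(r"\s+", " ", s).strip().rstrip(";").strip()
    return s.upper()

class SqlPolicy:
    """Toy policy: black-list wins, then white-list, then the exception list
    (assumed semantics: trusted users are logged, not blocked, for unlisted
    shapes); anything else gets the configured default action."""

    def __init__(self, whitelist: Iterable[str], blacklist: Iterable[str],
                 exception_users: Iterable[str], default: str = "ALERT") -> None:
        assert default in ("ALERT", "BLOCK", "SUBSTITUTE")
        self.whitelist = {skeleton(q) for q in whitelist}
        self.blacklist = {skeleton(q) for q in blacklist}
        self.exception_users = set(exception_users)
        self.default = default

    def decide(self, user: str, sql: str) -> Tuple[str, str]:
        """Return (action, statement forwarded to the database); '' means nothing is forwarded."""
        sk = skeleton(sql)
        if sk in self.blacklist:
            return ("BLOCK", "")
        if sk in self.whitelist:
            return ("ALLOW", sql)
        if user in self.exception_users:
            return ("LOG", sql)
        if self.default == "SUBSTITUTE":
            # In-line mode can swap an unknown statement for a harmless one so
            # the application sees an empty result instead of an error.
            return ("SUBSTITUTE", "SELECT 1 FROM DUAL WHERE 1 = 0")
        return (self.default, "" if self.default == "BLOCK" else sql)

# Constructed policy for an application that only ever runs one query shape.
POLICY = SqlPolicy(
    whitelist=["SELECT name, balance FROM accounts WHERE id = 42"],
    blacklist=["DROP TABLE accounts"],
    exception_users=["dba_maint"],
    default="SUBSTITUTE",
)

if __name__ == "__main__":
    for user, stmt in [("app", "select name, balance from accounts where id = 7;"),
                       ("app", "SELECT name, balance FROM accounts WHERE id = 7 OR 1=1"),
                       ("dba_maint", "SELECT COUNT(*) FROM accounts"),
                       ("app", "drop table ACCOUNTS")]:
        print(user, POLICY.decide(user, stmt))
```

With `default="ALERT"` the same policy behaves as the out-of-band monitoring mode on the slide: unknown shapes are forwarded and flagged rather than stopped.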
Database Operational Controls: Oracle Database Vault
Diagram: Procurement, HR and Finance applications; the Finance application runs "select * from finance.customers" while the DBA is kept away from finance.customers
• Limit powers of privileged users, and enforce SoD
• Protect application data and prevent application bypass
• Enforce who, where, when, and how using rules and factors
• Securely consolidate application data
• No application changes required
Transparent Data Encryption: Oracle Advanced Security
Diagram labels: Application; Disk; Backups; Exports; Off-Site Facilities
• Protects from unauthorized OS level or network access
• Efficient encryption of all application data
• Built-in key lifecycle management
• No application changes required
Irreversible De-Identification: Oracle Data Masking
Production:
LAST_NAME    SSN           SALARY
AGUILAR      203-33-3234   40,000
BENSON       323-22-2943   60,000
Non-Production:
LAST_NAME    SSN           SALARY
ANSKEKSL     111-23-1111   40,000
BKJHHEIEDK   222-34-1345   60,000
• Reduce fear of loss and scope of audit with irreversible de-identification on non-production databases
• Referential integrity preserved so applications continue to work
• Extensible template library and policies for automation
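The Production to Non-Production transformation on the slide, as an added Python example that is not Oracle Data Masking code: a throw-away HMAC key makes every SSN and last name mask consistently within one run, so a second table that references employees by SSN (the PAYROLL table here is a constructed assumption) still joins after masking, and discarding the key afterwards makes the mapping irreversible.

```python
import hashlib
import hmac
import re
import secrets
import string
from typing import Dict, List

# Constructed sample rows, taken from the slide's production table.
EMPLOYEES = [
    {"LAST_NAME": "AGUILAR", "SSN": "203-33-3234", "SALARY": 40000},
    {"LAST_NAME": "BENSON", "SSN": "323-22-2943", "SALARY": 60000},
]
# Hypothetical second table that references EMPLOYEES by SSN.
PAYROLL = [
    {"SSN": "203-33-3234", "PAY_PERIOD": "2011-08", "AMOUNT": 3333},
    {"SSN": "323-22-2943", "PAY_PERIOD": "2011-08", "AMOUNT": 5000},
]
SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")

def _digest(key: bytes, domain: str, value: str) -> bytes:
    # HMAC with a per-run key: the same input always gives the same output
    # within a run (consistency), and nothing leads back to the input once
    # the key is gone (irreversibility). The domain tag keeps SSN and name
    # masks independent of each other.
    return hmac.new(key, f"{domain}:{value}".encode(), hashlib.sha256).digest()

def mask_ssn(key: bytes, ssn: str) -> str:
    """Masked SSN in the same ###-##-#### shape so column constraints still hold."""
    d = _digest(key, "ssn", ssn)
    digits = "".join(str(b % 10) for b in d[:9])  # small bias is acceptable for masking
    return f"{digits[:3]}-{digits[3:5]}-{digits[5:]}"

def mask_name(key: bytes, name: str) -> str:
    """Random-looking upper-case string of 6 to 10 letters, like ANSKEKSL on the slide."""
    d = _digest(key, "name", name)
    length = 6 + d[0] % 5
    return "".join(string.ascii_uppercase[b % 26] for b in d[1:1 + length])

def mask_dataset(employees: List[Dict], payroll: List[Dict]) -> Dict[str, List[Dict]]:
    """Mask both tables with one throw-away key so the SSN foreign key still joins.
    SALARY is left as-is, as on the slide."""
    key = secrets.token_bytes(32)  # never persisted: the mapping cannot be reversed later
    emp = [dict(r, LAST_NAME=mask_name(key, r["LAST_NAME"]), SSN=mask_ssn(key, r["SSN"]))
           for r in employees]
    pay = [dict(r, SSN=mask_ssn(key, r["SSN"])) for r in payroll]
    return {"EMPLOYEES": emp, "PAYROLL": pay}

def join_on_ssn(employees: List[Dict], payroll: List[Dict]) -> List[tuple]:
    """Referential-integrity check: (LAST_NAME, AMOUNT) pairs that still join after masking."""
    by_ssn = {r["SSN"]: r for r in employees}
    return [(by_ssn[p["SSN"]]["LAST_NAME"], p["AMOUNT"]) for p in payroll if p["SSN"] in by_ssn]

if __name__ == "__main__":
    masked = mask_dataset(EMPLOYEES, PAYROLL)
    for table, rows in masked.items():
        print(table, rows)
    print("joined rows after masking:", join_on_ssn(masked["EMPLOYEES"], masked["PAYROLL"]))
```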
Oracle Database Security Strategy
Diagram label: mySQL
Low Security: Sensitive Data Removed
• Data Masking for Non-Production
Maximum Security: Controls within Database
• Encryption, Auditing, Privileged User Controls, Classification, Change Tracking, App Security
External Controls: Protect Oracle and Non-Oracle DB
• Activity Monitoring, Auditing, Blocking Attacks, Reporting
Oracle Database Security: Key Differentiators
• High Performance, Accurate
• Defense-in-Depth Security Platform
• Securing through the Life Cycle
• Transparently Support Existing Applications
• Heterogeneous Support
Issues to Ponder?
1 Is our IP secured?
2 Can we defend against APTs and other attacks?
3 Would we know if we were breached?
4 Do privileged users know what they should not?
5 Are we in compliance with all regulations?
What’s Your Next Move?
1 Know where the sensitive data is
2 Scan, assess, patch, audit your databases
3 Database Firewall as first line of defense
4 Control the privileged users
5 Encrypt and mask sensitive data
Q&A