Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
Best Practices for Implementing Database Security
Comprehensive Database Security
Saikat Saha
Product Director
Database Security, Oracle
October 02, 2017
Safe Harbor Statement
The following is intended to outline our general product direction. It is intended for
information purposes only, and may not be incorporated into any contract. It is not a
commitment to deliver any material, code, or functionality, and should not be relied upon
in making purchasing decisions. The development, release, and timing of any features or
functionality described for Oracle’s products remains at the sole discretion of Oracle.
Privacy & Security Regulations Increasing World-Wide
EU GDPR, PCI, NZPA, APP, APPI, Ch GDPL, HK PDPO, Si PDPA, Th OIA, Ru DPA, IT Act, SAECTA, MDPA, APDPL, CLPPL, Art. 5, CDPL, MPDPL, FOIPPA, PIPEDA, NY DFS 500, 48 State Data Privacy laws, Patriot Act, CIP, HIPAA, GLBA
Data Breaches are Exploding World-Wide
• Target: 98M, Dec ’13
• Yahoo: 1B, Dec ’16
• Friend Finder: 400M, Dec ’16
• eBay: 150M, May ’14
• Experian: 200M, Mar ’14
• US Voters: 191M, Dec ’15
• Adobe: 150M, Oct ’13
• Home Depot: 56M, Sep ’14
• JPMC: 76M, Oct ’14
• Anthem: 80M, Feb ’15
• Vodafone: 2M, Oct ’13
• Cupid Media: 42M, Jan ’13
• Sony: TBs of IP, Nov ’14
• Orange: 2M, Feb/Apr ’14
• Credit Bureau and Telecom, S. Korea: 20M and 12M, Jan ’14
• Benesse Education, Japan: 22M, Jul ’14
• Kaspersky: espionage, Jun ’15
• Hacking Team: 400GB IP theft, Jul ’15
• Carphone Warehouse: 2.4M, Aug ’15
• Talk Talk: 4M, Oct ’15
• Turkish Govt: 50M, Apr ’16
• VTech: 5M, Nov ’15
• BSNL Telco: 30M
• Journal: Jul ’15
• Kmart: Oct ’15
• Premera Blue Cross: 11M, Mar ’15
• Mexico Voter: 93M, Apr ’16
• US Voter: 154M, Jun ’16
• Ashley Madison: 32M, Jul ’15
• US OPM: 22M, Jun ’15
• T-Mobile: 15M, Oct ’15
• Scottrade: 4.6M, Oct ’15
• Philippines Voter list: 55M, Apr ’16
• Debit cards: 3.2M, Oct ’16
• Sabre: Mar ’16
• CIA: Apr ’17
• Edmodo: 77M, May ’17
• Equifax: 143M, July ’17
Data is Today’s Capital
• Data breaches are exploding world-wide
– Databases continue to be the prime target
• Fast Evolving, Stringent Regulatory Landscape
– Across industries and regions
– Laws that aim to protect data and citizen privacy
• Data Security Strategy
– Protect against multiple threat actors and multiple vectors
– With built-in, comprehensive security controls
– For on-premise and cloud databases
But in the Wrong Hands, Data Becomes the New Liability
Changing Threat Landscape: Databases remain the Target
• Threat Actors: Hackers, OS Admin, DBA, Test & Dev, End-Users, Support
• Threat Vectors: XSS / Malware, SQL Injection, Stolen Credentials, Ransomware, Physical Theft, Privilege Escalation, Network Sniffing
• Threat Targets: Middleware, Applications, Databases, Operating System, Network, Storage, Backup
Comprehensive Database Security Controls: Evaluate, Prevent, Detect, Data-Driven Security
Evaluate Security Risks
Evaluative Controls – Customer Use Cases

Global Oil Field Services Provider
• Situation: Hundreds of databases distributed around the globe, scattered across dozens of acquired companies; no unified configuration standard
• Solution: Oracle Database Security Assessment (DBSAT)
• Result: Significant misconfigurations identified, leading to a single configuration standard being applied everywhere
• Benefit: Reduced risk of breach and easier security audits against a well-defined standard

Very Large Semiconductor Manufacturer
• Situation: Thousands of Oracle Databases managed by silos of administrators; no comprehensive picture of the databases’ security posture
• Solution: Continuous compliance monitoring with Oracle Enterprise Manager Database Lifecycle Management Pack
• Result: Near-real-time alerts when any database configuration drift introduces security risk
• Benefit: Reduced audit costs, improved security

Global Auto Manufacturer
• Situation: Migrating an SAP installation to new infrastructure; desire to harden the deployment at the same time
• Solution: Oracle Database Security Assessment (DBSAT)
• Result: Discovered many security issues, including a default SAP application account configured for password-less login
• Benefit: Potential production vulnerability avoided

US Insurance Provider
• Situation: Dozens of production databases with no model of where sensitive data resides, making it difficult to apply suitable security policies and controls
• Solution: Sensitive Data Discovery with Oracle DB Security
• Result: 400+ columns of SSNs and other sensitive data identified
• Benefit: Ability to apply appropriate security controls to the data
Prevent Data Compromise
Reducing the Risk from Malicious Users: Oracle Database Vault
• Separation of Duty
• Over Privileged Account → Least Privilege
• Protect Sensitive Data
• Prevent Database Change
• Minimize impact to Applications, Performance, High Availability and Operations
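As an added illustration of the control this slide describes (not code from the deck), the following PL/SQL builds a Database Vault realm around an HR schema so that accounts holding system privileges such as SELECT ANY TABLE can no longer read its tables. It assumes Database Vault is already enabled and the block is run as a DV_OWNER account; the realm name, the HR schema and the HR_APP grantee are assumptions made for this example.

```sql
-- Added example: a mandatory Database Vault realm protecting the HR schema.
-- Assumes Database Vault is enabled and this runs as a DV_OWNER user.
BEGIN
  -- realm_type => 1 makes the realm mandatory: it blocks access through
  -- object privileges (e.g. a GRANT SELECT from the owner) as well as
  -- through system privileges like SELECT ANY TABLE.
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'HR Data Realm',
    description   => 'Protects HR tables from privileged users such as DBAs',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL,  -- record blocked attempts
    realm_type    => 1);

  -- Every object owned by HR, of every type, is inside the realm.
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'HR Data Realm',
    object_owner => 'HR',
    object_name  => '%',
    object_type  => '%');

  -- The application account is a participant (may use the data); the
  -- schema owner is a realm owner (may also manage its objects).
  -- No entry is created for SYSTEM or the DBA role: least privilege.
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name   => 'HR Data Realm',
    grantee      => 'HR_APP',
    auth_options => DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);

  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name   => 'HR Data Realm',
    grantee      => 'HR',
    auth_options => DBMS_MACUTL.G_REALM_AUTH_OWNER);
END;
/

-- Check (run as SYSTEM, which holds SELECT ANY TABLE):
--   SELECT COUNT(*) FROM hr.employees;
-- now fails with ORA-01031: insufficient privileges, and because audit_options
-- audits failures the attempt is written to the Database Vault audit trail.
```

The separation-of-duty point is that the realm is administered by the DV_OWNER role, not by the DBA: a compromised or over-privileged administrator account cannot simply drop the realm to regain access.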
Oracle Advanced Security
• Transparent Data Encryption: encrypted storage for disks, exports and backups (data at rest reads as ciphertext, e.g. d$f8#;!90Wz@Yg#3)
• Data Redaction: redacted data returned to applications
Oracle Advanced Security Transparent Data Encryption (TDE)
• Encrypts columns or entire tablespaces
• Protects the database files on disk and on backups
• High-speed performance
• Transparent to applications, no changes required
• Integrated with Oracle DB technologies
Applications see clear data; disks, exports, backups and off-site facilities hold only encrypted data.
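The two Oracle Advanced Security controls described above, TDE and Data Redaction, as an added worked example (not code from the deck). It assumes a TDE master encryption key has already been created in the keystore (the ADMINISTER KEY MANAGEMENT steps are not shown), a table HR.EMPLOYEES with an SSN column, and an HR_ADMIN account that is allowed to see unredacted values; the datafile name and these identifiers are assumptions made for this example.

```sql
-- Added example: TDE at tablespace and column level, plus a Data Redaction
-- policy. Assumes the TDE master key already exists in the keystore.

-- 1. Tablespace-level TDE: everything created in this tablespace is
--    encrypted on disk, in RMAN backups and in Data Pump exports.
--    'hr_secure01.dbf' is a placeholder datafile name.
CREATE TABLESPACE hr_secure
  DATAFILE 'hr_secure01.dbf' SIZE 100M
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

-- 2. Column-level TDE on an existing table: only the SSN column is
--    encrypted. NO SALT is required if the column is indexed.
ALTER TABLE hr.employees MODIFY (ssn ENCRYPT USING 'AES256' NO SALT);

-- 3. Data Redaction: the stored value is unchanged; the result set that
--    reaches the application is masked at query time unless the session
--    user is HR_ADMIN.
BEGIN
  DBMS_REDACT.ADD_POLICY(
    object_schema       => 'HR',
    object_name         => 'EMPLOYEES',
    column_name         => 'SSN',
    policy_name         => 'redact_ssn',
    function_type       => DBMS_REDACT.PARTIAL,
    -- input format, output format, mask character, first and last
    -- position to mask: keep the last four digits of 123-45-6789
    function_parameters => 'VVVFVVFVVVV,VVV-VV-VVVV,*,1,5',
    expression          => q'[SYS_CONTEXT('USERENV','SESSION_USER') <> 'HR_ADMIN']');
END;
/

-- Check: an application session sees values such as ***-**-6789,
-- while HR_ADMIN still sees the full number.
SELECT ssn FROM hr.employees WHERE ROWNUM <= 3;
```

TDE and redaction answer different threats: TDE defends against someone who obtains the files (stolen disks, backups, exports) and is invisible to SQL, whereas redaction limits what an authenticated but over-entitled application session can display. Neither replaces the other, which is why the deck lists both.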
TDE Integration with Oracle Database

Database Technologies        Example Points of Integration (all with TDE support)
High-Availability Clusters   Oracle Real Application Clusters (RAC), Data Guard, Active Data Guard
Backup and Restore           Oracle Recovery Manager (RMAN), Oracle Secure Backup
Export and Import            Oracle Data Pump Export and Import
Database Replication         Oracle GoldenGate
Pluggable Databases          Oracle Multitenant Option
Engineered Systems           Oracle Exadata Smart Scans
Storage Management           Oracle Automatic Storage Management (ASM)
Data Compression             Oracle Standard, Advanced, and Hybrid Columnar Compression
Oracle Key Vault – Centralized Key Management
Centralized management for:
• Oracle Wallet (upload & download)
• Oracle Database online master key
• ASM storage nodes and ASM Cluster File Systems (encrypted) online master key
• Credential file (upload & download)
• Java Keystore (upload & download)
• MySQL keys
• Solaris Crypto keys
Preventive Controls – Customer Use Cases

Consumer Goods Manufacturer
• Situation: Fourteen independent operating units consolidating different Oracle eBusiness Suite (EBS) instances; requirement to support migration and test
• Solution: Data Masking with eBusiness Suite templates
• Result: Substantial reduction in risk (and risk-mitigation costs) by removing sensitive data from non-production systems
• Benefit: Initial consolidation of three business units was accomplished in the first year

European Government Ministry
• Situation: Hortonworks Hadoop with sensitive/classified information
• Solution: BigData SQL, Oracle Data Redaction and Virtual Private Database (VPD) across Oracle DB and Hadoop
• Result: Ability to restrict user access to sensitive data in the data lake
• Benefit: Data from a single big data repository can be shared among agencies while maintaining adherence to data classification policies

Diversified Telecommunications Company
• Situation: Board of Directors mandate to encrypt databases for critical applications by end of 2017
• Solution: Transparent Data Encryption with Oracle Key Vault
• Result: Encrypted 50 databases containing sensitive customer data
• Benefit: Information protection throughout the data lifecycle at scale, with automated key management

Top Global Bank
• Situation: 1,000s of databases; a recent breach led to evaluation of security practices and how they could be improved
• Solution: Transparent Data Encryption and Oracle Database Vault
• Result: Most databases encrypted within the first year. Database Vault security realms protect data from privileged accounts
• Benefit: Confidentiality of data throughout the data lifecycle and protection from data loss through stolen privileged user credentials
Detect Anomalies, Support Investigations
Monitor and Audit Enterprise Databases: Audit Vault and Database Firewall
• Inputs: audit data and event logs from the databases; network events captured by the Database Firewall
• Audit Vault: central repository providing reports, alerts and ad-hoc queries to the security analyst
• Security alerts forwarded to a SIEM
Detective Controls – Customer Use Cases

Multinational Semiconductor Company
• Situation: 100s of production databases containing sensitive IP; need to monitor for potential attacks and support compliance audits
• Solution: Oracle Audit Vault and Database Firewall
• Result: 200+ databases monitored within 3 months, with regular reporting of audit information
• Benefit: Improved visibility and reporting for regulatory audits

Consumer Credit Reporting Company
• Situation: Need to comply with PCI DSS, SOX and GLBA
• Solution: Oracle Database Firewall
• Result: Monitoring of peak loads of 10k transactions/sec while maintaining database performance
• Benefit: Improved database traffic visibility

National Health Ministry
• Situation: Public health record system; requirement for bank-strength security features
• Solution: Oracle Database Firewall
• Result: Monitoring access to health records in multivendor systems (Oracle MySQL, Sybase, IBM, MS SQL Server) to detect suspicious or inappropriate behavior
• Benefit: Improved posture for this patient “opt-in” service

North American Retailer
• Situation: Heterogeneous DB environment supporting over 700 stores in the US, Canada, Japan, Australia and Mexico; requirement to comply with complex world-wide privacy regulations
• Solution: Oracle Audit Vault and Database Firewall
• Result: Monitor over 400 databases (Oracle, IBM DB2, Microsoft SQL Server) with daily activity reporting from audit logs
• Benefit: Improved security and streamlined compliance reporting
Data-Driven Access Control

Name     Country  Department
Russ     DE       HR
Franck   FR       Marketing
Paolo    SP       Consulting
Luca     IT       Corporate
Karen    NE       Sales
Bob      US       Eng
Mary     US       Eng
Jim      CA       Eng
Leslie   MX       Eng
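An added example (not code from the deck) of what "data-driven" means for the table above: a Virtual Private Database (VPD) policy that lets each session see only the rows whose country value matches an attribute of the caller, enforced by the database regardless of which application issues the query. The table HR.EMPLOYEES, the application context EMP_CTX, the package HR.SEC_CTX and the policy function HR.COUNTRY_POLICY are all assumptions made for this example; the rows are constructed from the slide.

```sql
-- Added example: row-level security with VPD (DBMS_RLS) driven by a data
-- value (COUNTRY) and a session attribute set through an application context.

-- Constructed sample data, copied from the slide.
CREATE TABLE hr.employees (name VARCHAR2(30), country CHAR(2), dept VARCHAR2(20));
INSERT INTO hr.employees VALUES ('Russ',   'DE', 'HR');
INSERT INTO hr.employees VALUES ('Franck', 'FR', 'Marketing');
INSERT INTO hr.employees VALUES ('Paolo',  'SP', 'Consulting');
INSERT INTO hr.employees VALUES ('Luca',   'IT', 'Corporate');
INSERT INTO hr.employees VALUES ('Karen',  'NE', 'Sales');
INSERT INTO hr.employees VALUES ('Bob',    'US', 'Eng');
INSERT INTO hr.employees VALUES ('Mary',   'US', 'Eng');
INSERT INTO hr.employees VALUES ('Jim',    'CA', 'Eng');
INSERT INTO hr.employees VALUES ('Leslie', 'MX', 'Eng');
COMMIT;

-- An application context can only be set by the trusted package named
-- here, so a user cannot simply assign themselves a different country.
CREATE CONTEXT emp_ctx USING hr.sec_ctx;

CREATE OR REPLACE PACKAGE hr.sec_ctx AS
  PROCEDURE set_country(p_country IN VARCHAR2);
END;
/
CREATE OR REPLACE PACKAGE BODY hr.sec_ctx AS
  PROCEDURE set_country(p_country IN VARCHAR2) IS
  BEGIN
    -- In production this value would come from an authenticated identity
    -- (e.g. a directory attribute), not from a parameter the caller chooses.
    DBMS_SESSION.SET_CONTEXT('emp_ctx', 'country', p_country);
  END;
END;
/

-- Policy function: returns the predicate the database appends to every
-- statement against the protected table.
CREATE OR REPLACE FUNCTION hr.country_policy(p_schema IN VARCHAR2, p_object IN VARCHAR2)
  RETURN VARCHAR2 IS
BEGIN
  -- Fail closed: a session with no country attribute matches no rows
  -- ('--' is never a real country code), rather than all rows.
  RETURN 'country = NVL(SYS_CONTEXT(''emp_ctx'',''country''), ''--'')';
END;
/

BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'HR',
    object_name     => 'EMPLOYEES',
    policy_name     => 'emp_by_country',
    function_schema => 'HR',
    policy_function => 'country_policy',
    statement_types => 'SELECT, INSERT, UPDATE, DELETE',
    update_check    => TRUE);   -- inserted/updated rows must also satisfy the predicate
END;
/

-- Check: a session tagged US returns only Bob and Mary; a session that never
-- called set_country returns no rows at all.
EXEC hr.sec_ctx.set_country('US');
SELECT name, country, dept FROM hr.employees;
```

Because the predicate is attached at the table, every path to the data (the sales application, an ad-hoc reporting tool, SQL*Plus) gets the same filter, which is the cost saving the "Electric Utility Service Provider" use case below refers to. The same ADD_POLICY call also accepts a `sec_relevant_cols` argument when the restriction should apply only to queries touching specific sensitive columns, as in the asset-management use case.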
Data-Driven Security Controls – Customer Use Cases

US Healthcare Provider
• Situation: Consolidated patient data; HIPAA/HITRUST requirement for patient consent prior to data sharing
• Solution: Oracle Label Security
• Result: Enforcement of data access based on labels indicating patient consent status
• Benefit: Compliance with HITRUST requirements with minimal system modifications

Large Asset Management Company
• Situation: Hundreds of business analysts needing access to raw data, but not to certain sensitive data elements
• Solution: Virtual Private Database
• Result: Column-level access controlled by data values
• Benefit: Analysts were able to access data objects without risk of proliferation of sensitive data

Electric Utility Service Provider
• Situation: Securing multiple departmental applications accessing billing/utility data from diverse sources
• Solution: Real Application Security data realms/columns
• Result: Applications leverage common data access policy enforcement at the database
• Benefit: Cost savings; no per-application access controls

Defense/Commercial Manufacturer
• Situation: Managing data for both commercial and government customers; US ITAR regulations
• Solution: Oracle Label Security
• Result: Ability to comply with ITAR requirements for data using existing information systems
• Benefit: Reduced systems and management costs
Comprehensive Database Security Controls – Defense in Depth Security
• EVALUATE: Security Configuration, Sensitive Data Discovery, Privilege Analysis, Security Assessment
• PREVENT: Data Encryption, Key Management, Crypto Toolkit for Applications, DBA & Operation Controls, Data Redaction, Data Masking and Subsetting
• DETECT: Database Auditing, Database Firewall, Centralized Monitoring, Alerting & Reporting
• DATA DRIVEN SECURITY: Row Level Security, Real Application Security, Label based Security
Oracle Database Security Strategy
• SECURITY INSIDE-OUT – Security close to the data: eliminates guesswork, maximizes performance, application transparency
• ENTERPRISE DEPLOYMENTS – Across multiple systems: operating systems, heterogeneous databases, applications, Cloud, …
• DEFENSE-IN-DEPTH SECURITY CONTROLS – Overlapping controls: encryption, masking, auditing, monitoring, access control, redaction, …
• ANTICIPATE THREATS & MITIGATE – Transparent Data Encryption, DBA Control, Redaction, Masking, Privilege Analysis, DB Firewall, RAS, Cloud, …
Best Practices for implementing Database Security Comprehensive Database Security

More Related Content

PDF
Oracle Active Data Guard: Best Practices and New Features Deep Dive
PDF
Oracle Database Appliance Workshop
PDF
Oracle Real Application Clusters 19c- Best Practices and Internals- EMEA Tour...
PDF
Oracle Cloud Infrastructure
PPTX
Oracle RAC features on Exadata
PPTX
Oracle GoldenGate 21c New Features and Best Practices
PDF
Oracle Cloud is Best for Oracle Database - High Availability
PDF
The Oracle RAC Family of Solutions - Presentation
Oracle Active Data Guard: Best Practices and New Features Deep Dive
Oracle Database Appliance Workshop
Oracle Real Application Clusters 19c- Best Practices and Internals- EMEA Tour...
Oracle Cloud Infrastructure
Oracle RAC features on Exadata
Oracle GoldenGate 21c New Features and Best Practices
Oracle Cloud is Best for Oracle Database - High Availability
The Oracle RAC Family of Solutions - Presentation

What's hot (20)

PDF
HA, Scalability, DR & MAA in Oracle Database 21c - Overview
PDF
Oracle Active Data Guard 12c: Far Sync Instance, Real-Time Cascade and Other ...
PDF
Make Your Application “Oracle RAC Ready” & Test For It
PPTX
Oracle architecture ppt
PDF
Oracle RAC 19c with Standard Edition (SE) 2 - Support Update
PPTX
Automate DBA Tasks With Ansible
PDF
Oracle RAC - New Generation
PPT
Backups And Recovery
PDF
Oracle RAC 19c - the Basis for the Autonomous Database
PPTX
What to Expect From Oracle database 19c
PDF
Oracle Real Application Clusters (RAC) 12c Rel. 2 - Operational Best Practices
PDF
しばちょう先生による特別講義! RMANバックアップの運用と高速化チューニング
PDF
Oracle data guard for beginners
PDF
Oracle Security Presentation
PPT
PDF
Exadata master series_asm_2020
PDF
Oracle Advanced Analytics
PDF
Oracle RAC Virtualized - In VMs, in Containers, On-premises, and in the Cloud
PDF
Azure security architecture
PDF
Oracle RAC 19c: Best Practices and Secret Internals
HA, Scalability, DR & MAA in Oracle Database 21c - Overview
Oracle Active Data Guard 12c: Far Sync Instance, Real-Time Cascade and Other ...
Make Your Application “Oracle RAC Ready” & Test For It
Oracle architecture ppt
Oracle RAC 19c with Standard Edition (SE) 2 - Support Update
Automate DBA Tasks With Ansible
Oracle RAC - New Generation
Backups And Recovery
Oracle RAC 19c - the Basis for the Autonomous Database
What to Expect From Oracle database 19c
Oracle Real Application Clusters (RAC) 12c Rel. 2 - Operational Best Practices
しばちょう先生による特別講義! RMANバックアップの運用と高速化チューニング
Oracle data guard for beginners
Oracle Security Presentation
Exadata master series_asm_2020
Oracle Advanced Analytics
Oracle RAC Virtualized - In VMs, in Containers, On-premises, and in the Cloud
Azure security architecture
Oracle RAC 19c: Best Practices and Secret Internals
Ad

Similar to Best Practices for implementing Database Security Comprehensive Database Security (20)

PDF
MySQL Day Paris 2018 - MySQL & GDPR; Privacy and Security requirements
PPTX
Insights into Real-world Data Management Challenges
PPTX
The Enablement of an Identity-Centric SOC in the Regulatory Rumba Era
PPTX
Insights into Real World Data Management Challenges
PPTX
The EU General Protection Regulation and how Oracle can help
PDF
Oracle Database 11g Security and Compliance Solutions - By Tom Kyte
PDF
Highly Automated IT
PPTX
Data center Trends with Oracle
PDF
SOUG Day - autonomous what is next
PDF
Oracle Data Protection - 1. část
PDF
NoSQL Databases for Enterprises - NoSQL Now Conference 2013
PDF
Logicalis Backup as a Service: Re-defining Data Protection
PPT
Securing Sensitive Data in Your Hybrid Cloud
PPTX
Bilbao oracle12c keynote
PPTX
David Knox: How do we Protect our Systems and Meet Compliance in a Rapidly Ch...
PDF
Integrigy_Oracle_E-Business_Suite_Security_Risks_Primer_for_Internal_Auditors...
PPTX
Data Breaches: Protecting Your Database from the Evening News
PPTX
Imperative Induced Innovation - Patrick W. Dowd, Ph. D
PDF
Biznet Gio Presentation - Database Security
PDF
Využijte svou Oracle databázi naplno
MySQL Day Paris 2018 - MySQL & GDPR; Privacy and Security requirements
Insights into Real-world Data Management Challenges
The Enablement of an Identity-Centric SOC in the Regulatory Rumba Era
Insights into Real World Data Management Challenges
The EU General Protection Regulation and how Oracle can help
Oracle Database 11g Security and Compliance Solutions - By Tom Kyte
Highly Automated IT
Data center Trends with Oracle
SOUG Day - autonomous what is next
Oracle Data Protection - 1. část
NoSQL Databases for Enterprises - NoSQL Now Conference 2013
Logicalis Backup as a Service: Re-defining Data Protection
Securing Sensitive Data in Your Hybrid Cloud
Bilbao oracle12c keynote
David Knox: How do we Protect our Systems and Meet Compliance in a Rapidly Ch...
Integrigy_Oracle_E-Business_Suite_Security_Risks_Primer_for_Internal_Auditors...
Data Breaches: Protecting Your Database from the Evening News
Imperative Induced Innovation - Patrick W. Dowd, Ph. D
Biznet Gio Presentation - Database Security
Využijte svou Oracle databázi naplno
Ad

Recently uploaded (20)

PDF
A proposed approach for plagiarism detection in Myanmar Unicode text
DOCX
Basics of Cloud Computing - Cloud Ecosystem
PPTX
GROUP4NURSINGINFORMATICSREPORT-2 PRESENTATION
PDF
NewMind AI Weekly Chronicles – August ’25 Week III
PPTX
Benefits of Physical activity for teenagers.pptx
PDF
sbt 2.0: go big (Scala Days 2025 edition)
PDF
Enhancing plagiarism detection using data pre-processing and machine learning...
PDF
Hybrid horned lizard optimization algorithm-aquila optimizer for DC motor
PPT
Geologic Time for studying geology for geologist
PDF
STKI Israel Market Study 2025 version august
PDF
CloudStack 4.21: First Look Webinar slides
PDF
Flame analysis and combustion estimation using large language and vision assi...
PPTX
Configure Apache Mutual Authentication
PDF
Zenith AI: Advanced Artificial Intelligence
PPTX
Microsoft Excel 365/2024 Beginner's training
PDF
OpenACC and Open Hackathons Monthly Highlights July 2025
PDF
Five Habits of High-Impact Board Members
PPTX
Training Program for knowledge in solar cell and solar industry
PPTX
Custom Battery Pack Design Considerations for Performance and Safety
PDF
How IoT Sensor Integration in 2025 is Transforming Industries Worldwide
A proposed approach for plagiarism detection in Myanmar Unicode text
Basics of Cloud Computing - Cloud Ecosystem
GROUP4NURSINGINFORMATICSREPORT-2 PRESENTATION
NewMind AI Weekly Chronicles – August ’25 Week III
Benefits of Physical activity for teenagers.pptx
sbt 2.0: go big (Scala Days 2025 edition)
Enhancing plagiarism detection using data pre-processing and machine learning...
Hybrid horned lizard optimization algorithm-aquila optimizer for DC motor
Geologic Time for studying geology for geologist
STKI Israel Market Study 2025 version august
CloudStack 4.21: First Look Webinar slides
Flame analysis and combustion estimation using large language and vision assi...
Configure Apache Mutual Authentication
Zenith AI: Advanced Artificial Intelligence
Microsoft Excel 365/2024 Beginner's training
OpenACC and Open Hackathons Monthly Highlights July 2025
Five Habits of High-Impact Board Members
Training Program for knowledge in solar cell and solar industry
Custom Battery Pack Design Considerations for Performance and Safety
How IoT Sensor Integration in 2025 is Transforming Industries Worldwide

Best Practices for implementing Database Security Comprehensive Database Security

  • 1. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Best Practices for implementing Database Security Comprehensive Database Security Saikat Saha Product Director Database Security, Oracle October 02, 2017
  • 2. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Safe Harbor Statement The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle. 2
  • 3. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Privacy & Security Regulations Increasing World-Wide EU GDPR PCI NZPA APP APPI Ch GDPL HK PDPO Si PDPA Th OIA Ru DPA IT Act SAECTA MDPA APDPL CLPPL Art. 5 CDPL MPDPL FOIPPAPIPEDA NY DFS 500 48 State Data Privacy laws Patriot Act CIPHIPAA GLBA
  • 4. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | 98M Target DEC ‘13 1B Yahoo Dec ’16 400M Friend Finder Dec ‘16 150M eBay May ‘14 200M Experian Mar ’14 US Voters 191M, Dec 15 150M Adobe Oct ‘13 56M Home Depot Sep ‘14 76M JPMC Oct ‘14 80M Anthem Feb ‘15 2M Vodafone Oct ‘13 42M Cupid Media Jan ’13 TBs IP Sony Nov ’14 2M Orange Feb/Apr ‘14 20M Credit Bureau 12M Telecom S. Korea Jan ‘14 22M Benesse Education Jul ‘14 Japan Espionage Kaspersky Jun ‘15 400GB IP Theft Hacking Team Jul ‘15 Carphone Warehouse Aug ’15 2.4M 4M Talk Talk Oct 15 50M Turkish Govt Apr ‘16 5M VTech Nov ‘15 30M BSNL Telco Journal Jul ‘15 Kmart Oct ‘15 11M Premera Blue Cross Mar ‘15 93M Mexico Voter Apr ‘16 154M US Voter Jun ‘16 32M Ashley Madison Jul ’15 US OPM, 22M Jun ’15 15M T-Mobile Oct ’15 4.6M Scottrade Oct ’15 55M Philippines Voter list Apr ‘16 4 Data Breaches are Exploding World-Wide 3.2M Debit cards Oct ‘16 Sabre Mar ‘16 CIA Apr ‘17 77M Edmodo May ‘17 143M Equifax July ‘17
  • 5. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Data is Today’s Capital • Data breaches are exploding world-wide – Databases continue to be the prime target • Fast Evolving, Stringent Regulatory Landscape – Across industries and regions – Laws that aim to protect data and citizen privacy • Data Security Strategy – Protect against multiple threat actors and multiple vectors – With built-in, comprehensive security controls – For on-premise and cloud databases 5 But in the Wrong Hands, Data Becomes the New Liability
  • 6. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | XSS / Malware Changing Threat Landscape 6 Databases remain the Target Threat Actors Hackers OS Admin DBA Test & Dev End-Users Support SQL Injection Stolen Credentials Ransomware Physical Theft Privilege Escalation Network Sniffing Threat Vectors Middleware Applications Databases Operating System Network Storage Backup Threat Targets
  • 7. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | 7 Evaluate Prevent Detect Data Driven Security Comprehensive Database Security Controls
  • 8. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Evaluate Security Risks
  • 9. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | 9 Situation: Hundreds of databases distributed around the globe, scattered across dozens of acquired companies; no unified configuration standard Solution: Oracle Database Security Assessment (DBSAT) Result: Significant misconfigurations identified, leading to a single configuration standard being applied everywhere Benefit: Reduced risk of breach and easier security audits against a well-defined standard Global Oil Field Services Provider Situation: Thousands of Oracle Databases managed by silos of administrators; no comprehensive picture of databases’ security posture Solution: Continuous compliance monitoring with Oracle Enterprise Manager Database Lifecycle Management Pack Result: Near-real time alerts when any database configuration drift introduces security risk Benefit: Reduced audit costs, improved security Very Large Semiconductor Manufacturer Situation: Migrating SAP installation to a new infrastructure; desire to harden deployment at the same time Solution: Oracle Database Security Assessment (DBSAT) Result: Discovered many security issues including use of default SAP application account configured for password-less login Benefit: Potential production vulnerability avoided Global Auto Manufacturer Situation: Dozens of production databases with no model of where sensitive data resides making it difficult to apply suitable security policies and controls Solution: Sensitive Data Discovery with Oracle DB Security Result: 400+ columns of SSN & other sensitive data identified Benefit: Ability to apply appropriate security controls on data US Insurance Provider Evaluative Controls – Customer Use Cases
  • 10. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Prevent Data Compromise
  • 11. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Reducing the Risk from Malicious Users Oracle Database Vault 11 Separation of Duty Over Privileged Account Least Privilege Protect Sensitive Data Minimize impact to • Applications • Performance • High Availability • Operations Prevent Database Change
  • 12. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Disks Exports Backups Transparent Data Encryption Encrypted Storage d$f8#;!90Wz@Yg#3 Redacted Applications Data Redaction Oracle Advanced Security 12
  • 13. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Oracle Advanced Security Transparent Data Encryption (TDE) 13 Disks Exports Off-Site Facilities • Encrypts columns or entire tablespaces • Protects the database files on disk and on backups • High-speed performance • Transparent to applications, no changes required • Integrated with Oracle DB technologies Applications Encrypted Data Backups Clear Data d$f8#; !90Wz Yg#3R qR+% @Ue#3 R+%K# *HH$7 #9Vlka
  • 14. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | TDE Integration with Oracle Database 14 Database Technologies Example Points of Integration TDE Support High-Availability Clusters Oracle Real Application Clusters (RAC), Data Guard, Active Data Guard Backup and Restore Oracle Recovery Manager (RMAN), Oracle Secure Backup Export and Import Oracle Data Pump Export and Import Database Replication Oracle Golden Gate Pluggable Databases Oracle Multitenant Option Engineered Systems Oracle Exadata Smart Scans Storage Management Oracle Automatic Storage Management (ASM) Data Compression Oracle Standard, Advanced , and Hybrid Columnar Compression
  • 15. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Oracle Key Vault – Centralized Key Management 15 Oracle Wallet Upload & Download Oracle Database Online Master Key ASM Storage Nodes ASM Cluster File Systems (Encrypted) Online Master Key Credential File Upload & Download Java Keystore Upload & Download MySQL Keys Solaris Crypto Keys
  • 16. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | 16 Situation: Fourteen independent operating units consolidating different Oracle eBusiness Suite (EBS) instances; requirement to support migration and test Solution: Data Masking with eBusiness Suite templates Result: Substantial reduction in risk (and risk-mitigation costs) by removing sensitive data from non-production systems Benefit: Initial consolidation of three business units was accomplished in the first year Consumer Goods Manufacturer Situation: Hortonworks Hadoop with sensitive/classified information Solution: BigData SQL, Oracle Data Redaction and Virtual Private Database (VPD) across Oracle DB and Hadoop Result: Ability to restrict user access to sensitive data in data lake Benefit: Data from a single big data repository can be shared among agencies while maintaining adherence to data classification policies European Government Ministry Situation: Board of Directors mandate to encrypt databases for critical applications by end of 2017 Solution: Transparent Data Encryption with Oracle Key Vault Result: Encrypted 50 databases containing sensitive customer data Benefit: Information protection throughout data lifecycle at scale with automated key management Diversified Telecommunications Company Situation: 1,000s of databases; recent breach led to evaluation of security practices, and how they could be improved Solution: Transparent Data Encryption and Oracle Database Vault Result: Most databases encrypted within the first year. Database Vault security realms protect data from privileged accounts Benefit: Confidentiality of data throughout the data lifecycle and protection from data loss from stolen privileged user credentials Top Global Bank Preventive Controls – Customer Use Cases
  • 17. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | 17 Detect Anomalies, Support Investigations
  • 18. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Audit Data, Event Logs Database Firewall Network Events Audit Vault Monitor and Audit Enterprise Databases 18 Security Alerts SIEM Reports, Alerts Ad-hoc queries Security Analyst
  • 19. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | 19 Situation: 100s of production databases containing sensitive IP; need to monitor for potential attacks and support compliance audits Solution: Oracle Audit Vault and Database Firewall Result: 200+ databases monitored within 3 months with regular reporting of audit information Benefit: Improved visibility and reporting for regulatory audits Multinational Semiconductor Company Situation: Need to comply with PCI DSS, SOX and GLBA Solution: Oracle Database Firewall Result: Monitoring of peak loads of 10k transactions/sec while maintaining database performance Benefit: Improved database traffic visibility Consumer Credit Reporting Company Situation: Public health record system; requirement for bank- strength security features Solution: Oracle Database Firewall Result: Monitoring access to health records in multivendor systems (Oracle MySQL, Sybase, IBM, MS SQL Server) to detect suspicious or inappropriate behavior Benefit: Improved posture for this patient “opt-in” service National Health Ministry Situation: Heterogeneous DB environment supporting over 700 stores in US, Canada, Japan, Australia and Mexico; requirement to comply with complex world-wide privacy regulations Solution: Oracle Audit Vault and Database Firewall Result: Monitor over 400 databases (Oracle, IBM DB2, Microsoft SQL Server) with daily activity reporting from audit logs Benefit: Improved security and streamlined compliance reporting North American Retailer Detective Controls – Customer Use Cases
  • 20. Data-Driven Access Control (diagram of users by country and department): Russ (DE, HR), Franck (FR, Marketing), Paolo (SP, Consulting), Luca (IT, Corporate), Karen (NE, Sales), Bob (US, Eng), Mary (US, Eng), Jim (CA, Eng), Leslie (MX, Eng)
  • 21. Data-Driven Security Controls – Customer Use Cases
    US Healthcare Provider
      Situation: Consolidated patient data; HIPAA/HITRUST requirement for patient consent prior to data sharing
      Solution: Oracle Label Security
      Result: Enforcement of data access based on labels indicating patient consent status
      Benefit: Compliance with HITRUST requirements with minimal system modifications
    Large Asset Management Company
      Situation: Hundreds of business analysts needing access to raw data, but not access to certain sensitive data elements
      Solution: Virtual Private Database
      Result: Column-level access controlled by data values
      Benefit: Analysts were able to access data objects without risk of proliferation of sensitive data
    Electric Utility Service Provider
      Situation: Securing multiple departmental applications from accessing billing/utility data from diverse sources
      Solution: Real Application Security data realms/columns
      Result: Applications leverage common data access policy enforcement at the database
      Benefit: Cost savings; no access controls per application
    Defense/Commercial Manufacturer
      Situation: Managing data for both commercial and government customers; US ITAR regulations
      Solution: Oracle Label Security
      Result: Ability to comply with ITAR requirements for data using existing information systems
      Benefit: Reduced systems and management costs
  • 22. Comprehensive Database Security Controls: Evaluate, Prevent, Detect, Data Driven Security
  • 23. Comprehensive Database Security Controls – Defense in depth Security
    EVALUATE: Security Configuration; Sensitive Data Discovery; Privilege Analysis; Security Assessment
    PREVENT: Data Encryption; Key Management; Data Redaction; Data Masking and Subsetting; DBA & Operation Controls; Crypto Toolkit for Applications
    DETECT: Database Auditing; Database Firewall; Centralized Monitoring; Alerting & Reporting
    DATA DRIVEN SECURITY: Row Level Security; Real Application Security; Label based Security
  • 24. Oracle Database Security Strategy
    SECURITY INSIDE-OUT – Security close to the data: eliminates guesswork, maximizes performance, application transparency
    DEFENSE-IN-DEPTH SECURITY CONTROLS – Overlapping controls: encryption, masking, auditing, monitoring, access control, redaction, …
    ENTERPRISE DEPLOYMENTS – Across multiple systems: operating systems, heterogeneous databases, applications, Cloud, …
    ANTICIPATE THREATS & MITIGATE – Transparent Data Encryption, DBA Control, Redaction, Masking, Privilege Analysis, DB Firewall, RAS, Cloud, …
  • 25. Safe Harbor Statement
    The preceding is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.