DB Security_ Final
7/31/2019 DB Security_ Final
Slide 1:
Welcome everyone and thank you for joining this Virtual Class.
I am Achin, working in Oracle Direct as a Sales Consultant, and I will be your presenter for today's session on DB Security.
My specialization lies in Database and Database Options, Security & High Availability.
In this presentation we are going to take a look at different database security solutions and their usage in your environment to protect it from inside and outside threats. At the end of the presentation we will have a Q&A session.
Let's move on and check the agenda for today's presentation.
Slide 2:
We'll start off with an introduction to database security, in which we discuss the evolution of security in Oracle. That will be followed by the importance of security solutions: what kind of threats are forcing the implementation of security solutions?
After that I will describe the different database security options, their features and key capabilities.
Then we will summarize all the security solutions by their benefits.
Slide 3:
Now, most hackers target indiscriminately, getting their hands on whatever they can get from vulnerable targets. On the other hand, APTs are well resourced, very capable, and persistent in their goals to go after their target.
(Advanced = multiple attack methods
Persistent = not giving up easily
Threat = after specific crown jewels)
Any important data, be it political data, infrastructure data, IP, or business data, can be hacked or changed by them.
If you remember the attack on RSA or the Comodo RA compromise, those are some examples.
Some of their techniques may not be that advanced, but they can use sophisticated attacks in conjunction with simple, effective attacks to gain access to sensitive systems.
They are after your crown jewels, your king, and that's your DATA. If your king is standing alone, forget about APTs: even regular hackers or curious insiders could walk away with it. Is your knight really your knight, or is it someone else acting with the knight's credentials?
With a determined opponent who has access to multiple attack vectors, whether through a knight, rook, or queen, you need more than just a firewall of pawns to protect your king, that is, to protect your data, because at any time they could jump over and checkmate you.
So be ready with foolproof security for your IT environment.
Slide 4:
I like to show this slide to let customers know that Oracle has been working in the security space pretty much since day 1. The very first Oracle customers were in the government space. This close working relationship with customers has enabled Oracle to stay at the forefront of database security technology.
And in the past couple of years we've been focusing on delivering Database Vault, Oracle Audit Vault, Transparent Data Encryption, and Data Masking. These have been critical technologies for helping customers meet various security and compliance challenges.
Slide 5:
This slide is based on the 2011 Data Breach Investigations Report. Data breaches still continue to be an issue for most organizations.
Now, this year's report covers approximately 760 data breaches, the largest caseload to date, according to the researchers. That is, the number of breaches still continues to go up.
The report also found that outsiders are responsible for 92 percent of breaches, a significant increase from the 2010 findings, although the total number of insider attacks actually remained relatively constant.
Hacking (50 percent) and malware (49 percent) were the most prominent types of attack, with many of those attacks involving weak or stolen credentials and passwords, the report says.
So small to medium-sized businesses represent prime attack targets for many hackers, who favor highly automated, repeatable attacks against these more vulnerable targets. Companies should be aware of what their employees are using at home, how personal systems are interacting with corporate systems, and what kind of security they have in their IT environment, specifically in their database environment.
One important finding of this report:
"There's a very high correlation between employees who frequently violate security policy and actual breaches and compromises."
Let's move further and understand the bigger picture of database security.
Slide 6:
Most companies have implemented the 3 As at some level, that is: Authentication, Authorization, Auditing.
CLICK
Some still use generic shared accounts, which, while convenient, cannot be used to track the actual user who made the change. Some still grant excessive privileges instead of going through the exercise of least privilege.
This can be very dangerous, as any SQL injection attack or stealing of passwords can be disastrous.
In the end you want to audit your privileged users, but unless you monitor the audit logs, auditing may not be of much use.
A small percentage of the companies do patching.
This means that most others are very vulnerable to attacks. We recommend that in addition to the 3 As and patching, you seriously consider the following:
CLICK
1. A database firewall to reduce the threats from the web users. The firewall can understand the SQL coming through the wire, analyze it, and then determine whether it should be allowed to go to the database. The firewall should also be able to both monitor and block unauthorized traffic, including SQL injection attacks.
CLICK
2. The other threat that you want to handle is the threat from the DBA, or from hackers with DBA password credentials. You want the DBAs to do the job of tuning and managing the system, but you do not want them to view or modify your sensitive data. You also want to ensure that even if someone has the DBA password, they meet other factors before they are given access to the database.
3. Encrypt the database data to reduce the threats from the OS administrator or any other software running on the database machine. As the data gets backed up, you may want to encrypt the backup to reduce threats from inadvertent loss or theft of the tapes. You also want to encrypt the traffic to reduce the risk of someone sniffing the wire. Finally, to reduce the threats from your test or dev teams, you want to mask the data before you give it to them.
4. Now, at the end of the day, you have to allow your privileged users to do their jobs. And of course you trust them, but by auditing their activities throughout the enterprise you can implement the trust-but-verify principle. You may want to collect audit data from throughout your enterprise, analyze the data, raise alerts if needed, and then create reports for your auditors.
Slide 7:
Now we're going to talk a little about the Oracle solutions that are available to help customers secure their data and database infrastructure. We could really spend an hour talking about each one of these.
Let me tell you the concept of Defense in Depth:
Defense in Depth is an Information Assurance (IA) strategy where multiple layers of defense are placed throughout an Information Technology (IT) system; it addresses personnel, technology and operations for the duration of the system's lifecycle.
The idea behind the Defense in Depth approach is that any attacker should have to break through multiple defensive countermeasures in order to successfully hack into the system. This increases the likelihood of being able to identify and prevent an attack from occurring.
Slide 8:
So we are going to start with the Encryption and Masking layer, where we are going to discuss three security options:
Advanced Security Option
Secure Backup and Data Masking
Slide 9:
Let's start with the Advanced Security Option.
Slide 10:
This slide shows the evolution of the Advanced Security Option in Oracle Database.
In the 9i version only network encryption and strong authentication were there.
Strong authentication solutions are a good alternative to traditional password-based authentication.
In Oracle 10g we introduced column TDE and wallet key management.
And with 11g, tablespace TDE, hardware acceleration and some Exadata optimizations were also introduced.
With hardware acceleration, tablespace encryption provides stored data protection with near-zero performance impact by automatically detecting and utilizing the hardware-based cryptographic acceleration available in the new Intel Xeon 5600 CPUs (AES-NI); with this, encryption and decryption are 8 to 10 times faster.
As for the Exadata optimizations, TDE leverages the performance and storage optimizations of the Oracle Exadata Database Machine, including the Smart Flash Cache and Exadata Hybrid Columnar Compression (EHCC).
Slide 11:
Specifically, in Advanced Security you will get three prime security features.
The first one is Transparent Data Encryption:
It enables you to encrypt sensitive data, such as credit card numbers or social security numbers, stored in your tables and tablespaces. Encrypted data is transparently decrypted for a database user or application that has access to the data. So as a security administrator, you can be sure that sensitive data is safe in case the storage media or data file gets stolen.
And the important benefit is that the key management operations are all automated, so the user or application does not need to manage encryption keys.
Another security feature is network encryption.
Network encryption refers to encrypting data as it travels across the network between the client and server. The reason you should encrypt data at the network level, and not just the database level, is
because data can be exposed at the network level even though you have carefully encrypted it in the database.
Let me give you an example: an intruder can use a network packet sniffer to capture information as it travels on the network and then spool it to a file for malicious use. Encrypting data on the network prevents this sort of activity.
Now, strong authentication.
Authentication is used to prove the identity of the user. Oracle Advanced Security enables strong authentication with Oracle authentication adapters that support various third-party authentication services, including SSL with digital certificates.
Slide 12:
Let's discuss more about TDE.
Oracle Advanced Security TDE provides both encryption of application tablespaces and encryption of individual application table columns such as credit card and social security numbers. TDE tablespace encryption eliminates the complexity of identifying and encrypting individual columns and achieves increased efficiency, resulting in higher performance.
Also, Oracle Advanced Security provides a built-in, two-tier key management architecture, consisting of a master encryption key and one or more data encryption keys. The TDE master encryption key is used to encrypt and protect the data encryption keys. The master encryption key can be configured to reside in the Oracle Wallet or in a hardware security module (HSM) from vendors such as Thales, SafeNet, Bull, and Utimaco.
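As an added example (not code from the presentation), here is how the two TDE modes described on slides 10 to 12 are set up and verified in Oracle Database 11g with the Oracle Wallet as the key store. The HR schema, the tablespace name, the data file path and the wallet password are assumptions.

```sql
-- Added example (not from the presentation): TDE in Oracle Database 11g.
-- Assumptions: a wallet location is configured in sqlnet.ora, the tables
-- HR.CUSTOMERS and HR.EMPLOYEES exist, and names/paths/password are placeholders.

-- 1. Create the TDE master encryption key in the wallet (run once, as SYS).
--    This also opens the wallet; data encryption keys are generated per column
--    or tablespace and protected by this master key (the two-tier architecture).
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "wallet_password_placeholder";

-- 2a. Column TDE (10g onwards): encrypt only the sensitive column.
--     NO SALT is required when the column is indexed; otherwise keep the default salt.
ALTER TABLE hr.customers MODIFY (credit_card_no ENCRYPT USING 'AES256' NO SALT);

-- 2b. Tablespace TDE (11g onwards): everything stored in the tablespace is
--     encrypted, so individual sensitive columns need not be identified.
CREATE TABLESPACE secure_ts
  DATAFILE '/u01/oradata/ORCL/secure_ts01.dbf' SIZE 200M
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

-- Move an existing table into the encrypted tablespace; the data is rewritten
-- encrypted during the move. Indexes on the table become UNUSABLE and must be
-- rebuilt afterwards (ALTER INDEX ... REBUILD).
ALTER TABLE hr.employees MOVE TABLESPACE secure_ts;

-- 3. Verification: wallet state, encrypted columns, encrypted tablespaces.
SELECT wrl_type, wrl_parameter, status FROM v$encryption_wallet;
SELECT owner, table_name, column_name, encryption_alg, salt
  FROM dba_encrypted_columns;
SELECT t.name AS tablespace_name, e.encryptionalg, e.encryptedts
  FROM v$encrypted_tablespaces e JOIN v$tablespace t ON t.ts# = e.ts#;

-- 4. After an instance restart the wallet must be opened again (an auto-login
--    wallet does this for you); until then access to encrypted data fails with
--    ORA-28365 "wallet is not open", which is also what a thief of the data
--    files sees without the wallet.
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "wallet_password_placeholder";
```

The check queries are what a practitioner runs before declaring a system "encrypted": a column listed in DBA_ENCRYPTED_COLUMNS or a tablespace in V$ENCRYPTED_TABLESPACES is protected; data in any other tablespace is still stored in the clear.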
Slide 13:
Oracle Advanced Security also provide standard-based network encryption for protecting all
communication to and from the Oracle Database. Connections can be rejected from clients that have
encryption turned off. No changes to existing applications are required, so allowing businesses to easily
deploy network encryption.
It also provides strong authentication to the database using Kerberos, PKI or RADIUS. Oracle Advanced
Security interoperates with the Microsoft Kerberos and MIT Kerberos v5. With Oracle Advanced Security,
customers can require their users to plug-in a Smart Card (CAC, HSPD-12) as part of their SSL-based
authentication to the Oracle Database.So just to iterate oracle advanced security:
Oracle Advanced Security provides a complete data encryption solution for data whether the data is at
rest in the database, moving on the network between the application servers and the database, or
backed up or exported. Data is always returned in the clear to authenticated and authorized database
users so there is no application changes required.
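Added example, not from the presentation: the Oracle Net settings that implement "reject clients that have encryption turned off", shown as the sqlnet.ora fragment they belong in, plus the query a DBA can run from a session to confirm which services were actually negotiated. The algorithm choices are assumptions.

```sql
-- Added example (not from the presentation): native network encryption and
-- integrity checking for Oracle Net. The settings live in the server's
-- sqlnet.ora (reproduced here as a comment); the query below verifies a session.
--
--   # sqlnet.ora on the database server (values are example choices)
--   SQLNET.ENCRYPTION_SERVER = REQUIRED          # refuse unencrypted sessions
--   SQLNET.ENCRYPTION_TYPES_SERVER = (AES256)
--   SQLNET.CRYPTO_CHECKSUM_SERVER = REQUIRED     # per-packet tamper detection
--   SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA1)
--
-- REQUIRED on the server side means a client whose sqlnet.ora sets
-- SQLNET.ENCRYPTION_CLIENT = REJECTED cannot connect at all (ORA-12660), which
-- is the "reject clients with encryption turned off" behaviour from the slide.
-- ACCEPTED (the default) would silently let such a client in unencrypted.

-- From any client session: list the Oracle Net services negotiated for this
-- connection. An encrypted session shows banner rows for the encryption
-- service and the crypto-checksumming service naming the algorithm in use;
-- a plain session shows neither, which is the thing to check after rollout.
SELECT network_service_banner
  FROM v$session_connect_info
 WHERE sid = SYS_CONTEXT('USERENV', 'SID');
```

Running the verification query from the application server, rather than from the database host, is the meaningful test: a local bequeath connection never crosses the wire, so it tells you nothing about what the application's sessions look like.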
Slide 14:
Protect all application data quickly and easily: Encrypt the entire tablespace or specific sensitive columns without making any changes to existing applications.
Comprehensive: Transparent encryption can be used for Oracle database traffic, disk backups, and exports.
Cost-effective: Leverage secure, built-in management and integration with industry-leading Hardware Security Modules (HSM) or other enterprise-wide management solutions.
Highest level of identity assurance: Support for PKI, Kerberos, and RADIUS-based strong authentication solutions.
Slide 15:
Let's discuss the features and benefits of Oracle Secure Backup.
Slide 16:
Oracle Secure Backup is centralized tape backup management software protecting the Oracle database and file systems in distributed UNIX, Linux, Windows and Network Attached Storage (NAS) environments.
From one central console, you can easily manage the distributed servers and tape devices within the backup domain.
As Oracle is no longer just a database company, Oracle Secure Backup provides tape backup for application files as well as the database. Integrated with Recovery Manager (RMAN), Oracle Secure Backup provides the media management layer for RMAN backups to tape. Providing complete data protection for your entire environment, OSB is an alternative to expensive media management products.
Using OSB, tape backup management is automated through user-defined policies through the life cycle of the backup tape: from first write, to tape duplication (if any), to rotation between multiple locations (vaulting), and finally re-use upon expiration of the tape.
Oracle database backups provide the fastest database backup to tape (about 25 to 40% faster) due to optimizations, particularly:
Unused block compression: Only used data blocks are backed up (Oracle Database 10g R2)
Backup undo optimization: Only "active" undo data is backed up (Oracle Database 11g R1)
Slide 17: OSB employs a client/server architecture:
Admin server: one per domain; houses the OSB catalog
Client host: any host backed up by OSB
Media server: any host directly attached to a tape device
OSB domain: all hosts that are managed by the admin server. The graphic above would represent one OSB domain.
The Oracle database may reside on any host within the OSB domain.
Slide 18: new features
OSB supports NDMP tape copy, which utilizes the hardware for the tape copy, eliminating the need for data to move back through the media server during the tape copy process. The OSB catalog metadata maintains the same information whether regular or server-less tape duplication is used.
OSB now provides the flexibility to utilize software encryption (OSB client side) or hardware encryption (LTO-4), delivering key management for both.
New support for IPv6: OSB domains can now support both IPv4 and IPv6.
It can filter vaulting moves by tape pool as well as by location. Additional reporting, improved leveraging of library automation, in-transit status location and many more.
Slide 19:
Data is the most important business asset. Oracle Secure Backup delivers comprehensive data protection management with enterprise-class features and Oracle database integration in one complete solution.
Comparable products separately license advanced features; OSB does not. Advanced capabilities are included in the Oracle Secure Backup low-cost, per-tape-drive license, simplifying license management without compromising functionality.
Slide 20:
Here comes the Oracle Data Masking Pack.
Slide 21:
Businesses often need to share sensitive data about business operations or customers to allow in-house developers or offshore testers to perform application development and testing. This has the potential to expose the business, its officers, employees and even their customers to risk. Oracle Enterprise Manager Data Masking Pack can help protect businesses with minimal effort. It provides a comprehensive, easy-to-use solution to share production data with internal and external entities while preventing sensitive or confidential parts of the information from being disclosed to unauthorized parties.
Data Masking Pack provides IT organizations the ability to share copies of production data with other internal and external parties by replacing sensitive or confidential information with realistic but scrubbed data.
So with this, your organization achieves data security compliance through privacy and confidentiality policies on shared production data.
It provides a secure, scalable and automated solution to create test environments from production data using bulk masking.
It enables rapid DBA productivity through the use of application masking templates.
Slide 22:
Data Masking Pack comes with a centralized library of out-of-the-box mask formats for common types of sensitive data, such as credit card numbers, phone numbers, and national identifiers (social security number for the US, national insurance number for the UK). So by leveraging the Format Library, your organization can apply data privacy rules to sensitive data across enterprise-wide databases from a single source and thus ensure consistent compliance with regulations.
It also provides a view where you can see your sample data.
Prior to mask execution, Oracle Data Masking Pack performs several pre-mask validation checks, such as validating that the mask formats match the table data types and checking for space, to ensure that the masking process is error-free.
Compared to traditional masking processes, which are typically slow, Oracle Data Masking Pack uses highly efficient parallelized bulk operations to replace the original sensitive data with masked data.
Because the entire data masking process is done in place, enterprises can be assured of a greater sense of security, knowing that the sensitive data never leaves the database during the masking process.
Slide 23:
Using Oracle Data Masking Pack's search capabilities, information security administrators can quickly search the database to identify sensitive data.
In some applications, the same sensitive data is maintained in multiple tables related by referential (primary key-foreign key) relationships, e.g. employee numbers in a Human Resources application. Oracle Data Masking Pack discovers these relationships and masks all related data elements automatically while preserving referential relationships.
Let's talk about some masking techniques:
Slide 24:
Oracle Data Masking Pack provides a variety of sophisticated masking techniques to meet application requirements while ensuring data privacy. For example:
Condition-based masking: this technique makes it possible to apply different mask formats to the same data set depending on the rows that match the conditions. For example, applying different national identifier masks based on country of origin.
Compound masking: this technique ensures that a set of related columns is masked as a group, so that the masked data across the related columns retains the same relationship, e.g. city, state and zip values need to be consistent after masking.
Deterministic masking: this technique ensures repeatable masked values after a mask run. An enterprise may use this technique to ensure that certain values, e.g. a customer number, get masked to the same value across all databases.
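The following is an added illustration written for this page, not the Data Masking Pack's own code or API (the Pack is driven from Enterprise Manager and discovers the PK/FK relationships for you). It shows the three techniques just described, plus the referential case from slide 23, as plain SQL applied in place to a constructed test copy. Table names, the salt value and the lookup rows are all constructed.

```sql
-- Added example (not from the presentation, and not the Data Masking Pack
-- itself): hand-written SQL illustrating condition-based, compound and
-- deterministic masking on a constructed test copy. Assumes Oracle 11g,
-- EXECUTE on DBMS_CRYPTO, and a salt known only to the masking job.

-- Constructed sample data: a test copy, never the production tables.
CREATE TABLE cust_copy (
  cust_id     NUMBER PRIMARY KEY,
  country     VARCHAR2(2),
  national_id VARCHAR2(20),
  city        VARCHAR2(30),
  state       VARCHAR2(2),
  zip         VARCHAR2(10));
CREATE TABLE order_copy (
  order_id NUMBER PRIMARY KEY,
  cust_id  NUMBER,
  amount   NUMBER,
  CONSTRAINT fk_order_cust FOREIGN KEY (cust_id)
    REFERENCES cust_copy (cust_id) DEFERRABLE INITIALLY DEFERRED);
INSERT INTO cust_copy  VALUES (1001, 'US', '123-45-6789', 'Austin', 'TX', '73301');
INSERT INTO cust_copy  VALUES (1002, 'GB', 'QQ123456C',   'Leeds',  'LS', 'LS1 1AA');
INSERT INTO order_copy VALUES (1, 1001, 250);
INSERT INTO order_copy VALUES (2, 1002, 80);
CREATE TABLE city_lookup (city VARCHAR2(30), state VARCHAR2(2), zip VARCHAR2(10));
INSERT INTO city_lookup VALUES ('Denver', 'CO', '80201');
INSERT INTO city_lookup VALUES ('Boston', 'MA', '02101');
COMMIT;

-- Deterministic masking: a keyed hash of the customer number, so the same
-- input maps to the same masked value in every run and every database, and
-- the mapping cannot be reversed without the salt (placeholder value).
CREATE OR REPLACE FUNCTION mask_id (p_id IN NUMBER) RETURN NUMBER DETERMINISTIC IS
  l_salt CONSTANT VARCHAR2(32) := 'salt_placeholder';
  l_hex  VARCHAR2(40);
BEGIN
  l_hex := RAWTOHEX(DBMS_CRYPTO.HASH(UTL_RAW.CAST_TO_RAW(l_salt || TO_CHAR(p_id)),
                                     DBMS_CRYPTO.HASH_SH1));
  -- keep masked ids in a range that cannot collide with real ids
  RETURN 900000 + MOD(TO_NUMBER(SUBSTR(l_hex, 1, 8), 'XXXXXXXX'), 100000);
END;
/

-- Condition-based masking: one column, a different format per country.
UPDATE cust_copy SET national_id =
  CASE country
    WHEN 'US' THEN TO_CHAR(TRUNC(DBMS_RANDOM.VALUE(100, 1000)), 'FM000') || '-'
                || TO_CHAR(TRUNC(DBMS_RANDOM.VALUE(10, 100)), 'FM00')    || '-'
                || TO_CHAR(TRUNC(DBMS_RANDOM.VALUE(1000, 10000)), 'FM0000')
    WHEN 'GB' THEN 'AB' || TO_CHAR(TRUNC(DBMS_RANDOM.VALUE(100000, 1000000)), 'FM000000') || 'C'
    ELSE RPAD('X', LENGTH(national_id), 'X')
  END;

-- Compound masking: city, state and zip are replaced together from a single
-- lookup row, so the three masked values stay consistent with each other.
UPDATE cust_copy c
   SET (city, state, zip) =
       (SELECT city, state, zip
          FROM (SELECT l.*, ROW_NUMBER() OVER (ORDER BY city) AS rn FROM city_lookup l)
         WHERE rn = MOD(c.cust_id, 2) + 1);

-- Deterministic masking across a PK/FK pair: both sides are rewritten with the
-- same function in one transaction; the deferred constraint is checked at
-- COMMIT, by which time the relationship holds again.
UPDATE cust_copy  SET cust_id = mask_id(cust_id);
UPDATE order_copy SET cust_id = mask_id(cust_id);
COMMIT;

-- Check: every order still joins to exactly one (masked) customer.
SELECT o.order_id, c.cust_id, c.country, c.national_id, c.city, c.state, c.zip
  FROM order_copy o JOIN cust_copy c ON c.cust_id = o.cust_id;
```

Two design points carry over to any masking job: the deterministic mask must be keyed (a plain hash of a small id space can be brute-forced back to the original), and referential masking has to rewrite every table holding the key inside one transaction, which is exactly the relationship discovery the Pack automates.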
Slide 25:
So with this we have completed the last layer of defense, and now the 3rd layer of defense, in which we are going to talk about the Database Vault and Label Security solutions.
Slide 26:
Let's start with Oracle Database Vault, another security product for protecting applications and sensitive data.
Slide 27:
Oracle Database Vault provides 6 key pieces of security functionality. The concept of a REALM is the most important. You can think of a REALM as a protection boundary or firewall you define inside the database. Realms are easy to define and, once in place, they prevent powerful users such as the DBA from getting at application data.
Multi-Factor Authorization is another extremely important addition provided by Database Vault. Some of you may be familiar with the term multi-factor authentication. Multi-factor authorization is similar in that it enables a series of security checks prior to giving access to a database, application or application table. For example, you can tell Database Vault to check things like IP address and time of day before giving access to the database, application or a specific Realm; it's very flexible.
The security behind Database Vault is managed by a security account and not by the Oracle DBA or SYSDBA. This provides separation of duty, meaning the DBA isn't the one who controls the REALMS, FACTORS and so forth.
Command rules are another important addition. They enable rules to be associated with database commands; the rule is evaluated prior to allowing the command to execute, a powerful feature.
Oracle Database Vault also provides auditing, so that you can track when a REALM has blocked someone from attempting to access an application. In addition, over 3 dozen security-related reports are provided out-of-the-box.
Slide 28:
Let's first take a look at Database Vault Realms. Here we have a database; let's assume that this is a consolidated database. As you would expect, you have the DBA as well as several other applications; here we've included an HR and a Financial application.
One of the problems faced in this type of situation is that the DBA can, if he or she wished to do so, use their powerful privileges to take a look at application data. CLICK
Even the possibility of this happening can be prevented using Database Vault Realms. CLICK
Simply place a Realm around the HR application and the DBA will no longer be able to use his powerful privileges to access the application. CLICK
Another situation. Application owners tend to have very powerful privileges. In a consolidated environment, it's very likely that you'll have more than one application and thus several powerful users in the database above and beyond the DBA. In this example, it's possible for the HR DBA to look at the Financial application data. CLICK Obviously this wouldn't be a good situation, especially if it was during the financial reporting quiet period. Using a Database Vault Realm, CLICK
the Financial application can be protected from powerful application owners.
CLICK
Summary: Realms can be easily applied to existing applications and with minimal performance impact.
Slide 29 (see the slides carefully and click):
In addition to Realms, Database Vault also delivers Command Rules and Multi-Factor Authorization.
Command Rules provide the ability to instruct the database to evaluate conditions prior to allowing a database command to execute.
Combined with Multi-Factor Authorization, this provides an extremely powerful tool to limit and restrict access to databases and applications.
Let's take another example. Here I'm showing a database with a single application and the DBA. One of the common problems customers have faced from a compliance perspective is unauthorized activity in the database.
This may mean that additional database accounts or application tables have been created. This can raise alarms with auditors because it can point toward lax internal controls.
Using a command rule, Database Vault gives the ability to control the conditions under which a command is allowed to execute. For example, a command rule can be associated with the database ALTER SYSTEM command.
CLICK
Perhaps your policy states that all ALTER SYSTEM commands have to be executed from a connection originating from the server hosting the database. The command rule can check the IP address and reject the command.
CLICK
So the rule based on IP address blocks the action. CLICK
Perhaps a powerful application DBA creates a new table; command rules combined with multi-factor authorization can block this action.
CLICK
In summary, command rules and multi-factor authorization provide the flexibility to meet operational security requirements.
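Added example (not the presentation's or Oracle's own code): the two scenarios above, a Realm around the HR application and an ALTER SYSTEM command rule tied to the client IP factor, expressed with the Database Vault 11g DBMS_MACADM API. Realm and rule names, the HR schema and the server address 10.0.0.5 are assumptions.

```sql
-- Added example (not from the presentation): Database Vault 11g configuration
-- for a Realm plus an ALTER SYSTEM command rule, run as the Database Vault
-- owner account (not SYS or the DBA, which is the separation of duty point).
-- Names, schema and IP address are placeholders.

-- 1. Realm around HR: system privileges such as SELECT ANY TABLE held by the
--    DBA no longer reach objects inside the realm; only realm-authorised
--    accounts can use them there.
BEGIN
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'HR Application Realm',
    description   => 'Protects the HR schema from privileged users',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);   -- record blocked attempts
  -- '%' / '%': every object of every type owned by HR
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'HR Application Realm',
    object_owner => 'HR', object_name => '%', object_type => '%');
  -- HR itself is the only authorised account; OWNER lets it also manage
  -- (create/alter/drop) objects inside the realm.
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'HR Application Realm',
    grantee       => 'HR',
    rule_set_name => NULL,
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_OWNER);
END;
/

-- 2. Command rule: ALTER SYSTEM only from the database server itself.
--    DVF.F$CLIENT_IP is the default Client_IP factor; a local bequeath
--    connection has no client IP, and 10.0.0.5 stands in for the host's own
--    address. Anything else (e.g. a stolen DBA password used from a laptop)
--    fails with the message below and is written to the DV audit trail.
BEGIN
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Connection Is Local',
    rule_expr => 'DVF.F$CLIENT_IP IS NULL OR DVF.F$CLIENT_IP = ''10.0.0.5''');
  DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'Alter System From Server Only',
    description     => 'ALTER SYSTEM must originate on the database host',
    enabled         => DBMS_MACUTL.G_YES,
    eval_options    => DBMS_MACUTL.G_RULESET_EVAL_ALL,
    audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
    fail_options    => DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => 'ALTER SYSTEM is only permitted from the database server',
    fail_code       => 20999,
    handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);
  DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'Alter System From Server Only',
    rule_name     => 'Connection Is Local');
  -- '%' owner/object: applies to every ALTER SYSTEM statement
  DBMS_MACADM.CREATE_COMMAND_RULE(
    command       => 'ALTER SYSTEM',
    rule_set_name => 'Alter System From Server Only',
    object_owner  => '%',
    object_name   => '%',
    enabled       => DBMS_MACUTL.G_YES);
END;
/

-- 3. Verification: the definitions, and the violations the realm/rule recorded.
SELECT name, enabled, audit_options FROM dvsys.dba_dv_realm;
SELECT command, rule_set_name, enabled FROM dvsys.dba_dv_command_rule;
SELECT username, action_name, action_object_name, returncode, timestamp
  FROM dvsys.audit_trail$
 ORDER BY timestamp DESC;
```

Test the rule set from a non-local session before enabling it broadly (the ENABLED flag can be flipped with DBMS_MACADM.UPDATE_RULE_SET), and keep the realm audit on: a DBA account suddenly generating realm violations is exactly the "someone else acting with the knight's credentials" signal from slide 3.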
Slide 30:
Benefits:
Pro-actively safeguard application data stored in the Oracle database: Restrict access by unauthorized database users, even privileged users, by using powerful access controls built into the Oracle database.
Address regulatory requirements: Implement separation-of-duty and other real-time preventive controls.
Restrict ad-hoc access to application data: Prevent application bypass with multi-factor policies that are enforced in the database for high security and performance.
Deploy with confidence: Use certified default policies for Oracle E-Business Suite, Oracle PeopleSoft, and Oracle Siebel CRM applications.
Slide 31:
Let's move forward and discuss the features and role of Label Security.
Slide 32:
Oracle Label Security is the industry's most advanced label-based access control product. Label Security was originally developed for Oracle's government customers to support multi-level security (MLS).
Oracle Label Security provides the ability to transparently mediate access based on data labels and a user label. The data labels and user labels are stored in a secure dictionary inside the Oracle database or centrally within Oracle Identity Management.
This example shows a simple set of labels and two groups of users with user labels ranging from Sensitive to Highly Sensitive.
Today Oracle Label Security is used by customers outside government and defense to address various security requirements related to securing privacy-related information or complying with compliance mandates.
Some of the really nice features of Oracle Label Security are that it provides a flexible, policy-based architecture and a variety of enforcement options, such as controlling select operations only, or select and update operations. It also provides numerous built-in privileges that allow Oracle Label Security to adapt to most customer requirements. There's also a complete API that allows Oracle Label Security to be used in very innovative ways.
Slide 33:
So Oracle Label Security adds extensive protection for sensitive information by enabling row-level access control: it controls access to the contents of a row by comparing that row's label with a user's label and privileges.
Administrators can easily add selective row-restrictive policies to existing databases by means of the user-friendly graphical interface provided by EM Database Control.
So a label security administrator defines a set of labels for data and users, along with authorizations for users and program units, which govern access to specific protected objects.
Slide 34: User labels can also be used inside Database Vault as Factors; these factors become components for multi-factor authorizations. So, for example, the privilege to execute a certain command (like DROP TABLE) is only allowed when the user's clearance dominates a certain minimum (for example, at least Sensitive), and when the database is accessed from a certain network subnet, which indicates that the user is in the office and not in some random, insecure Internet café.
Likewise, VPD policies can determine if columns should be hidden or shown based on user clearance labels.
The current working label can be displayed in an informative section of an application web page, for example to avoid trouble tickets when users claim they can't see information they expect to see.
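Added example, not from the presentation: an Oracle Label Security 11g policy with the Sensitive and Highly Sensitive levels from slide 32, applied to a constructed HR table, two users cleared to different levels, and the session label reused in a Database Vault rule as slide 34 describes. Policy, table and user names are assumptions.

```sql
-- Added example (not from the presentation): Oracle Label Security 11g.
-- Run the policy steps as a user holding the LBAC_DBA role; the HR schema,
-- the users ANALYST and AUDITOR, and all names are placeholders.

-- 1. The policy. ROW_LABEL is the label column added to each protected table;
--    READ_CONTROL mediates SELECT and WRITE_CONTROL mediates DML.
BEGIN
  SA_SYSDBA.CREATE_POLICY(
    policy_name     => 'HR_POLICY',
    column_name     => 'ROW_LABEL',
    default_options => 'READ_CONTROL,WRITE_CONTROL');
END;
/
-- 2. Levels (a higher number dominates a lower one) and the labels built from them.
BEGIN
  SA_COMPONENTS.CREATE_LEVEL('HR_POLICY', 1000, 'S',  'SENSITIVE');
  SA_COMPONENTS.CREATE_LEVEL('HR_POLICY', 2000, 'HS', 'HIGHLY_SENSITIVE');
  SA_LABEL_ADMIN.CREATE_LABEL('HR_POLICY', 10, 'S',  TRUE);
  SA_LABEL_ADMIN.CREATE_LABEL('HR_POLICY', 20, 'HS', TRUE);
END;
/
-- 3. Constructed data, then attach the policy to the table.
CREATE TABLE hr.emp_salary (emp_id NUMBER, salary NUMBER);
INSERT INTO hr.emp_salary VALUES (1, 52000);
INSERT INTO hr.emp_salary VALUES (2, 310000);
COMMIT;
BEGIN
  SA_POLICY_ADMIN.APPLY_TABLE_POLICY(
    policy_name => 'HR_POLICY', schema_name => 'HR', table_name => 'EMP_SALARY');
  -- HR needs the FULL policy privilege to label existing rows regardless of
  -- its own clearance
  SA_USER_ADMIN.SET_USER_PRIVS('HR_POLICY', 'HR', 'FULL');
END;
/
-- Classify the rows (as HR): ordinary salaries are Sensitive, the executive
-- row is Highly Sensitive.
UPDATE hr.emp_salary SET row_label = CHAR_TO_LABEL('HR_POLICY', 'S')  WHERE emp_id = 1;
UPDATE hr.emp_salary SET row_label = CHAR_TO_LABEL('HR_POLICY', 'HS') WHERE emp_id = 2;
COMMIT;

-- 4. User clearances: ANALYST may read up to S, AUDITOR up to HS.
--    SELECT * FROM hr.emp_salary now returns one row for ANALYST and both
--    rows for AUDITOR, with no change to the application's SQL.
BEGIN
  SA_USER_ADMIN.SET_USER_LABELS('HR_POLICY', 'ANALYST', 'S');
  SA_USER_ADMIN.SET_USER_LABELS('HR_POLICY', 'AUDITOR', 'HS');
END;
/

-- 5. Slide 34: reuse the session label inside Database Vault (requires DV to be
--    installed; run as the DV owner). SA_SESSION.LABEL returns the current
--    session label; with only two levels, "= 'HS'" is the clearance check, and
--    the rule can be combined with a Client_IP rule in one rule set.
BEGIN
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Clearance Is Highly Sensitive',
    rule_expr => 'SA_SESSION.LABEL(''HR_POLICY'') = ''HS''');
END;
/
```

Add HIDE to the policy options if applications must not see the ROW_LABEL column in SELECT *, and remember that rows left with a NULL label after APPLY_TABLE_POLICY are not readable through the policy, so classifying every existing row is part of the rollout, not an afterthought.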
Slide 35:
Restricts access to those with appropriate clearance: Allows administrators to classify every row in a table, ensuring access to sensitive data is restricted to users with the appropriate clearance level.
Enforces regulatory compliance: Provides a policy-based administration model that enables organizations to establish custom data classification schemes for implementing "need-to-know" access for their applications.
Flexible: Labels can be used as factors within Oracle Database Vault command rules for multi-factor authorization policies. Oracle Label Security integrates with Oracle Identity Management, enabling centralized management of policy definitions, and is part of Oracle's comprehensive portfolio of database security solutions.
Slide 36:
So with this we have covered two layers: Encryption and Masking, and another layer, Access Control.
And now we are entering the 2nd layer of defense:
Here we will talk about Oracle Audit Vault and Total Recall.
Slide 37: Satisfying compliance regulations and mitigating security risks are two of the top security challenges businesses face today. Let's see what Audit Vault provides to meet these challenges.
these challenges by ensuring complete, secure, and easy tracking, retention and management of all your historical data.
Slide 43:
Organizations spend a large amount of time and money making sure that their applications correctly track history such as sales, payments etc., leaving the rest of their data without full contextual history. Total Recall provides change tracking for any of your application data. You just turn it on and the database automatically tracks the before and after values. The change history is maintained in a very efficient, tamper-resistant archive within the database and is easily accessible via SQL.
This capability is critical not just for forensic analysis but also for regulations like SOX that require tracking changes to certain kinds of information.
The Oracle Total Recall option securely tracks and queries historical data for any database table, without the cost or performance impact, with the help of the Flashback Data Archive.
FDA is a logical container for managing historical information. Because of FDA it is possible to automatically and transparently track all of the changes to any set of tables in Oracle Database 11g, and you can query data in those tables as of any point in time or over any interval within the specified retention period, with minimal performance impact.
Slide 44:
As I said, Oracle Total Recall can transparently track historical changes to all data stored in an Oracle database in a very secure and efficient manner.
This is a great complement to auditing. With Total Recall you can take snapshots of all data changes.
Total Recall has been optimized to minimize the overhead of tracking changes and the amount of storage required to store the change data in the database itself, in order to allow seamless real-time access to the historical data. The historical data is completely protected from accidental or malicious update by end users. That means that no one, not even administrators, can update historical data directly.
So you can configure historical data capture in a matter of minutes, and it will provide your customers with a centralized and seamlessly queryable historical data store that makes the most efficient use of all your resources, be it CPU, storage or admin time, and reduces your cost of compliance. You use Flashback Data Archive in the same manner as other Flashback features to view or restore the data as of a time (or time range) in the past.
One of the main new features in 11g Release 2 enables the schema of a tracked table to evolve, and Total Recall will automatically adjust accordingly.
There is no limit on how long you can store the historical data, as this data is stored in the database itself. So, if you want to store the history for 7 years or more, go ahead. Total Recall can handle any retention period your business requires. And you can query data as of any point in time in the past by simply using the AS OF SQL clause.
Slide 45:
Total Recall 11g Release 2 has 3 main areas of enhancements:
1. We allow more table alterations than before.
2. Flashback queries support altered tables in the archive.
3. Performance has been improved.
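The following is an added worked example, not code from the presentation or from Oracle's own material, showing the Flashback Data Archive workflow described above: creating the archive with a long retention, enabling tracking on a table, reading a row as it was in the past with AS OF, listing every version of a row over an interval, and the 11g Release 2 ability to alter a tracked table. The archive name fda_hr, the tablespace fda_ts, the hr.employees table and the employee_id values are assumptions for illustration.

```sql
-- Added example (not from the presentation). Names below are assumed:
-- archive fda_hr, tablespace fda_ts, table hr.employees.

-- 1. Create the logical container for history with a 7-year retention.
--    The database purges rows older than the retention automatically.
--    Needs the FLASHBACK ARCHIVE ADMINISTER system privilege.
CREATE FLASHBACK ARCHIVE fda_hr
  TABLESPACE fda_ts
  QUOTA 10G
  RETENTION 7 YEAR;

-- 2. Turn tracking on for a table. From here on every committed change
--    is captured transparently; no triggers or application changes.
ALTER TABLE hr.employees FLASHBACK ARCHIVE fda_hr;

-- 3. A change that should leave a trail (assumed employee_id 100).
UPDATE hr.employees SET salary = salary * 1.5 WHERE employee_id = 100;
COMMIT;

-- 4. Read the row as it was before the change using the AS OF clause.
SELECT employee_id, salary
FROM   hr.employees AS OF TIMESTAMP (SYSTIMESTAMP - INTERVAL '10' MINUTE)
WHERE  employee_id = 100;

-- 5. Every version of the row over an interval, with the operation type
--    and the transaction id that produced it (forensic view of changes).
SELECT versions_starttime,
       versions_endtime,
       versions_operation,
       versions_xid,
       salary
FROM   hr.employees
       VERSIONS BETWEEN TIMESTAMP (SYSTIMESTAMP - INTERVAL '1' DAY)
                    AND MAXVALUE
WHERE  employee_id = 100
ORDER  BY versions_starttime;

-- 6. 11g Release 2: schema evolution on a tracked table is allowed and
--    the archive adjusts; earlier releases rejected such DDL.
ALTER TABLE hr.employees ADD (cost_center VARCHAR2(10));

-- 7. Verify which tables are tracked and where their history lives.
--    The internal history table named in archive_table_name cannot be
--    modified with direct DML, even by a DBA.
SELECT owner_name,
       table_name,
       flashback_archive_name,
       archive_table_name,
       status
FROM   dba_flashback_archive_tables;

-- 8. To stop tracking (history for the table is dropped with it):
-- ALTER TABLE hr.employees NO FLASHBACK ARCHIVE;
```

When pointing this at a real instance, run step 4 only after enough time has passed for the AS OF timestamp to fall after step 2: Flashback Query cannot see back before tracking was enabled, and before that it relies on undo data alone.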
Slide 46:
So now, the first line of defense:
Oracle Database Firewall
Slide 47:
Oracle Database Firewall acts as the first line of defense for databases.
Slide 48:
Oracle Database Firewall is an active, real-time database firewall solution that provides white list, black
list and exception list policies, intelligent and accurate alerts, and monitoring with very low management
and administrative costs. Oracle Database Firewall is independent of the database configuration and operation. This independent
boundary of protective shielding helps reduce the risk of data loss and helps organizations manage an
ever-changing landscape of regulations.
Unlike traditional SQL firewalls that rely on identifying out-of-policy SQL using strategies such as
regular expressions, string matching and schema comparison, Oracle Database Firewall delivers
intelligent database firewall security based on SQL grammar analysis, enabling policies to be set and adapted quickly and accurately.
Organizations can choose to deploy Oracle Database Firewall in blocking mode as a database policy
enforcement system to protect their database assets, or to just monitor database activity for
supplemental auditing and compliance purposes.
Oracle Database Firewall monitors data access, enforces access policies, highlights anomalies and helps
protect against network-based attacks originating from outside or inside the organization.
Attacks based on SQL injection can be blocked by comparing SQL against the approved white list of application SQL: an injected statement has a different grammatical structure from the statements the application normally sends, so it does not match the list. Oracle Database Firewall is unique and offers organizations a first line of defense,
protecting databases from threats and helping meet regulatory compliance requirements.
Slide 49:
Oracle Database Firewall enforces zero-defect database security policies using a white list security
model. The white list policy is a set of approved SQL statements that can be sent to the database.
Oracle Database Firewall compares SQL traffic with the approved white list and then, based upon the
policy, chooses to block, substitute or alert on the SQL statement.
The Oracle Database Firewall baseline can be configured to block all out-of-policy events. This can be
implemented as:
Block the SQL statement
Modify the request using SQL statement substitution
Alert on all out-of-policy SQL statements, in addition to or in lieu of blocking
Slide 50:
In addition to the white list (positive security enforcement) model, Oracle Database Firewall also supports
a black list model that enables policies to specify blocking of specific SQL statements. As with white list
policies, black list policies can be configured to allow or block specific statements based on factors such as IP
address, time of day and program.
Slide 51:
The Oracle Database Firewall Management Server centrally manages Oracle Database
Firewall policies, consolidates data from the Oracle Database Firewalls, stores database
activity data, and provides dozens of out-of-the-box reports. The management dashboard of Oracle Database Firewall gives you great
flexibility for policy management, delivering simple and easy-to-use policy management tools
that build upon the strengths of the SQL grammar-based analysis approach.
Then there is reporting, in which dozens of predefined reports can be used for Sarbanes-Oxley (SOX),
Payment Card Industry Data Security Standard (PCI DSS), Health Insurance Portability and
Accountability Act (HIPAA) and other privacy and compliance regulations.
You can also customize the existing reports and add new ones.
User Role Auditing, which allows customers to audit and approve changes to user roles in the
databases on a specified database server.
Slide 52:
So with this we have covered all the database security solutions that make up the defense-in-depth approach,
and now let's summarize them.
Slide 53:
So all the solutions we discussed today are integrated with your database and are transparent, so no
changes are required to your existing applications or infrastructure, making them all very cost effective.
As I already mentioned, data breach investigations have shown that security controls must be multi-
layered to protect against threats that range from account misuse to SQL injection attacks.
In addition, the ever-changing regulatory landscape and renewed focus on privacy demonstrate the
need for solutions that are transparent and cost effective to deploy.
Oracle Advanced Security and Oracle Database Vault provide encryption and access controls to prevent
account misuse from outside or inside the Oracle database.
Oracle Audit Vault and Oracle Database Firewall provide detailed audit and monitoring capabilities,
including the ability to monitor both Oracle and non-Oracle databases and to prevent SQL injection attacks
from reaching the database.
Slide 54:
On this note I conclude this session. Thank you all for your attention, and now we turn it over to Q&A.