Database Security: Why the long face?
James Anthony
eDBA 2010
About e-DBA
Founded 1998
Highest level Certified Platinum Partner status
Oracle Technology Partner of the Year 2010
Oracle User Group Award Winner 2010 x 4
System Administration & Management
Database 7 > 11g
Development: APEX
Database Security
Oracle Software Management
Agenda
Database-Centric Information Security
Database Security
Oracle Database Security Solutions
Defense-in-Depth
Q&A
SAS 70 AUS/PRO
Only 21% uniformly encrypting PII in all databases
Only 20% uniformly encrypt database traffic
Only 12% uniformly encrypt database backups/exports
50% not aware of all databases with sensitive data
48% say database users could access data directly
70% use native auditing, only 18% automate monitoring
61% cannot prevent DBAs from reading or tampering with sensitive data
67% cannot detect if they were
Non-default & Strong Passwords
Centralized Credentials for all users (esp. Privileged Users)
User Lifecycle Management
Strong Authentication
Secure Configuration (best practice)

Privileged User Controls
Reduction in shared account usage
Who, When, Where, How?
Data Classification
Row and Column level control

Data at Rest
Data in Motion
Masking of Data in Live and Test
Dump File Encryption
Backup Encryption

Auditing at database level
Targeted Auditing (e.g. high value)
Audit Consolidation
Pro-active alerting
Audit data protection
Attestation of policy compliance
Change Discipline and Detection
DBA, Developer or Application User: Directory Services provides central authentication (diagram: CRM and DEV databases)
Database Defense-in-Depth
Monitoring: Configuration Management, Audit Vault, Total Recall
Access Control: Database Vault, Label Security
Encryption & Masking
Encryption & Masking
(diagram: Application, Exports, Off-Site Facilities)
Complete encryption for data at rest
No application changes required
Efficient encryption of all application data
Built-in key lifecycle management
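The bullets above describe Oracle Transparent Data Encryption (TDE). The following is an added worked example, not code from the e-DBA deck: the 11g statements a DBA runs to set up a wallet, encrypt at column and at tablespace level, and verify the result. The wallet path, password, tablespace, table and column names are illustrative assumptions.

```sql
-- Added example, not from the e-DBA deck: Oracle 11g Transparent Data
-- Encryption (TDE), the feature behind the "data at rest" bullets above.
-- Wallet path, password, tablespace, table and column names are
-- illustrative assumptions.

-- 0. Server-side sqlnet.ora must name the wallet directory, e.g.
--      ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=FILE)
--        (METHOD_DATA=(DIRECTORY=/u01/app/oracle/admin/ORCL/wallet)))
--    The wallet holds the master key that wraps every table and tablespace
--    key: restrict the directory to the oracle OS user and back it up
--    separately from the datafiles (never on the same tape).

-- 1. Create the master key (this also creates the wallet) and open it.
--    The wallet must be opened after every instance restart unless an
--    auto-login wallet is configured; until then encrypted columns and
--    tablespaces raise ORA-28365, which is the intended failure mode.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "Str0ng-Wallet-Passw0rd!";
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "Str0ng-Wallet-Passw0rd!";

-- 2a. Column TDE: only the sensitive columns of an existing table.
--     NO SALT is required on an indexed column (NI_NUM has a unique index),
--     at the cost of equal plaintexts giving equal ciphertexts; columns
--     that take part in a foreign key cannot be column-encrypted at all.
ALTER TABLE hr.employees
  MODIFY (ni_num ENCRYPT USING 'AES256' NO SALT,
          salary ENCRYPT USING 'AES256');

-- 2b. Tablespace TDE: everything stored in the tablespace, indexes and
--     LOBs included, is encrypted with no column-type restrictions.
--     MOVE leaves the table's indexes UNUSABLE, so rebuild them.
CREATE TABLESPACE secure_ts
  DATAFILE '/u02/oradata/ORCL/secure_ts01.dbf' SIZE 500M
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

ALTER TABLE finance.customers MOVE TABLESPACE secure_ts;
ALTER INDEX finance.customers_pk REBUILD TABLESPACE secure_ts;

-- 3. Exports and backups (the Exports / Off-Site Facilities boxes in the
--    diagram) reuse the same wallet, so the data stays encrypted end to end:
--      expdp ... ENCRYPTION=ALL ENCRYPTION_MODE=TRANSPARENT
--      RMAN> CONFIGURE ENCRYPTION FOR DATABASE ON;
--      RMAN> CONFIGURE ENCRYPTION ALGORITHM 'AES256';

-- 4. Verify: wallet state, encrypted columns, encrypted tablespaces.
SELECT wrl_type, wrl_parameter, status FROM v$encryption_wallet;

SELECT owner, table_name, column_name, encryption_alg, salt
FROM   dba_encrypted_columns;

SELECT tablespace_name, encrypted
FROM   dba_tablespaces
WHERE  encrypted = 'YES';
```

TDE defends against stolen datafiles, dump files and backup tapes. It does nothing against a connected account that already holds SELECT on the table, which is why the deck pairs it with access control and auditing rather than presenting it alone.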
Standards-based encryption for data in transit
Strong authentication of users and servers
No infrastructure changes required
Easy to implement
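As an added example (not from the deck), the sqlnet.ora settings that turn on Oracle native network encryption for the "data in transit" bullets, with the weak default beside the hardened form, and two queries that check from inside the database that sessions really negotiated it. The parameter values are the usual hardening choices and are assumptions for the example.

```sql
-- Added example, not from the e-DBA deck: Oracle Native Network Encryption.
-- The parameters below go in $ORACLE_HOME/network/admin/sqlnet.ora on the
-- database server; the values chosen are assumptions for illustration.
--
--   weak / default (nothing is negotiated unless the client asks for it):
--     SQLNET.ENCRYPTION_SERVER            = ACCEPTED
--     SQLNET.CRYPTO_CHECKSUM_SERVER       = ACCEPTED
--
--   hardened (refuse any client that will not encrypt and integrity-protect;
--   list only strong algorithms so MD5 and DES are never negotiated):
--     SQLNET.ENCRYPTION_SERVER            = REQUIRED
--     SQLNET.ENCRYPTION_TYPES_SERVER      = (AES256)
--     SQLNET.CRYPTO_CHECKSUM_SERVER       = REQUIRED
--     SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA1)
--
-- REQUIRED on the server needs no client change: a client left at the
-- default ACCEPTED negotiates upward, which is the "no infrastructure
-- changes" claim on the slide. Verify it from the database rather than
-- trusting the file:

-- My own session: expect one banner line for the encryption adapter and
-- one for the crypto-checksum adapter.
SELECT network_service_banner
FROM   v$session_connect_info
WHERE  sid = SYS_CONTEXT('USERENV', 'SID');

-- Every user session that negotiated no encryption adapter at all.
-- Local bequeath (IPC) sessions show up here too, since they carry no
-- network banners; anything with a remote MACHINE is a real finding.
SELECT s.sid, s.username, s.machine, s.program
FROM   v$session s
WHERE  s.type = 'USER'
AND    NOT EXISTS (
         SELECT 1
         FROM   v$session_connect_info ci
         WHERE  ci.sid = s.sid
         AND    ci.network_service_banner LIKE '%Encryption service%')
ORDER  BY s.username, s.machine;
```

Run the second query before flipping the server to REQUIRED: it lists exactly the clients that will fail to connect afterwards.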
Secure data archival to tape or cloud
Easy to administer key management
Fastest Oracle Database tape backups
Leverage low-cost cloud storage
Non-Production
LAST_NAME  NI_NUM     SALARY
           AD124578A  60,000
           BC985412R  40,000

Remove sensitive data from non-production databases
Referential integrity preserved so applications continue to work
Sensitive data never leaves the database
Extensible template library and policies for automation
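To make the "referential integrity preserved" bullet concrete, here is an added example that is not the deck's and not the Oracle Data Masking Pack's code: a hand-rolled, deterministic masking pass run on a cloned non-production database. It assumes a schema HR with EMPLOYEES(EMP_ID, LAST_NAME, NI_NUM, SALARY), a unique NI_NUM, and a child table PENSION_CONTRIB(NI_NUM, ...) whose foreign key PENSION_CONTRIB_EMP_FK references EMPLOYEES.NI_NUM; all of these names are assumptions.

```sql
-- Added example, not from the deck and not the Oracle Data Masking Pack:
-- a hand-rolled, deterministic masking pass on a freshly cloned
-- non-production database. Assumed schema: HR.EMPLOYEES(EMP_ID, LAST_NAME,
-- NI_NUM, SALARY) with a unique NI_NUM, and HR.PENSION_CONTRIB(NI_NUM, ...)
-- whose foreign key PENSION_CONTRIB_EMP_FK references EMPLOYEES.NI_NUM.
-- Run on the clone only, never on production.

-- 1. One-to-one substitution map for every distinct NI number. The same
--    real value always maps to the same fake value, so the parent/child
--    join still works after masking. The fake value is derived from a
--    random row number, never from the real value, so it cannot be
--    reversed without the map.
CREATE TABLE hr.ni_map (
  real_ni VARCHAR2(9) PRIMARY KEY,
  fake_ni VARCHAR2(9) NOT NULL UNIQUE
);

INSERT INTO hr.ni_map (real_ni, fake_ni)
SELECT ni_num,
       -- same shape as the real format (AD124578A): 2 letters, 6 digits, 1 letter
       CHR(65 + MOD(rn, 26)) || CHR(65 + MOD(rn * 7, 26)) ||
       LPAD(TO_CHAR(rn), 6, '0') ||
       CHR(65 + MOD(rn * 11, 26))
FROM  (SELECT ni_num, ROW_NUMBER() OVER (ORDER BY DBMS_RANDOM.VALUE) AS rn
       FROM  (SELECT DISTINCT ni_num FROM hr.employees WHERE ni_num IS NOT NULL));

-- 2. Rewrite parent and child through the map. The FK is disabled for the
--    duration and re-enabled with VALIDATE, which proves nothing was orphaned.
ALTER TABLE hr.pension_contrib DISABLE CONSTRAINT pension_contrib_emp_fk;

UPDATE hr.employees e
SET    e.ni_num = (SELECT m.fake_ni FROM hr.ni_map m WHERE m.real_ni = e.ni_num)
WHERE  e.ni_num IS NOT NULL;

UPDATE hr.pension_contrib p
SET    p.ni_num = (SELECT m.fake_ni FROM hr.ni_map m WHERE m.real_ni = p.ni_num)
WHERE  p.ni_num IS NOT NULL;

ALTER TABLE hr.pension_contrib ENABLE VALIDATE CONSTRAINT pension_contrib_emp_fk;

-- 3. Non-key columns: shuffle salaries across rows so the distribution
--    (and any report totals the testers rely on) is kept while the link
--    between a person and their pay is broken; replace surnames with
--    random tokens, since names need no join consistency here.
MERGE INTO hr.employees e
USING (SELECT a.emp_id, b.salary AS new_salary
       FROM  (SELECT emp_id, ROW_NUMBER() OVER (ORDER BY emp_id) AS rn
              FROM   hr.employees) a
       JOIN  (SELECT salary, ROW_NUMBER() OVER (ORDER BY DBMS_RANDOM.VALUE) AS rn
              FROM   hr.employees) b ON a.rn = b.rn) s
ON (e.emp_id = s.emp_id)
WHEN MATCHED THEN UPDATE SET e.salary = s.new_salary;

UPDATE hr.employees
SET    last_name = INITCAP(DBMS_RANDOM.STRING('l', 8));

COMMIT;

-- 4. Check, then destroy the map: while it exists it is a real-to-fake
--    lookup table, i.e. exactly the data this exercise set out to remove.
SELECT COUNT(*) AS rows_still_real
FROM   hr.employees e
WHERE  EXISTS (SELECT 1 FROM hr.ni_map m WHERE m.real_ni = e.ni_num);

DROP TABLE hr.ni_map PURGE;
```

The masking happens inside the clone, so the sensitive values never leave the database, as the slide promises. The clone's undo, redo and archived logs still hold the originals until they age out, so mask immediately after cloning and before anyone else gets an account on it.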
Access Control
(diagram: HR, Finance)
select * from finance.customers
DBA separation of duties
Limit powers of privileged users
Securely consolidate application data
No application changes required
(diagram: Rebates)
Protect application data and prevent application by-pass
Enforce who, where, when, and how using rules and factors
Out-of-the-box policies for Oracle applications, customizable
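The two slides above describe Oracle Database Vault realms (separation of duties) and command rules with factors (who, where, when, how). The following added example, not code from the deck, shows both in 11g syntax: a realm around the FINANCE schema that stops the "select * from finance.customers" a DBA would otherwise run with SELECT ANY TABLE, and a command rule that lets even the application account query FINANCE only from the application tier during business hours. The schema FINANCE, the account FIN_APP, the IP range and the hours are assumptions.

```sql
-- Added example, not from the e-DBA deck: Oracle Database Vault 11g realm
-- and command rule for the two slides above. Run as the Database Vault
-- owner (DV_OWNER role), not as SYS. Schema FINANCE, application account
-- FIN_APP, the IP range and the hours are assumptions for illustration.

-- 1. Realm: fence every object in FINANCE. System privileges such as
--    SELECT ANY TABLE no longer reach inside it, so a DBA running
--      select * from finance.customers
--    gets ORA-01031 and a realm-violation audit record. Direct object
--    grants (GRANT SELECT ON finance.customers TO x) are NOT blocked by an
--    11g realm, so review DBA_TAB_PRIVS for the schema as well.
BEGIN
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'Finance Realm',
    description   => 'Shields FINANCE data from privileged accounts',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);

  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name => 'Finance Realm', object_owner => 'FINANCE',
    object_name => '%',            object_type  => '%');

  -- Owner may also grant/revoke on realm objects; participant may only use
  -- its privileges inside the realm. Nobody else's ANY privileges work here.
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name => 'Finance Realm', grantee => 'FINANCE',
    rule_set_name => NULL, auth_options => DBMS_MACUTL.G_REALM_AUTH_OWNER);
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name => 'Finance Realm', grantee => 'FIN_APP',
    rule_set_name => NULL, auth_options => DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);
END;
/

-- 2. Application by-pass: even FIN_APP's own credentials are only good
--    from the application tier during the working day.
--    DVF.F$CLIENT_IP is a built-in Database Vault factor.
BEGIN
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'From App Tier',
    rule_expr => 'DVF.F$CLIENT_IP LIKE ''10.20.30.%''');
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Business Hours',
    rule_expr => 'TO_CHAR(SYSDATE, ''HH24'') BETWEEN ''07'' AND ''19''');

  DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'App Tier In Hours',
    description     => 'Every rule must be true',
    enabled         => DBMS_MACUTL.G_YES,
    eval_options    => DBMS_MACUTL.G_RULESET_EVAL_ALL,
    audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
    fail_options    => DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => 'FINANCE may only be queried from the application tier in business hours',
    fail_code       => -20010,
    handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);

  DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'App Tier In Hours', rule_name => 'From App Tier');
  DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'App Tier In Hours', rule_name => 'Business Hours');

  -- Command rule: SELECT on any FINANCE table runs only when the rule set
  -- is true. It applies to realm owners and participants too.
  DBMS_MACADM.CREATE_COMMAND_RULE(
    command       => 'SELECT',
    rule_set_name => 'App Tier In Hours',
    object_owner  => 'FINANCE',
    object_name   => '%',
    enabled       => DBMS_MACUTL.G_YES);
END;
/

-- 3. Verify what is now enforced.
SELECT realm_name, grantee, auth_options FROM dba_dv_realm_auth;
SELECT command, object_owner, object_name, rule_set_name, enabled
FROM   dba_dv_command_rule;
```

A local bequeath connection on the database server has no client IP, so F$CLIENT_IP is NULL and the rule set fails: SQL*Plus on the box itself cannot read FINANCE either, which is usually what "prevent application by-pass" is meant to achieve. Nothing in the application changes; the enforcement is in the kernel.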
Confidential Report Data (diagram: Public Reports, Confidential, Sensitive)
Classify users and data based on business drivers
Database enforced row level access control
User classification through Oracle Identity Management Suite
Classification labels can be factors in other policies
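The slide's Public / Confidential / Sensitive labels map directly onto an Oracle Label Security policy. The following is an added example, not code from the deck: a policy with three ordered levels applied to a reports table, two users with different clearances, and the one query that returns a different row set depending on who runs it. The schema HR, table REPORTS, and the accounts ANALYST and HR_DIRECTOR are assumptions.

```sql
-- Added example, not from the e-DBA deck: Oracle Label Security policy for
-- the Public / Confidential / Sensitive labels on the slide. Run the
-- PL/SQL block as LBACSYS. Schema HR, table HR.REPORTS(REPORT_ID, TITLE)
-- and the accounts ANALYST and HR_DIRECTOR are assumptions.

BEGIN
  -- 1. Policy: adds a hidden NUMBER column REPORT_LABEL to each protected table.
  SA_SYSDBA.CREATE_POLICY(policy_name => 'REPORT_POL',
                          column_name => 'REPORT_LABEL');

  -- Levels are ordered by number: a user's clearance dominates every row
  -- labelled at or below it.
  SA_COMPONENTS.CREATE_LEVEL('REPORT_POL', 1000, 'PUB',  'PUBLIC');
  SA_COMPONENTS.CREATE_LEVEL('REPORT_POL', 2000, 'CONF', 'CONFIDENTIAL');
  SA_COMPONENTS.CREATE_LEVEL('REPORT_POL', 3000, 'SENS', 'SENSITIVE');

  -- Data labels; the tags are arbitrary unique numbers stored in the column.
  SA_LABEL_ADMIN.CREATE_LABEL('REPORT_POL', 10, 'PUB');
  SA_LABEL_ADMIN.CREATE_LABEL('REPORT_POL', 20, 'CONF');
  SA_LABEL_ADMIN.CREATE_LABEL('REPORT_POL', 30, 'SENS');

  -- 2. Enforce on the table: reads and writes are filtered by label, and a
  --    row inserted without a label gets the session's default row label.
  SA_POLICY_ADMIN.APPLY_TABLE_POLICY(
    policy_name   => 'REPORT_POL',
    schema_name   => 'HR',
    table_name    => 'REPORTS',
    table_options => 'READ_CONTROL,WRITE_CONTROL,LABEL_DEFAULT');

  -- 3. Clearances: ANALYST reads up to CONFIDENTIAL, HR_DIRECTOR up to
  --    SENSITIVE. The schema owner gets FULL so it can load labelled rows.
  SA_USER_ADMIN.SET_USER_LABELS('REPORT_POL', 'ANALYST',     'CONF');
  SA_USER_ADMIN.SET_USER_LABELS('REPORT_POL', 'HR_DIRECTOR', 'SENS');
  SA_USER_ADMIN.SET_USER_PRIVS ('REPORT_POL', 'HR', 'FULL');
END;
/

-- 4. As HR: label the data. CHAR_TO_LABEL turns the short name into the tag.
INSERT INTO hr.reports (report_id, title, report_label)
VALUES (1, 'Headcount by site',    CHAR_TO_LABEL('REPORT_POL', 'PUB'));
INSERT INTO hr.reports (report_id, title, report_label)
VALUES (2, 'Salary review 2010',   CHAR_TO_LABEL('REPORT_POL', 'CONF'));
INSERT INTO hr.reports (report_id, title, report_label)
VALUES (3, 'Redundancy shortlist', CHAR_TO_LABEL('REPORT_POL', 'SENS'));
COMMIT;

-- 5. The filter is applied by the kernel, not by the application or a
--    WHERE clause. Connected as ANALYST this returns reports 1 and 2;
--    the identical statement as HR_DIRECTOR returns all three.
SELECT report_id, title, LABEL_TO_CHAR(report_label) AS label
FROM   hr.reports
ORDER  BY report_id;
```

Because the label is a column value and the clearance is a session attribute, the same policy holds for every access path (SQL*Plus, reports, ad hoc tools), which is the "database enforced" point on the slide.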
Monitoring
(diagram: CRM Data, ERP Data, Audit Data, Databases, Auditor)
Consolidate audit data into secure repository
Detect and alert on suspicious activities
Out-of-the-box compliance reporting
Centralized audit policy management
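Audit Vault consolidates what the source databases record, so the quality of the native trail decides what can be detected. As an added example that is neither the deck's code nor Audit Vault itself, here is the 11g native auditing setup for the "targeted auditing" pillar and two detection queries of the kind the "detect and alert on suspicious activities" bullet implies. FINANCE.CUSTOMERS, the FIN_APP account, the app-tier host naming and the thresholds are assumptions.

```sql
-- Added example, not from the deck and not Audit Vault itself: the native
-- audit trail Audit Vault collects from each source database, configured
-- for targeted auditing, plus two detection queries. FINANCE.CUSTOMERS,
-- the FIN_APP account, the 'app%' host naming and the thresholds are
-- assumptions for illustration.

-- 1. Trail in the database with SQL text and binds (needs a restart), and
--    SYS actions to the OS trail so a DBA cannot edit them away in AUD$.
ALTER SYSTEM SET audit_trail = DB, EXTENDED SCOPE = SPFILE;
ALTER SYSTEM SET audit_sys_operations = TRUE SCOPE = SPFILE;

-- 2. Targeted auditing: every access to the high-value table, reads made
--    through a system privilege, account/privilege changes, failed logons.
AUDIT SELECT, INSERT, UPDATE, DELETE ON finance.customers BY ACCESS;
AUDIT SELECT ANY TABLE BY ACCESS;
AUDIT CREATE USER, ALTER USER, DROP USER BY ACCESS;
AUDIT GRANT ANY PRIVILEGE, GRANT ANY ROLE, GRANT ANY OBJECT PRIVILEGE BY ACCESS;
AUDIT SESSION WHENEVER NOT SUCCESSFUL;

-- 3. Reads of CUSTOMERS in the last 24 hours that bypassed the application
--    path: wrong account, wrong host, out of hours, or via an ANY privilege.
SELECT a.timestamp, a.username, a.os_username, a.userhost,
       a.action_name, a.priv_used, a.returncode, a.sql_text
FROM   dba_audit_trail a
WHERE  a.owner     = 'FINANCE'
AND    a.obj_name  = 'CUSTOMERS'
AND    a.timestamp > SYSDATE - 1
AND   (a.username <> 'FIN_APP'
       OR NVL(a.userhost, '?') NOT LIKE 'app%'
       OR TO_CHAR(a.timestamp, 'HH24') NOT BETWEEN '07' AND '19'
       OR a.priv_used IS NOT NULL)
ORDER  BY a.timestamp DESC;

-- 4. Failed logons clustering on one account from one host in the last hour
--    (ORA-01017 = returncode 1017): a password-guessing indicator.
SELECT username, userhost, COUNT(*) AS failures,
       MIN(timestamp) AS first_seen, MAX(timestamp) AS last_seen
FROM   dba_audit_trail
WHERE  action_name = 'LOGON'
AND    returncode  = 1017
AND    timestamp   > SYSDATE - 1/24
GROUP  BY username, userhost
HAVING COUNT(*) >= 10
ORDER  BY failures DESC;
```

The trail lives in SYS.AUD$, which anyone with the DBA role can delete from; that is the "audit data protection" gap the consolidation slide is about. Shipping the records off-box to a repository the DBA cannot write to is what turns these queries from after-the-fact reports into evidence.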
Transparently track data changes
Efficient, tamper-resistant storage of archives
Real-time access to historical data
Simplified forensics and error correction
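Total Recall is the marketing name for Flashback Data Archive. As an added example, not code from the deck, the statements below create an archive, track a table, pull the full version history of one row for a forensic question, tie a version back to the session that made it, and repair a single row without a database restore. Tablespace, quota, retention, table, row key, transaction id and timestamps are assumptions.

```sql
-- Added example, not from the e-DBA deck: Oracle Total Recall (Flashback
-- Data Archive). Tablespace, quota, retention, table, row key, the sample
-- transaction id and the timestamps are assumptions.

-- 1. Archive with its own tablespace and a retention period. History rows
--    are written by the database and expire only through the archive's
--    retention; ordinary DML cannot touch them. Needs the FLASHBACK ARCHIVE
--    ADMINISTER system privilege.
CREATE FLASHBACK ARCHIVE fda_finance
  TABLESPACE fda_ts
  QUOTA 20G
  RETENTION 7 YEAR;

-- 2. Track a table: transparent to the application, no schema change.
--    On 11.1 most DDL against a tracked table is then refused (ORA-55610);
--    11.2 relaxes this, so check the release before enabling it in bulk.
ALTER TABLE finance.customers FLASHBACK ARCHIVE fda_finance;

-- 3. Forensics: every version one customer row has had since 1 June,
--    with the operation and the transaction id that produced it.
SELECT versions_starttime, versions_endtime, versions_operation,
       versions_xid, cust_id, credit_limit
FROM   finance.customers
       VERSIONS BETWEEN TIMESTAMP
         TO_TIMESTAMP('2010-06-01 00:00:00', 'YYYY-MM-DD HH24:MI:SS')
         AND SYSTIMESTAMP
WHERE  cust_id = 4711
ORDER  BY versions_starttime;

-- 4. Who did it: when UPDATE on the table is audited, the transaction id
--    from step 3 also appears in the audit trail. The hex value here is a
--    made-up placeholder for a VERSIONS_XID copied from the previous query.
SELECT a.timestamp, a.username, a.os_username, a.userhost, a.sql_text
FROM   dba_audit_trail a
WHERE  a.transactionid = HEXTORAW('0A0012003C4D0000');

-- 5. Error correction: put one row back as it was at 08:00 on the day of
--    a bad batch run, without restoring or flashing back the whole database.
UPDATE finance.customers c
SET    c.credit_limit = (SELECT h.credit_limit
                         FROM   finance.customers AS OF TIMESTAMP
                                TO_TIMESTAMP('2010-06-14 08:00:00', 'YYYY-MM-DD HH24:MI:SS') h
                         WHERE  h.cust_id = c.cust_id)
WHERE  c.cust_id = 4711;
COMMIT;
```

"Tamper-resistant" here means resistant to users: an administrator holding FLASHBACK ARCHIVE ADMINISTER can still detach the table or drop the archive, so in the deck's model the archive sits behind Database Vault and under audit rather than standing on its own.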
Configuration Management
Vulnerability Assessment & Secure Configuration
Assess, Prioritize, Fix
Vulnerability Management
Database discovery
Continuous scanning against 375+ best practices and industry standards, extensible
Detect and prevent unauthorized configuration changes
Change management compliance reports
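The "Assess, Prioritize, Fix" loop above, and the password, secure-configuration and privileged-user bullets on the earlier pillars slide, come down to a handful of dictionary queries and the DDL that closes each finding. The following is an added example, not the deck's code and not the Configuration Management Pack: a hand-written subset of the checks such a scan performs, as a single PASS/FAIL report, followed by the corresponding fixes. Threshold values are the usual hardening-guide ones; the package list, account names and profile name are assumptions.

```sql
-- Added example, not from the deck and not the Configuration Management
-- Pack: a hand-written subset of the checks such a scan runs, as one
-- PASS/FAIL report, followed by the "fix" statements. Threshold values are
-- the usual hardening-guide ones; the package list, account names and the
-- profile name are assumptions.

-- ASSESS: run as a DBA; schedule it and diff successive outputs to catch
-- unauthorized configuration drift between scans.
SELECT check_name,
       CASE WHEN failures = 0 THEN 'PASS'
            ELSE 'FAIL (' || failures || ')' END AS result
FROM (
  -- open accounts still on an installation default password
  SELECT 'Default passwords on open accounts' AS check_name, COUNT(*) AS failures
  FROM   dba_users_with_defpwd d
  JOIN   dba_users u ON u.username = d.username
  WHERE  u.account_status = 'OPEN'
  UNION ALL
  -- network- and file-capable packages executable by everyone
  SELECT 'PUBLIC EXECUTE on sensitive packages', COUNT(*)
  FROM   dba_tab_privs
  WHERE  grantee = 'PUBLIC' AND privilege = 'EXECUTE'
  AND    table_name IN ('UTL_FILE','UTL_TCP','UTL_HTTP','UTL_SMTP','UTL_INADDR',
                        'DBMS_LDAP','DBMS_JAVA','DBMS_OBFUSCATION_TOOLKIT')
  UNION ALL
  -- DBA role held by anything other than the two built-in administrators
  SELECT 'Unexpected DBA role grantees', COUNT(*)
  FROM   dba_role_privs
  WHERE  granted_role = 'DBA' AND grantee NOT IN ('SYS','SYSTEM')
  UNION ALL
  -- open accounts whose profile never expires or locks the password
  SELECT 'Open accounts without password limits', COUNT(DISTINCT u.username)
  FROM   dba_users u
  JOIN   dba_profiles p ON p.profile = u.profile
  WHERE  u.account_status = 'OPEN'
  AND    p.resource_name IN ('PASSWORD_LIFE_TIME','FAILED_LOGIN_ATTEMPTS')
  AND    p.limit = 'UNLIMITED'
  UNION ALL
  -- instance parameters that weaken authentication or auditing
  SELECT 'Insecure instance parameters', COUNT(*)
  FROM   v$parameter
  WHERE (name = 'remote_os_authent'           AND UPPER(value) = 'TRUE')
  OR    (name = 'o7_dictionary_accessibility' AND UPPER(value) = 'TRUE')
  OR    (name = 'sec_case_sensitive_logon'    AND UPPER(value) = 'FALSE')
  OR    (name = 'audit_trail'                 AND UPPER(value) = 'NONE')
  OR    (name = 'audit_sys_operations'        AND UPPER(value) = 'FALSE')
);

-- FIX: prioritize by exposure (default passwords and PUBLIC grants first).

-- Password policy; VERIFY_FUNCTION_11G is created by running
-- $ORACLE_HOME/rdbms/admin/utlpwdmg.sql as SYS.
CREATE PROFILE secure_users LIMIT
  FAILED_LOGIN_ATTEMPTS    5
  PASSWORD_LOCK_TIME       1/24       -- one hour, then automatic unlock
  PASSWORD_LIFE_TIME       90
  PASSWORD_GRACE_TIME      7
  PASSWORD_REUSE_MAX       10
  PASSWORD_REUSE_TIME      365
  PASSWORD_VERIFY_FUNCTION verify_function_11G;

ALTER USER fin_app PROFILE secure_users;   -- one per account, or generate from DBA_USERS

-- Installed but unused accounts: lock them rather than just re-password them.
ALTER USER outln ACCOUNT LOCK PASSWORD EXPIRE;

-- Replace blanket PUBLIC grants with grants to the schemas that need them.
-- Check DBA_DEPENDENCIES first: dependent PL/SQL in other schemas is invalidated.
REVOKE EXECUTE ON utl_tcp  FROM PUBLIC;
REVOKE EXECUTE ON utl_http FROM PUBLIC;
REVOKE EXECUTE ON utl_file FROM PUBLIC;
GRANT  EXECUTE ON utl_http TO fin_app;

ALTER SYSTEM SET remote_os_authent = FALSE SCOPE = SPFILE;
ALTER SYSTEM SET o7_dictionary_accessibility = FALSE SCOPE = SPFILE;
```

Keep the report output from each run: a check that flips from PASS to FAIL between two scans is the "unauthorized configuration change" the slide wants detected, and the stored history is the change-management evidence it wants reported.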
Summary