Oracle Security

Agenda
• Security Challenges
• 21 CFR Part 11
• HIPAA
• Oracle Security

Security Challenges
• Privacy of Communications: Is your query result read or modified in transit?
• Sensitive Data Storage: Are your patient privacy needs met at your site?
• Granular Access Control: Can you secure certain parts of a medical record?
• Scalability: Can you support 100,000s of users?
• Ease of Use: Is it easy to use for users & administrators?
• Know your Users: Who is accessing the data from the web?
• Audit trail, eRecords & eSignatures: Can you comply with FDA requirements?

21 CFR Part 11
• Regulations that provide criteria for acceptance by FDA of electronic records, electronic signatures, and handwritten signatures executed to electronic records as equivalent to paper records and handwritten signatures executed on paper
• Requirements:
  – Strong Security - to ensure the authenticity, integrity, and confidentiality of electronic records.
  – Audit Trail
  – Operational System Checks
  – Electronic Signatures – to ensure that the signer cannot readily repudiate the signed record.

What is HIPAA?
• Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 (HIPAA)
  – aka Kennedy-Kassebaum Bill
• Administrative Simplification Act
  – Privacy Rule: “what” individual health information must be protected
  – Security Rule: “how” healthcare organizations need to protect health-related information
• Noncompliance would put you in jail.

Data Security & Privacy
[Figure: diagram labelled Identify & Authenticate; Privacy & integrity of communications; Access control; Privacy & integrity of data; Comprehensive auditing. Roles shown: Healthcare Worker, Nurse, Doctor, Clerical, Employer. Other labels: Network, Diagnosis, Coverage, Office Visit, Therapy, X-Ray, Enrollment, Lab Test, Rx, Shot, Outpatient.]

Identification & Authentication
• Something you know – name/password
• Something you have
  – Smart cards (e.g. Secure ID card, ActivCard)
  – X.509v3 compliant digital certificates over SSL
• Something you are
  – Biometric (e.g. fingerprint reader)
• Two-factor authentication
• Support industry standards:
  – Kerberos, RADIUS, DCE.

Privacy & Integrity of Communications
• Network Encryption – Protects data privacy.
  – Oracle Advanced Security provides these algorithms to encrypt Oracle Net traffic: Triple DES, RC4, Advanced Encryption Standard
    • Users do not need to use SSL or digital certificates.
  – SSL support (standards based encryption)
• Checksumming – Ensure data integrity
  – Verifies that data have not been tampered with during transmission
  – Supports Message Digest 5 (MD5) and Secure Hash Algorithm (SHA-1).

Access Control – Protect Data
• Virtual Private Database
• Label Security
• Selective Data Encryption

Virtual Private Database (VPD)
• Enables, within a single database, per-user data access with the assurance of physical data separation
• Associate security policies implemented by functions with tables or views
• Server automatically enforces security policies no matter how data is accessed
[Figure: the same query, SELECT * FROM CLAIMS;, shown four times around the Claims Table]
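
A policy function attached to the CLAIMS table, as an added example that is not part of the original slides. The HEALTH schema, the PROVIDER_ID column, the PROVIDER_USERS mapping table and the CLAIMS_CTX context are assumed names; DBMS_RLS, DBMS_SESSION and SYS_CONTEXT are Oracle's own.

```sql
-- Added example. HEALTH, CLAIMS.PROVIDER_ID, PROVIDER_USERS and CLAIMS_CTX are assumed names.
-- Application context that only the package HEALTH.CLAIMS_SEC is allowed to write.
CREATE OR REPLACE CONTEXT claims_ctx USING health.claims_sec;

CREATE OR REPLACE PACKAGE health.claims_sec AS
  PROCEDURE set_provider;  -- call once per session, e.g. from a logon trigger
  FUNCTION claims_predicate(p_schema IN VARCHAR2, p_object IN VARCHAR2)
    RETURN VARCHAR2;
END claims_sec;
/
CREATE OR REPLACE PACKAGE BODY health.claims_sec AS
  PROCEDURE set_provider IS
    v_provider_id health.provider_users.provider_id%TYPE;
  BEGIN
    -- Map the authenticated database user to a provider; the caller cannot pick the value.
    SELECT provider_id INTO v_provider_id
      FROM health.provider_users
     WHERE db_user = SYS_CONTEXT('USERENV', 'SESSION_USER');
    DBMS_SESSION.SET_CONTEXT('CLAIMS_CTX', 'PROVIDER_ID', TO_CHAR(v_provider_id));
  EXCEPTION
    WHEN NO_DATA_FOUND THEN
      NULL;  -- unmapped user: context stays unset, so the predicate matches no rows
  END set_provider;

  FUNCTION claims_predicate(p_schema IN VARCHAR2, p_object IN VARCHAR2)
    RETURN VARCHAR2 IS
  BEGIN
    -- The server appends this text as a WHERE clause to every statement on the table.
    RETURN 'provider_id = TO_NUMBER(SYS_CONTEXT(''CLAIMS_CTX'', ''PROVIDER_ID''))';
  END claims_predicate;
END claims_sec;
/
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'HEALTH',
    object_name     => 'CLAIMS',
    policy_name     => 'CLAIMS_BY_PROVIDER',
    function_schema => 'HEALTH',
    policy_function => 'CLAIMS_SEC.CLAIMS_PREDICATE',
    statement_types => 'SELECT,INSERT,UPDATE,DELETE',
    update_check    => TRUE);  -- reject writes that would move a row out of the caller's view
END;
/
-- With the policy in place, SELECT * FROM CLAIMS; runs as
-- SELECT * FROM CLAIMS WHERE provider_id = TO_NUMBER(SYS_CONTEXT('CLAIMS_CTX', 'PROVIDER_ID'));
```

SYS and any account granted EXEMPT ACCESS POLICY bypass the policy, so those grants belong in the access review.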

Oracle Label Security
User Label (Dr. Murphy): Sensitive : Ortho, Acute : Active

Row labels on the data rows (Level : Compartment : Group):
Identifiable : Ambulatory : Dep
Sensitive    : Ortho      : Active
Identifiable : Radiology  : Ret
Confidential : Disease    : Active
Sensitive    : Ortho      : Active
Sensitive    : Acute      : Active

Selective Data Encryption
• Protect select data via encryption in the database
• Examples:
  – Credit card numbers, patient’s SSN
• DBMS_OBFUSCATION_TOOLKIT package
  – Supports Data Encryption Standard (DES) and 3DES algorithms
  – Supports MD5 to ensure data integrity

Auditing - Provides Accountability
• Auditing by statement, by use of system privilege, by object, or by user.
• Customizes auditing with triggers
• Enables organizations to define specific audit policies that can alert administrators and serve as an intrusion detection system.
• Captures exact SQL statement. Together with Flashback Query, auditing can recreate the exact records returned to a user.
• Audits SYSDBA and SYSOPER – separate auditors and DBAs.
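
An audit policy with an alert handler, and the replay of an audited statement through Flashback Query, as an added example that is not part of the original slides. The HEALTH.CLAIMS table, its DIAGNOSIS column, the SECADMIN schema and the FGA_ALERTS table are assumed names; DBMS_FGA and DBA_FGA_AUDIT_TRAIL are Oracle's own.

```sql
-- Added example. HEALTH.CLAIMS, DIAGNOSIS, SECADMIN and FGA_ALERTS are assumed names.
CREATE TABLE secadmin.fga_alerts (
  raised_at   DATE,
  db_user     VARCHAR2(30),
  policy_name VARCHAR2(30),
  sql_text    VARCHAR2(4000)
);

-- Handler the server calls each time the audit policy fires.
CREATE OR REPLACE PROCEDURE secadmin.claims_alert (
  p_schema IN VARCHAR2,
  p_object IN VARCHAR2,
  p_policy IN VARCHAR2
) AS
  PRAGMA AUTONOMOUS_TRANSACTION;  -- keep the alert even if the user's transaction rolls back
BEGIN
  INSERT INTO secadmin.fga_alerts (raised_at, db_user, policy_name, sql_text)
  VALUES (SYSDATE,
          SYS_CONTEXT('USERENV', 'SESSION_USER'),
          p_policy,
          SYS_CONTEXT('USERENV', 'CURRENT_SQL', 4000));  -- statement that triggered the audit
  COMMIT;
END claims_alert;
/
BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema   => 'HEALTH',
    object_name     => 'CLAIMS',
    policy_name     => 'CLAIMS_DIAGNOSIS_READ',
    audit_condition => NULL,          -- every row
    audit_column    => 'DIAGNOSIS',   -- only statements that touch this column
    handler_schema  => 'SECADMIN',
    handler_module  => 'CLAIMS_ALERT',
    enable          => TRUE);
END;
/
-- Review: the exact statement text plus the SCN at which it ran.
SELECT timestamp, db_user, scn, sql_text
  FROM dba_fga_audit_trail
 WHERE policy_name = 'CLAIMS_DIAGNOSIS_READ'
 ORDER BY timestamp;

-- Re-run the captured statement as of its SCN to see the rows the user saw
-- (&audited_scn is a SQL*Plus substitution variable filled from the row above).
SELECT * FROM health.claims AS OF SCN &audited_scn;
```

Flashback Query only reaches back as far as undo retention allows, so the replay has to happen inside that window.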

Oracle Secure 3-Tier Architecture
[Figure: architecture diagram. Labels: Browser Clients; HTTP/SSL; Client/Server; Advanced Security Encryption; X.509 certificate; Single Sign-on; Advanced Security/SSL; Advanced Security; LDAP; Oracle9i Application Server; Application Access; Oracle Internet Directory; Oracle Label Security; DB Encryption; Fine Grained Auditing; Flashback Query.]

Security Feature Comparison
Security Features            Oracle   IBM DB2   Microsoft SS2000
Virtual Private Database     Yes      No        No
Label-based Access Control   Yes      No        No
Fine-grained Auditing        Yes      No        No
Data Encryption              Yes      Limited   No

15 Independent Security Evaluations
Security Criteria                  Oracle   IBM DB2   Microsoft SS2000
TCSEC, Level C2                    1        0         1
TCSEC, Level B1                    1        0         0
ITSEC, levels E3/F-C2              3        0         0
ITSEC, levels E3/F-B1              3        0         0
Common Criteria, level EAL-4       4        0         0
Russian Criteria, levels III, IV   2        0         0
FIPS 140-1, level 2                1        0         0
TOTAL                              15       0         1

Availability & Business Continuity
[Figure: Primary Site, Synchronous Backup Site, Asynchronous Backup Site]

PCASSO Project (Patient Centered Access to Secure Systems Online)
• SAIC and UCSD – Patients and health care providers access patients’ complete medical records over the Internet
• 178,000 patients
• “In defining those levels, we needed to separately protect highly sensitive information that – by law – requires special protection. …Label-based access control is ideal for this purpose”
  – Dixie Baker, corporate VP of technology and CTO for SAIC’s healthcare practice

Summary: Oracle features to achieve HIPAA goals
[Table: Oracle9i features (Database Encryption, Network Encryption, Restricts Data Access, Data Sensitivity Labels, Comprehensive Auditing, User Management, Single Sign-on, User Authentication, Independent Evaluation) marked “Yes” against the goals Data Privacy, Data Security, User Identity, Auditing and Assurance; individual cell positions are not recoverable.]

Resources
Discussion Forums: Security & Security Sample Code

Sept 10, 2003 Life Sciences User Group Meeting at Oracle World, San Francisco
• Security Presentations:
  – Johnson & Johnson: Building a Secure Infrastructure with Oracle in Life Sciences - J & J PKI and Secure Connectivity to Oracle
  – Massachusetts General Hospital: Secure Enterprise Access for Phenotypic Research at Mass General Hospital & HIPAA
  – Wyeth: 21 CFR Part 11 via Oracle Auditing at Wyeth Research