Security for Heterogeneous Environments
Federman Hoyos, IT Solution Architect
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
Your Information Assets Across Heterogeneous Databases
Finance
Product
Customer
Clinical Trials
Employee
Your Information Asset Lifecycle: Shared with 3rd Parties
• Almost 50% of all organizations exposed Production data in non-Production environments
• Only 16% have a system in place for deidentifying sensitive data
Third parties shown: Application Developers, IT Service Providers, Business partners, Market Research, Clinical Research
Your Information Asset Protection Challenge
• Ensure comprehensive protection of your information assets across heterogeneous enterprise databases
• Reduce information lifecycle costs through automation
Secure Test System Deployments
Production:
LAST_NAME SSN SALARY
SMITH 111-23-1111 60,000
MILLER 222-34-1345 40,000
Test:
LAST_NAME SSN SALARY
AGUILAR 203-33-3234 40,000
BENSON 323-22-2943 60,000
How: Secure Test System Deployments
• Deploy secure test system by masking sensitive data
• Sensitive data never leaves the database
• Extensible template library and policies for automation
• Sophisticated masking: condition-based, compound, deterministic
• Integrated masking and cloning
• Leverage masking templates for common data types
Data Masking using Oracle Enterprise Manager: Centrally controlled. Globally managed.
• Monitoring
• Performance Diagnostics
• Patching & Provisioning
• Configuration Management
• Data Masking
Data Masking Methodology
• Find: Catalog and identify sensitive data across enterprise databases
• Assess: Define the optimal data masking techniques
• Secure: Automate non-production systems through data masking
• Test: Ensure the integrity of applications through testing
Production:
LAST_NAME SSN SALARY
SMITH 111-23-1111 40,000
JOHNSON 222-34-1345 60,000
Non-Production:
LAST_NAME SSN SALARY
AGUILAR 203-33-3234 40,000
BENSON 323-22-2943 60,000
FIND: Catalog and identify sensitive data across enterprise databases
Catalog Sensitive Data in Your Enterprise Databases
• Person Name
• Maiden Name
• Business Address
• Business Telephone Number
• Business Email Address
• Custom Name
• Employee Number
• User Global Identifier
• Party Number or Customer Number
• Account Name
• Mail Stop
• GPS Location
• Student Exam Hall Ticket Number
• Club Membership ID
• Library Card Number
• Identity Card Number
• Instant Messaging Address
• Web site
• National Identifier
• Passport Number
• Driver’s License Number
• Personal Address
• Personal Telephone Number
• Personal Email Address
• Visa Number or Work Permit
• Bank Account Number
• Card Number (Credit or Debit Card Number)
• Tax Registration Number or National Tax ID
• Person Identification Number
• Welfare Pension Insurance Number
• Unemployment Insurance Number
• Government Affiliation ID
• Military Service ID
• Social Insurance Number
• Pension ID Number
• Article Number
• Civil Identifier Number
• Hafiza Number
• Social Security Number
• Trade Union Membership Number
• Pension Registration Number
• National Insurance Number
• Health Insurance Number
• Personal Public Service Number
• Electronic Taxpayer Identification Number
• Biometrics Data
• Digital ID
• Citizenship Number
• Voter Identification Number
• Residency Number (Green Card)
• Business-driven
• Criteria:
– Violate government regulations
– Violate business regulations
– Damage shareholder value through loss of:
• Market capital
• Valuation
• Reputation
• Customers
• Lawsuits
ASSESS: Define the optimal data masking techniques
Comprehensive Mask Formats: Mask Primitives and User-extensible Mask Formats
• Mask primitives
– Simple mask formats: ALPHA, NUMERIC, DATE
– Simple mask techniques: SHUFFLE, RANDOMIZE, LOOKUP TABLE
• Ensures consistent enforcement of policies: define once, apply everywhere
• Accelerates solution deployment of masking: mask formats for common sensitive data
• Enables customization of business rules: extensible mask routines
Mask Definition: Associate Mask Formats with Identified Sensitive Columns
• Automatic discovery and enforcement of referential integrity
• Registration and enforcement of referential integrity when entered as related columns
– Application-enforced referential integrity
– Business-process based data relationships
– Non-Oracle database based referential integrity
• Imported via XML generated via SQL against metadata
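The mask primitives and the referential-integrity requirement above, as an added Python illustration that is not Oracle's code: a keyed, deterministic SSN mask keeps a child table joinable to its parent after masking, surnames come from a LOOKUP TABLE, and salaries are SHUFFLEd. The table layout, the HMAC-based routine and the key are constructed assumptions.

```python
import hmac
import hashlib
import random

# Constructed sample tables standing in for a production schema: EMPLOYEES
# holds the sensitive columns, PAYROLL references employees by SSN.
EMPLOYEES = [
    {"emp_id": 1, "last_name": "SMITH", "ssn": "111-23-1111", "salary": 60000},
    {"emp_id": 2, "last_name": "MILLER", "ssn": "222-34-1345", "salary": 40000},
]
PAYROLL = [
    {"ssn": "111-23-1111", "net_pay": 4500},
    {"ssn": "222-34-1345", "net_pay": 3000},
]
# LOOKUP TABLE primitive: replacement surnames (constructed).
SURNAME_LOOKUP = ["AGUILAR", "BENSON", "CARTER", "DIAZ"]


def mask_ssn(ssn: str, key: bytes) -> str:
    """Deterministic, format-preserving SSN mask (assumed technique: keyed HMAC).
    The same input always yields the same output, so a masked SSN stays
    consistent across every table that references it."""
    digest = hmac.new(key, ssn.encode(), hashlib.sha256).digest()
    digits = "".join(str(b % 10) for b in digest[:9])
    return f"{digits[:3]}-{digits[3:5]}-{digits[5:]}"


def mask_dataset(employees, payroll, key: bytes, seed: int = 0):
    """Apply one mask format per column and preserve referential integrity."""
    rng = random.Random(seed)
    salaries = [e["salary"] for e in employees]
    rng.shuffle(salaries)  # SHUFFLE primitive: distribution kept, owner lost
    masked_emps = [
        {"emp_id": e["emp_id"],
         "last_name": rng.choice(SURNAME_LOOKUP),
         "ssn": mask_ssn(e["ssn"], key),
         "salary": sal}
        for e, sal in zip(employees, salaries)
    ]
    # Child table masked with the same deterministic routine, so the join
    # on SSN still resolves after masking.
    masked_pay = [{"ssn": mask_ssn(p["ssn"], key), "net_pay": p["net_pay"]}
                  for p in payroll]
    return masked_emps, masked_pay


def referential_integrity_holds(employees, payroll) -> bool:
    """True when every child SSN still points at a parent row."""
    parents = {e["ssn"] for e in employees}
    return all(p["ssn"] in parents for p in payroll)
```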
SECURE: Automate non-production systems through data masking
Test System Setup for Oracle Databases: Creating Test Databases from Production
• Enterprise Manager out-of-the-box workflows
• RMAN-based clone-and-masking (recommended)
• Export-Import
• Backup and Restore
• Transportable Tablespace
[Diagram: the Production DB (business data tables T1 to T5, application metadata, DB dictionary data) is cloned to a Test DB, and the clone is then masked.]
Test System Setup for non-Oracle Databases: Creating Test Databases from Production using Oracle Gateways
Masking Process
1. Production data copied to Test
2. Sensitive data copied to Staging
3. Sensitive data masked in Staging
4. Masked data copied from Staging to Test
5. Truncate Data in Stage Database
[Diagram: the Production DB (business data tables T1 to T5, application metadata, DB dictionary data) is cloned to a Test DB through a database gateway; sensitive data is copied to a Staging DB, masked there, and copied back to the Test DB.]
TEST: Ensure the integrity of applications through testing
Auditing your Database Information
Supported databases: Oracle Database, IBM DB2, Microsoft SQL Server, Sybase ASE
Why Audit?
• It’s all about protecting sensitive data, maintaining customer trust, and protecting the business
• Trust-but-verify that your employees are only performing operations required by the business
• Detective controls to monitor what is really going on
• Reduce the curiosity seekers from looking at data
• Compliance demands that privileged users be monitored
• Know what is going on before others tell you
• Cost of compliance
– Eliminate costly and complex scripts for reporting
– Reduce reporting costs for specific compliance audits: SOX, PCI, HIPAA, SAS 70, STIG
Database Auditing and Applications: Why Auditors Want to Audit Databases
• Monitor privileged application user accounts for non-compliant activity
• Audit non-application access to sensitive data (credit card, financial data, personally identifiable information, etc.)
• Verify that no one is trying to bypass the application controls/security, e.g. PO line items changed so that they do not require more approvals
• Verify shared accounts are not abused by non-privileged users
• Application bypass: use of application accounts to view application data
What Do You Need To Audit? Database Audit Requirements
Regulations (columns): SOX, PCI DSS, HIPAA/HITECH, Basel II, FISMA, GLBA
Accounts, Roles & GRANT changes ● ● ● ● ● ●
Failed Logins and other Exceptions ● ● ● ● ● ●
Privileged User Activity ● ● ● ● ● ●
Access to Sensitive Data (SELECTs…) ● ● ● ● ●
Data Changes (INSERT, UPDATE, …) ● ●
Schema Changes (DROP, ALTER…) ● ● ● ● ● ●
Oracle Audit Vault: Trust-but-Verify
Audit sources: Oracle Database, IBM DB2, Microsoft SQL Server, Sybase ASE
• Consolidate and Secure Audit Data
• Out-of-the-Box Compliance Reports
• Alert on Security Threats
• Lower IT Costs With Entitlements & Audit Policies
Oracle Audit Vault: Oracle Database Audit Support
• Database audit tables: collect audit data for standard and fine-grained auditing
• Oracle audit trail from OS files: collect audit records written in XML or standard text file
• Operating system Windows Event Viewer & SYSLOG: collect Oracle database audit records
• Redo log: extract before/after values and DDL changes to table
• Database Vault specific audit records
The Access Reports filter the audit content based on event and categories, such as Data Access (select, insert, update, delete, etc.) and User Sessions (login, logout, etc.). The Oracle Audit Vault Auditor’s Guide lists the events that are collected and mapped to the categories.
The Entitlement Reports can be used for internal/external auditors to view Oracle database users and their privileges. You can view all Oracle databases and their users or filter by an individual database to view the privileges. The compare capability provides a report on changes to user privileges from one snapshot time to another.
The Alerts Report content can be accessed from the Dashboard, or you can view all alerts that have been generated at one time. The critical and warning alert reports track critical and warning alerts. An alert is raised when data in a single audit record matches a predefined alert rule condition.
Alerts can be defined for:
• Directly viewing sensitive columns
• Creating users on sensitive systems
• Role grants on sensitive systems
• “DBA” grants on all systems
• Failed logins for application user
Oracle Audit Vault Audit Trail Clean-Up: DBMS_AUDIT_MGMT
• Automatically deletes Oracle audit trails from target after they are securely inserted into Audit Vault
• Reduces DBA manageability challenges with audit trails
Sequence between the database and Audit Vault: 1) transfer audit trail data; 2) update last inserted record; 3) delete older audit records
Setting Client Identifier with Applications
• Any application running on Oracle database can set the client identifier
• User A and User B connect through the Oracle Application Server to the Oracle Database; the application sets client_info to User A, then resets client_info to User B
• The audit record uses client_identifier
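The alert rules listed above, and the point that the audit record carries the client identifier the application set, as an added Python illustration (not Audit Vault's own engine): each rule is evaluated against a single record, and the alert is attributed to the end user behind a shared application account. The record fields, system and column names are constructed assumptions.

```python
# Constructed audit records in the shape a consolidated audit store might
# hold: one dict per event, including the client identifier the application
# set for the end user on its pooled connection (assumed field names).
SENSITIVE_COLUMNS = {("HR", "EMPLOYEES", "SSN"), ("HR", "EMPLOYEES", "SALARY")}
SENSITIVE_SYSTEMS = {"HRPROD"}
APP_USERS = {"APP_HR"}  # shared application accounts

AUDIT_RECORDS = [
    {"db": "HRPROD", "user": "APP_HR", "client_identifier": "user_a",
     "action": "SELECT", "object": "HR.EMPLOYEES", "columns": ["SSN"], "status": "SUCCESS"},
    {"db": "HRPROD", "user": "JDOE", "client_identifier": "",
     "action": "CREATE USER", "object": "TEMPUSR", "columns": [], "status": "SUCCESS"},
    {"db": "DEVDB", "user": "JDOE", "client_identifier": "",
     "action": "GRANT", "object": "DBA", "columns": [], "status": "SUCCESS"},
    {"db": "HRPROD", "user": "APP_HR", "client_identifier": "user_b",
     "action": "LOGON", "object": "", "columns": [], "status": "FAILED"},
    {"db": "HRPROD", "user": "APP_HR", "client_identifier": "user_b",
     "action": "SELECT", "object": "HR.DEPARTMENTS", "columns": ["NAME"], "status": "SUCCESS"},
]


def evaluate(rec):
    """Return the (severity, rule) pairs that this single record triggers."""
    alerts = []
    schema, _, table = rec["object"].partition(".")
    if rec["action"] == "SELECT" and any(
            (schema, table, c) in SENSITIVE_COLUMNS for c in rec["columns"]):
        alerts.append(("CRITICAL", "direct view of sensitive column"))
    if rec["action"] == "CREATE USER" and rec["db"] in SENSITIVE_SYSTEMS:
        alerts.append(("CRITICAL", "user created on sensitive system"))
    if rec["action"] == "GRANT" and rec["db"] in SENSITIVE_SYSTEMS:
        alerts.append(("WARNING", "role grant on sensitive system"))
    if rec["action"] == "GRANT" and rec["object"] == "DBA":  # any system
        alerts.append(("CRITICAL", "DBA grant"))
    if rec["action"] == "LOGON" and rec["status"] == "FAILED" and rec["user"] in APP_USERS:
        alerts.append(("WARNING", "failed login for application user"))
    return alerts


def run_alerts(records):
    """Evaluate every record; attribute alerts to the end user via
    client_identifier rather than only to the shared database account."""
    out = []
    for rec in records:
        who = rec["client_identifier"] or rec["user"]
        for severity, rule in evaluate(rec):
            out.append((severity, rule, rec["db"], who))
    return out
```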
Protecting access to your Databases
Existing Security Solutions Not Enough: Data Must Be Protected at the Source
• Threats reach the database through application users and database administrators: botware, malware, key loggers, espionage, spear phishing, SQL injection, social engineering
SQL Injection Review: The biggest danger to cyber security
[Diagram: millions of attacks against the App Server and Database; one successful attack delivers an SQL command that leads to data and/or credential theft and malware injection; with a Database Firewall in front of the database, attacks are blocked and logged.]
• Successful attack
– Query database
– Modify data
– Deliver malware
• Implications
– Lost data
– Monetary theft
– Steal credentials / deny service
Oracle Database Firewall: First Line of Defense
• Monitor database activity to prevent unauthorized database access, SQL injections, privilege or role escalation, illegal access to sensitive data, etc.
• Highly accurate SQL grammar based analysis without costly false positives
• Flexible SQL level enforcement options based on white lists and black lists
• Scalable architecture provides enterprise performance in all deployment modes
• Built-in and custom compliance reports for SOX, PCI, and other regulations
Components: policies, built-in reports, alerts, custom reports; enforcement actions on application SQL: Block, Log, Allow, Alert, Substitute
Oracle Database Firewall: Positive Security Model
• “Allowed” behavior can be defined for any user or application
• Whitelist can take into account built-in factors such as time of day, day of week, network, application, etc.
• Automatically generate whitelists for any application
• Transactions found not to match the policy instantly rejected
• Database will only process data how you want and expect
White list: application SQL is either allowed or blocked
Oracle Database Firewall: Negative Security Model
• Stop specific unwanted SQL commands, user or schema access
• Prevent privilege or role escalation and unauthorized access to sensitive data
• Blacklist can take into account built-in factors such as time of day, day of week, network, application, etc.
• Selectively block any part of transaction in context to your business and security goals
Black list: application SQL is blocked, logged, allowed, alerted on, or substituted
Oracle Database Firewall: Policy Enforcement
• Innovative SQL grammar technology reduces millions of SQL statements into a small number of SQL characteristics or “clusters”
• Superior performance and policy scalability
• Flexible enforcement at SQL level: block, substitute, alert and pass, log only
• SQL substitution foils attackers without disrupting applications
• Zero day protection without false positives
Example of substitution: SELECT * FROM accounts becomes SELECT * FROM dual where 1=0
Reporting: Speeding deployment means lower cost
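The clustering, whitelist/blacklist enforcement and substitution described above, as an added Python illustration that is not Oracle's code: literals are stripped so statements collapse to a grammatical shape, the whitelist is learned from constructed application traffic, and anything outside it is replaced with the harmless statement from the slide instead of being dropped. The cluster() normalisation and the Policy class are assumptions about how such an engine could work.

```python
import re

SAFE_SUBSTITUTE = "SELECT * FROM dual WHERE 1=0"  # harmless statement from the slide


def cluster(sql: str) -> str:
    """Reduce a statement to its grammatical shape: string and numeric literals
    become '?', whitespace and case are normalised, so 'WHERE id = 5' and
    'WHERE id = 7' fall into the same cluster."""
    s = sql.strip().rstrip(";")
    s = re.sub(r"'(?:[^']|'')*'", "?", s)   # string literals
    s = re.sub(r"\b\d+(\.\d+)?\b", "?", s)   # numeric literals
    s = re.sub(r"\s+", " ", s)
    return s.upper()


class Policy:
    """Positive model: whitelist of clusters learned from the application's own
    traffic. Negative model: fragments that are never allowed. An unknown
    cluster is substituted, so the application still gets a well-formed,
    empty result instead of a broken connection."""

    def __init__(self, learned, blacklist):
        self.whitelist = {cluster(q) for q in learned}
        self.blacklist = [b.upper() for b in blacklist]

    def decide(self, sql: str):
        """Return (action, statement_to_forward)."""
        c = cluster(sql)
        if any(b in c for b in self.blacklist):
            return ("BLOCK", "")
        if c in self.whitelist:
            return ("ALLOW", sql)
        return ("SUBSTITUTE", SAFE_SUBSTITUTE)


# Constructed application traffic used to generate the whitelist.
LEARNED = [
    "SELECT name, balance FROM accounts WHERE id = 17",
    "UPDATE accounts SET balance = 120.50 WHERE id = 17",
]
BLACKLIST = ["GRANT DBA", "DROP TABLE"]
```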
• Database Firewall log data consolidated into reporting database
• Over 130 built in reports that can be modified/customized
• Entitlement report for database attestation
• Activity and privileged user reports
• Supports demonstrating PCI, SOX, HIPAA, etc.
• Write your own reports
Unique to Oracle: Oracle Database Firewall Database Activity Masking
• Prevents creating yet another database with sensitive and regulated data
• Sensitive and regulated information contained in SQL statements can be masked or redacted in real-time prior to being logged
• Flexible masking policies allow masking all data or just specific columns
• Critical for organizations who want to monitor and log all database activity
Oracle Database Firewall: Architecture
• Low TCO Oracle Enterprise Linux based “software appliance”
• Supports Intel-based hardware platforms for vertical and horizontal scalability
• Policy enforcement separated from policy management and reporting for scalability and performance
• Optional lightweight agents that reside within the database or the OS
• Supports Oracle and non-Oracle Databases, and is application agnostic
Components: Database Firewalls (HA mode), Database Firewall Management Server, Policy Analyzer, Local Monitor
Oracle Database Firewall: Fast and Flexible Deployments
• In-Line: All database traffic goes through the Oracle Database Firewall
• Out-of-Band/Passive: Database Firewall connected to a SPAN port or TAP
• Optional Host Based Remote or Local Monitors
– Can send network traffic from the database host to the Database Firewall
– Can send non-network database activity to the Database Firewall to identify unauthorized use of local console or remote sessions
[Diagram: users and application servers reach the database servers via a router; the Database Firewall sits either in-line or out-of-band, with an optional host-based agent on the database servers.]
Oracle Security Solutions: Complete Defense-in-Depth
• Encryption & Masking: Data Masking
• Access Control: Database Vault, Label Security, Identity Management
• Auditing: Audit Vault
• Monitoring & Blocking: Database Firewall
• Comprehensive – single vendor addresses all your requirements
• Transparent – no changes to existing applications or databases
• Easy to deploy – point and click interfaces deliver value within hours
• Cost Effective – integrated solutions reduce risk and lower TCO
• Proven – #1 Database with over 30 years of security innovation!
Demo
At the Oracle Solution Specialist booth we can provide information about the services we offer and about our solutions.