Oracle Database Vault: Database Controls for Application Security and Regulatory Compliance
Pierre Leon, Database Technology Group, Oracle Database Security

Noel Yuhanna, Research Analyst, Forrester:
“Database Vault features will be in demand, especially for databases that contain private data. Oracle is leading the pack of database makers with the new access restriction features. Microsoft, IBM, and Sybase don't have anything like this.”

© 2008 Oracle Corporation
Database Applications Under Attack: Applications Are Typically the Weakest Link
• Little built-in security; applications require DBA privileges
• Vulnerable to many different exploits: SQL injection, buffer overflows, etc.
• Insiders bypass the application to access unauthorised data directly at the database level
• Phishing and malware mean even enterprise credentials can’t be trusted unconditionally
• Application database consolidation means: break one app, get the keys to the kingdom
Database Applications Under Scrutiny: Compliance Requires Securing the Entire Application
• Data privacy regulations are getting tougher
• 90% of companies fail compliance
• Breach disclosure laws can cost $239/record
• “Controls in Depth”: auditors (and lawyers) look for preventive controls that ensure data privacy is protected
• PCI DSS, SOX, GLBA, HIPAA, etc.
• Separation of Duties
• Least Privilege
Data Privacy and Regulatory Compliance: Database Security Challenges
• Protecting Access to Application Data
• Database Monitoring
• De-Identifying Information for Sharing
• Protecting Data-at-Rest
• Data Classification
What we heard from our customers… Protecting Access to Application Data
• “Legal says our DBA should not be able to read financial records, but the DBA needs to access the database to do her job. What do we do?”
• “Our SOX auditors require that we separate account creation from granting privileges to accounts.”
• “No user should be able to by-pass our application to access information in the database directly.”
• “How do we keep the Finance department from running reports during production hours?”
• “New DBAs should not be able to make database changes without a senior DBA being present.”
STOP PRESS
• Now this is an inflammatory headline but…
• In the recession, data assets become even more tempting targets of opportunity.
• You cannot shy away from your data protection responsibilities to your customers and your own organisation.
Oracle Database Vault Key Features
• Protection Realms
• Multi-Factor Authorisation
• Separation of Duties
• Realm Violation Reports
• Rule-Based Authorisation
• No Application Changes!
Privileged User Controls Using Protection Realms
• Prevent privileged users from accessing application data beyond their authorisation
• Consolidate application data securely in one database
• Enforce preventive controls
• Separation of Duties
• Least Privilege
Diagram: a DBA issuing SELECT * FROM HR.EMP is blocked by the HR Realm, which admits only the HR App DBA to the HR schema; likewise the FIN Realm admits only the FIN App DBA to the FIN schema.
Real-Time Access Control: Rule-Based Multi-Factor Authorisation
• Grant access to application data based on rules that consider multiple factors
• Prevent application bypass and ad-hoc access
• Protect application data against unintentional harm
• Prevent unmonitored changes
• Require strong authentication for DBAs
Diagram: an HR Application User’s CONNECT … to HR and a FIN Application DBA’s CREATE … in FIN are each evaluated against the rules before being allowed.
Built-In Database Vault Factors (Extensible Via APIs)
USER:     User Name, Authentication Type, Session User, Proxy User, Enterprise Identity
NETWORK:  Machine Name, Client IP Address, Network Protocols, Network IP Address
DATABASE: Database IP Address, Database SID, Database Instance, Database Hostname
RUN-TIME: Language, Date, Time, Day of Week
Separation of Duties: Database Vault Controls
• Security Administrator
• Account Administrator
• Database Administrator
• Application Administrator
• Extensible (e.g., Database Tester)
Realm Violation Reports: Provable Preventive Controls
• Built-in auditing and reporting
• Realm violation reports
• Privilege reports such as “Who has the DBA Role?”
• More than 2 dozen reports in total
• Easy to set up and administer
• Web interface
• API
Oracle Application Certification: Extensible Out-of-the-Box Policies Protect Applications
• Oracle PeopleSoft
• Oracle E-Business Suite
• Oracle Siebel CRM
• Oracle Content Database
• Oracle Internet Directory
Separation of Duties
• Data access restricted to application-related accounts
• No access by other privileged users with the DBA role
Application Data Access Control
• Customisable CONNECT rule protects against application bypass
5 Steps to Protect Database Applications: Easy to Deploy Database Vault for Any Application
1. Define Realms
2. Add SQL Command Rules (Optional)
3. Add other security policies (Optional)
4. PL/SQL scripts to deploy security policies
5. Test your application
6. Deploy
DEMONSTRATION: Oracle Database Vault Protecting Application Data with Realms and Multi-Factor Rules
Oracle Database Vault Case Study: Financial Services Customer

Customer Requirement: Restrict DBA access to sensitive data
Database Vault Solution: Realm around application data allowing only the authorised application owner to access data

Customer Requirement: Enforce application access through middle-tier processes running on geographically allocated servers
Database Vault Solution: Rule restricting database access based on middle-tier server IP addresses

Customer Requirement: Protect mission-critical business data from intentional or accidental harmful changes
Database Vault Solution: Rule restricting dropping or wiping out associated database structures

Customer Requirement: Control use of ad-hoc query tools during peak load times
Database Vault Solution: Rule restricting connections by ad-hoc query tools to maintenance day/time

Customer Requirement: Enforce patching and backup to specific maintenance periods and monitor the patching process
Database Vault Solution: Rule restricting the database maintenance DBA’s login to maintenance day/time; rule requiring two DBAs to authenticate during maintenance periods from internal IP addresses
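The deployment steps above (define realms, add SQL command rules, deploy with PL/SQL, test) and the first four rows of the case study map directly onto Database Vault objects. The following PL/SQL is an added illustration, not a script from the slides or from Oracle, and it assumes a finance schema named FIN_APP, a realm named FIN_REALM, a middle-tier address range of 192.0.2.% and a Sunday 01:00 to 05:00 maintenance window; all of these are constructed values. It uses the DBMS_MACADM procedures and DBMS_MACUTL constants of the Oracle 11g Database Vault API, so check parameter names against the Database Vault Administrator’s Guide for your release before running it. The day/time check uses SYSDATE rather than the built-in Date/Time/Day-of-Week factors so that it does not depend on factor names the slide does not spell out. The two-DBA requirement from the last row needs a custom factor and is not shown.

```sql
-- Run as the Database Vault owner account (holder of DV_OWNER), not as SYS.
-- FIN_APP, FIN_REALM, 192.0.2.% and the maintenance window are constructed
-- values for this illustration.
BEGIN
  -- Step 1: a realm around the finance schema. Only the application owner
  -- is authorised; a user holding DBA is blocked and the attempt is audited.
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'FIN_REALM',
    description   => 'Protects finance application data from privileged users',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);

  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'FIN_REALM',
    object_owner => 'FIN_APP',
    object_name  => '%',   -- every object in the schema
    object_type  => '%');

  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'FIN_REALM',
    grantee       => 'FIN_APP',
    rule_set_name => NULL,  -- unconditional authorisation for the owner
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_OWNER);

  -- Step 2: rules built from Database Vault factors (DVF.F$...).
  -- Trusted path: FIN_APP may only connect from the middle-tier range;
  -- every other account is unaffected by this rule.
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'FIN App From Middle Tier',
    rule_expr => 'DVF.F$SESSION_USER <> ''FIN_APP'' ' ||
                 'OR DVF.F$CLIENT_IP LIKE ''192.0.2.%''');

  -- Maintenance window: Sunday between 01:00 and 05:59.
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'FIN Maintenance Window',
    rule_expr => 'TO_CHAR(SYSDATE, ''DY'', ''NLS_DATE_LANGUAGE=ENGLISH'') = ''SUN'' ' ||
                 'AND TO_NUMBER(TO_CHAR(SYSDATE, ''HH24'')) BETWEEN 1 AND 5');

  -- Rule set for connections: all rules must be true; failures are audited
  -- and the user sees the fail message.
  DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'FIN Connect Policy',
    description     => 'Finance application account connects only from middle tier',
    enabled         => DBMS_MACUTL.G_YES,
    eval_options    => DBMS_MACUTL.G_RULESET_EVAL_ALL,
    audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
    fail_options    => DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => 'Finance connections are allowed only from the application servers',
    fail_code       => 20001,
    handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);

  DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'FIN Connect Policy',
    rule_name     => 'FIN App From Middle Tier');

  -- CONNECT command rules apply to all users, so the rule above is what
  -- narrows the effect to FIN_APP.
  DBMS_MACADM.CREATE_COMMAND_RULE(
    command       => 'CONNECT',
    rule_set_name => 'FIN Connect Policy',
    object_owner  => '%',
    object_name   => '%',
    enabled       => DBMS_MACUTL.G_YES);

  -- Rule set guarding destructive DDL on finance structures.
  DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'FIN Maintenance Only',
    description     => 'Destructive changes to finance objects only in the window',
    enabled         => DBMS_MACUTL.G_YES,
    eval_options    => DBMS_MACUTL.G_RULESET_EVAL_ALL,
    audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
    fail_options    => DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => 'Finance objects may only be dropped or truncated in the maintenance window',
    fail_code       => 20002,
    handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);

  DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'FIN Maintenance Only',
    rule_name     => 'FIN Maintenance Window');

  -- Command rules for DROP TABLE and TRUNCATE TABLE on any FIN_APP table.
  DBMS_MACADM.CREATE_COMMAND_RULE(
    command       => 'DROP TABLE',
    rule_set_name => 'FIN Maintenance Only',
    object_owner  => 'FIN_APP',
    object_name   => '%',
    enabled       => DBMS_MACUTL.G_YES);

  DBMS_MACADM.CREATE_COMMAND_RULE(
    command       => 'TRUNCATE TABLE',
    rule_set_name => 'FIN Maintenance Only',
    object_owner  => 'FIN_APP',
    object_name   => '%',
    enabled       => DBMS_MACUTL.G_YES);
END;
/
```

Before step 6 (deploy), confirm what was created with the DBA_DV_REALM, DBA_DV_RULE_SET and DBA_DV_COMMAND_RULE views and run the application test from step 5: a connection as FIN_APP from an address outside 192.0.2.% should fail with the fail message and appear in the realm/command-rule audit, while a DBA’s SELECT against FIN_APP tables should be rejected by the realm. A CONNECT command rule locks out every user if its rule expression is wrong, so test it on a non-production database first and keep a session open as the Database Vault owner while enabling it.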
Industry Leading Innovation: 2007 Product Excellence Award Winner
Oracle Database Security Solutions for Privacy and Compliance
• Database Vault
• Advanced Security
• Audit Vault
• Secure Backup
• Configuration Management
• Total Recall
• Label Security
• Data Masking
For More Information
http://search.oracle.com (search for “database security”)
or oracle.com/database/security
Release-Wide Map of Security Products
Releases (columns): Oracle 8i, Oracle Database 9iR1, 9iR2, 10g R1, 10g R2, 11gR1
Products (rows): Database Auditing, Network Encryption, Virtual Private Database, Label Security, Database Vault, Audit Vault, Fine Grained Auditing, Total Recall, EM Configuration Scanning, TDE Column Encryption, TDE Tablespace Encryption, EM Data Masking
Note: Data Masking is available starting with EM 10.2.0.4 and works against Oracle Database 9.2 and higher databases.