260 likes | 699 Views
Data Security. Presented by: Kiran Singh. Agenda. Introduction Some of the common compliance and regulations Overview of Oracle's Security Portfolio – 11G Oracle Database Vault Oracle Audit Vault Oracle Configuration Management Oracle Total Recall Oracle Data Masking
E N D
Data Security Presented by: Kiran Singh
Agenda • Introduction • Some of the common compliance and regulations • Overview of Oracle's Security Portfolio – 11G • Oracle Database Vault • Oracle Audit Vault • Oracle Configuration Management • Oracle Total Recall • Oracle Data Masking • Oracle Label Security • Oracle Secure Backup • Oracle Advanced Security • Implement Data Encryption • QA
Some of the Compliance Regulations.... AMERICAS • Sarbanes-Oxley (SOX ) • Healthcare Insurance Portability and Accountability Act (HIPAA) • CA SB 1386 and other State Privacy Laws • Payment Card Industry Data Security Act • FDA CFR 21 Part 11 • FISMA (Federal Info Security Mgmt Act) EMEA • EU Privacy Directives • UK Companies Act of 2006 APAC • Financial Instruments and Exchange Law (J-SOX) • CLERP 9: Audit Reform and Corporate Disclosure Act (Australia) GLOBAL • International Accounting Standards • Basel II (Global Banking) • OECD Guidelines on Corporate Governance
Americas • Sarbanes-Oxley (SOX ) - Defines which records are to be stored and for how long. The legislation affects the IT departments whose job is to store a corporation's electronic records. • Healthcare Insurance Portability and Accountability Act (HIPAA) - Require physicians to ensure they are protecting the privacy and security of patients' medical information and using a standard format when submitting electronic transactions. • CA SB 1386 and other State Privacy Laws – Regulations regarding the privacy of personal information and disclose any breach of security.
Americas • Payment Card Industry Data Security Act - Prevent credit card fraud through increased controls around data and its exposure to compromise. • FDA CFR 21 Part 11 - Implement controls, including audits, system validations, audit trails, electronic signatures, and documentation for software and systems involved in processing electronic data. • Federal Info Security Mgmt Act (FISMA) - The act requires each federal agency to develop, document, and implement an information security for the information and information systems that support the operations.
EMEA & APAC EU Privacy Directives • Regulates how personal data should be processed. UK Companies Act of 2006 • Evidence of compliance. Financial Instruments and Exchange Law (J-SOX) • Securities law and regulating securities companies in Japan. CLERP 9: Audit Reform and Corporate Disclosure Act (Australia) The Corporate Law Economic Reform Program • Companies must have adequate measures, processes and procedures to meet the obligations of the Act, especially if you're involved in auditing and company financial reporting.
GLOBAL International Accounting Standards • Financial reporting framework. Basel II (Global Banking) • Global Banking Regulations OECD Guidelines on Corporate Governance (Organization for Economic Co-operation and Development) • Global standards for business dealings
Oracle’s Security Portfolio - 11G • Oracle Database Vault • Oracle Audit Vault • Oracle Configuration Management • Oracle Total Recall • Oracle Data Masking • Oracle Label Security • Oracle Secure Backup • Oracle Advanced Security
Oracle Database Vault • Implement Access Controls - Restricts access by unauthorized database users - even for privileged users - by using access controls built into the Oracle database. • Tighten Security – Allows multiple ways to tighten security by implementing IP address and authentication methods, and limiting to who, when , where and how database can be accessed. • Address Compliance requirements - Implements separation-of-duty and real-time preventive controls. • Standard reports - Provides ability to run reports that provide information on who has what privileges, as well as information on who has been accessing the database and when. • Out-Of-The-Box Application Validation - Usescertified default policies for Oracle E-Business Suite, Oracle PeopleSoft, and Oracle Siebel CRM applications.
Oracle Audit Vault • Automating audit data collection, monitoring and reporting - Detects unauthorized activity, helps satisfying compliance regulations such as Sarbanes-Oxley. • Consolidates audit information from multiple systems - Detects data changes and protects audit data from modifications and tampering. • Supports multiple database systems: 10.2.3.1 - Supports monitoring Microsoft SQL Server 2000 and 2005, windows event viewer, IBM DB2 UDB 8.2 and 9.5, and Sybase ASE 12.5 and 15.0 databases. • Threat Detection - Alerts notification of suspicious activity across the enterprise. • Clean up at source - Removes audit data on source systems, helping further simplify audit data management after collection.
Transparently Collects and Consolidates Audit Data using collectors
Oracle Configuration Management • Track Changes - Allows database administrators to track hardware and software configuration information for hosts and databases managed by Enterprise Manager. • Detects Patches - Helps find missing security patch. • Server management - Search on configuration data, such as Oracle home patch status, versions deployed, parameter settings, database feature use, compare the configuration of two databases or host-to-host and policy management to alert the administrator to deviations from best practices
Oracle Total Recall • Based on Flashback feature: Total Recall allows users to query data "AS OF" an earlier time in the past that helps you verify suspicious activity. • Archive Audit Data: Provides a secure, efficient, easy-to-use, and application-transparent solution for long-term storage and auditing of historical data. • Track Changes: Track and store transactional changes to a table over its lifetime. • User defined Retention: Data is permanently stored in a specified archive tablespace and will only age out after a user defined retention time. • Restrictions: Can not drop or modify column or primary key, does not support long or nested column, drop table .
Implementing Total Recall • CREATE FLASHBACK ARCHIVE DEFAULT fla1 TABLESPACE tbs1 QUOTA 10G RETENTION 1 YEAR; • CREATE FLASHBACK ARCHIVE fla2 TABLESPACE tbs2 QUOTA 10G RETENTION 2 YEAR; • ALTER TABLE hr.jobs FLASHBACK ARCHIVE; • ALTER TABLE hr.employees FLASHBACK ARCHIVE fla2; • UPDATE hr.employees SET salary = 6000 WHERE employee_id = 200; • SELECT salary FROM hr.employees AS OF TIMESTAMP TO_TIMESTAMP('2007-07-13 02:19:00', 'YYYY-MM-DD HH24:MI:SS') WHERE employee_id = 200;
Oracle Data Masking • Hide Sensitive Data - Mask sensitive production data in order to share that data with development/test, analysis groups, and business partners, etc. • Standard Masking - Provides common masking formats in the form of standard Format Library that enterprises can use to apply data privacy rules consistently. • Custom Formats - Organization with specialized masking requirements can add user defined masking. • Secure Sharing - Share production data with internal and external entities while preventing sensitive or confidential parts of the information from being disclosed to unauthorized parties.
Oracle Label Security • Controlled Access - Offers classification of data and controls access to data based on its classification. • Accessed based on Labels, Policies and groups - Sensitivity labels can be assigned to users in the form of label authorizations and associated with operations and objects inside the database using data labels. • Oracle Policy ManagerChange-Starting with Oracle Database 11gR1, Oracle Policy Manager is no longer available. Management of Oracle Label Security policies can be performed using Oracle Enterprise Manager. • Requires Client CD to install OPM for <11G.
Oracle Secure Backup • Two-Way Authentication - Offers a centralized management component and works in client-server architecture. • SSL data encryption - Transports using SSL. • Policy-based backup management - Allows fine-grained control over tape media and the backup domain. • Data Protection – Provides database and file system data protection: UNIX / Windows / Linux servers and Network Attached Storage (NAS) . • Backup encryption - Secures backup data whether tapes are onsite, offsite or lost.
Oracle Advanced Security • Transparent Data Encryption - Data can be transparently encrypted using AES with up to 256 bits, or 3DES168 at the column or tablespace level. • Network Encryption - AES (256, 192, and 128 bits) , 3DES168 (3 and 2 keys) , DES (56 and 40 bits) , RC4 (256, 128, 56, and 40 bits) , and SHA1, MD5. • Strong Authentication -Kerberos, RADIUS (Remote Authentication Dial-In User Service) , Secure Sockets Layer (with digital certificates) , PKI
Implementing Transparent Data Encryption • Specify wallet location in sqlnet.ora. • Create the encrypted wallet file (the ENCRYPTION clause is optional): • ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY “test11"; • alter system set wallet close; • alter system set encryption key identified by "test11"; #to open wallet • Column Level Encryption: • alter table HR.EMPLOYEE modify (salary encrypt); • SALARY NUMBER(8,2) ENCRYPT • DBA_ENCRYPTED_COLUMNS – View all encrypted columns in a database. • TDE, by default, applies a SALT. • No Indexes on columns with SALT. • No encryption for Foreign Key columns, uses same key for all columns in a table. • Open Wallet at startup time. • Encrypted data can be accessed/modified only when Wallet is open. • With Wallet closed non-encrytped data can still be seen.
TDE….continued • Tablespace Encryption: • Create tablespace secure datafile ‘ /u01/oradata/secure01.dbf’ size 200M encrption using ‘WES192’ Default storage (encrypt); • No restriction on Foreign Key columns. • Data Pump • By default, if you use the Data Pump export utility (EXPDP) to export data from a table with encrypted columns, the data in the resulting dump file will be in clear text, even the encrypted column data. • Use password protection for export/Import • $ expdp ops$ksingh ENCRYPTION_PASSWORD=test11 tables=employee • $ impdp ops$ksingh tables=employee #fails with ORA-39174
Q&A ? ? ? ? ksingh.50@gmail.com