Data Security


Presentation Transcript


  1. Data Security Presented by: Kiran Singh

  2. Agenda
  • Introduction
  • Some of the common compliance and regulations
  • Overview of Oracle's Security Portfolio – 11G
  • Oracle Database Vault
  • Oracle Audit Vault
  • Oracle Configuration Management
  • Oracle Total Recall
  • Oracle Data Masking
  • Oracle Label Security
  • Oracle Secure Backup
  • Oracle Advanced Security
  • Implement Data Encryption
  • QA

  3. Some of the Compliance Regulations....
  AMERICAS
  • Sarbanes-Oxley (SOX)
  • Healthcare Insurance Portability and Accountability Act (HIPAA)
  • CA SB 1386 and other State Privacy Laws
  • Payment Card Industry Data Security Act
  • FDA CFR 21 Part 11
  • FISMA (Federal Info Security Mgmt Act)
  EMEA
  • EU Privacy Directives
  • UK Companies Act of 2006
  APAC
  • Financial Instruments and Exchange Law (J-SOX)
  • CLERP 9: Audit Reform and Corporate Disclosure Act (Australia)
  GLOBAL
  • International Accounting Standards
  • Basel II (Global Banking)
  • OECD Guidelines on Corporate Governance

  4. Americas
  • Sarbanes-Oxley (SOX) - Defines which records are to be stored and for how long. The legislation affects the IT departments whose job is to store a corporation's electronic records.
  • Healthcare Insurance Portability and Accountability Act (HIPAA) - Requires physicians to ensure they are protecting the privacy and security of patients' medical information and using a standard format when submitting electronic transactions.
  • CA SB 1386 and other State Privacy Laws - Regulations covering the privacy of personal information and the disclosure of any breach of security.

  5. Americas
  • Payment Card Industry Data Security Act - Prevents credit card fraud through increased controls around data and its exposure to compromise.
  • FDA CFR 21 Part 11 - Implement controls, including audits, system validations, audit trails, electronic signatures, and documentation for software and systems involved in processing electronic data.
  • Federal Info Security Mgmt Act (FISMA) - The act requires each federal agency to develop, document, and implement an information security program for the information and information systems that support its operations.

  6. EMEA & APAC
  EU Privacy Directives
  • Regulates how personal data should be processed.
  UK Companies Act of 2006
  • Evidence of compliance.
  Financial Instruments and Exchange Law (J-SOX)
  • Securities law regulating securities companies in Japan.
  CLERP 9: Audit Reform and Corporate Disclosure Act (Australia) - The Corporate Law Economic Reform Program
  • Companies must have adequate measures, processes and procedures to meet the obligations of the Act, especially if they are involved in auditing and company financial reporting.

  7. GLOBAL
  International Accounting Standards
  • Financial reporting framework.
  Basel II (Global Banking)
  • Global banking regulations.
  OECD Guidelines on Corporate Governance (Organization for Economic Co-operation and Development)
  • Global standards for business dealings.

  8. Regulations and Requirements

  9. Oracle's Security Portfolio - 11G
  • Oracle Database Vault
  • Oracle Audit Vault
  • Oracle Configuration Management
  • Oracle Total Recall
  • Oracle Data Masking
  • Oracle Label Security
  • Oracle Secure Backup
  • Oracle Advanced Security

  10. Oracle Database Vault
  • Implement Access Controls - Restricts access by unauthorized database users, even privileged users, by using access controls built into the Oracle database.
  • Tighten Security - Allows multiple ways to tighten security by using IP address and authentication method as factors, and limiting who, when, where and how the database can be accessed.
  • Address Compliance Requirements - Implements separation of duty and real-time preventive controls.
  • Standard Reports - Provides the ability to run reports showing who has what privileges, as well as who has been accessing the database and when.
  • Out-Of-The-Box Application Validation - Uses certified default policies for Oracle E-Business Suite, Oracle PeopleSoft, and Oracle Siebel CRM applications.
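The following is an added example, not taken from the slides, of how the three Database Vault controls on this slide (access control on objects, restricting connections by client IP address, and separation of duty) are set up with the DBMS_MACADM API. The realm and rule-set names, the 10.10.% subnet and the choice of the HR schema are assumptions made up for the example; it is run as a user holding the DV_OWNER role.

```sql
-- Added example (not from the slides): fence the HR schema with a realm and
-- allow HR connections only from the application subnet. Names and the
-- subnet are illustrative assumptions.
BEGIN
  -- 1. Realm around every HR object. Inside a realm, system privileges such
  --    as SELECT ANY TABLE no longer apply, which is what stops a DBA with
  --    broad privileges from reading salary data.
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'HR Realm',
    description   => 'Protects HR tables from privileged users',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);  -- log blocked attempts

  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'HR Realm',
    object_owner => 'HR',
    object_name  => '%',
    object_type  => '%');

  -- 2. Separation of duty: only the application owner is authorised in the
  --    realm; the DBA who manages the instance is not.
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'HR Realm',
    grantee       => 'HR',
    rule_set_name => NULL,
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_OWNER);

  -- 3. Rule set built on the Client_IP factor (DVF.F$CLIENT_IP is the
  --    factor's built-in retrieval function).
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'From App Subnet',
    rule_expr => q'[DVF.F$CLIENT_IP LIKE '10.10.%']');

  DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'HR Connect Rule Set',
    description     => 'HR may connect only from the application subnet',
    enabled         => DBMS_MACUTL.G_YES,
    eval_options    => DBMS_MACUTL.G_RULESET_EVAL_ALL,
    audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
    fail_options    => DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => 'Connection not allowed from this address',
    fail_code       => 20100,
    handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);

  DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'HR Connect Rule Set',
    rule_name     => 'From App Subnet');

  -- 4. Command rule: evaluate the rule set on every CONNECT by HR.
  DBMS_MACADM.CREATE_COMMAND_RULE(
    command       => 'CONNECT',
    rule_set_name => 'HR Connect Rule Set',
    object_owner  => 'HR',
    object_name   => '%',
    enabled       => DBMS_MACUTL.G_YES);
END;
/

-- Evidence for the "who has what" reports: confirm the controls exist.
SELECT name, enabled FROM dba_dv_realm WHERE name = 'HR Realm';
SELECT command, rule_set_name, object_owner, enabled
  FROM dba_dv_command_rule WHERE command = 'CONNECT';
```

Realm violations are written to the Database Vault audit trail because of G_REALM_AUDIT_FAIL, so a blocked SELECT by a privileged account shows up as an event rather than disappearing silently.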

  11. Oracle Database Vault Home Page

  12. Oracle Audit Vault
  • Automates audit data collection, monitoring and reporting - Detects unauthorized activity and helps satisfy compliance regulations such as Sarbanes-Oxley.
  • Consolidates audit information from multiple systems - Detects data changes and protects audit data from modification and tampering.
  • Supports multiple database systems: 10.2.3.1 - Supports monitoring Microsoft SQL Server 2000 and 2005, Windows Event Viewer, IBM DB2 UDB 8.2 and 9.5, and Sybase ASE 12.5 and 15.0 databases.
  • Threat Detection - Alert notification of suspicious activity across the enterprise.
  • Clean Up at Source - Removes audit data on source systems after collection, further simplifying audit data management.

  13. Transparently Collects and Consolidates Audit Data using collectors

  14. Oracle Configuration Management
  • Track Changes - Allows database administrators to track hardware and software configuration information for hosts and databases managed by Enterprise Manager.
  • Detects Patches - Helps find missing security patches.
  • Server Management - Search on configuration data such as Oracle home patch status, versions deployed, parameter settings and database feature use; compare the configuration of two databases or host-to-host; and policy management to alert the administrator to deviations from best practices.

  15. Oracle Total Recall
  • Based on the Flashback feature: Total Recall allows users to query data "AS OF" an earlier time in the past, which helps you verify suspicious activity.
  • Archive Audit Data: Provides a secure, efficient, easy-to-use, and application-transparent solution for long-term storage and auditing of historical data.
  • Track Changes: Tracks and stores transactional changes to a table over its lifetime.
  • User Defined Retention: Data is permanently stored in a specified archive tablespace and only ages out after a user-defined retention time.
  • Restrictions: Cannot drop or modify a column or the primary key; does not support LONG or nested columns; cannot drop the table.

  16. Implementing Total Recall
  • CREATE FLASHBACK ARCHIVE DEFAULT fla1 TABLESPACE tbs1 QUOTA 10G RETENTION 1 YEAR;
  • CREATE FLASHBACK ARCHIVE fla2 TABLESPACE tbs2 QUOTA 10G RETENTION 2 YEAR;
  • ALTER TABLE hr.jobs FLASHBACK ARCHIVE;
  • ALTER TABLE hr.employees FLASHBACK ARCHIVE fla2;
  • UPDATE hr.employees SET salary = 6000 WHERE employee_id = 200;
  • SELECT salary FROM hr.employees AS OF TIMESTAMP TO_TIMESTAMP('2007-07-13 02:19:00', 'YYYY-MM-DD HH24:MI:SS') WHERE employee_id = 200;
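Slide 15 says the archive "helps you verify suspicious activity" and slide 16 shows a single AS OF query. As an added example (not from the slides), the queries below use the same fla2 archive on hr.employees to reconstruct the full change history of one row and tie a change back to the transaction that made it. The time window and the substitution variable for the transaction id are constructed for the example.

```sql
-- Added example (not from the slides): investigating a salary change on
-- employee 200 using the flashback archive attached on slide 16.

-- 1. Confirm the table is archived and where its history lives.
SELECT owner_name, table_name, flashback_archive_name, archive_table_name
  FROM dba_flashback_archive_tables
 WHERE owner_name = 'HR' AND table_name = 'EMPLOYEES';

-- 2. Every version of the row in the window. VERSIONS_* are pseudocolumns
--    of a Flashback Version Query; VERSIONS_XID identifies the transaction
--    and VERSIONS_OPERATION is I/U/D for insert, update, delete.
SELECT versions_startscn, versions_starttime, versions_endtime,
       versions_xid, versions_operation, salary
  FROM hr.employees
       VERSIONS BETWEEN TIMESTAMP
         TO_TIMESTAMP('2007-07-13 00:00:00', 'YYYY-MM-DD HH24:MI:SS')
         AND SYSTIMESTAMP
 WHERE employee_id = 200
 ORDER BY versions_startscn NULLS FIRST;

-- 3. Map one transaction id from step 2 to the user who ran it and the SQL
--    that would undo it. Needs the SELECT ANY TRANSACTION privilege and undo
--    still covering the period under review (&suspicious_xid is a SQL*Plus
--    substitution variable supplied at run time).
SELECT xid, logon_user, start_timestamp, operation, undo_sql
  FROM flashback_transaction_query
 WHERE xid = HEXTORAW('&suspicious_xid')
   AND table_owner = 'HR' AND table_name = 'EMPLOYEES';

-- 4. Side-by-side comparison of the current value with the archived one.
SELECT 'now'    AS snapshot, salary FROM hr.employees WHERE employee_id = 200
UNION ALL
SELECT 'before' AS snapshot, salary
  FROM hr.employees AS OF TIMESTAMP
       TO_TIMESTAMP('2007-07-13 02:19:00', 'YYYY-MM-DD HH24:MI:SS')
 WHERE employee_id = 200;
```

Step 2 is the one that depends on the archive: without Total Recall, the versions are only available as long as they remain in undo, whereas the archive keeps them for the retention period set on slide 16.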

  17. Oracle Data Masking
  • Hide Sensitive Data - Masks sensitive production data so that it can be shared with development/test and analysis groups, business partners, etc.
  • Standard Masking - Provides common masking formats in a standard Format Library that enterprises can use to apply data privacy rules consistently.
  • Custom Formats - Organizations with specialized masking requirements can add user-defined masking formats.
  • Secure Sharing - Share production data with internal and external entities while preventing sensitive or confidential parts of the information from being disclosed to unauthorized parties.

  18. Define Column Mask Page

  19. Oracle Label Security
  • Controlled Access - Offers classification of data and controls access to data based on its classification.
  • Access Based on Labels, Policies and Groups - Sensitivity labels can be assigned to users in the form of label authorizations and associated with operations and objects inside the database using data labels.
  • Oracle Policy Manager Change - Starting with Oracle Database 11gR1, Oracle Policy Manager is no longer available. Management of Oracle Label Security policies can be performed using Oracle Enterprise Manager.
  • Requires the Client CD to install OPM for versions earlier than 11G.
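As an added example (not from the slides), the PL/SQL below builds the smallest useful Label Security policy: levels, data labels, user authorizations, and the policy applied to a table so that rows are filtered by the session label regardless of object grants. The policy name HR_POL, the level names, the two user accounts and the job-id rule for labelling rows are assumptions made for the example; it runs as the LBACSYS administrator.

```sql
-- Added example (not from the slides): a three-level classification policy
-- on hr.employees. All names below are illustrative assumptions.
BEGIN
  -- 1. The policy adds a hidden HR_LABEL column to every protected table and
  --    enforces both read and write control.
  SA_SYSDBA.CREATE_POLICY(
    policy_name     => 'HR_POL',
    column_name     => 'HR_LABEL',
    default_options => 'READ_CONTROL,WRITE_CONTROL,HIDE');

  -- 2. Classification levels; a higher number is more sensitive.
  SA_COMPONENTS.CREATE_LEVEL('HR_POL', 1000, 'P',  'PUBLIC');
  SA_COMPONENTS.CREATE_LEVEL('HR_POL', 2000, 'C',  'CONFIDENTIAL');
  SA_COMPONENTS.CREATE_LEVEL('HR_POL', 3000, 'HS', 'HIGHLY_SENSITIVE');

  -- 3. Data labels rows may carry (the tag is the value stored in HR_LABEL).
  SA_LABEL_ADMIN.CREATE_LABEL('HR_POL', 10, 'P');
  SA_LABEL_ADMIN.CREATE_LABEL('HR_POL', 20, 'C');
  SA_LABEL_ADMIN.CREATE_LABEL('HR_POL', 30, 'HS');

  -- 4. Label authorizations: the payroll clerk reads up to C, the HR
  --    director up to HS. The schema owner gets FULL so it can label rows.
  SA_USER_ADMIN.SET_USER_LABELS('HR_POL', 'PAYROLL_CLERK', 'C');
  SA_USER_ADMIN.SET_USER_LABELS('HR_POL', 'HR_DIRECTOR',   'HS');
  SA_USER_ADMIN.SET_USER_PRIVS ('HR_POL', 'HR', 'FULL');

  -- 5. Apply the policy: from here on every SELECT/DML on the table is
  --    mediated by the session label.
  SA_POLICY_ADMIN.APPLY_TABLE_POLICY(
    policy_name => 'HR_POL',
    schema_name => 'HR',
    table_name  => 'EMPLOYEES');
END;
/

-- Classify existing rows (run as HR): executives become HS, all others C.
UPDATE hr.employees
   SET hr_label = CHAR_TO_LABEL('HR_POL',
                    CASE WHEN job_id LIKE 'AD\_%' ESCAPE '\' THEN 'HS' ELSE 'C' END);
COMMIT;

-- Verify the control: run this once as PAYROLL_CLERK and once as HR_DIRECTOR;
-- the clerk's count excludes the HS rows even with SELECT granted on the table.
SELECT COUNT(*) FROM hr.employees;
```

Because the HR_LABEL column is created with HIDE, existing application code that does SELECT * keeps working; the column is only visible when named explicitly, as in the UPDATE above.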

  20. Oracle Secure Backup
  • Two-Way Authentication - Offers a centralized management component and works in a client-server architecture.
  • SSL Data Encryption - Transports data using SSL.
  • Policy-Based Backup Management - Allows fine-grained control over tape media and the backup domain.
  • Data Protection - Provides database and file system data protection for UNIX / Windows / Linux servers and Network Attached Storage (NAS).
  • Backup Encryption - Secures backup data whether tapes are onsite, offsite or lost.

  21. Backup and Media Management - OSB Web Tool

  22. Oracle Advanced Security
  • Transparent Data Encryption - Data can be transparently encrypted using AES with up to 256 bits, or 3DES168, at the column or tablespace level.
  • Network Encryption - AES (256, 192, and 128 bits), 3DES168 (3 and 2 keys), DES (56 and 40 bits), RC4 (256, 128, 56, and 40 bits), and SHA1, MD5.
  • Strong Authentication - Kerberos, RADIUS (Remote Authentication Dial-In User Service), Secure Sockets Layer (with digital certificates), PKI.
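The slide lists the network encryption algorithms but not how to turn the feature on or prove it is in effect. As an added example (not from the slides), the block below shows the server-side sqlnet.ora settings that make encryption and integrity mandatory with the strongest algorithms from the slide's list, followed by queries against the session views that reveal what each connected session actually negotiated. The sqlnet.ora path and the choice of AES256/SHA1 are assumptions for the example.

```sql
-- Added example (not from the slides): enforce and then verify network
-- encryption. The sqlnet.ora fragment is shown as a comment because it is
-- a server configuration file, not SQL.
--
--   # $ORACLE_HOME/network/admin/sqlnet.ora on the database server
--   SQLNET.ENCRYPTION_SERVER            = REQUIRED
--   SQLNET.ENCRYPTION_TYPES_SERVER      = (AES256)
--   SQLNET.CRYPTO_CHECKSUM_SERVER       = REQUIRED
--   SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA1)
--
-- REQUIRED refuses any client that cannot negotiate a listed algorithm, so
-- the DES, RC4 and MD5 options on the slide can never be selected.

-- 1. What each user session negotiated. V$SESSION_CONNECT_INFO holds one
--    banner row per network service; the "... service adapter" rows name
--    the algorithm in use, e.g. AES256 or SHA1.
SELECT s.sid, s.username, s.machine, c.network_service_banner
  FROM v$session s
  JOIN v$session_connect_info c
    ON c.sid = s.sid AND c.serial# = s.serial#
 WHERE s.type = 'USER'
   AND (UPPER(c.network_service_banner) LIKE '%ENCRYPTION SERVICE ADAPTER%'
        OR UPPER(c.network_service_banner) LIKE '%CRYPTO-CHECKSUMMING SERVICE ADAPTER%')
 ORDER BY s.sid;

-- 2. Detection query: user sessions with no encryption adapter at all.
--    With ENCRYPTION_SERVER = REQUIRED this should return no rows; any hit
--    means the setting is not in effect for that connection path.
SELECT s.sid, s.username, s.machine, s.program
  FROM v$session s
 WHERE s.type = 'USER'
   AND NOT EXISTS (
         SELECT 1
           FROM v$session_connect_info c
          WHERE c.sid = s.sid AND c.serial# = s.serial#
            AND UPPER(c.network_service_banner) LIKE '%ENCRYPTION SERVICE ADAPTER%');
```

Query 2 is the one worth scheduling: it turns the configuration intent (REQUIRED) into an observable check on live sessions, which is what an auditor will ask for.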

  23. Implementing Transparent Data Encryption
  • Specify the wallet location in sqlnet.ora.
  • Create the encrypted wallet file (the ENCRYPTION clause is optional):
    ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "test11";
  • Close the wallet:
    ALTER SYSTEM SET ENCRYPTION WALLET CLOSE;
  • Open the wallet:
    ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "test11";
  • Column Level Encryption:
    ALTER TABLE HR.EMPLOYEE MODIFY (salary ENCRYPT);
    SALARY NUMBER(8,2) ENCRYPT
  • DBA_ENCRYPTED_COLUMNS - View all encrypted columns in a database.
  • TDE, by default, applies a SALT.
  • No indexes on columns with SALT.
  • No encryption for Foreign Key columns; uses the same key for all columns in a table.
  • Open the wallet at startup time.
  • Encrypted data can be accessed/modified only when the wallet is open.
  • With the wallet closed, non-encrypted data can still be seen.
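As an added example (not from the slides), the script below carries the slide's column-level steps through on a small constructed table: wallet location, master key, a salted column next to a NO SALT column that needs an index, the DBA_ENCRYPTED_COLUMNS inventory, and the wallet-closed behaviour the last three bullets describe. The wallet directory, the hr.payroll table and the password are assumptions made for the example.

```sql
-- Added example (not from the slides): column-level TDE end to end.
-- The wallet directory below is an assumed path; the instance must find it
-- through sqlnet.ora before the first ALTER SYSTEM SET ENCRYPTION KEY.
--
--   # sqlnet.ora entry (server side)
--   ENCRYPTION_WALLET_LOCATION =
--     (SOURCE = (METHOD = FILE)
--       (METHOD_DATA = (DIRECTORY = /u01/app/oracle/admin/orcl/wallet)))

-- 1. Create the wallet and master key. Run once: re-running this statement
--    generates a new master key (a re-key), it does not merely open the wallet.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "test11";
SELECT wrl_type, wrl_parameter, status FROM v$encryption_wallet;

-- 2. A constructed table with two sensitive columns.
CREATE TABLE hr.payroll (
  employee_id NUMBER PRIMARY KEY,
  ssn         VARCHAR2(11),
  salary      NUMBER(8,2)
);

-- 3. SALARY keeps the default SALT (random bytes mixed in before encryption,
--    so equal salaries do not produce equal ciphertext). SSN is looked up by
--    value, so it needs an index, which is only allowed with NO SALT.
ALTER TABLE hr.payroll MODIFY (salary ENCRYPT);
ALTER TABLE hr.payroll MODIFY (ssn ENCRYPT NO SALT);
CREATE INDEX hr.payroll_ssn_ix ON hr.payroll (ssn);

-- 4. Inventory for the auditor: which columns, which algorithm, salted or not.
SELECT owner, table_name, column_name, encryption_alg, salt
  FROM dba_encrypted_columns
 ORDER BY owner, table_name, column_name;

-- 5. Wallet-closed behaviour. After CLOSE, the first SELECT (no encrypted
--    column) still returns rows; the second touches SALARY and fails until
--    the wallet is opened again.
INSERT INTO hr.payroll VALUES (200, '123-45-6789', 6000);   -- constructed row
COMMIT;
ALTER SYSTEM SET ENCRYPTION WALLET CLOSE;
SELECT employee_id FROM hr.payroll WHERE employee_id = 200;
SELECT salary      FROM hr.payroll WHERE employee_id = 200;
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "test11";
SELECT salary      FROM hr.payroll WHERE employee_id = 200;
```

The failing SELECT in step 5 is reported as ORA-28365 (wallet is not open), which is the signal to look for in alert logs or application errors after a restart where the wallet was not reopened; an auto-login wallet created with orapki avoids that gap for unattended startups.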

  24. TDE ... continued
  • Tablespace Encryption:
    CREATE TABLESPACE secure DATAFILE '/u01/oradata/secure01.dbf' SIZE 200M ENCRYPTION USING 'AES192' DEFAULT STORAGE (ENCRYPT);
  • No restriction on Foreign Key columns.
  • Data Pump
  • By default, if you use the Data Pump export utility (EXPDP) to export data from a table with encrypted columns, the data in the resulting dump file will be in clear text, even the encrypted column data.
  • Use password protection for export/import:
    $ expdp ops$ksingh ENCRYPTION_PASSWORD=test11 tables=employee
    $ impdp ops$ksingh tables=employee   # fails with ORA-39174
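As an added example (not from the slides), the script below creates an encrypted tablespace with the slide's algorithm and puts a parent/child pair of tables in it, demonstrating the "no restriction on foreign key columns" point, then queries the views that prove the tablespace is encrypted and flags HR tables left outside it. The tablespace name, datafile path and the two table definitions are assumptions for the example; the wallet must already be open.

```sql
-- Added example (not from the slides): tablespace-level TDE and two checks.
-- Names and the datafile path are illustrative assumptions.

-- 1. Every block written to this datafile is encrypted with AES192.
CREATE TABLESPACE secure_ts
  DATAFILE '/u01/oradata/secure01.dbf' SIZE 200M
  ENCRYPTION USING 'AES192'
  DEFAULT STORAGE (ENCRYPT);

-- 2. A foreign-key relationship inside the encrypted tablespace. No column
--    gets an ENCRYPT clause, so the column-level FK restriction does not apply.
CREATE TABLE hr.departments_sec (
  dept_id   NUMBER PRIMARY KEY,
  dept_name VARCHAR2(30)
) TABLESPACE secure_ts;

CREATE TABLE hr.employees_sec (
  emp_id  NUMBER PRIMARY KEY,
  dept_id NUMBER REFERENCES hr.departments_sec (dept_id),
  salary  NUMBER(8,2)
) TABLESPACE secure_ts;

-- 3. Evidence: which tablespaces are encrypted and with which algorithm.
SELECT t.tablespace_name, t.encrypted, e.encryptionalg
  FROM dba_tablespaces t
  LEFT JOIN v$tablespace vt
    ON vt.name = t.tablespace_name
  LEFT JOIN v$encrypted_tablespaces e
    ON e.ts# = vt.ts#
 ORDER BY t.tablespace_name;

-- 4. Detection: HR tables still stored in an unencrypted tablespace, i.e.
--    objects created outside secure_ts by mistake.
SELECT s.owner, s.segment_name, s.tablespace_name
  FROM dba_segments s
  JOIN dba_tablespaces t ON t.tablespace_name = s.tablespace_name
 WHERE s.owner = 'HR'
   AND s.segment_type = 'TABLE'
   AND t.encrypted = 'NO'
 ORDER BY s.segment_name;
```

For the Data Pump bullets, the import that matches the slide's export is `impdp ops$ksingh ENCRYPTION_PASSWORD=test11 tables=employee`; omitting ENCRYPTION_PASSWORD on import is exactly the ORA-39174 case the slide shows, and the same password has to be handled as a secret wherever the dump file travels.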

  25. Q&A - ksingh.50@gmail.com
