Transcript of slide deck: Oracle数据库安全解决方案 (Oracle Database Security Solutions), 39 pages

Copyright © 2013, Oracle and/or its affiliates. All rights reserved.


Page 2:

Oracle Database Security Solutions (Oracle数据库安全解决方案)

Comprehensive database security from the inside out

王睿 (Wang Rui), Senior Technical Consultant

Page 3:

Agenda

Challenges facing data security

Oracle's database security strategy

Defense in depth with Oracle Database 12c

Summary

Page 4:

Billions of database records have been breached worldwide; 97% of those breaches could have been avoided with basic controls

98% of stolen records were taken from databases

84% of records were compromised through stolen credentials

71% were compromised within minutes

92% were discovered by a third party

Page 5:

From mistakes to malicious attacks: basic security policies cannot keep up with today's business development

Social Engineering

Sophisticated Attacks

Business Data Theft

Loss of Reputation

• Privilege Abuse
• Curiosity
• Leakage
• Accidents
• Unintended disclosures

Page 6:

Attack case analysis

"You don't bother to just simply hack the organization and its infrastructure; you focus much more of your attention on hacking the employees…."

Uri Rivner, Former CTO at RSA (Security Division of EMC)

You should not only pay attention to attacks from external hackers, but also pay more attention to hacking behaviour by internal employees.

Data security attack targets are increasing and methods are evolving: DBAs, OS Admins, Developers, Multiple Copies of the Data, etc.

Page 7:

Security incidents keep happening…

Page 8:

Security incidents keep happening…

Page 9:

Not "whether", but "when"

• AT&T
• PayPal
• BofA
• Google
• Fannie Mae
• People's Bank of China
• Best Buy
• Citibank
• Sony
• …

Page 10:

Data security problems under new IT architectures and business models: data consolidation, cloud computing, outsourced services, partners, …

Manage risks when data goes into someone else's hands

7x24 support requires many highly privileged users

Meet the application's security requirements

Meet changing compliance requirements

Provide "scrubbed" data to dev/test/partners

Page 11:

Why are databases easy to attack? 80% of IT security programs are not aimed at solving database security problems

Forrester Research (chart segments): Network security; SIEM (security information and event management); Endpoint Security; Email security; Authorization & user security; Database Security

"Enterprises are facing risks they have not yet discovered. This situation is growing more serious as more and more attacks begin to exploit legitimate access channels to compromise databases."

Source: Forrester 2012

Page 12:

Why attacks on databases succeed so easily…

The 2010 IOUG Data Security Report

Only 28% uniformly encrypting PII in all databases

66% not sure if web applications subject to SQL injection

63% don't apply security patches within 3 months of release

48% not aware of all databases with sensitive data

44% say database users could access data directly

70% use native auditing, only 25% automate monitoring

Only 24% can "prevent" DBAs from reading or tampering with sensitive data

68% can not detect if database users are abusing privileges

Less than 30% monitoring sensitive data reads/writes

Page 13:

Limited database security controls…

Source: 2010 Independent Oracle User Group Data Security Report (The 2010 IOUG Data Security Report)

70% System users can read/tamper data stored in database files or storage
76% Cannot prevent DBAs from reading/modifying data
68% Cannot detect if database users are abusing privileges
63% Vulnerable to SQL injection attacks or not sure
48% Copy sensitive production data to non-production environments
31% Likely to get breached over the coming year

Page 14:

Not "whether to do it", but "how to do it"

FISMA; SOX | COSO; PCI-DSS | COSO | COBIT | ISO17799 | ISO 27001; HIPAA; GLBA; PIPEDA; Basel II; EU Data Directives; Euro SOX; J SOX; K SOX; SAS 70; AUS/PRO; UK/PRO

China Basic Standard for Enterprise Internal Control (中国企业内部控制基本规范)
China Information Security Classified Protection Regulations (中国信息安全等级保护条例)
China Information System Security Management Requirements GB/T20269-2006 (中国信息系统安全管理要求GB/T20269-2006)
Hong Kong Personal Data (Privacy) Ordinance (香港个人资料(私隐)条例)
Hong Kong guideline on the supervisory approach to e-banking TM-E-1 (香港电子银行的监管模式指引TM-E-1)
Hong Kong guideline on general principles for e-banking technology risk management TM-G-1 (香港电子银行技术风险管理一般原则指引TM-G-1)
SG-MAS IBTRM
Taiwan Personal Data Protection Act (台湾个人资料保护法)

Page 15:

Oracle Database Security Solutions: a defense-in-depth architecture for maximum security

Proactive detection: Activity Monitoring, Database Firewall, Auditing and Reporting

Proactive prevention: Data Masking, Privileged User Controls, Encryption & Redaction

Proactive management: Sensitive Data Discovery, Configuration Management, Privilege Analysis

Page 16:

Oracle Database Security Solution Architecture: Defense-in-Depth for Maximum Security

DETECTIVE: Activity Monitoring, Database Firewall, Auditing and Reporting

PREVENTIVE: Data Masking, Privileged User Controls, Encryption & Redaction

ADMINISTRATIVE: Sensitive Data Discovery, Configuration Management, Privilege Analysis

Page 17:

Oracle Advanced Security: Transparent Data Encryption (proactive security option for Oracle Database)

Encrypt tablespaces or columns
Restrict access to the database at rest
No application changes required
Two-tier key management
Near-zero CPU overhead
Seamless integration with existing Oracle technologies
– Exadata, Compression, ASM, GoldenGate, DataPump, log file

Diagram labels: Applications, Disk, Backups, Exports, Off-Site Facilities
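As an added example (not from the slide deck), the following SQL shows what "encrypt tablespaces or columns" with "two-tier key management" looks like in Oracle Database 12c: a master key in a software keystore wraps the data encryption keys, one tablespace is created encrypted, and one column of an existing table is encrypted in place. The keystore path, password, tablespace name, datafile path and the hr.employees.ssn column are assumptions.

```sql
-- Added example, not the deck's own code. Run as a user with the
-- SYSKM (or SYSDBA) privilege; names and paths below are placeholders.

-- 1. Two-tier key management: the master encryption key lives in a software
--    keystore (wallet) and wraps the per-tablespace / per-column data keys.
--    The directory must match ENCRYPTION_WALLET_LOCATION in sqlnet.ora.
ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '/etc/ORACLE/WALLETS/orcl'
  IDENTIFIED BY "KeystorePassword#Placeholder";
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN
  IDENTIFIED BY "KeystorePassword#Placeholder";
ADMINISTER KEY MANAGEMENT SET KEY
  IDENTIFIED BY "KeystorePassword#Placeholder" WITH BACKUP;

-- 2. Tablespace encryption: every block written to this tablespace, and
--    therefore to its backups and exports, is ciphertext on disk; the
--    application issues the same SQL as before.
CREATE TABLESPACE secure_ts
  DATAFILE '/u01/app/oracle/oradata/orcl/secure_ts01.dbf' SIZE 100M
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

-- 3. Column encryption for an existing table (assumed hr.employees.ssn).
--    NO SALT is required if the column is to be indexed.
ALTER TABLE hr.employees MODIFY (ssn ENCRYPT USING 'AES256' NO SALT);

-- 4. Verification: which tablespaces and columns are encrypted, and whether
--    the keystore is open (a closed keystore makes the data unreadable).
SELECT t.name AS tablespace_name, e.encryptionalg
  FROM v$encrypted_tablespaces e
  JOIN v$tablespace t ON t.ts# = e.ts#;

SELECT owner, table_name, column_name, encryption_alg, salt
  FROM dba_encrypted_columns;

SELECT wrl_type, status, wallet_type
  FROM v$encryption_wallet;
```

Design note: tablespace encryption is the usual choice because it covers every object placed in the tablespace and has no restrictions on indexes or foreign keys; column encryption is for a handful of sensitive columns in tablespaces that must stay clear. TDE protects data at rest only: a connected session that is authorised by the database still sees plaintext, which is why the deck pairs it with Database Vault and redaction. Back up the keystore separately from the datafiles, since a backup that contains both is no better than an unencrypted one.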

Page 18:

Oracle Advanced Security: redacted display of sensitive data (proactive security option for the database)

Redact displayed content in real time based on user name, IP address, application context, or other application factors
Multiple transformation types: full, partial, fixed redaction
Multiple built-in transformation rules, or rules defined on the fly
Completely transparent to applications
No change to normal database operations

Diagram: Credit Card Numbers 4451-2172-9841-4368, 5106-8395-2095-5938, 7830-0032-0294-1827 → Redaction Policy → displayed as xxxx-xxxx-xxxx-4368 or as 4451-2172-9841-4368 depending on the consumer (Billing Department, Call Center Application)

Page 19:

Supported transformations

Stored data → Redacted result

Full: 10/09/1992 → 01/01/2001
Partial: 052-51-2147 → XXX-XX-2147
Regular expression: [email protected] → [hidden]@acme.com
Random: 4451-2172-9841-4368 → 4943-6344-0547-0110

Page 20:

Redaction using Enterprise Manager
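As an added example (not from the slide deck), the following PL/SQL defines the four transformation types of the preceding slides through the DBMS_REDACT package rather than the Enterprise Manager screens, and conditions the redaction on the session user, one of the factors the slide lists. The APP.CUSTOMERS table and the BILLING_APP account are assumptions; the sample values are the ones printed on the slides.

```sql
-- Added example, not the deck's own code. Requires EXECUTE on DBMS_REDACT.
-- Table, column names and the BILLING_APP account are assumptions.
CREATE TABLE app.customers (
  cust_id    NUMBER PRIMARY KEY,
  ssn        VARCHAR2(11),
  birth_date DATE,
  email      VARCHAR2(60),
  card_no    VARCHAR2(19)
);
-- Constructed sample row using the slide's values.
INSERT INTO app.customers
  VALUES (1, '052-51-2147', DATE '1992-10-09', 'jsmith@acme.com',
          '4451-2172-9841-4368');
COMMIT;

BEGIN
  -- FULL: a DATE column redacts to 01-JAN-01 (the slide's 10/09/1992 ->
  -- 01/01/2001). The policy expression is evaluated per query: everyone
  -- except the billing application account gets the redacted view. Other
  -- SYS_CONTEXT('USERENV', ...) attributes such as IP_ADDRESS or MODULE
  -- can be combined in the same expression.
  DBMS_REDACT.ADD_POLICY(
    object_schema => 'APP',
    object_name   => 'CUSTOMERS',
    policy_name   => 'CUSTOMERS_REDACT',
    column_name   => 'BIRTH_DATE',
    function_type => DBMS_REDACT.FULL,
    expression    => q'[SYS_CONTEXT('USERENV','SESSION_USER') <> 'BILLING_APP']');

  -- PARTIAL: mask positions 1-5 of the digits, keep the last four
  -- (052-51-2147 -> XXX-XX-2147). Format: input mask, output mask,
  -- mask character, start position, end position.
  DBMS_REDACT.ALTER_POLICY(
    object_schema       => 'APP',
    object_name         => 'CUSTOMERS',
    policy_name         => 'CUSTOMERS_REDACT',
    action              => DBMS_REDACT.ADD_COLUMN,
    column_name         => 'SSN',
    function_type       => DBMS_REDACT.PARTIAL,
    function_parameters => 'VVVFVVFVVVV,VVV-VV-VVVV,X,1,5');

  -- REGEXP: replace the local part of an e-mail address with [hidden]
  -- using the package's built-in pattern and replacement.
  DBMS_REDACT.ALTER_POLICY(
    object_schema         => 'APP',
    object_name           => 'CUSTOMERS',
    policy_name           => 'CUSTOMERS_REDACT',
    action                => DBMS_REDACT.ADD_COLUMN,
    column_name           => 'EMAIL',
    function_type         => DBMS_REDACT.REGEXP,
    regexp_pattern        => DBMS_REDACT.RE_PATTERN_EMAIL_ADDRESS,
    regexp_replace_string => DBMS_REDACT.RE_REDACT_EMAIL_NAME);

  -- RANDOM: a different fake value on every fetch, same length and type
  -- (4451-2172-9841-4368 -> e.g. 4943-6344-0547-0110).
  DBMS_REDACT.ALTER_POLICY(
    object_schema => 'APP',
    object_name   => 'CUSTOMERS',
    policy_name   => 'CUSTOMERS_REDACT',
    action        => DBMS_REDACT.ADD_COLUMN,
    column_name   => 'CARD_NO',
    function_type => DBMS_REDACT.RANDOM);
END;
/

-- Check what is in force: one row per redacted column.
SELECT object_name, column_name, function_type
  FROM redaction_columns
 WHERE object_owner = 'APP';
```

Usage note: after the block runs, `SELECT * FROM app.customers` returns the redacted values for any session whose SESSION_USER is not BILLING_APP, with no change to the application's SQL. Redaction is a display control, not encryption: the stored data is unchanged, and an account holding the EXEMPT REDACTION POLICY privilege (or SYS) still sees clear text, so the grant of that privilege is what to audit.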

Page 21:

Oracle Data Masking: masking data for non-production use (proactive security option for Oracle Database)

Mask sensitive application data
Automatically detect and enforce referential constraints
Extensible template library and formats
Integrated with Real Application Testing
Supports masking non-Oracle databases

Production:

LAST_NAME  SSN          SALARY
AGUILAR    203-33-3234  40,000
BENSON     323-22-2943  60,000

Non-production (Test, Dev):

LAST_NAME   SSN          SALARY
ANSKEKSL    323-23-1111  60,000
BKJHHEIEDK  252-34-1345  40,000

Page 22:

Oracle Database Vault: control of user privileges (proactive security option for Oracle Database)

Lock down access to sensitive data, even when providing emergency access to application DBAs and support analysts
Define realms, or protection zones, for sensitive data or objects
Restrict DBA access to realm-protected data
Restrict access to sensitive data even during patching and upgrades
Supports multi-factor SQL access restriction rules
Enforce enterprise data governance, separation of duties and least privilege

Diagram: Application (Procurement, HR, Finance); Application DBA; Security DBA; a DBA issuing "select * from finance.customers"

Page 23:

Oracle Database Vault: Privileged User Access Control

Diagram: Application (Procurement, HR, Finance); Application DBA; Security DBA; a DBA issuing "select * from finance.customers"

Automatic and customizable DBA separation of duties
Enforce who, where, when, and how data is accessed using rules and factors
– Enforce least privilege for privileged database users
– Prevent compromised privileged user accounts from accessing application data
Securely consolidate application data and prevent application bypass
Prevent ad hoc changes to the database by administrators

Page 24:

Oracle Database Vault Realms

Diagram: Application (Procurement, HR, Finance); Application DBA; Security DBA; a DBA issuing "select * from finance.customers"

• Realms are protection zones (firewalls) inside the database to protect application data
• Use realms to control the use of system privileges to specific accounts or roles
• Default realms to address database governance
• Out-of-the-box realms to protect popular Oracle and non-Oracle applications

Page 25:

Oracle Database Vault: Strong Operational Controls Inside the Database

Diagram: Application (Procurement, HR, Finance)

• Rules to control how users can execute almost any SQL statement inside the database
• Command rules can take into account built-in and custom factors (numerous built in)
• Command rules can be system-wide, schema specific, and object specific
• Out-of-the-box command rules for Oracle and non-Oracle applications

Built-in Factors:

User Factors: Name, Authentication type, Session User, Proxy Enterprise Identity
Network Factors: Machine name, Client IP, Network Protocols
Database Factors: Database IP, Database Instance, Database Hostname, Database SID
Runtime Factors: Language, Date/Day of Week, Time
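As an added example (not from the slide deck), the following PL/SQL ties together the realm of Page 24 and the factor-based command rules of Page 25 using the DBMS_MACADM API: a realm around the FINANCE schema, a rule set built from the Client IP and Time factors, and a command rule that gates ALTER TABLE on FINANCE objects. The FINANCE schema, the FIN_APP account, the 10.20.x.x office network and the 22:00-23:59 maintenance window are assumptions.

```sql
-- Added example, not the deck's own code. Run as a Database Vault owner
-- (DV_OWNER role) on a database where Database Vault is configured and
-- enabled. Schema, account, network range and time window are placeholders.
BEGIN
  -- 1. Realm: a protection zone around everything owned by FINANCE. Once it
  --    is enabled, system privileges such as SELECT ANY TABLE held by DBAs
  --    no longer reach these objects; only realm-authorised accounts do, and
  --    failed attempts are audited.
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'Finance Data',
    description   => 'Customer and ledger tables owned by FINANCE',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'Finance Data',
    object_owner => 'FINANCE',
    object_name  => '%',          -- every object in the schema
    object_type  => '%');
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name   => 'Finance Data',
    grantee      => 'FIN_APP',    -- the application account, not the DBA
    auth_options => DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);

  -- 2. Rules built from built-in factors, read via the DVF factor functions
  --    (Client_IP) and the runtime Time factor (here via SYSDATE).
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'From office network',
    rule_expr => q'[DVF.F$CLIENT_IP LIKE '10.20.%']');
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Inside maintenance window',
    rule_expr => q'[TO_CHAR(SYSDATE,'HH24') BETWEEN '22' AND '23']');
  DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'Finance DDL allowed',
    description     => 'All rules must hold for DDL on FINANCE objects',
    enabled         => DBMS_MACUTL.G_YES,
    eval_options    => DBMS_MACUTL.G_RULESET_EVAL_ALL,   -- AND, not OR
    audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
    fail_options    => DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => 'DDL on FINANCE only from the office network in the maintenance window',
    fail_code       => -20900,
    handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL,
    is_static       => FALSE);
  DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'Finance DDL allowed', rule_name => 'From office network');
  DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'Finance DDL allowed', rule_name => 'Inside maintenance window');

  -- 3. Command rule: ALTER TABLE on any FINANCE table runs only when the
  --    rule set evaluates true; otherwise ORA-20900 is raised and audited.
  DBMS_MACADM.CREATE_COMMAND_RULE(
    command       => 'ALTER TABLE',
    rule_set_name => 'Finance DDL allowed',
    object_owner  => 'FINANCE',
    object_name   => '%',
    enabled       => DBMS_MACUTL.G_YES);
END;
/

-- Verification (DV_SECANALYST or DV_OWNER): what is protected and by what.
SELECT name, enabled FROM dba_dv_realm;
SELECT realm_name, owner, object_name, object_type FROM dba_dv_realm_object;
SELECT command, object_owner, object_name, rule_set_name, enabled
  FROM dba_dv_command_rule;

-- The slide's "select * from finance.customers" from a DBA account now fails
-- with ORA-01031; with unified auditing enabled the attempt is recorded here.
SELECT event_timestamp, dbusername, action_name, object_schema, object_name,
       return_code
  FROM unified_audit_trail
 WHERE audit_type = 'Database Vault'
 ORDER BY event_timestamp DESC;
```

Design note: the realm does the privilege containment and the command rule does the operational control, which is the split the two slides describe. Two caveats for the defender: a realm only limits the use of system privileges, so a direct object grant on a FINANCE table still works unless it is revoked or the realm is made mandatory; and a Client IP factor is only as trustworthy as the network path, so sessions arriving through a connection pool, proxy or NAT all present the same address.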

Page 26:

Oracle Database Security Solution Architecture: Defense-in-Depth for Maximum Security

DETECTIVE (monitoring): Activity Monitoring, Database Firewall, Auditing and Reporting

PREVENTIVE: Data Masking, Privileged User Controls, Encryption & Redaction

ADMINISTRATIVE: Sensitive Data Discovery, Configuration Management, Privilege Analysis

Page 27:

Oracle Audit Vault and Database Firewall: database activity monitoring and firewall (monitoring option for Oracle and non-Oracle database security)

Monitor and log network traffic for database access
Detect and block unauthorized database activity and prevent SQL injection
Highly accurate SQL grammar analysis
Whitelist approach to enforce permitted activity
Blacklist to manage high-risk activity
Scalable security software appliance

Diagram: Users, Apps → SQL Analysis Policy (Whitelist, Blacklist, Factors) → Block, Log, Allow, Alert, Substitute

Page 28:

Oracle Audit Vault and Database Firewall: auditing, reporting, real-time alerting (monitoring option for Oracle and non-Oracle database security)

Collect and analyze audit and event data
Centralized secure audit repository
Consolidated multi-source reporting
Out-of-the-box and user-customized reports
Centralized real-time alerts
Fine-grained separation-of-duties analysis
Secure, scalable software appliance

Diagram: Audit Data & Event Logs (OS & Storage, Directories, Databases, Oracle Database Firewall, Custom) → Policies, Reports, Alerts (!) → Security Analyst, Auditor, SOC

Page 29:

Oracle Audit Vault and Database Firewall: new detective controls for Oracle and non-Oracle databases

Diagram labels: audit/event repository; security manager; reports; users; applications; block, log, allow, warn, substitute; alert (!); database firewall; firewall events; custom servers; OS, directory and custom audit logs; auditors; policies

Page 30:

Oracle Database Security Solution Architecture: Defense-in-Depth for Maximum Security

DETECTIVE: Activity Monitoring, Database Firewall, Auditing and Reporting

PREVENTIVE: Data Masking, Privileged User Controls, Encryption & Redaction

ADMINISTRATIVE: Sensitive Data Discovery, Configuration Management, Privilege Analysis

Page 31:

Oracle Database Vault: role and privilege usage analysis (Administrative Control for Oracle Database 12c)

Enable privilege analysis capture mode
Report the privileges and roles actually used in the database
Revoke unnecessary privileges and roles as needed
Helps enforce least privilege and reduce risk
Improve database security without interrupting business

Diagram: DBA role and APPADMIN role (Create…, Drop…, Update…) → Privilege Analysis → Unused: Update (APPADMIN)
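As an added example (not from the slide deck), the following SQL walks the slide's five steps with the DBMS_PRIVILEGE_CAPTURE package: start a capture scoped to one role, run it in capture mode while the business continues, generate the report, and revoke what the report proved unused. The APPADMIN role, the capture name and the finance.customers table are assumptions; the scenario, an UPDATE grant that turns out unused, is the one the slide's diagram shows.

```sql
-- Added example, not the deck's own code. Run by a user holding the
-- CAPTURE_ADMIN role (Oracle Database 12c). Role, capture and table names
-- are placeholders.

-- 1. Define a capture scoped to one role: only privileges exercised through
--    APPADMIN are recorded. G_DATABASE would capture every session instead.
BEGIN
  DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE(
    name        => 'APPADMIN_USAGE',
    description => 'Which privileges does the APPADMIN role actually use?',
    type        => DBMS_PRIVILEGE_CAPTURE.G_ROLE,
    roles       => DBMS_PRIVILEGE_CAPTURE.ROLE_NAME_LIST('APPADMIN'));

  -- 2. Capture mode on: usage is recorded, nothing is blocked, so the
  --    business is not interrupted.
  DBMS_PRIVILEGE_CAPTURE.ENABLE_CAPTURE(name => 'APPADMIN_USAGE');
END;
/

-- Let a representative period of workload run (long enough to include batch,
-- month-end and other rarely executed jobs), then stop and report:
BEGIN
  DBMS_PRIVILEGE_CAPTURE.DISABLE_CAPTURE(name => 'APPADMIN_USAGE');
  DBMS_PRIVILEGE_CAPTURE.GENERATE_RESULT(name => 'APPADMIN_USAGE');
END;
/

-- 3. Report: object privileges reachable via APPADMIN that no session used
--    during the capture window (the slide's "Unused: Update").
SELECT username, obj_priv, object_owner, object_name
  FROM dba_unused_objprivs
 WHERE capture = 'APPADMIN_USAGE';

-- ... and system privileges that were never exercised.
SELECT username, sys_priv
  FROM dba_unused_sysprivs
 WHERE capture = 'APPADMIN_USAGE';

-- 4. Cross-check the used side before revoking anything, so a privilege
--    that a quarterly job depends on is not mistaken for dead weight.
SELECT username, used_role, obj_priv, object_owner, object_name
  FROM dba_used_objprivs
 WHERE capture = 'APPADMIN_USAGE';

-- 5. Revoke only what the report proved unused.
REVOKE UPDATE ON finance.customers FROM appadmin;
```

Usage note: the value of this workflow is that least privilege is enforced from evidence rather than from a reading of the application documentation. The main failure mode is a capture window that is too short; a privilege absent from the used list has only been shown unused for that window, which is why step 4 is run before step 5 and why a revocation is best staged (revoke, watch for ORA-01031 in the audit trail, then keep it).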

Page 32:

Oracle Enterprise Manager 12c: sensitive data discovery (Administrative Control for Oracle Databases)

Scan databases for sensitive data
Create and maintain application data models
Protect sensitive data through encrypt, redact, mask, audit…

Page 33:

Oracle Database Lifecycle Management: configuration management (Administrative Control for Oracle Databases)

Discover → Scan & Monitor → Patch

Discover and classify databases
Scan for secure configuration against a library of best practices and standards
Detect unauthorized changes
Automated remediation
Patching and provisioning

Page 34:

Oracle Database Security Solutions: architecture for protecting critical data

Detective: activity monitoring, database firewall, auditing and reporting

Preventive: privileged user controls, multi-factor authorization, encryption and masking

Administrative: data discovery and classification, vulnerability scanning, database lifecycle management

Page 35:

Customer cases: Enterprise Ready, Simple, Flexible, Scalable

Page 36:

T-Mobile protects customer data in Oracle and non-Oracle databases

Challenges

Protect sensitive data (PCI, CPNI, SPII) in Oracle and non-Oracle databases
Monitor database threats, including SQL injection attacks and data harvesting, without changing application code
Gain comprehensive, intuitive visibility into database activity
Understand what kinds of changes sensitive data is undergoing

Solution

Built a comprehensive defense-in-depth database security strategy with Database Firewall, TDE and Data Masking to fully address data security
Prevents internal and external threats through database activity monitoring
Deployed and configured within hours; has already blocked a small number of stolen accounts from harvesting data

Provider of wireless voice, messaging and data services across the United States
Fourth-largest wireless carrier in the US, with more than 35 million subscribers
Industry: telecommunications

Page 37:

SquareTwo Financial addresses compliance and implements separation of duties

Challenges

Must comply with multiple regulations: GLBA, HIPAA, SOX and PCI
Demonstrate the separation of duties required by Sarbanes-Oxley
Rapidly scale IT security to keep pace with the company's 37% growth
Minimize impact on 5.9 million accounts while sustaining growth
Protect the Exadata database machine without changing applications

Solution

Built a comprehensive defense-in-depth database security strategy with Database Firewall, TDE and Data Masking to fully address compliance
Prevents internal and external threats, including SQL injection attacks, through database activity monitoring
Protects Exadata and SQL Server database activity

$100 billion in assets
Leader in the recovery and management industry
Partner network used by Fortune 500 companies in the banking, credit card and healthcare industries
Industry: financial services
