21/09/2011

Slide 1 – Oracle Database Security
End to End Security – White board
Niel Pandya

Slide 2 – Agenda

• Oracle Database Security Options Mappings
• Oracle Identity Management (idM/OIM)

[Diagram used on slides 3 to 10: User A, User B and User C reach the Database through the Application and Control layers. Behind the database: HR, Finance and Customer data; the DBA; Dev/Developers and Test/Testers (optimization & maintenance); the Sysadmin; tapes/disks (marked E) moving via a Transportation Provider to an Offsite Location held by an Internal/External Party.]

Slide 3 – Oracle Database Security: Vulnerabilities

Potential Risks

1. Sysadmin can read sensitive data on disk.
2. Backup data is in the clear, hence high risk if the tape/disk is lost/stolen in transit or in the offsite location.

Slide 4 – Oracle Database Security: Vulnerabilities

Potential Risks

1. Privileged users such as DBAs can access business data.
2. The DBA becomes the main "suspect" when data breaches happen. How can they be above suspicion while focusing on their core task, i.e. administration and fine-tuning?

Slide 5 – Oracle Database Security: Vulnerabilities

Potential Risks

1. How do you protect sensitive/confidential data when migrating from the production to the development/test environment?

[Diagram additions: the production Database is marked <M> (masked copy) where it feeds HR, Finance and Customer data to Dev/Developers and Test/Testers.]

Slide 6 – Oracle Database Security: Vulnerabilities

Potential Risks

1. Data in transit, which in the clear is vulnerable to snooping.

[Diagram additions: a Network Administrator sits on the path between Application and Database, marked <E> (encrypted link).]


Slide 7 – Oracle Database Security: Vulnerabilities

Potential Risks

1. How do you ensure sensitive fields are visible to authorized users only?
2. How do you enforce fine-grained access? E.g. user A can view customer data from the east region while user B is restricted to customer data from the west region.

Slide 8 – Oracle Database Security: Vulnerabilities

Potential Risks

1. How do you consolidate audit data from different databases?
2. How do you ensure that your audit data is not being tampered with?
3. How do you perform audit reporting for compliance purposes?

[Diagram additions: a Centralized Audit Repository, Auditors, and an Audit Administrator, with separation of duties between them.]

Slide 9 – Oracle Database Security: Vulnerabilities

Potential Risks

1. How do you monitor DB activity to prevent unauthorized DB access, SQL injections, privilege or role escalation, illegal access to sensitive data, etc.?
2. How can you generate a whitelist (with built-in factors such as time of day, day of week, n/w, app, etc.) to allow access, or a blacklist to prevent access?
3. How do you ensure low false positives and false negatives?

Slide 10 – Oracle Database Security Solution Map

Products placed on the same diagram, next to the element each one protects:

• Database FW – in front of the Application / Network entry point
• Label Security – at the Application / data layer (HR, Finance, Customer data)
• Advanced Security (NE) – on the network path (Network Administrator <E>)
• Database Vault – at the DBA
• Data Masking – between the Database <M> and Dev/Developers and Test/Testers
• Audit Vault – the Centralized Audit Repository (Auditors, Audit Administrator, separation of duties)
• Advanced Security (TDE / TE) – at the Sysadmin / storage
• Secure Backup – tapes/disks (E) sent via the Transportation Provider to the Offsite Location (Internal/External Party)

Slide 11 – Security Reference Architecture

Domains

• Identity Management
• Network Security
• Security Standards and Policies
• Audit and Reporting / Incident Response
• Physical / Personal Security
• Data Security
• Control and Management

Components

• External Connectivity, Firewalls, DMZ
• Wireless Access, Intrusion Detection, Vulnerability Scanning
• Authentication, Authorisation, Access Control
• User Management, Data Management, BCP / DR Management
• Anti Virus / Spam, O/S Hardening, Backups
• Data Classification, Encryption, Cryptography

Slide 12 – Security Reference Architecture – Oracle Coverage

[Same domains and components as slide 11, with the areas covered by Oracle products highlighted.]


Slide 13 – Oracle Security Strategy

Slide 14 – Oracle Identity Management

• Identity Administration: Identity Manager
• Access Management: Access Manager, Adaptive Access Manager, Information Rights Mgmt, Identity Federation, Entitlements Server
• Directory Services: Directory Server EE, Internet Directory, Virtual Directory
• Identity & Access Governance: Identity Analytics
• Oracle Platform Security Services
• Operational Manageability: Management Pack For Identity Management

Oracle Confidential – For Internal Use Only

Slide 15 – Example: Secured Database Access

Database Security Options

'Cloned' Database (Test & Dev), anonymized with the Data Masking Option:

LNAME   SSN          SALARY
LJOH    111-56-9876  $125,000
TDPQQ   111-76-1234  $229,500
TNJQI   111-78-2198  $ 53,700

Secured Production Database, with user and sensitive data protected at rest by encrypting database columns using the Advanced Security Option:

LNAME   SSN          SALARY
KING    123-45-6789  $125,000
SCOTT   987-65-4321  $229,500
SMITH   345-67-8912  $ 53,700

LNAME   CREDIT_CARD     EXP_DATE
KING    1234-5678-9123  04-2010
SCOTT   2345-6789-4321  09-2012
SMITH   9876-5432-1987  01-2011

• Anonymize sensitive Test & Dev data using the Data Masking Option.
• Protect data in motion with network encryption using Advanced Security.
• Protect data from view and alteration, as well as insider threat, using Database Vault. Example roles and privileges (*):
  – Operational DBA / DBA Manager: "Select SALARY from users;" – X (blocked); "Alter system." – X (blocked)
  – Operational DBA: "Alter table …"; "Select SALARY from USERS;"
• Consolidate database audit data using Audit Vault.
• Securely back up data to tape with Secure Backup.

Slide 16 – Question & Answer
