Database Security Defense in Depth

Prevent Database Bypass
  - Prevent access to data at OS, storage, network, media layers
  - Transparent data encryption for data at rest, in transit, on media
  - Separation of duties for key management

Mitigate Application Bypass
  - Privileged user access control to limit access to application data
  - Multi-factor authorization for enforcing enterprise security policies
  - Secure application consolidation

Consolidate Auditing and Compliance Reporting
  - Native Oracle and non-Oracle database auditing, centralized audit policies
  - Consolidate, secure, analyze audit trail, alert on suspicious activities
  - Report for compliance & security, automate database audit workflow

Monitor Database Traffic and Block Threats
  - Monitor Oracle & non-Oracle database traffic over the network
  - Block threats like SQL injection attacks before reaching databases
  - Enforce normal database activity, lightweight monitoring

Protect All Database Environments
  - Sensitive data discovery for production
  - Secure database lifecycle management, configuration scanning, patch automation
  - Mask data for nonproduction development & test

7 Copyright 2012, Oracle and/or its affiliates. All rights reserved. Public Information
Database Security Defense in Depth

  - Prevent Database Bypass
  - Mitigate Application Bypass
  - Consolidate Auditing and Compliance Reporting
  - Monitor Database Traffic and Block Threats
  - Protect All Database Environments
Oracle Advanced Security
Protect Data from Unauthorized Database Users

[Figure with labels: Disk, Backups, Application, Exports, Off-Site Facilities]
Oracle Advanced Security
Database Traffic Network Encryption

Support for all column types, including Oracle Database 11g SecureFiles
Data is cached encrypted in the SGA
Decrypted only when you dereference it, encrypted every time you modify it
Indexing is supported, but the index is built over the encrypted values (so it is not sorted by plaintext!)
Encryption keys are table-specific, which means foreign key constraints cannot be enforced across encrypted columns
Undo and redo generated for encrypted data are encrypted
Oracle Advanced Security
Transparent Data Encryption for Tablespaces
Oracle Advanced Security
Transparent Data Encryption Built-In Key Management

[Figure: Master Key held in an Oracle Wallet, or in an HSM via the PKCS #11 API; Table and Tablespace Keys wrapped under it]

Create a wallet and generate the master key:
    alter system set key identified by e3car61
Open the wallet:
    alter system set wallet open identified by e3car61
Rotate the master key (table/tablespace keys re-encrypted):
    alter system set key identified by 2naf1sh
Rotate table/tablespace keys (data re-encrypted):
    alter table employee REKEY;
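The four commands above act on two different layers of a key hierarchy, and the difference matters operationally: rotating the master key only re-wraps the table and tablespace keys, while REKEY on a table re-encrypts the rows themselves. The model below is an added illustration written for this page, not Oracle's code, and it also covers the media slide's point that exports and backups stay unreadable without the wallet. The class names (Wallet, Database, demo) are hypothetical; the passwords e3car61 and 2naf1sh are the ones on the slide; and AES is stood in for by HMAC-SHA256 in counter mode plus an HMAC tag so that the example runs on the Python standard library alone.

```python
"""Two-tier key hierarchy in the style of Oracle TDE (added illustration, not
Oracle code). The master key is sealed in a wallet under a password; each table
key is stored only wrapped under the master key; rows are encrypted under the
table key. AES is stood in for by HMAC-SHA256 in counter mode plus an HMAC tag
so that only the standard library is needed; the key structure is the point.
"""
import hashlib
import hmac
import os

def _keystream(key, nonce, length):
    # Counter-mode PRF stream; the b"enc" prefix keeps it apart from the MAC input.
    blocks = (hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def encrypt(key, plaintext):
    """Return nonce || ciphertext || tag; the fresh nonce makes every call differ."""
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered ciphertext")
    return bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct))))

class Wallet:
    """Sealed master key. set_key() is ALTER SYSTEM SET KEY, open() is ALTER SYSTEM SET WALLET OPEN."""
    def __init__(self, password):
        self.set_key(password)
    def set_key(self, password):
        """Generate a new master key and seal it under the wallet password."""
        self._master_key, self._salt = os.urandom(32), os.urandom(16)
        kek = hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)
        self._sealed = encrypt(kek, self._master_key)
        return self._master_key
    def open(self, password):
        kek = hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)
        self._master_key = decrypt(kek, self._sealed)   # wrong password -> ValueError
    def close(self):
        self._master_key = None  # from now on the key exists only in sealed form
    @property
    def master_key(self):
        if self._master_key is None:
            raise RuntimeError("wallet is not open")
        return self._master_key

class Database:
    def __init__(self, wallet):
        self.wallet = wallet
        self.wrapped = {}  # table -> table key wrapped under the master key
        self.rows = {}     # table -> rows encrypted under the table key
    def _table_key(self, table):
        return decrypt(self.wallet.master_key, self.wrapped[table])
    def create_encrypted_table(self, table):
        self.wrapped[table] = encrypt(self.wallet.master_key, os.urandom(32))
        self.rows[table] = []
    def insert(self, table, value):
        self.rows[table].append(encrypt(self._table_key(table), value))
    def select(self, table):
        key = self._table_key(table)
        return [decrypt(key, blob) for blob in self.rows[table]]
    def rotate_master_key(self, password):
        """ALTER SYSTEM SET KEY on a live system: table keys are re-wrapped, row data is untouched."""
        keys = {t: self._table_key(t) for t in self.wrapped}
        new_master = self.wallet.set_key(password)
        self.wrapped = {t: encrypt(new_master, k) for t, k in keys.items()}
    def rekey_table(self, table):
        """ALTER TABLE ... REKEY: a fresh table key, so every row is re-encrypted."""
        plain = self.select(table)
        self.wrapped[table] = encrypt(self.wallet.master_key, os.urandom(32))
        key = self._table_key(table)
        self.rows[table] = [encrypt(key, v) for v in plain]

def demo():
    """Replay the slide's four commands on constructed data and report what each changed."""
    wallet = Wallet("e3car61")            # alter system set key identified by e3car61
    wallet.close()
    wallet.open("e3car61")                # alter system set wallet open identified by e3car61
    db = Database(wallet)
    db.create_encrypted_table("employee")
    db.insert("employee", b"salary=90000")
    before = list(db.rows["employee"])
    db.rotate_master_key("2naf1sh")       # alter system set key identified by 2naf1sh
    after_master = list(db.rows["employee"])
    db.rekey_table("employee")            # alter table employee REKEY;
    return {
        "master_rotation_left_data_untouched": before == after_master,
        "table_rekey_reencrypted_data": db.rows["employee"] != before,
        "rows_still_readable": db.select("employee"),
    }
```

Running demo() shows the asymmetry the slide describes: after the master key rotation the stored row ciphertext is byte-for-byte unchanged, after the table REKEY it is not, and the rows decrypt correctly in both cases. Closing the wallet makes every select fail, which is the property that lets encrypted backups and exports travel without the production master key.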
Oracle Advanced Security
Transparent Data Encryption for Media

[Figure with labels: Disk, Backups, Exports, Off-Site Facilities]

TDE integrated with Oracle Data Pump for bulk export/import to OS flat files
TDE integrated with Oracle RMAN for database backup and recovery
RMAN and Data Pump compress and encrypt data
Master key, passphrase, or both can be used to encrypt export and backup files
No need to distribute the production master key with exports or backups
Master key is not automatically backed up with the database
Oracle Advanced Security
Strong Authentication

[Figure with labels: X.509 v3, Kerberos, Application]
Oracle Advanced Security
Transparent Data Encryption Performance

[Chart: Oracle Database Enterprise Edition 11.2.0.2, AES-256 Encryption and AES-256 Decryption throughput in MB/CPU seconds; bar values shown: 559, 468, 57, 58]

"Encrypting data is expensive" is a myth (it started with bad third-party solutions!)
Incremental CPU is ~5%, with a 10x speed-up if cryptographic hardware is available
Incremental CPU is reduced even more when using Oracle Advanced Compression or Exadata Hybrid Columnar Compression (EHCC)
If the compression ratio is 75%, we have to encrypt 75% less data!
Oracle Advanced Security
Key Features By Oracle Database Release

[Timeline figure across Oracle Database 9i Release 2, 10g Release 2, 11g Release 1 and 11g Release 2. Features shown: crypto acceleration with Intel XEON 56xx with AES-NI; TDE tablespace encryption & Advanced Compression / HCC; TDE with Exadata; HSM support for TDE tablespace encryption; TDE tablespace encryption; TDE column encryption for SecureFiles]

Maximum Security for Oracle Databases:
  Oracle Advanced Security, Oracle Database Vault, Oracle Label Security, Oracle Total Recall
  Transparent Data Encryption, Privileged User Controls, Multi-Factor Authorization, Data Classification, and Change Tracking

Security for Oracle and non-Oracle Databases Outside the Database:
  Oracle Audit Vault, Oracle Database Firewall
  Database Activity Auditing and Reporting, SQL Traffic Monitoring and Blocking, Real-Time Alerting, Workflow Automation

Security for Production and non-Production Database Environments:
  Oracle Database Lifecycle, Oracle Enterprise Manager, Oracle Data Masking
  Secure Configuration Scanning, Automated Patching, Configuration Change Control, Sensitive Data Discovery, Data Masking
Agenda
What We Heard From Our Customers
For these lab exercises, the following infrastructure components are running and available:
  Database Security Foundation - Oracle DB 11.2.0.2 DB06
  Audit Vault Server 12.1
  Database Firewall Server 12.1

Advanced Security Day 1
Client-side sqlnet.ora parameters for native network encryption and integrity checking:
    SQLNET.CRYPTO_CHECKSUM_CLIENT=REQUIRED
    SQLNET.ENCRYPTION_CLIENT=REQUIRED
    SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT=(SHA1,MD5)
    SQLNET.ENCRYPTION_TYPES_CLIENT=(AES256,AES192,AES128,3DES168)

Negotiation outcome by client and server setting (on = feature used, off = feature not used, ORA-12660 = incompatible settings, connection refused):

                            Server
    Client       Rejected    Accepted    Requested   Required
    Rejected     off         off         off         ORA-12660
    Accepted     off         off         on          on
    Requested    off         on          on          on
    Required     ORA-12660   on          on          on

TDE key storage (figure caption residue): tablespace keys are stored encrypted in the tablespace header; table keys are stored encrypted in the data dictionary.
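The matrix above is really a small rule set, and the point of the client parameters is to make the outcome REQUIRED rather than left to whatever the peer offers. The following is an added example written for this page, not Oracle's code: negotiate() implements the client/server table for one feature, and check_sqlnet() parses the slide's client parameters (embedded below as a constructed sqlnet.ora fragment, beside a tightened variant) and lists the settings a reviewer would question. The function names and the HARDENED_CLIENT fragment are hypothetical; the default of ACCEPTED for an unset level is Oracle's documented default.

```python
"""Oracle Net native encryption: negotiation matrix and a sqlnet.ora review
(added illustration, not Oracle code). negotiate() implements the client/server
table from the slide; check_sqlnet() parses a sqlnet.ora fragment and lists the
settings a reviewer would question. Both fragments below are constructed.
"""

LEVELS = ("REJECTED", "ACCEPTED", "REQUESTED", "REQUIRED")
LEGACY_CIPHERS = {"DES", "DES40", "3DES112", "3DES168", "RC4_40", "RC4_56", "RC4_128", "RC4_256"}
WEAK_CHECKSUMS = {"MD5"}

# The slide's client settings, verbatim, and a tightened variant for comparison.
SLIDE_CLIENT = """
SQLNET.CRYPTO_CHECKSUM_CLIENT=REQUIRED
SQLNET.ENCRYPTION_CLIENT=REQUIRED
SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT=(SHA1,MD5)
SQLNET.ENCRYPTION_TYPES_CLIENT=(AES256,AES192,AES128,3DES168)
"""
HARDENED_CLIENT = """
SQLNET.CRYPTO_CHECKSUM_CLIENT=REQUIRED
SQLNET.ENCRYPTION_CLIENT=REQUIRED
SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT=(SHA1)
SQLNET.ENCRYPTION_TYPES_CLIENT=(AES256)
"""


def negotiate(client, server):
    """Handshake result for one feature (encryption or checksum): 'on', 'off' or 'ORA-12660'."""
    c, s = client.upper(), server.upper()
    if c not in LEVELS or s not in LEVELS:
        raise ValueError(f"unknown level: {client!r}/{server!r}")
    if {c, s} == {"REJECTED", "REQUIRED"}:
        return "ORA-12660"   # one side insists, the other refuses: no connection
    if "REJECTED" in (c, s) or c == s == "ACCEPTED":
        return "off"         # refused by one side, or neither side asked for it
    return "on"


def negotiation_matrix():
    """Full client x server table, for comparison with the slide."""
    return {c: {s: negotiate(c, s) for s in LEVELS} for c in LEVELS}


def parse_sqlnet(text):
    """Minimal parser for NAME=VALUE and NAME=(a,b,c) lines; '#' starts a comment."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        if value.startswith("(") and value.endswith(")"):
            params[name.upper()] = [v.strip().upper() for v in value[1:-1].split(",") if v.strip()]
        else:
            params[name.upper()] = value.upper()
    return params


def check_sqlnet(text, side="CLIENT"):
    """Review findings for one side's settings; an empty list means nothing to flag."""
    params = parse_sqlnet(text)
    findings = []
    for feature in ("ENCRYPTION", "CRYPTO_CHECKSUM"):
        level = params.get(f"SQLNET.{feature}_{side}", "ACCEPTED")  # Oracle's default when unset
        if level != "REQUIRED":
            findings.append(f"SQLNET.{feature}_{side} is {level}: the handshake can still end with it off")
    for alg in params.get(f"SQLNET.ENCRYPTION_TYPES_{side}", []):
        if alg in LEGACY_CIPHERS:
            findings.append(f"SQLNET.ENCRYPTION_TYPES_{side} offers legacy cipher {alg}")
    for alg in params.get(f"SQLNET.CRYPTO_CHECKSUM_TYPES_{side}", []):
        if alg in WEAK_CHECKSUMS:
            findings.append(f"SQLNET.CRYPTO_CHECKSUM_TYPES_{side} offers weak checksum {alg}")
    return findings


if __name__ == "__main__":
    for client in LEVELS:
        print(client.ljust(10), *(negotiate(client, s).ljust(10) for s in LEVELS))
    print(check_sqlnet(SLIDE_CLIENT) or "slide client: nothing to flag")
    print(check_sqlnet(HARDENED_CLIENT) or "hardened client: nothing to flag")
```

On the slide's own client fragment the checker raises two findings, 3DES168 in the cipher list and MD5 in the checksum list, and none on the tightened variant; the same function run with side="SERVER" over a server's sqlnet.ora gives the other half of the picture, since the matrix shows that REQUIRED on one side alone still lets a REJECTED peer turn the connection into an ORA-12660 rather than a cleartext session.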
The Basics
How to enable TDE

Do not use Oracle Wallet Manager to create the wallet.

Wallet-based TDE:
  Create the wallet directory with proper permissions
  sqlnet.ora:
      ENCRYPTION_WALLET_LOCATION =
        (SOURCE = (METHOD = FILE)
          (METHOD_DATA =
            (DIRECTORY = /some/directory/$ORACLE_SID)))
  SQL> alter system set encryption key identified by wallet_password;

HSM-based TDE:
  Install the PKCS#11 library and configuration files from the HSM vendor
  sqlnet.ora:
      ENCRYPTION_WALLET_LOCATION =
        (SOURCE = (METHOD = HSM))
  SQL> alter system set encryption key identified by hsm_auth_string;
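"Proper permissions" on the wallet directory is the step that is easiest to get wrong and hardest to notice afterwards, since the database opens the wallet happily from a world-readable directory. The following is an added example written for this page, not Oracle's or any vendor's code: it renders the two ENCRYPTION_WALLET_LOCATION stanzas shown above and checks a FILE wallet directory for owner-only access. The function names are hypothetical, the directory used by demo() is a temporary one created for the run, and the check treats the user running it as the database software owner.

```python
"""Wallet-location setup checks for wallet-based and HSM-based TDE (added
illustration, not Oracle code). Renders the sqlnet.ora ENCRYPTION_WALLET_LOCATION
stanza the slide shows and checks that a FILE wallet directory has the
permissions the slide asks for: owned by the caller, no group or world access.
"""
import os
import stat
import tempfile


def wallet_location_stanza(method, directory=None):
    """sqlnet.ora fragment for METHOD=FILE (needs a DIRECTORY) or METHOD=HSM."""
    if method == "FILE":
        if not directory:
            raise ValueError("FILE method needs a DIRECTORY")
        return ("ENCRYPTION_WALLET_LOCATION =\n"
                "  (SOURCE = (METHOD = FILE)\n"
                "    (METHOD_DATA =\n"
                f"      (DIRECTORY = {directory})))")   # passed through unexpanded
    if method == "HSM":
        return "ENCRYPTION_WALLET_LOCATION =\n  (SOURCE = (METHOD = HSM))"
    raise ValueError(f"unknown wallet method {method!r}")


def prepare_wallet_dir(path):
    """Create the wallet directory if needed and force owner-only access (0700)."""
    os.makedirs(path, mode=0o700, exist_ok=True)
    os.chmod(path, 0o700)   # explicit, so the process umask cannot loosen it
    return path


def wallet_dir_problems(path):
    """Return the reasons a directory is unfit to hold the TDE wallet (empty list = OK)."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path} does not exist"]
    if not stat.S_ISDIR(st.st_mode):
        return [f"{path} is not a directory"]
    problems = []
    if st.st_mode & 0o077:
        problems.append(f"{path} is group- or world-accessible (mode {stat.S_IMODE(st.st_mode):04o})")
    if hasattr(os, "getuid") and st.st_uid != os.getuid():
        problems.append(f"{path} is not owned by the user running this check")
    return problems


def demo():
    """Constructed scenario: a directory created too open, then fixed with prepare_wallet_dir()."""
    base = tempfile.mkdtemp(prefix="tde_wallet_")
    loose = os.path.join(base, "loose")
    os.mkdir(loose)
    os.chmod(loose, 0o755)   # the common mistake: readable by everyone on the host
    return {
        "loose_before": wallet_dir_problems(loose),
        "loose_after": wallet_dir_problems(prepare_wallet_dir(loose)),
        "missing": wallet_dir_problems(os.path.join(base, "missing")),
    }


if __name__ == "__main__":
    print(wallet_location_stanza("FILE", "/some/directory/$ORACLE_SID"))
    print(wallet_location_stanza("HSM"))
    print(demo())
```

The check runs against the directory named in the DIRECTORY clause before the ALTER SYSTEM SET ENCRYPTION KEY step, and again after any restore or migration of the wallet, since a copy made by a different user or with a permissive umask is the usual way a 0700 directory turns into a 0755 one.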
LAB EXERCISE 03 PROTECTING SENSITIVE DATA
TABLESPACE LEVEL ENCRYPTION