Mike Blackin
Paul Needham
Data Breaches
Insider Theft
Off-Shoring/Outsourcing
Data Consolidation
Databases Replacing Firewalls As Targets
Enterprise Identity Theft
Exploiting Application Vulnerabilities
Complex IT requirements
SAS70
SOX
GLBA
EU Directives
HIPAA
J-SOX
PCI
PIPEDA
Separation of duties
Proof of compliance
Constant self assessment
On-the-spot audit reporting
Basel II
K-SOX
Database Monitoring
De-Identifying Information for Sharing
Protecting Data-at-Rest
Data Classification
Oracle 8i
Audit Vault
Secure Backup
Configuration Management
Label Security
Total Recall
Data Masking
DBA
HR Realm
HR
HR App DBA
FIN Realm
FIN
FIN App DBA
CONNECT .
HR
Unexpected IP address
HR Application
User
CREATE
FIN
Business hours
FIN Application
DBA
Database Administration: DBA manages day-to-day database operations
Account Management: Account administrator creates new database accounts
Application-Specific Administration: Application administrator can manage application database
Extensible: Can separate development from test, and many other functions
Oracle Databases
UNIX
Windows
Linux
NAS
Transparent recovery
decryption by authorized users
File Systems
Highly Sensitive
Sensitive
Confidential
Sensitive
Highly Sensitive
Production Database
LAST_NAME    CREDIT_CARD         AMT
AGUILAR      4408041254369873    80.00
BENSON       4417123456789112    60.00

Mask

Cloned Database
LAST_NAME    CREDIT_CARD         AMT
ANSKEKSL     4111111111111111    80.00
BKJHHEIEDK   4408041234567890    60.00
sys_context('APP','CURRENT_MGR');
VPD Policy
SSN
701-495-2123
25000
121-791-4212
181-095-1232
15000
581-295-7603
12000
APP
10000
431-395-9332
17000
381-395-9223
15000
483-562-0912
461-978-8212
Oracle Database
Audit Data
Other Sources (Future)
User-defined reports
What privileged users did on the financial database?
What user A did across multiple databases?
Who accessed sensitive data?
Flexible Reporting
Open warehouse schema
Oracle Business Intelligence Publisher or Application Express
Custom or 3rd party tools
Secure
Privileged Audit Vault users can't modify audit data
Data encrypted in transit from source to Audit Vault
Host
Application Server
Database Profile/Configuration
Default Passwords
Disallow access to objects by a fixed user link
Disallow default tablespace set to SYSTEM
Set password_grace_time
Limit or deny access to DBMS_LOB
Set password_reuse_max
Avoid using utl_file_dir parameter
Peter Bass
Sr. Database Administrator
Transcontinental
Implementation of Enterprise Manager Security policies with round the clock monitoring and reporting helped demonstrate to our SOX auditors that Transcontinental was in control of their IT environment.
http://search.oracle.com
database security
or
oracle.com/database/security
Q&A
Oracle 8i, Oracle Database 9iR1, Oracle Database 9iR2, Oracle Database 10g R1, Oracle Database 10g R2, Oracle Database 11gR1
Database Auditing
Network Encryption
Virtual Private Database
Label Security
Database Vault
Audit Vault
Fine Grained Auditing
Total Recall
EM Configuration Scanning
TDE Column Encryption
TDE Tablespace Encryption
EM Data Masking
2008 Oracle Corporation