TRANSCRIPT
Copyright © 2013, Oracle and/or its affiliates. All rights reserved. 1
Oracle Database Security Solutions
Comprehensive database security, from the inside out
Wang Rui, Senior Technical Consultant
Agenda
• The challenges facing data security
• Oracle's database security strategy
• Defense in depth in Oracle Database 12c
• Summary
Billions of database records have been compromised worldwide, and 97% of those breaches could have been avoided with basic controls
• 98% of stolen records came from databases
• 84% of records were compromised through stolen credentials
• 71% of victims were compromised within minutes
• 92% of breaches were discovered by a third party
From mistakes to malicious attacks: basic security policies no longer meet today's business needs
• Malicious: social engineering, sophisticated attacks, business data theft, loss of reputation
• Mistakes and misuse: privilege abuse, curiosity, leakage, accidents, unintended disclosures
“You don’t bother to just simply hack the
organization and its infrastructure; you
focus much more of your attention on
hacking the employees….”
It is not enough to watch for external hackers attacking your infrastructure; pay even more attention to attacks that come through your own employees.
Attack case analysis
Uri Rivner
Former CTO at RSA
(Security Division of EMC)
The targets of data attacks are multiplying and the techniques are evolving: DBAs, OS admins, developers, multiple copies of the data, etc.
Security incidents keep happening...
It is not a question of "whether" but of "when"
• AT&T
• PayPal
• BofA
• Fannie Mae
• People's Bank of China
• Best Buy
• Citibank
• Sony
• …
Data security under new IT architectures and business models: data consolidation, cloud computing, outsourcing, partners, …
• Manage risk when data goes into someone else's hands
• 7x24 support requires many highly privileged users
• Meet the application's security requirements
• Meet changing compliance requirements
• Provide "scrubbed" data to dev/test/partners
Why are databases easy to attack? 80% of IT security programs are not aimed at database security
(Figure, Forrester Research: security spending by category: network security; SIEM (security information and event management); endpoint security; e-mail security; authorization and user security; database security)
"Enterprises face risks they have not yet discovered. The situation is getting worse as more and more attacks exploit legitimate access channels to compromise databases."
Source: Forrester 2012
Why attacks on databases succeed: the 2010 IOUG Data Security Report
• Only 28% uniformly encrypt PII in all databases
• 66% are not sure whether their web applications are subject to SQL injection
• 63% do not apply security patches within 3 months of release
• 48% are not aware of all databases holding sensitive data
• 44% say database users could access data directly
• 70% use native auditing, but only 25% automate monitoring
• Only 24% can "prevent" DBAs from reading or tampering with sensitive data
• 68% cannot detect whether database users are abusing privileges
• Less than 30% monitor reads/writes of sensitive data
Limited database security controls: the 2010 IOUG Data Security Report
Source: 2010 Independent Oracle User Group Data Security Report
• 70%: system users can read/tamper with data stored in database files or storage
• 76%: cannot prevent DBAs from reading/modifying data
• 68%: cannot detect whether database users are abusing privileges
• 63%: vulnerable to SQL injection attacks, or not sure
• 48%: copy sensitive production data to non-production environments
• 31%: likely to get breached over the coming year
It is not a question of "whether to do it" but of "how to do it"
Regulations and standards: FISMA; SOX | COSO; PCI-DSS | COSO | COBIT | ISO 17799 | ISO 27001; HIPAA; GLBA; PIPEDA; Basel II; EU Data Directives; Euro SOX; J-SOX; K-SOX; SAS 70; AUS/PRO; UK/PRO; China Basic Standard for Enterprise Internal Control; China Information Security Classified Protection regulations; China Information System Security Management Requirements GB/T 20269-2006; Hong Kong Personal Data (Privacy) Ordinance; Hong Kong supervisory approach to e-banking TM-E-1; Hong Kong general principles for technology risk management of e-banking TM-G-1; SG-MAS IBTRM; Taiwan Personal Data Protection Act
Oracle Database Security Solutions: a defense-in-depth architecture for maximum security
• Detective (proactive monitoring): Activity Monitoring, Database Firewall, Auditing and Reporting
• Preventive (proactive prevention): Data Masking, Privileged User Controls, Encryption & Redaction
• Administrative (proactive management): Sensitive Data Discovery, Configuration Management, Privilege Analysis
Oracle Database Security Solution Architecture, Defense-in-Depth for Maximum Security: PREVENTIVE controls (Data Masking, Privileged User Controls, Encryption & Redaction)
Oracle Advanced Security: Transparent Data Encryption (proactive security option for Oracle Database)
• Encrypt tablespaces or columns
• Restricts access to the data at rest
• No application changes
• Two-tier key management
• Near-zero CPU overhead
• Seamless integration with existing Oracle technology
– Exadata, Compression, ASM, GoldenGate, Data Pump, log files
(Figure: applications read clear data through the database, while disk, backups, exports and off-site facilities hold only ciphertext.)
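The statements below are an added example, not code from the slides or from Oracle, showing how the two-tier key management and the tablespace/column encryption described above are set up in Oracle Database 12c and how to verify them. The keystore path, datafile path, table name and passwords are assumptions; the keystore directory must also be named in sqlnet.ora as ENCRYPTION_WALLET_LOCATION.

```sql
-- Added example (not from the slides): enabling TDE in Oracle Database 12c.
-- Assumed: keystore under /etc/ORACLE/WALLETS/orcl (referenced from
-- sqlnet.ora), table hr.employees with an SSN column, placeholder passwords.

-- 1. Create and open the software keystore, then set the master key.
--    The master key never leaves the keystore; the per-tablespace and
--    per-column keys are encrypted with it (the two tiers on the slide).
ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '/etc/ORACLE/WALLETS/orcl'
  IDENTIFIED BY "keystore-password";
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN
  IDENTIFIED BY "keystore-password";
ADMINISTER KEY MANAGEMENT SET KEY
  IDENTIFIED BY "keystore-password" WITH BACKUP;

-- 2. Tablespace encryption: every block written to the datafile is encrypted,
--    so disk, datafile backups and off-site copies hold only ciphertext.
CREATE TABLESPACE secure_ts
  DATAFILE '/u01/oradata/orcl/secure_ts01.dbf' SIZE 100M
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

-- 3. Column encryption on an existing table.  The application keeps reading
--    and writing SSN as an ordinary VARCHAR2.  SALT (the default) is kept so
--    equal plaintexts do not give equal ciphertexts; use NO SALT only when
--    the column must be indexed.
ALTER TABLE hr.employees MODIFY (ssn ENCRYPT USING 'AES256');

-- 4. Checks a practitioner runs afterwards: keystore really open, which
--    columns and tablespaces are covered, and with what algorithm.
SELECT wrl_type, status, wallet_type
  FROM v$encryption_wallet;
SELECT owner, table_name, column_name, encryption_alg, salt
  FROM dba_encrypted_columns;
SELECT ts.name, et.encryptionalg
  FROM v$encrypted_tablespaces et
  JOIN v$tablespace ts ON ts.ts# = et.ts#;
```

Two caveats worth stating next to the slide's bullets: TDE protects data at rest only, so any authenticated session that holds the needed privileges (a DBA with SELECT ANY TABLE included) still sees cleartext, which is why Database Vault sits beside it in this architecture; and a Data Pump export writes cleartext unless the job specifies ENCRYPTION (for example ENCRYPTION=ALL with ENCRYPTION_MODE=TRANSPARENT), so "exports" on the figure are covered only when the export is run that way. The near-zero overhead figure assumes the CPU's AES instructions are available. Back up the keystore with every master-key change: losing it means losing the data.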
Oracle Advanced Security: redaction of sensitive data (proactive security option for the database)
• Redacts displayed values in real time based on user name, IP address, application context, or other application factors
• Multiple transformations: full, partial, fixed (constant) redaction
• Built-in transformation rules, or rules defined on the fly
• Completely transparent to applications
• No change to normal database operations
(Figure: credit card numbers 4451-2172-9841-4368, 5106-8395-2095-5938, 7830-0032-0294-1827 pass through a redaction policy; the call center application sees xxxx-xxxx-xxxx-4368 while the billing department sees 4451-2172-9841-4368.)
Supported transformations (stored data, then the redacted result)
• Full: 10/09/1992 becomes 01/01/2001
• Partial: 052-51-2147 becomes XXX-XX-2147
• Regular expression: [email protected] becomes [hidden]@acme.com
• Random: 4451-2172-9841-4368 becomes 4943-6344-0547-0110
Redaction policies are edited with Enterprise Manager
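As an added example, not code from the slides or from Oracle, this is the same policy expressed with the DBMS_REDACT package that Enterprise Manager drives, covering the four transformation types of the table above and the "who sees what" condition of the billing/call-center figure. The BILLING schema, the CUSTOMERS table, the BILLING_ADMIN account, the 10.1.5.x billing subnet and the sample row are assumptions constructed for the example.

```sql
-- Added example (not from the slides): Oracle Data Redaction with DBMS_REDACT,
-- Oracle Database 12c.  Schema, table, user, subnet and the row are constructed.
CREATE TABLE billing.customers (
  cust_id     NUMBER PRIMARY KEY,
  card_number VARCHAR2(19),
  ssn         VARCHAR2(11),
  email       VARCHAR2(80),
  birth_date  DATE
);
INSERT INTO billing.customers
  VALUES (1, '4451-2172-9841-4368', '052-51-2147', 'jdoe@acme.com',
          DATE '1992-10-09');
COMMIT;

-- Partial redaction of the card number.  The format string means: V = digit
-- position, F = formatting character kept as is, mask character x, mask digit
-- positions 1..12 (Oracle ships the same thing as DBMS_REDACT.REDACT_CCN16_F12
-- with '*' as the mask).  The expression is evaluated per query and decides
-- WHO is redacted: everyone except BILLING_ADMIN connecting from the billing
-- subnet, i.e. user name plus IP address as on the slide.
BEGIN
  DBMS_REDACT.ADD_POLICY(
    object_schema       => 'BILLING',
    object_name         => 'CUSTOMERS',
    policy_name         => 'customers_pii',
    column_name         => 'CARD_NUMBER',
    function_type       => DBMS_REDACT.PARTIAL,
    function_parameters => 'VVVVFVVVVFVVVVFVVVV,VVVV-VVVV-VVVV-VVVV,x,1,12',
    expression          => q'[SYS_CONTEXT('USERENV','SESSION_USER') != 'BILLING_ADMIN'
                              OR SYS_CONTEXT('USERENV','IP_ADDRESS') NOT LIKE '10.1.5.%']');
END;
/

-- Add the remaining columns to the same policy (one policy per table).
BEGIN
  -- SSN: Oracle's predefined format, keeps the last four digits.
  DBMS_REDACT.ALTER_POLICY(
    object_schema       => 'BILLING', object_name => 'CUSTOMERS',
    policy_name         => 'customers_pii',
    action              => DBMS_REDACT.ADD_COLUMN,
    column_name         => 'SSN',
    function_type       => DBMS_REDACT.PARTIAL,
    function_parameters => DBMS_REDACT.REDACT_US_SSN_F5);
  -- E-mail: regular-expression redaction hides the local part, keeps the domain.
  DBMS_REDACT.ALTER_POLICY(
    object_schema         => 'BILLING', object_name => 'CUSTOMERS',
    policy_name           => 'customers_pii',
    action                => DBMS_REDACT.ADD_COLUMN,
    column_name           => 'EMAIL',
    function_type         => DBMS_REDACT.REGEXP,
    regexp_pattern        => DBMS_REDACT.RE_PATTERN_EMAIL_ADDRESS,
    regexp_replace_string => DBMS_REDACT.RE_REDACT_EMAIL_NAME,
    regexp_position       => DBMS_REDACT.RE_BEGINNING,
    regexp_occurrence     => DBMS_REDACT.RE_FIRST);
  -- Birth date: full redaction; a DATE column is replaced by the fixed
  -- default date, matching the "full" row of the table above.
  DBMS_REDACT.ALTER_POLICY(
    object_schema       => 'BILLING', object_name => 'CUSTOMERS',
    policy_name         => 'customers_pii',
    action              => DBMS_REDACT.ADD_COLUMN,
    column_name         => 'BIRTH_DATE',
    function_type       => DBMS_REDACT.FULL);
END;
/

-- Verify the policy definition, then query the table once as BILLING_ADMIN
-- from 10.1.5.x and once as any other user to see both sides of the figure.
SELECT policy_name, column_name, function_type, function_parameters
  FROM redaction_columns
 WHERE object_owner = 'BILLING' AND object_name = 'CUSTOMERS';
SELECT card_number, ssn, email, birth_date FROM billing.customers;
```

The caveat a practitioner wants beside "completely transparent to applications": redaction is applied to the result set only. The cleartext is still used to evaluate predicates, so a user who can run ad hoc SQL can recover a value one digit at a time with WHERE card_number LIKE '4451%' and so on, and anyone holding EXEMPT REDACTION POLICY (SYS included) sees cleartext. It is a display control against over-exposure through applications, not a substitute for the access controls (Database Vault) and encryption (TDE) on the surrounding slides.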
Oracle Data Masking: masking data for non-production use (proactive security option for Oracle Database)
• Masks sensitive application data
• Proactively detects and enforces constraint (referential) relationships
• Extensible library of templates and formats
• Integrated with Real Application Testing
• Supports masking non-Oracle databases
(Figure: production rows LAST_NAME / SSN / SALARY: AGUILAR 203-33-3234 40,000 and BENSON 323-22-2943 60,000; the masked non-production copy used for test and dev: ANSKEKSL 323-23-1111 60,000 and BKJHHEIEDK 252-34-1345 40,000.)
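The Data Masking Pack is driven from Enterprise Manager, so the block below is an added, hand-rolled illustration of what it automates, not Oracle's code: the masked copy keeps the SSN format, the salary distribution and, the point of the "constraint relationships" bullet, the parent/child join between two tables. It is meant to run in the non-production copy. The HR schema, the EMPLOYEES and DEPENDENTS tables and the rows are constructed for the example.

```sql
-- Added example (not the Oracle Data Masking Pack): deterministic masking that
-- survives a foreign key.  Runs in the NON-PRODUCTION copy only.  Schema,
-- tables and rows are constructed; the FK is deferrable so both sides can be
-- rewritten in one transaction.
CREATE TABLE hr.employees (
  emp_id    NUMBER PRIMARY KEY,
  last_name VARCHAR2(40),
  ssn       CHAR(11) UNIQUE,
  salary    NUMBER);
CREATE TABLE hr.dependents (
  dep_id   NUMBER PRIMARY KEY,
  emp_ssn  CHAR(11) REFERENCES hr.employees(ssn) DEFERRABLE INITIALLY IMMEDIATE,
  dep_name VARCHAR2(40));
INSERT INTO hr.employees  VALUES (1, 'AGUILAR', '203-33-3234', 40000);
INSERT INTO hr.employees  VALUES (2, 'BENSON',  '323-22-2943', 60000);
INSERT INTO hr.dependents VALUES (10, '203-33-3234', 'AGUILAR JR');
COMMIT;

-- 1. One mapping row per real SSN.  The same original always maps to the same
--    fake value (so parent and child still join) and the fake value keeps the
--    NNN-NN-NNNN shape (so application validation still passes).  The UNIQUE
--    constraint makes a random collision fail loudly instead of merging people.
CREATE TABLE hr.ssn_map AS
SELECT ssn AS real_ssn,
       LPAD(TRUNC(DBMS_RANDOM.VALUE(100, 900)),    3, '0') || '-' ||
       LPAD(TRUNC(DBMS_RANDOM.VALUE(10, 100)),     2, '0') || '-' ||
       LPAD(TRUNC(DBMS_RANDOM.VALUE(1000, 10000)), 4, '0') AS fake_ssn
  FROM hr.employees;
ALTER TABLE hr.ssn_map ADD CONSTRAINT ssn_map_uq UNIQUE (fake_ssn);

-- 2. Rewrite child and parent in one transaction; the FK is checked at COMMIT.
SET CONSTRAINTS ALL DEFERRED;
UPDATE hr.dependents d
   SET emp_ssn = (SELECT m.fake_ssn FROM hr.ssn_map m WHERE m.real_ssn = d.emp_ssn);
UPDATE hr.employees e
   SET ssn       = (SELECT m.fake_ssn FROM hr.ssn_map m WHERE m.real_ssn = e.ssn),
       -- surname: random letters of the same length, as in the slide figure
       last_name = DBMS_RANDOM.STRING('U', LENGTH(e.last_name));
-- salary: shuffle the real values across rows, so aggregates and histograms
-- stay realistic for testing but no row carries its own salary
MERGE INTO hr.employees e
USING (SELECT a.emp_id, b.salary AS new_salary
         FROM (SELECT emp_id, ROW_NUMBER() OVER (ORDER BY emp_id) rn
                 FROM hr.employees) a
         JOIN (SELECT salary, ROW_NUMBER() OVER (ORDER BY DBMS_RANDOM.VALUE) rn
                 FROM hr.employees) b ON a.rn = b.rn) s
ON (e.emp_id = s.emp_id)
WHEN MATCHED THEN UPDATE SET e.salary = s.new_salary;
COMMIT;

-- 3. The mapping table is itself the secret: it turns fake back into real.
--    Drop it from the copy (or keep it only on the production side if the
--    masking must be repeatable across refreshes).
DROP TABLE hr.ssn_map PURGE;

-- 4. Verify that the join still works and no original SSN survives.
SELECT e.last_name, e.ssn, e.salary, d.dep_name
  FROM hr.employees e JOIN hr.dependents d ON d.emp_ssn = e.ssn;
SELECT COUNT(*) AS leaked
  FROM hr.employees WHERE ssn IN ('203-33-3234', '323-22-2943');
```

What the pack adds over this is the discovery of the dependency (here the foreign key was known; in real schemas the relationship is often only in application code), the format library, and the ability to replay a masked copy under Real Application Testing. The irreversibility of the mask comes from dropping the map, not from DBMS_RANDOM, which is not a cryptographic generator.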
Oracle Database Vault: control over user privileges (proactive security option for Oracle Database)
• Seals off access to sensitive data, even when application DBAs and support analysts are given emergency access
• Define realms (protection zones) around sensitive data or objects
• Restrict DBA access to realm-protected data
• Restrict access to sensitive data even during patching and upgrades
• Supports multi-factor SQL access restriction rules
• Enforces enterprise data governance, separation of duties and least privilege
(Figure: the application reaches the Procurement, HR and Finance schemas; a DBA's "select * from finance.customers" is stopped by the realm; the security DBA administers the controls.)
Oracle Database Vault: privileged user access control
• Automatic and customizable DBA separation of duties
• Enforce who, where, when, and how data is accessed using rules and factors
– Enforce least privilege for privileged database users
– Prevent compromised privileged user accounts from accessing application data
• Securely consolidate application data and prevent application bypass
• Prevent ad hoc changes to the database by administrators
Oracle Database Vault realms
• Realms are protection zones (firewalls) inside the database that protect application data
• Use realms to restrict the use of system privileges (SELECT ANY TABLE and the like) to specific accounts or roles
• Default realms address database governance
• Out-of-the-box realms protect popular Oracle and non-Oracle applications
Oracle Database Vault: strong operational controls inside the database
• Rules control how users can execute almost any SQL statement inside the database
• Command rules can take into account built-in and custom factors (numerous are built in)
• Command rules can be system-wide, schema-specific, or object-specific
• Out-of-the-box command rules for Oracle and non-Oracle applications
Built-in factors:
• User factors: name, authentication type, session user, proxy enterprise identity
• Network factors: machine name, client IP, network protocol
• Database factors: database IP, database instance, database hostname, database SID
• Runtime factors: language, date/day of week, time
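The following is an added example, not code from the slides or from Oracle, that builds the realm in the figure ("select * from finance.customers" by a DBA is refused) and one command rule that combines two of the built-in factors listed above. It is run as the Database Vault owner (DV_OWNER role) after Vault has been enabled. The realm, rule and rule-set names, the FINANCE_APP account and the change-management host address are assumptions.

```sql
-- Added example (not from the slides): Database Vault realm and command rule
-- with DBMS_MACADM, Oracle Database 12c.  Run as the DV owner.  Names and the
-- 10.1.2.3 change-management host are assumptions; FINANCE is the slide's schema.
BEGIN
  -- 1. A mandatory realm around FINANCE.  realm_type 1 (mandatory, new in 12c)
  --    means even the schema owner and holders of direct object grants need a
  --    realm authorization; SELECT ANY TABLE no longer reaches these objects.
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'Finance Realm',
    description   => 'Protects every object in the FINANCE schema',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL,
    realm_type    => 1);
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'Finance Realm',
    object_owner => 'FINANCE',
    object_name  => '%',
    object_type  => '%');
  -- Only the application account is authorized.  The DBA is not, so the
  -- query in the figure is rejected with ORA-01031 (insufficient privileges).
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name   => 'Finance Realm',
    grantee      => 'FINANCE_APP',
    auth_options => DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);

  -- 2. A command rule: ALTER TABLE on FINANCE objects is allowed only from the
  --    change-management host (Client IP factor) inside the Sunday window
  --    (date/time factors).  DVF.F$CLIENT_IP is the built-in factor function.
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'From Change Mgmt Host',
    rule_expr => q'[DVF.F$CLIENT_IP = '10.1.2.3']');
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'In Maintenance Window',
    rule_expr => q'[TO_CHAR(SYSDATE, 'DY', 'NLS_DATE_LANGUAGE=AMERICAN') = 'SUN'
                    AND TO_NUMBER(TO_CHAR(SYSDATE, 'HH24')) BETWEEN 1 AND 5]');
  DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'Finance DDL Window',
    description     => 'All rules must hold',
    enabled         => DBMS_MACUTL.G_YES,
    eval_options    => DBMS_MACUTL.G_RULESET_EVAL_ALL,
    audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
    fail_options    => DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => 'DDL on FINANCE only from the change mgmt host in the window',
    fail_code       => 20461,
    handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => '');
  DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'Finance DDL Window', rule_name => 'From Change Mgmt Host');
  DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'Finance DDL Window', rule_name => 'In Maintenance Window');
  DBMS_MACADM.CREATE_COMMAND_RULE(
    command       => 'ALTER TABLE',
    rule_set_name => 'Finance DDL Window',
    object_owner  => 'FINANCE',
    object_name   => '%',
    enabled       => DBMS_MACUTL.G_YES);
END;
/

-- 3. Checks: what the realm covers, who is authorized, and the violations
--    that the audit option recorded (each failed realm access is one row).
SELECT realm_name, owner, object_name, object_type FROM dba_dv_realm_object;
SELECT realm_name, grantee, auth_options         FROM dba_dv_realm_auth;
SELECT username, action_name, action_object_name, action_command
  FROM dvsys.audit_trail$;
```

Two operational points: the DV owner and the DV account manager should be people other than the DBA, otherwise the separation of duties on the slide is nominal; and command rules lock out your own maintenance just as effectively as an attacker, so test the rule set against the patching procedure in a non-production database before enabling it in production.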
Oracle Database Security Solution Architecture, Defense-in-Depth for Maximum Security: DETECTIVE controls (Activity Monitoring, Database Firewall, Auditing and Reporting)
Oracle Audit Vault and Database Firewall: database activity monitoring and firewall (detective option for Oracle and non-Oracle databases)
• Monitors and records the network traffic of database access
• Detects and blocks unauthorized database activity and prevents SQL injection
• Highly accurate SQL grammar analysis
• Whitelist to enforce permitted activity
• Blacklist to manage high-risk activity
• Scalable security software appliance
(Figure: application traffic passes through SQL analysis against a policy of whitelist, blacklist, factors and users; the outcome is block, log, allow, alert or substitute.)
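To make the "SQL grammar analysis" bullet concrete, here is an added example (not code from the slides or from Oracle) of the same lookup written two ways in PL/SQL: one concatenates user input into the statement, the other binds it. Against the first, an injected string changes the shape of the statement the database receives, which is exactly what a whitelist built from the application's normal statements detects; against the second, the statement text never changes whatever the input. The FINANCE.CUSTOMERS table, the function names and the rows are constructed.

```sql
-- Added example (not from the slides): injection through concatenated dynamic
-- SQL versus bind variables.  Table, functions and rows are constructed.
CREATE TABLE finance.customers (
  cust_id NUMBER PRIMARY KEY, name VARCHAR2(40), card_number VARCHAR2(19));
INSERT INTO finance.customers VALUES (1, 'AGUILAR', '4451-2172-9841-4368');
INSERT INTO finance.customers VALUES (2, 'BENSON',  '5106-8395-2095-5938');
COMMIT;

-- Vulnerable: the caller's string becomes part of the SQL text.  With the
-- input  X' OR '1'='1  the statement the database (and the firewall) sees is
--   SELECT name, card_number FROM finance.customers WHERE name = 'X' OR '1'='1'
-- a shape this application never sends, so every card comes back.
CREATE OR REPLACE FUNCTION finance.card_by_name_vuln(p_name IN VARCHAR2)
  RETURN SYS_REFCURSOR AS
  c SYS_REFCURSOR;
BEGIN
  OPEN c FOR 'SELECT name, card_number FROM finance.customers WHERE name = '''
             || p_name || '''';
  RETURN c;
END;
/

-- Hardened: a bind variable.  The statement text is a constant, so the same
-- input is just a value compared against NAME and the grammar the firewall
-- learned for this application is the only grammar it ever sees.
CREATE OR REPLACE FUNCTION finance.card_by_name(p_name IN VARCHAR2)
  RETURN SYS_REFCURSOR AS
  c SYS_REFCURSOR;
BEGIN
  OPEN c FOR 'SELECT name, card_number FROM finance.customers WHERE name = :n'
    USING p_name;
  RETURN c;
END;
/

-- Identifiers cannot be bound.  When a table name really must be dynamic,
-- validate it with DBMS_ASSERT instead of trusting the string.
CREATE OR REPLACE FUNCTION finance.count_rows(p_table IN VARCHAR2)
  RETURN NUMBER AS
  n NUMBER;
BEGIN
  EXECUTE IMMEDIATE 'SELECT COUNT(*) FROM finance.'
                    || DBMS_ASSERT.SIMPLE_SQL_NAME(p_table) INTO n;
  RETURN n;
END;
/

-- Exercise both with the same injected input and count what comes back:
-- the vulnerable function returns the whole table, the bound one nothing.
SET SERVEROUTPUT ON
DECLARE
  c      SYS_REFCURSOR;
  v_name VARCHAR2(40);
  v_card VARCHAR2(19);
  n      NUMBER;
BEGIN
  n := 0;
  c := finance.card_by_name_vuln(q'[X' OR '1'='1]');
  LOOP FETCH c INTO v_name, v_card; EXIT WHEN c%NOTFOUND; n := n + 1; END LOOP;
  CLOSE c;
  DBMS_OUTPUT.PUT_LINE('concatenated: ' || n || ' rows');

  n := 0;
  c := finance.card_by_name(q'[X' OR '1'='1]');
  LOOP FETCH c INTO v_name, v_card; EXIT WHEN c%NOTFOUND; n := n + 1; END LOOP;
  CLOSE c;
  DBMS_OUTPUT.PUT_LINE('bound: ' || n || ' rows');
END;
/
```

The firewall is a compensating control for the first function, which is useful when the application cannot be changed (the "no application code changes" point in the customer cases later in the deck), but the second function is the fix. Note also that the blacklist and substitute actions on the figure act on statements the firewall can parse; traffic it cannot see (encrypted Net connections not terminated by the appliance, or local connections on the database host) is outside its view.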
Oracle Audit Vault and Database Firewall: audit, reporting, real-time alerts (detective option for Oracle and non-Oracle databases)
• Collects and analyzes audit and event data from databases, OS and storage, directories, the Oracle Database Firewall and custom sources
• Centralized, secure audit repository
• Consolidated reports across multiple sources
• Out-of-the-box and user-defined reports
• Centralized real-time alerts
• Fine-grained separation-of-duties analysis
• Secure, scalable software appliance
(Figure: policies, reports and alerts are consumed by the security analyst, the auditor and the SOC.)
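The appliance collects what the database produces, so the added example below (not code from the slides or from Oracle) shows the database-side part: Oracle Database 12c unified audit policies that record the two things the IOUG figures earlier in the deck say most sites cannot see, access to sensitive tables outside the application and the use of powerful privileges, plus the query an analyst would run against the trail before a collector such as Audit Vault picks it up. The policy names, the FINANCE.CUSTOMERS table and the FinanceApp module name are assumptions; 12c runs in mixed mode by default, in which these policies are active without relinking.

```sql
-- Added example (not from the slides): unified audit policies in Oracle
-- Database 12c.  Policy, table and module names are assumptions.

-- 1. Any read or change of the sensitive table that does not come from the
--    application.  EVALUATE PER SESSION checks the WHEN condition once per
--    session instead of once per statement, which keeps the overhead low.
CREATE AUDIT POLICY finance_customers_pol
  ACTIONS SELECT ON finance.customers,
          INSERT ON finance.customers,
          UPDATE ON finance.customers,
          DELETE ON finance.customers
  WHEN 'SYS_CONTEXT(''USERENV'',''MODULE'') != ''FinanceApp'''
  EVALUATE PER SESSION;
AUDIT POLICY finance_customers_pol;

-- 2. Use of the system privileges that make privilege abuse possible, by
--    whoever holds them (DBA accounts included).
CREATE AUDIT POLICY any_priv_pol
  PRIVILEGES SELECT ANY TABLE, ALTER ANY TABLE, GRANT ANY PRIVILEGE,
             CREATE ANY PROCEDURE, EXEMPT ACCESS POLICY;
AUDIT POLICY any_priv_pol;

-- 3. Failed logons: the footprint of guessing against stolen account lists.
CREATE AUDIT POLICY logon_fail_pol ACTIONS LOGON;
AUDIT POLICY logon_fail_pol WHENEVER NOT SUCCESSFUL;

-- 4. Read the trail.  In 12.1 records are queued in memory first; flush so
--    the query (and the collector) sees everything written so far.
BEGIN
  DBMS_AUDIT_MGMT.FLUSH_UNIFIED_AUDIT_TRAIL;
END;
/
SELECT event_timestamp, dbusername, client_program_name, action_name,
       object_schema, object_name, return_code, sql_text
  FROM unified_audit_trail
 WHERE unified_audit_policies LIKE '%FINANCE_CUSTOMERS_POL%'
    OR unified_audit_policies LIKE '%ANY_PRIV_POL%'
    OR unified_audit_policies LIKE '%LOGON_FAIL_POL%'
 ORDER BY event_timestamp;

-- 5. Separation of duties on the audit configuration itself: the accounts
--    that can change policies (AUDIT_ADMIN) and read the trail (AUDIT_VIEWER)
--    should not be the DBA accounts being audited.
SELECT grantee, granted_role
  FROM dba_role_privs
 WHERE granted_role IN ('AUDIT_ADMIN', 'AUDIT_VIEWER')
 ORDER BY granted_role, grantee;
```

The MODULE value in the first policy is set by the client (JDBC and OCI both let an application set it), so it filters noise rather than authenticating the caller; a user who spoofs the module name is one reason the trail should leave the database for a repository the DBA cannot edit, which is the role of the Audit Vault appliance on the slide.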
Oracle Audit Vault and Database Firewall: new detective controls for Oracle and non-Oracle databases
(Figure: users and applications reach the database through the Database Firewall, which can block, log, allow, alert or substitute; firewall events, together with operating system, directory and custom audit logs from custom servers, feed the audit/event warehouse; the security manager defines policies, and auditors and report users receive reports and alerts.)
Oracle Database Security Solution Architecture, Defense-in-Depth for Maximum Security: ADMINISTRATIVE controls (Sensitive Data Discovery, Configuration Management, Privilege Analysis)
Oracle Database Vault: analysis of role and privilege use (administrative control in Oracle Database 12c)
• Turn on privilege analysis capture mode
• Report the privileges and roles actually used in the database
• Revoke unnecessary privileges and roles as needed
• Helps enforce least privilege and reduce risk
• Improves database security without interrupting the business
(Figure: the DBA and APPADMIN roles carry Create, Drop and Update privileges; privilege analysis shows Update as unused by APPADMIN.)
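The five bullets above are one procedure, shown here end to end as an added example (not code from the slides or from Oracle) with the DBMS_PRIVILEGE_CAPTURE package, which is the in-database interface for the capture mode on the slide. It is run by a user holding the CAPTURE_ADMIN role; the capture name is an assumption and APPADMIN is the role from the figure.

```sql
-- Added example (not from the slides): Oracle Database 12c privilege
-- analysis.  Capture name is an assumption; APPADMIN is the slide's role.

-- 1. Define a capture for everything exercised through the APPADMIN role and
--    start it.  Nothing is blocked while capturing, hence "no interruption".
BEGIN
  DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE(
    name        => 'appadmin_capture',
    description => 'Privileges actually exercised via APPADMIN',
    type        => DBMS_PRIVILEGE_CAPTURE.G_ROLE,
    roles       => ROLE_NAME_LIST('APPADMIN'));
  DBMS_PRIVILEGE_CAPTURE.ENABLE_CAPTURE(name => 'appadmin_capture');
END;
/

-- 2. Run a representative workload.  The window must cover the rare paths
--    (month-end, batch jobs, support procedures); a privilege unused in a
--    quiet week is not necessarily unneeded.  Then stop and materialize.
BEGIN
  DBMS_PRIVILEGE_CAPTURE.DISABLE_CAPTURE(name => 'appadmin_capture');
  DBMS_PRIVILEGE_CAPTURE.GENERATE_RESULT(name => 'appadmin_capture');
END;
/

-- 3. Used versus unused.  PATH shows the grant chain (user -> role -> grant)
--    through which each privilege was held, which tells you where to revoke.
SELECT username, used_role, sys_priv, obj_priv, object_owner, object_name, path
  FROM dba_used_privs
 WHERE capture = 'appadmin_capture'
 ORDER BY username, object_owner, object_name;
SELECT username, used_role, sys_priv, obj_priv, object_owner, object_name, path
  FROM dba_unused_privs
 WHERE capture = 'appadmin_capture'
 ORDER BY username, object_owner, object_name;

-- 4. After review, the slide's case: UPDATE was granted to APPADMIN and never
--    used, so it goes.  Revoke from the role, not from each user, so the
--    change is reversible with one GRANT if a forgotten job needs it.
REVOKE UPDATE ON finance.customers FROM appadmin;

-- 5. Drop the capture when the review is closed; captures are listed in
--    DBA_PRIV_CAPTURES and only one of each type can be enabled at a time.
BEGIN
  DBMS_PRIVILEGE_CAPTURE.DROP_CAPTURE(name => 'appadmin_capture');
END;
/
```

Besides G_ROLE, captures can be database-wide (G_DATABASE) or limited by a SYS_CONTEXT condition (G_CONTEXT), for example to the sessions of one application module; a database-wide capture over a DBA account is the usual way to build the least-privilege argument for the DBA separation of duties on the Database Vault slides.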
Oracle Enterprise Manager 12c: discovering sensitive data (administrative control for Oracle databases)
• Scans databases for sensitive data
• Creates and maintains application data models
• Protects the sensitive data found by encrypting, redacting, masking, auditing, …
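Enterprise Manager runs discovery as a job; the block below is an added example (not code from the slides or from Oracle) of the two passes such a scan makes, written as plain dictionary queries and a PL/SQL sampler that a DBA can run from SQL*Plus: a metadata pass over column names, then a data pass that samples real values, so that a column called DATA1 holding card numbers is found too. The name patterns, the 10% sample, the Luhn helper and the use of DBA_USERS.ORACLE_MAINTAINED (12c) to pick application schemas are assumptions.

```sql
-- Added example (not Enterprise Manager's discovery job): a two-pass scan
-- for sensitive data.  Patterns, sample size and schema selection are
-- assumptions; run as a DBA.

-- Pass 1: column names that suggest sensitive content, application schemas only.
SELECT owner, table_name, column_name, data_type
  FROM dba_tab_columns
 WHERE owner IN (SELECT username FROM dba_users WHERE oracle_maintained = 'N')
   AND REGEXP_LIKE(column_name,
         '(SSN|SOCIAL|CARD|CCN|PAN|SALARY|PASSW|SECRET|BIRTH|DOB|EMAIL|PHONE)', 'i')
 ORDER BY owner, table_name, column_name;

-- Luhn check: a 16-digit value is reported as a card number only when its
-- check digit is right, which removes most order and part numbers.
CREATE OR REPLACE FUNCTION luhn_ok(p IN VARCHAR2) RETURN NUMBER AS
  s     VARCHAR2(32) := REGEXP_REPLACE(p, '[^0-9]', '');
  total NUMBER := 0;
  d     NUMBER;
BEGIN
  IF s IS NULL THEN RETURN 0; END IF;
  FOR i IN 1 .. LENGTH(s) LOOP
    d := TO_NUMBER(SUBSTR(s, LENGTH(s) - i + 1, 1));   -- walk from the right
    IF MOD(i, 2) = 0 THEN                              -- double every second digit
      d := d * 2;
      IF d > 9 THEN d := d - 9; END IF;
    END IF;
    total := total + d;
  END LOOP;
  RETURN CASE WHEN MOD(total, 10) = 0 THEN 1 ELSE 0 END;
END;
/

-- Pass 2: sample 10% of the rows of every character column in application
-- tables and count values shaped like a US SSN or a Luhn-valid 16-digit PAN,
-- whatever the column is called.  Views are excluded (SAMPLE needs a table).
SET SERVEROUTPUT ON
DECLARE
  n_ssn NUMBER;
  n_pan NUMBER;
BEGIN
  FOR c IN (SELECT tc.owner, tc.table_name, tc.column_name
              FROM dba_tab_columns tc
              JOIN dba_tables t
                ON t.owner = tc.owner AND t.table_name = tc.table_name
             WHERE tc.data_type IN ('VARCHAR2', 'CHAR')
               AND tc.owner IN (SELECT username FROM dba_users
                                 WHERE oracle_maintained = 'N'))
  LOOP
    BEGIN
      -- identifiers cannot be bound, so they are quoted through DBMS_ASSERT
      EXECUTE IMMEDIATE
           'SELECT COUNT(CASE WHEN REGEXP_LIKE(c, ''^\d{3}-\d{2}-\d{4}$'') THEN 1 END),'
        || '       COUNT(CASE WHEN REGEXP_LIKE(c, ''^\d{4}(-?\d{4}){3}$'')'
        || '                   AND luhn_ok(c) = 1 THEN 1 END)'
        || '  FROM (SELECT ' || DBMS_ASSERT.ENQUOTE_NAME(c.column_name, FALSE)
        || '          AS c FROM ' || DBMS_ASSERT.ENQUOTE_NAME(c.owner, FALSE)
        || '.' || DBMS_ASSERT.ENQUOTE_NAME(c.table_name, FALSE) || ' SAMPLE (10))'
        INTO n_ssn, n_pan;
      IF n_ssn > 0 OR n_pan > 0 THEN
        DBMS_OUTPUT.PUT_LINE(c.owner || '.' || c.table_name || '.' || c.column_name
          || ': ' || n_ssn || ' SSN-like, ' || n_pan || ' PAN-like values in sample');
      END IF;
    EXCEPTION
      WHEN OTHERS THEN   -- e.g. a table type that does not support SAMPLE
        DBMS_OUTPUT.PUT_LINE('skipped ' || c.owner || '.' || c.table_name
          || ': ' || SQLERRM);
    END;
  END LOOP;
END;
/
```

The output of the data pass is the list of columns to hand to the controls on the earlier slides (encrypt, redact, mask, audit); it also answers the "48% not aware of all databases with sensitive data" figure from the IOUG report, provided the scan is run against every instance, not just the ones already believed to be sensitive.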
Oracle Database Lifecycle Management: configuration management (administrative control for Oracle databases)
Discover, then scan & monitor, then patch
• Discover and classify databases
• Scan for secure configuration against a library of best practices and standards
• Detect unauthorized changes
• Automated remediation
• Patching and provisioning
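Lifecycle Management runs its compliance library from Enterprise Manager. As an added example (not code from the slides or from Oracle), these are a few of the same scan and change-detection checks written as dictionary queries, so a practitioner without the pack can see what the "scan for secure configuration" and "detect unauthorized changes" bullets look like in practice. The package list, the parameter list and the date of the last approved change window are assumptions.

```sql
-- Added example (not Database Lifecycle Management): secure-configuration
-- checks as plain dictionary queries for Oracle Database 12c.  Lists and the
-- change-window date are assumptions; run as a DBA.

-- 1. Open accounts still on an Oracle-supplied default password.
SELECT d.username, u.account_status
  FROM dba_users_with_defpwd d
  JOIN dba_users u ON u.username = d.username
 WHERE u.account_status = 'OPEN';

-- 2. Profiles that never lock on failed logins, never expire passwords or
--    enforce no complexity function.
SELECT profile, resource_name, limit
  FROM dba_profiles
 WHERE resource_name IN ('FAILED_LOGIN_ATTEMPTS', 'PASSWORD_LIFE_TIME',
                         'PASSWORD_VERIFY_FUNCTION')
   AND limit IN ('UNLIMITED', 'NULL')
 ORDER BY profile, resource_name;

-- 3. ANY privileges held outside Oracle-maintained accounts and roles: the
--    raw material of the "cannot prevent DBAs" figures earlier in the deck.
SELECT grantee, privilege
  FROM dba_sys_privs
 WHERE privilege LIKE '% ANY %'
   AND grantee NOT IN (SELECT username FROM dba_users WHERE oracle_maintained = 'Y')
   AND grantee NOT IN (SELECT role     FROM dba_roles WHERE oracle_maintained = 'Y')
 ORDER BY grantee, privilege;

-- 4. Network and file-system packages executable by PUBLIC.
SELECT table_name AS package_name
  FROM dba_tab_privs
 WHERE grantee = 'PUBLIC' AND privilege = 'EXECUTE'
   AND table_name IN ('UTL_FILE', 'UTL_HTTP', 'UTL_TCP', 'UTL_SMTP',
                      'DBMS_JAVA', 'DBMS_SCHEDULER', 'DBMS_XMLGEN');

-- 5. Security-relevant instance parameters.
SELECT name, value
  FROM v$parameter
 WHERE name IN ('audit_trail', 'remote_os_authent', 'o7_dictionary_accessibility',
                'sec_case_sensitive_logon', 'sql92_security', 'sec_max_failed_login_attempts')
 ORDER BY name;

-- 6. Patch level: what was applied and when, for the "not patched within
--    3 months" figure.
SELECT patch_id, action, status, description, action_time
  FROM dba_registry_sqlpatch
 ORDER BY action_time DESC;

-- 7. Unauthorized change detection: application objects whose DDL time is
--    later than the last approved change window.
SELECT owner, object_type, object_name, last_ddl_time
  FROM dba_objects
 WHERE last_ddl_time > TIMESTAMP '2013-09-01 00:00:00'   -- last approved window (assumption)
   AND owner IN (SELECT username FROM dba_users WHERE oracle_maintained = 'N')
 ORDER BY last_ddl_time DESC;
```

Check 7 is only as good as the record of approved windows it is compared against; the pack keeps a baseline per target and diffs against it, which is the part worth reproducing (a saved copy of DBA_OBJECTS and DBA_SYS_PRIVS taken after each approved change) if these queries are scripted by hand.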
Oracle Database Security Solutions: the architecture for protecting critical data
• Detective: activity monitoring, database firewall, auditing and reporting
• Preventive: privileged user controls, multi-factor authorization, encryption and masking
• Administrative: data discovery and classification, vulnerability scanning, database lifecycle management
Customer cases: Enterprise Ready, Simple, Flexible, Scalable
T-Mobile protects customer data in Oracle and non-Oracle databases
Challenges
• Protect sensitive data (PCI, CPNI, SPII) in Oracle and non-Oracle databases
• Monitor database threats, including SQL injection attacks and data harvesting, without changing application code
• Comprehensive, intuitive visibility into database activity
• Understand what kinds of changes sensitive data is undergoing
Solution
• A comprehensive defense-in-depth database security strategy built on Database Firewall, TDE and Data Masking to address data security end to end
• Database activity monitoring to prevent internal and external threats
• Deployed and configured within hours; has already blocked data harvesting by a small number of stolen accounts
Provider of wireless voice, messaging and data services across the United States; the fourth-largest US wireless carrier, with more than 35 million subscribers
Industry: telecommunications
SquareTwo Financial addresses compliance and achieves separation of duties
Challenges
• Must comply with multiple regulations: GLBA, HIPAA, SOX and PCI
• Demonstrate the separation of duties required by Sarbanes-Oxley
• Scale IT security quickly to keep pace with the company's 37% growth
• Minimize the impact on 5.9 million accounts while continuing to grow
• Protect the Exadata Database Machine without changing applications
Solution
• A comprehensive defense-in-depth database security strategy built on Database Firewall, TDE and Data Masking to address compliance end to end
• Database activity monitoring to prevent internal and external threats, including SQL injection attacks
• Protects Exadata and SQL Server database activity
Leader in the recovery and management of $100 billion in assets; its partner network is used by Fortune 500 companies in banking, credit cards and healthcare
Industry: financial services