Oracle Database Security and Compliance Solutions
Wang Weimin (王伟民), Advanced Customer Services, Oracle Technical Services
Oracle Confidential

Explosive growth of information
[Chart: worldwide information volume, 2006 to 2011, reaching 1,800 exabytes. Source: IDC, 2008]

Data breaches: incidents involving leaked information
"Once exposed, the data is out there; the bell can't be un-rung."
[Chart: publicly reported data breaches, total personally identifying information records exposed (millions). Source: DataLossDB, 2009]

Business drivers for Oracle Database Security
- Integration across the data, business and system layers.
- Security management is a preventive control.
- Security controls strengthen compliance, meeting the requirements of new privacy and corporate-governance regulations (Sarbanes-Oxley, HIPAA, Gramm-Leach-Bliley, PCI DSS and others).
- Move from manual to automated methods, and from detective compliance controls to preventive controls.
- Automated preventive controls lower the cost of compliance: automated separation of duties, automated attestation, automated auditing and reporting.

Drivers of data security
- Compliance: Sarbanes-Oxley (SOX), Euro SOX, HIPAA, GLBA, PCI DSS, CA SB 1386 (California data privacy act), Basel II, and China's Basic Standard for Enterprise Internal Control.
- Internal and external threats: many threats go undetected; offshore and outsourced systems; customers need to monitor privileged insiders.
- Regulatory requirements keep growing:
  - United States: HIPAA; 21 CFR Part 11; OMB Circular A-123; SEC and DoD records-retention requirements; USA PATRIOT Act; Gramm-Leach-Bliley; US Federal Sentencing Guidelines; Foreign Corrupt Practices Act; Canada's Instrument 52 on market instruments.
  - Europe, Middle East and Africa: EU Privacy Directive; UK Companies Act; Restriction of Hazardous Substances directive (RoHS/WEEE).
  - Asia Pacific: China's Guidelines on Internal Control for Listed Companies and Basic Standard for Enterprise Internal Control; J-SOX (Japan); CLERP 9: Audit Reform and Corporate Disclosure Act (Australia); Stock Exchange of Thailand corporate-governance rules.
  - Global: International Accounting Standards; Basel II (for global enterprises); OECD Principles of Corporate Governance; Payment Card Industry Data Security Standard.

Top IT security priorities
[Chart. Source: Forrester Research Inc., "The State Of Enterprise IT Security And Emerging Trends: 2009 To 2010," Jan. 25th 2010]

Basic Standard for Enterprise Internal Control: China's "Sarbanes-Oxley Act"

Oracle Database Security: continuous innovation
[Timeline figure spanning Oracle7, Oracle8i, Oracle Database 9i, Oracle Database 10g and Oracle Database 11g. Labels: Data Masking, TDE Tablespace Encryption, Oracle Total Recall, Oracle Audit Vault, Oracle Database Vault, Transparent Data Encryption (TDE), Real Time Masking, Secure Config Scanning, Fine Grained Auditing, Oracle Label Security, Enterprise User Security, Virtual Private Database (VPD), Database Encryption API, Strong Authentication, Native Network Encryption, Database Auditing, Government customer]

Three cornerstones of an enterprise database security strategy
- Regulatory compliance: PCI, SOX, HIPAA, EU.
- Information security policies and standards.
- Unified database security policies and standards.
- Separation of duties (role separation).

Oracle Database Security & Compliance: comprehensive, integrated defense in depth
- Encryption and data masking
- Access control
- Monitoring
- User management and authentication

Oracle Database Security: product map
- Access control: Database Vault, Label Security.
- Monitoring: Configuration Management, Audit Vault, Total Recall.
- Encryption and masking: Data Masking, Advanced Security, Secure Backup.

Oracle Advanced Security Option: securing disk, tape exports, network traffic and backups
[Figure: Network Encryption; TDE Column Encryption; TDE Tablespace Encryption; Strong Authentication; RMAN/TDE fully encrypted database backups to disk; Hardware Security Module; Master Key; Oracle Wallet; Encrypted Exports]
Database encryption architecture: Tech Choices, "The Forrester Wave: Database Encryption Solutions, Q3 2005", August 2005.

Oracle Advanced Security Option: features by release
[Figure mapping features to Oracle Database 9i Release 2, 10g Release 2, 11g Release 1 and 11g Release 2: strong authentication; network encryption; TDE column encryption; TDE column encryption with HSM; TDE column encryption for SecureFiles; TDE tablespace encryption; TDE tablespace encryption with HSM; TDE with Exadata]

Oracle Advanced Security Option: protecting data in transit and at rest
- Transparent Data Encryption (TDE): no application changes; encrypts tablespaces or table columns; encrypts RMAN backups and Export dump files; encrypts Oracle SecureFiles (LOBs); built-in, automatic and transparent key management; supports Hardware Security Modules (HSM).
- Network encryption: SSL/TLS, or native encryption that needs no digital certificates.
- Strong authentication: Kerberos, PKI.

Oracle Advanced Security Option: Oracle 11g transparent tablespace encryption
- Encrypts all application data and all data files; no need to encrypt individual table columns.
- One key per tablespace; the master key protects the tablespace keys (two tiers).
- Efficient and high-performance; integrates with Oracle Advanced Compression.
- No application changes; supports all data types; supports index range scans.
[Figure: the SQL layer sees "SSN = 987-65-..." in the buffer cache, while the data blocks, undo blocks, temp blocks, flashback logs and redo logs on disk hold ciphertext such as "*M$bs%&d7"]

Encryption case study: viewing a data file with UltraEdit (before encryption)

Encryption case study: column-based encryption
Before encryption, the department column is readable in the data file:

    oracle@raclinux1 $ strings test01.dbf
    zb!RACDBTEST
    OPERATIONSBOSTON,SALESCHICAGO,RESEARCHDALLAS,ACCOUNTINGNEW YORK

After the department column is encrypted, the department names no longer appear; the city column, which was not encrypted, is still readable:

    root@raclinux1 oracle# strings test01.dbf
    zb!RACDBTEST
    :)zONEW YORK,DALLAS,Q-D0CHICAGO,BOSTON

Encryption case study: log file

    root@raclinux1 oracle# strings log004.dbf
    NEW YORK,DALLAS,CHICAGO,BOSTON
    NZgeBOSTONNEW YORK,DALLAS,4li4IECHICAGO,BOSTON
    +1.NEW YORK,DALLAS,CHICAGO,BOSTON

Oracle Advanced Security Option: network encryption
- Encrypts the SQL data stream to and from the Oracle database.
- Algorithms: AES (256-, 192- and 128-bit keys), RSA RC4 (256- and 128-bit keys), 3DES (3-key and 2-key), Diffie-Hellman key exchange.
- Data integrity checking with SHA-1; automatic detection of tampering, replay and dropped packets.

Oracle Advanced Security Option: network encryption as seen in Wireshark
[Screenshot]

Oracle Advanced Security: transparent data encryption with Data Pump
- Data Pump is used for bulk data import and export; the exported dump file is encrypted.
[Figure: expdp on Oracle Database 11g produces an encrypted export file, shown as ciphertext such as "#4f9kq90b23490bv#$9vj943)IB4390#90w3b0aqer9"P32"]
Note: the Data Pump expdp command can accept a passphrase or use the stronger Oracle Advanced Security master key to encrypt the data.

Oracle SecureFiles: the new unstructured data type in Oracle Database 11g
- Maintains unstructured data faster and more securely than a native file system.
- Transparent encryption, compression and deduplication.
- Unified security model; unified management of structured and unstructured data.
- High performance and cost effectiveness: similar to the LOB data type, but faster and with more features.
- Database-grade security, reliability and scalability.
- Many LOB interfaces, making migration from LOBs easy.

Oracle SecureFiles: faster and more secure than a native file system
[Charts: read performance and write performance in MB/s against file size in MB]

Oracle Secure Backup: integrated tape backup management
- Centralized tape backup management for file-system data (UNIX, Linux, Windows, NAS) and for Oracle databases through RMAN integration.
- Protects backup sets and database backups; automatic key management.
- High performance: does not back up the undo data of committed transactions.
- Advanced media management: automatic tape rotation; policy-based tape copies.

Virtual Private Database: real-time data access control
- Column-relevant VPD policies can automatically mask sensitive data.
- Example predicate appended to queries:

    where account_mgr_id = sys_context('APP', 'CURRENT_MGR');

[Figure: "Select * from customers;" evaluated under a VPD policy with MGR ID = 148; the SSN column is masked in the returned customer rows]

Production data in non-production environments
- Almost 50% of all organizations exposed production data in non-production environments; only 16% have a system in place for de-identifying sensitive data (2010 IOUG Data Security Report).
- Consumers of such copies: application developers, IT service providers, business partners, market research, clinical research.

Data Masking Pack: offline data masking
- Protects sensitive data by transforming it, without affecting production data.
- Built-in discovery.
- Uses foreign-key definitions to maintain relationships between tables; supports custom relationship definitions.
[Figure: production database masked into a test or development database]

Data Masking version support
- Oracle Database 9.2 through 11.2, and all Oracle Applications on those database platforms.
- Available in Oracle Enterprise Manager Grid Control 10.2.0.4 and 11.1, and Oracle Enterprise Manager Database Control 11.2.

Data Masking implementation methodology: Find, Assess, Secure, Test.

Oracle database access control: fine-grained access control
[Section figure: Database Vault, Label Security (access control); Data Masking, Advanced Security, Secure Backup]

Oracle Database Vault: superuser control
- Prevents a DBA from accessing HR data, and HR from accessing financial data.
- Compliance: prevents internal privilege abuse.
- Eliminates the potential security risks introduced by consolidating business systems.
[Figure: DBA, HR App and FIN App issuing SELECT * FROM HR.EMP]

Oracle Database Vault: real-time data access control

Oracle Database Vault: built-in factors
- Session and user: user name, authentication method, session user, proxy identity.
- Network: machine name, client IP, network protocol.
- Database: database IP, instance, host name, SID, runtime language, date and time.
- Others can be defined and customized.

Oracle Database Vault: separation of duties
- Account management: new accounts are created by the Database Vault account administrator.
- Security management: Database Vault is administered with a separate account, distinct from DBA or SYSDBA.
- Traditional database administration: account management and security management are separated from it.

Oracle Label Security: label-based access control
- Sensitive data protection: data labels are assigned to rows and user labels to application users; a built-in algorithm mediates table access transparently (user label authorization).
- Flexible, customizable, policy-based architecture.
- Enhanced option privileges, trusted stored procedures, complete API.

Oracle Label Security label components
- Level (for example Confidential, Sensitive, Highly Sensitive), Compartment (for example HR), Group (for example US).
- Example label: Sensitive : HR : US (Level : Compartment : Group).

Oracle Label Security in the overall data-security picture
- Data security: fine-grained auditing (FGA) identifies abuse of data-access privileges; VPD and row label security (Label Security) strengthen row-level security; encryption of stored data protects highly sensitive data.
- Network security: all protocols connecting to the database are encrypted to prevent sniffing and tampering.
- Unified user identity: strong authentication; centralized management through PKI and LDAP; data privacy; auditing.

Oracle Label Security: row label security
- An add-on security option for Oracle Enterprise Edition; a unique, innovative and powerful row-level security system.
- Built on the VPD component (fine-grained access control, FGAC), adding a label-based access-control architecture and an internal security package that uses sensitivity labels to restrict internal access.
- Designed for the increasingly urgent and stringent row-level security requirements of government and commercial customers.
- Data access is based on sensitivity labels and customizable mandatory options.

VPD and OLS compared
- VPD: part of Enterprise Edition; the customer develops the security policy (custom development).
- OLS: an Enterprise Edition security option; Oracle supplies the security policy and row-label architecture, so no development is needed.
- In common: both provide APIs, both can be used for centralized security within a hosted database, and both restrict access at the row level.

Oracle Database Security: security patching and configuration management
[Section figure: Database Vault, Label Security; Configuration Management, Audit Vault, Total Recall (monitoring); Data Masking, Advanced Security, Secure Backup]

Auditing in the Oracle Database: robust, flexible, precise
- Industry-leading statement auditing; DDL/DML privilege auditing on schema objects; auditing of statements that use specific system privileges; auditing of specific users or user groups.
- Fine-grained auditing: policy-based conditional auditing with high flexibility.
- Audit trail in a table or in XML; supports Windows Event Viewer and syslog.

Oracle Audit Vault overview
[Figure: Monitor, Policies, Reports, Security; audit sources: Oracle Databases, DB2, Sybase (beta), Microsoft SQL Server]

Oracle Audit Vault reports
- Automatic data filtering, condition-based highlighting of specific records, customized reports, graphical report display.

Oracle Audit Vault alerts: discovering security threats through alerts
- Efficient scanning of the audit data.
- Customizable alerts, for example: direct access to sensitive data, a new user created on a specific system, privilege grants, DBA privilege management, failed system logins.

Oracle Audit Vault policies: centralized management of audit policies
- Policy definition: centralized policy management; SOX and HIPAA policy audit settings.
- Defined policies can be retrieved; policies can be reset manually.
- Policy provisioning: policies can be pushed to specific audit sources.
- Policy maintenance: newly approved policies are compared against existing ones.
[Figure: SOX audit settings, privileged-user audit settings and privacy audit settings provisioned from Oracle Audit Vault to the financial, customer and HR databases]

Oracle Database auditing: why audit
- Audit all operations of superusers.
- Database-level DDL: create/drop/alter table; create/drop/alter user; create/drop database link; create/drop/alter view.
- Failed logins.
- Sensitive data access: audit access to highly classified data.

Oracle Audit Vault: $AV_HOME/demo/secconf.sql
Privileges audited by the demo script: ALTER ANY PROCEDURE, CREATE ANY JOB, DROP ANY TABLE, ALTER ANY TABLE, CREATE ANY LIBRARY, DROP PROFILE, ALTER DATABASE, CREATE ANY PROCEDURE, DROP USER, ALTER PROFILE, CREATE ANY TABLE, EXEMPT ACCESS POLICY, AUDIT ROLE BY ACCESS, CREATE EXTERNAL JOB, GRANT ANY OBJECT PRIVILEGE, ALTER SYSTEM, CREATE PUBLIC DATABASE LINK, GRANT ANY PRIVILEGE, ALTER USER, CREATE SESSION, GRANT ANY ROLE, AUDIT SYSTEM, CREATE USER, AUDIT SYSTEM BY ACCESS, DROP ANY PROCEDURE.

Oracle Audit Vault CPU overhead
- Audit source: original workload CPU 1.08% for the 10 audits/sec case; 1.56% for the 100 audits/sec case.
- Internal testing. Source: 4x32GB 3GHz Intel Xeons, RHEL 3.0, running 2 Oracle Database 10.2.0.3.0. AV Server: 2x6GB 3GHz Intel Xeons, RHEL 3.0, AV Server 10.2.2.0.0.

Oracle Total Recall: secure change tracking
- "Transparent" data-change history and change tracking.
- Efficient, secure management and maintenance of archived data.
- Real-time access to historical and archived data.
- Provides authentic, detailed data for error correction and dispute resolution.
Example flashback query:

    select salary from emp as of timestamp to_timestamp('02-MAY-09 12.00 AM', 'DD-MON-RR HH.MI AM') where emp.title = 'admin';

Oracle Configuration Management: vulnerability assessment and secure configuration
- Database discovery and system management.
- Periodic security scans based on best practices.
- Proactive prevention and detection of unauthorized configuration changes.
- A large set of built-in corporate-governance configuration reports.
[Figure: lifecycle of Discover, Classify, Assess, Prioritize, Fix and Monitor across Asset Management, Policy Management, Vulnerability Management, Configuration Management & Audit, and Analysis & Analytics]

Configuration Management Pack: secure configuration management

Oracle Database Firewall
[Figure: application, database and administrators; database application users and web users. "Data must be protected at the source."]

Oracle Database Firewall: business drivers
- Customers need a first line of defence to monitor and protect against existing and emerging threats.
- Hackers breach databases from the web by exploiting vulnerabilities in applications.
- Stolen credentials are exploited for unauthorized use.

Oracle Database Firewall
- Monitors database activity to help prevent unauthorized activity, application bypass and SQL injection.
- Highly accurate SQL-grammar-based analysis.
- White-list, black-list and exception-list based security policies.
- Built-in and custom compliance reports for regulations.

Oracle Database Firewall: front-line protection with an optimistic (white-list) security model
- White-list based policies enforce normal or expected behavior.
- Policies evaluate factors such as time, day, network and application.
- White-lists are easily generated for any application.
- Out-of-policy SQL statements can be logged, alerted, blocked or substituted with a harmless SQL statement; SQL substitution foils attackers without disrupting applications.
[Figure: applications, white list, allow and block]

Oracle Database Firewall: enhanced protection with a pessimistic (black-list) security model
- Stops specific unwanted SQL commands, users or schema access.
- Prevents privilege or role escalation and unauthorized access to sensitive data.
- Black-list policies can evaluate factors such as day, time, network and application.
[Figure: applications, black list; actions block, log, allow, alert, substitute]

Oracle Database Firewall: scalable and safe policy enforcement
- Innovative SQL grammar technology reduces millions of SQL statements into a small number of SQL characteristics or "clusters".
- Flexible enforcement at the SQL level: block, substitute, alert and pass, log only.
- SQL substitution foils attackers without disrupting applications.
- Centralized policy management and reporting; superior performance and policy scalability.

Oracle Database Firewall: reports
- Database Firewall log data is consolidated into a reporting database.
- Dozens of built-in reports that can be modified and customized; database activity and privileged-user reports.
- Entitlements reporting for database attestation and audit; supports demonstrating controls for PCI, SOX, HIPAA, etc.
- Logged SQL statements can be sanitized of sensitive PII data.

Oracle Database Firewall: architecture
- In-line blocking and monitoring, or out-of-band monitoring modes.
- High availability with parallel firewalls.
- Monitoring of remote databases by forwarding network traffic.
- Application agnostic; supports Oracle and non-Oracle databases.
[Figure: in-line blocking and monitoring, HA mode, inbound SQL traffic, out-of-band monitoring, policy analyzer]

Oracle Database Security: comprehensive, integrated defense in depth (summary)
- Access control: Database Vault, Label Security.
- Monitoring: Configuration Management, Audit Vault, Total Recall.
- Encryption and masking: Data Masking, Advanced Security, Secure Backup.

Current and planned use of enabling technologies
- All respondents: using planned versus current use as a proxy for year-over-year growth rates shows near-term market opportunity; current evaluations indicate strong market interest in database encryption, data masking and tokenization.
- By maturity class: Best-in-Class organizations have more aggressively deployed a variety of technologies designed to protect the database.

Oracle Database Security Assessment Service: common business pain points
- Compliance and internal governance get little support from IT systems.
- Over-privileging, such as granting the DBA role to application users.
- Default installations, default users and passwords, weak passwords, passwords that are reused and never expire.
- Backup data stored carelessly, for example on removable storage devices.
- Opaque indirect grants that amplify object and system privileges.
- Old, outdated versions.

Security assessment service process
- Security assessment questionnaire.
- Check list.
- Assessment tools: Security Assessment Tool (SAT), custom Oracle security-information scripts, Remote Diagnostic Assistant (RDA).
- Deliverable: Report of Findings (RoF).

Dedicated security assessment tool
- Collects information from the Oracle database, runs the built-in security analysis and produces a findings report.
- Combined with the questionnaire, customer feedback, RDA and other inputs, it serves as the initial assessment recommendation.
- Checks the database in four areas: user configuration, system environment, privileges and roles, auditing and monitoring.
- Supports multiple Oracle versions.