Oracle Database Security
Kwesi Edwards, Principal Solutions Architect, Oracle Higher Education
Dominic Young, Account Manager, Oracle Higher Education

Data Security Lifecycle
- Inbound Data: Network Encryption, Strong Authentication, Identity Management Integration
- Storage: Transparent Data Encryption, Secure Backup
- Access Control: Database Vault, Oracle Label Security, Fusion Security
- Outbound Data: Network Encryption
- Monitor: Configuration Scanning, Audit Vault

Agenda
- Network Encryption: encryption of data in motion
- Strong Authentication: PKI, Kerberos, RADIUS
- Data Encryption: encryption of data at rest
- Secure Backup
- Oracle Data Vault
- DB Auditing: Audit Vault

Network Security Threats
1. Data Theft: my competitor sees my bids in a sealed auction ($50,000)
2. Data Modification or Replay ($500.00)
3. Data Disruption: packet stolen, order never arrives

Network Encryption
- Provided by Oracle for nearly a decade
- Encrypts all communication with the database
- Algorithms: AES; RSA RC4 (40-, 56-, 128-, 256-bit keys); DES (40-, 56-bit) and 3DES (2- and 3-key)
- Data integrity with checksums: MD5, SHA-1
- Automatically detects modifications, replays and missing packets
- Easy to set up

Strong Authentication
- Kerberos: ease of deployment makes this a popular choice
- PKI: large customers are working on full-scale deployments; strong interest among large universities; Oracle supports SSL accelerators
- RADIUS: the database integrates with RADIUS

The Need for Encryption
- Worldwide privacy and security laws and regulations: Sarbanes-Oxley, PCI, California SB 1386, country-specific laws
- Customer credit card numbers
- Disks replaced for maintenance, laptops stolen, backups lost: data is worthless if encrypted

The DBMS_CRYPTO Package
- Formerly DBMS_OBFUSCATION (Release 8)
- Extensive control of options: generate as many, or as few, keys as you desire
- Granular access control, manual salt generation, algorithm selection, chaining mode
- Limited transparency

Transparent Data Encryption
- Integrated with the Oracle database for simplicity: ALTER TABLE ... ENCRYPT column
- Provides application transparency: no API calls, database triggers or views required
- Media protection of PII data: Social Security numbers, credit card numbers
- Performance: works with existing indexes for fast searches

Separation of Duties
- DBA starts up the database
- Security DBA opens the wallet containing the master key
- Wallet password is separate from the SYSTEM or DBA password
- No access to the wallet

Master Key and Column Keys
- Master key stored in a PKCS#12 wallet; the Security DBA opens the wallet containing the master key
- Column keys are encrypted by the master key
- Column keys encrypt the data in the columns

Oracle Secure Backup: Tape Backup Management
- Highest levels of tape data protection at the lowest cost
- Fastest and best-integrated tape backup for the Oracle Database: Recovery Manager (RMAN) integration, Enterprise Manager (EM) interface
- Maximum security options
- Free version (limited functionality) will ship with the Oracle Database
- Centralized tape backup management

Why Use Oracle Secure Backup?
- Scalable from the department to the data center
- Database tape backups can now be seamlessly managed by Database Administrators (DBAs) or the storage group
- Intelligent integration with RMAN, delivering the best performance and security for database backups
- Easily managed using Enterprise Manager (EM)
- Single technical support resource for the entire backup solution expedites problem resolution
- Reliable data protection at lower cost and complexity, for the Oracle Database and file system data

End to End Security
- Data written to disk is automatically encrypted (Oracle Advanced Security Transparent Data Encryption)
- Data is encrypted on backup files
- Data is automatically decrypted through the SQL interface
- Oracle Advanced Security Network Encryption and Oracle Advanced Security Strong Authentication protect the connection
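The TDE flow on the preceding slides (DBA starts the instance, a separate Security DBA holds the wallet password, column keys wrapped by a master key in a PKCS#12 wallet) as an added SQL*Plus example; this is not code from the deck. The schema, table and column names (HR.CUSTOMERS, CARD_NO, SSN, CUST_ID) and the wallet password are constructed placeholders.

```sql
-- Added example, not from the deck. Oracle 10gR2 TDE with the separation of
-- duties the slides describe. Names and the wallet password are constructed.

-- Step 1 (DBA, connected AS SYSDBA): start the instance. The DBA never needs
-- the wallet password; until the wallet is opened, encrypted columns are
-- unreadable even to SYS.
STARTUP;

-- Step 2 (Security DBA, one time only): create the wallet and the master key.
-- The wallet is written in PKCS#12 format to the ENCRYPTION_WALLET_LOCATION
-- configured in sqlnet.ora. This password is NOT the SYS/SYSTEM password.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "WalletPw-Placeholder#1";

-- Step 2 on every later startup: just open the existing wallet.
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "WalletPw-Placeholder#1";

-- Step 3 (schema owner or DBA): encrypt PII columns in place. The table gets
-- its own column key, which is wrapped by the master key held in the wallet.
-- NO SALT keeps an existing B-tree index usable for equality lookups (the
-- "works with existing indexes" claim); a salted column (the default) cannot
-- be indexed, so choose per column.
ALTER TABLE hr.customers MODIFY (card_no ENCRYPT USING 'AES256' NO SALT);
ALTER TABLE hr.customers MODIFY (ssn ENCRYPT);   -- default: AES192, salted

-- Check: which columns are encrypted, with which algorithm and salt setting.
SELECT owner, table_name, column_name, encryption_alg, salt
  FROM dba_encrypted_columns
 WHERE owner = 'HR';

-- Transparency check: the application reads plaintext through ordinary SQL,
-- with no API calls, triggers or views; datafiles and RMAN backups hold
-- ciphertext for these columns.
SELECT card_no FROM hr.customers WHERE cust_id = 42;

-- Step 4 (Security DBA): close the wallet, for example before a disk is handed
-- to a maintenance vendor. Queries on encrypted columns now fail with
-- ORA-28365 (wallet is not open) until the wallet is reopened.
ALTER SYSTEM SET ENCRYPTION WALLET CLOSE;
```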
Data Vault Objectives
- Multi-factored approach to database security
- Protect and share data assets using environmental factors for assurance
- Defense-in-depth approach: protect application schemas from system privileges
- Database server as database appliance: lock down, hardened software and privileges
- Comprehensive audit policy
- Separation of duties

Data Vault Protected Schema
- Protect Data Vault metadata from tampering
- Remove the metadata dependency on the SYS schema
- Access to the protected schema only through the administrative roles
- Provide separation of duties through different administrative roles
- Password required for SYS login; no OSDBA group membership

Auditing
- Audit and monitor database activity: logon failures, privilege usage, data access, object access and other activities
- Standard Audit Trail (over 250 audit actions) gives the first level of information about access to the database: statement auditing, privilege auditing, schema object auditing
- Fine-Grained Auditing (FGA) gives the second level of information about specific operations on the database; enables you to monitor data access based on content

Oracle Database 10g Auditing: Fine-Grained Auditing (FGA)
Beginning with Oracle9i Database, Oracle provides the capability to audit specific rows within a table. This is accomplished using the DBMS_FGA package.
Features:
- Attach an audit policy to a table or view
- Specify the audit condition using a SQL predicate
- The user's query text, with bind variables, is written to the audit record upon a triggering audit event
- An event handler can alert an administrator to the triggering condition (e.g. write a record to a log, send a page)

Oracle Audit Vault
[Architecture diagram: audit sources (Oracle Database 10gR2, 10gR1, 9iR2; future: other sources and databases) feed Audit Vault, which provides Monitor, Policies, Reports and Security]

Oracle Database Security: 30 Years of Innovation (1977 to 2007)
[Timeline figure, newest first: Oracle Audit Vault; Oracle Database Vault; DB Security Evaluation #19; Transparent Data Encryption; EM Configuration Scanning; Fine Grained Auditing (9i); Secure application roles; Client Identifier / Identity propagation; Oracle Label Security; Proxy authentication; Enterprise User Security; Global roles; Virtual Private Database (8i); Database Encryption API; Strong authentication (PKI, Kerberos, RADIUS); Native Network Encryption (Oracle7); Database Auditing; Government customer (1977)]

For More Information
http:/
or Data Encryption
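The FGA features listed above (policy attached to a table, SQL predicate as the audit condition, query text and binds captured, an alerting event handler) as an added example; this is not code from the deck. The SEC schema, SEC.FGA_ALERTS, HR.EMPLOYEES and the 100000 threshold are constructed.

```sql
-- Added example, not from the deck: DBMS_FGA policy with a SQL predicate, the
-- statement text and binds captured, and an alerting handler. SEC schema,
-- SEC.FGA_ALERTS, HR.EMPLOYEES and the 100000 threshold are constructed.

-- Alert sink the handler writes to (a real deployment might page or e-mail).
CREATE TABLE sec.fga_alerts (
  alert_ts  TIMESTAMP,
  db_user   VARCHAR2(30),
  obj_owner VARCHAR2(30),
  obj_name  VARCHAR2(30),
  policy    VARCHAR2(30));

-- Event handler: Oracle invokes it with exactly this signature on each
-- triggering event. Autonomous transaction so the alert is committed even if
-- the audited statement later rolls back.
CREATE OR REPLACE PROCEDURE sec.fga_alert (
  object_schema VARCHAR2, object_name VARCHAR2, policy_name VARCHAR2)
AS
  PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
  INSERT INTO sec.fga_alerts VALUES (SYSTIMESTAMP,
    SYS_CONTEXT('USERENV', 'SESSION_USER'),
    object_schema, object_name, policy_name);
  COMMIT;
END;
/

-- Policy: audit SELECT or UPDATE statements that reference SALARY and touch a
-- row where the predicate holds; other rows produce no record, so the trail is
-- content-based. DB_EXTENDED stores SQL_TEXT and SQL_BIND with each record.
BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema   => 'HR',
    object_name     => 'EMPLOYEES',
    policy_name     => 'HIGH_SALARY_ACCESS',
    audit_condition => 'SALARY > 100000',
    audit_column    => 'SALARY',
    handler_schema  => 'SEC',
    handler_module  => 'FGA_ALERT',
    enable          => TRUE,
    statement_types => 'SELECT,UPDATE',
    audit_trail     => DBMS_FGA.DB_EXTENDED);
END;
/
-- Review: who ran what, with bind values, for each triggering event.
SELECT timestamp, db_user, object_name, sql_text, sql_bind
  FROM dba_fga_audit_trail
 WHERE policy_name = 'HIGH_SALARY_ACCESS'
 ORDER BY timestamp;
```

If the handler raises an exception the audited statement itself fails, so keep the handler body minimal and test it before enabling the policy in production.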