Introducing Oracle Database Security Assessment Tool (DBSAT)

Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |

Oracle dbsat

Rainer Meisriemler, Master Principal Sales Consultant, Architects for Cloud- & On-Premise-Technologies
Email: [email protected]
Tel.: 0711/ 72840162


Disclaimer

The information in this document may not be construed or used as legal advice about the content, interpretation or application of any law, regulation or regulatory guideline. Customers and prospective customers must seek their own legal counsel to understand the applicability of any law or regulation on their processing of personal data, including through the use of any vendor’s products or services.


Evolving Regulatory Landscape

Figure: world map of data-protection regulations, labelled CDPL, CLPPL, APDPL, APP, NZPA, SAECTA, MPDPL, MDPA, EU GDPR, Ru DPA, Th OIA, IT Act, Si PDPA, APPI, Ch GDPL, HK PDPO, Art. 5, GLBA, HIPAA, Patriot Act, PIPEDA, CIP, NY DFS500, FOIPPA, PCI and 48 state data privacy laws.


(ISC)² Secure Berlin

Is the castle wall alone still sufficient today?


Source: https://www.heise.de/newsticker/meldung/Hacker-zwacken-Rechenleistung-von-Behoerde-ab-um-Kryptogeld-zu-schuerfen-3938113.html

Oracle's security concept: moat, castle wall, castle ...

Figure: layered diagram, each layer labelled SECURITY, showing security between systems, security in every layer and security between the layers.

Oracle End-to-End Security: Overview

• Governance, Risk & Compliance, Access & Certification Review, Anomaly Detection, User Provisioning, Entitlements Management

• Mobile Security, Privileged Users, Directory Services, Identity Governance, Entitlements Management, Access Management

• Encryption, Masking, Redaction, Key Management, Privileged User Control, Big Data Security, Secure Config

• Solaris Trusted Extensions, LDAP Host Access Control

• Secure Live Migration

• Cryptographic Acceleration, Application Data Integrity

• Secure Backup, Disk Encryption, ILM Security

Oracle Database Security Assessment Tool


The GDPR deadline is coming... Where to start? What do I even need to look at? What data do I actually have? Skills? Effort?

Is my database securely configured? Where is my sensitive and confidential data?

Who has access to my sensitive data? Which security controls/policies are active?

Do we have specialised DB security know-how? Do we know all the security gaps?

Do we have the time for a security analysis? What should be done first?

What are the risks?


DBSAT: who are the contacts at the customer?

• IT security (CSO), IT security officer, ... IT management

• Management, business departments

• DBA management, database administration

• Developers, data protection officer (!!)


Oracle Database Security Assessment Tool (DBSAT)

• Understand how (in)secure a database is

– Report on the overall security status

– Finding users, privileges and risks

– Discovering sensitive data

• Reusable assessment reports

– Summary and detailed information

– Prioritised recommendations

– Mapping to EU GDPR and the CIS Benchmark

• Stand-alone lightweight tool: quick, easy

• FREE for all Oracle customers

Is the database securely configured?

Users? Privileges?

What sensitive data do I have?


• Download the tool from Oracle Support (Doc ID 2138254.1)

Database Security Assessment Tool (DBSAT)

Tasks and use cases

• Analyse security needs (discover sensitive data)

• Quick evaluation of risks for Oracle databases

• Quickly finds security-relevant misconfigurations

• Reduces the attack surface and the risk

• Recommendations help protect your sensitive data

• Increases the security of your Oracle database

Support for the German language is currently still in progress!


Identifying risks


How can DBSAT help on the path to compliance?


Security Assessment Flow: Discovery

Figure: DBSAT Discovery runs against a 10g, 11g or 12c database and delivers the sensitive-data findings as Spreadsheet, Text or HTML.

Report: What Sensitive Data Do We Have? How Much? Sensitive Data Landscape Summary

* Number of unique Tables with Sensitive Data.

** Number of unique Rows with Sensitive Data.


Report: Which Tables Have Sensitive Data? How Much? Table Summary


Use Case: Which Columns Have Sensitive Data? How Much? Sensitive Column Details


Security Assessment Flow

Figure: DBSAT Collector gathers the data from a 10g, 11g or 12c database; DBSAT Reporter turns the collected file into Spreadsheet, Text or HTML reports.

Example: Security Findings

Anatomy of a Finding

Details of the Finding

Rationale and Recommendations

Mapping to Regulations

Status can be Evaluate, Advisory, Pass, Low Risk, Medium Risk or High Risk

Category of the Finding

Applicability to Regulations


Summary Output with Prioritized Findings

Use Case: Is the Database Securely Configured?


Use Case: Users and Their Entitlements? Users with DBA Role Granted Directly and Indirectly

Indirect grant: user DEBRA got the DBA role indirectly via the role APP_ROLE
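The indirect grant on this slide (DEBRA holding DBA through APP_ROLE) can be reproduced outside DBSAT with a hierarchical query over the data dictionary. This is an added example, not DBSAT's own query or report logic; it assumes read access to DBA_ROLE_PRIVS and DBA_USERS, and the names DEBRA and APP_ROLE are the slide's sample values.

```sql
-- Added example (not DBSAT code): list every user who holds the DBA role,
-- directly or through a chain of roles, together with the chain that grants it.
-- The hierarchy starts at DBA and walks DBA_ROLE_PRIVS backwards: each step
-- finds who was granted the grantee of the previous step.
SELECT p.grantee                                              AS holder,
       LEVEL - 1                                              AS intermediate_roles,
       CASE WHEN LEVEL = 1 THEN 'DIRECT' ELSE 'INDIRECT' END  AS grant_type,
       'DBA' || SYS_CONNECT_BY_PATH(p.grantee, ' <- ')        AS grant_chain,
       p.admin_option                                         AS with_admin
  FROM dba_role_privs p
 -- keep only rows whose grantee is a user (or PUBLIC); intermediate roles are
 -- still part of the chain, they just do not become result rows
 WHERE p.grantee IN (SELECT username FROM dba_users)
    OR p.grantee = 'PUBLIC'
START WITH p.granted_role = 'DBA'
CONNECT BY NOCYCLE PRIOR p.grantee = p.granted_role
 ORDER BY intermediate_roles, holder;
```

With the slide's sample grants (DBA granted to APP_ROLE, APP_ROLE granted to DEBRA) DEBRA appears as INDIRECT with the chain DBA <- APP_ROLE <- DEBRA, alongside the direct holders such as SYS and SYSTEM.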


Example Finding that relates to a GDPR Article/Recital

e.g. Article 32, Security of Processing


Report in Multiple Formats: HTML, JSON, Spreadsheet, Text


Easy to use

• The current version is available from My Oracle Support (Doc ID: 2138254.1) or via OTN: http://www.oracle.com/technetwork/database/security/dbsat/overview/index.html

• Available to all database customers with an active support contract

• Supports Oracle Database 10g, 11g, 12c and 18c

• Free to use

• Simple & non-invasive: collect information by running 'dbsat collect' on the target

– Only read privileges are needed

– Platform independent

– The output file is encrypted with a password

– Run 'dbsat report' on the target or elsewhere
