Oracle Database Security and Audit - ISACA
Copyright © 2014, Reidy Database Consulting, LLC
Reidy Database Consulting, LLC Database Security and Risk Assessment
Oracle Database Security and Audit
Beyond Checklists
The future - Oracle 12c
• Oracle 12c
12c new security features
http://www.oracle.com/technetwork/database/security/security-compliance-wp-12c-1896112.pdf
Locate & catalog sensitive data
[Slide diagram: OEM 12c with SDD and Data masking sitting between the production database and the non-production database; TSDP and ASDR applied to the data itself]
SDD - Sensitive data discovery and modeling.
Data masking provides end to end automation for provisioning test databases from production in compliance with regulations. A single source can apply data privacy rules to sensitive data across enterprise-wide databases.
TSDP - Transparent sensitive data protection.
Advanced security data redaction (ASDR) makes the business need-to-know decision based on declarative policy conditions.
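The "declarative policy conditions" behind ASDR are ordinary Data Redaction policies. The block below is an added example, not from the presentation: it uses the DBMS_REDACT package as documented for 12c, and the schema, table, column names (HR.EMPLOYEES.SSN, SALARY) and the HR_PII_VIEWER role are assumptions for illustration.

```sql
-- Added example (not from the presentation). HR.EMPLOYEES, the SSN/SALARY
-- columns and the HR_PII_VIEWER role are assumed names for illustration.
--
-- Partial redaction: the SSN is stored as 'nnn-nn-nnnn'; mask character
-- positions 1-5 with '*' and keep the last four digits. The format string is
-- DBMS_REDACT.PARTIAL syntax: input format, output format, mask char, start, end.
BEGIN
  DBMS_REDACT.ADD_POLICY(
    object_schema       => 'HR',
    object_name         => 'EMPLOYEES',
    column_name         => 'SSN',
    policy_name         => 'REDACT_EMP_PII',
    function_type       => DBMS_REDACT.PARTIAL,
    function_parameters => 'VVVFVVFVVVV,VVV-VV-VVVV,*,1,5',
    -- The need-to-know decision, evaluated per query: redact unless the
    -- session has the (assumed) HR_PII_VIEWER role enabled.
    expression          => 'SYS_CONTEXT(''SYS_SESSION_ROLES'',''HR_PII_VIEWER'') = ''FALSE''',
    enable              => TRUE);
END;
/

-- Extend the same policy to a second column with full redaction
-- (numeric columns are returned as 0 under DBMS_REDACT.FULL).
BEGIN
  DBMS_REDACT.ALTER_POLICY(
    object_schema => 'HR',
    object_name   => 'EMPLOYEES',
    policy_name   => 'REDACT_EMP_PII',
    action        => DBMS_REDACT.ADD_COLUMN,
    column_name   => 'SALARY',
    function_type => DBMS_REDACT.FULL);
END;
/

-- Audit check: which objects carry redaction policies, and which columns.
SELECT object_owner, object_name, policy_name, expression, enable
  FROM redaction_policies;
SELECT object_owner, object_name, column_name, function_type
  FROM redaction_columns;
```

Redaction only changes what a query returns. Users holding the EXEMPT REDACTION POLICY privilege see the real values, and the policy does nothing for direct access paths such as Data Pump exports, which is why the slide pairs it with discovery (SDD) and the access controls in the rest of the deck.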
Monitoring configuration
[Slide diagram: OEM 12c with DLMP monitoring the production database for accounts, entitlements and password complexity, and maintaining a secure configuration]
DLMP - Data lifecycle management pack
Real Application Security (RAS)
• Database authorization model
• Declarative security policies
• Manage application security for application users (not database users)
• Manage security for application level tasks
• Application user identity to be known during security enforcement
• Return security to the database layer
Provide a uniform security model across all tiers and support multiple application user stores, including the associated roles, authentication credentials, database attributes, and application-defined attributes.
The database can natively support the application security context. The database supports integrated policy specification and enforcement for both the application and the database, so the application does not need to do this through application code. Because the database stores the application security context information, this also reduces network traffic.
Database vault
• Mandatory realms
• Seal off application objects from all access
• Block or enforce checks on SQL commands
• Additional layer of rules and checks
• Ad-hoc creation of database links
• Copy tables (CTAS, copy table)
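A mandatory realm is what "seal off application objects from all access" means in practice: unlike a regular realm, it also stops the object owner and holders of ANY privileges. The block below is an added example, not from the presentation; it uses the DBMS_MACADM and DBMS_MACUTL packages as documented for Database Vault 12c, and the realm name, the APP schema and the APP_SVC account are assumptions for illustration. It must be run by a user holding the DV_OWNER role.

```sql
-- Added example (not from the presentation). 'APP Data Realm', the APP
-- schema and the APP_SVC account are assumed names for illustration.
-- Run as a Database Vault owner (DV_OWNER role).

BEGIN
  -- realm_type => 1 makes the realm mandatory: object owner and ANY-privilege
  -- holders are blocked too. realm_type => 0 would be a regular realm.
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'APP Data Realm',
    description   => 'Seals off the APP schema from all non-authorized access',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL,  -- audit blocked attempts
    realm_type    => 1);

  -- Protect every object of every type in the APP schema.
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'APP Data Realm',
    object_owner => 'APP',
    object_name  => '%',
    object_type  => '%');

  -- Only the application service account is authorized, as a participant
  -- (a participant cannot hand realm access to others; that would need
  -- G_REALM_AUTH_OWNER).
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name   => 'APP Data Realm',
    grantee      => 'APP_SVC',
    auth_options => DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);
END;
/

-- Audit checks: realm definition, protected objects and authorized grantees.
SELECT name, enabled, audit_options FROM dba_dv_realm
 WHERE name = 'APP Data Realm';
SELECT owner, object_name, object_type FROM dba_dv_realm_object
 WHERE realm_name = 'APP Data Realm';
SELECT grantee, auth_options FROM dba_dv_realm_auth
 WHERE realm_name = 'APP Data Realm';

-- With unified auditing, realm violations land in the unified audit trail.
SELECT event_timestamp, dbusername, dv_action_name, dv_action_object_name
  FROM unified_audit_trail
 WHERE audit_type = 'Database Vault'
 ORDER BY event_timestamp DESC;
```

Before enabling a mandatory realm in production, confirm that every legitimate path into the schema (batch jobs, the application's own account, DBA maintenance) is listed as a realm authorization; a mandatory realm blocks the schema owner as well, which is the point, but also the most common surprise.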
Others
• Code based access control
• Grant roles to stored code
• New roles
• SYSDG (data guard)
• SYSBACKUP (RMAN)
• SYSKM (advanced key management)
• AUDIT_ADMIN, AUDIT_VIEWER (unified conditional auditing)
• Role reduction (RESOURCE is removed)
• System privilege reduction (UNLIMITED TABLESPACE removed)
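The items on this slide are all things a reviewer can verify or apply with plain SQL. The block below is an added example, not from the presentation: it shows the 12c administrative roles, a role granted to stored code (code based access control), and an explicit tablespace quota in place of the UNLIMITED TABLESPACE privilege. The user, role, schema and procedure names (BACKUP_OP, HR_SALARY_READER, HR.SHOW_AVG_SALARY, APP_USER, APP_OWNER) are assumptions for illustration.

```sql
-- Added example (not from the presentation). All user, role, schema and
-- procedure names below are assumed for illustration; passwords are placeholders.

-- 1) Task-scoped administrative roles instead of SYSDBA for everyone.
CREATE USER backup_op IDENTIFIED BY "<placeholder-password>";
GRANT SYSBACKUP TO backup_op;          -- RMAN backup and recovery only
-- GRANT SYSDG   TO dg_op;             -- Data Guard operations
-- GRANT SYSKM   TO key_admin;         -- TDE keystore management
-- GRANT AUDIT_ADMIN  TO sec_admin;    -- configure unified audit policies
-- GRANT AUDIT_VIEWER TO auditor;      -- read the unified audit trail

-- 2) Code based access control: the role is attached to the procedure and is
--    enabled only while the procedure executes. The caller never holds it.
CREATE ROLE hr_salary_reader;
GRANT SELECT ON hr.employees TO hr_salary_reader;

CREATE OR REPLACE PROCEDURE hr.show_avg_salary (p_dept IN NUMBER)
  AUTHID CURRENT_USER                  -- invoker's rights; roles of the unit apply
AS
  v_avg NUMBER;
BEGIN
  SELECT AVG(salary) INTO v_avg
    FROM hr.employees
   WHERE department_id = p_dept;
  DBMS_OUTPUT.PUT_LINE('Average salary: ' || TO_CHAR(v_avg));
END;
/
GRANT hr_salary_reader TO PROCEDURE hr.show_avg_salary;  -- 12c syntax
GRANT EXECUTE ON hr.show_avg_salary TO app_user;
-- app_user can run the procedure but cannot SELECT FROM hr.employees itself.

-- 3) UNLIMITED TABLESPACE is no longer implied by a role grant:
--    give explicit privileges and a bounded quota instead.
CREATE USER app_owner IDENTIFIED BY "<placeholder-password>";
GRANT CREATE SESSION, CREATE TABLE, CREATE PROCEDURE, CREATE SEQUENCE TO app_owner;
ALTER USER app_owner QUOTA 500M ON users;

-- Audit checks.
SELECT privilege FROM dba_sys_privs WHERE grantee = 'RESOURCE';   -- what RESOURCE still carries
SELECT username, sysbackup, sysdg, syskm FROM v$pwfile_users;     -- who holds the admin roles
SELECT grantee FROM dba_sys_privs WHERE privilege = 'UNLIMITED TABLESPACE';
SELECT owner, object_name, object_type, role FROM dba_code_role_privs; -- roles granted to code
```

The DBA_CODE_ROLE_PRIVS query is the one to keep in a periodic review: a role granted to a procedure is invisible in DBA_ROLE_PRIVS, so a checklist that only enumerates user and role grants will miss it.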
Q&A
Thank you!