Best Practices in Implementing Oracle Database Security Products
White Papers
Abstract
Information is the world’s new currency. Databases are the digital banks that store and retrieve valuable information. The growing number of high-profile incidents in which customer records, confidential information and intellectual property are leaked, lost or stolen has created an explosive demand for solutions that protect against the deliberate or inadvertent release of sensitive information. Moreover, numerous information-intensive government and industry regulations require organizations to protect the integrity of customer, employee and proprietary information and corporate digital assets. Security breaches can no longer be "swept under the rug" because of strict breach disclosure laws. Addressing information protection and control (IPC) is a complex challenge. Today, nearly all organizational information exists in electronic form, typically stored in databases. So, it stands to reason that enterprises must secure their databases as part of any IPC strategy to protect sensitive information and comply with regulations. Database security represents a preemptive strategy for preventing enterprise data theft and regulatory compliance infractions.
Seemakiran Head of India Operations Estuate 1183 Bordeaux Dr, Suite 4 Sunnyvale, CA 94089 Phone: +1 408-400-0680 Fax: +1 408-400-0683 www.estuate.com January 2009
Oracle is the global leader in relational database technology, and has built a rich set of database security products and database features within its product portfolio. Implementing effective database security on the Oracle platform requires a deep knowledge of the Oracle product stack and experience in real-world security implementation using Oracle. Estuate brings strong credentials to its clients in both respects, emanating from our deep Oracle product engineering roots and years of Oracle-based client work. This paper profiles the best practices in implementing Oracle-based information security that we have built from our years of experience.
ESTUATE WHITEPAPER
Complex Applications Made Easy
Estuate is a global information technology (IT) services company based in the heart of Silicon Valley. Our founders have decades of deep software product experience at Oracle, particularly in Oracle-based applications development, integration and modernization, and unmatched Oracle E-Business Suite product knowledge. Our focus is two-fold:
• Providing expert software product development services to software companies
• Providing high-value application implementation and management services to enterprise clients.
We pride ourselves on being highly-responsive, nimble and efficient, and we are very honored to let our clients speak on our behalf. Our software product development focus includes core product development and testing, business process integration and technology modernization. Our software company clients include Arena Solutions, Cisco, Citrix, Escalate, IBM, Oracle, Performant, Pictage, Salesforce.com, DataFlux (division of SAS) and WebEx. Our enterprise application implementation and management focus is on custom application development and the full Oracle E-Business Suite platform. Our enterprise application clients include Bechtel, Fox Interactive Media, HP, Matson, Stanford University, Visa and Wells Fargo. For more information, please contact info@estuate.com or visit www.estuate.com
Copyright © 2009 Estuate Inc. All rights reserved. The entire contents of this document are subject to copyright with all rights reserved. All copyrightable text and graphics, the selection, arrangement and presentation of all information and the overall design of the document are the sole and exclusive property of Estuate.
2 © 2009 Estuate. All rights reserved.
Contents
1. Overview of Oracle Security Products (p. 4)
2. User Management Best Practices (p. 5)
3. Access Control Best Practices (p. 6)
4. Data Protection Best Practices (p. 7)
5. Compliance Monitoring Best Practices (p. 9)
6. Conclusion (p. 10)
Overview of Oracle Security Products
With solutions spanning user management, access control, data protection, and monitoring/alerting for compliance management, Oracle provides a comprehensive information security architecture and best-in-class products.
Oracle Security Data Products
User Management Best Practices
We have effectively used Oracle Enterprise User Security to simplify user management for a manufacturing client. We accomplished this by enabling database user accounts to be centrally managed in the Oracle Internet Directory, the core of Oracle’s Identity Management product suite. Oracle Directory Synchronization Service, part of Oracle Internet Directory, facilitates synchronization between Oracle Internet Directory and other directories and user repositories, including Microsoft Active Directory and Sun ONE, allowing users to authenticate to the database using credentials stored in one of these other repositories. Oracle Enterprise User Security provides support for strong authentication based on PKI digital certificates or Kerberos.
Access Control Best Practices
Another client, a world-class university, wanted to protect highly-confidential, sensitive employee data from its organization’s internal database administrators. We accomplished this by implementing Oracle Database Vault.
Oracle Database Vault
Oracle Database Vault Overview
Oracle Database Vault provides enterprises with protection from insider threats and inadvertent leakage of sensitive application data. Access to application data by users and database administrators (DBAs) is controlled using Database Vault realms, command rules and multifactor authorization. Database Vault addresses access privilege by separating access to application data from traditional database and security administration responsibilities. Database Vault realms block ANY-type privileges (SELECT ANY) commonly available to DBAs from being used to access application data. Using multifactor authorization, database access can be easily restricted based on IP address, time of day and other parameters. Command rules enable Database Vault security administrators to associate rule sets or policies with Oracle Database commands. Combined with multifactor authorization, command rules allow powerful policies to be deployed inside the database, further reducing the security risk associated with insiders bypassing the application. Additionally, Database Vault’s numerous out-of-the-box reports address a wide range of security metrics, such as attempted data access requests blocked by Realms. For example, if a DBA attempts to access data from an application table protected by a Realm, Database Vault creates an audit record in a specially-protected table within Database Vault. A Realm violation report makes it easy to view these audit records.
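The realm, multifactor rule set and command rule described above, as an added PL/SQL example (not from the paper or from Oracle's documentation), using the DBMS_MACADM administration package run as the Database Vault owner. The HR_APP schema, the SALARIES table, the 10.20.30.x subnet and all policy names are placeholders chosen for illustration.

```sql
-- Added example: Database Vault realm + multifactor command rule (placeholders throughout).
-- Run as the Database Vault owner account (DV_OWNER role).
BEGIN
  -- 1. Realm: ANY-type privileges (SELECT ANY TABLE, ...) no longer reach HR_APP objects.
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'HR Data Realm',
    description   => 'Protects confidential employee data from DBAs',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);   -- audit every blocked attempt
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'HR Data Realm',
    object_owner => 'HR_APP',
    object_name  => '%',        -- all objects of all types in the schema
    object_type  => '%');
  -- Only the schema owner itself may use its privileges inside the realm.
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'HR Data Realm',
    grantee       => 'HR_APP',
    rule_set_name => NULL,
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_OWNER);
  -- 2. Multifactor rule set: both factors must pass (G_RULESET_EVAL_ALL).
  --    DVF.F$CLIENT_IP is NULL for local bequeath sessions, so those fail the IP rule.
  DBMS_MACADM.CREATE_RULE('From App Tier',
    q'[DVF.F$CLIENT_IP LIKE '10.20.30.%']');          -- placeholder app-tier subnet
  DBMS_MACADM.CREATE_RULE('Business Hours',
    q'[TO_NUMBER(TO_CHAR(SYSDATE, 'HH24')) BETWEEN 7 AND 19]');
  DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'App Tier Business Hours',
    description     => 'Client IP on app-tier subnet and inside business hours',
    enabled         => DBMS_MACUTL.G_YES,
    eval_options    => DBMS_MACUTL.G_RULESET_EVAL_ALL,
    audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
    fail_options    => DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => 'HR salary data may only be read from the application tier',
    fail_code       => -20001,
    handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);
  DBMS_MACADM.ADD_RULE_TO_RULE_SET('App Tier Business Hours', 'From App Tier');
  DBMS_MACADM.ADD_RULE_TO_RULE_SET('App Tier Business Hours', 'Business Hours');
  -- 3. Command rule: every SELECT on HR_APP.SALARIES must satisfy the rule set,
  --    including sessions that are otherwise realm-authorised.
  DBMS_MACADM.CREATE_COMMAND_RULE(
    command       => 'SELECT',
    rule_set_name => 'App Tier Business Hours',
    object_owner  => 'HR_APP',
    object_name   => 'SALARIES',
    enabled       => DBMS_MACUTL.G_YES);
END;
/
```

With the audit options set as above, a DBA's blocked SELECT lands in the Database Vault audit trail (DVSYS.AUDIT_TRAIL$ on 11g), which is the table the realm violation report reads.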
Data Protection Best Practices
Transparent Data Encryption Overview
Oracle Advanced Security
We have successfully implemented data protection policies and procedures for several Estuate clients using Oracle Advanced Security. Oracle Advanced Security Transparent Data Encryption (TDE) provides the most advanced encryption capabilities for protecting sensitive information without requiring any changes to the existing application. TDE is a native database solution that is completely transparent to existing applications with no triggers, views or other application changes required. Data is transparently encrypted when written to disk, and transparently decrypted after an application user has successfully authenticated and passed all authorization checks. Authorization checks include verifying that the user has the necessary read/update privileges. TDE can be used to encrypt columns that contain sensitive data, or entire database objects residing in a tablespace. Tablespace encryption ensures all database objects are encrypted at the file system level. When the database reads data blocks from the encrypted tablespace, it transparently decrypts the data blocks. TDE also supports storing the TDE master encryption key on a hardware security module (HSM) device. This provides an even higher level of assurance protecting the TDE master key, as well as centralized key management in a clustered environment. Advanced Security also provides strong protection for data in transit by using comprehensive network encryption capabilities. Advanced Security’s easy-to-deploy, comprehensive network encryption provides both native network encryption and SSL/TLS-based encryption. In addition, it can be configured to accept or reject communication from clients not using encryption, providing optimal deployment flexibility. Configuration of network security is managed using the Oracle Network Configuration administration tool, allowing businesses to easily deploy network encryption without any changes to applications.
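Column encryption, tablespace encryption and the checks that confirm both, as an added example (not from the paper) for an Oracle 11g database with Oracle Advanced Security. The wallet password, HR_APP schema, SSN column, HR_SECURE tablespace, index name and datafile path are placeholders, and sqlnet.ora is assumed to already point ENCRYPTION_WALLET_LOCATION at the wallet directory.

```sql
-- Added example: TDE column and tablespace encryption with verification (placeholders).
-- 1. Create the wallet if absent, open it and generate the TDE master key.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "wallet-password-placeholder";

-- 2. Column encryption: only the sensitive column is encrypted on disk; the
--    application keeps querying HR_APP.EMPLOYEES without any change.
ALTER TABLE hr_app.employees
  MODIFY (ssn ENCRYPT USING 'AES256' NO SALT);   -- NO SALT is required to index the column

-- 3. Tablespace encryption: every block written to the tablespace is encrypted,
--    so objects moved into it are protected without per-column work.
CREATE TABLESPACE hr_secure
  DATAFILE '/u01/oradata/ORCL/hr_secure01.dbf' SIZE 100M
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);
ALTER TABLE hr_app.salaries MOVE TABLESPACE hr_secure;
ALTER INDEX hr_app.salaries_pk REBUILD;          -- MOVE leaves the table's indexes unusable

-- 4. Verify: which columns and tablespaces are encrypted, and is the wallet OPEN?
--    While the wallet is CLOSED, encrypted data is unreadable by every session.
SELECT owner, table_name, column_name, encryption_alg, salt
  FROM dba_encrypted_columns;
SELECT t.name AS tablespace_name, e.encryptionalg, e.encryptedts
  FROM v$encrypted_tablespaces e
  JOIN v$tablespace t ON t.ts# = e.ts#;
SELECT wrl_type, wrl_parameter, status FROM v$encryption_wallet;

-- 5. Data in transit is a server-side sqlnet.ora setting, not SQL; these three lines
--    require native network encryption and reject clients that will not negotiate it:
--    SQLNET.ENCRYPTION_SERVER = REQUIRED
--    SQLNET.ENCRYPTION_TYPES_SERVER = (AES256)
--    SQLNET.CRYPTO_CHECKSUM_SERVER = REQUIRED
```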
Oracle Secure Backup (OSB)
We have also implemented effective backup security for Estuate clients using Oracle’s comprehensive tape backup solution for Oracle databases and file systems. Tight integration with the Oracle Database provides optimal security and performance, eliminating backup of any associated database UNDO data. A centralized administrative server provides a single point of control for enterprise-wide tape backup and any associated encryption keys. The administrative server maintains a tape backup catalog and manages security policies for distributed servers and tape devices. OSB encrypts data before the data leaves the database, resulting in continuous data security when in transit to the tape drive unit. OSB also provides the ability to back up and encrypt file systems directly to tape.
Oracle Data Masking Pack
We use Oracle Data Masking Pack to maintain the confidentiality of sensitive or confidential client data in development, test or staging environments. The Data Masking Pack uses an irreversible process to replace sensitive data with realistic-looking but scrubbed data based on masking rules, and ensures that the original data cannot be retrieved or recovered. The Data Masking Pack provides out-of-the-box mask primitives for various data types, such as random numbers, random digits, random dates and constants, as well as built-in masking routines, such as shuffling, which shuffles the values in a column across different rows. The Data Masking Pack helps maintain the integrity of the application while masking sensitive data.
Compliance Monitoring Best Practices
Oracle Audit Vault Overview
Oracle Audit Vault
We use Oracle Audit Vault as an effective security compliance monitoring tool for our clients. Audit Vault transparently collects and consolidates audit data from multiple databases across the enterprise, providing valuable insight into who did what to which data when, including privileged users who have direct access to the database. The integrity of audit data is ensured by using sophisticated controls, including Oracle Database Vault and Oracle Advanced Security. Access to the audit data within Audit Vault is strictly controlled. Privileged DBA users cannot view or modify the audit data, and even auditors are prevented from modifying the audit data. Audit Vault provides proactive threat detection through alerting. Event alerts help mitigate risk and protect from insider threats by providing proactive notification of suspicious activity across the enterprise. Audit Vault continuously monitors the inbound audit data, evaluating audit data against alert conditions. Alerts can be associated with any auditable database event, including system events such as changes to application tables, role grants and privileged user creation on sensitive systems. Audit Vault provides graphical summaries of activities causing alerts. In addition, database audit settings are centrally managed and monitored from within Audit Vault to ensure consistent auditing policies across the enterprise.
Conclusion
Using Oracle Database Security products, we have delivered a full range of data security solutions to our clients across the spectrum of user management, access control, data protection and compliance monitoring business processes. We find that Oracle Database Security products, when properly implemented using our best practices, provide comprehensive, world-class information security across all Oracle-based applications.