DB Security Workshop @ Oracle Montreal
dedicated several posts on the importance of being a Data Steward, and the consequences of not doing so, or in my case having been prevented from doing so within the government due to my ethnicity. But I digress… back to stressing the significance of recurrent security training.
Last week, a colleague and I participated in an extremely interesting one-day workshop at Oracle’s offices here in Montreal focused on information protection, privacy and accountability. Here are some of the notes I jotted down (full slides here); please excuse their terseness in advance:
It should be of no surprise that a Verizon study report on data breaches reveals that 70% are from internal users. There are several strategies below you can use, and, by the way, if you did not catch K. Brian Kelley’s Bulletproof Security Strategy webcast, it is worth the time.
Data breach legislation examples: CA Senate Bill 1386 Security Breach Notification
Upcoming Bill C-12, Canadian data protection, will make data breach notifications mandatory (everyone say YAY!)
Beware of malware and hacking, since DBs are at the top of the list for data breaches, because, as we database admins already know, 92% of corporate data is located there.
Breach disclosure laws can cost companies $240/record (some companies have been burnt, and ruined, by this)
IOUG data security report says that 44% of users could access
48% not aware of all DBs with sensitive data
Obviously, the DBAs working in these institutions did not have a chance to implement Database Security Best Practices for the Vigilant DBA :)
and regulations are greater than ever - BASEL was another acronym we heard.
Fragmented response is typical and it is an afterthought to fix security – but as I have said before, Databases are not a place to be lax on Security!
Solutions: consolidate, automate and embed!
Oracle Security Inside Out: encryption, masking, multi-factor authorization, secure configuration
Auditing and monitoring, blocking and logging, Access control (proper access management)
HSM (Hardware Security Module)
Big picture is that there should be a DB firewall as an additional security layer – network SQL activity monitoring (to prevent unauthorized DB access), stopping SQL injection and privilege or role escalation, and blocking.
Encrypted backups, encrypted Bus, encrypted exports, and data masking.
Highly accurate SQL-grammar-based analysis.
DB data can be sensitive, confidential or public; audited for unauthorized local activity, consolidated DB security
TDE: Transparent Data Encryption does not require application changes; the Oracle Wallet provides built-in key management, RMAN can encrypt backups to disk, and Data Pump export files can be encrypted.
The Master key has to be safeguarded because it controls everything (choose the role of who should be your Master Key holder – delegate to the responsible person within the security team, if available).
If you lose the Master key, you are SCREWED! :(
Entire tablespaces can be encrypted, since it is highly efficient
Only REAL DBAs can open the Oracle Wallet (oops, sorry, that is an inside joke).
In the Oracle encryption lab, we came across a tool to validate whether the data was actually encrypted in the file (perhaps one you can use with SQL Server too). KHexEdit allows us to view individual records from DBFs (database files). We can see the data unless TDE is enabled, since the text pane interprets the hex data values.
So after altering the column to encrypt it, we can no longer find the data in the file.
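The hex-editor check from the lab, scripted. This is an added example, not something from the workshop or Oracle: it builds two constructed 4 KB stand-in blocks (one with the column in clear, one with random-looking bytes in its place), searches a datafile for known sensitive values in both single-byte and UTF-16LE encodings, and reports where they appear in clear. The block layout, SECRET value and file name are assumptions.

```python
import hashlib
import re
import sys

# Constructed sample: two fake 4 KB "data blocks" standing in for a database file
# before and after column encryption. They are not real Oracle or SQL Server pages.
SECRET = "4111111111111111"  # constructed sample card number stored in the column


def build_block(column_bytes: bytes) -> bytes:
    """Lay out a block header, one row (flags, name, the column) and zero padding."""
    header = b"BLOCKHDR" + bytes(56)
    row = b"\x2c\x00\x03" + b"Alice Jones" + b"\x00" + column_bytes + b"\x00"
    return (header + row).ljust(4096, b"\x00")


UNENCRYPTED_FILE = build_block(SECRET.encode("ascii"))
# Deterministic stand-in for ciphertext (real TDE output is random-looking, never a hash).
ENCRYPTED_FILE = build_block(hashlib.sha256(b"constructed-ciphertext").digest()[:16])


def find_plaintext(datafile: bytes, needles: list) -> dict:
    """Map each known sensitive value to the (offset, encoding) pairs where it
    appears in clear. Both single-byte and UTF-16LE encodings are checked, since
    SQL Server NVARCHAR and Oracle NCHAR/NVARCHAR2 columns can store UTF-16."""
    hits = {}
    for value in needles:
        found = []
        for label, codec in (("ascii", "latin-1"), ("utf-16le", "utf-16-le")):
            pattern = re.escape(value.encode(codec))
            found.extend((m.start(), label) for m in re.finditer(pattern, datafile))
        hits[value] = found
    return hits


def is_encrypted_at_rest(datafile: bytes, needles: list) -> bool:
    """True when none of the known values can be located in clear text."""
    return all(not offsets for offsets in find_plaintext(datafile, needles).values())


if __name__ == "__main__":
    # usage: python tde_check.py <datafile> <known-plaintext-value> [...]
    path, *values = sys.argv[1:]
    with open(path, "rb") as fh:
        data = fh.read()
    for value, offsets in find_plaintext(data, values).items():
        for offset, enc in offsets:
            print(f"{value!r} found in clear at offset 0x{offset:x} ({enc})")
    print("encrypted at rest" if is_encrypted_at_rest(data, values) else "PLAINTEXT PRESENT")
```

Point it at a copy of a datafile (never the live one) with a value you know is stored in the encrypted column; a hit means the column, or an index or undo copy of it, is still in clear.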
If you lose your keys – well, just do not lose them (or at least, upon generation, give them to the security team or your Boss/Manager, etc. to be sure they are safe).
For more details here is a great FAQ on Oracle Transparent Data Encryption (you can bet I am going to read up on SQL Server’s implementation of TDE next)
During the workshop we also covered network encryption + strong authentication: standards-based encryption for data in transit, strong authentication of users and servers, no infrastructure changes required, easy to implement.
Oracle Secure Backup product: integrated tape or cloud backup management
Masking removes the sensitive data from non-prod DBs – a good practice for refreshes to all other environments outside of production!
Irreversible de-identification, while keeping referential integrity so apps continue to work
Sensitive data never leaves the DB
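What "irreversible de-identification while keeping referential integrity" looks like in practice, as an added example that is not Oracle Data Masking or anything from the workshop: a keyed HMAC maps every customer id to the same pseudonym in both the customer and order tables, so joins still work, and the key is thrown away after the refresh so nobody can map back. Table contents, column names and the 9-digit id width are constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed sample tables: a customer table and an order table that references it.
CUSTOMERS = [
    {"id": 1001, "name": "Alice Jones", "ssn": "123-45-6789"},
    {"id": 1002, "name": "Bob Smith", "ssn": "987-65-4321"},
]
ORDERS = [
    {"order_no": 1, "customer_id": 1001, "amount": 42.50},
    {"order_no": 2, "customer_id": 1002, "amount": 10.00},
    {"order_no": 3, "customer_id": 1001, "amount": 7.25},
]


def pseudonym(key: bytes, value, width: int) -> str:
    """Keyed, deterministic replacement: the same value always maps to the same
    digits under one key, so a foreign key masked in ORDERS still matches the
    masked primary key in CUSTOMERS. Without the key there is no way back."""
    digest = hmac.new(key, str(value).encode("utf-8"), hashlib.sha256).digest()
    return str(int.from_bytes(digest[:8], "big") % 10**width).zfill(width)


def mask_dataset(customers, orders, key=None):
    """Return masked copies of both tables. The key is generated for this refresh
    only and must be discarded afterwards, which is what makes the masking irreversible."""
    key = key or secrets.token_bytes(32)
    masked_customers = [
        {
            "id": int(pseudonym(key, c["id"], 9)),
            "name": "Customer " + pseudonym(key, c["name"], 5),
            "ssn": "***-**-" + pseudonym(key, c["ssn"], 4),  # no real SSN digits survive
        }
        for c in customers
    ]
    if len({c["id"] for c in masked_customers}) != len(customers):
        raise RuntimeError("pseudonym collision on customer id; rerun with a new key")
    masked_orders = [dict(o, customer_id=int(pseudonym(key, o["customer_id"], 9)))
                     for o in orders]
    return masked_customers, masked_orders


def referential_integrity_holds(customers, orders) -> bool:
    """Every order must still point at an existing customer after masking."""
    ids = {c["id"] for c in customers}
    return all(o["customer_id"] in ids for o in orders)
```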
DB Vault handles Separation of duties and privileged user controls (let DBAs work with HR data without compromising sensitive info).
Out of the box compliance reports,
centralized audit policy management.
Limits the powers of privileged users by restricting highly privileged users to certain operations.
Securely consolidate application data
No application changes required.
Consolidate audit data into secure repository
Private DBs are where the vault will be used – access restriction features make Oracle the leader
DB factor to secure, by IP, by account, by
realm violation audit reports can be built-in
Reports such as who is really in the DBA role
Prevent DBAs from accessing application data; pre-built policies include realms and command rules; complements application security, transparent to existing applications, customizable.
Label security – classifying users
Total Recall – secure change tracking: transparently track data changes; efficient, tamper-resistant storage of archives; real-time access to historical data; simplified forensics and error correction
Data explosion depends on each application – those that are well developed will auto-aggregate the data to save rows (as VMware vCenter databases do rather nicely).
Oracle Configuration management is much like grid control (aka enterprise manager)
Continuous scanning against 375+ best practices and industry standards, extensible
Detect and prevent unauthorized configuration changes
change management compliance reports...
A matter of taking the time to implement recommendations.
Rule of thumb: When in doubt, encrypt
encryption is a de facto expectation to protect data
PCI says any traces of Credit Card data have to be encrypted
encrypt personal identity info to comply with EU Data privacy
Medical records in a DB might need to comply with CA AB 1298
Off-site backups should be encrypted.
Advanced security over the network…and then we dove into the labs.
End of notes and warning - Failing to be vigilant with data could also result in the loss of billions of dollars of public money, a situation I unfortunately witnessed first-hand six months after I had internally provided a report detailing an audit failure at Canada’s largest public Institutionalized pension fund manager, the Quebec Deposit and Investment Fund (CDP Capital).
PS – if anyone is interested in Oracle Enterprise Manager 12c, here’s a great webcast: