Database Security On Premises - Day3 - Compressed

The document provides an overview of database security, focusing on on-premises solutions and the increasing threat of data breaches. It outlines key strategies for assessing, detecting, and preventing unauthorized access to databases, highlighting tools like DBSAT, Audit Vault, and Advanced Security features. Additionally, it emphasizes the importance of compliance with various regulations and the role of Oracle as a leader in database security solutions.

Uploaded by Ibrahim Elmordea

Database Security

On-Premises - Overview

Mostafa Emam
Principal Solutions Engineer
Agenda

1. Industry Landscape & Trends
2. How We Look at Database Security
3. Securing On-Premises Databases
   • Assess: DBSAT, Privilege Analysis
   • Detect: Audit Vault and Database Firewall
   • Prevent: Advanced Security, Key Vault, Database Vault, Data Masking and Subsetting, Label Security

2 Copyright © 2021, Oracle and/or its affiliates


Industry landscape & trends


The number of data breaches in 2020 has almost doubled, with 3,950 confirmed breaches compared with 2,103 recorded breaches in 2019.

Source: Security Boulevard, as of Aug 2020
[Slide 5: world map of major breaches between 2013 and 2019, each marked with the number of accounts affected (500K, 1M, 100M, 106M, 110M, 145M, 147M, 150M, 360M, 383M and 3B); captioned "Constant Breaches"]


Standards and regulations force more tools

NCUA, PIPEDA, FOIPPA, FS-ISAC, GLBA, RU DPA, CCPA, FFIEC, HIPAA, CIP, Patriot Act, NY DFS 500, JP APPI, 50 state data privacy laws, MA DPA, Dodd-Frank, CN GDPL, MX PDPL, Basel III, IN PDPB, HK PDPO, TH PDA, CO DPL, BR GDPL, SI PDPA, SA ECTA, CL PPL, AU APP, NZ PA, FIPS 140-2, AR PDPL
The Oracle Database Security Story


How do hackers attack the Database?

[Slide 9: attack paths against the database and everything around it]

Attack paths:
• Attack Users
• Attack Network
• Exploit Database
• Attack Apps
• Bypass Database
• Attack Admins

Targets along the way: Users, Applications, System, Application and Database Admins, the Database itself, and its Copies (Test and Dev database clones).

Target Data: Names, Addresses, Credit Cards, Health Record, Other PII, Secrets.


How we look at Database Security

Assess: assess the current state of security for the database.
Detect: detect attempts to access data, especially attempts that violate policy.
Prevent: prevent unauthorized or out-of-policy access to data.

Data: data stored in a database is your organization’s most valuable asset, but also a source of significant risk.
Users: users and applications connecting to your database are prime targets.
Maximum Security Architecture

[Slide 14: Users and Applications access a database whose data is stored encrypted; Test and Dev copies are fed through Data Masking and Subsetting; Events, Audit Data and Event Logs flow to Audit Vault, which produces Alerts, Reports and Policies]

Database Security Controls shown: Data Redaction, Database Firewall, Network Encryption, Discover Sensitive Data, Database Vault, Virtual Private Database, Label Security, Real Application Security, Transparent Data Encryption, Oracle Key Vault, Data Masking and Subsetting, Audit Vault.

Assess, Prevent, Detect: Data Driven Security


Analysts agree: Oracle #1 for Database Security

• KuppingerCole: Oracle #1 overall for Database & Big Data security. Database+Big Data Security Leadership Compass, Jun ‘19.
• Forrester: Oracle #1 on the “Security” criterion (4.5/5). Database-as-a-Service Wave, June 2019, https://reprints.forrester.com/#/assets/2/132/RES144407/reports
• Gartner: Oracle #1 on the “Security” criterion (4.5/5). Operational DBMS Critical Capabilities, Oct. 2018, https://www.gartner.com/doc/reprints?id=1-5LPN68L&ct=181015&st=sb
Security for Oracle Databases On-Premises


Database Security Assessment Tool (DBSAT)
Assess



Let DBSAT help assess your security profile

Understand how (in)secure your database is:
• Is the database securely configured?
• Identify privileged users and the risks you carry (users, entitlements)
• Discover your sensitive data for regulations

Actionable reports:
• Summary and detailed reports
• Prioritized recommendations
• CIS, STIG, GDPR findings

Analyzes Oracle Database 11g and later. Stand-alone tool: quick, easy. FREE to current Oracle customers.


Assess your database security before hackers come knocking

Assess Configuration
• Patches
• Data encryption
• Auditing policies
• OS file permissions
• Database configuration
• Listener configuration
• Fine-grained access control
• Runs on 11g to 21c Oracle Databases

Identify Risky Users
• Database accounts
• User privileges
• User roles

Discover Sensitive Data
• What type, where, and how much?
• Sample pattern files for Greek, German, Dutch, French, Spanish, Italian, and Portuguese based data models as well

Assessment Reports
• Summary and detailed information
• Prioritized, actionable and target-specific recommendations
• Mapping to EU GDPR, STIG and CIS Benchmark
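DBSAT itself is a command-line tool run on the database host, so its collect, report and discover phases cannot be reproduced here. As an added example that is not part of the slides and not DBSAT's own code, the queries below show the kind of "Identify Risky Users" and "Assess Configuration" checks the table describes, using only Oracle's standard data dictionary views (12c or later is assumed for DBA_USERS.ORACLE_MAINTAINED). OS file permissions and listener configuration live outside SQL and are not covered.

```sql
-- Added example: dictionary queries covering some of the checks DBSAT reports on.
-- Run as a user with SELECT ANY DICTIONARY or SELECT_CATALOG_ROLE; 12c+ assumed.

-- 1. Accounts still using an Oracle-known default password.
SELECT username
FROM   dba_users_with_defpwd
ORDER  BY username;

-- 2. Open, customer-created accounts whose profile never expires the password.
SELECT u.username, u.profile, u.last_login
FROM   dba_users u
JOIN   dba_profiles p
       ON  p.profile = u.profile
       AND p.resource_name = 'PASSWORD_LIFE_TIME'
WHERE  u.account_status = 'OPEN'
AND    u.oracle_maintained = 'N'
AND    p.limit = 'UNLIMITED'
ORDER  BY u.username;

-- 3. Customer-created accounts holding an "ANY" or bypass system privilege, either
--    directly or through any depth of role nesting. DBA-role holders appear here
--    because the DBA role itself carries ANY privileges. Oracle rejects circular
--    role grants, so the recursion terminates.
WITH role_tree (grantee, granted_role) AS (
  SELECT grantee, granted_role
  FROM   dba_role_privs
  UNION ALL
  SELECT t.grantee, r.granted_role
  FROM   role_tree t
  JOIN   dba_role_privs r ON r.grantee = t.granted_role
)
SELECT DISTINCT u.username, sp.privilege
FROM   dba_users u
JOIN   dba_sys_privs sp
       ON sp.grantee = u.username
       OR sp.grantee IN (SELECT granted_role FROM role_tree WHERE grantee = u.username)
WHERE  u.oracle_maintained = 'N'
AND   (sp.privilege LIKE '%ANY%'
       OR sp.privilege IN ('BECOME USER', 'EXEMPT ACCESS POLICY',
                           'EXEMPT REDACTION POLICY'))
ORDER  BY u.username, sp.privilege;

-- 4. Security-relevant initialisation parameters and whether they were changed
--    from the default.
SELECT name, value, isdefault
FROM   v$parameter
WHERE  name IN ('audit_trail', 'audit_sys_operations', 'remote_os_authent',
                'o7_dictionary_accessibility', 'sql92_security',
                'sec_max_failed_login_attempts',
                'sec_return_server_release_banner')
ORDER  BY name;

-- 5. Permanent tablespaces holding application data that are not TDE-encrypted.
SELECT tablespace_name, encrypted
FROM   dba_tablespaces
WHERE  contents = 'PERMANENT'
AND    encrypted = 'NO'
AND    tablespace_name NOT IN ('SYSTEM', 'SYSAUX')
ORDER  BY tablespace_name;
```

Query 3 is the one worth keeping in a scheduled job: a new row appearing there between two runs is an entitlement change, which is exactly what the Detect pillar later on this page wants to alert on.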


Sample Findings (report screenshot, not reproduced)


Privilege Analysis
Assess



Privilege Analysis

[Slide 26: a user or custom application holding the DBA role and many direct grants. Privileges actually used during the capture (Create …, Select …, Update …) are kept; unused roles and privileges are audited and considered for removal]

• Track privilege/role usage by a database user for a period of time
• Identify and consider removing unused privileges
• Minimal performance impact: processing is done during report generation
• Moved to the core database in November 2018. No dependency on Database Vault licensing.
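The capture-then-report workflow described above, as an added example using the DBMS_PRIVILEGE_CAPTURE package (Oracle 12.2 or later for named runs; the CAPTURE_ADMIN role is required). The capture name, run name and the HR_APP account are illustrative assumptions, not something from the slides. Run it in the PDB that hosts the application, since the slide notes that capture is per CDB or PDB rather than global.

```sql
-- Added example: privilege analysis with DBMS_PRIVILEGE_CAPTURE (12.2+).
-- Requires CAPTURE_ADMIN. hr_app_capture, HR_APP and week_01 are illustrative.

-- 1. Define what to capture: every privilege exercised by HR_APP sessions.
--    Other types: G_DATABASE (all users), G_ROLE (named roles), G_ROLE_AND_CONTEXT.
BEGIN
  DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE(
    name        => 'hr_app_capture',
    description => 'Privileges actually exercised by HR_APP',
    type        => DBMS_PRIVILEGE_CAPTURE.G_CONTEXT,
    condition   => 'SYS_CONTEXT(''USERENV'', ''SESSION_USER'') = ''HR_APP''');

  -- 2. Start recording. run_name lets several capture periods coexist.
  DBMS_PRIVILEGE_CAPTURE.ENABLE_CAPTURE(
    name     => 'hr_app_capture',
    run_name => 'week_01');
END;
/

-- ... let the application run through a full business cycle (month-end, batch
--     jobs, reporting) so that rarely exercised privileges are also captured ...

-- 3. Stop recording and materialise the used/unused sets into the DBA_*_PRIVS views.
BEGIN
  DBMS_PRIVILEGE_CAPTURE.DISABLE_CAPTURE(name => 'hr_app_capture');
  DBMS_PRIVILEGE_CAPTURE.GENERATE_RESULT(
    name     => 'hr_app_capture',
    run_name => 'week_01');
END;
/

-- 4. Candidates for revocation: granted but never exercised during the run.
SELECT username, sys_priv, obj_priv, object_owner, object_name
FROM   dba_unused_privs
WHERE  capture  = 'hr_app_capture'
AND    run_name = 'week_01'
ORDER  BY username, sys_priv, obj_priv;

-- 5. What was actually needed; these are the grants to keep.
SELECT username, sys_priv, obj_priv, object_owner, object_name
FROM   dba_used_privs
WHERE  capture  = 'hr_app_capture'
AND    run_name = 'week_01'
ORDER  BY username, sys_priv, obj_priv;

-- 6. Act on the report (example revocation driven by step 4), then drop the
--    capture once the review is complete.
REVOKE SELECT ANY TABLE FROM hr_app;

BEGIN
  DBMS_PRIVILEGE_CAPTURE.DROP_CAPTURE(name => 'hr_app_capture');
END;
/
```

Revoke in small batches and re-run the capture: a privilege that only a quarterly job needs will show up as unused in a one-week run, which is why the capture window has to cover a full business cycle.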


Unused Privileges Report (report screenshot, not reproduced)

Used Privileges Report (report screenshot, not reproduced)


Privilege Analysis Benefits

• Work toward a least-privilege model
• Reduce the impact of a compromised DBA account
• Minimal performance impact during capture
• Runs in individual CDBs or PDBs, not globally


Oracle Audit Vault and Database Firewall
Detect



Oracle Audit Vault and Database Firewall – Key differentiators

Monitoring network database activity AND collecting audit records
• Before/after values, entitlement changes, stored procedure changes
• SQL injection detection and prevention based on SQL grammar analysis & clustering
• Enforce trusted path access for applications

Enterprise-level scale, security, automation, and extensibility
• An open schema for integration with third-party reporting tools
• Extensible with a custom collector framework
• Supports on-premises & cloud databases
• Life-cycle support for audit data, archival

Address compliance requirements (PCI, HIPAA, GDPR, CCPA, etc.)

Secured targets (audit log collection targets can be on-premises or in the cloud):
• Databases: Oracle, MySQL, SQL Server, PostgreSQL, SAP Sybase, IBM Db2
• Operating systems & directory services: Linux, Windows, AIX, Solaris, Active Directory
• Custom: application tables, XML, CSV, JSON, MongoDB, REST

[Slide 31 diagram: the Database Firewall in front of the databases, Audit Vault collecting from all targets and producing Alerts, Reports and Policies]
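Audit Vault and Database Firewall are configured from their own console, so there is no SQL to show for the appliance itself. What AVDF collects from an Oracle target is the database's unified audit trail, and the policies below, an added example rather than slide content, produce the kinds of record the slide lists: entitlement changes, privileged access to sensitive tables and stored-procedure changes. Before/after values are a different source (AVDF's transaction-log collection), not the audit trail. Unified auditing (12.2 or later) and the AUDIT_ADMIN role are assumed; FINANCE, FIN_APP and the table names are illustrative.

```sql
-- Added example: unified audit policies whose records AVDF would collect from an
-- Oracle secured target. Unified auditing (12.2+) and AUDIT_ADMIN assumed;
-- FINANCE, FIN_APP and the table names are illustrative.

-- 1. Entitlement changes: who grants what, plus account and role lifecycle.
CREATE AUDIT POLICY entitlement_changes
  PRIVILEGES GRANT ANY PRIVILEGE, GRANT ANY ROLE, GRANT ANY OBJECT PRIVILEGE
  ACTIONS    GRANT, REVOKE,
             CREATE USER, ALTER USER, DROP USER,
             CREATE ROLE, ALTER ROLE, DROP ROLE, SET ROLE;

AUDIT POLICY entitlement_changes;

-- 2. Access to sensitive tables by anyone other than the application account.
--    The WHEN clause is evaluated once per session, so the cost is negligible.
CREATE AUDIT POLICY finance_sensitive_access
  ACTIONS SELECT ON finance.sales,
          UPDATE ON finance.sales,
          DELETE ON finance.sales,
          ALL    ON finance.credit_cards
  WHEN 'SYS_CONTEXT(''USERENV'', ''SESSION_USER'') <> ''FIN_APP'''
  EVALUATE PER SESSION;

AUDIT POLICY finance_sensitive_access;

-- 3. Stored-procedure changes, audited only for accounts that hold DBA.
CREATE AUDIT POLICY finance_code_changes
  ACTIONS CREATE PROCEDURE, DROP PROCEDURE,
          CREATE PACKAGE, DROP PACKAGE,
          CREATE PACKAGE BODY, DROP PACKAGE BODY,
          CREATE TRIGGER, DROP TRIGGER;

AUDIT POLICY finance_code_changes BY USERS WITH GRANTED ROLES dba;

-- 4. Confirm what is enabled.
SELECT policy_name, enabled_option, entity_name, entity_type, success, failure
FROM   audit_unified_enabled_policies
ORDER  BY policy_name, entity_name;

-- 5. Read back the most recent records for one policy. AVDF's Oracle collector
--    reads this same trail and ships it off-host, which is what protects it
--    from a DBA cleaning up after themselves.
SELECT event_timestamp, dbusername, os_username, userhost, action_name,
       object_schema, object_name, sql_text, unified_audit_policies
FROM   unified_audit_trail
WHERE  unified_audit_policies LIKE '%FINANCE_SENSITIVE_ACCESS%'
ORDER  BY event_timestamp DESC
FETCH FIRST 50 ROWS ONLY;
```

The point of the WHEN clause in policy 2 is volume: auditing every application SELECT on a hot table floods the trail and the collector, while auditing everyone except the application account records exactly the out-of-path access the Detect pillar is about.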


View AVDF 20 Reports and Alerts (screenshots of the Dashboard and Alerts pages, not reproduced)


Oracle Audit Vault and Database Firewall Targets & Deployment Modes

• Supports both on-premises and Cloud secured targets for audit log collection
• Can be deployed on-premises




Advanced Security
Prevent



Advanced Security Option

[Slide 37: the two Advanced Security features. Data Redaction: applications see either an authorized display of sensitive data (4012-8888-8888-1881, 5454-5454-5454-5454, 5111-1111-1111-1118) or a redacted display (XXXX-XXXX-XXXX-1881). Transparent Data Encryption: data on disks, in backups, exports and off-site facilities is stored encrypted]


Transparent Data Encryption
Prevent



Why Encrypt Data?

Reduce risk of a data breach
• Data-at-rest, backups, exports are encrypted

Regulatory compliance
• Government regulations to protect personal data (GDPR, CCPA), patient data (HIPAA) and credit card data (PCI-DSS) frequently require companies to encrypt
• e.g. under GDPR: [slide image, not reproduced]


Oracle Transparent Data Encryption (TDE)

[Slide 40: applications send clear data over an encrypted network connection (TLS or native encryption); the database stores it encrypted in tablespaces (the HCM tablespace and other tablespaces), so disks, backups, exports and off-site facilities hold only encrypted data. The master key is kept in a software keystore or in Oracle Key Vault]

• Encrypts entire application tablespaces or an application column
• Protects the database files on disk and in backups
• No application changes required
• Integrated with the Oracle technology stack


TDE Key Architecture

Two-tier encryption key
• Data Encryption Key (table or tablespace key)
• Key Encrypting Key (master key)

Data encryption keys are created and managed by TDE automatically. The master encryption key encrypts the data encryption keys: the table key for TDE encrypted columns, or the tablespace key for a TDE encrypted tablespace.

The master key is typically stored outside of the database:
• Oracle Wallet
• Key Management System (Oracle Key Vault)
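The two-tier key hierarchy described above, as an added example of setting up TDE on Oracle 19c with a file-based software keystore and then moving the master key into Oracle Key Vault (the key store the next section covers). Paths, passwords and tablespace names are illustrative, and the Key Vault step assumes the Key Vault endpoint client (okvclient) has already been installed under WALLET_ROOT/okv and enrolled. This is example code, not the slides' own.

```sql
-- Added example: TDE with a software keystore, then migration to Oracle Key Vault.
-- Oracle 19c assumed; paths, passwords and object names are illustrative.

-- 0. Keystore location. WALLET_ROOT is static: set it, then restart the instance.
ALTER SYSTEM SET wallet_root = '/u01/app/oracle/admin/ORCL/wallet' SCOPE = SPFILE;
-- (restart the instance here)
ALTER SYSTEM SET tde_configuration = 'KEYSTORE_CONFIGURATION=FILE' SCOPE = BOTH;

-- 1. Create and open a password-protected software keystore (<WALLET_ROOT>/tde).
ADMINISTER KEY MANAGEMENT CREATE KEYSTORE IDENTIFIED BY "K3yst0re-Passw0rd!";
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "K3yst0re-Passw0rd!";

-- 2. Generate and activate the master key (the key-encrypting key).
--    WITH BACKUP copies the keystore file before it is modified.
ADMINISTER KEY MANAGEMENT SET ENCRYPTION KEY
  IDENTIFIED BY "K3yst0re-Passw0rd!" WITH BACKUP USING 'initial_mek';

-- 3. Encrypt data. Each tablespace gets its own data encryption key, wrapped by
--    the master key; applications are unchanged.
CREATE TABLESPACE hcm_data
  DATAFILE '/u02/oradata/ORCL/hcm_data01.dbf' SIZE 1G
  ENCRYPTION USING 'AES256' ENCRYPT;

-- Existing tablespace, encrypted online (12.2+) with no downtime.
ALTER TABLESPACE finance_data ENCRYPTION ONLINE USING 'AES256' ENCRYPT;

-- Column-level alternative for a single sensitive column (uses a table key).
ALTER TABLE finance.credit_cards MODIFY (card_number ENCRYPT USING 'AES256' NO SALT);

-- 4. Verify keystore state and which tablespaces are encrypted.
SELECT wrl_type, wrl_parameter, status, wallet_type
FROM   v$encryption_wallet;

SELECT t.name AS tablespace_name, e.encryptionalg, e.status
FROM   v$encrypted_tablespaces e
JOIN   v$tablespace t ON t.ts# = e.ts#;

-- 5. Rotate the master key. Only the data encryption keys are re-wrapped; the
--    encrypted blocks on disk are not rewritten, so this is cheap and routine.
ADMINISTER KEY MANAGEMENT SET ENCRYPTION KEY
  IDENTIFIED BY "K3yst0re-Passw0rd!" WITH BACKUP USING 'rotation_2021q3';

-- 6. Move the master key off the database host into Oracle Key Vault. Assumes
--    okvclient is installed under <WALLET_ROOT>/okv and the endpoint is enrolled.
--    OKV becomes the primary keystore; the file keystore stays as secondary.
ALTER SYSTEM SET tde_configuration = 'KEYSTORE_CONFIGURATION=OKV|FILE' SCOPE = BOTH;

ADMINISTER KEY MANAGEMENT SET ENCRYPTION KEY
  IDENTIFIED BY "Okv-Endp0int-Passw0rd!"
  MIGRATE USING "K3yst0re-Passw0rd!" WITH BACKUP;
```

Two operational caveats that follow from the key hierarchy: losing the keystore (or the Key Vault endpoint credentials) loses every tablespace wrapped by that master key, so the WITH BACKUP copies and the Key Vault backups are part of the encryption design, not an afterthought; and a keystore left on the same file system as the data files, readable by the oracle OS user, gives a storage or OS administrator both the ciphertext and the key, which is exactly the "back door" the Key Vault section is about.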


Data Redaction
Prevent



Data Redaction (Part of Advanced Security Option)

[Slide 43: the same sensitive data (4012-8888-8888-1881, 5454-5454-5454-5454, 5111-1111-1111-1118) is returned to applications either as an authorized display or as a redacted display (XXXX-XXXX-XXXX-1881)]

• Dynamic masking of application data based upon user name, IP, application context, and other session factors
• Library of redaction policies and point-and-click policy definition
• No impact on operational activities


[Slide 44: a call center operator sees redacted PCI data alongside clear PII data]


Supported Transformations

Transformation   Stored Data              Redacted Data
Full             10/09/1079               01/01/2001
Partial          987-65-4328              XXX-XX-4328
Regex            [email protected]        [hidden]@example.com
Random           5105105105105100         5500000000000004
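One DBMS_REDACT policy applying all four transformations from the table above, as an added example rather than slide content. It requires EXECUTE on DBMS_REDACT and the Advanced Security Option; FINANCE.CUSTOMERS, its columns and the CC_CLEAR role are illustrative. The policy's expression controls who sees redacted data (here everyone without CC_CLEAR); note that users holding the EXEMPT REDACTION POLICY system privilege always see clear data, which is why the assessment queries earlier flag that privilege.

```sql
-- Added example: a DBMS_REDACT policy with the Full, Partial, Regex and Random
-- transformations. FINANCE.CUSTOMERS and the CC_CLEAR role are illustrative.

BEGIN
  -- Create the policy on the first column. The expression decides WHO is
  -- redacted: every session that has not enabled the CC_CLEAR role.
  DBMS_REDACT.ADD_POLICY(
    object_schema       => 'FINANCE',
    object_name         => 'CUSTOMERS',
    policy_name         => 'customers_pii',
    column_name         => 'CARD_NUMBER',
    function_type       => DBMS_REDACT.PARTIAL,
    -- 16-digit card with hyphens: keep the last four -> ****-****-****-1881
    function_parameters => DBMS_REDACT.REDACT_CCN16_F12,
    expression          => 'SYS_CONTEXT(''SYS_SESSION_ROLES'', ''CC_CLEAR'') = ''FALSE''');

  -- Partial: US SSN, mask the first five digits -> XXX-XX-4328
  DBMS_REDACT.ALTER_POLICY(
    object_schema       => 'FINANCE',
    object_name         => 'CUSTOMERS',
    policy_name         => 'customers_pii',
    action              => DBMS_REDACT.ADD_COLUMN,
    column_name         => 'SSN',
    function_type       => DBMS_REDACT.PARTIAL,
    function_parameters => DBMS_REDACT.REDACT_US_SSN_F5);

  -- Full: a DATE column redacts to 01-JAN-01 by default
  DBMS_REDACT.ALTER_POLICY(
    object_schema => 'FINANCE',
    object_name   => 'CUSTOMERS',
    policy_name   => 'customers_pii',
    action        => DBMS_REDACT.ADD_COLUMN,
    column_name   => 'DATE_OF_BIRTH',
    function_type => DBMS_REDACT.FULL);

  -- Regex: keep the domain, hide the local part -> [hidden]@example.com
  DBMS_REDACT.ALTER_POLICY(
    object_schema         => 'FINANCE',
    object_name           => 'CUSTOMERS',
    policy_name           => 'customers_pii',
    action                => DBMS_REDACT.ADD_COLUMN,
    column_name           => 'EMAIL',
    function_type         => DBMS_REDACT.REGEXP,
    regexp_pattern        => DBMS_REDACT.RE_PATTERN_EMAIL_ADDRESS,
    regexp_replace_string => DBMS_REDACT.RE_REDACT_EMAIL_NAME,
    regexp_position       => DBMS_REDACT.RE_BEGINNING,
    regexp_occurrence     => DBMS_REDACT.RE_FIRST);

  -- Random: a different random value of the same datatype on every fetch
  DBMS_REDACT.ALTER_POLICY(
    object_schema => 'FINANCE',
    object_name   => 'CUSTOMERS',
    policy_name   => 'customers_pii',
    action        => DBMS_REDACT.ADD_COLUMN,
    column_name   => 'LOYALTY_BALANCE',
    function_type => DBMS_REDACT.RANDOM);
END;
/

-- Verify the policy definition.
SELECT object_owner, object_name, column_name, function_type, function_parameters
FROM   redaction_columns
WHERE  object_owner = 'FINANCE'
AND    object_name  = 'CUSTOMERS';

-- From a call-centre session without CC_CLEAR the values below come back
-- redacted; from a session that has enabled CC_CLEAR they come back clear.
-- Redaction happens at fetch time, so the stored data never changes.
SELECT card_number, ssn, date_of_birth, email, loyalty_balance
FROM   finance.customers
WHERE  customer_id = 1001;
```

Redaction is a display control, not a storage control: a WHERE clause can still test the real value (WHERE ssn LIKE '987%'), so it does not replace TDE for data at rest or masking for non-production copies.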


Oracle Key Vault
Prevent



Oracle Key Vault for Key Storage and Management – Key Differentiators

Purpose-built centralized key store & lifecycle management for Oracle Advanced Security TDE master keys
• Optimized for TDE master key management
• Manage encryption keys for thousands of databases
• Supports RAC, Data Guard, Exadata, Multitenant

Archive wallets, Java keystores, and secrets for long-term retention and easy recovery

Multi-master 16-node cluster for continuous key availability across multiple data centers
• Read-write and read-only nodes
• Fast local access with global consistency

Enterprise-level scale, security, automation, extensibility
• Integration with popular HSMs for root of trust
• Easy to automate using a RESTful interface
• Field-proven Oracle technology stack
• Standards compliant (OASIS KMIP)
Oracle Key Vault Key Management Use-Cases

[Slide 49: a Key Vault cluster (up to 16 nodes) in the center. Uploaded and downloaded: Java keystores, Oracle wallets, Solaris crypto keys, GoldenGate 19.1 encrypted trail files, ZDLRA keys and secrets (secrets management). Served online: Oracle Database TDE and ACFS volume encryption keys]

Oracle DB deployments served:
• Single DB instance
• Multiple DBs on the same machine
• Multi-tenant
• RAC
• GoldenGate
• Data Guard
• Exadata, engineered systems
• ExaC@C
• Autonomous Database on ExaC@C


Oracle Key Vault Main Use Cases

• Use Case 1: Upload / Download. Wallet backup: the wallet is uploaded to Key Vault and downloaded again for recovery.
• Use Case 2: Online Master Key. The database fetches its TDE master key from Key Vault at runtime instead of from a local wallet.
• Use Case 3: Secrets Management. A user or application registers secrets in Key Vault and fetches them when needed.
What’s New with Oracle Key Vault 21?

1. Responsive, scalable user interface
2. Reduced TCO and improved security
3. New use cases: secrets management


Responsive, Scalable User Interface

• Oracle Key Vault 21 features a new responsive user interface
• Easy to navigate, simplifying common use-cases
• Optimized for large deployments
• Transparently adapts to different display sizes
• New dashboards enable administrators to quickly drill down and understand the various keys, secrets and other security objects under management


Oracle Key Vault Deployment Models

• Supports both on-premises and Cloud endpoints
• Can be deployed on-premises or in OCI compute using the Marketplace VM image


Data Masking and Subsetting
Prevent



Proliferation of sensitive data increases security risk

Production data gets copied to: Testing, Development, Cloud, Partners, Analytics, Demo, Training, Research & more...


Your dilemma: to do, or not to do

Your wish
• Get actionable insights from your data to take smarter business decisions
• Use realistic data for development and analysis
• Quickly share data with developers, data scientists, and partners

Your concern
• Avoid proliferation of sensitive data to non-production environments
• Comply with data privacy regulations such as GDPR
• Minimize time and storage costs

The solution? Data Masking and Subsetting


Data Masking and Subsetting

Data Masking
• Integrates with Sensitive Data Discovery, which helps you understand the sensitive data you have
• Provides comprehensive and flexible masking options that can generate realistic data to meet diverse requirements
• Preserves application integrity
• Is easy to use, without requiring technical skills

Data Subsetting
• Extracts only relevant data and discards unnecessary data
• Provides different subsetting options to meet various business requirements
• Preserves application integrity
• Integrates with Data Masking to provide a comprehensive solution


Oracle Data Masking and Subsetting
Minimize proliferation of sensitive data to non-production environments

[Slide 62: production SSNs and credit card numbers (e.g. 463-62-9832, 3715-4691-3277-8399) are masked and subsetted into the non-production copy (e.g. 555-12-1234, 5555-5555-5555-4444)]

• Sensitive Data Discovery
• Comprehensive masking options
• Goal/condition based subsetting
• In-database or in-export masking
• Support for Cloud and non-Oracle DBs
• Workload capture & clone masking
• Pre-installed in Enterprise Manager


Data Masking
Comprehensive and flexible masking formats

Common predefined masking formats
• Credit Card Number
• Social Security Number
• National Insurance Number
… and more

Flexibility to customize masking formats
• Fixed number / string
• Random numbers / strings / dates / list
• Substitute, Encrypt, Shuffle, Nullify
• User Defined PL/SQL Function
… and more

Sample masked values help preview and validate the masked data


Data Masking
Examples

Mask based on conditions (the identifier format follows the country):
  CA 226-956-324   → CA 368-132-576
  US 610-02-9191   → US 829-37-4729
  UK JX 75 67 44 C → UK AI 80 56 31 D

Shuffle records (Health Records): the first names of Emp ID 324 (Albert) and 986 (Hussain) are reassigned among the rows.

Generate deterministic output: the same Emp ID masks to the same first name in both the HR and FIN copies (324 → Charlie, 986 → Murali).

Generate random values while preserving format:
  Richard  7ZPN788      → Richard  5AMC942
  Rishabh  DL 12TC 0204 → Rishabh  KP 73GD 1948

Mask operating system files stored as LOBs: search [0-9]{10}, replace with * (3178973456 → **********, 6509876745 → **********).


Data Subsetting
Goal or condition based subsetting

• Relative table size: 100M rows → 20M rows → 2M rows
• Condition based: e.g. extract ASIA sales
• Table partitions: e.g. keep only the JAN and FEB SALES partitions, or the EMEA and APAC partitions
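Data Masking and Subsetting is driven from Enterprise Manager, which generates and runs the masking script for you. To make the transformations on the Data Masking Examples slide and the condition-based subsetting above concrete, here is an added example in plain Oracle SQL and PL/SQL (not the product's generated code) that applies each transformation to a constructed three-row copy of an employee table and then cuts a subset that keeps parent and child rows consistent. The NONPROD and PROD schemas, tables, columns and all values are constructed for the example.

```sql
-- Added example (plain SQL/PL-SQL, not EM-generated code): the masking
-- transformations from the slides on a constructed NONPROD copy, then a subset.

-- Constructed sample rows; every value is invented. CAST keeps the string
-- columns VARCHAR2 rather than fixed-width CHAR.
CREATE TABLE nonprod.employees AS
SELECT 324 AS emp_id,
       CAST('Albert'      AS VARCHAR2(30)) AS first_name,
       CAST('US'          AS VARCHAR2(2))  AS country,
       CAST('AMER'        AS VARCHAR2(4))  AS region,
       CAST('610-02-9191' AS VARCHAR2(20)) AS identifier,
       CAST('7ZPN788'     AS VARCHAR2(20)) AS license_no,
       5200 AS salary
FROM   dual
UNION ALL SELECT 986, 'Hussain', 'CA', 'ASIA', '226-956-324',   'KP73GD1948', 7300 FROM dual
UNION ALL SELECT 417, 'Grace',   'UK', 'EMEA', 'JX 75 67 44 C', '12TC 0204',  6100 FROM dual;

CREATE TABLE nonprod.scanned_docs (doc_id NUMBER, content CLOB);
INSERT INTO nonprod.scanned_docs VALUES (1, TO_CLOB('Call 3178973456 or 6509876745'));

-- 1. Deterministic output: a hash of the real key selects the fake value, so
--    EMP_ID 324 becomes the same first name in every table and on every run.
CREATE TABLE nonprod.fake_first_names (id NUMBER PRIMARY KEY, name VARCHAR2(30));
INSERT INTO nonprod.fake_first_names VALUES (0, 'Charlie');
INSERT INTO nonprod.fake_first_names VALUES (1, 'Murali');
INSERT INTO nonprod.fake_first_names VALUES (2, 'Aisha');
INSERT INTO nonprod.fake_first_names VALUES (3, 'Tomas');

UPDATE nonprod.employees e
SET    e.first_name = (SELECT f.name
                       FROM   nonprod.fake_first_names f
                       WHERE  f.id = ORA_HASH(e.emp_id, 3));   -- buckets 0..3

-- 2. Random values that preserve format: digit -> digit, letter -> letter of
--    the same case; punctuation and spaces are left alone.
CREATE OR REPLACE FUNCTION nonprod.random_like(p_value IN VARCHAR2) RETURN VARCHAR2 IS
  l_out VARCHAR2(4000);
  l_ch  VARCHAR2(1 CHAR);
BEGIN
  FOR i IN 1 .. NVL(LENGTH(p_value), 0) LOOP
    l_ch := SUBSTR(p_value, i, 1);
    IF    l_ch BETWEEN '0' AND '9' THEN l_out := l_out || TO_CHAR(TRUNC(DBMS_RANDOM.VALUE(0, 10)));
    ELSIF l_ch BETWEEN 'A' AND 'Z' THEN l_out := l_out || CHR(ASCII('A') + TRUNC(DBMS_RANDOM.VALUE(0, 26)));
    ELSIF l_ch BETWEEN 'a' AND 'z' THEN l_out := l_out || CHR(ASCII('a') + TRUNC(DBMS_RANDOM.VALUE(0, 26)));
    ELSE                                l_out := l_out || l_ch;
    END IF;
  END LOOP;
  RETURN l_out;
END random_like;
/

-- 3. Mask based on conditions: a UK National Insurance number keeps its real
--    suffix letter (always A-D) so the masked value still validates; every
--    other country's identifier is randomised within its own format.
UPDATE nonprod.employees
SET    identifier = CASE country
                      WHEN 'UK' THEN nonprod.random_like(SUBSTR(identifier, 1, LENGTH(identifier) - 1))
                                     || SUBSTR(identifier, -1)
                      ELSE           nonprod.random_like(identifier)
                    END,
       license_no = nonprod.random_like(license_no);

-- 4. Shuffle: the real salaries stay in the column but are reassigned to other
--    rows, which keeps the distribution intact for analytics.
MERGE INTO nonprod.employees t
USING (SELECT a.rid, b.salary AS shuffled
       FROM  (SELECT ROWID AS rid, ROW_NUMBER() OVER (ORDER BY emp_id) AS rn
              FROM   nonprod.employees) a
       JOIN  (SELECT salary, ROW_NUMBER() OVER (ORDER BY DBMS_RANDOM.VALUE) AS rn
              FROM   nonprod.employees) b ON a.rn = b.rn) s
ON (t.ROWID = s.rid)
WHEN MATCHED THEN UPDATE SET t.salary = s.shuffled;

-- 5. Files stored as LOBs: replace every 10-digit run in the CLOB.
UPDATE nonprod.scanned_docs
SET    content = REGEXP_REPLACE(content, '[0-9]{10}', '**********');

-- 6. Condition-based subset that stays referentially consistent: only ASIA
--    employees, then only child rows whose parent survived. PROD.TIMESHEETS is
--    an assumed child table keyed by EMP_ID.
CREATE TABLE nonprod.employees_asia AS
SELECT * FROM nonprod.employees WHERE region = 'ASIA';

CREATE TABLE nonprod.timesheets_asia AS
SELECT t.*
FROM   prod.timesheets t
WHERE  EXISTS (SELECT 1 FROM nonprod.employees_asia e WHERE e.emp_id = t.emp_id);
```

Step 1 is the one that matters for application integrity: a random or shuffled first name is fine on its own, but any column that is a join key across tables (EMP_ID, customer number) has to be masked deterministically, or the non-production copy stops joining. The product handles this for you; hand-written scripts have to get it right per column.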




Database Vault
Prevent



Protect Against Privileged User Attacks in the Database

[Slide 69: What about the front door? Database Vault controls how APPS, CloudOps/SYS users and DBAs inside the database reach the table of sensitive data (CREDIT_CARD_NUM: 4012-8888-8888-1881, 5454-5454-5454-5454, 5111-1111-1111-1118, and so on). Lock the back door: Transparent Data Encryption leaves OS, network and storage administrators with only encrypted data]


Oracle Database Vault
Reducing the Risk from Malicious Users

Minimize impact to
• Applications
• Performance
• High Availability
• Operations

Controls: Separation of Duty, Trusted Path, Protect Sensitive Data, Over-Privileged Account, Prevent Database Change


Database Vault Realm
Protects Sensitive Data from Unauthorized Access

[Slide 71: a DBA who holds the “select any table” privilege runs select * from finance.sales, directly and from PL/SQL, and is blocked by the realm]

• Limit default powers of privileged users
• Enforce policy rules inside the database
• Mandatory realms block direct object grants
• Violations audited, secured and collected by Oracle Audit Vault and Database Firewall


Database Vault Command Rules
Enforce a Trusted Path and Control Database Changes

[Slide 72: commands issued by a DBA such as TRUNCATE TABLE PROCUREMENT, CREATE PACKAGE PAYROLL and CONNECT as FINANCE are allowed or denied based on factors such as time and IP address]

• Prevents human error in production databases
• Control database configuration changes for security and compliance
• Protect application data and prevent application by-pass
• Enforce who, where, when, and how data can be accessed using factors such as time, IP address, and program name
How to Easily Adopt Database Vault?

Use Simulation Mode!
• Simulate new controls in production before enabling
• Certify applications with Database Vault
• Develop the Database Vault security configuration during dev-test-deploy


Application Certification with Database Vault
Simulation Mode – Violations are Logged, Not Enforced

Simulation Mode
• Reduce upfront analysis
• Reduce cycles

Workflow: Analyze Application → Security Controls (Simulation Mode) → Test Application → Analyze Errors (Simulation Log) → Application Certified with Database Vault
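The realm, command rule and simulation-mode workflow of the last three slides, as one added example using the DBMS_MACADM API (this is example code, not the slides' own). It is run as the Database Vault owner (DV_OWNER role) in a PDB where Database Vault is already configured and enabled. The FINANCE schema, the FIN_APP account, the application-tier IP addresses and all object names are illustrative; realm_type 1 is the mandatory realm the realm slide refers to.

```sql
-- Added example: a Database Vault realm and command rule, deployed first in
-- simulation mode and then enforced. Run as DV_OWNER in the PDB; Database Vault
-- must already be configured and enabled. FINANCE, FIN_APP, IPs are illustrative.

-- 1. Mandatory realm around the FINANCE schema (realm_type 1): even a direct
--    object grant to an outsider is blocked. Simulation mode records would-be
--    violations instead of raising ORA-01031 "insufficient privileges".
BEGIN
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'Finance Realm',
    description   => 'FINANCE application data; ANY-privilege holders kept out',
    enabled       => DBMS_MACUTL.G_SIMULATION,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL,
    realm_type    => 1);

  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'Finance Realm',
    object_owner => 'FINANCE',
    object_name  => '%',
    object_type  => '%');

  -- The application account may use the data; FINANCE itself is realm owner so
  -- it can still maintain its objects. DBAs are authorised to neither.
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'Finance Realm',
    grantee       => 'FIN_APP',
    rule_set_name => NULL,
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'Finance Realm',
    grantee       => 'FINANCE',
    rule_set_name => NULL,
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_OWNER);
END;
/

-- 2. Trusted path: a rule set that is true only from the app tier during
--    business hours. DVF.F$CLIENT_IP is a built-in Database Vault factor.
BEGIN
  DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'Finance Trusted Path',
    description     => 'App-tier addresses, 08:00 to 18:59',
    enabled         => DBMS_MACUTL.G_YES,
    eval_options    => DBMS_MACUTL.G_RULESET_EVAL_ALL,
    audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
    fail_options    => DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => 'Blocked by Database Vault: outside the trusted path',
    fail_code       => 20461,
    handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);

  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Business Hours',
    rule_expr => 'TO_NUMBER(TO_CHAR(SYSDATE, ''HH24'')) BETWEEN 8 AND 18');
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'From App Tier',
    rule_expr => 'DVF.F$CLIENT_IP IN (''10.10.5.21'', ''10.10.5.22'')');

  DBMS_MACADM.ADD_RULE_TO_RULE_SET(rule_set_name => 'Finance Trusted Path', rule_name => 'Business Hours');
  DBMS_MACADM.ADD_RULE_TO_RULE_SET(rule_set_name => 'Finance Trusted Path', rule_name => 'From App Tier');
END;
/

-- 3. Command rule: TRUNCATE TABLE on FINANCE objects only when the rule set is
--    true. Also in simulation mode for now.
BEGIN
  DBMS_MACADM.CREATE_COMMAND_RULE(
    command       => 'TRUNCATE TABLE',
    rule_set_name => 'Finance Trusted Path',
    object_owner  => 'FINANCE',
    object_name   => '%',
    enabled       => DBMS_MACUTL.G_SIMULATION);
END;
/

-- 4. Run the application's regression suite, then read the simulation log.
--    Every row here would have been blocked in enforcing mode.
SELECT username, command, violation_type, realm_name, rule_set_name, sqltext
FROM   dba_dv_simulation_log
ORDER  BY username, command;

-- 5. When the log shows only the violations you expect, switch to enforcing.
BEGIN
  DBMS_MACADM.UPDATE_REALM(
    realm_name    => 'Finance Realm',
    description   => 'FINANCE application data; ANY-privilege holders kept out',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL,
    realm_type    => 1);
  DBMS_MACADM.UPDATE_COMMAND_RULE(
    command       => 'TRUNCATE TABLE',
    rule_set_name => 'Finance Trusted Path',
    object_owner  => 'FINANCE',
    object_name   => '%',
    enabled       => DBMS_MACUTL.G_YES);
END;
/
```

Two things the simulation log will typically surface before go-live: batch jobs and monitoring agents running under DBA-class accounts that legitimately read FINANCE data (they need to become realm participants, or be moved to a dedicated account), and a CONNECT or ALTER SYSTEM command rule that would lock out the very account used to administer Database Vault, which is why rules on CONNECT are best left in simulation mode longest.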


Database Vault Operations Control with 19c

Benefits
• New use case for multitenant databases for on-premises customers
• Transparently prevent Cloud Admin (infrastructure DBA) access to PDB data
• Protected by default for every PDB customer, no customer action required
• No special SOD processes for PDB customers; they operate the same way they do today
• Adds to any existing PDB customer Database Vault protections, without changes
• Simpler, faster Database Vault implementation


Database Vault Operations Control with 19c

[Slide 76: a multitenant container database with the CDB root and several PDBs; the common user XYZ exists in the root and in every PDB, and each PDB also has its own local users]

• Enable DV in the CDB root
• Enable DV Operations Control as the DV Admin
• CDB root common users are prevented from accessing PDB local data by default, transparently to PDB customers
• Customers can enable/disable DV in their own PDB with no impact
• Exceptions are possible (for example MDSYS, to allow access by MDSYS to PDB data)
• DV Ops Control can be disabled/enabled for a PDB for troubleshooting
• Complementary protection with PDB lockdown profiles, which prevent PDB users from impacting other PDBs and the database


Oracle Database Vault
Challenges Addressed

Protect Sensitive Data; Separation of Duty; Database Command Rules, Trusted Path


Label Security
Users



Oracle Label Security

[Slide 79: rows labelled Sensitive, Confidential or Public; two users with user labels Sensitive and Confidential access them, and each sees only the rows their label dominates. The data label is stored in a hidden column]

• Controls access to classified data based on the classification of the data and the security label of the user
• Restrict exposure of sensitive data based on the security label of the user
• Restrict access to data using ad hoc tools based on the security label of the user
• Controls on database operations permitted based on the security label of the user
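The mechanism on the slide, as an added example with the Oracle Label Security PL/SQL packages (not slide content): a policy with three levels, labels applied to rows of an HR table through the hidden policy column, and two users with different clearances. It assumes Label Security is configured and enabled in the PDB, that it is run by an OLS administrator holding LBAC_DBA and EXECUTE on the SA_* packages, and that the administrator has UPDATE on the table for the back-fill. HR_POL, HR.EMPLOYEES, OLS_ADMIN, ALICE and BOB are illustrative.

```sql
-- Added example: an Oracle Label Security policy. Run as the OLS administrator
-- (LBAC_DBA). Policy, table and user names are illustrative.

-- 1. Policy. HR_LABEL is the label column added to every protected table; HIDE
--    keeps it out of SELECT * and DESCRIBE, as on the slide.
BEGIN
  SA_SYSDBA.CREATE_POLICY(
    policy_name     => 'HR_POL',
    column_name     => 'HR_LABEL',
    default_options => 'READ_CONTROL,WRITE_CONTROL,HIDE');
END;
/

-- 2. Levels (a higher number dominates a lower one) and the labels built from them.
BEGIN
  SA_COMPONENTS.CREATE_LEVEL('HR_POL', 10, 'PUB',  'PUBLIC');
  SA_COMPONENTS.CREATE_LEVEL('HR_POL', 20, 'CONF', 'CONFIDENTIAL');
  SA_COMPONENTS.CREATE_LEVEL('HR_POL', 30, 'SENS', 'SENSITIVE');

  SA_LABEL_ADMIN.CREATE_LABEL('HR_POL', 1000, 'PUB');
  SA_LABEL_ADMIN.CREATE_LABEL('HR_POL', 2000, 'CONF');
  SA_LABEL_ADMIN.CREATE_LABEL('HR_POL', 3000, 'SENS');
END;
/

-- 3. Protect the table with the policy's default options.
BEGIN
  SA_POLICY_ADMIN.APPLY_TABLE_POLICY(
    policy_name => 'HR_POL',
    schema_name => 'HR',
    table_name  => 'EMPLOYEES');
END;
/

-- 4. Clearances. ALICE may read up to SENSITIVE and writes CONFIDENTIAL by
--    default; BOB is cleared only to CONFIDENTIAL. The administrator gets the
--    FULL privilege so the back-fill in step 5 bypasses the controls.
BEGIN
  SA_USER_ADMIN.SET_LEVELS('HR_POL', 'ALICE',
                           max_level => 'SENS', min_level => 'PUB',
                           def_level => 'CONF', row_level => 'CONF');
  SA_USER_ADMIN.SET_LEVELS('HR_POL', 'BOB',
                           max_level => 'CONF', min_level => 'PUB',
                           def_level => 'CONF', row_level => 'PUB');
  SA_USER_ADMIN.SET_USER_PRIVS('HR_POL', 'OLS_ADMIN', 'FULL');
END;
/

-- 5. Label the existing rows. Executive pay is SENSITIVE, the rest CONFIDENTIAL.
UPDATE hr.employees SET hr_label = CHAR_TO_LABEL('HR_POL', 'SENS') WHERE salary >= 200000;
UPDATE hr.employees SET hr_label = CHAR_TO_LABEL('HR_POL', 'CONF') WHERE hr_label IS NULL;
COMMIT;

-- 6. Effect: the same statement returns different rows per user. BOB (max CONF)
--    never sees SENS rows, whatever tool he runs it from; ALICE sees all of them.
--    The hidden column is visible when named explicitly.
SELECT emp_id, last_name, LABEL_TO_CHAR(hr_label) AS data_label
FROM   hr.employees
ORDER  BY emp_id;
```

Because the label travels with the row, an ad hoc query tool, a report and an export all get the same answer for BOB; that is the difference between Label Security and the application-side filtering it is usually introduced to replace.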


Controlling Access to Personal Data

• USERS: authorize users
• LABELS: label data (Confidential, Sensitive)
• DATA: control access to sensitive data

Factors feed the controls: Advanced Security redaction factors and Database Vault command control factors.


Comprehensive Security Controls for Oracle Databases

Assess: Config-Assessment (DBSAT, DBLM); Data Discovery; Privilege Analysis*
Detect: Activity Auditing; Audit Vault; Database Firewall*
Prevent: Transparent Data Encryption & Key Vault; Data Masking, Data Redaction; Database Vault*
Data: Label Security; Virtual Private Database (VPD); Real Application Security (RAS)*; DB Cryptographic Toolkit
Users: Password, PKI, Kerberos, Radius; Proxy Users, Password Profiles; Roles and Privileges; Oracle & Active Directory

* Unique to Oracle
Questions

Thank you
Mostafa H Emam
Principal Solutions Engineer