Maximum Security Architecture

Because of how valuable your data is, protecting it against theft and unauthorized use is perhaps your biggest challenge. Databases need more security than the bare minimum.   In this episode, Lois Houston and Nikita Abraham, along with Greg Genovese, talk about how Oracle’s data-driven security features work together to create a maximum security architecture.   Oracle MyLearn: https://mylearn.oracle.com/ Oracle University Learning Community: https://education.oracle.com/ou-community LinkedIn: https://www.linkedin.com/showcase/oracle-university/ Twitter: https://twitter.com/Oracle_Edu   Special thanks to Arijit Ghosh, David Wright, Ranbir Singh, and the OU Studio Team for helping us create this episode.   ---------------------------------------------------------   Episode Transcript:   00;00;00;00 - 00;00;38;18 Welcome to the Oracle University Podcast, the first stop on your cloud journey. During this series of informative podcasts, we'll bring you foundational training on the most popular Oracle technologies. Let's get started. Hello and welcome to the Oracle University Podcast. I'm Lois Houston, Director of Product Innovation and Go to Market Programs with Oracle University, and with me is Nikita Abraham, Principal Technical Editor.   00;00;38;20 - 00;01;01;20 Hello again! In today's episode, we're going to talk with Oracle Database Specialist Greg Genovese about Oracle's Maximum Security Architecture. Hi, Greg. Thanks for joining us today. We have so much sensitive information in our databases so I get why a data thief would try to attack and steal data. But how do they actually do it? Databases don't just operate in a vacuum.   00;01;01;23 - 00;01;26;01 A database is accessed often through a firewall by users and applications. Speaking of those firewalls, if an attacker has managed to penetrate into the internal network, they may choose to go after data traveling over that network. This type of attack is much less likely to be detected than attempts to access the database directly. Another popular attack is against the underlying data files, database backups, or database exports.   00;01;26;04 - 00;01;49;19 Here again, if the attacker is successful, they may be able to steal the entire database without even having to try to log in. Oh my goodness! That sounds terrible. If none of those options work, perhaps the database has an unpatched vulnerability. In many cases, there are automated attack toolkits that help exploit these vulnerabilities.   00;01;49;21 - 00;02;18;29 And let's not forget those non-production copies of the database. What's a non-production copy of a database? In many systems, the test and development instances are effectively just clones of production and are hardly ever monitored as closely as production databases. In most cases, there are copies of database for test, development, stage, and user acceptance testing or UAT. Databases persist data into a storage medium and run on servers with operating systems and peripherals.   00;02;19;02 - 00;02;49;16 All of these are managed by administrators. And administrators are a hacker's favorite point of attack. If they can compromise an admin account, they are in with elevated privileges and in most cases zero controls over what they can do. If the attackers can't compromise an admin account, they can often compromise an end user account. Lower privileges, but often still with access to the data or able to be used as a stepping stone to get that access.   00;02;49;19 - 00;03;20;20 Also, applications make an attractive target too. They are frequently more exposed than a database or database server and often even available from outside of the corporate firewall. That's a lot, Greg. There are just so many points of attack. So then how do I keep my database safe? Securing an Oracle Database is much like securing any other system. You are protecting your data, which could be intellectual property, financial data, personal data about your customers or your staff, or most likely a combination of all three of these things.   00;03;20;22 - 00;03;44;06 Because data is valuable, you need to guard against its theft and misuse. This data is used for business purposes and that means users and applications connect to the database and you need to safeguard that data with security controls that restrict access to the data according to your corporate policy. To do this, you'll need to do three things: assess, detect, and prevent.   00;03;44;06 - 00;04;17;01 Assess, detect, prevent. Okay. But how do you assess and what are you actually assessing? Assess the system to determine its current state and develop a remediation plan. Is the system configured properly? Are patches applied regularly? How are user privileges managed? And are you enforcing these privileges? What types and how much sensitive data is the system holding? Your existing investment in the Oracle Database gives you the features and utilities you need to assess your database and identify areas for improvement and risk reduction.   00;04;17;01 - 00;04;53;21 And how do you detect and prevent? Detect attempts to access data outside of policy and identify anomalies in data access. Almost all database activity is repetitive, so anomalies are frequently a leading-edge indicator of attempted data theft. Prevent access to the data that doesn't go through the database control mechanisms, sniffing traffic over the network, reading the underlying data storage layer, or misuse of database exports and backups. Block inappropriate access to data through control mechanisms that consider the context of the access, not just the identity of the account accessing the data.   00;04;53;21 - 00;05;10;23 Oracle provides industry-leading capabilities for each of these security control objectives. Our team can help you identify the right technical enforcement for virtually any control objective.   00;05;10;25 - 00;05;40;14 Have you been wanting to earn an Oracle certification? Well, there's never been a better time than the present. Now through August 31st, you can choose from over 20 different Oracle certifications and take up to four exams for free, including foundation, associate, and professional level Oracle Cloud Infrastructure certifications. You can also learn and get certified on Oracle Cloud Applications Business Processes for Human Capital Management, Financials, Customer Experience, Supply Chain, and Procurement.   00;05;40;17 - 00;06;07;09 And did I mention this was all free? Oracle Cloud training and certifications empower you to explore limitless possibilities in the cloud landscape. Gain the knowledge and skills needed to design, deploy, secure, and operate modern cloud infrastructure and applications with confidence. You can go to education.oracle.com for more details. What are you waiting for? Get certified today.   00;06;07;12 - 00;06;34;19 Welcome back! Greg, I'm sure every database has a basic level of security, right? There are some things we expect to always be done. What we call the baseline security posture. Establishing the baseline security posture involves several types of different controls. We'll assess the system state, prevent unauthorized activity, and detect activity that is relevant to our security controls. Our first control is assessing the database configuration.   00;06;34;22 - 00;06;59;08 We want to ensure that we haven't made configuration decisions that introduce unnecessary risk into the environment. We'll also check to make sure that the database is current on all security patches. And how do we check this? For this, we have two tools available to us: Database Security Assessment tool or DBSAT and Data Safe. DBSAT is a free utility available for download via My Oracle Support.   00;06;59;08 - 00;07;23;28 Data Safe is a cloud service that is included at no additional cost with Oracle Cloud Database Services. Data Safe is also available for on-prem databases, but there is an additional cost for those. Users and applications connect to the database. We want to ensure that if they are connecting with username and password, we're practicing good password discipline. We also want to consider the use of strong authentication.   00;07;24;00 - 00;07;50;10 Your Oracle database supports Kerberos, TKI certificate, and multi-factor authentication. We'll want to make sure that those users are really able to connect to the database, identifying dormant accounts and checking to be sure we haven't granted privileges that don't make sense in our environment. Here again, DBSAT and Data Safe help by pointing out the use of such things like select any table privileges or grants of the DBA roles.   00;07;50;12 - 00;08;15;06 We should also check that database accounts are actually using the privileges we grant. Is there any way to monitor the privileges we grant? Privilege analysis monitors privilege usage, and can report on privileges that an account has which are not being used. We can then remove those unnecessary privileges, reducing the attack surface presented by those users. Note that privilege analysis is only available for Oracle Enterprise Edition Database.   00;08;15;09 - 00;08;47;03 It is not present in Oracle Standard Edition. Users are inserting and updating data and also retrieving data. That data is traveling over the network, and in most cases, we want you to encrypt the data to reduce the chances that an attacker can simply sniff the network to steal data. And are there different types of encryption? The Oracle database supports two different types of network encryption, native network encryption, which is certificate lists and usually requiring zero change to the applications to implement. And industry standard certificate-based TLS.   00;08;47;05 - 00;09;12;12 Depending on how many users connect to our database and how many databases we have, we may want to implement centralized authentication. Your Oracle database supports two types of centralized user management. One feature, Enterprise User Security, is available on all currently-supported database versions and allows the Oracle database to consult an Oracle LDAP directory for users and role membership.   00;09;12;14 - 00;09;46;13 The other feature, centrally managed users, was new in Oracle 18c and allows the Oracle database to connect to Microsoft Active Directory for users and role membership. Is there a way for us to know what users are doing? For this, we use database auditing. The Oracle database offers a comprehensive auditing capability, and you will usually want to audit database connections, especially failed logins, as well as data control language, including creation of users and privilege grants, and data definition language like creation of stored procedures, database links, and more.   00;09;46;16 - 00;10;16;06 All of these are fairly rare in most databases, so this level of auditing presents minimal performance impact. Finally, we want to make sure that we know what sensitive data resides in the database. Is the baseline security posture appropriate for the level of risk presented by the data? Or should we do more to protect our data? Here we return to DBSAT or Data Safe, which allow us to scan the database for sensitive data reporting on what types of data are found and how much of it there is.   00;10;16;06 - 00;10;41;24 All of the controls we've talked about so far are baseline. These are things we think any database should do and everything we've discussed so far can be done without additional costs, products, or options. But what if I want more than normal baseline security? Maybe my database contains personal information, financial information, intellectual property, or something else that requires more than just basic security.   00;10;41;25 - 00;11;08;13 Since that data is eventually being persisted on disk, in backups, and in exports, we'll want to protect it from attack there. Here is where transparent data encryption comes into play. If we encrypt data, that means there is an encryption key that we need to protect and distribute securely. For this, we can use Oracle Key Vault. Remember, those administrators with privileges and access to special data? We’ll want to protect against them as well.   00;11;08;15 - 00;11;40;17 And for this, we'll use Database Vault. Could you tell us more about Database Vault? Database Vault lets us separate the duties of database administration from access to the data within the database. Database Vault also protects against a compromised application server, locking down application accounts so they can only access data from within the normal context of the application. When data is accessed from outside of the application, we may want to provide additional protection for high value data columns like credit card numbers or taxpayer IDs.   00;11;40;19 - 00;12;07;01 For this, we can use data redaction to hide sensitive data on the fly as it leaves the database. And for those non-production clones, the database we talked about, we’ll simply remove sensitive data from them, replacing it with realistic looking "safe data" that does not present a security risk, but still allows application development and testing to continue. We can either use Data Safe or Enterprise Manager’s data masking and subsetting pack.   00;12;07;03 - 00;12;30;02 We seem to have done a lot to protect the database, but is there a way to detect attempts to break in and steal data? For that, we’ll configure auditing within the database and feed audit events to a centralized audit vault for analysis, reporting, and even alert generation. We'll also use database firewall to examine incoming connections and SQL statements for anomalies and violation of policy.   00;12;30;04 - 00;13;00;15 And if we choose to, we can go one step further and actually block out policy activity with the firewall. And of course, events from the database firewall flow into the audit vault server for analysis, reporting and again, alert generation. We've talked about assessing security, detecting inappropriate activity, and preventing unauthorized access to data. But there is a fourth type of database security control that is unique to databases called database-driven security.   00;13;00;17 - 00;13;27;15 These controls are used to provide fine-grained access control at the data row or column levels. Oracle database provides a variety of data-driven security features, including Real Application Security and Label Security. All these controls, working together, create the maximum security architecture or MSA. Not every database requires the full MSA, but many databases require something much more than just standard baseline security protocols.   00;13;27;17 - 00;13;52;13 Thanks, Greg, for joining us today. To learn more about Oracle's Maximum Security Architecture, visit mylearn.oracle.com and head over to the Oracle Cloud Data Management Foundations Workshop. That brings us to the end of this episode. Join us next week for a discussion on Oracle Cloud Infrastructure's Maximum Availability Architecture. Until then, this is Lois Houston and Nikita Abraham signing off.   00;13;52;15 - 00;16;33;21 That's all for this episode of the Oracle University Podcast. If you enjoyed listening, please click Subscribe to get all the latest episodes. We'd also love it if you would take a moment to rate and review us on your podcast app. See you again on the next episode of the Oracle University Podcast.