Complete database security in 4 simple steps


Hi everyone, I'm Russ Lowenthal. I'm vice president for database security here at Oracle, and today I want to talk to you a little bit about four simple things that you should be doing to secure your database. Now, we all deal with lawyers. Because I work in development, I know kind of what's coming, and if at any point during this presentation I happen to talk a little bit about something that may be coming in our next release of the database, that's just me talking. Things always change in development; you can never count on it. That's what the Safe Harbor slide means. But everything I'm telling you, everything I'm going to tell you, it doesn't matter what version of your database you're on. It really doesn't even matter if you're using Oracle or not. Most of the things we're talking about are universal for any data-driven application. The examples that I'll give are specific to Oracle, but the concepts are just simply universal.

So how do you secure a database? Basically there are four things that you need to do. The first one is you need to understand how your system is configured. You need to look at the configuration parameters, the setup of your database. In the Oracle database in particular there are lots of different configuration parameters, and most of those have nothing to do with security, but there are a few that, if you set them in a certain way, change the way the database behaves from a security standpoint, and they can introduce unnecessary risk. You want to find those settings, and if you are accepting additional risk, you want to make sure you do that with your eyes open. You don't want to be blindly accepting things and not knowing what's going on. So you assess your database to find and remove unnecessary risk.

The second thing you do is obvious in today's world: you need to encrypt your data. Encryption is a fundamental security control, and that means your data as it travels over the network; it also means your data as it is stored within the database. All data should be encrypted pretty much all of the time.

You need to control access to the data. You don't want... well, in most cases everyone who can access your system shouldn't be able to access all of the data within that system. They should be able to see the data that is relevant to whatever business they have to do, not all of the data. So you control access to the data.

And then the final thing you've got to do is you've got to plan for failure. The bad guys are out there. They are definitely trying to get at your data. You want to assume that they are going to be probing your defenses, and you want to audit what's going on in your database for two big reasons. One of them is maybe through your auditing you catch what's going on before something bad happens and you're able to stop it from happening. Or maybe you don't catch what's going on, but later you can go back and reconstruct what the bad guys did so that you can determine what the amount of damage was, what was the blast radius of this type of attack.

Let's take these four different things individually. We'll start with adopting a secure configuration. Like I said, the database has dozens of settings that impact security, and you want to make sure that you're controlling your configuration so you don't expose additional risk. Now, there are a couple of tools in your toolbox that can help with this. One of them is the Database Security Assessment Tool. Others include things like Data Safe or Enterprise Manager configuration dashboards. But we're going to start with the Database Security Assessment Tool. It's basic, fundamental, very, very easy to get to. It's a command line utility that really is a lowest common denominator. If you have access to your database, you can run the Database Security Assessment Tool.

All right, so let's look at this. We start by going to My Oracle Support. We go to the support note that talks about the Database Security Assessment Tool, we agree that we're going to, you know, abide by the terms and conditions, and we download the assessment tool. It's a simple zip file, very, very easy to use. Once we've got it downloaded, you can see it's a pretty small file. We transfer that out to our database server and we unzip it. Thank you. We've got to make sure that we meet the prerequisites: we need to have Python, we need to have obviously the zip and unzip utilities, and we need to have Java 1.8.

First we'll go ahead and run the Database Security Assessment Tool collector. We'll give it the credentials to connect to our database and what we want our output file to look like, the password for our database. It runs, and then it produces a zip file that we're going to encrypt; that's what the second password is. Next we analyze that collected data. We run the Database Security Assessment Tool reporter. We tell it where our file is located, we give it the password we used when we created the file, we give it another password. This time it's going to produce our output file, and that includes text, HTML, spreadsheet and JSON format demos.

We open up the HTML, and here you can see an example of what a security assessment looks like. We've just gone through and we have checked everything from user profiles, to is the latest patch applied, to how are your passwords being managed, to all those initialization parameters that deal with security. And we tell you: we found this area, we think this is an area of risk. In this case we're looking at something that's medium risk: we have users with no password verification functions.

We can also look at this through tools like Data Safe. If you're running in the Oracle Cloud you might be using Data Safe, and there you can run a report. You get a little bit nicer dashboard, and we can easily compare assessments from one to another. But these all do the same basic thing: they tell you where you've got risk, where you've made configuration choices that perhaps are introducing risks that you don't need to accept, and give you a clue of how you can back out of that risk if you want to. Data Safe has a little bit of extra things in there. For example, we also do user assessment. We look through your users, say which ones are the highest risk if they were compromised, what their access is. You can even drill down and see what their activities are and what their individual privileges are, as well as alerting when new privileges are granted or new users are created. But assessment: first thing we do from a security standpoint.

Next thing we want to do is encrypt our data. We encrypt our data in motion, and for this you have industry-standard Transport Layer Security. Transport Layer Security means that you have to, at a minimum, issue the database's certificate, and then you can choose to set up mutual Transport Layer Security, where the client also has a certificate, or you can choose not to. You also have native network encryption, which is old technology, been around a long time, but we do keep it up to date with the latest encryption algorithms, and this allows you to encrypt without certificates. Obviously TLS with certificates is more secure, because the database is identified by a certificate, but there are operational things you have to think about when you're managing certificates. So oddly enough, native network encryption is very, very popular even with security-conscious organizations, because you don't have things like the risk of a certificate expiring.

All right, for data at rest you're normally going to encrypt using Transparent Data Encryption. Transparent Data Encryption is one of the features of Oracle Advanced Security, an option for the Oracle database. Let's take a look at encryption and see how this works. What we're going to do is we're going to start with the database: no user tablespace is created, no real data in there, it's a fresh database. We're going to create two tablespaces. One of them is a clear tablespace, one is encrypted. When we look at these two data files for the tablespaces, there's no data in the clear tablespace, no data in the encrypted tablespace, because we just encrypted it, or just created it rather.

Now we're going to create a table in each tablespace, and all we're going to do is create that table and then we're going to insert a single record into each table. We're not going to commit, so we still expect to see no data here. We look at the data files, we do a quick strings on it, and when we check this there's no data in there. This is to be expected. Now we'll commit and do a checkpoint to force the database to write to the files, and we'll go out and we'll take a look at our tablespaces again. When we look, we can see the clear "Russ was here", but the encrypt doesn't show up at all. If we look at that clear tablespace's data file, there's our test clear "Russ was here". When we look at the encrypted data file (remember, there was nothing in there before), look what we see now: a bunch of gobbledygook. This is encrypted data, and this is how simple encrypting the data is with an Oracle database.

The third thing we want to do, the third thing is we need to control access to data. This is probably the most interesting thing that you get to work on, because there are so many ways to control encryption... because there are so many ways to control access in an Oracle database. You can control it based upon data attributes, on session attributes, on objects, on commands. There are so many features to do this, but one of my favorites is something called Database Vault, and this is an area where you get a lot of power with the Oracle database.

So let's take a quick look at Database Vault, and again we're going to start with the database where Database Vault isn't even configured. I'm going to take you from zero to hero in one step. So here we can see no Database Vault configured, and we will go ahead and create a Database Vault owner and a Database Vault manager. These are for separation of duties. Once we configure Database Vault, these users will be used. We'll grant permissions for these guys to log in and create a session, and that's all we need to do.

Now what we're going to do is we're going to configure Database Vault, and notice that I'm doing this as SYSDBA. Takes just a second, and then what we're going to do is we are going to log out as SYS and log back in as the Database Vault owner. Okay, but before we do that, let's go ahead and check to make sure that we're in the right container. We'll make sure that we don't have any invalid objects out there, because when we run Database Vault it does a complete privilege recheck. And now we'll close our pluggable database, because we've made this configuration change and we want to restart it with the new Database Vault configuration going. So we bounce our pluggable database. We'll go back to SQL Developer. Because we closed and restarted the database, I've got to reconnect, so I'll reconnect as my different users. I've logged in, as you notice, I've got several different sessions here, so I make it easy to switch back and forth between sessions here in the demo.

Now, all we've done so far is enable Database Vault. That did a few things: it instituted some basic separation of duties. SYSDBAs, for example, can't create users anymore. But I haven't done anything really to protect data yet. So when I go in and I look at a table like this, that obviously has some sensitive data in it, I can still see that. I can see that as a DBA, I can see that as someone who has been granted direct object privileges to it, and of course I can see that as the schema owner.

Now I'm going to go in as the Database Vault administrator and I'm going to put some security around this. The first thing I'm going to do is I'm going to create a realm, a logical construct to hold security privileges, and then I'm going to go through and I'm going to add the entire application schema to that realm, and I'm going to grant only the application owner access to that schema. No one else can see it, and by no one else I mean DBAs, people who have direct object grants. Database Vault overrides everything. So I'll go in and I will change my session and I'll try logging in as someone with direct object privileges. I can't see the data. Okay, insufficient privileges. I will change and I will become SYSDBA. Can't see the data.

And here what I've done is, in just a few minutes, I have protected this application data, which in most cases is sensitive data, from these compromised privileged user accounts. Because, you know, we didn't really go into a lot of setup for this, but the way most databases get had is someone actually compromises an account and just logs in and steals the data, and administrator accounts are the favorite ones to compromise. So here we've got Database Vault and we've controlled access.

Fourth thing we want to do is we want to make sure that we are auditing what goes on in our database to support those two use cases: one, maybe detect something before it gets out of hand; two, something does happen, we want to be able to go back and see what happened and what data was accessed. For that, what we're going to use is unified audit. Unified audit was brand new a decade ago, back in Oracle 12. Now it's pretty old, very mature. But what we're going to do is we are going to use unified audit to audit some common security issues. If someone tries to log into the database and fails, well, we want to know that; that's a good security event. If someone creates a new user, or tries to create a new user, or grants roles to that user, we want to know that; that's a security event. And if someone is changing structures within the database, changing the definition of the data, we want to know that too.

Here our main tool is built into the database: unified audit. But optional tools would include things like Audit Vault and Database Firewall, or the auditing capabilities of Data Safe, where we're going to collect this audit data from the database and move that into a repository for analysis, alerting, reporting, all of that stuff that we need to do from a compliance standpoint.

So let's take a look at auditing in action, and we'll start again with a clean system. I've purged the audit trail. There's no real data in there. That one record you see is the fact that I purged it; that always gets audited when you purge your audit trail. But all set to go, and what I'm going to do is I'm going to connect to the database as someone with privileges to control auditing. Okay, so you can see I'm an Audit Vault administrator... I'm sorry, I'm an audit administrator. And I'll again check to see what roles I have, and I have that audit administrator role. And I'm just going to go ahead and turn on three of the default audit policies: logon failures, anything that has to do with Database Vault, and any of the secure configuration stuff. These are now all active and... activity. So let's create some activity.

I'm going to go in and I'm going to try (notice I'm SYS) I'm going to try and create a user called Bob. Now remember, I turned on Database Vault in our last piece of security, so this should fail, because DBAs can't create data anymore. And sure enough it does fail, generated an audit record. All right, let's see, what else can I do? I could try and go in as a different user, and this time I'll go in as the Database Vault account manager and I will create Bob. But this time, because I'm the right user, I do have the privileges under Database Vault to do that. This one will succeed. Again, it's going to generate an audit record, because I said to audit this type of activity. I'll grant privileges to Bob: create session. Okay, I'll grant a role to Bob: DBA. All of these things are creating an audit trail so that I could see who did it, when they did it, where they did it from. Go back to SYS. I'll grant DBA before... I fail, because I didn't have privileges to grant DBA; I was just the user admin.

Okay, you can see our audit records, and when we kind of scroll over and look, it's a pretty wide table. There's a lot of data in that audit table. We can see some things were done as the Database Vault administrator, some were done as the audit administrator, but we can see someone did something to Bob, someone had a logon failure. All of these things were audited along the way.

Okay, let's do a little bit more. I'm going to try and log into the database, and I'll log in as Bob with a password of Bob, which of course is not my password. You watched me use a more secure password when I did this. I'll try connecting as Joe with the password of Mary, and again this is not going to succeed, because that's not Joe's password or anything. I've got a Joe in this database. All right, and we go back and again we look at our audit trail, and we can see, sure enough, if we scroll over just a little bit, that we came in from a different client as different users and we tried to do different things.

If we look in Data Safe, the same type of information is available, but again you get a little bit more with it. You get the ability to generate reports and do analytics a little bit more easily, and you can generate alerts when certain things happen. So Data Safe gives you more to this, but you've got all the tools you need inside of your database. Right, so here's our records, and again you can see that complete record, everything that happened as we were doing our audit activity.

All right, so that's it. I told you it was four simple things, and it really is four simple things. You need to make sure you understand your configuration. You need to monitor your configuration. If your configuration changes, you should be checking it periodically so you know about this. A lot of breaches happen not just because of compromised accounts but because someone forgot to apply a patch, or changed a setting while they were troubleshooting something and forgot to change it back. So check your configuration, not as a one-time activity; that is a periodic, ongoing, standard security process. Encrypt your data: at rest, in motion, data should be encrypted. Control access to the data, and I showed you one tool, Database Vault. There are lots of different ways to control access. They have different advantages and disadvantages and use cases. You can spend a lot of time here. And finally, audit access to your data.

I did cheat with one thing. I tried to keep this as clean a system as I could, but because I'm in multi-tenant, because I'm using a pluggable database, just full disclosure here: when I enabled Database Vault, before I had done that, I had already enabled Database Vault in the container database. With multi-tenant you can have Database Vault just in the container, or you can have it in the container and the pluggable. If you just have it in the container, mainly what you're doing there is preventing container administrators from seeing pluggable data. If you have it in the pluggable, well, that's when you get those finer-grained rules like I was saying.

I very carefully, when I was talking about auditing, didn't say the fourth and final thing, because there's no such thing as final when it comes to security. There is always more you can do. When you've got these four simple projects done, here are a few other things you might want to consider.

Key management for your encrypted data. This is for the data at rest. Encrypting is really easy. It is exactly as easy as I showed you: you create the encrypted tablespace, you put the data in there, it's automatically encrypted. When you select it, the database automatically decrypts it if you have privileges to see it. Key management takes a little bit more work. The default way that a lot of things store keys is in an encrypted file within the database server. Now think about this: you're encrypting the data to protect against someone who has operating-system-level access seeing those data files and seeing the data that's in them. Does it really make sense to have the encryption key on the database server? Usually not. That's why you need things like Key Vault, so you can move the encryption keys outside of the database server. Take a look at Key Vault if you're on premises, or OCI Vault if you're running your databases in the Oracle Cloud.

A lot of us copy our production databases back to non-production test and development systems. If you're doing that, you can do everything I just talked about, but that may lock down your development system to the point where the developers can't practically use it. Also, evaluators, auditors tend to be a little bit upset as you begin to proliferate sensitive data into multiple repositories, because every time you add a copy of a database, that's just one more chance for that data to be accessed and stolen. So a very good security technique is to scramble the data in your non-production copy of the database. Tools that can do this are things like Data Safe or Enterprise Manager's Data Masking and Subsetting.

And then another project, and this one is really, really popular in today's world, is take a look at how your users are authenticating. I was showing you username and password: not the best way to authenticate to a database. Try and go beyond passwords. Your Oracle databases support Kerberos authentication, certificate-based authentication, RADIUS, which is a real common way to get to multi-factor authentication. We support tokens (we started doing this a couple of years ago in 19c): Azure AD OAuth2 tokens and/or Oracle Cloud's IAM tokens. All of these are better options for database authentication that can reduce the risk that an application account gets compromised or a user account gets compromised, and improve your security. So that you can shift from using the username and password to stronger authentication.

If you want to play around with this, everything I've shown you, you can get hands-on for free. Our GitHub repository that's listed here on screen: if you look all the way over on the right-hand side you'll see something called LiveLabs. LiveLabs is a wonderful resource because, not just security, but most things in Oracle that have to do with the database, there is a hands-on lab out there where you can check an environment out from our cloud, on our dime, and go through and practice with that environment and learn how to use the features. If you're specifically interested in the security labs, bit.ly slash go live Labs DB SEC will take you there. And if you really like security, the second Wednesday of every month my team, my product managers, host office hours, and bit.ly slash ask Tom dbsec is how you can find out what the schedule is for the office hours, what the topic is for that month. If you can't attend live (you know, it's a global, global world; you could be sitting somewhere around the world from where we're doing this, and the time we're holding office hours isn't convenient to you), don't worry, we record them. We post the recordings a couple of days after the event, and you can always go back and see what's going on with it.

Thanks for joining us. Again, if you like security, these are great resources for you. All right, and that's it. Thank you again for giving me your time today.

2023-04-14 10:26
