Oracle数据库安全架构.pptxVIP

Oracle Database Maximum Security ArchitectureProtecting Critical Data Assets[CON8803]Scott RotondoConsulting MTSOracle Database SecurityOctober 27, 2015Copyright ? 2015, Oracle and/or its affiliates. All rights reserved. |Your Database – An Irresistible TargetSimplified Application ModelBypass ApplicationExploit DatabaseExploit ApplicationTest/Dev CopyBypass DatabaseAppsUsersAccess Exported DataAbuse Privileged AccountsAdministratorsStorageAttack #1: Exploit the ApplicationGet the application to reveal information that wasn’t intendedHow can this happen?Bug in the application’s access control logicSQL injectionExploits the application’s privileges to read and write the databaseDefensesData Redaction limits sensitive data handled by the applicationDatabase Firewall examines SQL from the application and blocks abnormal statementsOracle Advanced Security RedactionAuthorized DisplayPolicyCredit Card #5105-1051-05108888-88885454-5454-5454Redacted DisplayApplicationBusiness apps including display screens, reports, dashboards, panelsNew and legacy applicationsCardholder dataNational identifiersPersonally Identifiable InfoMedical Record DataAnd moreIdentify sensitive data, possibly using Enterprise ManagerBest for data that is displayed but not interpreted by applicationPrevents compromise due to application bugs and protects all applications that use the same dataOracle Database FirewallDifferentiates normal SQL statements used by application vs abnormal SQL from attackerUses SQL parser, not just regular expressions, to recognize statementsStart by monitoring unexpected SQLLater move to blockingWhitelist of expected statements for maximum securityAlso supports blacklist policiesUsersAppsDatabase FirewallEventsAlertsReportsAudit VaultPoliciesAttack #2: Bypass the Application / Exploit the DatabaseConnect to the database and access the data directlyBypasses any controls enforced by the applicationDefensesHarden and monitor the database configurationImple