2. 云和恩墨 成就所托 by 王朝阳 18516271611 sonne.k.wang@gmail.com
Objectives
After completing this lesson, you should be able to do
the following:
• Describe fundamental security requirements
• Define the following terms:
– Least privilege
– Authorization
– Authentication
• Describe security policies
• Describe the concept of security in detail
• Preventing exploits
• Maintaining data integrity
• Protecting data
• Controlling data access
3. 云和恩墨 成就所托 by 王朝阳 18516271611 sonne.k.wang@gmail.com
Industry-Security Requirements
• Legal:
– Sarbanes-Oxley Act (SOX)
– Health Information Portability and Accountability
Act (HIPAA)
– California Breach Law
– UK Data Protection Act
• Auditing
4. 云和恩墨 成就所托 by 王朝阳 18516271611 sonne.k.wang@gmail.com
Security Standards
Recognized security standards:
• ISO 17799
• SANS Institute
• CERT/CC
Do your policies meet the standards?
5. 云和恩墨 成就所托 by 王朝阳 18516271611 sonne.k.wang@gmail.com
Fundamental Data-Security Requirements
You should know the following fundamental data-
security requirements:
• Confidentiality
• Integrity
• Availability
6. 云和恩墨 成就所托 by 王朝阳 18516271611 sonne.k.wang@gmail.com
Components for Enforcing Security
• Authentication
• Authorization
• Access control
• Auditing
7. 云和恩墨 成就所托 by 王朝阳 18516271611 sonne.k.wang@gmail.com
Security Risks
Risk analysis includes:
• External attack:
– Unauthorized users
– Denial of service
– Unauthorized data and service
access
• Internal abuse: data or service theft
• Sabotage: data or service corruption
• Complexity
8. 云和恩墨 成就所托 by 王朝阳 18516271611 sonne.k.wang@gmail.com
Principle of Least Privilege
• Install only the required software on the machine.
• Activate only the required services on the machine.
• Give operating system (OS) and database access
to only those users who require access.
• Limit access to the root or administrator account.
• Limit access to SYSDBA and SYSOPER accounts.
• Limit users’ access to only the database objects
that are required to do their jobs.
9. 云和恩墨 成就所托 by 王朝阳 18516271611 sonne.k.wang@gmail.com
Defining a Security Policy
• What is a security policy?
– A set of rules
– Specific to an area and site
– Required
– Approved by management
• What is a standard?
– Rules specific to a system or process
– Required for everyone
• What are guidelines?
– Suggestions and best practices
– Specific to a system or a process
10. 云和恩墨 成就所托 by 王朝阳 18516271611 sonne.k.wang@gmail.com
Developing Your Security Policy
The steps to develop your security policy are:
1. Assemble your security team.
2. Define your security requirements.
3. Develop procedures and systems to meet these
requirements.
4. Implement security procedures.
11. 云和恩墨 成就所托 by 王朝阳 18516271611 sonne.k.wang@gmail.com
Examining All Aspects of Security
Consider the following dimensions:
• Physical
• Personnel
• Technical
• Procedural
Example: An employee leaves his or her desk while
using an application.
12. 云和恩墨 成就所托 by 王朝阳 18516271611 sonne.k.wang@gmail.com
Implementing a Security Policy
• Implement your standards and procedures.
• Implement the plan for developing new systems
and applications.
• Monitor and enforce the policy.
• Keep systems and applications up-to-date with
security patches.
• Educate users.
13. 云和恩墨 成就所托 by 王朝阳 18516271611 sonne.k.wang@gmail.com
Hardening the Operating System
• Limit services to required services.
• Limit users.
• Use security from the service.
• Apply all security patches and workarounds.
• Protect backups.
• Test security for in-house development.
• Require strong passwords.
• Control physical access.
• Audit system activity.
• Use intrusion-detection tools.
14. 云和恩墨 成就所托 by 王朝阳 18516271611 sonne.k.wang@gmail.com
Easing Administration
• Examine the security features of the service:
– Select the features that meet your security
requirements.
– Integrate the features to simplify administration.
• Ease security administration by:
– Using single sign-on
– Delegating security authority
– Grouping users with common privileges
– Synchronizing with other sources
15. 云和恩墨 成就所托 by 王朝阳 18516271611 sonne.k.wang@gmail.com
Using a Firewall
to Restrict Network Access
Application
Web server
Database
server
Client
computers
Firewall Firewall
16. 云和恩墨 成就所托 by 王朝阳 18516271611 sonne.k.wang@gmail.com
Hardening Oracle Services
• Harden the database.
• Harden Oracle Net Services.
• Use Connection Manager as a firewall.
• Use available components:
– Fine-grained access control
– Enterprise user authentication
– Encryption
– Label security
– Strong authentication by using public key
infrastructure or Kerberos
• Harden the middle tier.
17. 云和恩墨 成就所托 by 王朝阳 18516271611 sonne.k.wang@gmail.com
Preventing Exploits
Use industry-standard practices:
• Harden the database.
• Harden the operating system.
• Harden the network.
18. 云和恩墨 成就所托 by 王朝阳 18516271611 sonne.k.wang@gmail.com
Maintaining Data Integrity
Sarbanes-Oxley requires assurance of the integrity of
the data that is used to produce financial reports.
Oracle Database 10g can provide the following:
• Standard auditing
• Fine-grained auditing
• Privileged-account auditing
• Network encryption
19. 云和恩墨 成就所托 by 王朝阳 18516271611 sonne.k.wang@gmail.com
Data Protection
Under CA-SB-1386, personally identifiable information
must be protected. Use the following techniques:
• Restrict access.
• Encrypt stored data.
• Encrypt network traffic.
• Restrict network access.
• Monitor activity.
• Harden every layer.
OKYMSEISPDTGA
MyCreditCardNum
20. 云和恩墨 成就所托 by 王朝阳 18516271611 sonne.k.wang@gmail.com
Access Control
The law requires that only certain persons may access
specific data. Access control and monitoring include:
• Implement the Virtual Private Database (VPD):
– Application context
– Fine-grained access control (FGAC)
• Use Oracle Label Security (OLS).
• Apply auditing.
21. 云和恩墨 成就所托 by 王朝阳 18516271611 sonne.k.wang@gmail.com
Summary
In this lesson, you should have learned how to:
• List and describe fundamental security
requirements
• Define the following terms:
– Principle of least privilege
– Authorization
– Authentication
• Describe some security risks and requirements
• Describe the concept of security in detail
• Preventing exploits
• Maintaining data integrity
• Protecting data
• Controlling data access
22. 云和恩墨 成就所托 by 王朝阳 18516271611 sonne.k.wang@gmail.com
Q&A