Enterprise Data Center Hardening: Data Center Management and Security

Oracle slide deck, 2014. Copyright © 2014 Oracle and/or its affiliates. All rights reserved. Oracle Confidential – Internal/Restricted/Highly Restricted.

Uploaded by phungtram, posted 03-Apr-2018.


Safe Harbor Statement

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.


Agenda

1. Why data security needs strengthening
2. Know your adversary and know yourself (the threats to your data)
3. How to protect your data
4. Summary

China Southern Power Grid

• Service area: Guangdong, Guangxi, Guizhou, Hainan, Yunnan
• One million square kilometres: 10% of China, 10% of the United States
• Population 240 million: 17% of China, 75% of the United States
• GDP 1.2 trillion: 17% of China, 8% of the United States
• Business: operating revenue 448.2 billion yuan
– Fixed assets 82.3 billion yuan
– Ranked 134th in the Fortune Global 500
– 316,000 employees

21/8/14 Oracle Confidential 4

How much is Southern Grid's data worth?

China Resources

• Fortune Global 500
• 7 strategic business units
• 19 first-level profit centres
• More than 2,300 operating entities
• 400,000 employees
• Sales revenue HK$404.6 billion
• Total assets HK$939.3 billion

How much is China Resources' data worth?

Huawei

• Sales revenue 220.2 billion yuan
• 150,000 employees
• Serves 45 of the Top 50 operators
• Deployed in more than 140 countries
• Serves more than 3 billion people
• No. 3 in smartphones

The hidden value of Huawei's data is enormous and beyond imagination

Data breaches happen all the time. Never reuse the same password! Do not become the source of a leak, and do not become a victim.

[Figure: email security, vulnerability management, endpoint security and network security surround the statement that sensitive, regulated data resides in databases; the volume of that data is doubling every 2 years, far beyond what we imagine.]

Source: "Effective Data Leak Prevention Programs: Start by Protecting Data at the Source — Your Databases", IDC, August 2011

98% of stolen data comes from databases

• 84% of breaches used stolen usernames and passwords
• 71% were carried out within minutes
• 92% were discovered by a third party

Source: 2012 Data Breach Investigations Report, Verizon

Protecting data is a regulatory requirement

FISMA | SOX | COSO | PCI-DSS | COBIT | ISO 17799 | ISO 27001 | HIPAA | GLBA | PIPEDA | Basel II | EU Data Directives | Euro SOX | J-SOX | K-SOX | SAS 70 | AUS/PRO | UK/PRO

China: Basic Standard for Enterprise Internal Control; Information Security Multi-Level Protection regulations; Information system security management requirements, GB/T 20269-2006

Hong Kong: Personal Data (Privacy) Ordinance; HKMA supervisory guideline on e-banking, TM-E-1

Singapore: MAS Internet Banking and Technology Risk Management (IBTRM) guidelines

Taiwan: Personal Data Protection Act

Resident Identity Card Law of the People's Republic of China

• Article 19: Where staff of state organs, or of financial, telecommunications, transport, education, medical or similar units, disclose citizens' personal information recorded on resident identity cards that they obtained while performing their duties or providing services, and this constitutes a crime, criminal liability is pursued according to law; where it does not constitute a crime, the public security organ imposes detention of between ten and fifteen days together with a fine of 5,000 yuan, and any illegal gains are confiscated.

• Where a unit commits the conduct described in the preceding paragraph and it constitutes a crime, criminal liability is pursued according to law; where it does not constitute a crime, the public security organ imposes on the supervisors directly in charge and other directly responsible personnel detention of between ten and fifteen days together with a fine of between 100,000 and 500,000 yuan, and any illegal gains are confiscated.

• Where the conduct described in the preceding two paragraphs causes harm to others, civil liability is borne according to law.

In force since 1 January 2012

Agenda: 2. Know your adversary and know yourself

Is your password secure? In Oracle 11g/12c, use case-sensitive passwords and use longer passwords

[Figure: chart comparing 15 sec versus 862 sec]

Key length | Key space, lower-alpha-numeric (36 symbols) | Key space, mixed-alpha-numeric (62 symbols)
8  | 2.821E12 | 2.183E14
9  | 1.016E14 | 1.353E16
10 | 3.656E15 | 8.393E17
11 | 1.316E17 | 5.203E19
12 | 4.738E18 | 3.226E21
13 | 1.705E20 | 2.000E23
14 | 6.141E21 | 1.240E25

Each row is 36^n and 62^n. The 62-symbol column only applies when the account actually uses the case-sensitive verifier introduced in 11g; the pre-11g (10G) verifier folds passwords to upper case, so a "mixed-case" password stored that way still has only the 36-symbol key space.
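The table above is reproduced and extended below as an added example (not code from the Oracle deck): the same key-space arithmetic, set against two guess rates, an offline rate for an attacker who has stolen the password hashes and an online rate that a profile with FAILED_LOGIN_ATTEMPTS and PASSWORD_LOCK_TIME imposes on someone guessing against the listener. The guess rates themselves are assumptions for illustration.

```python
# Added example, not from the Oracle deck: key space versus guess rate.
# The two character sets are the ones in the table: lower-case letters plus
# digits (36 symbols) and mixed-case letters plus digits (62 symbols).
# The guess rates used below are assumptions for illustration.

LOWER_ALNUM = 26 + 10         # a-z 0-9
MIXED_ALNUM = 26 + 26 + 10    # a-z A-Z 0-9


def key_space(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return charset_size ** length


def key_space_table(lengths=range(8, 15)):
    """Rows of (length, 36^length, 62^length), i.e. the slide's table."""
    return [(n, key_space(LOWER_ALNUM, n), key_space(MIXED_ALNUM, n))
            for n in lengths]


def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a constant guess rate."""
    return space / guesses_per_second


def online_guess_rate(failed_login_attempts: int, lock_time_days: float) -> float:
    """Guesses per second an attacker can sustain against the listener when
    the account's profile locks it after `failed_login_attempts` failures
    for `lock_time_days` (Oracle profile limits FAILED_LOGIN_ATTEMPTS and
    PASSWORD_LOCK_TIME; the latter is given in days, so 1/24 is one hour)."""
    return failed_login_attempts / (lock_time_days * 86400)


def years_to_exhaust(charset_size: int, length: int, guesses_per_second: float) -> float:
    return seconds_to_exhaust(key_space(charset_size, length),
                              guesses_per_second) / (365 * 86400)


if __name__ == "__main__":
    print("len  lower-alnum   mixed-alnum")
    for n, lower, mixed in key_space_table():
        print(f"{n:3d}  {lower:.3E}  {mixed:.3E}")
    # Assumed rates: offline cracking of a stolen verifier on a GPU rig, versus
    # online guessing throttled by FAILED_LOGIN_ATTEMPTS 10 and
    # PASSWORD_LOCK_TIME 1/24 (ten guesses per hour).
    offline = 1e10
    online = online_guess_rate(10, 1 / 24)
    for n in (8, 12):
        print(f"{n} mixed-alnum chars: offline {years_to_exhaust(MIXED_ALNUM, n, offline):.2e} years,"
              f" online {years_to_exhaust(MIXED_ALNUM, n, online):.2e} years")
```

The lockout makes online guessing hopeless at any length, which is why the interesting number is the offline one: an 8-character mixed password falls in well under a day once the verifier is stolen, a 12-character one does not, so length protects against the scenario that lockout cannot.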

Eavesdropping, reading data files, exporting data

Switch(config)# no monitor session 1
Switch(config)# monitor session 1 source interface fastEthernet0/1
Switch(config)# monitor session 1 destination interface fastEthernet0/10 encapsulation dot1q
Switch(config)# end

[Figure: users and applications reach the database over the network; data also leaves the database as export files, backups and data files]

1) A few simple network commands are enough to capture everything the database sends over the wire: the SPAN session above copies all traffic on fastEthernet0/1 (the database port) to fastEthernet0/10, where a sniffer can read unencrypted SQL and result sets
2) A single OS command is enough to read plaintext data out of the data files (for example, running strings over a .dbf file)
3) Misuse of export files and backup files is even harder to monitor

Brute-force login

Challenge: have you set a failed-login limit on application accounts? And what happens when the application account does get locked?

Using the "application account" to bypass application logic

Challenge: can you detect the application account logging in to the database directly with PL/SQL Developer?

Business users sharing a database account and using home-grown programs

Challenge: how would you know that business users are sharing a database account? Have you set SESSIONS_PER_USER?

Changing an end user's password on the backup (standby or cloned) database

Challenge: can you detect such an operation?

Modifying a stored procedure

[Figure: a daily job calls DAY_EDN_SP(); a third-party contractor modifies DAY_EDN_SP()]

Other challenges

• Legacy grants of the DBA role handed down through multiple layers
• Database objects changed into public objects
• Use of remote authentication
• DBAs accessing sensitive data directly
• etc.
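The four challenges above all have a detection answer if the audit trail carries the right attributes. The block below is an added example (not code from the Oracle deck): a small detector run over constructed audit rows. The field names follow DBA_AUDIT_TRAIL / V$SESSION (USERNAME, USERHOST, CLIENT_PROGRAM, ACTION_NAME, SQL_TEXT); the DB_ROLE column (V$DATABASE.DATABASE_ROLE) is assumed to be attached by the collector, and the account names, hosts and policy values are assumptions.

```python
# Added example, not from the Oracle deck: detection logic for the four
# challenges above, run over constructed audit rows. The field names follow
# DBA_AUDIT_TRAIL / V$SESSION (USERNAME, USERHOST, CLIENT_PROGRAM, ACTION_NAME,
# SQL_TEXT); DB_ROLE (V$DATABASE.DATABASE_ROLE) is assumed to be attached by
# the collector. Account names, hosts and policy values are assumptions.
from collections import defaultdict
import re

# Constructed sample audit rows (not real data).
AUDIT_ROWS = [
    {"user": "APP_USER", "host": "appsrv01", "program": "JDBC Thin Client",
     "action": "LOGON", "sql": "", "db_role": "PRIMARY"},
    {"user": "APP_USER", "host": "dev-laptop-07", "program": "plsqldev.exe",
     "action": "LOGON", "sql": "", "db_role": "PRIMARY"},
    {"user": "BIZ_REPORT", "host": "pc-201", "program": "custom_tool.exe",
     "action": "LOGON", "sql": "", "db_role": "PRIMARY"},
    {"user": "BIZ_REPORT", "host": "pc-305", "program": "custom_tool.exe",
     "action": "LOGON", "sql": "", "db_role": "PRIMARY"},
    {"user": "BIZ_REPORT", "host": "pc-412", "program": "custom_tool.exe",
     "action": "LOGON", "sql": "", "db_role": "PRIMARY"},
    {"user": "OPS_DBA", "host": "dr-host", "program": "sqlplus",
     "action": "ALTER USER", "sql": "ALTER USER helen IDENTIFIED BY Tmp1",
     "db_role": "SNAPSHOT STANDBY"},
    {"user": "VENDOR_TMP", "host": "vpn-gw", "program": "sqlplus",
     "action": "CREATE PROCEDURE",
     "sql": "CREATE OR REPLACE PROCEDURE app.day_edn_sp AS BEGIN NULL; END;",
     "db_role": "PRIMARY"},
]

# Policy (assumed): which client programs each application account may use,
# how many distinct hosts one account may connect from, who may reset
# passwords, and who may change the procedures that scheduled jobs call.
APP_ACCOUNT_PROGRAMS = {"APP_USER": {"JDBC Thin Client"}}
MAX_HOSTS_PER_USER = 2
PASSWORD_ADMINS = {"SEC_ADMIN"}
JOB_PROCEDURES = {"DAY_EDN_SP": {"APP_OWNER"}}       # procedure -> allowed editors
PROC_DDL = re.compile(
    r"\b(?:CREATE\s+OR\s+REPLACE|CREATE|ALTER|DROP)\s+PROCEDURE\s+(?:\w+\.)?(\w+)", re.I)


def detect(rows):
    """Return a list of (alert_kind, user, detail, host) tuples."""
    alerts = []
    hosts_per_user = defaultdict(set)
    for r in rows:
        if r["action"] == "LOGON":
            allowed = APP_ACCOUNT_PROGRAMS.get(r["user"])
            if allowed is not None and r["program"] not in allowed:
                # application account used interactively, bypassing the application
                alerts.append(("app-account-direct-login", r["user"], r["program"], r["host"]))
            hosts_per_user[r["user"]].add(r["host"])
        if r["action"] == "ALTER USER" and "IDENTIFIED BY" in r["sql"].upper():
            # password reset by someone other than the account admin, or on a
            # copy of the database (standby/clone) rather than the primary
            if r["user"] not in PASSWORD_ADMINS or r["db_role"] != "PRIMARY":
                alerts.append(("password-reset", r["user"], r["db_role"], r["host"]))
        m = PROC_DDL.search(r["sql"])
        if m:
            proc = m.group(1).upper()
            if proc in JOB_PROCEDURES and r["user"] not in JOB_PROCEDURES[proc]:
                alerts.append(("job-procedure-changed", r["user"], proc, r["host"]))
    # shared account: one username seen from more hosts than the policy allows
    for user, hosts in hosts_per_user.items():
        if len(hosts) > MAX_HOSTS_PER_USER:
            alerts.append(("shared-account", user, len(hosts), ",".join(sorted(hosts))))
    return alerts


if __name__ == "__main__":
    for alert in detect(AUDIT_ROWS):
        print(*alert)
```

Two design points: the shared-account check counts distinct hosts rather than concurrent sessions, because SESSIONS_PER_USER caps concurrency but says nothing about a single session being used from many desks; and the password-reset check treats any non-PRIMARY database role as suspicious, since a snapshot standby or a restored clone is open read-write and is exactly where an attacker can reset a password without touching production's audit trail.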

Agenda: 3. How to protect your data

#1 Assess your database security maturity

Assessment areas:
• Account and password controls
• Access and privilege controls
• Database security operations
• Activity monitoring and auditing
• Data encryption and masking

[Figure: radar chart scoring each capability from 0 to 5]
Capability and the corresponding Oracle product:
• Database firewall: Database Firewall
• Data-at-rest and network encryption: Oracle Advanced Security
• Database separation of duties: Oracle Database Vault
• Data classification: Oracle Label Security
• Data change history: Oracle Total Recall
• Database high availability: Oracle Active Data …
• Data backup and recovery: Oracle Secure Backup
• Configuration and change management: Oracle Lifecycle …
• Data masking: Oracle Data Masking
• Identity management: Oracle Identity …
• Audit trail: Oracle Audit Vault

Maturity scale: 0 no plan; 1 initial; 2 marginal; 3 stable; 4 best practice; 5 transformational

#2 Plan holistically and define the capabilities you will need: before, during and after

Prevent (before the event):
• Separation of duties
• Data classification
• Data encryption
• Network encryption
• Backup encryption
• Data masking

Blocking (during the event):
• Block operations on sensitive data
• Block operations from unauthorized IP addresses
• Block operations outside office hours
• Block harmful operations
• Block suspicious operations
• Block SQL injection

Auditing (after the event):
• Audit trail of administrator activity
• Audit trail of user activity
• Audit of user privilege changes
• Audit of data changes
• Audit of database configuration changes
• Audit of stored procedure changes

#3 Define a data security standard and a roadmap

Step 1, 3 months: sensitive operations can be audited
• Activity monitoring and auditing

Step 2, 6 months: core data cannot be taken away
• Activity monitoring and auditing
• Data encryption and masking
• Account and password controls

Step 3, 12 months: overall security is compliant
• Activity monitoring and auditing
• Data encryption and masking
• Account and password controls
• Database security operations
• Access and privilege controls

[Figure: data security level rising from low to high across the three steps]

#4 Implement the Oracle database security solution: defense in depth for maximum security

Oracle products:
• Advanced Security
• Data Masking & Subsetting
• Database Vault
• Audit Vault and Database Firewall
• Database Lifecycle Management
• Label Security
• Secure Backup

Outcomes:
• Sensitive data "cannot be seen"
• Core data "cannot be taken away"
• Operational activity "can be audited"

Control points covered by the Oracle data security solution

[Figure: users and application servers connect to the production database; a disaster-recovery standby and development/test databases are fed from it. Control points shown:]
• Network encryption between users, application servers and the database
• Authentication
• Backup data encryption, disk data encryption, export data encryption
• Disaster-recovery database, development/test databases
• Separation of duties
• Network audit records, local audit records, periodic reports
• Data masking (for development/test), real-time redaction, data classification
• Configuration assessment, privilege assessment
• Row-level access control, SQL-level access control, command-level access control, environment-factor-level access control
• Schema change monitoring, data change monitoring
• Patching

Advanced Security

Transparent Data Encryption
• Encrypts whole tablespaces or individual columns
• Prevents direct access to data at rest: disk, backups and exports
• No application changes required; fully transparent
• Built-in two-tier key management
• Near-zero additional overhead on SPARC and Intel processors (hardware AES acceleration)
• Integrated with other Oracle technologies such as Exadata, compression, ASM, GoldenGate, Data Pump and log files

SQL statements (Oracle 11g syntax)

SQL> ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "welcome1";
SQL> CREATE TABLESPACE securespace DATAFILE SIZE 10G
       ENCRYPTION USING 'AES256' DEFAULT STORAGE(ENCRYPT);
SQL> ALTER TABLE hr_tbl MOVE TABLESPACE securespace;
SQL> SELECT t.name, e.encryptionalg algorithm
       FROM v$tablespace t, v$encrypted_tablespaces e
      WHERE t.ts# = e.ts#;

The first statement creates the wallet if none exists and sets the TDE master key; the transcript's "SET KEY" omits the ENCRYPTION keyword that 11g requires, and MOVE needs the TABLESPACE keyword. "welcome1" is the slide's placeholder wallet password, not a recommendation. In 12c the master key is created with ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY ... WITH BACKUP instead. Two practitioner caveats: moving a table marks its indexes UNUSABLE until they are rebuilt, and the blocks in the old, unencrypted tablespace still hold the plaintext copy of the rows until that datafile is dropped and its storage wiped.

Key management architecture

[Figure: two-tier key hierarchy. The master key is stored in an Oracle wallet (standard wallet, auto-open wallet or local auto-open wallet) or in a hardware security module. With TDE tablespace encryption the master key encrypts each tablespace key; with TDE column encryption it encrypts each table key; the tablespace and table keys encrypt the data.]

Advanced Security

Real-time data redaction
• Redacts data in real time according to username, IP address, application and other factors
• Full or partial redaction
• Built-in and custom redaction function library
• Easy-to-use policy definition interface
• Transparent to typical applications
• Does not change the stored data or the underlying operation

[Figure: credit card numbers 4451-2172-9841-4368, 5106-8395-2095-5938 and 7830-0032-0294-1827 pass through a redaction policy; the call center application sees xxxx-xxxx-xxxx-4368 while the billing department sees 4451-2172-9841-4368]
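The call-centre versus billing decision in the figure is a policy over session factors. The block below is an added example (not Oracle's Data Redaction implementation) showing that policy as code: full, partial or no redaction chosen from the application, role and client address of the session. The application names, the role and the billing subnet are assumptions.

```python
# Added example, not Oracle's Data Redaction: a small policy engine that
# applies full, partial or no redaction to a column value according to
# session factors, modelled on the slide's call-centre versus billing case.
# Application names, roles and the trusted subnet are assumptions.
import ipaddress
import re


def partial_card(value: str) -> str:
    """Keep the last four digits; replace every other digit with 'x'.
    Separators are preserved so the displayed format is unchanged."""
    digits = sum(c.isdigit() for c in value)
    out, seen = [], 0
    for c in value:
        if c.isdigit():
            out.append(c if seen >= digits - 4 else "x")
            seen += 1
        else:
            out.append(c)
    return "".join(out)


def full_card(value: str) -> str:
    return re.sub(r"\d", "x", value)


BILLING_NET = ipaddress.ip_network("10.1.0.0/16")   # assumed billing LAN

# Ordered rules: (predicate over session factors, redaction function or None
# for clear text). First match wins; no match means full redaction, so an
# unexpected session fails closed.
REDACTION_POLICY = [
    (lambda s: s["app"] == "BILLING" and s["role"] == "BILLING_CLERK"
               and ipaddress.ip_address(s["ip"]) in BILLING_NET, None),
    (lambda s: s["app"] == "CALL_CENTER", partial_card),
]


def redact(value: str, session: dict) -> str:
    for predicate, fn in REDACTION_POLICY:
        if predicate(session):
            return value if fn is None else fn(value)
    return full_card(value)


if __name__ == "__main__":
    card = "4451-2172-9841-4368"
    print(redact(card, {"app": "CALL_CENTER", "role": "AGENT", "ip": "10.2.3.4"}))
    print(redact(card, {"app": "BILLING", "role": "BILLING_CLERK", "ip": "10.1.5.7"}))
    print(redact(card, {"app": "BILLING", "role": "BILLING_CLERK", "ip": "203.0.113.9"}))
```

Note what redaction does and does not do: it changes what is returned, not what is stored or what a WHERE clause can compare against, so a user who can run ad hoc SQL can still infer values (WHERE card LIKE '4451%'). It protects displays, and must sit alongside access control rather than replace it.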

Database Vault

Privileged user control
• Blocks attacks that exploit privileged users
• Establishes "realms" that protect schemas or objects
• Restricts DBA access to the data inside a realm
• Restricts access to realm data while patches are being applied
• Supports multi-factor access control, including environment-factor and command-level controls
• Supports "two-person" (dual) authorization
• Enforces separation of duties and least privilege

[Figure: realms for Procurement, HR and Finance. An Application DBA issuing "select * from finance.customers" is blocked, while the applications themselves are allowed; the Security DBA and DBA roles are separated; connections from an unauthorized IP or at an unauthorized time are rejected]
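The figure's decision (the Application DBA is refused inside the Finance realm even though the DBA role carries SELECT ANY TABLE, and DDL is gated on where and when it comes from) is shown below as an added example, not Database Vault's own code. Realm names, account names, the trusted subnet and the office-hours window are assumptions.

```python
# Added example, not Database Vault code: the decision the slide describes,
# with realms protecting schemas, command rules, and user/network/runtime
# factors. Realm names, account names, the trusted subnet and office hours
# are assumptions.
from datetime import datetime
import ipaddress
import re

# Realms: protected schemas and the accounts authorised inside them.
REALMS = {
    "Finance Realm": {"schemas": {"FINANCE"}, "authorized": {"FIN_APP", "FIN_OWNER"}},
    "HR Realm": {"schemas": {"HR"}, "authorized": {"HR_APP", "HR_OWNER"}},
}
TRUSTED_NET = ipaddress.ip_network("10.10.0.0/16")   # assumed data-centre network


def office_hours(ts: str) -> bool:
    """Runtime factor: weekday between 08:00 and 19:00 (assumed office hours).
    `ts` is 'YYYY-MM-DD HH:MM'."""
    t = datetime.strptime(ts, "%Y-%m-%d %H:%M")
    return t.weekday() < 5 and 8 <= t.hour < 19


# Command rules: statement pattern -> rule over session factors; the rule
# must return True for the statement to proceed.
COMMAND_RULES = [
    (re.compile(r"^\s*(?:DROP|TRUNCATE)\s+TABLE\b", re.I),
     lambda s: ipaddress.ip_address(s["client_ip"]) in TRUSTED_NET
               and office_hours(s["time"])),
    (re.compile(r"^\s*ALTER\s+SYSTEM\b", re.I),
     lambda s: s["user"] == "SEC_DBA"),
]

# schema.object references after the keywords that introduce a table name
OBJ_REF = re.compile(r"\b(?:FROM|JOIN|INTO|UPDATE|TABLE)\s+(\w+)\.(\w+)", re.I)


def realm_for(schema: str):
    for name, realm in REALMS.items():
        if schema.upper() in realm["schemas"]:
            return name, realm
    return None, None


def evaluate(session: dict, sql: str):
    """Return ('ALLOW' | 'DENY', reason). Realm checks come first: a system
    privilege such as SELECT ANY TABLE does not apply inside a realm."""
    for schema, obj in OBJ_REF.findall(sql):
        name, realm = realm_for(schema)
        if realm and session["user"] not in realm["authorized"]:
            return "DENY", f"{name}: {session['user']} is not authorised for {schema}.{obj}"
    for pattern, rule in COMMAND_RULES:
        if pattern.search(sql) and not rule(session):
            return "DENY", f"command rule failed: {pattern.pattern}"
    return "ALLOW", "ok"


if __name__ == "__main__":
    app_dba = {"user": "APP_DBA", "client_ip": "10.10.3.4", "time": "2014-08-21 10:00"}
    print(evaluate(app_dba, "select * from finance.customers"))
    hr_owner = {"user": "HR_OWNER", "client_ip": "203.0.113.5", "time": "2014-08-21 10:00"}
    print(evaluate(hr_owner, "DROP TABLE hr.jobs_old"))
```

The order of the two checks is the point: realm membership is decided by an explicit authorisation list, never by the privileges the account happens to hold, and only once the realm is satisfied do the factor-based command rules apply. The object-reference scan here is a regular expression; a real implementation hangs off the parsed statement, which is why Database Vault can also cover PL/SQL and nested references that a pattern would miss.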

Privileges that Database Vault revokes from the DBA and related roles

User or role: DBA role
Privileges revoked: BECOME USER; SELECT ANY TRANSACTION; CREATE ANY JOB; CREATE EXTERNAL JOB; EXECUTE ANY PROGRAM; EXECUTE ANY CLASS; MANAGE SCHEDULER; DEQUEUE ANY QUEUE; ENQUEUE ANY QUEUE; MANAGE ANY QUEUE

User or role: IMP_FULL_DATABASE role
Privileges revoked: BECOME USER; MANAGE ANY QUEUE

User or role: EXECUTE_CATALOG_ROLE role
Privileges revoked: EXECUTE ON DBMS_LOGMNR; EXECUTE ON DBMS_LOGMNR_D; EXECUTE ON DBMS_LOGMNR_LOGREP_DICT; EXECUTE ON DBMS_LOGMNR_SESSION; EXECUTE ON DBMS_FILE_TRANSFER

User or role: PUBLIC user
Privileges revoked: EXECUTE ON UTL_FILE

User or role: SCHEDULER_ADMIN role
Privileges revoked: CREATE ANY JOB; CREATE EXTERNAL JOB; EXECUTE ANY PROGRAM; EXECUTE ANY CLASS; MANAGE SCHEDULER

Built-in factors and command rules

Built-in factors
• User factors: name, authentication type, session user, proxy enterprise identity
• Network factors: machine name, client IP, network protocol
• Database factors: database IP, database instance, database hostname, database SID
• Runtime factors: language, date, time
• Extensible: define custom factors

Command rules
• Connect / login
• Alter table / trigger / package
• Create table / index / view
• Drop table / user / index
• Truncate table
• ...

Security reports

Object Privilege Reports
• Object Access By PUBLIC Report
• Object Access Not By PUBLIC Report
• Direct Object Privileges Report
• Object Dependencies Report

Database Account System Privileges Reports
• Direct System Privileges By Database Account Report
• Direct and Indirect System Privileges By Database Account Report
• Hierarchical System Privileges by Database Account Report
• ANY System Privileges for Database Accounts Report
• System Privileges by Privilege Report

Sensitive Object Reports
• Execute Privileges to Strong SYS Packages Report
• Access to Sensitive Objects Report
• Public Execute Privilege To SYS PL/SQL Procedures Report
• Accounts with SYSDBA/SYSOPER Privilege Report

Privilege Management – Summary Reports
• Privileges Distribution By Grantee Report
• Privileges Distribution By Grantee, Owner Report
• Privileges Distribution By Grantee, Owner, Privilege Report

Powerful Database Accounts and Roles Reports
• WITH ADMIN Privilege Grant Report
• Accounts With DBA Roles Report
• Security Policy Exemption Report
• BECOME USER Report
• ALTER SYSTEM or ALTER SESSION Report
• Password History Access Report
• WITH GRANT Privileges Report
• Roles/Accounts That Have a Given Role Report
• Database Accounts With Catalog Roles Report
• AUDIT Privileges Report

Initialization Parameters and Profiles Reports
• Security Related Database Parameters Report
• Resource Profiles Report
• System Resource Limits Report

Database Account Password Reports
• Database Account Default Password Report
• Database Account Status Report

Other Security Vulnerability Reports
• Java Policy Grants Report
• OS Directory Objects Report
• Objects Dependent on Dynamic SQL Report
• Unwrapped PL/SQL Package Bodies Report
• Username/Password Tables Report
• Tablespace Quotas Report
• Non-Owner Object Trigger Report

Database Vault Reports
• Realm Audit Report
• Command Rule Audit Report
• Factor Audit Report
• Label Security Integration Audit Report
• Core Database Vault Audit Trail Report
• Secure Application Role Audit Report

Oracle Database Vault

Privilege analysis: analyze the privileges and roles users actually use
• Turn on privilege capture mode
• Report on the privileges and roles actually used in the database
• Helps revoke unnecessary privileges
• Enforce least privilege and reduce risk
• Increase security without disruption

[Figure: the DBA role and an APPADMIN role carry Create, Drop and Update privileges; the capture shows APPADMIN used only Update, so the rest is unused and can be revoked]
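The figure compresses two steps: working out what an account effectively holds once roles nest inside roles, and turning the gap between that and the captured usage into revocations. The block below is an added example, not Oracle's privilege analysis feature; the grant data, the capture result and the role and account names are constructed.

```python
# Added example, not Oracle's privilege analysis feature: expand grants
# through the role hierarchy to get an account's effective privileges,
# compare them with what a capture run saw it use, and turn the difference
# into a least-privilege plan. Grants, usage and names are constructed.

# Constructed in the shape of DBA_ROLE_PRIVS (grantee -> roles) and
# DBA_SYS_PRIVS (grantee -> directly granted system privileges).
ROLE_GRANTS = {
    "APPADMIN": {"CONNECT", "RESOURCE", "DBA"},
    "DBA": {"EXP_FULL_DATABASE"},
}
SYS_PRIVS = {
    "APPADMIN": {"CREATE JOB"},
    "CONNECT": {"CREATE SESSION"},
    "RESOURCE": {"CREATE TABLE", "CREATE PROCEDURE"},
    "DBA": {"CREATE ANY TABLE", "DROP ANY TABLE", "UPDATE ANY TABLE", "ALTER SYSTEM"},
    "EXP_FULL_DATABASE": {"SELECT ANY TABLE"},
}
# Constructed capture result: privileges APPADMIN exercised while capture was on.
USED = {"APPADMIN": {"CREATE SESSION", "UPDATE ANY TABLE"}}


def closure(role_or_user: str) -> set:
    """All system privileges reachable through nested role grants."""
    privs, seen, stack = set(), set(), [role_or_user]
    while stack:
        r = stack.pop()
        if r in seen:
            continue
        seen.add(r)
        privs |= SYS_PRIVS.get(r, set())
        stack.extend(ROLE_GRANTS.get(r, set()))
    return privs


def effective_privileges(grantee: str) -> set:
    return closure(grantee)


def least_privilege_plan(grantee: str, used: set) -> dict:
    """Revoke unused direct privileges and wholly unused roles; a role that was
    only partly used is replaced by direct grants of just the used part."""
    revoke_privs = {p for p in SYS_PRIVS.get(grantee, set()) if p not in used}
    revoke_roles, grant_directly = set(), set()
    for role in ROLE_GRANTS.get(grantee, set()):
        brought = closure(role)
        used_here = brought & used
        if not used_here:
            revoke_roles.add(role)
        elif used_here != brought:
            revoke_roles.add(role)
            grant_directly |= used_here
    return {"revoke_privs": sorted(revoke_privs),
            "revoke_roles": sorted(revoke_roles),
            "grant_directly": sorted(grant_directly)}


if __name__ == "__main__":
    print(sorted(effective_privileges("APPADMIN")))
    print(least_privilege_plan("APPADMIN", USED["APPADMIN"]))
```

The closure is what makes the report honest: APPADMIN never received SELECT ANY TABLE directly, it arrives through DBA and then EXP_FULL_DATABASE, and a review that only reads the account's own grants would miss it. The plan keeps CONNECT (fully used), drops RESOURCE and the direct CREATE JOB (unused), and replaces DBA with a direct UPDATE ANY TABLE grant, which is the "Unused" box in the figure turned into statements a DBA can run.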

Audit Vault and Database Firewall

[Figure: users and applications send SQL through the Database Firewall, which can Allow, Log, Alert, Substitute or Block each statement. Firewall events, database audit records and the audit records of operating systems, directories, file systems and applications flow to the Audit Server, which produces reports and alerts and holds the policies used by auditors and security administrators.]

Database Firewall

Database activity monitoring and firewall
• Monitors and logs database network activity
• Detects and blocks unauthorized database activity, including SQL injection
• Advanced SQL grammar analysis
• Flexible whitelist/blacklist policies
• Statement-level policy customization
• Easy to install and simple to deploy

Answers the "what, when, where, who and how" questions

[Figure: user traffic passes through SQL analysis and the security policy (whitelist, blacklist); the possible actions are block, log, pass, alert and substitute]
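The whitelist/blacklist policy only works because statements are compared by structure rather than by text. The block below is an added example, not the Database Firewall's parser: it normalises each statement into a structural signature, learns a whitelist from the application's legitimate traffic, and returns allow, log, substitute or block, including the tautology and UNION injection cases. The SQL samples and the blacklist patterns are constructed.

```python
# Added example, not the Database Firewall's parser: normalise each statement
# into a structural signature, learn a whitelist from the application's
# legitimate traffic, and decide allow / log / substitute / block, including
# the tautology and UNION injection cases. SQL samples are constructed.
import re

COMMENT = re.compile(r"--[^\n]*|/\*.*?\*/", re.S)
STRING = re.compile(r"'(?:[^']|'')*'")
NUMBER = re.compile(r"\b\d+(?:\.\d+)?\b")
WS = re.compile(r"\s+")


def normalize(sql: str) -> str:
    """Replace literals with '?' and collapse whitespace and case so that two
    executions of the same prepared statement get the same signature, while a
    statement whose structure changed (an injected OR, a UNION) does not."""
    s = COMMENT.sub(" ", sql)
    s = STRING.sub("?", s)
    s = NUMBER.sub("?", s)
    return WS.sub(" ", s).strip().upper()


# Constructed blacklist: structures an application account never legitimately sends.
BLACKLIST = [
    r"\bUNION\b.*\bSELECT\b",
    r"\b(?:DBMS|UTL)_\w+\b",          # calls into SYS packages
    r";\s*(?:DROP|ALTER|GRANT|CREATE)\b",
]


class Firewall:
    def __init__(self, learned_sql, blacklist=BLACKLIST, enforce=True):
        self.whitelist = {normalize(s) for s in learned_sql}
        self.blacklist = [re.compile(p, re.I) for p in blacklist]
        self.enforce = enforce

    def decide(self, sql: str):
        sig = normalize(sql)
        if any(p.search(sig) for p in self.blacklist):
            return "BLOCK", sig
        if sig in self.whitelist:
            return "ALLOW", sig
        # Unknown structure: in monitoring mode just log it; when enforcing,
        # substitute a harmless statement so the client gets an empty result
        # instead of an error it could use to probe the policy.
        return ("SUBSTITUTE" if self.enforce else "LOG"), sig


# Constructed "learning phase" traffic captured from the real application.
LEARNED = [
    "SELECT id, name FROM customers WHERE id = 42",
    "SELECT * FROM customers WHERE name = 'Smith'",
    "UPDATE customers SET email = 'a@b.example' WHERE id = 7",
]

if __name__ == "__main__":
    fw = Firewall(LEARNED)
    for stmt in [
        "SELECT * FROM customers WHERE name = 'Jones'",
        "SELECT * FROM customers WHERE name = '' OR '1'='1'",
        "SELECT * FROM customers WHERE name = 'x' UNION SELECT username, password FROM sys.user$ --'",
    ]:
        print(fw.decide(stmt)[0], stmt)
```

Run it in LOG mode first: every signature that appears in the log during a full business cycle (month-end included) is either added to the whitelist or investigated, and only then is enforcement switched on, otherwise a legitimate report that runs quarterly gets substituted on its first outing. Also keep in mind that an out-of-band sensor only sees what crosses the wire in the clear, so the firewall placement has to be planned together with network encryption.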

Audit Vault

Auditing, reporting and real-time alerting
• Collects and analyzes audit records and events
• Centralized, secured audit repository
• Centralized reporting
• Out-of-the-box and custom reports
• Flexible, near-real-time alerts
• Easy to install and simple to deploy

[Figure: audit records and events from operating systems, file systems and directories, databases, the Database Firewall and customer applications feed Audit Vault, which applies policies and produces reports and alerts for security analysts, auditors and the SOC]

Flexible deployment options for the Database Firewall

[Figure only]

Deploying the Database Firewall: "5 don'ts and 3 wins"

5 don'ts
• Does not affect production systems
• Does not affect database performance
• Does not require changes to applications or the database
• Does not use a proxy
• Is not limited to Oracle databases

3 wins
• Win: advanced network sniffing and database grammar parsing
• Win: fast deployment (2-3 days)
• Win: immediate results

** For SPAN mode. In SPAN (out-of-band) mode the firewall only sees a mirrored copy of the traffic, so it can log and alert but cannot block or substitute statements; blocking needs an in-line or proxy deployment, which is also where the "no proxy" and "no impact" points stop applying.

Centralized audit records

• A centralized audit repository that supports the audit trails of different databases and operating systems
• Example sources: Oracle DB, Windows Server, MSSQL, Linux, etc.
• Audit records can be collected from different locations, for example tables, directories and event logs

Out-of-the-box activity reports

Examples:
- Data access
- Data changes
- Before and after values of data changes
- Data structure changes
- Failed logins
- User logins and logouts
- Privilege changes
- Audit setting changes
- etc.

Out-of-the-box privilege reports

Examples:
- User accounts
- User privileges
- User roles
- Database roles
- System privileges
- Object privileges
- etc.

Example: user privilege change report

[Figure: the user privilege change report shows that user HELEN gained the DBA privilege on 9/12/2013]

Example: stored procedure change audit report

[Figure: stored procedure change audit report]

Out-of-the-box compliance reports

Examples:
- PCI
- GLBA
- HIPAA
- SOX
- DPA

Flexible, condition-based alerts

Example: raise an alert if a user whose name does not match %HR% accesses a table matching %JOBS%.
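The rule above is written with SQL LIKE wildcards, and the alert fires on a negative condition (the user does not look like an HR user). The block below is an added example, not Audit Vault's alert engine: it converts LIKE patterns to regular expressions and evaluates that rule over constructed audit events. The account and object names are assumptions.

```python
# Added example, not Audit Vault's alert engine: the conditional alert above
# ("alert when a user not matching %HR% accesses a table matching %JOBS%"),
# evaluated over constructed audit events with SQL LIKE wildcards converted
# to regular expressions so a rule can be written the way an auditor types it.
import re


def like_to_regex(pattern: str):
    """SQL LIKE: '%' matches any run of characters, '_' any single character."""
    parts = []
    for ch in pattern:
        parts.append(".*" if ch == "%" else "." if ch == "_" else re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.S)


class AlertRule:
    def __init__(self, name, object_like, user_like, user_must_match,
                 actions=("SELECT", "INSERT", "UPDATE", "DELETE")):
        self.name = name
        self.obj = like_to_regex(object_like)
        self.user = like_to_regex(user_like)
        self.user_must_match = user_must_match   # False: alert when the user does NOT match
        self.actions = set(actions)

    def matches(self, ev: dict) -> bool:
        if ev["action"] not in self.actions or not self.obj.match(ev["object"]):
            return False
        return bool(self.user.match(ev["user"])) == self.user_must_match


RULES = [
    AlertRule("non-HR access to JOBS tables", object_like="%JOBS%",
              user_like="%HR%", user_must_match=False),
]

# Constructed audit events (names are assumptions). Oracle folds unquoted
# identifiers to upper case, so the collector is assumed to store them that way.
EVENTS = [
    {"user": "HR_APP", "action": "SELECT", "object": "HR.JOBS"},
    {"user": "REPORT_USER", "action": "SELECT", "object": "HR.JOBS"},
    {"user": "REPORT_USER", "action": "SELECT", "object": "HR.EMPLOYEES"},
    {"user": "OPS_DBA", "action": "DELETE", "object": "HR.JOBS_HISTORY"},
    {"user": "OPS_DBA", "action": "GRANT", "object": "HR.JOBS"},
]


def evaluate(rules, events):
    """Return (rule name, user, action, object) for every event that trips a rule."""
    return [(rule.name, ev["user"], ev["action"], ev["object"])
            for ev in events for rule in rules if rule.matches(ev)]


if __name__ == "__main__":
    for hit in evaluate(RULES, EVENTS):
        print(*hit)
```

Two things to check before trusting a rule like this: %HR% is a substring match, so an account named SHR_TEMP or CHRIS counts as "HR" and silently escapes the alert; and the action list matters, since the GRANT on HR.JOBS in the sample is not an access and needs its own privilege-change rule rather than this one.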

Database Lifecycle Management Pack

• Discovers and classifies databases
• Provides database security best practices and 400+ security standards
• Scans databases and assesses their security
• Detects unauthorized changes and compares configurations
• Patch management and deployment
• Database provisioning and cloning

[Figure: cycle of discover databases; scan, score and monitor databases; patch; periodic assessment]

Example: Enterprise Manager periodically assesses database security posture and provides a one-stop dashboard

[Figure: dashboard panes showing security standards versus number of targets, violations and average score; targets versus number of standards, violations and average score; and targets not yet under management]

Enterprise Manager provides 300+ database security standards

• Single Instance Database
– Basic Security Configuration for Oracle Database
– High Security Configuration for Oracle Database
– Certification for Oracle Database
– Configuration Best Practices for Oracle Database
– Patchable Configuration for Oracle Database
– Storage Best Practices for Oracle Database
– Support Policy for Oracle Database

• Listener
– Basic Security Configuration for Oracle Listener
– High Security Configuration for Oracle Listener

• Automatic Storage Management
– Storage Best Practices for ASM
– Patchable Configuration for ASM

• Cluster Database
– Basic Security Configuration for RAC Database and Instance
– High Security Configuration for RAC Database and Instance
– Certification for RAC Database
– Configuration Best Practices for RAC Database
– Patchable Configuration for RAC Database
– Storage Best Practices for RAC Database
– Support Policy for RAC Database

• Exadata
– Configuration Monitoring for Exadata Compute Node, Compute Node Networking, Compute Node Time

• Pluggable Database (NEW)
– Storage Best Practices for Pluggable Database
– Configuration Best Practices for Pluggable Database
– Basic Security Configuration for Pluggable Database

Reports schema changes in real time to the database alert log via ENABLE_DDL_LOGGING

• ALTER/CREATE/DROP/TRUNCATE CLUSTER
• ALTER/CREATE/DROP FUNCTION
• ALTER/CREATE/DROP INDEX
• ALTER/CREATE/DROP OUTLINE
• ALTER/CREATE/DROP PACKAGE
• ALTER/CREATE/DROP PACKAGE BODY
• ALTER/CREATE/DROP PROCEDURE
• ALTER/CREATE/DROP PROFILE
• ALTER/CREATE/DROP SEQUENCE
• CREATE/DROP SYNONYM
• ALTER/CREATE/DROP/RENAME/TRUNCATE TABLE
• ALTER/CREATE/DROP TRIGGER
• ALTER/CREATE/DROP TYPE
• ALTER/CREATE/DROP TYPE BODY
• DROP USER
• ALTER/CREATE/DROP VIEW

ENABLE_DDL_LOGGING is licensed as part of the Database Lifecycle Management Pack; from 12c the records go to a separate DDL log in the ADR rather than the main alert log. Note what the list does not cover: GRANT/REVOKE and CREATE/ALTER USER are absent, so privilege and account changes still have to come from the audit trail.

Data Masking & Subsetting

Flexible and powerful data masking
• Masks sensitive business data
• Detects and preserves referential integrity
• Provides multiple masking methods: random values, list values, fixed mappings, shuffle, compound values, conditional values, etc.
• Built-in and extensible masking format library
• Supports masking data in non-Oracle databases
• Integrates with Real Application Testing

[Figure: production table (LAST_NAME, SSN, SALARY: AGUILAR 203-33-3234 40,000; BENSON 323-22-2943 60,000) is masked into a development/test copy (ANSKEKSL 323-23-1111 60,000; BKJHHEIEDK 252-34-1345 40,000) used by development and test]

Subsetting and masking directly from the source database

Method 1: first generate the data subset on Prod, then mask it, then load the result into Test

Method 2: subset and mask during export, producing a Data Pump file that is loaded into Test
• The subset is taken and masked as the data is exported
• Reduces the risk of exposing sensitive data, because no clear-text staging copy is made
• But consider the performance impact on the production database
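The "preserve referential integrity" bullet is the part that makes or breaks a masked copy: if EMPLOYEES and PAYROLL both carry SSN, both must go through the same mapping or every join in the test system breaks. The block below is an added example, not Oracle Data Masking, showing three of the methods named in the slide (random value, fixed mapping, shuffle) applied so that the foreign key survives. MASK_KEY, the seed and the two tables are constructed; the names are assumptions.

```python
# Added example, not Oracle Data Masking: three of the masking methods the
# slide names (random value, fixed mapping, shuffle) applied so that
# referential integrity survives: EMPLOYEES and PAYROLL share SSN, so both
# tables go through the same deterministic mapping. MASK_KEY, the seed and
# the tables are constructed; a real job keeps the key off the test system.
import hashlib
import hmac
import random
import string

MASK_KEY = b"demo-only-masking-key"           # assumption: secret of the masking job

EMPLOYEES = [
    {"LAST_NAME": "AGUILAR", "SSN": "203-33-3234", "SALARY": 40000},
    {"LAST_NAME": "BENSON", "SSN": "323-22-2943", "SALARY": 60000},
]
PAYROLL = [
    {"SSN": "203-33-3234", "PERIOD": "2014-07", "NET": 2900},
    {"SSN": "323-22-2943", "PERIOD": "2014-07", "NET": 4100},
]


def fixed_map_ssn(ssn: str) -> str:
    """Fixed mapping: the same input always yields the same masked value, so a
    key shared by several tables stays consistent; keyed hashing means the
    map cannot be rebuilt without MASK_KEY. The NNN-NN-NNNN format is kept."""
    digest = hmac.new(MASK_KEY, ssn.encode(), hashlib.sha256).digest()
    n = int.from_bytes(digest[:8], "big") % 10**9
    d = f"{n:09d}"
    return f"{d[:3]}-{d[3:5]}-{d[5:]}"


def random_name(rng: random.Random, length: int = 8) -> str:
    """Random value: an unrelated upper-case string, like the slide's ANSKEKSL."""
    return "".join(rng.choice(string.ascii_uppercase) for _ in range(length))


def shuffle_column(rng: random.Random, rows: list, col: str) -> None:
    """Shuffle: keep the real distribution of a column but break its link to the row."""
    values = [r[col] for r in rows]
    rng.shuffle(values)
    for r, v in zip(rows, values):
        r[col] = v


def mask(employees, payroll, seed=2014):
    """Return masked copies of both tables; the inputs are left untouched."""
    rng = random.Random(seed)
    emp = [dict(r) for r in employees]
    pay = [dict(r) for r in payroll]
    for r in emp:
        r["LAST_NAME"] = random_name(rng)
        r["SSN"] = fixed_map_ssn(r["SSN"])
    for r in pay:
        r["SSN"] = fixed_map_ssn(r["SSN"])       # same map: the foreign key still resolves
    shuffle_column(rng, emp, "SALARY")
    return emp, pay


def referential_integrity_ok(emp, pay) -> bool:
    return {r["SSN"] for r in pay} <= {r["SSN"] for r in emp}


if __name__ == "__main__":
    emp, pay = mask(EMPLOYEES, PAYROLL)
    print(emp)
    print(pay)
    print("FK intact:", referential_integrity_ok(emp, pay))
```

The keyed hash is what makes the fixed mapping safe to use across tables and across runs: anyone holding the masked copy, but not MASK_KEY, cannot invert it or rebuild it, which is exactly the property a dev/test copy needs and a plain lookup table stored next to the data would not give. Whether the mapping runs on a staging copy (Method 1) or inside the export (Method 2), the key stays with production.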

Agenda: 4. Summary

Summary

• The data security problem is more serious than you imagine
• Data security capabilities must be planned as a whole: before, during and after the event
• Oracle provides a complete data security solution, including
– Data encryption, masking, subsetting and real-time redaction
– Privileged user control, multi-factor access control, command control, SQL statement control and row-level access control
– A complete audit trail, covering both the network and the database itself
• Easy to implement
– ASO (Advanced Security) and DV (Database Vault) are built into the database
– Data Masking and Subsetting and Lifecycle Management are built into Enterprise Manager
– DBFW (Database Firewall) deployment does not affect the database

Questions