Session id: 40176

Security and the Data Warehouse

Kristy Edwards, Principal Product Manager, Security, Oracle Corporation
George Lumpkin, Director Product Management, DW, Oracle Corporation

Agenda
• Data warehousing security issues
• Data Warehouse security strategy
  – Secure the entire DW environment
  – Oracle database security is the foundation of a DW security strategy
• Summary: Customer success stories

Technical challenges
• More valuable data since current and historical records are stored from all parts of the organization
  – Customer profiles
  – Company's financial history
  – Quarterly sales information
• Performance is paramount
  – Security cannot adversely affect performance
• More users have direct, ad-hoc query access to a data warehouse
• Sensitive data stored in data marts and ETL servers

Business challenges
• How can I consolidate multiple data marts in the same database?
• How can I share the information in my data warehouse with partners and customers?
• How can I ensure that my data warehouse obeys laws and regulations regarding data privacy?

Oracle Strategy for DW Security
• End-to-End Security
  – Secure the entire DW process
  – From ETL all the way through the end-user
• Consolidation
  – Leverage consolidation to increase security
• Secure Foundation
  – Oracle database security is the foundation of a DW security strategy

Consolidation Provides Better Security
• Centrally managed by an expert
• Fewer points of attack
• Apply security patches quickly in one place
• Enforce security consistently
• Protect the data itself

Layers of Security
• Physical
• Policies
• Perimeter and Network
• Applications and RDBMS
• OS

Security Trends
[Figure. Labels: Identity Management; Audit; Fine-grained Access Control; OLTP; Network Crypto; Data Warehousing; Access Control; Authentication. Axis: Time]

Oracle Database 10g Provides the Security Foundation
• Security built into the server cannot be bypassed
  – Consistent security policy regardless of the tool or interface used to access data
  – Oracle preserves the identity of the user
• Security is transparent to tools and applications
[Figure. Labels: Discoverer; Business Objects; SQL*Plus; Oracle DB 10g; Identical Data Access Policies]

Assurance of Oracle Database 10g Security
• Builds on 17 independent security evaluations (15 crossed out on the slide)
• Effective way to validate vendor's security assertions
  – NCR Teradata has 0 evaluations
  – IBM DB2 has 0 evaluations
  – SQL Server has 1 evaluation

Leverage Oracle Database 10g Security
[Figure: seven numbered items around an Enterprise Data Warehouse (Marketing, Finance, Sales). Labels: Authenticate; Authorize; Access Control; Protect data in transit; Protect stored data; Audit; Identity Management]

Row-level Security Benefits for Data Warehousing
• Consolidation
  – with assurance of data separation
• Lower cost of ownership
  – Build security once, not within multiple applications
• Minimizes risks through database-enforced security
• Highly scalable without performance impact
• Leverage RLS to protect private information in data warehouses

Security Issue #2: Accountability
• Keep users accountable for their actions
• Identify misuse of legitimate user privilege
  – E.g., data snoopers (e.g., why is a user accessing his own record from June 29 so often?)
• Support intrusion detection

Solution: Fine-grained Auditing
• Audit for accountability
• Audit with precision
• Monitor data access based on content
• Attach audit policy to table or view
  – with 'WHERE' condition
  – Relevant column
  – PL/SQL package DBMS_FGA to apply policies to table/view
  – Exact query text in audit record
• Data warehouses cannot afford to audit too broadly
[Figure labels: FGA Policy; Relevant column]

Fine-grained Auditing
Audit Policy:
  AUDIT_CONDITION: 'name != USER'
  AUDIT_COLUMN = DIAGNOSIS
Not audited:
  SELECT name, job, deptno FROM patients
Query:
  SELECT name, diagnosis FROM patients WHERE name='KING'
Audit Record:
  SELECT name, diagnosis FROM patients WHERE name = 'KING', <timestamp>, <userid>, etc.
Send Alert!
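
The audit policy from the Fine-grained Auditing slide above, written out with the DBMS_FGA package the deck names. This is an added example, not part of the presentation; the schemas HOSPITAL and SEC_ADMIN, the policy name and the alert handler with its table are assumptions.

```sql
-- Added example (Oracle PL/SQL). HOSPITAL, SEC_ADMIN, FGA_ALERTS, FGA_ALERT
-- and DIAGNOSIS_SNOOPING are assumed names; PATIENTS is the slide's table.
CREATE TABLE sec_admin.fga_alerts (
  fired_at    TIMESTAMP,
  db_user     VARCHAR2(30),
  object_name VARCHAR2(61),
  policy_name VARCHAR2(30),
  sql_text    VARCHAR2(4000)
);
-- Handler the server calls each time the policy fires (the "Send Alert!" step).
-- Autonomous, so the alert row is kept even if the user's statement rolls back.
CREATE OR REPLACE PROCEDURE sec_admin.fga_alert (
  object_schema VARCHAR2,
  object_name   VARCHAR2,
  policy_name   VARCHAR2
) AS
  PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
  INSERT INTO sec_admin.fga_alerts
  VALUES (SYSTIMESTAMP,
          SYS_CONTEXT('USERENV', 'SESSION_USER'),
          object_schema || '.' || object_name,
          policy_name,
          SYS_CONTEXT('USERENV', 'CURRENT_SQL', 4000));  -- default length is 256
  COMMIT;
END;
/
BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema   => 'HOSPITAL',
    object_name     => 'PATIENTS',
    policy_name     => 'DIAGNOSIS_SNOOPING',
    audit_condition => 'name != USER',   -- rows that belong to someone else
    audit_column    => 'DIAGNOSIS',      -- only when this column is referenced
    handler_schema  => 'SEC_ADMIN',
    handler_module  => 'FGA_ALERT',
    enable          => TRUE,
    statement_types => 'SELECT');
END;
/
-- SQL_TEXT is filled in when the policy's audit_trail setting includes extended data.
SELECT timestamp, db_user, object_name, sql_text
FROM   dba_fga_audit_trail
WHERE  policy_name = 'DIAGNOSIS_SNOOPING'
ORDER  BY timestamp;
```

With this policy, the slide's first query produces no audit record because DIAGNOSIS is not referenced, while the second produces one when run by any user other than KING.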

Benefits for Data Warehousing
• Audit analysis
  – Fewer, but more precise, audit records
  – Reducing false or misleading audits makes it easier to analyze audit records
  – SQL text gives insight to intent of the query
• Accountability and deterrence
  – Minimizes security risks if a user knows he/she is being monitored
• Supports fact tables and materialized views

Security Issue #3: Protect Data In Transit
• Stored data has inherent protection of user authentication, access control, audit
• Data traveling over network does not have these protections
• 80% of data loss is to insiders

Solution: Network Encryption
• Oracle Advanced Security encrypts all communication with the database
  – Uses standard algorithms
    • AES
    • 3DES, DES
    • RC4
    • Diffie-Hellman key exchange
  – Supplies SSL
  – Secures all protocols into the database
    • Net8, IIOP, Thin JDBC

Benefits for Data Warehousing
• Minimizes security risks since data traveling over the network is encrypted
• Protects all network communications with Oracle with minimal impact
• Easy to deploy
  – 6 sqlnet.ora parameters

Security Issue #4: Protect Stored Data
• Especially sensitive information requires additional layer of security
  – social security numbers
  – credit card numbers
• Mitigate threats
  – hackers compromising the OS and reading database files
  – malicious DBA

Solution: Stored Data Encryption
• Oracle DB 10g has a new encrypt/decrypt interface called DBMS_CRYPTO
  – AES, 3DES and DES encryption
  – MD5, MD4 and SHA-1 cryptographic hashes
  – Supports all datatypes (LOB, BLOB, CLOB)
• Application provides key generation, management, recovery
  – Encryption keys must be stored somewhere
  – Can be stored in a database file, on the OS, in application, on diskette, etc.
• Don't solve access control problem with encryption

Stored Data Encryption Benefits
• Minimizes security risks by storing very sensitive data encrypted
• Oracle Database 10g supports third party security solutions

Security Issue #1: Access Control
• Not all users should have access to all the data in the data warehouse
  – Database must preserve user identity to determine exactly what the user can access
  – Database must control access

Access Control
• Object-level security
  – Authorization
  – Roles and privileges
• Manage locally or centrally
  – Role-based Access Control (RBAC)
• Row-level Security (RLS)
  – Control access within objects
  – Fine-grained access control
  – Virtual Private Database
  – Oracle Label Security

Virtual Private Database
• Data access is managed at the database level
  – Fine-Grained Access Control
  – Application Context
  – Users only see data that they have access to
  – Row-level access control
• Add policy to any table, view or synonym
  – Administrator binds PL/SQL package with table using Oracle-supplied API (dbms_rls)
[Figure labels: VPD Policy; Table or View]

VPD for Data Warehousing
• Server dynamically rewrites SQL
  – Query modification based on PL/SQL package assigned to an object
  – "Where" clause appended to SQL statement
[Figure: SALES_HISTORY, 1MM rows]
  SELECT sum(s) FROM SALES_HISTORY;
  Western Sales Rep (access to his/her territory's sales): where terr_id=10;
  Product Manager (access to one product's sales across all territories): where prod_id=12;

VPD for Data Warehousing
• No sacrifice in SQL performance
  – All performance features (indexes, parallelism, partitioning, etc) apply to VPD-based queries
• Fact Tables
  – Policies can be applied to very large fact tables
  – Most popular implementation
  – Secures data at the source
• Materialized Views
  – Policies can be applied to summaries
  – Materialized Views increase performance, and VPD increases security

Oracle Label Security for DW
• Out-of-the-box, row level security
  – Built on VPD
  – Extends VPD by adding label-based access control
• Same benefits as VPD, but works out of the box
• Installable product vs. "write your own"
  – Data access is based on sensitivity labels and customizable enforcement options
• Labels can be applied to fact tables and/or materialized views

Oracle Label Security for DW
Student Fact Table:
  Fname   Lname   Score   Sensitivity Label
  Ana     Adams   155     sensitive:testscore:JFK High
  Mona    Patel   150     sensitive:testscore:MLK High
  Jen     Chu     175     sensitive:testscore:MLK High
  Ron     Alta    145     sensitive:testscore:JFK High
Schools Superintendent, Oracle Label Security authorizations sensitive : testscore : District: All OK
JFK Principal, Oracle Label Security authorizations sensitive : testscore : JFK High: OK for the JFK High rows, x for the MLK High rows

Case Study: Province of British Columbia
• Business requirements
  – Consolidated financial information for 28 Ministries
  – Individual Ministry data mart look and feel
• Security issues
  – Confidentiality of inter-Ministry financial budgetary and expenditure information
  – Users require different levels of access - Ministry staff restricted to their data, Controller General staff have open access for consolidated and audit reporting
• Oracle VPD solves data warehouse security issues
  – No separate data marts
  – All financial information for 28 Ministries stored in one database
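
The query rewrite from the "VPD for Data Warehousing" slide above (one SELECT on SALES_HISTORY, a different WHERE clause per user), as a policy function bound with dbms_rls. This is an added example, not part of the presentation; the schemas DW and SEC_ADMIN, the context SALES_CTX, the package SALES_CTX_PKG and the USER_SCOPE mapping table are assumptions.

```sql
-- Added example (Oracle PL/SQL). DW, SEC_ADMIN, SALES_CTX, SALES_CTX_PKG and
-- USER_SCOPE are assumed names; SALES_HISTORY, terr_id, prod_id are the slide's.
CREATE OR REPLACE CONTEXT sales_ctx USING sec_admin.sales_ctx_pkg;
CREATE OR REPLACE PACKAGE sec_admin.sales_ctx_pkg AS
  PROCEDURE init;  -- call once per session, e.g. from a logon trigger
  FUNCTION sales_predicate (p_schema VARCHAR2, p_object VARCHAR2)
    RETURN VARCHAR2;
END sales_ctx_pkg;
/
CREATE OR REPLACE PACKAGE BODY sec_admin.sales_ctx_pkg AS
  PROCEDURE init IS
  BEGIN
    -- USER_SCOPE(username, scope_type, scope_id): one row per database user.
    FOR r IN (SELECT scope_type, scope_id
              FROM   sec_admin.user_scope
              WHERE  username = SYS_CONTEXT('USERENV', 'SESSION_USER')) LOOP
      DBMS_SESSION.SET_CONTEXT('SALES_CTX', 'SCOPE_TYPE', r.scope_type);
      DBMS_SESSION.SET_CONTEXT('SALES_CTX', 'SCOPE_ID', TO_CHAR(r.scope_id));
    END LOOP;
  END init;

  -- Returns the WHERE clause the server appends to every query on the table.
  FUNCTION sales_predicate (p_schema VARCHAR2, p_object VARCHAR2)
    RETURN VARCHAR2 IS
  BEGIN
    RETURN CASE SYS_CONTEXT('SALES_CTX', 'SCOPE_TYPE')
      WHEN 'TERRITORY' THEN 'terr_id = TO_NUMBER(SYS_CONTEXT(''SALES_CTX'', ''SCOPE_ID''))'
      WHEN 'PRODUCT'   THEN 'prod_id = TO_NUMBER(SYS_CONTEXT(''SALES_CTX'', ''SCOPE_ID''))'
      WHEN 'ALL'       THEN NULL     -- no predicate: consolidated reporting
      ELSE '1 = 0'                   -- scope unset or unknown: return no rows
    END;
  END sales_predicate;
END sales_ctx_pkg;
/
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'DW',
    object_name     => 'SALES_HISTORY',
    policy_name     => 'SALES_SCOPE',
    function_schema => 'SEC_ADMIN',
    policy_function => 'SALES_CTX_PKG.SALES_PREDICATE',
    statement_types => 'SELECT',
    policy_type     => DBMS_RLS.CONTEXT_SENSITIVE);
END;
/
-- With SCOPE_TYPE = 'TERRITORY' and SCOPE_ID = '10' (the Western Sales Rep),
-- SELECT SUM(s) FROM sales_history; runs with terr_id = 10 appended.
```

SYS and any user granted EXEMPT ACCESS POLICY bypass the policy, so grants of that privilege belong in the access review.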

Case Study: Data Syndicator
• Business requirements
  – Deliver marketing research data to companies cost-effectively
  – Deliver timely web-based information to customers
• Security issues
  – Separate proprietary information between each company
  – Within each company, users require different levels of access
• Oracle VPD solves data warehouse security issues
  – Terabyte+ DW with all customer information in one table
  – Did not need to build complex security layer
  – Does not have to maintain a separate data warehouse for each customer (30+)
  – Generate the same report for multiple customers quickly

Case Study: Los Angeles Unified School District
• Business requirements
  – Provide its 750,000 students information about themselves
  – Web-based access for administrators to grades, test scores, graduation rates and demographics
• Security and privacy issues
  – Confidentiality of student information based on California Education Code and the Family Education Rights and Privacy Act of 1974
• Oracle VPD solves data warehouse security issues
  – Student information stored in the same data warehouse
  – Different types of users get different levels of access – student, teacher, principal, district manager, district-wide programs manager

Data Warehouse Security Summary
• Security is crucial for data warehouses
  – Data warehouses contain valuable data
  – Users have direct access to data
• Security adds value to data warehouses
  – Enables efficiency via consolidation
• Oracle's data warehouse customers rely on our security solutions

Next Steps…
Security and Identity Management Sessions
• Identity Management for Database Applications
• Oracle Platform Security: Solving Real-World Problems
• Ask the Security Expert
• Unbreakable: What We Learned
• Securing J2EE Applications with Oracle Identity Management
• Planning Your Oracle Identity Management Deployment
• Improving Information Assurance of Linux
• Oracle and Thor: Identity Management Provisioning
• Implementing Identity Management at Lawrence Livermore National Labs Thursday 3:15 Rm. 120

Next Steps…
Oracle DEMOgrounds: Virtual Private Database Column Enforcement Oracle Label Security Directory Integration Directory Based Database Authentication Single Sign-On CA & PKI Platform Windows Integration & eBusiness Provisioning Highly Available LDAP

Next Steps…
• Oracle Security Command Center (Booth 1736): Win a Dell Axim X5 handheld device
  A4vison, Accela, Acsys Biometrics, Alert Technologies, Ascendent Telecommunications, BIO-Key International, Compressus, Dell, Environmax, eSpatial, nCipher, Netegrity, PCI Geomatics, PlanGraphics, 3Ship Analytics, Targusinfo, Thor Technologies, Vigilos, Waveset, Xybernaut
• Applications Security (Booth 841)
• Vormetric (Booth 2243)

Next Steps for DW / BI: Data Warehousing DB Sessions
Monday
  11:00 AM  #40153, Room 304  Oracle Warehouse Builder: New Oracle Database 10g Release
  3:30 PM   #40176, Room 303  Security and the Data Warehouse
  4:00 PM   #40166, Room 130  Oracle Database 10g SQL Model Clause
Tuesday
  8:30 AM   #40125, Room 130  Oracle Database 10g: A Spatial VLDB Case Study
  3:30 PM   #40177, Room 303  Building a Terabyte Data Warehouse, Using Linux and RAC
  5:00 PM   #40043, Room 104  Data Pump in Oracle Database 10g: Foundation for Ultrahigh-Speed Data Movement
Thursday
  8:30 AM   #40179, Room 304  Oracle Database 10g Data Warehouse Backup and Recovery
  11:00 AM  #36782, Room 304  Experiences with Real-Time Data Warehousing using Oracle 10g
  1:00 PM   #40150, Room 102  Turbocharge your Database, Using the Oracle Database 10g SQLAccess Advisor

Business Intelligence and Data Warehousing Demos All Four Days In The Oracle Demo Campground
• Oracle Database 10g
• Oracle OLAP
• Oracle Data Mining
• Oracle Warehouse Builder
• Oracle Application Server 10g

For More Info On Oracle BI/DW Go To http://otn.oracle.com/products/bi/db/dbbi.html

Reminder – please complete the OracleWorld online session survey

Thank you.