Securitatea platformei tehnologice Oracle Dorian Cernev Consultant Vanzari Tehnologie Oracle Romania 27 septembrie 2005

Agenda Asigurarea securitatii datelor in Baza de Date; Protejarea datelor in timpul transferului in retea; Securitate in Serverul de Aplicatie; Arhitectura pentru disponibilitate maxima;

Securitate End-to-End Utilizatori Date Controlul accesului ALLEN 12029 KYTE 17045 CAREY 12032 JOHNSON 18029 BLAKE 17170 SCOTT 14220 KING 18031 SMITH gAMES fONES MIER ByAgE SCOjd sfING Audit Org 10 Org 20 Admin Org 30 Securitatea si integritatea comunicatiilor uthenticate Retea Autentificare Securitatea si integritatea datelor

Oracle Virtual Private Database VPD = Row Label Security (FGAC) + Application Context Alternativa pentru View-uri Alternativa pentru logica la nivel de aplicatie Serverul aplica politica de securitate automat indiferent de tipiul accesului Rescriere dinamica a frazei SQL adaugand clauze WHERE in dependenta de context Optimizare, cache SQL generat SELECT * FROM DATA_TAB; DATA_TAB SELECT * FROM DATA_TAB;

Oracle Label Security Produs complet bazat pe etichete la nivel de rand Utilizeaza tehnologii si metode demonstrate Interfata grafica pentru administrare Pentru utilizatori (controlul accesului) Pentru date (etichete de rand) Nu necesita programare Eticheta rand Rand date Nivel Compartimente Grupuri Confidential Public Top Secret : Oncology : Radiology : Lab : X-ray : Patient : WP : Research : Admin : HR User Label Scott Confidential : Oncology : Patient

Criptare in Baza de Date Protectie la nivel de element Criptarea datelor confidentiale (informatii de securitate nationala, carti de credit, parole acces, etc.) Interpretarea datelor imposibila. DBMS_CRYPTO Criptare AES128/192/256, 3DES, RC4, DES Integritate (suma de control) SHA1, MD5, MD4, HMAC Criptare pt. noi tipuri de date CLOB, BLOB si RAW SALARIU (Criptat) KING sfING SCOTT SCjd BLAKE BygE SMITH SMTH JAMES gAMES JONES fONES MILLER MIER

Audit in Procesul de securitate: Prevenire, Detectare si Raspuns Autentificare, Controlul Accesului Detectare si Raspuns Auditing in Baza de Date Audit la nivel de utilizator, obiect, actiune, privilegiu. Inregistrarea actiunilor finalizate cu succes sau insucces Imbunatatiri Audit 10g DB_EXTENDED, capteaza SQL complet inclusiv select Legatura cu flashback sau log-uri pentru a vedea setul de date rezultant

SSL – protectie date in tranzit SSL – Standard de facto Internet Suporta certificate X.509 (server-only si client-server) Comunicatie SSL intre Aplication Server si Baza de Date Browser Clients SSL Net8 HTTP/SSL Oracle Application Server Oracle Database Server

Oracle asigura Integritatea datelor Suma de control criptografica aplicata fiecarui pachet inainte de trimitere Sunt folositi algoritmi standard MD5 si SHA-1 Suma de control criptografica secventiala detecteaza automat: Modificari pachete Pachete in plus Pachete lipsa Incalcarile protocolului aduc la intreruperea operatiei in curs si sunt inregistrate in fisiere log.

Securitate Oracle 10gAS Identity Management Single Sign-On Integrare cu Oracle Internet Directory Securitate Java2 Servicii de Autentificare si Autorizare Java (JAAS) Securitate Servicii Web

Oracle Internet Directory Scalabilitate Millioane de utilizatori Mii de conexiuni simultane Disponibilitate Inalta Replicare multimaster Hot backup/recovery, RAC, etc. Management Monitorizare multi-nod Securitate Roluri / politici de access Audit Clienti LDAP Consola Admin Directory Oracle Internet Directory Server Database

Single Sign-on OracleAS Single Sign-on OID PKI, pwd, OracleAS Enabled Environment ERP, CRM, … eMail OracleAS Single Sign-on Portal PKI, pwd, Autentificare Win2000 Partener SSO (Netegrity, RSA, Oblix) SecureID, Biokey, Federation / Liberty Mediu SSO de la Pareneri Extranet OID

Arhitectura pentru disponibilitate maxima OracleAS 10g OracleAS 10g WAN Retea dedicata Presenter notes: Here are the Main Components of the Maximum Availability Architecture: The most important characteristic of MAA is having a Secondary site with identical configuration as the Primary site, which allows for the same service levels regardless of the site that is handling client requests. From an administration perspective, it promotes a consistent set of procedures and processes across sites, reducing management effort. Working from the bottom up, the Highly Available Database tier focuses on two important Oracle technologies: Real Application Clusters, or RAC, is used as protection from host and instance failures; Data Guard is leveraged as protection from human errors, and site and data failures. MAA dictates that there is a RAC cluster at each site. The primary site services client requests, the secondary site is kept in sync using Data Guard. Moving up the stack to the Highly Available Application tier is Oracle9iAS. Oracle9iAS includes two main components – Web Cache and OC4J. The piece that links it all together is a Redundant network infrastructure, with the critical component being a fast, dedicated network between the sites. And finally, configuration and operational Best practices make this a robust architecture that prevents or detects and recovers from outages within a tolerable MTTR. The MAA best practices are the main ingredient in maintaining and sustaining an HA environment. MAA is an HA solution that encompasses both the “how to build” and “how to use” questions. RAC Data Guard RAC Site de baza Site Disaster Recovery

NATO NATO a standardizat cu Oracle E-Business Suite si modulele de Financiar si iProcurement 19 Sedii Centrale cu circa 700 utilizatori in 12 tari. “Implementarea Oracle E-Business Suite pune la dispozitia NATO un mecanism cu ajutorul caruia putem atinge obiectivele propuse si asigura dezvoltarea unui sistem de management al informatiilor centralizat. Implementarea cu succes a proiectului este o noua si indrazneata provocare, dar am completa incredere ca impreuna cu Oracle vom asigura un sistem modern standardizat ce va opera in toate tarile membere NATO.” - NATO Programme Director, Mr David Oakley

Cine utilizeaza Oracle

I & I N T R E B A R I R A S P U N S U R I R