Security Requirements

Copyright 2005, Oracle. All rights reserved.

Objectives

After completing this lesson, you should be able to do the following:
- Describe fundamental security requirements
- Define the following terms:
  - Least privilege
  - Authorization
  - Authentication
- Describe security policies
- Describe the concept of security in detail

Industry-Security Requirements

- Legal:
  - Sarbanes-Oxley Act (SOX)
  - Health Information Portability and Accountability Act (HIPAA)
  - California Breach Law
  - UK Data Protection Act
- Auditing

Security Standards

Recognized security standards:
- ISO 17799
- SANS Institute
- CERT/CC

Do your policies meet the standards?

Fundamental Data-Security Requirements

You should know the following fundamental data-security requirements:
- Confidentiality
- Integrity
- Availability

Components for Enforcing Security

- Authentication
- Authorization
- Access control
- Auditing

Security Risks

Risk analysis includes:
- External attack:
  - Unauthorized users
  - Denial of service
  - Unauthorized data and service access
- Internal abuse: data or service theft
- Sabotage: data or service corruption
- Complexity

Risk Analysis

[Diagram; labels: Vulnerability, Threat, Control, Attack, Prevent, Protect, Discover]

Principle of Least Privilege

- Install only the required software on the machine.
- Activate only the required services on the machine.
- Give operating system (OS) and database access to only those users who require access.
- Limit access to the root or administrator account.
- Limit access to SYSDBA and SYSOPER accounts.
- Limit users' access to only the database objects that are required to do their jobs.

Defining a Security Policy

What is a security policy?
- A set of rules
- Specific to an area and site
- Required
- Approved by management

What is a standard?
- Rules specific to a system or process
- Required for everyone

What are guidelines?
- Suggestions and best practices
- Specific to a system or a process

Developing Your Security Policy

The steps to develop your security policy are:
1. Assemble your security team.
2. Define your security requirements.
3. Develop procedures and systems to meet these requirements.
4. Implement security procedures.

Examining All Aspects of Security

Consider the following dimensions:
- Physical
- Personnel
- Technical
- Procedural

Example: An employee leaves his or her desk while using an application.

Implementing a Security Policy

- Implement your standards and procedures.
- Implement the plan for developing new systems and applications.
- Monitor and enforce the policy.
- Keep systems and applications up-to-date with security patches.
- Educate users.

Defense in Depth

Using the concept of “defense in depth”:
- Enforce security policies
- Train users
- Harden the operating system
- Use firewalls
- Use network security
- Use database-security features

Hardening the Operating System

- Limit services to required services.
- Limit users.
- Use security from the service.
- Apply all security patches and workarounds.
- Protect backups.
- Test security for in-house development.
- Require strong passwords.
- Control physical access.
- Audit system activity.
- Use intrusion-detection tools.

Easing Administration

Examine the security features of the service:
- Select the features that meet your security requirements.
- Integrate the features to simplify administration.

Ease security administration by:
- Using single sign-on
- Delegating security authority
- Grouping users with common privileges
- Synchronizing with other sources

Using a Firewall to Restrict Network Access

[Diagram; labels: Application Web server, Database server, Client computers, Firewall, Firewall]

Hardening Oracle Services

- Harden the database.
- Harden Oracle Net Services.
- Use Connection Manager as a firewall.
- Use available components:
  - Fine-grained access control
  - Enterprise user authentication
  - Encryption
  - Label securi
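
The last two items of the Principle of Least Privilege slide (limit SYSDBA and SYSOPER, limit users to the objects they need) can be reviewed from the Oracle data dictionary. The queries below are an added example, not part of the original slides; the excluded account names in the filters are assumptions to be replaced with your own baseline.

```sql
-- Added example: least-privilege review queries for an Oracle database.
-- Run as an account that can read the data dictionary views.

-- 1. Accounts in the password file that may connect AS SYSDBA or AS SYSOPER.
SELECT username, sysdba, sysoper
FROM   v$pwfile_users
ORDER  BY username;

-- 2. Direct grantees of the DBA role, and whether they can pass it on.
SELECT grantee, granted_role, admin_option
FROM   dba_role_privs
WHERE  granted_role = 'DBA'
ORDER  BY grantee;

-- 3. "ANY" system privileges, which reach beyond the grantee's own schema.
--    The NOT IN list is an assumed baseline of expected holders.
SELECT grantee, privilege, admin_option
FROM   dba_sys_privs
WHERE  privilege LIKE '% ANY %'
AND    grantee NOT IN ('SYS', 'SYSTEM', 'DBA')
ORDER  BY grantee, privilege;

-- 4. Object privileges granted to PUBLIC, i.e. to every database user,
--    outside the dictionary owners (assumed exclusions: SYS, SYSTEM).
SELECT owner, table_name, privilege, grantable
FROM   dba_tab_privs
WHERE  grantee = 'PUBLIC'
AND    owner NOT IN ('SYS', 'SYSTEM')
ORDER  BY owner, table_name;
```

Query 1 covers password-file authentication only; members of the operating-system DBA group can also connect as SYSDBA, so that group's membership needs a separate check on the host.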