THR3324
Multifactor Authentication
Strengthening database security
Russ Lowenthal
Vice President, Oracle AI Database Security

Database breaches almost always involve one of TWO attack methods
1. Ransomware file scraping
2. Compromised login credentials

Copyright 2025, Oracle and/or its affiliates

The two most valuable things you can do to secure your databases are:
1. Encrypt
2. Strengthen Authentication

How are database users authenticated?
Operating System, Username/Password, Kerberos, PKI Certificate, RADIUS, OCI IAM (passwords or tokens), Microsoft Entra ID tokens, Local user multi-factor authentication

Legacy Authentication
[Diagram: OS Authentication and Username and password panels. Labels: User, ALL Oracle Databases, Username, password verifier]

Strong Authentication
[Diagram: Kerberos and PKI Certificate panels. Labels: User, Active Directory/MIT Key Distribution Center, Kerberos Ticket, Smartcard with user certificate, User certificate public key, ALL Oracle Databases]

Cloud Identity
[Diagram: OCI IAM and Microsoft Entra ID panels. Labels: IAM Principal, Entra ID Principal, Get token, Send token (or password), Send token, Authenticate, OCI IAM, Entra ID, OCI DBaaS, ALL Oracle Databases]

Multifactor Authentication (MFA)
You demand MFA for almost any important service
Should you expect less from your database?

Why multifactor?
Go where the risk is.

Passwords bite
Fallible humans, phishing, brute force, credential stuffing, post-it notes, SharePoint docs with passwords in clear text, “hidden” properties files
Passwords are not especially secure, but they are ubiquitous.
Passwords are the lowest common denominator in authentication.
Almost everything s