
Oracle Database Security Defense-in-Depth

Nguyen Quang Huy, Senior Solution Consulting Manager

Agenda

Today's Threat Landscape
Defense-in-Depth Approach
Oracle Database Security Solutions
Summary

Security Technologies Deployed

Diagram: the security technologies typically deployed around employees, customers and citizens (End Point Security, Email Security, Network Security, Vulnerability Management, Authentication, Identity Management and other security), with the open question of where database security fits in ("DB Security?").

How Does Data Get Compromised?


Source: Verizon 2010 Data Breach Investigations Report

Where Do Losses Come From?

92% of Records from Compromised Databases

2010 Data Breach Investigations Report

Top Attack Techniques

Chart: top attack techniques by % of breaches and % of records (2010 Data Breach Investigations Report)

Most records are lost through stolen credentials and SQL injection



Oracle Database Security

Defense-in-Depth

Encryption and Masking: Oracle Advanced Security, Oracle Secure Backup, Oracle Data Masking

Access Control: Oracle Database Vault, Oracle Label Security

Auditing and Tracking: Oracle Audit Vault, Oracle Configuration Management, Oracle Total Recall

Monitoring and Blocking: Oracle Database Firewall


Oracle Advanced Security

End-to-End Encryption

Diagram: encryption applied on disk, in backups, in exports, in the application and at off-site facilities.

Efficient encryption of all application data
Built-in key lifecycle management
No application changes required
Works with Exadata and Oracle Advanced Compression

Oracle Advanced Security

What's New and Coming?

Hardware Acceleration Support
Performance overhead already < 10% for most applications
7-10x performance gain with Intel Advanced Encryption Standard New Instructions (AES-NI) and Oracle SPARC T-3

Key Management and HSM Support
Certified with SafeNet, Thales and Utimaco using PKCS #11
Planned support for Oracle's Key Management System


Oracle Data Masking

Irreversible De-Identification

Production:
LAST_NAME    SSN            SALARY
AGUILAR      203-33-3234    40,000
BENSON       323-22-2943    60,000

Non-Production:
LAST_NAME    SSN            SALARY
ANSKEKSL     11123-1111     40,000
BKJHHEIEDK   222-34-1345    60,000

Mask sensitive data for test and partner systems
Sophisticated masking: condition-based, compound, deterministic
Extensible template library and policies for automation
Leverage masking templates for common data types
Integrated masking and cloning
Masking of heterogeneous databases via database gateways (new)
Command line support for data masking tasks (new)
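As an added illustration of the deterministic, irreversible masking the slide describes (example code, not Oracle's Data Masking implementation): identifying columns are replaced through a keyed hash, so the same production value always maps to the same masked value (referential integrity across tables is preserved) while nobody without the key can recover the original; SALARY is left untouched, as in the slide. The key and the sample rows are constructed for this example.

```python
import hashlib
import hmac
import string

# Constructed key for this example only; a real deployment keeps the masking
# key in a key store so that test users cannot recompute the mapping.
MASK_KEY = b"example-only-masking-key"


def _keyed_digest(value: str, context: str) -> bytes:
    """HMAC of the value under a per-column context.

    The key makes the mapping one-way for anyone without it; the context
    keeps the SSN and LAST_NAME mappings independent of each other.
    """
    msg = context.encode() + b"\x00" + value.encode()
    return hmac.new(MASK_KEY, msg, hashlib.sha256).digest()


def mask_ssn(ssn: str) -> str:
    """Replace an SSN with another ddd-dd-dddd value, deterministically."""
    n = int.from_bytes(_keyed_digest(ssn, "ssn")[:8], "big") % 10**9
    digits = f"{n:09d}"
    return f"{digits[:3]}-{digits[3:5]}-{digits[5:]}"


def mask_last_name(name: str) -> str:
    """Replace a surname with uppercase letters of the same length."""
    d = _keyed_digest(name.upper(), "last_name")
    letters = string.ascii_uppercase
    return "".join(letters[d[i % len(d)] % 26] for i in range(len(name)))


def mask_row(row: dict) -> dict:
    """Mask the identifying columns; SALARY stays as-is for realistic tests."""
    return {
        "LAST_NAME": mask_last_name(row["LAST_NAME"]),
        "SSN": mask_ssn(row["SSN"]),
        "SALARY": row["SALARY"],
    }


# Constructed production rows, matching the slide's example.
PRODUCTION = [
    {"LAST_NAME": "AGUILAR", "SSN": "203-33-3234", "SALARY": "40,000"},
    {"LAST_NAME": "BENSON", "SSN": "323-22-2943", "SALARY": "60,000"},
]

if __name__ == "__main__":
    for row in PRODUCTION:
        print(mask_row(row))
```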

Oracle Data Masking

What's Coming?

Sensitive data identification based on privacy attributes
Application masking templates for E-Business Suite and Fusion Applications


Oracle Database Vault

Separation of Duties & Privileged User Controls

Diagram: a DBA issuing "select * from finance.customers" is kept away from the Finance, HR and Procurement application data, while the application itself keeps its access.

Restricts application data from privileged users
DBA separation of duties
Securely consolidate application data
No application changes required
Works with Oracle Exadata

Oracle Database Vault

Multi-Factor Access Control Policy Enforcement

Diagram: the application reaches the Procurement, HR and Rebates data only when the policy's rules and factors are satisfied.

Protect application data and prevent application bypass
Enforce who, where, when, and how using rules and factors
User factors: name, authentication type, proxy enterprise identity
Network factors: machine name, IP, network protocols
Database factors: IP, instance, hostname, SID
Runtime factors: date, time

Oracle Database Vault

Out-of-the-Box Protections for Applications

Pre-built policies with further possible customization
Complements application security
Transparent to existing applications
Minimal performance overhead
Certifications underway: Oracle Hyperion, Oracle Tax and Utilities, SAP, Infosys Finacle, Siebel, i-Flex, Retek, JD Edwards EnterpriseOne, Oracle E-Business Suite 11i / R12, PeopleSoft Applications

Oracle Label Security

Data Classification for Access Control

Diagram: data labelled Sensitive (transactions), Confidential (report data) and Public (reports), with users likewise labelled Confidential or Sensitive.

Classify users and data based on business drivers
Database-enforced row-level access control
User classification through Oracle Identity Management Suite
Classification labels can be factors in Database Vault


Oracle Audit Vault

Automated Audit Collection and Reporting

Diagram: audit data from the HR, CRM and ERP databases is collected into Audit Vault, which provides alerts, built-in reports, custom reports and policies to the auditor.

Consolidate audit data into a secure warehouse
Create/customize compliance and entitlement reports
Detect and raise alerts on suspicious activities
Centralized audit policy management
Integrated audit trail cleanup

Oracle Configuration Management

Secure Configuration & Change Tracking

Out-of-box policies
User-defined policies & groups
Real-time change detection
Industry & regulatory frameworks
Compliance dashboard

Optimized for Oracle, with industry-specific compliance dashboards

Continuous scanning against best practices and gold baselines
200+ out-of-the-box policies spanning host, database, and middleware
Real-time detection of changes to processes, files, etc.
Violations can trigger emails and create tickets
Compliance reports mapped to compliance frameworks


Oracle Database Firewall

First Line of Defense

Diagram: SQL from the applications passes through the Database Firewall, where each statement is allowed, logged, alerted on, substituted or blocked; the firewall feeds alerts, built-in reports, custom reports and policies.

Prevent unauthorized activity, application bypass and SQL injection
Highly accurate SQL-grammar-based analysis
Flexible enforcement options
Built-in and custom compliance reports

Oracle Database Firewall

Security Model

Diagram: a white list sits between the applications and the database; statements that match it are allowed, the rest are blocked.

White-list-based policies enforce normal or expected behavior
Evaluate factors such as time, day, network, app, etc.
Easily generate white lists for any application
Log, alert, block or substitute out-of-policy SQL statements
Black lists to stop unwanted SQL commands, user, or schema access
Superior performance and policy scalability based upon clustering
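To make the white-list model concrete, here is an added Python sketch (not Oracle's code) of grammar-shape matching: each statement is reduced to its SQL shape with literal values replaced by placeholders, compared against a baseline learned from the application, and out-of-policy statements are logged or blocked while black-listed command types are always blocked. The tokenizer, the class name and the baseline statements are constructed for this example.

```python
import re

# Named alternatives; string and number literals become placeholders so the
# shape depends on the SQL grammar of the statement, not on the values in it.
_TOKEN = re.compile(
    r"(?P<str>'(?:[^']|'')*')"
    r"|(?P<num>\b\d+(?:\.\d+)?\b)"
    r"|(?P<word>[A-Za-z_][\w.$]*)"
    r"|(?P<op><>|<=|>=|!=|[(),=<>*+\-/;])"
    r"|(?P<ws>\s+)"
)

ALLOW, LOG, BLOCK = "allow", "log", "block"


def statement_shape(sql: str) -> str:
    """Normalise a statement: lower-cased keywords and identifiers,
    literals replaced by '?', whitespace collapsed to single spaces."""
    parts = []
    for m in _TOKEN.finditer(sql):
        kind = m.lastgroup
        if kind == "ws":
            continue
        parts.append("?" if kind in ("str", "num") else m.group().lower())
    return " ".join(parts)


class WhitelistFirewall:
    """Allow only statement shapes seen in the application baseline; apply
    the out-of-policy action (log or block) to anything else, and refuse a
    short black list of statement types no matter what."""

    def __init__(self, baseline_sql, blacklist_cmds=("drop", "alter", "grant"),
                 out_of_policy=LOG):
        self.whitelist = {statement_shape(s) for s in baseline_sql}
        self.blacklist = {c.lower() for c in blacklist_cmds}
        self.out_of_policy = out_of_policy

    def decide(self, sql: str) -> str:
        shape = statement_shape(sql)
        if shape.split(" ", 1)[0] in self.blacklist:
            return BLOCK
        if shape in self.whitelist:
            return ALLOW
        return self.out_of_policy


# Constructed baseline captured from the application during normal use.
BASELINE = [
    "SELECT name, balance FROM finance.customers WHERE id = 42",
    "UPDATE finance.customers SET balance = 10.5 WHERE id = 7",
]
```

A statement whose only difference from the baseline is a changed literal is allowed, while a structurally different statement against the same table is out of policy; the real product also evaluates session factors and can substitute a harmless statement instead of blocking.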

Oracle Database Firewall

Reporting

Database Firewall log data consolidated into a reporting database
Over 130 built-in reports that can be modified and customized
Entitlements reporting for database attestation and audit
Database activity and privileged user reports
Supports demonstrating PCI, SOX, HIPAA/HITECH, etc. controls
Optional database activity masking

Oracle Database Security Big Picture

Diagram: the products working together. Audit consolidation across databases; network SQL monitoring and blocking (allow, log, alert, substitute, block) in front of the applications; Procurement, HR and Rebates data labelled Sensitive, Confidential and Public; controls against unauthorized local activity, database consolidation security and local DBA privilege misuse; an encrypted database with encrypted backups and exports; and data masking.

Oracle Database Security


Key Differentiators


For More Information

search.oracle.com

database security

oracle.com/database/security

