
Oracle Database Security Solutions


Eric Cheung
Senior Manager, Technology Sales Consulting
Eric.cheung@oracle.com

May 2008

Key Drivers for Data Security

Privacy and Compliance
- Sarbanes-Oxley (SOX), J-SOX, GLBA
- Payment Card Industry (PCI)
- HIPAA, EU Privacy Directives
- Breach Disclosure Laws
- COSO, COBIT frameworks
- Separation of duty, proof of compliance, risk assessment and monitoring

Insider / External Threats
- A large percentage of threats go undetected
- Outsourcing and off-shoring trend
- Customers want to monitor insiders and DBAs

Oracle Database Security
Continuous Innovation

Oracle Database 11g: Data Masking, TDE Tablespace Encryption, Oracle Total Recall, Oracle Audit Vault
Oracle Database 10g: Oracle Database Vault, Transparent Data Encryption (TDE), Real Time Masking, Secure Config Scanning
Oracle Database 9i: Fine Grained Auditing, Oracle Label Security, Enterprise User Security
Oracle8i: Virtual Private Database (VPD), Database Encryption API, Strong Authentication
Oracle7: Native Network Encryption, Database Auditing (government customer)

Data Privacy and Regulatory Compliance
Database Security Challenges

- Protecting access to application data
- Database monitoring
- De-identifying information for sharing
- Data encryption
- Data classification
Oracle Database Security
Solutions for Privacy and Compliance

- Database Vault
- Advanced Security
- Configuration Management
- Secure Backup
- Total Recall
- Label Security
- Audit Vault
- Data Masking

Oracle Database Vault
Highly Privileged User Controls

A realm groups an application's schema objects and blocks access from every account that is not authorized for the realm, including accounts that hold system privileges such as SELECT ANY TABLE:
- A database DBA issuing SELECT * FROM HR.EMP is stopped by the HR Realm; the HR application itself still reaches its data.
- The HR application owner cannot view FIN data, because it sits in the FIN Realm that only the FIN application is authorized for.

Benefits:
- Compliance and protection from insiders
- Addresses the security risks that server consolidation creates when several applications share one database
Oracle Database Vault
Real Time Access Controls

Command rules evaluate factors such as the client IP address and the time of day before a SQL command is allowed to run:
- An HR application user trying to connect from an unexpected IP address is refused.
- A DBA issuing CREATE against the FIN application is subject to a business-hours rule.
Oracle Database Vault
Separation of Duty

Account management
Database Vault overrides all existing administrative privileges for creating new accounts; only the designated account manager can do so.

Security administration
Database Vault is administered from a separate security administration account, not from the DBA or SYSDBA account.

Traditional database administration
Traditional administrative tasks remain separate from account management and security administration.

Major Financial Services Company
Use Case

Control privileged users
- Prevent DBAs from accessing sensitive data in realms
- Set up multiple levels of DBAs

Control access based on environmental factors
- Restrict the hostnames authorized to access the database
- Control access based on geography

Control use of ad-hoc query tools; enforce maintenance periods
- Restrict connections from ad-hoc query tools to maintenance windows or to specific users

Control patching activity
- Patching requires a second, monitoring user to be logged in at the same time

Control unauthorized database changes
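The realm and command-rule controls described on the preceding slides, as an added SQL example that is not part of the presentation. It uses the DBMS_MACADM and DBMS_MACUTL packages of Oracle Database Vault 11g; the realm, rule and rule-set names, the HR_APP account, the FIN schema and the 10.1.% address range are assumptions for illustration.

```sql
-- Added example, not from the presentation. Realm, rule and rule-set names,
-- the HR_APP account, the FIN schema and the 10.1.% address range are
-- assumptions. Run as the Database Vault owner (DV_OWNER role); SYS and the
-- DBA cannot administer these objects, which is the separation of duty the
-- slides describe.

-- 1. Realm around the HR schema: system privileges such as SELECT ANY TABLE
--    stop working against HR objects for everyone not authorized below.
BEGIN
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'HR Realm',
    description   => 'HR application schema',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);  -- log every violation
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'HR Realm',
    object_owner => 'HR',
    object_name  => '%',     -- all objects
    object_type  => '%');    -- of all types
  -- The schema owner is the only authorized account; the DBA is absent.
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'HR Realm',
    grantee       => 'HR',
    rule_set_name => NULL,
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_OWNER);
END;
/

-- 2. Factor-based rules. DVF.F$CLIENT_IP and DVF.F$SESSION_USER are the
--    functions behind the built-in Client_IP and Session_User factors.
BEGIN
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'HR app from app servers only',
    rule_expr => 'DVF.F$SESSION_USER <> ''HR_APP'' OR DVF.F$CLIENT_IP LIKE ''10.1.%''');
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Outside business hours',
    rule_expr => 'TO_CHAR(SYSDATE, ''HH24'') NOT BETWEEN ''08'' AND ''17''');

  DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'HR Connect Check',
    description     => 'HR_APP may connect only from application servers',
    enabled         => DBMS_MACUTL.G_YES,
    eval_options    => DBMS_MACUTL.G_RULESET_EVAL_ALL,
    audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
    fail_options    => DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => 'Connection not allowed from this address',
    fail_code       => -20001,
    handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);
  DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'HR Connect Check',
    rule_name     => 'HR app from app servers only');

  DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'FIN Maintenance Window',
    description     => 'DDL on FIN only outside business hours',
    enabled         => DBMS_MACUTL.G_YES,
    eval_options    => DBMS_MACUTL.G_RULESET_EVAL_ALL,
    audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
    fail_options    => DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => 'FIN schema changes only during the maintenance window',
    fail_code       => -20002,
    handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);
  DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'FIN Maintenance Window',
    rule_name     => 'Outside business hours');
END;
/

-- 3. Command rules bind the rule sets to SQL commands.
BEGIN
  DBMS_MACADM.CREATE_COMMAND_RULE(
    command       => 'CONNECT',
    rule_set_name => 'HR Connect Check',
    object_owner  => '%',
    object_name   => '%',
    enabled       => DBMS_MACUTL.G_YES);
  DBMS_MACADM.CREATE_COMMAND_RULE(
    command       => 'CREATE TABLE',
    rule_set_name => 'FIN Maintenance Window',
    object_owner  => 'FIN',
    object_name   => '%',
    enabled       => DBMS_MACUTL.G_YES);
END;
/

-- Checks. Afterwards a DBA's SELECT * FROM hr.emp fails with ORA-01031
-- (insufficient privileges) and the attempt is recorded by the realm audit.
SELECT realm_name, object_owner, object_name, object_type FROM dba_dv_realm_object;
SELECT command, rule_set_name, object_owner, object_name, enabled FROM dba_dv_command_rule;
```

The CONNECT rule is written as "not HR_APP, or coming from the application servers" so that it constrains only the application account; a rule that tested the address alone would lock every other user out as well, including the Database Vault owner.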

Oracle Database Vault
Application Certification

- PeopleSoft
- E-Business Suite
- Siebel
- Oracle Content DB
- Oracle Internet Directory


Oracle Advanced Security
Transparent Data Encryption

Protect application data
- Easily encrypt sensitive data
- Protect entire application tables (tablespace encryption) or specific columns (for example, a credit card number)
- No changes to existing applications: a value such as 75000 is encrypted transparently as it is written, the datafiles on disk hold only ciphertext, and authorized sessions see the value decrypted transparently on read
- TDE protects data at rest (stolen datafiles, backups, disks); a user who holds SELECT on the table still reads plaintext, so access control and auditing remain necessary

Built-in key management
- Keys automatically generated and managed
- Integrates with Hardware Security Modules (HSM)

Transparent Data Encryption
Point-And-Click Deployment

Oracle Advanced Security
Encrypting Columns

Encrypt a column in an existing table:

alter table credit_rating modify (person_id encrypt);

Create a new table with an encrypted column:

create table orders (
  order_id    number(12),
  customer_id number(12),
  credit_card varchar2(16) encrypt);

Note: the default algorithm for column encryption is AES 192. The wallet holding the master key must be open before either statement succeeds.

Oracle Advanced Security
Encrypting Tablespaces

Create a new tablespace with the ENCRYPTION keyword (Oracle Database 11g):

CREATE TABLESPACE securespace2
  DATAFILE '/home/user/oradata/secure01.dbf' SIZE 150M
  ENCRYPTION
  DEFAULT STORAGE (ENCRYPT);

Note: the default algorithm for tablespace encryption is AES 128. An existing tablespace cannot be encrypted in place in this release; the tables are moved into a new encrypted tablespace instead.
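The column and tablespace encryption steps on the two preceding slides, carried through end to end as an added SQL example that is not part of the presentation. It assumes Oracle Database 11g Release 1 with the Advanced Security Option; the wallet directory, the wallet password, the credit_rating table and the ORDERS index are assumptions, while the orders table and the securespace2 tablespace are the ones shown on the slides.

```sql
-- Added example, not from the presentation. The wallet path, wallet password,
-- the credit_rating table and the index name are assumptions. Assumes Oracle
-- Database 11g Release 1 with this entry in sqlnet.ora (adjust the path):
--   ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=FILE)
--     (METHOD_DATA=(DIRECTORY=/etc/ORACLE/WALLETS/orcl)))

-- 1. Create the wallet and the master key (first time only), then open it.
--    Run as the security DBA (ALTER SYSTEM), not as the application owner.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "Wallet-Pw-Change-Me";
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "Wallet-Pw-Change-Me";

-- Check: STATUS must be OPEN, otherwise access to any encrypted column or
-- tablespace fails with ORA-28365 (wallet is not open).
SELECT wrl_type, wrl_parameter, status FROM v$encryption_wallet;

-- 2. Column encryption. A salted column (the default) cannot be indexed;
--    use NO SALT only where an index is required, and accept that equal
--    plaintexts then produce equal ciphertexts in the datafile.
CREATE TABLE orders (
  order_id        NUMBER(12) PRIMARY KEY,
  customer_id     NUMBER(12),
  credit_card     VARCHAR2(16) ENCRYPT USING 'AES256' NO SALT,  -- indexed below
  cardholder_name VARCHAR2(60) ENCRYPT USING 'AES256');         -- salted, never indexed
CREATE INDEX orders_cc_ix ON orders (credit_card);

-- Encrypt a column of an existing table, overriding the AES192 default.
ALTER TABLE credit_rating MODIFY (person_id ENCRYPT USING 'AES256');

-- Check: which columns are encrypted, with algorithm and salt setting.
SELECT owner, table_name, column_name, encryption_alg, salt
  FROM dba_encrypted_columns
 ORDER BY owner, table_name, column_name;

-- 3. Tablespace encryption with an explicit algorithm (default is AES128).
CREATE TABLESPACE securespace2
  DATAFILE '/home/user/oradata/secure01.dbf' SIZE 150M
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

-- An existing tablespace cannot be encrypted in place in this release:
-- move the table and rebuild its indexes (the move marks them UNUSABLE).
ALTER TABLE orders MOVE TABLESPACE securespace2;
ALTER INDEX orders_cc_ix REBUILD TABLESPACE securespace2;

-- Check: encrypted tablespaces and their algorithms.
SELECT t.name, e.encryptionalg, e.encryptedts
  FROM v$tablespace t JOIN v$encrypted_tablespaces e ON e.ts# = t.ts#;

-- 4. Re-key the column master key. Only the column keys are re-wrapped; the
--    data itself is not rewritten. In this release the tablespace master
--    key cannot be rotated.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "Wallet-Pw-Change-Me";
```

Back up the wallet separately from the datafiles and RMAN backups: a backup that contains the encrypted datafiles but not the wallet (or the HSM credentials) cannot be restored to readable data.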

Oracle Advanced Security
Key Management Architecture

- Each encrypted column has its own column key; the Oracle data dictionary stores the column keys encrypted under the master key.
- The master key is stored outside the database in a PKCS#12 wallet.
- The security DBA opens the wallet containing the master key; until it is open, encrypted data can be neither read nor written.
- Application users access the FIN and HR application data transparently; each application's data is encrypted with its own column key.

Oracle Advanced Security
Key Management Architecture with HSM

- As before, the data dictionary stores the column keys encrypted under the master key, and the FIN and HR application data are encrypted with their own column keys.
- The master key is stored in the HSM instead of in a file wallet; the column keys are unwrapped inside the HSM, so the master key never leaves the device.
- The security DBA still opens the wallet, which now holds the HSM credentials rather than the master key itself.

Oracle Secure Backup
Integrated, Centralized Tape Backup Management

Improved security and manageability
- Backup encryption for file systems added
- Automated backup of the OSB catalog
- Policy-based migration from Virtual Tape Library (VTL) to tape

Scope: Oracle databases (integration with RMAN) and file system data on UNIX, Windows, Linux and NAS, written to tape

Advanced media management
- Vaulting provides automatic rotation of tapes between multiple locations
- Tape duplication based on policies
- Sun StorageTek ACSLS support

Improved performance
- No backup (and no reads) of committed undo


Oracle Label Security
Access Control by Data Classification

Additional access control check
- The database first verifies that the requestor holds the table privileges (SELECT, UPDATE, INSERT, ...).
- Label Security then mediates additional access based on the sensitivity label assigned to the data or operation: rows labelled Confidential, Sensitive or Highly Sensitive are returned only to users whose label authorization ("security clearance") dominates the row label.
- Specialized security solution

Components
- User label authorizations
- Data labels
- Special user privileges
- Enforcement options

Sensitivity Label Components
More Than Just Levels

A label is built from three parts:

- Sensitivity level (exactly one, ordered): Confidential < Sensitive < Highly Sensitive. Example label: Sensitive
- Plus zero or more compartments (unordered categories such as HR, PII, FIN, LEGAL). Example label: Sensitive : HR
- Plus zero or more groups (such as US, Europe, Global; groups may form a hierarchy). Example label: Sensitive : HR : US
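The level, compartment and group model of the preceding slides, built as a working policy with the Oracle Label Security administrative packages. This is an added SQL example, not code from the presentation; the policy name, the user names, the HR.EMPLOYEES table and the numeric component ids are assumptions.

```sql
-- Added example, not from the presentation. Policy, user and table names
-- and the component numbers are assumptions. Run as a user holding the
-- LBAC_DBA role (the Label Security administrator).

-- 1. Policy and its label column. HIDE keeps the label column out of
--    SELECT * so existing application SQL is unaffected.
BEGIN
  SA_SYSDBA.CREATE_POLICY(
    policy_name     => 'HR_POLICY',
    column_name     => 'HR_LABEL',
    default_options => 'READ_CONTROL,WRITE_CONTROL,HIDE');
END;
/

-- 2. Components from the slides: ordered levels, compartments, groups.
--    GLOBAL is the parent group of US and EU.
BEGIN
  SA_COMPONENTS.CREATE_LEVEL('HR_POLICY', 1000, 'C',  'CONFIDENTIAL');
  SA_COMPONENTS.CREATE_LEVEL('HR_POLICY', 2000, 'S',  'SENSITIVE');
  SA_COMPONENTS.CREATE_LEVEL('HR_POLICY', 3000, 'HS', 'HIGHLY SENSITIVE');

  SA_COMPONENTS.CREATE_COMPARTMENT('HR_POLICY', 100, 'HR',  'HUMAN RESOURCES');
  SA_COMPONENTS.CREATE_COMPARTMENT('HR_POLICY', 200, 'PII', 'PERSONAL DATA');
  SA_COMPONENTS.CREATE_COMPARTMENT('HR_POLICY', 300, 'FIN', 'FINANCE');

  SA_COMPONENTS.CREATE_GROUP('HR_POLICY', 10, 'GLOBAL', 'GLOBAL');
  SA_COMPONENTS.CREATE_GROUP('HR_POLICY', 20, 'US', 'UNITED STATES', 'GLOBAL');
  SA_COMPONENTS.CREATE_GROUP('HR_POLICY', 30, 'EU', 'EUROPE',        'GLOBAL');
END;
/

-- 3. Data labels rows may carry, written LEVEL:COMPARTMENTS:GROUPS.
BEGIN
  SA_LABEL_ADMIN.CREATE_LABEL('HR_POLICY', 1100, 'S');
  SA_LABEL_ADMIN.CREATE_LABEL('HR_POLICY', 1200, 'S:HR');
  SA_LABEL_ADMIN.CREATE_LABEL('HR_POLICY', 1300, 'S:HR:US');
  SA_LABEL_ADMIN.CREATE_LABEL('HR_POLICY', 1400, 'HS:HR,PII:US');
END;
/

-- 4. User authorizations ("clearance"). A row is readable when the user's
--    level >= the row level, the user holds every compartment on the row,
--    and, if the row carries groups, at least one of them (a parent group
--    covers its children).
BEGIN
  -- US HR representative: reads S:HR:US and S:HR, but not HS:HR,PII:US
  -- (level too low, PII compartment missing).
  SA_USER_ADMIN.SET_USER_LABELS(
    policy_name    => 'HR_POLICY',
    user_name      => 'HR_REP_US',
    max_read_label => 'S:HR:US');
  -- Senior HR rep with the GLOBAL group: reads US and EU rows alike.
  SA_USER_ADMIN.SET_USER_LABELS(
    policy_name    => 'HR_POLICY',
    user_name      => 'HR_SENIOR',
    max_read_label => 'HS:HR,PII:GLOBAL');
  -- Security administrator who may set labels on existing rows.
  SA_USER_ADMIN.SET_USER_PRIVS('HR_POLICY', 'SEC_ADMIN', 'FULL');
END;
/

-- 5. Apply the policy. Object privileges are still checked first: a user
--    without SELECT on HR.EMPLOYEES gets nothing whatever their label.
BEGIN
  SA_POLICY_ADMIN.APPLY_TABLE_POLICY(
    policy_name   => 'HR_POLICY',
    schema_name   => 'HR',
    table_name    => 'EMPLOYEES',
    table_options => 'READ_CONTROL,WRITE_CONTROL,HIDE');
END;
/

-- Run as SEC_ADMIN: classify one row explicitly.
UPDATE hr.employees
   SET hr_label = CHAR_TO_LABEL('HR_POLICY', 'HS:HR,PII:US')
 WHERE employee_id = 100;
COMMIT;

-- Checks: defined labels and each user's authorizations.
SELECT label_tag, label FROM dba_sa_labels WHERE policy_name = 'HR_POLICY';
SELECT user_name, user_labels FROM dba_sa_user_labels WHERE policy_name = 'HR_POLICY';
```

Rows inserted by a labelled session receive that session's row label, so application code needs no change; only the classification of existing data, as in the UPDATE above, is an explicit administrative step.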

Oracle Enterprise Manager

Oracle Label Security
Flexible Policy Model

Each policy defines its own levels, compartments and groups:

Component    | HR Policy                                                    | Law Enforcement Policy                             | Government Policy
Levels       | Level 1 Confidential, Level 2 Sensitive, Level 3 Highly Sensitive | Confidential, Secret, Top Secret              | Confidential, Secret, Top Secret
Compartments | PII Data                                                     | Investigation, Internal Affairs, Drug Enforcement  | Desert Storm, Border Protection
Groups       | HR REP, Senior HR REP                                        | Local Jurisdiction, FBI, Justice                   | NATO, Homeland Security

Oracle Label Security
Additional Use Cases

Embed in Database Vault command rules
- Compare the session's label authorization inside a command rule to customize separation of duty

Embed in data masking decisions
- Use with VPD column-level real-time masking to decide whether PII data returned by a query is nulled out

Show the application user's current working label
- Display the session's label authorization on information portals


Off-Line Data Masking
Oracle Enterprise Manager

Automates production data masking
- Easily mask existing application data
- No impact on the production database: masking runs on a clone

Built-in data relationship discovery
- Uses foreign key definitions
- Define custom data relationships

Example from the slide (constructed data):

Production database
LAST_NAME   SSN           SALARY
AGUILAR     203-33-3234   40,000
BENSON      323-22-2943   60,000

Cloned (masked) database
LAST_NAME   SSN           SALARY
ANSKEKSL    111-23-1111   40,000
BKJHHEIEDK  111-34-1345   60,000

Only LAST_NAME and SSN are masked here; SALARY is left as-is, which is a choice the masking definition makes per column.

Real-Time Data Masking
Virtual Private Database Masking

- Null out or clear table columns for all or specific table rows
- The application issues SELECT * FROM customers; the VPD policy appends the predicate

  WHERE account_mgr_id = SYS_CONTEXT('APP', 'CURRENT_MGR')

  so that the sensitive columns (SSN and the amount column in the slide) are returned only for the rows owned by the current account manager and come back NULL for every other row.
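The VPD column masking shown on the slide, implemented end to end as an added SQL example (not from the presentation): the trusted application context that supplies CURRENT_MGR, the policy function returning the slide's predicate, and the DBMS_RLS policy with column masking enabled. The APP schema, the tables, the sample rows and the logon trigger are assumptions.

```sql
-- Added example, not from the presentation. The APP schema, the tables,
-- the sample rows and the logon trigger are assumptions; the predicate is
-- the one shown on the slide.

-- 1. Constructed demo data (the SSNs are made up).
CREATE TABLE app.customers (
  cust_id        NUMBER(12) PRIMARY KEY,
  name           VARCHAR2(60),
  ssn            VARCHAR2(11),
  credit_limit   NUMBER(10),
  account_mgr_id NUMBER(12));
INSERT INTO app.customers VALUES (1, 'Aguilar', '701-49-2123', 25000, 10);
INSERT INTO app.customers VALUES (2, 'Benson',  '121-79-4212', 15000, 20);

-- Which database user is which account manager (assumed mapping table).
CREATE TABLE app.user_managers (username VARCHAR2(30) PRIMARY KEY, mgr_id NUMBER(12));
INSERT INTO app.user_managers VALUES ('MGR_ALICE', 10);
COMMIT;

-- 2. Trusted application context: only APP.APP_CTX may write to the APP
--    namespace, so a session cannot set CURRENT_MGR to someone else's id.
CREATE OR REPLACE CONTEXT app USING app.app_ctx;

CREATE OR REPLACE PACKAGE app.app_ctx AS
  PROCEDURE set_current_mgr;
END app_ctx;
/
CREATE OR REPLACE PACKAGE BODY app.app_ctx AS
  PROCEDURE set_current_mgr IS
    v_mgr NUMBER;
  BEGIN
    SELECT mgr_id INTO v_mgr
      FROM app.user_managers
     WHERE username = SYS_CONTEXT('USERENV', 'SESSION_USER');
    DBMS_SESSION.SET_CONTEXT('APP', 'CURRENT_MGR', TO_CHAR(v_mgr));
  EXCEPTION
    WHEN NO_DATA_FOUND THEN
      -- Unknown user: an id that matches no row, so every row is masked.
      DBMS_SESSION.SET_CONTEXT('APP', 'CURRENT_MGR', '-1');
  END set_current_mgr;
END app_ctx;
/
-- Set the context at login (needs ADMINISTER DATABASE TRIGGER); an
-- application could call the procedure itself after connecting instead.
CREATE OR REPLACE TRIGGER app.set_mgr_on_logon AFTER LOGON ON DATABASE
BEGIN
  app.app_ctx.set_current_mgr;
END;
/

-- 3. Policy function: returns the predicate VPD appends to each statement.
CREATE OR REPLACE FUNCTION app.mask_by_mgr(p_schema IN VARCHAR2, p_object IN VARCHAR2)
  RETURN VARCHAR2 IS
BEGIN
  RETURN 'account_mgr_id = SYS_CONTEXT(''APP'', ''CURRENT_MGR'')';
END mask_by_mgr;
/

-- 4. Column-masking policy. SEC_RELEVANT_COLS_OPT => ALL_ROWS returns every
--    row but with SSN and CREDIT_LIMIT set to NULL where the predicate is
--    false; without it those rows would be filtered out entirely.
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema         => 'APP',
    object_name           => 'CUSTOMERS',
    policy_name           => 'MASK_PII_BY_MGR',
    function_schema       => 'APP',
    policy_function       => 'MASK_BY_MGR',
    statement_types       => 'SELECT',
    sec_relevant_cols     => 'SSN,CREDIT_LIMIT',
    sec_relevant_cols_opt => DBMS_RLS.ALL_ROWS);
END;
/

-- Check as MGR_ALICE (CURRENT_MGR = 10): both rows come back, Benson's SSN
-- and CREDIT_LIMIT are NULL. A query that references neither column is not
-- rewritten at all.
SELECT cust_id, name, ssn, credit_limit FROM app.customers ORDER BY cust_id;
SELECT cust_id, name FROM app.customers ORDER BY cust_id;
```

Two caveats worth keeping in mind: column masking applies to SELECT only, so writes need a separate row-level policy (statement_types => 'UPDATE,DELETE' with no sec_relevant_cols), and SYS as well as any user holding EXEMPT ACCESS POLICY bypasses VPD entirely, which is exactly the gap Database Vault realms are meant to close.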


Auditing in the Oracle Database
Robust, Flexible, and High Fidelity Audit

Industry's most advanced
- Statement: audit DDL / DML by statement type or schema object
- Privilege: audit statements that use system privileges
- Scoped to a specific user or group of users

Fine grained auditing (Oracle9i)
- Enterprise Edition conditional auditing feature: a record is written only when a statement touches the specified columns and satisfies an audit condition
- SELECT statements only (Oracle9i)
- UPDATE, INSERT and DELETE statements (Oracle Database 10g)

Flexible
- Audit table and OS file destinations (OS is most performant)
- Supports XML format
- Windows event viewer & SYSLOG
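Statement, privilege and fine-grained auditing from the preceding slide, configured together as an added SQL example that is not part of the presentation. The HR.EMPLOYEES table, its SALARY and SSN columns, the policy name and the APPSDBA and PAYROLL_BATCH accounts are assumptions.

```sql
-- Added example, not from the presentation. Table, column, policy and
-- account names are assumptions. Run as a user with AUDIT SYSTEM, ALTER
-- SYSTEM and EXECUTE on DBMS_FGA.

-- 0. Standard audit trail destination (instance parameter, restart needed).
--    DB,EXTENDED keeps SQL text and bind values in the trail; OS and XML are
--    the higher-throughput file destinations the slide refers to.
ALTER SYSTEM SET audit_trail = 'DB,EXTENDED' SCOPE = SPFILE;
-- Actions taken as SYS are not in the standard trail; record them to the OS.
ALTER SYSTEM SET audit_sys_operations = TRUE SCOPE = SPFILE;

-- 1. Statement, privilege, object and per-user auditing.
AUDIT CREATE USER, ALTER USER, DROP USER;                -- account management
AUDIT SELECT ANY TABLE BY ACCESS;                        -- use of a system privilege
AUDIT SELECT, UPDATE, DELETE ON hr.employees BY ACCESS;  -- one schema object
AUDIT ALL BY appsdba BY ACCESS;                          -- everything one user does

-- 2. Fine grained auditing: one record only when a statement references
--    SALARY or SSN on a row with SALARY above 100000, and only if the
--    session is not the payroll batch account. ANY_COLUMNS fires when any
--    listed column is referenced; ALL_COLUMNS would require all of them.
BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema     => 'HR',
    object_name       => 'EMPLOYEES',
    policy_name       => 'HIGH_SALARY_ACCESS',
    audit_condition   => 'SALARY > 100000 AND '
                      || 'SYS_CONTEXT(''USERENV'',''SESSION_USER'') <> ''PAYROLL_BATCH''',
    audit_column      => 'SALARY,SSN',
    statement_types   => 'SELECT,UPDATE,DELETE',
    audit_trail       => DBMS_FGA.DB + DBMS_FGA.EXTENDED,
    audit_column_opts => DBMS_FGA.ANY_COLUMNS);
END;
/

-- 3. What a reviewer reads. Standard trail for the last day:
SELECT timestamp, username, userhost, action_name, obj_name, returncode
  FROM dba_audit_trail
 WHERE timestamp > SYSDATE - 1
 ORDER BY timestamp;

-- FGA trail with the full statement and bind values (EXTENDED):
SELECT timestamp, db_user, os_user, client_id, object_name, sql_text, sql_bind
  FROM dba_fga_audit_trail
 WHERE policy_name = 'HIGH_SALARY_ACCESS'
 ORDER BY timestamp;

-- 4. Protect the trail itself: AUD$ and FGA_LOG$ belong to SYS, so a DBA
--    could delete from them. Audit those deletes and ship the trail off the
--    host (Audit Vault, OS or syslog destination) so tampering is visible.
AUDIT DELETE ON sys.aud$ BY ACCESS;
AUDIT DELETE ON sys.fga_log$ BY ACCESS;
```

The audit condition is the part that keeps FGA affordable: without it every read of the two columns would produce a record, which is the cost the slide's "conditional auditing" wording is about.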

Oracle Audit Vault
Protect Your Enterprise With Auditing

Collects audit data from Oracle Database 9i Release 2, 10g Release 1, 10g Release 2 and 11g Release 1; other sources and databases are planned (future).

Report, monitor, enforce, secure:

Manage audit data
- Centrally secure audit data from Oracle databases
- Centrally manage Oracle database audit settings

Detect suspicious activities
- Monitor database users, especially privileged users
- Alert on unauthorized activities

Simplify compliance reporting
- Built-in compliance reports
- Define custom reports

Audit Vault Reports
Out-of-the-box Audit Assessments & Custom Reports

Out-of-the-box reports
- Privileged user activity
- Access to sensitive data
- Role grants, DDL activity

Custom reports
- Published warehouse schema
- Use Oracle or 3rd-party tools

User-defined reports, for example:
- What did privileged users do on the financial database?
- What did user A do across multiple databases?
- Who accessed sensitive data?

Oracle Audit Vault
Manageability

Audit Vault Dashboard
- Enterprise overview
- Alerts on audit events
- Drill-down reports
- Audit Vault administration

Audit Vault Policies
- A collection of audit settings for databases
- Provision database audit settings centrally for compliance policies
- Compare against the audit settings currently in force on the source
- Demonstrate compliance with internal mandates

Oracle Audit Vault Repository
Scalable, Flexible & Secure

Performance and scalability
- Scales to terabytes with partitioning
- Data warehouse enables business intelligence and analysis

Security
- Separation of duty
- Privileged users can't modify audit data
- Data protected in transit from source to Audit Vault

Introducing Oracle Total Recall
Tamper-Resistant Real-Time Database Archiving

- Automated table snapshots record every change to the data
- Complements auditing: auditing records who did it, Total Recall records what the data looked like
- Optimized to minimize performance overhead
- Historical data can be retained as long as needed for regulatory compliance and forensic analysis
- Automatically prevents end users from changing historical data

Seamless access to archived historical data
- Historical data is stored in the database for real-time access
- Stored in compressed form to minimize storage requirements
- Queried with ordinary flashback SQL:

select * from product_information
  as of timestamp to_timestamp('02-MAY-05 12.00 AM', 'DD-MON-RR HH.MI AM')
 where product_id = 3060;
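The archiving workflow behind the slide's query, as an added SQL example that is not part of the presentation: creating a Flashback Data Archive with an enforced retention, enrolling a table, and then querying both a point in time and the full version chain. The fda_ts tablespace, the archive name, the OE schema and the constructed price changes are assumptions; product_information and product_id 3060 come from the slide.

```sql
-- Added example, not from the presentation. The fda_ts tablespace, the
-- archive name, the OE schema and the sample updates are assumptions.
-- Step 1 needs the FLASHBACK ARCHIVE ADMINISTER system privilege; step 2
-- is run by the table owner, who needs the FLASHBACK ARCHIVE object
-- privilege on the archive.

-- 1. An archive with its own quota and a retention the database enforces:
--    history older than 7 years is purged automatically, and nothing else
--    may delete it before then.
CREATE FLASHBACK ARCHIVE fda_compliance
  TABLESPACE fda_ts QUOTA 10G
  RETENTION 7 YEAR;

-- 2. Track a table. From here on every committed change is captured into
--    the archive by a background process; the application is unchanged.
ALTER TABLE oe.product_information FLASHBACK ARCHIVE fda_compliance;

-- 3. Constructed change history for product 3060.
UPDATE oe.product_information SET list_price = 1500 WHERE product_id = 3060;
COMMIT;
UPDATE oe.product_information SET list_price = 1200 WHERE product_id = 3060;
COMMIT;

-- 4. Point-in-time view (the slide's query, with a time the archive covers)
--    and the complete version chain with operation type and validity range.
SELECT product_id, list_price
  FROM oe.product_information
  AS OF TIMESTAMP (SYSTIMESTAMP - INTERVAL '10' MINUTE)
 WHERE product_id = 3060;

SELECT versions_starttime, versions_endtime, versions_operation, list_price
  FROM oe.product_information
  VERSIONS BETWEEN TIMESTAMP MINVALUE AND MAXVALUE
 WHERE product_id = 3060
 ORDER BY versions_starttime;

-- 5. Tamper resistance: the history tables the archive creates (see
--    ARCHIVE_TABLE_NAME below) reject DML from every user, the table owner
--    included, and the tracked table can no longer be dropped or truncated
--    while it is enrolled.
SELECT table_name, owner_name, flashback_archive_name, archive_table_name
  FROM dba_flashback_archive_tables;
```

For a forensic question such as "what did this row look like when the audit record says it was read" the version query is the one to run: the auditing trail supplies the timestamp and the user, the archive supplies the values.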

Tracking Compliance Over Time
Compliance Trend across IT infrastructure

Example of Security Policy Rules
Over 250 Built-in Policy Rules

Database services (listener)
- Enable listener logging
- Password-protect listeners
- Disallow the default listener name
- Ensure the listener log file is valid and owned by the Oracle software owner
- Ensure the listener host name is specified with an IP address

Database file permissions
- init.ora should have restricted file permissions
- Files in $ORACLE_HOME/bin should be owned by the Oracle software owner
- Data files should be owned by the Oracle software owner

Database profile / configuration
- Default passwords
- Disallow access to objects through a fixed-user database link
- Disallow default tablespace set to SYSTEM
- Set PASSWORD_GRACE_TIME
- Limit or deny access to DBMS_LOB
- Set PASSWORD_REUSE_MAX
- Avoid using the UTL_FILE_DIR parameter
- Password complexity enabled

Host
- Detect open ports
- Detect insecure services
- Ensure NTFS file system type (Windows)

Application Server
- HTTPD has minimal privileges
- Use HTTP/S
- Apache logging should be on
- Demo applications disabled
- Disable default banner page
- Disable access to unused directories
- Disable directory indexing
- Forbid access to certain packages
- Disable packages not used by the DAD owner
- Remove unused DAD configurations

Learn More

Technology overview
- Search http://search.oracle.com for "database security"
- Visit oracle.com/database/security
- View whitepapers and webinars

Technical information, demos, software
- Visit OTN: otn.oracle.com -> products -> database -> security and compliance

Release Wide Map of Security Products

Releases: Oracle8i | Oracle Database 9iR1 | Oracle Database 9iR2 | Oracle Database 10g R1 | Oracle Database 10g R2 | Oracle Database 11gR1

Solutions plotted against those releases:
- Database Auditing
- Network Encryption
- Virtual Private Database
- Label Security
- Privileged User Controls
- Enterprise User Security
- Fine Grained Auditing
- Client Identifier
- EM Configuration Scanning
- TDE Column Encryption
- TDE Tablespace Encryption
- EM Data Masking

Data Masking is available starting with EM 10.2.0.4 and works against Oracle Database 9.2 and higher databases.
