
Copyright 2012, Oracle and/or its affiliates. All rights reserved. Public Information
The following is intended to outline our general product
direction. It is intended for information purposes only, and
may not be incorporated into any contract. It is not a
commitment to deliver any material, code, or functionality,
and should not be relied upon in making purchasing
decisions. The development, release, and timing of any
features or functionality described for Oracle's products
remains at the sole discretion of Oracle.

11g Database Security
Encrypting Sensitive Data using Oracle Advanced Security

David Evora Sales Consulting Manager


Agenda
When in Doubt, Encrypt

Encryption Recognized as Defensible Safeguard
- Security Breach Notification Law recognized encryption as a safeguard against data breaches
- Encryption is now a de-facto solution for regulatory compliance with all data privacy and breach notification laws
Encryption holds up in courts and audits
- Based on well-known, mathematically proven algorithms
- Used by governments world wide to protect top secret data
Customers expect it
- ValueClick paid $2.9M to settle FTC claims alleging they published online privacy policies claiming they encrypted customer information when they didn't

Database Security Defense in Depth

Prevent Database Bypass
- Prevent access to data at OS, storage, network, media layers
- Transparent data encryption for data at rest, in transit, on media
- Separation of duties for key management

Mitigate Application Bypass
- Privileged user access control to limit access to application data
- Multi-factor authorization for enforcing enterprise security policies
- Secure application consolidation

Consolidate Auditing and Compliance Reporting
- Native Oracle and non-Oracle database auditing, centralized audit policies
- Consolidate, secure, analyze audit trail, alert on suspicious activities
- Report for compliance & security, automate database audit workflow

Monitor Database Traffic and Block Threats
- Monitor Oracle & non-Oracle database traffic over the network
- Block threats like SQL injection attacks before reaching databases
- Enforce normal database activity, lightweight monitoring

Protect All Database Environments
- Sensitive data discovery for production
- Secure database lifecycle management, configuration scanning, patch automation
- Mask data for nonproduction development & test

Database Security Defense in Depth (continued)

Pillars: Prevent Database Bypass | Mitigate Application Bypass | Consolidate Auditing and Compliance Reporting | Monitor Database Traffic and Block Threats | Protect All Database Environments

Highlighted pillar, Prevent Database Bypass:
- Prevent access to data at OS, storage, network, media layers
- Transparent data encryption for data at rest, in transit, on media
- Separation of duties for key management

Oracle Advanced Security
Protect Data from Unauthorized Database Users

[Figure: encrypted data flowing from the database to Disk, Backups, Application, Exports, and Off-Site Facilities]

- Prevents database bypass with complete end-to-end data encryption
- Efficient application data encryption without application changes
- Built-in key management with separation of duties
- High performance and easy to deploy

Oracle Advanced Security
Database Traffic Network Encryption

- Network traffic entirely encrypted to prevent man-in-the-middle attacks
  AES, RSA RC4, and DES/3DES
- Data integrity checksums prevent modification, replay, missing packets, etc.
  MD5 and SHA-1
- No infrastructure changes required, point-and-click implementation
Oracle Advanced Security
Transparent Data Encryption for Columns

- Support for all column types, including Oracle Database 11g SecureFiles
- Data is cached encrypted in the SGA
- Decrypted only when you dereference it, encrypted every time you modify it
- Indexing supported, but the index is built over the encrypted values, so it is not sorted by clear-text value (no range scans on the encrypted column)
- Encryption keys are table specific, which means foreign key constraints cannot be enforced on encrypted columns
- Undo and redo generated are encrypted

Oracle Advanced Security
Transparent Data Encryption for Tablespaces

- All tables in the tablespace are encrypted; no need to identify specific columns
- Data is encrypted at the block level as it is written out to disk, decrypted when read in
- Data is cached in the SGA unencrypted
- Index contains clear text (the blocks themselves are encrypted on disk), so no limitations on index use
- Encryption keys are tablespace specific; foreign key constraints can be enforced
- Undo and redo generated are encrypted

Oracle Advanced Security
Transparent Data Encryption Built-In Key Management

[Figure: Master Key held in the Oracle Wallet or, via the PKCS #11 API, in an HSM; Table and Tablespace Keys held inside the database]

Create a wallet and generate the master key:
  alter system set encryption key identified by "e3car61";
Open the wallet:
  alter system set encryption wallet open identified by "e3car61";
Rotate the master key (table/tablespace keys are re-encrypted):
  alter system set encryption key identified by "2naf1sh";
Rotate table/tablespace keys (data is re-encrypted):
  alter table employee REKEY;

Generate, store, and rotate encryption keys
- Two-tier key management architecture
  - Table and tablespace keys are used to encrypt data (stored in the database for performance)
  - Master key is used to encrypt the table and tablespace keys
- Master key is stored in an External Security Module (outside the database)
  - Oracle Wallet (PKCS #12 file)
  - Hardware Security Module (HSM) meets FIPS & Common Criteria requirements using the PKCS #11 API
- Separation of duties: the wallet password is separate from the SYSTEM or DBA password

Oracle Advanced Security
Transparent Data Encryption for Media

[Figure: encrypted data flowing to Disk, Backups, Exports, and Off-Site Facilities]

- TDE integrated with Oracle Data Pump for bulk export/import to OS flat files
- TDE integrated with Oracle RMAN for database backup and recovery
- RMAN and Data Pump compress and encrypt data
- Master key, passphrase, or both can be used to encrypt export and backup files
- No need to distribute the production master key with exports or backups
- Master key is not automatically backed up with the database
Oracle Advanced Security
Strong Authentication

[Figure: Application authenticating to the database with X.509 v3 certificates or Kerberos]

- TDE returns clear-text data to authenticated, authorized database users
- Critical to protect against stolen credentials & increase assurance of database user identities, especially privileged application users and DBAs
- Strong authentication schemes supported: Kerberos, PKI & RADIUS (for one-time password tokens, risk-based authentication, etc.)

Oracle Advanced Security
Transparent Data Encryption Performance

[Chart: Oracle Database Enterprise Edition 11.2.0.2 AES-256 processing rate, MB per CPU second]
  Encryption: Intel Xeon Processor X5570 w/o Intel IPP 57; Intel Xeon processor X5680 w/ Intel IPP 559 (10x speedup)
  Decryption: Intel Xeon Processor X5570 w/o Intel IPP 58; Intel Xeon processor X5680 w/ Intel IPP 468 (8x speedup)

- "Encrypting data is expensive" is a myth (started with bad third-party solutions!)
- Incremental CPU ~5%, with 10x speed-up if cryptographic hardware is available
- Incremental CPU reduced even more if using Oracle Advanced Compression or Exadata Hybrid Columnar Compression (EHCC)
  If the compression ratio is 75%, we have to encrypt 75% less data!

Oracle Advanced Security
Key Features By Oracle Database Release

Releases covered: Oracle Database 9i Release 2, Oracle Database 10g Release 2, Oracle Database 11g Release 1, Oracle Database 11g Release 2.

Features, cumulative from the earliest to the latest release:
- Strong authentication
- Network encryption & integrity
- TDE column encryption
- HSM support for TDE column encryption
- TDE column encryption for SecureFiles
- TDE tablespace encryption
- HSM support for TDE tablespace encryption
- TDE with Exadata
- TDE tablespace encryption & Advanced Compression / HCC
- Crypto acceleration with Intel Xeon 56xx w/ AES-NI

Oracle Database Security Platform

Maximum Security for Oracle Databases (Transparent Data Encryption, Privileged User Controls, Multi-Factor Authorization, Data Classification, and Change Tracking):
- Oracle Advanced Security
- Oracle Database Vault
- Oracle Label Security
- Oracle Total Recall

Security for Oracle and non-Oracle Databases Outside the Database (Database Activity Auditing and Reporting, SQL Traffic Monitoring and Blocking, Real-Time Alerting, Workflow Automation):
- Oracle Audit Vault
- Oracle Database Firewall

Security for Production and non-Production Database Environments (Secure Configuration Scanning, Automated Patching, Configuration Change Control, Sensitive Data Discovery, Data Masking):
- Oracle Database Lifecycle
- Oracle Enterprise Manager
- Oracle Data Masking

Agenda
What We Heard From Our Customers

- "Our PCI auditors say we have to encrypt credit card data whether it is in motion, at rest, or in storage."
- "We need to encrypt personal identity information to comply with EU Data Privacy but cannot change our applications."
- "We want to store medical records in our database but we need to encrypt to comply with CA AB 1298."
- "We send back-ups off-site and need to make sure they are secure even if the off-site facility is compromised."
Database Security Workshop
ASO Lab Exercises

LAB CONFIGURATION ADVANCED SECURITY OPTION
LAB EXERCISE 00 DATABASE - ADVANCED SECURITY OPTION OVERVIEW
LAB EXERCISE 01 CONFIGURING AND DEMONSTRATING NETWORK ENCRYPTION
LAB EXERCISE 02 PROTECTING SENSITIVE DATA COLUMN LEVEL ENCRYPTION
LAB EXERCISE 03 PROTECTING SENSITIVE DATA TABLESPACE LEVEL ENCRYPTION
LAB EXERCISE 04 REVIEW OF ENCRYPTION WALLET (Optional)
LAB EXERCISE 05 PROTECTING SENSITIVE DATA AND OPTIMIZING STORAGE WITH ADVANCED COMPRESSION ON DISK & BACKUPS

For these lab exercises, the following infrastructure components are running and available:
- Database Security Foundation - Oracle DB 11.2.0.2 (DB06)
- Audit Vault Server 12.1
- Database Firewall Server 12.1
Advanced Security Day 1

0. ADVANCED SECURITY OVERVIEW
1. CONFIGURING AND DEMONSTRATING NETWORK ENCRYPTION
2. CREATION OF THE ENCRYPTION WALLET
3. PROTECTING SENSITIVE DATA TABLESPACE LEVEL ENCRYPTION
4. WALLET MANAGEMENT OPERATIONS
5. PROTECTING SENSITIVE DATA AND OPTIMIZING STORAGE WITH ADVANCED COMPRESSION ON DISK & BACKUPS


ASO : Overview

All scripts used in this lab exercise can be found in the directory /home/oracle/aso_scripts
Oracle Advanced Security
Advanced Protection for the Oracle Database

Transparent Data Encryption (TDE)
- Transparently encrypts data-at-rest in Oracle databases and securely manages the encryption keys
- Protects against theft or loss of disks and backup media
- Stops OS users from inspecting the tablespace files

Network Encryption
- Locks down the database network connections
- Prevents network sniffing and replay attacks

Strong Authentication
- Signs in database users via Kerberos, PKI, or RADIUS
- Avoids weak passwords that can be stolen or cracked

LAB EXERCISE 01 CONFIGURING AND DEMONSTRATING NETWORK ENCRYPTION

In this lab exercise, you will accomplish the following:

1. Configure sqlnet.ora for supporting network encryption
2. Use tcpdump to demonstrate the before and after effect when the Advanced Networking Option (network encryption) is being used.

Test cmd : sqlplus APPS_DBA_HARVEY/Manager_1@db06


Configuring sqlnet.ora For Network Encryption

NOTE: In a demo environment, such as a single VMware image, the server and client parameters can be placed into the same sqlnet.ora (shown below):
SQLNET.CRYPTO_CHECKSUM_SERVER=REQUIRED
SQLNET.ENCRYPTION_SERVER=REQUIRED
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER=(SHA1,MD5)
SQLNET.ENCRYPTION_TYPES_SERVER=(AES256,AES192,AES128,3DES168)

SQLNET.CRYPTO_CHECKSUM_CLIENT=REQUIRED
SQLNET.ENCRYPTION_CLIENT=REQUIRED
SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT=(SHA1,MD5)
SQLNET.ENCRYPTION_TYPES_CLIENT=(AES256,AES192,AES128,3DES168)

Negotiating Network Encryption: SQLNET.ENCRYPTION_SERVER/CLIENT

REJECTED
  Used if you do not elect to enable encryption, even if required by the other side
  "FUGGETABOUTIT, I won't encrypt, I won't, I won't, I won't!"
ACCEPTED (default)
  Used to enable encryption if required or requested by the other side
  "Like dude, I don't have a preference, but I'll encrypt if you wanna."
REQUESTED
  Used to enable encryption if the other side permits it
  "I really wanna encrypt, but let's go with whatever YOU want!"
REQUIRED
  Used to enable encryption or preclude the connection
  "Encrypt me or I'm not gonna talk to you!"

Behavior Of Setting Parameters SQLNET.ENCRYPTION_SERVER & SQLNET.ENCRYPTION_CLIENT

Rows are the client setting, columns the server setting:

                      Server
Client      Rejected    Accepted    Requested   Required
Rejected    off         off         off         ORA-12660
Accepted    off         off         on          on
Requested   off         on          on          on
Required    ORA-12660   on          on          on

Remember: When ORA-12660 is thrown, the connection is refused.
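To see how the matrix above and the sqlnet.ora parameters from the lab combine, here is an added Python example (not part of the workshop material or of Oracle's tooling): it parses a sqlnet.ora fragment constructed to mirror the lab's, applies the client/server matrix for both SQLNET.ENCRYPTION_* and SQLNET.CRYPTO_CHECKSUM_*, intersects the TYPES lists, and reports what a reviewer would flag. The matrix values and the ORA-12660 outcome are taken from the slide; the parse_sqlnet_ora, negotiate and review functions, the LEGACY policy list and the ANY_INSTALLED marker are this example's own assumptions.

```python
# Constructed sample: the server and client parameters from the lab's sqlnet.ora,
# placed in one file as the lab does for a single-VM demo.
SAMPLE_SQLNET_ORA = """
SQLNET.CRYPTO_CHECKSUM_SERVER=REQUIRED
SQLNET.ENCRYPTION_SERVER=REQUIRED
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER=(SHA1,MD5)
SQLNET.ENCRYPTION_TYPES_SERVER=(AES256,AES192,AES128,3DES168)

SQLNET.CRYPTO_CHECKSUM_CLIENT=REQUIRED
SQLNET.ENCRYPTION_CLIENT=REQUIRED
SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT=(SHA1,MD5)
SQLNET.ENCRYPTION_TYPES_CLIENT=(AES256,AES192,AES128,3DES168)
"""

REFUSED = "ORA-12660"  # one side demands what the other rejects: connection refused

# The negotiation matrix from the slide: MATRIX[client_setting][server_setting].
MATRIX = {
    "REJECTED":  {"REJECTED": "off", "ACCEPTED": "off", "REQUESTED": "off", "REQUIRED": REFUSED},
    "ACCEPTED":  {"REJECTED": "off", "ACCEPTED": "off", "REQUESTED": "on",  "REQUIRED": "on"},
    "REQUESTED": {"REJECTED": "off", "ACCEPTED": "on",  "REQUESTED": "on",  "REQUIRED": "on"},
    "REQUIRED":  {"REJECTED": REFUSED, "ACCEPTED": "on", "REQUESTED": "on", "REQUIRED": "on"},
}

# Legacy algorithms a reviewer would flag if they survive negotiation. This policy
# list is the example's own assumption, not an Oracle default.
LEGACY = {"MD5": "checksum", "DES": "encryption", "DES40": "encryption",
          "RC4_40": "encryption", "RC4_56": "encryption"}


def parse_sqlnet_ora(text):
    """Parse KEY=VALUE lines of a sqlnet.ora; a (A,B,C) value becomes a list."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().upper(), value.strip()
        if value.startswith("(") and value.endswith(")"):
            params[key] = [v.strip().upper() for v in value[1:-1].split(",") if v.strip()]
        else:
            params[key] = value.upper()
    return params


def negotiate(client, server, feature="ENCRYPTION"):
    """Apply the matrix for ENCRYPTION or CRYPTO_CHECKSUM; return (state, algorithms).
    ACCEPTED is the default when a side says nothing, and a side with no TYPES
    list takes whatever the other side offers (ANY_INSTALLED if both are silent)."""
    state = MATRIX[client.get(f"SQLNET.{feature}_CLIENT", "ACCEPTED")][
        server.get(f"SQLNET.{feature}_SERVER", "ACCEPTED")]
    if state != "on":
        return state, []
    c_types = client.get(f"SQLNET.{feature}_TYPES_CLIENT", [])
    s_types = server.get(f"SQLNET.{feature}_TYPES_SERVER", [])
    if c_types and s_types:
        common = [a for a in c_types if a in s_types]
    else:
        common = c_types or s_types or ["ANY_INSTALLED"]
    return state, common


def review(client, server):
    """Defender's check: what the session will actually get, plus findings."""
    result, findings = {}, []
    for feature in ("ENCRYPTION", "CRYPTO_CHECKSUM"):
        state, algs = negotiate(client, server, feature)
        result[feature] = (state, algs)
        if state == REFUSED:
            findings.append(f"{feature}: settings conflict, connection refused ({REFUSED})")
        elif state == "off":
            findings.append(f"{feature}: stays off; traffic would be readable on the wire")
        elif not algs:
            # Oracle reports this case as ORA-12650 (no common algorithm).
            findings.append(f"{feature}: no algorithm in common; session cannot be built")
        for alg in algs:
            if alg in LEGACY:
                findings.append(f"{feature}: legacy {LEGACY[alg]} algorithm {alg} still negotiable")
    return result, findings


if __name__ == "__main__":
    cfg = parse_sqlnet_ora(SAMPLE_SQLNET_ORA)
    outcome, notes = review(cfg, cfg)
    print(outcome)
    for note in notes:
        print(" -", note)
```

Run against the lab file it reports encryption and checksums "on" with the AES list and SHA1/MD5, and one finding: MD5 is still negotiable. Feeding it a client with SQLNET.ENCRYPTION_CLIENT=REJECTED against the lab server reproduces the ORA-12660 cell of the matrix; two silent sides land on the ACCEPTED/ACCEPTED cell, which is "off", the case the tcpdump step of the lab is meant to make visible.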

LAB EXERCISE 02 CREATION OF THE ENCRYPTION WALLET

In this lab exercise, you will accomplish the following:

1. Modify the SQLNET.ORA file to specify the wallet location
2. Create the TDE encryption wallet to be used.
The Basics
2-tier key architecture

[Figure: Master Encryption Key held in the Oracle Wallet or a Hardware Security Module; table and tablespace keys inside the database]

TDE tablespace encryption:
- One tablespace key for each encrypted tablespace
- Stored encrypted in the tablespace header

TDE column encryption:
- One table key for all encrypted columns in a table
- Stored encrypted in the data dictionary
The Basics
How to enable TDE

Do not use Oracle Wallet Manager to create the wallet.

Wallet-based TDE:
- Create the wallet directory with proper permissions
- sqlnet.ora:
ENCRYPTION_WALLET_LOCATION =
  (SOURCE = (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /some/directory/$ORACLE_SID)))
- SQL> alter system set encryption key identified by "wallet_password";

HSM-based TDE:
- Install the PKCS#11 library and configuration files from the HSM vendor
- sqlnet.ora:
ENCRYPTION_WALLET_LOCATION =
  (SOURCE = (METHOD = HSM))
- SQL> alter system set encryption key identified by "hsm_auth_string";
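The following is an added Python example, not Oracle's code, that models the two-tier key architecture described on the key-management slide and in "The Basics" above: a Wallet class stands in for the external security module, a Database class holds tablespace keys wrapped by the master key plus data blocks encrypted under those tablespace keys, and the two rotation commands from the slide map to rekey_master and rekey_tablespace. The class and function names, the HMAC-SHA256-based toy cipher (used in place of AES so the script runs with the standard library only), the salt and the sample row are all constructed for this example; ORA-28365 is Oracle's real error for a closed wallet.

```python
import hashlib
import hmac
import secrets

# Toy authenticated cipher: HMAC-SHA256 keystream (counter mode) plus an HMAC tag.
# It stands in for AES so the example needs only the standard library; it is NOT TDE's cipher.
def _xor_stream(key, nonce, data):
    out = bytearray()
    for counter in range((len(data) + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, out))

def seal(key, data):                     # nonce || ciphertext || tag
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(key, nonce, data)
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered data")
    return _xor_stream(key, nonce, ct)

class Wallet:  # external security module (wallet file / HSM): master key never lives in the DB
    def __init__(self):
        self.sealed_master = None        # the wallet file: master key under a password-derived key
        self.master_key = None           # in memory only while the wallet is open

    @staticmethod
    def _kek(password):                  # constructed salt; a real wallet uses PKCS #12
        return hashlib.pbkdf2_hmac("sha256", password.encode(), b"constructed-salt", 100_000)

    def set_key(self, password):         # alter system set encryption key identified by "<pw>"
        self.master_key = secrets.token_bytes(32)
        self.sealed_master = seal(self._kek(password), self.master_key)
        return self.master_key

    def open(self, password):            # alter system set encryption wallet open identified by "<pw>"
        self.master_key = unseal(self._kek(password), self.sealed_master)

    def close(self):
        self.master_key = None

class Database:  # tablespace keys wrapped by the master key; data blocks are ciphertext on disk
    def __init__(self, wallet):
        self.wallet = wallet
        self.ts = {}                     # name -> {"wrapped_key": bytes, "blocks": [bytes]}

    def _master(self):
        if self.wallet.master_key is None:
            raise RuntimeError("ORA-28365: wallet is not open")
        return self.wallet.master_key

    def _ts_key(self, name):
        return unseal(self._master(), self.ts[name]["wrapped_key"])

    def create_encrypted_tablespace(self, name):
        self.ts[name] = {"wrapped_key": seal(self._master(), secrets.token_bytes(32)), "blocks": []}

    def write(self, name, row):
        self.ts[name]["blocks"].append(seal(self._ts_key(name), row))

    def read(self, name, i):
        return unseal(self._ts_key(name), self.ts[name]["blocks"][i])

    def rekey_master(self, password):
        """Master key rotation: only the wrapped tablespace keys are re-encrypted."""
        keys = {n: self._ts_key(n) for n in self.ts}
        master = self.wallet.set_key(password)
        for n, k in keys.items():
            self.ts[n]["wrapped_key"] = seal(master, k)
        return len(keys)

    def rekey_tablespace(self, name):
        """Tablespace key rotation: every data block is decrypted and re-encrypted."""
        rows = [self.read(name, i) for i in range(len(self.ts[name]["blocks"]))]
        new_key = secrets.token_bytes(32)
        self.ts[name]["wrapped_key"] = seal(self._master(), new_key)
        self.ts[name]["blocks"] = [seal(new_key, r) for r in rows]
        return len(rows)

def demo():
    wallet, row = Wallet(), b"4111111111111111,ALICE"   # constructed sample row
    db = Database(wallet)
    disk = lambda: list(db.ts["CARD_TS"]["blocks"])     # what an OS user sees in the datafile
    wallet.set_key("e3car61")                           # create wallet and master key
    db.create_encrypted_tablespace("CARD_TS")
    db.write("CARD_TS", row)
    on_disk = disk()
    rewrapped = db.rekey_master("2naf1sh")              # master rotation
    after_master = disk()
    reencrypted = db.rekey_tablespace("CARD_TS")        # tablespace key rotation
    after_ts = disk()
    wallet.close()
    try:
        db.read("CARD_TS", 0)
        blocked = False
    except RuntimeError:
        blocked = True
    wallet.open("2naf1sh")
    return {"plaintext_on_disk": row in on_disk[0],
            "master_rekey": (rewrapped, on_disk == after_master),
            "tablespace_rekey": (reencrypted, on_disk != after_ts),
            "read_blocked_when_closed": blocked,
            "readable_after_reopen": db.read("CARD_TS", 0) == row}

if __name__ == "__main__":
    print(demo())
```

Running demo() shows what the slide states: master key rotation re-wraps one small key per tablespace and leaves every data block byte-identical, tablespace rekey rewrites every block, and with the wallet closed nothing can be decrypted even though the datafile and the wrapped keys are both readable.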
LAB EXERCISE 03 PROTECTING SENSITIVE DATA TABLESPACE LEVEL ENCRYPTION

In this lab exercise, you will accomplish the following:

1. Create a new encrypted tablespace.
2. Store application data in the encrypted tablespace.
3. Review the on-disk contents of the original tablespace and of the encrypted tablespace.
LAB EXERCISE 04 WALLET MANAGEMENT OPERATIONS

In this lab exercise, you will perform the following:

1. Open the wallet and show the encryption wallet status
2. Perform a rekey of the master key
3. Review the wallet keys
LAB EXERCISE 05 PROTECTING SENSITIVE DATA AND OPTIMIZING STORAGE WITH ADVANCED COMPRESSION ON DISK & BACKUPS

In this lab exercise, you will:

1. Demonstrate the usage and expected characteristics of combining Tablespace Encryption within the Advanced Security Option and Advanced Compression.
2. Encrypt Data Pump archives using encryption from the Advanced Security Option to further protect information in created archives.
3. Encrypt RMAN backups using encryption from the Advanced Security Option to further protect information in created backups.