Oracle Database Security


Gabriel Trauvitch
Master Principal Solutions Specialist, Grid Architect
Technology Presales Greece & SEE

More Data Than Ever

Growth Doubles Yearly

1,800 Exabytes
2006 2011

Source: IDC, 2008

Oracle Database Security


Business Drivers

Security Threats: Industrial Espionage, Identity Theft, Insider Threats
Data Consolidation, Globalization, Right Sourcing
Compliance Mandates: SOX, EU Directives, FDA, HIPAA, Basel II, PCI, GLBA, SB1386

More Breaches Than Ever


Data Breach
Once exposed, the data is out there: the bell can't be un-rung

[Chart: Publicly Reported Data Breaches, 2005 to 2008. Total Personally Identifying Information Records Exposed (Millions). 630% Increase]

Average cost of a data breach: $202 per record
Average total cost exceeds $6.6 million per breach
Source: DataLossDB, Ponemon Institute, 2009

More Threats Than Ever

Market Overview: IT Security In 2009

There has been a clear and significant shift from what was the widely recognized state of security just a few years ago. Protecting the organization's information assets is the top issue facing security programs: data security (90%) is most often cited as an important or very important issue for IT security organizations, followed by application security (86%).
Market Overview: IT Security In 2009 - Jonathan Penn, April 22, 2009

Data Security Challenges


What to secure?
Sensitive Data: Confidential, PII, regulatory
Data in packaged and custom applications
Secure Life cycle: creation, transit, storage, backup, test, transfer

Can we secure it now?
Secure using existing systems? Transparent?
Loss, Unauthorized access, Separation of Duty

Will it meet business requirements?
Flexible, Transparent, Compliant?
Secures both custom and packaged applications?

Will it reduce operational cost?
Easy to manage? Performant?

Oracle Database Security


Defense-in-Depth for Security and Compliance

Monitoring: Configuration Management, Audit Vault, Total Recall
Access Control: Database Vault, Label Security
Encryption and Masking: Advanced Security, Secure Backup, Data Masking

Oracle Database Security


Defense-in-Depth for Security and Compliance

Encryption and Masking: Advanced Security, Secure Backup, Data Masking

Oracle Advanced Security


Transparent Data Encryption
Disk

Backups

Exports

Application

Off-Site Facilities

No application changes required
Efficient encryption of all application data
Built-in key lifecycle management
Works with Exadata V2 Smart Scans
Works with Oracle Advanced Compression

Oracle Advanced Security


Network Encryption & Strong Authentication

Standard-based encryption for data in transit
Strong authentication of users and servers
No infrastructure changes required
Easy to implement

Oracle Secure Backup


Integrated Tape or Cloud Backup Management

Secure data archival to tape or cloud
Easy to administer key management
Fastest Oracle Database tape backups
Leverage low-cost cloud storage

Oracle Data Masking


Irreversible De-Identification

Production
LAST_NAME    SSN            SALARY
AGUILAR      203-33-3234    40,000
BENSON       323-22-2943    60,000

Non-Production
LAST_NAME    SSN            SALARY
ANSKEKSL     11123-1111     40,000
BKJHHEIEDK   222-34-1345    60,000

Remove sensitive data from non-production databases
Referential integrity preserved so applications continue to work
Extensible template library and policies for automation

Large Credit Card Services Provider


Cost Effective Encryption of Card Holder Data

Business Challenges
Protect sensitive card holder data
Comply with PCI

Solution
Deployed Oracle Advanced Security TDE Tablespace Encryption

Business Results
Addressed internal and external requirements
Leveraged Oracle Advanced Security integration with Hardware Security Modules for network based management of TDE master encryption key

U.S. Pharmaceutical Tools Manufacturer


Oracle Advanced Security Protects Sensitive Data

Business Challenges
Worried about protection of intellectual property and sensitive employee data

Solution
Oracle Advanced Security TDE column encryption
Easy implementation within hours (Oracle PeopleSoft)
TDE with HSM made corporate-wide standard
Average end-user response time: +2.5 %

Business Results
Cost effective and transparent implementation of data encryption with no application changes
Protection of sensitive data at rest and on backup media

EMEA-based Real Estate Company


Data Masking Pack accelerated availability of production data for testing while improving DBA productivity

Business Challenges
Custom scripts to mask sensitive data were not able to scale to meet growing data volumes
DBA team under increasing pressure to make production data available for application testing within short time frames

Solution
Data Masking Pack delivered an out-of-the-box solution to replace custom database scripts
High performance masking capabilities accelerated masking process from 6 hours using database scripts to 6 minutes using Data Masking Pack

Business Results
60 X performance improvement in masking process resulted in faster turnaround of test system creation
Improved DBA productivity by eliminating the requirement to maintain custom scripts

Oracle Database Security


Defense-in-Depth for Security and Compliance

Access Control: Database Vault, Label Security
Encryption and Masking: Advanced Security, Secure Backup, Data Masking

Oracle Database Vault


Separation of Duties & Privileged User Controls

Procurement HR

DBA

Application
Finance select * from finance.customers

DBA separation of duties
Limit powers of privileged users
Securely consolidate application data
No application changes required
Works with Oracle Exadata V2 Database Machine

Oracle Database Vault


Multi-Factor Access Control Policy Enforcement

Procurement HR

Application

Rebates

Protect application data and prevent application by-pass
Enforce who, where, when, and how using rules and factors
Out-of-the box policies for Oracle applications, customizable

Oracle Label Security


Data Classification for Access Control

Sensitive
Transactions

Confidential
Report Data

Public
Reports

Confidential

Sensitive

Classify users and data based on business drivers
Database enforced row level access control
Users classification through Oracle Identity Management Suite
Classification labels can be factors in other policies

Large US Based Global Bank


Enable Secure Cost Effective Deployments

Business Challenges
Outsource administration of multiple applications (E-Business Suite, PeopleSoft and other in-house and 3rd party applications)
Cross Border security controls to protect country-specific sensitive client data from DBA access in a different country
Deploy a security solution that is certified with applications and with minimal performance overhead

Solution
Deployed Oracle Database Vault on 18+ applications including E-Business Suite, PeopleSoft and other internal and 3rd party applications to prevent privileged user access to application data
Used Database Vault multi-factor authorization to enforce cross-border access control and to prevent Application Bypass
Over 200K users accessing these systems globally

Business Results
Saved over $15M a year by outsourcing/off-shoring backend administration operations
Addressed Cross Border security requirements
Passed external audit and avoided paying fines

Pharmaceutical Services Provider


Protect Sensitive Customer Information and Address Regulations

Business Challenges
Protect and secure the privacy of very sensitive customer medical data and employee data in PeopleSoft
Comply with internal policies and external regulations (HIPAA, SOX, Privacy Laws)
Prevent privileged user access to sensitive data

Solution
Deployed Oracle Database Vault with out-of-the-box PeopleSoft protection policies
Took 14 days to go to production

Business Results
Complied with HIPAA and other privacy regulations
Passed external audit
Saved on consulting costs and deployment time by using the out-of-the-box Database Vault protection policies
Deployed Database Vault with minimal changes to existing internal processes and procedures

Large European Telecom Provider


Enable Organization to Meet Regulations

Business Challenges
Protect the privacy of sensitive client data in their telecom billing system
Meet internal, European Data Security Directive, and country-specific privacy requirements
Prevent tampering or deletion of database objects or database users

Solution
Used Database Vault Realms and Command Rules to prevent DBAs from accessing sensitive data
Used Command Rules to prevent tampering or deletion of database objects or users
Used multi-factor authorization to prevent Application Bypass based on IP address

Business Results
Secure the third party billing system without any application changes
Comply with internal, European, and country-specific privacy laws
Cost effective preventive controls against any tampering or deletion of database objects or users
Maintain good performance without buying additional hardware


Oracle Audit Vault


Automated Activity Monitoring & Audit Reporting
HR Data

Audit Data

Alerts Built-in Reports Custom Reports Policies

CRM Data

ERP Data

Databases

Auditor

Consolidate audit data into secure repository
Detect and alert on suspicious activities
Out-of-the box compliance reporting
Centralized audit policy management

Oracle Total Recall


Secure Change Tracking
select salary from emp AS OF TIMESTAMP TO_TIMESTAMP('02-MAY-09 12.00 AM', 'DD-MON-RR HH.MI AM') where emp.title = 'admin'

Transparently track data changes
Efficient, tamper-resistant storage of archives
Real-time access to historical data
Enables forensics and error correction

Oracle Configuration Management


Vulnerability Assessment & Secure Configuration

Discover Asset Management

Classify Policy Management

Assess

Prioritize

Fix

Monitor Analysis & Analytics

Vulnerability Management

Configuration Management & Audit

Database discovery
Continuous scanning against best practices
Detect and prevent unauthorized configuration changes
Change management compliance reports

European Healthcare Insurance Provider


Simplified Reporting and Stronger Security

Business Challenges
Internal and external database audit requirements across 10 Oracle and SQL Server databases
Took 3 months and 2 part time people to create the audit reports for yearly audit
No monitoring for insider threats

Solution
Oracle Audit Vault consolidated reporting on audit data from Oracle and SQL Server
Oracle Audit Vault consolidation of audit data removed DBA from audit review process

Business Results
Saved 100s of hours in report generation
Worked with auditors to create customized reports from the out-of-the box default reports for personalized content
Estimated return on investment in less than 18 months

Large Financial Services Provider


Stronger Controls

Business Challenges
Audit credit card transactions
20+ production Oracle databases with native auditing already turned on
Need for reports and no resource or budget to create and review them

Solution
Oracle Audit Vault audit data collection and secure centralized storage
Audit Vault proactively monitors privileged user access violations, failed database logins, and generates forensic data

Business Results
Passed internal audits
Automated reporting on credit card transactions
Secure consolidation of audit data
Detected policy violations of database activity
Deployed in production in 3 months

Large European Telco Provider


Address Telco Regulations on Call Records

Business Challenges
Audit credit card transactions
20+ production Oracle databases with native auditing already turned on
Need for reports and no resource or budget to create and review them

Solution
Oracle Audit Vault audit data collection and secure centralized storage
Audit Vault proactively monitors privileged user access violations, failed database logins, and generates forensic data

Business Results
Passed internal audits
Automated reporting on credit card transactions
Secure consolidation of audit data
Detected policy violations of database activity
Deployed in production in 3 months


For More Information


search.oracle.com

database security

oracle.com/database/security
