Oracle Database 11g - Session1 Material

<Insert Picture Here>
Addressing Data Privacy, Regulatory Compliance,

and Insider Threats
Roxana Bradescu
Mike Blackin
Paul Needham
Sr. Director, Database

Security Product Marketing
Director, Database Security

Technology Business Unit
Director, Database Security

Product Management
New Data Security Challenges

Protecting Data Privacy is Harder Than Ever
Data Breaches
Insider Theft
Off-Shoring/Outsourcing
Data Consolidation
Databases Replacing Firewalls As Targets
Enterprise Identity Theft
Exploiting Application Vulnerabilities
2008 Oracle Corporation
New Regulatory Compliance Challenges

Costly and Complex
More global data privacy regulations

90% companies fail compliance
Costly breach disclosure laws

$239/record
Up to $35M/breach
Complex IT requirements
SAS70
SOX
GLBA
EU Directives
HIPAA
J-SOX
PCI
PIPEDA
Separation of duties
Proof of compliance
Constant self assessment
On-the-spot audit reporting
Basel II
K-SOX
Data Privacy and Regulatory Compliance

Database Security Challenges
Protecting Access
to Application Data
Protecting
Data-at-Rest
Database
Monitoring
De-Identifying
Information for
Sharing
Data
Classification
Oracle Database Security

Unrivaled Industry Firsts
Data Masking
Oracle Database 11g
TDE Tablespace Encryption

Oracle Audit Vault
Oracle Database Vault

Transparent Data Encryption (TDE)
Oracle Database 10g
Real-Time Column Masking

Secure Configuration Scanning
Client Identity Propagation

Oracle Database 9i Fine Grained Auditing
Oracle 8i
Oracle Label Security

Proxy Authentication
Enterprise User Security
Virtual Private Database (VPD)
Database Encryption API

Strong Authentication
Native Network Encryption
Oracle 7
Database Auditing
Government Customer

Solutions for Privacy and Compliance
Database Vault
Advanced
Security
47986
Audit
Vault
$5%&*
Secure
Backup
Configuration
Management
Label
Security
Total
Recall
Data
Masking

Protecting Access
to Application Data
Database
Monitoring
De-Identifying
Information for
Sharing
Protecting
Data-at-Rest
Data
Classification
What we heard from our customers

Protecting Access to Application Data
Legal says our DBA should not be able to read
patient database records, but the DBA needs to
access the database to do her job. What do we do?
Our SOX auditors require that we separate account
creation from granting privileges to accounts.
No user should be able to by-pass our application to
access information in the database directly.
How do we keep the Finance department from
running reports during production hours?
New DBAs should not be able to make database
changes without a senior DBA being present.

Database Vault
Advanced
Security
47986
Audit
Vault
$5%&*
Secure
Backup
Configuration
Management
Label
Security
Total
Recall
Data
Masking

Privileged User Controls
Prevent privileged users from
accessing data outside their
authorization
SELECT * FROM HR.EMP
DBA
Eliminate security risks from

database consolidation
Enforce Separation of Duties,
Least Privilege, and other
policies
No changes to existing
applications required
HR Realm
HR
HR App DBA
FIN Realm
FIN
FIN App DBA
10

Ad-Hoc Database Access Controls
Database Vault rules can
consider multiple external
factors
Prevent application bypass and ad-hoc access
Enforce two-admin rules
and other security policies
Out-of-the-box policies for
Oracle applications
CONNECT .
HR
Unexpected IP
address
HR Application
User
CREATE
FIN
Business hours
FIN Application
DBA
11

Separation of Duties
Security Administration
Security administrator manages Database Vault
Database Administration
DBA manages day-to-day database operations
Account Management
Account administrator creates new database accounts
Application-Specific Administration
Application administrator can manage application database
Extensible
Can separate development from test, and many other functions
12

Protecting Access
to Application Data
Database
Monitoring
De-Identifying
Information for
Sharing
Protecting
Data-at-Rest
Data
Classification
13

Protecting Data-at-Rest
Our PCI auditors say we have to encrypt credit card data.
We need to encrypt personal identity information to
comply with EU Data Privacy but cannot change our
applications.
We want to manage medical images in our database but
they have to be encrypted for HIPAA compliance.
We dont want users with operating system file read
access to be able to walk away with our database.
We send back-up tapes off-site and need to make sure
they are secure even if off-site facility is compromised.
14

Database Vault
Advanced
Security
47986
Audit
Vault
$5%&*
Secure
Backup
Configuration
Management
Label
Security
Total
Recall
Data
Masking
15
Oracle Advanced Security

Transparent Data Encryption (TDE)
Protect sensitive application data by
encrypting:
Network
Encryption
Specific columns (credit cards)

Entire application tables
New SecureFile type (images, documents)
Automated built-in key management

Two-tier scheme for separation of duties
Hardware Security Modules (HSM)
integration
75000
No changes to applications required
16
^#^ *
Transparent Data Encryption

Point-And-Click Deployment
17
Oracle Secure Backup

Integrated Encrypted Tape Backup Management
Secure data protection for
entire Oracle environment
Oracle
Databases
Policy-based encryption for

domain, host, backup, or tape
Automated encryption key
management for tape backups
UNIX
Windows
Linux
NAS
Oracle Secure Backup
Transparent recovery
decryption by authorized users
File Systems
18

Protecting Access
to Application Data
Database
Monitoring
De-Identifying
Information for
Sharing
Protecting
Data-at-Rest
Data
Classification
19

Data Classification
We want to restrict access to data in our database on a
need to know basis.
We want to label our customer accounts to assign highvalue accounts to strategic account managers.
We want to consolidate sensitive information in a single
database for better business intelligence but we need to
compartmentalize access.
We need to apply labels to our data to comply with HIPAA.
We want to label our international accounts so we can
assign to local managers and not violate data privacy
regulations.
20

Database Vault
Advanced
Security
47986
Audit
Vault
$5%&*
Secure
Backup
Configuration
Management
Label
Security
Total
Recall
Data
Masking
21
Oracle Label Security

Data Classification
Classify records by assigning
a label
Highly Sensitive
Sensitive
Label transparently stored in a

hidden tamper-resistant column
Use classification label to

enforce security policies
Confidential
User Label Authorizations
Need to Know - assign labels to

application users so can only
access data with same or lower
classification
Labels can be "factors" in Oracle
Database Vault policies
Sensitive
22
Highly Sensitive
Point-And-Click Data Classification

Easy to Deploy Labels
23

Protecting Access
to Application Data
Database
Monitoring
De-Identifying
Information for
Sharing
Protecting
Data-at-Rest
Data
Classification
24

De-Identifying Information for Sharing
Our Shipping Department employees need to get
order information but should not see credit card
numbers.
Weve outsourced Customer Account management
and need to make sure off-shore agents only see tax
IDs for the accounts they manage.
Off-shore development contractors need production
data for testing but we cannot provide them with
employee names or social security numbers.
Our analysts need to build actuarial models based on
real data but HIPAA requires that they cannot see
actual patient names or doctor names.
25

Database Vault
Advanced
Security
47986
Audit
Vault
$5%&*
Secure
Backup
Configuration
Management
Label
Security
Total
Recall
Data
Masking
26
Enterprise Manager Data Masking Pack

Off-Line Data Masking
Turn sensitive information
into non-sensitive
information for sharing
Consistent masking via
extensible format library
Maintains referential
integrity for applications
Automated data masking
for databases enterprisewide
LAST_NAME
CREDIT_CARD
AGUILAR
4408041254369873
80.00
BENSON
4417123456789112
60.00
Production
Database
AMT
Mask
Cloned
Database
LAST_NAME
CREDIT_CARD
AMT
ANSKEKSL
4111111111111111
80.00
BKJHHEIEDK
4408041234567890
60.00
27
Virtual Private Database

Real-Time Data Masking
Policy based real-time masking
Return all records but redact sensitive columns
Optionally unmask select records if user authorized
Select * from
customers;
148
VPD adds where account_mgr_id =
sys_context('APP','CURRENT_MGR');
DP
VP
y
olic
SSN
701-495-2123
25000
121-791-4212
181-095-1232
15000
581-295-7603
12000
APP
10000
431-395-9332
17000
381-395-9223
15000
483-562-0912
461-978-8212
28

Protecting Access
to Application Data
Database
Monitoring
De-Identifying
Information for
Sharing
Protecting
Data-at-Rest
Data
Classification
29

Database Monitoring
To comply with SOX and HIPAA, we need to produce
monthly reports for our auditors to prove that our IT
controls are working. And thats all we do all month.
We need to monitor who did what, when, and how to our
databases. And we need to be alerted if something looks
suspicious.
We want to check for database security vulnerabilities like
open ports, pre-defined account passwords, etc.
We want to self-assess on a continuous basis to ensure
we are in compliance before our auditors show up.
Our database configuration is secure. How do we keep it
from drifting?
30

Database Vault
Advanced
Security
47986
Audit
Vault
$5%&*
Secure
Backup
Configuration
Management
Label
Security
Total
Recall
Data
Masking
31
Auditing in the Oracle Database

Robust, Flexible, and High Fidelity Audit
Industrys most advanced DBMS auditing
Audit all SQL statements

Audit access to specific database objects
Audit statements that use system privileges
Audit activity by specific user or group of users
Audit Login/Logout
Fine grained auditing for conditional auditing

Flexible
Audit table and OS file destinations
Supports XML format
Windows event viewer & SYSLOG
32
Oracle Audit Vault

Monitor Database Activity with a Secure Audit Data Warehouse
Manage Audit Data

Centrally manage all Oracle
database audit settings
Secure consolidation of audit data
from all Oracle databases
Oracle Audit Vault
Detect suspicous activities

Monitor all database users
especially privileged users
Alert on unauthorized activities
Simplify compliance reporting

Built-in compliance reports
Define custom reports
Oracle Database
Audit Data
33
Other Sources
(Future)
Audit Vault Reports

Out-of-the-box Audit Assessments and Reports
Out-of-the-box reports
Privileged user activity
Access to sensitive data
Role grants, DDL activity
User-defined reports
What privileged users did on
the financial database?
What user A did across
multiple databases?
Who accessed sensitive data?
34
Oracle Audit Vault Management

Easy to Use Dashboards and Policy Settings
Audit Dashboard
Enterprise overview
Alerts on audit events
Drill down reports
Audit Policy Management

Collection of audit settings for databases
Provision database audit settings centrally for compliance policies
Compare against existing audit settings on source
Demonstrate compliance with internal mandates
35
Oracle Audit Vault Repository

Scalable, Flexible & Secure Audit Data Warehouse
Performance and Scalability
Built-in partitioning
Enterprise-scale
Flexible Reporting
Open warehouse schema
Oracle Business Intelligence Publisher or Application Express
Custom or 3rd party tools
Secure
Privileged Audit Vault users can't modify audit data
Data encrypted in transit from source to Audit Vault
36
Introducing Oracle Total Recall

Tamper-Resistant Real-Time Database Archiving
Automated table snapshots record changes to data
Complements auditing who v. what
Optimized to minimize performance overhead
Historical data can be retained as long as needed for

regulatory compliance and forensic analysis
Automatically prevents end users from changing historical data
Seamless access to archived historical data

Historical data stored in the database for real-time access
Stored in compressed form to minimize storage requirements
select * from product_information AS OF TIMESTAMP
'02-MAY-05 12.00 AM where product_id = 3060
37
Oracle Configuration Management

Enterprise Monitoring for Security & Compliance
Continuous configuration security vulnerability and
compliance assessment
More than 240 best practices built-in
Compliance dashboard tracks scores for industry
standards (CIS, COBIT)
Configuration comparison against golden standards
and history tracking
Automated corrective actions and problem ticket
creation for fast remediation
38
Tracking Compliance Over Time

Compliance Trend Across IT infrastructure
39
Example of Security Policies

Over 240 Built-in Best Practices
Database Services
Host
Application Server
Enable listener logging

Password-protect listeners
Disallow default listener name
Ensure listener log file is valid with correct
ownership
Ensure listener host name is specified with IP
Database File Permissions
Init.ora should have restricted file permission

Files in $OH/bin should be owned by Oracle
Data files should be owned by Oracle
Database Profile/Configuration
Default Passwords
Disallow access to objects by a fixed user link
Disallow default tablespace set to SYSTEM
Set password_grace_time
Limit or deny access to DBMS_LOB
Set password_reuse_max
Avoid using utl_file_dir parameter
Detect open ports

Detect insecure services
Ensure NTFS file system type (Windows)
HTTPD has minimal privileges

Use HTTP/S
Apache logging should be on
Demo applications disabled
Disable default banner page
Disable access to unused directories
Disable directory indexing
Forbid access to certain packages
Disable packages not used by DAD owner
Remove unused DAD configurations
Password complexity enabled
40
Peter Bass
Sr. Database Administrator
Transcontinental
Implementation of Enterprise Manager
Security policies with round the clock
monitoring and reporting helped demonstrate
to our SOX auditors that Transcontinental was
in control of their IT environment.
41

Protecting Access
to Application Data
Database
Monitoring
De-Identifying
Information for
Sharing
Protecting
Data-at-Rest
Data
Classification
42
For More Information
http://search.oracle.com
database security
or
oracle.com/database/security
43
Q&
A
44
45
Release Wide Map of Security Products

Solution
Oracle
8i
Oracle
Oracle
Oracle
Oracle
Oracle
Database
Database
Database
Database
Database
9iR1
9iR2
10g R1
10g R2
11gR1
DatabaseAuditing
NetworkEncryption
VirtualPrivateDatabase
LabelSecurity
DatabaseVault
AuditVault
FineGrainedAuditing
TotalRecall
EMConfigurationScanning
TDEColumnEncryption
TDETablespaceEncryption
EMDataMasking
46

Oracle Database 11g - Session1 Material

Hochgeladen von

Dokumentinformationen

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

Oracle Database 11g - Session1 Material

Hochgeladen von

Copyright:

Verfügbare Formate

<Insert Picture Here>

Addressing Data Privacy, Regulatory Compliance,

Sr. Director, Database

Director, Database Security

Director, Database Security

New Data Security Challenges

2008 Oracle Corporation

New Regulatory Compliance Challenges

More global data privacy regulations

Costly breach disclosure laws

2008 Oracle Corporation

Data Privacy and Regulatory Compliance

2008 Oracle Corporation

Oracle Database Security

TDE Tablespace Encryption

Oracle Database Vault

Real-Time Column Masking

Client Identity Propagation

Oracle Label Security

Database Encryption API

2008 Oracle Corporation

Oracle Database Security

2008 Oracle Corporation

Data Privacy and Regulatory Compliance

2008 Oracle Corporation

What we heard from our customers

Oracle Database Security

2008 Oracle Corporation

Oracle Database Vault

SELECT * FROM HR.EMP

Eliminate security risks from

2008 Oracle Corporation

Oracle Database Vault

2008 Oracle Corporation

Oracle Database Vault

2008 Oracle Corporation

Data Privacy and Regulatory Compliance

2008 Oracle Corporation

What we heard from our customers

Oracle Database Security

2008 Oracle Corporation

Oracle Advanced Security

Specific columns (credit cards)

Automated built-in key management

No changes to applications required

2008 Oracle Corporation

Transparent Data Encryption

2008 Oracle Corporation

Oracle Secure Backup

Policy-based encryption for

Oracle Secure Backup

2008 Oracle Corporation

Data Privacy and Regulatory Compliance

2008 Oracle Corporation

What we heard from our customers

Oracle Database Security

2008 Oracle Corporation

Oracle Label Security

Label transparently stored in a

Use classification label to

User Label Authorizations

Need to Know - assign labels to

Point-And-Click Data Classification

2008 Oracle Corporation