Oracle Database 11g Release 2 Security Update and Plans


Defense-in-Depth
Vipin Samar
Vice President, Oracle Database Security
Program Agenda

Today's Threat Landscape
Defense-in-Depth Approach
Oracle Database Security Solutions
Oracle Database Firewall (New!)
Summary
Q&A

Why Secure the Database?

What's new now?
  Exploding Data
  Highly available Data
  Sophisticated hackers
  Opportunistic insiders

Lot at stake:
  Customer, Employee, Citizen, Corporate data
  Reputation
  Fines & Penalties

Deployment triggers:
  Audit findings
  Outsourcing/offshoring
  Data consolidation
  Data breaches in sector

Security Technologies Deployed

[Diagram: Employee, Customer and Citizen data surrounded by deployed security technologies: End Point Security, email Security, Vulnerability Mgmt, Network Security, Authentication, Identity Management, Other Security, and "DB Security?"]

How Data Gets Compromised?
Source: Verizon 2010 Data Breach Investigations Report

Where Losses Come From?

92% of Records from Compromised Databases

2010 Data Breach Investigations Report

Top Attack Techniques
% Breaches and % Records

2010 Data Breach Investigations Report

Most records lost through Stolen Credentials & SQL Injection

Existing Security Solutions Not Enough

[Diagram: threats (Key Loggers, Malware, SQL Injection, Espionage, Phishing, Botware, Social Engineering) shown against Web Users, Application Users, Application, Database and Administrators.]

Data Must Be Protected in depth

Database Security
Defense-In-Depth Approach

Monitor and block threats before they reach databases
Control access to data within the databases
Track changes and audit database activity
Encrypt data to prevent direct access
Implement with:
  Transparency: no changes to existing applications
  High Performance: no measurable impact on applications
  Accuracy: minimal false positives and negatives

Oracle Database Security
Defense-in-Depth
Encryption and Masking
Oracle Advanced Security
Oracle Secure Backup
Oracle Data Masking
Access Control
Oracle Database Vault
Oracle Label Security
Auditing and Tracking
Oracle Audit Vault
Oracle Configuration Management
Oracle Total Recall

Monitoring and Blocking
Oracle Database Firewall

Oracle Advanced Security
End-to-End Encryption

[Diagram: Application data encrypted on Disk, in Backups, in Exports and at Off-Site Facilities.]

Efficient encryption of all application data
Built-in key lifecycle management
No application changes required
Works with Exadata and Oracle Advanced Compression

Oracle Advanced Security
Integrated with Oracle Enterprise Manager

TDE Column Encryption
Integrated with Oracle Enterprise Manager

Oracle Advanced Security
What's New and Coming?

Hardware Acceleration Support
  Performance overhead already < 10% for most applications
  7-10x performance gain with Intel Advanced Encryption Standard New Instructions (AES-NI) and Oracle SPARC T-3
Key Management and HSM Support
  Certified with SafeNet, Thales, Utimaco using PKCS #11
  Planned support for Oracle's Key Management System

Oracle Data Masking
Irreversible De-Identification

Production:
LAST_NAME    SSN           SALARY
AGUILAR      203-33-3234   40,000
BENSON       323-22-2943   60,000

Non-Production:
LAST_NAME    SSN           SALARY
ANSKEKSL     111-23-1111   40,000
BKJHHEIEDK   222-34-1345   60,000

Mask sensitive data for test and partner systems
Sophisticated masking: condition-based, compound, deterministic
Extensible template library and policies for automation
Leverage masking templates for common data types
Integrated masking and cloning
Masking of heterogeneous databases via database gateways (New)
Command line support for data masking tasks (New)

Oracle Data Masking
What's Coming?

Sensitive data identification based on privacy attributes
Application Masking templates for:
  E-Business Suite
  Fusion Applications

Oracle Database Vault
Separation of Duties & Privileged User Controls

[Diagram: Application and DBA access to Procurement, HR and Finance data; the query shown is "select * from finance.customers".]

Restricts privileged users' access to application data
DBA separation of duties
Securely consolidate application data
No application changes required
Works with Oracle Exadata

Oracle Database Vault
Multi-Factor Access Control Policy Enforcement

[Diagram: Application access to Procurement, HR and Rebates data.]

Protect application data and prevent application bypass
Enforce who, where, when, and how using rules and factors
  User Factors: Name, Authentication type, Proxy Enterprise Identity
  Network Factors: Machine name, IP, Network Protocols
  Database Factors: IP, Instance, Hostname, SID
  Runtime Factors: Date, Time

Oracle Database Vault
Out-of-the-Box Protections For Applications

Pre-built policies with further possible customization
Complements application security
Transparent to existing applications
Minimal performance overhead

Oracle E-Business Suite 11i / R12
PeopleSoft Applications
Siebel, i-Flex, Retek
Certifications Underway:
JD Edwards EnterpriseOne
Oracle Hyperion
Oracle Tax and Utilities
SAP
Infosys Finacle

Oracle Label Security
Data Classification for Access Control

[Diagram: classification labels. Sensitive: Transactions; Confidential: Report Data; Public: Reports; further labels shown: Confidential, Sensitive.]

Classify users and data based on business drivers
Database-enforced row-level access control
User classification through Oracle Identity Management Suite
Classification labels can be factors in Database Vault

Oracle Audit Vault
Automated Audit Collection and Reporting

[Diagram: audit data from HR, CRM and ERP databases collected as Audit Data; outputs shown are Policies, Alerts, Built-in Reports and Custom Reports for the Auditor.]

Consolidate audit data into a secure warehouse
Create/customize compliance and entitlement reports
Detect and raise alerts on suspicious activities
Centralized audit policy management
Integrated audit trail cleanup

Oracle Audit Vault
Consolidated Reports Span Enterprise Databases

Oracle Audit Vault 10.2.3.2
Default Reports

Oracle Configuration Management
Secure Configuration & Change Tracking
Out-of-box Policies | User-defined Policies & Groups | Real-Time Change Detection | Industry & Regulatory Frameworks | Compliance Dashboard

Optimized for Oracle with Industry Specific Compliance Dashboards

Continuous scanning against best practices and gold baselines
200+ out-of-the-box policies spanning host, database, and middleware
Real-time detection of changes to processes, files, etc.
Violations can trigger emails and create tickets
Compliance reports mapped to compliance frameworks

Oracle Database Firewall
First Line of Defense

[Diagram: SQL from Applications is handled with Allow, Log, Alert, Substitute or Block; also shown are Alerts, Built-in Reports, Custom Reports and Policies.]

Prevent unauthorized activity, application bypass and SQL injections
Highly accurate SQL grammar-based analysis
Flexible enforcement options
Built-in and custom compliance reports

Oracle Database Firewall
Security Model

[Diagram: SQL from Applications checked against a White List, then Allow or Block.]

White-list based policies enforce normal or expected behavior
Evaluate factors such as time, day, network, app, etc.
Easily generate white-lists for any application
Log, alert, block or substitute out-of-policy SQL statements
Black lists to stop unwanted SQL commands, user, or schema access
Superior performance and policy scalability based upon clustering
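
The white-list model on this slide, as an added Python example that is not Oracle's code or the product's policy engine: it learns statement shapes from constructed sample traffic, then allows, alerts on or blocks new statements using network and time factors. Stripping literals with regular expressions stands in for the grammar-based analysis the slide names; the table names, IP address, business-hours window and function names are assumptions.

```python
import re

# Constructed sample traffic standing in for a training period (assumption).
TRAINING = [
    "SELECT name, salary FROM hr.emp WHERE id = 42",
    "SELECT name, salary FROM hr.emp WHERE id = 7",
    "UPDATE hr.emp SET salary = 50000 WHERE id = 42",
]
# Black list: commands refused regardless of the white list (illustrative).
BLACKLIST = re.compile(r"^\s*(drop|truncate|grant)\b", re.IGNORECASE)

def cluster_key(sql):
    """Reduce a statement to its shape: literals become '?', case and spacing are folded."""
    s = re.sub(r"'(?:[^']|'')*'", "?", sql)    # quoted string literals
    s = re.sub(r"\b\d+(?:\.\d+)?\b", "?", s)   # numeric literals
    return re.sub(r"\s+", " ", s).strip().lower()

def build_whitelist(statements):
    """One entry per statement shape, however many literal values were seen."""
    return {cluster_key(s) for s in statements}

def decide(sql, whitelist, client_ip, hour, allowed_ips, hours=(8, 18)):
    """Return 'allow', 'alert' or 'block' for one statement and its context factors."""
    if BLACKLIST.search(sql):
        return "block"                  # black-listed command
    if cluster_key(sql) not in whitelist:
        return "block"                  # shape never seen from the application
    if client_ip not in allowed_ips:
        return "block"                  # network factor: not the app server
    if not hours[0] <= hour < hours[1]:
        return "alert"                  # time factor: known SQL, unusual hour
    return "allow"

if __name__ == "__main__":
    wl = build_whitelist(TRAINING)
    app = {"10.0.0.5"}                  # constructed application-server address
    for sql, ip, hour in [
        ("SELECT name, salary FROM hr.emp WHERE id = 99", "10.0.0.5", 10),
        ("SELECT name, salary FROM hr.emp WHERE id = 99 OR 1 = 1", "10.0.0.5", 10),
        ("SELECT name, salary FROM hr.emp WHERE id = 99", "10.0.0.5", 23),
        ("DROP TABLE hr.emp", "10.0.0.5", 10),
    ]:
        print(decide(sql, wl, ip, hour, app), "<-", sql)
```

The appended `OR 1 = 1` changes the statement's shape, so it falls outside the white list even though every table and column in it is one the application normally uses.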

Oracle Database Firewall
Deployment Architecture
[Diagram: inbound SQL traffic; firewall modes shown are In-Line Blocking and Monitoring, Out-of-Band Monitoring and HA In-Line Mode; Management Servers and Policy Analyzer.]

In-line blocking and monitoring, or out-of-band monitoring modes
Monitoring of remote databases by forwarding network traffic
Centralized policy management and reporting
High availability options for Database firewalls and Management Servers
Support for multiple Oracle/non-Oracle Databases with the same firewall

Oracle Database Security Big Picture

[Diagram: the products combined. Labels shown: Network SQL Monitoring and Blocking (Allow, Log, Alert, Substitute, Block) in front of Applications; Procurement, HR and Rebates data; Sensitive, Confidential and Public labels; Unauthorized Local Activity; DB Consolidation Security; Local DBA; Privilege Mis-Use; Audit consolidation; Encrypted Database; Encrypted Backups; Encrypted Exports; Data Masking.]

Oracle Database Security
Key Differentiators

Transparent
Performant
Certified with Applications
Best-in-Class
Defense-in-Depth

More Oracle Database Security Presentations

Monday:
12:30 pm: Making a Business Case for Information Security MS 300
3:30 pm: Oracle Database 11g Release 2 Security: Defense-in-Depth MS 103
Tuesday:
12:30 pm: Real-World Deployment and Best Practices: Oracle Audit Vault MS 104
2:00 pm: Real-World Deployment and Best Practices: Oracle Advanced Security MS 300
2:00 pm: Best Practices for Ensuring the Highest Enterprise Database Security MS 304
3:30 pm: Database Security Event Management: Oracle Audit Vault and ArcSight MS 300
5:00 pm: Real-World Deployment and Best Practices: Oracle Database Vault MS 303
Wednesday:
10:00 am: Protect Data and Save Money: Aberdeen MS 306
11:30 am: Preventing Database Attacks With Oracle Database Firewall MS 306
4:45 pm: Centralized Key Management and Performance: Oracle Advanced Security MS 306
Thursday:
10:30 am: Deploying Oracle Database 11g Securely on Oracle Solaris MS 104

MS = Moscone South

Oracle Database Security Hands-on-Labs

Monday:
Database Vault 11:00AM | Marriott Marquis, Salon 10 / 11
Database Vault 5:00PM | Marriott Marquis, Salon 10 / 11

Tuesday:
Database Security 11:00AM | Marriott Marquis, Salon 10 / 11

Thursday:
Advanced Security 12:00PM | Marriott Marquis, Salon 10 / 11
Audit Vault 1:30PM | Marriott Marquis, Salon 10 / 11

Oracle Database Security Demo Grounds
Moscone West

Oracle Database Firewall
Oracle Database Vault
Oracle Label Security
Oracle Audit Vault
Oracle Advanced Security
Oracle Database 11g Release 2 Security

Exhibition Hours
Monday, September 20 9:45 a.m. - 5:30 p.m.
Tuesday, September 21 9:45 a.m. - 5:30 p.m.
Wednesday, September 22 9:00 a.m. - 4:00 p.m.

The preceding is intended to outline our general
product direction. It is intended for information
purposes only, and may not be incorporated into any
contract. It is not a commitment to deliver any
material, code, or functionality, and should not be
relied upon in making purchasing decisions.
The development, release, and timing of any
features or functionality described for Oracle's
products remains at the sole discretion of Oracle.

For More Information

search.oracle.com

database security

oracle.com/database/security
