DB Security_ Final


7/31/2019 DB Security_ Final

Slide 1:

Welcome everyone and thank you for joining this Virtual Class.

I am Achin, working in Oracle Direct as a Sales Consultant, and I will be your presenter for today's session on DB Security. My specialization lies in Database and Database Options, Security and High Availability.

In this presentation we are going to take a look at different database security solutions and their usage in your environment to protect it from inside and outside threats. At the end of the presentation we will have a Q&A session.

Let's move on and check the agenda for today's presentation.

Slide 2:

We'll start off with an introduction to database security, in which we discuss the security evolution in Oracle. That will be followed by the importance of security solutions: what kinds of threats are forcing the implementation of security solutions? After that I will describe the different database security options, their features and key capabilities. Then we will summarize all the security solutions by their benefits.

Slide 3:

Now, most hackers target indiscriminately, getting their hands on whatever they can get from vulnerable targets. On the other hand, APTs are well resourced, very capable, and persistent in going after their target.

(Advanced = multiple attack methods; Persistent = not giving up easily; Threat = after specific crown jewels.)

Any important data, be it political data, infrastructure data, IP, or business data, can be hacked or changed by them. If you remember the attack on RSA, or the Comodo RA compromise, those are some examples.

Some of the techniques they use may not be that advanced, but they can use sophisticated attacks in conjunction with simple, effective attacks to gain access to sensitive systems.

They are after your crown jewels, your king, that is your DATA. If your king is standing alone, forget about APTs; even regular hackers or curious insiders could walk away with it. Is your knight really your knight, or is it someone else acting with the knight's credentials?

With a determined opponent who has access to multiple attack vectors, whether through a knight, rook, or queen, you need more than just a firewall of pawns to protect your king, that is, to protect your data, because at any time they could jump over and checkmate you.

So be ready with foolproof security for your IT environment.

Slide 4:

I like to show this slide to let customers know that Oracle has been working in the security space pretty much since day 1. The very first Oracle customers were in the government space. This close working relationship with customers has enabled Oracle to stay at the forefront of database security technology.

In the past couple of years we've been focusing on delivering Database Vault, Oracle Audit Vault, Transparent Data Encryption, and Data Masking. These have been critical technologies for helping customers meet various security and compliance challenges.

Slide 5:

This slide is based on the 2011 Data Breach Investigations Report. Data breaches continue to be an issue for most organizations.

This year's report covers approximately 760 data breaches, the largest caseload to date, according to the researchers. That is, the number of breaches still continues to go up.


The report also found that outsiders are responsible for 92 percent of breaches, a significant increase from the 2010 findings, although the total number of insider attacks remained relatively constant.

Hacking (50 percent) and malware (49 percent) were the most prominent types of attack, with many of those attacks involving weak or stolen credentials and passwords, the report says.

Small to medium-sized businesses represent prime attack targets for many hackers, who favor highly automated, repeatable attacks against these more vulnerable targets. Companies should be aware of what their employees are using at home, how personal systems are interacting with corporate systems, and what kind of security they have in their IT environment, specifically in their database environment.

One important thing as per this report: "There's a very high correlation between employees who frequently violate security policy and actual breaches and compromises."

Let's move further and understand the bigger picture of database security.

Slide 6:

Most companies have implemented the 3 As at some level, that is: Authentication, Authorization, Auditing.

CLICK

Some still use generic shared accounts, which, while convenient, cannot be used to track the actual user who made a change. Some still grant overly excessive privileges instead of going through the exercise of least privilege. This can be very dangerous, as any SQL injection attack or stolen password can then be disastrous.

In the end you want to audit your privileged users, but unless you monitor the audit logs, auditing may not be of much use.

A small percentage of companies do patching. This means that most others are very vulnerable to attacks. We recommend that, in addition to the 3 As and patching, you seriously consider the following:

CLICK

1. A database firewall to reduce the threats from web users. The firewall can understand the SQL coming over the wire, analyze it, and then determine whether it should be allowed to go to the database. The firewall should also be able to both monitor and block unauthorized traffic, including SQL injection attacks.

CLICK

2. The other threat that you want to handle is the threat from the DBA, or from hackers holding the DBA's password credentials. You want the DBAs to do the job of tuning and managing the system, but you do not want them to view or modify your sensitive data. You also want to ensure that even if someone has the DBA password, they must meet other factors before they are given access to the database.

3. Encrypt the database data to reduce the threats from the OS administrator or any other software running on the database machine. As the data gets backed up, you may want to encrypt the backup to reduce the threats from inadvertent loss or theft of the tapes. You also want to encrypt the traffic to reduce the risk of someone sniffing the wire. Finally, to reduce the threats from your test or dev teams, you want to mask the data before you give it to them.

4. At the end of the day, you have to allow your privileged users to do their jobs. Of course you trust them, but by auditing their activities throughout the enterprise you can implement the trust-but-verify principle. You may want to collect audit data from throughout your enterprise, analyze the data, raise alerts if needed, and then create reports for your auditors.


Slide 7:

Now we're going to talk a little about the Oracle solutions that are available to help customers secure their data and database infrastructure. We could really spend an hour talking about each one of these.

Let me tell you the concept of Defense in Depth:

Defense in Depth is an Information Assurance (IA) strategy where multiple layers of defense are placed throughout an Information Technology (IT) system, addressing personnel, technology and operations for the duration of the system's lifecycle.

The idea behind the Defense in Depth approach is that any attacker should have to break through multiple defensive countermeasures in order to successfully hack into the system. This increases the likelihood of being able to identify and prevent an attack.

Slide 8:

So we are going to start with the Encryption and Masking layer, where we are going to discuss three security options: Advanced Security Option, Secure Backup and Data Masking.

Slide 9:

Let's start with Advanced Security Option.

Slide 10:

This slide demonstrates the evolution of Advanced Security Option in Oracle Database.

With the 9i version, only network encryption and strong authentication mechanisms were there. Strong authentication solutions are good as an alternative to traditional password-based authentication.

In Oracle 10g we introduced column TDE and wallet key management.

And with 11g, tablespace TDE, hardware acceleration and some Exadata optimizations were also introduced.

With hardware acceleration, tablespace encryption provides stored data protection with near-zero performance impact by automatically detecting and utilizing the hardware-based cryptographic acceleration available in the new Intel Xeon 5600 CPUs (AES-NI); with this, encryption and decryption are 8 to 10 times faster.

Related to the Exadata optimizations, TDE leverages the performance and storage optimizations of the Oracle Exadata Database Machine, including the Smart Flash Cache and Hybrid Columnar Compression (EHCC).

Slide 11:

Specifically, in Advanced Security you get three prime security features.

The first one is Transparent Data Encryption. It enables you to encrypt sensitive data, such as credit card numbers or social security numbers, stored in your tables and tablespaces. Encrypted data is transparently decrypted for a database user or application that has access to the data. So, as a security administrator, you can be sure that sensitive data is safe in case the storage media or data file gets stolen. An important benefit is that the key management operations are all automated, so the user or application does not need to manage encryption keys.

Another security feature is network encryption. Network encryption refers to encrypting data as it travels across the network between the client and server. The reason you should encrypt data at the network level, and not just the database level, is


because data can be exposed at the network level even though you have carefully encrypted it in the database.

Let me give you an example: an intruder can use a network packet sniffer to capture information as it travels on the network, and then spool it to a file for malicious use. Encrypting data on the network prevents this sort of activity.

Now, Strong Authentication. Authentication is used to prove the identity of the user. Oracle Advanced Security enables strong authentication with Oracle authentication adapters that support various third-party authentication services, including SSL with digital certificates.

Slide 12:

Let's discuss more about TDE.

Oracle Advanced Security TDE provides encryption both of application tablespaces and of individual application table columns, such as credit card and social security numbers. TDE tablespace encryption eliminates the complexity of identifying and encrypting individual columns and achieves increased efficiency, resulting in higher performance.

Oracle Advanced Security also provides a built-in, two-tier key management architecture, consisting of a master encryption key and one or more data encryption keys. The TDE master encryption key is used to encrypt and protect the data encryption keys. The master encryption key can be configured to reside in the Oracle Wallet or in a hardware security module (HSM) from vendors such as Thales, SafeNet, Bull, and Utimaco.

Slide 13:

Oracle Advanced Security also provides standards-based network encryption for protecting all communication to and from the Oracle Database. Connections can be rejected from clients that have encryption turned off. No changes to existing applications are required, allowing businesses to easily deploy network encryption.

It also provides strong authentication to the database using Kerberos, PKI or RADIUS. Oracle Advanced Security interoperates with Microsoft Kerberos and MIT Kerberos v5. With Oracle Advanced Security, customers can require their users to plug in a Smart Card (CAC, HSPD-12) as part of their SSL-based authentication to the Oracle Database.

So, just to reiterate Oracle Advanced Security: it provides a complete data encryption solution whether the data is at rest in the database, moving on the network between the application servers and the database, or backed up or exported. Data is always returned in the clear to authenticated and authorized database users, so no application changes are required.

Slide 14:

Protect all application data quickly and easily: encrypt the entire tablespace or specific sensitive columns without making any changes to existing applications.

Comprehensive: transparent encryption can be used for Oracle database traffic, disk backups, and exports.

Cost-effective: leverage secure, built-in management and integration with industry-leading Hardware Security Modules (HSM) or other enterprise-wide management solutions.

Highest level of identity assurance: support for PKI, Kerberos, and RADIUS-based strong authentication solutions.

Slide 15:

Let's discuss the features and benefits of Oracle Secure Backup.

Slide 16:


Oracle Secure Backup is centralized tape backup management software protecting the Oracle database and file systems in distributed UNIX, Linux, Windows and Network Attached Storage (NAS) environments. From one central console, you can easily manage the distributed servers and tape devices within the backup domain.

As Oracle is no longer just a database company, Oracle Secure Backup provides tape backup for application files as well as the database. Integrated with Recovery Manager (RMAN), Oracle Secure Backup provides the media management layer for RMAN backups to tape. Providing complete data protection for your entire environment, OSB is an alternative to expensive media management products.

Using OSB, tape backup management is automated through user-defined policies across the life cycle of the backup tape: from first write, to tape duplication (if any), to rotation between multiple locations (vaulting), and finally re-use upon expiration of the tape.

Oracle database backups are the fastest database backups to tape (about 25 to 40% faster) due to optimizations, particularly:

Unused block compression: only used data blocks are backed up (Oracle Database 10g R2)

Backup undo optimization: only "active" undo data is backed up (Oracle Database 11g R1)

Slide 17:

OSB employs a client/server architecture:

One Admin Server per domain houses the OSB catalog.

Client host: any host backed up by OSB.

Media server: any host directly attached to a tape device.

OSB domain: all hosts that are managed by the admin server. The graphic above would represent one OSB domain.

The Oracle database may reside on any host within the OSB domain.

Slide 18: new features

OSB supports NDMP tape copy, which utilizes the hardware for the tape copy, eliminating the need for data to move back through the media server during the tape copy process. The OSB catalog metadata will maintain the same information whether regular or server-less tape duplication is used.

OSB now provides the flexibility to utilize software encryption (OSB client side) or hardware encryption (LTO-4), delivering key management for both.

New support for IPv6: OSB domains can now support both IPv4 and IPv6.

It can filter vaulting moves by tape pool as well as location. Additional reporting, improved leveraging of library automation, in-transit status location and many more.

Slide 19:

Data is the most important business asset. Oracle Secure Backup delivers comprehensive data protection management with enterprise-class features and Oracle database integration in one complete solution.

Comparable products separately license advanced features; OSB does not. Advanced capabilities are included in the Oracle Secure Backup low-cost, per-tape-drive license, simplifying license management without compromising functionality.

Slide 20:

Here comes the Oracle Data Masking Pack.

Slide 21:


Businesses often need to share sensitive data about business operations or customers to allow in-house developers or offshore testers to perform application development and testing. This has the potential to expose the business, its officers, employees and even their customers to risk. Oracle Enterprise Manager Data Masking Pack can help protect businesses with minimal effort. It provides a comprehensive, easy-to-use solution to share production data with internal and external entities while preventing sensitive or confidential parts of the information from being disclosed to unauthorized parties.

Data Masking Pack provides IT organizations the ability to share copies of production data with other internal and external parties by replacing sensitive or confidential information with realistic but scrubbed data.

So with this, your organization achieves data security compliance through privacy and confidentiality policies on shared production data.

It provides a secure, scalable and automated solution to create test environments from production data using bulk masking.

It enables rapid DBA productivity through the use of application masking templates.

Slide 22:

Data Masking Pack comes with a centralized library of out-of-the-box mask formats for common types of sensitive data, such as credit card numbers, phone numbers, and national identifiers (social security number for the US, national insurance number for the UK). By leveraging the Format Library, your organization can apply data privacy rules to sensitive data across enterprise-wide databases from a single source and thus ensure consistent compliance with regulations.

It also provides a view where you can inspect your sample data.

Prior to mask execution, Oracle Data Masking Pack performs several pre-mask validation checks, such as validating that the mask formats match the table data types and checking for space, to ensure that the masking process is error-free.

Compared to traditional masking processes, which are typically slow, Oracle Data Masking Pack uses highly efficient parallelized bulk operations to replace the original sensitive data with masked data. Because the entire data masking process is done in place, enterprises can be assured of a greater sense of security, knowing that the sensitive data never leaves the database during the masking process.

Slide 23:

Using Oracle Data Masking Pack's search capabilities, information security administrators can quickly search the database to identify sensitive data.

In some applications, the same sensitive data is maintained in multiple tables related by referential (primary key-foreign key) relationships, e.g. employee numbers in a Human Resources application. Oracle Data Masking Pack discovers these relationships and masks all related data elements automatically while preserving referential relationships.

Let's talk about some masking techniques:

Slide 24:

Oracle Data Masking Pack provides a variety of sophisticated masking techniques to meet application requirements while ensuring data privacy. For example:

Condition-based masking: this technique makes it possible to apply different mask formats to the same data set depending on the rows that match the conditions. For example, applying different national identifier masks based on country of origin.

Compound masking: this technique ensures that a set of related columns is masked as a group, so that the masked data across the related columns retains the same relationship, e.g. city, state and zip values need to be consistent after masking.


Deterministic masking: this technique ensures repeatable masked values after a mask run. An enterprise may use this technique to ensure that a certain value, e.g. a customer number, gets masked to the same value across all databases.

Slide 25:

With this we have completed the last layer of defense, and now we move to the 3rd layer of defense, in which we are going to talk about the Database Vault and Label Security solutions.

Slide 26:

Let's start with Oracle Database Vault, another security product for protecting applications and sensitive data.

Slide 27:

Oracle Database Vault provides 6 key pieces of security functionality. The concept of a REALM is the most important. You can think of a REALM as a protection boundary or firewall you define inside the database. Realms are easy to define and, once in place, they prevent powerful users such as the DBA from getting at application data.

Multi-Factor Authorization is another extremely important addition provided by Database Vault. Some of you may be familiar with the term multi-factor authentication. Multi-factor authorization is similar in that it enables a series of security checks prior to giving access to a database, application or application table. For example, you can tell Database Vault to check things like IP address and time of day before giving access to the database, application or a specific Realm; it's very flexible.

The security behind Database Vault is managed by a security account and not the Oracle DBA or SYSDBA. This provides separation of duty, meaning the DBA isn't the one who controls the REALMS, FACTORS and so forth.

Command rules are another important addition. They enable rules to be associated with database commands; the rule is evaluated prior to allowing the command to execute, a powerful feature.

Oracle Database Vault also provides auditing, so that you can track when a REALM has blocked someone attempting to access an application. In addition, over 3 dozen security-related reports are provided out-of-the-box.

Slide 28:

Let's first take a look at Database Vault Realms. Here we have a database; let's assume that this is a consolidated database. As you would expect, you have the DBA as well as several applications; here we've included an HR and a Financial application.

One of the problems faced in this type of situation is that the DBA can, if he or she wished to do so, use their powerful privileges to take a look at application data. CLICK

Even the possibility of this happening can be prevented using Database Vault Realms. CLICK

Simply place a Realm around the HR application and the DBA will no longer be able to use his powerful privileges to access the application. CLICK

Another situation. Application owners tend to have very powerful privileges. In a consolidated environment, it's very likely that you'll have more than one application and thus several powerful users in the database above and beyond the DBA. In this example, it's possible for the HR DBA to look at the Financial application data. CLICK Obviously this wouldn't be a good situation, especially if it was during the financial reporting quiet period. Using a Database Vault Realm, CLICK the Financial application can be protected from powerful application owners.

CLICK

Summary: Realms can be easily applied to existing applications, with minimal performance impact.

Slide 29: see the slides carefully and click


In addition to Realms, Database Vault also delivers Command Rules and Multi-Factor Authorization. Command Rules provide the ability to instruct the database to evaluate conditions prior to allowing a database command to execute. Combined with Multi-Factor Authorization, this provides an extremely powerful tool to limit and restrict access to databases and applications.

Let's take another example. Here I'm showing a database with a single application and the DBA. One of the common problems customers have faced from a compliance perspective is unauthorized activity in the database. This may mean that additional database accounts or application tables have been created. This can raise alarms with auditors because it can point toward lax internal controls.

Using a command rule, Database Vault gives the ability to control the conditions under which a command is allowed to execute. For example, a command rule can be associated with the database Alter System command.

CLICK

Perhaps your policy states that all Alter System commands have to be executed from a connection originating from the server hosting the database. The command rule can check the IP address and reject the command.

CLICK

So the rule based on IP address blocks the action. CLICK Perhaps a powerful application DBA creates a new table; command rules combined with multi-factor authorization can block this action.

CLICK

In summary, command rules and multi-factor authorization provide the flexibility to meet operational security requirements.

Slide 30:

Benefits:

Pro-actively safeguard application data stored in the Oracle database: restrict access by unauthorized database users, even privileged users, by using powerful access controls built into the Oracle database.

Address regulatory requirements: implement separation-of-duty and other real-time preventive controls.

Restrict ad-hoc access to application data: prevent application bypass with multi-factor policies that are enforced in the database for high security and performance.

Deploy with confidence: use certified default policies for Oracle E-Business Suite, Oracle PeopleSoft, and Oracle Siebel CRM applications.

Slide 31:

Let's move forward and discuss the features and roles of Label Security.

Slide 32:

Oracle Label Security is the industry's most advanced label-based access control product. Label Security was originally developed for Oracle's government customers to support multi-level security (MLS).

Oracle Label Security provides the ability to transparently mediate access based on data labels and a user label. The data labels and user labels are stored in a secure dictionary inside the Oracle database or centrally within Oracle Identity Management.

This example shows a simple set of labels and two groups of users with user labels ranging from Sensitive to Highly Sensitive.


Today Oracle Label Security is used by customers outside government and defense to address various security requirements related to securing privacy-related information or complying with compliance mandates.

Some of the really nice features of Oracle Label Security are that it provides a flexible, policy-based architecture and a variety of enforcement options, such as controlling select operations only, or select and update operations. It also provides numerous built-in privileges that allow Oracle Label Security to adapt to most customer requirements. There's also a complete API that allows Oracle Label Security to be used in very innovative ways.

Slide 33:

So Oracle Label Security adds extensive protection for sensitive information by enabling row-level access control: it controls access to the contents of a row by comparing that row's label with a user's label and privileges.

Administrators can easily add selective row-restrictive policies to existing databases by means of the user-friendly graphical interface provided by EM Database Control.

A label security administrator defines a set of labels for data and users, along with authorizations for users and program units, which govern access to the specified protected objects.

Slide 34:

User labels can also be used inside Database Vault as Factors; these factors become components for multi-factor authorizations. So, for example, the privilege to execute a certain command (like drop table) is only allowed when the user's clearance dominates a certain minimum (for example, at least Sensitive), and when the database is accessed from a certain network subnet, which indicates that the user is in the office and not some random, insecure Internet cafe.

Likewise, VPD policies can determine whether columns should be hidden or shown based on user clearance labels.

The current working label can be displayed in an informative section of an application web page, for example to avoid trouble tickets when users claim they can't see information they expect to see.
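An added example (my code, not Oracle's) that models the row-level label comparison of slide 33, the VPD-style column hiding just mentioned, and the Database Vault command rules with IP-address, time-of-day and clearance factors from slides 29 and 34. The level names, subnets, rows and rules are constructed; the dominance rule is my simplification of the OLS read check and ignores OLS privileges, and loopback stands in for "a connection originating from the database server".

```python
"""Added example, not Oracle's code: a model of Oracle Label Security row-level
checks (slide 33) combined with Database Vault command rules and factors
(slides 29 and 34). Assumptions (mine): a label is (level, compartments, groups)
as in OLS; the dominance rule below is the usual read rule without OLS privileges;
"originating from the database server" is modelled as the loopback address."""
from dataclasses import dataclass
from datetime import time
import ipaddress

# Constructed label ordering; in OLS the levels are numeric with admin-chosen names.
LEVELS = {"PUBLIC": 0, "SENSITIVE": 100, "HIGHLY_SENSITIVE": 200}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()
    groups: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        """Read-access check: the user's level must be at least the row's level, the user
        must hold every compartment on the row, and must belong to at least one of the
        row's groups (a row with no groups imposes no group requirement)."""
        if LEVELS[self.level] < LEVELS[other.level]:
            return False
        if not other.compartments <= self.compartments:
            return False
        return not other.groups or bool(self.groups & other.groups)


def visible_rows(user_label: Label, rows):
    """Row-level filter: return only the rows whose label the user's label dominates."""
    return [r for r in rows if user_label.dominates(r["label"])]


def visible_columns(user_label: Label, row: dict, column_policy: dict) -> dict:
    """VPD-style column hiding: a column is shown only if the user's label dominates the
    minimum label configured for it (columns without a policy are always shown)."""
    return {k: v for k, v in row.items()
            if k != "label" and (k not in column_policy or user_label.dominates(column_policy[k]))}


@dataclass
class Session:
    user: str
    label: Label        # the user's current working label
    client_ip: str
    now: time


# Factors: each is a predicate over the session; a command rule passes only if all pass.
def from_subnet(cidr: str):
    net = ipaddress.ip_network(cidr)
    return lambda s: ipaddress.ip_address(s.client_ip) in net


def during(start: time, end: time):
    return lambda s: start <= s.now <= end


def clearance_at_least(level: str):
    return lambda s: s.label.dominates(Label(level))


@dataclass
class CommandRule:
    command: str
    factors: list

    def allows(self, session: Session) -> bool:
        return all(factor(session) for factor in self.factors)


# Constructed policy: ALTER SYSTEM only from the database host itself; DROP TABLE only
# with at least SENSITIVE clearance, from the office subnet, during business hours.
RULES = {
    "ALTER SYSTEM": CommandRule("ALTER SYSTEM", [from_subnet("127.0.0.1/32")]),
    "DROP TABLE": CommandRule("DROP TABLE", [
        clearance_at_least("SENSITIVE"),
        from_subnet("10.20.0.0/16"),
        during(time(8, 0), time(18, 0)),
    ]),
}


def command_allowed(command: str, session: Session) -> bool:
    """Evaluate the command rule (if one exists) before the command would execute."""
    rule = RULES.get(command.upper())
    return rule is None or rule.allows(session)


# Constructed HR rows: each row carries its own data label.
ROWS = [
    {"emp": "alice", "salary": 90000, "label": Label("SENSITIVE", frozenset({"HR"}))},
    {"emp": "bob", "salary": 120000,
     "label": Label("HIGHLY_SENSITIVE", frozenset({"HR"}), frozenset({"FIN"}))},
    {"emp": "carol", "salary": 70000, "label": Label("PUBLIC")},
]
COLUMN_POLICY = {"salary": Label("SENSITIVE")}

if __name__ == "__main__":
    analyst = Session("analyst", Label("SENSITIVE", frozenset({"HR"})), "10.20.1.7", time(10, 30))
    for row in visible_rows(analyst.label, ROWS):
        print(visible_columns(analyst.label, row, COLUMN_POLICY))
    print("DROP TABLE allowed for analyst:", command_allowed("drop table", analyst))
```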

Slide 35:

Restricts access to those with appropriate clearance: allows administrators to classify every row in a table, ensuring access to sensitive data is restricted to users with the appropriate clearance level.

Enforces regulatory compliance: provides a policy-based administration model that enables organizations to establish custom data classification schemes for implementing "need-to-know" access for their applications.

Flexible: labels can be used as factors within Oracle Database Vault command rules for multi-factor authorization policies. Oracle Label Security integrates with Oracle Identity Management, enabling centralized management of policy definitions, and is part of Oracle's comprehensive portfolio of database security solutions.

Slide 36:

With this we have covered two layers, Encryption and Masking and Access Control, and now we are entering the 2nd layer of defense. Here we will talk about Oracle Audit Vault and Total Recall.

Slide 37:

Satisfying compliance regulations and mitigating security risks are two of the top security challenges businesses face today. Let's see what Audit Vault provides to meet these challenges.


these challenges by ensuring complete, secure, and easy tracking, retention and management of all your historical data.

Slide 43:

Organizations spend a large amount of time and money making sure that their applications correctly track history such as sales, payments etc., leaving the rest of their data without full contextual history. Total Recall provides change tracking for any of your application data. You just turn it on and the database automatically tracks the before and after values. The change history is maintained in a very efficient, tamper-resistant archive within the database and is easily accessible via SQL.

This capability is critical not just for forensic analysis but also for regulations like SOX that require tracking changes to certain kinds of information.

The Oracle Total Recall option securely tracks and queries historical data for any database table without the cost or performance impact, with the help of Flashback Data Archive.

FDA is a logical container for managing historical information. Because of FDA it is possible to automatically and transparently track all of the changes to any set of tables in Oracle Database 11g, and you can query data in those tables as of any point in time, or over any interval, within the specified retention period with minimal performance impact.

    Slide 44:

    As I said, Oracle Total Recall can transparently track historical changes to all data stored in an Oracle database in a very secure and efficient manner. This is a great complement to auditing. With Total Recall you can take snapshots of all data changes.

    Total Recall has been optimized to minimize the overhead of tracking changes and the amount of storage required to hold the change data in the database itself, in order to allow seamless real-time access to the historical data. The historical data is completely protected from accidental or malicious update by end users. That means that no one, not even administrators, can update historical data directly.

    So you can configure historical data capture in a matter of minutes, and it will provide your customers with a centralized and seamlessly queryable historical data store that makes the most efficient use of all your resources, be it CPU, storage or admin time, and reduces your cost of compliance. You use Flashback Data Archive in the same manner as other Flashback features to view or restore the data as of a time (or time range) in the past.

    One of the main new features in 11g Release 2 enables the schema of a tracked table to evolve, and Total Recall will automatically adjust accordingly.

    There is no limit on how long you can store the historical data, as this data is stored in the database itself. So, if you want to store the history for 7 years or more, go ahead. Total Recall can handle any retention period your business requires. And you can query data as of any point in time in the past by simply using the AS OF SQL clause.
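The procedure described on slides 43 and 44, turning Flashback Data Archive on for a table and then querying its history with the AS OF and VERSIONS clauses, as an added example written for this transcript (it is not code from the presentation or from Oracle's documentation). The archive name hr_fda, the tablespace fda_ts, the table hr.employees and the timestamps are assumptions; the retention period and the schema-evolution step reflect what the slides describe for 11g Release 2.

```sql
-- Added example, not from the presentation. Names (hr_fda, fda_ts,
-- hr.employees) and timestamps are constructed for illustration.

-- 1. Create the archive: the logical container that holds the history rows.
--    Retention is enforced by the database; rows older than the retention
--    period are purged automatically. Creating an archive needs the
--    FLASHBACK ARCHIVE ADMINISTER system privilege.
CREATE FLASHBACK ARCHIVE hr_fda
  TABLESPACE fda_ts
  QUOTA 10G
  RETENTION 7 YEAR;

-- 2. Turn tracking on for one table. From here on the database captures the
--    before-image of every changed row transparently; the application is not
--    modified in any way.
ALTER TABLE hr.employees FLASHBACK ARCHIVE hr_fda;

-- 3. Ordinary DML, exactly as the application would issue it.
UPDATE hr.employees
   SET salary = salary * 1.10
 WHERE employee_id = 100;
COMMIT;

-- 4. Point-in-time query with the AS OF clause: the row as it was before the
--    update above, read from the archive rather than from undo.
SELECT employee_id, salary
  FROM hr.employees
       AS OF TIMESTAMP TO_TIMESTAMP('2011-03-01 09:00:00',
                                    'YYYY-MM-DD HH24:MI:SS')
 WHERE employee_id = 100;

-- 5. Interval query: every version of the row inside the window, with the
--    flashback pseudocolumns that tell you when each version was live and
--    which operation produced it (the forensic view of the change history).
SELECT versions_starttime,
       versions_endtime,
       versions_operation,
       versions_xid,
       salary
  FROM hr.employees
       VERSIONS BETWEEN TIMESTAMP
         TO_TIMESTAMP('2011-03-01 09:00:00', 'YYYY-MM-DD HH24:MI:SS')
         AND SYSTIMESTAMP
 WHERE employee_id = 100
 ORDER BY versions_starttime;

-- 6. 11g Release 2 schema evolution: adding a column to a tracked table is
--    allowed and the archive adjusts without any manual intervention.
ALTER TABLE hr.employees ADD (bonus NUMBER);

-- 7. Tamper resistance. The internal history table (named
--    SYS_FBA_HIST_<object id>; the id is a placeholder here) rejects direct
--    DML, so the statement below fails with ORA-55622 even for a DBA.
-- UPDATE sys_fba_hist_<object_id> SET salary = 0 WHERE employee_id = 100;

-- Disabling tracking is itself a privileged operation that requires
-- FLASHBACK ARCHIVE ADMINISTER, so a table owner cannot quietly switch the
-- history off; the statement is shown commented out for reference.
-- ALTER TABLE hr.employees NO FLASHBACK ARCHIVE;
```

Step 4 is the AS OF clause the slide refers to; step 5 is the interval form that the slide describes as querying "over any interval" within the retention period. When reviewing a suspected unauthorized change, the VERSIONS query is usually the more useful of the two, because versions_xid ties each historical row to the transaction that produced it and can be joined against the audit trail.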

    Slide 45:

    Total Recall in 11g Release 2 has three main areas of enhancement:

    1. More table alterations are allowed than before.

    2. Flashback queries support altered tables in the archive.

    3. Performance has been improved.

    Slide 46:

    So now, the first line of defense: Oracle Database Firewall.


    Slide 47:

    Oracle Database Firewall acts as the first line of defense for databases.

    Slide 48:

    Oracle Database Firewall is an active, real-time database firewall solution that provides white list, black list and exception list policies, intelligent and accurate alerts, and monitoring with very low management and administrative costs.

    Oracle Database Firewall is independent of the database configuration and operation. This independent boundary of protective shielding helps reduce the risk of data loss and helps organizations manage an ever-changing landscape of regulations.

    Unlike traditional SQL firewalls that rely on identifying out-of-policy SQL using strategies such as regular expressions, string matching, and schema comparison, Oracle Database Firewall delivers intelligent database firewall security, enabling policies to be set and adapted quickly and accurately.

    Organizations can choose to deploy Oracle Database Firewall in blocking mode as a database policy enforcement system to protect their database assets, or to just monitor database activity for supplemental auditing and compliance purposes.

    Oracle Database Firewall monitors data access, enforces access policies, highlights anomalies and helps protect against network-based attacks originating from outside or inside the organization. Attacks based on SQL injection can be blocked by comparing SQL against the approved white list of application SQL. Oracle Database Firewall is unique and offers organizations a first line of defense, protecting databases from threats and helping meet regulatory compliance requirements.

    Slide 49:

    Oracle Database Firewall enforces zero-defect database security policies using a white list security model. The white list policy is the set of approved SQL statements that may be sent to the database. Oracle Database Firewall compares SQL traffic with the approved white list and then, based upon the policy, chooses to block, substitute or alert on the SQL statement.

    The Oracle Database Firewall baseline can be configured to block all out-of-policy events. This can be implemented as:

    1. Block the SQL statement.

    2. Modify the request using SQL statement substitution.

    3. Alert on all out-of-policy SQL statements, in addition to or in lieu of blocking.

    Slide 50:

    In addition to the white list (positive security enforcement) model, Oracle Database Firewall also supports a black list model that enables policies to specify blocking of specific SQL statements. As with white list policies, black list policies can be configured to allow specific statements based on factors such as IP address, time of day and program.

    Slide 51:

    The Oracle Database Firewall Management Server centrally manages Oracle Database Firewall policies, consolidates data from the Oracle Database Firewalls, stores database activity data, and provides dozens of out-of-the-box reports.

    The management dashboard of Oracle Database Firewall gives you immense flexibility. First, Policy Management, which delivers simple and easy-to-use policy management tools that build upon the strengths of the SQL grammar-based analysis approach.

    Then Reporting, in which dozens of predefined reports can be used for Sarbanes-Oxley (SOX), Payment Card Industry Data Security Standard (PCI DSS), Health Insurance Portability and Accountability Act (HIPAA) and other privacy and compliance regulations. You can also customize these reports and add new ones.


    Finally, User Role Auditing, which allows customers to audit and approve changes to user roles in the databases on a specified database server.

    Slide 52:

    With that we have covered all the database security solutions that make up the defense-in-depth approach, and now let's summarize them.

    Slide 53:

    All the solutions we discussed today are integrated with your database and are transparent, so no changes are required to your existing applications or infrastructure, making them all very cost effective.

    As I already mentioned, data breach investigations have shown that security controls must be multi-layered to protect against threats that range from account misuse to SQL injection attacks. In addition, the ever-changing regulatory landscape and renewed focus on privacy demonstrate the need for solutions to be transparent and cost effective to deploy.

    Oracle Advanced Security and Oracle Database Vault provide encryption and access controls to prevent account misuse from outside or inside the Oracle database.

    Oracle Audit Vault and Oracle Database Firewall provide detailed audit and monitoring capabilities, including the ability to monitor both Oracle and non-Oracle databases and to prevent SQL injection attacks from reaching the database.

    Slide 54:

    On that note I conclude this session. Thank you all for your attention; now we turn it over to Q&A.