Presentation - Oracle Database Security Defense-In-Depth
-
Oracle Database Security Defense-in-Depth
Nguyen Quang Huy, Senior Solution Consulting Manager
-
2
Agenda
Today's Threat Landscape
Defense-in-Depth Approach
Oracle Database Security Solutions
Summary
-
3
Security Technologies Deployed
Authentication
Identity Management
Network Security
Vulnerability Mgmt
End Point Security
Email Security
Other Security
Employee
Customer
Citizen
DB Security?
-
4
How Data Gets Compromised?
Source: Verizon 2010 Data Breach Investigations Report
-
5
2010 Data Breach Investigations Report
92% of Records from Compromised Databases
Where Losses Come From?
-
6
Top Attack Techniques: % Breaches and % Records
2010 Data Breach Investigations Report
Most records lost through Stolen Credentials & SQL Injection
-
7
Oracle Database Security Defense-in-Depth
Access Control: Oracle Database Vault, Oracle Label Security
Encryption and Masking: Oracle Advanced Security, Oracle Secure Backup, Oracle Data Masking
Auditing and Tracking: Oracle Audit Vault, Oracle Configuration Management, Oracle Total Recall
Monitoring and Blocking: Oracle Database Firewall
-
8
Oracle Database Security Defense-in-Depth
Encryption and Masking: Oracle Advanced Security, Oracle Secure Backup, Oracle Data Masking
-
9
Oracle Advanced Security: End-to-End Encryption
Disk
Backups
Exports
Off-Site Facilities
Efficient encryption of all application data
Built-in key lifecycle management
No application changes required
Works with Exadata and Oracle Advanced Compression
Application
-
10
Oracle Advanced Security: What's New and Coming?
Hardware Acceleration Support
Performance already < 10% for most applications
7-10x performance gain with Intel Advanced Encryption Standard New Instructions (AES-NI) and Oracle SPARC T-3
Key Management and HSM Support
Certified with SafeNet, Thales, Utimaco using PKCS #11
Planned support for Oracle's Key Management System
-
11
Oracle Data Masking: Irreversible De-Identification
Mask sensitive data for test and partner systems
Sophisticated masking: condition-based, compound, deterministic
Extensible template library and policies for automation
Leverage masking templates for common data types
Integrated masking and cloning
Masking of heterogeneous databases via database gateways
Command line support for data masking tasks
Production:
LAST_NAME SSN SALARY
AGUILAR 203-33-3234 40,000
BENSON 323-22-2943 60,000
Non-Production:
LAST_NAME SSN SALARY
ANSKEKSL 11123-1111 40,000
BKJHHEIEDK 222-34-1345 60,000
-
12
Oracle Data Masking: What's Coming?
Sensitive data identification based on privacy attributes
Application masking templates for E-Business Suite, Fusion Applications
-
13
Oracle Database Security Defense-in-Depth
Access Control: Oracle Database Vault, Oracle Label Security
Encryption and Masking: Oracle Advanced Security, Oracle Secure Backup, Oracle Data Masking
-
14
Oracle Database Vault: Separation of Duties & Privileged User Controls
Restricts application data from privileged users
DBA separation of duties
Securely consolidate application data
No application changes required
Works with Oracle Exadata
Procurement
HR
Finance
Application
select * from finance.customers
DBA
-
15
Oracle Database Vault: Multi-Factor Access Control Policy Enforcement
Protect application data and prevent application by-pass
Enforce who, where, when, and how using rules and factors
User Factors: Name, Authentication type, Proxy Enterprise Identity
Network Factors: Machine name, IP, Network Protocols
Database Factors: IP, Instance, Hostname, SID
Runtime Factors: Date, Time
Procurement
HR
Rebates
Application
-
16
Oracle Database Vault: Out-of-the-Box Protections for Applications
Pre-built policies with further possible customization
Complements application security
Transparent to existing applications
Minimal performance overhead
Certifications Underway: Oracle Hyperion
Oracle Tax and Utilities
Oracle E-Business Suite 11i / R12
PeopleSoft Applications
Siebel, i-Flex, Retek
JD Edwards EnterpriseOne
SAP
Infosys Finacle
-
17
Oracle Label Security: Data Classification for Access Control
Classify users and data based on business drivers
Database enforced row level access control
Users classification through Oracle Identity Management Suite
Classification labels can be factors in Database Vault
Confidential Sensitive
Transactions
Report Data
Reports
Sensitive
Confidential
Public
-
18
Oracle Database Security Defense-in-Depth
Access Control: Oracle Database Vault, Oracle Label Security
Encryption and Masking: Oracle Advanced Security, Oracle Secure Backup, Oracle Data Masking
Auditing and Tracking: Oracle Audit Vault, Oracle Configuration Management, Oracle Total Recall
-
19
Oracle Audit Vault: Automated Audit Collection and Reporting
Consolidate audit data into a secure warehouse
Create/customize compliance and entitlement reports
Detect and raise alerts on suspicious activities
Centralized audit policy management
Integrated audit trail cleanup
CRM Data
ERP Data
Databases
HR Data
Audit Data
Policies
Built-in Reports
Alerts
Custom Reports
Auditor
-
20
Oracle Configuration Management: Secure Configuration & Change Tracking
Continuous scanning against best practices and gold baselines
200+ out-of-the-box policies spanning host, database, and middleware
Real-time detection of changes to processes, files, etc.
Violations can trigger emails and create tickets
Compliance reports mapped to compliance frameworks
Optimized for Oracle with Industry Specific Compliance Dashboards
User-defined Policies & Groups
Real-Time Change Detection
Industry & Regulatory Frameworks
Compliance Dashboard
Out-of-box Policies
-
21
Oracle Database Security Defense-in-Depth
Access Control: Oracle Database Vault, Oracle Label Security
Encryption and Masking: Oracle Advanced Security, Oracle Secure Backup, Oracle Data Masking
Auditing and Tracking: Oracle Audit Vault, Oracle Configuration Management, Oracle Total Recall
Monitoring and Blocking: Oracle Database Firewall
-
22
Oracle Database Firewall: First Line of Defense
Prevent unauthorized activity, application bypass and SQL injections
Highly accurate SQL grammar based analysis
Flexible enforcement options
Built-in and custom compliance reports
Policies
Built-in Reports
Alerts
Custom Reports
Applications
Block
Log
Allow
Alert
Substitute
-
23
Oracle Database Firewall: Security Model
White-list based policies enforce normal or expected behavior
Evaluate factors such as time, day, network, app, etc.
Easily generate white-lists for any application
Log, alert, block or substitute out-of-policy SQL statements
Black lists to stop unwanted SQL commands, user, or schema access
Superior performance and policy scalability based upon clustering
White List
Applications
Block
Allow
-
24
Oracle Database Firewall: Reporting
Database Firewall log data consolidated into reporting database
Over 130 built in reports that can be modified and customized
Entitlements reporting for database attestation and audit
Database activity and privileged user reports
Supports demonstrating PCI, SOX, HIPAA/HITECH, etc. controls
Optional database activity masking
-
25
Oracle Database Security: Big Picture
Procurement
HR
Rebates
Encrypted Backups
Encrypted Database
Encrypted Exports
Data Masking
Audit consolidation
Procurement
HR
Rebates
Sensitive
Confidential
Public
Local DBA
Privilege Mis-Use
DB Consolidation Security
Unauthorized Local Activity
Applications
Block
Log
Allow
Alert
Substitute
Network SQL Monitoring and Blocking
-
26
Oracle Database Security: Key Differentiators
-
27
For More Information
oracle.com/database/security
search.oracle.com
database security