Presentation - Oracle Database Security Defense-In-Depth

Oracle Database Security Defense-in-Depth. Nguyen Quang Huy, Senior Solution Consulting Manager


Transcript of Presentation - Oracle Database Security Defense-In-Depth

  • Oracle Database Security Defense-in-Depth

    Nguyen Quang Huy, Senior Solution Consulting Manager

  • 2

    Agenda

    Today's Threat Landscape

    Defense-in-Depth Approach

    Oracle Database Security Solutions

    Summary

  • 3

    Security Technologies Deployed

    Authentication

    Identity Management

    Network Security

    Vulnerability Mgmt

    End Point Security

    email Security

    Other Security

    (Diagram: Employee, Customer, Citizen; the one layer missing from the list above is labelled "DB Security?")

  • 4

    How Data Gets Compromised? Source: Verizon 2010 Data Breach Investigations Report


  • 5

    2010 Data Breach Investigations Report

    92% of Records from Compromised Databases

    Where Losses Come From?

  • 6

    Top Attack Techniques: % Breaches and % Records

    2010 Data Breach Investigations Report

    Most records lost through Stolen Credentials & SQL Injection

  • 7

    Oracle Database Security Defense-in-Depth

    Access Control: Oracle Database Vault, Oracle Label Security

    Encryption and Masking: Oracle Advanced Security, Oracle Secure Backup, Oracle Data Masking

    Auditing and Tracking: Oracle Audit Vault, Oracle Configuration Management, Oracle Total Recall

    Monitoring and Blocking: Oracle Database Firewall

  • 8

    Oracle Database Security Defense-in-Depth

    Encryption and Masking: Oracle Advanced Security, Oracle Secure Backup, Oracle Data Masking

  • 9

    Oracle Advanced Security: End-to-end Encryption

    (Diagram: Application data encrypted on Disk, in Backups, in Exports and at Off-Site Facilities)

    Efficient encryption of all application data

    Built-in key lifecycle management

    No application changes required

    Works with Exadata and Oracle Advanced Compression


  • 10

    Oracle Advanced Security: What's New and Coming?

    Hardware Acceleration Support: performance impact already < 10% for most applications; 7-10x performance gain with Intel Advanced Encryption Standard New Instructions (AES-NI) and Oracle SPARC T-3

    Key Management and HSM Support: certified with SafeNet, Thales, Utimaco using PKCS #11; planned support for Oracle's Key Management System

  • 11

    Oracle Data Masking: Irreversible De-Identification

    Mask sensitive data for test and partner systems

    Sophisticated masking: condition-based, compound, deterministic

    Extensible template library and policies for automation

    Leverage masking templates for common data types

    Integrated masking and cloning

    Masking of heterogeneous databases via database gateways

    Command line support for data masking tasks

    Production:

    LAST_NAME   SSN          SALARY
    AGUILAR     203-33-3234  40,000
    BENSON      323-22-2943  60,000

    Non-Production (masked):

    LAST_NAME   SSN          SALARY
    ANSKEKSL    111-23-1111  40,000
    BKJHHEIEDK  222-34-1345  60,000
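The slide's table shows the three properties the masking bullets name: the masked copy is deterministic (the same production value always maps to the same masked value, so joins still line up), irreversible (no key in the non-production copy can undo it), and format-preserving for the SSN. The following is an added illustration of that idea in Python, not Oracle Data Masking's own code; the masking key, the rows and the salary-threshold condition are constructed for the example.

```python
import hmac
import hashlib
import string

# Constructed sample rows modelled on the slide's table (not real people).
PRODUCTION = [
    {"LAST_NAME": "AGUILAR", "SSN": "203-33-3234", "SALARY": 40000},
    {"LAST_NAME": "BENSON", "SSN": "323-22-2943", "SALARY": 60000},
]

# Hypothetical masking secret. It stays in production and is never shipped
# with the masked copy, which is what makes the mapping irreversible there.
MASKING_KEY = b"rotate-me-production-only"


def _digest(column: str, value: str, key: bytes = MASKING_KEY) -> bytes:
    # Keyed hash: the same (column, value) always yields the same bytes, so
    # masking is deterministic across tables and runs under the same key.
    return hmac.new(key, f"{column}:{value}".encode(), hashlib.sha256).digest()


def mask_name(name: str) -> str:
    # Uppercase pseudo-name of 6..10 letters, like AGUILAR -> ANSKEKSL on the
    # slide; every letter comes from the digest, none from the original.
    d = _digest("LAST_NAME", name)
    length = 6 + d[0] % 5
    return "".join(string.ascii_uppercase[b % 26] for b in d[1:1 + length])


def mask_ssn(ssn: str) -> str:
    # Format-preserving: keeps the NNN-NN-NNNN shape so downstream format
    # checks still pass, but each digit is replaced from the digest.
    d = iter(_digest("SSN", ssn))
    return "".join(str(next(d) % 10) if c.isdigit() else c for c in ssn)


def mask_rows(rows, salary_threshold=None):
    # Condition-based masking: with a threshold, only rows at or above it are
    # masked. SALARY itself is carried over unchanged, as on the slide.
    out = []
    for r in rows:
        if salary_threshold is not None and r["SALARY"] < salary_threshold:
            out.append(dict(r))
            continue
        out.append({"LAST_NAME": mask_name(r["LAST_NAME"]),
                    "SSN": mask_ssn(r["SSN"]), "SALARY": r["SALARY"]})
    return out


if __name__ == "__main__":
    for row in mask_rows(PRODUCTION):
        print(row)
```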

  • 12

    Oracle Data Masking: What's Coming?

    Sensitive data identification based on privacy attributes

    Application masking templates for E-Business Suite and Fusion Applications

  • 13

    Oracle Database Security Defense-in-Depth

    Access Control: Oracle Database Vault, Oracle Label Security

    Encryption and Masking: Oracle Advanced Security, Oracle Secure Backup, Oracle Data Masking

  • 14

    Oracle Database Vault: Separation of Duties & Privileged User Controls

    Restricts application data from privileged users

    DBA separation of duties

    Securely consolidate application data

    No application changes required

    Works with Oracle Exadata

    (Diagram: Procurement, HR and Finance applications; a DBA issuing "select * from finance.customers" is kept away from the application data)

  • 15

    Oracle Database Vault: Multi-Factor Access Control Policy Enforcement

    Protect application data and prevent application by-pass

    Enforce who, where, when, and how using rules and factors

    User Factors: Name, Authentication type, Proxy Enterprise Identity

    Network Factors: Machine name, IP, Network Protocols

    Database Factors: IP, Instance, Hostname, SID

    Runtime Factors: Date, Time

    (Diagram: Procurement, HR and Rebates applications)

  • 16

    Oracle Database Vault: Out-of-the-Box Protections for Applications

    Pre-built policies with further possible customization

    Complements application security

    Transparent to existing applications

    Minimal performance overhead

    Certifications Underway: Oracle Hyperion

    Oracle Tax and Utilities

    Oracle E-Business Suite 11i / R12

    PeopleSoft Applications

    Siebel, i-Flex, Retek

    JD Edwards EnterpriseOne

    SAP

    Infosys Finacle


  • 17

    Oracle Label Security: Data Classification for Access Control

    Classify users and data based on business drivers

    Database enforced row level access control

    Users classification through Oracle Identity Management Suite

    Classification labels can be factors in Database Vault

    (Diagram: Transactions, Report Data and Reports carrying Sensitive, Confidential and Public labels)

  • 18

    Oracle Database Security Defense-in-Depth

    Access Control: Oracle Database Vault, Oracle Label Security

    Encryption and Masking: Oracle Advanced Security, Oracle Secure Backup, Oracle Data Masking

    Auditing and Tracking: Oracle Audit Vault, Oracle Configuration Management, Oracle Total Recall

  • 19

    Oracle Audit Vault: Automated Audit Collection and Reporting

    Consolidate audit data into a secure warehouse

    Create/customize compliance and entitlement reports

    Detect and raise alerts on suspicious activities

    Centralized audit policy management

    Integrated audit trail cleanup

    (Diagram: Databases holding CRM Data, ERP Data and HR Data send Audit Data to Audit Vault; Policies, Built-in Reports, Custom Reports and Alerts go to the Auditor)

  • 20

    Oracle Configuration Management: Secure Configuration & Change Tracking

    Continuous scanning against best practices and gold baselines

    200+ out-of-the-box policies spanning host, database, and middleware

    Real-time detection of changes to processes, files, etc.

    Violations can trigger emails, and create tickets

    Compliance reports mapped to compliance frameworks

    Optimized for Oracle with Industry Specific Compliance Dashboards

    (Diagram: User-defined Policies & Groups, Real-Time Change Detection, Industry & Regulatory Frameworks, Compliance Dashboard, Out-of-box Policies)

  • 21

    Oracle Database Security Defense-in-Depth

    Access Control: Oracle Database Vault, Oracle Label Security

    Encryption and Masking: Oracle Advanced Security, Oracle Secure Backup, Oracle Data Masking

    Auditing and Tracking: Oracle Audit Vault, Oracle Configuration Management, Oracle Total Recall

    Monitoring and Blocking: Oracle Database Firewall

  • 22

    Oracle Database Firewall: First Line of Defense

    Prevent unauthorized activity, application bypass and SQL injections

    Highly accurate SQL grammar based analysis

    Flexible enforcement options

    Built-in and custom compliance reports

    (Diagram: Applications pass through the Database Firewall, driven by Policies, Built-in Reports, Alerts and Custom Reports; each statement is handled by one of Block, Log, Allow, Alert, Substitute)

  • 23

    Oracle Database Firewall: Security Model

    White-list based policies enforce normal or expected behavior

    Evaluate factors such as time, day, network, app, etc.

    Easily generate white-lists for any application

    Log, alert, block or substitute out-of-policy SQL statements

    Black lists to stop unwanted SQL commands, user, or schema access

    Superior performance and policy scalability based upon clustering

    (Diagram: Applications -> White List -> Allow or Block)
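The security model on this slide (a per-application white list of statement shapes, a black list, factors such as time and network, and the five actions from the previous slide) can be sketched as a small policy engine. This is an added illustration in Python, not Oracle Database Firewall's own logic: the product's SQL grammar analysis is replaced here by a simple literal-stripping normaliser, and the white list, black list, application name and network range are constructed for the example.

```python
import re

def normalize(sql: str) -> str:
    # Reduce a statement to its "shape": string and numeric literals become
    # '?', whitespace is collapsed, case is folded. A stand-in for grammar
    # analysis; the shape, not the literal values, is what policy matches on.
    s = re.sub(r"'(?:[^']|'')*'", "?", sql)
    s = re.sub(r"\b\d+(?:\.\d+)?\b", "?", s)
    return re.sub(r"\s+", " ", s).strip().lower()

# Constructed white list: shapes learned from the Procurement app's normal traffic.
WHITE_LIST = {
    "procurement": {
        "select * from procurement.orders where order_id = ?",
        "update procurement.orders set status = ? where order_id = ?",
    }
}
# Constructed black list: commands and schema access never allowed from this path.
BLACK_LIST = [r"^drop ", r"^alter user ", r"\bfinance\.\w+"]

def decide(app, sql, hour, src_ip, allowed_net="10.1.", business_hours=(8, 18)):
    """Return (action, shape). Actions are the slide's: allow, log, alert,
    block, substitute. hour is the 24h hour the statement arrived."""
    shape = normalize(sql)
    if any(re.search(p, shape) for p in BLACK_LIST):
        return "block", shape
    in_policy = shape in WHITE_LIST.get(app, set())
    # Factors evaluated alongside the shape: network origin and time of day.
    off_net = not src_ip.startswith(allowed_net)
    off_hours = not (business_hours[0] <= hour < business_hours[1])
    if in_policy and not off_net and not off_hours:
        return "allow", shape
    if in_policy and off_hours:
        return "log", shape      # known shape at an unusual time: record it
    if in_policy and off_net:
        return "alert", shape    # known shape from an unexpected source
    # Unknown shape (for example a tampered WHERE clause): replace it with a
    # statement that returns no rows instead of passing it to the database.
    return "substitute", "select null from dual where 1 = 0"
```

The second test case below shows why white-listing by shape catches the injection pattern the Verizon slide flags: the extra predicate changes the statement's shape even though the credentials and the rest of the query are legitimate.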

  • 24

    Oracle Database Firewall: Reporting

    Database Firewall log data consolidated into reporting database

    Over 130 built-in reports that can be modified and customized

    Entitlements reporting for database attestation and audit

    Database activity and privileged user reports

    Supports demonstrating PCI, SOX, HIPAA/HITECH, etc. controls

    Optional database activity masking


  • 25

    Oracle Database Security Big Picture

    (Diagram: Procurement, HR and Rebates applications; Encrypted Database, Encrypted Backups, Encrypted Exports, Data Masking, Audit consolidation; Sensitive, Confidential and Public labels; Local DBA risks: Privilege Mis-Use, DB Consolidation Security, Unauthorized Local Activity; Network SQL Monitoring and Blocking with Block, Log, Allow, Alert, Substitute)

  • 26

    Oracle Database Security: Key Differentiators

  • 27

    For More Information

    oracle.com/database/security

    search.oracle.com

    database security
