Key Drivers for Data Security
• Sarbanes-Oxley (SOX), J-SOX, GLBA
• Payment Card Industry (PCI)
• HIPAA, EU Privacy Directives
• Breach Disclosure Laws
• COSO, COBIT frameworks
• Separation of duty, proof of compliance, risk assessment and monitoring
• Large percentage of threats go undetected
• Outsourcing and off-shoring trend
• Customers want to monitor insiders and DBAs
Oracle Database Security
Continuous Innovation
(Timeline figure, Oracle7 through Oracle Database 11g. Products and features shown, grouped under Privacy and Compliance: Strong Authentication, Native Network Encryption, Virtual Private Database (VPD), Enterprise User Security, Database Encryption API, Oracle Label Security, Fine Grained Auditing, Secure Config Scanning, Real Time Masking, Transparent Data Encryption (TDE), Oracle Database Vault, Oracle Audit Vault, TDE Tablespace Encryption, Oracle Total Recall, Data Masking.)
Data Privacy and Regulatory Compliance
Database Security Challenges
• Protecting access to application data
• Data classification
• Database monitoring
• De-identifying information for sharing
• Data encryption
Oracle Database Security
Solutions for Privacy and Compliance
• Database Vault
• Advanced Security
• Label Security
• Secure Backup
• Total Recall
• Audit Vault
• Configuration Management
• Data Masking
Oracle Database Vault
Highly Privileged User Controls
• Database DBA views HR data: compliance and protection from insiders
• HR app owner views Fin. data: eliminates security risks from server consolidation
(Diagram: a DBA running SELECT * FROM HR.EMP is stopped by the HR Realm, while the HR App reaches the HR data; FIN data is shown alongside as a separately protected application.)
Oracle Database Vault
Real Time Access Controls
(Diagram: CONNECT and CREATE commands from the HR application user, the FIN application and the DBA are checked against factors such as business hours and an unexpected IP address before they reach the HR or FIN data.)
Oracle Database Vault
Separation of Duty
• Account management
• Database Vault overrides all existing administration privileges for creating new accounts
• Security administration
• Database Vault administration is done with a separate administration account, not the DBA or SYSDBA account
• Traditional database administration
• Traditional administrative tasks are kept separate from account management and security administration
Major Financial Services Company
Use Case
• Control Privileged Users
• Prevent DBAs from accessing sensitive data in Realms
• Setup multiple levels of DBAs
• Control Access based upon environmental factors
• Restrict hostnames authorized to access the DB
• Control access based on geography
• Control use of ad-hoc query tools; Enforce maintenance periods
• Restrict connections by ad-hoc query tools to maintenance times or specific users
• Control Patching activity
• Patching activity requires another monitoring user to be logged in
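The Separation of Duty and Use Case slides above describe the controls in words. The following is an added example, not code from the deck or from Oracle's documentation, that expresses two of them as Database Vault API calls: a realm that keeps DBAs out of HR data, and a CONNECT command rule that limits the HR application account to business hours from the internal network. The schema HR, the account HR_APP, the 10.1.0.0/16 subnet and the 08:00 to 18:59 window are assumptions.

```sql
-- Added example (not from the deck). Run as the Database Vault owner,
-- an account separate from SYS/SYSTEM and from the DBAs it constrains.
-- Assumed names: schema HR, application account HR_APP, internal
-- subnet 10.1.0.0/16, business hours 08:00-18:59 server time.

-- 1. Realm around the HR schema: SELECT ANY TABLE and other system
--    privileges no longer reach HR objects; violations are audited.
BEGIN
  DVSYS.DBMS_MACADM.CREATE_REALM(
    realm_name    => 'HR Realm',
    description   => 'HR application data, closed to privileged users',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);

  DVSYS.DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'HR Realm',
    object_owner => 'HR',
    object_name  => '%',          -- every object in the schema
    object_type  => '%');

  -- The application account is the only realm participant; a DBA running
  -- SELECT * FROM HR.EMP now gets ORA-01031 even with SELECT ANY TABLE.
  DVSYS.DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'HR Realm',
    grantee       => 'HR_APP',
    rule_set_name => NULL,        -- no extra condition on this grantee
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);
END;
/

-- 2. Environmental factors as rules. Scoping each rule to HR_APP matters:
--    a CONNECT command rule is evaluated for every login, including the
--    Database Vault owner, so an unscoped rule can lock everyone out.
BEGIN
  DVSYS.DBMS_MACADM.CREATE_RULE(
    rule_name => 'HR App Business Hours',
    rule_expr => 'DVF.F$SESSION_USER <> ''HR_APP'' OR ' ||
                 'TO_CHAR(SYSDATE, ''HH24'') BETWEEN ''08'' AND ''18''');

  DVSYS.DBMS_MACADM.CREATE_RULE(
    rule_name => 'HR App Internal Address',
    rule_expr => 'DVF.F$SESSION_USER <> ''HR_APP'' OR ' ||
                 'DVF.F$CLIENT_IP LIKE ''10.1.%''');

  DVSYS.DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'HR App Trusted Session',
    description     => 'Business hours from the internal network only',
    enabled         => DBMS_MACUTL.G_YES,
    eval_options    => DBMS_MACUTL.G_RULESET_EVAL_ALL,   -- every rule must pass
    audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_FAIL, -- record failures
    fail_options    => DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => 'HR application logins: business hours, internal network only',
    fail_code       => 20461,
    handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => '');

  DVSYS.DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'HR App Trusted Session',
    rule_name     => 'HR App Business Hours');
  DVSYS.DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'HR App Trusted Session',
    rule_name     => 'HR App Internal Address');

  -- 3. Command rule: CONNECT succeeds only while the rule set is true
  DVSYS.DBMS_MACADM.CREATE_COMMAND_RULE(
    command       => 'CONNECT',
    rule_set_name => 'HR App Trusted Session',
    object_owner  => '%',
    object_name   => '%',
    enabled       => DBMS_MACUTL.G_YES);
END;
/

-- 4. Verify the configuration and watch for blocked attempts
SELECT realm_name, enabled FROM DVSYS.DBA_DV_REALM;
SELECT command, rule_set_name, enabled FROM DVSYS.DBA_DV_COMMAND_RULE;
SELECT username, action_name, timestamp
  FROM DVSYS.AUDIT_TRAIL$
 ORDER BY timestamp DESC;
```

Try this on a non-production database first: the realm is enforced immediately, and a mistake in a CONNECT rule set is only recoverable by the Database Vault owner account, which is exactly why that account is kept separate from the DBA accounts. Restricting ad-hoc query tools, also on the Use Case slide, needs a factor that identifies the client program; none is built in, so it is left out here.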
Oracle Database Vault
Application Certification
• PeopleSoft
• E-Business Suite
• Siebel
• Oracle Content DB
Oracle Advanced Security
Transparent Data Encryption
• Protect application data
• Easily encrypt sensitive data
• Protect entire application tables or specific columns (e.g. credit card numbers)
• No changes to existing applications
• Built-in key management
• Keys automatically generated and managed
• Integrates with Hardware Security Modules (HSM)
(Diagram: data is transparently encrypted on write and transparently decrypted on read.)
Transparent Data Encryption
Oracle Advanced Security
Encrypting Columns
• Encrypt a column in an existing table (the wallet must be open first):
alter table credit_rating modify (person_id encrypt);
• Create a new table with an encrypted column (the deck's statement breaks off after customer_id; the credit_card column is an assumed completion):
create table orders (
  order_id number(12), customer_id number(12),
  credit_card varchar2(19) encrypt);
Oracle Advanced Security
Encrypting Tablespaces
• Create a new tablespace with the ENCRYPTION keyword:
CREATE TABLESPACE securespace2 DATAFILE
  '/home/user/oradata/secure01.dbf' SIZE 150M ENCRYPTION
  DEFAULT STORAGE (ENCRYPT);
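The column and tablespace statements on the two slides above only work once a master key exists and the wallet is open, and they protect the datafiles rather than the session. The following added example, not from the deck or from Oracle's documentation, walks the whole TDE sequence end to end with the verification queries and the caveat a reviewer would want. The wallet directory, datafile path and the orders/credit_rating columns beyond those on the slide are assumptions.

```sql
-- Added example (not from the deck). Wallet path, datafile path and
-- the column set of ORDERS are assumed.
-- Step 0 (server-side sqlnet.ora, not SQL): where the PKCS#12 wallet lives
--   ENCRYPTION_WALLET_LOCATION =
--     (SOURCE = (METHOD = FILE)
--       (METHOD_DATA = (DIRECTORY = /u01/app/oracle/admin/orcl/wallet)))

-- Step 1: the security DBA creates the master key in the wallet and opens it
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "wallet-secret-Change-Me";
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "wallet-secret-Change-Me";
-- While the wallet is closed every access to encrypted data fails with
-- ORA-28365 (wallet is not open), so the OPEN step belongs in the startup
-- runbook and the wallet password must never sit next to the datafiles.

-- Step 2: column encryption. SALT (the default) defeats pattern matching
-- on ciphertext but cannot be indexed; an indexed column needs NO SALT.
CREATE TABLE orders (
  order_id     NUMBER(12),
  customer_id  NUMBER(12),
  credit_card  VARCHAR2(19) ENCRYPT USING 'AES256' NO SALT,
  order_total  NUMBER(10,2));
CREATE INDEX orders_cc_ix ON orders (credit_card);    -- ORA-28338 if SALT
ALTER TABLE credit_rating MODIFY (person_id ENCRYPT); -- default: AES192, SALT

-- Step 3: tablespace encryption (11g) has no per-column restrictions;
-- everything written into the tablespace is encrypted, indexes included.
CREATE TABLESPACE securespace2
  DATAFILE '/u01/app/oracle/oradata/orcl/secure01.dbf' SIZE 150M
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

-- Step 4: verify what is actually encrypted rather than trusting the DDL
SELECT wrl_type, status FROM v$encryption_wallet;        -- expect OPEN
SELECT owner, table_name, column_name, encryption_alg, salt
  FROM dba_encrypted_columns;
SELECT t.name, e.encryptionalg
  FROM v$encrypted_tablespaces e
  JOIN v$tablespace t ON t.ts# = e.ts#;

-- Step 5: the caveat. TDE protects datafiles, backups and exports; it does
-- not hide data from an authorised session. A DBA with SELECT ANY TABLE
-- still sees cleartext here, which is the gap Database Vault realms close.
SELECT credit_card FROM orders WHERE ROWNUM = 1;
```

Rotating the master key (another ALTER SYSTEM SET ENCRYPTION KEY) re-encrypts only the column keys in the dictionary, not the data, so it is cheap; losing the wallet, on the other hand, loses every encrypted column and tablespace, which is why the wallet needs its own backup procedure separate from RMAN.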
Oracle Advanced Security
Key Management Architecture
(Diagram: the master key is stored in a PKCS#12 wallet; the security DBA opens the wallet; the Oracle data dictionary stores the column keys, encrypted under the master key; HR application data is encrypted with the HR column key and FIN application data with the FIN column key; application users read and write through Transparent Data Encryption.)
Key Management Architecture with HSM
(Same flow, except that the master key is stored in the HSM; the security DBA still opens the wallet to make the master key available.)
Oracle Secure Backup
Integrated, Centralized Tape Backup Management
(Diagram: file system data from UNIX, Linux, Windows and NAS hosts, plus Oracle databases through RMAN integration, backed up to tape.)
• Improved Security and Manageability
• Backup encryption for file systems added
• Automated backup of OSB catalog
• Policy-based migration from Virtual Tape Library (VTL) to tape
• Advanced media management
• Vaulting provides automatic rotation of tapes between multiple locations
• Tape duplication based on policies
• Sun StorageTek ACSLS support
Oracle Label Security
Access Control by Data Classification
• Additional access control check
• The database first verifies that the requestor has table privileges (select, update, insert, ...)
• Label Security then mediates access based on the sensitivity label assigned to the data or operation
• Specialized security solution
• Components
• User label authorizations
• Data labels
• Special user privileges
Sensitivity Label Components
More Than Just Levels
• Sensitivity level (ordered): Confidential < Sensitive < Highly Sensitive
• Plus zero or more compartments: HR, PII, FIN, LEGAL
• Plus zero or more groups: US, Europe, Global
• Example label: Sensitive : HR : US
Oracle Label Security
Flexible Policy Model
(Diagram: three example policies, each with its own levels, compartments and groups. Government Policy uses the levels Confidential, Secret, Top Secret; Law Enforcement uses Level 1, Level 2, Level 3; HR Policy uses Confidential, Sensitive, Highly Sensitive. Compartments and groups shown across the policies include NATO, Desert Storm, Homeland Security, Border Protection, Drug Enforcement, Local Jurisdiction, FBI, Justice, Internal Affairs, Investigation, PII Data, HR Rep and Senior HR Rep.)
Oracle Label Security
Additional Use Cases
• Embed in Database Vault command rules
• Compare label authorizations in command rules to customize separation of duty
• Embed in data masking decisions
• Use with VPD column-level real-time masking to decide whether to NULL out PII data returned by a query
• Record the application user's current working label
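The label component slides and the use cases above describe levels, compartments and groups and a session's working label. The following added example, not code from the deck or from Oracle's documentation, builds the "Sensitive : HR : US" style policy with the Label Security packages, labels two rows, and reads back the session label that a Database Vault rule or an audit record could use. The policy name HR_POLICY, the users HR_REP_US and SENIOR_HR_REP, and the columns of HR.EMP are assumptions.

```sql
-- Added example (not from the deck). Policy, user and table names are
-- assumed. Run the block as LBACSYS (the Label Security administrator),
-- an account separate from the DBA; HR.EMP is assumed to exist.
BEGIN
  -- The policy adds a label column to each protected table and, with these
  -- options, enforces both reads and writes
  SA_SYSDBA.CREATE_POLICY(
    policy_name     => 'HR_POLICY',
    column_name     => 'HR_LABEL',
    default_options => 'READ_CONTROL,WRITE_CONTROL');

  -- Levels are ordered by their number; a higher level dominates a lower one
  SA_COMPONENTS.CREATE_LEVEL('HR_POLICY', 1000, 'C',  'CONFIDENTIAL');
  SA_COMPONENTS.CREATE_LEVEL('HR_POLICY', 2000, 'S',  'SENSITIVE');
  SA_COMPONENTS.CREATE_LEVEL('HR_POLICY', 3000, 'HS', 'HIGHLY SENSITIVE');
  -- Compartments are unordered; a reader must hold every compartment on the row
  SA_COMPONENTS.CREATE_COMPARTMENT('HR_POLICY', 100, 'HR',  'HUMAN RESOURCES');
  SA_COMPONENTS.CREATE_COMPARTMENT('HR_POLICY', 200, 'PII', 'PERSONAL DATA');
  -- Groups are hierarchical; GLOBAL is the parent of US and EU
  SA_COMPONENTS.CREATE_GROUP('HR_POLICY', 10, 'GLOBAL', 'GLOBAL');
  SA_COMPONENTS.CREATE_GROUP('HR_POLICY', 20, 'US', 'UNITED STATES', 'GLOBAL');
  SA_COMPONENTS.CREATE_GROUP('HR_POLICY', 30, 'EU', 'EUROPE',        'GLOBAL');

  -- Data labels in level:compartments:groups form (the slide's Sensitive : HR : US)
  SA_LABEL_ADMIN.CREATE_LABEL('HR_POLICY', 2100, 'S:HR:US');
  SA_LABEL_ADMIN.CREATE_LABEL('HR_POLICY', 2200, 'S:HR:EU');
  SA_LABEL_ADMIN.CREATE_LABEL('HR_POLICY', 3100, 'HS:HR,PII:US');

  SA_POLICY_ADMIN.APPLY_TABLE_POLICY(
    policy_name   => 'HR_POLICY',
    schema_name   => 'HR',
    table_name    => 'EMP',
    table_options => 'READ_CONTROL,WRITE_CONTROL');

  -- A US HR rep may read Sensitive HR rows for the US only
  SA_USER_ADMIN.SET_USER_LABELS(
    policy_name    => 'HR_POLICY',
    user_name      => 'HR_REP_US',
    max_read_label => 'S:HR:US');
  -- A senior rep may read PII at Highly Sensitive across every region
  SA_USER_ADMIN.SET_USER_LABELS(
    policy_name    => 'HR_POLICY',
    user_name      => 'SENIOR_HR_REP',
    max_read_label => 'HS:HR,PII:GLOBAL');
END;
/

-- As SENIOR_HR_REP (whose write label dominates both rows), label data explicitly
INSERT INTO hr.emp (empno, ename, sal, hr_label)
VALUES (8001, 'BENSON',  60000, CHAR_TO_LABEL('HR_POLICY', 'HS:HR,PII:US'));
INSERT INTO hr.emp (empno, ename, sal, hr_label)
VALUES (8002, 'AGUILAR', 40000, CHAR_TO_LABEL('HR_POLICY', 'S:HR:EU'));
COMMIT;

-- The session's working label, usable in a Database Vault rule expression
-- or written to an audit record alongside the statement
SELECT SA_SESSION.LABEL('HR_POLICY') AS working_label FROM dual;

-- HR_REP_US sees neither row (8001 is above S; 8002 is EU, not US);
-- SENIOR_HR_REP sees both because GLOBAL is the parent of US and EU.
SELECT empno, ename, LABEL_TO_CHAR(hr_label) AS label FROM hr.emp;
```

Note the ordering on the table privilege check from the Access Control by Data Classification slide: a user without SELECT on HR.EMP is refused before any label comparison happens, and a user with SELECT still only sees the rows whose label their authorization dominates.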
Off-Line Data Masking
Oracle Enterprise Manager
• Automates production data masking
• Easily mask existing application data
• No impact on production database
• Built-in data relationship discovery
• Use foreign key definitions
• Define custom data relationships
(Diagram: LAST_NAME, SSN and SALARY values from the production database appear in the cloned database replaced with masked values, while the table structure is kept.)
Real-Time Data Masking
Virtual Private Database Masking
• Null out or clear table columns for all or specific table rows
• Example policy predicate: where account_mgr_id = sys_context('APP','CURRENT_MGR')
(Diagram: SELECT * FROM customers passes through the APP VPD policy; the SSN column is returned only for rows that satisfy the predicate and as NULL for all others, while every row is still returned.)
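The slide shows the predicate but not the pieces around it: the application context that supplies CURRENT_MGR, the policy function, and the option that turns VPD from row filtering into column masking. The following added example, not code from the deck or from Oracle's documentation, puts them together. The APP schema, the CUSTOMERS columns and the context package name are assumptions.

```sql
-- Added example (not from the deck). APP schema, CUSTOMERS columns and
-- the APP_CTX package are assumed.

-- 1. Application context. Only the package named in CREATE CONTEXT can set
--    attributes in the APP namespace, so a session cannot assign itself a
--    manager id with DBMS_SESSION directly.
CREATE OR REPLACE PACKAGE app.app_ctx AS
  PROCEDURE set_current_mgr(p_mgr_id IN NUMBER);
END app_ctx;
/
CREATE OR REPLACE PACKAGE BODY app.app_ctx AS
  PROCEDURE set_current_mgr(p_mgr_id IN NUMBER) IS
  BEGIN
    -- In a real deployment this is called after the app authenticates the
    -- user and looks up their manager id; it is not exposed to end users.
    DBMS_SESSION.SET_CONTEXT('APP', 'CURRENT_MGR', TO_CHAR(p_mgr_id));
  END set_current_mgr;
END app_ctx;
/
CREATE CONTEXT app USING app.app_ctx;

-- 2. Policy function returning the slide's predicate. The function never
--    sees the user's rows; it only returns text that is appended to the query.
CREATE OR REPLACE FUNCTION app.ssn_mask_predicate (
  p_schema IN VARCHAR2,
  p_object IN VARCHAR2) RETURN VARCHAR2 AS
BEGIN
  RETURN 'account_mgr_id = SYS_CONTEXT(''APP'', ''CURRENT_MGR'')';
END ssn_mask_predicate;
/

-- 3. Column masking. With sec_relevant_cols_opt => ALL_ROWS every row is
--    returned and SSN is NULL where the predicate is false; without that
--    option the same policy would hide the rows instead (row filtering).
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema         => 'APP',
    object_name           => 'CUSTOMERS',
    policy_name           => 'MASK_SSN',
    function_schema       => 'APP',
    policy_function       => 'SSN_MASK_PREDICATE',
    statement_types       => 'SELECT',
    sec_relevant_cols     => 'SSN',
    sec_relevant_cols_opt => DBMS_RLS.ALL_ROWS);
END;
/

-- 4. Same query, different session state
BEGIN
  app.app_ctx.set_current_mgr(145);   -- assumed manager id
END;
/
SELECT customer_id, account_mgr_id, ssn, credit_limit
  FROM app.customers;
-- Rows with account_mgr_id = 145 show SSN; all other rows show SSN as NULL.
-- A session that never called set_current_mgr sees SSN as NULL everywhere,
-- because SYS_CONTEXT returns NULL and the predicate is never true.
```

Column masking applies to SELECT only; a policy with statement_types of UPDATE or DELETE still works as a row filter. The masked NULL is indistinguishable from a genuinely empty SSN, which is acceptable for display but should be kept in mind if the application writes the value back.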
Auditing in the Oracle Database
Robust, Flexible, and High Fidelity Audit
• Industry's most advanced
• Statement: audit DDL/DML by statement type or schema object
• Privilege: audit statements that use system privileges
• Specific user or group of users
• Fine grained auditing (Oracle9i)
• Enterprise Edition conditional auditing feature
• SELECT statements only (Oracle9i)
• UPDATE, INSERT and DELETE statements added (Oracle Database 10g)
• Flexible
• Audit table and OS file destinations (OS is most performant)
• Supports XML format
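The slide lists the audit types; the following added example, not code from the deck or from Oracle's documentation, shows standard object auditing beside a fine grained audit policy whose condition and column list mean that only reads or updates of sensitive values on high-salary rows are recorded, and then the query used to review what was captured. The HR.EMP columns, the salary threshold and the bind name are assumptions.

```sql
-- Added example (not from the deck). Table columns, threshold and the
-- :threshold bind are assumed.

-- Standard auditing: every access to the table, one record per statement.
-- The audit_trail parameter must be set before any audit record is kept;
-- EXTENDED adds the SQL text and bind values to each record.
ALTER SYSTEM SET audit_trail = DB, EXTENDED SCOPE = SPFILE;  -- then restart
AUDIT SELECT, UPDATE, DELETE ON hr.emp BY ACCESS;

-- Fine grained auditing: a record only when a SELECT or UPDATE touches the
-- SAL or SSN column (ANY_COLUMNS) on a row where SAL > 100000. The
-- condition is evaluated per row, so a query that hits no such row is silent.
BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema     => 'HR',
    object_name       => 'EMP',
    policy_name       => 'HIGH_SAL_ACCESS',
    audit_condition   => 'SAL > 100000',
    audit_column      => 'SAL,SSN',
    audit_column_opts => DBMS_FGA.ANY_COLUMNS,
    statement_types   => 'SELECT,UPDATE',
    audit_trail       => DBMS_FGA.DB_EXTENDED,   -- keep SQL text and binds
    enable            => TRUE);
END;
/

-- A statement that trips the policy (in some other session), captured with
-- its bind value rather than the literal the user typed
SELECT ename, sal FROM hr.emp WHERE sal > :threshold;

-- Review: who read which rows, from which host, with what statement
SELECT timestamp, db_user, os_user, userhost, client_id, sql_text, sql_bind
  FROM dba_fga_audit_trail
 WHERE policy_name = 'HIGH_SAL_ACCESS'
 ORDER BY timestamp DESC;

-- Disable rather than drop when an investigation pauses; the existing
-- audit rows are kept either way
BEGIN
  DBMS_FGA.DISABLE_POLICY('HR', 'EMP', 'HIGH_SAL_ACCESS');
END;
/
```

The difference worth remembering: standard auditing answers "who touched HR.EMP", fine grained auditing answers "who looked at salaries above the threshold and what exactly did they run", at a fraction of the audit volume. Neither protects the audit rows from a DBA with DELETE on SYS.AUD$ or SYS.FGA_LOG$, which is the gap Audit Vault addresses on the following slides.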
Oracle Audit Vault
Protect Your Enterprise With Auditing
(Diagram: Audit Vault collects audit data from Oracle Database 9i Release 2, 10g Release 1, 10g Release 2 and 11g, with other sources and databases planned; its functions are Monitor, Enforce, Report and Secure.)
• Manage audit data
• Centrally secure audit data from Oracle databases
• Centrally manage Oracle database audit settings
• Detect suspicious activities
• Monitor database users, especially privileged users
• Alert on unauthorized activities
Audit Vault Reports
Out-of-the-box Audit Assessments & Custom Reports
• Out-of-the-box reports
• Privileged user activity
• Access to sensitive data
• Role grants, DDL activity
• Custom reports
• Published warehouse schema
• Use Oracle or 3rd party tools
• User-defined reports
• What did privileged users do on the financial database?
• What did user 'A' do across multiple databases?
• Who accessed sensitive data?
Oracle Audit Vault
Manageability
• Audit Vault Dashboard
• Enterprise overview
• Alerts on audit events
• Drill down reports
• Audit Vault administration
• Audit Vault Policies
• Collection of audit settings for databases
• Provision database audit settings centrally for compliance policies
• Compare against existing audit settings on source
Oracle Audit Vault Repository
Scalable, Flexible & Secure
• Performance and scalability
• Scale to terabytes with partitioning
• Data warehouse enables business intelligence and analysis
• Security
• Separation of duty
• Privileged users can't modify audit data
• Data protected in transit from source to Audit Vault
Introducing Oracle Total Recall
Tamper-Resistant Real-Time Database Archiving
• Automated table "snapshots" record changes to data
• Complements auditing: auditing records who, Total Recall records what
• Optimized to minimize performance overhead
• Historical data can be retained as long as needed for regulatory compliance and forensic analysis
• Automatically prevents end users from changing historical data
• Seamless access to archived historical data
• Historical data stored in the database for real-time access
• Stored in compressed form to minimize storage requirements
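Total Recall is the 11g Flashback Data Archive feature. The following added example, not code from the deck or from Oracle's documentation, creates an archive with a retention period, attaches a table, and then answers the "who versus what" question from the slide by joining the version history to the audit trail on the transaction id. The tablespace FDA_TS, the archive name, quota and retention, and the HR.EMP row are assumptions.

```sql
-- Added example (not from the deck). Tablespace FDA_TS, archive name,
-- quota, retention and the HR.EMP row are assumed. The first two
-- statements need the FLASHBACK ARCHIVE ADMINISTER privilege.
CREATE FLASHBACK ARCHIVE fda_hr
  TABLESPACE fda_ts QUOTA 20G
  RETENTION 7 YEAR;                 -- regulatory retention period

-- From here on every committed change to HR.EMP is captured by the
-- database itself: no trigger, no application change, no way for the
-- table owner to edit the history.
ALTER TABLE hr.emp FLASHBACK ARCHIVE fda_hr;

-- Auditing supplies the "who": keep an audit trail on the same table so
-- the transaction id can be matched to a user later.
AUDIT UPDATE, DELETE ON hr.emp BY ACCESS;

-- A change made by an application or by a privileged user
UPDATE hr.emp SET sal = sal * 2 WHERE empno = 7369;
COMMIT;

-- What the row looked like before the change (point-in-time read, served
-- from the archive once undo has aged out)
SELECT sal
  FROM hr.emp AS OF TIMESTAMP (SYSTIMESTAMP - INTERVAL '10' MINUTE)
 WHERE empno = 7369;

-- Every version in the window joined to the audit trail on transaction id:
-- Total Recall gives what changed, the audit trail gives who changed it.
SELECT v.versions_starttime, v.versions_operation, v.sal,
       a.username, a.userhost, a.timestamp AS audit_time
  FROM (SELECT versions_xid, versions_starttime, versions_operation, sal
          FROM hr.emp
               VERSIONS BETWEEN TIMESTAMP
                 (SYSTIMESTAMP - INTERVAL '10' MINUTE) AND SYSTIMESTAMP
         WHERE empno = 7369) v
  LEFT JOIN dba_audit_trail a
         ON a.transactionid = v.versions_xid
 ORDER BY v.versions_starttime;

-- Which tables are tracked and where their history lives
SELECT owner_name, table_name, flashback_archive_name, archive_table_name
  FROM dba_flashback_archive_tables;
```

Two operational caveats: in 11g Release 1 most DDL on a tracked table (dropping columns, TRUNCATE, and so on) is refused while the archive is attached, so schema changes need to be planned around it; and the version history is only as trustworthy as the archive's own protection, so the FDA tablespace belongs inside a Database Vault realm or at least outside the application schema's reach.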
Tracking Compliance Over Time
Example of Security Policy Rules
Over 250 Built-in Policy Rules
Host
• Detect open ports
• Detect insecure services
• Ensure NTFS file system type (Windows)
Application Server
• HTTPD has minimal privileges
• Use HTTP/S
• Apache logging should be on
• Demo applications disabled
• Disable default banner page
• Disable access to unused directories
• Disable directory indexing
• Forbid access to certain packages
• Disable packages not used by DAD owner
• Remove unused DAD configurations
• Password complexity enabled
Database Services
• Enable listener logging
• Password-protect listeners
• Disallow default listener name
• Ensure listener log file is valid and owned by Oracle
• Ensure listener host name is specified with IP
Database File Permissions
• Init.ora should have restricted file permissions
• Files in $OH/bin should be owned by Oracle
• Data files should be owned by Oracle
Database Profile/Configuration
• Default passwords
• Disallow access to objects by a fixed user link
• Disallow default tablespace set to SYSTEM
• Set password_grace_time
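Several of the database rules above can be checked without Enterprise Manager. The following added example, not code from the deck or from Oracle's scanner, reproduces the profile and configuration rules as SQL a reviewer can run with DBA access against an 11g database; the listener rules live in listener.ora and are noted as comments. The exclusion list of built-in accounts and the parameter set are assumptions.

```sql
-- Added example (not from the deck). Assumes DBA access to an 11g database;
-- the built-in account list and parameter set are chosen for illustration.

-- Rule: default passwords. 11g keeps a view of accounts whose password
-- still matches a known default; only open accounts matter.
SELECT d.username
  FROM dba_users_with_defpwd d
  JOIN dba_users u ON u.username = d.username
 WHERE u.account_status = 'OPEN';

-- Rule: disallow default tablespace set to SYSTEM
SELECT username, default_tablespace
  FROM dba_users
 WHERE default_tablespace = 'SYSTEM'
   AND username NOT IN ('SYS', 'SYSTEM', 'OUTLN');

-- Rule: disallow access to objects by a fixed user database link
-- (a stored remote username means anyone with the link inherits it)
SELECT owner, db_link, username, host
  FROM dba_db_links
 WHERE username IS NOT NULL;

-- Rule: set password_grace_time and enable password complexity.
-- UNLIMITED or NULL on these resources is the finding.
SELECT profile, resource_name, limit
  FROM dba_profiles
 WHERE resource_name IN ('PASSWORD_GRACE_TIME', 'PASSWORD_LIFE_TIME',
                         'FAILED_LOGIN_ATTEMPTS', 'PASSWORD_VERIFY_FUNCTION')
   AND limit IN ('UNLIMITED', 'NULL')
 ORDER BY profile, resource_name;

-- Rule: init.ora hygiene that is visible from SQL (the file permission
-- rules on init.ora and $OH/bin need a shell on the host)
SELECT name, value
  FROM v$parameter
 WHERE name IN ('audit_trail', 'remote_os_authent',
                'o7_dictionary_accessibility', 'sec_case_sensitive_logon');

-- Listener rules are not SQL; in listener.ora the relevant lines are
--   ADMIN_RESTRICTIONS_LISTENER = ON
--   LOGGING_LISTENER = ON
-- and the listener name should not be the default LISTENER.
```

Each query returns findings rather than a pass/fail flag, so an empty result is the good outcome; wrapping them in a script that is run after every patch cycle turns a one-time assessment into the continuous tracking the slide title promises.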
Learn More
Technology Overview
• Visit: oracle.com/database/security
• View whitepapers and webinars
Technical Information, Demos, Software
• Visit OTN: otn.oracle.com -> products -> database -> security and compliance
• http://search.oracle.com
Release Wide Map of Security Products
(Figure: a solution-by-release map covering Oracle 8i, Oracle Database 9iR1, 9iR2, 10g R1, 10g R2 and 11gR1. Solutions listed: Virtual Private Database, Network Encryption, Database Auditing, Label Security, Enterprise User Security, Client Identifier, EM Configuration Scanning, TDE Column Encryption, TDE Tablespace Encryption, Privileged User Controls.)