Data Security: Strategy and
Tactics for Success
DatabaseVisions,Inc. Fairfax, Va
Oracle Gold Partner Solution Provider Oracle Security Specialized
Overview
Cloud Computing presents dynamic
challenges to data architectures. Effective Cloud Governance, Risk, and Compliance in a shared, elastic environment requires a strategic approach:
data security plan
Cloud computing
computing framework in which elastic,
scalable, often virtualized resources are provided as a service over the Internet.
Users may have no knowledge, expertise, or
Cloud computing models
NIST describes cloud computing in three service models:
software as a service (SaaS),
infrastructure as a services (IaaS)
data security plan
Provide management guidelines and cost
justification for organization's data lifecycle access controls & information assurance
When do security breaches occur
Who is agent of security breach
What is cost of security breach
identify sensitive data
Classify all data elements of enterprise
Label all data elements of enterprise with
ACCESS CLASSIFICATION
* Personal Identifiable Information, PII * National Numbers, SSN
* Salaries, Financials, Bonuses, PCI * Strategic Intellectual Assets, R&D,
protect sensitive data
Use tools to protect sensitive data
* encryption
* fine-grained access privileges * separation of duties
monitor sensitive data
Executive dashboard visibility of sensitive
data access, and security controls in effect
daily, event based reports of sensitive
data access & suspicious access patterns
monitor sensitive data access real-time
use predictive adaptive, analytic
data security tactics
Use Oracle database features, product
options, and 3rd party tools to execute your
strategic data security plan.
User Management
Access Controls
Monitoring
User management
Oracle Identity Management, OIM, automates
adding, updating, deleting user account
provisions from directories and applications
Oracle Enterprise Users, defines user in
directory for application lifecyle throughout the enterprise. OIM infrastructure, an
LDAP-compliant directory service to centrally store and manage users.
enterprise users: techniques
Two Tiered Architectures: DB & MW Admin ORACLE_BASE/ORACLE_HOME ORACLE_BASE/MW_HOME/WL_HOME[wlsever_10_3] ORACLE_BASE/MW_HOME/oes_coherence ORACLE_BASE/MW_HOME/oracle_common ORACLE_BASE/MW_HOME/user_projects/domains/oes_admin ORACLE_BASE/MW_HOME/oes_client
Access controls overview
At all times, “Least Privilege” access
permissions and security policies
Control row-level security at database table,
view, synonym, column-level
Prevent unauthorized access from
development and production teams
Access controls: FGAC
Virtual Private Database: FGAC
Create policies, for who can access what
rows by controlling WHERE clause
Oracle Label Security: VPD + row “column
Access controls: Multi-Factor
Multi-Factor Access Controls [MFAC]: who,
what statement, when, where, how data is accessed or audited
Implemented using Oracle Database Vault, or
Access controls: SoD
SEPARATION of DUTIES: Oracle Database
Vault
Divide privilege user (DBA) access among
several database roles to ensure no user has full control over data and system configuration
Prevents SYS user (DBA privileged) access
monitoring
Oracle Audit Vault, alerts suspicious access
of sensitive data, records ALL SQL
processing of database for compliance in secure repository for audit compliance
Enterprise Manager Configuration Pack,
collect information about system hardware, operating system, database tier, application tier for compliance and stability
data protection: mask
Oracle Data Masking, obfuscates sensitive
information: credit card, social security number, patient, or customer names,
Data can be replaced with realistic values.
Because Data Masking preserves application integrity, it allows production data to be safely used for non-production purposes
Data protection: encryption
Oracle Advanced Security, Transparent Data
Encryption for tablespace or column
Encryption provides “get out of jail free” pass
in event of data breach, as defined by government regulatory statutes such as California Senate Bill 1386
Data protection: backup
Oracle Secure Backup, centralized Tape
Backup System integrated with Oracle
Enterprise Manager and RMAN to encrypt data at rest
Protect heterogeneous file systems,
NAS,SAN
25-40% faster than comparable media
oracle 11g security options
Advanced Security Options Data Masking
Audit Vault Label Security Database Vault Total Recall
OEM Change Management Pack OEM Diagnostics Pack
OEM Tuning Pack Oracle Secure Backup
Options vs licensed features
Oracle 11g EE Options Oracle 11g Licensed Features
Data Masking PL/SQL, sql string functions, custom repository
Audit Vault Table trigger, PL/SQL, sys_context(), custom repository Label Security Virtual Private Database
Total Recall LogMiner
OEM Tuning Pack Explain plain, PL/SQL, custom repository
Database Vault - MFAC Table trigger, PL/SQL, sys_context(), custom repository Database Vault - SoD No
Advanced Security Options No OEM Change Management
Pack
No
Oracle security applications
Identity Management Suite:
Oracle Identity Directory Oracle Directory Integration Platform Oracle Virtual Directory Oracle Directory Services Manager Oracle Identify Federation
Identity and Asset Management Suite:
Oracle Identity Management Oracle Adaptive Access Management Oracle Access Management Oracle Identity Navigator
Enterprise virtualization
Sun Ray Software
Oracle Secure Global Desktop Oracle Virtual Box
summary
Be STRATEGIC in creating a data security plan and roadmap for your organization.
Be mindful of your organization's BUDGET, use knowledge of Oracle 11g licensed features
and unlicensed “options” to execute
information assurance and governance, risk and compliance obligations
more [email protected]
DatabaseVisions,Inc. an Oracle Systems Integrator and Reseller is Specialized in Oracle Database Security and frequently provides Deep Dive Consultations with
Federal and Commercial Account Managers to help modernize next-generation data
