Data Security Challenges
• What to secure?
• Sensitive Data: Confidential, PII, regulatory
• Data in packaged and custom applications
• Secure Life cycle: creation, transit, storage, backup, test, transfer
• Can we secure it now?
• Secure using existing systems?
• Transparent?
• Loss, Unauthorized access, Separation of Duty
• Will it meet business requirements?
• Flexible, Transparent, Compliant?
• Secures both custom and packaged applications?
• Will it reduce operational cost?
• Easy to manage?
Oracle Database Security
Defense-in-Depth for Security and Compliance
[Diagram: Monitoring (Audit Vault, Total Recall, Configuration Management); Access Control (Database Vault, Label Security); Encryption and Masking (Advanced Security, Data Masking)]
Oracle Database Security
Defense-in-Depth for Security and Compliance
Encryption and Masking
Oracle Advanced Security
Transparent Data Encryption
[Diagram: Application, Disk, Backups, Exports, Off-Site Facilities]
• No application changes required
• Efficient encryption of all application data
• Built-in key lifecycle management
Security Tip
• Migrate Oracle PeopleSoft applications to encrypted tablespaces without downtime and data loss with this FREE downloadable script and detailed implementation guide from here
http://www.oracle.com/technology/deploy/security/dat
Oracle Advanced Security
Network Encryption & Strong Authentication
• Standards-based encryption for data in transit
• Strong authentication of users and servers
Oracle Secure Backup
Integrated Tape or Cloud Backup Management
• Secure data archival to tape or cloud
• Easy to administer key management
• Fastest Oracle Database tape backups
Oracle Data Masking
Irreversible De-Identification
Production
LAST_NAME    SSN           SALARY
AGUILAR      203-33-3234   40,000
BENSON       323-22-2943   60,000
Non-Production
LAST_NAME    SSN           SALARY
ANSKEKSL     111-23-1111   40,000
BKJHHEIEDK   222-34-1345   60,000
• Remove sensitive data from non-production databases
• Referential integrity preserved so applications continue to work
Large Credit Card Services Provider
Cost Effective Encryption of Card Holder Data
Business Challenges
• Protect sensitive card holder data
• Comply with PCI
Solution
• Deployed Oracle Advanced Security TDE Tablespace Encryption
Business Results
• Addressed internal and external requirements
• Leveraged Oracle Advanced Security integration with Hardware Security Modules for network
U.S. Pharmaceutical Tools Manufacturer
Oracle Advanced Security Protects Sensitive Data
Business Challenges
• Worried about protection of intellectual property and sensitive employee data
Solution
• Oracle Advanced Security TDE column encryption
• Easy implementation within hours (Oracle PeopleSoft)
• TDE with HSM made corporate-wide standard
• Average end-user response time: +2.5 %
Business Results
• Cost effective and transparent implementation of data encryption with no application changes
• Protection of sensitive data at rest and on
Oracle Database Security
Defense-in-Depth for Security and Compliance
[Diagram: Access Control (Database Vault, Label Security); Encryption and Masking]
Oracle Database Vault
Separation of Duties & Privileged User Controls
[Diagram: Procurement, HR, Finance; Application; DBA issuing: select * from finance.customers]
• DBA separation of duties
• Limit powers of privileged users
• Securely consolidate application data
Oracle Database Vault
Multi-Factor Access Control Policy Enforcement
[Diagram: Procurement, HR, Rebates; Application]
• Protect application data and prevent application by-pass
• Enforce who, where, when, and how using rules and factors
Oracle Label Security
Data Classification for Access Control
[Diagram: Transactions, Report Data and Reports, with rows labeled Sensitive, Confidential or Public]
• Classify users and data based on business drivers
• Database enforced row level access control
• User classification through Oracle Identity Management Suite
Did you know?
• Finding User Accounts That Have Default Passwords
• When you create a database in Oracle Database 11g Release 2 (11.2), most of its default accounts are locked with the passwords expired.
• To find both locked and unlocked accounts that use default passwords, log in to SQL*Plus using the SYSDBA privilege and then query the DBA_USERS_WITH_DEFPWD data dictionary view.
SELECT d.username, u.account_status
FROM DBA_USERS_WITH_DEFPWD d, DBA_USERS u
WHERE d.username = u.username
ORDER BY 2, 1;
USERNAME ACCOUNT_STATUS
Large US Based Global Bank
Enable Secure Cost Effective Deployments
Business Challenges
• Outsource administration of multiple applications (E-Business Suite, PeopleSoft and other in-house and 3rd party applications)
• “Cross Border” security controls to protect country-specific sensitive client data from DBA access in a different country
• Deploy a security solution that is certified with applications and with minimal performance overhead
Solution
• Deployed Oracle Database Vault on 18+ applications including E-Business Suite, PeopleSoft and other internal and 3rd party applications to prevent privileged user access to application data
• Used Database Vault multi-factor authorization to enforce cross-border access control and to prevent “Application Bypass”
• Over 200K users accessing these systems globally
Business Results
• Saved over $15M a year by outsourcing/off-shoring backend administration operations
Pharmaceutical Services Provider
Protect Sensitive Customer Information and Address Regulations
Business Challenges
• Protect and secure the privacy of very sensitive customer medical data and employee data in PeopleSoft
• Comply with internal policies and external regulations (HIPAA, SOX, Privacy Laws)
• Prevent privileged user access to sensitive data
Solution
• Deployed Oracle Database Vault with out-of-the-box PeopleSoft protection policies
• Took 14 days to go to production
Business Results
• Complied with HIPAA and other privacy regulations
• Passed external audit
• Saved on consulting costs and deployment time by using the out-of-the-box Database Vault protection policies
• Deployed Database Vault with minimal changes to
Large European Telecom Provider
Enable Organization to Meet Regulations
Business Challenges
• Protect the privacy of sensitive client data in their telecom billing system
• Meet internal, European Data Security Directive, and country-specific privacy requirements
• Prevent tampering or deletion of database objects or database users
Solution
• Used Database Vault Realms and Command Rules to prevent DBAs from accessing sensitive data
• Used Command Rules to prevent tampering or deletion of database objects or users
• Used multi-factor authorization to prevent “Application Bypass” based on IP address
Business Results
• Secure the third party billing system without any application changes
• Comply with internal, European, and country-specific privacy laws
• Cost effective preventive controls against any tampering or deletion of database objects or users
Oracle Database Security
Defense-in-Depth for Security and Compliance
[Diagram: Monitoring (Audit Vault, Total Recall, Configuration Management); Access Control (Database Vault, Label Security); Encryption and Masking]
Oracle Audit Vault
Automated Activity Monitoring & Audit Reporting
[Diagram: Databases (HR Data, CRM Data, ERP Data); Audit Data; Policies; Alerts; Built-in Reports; Custom Reports; Auditor]
• Consolidate audit data into secure repository
• Detect and alert on suspicious activities
• Out-of-the-box compliance reporting
Security Tip
• Want to audit users that log into the database at odd hours?
• New in Oracle Database Release 11.2
• Audit statements for current session using IN SESSION CURRENT clause
• Create a database logon trigger
• If the login time is between 7:00 PM – 6:00 AM, and not connecting from a ‘trusted’ middle-tier, audit all activity
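The tip above written out as a logon trigger. This is an added example, not code from the original slides: the trigger name and the middle-tier addresses are hypothetical placeholders, and it assumes the trigger owner holds AUDIT SYSTEM and ADMINISTER DATABASE TRIGGER through direct grants and that the database audit trail is enabled.

```sql
-- Added example (not from the original slides).
-- Hypothetical names: trigger AUDIT_ODD_HOURS_TRG, the address list below.
-- Assumed: owner has AUDIT SYSTEM and ADMINISTER DATABASE TRIGGER granted
-- directly (roles are not active inside a stored trigger), AUDIT_TRAIL is on.
CREATE OR REPLACE TRIGGER audit_odd_hours_trg
AFTER LOGON ON DATABASE
DECLARE
  -- AUDIT is DDL and commits implicitly; keep that commit inside the trigger.
  PRAGMA AUTONOMOUS_TRANSACTION;
  v_hour      PLS_INTEGER  := TO_NUMBER(TO_CHAR(SYSDATE, 'HH24'));
  v_client_ip VARCHAR2(64) := SYS_CONTEXT('USERENV', 'IP_ADDRESS');
  v_untrusted BOOLEAN;
BEGIN
  -- Constructed placeholder addresses standing in for the trusted middle tier.
  -- A NULL address (local, non-network connection) is treated as untrusted.
  v_untrusted := v_client_ip IS NULL
                 OR v_client_ip NOT IN ('192.0.2.10', '192.0.2.11');

  -- 7:00 PM to 6:00 AM crosses midnight, so the window is two hour ranges.
  IF (v_hour >= 19 OR v_hour < 6) AND v_untrusted THEN
    EXECUTE IMMEDIATE 'AUDIT ALL STATEMENTS IN SESSION CURRENT';
  END IF;
  -- No exception handler on purpose: an error here fails the logon for
  -- accounts without ADMINISTER DATABASE TRIGGER, so test before deploying.
END;
/

-- Review what the odd-hours sessions did (database audit trail assumed).
SELECT username, userhost, timestamp, action_name, obj_name
FROM   dba_audit_trail
WHERE  timestamp > SYSDATE - 1
ORDER  BY timestamp;
```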
Oracle Database Auditing Performance
Audit users/tables effectively
• Oracle Database 11.2
• 4 – CPU 3.6 GHz, 4GB RAM
• ~250 audit records / second
• Linux 2.6.9-34.0.1.0.11.ELsmp
• Existing CPU Work Load: 50%
[Chart: Throughput by Audit Location]
Oracle Total Recall
Secure Change Tracking
select salary from emp AS OF TIMESTAMP TO_TIMESTAMP('02-MAY-09 12.00 AM', 'DD-MON-RR HH.MI AM') where emp.title = 'admin'
• Transparently track data changes
• Efficient, tamper-resistant storage of archives
• Real-time access to historical data
Oracle Configuration Management
Vulnerability Assessment & Secure Configuration
[Diagram: Discover, Classify, Assess, Prioritize, Fix, Monitor; Asset Management, Policy Management, Vulnerability Management, Configuration Management & Audit, Analysis & Analytics]
• Database discovery
• Continuous scanning against best practices
• Detect and prevent unauthorized configuration changes
European Healthcare Insurance Provider
Simplified Reporting and Stronger Security
Business Challenges
• Internal and external database audit requirements across 10 Oracle and SQL Server databases
• Took 3 months and 2 part time people to create the audit reports for yearly audit
• No monitoring for insider threats
Solution
• Oracle Audit Vault consolidated reporting on audit data from Oracle and SQL Server
• Oracle Audit Vault consolidation of audit data removed DBA from audit review process
Business Results
• Saved 100’s of hours in report generation
• Worked with auditors to create customized reports from the out-of-the-box default reports for personalized content
Large Financial Services Provider
Stronger Controls
Business Challenges
• Audit credit card transactions
• 20+ production Oracle databases with native auditing already turned on
• Need for reports and no resource or budget to create and review them
Solution
• Oracle Audit Vault audit data collection and secure centralized storage
• Audit Vault proactively monitors privileged user access violations, failed database logins, and generates forensic data
Business Results
• Passed internal audits
• Automated reporting on credit card transactions
• Secure consolidation of audit data
Large European Telco Provider
Address Telco Regulations on Call Records
Business Challenges
• Audit credit card transactions
• 20+ production Oracle databases with native auditing already turned on
• Need for reports and no resource or budget to create and review them
Solution
• Oracle Audit Vault audit data collection and secure centralized storage
• Audit Vault proactively monitors privileged user access violations, failed database logins, and generates forensic data
Business Results
• Passed internal audits
• Automated reporting on credit card transactions
• Secure consolidation of audit data
Oracle Database Security
Defense-in-Depth for Security and Compliance
[Diagram: Monitoring (Audit Vault, Total Recall, Configuration Management); Access Control (Database Vault, Label Security); Encryption and Masking (Advanced Security, Data Masking)]
For More Information
search.oracle.com
database security