Oracle Database Security
Gabriel Trauvitch – Master Principal Solutions Specialist – Grid Architect
Technology Presales – Greece & SEE
2
More Data Than Ever
[Chart, 2006 to 2011: growth doubles yearly; 1,800 exabytes]
Source: IDC, 2008
3
Oracle Database Security Business Drivers
• Data Consolidation, Globalization, Right Sourcing
• Compliance Mandates: SOX, FDA, Basel II, EU Directives, HIPAA, GLBA, SB1386, PCI
• Security Threats: Insider Threats, Industrial Espionage, Identity Theft
4
More Breaches Than Ever
Data Breach: Once exposed, the data is out there – the bell can’t be un-rung
[Chart: Publicly reported data breaches, 2005 to 2008; total personally identifying information records exposed (millions), axis 0 to 400; 630% increase]
Source: DataLossDB, Ponemon Institute, 2009
• Average cost of a data breach: $202 per record
• Average total cost exceeds $6.6 million per breach
5
More Threats Than Ever…
6
Market Overview: IT Security In 2009
There has been a clear and significant shift from what was
the widely recognized state of security just a few years ago.
Protecting the organization's information assets is the top
issue facing security programs: data security (90%) is most
often cited as an important or very important issue for IT
security organizations, followed by application security (86%).
Market Overview: IT Security In 2009
- Jonathan Penn, April 22, 2009
7
Data Security Challenges
• What to secure?
  • Sensitive Data: Confidential, PII, regulatory
  • Data in packaged and custom applications
  • Secure Life cycle: creation, transit, storage, backup, test, transfer
• Can we secure it now?
  • Secure using existing systems?
  • Transparent?
  • Loss, Unauthorized access, Separation of Duty
• Will it meet business requirements?
  • Flexible, Transparent, Compliant?
  • Secures both custom and packaged applications?
• Will it reduce operational cost?
  • Easy to manage?
  • Performant?
8
Oracle Database Security: Defense-in-Depth for Security and Compliance
• Access Control: Database Vault, Label Security
• Monitoring: Configuration Management, Audit Vault, Total Recall
• Encryption and Masking: Advanced Security, Secure Backup, Data Masking
9
Oracle Database Security: Defense-in-Depth for Security and Compliance
• Encryption and Masking: Advanced Security, Secure Backup, Data Masking
10
Oracle Advanced Security: Transparent Data Encryption
[Diagram labels: Application; Disk, Backups, Exports, Off-Site Facilities]
• No application changes required
• Efficient encryption of all application data
• Built-in key lifecycle management
• Works with Exadata V2 Smart Scans
• Works with Oracle Advanced Compression
11
Oracle Advanced Security: Network Encryption & Strong Authentication
• Standard-based encryption for data in transit
• Strong authentication of users and servers
• No infrastructure changes required
• Easy to implement
12
Oracle Secure Backup: Integrated Tape or Cloud Backup Management
• Secure data archival to tape or cloud
• Easy to administer key management
• Fastest Oracle Database tape backups
• Leverage low-cost cloud storage
13
Oracle Data Masking: Irreversible De-Identification
• Remove sensitive data from non-production databases
• Referential integrity preserved so applications continue to work
• Extensible template library and policies for automation
Production
LAST_NAME    SSN           SALARY
AGUILAR      203-33-3234   40,000
BENSON       323-22-2943   60,000
Non-Production
LAST_NAME    SSN           SALARY
ANSKEKSL     111-23-1111   40,000
BKJHHEIEDK   222-34-1345   60,000
14
Large Credit Card Services Provider: Cost Effective Encryption of Card Holder Data
Business Challenges
• Protect sensitive card holder data
• Comply with PCI
Solution
• Deployed Oracle Advanced Security TDE
Tablespace Encryption
Business Results
• Addressed internal and external requirements
• Leveraged Oracle Advanced Security integration
with Hardware Security Modules for network
based management of TDE master encryption key
15
U.S. Pharmaceutical Tools Manufacturer: Oracle Advanced Security Protects Sensitive Data
Business Challenges
• Worried about protection of intellectual
property and sensitive employee data
Solution
• Oracle Advanced Security TDE column
encryption
• Easy implementation within hours (Oracle
PeopleSoft)
• TDE with HSM made corporate-wide standard
• Average end-user response time: +2.5%
Business Results
• Cost effective and transparent implementation
of data encryption with no application changes
• Protection of sensitive data at rest and on
backup media
16
EMEA-based Real Estate Company: Data Masking Pack accelerated availability of production data for
testing while improving DBA productivity
Business Challenges
• Custom scripts to mask sensitive data were not
able to scale to meet growing data volumes
• DBA team under increasing pressure to make
production data available for application testing
within short time frames
Solution
• Data Masking Pack delivered an out-of-the-box
solution to replace custom database scripts
• High performance masking capabilities accelerated
masking process from 6 hours using database
scripts to 6 minutes using Data Masking Pack
Business Results
• 60 X performance improvement in masking process
resulted in faster turnaround of test system creation
• Improved DBA productivity by eliminating the
requirement to maintain custom scripts
17
Oracle Database Security: Defense-in-Depth for Security and Compliance
• Access Control: Database Vault, Label Security
• Encryption and Masking: Advanced Security, Secure Backup, Data Masking
18
Oracle Database Vault: Separation of Duties & Privileged User Controls
• DBA separation of duties
• Limit powers of privileged users
• Securely consolidate application data
• No application changes required
• Works with Oracle Exadata V2 Database Machine
[Diagram labels: Procurement, HR, Finance; Application; DBA: select * from finance.customers]
19
Oracle Database Vault: Multi-Factor Access Control Policy Enforcement
• Protect application data and prevent application by-pass
• Enforce who, where, when, and how using rules and factors
• Out-of-the box policies for Oracle applications, customizable
[Diagram labels: Procurement, HR, Rebates; Application]
20
Oracle Label Security: Data Classification for Access Control
• Classify users and data based on business drivers
• Database enforced row level access control
• Users classification through Oracle Identity Management Suite
• Classification labels can be factors in other policies
[Diagram labels: Transactions, Report Data, Reports; classification labels Confidential, Sensitive, Public]
21
Large US Based Global Bank: Enable Secure Cost Effective Deployments
Business Challenges
• Outsource administration of multiple applications (E-Business Suite,
PeopleSoft and other in-house and 3rd party applications)
• “Cross Border” security controls to protect country-specific sensitive
client data from DBA access in a different country
• Deploy a security solution that is certified with applications and with
minimal performance overhead
Solution
• Deployed Oracle Database Vault on 18+ applications including
E-Business Suite, PeopleSoft and other internal and 3rd party
applications to prevent privileged user access to application data
• Used Database Vault multi-factor authorization to enforce
cross-border access control and to prevent “Application Bypass”
• Over 200K users accessing these systems globally
Business Results
• Saved over $15M a year by outsourcing/off-shoring backend
administration operations
• Addressed “Cross Border” security requirements
• Passed external audit and avoided paying fines
22
Pharmaceutical Services Provider: Protect Sensitive Customer Information and Address Regulations
Business Challenges
• Protect and secure the privacy of very sensitive customer
medical data and employee data in PeopleSoft
• Comply with internal policies and external regulations
(HIPAA, SOX, Privacy Laws)
• Prevent privileged user access to sensitive data
Solution
• Deployed Oracle Database Vault with out-of-the-box
PeopleSoft protection policies
• Took 14 days to go into production
Business Results
• Complied with HIPAA and other privacy regulations
• Passed external audit
• Saved on consulting costs and deployment time by using
the out-of-the-box Database Vault protection policies
• Deployed Database Vault with minimal changes to
existing internal processes and procedures
23
Large European Telecom Provider: Enable Organization to Meet Regulations
Business Challenges
• Protect the privacy of sensitive client data in their telecom billing system
• Meet internal, European Data Security Directive, and country-specific
privacy requirements
• Prevent tampering or deletion of database objects or database users
Solution
• Used Database Vault Realms and Command Rules to prevent DBAs
from accessing sensitive data
• Used Command Rules to prevent tampering or deletion of database
objects or users
• Used multi-factor authorization to prevent “Application Bypass” based
on IP address
Business Results
• Secure the third party billing system without any application changes
• Comply with internal, European, and country-specific privacy laws
• Cost effective preventive controls against any tampering or deletion of
database objects or users
• Maintain good performance without buying additional hardware
24
Oracle Database Security: Defense-in-Depth for Security and Compliance
• Access Control: Database Vault, Label Security
• Monitoring: Configuration Management, Audit Vault, Total Recall
• Encryption and Masking: Advanced Security, Secure Backup, Data Masking
25
Oracle Audit Vault: Automated Activity Monitoring & Audit Reporting
• Consolidate audit data into secure repository
• Detect and alert on suspicious activities
• Out-of-the box compliance reporting
• Centralized audit policy management
[Diagram labels: CRM Data, ERP Data, Databases, HR Data; Audit Data; Policies, Built-in Reports, Alerts, Custom Reports; Auditor]
26
Oracle Total Recall: Secure Change Tracking
select salary from emp AS OF TIMESTAMP
TO_TIMESTAMP('02-MAY-09 12.00 AM', 'DD-MON-RR HH.MI AM') where emp.title = 'admin'
• Transparently track data changes
• Efficient, tamper-resistant storage of archives
• Real-time access to historical data
• Enables forensics and error correction
27
Oracle Configuration Management: Vulnerability Assessment & Secure Configuration
• Database discovery
• Continuous scanning against best practices
• Detect and prevent unauthorized configuration changes
• Change management compliance reports
[Diagram labels: Asset Management, Policy Management, Vulnerability Management, Configuration Management & Audit, Analysis & Analytics; Discover, Classify, Assess, Prioritize, Fix, Monitor]
28
European Healthcare Insurance Provider: Simplified Reporting and Stronger Security
Business Challenges
• Internal and external database audit requirements
across 10 Oracle and SQL Server databases
• Took 3 months and 2 part time people to create the
audit reports for yearly audit
• No monitoring for insider threats
Solution
• Oracle Audit Vault consolidated reporting on audit
data from Oracle and SQL Server
• Oracle Audit Vault consolidation of audit data
removed DBA from audit review process
Business Results
• Saved 100s of hours in report generation
• Worked with auditors to create customized reports
from the out-of-the box default reports for
personalized content
• Estimated return on investments in less than 18
months
29
Large Financial Services Provider: Stronger Controls
Business Challenges
• Audit credit card transactions
• 20+ production Oracle databases with native
auditing already turned on
• Need for reports and no resource or budget to
create and review them
Solution
• Oracle Audit Vault audit data collection and secure
centralized storage
• Audit Vault proactively monitors privileged user
access violations, failed database logins, and
generates forensic data
Business Results
• Passed internal audits
• Automated reporting on credit card transactions
• Secure consolidation of audit data
• Detected policy violations of database activity
• Deployed in production in 3 months
30
Large European Telco Provider: Address Telco Regulations on Call Records
Business Challenges
• Audit credit card transactions
• 20+ production Oracle databases with native
auditing already turned on
• Need for reports and no resource or budget to
create and review them
Solution
• Oracle Audit Vault audit data collection and secure
centralized storage
• Audit Vault proactively monitors privileged user
access violations, failed database logins, and
generates forensic data
Business Results
• Passed internal audits
• Automated reporting on credit card transactions
• Secure consolidation of audit data
• Detected policy violations of database activity
• Deployed in production in 3 months
31
Oracle Database Security: Defense-in-Depth for Security and Compliance
• Access Control: Database Vault, Label Security
• Monitoring: Configuration Management, Audit Vault, Total Recall
• Encryption and Masking: Advanced Security, Secure Backup, Data Masking
32
For More Information
oracle.com/database/security
search.oracle.com (search for "database security")