Oracle Database Security

Gabriel Trauvitch – Master Principal Solutions Specialist – Grid Architect

Technology Presales – Greece & SEE

Ppt Security Database Overview 11gr2 100419083446 Phpapp02

More Data Than Ever

[Chart: data growth, 2006 to 2011; 1,800 exabytes; growth doubles yearly]

Source: IDC, 2008

Oracle Database Security Business Drivers

• Data Consolidation, Globalization, Right Sourcing

• Compliance Mandates: SOX, FDA, Basel II, EU Directives, HIPAA, GLBA, SB1386, PCI

• Security Threats: Insider Threats, Industrial Espionage, Identity Theft

More Breaches Than Ever

Data Breach: Once exposed, the data is out there – the bell can’t be un-rung

[Chart: publicly reported data breaches, 2005 to 2008; total personally identifying information records exposed (millions); 630% increase]

Source: DataLossDB, Ponemon Institute, 2009

• Average cost of a data breach: $202 per record

• Average total cost exceeds $6.6 million per breach

More Threats Than Ever…

Market Overview: IT Security In 2009

There has been a clear and significant shift from what was the widely recognized state of security just a few years ago. Protecting the organization's information assets is the top issue facing security programs: data security (90%) is most often cited as an important or very important issue for IT security organizations, followed by application security (86%).

Market Overview: IT Security In 2009 - Jonathan Penn, April 22, 2009

Data Security Challenges

• What to secure?

    • Sensitive Data: Confidential, PII, regulatory

    • Data in packaged and custom applications

    • Secure Life cycle: creation, transit, storage, backup, test, transfer

• Can we secure it now?

    • Secure using existing systems?

    • Transparent?

    • Loss, Unauthorized access, Separation of Duty

• Will it meet business requirements?

    • Flexible, Transparent, Compliant?

    • Secures both custom and packaged applications?

• Will it reduce operational cost?

    • Easy to manage?

    • Performant?

Oracle Database Security: Defense-in-Depth for Security and Compliance

• Access Control: Database Vault, Label Security

• Monitoring: Configuration Management, Audit Vault, Total Recall

• Encryption and Masking: Data Masking, Advanced Security, Secure Backup

Oracle Database Security: Defense-in-Depth for Security and Compliance

• Encryption and Masking: Data Masking, Advanced Security, Secure Backup

Oracle Advanced Security: Transparent Data Encryption

• No application changes required

• Efficient encryption of all application data

• Built-in key lifecycle management

• Works with Exadata V2 Smart Scans

• Works with Oracle Advanced Compression

[Diagram: Application; Disk, Backups, Exports, Off-Site Facilities]

Oracle Advanced Security: Network Encryption & Strong Authentication

• Standard-based encryption for data in transit

• Strong authentication of users and servers

• No infrastructure changes required

• Easy to implement

Oracle Secure Backup: Integrated Tape or Cloud Backup Management

• Secure data archival to tape or cloud

• Easy to administer key management

• Fastest Oracle Database tape backups

• Leverage low-cost cloud storage

Oracle Data Masking: Irreversible De-Identification

• Remove sensitive data from non-production databases

• Referential integrity preserved so applications continue to work

• Extensible template library and policies for automation

Production

LAST_NAME   SSN          SALARY
AGUILAR     203-33-3234  40,000
BENSON      323-22-2943  60,000

Non-Production

LAST_NAME   SSN          SALARY
ANSKEKSL    111-23-1111  40,000
BKJHHEIEDK  222-34-1345  60,000

Large Credit Card Services Provider: Cost Effective Encryption of Card Holder Data

Business Challenges

• Protect sensitive card holder data

• Comply with PCI

Solution

• Deployed Oracle Advanced Security TDE Tablespace Encryption

Business Results

• Addressed internal and external requirements

• Leveraged Oracle Advanced Security integration with Hardware Security Modules for network based management of TDE master encryption key

U.S. Pharmaceutical Tools Manufacturer: Oracle Advanced Security Protects Sensitive Data

Business Challenges

• Worried about protection of intellectual property and sensitive employee data

Solution

• Oracle Advanced Security TDE column encryption

• Easy implementation within hours (Oracle PeopleSoft)

• TDE with HSM made corporate-wide standard

• Average end-user response time: +2.5 %

Business Results

• Cost effective and transparent implementation of data encryption with no application changes

• Protection of sensitive data at rest and on backup media

EMEA-based Real Estate Company: Data Masking Pack accelerated availability of production data for testing while improving DBA productivity

Business Challenges

• Custom scripts to mask sensitive data were not able to scale to meet growing data volumes

• DBA team under increasing pressure to make production data available for application testing within short time frames

Solution

• Data Masking Pack delivered an out-of-the-box solution to replace custom database scripts

• High performance masking capabilities accelerated masking process from 6 hours using database scripts to 6 minutes using Data Masking Pack

Business Results

• 60 X performance improvement in masking process resulted in faster turnaround of test system creation

• Improved DBA productivity by eliminating the requirement to maintain custom scripts

Oracle Database Security: Defense-in-Depth for Security and Compliance

• Access Control: Database Vault, Label Security

• Encryption and Masking: Data Masking, Advanced Security, Secure Backup

Oracle Database Vault: Separation of Duties & Privileged User Controls

• DBA separation of duties

• Limit powers of privileged users

• Securely consolidate application data

• No application changes required

• Works with Oracle Exadata V2 Database Machine

[Diagram: Application; Procurement, HR, Finance; DBA: select * from finance.customers]

Oracle Database Vault: Multi-Factor Access Control Policy Enforcement

• Protect application data and prevent application by-pass

• Enforce who, where, when, and how using rules and factors

• Out-of-the-box policies for Oracle applications, customizable

[Diagram: Application; Procurement, HR, Rebates]

Oracle Label Security: Data Classification for Access Control

• Classify users and data based on business drivers

• Database enforced row level access control

• User classification through Oracle Identity Management Suite

• Classification labels can be factors in other policies

[Diagram: Transactions, Report Data, Reports; labels: Public, Confidential, Sensitive]

Large US Based Global Bank: Enable Secure Cost Effective Deployments

Business Challenges

• Outsource administration of multiple applications (E-Business Suite, PeopleSoft and other in-house and 3rd party applications)

• “Cross Border” security controls to protect country-specific sensitive client data from DBA access in a different country

• Deploy a security solution that is certified with applications and with minimal performance overhead

Solution

• Deployed Oracle Database Vault on 18+ applications including E-Business Suite, PeopleSoft and other internal and 3rd party applications to prevent privileged user access to application data

• Used Database Vault multi-factor authorization to enforce cross-border access control and to prevent “Application Bypass”

• Over 200K users accessing these systems globally

Business Results

• Saved over $15M a year by outsourcing/off-shoring backend administration operations

• Addressed “Cross Border” security requirements

• Passed external audit and avoided paying fines

Pharmaceutical Services Provider: Protect Sensitive Customer Information and Address Regulations

Business Challenges

• Protect and secure the privacy of very sensitive customer medical data and employee data in PeopleSoft

• Comply with internal policies and external regulations (HIPAA, SOX, Privacy Laws)

• Prevent privileged user access to sensitive data

Solution

• Deployed Oracle Database Vault with out-of-the-box PeopleSoft protection policies

• Took 14 days to go to production

Business Results

• Complied with HIPAA and other privacy regulations

• Passed external audit

• Saved on consulting costs and deployment time by using the out-of-the-box Database Vault protection policies

• Deployed Database Vault with minimal changes to existing internal processes and procedures

Large European Telecom Provider: Enable Organization to Meet Regulations

Business Challenges

• Protect the privacy of sensitive client data in their telecom billing system

• Meet internal, European Data Security Directive, and country-specific privacy requirements

• Prevent tampering or deletion of database objects or database users

Solution

• Used Database Vault Realms and Command Rules to prevent DBAs from accessing sensitive data

• Used Command Rules to prevent tampering or deletion of database objects or users

• Used multi-factor authorization to prevent “Application Bypass” based on IP address

Business Results

• Secure the third party billing system without any application changes

• Comply with internal, European, and country-specific privacy laws

• Cost effective preventive controls against any tampering or deletion of database objects or users

• Maintain good performance without buying additional hardware

Oracle Database Security: Defense-in-Depth for Security and Compliance

• Access Control: Database Vault, Label Security

• Monitoring: Configuration Management, Audit Vault, Total Recall

• Encryption and Masking: Data Masking, Advanced Security, Secure Backup

Oracle Audit Vault: Automated Activity Monitoring & Audit Reporting

• Consolidate audit data into secure repository

• Detect and alert on suspicious activities

• Out-of-the-box compliance reporting

• Centralized audit policy management

[Diagram: CRM Data, ERP Data, Databases, HR Data; Audit Data; Policies; Built-in Reports; Alerts; Custom Reports; Auditor]

Oracle Total Recall: Secure Change Tracking

select salary from emp AS OF TIMESTAMP '02-MAY-09 12.00 AM' where emp.title = 'admin'

• Transparently track data changes

• Efficient, tamper-resistant storage of archives

• Real-time access to historical data

• Enables forensics and error correction

Oracle Configuration Management: Vulnerability Assessment & Secure Configuration

• Database discovery

• Continuous scanning against best practices

• Detect and prevent unauthorized configuration changes

• Change management compliance reports

[Diagram: Assess, Classify, Monitor, Discover, Prioritize, Fix; Asset Management, Policy Management, Vulnerability Management, Configuration Management & Audit, Analysis & Analytics]

European Healthcare Insurance Provider: Simplified Reporting and Stronger Security

Business Challenges

• Internal and external database audit requirements across 10 Oracle and SQL Server databases

• Took 3 months and 2 part time people to create the audit reports for yearly audit

• No monitoring for insider threats

Solution

• Oracle Audit Vault consolidated reporting on audit data from Oracle and SQL Server

• Oracle Audit Vault consolidation of audit data removed DBA from audit review process

Business Results

• Saved 100's of hours in report generation

• Worked with auditors to create customized reports from the out-of-the-box default reports for personalized content

• Estimated return on investments in less than 18 months

Large Financial Services Provider: Stronger Controls

Business Challenges

• Audit credit card transactions

• 20+ production Oracle databases with native auditing already turned on

• Need for reports and no resource or budget to create and review them

Solution

• Oracle Audit Vault audit data collection and secure centralized storage

• Audit Vault proactively monitors privileged user access violations, failed database logins, and generates forensic data

Business Results

• Passed internal audits

• Automated reporting on credit card transactions

• Secure consolidation of audit data

• Detected policy violations of database activity

• Deployed in production in 3 months

Large European Telco Provider: Address Telco Regulations on Call Records

Business Challenges

• Audit credit card transactions

• 20+ production Oracle databases with native auditing already turned on

• Need for reports and no resource or budget to create and review them

Solution

• Oracle Audit Vault audit data collection and secure centralized storage

• Audit Vault proactively monitors privileged user access violations, failed database logins, and generates forensic data

Business Results

• Passed internal audits

• Automated reporting on credit card transactions

• Secure consolidation of audit data

• Detected policy violations of database activity

• Deployed in production in 3 months

Oracle Database Security: Defense-in-Depth for Security and Compliance

• Access Control: Database Vault, Label Security

• Monitoring: Configuration Management, Audit Vault, Total Recall

• Encryption and Masking: Data Masking, Advanced Security, Secure Backup

For More Information

oracle.com/database/security

search.oracle.com

database security
