Real-World Deployment and Best Practices with Oracle Advanced Security
Kurt Lysy, Principal Product Manager, Oracle Database Security
Matthew Stewart, Director, Information Security, Robert Morris University
Program Agenda

• Oracle Defense-in-Depth Solutions
• Oracle Advanced Security Overview
• Robert Morris University Presentation
• Q&A

Oracle Database Security: Defense-in-Depth

Encryption and Masking
• Oracle Advanced Security
• Oracle Secure Backup
• Oracle Data Masking

Access Control
• Oracle Database Vault
• Oracle Label Security

Auditing and Monitoring
• Oracle Audit Vault
• Oracle Configuration Management
• Oracle Total Recall

Blocking and Logging
• Oracle Database Firewall

Oracle Advanced Security: Transparent Data Encryption (TDE)

[Figure: TDE diagram; labels: Disk, Backups, Exports, Application, Off-Site Facilities]

• Efficient encryption of all application data
• Built-in key lifecycle management
• No application changes required
• Works with Exadata V2
• Works with Oracle Advanced Compression

Oracle Advanced Security: Key Features

[Figure: key features diagram; labels: Hardware Security Module, Strong Authentication, Network Encryption, Master Key, Oracle Wallet, Encrypted Exports, RMAN / TDE Fully Encrypted Database Backups to Disk]

Oracle Advanced Security: Creating Encrypted Tablespaces

Oracle Advanced Security: Configuring TDE Column Encryption

Robert Morris University Presentation

About Robert Morris University

Pittsburgh, 1921
5000 | 15:1
D-1 Sports

Students from nearly every state and 40 countries from Brazil to Vietnam.

93 percent of our graduates get jobs in their field within six months of graduation.

The "Financier of the American Revolution." He isn't as famous as his friend George Washington, but without Robert Morris, the American colonies' bold attempt to throw off British rule never could have succeeded.
IT Sec at RMU

• IT Team of 20
• Security Team of 2
• With a tight budget

• The mission of RMU's Information Security team is to deliver an information security program that helps to safeguard the University's information and assets while maintaining an open educational environment that is compliant with regulatory standards.
• To accomplish this mission, the Information Security team has many goals, including assessing current policies and procedures, developing new policies to protect University resources, assisting in establishing and strengthening technical baselines to protect university technical assets, reacting to incidents that endanger the Institute's information, proactively assessing and monitoring for possible security weaknesses, and educating the University community about relevant security threats.
IT Sec at RMU

Many responsibilities, including:
• Information Security
• Security Assessments
• Intrusion Analysis
• Secure Network Design
• Incident Response
• Firewall Architectures
• Vulnerability Assessment
• Training/Instruction
• Policy Development
• Records Retention
• Change Management
• Negotiations/Procurement
• Computer Forensics
• Data Loss Prevention
• Encryption
• Web Application Security
• Database Security
• Audit/Compliance
• End Point Security
• Patch Management
• Network Access Control
• Antivirus/Anti-Spyware
• Content Management
• SIEM
Threats against RMU

• Hackers
• Insiders
• Students
• Malware
• Phishing
• Physical Theft
• Access
• Mistakes

• Feb 2007: Ohio State University database compromise; at least 14,000 staff had their data compromised. A separate incident in Feb. had 3,500 students' data compromised.
• Aug 2008: Laptop with Social Security numbers stolen from University of Pittsburgh.
• June 2010: a bot infection compromised 15,806 Social Security numbers stored in a university database at Penn State University.
Government Regulations

Federal:
• FERPA
• HIPAA
• GLBA
• Red Flags
• NCAA

PA and Other:
• PA Breach and Notification
• Mass. Law Ch. 93H
• PCI Compliance
Where We Were

We were in pretty bad shape...

• Oracle 8.1
• Poor patch cycles
• Too much access to way too many people
• No web input sanitization

Very open... Very vulnerable


Layered Security Approach

• Layer #1 - Proactive Software Assurance
  – Applications: Web/Database
• Layer #2 - Blocking Attacks: Network-Based
  – Firewalls, Email Filtering
• Layer #3 - Blocking Attacks: Host-Based
  – Antivirus, Secure Configurations
• Layer #4 - Eliminating Security Vulnerabilities
  – Scanning, Patch Management
• Layer #5 - Safely Supporting Authorized Users
  – Encryption, Data Leak Prevention
• Layer #6 - Tools to Manage Security & Maximize Effectiveness
  – Training, Organizational Memberships and Awareness

***Diversity is amongst ALL layers***


Where We Are

• Moving to Oracle Database 11g on 64-bit Enterprise Linux
• Oracle Advanced Security
• Patch management process
• Input sanitization
• Reduced access... not perfect yet but good progress
• Web defenses
Where We Are

Oracle Adv. Security provides us with:
• Network Encryption
  – Encryption of data in motion
• Transparent Data Encryption (TDE)
  – Encryption of data at rest
  – Tablespace TDE
• Strong authentication (certificate-based authentication)
Where We Are: Tablespace TDE

• At-rest data encryption feature only in Oracle Database 11g
• Based on block-level encryption that encrypts on writes and decrypts on reads
• Data is encrypted/decrypted at the I/O (block) level and not in memory (unlike TDE column encryption, which performs the encryption in the PGA of the server process)
• The only encryption penalty is associated with I/O, so encryption performance overall is better than for TDE column encryption
• SQL access paths are unchanged and all data types are supported (there could be some I/O penalty assigned by the CBO, however)
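
An added example (not from the slides) of the 11g DDL behind the two TDE modes the slide compares: a master key in the wallet, an encrypted tablespace whose blocks are encrypted at the I/O layer, a column-encrypted table for contrast, and the views used to verify the result. The tablespace name, datafile path, table names and wallet password are assumptions, and the wallet location is assumed to be already set in sqlnet.ora.

```sql
-- Added example, not from the slides. Assumes Oracle Database 11g and an
-- ENCRYPTION_WALLET_LOCATION already set in sqlnet.ora; names, paths and
-- the password are placeholders.

-- 1. Create the TDE master key (this also creates the wallet on first use)
--    and open the wallet. Encrypted data is unreadable while it is closed,
--    so the open step belongs in every startup procedure.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "wallet_password_placeholder";
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "wallet_password_placeholder";

-- 2. Tablespace TDE: encryption happens on the block write and decryption
--    on the block read, so the buffer cache holds clear text and SQL access
--    paths are unchanged.
CREATE TABLESPACE secure_ts
  DATAFILE '/u01/oradata/orcl/secure_ts01.dbf' SIZE 200M
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

-- A table needs no ENCRYPT clause; placing it in the tablespace is enough.
-- (An existing tablespace cannot be encrypted in place in 11g; move the
-- tables into the new one, e.g. ALTER TABLE ... MOVE TABLESPACE secure_ts.)
CREATE TABLE student_record (
  student_id NUMBER       PRIMARY KEY,
  ssn        VARCHAR2(11) NOT NULL,
  last_name  VARCHAR2(60)
) TABLESPACE secure_ts;

-- 3. Column TDE for contrast: only the SSN column is encrypted, and the
--    work is done in the server process PGA on every access. NO SALT is
--    required here because the column is indexed (salted columns cannot be).
CREATE TABLE student_record_col (
  student_id NUMBER       PRIMARY KEY,
  ssn        VARCHAR2(11) ENCRYPT USING 'AES256' NO SALT,
  last_name  VARCHAR2(60)
);
CREATE INDEX student_record_col_ssn_ix ON student_record_col (ssn);

-- 4. Verify what is actually protected.
SELECT wrl_type, status FROM v$encryption_wallet;          -- expect OPEN
SELECT t.name, e.encryptionalg, e.encryptedts
  FROM v$encrypted_tablespaces e
  JOIN v$tablespace t ON t.ts# = e.ts#;
SELECT table_name, column_name, encryption_alg, salt
  FROM user_encrypted_columns;
```
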
How Did We Get There?

• Week 1, 2 days:
  – SSCP kickoff meeting: overview of network encryption and TDE
  – Identified application data to be encrypted
  – Ran healthcheck script in upgrade environment
  – Created initial draft of TDE tablespace encryption functional use cases
• Week 2, 2 days:
  – Deployed TDE tablespace encryption in upgrade environment
  – Performed use case testing of TDE tablespace encryption
• Week 3, 4 days:
  – Completed deployment of TDE tablespace encryption
  – Deployed network encryption in upgrade environment
  – Performed use case testing of network encryption
  – Knowledge transfer sessions
Performance Testing

• The applications team identified a set of five core application queries that would be tested and performance compared across the configurations:
  – student registration via Patriot client
  – checksheet batch processing
  – IRSE load processing
  – nightly processing
  – catalog course search
• The approach taken for each of the four test queries was to take event 10046 level 12 SQL traces within SQL*Plus using the procedure DBMS_SYSTEM.SET_EV, followed by running each generated trace file through TKPROF.
• The level 12 SQL traces were performed in each of the three test configurations.
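
An added example (not from the slides) of the tracing step described above: switching on event 10046 at level 12 for a test session with DBMS_SYSTEM.SET_EV, running one of the workloads, switching it off, and locating the trace file for TKPROF. The SID, serial number, schema name and trace-file identifier are assumptions.

```sql
-- Added example, not from the slides. Assumes a SYSDBA SQL*Plus session on
-- Oracle Database 11g; the SID, serial#, schema and file names below are
-- placeholders.

-- 1. Identify the application session to trace (e.g. the Patriot client).
SELECT sid, serial#, username, program, status
  FROM v$session
 WHERE username = 'APP_SCHEMA_PLACEHOLDER';

-- 2. Enable event 10046 at level 12 (SQL text + bind values + wait events)
--    for that session. Arguments: sid, serial#, event, level, name.
--    Level 12 is what the slide describes; level 8 gives waits without
--    binds if the bind values themselves are sensitive and not needed.
EXEC DBMS_SYSTEM.SET_EV(123, 4567, 10046, 12, '');

-- Alternative when the test query is run from this same SQL*Plus session:
ALTER SESSION SET TRACEFILE_IDENTIFIER = 'tde_tablespace_run1';
ALTER SESSION SET EVENTS '10046 trace name context forever, level 12';

-- 3. ... run the test query (student registration, checksheet batch, ...) ...

-- 4. Switch tracing off (level 0) so the trace file stops growing.
EXEC DBMS_SYSTEM.SET_EV(123, 4567, 10046, 0, '');
ALTER SESSION SET EVENTS '10046 trace name context off';

-- 5. Find the trace directory and this session's own trace file; the
--    remotely traced session writes to the same directory.
SELECT name, value
  FROM v$diag_info
 WHERE name IN ('Diag Trace', 'Default Trace File');

-- 6. From the OS shell, format the trace and compare the elapsed-time
--    columns across the three configurations:
--    tkprof orcl_ora_12345_tde_tablespace_run1.trc run1.prf sys=no sort=exeela,fchela
```
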
Performance Testing Results (secs)
Where We Are Going

What is the Security Pack?

• A team of deployment security experts to assist customers with going live with our database security products
• Products that we assist with:
  – Advanced Security, Database Vault, Audit Vault, Label Security, Database Firewall
• Customer agrees to be a reference
• Have your Oracle account rep nominate you for this valuable program!

More Oracle Database Security Presentations

• Monday:
  – 12:30 pm: Making a Business Case for Information Security, MS 300
  – 3:30 pm: Oracle Database 11g Release 2 Security: Defense-in-Depth, MS 103
• Tuesday:
  – 12:30 pm: Real-World Deployment and Best Practices: Oracle Audit Vault, MS 104
  – 2:00 pm: Real-World Deployment and Best Practices: Oracle Advanced Security, MS 300
  – 3:30 pm: Database Security Event Management: Oracle Audit Vault and ArcSight, MS 300
  – 5:00 pm: Real-World Deployment and Best Practices: Oracle Database Vault, MS 303
• Wednesday:
  – 10:00 am: Protect Data and Save Money: Aberdeen, MS 306
  – 11:30 am: Preventing Database Attacks With Oracle Database Firewall, MS 306
  – 4:45 pm: Centralized Key Management and Performance: Oracle Advanced Security, MS 306
• Thursday:
  – 10:30 am: Deploying Oracle Database 11g Securely on Oracle Solaris, MS 104

MS = Moscone South

Oracle Database Security Hands-on-Labs

• Monday:
  – Database Vault 11:00AM | Marriott Marquis, Salon 10 / 11
  – Database Vault 5:00PM | Marriott Marquis, Salon 10 / 11
• Tuesday:
  – Database Security 11:00AM | Marriott Marquis, Salon 10 / 11
• Thursday:
  – Advanced Security 12:00PM | Marriott Marquis, Salon 10 / 11
  – Audit Vault 1:30PM | Marriott Marquis, Salon 10 / 11

Oracle Database Security Demo Grounds
Moscone West

• Oracle Database Firewall
• Oracle Database Vault
• Oracle Label Security
• Oracle Audit Vault
• Oracle Advanced Security
• Oracle Database 11g Release 2 Security

Exhibition Hours
Monday, September 20: 9:45 a.m. - 5:30 p.m.
Tuesday, September 21: 9:45 a.m. - 5:30 p.m.
Wednesday, September 22: 9:00 a.m. - 4:00 p.m.

For More Information

search.oracle.com: database security

oracle.com/database/security

Q&A