
Oracle Database 11g Release 2 Security Update and Plans: Defense-in-Depth

Vipin Samar, Vice President, Oracle Database Security

Program Agenda

- Today's Threat Landscape
- Defense-in-Depth Approach
- Oracle Database Security Solutions
- Oracle Database Firewall (New!)
- Summary
- Q&A

Why Secure the Database?

What's new now?
- Exploding data
- Highly available data
- Sophisticated hackers
- Opportunistic insiders

A lot at stake
- Customer, employee, citizen and corporate data
- Reputation
- Fines and penalties

Deployment triggers
- Audit findings
- Outsourcing/offshoring
- Data consolidation
- Data breaches in the sector

Security Technologies Deployed (diagram): End Point Security, Network Security, Email Security, Vulnerability Mgmt, Authentication, Identity Management and Other Security surround the Employee, Customer and Citizen users, with "DB Security?" shown as the open question.

How Does Data Get Compromised? (chart)
Source: Verizon 2010 Data Breach Investigations Report

Where Do Losses Come From? (chart)
92% of records came from compromised databases
Source: 2010 Data Breach Investigations Report

Top Attack Techniques (chart: % breaches and % records)
Source: 2010 Data Breach Investigations Report
Most records are lost through stolen credentials and SQL injection



Existing Security Solutions Not Enough (diagram)
Threats: key loggers, phishing, malware, botware, SQL injection, espionage, social engineering
Layers shown: Web Users, Application Users, Application, Database, Administrators
Data must be protected in depth

Database Security: Defense-In-Depth Approach

- Monitor and block threats before they reach databases
- Control access to data within the databases
- Track changes and audit database activity
- Encrypt data to prevent direct access

Implement with:
- Transparency: no changes to existing applications
- High performance: no measurable impact on applications
- Accuracy: minimal false positives and negatives


Oracle Database Security: Defense-in-Depth

Encryption and Masking: Oracle Advanced Security, Oracle Secure Backup, Oracle Data Masking
Access Control: Oracle Database Vault, Oracle Label Security
Auditing and Tracking: Oracle Audit Vault, Oracle Configuration Management, Oracle Total Recall
Monitoring and Blocking: Oracle Database Firewall


Oracle Advanced Security: End-to-end Encryption

Encryption covers (diagram): disk, backups, exports, application, off-site facilities

- Efficient encryption of all application data
- Built-in key lifecycle management
- No application changes required
- Works with Exadata and Oracle Advanced Compression

Oracle Advanced Security: Integrated with Oracle Enterprise Manager (screenshot)

TDE Column Encryption: Integrated with Oracle Enterprise Manager (screenshot)

Oracle Advanced Security: What's New and Coming?

Hardware acceleration support
- Performance impact already < 10% for most applications
- 7-10x performance gain with Intel Advanced Encryption Standard New Instructions (AES-NI) and Oracle SPARC T-3

Key management and HSM support
- Certified with SafeNet, Thales and Utimaco using PKCS #11
- Planned support for Oracle's Key Management System

Oracle Data Masking: Irreversible De-Identification

Production:
LAST_NAME   SSN           SALARY
AGUILAR     203-33-3234   40,000
BENSON      323-22-2943   60,000

Non-Production (masked):
LAST_NAME   SSN           SALARY
ANSKEKSL    11123-1111    40,000
BKJHHEIEDK  222-34-1345   60,000

- Mask sensitive data for test and partner systems
- Sophisticated masking: condition-based, compound, deterministic
- Extensible template library and policies for automation
- Leverage masking templates for common data types
- Integrated masking and cloning
- Masking of heterogeneous databases via database gateways (New)
- Command line support for data masking tasks (New)
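The deterministic masking the table illustrates (the same production value always maps to the same masked value, identifiers are replaced but SALARY is left intact) can be built from a keyed hash. This is an added example, not Oracle Data Masking's own code; the masking key, column names and sample rows are constructed for illustration.

```python
import hashlib
import hmac
import string

# Constructed sample rows shaped like the slide's production table.
PRODUCTION_ROWS = [
    {"LAST_NAME": "AGUILAR", "SSN": "203-33-3234", "SALARY": 40000},
    {"LAST_NAME": "BENSON", "SSN": "323-22-2943", "SALARY": 60000},
]

# Hypothetical masking key. It stays in production (e.g. a key store) and is
# never copied with the masked data, so the mapping cannot be reversed by
# anyone holding only the non-production copy.
MASKING_KEY = b"constructed-example-key"


def _keystream(key: bytes, label: str, n: int) -> bytes:
    """Derive n deterministic pseudo-random bytes from (key, label) with HMAC-SHA256."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hmac.new(key, f"{counter}:{label}".encode(), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def mask_last_name(name: str, key: bytes = MASKING_KEY) -> str:
    """Replace a surname with upper-case letters of the same length (the slight
    modulo bias is acceptable here: this is de-identification, not key material)."""
    stream = _keystream(key, "LAST_NAME:" + name, len(name))
    return "".join(string.ascii_uppercase[b % 26] for b in stream)


def mask_ssn(ssn: str, key: bytes = MASKING_KEY) -> str:
    """Replace the digits of an SSN while preserving the NNN-NN-NNNN layout."""
    digit_count = sum(c.isdigit() for c in ssn)
    new_digits = iter(str(b % 10) for b in _keystream(key, "SSN:" + ssn, digit_count))
    return "".join(next(new_digits) if c.isdigit() else c for c in ssn)


def mask_rows(rows, key: bytes = MASKING_KEY):
    """Build the non-production copy: identifiers masked, SALARY kept so tests stay realistic."""
    return [
        {"LAST_NAME": mask_last_name(r["LAST_NAME"], key),
         "SSN": mask_ssn(r["SSN"], key),
         "SALARY": r["SALARY"]}
        for r in rows
    ]
```

Because the mapping is keyed and deterministic, the same surname masks identically across tables, so joins in the test system still work.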

Oracle Data Masking: What's Coming?

- Sensitive data identification based on privacy attributes
- Application masking templates for E-Business Suite and Fusion Applications

Oracle Database Security: Defense-in-Depth (section divider)
Access Control: Oracle Database Vault, Oracle Label Security

Oracle Database Vault: Separation of Duties and Privileged User Controls

Diagram: a DBA issuing select * from finance.customers against the Procurement, HR and Finance application data is stopped, while the application's own access continues.

- Restricts application data from privileged users
- DBA separation of duties
- Securely consolidate application data
- No application changes required
- Works with Oracle Exadata

Oracle Database Vault: Multi-Factor Access Control Policy Enforcement

Diagram: application access to the Procurement, HR and Rebates data is allowed or denied according to rules and factors.

- Protect application data and prevent application bypass
- Enforce who, where, when and how using rules and factors
  - User factors: name, authentication type, proxy enterprise identity
  - Network factors: machine name, IP, network protocols
  - Database factors: IP, instance, hostname, SID
  - Runtime factors: date, time

Oracle Database Vault: Out-of-the-Box Protections for Applications

- Pre-built policies with further possible customization
- Complements application security
- Transparent to existing applications
- Minimal performance overhead

Certifications underway: Oracle Hyperion, Oracle Tax and Utilities, SAP, Infosys Finacle, Siebel, i-Flex, Retek, JD Edwards EnterpriseOne, Oracle E-Business Suite 11i / R12, PeopleSoft Applications

Oracle Label Security: Data Classification for Access Control

Diagram: data labelled Sensitive (transactions), Confidential (report data) and Public (reports) is matched against users cleared for Confidential or Sensitive.

- Classify users and data based on business drivers
- Database-enforced row-level access control
- User classification through Oracle Identity Management Suite
- Classification labels can be factors in Database Vault

Oracle Database Security: Defense-in-Depth (section divider)
Auditing and Tracking: Oracle Audit Vault, Oracle Configuration Management, Oracle Total Recall

Oracle Audit Vault: Automated Audit Collection and Reporting

Diagram: audit data from the HR, CRM and ERP databases flows into a central Audit Data warehouse, from which the auditor receives alerts, built-in reports, custom reports and policies.

- Consolidate audit data into a secure warehouse
- Create/customize compliance and entitlement reports
- Detect and raise alerts on suspicious activities
- Centralized audit policy management
- Integrated audit trail cleanup

Oracle Audit Vault: Consolidated Reports Span Enterprise Databases (screenshot)

Oracle Audit Vault 10.2.3.2: Default Reports (screenshot)

Oracle Configuration Management: Secure Configuration and Change Tracking

Out-of-box policies, user-defined policies and groups, real-time change detection, industry and regulatory frameworks, compliance dashboard

Optimized for Oracle, with industry-specific compliance dashboards

- Continuous scanning against best practices and gold baselines
- 200+ out-of-the-box policies spanning host, database and middleware
- Real-time detection of changes to processes, files, etc.
- Violations can trigger emails and create tickets
- Compliance reports mapped to compliance frameworks

Oracle Database Security: Defense-in-Depth (section divider)
Monitoring and Blocking: Oracle Database Firewall

Oracle Database Firewall: First Line of Defense

Diagram: SQL from applications passes through the firewall, where each statement is allowed, logged, alerted on, substituted or blocked; alerts, built-in reports, custom reports and policies are managed centrally.

- Prevent unauthorized activity, application bypass and SQL injection
- Highly accurate SQL grammar-based analysis
- Flexible enforcement options
- Built-in and custom compliance reports

Oracle Database Firewall: Security Model

Diagram: applications' SQL is checked against a white list; matching statements are allowed, others are blocked.

- White-list based policies enforce normal or expected behavior
- Evaluate factors such as time, day, network, application, etc.
- Easily generate white-lists for any application
- Log, alert, block or substitute out-of-policy SQL statements
- Black lists to stop unwanted SQL commands, users or schema access
- Superior performance and policy scalability based upon clustering
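To make the white-list model concrete, this added example (not Oracle Database Firewall's own code) reduces each inbound statement to its grammatical shape, checks it against a per-application white list plus network and time-of-day factors, and applies one of the enforcement actions listed above. The application name, subnet, business hours and white-listed statements are constructed assumptions.

```python
import re

# Constructed white list for a hypothetical "finance_app": the statement shapes
# the application is known to issue, with literals already replaced by "?".
WHITELIST = {
    "finance_app": {
        "select name, balance from finance.customers where id = ?",
        "update finance.customers set balance = ? where id = ?",
    }
}

# Constructed factor policy: the application only connects from its app-tier
# subnet and during business hours (hour of day, 24h clock).
FACTOR_POLICY = {"finance_app": {"networks": ("10.1.2.",), "hours": range(7, 20)}}

# Enforcement for out-of-policy SQL, one of the options the slide lists.
OUT_OF_POLICY_ACTION = "block"  # alternatives: "log", "alert", "substitute"
SUBSTITUTE_SQL = "select null from dual where 1 = 0"  # harmless statement, returns no rows

# Quoted strings (with '' escapes) and numeric constants.
_LITERAL = re.compile(r"'(?:[^']|'')*'|\b\d+(?:\.\d+)?\b")


def normalize(sql: str) -> str:
    """Reduce a statement to its grammatical shape: literals become ?, case and spacing are folded."""
    shape = _LITERAL.sub("?", sql.strip().rstrip(";"))
    return re.sub(r"\s+", " ", shape).lower()


def evaluate(app: str, client_ip: str, hour: int, sql: str) -> dict:
    """Decide what the firewall does with one inbound statement from `app`."""
    shape = normalize(sql)
    policy = FACTOR_POLICY.get(app, {})  # unknown application: no factors pass, so default deny
    factors_ok = client_ip.startswith(policy.get("networks", ())) and hour in policy.get("hours", ())
    in_whitelist = shape in WHITELIST.get(app, set())
    if in_whitelist and factors_ok:
        return {"action": "allow", "shape": shape, "sql": sql}
    reason = "statement shape not in white-list" if not in_whitelist else "factor check failed"
    if OUT_OF_POLICY_ACTION == "substitute":
        forwarded = SUBSTITUTE_SQL   # database sees a harmless query instead
    elif OUT_OF_POLICY_ACTION in ("log", "alert"):
        forwarded = sql              # passed through, but recorded / alerted on
    else:
        forwarded = None             # blocked: nothing reaches the database
    return {"action": OUT_OF_POLICY_ACTION, "shape": shape, "reason": reason, "sql": forwarded}
```

Matching on the normalized shape rather than the literal text is what lets a small white list cover every parameter value the application legitimately sends while still rejecting a DBA's ad-hoc select * from finance.customers.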


Oracle Database Firewall: Deployment Architecture

Diagram: inbound SQL traffic reaches the databases through a firewall in in-line blocking and monitoring mode, an HA in-line pair, or an out-of-band monitoring tap; redundant Management Servers host the Policy Analyzer.

- In-line blocking and monitoring, or out-of-band monitoring modes
- Monitoring of remote databases by forwarding network traffic
- Centralized policy management and reporting
- High availability options for Database Firewalls and Management Servers
- Support for multiple Oracle/non-Oracle databases with the same firewall

Oracle Database Security: Big Picture (diagram)
Network SQL monitoring and blocking (allow, log, alert, substitute, block) in front of the databases; audit consolidation; DB consolidation security, with Sensitive, Confidential and Public labels on the Procurement, HR and Rebates data, guarding against unauthorized local activity and local DBA privilege misuse; encrypted database, encrypted backups and encrypted exports; data masking.

Oracle Database Security: Key Differentiators

- Transparent
- Performant
- Certified with applications
- Best-in-class Defense-in-Depth

More Oracle Database Security Presentations

Monday:
- 12:30 pm: Making a Business Case for Information Security
- 3:30 pm: Oracle Database 11g Release 2 Security: Defense-in-Depth

Tuesday:
- 12:30 pm: Real-World Deployment and Best Practices: Oracle Audit Vault
- 2:00 pm: Real-World Deployment and Best Practices: Oracle Advanced Security
- 2:00 pm: Best Practices for Ensuring the Highest Enterprise Database Security
- 3:30 pm: Database Security Event Management: Oracle Audit Vault and ArcSight
- 5:00 pm: Real-World Deployment and Best Practices: Oracle Database Vault

Wednesday:
- 10:00 am: Protect Data and Save Money: Aberdeen
- 11:30 am: Preventing Database Attacks With Oracle Database Firewall
- 4:45 pm: Centralized Key Management and Performance: Oracle Advanced Security

Thursday:
- 10:30 am: Deploying Oracle Database 11g Securely on Oracle Solaris

Rooms, as listed on the slide (MS = Moscone South): MS 300, MS 103, MS 104, MS 300, MS 304, MS 300, MS 303, MS 306, MS 306, MS 306, MS 104

Oracle Database Security Hands-on Labs

Monday:
- Database Vault, 11:00 AM | Marriott Marquis, Salon 10 / 11
- Database Vault, 5:00 PM | Marriott Marquis, Salon 10 / 11

Tuesday:
- Database Security, 11:00 AM | Marriott Marquis, Salon 10 / 11

Thursday:
- Advanced Security, 12:00 PM | Marriott Marquis, Salon 10 / 11
- Audit Vault, 1:30 PM | Marriott Marquis, Salon 10 / 11

Oracle Database Security Demo Grounds

Moscone West: Oracle Database Firewall, Oracle Database Vault, Oracle Label Security, Oracle Audit Vault, Oracle Advanced Security, Oracle Database 11g Release 2 Security

Exhibition hours:
- Monday, September 20: 9:45 a.m. - 5:30 p.m.
- Tuesday, September 21: 9:45 a.m. - 5:30 p.m.
- Wednesday, September 22: 9:00 a.m. - 4:00 p.m.

The preceding is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.

For More Information

search.oracle.com: database security
oracle.com/database/security