1 Copyright 2012, Oracle and/or its affiliates. All rights reserved. Public Information

Transcription

1 1 Copyright 2012, Oracle and/or its affiliates. All rights reserved. Public Information

2 The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle s products remains at the sole discretion of Oracle. 2 Copyright 2012, Oracle and/or its affiliates. All rights reserved. Public Insert Information Protection Policy Classification from Slide 8

3 Privileged User Access Control with Oracle Database 11g Jaime Briggs Account Manager Strategic Accounts MSc CS, CCISP, CCSK 3 Copyright 2012, Oracle and/or its affiliates. All rights reserved. Public Information

4 Agenda Privileged User Risks Separation of Duties & Least Privilege Oracle Database Vault Demos Summary Q&A 4 Copyright 2012, Oracle and/or its affiliates. All rights reserved. Public Information

5 How Do Data Breaches Occur? 48% involved privilege misuse (+26%) 40% resulted from hacking (-24%) 38% utilized malware (<>) 28% employed social tactics (+16%) 15% comprised physical attacks (+6%) 2010 Data Breach Investigations Report 5 Copyright 2012, Oracle and/or its affiliates. All rights reserved. Public Information

6 Where Does Breached Data Come From? 2010 Data Breach Investigations Report 6 Copyright 2012, Oracle and/or its affiliates. All rights reserved. Public Information

7 76% Have No Preventive Controls on Privileged Database Users or Unsure Can you prevent DBAs & other privileged database users from reading/tampering with sensitive information in financial, HR, or other business applications? 7 Copyright 2012, Oracle and/or its affiliates. All rights reserved. Public Information

8 Three-Fourths Don t Have Safeguards To Prevent Accidental Harm to Databases Any safeguards preventing a database administrator from accidentally dropping a table or unintentionally causing harm to critical application databases? 8 Copyright 2012, Oracle and/or its affiliates. All rights reserved. Public Information

9 Separation of Duties 9 Copyright 2012, Oracle and/or its affiliates. All rights reserved. Public Information Source:

10 Least Privilege 10 Copyright 2012, Oracle and/or its affiliates. All rights reserved. Public Information Source:

11 Database Security Defense in Depth Mitigate Database Bypass Prevent Application Bypass Consolidate Auditing and Compliance Reporting Monitor Database Traffic and Block Threats Protect All Database Environments Prevent access to data at OS, storage, network, media layers Transparent data encryp:on for data at rest, in transit, on media Separa:on of du:es for key management Privileged user access control to limit access to applica:on data Mul:- factor authoriza:on for enforcing enterprise security policies Secure applica:on consolida:on Na:ve Oracle and non- Oracle database audi:ng, centralized audit policies Consolidate, secure, analyze audit trail, alert on suspicious ac:vi:es Report for compliance & security, automate database audit workflow Monitor Oracle & non- Oracle database traffic over the network Block threats like SQL injec:on alacks before reaching databases Enforce normal database ac:vity, lightweight monitoring Sensi:ve data discovery for produc:on Secure database lifecycle management, configura:on scanning, patch automa:on Mask data for nonproduc:on development & test 11 Copyright 2012, Oracle and/or its affiliates. All rights reserved. Public Information

12 Database Security Defense in Depth Mitigate Database Bypass Prevent Application Bypass Consolidate Auditing and Compliance Reporting Monitor Database Traffic and Block Threats Protect All Database Environments Privileged user access control to limit access to application data Multi-factor authorization for enforcing enterprise security policies Secure application consolidation 12 Copyright 2012, Oracle and/or its affiliates. All rights reserved. Public Information

13 Oracle Database Vault Privilege User Access Control Application Procurement HR Security DBA Application DBA Finance DBA select * from finance.customers Automatic and customizable DBA separation of duties Enforce who, where, when, and how data is accessed using rules and factors Enforce least privilege for privileged database users Prevent compromised privileged users accounts from accessing application data Securely consolidate application data and prevent application bypass Prevent ad hoc changes to the database by administrators 13 Copyright 2012, Oracle and/or its affiliates. All rights reserved. Public Information

14 Oracle Database Vault Realms Application Procurement HR Security DBA Application DBA Finance DBA select * from finance.customers Realms are protections zones (firewalls) inside the database to protect application data Use realms to control the use of system privileges to specific accounts or roles Default realms to address database governance Out-of-the box realms to protect popular Oracle and non-oracle applications 14 Copyright 2012, Oracle and/or its affiliates. All rights reserved. Public Information

15 Oracle Database Vault Strong Operational Controls Inside the Database Application Procurement HR Finance Built-in Factors: User Factors - Name - Authentication type - Session User - Proxy Enterprise Identity Network Factors - Machine name - Client IP - Network Protocols Database Factors - Database IP - Database Instance - Database Hostname - Database SID Runtime Factors - Language - Date/Day of Week - Time Rules to control how users can execute almost any SQL statement inside the database Command rules can take into account built-in and custom factors (numerous built in) Command rules can be system-wide, schema specific, and object specific Out-of-the box command rules for Oracle and non-oracle applications 15 Copyright 2012, Oracle and/or its affiliates. All rights reserved. Public Information

16 Oracle Database Vault Alerts and Reports Separation of duties Multi-factor access Procurement HR Alerts/Reports Finance Generate audit events on realm violations and command rule exceptions Demonstrate compliance using built-in reports for Realms Command rules Entitlements such as who has the DBA role Integrated with Oracle Audit Vault and Oracle Enterprise Manager for near real time alerting and monitoring 16 Copyright 2012, Oracle and/or its affiliates. All rights reserved. Public Information

17 Demo 17 Copyright 2012, Oracle and/or its affiliates. All rights reserved. Public Information

18 Oracle Database Vault Protection for Oracle and non-oracle Application Data Pre-built policies include realms and command rules Prevent DBA from accessing application data Prevent DBA from tampering with application objects Complement application security Customizable Oracle E-Business Suite 11i / R12 Oracle JD Edwards EnterpriseOne Oracle PeopleSoft Oracle Siebel SAP Oracle Retail Applications (Retek) Oracle Financial Services (i-flex) Oracle Utilities Applications Oracle Enterprise Taxation Management Finacle from Infosys 18 Copyright 2012, Oracle and/or its affiliates. All rights reserved. Public Information

19 Oracle Database Vault Secure Application Consolidation and Outsourcing $$$ Risk Consolidation results in multiple privileged accounts in a single database Oracle Database Vault enforces trusted paths to applications data Isolates consolidated apps from each other and prevents privilege escalation Enables outsourcing backend operations without giving access to data Secures applications data in the cloud 19 Copyright 2012, Oracle and/or its affiliates. All rights reserved. Public Information

20 Oracle Database Security: Defense-in-Depth Transparent Data Encryption, Privileged User Controls, Multi-Factor Authorization, Data Classification, and Change Tracking Maximum Security for Oracle Databases: Oracle Advanced Security Oracle Database Vault Oracle Label Security Oracle Total Recall Database Activity Auditing and Reporting, SQL Traffic Monitoring and Blocking, Real-Time Alerting Security for Oracle and non-oracle Databases Outside the Database: Oracle Audit Vault Oracle Database Firewall Secure Configuration Scanning, Automated Patching, Configuration Change Control, Data Masking for Test and Development Security for Production and non- Production Database Environments: Oracle Database Lifecycle Management Oracle Data Masking 20 Copyright 2012, Oracle and/or its affiliates. All rights reserved. Public Information

21 For More Information search.oracle.com database security or oracle.com/goto/database/database-vault oracle.com/goto/database/security-customers 21 Copyright 2012, Oracle and/or its affiliates. All rights reserved. Public Information

22 22 Copyright 2012, Oracle and/or its affiliates. All rights reserved. Public Information Q&A

23 23 Copyright 2012, Oracle and/or its affiliates. All rights reserved. Public Information

24 24 Copyright 2012, Oracle and/or its affiliates. All rights reserved. Public Information