Oracle Database Security: Advanced Security Option
Thanos Terentes Printzios, DB & Options Specialist, A&C Technology Adoption Office, Oracle Partner Business Development, ECEMEA
What is a customer's most valuable asset? INFORMATION

Information is Data
- Two-thirds of sensitive and regulated information now resides in databases, and it is doubling every two years.
- Examples of sensitive data: HR data, citizen data, credit cards, customer data, financial data, classified government information, trade secrets, competitive bids, corporate plans, source code, bug database.
- 48% of data breaches caused by insiders
- 89% of records stolen using SQL injection
- 86% of hacking used stolen credentials
Source: Verizon, 2007-11 & IDC, "Effective Data Leak Prevention Programs: Start by Protecting Data at the Source", August 2011
Why Database Security?
- Two-thirds of sensitive regulated information now resides in databases, and it is doubling every 2 years. Source: "Effective Data Leak Prevention Programs: Start by Protecting Data at the Source, Your Databases", IDC, August 2011
- Of all the records breached at large organizations, 98% involved a compromised database server. Source: Verizon Business 2012 Data Breach Investigations Report, Verizon, June 2012
[Chart: growth timeline with axis years 2001, 2006, 2011, 2012]

IT Security Not Addressing Database Security
Databases hold the crown jewels for organizations but often don't get the strong focus they need when it comes to data security planning. Forrester estimates that although 70% of enterprises have an information security plan, only 20% of enterprises have a database security plan.
Source: Creating An Enterprise Database Security Plan, July 2010

Data Security Becoming Top IT Priority
Source: Forrester Research Inc., The State Of Enterprise IT Security And Emerging Trends: 2009 To 2010, Jan. 25th 2010

Why Secure the Database?
Copyright 2012, Oracle and/or its affiliates. All rights reserved.
Database Security Defense in Depth
- Mitigate Database Bypass
  - Prevent access to data at OS, storage, network, media layers
  - Transparent data encryption for data at rest, in transit, on media
  - Separation of duties for key management
- Prevent Application Bypass
  - Privileged user access control to limit access to application data
  - Multi-factor authorization for enforcing enterprise security policies
  - Secure application consolidation
- Consolidate Auditing and Compliance Reporting
  - Native Oracle and non-Oracle database auditing, centralized audit policies
  - Consolidate, secure, analyze audit trail, alert on suspicious activities
  - Report for compliance & security, automate database audit workflow
- Monitor Database Traffic and Block Threats
  - Monitor Oracle & non-Oracle database traffic over the network
  - Block threats like SQL injection attacks before reaching databases
  - Enforce normal database activity, lightweight monitoring
- Protect All Database Environments
  - Sensitive data discovery for production
  - Secure database lifecycle management, configuration scanning, patch automation
  - Mask data for non-production development & test

Database Security Defense in Depth: Mitigate Database Bypass
- Prevent access to data at OS, storage, network, media layers
- Transparent data encryption for data at rest, in transit, on media
- Separation of duties for key management
Advanced Security Option: Easy Data Encryption in the Database

Oracle Advanced Security: Protect Data from Unauthorized Database Users
[Diagram: data paths covered: Disk, Application, Backups, Exports, Off-Site Facilities]
- Prevents database bypass with complete end-to-end data encryption
- Efficient application data encryption without application changes
- Built-in key management with separation of duties
- High performance and easy to deploy

Oracle Advanced Security: Database Traffic Network Encryption
- Network traffic entirely encrypted to prevent man-in-the-middle attacks: AES, RSA RC4, and DES/3DES
- Data integrity checksums prevent modification, replay, missing packets, etc.: MD5 and SHA-1
- No infrastructure changes required, point-and-click implementation

Oracle Advanced Security: Strong Authentication
- Authenticates users, servers, and linked databases
- Centralizes authentication, taking it out of the DBA's exclusive control
- Supports single sign-on deployments and popular directory services
- Enables strong multi-factor authentication
Evolution of Oracle Advanced Security
- Oracle 9i: Network Encryption & Strong Authentication
- Oracle 10g: Column TDE & Wallet Key Management
- Oracle 11g: Tablespace TDE & Hardware Acceleration & Exadata Optimizations

Transparent Data Encryption: Encryption Key Architecture
[Diagram: the Master Key is held either in an Oracle Wallet (Standard Wallet, Auto-Open Wallet, or Local Auto-Open Wallet) or in a Hardware Security Module; the master key protects the Table Key used by TDE Column Encryption and the Tablespace Key used by TDE Tablespace Encryption]
Oracle Advanced Security: Transparent Data Encryption for Columns
- Support for all column types, including Oracle Database 11g SecureFile
- Data is cached encrypted in the SGA
- Decrypted only when you dereference it, encrypted every time you modify it
- Indexing supported, but the index is indexing encrypted data (not sorted!)
- Encryption keys are table specific, so foreign key constraints cannot be enforced on encrypted columns
- Undo and Redo generated are encrypted

Oracle Advanced Security: Transparent Data Encryption for Tablespaces
- All tables in the tablespace are encrypted, no need to identify specific columns
- Data encrypted at block level as it is written out to disk, decrypted when read in
- Data is cached in the SGA unencrypted
- Index contains clear text (blocks are encrypted), so no limitations on index use
- Encryption keys are tablespace specific, so foreign key constraints can be enforced
- Undo and Redo generated are encrypted

Encrypted Tablespaces in Exadata X2
- Exadata Smart Scans: encrypted tablespaces can be Smart Scanned; query processing is offloaded to the storage cells
- Hybrid Columnar Compression: crypto processing occurs on compressed data, resulting in much less data to encrypt & decrypt
- Exadata Cryptographic Acceleration: Intel AES-NI and Oracle SPARC hardware accelerate the crypto processing by 5x or more
Oracle Advanced Security: Transparent Data Encryption Built-In Key Management
[Diagram: Table and Tablespace Keys, protected by the Master Key, which lives in an Oracle Wallet or, via the PKCS #11 API, in an HSM]
- Generate, store, and rotate encryption keys
- Two-tier key management architecture
  - Table and Tablespace keys used to encrypt data (stored in the database for performance)
  - Master key used to encrypt Table and Tablespace keys
  - Master key is stored in an External Security Module (outside the database): Oracle Wallet (PKCS #12 file), or a Hardware Security Module (HSM), which meets FIPS & Common Criteria requirements, using the PKCS #11 API
- Separation of duties: wallet password is separate from the System or DBA password
- Create a wallet and generate the master key:
  SQL> alter system set encryption key identified by "e3car61";
- Open the wallet:
  SQL> alter system set encryption wallet open identified by "e3car61";
- Rotate the master key (table/tablespace keys re-encrypted):
  SQL> alter system set encryption key identified by "2naf1sh";
- Rotate table/tablespace keys (data re-encrypted):
  SQL> alter table employee rekey;
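The wallet and key lifecycle above, written out as a worked script with the checks a DBA would run after each step. This is an added example, not code from the deck or from Oracle; it assumes Oracle Database 11g syntax, that sqlnet.ora already has an ENCRYPTION_WALLET_LOCATION pointing at a wallet directory, and that the session holds ALTER SYSTEM. The wallet password and the EMPLOYEE table are placeholders.

```sql
-- Added example: TDE master-key lifecycle with verification (placeholder values).

-- 1. First run only: create the wallet and generate the initial master key.
--    The password becomes the wallet password, which is NOT the SYS/DBA password
--    (this is the separation of duties the deck describes).
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "WalletPwd#placeholder";

-- 2. A standard (non auto-open) wallet is closed after every instance restart;
--    encrypted data is unreadable until someone with the wallet password opens it.
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "WalletPwd#placeholder";

-- 3. Check the wallet: STATUS should be OPEN; WRL_TYPE is 'file' for an
--    Oracle Wallet or 'HSM' when the master key sits in a hardware module.
SELECT wrl_type, wrl_parameter, status
FROM   v$encryption_wallet;

-- 4. Rotate the master key. Only the table/tablespace keys are re-encrypted
--    under the new master key; no row data is rewritten, so this is cheap.
--    The wallet password is supplied to authorise the operation.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "WalletPwd#placeholder";

-- 5. Rotate a table key. This regenerates the key for EMPLOYEE and re-encrypts
--    every encrypted column in it, so it rewrites data and takes time/IO.
ALTER TABLE employee REKEY;

-- 6. Closing the wallet (for example on a standby copy that should not serve
--    clear text) makes every encrypted column/tablespace unreadable again.
ALTER SYSTEM SET ENCRYPTION WALLET CLOSE IDENTIFIED BY "WalletPwd#placeholder";

-- 7. Prove it: any read of an encrypted column now fails with an
--    ORA-28365 "wallet is not open" style error instead of returning data.
SELECT COUNT(*) FROM employee;   -- fails while the wallet is closed
```

Step 4 and step 5 are the two different rotations on the slide: master-key rotation touches only the key hierarchy, while REKEY rewrites the encrypted column data, so the second is the one to schedule in a maintenance window. The wallet file itself is what must be backed up separately from the database, as the media slide notes.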
Oracle Advanced Security: Transparent Data Encryption for Media
[Diagram: Disk, Backups, Exports, Off-Site Facilities]
- TDE integrated with Oracle Data Pump for bulk export/import to OS flat files
- TDE integrated with Oracle RMAN for database backup and recovery
- RMAN and Data Pump compress and encrypt data
- Master Key, passphrase, or both can be used to encrypt export and backup files
- No need to distribute the production master key with exports or backups
- Master key is not automatically backed up with the database

Oracle Advanced Security: Strong Authentication
[Diagram: Application authenticating to the database via Kerberos or X.509 v3]
- TDE returns clear text data to authenticated, authorized database users
- Critical to protect against stolen credentials & increase assurance of database user identities, especially privileged application users and DBAs
- Strong authentication schemes supported: Kerberos, PKI & RADIUS (for one-time password tokens, risk-based authentication, etc.)

Ease of Deployment: Data At Rest Encryption Architectural Considerations
[Diagram: security vs. ease of deployment. Easy and Secure: Oracle Database (TDE). Hard and Not Secure: Disk encryption, NAS encryption, Application-level encryption]

Oracle Advanced Security: Transparent Data Encryption Performance
Encryption processing rate (MB per CPU second), Oracle Database Enterprise Edition 11.2.0.2, AES-256:

  Operation  | Intel Xeon X5570 w/o Intel IPP | Intel Xeon X5680 w/ Intel IPP | Speedup
  Encryption |  57                            | 559                           | 10x
  Decryption |  58                            | 468                           |  8x

- "Encrypting data is expensive" is a myth (started with bad third-party solutions!)
- Incremental CPU ~5%, with 10x speed-up if cryptographic hardware is available
- Incremental CPU reduced even more if using Oracle Advanced Compression or Exadata Hybrid Columnar Compression (EHCC): if the compression ratio is 75%, we have to encrypt 75% less data!
Oracle Advanced Security: Applications and Column TDE
Command line syntax for scripts and custom applications:
- Encrypt a column in an existing table:
  SQL> alter table clients modify (cr_card_nbr encrypt);
- Encrypt columns in a new table:
  SQL> create table customers(
         first_name  varchar2(64),
         last_name   varchar2(64) encrypt using 'AES256',
         cr_card_nbr varchar2(32) encrypt 'NOMAC' no salt );
Numerous Oracle and non-Oracle application certifications:
- Oracle E-Business Suite 11i and Release 12
- Oracle PeopleSoft Enterprise 8.46+
- Oracle Siebel CRM 7.7+
- SAP 640 and 700
- Oracle Internet Directory 10.1.4.2
- i-flex FLEXCUBE 10.0
- RETEK Retail Sales Audit (RESA): RESA 12.0+ and 13.0 (Oracle Database 10gR2), RESA 13.1 (Oracle Database 11gR1)

Oracle Advanced Security: Applications and Tablespace TDE
Command line syntax for scripts and custom applications:
  SQL> create tablespace SECURE datafile '/opt/enc_tbs.dbf' size 100M
       encryption using 'AES256' default storage(encrypt);
- Can't encrypt existing tablespaces
- Can use partitioning and dbms_redefinition to move data into new encrypted tablespaces without downtime or application changes
Numerous Oracle and non-Oracle application certifications:
- Oracle E-Business Suite 11i and Release 12
- Oracle PeopleSoft Enterprise 8.48+
- Oracle Siebel CRM 8.0+
- Oracle JD Edwards EnterpriseOne
- SAP 640_EX2+ (UNIX and Linux)
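The column TDE and tablespace TDE syntax from the two slides above, put side by side in one script and followed by the dictionary queries that show what actually ended up encrypted. This is an added example and not code from the deck or from Oracle; it assumes Oracle Database 11g, an open wallet, and uses placeholder names (CUSTOMERS, ORDERS, SECURE_TS, the datafile path and the APP_OWNER schema).

```sql
-- Added example: column TDE vs. tablespace TDE, plus an encryption inventory.
-- All object names and the datafile path are placeholders.

-- Column TDE: only the card number is encrypted. The default adds salt and an
-- integrity check (MAC); a salted column cannot be indexed, which is why the
-- deck's example uses NO SALT for a column it expects to index.
CREATE TABLE customers (
  customer_id  NUMBER PRIMARY KEY,
  last_name    VARCHAR2(64),
  cr_card_nbr  VARCHAR2(32) ENCRYPT USING 'AES256'
);

-- Encrypting an existing column in place rewrites that column's data.
-- All encrypted columns of one table share the table key and algorithm.
ALTER TABLE customers MODIFY (last_name ENCRYPT USING 'AES256');

-- Tablespace TDE: every block written to SECURE_TS is encrypted on disk,
-- indexes hold clear text inside encrypted blocks, and foreign keys work.
CREATE TABLESPACE secure_ts
  DATAFILE '/opt/oracle/oradata/ORCL/secure_ts01.dbf' SIZE 100M
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

CREATE TABLE orders (
  order_id    NUMBER PRIMARY KEY,
  customer_id NUMBER REFERENCES customers (customer_id),
  amount      NUMBER(12,2)
) TABLESPACE secure_ts;

-- Inventory 1: encrypted columns, algorithm, and whether salt/MAC are on.
SELECT owner, table_name, column_name, encryption_alg, salt, integrity_alg
FROM   dba_encrypted_columns
ORDER  BY owner, table_name, column_name;

-- Inventory 2: encrypted tablespaces and their algorithm.
SELECT t.name AS tablespace_name, e.encryptionalg, e.encryptedts
FROM   v$encrypted_tablespaces e
JOIN   v$tablespace t ON t.ts# = e.ts#;

-- Inventory 3: tables of the application schema that still sit in an
-- unencrypted tablespace (the gap a "we encrypted everything" claim hides).
SELECT dt.owner, dt.table_name, dt.tablespace_name
FROM   dba_tables      dt
JOIN   dba_tablespaces ts ON ts.tablespace_name = dt.tablespace_name
WHERE  ts.encrypted = 'NO'
AND    dt.owner = 'APP_OWNER';   -- placeholder schema
```

The third query is the one worth scheduling: column TDE protects only the columns someone remembered to mark, and tablespace TDE protects only objects created in or moved into the encrypted tablespace, so a periodic dictionary sweep is how you find data that slipped into a clear-text tablespace.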
Oracle Advanced Security: Advanced Protection for the Oracle Database
- Transparent Data Encryption (TDE)
  - Transparently encrypts data at rest in Oracle databases and securely manages the encryption keys
  - Protects against theft or loss of disks and backup media
  - Stops OS users from inspecting the tablespace files
- Network Encryption
  - Locks down the database network connections
  - Prevents network sniffing and replay attacks
- Strong Authentication
  - Signs in database users via Kerberos, PKI, or RADIUS
  - Avoids weak passwords that can be stolen or cracked

How to Encrypt Your Existing Data
- Online encryption using Online Table Redefinition (OTR)
  - Driven by PL/SQL scripts (DBMS_REDEFINITION)
  - Copies in the background, synchronizes deltas, renames at the end
  - Achieves zero downtime
- Offline encryption using popular Oracle data movement tools
  - Oracle Data Pump Export/Import
  - ALTER TABLE MOVE
  - And more

Assisted Application Migration
- How-To guides and automated migration scripts are available for select Oracle Applications
- These resources make online migration of data into encrypted tablespaces straightforward (using OTR)
- Application packages are available for download from the TDE Homepage on Oracle Technology Network
- Additional Partner Support is available at the Partner Hub ISV Migration Center
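The online path described above (OTR via DBMS_REDEFINITION, also referred to on the tablespace TDE slide) as a complete worked script: an existing clear-text table is copied in the background into an encrypted tablespace, the deltas are synchronised, and the names are swapped. This is an added example, not one of Oracle's migration scripts; it assumes Oracle Database 11g, a primary key on the source table, an already-created encrypted tablespace SECURE_TS, and uses placeholder names (schema APP_OWNER, tables EMPLOYEE and EMPLOYEE_INT).

```sql
-- Added example: online move of an existing table into an encrypted tablespace.
-- Schema, table and tablespace names are placeholders.

-- 1. Interim table with the same shape, created empty in the encrypted tablespace.
CREATE TABLE app_owner.employee_int
  TABLESPACE secure_ts
  AS SELECT * FROM app_owner.employee WHERE 1 = 0;

DECLARE
  v_errors PLS_INTEGER;
BEGIN
  -- 2. Confirm the table can be redefined using its primary key.
  DBMS_REDEFINITION.CAN_REDEF_TABLE(
    uname        => 'APP_OWNER',
    tname        => 'EMPLOYEE',
    options_flag => DBMS_REDEFINITION.CONS_USE_PK);

  -- 3. Start: rows are copied in the background while EMPLOYEE stays
  --    fully readable and writable by the application.
  DBMS_REDEFINITION.START_REDEF_TABLE(
    uname        => 'APP_OWNER',
    orig_table   => 'EMPLOYEE',
    int_table    => 'EMPLOYEE_INT',
    options_flag => DBMS_REDEFINITION.CONS_USE_PK);

  -- 4. Recreate indexes, triggers, constraints and grants on the interim
  --    table (indexes are built inside SECURE_TS, so they are encrypted too).
  DBMS_REDEFINITION.COPY_TABLE_DEPENDENTS(
    uname            => 'APP_OWNER',
    orig_table       => 'EMPLOYEE',
    int_table        => 'EMPLOYEE_INT',
    copy_indexes     => DBMS_REDEFINITION.CONS_ORIG_PARAMS,
    copy_triggers    => TRUE,
    copy_constraints => TRUE,
    copy_privileges  => TRUE,
    ignore_errors    => FALSE,
    num_errors       => v_errors);
  IF v_errors > 0 THEN
    RAISE_APPLICATION_ERROR(-20001, 'dependent objects failed: ' || v_errors);
  END IF;

  -- 5. Apply the changes made to EMPLOYEE since step 3 ("synchronizes deltas"),
  --    so the final swap has little left to catch up on.
  DBMS_REDEFINITION.SYNC_INTERIM_TABLE('APP_OWNER', 'EMPLOYEE', 'EMPLOYEE_INT');

  -- 6. Swap: EMPLOYEE now lives in SECURE_TS ("renames at the end"); only a
  --    brief exclusive lock is taken here.
  DBMS_REDEFINITION.FINISH_REDEF_TABLE('APP_OWNER', 'EMPLOYEE', 'EMPLOYEE_INT');
EXCEPTION
  WHEN OTHERS THEN
    -- Roll back the redefinition so the original table is left untouched.
    DBMS_REDEFINITION.ABORT_REDEF_TABLE('APP_OWNER', 'EMPLOYEE', 'EMPLOYEE_INT');
    RAISE;
END;
/

-- 7. After the swap the interim name points at the OLD clear-text segment.
DROP TABLE app_owner.employee_int PURGE;

-- 8. Verify the table now sits in an encrypted tablespace.
SELECT dt.table_name, dt.tablespace_name, ts.encrypted
FROM   dba_tables      dt
JOIN   dba_tablespaces ts ON ts.tablespace_name = dt.tablespace_name
WHERE  dt.owner = 'APP_OWNER'
AND    dt.table_name = 'EMPLOYEE';
```

Step 7 matters from a data-protection view: dropping the swapped-out table frees its extents, but the clear-text blocks stay in the old datafile until they are overwritten, so the source tablespace should be dropped (and its datafile disposed of) once every table has been moved out of it.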
Database Security Big Picture
[Diagram: controls arranged around Applications, Network and the Encrypted Database: Activity Audit, Data Discovery, Compliance Scan, Vulnerability Scan, Patch Automation, SQL Monitoring and Blocking, Auditing, Authorization, Authentication, Data Masking, Unauthorized DBA Activity, Multi-factor authorization]

Oracle Database Security Platform
- Maximum Security for Oracle Databases (Transparent Data Encryption, Privileged User Controls, Multi-Factor Authorization, Data Classification, and Change Tracking): Oracle Advanced Security, Oracle Database Vault, Oracle Label Security, Oracle Total Recall
- Security for Oracle and non-Oracle Databases Outside the Database (Database Activity Auditing and Reporting, SQL Traffic Monitoring and Blocking, Real-Time Alerting, Workflow Automation): Oracle Audit Vault, Oracle Database Firewall
- Security for Production and non-Production Database Environments (Secure Configuration Scanning, Automated Patching, Configuration Change Control, Sensitive Data Discovery, Data Masking): Oracle Database Lifecycle Management (Oracle Enterprise Manager), Oracle Data Masking

Oracle Maximum Security Architecture
[Diagram: Applications (Procurement, HR, Rebates) with data classified Sensitive / Confidential / Public. Controls and products shown: Auditing, Authorization, Authentication (Oracle Audit Vault); Unauthorized DBA Activity, Multi-factor Authorization, DB Consolidation Security (Oracle Database Vault); Oracle Database Firewall; Encrypted Database, Encrypted Traffic (Oracle Advanced Security); Mask for Test and Dev (Oracle Data Masking); Secure Configuration Scanning, Patch Management (Enterprise Manager)]

Q&A
You can also address your questions to the local South Africa Partner Hub ISV Migration Center:
http://blogs.oracle.com/imc
partner.imc@beehiveonline.oracle.com