Copyright 2012, Oracle and/or its affiliates. All rights reserved.


Oracle Database Security: Advanced Security Option
Thanos Terentes Printzios, DB & Options Specialist, A&C Technology Adoption Office, Oracle Partner Business Development, ECEMEA

What is a customer's most valuable asset? INFORMATION

Information is Data
Two-thirds of sensitive and regulated information now resides in databases, and it is doubling every two years.
Examples of such data: HR data, citizen data, credit cards, customer data, financial data, classified government information, trade secrets, competitive bids, corporate plans, source code, bug database.
- 48% of data breaches caused by insiders
- 89% of records stolen using SQL injection
- 86% of hacking used stolen credentials
Source: Verizon, 2007-11 & IDC, "Effective Data Leak Prevention Programs: Start by Protecting Data at the Source", August 2011

Why Database Security?
[Chart: timeline 2001-2012]
"Two thirds of sensitive regulated information now resides in databases, and it is doubling every 2 years." Source: "Effective Data Leak Prevention Programs: Start by Protecting Data at the Source: Your Databases", IDC, August 2011
"Of all the records breached at large organizations, 98% involved a compromised database server." Source: Verizon Business 2012 Data Breach Investigations Report, Verizon, June 2012

IT Security Not Addressing Database Security
Databases hold the crown jewels for organizations but often don't get the strong focus they need when it comes to data security planning. Forrester estimates that although 70% of enterprises have an information security plan, only 20% of enterprises have a database security plan.
Source: Creating An Enterprise Database Security Plan, July 2010

Data Security Becoming Top IT Priority
[Chart] Source: Forrester Research Inc., "The State Of Enterprise IT Security And Emerging Trends: 2009 To 2010", Jan. 25th, 2010

Why Secure the Database?

Database Security: Defense in Depth
Mitigate Database Bypass
- Prevent access to data at OS, storage, network, media layers
- Transparent data encryption for data at rest, in transit, on media
- Separation of duties for key management
Prevent Application Bypass
- Privileged user access control to limit access to application data
- Multi-factor authorization for enforcing enterprise security policies
- Secure application consolidation
Consolidate Auditing and Compliance Reporting
- Native Oracle and non-Oracle database auditing, centralized audit policies
- Consolidate, secure, analyze audit trail, alert on suspicious activities
- Report for compliance & security, automate database audit workflow
Monitor Database Traffic and Block Threats
- Monitor Oracle & non-Oracle database traffic over the network
- Block threats like SQL injection attacks before reaching databases
- Enforce normal database activity, lightweight monitoring
Protect All Database Environments
- Sensitive data discovery for production
- Secure database lifecycle management, configuration scanning, patch automation
- Mask data for nonproduction development & test

Database Security: Defense in Depth. Mitigate Database Bypass:
- Prevent access to data at OS, storage, network, media layers
- Transparent data encryption for data at rest, in transit, on media
- Separation of duties for key management

Advanced Security Option: Easy Data Encryption in the Database

Oracle Advanced Security: Protect Data from Unauthorized Database Users
[Diagram: Disk, Application, Backups, Exports, Off-Site Facilities]
- Prevents database bypass with complete end-to-end data encryption
- Efficient application data encryption without application changes
- Built-in key management with separation of duties
- High performance and easy to deploy

Oracle Advanced Security: Database Traffic Network Encryption
- Network traffic entirely encrypted to prevent man-in-the-middle attacks: AES, RSA RC4, and DES/3DES
- Data integrity checksums prevent modification, replay, missing packets, etc.: MD5 and SHA-1
- No infrastructure changes required, point-and-click implementation
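The slide describes native network encryption and integrity checksums but not how to turn them on or confirm that a session really got them. The following is an added example, not part of the presentation: the server-side sqlnet.ora parameters (shown as comments; the parameter names are Oracle's, the values are one hardened choice) followed by a query against V$SESSION_CONNECT_INFO, whose banner lines name the encryption and checksum adapters negotiated for the current session. The check matters because both ends default to ACCEPTED, and two ACCEPTED ends negotiate no encryption at all.

```sql
-- Added example (not from the presentation). Server side, in
-- $ORACLE_HOME/network/admin/sqlnet.ora (parameter names are Oracle's,
-- the values below are the hardened choice; the default is ACCEPTED):
--   SQLNET.ENCRYPTION_SERVER            = REQUIRED   -- refuse unencrypted sessions
--   SQLNET.ENCRYPTION_TYPES_SERVER      = (AES256)   -- do not offer RC4 or DES
--   SQLNET.CRYPTO_CHECKSUM_SERVER       = REQUIRED   -- refuse sessions without integrity
--   SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA1)     -- do not offer MD5
--
-- Weak equivalent for comparison (what you get if nothing is configured):
--   SQLNET.ENCRYPTION_SERVER      = ACCEPTED   -- a client that does not ask gets cleartext
--   SQLNET.CRYPTO_CHECKSUM_SERVER = ACCEPTED   -- and no replay / tamper protection
--
-- Verify from inside a session: one banner row per negotiated service.
-- The rows should name the AES256 encryption adapter and the SHA1
-- crypto-checksumming adapter; a session that shows no encryption or
-- checksum adapter rows is running in cleartext.
SELECT network_service_banner
  FROM v$session_connect_info
 WHERE sid = SYS_CONTEXT('USERENV', 'SID');

-- Fleet-wide version of the same check, for a DBA auditing all connected
-- sessions rather than just their own (aggregates banners per session).
SELECT s.sid,
       s.username,
       s.machine,
       LISTAGG(c.network_service_banner, ' | ')
         WITHIN GROUP (ORDER BY c.network_service_banner) AS services
  FROM v$session s
  JOIN v$session_connect_info c ON c.sid = s.sid
 WHERE s.type = 'USER'
 GROUP BY s.sid, s.username, s.machine;
```

Setting REQUIRED on the server is what actually enforces the policy; clients that cannot negotiate a listed algorithm are rejected at connect time rather than silently falling back to cleartext. LISTAGG needs Oracle 11g Release 2 or later, which matches the release discussed on these slides.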

Oracle Advanced Security: Strong Authentication
- Authenticates users, servers, and linked databases
- Centralizes authentication, taking it out of the DBA's exclusive control
- Supports single sign-on deployments and popular directory services
- Enables strong multi-factor authentication

Evolution of Oracle Advanced Security
- Oracle 9i: Network Encryption & Strong Authentication
- Oracle 10g: Column TDE & Wallet Key Management
- Oracle 11g: Tablespace TDE & Hardware Acceleration & Exadata Optimizations

Transparent Data Encryption: Encryption Key Architecture
[Diagram] The Master Key is held outside the database, either in an Oracle Wallet (Standard Wallet, Auto-Open Wallet, or Local Auto-Open Wallet) or in a Hardware Security Module. It protects the Table Key, used by TDE Column Encryption, and the Tablespace Key, used by TDE Tablespace Encryption.

Oracle Advanced Security: Transparent Data Encryption for Columns
- Support for all column types, including Oracle Database 11g SecureFile
- Data is cached encrypted in the SGA
- Decrypted only when you dereference it, encrypted every time you modify it
- Indexing supported, but the index is indexing encrypted data (not sorted!)
- Encryption keys are table specific, which means foreign key constraints cannot be enforced
- Undo and Redo generated are encrypted

Oracle Advanced Security: Transparent Data Encryption for Tablespaces
- All tables in the tablespace are encrypted; no need to identify specific columns
- Data encrypted at block level as written out to disk, decrypted when read in
- Data is cached in the SGA unencrypted
- Index contains clear text (blocks are encrypted), so no limitations on index use
- Encryption keys are tablespace specific; foreign key constraints can be enforced
- Undo and Redo generated are encrypted

Encrypted Tablespaces in Exadata X2
Exadata Smart Scans
- Encrypted tablespaces can be Smart Scanned
- Query processing is offloaded to the storage cells
Hybrid Columnar Compression
- Crypto processing occurs on compressed data
- Results in much less data to encrypt & decrypt
Exadata Cryptographic Acceleration
- Intel AES-NI and Oracle SPARC hardware accelerate the crypto processing by 5x or more

Oracle Advanced Security: Transparent Data Encryption Built-In Key Management
[Diagram: Table and Tablespace Keys, protected by the Master Key in an Oracle Wallet or, via the PKCS #11 API, in an HSM]
Create a wallet and generate the master key:
  alter system set encryption key identified by "e3car61";
Open the wallet:
  alter system set encryption wallet open identified by "e3car61";
Rotate the master key (table/tablespace keys re-encrypted):
  alter system set encryption key identified by "2naf1sh";
Rotate table/tablespace keys (data re-encrypted):
  alter table employee rekey;
- Generate, store, and rotate encryption keys
- Two-tier key management architecture
- Table and Tablespace keys used to encrypt data (stored in the database for performance)
- Master key used to encrypt Table and Tablespace keys
- Master key is stored in an External Security Module (outside the database): an Oracle Wallet (PKCS #12 file) or a Hardware Security Module (HSM), which meets FIPS & Common Criteria requirements, using the PKCS#11 API
- Separation of duties: the wallet password is separate from the System or DBA password
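The slide lists the four key-management statements in isolation. The following added example, which is not from the presentation, puts them in the order an administrator runs them for a file-based wallet on Oracle Database 11g, with the wallet location prerequisite shown as a sqlnet.ora comment and a V$ENCRYPTION_WALLET check after each state change. The wallet directory, schema, table name and password are placeholders; the IDENTIFIED BY value on every statement is the wallet password, which is why it does not change between creation and rotation.

```sql
-- Added example (not from the presentation). Prerequisite in sqlnet.ora
-- (ENCRYPTION_WALLET_LOCATION is Oracle's parameter; the path is a placeholder):
--   ENCRYPTION_WALLET_LOCATION =
--     (SOURCE = (METHOD = FILE)
--       (METHOD_DATA = (DIRECTORY = /etc/oracle/wallet/ORCL)))
-- The directory must be writable only by the Oracle software owner: the
-- wallet file is what stands between a stolen datafile and its contents.

-- 1. Create the wallet and the first master key; this also opens the wallet.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "wallet-pw-placeholder";

-- Check: WRL_TYPE = 'file', WRL_PARAMETER = the directory above, STATUS = 'OPEN'.
SELECT wrl_type, wrl_parameter, status
  FROM v$encryption_wallet;

-- 2. After an instance restart a password-protected wallet is CLOSED and every
--    read of an encrypted column or tablespace fails until it is reopened.
--    This is the separation-of-duties step: a DBA without the wallet password
--    can start the database but cannot decrypt the data.
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "wallet-pw-placeholder";

-- 3. Rotate the master key. Only the table and tablespace keys are re-wrapped;
--    data blocks are untouched, so this is cheap and can be done on a schedule.
--    Back up the wallet first and keep the backup: the wallet retains the old
--    master keys, which are still needed to restore backups taken before the
--    rotation, and the wallet is NOT included in a database backup.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "wallet-pw-placeholder";

-- 4. Rotate a table key. Column data is re-encrypted under a new key, so this
--    rewrites every encrypted column of the table and is done far less often
--    (for example after a suspected compromise of the database files).
ALTER TABLE hr.employee REKEY USING 'AES256';

-- Check: the encrypted columns of the table and the algorithm now in use.
SELECT column_name, encryption_alg, salt, integrity_alg
  FROM dba_encrypted_columns
 WHERE owner = 'HR' AND table_name = 'EMPLOYEE';

-- 5. Close the wallet when encrypted data must become unreadable, for example
--    before a copy of the database leaves the controlled environment.
ALTER SYSTEM SET ENCRYPTION WALLET CLOSE IDENTIFIED BY "wallet-pw-placeholder";

-- Check: STATUS should now read 'CLOSED'.
SELECT status FROM v$encryption_wallet;
```

The two checks against V$ENCRYPTION_WALLET are worth scripting into monitoring: a wallet that is unexpectedly OPEN on a standby or test copy, or CLOSED on production after a restart, is an operational signal that deserves an alert. The IDENTIFIED BY clause on the WALLET CLOSE statement is required from Oracle Database 11g Release 2 onward.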

Oracle Advanced Security: Transparent Data Encryption for Media
[Diagram: Disk, Backups, Exports, Off-Site Facilities]
- TDE integrated with Oracle Data Pump for bulk export/import to OS flat files
- TDE integrated with Oracle RMAN for database backup and recovery
- RMAN and Data Pump compress and encrypt data
- Master Key, passphrase, or both can be used to encrypt export and backup files
- No need to distribute the production master key with exports or backups
- Master key not automatically backed up with the database

Oracle Advanced Security: Strong Authentication
[Diagram: Application authenticating via Kerberos or X.509 v3]
- TDE returns clear text data to authenticated, authorized database users
- Critical to protect against stolen credentials & increase assurance of database user identities, especially privileged application users and DBAs
- Strong authentication schemes supported: Kerberos, PKI & RADIUS (for one-time password tokens, risk-based authentication, etc.)

Data At Rest Encryption: Architectural Considerations
[Chart: Security vs. Ease of Deployment for encryption at the Disk, NAS, Oracle Database, and Application layers, ranging from "Easy and Secure" to "Hard and Not Secure"]

Oracle Advanced Security: Transparent Data Encryption Performance
[Chart: encryption processing rate in MB per CPU second, Oracle Database Enterprise Edition 11.2.0.2, AES-256]
- Encryption: 57 on Intel Xeon Processor X5570 w/o Intel IPP vs. 559 on Intel Xeon processor X5680 w/ Intel IPP, a 10x speedup
- Decryption: 58 on Intel Xeon Processor X5570 w/o Intel IPP vs. 468 on Intel Xeon processor X5680 w/ Intel IPP, an 8x speedup
- "Encrypting data is expensive" is a myth (started with bad third-party solutions!)
- Incremental CPU ~5%, with 10x speed-up if cryptographic hardware is available
- Incremental CPU reduced even more if using Oracle Advanced Compression or Exadata Hybrid Columnar Compression (EHCC)
- If the compression ratio is 75%, we have to encrypt 75% less data!

Oracle Advanced Security: Applications and Column TDE
Command line syntax for scripts and custom applications
Encrypt column in existing table:
  SQL> alter table clients modify (cr_card_nbr encrypt);
Encrypt column in new table:
  SQL> create table customers(
         first_name varchar2(64),
         last_name varchar2(64) encrypt using 'AES256',
         cr_card_nbr varchar2(32) encrypt no salt nomac );
Numerous Oracle and non-Oracle application certifications:
- Oracle E-Business Suite 11i and Release 12
- Oracle PeopleSoft Enterprise 8.46+
- Oracle Siebel CRM 7.7+
- SAP 640 and 700
- Oracle Internet Directory 10.1.4.2
- i-flex FLEXCUBE 10.0
- RETEK Retail Sales Audit (RESA): RESA 12.0+ and 13.0 (Oracle Database 10gR2), RESA 13.1 (Oracle Database 11gR1)

Oracle Advanced Security: Applications and Tablespace TDE
Command line syntax for scripts and custom applications:
  SQL> create tablespace SECURE datafile '/opt/enc_tbs.dbf' size 100M
         encryption using 'AES256' default storage(encrypt);
- Can't encrypt existing tablespaces
- Can use partitioning and dbms_redefinition to move data into new encrypted tablespaces without downtime or application changes
Numerous Oracle and non-Oracle application certifications:
- Oracle E-Business Suite 11i and Release 12
- Oracle PeopleSoft Enterprise 8.48+
- Oracle Siebel CRM 8.0+
- Oracle JD Edwards EnterpriseOne
- SAP 640_EX2+ (UNIX and Linux)
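The two preceding slides give the column TDE and tablespace TDE syntax separately and the earlier slides list their limitations (indexes on encrypted columns, foreign keys between tables with column encryption). The following added example, not from the presentation, shows both forms side by side on Oracle Database 11g together with the dictionary views that confirm what is actually encrypted, and demonstrates the NO SALT requirement for an indexed encrypted column and a foreign key between two tables in an encrypted tablespace. Schema, table, index and datafile names are placeholders; the wallet must already be open.

```sql
-- Added example (not from the presentation). Names are placeholders.

-- Column TDE: pick the sensitive columns. With the default SALT the same
-- plaintext encrypts to a different ciphertext each time, which is good for
-- confidentiality but makes a B-tree index impossible; a column you must
-- index has to be declared NO SALT (the index then orders ciphertext, so it
-- serves equality lookups, not range scans).
CREATE TABLE app.customers (
  cust_id     NUMBER        PRIMARY KEY,
  first_name  VARCHAR2(64),
  last_name   VARCHAR2(64)  ENCRYPT USING 'AES256',
  cr_card_nbr VARCHAR2(32)  ENCRYPT USING 'AES256' NO SALT
);
CREATE INDEX app.customers_cc_ix ON app.customers (cr_card_nbr);

-- Encrypting a column of an existing table rewrites that column in place.
ALTER TABLE app.clients MODIFY (cr_card_nbr ENCRYPT USING 'AES256' NO SALT);

-- Check: every column-encrypted column in the schema, with algorithm, whether
-- it is salted, and the integrity (MAC) algorithm.
SELECT owner, table_name, column_name, encryption_alg, salt, integrity_alg
  FROM dba_encrypted_columns
 WHERE owner = 'APP'
 ORDER BY table_name, column_name;

-- Tablespace TDE: everything created in the tablespace is encrypted at the
-- block level, so there are no per-column decisions, indexes behave normally
-- and foreign keys between encrypted tables are allowed.
CREATE TABLESPACE secure_ts
  DATAFILE '/u02/oradata/ORCL/secure_ts01.dbf' SIZE 100M
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

CREATE TABLE app.card_txn (
  txn_id   NUMBER       PRIMARY KEY,
  card_nbr VARCHAR2(32),
  amount   NUMBER(12, 2)
) TABLESPACE secure_ts;

CREATE TABLE app.card_txn_line (
  line_id  NUMBER PRIMARY KEY,
  txn_id   NUMBER NOT NULL REFERENCES app.card_txn (txn_id),  -- FK works here
  sku      VARCHAR2(40)
) TABLESPACE secure_ts;
CREATE INDEX app.card_txn_line_txn_ix ON app.card_txn_line (txn_id)
  TABLESPACE secure_ts;  -- put the index in the encrypted tablespace too

-- Check 1: the tablespace itself and its algorithm.
SELECT t.tablespace_name, t.encrypted, e.encryptionalg
  FROM dba_tablespaces t
  JOIN v$tablespace v ON v.name = t.tablespace_name
  JOIN v$encrypted_tablespaces e ON e.ts# = v.ts#
 WHERE t.tablespace_name = 'SECURE_TS';

-- Check 2: any segment of the APP schema that still sits in an unencrypted
-- tablespace. Indexes and LOB segments are the usual culprits, because they
-- take the user's default tablespace unless one is named explicitly.
SELECT s.segment_name, s.segment_type, s.tablespace_name
  FROM dba_segments s
  JOIN dba_tablespaces t ON t.tablespace_name = s.tablespace_name
 WHERE s.owner = 'APP'
   AND t.encrypted = 'NO';
```

Check 2 is the one to keep: tablespace TDE is only as complete as the placement of every segment, and an index or LOB created later without a TABLESPACE clause lands in the owner's default tablespace in cleartext. Running the query after each deployment catches that before it reaches a backup.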

Oracle Advanced Security: Advanced Protection for the Oracle Database
Transparent Data Encryption (TDE)
- Transparently encrypts data-at-rest in Oracle databases and securely manages the encryption keys
- Protects against theft or loss of disks and backup media
- Stops OS users from inspecting the tablespace files
Network Encryption
- Locks down the database network connections
- Prevents network sniffing and replay attacks
Strong Authentication
- Signs in database users via Kerberos, PKI, or RADIUS
- Avoids weak passwords that can be stolen or cracked

How to Encrypt Your Existing Data
Online encryption using Online Table Redefinition (OTR)
- Driven by PL/SQL scripts (DBMS_REDEFINITION)
- Copies in background, synchronizes deltas, renames at the end
- Achieves zero downtime
Offline encryption using popular Oracle data movement tools
- Oracle Data Pump Export/Import
- ALTER TABLE MOVE
- And more
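The online path above is named but not shown. The following added example, which is not from the presentation or from Oracle's own migration scripts, walks an existing table into an encrypted tablespace with DBMS_REDEFINITION on Oracle Database 11g: the interim table is created in the encrypted tablespace, rows are copied in the background, deltas are synchronized, and the names are swapped at the end. It assumes a placeholder table APP.CLIENTS with a primary key and an already-existing encrypted tablespace SECURE_TS (as on the previous slide); the offline alternative is shown as a comment.

```sql
-- Added example (not from the presentation). Names are placeholders.
-- Offline alternative, for a maintenance window:
--   ALTER TABLE app.clients MOVE TABLESPACE secure_ts;
--   (then ALTER INDEX ... REBUILD for every index, which go UNUSABLE)

-- 0. Confirm the table qualifies for primary-key based redefinition.
BEGIN
  DBMS_REDEFINITION.CAN_REDEF_TABLE('APP', 'CLIENTS',
                                    DBMS_REDEFINITION.CONS_USE_PK);
END;
/

-- 1. Interim table with the same columns, located in the encrypted tablespace.
CREATE TABLE app.clients_int
  TABLESPACE secure_ts
  AS SELECT * FROM app.clients WHERE 1 = 0;

-- 2. Start: rows are copied in the background while the application keeps
--    reading and writing app.clients; changes are captured for later sync.
BEGIN
  DBMS_REDEFINITION.START_REDEF_TABLE(
    uname        => 'APP',
    orig_table   => 'CLIENTS',
    int_table    => 'CLIENTS_INT',
    options_flag => DBMS_REDEFINITION.CONS_USE_PK);
END;
/

-- 3. Recreate indexes, triggers, constraints and grants on the interim table.
--    CONS_ORIG_PARAMS keeps each index's original storage parameters, which
--    includes its original (unencrypted) tablespace; step 6 fixes that.
DECLARE
  num_errors PLS_INTEGER;
BEGIN
  DBMS_REDEFINITION.COPY_TABLE_DEPENDENTS(
    uname            => 'APP',
    orig_table       => 'CLIENTS',
    int_table        => 'CLIENTS_INT',
    copy_indexes     => DBMS_REDEFINITION.CONS_ORIG_PARAMS,
    copy_triggers    => TRUE,
    copy_constraints => TRUE,
    copy_privileges  => TRUE,
    ignore_errors    => FALSE,
    num_errors       => num_errors);
  IF num_errors > 0 THEN
    RAISE_APPLICATION_ERROR(-20001,
      'COPY_TABLE_DEPENDENTS reported ' || num_errors || ' error(s)');
  END IF;
END;
/

-- 4. Apply the deltas captured so far, then finish. FINISH takes a brief
--    exclusive lock to swap the names, so syncing right before it keeps
--    that window short.
BEGIN
  DBMS_REDEFINITION.SYNC_INTERIM_TABLE('APP', 'CLIENTS', 'CLIENTS_INT');
  DBMS_REDEFINITION.FINISH_REDEF_TABLE('APP', 'CLIENTS', 'CLIENTS_INT');
END;
/

-- 5. The interim name now points at the OLD, unencrypted segment. Drop it
--    with PURGE so the cleartext copy does not linger in the recycle bin.
DROP TABLE app.clients_int PURGE;

-- 6. Move any index that was copied into an unencrypted tablespace.
BEGIN
  FOR ix IN (SELECT owner, index_name
               FROM dba_indexes
              WHERE table_owner = 'APP'
                AND table_name  = 'CLIENTS'
                AND tablespace_name <> 'SECURE_TS') LOOP
    EXECUTE IMMEDIATE 'ALTER INDEX ' || ix.owner || '.' || ix.index_name ||
                      ' REBUILD TABLESPACE secure_ts ONLINE';
  END LOOP;
END;
/

-- Check: every segment belonging to the table must now be in SECURE_TS.
SELECT segment_name, segment_type, tablespace_name
  FROM dba_segments
 WHERE owner = 'APP'
   AND (segment_name = 'CLIENTS'
        OR segment_name IN (SELECT index_name FROM dba_indexes
                             WHERE table_owner = 'APP'
                               AND table_name = 'CLIENTS'));
```

Two points a practitioner should keep in mind: the freed blocks of the original datafile still hold cleartext until they are overwritten, so the old tablespace should be dropped and its files securely disposed of once everything has been moved out of it; and LOB segments, if the table has any, need the same treatment as the indexes in step 6.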

Assisted Application Migration
- How-To guides and automated migration scripts are available for select Oracle Applications
- These resources make online migration of data into encrypted tablespaces straightforward (using OTR)
- Application packages are available for download from the TDE Homepage on Oracle Technology Network
- Additional Partner Support available at the Partner Hub ISV Migration Center

Database Security Big Picture
[Diagram: Applications and Network feeding SQL Monitoring and Blocking; the Encrypted Database surrounded by Auditing, Authorization, Authentication, Activity Audit, Data Discovery, Compliance Scan, Vulnerability Scan, Patch Automation, Data Masking, Multi-factor authorization and controls on Unauthorized DBA Activity]

Oracle Database Security Platform
Maximum Security for Oracle Databases (Transparent Data Encryption, Privileged User Controls, Multi-Factor Authorization, Data Classification, and Change Tracking):
- Oracle Advanced Security
- Oracle Database Vault
- Oracle Label Security
- Oracle Total Recall
Security for Oracle and non-Oracle Databases Outside the Database (Database Activity Auditing and Reporting, SQL Traffic Monitoring and Blocking, Real-Time Alerting, Workflow Automation):
- Oracle Audit Vault
- Oracle Database Firewall
Security for Production and non-Production Database Environments (Secure Configuration Scanning, Automated Patching, Configuration Change Control, Sensitive Data Discovery, Data Masking):
- Oracle Database Lifecycle
- Oracle Enterprise Manager
- Oracle Data Masking

Oracle Maximum Security Architecture
[Diagram: Enterprise Manager providing Secure Configuration Scanning and Patch Management; Applications (Procurement, HR, Rebates, classified Sensitive, Confidential, Public) reaching the database through Oracle Database Firewall; Oracle Audit Vault collecting Auditing; Oracle Database Vault enforcing Authorization, Authentication, Multi-factor Authorization, DB Consolidation Security and controls on Unauthorized DBA Activity; Oracle Advanced Security providing Encrypted Database and Encrypted Traffic; Oracle Data Masking masking data for Test and Dev]

Q&A
You can also address your questions to the local South Africa Partner Hub ISV Migration Center: http://blogs.oracle.com/imc, partner.imc@beehiveonline.oracle.com
