1 Copyright 2012, Oracle and/or its affiliates. All rights reserved. Public Information




The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.

Transparent Data Encryption with Oracle Database 11g

Jaime Briggs
Account Manager, Strategic Accounts
MSc CS, CCISP, CCSK

Agenda

- Introduction
- Oracle Database Defense-in-Depth
- Oracle Advanced Security
- Network Encryption
- Transparent Data Encryption (TDE)
- Key Management
- Strong Authentication
- Database Encryption Best Practices
- Encryption Solutions Compared
- Performance
- Application Integration
- Database Integration
- Real World Case Studies
- Q&A

Only 30% Prevent Non-Database Users from Seeing or Tampering with Data at the OS Level

Is personal identity information (e.g., social security, credit card, national identifier numbers) stored in your databases encrypted?

75% Susceptible To Data Tampering Through Network Traffic Sniffing

Is application data encrypted on the network to/from your database?

Only 22% Encrypt All Backups and Exports

Do you encrypt all your online and offline database backups and exports?

Database Security Defense in Depth

Mitigate Database Bypass
- Prevent access to data at OS, storage, network, media layers
- Transparent data encryption for data at rest, in transit, on media
- Separation of duties for key management

Prevent Application Bypass
- Privileged user access control to limit access to application data
- Multi-factor authorization for enforcing enterprise security policies
- Secure application consolidation

Consolidate Auditing and Compliance Reporting
- Native Oracle and non-Oracle database auditing, centralized audit policies
- Consolidate, secure, analyze audit trail, alert on suspicious activities
- Report for compliance & security, automate database audit workflow

Monitor Database Traffic and Block Threats
- Monitor Oracle & non-Oracle database traffic over the network
- Block threats like SQL injection attacks before reaching databases
- Enforce normal database activity, lightweight monitoring

Protect All Database Environments
- Sensitive data discovery for production
- Secure database lifecycle management, configuration scanning, patch automation
- Mask data for nonproduction development & test

Database Security Defense in Depth

Mitigate Database Bypass (first of the five areas: Mitigate Database Bypass, Prevent Application Bypass, Consolidate Auditing and Compliance Reporting, Monitor Database Traffic and Block Threats, Protect All Database Environments)
- Prevent access to data at OS, storage, network, media layers
- Transparent data encryption for data at rest, in transit, on media
- Separation of duties for key management

Oracle Advanced Security: Protect Data from Unauthorized Database Users

[Diagram: Disk, Application, Backups, Exports, Off-Site Facilities]

- Prevents database by-pass with complete end-to-end data encryption
- Efficient application data encryption without application changes
- Built-in key management with separation of duties
- High performance and easy to deploy

Oracle Advanced Security: Network Encryption

[Diagram: Database Traffic]

- Network traffic entirely encrypted to prevent man-in-the-middle attacks
  - AES, RSA RC4, and DES/3DES
- Data integrity checksums prevent modification, replay, missing packet, etc.
  - MD5 and SHA-1
- No infrastructure changes required, point-and-click implementation

Oracle Advanced Security: Transparent Data Encryption for Columns

- Support for all column types, including Oracle Database 11g SecureFile
- Data is cached encrypted in the SGA
- Decrypted only when you dereference it, encrypted every time you modify it
- Indexing supported, but the index is indexing encrypted data (not sorted!)
- Encryption keys are table specific, which means foreign key constraints cannot be enforced
- Undo and Redo generated are encrypted

Oracle Advanced Security: Transparent Data Encryption for Tablespaces

- All tables in tablespace are encrypted; no need to identify specific columns
- Data encrypted at block level as written out to disk, decrypted when read in
- Data is cached in the SGA unencrypted
- Index contains clear text (blocks are encrypted), so no limitations on index use
- Encryption keys are tablespace specific: foreign key constraints can be enforced
- Undo and Redo generated are encrypted

Oracle Advanced Security: Transparent Data Encryption Built-In Key Management

[Diagram: Table and Tablespace Keys, Master Key, Oracle Wallet, PKCS #11 API, HSM]

Create a wallet and generate the master key:
    alter system set key identified by "e3car61";
Open the wallet:
    alter system set wallet open identified by "e3car61";
Rotate master key (table/tablespace keys re-encrypted):
    alter system set key identified by "2naf1sh";
Rotate table/tablespace keys (data re-encrypted):
    alter table employee REKEY;

- Generate, store, and rotate encryption keys
- Two-tier key management architecture
  - Table and Tablespace keys used to encrypt data (stored in database for performance)
  - Master key used to encrypt Table and Tablespace keys
- Master key is stored in External Security Module (outside the database)
  - Oracle Wallet (PKCS #12 file)
  - Hardware Security Module (HSM) meets FIPS & Common Criteria reqs using PKCS#11 API
- Separation of duties: wallet password is separate from System or DBA password
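The following read-only checks are an added example, not part of the original slides. They show how a DBA or auditor can confirm what the network encryption, column TDE, tablespace TDE and key management slides describe is actually in effect on an 11g database. The column-name patterns in query 4 are assumptions and should be replaced with the site's own naming for sensitive data.

```sql
-- Added example (not from the slides). Requires SELECT on the DBA_ and V$ views.

-- 1. Key management: is the wallet or HSM that holds the master key open?
--    With STATUS = 'CLOSED' encrypted data cannot be read or written.
SELECT wrl_type, wrl_parameter, status
FROM   v$encryption_wallet;

-- 2. Column TDE inventory: algorithm, salt and integrity setting per column.
SELECT owner, table_name, column_name, encryption_alg, salt, integrity_alg
FROM   dba_encrypted_columns
ORDER  BY owner, table_name, column_name;

-- 3. Tablespace TDE inventory.
SELECT ts.name AS tablespace_name, et.encryptionalg, et.encryptedts
FROM   v$tablespace ts
JOIN   v$encrypted_tablespaces et ON et.ts# = ts.ts#
ORDER  BY ts.name;

-- 4. Gap check: columns whose names suggest sensitive data (patterns are
--    assumptions) that have neither column TDE nor an encrypted tablespace.
--    Partitioned tables have no tablespace in DBA_TABLES and are not covered;
--    check DBA_TAB_PARTITIONS for those.
SELECT c.owner, c.table_name, c.column_name, t.tablespace_name
FROM   dba_tab_columns c
JOIN   dba_tables t
       ON t.owner = c.owner AND t.table_name = c.table_name
JOIN   dba_tablespaces s
       ON s.tablespace_name = t.tablespace_name
LEFT   JOIN dba_encrypted_columns e
       ON  e.owner = c.owner
       AND e.table_name = c.table_name
       AND e.column_name = c.column_name
WHERE  s.encrypted = 'NO'
AND    e.column_name IS NULL
AND    c.owner NOT IN ('SYS', 'SYSTEM')
AND    (   c.column_name LIKE '%CARD%'
        OR c.column_name LIKE '%SSN%'
        OR c.column_name LIKE '%NATIONAL_ID%')
ORDER  BY c.owner, c.table_name, c.column_name;

-- 5. Network encryption: which encryption and checksum adapters did the
--    current session negotiate? No rows suggests the session uses neither.
SELECT network_service_banner
FROM   v$session_connect_info
WHERE  sid = SYS_CONTEXT('USERENV', 'SID')
AND    LOWER(network_service_banner) LIKE '%service adapter%';
```

Query 5 is worth reading against the algorithm list on the network encryption slide: a session that reports RC4, DES or MD5 negotiated one of the weaker supported options rather than AES and SHA-1.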

Oracle Advanced Security: Transparent Data Encryption for Media

[Diagram: Disk, Backups, Exports, Off-Site Facilities]

- TDE integrated with Oracle Data Pump for bulk export/import to OS flat files
- TDE integrated with Oracle RMAN for database backup and recovery
- RMAN and Data Pump compress and encrypt data
- Master Key, passphrase, or both can be used to encrypt export and backup files
  - No need to distribute production master key with exports or backups
- Master key not automatically backed up with database

Oracle Advanced Security: Strong Authentication

[Diagram: Strong Authentication, Application, Kerberos, X509 v3]

- TDE returns clear text data to authenticated, authorized database users
- Critical to protect against stolen credentials & increase assurance of database user identities, especially privileged application users and DBAs
- Strong authentication schemes supported: Kerberos, PKI & RADIUS (for one-time password tokens, risk-based authentication, etc.)

Data At Rest Encryption: Architectural Considerations

[Chart: axes "Ease of Deployment" and "Security"; plotted options: Disk, Application, NAS Encryption, Oracle Database; corner labels: "Hard and Not Secure", "Easy and Secure"]

Oracle Advanced Security: Transparent Data Encryption Performance

Encryption processing rate (MB/CPU seconds), Oracle Database Enterprise Edition 11.2.0.2:

Operation            Intel Xeon X5570 w/o Intel IPP   Intel Xeon X5680 w/ Intel IPP   Speedup
AES-256 encryption   57                               559                             10x
AES-256 decryption   58                               468                             8x

- "Encrypting data is expensive" is a myth (started with bad third party solutions!)
- Incremental CPU ~5% with 10x speed-up if cryptographic hardware available
- Incremental CPU reduced even more if using Oracle Advanced Compression or Exadata Hybrid Columnar Compression (EHCC)
  - If compression ratio is 75%, we have to encrypt 75% less data!

Oracle Advanced Security: Applications and Column TDE

Command line syntax for scripts and custom applications

Encrypt column in existing table:
    SQL> alter table clients modify (cr_card_nbr encrypt);
Encrypt column in new table:
    SQL> create table customers(
           first_name  varchar2(64),
           last_name   varchar2(64) encrypt using 'AES256',
           cr_card_nbr varchar2(32) encrypt 'NOMAC' no salt
         );

Numerous Oracle and non-Oracle application certifications:
- Oracle E-Business Suite 11i and Release 12
- Oracle PeopleSoft Enterprise 8.46+
- Oracle Siebel CRM 7.7+
- SAP 640 and 700
- Oracle Internet Directory 10.1.4.2
- iflex FLEXCUBE 10.0
- RETEK Retail Sales Audit (RESA):
  - RESA 12.0+ and 13.0 (Oracle Database 10gR2)
  - RESA 13.1 (Oracle Database 11gR1)

Oracle Advanced Security: Applications and Tablespace TDE

Command line syntax for scripts and custom applications

    SQL> create tablespace SECURE datafile '/opt/enc_tbs.dbf' size 100M
         encryption using 'AES256' default storage(encrypt);

- Can't encrypt existing tablespaces
- Can use partitioning and dbms_redefinition to move data into new encrypted tablespaces without downtime or application changes

Numerous Oracle and non-Oracle application certifications:
- Oracle E-Business Suite 11i and Release 12
- Oracle PeopleSoft Enterprise 8.48+
- Oracle Siebel CRM 8.0+
- Oracle JD Edwards EnterpriseOne
- SAP 640_EX2+ (UNIX and Linux)
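The slide says existing data can be moved into a new encrypted tablespace with dbms_redefinition; the sequence below is an added worked example of that move, not code from the original deck. The schema APP, the primary key on CLIENTS and the interim table CLIENTS_INT are assumed names; SECURE is the encrypted tablespace from the slide's CREATE TABLESPACE statement.

```sql
-- Added example (not from the slides). Assumed names: schema APP, a primary
-- key on CLIENTS, interim table CLIENTS_INT.

-- 1. Empty interim copy of the table, placed in the encrypted tablespace.
CREATE TABLE app.clients_int TABLESPACE secure
AS SELECT * FROM app.clients WHERE 1 = 0;

-- 2. Confirm the table qualifies for primary-key based online redefinition
--    (raises an error if it does not).
BEGIN
  DBMS_REDEFINITION.CAN_REDEF_TABLE('APP', 'CLIENTS',
                                    DBMS_REDEFINITION.CONS_USE_PK);
END;
/

-- 3. Copy rows and dependent objects while the application keeps using CLIENTS.
SET SERVEROUTPUT ON
DECLARE
  l_errors PLS_INTEGER;
BEGIN
  DBMS_REDEFINITION.START_REDEF_TABLE(
    uname => 'APP', orig_table => 'CLIENTS', int_table => 'CLIENTS_INT',
    options_flag => DBMS_REDEFINITION.CONS_USE_PK);
  DBMS_REDEFINITION.COPY_TABLE_DEPENDENTS(
    uname => 'APP', orig_table => 'CLIENTS', int_table => 'CLIENTS_INT',
    copy_indexes => DBMS_REDEFINITION.CONS_ORIG_PARAMS,
    copy_triggers => TRUE, copy_constraints => TRUE, copy_privileges => TRUE,
    ignore_errors => TRUE, num_errors => l_errors);
  DBMS_OUTPUT.PUT_LINE('dependent-object errors: ' || l_errors);
EXCEPTION
  WHEN OTHERS THEN
    DBMS_REDEFINITION.ABORT_REDEF_TABLE('APP', 'CLIENTS', 'CLIENTS_INT');
    RAISE;
END;
/

-- 4. Review anything that failed to copy before swapping the tables.
SELECT object_type, object_name, ddl_txt
FROM   dba_redefinition_errors
WHERE  base_table_owner = 'APP' AND base_table_name = 'CLIENTS';

-- 5. Apply changes made during the copy, then swap the two tables.
BEGIN
  DBMS_REDEFINITION.SYNC_INTERIM_TABLE('APP', 'CLIENTS', 'CLIENTS_INT');
  DBMS_REDEFINITION.FINISH_REDEF_TABLE('APP', 'CLIENTS', 'CLIENTS_INT');
END;
/

-- 6. Indexes copied with CONS_ORIG_PARAMS keep their original, unencrypted
--    tablespace and hold clear-text key values. List them, then move each:
--    ALTER INDEX app.<index_name> REBUILD TABLESPACE secure ONLINE;
SELECT index_name, tablespace_name
FROM   dba_indexes
WHERE  owner = 'APP' AND table_name = 'CLIENTS';

-- 7. CLIENTS_INT now owns the old unencrypted segment; drop it.
DROP TABLE app.clients_int PURGE;
```

Dropping the interim table frees the old blocks but does not overwrite them, so the original datafile can still contain clear-text remnants until that space is reused or the file is securely removed.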

Oracle Advanced Security Case Study

Interactive, Inc. is the consumer subsidiary of TransUnion, a global leader in credit and information management, which maintains credit histories on an estimated 500 million consumers worldwide.

Challenge
- Must comply w/ PCI DSS requirements for encryption
- Many custom apps: LOB data type

Solution
- Considered all options including tokenization and disk encryption
- Oracle Advanced Security w/ TDE

Benefits
- Zero application changes needed: saved significant time and cost
- Zero down time with deployment of tablespace encryption
- Key rotation does not require downtime or impact performance
- Works seamlessly with Oracle Database partitioning, compression, etc.
- Satisfied all auditor requirements!

Oracle Advanced Security Case Study

has been delivering academic excellence with professional focus for nearly 90 years. Offers 60 undergraduate & 20 graduate degree programs to 4,000 students.

Challenge
- Growing threat from hackers
- Need to comply with regulations calling for encrypting Personally Identifiable Information (PII)

Solution
- Wanted end-to-end data encryption quickly and at low cost
- Oracle Advanced Security

Benefits
- Oracle Advanced Security provided encryption of data in motion and at rest, media encryption, and strong authentication (using PKI certificates).
- Oracle Advanced Security deployed in 3 weeks
- Student and university data protected
- University regulatory compliance enhanced

Oracle Advanced Security Case Study

is the world's leading provider of diagnostic testing, information and services that patients and doctors need to make better healthcare decisions. Pioneer in developing innovative diagnostic tests & advanced healthcare information technology solutions that help improve patient care.

Challenge
- Concerned about protection of IP
- Secure sensitive employee data

Solution
- High-performance encryption w/ HSM
- Oracle Advanced Security w/ Column TDE

Benefits
- Implemented Oracle's PeopleSoft data encryption with Oracle Advanced Security with Column TDE in a few hours; no application changes required
- Observed average end-user response time increase of ~2.5%
- Used HSM to manage TDE Master Key in high assurance hardware
- Made Oracle Advanced Security TDE the corporate data encryption standard

Oracle Advanced Security Case Studies

Case study headings: Protecting PII and PCI; 50 Million Tests Per Year; Defense in Depth Security of Patient and Donor Data

- Encrypting Personally Identifiable Information
- Encrypt tester's personal data
- Transparent encryption of data at rest and on backups
- PCI DSS Compliance
- Secure patient and donor data
- Encrypting production and masking nonproduction data
- HIPAA/HITECH Compliance
- Transparent data encryption
- No application changes or performance impact
- PCI DSS compliance

Oracle Database Security Platform

Maximum Security for Oracle Databases
- Capabilities: Transparent Data Encryption, Privileged User Controls, Multi-Factor Authorization, Data Classification, and Change Tracking
- Products: Oracle Advanced Security, Oracle Database Vault, Oracle Label Security, Oracle Total Recall

Security for Oracle and non-Oracle Databases Outside the Database
- Capabilities: Database Activity Auditing and Reporting, SQL Traffic Monitoring and Blocking, Real-Time Alerting, Workflow Automation
- Products: Oracle Audit Vault, Oracle Database Firewall

Security for Production and non-Production Database Environments
- Capabilities: Secure Configuration Scanning, Automated Patching, Configuration Change Control, Sensitive Data Discovery, Data Masking
- Products: Oracle Database Lifecycle, Oracle Enterprise Manager, Oracle Data Masking

Oracle Advanced Security: Key Features By Release

[Table: feature availability by release, Oracle 9i through Oracle Database 11g Release 2; per-release check marks not recoverable from the transcription]

Features listed:
- Crypto accel. w/ Intel XEON 56xx w/ AES-NI
- TDE tablespace encryption & Advanced Compression / HCC
- TDE with Exadata
- HSM support for TDE tablespace encryption
- TDE tablespace encryption
- TDE column encryption for SecureFiles
- HSM support for TDE column encryption
- TDE column encryption
- Network encryption & Integrity
- Strong authentication

For More Information

- search.oracle.com: "database security"
- or oracle.com/goto/database/advanced-security
- oracle.com/goto/database/security-customers

Q&A
