Oracle Database Security Overview




Transcription:

Oracle Database Security Overview
Tammy Bednar, Sr. Principal Product Manager, tammy.bednar@oracle.com

Data Security Challenges
- What to secure?
  - Sensitive Data: Confidential, PII, regulatory
  - Data in packaged and custom applications
  - Secure Life cycle: creation, transit, storage, backup, test, transfer
- Can we secure it now?
  - Secure using existing systems? Transparent?
  - Loss, Unauthorized access, Separation of Duty
- Will it meet business requirements?
  - Flexible, Transparent, Compliant?
  - Secures both custom and packaged applications?
- Will it reduce operational cost?
  - Easy to manage? Performant?

Oracle Database Security: Defense-in-Depth for Security and Compliance
- Monitoring: Configuration Management, Audit Vault, Total Recall
- Access Control: Database Vault, Label Security
- Encryption and Masking: Advanced Security, Secure Backup, Data Masking

Oracle Database Security: Defense-in-Depth for Security and Compliance
- Encryption and Masking: Advanced Security, Secure Backup, Data Masking

Oracle Advanced Security: Transparent Data Encryption
(Diagram: Disk, Backups, Exports, Application, Off-Site Facilities)
- No application changes required
- Efficient encryption of all application data
- Built-in key lifecycle management
- Works with Exadata V2 Smart Scans
- Works with Oracle Advanced Compression

Security Tip: Migrate Oracle PeopleSoft applications to encrypted tablespaces without downtime and data loss with this free downloadable script and detailed implementation guide:
http://www.oracle.com/technology/deploy/security/database-security/pdf/tde_tabsp_enc_for_psft.zip

Oracle Advanced Security: Network Encryption & Strong Authentication
- Standard-based encryption for data in transit
- Strong authentication of users and servers
- No infrastructure changes required
- Easy to implement

Oracle Secure Backup: Integrated Tape or Cloud Backup Management
- Secure data archival to tape or cloud
- Easy to administer key management
- Fastest Oracle Database tape backups
- Leverage low-cost cloud storage

Oracle Data Masking: Irreversible De-Identification

Production
LAST_NAME    SSN           SALARY
AGUILAR      203-33-3234   40,000
BENSON       323-22-2943   60,000

Non-Production
LAST_NAME    SSN           SALARY
ANSKEKSL     111-23-1111   40,000
BKJHHEIEDK   222-34-1345   60,000

- Remove sensitive data from non-production databases
- Referential integrity preserved so applications continue to work
- Extensible template library and policies for automation

Large Credit Card Services Provider: Cost Effective Encryption of Card Holder Data
Business Challenges:
- Protect sensitive card holder data
- Comply with PCI
Solution:
- Deployed Oracle Advanced Security TDE Tablespace Encryption
Business Results:
- Addressed internal and external requirements
- Leveraged Oracle Advanced Security integration with Hardware Security Modules for network based management of TDE master encryption key

U.S. Pharmaceutical Tools Manufacturer: Oracle Advanced Security Protects Sensitive Data
Business Challenges:
- Worried about protection of intellectual property and sensitive employee data
Solution:
- Oracle Advanced Security TDE column encryption
- Easy implementation within hours (Oracle PeopleSoft)
- TDE with HSM made corporate-wide standard
Business Results:
- Average end-user response time: +2.5%
- Cost effective and transparent implementation of data encryption with no application changes
- Protection of sensitive data at rest and on backup media

Oracle Database Security: Defense-in-Depth for Security and Compliance
- Access Control: Database Vault, Label Security
- Encryption and Masking: Advanced Security, Secure Backup, Data Masking

Oracle Database Vault: Separation of Duties & Privileged User Controls
(Diagram: Application; Procurement, HR, Finance; DBA issuing select * from finance.customers)
- DBA separation of duties
- Limit powers of privileged users
- Securely consolidate application data
- No application changes required
- Works with Oracle Exadata V2 Database Machine

Oracle Database Vault: Multi-Factor Access Control Policy Enforcement
(Diagram: Procurement, HR, Application, Rebates)
- Protect application data and prevent application bypass
- Enforce who, where, when, and how using rules and factors
- Out-of-the-box policies for Oracle applications, customizable

Oracle Label Security: Data Classification for Access Control
(Diagram: Transactions, Report Data and Reports labeled Confidential, Sensitive or Public)
- Classify users and data based on business drivers
- Database enforced row level access control
- User classification through Oracle Identity Management Suite
- Classification labels can be factors in other policies

Did you know? Finding User Accounts That Have Default Passwords
When you create a database in Oracle Database 11g Release 2 (11.2), most of its default accounts are locked with the passwords expired. To find both locked and unlocked accounts that use default passwords, log in to SQL*Plus using the SYSDBA privilege and then query the DBA_USERS_WITH_DEFPWD data dictionary view.

SELECT d.username, u.account_status
FROM DBA_USERS_WITH_DEFPWD d, DBA_USERS u
WHERE d.username = u.username
ORDER BY 2,1;

USERNAME          ACCOUNT_STATUS
----------------- --------------------------
SCOTT             EXPIRED & LOCKED

Large US Based Global Bank: Enable Secure Cost Effective Deployments
Business Challenges:
- Outsource administration of multiple applications (E-Business Suite, PeopleSoft and other in-house and 3rd party applications)
- Cross Border security controls to protect country-specific sensitive client data from DBA access in a different country
- Deploy a security solution that is certified with applications and with minimal performance overhead
Solution:
- Deployed Oracle Database Vault on 18+ applications including E-Business Suite, PeopleSoft and other internal and 3rd party applications to prevent privileged user access to application data
- Used Database Vault multi-factor authorization to enforce cross-border access control and to prevent Application Bypass
Business Results:
- Over 200K users accessing these systems globally
- Saved over $15M a year by outsourcing/off-shoring backend administration operations
- Addressed Cross Border security requirements
- Passed external audit and avoided paying fines

Pharmaceutical Services Provider: Protect Sensitive Customer Information and Address Regulations
Business Challenges:
- Protect and secure the privacy of very sensitive customer medical data and employee data in PeopleSoft
- Comply with internal policies and external regulations (HIPAA, SOX, Privacy Laws)
- Prevent privileged user access to sensitive data
Solution:
- Deployed Oracle Database Vault with out-of-the-box PeopleSoft protection policies
- Took 14 days to go production
Business Results:
- Complied with HIPAA and other privacy regulations
- Passed external audit
- Saved on consulting costs and deployment time by using the out-of-the-box Database Vault protection policies
- Deployed Database Vault with minimal changes to existing internal processes and procedures

Large European Telecom Provider: Enable Organization to Meet Regulations
Business Challenges:
- Protect the privacy of sensitive client data in their telecom billing system
- Meet internal, European Data Security Directive, and country-specific privacy requirements
- Prevent tampering or deletion of database objects or database users
Solution:
- Used Database Vault Realms and Command Rules to prevent DBAs from accessing sensitive data
- Used Command Rules to prevent tampering or deletion of database objects or users
- Used multi-factor authorization to prevent Application Bypass based on IP address
Business Results:
- Secure the third party billing system without any application changes
- Comply with internal, European, and country-specific privacy laws
- Cost effective preventive controls against any tampering or deletion of database objects or users
- Maintain good performance without buying additional hardware

Oracle Database Security: Defense-in-Depth for Security and Compliance
- Monitoring: Configuration Management, Audit Vault, Total Recall
- Access Control: Database Vault, Label Security
- Encryption and Masking: Advanced Security, Secure Backup, Data Masking

Oracle Audit Vault: Automated Activity Monitoring & Audit Reporting
(Diagram: HR Data, CRM Data, ERP Data, Databases; Audit Data; Alerts, Built-in Reports, Custom Reports, Policies; Auditor)
- Consolidate audit data into secure repository
- Detect and alert on suspicious activities
- Out-of-the-box compliance reporting
- Centralized audit policy management

Security Tip: Want to audit users that log into the database at odd hours?
- New in Oracle Database Release 11.2: audit statements for the current session using the IN SESSION CURRENT clause
- Create a database logon trigger
- If the login time is between 7:00 PM and 6:00 AM, and the session is not connecting from a trusted middle tier, audit all activity

AUDIT ALL STATEMENTS IN SESSION CURRENT;
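
The tip above written out as a logon trigger, as an added example that is not code from the original slides. The trigger name, the trusted_middle_tiers table and its addresses are hypothetical; it assumes the trigger owner holds AUDIT SYSTEM through a direct grant and that AUDIT_TRAIL is set to a value other than NONE.

```sql
-- Added example, not from the original deck. All object names and
-- addresses below are hypothetical / constructed for illustration.

-- Allow-list of middle-tier addresses exempt from odd-hours auditing.
CREATE TABLE trusted_middle_tiers (
  ip_address VARCHAR2(45) PRIMARY KEY
);
INSERT INTO trusted_middle_tiers VALUES ('192.0.2.10');  -- constructed sample
INSERT INTO trusted_middle_tiers VALUES ('192.0.2.11');  -- constructed sample
COMMIT;

CREATE OR REPLACE TRIGGER audit_odd_hours_logon
AFTER LOGON ON DATABASE
DECLARE
  -- Hour of day on the database server, 0..23.
  v_hour    PLS_INTEGER := TO_NUMBER(TO_CHAR(SYSDATE, 'HH24'));
  -- Network address of the client; NULL for local (non-TCP) connections.
  -- IP_ADDRESS is used rather than HOST because HOST is reported by the client.
  v_ip      VARCHAR2(45) := SYS_CONTEXT('USERENV', 'IP_ADDRESS');
  v_trusted PLS_INTEGER;
BEGIN
  -- Odd-hours window from the slide: 7:00 PM up to 6:00 AM.
  IF v_hour >= 19 OR v_hour < 6 THEN
    -- A NULL address matches no row, so local sessions count as untrusted.
    SELECT COUNT(*)
      INTO v_trusted
      FROM trusted_middle_tiers
     WHERE ip_address = v_ip;

    IF v_trusted = 0 THEN
      -- Applies only to this session and ends when the session ends.
      EXECUTE IMMEDIATE 'AUDIT ALL STATEMENTS IN SESSION CURRENT';
    END IF;
  END IF;
END;
/
```

An unhandled error in a logon trigger blocks logins for users without the ADMINISTER DATABASE TRIGGER privilege, so compile and test it on a non-production instance first.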

Oracle Database Auditing Performance: Audit users/tables effectively
Test environment:
- Oracle Database 11.2
- ~250 audit records / second
- 4 CPU 3.6 GHz, 4GB RAM
- Linux 2.6.9-34.0.1.0.11.ELsmp
- Existing CPU Work Load: 50%

Audit Location               Throughput Degradation   Additional CPU Used above 50%
OS file                      1.39%                    1.45%
XML format file              1.70%                    3.51%
XML format file + SQL Text   3.22%                    4.56%
Database Tables              3.84%                    4.55%
Database Tables + SQL Text   11.93%                   13.95%

Oracle Total Recall: Secure Change Tracking

SELECT salary
FROM emp AS OF TIMESTAMP TO_TIMESTAMP('02-MAY-09 12.00 AM', 'DD-MON-RR HH.MI AM')
WHERE emp.title = 'admin';

- Transparently track data changes
- Efficient, tamper-resistant storage of archives
- Real-time access to historical data
- Enables forensics and error correction

Oracle Configuration Management: Vulnerability Assessment & Secure Configuration
(Diagram: Discover, Classify, Assess, Prioritize, Fix, Monitor; Asset Management, Policy Management, Vulnerability Management, Configuration Management & Audit, Analysis & Analytics)
- Database discovery
- Continuous scanning against best practices
- Detect and prevent unauthorized configuration changes
- Change management compliance reports

European Healthcare Insurance Provider: Simplified Reporting and Stronger Security
Business Challenges:
- Internal and external database audit requirements across 10 Oracle and SQL Server databases
- Took 3 months and 2 part time people to create the audit reports for yearly audit
- No monitoring for insider threats
Solution:
- Oracle Audit Vault consolidated reporting on audit data from Oracle and SQL Server
- Oracle Audit Vault consolidation of audit data removed DBA from audit review process
Business Results:
- Saved 100s of hours in report generations
- Worked with auditors to create customized reports from the out-of-the-box default reports for personalized content
- Estimated return on investments in less than 18 months

Large Financial Services Provider: Stronger Controls
Business Challenges:
- Audit credit card transactions
- 20+ production Oracle databases with native auditing already turned on
- Need for reports and no resource or budget to create and review them
Solution:
- Oracle Audit Vault audit data collection and secure centralized storage
- Audit Vault proactively monitors privileged user access violations, failed database logins, and generates forensic data
Business Results:
- Passed internal audits
- Automated reporting on credit card transactions
- Secure consolidation of audit data
- Detected policy violations of database activity
- Deployed in production in 3 months

Large European Telco Provider: Address Telco Regulations on Call Records
Business Challenges:
- Audit credit card transactions
- 20+ production Oracle databases with native auditing already turned on
- Need for reports and no resource or budget to create and review them
Solution:
- Oracle Audit Vault audit data collection and secure centralized storage
- Audit Vault proactively monitors privileged user access violations, failed database logins, and generates forensic data
Business Results:
- Passed internal audits
- Automated reporting on credit card transactions
- Secure consolidation of audit data
- Detected policy violations of database activity
- Deployed in production in 3 months

Oracle Database Security: Defense-in-Depth for Security and Compliance
- Monitoring: Configuration Management, Audit Vault, Total Recall
- Access Control: Database Vault, Label Security
- Encryption and Masking: Advanced Security, Secure Backup, Data Masking

For More Information
- search.oracle.com: database security
- oracle.com/database/security

Oracle Products Available Online: Oracle Store
Buy Oracle license and support online today at oracle.com/store
