Security Defense-in-Depth: Latest Innovations in Oracle Security
Scott Grykowski, CISSP, Sales Consulting Senior Manager, Oracle Corporation

Agenda
Database Security
- The World Today
- Defense in Depth
- Solution Overview
- Customer Success Stories
Identity Management
- Identity Management Trends
- Identity Suite Overview
- Securing the Extended Enterprise
The World Today

Loss of Data Continuing to Grow Worldwide
- Two-thirds of sensitive and regulated information resides in databases, and that volume is doubling every two years
- 98% of stolen records were taken from databases
- Over 2 billion records compromised, and that is just the tip of the iceberg (2012 Verizon Data Breach Investigations Report)
Source: IDC, 2011 and Verizon Data Breach Investigations Report, 2012

Why Are Databases So Vulnerable?
- 97% of data breaches were avoidable with basic controls
- But less than 20% of IT security programs address databases
- Attacks against databases exploit legitimate access
- The attack surface is people, not servers
Source: Forrester, 2012 and Verizon Data Breach Investigations Report, 2012
Core Principles
Defense in Depth: overlapping layers of control, from the outside in:
- Policies, procedures, and awareness
- Physical security
- Perimeter security
- Internal networks
- Host security
- Application-level security
- Database-level security
- Data protection (production and development)
Least Privilege (Identity and Access Management): any user, whether an application end user or a database administrator, has access only as needed to perform tasks based on job function or role. Need to know and compartmentalization apply to everyone, including DBAs and OS admins.
Governance (governance, risk, compliance): security management and monitoring; incident response, vulnerability and threat management, configuration and change management.

Oracle Database Security Solutions: Defense-in-Depth for Maximum Security
PREVENTIVE: Encryption; Redaction and Masking; Privileged User Controls
DETECTIVE: Activity Monitoring; Database Firewall; Auditing and Reporting
ADMINISTRATIVE: Privilege Analysis; Sensitive Data Discovery; Configuration Management

Solution Overview
Encryption Is the Foundation
Preventive Control for Oracle Databases: Oracle Advanced Security
- Transparent data encryption in the database (network encryption is now included with the database)
- Prevents access to data at rest
- Requires no application changes
- Built-in two-tier key management
- Near-zero overhead with hardware support
- Integrations with Oracle technologies, e.g. Exadata, Advanced Compression, ASM, GoldenGate, Data Pump, etc.
(Diagram: encrypted data stays protected across applications, disk, backups, exports and off-site facilities)

Redaction of Sensitive Data Displayed
Preventive Control for Oracle Database 12c: Oracle Advanced Security
- Real-time sensitive data redaction based on database session context
- Library of redaction policies and point-and-click policy definition
- Consistent enforcement: policies are applied to the data, not to each application
- Transparent to applications, users, and operational activities
Example: credit card numbers stored in the database
  4451-2172-9841-4368
  5106-8395-2095-5938
  7830-0032-0294-1827
The redaction policy returns xxxx-xxxx-xxxx-4368 to the call center application, while the billing department sees the full value 4451-2172-9841-4368.
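The slide's call-center versus billing behaviour, written as an Oracle Data Redaction policy using the DBMS_REDACT package. This is an added example, not code from the presentation; the BILLING schema, the CUSTOMERS table, the CARD_NUM column and the account name BILLING_APP are assumed names.

```sql
-- Added example (not from the slides). Assumed names: schema BILLING,
-- table CUSTOMERS, column CARD_NUM, application account BILLING_APP.
CREATE TABLE billing.customers (
  cust_id   NUMBER PRIMARY KEY,
  card_num  VARCHAR2(19)
);
-- Constructed sample rows, the same three numbers shown on the slide.
INSERT INTO billing.customers VALUES (1, '4451-2172-9841-4368');
INSERT INTO billing.customers VALUES (2, '5106-8395-2095-5938');
INSERT INTO billing.customers VALUES (3, '7830-0032-0294-1827');
COMMIT;

-- Partial redaction. In the input format, V marks a digit that may be
-- redacted and F a fixed separator that is passed through; positions 1-12
-- of the V characters are replaced with 'x', so only the last four digits
-- survive. The expression decides per session whether the policy fires:
-- it is true for everyone except the billing application account, which
-- therefore keeps seeing the full number.
BEGIN
  DBMS_REDACT.ADD_POLICY(
    object_schema       => 'BILLING',
    object_name         => 'CUSTOMERS',
    column_name         => 'CARD_NUM',
    policy_name         => 'redact_card_num',
    function_type       => DBMS_REDACT.PARTIAL,
    function_parameters => 'VVVVFVVVVFVVVVFVVVV,VVVV-VVVV-VVVV-VVVV,x,1,12',
    expression          => 'SYS_CONTEXT(''USERENV'',''SESSION_USER'') <> ''BILLING_APP''');
END;
/

-- Same query, two different results depending on who is connected:
--   call center session : xxxx-xxxx-xxxx-4368
--   BILLING_APP session : 4451-2172-9841-4368
SELECT card_num FROM billing.customers WHERE cust_id = 1;

-- Check that the policy is in place and enabled. Redaction changes only
-- what is returned, never what is stored, so the stored value is intact.
SELECT policy_name, expression, enable
  FROM redaction_policies
 WHERE object_owner = 'BILLING' AND object_name = 'CUSTOMERS';
```

Users holding the EXEMPT REDACTION POLICY system privilege bypass all redaction policies, so review who has that grant as part of rolling a policy out.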
Masking Data for Non-Production Use
Preventive Control for Oracle Databases: Oracle Data Masking
- Replace sensitive application data
- Extensible template library and formats
- Application templates available
- Referential integrity detected/preserved
- At-source masking and sub-setting*
- Support for masking data in non-Oracle databases

Production:
LAST_NAME   SSN          SALARY
AGUILAR     203-33-3234  40,000
BENSON      323-22-2943  60,000

Non-Production (Test, Dev):
LAST_NAME   SSN          SALARY
BKJHHEIEDK  252-34-1345  40,000
ANSKEKSL    323-23-1111  60,000

*Requires use of Oracle Test Data Management

Privileged User Controls
Preventive Control for Oracle Databases: Oracle Database Vault
- Limit DBA access to application data
- Multi-factor SQL command rules
- Realms create protective zones
- Enforce enterprise data governance, least privilege, segregation of duties
- Out-of-the-box application policies
(Diagram: realms around the Procurement, HR and Finance applications; a DBA issuing "select * from finance.customers" is subject to the Finance realm, and the Security DBA and Application DBA are separate roles)

Label Based Access Control
Preventive Control for Oracle Databases: Oracle Label Security
- Virtual information partitioning for cloud, SaaS and hosting environments
- Classify users and data using labels
- Labels based on business drivers
- Automatically enforced row-level access control, transparent to applications
- Labels can be factors in other policies
(Diagram: rows labeled Confidential, Sensitive and Public, e.g. Sensitive Transactions, Confidential Report Data, Public Reports)
Oracle Audit Vault and Database Firewall
Detective/Preventive Solution for Oracle and Non-Oracle Databases
- Database Firewall sits between users and applications and the databases; each SQL statement can be allowed, logged, alerted on, substituted, or blocked
- Firewall events and audit data (database, OS, directory, file system and custom audit logs) are consolidated in the Audit Vault
- Policies, built-in reports and custom reports serve the auditor and the security analyst; alerts are sent to the SOC
Discover Use of Privileges and Roles
Administrative Control for Oracle Database 12c: Oracle Database Vault (Privilege Analysis)
- Turn on privilege capture mode
- Report on the privileges and roles actually used in the database
- Helps revoke unnecessary privileges
- Enforce least privilege and reduce risks
- Increase security without disruption
(Diagram: Privilege Analysis compares the Create, Drop and Modify privileges granted through the DBA role and the APPADMIN role against those actually used)

Discover Sensitive Data and Databases
Administrative Control for Oracle Database 12c: Oracle Enterprise Manager 12c
- Scan Oracle databases for sensitive data
- Built-in, extensible data definitions
- Discover application data models
- Protect sensitive data appropriately: encrypt, redact, mask, audit

Customer Success Stories
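The capture, report and revoke cycle described on the slide, written against the DBMS_PRIVILEGE_CAPTURE package and the DBA_USED_PRIVS / DBA_UNUSED_PRIVS views that Oracle Database 12c provides for privilege analysis. This is an added example, not code from the presentation; the capture name appadmin_role_usage, the APPADMIN role and the revoked privilege are assumed for illustration. Running it requires the CAPTURE_ADMIN role.

```sql
-- Added example (not from the slides). Assumed names: capture
-- appadmin_role_usage and role APPADMIN.

-- 1. Define a capture scoped to privileges exercised through the APPADMIN
--    role. G_DATABASE would instead record all privilege use database-wide.
BEGIN
  DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE(
    name        => 'appadmin_role_usage',
    description => 'Privileges actually used via APPADMIN',
    type        => DBMS_PRIVILEGE_CAPTURE.G_ROLE,
    roles       => ROLE_NAME_LIST('APPADMIN'));
  -- Capture mode on: the slide's "turn on privilege capture mode".
  DBMS_PRIVILEGE_CAPTURE.ENABLE_CAPTURE('appadmin_role_usage');
END;
/

-- 2. Let the application run a representative workload (include month-end,
--    batch and admin tasks, or rarely used privileges will look unused),
--    then stop capturing and materialise the report rows.
BEGIN
  DBMS_PRIVILEGE_CAPTURE.DISABLE_CAPTURE('appadmin_role_usage');
  DBMS_PRIVILEGE_CAPTURE.GENERATE_RESULT('appadmin_role_usage');
END;
/

-- 3. Report. First confirm the workload exercised the role at all ...
SELECT username, sys_priv, obj_priv, object_owner, object_name
  FROM dba_used_privs
 WHERE capture = 'appadmin_role_usage'
 ORDER BY username, sys_priv, obj_priv;

-- ... then list the grants held through APPADMIN that were never used.
SELECT username, sys_priv, obj_priv, object_owner, object_name
  FROM dba_unused_privs
 WHERE capture = 'appadmin_role_usage'
 ORDER BY username, sys_priv, obj_priv;

-- 4. Revoke from the role only what the unused report shows, one grant at a
--    time, so the application keeps working ("without disruption").
--    DROP ANY TABLE is a placeholder for whatever the report returned.
REVOKE DROP ANY TABLE FROM appadmin;
```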
Oracle Database Security Customers
www.oracle.com/goto/database/security-customers
- SquareTwo Enables Fast Growth with Oracle Database Solutions: SquareTwo enables fast growth and regulatory compliance with Oracle Database security defense-in-depth solutions including Oracle Database Firewall, Oracle Data Masking, and Oracle Advanced Security
- National Marrow Donor Program Database Defense-in-Depth: NMDP secures life-saving patient and donor data with Oracle Advanced Security, Oracle Database Vault, and Oracle Data Masking
- T-Mobile Protects 35 Million Subscribers Using Oracle: T-Mobile explains how they use Oracle Database Firewall, Oracle Advanced Security, and Oracle Data Masking to secure sensitive data across the organization in both Oracle and non-Oracle databases
- TransUnion Interactive Uses Database Firewall for Compliance: hear how TransUnion Interactive protects customer data and meets regulatory compliance with database activity monitoring using Oracle Database Firewall
- ETS Complies with PCI DSS Using Oracle Advanced Security: Educational Testing Service secures personally identifiable information (PII) and complies with regulatory requirements with Oracle Advanced Security

Agenda
Database Security
- The World Today
- Defense in Depth
- Solution Overview
- Customer Success
Identity Management
- Identity Management Trends
- Identity Suites Overview
- Securing the Extended Enterprise
New Trends Transforming the Identity Business
- Mobile Access
- Social Identity
- Cloud Security
- Identity Provider
- Internet of Things
Oracle Confidential

(Diagram: the Oracle Identity Management platform, with Access, Governance and Directory pillars spanning enterprise, mobile and cloud)

New Technologies and Services Require Integrated Technologies
Governance: Password Reset; Privileged Accounts; Access Request; Role-Based Provisioning; Role Mining; Attestation; Separation of Duties
Access: Web Single Sign-On; Federation; Mobile, Social & Cloud; External Authorization; SOA Security; Integrated ESSO; Token Services; Fraud Detection; Privileged Account Manager
Directory: LDAP Storage; Virtual Directory; Meta Directory; Platform Security Services

Governance: Automate and Identify Who Has Access to What
(Diagram: identity populations, i.e. customers & prospects, contractors & partners, employees and privileged systems admins, are governed through a common repository and access entitlement catalog covering cloud applications/services, enterprise applications, operating systems, directory services and databases, labeled "complete governance")

Oracle Access Management 11gR2 Reference Architecture
(Diagram: complete, simplified, innovative, scalable)
Oracle Directory Services: Highly Scalable, Easy to Deploy
- Unify identity across directories, databases and web services in real time
- Fully integrated with Oracle databases, middleware and applications
- Complete metadata and integration platform
Directory Services Plus: Unified Directory; Internet Directory; Virtual Directory; Directory Services Enterprise Edition

Oracle Mobile Security Strategy: Securely Separate and Manage Corporate Apps and Data on Devices
Secure container for app security and control:
- Separate, protect and wipe corporate applications and data
- Strict policies to restrict users from viewing/moving data out of the container
- Consistent support across multiple mobile platforms
Secure controls and management for enterprise apps:
- Secure communication with enterprise application servers
- Corporate app store
Extend IDM services to avoid redundancy and overlaps:
- Common users, roles, policies, access request, certificates, etc.
- SSO for native and browser apps
- Risk/policy-based step-up and strong authentication

Market Overview: Oracle Is the Leader
Identity Management is a business enabler market:
- Every cloud, mobile or social application requires identity management
- Reducing the costs and risks of identifying who has access to what is a top priority for organizations
- A platform approach to identity management reduced costs by 48% and errors by 35%
- Oracle is the market-leading provider of a complete Identity Management platform (user provisioning, identity governance, performance)
- Oracle has 30,000 Identity Management customers in 45 countries

Oracle Recommends: Use a Proven and Cost-Effective Approach
- DEFENSE IN DEPTH: apply multiple overlapping controls to secure strategic assets
- LEAST PRIVILEGE: practices to ensure access is based on need to know
- SECURE WHAT IS STRATEGIC: move controls closer to the systems and applications they are intended to protect

Join the Community
- Twitter: twitter.com/oracleidm
- Facebook: facebook.com/oracleidm
- Oracle Blogs: Blogs.oracle.com/OracleIDM
- Oracle IdM Website: oracle.com/identity