Oracle Database Security Solutions




Oracle Database Security Solutions
Eric Cheung, Senior Manager, Technology Sales Consulting, Eric.cheung@oracle.com, May 2008

Key Drivers for Data Security
- Privacy and compliance
  - Sarbanes-Oxley (SOX), J-SOX, GLBA
  - Payment Card Industry (PCI)
  - HIPAA, EU Privacy Directives
  - Breach disclosure laws
  - COSO, COBIT frameworks
  - Separation of duty, proof of compliance, risk assessment and monitoring
- Insider / external threats
  - Large percentage of threats go undetected
  - Outsourcing and off-shoring trend
  - Customers want to monitor insiders and DBAs

Oracle Database Security: Continuous Innovation
[Timeline figure: releases Oracle7, Oracle8i, Oracle Database 9i, Oracle Database 10g and Oracle Database 11g, each annotated with the security features introduced in it. Features named along the timeline: Data Masking, TDE Tablespace Encryption, Oracle Total Recall, Oracle Audit Vault, Oracle Database Vault, Transparent Data Encryption (TDE), Real Time Masking, Secure Config Scanning, Fine Grained Auditing, Oracle Label Security, Enterprise User Security, Virtual Private Database (VPD), Database Encryption API, Strong Authentication, Native Network Encryption, Database Auditing. The earliest entry is marked "Government customer".]

Database Security Challenges
- Data privacy and regulatory compliance
- Protecting access to application data
- Database monitoring
- Data encryption
- De-identifying information for sharing
- Data classification

Oracle Database Security Solutions for Privacy and Compliance (agenda)
- Database Vault
- Configuration Management
- Advanced Security
- Total Recall
- Secure Backup
- Audit Vault
- Data Masking
- Label Security


Oracle Database Vault: Highly Privileged User Controls
- Compliance and protection from insiders
- Eliminates security risks from server consolidation
[Figure: a DBA issuing SELECT * FROM HR.EMP against HR data and the HR application owner attempting to view Finance data; the HR Realm and the FIN Realm block both, while the HR App and the FIN App reach only their own realm.]

Oracle Database Vault: Real Time Access Controls
[Figure: HR application user, FIN application and DBA sessions are evaluated against factors before Connect and CREATE are permitted: unexpected IP address, business hours, and the HR and FIN realms.]

Oracle Database Vault: Separation of Duty
- Account management: Database Vault overrides all existing administration privileges for creating new accounts
- Security administration: Database Vault administration is done using an administration account that is separate from DBA or SYSDBA
- Traditional database administration: traditional administrative tasks are separate from account management and security administration

Major Financial Services Company Use Case
- Control privileged users
  - Prevent DBAs from accessing sensitive data in Realms
  - Set up multiple levels of DBAs
- Control access based upon environmental factors
  - Restrict hostnames authorized to access the DB
  - Control access based on geography
- Control use of ad-hoc query tools; enforce maintenance periods
  - Restrict connections by ad-hoc query tools to maintenance times or specific users
- Control patching activity
  - Patching activity requires another monitoring user to be logged in
- Control unauthorized database changes
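The realm and the environment-based rules described in the last few slides can be expressed with Database Vault's DBMS_MACADM package. The following is an added example, not code from the slides or from Oracle; the realm name, rule names, the ADHOC_USER account, the subnet and the maintenance window are assumptions chosen for illustration.

```sql
-- Added example: an HR realm plus a CONNECT command rule with Oracle Database Vault.
-- Run as the Database Vault owner (a DV_OWNER grantee), not as a DBA: that is the
-- separation of duty the slides describe. All names and values are hypothetical.

-- 1. Realm: system privileges such as SELECT ANY TABLE no longer reach HR objects.
BEGIN
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'HR Data Realm',
    description   => 'Protects HR application data from privileged users',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);   -- log every blocked access

  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'HR Data Realm',
    object_owner => 'HR',
    object_name  => '%',          -- every object in the schema
    object_type  => '%');

  -- Only the application owner is authorised inside the realm.
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'HR Data Realm',
    grantee       => 'HR',
    rule_set_name => NULL,
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_OWNER);
END;
/

-- 2. Rule set: both rules must be true (maintenance window AND admin subnet).
BEGIN
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Is Maintenance Window',
    rule_expr => q'[TO_CHAR(SYSDATE,'HH24') BETWEEN '22' AND '23']');

  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Is Admin Subnet',
    rule_expr => q'[SYS_CONTEXT('USERENV','IP_ADDRESS') LIKE '10.1.2.%']');

  DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'Maintenance Access',
    description     => 'Allow only in the window and from the admin subnet',
    enabled         => DBMS_MACUTL.G_YES,
    eval_options    => DBMS_MACUTL.G_RULESET_EVAL_ALL,
    audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
    fail_options    => DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => 'Connections allowed only during the maintenance window',
    fail_code       => 20001,
    handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);

  DBMS_MACADM.ADD_RULE_TO_RULE_SET('Maintenance Access', 'Is Maintenance Window');
  DBMS_MACADM.ADD_RULE_TO_RULE_SET('Maintenance Access', 'Is Admin Subnet');

  -- 3. Command rule: apply the rule set to CONNECT for the ad-hoc tool account.
  DBMS_MACADM.CREATE_COMMAND_RULE(
    command       => 'CONNECT',
    rule_set_name => 'Maintenance Access',
    object_owner  => 'ADHOC_USER',
    object_name   => '%',
    enabled       => DBMS_MACUTL.G_YES);
END;
/

-- 4. Verify the configuration from the Database Vault data dictionary views.
SELECT name, enabled, audit_options FROM DVSYS.DBA_DV_REALM;
SELECT command, rule_set_name, object_owner, enabled FROM DVSYS.DBA_DV_COMMAND_RULE;
```

Because the realm audits failures, a DBA's blocked SELECT against HR shows up in the Database Vault audit trail, which is the detection signal the "monitor insiders and DBAs" driver asks for.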

Oracle Database Vault: Application Certification
- PeopleSoft
- E-Business Suite
- Siebel
- Oracle Content DB
- Oracle Internet Directory


Oracle Advanced Security: Transparent Data Encryption
- Protect application data
  - Easily encrypt sensitive data
  - Protect entire application tables or specific data (credit card)
  - No changes to existing applications
- Built-in key management
  - Keys automatically generated and managed
  - Integrates with Hardware Security Modules (HSM)
[Figure: a value such as 75000 is transparently encrypted on the way into the database and transparently decrypted on the way out; only ciphertext is stored.]

Transparent Data Encryption: Point-And-Click Deployment (screenshot)

Oracle Advanced Security: Encrypting Columns
Encrypt a column in an existing table:
    alter table credit_rating modify (person_id encrypt);
Create a new table with an encrypted column:
    create table orders (
      order_id    number(12),
      customer_id number(12),
      credit_card varchar2(16) encrypt);
Note: the default algorithm is AES 192.

Oracle Advanced Security: Encrypting Tablespaces
Create a new tablespace with the ENCRYPTION clause and the keyword ENCRYPT in its default storage:
    CREATE TABLESPACE securespace2
      DATAFILE '/home/user/oradata/secure01.dbf' SIZE 150M
      ENCRYPTION
      DEFAULT STORAGE (ENCRYPT);
Note: the default algorithm is AES 128.

Oracle Advanced Security: Key Management Architecture
- Master key stored in a PKCS#12 wallet
- Oracle Data Dictionary stores the column keys, encrypted with the master key
- Security DBA opens the wallet containing the master key
[Figure: application users access FIN application data and HR application data; each set is encrypted under its own column key by Transparent Data Encryption.]

Oracle Advanced Security: Key Management Architecture with HSM
- Master key stored in the HSM
- Oracle Data Dictionary stores the column keys, encrypted with the master key
- Security DBA opens the wallet that references the master key
[Figure: application users access FIN application data and HR application data; each set is encrypted under its own column key by Transparent Data Encryption, with the master key held in the HSM.]
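The column-encryption, tablespace-encryption and wallet slides above describe one workflow. The following is an added example, not from the slides or from Oracle, that runs it end to end with Oracle Database 11g syntax; the wallet path, the password, the AES256 choice and the table and tablespace names are assumptions.

```sql
-- Added example: a minimal TDE setup on Oracle Database 11g (11g syntax; 12c
-- replaces ALTER SYSTEM SET ENCRYPTION with ADMINISTER KEY MANAGEMENT).
-- The wallet location is configured in sqlnet.ora, which is not SQL, so it is
-- shown here as a comment (hypothetical path):
--   ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=
--     (DIRECTORY=/u01/app/oracle/admin/ORCL/wallet)))
-- With a hardware security module, METHOD=HSM replaces the file location.

-- 1. Security DBA: generate the master key (this also creates the wallet), then open it.
--    The master key never leaves the wallet or HSM; column keys are wrapped with it.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "wallet-password-placeholder";
-- Needed after every instance restart unless an auto-login wallet is used:
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "wallet-password-placeholder";

-- 2. Column encryption. The algorithm is explicit here (the default is AES192).
--    NO SALT is required only if the column must be indexed; otherwise keep the salt,
--    which stops equal plaintexts from producing equal ciphertexts.
CREATE TABLE orders (
  order_id    NUMBER(12),
  customer_id NUMBER(12),
  credit_card VARCHAR2(16) ENCRYPT USING 'AES256'
);
ALTER TABLE credit_rating MODIFY (person_id ENCRYPT USING 'AES256' NO SALT);

-- 3. Tablespace encryption: everything created in it (tables, indexes, LOBs) is
--    encrypted on disk; the default algorithm is AES128.
CREATE TABLESPACE securespace2
  DATAFILE '/home/user/oradata/secure01.dbf' SIZE 150M
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

-- 4. Verify what is actually encrypted and that the wallet is open.
SELECT owner, table_name, column_name, encryption_alg, salt
  FROM dba_encrypted_columns;

SELECT ts.name, e.encryptionalg, e.encryptedts
  FROM v$encrypted_tablespaces e
  JOIN v$tablespace ts ON ts.ts# = e.ts#;

SELECT wrl_type, wrl_parameter, status FROM v$encryption_wallet;
```

TDE protects data at rest (datafiles, backups, exported tablespaces). While the wallet is open, anyone holding SELECT on the table still reads plaintext, which is why the slides pair it with Database Vault realms and auditing rather than presenting it as an access control.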

Oracle Secure Backup: Integrated Tape Backup Management
- Improved security and manageability
  - Backup encryption for file systems added
  - Automated backup of the OSB catalog
  - Policy-based migration from Virtual Tape Library (VTL) to tape
- Advanced media management
  - Vaulting provides automatic rotation of tapes between multiple locations
  - Tape duplication based on policies
  - Sun StorageTek ACSLS support
- Improved performance
  - No backup (and reads) of committed undo
[Figure: Oracle Databases (integrated with RMAN) and file system data (UNIX, Windows, Linux, NAS) feed Oracle Secure Backup, centralized tape backup management, which writes to tape.]


Oracle Label Security: Access Control by Data Classification
- Additional access control check
  - The database verifies that the requestor has table privileges first (select, update, insert, ...)
  - Label Security mediates additional access based on the sensitivity assigned to the data or operation
- Specialized security solution
- Components
  - User label authorizations
  - Data labels
  - Special user privileges
  - Enforcement options
[Figure: data rows labelled Highly Sensitive, Sensitive and Confidential; users hold a label authorization ("security clearance") such as Sensitive or Highly Sensitive.]

Sensitivity Label Components: More Than Just Levels
- Sensitivity level (Confidential, Sensitive, Highly Sensitive); example label: Sensitive
- Plus zero or more compartments (HR, PII, FIN, LEGAL); example label: Sensitive : HR
- Plus zero or more groups (US, Europe, Global); example label: Sensitive : HR : US
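The level : compartment : group label built up across these slides is created with the Oracle Label Security administrative packages. The following is an added example, not from the slides or from Oracle; the policy name HR_POL, the table HR.EMP_SENSITIVE, the user HR_REP_US and the numeric component tags are assumptions.

```sql
-- Added example: an OLS policy whose labels match the slides (Sensitive : HR : US).
-- Run as a user with the LBAC_DBA role for SA_SYSDBA and the policy's HR_POL_DBA
-- role for the other packages. All names and tag numbers are hypothetical.

-- 0. Sample table (constructed for this example); OLS will add the label column.
CREATE TABLE hr.emp_sensitive (
  employee_id NUMBER PRIMARY KEY,
  last_name   VARCHAR2(30),
  salary      NUMBER
);

-- 1. Policy and its label column; HIDE keeps the column out of SELECT *.
BEGIN
  SA_SYSDBA.CREATE_POLICY(
    policy_name     => 'HR_POL',
    column_name     => 'HR_LABEL',
    default_options => 'READ_CONTROL,WRITE_CONTROL,HIDE');
END;
/

-- 2. Components. Levels are ordered by their number; compartments and groups are
--    unordered sets, and groups may form a hierarchy (US and EU under GLOBAL).
BEGIN
  SA_COMPONENTS.CREATE_LEVEL('HR_POL', 1000, 'C',  'Confidential');
  SA_COMPONENTS.CREATE_LEVEL('HR_POL', 2000, 'S',  'Sensitive');
  SA_COMPONENTS.CREATE_LEVEL('HR_POL', 3000, 'HS', 'Highly Sensitive');

  SA_COMPONENTS.CREATE_COMPARTMENT('HR_POL', 100, 'HR',    'Human Resources');
  SA_COMPONENTS.CREATE_COMPARTMENT('HR_POL', 110, 'PII',   'Personal data');
  SA_COMPONENTS.CREATE_COMPARTMENT('HR_POL', 120, 'FIN',   'Finance');
  SA_COMPONENTS.CREATE_COMPARTMENT('HR_POL', 130, 'LEGAL', 'Legal');

  SA_COMPONENTS.CREATE_GROUP('HR_POL', 10, 'GLOBAL', 'Global');
  SA_COMPONENTS.CREATE_GROUP('HR_POL', 20, 'US',     'United States', 'GLOBAL');
  SA_COMPONENTS.CREATE_GROUP('HR_POL', 30, 'EU',     'Europe',        'GLOBAL');
END;
/

-- 3. Data labels (level:compartments:groups), enforcement on the table, and one
--    user's clearance.
BEGIN
  SA_LABEL_ADMIN.CREATE_LABEL('HR_POL', 2100, 'S',               TRUE);
  SA_LABEL_ADMIN.CREATE_LABEL('HR_POL', 2110, 'S:HR',            TRUE);
  SA_LABEL_ADMIN.CREATE_LABEL('HR_POL', 2120, 'S:HR:US',         TRUE);
  SA_LABEL_ADMIN.CREATE_LABEL('HR_POL', 3100, 'HS:HR,PII:GLOBAL', TRUE);

  -- OLS evaluates its check after the normal object-privilege check has passed.
  SA_POLICY_ADMIN.APPLY_TABLE_POLICY(
    policy_name => 'HR_POL',
    schema_name => 'HR',
    table_name  => 'EMP_SENSITIVE');

  -- A US HR representative: reads and writes up to S:HR:US, never below C.
  SA_USER_ADMIN.SET_USER_LABELS(
    policy_name     => 'HR_POL',
    user_name       => 'HR_REP_US',
    max_read_label  => 'S:HR:US',
    max_write_label => 'S:HR:US',
    min_write_label => 'C',
    def_label       => 'S:HR:US',
    row_label       => 'S:HR:US');
END;
/

-- 4. Labelled data: CHAR_TO_LABEL converts the string form into the stored tag.
INSERT INTO hr.emp_sensitive (employee_id, last_name, salary, hr_label)
VALUES (9001, 'Aguilar', 40000, CHAR_TO_LABEL('HR_POL', 'S:HR:US'));
COMMIT;
```

A reader whose maximum read label lacks the HR compartment or the US group does not see the row at all, even with SELECT on the table; that is the "additional access control check" from the previous slide.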

Oracle Enterprise Manager (screenshot)

Oracle Label Security: Flexible Policy Model
- HR Policy: levels Confidential, Sensitive, Highly Sensitive; compartment PII Data; groups HR REP, Senior HR REP
- Law Enforcement: levels Level 1, Level 2, Level 3; compartments Investigation, Internal Affairs, Drug Enforcement; groups Local Jurisdiction, FBI
- Government Policy: levels Confidential, Secret, Top Secret; compartments Desert Storm, Border Protection; groups NATO, Homeland Security, Justice

Oracle Label Security: Additional Use Cases
- Embed in Database Vault command rules: compare label authorizations in command rules for separation-of-duty customization
- Embed in data masking decisions: use with VPD column real-time data masking to decide whether to NULL out PII data returned in a query
- Show application users' current working label authorization on information portals


Off-Line Data Masking
- Oracle Enterprise Manager automates production data masking
  - Easily mask existing application data
  - No impact on the production database (masking runs on a cloned database)
  - Built-in data relationship discovery: uses foreign key definitions; custom data relationships can also be defined
[Figure: production database beside its masked clone]
    Production database:    LAST_NAME   SSN           SALARY
                            AGUILAR     203-33-3234   40,000
                            BENSON      323-22-2943   60,000
    Cloned database:        LAST_NAME   SSN           SALARY
                            ANSKEKSL    111-23-1111   40,000
                            BKJHHEIEDK  111-34-1345   60,000

Real-Time Data Masking: Virtual Private Database Masking
- Null out or clear table columns for all or specific table rows
  Application query:
    select * from customers;
  Predicate appended by the VPD policy (APP):
    where account_mgr_id = sys_context('app','current_mgr')
[Figure: the customers result set with an SSN column and an amount column as returned under the VPD policy.]
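The slide shows the predicate but not the policy that applies it. The following is an added example, not from the slides or from Oracle, of a VPD column-masking policy with DBMS_RLS; the context name 'app' and attribute 'current_mgr' come from the slide, while the APP schema, the package, the policy function, the table layout and the two sample rows are constructed for this example.

```sql
-- Added example: VPD column masking of SSN on a hypothetical APP.CUSTOMERS table.
-- Needs EXECUTE on DBMS_RLS and CREATE ANY CONTEXT; VPD is an Enterprise Edition feature.

-- 0. Sample table and rows (constructed; the SSNs are not real).
CREATE TABLE app.customers (
  cust_id        NUMBER PRIMARY KEY,
  account_mgr_id NUMBER,
  ssn            VARCHAR2(11),
  credit_limit   NUMBER
);
INSERT INTO app.customers VALUES (1, 145, '701-49-5212', 25000);
INSERT INTO app.customers VALUES (2, 147, '121-79-1421', 15000);
COMMIT;

-- 1. Application context. Only APP.APP_CTX_PKG may set attributes in it, so a
--    session cannot simply claim to be a different manager.
CREATE OR REPLACE CONTEXT app USING app.app_ctx_pkg;

CREATE OR REPLACE PACKAGE app.app_ctx_pkg AS
  PROCEDURE set_current_mgr;
END;
/
CREATE OR REPLACE PACKAGE BODY app.app_ctx_pkg AS
  PROCEDURE set_current_mgr IS
    v_mgr NUMBER;
  BEGIN
    -- Derive the manager id from the authenticated session user (hypothetical
    -- APP.MANAGER_LOGINS mapping table), never from a caller-supplied argument.
    SELECT mgr_id INTO v_mgr
      FROM app.manager_logins
     WHERE db_user = SYS_CONTEXT('USERENV', 'SESSION_USER');
    DBMS_SESSION.SET_CONTEXT('app', 'current_mgr', TO_CHAR(v_mgr));
  EXCEPTION
    WHEN NO_DATA_FOUND THEN NULL;   -- leave the attribute unset: masking fails closed
  END;
END;
/

-- 2. Policy function: returns exactly the predicate shown on the slide.
CREATE OR REPLACE FUNCTION app.mgr_predicate(
  p_schema IN VARCHAR2, p_object IN VARCHAR2) RETURN VARCHAR2 AS
BEGIN
  RETURN q'[account_mgr_id = SYS_CONTEXT('app','current_mgr')]';
END;
/

-- 3. Column masking. With sec_relevant_cols_opt => ALL_ROWS every row is returned,
--    but SSN reads as NULL in rows that fail the predicate. Without that option the
--    same policy would filter those rows out entirely (row-level security).
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema         => 'APP',
    object_name           => 'CUSTOMERS',
    policy_name           => 'MASK_SSN',
    function_schema       => 'APP',
    policy_function       => 'MGR_PREDICATE',
    statement_types       => 'SELECT',
    sec_relevant_cols     => 'SSN',
    sec_relevant_cols_opt => DBMS_RLS.ALL_ROWS);
END;
/

-- 4. Use: set the context for the session, then query as the application does.
EXEC app.app_ctx_pkg.set_current_mgr;
SELECT cust_id, account_mgr_id, ssn, credit_limit FROM app.customers;
```

If the context attribute is never set, SYS_CONTEXT returns NULL, the predicate is never true, and every SSN is masked; the policy therefore fails closed rather than open, which is the property to verify first when testing a masking policy.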


Auditing in the Oracle Database: Robust, Flexible, and High Fidelity Audit
- Industry's most advanced
  - Statement: audit DDL / DML based on structure type or schema object
  - Privilege: audit statements that use system privileges
  - Specific user or group of users
  - Fine grained auditing (Oracle9i): Enterprise Edition conditional auditing feature
    - Select statements only (Oracle9i)
    - Update, insert and delete statements (Oracle Database 10g)
- Flexible
  - Audit table and OS file destinations (OS is the most performant)
  - Supports XML format
  - Windows event viewer & SYSLOG
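The three audit layers listed on this slide (statement/privilege, object, fine-grained) look like this in practice. The following is an added example, not from the slides or from Oracle; the HR.EMPLOYEES table, the APP_DBA account, the policy name and the department condition are assumptions.

```sql
-- Added example: standard, object and fine-grained auditing on a hypothetical
-- HR.EMPLOYEES table. Needs the AUDIT SYSTEM privilege and EXECUTE on DBMS_FGA;
-- the AUDIT_TRAIL parameter change takes effect after a restart.

-- 0. Destination. DB,EXTENDED keeps SQL text and binds in SYS.AUD$; the slide
--    notes that OS (or XML,EXTENDED) files are the most performant choice.
ALTER SYSTEM SET audit_trail = 'DB,EXTENDED' SCOPE = SPFILE;

-- 1. Statement and privilege auditing (BY ACCESS = one record per statement).
AUDIT CREATE SESSION;                                   -- every logon and logoff
AUDIT ALTER ANY TABLE, DROP ANY TABLE, GRANT ANY PRIVILEGE BY ACCESS;
AUDIT SELECT ANY TABLE BY app_dba BY ACCESS;            -- one specific user

-- 2. Object auditing on the sensitive table.
AUDIT SELECT, UPDATE, DELETE ON hr.employees BY ACCESS;

-- 3. Fine-grained auditing: record a statement only when it touches the SALARY
--    column of rows that satisfy the condition (department 60 is arbitrary here).
BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema   => 'HR',
    object_name     => 'EMPLOYEES',
    policy_name     => 'SALARY_READS',
    audit_condition => 'DEPARTMENT_ID <> 60',
    audit_column    => 'SALARY',
    enable          => TRUE,
    statement_types => 'SELECT,UPDATE',
    audit_trail     => DBMS_FGA.DB + DBMS_FGA.EXTENDED);
END;
/

-- 4. Review: who did what, with the captured SQL text.
SELECT username, os_username, userhost, action_name, obj_name,
       timestamp, returncode, sql_text
  FROM dba_audit_trail
 WHERE obj_name = 'EMPLOYEES' OR action_name IN ('LOGON', 'LOGOFF')
 ORDER BY timestamp DESC;

SELECT db_user, os_user, userhost, object_name, policy_name,
       timestamp, sql_text, sql_bind
  FROM dba_fga_audit_trail
 WHERE policy_name = 'SALARY_READS'
 ORDER BY timestamp DESC;
```

A non-zero RETURNCODE in DBA_AUDIT_TRAIL is the quickest indicator of attempted but denied access, for example a DBA blocked by a Database Vault realm; the FGA trail is the one that tells you which rows and columns a successful statement actually reached.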

Oracle Audit Vault: Protect Your Enterprise With Auditing
- Manage audit data
  - Centrally secure audit data from Oracle databases
  - Centrally manage Oracle database audit settings
- Detect suspicious activities
  - Monitor database users, especially privileged users
  - Alert on unauthorized activities
- Simplify compliance reporting
  - Built-in compliance reports
  - Define custom reports
[Figure: Audit Vault (Report, Monitor, Enforce, Secure) collecting from Oracle Database 9i Release 2, Oracle Database 10g Release 1, Oracle Database 10g Release 2 and Oracle Database 11g Release 1 databases; other sources marked as future.]

Audit Vault Reports: Out-of-the-box Audit Assessments & Custom Reports
- Out-of-the-box reports
  - Privileged user activity
  - Access to sensitive data
  - Role grants, DDL activity
- Custom reports
  - Published warehouse schema
  - Use Oracle or 3rd party tools
  - User-defined reports
- Questions the reports answer: What did privileged users do on the financial database? What did user A do across multiple databases? Who accessed sensitive data?

Oracle Audit Vault: Manageability
- Audit Vault Dashboard
  - Enterprise overview
  - Alerts on audit events
  - Drill-down reports
  - Audit Vault administration
- Audit Vault Policies
  - Collection of audit settings for databases
  - Provision database audit settings centrally for compliance policies
  - Compare against existing audit settings on the source
  - Demonstrate compliance with internal mandates

Oracle Audit Vault Repository: Scalable, Flexible & Secure
- Performance and scalability
  - Scale to terabytes with partitioning
  - Data warehouse enables business intelligence and analysis
- Security
  - Separation of duty
  - Privileged users can't modify audit data
  - Data protected in transit from source to Audit Vault

Introducing Oracle Total Recall: Tamper-Resistant Real-Time Database Archiving
- Automated table snapshots record changes to data
  - Complements auditing: who vs. what
  - Optimized to minimize performance overhead
- Historical data can be retained as long as needed for regulatory compliance and forensic analysis
- Automatically prevents end users from changing historical data
- Seamless access to archived historical data
  - Historical data stored in the database for real-time access
  - Stored in compressed form to minimize storage requirements
    select * from product_information
      AS OF TIMESTAMP TO_TIMESTAMP('02-MAY-05 12.00 AM', 'DD-MON-YY HH.MI AM')
      where product_id = 3060;
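Total Recall is the Flashback Data Archive feature; the steps that make the AS OF query above possible are shown in the following added example, which is not from the slides or from Oracle. The archive name, the tablespace, the retention period and the OE schema are assumptions.

```sql
-- Added example: Flashback Data Archive (Total Recall) on a product_information
-- table. Hypothetical names throughout. Creating the archive needs the
-- FLASHBACK ARCHIVE ADMINISTER privilege; enabling a table needs the FLASHBACK
-- ARCHIVE object privilege on that archive.

-- 1. Archive with a retention period; rows older than this are purged automatically.
CREATE FLASHBACK ARCHIVE fda_compliance
  TABLESPACE fda_ts QUOTA 10G RETENTION 7 YEAR;

-- 2. Start tracking the table. From here on every committed change is copied,
--    asynchronously and compressed, into an internal history table.
ALTER TABLE oe.product_information FLASHBACK ARCHIVE fda_compliance;

-- 3. Ordinary DML; nothing changes for the application.
UPDATE oe.product_information
   SET list_price = list_price * 1.10
 WHERE product_id = 3060;
COMMIT;

-- 4a. Point-in-time view (the query form from the slide).
SELECT product_id, product_name, list_price
  FROM oe.product_information
       AS OF TIMESTAMP TO_TIMESTAMP('02-MAY-05 12.00 AM', 'DD-MON-YY HH.MI AM')
 WHERE product_id = 3060;

-- 4b. Full change history of one row: the "what" that complements audit's "who".
SELECT versions_starttime, versions_endtime, versions_operation, list_price
  FROM oe.product_information
       VERSIONS BETWEEN TIMESTAMP MINVALUE AND MAXVALUE
 WHERE product_id = 3060
 ORDER BY versions_starttime;

-- 5. Tamper resistance: while tracked, the base table cannot be dropped or truncated
--    and the history table rejects direct DML, so history can only be purged by
--    retention or by an administrator altering the archive.

-- 6. Verification: which tables are archived and where.
SELECT table_name, owner_name, flashback_archive_name, archive_table_name
  FROM dba_flashback_archive_tables;
```

The versions query is the forensic view: it returns one row per committed change with its operation type, so a suspicious UPDATE found in the audit trail can be matched to the exact before and after values.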

Tracking Compliance Over Time: Compliance Trend across IT infrastructure (screenshot)

Example of Security Policy Rules (over 250 built-in policy rules)
- Database services
  - Enable listener logging
  - Password-protect listeners
  - Disallow default listener name
  - Ensure listener log file is valid and owned by Oracle
  - Ensure listener host name is specified with IP
- Database file permissions
  - Init.ora should have restricted file permission
  - Files in $OH/bin should be owned by Oracle
  - Data files should be owned by Oracle
- Database profile/configuration
  - Default passwords
  - Disallow access to objects by a fixed user link
  - Disallow default tablespace set to SYSTEM
  - Set password_grace_time
  - Limit or deny access to DBMS_LOB
  - Set password_reuse_max
  - Avoid using utl_file_dir parameter
- Host
  - Detect open ports
  - Detect insecure services
  - Ensure NTFS file system type (Windows)
- Application server
  - HTTPD has minimal privileges
  - Use HTTP/S
  - Apache logging should be on
  - Demo applications disabled
  - Disable default banner page
  - Disable access to unused directories
  - Disable directory indexing
  - Forbid access to certain packages
  - Disable packages not used by DAD owner
  - Remove unused DAD configurations
- Password complexity enabled
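Several of the database profile/configuration rules above can be checked directly in SQL, which is useful for confirming what Enterprise Manager reports and for closing the finding. The following is an added example, not from the slides or from Oracle; the profile name APP_USERS and the account APP_USER are assumptions, while the views and parameters are standard Oracle Database 11g.

```sql
-- Added example: SQL checks for some of the listed policy rules, followed by the
-- corrective profile settings. Run as a DBA; names are hypothetical.

-- Rule "Default Passwords": accounts still on a documented default password.
SELECT d.username, u.account_status
  FROM dba_users_with_defpwd d
  JOIN dba_users u ON u.username = d.username
 ORDER BY u.account_status, d.username;

-- Rules "Set password_grace_time", "Set password_reuse_max", "Password complexity
-- enabled": profiles where these limits are unlimited, inherited, or unset.
SELECT profile, resource_name, limit
  FROM dba_profiles
 WHERE resource_type = 'PASSWORD'
   AND resource_name IN ('PASSWORD_GRACE_TIME', 'PASSWORD_REUSE_MAX',
                         'PASSWORD_VERIFY_FUNCTION', 'FAILED_LOGIN_ATTEMPTS')
   AND limit IN ('UNLIMITED', 'DEFAULT', 'NULL')
 ORDER BY profile, resource_name;

-- Rule "Disallow default tablespace set to SYSTEM".
SELECT username, default_tablespace
  FROM dba_users
 WHERE default_tablespace = 'SYSTEM'
   AND username NOT IN ('SYS', 'SYSTEM');

-- Rule "Avoid using utl_file_dir parameter": the value should be empty.
SELECT name, value FROM v$parameter WHERE name = 'utl_file_dir';

-- Corrective settings. verify_function_11G is the complexity function installed
-- by $ORACLE_HOME/rdbms/admin/utlpwdmg.sql in 11g.
CREATE PROFILE app_users LIMIT
  FAILED_LOGIN_ATTEMPTS    5
  PASSWORD_LIFE_TIME       90
  PASSWORD_GRACE_TIME      7
  PASSWORD_REUSE_MAX       10
  PASSWORD_REUSE_TIME      365
  PASSWORD_VERIFY_FUNCTION verify_function_11G;

ALTER USER app_user PROFILE app_users;

-- Accounts left on DEFAULT get the same complexity and grace limits.
ALTER PROFILE default LIMIT
  PASSWORD_VERIFY_FUNCTION verify_function_11G
  PASSWORD_GRACE_TIME      7;
```

Re-running the first two queries after the change is the evidence an auditor asks for: an empty result for the default-password query and no UNLIMITED or NULL rows for the password limits.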

Learn More
- http://search.oracle.com: search for "database security"
- Technology overview: visit oracle.com/database/security; view whitepapers and webinars
- Technical information, demos, software: visit OTN at otn.oracle.com -> products -> database -> security and compliance


Release-Wide Map of Security Products
[Table: solutions (rows) against releases Oracle 8i, Oracle Database 9iR1, Oracle Database 9iR2, Oracle Database 10g R1, Oracle Database 10g R2 and Oracle Database 11gR1 (columns), marking the releases in which each solution is available. Solutions listed: Database Auditing, Network Encryption, Virtual Private Database, Label Security, Privileged User Controls, Enterprise User Security, Fine Grained Auditing, Client Identifier, EM Configuration Scanning, TDE Column Encryption, TDE Tablespace Encryption, EM Data Masking.]
Note: Data Masking is available starting with EM 10.2.0.4 and works against Oracle Database 9.2 and higher databases.
