Oracle Database Security Solutions
Eric Cheung, Senior Manager, Technology Sales Consulting
Eric.cheung@oracle.com
May 2008
Slide 2: Key Drivers for Data Security
Privacy and Compliance
- Sarbanes-Oxley (SOX), J-SOX, GLBA
- Payment Card Industry (PCI)
- HIPAA, EU Privacy Directives
- Breach Disclosure Laws
- COSO, COBIT frameworks
- Separation of duty, proof of compliance, risk assessment and monitoring
Insider / External Threats
- A large percentage of threats go undetected
- Outsourcing and off-shoring trend
- Customers want to monitor insiders and DBAs
Slide 3: Oracle Database Security: Continuous Innovation
Timeline: Oracle7, Oracle8i, Oracle Database 9i, Oracle Database 10g, Oracle Database 11g (annotation on the timeline: Government customer)
Innovations, newest first:
- Data Masking
- TDE Tablespace Encryption
- Oracle Total Recall
- Oracle Audit Vault
- Oracle Database Vault
- Transparent Data Encryption (TDE)
- Real Time Masking
- Secure Config Scanning
- Fine Grained Auditing
- Oracle Label Security
- Enterprise User Security
- Virtual Private Database (VPD)
- Database Encryption API
- Strong Authentication
- Native Network Encryption
- Database Auditing
Slide 4: Database Security Challenges: Data Privacy and Regulatory Compliance
- Protecting access to application data
- Database monitoring
- Data encryption
- De-identifying information for sharing
- Data classification
Slide 5: Oracle Database Security Solutions for Privacy and Compliance (agenda)
- Database Vault
- Configuration Management
- Advanced Security
- Total Recall
- Secure Backup
- Audit Vault
- Data Masking
- Label Security
Slide 7: Oracle Database Vault: Highly Privileged User Controls
- Compliance and protection from insiders
- Eliminates security risks from server consolidation
Diagram: realms stop the database DBA from viewing HR data and stop the HR application owner from viewing Finance data. The DBA's SELECT * FROM HR.EMP is blocked by the HR Realm; only the HR App reaches the HR Realm and only the FIN App reaches the FIN Realm.
Slide 8: Oracle Database Vault: Real Time Access Controls
Diagram: an HR application user, a FIN application user and the DBA issue commands such as CONNECT and CREATE against the HR and FIN realms; Database Vault decides in real time based on factors such as an unexpected IP address and whether the request falls within business hours.
Slide 9: Oracle Database Vault: Separation of Duty
- Account management: Database Vault overrides all existing administration privileges for creating new accounts
- Security administration: Database Vault administration is done using a separate administration account, distinct from DBA or SYSDBA
- Traditional database administration: traditional administrative tasks are separate from account management and security administration
Slide 10: Major Financial Services Company Use Case
- Control privileged users: prevent DBAs from accessing sensitive data in realms; set up multiple levels of DBAs
- Control access based upon environmental factors: restrict the hostnames authorized to access the database; control access based on geography
- Control use of ad-hoc query tools and enforce maintenance periods: restrict connections by ad-hoc query tools to maintenance times or specific users
- Control patching activity: patching activity requires another monitoring user to be logged in
- Control unauthorized database changes
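The realm and real-time rules described on the Database Vault slides, as an added example (not from the deck): a realm around the HR schema and a CONNECT command rule driven by client IP and time of day, using the DBMS_MACADM API. Realm, rule and account names and the IP address are assumed values.

```sql
-- Added example (not from the slides): a Database Vault realm around the HR
-- schema and a command rule that gates the DBA's CONNECT on IP address and
-- business hours. Run as the Database Vault owner (DV_OWNER role), never as
-- SYS. Realm, rule, account names and the IP address are assumed values.

BEGIN
  -- 1. Realm: HR objects stop being reachable through system privileges such
  --    as SELECT ANY TABLE; only realm authorisations count inside it.
  DBMS_MACADM.CREATE_REALM(realm_name => 'HR Realm',
      description => 'HR application data', enabled => DBMS_MACUTL.G_YES,
      audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);
  DBMS_MACADM.ADD_OBJECT_TO_REALM(realm_name => 'HR Realm',
      object_owner => 'HR', object_name => '%', object_type => '%');
  -- The HR application account is the only participant (the DBA is not).
  DBMS_MACADM.ADD_AUTH_TO_REALM(realm_name => 'HR Realm', grantee => 'HR_APP',
      rule_set_name => NULL,
      auth_options => DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);

  -- 2. Factors evaluated at connect time. DVF.F$CLIENT_IP is a built-in
  --    Database Vault factor; the address is an assumed admin host.
  DBMS_MACADM.CREATE_RULE(rule_name => 'From Admin Host',
      rule_expr => 'DVF.F$CLIENT_IP = ''10.0.0.5''');
  DBMS_MACADM.CREATE_RULE(rule_name => 'Business Hours',
      rule_expr => 'TO_NUMBER(TO_CHAR(SYSDATE,''HH24'')) BETWEEN 8 AND 18');
  -- All rules must hold (EVAL_ALL); failures are audited and reported.
  DBMS_MACADM.CREATE_RULE_SET(rule_set_name => 'DBA Connect Rules',
      description => 'Admin host during business hours only',
      enabled => DBMS_MACUTL.G_YES,
      eval_options => DBMS_MACUTL.G_RULESET_EVAL_ALL,
      audit_options => DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
      fail_options => DBMS_MACUTL.G_RULESET_FAIL_SHOW,
      fail_message => 'DBA sessions: admin host, business hours only',
      fail_code => 20100,
      handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF, handler => NULL);
  DBMS_MACADM.ADD_RULE_TO_RULE_SET('DBA Connect Rules', 'From Admin Host');
  DBMS_MACADM.ADD_RULE_TO_RULE_SET('DBA Connect Rules', 'Business Hours');
  -- 3. Command rule: for CONNECT, object_owner names the user it applies to.
  DBMS_MACADM.CREATE_COMMAND_RULE(command => 'CONNECT',
      rule_set_name => 'DBA Connect Rules', object_owner => 'DBA1',
      object_name => '%', enabled => DBMS_MACUTL.G_YES);
END;
/

-- Verify what is now enforced (DVSYS views, readable by the DV owner).
SELECT * FROM dvsys.dba_dv_realm_object WHERE realm_name = 'HR Realm';
SELECT * FROM dvsys.dba_dv_command_rule WHERE command = 'CONNECT';
```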
Slide 11: Oracle Database Vault Application Certification
- PeopleSoft
- E-Business Suite
- Siebel
- Oracle Content DB
- Oracle Internet Directory
Slide 13: Oracle Advanced Security: Transparent Data Encryption
- Protect application data
- Easily encrypt sensitive data: protect entire application tables or specific data (e.g. credit card numbers)
- No changes to existing applications
- Built-in key management: keys are automatically generated and managed
- Integrates with Hardware Security Modules (HSM)
Diagram: a value such as 75000 is transparently encrypted on write (stored as ciphertext, shown as ^#^ *) and transparently decrypted on read.
Slide 14: Transparent Data Encryption: Point-And-Click Deployment (screenshot)
Slide 15: Oracle Advanced Security: Encrypting Columns
Encrypt a column in an existing table:
  alter table credit_rating modify (person_id encrypt);
Create a new table with an encrypted column:
  create table orders (
    order_id    number(12),
    customer_id number(12),
    credit_card varchar2(16) encrypt);
Note: the default column encryption algorithm is AES 192.
Slide 16: Oracle Advanced Security: Encrypting Tablespaces
Create a new tablespace with the keyword ENCRYPT:
  CREATE TABLESPACE securespace2
    DATAFILE '/home/user/oradata/secure01.dbf' SIZE 150M
    ENCRYPTION
    DEFAULT STORAGE (ENCRYPT);
Note: the default tablespace encryption algorithm is AES 128.
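The column and tablespace encryption on slides 15 and 16 carried through end to end, as an added example that is not from the deck: wallet setup, explicit algorithm choice, the NO SALT requirement for indexed columns, and the checks a reviewer runs. Uses Oracle Database 11g R1 syntax; the wallet directory, password, table and index names are assumed.

```sql
-- Added example (not from the slides): end-to-end TDE setup with Oracle
-- Database 11g R1 syntax. Wallet path, password, table and index names are
-- assumed values.

-- 1. sqlnet.ora on the database server: where the PKCS#12 wallet lives.
--    ENCRYPTION_WALLET_LOCATION =
--      (SOURCE = (METHOD = FILE)
--        (METHOD_DATA = (DIRECTORY = /etc/ORACLE/WALLETS/orcl)))

-- 2. The security DBA (ALTER SYSTEM privilege) creates the wallet and the
--    master key. This also opens the wallet; after an instance restart it
--    must be opened explicitly or encrypted columns stay unreadable.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "Wallet-Passw0rd-assumed";
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "Wallet-Passw0rd-assumed";

-- 3. Column encryption: pick the algorithm explicitly rather than relying on
--    the AES192 default, and use NO SALT on a column that must be indexable
--    (a salted column cannot carry an index).
CREATE TABLE orders (
  order_id    NUMBER(12),
  customer_id NUMBER(12),
  credit_card VARCHAR2(16) ENCRYPT USING 'AES256' NO SALT);
CREATE INDEX orders_cc_ix ON orders (credit_card);

-- 4. Tablespace encryption: every segment stored in it, indexes included,
--    is encrypted on disk (AES128 is the default; AES256 chosen here).
CREATE TABLESPACE securespace2
  DATAFILE '/home/user/oradata/secure01.dbf' SIZE 150M
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

-- 5. Verification queries: wallet state, encrypted columns, tablespaces.
SELECT wrl_type, wrl_parameter, status FROM v$encryption_wallet;   -- expect OPEN
SELECT owner, table_name, column_name, encryption_alg, salt
  FROM dba_encrypted_columns;
SELECT tablespace_name, encrypted FROM dba_tablespaces;            -- YES for securespace2

-- 6. With the wallet closed the ciphertext is unreadable even to SYS:
--    reads of encrypted columns fail with ORA-28365 (wallet is not open).
ALTER SYSTEM SET ENCRYPTION WALLET CLOSE;
```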
Slide 17: Oracle Advanced Security: Key Management Architecture
- Master key stored in a PKCS#12 wallet
- The Oracle data dictionary stores the column keys, encrypted using the master key
- The security DBA opens the wallet containing the master key
- Application users work transparently: FIN application data is encrypted using the FIN column key and HR application data using the HR column key
Slide 18: Oracle Advanced Security: Key Management Architecture with HSM
- Master key stored in a Hardware Security Module (HSM)
- The Oracle data dictionary stores the column keys, encrypted using the master key
- The security DBA opens the wallet containing the master key
- Application users work transparently: FIN application data is encrypted using the FIN column key and HR application data using the HR column key
Slide 19: Oracle Secure Backup: Integrated Tape Backup Management
Improved security and manageability
- Backup encryption for file systems added
- Automated backup of the OSB catalog
- Policy-based migration from Virtual Tape Library (VTL) to tape
Advanced media management
- Vaulting provides automatic rotation of tapes between multiple locations
- Tape duplication based on policies
- Sun StorageTek ACSLS support
Improved performance
- No backup (and no reads) of committed undo
Diagram: Oracle Databases (integrated with RMAN) and file system data (UNIX, Windows, Linux, NAS) flow through Oracle Secure Backup, which provides centralized tape backup management, to tape.
Slide 21: Oracle Label Security: Access Control by Data Classification
Additional access control check
- The database first verifies that the requestor has the table privileges (SELECT, UPDATE, INSERT, ...)
- Label Security then mediates additional access based on the sensitivity assigned to the data or the operation
Specialized security solution: components
- User label authorizations
- Data labels
- Special user privileges
- Enforcement options
Diagram: data rows labelled Highly Sensitive, Sensitive and Confidential; the user's label authorization ("security clearance") is Sensitive.
Slides 22-24: Sensitivity Label Components: More Than Just Levels
- Sensitivity level (exactly one): Highly Sensitive, Sensitive, Confidential. Example label: Sensitive
- Plus zero or more compartments: HR, PII, FIN, LEGAL. Example label: Sensitive : HR
- Plus zero or more groups: US, Europe, Global. Example label: Sensitive : HR : US
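The label built up on slides 22-24 (Sensitive : HR : US) and the clearance check from slide 21, as an added example that is not from the deck: an Oracle Label Security policy defined through the SA_* administration packages, applied to a table, and exercised by a user with a Sensitive clearance. Policy, table, user names and numeric component ids are assumed.

```sql
-- Added example (not from the slides): defining the slide's label components
-- with Oracle Label Security and enforcing them on a table. Run as LBACSYS.
-- Policy, table, user names and the numeric component ids are assumed.
BEGIN
  -- Policy: the label column HR_LABEL is added to each protected table.
  SA_SYSDBA.CREATE_POLICY(policy_name => 'HR_POLICY', column_name => 'HR_LABEL');
  -- Levels are ordered: a higher number dominates a lower one.
  SA_COMPONENTS.CREATE_LEVEL('HR_POLICY', 1000, 'C',  'Confidential');
  SA_COMPONENTS.CREATE_LEVEL('HR_POLICY', 2000, 'S',  'Sensitive');
  SA_COMPONENTS.CREATE_LEVEL('HR_POLICY', 3000, 'HS', 'Highly Sensitive');
  -- Compartments: a reader needs every compartment the row carries.
  SA_COMPONENTS.CREATE_COMPARTMENT('HR_POLICY', 100, 'HR',  'Human Resources');
  SA_COMPONENTS.CREATE_COMPARTMENT('HR_POLICY', 200, 'PII', 'Personal data');
  -- Groups: a reader needs at least one of the row's groups (if it has any).
  SA_COMPONENTS.CREATE_GROUP('HR_POLICY', 10, 'US', 'United States');
  SA_COMPONENTS.CREATE_GROUP('HR_POLICY', 20, 'EU', 'Europe');
  -- Data labels in the form level:compartments:groups (slide 24's S:HR:US).
  SA_LABEL_ADMIN.CREATE_LABEL('HR_POLICY', 1100, 'S:HR:US');
  SA_LABEL_ADMIN.CREATE_LABEL('HR_POLICY', 1200, 'HS:HR,PII:US');
  SA_LABEL_ADMIN.CREATE_LABEL('HR_POLICY', 1300, 'C');
  -- Enforce on the table: READ_CONTROL filters rows the session may not see.
  SA_POLICY_ADMIN.APPLY_TABLE_POLICY(policy_name => 'HR_POLICY',
      schema_name => 'HR', table_name => 'EMP', table_options => 'READ_CONTROL');
  -- The clerk's "security clearance" (slide 21): may read up to S:HR:US.
  SA_USER_ADMIN.SET_USER_LABELS(policy_name => 'HR_POLICY',
      user_name => 'HR_CLERK', max_read_label => 'S:HR:US');
END;
/

-- Rows carry their classification in the policy column (run as HR).
INSERT INTO hr.emp (empno, ename, hr_label)
  VALUES (1, 'Aguilar', CHAR_TO_LABEL('HR_POLICY', 'S:HR:US'));
INSERT INTO hr.emp (empno, ename, hr_label)
  VALUES (2, 'Benson',  CHAR_TO_LABEL('HR_POLICY', 'HS:HR,PII:US'));
INSERT INTO hr.emp (empno, ename, hr_label)
  VALUES (3, 'Clark',   CHAR_TO_LABEL('HR_POLICY', 'C'));
COMMIT;

-- As HR_CLERK (who also needs SELECT on hr.emp): Aguilar and Clark are
-- returned; Benson's row is Highly Sensitive, which a Sensitive clearance
-- does not dominate, so Label Security filters it without any error.
SELECT empno, ename, LABEL_TO_CHAR(hr_label) AS label FROM hr.emp;
```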
Slide 25: Oracle Enterprise Manager (screenshot)
Slide 26: Oracle Label Security: Flexible Policy Model
Component    | HR Policy                                  | Law Enforcement                                   | Government Policy
Levels       | Confidential, Sensitive, Highly Sensitive  | Level 1, Level 2, Level 3                         | Confidential, Secret, Top Secret
Compartments | PII Data                                   | Investigation, Internal Affairs, Drug Enforcement | Desert Storm, Border Protection
Groups       | HR REP, Senior HR REP                      | Local Jurisdiction, FBI                           | NATO, Homeland Security, Justice
Slide 27: Oracle Label Security: Additional Use Cases
- Embed in Database Vault command rules: compare label authorizations in command rules to customize separation of duty
- Embed in data masking decisions: use with VPD column-level real-time data masking to decide whether to NULL out PII data returned in a query
- Show application users' current working label authorization on information portals
Slide 29: Off-Line Data Masking: Oracle Enterprise Manager
- Automates production data masking
- Easily mask existing application data
- No impact on the production database: masking runs against a cloned database
- Built-in data relationship discovery: uses foreign key definitions; custom data relationships can be defined
Example, production database:
  LAST_NAME | SSN         | SALARY
  AGUILAR   | 203-33-3234 | 40,000
  BENSON    | 323-22-2943 | 60,000
Example, cloned (masked) database:
  LAST_NAME  | SSN         | SALARY
  ANSKEKSL   | 111-23-1111 | 40,000
  BKJHHEIEDK | 111-34-1345 | 60,000
Slide 30: Real-Time Data Masking: Virtual Private Database Masking
- Null out or clear table columns for all or specific table rows
Example: the application issues
  select * from customers;
and the VPD policy for APP appends the predicate
  where account_mgr_id = sys_context('app','current_mgr');
Diagram: the customers result set (SSN and salary columns) after the VPD policy has been applied.
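The column masking on slide 30 implemented with DBMS_RLS, as an added example that is not from the deck: a trusted application context supplies current_mgr, the policy function returns the slide's predicate, and the SEC_RELEVANT_COLS_OPT => ALL_ROWS option nulls the SSN instead of dropping the row. The APP schema, its customers and mgr_accounts tables, the context and the function names are assumed.

```sql
-- Added example (not from the slides): the VPD column-masking policy behind
-- slide 30. The APP schema, its customers and mgr_accounts tables, the context
-- and the policy function are assumed names.

-- 1. Application context: only APP.SEC_CTX may set attributes of 'app'.
CREATE OR REPLACE CONTEXT app USING app.sec_ctx;

CREATE OR REPLACE PACKAGE app.sec_ctx AS
  PROCEDURE set_current_mgr;
END sec_ctx;
/
CREATE OR REPLACE PACKAGE BODY app.sec_ctx AS
  PROCEDURE set_current_mgr IS
    v_mgr_id NUMBER;
  BEGIN
    -- Derive the manager id from the authenticated session user through a
    -- mapping table, never from a caller-supplied argument. An unmapped
    -- user raises NO_DATA_FOUND and the context stays unset (fail closed).
    SELECT mgr_id INTO v_mgr_id FROM app.mgr_accounts
     WHERE db_user = SYS_CONTEXT('USERENV', 'SESSION_USER');
    DBMS_SESSION.SET_CONTEXT('app', 'current_mgr', TO_CHAR(v_mgr_id));
  END set_current_mgr;
END sec_ctx;
/

-- 2. Policy function returning the predicate from the slide. With the
--    context unset SYS_CONTEXT yields NULL, the predicate is never true,
--    and every SSN is masked.
CREATE OR REPLACE FUNCTION app.mask_other_mgrs(p_schema IN VARCHAR2,
                                               p_table  IN VARCHAR2)
  RETURN VARCHAR2 IS
BEGIN
  RETURN 'account_mgr_id = SYS_CONTEXT(''app'',''current_mgr'')';
END mask_other_mgrs;
/

-- 3. Column masking (SELECT only): with ALL_ROWS every row is returned but
--    SSN reads as NULL where the predicate is false; without the option the
--    non-matching rows would be filtered out entirely.
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema         => 'APP',  object_name     => 'CUSTOMERS',
    policy_name           => 'MASK_SSN',
    function_schema       => 'APP',  policy_function => 'MASK_OTHER_MGRS',
    statement_types       => 'SELECT',
    sec_relevant_cols     => 'SSN',
    sec_relevant_cols_opt => DBMS_RLS.ALL_ROWS);
END;
/

-- 4. In a session (e.g. from a logon trigger), then query: SSN is non-NULL
--    only for the rows owned by the current manager.
EXEC app.sec_ctx.set_current_mgr;
SELECT cust_id, account_mgr_id, ssn, credit_limit FROM app.customers;
```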
Slide 32: Auditing in the Oracle Database: Robust, Flexible, and High Fidelity Audit
Industry's most advanced
- Statement auditing: audit DDL / DML based on structure type or schema object
- Privilege auditing: audit statements that use system privileges
- Audit a specific user or group of users
- Fine grained auditing (Oracle9i): Enterprise Edition conditional auditing feature; SELECT statements only in Oracle9i; UPDATE, INSERT and DELETE statements added in Oracle Database 10g
Flexible
- Audit table and OS file destinations (OS is the most performant)
- Supports XML format
- Windows event viewer and SYSLOG
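The statement, privilege and fine-grained auditing options listed on slide 32, as an added example that is not from the deck: a conditional FGA policy on a salary column together with the standard audit settings, and the query a reviewer runs over the resulting trail. The table, column, policy name and threshold are assumed.

```sql
-- Added example (not from the slides): standard auditing plus a fine-grained
-- audit policy on HR.EMPLOYEES.SALARY. Table, column, policy name and the
-- threshold are assumed. Run as a user with EXECUTE on DBMS_FGA and AUDIT
-- SYSTEM / AUDIT ANY privileges.

-- Destination: database audit trail with SQL text and bind values.
-- ('XML,EXTENDED' would send it to OS files, which the slide calls the
-- most performant option.) AUDIT_TRAIL is static: restart required.
ALTER SYSTEM SET audit_trail = 'DB,EXTENDED' SCOPE = SPFILE;

-- Privilege auditing: every use of a system privilege that bypasses
-- object grants. Statement auditing: specific DML on a schema object.
AUDIT SELECT ANY TABLE BY ACCESS;
AUDIT SELECT, UPDATE ON hr.employees BY ACCESS;

-- Fine-grained auditing: write a record only when the statement touches
-- the SALARY column and the row condition holds, so the trail stays small
-- and focused on the reads that matter.
BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema   => 'HR',
    object_name     => 'EMPLOYEES',
    policy_name     => 'HIGH_SALARY_READS',
    audit_condition => 'SALARY > 100000',
    audit_column    => 'SALARY',
    statement_types => 'SELECT,UPDATE',   -- UPDATE support needs 10g or later
    audit_trail     => DBMS_FGA.DB + DBMS_FGA.EXTENDED);
END;
/

-- Review: who read what, from where, with the exact statement text.
SELECT timestamp, db_user, os_user, userhost, policy_name, sql_text
  FROM dba_fga_audit_trail
 WHERE policy_name = 'HIGH_SALARY_READS'
 ORDER BY timestamp;
```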
Slide 33: Oracle Audit Vault: Protect Your Enterprise With Auditing
Manage audit data
- Centrally secure audit data from Oracle databases
- Centrally manage Oracle database audit settings
Detect suspicious activities
- Monitor database users, especially privileged users
- Alert on unauthorized activities
Simplify compliance reporting
- Built-in compliance reports
- Define custom reports
Diagram: Audit Vault (Report, Monitor, Enforce, Secure) collects from Oracle Database 9i Release 2, 10g Release 1, 10g Release 2 and 11g databases; other sources are planned (future).
Slide 34: Audit Vault Reports: Out-of-the-box Audit Assessments and Custom Reports
Out-of-the-box reports
- Privileged user activity
- Access to sensitive data
- Role grants, DDL activity
Custom reports
- Published warehouse schema
- Use Oracle or 3rd party tools
- User-defined reports
Questions answered: What did privileged users do on the financial database? What did user A do across multiple databases? Who accessed sensitive data?
Slide 35: Oracle Audit Vault Manageability
Audit Vault Dashboard
- Enterprise overview
- Alerts on audit events
- Drill-down reports
- Audit Vault administration
Audit Vault Policies
- Collection of audit settings for databases
- Provision database audit settings centrally for compliance policies
- Compare against the existing audit settings on the source
- Demonstrate compliance with internal mandates
Slide 36: Oracle Audit Vault Repository: Scalable, Flexible and Secure
Performance and scalability
- Scale to terabytes with partitioning
- Data warehouse enables business intelligence and analysis
Security
- Separation of duty
- Privileged users can't modify audit data
- Data protected in transit from the source to Audit Vault
Slide 37: Introducing Oracle Total Recall: Tamper-Resistant Real-Time Database Archiving
- Automated table snapshots record changes to data
- Complements auditing: auditing records who, Total Recall records what
- Optimized to minimize performance overhead
- Historical data can be retained as long as needed for regulatory compliance and forensic analysis
- Automatically prevents end users from changing historical data
- Seamless access to archived historical data: historical data is stored in the database for real-time access, in compressed form to minimize storage requirements
Example query:
  select * from product_information
    AS OF TIMESTAMP TO_TIMESTAMP('02-MAY-05 12.00 AM', 'DD-MON-RR HH.MI AM')
    where product_id = 3060;
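The Total Recall workflow behind slide 37, as an added example that is not from the deck: create a Flashback Data Archive with a retention period, put a table under it, and then run the slide's point-in-time query plus a VERSIONS query that exposes every change with its transaction id (the "what" that complements the audit trail's "who"). Tablespace, archive and schema names are assumed.

```sql
-- Added example (not from the slides): putting a table under Oracle Total
-- Recall (Flashback Data Archive, 11g R1) and reading its history.
-- Tablespace, archive and schema names are assumed.

-- 1. An archive whose retention matches the regulation in force; rows older
--    than this are purged automatically. Needs FLASHBACK ARCHIVE ADMINISTER.
CREATE FLASHBACK ARCHIVE fda_seven_years
  TABLESPACE fda_ts QUOTA 10G RETENTION 7 YEAR;

-- 2. Track the table. Every committed change is now captured in compressed
--    history tables that users cannot update or delete, and DDL that would
--    destroy history (e.g. DROP TABLE) is rejected while tracking is on.
ALTER TABLE oe.product_information FLASHBACK ARCHIVE fda_seven_years;

-- 3. Point-in-time view: the slide's query with an explicit timestamp format.
SELECT product_id, list_price
  FROM oe.product_information
    AS OF TIMESTAMP TO_TIMESTAMP('02-MAY-05 12.00 AM', 'DD-MON-RR HH.MI AM')
 WHERE product_id = 3060;

-- 4. Forensic view: each version of the row in a window, with the
--    transaction id so it can be joined to the audit trail (the "who").
SELECT versions_starttime, versions_endtime, versions_operation,
       versions_xid, list_price
  FROM oe.product_information
    VERSIONS BETWEEN TIMESTAMP
      TO_TIMESTAMP('01-MAY-05', 'DD-MON-RR') AND SYSTIMESTAMP
 WHERE product_id = 3060
 ORDER BY versions_starttime;

-- 5. Inventory: which tables are archived, and where their history lives.
SELECT owner_name, table_name, flashback_archive_name, archive_table_name
  FROM dba_flashback_archive_tables;
```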
Slide 38: Tracking Compliance Over Time: compliance trend across the IT infrastructure (screenshot)
Slide 39: Example of Security Policy Rules (over 250 built-in policy rules)
Database Services
- Enable listener logging
- Password-protect listeners
- Disallow default listener name
- Ensure listener log file is valid and owned by Oracle
- Ensure listener host name is specified with IP
Database File Permissions
- init.ora should have restricted file permissions
- Files in $OH/bin should be owned by Oracle
- Data files should be owned by Oracle
Database Profile/Configuration
- Default passwords
- Disallow access to objects by a fixed user link
- Disallow default tablespace set to SYSTEM
- Set password_grace_time
- Limit or deny access to DBMS_LOB
- Set password_reuse_max
- Avoid using the utl_file_dir parameter
- Password complexity enabled
Host
- Detect open ports
- Detect insecure services
- Ensure NTFS file system type (Windows)
Application Server
- HTTPD has minimal privileges
- Use HTTP/S
- Apache logging should be on
- Demo applications disabled
- Disable default banner page
- Disable access to unused directories
- Disable directory indexing
- Forbid access to certain packages
- Disable packages not used by the DAD owner
- Remove unused DAD configurations
Slide 40: Learn More
- Search http://search.oracle.com for "database security"
- Technology overview: visit oracle.com/database/security; view whitepapers and webinars
- Technical information, demos, software: visit OTN at otn.oracle.com -> products -> database -> security and compliance
Slide 42: Release-Wide Map of Security Products
Releases: Oracle 8i, Oracle Database 9iR1, Oracle Database 9iR2, Oracle Database 10g R1, Oracle Database 10g R2, Oracle Database 11gR1
Solutions mapped by release:
- Database Auditing
- Network Encryption
- Virtual Private Database
- Label Security
- Privileged User Controls
- Enterprise User Security
- Fine Grained Auditing
- Client Identifier
- EM Configuration Scanning
- TDE Column Encryption
- TDE Tablespace Encryption
- EM Data Masking
Note: Data Masking is available starting with EM 10.2.0.4 and works against Oracle Database 9.2 and higher databases.