Copyright © 2012, Oracle and/or its affiliates. All rights reserved. Public Information

Oracle Database 11g Security and Compliance Solutions - By Tom Kyte

May 25, 2015

Oracle Database 11g Security and Compliance Solutions - Presentation Slides
Oracle Webcast - Feb 2012 - http://goo.gl/T1SBIf
Tom Kyte, Sr. Technical Architect, Oracle
Troy Kitch, Sr. Manager, Database Security Product Marketing, Oracle
Transcript
Page 1: Oracle Database 11g Security and Compliance Solutions - By Tom Kyte

Page 2: Oracle Database 11g Security and Compliance Solutions - By Tom Kyte

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.

Page 3: Oracle Database 11g Security and Compliance Solutions - By Tom Kyte

Best Practices for Database Security and Compliance

Tom Kyte, Sr. Technical Architect, Oracle

Troy Kitch, Sr. Manager, Database Security Product Marketing, Oracle

Page 4: Oracle Database 11g Security and Compliance Solutions - By Tom Kyte

Program Agenda

• Enterprise Data Security Challenges

• Database Security Best Practices

• Oracle Database Security Solutions

• Defense-in-Depth

• Q&A

Page 5: Oracle Database 11g Security and Compliance Solutions - By Tom Kyte

Database Server Breaches

Two-thirds of sensitive and regulated information now resides in databases … and doubling every two years

• 48% of data breaches caused by insiders
• 89% of records stolen using SQL injection
• 86% of hacking used stolen credentials

Over 1B records compromised over past six years

Source: Verizon, 2007-11 and IDC, "Effective Data Leak Prevention Programs: Start by Protecting Data at the Source — Your Databases", August 2011

Page 6: Oracle Database 11g Security and Compliance Solutions - By Tom Kyte

How Secure Are Your Databases? 2011 IOUG Data Security Survey Results

• 24% can prevent DBAs from accessing data and stored procedures
• 69% do not monitor sensitive application data reads and writes
• 63% have not taken steps to prevent SQL injection attacks, or are unsure
• 48% copy sensitive data to development and test environments
• 70% have data stored in database files or storage that can be read at OS level
• 57% cannot prevent direct access to the database (application bypass)

Page 7: Oracle Database 11g Security and Compliance Solutions - By Tom Kyte

IT Security Not Addressing Database Security – Only 20% Have a Plan

“Forrester estimates that although 70% of enterprises have an information security plan, only 20% of enterprises have a database security plan.”

Source: Creating An Enterprise Database Security Plan, July 2010

[Figure: security areas compared – Endpoint Security, Vulnerability Management, Network Security, Email Security, Authentication and User Security, Database Security]

Page 8: Oracle Database 11g Security and Compliance Solutions - By Tom Kyte

Database Security Best Practices

Mitigate Database Bypass
• Prevent access to data at OS, storage, network, media layers
• Transparent data encryption for data at rest, in transit, on media
• Separation of duties for key management

Prevent Application Bypass
• Privileged user access control to limit access to application data
• Multi-factor authorization for enforcing enterprise security policies
• Secure application consolidation

Consolidate Auditing and Compliance Reporting
• Native Oracle and non-Oracle database auditing, centralized audit policies
• Consolidate, secure, analyze audit trail, alert on suspicious activities
• Report for compliance & security, automate database audit workflow

Monitor Database Traffic and Block Threats
• Monitor Oracle & non-Oracle database traffic over the network
• Block threats like SQL injection attacks before reaching databases
• Enforce normal database activity, lightweight monitoring

Protect All Database Environments
• Sensitive data discovery for production
• Secure database lifecycle management, configuration scanning, patch automation
• Mask data for nonproduction development & test

Page 9: Oracle Database 11g Security and Compliance Solutions - By Tom Kyte

Mitigate Database Bypass
Oracle Advanced Security for authentication and encryption

[Figure: application data flowing from the database to disk, backups, exports and off-site facilities]

• Prevents access to data stored in database files, on tape, etc. by IT staff/OS users
• Efficient application data encryption without application changes
• Built-in two-tier key management for SoD with support for centralized key management using HSM/KMS
• Strong authentication of database users for greater identity assurance
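The Transparent Data Encryption setup behind this slide, as an added example that is not part of the original deck: it assumes Oracle Database 11g with a wallet location already configured in sqlnet.ora, a schema HR with table EMP and column SSN, a placeholder wallet password, and a DBA session.

```sql
-- Added example (not from the deck): enabling Oracle 11g Transparent Data
-- Encryption so that datafiles, backups and exports are unreadable at the
-- OS level while the application keeps issuing unchanged SQL.
-- Assumptions: ENCRYPTION_WALLET_LOCATION is set in sqlnet.ora, HR.EMP(SSN)
-- exists, the password is a placeholder, the datafile path is constructed.

-- 1. Create the wallet and master encryption key (11g syntax). Table keys
--    are encrypted by this master key, which lives only in the wallet:
--    the two-tier key model that keeps keys out of the datafiles.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "WalletPassword_PLACEHOLDER";

-- After each instance restart the wallet must be opened before encrypted
-- data can be read (an auto-login wallet removes this manual step).
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "WalletPassword_PLACEHOLDER";

-- 2a. Column-level TDE: encrypt one sensitive column in place.
--     The default adds a SALT; NO SALT is required only for indexed columns.
ALTER TABLE hr.emp MODIFY (ssn ENCRYPT USING 'AES256');

-- 2b. Tablespace-level TDE: everything placed in this tablespace, including
--     indexes and LOBs, is encrypted on disk.
CREATE TABLESPACE secure_ts
  DATAFILE '/u01/oradata/ORCL/secure_ts01.dbf' SIZE 100M
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

-- Move the sensitive table into the encrypted tablespace. MOVE invalidates
-- the table's indexes, so rebuild them afterwards (ALTER INDEX ... REBUILD).
ALTER TABLE hr.emp MOVE TABLESPACE secure_ts;

-- 3. Verification checks after enabling TDE.
SELECT wrl_type, status FROM v$encryption_wallet;            -- expect OPEN
SELECT owner, table_name, column_name, encryption_alg
  FROM dba_encrypted_columns;                                -- HR EMP SSN
SELECT ts.name, et.encryptionalg
  FROM v$encrypted_tablespaces et
  JOIN v$tablespace ts ON ts.ts# = et.ts#;                   -- SECURE_TS
```

Backups and exports of SECURE_TS stay ciphertext, so the wallet (and its backup, kept separately from the database backups) becomes the asset to protect.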

Page 10: Oracle Database 11g Security and Compliance Solutions - By Tom Kyte

Prevent Application Bypass
Oracle Database Vault to enforce privileged user access

[Figure: Procurement, HR and Finance application data; an application DBA issuing "select * from finance.customers" is blocked by the realm while the security DBA administers the policy]

• Automatic and customizable DBA separation of duties and protective realms
• Enforce who, where, when, and how data is accessed using rules and factors
  – Enforce least privilege for privileged database users
  – Prevent application bypass and enforce enterprise data governance
• Securely consolidate application data or enable multi-tenant data management
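The realm the slide's figure describes, as an added example that is not part of the original deck: it assumes Oracle Database Vault 11g is enabled, a FINANCE schema exists, and the block is run by the security DBA holding the DV_OWNER role.

```sql
-- Added example (not from the deck): an Oracle Database Vault 11g realm that
-- places the FINANCE schema out of reach of the DBA account, so the slide's
-- "select * from finance.customers" by a user relying on SELECT ANY TABLE
-- is refused. Assumes Database Vault is enabled, FINANCE exists, and this
-- runs as a DV_OWNER user (the "Security DBA" in the figure).
BEGIN
  -- 1. Create the realm. Auditing failures turns every blocked attempt
  --    into evidence for the auditor.
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'Finance Realm',
    description   => 'Protects FINANCE application data from privileged users',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);

  -- 2. Put every object of every type in the FINANCE schema inside the realm.
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'Finance Realm',
    object_owner => 'FINANCE',
    object_name  => '%',
    object_type  => '%');

  -- 3. Authorise only the application owner. DBA is deliberately absent:
  --    system privileges such as SELECT ANY TABLE no longer reach realm
  --    objects, which is the separation of duties the slide describes.
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'Finance Realm',
    grantee       => 'FINANCE',
    rule_set_name => NULL,
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_OWNER);
END;
/

-- From the DBA account the slide's query now fails with
--   ORA-01031: insufficient privileges
-- SELECT * FROM finance.customers;

-- Checks the security DBA runs: is the realm defined and enabled, what does
-- it cover, and who is authorised?
SELECT name, enabled FROM dba_dv_realm WHERE name = 'Finance Realm';
SELECT owner, object_name, object_type
  FROM dba_dv_realm_object WHERE realm_name = 'Finance Realm';
SELECT grantee, auth_options
  FROM dba_dv_realm_auth WHERE realm_name = 'Finance Realm';

-- Blocked attempts (column names per the 11g DVSYS.AUDIT_TRAIL$ view; verify
-- against your release).
SELECT username, action_name, action_object_name, timestamp, returncode
  FROM dvsys.audit_trail$
 WHERE action_object_name = 'Finance Realm';
```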

Page 11: Oracle Database 11g Security and Compliance Solutions - By Tom Kyte

Prevent Application Bypass
Oracle Label Security for data classification access control

• Classify users and data based on business drivers
• Database enforced row level access control
• User classification through Oracle Identity Management Suite
• Classification labels can be factors in other policies
• No application changes required

[Figure: transactions and report data rows labelled Public, Confidential and Sensitive]

Page 12: Oracle Database 11g Security and Compliance Solutions - By Tom Kyte

Consolidate Auditing & Compliance Reporting
Oracle Audit Vault for real-time database activity monitoring

• Consolidate database audit trail into secure centralized repository
• Detect and alert on suspicious activities, including privileged users
• Out-of-the-box compliance reports for SOX, PCI, and other regulations
  – E.g., privileged user audit, entitlements, failed logins, regulated data changes
• Streamline audits with report generation, notification, attestation, archiving, etc.

[Figure: audit data from CRM, ERP and HR databases collected into Audit Vault, which applies policies and produces built-in reports, custom reports and alerts for the auditor]
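The native 11g audit settings and queries behind the slide's "privileged user audit, failed logins, regulated data changes" reports, as an added example that is not part of the original deck: it assumes AUDIT_TRAIL=DB,EXTENDED, a regulated table FINANCE.CUSTOMERS, and a placeholder DBA account DBA_USER1.

```sql
-- Added example (not from the deck): the Oracle 11g audit configuration that
-- produces the audit trail Audit Vault later consolidates, plus the review
-- queries behind the slide's report types.
-- Assumptions: AUDIT_TRAIL=DB,EXTENDED is set (restart required), the
-- regulated table is FINANCE.CUSTOMERS, DBA_USER1 is a placeholder account.

-- Failed logins only: successful logins are volume, failures are signal.
AUDIT SESSION WHENEVER NOT SUCCESSFUL;

-- Regulated data: one audit row per statement (BY ACCESS) for every read
-- and change of the table, rather than a per-session summary.
AUDIT SELECT, INSERT, UPDATE, DELETE ON finance.customers BY ACCESS;

-- Privileged users: everything SYS does goes to the OS audit trail, and
-- every action of the named DBA account is recorded.
ALTER SYSTEM SET audit_sys_operations = TRUE SCOPE = SPFILE;
AUDIT ALL BY dba_user1 BY ACCESS;

-- Report 1: failed logins in the last 24 hours by account and host.
-- ORA-01017 (invalid username/password) is stored as RETURNCODE 1017.
SELECT username, userhost, COUNT(*) AS failures, MAX(timestamp) AS last_attempt
  FROM dba_audit_trail
 WHERE action_name = 'LOGON'
   AND returncode  = 1017
   AND timestamp  >= SYSDATE - 1
 GROUP BY username, userhost
HAVING COUNT(*) >= 5
 ORDER BY failures DESC;

-- Report 2: who changed regulated data, with the statement text
-- (SQL_TEXT is populated only with the EXTENDED setting).
SELECT timestamp, username, os_username, userhost, action_name, sql_text
  FROM dba_audit_trail
 WHERE owner = 'FINANCE' AND obj_name = 'CUSTOMERS'
   AND action_name IN ('INSERT', 'UPDATE', 'DELETE')
 ORDER BY timestamp DESC;

-- Report 3: anything the DBA account did outside business hours.
SELECT timestamp, username, action_name, owner, obj_name
  FROM dba_audit_trail
 WHERE username = 'DBA_USER1'
   AND TO_NUMBER(TO_CHAR(timestamp, 'HH24')) NOT BETWEEN 8 AND 18
 ORDER BY timestamp DESC;
```

Because SYS.AUD$ lives in the database being audited, a DBA can alter it; shipping it to a separate repository (the slide's point) is what makes the trail trustworthy.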

Page 13: Oracle Database 11g Security and Compliance Solutions - By Tom Kyte

Consolidate Auditing & Compliance Reporting
Oracle Total Recall for automated change tracking

• Transparently track application data changes over time
• Efficient, tamper-resistant storage of archives in the database
• Real-time access to historical application data using SQL
• Simplified incident forensics and recovery

select salary from emp AS OF TIMESTAMP
  TO_TIMESTAMP('02-MAY-09 12.00 AM', 'DD-MON-RR HH.MI AM')
where emp.title = 'admin'
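Enabling Total Recall (Flashback Data Archive) on a table and using it for the slide's point-in-time query, for forensics and for recovery, as an added example that is not part of the original deck: it assumes a tablespace FDA_TS, an HR.EMP table with EMP_ID, TITLE and SALARY columns, the FLASHBACK ARCHIVE ADMINISTER privilege, and constructed sample dates.

```sql
-- Added example (not from the deck): Oracle 11g Total Recall on HR.EMP.
-- Assumptions: tablespace FDA_TS exists, HR.EMP has EMP_ID, TITLE, SALARY,
-- the session has FLASHBACK ARCHIVE ADMINISTER; dates are sample values.

-- 1. One archive whose retention matches the regulatory requirement.
--    History rows are written by the database itself, not the application,
--    and cannot be updated or deleted by ordinary users: tamper-resistant.
CREATE FLASHBACK ARCHIVE fda_hr TABLESPACE fda_ts QUOTA 10G RETENTION 7 YEAR;

-- 2. Track the table. No application change is needed.
ALTER TABLE hr.emp FLASHBACK ARCHIVE fda_hr;

-- 3. Point-in-time query (the slide's example) with an explicit format so
--    it does not depend on the session's NLS_TIMESTAMP_FORMAT.
SELECT salary
  FROM hr.emp AS OF TIMESTAMP
       TO_TIMESTAMP('02-MAY-09 12.00 AM', 'DD-MON-RR HH.MI AM')
 WHERE title = 'admin';

-- 4. Forensics: every version of one row in a window, with the operation
--    (I/U/D) and the transaction id that produced it.
SELECT versions_starttime, versions_endtime, versions_operation,
       versions_xid, salary
  FROM hr.emp VERSIONS BETWEEN TIMESTAMP
       TO_TIMESTAMP('01-MAY-09', 'DD-MON-RR') AND MAXVALUE
 WHERE emp_id = 42
 ORDER BY versions_starttime;

-- 5. Recovery: restore one row to its state before a suspicious change
--    (FLASHBACK TABLE does the same for a whole table).
UPDATE hr.emp e
   SET e.salary = (SELECT salary FROM hr.emp AS OF TIMESTAMP
                     TO_TIMESTAMP('02-MAY-09 12.00 AM', 'DD-MON-RR HH.MI AM')
                    WHERE emp_id = 42)
 WHERE e.emp_id = 42;

-- Which tables are tracked, and by which archive?
SELECT owner_name, table_name, flashback_archive_name, status
  FROM dba_flashback_archive_tables;
```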

Page 14: Oracle Database 11g Security and Compliance Solutions - By Tom Kyte

Monitor Database Traffic and Block Threats
Oracle Database Firewall for activity monitoring, blocking

[Figure: application SQL traffic passes through the Database Firewall, whose policies can Block, Log, Allow, Alert or Substitute each statement; built-in reports, custom reports and alerts]

• Blocks unauthorized access like SQL injections from reaching databases
• SQL grammar analysis ensures accuracy, enforcement, and scalability
• White lists and black lists enforce application activity without false positives
• Scalable architecture provides enterprise performance in all deployment modes
• Built-in and custom compliance reports for SOX, PCI, and other regulations

Page 15: Oracle Database 11g Security and Compliance Solutions - By Tom Kyte

Protect Database Environment: Production
Oracle Enterprise Manager for secure database lifecycle

• Discover and classify databases into security policy groups
• Scan databases against 400+ best practices and industry standards, custom enterprise-specific configuration policies, and enforce security compliance
• Detect and prevent unauthorized database configuration changes, trouble ticket tracking
• Automated patching and secure provisioning

[Figure: lifecycle steps – Discover, Scan and Monitor, Patch]

Page 16: Oracle Database 11g Security and Compliance Solutions - By Tom Kyte

Protect Database Environment: Nonproduction
Oracle Data Masking for protecting insecure environments

• Make application data securely available in non-production environments
• Prevent application developers and testers from seeing production data
• Extensible template library and policies for data masking automation
• Referential integrity automatically preserved so applications continue to work
• Integration with Real Application Testing and Test Data Management

Production:
LAST_NAME | SSN         | SALARY
AGUILAR   | 203-33-3234 | 40,000
BENSON    | 323-22-2943 | 60,000

Non-Production (masked):
LAST_NAME  | SSN         | SALARY
ANSKEKSL   | 111-23-1111 | 60,000
BKJHHEIEDK | 222-34-1345 | 40,000

Data Never Leaves Database

Page 17: Oracle Database 11g Security and Compliance Solutions - By Tom Kyte

Database Security Best Practices Case Studies

Encrypting Personally Identifiable Information
• Transparent data encryption
• No application changes or performance impact
• PCI DSS compliance
Oracle Advanced Security

Defense in Depth Security of Patient Donor Data
• Privileged user access controls
• Encrypting production and masking nonproduction data
• HIPAA/HITECH Compliance
Oracle Database Vault, Oracle Advanced Security, Oracle Data Masking

Audit, Alert & Report on Application Logs
• Monitoring privileged users, sensitive data updates and more
• Secure central audit repository
• Sarbanes-Oxley Act Compliance
Oracle Audit Vault

Page 18: Oracle Database 11g Security and Compliance Solutions - By Tom Kyte

Oracle Database Security Strategy: Defense-in-depth

Maximum Security: Controls within Database – Encryption, Privileged User Controls, Classification
External Controls: Protect Oracle & Non-Oracle Database (including MySQL) – Activity Monitoring, Auditing, Blocking Attacks, Reporting
Low Security: Sensitive Data Removed – Database Lifecycle Management, Data Masking for Non-Production

Page 19: Oracle Database 11g Security and Compliance Solutions - By Tom Kyte

Questions To Consider…

• Do you know where all sensitive data resides?

• Would you know if your data was breached?

• Are you aware of all your regulatory mandates?

• What best practices are you following, where are holes?

Page 20: Oracle Database 11g Security and Compliance Solutions - By Tom Kyte

Q&A

Page 21: Oracle Database 11g Security and Compliance Solutions - By Tom Kyte

Database Security Best Practices – Monthly Webcast Series

• Best Practices For
  – Database Activity Monitoring and Blocking, Feb 29
  – Database Auditing, Alerting and Reporting, Mar 28
  – Transparent Data Encryption, Apr 25
  – Database Privileged User Access Control, May 30

Page 22: Oracle Database 11g Security and Compliance Solutions - By Tom Kyte

For More Information

oracle.com/database/security
or search.oracle.com for "database security"
