Oracle Database 11g Security and Compliance Solutions - By Tom Kyte

Presentation slides from an Oracle webcast, February 2012: http://goo.gl/T1SBIf
Tom Kyte, Sr. Technical Architect, Oracle
Troy Kitch, Sr. Manager, Database Security Product Marketing, Oracle


  1. Copyright © 2012, Oracle and/or its affiliates. All rights reserved. Public Information
  2. The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.
  3. Best Practices for Database Security and Compliance
     Tom Kyte, Sr. Technical Architect, Oracle
     Troy Kitch, Sr. Manager, Database Security Product Marketing, Oracle
  4. Program Agenda
     • Enterprise Data Security Challenges
     • Database Security Best Practices
     • Oracle Database Security Solutions
     • Defense-in-Depth
     • Q&A
  5. Database Server Breaches
     Two-thirds of sensitive and regulated information now resides in databases, and that volume is doubling every two years.
     • 48% of data breaches were caused by insiders
     • 89% of stolen records were taken using SQL injection
     • 86% of hacking incidents used stolen credentials
     • Over 1 billion records were compromised over the past six years
     Source: Verizon Data Breach Investigations Reports 2007-11; IDC, "Effective Data Leak Prevention Programs: Start by Protecting Data at the Source — Your Databases", August 2011
  6. How Secure Are Your Databases? 2011 IOUG Data Security Survey Results
     • 24% can prevent DBAs from accessing data and stored procedures
     • 69% do not monitor sensitive application data reads and writes
     • 63% have not taken steps to prevent SQL injection attacks, or are unsure whether they have
     • 48% copy sensitive data to development and test environments
     • 70% have data in database files or storage that can be read at the OS level
     • 57% cannot prevent direct access to the database (application bypass)
  7. IT Security Not Addressing Database Security: Only 20% Have a Plan
     "Forrester estimates that although 70% of enterprises have an information security plan, only 20% of enterprises have a database security plan."
     Source: Forrester, "Creating An Enterprise Database Security Plan", July 2010
     [Figure: plan coverage by domain: Endpoint Security, Vulnerability Management, Network Security, Email Security, Authentication and User Security, Database Security]
  8. Database Security Best Practices
     Mitigate Database Bypass
     • Prevent access to data at the OS, storage, network and media layers
     • Transparent data encryption for data at rest, in transit and on media
     • Separation of duties for key management
     Prevent Application Bypass
     • Privileged user access control to limit access to application data
     • Multi-factor authorization for enforcing enterprise security policies
     • Secure application consolidation
     Consolidate Auditing and Compliance Reporting
     • Native Oracle and non-Oracle database auditing, centralized audit policies
     • Consolidate, secure and analyze the audit trail; alert on suspicious activities
     • Report for compliance and security; automate the database audit workflow
     Monitor Database Traffic and Block Threats
     • Monitor Oracle and non-Oracle database traffic over the network
     • Block threats like SQL injection attacks before they reach databases
     • Enforce normal database activity with lightweight monitoring
     Protect All Database Environments
     • Sensitive data discovery for production
     • Secure database lifecycle management, configuration scanning, patch automation
     • Mask data for nonproduction development and test
  9. Mitigate Database Bypass: Oracle Advanced Security for authentication and encryption
     • Prevents access to data stored in database files, on tape, etc. by IT staff and OS users
     • Efficient application data encryption without application changes
     • Built-in two-tier key management for separation of duties, with support for centralized key management using an HSM/KMS
     • Strong authentication of database users for greater identity assurance
     [Figure labels: Application; Disk; Backups; Exports; Off-Site Facilities]
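How the two Transparent Data Encryption modes on this slide are turned on in 11g, as an added example that is not part of the deck. The wallet directory, tablespace, table and column names and the wallet password are placeholders; the statements are standard 11g Advanced Security syntax.

```sql
-- Added example (not from the deck): Oracle 11g Transparent Data Encryption, so that OS users,
-- backup operators and anyone reading datafiles directly see only ciphertext.
-- Paths, object names and the wallet password are placeholders.

-- 1. Point the database at a software wallet (or an HSM). This line goes in
--    $ORACLE_HOME/network/admin/sqlnet.ora:
--    ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/u01/app/oracle/admin/ORCL/wallet)))
--    Have the wallet directory and password owned by a security administrator rather than the
--    DBA group: that is the two-tier (master key / table keys) separation of duties the slide refers to.

-- 2. Create the master encryption key; this also opens the wallet. After each instance restart
--    the wallet must be opened again (or use an auto-login wallet) before encrypted data is readable.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "change-this-wallet-password";
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "change-this-wallet-password";

-- 3a. Tablespace encryption: every segment created in the tablespace, indexes included, is
--     written encrypted, so datafile copies and RMAN backups of it carry ciphertext.
CREATE TABLESPACE secure_ts
  DATAFILE '/u01/app/oracle/oradata/ORCL/secure_ts01.dbf' SIZE 100M
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

CREATE TABLE hr.employees_pii (
  employee_id NUMBER PRIMARY KEY,
  ssn         VARCHAR2(11),
  salary      NUMBER(10,2)
) TABLESPACE secure_ts;

-- 3b. Column encryption for an existing table, in place. NO SALT is required if the column
--     is (or will be) indexed; salted columns cannot carry an index.
ALTER TABLE hr.employees MODIFY (ssn ENCRYPT USING 'AES256' NO SALT);

-- 4. Checks to run afterwards.
SELECT wrl_type, wrl_parameter, status FROM v$encryption_wallet;              -- expect STATUS = OPEN
SELECT tablespace_name, encrypted FROM dba_tablespaces
 WHERE tablespace_name = 'SECURE_TS';                                         -- expect ENCRYPTED = YES
SELECT owner, table_name, column_name, encryption_alg, salt
  FROM dba_encrypted_columns;

-- Caveat: TDE protects data at rest only. Anyone with SELECT privilege, or a DBA, still reads
-- cleartext through SQL; that path is what Database Vault on the next slide addresses.
```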
  10. Prevent Application Bypass: Oracle Database Vault to enforce privileged user access
      • Automatic and customizable DBA separation of duties and protective realms
      • Enforce who, where, when, and how data is accessed using rules and factors
        – Enforce least privilege for privileged database users
        – Prevent application bypass and enforce enterprise data governance
      • Securely consolidate application data or enable multi-tenant data management
      [Figure labels: Application; Procurement, HR and Finance realms; Application DBA issuing "select * from finance.customers"; DBA; Security DBA]
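The realm, rule and factor mechanics behind this slide, as an added example that is not from the deck. It assumes Database Vault is already enabled and is run by a DV_OWNER/DV_ADMIN user; the schema, account, realm and rule set names and the application server address are placeholders.

```sql
-- Added example (not from the deck): a Database Vault realm around the FINANCE schema whose
-- authorization is conditional on where the session comes from.
-- Run as a user holding DV_OWNER or DV_ADMIN. Names and the IP address are placeholders.
BEGIN
  -- Only realm participants can use their object privileges on realm-protected objects;
  -- DBA, SELECT ANY TABLE and the other ANY privileges are stopped at the realm boundary.
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'Finance Realm',
    description   => 'Blocks privileged-user access to FINANCE application data',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);    -- audit every blocked attempt

  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'Finance Realm',
    object_owner => 'FINANCE',
    object_name  => '%',                                 -- every object in the schema
    object_type  => '%');

  -- "Where" and "how": a rule set that passes only for sessions from the application tier.
  -- DVF.F$CLIENT_IP is one of the default Database Vault factors.
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Is App Server',
    rule_expr => 'DVF.F$CLIENT_IP = ''10.0.5.12''');

  DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'Finance App Tier Only',
    description     => 'Realm authorization is valid only from the application tier',
    enabled         => DBMS_MACUTL.G_YES,
    eval_options    => DBMS_MACUTL.G_RULESET_EVAL_ALL,
    audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
    fail_options    => DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => 'FINANCE data may be accessed only from the application server',
    fail_code       => -20001,
    handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);

  DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'Finance App Tier Only',
    rule_name     => 'Is App Server');

  -- The application account is a participant, but only while the rule set evaluates true.
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'Finance Realm',
    grantee       => 'FIN_APP',
    rule_set_name => 'Finance App Tier Only',
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);
END;
/

-- Check: connected as the "Application DBA" from the slide's diagram (DBA role, no realm
-- authorization), SELECT * FROM finance.customers now fails with ORA-01031: insufficient
-- privileges, and the attempt is recorded in the Database Vault audit trail:
SELECT username, userhost, action_name, action_object_name, timestamp
  FROM dvsys.audit_trail$
 WHERE action_object_name = 'Finance Realm'
 ORDER BY timestamp DESC;
```

Note that FIN_APP connecting from any host other than 10.0.5.12 is refused with the rule set's fail message even though it holds the object privileges, which is the "application bypass" case: stolen application credentials used from a workstation.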
  11. Prevent Application Bypass: Oracle Label Security for data classification access control
      • Classify users and data based on business drivers
      • Database-enforced row level access control
      • User classification through Oracle Identity Management Suite
      • Classification labels can be factors in other policies
      • No application changes required
      [Figure labels: Transactions, Report Data, Reports, each carrying Public, Sensitive or Confidential labels]
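A minimal Label Security policy with the three levels shown on the slide, as an added example that is not from the deck. The policy, table, column and user names are placeholders; the SA_* packages are those of 11g Label Security and the administrative calls run as LBACSYS or a holder of the policy's HR_POL_DBA role.

```sql
-- Added example (not from the deck): an Oracle Label Security policy that tags each row of
-- HR.EMPLOYEES as Public / Sensitive / Confidential and lets the database, not the
-- application, decide which rows a session may read. Names are placeholders.
BEGIN
  -- The policy adds a label column (HR_LABEL) to every table it is applied to.
  SA_SYSDBA.CREATE_POLICY(
    policy_name     => 'HR_POL',
    column_name     => 'HR_LABEL',
    default_options => 'READ_CONTROL,WRITE_CONTROL');

  -- Levels are ordered: a session may read rows at or below its maximum read level.
  SA_COMPONENTS.CREATE_LEVEL('HR_POL', 1000, 'P', 'PUBLIC');
  SA_COMPONENTS.CREATE_LEVEL('HR_POL', 2000, 'S', 'SENSITIVE');
  SA_COMPONENTS.CREATE_LEVEL('HR_POL', 3000, 'C', 'CONFIDENTIAL');

  -- Data labels are the values rows may carry (level only; compartments and groups omitted).
  SA_LABEL_ADMIN.CREATE_LABEL('HR_POL', 1000, 'P');
  SA_LABEL_ADMIN.CREATE_LABEL('HR_POL', 2000, 'S');
  SA_LABEL_ADMIN.CREATE_LABEL('HR_POL', 3000, 'C');

  -- Apply to the table: from here on every SELECT and DML against it is filtered by label.
  SA_POLICY_ADMIN.APPLY_TABLE_POLICY(
    policy_name   => 'HR_POL',
    schema_name   => 'HR',
    table_name    => 'EMPLOYEES',
    table_options => 'READ_CONTROL,WRITE_CONTROL');

  -- User labels: a payroll analyst may read up to SENSITIVE, the CFO up to CONFIDENTIAL.
  -- (The slide's Identity Management integration sets these from directory attributes instead.)
  SA_USER_ADMIN.SET_USER_LABELS(policy_name => 'HR_POL', user_name => 'PAYROLL_ANALYST', max_read_label => 'S');
  SA_USER_ADMIN.SET_USER_LABELS(policy_name => 'HR_POL', user_name => 'CFO',             max_read_label => 'C');
END;
/

-- Label the rows (run as a user with FULL privilege on the policy, e.g. the HR_POL_DBA holder).
UPDATE hr.employees SET hr_label = CHAR_TO_LABEL('HR_POL', 'C') WHERE job_id LIKE 'AD_%';  -- executives
UPDATE hr.employees SET hr_label = CHAR_TO_LABEL('HR_POL', 'S') WHERE hr_label IS NULL;     -- everyone else
COMMIT;

-- Check: connected as PAYROLL_ANALYST this statement returns no executive rows, although the
-- account has SELECT on HR.EMPLOYEES and the query has no WHERE clause.
SELECT employee_id, last_name, salary, LABEL_TO_CHAR(hr_label) AS lbl FROM hr.employees;

-- Caveat: accounts holding EXEMPT ACCESS POLICY bypass every Label Security and VPD policy;
-- audit who has it.
SELECT grantee FROM dba_sys_privs WHERE privilege = 'EXEMPT ACCESS POLICY';
```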
  12. Consolidate Auditing & Compliance Reporting: Oracle Audit Vault for real-time database activity monitoring
      • Consolidate the database audit trail into a secure centralized repository
      • Detect and alert on suspicious activities, including those of privileged users
      • Out-of-the-box compliance reports for SOX, PCI, and other regulations
        – E.g., privileged user audit, entitlements, failed logins, regulated data changes
      • Streamline audits with report generation, notification, attestation, archiving, etc.
      [Figure labels: CRM Data, ERP Data and HR Data databases feeding Audit Data; Policies, Built-in Reports, Alerts, Custom Reports; Auditor]
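The native 11g audit configuration that an Audit Vault collector consolidates, as an added example that is not from the deck. It shows the difference between the standard audit trail and fine-grained auditing, which is what captures the "sensitive application data reads" the IOUG survey says most sites do not monitor. Schema, table, account and policy names are placeholders.

```sql
-- Added example (not from the deck): native Oracle 11g auditing as the source that Audit Vault
-- collects from. Object, account and policy names are placeholders.

-- Write the audit trail to the database; DB,EXTENDED also keeps SQL text and bind values.
-- Takes effect after the next restart.
ALTER SYSTEM SET audit_trail = 'DB,EXTENDED' SCOPE = SPFILE;

-- Standard auditing: the privileged-user and login activity compliance reports ask for.
AUDIT SESSION;                                   -- successful and failed logins
AUDIT CREATE USER, ALTER USER, DROP USER;        -- account lifecycle
AUDIT GRANT ANY PRIVILEGE, GRANT ANY ROLE;       -- entitlement changes
AUDIT SELECT ON finance.customers BY ACCESS;     -- one record per statement, not per session

-- Fine-grained auditing: record a read of the SALARY column only when the reader is not the
-- application account, i.e. a direct (application-bypass) read. Auditing every SELECT on
-- the table would drown the signal in normal application traffic.
BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema   => 'HR',
    object_name     => 'EMPLOYEES',
    policy_name     => 'HR_SALARY_READS',
    audit_condition => 'SYS_CONTEXT(''USERENV'',''SESSION_USER'') <> ''HR_APP''',
    audit_column    => 'SALARY',
    statement_types => 'SELECT,UPDATE',
    audit_trail     => DBMS_FGA.DB + DBMS_FGA.EXTENDED);  -- capture SQL text and binds
END;
/

-- The views Audit Vault pulls. They answer "who read salaries last night?" on their own, but
-- they live on the audited server where a DBA can purge them; the slide's point is to move
-- them off-box into a repository the DBA cannot reach.
SELECT username, os_username, userhost, action_name, obj_name, returncode, timestamp
  FROM dba_audit_trail
 WHERE timestamp > SYSDATE - 1
 ORDER BY timestamp DESC;

SELECT db_user, object_name, policy_name, sql_text, timestamp
  FROM dba_fga_audit_trail
 WHERE policy_name = 'HR_SALARY_READS'
 ORDER BY timestamp DESC;
```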
  13. Consolidate Auditing & Compliance Reporting: Oracle Total Recall for automated change tracking
      • Transparently track application data changes over time
      • Efficient, tamper-resistant storage of archives in the database
      • Real-time access to historical application data using SQL
      • Simplified incident forensics and recovery
      Example from the slide (the timestamp literal made explicit so it does not depend on the session's NLS_TIMESTAMP_FORMAT):
      select salary from emp AS OF TIMESTAMP TO_TIMESTAMP('02-MAY-09 12.00 AM', 'DD-MON-RR HH.MI AM') where emp.title = 'admin'
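Enabling the archive behind that query and using it for forensics and row-level recovery, as an added example that is not from the deck. The tablespace, archive name, schema and the example employee number are placeholders; the flashback syntax is standard 11g.

```sql
-- Added example (not from the deck): Flashback Data Archive (marketed as Total Recall in 11g)
-- on HR.EMP, then the queries an incident responder runs against it. Names are placeholders.

-- Requires the FLASHBACK ARCHIVE ADMINISTER privilege. The history tables cannot be changed
-- with ordinary DML, which is the tamper resistance the slide refers to; purging needs that
-- same privilege, so grant it to as few accounts as possible.
CREATE FLASHBACK ARCHIVE fda_hr TABLESPACE fda_ts QUOTA 10G RETENTION 7 YEAR;
ALTER TABLE hr.emp FLASHBACK ARCHIVE fda_hr;

-- Point-in-time view: what did the admin accounts' salaries look like before the change window?
SELECT empno, salary
  FROM hr.emp AS OF TIMESTAMP TO_TIMESTAMP('02-MAY-2009 00:00', 'DD-MON-YYYY HH24:MI')
 WHERE title = 'admin';

-- Forensics: every version of each admin row since then, with the operation, the transaction
-- that made it, and when it took effect.
SELECT versions_starttime, versions_operation, versions_xid, empno, salary
  FROM hr.emp
       VERSIONS BETWEEN TIMESTAMP TO_TIMESTAMP('02-MAY-2009 00:00', 'DD-MON-YYYY HH24:MI')
                            AND MAXVALUE
 WHERE title = 'admin'
 ORDER BY empno, versions_starttime;

-- Tie a suspicious version to who ran it: the transaction id joins to the standard audit
-- trail (audit_trail=DB,EXTENDED). Bind :xid to the versions_xid value from the previous query.
SELECT username, os_username, userhost, action_name, sql_text
  FROM dba_audit_trail
 WHERE transactionid = :xid;

-- Recovery: put one wrongly changed row back without restoring the database.
UPDATE hr.emp e
   SET salary = (SELECT salary
                   FROM hr.emp AS OF TIMESTAMP TO_TIMESTAMP('02-MAY-2009 00:00', 'DD-MON-YYYY HH24:MI')
                  WHERE empno = e.empno)
 WHERE empno = 7369;
COMMIT;
```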
  14. Monitor Database Traffic and Block Threats: Oracle Database Firewall for activity monitoring and blocking
      • Blocks unauthorized access like SQL injection from reaching databases
      • SQL grammar analysis ensures accuracy, enforcement, and scalability
      • White lists and black lists enforce application activity without false positives
      • Scalable architecture provides enterprise performance in all deployment modes
      • Built-in and custom compliance reports for SOX, PCI, and other regulations
      Policy actions: Block, Log, Allow, Alert, Substitute
      [Figure labels: Applications; Policies, Built-in Reports, Alerts, Custom Reports]
      A white list is only as complete as the traffic it was learned from; run the firewall in log-only mode across a full business cycle (month-end, batch jobs, upgrades) before switching any policy to Block.
  15. Protect Database Environment: Production. Oracle Enterprise Manager for secure database lifecycle (Discover, Scan and Monitor, Patch)
      • Discover and classify databases into security policy groups
      • Scan databases against 400+ best practices and industry standards, plus custom enterprise-specific configuration policies, and enforce security compliance
      • Detect and prevent unauthorized database configuration changes, with trouble ticket tracking
      • Automated patching and secure provisioning
  16. Protect Database Environment: Nonproduction. Oracle Data Masking for protecting insecure environments
      • Make application data securely available in non-production environments
      • Prevent application developers and testers from seeing production data
      • Extensible template library and policies for data masking automation
      • Referential integrity automatically preserved so applications continue to work
      • Integration with Real Application Testing and Test Data Management
      Production:
        LAST_NAME   SSN          SALARY
        AGUILAR     203-33-3234  40,000
        BENSON      323-22-2943  60,000
      Non-Production (masked):
        LAST_NAME   SSN          SALARY
        ANSKEKSL    111-23-1111  60,000
        BKJHHEIEDK  222-34-1345  40,000
      Data never leaves the database during masking.
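What "referential integrity preserved" means in practice, as an added example that is not from the deck and is not the Oracle Data Masking Pack itself (which drives the same steps from templates). It masks a cloned non-production copy by hand where SSN is both a key in EMPLOYEES and a foreign key in PAYROLL; the table, column and constraint names are placeholders.

```sql
-- Added example (not from the deck, and not the Data Masking Pack's own code): consistent
-- masking across two tables on a cloned non-production database. SSN is the join key between
-- EMPLOYEES and PAYROLL, so both tables must map each real SSN to the same fake one or the
-- application breaks. Names are placeholders.

-- 1. Build the substitution map once from the distinct real keys. DBMS_RANDOM is not a CSPRNG,
--    which is acceptable here because the map is discarded, not used as a secret.
CREATE TABLE ssn_map AS
SELECT ssn AS real_ssn,
       TO_CHAR(TRUNC(DBMS_RANDOM.VALUE(100, 899)), 'FM000') || '-' ||
       TO_CHAR(TRUNC(DBMS_RANDOM.VALUE(1, 99)),    'FM00')  || '-' ||
       TO_CHAR(TRUNC(DBMS_RANDOM.VALUE(1, 9999)),  'FM0000') AS fake_ssn
  FROM (SELECT ssn FROM employees UNION SELECT ssn FROM payroll);

-- A collision would merge two people into one; rebuild the map if this returns rows.
SELECT fake_ssn, COUNT(*) FROM ssn_map GROUP BY fake_ssn HAVING COUNT(*) > 1;

-- 2. Apply the same map to every table that carries the key. The FK is disabled while the
--    child rows are rewritten and re-validated afterwards, which proves integrity held.
ALTER TABLE payroll MODIFY CONSTRAINT fk_payroll_emp DISABLE;

UPDATE employees e
   SET ssn       = (SELECT fake_ssn FROM ssn_map m WHERE m.real_ssn = e.ssn),
       last_name = DBMS_RANDOM.STRING('U', LENGTH(e.last_name));  -- shape-preserving noise
UPDATE payroll p
   SET ssn = (SELECT fake_ssn FROM ssn_map m WHERE m.real_ssn = p.ssn);
COMMIT;

ALTER TABLE payroll MODIFY CONSTRAINT fk_payroll_emp ENABLE VALIDATE;

-- 3. Remove the real-to-fake correspondence from the copy.
DROP TABLE ssn_map PURGE;

-- Checks: every payroll row still joins to exactly one employee (expect 0 orphans) ...
SELECT COUNT(*) AS orphans
  FROM payroll p
 WHERE NOT EXISTS (SELECT 1 FROM employees e WHERE e.ssn = p.ssn);
-- ... and no production SSN survives (run against a list of real values taken from production).
SELECT COUNT(*) AS leaked FROM employees WHERE ssn IN ('203-33-3234', '323-22-2943');

-- Caveat: undo, redo/archive logs and any Flashback Data Archive on these tables still hold
-- the original values. Mask in the clone before it is handed out, never in production, and
-- do not archive the clone's logs.
```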
  17. Database Security Best Practices Case Studies
      Encrypting Personally Identifiable Information (Oracle Advanced Security)
      • Transparent data encryption
      • No application changes or performance impact
      • PCI DSS compliance
      Defense in Depth Security of Patient Donor Data (Oracle Database Vault, Oracle Advanced Security, Oracle Data Masking)
      • Privileged user access controls
      • Encrypting production and masking nonproduction data
      • HIPAA/HITECH compliance
      Audit, Alert & Report on Application Logs (Oracle Audit Vault)
      • Monitoring privileged users, sensitive data updates and more
      • Secure central audit repository
      • Sarbanes-Oxley Act compliance
  18. Oracle Database Security Strategy: Defense-in-depth
      • Maximum Security, controls within the database: Encryption, Privileged User Controls, Classification
      • External Controls, protecting Oracle and non-Oracle databases (e.g. MySQL): Activity Monitoring, Auditing, Blocking Attacks, Reporting
      • Low Security, sensitive data removed: Database Lifecycle Management, Data Masking for Non-Production
  19. Questions To Consider
      • Do you know where all sensitive data resides?
      • Would you know if your data was breached?
      • Are you aware of all your regulatory mandates?
      • What best practices are you following, and where are the holes?
  20. Q&A
  21. Database Security Best Practices: Monthly Webcast Series
      • Best Practices for Database Activity Monitoring and Blocking, Feb 29
      • Best Practices for Database Auditing, Alerting and Reporting, Mar 28
      • Best Practices for Transparent Data Encryption, Apr 25
      • Best Practices for Database Privileged User Access Control, May 30
  22. For More Information
      oracle.com/database/security
      search.oracle.com for "database security"