Best Practices in Implementing Oracle Database Security Products

Information is the world’s new currency. Databases are the digital banks that store and retrieve valuable information. The growing number of high-profile incidents in which customer records, confidential information and intellectual property are leaked, lost or stolen has created an explosive demand for solutions that protect against the deliberate or inadvertent release of sensitive information. Oracle is the global leader in relational database technology, and has built a rich set of database security products and database features within its product portfolio.

Published in: Technology

  1. Best Practices in Implementing Oracle Database Security Products

     White Papers

     Abstract

     Information is the world’s new currency. Databases are the digital banks that store and retrieve valuable information. The growing number of high-profile incidents in which customer records, confidential information and intellectual property are leaked, lost or stolen has created an explosive demand for solutions that protect against the deliberate or inadvertent release of sensitive information. Moreover, numerous information-intensive government and industry regulations require organizations to protect the integrity of customer, employee and proprietary information and corporate digital assets. Security breaches can no longer be "swept under the rug" because of strict breach disclosure laws.

     Addressing information protection and control (IPC) is a complex challenge. Today, nearly all organizational information exists in electronic form, typically stored in databases. So, it stands to reason that enterprises must secure their databases as part of any IPC strategy to protect sensitive information and comply with regulations. Database security represents a preemptive strategy for preventing enterprise data theft and regulatory compliance infractions.

     Oracle is the global leader in relational database technology, and has built a rich set of database security products and database features within its product portfolio. Implementing effective database security on the Oracle platform requires a deep knowledge of the Oracle product stack and experience in real-world security implementation using Oracle. Estuate brings strong credentials to its clients in both respects, emanating from our deep Oracle product engineering roots and years of Oracle-based client work. This paper profiles the best practices in implementing Oracle-based information security that we have built from our years of experience.

     Seemakiran, Head of India Operations
     Estuate
     1183 Bordeaux Dr, Suite 4
     Sunnyvale, CA 94089
     Phone: +1 408-400-0680
     Fax: +1 408-400-0683
     www.estuate.com

     January 2009
  2. ESTUATE WHITEPAPER Complex Applications Made Easy

     Estuate is a global information technology (IT) services company based in the heart of Silicon Valley. Our founders have decades of deep software product experience at Oracle, particularly in Oracle-based applications development, integration and modernization, and unmatched Oracle E-Business Suite product knowledge. Our focus is two-fold:

     • Providing expert software product development services to software companies
     • Providing high-value application implementation and management services to enterprise clients.

     We pride ourselves on being highly-responsive, nimble and efficient, and we are very honored to let our clients speak on our behalf.

     Our software product development focus includes core product development and testing, business process integration and technology modernization. Our software company clients include Arena Solutions, Cisco, Citrix, Escalate, IBM, Oracle, Performant, Pictage, Salesforce.com, DataFlux (division of SAS) and WebEx.

     Our enterprise application implementation and management focus is on custom application development and the full Oracle E-Business Suite platform. Our enterprise application clients include Bechtel, Fox Interactive Media, HP, Matson, Stanford University, Visa and Wells Fargo.

     For more information, please contact info@estuate.com or visit www.estuate.com

     Copyright © 2009 Estuate Inc. All rights reserved. The entire contents of this document are subject to copyright with all rights reserved. All copyrightable text and graphics, the selection, arrangement and presentation of all information and the overall design of the document are the sole and exclusive property of Estuate.

     © 2009 Estuate. All rights reserved.
  3. Contents

     1. Overview of Oracle Security Products
     2. User Management Best Practices
     3. Access Control Best Practices
     4. Data Protection Best Practices
     5. Compliance Monitoring Best Practices
     6. Conclusion
  4. Overview of Oracle Security Products

     With solutions spanning user management, access control, data protection, and monitoring/alerting for compliance management, Oracle provides a comprehensive information security architecture and best-in-class products.

     [Figure: Oracle Security Data Products]
  5. User Management Best Practices

     We have effectively used Oracle Enterprise User Security to simplify user management for a manufacturing client. We accomplished this by enabling database user accounts to be centrally managed in the Oracle Internet Directory, the core of Oracle’s Identity Management product suite. Oracle Directory Synchronization Service, part of Oracle Internet Directory, facilitates synchronization between Oracle Internet Directory and other directories and user repositories, including Microsoft Active Directory and SunONE, allowing users to authenticate data using credentials stored in one of these other repositories. Oracle Enterprise User Security provides support for strong authentication based on PKI digital certificates or Kerberos.
  6. Access Control Best Practices

     Another client, a world-class university, wanted to protect highly-confidential, sensitive employee data from its organization’s internal database administrators. We accomplished this by implementing Oracle Database Vault.

     Oracle Database Vault

     [Figure: Oracle Database Vault Overview]

     Oracle Database Vault provides enterprises with protection from insider threats and inadvertent leakage of sensitive application data. Access to application data by users and database administrators (DBAs) is controlled using Database Vault realms, command rules and multifactor authorization. Database Vault addresses access privilege by separating access to application data from traditional database and security administration responsibilities. Database Vault realms block ANY-type privileges (SELECT ANY) commonly available to DBAs from being used to access application data. Using multifactor authorization, database access can be easily restricted based on IP address, time of day and other parameters. Command rules enable Database Vault security administrators to associate rule sets or policies with Oracle Database commands. Combined with multifactor authorization, command rules allow powerful policies to be deployed inside the database, further reducing the security risk associated with insiders bypassing the application.

     Additionally, Database Vault’s numerous out-of-the-box reports address a wide range of security metrics, such as attempted data access requests blocked by Realms. For example, if a DBA attempts to access data from an application table protected by a Realm, Database Vault creates an audit record in a specially-protected table within Database Vault. A Realm violation report makes it easy to view these audit records.
  7. Data Protection Best Practices

     [Figure: Transparent Data Encryption Overview]

     Oracle Advanced Security

     We have successfully implemented data protection policies and procedures for several Estuate clients using Oracle Advanced Security. Oracle Advanced Security Transparent Data Encryption (TDE) provides the most advanced encryption capabilities for protecting sensitive information without requiring any changes to the existing application. TDE is a native database solution that is completely transparent to existing applications with no triggers, views or other application changes required. Data is transparently encrypted when written to disk, and transparently decrypted after an application user has successfully authenticated and passed all authorization checks. Authorization checks include verifying that the user has the necessary read/update privileges. TDE can be used to encrypt columns that contain sensitive data, or entire database objects residing in a tablespace. Tablespace encryption ensures all database objects are encrypted at the file system level. When the database reads data blocks from the encrypted tablespace, it transparently decrypts the data blocks. TDE also supports storing the TDE master encryption key on a hardware security module (HSM) device. This provides an even higher level of assurance protecting the TDE master key, as well as centralized key management in a clustered environment.

     Advanced Security also provides strong protection for data in transit by using comprehensive network encryption capabilities. Advanced Security’s easy-to-deploy, comprehensive network encryption provides both native network encryption and SSL/TLS-based encryption. In addition, it can be configured to accept or reject communication from clients not using encryption, providing optimal deployment flexibility. Configuration of network security is managed using the Oracle Network Configuration administration tool, allowing businesses to easily deploy network encryption without any changes to applications.
  8. Oracle Secure Backup (OSB)

     We have also implemented effective backup security for Estuate clients using Oracle’s comprehensive tape backup solution for Oracle databases and file systems. Tight integration with the Oracle Database provides optimal security and performance, eliminating backup of any associated database UNDO data. A centralized administrative server provides a single point of control for enterprise-wide tape backup and any associated encryption keys. The administrative server maintains a tape backup catalog and manages security policies for distributed servers and tape devices. OSB encrypts data before the data leaves the database, resulting in continuous data security when in transit to the tape drive unit. OSB also provides the ability to back up and encrypt file systems directly to tape.

     Oracle Data Masking Pack

     We use Oracle Data Masking Pack to maintain the confidentiality of sensitive or confidential client data in development, test or staging environments. The Data Masking Pack uses an irreversible process to replace sensitive data with realistic-looking but scrubbed data based on masking rules, and ensures that the original data cannot be retrieved or recovered. The Data Masking Pack provides out-of-the-box mask primitives for various data types, such as random numbers, random digits, random dates and constants, as well as built-in masking routines, such as shuffling, which shuffles the values in a column across different rows. The Data Masking Pack helps maintain the integrity of the application while masking sensitive data.
  9. Compliance Monitoring Best Practices

     [Figure: Oracle Audit Vault Overview]

     Oracle Audit Vault

     We use Oracle Audit Vault as an effective security compliance monitoring tool for our clients.

     Audit Vault transparently collects and consolidates audit data from multiple databases across the enterprise, providing valuable insight into who did what to which data when, including privileged users who have direct access to the database. The integrity of audit data is ensured by using sophisticated controls, including Oracle Database Vault and Oracle Advanced Security. Access to the audit data within Audit Vault is strictly controlled. Privileged DBA users cannot view or modify the audit data, and even auditors are prevented from modifying the audit data.

     Audit Vault provides proactive threat detection through alerting. Event alerts help mitigate risk and protect from insider threats by providing proactive notification of suspicious activity across the enterprise. Audit Vault continuously monitors the inbound audit data, evaluating audit data against alert conditions. Alerts can be associated with any auditable database event, including system events such as changes to application tables, role grants and privileged user creation on sensitive systems. Audit Vault provides graphical summaries of activities causing alerts. In addition, database audit settings are centrally managed and monitored from within Audit Vault to ensure consistent auditing policies across the enterprise.
  10. Conclusion

      Using Oracle Database Security products, we have delivered a full range of data security solutions to our clients across the spectrum of user management, access control, data protection and compliance monitoring business processes. We find that Oracle Database Security products, when properly implemented using our best practices, provide comprehensive, world-class information security across all Oracle-based applications.
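
The realm and multifactor authorization described in the Access Control section, as an added example that is not part of the Estuate paper or the client implementation it mentions. It uses the DBMS_MACADM package as documented for Oracle Database Vault 11g; the HR_APP schema, the HR_ADMIN account and all realm, rule and rule set names are hypothetical.

```sql
-- Added example. Run as a Database Vault owner (DV_OWNER role), not as a DBA.
-- HR_APP, HR_ADMIN and every realm/rule name below are hypothetical.
BEGIN
  -- Realm that audits each blocked access attempt (feeds the violation report).
  DVSYS.DBMS_MACADM.CREATE_REALM(
    realm_name    => 'HR Employee Data',
    description   => 'Keeps ANY-privilege holders out of HR_APP objects',
    enabled       => DVSYS.DBMS_MACUTL.G_YES,
    audit_options => DVSYS.DBMS_MACUTL.G_REALM_AUDIT_FAIL);

  -- Protect every object of every type in the HR_APP schema.
  DVSYS.DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'HR Employee Data',
    object_owner => 'HR_APP',
    object_name  => '%',
    object_type  => '%');

  -- Extra factor: the rule is true only from 08:00 to 17:59 server time.
  DVSYS.DBMS_MACADM.CREATE_RULE(
    rule_name => 'Within business hours',
    rule_expr => 'TO_CHAR(SYSDATE, ''HH24'') BETWEEN ''08'' AND ''17''');

  DVSYS.DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'HR admin window',
    description     => 'Realm authorization is valid in business hours only',
    enabled         => DVSYS.DBMS_MACUTL.G_YES,
    eval_options    => DVSYS.DBMS_MACUTL.G_RULESET_EVAL_ALL,
    audit_options   => DVSYS.DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
    fail_options    => DVSYS.DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => 'HR data is accessible 08:00-17:59 only',
    fail_code       => -20100,
    handler_options => DVSYS.DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);

  DVSYS.DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'HR admin window',
    rule_name     => 'Within business hours');

  -- HR_ADMIN is the only realm participant, and only while the rule set holds.
  -- A DBA relying on SELECT ANY TABLE is not authorized: blocked and audited.
  DVSYS.DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'HR Employee Data',
    grantee       => 'HR_ADMIN',
    rule_set_name => 'HR admin window',
    auth_options  => DVSYS.DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);
END;
/
```

Parameter lists for DBMS_MACADM differ slightly between releases, so check them against the Database Vault documentation for the version in use.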
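
The column encryption, tablespace encryption and encrypted-client requirement described in the Data Protection section, together with the queries that confirm each one is in effect. This is an added example in Oracle Database 11g syntax, not part of the Estuate paper; the schema, table, tablespace and datafile names are hypothetical and the wallet password is a placeholder.

```sql
-- Added example. Prerequisite: ENCRYPTION_WALLET_LOCATION is set in sqlnet.ora.
-- All object names and the datafile path are hypothetical.

-- Create (or re-key) the TDE master key; it lives in the wallet or the HSM.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "<wallet-password-placeholder>";

-- Column encryption: only the sensitive columns are encrypted on disk.
CREATE TABLE hr_app.employee_pii (
  emp_id    NUMBER PRIMARY KEY,
  full_name VARCHAR2(100),
  ssn       VARCHAR2(11) ENCRYPT USING 'AES256' NO SALT, -- NO SALT: indexable
  salary    NUMBER(10,2) ENCRYPT USING 'AES256'
);

-- Tablespace encryption: every object stored here is encrypted in the datafile.
CREATE TABLESPACE hr_secure
  DATAFILE '/u01/app/oracle/oradata/ORCL/hr_secure01.dbf' SIZE 100M
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

-- Check 1: the wallet is open, otherwise encrypted data cannot be read.
SELECT wrl_type, status FROM v$encryption_wallet;

-- Check 2: the columns that are actually encrypted, with algorithm and salt.
SELECT owner, table_name, column_name, encryption_alg, salt
FROM   dba_encrypted_columns
WHERE  owner = 'HR_APP';

-- Check 3: the tablespace reports ENCRYPTED = YES.
SELECT tablespace_name, encrypted
FROM   dba_tablespaces
WHERE  tablespace_name = 'HR_SECURE';

-- Data in transit: with SQLNET.ENCRYPTION_SERVER = REQUIRED in the server's
-- sqlnet.ora, clients that do not encrypt are rejected. For an encrypted
-- session the banners include an "Encryption service adapter" line that
-- names the negotiated algorithm (for example AES256).
SELECT network_service_banner
FROM   v$session_connect_info
WHERE  sid = SYS_CONTEXT('USERENV', 'SID');
```

Because TDE decrypts for any session that passes authorization, these checks confirm protection of the files on disk and the network path only; access by privileged database users is a separate control.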
