1. <Insert Picture Here>
Oracle Database Security
Gabriel Trauvitch – Master Principal Solutions Specialist – Grid Architect
Technology Presales – Greece & SEE
2. More Data Than Ever
Growth
Doubles
Yearly
1,800 Exabytes
2006 2011
Source: IDC, 2008
2
3. Oracle Database Security
Business Drivers
Industrial Espionage
Security
Threats
Identity Theft Insider Threats
Data Consolidation
Globalization
Right Sourcing
SOX HIPAA PCI
Compliance
Mandates
EU FDA Basel II GLBA SB1386
Directives
3
4. More Breaches Than Ever
Data Breach Once exposed, the data is out there – the bell can’t be un-rung
PUBLICLY REPORTED DATA BREACHES
400
300
630%
Increase
200
100
Total Personally
Identifying Information
Records Exposed 0
(Millions) 2005 2006 2007 2008
Average cost of a data breach $202 per record
Average total cost exceeds $6.6 million per breach
Source: DataLossDB, Ponemon Institute, 2009
4
6. Market Overview: IT Security In 2009
There has been a clear and significant shift from what was
the widely recognized state of security just a few years ago.
Protecting the organization's information assets is the top
issue facing security programs: data security (90%) is most
often cited as an important or very important issue for IT
security organizations, followed by application security (86%).
Market Overview: IT Security In 2009
- Jonathan Penn, April 22, 2009
6
7. Data Security Challenges
• What to secure?
• Sensitive Data: Confidential, PII, regulatory
• Data in packaged and custom applications
• Secure Life cycle: creation, transit, storage, backup, test, transfer
• Can we secure it now?
• Secure using existing systems?
• Transparent?
• Loss, Unauthorized access, Separation of Duty
• Will it meet business requirements?
• Flexible, Transparent, Compliant?
• Secures both custom and packaged applications?
• Will it reduce operational cost?
• Easy to manage?
• Performant?
7
8. Oracle Database Security
Defense-in-Depth for Security and Compliance
Monitoring Audit
Vault Total
Configuration
Management Recall
Access Control
Database Label
Vault Security
Encryption and Masking
Advanced Data
Secure
Security Masking
Backup
8
9. Oracle Database Security
Defense-in-Depth for Security and Compliance
Encryption and Masking
Advanced Data
Secure
Security Masking
Backup
9
10. Oracle Advanced Security
Transparent Data Encryption
Disk
Backups
Exports
Application
Off-Site
Facilities
• No application changes required
• Efficient encryption of all application data
• Built-in key lifecycle management
• Works with Exadata V2 Smart Scans
• Works with Oracle Advanced Compression
10
11. Oracle Advanced Security
Network Encryption & Strong Authentication
• Standard-based encryption for data in transit
• Strong authentication of users and servers
• No infrastructure changes required
• Easy to implement
11
12. Oracle Secure Backup
Integrated Tape or Cloud Backup Management
• Secure data archival to tape or cloud
• Easy to administer key management
• Fastest Oracle Database tape backups
• Leverage low-cost cloud storage
12
13. Oracle Data Masking
Irreversible De-Identification
Production Non-Production
LAST_NAME SSN SALARY LAST_NAME SSN SALARY
AGUILAR 203-33-3234 40,000 ANSKEKSL 111—23-1111 40,000
BENSON 323-22-2943 60,000 BKJHHEIEDK 222-34-1345 60,000
• Remove sensitive data from non-production databases
• Referential integrity preserved so applications continue to work
• Extensible template library and policies for automation
13
14. Large Credit Card Services Provider
Cost Effective Encryption of Card Holder Data
• Protect sensitive card holder data
Business Challenges
• Comply with PCI
• Deployed Oracle Advanced Security TDE
Solution Tablespace Encryption
• Addressed internal and external requirements
Business Results • Leveraged Oracle Advanced Security integration
with Hardware Security Modules for network
based management of TDE master encryption key
14
15. U.S. Pharmaceutical Tools Manufacturer
Oracle Advanced Security Protects Sensitive Data
• Worried about protection of intellectual
Business Challenges property and sensitive employee data
• Oracle Advanced Security TDE column
encryption
• Easy implementation within hours (Oracle
Solution PeopleSoft)
• TDE with HSM made corporate-wide standard
• Average end-user responses time: +2.5 %
• Cost effective and transparent implementation
of data encryption with no application changes
Business Results
• Protection of sensitive data at rest and on
backup media
15
16. EMEA-based Real Estate Company
Data Masking Pack accelerated availability of production data for
testing while improving DBA productivity
• Custom scripts to mask sensitive data were not
able to scale to meet growing data volumes
Business Challenges • DBA team under increasing pressure to make
production data available to for application testing
within short time frames
• Data Masking Pack delivered an out-of-the-box
solution to replace custom database scripts
Solution • High performance masking capabilities accelerated
masking process from 6 hours using database
scripts to 6 minutes using Data Masking Pack
• 60 X performance improvement in masking process
resulted in faster turnaround of test system creation
Business Results
• Improved DBA productivity by eliminating the
requirement to maintain custom scripts
16
17. Oracle Database Security
Defense-in-Depth for Security and Compliance
Access Control
Database Label
Vault Security
Encryption and Masking
Advanced Data
Secure
Security Masking
Backup
17
18. Oracle Database Vault
Separation of Duties & Privileged User Controls
Procurement
DBA
HR
Application
Finance
select * from finance.customers
• DBA separation of duties
• Limit powers of privileged users
• Securely consolidate application data
• No application changes required
• Works with Oracle Exadata V2 Database Machine
18
19. Oracle Database Vault
Multi-Factor Access Control Policy Enforcement
Procurement
HR
Application Rebates
• Protect application data and prevent application by-pass
• Enforce who, where, when, and how using rules and factors
• Out-of-the box policies for Oracle applications, customizable
19
20. Oracle Label Security
Data Classification for Access Control
Sensitive
Transactions
Confidential
Report Data
Public
Reports
Confidential Sensitive
• Classify users and data based on business drivers
• Database enforced row level access control
• Users classification through Oracle Identity Management Suite
• Classification labels can be factors in other policies
20
21. Large US Based Global Bank
Enable Secure Cost Effective Deployments
• Outsource administration of multiple applications (E-Business Suite,
PeopleSoft and other in-house and 3rd party applications)
Business • “Cross Border” security controls to protect country-specific sensitive
Challenges client data from DBA access in a different country
• Deploy a security solution that is certified with applications and with
minimal performance overhead
• Deployed Oracle Database Vault on 18+ applications including E-
Business Suite, PeopleSoft and other internal and 3rd party
applications to prevent privileged user access to application data
Solution • Used Database Vault multi-factor authorization to enforce cross-
border access control and to prevent “Application Bypass”
• Over 200K users accessing these systems globally
• Saved over $15M a year by outsourcing/off-shoring backend
Business administration operations
Results • Addressed “Cross Border” security requirements
• Passed external audit and avoided paying fines
21
22. Pharmaceutical Services Provider
Protect Sensitive Customer Information and Address Regulations
• Protect and secure the privacy of very sensitive customer
medical data and employee data in PeopleSoft
Business Challenges • Comply with internal policies and external regulations
(HIPAA, SOX, Privacy Laws)
• Prevent privileged user access to sensitive data
• Deployed Oracle Database Vault with out-of-the-box
Solution PeopleSoft protection policies
• Took 14 days to go production
• Complied with HIPAA and other privacy regulations
• Passed external audit
• Saved on consulting costs and deployment time by using
Business Results
the out-of-the-box Database Vault protection policies
• Deployed Database Vault with minimal changes to
existing internal processes and procedures
22
23. Large European Telecom Provider
Enable Organization to Meet Regulations
• Protect the privacy of sensitive client data in their telecom billing system
Business • Meet internal, European Data Security Directive, and country-specific
Challenges privacy requirements
• Prevent tampering or deletion of database objects or database users
• Used Database Vault Realms and Command Rules to prevent DBAs
from accessing sensitive data
• Used Command Rules to prevent tampering or deletion of database
Solution objects or users
• Used multi-factor authorization to prevent “Application Bypass” based
on IP address
• Secure the third party billing system without any application changes
• Comply with internal, European, and country-specific privacy laws
Business
• Cost effective preventive controls against any tampering or deletion of
Results database objects or users
• Maintain good performance without buying additional hardware
23
24. Oracle Database Security
Defense-in-Depth for Security and Compliance
Monitoring Audit
Vault Total
Configuration
Management Recall
Access Control
Database Label
Vault Security
Encryption and Masking
Advanced Data
Secure
Security Masking
Backup
24
25. Oracle Audit Vault
Automated Activity Monitoring & Audit Reporting
HR Data ! Alerts
Built-in
CRM Data Reports
Audit
Data Custom
ERP Data Reports
Databases Policies
Auditor
• Consolidate audit data into secure repository
• Detect and alert on suspicious activities
• Out-of-the box compliance reporting
• Centralized audit policy management
25
26. Oracle Total Recall
Secure Change Tracking
select salary from emp AS OF TIMESTAMP
'02-MAY-09 12.00 AM„ where emp.title = „admin‟
• Transparently track data changes
• Efficient, tamper-resistant storage of archives
• Real-time access to historical data
• Enables forensics and error correction
26
28. European Healthcare Insurance Provider
Simplified Reporting and Stronger Security
• Internal and external database audit requirements
across 10 Oracle and SQL Server databases
Business Challenges • Took 3 months and 2 part time people to create the
audit reports for yearly audit
• No monitoring for insider threats
• Oracle Audit Vault consolidated reporting on audit
data from Oracle and SQL Server
Solution
• Oracle Audit Vault consolidation of audit data
removed DBA from audit review process
• Saved 100‟s of hours in report generations
• Worked with auditors to create customized reports
from the out-of-the box default reports for
Business Results personalized content
• Estimated return on investments in less than 18
months
28
29. Large Financial Services Provider
Stronger Controls
• Audit credit card transactions
• 20+ production Oracle databases with native
Business Challenges auditing already turned on
• Need for reports and no resource or budget to
create and review them
• Oracle Audit Vault audit data collection and secure
centralized storage
Solution • Audit Vault proactively monitors privileged user
access violations, failed database logins, and
generates forensic data
• Passed internal audits
• Automated reporting on credit card transactions
Business Results • Secure consolidation of audit data
• Detected policy violations of database activity
• Deployed in production in 3 months
29
30. Large European Telco Provider
Address Telco Regulations on Call Records
• Audit credit card transactions
• 20+ production Oracle databases with native
Business Challenges auditing already turned on
• Need for reports and no resource or budget to
create and review them
• Oracle Audit Vault audit data collection and secure
centralized storage
Solution • Audit Vault proactively monitors privileged user
access violations, failed database logins, and
generates forensic data
• Passed internal audits
• Automated reporting on credit card transactions
Business Results • Secure consolidation of audit data
• Detected policy violations of database activity
• Deployed in production in 3 months
30
31. Oracle Database Security
Defense-in-Depth for Security and Compliance
Monitoring Audit
Vault Total
Configuration
Management Recall
Access Control
Database Label
Vault Security
Encryption and Masking
Advanced Data
Secure
Security Masking
Backup
31
32. For More Information
search.oracle.com
database security
oracle.com/database/security
32