5. 2010 11-03 bucharest oracle-tech_day_security
Transcript

  • 1. Security for Data at the Source in Public and Private Sector. 3rd November 2010, Bucharest. Michael Bürger, Product Director EECIS, Security and Manageability
  • 2. The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
  • 3. Agenda
    • Business Drivers
    • DB Security in the Data Center
    • New 11g Features and Certifications
    • Customers in Vertical Industries
    • Conclusions
  • 4. Business Drivers for Security
  • 5. End to End Oracle Security Solutions: Securing Data at the Source
    • Application Security
    • Identity and Access Management
    • Database Security
    • Infrastructure Security
  • 6. #1 Database, Most Secure. “Most DBMS vendors offer basic security features; Oracle’s offering is most comprehensive.” Source: Gartner DataQuest, 2008; Forrester Database Security Market Report, 2009
  • 7. How is Data Compromised? Source: Verizon 2010 Data Breach Investigations Report
  • 8. DB Security 11g Business Drivers (entry points)
    • GRC: Governance, Risk Management, Compliance
    • Security Threats
    • Cost reduction
  • 9. Oracle Database Security Business Drivers: most relevant in EECIS, the minimum bundle on data level. The slide maps three drivers (Compliance & Regulation; Reduce & avoid Security Costs; Security Threats, internal & external) onto the products Audit Vault, Label Security, Configuration Management for Policies, DB Vault (DBA Access Control), Data Mask for Developers, Advanced Security Option for Encryption and Database Firewall.
  • 10. DB Security in the Data Center
  • 11. DB Security in the Data Center
  • 12. DB environment Application users, DBAs, Developers, Security Officer
  • 13.–17. Building up the secured DB environment, one protection layer per slide:
    • Securing data at rest: application users protected by Transparent Data Encryption (10g column encryption, 11g tablespace encryption)
    • Securing data in motion: application users protected by Transparent Data Encryption 10g for network traffic and tapes; DB Firewall as network real-time SQL analyzer
    • Securing data for testing: developers protected by Data Mask 10g
    • Preventing unauthorized modification: DBAs protected by DB Vault 9i
    • Highly secured DB environment, „preventive and detective“: Security Officer protected by Audit Vault 10g
  • 18. New 11g Features and Certifications
  • 19. Oracle Advanced Security 11g: Table Space Encryption, e.g. for ODB based HR systems (disk backups, exports, off-site facilities)
    • Any employee user with operating system access can sniff data and copy it
    • 11g Table Space Encryption for sensitive HR data at rest encryption
    • Data in motion traveling on the network is encrypted from 10g on
    • Rapid implementation of 11g Table Space Encryption
    • No identification of the fields required: just create an encrypted table space as part of the upgrade and use that table space for the HR system on ODB; rapid index queries
    • This is totally transparent without application change
    • Minimal preparation within the 11g upgrade and all the data is protected
    • Less administration & performance impact compared to 10g column encryption
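The "create an encrypted table space and move the HR data into it" step described above, as an added SQL*Plus example that is not part of the original deck. It assumes Oracle 11g syntax, a tablespace named HR_SECURE, a datafile path, the sample HR schema with its EMP_EMP_ID_PK index, and a placeholder wallet password.

```sql
-- Added example (not from the slides): 11g tablespace encryption for an HR schema.
-- Assumed names: tablespace HR_SECURE, datafile path, schema HR, index HR.EMP_EMP_ID_PK.
-- Prerequisite (outside SQL, done once in sqlnet.ora):
--   ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/u01/app/oracle/admin/orcl/wallet)))

-- 1. Create the TDE master key and open the wallet (11g syntax; password is a placeholder).
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "<wallet-password>";
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "<wallet-password>";

-- 2. Create the encrypted tablespace: every segment stored in it is encrypted on disk,
--    so no per-column identification of sensitive fields is needed.
CREATE TABLESPACE hr_secure
  DATAFILE '/u01/oradata/orcl/hr_secure01.dbf' SIZE 500M AUTOEXTEND ON
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

-- 3. Move the sensitive table in; the application needs no change.
--    MOVE marks the table's indexes UNUSABLE, so rebuild them (into the encrypted tablespace too).
ALTER TABLE hr.employees MOVE TABLESPACE hr_secure;
ALTER INDEX hr.emp_emp_id_pk REBUILD TABLESPACE hr_secure;

-- 4. Verify: the tablespace reports ENCRYPTED = 'YES' and the algorithm is visible.
SELECT tablespace_name, encrypted
  FROM dba_tablespaces
 WHERE tablespace_name = 'HR_SECURE';
SELECT t.name, e.encryptionalg
  FROM v$encrypted_tablespaces e
  JOIN v$tablespace t ON t.ts# = e.ts#;

-- Caveats: the database cannot read these segments while the wallet is closed, and a datafile
-- backup is useless without a (separately stored) backup of the wallet. The old tablespace's
-- datafile still holds cleartext blocks until they are overwritten or the file is dropped.
```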
  • 20. Oracle Database Vault: Privileged User Access Control on Data Level and Multifactor Authorization (diagram: Procurement, HR and Finance applications; a DBA issuing `select * from finance.customers`)
    • Power users can access sensitive data (HR, Credit Cards) and publish it
    • SoD prevents unauthorized new account creation or password change: (1) application owners create new accounts, (2) DB Vault protects DBAs, who can manage the data but can't modify it, (3) security officers grant access rights according to written policies
    • Certified Realms to protect all tables in EBS, SAP or ISV HR Systems
    • Brings Security Policies into production according to CIA application ratings*
    • * CIA principles: Confidentiality, Integrity and Availability; who can delete, copy or change what?
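A realm of the kind the slide describes, keeping DBAs with `SELECT ANY TABLE` out of an HR schema, as an added example using the 11g Database Vault PL/SQL API; it is not part of the original deck. Assumed names: realm 'HR Realm', schema HR, application account HR_APP, and that it is run by the Database Vault owner account.

```sql
-- Added example (not from the slides): a Database Vault realm around the HR schema.
-- Assumed names: realm 'HR Realm', schema HR, application account HR_APP. Run as the DV owner.
BEGIN
  -- A realm is a protective boundary around objects: system privileges such as
  -- SELECT ANY TABLE or DELETE ANY TABLE no longer reach inside it, whoever holds them.
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'HR Realm',
    description   => 'Protects HR tables from privileged users',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);  -- audit every blocked attempt

  -- Put every table of the HR schema inside the realm (wildcard object name).
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'HR Realm',
    object_owner => 'HR',
    object_name  => '%',
    object_type  => 'TABLE');

  -- Only the application account is authorized to use its privileges inside the realm;
  -- no DBA account is added, so DBAs can still manage the database but not read HR data.
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'HR Realm',
    grantee       => 'HR_APP',
    rule_set_name => NULL,
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);
END;
/

-- Check the definition: the realm is enabled and lists the HR tables.
SELECT name, enabled FROM dba_dv_realm WHERE name = 'HR Realm';
SELECT owner, object_name, object_type FROM dba_dv_realm_object WHERE realm_name = 'HR Realm';

-- Expected behaviour: SELECT * FROM hr.employees as a user relying on SELECT ANY TABLE now fails
-- with ORA-01031 and the attempt lands in the Database Vault audit trail.
-- Caveat: a realm blocks system privileges only; an account holding a direct object grant
-- on an HR table still gets through, so review those grants as part of the rollout.
```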
  • 21. Oracle Database Firewall: First Line of Defense
    • Monitor DB activity to prevent unauthorized DB access, SQL injections, privilege or role escalation, illegal access to sensitive data, etc., according to Security Policies
    • SQL grammar analysis for Firewall activities (allow, log, alert, substitute, block)
    • Scalable architecture provides enterprise performance in all deployment modes
    • Built-in and custom compliance reports for SOX, PCI, and other regulations
    • Whitelists or blacklists consider time of day, day of week, network, application, etc.
    • (Diagram: Applications, Policies, Built-in Reports, Custom Reports, Alerts; actions Block, Log, Allow, Alert, Substitute)
  • 22. Fastest high volume DB Security Machine: brings Security Policies into production with Exadata
    • Zero impact 11g R2 TableSpace Encryption
    • Secure high volume Network Traffic Encryption
    • Fastest real-time SQL analyzer, hacker resistant
    • Compliant data center consolidation
    • Sensitive Data Warehouse access control
  • 23. Customers in Vertical Industries
  • 24. Oracle DB Security cross-industry EECIS: Banking, Telecommunications, Public Sector, Retail, Utilities, other, Insurances; CIPS
  • 25. Case Study – Public Sector Romania: DB Vault, Advanced Security
    • Business challenge:
      • Nation-wide project with confidential data
      • The business drivers are regulations and preventive concepts
      • DB Security part of a larger project
      • Customer expects to ensure the confidentiality of stored data, in transfer and storage, while preventing unauthorized access from privileged accounts
    • Oracle solution:
      • Customer in Public Sector bought DB Vault and Advanced Security in Nov 2009
      • Products are used on all servers
      • Customer also uses Oracle IdM Access Manager for web access control
      • Oracle gained a strong vendor position at the customer with a significant footprint for Enterprise Security
    • Results:
      • From the business point of view, the use of Advanced Security and DB Vault facilitates the reduction of risks like information theft or leaks, fraudulent alterations of data, and bad publicity
      • From the technical point of view, the solution will have to protect all private data used by key applications
      • Implementation will be done by an Oracle Partner, with 1 year left for finishing the project
      • Customer does not take reference calls or visits
  • 26. Case Study – Telecom in Central Europe: DB Vault, Advanced Security
    • Business challenge:
      • Drivers: big gap between IT and Business; bring Business processes to IT and develop relevant IT services
      • Project start in 2007: Service Order management - Tower; merger of 2 Telecom companies; Integrated Order Management (IOM) based on SIEBEL
      • IT recognized that SIEBEL is not enough… (much logic needs to be implemented at the level of integration, processes, custom apps)
      • Data security is crucial; security violations as a business driver to invest in Security solutions
      • Customer Data Security & Compliance requirements (ISO27001 compliance regulation relevant for Telco)
      • Partner: Accenture
    • Oracle solution:
      • Oracle technology on site: DB, IAS, SOA Suite 10 (first major adoption of SOA in this country)
      • FMW stack + DB EE, Partitioning, RAC, Advanced Security, DB Vault, Diag, Tun, Config packs in Dec 2009
      • Managed systems: IOM based on SIEBEL
      • Oracle is trusted technology vendor (Presales) and advisor of the Eastern European ICCC Competence Center Bratislava
      • Sales process: long-term relationships with Enterprise Architect, DB admin, Development unit managers and senior developers, etc.; good cooperation between partner and Oracle ASR
    • Results:
      • Pilot release of implementation in progress
      • DB Vault and ASO Encryption to protect and encrypt the sensitive customer data Siebel CRM is running on
      • The success of the implementation is the only criterion which may lead to the next phase of the project
      • Delivery of project by Oracle partner Accenture
      • Customer is not taking reference calls or visits
  • 27. Case Study – Bankart Financial Services: DB Vault, Audit Vault
    • Business challenge:
      • Bankart is the largest Credit Card processing company in Slovenia
      • PCI Compliance was a business demand
      • CIO started an internal project to reach PCI compliance in one year
      • Avoiding costs and simplifying the audit reporting
    • Oracle solution:
      • Customer bought Audit and Database Vault in May 2009
      • All Production and Test systems are managed by the DB Sec component, together with MS SQL Server as one Audit source
      • Platform is HP-UX, Oracle 10gR2, MS SQL 2005
      • Other DB Sec products (Advanced Security - TDE, Conf. Mgm. Packs) are still under evaluation
    • Results:
      • Reaching PCI compliance is expected from the business point of view
      • Technically, Bankart decided for an Oracle-centric PCI approach
      • Project started in June 2009, first phase (change of an application, use of DB Vault and set-up of Audit Vault) until 2010
      • Internal IT together with local security partner OSI
      • Customer has published a snapshot story and is available for reference calls and visits
  • 28. Case Study – Bank in Munich, Germany: Advanced Security and DB Vault for SAP HR
    • Business challenge:
      • The customer wanted to protect SAP HR data against unauthorized access
      • The customer wanted to comply with internal security policies
      • It was an HR project, so the HR department was the sponsor
      • There was an SAP re-organization project and data privacy was an important part of this project
      • Only authorized HR employees should have access to HR data. Privileged users like DBAs, network administrators and system administrators shouldn't be able to access the HR data
    • Oracle solution:
      • The customer purchased Oracle Advanced Security and Oracle Database Vault to prevent unauthorized access to sensitive HR data in August 2009
      • It is one of the first “DB Vault for SAP” implementations worldwide
      • A 10-CPU SUN Solaris system is now protected with Oracle Advanced Security and Oracle Database Vault; both products are certified for SAP R/3
    • Results:
      • Customer is compliant with internal security policies (regulations)
      • Only authorized HR employees have access to HR data. Privileged users like DBAs, network administrators and system administrators aren't able to access the HR data
      • An Oracle Partner was involved as consulting firm and system integrator; the solution is implemented and works with SAP
      • The customer is not taking reference calls
  • 29. Case Study – ApoBank Germany: DB Vault and ASO for ODB based ISV HR
    • Business challenge:
      • Business drivers: to centralize highly sensitive HR data on fewer servers for cost savings and more efficiency in HR processes; to protect this type of sensitive HR data containing salary info, transparently to the HR application
      • No segregation of duties before: DB administration and HR had the same rights to copy, change or delete data
      • Target to strictly split access rights; only HR can see the data
    • Oracle solution:
      • Customer has 2,000 employees across Germany
      • DB Vault and Advanced Security Option purchased in 2008
      • Partner MT AG involved in implementation
      • Oracle Encryption works application-transparently, i.e. without any change to the HR system running on Oracle Database
    • Results:
      • DB Vault supports segregation of duties and enables logging of all changes in the data schema; DBAs can manage but can't see data
      • ASO Advanced Security Option includes Encryption; ASO encrypts data on disk (incl. back-ups) and in motion for data traveling on the network, safe against insider threats: nobody can modify or copy sensitive HR data
      • Cost savings achieved based on server consolidation for centralized HR data and secure HR process optimization
      • The customer is taking reference calls and visits
  • 30. Case Study – CMC Markets, Financial Services UK: DB Vault and ASO for E-Business Suite HR
    • Business challenge:
      • The customer is focused on providing access to online trading markets across the globe
      • The key business driver: ensure the customer's reputation by keeping customer and salary data confidential against insider threats
      • To comply with vertical-industry-specific regulations in financial services
      • Simplify the audit process by providing a secure audit infrastructure
    • Oracle solution:
      • Oracle DB Vault, Advanced Security Option and Audit Vault purchased in 2008
      • This is the first EBS customer in Europe with DB Security
      • DB Security in production with RAC (Real Application Clusters), EBS (E-Business Suite) incl. HR data, and Oracle Database 10g
    • Results:
      • Segregation of Duties has been achieved according to Security policies and vertical industry regulations
      • Protection of the privacy of sensitive data: customer data, and employee data such as salary information
      • The customer is taking reference calls and visits
  • 31. Case Study – Bank in Ukraine: DB Vault for Flexcube
    • Business challenge:
      • The banking customer is concerned about the risk of unauthorized access by privileged users to sensitive banking information
      • The bank intends to bring its system into compliance with existing and newly emerging regulations as well as industry best practices
      • The solution must provide flexible, transparent and highly adaptable security controls that require no application changes
    • Oracle solution:
      • Customer bought Oracle Database Vault in January 2010 as a first step in its Security initiative
      • DB Vault provides powerful security controls for protecting banking applications and sensitive data
      • Oracle Database Vault protects the core banking system Oracle Flexcube on a server with 12 CPUs
      • The next steps under consideration are Advanced Security and Audit Vault, to bring the system to the highest security level
    • Results:
      • Oracle Database Vault provides a transparent solution for mitigating the risk of insider threats and complying with regulations
      • Oracle Database Vault restricts ad-hoc database changes and enforces controls over how, when and where the most sensitive application data can be accessed
      • The proposed solution must be fully implemented within three months after the new core banking system is launched
      • To adopt Oracle Database Vault technologies, the customer is working with Oracle’s local partner
  • 32. Conclusions
  • 33. Conclusions: how to protect Data at the Source?
    • Logical bundle „preventive“: Advanced Security, DB Vault, Data Masking Pack
    • Extend to „detective“ solutions: Audit Vault, DB Firewall
  • 34. Vertical Industry Security E2E: Strategic Vertical Value
    • Public Sector: DB Security part of Public Sector tenders to fit EU Data Privacy Regulations and avoid Security Threats. DB Vault, Audit Vault, Data Mask and Advanced Security for DB SaaS/Cloud and for encrypting backups and masking non-production testing data.
    • Financial Services and Retail: vertical industry regulations such as PCI require DB Security in the context of Credit Card payments. DB Vault, Audit Vault, Advanced Security, Data Masking & DB Firewall for defense-in-depth security for Oracle DB.
    • Utilities and other industries: Oracle end-to-end Security, DB Security, plus Identity and Access Management plus Applications Security.
    • Communications: DB Security fits Siebel CRM projects. DB Vault, Advanced Security and Data Mask to ensure that sensitive customer data can only be accessed by authorized staff.
  • 35. michael.buerger@oracle.com