Copyright © 2013, Oracle and/or its affiliates. All rights reserved. Oracle Confidential Restricted
Security Inside Out
Latest Innovations in Oracle Database 12c
Marcin Kozak
Security Architect
Oracle Polska
„Security Inside Out: Latest Innovations in Oracle Database 12c” Marcin Kozak, Information Security Architect, Oracle Polska

Published on: Plug into the Cloud with Oracle Database 12c, 27.06.2013
  • To give this presentation, please watch ‘How to Position and Sell Database Security 12c Training’ here: http://oukc.oracle.com/static12/opn/login/?t=checkusercookies%7Cr=-1%7Cc=1271896458
  • Verizon Data Breach Investigations Report 2012: http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf. Key points: make the case for the importance of database security; 98% of records stolen were taken directly from database servers. 84% of records breached were obtained using stolen credentials, i.e. attackers who got hold of usernames and passwords and used them to compromise additional servers within the organization (this can also be tied to Identity Management solutions). 71% fell within minutes; a common attack is to use SQL injection to quickly compromise the web application tier and extract data directly from the database. 92% of the data breaches were discovered by a third party; at this point ask the audience how they would know if they were compromised. The final point to emphasize is that 97% of the breaches were avoidable with basic controls, which sets up the later discussion of preventive, detective, and administrative security controls.
  • http://www.bloomberg.com/news/2012-07-26/china-hackers-hit-eu-point-man-and-d-c-with-byzantine-candor.html (use this slide in EMEA)
  • http://joelbrenner.com/america-the-vulnerable/#excerpt and http://joelbrenner.com/wordpress/wp-content/uploads/2011/09/AMERICA_THE_VULNERABLE_JOEL_BRENNER_EXCERPT.pdf (use this slide for NATO audiences to tie in to the Embrace the Base campaign around Joel Brenner's book)
  • http://blogs.rsa.com/rivner/anatomy-of-an-attack
  • http://www.oracle.com/us/corporate/analystreports/infrastructure/forrester-thlp-db-security-1445564.pdf
  • Encryption prevents database bypass and provides the foundation on which to build security controls within the database (strong authentication and network encryption are now part of the core database for all editions).
  • Key point to communicate: this new product provides customers the operational flexibility to deploy the monitoring they need based on the sensitivity and security requirements of their databases. Key features include:
    – Monitor and control database activity on the network. The firewall can allow, log, alert, substitute and block SQL statements on the network.
    – The firewall uses a SQL grammar analysis engine for high performance and accuracy, an approach that is superior to 1st generation database firewalls that relied on regular expressions.
    – Prevent SQL injections, unauthorized database access, misuse of database privilege.
    – Capture and log database interactions on the network for forensic analysis and compliance reporting.
    – Consolidate database audit data from Oracle and non-Oracle databases into a secure centralized repository.
    – Consolidate audit data from Microsoft Active Directory and Solaris.
    – Consolidate application-specific audit data.
    – Detect and alert on suspicious activities, including by privileged users.
    – Out-of-the-box compliance reports for SOX, PCI, and other regulations.
    – Streamline audits: report generation, notification, attestation, archiving.
  • Customer references (http://www.oracle.com/us/products/database/security/customers-186772.html):
    – T-Mobile USA (subsidiary of Germany-based Deutsche Telekom) provides wireless voice and data communications services throughout the US. Industry: Telecommunication; Employees: 35,000; Revenue: $21 billion. Challenge: had the biggest phone company breach in 2009, when an employee stole personal details of thousands of mobile phone customers and sold them to rivals; ongoing concern about insider threat and data breaches. Solution: Oracle Database, non-Oracle databases; Oracle Database Firewall, Oracle Advanced Security, Oracle Data Masking. Result: detected unauthorized database activity by an insider during the DBFW POC; other solutions did not detect the threat and were not as accurate or easy to deploy; developing a complete database security strategy based on Oracle products.
    – Columbia University, Ivy League university. Industry: Education & Research. Challenge: internal requirements to protect Oracle PeopleSoft data. Solution: Oracle PeopleSoft, Oracle Database 1g and Oracle Advanced Security. Result: encrypted sensitive PII in the PeopleSoft application, on disk and in backups.
    – ETS develops, administers and scores more than 50 million assessment tests annually in more than 180 countries, at over 9,000 locations worldwide. Industry: Education; Employees: 25,000 worldwide; Revenue: $1 billion. Challenge: must address PCI DSS and ensure privacy of student data; non-profit, needs to keep costs low, and addresses security “just in time”. Solution: Oracle Database; Oracle PeopleSoft and custom applications; Oracle Advanced Security, Oracle Data Masking, Oracle Database Vault. Result: deployed TDE for sensitive columns with the 10g upgrade several years back; upgrading to 11g and moving to tablespace encryption; deploying Oracle Data Masking for non-production environments; starting to plan for Database Vault.
    – Diamond Resorts International (DRI) is a vacation ownership company, allowing persons to purchase a real estate interest in 71 managed resorts and 137 affiliated resorts in 28 countries with over 27,000 guest beds. Industry: Hospitality; Employees: 4,553 worldwide; Revenue: $30M. Challenge: need to become SOX compliant in preparation for a planned IPO; IT auditors need weekly and monthly reports that would be time consuming to produce. Solution: Oracle E-Business Suite, Oracle Audit Vault. Result: deployed Oracle Audit Vault in one month; collecting the EBS database audit trail, using client_identifier to report on end-user activity and the redo collector for before/after values; scheduled reports are generated and automatically sent to auditors, who attest and archive.
    – Sabre Holdings. Challenge: Solution: Result:
    – BBVA Compass. Challenge: Solution: Result:
    – TransUnion Interactive. Challenge: Solution: Result:
    – SquareTwo Financial is a leader in the $100 billion asset recovery and management industry through its award-winning PartnerNetwork, used by Fortune 500 companies in the banking, credit card, and health care industries. Industry: Financial Services; Employees: 500; Revenue: $230M. Challenge: fast growth, need to scale and accelerate all aspects of the business; need to comply with the same regulations as their customers, security critical. Solution: Oracle Exadata and Exalogic; Oracle Database Firewall, Oracle Data Masking, Oracle Advanced Security. Result: addressed compliance and development quickly with Oracle Database Firewall, Oracle Data Masking and Oracle Advanced Security/TDE.
    – St. Jude Medical develops medical technology and services for cardiac rhythm management, atrial fibrillation, cardiovascular and neuromodulation. Industry: Healthcare; Employees: 16,000 worldwide; Revenue: $5.6 billion. Challenge: global expansion and need for increased security of patient data; subject to privacy regulations worldwide and concerned about brand; must limit access to sensitive data and protect data privacy; needs defense-in-depth for all databases globally. Solution: Oracle Advanced Security, Oracle Database Vault, Oracle Data Masking, Oracle Audit Vault, Oracle Database Firewall. Result: deployed Oracle Database Firewall with no database/application changes; deploying all solutions based on a database security strategy.
    – Orbitz Worldwide is a leading global online travel company that owns and operates a strong portfolio of consumer and corporate travel brands worldwide. Industry: Travel; Employees: 1,600 in 20 countries; Revenue: $767 million. Challenge: consolidating Oracle databases on Exadata Database Machines; subject to PCI DSS compliance, so must encrypt credit card data at rest; must limit privileged database user access to sensitive data; wants to use database realms to mitigate risks introduced by consolidation. Solution: Oracle Exadata Database Machine; Oracle Advanced Security; Oracle Database Vault. Result: encrypted data at rest with no application change or impact on performance; limited privileged user access to application data and stored procedures.
    – National Marrow Donor Program: Be the Match. Challenge: Solution: Result:
    – Cornell University is an Ivy League school serving 20,000 undergraduate and graduate students. Industry: Education & Research; Employees: 14,000; Revenue: $2.8 billion. Challenge: had a highly publicized breach in 2009 due to a developer’s stolen laptop; needed to provide the regents with a plan to ensure this never happens again; decided that developers should not test with production data. Solution: Oracle PeopleSoft; Oracle Database, Oracle Data Masking. Result: used Oracle Data Masking to generate test databases without sensitive data; Data Masking proved accurate enough to enable application testing; sensitive data never leaves the secure production environment.
    1. (title slide; no text beyond the copyright footer)
    2. The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle. Release timing for Oracle Database 12c is planned for Calendar Year 2013.
    3. Security Inside Out: Latest Innovations in Oracle Database 12c. Marcin Kozak, Security Architect, Oracle Polska
    4. Billions of Database Records Breached Globally: 97% of Breaches Were Avoidable with Basic Controls
       • 98% of records stolen from databases
       • 84% of records breached using stolen credentials
       • 71% fell within minutes
       • 92% discovered by a third party
    5. Targets Increasing as Attacks Evolve: DBAs, OS admins, developers, multiple copies of the data, etc. “You don’t bother to just simply hack the organization and its infrastructure; you focus much more of your attention on hacking the employees….” (Uri Rivner, CTO, RSA (Security Division of EMC), Anatomy of an Attack)
    6. Why are Databases so Vulnerable? 80% of IT Security Programs Don’t Address Database Security (Forrester Research). Program areas shown: Network Security, SIEM, Endpoint Security, Web Application Firewall, Email Security, Authentication & User Security, Database Security. “Enterprises are taking on risks that they may not even be aware of. Especially as more and more attacks against databases exploit legitimate access.”
    7. Oracle Database Security Solutions: Defense-in-Depth for Maximum Security
       • PREVENTIVE: Encryption, Redaction and Masking, Privileged User Controls
       • DETECTIVE: Activity Monitoring, Database Firewall, Auditing and Reporting
       • ADMINISTRATIVE: Sensitive Data Discovery, Configuration Management, Privilege Analysis
    8. Defense-in-depth overview repeated from slide 7 (section divider).
    9. Oracle Advanced Security: Encryption is the Foundation. Preventive Control for Oracle Databases
       • Transparent data encryption
       • Prevents access to data at rest
       • Requires no application changes
       • Built-in two-tier key management
       • “Near Zero” overhead with hardware
       • Integrations with Oracle technologies, e.g. Exadata, Advanced Compression, ASM, Golden Gate, DataPump, etc.
       Diagram labels: Disk, Backups, Exports, Off-Site Facilities, Applications.
    10. Oracle Advanced Security: Redaction of Sensitive Data Displayed. Preventive Control for Oracle Database 12c
       • Real-time sensitive data redaction based on database session context
       • Library of redaction policies and point-and-click policy definition
       • Consistent enforcement, policies applied to data
       • Transparent to applications, users, and operational activities
       Diagram: credit card numbers 4451-2172-9841-4368, 5106-8395-2095-5938, 7830-0032-0294-1827 pass through a redaction policy; the Call Center Application receives xxxx-xxxx-xxxx-4368 while the Billing Department receives 4451-2172-9841-4368.
    11. Oracle Data Masking: Masking Data for Non-Production Use. Preventive Control for Oracle Databases
       • Replace sensitive application data
       • Referential integrity detected/preserved
       • Extensible template library and formats
       • Application templates available
       • Support for masking data in non-Oracle databases
       Diagram: Production table (LAST_NAME, SSN, SALARY): AGUILAR, 203-33-3234, 40,000; BENSON, 323-22-2943, 60,000. Masked copy for Non-Production (Dev, Test): ANSKEKSL, 323-23-1111, 60,000; BKJHHEIEDK, 252-34-1345, 40,000.
    12. Database Vault: Privileged User Controls. Preventive Control for Oracle Databases
       • Limit DBA access to application data
       • Multi-factor SQL command rules
       • Realms create protective zones
       • Enforce enterprise data governance, least privilege, segregation of duties
       • Out of the box application policies
       Diagram: realms around the Procurement, HR and Finance schemas; a DBA issuing select * from finance.customers against the Finance realm; roles shown: Applications, Application DBA, Security DBA, DBA.
    13. Oracle Label Security: Label Based Access Control. Preventive Control for Oracle Databases
       • Virtual information partitioning for cloud, SaaS, hosting environments
       • Classify users and data using labels
       • Labels based on business drivers
       • Automatically enforced row level access control, transparent to applications
       • Labels can be factors in other policies
       Diagram: Transactions, Report Data and Reports labelled Public, Confidential or Sensitive.
    14. Defense-in-depth overview repeated from slide 7 (section divider).
    15. Oracle Audit Vault and Database Firewall: Database Activity Monitoring and Firewall. Detective Control for Oracle and non-Oracle Databases
       • Monitors network traffic, detects and blocks unauthorized activity
       • Highly accurate SQL grammar analysis
       • Can detect/stop SQL injection attacks
       • Whitelist approach to enforce activity
       • Blacklists for managing high risk activity
       • Scalable secure software appliance
       Diagram: SQL from Apps and Users passes through SQL Analysis with Whitelist, Blacklist and Policy Factors; outcomes: Allow, Log, Alert, Substitute, Block.
    16. Oracle Audit Vault and Database Firewall: Audit, Report, and Alert in Real-Time. Detective Control for Oracle and non-Oracle Databases
       • Centralized secure repository delivered as secure, scalable software appliance
       • Powerful alerting: thresholds, group-by
       • Out-of-the box and custom reports
       • Consolidated multi-source reporting
       • Built-in fine grain segregation of duties
       Diagram: audit data and event logs from Databases, OS & Storage, Directories, Oracle Database Firewall and Custom sources feed Policies, Built-in Reports, Custom Reports and Alerts, consumed by the Security Analyst, Auditor and SOC.
    17. Oracle Audit Vault and Database Firewall: New Solution for Oracle and Non-Oracle Databases. Diagram: Users and Applications pass through the Database Firewall (Allow, Log, Alert, Substitute, Block) to the databases; Firewall Events and Audit Data (from databases, OS, directory, file system and custom audit logs) flow into Audit Vault, which drives Policies, Built-in Reports, Custom Reports and Alerts for the Security Analyst, Auditor and SOC.
    18. Defense-in-depth overview repeated from slide 7 (section divider for Configuration Management and the other administrative controls).
    19. Oracle Database 12c Enterprise: Discover Use of Privileges and Roles. Administrative Control for Oracle Database 12c
       • Turn on privilege capture mode
       • Report on actual privileges and roles used in the database
       • Helps revoke unnecessary privileges
       • Enforce least privilege and reduce risks
       • Increase security without disruption
       Diagram: Privilege Analysis of Create…, Drop…, Modify… operations against the DBA role and the APPADMIN role.
    20. Oracle Enterprise Manager 12c: Discover Sensitive Data and Databases. Administrative Control for Oracle Database 12c
       • Scan Oracle for sensitive data
       • Built-in, extensible data definitions
       • Discover application data models
       • Protect sensitive data appropriately: encrypt, redact, mask, audit…
    21. Oracle Database Lifecycle Management: Configuration Management. Administrative Control for Oracle Databases (Discover, Scan & Monitor, Patch)
       • Discover and classify databases
       • Scan for best practices, standards
       • Detect unauthorized changes
       • Automated remediation
       • Patching and provisioning
    22. Defense-in-depth overview repeated from slide 7.
    23. Oracle Database Security Solutions: Customers Worldwide Rely on Oracle
       • SquareTwo Enables Fast Growth with Oracle Database Solutions: SquareTwo enables fast growth and regulatory compliance with Oracle Database security defense-in-depth solutions including Oracle Database Firewall, Oracle Data Masking, and Oracle Advanced Security
       • National Marrow Donor Program Database Defense-in-Depth: NMDP secures life-saving patient and donor data with Oracle Advanced Security, Oracle Database Vault, and Oracle Data Masking
       • T-Mobile Protects 35 Million Subscribers Using Oracle: T-Mobile explains how they use Oracle Database Firewall, Oracle Advanced Security, and Oracle Data Masking to secure sensitive data across the organization in both Oracle and non-Oracle databases
       • TransUnion Interactive Uses Database Firewall for Compliance: hear how TransUnion Interactive protects customer data and meets regulatory compliance with database activity monitoring using Oracle Database Firewall
       • ETS Complies with PCI DSS Using Oracle Advanced Security: Educational Testing Service secures personally identifiable information (PII) and complies with regulatory requirements with Oracle Advanced Security
    24. Oracle Database Security Solutions: Summary. Simple and Flexible; Enterprise Ready; Security and Compliance; Speed and Scale
    25. Oracle Database Security Resources: www.oracle.com/database/security
       • Data Sheets
       • Whitepapers
       • Webcasts
       • Case Studies
       • Events
       • News
       • and more…
    26. Q&A
    27. (no text beyond the copyright footer)
    28. Safe harbor statement repeated verbatim from slide 2.
    29. (no text beyond the copyright footer)
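The redaction scenario on slide 10 (the call center sees xxxx-xxxx-xxxx-4368, the billing department sees the full number) written as an Oracle Data Redaction policy; this is an added example, not material from the deck. It assumes a schema BILLING owning a table CUSTOMERS with a VARCHAR2 column CC_NUM, an existing call-center application user CALLCENTER_APP, and EXECUTE on DBMS_REDACT for whoever creates the policy; the table and its rows are constructed sample data.

```sql
-- Constructed sample data (assumption: schema BILLING, column CC_NUM holds dddd-dddd-dddd-dddd values).
CREATE TABLE billing.customers (
  cust_id NUMBER PRIMARY KEY,
  cc_num  VARCHAR2(19)
);
INSERT INTO billing.customers VALUES (1, '4451-2172-9841-4368');
INSERT INTO billing.customers VALUES (2, '5106-8395-2095-5938');
INSERT INTO billing.customers VALUES (3, '7830-0032-0294-1827');
COMMIT;

-- The call-center application only needs SELECT; the policy, not the grant, decides
-- what it gets to see. (Assumption: user CALLCENTER_APP already exists.)
GRANT SELECT ON billing.customers TO callcenter_app;

-- Partial redaction policy, evaluated by the database on every query, so neither
-- application needs changing:
--   function_parameters: input format  VVVVFVVVVFVVVVFVVVV (V = digit that may be masked,
--                                                          F = fixed separator, the dash)
--                        output format VVVV-VVVV-VVVV-VVVV
--                        mask character 'x' applied to digits 1..12, leaving the last four visible
--   expression: redaction applies whenever this evaluates to TRUE, i.e. for every session
--               except the billing department's own database user.
BEGIN
  DBMS_REDACT.ADD_POLICY(
    object_schema       => 'BILLING',
    object_name         => 'CUSTOMERS',
    column_name         => 'CC_NUM',
    policy_name         => 'redact_cc_outside_billing',
    function_type       => DBMS_REDACT.PARTIAL,
    function_parameters => 'VVVVFVVVVFVVVVFVVVV,VVVV-VVVV-VVVV-VVVV,x,1,12',
    expression          => 'SYS_CONTEXT(''USERENV'',''SESSION_USER'') <> ''BILLING''');
END;
/

-- The identical statement is issued by both consumers; the two outcomes on the slide
-- come from the session context alone: connected as BILLING the expression is FALSE
-- and the stored value is returned, connected as CALLCENTER_APP it is TRUE and
-- digits 1..12 are replaced by 'x' with the last four kept.
SELECT cust_id, cc_num FROM billing.customers ORDER BY cust_id;

-- Control check an auditor would run: confirm the column is actually covered by an
-- enabled policy and inspect the condition under which it fires.
SELECT object_owner, object_name, policy_name, expression, enable
  FROM redaction_policies
 WHERE object_owner = 'BILLING';
```

Redaction is a presentation-layer control: SYS and users granted EXEMPT REDACTION POLICY bypass it, and WHERE-clause predicates still evaluate against the real stored values, so it complements Database Vault realms and encryption rather than replacing them.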
