Partner Webcast - Oracle Database Security Inside-Out - Part 1: Advanced Security and Database Vault
Businesses not only have to protect sensitive information, but also monitor access to sensitive information for both compliance and potential threats. Avoid risky third-party solutions, and leverage the full potential of the #1 Database with 33 years of security innovations to safeguard data where it lives - in the database.

In two webcasts we explore Oracle's comprehensive database security and compliance solutions.
Part 1: Advanced Security and Database Vault - 04 April 2013
Part 2: Audit Vault and Database Firewall (AVDF) - 11 April 2013
Find out more at https://blogs.oracle.com/imc/entry/partner_webcasts_oracle_database_security

Partner Webcast - Oracle Database Security Inside-Out - Part 1: Advanced Security and Database Vault Presentation Transcript

  • 3. Oracle Database – Advanced Security and Database Vault
    Tarek Salama, DB Options Specialist - A&C Technology Adoption Office MEA
    Copyright © 2012, Oracle and/or its affiliates. All rights reserved.
  • 4. Program Agenda
    – Database Security Defense in Depth
    – Oracle Database Advanced Security Option: Network Encryption; Transparent Data Encryption (TDE)
    – Oracle Database Vault: Privileged user access control; Prevent Application Bypass
    – Q&A
  • 5. What's Driving the Need For Security? A bring-your-own-device culture requires a proactive approach: applications and data anytime, anywhere.
  • 6. A Variety of Security Solutions are deployed (endpoint, physical, application, email and network security, authentication and user security, vulnerability management, and others), BUT still: over 1B records compromised over the past 6 years; 174M compromised records in 2011 alone; 96% of attacks were not highly difficult (+4%); 85% of breaches took weeks or more to discover (+6%); 97% of breaches were avoidable through simple or intermediate controls (+1%). Source: Verizon, 2012 Data Breach Investigations Report.
  • 7. What do customers want from security?
  • 8. Customers Want Protection… Enterprise IS NOT Vulnerable; Privacy IS NOT Violated; Compliance IS Achieved & Demonstrated; Minimized Costs & Effort.
  • 9. What is a customer's most Valuable Asset? INFORMATION
  • 10. Information Is Data. Two-thirds of sensitive and regulated information now resides in databases … and is doubling every two years. (Examples: classified government information, trade secrets, competitive bids, plans, corporate credit cards, source code, HR data, bug database, customer data, citizen data, financial data.) 48% of data breaches caused by insiders; 89% of records stolen using SQL injection; 86% of hacking used stolen credentials. Source: Verizon, 2007-11 & IDC, "Effective Data Leak Prevention Programs: Start by Protecting Data at the Source", August 2011.
  • 11. IT Security is a $35B Market Today. Data Security IS a Top Priority. Source: Forrester: The Evolution Of IT Security, 2010 To 2011, April 2011.
  • 12. Business Drivers for Data Security (Technology, Organization, Management: Manage Risks, Control Costs, Plan for Growth)
    Security Concerns: rising security threats and incidents; increasing quantity of stored data; evolving technology infrastructures; continuous organizational changes.
    Compliance Issues: multiple regulations, geographies, and jurisdictions to deal with; periodic updates and revisions; expanding scope of regulations.
  • 13. Database Security Defense In Depth
  • 14. Oracle Database Security Solutions: Defense-in-Depth for Maximum Security
    PREVENTIVE: Encryption; Redaction and Masking; Privileged User Controls
    DETECTIVE: Activity Monitoring; Database Firewall; Auditing and Reporting
    ADMINISTRATIVE: Privilege Analysis; Sensitive Data Discovery; Configuration Management
  • 16. Oracle Database Security Platform
    PREVENTIVE: Transparent Data Encryption, Privileged User Controls, Multi-Factor Authorization, Data Classification, and Change Tracking. Maximum Security for Oracle Databases: Oracle Advanced Security; Oracle Database Vault; Oracle Label Security; Oracle Total Recall.
    DETECTIVE: Database Activity Auditing and Reporting, SQL Traffic Monitoring and Blocking, Real-Time Alerting. Security for Oracle and non-Oracle Databases Outside the Database: Oracle Audit Vault and Database Firewall.
    ADMINISTRATIVE: Secure Configuration Scanning, Automated Patching, Configuration Change Control, Workflow Automation, Sensitive Data Discovery, Data Masking. Security for Production and non-Production Database Environments: Oracle Database Lifecycle; Oracle Enterprise Manager; Oracle Data Masking.
  • 17. Oracle Database Advanced Security Options: Product Overview
  • 18. Only 30% Prevent Non-Database Users from Seeing or Tampering with Data at the OS Level. (Survey question: Is personal identity information (e.g., social security, credit card, national identifier numbers) stored in your databases encrypted?)
  • 19. Only 22% Encrypt All Backups and Exports. (Survey question: Do you encrypt all your online and offline database backups and exports?)
  • 20. Evolution of Oracle Advanced Security: Oracle 9i: Network Encryption & Strong Authentication; Oracle 10g: Column TDE & Wallet Key Management; Oracle 11g: Tablespace TDE & Hardware Acceleration & Exadata Optimizations.
  • 21. ASO Overview
  • 22. Oracle Advanced Security: Protect Data from Unauthorized Database Users (disk, backups, exports, off-site facilities, application)
    • Prevents "database by-pass" with complete end-to-end data encryption
    • Efficient application data encryption without application changes
    • Built-in key management with separation of duties
    • High performance and easy to deploy
  • 23. Transparent Data Encryption: Encryption Key Architecture. The Master Key is held in a Hardware Security Module or an Oracle Wallet (Standard Wallet, Auto-Open Wallet, or Local Auto-Open Wallet); it encrypts the Tablespace Key used by TDE Tablespace Encryption and the Table Key used by TDE Column Encryption.
  • 24. Oracle Advanced Security: Transparent Data Encryption for Columns
    – Support for all column types, including Oracle Database 11g SecureFile
    – Data is cached encrypted in the SGA
    – Decrypted only when you dereference it, encrypted every time you modify it
    – Indexing supported, but the index is indexing encrypted data (not sorted!)
    – Encryption keys are table specific, which means foreign key constraints cannot be enforced
    – Undo and Redo generated are encrypted
  • 25. Oracle Advanced Security: Transparent Data Encryption for Tablespaces
    – All tables in the Tablespace are encrypted – no need to identify specific columns
    – Data encrypted at block level as written out to disk, decrypted when read in
    – Data is cached in the SGA unencrypted
    – Index contains 'clear text' (blocks are encrypted) so no limitations on index use
    – Encryption keys are Tablespace specific – foreign key constraints can be enforced
    – Undo and Redo generated are encrypted
  • 26. Oracle Advanced Security: Transparent Data Encryption for Media (disk, backups, exports, off-site facilities)
    – TDE integrated with Oracle Data Pump for bulk export/import to OS flat files
    – TDE integrated with Oracle RMAN for database backup and recovery
    – RMAN and Data Pump compress and encrypt data
    – Master Key, passphrase, or both can be used to encrypt export and backup files – no need to distribute the production master key with exports or backups
    – Master key is not automatically backed up with the database
  • 27. Oracle Advanced Security: Transparent Data Encryption Performance
    Oracle Database Enterprise Edition 11.2.0.2, AES-256, processing rate in MB per CPU second: encryption 57 on Intel Xeon Processor X5570 w/o Intel® IPP vs. 559 on Intel Xeon processor X5680 w/ Intel® IPP (10x speedup); decryption 58 vs. 468 (8x speedup).
    – "Encrypting data is expensive" is a myth (started with bad third party solutions!)
    – Incremental CPU ~5%, with 10x speed-up if cryptographic hardware is available
    – Incremental CPU reduced even more if using Oracle Advanced Compression or Exadata Hybrid Columnar Compression (EHCC) – if the compression ratio is 75%, we have to encrypt 75% less data!
  • 28. Oracle Advanced Security: Database Traffic Network Encryption
    – Network traffic entirely encrypted to prevent "man in the middle" attacks – AES, RSA RC4, and DES/3DES
    – Data integrity checksums prevent modification, replay, missing packet, etc. – MD5 and SHA-1
    – No infrastructure changes required, point-and-click implementation
  • 29. Oracle Advanced Security: Transparent Data Encryption Built-In Key Management
    Create a wallet and generate the master key:
        alter system set key identified by "e3car61";
    Open the wallet:
        alter system set wallet open identified by "e3car61";
    Rotate the master key (table/tablespace keys are re-encrypted):
        alter system set key identified by "2naf1sh";
    Rotate table/tablespace keys (data is re-encrypted):
        alter table employee rekey;
    (Diagram: the Master Key lives in an Oracle Wallet or, via the PKCS #11 API, in an HSM; the Table and Tablespace Keys live in the database.)
    – Generate, store, and rotate encryption keys
    – Two-tier key management architecture: Table and Tablespace keys are used to encrypt data (stored in the database for performance); the Master key is used to encrypt the Table and Tablespace keys
    – Master key is stored in an External Security Module (outside the database): Oracle Wallet (PKCS #12 file) or Hardware Security Module (HSM), which meets FIPS & Common Criteria requirements using the PKCS #11 API
    – Separation of duties: the wallet password is separate from the SYSTEM or DBA password
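The two TDE modes from slides 24 and 25 and the key operations from slide 29, put together as one Oracle Database 11g script. This is an added example, not code from the deck or from Oracle; the wallet passwords, the datafile path and the HR_APP schema are placeholders, and it assumes the wallet location is already set in sqlnet.ora.

```sql
-- Added example (not from the slides). Assumes ENCRYPTION_WALLET_LOCATION is
-- configured in sqlnet.ora and the session holds ALTER SYSTEM, CREATE
-- TABLESPACE and CREATE ANY TABLE. Passwords, paths and HR_APP are placeholders.

-- 1. One-time setup: create the wallet and master key, then open the wallet.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "<wallet-password>";
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "<wallet-password>";

-- 2. Tablespace TDE (slide 25): every block written to this tablespace is
--    encrypted, data is clear text in the SGA, and indexes, range scans and
--    foreign keys work exactly as on an unencrypted tablespace.
CREATE TABLESPACE hr_enc
  DATAFILE '/u01/oradata/ORCL/hr_enc01.dbf' SIZE 100M
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

CREATE TABLE hr_app.employees (
  emp_id NUMBER PRIMARY KEY,
  name   VARCHAR2(100),
  ssn    VARCHAR2(11)
) TABLESPACE hr_enc;

-- 3. Column TDE (slide 24): only the named columns are encrypted, with a
--    per-table key. NO SALT is required if the column is to be indexed; the
--    index then holds ciphertext, so it serves equality lookups only.
--    emp_id stays in clear text because a foreign key cannot be enforced on
--    an encrypted column.
CREATE TABLE hr_app.payroll (
  emp_id     NUMBER REFERENCES hr_app.employees (emp_id),
  account_no VARCHAR2(34) ENCRYPT USING 'AES256' NO SALT,
  salary     NUMBER       ENCRYPT USING 'AES256'
);
CREATE INDEX hr_app.payroll_acct_ix ON hr_app.payroll (account_no);

-- 4. Verify what is actually protected before declaring the rollout done.
SELECT owner, table_name, column_name, encryption_alg, salt
  FROM dba_encrypted_columns;             -- column keys in use
SELECT ts#, encryptionalg, encryptedts
  FROM v$encrypted_tablespaces;           -- tablespace keys in use
SELECT wrl_type, status
  FROM v$encryption_wallet;               -- STATUS must be OPEN

-- 5. Rotation (slide 29). Rotating the master key only re-encrypts the table
--    and tablespace keys, so it is cheap and can be routine; REKEY rewrites
--    the column data itself and should be planned as a maintenance window.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "<new-wallet-password>";
ALTER TABLE hr_app.payroll REKEY USING 'AES256';
```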
  • 30. Oracle Advanced Security: Strong Authentication (X.509 v3, Kerberos)
    – TDE returns clear text data to authenticated, authorized database users
    – Critical to protect against stolen credentials & increase assurance of database user identities, especially privileged application users and DBAs
    – Strong authentication schemes supported: Kerberos, PKI & RADIUS (for one-time password tokens, risk-based authentication, etc.)
  • 31. Encryption is the Foundation Preventive Control for Oracle Databases. Oracle Advanced Security: Transparent data encryption; Prevents access to data at rest (disk, backups, exports, off-site facilities, applications); Requires no application changes; Built-in two-tier key management; "Near Zero" overhead with hardware; Integrations with Oracle technologies e.g. Exadata, Advanced Compression, ASM, Golden Gate, DataPump, etc.
  • 32. Summary of Oracle Advanced Security: Key Points to Remember
    – Secure – Protects sensitive data against a range of threats
    – Compliant – Accelerates compliance projects requiring encryption
    – Transparent – Transparent to existing applications
    – Fast – Offers high-speed cryptographic performance
    – Easy – Installed with the database, has built-in key management
    – Standards-Based – Follows accepted encryption standards
    – Battle-Tested – Used for years by thousands of Oracle customers on diverse systems across multiple industries
  • 33. Oracle Database Vault: Product Overview
  • 34. 76% Have No Preventive Controls on Privileged Database Users or Are Unsure. (Survey question: Can you prevent DBAs & other privileged database users from reading/tampering with sensitive information in financial, HR, or other business applications?)
  • 35. Three-Fourths Don't Have Safeguards To Prevent Accidental Harm to Databases. (Survey question: Any safeguards preventing a database administrator from accidentally dropping a table or unintentionally causing harm to critical application databases?)
  • 36. Managing Database Users and Security. (Diagram: roles – Senior DBA, Junior DBA, Security Admin, Application user – against tasks: Tuning, Recovery, Backup, Patch, Install, Create Security Policies to protect data, Managing DBA Accounts, Create and manage Database Users.)
  • 37. Enforce Application Security Controls: Oracle Database Vault to enforce privileged user access. (Diagram: Security DBA, Application DBA and DBA; Procurement, HR and Finance applications; select * from finance.customers.)
    – Automatic and customizable DBA separation of duties and protective realms
    – Enforce who, where, when, and how data is accessed using rules and factors: enforce least privilege for privileged database users; prevent application by-pass and enforce enterprise data governance
    – Securely consolidate application data or enable multi-tenant data management
  • 38. Oracle Database Vault: Privileged User and Operational Controls. (Diagram: Procurement, HR and Finance applications; DBA issuing select * from finance.customers.)
    • Limit default powers of privileged users
    • Enforce policy rules inside the database
    • Violations audited, secured and sent to Oracle Audit Vault
    • No application changes required
  • 39. Prevent Application Bypass: Classify Data and Users to Automate Access Control. (Diagram: Sensitive Transactions, Confidential Report Data, Public Reports; labels Confidential and Sensitive.)
    • Classify users and data based on business drivers
    • Database enforced row level access control
    • User classification through Oracle Identity Management Suite
    • Classification labels can be factors in other policies
    • No application changes required
  • 40. Oracle Database Vault Realms. (Diagram: Security DBA, Application DBA and DBA; Procurement, HR and Finance applications; select * from finance.customers.)
    • Realms are protection zones (firewalls) inside the database to protect application data
    • Use realms to control the use of system privileges to specific accounts or roles
    • Default realms to address database governance
    • Out-of-the-box realms to protect popular Oracle and non-Oracle applications
  • 41. Oracle Database Vault: Strong Operational Controls Inside the Database. (Diagram: Procurement, HR and Finance applications.)
    • Rules to control how users can execute almost any SQL statement inside the database
    • Command rules can take into account built-in and custom factors (numerous built in)
    • Command rules can be system-wide, schema specific, and object specific
    • Out-of-the-box command rules for Oracle and non-Oracle applications
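A realm (slide 40) and a command rule (slide 41) built around the deck's "select * from finance.customers" scenario, as an added example that is not Oracle's or the presenter's code. FINANCE, CUSTOMERS and the FIN_APP application account are placeholder names; the DBMS_MACADM calls are the Database Vault 11g administration API, run by a user holding the DV_OWNER role.

```sql
-- Added example (not from the slides). Run as a DV_OWNER account after
-- Database Vault is enabled. FINANCE / CUSTOMERS / FIN_APP are placeholders.
BEGIN
  -- 1. Realm (slide 40): a protection zone around the Finance schema. System
  --    privileges such as SELECT ANY TABLE stop working against realm objects;
  --    only accounts authorized in the realm keep access. Failed attempts are
  --    audited, which is the realm-violation event slide 42 reports on.
  DVSYS.DBMS_MACADM.CREATE_REALM(
    realm_name    => 'Finance Realm',
    description   => 'Protects the FINANCE application schema',
    enabled       => DVSYS.DBMS_MACUTL.G_YES,
    audit_options => DVSYS.DBMS_MACUTL.G_REALM_AUDIT_FAIL);

  -- Protect every object in the schema rather than one table, so a DBA cannot
  -- reach the same rows through a view, a synonym or a later-created table.
  DVSYS.DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'Finance Realm',
    object_owner => 'FINANCE',
    object_name  => '%',
    object_type  => '%');

  -- Only the application account may use its privileges inside the realm.
  -- PARTICIPANT (not OWNER) keeps it from handing out realm-protected roles.
  DVSYS.DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'Finance Realm',
    grantee       => 'FIN_APP',
    rule_set_name => NULL,
    auth_options  => DVSYS.DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);

  -- 2. Command rule (slide 41): a realm only restrains system privileges, so
  --    the schema owner could still DROP its own tables (the accident slide 35
  --    asks about). Binding DROP TABLE on FINANCE.% to the default 'Disabled'
  --    rule set, which always evaluates to false, denies it for every account.
  DVSYS.DBMS_MACADM.CREATE_COMMAND_RULE(
    command       => 'DROP TABLE',
    rule_set_name => 'Disabled',
    object_owner  => 'FINANCE',
    object_name   => '%',
    enabled       => DVSYS.DBMS_MACUTL.G_YES);
END;
/

-- 3. Verify. From a DBA session that is not a realm participant, the deck's
--    query now fails with ORA-01031 and a realm-violation audit row is written.
SELECT * FROM finance.customers;

-- Review what is enforced and who is authorized (the entitlement view that
-- slide 42's compliance reports are built from).
SELECT realm_name, owner, object_name, object_type
  FROM DVSYS.DBA_DV_REALM_OBJECT WHERE realm_name = 'Finance Realm';
SELECT realm_name, grantee, auth_options
  FROM DVSYS.DBA_DV_REALM_AUTH WHERE realm_name = 'Finance Realm';
SELECT command, object_owner, object_name, rule_set_name, enabled
  FROM DVSYS.DBA_DV_COMMAND_RULE WHERE object_owner = 'FINANCE';
```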
  • 42. Oracle Database Vault: Alerts and Reports (Separation of duties; Multi-factor access; Alerts/Reports. Diagram: Procurement, HR and Finance applications.)
    • Generate audit events on realm violations and command rule exceptions
    – Demonstrate compliance using built-in reports for realms, command rules, and entitlements such as who has the DBA role
    – Integrated with Oracle Audit Vault and Oracle Enterprise Manager for near real time alerting and monitoring
  • 43. Oracle Database Vault: Out-of-the-Box Policies, Protection For Oracle and non-Oracle Application Data (Oracle E-Business Suite 11i / R2, PeopleSoft Applications, Siebel, i-Flex, JD Edwards EnterpriseOne, SAP, Infosys Finacle)
    – Pre-built policies include realms and command rules
    – Prevent DBA from accessing application data
    – Prevent privileged users from tampering with application objects
    – Complements application security
    – Transparent to existing applications
    – Customizable
    Oracle Notes: 852482.1, 1195205.1, 207959.1
  • 44. Summary of Database Vault: Key Points to Remember
    – Enforces – Trusted paths to application data
    – Isolates – Consolidated apps from each other and prevents privilege escalation
    – Enables – Outsourcing backend operations without giving access to data
    – Secures – Application data in the cloud
    – Consolidation – Results in multiple privileged accounts in a single database
    – Restricts – Ad-hoc access to application data by preventing application bypass with multi-factor policies
    – Addresses – Compliance with regulatory requirements that call for separation of duties and least privilege
  • 45. Separation of Duties is the Foundation. Database Vault: Limit DBA access to application data; Multi-factor SQL command rules; Realms create protective zones; Enforce enterprise data governance, least privilege, segregation of duties; Out of the box application policies. (Diagram: Security DBA, Application DBA and DBA; Procurement, HR and Finance applications; select * from finance.customers.)
  • 46. ASO And DBV Value Proposition
    Value to Customer: Enforcing regulations compliance & standards; Effective prevention of unauthorized, intentional or unintentional, database operations; Prevent privileged user access to application data based on IP, application type, and time of day; Protecting against internal & external threats; End-to-end enterprise security from one vendor – no support issues, staff already familiar; Enforce real time access controls.
    Value to Partner: Minimize costs of offering compliance services; Reduction of Managing Multiple Solutions per Application; Out-of-the-box functionalities reduce solutions complexity & enhance flexibility; Ease of deployment & High availability of expertise; Proven, efficient, future-proof from one single vendor; Certified, out-of-the-box policies for leading applications; Increased competitiveness/revenues by protecting the end user's data and reputation.
  • 47. Security Future Extensions – Security Improvements
    – Block database bypass at the Operating System
    – Migrate keys between wallet and
    – Automatic backup of wallets
    – Wallet storage directly in Oracle File System
    – Installation by default
    – New roles for backup, key management, and auditing
    – Simplified authorizations for day to day DBA tasks
  • 48. Oracle Database Security: Partner Support and Resources
  • 49. Oracle Database Security Partner Resell Requirements
    • OPN member at Gold+ in good standing
    • Acceptance into Oracle Database Knowledge Zone
    • Valid Oracle Full Use Program Distribution Agreement
    • NO competency or specialization requirements
    http://www.oracle.com/partners/en/knowledge-zone/database/database-021468.htm
  • 50. OPN "Security" Specialization
    Business Criteria (Required): Customer References – 3; # Of Transactions* (Resell, Non-Commission Co-sell, or Referral) – 2.
    Competency Criteria (Required): Oracle Database 11g Security Sales Specialist – 2 (recommended training: Oracle Database 11g Security Sales Specialist); Oracle Database 11g Security PreSales Specialist – 2 (recommended training: Oracle Database 11g Security PreSales Specialist); General Product Support Assessment (v3.0) or Oracle Database 11g Security Technology Support Specialist – 1 (Oracle Database 11g Security Technology Support Specialist acceptable: count before March 1, 2013 - valid until March 1, 2014; recommended training: Oracle Database 11g Security Technology Support Specialist); Oracle Database 11g Security Certified Implementation Specialist, Oracle Database 11g Security Essentials (1Z0-528) – 1 (recommended training: Oracle Database 11g Security Implementation Specialist).
  • 51. For More Information
    http://www.oracle.com/us/products/database/security/overview/index.html
    http://www.oracle.com/partners/en/knowledge-zone/database/database-021468.htm
    search.oracle.com "database security" or oracle.com/database/security
  • 52. Key Take Away & Next Steps
  • 53. Database Security Inside Out: Database 11g Value
    – The industry's most advanced & proven technology to safeguard data where it lives.
    – Ensure data privacy & integrity.
    – Effectively protect against insider threats.
    – Enable regulatory compliance & meet regulatory mandates.
    – Easy to integrate - No changes to applications required.
  • 54. Thank You! tarek.salama@oracle.com