Your SlideShare is downloading. ×
  • Like
Talk IT_ Oracle_김상엽_110822
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×

Now you can save presentations on your phone or tablet

Available for both IPhone and Android

Text the download link to your phone

Standard text messaging rates apply

Talk IT_ Oracle_김상엽_110822

  • 614 views
Published

 

Published in Education , Technology , Business
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
    Be the first to like this
No Downloads

Views

Total Views
614
On SlideShare
0
From Embeds
0
Number of Embeds
0

Actions

Shares
Downloads
7
Comments
0
Likes
0

Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide

Transcript

  • 1. © 2011 Oracle Corporation
  • 2. <Insert Picture Here>Protect Your Most Sensitive DataBuild a Maximum Security ArchitectureRyan Kim | Senior Manager, Technology Readiness and Developer Program 2
  • 3. The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle‘s products remains at the sole discretion of Oracle.© 2011 Oracle Corporation 3
  • 4. Agenda • Data Security Trends • How Are Threats Getting In? • What is Maximum Security Architecture • Oracle Solutions Mapped to MSA • Summary • Q&A© 2011 Oracle Corporation 4
  • 5. More data than ever… Growth Doubles Yearly 1,800 Exabytes 2006 2011Source: IDC, 2008© 2011 Oracle Corporation Oracle Confidential 5
  • 6. More breaches than ever… Data Breach Once exposed, the data is out there – the bell can’t be un-rung PUBLICLY REPORTED DATA BREACHES 400 300 630% Increase 200 100 Total Personally Identifying Information Records Exposed 0 (Millions) 2005 2006 2007 2008 Average cost of a data breach $202 per record Average total cost exceeds $6.6 million per breachSource: DataLossDB, Ponemon Institute, 2009 © 2011 Oracle Corporation Oracle Confidential 6
  • 7. More threats than ever… 70% attacks originate inside the perimeter 90% attacks perpetrated by employees with privileged access© 2011 Oracle Corporation Oracle Confidential 7
  • 8. More regulations than ever… • Federal, state, local, industry…adding more mandates every year! • Need to meet AND demonstrate compliance • Compliance costs are unsustainable ? Report and audit 90% Companies behind in complianceSource: IT Policy Compliance Group, 2007. © 2011 Oracle Corporation 8
  • 9. Compliance • 현행 개인정보 보호 법률 체계 구분 개별 법률 적용대상 소관부처 공공 부문 공공기관의 개인정보보호법 공공기관 행정안전부 민간 정보통신 정보통신망법 정보통신서비스제공자 방송통신위원회 부문 금융/신용 신용정보법 신용정보 제공/이용자 금융위원회 • 개인정보 보호법 ( 2011년 9월 시행) • 온라인/오프라인 상관없이 모든 업종에 걸쳐 적용. 공공기관의 • 정보통신망법과 신용정보법은 그대로 유지. 공공 개인정보보호법 개 • 정보통신망법과 신용정보법이 통신사업자와 인 금융기관에 먼저 적용되고 동 법률들에서 규정하지 않는 조항에 대해 개인정보 보호법이 적용됨 통신 정 정보통신망법 보 • 정보통신망법의 적용을 받던 통신 사업자이외의 준용사업자는 모두 망법 에서 삭제되고 개인정보 보 보호법의 직접 적용을 받음 금융 호 신용정보법 법 기타© 2011 Oracle Corporation 9
  • 10. Higher Costs Than Ever… • User Management Costs • User Productivity Costs • Compliance & Remediation Costs • Security Breach Remediation Costs $ It Adds Up© 2011 Oracle Corporation 10
  • 11. Biggest Barrier to Cloud Computing Adoption? Security! 74% 74% rate cloud security issues as ―very significant‖ Source: IDC© 2011 Oracle Corporation 11
  • 12. • Data Security Trends • How Are Threats Getting In? • What is Maximum Security Architecture • Oracle Solutions Mapped to MSA • Summary • Q&A© 2011 Oracle Corporation 12
  • 13. Over 900M Breached Records Resulted from Compromised Database Servers Type Category % Breaches % Records Database Server Servers & Applications 25% 92% Desktop Computer End-User Devices 21% 1% Verizon 2010 Data Breach Investigations Report© 2011 Oracle Corporation 13
  • 14. SQL Injection Attacks Against Databases Responsible for 89% of Breached Data • SQL injection is a technique for controlling responses from the database server through the web application • It can‘t be fixed by simply applying a patch, tweaking a setting, or changing a single page • SQL injection vulnerabilities are endemic, and to fix them you have to overhaul all your code. ―The versatility and effectiveness of SQL Injection make it a multi-tool of choice among cybercriminals.‖ Verizon 2010 Data Breach Investigations Report© 2011 Oracle Corporation 14
  • 15. 66% Organizations Vulnerable to SQL Injection Attacks Taken steps to prevent SQL injection attacks? 2010 IOUG Data Security Survey Report© 2011 Oracle Corporation 15
  • 16. Traditional Security Solutions Leave Data within Databases Vulnerable Key Loggers Malware SQL Injection Espionage Spear Phishing Botware Social Engineering Database Applications Database Users and Administrators Maximum Security Architecture Protects Your Most Sensitive Area: Your Data© 2011 Oracle Corporation 16
  • 17. • Data Security Trends • How Are Threats Getting In? • What is Maximum Security Architecture • Oracle Solutions Mapped to MSA • Summary • Q&A© 2011 Oracle Corporation 17
  • 18. Maximum Security Architecture Safeguards your Information Technology environment at every layer, leaving no weak link Infrastructure Security • Network Security • Hardware Security • OS / Firmware Security • Virtualization Security Database Security Identity Management • User Provisioning • Role Management Information • Entitlements Management Infrastructure • Risk-Based Access Control • Virtual Directories Databases Applications Information Rights Content Management • Track and Audit Document Usage Today we will focus on Maximum DATA • Control & Revoke Document Access • Secured Inside or Outside Firewall Security Architecture for the Database tier • Centralized Policy Administration© 2011 Oracle Corporation Oracle Confidential 18
  • 19. Maximum Data Security Architecture 1. Perimeter Defense 2. Monitoring Detect & Audit Mis-use Reverse Secure & Undo Configuration Damage 3. Access Control Privileged Multi-factor User Authorization Controls 4. Encryption & Masking Mask Data Encrypt Used in Dev. Data In- Protect Data & Testing Transit Backups© 2011 Oracle Corporation 19
  • 20. Oracle Configuration Management Vulnerability Assessment & Secure Configuration Discover Classify Assess Prioritize Fix Monitor Asset Configuration Policy Vulnerability Analysis & Management Management Management Management Analytics & Audit REQUIREMENTS: 1. Discovers Databases, OS, Hosts, remote end-points, apps & apps servers 2. Continuous scanning vs. 375+ best practices & industry standards, extensible 3. Detect, prevent and roll-back unauthorized configuration changes real time 4. Change management compliance reports 5. Platform & vendor agnostic© 2011 Oracle Corporation 20
  • 21. Detection & Auditing Against Mis-use Automated Activity Monitoring & Audit Reporting HR Data ! Alerts Built-in CRM Data Reports Audit Data Custom ERP Data Reports Policies Databases Auditor REQUIREMENTS: 1. Automated Oracle and non-Oracle database activity monitoring 2. Detect and alert on suspicious activities 3. Out-of-the box compliance reports 4. Custom forensic reports 5. Centralized management of audit policies (SOX, custom, etc.)© 2011 Oracle Corporation 21
  • 22. Reverse and Undo Damaged Data Secure Change Tracking select salary from emp AS OF TIMESTAMP 02-MAY-09 12.00 AM‗ where emp.title = ‗admin‘ REQUIREMENTS: 1. Transparently track data changes 2. Efficient, tamper-resistant storage of archives 3. Real-time access to historical data 4. Simplified forensics and error correction 5. Ability to roll-back and undo damaged records, eliminating problems© 2011 Oracle Corporation 22
  • 23. Separation of Duties Privileged User Access Control and Multifactor Authorization Procurement DBA HR Application Finance select * from finance.customers REQUIREMENTS: 1. Keep privileged database users from abusing their powers 2. Address Separation of Duties requirements 3. Enforce security policies and block unauthorized database activities 4. Prevent application by-pass to protect application data 5. Securely consolidate application data 6. Requires no application changes© 2011 Oracle Corporation 23
  • 24. Prevent Unauthorized Insider Access Data Classification for Access Control Sensitive Transactions Confidential Report Data Public Reports Confidential Sensitive REQUIREMENTS: 1. Classify users and data based on business drivers 2. Database enforced row level access control 3. Users classification through Oracle Identity Management Suite 4. Classification labels can be factors in other policies 5. Certified with Oracle Database and is application agnostic© 2011 Oracle Corporation 24
  • 25. Encrypt Sensitive or In-transit Data Comprehensive Standards-Based Encryption Disk Backups Exports Off-Site Facilities REQUIREMENTS: 1. Transparent data at rest encryption 2. Data stays encrypted when backed up 3. Encryption for data in transit 4. Strong authentication of users and servers 5. Certified with Oracle Database© 2011 Oracle Corporation 25
  • 26. Securely Backup & Store Data Archives Integrated Tape or Cloud Backup Management REQUIREMENTS: 1. Secure data archival to tape or cloud 2. Easy to administer key management 3. Fastest Oracle Database tape backups 4. Leverage low-cost cloud storage© 2011 Oracle Corporation 26
  • 27. Mask data used in development & test Irreversible De-Identification Production Non-Production LAST_NAME SSN SALARY LAST_NAME SSN SALARY AGUILAR 203-33-3234 40,000 ANSKEKSL 111—23-1111 60,000 BENSON 323-22-2943 60,000 BKJHHEIEDK 222-34-1345 40,000 REQUIREMENTS: 1. Remove sensitive data from non-production databases 2. Referential integrity preserved so applications continue to work 3. Sensitive data never leaves the database 4. Extensible template library and policies for automation 5. Supports heterogeneous Database envrionments© 2011 Oracle Corporation 27
  • 28. Application of MSA to Safeguard your Data Recap of how to secure your business’ most valuable asset Encryption and Masking Encrypt Sensitive & In-transit Data Protect Data Back-ups Mask Data for Dev. & Testing Use Access Control Control Privileged Users Multi-factor Authorization Auditing and Monitoring Secure Configurations Encryption & Masking Detect and Audit Mis-use Reverse and undo Damage Access Control Auditing & Monitoring Blocking and Logging Blocking & Logging Perimeter Defense© 2011 Oracle Corporation 28
  • 29. • Data Security Trends • How Are Threats Getting In? • What is Maximum Security Architecture • Oracle Solutions Mapped to MSA • Summary • Q&A© 2011 Oracle Corporation 29
  • 30. Oracle Solutions Mapped to MSA Integrated products to deliver MSA capabilities for your Databases Encryption and Masking Encryption and Masking Encrypt Sensitive & In-transit Data Advanced Security Option Protect Data Back-ups Secure Back-up Mask Data for Dev. & Testing Use Data Masking Pack Access Control Access Control Control Privileged Users Database Vault Multi-factor Authorization Label Security Auditing and Monitoring Auditing and Monitoring Secure Configurations Configuration Management Pack Detect and Audit Mis-use Audit Vault Reverse and undo Damage Total Recall Blocking and Logging Blocking and Logging Perimeter Defense Database Firewall© 2011 Oracle Corporation 30
  • 31. Daewoo Securities Protecting Against Insider Threats • Internal threats are major concern in Daewoo Securities. Several major companies in Korea have experienced data leaks Business • Daewoo Securities had granted a high number of access Challenges privileges to super users, such as IT administrators. • Non standard security solutions to protecting the company data • Oracle Database Solution • Oracle Database Vault • Oracle Advance Security • Protected confidential HR data from being accessed by privileges users such as IT administrators, while ensuring Business Results they could still login to systems to complete their jobs • Enhance information protecting by encrypting data in the database and whenever it leaves the repository© 2011 Oracle Corporation 31
  • 32. Dongguk University Automated Audit Data Collection, Improved Security, Reduced Costs with Reporting • Students use the system to manage their profiles and timetables online while teachers and staff use it to organize course details and Business other important administrative tasks. One of the most important Challenges parts of the deployment was the rollout of an auditing system to provide control over user privilege rights and strengthen security. • Oracle Database Solution • Oracle Real Application Clusters • Oracle Audit Vault • Automated the collection and consolidation of audit data, which lowered the risk of insider security threats • Provided audit controls which verified that only the authorized application user was performing the specified database tasks Business • Made the auditing process easy by providing useful information Results such as user name, corresponding IP addresses, and role in the application • Allowed reports and audit policy functions to be viewed on screen, eliminating the cost and time associated with completing manual audits© 2011 Oracle Corporation 32
  • 33. Cornell University Masks all sensitive data used for testing, training and development in their PeopleSoft environment • Ensure reliable access to operational and academic systems Business across a decentralized IT environment, including PeopleSoft Challenges applications and a Blackboard learning system • Implemented Enterprise Manager to automate monitoring the university‘s IT infrastructure—including databases, middleware, and servers—saving time for IT managers and increasing Solution transparency across the IT infrastructure • Deployed Data Masking Pack as a component within Enterprise Manager (EM) to protect sensitive student info. • Data Masking obfuscated all sensitive data from PeopleSoft environments used for testing, training, and development Business • EM enabled Cornell to be more proactive as an IT department— Results preventing or resolving performance problems before they‘re noticed, and in anticipating the needs of students, faculty and staff© 2011 Oracle Corporation 33
  • 34. • Data Security Trends • How Are Threats Getting In? • What is Maximum Security Architecture • Oracle Solutions Mapped to MSA • Summary • Q&A© 2011 Oracle Corporation 34
  • 35. Oracle Database Security Solutions Fits the Maximum Data Security Architecture framework • Comprehensive – single vendor addresses all your requirements • Transparent – no changes to existing applications or databases • Easy to deploy – point-n-click interfaces deliver value within hours • Cost effective – integrated solutions reduce risk and lower TCO • Proven – #1 Database with over 30 years of info security innovation! Perimeter Auditing and Access Encryption Security Monitoring Control & Masking • Database Firewall • Audit Vault • Database Vault • Advanced Security • Total Recall • Label Security • Secure Backup • Configuration • Identity • Data Masking Management Management© 2011 Oracle Corporation 35
  • 36. Part of an End-to-End Security Solution Data Security is a key part of the overall Maximum Security Architecture that covers your entire IT spectrum Infrastructure Security Database Security Identity Management Information Infrastructure Information Rights Management Databases Applications© 2011 Oracle Corporation Oracle Confidential 36
  • 37. Oracle Security Customers are everywhere Financial Services Transportation & Services Manufacturing & Technology Telecommunication Public Sector Retail Oracle Confidential© 2011 Oracle Corporation 37
  • 38. Because Oracle is #1 and Most Secure Microsoft 18.1% Other 12.6% IBM 20.7% Oracle 48.6% ―Most DBMS vendors offer basic security features; Oracle‘s offering is most comprehensive.‖Source: Gartner DataQuest, 2008; Forrester Database Security Market Report, 2009 © 2011 Oracle Corporation 38
  • 39. © 2011 Oracle Corporation 39
  • 40. © 2011 Oracle Corporation 40