Most successful businesses will take a proactive approach to safeguard their databases. Based upon the value of the assets and the risk to the database, we recommend multilayered database governance strategy that can help counter sophisticated attacks whether from inside or from outside, and meet compliance regulations at the same time.We recommend multiple controls: first, administrative controls that help you discover sensitive data, and apply very basic security and improve the processes within the company, second, detective controls which allow you to track what is being done to your databases and the related infrastructure, and monitor them, and then third preventive controls prevent the attacks, and block the threats that can lead to a data breach.Let's go into each of them one by one, and see what you can offer to your customers. This type of database governance model also allows you to do consultative selling to the customers, and recommending a path which they can then implement.
We now move towards the preventive pillar that prevents sensitive data from falling into wrong hands.The first one is data redaction, which redact sensitive data as it goes out of the database to the application users. This is very useful scenarios such as call center or partner applications where you want to redact the sensitive data for certain users without having to change the application. With Oracle data redaction, the data inside the database stays exactly how it is, but based upon policies declared within the database, it can redact data on the fly both fully and partially based upon the compliance requirements. For example in this case, the application was earlier sending the Social Security number to the call center team. The application still remains the same, but with Oracle Data Redaction, the first five digits of the Social Security numbers have been redacted for specific users. As the date of birth was also considered very sensitive, the entire date was also redacted. Oracle data redaction applies to production systems, and is very unique innovation of Oracle database, the first in the industry. Oracle Data Redaction is part of Oracle Advanced Security, and even though it was introduced in 12c, it is going to be made available for 11gR2 customers, allowing you to target your current installed base.Now moving to threat from the Operating system side. Many regulations require customers to encrypt their data. We offer Transparent Data Encryption that encrypt data within the database without any changes to your application. We support both column level as well as full tablespace level encryption ensuring that if there are any threats at the Operating system level, your sensitive data is secure. We take advantage of hardware cryptographic acceleration to reduce the performance overhead to almost negligible.The third big risk customers have is from DBAs or hackers who have compromised privileged users. Database Vault is most well known for ensuring that DBAs can continue to do their regular administrative job, but not be able to look at sensitive application tables or entire application. Database Vault goes much beyond that also including multi-factor authorization ensuring that access is only allowed under certain conditions, controlling user management, controlling role management, and enforcing proper Separation of Duty, a key requirement driven by many regulations. It is very useful for cloud, consolidation, Exadata, or where there many DBAs, junior or senior, or privileged applications running on the database. DV has been certified with dozens of Oracle and non Oracle applications.The 4th big risk to data comes when production data is copied to test and development environments, which are typically poorly protected. These activities are also typically outsourced, and thus increasing the risk of data breaches. With oracle Data Masking, we can mask or convert the data into similar looking but very different data from the original, and thus taking the system out of scope from the audit checks.Thus Oracle offers a complete set of preventive controls.
So, we now go to the second control pillar: the detective and monitoring pillar. Here, you first see your users and applications interacting with your database, whether it is Oracle, MySQL, Microsoft, Sybase, or IBM DB2. If we can monitor and control the traffic into the database, they can have a very effective control from outside the databases. Just like your regular network firewall that monitors the traffic to your enterprise in data center, a database firewall monitors all the database traffic between the users and the applications going to the databases, analyzes the traffic, allowing authorized traffic to go forward, logging the sensitive traffic, raising alerts if necessary, substituting unauthorized SQL statements with harmless ones, or even blocking them from even reaching the database. By allowing only white list traffic to go through, we are able to block SQL injection traffic from even reaching the database, and thus limiting the damage from users on the web.This we do with a highly accurate and highly performant SQL grammar-based technology, something very unique to Oracle. As this supports both Oracle and non-Oracle databases, this would enable you to reach out to the security teams within your customer base and propose a much broader enterprisewide solution.To complement the network-based database activity monitoring and blocking, we also collect the audit data whether they are coming from the databases directly, or even from the supporting infrastructure whether operating systems, directories, filesystems, or even custom audit logs to give your customers a full view of the activity within the database, whether that activity was due to a SQL statement sent by a user or application directly, or whether it was due to an internal job, or stored procedure which is not going to be visible on the network alone.Once you get this entire data whether coming from the network or from the audit logs, the audit vault analyzes the data, raises alerts on any anomalous activity, and creates reports both out-of-the-box or custom for specific regulations. In addition, you can manage the entire system whether setting your firewalls or audit settings from one place.Thus, audit vault and database firewall gives you a full view of the activity of the database, and offer very strong detective controls, unsurpassed within the industry. We support many different flexible deployment models to meet customer IT requirements.
As we had discussed in the earlier slide on discovery, the first step here is to discover and classify your assets, analyze your data whether you have any sensitive data, which tables, which applications. Since many of the attacks are indeed done through the users exploiting their high privileges and roles, customers need to analyze that data to ensure that people and even applications have only appropriate roles and privileges needed, and no more, otherwise the compromise accounts can be used to create lot more damage. You can achieve this by using database vault in 12c and enterprise manager.And then as many of the attacks take advantage of unpatched systems, you can then make sure that the systems of properly patched on schedule after addressing conflicts if any.Many attacks also take advantage of improperly configured systems including open ports, weak password policies, improper file permissions, improper grants of roles and privileges, etc. EM Lifecycle Management allows you to scan your databases, monitor the drift, recommend changes, and create configuration compliance reports for all the databases in your network.So these are your administrative controls.
Innovations in Database
Database Security, Oracle