Copyright © 2013, Oracle and/or its affiliates. All rights reserved. Confidential — Oracle Restricted
Security Inside Out with Oracle Security Solutions
Stefan Jung; Security Sales Specialist
SAFE HARBOR STATEMENT
The following is intended to outline our general product direction. It is
intended for information purposes only, and may not be incorporated into any
contract. It is not a commitment to deliver any material, code, or functionality,
and should not be relied upon in making purchasing decisions.
The development, release, and timing of any features or functionality
described for Oracle’s products remains at the sole discretion of Oracle.
Recent Security Breaches
Causing significant financial and reputational losses
China / RSA
INCIDENT
• Theft of customer credit card data
• Phishing attack through suspicious external user
• Fraud through internal personnel
CAUSE
• Unencrypted credit card information
• Insufficient database access protection
• Installation of antivirus software via personnel
• Insufficient access protection for files and applications
• Trader with inappropriate access rights for specific applications
CONSEQUENCE
• Brand value dropped by factor 3
• Costs for the bank: USD 100 Mio.; in addition clients such as Lockheed Martin affected
• Loss: USD 7 Bn.
MITIGATION
• Surveillance / Monitoring
• Segregation of power
• Database encryption
• Access Monitoring via Risk and Fraud Detection
• Periodic revision of access rights
Vulnerability – Key Targets
32% Hacking of stolen login information
80% Stolen data from Web/App servers
96% Stolen data from DB servers
5% Abuse of access rights
94% Server attacks
3% Attacks on offline data
5% Attacks on file servers
Source: Verizon Data Breach Report 2012
Hot Topics for Corporations
TOP 5 Concerns
1. Data access via mobile devices
2. Access Control & Identity Management
3. Continuous Compliance matters
4. Client specific separation of data
5. Security standards & Certifications
Source: CSO Online Survey 2011
New challenges through IT innovation
Imperative for secure integration
• Social: Secure integration of social networks
• Mobile: Integration of mobile devices independent of location and time
• People: Integration of new partner networks
• Cloud: Secure, seamless integration of on-Premise Services into Cloud Services
• Data: Integration of data and events in real-time
Defense In Depth
What it means from Oracle's perspective
Dimensions of IT Security
A Layered Model
INFRASTRUCTURE, DATABASE, MIDDLEWARE, APPLICATION, INTERACTION
Information & Services
Selected Security Aspects
• Encryption of Storage and File Systems
• Server supported Encryption
• Secure Server Virtualisation and Partitioning
• Access Rights for OS
• Secure Integrity of OS
• Database Authentication
• Access Control
• Privileged User Controls & Segregation of Duties
• Activity Monitoring, Audit & Network Blockage
• Data Encryption & Masking
• Provisioning and Identity Administration
• Access Management
• Directory Services
• Identity Governance
• Platform Security Services
• Policy Management
• Risk & Fraud Management
• Segregation of Duties
• Risk & Compliance Management
• Configuration Management
• Transaction Control
• Forensic Analysis
• Secure external, outside-in communication
• Usage of Smartphones, Tablets etc.
• Integration of Devices
• Cloud Security
• Integration of Social Networks
Architecture & Governance
Oracle Security Portfolio
Defense in depth: INFRASTRUCTURE
Oracle Solution Components
• Solaris Role Based Access Control – granular provision of duties, according to respective assignment and integration into LDAP → Enforcement of functional separation within OS; even stronger with Trusted Solaris (Labeled Security).
• Solaris Zones, Immutable Zones – encapsulated, externally controllable runtime environment with limited privileges → Applications are not able to spy out data from each other within client-specific environments.
• Signed Software Packages – easy and secure integrity control of Operating System → Protects from infiltration of malicious code.
• ZFS – unlimited number of snapshots for data security and time travel → Traceability in case of changes, even on file level.
• ZFS, tape drive T10000-C with hardware crypto – hardware-supported, transparent encryption within file system → Data indecipherable from outside, even if storage location is known.
• SPARC CPUs – fastest and most versatile Crypto functionality. Sophisticated integration into Solaris, Java, OpenSSL, PKCS#11, Oracle TDE → High performance and transparent encryption for applications.
• SunRay & Oracle VDI – stateless, secure client system for desktop environments in vulnerable areas → no data on client; no security risks in case of loss or client exchange.
Oracle Security Portfolio
Defense in depth: DATABASE
Oracle Solution Components
• Database Vault: Segregation of Duties within DB. Authorized users only see 'their' data; Administrators don't have access to table content.
• Audit Vault & Database Firewall: Monitors and blocks unauthorized SQL traffic. Database activity is combined with detailed audit data; alerts can be defined for specific events. Auditing can be centralized across multiple databases.
• Label Security: Allows for classification of data and mediates access to it based on that classification. Data can be classified at field level, to ensure access for authorized users only.
• Advanced Security, Secure Backup: Strong Authentication within DB; encrypts all application data or specific sensitive columns → Protection of sensitive data (as required by various regulations); encryption of DB prevents theft of Backup.
• Data Masking: Masks data in DB and in transfer from one DB to another, e.g. from Production to Development → third-party developers are unable to see production data.
• Total Recall: Random time travel within data (irrespective of data changes or deletions) → allows access to any change history.
• Configuration Management: Best Practices for DB configuration; allows for online check and comparison of DB configurations → Database configuration, including security, always follows Best Practices.
Oracle Security Portfolio
Defense in depth: MIDDLEWARE
Oracle Solution Components
• Identity Governance: Identity, account and role lifecycle management, Attestation/Recertification, SoD, Management of privileged accounts, Reports on who has what rights, who has approved what etc., Self Services
  → Cost reduction and prevention of errors/problems via automated administration of accounts and access rights
  → Introduction of roles to simplify and automate assignments for specific task areas
  → Management of privileged accounts on an individualized basis → Traceability of changes or requests
• Access Management: granular, controllable authorizations; modeling of risks during access; integration into social networks & mobile applications (Apple, Android) → high quality user experience through SSO; SSO and authorizations are highly granular; SSO works beyond enterprise boundaries; measures to prevent risk & fraud can be integrated.
• Directory Services: Storage of users and devices via standard protocols; virtualized view across multiple data sources
  → central repositories as the basis for known users and devices, reusable in additional services → aggregation of existing repositories.
• Secure SOA: Protection and personalization of service calls
  → no unauthorized usage of services; traceable on a person-by-person level, if required.
Oracle Security Portfolio
Defense in depth: APPLICATION
Oracle Solution Components
• Comprehensive Compliance Management: Platform spans complete eBusiness Suite and allows modeling and enforcement of compliance controls on business level (controls "know" the business processes)
  → Savings on cost and time through enterprise-wide, central process management.
• Centralised Policy Administration: Policies can be extracted from the application (e.g. Siebel) and modeled via a rules engine
  → enterprise-wide, central management of policies.
• Access Management: only those functions can be executed that have been assigned to the respective user
  → Integration in a central Access Control and Identity Management platform: one platform for all services reduces costs and allows transparency. Automation reduces errors and simplifies compliance / audit trails.
• Track and Audit Content and Usage: Content lifecycle management; changes can be monitored – quality assurance processes can be established.
  → Logging of usage provides an audit trail (e.g. which user has retrieved what data).
Oracle Security Portfolio
Defense in depth: INTERACTION
Oracle Solution Components
• Mobile Service: Protection from calling device → iPhone, iPad and Android apps can be integrated natively.
• Social & Federation Service: Authentication via social networks (e.g. Facebook); Federations (e.g. governments, providers) can be accepted as authentication sources → New access channels like Facebook or other new, external services (e.g. booking robots) can be easily integrated.
• Oracle Access Gates: Verification of authentication and authorization occurs depending on type of call (dialogue, browser- or service-based) → only validated calls are passed along.
• Oracle Adaptive Access: During a call, examination for risks (e.g. device known / authentication strength sufficient / what is the geo location / are any calls critical etc.). Risk assessment and launch of respective risk measures, e.g. require additional authentication, cut off connection, reduce quantity of results → Access control depending on risk level allows for easy integration of new access channels and established services without additional programming.
• Cloud Security: Integrated within Cloud Services for users and privileges.
  → seamless usage of Cloud Services; controllable security.
Oracle Security Solutions
Benefits for our Customers
• Services to survey and evaluate existing security concepts help to identify gaps and determine requirements and priorities.
• Efficiency and cost savings can be realized by using integrated suite/platform approach → cost savings of > 45%, as compared to point solutions (Source: Aberdeen “Analyzing point solutions vs. platform”, 2011).
• Oracle invests on a continuous basis to broaden its security footprint and to correspond to new security requirements deriving from Cloud, Mobile or Social Applications.
• Support of regulatory compliance standards for audits, as well as risk and fraud detection.
• Open standards allow for integration into existing IT environments
• Oracle Security Portfolio is identified as 'leading' with all notable analysts, such as Gartner, Forrester & Kuppinger.
• A large number of references with different scale of implementation confirms the value deriving from Oracle's Security Portfolio.
Platform reduces Cost vs. Point Solutions
Aberdeen Study
48% Cost Savings
More Responsive 48%
Fewer Audit Deficiencies 35%
Benefits / Oracle IAM Advantage
Increased End-User Productivity
• Emergency access: 11% faster
• End user self service: 30% faster
Reduced Risk
• Suspend/revoke/de-provision end user access: 46% faster
Enhanced Agility
• Integrate a new app faster with the IAM infrastructure: 64% faster
• Integrate a new user role faster: 73% faster
Enhanced Security and Compliance
• Reduce unauthorised access: 14% fewer
• Reduce audit deficiencies: 35% fewer
Reduced Total Cost
• Reduce total cost of IAM initiatives: 48% lower
Source: Aberdeen “Analysing point solutions vs. platform” 2011
ORACLE Security Customers
ORACLE Managed Cloud Services
Aligned with the ISO 27000 Framework
• Security Organization
• Operations Management
• System Acquisition & Maintenance
• Security Policy
• Legal Compliance
• Human Resources Security
• Asset Management
• Physical & Environmental Security
• Incident Management
• Privileged Access Control
• Business Continuity & DR
Oracle Security Services
Successful implementation of sustainable security concepts
Consulting & Planning / Concept & Realisation / Provisioning / Operations & Maintenance / Analysis & Assessment
• Oracle Technology Assessments: 'As-Is' Assessment based on Maturity Model - Best Practice comparisons - Evaluation and development of adequate measures - Recommendations and further potential areas.
• Oracle Managed Services: Prepare operational concept, Operations@Oracle or @Customer, Standard and Premium Security Services
• Oracle Insight Workshop: Discovery of business goals and pains, Gap Analysis, development of a solution proposal based on concrete benefits, investment and costing / ROI
• Oracle Consulting: Consulting and support for complete Oracle Security Product Portfolio, based on specific customer requirements
Focus on DB technology and IAM strategy
Focus on Business Processes
Consulting, Realisation, Go-Live, Maintenance
Highly secure operations of Oracle technologies
Learnings from numerous client engagements
Key recommendations
1. Aspire to DEFENSE IN DEPTH
2. Work under the Principle of LEAST AUTHORIZATION
3. Put the Focus on DATA SECURITY
4. FEDERATE IDENTITIES – Work across corporate boundaries
5. Ensure SECURE WEB SERVICES
6. Establish secure MANAGEMENT OF SECURITY INFORMATION
7. Secure the complete AUDIT TRAIL
8. Conduct UPDATED ANALYSIS and provide proof of security threats
9. Provide SECURITY AS A SERVICE
APPENDIX
Database Security - Resources
Web Sites:
http://www.oracle.com/database/security
http://www.oracle.com/technetwork/database/security
Customer Success Stories:
http://www.oracle.com/goto/database/security-customers
Newsletter: Security Inside Out, Database Insider
Social Media:
LinkedIn Group: Database Insider
Twitter: Oracle Database
Blogs:
http://blogs.oracle.com/securityinsideout
http://blogs.oracle.com/databaseinsider
ORACLE IAM Security
INDUSTRY LEADERSHIP
User Provisioning Identity Governance Web Access Management
These graphics were published by Gartner, Inc. as part of a larger research document and should be evaluated in
the context of the entire document. Gartner does not endorse any vendor, product or service depicted in its
research publications, and does not advise technology users to select only those vendors with the highest ratings.
Gartner research publications consist of the opinions of Gartner's research organization and should not be
construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this
research, including any warranties of merchantability or fitness for a particular purpose.
30.000 Customers in 45 Countries