Securing Data in
Oracle Database 12c
Thomas Kyte
http://asktom.oracle.com/
Copyright © 2014, Oracle and/or its affiliates. All rights reserved. |
Safe Harbor Statement
The following is intended to outline our general product direction. It is intended for
information purposes only, and may not be incorporated into any contract. It is not a
commitment to deliver any material, code, or functionality, and should not be relied upon
in making purchasing decisions. The development, release, and timing of any features or
functionality described for Oracle’s products remains at the sole discretion of Oracle.
Security
• Oracle is very secure
• Therefore, we don’t need to be, it just happens
• Besides, it is not as important as having pretty screens after all.
• And if we add it later,
– I’m sure it’ll be non-intrusive
– And very performant
– And easy to do
Oracle Maximum Security Architecture
Core Components
(Diagram: apps and users in front of the protected databases. Advanced Security covers TDE, Data Redaction and Data Masking; Database Vault covers Privileged User Controls and Privilege Analysis; Database Firewall screens SQL traffic; Audit Vault collects audit data and event logs from databases, OS and storage, directories and custom sources, and applies policies to events to produce reports and alerts.)
Program Agenda
1. Transparent Data Encryption (TDE), Key Vault
2. Privilege Analysis
3. Database Vault
4. Database Firewall
5. Data Redaction, Data Masking, Fine Grained Access Control
6. Audit Vault
Advanced Security
Transparent Data Encryption (TDE)
Preventive Control for Oracle Databases
• SQL interface to key management
• *New* FIPS 140-2 mode (dbfips_140)
• Encrypts tablespaces or columns to secure data at rest
• Requires no application changes
• “Near zero” overhead with hardware
• Integrated with Oracle DB technologies
  – Log files, Compression, ASM, DataPump
(Diagram: applications reach the data unchanged, while it stays encrypted on disk, in backups, in exports and at off-site facilities.)
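The "SQL interface to key management" is the 12c ADMINISTER KEY MANAGEMENT statement. The following is an added example, not code from the slides: it creates a keystore, sets a master key, encrypts a tablespace and a column, rotates the key and verifies the result. The keystore path, passwords, datafile path and the hr.employees.ssn column are assumptions, as is the sqlnet.ora keystore location it relies on.

```sql
-- Added example, not from the deck. Assumes sqlnet.ora already points at the
-- keystore directory, e.g.
--   ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=FILE)
--     (METHOD_DATA=(DIRECTORY=/etc/ORACLE/WALLETS/orcl)))
-- Paths, passwords and the hr.employees table are assumed names.

-- 1. Create and open a password-protected software keystore (the Oracle wallet).
ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '/etc/ORACLE/WALLETS/orcl'
  IDENTIFIED BY "keystore-password";
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN
  IDENTIFIED BY "keystore-password";

-- 2. Create the master encryption key. WITH BACKUP copies the keystore first:
--    a lost master key means every encrypted tablespace is unreadable.
ADMINISTER KEY MANAGEMENT SET KEY
  IDENTIFIED BY "keystore-password" WITH BACKUP USING 'initial_key';

-- 3a. Tablespace encryption: everything stored in the tablespace, and hence in
--     its backups and exports, is encrypted; the application sees no change.
CREATE TABLESPACE secure_ts
  DATAFILE '/u02/oradata/orcl/secure_ts01.dbf' SIZE 100M
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

-- 3b. Column encryption for one sensitive column of an existing table.
--     NO SALT is needed if the column is indexed: salted columns cannot be indexed.
ALTER TABLE hr.employees MODIFY (ssn ENCRYPT USING 'AES256' NO SALT);

-- 4. Periodic key rotation (a regulatory item on the next slide). SET KEY
--    creates a new master key; the data is not re-encrypted, only the
--    tablespace/table keys wrapped under the master key are.
ADMINISTER KEY MANAGEMENT SET KEY
  IDENTIFIED BY "keystore-password" WITH BACKUP USING 'rotation_2014q4';

-- 5. Verify: the keystore must report OPEN, and the new tablespace must be
--    listed as encrypted, before any sensitive data is loaded.
SELECT wrl_type, wrl_parameter, status, wallet_type
  FROM v$encryption_wallet;
SELECT t.name, e.encryptionalg, e.encryptedts
  FROM v$encrypted_tablespaces e
  JOIN v$tablespace t ON t.ts# = e.ts#;
```

The backup produced by WITH BACKUP, and the keystore itself, must be stored separately from the database backups: a backup set that contains both the encrypted datafiles and the keystore that opens them defeats the point of encrypting at rest, which is the "physical separation of keys from encrypted data" requirement on the following slide.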
The Challenges of Key Management
Management
• Proliferation of encryption wallets and keys
• Authorized sharing of keys
• Key availability, retention, and recovery
• Custody of keys and key storage files
Regulations
• Physical separation of keys from encrypted data
• Periodic key rotations
• Monitoring and auditing of keys
• Long-term retention of keys and encrypted data
Key Management with Oracle Key Vault
• Centrally manage and share keys, secrets, Oracle wallets, Java keystores, and more
• Optimized for Oracle stack (Database, Middleware, Systems) and Advanced Security TDE
• Robust, secure, and standards compliant (OASIS KMIP) key manager
Oracle Key Vault High-Level Architecture
(Diagram: a primary Key Vault server with a standby, an administration console with alerts and reports, and secure backups; database, server and middleware endpoints store credential files, Oracle wallets, Java keystores, server passwords and certificates in it.)
Oracle Wallet Scenarios
Oracle Advanced Security Transparent Data Encryption (TDE)
• Single Instance
• Multiple DBs, Same Machine
• RAC
• Data Guard
• GoldenGate
Direct Connection Scenarios
Oracle Advanced Security Transparent Data Encryption (TDE)
• Single Instance
• Multiple DBs, Same Machine
• RAC
• Data Guard
• GoldenGate
Oracle Key Vault Software Appliance Platform
• Turnkey solution based on hardened stack
• Includes Oracle Database and security options
• Open x86-64 hardware to choose from
• Easy to install, configure, deploy, and patch
• Separation of duties for administrative users
• Full auditing, preconfigured reports, and alerts
Privilege Analysis
• You want to apply the concept of least privilege
• Problem: you don’t know what privileges they really need, so maybe you just give them SELECT ANY TABLE
• That is not very secure and is hard to justify to an auditor
Privilege Analysis
Discover Use of Privileges and Roles
Administrative Control for Oracle Database 12c
• Turn on privilege capture mode
• Report on actual privileges and roles used in the database
• Helps revoke unnecessary privileges
• Enforce least privilege and reduce risks
• Increase security without disruption
(Diagram: sessions holding the DBA and APPADMIN roles issue Create…, Drop…, Update…; the capture report flags the Update privilege granted through APPADMIN as unused.)
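The capture-then-report procedure on this slide maps onto the DBMS_PRIVILEGE_CAPTURE package. The block below is an added example, not code from the slides: it captures the privileges actually exercised through the APPADMIN role named on the slide, then lists the used and unused ones. The capture name and the revoke/grant statements at the end are assumptions; running it needs the CAPTURE_ADMIN role.

```sql
-- Added example, not from the deck. APPADMIN is the role on the slide; the
-- capture name 'appadmin_usage' and the objects in step 5 are assumed.

-- 1. Define the capture. G_ROLE records privileges exercised through the listed
--    roles only; G_DATABASE would record every privilege used by every session.
BEGIN
  DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE(
    name        => 'appadmin_usage',
    description => 'Privileges actually used through the APPADMIN role',
    type        => DBMS_PRIVILEGE_CAPTURE.G_ROLE,
    roles       => ROLE_NAME_LIST('APPADMIN'));
  DBMS_PRIVILEGE_CAPTURE.ENABLE_CAPTURE(name => 'appadmin_usage');
END;
/

-- 2. Run a representative workload (daily batch, month end, ad-hoc reporting)
--    while the capture is enabled, then stop it and materialise the result.
BEGIN
  DBMS_PRIVILEGE_CAPTURE.DISABLE_CAPTURE(name => 'appadmin_usage');
  DBMS_PRIVILEGE_CAPTURE.GENERATE_RESULT(name => 'appadmin_usage');
END;
/

-- 3. What was used: one row per privilege exercised at least once, with the
--    role it was exercised through and the grant path it was obtained by.
SELECT username, used_role, sys_priv, obj_priv,
       object_owner, object_name, path
  FROM dba_used_privs
 WHERE capture = 'appadmin_usage'
 ORDER BY username, used_role, sys_priv, obj_priv;

-- 4. What was granted but never used: the candidates for revocation. This is
--    the list that answers the auditor's question on the previous slide.
SELECT username, rolename, sys_priv, obj_priv, object_owner, object_name
  FROM dba_unused_privs
 WHERE capture = 'appadmin_usage'
 ORDER BY username, rolename;

-- 5. Act on the findings: a SELECT ANY TABLE that never shows up in
--    DBA_USED_PRIVS is replaced with object grants on the tables that do.
--    (Assumed objects; uncomment once the report has been reviewed.)
-- REVOKE SELECT ANY TABLE FROM appadmin;
-- GRANT SELECT ON finance.customers TO appadmin;

-- 6. Drop the capture once the findings have been actioned.
BEGIN
  DBMS_PRIVILEGE_CAPTURE.DROP_CAPTURE(name => 'appadmin_usage');
END;
/
```

"Unused" means unused during the capture window. A privilege that backs a quarterly or year-end job will look unused in a one-week capture, so either run the capture across a full business cycle or revoke in stages with a rollback script at hand; that is what keeps the last bullet, "without disruption", true.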
Oracle Database Vault
Privileged User and Operational Controls
• Limit default powers of privileged users
• Enforce policy rules inside the database
• Violations audited, secured and sent to Oracle Audit Vault
• No application changes required
(Diagram: realms around the Procurement, HR and Finance schemas; the application reaches its data, while a DBA’s “select * from finance.customers” is stopped by the Finance realm.)
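The realm in the diagram is created with the DBMS_MACADM package. The block below is an added example, not code from the slides: it builds a realm around a FINANCE schema, authorises only the application account, and shows what the DBA statement on the slide returns afterwards. Schema, realm and account names are assumptions; it runs as the Database Vault owner (DV_OWNER) on a database where Database Vault has been configured and enabled.

```sql
-- Added example, not from the deck. FINANCE, FIN_APP and the realm name are
-- assumed; finance.customers is the object from the slide.
BEGIN
  -- 1. Create the realm. G_REALM_AUDIT_FAIL writes an audit record for every
  --    blocked access, which Audit Vault can collect.
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'Finance Data Realm',
    description   => 'Customer and ledger tables owned by FINANCE',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);

  -- 2. Put every object of the schema under the realm ('%' is a wildcard).
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'Finance Data Realm',
    object_owner => 'FINANCE',
    object_name  => '%',
    object_type  => '%');

  -- 3. Authorise only the application account as a realm participant. Any
  --    other account relying on a system privilege such as SELECT ANY TABLE,
  --    the DBA included, is now refused on these objects.
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name   => 'Finance Data Realm',
    grantee      => 'FIN_APP',
    auth_options => DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);
END;
/

-- 4. The slide's scenario from the DBA session once the realm exists.
--    The statement is the one on the slide; the error is the one Database
--    Vault raises for a realm violation:
--    SQL> select * from finance.customers;
--    ORA-01031: insufficient privileges

-- 5. Confirm the protection is in place before relying on it.
SELECT name, enabled, audit_options
  FROM dba_dv_realm
 WHERE name = 'Finance Data Realm';
SELECT realm_name, owner, object_name, object_type
  FROM dba_dv_realm_object
 WHERE realm_name = 'Finance Data Realm';
```

A realm created this way (a regular realm) blocks access that comes through system privileges; an account holding a direct object grant on a FINANCE table still gets through. If the requirement is that nobody outside the authorised list reads the data regardless of grants, 12c adds the mandatory realm (realm_type => 1 in CREATE_REALM), which also blocks direct object-privilege holders.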
Oracle Audit Vault and Database Firewall
Database Activity Monitoring and Firewall
Detective Control for Oracle and non-Oracle Databases
• Monitors and logs database network traffic
• Detects and blocks unauthorized database activity, including SQL injection attacks
• Highly accurate SQL grammar analysis
• Whitelist approach to enforce activity
• Blacklists for managing high-risk activity
• Scalable secure software appliance
(Diagram: SQL from apps and users passes through SQL analysis against whitelist and blacklist policies and session factors; the outcome is Allow, Log, Alert, Substitute, or Block.)
Oracle Data Redaction
Redacting Sensitive Data for Applications
• On-the-fly redaction based upon user name, IP address, application context, and other factors
• Transparent, consistent enforcement in the database
• Minimal impact on production workloads
(Diagram: a redaction policy sits between the stored Credit Card # column, e.g. 4451-2172-9841-4368, 5106-6342-4881-5211, 4891-3311-0090-5055, and the consuming systems: call centers, decision support systems, and other systems with PII, PHI or PCI data.)
Supported Transformations
Transformation       Original               Redacted
Full Redaction       05/24/75               01/01/01
                     11 Rock Bluff Dr.      XXXXXXX
Partial Redaction    068-35-2299            ***-**-2299
                     D1L86YZV8K             D1******8K
RegExp Redaction     jim.lee@acme.com       [redacted]@acme.com
                     94025-2450             94025-[hidden]
Random Redaction     4022-5231-5531-9855    4943-6344-0547-0110
                     09/30/73               11/14/85
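The transformations in the table, and the user-name-based policy from the previous slide, are defined with the DBMS_REDACT package. The block below is an added example, not code from the slides: one policy on an assumed CALLCENTER.CUSTOMERS table (columns SSN, EMAIL, CARD_NUMBER, DOB) that applies partial, regular-expression, random and full redaction, and is switched off for one assumed supervisor account. The table, column and account names are assumptions; the run needs EXECUTE on DBMS_REDACT.

```sql
-- Added example, not from the deck. CALLCENTER.CUSTOMERS, its columns and the
-- CALLCENTER_SUPERVISOR account are assumed names.
BEGIN
  -- 1. Partial redaction of a US SSN, keeping the last four digits.
  --    REDACT_US_SSN_F5 is the shipped format 'VVVFVVFVVVV,VVV-VV-VVVV,*,1,5':
  --    068-35-2299 becomes ***-**-2299. The expression is evaluated per query;
  --    here the policy applies to every session except the supervisor's.
  DBMS_REDACT.ADD_POLICY(
    object_schema       => 'CALLCENTER',
    object_name         => 'CUSTOMERS',
    policy_name         => 'customers_pii',
    column_name         => 'SSN',
    function_type       => DBMS_REDACT.PARTIAL,
    function_parameters => DBMS_REDACT.REDACT_US_SSN_F5,
    expression          => 'SYS_CONTEXT(''USERENV'',''SESSION_USER'') != ''CALLCENTER_SUPERVISOR''');

  -- 2. Regular-expression redaction of the e-mail local part. The shipped
  --    pattern captures (local)@(domain); \2 keeps the domain:
  --    jim.lee@acme.com -> [redacted]@acme.com
  DBMS_REDACT.ALTER_POLICY(
    object_schema         => 'CALLCENTER',
    object_name           => 'CUSTOMERS',
    policy_name           => 'customers_pii',
    action                => DBMS_REDACT.ADD_COLUMN,
    column_name           => 'EMAIL',
    function_type         => DBMS_REDACT.REGEXP,
    regexp_pattern        => DBMS_REDACT.RE_PATTERN_EMAIL_ADDRESS,
    regexp_replace_string => '[redacted]@\2',
    regexp_position       => DBMS_REDACT.RE_BEGINNING,
    regexp_occurrence     => DBMS_REDACT.RE_ALL);

  -- 3. Random redaction of the card number: a different random value of the
  --    same length on every fetch, so no real digit is ever returned.
  DBMS_REDACT.ALTER_POLICY(
    object_schema => 'CALLCENTER',
    object_name   => 'CUSTOMERS',
    policy_name   => 'customers_pii',
    action        => DBMS_REDACT.ADD_COLUMN,
    column_name   => 'CARD_NUMBER',
    function_type => DBMS_REDACT.RANDOM);

  -- 4. Full redaction of the date of birth: DATE columns become 01-JAN-01,
  --    the 01/01/01 in the table.
  DBMS_REDACT.ALTER_POLICY(
    object_schema => 'CALLCENTER',
    object_name   => 'CUSTOMERS',
    policy_name   => 'customers_pii',
    action        => DBMS_REDACT.ADD_COLUMN,
    column_name   => 'DOB',
    function_type => DBMS_REDACT.FULL);
END;
/

-- 5. Check what is in force. The application is unchanged: a call-centre
--    session running SELECT ssn, email FROM callcenter.customers now receives
--    the redacted values; the supervisor session receives the originals.
SELECT object_owner, object_name, policy_name, expression, enable
  FROM redaction_policies;
SELECT column_name, function_type, function_parameters, regexp_pattern
  FROM redaction_columns
 WHERE object_owner = 'CALLCENTER' AND object_name = 'CUSTOMERS';
```

Two points to keep in mind when deciding where redaction fits. It is applied to query results only: the real values still drive WHERE clauses, joins and aggregates, so it is a display control for application screens and reports, not a replacement for the access controls on the earlier slides. And SYS, together with any user granted the EXEMPT REDACTION POLICY privilege, always sees the original data; that privilege should be granted as sparingly as SELECT ANY TABLE.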
Introducing Oracle Data Masking and Subsetting Pack
Reduces Risk in Sharing by Obfuscating or Removing Sensitive Data
• Discover Sensitive Data
• Mask Data Using Format Library
• Subset Based on Conditions/Goal
• Mask/Subset in Export or on Staging
• Retain Application Integrity
Example (production table, then the masked and subsetted copy):
NAME     SALARY          NAME     SALARY
AGUILAR  50135.56        AGUILAR  35676.24
BENSON   35789.89        CHANDRA  76546.89
CHANDRA  60765.23
DONNER   103456.82
Conditional Auditing Framework
Detective Control for Oracle Database 12c
Database Auditing
• New policy- and condition-based syntax
  – What: CREATE, ALTER, ALL, …
  – Where: set of privileges, roles, objects
  – When: IP_ADDRESS != “10.288.241.88”
  – Exceptions: Except HR
• Group audit settings for manageability
• New roles: Audit Viewer and Audit Admin
• Out-of-box audit policies
• Single unified database audit trail
(Diagram: a policy reads IF ACTIONS CREATE AND IP_ADDRESS = … THEN audit.)
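The What / Where / When / Exceptions parts above are the clauses of the 12c CREATE AUDIT POLICY and AUDIT POLICY statements. The block below is an added example, not code from the slides: an action-based policy with an IP-address condition, a privilege-based policy, the HR exception, the new reviewer role, and a query of the unified trail. Policy names, the sec_reviewer account and the address 10.0.241.88 (a constructed private address, not the value on the slide) are assumptions; it needs the AUDIT_ADMIN role and unified auditing enabled.

```sql
-- Added example, not from the deck. Policy names, sec_reviewer and the
-- address 10.0.241.88 are assumed values.

-- What + When: table DDL issued from anywhere but the admin host.
-- EVALUATE PER SESSION checks the condition once at logon rather than for
-- every statement, which keeps the overhead on busy sessions negligible.
CREATE AUDIT POLICY ddl_off_admin_host
  ACTIONS CREATE TABLE, ALTER TABLE, DROP TABLE
  WHEN 'SYS_CONTEXT(''USERENV'',''IP_ADDRESS'') != ''10.0.241.88'''
  EVALUATE PER SESSION;

-- Where: a privilege-based policy records every use of the ANY privileges,
-- which is the evidence the Privilege Analysis section is built on.
CREATE AUDIT POLICY any_table_use
  PRIVILEGES SELECT ANY TABLE, UPDATE ANY TABLE, DELETE ANY TABLE;

-- Exceptions: enable both policies, leaving the HR account out of the first.
AUDIT POLICY ddl_off_admin_host EXCEPT hr;
AUDIT POLICY any_table_use;

-- Separation of duties: the reviewer reads the trail through AUDIT_VIEWER and
-- cannot change policies; only AUDIT_ADMIN holders can.
GRANT AUDIT_VIEWER TO sec_reviewer;

-- In 12.1 records are queued in memory by default; flush before reviewing if
-- the rows from a test statement are not visible yet.
-- EXEC DBMS_AUDIT_MGMT.FLUSH_UNIFIED_AUDIT_TRAIL;

-- Review from the single unified trail. UNIFIED_AUDIT_POLICIES is a
-- comma-separated list when several policies fire on one statement.
SELECT event_timestamp, dbusername, client_program_name, action_name,
       object_schema, object_name, sql_text, unified_audit_policies
  FROM unified_audit_trail
 WHERE unified_audit_policies LIKE '%DDL_OFF_ADMIN_HOST%'
    OR unified_audit_policies LIKE '%ANY_TABLE_USE%'
 ORDER BY event_timestamp;
```

Conditions are evaluated with the session's own context, so the IP_ADDRESS seen by the policy is the client address as the listener reports it; sessions arriving through a connection pool or application server all carry the middle tier's address, and a condition written for the end user's address will not fire for them.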
Oracle Audit Vault
Detective Control for Databases, Operating Systems, …
(Diagram: audit data from databases, operating systems and custom sources, together with Database Firewall events, flows into the Audit Vault, which applies policies and produces built-in reports, custom reports, and alerts.)
Securing data in Oracle Database 12c - 2015
