11gr2 security


Upload: hung-nguyen

Post on 06-Mar-2015





TRANSCRIPT

Page 1: 11gR2 Security


Page 2: 11gR2 Security

Oracle Database 11g Release 2 Security Update and Plans: Defense-in-Depth

Vipin Samar, Vice President, Oracle Database Security

Page 3: 11gR2 Security

Program Agenda

• Today's Threat Landscape
• Defense-in-Depth Approach
• Oracle Database Security Solutions
• Oracle Database Firewall (New!)
• Summary
• Q&A

Page 4: 11gR2 Security


Why Secure the Database?

Page 5: 11gR2 Security

Security Technologies Deployed

(Diagram: the security technologies typically deployed around employee, customer and citizen access: Authentication, Identity Management, Network Security, Vulnerability Management, End Point Security, Email Security and Other Security. The database itself is marked only with the question "DB Security?")

Page 6: 11gR2 Security

How Does Data Get Compromised?

Source: Verizon 2010 Data Breach Investigations Report

Page 7: 11gR2 Security

2010 Data Breach Investigations Report: Where Do Losses Come From?

92% of compromised records came from databases

Page 8: 11gR2 Security

Top Attack Techniques: % of Breaches and % of Records

2010 Data Breach Investigations Report

Most records were lost through "Stolen Credentials" and "SQL Injection"

Page 9: 11gR2 Security

Existing Security Solutions Not Enough

Data must be protected in depth

(Diagram: threats reaching the database through application users, web users, and application and database administrators: botware, malware, key loggers, espionage, phishing, SQL injection and social engineering.)

Page 10: 11gR2 Security

Database Security: Defense-In-Depth Approach

• Monitor and block threats before they reach databases
• Control access to data within the databases
• Track changes and audit database activity
• Encrypt data to prevent direct access
• Implement with
  – Transparency: no changes to existing applications
  – High Performance: no measurable impact on applications
  – Accuracy: minimal false positives and negatives

Page 11: 11gR2 Security

Oracle Database Security Defense-in-Depth

Access Control
• Oracle Database Vault
• Oracle Label Security

Encryption and Masking
• Oracle Advanced Security
• Oracle Secure Backup
• Oracle Data Masking

Auditing and Tracking
• Oracle Audit Vault
• Oracle Configuration Management
• Oracle Total Recall

Monitoring and Blocking
• Oracle Database Firewall

Page 12: 11gR2 Security

Oracle Database Security Defense-in-Depth (Encryption and Masking)

• Oracle Advanced Security
• Oracle Secure Backup
• Oracle Data Masking

Page 13: 11gR2 Security

Oracle Advanced Security: End-to-End Encryption

(Diagram: data stays encrypted from the application through disk, backups and exports to off-site facilities.)

• Efficient encryption of all application data
• Built-in key lifecycle management
• No application changes required
• Works with Exadata and Oracle Advanced Compression

Page 14: 11gR2 Security


Oracle Advanced Security Integrated with Oracle Enterprise Manager

Page 15: 11gR2 Security

TDE Column Encryption: Integrated with Oracle Enterprise Manager

Page 16: 11gR2 Security

Oracle Advanced Security: What's New and Coming?

• Hardware Acceleration Support
  – Encryption overhead already < 10% for most applications
  – 7-10x performance gain with Intel Advanced Encryption Standard New Instructions (AES-NI) and Oracle SPARC T3
• Key Management and HSM Support
  – Certified with SafeNet, Thales, Utimaco using PKCS #11
  – Planned support for Oracle's Key Management System
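The slides describe Transparent Data Encryption (TDE) only in feature terms. The following is an added example, not code from the deck or from Oracle's documentation, showing the 11gR2 SQL a DBA actually runs to get the "disk, backups, exports" coverage of slide 13: create the master key in the wallet, encrypt a single column, encrypt a whole tablespace, and verify the result. The wallet directory, the FINANCE.CUSTOMERS table, the SECURE_TS tablespace and the password are assumptions.

```sql
-- Added example (not from the deck). Oracle Database 11gR2 syntax; 12c replaced the
-- ALTER SYSTEM SET ENCRYPTION statements with ADMINISTER KEY MANAGEMENT.
-- Assumes sqlnet.ora points at a software wallet (hypothetical path):
--   ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=FILE)
--     (METHOD_DATA=(DIRECTORY=/etc/ORACLE/WALLETS/orcl)))
-- For an HSM (slide 16) METHOD=HSM is used instead and the key never leaves the device.

-- 1. Create the wallet and the master encryption key (rotates the master key if one
--    already exists). Column and tablespace keys are wrapped by this master key and
--    stored inside the database, so data files are useless without the wallet.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "w4ll3t-P@ssw0rd";

-- After an instance restart the wallet is closed and encrypted data is unreadable
-- until it is reopened (or an auto-login wallet is configured):
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "w4ll3t-P@ssw0rd";

-- 2. Column encryption: protect only the sensitive column. AES192 is the column
--    default; AES256 is requested explicitly here. A random salt is added by default,
--    which blocks equality indexing, so NO SALT is needed for an indexed column.
ALTER TABLE finance.customers MODIFY (ssn ENCRYPT USING 'AES256');
-- indexed variant: ALTER TABLE finance.customers MODIFY (ssn ENCRYPT USING 'AES256' NO SALT);

-- 3. Tablespace encryption: every segment created in the tablespace is encrypted,
--    no per-column decisions, no index or foreign-key restrictions. AES128 is the
--    tablespace default; AES256 is requested here.
CREATE TABLESPACE secure_ts
  DATAFILE '/u01/oradata/orcl/secure_ts01.dbf' SIZE 512M
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

-- An existing tablespace cannot be encrypted in place; move the tables into the new one.
ALTER TABLE finance.customers MOVE TABLESPACE secure_ts;

-- 4. Verify: which columns and tablespaces are encrypted, and is the wallet open?
SELECT owner, table_name, column_name, encryption_alg, salt
  FROM dba_encrypted_columns;

SELECT t.name, e.encryptionalg, e.encryptedts
  FROM v$encrypted_tablespaces e
  JOIN v$tablespace t ON t.ts# = e.ts#;

-- STATUS must be OPEN; CLOSED or OPEN_NO_MASTER_KEY means step 1 did not complete.
SELECT wrl_type, wrl_parameter, status FROM v$encryption_wallet;

-- 5. Backups and exports inherit the protection: RMAN backs up encrypted blocks as-is,
--    and Data Pump can encrypt the dump with the same master key (shell, not SQL):
--    expdp finance/... DUMPFILE=cust.dmp ENCRYPTION=ALL ENCRYPTION_MODE=TRANSPARENT
```

The operational caveat a practitioner cares about: losing the wallet (or its password, if no auto-login wallet exists) loses the data, so the wallet must be backed up separately from the database backups and never stored alongside them.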

Page 17: 11gR2 Security

Oracle Data Masking: Irreversible De-Identification

• Mask sensitive data for test and partner systems
• Sophisticated masking: condition-based, compound, deterministic
• Extensible template library and policies for automation
• Leverage masking templates for common data types
• Integrated masking and cloning
• Masking of heterogeneous databases via database gateways
• Command line support for data masking tasks

Two of the bullets are flagged "New" on the slide.

Production                              Non-Production
LAST_NAME  SSN          SALARY          LAST_NAME   SSN          SALARY
AGUILAR    203-33-3234  40,000          ANSKEKSL    111-23-1111  40,000
BENSON     323-22-2943  60,000          BKJHHEIEDK  222-34-1345  60,000
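The slide's table shows the outcome (real names and SSNs replaced, salaries kept) but not how "deterministic" and "irreversible" are achieved at the same time. The following added example, which is not the Oracle Data Masking product's code, implements that property in plain PL/SQL: a keyed HMAC maps each real value to one fixed fake value, so the same SSN masks identically across tables and join keys survive, while the per-run key is thrown away afterwards so nothing can be reversed. The FINANCE.CUSTOMERS table, the MASK_SURNAMES substitution table and its rows are constructed assumptions; EXECUTE on DBMS_CRYPTO must be granted by SYS.

```sql
-- Added example (not from the deck). Run on the cloned, non-production copy only.

-- Substitution list for surnames (constructed sample; a real list has thousands of rows).
CREATE TABLE mask_surnames (id NUMBER PRIMARY KEY, surname VARCHAR2(40));
INSERT INTO mask_surnames VALUES (1, 'ADAMS');
INSERT INTO mask_surnames VALUES (2, 'BROOKS');
INSERT INTO mask_surnames VALUES (3, 'CHEN');
INSERT INTO mask_surnames VALUES (4, 'DIAZ');
INSERT INTO mask_surnames VALUES (5, 'EVANS');
COMMIT;

CREATE OR REPLACE PACKAGE mask_pkg AS
  FUNCTION mask_ssn (p_ssn  VARCHAR2) RETURN VARCHAR2;
  FUNCTION mask_name(p_name VARCHAR2) RETURN VARCHAR2;
END mask_pkg;
/
CREATE OR REPLACE PACKAGE BODY mask_pkg AS
  -- Per-run secret, generated fresh when the package is first used in the session
  -- and never persisted: this is what makes the mapping irreversible.
  g_key RAW(32) := DBMS_CRYPTO.RANDOMBYTES(32);

  -- HMAC-SHA1 (the strongest HMAC in 11g's DBMS_CRYPTO) of the input, truncated to a
  -- 32-bit integer, then shaped as a 9-digit SSN.
  FUNCTION hmac32(p_text VARCHAR2) RETURN NUMBER IS
    l_mac RAW(20);
  BEGIN
    l_mac := DBMS_CRYPTO.MAC(UTL_I18N.STRING_TO_RAW(p_text, 'AL32UTF8'),
                             DBMS_CRYPTO.HMAC_SH1, g_key);
    RETURN TO_NUMBER(SUBSTR(RAWTOHEX(l_mac), 1, 8), 'XXXXXXXX');
  END hmac32;

  FUNCTION mask_ssn(p_ssn VARCHAR2) RETURN VARCHAR2 IS
    l_digs VARCHAR2(9);
  BEGIN
    IF p_ssn IS NULL THEN RETURN NULL; END IF;
    l_digs := LPAD(MOD(hmac32(p_ssn), 1000000000), 9, '0');  -- keep leading zeros
    -- Caveat: this keeps the NNN-NN-NNNN shape but does not avoid the ranges the SSA
    -- never issues (area 000, 666, 900-999); add that filter if the test app checks it.
    RETURN SUBSTR(l_digs, 1, 3) || '-' || SUBSTR(l_digs, 4, 2) || '-' || SUBSTR(l_digs, 6, 4);
  END mask_ssn;

  -- Deterministic pick from the substitution table, so reports still look realistic.
  FUNCTION mask_name(p_name VARCHAR2) RETURN VARCHAR2 IS
    l_cnt NUMBER;
    l_out VARCHAR2(40);
  BEGIN
    IF p_name IS NULL THEN RETURN NULL; END IF;
    SELECT COUNT(*) INTO l_cnt FROM mask_surnames;
    SELECT surname INTO l_out
      FROM mask_surnames
     WHERE id = MOD(hmac32(UPPER(p_name)), l_cnt) + 1;   -- ids are 1..n, contiguous
    RETURN l_out;
  END mask_name;
END mask_pkg;
/

-- Apply. SALARY is left untouched, as on the slide; it is not an identifier.
UPDATE finance.customers
   SET last_name = mask_pkg.mask_name(last_name),
       ssn       = mask_pkg.mask_ssn(ssn);
COMMIT;

-- Checks before handing the copy to a test team:
-- (a) the format survived, so application validation still passes
SELECT COUNT(*) FROM finance.customers
 WHERE NOT REGEXP_LIKE(ssn, '^[0-9]{3}-[0-9]{2}-[0-9]{4}$');   -- expect 0
-- (b) the mapping is deterministic within the run (same input, same output)
SELECT mask_pkg.mask_ssn('203-33-3234') AS first_call,
       mask_pkg.mask_ssn('203-33-3234') AS second_call
  FROM dual;                                                     -- two equal values
```

Because the key lives only in package state, determinism holds for one masking session (mask every table in the same session); a second run produces a different, equally irreversible mapping, which is the intended behaviour for refreshing a test copy.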

Page 18: 11gR2 Security

Oracle Data Masking: What's Coming?

• Sensitive data identification based on privacy attributes
• Application masking templates for
  • E-Business Suite
  • Fusion Applications

Page 19: 11gR2 Security

Oracle Database Security Defense-in-Depth (Access Control)

Access Control
• Oracle Database Vault
• Oracle Label Security

Encryption and Masking
• Oracle Advanced Security
• Oracle Secure Backup
• Oracle Data Masking

Page 20: 11gR2 Security

Oracle Database Vault: Separation of Duties & Privileged User Controls

• Restricts application data from privileged users
• DBA separation of duties
• Securely consolidate application data
• No application changes required
• Works with Oracle Exadata

(Diagram: realms around the Procurement, HR and Finance schemas; the application reaches its data while a DBA's "select * from finance.customers" is stopped at the realm boundary.)

Page 21: 11gR2 Security

Oracle Database Vault: Multi-Factor Access Control Policy Enforcement

• Protect application data and prevent application bypass
• Enforce who, where, when, and how using rules and factors
  • User factors: name, authentication type, proxy enterprise identity
  • Network factors: machine name, IP, network protocols
  • Database factors: IP, instance, hostname, SID
  • Runtime factors: date, time

(Diagram: Procurement, HR and Rebates schemas protected behind the application.)
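Slides 20 and 21 describe the realm that stops the DBA's query and the factors that express "who, where, when and how", but not the configuration behind them. The following is an added example, not code from the deck or from Oracle, that builds both with the DBMS_MACADM API on 11gR2: a realm around the FINANCE schema, three rules on the default DVF factors, a rule set requiring all of them, and a realm authorization that applies only while the rule set is true. The Database Vault owner account, the FINANCE and FIN_APP accounts, the subnet and the business-hours window are assumptions; Database Vault must already be installed and enabled.

```sql
-- Added example (not from the deck). Run as the Database Vault owner (DV_OWNER role).
BEGIN
  -- 1. Realm: once FINANCE's objects are inside, system privileges such as
  --    SELECT ANY TABLE no longer reach them; only realm authorizations do.
  --    Failed attempts are written to the Database Vault audit trail.
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'Finance Realm',
    description   => 'Protects finance.* from privileged users',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);

  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'Finance Realm',
    object_owner => 'FINANCE',
    object_name  => '%',      -- every object in the schema
    object_type  => '%');     -- of every type

  -- 2. Rules over factors. DVF.F$* functions expose the default factors
  --    (session user, client IP, authentication method, machine, ...).
  DBMS_MACADM.CREATE_RULE('Is App Account',
    'DVF.F$SESSION_USER = ''FIN_APP''');
  DBMS_MACADM.CREATE_RULE('From App Tier',
    'DVF.F$CLIENT_IP LIKE ''10.20.30.%''');                 -- assumed app subnet
  DBMS_MACADM.CREATE_RULE('Business Hours',
    'TO_NUMBER(TO_CHAR(SYSDATE, ''HH24'')) BETWEEN 7 AND 19');

  -- 3. Rule set: ALL rules must hold (who AND where AND when).
  DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'Finance App Access',
    description     => 'App account, from the app tier, during business hours',
    enabled         => DBMS_MACUTL.G_YES,
    eval_options    => DBMS_MACUTL.G_RULESET_EVAL_ALL,
    audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
    fail_options    => DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => 'Finance data is only reachable from the application tier',
    fail_code       => 20999,
    handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);

  DBMS_MACADM.ADD_RULE_TO_RULE_SET('Finance App Access', 'Is App Account');
  DBMS_MACADM.ADD_RULE_TO_RULE_SET('Finance App Access', 'From App Tier');
  DBMS_MACADM.ADD_RULE_TO_RULE_SET('Finance App Access', 'Business Hours');

  -- 4. Authorizations. FIN_APP participates only while the rule set is true;
  --    the schema owner keeps owner rights; nobody else, DBAs included, is listed.
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'Finance Realm',
    grantee       => 'FIN_APP',
    rule_set_name => 'Finance App Access',
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);

  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'Finance Realm',
    grantee       => 'FINANCE',
    rule_set_name => NULL,
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_OWNER);
END;
/

-- 5. Check from a DBA session holding SELECT ANY TABLE: the slide's query now fails
--    with ORA-01031: insufficient privileges ...
SELECT * FROM finance.customers;

-- ... and the attempt is recorded by Database Vault, separately from the DBA's reach.
SELECT username, action_name, action_object_name, returncode, timestamp
  FROM dvsys.audit_trail$
 WHERE action_object_name = 'Finance Realm'
 ORDER BY timestamp DESC;
```

Two caveats worth checking in a review: factors such as F$CLIENT_IP come from the session's network address, so a connection pool on the application tier makes every request look like it comes from the app tier, and the rule set only governs realm authorization, not whether FIN_APP's own object grants exist; both are needed for the query to succeed.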

Page 22: 11gR2 Security

Oracle Database Vault: Out-of-the-Box Protections for Applications

• Pre-built policies with further possible customization
• Complements application security
• Transparent to existing applications
• Minimal performance overhead
• Certifications underway:
  – Oracle Hyperion
  – Oracle Tax and Utilities

Applications shown on the slide: Oracle E-Business Suite 11i / R12, PeopleSoft Applications, Siebel, i-Flex, Retek, JD Edwards EnterpriseOne, SAP, Infosys Finacle

Page 23: 11gR2 Security

Oracle Label Security: Data Classification for Access Control

• Classify users and data based on business drivers
• Database-enforced row-level access control
• User classification through Oracle Identity Management Suite
• Classification labels can be factors in Database Vault

(Diagram: rows of Transactions, Report Data and Reports labeled Sensitive, Confidential or Public; users cleared for Confidential or Sensitive see only the rows at or below their own label.)
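The slide shows labeled rows and cleared users, but not the policy that makes the database enforce the filter. The following is an added example, not from the deck or from Oracle's samples, that builds the three-level scheme of the diagram with the Oracle Label Security SA_* packages: a policy with a hidden label column, levels, the policy applied to one table for both reads and writes, labeled rows, and two users with different clearances. The policy name, FINANCE.TRANSACTIONS and its KIND column, and the ANALYST and AUDITOR accounts are assumptions; the SA_* calls run as LBACSYS or a user holding the policy's FINANCE_OLS_DBA role.

```sql
-- Added example (not from the deck). Oracle Label Security on 11gR2.

-- 1. Policy. OLS adds a hidden NUMBER column (here OLS_LABEL) to every table it protects.
EXEC SA_SYSDBA.CREATE_POLICY('finance_ols', 'OLS_LABEL');

-- 2. Levels ordered by number: higher dominates lower (Public < Confidential < Sensitive).
EXEC SA_COMPONENTS.CREATE_LEVEL('finance_ols', 1000, 'PUB',  'Public');
EXEC SA_COMPONENTS.CREATE_LEVEL('finance_ols', 2000, 'CONF', 'Confidential');
EXEC SA_COMPONENTS.CREATE_LEVEL('finance_ols', 3000, 'SENS', 'Sensitive');

-- 3. Apply to the table. READ_CONTROL filters SELECT, WRITE_CONTROL filters
--    UPDATE/DELETE, both by comparing the row label with the session label.
EXEC SA_POLICY_ADMIN.APPLY_TABLE_POLICY('finance_ols', 'FINANCE', 'TRANSACTIONS', 'READ_CONTROL,WRITE_CONTROL');

-- 4. Label the existing rows. Writing labels directly needs the policy's FULL
--    privilege, granted to the schema owner for this one-off classification.
EXEC SA_USER_ADMIN.SET_USER_PRIVS('finance_ols', 'FINANCE', 'FULL');
-- (as FINANCE; the KIND values are assumed)
UPDATE finance.transactions SET ols_label = CHAR_TO_LABEL('finance_ols', 'SENS') WHERE kind = 'REPORT_DATA';
UPDATE finance.transactions SET ols_label = CHAR_TO_LABEL('finance_ols', 'CONF') WHERE kind = 'REPORT';
UPDATE finance.transactions SET ols_label = CHAR_TO_LABEL('finance_ols', 'PUB')  WHERE kind = 'PUBLIC';
COMMIT;

-- 5. Classify users: the third argument is the maximum read label (max write label
--    defaults to it). Object grants alone never raise a user above this.
EXEC SA_USER_ADMIN.SET_USER_LABELS('finance_ols', 'ANALYST', 'CONF');
EXEC SA_USER_ADMIN.SET_USER_LABELS('finance_ols', 'AUDITOR', 'SENS');

-- 6. Verify as ANALYST (who also holds SELECT on the table): only PUB and CONF rows
--    are returned; the SENS rows are invisible rather than rejected with an error.
SELECT LABEL_TO_CHAR(ols_label) AS label, COUNT(*) AS rows_visible
  FROM finance.transactions
 GROUP BY LABEL_TO_CHAR(ols_label);

-- Same query as AUDITOR returns all three labels.
```

The "labels can be factors in Database Vault" bullet follows from this: the session's OLS label is readable through the DVF factor functions, so a Database Vault rule set can require, for example, a Sensitive clearance before a realm authorization applies.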

Page 24: 11gR2 Security

Oracle Database Security Defense-in-Depth (Auditing and Tracking)

Access Control
• Oracle Database Vault
• Oracle Label Security

Encryption and Masking
• Oracle Advanced Security
• Oracle Secure Backup
• Oracle Data Masking

Auditing and Tracking
• Oracle Audit Vault
• Oracle Configuration Management
• Oracle Total Recall

Page 25: 11gR2 Security

Oracle Audit Vault: Automated Audit Collection and Reporting

• Consolidate audit data into a secure warehouse
• Create/customize compliance and entitlement reports
• Detect and raise alerts on suspicious activities
• Centralized audit policy management
• Integrated audit trail cleanup

(Diagram: audit data from CRM, ERP and HR databases flows into the Audit Vault, which applies policies and produces built-in reports, custom reports and alerts for the auditor.)
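Audit Vault consolidates what the source databases record, so its value depends on the audit policies enabled on each database. The following is an added example, not from the deck or from Oracle's documentation, of the source-side configuration an 11gR2 database collector picks up: the audit trail parameter, standard auditing of privileged actions, and a fine-grained auditing policy that records only reads of the SSN column by anyone other than the application account. FINANCE.CUSTOMERS, the SSN column and FIN_APP are assumptions.

```sql
-- Added example (not from the deck). Run as a user with AUDIT SYSTEM / SYSDBA.

-- 1. Keep the audit trail in the database with SQL text and bind values (DB,EXTENDED).
--    Static parameter: takes effect after the next restart.
ALTER SYSTEM SET audit_trail = 'DB,EXTENDED' SCOPE = SPFILE;

-- 2. Standard auditing, one record per statement (BY ACCESS):
--    privilege and schema changes that an attacker with stolen DBA credentials would make,
--    plus every successful read of the customer table.
AUDIT ALTER ANY TABLE, GRANT ANY PRIVILEGE, GRANT ANY ROLE, CREATE ANY PROCEDURE BY ACCESS;
AUDIT SELECT ON finance.customers BY ACCESS WHENEVER SUCCESSFUL;

-- 3. Fine-grained auditing: a record is written only when the statement touches SSN
--    and the session is not the application account. The condition keeps the trail
--    small, and a hit is a specific, alertable event rather than background noise.
BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema   => 'FINANCE',
    object_name     => 'CUSTOMERS',
    policy_name     => 'CUST_SSN_READ',
    audit_condition => 'SYS_CONTEXT(''USERENV'',''SESSION_USER'') <> ''FIN_APP''',
    audit_column    => 'SSN',
    enable          => TRUE,
    statement_types => 'SELECT,UPDATE',
    audit_trail     => DBMS_FGA.DB + DBMS_FGA.EXTENDED);
END;
/

-- 4. What the collector (or an analyst) sees: who, from which host, which statement.
SELECT db_user, os_user, userhost, timestamp, sql_text
  FROM dba_fga_audit_trail
 WHERE policy_name = 'CUST_SSN_READ'
 ORDER BY timestamp DESC;

SELECT username, action_name, obj_name, returncode, extended_timestamp
  FROM dba_audit_trail
 WHERE obj_name = 'CUSTOMERS'
 ORDER BY extended_timestamp DESC;
```

Two points for review: SYS.AUD$ and SYS.FGA_LOG$ live in the audited database, so a privileged attacker can truncate them, which is exactly why the collector should ship records to Audit Vault promptly and why the deck's "integrated audit trail cleanup" purges only what has already been collected; and `DB,EXTENDED` stores full SQL text, which may itself contain sensitive literals, so the audit warehouse needs the same access controls as the data it describes.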

Page 26: 11gR2 Security


Oracle Audit Vault Consolidated Reports Span Enterprise Databases

Page 27: 11gR2 Security


Oracle Audit Vault 10.2.3.2 Default Reports

Page 28: 11gR2 Security

Oracle Configuration Management: Secure Configuration & Change Tracking

• Continuous scanning against best practices and gold baselines
• 200+ out-of-the-box policies spanning host, database, and middleware
• Real-time detection of changes to processes, files, etc.
• Violations can trigger emails and create tickets
• Compliance reports mapped to compliance frameworks

Optimized for Oracle with industry-specific compliance dashboards

(Diagram: out-of-box policies, user-defined policies and groups, real-time change detection, and industry and regulatory frameworks feeding a compliance dashboard.)

Page 29: 11gR2 Security

Oracle Database Security Defense-in-Depth (Monitoring and Blocking)

Access Control
• Oracle Database Vault
• Oracle Label Security

Encryption and Masking
• Oracle Advanced Security
• Oracle Secure Backup
• Oracle Data Masking

Auditing and Tracking
• Oracle Audit Vault
• Oracle Configuration Management
• Oracle Total Recall

Monitoring and Blocking
• Oracle Database Firewall

Page 30: 11gR2 Security

Oracle Database Firewall: First Line of Defense

• Prevent unauthorized activity, application bypass and SQL injection
• Highly accurate SQL grammar-based analysis
• Flexible enforcement options
• Built-in and custom compliance reports

(Diagram: the firewall sits between the applications and the database; each statement is blocked, logged, allowed, alerted on or substituted according to policies, with built-in reports, custom reports and alerts.)

Page 31: 11gR2 Security

Oracle Database Firewall: Security Model

• White-list based policies enforce normal or expected behavior
• Evaluate factors such as time, day, network, app, etc.
• Easily generate white-lists for any application
• Log, alert, block or substitute out-of-policy SQL statements
• Black lists to stop unwanted SQL commands, user, or schema access
• Superior performance and policy scalability based upon clustering

(Diagram: SQL from the applications is checked against the white list; matching statements are allowed, others blocked.)

Page 32: 11gR2 Security

32

Management Server

Oracle Database FirewallDeployment Architecture

• In-line blocking and monitoring, or out-of-band monitoring modes

• Monitoring of remote databases by forwarding network traffic

• Centralized policy management and reporting

• High availability options for Database firewalls and Management Servers

• Support for multiple Oracle/non-Oracle Databases with the same firewall

In-Line Blockingand Monitoring

HA In-Line Mode

Inbound SQL Traffic

Out-of-Band Monitoring

Management Server

Policy Analyzer

Page 33: 11gR2 Security

Oracle Database Security – Big Picture

(Diagram: the Procurement, HR and Rebates application schemas, with data labeled Sensitive, Confidential or Public, inside an encrypted database with encrypted backups and encrypted exports; data masking for non-production copies; audit consolidation; and network SQL monitoring and blocking in front of the applications with the block, log, allow, alert and substitute actions. Threats called out: local DBA privilege misuse, database consolidation security, unauthorized local activity.)

Page 34: 11gR2 Security

Oracle Database Security: Key Differentiators

Page 35: 11gR2 Security

More Oracle Database Security Presentations

• Monday:
  – 12:30 pm: Making a Business Case for Information Security, MS 300
  – 3:30 pm: Oracle Database 11g Release 2 Security: Defense-in-Depth, MS 103
• Tuesday:
  – 12:30 pm: Real-World Deployment and Best Practices: Oracle Audit Vault, MS 104
  – 2:00 pm: Real-World Deployment and Best Practices: Oracle Advanced Security, MS 300
  – 2:00 pm: Best Practices for Ensuring the Highest Enterprise Database Security, MS 304
  – 3:30 pm: Database Security Event Management: Oracle Audit Vault and ArcSight, MS 300
  – 5:00 pm: Real-World Deployment and Best Practices: Oracle Database Vault, MS 303
• Wednesday:
  – 10:00 am: Protect Data and Save Money: Aberdeen, MS 306
  – 11:30 am: Preventing Database Attacks With Oracle Database Firewall, MS 306
  – 4:45 pm: Centralized Key Management and Performance: Oracle Advanced Security, MS 306
• Thursday:
  – 10:30 am: Deploying Oracle Database 11g Securely on Oracle Solaris, MS 104

MS = Moscone South

Page 36: 11gR2 Security

Oracle Database Security Hands-on Labs

• Monday:
  – Database Vault, 11:00 AM, Marriott Marquis, Salon 10 / 11
  – Database Vault, 5:00 PM, Marriott Marquis, Salon 10 / 11
• Tuesday:
  – Database Security, 11:00 AM, Marriott Marquis, Salon 10 / 11
• Thursday:
  – Advanced Security, 12:00 PM, Marriott Marquis, Salon 10 / 11
  – Audit Vault, 1:30 PM, Marriott Marquis, Salon 10 / 11

Page 37: 11gR2 Security

Oracle Database Security Demo Grounds, Moscone West

• Oracle Database Firewall
• Oracle Database Vault
• Oracle Label Security
• Oracle Audit Vault
• Oracle Advanced Security
• Oracle Database 11g Release 2 Security

Exhibition Hours
Monday, September 20: 9:45 a.m. - 5:30 p.m.
Tuesday, September 21: 9:45 a.m. - 5:30 p.m.
Wednesday, September 22: 9:00 a.m. - 4:00 p.m.

Page 38: 11gR2 Security

The preceding is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.

Page 39: 11gR2 Security

For More Information

oracle.com/database/security

search.oracle.com: search for "database security"

Page 40: 11gR2 Security


Q&A