Oracle Database Security Defense-in-Depth
Nguyen Quang Huy, Senior Solution Consulting Manager
Agenda
• Today’s Threat Landscape
• Defense-in-Depth Approach
• Oracle Database Security Solutions
• Summary
Security Technologies Deployed
Diagram labels: End Point Security, Other Security, email Security, Vulnerability Mgmt, Network Security, Authentication, Identity Management; user types Employee, Customer, Citizen; the database layer is marked “DB Security?”
How Data Gets Compromised?
Source: Verizon 2010 Data Breach Investigations Report (chart)
Where Losses Come From?
92% of Records from Compromised Databases
Source: Verizon 2010 Data Breach Investigations Report
Top Attack Techniques: % Breaches and % Records
Source: Verizon 2010 Data Breach Investigations Report
Most records lost through “Stolen Credentials” & “SQL Injection”
Oracle Database Security Defense-in-Depth
Encryption and Masking
• Oracle Advanced Security
• Oracle Secure Backup
• Oracle Data Masking
Access Control
• Oracle Database Vault
• Oracle Label Security
Auditing and Tracking
• Oracle Audit Vault
• Oracle Configuration Management
• Oracle Total Recall
Monitoring and Blocking
• Oracle Database Firewall
Encryption and Masking: Oracle Advanced Security, Oracle Secure Backup, Oracle Data Masking
Oracle Advanced Security – End-to-End Encryption
Diagram labels: Disk, Backups, Exports, Application, Off-Site Facilities
• Efficient encryption of all application data
• Built-in key lifecycle management
• No application changes required
• Works with Exadata and Oracle Advanced Compression
Oracle Advanced Security – What’s New and Coming?
• Hardware Acceleration Support
– Performance overhead already < 10% for most applications
– 7-10x performance gain with Intel Advanced Encryption Standard New Instructions (AES-NI) and Oracle SPARC T-3
• Key Management and HSM Support
– Certified with SafeNet, Thales, Utimaco using PKCS #11
– Planned support for Oracle’s Key Management System
Oracle Data Masking – Irreversible De-Identification

Production                              Non-Production
LAST_NAME   SSN           SALARY        LAST_NAME    SSN           SALARY
AGUILAR     203-33-3234   40,000        ANSKEKSL     111-23-1111   40,000
BENSON      323-22-2943   60,000        BKJHHEIEDK   222-34-1345   60,000

• Mask sensitive data for test and partner systems
• Sophisticated masking: condition-based, compound, deterministic
• Extensible template library and policies for automation
• Leverage masking templates for common data types
• Integrated masking and cloning
• Masking of heterogeneous databases via database gateways (New)
• Command line support for data masking tasks (New)
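As an added illustration of the deterministic, format-preserving masking the slide's table shows (this is example code, not Oracle Data Masking's own implementation), the following Python applies a keyed hash so that the same production value always maps to the same masked value while SALARY is left intact; the key, the per-column rules and the sample rows are constructed for the example.

```python
import hashlib
import hmac
import string

# Constructed demo key. In practice the key stays with the production side,
# so masked copies cannot be reversed from the non-production environment.
MASK_KEY = b"constructed-demo-key-do-not-reuse"

def _digest(column: str, value: str) -> bytes:
    # Keyed hash; the column name is mixed in so LAST_NAME and SSN masks
    # stay independent even for identical plaintexts.
    return hmac.new(MASK_KEY, f"{column}:{value}".encode(), hashlib.sha256).digest()

def mask_last_name(value: str) -> str:
    """Replace each letter with a keyed pseudo-random uppercase letter; length,
    apostrophes and hyphens are kept so the value still looks like a surname."""
    d = _digest("LAST_NAME", value)
    return "".join(string.ascii_uppercase[d[i % 32] % 26] if ch.isalpha() else ch
                   for i, ch in enumerate(value))

def mask_ssn(value: str) -> str:
    """Keep the ###-##-#### layout; only the digits are replaced."""
    d = _digest("SSN", value)
    return "".join(str(d[i % 32] % 10) if ch.isdigit() else ch
                   for i, ch in enumerate(value))

def mask_row(row: dict) -> dict:
    """Compound rule for one row: LAST_NAME and SSN are masked, SALARY is kept
    unchanged so test data stays realistic (as in the slide's table)."""
    return {"LAST_NAME": mask_last_name(row["LAST_NAME"]),
            "SSN": mask_ssn(row["SSN"]),
            "SALARY": row["SALARY"]}

def mask_table(rows):
    """Deterministic: the same production value yields the same masked value in
    every table it appears in, so joins between masked tables still work."""
    return [mask_row(r) for r in rows]

# Constructed production rows mirroring the slide's example.
PRODUCTION = [
    {"LAST_NAME": "AGUILAR", "SSN": "203-33-3234", "SALARY": 40000},
    {"LAST_NAME": "BENSON", "SSN": "323-22-2943", "SALARY": 60000},
]

if __name__ == "__main__":
    for prod, masked in zip(PRODUCTION, mask_table(PRODUCTION)):
        print(prod, "->", masked)
```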
Oracle Data Masking – What’s Coming?
• Sensitive data identification based on privacy attributes
• Application masking templates for:
– E-Business Suite
– Fusion Applications
Access Control: Oracle Database Vault, Oracle Label Security
Oracle Database Vault – Separation of Duties & Privileged User Controls
Diagram labels: Procurement, HR, Finance, Application, DBA, “select * from finance.customers”
• Restricts application data from privileged users
• DBA separation of duties
• Securely consolidate application data
• No application changes required
• Works with Oracle Exadata
Oracle Database Vault – Multi-Factor Access Control Policy Enforcement
Diagram labels: Procurement, HR, Rebates, Application
• Protect application data and prevent application by-pass
• Enforce who, where, when, and how using rules and factors
– User Factors: Name, Authentication type, Proxy Enterprise Identity
– Network Factors: Machine name, IP, Network Protocols
– Database Factors: IP, Instance, Hostname, SID
– Runtime Factors: Date, Time
Oracle Database Vault – Out-of-the-Box Protections for Applications
• Pre-built policies with further possible customization
• Complements application security
• Transparent to existing applications
• Minimal performance overhead
• Applications shown on the slide: Oracle E-Business Suite 11i / R12, PeopleSoft Applications, Siebel, i-Flex, Retek, JD Edwards EnterpriseOne, SAP, Infosys Finacle
• Certifications underway:
– Oracle Hyperion
– Oracle Tax and Utilities
Oracle Label Security – Data Classification for Access Control
Diagram labels: Sensitive Transactions, Confidential Report Data, Public Reports; classification labels Confidential, Sensitive
• Classify users and data based on business drivers
• Database-enforced row-level access control
• User classification through Oracle Identity Management Suite
• Classification labels can be factors in Database Vault
Auditing and Tracking: Oracle Audit Vault, Oracle Configuration Management, Oracle Total Recall
Oracle Audit Vault – Automated Audit Collection and Reporting
Diagram labels: Databases (HR Data, CRM Data, ERP Data); Audit Data; Built-in Reports, Custom Reports, Alerts, Policies; Auditor
• Consolidate audit data into a secure warehouse
• Create/customize compliance and entitlement reports
• Detect and raise alerts on suspicious activities
• Centralized audit policy management
• Integrated audit trail cleanup
Oracle Configuration Management – Secure Configuration & Change Tracking
Diagram labels: Out-of-box Policies, User-defined Policies & Groups, Real-Time Change Detection, Industry & Regulatory Frameworks, Compliance Dashboard
Optimized for Oracle with industry-specific compliance dashboards
• Continuous scanning against best practices and gold baselines
• 200+ out-of-the-box policies spanning host, database, and middleware
• Real-time detection of changes to processes, files, etc.
• Violations can trigger emails and create tickets
• Compliance reports mapped to compliance frameworks
Monitoring and Blocking: Oracle Database Firewall
Oracle Database Firewall – First Line of Defense
Diagram labels: Applications; enforcement actions Allow, Log, Alert, Substitute, Block; Alerts, Built-in Reports, Custom Reports, Policies
• Prevent unauthorized activity, application bypass and SQL injections
• Highly accurate SQL grammar-based analysis
• Flexible enforcement options
• Built-in and custom compliance reports
Oracle Database Firewall – Security Model
Diagram labels: White List, Allow, Applications, Block
• White-list based policies enforce normal or expected behavior
• Evaluate factors such as time, day, network, app, etc.
• Easily generate white-lists for any application
• Log, alert, block or substitute out-of-policy SQL statements
• Black lists to stop unwanted SQL commands, user, or schema access
• Superior performance and policy scalability based upon clustering
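The white-list model above, as an added illustration that is not Oracle Database Firewall's code: statements are reduced to their grammatical shape (literals replaced by placeholders) and compared against signatures learned from known-good application traffic, a black list is checked first, and the out-of-policy action is configurable as block, substitute, alert or log. The normalisation rules, the sample statements and the action names are constructed assumptions for this example.

```python
import re

# Constructed rules: string literals (with '' escapes) and numeric literals.
LITERALS = re.compile(r"'(?:[^']|'')*'|\b\d+(?:\.\d+)?\b")
BLACKLIST = (re.compile(r"^\s*(drop|truncate|alter)\b", re.I),)
SUBSTITUTE = "SELECT 1 FROM dual WHERE 1 = 0"  # harmless replacement, returns no rows

def signature(sql: str) -> str:
    """Reduce a statement to its grammatical shape: literals become '?',
    whitespace collapses, case is folded. Statements that differ only in bind
    values share a signature; an appended ' OR 1=1' changes the shape."""
    s = LITERALS.sub("?", sql)
    return re.sub(r"\s+", " ", s).strip().rstrip(";").lower()

def learn_whitelist(observed):
    """'Learning mode': collect signatures from known-good application traffic."""
    return {signature(q) for q in observed}

def decide(sql: str, whitelist, unknown_action="block"):
    """Return (action, statement_to_forward). Black list wins, then white list,
    then the configured out-of-policy action: block, substitute, alert or log."""
    if any(p.search(sql) for p in BLACKLIST):
        return ("block", None)
    if signature(sql) in whitelist:
        return ("allow", sql)
    if unknown_action == "substitute":
        return ("substitute", SUBSTITUTE)
    if unknown_action == "block":
        return ("block", None)
    return (unknown_action, sql)  # alert / log: forward, but record the event

# Constructed baseline captured from the application during learning.
BASELINE = [
    "SELECT * FROM finance.customers WHERE cust_id = 42",
    "UPDATE hr.employees SET salary = 50000 WHERE emp_id = 7",
]
WHITELIST = learn_whitelist(BASELINE)

if __name__ == "__main__":
    for q in ["select * from finance.customers where cust_id = 99",
              "SELECT * FROM finance.customers WHERE cust_id = 42 OR 1=1",
              "DROP TABLE finance.customers"]:
        print(decide(q, WHITELIST), "<-", q)
```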
Oracle Database Firewall – Reporting
• Database Firewall log data consolidated into a reporting database
• Over 130 built-in reports that can be modified and customized
• Entitlements reporting for database attestation and audit
• Database activity and privileged user reports
• Supports demonstrating PCI, SOX, HIPAA/HITECH, etc. controls
• Optional database activity masking
Oracle Database Security – Big Picture
Diagram labels: Applications; Network SQL Monitoring and Blocking (Allow, Log, Alert, Substitute, Block); Procurement, HR, Rebates with Sensitive, Confidential, Public labels; Unauthorized Local Activity; Local DBA Privilege Mis-Use; DB Consolidation Security; Encrypted Database; Encrypted Backups; Encrypted Exports; Data Masking; Audit consolidation
Oracle Database Security Key Differentiators
For More Information
search.oracle.com: database security
oracle.com/database/security