<Insert Picture Here>
Oracle Database 11g Release 2 Security Update and Plans
Defense-in-Depth
<Insert Picture Here>
Program Agenda
• Today’s Threat Landscape
• Defense-in-Depth Approach
• Oracle Database Security Solutions
• Oracle Database Firewall New!
• Summary
• Q&A
Why Secure the Database?
Security Technologies Deployed
Authentication
Identity Management Network Security
Vulnerability Mgmt End Point Security
email Security
Other Security
Employee Customer
Citizen
DB Security?
How Data Gets Compromised?
Source: Verizon 2010 Data Breach Investigations Report
2010 Data Breach Investigations Report
92% of Records from Compromised Databases
Where Losses Come From?
Top Attack Techniques
% Breaches and % Records
2010 Data Breach Investigations Report
Most records lost through
‘Stolen Credentials” & “SQL Injection”
Existing Security Solutions Not Enough
Application Database Administrators
Data Must Be Protected in depth
Application Users
Botware Malware
Key Loggers Espionage
Phishing
SQL Injection
Social Engineering
Web Users
Database Security
Defense-In-Depth Approach
• Monitor and block threats before they reach databases
• Control access to data within the databases
• Track changes and audit database activity
• Encrypt data to prevent direct access
• Implement with
– Transparency – no changes to existing applications
– High Performance – no measurable impact on applications
– Accuracy – minimal false positives and negatives
Oracle Database Security
Defense-in-Depth
Access Control
• Oracle Database Vault
• Oracle Label Security
• Oracle Advanced Security
• Oracle Secure Backup
• Oracle Data Masking
Encryption and Masking
Auditing and Tracking
• Oracle Audit Vault
• Oracle Configuration Management
• Oracle Total Recall
• Oracle Database Firewall
Monitoring and Blocking
Oracle Database Security
Defense-in-Depth
• Oracle Advanced Security
• Oracle Secure Backup
• Oracle Data Masking
Encryption and Masking
Oracle Advanced Security
End–to–end Encryption
Disk Disk
Backups Backups
Exports Exports
Off-Site Facilities
Off-Site Facilities
• Efficient encryption of all application data
• Built-in key lifecycle management
• No application changes required
• Works with Exadata and Oracle Advanced Compression
Application
Application
Oracle Advanced Security
Integrated with Oracle Enterprise Manager
TDE Column Encryption
Integrated with Oracle Enterprise Manager
Oracle Advanced Security What’s New and Coming?
• Hardware Acceleration Support
– Performance already < 10% for most applications
– 7-10x performance gain with Intel Advanced Encryption
Standard New Instructions (AES-NI) and Oracle SPARC T-3
• Key Management and HSM Support
– Certified with SafeNet, Thales, Utimaco using PKCS #11
– Planned support for Oracle’s Key Management System
Oracle Data Masking
Irreversible De-Identification
• Mask sensitive data for test and partner systems
• Sophisticated masking: Condition-based, compound, deterministic
• Extensible template library and policies for automation
• Leverage masking templates for common data types
• Integrated masking and cloning
• Masking of heterogeneous databases via database gateways
• Command line support for data masking tasks
LAST_NAME SSN SALARY
ANSKEKSL 111—23-1111 40,000 BKJHHEIEDK 222-34-1345 60,000
LAST_NAME SSN SALARY
AGUILAR 203-33-3234 40,000 BENSON 323-22-2943 60,000
Production Non-Production
New
New
• Sensitive data identification based on privacy attributes
• Application Masking templates for
• E-Business Suite
Oracle Data Masking
What’s Coming?
Oracle Database Security
Defense-in-Depth
Access Control
• Oracle Database Vault
• Oracle Label Security
• Oracle Advanced Security
• Oracle Secure Backup
• Oracle Data Masking
Encryption and Masking
Oracle Database Vault
Separation of Duties & Privileged User Controls
• Restricts application data from privileged users
• DBA separation of duties
• Securely consolidate application data
• No application changes required
Procurement HR Finance
Application
select * from finance.customers
DBA
Oracle Database Vault
Multi-Factor Access Control Policy Enforcement
• Protect application data and prevent application by-pass
• Enforce who, where, when, and how using rules and factors
• User Factors: Name, Authentication type, Proxy Enterprise Identity
• Network Factors: Machine name, IP, Network Protocols
• Database Factors: IP, Instance, Hostname, SID
• Runtime Factors: Date, Time
Procurement HR Rebates
Application
Oracle Database Vault
Out-of-the Box Protections For Applications
• Pre-built policies with further possible customization
• Complements application security
• Transparent to existing applications
• Minimal performance overhead
• Certifications Underway:
– Oracle Hyperion
– Oracle Tax and Utilities
Oracle E-Business Suite 11i / R12
PeopleSoft Applications
Siebel, i-Flex, Retek
JD Edwards EnterpriseOne
SAP
Infosys Finacle
Oracle Label Security
Data Classification for Access Control
• Classify users and data based on business drivers
• Database enforced row level access control
• Users classification through Oracle Identity Management Suite
• Classification labels can be factors in Database Vault
Confidential Sensitive
Transactions
Report Data
Reports
Sensitive Sensitive Confidential Confidential
Public
Public
Oracle Database Security
Defense-in-Depth
Access Control
• Oracle Database Vault
• Oracle Label Security
• Oracle Advanced Security
• Oracle Secure Backup
• Oracle Data Masking
Encryption and Masking
Auditing and Tracking
• Oracle Audit Vault
• Oracle Configuration Management
• Oracle Total Recall
Oracle Audit Vault
Automated Audit Collection and Reporting
• Consolidate audit data into a secure warehouse
• Create/customize compliance and entitlement reports
• Detect and raise alerts on suspicious activities
• Centralized audit policy management
• Integrated audit trail cleanup
CRM Data
ERP Data
Databases HR Data
Audit Data Audit
Data
Policies Policies Built-in Reports
Built-in Reports
Alerts Alerts
Custom Reports Custom Reports
!
Auditor
Auditor
Oracle Audit Vault
Consolidated Reports Span Enterprise Databases
Oracle Audit Vault 10.2.3.2
Default Reports
Oracle Configuration Management
Secure Configuration & Change Tracking
• Continuous scanning against best practices and gold baselines
• 200+ out-of-the-box policies spanning host, database, and middleware
• Real-time detect changes to processes, files, etc
• Violations can trigger emails, and create tickets
Optimized for Oracle with Industry Specific Compliance Dashboards Optimized for Oracle with Industry Specific Compliance Dashboards
User-defined Policies &
Groups User-defined
Policies &
Groups
Real-Time Change Detection Real-Time Change
Detection Industry &
Regulatory Frameworks Industry &
Regulatory Frameworks
Compliance Dashboard Compliance
Dashboard Out-of-box
Policies Out-of-box
Policies
Oracle Database Security
Defense-in-Depth
Access Control
• Oracle Database Vault
• Oracle Label Security
• Oracle Advanced Security
• Oracle Secure Backup
• Oracle Data Masking
Encryption and Masking
Auditing and Tracking
• Oracle Audit Vault
• Oracle Configuration Management
• Oracle Total Recall
• Oracle Database Firewall
Monitoring and Blocking
Oracle Database Firewall
First Line of Defense
• Prevent unauthorized activity, application bypass and SQL injections
• Highly accurate SQL grammar based analysis
• Flexible enforcement options
• Built-in and custom compliance reports
Policies Policies Built-in
Reports Built-in Reports Alerts
Alerts Custom
Reports Custom Reports Applications
Block Log Allow
Alert
Substitute
Oracle Database Firewall
Security Model
• White-list based policies enforce normal or expected behavior
• Evaluate factors such as time, day, network, app, etc.
• Easily generate white-lists for any application
• Log, alert, block or substitute out-of-policy SQL statements
• Black lists to stop unwanted SQL commands, user, or schema access
• Superior performance and policy scalability based upon clustering
White List
Applications Block
Allow
Management Server
Oracle Database Firewall
Deployment Architecture
• In-line blocking and monitoring, or out-of-band monitoring modes
• Monitoring of remote databases by forwarding network traffic
• Centralized policy management and reporting
• High availability options for Database firewalls and Management Servers
• Support for multiple Oracle/non-Oracle Databases with the same firewall
In-Line Blocking and Monitoring
HA In-Line Mode Inbound
SQL Traffic
Out-of-Band Monitoring
Management Server
Policy
Analyzer
Oracle Database Security – Big Picture
Procurement HR Rebates
Encrypted Backups Encrypted
Database Encrypted
Exports
Data Masking Audit
consolidation
Procurement HR Rebates Sensitive Sensitive Confidential Confidential
Public Public
Local DBA Privilege Mis-Use
DB Consolidation Security Unauthorized
Local Activity
Applications
Block Log Allow
Alert Substitute
Network SQL
Monitoring
and Blocking
Oracle Database Security
Key Differentiators
More Oracle Database Security Presentations
• Monday:
– 12:30 pm: Making a Business Case for Information Security MS 300 – 3:30 pm: Oracle Database 11g Release 2 Security: Defense-in-Depth MS 103
• Tuesday:
– 12:30 pm: Real-World Deployment and Best Practices : Oracle Audit Vault MS 104
– 2:00 pm: Real-World Deployment and Best Practices : Oracle Advanced Security MS 300 – 2:00 pm: Best Practices for Ensuring the Highest Enterprise Database Security MS 304
– 3:30 pm: Database Security Event Management : Oracle Audit Vault and ArcSight MS 300 – 5:00 pm: Real-World Deployment and Best Practices :Oracle Database Vault MS 303
• Wednesday:
– 10:00 am: Protect Data and Save Money: Aberdeen MS 306
– 11:30 am: Preventing Database Attacks With Oracle Database Firewall MS 306
– 4:45 pm: Centralized Key Management and Performance :Oracle Advanced Security MS 306
• Thursday:
– 10:30 am: Deploying Oracle Database 11g Securely on Oracle SolarisMS 104
MS = Moscone South
Oracle Database Security Hands-on-Labs
• Monday:
– Database Vault 11:00AM | Marriott Marquis, Salon 10 / 11 Check Availability – Database Vault 5:00PM | Marriott Marquis, Salon 10 / 11 Check Availability
• Tuesday:
– Database Security 11:00AM | Marriott Marquis, Salon 10 / 11 Check Availability
• Thursday
– Advanced Security 12:00PM | Marriott Marquis, Salon 10 / 11 Check Availability
– Audit Vault 1:30PM | Marriott Marquis, Salon 10 / 11 Check Availability
Oracle Database Security Demo Grounds
Moscone West
• Oracle Database Firewall
• Oracle Database Vault
• Oracle Label Security
• Oracle Audit Vault
• Oracle Advanced Security
• Oracle Database 11g Release2 Security
Exhibition Hours Monday, September 20 9:45 a.m. - 5:30 p.m.
Tuesday, September 21 9:45 a.m. - 5:30 p.m.
Wednesday, September 22 9:00 a.m. - 4:00 p.m.
The preceding is intended to outline our general product direction. It is intended for information
purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any
material, code, or functionality, and should not be relied upon in making purchasing decisions.
The development, release, and timing of any
features or functionality described for Oracle’s
products remains at the sole discretion of Oracle.
For More Information
oracle.com/database/security
search.oracle.com
database security database security