Oracle Database 11g Release 2 Security Update and Plans Defense-in-Depth PowerPoint PPT Presentation


Title: Oracle Database 11g Release 2 Security Update and Plans Defense-in-Depth


1
(No Transcript)
2
Oracle Database 11g Release 2 Security Update
and Plans: Defense-in-Depth
  • Vipin Samar
  • Vice President, Oracle Database Security

3
Program Agenda
  • Today's Threat Landscape
  • Defense-in-Depth Approach
  • Oracle Database Security Solutions
  • Oracle Database Firewall (New!)
  • Summary
  • Q&A

4
Why Secure the Database?
5
Security Technologies Deployed
End Point Security
Other Security
Employee Customer Citizen
Vulnerability Mgmt
email Security
DB Security?
Authentication
Network Security
Identity Management
6
How Data Gets Compromised?
Source: Verizon 2010 Data Breach Investigations Report
7
Where Losses Come From?
92% of Records from Compromised Databases
2010 Data Breach Investigations Report
8
Top Attack Techniques: Breaches and Records
2010 Data Breach Investigations Report
Most records lost through Stolen Credentials and SQL Injection
9
Existing Security Solutions Not Enough
Web Users
Application Users
Database
Application
Administrators
Data Must Be Protected in depth
10
Database Security: Defense-In-Depth Approach
  • Monitor and block threats before they reach
    databases
  • Control access to data within the databases
  • Track changes and audit database activity
  • Encrypt data to prevent direct access
  • Implement with:
      • Transparency: no changes to existing applications
      • High Performance: no measurable impact on applications
      • Accuracy: minimal false positives and negatives

11
Oracle Database Security
Defense-in-Depth
Encryption and Masking
  • Oracle Advanced Security
  • Oracle Secure Backup
  • Oracle Data Masking

Access Control
  • Oracle Database Vault
  • Oracle Label Security

Auditing and Tracking
  • Oracle Audit Vault
  • Oracle Configuration Management
  • Oracle Total Recall

Monitoring and Blocking
  • Oracle Database Firewall

12
Oracle Database Security
Defense-in-Depth
Encryption and Masking
  • Oracle Advanced Security
  • Oracle Secure Backup
  • Oracle Data Masking

13
Oracle Advanced Security: End-to-End Encryption
Application
  • Efficient encryption of all application data
  • Built-in key lifecycle management
  • No application changes required
  • Works with Exadata and Oracle Advanced Compression

14
Oracle Advanced Security
Integrated with Oracle
Enterprise Manager
15
TDE Column Encryption: Integrated with Oracle
Enterprise Manager

16
Oracle Advanced Security
What's New and Coming?
  • Hardware Acceleration Support
      • Performance already < 10% for most applications
      • 7-10x performance gain with Intel Advanced
        Encryption Standard New Instructions (AES-NI) and
        Oracle SPARC T-3
  • Key Management and HSM Support
      • Certified with SafeNet, Thales, Utimaco using
        PKCS #11
      • Planned support for Oracle's Key Management System

17
Oracle Data Masking: Irreversible De-Identification

Production
LAST_NAME    SSN           SALARY
AGUILAR      203-33-3234   40,000
BENSON       323-22-2943   60,000

Non-Production
LAST_NAME    SSN           SALARY
ANSKEKSL     11123-1111    40,000
BKJHHEIEDK   222-34-1345   60,000

  • Mask sensitive data for test and partner systems
  • Sophisticated masking: condition-based, compound,
    deterministic
  • Extensible template library and policies for
    automation
  • Leverage masking templates for common data types
  • Integrated masking and cloning
  • Masking of heterogeneous databases via database
    gateways
  • Command line support for data masking tasks

New
New
18
Oracle Data Masking: What's Coming?
  • Sensitive data identification based on privacy
    attributes
  • Application Masking templates for:
      • E-Business Suite
      • Fusion Applications

19
Oracle Database Security
Defense-in-Depth
Encryption and Masking
  • Oracle Advanced Security
  • Oracle Secure Backup
  • Oracle Data Masking

Access Control
  • Oracle Database Vault
  • Oracle Label Security

20
Oracle Database Vault: Separation of Duties
Privileged User Controls
Procurement
DBA
HR
Application
Finance
select * from finance.customers
  • Restricts application data from privileged users
  • DBA separation of duties
  • Securely consolidate application data
  • No application changes required
  • Works with Oracle Exadata

21
Oracle Database Vault: Multi-Factor Access Control
Policy Enforcement
Procurement
HR
Application
Rebates
  • Protect application data and prevent application
    bypass
  • Enforce who, where, when, and how using rules and
    factors
      • User Factors: Name, Authentication type, Proxy
        Enterprise Identity
      • Network Factors: Machine name, IP, Network
        Protocols
      • Database Factors: IP, Instance, Hostname, SID
      • Runtime Factors: Date, Time

22
Oracle Database Vault: Out-of-the-Box Protections
For Applications
  • Pre-built policies with further possible
    customization
  • Complements application security
  • Transparent to existing applications
  • Minimal performance overhead
  • Certifications Underway:
      • Oracle Hyperion
      • Oracle Tax and Utilities

23
Oracle Label Security: Data Classification for
Access Control
Sensitive
Confidential
Transactions
Public
Report Data
Reports
Confidential
Sensitive
  • Classify users and data based on business drivers
  • Database-enforced row-level access control
  • User classification through Oracle Identity
    Management Suite
  • Classification labels can be factors in Database
    Vault

24
Oracle Database Security
Defense-in-Depth
Encryption and Masking
  • Oracle Advanced Security
  • Oracle Secure Backup
  • Oracle Data Masking

Access Control
  • Oracle Database Vault
  • Oracle Label Security

Auditing and Tracking
  • Oracle Audit Vault
  • Oracle Configuration Management
  • Oracle Total Recall

25
Oracle Audit Vault: Automated Audit Collection and
Reporting
Audit Data
Auditor
  • Consolidate audit data into a secure warehouse
  • Create/customize compliance and entitlement
    reports
  • Detect and raise alerts on suspicious activities
  • Centralized audit policy management
  • Integrated audit trail cleanup

26
Oracle Audit Vault Consolidated Reports Span
Enterprise Databases
27
Oracle Audit Vault 10.2.3.2
Default Reports
28
Oracle Configuration Management: Secure
Configuration Change Tracking
  • Continuous scanning against best practices and
    gold baselines
  • 200 out-of-the-box policies spanning host,
    database, and middleware
  • Real-time detection of changes to processes, files, etc.
  • Violations can trigger emails and create tickets
  • Compliance reports mapped to compliance frameworks

29
Oracle Database Security
Defense-in-Depth
Encryption and Masking
  • Oracle Advanced Security
  • Oracle Secure Backup
  • Oracle Data Masking

Access Control
  • Oracle Database Vault
  • Oracle Label Security

Auditing and Tracking
  • Oracle Audit Vault
  • Oracle Configuration Management
  • Oracle Total Recall

Monitoring and Blocking
  • Oracle Database Firewall

30
Oracle Database Firewall: First Line of Defense
  • Prevent unauthorized activity, application bypass
    and SQL injections
  • Highly accurate SQL grammar based analysis
  • Flexible enforcement options
  • Built-in and custom compliance reports

31
Oracle Database Firewall: Security Model
White List
Allow
Block
Applications
  • White-list based policies enforce normal or
    expected behavior
  • Evaluate factors such as time, day, network, app,
    etc.
  • Easily generate white-lists for any application
  • Log, alert, block or substitute out-of-policy SQL
    statements
  • Black lists to stop unwanted SQL commands, user,
    or schema access
  • Superior performance and policy scalability based
    upon clustering

32
Oracle Database Firewall: Deployment Architecture
In-Line Blocking and Monitoring
Out-of-Band Monitoring
Inbound SQL Traffic
HA In-Line Mode
Policy Analyzer
  • In-line blocking and monitoring, or out-of-band
    monitoring modes
  • Monitoring of remote databases by forwarding
    network traffic
  • Centralized policy management and reporting
  • High availability options for Database firewalls
    and Management Servers
  • Support for multiple Oracle/non-Oracle Databases
    with the same firewall

33
Oracle Database Security Big Picture
Procurement
Procurement
HR
HR
Rebates
Rebates
34
Oracle Database Security: Key Differentiators
35
More Oracle Database Security Presentations
  • Monday
      • 12:30 pm: Making a Business Case for Information
        Security, MS 300
      • 3:30 pm: Oracle Database 11g Release 2 Security
        Defense-in-Depth, MS 103
  • Tuesday
      • 12:30 pm: Real-World Deployment and Best
        Practices: Oracle Audit Vault, MS 104
      • 2:00 pm: Real-World Deployment and Best Practices:
        Oracle Advanced Security, MS 300
      • 2:00 pm: Best Practices for Ensuring the Highest
        Enterprise Database Security, MS 304
      • 3:30 pm: Database Security Event Management
        Oracle Audit Vault and ArcSight, MS 300
      • 5:00 pm: Real-World Deployment and Best Practices:
        Oracle Database Vault, MS 303
  • Wednesday
      • 10:00 am: Protect Data and Save Money Aberdeen,
        MS 306
      • 11:30 am: Preventing Database Attacks With Oracle
        Database Firewall, MS 306
      • 4:45 pm: Centralized Key Management and
        Performance Oracle Advanced Security, MS 306
  • Thursday
      • 10:30 am: Deploying Oracle Database 11g Securely
        on Oracle Solaris, MS 104

MS = Moscone South
36
Oracle Database Security Hands-on-Labs
  • Monday
      • Database Vault, 11:00 AM, Marriott Marquis, Salon
        10 / 11
      • Database Vault, 5:00 PM, Marriott Marquis, Salon
        10 / 11
  • Tuesday
      • Database Security, 11:00 AM, Marriott Marquis,
        Salon 10 / 11
  • Thursday
      • Advanced Security, 12:00 PM, Marriott Marquis,
        Salon 10 / 11
      • Audit Vault, 1:30 PM, Marriott Marquis, Salon 10 /
        11

37
Oracle Database Security Demo Grounds: Moscone West
  • Oracle Database Firewall
  • Oracle Database Vault
  • Oracle Label Security
  • Oracle Audit Vault
  • Oracle Advanced Security
  • Oracle Database 11g Release 2 Security

  Exhibition Hours
Monday, September 20: 9:45 a.m. - 5:30 p.m.
Tuesday, September 21: 9:45 a.m. - 5:30 p.m.
Wednesday, September 22: 9:00 a.m. - 4:00 p.m.
38
The preceding is intended to outline our general
product direction. It is intended for information
purposes only, and may not be incorporated into
any contract. It is not a commitment to deliver
any material, code, or functionality, and should
not be relied upon in making purchasing
decisions. The development, release, and timing
of any features or functionality described for
Oracle's products remains at the sole discretion
of Oracle.
39
For More Information
40
A