Oracle Database 11g: Lock Down Your Data - PowerPoint PPT Presentation

About This Presentation

Title: Oracle Database 11g: Lock Down Your Data

Slides: 55
Provided by: gco5
Learn more at: http://www.gcoug.org

Transcript and Presenter's Notes


1
Oracle Database 11g: Lock Down Your Data
Privacy
Insider Threats
Compliance
  • Gary Quarles
  • Sales Consultant

2
Key Drivers for Data Security
Regulatory Compliance
  • Sarbanes-Oxley (SOX), J-SOX, HIPAA
  • GLBA
  • Payment Card Industry (PCI)
  • EU Privacy Directives, CA SB 1386
  • Adequate IT controls, COSO, COBIT
  • Separation of duty, proof of compliance, risk
    assessment and monitoring
Insider/External Threats
  • Large percentage of threats go undetected
  • Outsourcing and off-shoring trend
  • Customers want to monitor insider/DBA activity
3

Oracle Database Security: 30 Years of Innovation (1977 - 2007)
  • Native Network Encryption (Oracle7)
  • Database Auditing
  • Virtual Private Database (8i)
  • Database Encryption API
  • Strong authentication (PKI, Kerberos, RADIUS)
  • Enterprise User Security
  • Global roles
  • Proxy authentication
  • Oracle Label Security
  • Client Identifier / Identity propagation
  • Secure application roles
  • Fine Grained Auditing (9i)
  • EM Configuration Scanning
  • Transparent Data Encryption
  • Oracle Database Vault
  • Oracle Audit Vault
  • DB Security Evaluations: 19
  • Government customer
4
Data Security Components
User Management
Access Control
Core Platform Security
Monitoring
Data Protection
5
Data Security Oracle Products
  • User Management
  • Oracle Identity Management
  • Enterprise User Security
  • Access Control
  • Oracle Database Vault
  • Oracle Label Security
  • Virtual Private Database

Core Platform Security
  • Data Protection
  • Oracle Advanced Security
  • Oracle Secure Backup
  • Monitoring
  • Oracle Audit Vault
  • EM Configuration Pack

7
Enterprise User Security (EUS)
  • User Management for Compliance
  • Centralized User Management
  • Consolidate database accounts with shared
    database schemas
  • Centrally managed DBAs
  • Validated with Oracle Virtual Directory
  • Enterprise Strong Authentication
  • Kerberos (MSFT, MIT)
  • PKI (x.509v3)
  • Password
  • SYSDBA Strong Auth
  • Database Enterprise Edition Feature
  • Requires Oracle Identity Management
  • Available since Oracle 8.1.6

Diagram: Financial, Customer and HR databases each use EUS, with Oracle Identity Management as the central user store
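The database side of the shared-schema model described on this slide, as an added example (not code from the deck or from Oracle's documentation). It assumes Oracle Identity Management holds the enterprise users and the user-to-schema mapping; the names APP_SHARED, HR_GLOBAL_ROLE and HR.EMPLOYEES are constructed for the example.

```sql
-- Added example: shared schema and global role for Enterprise User Security.
-- Directory-side mapping (user DN -> schema) is done in OID and is assumed here.

-- A shared schema: every enterprise user the directory maps here connects
-- through this one account, so no per-user database accounts are created.
-- The empty DN string means "any user the directory maps to this schema".
CREATE USER app_shared IDENTIFIED GLOBALLY AS '';

-- A global role: it can only be granted to enterprise roles in the
-- directory, never with GRANT in the database, so membership is managed
-- centrally and a DBA cannot hand it out locally.
CREATE ROLE hr_global_role IDENTIFIED GLOBALLY;
GRANT SELECT ON hr.employees TO hr_global_role;

-- Verification: global accounts show PASSWORD = 'GLOBAL' in DBA_USERS
SELECT username, password, account_status
FROM   dba_users
WHERE  username = 'APP_SHARED';

-- Inside a session, the schema is the shared account but the real enterprise
-- identity (the directory DN) is still available, and it is what should be
-- written to application logs and audit records.
SELECT SYS_CONTEXT('USERENV', 'SESSION_USER')  AS db_schema,
       SYS_CONTEXT('USERENV', 'EXTERNAL_NAME') AS enterprise_dn
FROM   dual;
```

Run the DDL as a DBA; the GRANT to the global role is ordinary object-privilege administration, while who actually holds the role is decided in the directory.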
9
Need for Stronger and Transparent Access Control
  • Key Drivers
  • Restrict full access to data for Privileged users
  • Administrators
  • Developers/QA
  • Application Users
  • Easily implement environment based access control
  • User parameters
  • Network parameters
  • Database parameters
  • Key Requirements
  • Applying on existing legacy applications
  • Support for custom policies
  • Difficult to circumvent
  • Minimal Performance impact

10
Oracle Database Vault
Compliance and Insider Threats
  • Controls on privileged users
  • Restrict DBA from application data
  • Provide Separation of Duty
  • Security for database and information
    consolidation
  • Enforce data access security policies
  • Control who, when, where and how data is accessed
  • Make decisions based on IP address, time, authentication
  • Available on Oracle Database 10g Release 2 and
    Oracle Database 9.2.0.8
  • Validated with PeopleSoft
  • Validation for E-Business, Siebel, and others in
    progress

Protection Realms
Reports
Multi-Factor Authorization
Command Rules
Separation of Duty
11
Oracle Database Vault Protection Realms
Realms can be easily applied to existing
applications with transparency and minimal
performance impact
12
Oracle Database Vault: Transparent Multi-factor Authorization
Diagram labels: SELECT, Unexpected IP address, HR account; CREATE, Business hours, FIN DBA
13
Oracle Database Vault: Transparent Protection
1. Define Realms (block highly privileged users)
2. Add SQL Command Rules (optional)
3. Add other security policies (optional)
4. PL/SQL scripts to deploy security policies
5. Test your application; consider application maintenance
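Steps 1 and 2 of this procedure written as a PL/SQL deployment script, as an added example (not from the deck). It uses the DBMS_MACADM administration API that ships with Database Vault; the realm name, the HR schema and the DROP TABLE rule are constructed, and the script is assumed to run as the Database Vault owner account.

```sql
-- Added example: realm plus command rule for an HR application schema.
-- Run as the Database Vault owner; HR and the realm name are assumed.
BEGIN
  -- Step 1: a realm around the HR schema. Once the objects are inside it,
  -- system privileges such as SELECT ANY TABLE held by a DBA no longer
  -- reach them; only realm-authorized accounts do.
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'HR Application Realm',
    description   => 'Blocks privileged users from HR application data',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);   -- audit violations

  -- Every object of every type owned by HR
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'HR Application Realm',
    object_owner => 'HR',
    object_name  => '%',
    object_type  => '%');

  -- The application owner is the only realm owner; nobody else is authorized
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'HR Application Realm',
    grantee       => 'HR',
    rule_set_name => NULL,
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_OWNER);

  -- Step 2: a command rule. 'Disabled' is a rule set shipped with Database
  -- Vault that always evaluates to false, so DROP TABLE on any HR table is
  -- refused for everyone, realm owner included.
  DBMS_MACADM.CREATE_COMMAND_RULE(
    command       => 'DROP TABLE',
    rule_set_name => 'Disabled',
    object_owner  => 'HR',
    object_name   => '%',
    enabled       => DBMS_MACUTL.G_YES);
END;
/

-- Check what was deployed before moving on to step 5 (test the application)
SELECT name, enabled, audit_options
FROM   dvsys.dba_dv_realm
WHERE  name = 'HR Application Realm';

SELECT command, rule_set_name, object_owner, object_name, enabled
FROM   dvsys.dba_dv_command_rule
WHERE  object_owner = 'HR';
```

Keeping the calls in a script rather than clicking through the administrator GUI is what step 4 asks for: the same policy can then be reviewed, versioned and replayed on the test and production databases.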
14
Major Financial Services CompanyUse Case
  • Control Privileged Users
  • Prevent DBAs from accessing sensitive data in
    Realms
  • Setup multiple levels of DBAs
  • Control Access based upon environmental factors
  • Restrict hostnames authorized to access the DB
  • Control access based on geography
  • Control use of ad-hoc query tools; enforce
    maintenance periods
  • Restrict connections by ad-hoc query tools to
    maintenance times
  • Control Patching activity
  • Patching activity requires another monitoring
    user to be logged in
  • Control unauthorized database changes

15
Noel Yuhanna, Research Analyst, Forrester
  • "The Database Vault features will be in demand,
    especially for databases that contain private
    data. Enterprises want their administrators to
    manage their databases, not data."
  • "Oracle is leading the pack of database makers
    with the new access restriction features.
    Microsoft, IBM and Sybase don't have anything
    like this."

"Oracle wants to rein in database admins", ZDNet
News, April 25, 2006
17
Need for Label Authorizations
  • Key Driver
  • Extended security authorizations for need-to-know
    enforcement
  • Payment Card Industry (PCI) requirement
  • Protection of PII data
  • Multi-level security (Government Defense)
  • Key Requirements
  • Transparent
  • Performant
  • Highly Adaptable
  • Evaluated (Government Defense)

18
Oracle Label Security: Label Based Access Control
  • Extend security authorizations
  • Label authorizations
  • Data Classification
  • Sensitivity labels
  • Flexible and Adaptable
  • Database Application users
  • Multiple enforcement options
  • Built-in mediation routines
  • Available since Oracle8i

Diagram: Oracle Label Security access mediation. Data labels: Sensitive PII, Confidential, Public; user label authorization: Confidential
19
Oracle Label Security Additional Factors for
Database Vault
20
Oracle Label Security: Multi-level (row level) Security, Government/Defense
Case Operation           | Sensitivity Label | Start Date | Status
Pacific Alpha            | Secret            |            |
Project Secure Border    | Top Secret        |            |
Latin America Operation  | Secret            |            |
Desert Storm             | Secret            |            |
Border Protection Alpha  | Top Secret        |            |
Secure Flights           | Public            |            |
See OLS Best Practices for Government and Defense
TWP on OTN
21
Oracle Label Security: Manageability
  • Comprehensive API Available
  • Integrated with Oracle Identity Management

22
Graciela Mucci, CIO, ARTEAR
  • "Instead of maintaining security policies in our
    applications and database, Oracle Label Security
    allowed us to apply these access controls where
    it matters most: the centralized database on a
    scalable Oracle RAC system."
  • Sept. '06

23
Oracle Label Security: Deployment Guide
1. Identify and define labels based on company
   programs and/or data (new ones can be defined later)
2. Provision user label authorizations: database or
   Oracle Identity Management; database or application users
3. Apply OLS functions in applications or database;
   extend Database Vault factors, command rules,
   separation of duty, VPD
4. Use GUI or API to protect application tables
   (optional; required only if you want transparent
   access mediation for multi-level security)
5. Label data (optional; required only if you want
   transparent access mediation for multi-level security)
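The deployment guide above carried through with the three labels from the access-mediation slide (Public, Confidential, Sensitive), as an added example that is not from the deck. It uses the OLS PL/SQL packages (SA_SYSDBA, SA_COMPONENTS, SA_LABEL_ADMIN, SA_POLICY_ADMIN, SA_USER_ADMIN); the policy name CUST_POL, the table APP.CUSTOMERS with its PII_FLAG column, and the users CLERK and ANALYST are constructed.

```sql
-- Added example: OLS policy with a single level component.
-- Run as a user holding LBAC_DBA; APP.CUSTOMERS and the user names are assumed.
BEGIN
  -- Step 1: the policy. It adds a hidden label column (CUST_LABEL) to every
  -- table it is applied to; READ_CONTROL/WRITE_CONTROL switch on mediation.
  SA_SYSDBA.CREATE_POLICY(
    policy_name     => 'CUST_POL',
    column_name     => 'CUST_LABEL',
    default_options => 'READ_CONTROL,WRITE_CONTROL,HIDE');

  -- Levels are ordered by number: a user at SENSITIVE dominates CONFIDENTIAL
  -- and PUBLIC; gaps in the numbers leave room for levels added later.
  SA_COMPONENTS.CREATE_LEVEL('CUST_POL', 1000, 'P', 'PUBLIC');
  SA_COMPONENTS.CREATE_LEVEL('CUST_POL', 2000, 'C', 'CONFIDENTIAL');
  SA_COMPONENTS.CREATE_LEVEL('CUST_POL', 3000, 'S', 'SENSITIVE');

  -- Data labels (tag, label string). Tags are what is stored in the rows.
  SA_LABEL_ADMIN.CREATE_LABEL('CUST_POL', 100, 'P');
  SA_LABEL_ADMIN.CREATE_LABEL('CUST_POL', 200, 'C');
  SA_LABEL_ADMIN.CREATE_LABEL('CUST_POL', 300, 'S');

  -- Step 2: user label authorizations. CLERK can read up to CONFIDENTIAL,
  -- ANALYST up to SENSITIVE; rows above a user's level simply do not exist
  -- for that user's queries.
  SA_USER_ADMIN.SET_USER_LABELS('CUST_POL', 'CLERK',   'C');
  SA_USER_ADMIN.SET_USER_LABELS('CUST_POL', 'ANALYST', 'S');

  -- Step 4: protect the table (transparent access mediation)
  SA_POLICY_ADMIN.APPLY_TABLE_POLICY(
    policy_name   => 'CUST_POL',
    schema_name   => 'APP',
    table_name    => 'CUSTOMERS',
    table_options => 'READ_CONTROL,WRITE_CONTROL');
END;
/

-- Step 5: label the data. CHAR_TO_LABEL turns the label string into its tag.
-- Run this as the policy administrator (who holds FULL on the policy);
-- an ordinary user could only write labels their own write label dominates.
UPDATE app.customers SET cust_label = CHAR_TO_LABEL('CUST_POL', 'S')
 WHERE pii_flag = 'Y';
UPDATE app.customers SET cust_label = CHAR_TO_LABEL('CUST_POL', 'P')
 WHERE pii_flag = 'N';
COMMIT;

-- Verify the effect: as CLERK this returns only rows labelled P or C,
-- and the label itself stays hidden because of the HIDE option.
SELECT cust_id, LABEL_TO_CHAR(cust_label) AS label
FROM   app.customers;
```

Because the hidden column is omitted from SELECT * and from INSERT column lists, existing application SQL keeps working, which is the "transparent" part of steps 4 and 5.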
25
Need for Fine-grained Access Control: Database
Enforced Query Modification
  • Key Driver
  • Data consolidation requires stronger security
  • Large warehouses need to logically partition
    information
  • Database enforced security simplifies
    applications
  • Key Requirements
  • Transparent
  • Performant
  • Highly Adaptable

26
Virtual Private Database: Policy-based Query
Modification
  • Database enforced security policies for query
    modification
  • Introduced in Oracle8i
  • Attach to table, view, table column

Diagram: the user's "Select ... from employees" is rewritten by VPD with the added predicate "where account_mgt_id = 148", so only that manager's SOCIAL SECURITY NUMBER rows (431-395-9332, 381-395-9223) are returned
27
Virtual Private Database: Column Relevant Policies
(10g)
Diagram: VPD column-relevant policy on "Select cust_last_name, social_security_number from accts"; the policy is triggered by the SOCIAL SECURITY NUMBER column (sample values 431-395-9332, 381-395-9223)
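Both VPD slides implemented with DBMS_RLS, as an added example (not from the deck): a row-level policy on EMPLOYEES that appends the "account_mgt_id = ..." predicate shown on the previous slide, and a column-relevant policy on ACCTS that only fires when SOCIAL_SECURITY_NUMBER is selected. The tables, the helper table APP.ACCOUNT_MANAGERS (mgr_id, db_username) and the schema name APP are constructed.

```sql
-- Added example: VPD row-level and column-relevant policies.
-- Tables APP.EMPLOYEES and APP.ACCTS (both with ACCOUNT_MGT_ID) and
-- APP.ACCOUNT_MANAGERS (mgr_id, db_username) are assumed.

-- Policy function. VPD requires exactly this signature and calls it to get
-- the predicate text that is ANDed into the user's statement.
CREATE OR REPLACE FUNCTION app.acct_mgr_policy (
    p_schema IN VARCHAR2,
    p_object IN VARCHAR2) RETURN VARCHAR2
IS
BEGIN
  -- The application owner sees everything (NULL = no predicate added)
  IF SYS_CONTEXT('USERENV', 'SESSION_USER') = 'APP' THEN
    RETURN NULL;
  END IF;
  -- Everyone else: rows whose manager is the connected user. The subquery
  -- is evaluated inside the rewritten statement, so for manager 148 the
  -- effective query is "... where account_mgt_id = 148" as on the slide.
  RETURN 'account_mgt_id = (SELECT mgr_id FROM app.account_managers '
      || 'WHERE db_username = SYS_CONTEXT(''USERENV'',''SESSION_USER''))';
END;
/

BEGIN
  -- Slide 26: every SELECT/UPDATE/DELETE on EMPLOYEES is rewritten.
  -- update_check makes an UPDATE that would move a row outside the
  -- predicate fail instead of silently succeeding.
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'APP',
    object_name     => 'EMPLOYEES',
    policy_name     => 'EMP_BY_MANAGER',
    function_schema => 'APP',
    policy_function => 'ACCT_MGR_POLICY',
    statement_types => 'SELECT,UPDATE,DELETE',
    update_check    => TRUE);

  -- Slide 27: column-relevant policy on ACCTS. The predicate applies only
  -- when the statement references SOCIAL_SECURITY_NUMBER. With ALL_ROWS,
  -- rows outside the predicate are still returned but that column is NULL
  -- (column masking); without it those rows are filtered out entirely.
  DBMS_RLS.ADD_POLICY(
    object_schema         => 'APP',
    object_name           => 'ACCTS',
    policy_name           => 'ACCTS_SSN_MASK',
    function_schema       => 'APP',
    policy_function       => 'ACCT_MGR_POLICY',
    statement_types       => 'SELECT',
    sec_relevant_cols     => 'SOCIAL_SECURITY_NUMBER',
    sec_relevant_cols_opt => DBMS_RLS.ALL_ROWS);
END;
/

-- Check the registered policies and which statement types they cover
SELECT object_name, policy_name, sel, upd, del, enable
FROM   dba_policies
WHERE  object_owner = 'APP';
```

Column masking (ALL_ROWS) is the right choice when a report must still list every account but only expose the SSN of the caller's own customers; plain row filtering is the right choice when the other rows must not be visible at all. Note that a query with no reference to the relevant column, such as a count of rows in ACCTS, is not restricted by ACCTS_SSN_MASK.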
29
The Need for Encryption
  • Key Drivers
  • Millions of records lost and many more vulnerable
  • Worldwide privacy, security and compliance
    regulations
  • Personal privacy data: credit cards, social IDs
  • PCI, California SB 1386, country-specific laws
  • Key Requirements
  • Encrypting data in existing applications with
    minimal perf impact
  • Automated Key Management

Diagram: customer credit card numbers exposed when disks are replaced for maintenance, laptops are stolen or backups are lost
30
Oracle Advanced Security: Transparent Encryption
and Strong Authentication
  • Strong Authentication (PKI, Kerberos)
  • Transparent Network Encryption
  • With RMAN, can encrypt entire backups sent to disk
31
Oracle Advanced Security: Transparent Data
Encryption Manageability (11g)
32
Oracle Advanced Security: Oracle Database 11g
Enhancements
  • Tablespace Encryption
  • Define a new tablespace as encrypted
  • No need to specify columns
  • Even more transparent than existing column TDE
  • Supports range scans
  • Supports foreign keys
  • Existing content can be moved into encrypted
    tablespaces
  • SECUREFILE LOB encryption
  • Hardware Security Module Integration
  • Generate, store and manage master key in an
    external hardware device
  • Standard PKCS #11 API allows customers to choose
    from HSM vendors

33
Transparent Data Encryption: Easy Uptake
  • No changes to existing applications
  • No triggers, no views
  • Minimal performance impact
  • Built-in key management
  • No crash course needed in encryption or key
    management; just focus on business logic
  • Simple alter table statement
  • Include changes in a script

TDE supported by Oracle E-Business Suite and SAP
34
Transparent Data Encryption: Deployment Guide for
Column Encryption
1. Identify columns holding sensitive data (credit
   cards, SSN)
2. Verify TDE supports the datatype (TDE supports
   almost all commonly used datatypes)
3. Verify the column is not part of a foreign key
   (simple data dictionary query)
4. Encrypt existing and new data (SQL Developer GUI
   or command-line DDL: ALTER TABLE ...)
Visit OTN for a complete list of data types and
more
35
Transparent Data Encryption: Deployment Guide for
Tablespace Encryption (11g)
1. Identify tables holding sensitive data (credit
   card numbers, SSN, other personally identifiable
   data (PII))
2. Create new encrypted tablespaces, using EM or
   command line
3. Move tables into the new encrypted tablespaces
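The two deployment guides (column encryption, steps 3 and 4, and 11g tablespace encryption) as SQL, added here as an example that is not from the deck. The wallet password, the APP.ACCTS table and its columns, the tablespace name, the datafile path and the index name are constructed placeholders; the wallet location is assumed to be configured in sqlnet.ora already.

```sql
-- Added example: TDE column encryption and 11g tablespace encryption.
-- APP.ACCTS, SECURE_TS, the datafile path and the index name are assumed.

-- Once per database: create the master key in the wallet (11g also opens
-- the wallet when the key is set). The password is a placeholder.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "WalletPassword_PLACEHOLDER";

-- Column guide, step 3: is the candidate column part of a foreign key?
-- Column TDE cannot be applied to FK columns; if this returns rows,
-- tablespace encryption (below) is the route instead.
SELECT c.owner, c.table_name, c.constraint_name, cc.column_name
FROM   dba_constraints  c
JOIN   dba_cons_columns cc
       ON  cc.owner = c.owner
       AND cc.constraint_name = c.constraint_name
WHERE  c.constraint_type = 'R'              -- R = referential (foreign key)
AND    cc.owner = 'APP'
AND    cc.table_name = 'ACCTS'
AND    cc.column_name = 'SOCIAL_SECURITY_NUMBER';

-- Column guide, step 4: one ALTER TABLE encrypts existing rows and all new
-- ones. Salted (default) is stronger; NO SALT is needed only when the column
-- must be indexed, because salted ciphertext cannot be indexed.
ALTER TABLE app.accts MODIFY (social_security_number ENCRYPT USING 'AES256');
ALTER TABLE app.accts MODIFY (credit_card_number ENCRYPT USING 'AES256' NO SALT);

-- Confirm which columns are now encrypted and how
SELECT owner, table_name, column_name, encryption_alg, salt
FROM   dba_encrypted_columns
WHERE  owner = 'APP';

-- Tablespace guide, step 2: an encrypted tablespace. Everything written to
-- its datafiles is encrypted, so range scans and foreign keys work as usual.
CREATE TABLESPACE secure_ts
  DATAFILE '/u01/oradata/ORCL/secure_ts01.dbf' SIZE 500M   -- placeholder path
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

-- Tablespace guide, step 3: move the table. MOVE invalidates the table's
-- indexes, so rebuild them (ideally into the same encrypted tablespace).
ALTER TABLE app.accts MOVE TABLESPACE secure_ts;
ALTER INDEX app.accts_pk REBUILD TABLESPACE secure_ts;      -- index name assumed

-- Confirm the tablespace is flagged as encrypted
SELECT tablespace_name, encrypted
FROM   dba_tablespaces
WHERE  tablespace_name = 'SECURE_TS';
```

Back up the wallet together with the database: an RMAN backup of an encrypted tablespace or column is unreadable without the master key, which is the point of the "backups lost" threat on the earlier slide, and also the reason a lost wallet is an outage.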
37
Need for Auditing Database Activity
  • Key Drivers
  • Regulatory Compliance (SOX, PCI, Privacy, etc.)
  • Risk assessment and compensating controls
  • Demonstrate controls for compliance
  • Security
  • Detect misuse of privileges
  • Key Requirements
  • Collect Audit trail data from many audit silos
  • Automate review of the audit trail logs, and
    raise alerts
  • Centralize audit policy management
  • Secure the audit trail
  • Minimize performance impact on production systems

38
Auditing in the Oracle Database: Robust, Flexible,
and High Fidelity Audit
  • Industry's most advanced
  • Robust auditing since Oracle 7 (1993)
  • Audit statement, privileges, statement event,
    failure or success, SYS auditing
  • Fine grained auditing introduced in Oracle9i
    (2001)
  • Flexible format supporting XML, SYSLOG, database
    tables, Windows event viewer
  • Used by customers today in nearly all markets
  • Finance
  • Healthcare
  • Government

39
Oracle Database Auditing: Overview
  • Statement auditing
  • Selective auditing of related groups of DDL/DML
    statements regarding a particular type of
    database structure or schema object
  • Can be specified for all users or for only a
    select list
  • Privilege auditing
  • Auditing of statements that require the use of a
    system privilege
  • Can be specified for all users or for only a
    select list
  • Schema object auditing
  • Auditing of all SELECT and DML statements that
    require the use of schema object privileges
  • For all users; cannot be set for a specific list
    of users

40
Oracle Database Auditing: Overview
  • Fine Grained Auditing
  • Introduced in Oracle9i
  • Policy / condition based auditing
  • Audit policies stored in database, associated
    with tables
  • Policy invoked (audit condition tested) when
    table is accessed; can audit when a specific
    column is accessed

Diagram: a query such as "Select name, salary from emp where ..." is checked against an audit policy enforced in the database ("... Where Salary > 500000 AUDIT COLUMN Salary"), which generates an audit record
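The three standard audit types from the previous slide and the fine-grained policy drawn on this one, as an added example (not from the deck). The HR.EMP table, the user names APP_DBA and REPORT_USER and the policy name are constructed; the audit condition and column are the ones on the slide.

```sql
-- Added example: statement, privilege, object and fine-grained auditing.
-- HR.EMP, APP_DBA, REPORT_USER and HIGH_SALARY_ACCESS are assumed names.

-- Send audit records to the database; EXTENDED also keeps SQL text and
-- bind values. Takes effect after a restart.
ALTER SYSTEM SET audit_trail = 'DB,EXTENDED' SCOPE = SPFILE;

-- Statement auditing (all users): logon/logoff, and CREATE/DROP/TRUNCATE TABLE
AUDIT SESSION;
AUDIT TABLE;

-- Privilege auditing, limited to a list of users, one record per use
AUDIT CREATE ANY TABLE, DROP ANY TABLE BY app_dba, report_user BY ACCESS;

-- Schema object auditing: applies to every user, cannot be narrowed to a list
AUDIT SELECT, UPDATE, DELETE ON hr.emp BY ACCESS WHENEVER SUCCESSFUL;

-- Fine-grained auditing: a record is written only when the statement
-- touches SALARY and a row it sees satisfies the condition, i.e. the
-- "... Where Salary > 500000 AUDIT COLUMN Salary" policy on the slide.
BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema   => 'HR',
    object_name     => 'EMP',
    policy_name     => 'HIGH_SALARY_ACCESS',
    audit_condition => 'SALARY > 500000',
    audit_column    => 'SALARY',
    statement_types => 'SELECT,UPDATE',
    audit_trail     => DBMS_FGA.DB + DBMS_FGA.EXTENDED,   -- keep SQL text/binds
    enable          => TRUE);
END;
/

-- Review: who looked at high salaries, with the statement they ran
SELECT db_user, client_id, timestamp, object_name, sql_text
FROM   dba_fga_audit_trail
WHERE  policy_name = 'HIGH_SALARY_ACCESS'
ORDER  BY timestamp DESC;

-- Standard audit trail for the same table (RETURNCODE 0 = success)
SELECT username, action_name, returncode, timestamp
FROM   dba_audit_trail
WHERE  owner = 'HR' AND obj_name = 'EMP'
ORDER  BY timestamp DESC;
```

The difference in volume is the reason to combine them: object auditing on EMP records every read, while the FGA policy records only the reads that actually exposed a salary above the threshold, which is the question a compliance reviewer asks.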
42
Oracle Audit Vault Trust-but-Verify
  • Collect and Consolidate Audit Data
  • Oracle 9i Release 2 and higher
  • Simplify Compliance Reporting
  • Built-in reports
  • Custom reports
  • Detect and Prevent Insider Threats
  • Alert suspicious activity
  • Scale and Security
  • Robust Oracle Database technology
  • Database Vault, Advanced Security
  • Partitioning
  • Lower IT Costs with Audit Policies
  • Centrally manage/provision audit settings

Diagram: Audit Vault (Monitor, Policies, Security, Reports) collecting from Oracle Database 9iR2, 10gR1, 10gR2 and 11gR1; other sources and databases planned (future)
43
Audit Vault Reports: Out-of-the-box Audit
Assessments, Custom Reports
  • Out-of-the-box reports
  • Privileged user activity
  • Access to sensitive data
  • Role grants
  • DDL activity
  • Login/logout
  • User-defined reports
  • What privileged users did on the financial
    database?
  • What user A did across multiple databases?
  • Who accessed sensitive data?
  • Custom reports
  • Oracle BI Publisher, Application Express, or 3rd
    party tools

44
Oracle Audit Vault Data Warehouse: Scalable,
Flexible, Secure
  • Audit Warehouse
  • Enable business intelligence and analysis
  • Performance and Scalability
  • Built-in partitioning
  • Scales to Terabytes
  • Security
  • Separation of Duty
  • Oracle Database Vault
  • Oracle Advanced Security
  • Oracle RAC certified

45
Oracle Audit Vault: Manageability
  • Audit Vault Dashboard
  • Enterprise overview
  • Alerts and Reports
  • Administration
  • Audit Policies
  • Audit Vault Policies
  • Provision database audit settings centrally for
    compliance policies
  • Collection of audit settings on the databases
  • Compare against existing audit settings on source
  • Demonstrate compliance

46
Ari Kaplan, President, Independent Oracle Users
Group (IOUG)
  • "If they're smart, a DBA can modify data and
    cover their tracks since DBAs tend to have
    unlimited access to databases. The technologies
    in Oracle's vaulting software make that
    impossible since every action a DBA executes
    effectively goes into a lockbox that they are
    powerless to modify."
  • July '07

47
Integrating with Oracle Audit Vault: Levels of
Integration
  • Leverage native database auditing beneath Apps
  • Turn ON database auditing under application for
    compliance specific events (DDL, DBA logins)
  • Low performance impact utilizing OS audit trail
    records
  • Fine-grained-audit (FGA) specific to sensitive
    tables
  • End-user Identity Propagation
  • Pass client identifier from mid-tier or
    initialize after connection; recorded in audit
    trail
  • Extensible reporting
  • Build custom reports against Audit Vault
    warehouse
  • Use Audit Vault SDK for application specific
    auditing
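The end-user identity propagation bullet in practice, as an added example (not from the deck): a mid-tier that pools connections sets the client identifier for each request, and every standard and fine-grained audit record written afterwards carries it. The application user name and the pooled account are constructed.

```sql
-- Added example: client identifier propagation into the audit trail.
-- 'jsmith@portal' and the pooled database account are constructed values.

-- The mid-tier runs this immediately after taking a pooled connection for a
-- request (JDBC and OCI expose a client-identifier setter with the same
-- effect). Nothing about the session's privileges changes; only the label.
BEGIN
  DBMS_SESSION.SET_IDENTIFIER('jsmith@portal');
END;
/

-- Inside the session: the database user is the shared pool account, but the
-- end user is now visible and is what gets written to audit records
SELECT SYS_CONTEXT('USERENV', 'SESSION_USER')      AS pooled_db_user,
       SYS_CONTEXT('USERENV', 'CLIENT_IDENTIFIER') AS end_user
FROM   dual;

-- ... application work on behalf of jsmith ...

-- Clear it before the connection goes back to the pool; otherwise the next
-- request on this connection is attributed to the wrong person
BEGIN
  DBMS_SESSION.CLEAR_IDENTIFIER;
END;
/

-- Reviewing by end user rather than by (shared) database user. Both the
-- standard and the FGA trail have a CLIENT_ID column, which is what
-- Audit Vault reports group on for "what user A did".
SELECT username AS db_user, client_id AS end_user,
       action_name, owner, obj_name, timestamp
FROM   dba_audit_trail
WHERE  client_id = 'jsmith@portal'
ORDER  BY timestamp DESC;
```

Setting the identifier does not authenticate anyone; it is the application's assertion of who it is acting for, so the mid-tier code that sets it must itself be trusted and the value should come from the application's authenticated session, not from user input.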

48
Oracle Audit Vault: Transparently Collecting Audit
Data
1. Define audit policies: privileged users, DDL,
   fine grained audit (sensitive data)
2. Configure collectors: Aud, OS, Redo
3. Set up alerts: new user creations, sensitive
   data access
4. Run reports: out-of-the-box or build custom
   using the open data warehouse schema
50
Oracle Database 11g: Core Database Security
Enhancements
  • Secure Configuration
  • Continuation of Secure By Default initiative
    started in Oracle9i
  • Password management settings
  • Audit sensitive administrative operations by
    default
  • Stronger password verifier
  • Case sensitive passwords
  • Backward compatibility mode
  • Expanded Kerberos support
  • Support principal names up to 2000 characters in
    length
  • Cross realm support
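The secure-configuration items on this slide set explicitly, as an added example (not from the deck or from Oracle's own scripts): case-sensitive logon, password management through a profile using the 11g verify function, and a check of the default administrative auditing. The profile name, its limits and the user name are constructed.

```sql
-- Added example: 11g secure configuration settings.
-- APP_USERS, APP_USER and the limit values are constructed.

-- Case-sensitive passwords (11g default). Setting it to FALSE is the
-- backward-compatibility mode for clients that cannot cope with it.
ALTER SYSTEM SET sec_case_sensitive_logon = TRUE;

-- Password management via a profile. VERIFY_FUNCTION_11G is created by
-- $ORACLE_HOME/rdbms/admin/utlpwdmg.sql and enforces the stronger
-- complexity rules; the numeric limits are days, except the counts.
CREATE PROFILE app_users LIMIT
  FAILED_LOGIN_ATTEMPTS    10
  PASSWORD_LOCK_TIME       1
  PASSWORD_LIFE_TIME       180
  PASSWORD_GRACE_TIME      7
  PASSWORD_REUSE_MAX       10
  PASSWORD_REUSE_TIME      365
  PASSWORD_VERIFY_FUNCTION verify_function_11g;

ALTER USER app_user PROFILE app_users;

-- After an upgrade, accounts that have not changed their password still
-- carry only the old case-insensitive (10G) verifier. Find them so the
-- owners can reset and pick up the 11G verifier.
SELECT username, password_versions, account_status
FROM   dba_users
WHERE  password_versions NOT LIKE '%11G%';

-- "Audit sensitive administrative operations by default": confirm the
-- statement audit options the 11g secure-by-default setup turned on
SELECT user_name, audit_option, success, failure
FROM   dba_stmt_audit_opts
ORDER  BY audit_option;
```

The profile limits should be taken from the organisation's password standard; the values here only show which limit controls which behaviour.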

51
A
52
Release-wide Map of Security Products
Releases (columns of the slide's matrix): Oracle 8i, Oracle Database 9iR1, 9iR2, 10g R1, 10g R2, 11gR1
Solutions (rows):
  • Database Auditing
  • Fine Grained Auditing
  • Virtual Private Database
  • Label Security
  • Client Identifier
  • Enterprise User Security
  • Network Encryption
  • Encryption API
  • Transparent Data Encryption
  • Tablespace Encryption
  • Privileged User Controls
  • Command Rules / Factors
53
Learn More
  • Technology Overview
  • Visit oracle.com/security: view whitepapers and
    webinars
  • Technical Information, Demos, Software
  • Visit OTN: otn.oracle.com -> Products -> Database
    -> Security and Compliance
  • PCI matrix
  • Step by step examples for Database Vault,
    Transparent Data Encryption and more

54