11gr2 security
TRANSCRIPT
Oracle Database 11g Release 2 Security Update and Plans: Defense-in-Depth
Vipin Samar, Vice President, Oracle Database Security
Program Agenda
• Today’s Threat Landscape
• Defense-in-Depth Approach
• Oracle Database Security Solutions
• Oracle Database Firewall (New!)
• Summary
• Q&A
Why Secure the Database?
Security Technologies Deployed
(Figure: security technologies typically deployed for employees, customers and citizens: authentication, identity management, network security, vulnerability management, end point security, email security and other security, with the open question “DB Security?”)
How Does Data Get Compromised? (Source: Verizon 2010 Data Breach Investigations Report)
Where Do Losses Come From? (2010 Data Breach Investigations Report)
92% of records were taken from compromised databases
Top Attack Techniques: % of Breaches and % of Records (2010 Data Breach Investigations Report)
Most records were lost through “Stolen Credentials” and “SQL Injection”
Existing Security Solutions Not Enough
Data must be protected in depth
(Figure: attack paths to the database from web users, application users and application/database administrators: botware, malware, key loggers, espionage, phishing, SQL injection and social engineering)
Database Security: Defense-In-Depth Approach
• Monitor and block threats before they reach databases
• Control access to data within the databases
• Track changes and audit database activity
• Encrypt data to prevent direct access
• Implement with
– Transparency – no changes to existing applications
– High Performance – no measurable impact on applications
– Accuracy – minimal false positives and negatives
Oracle Database Security Defense-in-Depth
Access Control
• Oracle Database Vault
• Oracle Label Security
Encryption and Masking
• Oracle Advanced Security
• Oracle Secure Backup
• Oracle Data Masking
Auditing and Tracking
• Oracle Audit Vault
• Oracle Configuration Management
• Oracle Total Recall
Monitoring and Blocking
• Oracle Database Firewall
Oracle Database Security Defense-in-Depth: Encryption and Masking
Oracle Advanced Security: End-to-End Encryption
(Figure: data stays encrypted from the application to disk, backups, exports and off-site facilities)
• Efficient encryption of all application data
• Built-in key lifecycle management
• No application changes required
• Works with Exadata and Oracle Advanced Compression
Oracle Advanced Security: Integrated with Oracle Enterprise Manager
TDE Column Encryption: Integrated with Oracle Enterprise Manager
Oracle Advanced Security: What’s New and Coming?
• Hardware Acceleration Support
– Performance overhead already < 10% for most applications
– 7-10x performance gain with Intel Advanced Encryption Standard New Instructions (AES-NI) and Oracle SPARC T-3
• Key Management and HSM Support
– Certified with SafeNet, Thales, Utimaco using PKCS #11
– Planned support for Oracle’s Key Management System
Oracle Data Masking: Irreversible De-Identification
• Mask sensitive data for test and partner systems
• Sophisticated masking: condition-based, compound, deterministic
• Extensible template library and policies for automation
• Leverage masking templates for common data types
• Integrated masking and cloning
• Masking of heterogeneous databases via database gateways
• Command line support for data masking tasks
Production:
LAST_NAME SSN SALARY
AGUILAR 203-33-3234 40,000
BENSON 323-22-2943 60,000
Non-Production (masked):
LAST_NAME SSN SALARY
ANSKEKSL 111-23-1111 40,000
BKJHHEIEDK 222-34-1345 60,000
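As an added illustration of deterministic, irreversible masking in the spirit of the Production/Non-Production table above (this is not Oracle's code and not the Data Masking product's algorithm): names and SSNs are replaced through a keyed HMAC, so the same input always masks to the same output (deterministic, which keeps foreign keys consistent across tables) but cannot be reversed once the one-time key is discarded. The rows and the key are constructed values.

```python
import hashlib
import hmac
import string

# Constructed sample rows modelled on the Production table on the slide.
PRODUCTION = [
    {"LAST_NAME": "AGUILAR", "SSN": "203-33-3234", "SALARY": 40000},
    {"LAST_NAME": "BENSON", "SSN": "323-22-2943", "SALARY": 60000},
]

def _digest(key: bytes, column: str, value: str) -> bytes:
    # Keyed HMAC-SHA256: the same (key, column, value) always yields the same
    # bytes (deterministic); without the key the mapping cannot be recomputed
    # or inverted. The column name is mixed in so the same value masked in
    # two different columns does not produce the same output.
    return hmac.new(key, f"{column}\x00{value}".encode(), hashlib.sha256).digest()

def mask_name(key: bytes, value: str, length: int = 8) -> str:
    # Replace the name with uppercase letters derived from the digest.
    d = _digest(key, "LAST_NAME", value)
    return "".join(string.ascii_uppercase[b % 26] for b in d[:length])

def mask_ssn(key: bytes, value: str) -> str:
    # Format-preserving: every digit is replaced, dashes keep their positions.
    # (b % 10 over a byte is slightly biased; fine for test data.)
    d = iter(_digest(key, "SSN", value))
    return "".join(str(next(d) % 10) if c.isdigit() else c for c in value)

# Column-level rules; SALARY has no rule and is copied as-is, as on the slide.
RULES = {"LAST_NAME": mask_name, "SSN": mask_ssn}

def mask_rows(rows: list, key: bytes) -> list:
    """Apply RULES to every row; columns without a rule are left unchanged."""
    return [
        {col: RULES[col](key, val) if col in RULES else val for col, val in row.items()}
        for row in rows
    ]

if __name__ == "__main__":
    # Constructed key: generated for one masking run and then discarded,
    # which is what makes the de-identification irreversible.
    key = b"constructed-one-time-masking-key"
    for before, after in zip(PRODUCTION, mask_rows(PRODUCTION, key)):
        print(before, "->", after)
```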
Oracle Data Masking: What’s Coming?
• Sensitive data identification based on privacy attributes
• Application Masking templates for
– E-Business Suite
– Fusion Applications
Oracle Database Security Defense-in-Depth: Access Control
Oracle Database Vault: Separation of Duties & Privileged User Controls
• Restricts application data from privileged users
• DBA separation of duties
• Securely consolidate application data
• No application changes required
• Works with Oracle Exadata
(Figure: Procurement, HR and Finance application schemas consolidated in one database; a DBA issuing “select * from finance.customers” is kept away from the protected Finance data)
Oracle Database Vault: Multi-Factor Access Control Policy Enforcement
• Protect application data and prevent application by-pass
• Enforce who, where, when, and how using rules and factors
• User Factors: Name, Authentication type, Proxy Enterprise Identity
• Network Factors: Machine name, IP, Network Protocols
• Database Factors: IP, Instance, Hostname, SID
• Runtime Factors: Date, Time
(Figure: Procurement, HR and Rebates application schemas behind the policy)
Oracle Database Vault: Out-of-the-Box Protections For Applications
• Pre-built policies with further possible customization
• Complements application security
• Transparent to existing applications
• Minimal performance overhead
• Certifications Underway:
– Oracle Hyperion
– Oracle Tax and Utilities
Applications with out-of-the-box protections:
• Oracle E-Business Suite 11i / R12
• PeopleSoft Applications
• Siebel, i-Flex, Retek
• JD Edwards EnterpriseOne
• SAP
• Infosys Finacle
Oracle Label Security: Data Classification for Access Control
• Classify users and data based on business drivers
• Database enforced row level access control
• Users classification through Oracle Identity Management Suite
• Classification labels can be factors in Database Vault
(Figure: Sensitive, Confidential and Public labels applied to transactions, report data and reports)
Oracle Database Security Defense-in-Depth: Auditing and Tracking
Oracle Audit Vault: Automated Audit Collection and Reporting
• Consolidate audit data into a secure warehouse
• Create/customize compliance and entitlement reports
• Detect and raise alerts on suspicious activities
• Centralized audit policy management
• Integrated audit trail cleanup
(Figure: audit data from CRM, ERP and HR databases flows into Audit Vault, which applies policies and produces built-in reports, custom reports and alerts for the auditor)
Oracle Audit Vault: Consolidated Reports Span Enterprise Databases
Oracle Audit Vault 10.2.3.2: Default Reports
Oracle Configuration Management: Secure Configuration & Change Tracking
• Continuous scanning against best practices and gold baselines
• 200+ out-of-the-box policies spanning host, database, and middleware
• Real-time detection of changes to processes, files, etc.
• Violations can trigger emails and create tickets
• Compliance reports mapped to compliance frameworks
(Figure: compliance dashboard, optimized for Oracle with industry-specific compliance dashboards, fed by user-defined policies and groups, real-time change detection, industry and regulatory frameworks, and out-of-box policies)
Oracle Database Security Defense-in-Depth: Monitoring and Blocking
Oracle Database Firewall: First Line of Defense
• Prevent unauthorized activity, application bypass and SQL injections
• Highly accurate SQL grammar based analysis
• Flexible enforcement options
• Built-in and custom compliance reports
(Figure: SQL from applications passes through the firewall, which can Block, Log, Allow, Alert or Substitute each statement, driven by policies and producing built-in reports, custom reports and alerts)
Oracle Database Firewall: Security Model
• White-list based policies enforce normal or expected behavior
• Evaluate factors such as time, day, network, app, etc.
• Easily generate white-lists for any application
• Log, alert, block or substitute out-of-policy SQL statements
• Black lists to stop unwanted SQL commands, user, or schema access
• Superior performance and policy scalability based upon clustering
(Figure: application SQL is checked against the white list and either allowed or blocked)
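A simplified illustration of the white-list model above, added here as an example (it is not Oracle Database Firewall code and does not reproduce its SQL grammar engine): each statement is reduced to a grammar-level template by replacing literals with placeholders, templates seen in normal application traffic form the white-list, a black-list catches statement classes the application never issues, and anything else is substituted with a harmless statement and flagged for an alert. The white-list, black-list and sample statements are constructed.

```python
import re

# Grammar-level normalisation: literals become "?" so that two statements that
# differ only in their values share one template, while a changed structure
# (extra predicates, a different command) yields a different template.
_STRING = re.compile(r"'(?:[^']|'')*'")          # '...' with '' as escaped quote
_NUMBER = re.compile(r"\b\d+(?:\.\d+)?\b")

def normalize(sql: str) -> str:
    tpl = _STRING.sub("?", sql)
    tpl = _NUMBER.sub("?", tpl)
    return re.sub(r"\s+", " ", tpl).strip().lower()

# Constructed white-list: templates learned from the application's normal traffic.
WHITE_LIST = {
    normalize("SELECT * FROM orders WHERE customer_id = 17"),
    normalize("INSERT INTO orders (customer_id, total) VALUES (17, 99.5)"),
}

# Constructed black-list: statement classes this application never issues.
BLACK_LIST = re.compile(r"^(drop|alter|grant|truncate|create)\b")

# Harmless statement forwarded in place of an out-of-policy one: the client
# receives an empty result set instead of an error (the "substitute" option).
SUBSTITUTE = "select null from dual where 1 = 0"

ALERTS = []   # stand-in for the appliance's alert channel

def evaluate(sql: str):
    """Return (action, statement_to_forward) for one inbound SQL statement."""
    tpl = normalize(sql)
    if tpl in WHITE_LIST:
        return "allow", sql                       # known-good template: pass through
    if BLACK_LIST.search(tpl):
        ALERTS.append(("block", tpl))             # unwanted command class: drop it
        return "block", None
    ALERTS.append(("substitute", tpl))            # unknown template: neutralise it
    return "substitute", SUBSTITUTE

if __name__ == "__main__":
    for stmt in ("select * from orders where customer_id = 42",
                 "select * from orders where customer_id = 42 or 1=1",
                 "drop table orders"):
        print(evaluate(stmt))
```

The second sample statement shows why literal-level normalisation matters: the injected predicate changes the template, so it no longer matches the learned white-list entry even though the values are masked.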
Oracle Database Firewall: Deployment Architecture
• In-line blocking and monitoring, or out-of-band monitoring modes
• Monitoring of remote databases by forwarding network traffic
• Centralized policy management and reporting
• High availability options for Database Firewalls and Management Servers
• Support for multiple Oracle/non-Oracle databases with the same firewall
(Figure: inbound SQL traffic handled in in-line blocking and monitoring mode, HA in-line mode, or out-of-band monitoring mode, with a Management Server and Policy Analyzer alongside)
Oracle Database Security – Big Picture
(Figure: encrypted database, encrypted backups and encrypted exports; data masking; audit consolidation; Sensitive, Confidential and Public labels across the Procurement, HR and Rebates applications; controls against local DBA privilege mis-use, DB consolidation security and unauthorized local activity; network SQL monitoring and blocking with Block, Log, Allow, Alert and Substitute actions)
Oracle Database Security: Key Differentiators
More Oracle Database Security Presentations
• Monday:
– 12:30 pm: Making a Business Case for Information Security, MS 300
– 3:30 pm: Oracle Database 11g Release 2 Security: Defense-in-Depth, MS 103
• Tuesday:
– 12:30 pm: Real-World Deployment and Best Practices: Oracle Audit Vault, MS 104
– 2:00 pm: Real-World Deployment and Best Practices: Oracle Advanced Security, MS 300
– 2:00 pm: Best Practices for Ensuring the Highest Enterprise Database Security, MS 304
– 3:30 pm: Database Security Event Management: Oracle Audit Vault and ArcSight, MS 300
– 5:00 pm: Real-World Deployment and Best Practices: Oracle Database Vault, MS 303
• Wednesday:
– 10:00 am: Protect Data and Save Money: Aberdeen, MS 306
– 11:30 am: Preventing Database Attacks With Oracle Database Firewall, MS 306
– 4:45 pm: Centralized Key Management and Performance: Oracle Advanced Security, MS 306
• Thursday:
– 10:30 am: Deploying Oracle Database 11g Securely on Oracle Solaris, MS 104
MS = Moscone South
Oracle Database Security Hands-on Labs
• Monday:
– Database Vault, 11:00 AM | Marriott Marquis, Salon 10 / 11
– Database Vault, 5:00 PM | Marriott Marquis, Salon 10 / 11
• Tuesday:
– Database Security, 11:00 AM | Marriott Marquis, Salon 10 / 11
• Thursday:
– Advanced Security, 12:00 PM | Marriott Marquis, Salon 10 / 11
– Audit Vault, 1:30 PM | Marriott Marquis, Salon 10 / 11
Oracle Database Security Demo Grounds, Moscone West
• Oracle Database Firewall
• Oracle Database Vault
• Oracle Label Security
• Oracle Audit Vault
• Oracle Advanced Security
• Oracle Database 11g Release 2 Security
Exhibition Hours
Monday, September 20: 9:45 a.m. - 5:30 p.m.
Tuesday, September 21: 9:45 a.m. - 5:30 p.m.
Wednesday, September 22: 9:00 a.m. - 4:00 p.m.
The preceding is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
For More Information
oracle.com/database/security
search.oracle.com: search for “database security”
Q&A