oracle database 11g - session1 material
Addressing Data Privacy, Regulatory Compliance, and Insider Threats
Roxana Bradescu, Sr. Director, Database Security Product Marketing
Mike Blackin, Director, Database Security Technology Business Unit
Paul Needham, Director, Database Security Product Management
© 2008 Oracle Corporation 2
New Data Security Challenges: Protecting Data Privacy is Harder Than Ever
• Data Breaches
• Insider Theft
• Off-Shoring/Outsourcing
• Data Consolidation
• Databases Replacing Firewalls As Targets
• Enterprise Identity Theft
• Exploiting Application Vulnerabilities
New Regulatory Compliance Challenges: Costly and Complex
• More global data privacy regulations
  • 90% of companies fail compliance
• Costly breach disclosure laws
  • $239/record
  • Up to $35M/breach
• Complex IT requirements
  • Separation of duties
  • Proof of compliance
  • Constant self assessment
  • On-the-spot audit reporting
Regulations shown: SOX, K-SOX, GLBA, PCI, HIPAA, EU Directives, Basel II, PIPEDA, J-SOX, SAS70
Data Privacy and Regulatory Compliance: Database Security Challenges
• Protecting Access to Application Data
• Data Classification
• Database Monitoring
• De-Identifying Information for Sharing
• Protecting Data-at-Rest
Oracle Database Security: Unrivaled Industry Firsts
[Timeline figure spanning Oracle 7, Oracle 8i, Oracle Database 9i, Oracle Database 10g and Oracle Database 11g, with a government customer noted; the features placed on the timeline are:]
• Data Masking
• TDE Tablespace Encryption
• Oracle Audit Vault
• Oracle Database Vault
• Transparent Data Encryption (TDE)
• Real-Time Column Masking
• Secure Configuration Scanning
• Client Identity Propagation
• Fine Grained Auditing
• Oracle Label Security
• Proxy Authentication
• Enterprise User Security
• Virtual Private Database (VPD)
• Database Encryption API
• Strong Authentication
• Native Network Encryption
• Database Auditing
Oracle Database Security Solutions for Privacy and Compliance
• Database Vault
• Data Masking
• Advanced Security
• Label Security
• Secure Backup
• Audit Vault
• Configuration Management
• Total Recall
What we heard from our customers: Protecting Access to Application Data
• “Legal says our DBA should not be able to read patient database records, but the DBA needs to access the database to do her job. What do we do?”
• “Our SOX auditors require that we separate account creation from granting privileges to accounts.”
• “No user should be able to by-pass our application to access information in the database directly.”
• “How do we keep the Finance department from running reports during production hours?”
• “New DBAs should not be able to make database changes without a senior DBA being present.”
Oracle Database Vault: Privileged User Controls
• Prevent privileged users from accessing data outside their authorization
• Eliminate security risks from database consolidation
• Enforce Separation of Duties, Least Privilege, and other policies
• No changes to existing applications required
[Diagram: a DBA, the HR App DBA and the FIN App DBA each issue SELECT * FROM HR.EMP; the HR schema is protected by an HR Realm and the FIN schema by a FIN Realm]
Oracle Database Vault: Ad-Hoc Database Access Controls
• Database Vault rules can consider multiple external factors
• Prevent application by-pass and ad-hoc access
• Enforce two-admin rules and other security policies
• Out-of-the-box policies for Oracle applications
[Diagram: an HR Application User and a FIN Application DBA issue CONNECT … and CREATE … against the HR and FIN schemas; the rules evaluate factors such as business hours and an unexpected IP address]
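The two Database Vault slides above describe a realm around an application schema and rules built on external factors. The following is an added example (not from the deck) that expresses both with the DBMS_MACADM API; the realm, rule, account names and the subnet are assumptions, and it is run as the Database Vault owner.

```sql
-- Added example (not from the deck): a Database Vault realm around the HR
-- schema plus a factor-based rule set on CONNECT. Run as the DV owner;
-- realm, rule, account names and the subnet are assumptions.
BEGIN
  -- 1. Realm: even a DBA holding SELECT ANY TABLE is blocked on HR objects
  --    unless authorized in the realm. Failed attempts are audited.
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'HR Realm',
    description   => 'Protects HR application data from privileged users',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name => 'HR Realm', object_owner => 'HR',
    object_name => '%', object_type => '%');
  -- Only the HR application DBA is a realm participant.
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name => 'HR Realm', grantee => 'HR_APP_DBA',
    rule_set_name => NULL,
    auth_options => DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);

  -- 2. Rules over external factors: business hours and the expected subnet
  --    (Client_IP is a default Database Vault factor).
  DBMS_MACADM.CREATE_RULE('Business Hours',
    q'[TO_CHAR(SYSDATE,'HH24') BETWEEN '08' AND '18']');
  DBMS_MACADM.CREATE_RULE('Trusted Subnet',
    q'[DVF.F$CLIENT_IP LIKE '10.1.2.%']');
  DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'Ad-Hoc Access Check',
    description     => 'All rules must pass',
    enabled         => DBMS_MACUTL.G_YES,
    eval_options    => DBMS_MACUTL.G_RULESET_EVAL_ALL,
    audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
    fail_options    => DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => 'Connection outside access policy',
    fail_code       => 20001,
    handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);
  DBMS_MACADM.ADD_RULE_TO_RULE_SET('Ad-Hoc Access Check', 'Business Hours');
  DBMS_MACADM.ADD_RULE_TO_RULE_SET('Ad-Hoc Access Check', 'Trusted Subnet');

  -- 3. Command rule: the FIN application account may CONNECT only when the
  --    rule set passes, which closes the ad-hoc (non-application) path.
  DBMS_MACADM.CREATE_COMMAND_RULE(
    command => 'CONNECT', rule_set_name => 'Ad-Hoc Access Check',
    object_owner => 'FIN_APP', object_name => '%',
    enabled => DBMS_MACUTL.G_YES);
END;
/
-- Verify what is now enforced.
SELECT realm_name, object_owner, object_name FROM dvsys.dba_dv_realm_object;
SELECT command, rule_set_name, object_owner FROM dvsys.dba_dv_command_rule;
```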
Oracle Database Vault: Separation of Duties
• Security Administration: the security administrator manages Database Vault
• Database Administration: the DBA manages day-to-day database operations
• Account Management: the account administrator creates new database accounts
• Application-Specific Administration: the application administrator can manage the application database
• Extensible: can separate development from test, and many other functions
What we heard from our customers: Protecting Data-at-Rest
• “Our PCI auditors say we have to encrypt credit card data.”
• “We need to encrypt personal identity information to comply with EU Data Privacy but cannot change our applications.”
• “We want to manage medical images in our database but they have to be encrypted for HIPAA compliance.”
• “We don’t want users with operating system file ‘read’ access to be able to walk away with our database.”
• “We send back-up tapes off-site and need to make sure they are secure even if the off-site facility is compromised.”
Oracle Advanced Security: Transparent Data Encryption (TDE)
• Protect sensitive application data by encrypting:
  • Specific columns (credit cards)
  • Entire application tables
  • New SecureFile type (images, documents)
• Automated built-in key management
  • Two-tier scheme for separation of duties
  • Hardware Security Modules (HSM) integration
• No changes to applications required
[Diagram: Network Encryption between application and database, with data shown scrambled on disk]
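The slide names three TDE scopes (columns, whole tablespaces, SecureFiles LOBs). As an added example that is not from the deck, here are the statements for each plus the views that confirm what is actually encrypted; it assumes the wallet location is already configured in sqlnet.ora, and the password, datafile path and object names are assumptions.

```sql
-- Added example (not from the deck): the three TDE scopes from the slide,
-- with the checks that confirm what is actually encrypted. Assumes the
-- wallet location is configured in sqlnet.ora; the password, file path and
-- object names are assumptions.

-- 1. Master key: created once, then the wallet is opened after each restart.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "wallet_password_here";
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "wallet_password_here";

-- 2. Column encryption: the credit card number only. SALT is the default
--    and strengthens the ciphertext; NO SALT is required for indexed columns.
ALTER TABLE orders MODIFY (credit_card ENCRYPT USING 'AES256');

-- 3. Tablespace encryption: every table created here is encrypted on disk,
--    so an OS user with read access to the datafile gets only ciphertext.
CREATE TABLESPACE app_enc
  DATAFILE '/u01/app/oracle/oradata/ORCL/app_enc01.dbf' SIZE 100M
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);
CREATE TABLE patients (patient_id NUMBER PRIMARY KEY, name VARCHAR2(100))
  TABLESPACE app_enc;

-- 4. SecureFiles LOB for images and documents, encrypted per LOB.
CREATE TABLE medical_images (
  image_id NUMBER PRIMARY KEY,
  image    BLOB)
  LOB (image) STORE AS SECUREFILE (ENCRYPT USING 'AES256');

-- 5. Verification: wallet state and the encrypted objects.
SELECT wrl_type, status FROM v$encryption_wallet;
SELECT owner, table_name, column_name, encryption_alg, salt
  FROM dba_encrypted_columns;
SELECT tablespace_name FROM dba_tablespaces WHERE encrypted = 'YES';

-- 6. Key rotation: rekeying the master key re-wraps the table keys; the
--    application data itself is untouched.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "wallet_password_here";
```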
Transparent Data Encryption: Point-And-Click Deployment
[Screenshot]
Oracle Secure Backup: Integrated Encrypted Tape Backup Management
• Secure data protection for entire Oracle environment
• Policy-based encryption for domain, host, backup, or tape
• Automated encryption key management for tape backups
• Transparent recovery decryption by authorized users
[Diagram: Oracle Secure Backup backing up file systems (UNIX, Linux, Windows, NAS) and Oracle Databases to tape]
What we heard from our customers: Data Classification
• “We want to restrict access to data in our database on a need to know basis.”
• “We want to label our customer accounts to assign high-value accounts to strategic account managers.”
• “We want to consolidate sensitive information in a single database for better business intelligence but we need to compartmentalize access.”
• “We need to apply labels to our data to comply with HIPAA.”
• “We want to label our international accounts so we can assign to local managers and not violate data privacy regulations.”
Oracle Label Security: Data Classification
• Classify records by assigning a label
• Label transparently stored in a hidden tamper-resistant column
• Use classification label to enforce security policies
• “Need to Know”: assign labels to application users so they can only access data with the same or lower classification
• Labels can be "factors" in Oracle Database Vault policies
[Diagram: rows labelled Confidential, Sensitive and Highly Sensitive; user label authorizations of Sensitive and Highly Sensitive]
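The classification on the slide (Confidential, Sensitive, Highly Sensitive) and the user authorizations below it, as an added example that is not from the deck. It uses the Label Security administrative packages; the policy, table, column and user names are assumptions.

```sql
-- Added example (not from the deck): the Confidential / Sensitive /
-- Highly Sensitive classification from the slide applied to an HR table.
-- Run as LBACSYS with Label Security installed; policy, table and user
-- names are assumptions.
BEGIN
  -- Policy: every protected table gains a hidden, tamper-resistant label
  -- column; HIDE keeps it out of SELECT * and DESCRIBE.
  SA_SYSDBA.CREATE_POLICY(
    policy_name     => 'HR_CLASS',
    column_name     => 'OLS_LABEL',
    default_options => 'READ_CONTROL, WRITE_CONTROL, HIDE');
  -- Levels: a higher number is a higher classification.
  SA_COMPONENTS.CREATE_LEVEL('HR_CLASS', 1000, 'CON', 'Confidential');
  SA_COMPONENTS.CREATE_LEVEL('HR_CLASS', 2000, 'SEN', 'Sensitive');
  SA_COMPONENTS.CREATE_LEVEL('HR_CLASS', 3000, 'HS',  'Highly Sensitive');
  -- Protect the table with the policy's default options.
  SA_POLICY_ADMIN.APPLY_TABLE_POLICY(
    policy_name => 'HR_CLASS',
    schema_name => 'HR',
    table_name  => 'EMPLOYEE_RECORDS');
  -- Need to know: a manager authorized up to Sensitive reads Confidential
  -- and Sensitive rows only; the privacy officer reads all three levels.
  SA_USER_ADMIN.SET_USER_LABELS('HR_CLASS', 'HR_MANAGER', 'SEN');
  SA_USER_ADMIN.SET_USER_LABELS('HR_CLASS', 'PRIVACY_OFFICER', 'HS');
END;
/
-- Label existing rows as a user holding the policy's FULL privilege
-- (granted with SA_USER_ADMIN.SET_USER_PRIVS); the hidden column can be
-- named explicitly.
UPDATE hr.employee_records
   SET ols_label = CHAR_TO_LABEL('HR_CLASS', 'HS')
 WHERE medical_flag = 'Y';      -- assumed column
UPDATE hr.employee_records
   SET ols_label = CHAR_TO_LABEL('HR_CLASS', 'CON')
 WHERE ols_label IS NULL;
-- Verify the authorizations; each user's reads are then filtered by level.
SELECT user_name, max_level, def_level
  FROM dba_sa_user_levels
 WHERE policy_name = 'HR_CLASS';
```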
Point-And-Click Data Classification: Easy to Deploy Labels
[Screenshot]
What we heard from our customers: De-Identifying Information for Sharing
• “Our Shipping Department employees need to get order information but should not see credit card numbers.”
• “We’ve outsourced Customer Account management and need to make sure off-shore agents only see tax IDs for the accounts they manage.”
• “Off-shore development contractors need production data for testing but we cannot provide them with employee names or social security numbers.”
• “Our analysts need to build actuarial models based on real data but HIPAA requires that they cannot see actual patient names or doctor names.”
Enterprise Manager Data Masking Pack: Off-Line Data Masking
• Turn sensitive information into non-sensitive information for sharing
• Consistent masking via extensible format library
• Maintains referential integrity for applications
• Automated data masking for databases enterprise-wide
Production Database:
LAST_NAME   CREDIT_CARD       AMT
AGUILAR     4408041254369873  80.00
BENSON      4417123456789112  60.00
Mask (Cloned Database):
LAST_NAME   CREDIT_CARD       AMT
ANSKEKSL    4111111111111111  80.00
BKJHHEIEDK  4408041234567890  60.00
Virtual Private Database: Real-Time Data Masking
• Policy based real-time masking
• Return all records but redact sensitive columns
• Optionally unmask select records if user authorized
[Diagram: the application runs Select * from customers; the VPD policy adds
  where account_mgr_id = sys_context('APP','CURRENT_MGR');
so the SSN column is returned only for the rows the current manager is authorized to see, while every row is still returned]
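The column-masking behaviour the slide shows (all rows returned, SSN redacted unless the predicate holds), as an added example that is not from the deck. The predicate is the one on the slide; the application context, package and table names are assumptions.

```sql
-- Added example (not from the deck): column-level VPD that returns every
-- customer row but nulls the SSN unless the row belongs to the current
-- account manager. The predicate is the one on the slide; context,
-- package and table names are assumptions.

-- 1. Application context carrying the manager id (set by the app at login).
CREATE OR REPLACE CONTEXT app USING app_sec.ctx_pkg;
CREATE OR REPLACE PACKAGE app_sec.ctx_pkg AS
  PROCEDURE set_mgr(p_mgr_id IN NUMBER);
END;
/
CREATE OR REPLACE PACKAGE BODY app_sec.ctx_pkg AS
  PROCEDURE set_mgr(p_mgr_id IN NUMBER) IS
  BEGIN
    DBMS_SESSION.SET_CONTEXT('APP', 'CURRENT_MGR', TO_CHAR(p_mgr_id));
  END;
END;
/
-- 2. Policy function: returns the predicate VPD appends to queries.
CREATE OR REPLACE FUNCTION app_sec.mask_ssn(p_schema IN VARCHAR2,
                                            p_table  IN VARCHAR2)
  RETURN VARCHAR2 AS
BEGIN
  RETURN q'[account_mgr_id = sys_context('APP','CURRENT_MGR')]';
END;
/
-- 3. Column-masking policy: ALL_ROWS keeps every row and returns SSN as
--    NULL where the predicate is false (without it, those rows are hidden).
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema         => 'APP',
    object_name           => 'CUSTOMERS',
    policy_name           => 'MASK_SSN',
    function_schema       => 'APP_SEC',
    policy_function       => 'MASK_SSN',
    statement_types       => 'SELECT',
    sec_relevant_cols     => 'SSN',
    sec_relevant_cols_opt => DBMS_RLS.ALL_ROWS);
END;
/
-- Usage (SQL*Plus): manager 7 sees SSNs only on the accounts they manage;
-- every other customer row still appears, with SSN returned as NULL.
EXEC app_sec.ctx_pkg.set_mgr(7);
SELECT cust_id, account_mgr_id, ssn, credit_limit FROM app.customers;
```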
What we heard from our customers: Database Monitoring
• “To comply with SOX and HIPAA, we need to produce monthly reports for our auditors to prove that our IT controls are working. And that’s all we do all month.”
• “We need to monitor who did what, when, and how to our databases. And we need to be alerted if something looks suspicious.”
• “We want to check for database security vulnerabilities like open ports, pre-defined account passwords, etc.”
• “We want to self-assess on a continuous basis to ensure we are in compliance before our auditors show up.”
• “Our database configuration is secure. How do we keep it from drifting?”
Auditing in the Oracle Database: Robust, Flexible, and High Fidelity Audit
• Industry’s most advanced DBMS auditing
  • Audit all SQL statements
  • Audit access to specific database objects
  • Audit statements that use system privileges
  • Audit activity by specific user or group of users
  • Audit Login/Logout
  • Fine grained auditing for conditional auditing
• Flexible
  • Audit table and OS file destinations
  • Supports XML format
  • Windows event viewer & SYSLOG
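The audit capabilities listed above, as the statements a DBA would run; this is an added example, not from the deck, and the table and account names are assumptions.

```sql
-- Added example (not from the deck): the audit capabilities on the slide as
-- the statements a DBA would run. Table and account names are assumptions.

-- 1. Destination: database trail with SQL text and bind values. For a copy
--    that an in-database administrator cannot edit, write OS/XML files and
--    syslog instead. These parameters take effect after a restart.
ALTER SYSTEM SET audit_trail = 'DB,EXTENDED' SCOPE = SPFILE;
-- ALTER SYSTEM SET audit_trail = 'XML,EXTENDED' SCOPE = SPFILE;
-- ALTER SYSTEM SET audit_syslog_level = 'LOCAL1.WARNING' SCOPE = SPFILE;

-- 2. Standard auditing: logins, a sensitive object, a system privilege,
--    and every statement from one contractor account.
AUDIT SESSION;
AUDIT SELECT, UPDATE, DELETE ON hr.employee_records BY ACCESS;
AUDIT SELECT ANY TABLE BY ACCESS;
AUDIT ALL STATEMENTS BY contractor_01 BY ACCESS;

-- 3. Fine grained (conditional) auditing: a record only when a SELECT
--    actually reads SALARY for senior grades, with SQL text and binds.
BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema     => 'HR',
    object_name       => 'EMPLOYEE_RECORDS',
    policy_name       => 'SENIOR_SALARY_READS',
    audit_condition   => 'JOB_LEVEL >= 8',
    audit_column      => 'SALARY',
    statement_types   => 'SELECT',
    audit_trail       => DBMS_FGA.DB + DBMS_FGA.EXTENDED,
    audit_column_opts => DBMS_FGA.ANY_COLUMNS);
END;
/

-- 4. Review: who did what, when, from where. A non-zero RETURNCODE is a
--    failed statement, often the first sign of someone probing.
SELECT username, os_username, userhost, action_name, owner, obj_name,
       returncode, extended_timestamp
  FROM dba_audit_trail
 WHERE extended_timestamp > SYSTIMESTAMP - INTERVAL '1' DAY
 ORDER BY extended_timestamp;
SELECT db_user, userhost, object_name, sql_text, sql_bind, timestamp
  FROM dba_fga_audit_trail
 ORDER BY timestamp;
```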
Oracle Audit Vault: Monitor Database Activity with a Secure Audit Data Warehouse
• Manage Audit Data
  • Centrally manage all Oracle database audit settings
  • Secure consolidation of audit data from all Oracle databases
• Detect suspicious activities
  • Monitor all database users, especially privileged users
  • Alert on unauthorized activities
• Simplify compliance reporting
  • Built-in compliance reports
  • Define custom reports
[Diagram: audit data flows from Oracle Database, and from other sources in future, into Oracle Audit Vault]
Audit Vault Reports: Out-of-the-box Audit Assessments and Reports
• Out-of-the-box reports
  • Privileged user activity
  • Access to sensitive data
  • Role grants, DDL activity
• User-defined reports
  • What did privileged users do on the financial database?
  • What did user ‘A’ do across multiple databases?
  • Who accessed sensitive data?
Oracle Audit Vault Management: Easy to Use Dashboards and Policy Settings
• Audit Dashboard
  • Enterprise overview
  • Alerts on audit events
  • Drill down reports
• Audit Policy Management
  • Collection of audit settings for databases
  • Provision database audit settings centrally for compliance policies
  • Compare against existing audit settings on source
  • Demonstrate compliance with internal mandates
Oracle Audit Vault Repository: Scalable, Flexible & Secure Audit Data Warehouse
• Performance and Scalability
  • Built-in partitioning
  • Enterprise-scale
• Flexible Reporting
  • Open warehouse schema
  • Oracle Business Intelligence Publisher or Application Express
  • Custom or 3rd party tools
• Secure
  • Privileged Audit Vault users can't modify audit data
  • Data encrypted in transit from source to Audit Vault
Introducing Oracle Total Recall: Tamper-Resistant Real-Time Database Archiving
• Automated table “snapshots” record changes to data
  • Complements auditing: who vs. what
  • Optimized to minimize performance overhead
• Historical data can be retained as long as needed for regulatory compliance and forensic analysis
  • Automatically prevents end users from changing historical data
• Seamless access to archived historical data
  • Historical data stored in the database for real-time access
  • Stored in compressed form to minimize storage requirements
select * from product_information
  AS OF TIMESTAMP TO_TIMESTAMP('02-MAY-05 12.00 AM', 'DD-MON-RR HH.MI AM')
  where product_id = 3060;
Oracle Configuration Management: Enterprise Monitoring for Security & Compliance
• Continuous configuration security vulnerability and compliance assessment
• More than 240 best practices built-in
• Compliance dashboard tracks scores for industry standards (CIS, COBIT)
• Configuration comparison against golden standards and history tracking
• Automated corrective actions and problem ticket creation for fast remediation
Tracking Compliance Over Time: Compliance Trend Across IT Infrastructure
[Screenshot: compliance trend chart]
Example of Security Policies: Over 240 Built-in Best Practices
Host
• Detect open ports
• Detect insecure services
• Ensure NTFS file system type (Windows)
Application Server
• HTTPD has minimal privileges
• Use HTTP/S
• Apache logging should be on
• Demo applications disabled
• Disable default banner page
• Disable access to unused directories
• Disable directory indexing
• Forbid access to certain packages
• Disable packages not used by DAD owner
• Remove unused DAD configurations
• Password complexity enabled
Database Services
• Enable listener logging
• Password-protect listeners
• Disallow default listener name
• Ensure listener log file is valid with correct ownership
• Ensure listener host name is specified with IP
Database File Permissions
• Init.ora should have restricted file permission
• Files in $OH/bin should be owned by Oracle
• Data files should be owned by Oracle
Database Profile/Configuration
• Default Passwords
• Disallow access to objects by a fixed user link
• Disallow default tablespace set to SYSTEM
• Set password_grace_time
• Limit or deny access to DBMS_LOB
• Set password_reuse_max
• Avoid using utl_file_dir parameter
“Implementation of Enterprise Manager Security policies with round the clock monitoring and reporting helped demonstrate to our SOX auditors that Transcontinental was in control of their IT environment.”
Peter Bass, Sr. Database Administrator, Transcontinental
For More Information
http://search.oracle.com (search for “database security”)
or
oracle.com/database/security
Q&A
Release Wide Map of Security Products
[Matrix of solution by release; the release columns are Oracle 8i, Oracle Database 9iR1, Oracle Database 9iR2, Oracle Database 10g R1, Oracle Database 10g R2 and Oracle Database 11gR1]
Solutions:
• EM Configuration Scanning
• TDE Column Encryption
• Total Recall
• Audit Vault
• TDE Tablespace Encryption
• Database Vault
• Virtual Private Database
• Network Encryption
• EM Data Masking
• Database Auditing
• Label Security
• Fine Grained Auditing