Copyright © 2013, Oracle and/or its affiliates. All rights reserved. Oracle Confidential Restricted

“Security Inside Out: Latest Innovations in Oracle Database 12c”, Marcin Kozak, Information Security Architect, Oracle Polska


Plug into the Cloud with Oracle Database 12c, 27.06.2013

Page 2

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle. Release timing for Oracle Database 12c is planned for Calendar Year 2013.

Page 4

Billions of Database Records Breached Globally

97% of Breaches Were Avoidable with Basic Controls

98% records stolen from databases

84% records breached using stolen credentials

71% fell within minutes

92% discovered by third party

Page 5

Anatomy of an Attack

“You don’t bother to just simply hack the organization and its infrastructure; you focus much more of your attention on hacking the employees….”

Uri Rivner, CTO, RSA (Security Division of EMC)

Targets Increasing as Attacks Evolve: DBAs, OS Admins, Developers, Multiple Copies of the Data, etc.

Page 6

Why are Databases so Vulnerable?

80% of IT Security Programs Don’t Address Database Security

Network Security

SIEM

Endpoint Security

Web Application Firewall

Email Security

Authentication & User Security

Database Security: ?

“Enterprises are taking on risks that they may not even be aware of. Especially as more and more attacks against databases exploit legitimate access.”

Forrester Research

Page 7

Oracle Database Security Solutions

Defense-in-Depth for Maximum Security

PREVENTIVE: Encryption; Redaction and Masking; Privileged User Controls

DETECTIVE: Activity Monitoring; Database Firewall; Auditing and Reporting

ADMINISTRATIVE: Sensitive Data Discovery; Configuration Management; Privilege Analysis

Page 9

Encryption is the Foundation

Preventive Control for Oracle Databases

Oracle Advanced Security

Transparent data encryption

Prevents access to data at rest

Requires no application changes

Built-in two-tier key management

“Near Zero” overhead with hardware

Integrations with Oracle technologies

– e.g. Exadata, Advanced Compression, ASM, Golden Gate, DataPump, etc.

Diagram labels: Disk, Backups, Exports, Off-Site Facilities, Applications

Page 10

Redaction of Sensitive Data Displayed

Preventive Control for Oracle Database 12c

Oracle Advanced Security

Real-time sensitive data redaction based on database session context

Library of redaction policies and point-and-click policy definition

Consistent enforcement, policies applied to data

Transparent to applications, users, and operational activities

Credit Card Numbers: 4451-2172-9841-4368, 5106-8395-2095-5938, 7830-0032-0294-1827

Redaction Policy: xxxx-xxxx-xxxx-4368, 4451-2172-9841-4368

Diagram labels: Billing Department, Call Center, Application
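The session-context redaction described on this slide can be expressed as a DBMS_REDACT policy; the following is an added example, not taken from the presentation. The schema APP, table PAYMENTS, role BILLING_ROLE, and the choice that only sessions holding that role see the full number are assumptions made for illustration.

```sql
-- Added example. Hypothetical names: APP.PAYMENTS, CARD_NO, BILLING_ROLE.
-- Sample rows reuse the three card numbers printed on the slide.
CREATE TABLE app.payments (
  payment_id NUMBER PRIMARY KEY,
  card_no    VARCHAR2(19) NOT NULL   -- stored as NNNN-NNNN-NNNN-NNNN
);
INSERT INTO app.payments VALUES (1, '4451-2172-9841-4368');
INSERT INTO app.payments VALUES (2, '5106-8395-2095-5938');
INSERT INTO app.payments VALUES (3, '7830-0032-0294-1827');
COMMIT;

CREATE ROLE billing_role;   -- assumption: granted only to billing users

BEGIN
  DBMS_REDACT.ADD_POLICY(
    object_schema       => 'APP',
    object_name         => 'PAYMENTS',
    column_name         => 'CARD_NO',
    policy_name         => 'REDACT_CARD_NO',
    function_type       => DBMS_REDACT.PARTIAL,
    -- input format, output format, mask character, first and last
    -- digit position to mask (digits 1..12, leaving the last four)
    function_parameters => 'VVVVFVVVVFVVVVFVVVV,VVVV-VVVV-VVVV-VVVV,x,1,12',
    -- The policy fires when this evaluates to TRUE, i.e. for every
    -- session that does not have BILLING_ROLE enabled.
    expression          =>
      q'[SYS_CONTEXT('SYS_SESSION_ROLES','BILLING_ROLE') = 'FALSE']'
  );
END;
/

-- Run this once in a session with BILLING_ROLE enabled and once without,
-- and compare what each session is shown for the same row.
SELECT payment_id, card_no FROM app.payments ORDER BY payment_id;

-- Review what is covered and under which condition.
SELECT object_owner, object_name, column_name, function_type
FROM   redaction_columns;
SELECT object_owner, object_name, policy_name, expression, enable
FROM   redaction_policies;
```

Accounts holding the EXEMPT REDACTION POLICY system privilege bypass the policy, so that grant belongs in any review of who can see the full values. Redaction changes what is displayed at query time and is not a substitute for access control against users who can run ad hoc SQL against the column.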

Page 11

Masking Data for Non-Production Use

Preventive Control for Oracle Databases

Oracle Data Masking

Replace sensitive application data

Referential integrity detected/preserved

Extensible template library and formats

Application templates available

Support for masking data in non-Oracle databases

Production:

LAST_NAME   SSN           SALARY

AGUILAR     203-33-3234   40,000

BENSON      323-22-2943   60,000

Non-Production:

LAST_NAME   SSN           SALARY

ANSKEKSL    323-23-1111   60,000

BKJHHEIEDK  252-34-1345   40,000

Diagram labels: Production, Non-Production, Dev, Test

Page 12

Privileged User Controls

Preventive Control for Oracle Databases

Database Vault

Limit DBA access to application data

Multi-factor SQL command rules

Realms create protective zones

Enforce enterprise data governance, least privilege, segregation of duties

Out of the box application policies

select * from finance.customers

Diagram labels: Procurement, HR, Finance, Application DBA, Applications, Security DBA, DBA

Page 13

Label Based Access Control

Preventive Control for Oracle Databases

Oracle Label Security

Virtual information partitioning for cloud, SaaS, hosting environments

Classify users and data using labels

Labels based on business drivers

Automatically enforced row level access control, transparent to applications

Labels can be factors in other policies

Diagram labels: Transactions, Report Data, Reports; Confidential Sensitive, Sensitive, Confidential, Public

Page 15

Database Activity Monitoring and Firewall

Detective Control for Oracle and non-Oracle Databases

Oracle Audit Vault and Database Firewall

Monitors network traffic, detects and blocks unauthorized activity

Highly accurate SQL grammar analysis

Can detect/stop SQL injection attacks

Whitelist approach to enforce activity

Blacklists for managing high risk activity

Scalable secure software appliance

Diagram labels: Users, Apps; SQL Analysis, Policy Factors, Whitelist, Blacklist; Allow, Log, Alert, Substitute, Block

Page 16

Audit, Report, and Alert in Real-Time

Detective Control for Oracle and non-Oracle Databases

Oracle Audit Vault and Database Firewall

Centralized secure repository delivered as secure, scalable software appliance

Powerful alerting - thresholds, group-by

Out-of-the box and custom reports

Consolidated multi-source reporting

Built-in fine grain segregation of duties

Diagram labels: Audit Data & Event Logs from OS & Storage, Directories, Databases, Oracle Database Firewall, Custom; Policies, Built-in Reports, Alerts, Custom Reports; Security Analyst, Auditor, SOC

Page 17

Oracle Audit Vault and Database Firewall

New Solution for Oracle and Non-Oracle Databases

Database Firewall: Allow, Log, Alert, Substitute, Block

Audit Vault: Firewall Events, Audit Data, OS, Directory, File System & Custom Audit Logs

Diagram labels: Users, Applications; Policies, Built-in Reports, Alerts, Custom Reports; Security Analyst, Auditor, SOC

Page 19

Discover Use of Privileges and Roles

Administrative Control for Oracle Database 12c

Oracle Database 12c Enterprise

Privilege Analysis

Turn on privilege capture mode

Report on actual privileges and roles used in the database

Helps revoke unnecessary privileges

Enforce least privilege and reduce risks

Increase security without disruption

Diagram labels: Create…, Drop…, Modify…, DBA role, APPADMIN role
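The capture, report and revoke cycle listed on this slide, written out with the DBMS_PRIVILEGE_CAPTURE package as an added example that is not part of the presentation. The capture name APPADMIN_USAGE is hypothetical; the APPADMIN role is the one named in the slide's diagram, and the session is assumed to hold the CAPTURE_ADMIN role.

```sql
-- Added example. Hypothetical capture name: APPADMIN_USAGE.
-- 1. Define a role-scoped capture and turn on capture mode.
BEGIN
  DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE(
    name        => 'APPADMIN_USAGE',
    description => 'Privileges actually exercised through APPADMIN',
    type        => DBMS_PRIVILEGE_CAPTURE.G_ROLE,
    roles       => ROLE_NAME_LIST('APPADMIN'));
  DBMS_PRIVILEGE_CAPTURE.ENABLE_CAPTURE('APPADMIN_USAGE');
END;
/

-- 2. Leave the capture running while the normal workload executes,
--    including infrequent jobs such as month-end batches.

-- 3. Stop capturing and populate the result views.
BEGIN
  DBMS_PRIVILEGE_CAPTURE.DISABLE_CAPTURE('APPADMIN_USAGE');
  DBMS_PRIVILEGE_CAPTURE.GENERATE_RESULT('APPADMIN_USAGE');
END;
/

-- 4. Privileges that were exercised during the window.
SELECT username, used_role, sys_priv, obj_priv, object_owner, object_name
FROM   dba_used_privs
WHERE  capture = 'APPADMIN_USAGE'
ORDER  BY username, used_role;

-- 5. Privileges granted through the role but never exercised:
--    the candidates to review for revocation.
SELECT rolename, sys_priv, obj_priv, object_owner, object_name
FROM   dba_unused_privs
WHERE  capture = 'APPADMIN_USAGE'
ORDER  BY rolename;

-- 6. Drop the capture definition once the findings are recorded.
BEGIN
  DBMS_PRIVILEGE_CAPTURE.DROP_CAPTURE('APPADMIN_USAGE');
END;
/
```

A privilege that appears unused only means it was not exercised during the capture window, so the window should cover rare maintenance and recovery tasks before anything is revoked.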

Page 20

Discover Sensitive Data and Databases

Administrative Control for Oracle Database 12c

Oracle Enterprise Manager 12c

Scan Oracle for sensitive data

Built-in, extensible data definitions

Discover application data models

Protect sensitive data appropriately: encrypt, redact, mask, audit…

Page 21

Configuration Management

Administrative Control for Oracle Databases

Oracle Database Lifecycle Management

Discover and classify databases

Scan for best practices, standards

Detect unauthorized changes

Automated remediation

Patching and provisioning

Diagram panels: Discover (Number of servers, Number of CPUs, Memory, Local Storage (GB)); Scan & Monitor; Patch

Page 23

Oracle Database Security Solutions

Customers Worldwide Rely on Oracle

SquareTwo Enables Fast Growth with Oracle Database Solutions

SquareTwo enables fast growth and regulatory compliance with Oracle Database security defense-in-depth solutions including Oracle Database Firewall, Oracle Data Masking, and Oracle Advanced Security

National Marrow Donor Program Database Defense-in-Depth

NMDP secures life-saving patient and donor data with Oracle Advanced Security, Oracle Database Vault, and Oracle Data Masking

T-Mobile Protects 35 Million Subscribers Using Oracle

T-Mobile explains how they use Oracle Database Firewall, Oracle Advanced Security, and Oracle Data Masking to secure sensitive data across the organization in both Oracle and non-Oracle databases

TransUnion Interactive Uses Database Firewall for Compliance

Hear how TransUnion Interactive protects customer data and meets regulatory compliance with database activity monitoring using Oracle Database Firewall

ETS Complies with PCI DSS Using Oracle Advanced Security

Educational Testing Service secures personally identifiable information (PII) and complies with regulatory requirements with Oracle Advanced Security

Page 24

Oracle Database Security Solutions

Summary

Simple and Flexible

Enterprise Ready

Security and Compliance

Speed and Scale

Page 25

Oracle Database Security Resources

www.oracle.com/database/security

Data Sheets, Whitepapers, Webcasts, Case Studies, Events, News and more…

Page 26

Q&A
