Oracle Database 11g Release 2 Security Update and Plans: Defense-in-Depth
Vipin Samar, Vice President, Oracle Database Security
Program Agenda
Today’s Threat Landscape
Defense-in-Depth Approach
Oracle Database Security Solutions
Oracle Database Firewall (New!)
Summary
Q&A
Why Secure the Database?
What’s new now? Exploding data; highly available data; sophisticated hackers; opportunistic insiders.
Lot at stake: customer, employee, citizen and corporate data; reputation; fines and penalties.
Deployment triggers: audit findings; outsourcing/offshoring; data consolidation; data breaches in the sector.
Security Technologies Deployed
Diagram of the technologies deployed around employee, customer and citizen data: End Point Security, Network Security, Authentication, Identity Management, Vulnerability Management, Other Security, and the open question: DB Security?
How Data Gets Compromised?
Source: Verizon 2010 Data Breach Investigations Report
Where Losses Come From? 92% of Records from Compromised Databases
Source: Verizon 2010 Data Breach Investigations Report
Top Attack Techniques: % Breaches and % Records
Source: Verizon 2010 Data Breach Investigations Report. Most records lost through “Stolen Credentials” and “SQL Injection”.
Existing Security Solutions Not Enough
Threats at the web-user layer: botware, malware, key loggers, espionage, phishing, SQL injection, social engineering.
Layers shown: Web Users, Application Users, Application, Database Administrators. Data must be protected in depth.
Speaker notes: The list of threats is all hacker buzzwords (which many customers hate and consider scare-mongering). Enterprise concerns that CISOs and CSOs have at the top of their list: accidental data access and loss; fraudulent DBAs; poorly written applications; inadequate access controls; excessive privilege; un-patched applications.
Database Security Defense-In-Depth Approach
Monitor and block threats before they reach databases
Control access to data within the databases
Track changes and audit database activity
Encrypt data to prevent direct access
Implement with: Transparency (no changes to existing applications); High Performance (no measurable impact on applications); Accuracy (minimal false positives and negatives)
Oracle Database Security Defense-in-Depth
Encryption and Masking: Oracle Advanced Security, Oracle Secure Backup, Oracle Data Masking
Access Control: Oracle Database Vault, Oracle Label Security
Auditing and Tracking: Oracle Audit Vault, Oracle Configuration Management, Oracle Total Recall
Monitoring and Blocking: Oracle Database Firewall
Oracle Database Security Defense-in-Depth: Encryption and Masking (Oracle Advanced Security, Oracle Secure Backup, Oracle Data Masking)
Oracle Advanced Security: End-to-End Encryption
Diagram: Application, Disk, Backups, Exports, Off-Site Facilities
Efficient encryption of all application data
Built-in key lifecycle management
No application changes required
Works with Exadata and Oracle Advanced Compression
Oracle Advanced Security Integrated with Oracle Enterprise Manager
TDE Column Encryption Integrated with Oracle Enterprise Manager
Oracle Advanced Security: What’s New and Coming?
Hardware Acceleration Support: performance overhead already < 10% for most applications; 7-10x performance gain with Intel Advanced Encryption Standard New Instructions (AES-NI) and Oracle SPARC T3
Key Management and HSM Support: certified with SafeNet, Thales, Utimaco using PKCS #11; planned support for Oracle’s Key Management System
Oracle Data Masking: Irreversible De-Identification
Example, Production vs. Non-Production (SSN column values not shown):
Production
LAST_NAME | SSN | SALARY
AGUILAR   |     | 40,000
BENSON    |     | 60,000
Non-Production
LAST_NAME  | SSN  | SALARY
ANSKEKSL   | 111— | 40,000
BKJHHEIEDK |      | 60,000
Mask sensitive data for test and partner systems
Sophisticated masking: condition-based, compound, deterministic
Extensible template library and policies for automation
Leverage masking templates for common data types
Integrated masking and cloning
Masking of heterogeneous databases via database gateways
Command line support for data masking tasks
Data Masking enhancements, new in Grid Control 11.1: CLI support for masking functions (list masking definitions, generate and save script, re-associate a masking definition to another target, import a masking definition, export a masking definition); data-preserving shuffle; SQL expression based mask formats; pre-masking scripts; random decimal number generation
Oracle Data Masking: What’s Coming?
Sensitive data identification based on privacy attributes
Application masking templates for E-Business Suite and Fusion Applications
Oracle Database Security Defense-in-Depth: Access Control (Oracle Database Vault, Oracle Label Security)
Oracle Database Vault: Separation of Duties & Privileged User Controls
Diagram: a DBA issuing "select * from finance.customers" against consolidated Procurement, HR and Finance application data
Restricts application data from privileged users
DBA separation of duties
Securely consolidate application data
No application changes required
Works with Oracle Exadata
Oracle Database Vault: Multi-Factor Access Control Policy Enforcement
Diagram: Procurement, HR and Rebates application data behind factor-based rules
Protect application data and prevent application by-pass
Enforce who, where, when, and how using rules and factors
User factors: name, authentication type, proxy enterprise identity
Network factors: machine name, IP, network protocols
Database factors: IP, instance, hostname, SID
Runtime factors: date, time
Oracle Database Vault: Out-of-the-Box Protections for Applications
Oracle E-Business Suite 11i / R12; PeopleSoft Applications; Siebel, i-Flex, Retek; JD Edwards EnterpriseOne; SAP; Infosys Finacle
Pre-built policies with further possible customization
Complements application security
Transparent to existing applications
Minimal performance overhead
Certifications underway: Oracle Hyperion, Oracle Tax and Utilities
Oracle Label Security: Data Classification for Access Control
Diagram: transactions, report data and reports labelled Sensitive, Confidential or Public, served to users with matching labels
Classify users and data based on business drivers
Database-enforced row-level access control
User classification through Oracle Identity Management Suite
Classification labels can be factors in Database Vault
Oracle Database Security Defense-in-Depth: Auditing and Tracking (Oracle Audit Vault, Oracle Configuration Management, Oracle Total Recall)
Oracle Audit Vault: Automated Audit Collection and Reporting
Diagram: audit data from CRM, ERP and HR databases flows into Audit Vault; policies, built-in and custom reports, and alerts for the auditor
Consolidate audit data into a secure warehouse
Create/customize compliance and entitlement reports
Detect and raise alerts on suspicious activities
Centralized audit policy management
Integrated audit trail cleanup
Updated: PricewaterhouseCoopers consulted on built-in reports; new compliance-related reports out-of-the-box; new entitlement reports out-of-the-box on database privileges and roles; report scheduling and notification
Integrated audit data cleanup: source audit data is automatically cleaned up after transfer to the secure central Oracle Audit Vault warehouse
Oracle Audit Vault: Consolidated Reports Span Enterprise Databases
Oracle Audit Vault 10.2.3.2 Default Reports
Oracle Configuration Management: Secure Configuration & Change Tracking
Optimized for Oracle with industry-specific compliance dashboards; user-defined policies and groups; real-time change detection; industry and regulatory frameworks; out-of-box policies
Continuous scanning against best practices and gold baselines
200+ out-of-the-box policies spanning host, database, and middleware
Real-time detection of changes to processes, files, etc.
Violations can trigger notifications and create tickets
Compliance reports mapped to compliance frameworks
Speaker notes: Enterprise Manager automatically detects all supported Oracle database versions once the agent is installed on a new server. After discovery, Enterprise Manager periodically collects configuration items for all databases it manages. Compliance policies run validations over this collected data. While a large number of policies are available out of the box, new ones can be easily authored by business users, and numerous policies can be grouped together to form policy groups. Some policy examples:
On the database, check that password profile settings (password lifetime, password grace time, and others) are set to recommended values
On the database, ensure that default user accounts like scott/tiger have been locked and their passwords expired
On the database host, check that important files like data files and control files do not have world read/write access
Unauthorized configuration changes generate violations, which can be used to trigger notifications or to update and create tickets. A large collection of reports is provided to assess compliance status and security risks. Real-time change detection identifies unauthorized changes when they happen, which lets companies respond immediately to security attacks and hacking attempts.
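Added illustration, not Enterprise Manager’s own policy engine, of the three policies from the speaker notes run as one policy group over a constructed configuration snapshot; the recommended limits, account names and file paths are assumptions:

```python
import stat

# Constructed snapshot of configuration items collected from one database
# host (made-up values, not real data), in the shape an agent would gather.
SNAPSHOT = {
    "profiles": {"DEFAULT": {"PASSWORD_LIFE_TIME": "UNLIMITED",
                             "PASSWORD_GRACE_TIME": "7",
                             "FAILED_LOGIN_ATTEMPTS": "10"}},
    "accounts": {"SCOTT": {"status": "OPEN", "default_password": True},
                 "HR": {"status": "OPEN", "default_password": False}},
    "files": {"/u01/oradata/control01.ctl": 0o644,
              "/u01/oradata/system01.dbf": 0o640},
}

# Assumed recommended upper limits for the password profile settings.
RECOMMENDED = {"PASSWORD_LIFE_TIME": 90, "PASSWORD_GRACE_TIME": 7,
               "FAILED_LOGIN_ATTEMPTS": 10}

# Each policy returns (policy_name, target, detail) tuples, one per violation.
def password_profile_policy(snap):
    """Every profile setting must be bounded and within the recommended limit."""
    found = []
    for profile, settings in snap["profiles"].items():
        for key, limit in RECOMMENDED.items():
            value = settings.get(key, "UNLIMITED")
            if value == "UNLIMITED" or int(value) > limit:
                found.append(("password_profile", profile,
                              f"{key}={value}, recommended <= {limit}"))
    return found

def default_accounts_policy(snap):
    """Accounts shipped with a default password must be expired and locked."""
    return [("default_accounts", user, f"status={acct['status']}")
            for user, acct in snap["accounts"].items()
            if acct["default_password"] and acct["status"] != "EXPIRED & LOCKED"]

def file_permission_policy(snap):
    """Data and control files must not be world readable or writable."""
    world = stat.S_IROTH | stat.S_IWOTH
    return [("file_permissions", path, f"mode={oct(mode)} is world accessible")
            for path, mode in snap["files"].items() if mode & world]

POLICY_GROUP = [password_profile_policy, default_accounts_policy,
                file_permission_policy]

def evaluate(snap, group=POLICY_GROUP):
    """Run each policy of the group over the snapshot; the returned violations
    are what would drive notifications or ticket creation."""
    return [v for policy in group for v in policy(snap)]
```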
Oracle Database Security Defense-in-Depth: Monitoring and Blocking (Oracle Database Firewall)
Oracle Database Firewall: First Line of Defense
Diagram: SQL from applications passes through the firewall, which can block, log, allow, alert or substitute, driven by policies and feeding built-in and custom reports and alerts
Prevent unauthorized activity, application bypass and SQL injections
Highly accurate SQL grammar based analysis
Flexible enforcement options
Built-in and custom compliance reports
Oracle Database Firewall: Security Model
Diagram: applications, a white list, and the allow/block decision
White-list based policies enforce normal or expected behavior
Evaluate factors such as time, day, network, application, etc.
Easily generate white-lists for any application
Log, alert, block or substitute out-of-policy SQL statements
Black lists to stop unwanted SQL commands, user, or schema access
Superior performance and policy scalability based upon clustering
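Added illustration, not the Database Firewall product’s code, of the white-list model described here: each statement is reduced to a grammatical shape, compared against shapes learned from normal traffic and against a black list, and session factors (application, network, time, the same kind of factors the Database Vault multi-factor slide lists) pick allow, alert, block or substitute; the application names, network prefix, hours and sample statements are assumptions:

```python
import re
from dataclasses import dataclass

# Literal patterns: a quoted string (with '' escapes) and a bare number.
_STRING = re.compile(r"'(?:[^']|'')*'")
_NUMBER = re.compile(r"\b\d+(?:\.\d+)?\b")

def sql_shape(stmt: str) -> str:
    """Reduce a statement to its grammatical shape: literals become '?',
    whitespace and case are canonicalised. Statements differing only in
    bound values share a shape; an injected extra clause does not."""
    shape = _NUMBER.sub("?", _STRING.sub("?", stmt))
    return re.sub(r"\s+", " ", shape).strip().rstrip(";").upper()

@dataclass
class Context:
    app: str        # application name reported by the session (factor)
    client_ip: str  # network factor
    hour: int       # runtime factor, 0-23

class WhitelistPolicy:
    """White list of expected shapes, a black list of statement types that
    are never allowed, and factor rules that select the enforcement action."""
    SUBSTITUTE = "SELECT 1 FROM DUAL WHERE 1 = 0"  # harmless, empty result
    BLACKLIST = ("DROP ", "ALTER USER ", "GRANT ")

    def __init__(self, apps, net_prefix, hours):
        self.shapes = set()
        self.apps = set(apps)    # applications allowed to reach the database
        self.net = net_prefix    # client network those applications live on
        self.hours = hours       # (start, end) business hours, end exclusive

    def learn(self, statements):
        """Build the white list from captured normal traffic."""
        self.shapes.update(sql_shape(s) for s in statements)

    def decide(self, stmt: str, ctx: Context):
        shape = sql_shape(stmt)
        if shape.startswith(self.BLACKLIST):
            return "block", shape
        factors_ok = (ctx.app in self.apps and ctx.client_ip.startswith(self.net)
                      and self.hours[0] <= ctx.hour < self.hours[1])
        if shape in self.shapes:  # known shape: allow, or alert if factors are off
            return ("allow" if factors_ok else "alert"), shape
        # Unknown shape: a trusted application gets a harmless substitute so it
        # does not crash on an error; anything else is blocked outright.
        if ctx.app in self.apps:
            return "substitute", self.SUBSTITUTE
        return "block", shape
```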
Oracle Database Firewall: Deployment Architecture
Diagram: inbound SQL traffic handled either in-line (blocking and monitoring, with an HA in-line mode) or out-of-band (monitoring), managed by a Management Server and the Policy Analyzer; four deployment options: in-line, in-line HA, out-of-band, out-of-band HA
In-line blocking and monitoring, or out-of-band monitoring modes
Monitoring of remote databases by forwarding network traffic
Centralized policy management and reporting
High availability options for Database Firewalls and Management Servers
Support for multiple Oracle/non-Oracle databases with the same firewall
Oracle Database Security – Big Picture
Diagram elements: Applications; Network SQL Monitoring and Blocking (Block, Log, Allow, Alert, Substitute); Local DBA Privilege Mis-Use; DB Consolidation Security; Unauthorized Local Activity; Sensitive / Confidential / Public labels across Procurement, HR and Rebates data; Encrypted Database, Encrypted Backups, Encrypted Exports; Data Masking; Audit consolidation
Oracle Database Security: Key Differentiators
Transparent; Performant; Certified with Applications; Best-in-Class Defense-in-Depth
More Oracle Database Security Presentations (MS = Moscone South)
Monday:
12:30 pm: Making a Business Case for Information Security, MS 300
3:30 pm: Oracle Database 11g Release 2 Security: Defense-in-Depth, MS 103
Tuesday:
12:30 pm: Real-World Deployment and Best Practices: Oracle Audit Vault, MS 104
2:00 pm: Real-World Deployment and Best Practices: Oracle Advanced Security, MS 300
2:00 pm: Best Practices for Ensuring the Highest Enterprise Database Security, MS 304
3:30 pm: Database Security Event Management: Oracle Audit Vault and ArcSight, MS 300
5:00 pm: Real-World Deployment and Best Practices: Oracle Database Vault, MS 303
Wednesday:
10:00 am: Protect Data and Save Money: Aberdeen, MS 306
11:30 am: Preventing Database Attacks With Oracle Database Firewall, MS 306
4:45 pm: Centralized Key Management and Performance: Oracle Advanced Security, MS 306
Thursday:
10:30 am: Deploying Oracle Database 11g Securely on Oracle Solaris, MS 104
Oracle Database Security Hands-on Labs (all in Marriott Marquis, Salon 10 / 11)
Monday: Database Vault, 11:00 AM; Database Vault, 5:00 PM
Tuesday: Database Security, 11:00 AM
Thursday: Advanced Security, 12:00 PM; Audit Vault, 1:30 PM
Oracle Database Security Demo Grounds, Moscone West
Demos: Oracle Database Firewall, Oracle Database Vault, Oracle Label Security, Oracle Audit Vault, Oracle Advanced Security, Oracle Database 11g Release 2 Security
Exhibition hours: Monday, September 20: 9:45 a.m. - 5:30 p.m.; Tuesday, September 21; Wednesday, September 22: 9:00 a.m. - 4:00 p.m.
Safe Harbor Statement
The preceding is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
For More Information
oracle.com/database/security
search.oracle.com: database security
Q & A