Session S311342: Do You Have a Database Security Plan?
Roxana Bradescu, Sr. Director, Database Security, Oracle
With guest speaker: Noel Yuhanna, Principal Analyst, Forrester Research
Safe Harbor Statement
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.
Oracle Confidential
Agenda
Introduction
Your Database Security Plan
Oracle Database Security Solutions
Q&A
Why Enterprises Need a Plan
Data growing 3x yearly
Data security the #1 priority
Over 500M data records breached
Over 150 global data regulations
Insiders now pose the greatest risk
2009 IT security budgets flat or reduced
Entire contents © 2009 Forrester Research, Inc. All rights reserved.
Do You Have A Database Security Plan?
Noel Yuhanna, Principal Analyst, Forrester Research
Agenda
Database Security Drivers And Trends
Enterprise Database Security Strategy
Building A Comprehensive Database Security Plan
Recommendations
Database security drivers and trends
Most organizations still have "gaps" in their security approaches, especially in databases, leaving a back door open for attacks.
Increasingly sophisticated attacks are being seen and are likely to continue in the near future, while the internal threat remains high.
Regulatory compliance pressure continues (PCI, SOX, HIPAA, GLBA, and EU), with many organizations still behind.
The security group is becoming more prominent across industries; a new Database Security Analyst role is seen in large companies.
Most organizations are looking for a broader security framework, focusing on single-vendor solutions that cover all bases.
Databases remain vulnerable
75% of threats come from insiders
60% of internal threats are undetected
Insider threats a concern (type of threat):
1. External users
2. Internal users
3. Files/Web servers
4. Administrators/DBAs/developers
5. Database vulnerability
6. Data backup
[Diagram: external users pass through a firewall and load balancer to web servers, app servers and ERP; internal users and privileged users reach the databases, file servers and backups directly; threat locations 1–6 are marked on the diagram.]
Security measures taken by organizations are improving, but most are still behind
Database security challenges continue to grow
Lack of understanding of business data/private data.
Lack of understanding of what needs to be done and where to start.
Lack of expertise in database security.
No clear separation of duties among the security group, DBAs and architects.
Privileged users have access to all data.
Lack of strong security processes and procedures.
Weak data security policies – inconsistent and ad hoc.
Lack of resources and time spent on database security.
Your Enterprise Database Security Strategy 2010
Three Key Pillars Essential For Any Enterprise Database Security
Surrounding the three pillars: Information Security Policies & Standards; Common Database Security Policies & Standards; Regulatory Compliances – PCI, SOX, HIPAA, EU; Role Separation; Reporting; Availability.
Foundation: Authentication, Authorization, Access Control; Discovery & Classification; Patch Management
Preventive: Network & Data-at-Rest Encryption; Data Masking; Change Management
Detection: Vulnerability Assessment; Security Monitoring; Database Auditing
Building a strong foundation is critical
Foundation: Authentication, Authorization, Access Control; Discovery & Classification; Patch Management
Discovery and classification – Know your databases.
Authentication, authorization and access control – Make the foundation as strong as possible.
Patch management – Other measures are not effective until patches are deployed.
Preventive builds on top of the foundation
Preventive: Network & Data-at-Rest Encryption; Data Masking; Change Management
Network and data-at-rest encryption – Protects production databases.
Data masking – Protects your non-production databases.
Change management – Protects critical structures of your database.
Detection completes your strategy
Detection: Vulnerability Assessment; Security Monitoring; Database Auditing
Database auditing – Alerts on data anomalies.
Security monitoring – Defends against real-time threats.
Vulnerability assessment – Checks integrity and configuration of your database.
Policies, Role Separation and Availability are part of the Strategy
Surrounding the three pillars: Information Security Policies & Standards; Common Database Security Policies & Standards; Regulatory Compliances – PCI, SOX, HIPAA, EU; Role Separation; Reporting; Availability.
Foundation: Authentication, Authorization, Access Control; Discovery & Classification; Patch Management
Preventive: Network & Data-at-Rest Encryption; Data Masking; Change Management
Detection: Vulnerability Assessment; Security Monitoring; Database Auditing
Taking Your Strategy Into Action: Database Security Plan
Database security plan
"Although most enterprises have a data security or information security plan, only 20 percent have a database security plan." – Forrester Research
Top five reasons why most don't have a database security plan
1. Most organizations don't know how to create one – the content, structure or format.
2. The security group doesn't have the expertise to build one.
3. DBAs don't have the time.
4. Many organizations feel that a data security plan alone is good enough, so why bother.
5. Many don't have the budget or resources available to build one.
Without a database security plan you are running a high-risk environment!
Basic-level database security is not good enough any more!
Without a database security plan:
– Gaps are likely to exist, making your environment highly vulnerable.
– You are likely to spend more time and effort on piecemeal approaches that create an inconsistent environment.
– End-to-end security implementations are often weak.
Database security plan workflow
[Diagram: Data/Information Security Policies, the Database Environment and Compliances feed into the Database Security Plan policies, owned jointly by the DBA Manager and the DSA (Database Security Analyst) / Security Officer.]
Seven steps in building a successful database security plan
Step 1. Establishing a team
Step 2. Understanding data security policies and compliances
Step 3. Understanding your database environment
Step 4. Establishing security policies
Step 5. Training and accountability
Step 6. Baseline and risk assessment
Step 7. Refining security plan
Step 1. Establishing a team
Without a team, security planning is likely to fail, since it requires collaboration among various roles and groups.
The team should comprise the following:
– Security: CISO or Security Director/Officer
– Database: DBA Manager or Data Management Manager
– Application: Apps Manager (optional)
– Architecture: Enterprise or Data Architect (optional)
– Infrastructure: Infrastructure or Systems Manager (optional)
Step 2. Understanding data security policies and compliance requirements
Organizations should leverage data security/information security policies to build a database security plan.
Understand data security policies and use only those that are applicable to databases or your environment, such as changing passwords every quarter.
Understand the impact of various compliances such as PCI, HIPAA, GLBA, SOX and EU on databases, but act on all of them together, not one at a time.
Get the security group involved in data security and compliance discussions.
Step 3. Understanding database environment – Discovery & Classification
Understand which DBMSes and releases are deployed.
Take a full inventory of all databases deployed, including production and non-production: test, development, QA, staging, HA and DR.
Understand the platforms used by databases: operating system, hardware and virtualized environments.
Understand which databases contain sensitive data and classify them based on classification policies.
Classification categories: #1 – highly sensitive (e.g. credit card numbers), #2 – sensitive (e.g. names and addresses) and #3 – not sensitive.
Step 4. Establishing security policies
Develop security policies over time, focusing on key areas such as:
– Authentication and authorization
– Data access – users, privileged users and DBAs
– Database administration procedures
– Encryption and data masking
– Non-production database security
– Installations, upgrades and migrations
– Security patches
– Detecting and recovering from attacks
– Etc.
Security policies: Database backup
Typical security policies for database backups of critical databases containing sensitive data would include:
– Backup procedure policy: How should database backups be taken? Who should take backups? What is the frequency of backups? How is the backup moved to tape? Where should the tapes be stored?
– Backup encryption policy: Which databases should be encrypted? What levels of encryption are to be used?
– Backup retention policy: How long should backups be stored? When and how should data on tapes be removed?
Security policies: Data-at-rest database encryption
Typical security policies for database encryption of critical databases containing sensitive data would include:
– Key management: How are keys generated? Where are the keys stored: in the database or externally, such as in an appliance or a file? How many keys are required? What encryption level is used?
– Approach: What encryption approach needs to be taken: column-level, table-level, tablespace-level, or file-level? Which databases should implement encryption?
Security Policies: Data Masking
Typical security policies for data masking of critical databases containing sensitive data would include:
– Approach: Whether to take the extract, mask and load (EML) or the extract, load and mask (ELM) approach.
– Masking algorithm: What algorithm to use – shuffling, randomize, new data generation, increment, decrement, look-up, etc.
– Columns to mask: Which categories of columns to mask?
Security Policies: Auditing
Typical security policies for auditing of critical databases containing sensitive data would include:
– Approach: How will the data be audited? What needs to be audited? What is the frequency of auditing? Should logs be centralized in a repository?
– Databases: Which databases should be audited? Which columns, users and tables to audit?
– Reports: What reports to generate? At what frequency? What alerts are to be generated?
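The auditing policy questions above (which tables, which users, which reports) map directly onto Oracle's built-in auditing statements. The following is an added illustration, not code from the slides or from any Oracle product documentation; it assumes a constructed FINANCE.CUSTOMERS table, a constructed privileged account DBA_OPS, and an instance started with AUDIT_TRAIL=DB so that audit records land in the database audit trail.

```sql
-- Added illustration (not from the slides): turning the auditing policy
-- decisions into Oracle statements.  FINANCE.CUSTOMERS and DBA_OPS are
-- constructed names; AUDIT_TRAIL=DB is assumed (a static parameter, so it
-- takes effect only after a restart).

-- "What to audit": every successful and failed SELECT/UPDATE/DELETE on the
-- sensitive table, one audit record per statement.
AUDIT SELECT, UPDATE, DELETE ON finance.customers BY ACCESS;

-- "Which users": audit everything the privileged account does, against any
-- object, because it can bypass the application's own access controls.
AUDIT ALL BY dba_ops BY ACCESS;

-- Verify the option is actually in force before the policy relies on it
-- (SEL/UPD/DEL show the success/failure setting as "A/A" for BY ACCESS).
SELECT owner, object_name, sel, upd, del
FROM   dba_obj_audit_opts
WHERE  owner = 'FINANCE' AND object_name = 'CUSTOMERS';

-- "Reports": the weekly review the policy calls for.  Failed statements
-- (non-zero return code) and out-of-hours access are the rows worth reading.
SELECT username, os_username, userhost, action_name, obj_name,
       timestamp, returncode
FROM   dba_audit_trail
WHERE  obj_name  = 'CUSTOMERS'
  AND  timestamp >= SYSDATE - 7
  AND  (returncode <> 0
        OR TO_NUMBER(TO_CHAR(timestamp, 'HH24')) NOT BETWEEN 7 AND 19)
ORDER BY timestamp;
```

The "should logs be centralized" question from the same slide is the gap this leaves: DBA_AUDIT_TRAIL lives in the audited database, where a privileged user can read or purge it, which is why the policy should also say where the trail is copied and who may clear it.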
Step 5. Training and accountability
All DBAs and privileged users that access critical databases should be given training on how to protect data and databases, and on the measures taken in the database security plan to limit data access, restrict certain processes and so on.
Take suggestions from DBAs, developers, testers and others on how to improve security.
Individuals should be held accountable for any unauthorized usage or access.
Step 6. Establishing baseline with risk assessment
Without a baseline, it is difficult to measure the success or failure of your database security plan.
Each of the security policies should have a threat level assigned – high, medium or low – depending on the assessment of the environment.
Risk assessment should be performed on a regular basis – weekly, or even daily for high-risk databases, depending on the classification level.
Step 7. Refine database security plan on a regular basis
Database security is an ongoing initiative, not a one-time process; it requires refining the database security plan on a regular basis – monthly or quarterly – to adapt to new technologies, compliances and business requirements.
The database security team should meet on a regular basis, at least weekly if not more often, to determine risk levels and improve database security policies and procedures.
Database Security Plan Template
Sample database security plan template
Executive summary: Overview and vision.
Team involved: List of personnel involved.
Database classifications and alerts: How to classify them, alert levels, what data is sensitive.
Database security policies: This is the core of the plan.
Risk assessment and baseline: How to assess risk and develop a baseline; reporting and alerting.
Recovering from attack: Process and procedures to follow.
Best practices: Typically not covered as a policy.
Exceptions: Override on security policy xxx based on approval from xxx.
Typical database security policy template:
Policy: Database password change control
DSP control number: DSP 34…
Ref number (Data/Info Security): IT849
Date created: …
Date modified: …
Summary: …
Risk level: …
Implementation:
– Applies to databases: …
– Approach to take: …
– Frequency to run: …
Security policy example:
Policy: Database password change control
DSP control #: DSP 34…
Ref # (Data/Info Security): IT849
Date created: 8/1/2009
Date modified: 8/1/2009
Description: All user passwords should be triggered to change every quarter, including administrator-level passwords. This is a corporate-level security requirement…
Risk level: Medium
Implementation:
– Applies to databases: All Category-1 databases on Oracle, SQL Server and DB2
– Approach to take: For Oracle, change the parameter that triggers password change; to be done by the DBA.
– Frequency to run: For every new account created, the parameter needs to be set.
– Assessment: Run weekly reports on Category-1 databases…
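For the Oracle part of the policy above, the "parameter" the DBA sets is a password limit in a profile. The block below is an added illustration of the DSP 34 control, not code from the slides; the profile and account names are constructed, 90 days is assumed as the meaning of "every quarter", and the initial password is a placeholder.

```sql
-- Added illustration (not from the slides): the "Database password change
-- control" policy as an Oracle profile.  DSP34_QUARTERLY_PW, APP_OWNER,
-- DBA_OPS and REPORT_READER are constructed names; 90 days is an assumed
-- reading of "every quarter".  Password limits in a profile are always
-- enforced (they do not depend on the RESOURCE_LIMIT parameter).
CREATE PROFILE dsp34_quarterly_pw LIMIT
  PASSWORD_LIFE_TIME     90    -- must be changed every 90 days
  PASSWORD_GRACE_TIME    7     -- warn for 7 days after expiry, then lock
  PASSWORD_REUSE_TIME    365   -- no reuse within a year ...
  PASSWORD_REUSE_MAX     10    -- ... nor of the last 10 passwords (both must be set)
  FAILED_LOGIN_ATTEMPTS  10
  PASSWORD_LOCK_TIME     1;    -- lock for 1 day after 10 failures

-- "Applies to": every account on a Category-1 database, administrators
-- included, since the policy covers administrator-level passwords too.
ALTER USER app_owner PROFILE dsp34_quarterly_pw;
ALTER USER dba_ops   PROFILE dsp34_quarterly_pw;

-- "Frequency to run": the profile is assigned when each new account is
-- created; PASSWORD EXPIRE forces a change at the first login.
CREATE USER report_reader IDENTIFIED BY "PLACEHOLDER-initial-password"
  PROFILE dsp34_quarterly_pw
  PASSWORD EXPIRE;

-- "Assessment": the weekly report.  Flags open accounts that are not on the
-- policy profile, have no expiry date, or are already past it.
SELECT username, profile, account_status, expiry_date
FROM   dba_users
WHERE  account_status NOT LIKE '%LOCKED%'
  AND  (profile <> 'DSP34_QUARTERLY_PW'
        OR expiry_date IS NULL
        OR expiry_date < SYSDATE)
ORDER BY username;

-- Confirm the limits the database is actually enforcing, not the ones the
-- policy document says it should be.
SELECT profile, resource_name, limit
FROM   dba_profiles
WHERE  profile = 'DSP34_QUARTERLY_PW'
  AND  resource_name LIKE 'PASSWORD%';
```

The last query is the one to keep in the weekly report: a profile that was later altered back to UNLIMITED still carries the policy's name, so checking DBA_USERS alone would report the account as compliant.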
Recommendations
A database security strategy is essential for all enterprises: start with the foundation and build the preventive and detection layers on top of it.
Start building a database security plan with a few policies, refining and expanding it over time.
Build an enterprise-wide database security plan, not one just for a department or region.
Remember that the best database security plan is one that is unique: create one that is relevant to your organization.
A database security plan cannot be successful without the security group being involved or without incorporating data security policies.
Thank you
Noel Yuhanna, Principal Analyst, Forrester Research
Oracle Database Security Solutions
Encryption & Masking: Advanced Security; Secure Backup; Data Masking
Access Control: Database Vault; Label Security
Monitoring: Configuration Management; Audit Vault; Total Recall
Oracle Advanced Security
Efficient encryption of all application data
Standards-based encryption for data in transit
No application changes required
Protects data on disk, in backups, in exports and at off-site facilities
Oracle Data Masking
Remove sensitive data from non-production databases
Referential integrity preserved so applications continue to work
Sensitive data never leaves the database
Extensible template library and policies for automation
Production:
LAST_NAME   SSN           SALARY
AGUILAR     203-33-3234   40,000
BENSON      323-22-2943   60,000
Non-Production:
LAST_NAME   SSN           SALARY
ANSKEKSL    111-23-1111   60,000
BKJHHEIEDK  222-34-1345   40,000
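The table above shows three of the masking algorithms named on the earlier policy slide applied at once: new data generation for the name, a look-up substitution for the SSN, and shuffling for the salary. The following is an added illustration of how the same three transformations can be applied in place on a non-production copy, so the sensitive data never leaves the database; it is not the Oracle Data Masking Pack's implementation. The EMP and PAYROLL tables are constructed, with PAYROLL carrying the same SSN column as EMP, which is the relationship that must survive masking.

```sql
-- Added illustration (not the Data Masking Pack): masking a non-production
-- copy in place.  EMP (emp_id, last_name, ssn, salary) and PAYROLL (ssn, ...)
-- are constructed tables.  If a foreign key enforces PAYROLL.SSN -> EMP.SSN,
-- disable it before step 3 and re-enable it afterwards.

-- 1. A one-to-one map from each real SSN to a synthetic one.  Every table that
--    stores the SSN is rewritten through the same map, which is what keeps the
--    tables joinable (referential integrity).  UNIQUE rejects any collision.
CREATE TABLE ssn_map (orig_ssn VARCHAR2(11) PRIMARY KEY,
                      new_ssn  VARCHAR2(11) NOT NULL UNIQUE);

INSERT INTO ssn_map (orig_ssn, new_ssn)
SELECT ssn,
       TO_CHAR(TRUNC(DBMS_RANDOM.VALUE(100, 900)),    'FM000')  || '-' ||
       TO_CHAR(TRUNC(DBMS_RANDOM.VALUE(10, 100)),     'FM00')   || '-' ||
       TO_CHAR(TRUNC(DBMS_RANDOM.VALUE(1000, 10000)), 'FM0000')
FROM   (SELECT DISTINCT ssn FROM emp);

-- 2. Names: "new data generation" - a random upper-case string per row.
UPDATE emp SET last_name = DBMS_RANDOM.STRING('U', 10);

-- 3. SSNs: "look-up" through the map, in every table that holds them.
UPDATE emp     e SET e.ssn = (SELECT m.new_ssn FROM ssn_map m WHERE m.orig_ssn = e.ssn);
UPDATE payroll p SET p.ssn = (SELECT m.new_ssn FROM ssn_map m WHERE m.orig_ssn = p.ssn);

-- 4. Salaries: "shuffling" - permute the real values among rows, so testers
--    keep a realistic distribution while no value is tied to a real person.
MERGE INTO emp e
USING (SELECT a.emp_id, b.salary AS new_salary
       FROM  (SELECT emp_id, ROW_NUMBER() OVER (ORDER BY DBMS_RANDOM.VALUE) rn FROM emp) a
       JOIN  (SELECT salary, ROW_NUMBER() OVER (ORDER BY emp_id)           rn FROM emp) b
       ON a.rn = b.rn) s
ON (e.emp_id = s.emp_id)
WHEN MATCHED THEN UPDATE SET e.salary = s.new_salary;

-- 5. Release checks: no real SSN survives anywhere, and PAYROLL still joins
--    to EMP after both were rewritten through the same map.
SELECT COUNT(*) AS real_ssns_remaining
FROM   emp
WHERE  ssn IN (SELECT orig_ssn FROM ssn_map);

SELECT COUNT(*) AS orphaned_payroll_rows
FROM   payroll p
WHERE  NOT EXISTS (SELECT 1 FROM emp e WHERE e.ssn = p.ssn);

-- The map links real to masked values, so it is itself sensitive data.
DROP TABLE ssn_map PURGE;
COMMIT;
```

Both counts in step 5 must be zero before the copy is handed to developers; the second one is the test of the "referential integrity preserved" claim, and it only holds because PAYROLL was rewritten through the same map rather than masked independently. The map is dropped with PURGE so it does not linger in the recycle bin of the non-production database.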
Oracle Database Vault
Limit the powers of privileged users – enforce separation of duties
Enforce who, where, when, and how using rules and factors
Protect application data by preventing application bypass
Out-of-the-box policies for Oracle applications
[Diagram: a DBA issuing "select * from finance.customers" is blocked from the Procurement, HR and Finance application data.]
Oracle Audit Vault
Consolidate audit data into a secure repository
Detect and alert on suspicious activities
Out-of-the-box compliance reporting
Centralized audit policy management
[Diagram: audit data from CRM, ERP and HR databases flows into the Audit Vault repository; policies are pushed back to the databases; the auditor receives built-in reports, custom reports and alerts.]
Oracle Total Recall
select salary from emp AS OF TIMESTAMP '02-MAY-09 12.00 AM' where emp.title = 'admin'
Transparently track data changes
Efficient, tamper-resistant storage of archives
Real-time access to historical data
Simplified forensics and error correction
Oracle Configuration Management
Database discovery
Continuous scanning against 375+ best practices and industry standards, extensible
Detect and prevent unauthorized configuration changes
Change management compliance reports
[Diagram: a cycle of Discover, Classify, Assess, Prioritize, Fix and Monitor, covering Asset Management, Policy Management, Vulnerability Management, Analysis & Analytics, and Configuration Management & Audit.]
Oracle Solutions Key to Your Database Security Plan
Comprehensive, Integrated, Transparent, Cost-Effective
Monitoring; Access Control; Encryption & Masking
Q & A
Oracle Database Security: Learn More At These Oracle Sessions
S311340 – Classify, Label, and Protect: Data Classification and Security with Oracle Label Security – Monday 14:30–15:30, Moscone South Room 307
S308113 – Oracle Data Masking Pack: The Ultimate DBA Survival Tool in the Modern World – Tuesday 11:30–12:30, Moscone South Room 102
S311338 – All About Data Security and Privacy: An Industry Panel – Tuesday 13:00–14:00, Moscone South Room 103
S311455 – Tips/Tricks for Auditing PeopleSoft and Oracle E-Business Suite Applications from the Database – Tuesday 14:30–15:30, Moscone South Room 306
S311339 – Meet the Database Security Development Managers: Ask Your Questions – Tuesday 16:00–17:00, Moscone South Room 306
S311345 – Database Auditing Demystified: The What, the How, and the Why – Tuesday 17:30–18:30, Moscone South Room 306
S311342 – Do You Have a Database Security Plan? – Wednesday 11:45–12:45, Moscone South Room 102
S311332 – Encrypt Your Sensitive Data Transparently in 30 Minutes or Less – Wednesday 13:00–13:30, Moscone South Room 103
S311337 – Secure Your Existing Application Transparently in 30 Minutes or Less – Wednesday 13:45–14:15, Moscone South Room 103
S311344 – Securing Your Oracle Database: The Top 10 List – Wednesday 17:00–18:00, Moscone South Room 308
S311343 – Building an Application? Think Data Security First – Thursday 13:30–14:30, Moscone South Room 104
For More Information
oracle.com/database/security
search.oracle.com for "database security"