Oracle Database 11g Release 2 Security Update and Plans: Defense-in-Depth
Vipin Samar, Vice President, Oracle Database Security

Program Agenda
• Today’s Threat Landscape
• Defense-in-Depth Approach
• Oracle Database Security Solutions
• Oracle Database Firewall (New!)
• Summary
• Q&A

Security Technologies Deployed
[Diagram labels: End Point Security, Vulnerability Mgmt, Email Security, Authentication, Network Security, Identity Management, Other Security, DB Security?; users: Employee, Customer, Citizen]

How Data Gets Compromised?
Source: Verizon 2010 Data Breach Investigations Report

Where Losses Come From?
• 92% of Records from Compromised Databases
Source: 2010 Data Breach Investigations Report

Top Attack Techniques: % Breaches and % Records
Source: 2010 Data Breach Investigations Report
• Most records lost through “Stolen Credentials” and “SQL Injection”

Existing Security Solutions Not Enough
[Diagram labels: Key Loggers, Malware, SQL Injection, Espionage, Phishing, Botware, Social Engineering; Web Users, Application Users, Administrators; Application, Database]
Data Must Be Protected in Depth

Database Security: Defense-in-Depth Approach
• Monitor and block threats before they reach databases
• Control access to data within the databases
• Track changes and audit database activity
• Encrypt data to prevent direct access
• Implement with
  • Transparency – no changes to existing applications
  • High Performance – no measurable impact on applications
  • Accuracy – minimal false positives and negatives

Oracle Database Security: Defense-in-Depth
• Encryption and Masking
  • Oracle Advanced Security
  • Oracle Secure Backup
  • Oracle Data Masking
• Access Control
  • Oracle Database Vault
  • Oracle Label Security
• Auditing and Tracking
  • Oracle Audit Vault
  • Oracle Configuration Management
  • Oracle Total Recall
• Monitoring and Blocking
  • Oracle Database Firewall

Oracle Database Security: Defense-in-Depth
• Encryption and Masking
  • Oracle Advanced Security
  • Oracle Secure Backup
  • Oracle Data Masking

Oracle Advanced Security: End-to-End Encryption
[Diagram labels: Application, Disk, Backups, Exports, Off-Site Facilities]
• Efficient encryption of all application data
• Built-in key lifecycle management
• No application changes required
• Works with Exadata and Oracle Advanced Compression

Oracle Advanced Security: Integrated with Oracle Enterprise Manager

TDE Column Encryption: Integrated with Oracle Enterprise Manager

Oracle Advanced Security: What’s New and Coming?
• Hardware Acceleration Support
  • Performance already < 10% for most applications
  • 7-10x performance gain with Intel Advanced Encryption Standard New Instructions (AES-NI) and Oracle SPARC T-3
• Key Management and HSM Support
  • Certified with SafeNet, Thales, Utimaco using PKCS #11
  • Planned support for Oracle’s Key Management System

Oracle Data Masking: Irreversible De-Identification
[Diagram labels: Production, Non-Production]
• Mask sensitive data for test and partner systems
• Sophisticated masking: condition-based, compound, deterministic
• Extensible template library and policies for automation
• Leverage masking templates for common data types
• Integrated masking and cloning
• Masking of heterogeneous databases via database gateways
• Command line support for data masking tasks

Oracle Data Masking: What’s Coming?
• Sensitive data identification based on privacy attributes
• Application masking templates for
  • E-Business Suite
  • Fusion Applications

Oracle Database Security: Defense-in-Depth
• Encryption and Masking
  • Oracle Advanced Security
  • Oracle Secure Backup
  • Oracle Data Masking
• Access Control
  • Oracle Database Vault
  • Oracle Label Security

Oracle Database Vault: Separation of Duties & Privileged User Controls
[Diagram labels: Procurement, HR, Finance, Application, DBA; query shown: select * from finance.customers]
• Restricts application data from privileged users
• DBA separation of duties
• Securely consolidate application data
• No application changes required
• Works with Oracle Exadata

Oracle Database Vault: Multi-Factor Access Control Policy Enforcement
[Diagram labels: Procurement, HR, Rebates, Application]
• Protect application data and prevent application bypass
• Enforce who, where, when, and how using rules and factors
  • User Factors: Name, Authentication type, Proxy Enterprise Identity
  • Network Factors: Machine name, IP, Network Protocols
  • Database Factors: IP, Instance, Hostname, SID
  • Runtime Factors: Date, Time

Oracle Database Vault: Out-of-the-Box Protections for Applications
[Application labels shown: Oracle E-Business Suite 11i / R12, PeopleSoft Applications, Siebel, i-Flex, Retek, JD Edwards EnterpriseOne, SAP, Infosys Finacle]
• Pre-built policies with further possible customization
• Complements application security
• Transparent to existing applications
• Minimal performance overhead
• Certifications Underway:
  • Oracle Hyperion
  • Oracle Tax and Utilities

Oracle Label Security: Data Classification for Access Control
[Diagram labels: Sensitive, Confidential, Public; Transactions, Report Data, Reports]
• Classify users and data based on business drivers
• Database-enforced row-level access control
• User classification through Oracle Identity Management Suite
• Classification labels can be factors in Database Vault

Oracle Database Security: Defense-in-Depth
• Encryption and Masking
  • Oracle Advanced Security
  • Oracle Secure Backup
  • Oracle Data Masking
• Access Control
  • Oracle Database Vault
  • Oracle Label Security
• Auditing and Tracking
  • Oracle Audit Vault
  • Oracle Configuration Management
  • Oracle Total Recall

Oracle Audit Vault: Automated Audit Collection and Reporting
[Diagram labels: Databases (HR Data, CRM Data, ERP Data), Audit Data, Policies, Alerts, Built-in Reports, Custom Reports, Auditor]
• Consolidate audit data into a secure warehouse
• Create/customize compliance and entitlement reports
• Detect and raise alerts on suspicious activities
• Centralized audit policy management
• Integrated audit trail cleanup

Oracle Audit Vault: Consolidated Reports Span Enterprise Databases

Oracle Audit Vault 10.2.3.2: Default Reports

Oracle Configuration Management: Secure Configuration & Change Tracking
[Diagram labels: Out-of-box Policies, User-defined Policies & Groups, Real-Time Change Detection, Industry & Regulatory Frameworks, Compliance Dashboard; caption: Optimized for Oracle with Industry Specific Compliance Dashboards]
• Continuous scanning against best practices and gold baselines
• 200+ out-of-the-box policies spanning host, database, and middleware
• Real-time detection of changes to processes, files, etc.
• Violations can trigger emails and create tickets
• Compliance reports mapped to compliance frameworks

Oracle Database Security: Defense-in-Depth
• Encryption and Masking
  • Oracle Advanced Security
  • Oracle Secure Backup
  • Oracle Data Masking
• Access Control
  • Oracle Database Vault
  • Oracle Label Security
• Auditing and Tracking
  • Oracle Audit Vault
  • Oracle Configuration Management
  • Oracle Total Recall
• Monitoring and Blocking
  • Oracle Database Firewall

Oracle Database Firewall: First Line of Defense
[Diagram labels: Applications; Allow, Log, Alert, Substitute, Block; Policies, Alerts, Built-in Reports, Custom Reports]
• Prevent unauthorized activity, application bypass and SQL injections
• Highly accurate SQL grammar based analysis
• Flexible enforcement options
• Built-in and custom compliance reports

Oracle Database Firewall: Security Model
[Diagram labels: Applications, White List, Allow, Block]
• White-list based policies enforce normal or expected behavior
• Evaluate factors such as time, day, network, app, etc.
• Easily generate white-lists for any application
• Log, alert, block or substitute out-of-policy SQL statements
• Black lists to stop unwanted SQL commands, user, or schema access
• Superior performance and policy scalability based upon clustering

Oracle Database Firewall: Deployment Architecture
[Diagram labels: Inbound SQL Traffic, In-Line Blocking and Monitoring, Out-of-Band Monitoring, HA In-Line Mode, Management Server, Policy Analyzer]
• In-line blocking and monitoring, or out-of-band monitoring modes
• Monitoring of remote databases by forwarding network traffic
• Centralized policy management and reporting
• High availability options for Database Firewalls and Management Servers
• Support for multiple Oracle/non-Oracle databases with the same firewall

Oracle Database Security – Big Picture
[Diagram labels: Applications; Network SQL Monitoring and Blocking (Allow, Log, Alert, Substitute, Block); Audit Consolidation; Unauthorized Local Activity; Local DBA Privilege Mis-Use; DB Consolidation Security (Procurement, HR, Rebates); Sensitive, Confidential, Public; Encrypted Database; Data Masking; Encrypted Backups; Encrypted Exports]

More Oracle Database Security Presentations
• Monday:
  • 12:30 pm: Making a Business Case for Information Security (MS 300)
  • 3:30 pm: Oracle Database 11g Release 2 Security: Defense-in-Depth (MS 103)
• Tuesday:
  • 12:30 pm: Real-World Deployment and Best Practices: Oracle Audit Vault (MS 104)
  • 2:00 pm: Real-World Deployment and Best Practices: Oracle Advanced Security (MS 300)
  • 2:00 pm: Best Practices for Ensuring the Highest Enterprise Database Security (MS 304)
  • 3:30 pm: Database Security Event Management: Oracle Audit Vault and ArcSight (MS 300)
  • 5:00 pm: Real-World Deployment and Best Practices: Oracle Database Vault (MS 303)
• Wednesday:
  • 10:00 am: Protect Data and Save Money: Aberdeen (MS 306)
  • 11:30 am: Preventing Database Attacks With Oracle Database Firewall (MS 306)
  • 4:45 pm: Centralized Key Management and Performance: Oracle Advanced Security (MS 306)
• Thursday:
  • 10:30 am: Deploying Oracle Database 11g Securely on Oracle Solaris (MS 104)
MS = Moscone South

Oracle Database Security Hands-on-Labs
• Monday:
  • Database Vault, 11:00 AM | Marriott Marquis, Salon 10 / 11
  • Database Vault, 5:00 PM | Marriott Marquis, Salon 10 / 11
• Tuesday:
  • Database Security, 11:00 AM | Marriott Marquis, Salon 10 / 11
• Thursday:
  • Advanced Security, 12:00 PM | Marriott Marquis, Salon 10 / 11
  • Audit Vault, 1:30 PM | Marriott Marquis, Salon 10 / 11

Oracle Database Security Demo Grounds: Moscone West
• Oracle Database Firewall
• Oracle Database Vault
• Oracle Label Security
• Oracle Audit Vault
• Oracle Advanced Security
• Oracle Database 11g Release 2 Security

The preceding is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.

For More Information
• search.oracle.com (search: database security)
• oracle.com/database/security

Q & A