1 Copyright © 2012, Oracle and/or its affiliates. All rights
reserved.
Public Information
The following is intended to outline our general product
direction. It is intended for information purposes only, and
may not be incorporated into any contract. It is not a
commitment to deliver any material, code, or functionality,
and should not be relied upon in making purchasing
decisions. The development, release, and timing of any
features or functionality described for Oracle’s products
remains at the sole discretion of Oracle.
Best Practices for Database
Security and Compliance
Tom Kyte, Sr. Technical Architect, Oracle
Troy Kitch, Sr. Manager, Database Security Product Marketing, Oracle
Program Agenda
• Enterprise Data Security Challenges
• Database Security Best Practices
• Oracle Database Security Solutions
• Defense-in-Depth
• Q&A
Database Server Breaches
Two-thirds of sensitive and regulated information now resides in databases … and doubling every two years
• 48% of data breaches caused by insiders
• 89% of records stolen using SQL injection
• 86% of hacking used stolen credentials
Over 1B records compromised over past six years
Source: Verizon, 2007-11 and IDC, "Effective Data Leak Prevention Programs: Start by Protecting Data at the Source — Your Databases", August 2011
How Secure Are Your Databases? 2011 IOUG Data Security Survey Results
24% Can prevent DBAs from accessing data and stored procedures
69% Do not monitor sensitive application data reads and writes
63% Have not taken steps to prevent SQL injection attacks or unsure
48% Copy sensitive data to development and test environments
70% Data stored in database files or storage can be read at OS level
57% Cannot prevent direct access to database (application bypass)
IT Security Not Addressing Database Security – Only 20% Have a Plan
“Forrester estimates that although 70% of enterprises have an information security plan, only 20% of enterprises have a database security plan.”
Source: Creating An Enterprise Database Security Plan, July 2010
[Figure: areas typically covered by an IT security plan (Endpoint Security, Vulnerability Management, Network Security, Email Security, Authentication and User Security) alongside the usually missing piece, Database Security]
Database Security Best Practices
Mitigate Database Bypass
• Prevent access to data at OS, storage, network, media layers
• Transparent data encryption for data at rest, in transit, on media
• Separation of duties for key management
Prevent Application Bypass
• Privileged user access control to limit access to application data
• Multi-factor authorization for enforcing enterprise security policies
• Secure application consolidation
Consolidate Auditing and Compliance Reporting
• Native Oracle and non-Oracle database auditing, centralized audit policies
• Consolidate, secure, analyze audit trail, alert on suspicious activities
• Report for compliance & security, automate database audit workflow
Monitor Database Traffic and Block Threats
• Monitor Oracle & non-Oracle database traffic over the network
• Block threats like SQL injection attacks before reaching databases
• Enforce normal database activity, lightweight monitoring
Protect All Database Environments
• Sensitive data discovery for production
• Secure database lifecycle management, configuration scanning, patch automation
• Mask data for nonproduction development & test
Mitigate Database Bypass
Oracle Advanced Security for authentication and encryption
• Prevents access to data stored in database files, on tape, etc. by IT staff/OS users
• Efficient application data encryption without application changes
• Built-in two-tier key management for SoD with support for centralized key management using HSM/KMS
• Strong authentication of database users for greater identity assurance
[Figure: data written by the Application stays encrypted on Disk, in Backups, in Exports and at Off-Site Facilities]
Prevent Application Bypass
Oracle Database Vault to enforce privileged user access
• Automatic and customizable DBA separation of duties and protective realms
• Enforce who, where, when, and how data is accessed using rules and factors
– Enforce least privilege for privileged database users
– Prevent application by-pass and enforce enterprise data governance
• Securely consolidate application data or enable multi-tenant data management
[Figure: Procurement, HR and Finance application data held in protective realms, with Application DBA, DBA and Security DBA roles; the direct query "select * from finance.customers" issued by a DBA outside the application is the bypass the Finance realm prevents]
Prevent Application Bypass
Oracle Label Security for data classification access control
• Classify users and data based on business drivers
• Database enforced row level access control
• Users classification through Oracle Identity Management Suite
• Classification labels can be factors in other policies
• No application changes required
[Figure: transactions and report data labelled Public, Confidential or Sensitive; reports return only the rows whose label the user is authorized to read]
Consolidate Auditing & Compliance Reporting
Oracle Audit Vault for real-time database activity monitoring
• Consolidate database audit trail into secure centralized repository
• Detect and alert on suspicious activities, including privileged users
• Out-of-the box compliance reports for SOX, PCI, and other regulations
– E.g., privileged user audit, entitlements, failed logins, regulated data changes
• Streamline audits with report generation, notification, attestation, archiving, etc.
[Figure: audit data from CRM, ERP and HR databases flows into Audit Vault, where policies drive alerts, built-in reports and custom reports for the Auditor]
Consolidate Auditing & Compliance Reporting
Oracle Total Recall for automated change tracking
• Transparently track application data changes over time
• Efficient, tamper-resistant storage of archives in the database
• Real-time access to historical application data using SQL
• Simplified incident forensics and recovery
Example flashback query (quotes corrected from the slide; the timestamp literal is converted with an explicit format mask so it parses regardless of the session's NLS settings):
select salary from emp AS OF TIMESTAMP
  TO_TIMESTAMP('02-MAY-09 12.00 AM', 'DD-MON-RR HH.MI AM')
where emp.title = 'admin'
Monitor Database Traffic and Block Threats
Oracle Database Firewall for activity monitoring, blocking
• Blocks unauthorized access like SQL injections from reaching databases
• SQL grammar analysis ensures accuracy, enforcement, and scalability
• White lists and black lists enforce application activity without false positives
• Scalable architecture provides enterprise performance in all deployment modes
• Built-in and custom compliance reports for SOX, PCI, and other regulations
[Figure: SQL from Applications passes through the Database Firewall, whose policies assign each statement one of five actions: Allow, Log, Alert, Block or Substitute; policies feed alerts, built-in reports and custom reports]
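The white-list/black-list idea on this slide rests on reducing each SQL statement to its grammatical shape rather than matching raw text. The following is an added illustration, not Oracle Database Firewall code: a constructed normaliser and policy whose white-list, black-list patterns and statements are all invented samples, and whose "alert+substitute" fallback for unknown shapes is one possible combination of the actions the slide names.

```python
import re
from typing import Dict, List, Tuple

# Constructed example, not Oracle Database Firewall code: a toy form of the
# "SQL grammar analysis" the slide describes. A statement is reduced to its
# grammatical shape (literals replaced by "?"), so every statement an
# application normally issues collapses to a few white-listed shapes, while
# statements that differ in structure (a UNION, a tautology, a stacked
# statement) do not match and fall through to the black list or to an alert.

LITERAL = re.compile(r"'(?:[^']|'')*'|\b\d+(?:\.\d+)?\b")
SPACE = re.compile(r"\s+")

def shape(sql: str) -> str:
    """Normalise a statement: literals -> ?, whitespace collapsed, lower-cased."""
    s = LITERAL.sub("?", sql.strip().rstrip(";"))
    return SPACE.sub(" ", s).lower()

# Constructed policy. Actions are the five named on the slide:
# Allow, Log, Alert, Block, Substitute.
WHITELIST: Dict[str, str] = {
    shape("SELECT name, balance FROM finance.customers WHERE id = 42"): "allow",
    shape("UPDATE finance.customers SET balance = 0 WHERE id = 7"): "log",
}
BLACKLIST: List[Tuple[re.Pattern, str]] = [
    (re.compile(r"\bunion\b"), "block"),
    (re.compile(r"\bor\s+\?\s*=\s*\?"), "block"),                 # 1=1 / 'a'='a' tautology
    (re.compile(r";\s*(drop|alter|grant|truncate)\b"), "block"),  # stacked DDL
]

def decide(sql: str) -> Tuple[str, str]:
    """Return (action, shape) for one statement observed on the wire."""
    sh = shape(sql)
    if sh in WHITELIST:                 # known application statement
        return WHITELIST[sh], sh
    for pattern, action in BLACKLIST:   # known-bad structure
        if pattern.search(sh):
            return action, sh
    # Unknown shape: alert for review and substitute a harmless statement so
    # the caller gets an empty result instead of the real data.
    return "alert+substitute", sh

def triage(statements: List[str]) -> Dict[str, List[str]]:
    """Group a batch of observed statements by the action the policy assigns."""
    out: Dict[str, List[str]] = {}
    for s in statements:
        action, _ = decide(s)
        out.setdefault(action, []).append(s)
    return out
```

Because literals are abstracted away, a white-listed shape keeps matching when the application changes only the bound values, which is what lets such a list run without the false positives the slide mentions.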
Protect Database Environment: Production
Oracle Enterprise Manager for secure database lifecycle
• Discover and classify databases into security policy groups
• Scan databases against 400+ best practices and industry standards, custom enterprise-specific configuration policies, and enforce security compliance
• Detect and prevent unauthorized database configuration changes, trouble ticket tracking
• Automated patching and secure provisioning
[Figure: lifecycle steps Discover, Scan and Monitor, Patch]
Protect Database Environment: Nonproduction
Oracle Data Masking for protecting insecure environments
• Make application data securely available in non-production environments
• Prevent application developers and testers from seeing production data
• Extensible template library and policies for data masking automation
• Referential integrity automatically preserved so applications continue to work
• Integration with Real Application Testing and Test Data Management
Production:
LAST_NAME   SSN          SALARY
AGUILAR     203-33-3234  40,000
BENSON      323-22-2943  60,000
Non-Production (masked):
LAST_NAME   SSN          SALARY
ANSKEKSL    111-23-1111  60,000
BKJHHEIEDK  222-34-1345  40,000
Data Never Leaves Database
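The "referential integrity preserved" bullet is the part of masking that is easy to get wrong: if two tables are masked independently, a foreign key on SSN no longer joins. Added illustration, not Oracle Data Masking code: a deterministic keyed masking of LAST_NAME and SSN applied to two constructed tables (EMPLOYEES and a hypothetical PAYROLL table keyed on SSN), with a join check; the key, table names and rows are constructed samples.

```python
import hashlib
import hmac
from typing import Any, Dict, List, Tuple

# Constructed example, not Oracle Data Masking code: masks LAST_NAME and SSN
# with a keyed, deterministic function, so the same production value always
# maps to the same masked value and a second table keyed on SSN still joins
# after masking. MASK_KEY is a constructed sample; in practice it stays out
# of the non-production environment so masked values cannot be linked back.

MASK_KEY = b"constructed-sample-key"
Row = Dict[str, Any]

def _prf(label: str, value: str) -> bytes:
    """Keyed pseudo-random bytes for (label, value); stable for a given key."""
    return hmac.new(MASK_KEY, f"{label}:{value}".encode(), hashlib.sha256).digest()

def mask_ssn(ssn: str) -> str:
    """Format-preserving: a 3-2-4 digit string derived from the key, not the input."""
    digits = "".join(str(b % 10) for b in _prf("ssn", ssn)[:9])
    return f"{digits[:3]}-{digits[3:5]}-{digits[5:]}"

def mask_name(name: str) -> str:
    """Same length, uppercase letters, like ANSKEKSL on the slide."""
    d = _prf("name", name)
    return "".join(chr(ord("A") + d[i % len(d)] % 26) for i in range(len(name)))

def mask_tables(employees: List[Row], payroll: List[Row]) -> Tuple[List[Row], List[Row]]:
    """Mask both tables; SALARY values are rotated so no row keeps its own."""
    salaries = [r["SALARY"] for r in employees]
    rotated = salaries[1:] + salaries[:1]
    masked_emp = [{"LAST_NAME": mask_name(r["LAST_NAME"]), "SSN": mask_ssn(r["SSN"]),
                   "SALARY": s} for r, s in zip(employees, rotated)]
    masked_pay = [{"SSN": mask_ssn(r["SSN"]), "PERIOD": r["PERIOD"]} for r in payroll]
    return masked_emp, masked_pay

def join_ok(employees: List[Row], payroll: List[Row]) -> bool:
    """Referential check: every payroll SSN must resolve to an employee row."""
    keys = {r["SSN"] for r in employees}
    return all(r["SSN"] in keys for r in payroll)

# Constructed sample data modelled on the slide's production rows
EMPLOYEES = [{"LAST_NAME": "AGUILAR", "SSN": "203-33-3234", "SALARY": 40000},
             {"LAST_NAME": "BENSON", "SSN": "323-22-2943", "SALARY": 60000}]
PAYROLL = [{"SSN": "203-33-3234", "PERIOD": "2012-01"},
           {"SSN": "323-22-2943", "PERIOD": "2012-02"}]
```

Rotating SALARY rather than hashing it keeps realistic values for testing while breaking the link between a person and their pay, which is the effect the slide's swapped 60,000/40,000 values show.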
Database Security Best Practices Case Studies
Encrypting Personally Identifiable Information (Oracle Advanced Security)
• Transparent data encryption
• No application changes or performance impact
• PCI DSS compliance
Defense in Depth Security of Patient Donor Data (Oracle Database Vault, Oracle Advanced Security, Oracle Data Masking)
• Privileged user access controls
• Encrypting production and masking nonproduction data
• HIPAA/HITECH Compliance
Audit, Alert & Report on Application Logs (Oracle Audit Vault)
• Monitoring privileged users, sensitive data updates and more
• Secure central audit repository
• Sarbanes-Oxley Act Compliance
Oracle Database Security Strategy
Defense-in-depth
[Figure: three concentric layers]
Maximum Security (controls within the database): Encryption, Privileged User Controls, Classification
External Controls (protect Oracle & non-Oracle databases, e.g. MySQL): Activity Monitoring, Auditing, Blocking Attacks, Reporting
Low Security (sensitive data removed): Database Lifecycle Management, Data Masking for Non-Production
Questions To Consider…
• Do you know where all sensitive data resides?
• Would you know if your data was breached?
• Are you aware of all your regulatory mandates?
• What best practices are you following, and where are the holes?
Q&A
Database Security Best Practices Monthly Webcast Series
• Best Practices For
– Database Activity Monitoring and Blocking, Feb 29
– Database Auditing, Alerting and Reporting, Mar 28
– Transparent Data Encryption, Apr 25
– Database Privileged User Access Control, May 30
For More Information
oracle.com/database/security
or search.oracle.com for "database security"