partner webcast - oracle database security inside-out - part 1: advanced security and database vault
DESCRIPTION
Businesses not only have to protect sensitive information, but also monitor access to sensitive information for both compliance and potential threats. Avoid risky third-party solutions, and leverage the full potential of the #1 Database with 33 years of security innovations to safeguard data where it lives: in the database. In two webcasts we explore Oracle’s comprehensive database security and compliance solutions.
Part 1: Advanced Security and Database Vault - 04 April 2013
Part 2: Audit Vault and Database Firewall (AVDF) - 11 April 2013
Find out more at https://blogs.oracle.com/imc/entry/partner_webcasts_oracle_database_security
TRANSCRIPT
Copyright © 2012, Oracle and/or its affiliates. All rights reserved. 1
Oracle Database – Advanced Security And Database Vault
Tarek Salama
DB Options Specialist - A&C Technology
Adoption Office MEA
Program Agenda
Database Security Defense in Depth
Oracle Database Advanced Security Option
– Network Encryption.
– Transparent Data Encryption (TDE).
Oracle Database Vault
– Privileged user access control.
– Prevent Application Bypass.
Q&A
What’s Driving the Need For Security?
Bring-your-own-device culture requires a proactive approach: applications & data, anytime, anywhere
Security
Endpoint Security
Physical Security
Vulnerability Management
Email Security
Network Security
Authentication & User Security
Application Security
Other Security…
A variety of security solutions are deployed, BUT still…
Over 1B records compromised over the past 6 years
174M of compromised records in 2011 alone
96% of attacks were not highly difficult (+4%)
85% of breaches took weeks or more to discover (+6%)
97% of breaches were avoidable through simple or intermediate controls (+1%)
Source: Verizon, 2012 Data Breach Investigations report
What do customers want from security?
Customers Want Protection…
Enterprise IS NOT Vulnerable
Privacy IS NOT Violated
Compliance IS Achieved & Demonstrated
Minimized Costs & Effort
What is a customer’s most valuable asset? INFORMATION
Two-thirds of sensitive and regulated information now resides in databases
… and doubling every two years
Source: Verizon, 2007-11 & IDC, "Effective Data Leak Prevention Programs: Start by Protecting Data at the Source", August 2011
Classified Govt. Info.
Trade Secrets
Competitive Bids
Corporate Plans
Source Code
Bug Database
Credit Cards
Customer Data
Financial Data
HR Data
Citizen Data
48% of data breaches caused by insiders
89% of records stolen using SQL injection
86% of hacking used stolen credentials
Information Is Data
IT Security is $35B Market Today
Source: Forrester: The Evolution Of IT Security, 2010 To 2011, April 2011
Data Security IS a Top Priority
Business Drivers for Data Security
Security Concerns
• Rising security threats and incidents
• Increasing quantity of stored data
• Evolving technology infrastructures
• Continuous organizational changes
Compliance Issues
• Multiple regulations, geographies, and jurisdictions to deal with
• Periodic updates and revisions
• Expanding scope of regulations
(Diagram: Data Security Solutions at the centre of Technology, Organization and Management, to manage risks, control costs and plan for growth)
Database Security Defense In Depth
Oracle Database Security Solutions: Defense-in-Depth for Maximum Security
DETECTIVE: Activity Monitoring, Database Firewall, Auditing and Reporting
PREVENTIVE: Redaction and Masking, Privileged User Controls, Encryption
ADMINISTRATIVE: Sensitive Data Discovery, Configuration Management, Privilege Analysis
Oracle Database Security Platform
PREVENTIVE – Maximum Security for Oracle Databases: Transparent Data Encryption, Privileged User Controls, Multi-Factor Authorization, Data Classification, and Change Tracking
• Oracle Advanced Security
• Oracle Database Vault
• Oracle Label Security
• Oracle Total Recall
DETECTIVE – Security for Oracle and non-Oracle Databases (e.g. MySQL) Outside the Database: Database Activity Auditing and Reporting, SQL Traffic Monitoring and Blocking, Real-Time Alerting, Workflow Automation
• Oracle Audit Vault and Oracle Database Firewall
ADMINISTRATIVE – Security for Production and non-Production Database Environments: Secure Configuration Scanning, Automated Patching, Configuration Change Control, Sensitive Data Discovery, Data Masking
• Oracle Database Lifecycle
• Oracle Enterprise Manager
• Oracle Data Masking
Oracle Database Advanced Security Options Product Overview
Only 30% Prevent Non-Database Users from Seeing or Tampering with Data at the OS Level
Is personal identity information (e.g., social security, credit card, national identifier numbers) stored in your databases encrypted?
Only 22% Encrypt All Backups and Exports
Do you encrypt all your online and offline database backups and exports?
Evolution of Oracle Advanced Security
Oracle 9i: Network Encryption & Strong Authentication
Oracle 10g: Column TDE & Wallet Key Management
Oracle 11g: Tablespace TDE & Hardware Acceleration & Exadata Optimizations
ASO Overview
Oracle Advanced Security: Protect Data from Unauthorized Database Users
• Prevents “database by-pass” with complete end-to-end data encryption
• Efficient application data encryption without application changes
• Built-in key management with separation of duties
• High performance and easy to deploy
(Diagram: Application, Disk, Backups, Exports, Off-Site Facilities)
Transparent Data Encryption: Encryption Key Architecture
(Diagram: TDE Column Encryption uses a Table Key and TDE Tablespace Encryption uses a Tablespace Key; both are protected by the Master Key, which is held in an Oracle Wallet (Standard, Auto-Open or Local Auto-Open Wallet) or in a Hardware Security Module)
Oracle Advanced Security: Transparent Data Encryption for Columns
Support for all column types, including Oracle Database 11g SecureFiles
Data is cached encrypted in the SGA
Decrypted only when you dereference it, encrypted every time you modify it
Indexing supported, but the index is built on the encrypted values (so it is not in plaintext order!)
Encryption keys are table-specific, which means foreign key constraints cannot be enforced on encrypted columns
Undo and redo generated are encrypted
Oracle Advanced Security: Transparent Data Encryption for Tablespaces
All tables in the tablespace are encrypted – no need to identify specific columns
Data is encrypted at block level as it is written out to disk, decrypted when read in
Data is cached in the SGA unencrypted
Index contains ‘clear text’ (the blocks are encrypted on disk), so no limitations on index use
Encryption keys are tablespace-specific – foreign key constraints can be enforced
Undo and redo generated are encrypted
Oracle Advanced Security: Transparent Data Encryption for Media
TDE integrated with Oracle Data Pump for bulk export/import to OS flat files
TDE integrated with Oracle RMAN for database backup and recovery
RMAN and Data Pump compress and encrypt data
Master key, passphrase, or both can be used to encrypt export and backup files – no need to distribute the production master key with exports or backups
Master key is not automatically backed up with the database
(Diagram: Disk, Backups, Exports, Off-Site Facilities)
Oracle Advanced Security: Transparent Data Encryption Performance
“Encrypting data is expensive” is a myth (started with bad third-party solutions!)
Incremental CPU ~5%, with 10x speed-up if cryptographic hardware is available
Incremental CPU reduced even more if using Oracle Advanced Compression or Exadata Hybrid Columnar Compression (EHCC) – if the compression ratio is 75%, we have to encrypt 75% less data!
(Chart: encryption processing rate in MB per CPU second, Oracle Database Enterprise Edition 11.2.0.2, AES-256. Encryption: Intel Xeon Processor X5570 w/o Intel® IPP 57 vs. Intel Xeon Processor X5680 w/ Intel® IPP 559, a 10x speedup. Decryption: 58 vs. 468, an 8x speedup.)
Oracle Advanced Security: Database Traffic Network Encryption
Network traffic entirely encrypted to prevent “man in the middle” attacks – AES, RSA RC4, and DES/3DES
Data integrity checksums prevent modification, replay, missing packets, etc. – MD5 and SHA-1
No infrastructure changes required, point-and-click implementation
Oracle Advanced Security: Transparent Data Encryption Built-In Key Management
Generate, store, and rotate encryption keys
Two-tier key management architecture
– Table and tablespace keys are used to encrypt data (stored in the database for performance)
– Master key is used to encrypt the table and tablespace keys
Master key is stored in an External Security Module (outside the database)
– Oracle Wallet (PKCS #12 file)
– Hardware Security Module (HSM) meets FIPS & Common Criteria requirements, accessed through the PKCS #11 API
Separation of duties – the wallet password is separate from the SYSTEM or DBA password
(Diagram: Master Key held in the Oracle Wallet or in an HSM via the PKCS #11 API; Table and Tablespace Keys held in the database)
Create a wallet and generate the master key:
alter system set encryption key identified by "e3car61";
Open the wallet:
alter system set encryption wallet open identified by "e3car61";
Rotate the master key (table/tablespace keys are re-encrypted):
alter system set encryption key identified by "2naf1sh";
Rotate the table key (data is re-encrypted):
alter table employee rekey;
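The two-tier hierarchy above, as an added illustration that is not Oracle's code: a toy Python model in which the wallet's master key wraps per-table keys and the table keys encrypt the rows, so that rotating the master key only re-wraps the table keys while a table REKEY re-encrypts the data. The cipher is an HMAC-SHA256 keystream standing in for Oracle's AES-256, and the table name and row values are constructed.

```python
"""Toy model of TDE's two-tier keys: a master key in the wallet wraps per-table
keys, which encrypt the data. Added illustration, not Oracle code; the cipher is
an HMAC-SHA256 keystream standing in for Oracle's AES-256."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # XOR data with HMAC-SHA256(key, nonce || counter) blocks (toy cipher, not AES).
    out = bytearray()
    for ctr in range((len(data) + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, out))

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    return nonce + _xor_stream(key, nonce, plaintext)

def decrypt(key: bytes, blob: bytes) -> bytes:
    return _xor_stream(key, blob[:16], blob[16:])

@dataclass
class Wallet:
    # Stands in for the Oracle Wallet / HSM: the master key never enters the database.
    master_key: bytes = field(default_factory=lambda: os.urandom(32))

@dataclass
class Database:
    wallet: Wallet
    wrapped_keys: dict = field(default_factory=dict)  # table -> table key wrapped by master
    rows: dict = field(default_factory=dict)          # table -> ciphertext rows on disk

    def create_encrypted_table(self, name: str, values: list) -> None:
        tk = os.urandom(32)
        self.wrapped_keys[name] = encrypt(self.wallet.master_key, tk)
        self.rows[name] = [encrypt(tk, v) for v in values]

    def _table_key(self, name: str) -> bytes:
        return decrypt(self.wallet.master_key, self.wrapped_keys[name])

    def read(self, name: str) -> list:
        tk = self._table_key(name)
        return [decrypt(tk, r) for r in self.rows[name]]

    def rotate_master_key(self) -> None:
        # ALTER SYSTEM SET ENCRYPTION KEY: only the wrapped table keys are rewritten.
        table_keys = {n: self._table_key(n) for n in self.wrapped_keys}
        self.wallet.master_key = os.urandom(32)
        self.wrapped_keys = {n: encrypt(self.wallet.master_key, k) for n, k in table_keys.items()}

    def rekey_table(self, name: str) -> None:
        # ALTER TABLE ... REKEY: fresh table key, every row re-encrypted.
        plain, new_tk = self.read(name), os.urandom(32)
        self.wrapped_keys[name] = encrypt(self.wallet.master_key, new_tk)
        self.rows[name] = [encrypt(new_tk, v) for v in plain]

def demo() -> tuple:
    # Constructed table and rows; returns (decrypted rows, rotation left data alone, rekey rewrote it).
    db = Database(Wallet())
    db.create_encrypted_table("employee", [b"alice:4111", b"bob:5500"])
    on_disk = list(db.rows["employee"])
    db.rotate_master_key()
    untouched_by_rotation = db.rows["employee"] == on_disk
    db.rekey_table("employee")
    rewritten_by_rekey = db.rows["employee"] != on_disk
    return db.read("employee"), untouched_by_rotation, rewritten_by_rekey
```

Without the wallet's current master key the wrapped table keys cannot be unwrapped, which is why the slides stress backing the wallet up separately from the database.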
Oracle Advanced Security: Strong Authentication
TDE returns clear-text data to authenticated, authorized database users
Critical to protect against stolen credentials and increase assurance of database user identities, especially privileged application users and DBAs
Strong authentication schemes supported – Kerberos, PKI & RADIUS (for one-time password tokens, risk-based authentication, etc.)
(Diagram: Application authenticating to the database with X.509 v3 certificates or Kerberos)
Oracle Advanced Security: Encryption is the Foundation Preventive Control for Oracle Databases
Transparent Data Encryption
Prevents access to data at rest
Requires no application changes
Built-in two-tier key management
“Near zero” overhead with hardware
Integrations with Oracle technologies, e.g. Exadata, Advanced Compression, ASM, GoldenGate, Data Pump, etc.
(Diagram: Applications, Disk, Backups, Exports, Off-Site Facilities)
Summary of Oracle Advanced Security: Key Points to Remember
Secure – Protects sensitive data against a range of threats
Compliant – Accelerates compliance projects requiring encryption
Transparent – Transparent to existing applications
Fast – Offers high-speed cryptographic performance
Easy – Installed with the database, has built-in key management
Standards-Based – Follows accepted encryption standards
Battle-Tested – Used for years by thousands of Oracle customers on diverse systems across multiple industries
Oracle Database Vault Product Overview
76% Have No Preventive Controls on Privileged Database Users, or Are Unsure
Can you prevent DBAs & other privileged database users from reading/tampering with sensitive information in financial, HR, or other business applications?
Three-Fourths Don’t Have Safeguards To Prevent Accidental Harm to Databases
Any safeguards preventing a database administrator from accidentally dropping a table or unintentionally causing harm to critical application databases?
Managing Database Users and Security
(Diagram: a Security Admin creates security policies to protect data; an Accounts Admin creates and manages database users, including the application user; Junior and Senior DBAs handle backup, patching, installation, tuning, recovery and managing DBAs)
Enforce Application Security Controls: Oracle Database Vault to Enforce Privileged User Access
(Diagram: Procurement, HR and Finance applications; the Application DBA, a DBA and the Security DBA; a DBA attempting select * from finance.customers)
Automatic and customizable DBA separation of duties and protective realms
Enforce who, where, when, and how data is accessed using rules and factors
– Enforce least privilege for privileged database users
– Prevent application by-pass and enforce enterprise data governance
Securely consolidate application data or enable multi-tenant data management
Oracle Database Vault: Privileged User and Operational Controls
• Limit default powers of privileged users
• Enforce policy rules inside the database
• Violations audited, secured and sent to Oracle Audit Vault
• No application changes required
(Diagram: Procurement, HR and Finance applications; an Application DBA attempting select * from finance.customers)
Prevent Application Bypass: Classify Data and Users to Automate Access Control
• Classify users and data based on business drivers
• Database-enforced row level access control
• User classification through Oracle Identity Management Suite
• Classification labels can be factors in other policies
• No application changes required
(Diagram: Transactions, Report Data and Reports labelled Sensitive, Confidential and Public)
Oracle Database Vault Realms
(Diagram: Procurement, HR and Finance applications; the Application DBA, a DBA and the Security DBA; a DBA attempting select * from finance.customers)
• Realms are protection zones (firewalls) inside the database to protect application data
• Use realms to restrict the use of system privileges to specific accounts or roles
• Default realms to address database governance
• Out-of-the-box realms to protect popular Oracle and non-Oracle applications
Oracle Database Vault: Strong Operational Controls Inside the Database
(Diagram: Procurement, HR and Finance applications)
• Rules to control how users can execute almost any SQL statement inside the database
• Command rules can take into account built-in and custom factors (numerous built-in factors)
• Command rules can be system-wide, schema-specific, or object-specific
• Out-of-the-box command rules for Oracle and non-Oracle applications
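How the realms of the previous slide and the command rules of this one combine, as an added illustration that is not Oracle's implementation: a Python policy model in which a realm around the FINANCE schema stops a DBA's SELECT ANY TABLE privilege from reaching finance.customers, and a command rule checks the client IP, program and time-of-day factors before a statement runs. The account names, subnet, program names and hours are constructed.

```python
"""Toy model of Database Vault realms and command rules (added illustration, not
Oracle's implementation). A realm is a protection zone that a system privilege such
as SELECT ANY TABLE cannot cross; a command rule checks factors (client IP, program,
time of day) before the statement is allowed to run."""
from dataclasses import dataclass, field
import ipaddress

@dataclass
class Session:
    user: str
    system_privs: set     # e.g. {"SELECT ANY TABLE"} for a DBA
    grants: set           # schemas this account holds direct object grants on
    client_ip: str        # factor: where the connection comes from
    program: str          # factor: client program / application type
    hour: int             # factor: local hour of day, 0-23

@dataclass
class Realm:
    name: str
    schemas: set                                  # protected application schemas
    authorized: set = field(default_factory=set)  # accounts allowed inside the realm

@dataclass
class CommandRule:
    command: str            # e.g. "SELECT"
    schema: str             # rule scope: a schema name, or "*" for system-wide
    networks: list          # factor: client IP must fall inside one of these
    programs: set           # factor: allowed client programs
    hours: range            # factor: allowed time-of-day window

def evaluate(sess, command, schema, realms, rules):
    """Return 'ALLOW' or 'DENY (<reason>)' for <command> on objects in <schema>."""
    # 1. Ordinary privilege check: owner, direct grant, or an ANY-style system privilege.
    if sess.user != schema and schema not in sess.grants \
            and f"{command} ANY TABLE" not in sess.system_privs:
        return "DENY (insufficient privileges)"
    # 2. Realm check: inside a realm, system privileges no longer count.
    for realm in realms:
        if schema in realm.schemas and sess.user != schema \
                and sess.user not in realm.authorized:
            return f"DENY (realm violation: {realm.name})"
    # 3. Command rules: every factor of each applicable rule must be satisfied.
    ip = ipaddress.ip_address(sess.client_ip)
    for rule in rules:
        if rule.command != command or rule.schema not in ("*", schema):
            continue
        if not any(ip in ipaddress.ip_network(n) for n in rule.networks):
            return f"DENY (command rule: client IP {sess.client_ip} not allowed)"
        if sess.program not in rule.programs:
            return f"DENY (command rule: program {sess.program} not allowed)"
        if sess.hour not in rule.hours:
            return "DENY (command rule: outside allowed hours)"
    return "ALLOW"

# Constructed policy: the FINANCE schema sits in a realm only FIN_APP may enter, and
# SELECT against it must come from the app subnet, via the finance app, 07:00-19:59.
REALMS = [Realm("Finance", {"FINANCE"}, {"FIN_APP"})]
RULES = [CommandRule("SELECT", "FINANCE", ["10.0.5.0/24"], {"finance_app"}, range(7, 20))]

def demo():
    # Four constructed sessions issuing "select * from finance.customers".
    dba = Session("SCOTT_DBA", {"SELECT ANY TABLE"}, set(), "10.0.1.9", "sqlplus", 10)
    app = Session("FIN_APP", set(), {"FINANCE"}, "10.0.5.20", "finance_app", 10)
    app_late = Session("FIN_APP", set(), {"FINANCE"}, "10.0.5.20", "finance_app", 23)
    app_bypass = Session("FIN_APP", set(), {"FINANCE"}, "192.168.7.3", "sqlplus", 10)
    return [evaluate(s, "SELECT", "FINANCE", REALMS, RULES)
            for s in (dba, app, app_late, app_bypass)]
```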
Oracle Database Vault: Alerts and Reports
• Generate audit events on realm violations and command rule exceptions
• Demonstrate compliance using built-in reports for
– Realms
– Command rules
– Entitlements, such as who has the DBA role
• Integrated with Oracle Audit Vault and Oracle Enterprise Manager for near real-time alerting and monitoring
(Diagram: Separation of duties, Multi-factor access, Alerts/Reports across the Procurement, HR and Finance applications)
Oracle Database Vault Out-of-the-Box Policies: Protection For Oracle and non-Oracle Application Data
Pre-built policies include realms and command rules
Prevent DBA from accessing application data
Prevent privileged users from tampering with application objects
Complements application security
Transparent to existing applications
Customizable
Covered applications: Oracle E-Business Suite 11i / R2, PeopleSoft Applications, Siebel, i-Flex, JD Edwards EnterpriseOne, SAP, Infosys Finacle
Oracle Notes: 852482.1, 1195205.1, 207959.1
Summary of Database Vault: Key Points to Remember
Enforces – Trusted paths to application data
Isolates – Consolidated apps from each other and prevents privilege escalation
Enables – Outsourcing backend operations without giving access to data
Secures – Application data in the cloud
Consolidation – Results in multiple privileged accounts in a single database
Restricts – Ad-hoc access to application data by preventing application bypass with multi-factor policies
Addresses – Compliance with regulatory requirements that call for separation of duties and least privilege
Database Vault: Separation of Duties is the Foundation
Limit DBA access to application data
Multi-factor SQL command rules
Realms create protective zones
Enforce enterprise data governance, least privilege, segregation of duties
Out-of-the-box application policies
(Diagram: Procurement, HR and Finance applications; Application DBA, Security DBA and DBA; a DBA attempting select * from finance.customers)
ASO And DBV Value Proposition
Value to Customer
Enforcing regulations compliance & standards
Effective prevention of unauthorized, intentional or unintentional, database operations
Prevent privileged user access to application data based on IP, application type, and time of day
Protecting against internal & external threats
End-to-end enterprise security from one vendor – no support issues, staff already familiar
Enforce real-time access controls
Value to Partner
Minimize costs of offering compliance services
Reduction of managing multiple solutions per application
Out-of-the-box functionalities reduce solution complexity & enhance flexibility
Ease of deployment & high availability of expertise
Proven, efficient, future-proof from one single vendor
Certified, out-of-the-box policies for leading applications
Increased competitiveness/revenues by protecting the end user’s data and reputation
Security Future Extensions: Security Improvements
Block database bypass at the operating system.
Migrate keys between wallets, and automatic backup of wallets.
Wallet storage directly in Oracle File System.
Installation by default.
New roles for backup, key management, and auditing.
Simplified authorizations for day-to-day DBA tasks.
Oracle Database Security Partner Support and Resources
Oracle Database Security Partner Resell Requirements
http://www.oracle.com/partners/en/knowledge-zone/database/database-021468.htm
• OPN member at Gold+ in good standing
• Acceptance into Oracle Database Knowledge Zone
• Valid Oracle Full Use Program Distribution Agreement
• NO competency or specialization requirements
OPN “Security” Specialization
Business Criteria – Required
Customer References: 3
Number of Transactions* (Resell, or Non-Commission Co-sell, or Referral): 2
Competency Criteria – Required
Oracle Database 11g Security Sales Specialist (Recommended Training): 2
Oracle Database 11g Security PreSales Specialist (Recommended Training): 2
Oracle Database 11g Security Technology Support Specialist (Recommended Training): 1 – General Product Support Assessment (v3.0) also acceptable; count before March 1, 2013, valid until March 1, 2014
Oracle Database 11g Security Certified Implementation Specialist, via the Oracle Database 11g Security Essentials exam (1Z0-528) (Recommended Training): 1
For More Information
http://www.oracle.com/us/products/database/security/overview/index.html
http://www.oracle.com/partners/en/knowledge-zone/database/database-021468.htm
oracle.com/database/security
search.oracle.com, or search for “database security”
Key Takeaways & Next Steps
Database Security Inside Out: Database 11g Value
The industry's most advanced & proven technology to safeguard data where it lives.
Ensure data privacy & integrity.
Effectively protect against insider threats.
Enable regulatory compliance & meet regulatory mandates.
Easy to integrate – no changes to applications required.
Thank You!