
Oracle Database Security Overview


Tammy Bednar
Sr. Principal Product Manager
tammy.bednar@oracle.com
Data Security Challenges

• What to secure?
• Sensitive Data: Confidential, PII, regulatory
• Data in packaged and custom applications
• Secure Life cycle: creation, transit, storage, backup, test, transfer
• Can we secure it now?
• Secure using existing systems?
• Transparent?
• Loss, Unauthorized access, Separation of Duty
• Will it meet business requirements?
• Flexible, Transparent, Compliant?
• Secures both custom and packaged applications?
• Will it reduce operational cost?
• Easy to manage?
• Performant?

2
Oracle Database Security
Defense-in-Depth for Security and Compliance

Monitoring: Audit Vault, Total Recall, Configuration Management

Access Control: Database Vault, Label Security

Encryption and Masking: Advanced Security, Data Masking, Secure Backup

3
Oracle Database Security
Defense-in-Depth for Security and Compliance

Encryption and Masking: Advanced Security, Data Masking, Secure Backup

4
Oracle Advanced Security
Transparent Data Encryption

(Diagram: application data stays encrypted on disk, in backups, in exports, and at off-site facilities)

• No application changes required
• Efficient encryption of all application data
• Built-in key lifecycle management
• Works with Exadata V2 Smart Scans
• Works with Oracle Advanced Compression

5
Security Tip

• Migrate Oracle PeopleSoft applications to encrypted tablespaces without downtime and data loss with this FREE downloadable script and detailed implementation guide from here:
http://www.oracle.com/technology/deploy/security/database-security/pdf/tde_tabsp_enc_for_psft.zip

6
Oracle Advanced Security
Network Encryption & Strong Authentication

• Standards-based encryption for data in transit
• Strong authentication of users and servers
• No infrastructure changes required
• Easy to implement

7
Oracle Secure Backup
Integrated Tape or Cloud Backup Management

• Secure data archival to tape or cloud
• Easy to administer key management
• Fastest Oracle Database tape backups
• Leverage low-cost cloud storage

8
Oracle Data Masking
Irreversible De-Identification

Production                           Non-Production
LAST_NAME  SSN          SALARY       LAST_NAME   SSN          SALARY
AGUILAR    203-33-3234  40,000       ANSKEKSL    111-23-1111  40,000
BENSON     323-22-2943  60,000       BKJHHEIEDK  222-34-1345  60,000

• Remove sensitive data from non-production databases
• Referential integrity preserved so applications continue to work
• Extensible template library and policies for automation
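The consistent, irreversible substitution the table above illustrates, as an added example that is not Oracle Data Masking's own code: plain SQL on constructed EMPLOYEES and BENEFITS tables (assumed names and rows), using a temporary mapping table so that every occurrence of a real SSN, in every table, receives the same fake value and the join keeps working.

```sql
-- Constructed sample schema (assumption: not the product's schema); SSN is the join key
CREATE TABLE employees (emp_id NUMBER PRIMARY KEY, last_name VARCHAR2(30),
                        ssn VARCHAR2(11), salary NUMBER);
CREATE TABLE benefits  (ben_id NUMBER PRIMARY KEY, ssn VARCHAR2(11), plan VARCHAR2(20));
INSERT INTO employees VALUES (1, 'AGUILAR', '203-33-3234', 40000);
INSERT INTO employees VALUES (2, 'BENSON',  '323-22-2943', 60000);
INSERT INTO benefits  VALUES (10, '203-33-3234', 'PPO');
INSERT INTO benefits  VALUES (11, '323-22-2943', 'HMO');

-- One mapping row per distinct real SSN: the same real value always maps to the
-- same random, format-preserving fake value, which is what keeps joins intact.
CREATE TABLE ssn_map AS
SELECT real_ssn,
       TO_CHAR(TRUNC(DBMS_RANDOM.VALUE(100, 1000)),   'FM000')  || '-' ||
       TO_CHAR(TRUNC(DBMS_RANDOM.VALUE(10, 100)),     'FM00')   || '-' ||
       TO_CHAR(TRUNC(DBMS_RANDOM.VALUE(1000, 10000)), 'FM0000') AS fake_ssn
  FROM (SELECT ssn AS real_ssn FROM employees
        UNION
        SELECT ssn FROM benefits);

-- Every table that carries the key is rewritten through the same mapping
UPDATE employees e SET ssn = (SELECT m.fake_ssn FROM ssn_map m WHERE m.real_ssn = e.ssn);
UPDATE benefits  b SET ssn = (SELECT m.fake_ssn FROM ssn_map m WHERE m.real_ssn = b.ssn);
COMMIT;

-- Check: the masked values differ from the originals, yet the join still pairs
-- each employee with the same benefits row as before masking
SELECT e.last_name, e.ssn, b.plan
  FROM employees e JOIN benefits b ON b.ssn = e.ssn
 ORDER BY e.emp_id;

-- Irreversible: once the mapping is dropped, nothing links a fake SSN back to a real one
DROP TABLE ssn_map PURGE;
```

Random values can collide, so a real masking job also enforces uniqueness on fake_ssn (a UNIQUE constraint plus a retry) and substitutes the other identifying columns, such as LAST_NAME, the same way.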

9
Large Credit Card Services Provider
Cost Effective Encryption of Card Holder Data

Business Challenges
• Protect sensitive card holder data
• Comply with PCI

Solution
• Deployed Oracle Advanced Security TDE Tablespace Encryption

Business Results
• Addressed internal and external requirements
• Leveraged Oracle Advanced Security integration with Hardware Security Modules for network based management of the TDE master encryption key

10
U.S. Pharmaceutical Tools Manufacturer
Oracle Advanced Security Protects Sensitive Data

Business Challenges
• Worried about protection of intellectual property and sensitive employee data

Solution
• Oracle Advanced Security TDE column encryption
• Easy implementation within hours (Oracle PeopleSoft)
• TDE with HSM made corporate-wide standard

Business Results
• Average end-user response time: +2.5 %
• Cost effective and transparent implementation of data encryption with no application changes
• Protection of sensitive data at rest and on backup media

11
Oracle Database Security
Defense-in-Depth for Security and Compliance

Access Control: Database Vault, Label Security

Encryption and Masking: Advanced Security, Data Masking, Secure Backup

12
Oracle Database Vault
Separation of Duties & Privileged User Controls

(Diagram: Procurement, HR and Finance application data consolidated in one database, with a DBA issuing "select * from finance.customers")

• DBA separation of duties
• Limit powers of privileged users
• Securely consolidate application data
• No application changes required
• Works with Oracle Exadata V2 Database Machine

13
Oracle Database Vault
Multi-Factor Access Control Policy Enforcement

(Diagram: Procurement, HR and Rebates application data protected by policy)

• Protect application data and prevent application by-pass
• Enforce who, where, when, and how using rules and factors
• Out-of-the box policies for Oracle applications, customizable

14
Oracle Label Security
Data Classification for Access Control

(Diagram: data labeled Sensitive (Transactions), Confidential (Report Data) and Public (Reports); users labeled Confidential or Sensitive)

• Classify users and data based on business drivers
• Database enforced row level access control
• User classification through Oracle Identity Management Suite
• Classification labels can be factors in other policies

15
Did you know?

• Finding User Accounts That Have Default Passwords
• When you create a database in Oracle Database 11g Release 2 (11.2), most of its default accounts are locked with the passwords expired.
• To find both locked and unlocked accounts that use default passwords, log onto SQL*Plus using the SYSDBA privilege and then query the DBA_USERS_WITH_DEFPWD data dictionary view.

SELECT d.username, u.account_status
  FROM DBA_USERS_WITH_DEFPWD d, DBA_USERS u
 WHERE d.username = u.username
 ORDER BY 2, 1;

USERNAME          ACCOUNT_STATUS
----------------- --------------------------
SCOTT             EXPIRED & LOCKED

16
Large US Based Global Bank
Enable Secure Cost Effective Deployments

Business Challenges
• Outsource administration of multiple applications (E-Business Suite, PeopleSoft and other in-house and 3rd party applications)
• "Cross Border" security controls to protect country-specific sensitive client data from DBA access in a different country
• Deploy a security solution that is certified with applications and with minimal performance overhead

Solution
• Deployed Oracle Database Vault on 18+ applications including E-Business Suite, PeopleSoft and other internal and 3rd party applications to prevent privileged user access to application data
• Used Database Vault multi-factor authorization to enforce cross-border access control and to prevent "Application Bypass"
• Over 200K users accessing these systems globally

Business Results
• Saved over $15M a year by outsourcing/off-shoring backend administration operations
• Addressed "Cross Border" security requirements
• Passed external audit and avoided paying fines

17
Pharmaceutical Services Provider
Protect Sensitive Customer Information and Address Regulations

Business Challenges
• Protect and secure the privacy of very sensitive customer medical data and employee data in PeopleSoft
• Comply with internal policies and external regulations (HIPAA, SOX, Privacy Laws)
• Prevent privileged user access to sensitive data

Solution
• Deployed Oracle Database Vault with out-of-the-box PeopleSoft protection policies
• Took 14 days to go production

Business Results
• Complied with HIPAA and other privacy regulations
• Passed external audit
• Saved on consulting costs and deployment time by using the out-of-the-box Database Vault protection policies
• Deployed Database Vault with minimal changes to existing internal processes and procedures

18
Large European Telecom Provider
Enable Organization to Meet Regulations

Business Challenges
• Protect the privacy of sensitive client data in their telecom billing system
• Meet internal, European Data Security Directive, and country-specific privacy requirements
• Prevent tampering or deletion of database objects or database users

Solution
• Used Database Vault Realms and Command Rules to prevent DBAs from accessing sensitive data
• Used Command Rules to prevent tampering or deletion of database objects or users
• Used multi-factor authorization to prevent "Application Bypass" based on IP address

Business Results
• Secure the third party billing system without any application changes
• Comply with internal, European, and country-specific privacy laws
• Cost effective preventive controls against any tampering or deletion of database objects or users
• Maintain good performance without buying additional hardware

19
Oracle Database Security
Defense-in-Depth for Security and Compliance

Monitoring: Audit Vault, Total Recall, Configuration Management

Access Control: Database Vault, Label Security

Encryption and Masking: Advanced Security, Data Masking, Secure Backup

20
Oracle Audit Vault
Automated Activity Monitoring & Audit Reporting

(Diagram: audit data from HR, CRM and ERP databases is collected into Audit Vault, where policies drive alerts, built-in reports and custom reports for the auditor)

• Consolidate audit data into secure repository
• Detect and alert on suspicious activities
• Out-of-the box compliance reporting
• Centralized audit policy management

21
Security Tip

• Want to audit users that log into the database at odd hours?
• New in Oracle Database Release 11.2
• Audit statements for the current session using the IN SESSION CURRENT clause
• Create a database logon trigger
• If the login time is between 7:00 PM – 6:00 AM, and not connecting from a 'trusted' middle-tier, audit all activity

AUDIT ALL STATEMENTS IN SESSION CURRENT;
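The logon trigger the tip describes, as an added example that is not from the original slides: it switches on session-level auditing only for logins in the 7:00 PM to 6:00 AM window that do not come from the trusted middle tier. Assumptions: the trigger is created by a user holding AUDIT SYSTEM and ADMINISTER DATABASE TRIGGER, the audit trail is enabled (AUDIT_TRAIL set to DB or OS), and the two middle-tier addresses are placeholders.

```sql
-- Added example (not from the original slides): audit off-hours logins that do
-- not come from the trusted middle tier, using the 11.2 IN SESSION CURRENT clause.
CREATE OR REPLACE TRIGGER audit_off_hours_logon
AFTER LOGON ON DATABASE
DECLARE
  v_hour PLS_INTEGER  := TO_NUMBER(TO_CHAR(SYSDATE, 'HH24'));
  -- IP_ADDRESS is NULL for local (bequeath) connections; treat those as untrusted
  -- rather than letting a NULL comparison silently skip the check
  v_ip   VARCHAR2(64) := NVL(SYS_CONTEXT('USERENV', 'IP_ADDRESS'), 'local');
BEGIN
  -- "Odd hours" per the slide: from 7:00 PM up to (not including) 6:00 AM
  IF (v_hour >= 19 OR v_hour < 6)
     -- Placeholder middle-tier addresses (assumption); replace with the real trusted hosts
     AND v_ip NOT IN ('10.0.0.11', '10.0.0.12')
  THEN
    -- Audits every statement of this session only; the database-wide audit
    -- configuration is left untouched, so daytime work pays no audit overhead
    EXECUTE IMMEDIATE 'AUDIT ALL STATEMENTS IN SESSION CURRENT';
  END IF;
END;
/
```

A failing logon trigger blocks every login except users with ADMINISTER DATABASE TRIGGER, so test it on a non-production database first and confirm the records appear in DBA_AUDIT_TRAIL (or the OS audit files) for an off-hours session.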

22
Oracle Database Auditing Performance
Audit users/tables effectively

• Oracle Database 11.2
• ~250 audit records / second
• Existing CPU Work Load: 50%
• 4 – CPU 3.6 GHz, 4GB RAM
• Linux 2.6.9-34.0.1.0.11.ELsmp

Audit Location              Throughput Degradation   Additional CPU Used above 50%
OS file                     1.39%                    1.45%
XML format file             1.70%                    3.51%
XML format file + SQL Text  3.22%                    4.56%
Database Tables             3.84%                    4.55%
Database Tables + SQL Text  11.93%                   13.95%

23
Oracle Total Recall
Secure Change Tracking

select salary from emp AS OF TIMESTAMP '02-MAY-09 12.00.00 AM' where emp.title = 'admin'

• Transparently track data changes
• Efficient, tamper-resistant storage of archives
• Real-time access to historical data
• Enables forensics and error correction
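How the history behind the AS OF query above is retained and then used for forensics and error correction, as an added example that is not from the original slides: a Flashback Data Archive is attached to EMP, the versions of the admin rows since the slide's timestamp are listed, and a mistaken change is rolled back to the historical value. Assumptions: tablespace FDA_TS exists, EMP has an EMP_ID key column, and the user holds the FLASHBACK ARCHIVE ADMINISTER privilege (all placeholder names).

```sql
-- Added example (not from the original slides): keep seven years of row history
-- for EMP in a Flashback Data Archive and query it for forensics.
CREATE FLASHBACK ARCHIVE hr_fda TABLESPACE fda_ts QUOTA 10G RETENTION 7 YEAR;

-- From now on every change to EMP is kept in the archive; application DML on the
-- table is unchanged and the history rows cannot be edited directly
ALTER TABLE emp FLASHBACK ARCHIVE hr_fda;

-- Forensics: every version of the admin rows since the slide's timestamp, with the
-- transaction id and the kind of change (I/U/D) that produced it
SELECT versions_starttime, versions_endtime, versions_xid,
       versions_operation, salary
  FROM emp VERSIONS BETWEEN TIMESTAMP
       TO_TIMESTAMP('02-MAY-09 12.00.00 AM', 'DD-MON-RR HH.MI.SS AM')
       AND SYSTIMESTAMP
 WHERE title = 'admin'
 ORDER BY versions_starttime NULLS FIRST;

-- Error correction: put each admin salary back to its value as of that timestamp
UPDATE emp e
   SET salary = (SELECT h.salary
                   FROM emp AS OF TIMESTAMP
                        TO_TIMESTAMP('02-MAY-09 12.00.00 AM', 'DD-MON-RR HH.MI.SS AM') h
                  WHERE h.emp_id = e.emp_id)
 WHERE e.title = 'admin';
COMMIT;
```

The versions_xid value is what you correlate with the audit trail (DBA_AUDIT_TRAIL.TRANSACTIONID) to find the session and user behind a suspicious change.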

24
Oracle Configuration Management
Vulnerability Assessment & Secure Configuration

(Diagram: Discover, Classify, Assess, Prioritize, Fix, Monitor, supported by Asset Management, Configuration Management, Policy Management, Vulnerability Management, and Analysis, Analytics & Audit)

• Database discovery
• Continuous scanning against best practices
• Detect and prevent unauthorized configuration changes
• Change management compliance reports

25
European Healthcare Insurance Provider
Simplified Reporting and Stronger Security

Business Challenges
• Internal and external database audit requirements across 10 Oracle and SQL Server databases
• Took 3 months and 2 part time people to create the audit reports for yearly audit
• No monitoring for insider threats

Solution
• Oracle Audit Vault consolidated reporting on audit data from Oracle and SQL Server
• Oracle Audit Vault consolidation of audit data removed DBA from audit review process

Business Results
• Saved 100's of hours in report generation
• Worked with auditors to create customized reports from the out-of-the-box default reports for personalized content
• Estimated return on investment in less than 18 months

26
Large Financial Services Provider
Stronger Controls

Business Challenges
• Audit credit card transactions
• 20+ production Oracle databases with native auditing already turned on
• Need for reports and no resource or budget to create and review them

Solution
• Oracle Audit Vault audit data collection and secure centralized storage
• Audit Vault proactively monitors privileged user access violations, failed database logins, and generates forensic data

Business Results
• Passed internal audits
• Automated reporting on credit card transactions
• Secure consolidation of audit data
• Detected policy violations of database activity
• Deployed in production in 3 months

27
Large European Telco Provider
Address Telco Regulations on Call Records


28
Oracle Database Security
Defense-in-Depth for Security and Compliance

Monitoring: Audit Vault, Total Recall, Configuration Management

Access Control: Database Vault, Label Security

Encryption and Masking: Advanced Security, Data Masking, Secure Backup

29
For More Information

search.oracle.com: "database security"

oracle.com/database/security

30
Oracle Products Available Online

Oracle Store: Buy Oracle license and support online today at oracle.com/store
32
33
