Copyright © 2013, Oracle and/or its affiliates. All rights reserved. Insert Information Protection Policy Classification from Slide 12 1.


2 Latest Innovations in Database Security
Frank Yang, APAC Database Security Product Manager

3 The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.

4 Program Agenda
• Business drivers for database security
• Monitoring Oracle and non-Oracle databases
• New solutions to secure data and applications
• Updates for existing database security features

5 Business Drivers for Data Security
• Protect sensitive data
• Manage Compliance
• Control Costs
• Plan for Growth

6 What Do We Know About Our Attackers?
Slide labels: PERSISTENT, PLANNED, ADVANCED, ADAPTIVE, THREATS, TARGETS
• Apply enough fire power to break weakest link
• Ability to dial-up the attack vector
• Scanning, scoping, infiltrating
• Stay put, but avoid detection
• Infrastructure, IP, and business targets
• Cause harm directly/indirectly

7 Challenges in Securing Databases
• Meeting Ever Changing Threat & Compliance Landscape
• Performance & Management
• Securing Oracle & Non Oracle Databases
• Securing Existing Applications

8 Oracle Database Security Solutions: Protecting Critical Data Infrastructure
• DETECTIVE: Activity Monitoring, Database Firewall
• PREVENTIVE: Privilege User Control, Encryption and Masking
• ADMINISTRATIVE: Data Discovery and Classification, Database Lifecycle Management

9 INTRODUCING ORACLE AUDIT VAULT AND DATABASE FIREWALL

10 Oracle Audit Vault and Database Firewall: New Detective Control for Oracle and Non-Oracle Databases
Diagram labels: Users, Applications; Database Firewall (Allow, Log, Alert, Substitute, Block); Firewall Events; DB Audit Data; OS, Directory & Custom Audit Logs; Custom Server; Audit/Event Warehouse; Policies; Reports; Alerts; Auditor; Security Manager

11 Activity Reports: System Privileges Used

12 Activity Reports: System Privileges Used


14 Oracle Audit Vault and Database Firewall: Comprehensive Auditing and Monitoring Platform
• Technology Differentiators
  – Exceptional horizontal and vertical scalability to support massive volume of data
  – Accurate network monitoring based on SQL grammar
  – Extensible platform with Templates for new custom audit sources (no-coding)
  – Audit policy management and integrated audit trail cleanup
  – Compliance/custom reports/alerts and workflow without overloading the security team
  – Information lifecycle management for target specific retention
• Deployment Simplicity
  – Start with auditing and extend to monitoring; or vice-versa
  – Ease of deployment with “software appliance” on your hardware
  – Multiple deployment modes: in-line, out-of-band, proxy, host-based, HA

15 INTRODUCING ORACLE DATA REDACTION
xxxx-xxxx-xxxx-4368

16 Oracle Data Redaction: New Preventive Control
• Real-time redaction of sensitive data based on context
• Transparent to applications, no code changes required
• Consistent enforcement within the database
• No changes in regular database operations
Diagram: a Policy sits in front of the stored Credit Card Numbers (4451-2172-9841-4368, 5106-8395-2095-5938, 7830-0032-0294-1827). The Call Center Application sees xxxx-xxxx-xxxx-4368; Credit Card Processing sees 4451-2172-9841-4368.

17 Supported Transformations
Transformation | Stored Data | Redacted Results
Full | 10/09/1992 | 01/01/2001
Partial | 052-51-2147 | XXX-XX-2147
RegExp | tim.lee@acme.com | [hidden]@acme.com
Random | 4451-2172-9841-4368 | 4943-6344-0547-0110

18 Declarative Multi-factor Policies
Data Redaction Policy:
• Policy identification
• What to redact?
• How to redact?
• When to redact?
Defined through PL/SQL APIs, Enterprise Manager
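Added example (not from the presentation): a redaction policy written with the DBMS_REDACT PL/SQL API that answers the what/how/when questions above for the call-center case on slide 16 and the Partial and RegExp rows on slide 17. The schema APP, table PAYMENTS, its columns and the role CARD_PROCESSING are assumptions made for illustration.

```sql
-- Constructed sample table; all object names here are assumptions.
CREATE TABLE app.payments (
  customer_id NUMBER,
  card_number VARCHAR2(19),    -- stored as NNNN-NNNN-NNNN-NNNN
  email       VARCHAR2(100)
);

BEGIN
  -- Policy identification + WHAT (column) + HOW (partial) + WHEN (expression).
  DBMS_REDACT.ADD_POLICY(
    object_schema       => 'APP',
    object_name         => 'PAYMENTS',
    policy_name         => 'REDACT_PAYMENT_PII',
    column_name         => 'CARD_NUMBER',
    function_type       => DBMS_REDACT.PARTIAL,
    -- input format, output format, mask character, first and last digit to mask:
    -- digits 1-12 become 'x', the last four stay visible.
    function_parameters => 'VVVVFVVVVFVVVVFVVVV,VVVV-VVVV-VVVV-VVVV,x,1,12',
    -- Redact unless the session has the (hypothetical) CARD_PROCESSING role enabled.
    expression          => q'[SYS_CONTEXT('SYS_SESSION_ROLES','CARD_PROCESSING') = 'FALSE']'
  );

  -- Add a second column to the same policy, using a regular expression
  -- to hide the local part of the e-mail address and keep the domain.
  DBMS_REDACT.ALTER_POLICY(
    object_schema         => 'APP',
    object_name           => 'PAYMENTS',
    policy_name           => 'REDACT_PAYMENT_PII',
    action                => DBMS_REDACT.ADD_COLUMN,
    column_name           => 'EMAIL',
    function_type         => DBMS_REDACT.REGEXP,
    regexp_pattern        => '^[^@]+@(.+)$',
    regexp_replace_string => '[hidden]@\1',
    regexp_position       => DBMS_REDACT.RE_BEGINNING,
    regexp_occurrence     => DBMS_REDACT.RE_ALL
  );
END;
/

-- The application query is unchanged; the result depends on the session.
SELECT customer_id, card_number, email FROM app.payments;
```

Sessions holding the EXEMPT REDACTION POLICY system privilege see the stored values regardless of the policy expression, so grants of that privilege belong in the review. Redaction changes what a query returns, not which rows a WHERE clause can match, so it complements access control rather than replacing it.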

19 Redaction Using Enterprise Manager

20 INTRODUCING PRIVILEGE ANALYSIS

21 Privilege Use Analysis: Reduce Attack Surface
• Report on actual privileges and roles used in the database
• Revoke unnecessary privileges and roles as needed
• Help enforce least privilege and reduce risks
Diagram labels: Privilege Analysis; Create …, Select …, Update …; DBA role, APPADMIN role

22 Privilege Analysis: System Privileges Used

23 Privilege Analysis: Unused Privileges to be Revoked?

24 INTRODUCING UNIFIED AUDITING

25 Oracle Database Auditing: Catch Anomalies with Conditional Auditing
• Policy Based: Set of privileges, objects, actions auditing managed as a group
• Conditional: Multi-factor auditing to easily catch anomalies
• User Exceptions: Audit all access except when connected by ….
• Extensible Syntax: Add context data: realms, labels, app context, etc.
• Unified Audit: Secure, Performant

26 Create Custom Audit Policies
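Added example (not from the presentation): a unified audit policy that combines the policy-based, conditional and user-exception ideas from slide 25. The table finance.cust is the one named on the Database Vault slide; the address 192.0.2.10, the account APP_BATCH and the policy name are constructed placeholders.

```sql
-- Policy based: group the audited actions on the sensitive table under one name.
-- Conditional: record them only when the session does NOT come from the
-- application server address (placeholder 192.0.2.10), i.e. the anomalous path.
CREATE AUDIT POLICY finance_cust_direct_access
  ACTIONS SELECT ON finance.cust,
          INSERT ON finance.cust,
          UPDATE ON finance.cust,
          DELETE ON finance.cust
  WHEN 'SYS_CONTEXT(''USERENV'',''IP_ADDRESS'') NOT IN (''192.0.2.10'')'
  EVALUATE PER SESSION;

-- User exception: audit everyone except the (hypothetical) batch account.
AUDIT POLICY finance_cust_direct_access EXCEPT app_batch;

-- Review what the policy captured in the unified audit trail.
SELECT event_timestamp,
       dbusername,
       action_name,
       object_schema,
       object_name,
       sql_text
FROM   unified_audit_trail
WHERE  unified_audit_policies LIKE '%FINANCE_CUST_DIRECT_ACCESS%'
ORDER  BY event_timestamp DESC;

-- To retire the policy: disable it first, then drop it.
NOAUDIT POLICY finance_cust_direct_access;
DROP AUDIT POLICY finance_cust_direct_access;
```

Every account listed after EXCEPT is a blind spot for this policy, so the exception list should stay short and be reviewed together with the audit records.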

27 INTRODUCING REAL APPLICATION SECURITY

28 HR Application Security Requirements
Employees can view public information.
Name | Manager | SSN | Salary | Phone_Number
Adam | Gerald | | | 650.506.1111
Julia | Adam | | | 650.124.5234
James | Adam | | | 515.124.4567
Steven | Adam | | | 515.124.4269
Shanta | Steven | | | 650.121.2994
Payam | Steven | | | 590.423.4569
Michael | Payam | | | 650.507.9877

29 HR Application Security Requirements
Public page contains basic employee information.
- Users in Employee role can view public record.
An employee can view his own record and update his contact information.
Name | Manager | SSN | Salary | Phone_Number
Adam | Gerald | | | 650.506.1111
Julia | Adam | | | 650.124.5234
James | Adam | | | 515.124.4567
Steven | Adam | 444-44-4444 | 12030 | 515.333.1233
Shanta | Steven | | | 650.121.2994
Payam | Steven | | | 590.423.4569
Michael | Payam | | | 650.507.9877

30 HR Application Security Requirements
Manager can view salary of his organization.
Name | Manager | SSN | Salary | Phone_Number
Adam | Gerald | | | 650.506.1111
Julia | Adam | | | 650.124.5234
James | Adam | | | 515.124.4567
Steven | Adam | 444-44-4444 | 12030 | 515.333.1233
Shanta | Steven | | 8900 | 650.121.2994
Payam | Steven | | 6500 | 590.423.4569
Michael | Payam | | 7900 | 650.507.9877

31 HR Application Security Requirements
HR representative can view employee SSN.
Name | Manager | SSN | Salary | Phone_Number
Adam | Gerald | 111-11-1111 | | 650.506.1111
Julia | Adam | 222-22-2222 | | 650.124.5234
James | Adam | 333-33-3333 | 9700 | 515.124.4567
Steven | Adam | 444-44-4444 | | 515.333.1233
Shanta | Steven | 555-55-5555 | | 650.121.2994
Payam | Steven | 666-66-6666 | | 590.423.4569
Michael | Payam | 777-77-7777 | | 650.507.9877

32 Real Application Security
Diagram labels: HR Application and CRM Application, each with Business Logic, Security Policy, and Users and Roles; Shared, All-Powerful Connection; Direct, Uncontrolled Access; Light Weight Sessions; Security Enforced on Direct Connections; Identity/Policy Store

33 ENHANCEMENTS TO SECURITY FEATURES

34 Performance Leap for Sec. Features: Eliminating Performance as an Issue
Component | Speed-up*
Database Vault | 10 - 15x
Label Security | 10 - 25x
Advanced Security Transparent Data Encryption | 5 - 7x**
Advanced Security Network Encryption | 5 - 7x**
Database Auditing | 2 - 5x
* On Developer machine; Formal performance tests TBD
** With hardware acceleration on Intel or Oracle SPARC

35 Cryptographic Enhancements
• SHA-512 for Password verifiers, Certificate signatures, DBMS_CRYPTO
• Cryptographic hardware acceleration
  – Network encryption, DBMS_CRYPTO toolkit and other operations
  – Now on Windows, in addition to Linux and Solaris
• FIPS 140 validation for cryptographic operations
• Export/import/merge operations to move individual keys
• Operations to migrate keys between wallet and HSM keystore

36 Oracle Database Vault
• Seal off access to sensitive data even when emergency access is given to application DBA or support analyst
• Freeze all security settings identified by Privilege Analysis: roles, grants, …
• Single command to enable Database Vault
Diagram labels: Mandatory Realm; select * from finance.cust

37 Privilege User Controls
• Strong password policies, prohibit account sharing
• Least privilege analysis for privileged users
• Separation of duty with task specific roles
• Multi-factor authorization controls
• Multi-factor conditional and exception based auditing
• Audit top level and recursive SQL statements
• Database Vault Realms
• Monitoring activities through Audit Vault and Database Firewall

38 Improving Database Security Posture
• Out-of-the-box audit policies (Account Management, Security Configuration, Database Parameters)
• Mandatory audit of audit administration
• New roles for Audit Reviewer, Audit Administrator
• New roles for Key Management, Backup, Data Guard
• New Kerberos stack
• Running Oracle Database as a Windows service

39 Building Secure Applications
• Sensitive data discovery, Least privilege analysis
• Multi-factor authorization, auditing, and redaction
• Virtual Private Database for row/column security
• Label based access control
• Secure Application Context
• Code-based access control (CBAC) associates privileges with code
• Real Application Security

40 Enterprise Manager Security Console: Simplified Management
• Centralized Console
• Events and alerts
• Policy management
• Step-by-step
• Create by examples
• Format libraries

41 Discover Sensitive Data: Administrative Control
• Scan databases for sensitive data
• Create and maintain application data models
• Encrypt, redact, mask, audit…

42 Securely Provisioning Test Systems: Mask Sensitive Data for Test/Dev.
• Masking at-Source minimizes sensitive data exposure
• Application Masking Templates
  – E-Business Suite 12.1.3
  – Fusion Applications
  – PeopleSoft (planned with PTools 8.5.3)
• Self-updated masking templates
  – EM store @ Oracle
Diagram labels: Prod; Test; Subsetted & Masked Data Pump File; Before; New; At-Source Masking

43 Oracle Database Security Solutions: Maximum Security for Critical Data Infrastructure
• DETECTIVE: Activity Monitoring, Database Firewall
• PREVENTIVE: Redaction and Masking, Encryption
• ADMINISTRATIVE: Data Discovery and Classification, Database Lifecycle Management

44 Oracle Database Security Key Benefits
• Simple and Flexible
• Security and Compliance
• Enterprise Ready
• Speed and Scale
