1. Oracle Database 11g Release 2 Security Update and Plans Defense-in-Depth Vipin Samar Vice President, Oracle Database Security.

Presentation transcript:

1 Oracle Database 11g Release 2 Security Update and Plans Defense-in-Depth Vipin Samar Vice President, Oracle Database Security

3 Program Agenda
- Today’s Threat Landscape
- Defense-in-Depth Approach
- Oracle Database Security Solutions
- Oracle Database Firewall New!
- Summary
- Q&A

4 Why Secure the Database?
- What’s new now? Exploding data; highly available data; sophisticated hackers; opportunistic insiders
- Lot at stake: Customer, employee, citizen, corporate data; reputation; fines & penalties
- Deployment triggers: Audit findings; outsourcing/offshoring; data consolidation; data breaches in sector

5 Security Technologies Deployed Authentication Identity Management Network Security Vulnerability Mgmt End Point Security Security Other Security Employee Customer Citizen DB Security?

6 How Data Gets Compromised? Source: Verizon 2010 Data Breach Investigations Report

Data Breach Investigations Report 92% of Records from Compromised Databases Where Losses Come From?

8 Top Attack Techniques % Breaches and % Records 2010 Data Breach Investigations Report Most records lost through “Stolen Credentials” & “SQL Injection”

9 Existing Security Solutions Not Enough Application Database Administrators Data Must Be Protected in depth Application Users Botware Malware Key Loggers Espionage Phishing SQL Injection Social Engineering Web Users

10 Database Security Defense-In-Depth Approach
- Monitor and block threats before they reach databases
- Control access to data within the databases
- Track changes and audit database activity
- Encrypt data to prevent direct access
- Implement with
  – Transparency – no changes to existing applications
  – High Performance – no measurable impact on applications
  – Accuracy – minimal false positives and negatives

11 Oracle Database Security Defense-in-Depth
- Access Control: Oracle Database Vault, Oracle Label Security
- Encryption and Masking: Oracle Advanced Security, Oracle Secure Backup, Oracle Data Masking
- Auditing and Tracking: Oracle Audit Vault, Oracle Configuration Management, Oracle Total Recall
- Monitoring and Blocking: Oracle Database Firewall

12 Oracle Database Security Defense-in-Depth
- Encryption and Masking: Oracle Advanced Security, Oracle Secure Backup, Oracle Data Masking

13 Oracle Advanced Security End–to–end Encryption
- Efficient encryption of all application data
- Built-in key lifecycle management
- No application changes required
- Works with Exadata and Oracle Advanced Compression
[Diagram labels: Application, Disk, Backups, Exports, Off-Site Facilities]

14 Oracle Advanced Security Integrated with Oracle Enterprise Manager

15 TDE Column Encryption Integrated with Oracle Enterprise Manager

16 Oracle Advanced Security What’s New and Coming?
- Hardware Acceleration Support
  – Performance overhead already < 10% for most applications
  – 7-10x performance gain with Intel Advanced Encryption Standard New Instructions (AES-NI) and Oracle SPARC T-3
- Key Management and HSM Support
  – Certified with SafeNet, Thales, Utimaco using PKCS #11
  – Planned support for Oracle’s Key Management System

17 Oracle Data Masking Irreversible De-Identification
- Mask sensitive data for test and partner systems
- Sophisticated masking: Condition-based, compound, deterministic
- Extensible template library and policies for automation
- Leverage masking templates for common data types
- Integrated masking and cloning
- Masking of heterogeneous databases via database gateways
- Command line support for data masking tasks
[Figure: a Production table with columns LAST_NAME, SSN, SALARY (rows AGUILAR, BENSON) beside its masked Non-Production copy (rows ANSKEKSL, BKJHHEIEDK); the slide also carries a "New" badge]

18 Oracle Data Masking What’s Coming?
- Sensitive data identification based on privacy attributes
- Application Masking templates for E-Business Suite, Fusion Applications

19 Oracle Database Security Defense-in-Depth
- Access Control: Oracle Database Vault, Oracle Label Security
- Encryption and Masking: Oracle Advanced Security, Oracle Secure Backup, Oracle Data Masking

20 Oracle Database Vault Separation of Duties & Privileged User Controls
- Restricts application data from privileged users
- DBA separation of duties
- Securely consolidate application data
- No application changes required
- Works with Oracle Exadata
[Diagram labels: Procurement, HR, Finance, Application, DBA issuing "select * from finance.customers"]

21 Oracle Database Vault Multi-Factor Access Control Policy Enforcement
- Protect application data and prevent application by-pass
- Enforce who, where, when, and how using rules and factors
  – User Factors: Name, Authentication type, Proxy Enterprise Identity
  – Network Factors: Machine name, IP, Network Protocols
  – Database Factors: IP, Instance, Hostname, SID
  – Runtime Factors: Date, Time
[Diagram labels: Procurement, HR, Rebates, Application]

22 Oracle Database Vault Out-of-the Box Protections For Applications
- Pre-built policies with further possible customization
- Complements application security
- Transparent to existing applications
- Minimal performance overhead
- Certifications Underway:
  – Oracle Hyperion
  – Oracle Tax and Utilities
[Applications listed on the slide: Oracle E-Business Suite 11i / R12; PeopleSoft Applications; Siebel, i-Flex, Retek; JD Edwards EnterpriseOne; SAP; Infosys Finacle]

23 Oracle Label Security Data Classification for Access Control
- Classify users and data based on business drivers
- Database enforced row level access control
- Users classification through Oracle Identity Management Suite
- Classification labels can be factors in Database Vault
[Diagram labels: Confidential, Sensitive, Transactions, Report Data, Reports, Sensitive, Confidential, Public]

24 Oracle Database Security Defense-in-Depth
- Access Control: Oracle Database Vault, Oracle Label Security
- Encryption and Masking: Oracle Advanced Security, Oracle Secure Backup, Oracle Data Masking
- Auditing and Tracking: Oracle Audit Vault, Oracle Configuration Management, Oracle Total Recall

25 Oracle Audit Vault Automated Audit Collection and Reporting
- Consolidate audit data into a secure warehouse
- Create/customize compliance and entitlement reports
- Detect and raise alerts on suspicious activities
- Centralized audit policy management
- Integrated audit trail cleanup
[Diagram labels: CRM Data, ERP Data, Databases, HR Data, Audit Data, Policies, Built-in Reports, Alerts, Custom Reports, Auditor]

26 Oracle Audit Vault Consolidated Reports Span Enterprise Databases

27 Oracle Audit Vault Default Reports

28 Oracle Configuration Management Secure Configuration & Change Tracking
- Continuous scanning against best practices and gold baselines
- 200+ out-of-the-box policies spanning host, database, and middleware
- Real-time detection of changes to processes, files, etc.
- Violations can trigger s, and create tickets
- Compliance reports mapped to compliance frameworks
- Optimized for Oracle with Industry Specific Compliance Dashboards
[Diagram labels: User-defined Policies & Groups, Real-Time Change Detection, Industry & Regulatory Frameworks, Compliance Dashboard, Out-of-box Policies]

29 Oracle Database Security Defense-in-Depth
- Access Control: Oracle Database Vault, Oracle Label Security
- Encryption and Masking: Oracle Advanced Security, Oracle Secure Backup, Oracle Data Masking
- Auditing and Tracking: Oracle Audit Vault, Oracle Configuration Management, Oracle Total Recall
- Monitoring and Blocking: Oracle Database Firewall

30 Oracle Database Firewall First Line of Defense
- Prevent unauthorized activity, application bypass and SQL injections
- Highly accurate SQL grammar based analysis
- Flexible enforcement options
- Built-in and custom compliance reports
[Diagram labels: Applications, Policies, Built-in Reports, Alerts, Custom Reports; enforcement actions: Block, Log, Allow, Alert, Substitute]

31 Oracle Database Firewall Security Model
- White-list based policies enforce normal or expected behavior
- Evaluate factors such as time, day, network, app, etc.
- Easily generate white-lists for any application
- Log, alert, block or substitute out-of-policy SQL statements
- Black lists to stop unwanted SQL commands, user, or schema access
- Superior performance and policy scalability based upon clustering
[Diagram labels: White List, Applications, Block, Allow]

32 Oracle Database Firewall Deployment Architecture
- In-line blocking and monitoring, or out-of-band monitoring modes
- Monitoring of remote databases by forwarding network traffic
- Centralized policy management and reporting
- High availability options for Database firewalls and Management Servers
- Support for multiple Oracle/non-Oracle Databases with the same firewall
[Diagram labels: Management Server, In-Line Blocking and Monitoring, HA In-Line Mode, Inbound SQL Traffic, Out-of-Band Monitoring, Management Server, Policy Analyzer]

33 Oracle Database Security – Big Picture Procurement HR Rebates Encrypted Backups Encrypted Database Encrypted Exports Data Masking Audit consolidation Procurement HR Rebates Sensitive Confidential Public Local DBA Privilege Mis-Use DB Consolidation Security Unauthorized Local Activity Applications Block Log Allow Alert Substitute Network SQL Monitoring and Blocking

34 Oracle Database Security Key Differentiators
- Transparent
- Performant
- Certified with Applications
- Best-in-Class Defense-in-Depth

35 More Oracle Database Security Presentations
Monday:
– 12:30 pm: Making a Business Case for Information Security MS 300
– 3:30 pm: Oracle Database 11g Release 2 Security: Defense-in-Depth MS 103
Tuesday:
– 12:30 pm: Real-World Deployment and Best Practices: Oracle Audit Vault MS 104
– 2:00 pm: Real-World Deployment and Best Practices: Oracle Advanced Security MS 300
– 2:00 pm: Best Practices for Ensuring the Highest Enterprise Database Security MS 304
– 3:30 pm: Database Security Event Management: Oracle Audit Vault and ArcSight MS 300
– 5:00 pm: Real-World Deployment and Best Practices: Oracle Database Vault MS 303
Wednesday:
– 10:00 am: Protect Data and Save Money: Aberdeen MS 306
– 11:30 am: Preventing Database Attacks With Oracle Database Firewall MS 306
– 4:45 pm: Centralized Key Management and Performance: Oracle Advanced Security MS 306
Thursday:
– 10:30 am: Deploying Oracle Database 11g Securely on Oracle Solaris MS 104
MS = Moscone South

36 Oracle Database Security Hands-on-Labs
Monday:
– Database Vault 11:00AM | Marriott Marquis, Salon 10 / 11
– Database Vault 5:00PM | Marriott Marquis, Salon 10 / 11
Tuesday:
– Database Security 11:00AM | Marriott Marquis, Salon 10 / 11
Thursday:
– Advanced Security 12:00PM | Marriott Marquis, Salon 10 / 11
– Audit Vault 1:30PM | Marriott Marquis, Salon 10 / 11

37 Oracle Database Security Demo Grounds
Moscone West
- Oracle Database Firewall
- Oracle Database Vault
- Oracle Label Security
- Oracle Audit Vault
- Oracle Advanced Security
- Oracle Database 11g Release 2 Security
Exhibition Hours
- Monday, September 20: 9:45 a.m. - 5:30 p.m.
- Tuesday, September 21: 9:45 a.m. - 5:30 p.m.
- Wednesday, September 22: 9:00 a.m. - 4:00 p.m.

38 The preceding is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.

39 For More Information oracle.com/database/security search.oracle.com database security

40 Q & A