5. 2010 11-03 bucharest oracle-tech_day_security

Security for Data at the Source in Public and Private Sector 3rd November 2010, Bucharest Michael Bürger Product Director EECIS, Security and Manageability

Upload: doina-draganescu

Post on 18-Nov-2014


Page 1: 5. 2010 11-03 bucharest oracle-tech_day_security

Security for Data at the Source in Public and Private Sector

3rd November 2010, Bucharest

Michael Bürger

Product Director EECIS, Security and Manageability

Page 2: 5. 2010 11-03 bucharest oracle-tech_day_security

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions.

The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.

Page 3: 5. 2010 11-03 bucharest oracle-tech_day_security

Agenda

• Business Drivers

• DB Security in the Data Center

• New 11g Features and Certifications

• Customers in Vertical Industries

• Conclusions

Page 4: 5. 2010 11-03 bucharest oracle-tech_day_security

Business Drivers for Security

Page 5: 5. 2010 11-03 bucharest oracle-tech_day_security

End to End Oracle Security Solutions

Securing Data at the Source

• Application Security

• Identity and Access Management

• Database Security

• Infrastructure Security

Page 6: 5. 2010 11-03 bucharest oracle-tech_day_security

Source: Gartner DataQuest, 2008; Forrester Database Security Market Report, 2009

#1 Database, Most Secure

“Most DBMS vendors offer basic security features; Oracle’s offering is most comprehensive.”

Page 7: 5. 2010 11-03 bucharest oracle-tech_day_security

How is Data Compromised?

Source: Verizon 2010 Data Breach Investigations Report

Page 8: 5. 2010 11-03 bucharest oracle-tech_day_security

Entry Points DB Security 11g

Business Drivers

• GRC: Governance, Risk Management, Compliance

• Security Threats

• Cost reduction

Page 9: 5. 2010 11-03 bucharest oracle-tech_day_security

Oracle Database Security Business Drivers

Most relevant in EECIS, the minimum bundle on data level

Business drivers:

• Reduce & avoid Security Costs
• Compliance & Regulation
• Security Threats internal & external

Products:

• Audit Vault
• Label Security
• Configuration Management for Policies
• DB Vault, DBA Access Control
• Data Mask for Developers
• Advanced Security Option for Encryption
• Database Firewall

Page 10: 5. 2010 11-03 bucharest oracle-tech_day_security

DB Security in the Data Center

Page 11: 5. 2010 11-03 bucharest oracle-tech_day_security

DB Security in the Data Center

Page 12: 5. 2010 11-03 bucharest oracle-tech_day_security

DB environment

Application users, DBAs, Developers, Security Officer

Page 13: 5. 2010 11-03 bucharest oracle-tech_day_security

Securing data at rest

Application users protected by

Transparent Data Encryption 10g Column

Transparent Data Encryption 11g Tablespace

Page 14: 5. 2010 11-03 bucharest oracle-tech_day_security

Securing data in motion

Application users protected by

Transparent Data Encryption 10g Network

Transparent Data Encryption 10g Tapes

DB Firewall Network Realtime SQL Analyzer

Page 15: 5. 2010 11-03 bucharest oracle-tech_day_security

Securing data for testing

Developers protected by

Data Mask 10g

Page 16: 5. 2010 11-03 bucharest oracle-tech_day_security

Preventing unauthorized modification

DBAs protected by

DB Vault 9i

Page 17: 5. 2010 11-03 bucharest oracle-tech_day_security

Highly secured DB environment

"preventive and detective"

Application users protected by

• Transparent Data Encryption 10g Column
• Transparent Data Encryption 11g Tablespace
• Transparent Data Encryption 10g Network
• Transparent Data Encryption 10g Tapes
• DB Firewall Network Realtime SQL Analyzer

Developers protected by

• Data Mask 10g

DBAs protected by

• DB Vault 9i

Security Officer protected by

• Audit Vault 10g

Page 18: 5. 2010 11-03 bucharest oracle-tech_day_security

New 11g Features and Certifications

Page 19: 5. 2010 11-03 bucharest oracle-tech_day_security

Oracle Advanced Security 11g Table Space Encryption, e.g. for ODB based HR systems

Diagram labels: Disk, Backups, Exports, Off-Site Facilities

• Any employee user with operating system access can sniff data and copy it
• 11g Table Space Encryption encrypts sensitive HR data at rest
• Data in motion traveling on the network is encrypted from 10g on
• Rapid implementation of 11g Table Space Encryption
• No identification of the fields required: just create an encrypted table space as part of the upgrade and use that table space for the HR system on ODB; rapid index queries
• This is totally transparent, without application change
• Minimal preparation within the 11g upgrade and all the data is protected
• Less administration & performance impact compared to 10g column encryption

Page 20: 5. 2010 11-03 bucharest oracle-tech_day_security

Oracle Database Vault

Privileged User Access Control on Data level and Multifactor Authorization

Diagram labels: Procurement, HR, Finance; Application; DBA: select * from finance.customers

Power users can access sensitive data (HR, Credit Cards) and publish it

SoD (segregation of duties) prevents unauthorized new account creation or password change:

(1) Application owners to create new accounts
(2) DB Vault protects DBAs: they can manage the data, but can't modify it
(3) Security officers to grant access rights according to written policies

Certified Realms to protect all tables in EBS, SAP or ISV HR Systems

Brings Security Policies into production according to CIA application ratings*

* CIA principles: Confidentiality, Integrity and Availability; who can delete, copy or change what?
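A realm of the kind described on this slide, as an added example that is not part of the original slides: it places the FINANCE schema from the diagram in a realm and authorizes only an application account. The realm name and the FINANCE_APP account are hypothetical, and the block is run by an account holding the Database Vault owner role.

```sql
-- Added example, not from the slides. 'Finance Realm' and FINANCE_APP are
-- hypothetical names. Run as a Database Vault owner (DV_OWNER role).
BEGIN
  -- Create the realm and audit every failed attempt to get into it.
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'Finance Realm',
    description   => 'Protects all objects in the FINANCE schema',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);

  -- Put every object of the schema under the realm.
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'Finance Realm',
    object_owner => 'FINANCE',
    object_name  => '%',
    object_type  => '%');

  -- Authorize the application account as a participant. A DBA account is
  -- deliberately not added, so system privileges such as SELECT ANY TABLE
  -- no longer reach the realm's objects.
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name   => 'Finance Realm',
    grantee      => 'FINANCE_APP',
    auth_options => DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);
END;
/

-- Review what the realm covers and who is authorized in it.
SELECT * FROM dvsys.dba_dv_realm_object WHERE realm_name = 'Finance Realm';
SELECT * FROM dvsys.dba_dv_realm_auth   WHERE realm_name = 'Finance Realm';
```

With the realm enabled, the DBA statement from the diagram is refused and recorded as a failed realm access, while the same query from FINANCE_APP still depends on its ordinary object grants.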

Page 21: 5. 2010 11-03 bucharest oracle-tech_day_security

Oracle Database Firewall

First Line of Defense

• Monitor db activity to prevent unauthorized db access, SQL injections, privilege or role escalation, illegal access to sensitive data, etc., according to Security Policies
• SQL grammar analysis for Firewall activities (allow, log, alert, substitute, block)
• Scalable architecture provides enterprise performance in all deployment modes
• Built-in and custom compliance reports for SOX, PCI, and other regulations
• Whitelists or blacklists consider time of day, day of week, network, application, etc.

Diagram labels: Applications; Policies; Allow, Log, Alert, Substitute, Block; Alerts; Built-in Reports; Custom Reports

Page 22: 5. 2010 11-03 bucharest oracle-tech_day_security

Fastest high volume DB Security Machine

Brings Security Policies in Production with Exadata

Zero impact 11g R2 TableSpace Encryption

Secure high volume Network Traffic Encryption

Fastest real time SQL analyzer hacker resistant

Compliant data center consolidation

Sensitive Data Warehouse access control

Page 23: 5. 2010 11-03 bucharest oracle-tech_day_security

Customers in Vertical Industries

Page 24: 5. 2010 11-03 bucharest oracle-tech_day_security

Oracle DB Security cross-industry EECIS

Banking

Telecommunications

Public Sector

Insurances

Retail, Utilities, other

CIPS

Page 25: 5. 2010 11-03 bucharest oracle-tech_day_security

Case Study – Public Sector Romania

DB Vault, Advanced Security

RESULTS

• From the business point of view, the use of Advanced Security and DB Vault facilitates the reduction of risks like information theft or leaks, fraudulent alterations of data, and bad publicity
• From the technical point of view, the solution will have to protect all private data used by key applications
• Implementation will be done by Oracle Partner, with 1 year left for finishing the project
• Customer does not take reference calls or visits

BUSINESS CHALLENGE

• Nation-wide project with confidential data
• The business drivers are regulations and preventive concepts
• DB Security part of a larger project
• Customer expects to ensure the confidentiality of stored data, in transfer and storage, while preventing unauthorized access from privileged accounts.

ORACLE SOLUTION

• Customer in Public Sector bought DB Vault and Advanced Security in Nov 2009
• Products are used on all servers
• Customer also uses Oracle IdM Access Manager for web access control
• Oracle gained a strong vendor position at customer with significant footprint for Enterprise Security

Page 26: 5. 2010 11-03 bucharest oracle-tech_day_security

Case Study – Telecom in Central Europe

DB Vault, Advanced Security

RESULTS

• Pilot release of implementation in progress
• DB Vault and ASO Encryption to protect and encrypt the sensitive customer data that Siebel CRM is running on
• Successful implementation is the only criterion that may lead to the next phase of the project
• Delivery of project by Oracle partner Accenture
• Customer is not taking reference calls or visits

BUSINESS CHALLENGE

• Drivers:
  • Big gap between IT and Business
  • Bring Business processes to IT and develop relevant IT services
  • Project start at 2007 Service Order management - Tower
  • Merger of 2 Telecom companies
  • Integrated Order Management (IOM) based on SIEBEL
  • IT recognized that SIEBEL is not enough… (much logic needs to be implemented at the level of integration, processes, custom apps)
  • Data security is crucial; security violations as a business driver to invest in Security solutions.
  • Customer Data Security & Compliance requirements (ISO27001 Compliance regulation relevant for Telco)
• Partner: Accenture

ORACLE SOLUTION

• Oracle technology on site: DB, IAS, SOA Suite 10 (first major adoption of SOA in this country)
• FMW stack + DB EE, Partitioning, RAC, Advanced Security, DB Vault, Diag, Tun, Config packs in Dec 2009.
• Managed systems: IOM based on SIEBEL
• Oracle is trusted technology vendor (Presales) and advisor of Eastern European ICCC Competence Center Bratislava
• Sales process:
  • Long-term relationships with Enterprise Architect, DB admin, Development unit managers and senior developers, etc.
  • Good cooperation between partner and Oracle ASR

Page 27: 5. 2010 11-03 bucharest oracle-tech_day_security

Case Study – Bankart Financial Services

DB Vault, Audit Vault

RESULTS

• Reaching PCI compliance is expected from business point of view
• Technically, Bankart decided on an Oracle-centric PCI approach
• Project started in June 2009, first phase (change of an application, use of DB Vault and set-up of Audit Vault) until 2010
• Internal IT together with local security partner OSI
• Customer has published a snapshot story and is available for reference calls and visits

BUSINESS CHALLENGE

• Bankart is the largest Credit Card processing company in Slovenia
• PCI Compliance was business demand
• CIO started internal project to reach PCI compliance in one year
• Avoiding costs and simplifying the audit reporting

ORACLE SOLUTION

• Customer bought Audit and Database Vault in May 2009
• All Production and Test systems are managed by DB Sec component, together with MS SQL server as one Audit source
• Platform is HP-UX, Oracle 10gR2, MS SQL 2005
• Other DB Sec products (Advanced Security - TDE, Conf. Mgm. Packs) are still under evaluation

Page 28: 5. 2010 11-03 bucharest oracle-tech_day_security

Case Study – Bank in Munich Germany

Advanced Security and DB Vault for SAP HR

RESULTS

• Customer is compliant with internal security policies (regulations)
• Only authorized HR employees have data access to HR data. Privileged users like DBAs, network administrators, system administrators aren’t able to access the HR data
• Oracle Partner was involved as consulting firm and system integrator; the solution is implemented and works with SAP
• The customer is not taking reference calls

BUSINESS CHALLENGE

• The customer wanted to protect SAP HR data against unauthorized access
• The customer wanted to comply with internal security policies
• It was an HR project, so the HR department was the sponsor
• There was a re-organization SAP project and data privacy was an important part of this project.
• Only authorized HR employees should have access to HR data. Privileged users like DBAs, network administrators, system administrators shouldn’t be able to access the HR data

ORACLE SOLUTION

• The customer purchased Oracle Advanced Security and Oracle Database Vault to prevent unauthorized access to sensitive HR data in August 2009
• It is one of the first “DB Vault for SAP” implementations worldwide
• 10 CPUs SUN Solaris system is now protected with Oracle Advanced Security and Oracle Database Vault; both products are certified for SAP/R3

Page 29: 5. 2010 11-03 bucharest oracle-tech_day_security

Case Study – ApoBank Germany

DB Vault and ASO for ODB based ISV HR

RESULTS

• DB Vault supports segregation of duties and enables logging of all changes in the data schema; DBAs can manage but can't see data
• ASO (Advanced Security Option) includes encryption; ASO encrypts data
  • on disk
  • incl. backups
  • and in motion, for data traveling on the network, safe against insider threats; nobody can modify or copy sensitive HR data
• Cost savings achieved based on server consolidation for centralized HR data and secure HR process optimization
• The customer is taking reference calls and visits

BUSINESS CHALLENGE

• Business drivers
  • to centralize highly sensitive HR data on fewer servers for cost savings and more efficiency in HR processes
  • to protect this type of sensitive HR data containing salary info, but transparent to the HR application
• No segregation of duties before; DB administration and HR had the same rights to copy, change or delete data
• Target to strictly split access rights; only HR can see the data

ORACLE SOLUTION

• Customer has 2,000 employees across Germany
• DB Vault and Advanced Security Option purchased in 2008
• Partner MT AG involved in implementation
• Oracle Encryption works transparently to the application, meaning without any change to the HR system running on Oracle Database

Page 30: 5. 2010 11-03 bucharest oracle-tech_day_security

Case Study – CMC Markets Financial Services UK

DB Vault and ASO for E-Business Suite HR

RESULTS

• Segregation of Duties has been achieved according to Security policies and vertical industry regulations
• Protecting the privacy of sensitive data
  • Customer data
  • Employee data such as salary information
• The customer is taking reference calls and visits

BUSINESS CHALLENGE

• The customer is focused on providing access to online trading markets across the globe
• The key business driver is to ensure the customer's reputation by keeping customer and salary data confidential against insider threats
• To comply with vertical industry specific regulations in financial services.
• Simplify the audit process by providing a secure audit infrastructure

ORACLE SOLUTION

• Oracle DB Vault, Advanced Security Option and Audit Vault purchased in 2008
• This is the first EBS customer in Europe with DB Security
• DB Security in production with
  • RAC Real Application Cluster
  • EBS E-Business Suite incl. HR data
  • Oracle Database 10g

Page 31: 5. 2010 11-03 bucharest oracle-tech_day_security

Case Study – Bank in Ukraine

DB Vault for Flexcube

RESULTS

• Oracle Database Vault provides a transparent solution for mitigating the risk of insider threats and complying with regulations.
• Oracle Database Vault restricts ad-hoc database changes and enforces controls over how, when and where the most sensitive application data can be accessed.
• Proposed solution must be fully implemented in three months after the new core banking system is launched.
• To adopt Oracle Database Vault technologies, the customer is working with Oracle’s local partner.

BUSINESS CHALLENGE

• The banking customer is concerned about the risk of unauthorized access by privileged users to sensitive banking information.
• The bank intends to bring its system into compliance with existing and newly emerging regulations as well as industry best practices.
• The solution must provide flexible, transparent and highly adaptable security controls that require no application changes.

ORACLE SOLUTION

• Customer bought Oracle Database Vault in January 2010 as a first step in its Security initiative
• DB Vault provides powerful security controls for protecting banking applications and sensitive data.
• Oracle Database Vault protects the core banking system Oracle Flexcube on the server with 12 CPUs.
• The next steps under consideration are Advanced Security and Audit Vault to bring the system to the highest security level.

Page 32: 5. 2010 11-03 bucharest oracle-tech_day_security

Conclusions

Page 33: 5. 2010 11-03 bucharest oracle-tech_day_security

Conclusions to Protect Data at the Source?

• Logical bundle "preventive"
  • Advanced Security
  • DB Vault
  • Data Masking Pack
• Extend to "detective" solutions
  • Audit Vault
  • DB Firewall

Page 34: 5. 2010 11-03 bucharest oracle-tech_day_security

Vertical Industry Security E2E

Strategic Vertical Value

Public Sector: DB Security part of Public Sector Tenders to fit EU Data Privacy Regulations and avoid Security Threats. DB Vault, Audit Vault, Data Mask and Advanced Security for DB SaaS/Cloud and for encrypting backups and masking non-production testing data.

Financial Services and Retail: Vertical industry regulations such as PCI require DB Security in context of Credit Card payments. DB Vault, Audit Vault, Advanced Security, Data Masking & DB Firewall for defense-in-depth security for Oracle DB.

Utilities and other industries: Oracle end-to-end Security, DB Security, plus Identity and Access Management plus Applications Security.

Communications: DB Security fits Siebel CRM projects. DB Vault, Advanced Security and Data Mask to ensure that sensitive customer data can be only accessed by authorized staff.