Oracle Database Security
Kwesi Edwards, Principal Solutions Architect, Oracle Higher Education
Dominic Young, Account Manager, Oracle Higher Education
Data Security Lifecycle
• Inbound Data
  • Network Encryption
  • Strong Authentication
  • Identity Management Integration
• Storage
  • Transparent Data Encryption
  • Secure Backup
• Access Control
  • Database Vault
  • Oracle Label Security
  • Fusion Security
• Outbound Data
  • Network Encryption
• Monitor
  • Configuration Scanning
  • Audit Vault
Agenda
• Network Encryption
  • Encryption of data in motion
• Strong Authentication
  • PKI, Kerberos, RADIUS
• Data Encryption
  • Encryption of data at rest
  • Secure Backup
• Oracle Data Vault
• DB Auditing
• Audit Vault
Network Security Threats
1. Data Theft: my competitor sees my bids in a sealed auction.
2. Data Modification or Replay (illustrated in the figure with the amounts $500.00 and $50,000).
3. Data Disruption: packet stolen, order never arrives.
Network Encryption
• Provided by Oracle for nearly a decade
• Encrypts all communication with the database
  • AES
  • RSA RC4 (40-, 56-, 128-, 256-bit keys)
  • DES (40-, 56-bit) and 3DES (2- and 3-key)
• Data integrity with checksums
  • MD5, SHA-1
  • Automatically detects modifications, replays, missing packets
• Easy to set up
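Of the algorithms listed above, a defender today would configure only AES and SHA-1 checksumming and leave DES, 40/56-bit RC4 and MD5 disabled. The queries below are an added example (not from the slides) that verifies what Oracle Advanced Security actually negotiated for live sessions; the sqlnet.ora settings in the comment and the banner wording matched with LIKE are assumptions that vary slightly by release.

```sql
-- Added example: confirm that network encryption and integrity checking are
-- really in effect, rather than trusting that sqlnet.ora was deployed.
-- Assumed server-side sqlnet.ora:
--   SQLNET.ENCRYPTION_SERVER            = REQUIRED
--   SQLNET.ENCRYPTION_TYPES_SERVER      = (AES256)
--   SQLNET.CRYPTO_CHECKSUM_SERVER       = REQUIRED
--   SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA1)
-- Run as a user with SELECT on the V$ views.

-- 1. What the current session negotiated: expect one row naming an AES
--    encryption service adapter and one naming a SHA1 crypto-checksumming
--    service adapter. If neither appears, the link is in the clear.
SELECT network_service_banner
  FROM v$session_connect_info
 WHERE sid = SYS_CONTEXT('USERENV', 'SID')
   AND (network_service_banner LIKE '%encryption service%'
        OR network_service_banner LIKE '%crypto-checksumming service%');

-- 2. Every connected user session that negotiated no encryption service at
--    all, i.e. a client whose sqlnet.ora rejected or lacked encryption.
SELECT s.sid, s.username, s.osuser, s.machine, s.program
  FROM v$session s
 WHERE s.type = 'USER'
   AND s.username IS NOT NULL
   AND NOT EXISTS (SELECT 1
                     FROM v$session_connect_info c
                    WHERE c.sid = s.sid
                      AND c.network_service_banner LIKE '%encryption service%')
 ORDER BY s.username, s.machine;
```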
Strong Authentication
• Kerberos
  • Ease of deployment makes this a popular choice
• PKI
  • Large customers are working on full-scale deployments
  • Strong interest among large universities
  • Oracle supports SSL accelerators
• RADIUS
  • Database integrates with RADIUS
The Need for Encryption
• Worldwide privacy, security laws and regulations
  • Sarbanes-Oxley
  • PCI
  • California SB 1386
  • Country-specific laws
(Figure: customer credit card numbers on disks replaced for maintenance, stolen laptops and lost backups; the data is worthless if encrypted.)
The DBMS_CRYPTO Package
• Formerly DBMS_OBFUSCATION (Release 8)
• Extensive control of options
  • Generate as many, or as few, keys as you desire
  • Granular access control, manual salt generation, algorithm selection, chaining mode
• Limited transparency
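The "limited transparency" is visible in what the caller has to do: choose the algorithm and chaining mode, supply a key, generate an IV and store it with the ciphertext. The PL/SQL below is an added example (not from the slides or from Oracle's own code) of an application-managed AES-256-CBC wrapper; the schema name APP_SEC and the convention of prefixing the IV to the ciphertext are assumptions.

```sql
-- Added example: application-managed encryption with DBMS_CRYPTO.
-- AES-256, CBC chaining, PKCS#5 padding, fresh random IV per value.
-- Key management is the caller's problem: p_key must come from a wallet or
-- HSM, never from a table next to the data. Requires
--   GRANT EXECUTE ON SYS.DBMS_CRYPTO TO app_sec;
CREATE OR REPLACE FUNCTION app_sec.encrypt_value(
    p_plain IN VARCHAR2,
    p_key   IN RAW)      -- 32-byte key, e.g. DBMS_CRYPTO.RANDOMBYTES(32)
  RETURN RAW
IS
  l_mode CONSTANT PLS_INTEGER := DBMS_CRYPTO.ENCRYPT_AES256
                                + DBMS_CRYPTO.CHAIN_CBC
                                + DBMS_CRYPTO.PAD_PKCS5;
  l_iv   RAW(16);
BEGIN
  -- A new IV per value keeps equal plaintexts from giving equal ciphertexts;
  -- the IV is not secret, so it is stored in front of the ciphertext.
  l_iv := DBMS_CRYPTO.RANDOMBYTES(16);
  RETURN UTL_RAW.CONCAT(l_iv,
           DBMS_CRYPTO.ENCRYPT(
             src => UTL_I18N.STRING_TO_RAW(p_plain, 'AL32UTF8'),
             typ => l_mode,
             key => p_key,
             iv  => l_iv));
END;
/

CREATE OR REPLACE FUNCTION app_sec.decrypt_value(
    p_cipher IN RAW,
    p_key    IN RAW)
  RETURN VARCHAR2
IS
  l_mode CONSTANT PLS_INTEGER := DBMS_CRYPTO.ENCRYPT_AES256
                                + DBMS_CRYPTO.CHAIN_CBC
                                + DBMS_CRYPTO.PAD_PKCS5;
BEGIN
  -- The first 16 bytes are the IV written by encrypt_value. CBC alone gives
  -- no tamper detection; add a DBMS_CRYPTO.MAC tag if that is required.
  RETURN UTL_I18N.RAW_TO_CHAR(
           DBMS_CRYPTO.DECRYPT(
             src => UTL_RAW.SUBSTR(p_cipher, 17),
             typ => l_mode,
             key => p_key,
             iv  => UTL_RAW.SUBSTR(p_cipher, 1, 16)),
           'AL32UTF8');
END;
/
```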
Transparent Data Encryption
• Integrated with the Oracle database for simplicity
  • Alter table … encrypt column …
• Provides application transparency
  • No API calls, database triggers or views required
• Media protection of PII data
  • Social security numbers
  • Credit card numbers
• Performance
  • Works with existing indexes for fast searches
Separation of duties
(Figure) The DBA starts up the database; the security DBA opens the wallet containing the master key. The wallet password is separate from the SYSTEM or DBA password, so the DBA has no access to the wallet.
Master key and column keys
(Figure) The master key is stored in a PKCS#12 wallet, and the security DBA opens the wallet containing it. Column keys are encrypted by the master key, and the column keys encrypt the data in the columns.
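The three TDE slides above (the ALTER TABLE step, the separation of duties, and the master-key/column-key layering) fit into a handful of statements. This is an added example in 10gR2/11g syntax, not from the slides; the table SALES.CUSTOMERS, the column name and the wallet password are assumptions.

```sql
-- Added example: column-level TDE with the duties split as on the slides.

-- Security DBA, once: generate the master key in the wallet whose location is
-- given by ENCRYPTION_WALLET_LOCATION in sqlnet.ora. The password is the
-- wallet's own and must not be the SYS or SYSTEM password.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "w4llet-Passw0rd";

-- Security DBA, after every database startup: open the wallet so column keys
-- can be unwrapped. Until then encrypted columns raise an error on access,
-- which is the separation-of-duties property the slide describes.
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "w4llet-Passw0rd";

-- Schema owner: encrypt the PII column. NO SALT is needed if the column is
-- indexed, because salted TDE columns cannot be indexed; that is the trade-off
-- behind "works with existing indexes".
ALTER TABLE sales.customers
  MODIFY (card_number ENCRYPT USING 'AES256' NO SALT);

-- Checks: wallet state, and which columns are encrypted with what.
SELECT wrl_type, status FROM v$encryption_wallet;      -- expect OPEN
SELECT owner, table_name, column_name, encryption_alg, salt
  FROM dba_encrypted_columns
 ORDER BY owner, table_name, column_name;
```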
Oracle Secure Backup: Tape Backup Management
Highest levels of tape data protection at the lowest cost!
Fastest and best integrated tape backup for the Oracle Database
-Recovery Manager (RMAN) integration
-Enterprise Manager (EM) interface
Maximum security options
Free version (limited functionality) will ship with the Oracle Database
(Figure: Oracle Secure Backup, centralized tape backup management, backs up Oracle Databases through RMAN integration and file system data from UNIX, Linux, Windows and NAS hosts to tape.)
Why Use Oracle Secure Backup?
• Scalable from the department to the data center
• Database tape backups can now be seamlessly managed by database administrators (DBAs) or the storage group
• Intelligent integration with RMAN delivering the best performance and security for database backups
• Easily managed using Enterprise Manager (EM)
• Single technical support resource for the entire backup solution expedites problem resolution
• Reliable data protection at lower cost and complexity
  • For the Oracle Database and file system data
End to End Security
(Figure) Data is automatically encrypted when written to disk, automatically decrypted through the SQL interface, and stays encrypted on backup files. Components shown: Oracle Advanced Security Network Encryption, Oracle Advanced Security Strong Authentication, Oracle Advanced Security Transparent Data Encryption.
Data Vault Objectives
• Multi-factored approach to database security
  • Protect and share data assets using environmental factors for assurance
  • Defense-in-depth approach
  • Protect application schemas from system privileges
• Database server as database appliance
  • Lock down, hardened software and privileges
  • Comprehensive audit policy
  • Separation of duties
Data Vault Protected Schema
• Protect Data Vault metadata from tampering
• Remove metadata dependency on SYS schema
• Access to protected schema only through the administrative roles
• Provide separation of duties by different administrative roles
• Password required for SYS login
• No OSDBA group membership
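"Protect application schemas from system privileges" is done with a Database Vault realm: once a schema's objects are in a realm, SELECT ANY TABLE and similar system privileges stop working against them unless the grantee is authorized in the realm. This is an added example (not from the slides); the schema HR_APP, the realm name and the choice of auditing only failed attempts are assumptions.

```sql
-- Added example: put an application schema behind a Database Vault realm.
-- Run as an account holding the DV_OWNER role, not as SYS or a regular DBA.
BEGIN
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'HR Application Realm',
    description   => 'Blocks system-privilege access to HR_APP tables',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);  -- record blocked access

  -- '%' covers every table HR_APP owns now and in the future.
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'HR Application Realm',
    object_owner => 'HR_APP',
    object_name  => '%',
    object_type  => 'TABLE');

  -- Realm owner: may use system privileges on realm objects. Anyone else,
  -- DBAs included, needs direct object grants from HR_APP.
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'HR Application Realm',
    grantee       => 'HR_APP',
    rule_set_name => NULL,
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_OWNER);
END;
/

-- Checks: the realm exists and is enabled; a DBA relying on SELECT ANY TABLE
-- now gets ORA-01031 on HR_APP tables and the attempt is audited.
SELECT name, enabled FROM dvsys.dba_dv_realm
 WHERE name = 'HR Application Realm';
```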
AUDITING
Oracle Database 10g Auditing
• Audit and monitor database activity
  • Logon failures, privilege usage, data access, object access, and other activities
• Standard Audit Trail (over 250 audit actions)
  • Gives first level of information about access to the database
  • Statement auditing
  • Privilege auditing
  • Schema object auditing
• Fine-Grained Auditing (FGA)
  • Gives second level of information about specific operations to the database
  • Enables you to monitor data access based on content
Fine-grained auditing (FGA)
• Beginning with Oracle9i Database, Oracle provides the capability to audit specific rows within a table. This is accomplished using the DBMS_FGA package.
• Features
  • Attach audit policy to table or view
  • Specify audit condition using a SQL predicate
  • User's query text with bind variables is written to the audit record upon a triggering audit event
  • Event handler can alert administrator to triggering condition (e.g. write record to log, send page)
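The two auditing slides above (the standard audit trail for logon failures and object access, and FGA with a predicate, audited column and event handler) come together in the statements below. This is an added example, not from the slides; the schema HR, table EMPLOYEES, the alert table SEC.FGA_ALERTS and the salary threshold are assumptions.

```sql
-- Added example: standard auditing plus a content-based FGA policy.

-- Standard audit trail. AUDIT_TRAIL=DB,EXTENDED keeps SQL text and binds;
-- it is a static parameter: ALTER SYSTEM SET audit_trail=DB,EXTENDED SCOPE=SPFILE
-- followed by a restart.
AUDIT SELECT, UPDATE, DELETE ON hr.employees BY ACCESS;
AUDIT CREATE SESSION BY ACCESS WHENEVER NOT SUCCESSFUL;   -- logon failures

-- FGA event handler: fixed signature, called once per triggering statement.
-- Autonomous so the alert persists even if the audited statement rolls back,
-- and it must never raise, or the audited statement itself fails.
CREATE OR REPLACE PROCEDURE sec.salary_alert(
    object_schema VARCHAR2, object_name VARCHAR2, policy_name VARCHAR2)
IS
  PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
  -- "Write record to log"; a pager or e-mail hook would go here too.
  INSERT INTO sec.fga_alerts (alert_time, db_user, os_user, obj, policy)
  VALUES (SYSTIMESTAMP, SYS_CONTEXT('USERENV', 'SESSION_USER'),
          SYS_CONTEXT('USERENV', 'OS_USER'),
          object_schema || '.' || object_name, policy_name);
  COMMIT;
END;
/

BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema   => 'HR',
    object_name     => 'EMPLOYEES',
    policy_name     => 'HIGH_SALARY_ACCESS',
    audit_condition => 'SALARY > 150000',   -- only rows matching this predicate
    audit_column    => 'SALARY',            -- only statements touching this column
    handler_schema  => 'SEC',
    handler_module  => 'SALARY_ALERT',
    enable          => TRUE,
    statement_types => 'SELECT,UPDATE');
END;
/

-- Review: who ran what against high salaries, with the bind values used.
SELECT timestamp, db_user, os_user, userhost, policy_name, sql_text, sql_bind
  FROM dba_fga_audit_trail
 WHERE policy_name = 'HIGH_SALARY_ACCESS'
 ORDER BY timestamp DESC;
```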
Audit Vault
(Figure: Oracle Audit Vault collects audit data from Oracle 9iR2, 10gR1 and 10gR2 databases, with other sources and databases planned for the future, and provides Monitor, Policies, Reports and Security functions.)
• Collect and consolidate audit data
• Simplify compliance reporting
• Detect and prevent insider threats
• Scale and security
• Lower IT costs with audit policies
Oracle Database Security: 30 years of Innovation
(Figure: timeline from 1977 to 2007, newest first)
• Oracle Audit Vault, Oracle Database Vault
• DB Security Evaluation #19
• Transparent Data Encryption
• EM Configuration Scanning
• Fine Grained Auditing (9i)
• Secure application roles
• Client Identifier / Identity propagation
• Oracle Label Security
• Proxy authentication
• Enterprise User Security
• Global roles
• Virtual Private Database (8i)
• Database Encryption API
• Strong authentication (PKI, Kerberos, RADIUS)
• Native Network Encryption (Oracle7)
• Database Auditing
• Government customer
For More Information
http://search.oracle.com
or
oracle.com/security