help! another university data breach (237177021)
DESCRIPTION
Universities are now the number-one target for data security breaches. Hackers have figured out how to get around traditional perimeter firewalls and are making a fortune off selling the sensitive data of your students and faculty. Universities are suffering from damaging headlines across the country. This PR nightmare can cause a loss in student enrollment, endowment, and grant dollars and can even result in class action lawsuits. The bad news is that there isn't a silver bullet to protect your university. The good news is that many of the breaches that have been experienced could have been prevented by using tools that may already be included in your Oracle environment. Come hear about our Defense in Depth approach to securing your database, which can help your students, parents, and staff feel safe knowing that you are doing everything you can to protect their private information.
OUTCOMES:
• Understand the difference between being compliant and being secure
• Understand that data breaches are a valid concern for higher education
• Gain knowledge of Oracle Defense in Depth
http://new.educause.edu/events/security-professionals-conference/2014/help-another-university-data-breach
TRANSCRIPT
Security Defense-in-Depth Latest Innovations in Oracle Security
Scott Grykowski, CISSP Sales Consulting Senior Manager
Oracle Corporation
Copyright © 2014, Oracle and/or its affiliates. All rights reserved. Oracle Confidential Restricted 2
Agenda
Database Security
– The World Today
– Defense in Depth
– Solution Overview
– Customer Success Stories
Identity Management
– Identity Management Trends
– Identity Suite Overview
– Securing the Extended Enterprise
The World Today
Loss of Data Continuing to Grow Worldwide
• Two-thirds of sensitive and regulated information resides in databases
• And that volume is doubling every two years!
• 98% of stolen records were taken from database servers
• Over 2 billion records compromised, and that is just the tip of the iceberg…
Source: IDC, 2011 and Verizon Data Breach Investigations Report, 2012
Why are Databases so Vulnerable?
• 97% of data breaches were avoidable with basic controls
• But less than 20% of IT Security programs address databases
• Attacks against databases exploit legitimate access: stolen or abused credentials, not server exploits
• The attack surface is people, not servers
Source: Forrester, 2012 and Verizon Data Breach Investigations Report, 2012
Core Principles
Least Privilege
• Identity and Access Management
• Any user, whether application end user or database admin, has access only as needed to perform tasks based on job function or role
• Need to know/compartmentalization
• Including DBA/OS Admins!!
Defense in Depth
• Policies, Procedures, and Awareness
• Physical Security
• Perimeter Security
• Internal Networks
• Host Security
• Application Level Security
• Database Level Security
• Data Protection – Production, Development
Governance
• Governance, Risk, Compliance
• Security Management and Monitoring – Incident Response, vulnerability and threat management, configuration and change management
Oracle Database Security Solutions: Defense-in-Depth for Maximum Security
DETECTIVE
• Activity Monitoring
• Database Firewall
• Auditing and Reporting
PREVENTIVE
• Redaction and Masking
• Privileged User Controls
• Encryption
ADMINISTRATIVE
• Sensitive Data Discovery
• Configuration Management
• Privilege Analysis
Solution Overview
Oracle Advanced Security
Encryption is the Foundation Preventive Control for Oracle Databases
• Transparent data encryption (TDE) in the database
– (Network encryption is now included with the database license)
• Protects data at rest: datafiles, backups, exports and off-site copies are unreadable without the master key held in the keystore. It does not restrict what authenticated database users see through SQL; that is the job of the access controls on the following slides.
• Requires no application changes
• Built-in two-tier key management: a master encryption key in the keystore wraps the per-tablespace or per-column data encryption keys, so rotating the master key does not require rewriting the data
• "Near zero" overhead when the CPU provides AES acceleration (e.g. Intel AES-NI)
• Integrations with Oracle technologies, e.g. Exadata, Advanced Compression, ASM, GoldenGate, Data Pump, etc.
[Figure: the master key inside the database protects data on disk, in backups, in exports and at off-site facilities, transparently to applications]
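The two-tier key hierarchy the slide describes, as an added example that is not part of the original deck or of Oracle's documentation: a password-protected keystore holds the master key, an encrypted tablespace and an encrypted column each get their own data key wrapped under it, and the views a DBA or auditor would check afterwards. Keystore path, passwords, tablespace, schema and table names are placeholders chosen for this example; the syntax is Oracle Database 12c.

```sql
-- Added example (not from the deck): minimal TDE setup on Oracle Database 12c.
-- Paths, passwords and object names are placeholders chosen for this example.
-- Prerequisite: sqlnet.ora points ENCRYPTION_WALLET_LOCATION at the keystore directory, e.g.
--   ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/etc/ORACLE/WALLETS/orcl)))

-- Tier 1: the master encryption key lives in the keystore, never in the datafiles.
ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '/etc/ORACLE/WALLETS/orcl'
  IDENTIFIED BY "Ks#Str0ngP@ss2014";
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN
  IDENTIFIED BY "Ks#Str0ngP@ss2014";
ADMINISTER KEY MANAGEMENT SET KEY
  IDENTIFIED BY "Ks#Str0ngP@ss2014" WITH BACKUP USING 'initial_mek';

-- Tier 2: each encrypted tablespace (or column) has its own data key, stored encrypted
-- under the master key. Rotating the master key re-wraps the data keys only; the data
-- itself is not rewritten.
CREATE TABLESPACE student_data
  DATAFILE '/u01/oradata/orcl/student_data01.dbf' SIZE 200M
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

-- Column-level alternative for a single sensitive field. Leave the default (salted)
-- unless the column must be indexed, in which case NO SALT is required; salt prevents
-- equal plaintexts from producing equal ciphertexts across rows.
CREATE TABLE registrar.students (
  student_id  NUMBER PRIMARY KEY,
  last_name   VARCHAR2(60),
  ssn         VARCHAR2(11) ENCRYPT USING 'AES256'
) TABLESPACE users;

-- Checks a DBA or auditor should run:
SELECT wrl_type, status, wallet_type FROM v$encryption_wallet;   -- expect STATUS = OPEN
SELECT tablespace_name, encrypted FROM dba_tablespaces
 WHERE tablespace_name = 'STUDENT_DATA';                          -- expect ENCRYPTED = YES
SELECT owner, table_name, column_name, encryption_alg, salt
  FROM dba_encrypted_columns;

-- Periodic master key rotation (re-keys only the wrapped data keys; keep the backup):
ADMINISTER KEY MANAGEMENT SET KEY
  IDENTIFIED BY "Ks#Str0ngP@ss2014" WITH BACKUP USING 'rotation_2014q2';
```

Two operational points follow from the design. The keystore password (or an auto-login keystore, if you choose one) is now the root of trust for every encrypted byte, so it belongs in the same custody regime as a backup encryption key, and the keystore must be backed up separately from the datafiles it protects. For the network-encryption bullet on the slide, the corresponding server-side sqlnet.ora settings are SQLNET.ENCRYPTION_SERVER = REQUIRED with SQLNET.ENCRYPTION_TYPES_SERVER = (AES256), and SQLNET.CRYPTO_CHECKSUM_SERVER = REQUIRED with SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA256); REQUIRED rather than REQUESTED is what actually refuses an unencrypted client.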
Oracle Advanced Security
Redaction of Sensitive Data Displayed: Preventive Control for Oracle Database 12c
• Real-time sensitive data redaction based on database session context
• Library of redaction policies and point-and-click policy definition
• Consistent enforcement: policies are attached to the data, not re-implemented in each application
• Transparent to applications, users, and operational activities
[Figure: credit card numbers 4451-2172-9841-4368, 5106-8395-2095-5938 and 7830-0032-0294-1827 pass through a redaction policy; the call center application sees xxxx-xxxx-xxxx-4368 while the billing department sees 4451-2172-9841-4368]
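The billing-versus-call-center picture on the slide, built with DBMS_REDACT as an added example that is not part of the original deck or of Oracle's documentation. The BILLING schema, the CARDS table, the sample rows and the session-user test in the policy expression are all placeholders chosen for this example; the constants and parameter format are Oracle Database 12c's.

```sql
-- Added example (not from the deck): partial redaction of a card number with DBMS_REDACT.
-- Schema, table and account names are placeholders; the rows are constructed samples.
CREATE TABLE billing.cards (
  card_id  NUMBER PRIMARY KEY,
  student  VARCHAR2(60),
  pan      VARCHAR2(19)      -- stored as 'VVVV-VVVV-VVVV-VVVV'
);
INSERT INTO billing.cards VALUES (1, 'Aguilar', '4451-2172-9841-4368');
INSERT INTO billing.cards VALUES (2, 'Benson',  '5106-8395-2095-5938');
COMMIT;

-- FUNCTION_PARAMETERS = '<input format>,<output format>,<mask char>,<first pos>,<last pos>'
--   V = a digit that may be redacted, F = a formatting character to keep.
-- Positions 1..12 of the digits become 'x'; the last four stay visible.
-- EXPRESSION is evaluated per session: anyone who is not the BILLING account is redacted.
BEGIN
  DBMS_REDACT.ADD_POLICY(
    object_schema       => 'BILLING',
    object_name         => 'CARDS',
    policy_name         => 'redact_pan',
    column_name         => 'PAN',
    function_type       => DBMS_REDACT.PARTIAL,
    function_parameters => 'VVVVFVVVVFVVVVFVVVV,VVVV-VVVV-VVVV-VVVV,x,1,12',
    expression          => 'SYS_CONTEXT(''USERENV'',''SESSION_USER'') != ''BILLING''');
END;
/

-- As CALLCENTER:  SELECT student, pan FROM billing.cards;  -> Aguilar  xxxx-xxxx-xxxx-4368
-- As BILLING:     SELECT student, pan FROM billing.cards;  -> Aguilar  4451-2172-9841-4368

-- Caveat to verify yourself: redaction changes what is displayed, not what is compared.
-- The WHERE clause still sees the real value, so a user with ad hoc SQL can probe it:
--   SELECT student FROM billing.cards WHERE pan LIKE '4451%';   -- returns Aguilar
-- Oracle's own documentation says Data Redaction is not a control against privileged users
-- running ad hoc queries. Pair it with Database Vault (who may query at all) and auditing.

-- Inventory of what is redacted where:
SELECT object_owner, object_name, policy_name, expression, enable FROM redaction_policies;
SELECT object_owner, object_name, column_name, function_type, function_parameters
  FROM redaction_columns;
```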
Oracle Data Masking
Masking Data for Non-Production Use: Preventive Control for Oracle Databases
• Replace sensitive application data
• Extensible template library and formats
• Application templates available
• Referential integrity detected/preserved
• At source masking and sub-setting*
• Support for masking data in non-Oracle databases
*Requires use of Oracle Test Data Management

Production:
LAST_NAME   SSN          SALARY
AGUILAR     203-33-3234  40,000
BENSON      323-22-2943  60,000

Non-Production (Dev, Test), after masking:
LAST_NAME   SSN          SALARY
ANSKEKSL    323-23-1111  60,000
BKJHHEIEDK  252-34-1345  40,000
Database Vault
Privileged User Controls: Preventive Control for Oracle Databases
• Limit DBA access to application data
• Multi-factor SQL command rules
• Realms create protective zones
• Enforce enterprise data governance, least privilege, segregation of duties
• Out of the box application policies
[Figure: realms around the Procurement, HR and Finance application schemas; a DBA's "select * from finance.customers" is stopped at the Finance realm boundary, while the applications and the security DBA keep the access their roles require]
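The realm and command rule from the slide, written against the Database Vault administration API as an added example that is not part of the original deck or of Oracle's documentation. It assumes Database Vault is already configured and enabled and that the statements run as the Database Vault owner account; the realm name, the FINANCE schema, the FINANCE_APP account, the DBA account and the application-tier IP addresses are placeholders chosen for this example.

```sql
-- Added example (not from the deck): protecting FINANCE with a Database Vault realm and a
-- multi-factor command rule. Names and IP addresses are placeholders for this example.

-- 1. A realm is a protective zone around the FINANCE schema's objects. Holding SELECT ANY TABLE
--    or the DBA role no longer gets anyone in; only realm authorizations do.
BEGIN
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'Finance Realm',
    description   => 'Student billing and payroll tables',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);   -- record every blocked attempt
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name    => 'Finance Realm',
    object_owner  => 'FINANCE',
    object_name   => '%',
    object_type   => '%');
  -- Only the application account is authorized. No DBA appears here on purpose.
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'Finance Realm',
    grantee       => 'FINANCE_APP',
    rule_set_name => NULL,
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);
END;
/

-- 2. Multi-factor command rule: even the authorized account may SELECT from FINANCE.CUSTOMERS
--    only from the application servers. The rule is any SQL expression over session factors.
BEGIN
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'From App Server',
    rule_expr => 'SYS_CONTEXT(''USERENV'',''IP_ADDRESS'') IN (''10.10.5.21'',''10.10.5.22'')');
  DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'Finance App Tier Only',
    description     => 'Allow only from the billing application servers',
    enabled         => DBMS_MACUTL.G_YES,
    eval_options    => DBMS_MACUTL.G_RULESET_EVAL_ALL,
    audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
    fail_options    => DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => 'Finance data is readable only from the application tier',
    fail_code       => 20001,
    handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);
  DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'Finance App Tier Only',
    rule_name     => 'From App Server');
  DBMS_MACADM.CREATE_COMMAND_RULE(
    command       => 'SELECT',
    rule_set_name => 'Finance App Tier Only',
    object_owner  => 'FINANCE',
    object_name   => 'CUSTOMERS',
    enabled       => DBMS_MACUTL.G_YES);
END;
/

-- 3. What the slide shows. Connected as a DBA who is not a realm participant:
--   SQL> SELECT * FROM finance.customers;
--   ORA-01031: insufficient privileges
-- Because the realm audits failures, the attempt is recorded (DVSYS.AUDIT_TRAIL$ with
-- traditional auditing; UNIFIED_AUDIT_TRAIL with AUDIT_TYPE = 'Database Vault' when
-- Unified Auditing is enabled).

-- 4. Verify the configuration rather than trusting the GUI:
SELECT name, enabled, audit_options FROM dba_dv_realm WHERE name = 'Finance Realm';
SELECT realm_name, grantee, auth_options FROM dba_dv_realm_auth WHERE realm_name = 'Finance Realm';
SELECT command, rule_set_name, object_owner, object_name, enabled
  FROM dba_dv_command_rule WHERE object_owner = 'FINANCE';
```

One caveat a practitioner should test before relying on this: a regular realm blocks access that comes through system privileges such as SELECT ANY TABLE, but a direct object grant (GRANT SELECT ON finance.customers TO someone) still works, and the FINANCE schema owner can still read its own tables. Oracle Database 12c adds mandatory realms (the realm_type parameter of CREATE_REALM) that also block direct grants and the owner; choose that type when the threat model includes a DBA who can grant themselves object privileges.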
Oracle Label Security
Label Based Access Control: Preventive Control for Oracle Databases
• Virtual information partitioning for cloud, SaaS, hosting environments
• Classify users and data using labels
• Labels based on business drivers
• Automatically enforced row level access control, transparent to applications
• Labels can be factors in other policies
[Figure: transactions and report data are labelled Public, Confidential or Sensitive; reports return only the rows whose label the requesting user is cleared to read]
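The Public / Confidential / Sensitive scheme from the slide, implemented with the Oracle Label Security PL/SQL packages as an added example that is not part of the original deck or of Oracle's documentation. It assumes OLS is installed and enabled and that the policy statements run as LBACSYS or a user holding LBAC_DBA; the policy name, the REPORTING schema and its REPORTS table, the REGISTRAR and STUDENT_PORTAL accounts and the sample rows are placeholders constructed for this example.

```sql
-- Added example (not from the deck): row-level access by sensitivity label with Oracle Label
-- Security. Policy, schema, table, user and row contents are placeholders for this example.
-- Prerequisite on 12c: EXEC LBACSYS.CONFIGURE_OLS; EXEC LBACSYS.OLS_ENFORCEMENT.ENABLE_OLS; restart.

-- Policy with a hidden label column; READ_CONTROL filters rows on every SQL path,
-- WRITE_CONTROL stops users writing above their clearance.
BEGIN
  SA_SYSDBA.CREATE_POLICY(
    policy_name     => 'REPORT_POL',
    column_name     => 'REPORT_LABEL',
    default_options => 'READ_CONTROL,WRITE_CONTROL,LABEL_DEFAULT,HIDE');
  -- Ordered sensitivity levels (higher number = more restricted)
  SA_COMPONENTS.CREATE_LEVEL('REPORT_POL', 10, 'P', 'PUBLIC');
  SA_COMPONENTS.CREATE_LEVEL('REPORT_POL', 20, 'C', 'CONFIDENTIAL');
  SA_COMPONENTS.CREATE_LEVEL('REPORT_POL', 30, 'S', 'SENSITIVE');
  -- Valid data labels (tag, label string)
  SA_LABEL_ADMIN.CREATE_LABEL('REPORT_POL', 1000, 'P');
  SA_LABEL_ADMIN.CREATE_LABEL('REPORT_POL', 2000, 'C');
  SA_LABEL_ADMIN.CREATE_LABEL('REPORT_POL', 3000, 'S');
END;
/

CREATE TABLE reporting.reports (
  report_id NUMBER PRIMARY KEY,
  title     VARCHAR2(100)
);

BEGIN
  -- Attach the policy: REPORT_LABEL is added to the table and enforced by the kernel.
  SA_POLICY_ADMIN.APPLY_TABLE_POLICY(
    policy_name => 'REPORT_POL',
    schema_name => 'REPORTING',
    table_name  => 'REPORTS');
  -- Classify users: max read, max write, min write, default label, default row label
  SA_USER_ADMIN.SET_USER_LABELS('REPORT_POL', 'REGISTRAR',      'S', 'S', 'P', 'C', 'C');
  SA_USER_ADMIN.SET_USER_LABELS('REPORT_POL', 'STUDENT_PORTAL', 'P', 'P', 'P', 'P', 'P');
END;
/

-- Constructed sample rows, labelled explicitly. Run these as REGISTRAR, whose write
-- range (P..S) covers all three labels; CHAR_TO_LABEL converts the short form to a tag.
INSERT INTO reporting.reports (report_id, title, report_label)
  VALUES (1, 'Campus event calendar',        CHAR_TO_LABEL('REPORT_POL', 'P'));
INSERT INTO reporting.reports (report_id, title, report_label)
  VALUES (2, 'Department budget variance',   CHAR_TO_LABEL('REPORT_POL', 'C'));
INSERT INTO reporting.reports (report_id, title, report_label)
  VALUES (3, 'Financial-aid appeal details', CHAR_TO_LABEL('REPORT_POL', 'S'));
COMMIT;

-- Same statement, different users, no application code involved:
--   REGISTRAR:       SELECT title FROM reporting.reports;   -> all 3 rows
--   STUDENT_PORTAL:  SELECT title FROM reporting.reports;   -> 'Campus event calendar' only
-- To see labels alongside data: SELECT title, LABEL_TO_CHAR(report_label) FROM reporting.reports;

-- Caveat: OLS protects only tables the policy is applied to, and policy privileges such as
-- READ or FULL bypass row control entirely. Review who holds them:
SELECT policy_name, user_name, user_privileges FROM dba_sa_user_privs;
```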
Oracle Audit Vault and Database Firewall
Detective/Preventive: Solution for Oracle and Non-Oracle Databases
[Figure: users and applications reach the databases through the Database Firewall, which can Allow, Log, Alert, Substitute or Block each SQL statement; firewall events and the databases' audit data, together with OS, directory, file system and custom audit logs, flow into the Audit Vault, where policies drive built-in reports, custom reports and alerts for the security analyst, the auditor and the SOC]
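Audit Vault collects the audit trail the database itself produces, so the quality of the reports on this slide depends on what the database is told to record. As an added example that is not part of the original deck or of Oracle's documentation, the following defines two Oracle Database 12c Unified Auditing policies and the two queries a security analyst would run over the resulting trail. It assumes Unified Auditing is enabled and that the statements run as a user with AUDIT_ADMIN; the FINANCE.CUSTOMERS table, the billing_app program name and the DBA account names are placeholders chosen for this example.

```sql
-- Added example (not from the deck): audit policies that feed a collector like Audit Vault,
-- plus the detection queries. Table, program and account names are placeholders.
-- Check the mode first: SELECT value FROM v$option WHERE parameter = 'Unified Auditing';

-- Every read/write of the sensitive table that does NOT come from the billing application.
-- Excluding legitimate application traffic keeps the signal-to-noise ratio high.
CREATE AUDIT POLICY finance_direct_access
  ACTIONS SELECT ON finance.customers,
          UPDATE ON finance.customers,
          DELETE ON finance.customers
  WHEN 'SYS_CONTEXT(''USERENV'',''CLIENT_PROGRAM_NAME'') NOT LIKE ''billing_app%'''
  EVALUATE PER SESSION;
AUDIT POLICY finance_direct_access;

-- Privileged-user activity: use of powerful system privileges and account/instance changes
-- by the named DBA accounts, whatever object they touch. Success and failure are both kept.
CREATE AUDIT POLICY dba_activity
  PRIVILEGES SELECT ANY TABLE, CREATE ANY PROCEDURE, ALTER USER, GRANT ANY PRIVILEGE
  ACTIONS CREATE USER, DROP USER, ALTER SYSTEM;
AUDIT POLICY dba_activity BY dba_jones, dba_smith;

-- On 12.1 records are queued in memory and written lazily; flush before querying.
EXEC DBMS_AUDIT_MGMT.FLUSH_UNIFIED_AUDIT_TRAIL;

-- Detection query 1: who read FINANCE.CUSTOMERS outside the application in the last 24 hours,
-- by OS user, host and client program. This is the question an Audit Vault report answers.
SELECT dbusername, os_username, userhost, client_program_name,
       COUNT(*)             AS statements,
       MIN(event_timestamp) AS first_seen,
       MAX(event_timestamp) AS last_seen
  FROM unified_audit_trail
 WHERE unified_audit_policies LIKE '%FINANCE_DIRECT_ACCESS%'
   AND object_schema = 'FINANCE'
   AND object_name   = 'CUSTOMERS'
   AND event_timestamp > SYSTIMESTAMP - INTERVAL '1' DAY
 GROUP BY dbusername, os_username, userhost, client_program_name
 ORDER BY statements DESC;

-- Detection query 2: denied statements deserve their own alert. RETURN_CODE <> 0 is a failure
-- (e.g. ORA-01031 from a Database Vault realm), i.e. someone tried and was stopped.
SELECT event_timestamp, dbusername, userhost, action_name, return_code, sql_text
  FROM unified_audit_trail
 WHERE return_code <> 0
   AND object_name = 'CUSTOMERS'
 ORDER BY event_timestamp DESC;
```

The reason the slide routes this data into a separate Audit Vault is that an audit trail stored inside the audited database is only as trustworthy as that database's DBA. Whatever collector you use, ship records off the box promptly and reconcile counts between source and collector, so that a gap in the trail is itself an alert.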
Oracle Database Vault
Discover Use of Privileges and Roles: Administrative Control for Oracle Database 12c
Privilege Analysis
• Turn on privilege capture mode
• Report on actual privileges and roles used in the database
• Helps revoke unnecessary privileges
• Enforce least privilege and reduce risks
• Increase security without disruption
[Figure: Privilege Analysis records which Create…, Drop… and Modify… privileges reached through the DBA and APPADMIN roles are actually exercised]
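The capture-report-revoke workflow from the slide, carried out with DBMS_PRIVILEGE_CAPTURE as an added example that is not part of the original deck or of Oracle's documentation. It assumes Oracle Database 12c and the CAPTURE_ADMIN role; the capture name, the APPADMIN role, the APP_SUPPORT account and the tables in the final grants are placeholders chosen for this example.

```sql
-- Added example (not from the deck): privilege analysis on the DBA and APPADMIN roles.
-- Capture, role, account and table names are placeholders for this example.

-- 1. Define what to capture: every use of a privilege reached through DBA or APPADMIN,
--    by any session, for as long as the capture is enabled.
BEGIN
  DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE(
    name        => 'DBA_APPADMIN_USAGE',
    description => 'Which DBA/APPADMIN privileges are actually exercised',
    type        => DBMS_PRIVILEGE_CAPTURE.G_ROLE,
    roles       => role_name_list('DBA', 'APPADMIN'));
  DBMS_PRIVILEGE_CAPTURE.ENABLE_CAPTURE('DBA_APPADMIN_USAGE');
END;
/

-- 2. Leave it running across a full business cycle (month-end close, registration,
--    payroll). A privilege not exercised inside the window will look unused, so the
--    length of the window decides how safe the revocation list is.

-- 3. Stop and materialize the result.
BEGIN
  DBMS_PRIVILEGE_CAPTURE.DISABLE_CAPTURE('DBA_APPADMIN_USAGE');
  DBMS_PRIVILEGE_CAPTURE.GENERATE_RESULT('DBA_APPADMIN_USAGE');
END;
/

-- 4a. What was used, by whom, and through which role path.
SELECT username, used_role, path, sys_priv, obj_priv, object_owner, object_name
  FROM dba_used_privs
 WHERE capture = 'DBA_APPADMIN_USAGE'
 ORDER BY username, used_role;

-- 4b. What was granted through those roles but never touched: the revocation candidates.
SELECT username, rolename, sys_priv, obj_priv, object_owner, object_name
  FROM dba_unused_privs
 WHERE capture = 'DBA_APPADMIN_USAGE'
 ORDER BY username, rolename;

-- 5. Act on the findings without disruption: give the user a role built from the used set,
--    then take the broad role away. Shown for one finding, a support account whose only
--    recorded use of APPADMIN was SELECT on two FINANCE tables.
CREATE ROLE appadmin_min;
GRANT SELECT ON finance.customers TO appadmin_min;
GRANT SELECT ON finance.invoices  TO appadmin_min;
GRANT appadmin_min TO app_support;
REVOKE APPADMIN FROM app_support;

-- 6. Housekeeping when the exercise is complete (the results go with the capture):
-- EXEC DBMS_PRIVILEGE_CAPTURE.DROP_CAPTURE('DBA_APPADMIN_USAGE');
```

Keep the "without disruption" promise honest by running step 5 on one account at a time and leaving the capture results in place until the replacement role has survived the next business cycle; DBA_UNUSED_PRIVS tells you what was not used in the window, not what is never needed.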
Oracle Enterprise Manager 12c
Discover Sensitive Data and Databases: Administrative Control for Oracle Database 12c
• Scan Oracle for sensitive data
• Built-in, extensible data definitions
• Discover application data models
• Protect sensitive data appropriately: encrypt, redact, mask, audit…
Customer Success Stories
Oracle Database Security Customers
www.oracle.com/goto/database/security-customers
SquareTwo Enables Fast Growth with Oracle Database Solutions
SquareTwo enables fast growth and regulatory compliance with Oracle Database security
defense-in-depth solutions including Oracle Database Firewall, Oracle Data Masking, and
Oracle Advanced Security
National Marrow Donor Program Database Defense-in-Depth
NMDP Secures life-saving patient and donor data with Oracle Advanced Security, Oracle
Database Vault, and Oracle Data Masking
T-Mobile Protects 35 Million Subscribers Using Oracle
T-Mobile explains how they use Oracle Database Firewall, Oracle Advanced Security, and
Oracle Data Masking to secure sensitive data across the organization in both Oracle and
non-Oracle databases
TransUnion Interactive Uses Database Firewall for Compliance
Hear how TransUnion Interactive protects customer data and meets regulatory compliance
with database activity monitoring using Oracle Database Firewall
ETS Complies with PCI DSS Using Oracle Advanced Security
Educational Testing Service secures personally identifiable information (PII) and complies
with regulatory requirements with Oracle Advanced Security
Identity Management
NEW TRENDS TRANSFORMING THE IDENTITY BUSINESS
• Mobile Access
• Social Identity
• Cloud Security
• Identity Provider
• Internet of Things
[Figure: Identity Management spanning Enterprise, Mobile and Cloud, built on three pillars: Directory, Governance, Access]
New Technologies and Services Require Integrated Technologies
Governance
• Password Reset
• Privileged Accounts
• Access Request
• Roles Based Provisioning
• Role Mining
• Attestation
• Separation of Duties
Access
• Web Single Sign-on
• Federation
• Mobile, Social & Cloud
• External Authorization
• SOA Security
• Integrated ESSO
• Token Services
• Fraud Detection
• Privileged Account Manager
Directory
• LDAP Storage
• Virtual Directory
• Meta Directory
Platform Security Services
Automate and Identify Who Has Access to What
[Figure: a common repository and entitlement catalog provide complete governance over the access of employees, privileged employees, admins, contractors & partners, and customers & prospects to operating systems, directory services, enterprise applications, databases and cloud applications/services]
Oracle Access Management 11gR2 Reference Architecture
• Complete
• Simplified
• Innovative
• Scalable
Oracle Directory Services
• Highly Scalable
• Easy to Deploy
• Unify identity across directories, databases and web services in real-time
• Fully integrated with Oracle databases, middleware and applications
• Complete Meta-data and Integration Platform
[Figure: product family: Directory Services Plus (Unified Directory, Internet Directory, Virtual Directory) and Directory Services Enterprise Edition]
Oracle Mobile Security Strategy
Securely Separate And Manage Corporate Apps And Data On Devices
Secure Container For App Security And Control
• Separate, protect and wipe corporate applications and data
• Strict policies to restrict users from viewing/moving data out of the container
• Consistent support across multiple mobile platforms
Secure Controls And Management For Enterprise Apps
• Secure communication with enterprise application servers
• Corporate app store
Extend IDM Services To Avoid Redundancy And Overlaps
• Common users, roles, policies, access request, cert etc.
• SSO for native and browser apps
• Risk/policy based step up and strong authentication
Market Overview: Oracle is the Leader
Identity Management is a Business Enabler
• Every Cloud, Mobile or Social Application requires Identity Management
• Reducing the costs and risks of identifying who has access to what is a top priority for organizations
• Platform approach to identity management reduced costs by 48% and errors by 35%
• Oracle is the market leading provider of a complete Identity Management Platform
Oracle has 30,000 Identity Management Customers in 45 countries
[Figure: market performance chart for User Provisioning and Identity Governance]
Oracle Recommends: Use a Proven and Cost Effective Approach
DEFENSE IN DEPTH: Apply multiple overlapping controls to secure strategic assets
SECURE WHAT IS STRATEGIC: Move controls closer to the systems and applications they are intended to protect
LEAST PRIVILEGE: Practices to ensure access is based on "need to know"
Join the Community
Twitter twitter.com/OracleIDM
Facebook facebook.com/OracleIDM
Oracle Blogs Blogs.oracle.com/OracleIDM
Oracle IdM Website oracle.com/Identity