help! another university data breach (237177021)

Security Defense-in-Depth Latest Innovations in Oracle Security Scott Grykowski, CISSP Sales Consulting Senior Manager Oracle Corporation

Upload: educause

Post on 20-Jul-2016


DESCRIPTION

Universities are now the number-one target for data security breaches. Hackers have figured out how to get around traditional perimeter firewalls and are making a fortune off selling the sensitive data of your students and faculty. Universities are suffering from damaging headlines across the country. This PR nightmare can cause a loss in student enrollment, endowment, and grant dollars and can even result in class action lawsuits. The bad news is that there isn't a silver bullet to protect your university. The good news is that many of the breaches that have been experienced could have been prevented by using tools that may already be included in your Oracle environment. Come hear about our Defense in Depth approach to securing your database, which can help your students, parents, and staff feel safe knowing that you are doing everything you can to protect their private information.

OUTCOMES:
* Understand the difference between being compliant and being secure
* Understand that data breaches are a valid concern for higher education
* Gain knowledge of Oracle Defense in Depth

http://new.educause.edu/events/security-professionals-conference/2014/help-another-university-data-breach

TRANSCRIPT

Page 1: Help! Another University Data Breach (237177021)

Security Defense-in-Depth Latest Innovations in Oracle Security

Scott Grykowski, CISSP Sales Consulting Senior Manager

Oracle Corporation

Page 2: Help! Another University Data Breach (237177021)

Copyright © 2014, Oracle and/or its affiliates. All rights reserved. Oracle Confidential Restricted 2

Agenda

Database Security

– The World Today

– Defense in Depth

– Solution Overview

– Customer Success Stories

Identity Management

– Identity Management Trends

– Identity Suite Overview

– Securing the Extended Enterprise

Page 3: Help! Another University Data Breach (237177021)


The World Today

Page 4: Help! Another University Data Breach (237177021)

Loss of Data Continuing to Grow Worldwide

• Two-thirds of sensitive and regulated information resides in databases

• And doubling every two years!

• 98% of records stolen from databases

• Over 2 billion records compromised is just the tip of the iceberg…

Source: IDC, 2011 and Verizon Data Breach Investigations Report, 2012

[Figure: 2012 Verizon Data Breach Investigations Report]

Page 5: Help! Another University Data Breach (237177021)

Why are Databases so Vulnerable?

• 97% of data breaches were avoidable with basic controls

• But less than 20% of IT Security programs address databases

• Attacks against databases exploit legitimate access

• Attack surface is people not servers

Source: Forrester, 2012 and Verizon Data Breach Investigations Report, 2012

Page 6: Help! Another University Data Breach (237177021)


Core Principles

Least Privilege

• Identity and Access Management

• Any user, whether apps end user or database admin, has access only as needed to perform tasks based on job function or role

• Need to know/compartmentalization

• Including DBA/OS Admins!!

Defense in Depth

• Policies, Procedures, and Awareness

• Physical Security

• Perimeter Security

• Internal Networks

• Host Security

• Application Level Security

• Database Level Security

• Data Protection – Production, Development

Governance

• Governance, Risk, Compliance

• Security Management and Monitoring – Incident Response, vulnerability and threat management, configuration and change management

Page 7: Help! Another University Data Breach (237177021)


Oracle Database Security Solutions Defense-in-Depth for Maximum Security

DETECTIVE

• Activity Monitoring

• Database Firewall

• Auditing and Reporting

PREVENTIVE

• Redaction and Masking

• Privileged User Controls

• Encryption

ADMINISTRATIVE

• Sensitive Data Discovery

• Configuration Management

• Privilege Analysis

Page 8: Help! Another University Data Breach (237177021)


Solution Overview

Page 9: Help! Another University Data Breach (237177021)


Oracle Database Security Solutions Defense-in-Depth for Maximum Security

[Overview diagram of the Detective, Preventive and Administrative controls, repeated from Page 7]

Page 10: Help! Another University Data Breach (237177021)


Oracle Advanced Security

Encryption is the Foundation Preventive Control for Oracle Databases

• Transparent data encryption in the database

– (Network encryption now included with DB)

• Prevents access to data at rest

• Requires no application changes

• Built-in two-tier key management

• “Near Zero” overhead with hardware

• Integrations with Oracle technologies, e.g. Exadata, Advanced Compression, ASM, Golden Gate, DataPump, etc.

[Diagram: Disk, Backups, Exports, Off-Site Facilities, Applications]

Page 11: Help! Another University Data Breach (237177021)


Oracle Advanced Security

Redaction of Sensitive Data Displayed Preventive Control for Oracle Database 12c

• Real-time sensitive data redaction based on database session context

• Library of redaction policies and point-and-click policy definition

• Consistent enforcement, policies applied to data

• Transparent to applications, users, and operational activities

[Diagram: Credit Card Numbers 4451-2172-9841-4368, 5106-8395-2095-5938 and 7830-0032-0294-1827 pass through a Redaction Policy; the Billing Department and the Call Center Application each receive either the full value 4451-2172-9841-4368 or the redacted xxxx-xxxx-xxxx-4368, depending on session context]

Page 12: Help! Another University Data Breach (237177021)


Oracle Data Masking

Masking Data for Non-Production Use Preventive Control for Oracle Databases

• Replace sensitive application data

• Extensible template library and formats

• Application templates available

• Referential integrity detected/preserved

• At source masking and sub-setting*

• Support for masking data in non-Oracle databases

Production:

LAST_NAME   SSN          SALARY
AGUILAR     203-33-3234  40,000
BENSON      323-22-2943  60,000

Non-Production (Dev, Test):

LAST_NAME   SSN          SALARY
ANSKEKSL    323-23-1111  60,000
BKJHHEIEDK  252-34-1345  40,000

*Requires use of Oracle Test Data Management
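The "referential integrity preserved" point on this slide is the part of masking that is easy to get wrong: if the same SSN in two tables masks to two different values, every join in the Dev/Test copy breaks. The example below is added here (it is not Oracle Data Masking code) and models that property with a keyed, deterministic substitution: the key, the second BENEFITS table, and the PLAN values are constructed for illustration; the EMPLOYEES rows are the slide's own.

```python
import hashlib
import hmac
import re

# Constructed demo key (hypothetical). The real masking secret must stay out of
# the non-production environment, otherwise masked values could be recomputed.
MASK_KEY = b"constructed-demo-key-do-not-reuse"

SSN_RE = re.compile(r"\d{3}-\d{2}-\d{4}")


def _digest(field: str, value: str) -> bytes:
    """Keyed, deterministic digest. The same field+value always yields the same
    bytes, which is what keeps foreign keys consistent across masked tables."""
    return hmac.new(MASK_KEY, f"{field}:{value}".encode(), hashlib.sha256).digest()


def mask_ssn(ssn: str) -> str:
    """Replace an SSN with a different value in the same ###-##-#### format."""
    if not SSN_RE.fullmatch(ssn):
        raise ValueError(f"unexpected SSN format: {ssn!r}")
    digits = "".join(str(b % 10) for b in _digest("ssn", ssn)[:9])
    return f"{digits[:3]}-{digits[3:5]}-{digits[5:]}"


def mask_last_name(name: str) -> str:
    """Replace a surname with same-length uppercase letters, as on the slide."""
    return "".join(chr(ord("A") + b % 26) for b in _digest("last_name", name)[: len(name)])


def mask_employees(rows: list[dict]) -> list[dict]:
    """Mask the identifying columns of EMPLOYEES; SALARY is left in place here."""
    return [{"LAST_NAME": mask_last_name(r["LAST_NAME"]),
             "SSN": mask_ssn(r["SSN"]), "SALARY": r["SALARY"]} for r in rows]


def mask_benefits(rows: list[dict]) -> list[dict]:
    """A second (constructed) table that references EMPLOYEES.SSN as a foreign key."""
    return [{"SSN": mask_ssn(r["SSN"]), "PLAN": r["PLAN"]} for r in rows]


def join_on_ssn(employees: list[dict], benefits: list[dict]) -> dict:
    """LAST_NAME -> PLAN via the SSN key; used to check the join still works."""
    plans = {b["SSN"]: b["PLAN"] for b in benefits}
    return {e["LAST_NAME"]: plans.get(e["SSN"]) for e in employees}


# Constructed production rows, taken from the slide's example table.
PROD_EMPLOYEES = [
    {"LAST_NAME": "AGUILAR", "SSN": "203-33-3234", "SALARY": 40000},
    {"LAST_NAME": "BENSON", "SSN": "323-22-2943", "SALARY": 60000},
]
PROD_BENEFITS = [
    {"SSN": "203-33-3234", "PLAN": "PPO"},
    {"SSN": "323-22-2943", "PLAN": "HMO"},
]

if __name__ == "__main__":
    masked_emp = mask_employees(PROD_EMPLOYEES)
    masked_ben = mask_benefits(PROD_BENEFITS)
    print(masked_emp)
    print(join_on_ssn(masked_emp, masked_ben))  # same plans as the production join
```

Because the substitution is keyed, a masked copy leaks nothing about the originals unless the key leaks, which is why the key must never travel with the Dev/Test data.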

Page 13: Help! Another University Data Breach (237177021)


Database Vault

Privileged User Controls Preventive Control for Oracle Databases

• Limit DBA access to application data

• Multi-factor SQL command rules

• Realms create protective zones

• Enforce enterprise data governance, least privilege, segregation of duties

• Out of the box application policies

[Diagram: Procurement, HR and Finance application realms; a DBA issuing "select * from finance.customers" against the Finance realm; separate Application DBA and Security DBA roles]

Page 14: Help! Another University Data Breach (237177021)


Oracle Label Security

Label Based Access Control Preventive Control for Oracle Databases

• Virtual information partitioning for cloud, SaaS, hosting environments

• Classify users and data using labels

• Labels based on business drivers

• Automatically enforced row level access control, transparent to applications

• Labels can be factors in other policies

[Diagram: Transactions, Report Data and Reports labeled Public, Confidential or Sensitive]

Page 15: Help! Another University Data Breach (237177021)


Oracle Database Security Solutions Defense-in-Depth for Maximum Security

[Overview diagram of the Detective, Preventive and Administrative controls, repeated from Page 7]

Page 16: Help! Another University Data Breach (237177021)


Oracle Audit Vault and Database Firewall

Detective/Preventative - Solution for Oracle and Non-Oracle Databases

[Diagram: SQL from Users and Applications passes through the Database Firewall, which can Allow, Log, Alert, Substitute or Block each statement; Firewall Events and Audit Data from the databases, together with OS, Directory, File System & Custom Audit Logs, are collected in the Audit Vault, where Policies drive Built-in Reports, Custom Reports and Alerts for the Security Analyst, Auditor and SOC]

Page 17: Help! Another University Data Breach (237177021)


Oracle Database Security Solutions Defense-in-Depth for Maximum Security

[Overview diagram of the Detective, Preventive and Administrative controls, repeated from Page 7]

Page 18: Help! Another University Data Breach (237177021)


Oracle Database Vault

Discover Use of Privileges and Roles Administrative Control for Oracle Database 12c

Privilege Analysis

• Turn on privilege capture mode

• Report on actual privileges and roles used in the database

• Helps revoke unnecessary privileges

• Enforce least privilege and reduce risks

• Increase security without disruption

[Diagram: privileges such as Create…, Drop… and Modify… captured for the DBA role and the APPADMIN role]
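The report step of privilege analysis is simple set arithmetic, but the caveat matters: a privilege that was not exercised during the capture window is not necessarily unnecessary. The stand-alone model below is added here and is not Oracle's implementation (in 12c the in-database capture is done by the DBMS_PRIVILEGE_CAPTURE package, which the slide does not name); the grants, the capture records and the role names are constructed, and the `keep` set shows how to exempt privileges known to be used only outside the window.

```python
import csv
import io

# Constructed grants (hypothetical): role -> system privileges it currently holds.
GRANTS = {
    "APPADMIN": {"CREATE SESSION", "CREATE TABLE", "DROP ANY TABLE",
                 "SELECT ANY TABLE", "ALTER USER"},
    "DBA": {"CREATE SESSION", "CREATE TABLE", "DROP ANY TABLE",
            "ALTER SYSTEM", "CREATE USER"},
}

# Constructed privilege-capture records (role, privilege used, object), shaped
# like the output of a capture run over a representative workload. Not real data.
CAPTURE_LOG = """\
role,privilege,object
APPADMIN,CREATE SESSION,
APPADMIN,CREATE TABLE,HR.EMPLOYEES
APPADMIN,SELECT ANY TABLE,FINANCE.CUSTOMERS
APPADMIN,CREATE TABLE,HR.DEPARTMENTS
DBA,CREATE SESSION,
DBA,ALTER SYSTEM,
DBA,CREATE USER,APP_USER
"""


def parse_capture(text: str) -> dict[str, set[str]]:
    """Collapse capture records into role -> set of privileges actually used."""
    used: dict[str, set[str]] = {}
    for row in csv.DictReader(io.StringIO(text)):
        used.setdefault(row["role"], set()).add(row["privilege"].strip().upper())
    return used


def privilege_report(grants, used, keep=frozenset()):
    """Split each role's grants into used and unused. `keep` holds privileges
    exercised only outside the capture window (quarter-end jobs, DR drills) so a
    single capture does not report them as revocable. `unknown` flags usage of
    a privilege the grant inventory does not list, i.e. a stale inventory."""
    report = {}
    for role, granted in grants.items():
        exercised = used.get(role, set())
        report[role] = {"used": granted & exercised,
                        "unused": granted - exercised - keep,
                        "unknown": exercised - granted}
    return report


def revoke_statements(report) -> list[str]:
    """Oracle REVOKE statements for the unused system privileges, for review."""
    return [f"REVOKE {priv} FROM {role}"
            for role in sorted(report)
            for priv in sorted(report[role]["unused"])]


if __name__ == "__main__":
    rep = privilege_report(GRANTS, parse_capture(CAPTURE_LOG))
    print("\n".join(revoke_statements(rep)))
```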

Page 19: Help! Another University Data Breach (237177021)


Oracle Enterprise Manager 12c

Discover Sensitive Data and Databases Administrative Control for Oracle Database 12c

• Scan Oracle for sensitive data

• Built-in, extensible data definitions

• Discover application data models

• Protect sensitive data appropriately: encrypt, redact, mask, audit…

Page 20: Help! Another University Data Breach (237177021)


Customer Success Stories

Page 21: Help! Another University Data Breach (237177021)


Oracle Database Security Customers

www.oracle.com/goto/database/security-customers

SquareTwo Enables Fast Growth with Oracle Database Solutions
SquareTwo enables fast growth and regulatory compliance with Oracle Database security defense-in-depth solutions including Oracle Database Firewall, Oracle Data Masking, and Oracle Advanced Security

National Marrow Donor Program Database Defense-in-Depth
NMDP secures life-saving patient and donor data with Oracle Advanced Security, Oracle Database Vault, and Oracle Data Masking

T-Mobile Protects 35 Million Subscribers Using Oracle
T-Mobile explains how they use Oracle Database Firewall, Oracle Advanced Security, and Oracle Data Masking to secure sensitive data across the organization in both Oracle and non-Oracle databases

TransUnion Interactive Uses Database Firewall for Compliance
Hear how TransUnion Interactive protects customer data and meets regulatory compliance with database activity monitoring using Oracle Database Firewall

ETS Complies with PCI DSS Using Oracle Advanced Security
Educational Testing Service secures personally identifiable information (PII) and complies with regulatory requirements with Oracle Advanced Security

Page 22: Help! Another University Data Breach (237177021)


Agenda

Database Security

– The World Today

– Defense in Depth

– Solution Overview

– Customer Success

Identity Management

– Identity Management Trends

– Identity Suites Overview

– Securing the Extended Enterprise

Page 23: Help! Another University Data Breach (237177021)


NEW TRENDS TRANSFORMING THE IDENTITY BUSINESS

• Mobile Access

• Social Identity

• Cloud Security

• Identity Provider

• Internet of Things

Page 24: Help! Another University Data Breach (237177021)


[Diagram: IDENTITY MANAGEMENT spanning ENTERPRISE, MOBILE and CLOUD, built on DIRECTORY, GOVERNANCE and ACCESS]

Page 25: Help! Another University Data Breach (237177021)


New Technologies and Services Require Integrated Technologies

Governance

• Password Reset

• Privileged Accounts

• Access Request

• Roles Based Provisioning

• Role Mining

• Attestation

• Separation of Duties

Access

• Web Single Sign-on

• Federation

• Mobile, Social & Cloud

• External Authorization

• SOA Security

• Integrated ESSO

• Token Services

• Fraud Detection

• Privileged Account Manager

Directory

• LDAP Storage

• Virtual Directory

• Meta Directory

Platform Security Services

Page 26: Help! Another University Data Breach (237177021)


Automate and Identify Who Has Access to What

[Diagram: COMPLETE GOVERNANCE over a COMMON REPOSITORY and ENTITLEMENT CATALOG, with ACCESS to APPS, OPERATING SYSTEMS, DIRECTORY SERVICES, ENTERPRISE APPLICATIONS, DATABASES, Cloud Applications/Services and PRIVILEGED SYSTEMS for CUSTOMERS & PROSPECTS, CONTRACTORS & PARTNERS, ADMINS and EMPLOYEES]

Page 27: Help! Another University Data Breach (237177021)


Oracle Access Management 11gR2 Reference Architecture

• Complete

• Simplified

• Innovative

• Scalable

Page 28: Help! Another University Data Breach (237177021)


Oracle Directory Services

• Highly Scalable

• Easy to Deploy

• Unify identity across directories, databases and web services in real-time

• Fully integrated with Oracle databases, middleware and applications

• Complete Meta-data and Integration Platform

Directory Services Plus: Unified Directory, Internet Directory, Virtual Directory, Directory Services Enterprise Edition

Page 29: Help! Another University Data Breach (237177021)


Oracle Mobile Security Strategy

Securely Separate And Manage Corporate Apps And Data On Devices

Secure Container For App Security And Control / Secure Controls And Management For Enterprise Apps / Extend IDM Services To Avoid Redundancy And Overlaps

• Separate, protect and wipe corporate applications and data

• Strict policies to restrict users from viewing/moving data out of container

• Consistent support across multiple mobile platforms

• Secure communication with enterprise application servers

• Corporate app store

• Common users, roles, policies, access request, cert etc.

• SSO for native and browser apps

• Risk/policy based step up and strong authentication

Page 30: Help! Another University Data Breach (237177021)


Market Overview: Oracle is the Leader

Identity Management is a Business Enabler

• Every Cloud, Mobile or Social Application requires Identity Management

• Reducing the costs and risks of identifying who has access to what is a top priority for organizations

• Platform approach to identity management reduced costs by 48% and errors by 35%

• Oracle is the market leading provider of a complete Identity Management Platform

Oracle has 30,000 Identity Management Customers in 45 countries

[Figure: Market Performance chart for User Provisioning and Identity Governance]

Page 31: Help! Another University Data Breach (237177021)


Oracle Recommends: Use a Proven and Cost Effective Approach

DEFENSE IN DEPTH: Approach multiple overlapping controls to secure strategic assets

SECURE WHAT IS STRATEGIC: Move controls closer to the systems and applications they are intended to protect

LEAST PRIVILEGE: Practices to ensure access is based on “need to know”

Page 32: Help! Another University Data Breach (237177021)


Join the Community

Twitter twitter.com/OracleIDM

Facebook facebook.com/OracleIDM

Oracle Blogs Blogs.oracle.com/OracleIDM

Oracle IdM Website oracle.com/Identity

Page 33: Help! Another University Data Breach (237177021)
