Oracle Database Security

Ursula Koski, Senior Principal Architect


Post on 08-Mar-2020


Ursula Koski, Senior Principal Architect

• Senior Principal Architect

• Oracle User Group Liaison and OUGF Board Member (Finland)

• Joined Oracle 2007
  – Working mainly with short term database engagements around the world. High availability and disaster recovery area.
  – Have worked as an Oracle DBA for partners from 1994.

• Interests
  – Professional: Oracle Database Evangelist, Maximum Availability Architecture and Database Disaster Recovery & Problem solving.
  – Personal: Oracle Databases, all technical gadgets (Geek!), traveling and reading.

Data Security Challenges

• What to secure?
  – Sensitive Data: Confidential, PII, regulatory
  – Data in packaged and custom applications
  – Secure Life cycle: creation, transit, storage, backup, test, transfer

• Can we secure it now?
  – Secure using existing systems?
  – Transparent?
  – Loss, Unauthorized access, Separation of Duty

• Will it meet business requirements?
  – Flexible, Transparent, Compliant?
  – Secures both custom and packaged applications?

• Will it reduce operational cost?
  – Easy to manage?
  – Performant?

Oracle Database Security: Defense-in-Depth for Security and Compliance

• Access Control: Database Vault, Label Security

• Monitoring: Configuration Management, Audit Vault, Total Recall

• Encryption and Masking: Advanced Security, Secure Backup, Data Masking

Oracle Database Security: Defense-in-Depth for Security and Compliance

• Encryption and Masking: Advanced Security, Secure Backup, Data Masking

Oracle Advanced Security: Transparent Data Encryption

• No application changes required

• Efficient encryption of all application data

• Built-in key lifecycle management

• Works with Exadata V2 Smart Scans

• Works with Oracle Advanced Compression

Diagram labels: Application, Disk, Backups, Exports, Off-Site Facilities

Oracle Advanced Security: Network Encryption & Strong Authentication

• Standard-based encryption for data in transit

• Strong authentication of users and servers

• No infrastructure changes required

• Easy to implement

Oracle Secure Backup: Integrated Tape or Cloud Backup Management

• Secure data archival to tape or cloud

• Easy to administer key management

• Fastest Oracle Database tape backups

• Leverage low-cost cloud storage

Oracle Data Masking: Irreversible De-Identification

• Remove sensitive data from non-production databases

• Referential integrity preserved so applications continue to work

• Extensible template library and policies for automation

Production

LAST_NAME   SSN          SALARY
AGUILAR     203-33-3234  40,000
BENSON      323-22-2943  60,000

Non-Production

LAST_NAME   SSN          SALARY
ANSKEKSL    111-23-1111  40,000
BKJHHEIEDK  222-34-1345  60,000

Oracle Database Security: Defense-in-Depth for Security and Compliance

• Access Control: Database Vault, Label Security

• Encryption and Masking: Advanced Security, Secure Backup, Data Masking

Oracle Database Vault: Separation of Duties & Privileged User Controls

• DBA separation of duties

• Limit powers of privileged users

• Securely consolidate application data

• No application changes required

• Works with Oracle Exadata V2 Database Machine

Diagram labels: Procurement, HR, Finance, Application, DBA issuing "select * from finance.customers"

Oracle Database Vault: Multi-Factor Access Control Policy Enforcement

• Protect application data and prevent application by-pass

• Enforce who, where, when, and how using rules and factors

• Out-of-the box policies for Oracle applications, customizable

Diagram labels: Procurement, HR, Rebates, Application

Oracle Label Security: Data Classification for Access Control

• Classify users and data based on business drivers

• Database enforced row level access control

• Users classification through Oracle Identity Management Suite

• Classification labels can be factors in other policies

Diagram labels: Transactions, Report Data, Reports; classification levels Confidential, Sensitive, Public

Did you know?

• Finding User Accounts That Have Default Passwords

• When you create a database in Oracle Database 11g Release 2 (11.2), most of its default accounts are locked with the passwords expired.

• To find both locked and unlocked accounts that use default passwords, log onto SQL*Plus using the SYSDBA privilege and then query the DBA_USERS_WITH_DEFPWD data dictionary view.

SELECT d.username, u.account_status
  FROM DBA_USERS_WITH_DEFPWD d, DBA_USERS u
 WHERE d.username = u.username
 ORDER BY 2,1;

USERNAME          ACCOUNT_STATUS
----------------- --------------------------
SCOTT             EXPIRED & LOCKED
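The query above lists every default-password account; the following added example (not part of the original slides) narrows it to accounts that can still be used to log in and generates lock statements for review. It assumes SELECT access to DBA_USERS_WITH_DEFPWD, DBA_USERS and DBA_ROLE_PRIVS; the column aliases are illustrative.

```sql
-- Added example: triage of default-password accounts (not from the slides).

-- 1. Default-password accounts that are not permanently locked.
--    Statuses ending in 'LOCKED' ('LOCKED', 'EXPIRED & LOCKED', ...) are
--    excluded; 'LOCKED(TIMED)' is kept because it unlocks by itself, and
--    'EXPIRED' is kept because the default password still authenticates
--    and only forces a password change at logon.
SELECT d.username,
       u.account_status,
       u.profile,
       CASE WHEN EXISTS (SELECT 1
                           FROM dba_role_privs r
                          WHERE r.grantee = d.username
                            AND r.granted_role = 'DBA')
            THEN 'YES' ELSE 'NO'
       END AS has_dba_role
  FROM dba_users_with_defpwd d
  JOIN dba_users u ON u.username = d.username
 WHERE u.account_status NOT LIKE '%LOCKED'
 ORDER BY has_dba_role DESC, d.username;

-- 2. Generate (do not execute) remediation statements for the same set,
--    so that a DBA can review which accounts an application still needs.
SELECT 'ALTER USER "' || d.username || '" PASSWORD EXPIRE ACCOUNT LOCK;'
         AS fix_stmt
  FROM dba_users_with_defpwd d
  JOIN dba_users u ON u.username = d.username
 WHERE u.account_status NOT LIKE '%LOCKED'
 ORDER BY d.username;
```

An account that an application still uses should get a new password rather than a lock; it disappears from DBA_USERS_WITH_DEFPWD once the password is changed.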


Oracle Audit Vault: Automated Activity Monitoring & Audit Reporting

• Consolidate audit data into secure repository

• Detect and alert on suspicious activities

• Out-of-the box compliance reporting

• Centralized audit policy management

Diagram labels: sources (CRM Data, ERP Data, Databases, HR Data) feed Audit Data; outputs are Policies, Built-in Reports, Alerts and Custom Reports for the Auditor

Oracle Database Auditing Performance: Audit users/tables effectively

• Oracle Database 11.2

• ~250 audit records / second

Audit Location               Throughput Degradation   Additional CPU Used (above 50%)
OS file                      1.39%                    1.45%
XML format file              1.70%                    3.51%
XML format file + SQL Text   3.22%                    4.56%
Database Tables              3.84%                    4.55%
Database Tables + SQL Text   11.93%                   13.95%

• 4-CPU 3.6 GHz, 4GB RAM

• Linux 2.6.9-34.0.1.0.11.ELsmp

• Existing CPU Work Load: 50%

Oracle Total Recall: Secure Change Tracking

select salary from emp AS OF TIMESTAMP
  TO_TIMESTAMP('02-MAY-09 12.00 AM', 'DD-MON-RR HH.MI AM')
  where emp.title = 'admin';

• Transparently track data changes

• Efficient, tamper-resistant storage of archives

• Real-time access to historical data

• Enables forensics and error correction
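The slide's query reads one point in time; the following added example (not part of the original slides) shows how a table is placed under Total Recall tracking and how a version query supports the forensics use case. The archive name fda_hr, the tablespace fda_ts and the one-year retention are assumptions; emp, salary and title come from the slide's query.

```sql
-- Added example; fda_hr, fda_ts and RETENTION 1 YEAR are assumed values.

-- 1. Create a flashback data archive and start tracking changes to emp.
--    Creating the archive requires the FLASHBACK ARCHIVE ADMINISTER
--    system privilege.
CREATE FLASHBACK ARCHIVE fda_hr
  TABLESPACE fda_ts
  RETENTION 1 YEAR;

ALTER TABLE emp FLASHBACK ARCHIVE fda_hr;

-- 2. Forensics: every recorded version of the 'admin' salary rows from
--    the slide's timestamp until now, with the operation that produced
--    each version and the transaction that made the change.
SELECT versions_starttime,
       versions_endtime,
       versions_operation,   -- I = insert, U = update, D = delete
       versions_xid,         -- transaction id of the change
       salary
  FROM emp
       VERSIONS BETWEEN TIMESTAMP
         TO_TIMESTAMP('02-MAY-09 12.00 AM', 'DD-MON-RR HH.MI AM')
         AND SYSTIMESTAMP
 WHERE title = 'admin'
 ORDER BY versions_starttime;
```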


Oracle Configuration Management: Vulnerability Assessment & Secure Configuration

• Database discovery

• Continuous scanning against best practices

• Detect and prevent unauthorized configuration changes

• Change management compliance reports

Diagram labels: Asset Management, Policy Management, Vulnerability Management, Configuration Management & Audit, Analysis & Analytics; cycle steps Discover, Classify, Assess, Prioritize, Fix, Monitor


For More Information

oracle.com/database/security

search.oracle.com

database security

Oracle Products Available Online

Oracle Store Buy Oracle license and support online today at oracle.com/store
