2012 ISACA Webinar Program. © 2012 ISACA. All rights reserved.
2012 Enterprise Data Security Survey Results
Michelle Malcher, EVP, Director of Membership, IOUG
William Hardie, VP of Database Product Marketing, Oracle
2012 ISACA Webinar Program
Welcome!
• Type in questions using the Ask A Question button
• All audio is streamed over your computer
– Having technical issues? Click the ? button
• Click Attachments button to find a printable copy of this presentation
• After the webinar, ISACA members may earn 1 CPE credit
– Find a link to the CPE Quiz on the Attachments button
– Once you pass the quiz, you’ll receive a printable CPE Certificate
• Question or suggestion? Email them to [email protected]
Today’s Speakers
Michelle Malcher, EVP, Dir of Membership, IOUG and DBA Team Lead, DRW Holdings
Willie Hardie, Vice President, Database Product Marketing, Oracle
Agenda
• Survey Overview
• 2012 Enterprise Data Security Survey Results
• Database Security Defense-in-Depth
• Conclusion
• Q&A
Survey Overview
• Independent Oracle Users Group
• 350 respondents
– 12% government, 9% manufacturing
– 9% healthcare, 9% education, 6% financial
• Organizations of all sizes
– 21% 1-5K employees
– 26% over 10K employees
• 39% have a DBA title
• 38% responsible for over 100 databases
57% Say Data Breach Likely or Don’t Know What to Expect Over Next Year…
What is the likelihood of a data breach over the next 12 months?
What do you see as the greatest risks to your data at this time?
Greatest Risks: Human Error, Internal Hackers, and IT Staff Abuse
Only 32% Prevent Non-Database Users from Seeing/Tampering with OS Level Data
Is personal identity information (e.g., social security, credit card, national identifier numbers) stored in your databases encrypted?
71% Susceptible to Non-Database Users Seeing/Tampering Data via Network Traffic
Is application data encrypted on the network to/from your database?
Only 23% Encrypt All Backups and Exports
Do you encrypt all your online and offline database backups and exports?
Use Encryption to Protect Data From Unauthorized Users
(Diagram: data at rest on Disk, in Backups, in Exports and at Off-Site Facilities, and data in transit to the Application, all protected by encryption.)
1 in 4 Admit Application By-Pass Possible – Allowing Direct Access to the Database
Can database users access application data in the database directly using ad-hoc tools or spreadsheets?
69% Have No Preventive Controls on Privileged Database Users or Unsure
Can you prevent database administrators and other privileged database users from reading or tampering with sensitive information in financial, HR, or other business applications?
Enforce Security Policies Inside the Database to Prevent Privileged User Misuse
(Diagram: Procurement, HR and Finance application schemas inside the database; three privileged roles, Application DBA, DBA and Security DBA; the DBA's ad-hoc query "select * from finance.customers" is subject to the in-database policy rather than bypassing it.)
Database Activity Monitoring - Critical Activities Remain Unmonitored
If monitoring production databases, indicate all activities you monitor
67% Use Native Auditing
Are you using native database auditing to monitor database activity?
Database Security Audits Infrequent at Best: 34% Never Do, or Unsure if Ever Done
How many database security audits does your organization do per year?
Only 19% Protect Audit Trail for All Databases – Easy to Tamper With
Do you consolidate database audit data to a central secure location to protect from unauthorized access or potential tampering by privileged database users?
3 in 4 Cannot Detect Unauthorized Database Access on Most Databases
Would you or a security administrator know if someone made an unauthorized database access to your database?
74% Could Not Prove Privileged Database Users Are Not Abusing Their Privileges
Could you prove database administrators & other privileged database users at your company are not abusing their super-user privileges?
Consolidated and Secure Auditing to Monitor Database Activity in Real-Time
(Diagram: audit data from CRM, ERP and HR databases is consolidated into a central Audit Data store governed by Policies, feeding Built-in Reports, Custom Reports and Alerts to the Auditor.)
54% Took >24 Hours to Detect & Correct Unauthorized Access or Change
If there was unauthorized database access or change, how long would it take your organization to detect and correct?
69% Have Limited to No Network-Based Database Firewall Solution
Are you using a network-based database firewall solution for blocking unauthorized database activity?
(Total does not equal 100% due to rounding.)
Database Traffic Monitoring to Block Unauthorized Access
(Diagram: SQL traffic from Applications passes through a policy engine whose possible actions are Block, Log, Allow, Alert and Substitute; Policies drive Built-in Reports, Custom Reports and Alerts.)
76% Take Longer than 3 Months to Apply Security Patches to All Systems
How quickly do you apply Critical Patch Updates to all systems?
Secure Complete Database Lifecycle to Prevent Configuration Drift
(Diagram: lifecycle stages Discover, Scan and Monitor, Patch.)
Over Half Have Production Data in Non-Production Environments
What kind of data is used within non-production environments? (e.g. staging and dev environments)
Nearly Half Outsource Database Functions to a Third-Party
Has your company outsourced or off-shored the following in the last year?
Irreversibly De-Identify Data for Non-Production Environments
Production:
LAST_NAME   SSN          SALARY
AGUILAR     203-33-3234  40,000
BENSON      323-22-2943  60,000

Non-Production:
LAST_NAME   SSN          SALARY
ANSKEKSL    111-23-1111  60,000
BKJHHEIEDK  222-34-1345  40,000

Data Never Leaves Database
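The masking shown on this slide, as an added example that is not from the webinar or from any Oracle product: last names are substituted, SSNs are replaced while keeping their layout, and salaries are shuffled across rows, using a keyed hash whose key exists only for one masking run so the mapping cannot be reversed. The rows and key are constructed, and the function names (mask_rows, leaks_production) are hypothetical.

```python
import hashlib
import hmac
import random
import re
import string

# Constructed sample rows mirroring the slide's production table.
PRODUCTION = [
    {"LAST_NAME": "AGUILAR", "SSN": "203-33-3234", "SALARY": 40000},
    {"LAST_NAME": "BENSON", "SSN": "323-22-2943", "SALARY": 60000},
]
SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")

def is_ssn_format(value: str) -> bool:
    return bool(SSN_RE.match(value))

def _digest(key: bytes, value: str) -> bytes:
    # Keyed hash of the original value. The key should be fresh per run
    # (e.g. os.urandom(32)) and never stored, so the mapping is irreversible.
    return hmac.new(key, value.encode(), hashlib.sha256).digest()

def mask_name(key: bytes, name: str) -> str:
    # Substitution: random-looking uppercase letters, like ANSKEKSL on the slide.
    # At least 8 letters so short real names are not hinted at by length.
    n = min(max(len(name), 8), 32)
    return "".join(string.ascii_uppercase[b % 26] for b in _digest(key, name)[:n])

def mask_ssn(key: bytes, ssn: str) -> str:
    # Format-preserving replacement: keep the ddd-dd-dddd layout, replace every digit.
    if not is_ssn_format(ssn):
        raise ValueError(f"unexpected SSN layout: {ssn!r}")
    digits = iter(_digest(key, ssn))
    return "".join(str(next(digits) % 10) if c.isdigit() else c for c in ssn)

def mask_rows(rows, key: bytes, seed=None):
    # Shuffle salaries across rows so the distribution survives for testing
    # while no masked row stays linkable to a real person.
    salaries = [r["SALARY"] for r in rows]
    random.Random(seed).shuffle(salaries)
    return [{"LAST_NAME": mask_name(key, r["LAST_NAME"]),
             "SSN": mask_ssn(key, r["SSN"]), "SALARY": s}
            for r, s in zip(rows, salaries)]

def leaks_production(masked, production) -> bool:
    # Post-masking check: no real name or SSN may survive into non-production.
    real = {r["LAST_NAME"] for r in production} | {r["SSN"] for r in production}
    return any(r["LAST_NAME"] in real or r["SSN"] in real for r in masked)
```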
Most Subject to Data Privacy and Protection Regulatory Requirements
Which of the following compliance mandates are you required to comply with?
Database and Security Groups Must Work Together to Address Issues
Who is responsible for database security in your organization?
Oracle Database Security Defense-in-Depth
Maximum Security for Oracle Databases (Transparent Data Encryption, Privileged User Controls, Multi-Factor Authorization, Data Classification, and Change Tracking):
• Oracle Advanced Security
• Oracle Database Vault
• Oracle Label Security
Security for Oracle and non-Oracle Databases Outside the Database (Database Activity Auditing and Reporting, SQL Traffic Monitoring and Blocking, Real-Time Alerting, Workflow Automation):
• Oracle Audit Vault
• Oracle Database Firewall
Security for Production and Non-Production Database Environments (Secure Configuration Scanning, Automated Patching, Configuration Change Control, Sensitive Data Discovery, Data Masking):
• Oracle Database Lifecycle
• Oracle Enterprise Manager
• Oracle Data Masking
Q&A
For More Information
oracle.com/database/security
or search.oracle.com for "database security"