8/2/2019 5-2010-11-03bucharestoracletechdaysecurity-101104082226-phpapp01
1/35
Security for Data at the Source in Public and Private Sector
3rd November 2010, Bucharest
Michael Brger
Product Director EECIS, Security and Manageability
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.
Business Drivers for Security
End to End Oracle Security Solutions
Securing Data at the Source
Application Security
Identity and Access Management
Database Security
Infrastructure Security
Source: Gartner DataQuest, 2008; Forrester Database Security Market Report, 2009
#1 Database, Most Secure
Most DBMS vendors offer basic security features; Oracle's offering is most comprehensive.
How is Data Compromised?
Source: Verizon 2010 Data Breach Investigations Report
Oracle Database Security Business Drivers
Most relevant in EECIS, the minimum bundle on data level
Audit Vault
Label Security
Reduce & avoid Security Costs
Configuration Management for Policies
DB Vault, DBA Access Control
Compliance & Regulation
Data Mask for Developers
Advanced Security Option for Encryption
Database Firewall
Security Threats internal & external
DB Security in the Data Center
DB Security in the Data Center
DB environment
Application users, DBAs, Developers, Security Officer
Securing data at rest
Application users protected by
Transparent Data Encryption 10g Column
Transparent Data Encryption 11g Tablespace
Securing data in motion
Application users protected by
Transparent Data Encryption 10g Column
Transparent Data Encryption 11g Tablespace
Application users protected by
Transparent Data Encryption 10g Network
Transparent Data Encryption 10g Tapes
DB Firewall Network Realtime SQL Analyzer
Preventing unauthorized modification
Application users protected by
Transparent Data Encryption 10g Column
Transparent Data Encryption 11g Tablespace
Application users protected by
Transparent Data Encryption 10g Network
Transparent Data Encryption 10g Tapes
DB Firewall Network Realtime SQL Analyzer
Developers protected by
Data Mask 10g
DBAs protected by
DB Vault 9i
Highly secured DB environment: preventive and detective
Application users protected by
Transparent Data Encryption 10g Column
Transparent Data Encryption 11g Tablespace
Application users protected by
Transparent Data Encryption 10g Network
Transparent Data Encryption 10g Tapes
DB Firewall Network Realtime SQL Analyzer
Developers protected by
Data Mask 10g
DBAs protected by
DB Vault 9i
Security Officer protected by
Audit Vault 10g
New 11g Features and Certifications
Oracle Advanced Security
11g Table Space Encryption, e.g. for ODB based HR systems
Disk
Backups
Exports
Off-Site Facilities
Any employee user with operating system access can sniff data and copy it
11g Table Space Encryption for sensitive HR data at rest encryption
Data in motion traveling on network is encrypted from 10g on
Rapid implementation of 11g Table Space Encryption
No identification of the fields required, just create an encrypted table space as part of the upgrade and use that table space for HR system on ODB, rapid index queries
This is totally transparent without application change
Minimal preparation within the 11g upgrade and all the data is protected
Less administration & performance impact compared to 10g column encryption
Oracle Database Vault
Privileged User Access Control on Data level and Multifactor Authorization
Procurement
HR
Finance
Application
select * from finance.customers
DBA
Power users can access sensitive data (HR, Credit Cards) and publish it
SoD, prevents unauthorized new account creation or password change
(1) Application owners to create new accounts
(2) DB Vault protects DBAs, they can manage the data, but can't modify
(3) Security officers to grant access rights according to written policies
Certified Realms to protect all tables in EBS, SAP or ISV HR Systems
Brings Security Policies in production according to CIA application ratings*
* CIA principles: Confidentiality, Integrity and Availability, who can delete, copy or change what?
Oracle Database Firewall
First Line of Defense
Monitor db activity to prevent unauthorized db access, SQL injections, privilege or role escalation, illegal access to sensitive data, etc., according to Security Policies
SQL grammar analysis for Firewall activities (allow, log, alert, substitute, block)
Scalable architecture provides enterprise performance in all deployment modes
Built-in and custom compliance reports for SOX, PCI, and other regulations
Whitelists or blacklists consider time of day, day of week, network, application, etc.
Policies
Built-in Reports
Alerts
Custom Reports
Applications
Block
Log
Allow
Alert
Substitute
Customers in Vertical Industries
Oracle DB Security cross-industry EECIS
Banking
Telecommunication
Public Sector
Retail, Utilities, other
Telecommunications
Insurances
CIPS
Case Study Public Sector Romania
DB Vault, Advanced Security
BUSINESS CHALLENGE
Nation-wide project with confidential data
The business drivers are regulations and preventive concepts
DB Security part of a larger project
Customer expects to ensure the confidentiality of stored data, in transfer and storage, while preventing unauthorized access from privileged accounts.
ORACLE SOLUTION
Customer in Public Sector bought DB Vault and Advanced Security in Nov 2009
Products are used on all servers
Customer also uses Oracle IdM Access Manager for web access control
Oracle gained a strong vendor position at customer with significant footprint for Enterprise Security
RESULTS
From the business point of view, the use of Advanced Security and DB Vault facilitates the reduction of risks like information theft or leaks, fraudulent alterations of data, and bad publicity
From the technical point of view, the solution will have to protect all private data used by key applications
Implementation will be done by Oracle Partner, with 1 year left for finishing the project
Customer does not take reference calls or visits
Case Study Telecom in Central Europe
DB Vault, Advanced Security
BUSINESS CHALLENGE
Drivers: Big gap between IT and Business
Bring Business processes to IT and develop relevant IT services
Project start in 2007 Service Order management - Tower
Merger of 2 Telecom companies
Integrated Order Management (IOM) based on SIEBEL
IT recognized that SIEBEL is not enough (much logic needs to be implemented at the level of integration, processes, custom apps)
Data security is crucial, Security violations as a business driver to invest in Security solutions.
Customer Data Security & Compliance requirements (ISO27001 Compliance regulation relevant for Telco)
Partner: Accenture
ORACLE SOLUTION
Oracle technology on site: DB, IAS, SOA Suite 10 (first major adoption of SOA in this country)
FMW stack + DB EE, Partitioning, RAC, Advanced Security, Db Vault, Diag, Tun, Config packs in Dec 2009.
Managed systems: IOM based on SIEBEL
Oracle is trusted technology vendor (Presales) and advisor of Eastern European ICCC Competence Center Bratislava
Sales process:
Longterm relationships with Enterprise Architect, DB admin, Development unit managers and senior developers, etc.
Good cooperation between partner and Oracle ASR
RESULTS
Pilot release of implementation in progress
DB Vault and ASO Encryption to protect and encrypt sensitive customer data Siebel CRM is running on
The success in implementation is the only criterion which may lead to next phase of the project
Delivery of project by Oracle partner Accenture
Customer is not taking reference calls or visits
Case Study Bankart Financial Services
DB Vault, Audit Vault
BUSINESS CHALLENGE
Bankart is the largest Credit Card processing company in Slovenia
PCI Compliance was business demand
CIO started internal project to reach PCI compliance in one year
Avoiding costs and simplifying the audit reporting
ORACLE SOLUTION
Customer bought Audit and Database Vault in May 2009
All Production and Test systems are managed by DB Sec component, together with MS SQL server as one Audit source
Platform is HP-UX, Oracle 10gR2, MS SQL 2005
Other DB Sec products (Advanced Security - TDE, Conf. Mgm. Packs) are still under evaluation
RESULTS
Reaching PCI compliance is expected from business point of view
Technically, Bankart decided for Oracle centric PCI approach
Project has started in June 2009, first phase (change of an application, use of DB Vault and set-up Audit Vault) until 2010
Internal IT together with local security partner OSI
Customer has published a snapshot story and is available for reference calls and visits
Case Study Bank in Munich Germany
Advanced Security and DB Vault for SAP HR
BUSINESS CHALLENGE
The customer wanted to protect SAP HR data against unauthorized access
The customer wanted to comply with internal security policies
It was an HR project so HR compartment was the sponsor
There was a re-organization SAP project and data privacy was an important part of this project.
Only authorized HR employees should have access to HR data. Privileged users like DBAs, network administrators, system administrators shouldn't be able to access the HR data
ORACLE SOLUTION
The customer purchased Oracle Advanced Security and Oracle Database Vault in August 2009 to prevent unauthorized access to sensitive HR data
It is one of the first DB Vault for SAP implementations worldwide
10 CPUs SUN Solaris system is now protected with Oracle Advanced Security and Oracle Database Vault, both products are certified for SAP/R3
RESULTS
Customer is compliant with internal security policies (regulations)
Only authorized HR employees have data access to HR data. Privileged users like DBAs, network administrators, system administrators aren't able to access the HR data
Oracle Partner was involved as consulting firm and system integrator, the solution is implemented and works with SAP
The customer is not taking reference calls
Case Study ApoBank Germany
DB Vault and ASO for ODB based ISV HR
BUSINESS CHALLENGE
Business drivers
to centralize highly sensitive HR data on fewer servers for cost savings and more efficiency in HR processes
to protect this type of sensitive HR data containing salary info but transparent to the HR application
No segregation of duties before, DB administration and HR had the same rights to copy, change or delete data
Target to strictly split access rights, only HR can see the data
ORACLE SOLUTION
Customer does have 2.000 employees across Germany
DB Vault and Advanced Security Option purchased in 2008
Partner MT AG involved in implementation
Oracle Encryption is working application transparent, meaning without any change of HR system running on Oracle Database
RESULTS
DB Vault is supporting segregation of duty and enables logging of all changes in data schema, DBAs can manage but can't see data
ASO (Advanced Security Option) includes encryption; ASO is encrypting data on disk, including backups, and in motion for data traveling on the network, safe against insider threats, nobody can modify or copy sensitive HR data
Cost savings achieved based on server consolidation for centralized HR data and secure HR process optimization
The customer is taking reference calls and visits
Case Study CMC Markets Financial Services UK
DB Vault and ASO for E-Business Suite HR
BUSINESS CHALLENGE
The customer is focused on providing access to online trading markets across the globe
The key business driver is to ensure the customer's reputation by keeping customer and salary data confidential against insider threats
To comply with vertical industry specific regulations in financial services.
Simplify the audit process by providing a secure audit infrastructure
ORACLE SOLUTION
Oracle DB Vault, Advanced Security Option and Audit Vault purchased in 2008
This is the first EBS customer in Europe with DB Security
DB Security in production with RAC (Real Application Cluster), EBS (E-Business Suite) incl. HR data, and Oracle Database 10g
RESULTS
Segregation of Duties has been achieved according to Security policies and vertical industry regulations
Protection of the privacy of sensitive data: customer data, and employee data such as salary information
The customer is taking reference calls and visits
Case Study Bank in Ukraine
DB Vault for Flexcube
BUSINESS CHALLENGE
The banking customer is concerned about the risk of unauthorized access by privileged users to sensitive banking information.
The bank intends to bring its system into compliance with existing and newly emerging regulations as well as industry best practices.
The solution must provide flexible, transparent and highly adaptable security controls that require no application changes.
ORACLE SOLUTION
Customer bought Oracle Database Vault in January 2010 as a first step in its Security initiative
DB Vault provides powerful security controls for protecting banking applications and sensitive data.
Oracle Database Vault protects the core banking system Oracle Flexcube on the server with 12 CPUs.
The next step under consideration is Advanced Security and Audit Vault to bring the system to the highest security level.
RESULTS
Oracle Database Vault provides a transparent solution for mitigating the risk of insider threats and complying with regulations.
Oracle Database Vault restricts ad-hoc database changes and enforces controls over how, when and where the most sensitive application data can be accessed.
Proposed solution must be fully implemented in three months after the new core banking system is launched.
To adopt Oracle Database Vault technologies, the customer is working with Oracle's local partner.
Conclusions
Conclusions to Protect Data at the Source?
Logical bundle preventive
Advanced Security
DB Vault
Data Masking Pack
Extend to detective solutions
Audit Vault
DB Firewall
Vertical Industry Security E2E
Strategic Vertical Value
Public Sector: DB Security part of Public Sector Tenders to fit EU Data Privacy Regulations and avoid Security Threats. DB Vault, Audit Vault, Data Mask and Advanced Security for DB SaaS/Cloud and for encrypting backups and masking non-production testing data.
Financial Services and Retail: Vertical industry regulations such as PCI require DB Security in context of Credit Card payments. DB Vault, Audit Vault, Advanced Security, Data Masking & DB Firewall for defense-in-depth security for Oracle DB.
Utilities and other industries: Oracle end-to-end Security, DB Security, plus Identity and Access Management plus Applications Security.
Communications: DB Security fits Siebel CRM projects. DB Vault, Advanced Security and Data Mask to ensure that sensitive customer data can be only accessed by authorized staff.