5-2010-11-03bucharestoracletechdaysecurity-101104082226-phpapp01


  • 8/2/2019 5-2010-11-03bucharestoracletechdaysecurity-101104082226-phpapp01

    1/35

    Security for Data at the Source in Public and Private Sector

    3rd November 2010, Bucharest

    Michael Bürger

    Product Director EECIS, Security and Manageability


    The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.


    Business Drivers for Security


    End to End Oracle Security Solutions

    Securing Data at the Source

    Application Security

    Identity and Access Management

    Database Security

    Infrastructure Security


    Source: Gartner DataQuest, 2008; Forrester Database Security Market Report, 2009

    #1 Database, Most Secure

    Most DBMS vendors offer basic security features; Oracle's offering is the most comprehensive.


    How is Data Compromised?

    Source: Verizon 2010 Data Breach Investigations Report


    Oracle Database Security Business Drivers

    Most relevant in EECIS: the minimum bundle on data level

    Drivers: Security Threats, internal & external; Compliance & Regulation; Reduce & avoid Security Costs

    Products: Audit Vault; Label Security; Configuration Management for Policies; DB Vault (DBA Access Control); Data Mask for Developers; Advanced Security Option for Encryption; Database Firewall


    DB Security in the Data Center



    DB environment: Application users, DBAs, Developers, Security Officer


    Securing data at rest

    Application users protected by Transparent Data Encryption 10g Column and Transparent Data Encryption 11g Tablespace


    Securing data in motion

    Application users protected by Transparent Data Encryption 10g Column and Transparent Data Encryption 11g Tablespace

    Application users protected by Transparent Data Encryption 10g Network, Transparent Data Encryption 10g Tapes and DB Firewall Network Realtime SQL Analyzer


    Application users protected by Transparent Data Encryption 10g Column and Transparent Data Encryption 11g Tablespace

    Application users protected by Transparent Data Encryption 10g Network, Transparent Data Encryption 10g Tapes and DB Firewall Network Realtime SQL Analyzer

    Developers protected by Data Mask 10g

    Preventing unauthorized modification

    DBAs protected by DB Vault 9i


    Application users protected by Transparent Data Encryption 10g Column and Transparent Data Encryption 11g Tablespace

    Application users protected by Transparent Data Encryption 10g Network, Transparent Data Encryption 10g Tapes and DB Firewall Network Realtime SQL Analyzer

    Developers protected by Data Mask 10g

    DBAs protected by DB Vault 9i

    Highly secured DB environment: preventive and detective

    Security Officer protected by Audit Vault 10g


    New 11g Features and Certifications


    Oracle Advanced Security

    11g Table Space Encryption, e.g. for ODB based HR systems

    Disk

    Backups

    Exports

    Off-Site Facilities

    Any employee user with operating system access can sniff data and copy it

    11g Table Space Encryption for sensitive HR data: at rest encryption

    Data in motion traveling on the network is encrypted from 10g on

    Rapid implementation of 11g Table Space Encryption

    No identification of the fields required: just create an encrypted table space as part of the upgrade and use that table space for the HR system on ODB; rapid index queries

    This is totally transparent, without application change

    Minimal preparation within the 11g upgrade and all the data is protected

    Less administration and performance impact compared to 10g column encryption
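    The "create an encrypted table space as part of the upgrade" step above, as an added SQL example (not from the slides; tablespace, datafile path, schema and index names are assumed, and the wallet password is a placeholder):

```sql
-- Run as SYSDBA on an 11g database whose sqlnet.ora already points
-- ENCRYPTION_WALLET_LOCATION at a wallet directory.

-- 1. Create the TDE master key; on 11g this also opens the wallet.
--    After each restart the wallet must be reopened (or made auto-login):
--    ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "<wallet password>";
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "WALLET_PASSWORD_PLACEHOLDER";

-- 2. One encrypted tablespace for the whole HR system. No column has to be
--    identified: every block written here (and every backup of the datafile)
--    is ciphertext; indexes work unchanged because decryption happens in the
--    buffer cache.
CREATE TABLESPACE hr_enc
  DATAFILE '/u01/oradata/ORCL/hr_enc01.dbf' SIZE 500M AUTOEXTEND ON
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

-- 3. The upgrade step: move the existing HR objects into it and make it the
--    default for anything the application creates later (assumed object names).
ALTER TABLE hr.employees MOVE TABLESPACE hr_enc;
ALTER INDEX hr.emp_emp_id_pk REBUILD TABLESPACE hr_enc;   -- MOVE invalidates indexes
ALTER USER hr DEFAULT TABLESPACE hr_enc;

-- 4. Verify: tablespace flagged as encrypted, algorithm recorded, wallet OPEN.
SELECT tablespace_name, encrypted
  FROM dba_tablespaces
 WHERE tablespace_name = 'HR_ENC';

SELECT t.name, e.encryptionalg, e.encryptedts
  FROM v$encrypted_tablespaces e
  JOIN v$tablespace t ON t.ts# = e.ts#;

SELECT wrl_type, wrl_parameter, status FROM v$encryption_wallet;

-- 5. Caveat for the "data at rest" claim: the old tablespace's datafiles still
--    hold the cleartext blocks until that tablespace is dropped and its storage
--    (and old backups) are retired, and the wallet must never be backed up
--    alongside the datafiles it protects.
```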


    Oracle Database Vault

    Privileged User Access Control on Data level and Multifactor Authorization

    Procurement

    HR

    Finance

    Application

    select * from finance.customers

    DBA

    Power users can access sensitive data (HR, Credit Cards) and publish it

    SoD prevents unauthorized new account creation or password change:

    (1) Application owners create new accounts

    (2) DB Vault protects against DBAs: they can manage the data, but can't modify it

    (3) Security officers grant access rights according to written policies

    Certified Realms to protect all tables in EBS, SAP or ISV HR Systems

    Brings Security Policies into production according to CIA application ratings*

    CIA principles: Confidentiality, Integrity and Availability, who can delete, copy or change what?
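    The realm and multifactor authorization described on this slide, as an added PL/SQL example using the documented DBMS_MACADM API (not the slides' own code; the FINANCE schema, the FIN_APP account, the IP range and the business hours are assumed):

```sql
-- Run as the Database Vault owner (DV_OWNER role), not as SYS or a DBA.

-- 1. A realm around the whole FINANCE schema. Once enabled, system privileges
--    such as SELECT ANY TABLE no longer reach the objects inside it.
BEGIN
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'Finance Data Realm',
    description   => 'Protects all FINANCE objects from privileged users',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);   -- audit every blocked attempt
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'Finance Data Realm',
    object_owner => 'FINANCE',
    object_name  => '%',
    object_type  => '%');
END;
/

-- 2. Multifactor authorization: the application account may use the realm only
--    from the application tier's network AND during business hours (assumed values).
BEGIN
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'From app tier',
    rule_expr => 'SYS_CONTEXT(''USERENV'',''IP_ADDRESS'') LIKE ''10.1.5.%''');
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Business hours',
    rule_expr => 'TO_CHAR(SYSDATE,''HH24'') BETWEEN ''07'' AND ''19''');
  DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'Finance app access',
    description     => 'All factors must be satisfied',
    enabled         => DBMS_MACUTL.G_YES,
    eval_options    => DBMS_MACUTL.G_RULESET_EVAL_ALL,      -- AND of all rules
    audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
    fail_options    => DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => 'Finance data only from the application tier in business hours',
    fail_code       => 20001,
    handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);
  DBMS_MACADM.ADD_RULE_TO_RULE_SET(rule_set_name => 'Finance app access', rule_name => 'From app tier');
  DBMS_MACADM.ADD_RULE_TO_RULE_SET(rule_set_name => 'Finance app access', rule_name => 'Business hours');
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'Finance Data Realm',
    grantee       => 'FIN_APP',
    rule_set_name => 'Finance app access',
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);
END;
/

-- 3. Check the configuration.
SELECT name, enabled FROM dba_dv_realm WHERE name = 'Finance Data Realm';
SELECT grantee, rule_set_name FROM dba_dv_realm_auth WHERE realm_name = 'Finance Data Realm';

-- Effect: a DBA holding SELECT ANY TABLE who runs the slide's
--   select * from finance.customers
-- now gets ORA-01031: insufficient privileges, and the attempt is recorded in
-- the Database Vault audit trail (DVSYS.AUDIT_TRAIL$ on 11g), while backup,
-- storage and performance administration of the schema keep working.
```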


    Oracle Database Firewall

    First Line of Defense

    Monitor DB activity to prevent unauthorized DB access, SQL injections, privilege or role escalation, illegal access to sensitive data, etc., according to Security Policies

    SQL grammar analysis for Firewall activities (allow, log, alert, substitute, block)

    Scalable architecture provides enterprise performance in all deployment modes

    Built-in and custom compliance reports for SOX, PCI, and other regulations

    Whitelists or blacklists consider time of day, day of week, network, application, etc.

    (Diagram: Applications pass through the Database Firewall, which applies Policies and produces Alerts, Built-in Reports and Custom Reports; actions per statement: Block, Log, Allow, Alert, Substitute)


    Customers in Vertical Industries


    Oracle DB Security cross-industry EECIS

    Banking; Telecommunications; Insurances; Public Sector; Retail, Utilities, other


    Case Study Public Sector Romania

    DB Vault, Advanced Security

    From the business point of view, the use of Advanced Security and DB Vault facilitates the reduction of risks like information theft or leaks, fraudulent alterations of data, and bad publicity

    From the technical point of view, the solution will have to protect all private data used by key applications

    Implementation will be done by an Oracle Partner, with 1 year left for finishing the project

    Customer does not take reference calls or visits

    BUSINESS CHALLENGE

    Nation-wide project with confidential data

    The business drivers are regulations and preventive concepts

    DB Security part of a larger project

    Customer expects to ensure the confidentiality of stored data, in transfer and storage, while preventing unauthorized access from privileged accounts.

    RESULTS

    ORACLE SOLUTION

    Customer in Public Sector bought DB Vault and Advanced Security in Nov 2009

    Products are used on all servers

    Customer also uses Oracle IdM Access Manager for web access control

    Oracle gained a strong vendor position at the customer with a significant footprint for Enterprise Security


    Case Study Telecom in Central Europe

    DB Vault, Advanced Security

    Pilot release of implementation in progress

    DB Vault and ASO Encryption to protect and encrypt the sensitive customer data that Siebel CRM runs on

    Success in implementation is the only criterion which may lead to the next phase of the project

    Delivery of project by Oracle partner Accenture

    Customer is not taking reference calls or visits

    BUSINESS CHALLENGE

    Drivers: big gap between IT and Business

    Bring business processes to IT and develop relevant IT services

    Project start in 2007: Service Order Management - Tower

    Merger of 2 Telecom companies

    Integrated Order Management (IOM) based on SIEBEL

    IT recognized that SIEBEL is not enough (much logic needs to be implemented at the level of integration, processes and custom apps)

    Data security is crucial; security violations are a business driver to invest in security solutions.

    Customer data security & compliance requirements (ISO 27001 compliance regulation relevant for Telco)

    Partner: Accenture

    RESULTS

    ORACLE SOLUTION

    Oracle technology on site: DB, IAS, SOA Suite 10 (first major adoption of SOA in this country)

    FMW stack + DB EE, Partitioning, RAC, Advanced Security, DB Vault, Diag, Tun, Config packs in Dec 2009.

    Managed systems: IOM based on SIEBEL

    Oracle is trusted technology vendor (Presales) and advisor of the Eastern European ICCC Competence Center Bratislava

    Sales process:

    Long-term relationships with Enterprise Architect, DB admin, development unit managers and senior developers, etc.

    Good cooperation between partner and Oracle ASR


    Case Study Bankart Financial Services

    DB Vault, Audit Vault

    Reaching PCI compliance is expected from the business point of view

    Technically, Bankart decided for an Oracle-centric PCI approach

    Project started in June 2009; first phase (change of an application, use of DB Vault and set-up of Audit Vault) until 2010

    Internal IT together with local security partner OSI

    Customer has published a snapshot story and is available for reference calls and visits

    BUSINESS CHALLENGE

    Bankart is the largest Credit Card processing company in Slovenia

    PCI Compliance was a business demand

    CIO started an internal project to reach PCI compliance in one year

    Avoiding costs and simplifying the audit reporting

    RESULTS

    ORACLE SOLUTION

    Customer bought Audit and Database Vault in May 2009

    All Production and Test systems are managed by the DB Sec component, together with MS SQL Server as one Audit source

    Platform is HP-UX, Oracle 10gR2, MS SQL 2005

    Other DB Sec products (Advanced Security - TDE, Conf. Mgm. Packs) are still under evaluation


    Case Study Bank in Munich, Germany

    Advanced Security and DB Vault for SAP HR

    Customer is compliant with internal security policies (regulations)

    Only authorized HR employees have access to HR data. Privileged users like DBAs, network administrators and system administrators aren't able to access the HR data

    An Oracle Partner was involved as consulting firm and system integrator; the solution is implemented and works with SAP

    The customer is not taking reference calls

    BUSINESS CHALLENGE

    The customer wanted to protect SAP HR data against unauthorized access

    The customer wanted to comply with internal security policies

    It was an HR project, so the HR department was the sponsor

    There was a re-organization SAP project and data privacy was an important part of this project.

    Only authorized HR employees should have access to HR data. Privileged users like DBAs, network administrators and system administrators shouldn't be able to access the HR data

    RESULTS

    ORACLE SOLUTION

    The customer purchased Oracle Advanced Security and Oracle Database Vault to prevent unauthorized access to sensitive HR data in August 2009

    It is one of the first DB Vault for SAP implementations worldwide

    A 10 CPU SUN Solaris system is now protected with Oracle Advanced Security and Oracle Database Vault; both products are certified for SAP/R3


    Case Study ApoBank Germany

    DB Vault and ASO for ODB based ISV HR

    DB Vault supports segregation of duty and logs all changes to the data schema; DBAs can manage but can't see data

    ASO (Advanced Security Option) includes encryption: ASO encrypts data on disk, incl. backups, and in motion for data traveling on the network, safe against insider threats; nobody can modify or copy sensitive HR data

    Cost savings achieved based on server consolidation for centralized HR data and secure HR process optimization

    The customer is taking reference calls and visits

    BUSINESS CHALLENGE

    Business drivers:

    to centralize highly sensitive HR data on fewer servers for cost savings and more efficiency in HR processes

    to protect this type of sensitive HR data containing salary info, but transparently to the HR application

    No segregation of duties before: DB administration and HR had the same rights to copy, change or delete data

    Target: strictly split access rights, only HR can see the data

    RESULTS

    ORACLE SOLUTION

    Customer has 2,000 employees across Germany

    DB Vault and Advanced Security Option purchased in 2008

    Partner MT AG involved in implementation

    Oracle Encryption works application-transparently, meaning without any change to the HR system running on Oracle Database


    Case Study CMC Markets Financial Services UK

    DB Vault and ASO for E-Business Suite HR

    Segregation of Duties has been achieved according to Security policies and vertical industry regulations

    Protecting the privacy of sensitive data: customer data and employee data such as salary information

    The customer is taking reference calls and visits

    BUSINESS CHALLENGE

    The customer is focused on providing access to online trading markets across the globe

    The key business driver is to ensure the customer's reputation by keeping customer and salary data confidential versus insider threats

    To comply with vertical industry specific regulations in financial services.

    Simplify the audit process by providing a secure audit infrastructure

    RESULTS

    ORACLE SOLUTION

    Oracle DB Vault, Advanced Security Option and Audit Vault purchased in 2008

    This is the first EBS customer in Europe with DB Security

    DB Security in production with RAC (Real Application Cluster), EBS (E-Business Suite) incl. HR data, and Oracle Database 10g


    Case Study Bank in Ukraine

    DB Vault for Flexcube

    Oracle Database Vault provides a transparent solution for mitigating the risk of insider threats and complying with regulations.

    Oracle Database Vault restricts ad-hoc database changes and enforces controls over how, when and where the most sensitive application data can be accessed.

    The proposed solution must be fully implemented within three months after the new core banking system is launched.

    To adopt Oracle Database Vault technologies, the customer is working with Oracle's local partner.

    BUSINESS CHALLENGE

    The banking customer is concerned about the risk of unauthorized access by privileged users to sensitive banking information.

    The bank intends to bring its system into compliance with existing and newly emerging regulations as well as industry best practices.

    The solution must provide flexible, transparent and highly adaptable security controls that require no application changes.

    RESULTS

    ORACLE SOLUTION

    Customer bought Oracle Database Vault in January 2010 as a first step in its Security initiative

    DB Vault provides powerful security controls for protecting banking applications and sensitive data. Oracle Database Vault protects the core banking system Oracle Flexcube on a server with 12 CPUs.

    The next steps under consideration are Advanced Security and Audit Vault, to bring the system to the highest security level.


    Conclusions


    Conclusions to Protect Data at the Source?

    Logical bundle, preventive: Advanced Security, DB Vault, Data Masking Pack

    Extend to detective solutions: Audit Vault, DB Firewall


    Vertical Industry Security E2E


    Public Sector: DB Security part of Public Sector tenders to fit EU Data Privacy Regulations and avoid security threats. DB Vault, Audit Vault, Data Mask and Advanced Security for DB SaaS/Cloud and for encrypting backups and masking non-production testing data.

    Financial Services and Retail: Vertical industry regulations such as PCI require DB Security in the context of Credit Card payments. DB Vault, Audit Vault, Advanced Security, Data Masking & DB Firewall for defense-in-depth security for Oracle DB.

    Utilities and other industries: Oracle end-to-end Security: DB Security, plus Identity and Access Management, plus Applications Security.

    Communications: DB Security fits Siebel CRM projects. DB Vault, Advanced Security and Data Mask to ensure that sensitive customer data can only be accessed by authorized staff.
