This document outlines Oracle's product direction for data security at the source in public and private sectors. It discusses business drivers for security such as governance, risk management and compliance needs as well as security threats. It then describes Oracle's database security solutions like Transparent Data Encryption, Database Vault, and Audit Vault that secure data at rest, in motion and for testing. Case studies show how customers in various industries like banking, telecom, and public sectors have implemented Oracle's database security to protect sensitive data and comply with regulations. The document concludes that Oracle's database security solutions provide a preventive and detective approach to protect data at the source.
1. Security for Data at the Source in Public and Private Sector
3rd November 2010, Bucharest
Michael Bürger
Product Director EECIS, Security and Manageability
2. The following is intended to outline our general
product direction. It is intended for information
purposes only, and may not be incorporated into any
contract. It is not a commitment to deliver any
material, code, or functionality, and should not be
relied upon in making purchasing decisions.
The development, release, and timing of any
features or functionality described for Oracle’s
products remains at the sole discretion of Oracle.
3. Agenda
• Business Drivers
• DB Security in the Data Center
• New 11g Features and Certifications
• Customers in Vertical Industries
• Conclusions
5. End to End Oracle Security Solutions
Securing Data at the Source
• Application Security
• Identity and Access Management
• Database Security
• Infrastructure Security
6. Source: Gartner DataQuest, 2008; Forrester Database Security Market Report, 2009
#1 Database, Most Secure
“Most DBMS vendors offer basic
security features; Oracle’s offering is
most comprehensive.”
7. How is Data Compromised?
Source: Verizon 2010 Data Breach Investigations Report
8. Entry Points DB Security 11g
Business Drivers
• GRC Governance, Risk
Management, Compliance
• Security Threats
• Cost reduction
9. Oracle Database Security Business Drivers
Most relevant in EECIS, the minimum bundle on data level
Business drivers:
• Reduce & avoid Security Costs
• Compliance & Regulation
• Security Threats internal & external
Products:
• Audit Vault
• Label Security
• Configuration Management for Policies
• DB Vault, DBA Access Control
• Data Mask for Developers
• Advanced Security Option for Encryption
• Database Firewall
13. Securing data at rest
Application users protected by
Transparent Data Encryption 10g Column
Transparent Data Encryption 11g Tablespace
14. Securing data in motion
Application users protected by
Transparent Data Encryption 10g Network
Transparent Data Encryption 10g Tapes
DB Firewall Network Realtime SQL Analyzer
15. Securing data for testing
Developers protected by
Data Mask 10g
16. Preventing unauthorized modification
DBAs protected by
DB Vault 9i
17. Highly secured DB environment
„preventive and detective“
Security Officer protected by
Audit Vault 10g
19. Oracle Advanced Security
11g Table Space Encryption, e.g. for ODB based HR systems
Disk, Backups, Exports, Off-Site Facilities
• Any employee user with operating system access can sniff data and copy it
• 11g Table Space Encryption encrypts sensitive HR data at rest
• Data in motion traveling on the network is encrypted from 10g on
• Rapid implementation of 11g Table Space Encryption
• No identification of the fields required: just create an encrypted table space as part of the upgrade and use that table space for the HR system on ODB, rapid index queries
• This is totally transparent without application change
• Minimal preparation within the 11g upgrade and all the data is protected
• Less administration & performance impact compared to 10g column encryption
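The tablespace approach described on this slide, sketched as an added example (not taken from the presentation). The tablespace name, datafile and wallet paths, wallet password and the HR sample-schema objects are assumptions.

```sql
-- Added example: all names, paths and the password are placeholders.
-- Prerequisite in sqlnet.ora (wallet directory writable by the oracle OS user):
--   ENCRYPTION_WALLET_LOCATION =
--     (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = /u01/app/oracle/wallet)))

-- 1. Create the TDE master key; creates the wallet if the directory is empty.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "ChangeMe_WalletPassword";

-- 2. Create the encrypted tablespace. No column has to be identified:
--    every block written to its datafiles is encrypted.
CREATE TABLESPACE hr_secure
  DATAFILE '/u01/oradata/ORCL/hr_secure01.dbf' SIZE 500M AUTOEXTEND ON
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

-- 3. 11g cannot encrypt an existing tablespace in place, so relocate segments.
--    MOVE marks the table's indexes UNUSABLE; rebuild them in the new tablespace.
ALTER TABLE hr.employees MOVE TABLESPACE hr_secure;
ALTER INDEX hr.emp_emp_id_pk REBUILD TABLESPACE hr_secure;

-- 4. Verify that the tablespace is encrypted and with which algorithm.
SELECT tablespace_name, encrypted
  FROM dba_tablespaces
 WHERE tablespace_name = 'HR_SECURE';

SELECT t.name, e.encryptionalg
  FROM v$tablespace t
  JOIN v$encrypted_tablespaces e ON e.ts# = t.ts#;

-- 5. Coverage check: HR segments still stored outside the encrypted tablespace.
SELECT segment_name, segment_type, tablespace_name
  FROM dba_segments
 WHERE owner = 'HR'
   AND tablespace_name <> 'HR_SECURE';

-- 6. After an instance restart the wallet must be opened before the data is readable.
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "ChangeMe_WalletPassword";

-- Caveat: moving a segment does not scrub its old blocks. Cleartext copies can
-- remain in the original datafiles and in backups taken before the move.
```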
20. Oracle Database Vault
Privileged User Access Control on Data level and Multifactor Authorization
Diagram labels: Procurement, HR, Finance; Application; DBA: select * from finance.customers
• Power users can access sensitive data (HR, Credit Cards) and publish it
• SoD, prevents unauthorized new account creation or password change
  (1) Application owners to create new accounts
  (2) DB Vault protects DBAs, they can manage the data, but can't modify
  (3) Security officers to grant access rights according to written policies
• Certified Realms to protect all tables in EBS, SAP or ISV HR Systems
• Brings Security Policies in production according to CIA application ratings*
* CIA principles: Confidentiality, Integrity and Availability, who can delete, copy or change what?
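A realm for the FINANCE schema named in the slide's query, as an added example (not taken from the presentation). The realm name and the FINANCE_APP application account are assumptions; the statements are run by the Database Vault owner (an account holding DV_OWNER), not by a DBA.

```sql
-- Added example: realm name and FINANCE_APP are hypothetical.
BEGIN
  -- Create the realm, enabled, auditing every failed access attempt.
  DVSYS.DBMS_MACADM.CREATE_REALM(
    realm_name    => 'Finance Data Realm',
    description   => 'Protects all objects in the FINANCE schema',
    enabled       => DVSYS.DBMS_MACUTL.G_YES,
    audit_options => DVSYS.DBMS_MACUTL.G_REALM_AUDIT_FAIL);

  -- Put every object of every type owned by FINANCE inside the realm.
  DVSYS.DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'Finance Data Realm',
    object_owner => 'FINANCE',
    object_name  => '%',
    object_type  => '%');

  -- Authorize only the application account as a realm participant.
  DVSYS.DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name   => 'Finance Data Realm',
    grantee      => 'FINANCE_APP',
    auth_options => DVSYS.DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);
END;
/

-- Review what the realm covers and who is authorized in it.
SELECT realm_name, owner, object_name, object_type
  FROM dvsys.dba_dv_realm_object
 WHERE realm_name = 'Finance Data Realm';

SELECT realm_name, grantee, auth_options
  FROM dvsys.dba_dv_realm_auth
 WHERE realm_name = 'Finance Data Realm';

-- A DBA who reaches the table only through SELECT ANY TABLE and has no realm
-- authorization is now refused on the slide's query:
--   select * from finance.customers

-- A realm restricts access obtained through system (ANY) privileges. Direct
-- object grants still apply, so review them as part of the rollout.
SELECT grantee, privilege, table_name
  FROM dba_tab_privs
 WHERE owner = 'FINANCE'
 ORDER BY grantee, table_name;
```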
21. Oracle Database Firewall
First Line of Defense
• Monitor db activity to prevent unauthorized db access, SQL injections, privilege or
role escalation, illegal access to sensitive data, etc, according to Security Policies
• SQL grammar analysis for Firewall activities (allow, log, alert, substitute, block)
• Scalable architecture provides enterprise performance in all deployment modes
• Built-in and custom compliance reports for SOX, PCI, and other regulations
• Whitelists or blacklists consider time of day, day of week, network, application, etc
Diagram labels: Policies, Built-in Reports, Alerts, Custom Reports; Applications; Allow, Log, Alert, Substitute, Block
22. Fastest high volume DB Security Machine
Brings Security Policies in Production with Exadata
Zero impact 11g R2 TableSpace Encryption
Secure high volume Network Traffic Encryption
Fastest real time SQL analyzer hacker resistant
Compliant data center consolidation
Sensitive Data Warehouse access control
24. Oracle DB Security cross-industry EECIS
• Banking
• Telecommunications
• Public Sector
• Retail, Utilities, other
• Insurance
• CIPS
25. Case Study – Public Sector Romania
DB Vault, Advanced Security
BUSINESS CHALLENGE
• Nation-wide project with confidential data
• The business drivers are regulations and preventive concepts
• DB Security part of a larger project
• Customer expects to ensure the confidentiality of stored data, in transfer and storage, while preventing unauthorized access from privileged accounts.
ORACLE SOLUTION
• Customer in Public Sector bought DB Vault and Advanced Security in Nov 2009
• Products are used on all servers
• Customer also uses Oracle IdM Access Manager for web access control
• Oracle gained a strong vendor position at customer with significant footprint for Enterprise Security
RESULTS
• From the business point of view, the use of Advanced Security and DB Vault facilitates the reduction of risks like information theft or leaks, fraudulent alterations of data, and bad publicity
• From the technical point of view, the solution will have to protect all private data used by key applications
• Implementation will be done by Oracle Partner, with 1 year left for finishing the project
• Customer does not take reference calls or visits
26. Case Study – Telecom in Central Europe
DB Vault, Advanced Security
BUSINESS CHALLENGE
• Drivers:
  • Big gap between IT and Business
  • Bring Business processes to IT and develop relevant IT services
  • Project start in 2007: Service Order management - Tower
  • Merger of 2 Telecom companies
  • Integrated Order Management (IOM) based on SIEBEL
  • IT recognized that SIEBEL is not enough… (much logic needs to be implemented at the level of integration, processes, custom apps)
  • Data security is crucial; security violations as a business driver to invest in Security solutions.
  • Customer Data Security & Compliance requirements (ISO27001 Compliance regulation relevant for Telco)
• Partner: Accenture
ORACLE SOLUTION
• Oracle technology on site: DB, IAS, SOA Suite 10 (first major adoption of SOA in this country)
• FMW stack + DB EE, Partitioning, RAC, Advanced Security, DB Vault, Diag, Tun, Config packs in Dec 2009.
• Managed systems: IOM based on SIEBEL
• Oracle is trusted technology vendor (Presales) and advisor of Eastern European ICCC Competence Center Bratislava
• Sales process:
  • Long-term relationships with Enterprise Architect, DB admin, Development unit managers and senior developers, etc.
  • Good cooperation between partner and Oracle ASR
RESULTS
• Pilot release of implementation in progress
• DB Vault and ASO Encryption to protect and encrypt the sensitive customer data that Siebel CRM is running on
• The success of the implementation is the only criterion which may lead to the next phase of the project
• Delivery of project by Oracle partner Accenture
• Customer is not taking reference calls or visits
27. Case Study – Bankart Financial Services
DB Vault, Audit Vault
BUSINESS CHALLENGE
• Bankart is the largest Credit Card processing company in Slovenia
• PCI Compliance was business demand
• CIO started internal project to reach PCI compliance in one year
• Avoiding costs and simplifying the audit reporting
ORACLE SOLUTION
• Customer bought Audit and Database Vault in May 2009
• All Production and Test systems are managed by DB Sec component, together with MS SQL server as one Audit source
• Platform is HP-UX, Oracle 10gR2, MS SQL 2005
• Other DB Sec products (Advanced Security - TDE, Conf. Mgm. Packs) are still under evaluation
RESULTS
• Reaching PCI compliance is expected from business point of view
• Technically, Bankart decided on an Oracle-centric PCI approach
• Project has started in June 2009, first phase (change of an application, use of DB Vault and set-up of Audit Vault) until 2010
• Internal IT together with local security partner OSI
• Customer has published a snapshot story and is available for reference calls and visits
28. Case Study – Bank in Munich Germany
Advanced Security and DB Vault for SAP HR
BUSINESS CHALLENGE
• The customer wanted to protect SAP HR data against unauthorized access
• The customer wanted to comply with internal security policies
• It was an HR project, so the HR department was the sponsor
• There was a re-organization SAP project and data privacy was an important part of this project.
• Only authorized HR employees should have access to HR data. Privileged users like DBAs, network administrators, system administrators shouldn't be able to access the HR data
ORACLE SOLUTION
• The customer purchased Oracle Advanced Security and Oracle Database Vault to prevent unauthorized access to sensitive HR data in August 2009
• It is one of the first “DB Vault for SAP” implementations worldwide
• 10 CPUs SUN Solaris system is now protected with Oracle Advanced Security and Oracle Database Vault, both products are certified for SAP/R3
RESULTS
• Customer is compliant with internal security policies (regulations)
• Only authorized HR employees have data access to HR data. Privileged users like DBAs, network administrators, system administrators aren't able to access the HR data
• Oracle Partner was involved as consulting firm and system integrator, the solution is implemented and works with SAP
• The customer is not taking reference calls
29. Case Study – ApoBank Germany
DB Vault and ASO for ODB based ISV HR
BUSINESS CHALLENGE
• Business drivers
  • to centralize highly sensitive HR data on fewer servers for cost savings and more efficiency in HR processes
  • to protect this type of sensitive HR data containing salary info, but transparent to the HR application
• No segregation of duties before, DB administration and HR had the same rights to copy, change or delete data
• Target to strictly split access rights, only HR can see the data
ORACLE SOLUTION
• Customer has 2,000 employees across Germany
• DB Vault and Advanced Security Option purchased in 2008
• Partner MT AG involved in implementation
• Oracle Encryption works transparently to the application, meaning without any change to the HR system running on Oracle Database
RESULTS
• DB Vault supports segregation of duties and enables logging of all changes in the data schema; DBAs can manage but can't see data
• ASO (Advanced Security Option) includes encryption; ASO encrypts data
  • on disk
  • including backups
  • and in motion, for data traveling on the network, safe against insider threats: nobody can modify or copy sensitive HR data
• Cost savings achieved based on server consolidation for centralized HR data and secure HR process optimization
• The customer is taking reference calls and visits
30. Case Study – CMC Markets Financial Services UK
DB Vault and ASO for E-Business Suite HR
BUSINESS CHALLENGE
• The customer is focused on providing access to online trading markets across the globe
• The key business driver is to ensure the customer's reputation by keeping customer and salary data confidential versus insider threats
• To comply with vertical industry specific regulations in financial services.
• Simplify the audit process by providing a secure audit infrastructure
ORACLE SOLUTION
• Oracle DB Vault, Advanced Security Option and Audit Vault purchased in 2008
• This is the first EBS customer in Europe with DB Security
• DB Security in production with
  • RAC Real Application Cluster
  • EBS E-Business Suite incl. HR data
  • Oracle Database 10g
RESULTS
• Segregation of Duties has been achieved according to Security policies and vertical industry regulations
• Protecting the privacy of sensitive data
  • Customer data
  • Employee data such as salary information
• The customer is taking reference calls and visits
31. Case Study – Bank in Ukraine
DB Vault for Flexcube
BUSINESS CHALLENGE
• The banking customer is concerned about the risk of unauthorized access by privileged users to sensitive banking information.
• The bank intends to bring its system into compliance with existing and newly emerging regulations as well as industry best practices.
• The solution must provide flexible, transparent and highly adaptable security controls that require no application changes.
ORACLE SOLUTION
• Customer bought Oracle Database Vault in January 2010 as a first step in its Security initiative
• DB Vault provides powerful security controls for protecting banking applications and sensitive data.
• Oracle Database Vault protects the core banking system Oracle Flexcube on the server with 12 CPUs.
• The next steps under consideration are Advanced Security and Audit Vault to bring the system to the highest security level.
RESULTS
• Oracle Database Vault provides a transparent solution for mitigating the risk of insider threats and complying with regulations.
• Oracle Database Vault restricts ad-hoc database changes and enforces controls over how, when and where the most sensitive application data can be accessed.
• Proposed solution must be fully implemented in three months after the new core banking system is launched.
• To adopt Oracle Database Vault technologies, the customer is working with Oracle’s local partner.
33. Conclusions to Protect Data at the Source?
• Logical bundle „preventive“
• Advanced Security
• DB Vault
• Data Masking Pack
• Extend to „detective“ solutions
• Audit Vault
• DB Firewall
34. Vertical Industry Security E2E
Strategic Vertical Value
• Public Sector: DB Security part of Public Sector Tenders to fit EU Data Privacy Regulations and avoid Security Threats. DB Vault, Audit Vault, Data Mask and Advanced Security for DB SaaS/Cloud and for encrypting backups and masking non-production testing data.
• Financial Services and Retail: Vertical industry regulations such as PCI require DB Security in context of Credit Card payments. DB Vault, Audit Vault, Advanced Security, Data Masking & DB Firewall for defense-in-depth security for Oracle DB.
• Utilities and other industries: Oracle end-to-end Security, DB Security, plus Identity and Access Management plus Applications Security.
• Communications: DB Security fits Siebel CRM projects. DB Vault, Advanced Security and Data Mask to ensure that sensitive customer data can be only accessed by authorized staff.