SlideShare a Scribd company logo

Best Practices for implementing Database Security Comprehensive Database Security

K
Kal BO

The document discusses best practices for implementing comprehensive database security, emphasizing the increasing risks of data breaches and the importance of regulatory compliance. It outlines several customer use cases demonstrating solutions such as Oracle Database Security Assessment, Transparent Data Encryption, and data masking strategies to prevent, detect, and mitigate security threats. Additionally, it highlights the need for a proactive and layered security strategy to safeguard sensitive information against a variety of threat actors and attack vectors.

1 of 27
Downloaded 35 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Best Practices for implementing Database Security Comprehensive Database Security Saikat Saha Product Director Database Security, Oracle October 02, 2017
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Safe Harbor Statement The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle. 2
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Privacy & Security Regulations Increasing World-Wide EU GDPR PCI NZPA APP APPI Ch GDPL HK PDPO Si PDPA Th OIA Ru DPA IT Act SAECTA MDPA APDPL CLPPL Art. 5 CDPL MPDPL FOIPPAPIPEDA NY DFS 500 48 State Data Privacy laws Patriot Act CIPHIPAA GLBA
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | 98M Target DEC ‘13 1B Yahoo Dec ’16 400M Friend Finder Dec ‘16 150M eBay May ‘14 200M Experian Mar ’14 US Voters 191M, Dec 15 150M Adobe Oct ‘13 56M Home Depot Sep ‘14 76M JPMC Oct ‘14 80M Anthem Feb ‘15 2M Vodafone Oct ‘13 42M Cupid Media Jan ’13 TBs IP Sony Nov ’14 2M Orange Feb/Apr ‘14 20M Credit Bureau 12M Telecom S. Korea Jan ‘14 22M Benesse Education Jul ‘14 Japan Espionage Kaspersky Jun ‘15 400GB IP Theft Hacking Team Jul ‘15 Carphone Warehouse Aug ’15 2.4M 4M Talk Talk Oct 15 50M Turkish Govt Apr ‘16 5M VTech Nov ‘15 30M BSNL Telco Journal Jul ‘15 Kmart Oct ‘15 11M Premera Blue Cross Mar ‘15 93M Mexico Voter Apr ‘16 154M US Voter Jun ‘16 32M Ashley Madison Jul ’15 US OPM, 22M Jun ’15 15M T-Mobile Oct ’15 4.6M Scottrade Oct ’15 55M Philippines Voter list Apr ‘16 4 Data Breaches are Exploding World-Wide 3.2M Debit cards Oct ‘16 Sabre Mar ‘16 CIA Apr ‘17 77M Edmodo May ‘17 143M Equifax July ‘17
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Data is Today’s Capital • Data breaches are exploding world-wide – Databases continue to be the prime target • Fast Evolving, Stringent Regulatory Landscape – Across industries and regions – Laws that aim to protect data and citizen privacy • Data Security Strategy – Protect against multiple threat actors and multiple vectors – With built-in, comprehensive security controls – For on-premise and cloud databases 5 But in the Wrong Hands, Data Becomes the New Liability
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | XSS / Malware Changing Threat Landscape 6 Databases remain the Target Threat Actors Hackers OS Admin DBA Test & Dev End-Users Support SQL Injection Stolen Credentials Ransomware Physical Theft Privilege Escalation Network Sniffing Threat Vectors Middleware Applications Databases Operating System Network Storage Backup Threat Targets
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | 7 Evaluate Prevent Detect Data Driven Security Comprehensive Database Security Controls
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Evaluate Security Risks
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | 9 Situation: Hundreds of databases distributed around the globe, scattered across dozens of acquired companies; no unified configuration standard Solution: Oracle Database Security Assessment (DBSAT) Result: Significant misconfigurations identified, leading to a single configuration standard being applied everywhere Benefit: Reduced risk of breach and easier security audits against a well-defined standard Global Oil Field Services Provider Situation: Thousands of Oracle Databases managed by silos of administrators; no comprehensive picture of databases’ security posture Solution: Continuous compliance monitoring with Oracle Enterprise Manager Database Lifecycle Management Pack Result: Near-real time alerts when any database configuration drift introduces security risk Benefit: Reduced audit costs, improved security Very Large Semiconductor Manufacturer Situation: Migrating SAP installation to a new infrastructure; desire to harden deployment at the same time Solution: Oracle Database Security Assessment (DBSAT) Result: Discovered many security issues including use of default SAP application account configured for password-less login Benefit: Potential production vulnerability avoided Global Auto Manufacturer Situation: Dozens of production databases with no model of where sensitive data resides making it difficult to apply suitable security policies and controls Solution: Sensitive Data Discovery with Oracle DB Security Result: 400+ columns of SSN & other sensitive data identified Benefit: Ability to apply appropriate security controls on data US Insurance Provider Evaluative Controls – Customer Use Cases
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Prevent Data Compromise
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Reducing the Risk from Malicious Users Oracle Database Vault 11 Separation of Duty Over Privileged Account Least Privilege Protect Sensitive Data Minimize impact to • Applications • Performance • High Availability • Operations Prevent Database Change
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Disks Exports Backups Transparent Data Encryption Encrypted Storage d$f8#;!90Wz@Yg#3 Redacted Applications Data Redaction Oracle Advanced Security 12
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Oracle Advanced Security Transparent Data Encryption (TDE) 13 Disks Exports Off-Site Facilities • Encrypts columns or entire tablespaces • Protects the database files on disk and on backups • High-speed performance • Transparent to applications, no changes required • Integrated with Oracle DB technologies Applications Encrypted Data Backups Clear Data d$f8#; !90Wz Yg#3R qR+% @Ue#3 R+%K# *HH$7 #9Vlka
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | TDE Integration with Oracle Database 14 Database Technologies Example Points of Integration TDE Support High-Availability Clusters Oracle Real Application Clusters (RAC), Data Guard, Active Data Guard Backup and Restore Oracle Recovery Manager (RMAN), Oracle Secure Backup Export and Import Oracle Data Pump Export and Import Database Replication Oracle Golden Gate Pluggable Databases Oracle Multitenant Option Engineered Systems Oracle Exadata Smart Scans Storage Management Oracle Automatic Storage Management (ASM) Data Compression Oracle Standard, Advanced , and Hybrid Columnar Compression
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Oracle Key Vault – Centralized Key Management 15 Oracle Wallet Upload & Download Oracle Database Online Master Key ASM Storage Nodes ASM Cluster File Systems (Encrypted) Online Master Key Credential File Upload & Download Java Keystore Upload & Download MySQL Keys Solaris Crypto Keys
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | 16 Situation: Fourteen independent operating units consolidating different Oracle eBusiness Suite (EBS) instances; requirement to support migration and test Solution: Data Masking with eBusiness Suite templates Result: Substantial reduction in risk (and risk-mitigation costs) by removing sensitive data from non-production systems Benefit: Initial consolidation of three business units was accomplished in the first year Consumer Goods Manufacturer Situation: Hortonworks Hadoop with sensitive/classified information Solution: BigData SQL, Oracle Data Redaction and Virtual Private Database (VPD) across Oracle DB and Hadoop Result: Ability to restrict user access to sensitive data in data lake Benefit: Data from a single big data repository can be shared among agencies while maintaining adherence to data classification policies European Government Ministry Situation: Board of Directors mandate to encrypt databases for critical applications by end of 2017 Solution: Transparent Data Encryption with Oracle Key Vault Result: Encrypted 50 databases containing sensitive customer data Benefit: Information protection throughout data lifecycle at scale with automated key management Diversified Telecommunications Company Situation: 1,000s of databases; recent breach led to evaluation of security practices, and how they could be improved Solution: Transparent Data Encryption and Oracle Database Vault Result: Most databases encrypted within the first year. Database Vault security realms protect data from privileged accounts Benefit: Confidentiality of data throughout the data lifecycle and protection from data loss from stolen privileged user credentials Top Global Bank Preventive Controls – Customer Use Cases
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | 17 Detect Anomalies, Support Investigations
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Audit Data, Event Logs Database Firewall Network Events Audit Vault Monitor and Audit Enterprise Databases 18 Security Alerts SIEM Reports, Alerts Ad-hoc queries Security Analyst
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | 19 Situation: 100s of production databases containing sensitive IP; need to monitor for potential attacks and support compliance audits Solution: Oracle Audit Vault and Database Firewall Result: 200+ databases monitored within 3 months with regular reporting of audit information Benefit: Improved visibility and reporting for regulatory audits Multinational Semiconductor Company Situation: Need to comply with PCI DSS, SOX and GLBA Solution: Oracle Database Firewall Result: Monitoring of peak loads of 10k transactions/sec while maintaining database performance Benefit: Improved database traffic visibility Consumer Credit Reporting Company Situation: Public health record system; requirement for bank- strength security features Solution: Oracle Database Firewall Result: Monitoring access to health records in multivendor systems (Oracle MySQL, Sybase, IBM, MS SQL Server) to detect suspicious or inappropriate behavior Benefit: Improved posture for this patient “opt-in” service National Health Ministry Situation: Heterogeneous DB environment supporting over 700 stores in US, Canada, Japan, Australia and Mexico; requirement to comply with complex world-wide privacy regulations Solution: Oracle Audit Vault and Database Firewall Result: Monitor over 400 databases (Oracle, IBM DB2, Microsoft SQL Server) with daily activity reporting from audit logs Benefit: Improved security and streamlined compliance reporting North American Retailer Detective Controls – Customer Use Cases
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Data-Driven Access Control Russ DE HR Franck FR Marketing Paolo SP Consulting Luca IT Corporate Karen NE Sales Bob US Eng Mary US Eng Jim CA Eng Leslie MX Eng
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | 21 Situation: Consolidated patient data; HIPAA/HITRUST requirement for patient consent prior to data sharing Solution: Oracle Label Security Result: Enforcement of data access based with labels indicating patient consent status Benefit: Compliance with HITRUST requirements with minimal system modifications US Healthcare Provider Situation: Hundreds of business analysts needing access to raw data, but not access to certain sensitive data elements Solution: Virtual Private Database Result: Column-level access controlled by data values Benefit: Analysts were able to access data objects without risk of proliferation of sensitive data Large Asset Management Company Situation: Securing multiple departmental applications from accessing Billing/utility data from diverse sources Solution: Real Application Security data realms/columns Result: Applications leverage common data access policy enforcement at database Benefit: Cost savings; no access controls per applications Electric Utility Service Provider Situation: Managing data for both commercial and government customers; US ITAR regulations Solution: Oracle Label Security Result: Ability to comply with ITAR requirements for data using existing information systems Benefit: Reduced systems and management costs Defense/Commercial Manufacturer Data-Driven Security Controls – Customer Use Cases
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | 22 Evaluate Prevent Detect Data Driven Security Comprehensive Database Security Controls
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Crypto Toolkit for Applications Row Level SecurityKey Management Data Encryption EVALUATE Comprehensive Database Security Controls PREVENT DETECT DATA DRIVEN SECURITY Security Configuration Sensitive Data Discovery Privilege Analysis DBA & Operation Controls Database Auditing Database Firewall Real Application Security Label based Security Centralized Monitoring Security Assessment Alerting & Reporting Data Redaction Data Masking and Subsetting 23 Defense in depth Security
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | SECURITY INSIDE-OUT Security close to the data: Eliminates guesswork, maximizes performance, application transparency ENTERPRISE DEPLOYMENTS Across multiple systems: Operating systems, heterogeneous databases, applications, Cloud, … Oracle Database Security Strategy DEFENSE-IN-DEPTH SECURITY CONTROLS Overlapping controls: Encryption, masking, auditing, monitoring, access control, redaction, … ANTICIPATE THREATS & MITIGATE Transparent Data Encryption, DBA Control, Redaction, Masking, Privilege Analysis, DB Firewall, RAS, Cloud, … 24
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Safe Harbor Statement The preceding is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle. 25
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | 26
Best Practices for implementing Database Security Comprehensive Database Security
Ad

Recommended

Oracle Database Security
Oracle Database Security
Troy Kitch
 
Oracle GoldenGate
Oracle GoldenGate
oracleonthebrain
 
Oracle Security Presentation
Oracle Security Presentation
Francisco Alvarez
 
AV/DF Advanced Security Option
AV/DF Advanced Security Option
DLT Solutions
 
User, roles and privileges
User, roles and privileges
Yogiji Creations
 
An introduction to Defender for Business
An introduction to Defender for Business
Robert Crane
 
Free Training: How to Build a Lakehouse
Free Training: How to Build a Lakehouse
Databricks
 
Oracle architecture ppt
Oracle architecture ppt
Deepak Shetty
 
Big data and Hadoop
Big data and Hadoop
Rahul Agarwal
 
Introduction to Oracle Cloud Infrastructure Services
Introduction to Oracle Cloud Infrastructure Services
Knoldus Inc.
 
Elastic Data Warehousing
Elastic Data Warehousing
Snowflake Computing
 
Data Guard Architecture & Setup
Data Guard Architecture & Setup
Satishbabu Gunukula
 
Architect’s Open-Source Guide for a Data Mesh Architecture
Architect’s Open-Source Guide for a Data Mesh Architecture
Databricks
 
Changing the game with cloud dw
Changing the game with cloud dw
elephantscale
 
Backup Solution
Backup Solution
Jed Concepcion
 
Oracle E-Business Suite R12.2.5 on Database 12c: Install, Patch and Administer
Oracle E-Business Suite R12.2.5 on Database 12c: Install, Patch and Administer
Andrejs Karpovs
 
Fast Start Failover DataGuard
Fast Start Failover DataGuard
Borsaniya Vaibhav
 
Oracle RAC 19c - the Basis for the Autonomous Database
Oracle RAC 19c - the Basis for the Autonomous Database
Markus Michalewicz
 
MAA Best Practices for Oracle Database 19c
MAA Best Practices for Oracle Database 19c
Markus Michalewicz
 
Cloud Storage in Azure, AWS and Google Cloud
Cloud Storage in Azure, AWS and Google Cloud
Thurupathan Vijayakumar
 
Oracle data guard for beginners
Oracle data guard for beginners
Pini Dibask
 
Introducing the Snowflake Computing Cloud Data Warehouse
Introducing the Snowflake Computing Cloud Data Warehouse
Snowflake Computing
 
Apache Hadoop and HBase
Apache Hadoop and HBase
Cloudera, Inc.
 
Snowflake Data Science and AI/ML at Scale
Snowflake Data Science and AI/ML at Scale
Adam Doyle
 
Autonomous Database Explained
Autonomous Database Explained
Neagu Alexandru Cristian
 
GoldenGate and Stream Processing with Special Guest Rakuten
GoldenGate and Stream Processing with Special Guest Rakuten
Jeffrey T. Pollock
 
Aws Elastic Block Storage
Aws Elastic Block Storage
Dhananjay Aloorkar
 
NoSQL Now! NoSQL Architecture Patterns
NoSQL Now! NoSQL Architecture Patterns
DATAVERSITY
 
Oracle Database 11g Security and Compliance Solutions - By Tom Kyte
Oracle Database 11g Security and Compliance Solutions - By Tom Kyte
Edgar Alejandro Villegas
 
Ppt security-database-overview-11g r2
Ppt security-database-overview-11g r2
Oracle BH
 

More Related Content

What's hot (20)

Big data and Hadoop
Big data and Hadoop
Rahul Agarwal
 
Introduction to Oracle Cloud Infrastructure Services
Introduction to Oracle Cloud Infrastructure Services
Knoldus Inc.
 
Elastic Data Warehousing
Elastic Data Warehousing
Snowflake Computing
 
Data Guard Architecture & Setup
Data Guard Architecture & Setup
Satishbabu Gunukula
 
Architect’s Open-Source Guide for a Data Mesh Architecture
Architect’s Open-Source Guide for a Data Mesh Architecture
Databricks
 
Changing the game with cloud dw
Changing the game with cloud dw
elephantscale
 
Backup Solution
Backup Solution
Jed Concepcion
 
Oracle E-Business Suite R12.2.5 on Database 12c: Install, Patch and Administer
Oracle E-Business Suite R12.2.5 on Database 12c: Install, Patch and Administer
Andrejs Karpovs
 
Fast Start Failover DataGuard
Fast Start Failover DataGuard
Borsaniya Vaibhav
 
Oracle RAC 19c - the Basis for the Autonomous Database
Oracle RAC 19c - the Basis for the Autonomous Database
Markus Michalewicz
 
MAA Best Practices for Oracle Database 19c
MAA Best Practices for Oracle Database 19c
Markus Michalewicz
 
Cloud Storage in Azure, AWS and Google Cloud
Cloud Storage in Azure, AWS and Google Cloud
Thurupathan Vijayakumar
 
Oracle data guard for beginners
Oracle data guard for beginners
Pini Dibask
 
Introducing the Snowflake Computing Cloud Data Warehouse
Introducing the Snowflake Computing Cloud Data Warehouse
Snowflake Computing
 
Apache Hadoop and HBase
Apache Hadoop and HBase
Cloudera, Inc.
 
Snowflake Data Science and AI/ML at Scale
Snowflake Data Science and AI/ML at Scale
Adam Doyle
 
Autonomous Database Explained
Autonomous Database Explained
Neagu Alexandru Cristian
 
GoldenGate and Stream Processing with Special Guest Rakuten
GoldenGate and Stream Processing with Special Guest Rakuten
Jeffrey T. Pollock
 
Aws Elastic Block Storage
Aws Elastic Block Storage
Dhananjay Aloorkar
 
NoSQL Now! NoSQL Architecture Patterns
NoSQL Now! NoSQL Architecture Patterns
DATAVERSITY
 
Big data and Hadoop
Big data and Hadoop
Rahul Agarwal
 
Introduction to Oracle Cloud Infrastructure Services
Introduction to Oracle Cloud Infrastructure Services
Knoldus Inc.
 
Elastic Data Warehousing
Elastic Data Warehousing
Snowflake Computing
 
Data Guard Architecture & Setup
Data Guard Architecture & Setup
Satishbabu Gunukula
 
Architect’s Open-Source Guide for a Data Mesh Architecture
Architect’s Open-Source Guide for a Data Mesh Architecture
Databricks
 
Changing the game with cloud dw
Changing the game with cloud dw
elephantscale
 
Backup Solution
Backup Solution
Jed Concepcion
 
Oracle E-Business Suite R12.2.5 on Database 12c: Install, Patch and Administer
Oracle E-Business Suite R12.2.5 on Database 12c: Install, Patch and Administer
Andrejs Karpovs
 
Fast Start Failover DataGuard
Fast Start Failover DataGuard
Borsaniya Vaibhav
 
Oracle RAC 19c - the Basis for the Autonomous Database
Oracle RAC 19c - the Basis for the Autonomous Database
Markus Michalewicz
 
MAA Best Practices for Oracle Database 19c
MAA Best Practices for Oracle Database 19c
Markus Michalewicz
 
Cloud Storage in Azure, AWS and Google Cloud
Cloud Storage in Azure, AWS and Google Cloud
Thurupathan Vijayakumar
 
Oracle data guard for beginners
Oracle data guard for beginners
Pini Dibask
 
Introducing the Snowflake Computing Cloud Data Warehouse
Introducing the Snowflake Computing Cloud Data Warehouse
Snowflake Computing
 
Apache Hadoop and HBase
Apache Hadoop and HBase
Cloudera, Inc.
 
Snowflake Data Science and AI/ML at Scale
Snowflake Data Science and AI/ML at Scale
Adam Doyle
 
Autonomous Database Explained
Autonomous Database Explained
Neagu Alexandru Cristian
 
GoldenGate and Stream Processing with Special Guest Rakuten
GoldenGate and Stream Processing with Special Guest Rakuten
Jeffrey T. Pollock
 
Aws Elastic Block Storage
Aws Elastic Block Storage
Dhananjay Aloorkar
 
NoSQL Now! NoSQL Architecture Patterns
NoSQL Now! NoSQL Architecture Patterns
DATAVERSITY
 

Similar to Best Practices for implementing Database Security Comprehensive Database Security (20)

Oracle Database 11g Security and Compliance Solutions - By Tom Kyte
Oracle Database 11g Security and Compliance Solutions - By Tom Kyte
Edgar Alejandro Villegas
 
Ppt security-database-overview-11g r2
Ppt security-database-overview-11g r2
Oracle BH
 
Oracle database 12c security and compliance
Oracle database 12c security and compliance
FITSFSd
 
Integrigy_Oracle_E-Business_Suite_Security_Risks_Primer_for_Internal_Auditors...
Integrigy_Oracle_E-Business_Suite_Security_Risks_Primer_for_Internal_Auditors...
Minh237839
 
Security Inside Out: Latest Innovations in Oracle Database 12c
Security Inside Out: Latest Innovations in Oracle Database 12c
Troy Kitch
 
Oracle 11g security - 2014
Oracle 11g security - 2014
Connor McDonald
 
5. 2010 11-03 bucharest oracle-tech_day_security
5. 2010 11-03 bucharest oracle-tech_day_security
Doina Draganescu
 
Best Practices in Implementing Oracle Database Security Products
Best Practices in Implementing Oracle Database Security Products
Estuate, Inc.
 
DOAG Oracle Database Vault
DOAG Oracle Database Vault
Stefan Oehrli
 
Database Security – Issues and Best PracticesOutline
Database Security – Issues and Best PracticesOutline
OllieShoresna
 
Innovations dbsec-12c-pub
Innovations dbsec-12c-pub
OracleIDM
 
Securing data in Oracle Database 12c - 2015
Securing data in Oracle Database 12c - 2015
Connor McDonald
 
Engineered Systems - nejlepší cesta, jak zabezpečit váš dataAccelerate Cloud
Engineered Systems - nejlepší cesta, jak zabezpečit váš dataAccelerate Cloud
MarketingArrowECS_CZ
 
Oracle-Security_Executive-Presentation
Oracle-Security_Executive-Presentation
stefanjung
 
ODW 2021 - Automated patching and compliance to improve database security.pptx
ODW 2021 - Automated patching and compliance to improve database security.pptx
Paul Breniuc
 
Oracle Key Vault Data Subsetting and Masking
Oracle Key Vault Data Subsetting and Masking
DLT Solutions
 
Wp security-data-safe
Wp security-data-safe
ALI ANWAR, OCP®
 
Database & Technology 1 _ Barbara Rabinowicz _ Database Security Methoda and ...
Database & Technology 1 _ Barbara Rabinowicz _ Database Security Methoda and ...
InSync2011
 
ppt-security-dbsat-222-overview-nodemo.pdf
ppt-security-dbsat-222-overview-nodemo.pdf
camyla81
 
Database Private Security Jurisprudence: A Case Study using Oracle
Database Private Security Jurisprudence: A Case Study using Oracle
IJDMS
 
Oracle Database 11g Security and Compliance Solutions - By Tom Kyte
Oracle Database 11g Security and Compliance Solutions - By Tom Kyte
Edgar Alejandro Villegas
 
Ppt security-database-overview-11g r2
Ppt security-database-overview-11g r2
Oracle BH
 
Oracle database 12c security and compliance
Oracle database 12c security and compliance
FITSFSd
 
Integrigy_Oracle_E-Business_Suite_Security_Risks_Primer_for_Internal_Auditors...
Integrigy_Oracle_E-Business_Suite_Security_Risks_Primer_for_Internal_Auditors...
Minh237839
 
Security Inside Out: Latest Innovations in Oracle Database 12c
Security Inside Out: Latest Innovations in Oracle Database 12c
Troy Kitch
 
Oracle 11g security - 2014
Oracle 11g security - 2014
Connor McDonald
 
5. 2010 11-03 bucharest oracle-tech_day_security
5. 2010 11-03 bucharest oracle-tech_day_security
Doina Draganescu
 
Best Practices in Implementing Oracle Database Security Products
Best Practices in Implementing Oracle Database Security Products
Estuate, Inc.
 
DOAG Oracle Database Vault
DOAG Oracle Database Vault
Stefan Oehrli
 
Database Security – Issues and Best PracticesOutline
Database Security – Issues and Best PracticesOutline
OllieShoresna
 
Innovations dbsec-12c-pub
Innovations dbsec-12c-pub
OracleIDM
 
Securing data in Oracle Database 12c - 2015
Securing data in Oracle Database 12c - 2015
Connor McDonald
 
Engineered Systems - nejlepší cesta, jak zabezpečit váš dataAccelerate Cloud
Engineered Systems - nejlepší cesta, jak zabezpečit váš dataAccelerate Cloud
MarketingArrowECS_CZ
 
Oracle-Security_Executive-Presentation
Oracle-Security_Executive-Presentation
stefanjung
 
ODW 2021 - Automated patching and compliance to improve database security.pptx
ODW 2021 - Automated patching and compliance to improve database security.pptx
Paul Breniuc
 
Oracle Key Vault Data Subsetting and Masking
Oracle Key Vault Data Subsetting and Masking
DLT Solutions
 
Wp security-data-safe
Wp security-data-safe
ALI ANWAR, OCP®
 
Database & Technology 1 _ Barbara Rabinowicz _ Database Security Methoda and ...
Database & Technology 1 _ Barbara Rabinowicz _ Database Security Methoda and ...
InSync2011
 
ppt-security-dbsat-222-overview-nodemo.pdf
ppt-security-dbsat-222-overview-nodemo.pdf
camyla81
 
Database Private Security Jurisprudence: A Case Study using Oracle
Database Private Security Jurisprudence: A Case Study using Oracle
IJDMS
 
Ad

Recently uploaded (20)

Crypto Super 500 - 14th Report - June2025.pdf
Crypto Super 500 - 14th Report - June2025.pdf
Stephen Perrenod
 
“Key Requirements to Successfully Implement Generative AI in Edge Devices—Opt...
“Key Requirements to Successfully Implement Generative AI in Edge Devices—Opt...
Edge AI and Vision Alliance
 
FIDO Seminar: Perspectives on Passkeys & Consumer Adoption.pptx
FIDO Seminar: Perspectives on Passkeys & Consumer Adoption.pptx
FIDO Alliance
 
FME for Distribution & Transmission Integrity Management Program (DIMP & TIMP)
FME for Distribution & Transmission Integrity Management Program (DIMP & TIMP)
Safe Software
 
The State of Web3 Industry- Industry Report
The State of Web3 Industry- Industry Report
Liveplex
 
Bridging the divide: A conversation on tariffs today in the book industry - T...
Bridging the divide: A conversation on tariffs today in the book industry - T...
BookNet Canada
 
June Patch Tuesday
June Patch Tuesday
Ivanti
 
Integration of Utility Data into 3D BIM Models Using a 3D Solids Modeling Wor...
Integration of Utility Data into 3D BIM Models Using a 3D Solids Modeling Wor...
Safe Software
 
“From Enterprise to Makers: Driving Vision AI Innovation at the Extreme Edge,...
“From Enterprise to Makers: Driving Vision AI Innovation at the Extreme Edge,...
Edge AI and Vision Alliance
 
Reducing Conflicts and Increasing Safety Along the Cycling Networks of East-F...
Reducing Conflicts and Increasing Safety Along the Cycling Networks of East-F...
Safe Software
 
OWASP Barcelona 2025 Threat Model Library
OWASP Barcelona 2025 Threat Model Library
PetraVukmirovic
 
No-Code Workflows for CAD & 3D Data: Scaling AI-Driven Infrastructure
No-Code Workflows for CAD & 3D Data: Scaling AI-Driven Infrastructure
Safe Software
 
Tech-ASan: Two-stage check for Address Sanitizer - Yixuan Cao.pdf
Tech-ASan: Two-stage check for Address Sanitizer - Yixuan Cao.pdf
caoyixuan2019
 
FME for Good: Integrating Multiple Data Sources with APIs to Support Local Ch...
FME for Good: Integrating Multiple Data Sources with APIs to Support Local Ch...
Safe Software
 
AI vs Human Writing: Can You Tell the Difference?
AI vs Human Writing: Can You Tell the Difference?
Shashi Sathyanarayana, Ph.D
 
Can We Use Rust to Develop Extensions for PostgreSQL? (POSETTE: An Event for ...
Can We Use Rust to Develop Extensions for PostgreSQL? (POSETTE: An Event for ...
NTT DATA Technology & Innovation
 
FIDO Seminar: New Data: Passkey Adoption in the Workforce.pptx
FIDO Seminar: New Data: Passkey Adoption in the Workforce.pptx
FIDO Alliance
 
vertical-cnc-processing-centers-drillteq-v-200-en.pdf
vertical-cnc-processing-centers-drillteq-v-200-en.pdf
AmirStern2
 
AudGram Review: Build Visually Appealing, AI-Enhanced Audiograms to Engage Yo...
AudGram Review: Build Visually Appealing, AI-Enhanced Audiograms to Engage Yo...
SOFTTECHHUB
 
“Why It’s Critical to Have an Integrated Development Methodology for Edge AI,...
“Why It’s Critical to Have an Integrated Development Methodology for Edge AI,...
Edge AI and Vision Alliance
 
Crypto Super 500 - 14th Report - June2025.pdf
Crypto Super 500 - 14th Report - June2025.pdf
Stephen Perrenod
 
“Key Requirements to Successfully Implement Generative AI in Edge Devices—Opt...
“Key Requirements to Successfully Implement Generative AI in Edge Devices—Opt...
Edge AI and Vision Alliance
 
FIDO Seminar: Perspectives on Passkeys & Consumer Adoption.pptx
FIDO Seminar: Perspectives on Passkeys & Consumer Adoption.pptx
FIDO Alliance
 
FME for Distribution & Transmission Integrity Management Program (DIMP & TIMP)
FME for Distribution & Transmission Integrity Management Program (DIMP & TIMP)
Safe Software
 
The State of Web3 Industry- Industry Report
The State of Web3 Industry- Industry Report
Liveplex
 
Bridging the divide: A conversation on tariffs today in the book industry - T...
Bridging the divide: A conversation on tariffs today in the book industry - T...
BookNet Canada
 
June Patch Tuesday
June Patch Tuesday
Ivanti
 
Integration of Utility Data into 3D BIM Models Using a 3D Solids Modeling Wor...
Integration of Utility Data into 3D BIM Models Using a 3D Solids Modeling Wor...
Safe Software
 
“From Enterprise to Makers: Driving Vision AI Innovation at the Extreme Edge,...
“From Enterprise to Makers: Driving Vision AI Innovation at the Extreme Edge,...
Edge AI and Vision Alliance
 
Reducing Conflicts and Increasing Safety Along the Cycling Networks of East-F...
Reducing Conflicts and Increasing Safety Along the Cycling Networks of East-F...
Safe Software
 
OWASP Barcelona 2025 Threat Model Library
OWASP Barcelona 2025 Threat Model Library
PetraVukmirovic
 
No-Code Workflows for CAD & 3D Data: Scaling AI-Driven Infrastructure
No-Code Workflows for CAD & 3D Data: Scaling AI-Driven Infrastructure
Safe Software
 
Tech-ASan: Two-stage check for Address Sanitizer - Yixuan Cao.pdf
Tech-ASan: Two-stage check for Address Sanitizer - Yixuan Cao.pdf
caoyixuan2019
 
FME for Good: Integrating Multiple Data Sources with APIs to Support Local Ch...
FME for Good: Integrating Multiple Data Sources with APIs to Support Local Ch...
Safe Software
 
AI vs Human Writing: Can You Tell the Difference?
AI vs Human Writing: Can You Tell the Difference?
Shashi Sathyanarayana, Ph.D
 
Can We Use Rust to Develop Extensions for PostgreSQL? (POSETTE: An Event for ...
Can We Use Rust to Develop Extensions for PostgreSQL? (POSETTE: An Event for ...
NTT DATA Technology & Innovation
 
FIDO Seminar: New Data: Passkey Adoption in the Workforce.pptx
FIDO Seminar: New Data: Passkey Adoption in the Workforce.pptx
FIDO Alliance
 
vertical-cnc-processing-centers-drillteq-v-200-en.pdf
vertical-cnc-processing-centers-drillteq-v-200-en.pdf
AmirStern2
 
AudGram Review: Build Visually Appealing, AI-Enhanced Audiograms to Engage Yo...
AudGram Review: Build Visually Appealing, AI-Enhanced Audiograms to Engage Yo...
SOFTTECHHUB
 
“Why It’s Critical to Have an Integrated Development Methodology for Edge AI,...
“Why It’s Critical to Have an Integrated Development Methodology for Edge AI,...
Edge AI and Vision Alliance
 
Ad

Best Practices for implementing Database Security Comprehensive Database Security

  • 1. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Best Practices for implementing Database Security Comprehensive Database Security Saikat Saha Product Director Database Security, Oracle October 02, 2017
  • 2. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Safe Harbor Statement The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle. 2
  • 3. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Privacy & Security Regulations Increasing World-Wide EU GDPR PCI NZPA APP APPI Ch GDPL HK PDPO Si PDPA Th OIA Ru DPA IT Act SAECTA MDPA APDPL CLPPL Art. 5 CDPL MPDPL FOIPPAPIPEDA NY DFS 500 48 State Data Privacy laws Patriot Act CIPHIPAA GLBA
  • 4. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | 98M Target DEC ‘13 1B Yahoo Dec ’16 400M Friend Finder Dec ‘16 150M eBay May ‘14 200M Experian Mar ’14 US Voters 191M, Dec 15 150M Adobe Oct ‘13 56M Home Depot Sep ‘14 76M JPMC Oct ‘14 80M Anthem Feb ‘15 2M Vodafone Oct ‘13 42M Cupid Media Jan ’13 TBs IP Sony Nov ’14 2M Orange Feb/Apr ‘14 20M Credit Bureau 12M Telecom S. Korea Jan ‘14 22M Benesse Education Jul ‘14 Japan Espionage Kaspersky Jun ‘15 400GB IP Theft Hacking Team Jul ‘15 Carphone Warehouse Aug ’15 2.4M 4M Talk Talk Oct 15 50M Turkish Govt Apr ‘16 5M VTech Nov ‘15 30M BSNL Telco Journal Jul ‘15 Kmart Oct ‘15 11M Premera Blue Cross Mar ‘15 93M Mexico Voter Apr ‘16 154M US Voter Jun ‘16 32M Ashley Madison Jul ’15 US OPM, 22M Jun ’15 15M T-Mobile Oct ’15 4.6M Scottrade Oct ’15 55M Philippines Voter list Apr ‘16 4 Data Breaches are Exploding World-Wide 3.2M Debit cards Oct ‘16 Sabre Mar ‘16 CIA Apr ‘17 77M Edmodo May ‘17 143M Equifax July ‘17
  • 5. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Data is Today’s Capital • Data breaches are exploding world-wide – Databases continue to be the prime target • Fast Evolving, Stringent Regulatory Landscape – Across industries and regions – Laws that aim to protect data and citizen privacy • Data Security Strategy – Protect against multiple threat actors and multiple vectors – With built-in, comprehensive security controls – For on-premise and cloud databases 5 But in the Wrong Hands, Data Becomes the New Liability
  • 6. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | XSS / Malware Changing Threat Landscape 6 Databases remain the Target Threat Actors Hackers OS Admin DBA Test & Dev End-Users Support SQL Injection Stolen Credentials Ransomware Physical Theft Privilege Escalation Network Sniffing Threat Vectors Middleware Applications Databases Operating System Network Storage Backup Threat Targets
  • 7. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | 7 Evaluate Prevent Detect Data Driven Security Comprehensive Database Security Controls
  • 8. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Evaluate Security Risks
  • 9. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | 9 Situation: Hundreds of databases distributed around the globe, scattered across dozens of acquired companies; no unified configuration standard Solution: Oracle Database Security Assessment (DBSAT) Result: Significant misconfigurations identified, leading to a single configuration standard being applied everywhere Benefit: Reduced risk of breach and easier security audits against a well-defined standard Global Oil Field Services Provider Situation: Thousands of Oracle Databases managed by silos of administrators; no comprehensive picture of databases’ security posture Solution: Continuous compliance monitoring with Oracle Enterprise Manager Database Lifecycle Management Pack Result: Near-real time alerts when any database configuration drift introduces security risk Benefit: Reduced audit costs, improved security Very Large Semiconductor Manufacturer Situation: Migrating SAP installation to a new infrastructure; desire to harden deployment at the same time Solution: Oracle Database Security Assessment (DBSAT) Result: Discovered many security issues including use of default SAP application account configured for password-less login Benefit: Potential production vulnerability avoided Global Auto Manufacturer Situation: Dozens of production databases with no model of where sensitive data resides making it difficult to apply suitable security policies and controls Solution: Sensitive Data Discovery with Oracle DB Security Result: 400+ columns of SSN & other sensitive data identified Benefit: Ability to apply appropriate security controls on data US Insurance Provider Evaluative Controls – Customer Use Cases
  • 10. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Prevent Data Compromise
  • 11. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Reducing the Risk from Malicious Users Oracle Database Vault 11 Separation of Duty Over Privileged Account Least Privilege Protect Sensitive Data Minimize impact to • Applications • Performance • High Availability • Operations Prevent Database Change
  • 12. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Disks Exports Backups Transparent Data Encryption Encrypted Storage d$f8#;!90Wz@Yg#3 Redacted Applications Data Redaction Oracle Advanced Security 12
  • 13. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Oracle Advanced Security Transparent Data Encryption (TDE) 13 Disks Exports Off-Site Facilities • Encrypts columns or entire tablespaces • Protects the database files on disk and on backups • High-speed performance • Transparent to applications, no changes required • Integrated with Oracle DB technologies Applications Encrypted Data Backups Clear Data d$f8#; !90Wz Yg#3R qR+% @Ue#3 R+%K# *HH$7 #9Vlka
  • 14. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | TDE Integration with Oracle Database 14 Database Technologies Example Points of Integration TDE Support High-Availability Clusters Oracle Real Application Clusters (RAC), Data Guard, Active Data Guard Backup and Restore Oracle Recovery Manager (RMAN), Oracle Secure Backup Export and Import Oracle Data Pump Export and Import Database Replication Oracle Golden Gate Pluggable Databases Oracle Multitenant Option Engineered Systems Oracle Exadata Smart Scans Storage Management Oracle Automatic Storage Management (ASM) Data Compression Oracle Standard, Advanced , and Hybrid Columnar Compression
  • 15. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Oracle Key Vault – Centralized Key Management 15 Oracle Wallet Upload & Download Oracle Database Online Master Key ASM Storage Nodes ASM Cluster File Systems (Encrypted) Online Master Key Credential File Upload & Download Java Keystore Upload & Download MySQL Keys Solaris Crypto Keys
  • 16. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | 16 Situation: Fourteen independent operating units consolidating different Oracle eBusiness Suite (EBS) instances; requirement to support migration and test Solution: Data Masking with eBusiness Suite templates Result: Substantial reduction in risk (and risk-mitigation costs) by removing sensitive data from non-production systems Benefit: Initial consolidation of three business units was accomplished in the first year Consumer Goods Manufacturer Situation: Hortonworks Hadoop with sensitive/classified information Solution: BigData SQL, Oracle Data Redaction and Virtual Private Database (VPD) across Oracle DB and Hadoop Result: Ability to restrict user access to sensitive data in data lake Benefit: Data from a single big data repository can be shared among agencies while maintaining adherence to data classification policies European Government Ministry Situation: Board of Directors mandate to encrypt databases for critical applications by end of 2017 Solution: Transparent Data Encryption with Oracle Key Vault Result: Encrypted 50 databases containing sensitive customer data Benefit: Information protection throughout data lifecycle at scale with automated key management Diversified Telecommunications Company Situation: 1,000s of databases; recent breach led to evaluation of security practices, and how they could be improved Solution: Transparent Data Encryption and Oracle Database Vault Result: Most databases encrypted within the first year. Database Vault security realms protect data from privileged accounts Benefit: Confidentiality of data throughout the data lifecycle and protection from data loss from stolen privileged user credentials Top Global Bank Preventive Controls – Customer Use Cases
  • 17. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | 17 Detect Anomalies, Support Investigations
  • 18. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Audit Data, Event Logs Database Firewall Network Events Audit Vault Monitor and Audit Enterprise Databases 18 Security Alerts SIEM Reports, Alerts Ad-hoc queries Security Analyst
  • 19. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | 19 Situation: 100s of production databases containing sensitive IP; need to monitor for potential attacks and support compliance audits Solution: Oracle Audit Vault and Database Firewall Result: 200+ databases monitored within 3 months with regular reporting of audit information Benefit: Improved visibility and reporting for regulatory audits Multinational Semiconductor Company Situation: Need to comply with PCI DSS, SOX and GLBA Solution: Oracle Database Firewall Result: Monitoring of peak loads of 10k transactions/sec while maintaining database performance Benefit: Improved database traffic visibility Consumer Credit Reporting Company Situation: Public health record system; requirement for bank- strength security features Solution: Oracle Database Firewall Result: Monitoring access to health records in multivendor systems (Oracle MySQL, Sybase, IBM, MS SQL Server) to detect suspicious or inappropriate behavior Benefit: Improved posture for this patient “opt-in” service National Health Ministry Situation: Heterogeneous DB environment supporting over 700 stores in US, Canada, Japan, Australia and Mexico; requirement to comply with complex world-wide privacy regulations Solution: Oracle Audit Vault and Database Firewall Result: Monitor over 400 databases (Oracle, IBM DB2, Microsoft SQL Server) with daily activity reporting from audit logs Benefit: Improved security and streamlined compliance reporting North American Retailer Detective Controls – Customer Use Cases
  • 20. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Data-Driven Access Control Russ DE HR Franck FR Marketing Paolo SP Consulting Luca IT Corporate Karen NE Sales Bob US Eng Mary US Eng Jim CA Eng Leslie MX Eng
  • 21. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | 21 Situation: Consolidated patient data; HIPAA/HITRUST requirement for patient consent prior to data sharing Solution: Oracle Label Security Result: Enforcement of data access based with labels indicating patient consent status Benefit: Compliance with HITRUST requirements with minimal system modifications US Healthcare Provider Situation: Hundreds of business analysts needing access to raw data, but not access to certain sensitive data elements Solution: Virtual Private Database Result: Column-level access controlled by data values Benefit: Analysts were able to access data objects without risk of proliferation of sensitive data Large Asset Management Company Situation: Securing multiple departmental applications from accessing Billing/utility data from diverse sources Solution: Real Application Security data realms/columns Result: Applications leverage common data access policy enforcement at database Benefit: Cost savings; no access controls per applications Electric Utility Service Provider Situation: Managing data for both commercial and government customers; US ITAR regulations Solution: Oracle Label Security Result: Ability to comply with ITAR requirements for data using existing information systems Benefit: Reduced systems and management costs Defense/Commercial Manufacturer Data-Driven Security Controls – Customer Use Cases
  • 22. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | 22 Evaluate Prevent Detect Data Driven Security Comprehensive Database Security Controls
  • 23. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Crypto Toolkit for Applications Row Level SecurityKey Management Data Encryption EVALUATE Comprehensive Database Security Controls PREVENT DETECT DATA DRIVEN SECURITY Security Configuration Sensitive Data Discovery Privilege Analysis DBA & Operation Controls Database Auditing Database Firewall Real Application Security Label based Security Centralized Monitoring Security Assessment Alerting & Reporting Data Redaction Data Masking and Subsetting 23 Defense in depth Security
  • 24. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | SECURITY INSIDE-OUT Security close to the data: Eliminates guesswork, maximizes performance, application transparency ENTERPRISE DEPLOYMENTS Across multiple systems: Operating systems, heterogeneous databases, applications, Cloud, … Oracle Database Security Strategy DEFENSE-IN-DEPTH SECURITY CONTROLS Overlapping controls: Encryption, masking, auditing, monitoring, access control, redaction, … ANTICIPATE THREATS & MITIGATE Transparent Data Encryption, DBA Control, Redaction, Masking, Privilege Analysis, DB Firewall, RAS, Cloud, … 24
  • 25. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Safe Harbor Statement The preceding is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle. 25
  • 26. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | 26