Miss Scarlet with a lead pipe, in the library
• Players: 3 to 6
• Contents: Clue game board, six suspect tokens, six murder weapons, 21 cards, secret envelope, one die, pad of detective notebook sheets.
• Goal: To correctly name the murderer, murder weapon, and murder location.
• Setup: Sort the cards by type and shuffle each pile face-down. Without looking, take one suspect card, one weapon card, and one room card, and slide them into the secret envelope.
Cluedo - the game
Cluedo - the tools
Deon Roos
Enterprise Architect
Oracle Corporation South Africa
[Diagram: the enterprise database landscape. Users: Developer, End User, Power Users, Quality Assurance. Environments: Prod, Dev, QA, Test, Report Server, Storage. Administrators: Sys Admin, Network Admin, Storage Admin, DBA. Third parties: HW Vendor, Backup Server. Threat: hAck3rs.]
Database Defense-in-Depth
Access Control
• Oracle Database Vault
• Oracle Label Security
Encryption and Masking
• Oracle Advanced Security
• Oracle Secure Backup
• Oracle Data Masking
Auditing and Monitoring
• Oracle Audit Vault
• Oracle Configuration Management
• Oracle Total Recall
Blocking and Logging
• Oracle Database Firewall
[Same landscape diagram, with SSL added.]
[Same landscape diagram, with data classified as Sensitive, Confidential and Public.]
[Same landscape diagram, with an Auditing vault added.]
[Diagram: Configuration Management & Audit lifecycle: Asset Management, Discover, Classify, Assess, Monitor, Policy Management, Vulnerability Management, Analysis & Analytics, Prioritize, Fix.]
Why Audit? Business drivers
• Compliance mandates it: SOX, PCI-DSS, HIPAA, ...
• Your auditor told you to do it
• You don't want to end up in the news
• Maintain customer trust
• Detective controls
  – Monitor privileged application user accounts for non-compliant activity: trust but verify
  – Audit non-application access to sensitive data (credit card, financial data, personally identifiable information, etc.)
  – Verify that no one is trying to bypass the application security controls
  – Line items are changed in order to avoid business processes and approvals
• Cost of compliance
  – Eliminate costly and complex scripts for reporting
  – Reduce reporting costs for specific compliance audits
Standard Auditing
• Statement auditing: audits SQL statements by type of statement, not by the specific schema objects on which the statement operates
  – Data definition statements (DDL)
  – Data manipulation statements (DML)
• Object auditing: the auditing of specific statements on a particular schema object
• Privilege auditing: the auditing of SQL statements that use a system privilege. You can audit activities of all database users or of only a specified list of users.
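An added example, not from the slides, that turns the three standard auditing types above into Oracle AUDIT statements, together with the views that show what is enabled and the trail a DBA reads back; it assumes traditional (pre-Unified) auditing with AUDIT_TRAIL set to DB,EXTENDED, and the table hr.employees and account app_user are hypothetical names.

```sql
-- Added example (not from the slides). Assumes Oracle traditional auditing;
-- hr.employees and app_user are hypothetical names.

-- Prerequisite: write audit records to SYS.AUD$ including SQL text.
-- SCOPE=SPFILE means the change takes effect after a restart.
ALTER SYSTEM SET audit_trail = 'DB,EXTENDED' SCOPE = SPFILE;

-- 1. Statement auditing: by statement type, independent of any object.
AUDIT SESSION WHENEVER NOT SUCCESSFUL;   -- failed logins only
AUDIT TABLE BY ACCESS;                   -- CREATE / DROP / TRUNCATE TABLE (DDL)
AUDIT ALTER TABLE BY ACCESS;             -- ALTER TABLE (DDL)
AUDIT SYSTEM GRANT BY ACCESS;            -- GRANT / REVOKE of system privileges and roles
AUDIT ROLE BY ACCESS;                    -- CREATE / ALTER / DROP / SET ROLE

-- 2. Object auditing: named statements on one particular schema object.
--    Every SELECT and DML on the sensitive table, success or failure.
AUDIT SELECT, INSERT, UPDATE, DELETE ON hr.employees BY ACCESS;

-- 3. Privilege auditing: use of a system privilege, restricted here to one
--    listed user rather than all database users.
AUDIT SELECT ANY TABLE, ALTER ANY TABLE BY app_user BY ACCESS;

-- Check what is actually enabled (the first thing an auditor asks for).
SELECT audit_option, user_name, success, failure FROM dba_stmt_audit_opts;
SELECT privilege, user_name, success, failure FROM dba_priv_audit_opts;
SELECT owner, object_name, sel, ins, upd, del
  FROM dba_obj_audit_opts
 WHERE owner = 'HR';

-- Read the trail: who did what, from which host, and whether it succeeded
-- (returncode 0 = success; a non-zero value is the ORA- error number).
SELECT timestamp, username, os_username, userhost,
       action_name, owner, obj_name, returncode, sql_text
  FROM dba_audit_trail
 WHERE timestamp > SYSDATE - 1
 ORDER BY timestamp;

-- Failed logins of the last day, the "exception activity" view.
SELECT timestamp, username, userhost, returncode
  FROM dba_audit_trail
 WHERE action_name = 'LOGON' AND returncode <> 0
   AND timestamp > SYSDATE - 1;
```

The trail lives inside the audited database, so a DBA can alter it; shipping it to a separate store such as Audit Vault is what gives the segregation of duties the later slides describe.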
Audit Requirements: what do you need to audit?
[Matrix mapping each audit category below to the compliance mandates SOX, GLBA, HIPAA, PCI DSS, FISMA and Basel II.]
• Failed Logins: Do you have visibility of failed logins and other exception activities?
• Accounts, Roles & Permissions: Do you have visibility of GRANT and REVOKE activities?
• Privileged User Activity: Do you have visibility of users' activities?
• Schema Changes: Are you aware of CREATE, DROP and ALTER commands that are occurring on identified tables / columns?
• Data Changes: Do you have visibility into INSERT, UPDATE, MERGE, DELETE commands?
• Access to Sensitive Data: Do you have visibility into what information is being queried (SELECTs)?
Mandates: HIPAA (Health Insurance Portability and Accountability Act), FISMA (Federal Information Security Management Act), GLBA (Gramm-Leach-Bliley Act).
Oracle Audit Vault: Automated Activity Monitoring & Audit Reporting
[Diagram: audit sources feed the Audit Vault over encrypted connections; the auditor works from its reports and alerts.]
• Sources: various DB sources, with adapters for packaged applications (Siebel, HCM); Oracle; MS SQL Server 2000, 2005 & 2008; Sybase ASE 12.5.4 - 15.0.x; DB2 8.2 - 9.5 on Linux, Unix, Windows. Encryption in transit.
• Audit Vault: Audit Data, Policies, Built-in Reports, Alerts, Custom Reports.
• Audit warehouse, secured audited data, segregation of duties, completeness of audit, encryption at rest, consolidated auditing, performance & scalability.
• For the auditor: easy to use reports, central provisioning of policies, meet compliance reporting, proactive alerts & notifications (SMS/email), pre-defined & custom reports.
Default reports
Out of the box - Compliance reports
For more information
• oracle.com/database/security
• search.oracle.com: "database security"