8/3/2019 Securing Data at the Source 1-08-10
SECURING DATA AT THE SOURCE: A GUIDE TO ORACLE DATABASE SECURITY
Security Inside Out
Table of Contents
3 INTRODUCTION
8 DATABASE ENCRYPTION AND MASKING
13 ACCESS AND AUTHORIZATION
16 AUDITING AND MONITORING
21 LOOKING AHEAD
Secure Data At The Source.
Save Time And Money.
Introduction

Over the past few years, ensuring the security of information and data has become both more challenging and more important. Indeed, doing so has quickly grown from a technology challenge to a key business issue with broad strategic implications, and that has put growing pressure on IT professionals to keep data safe and secure.

In part, this shift is due to the ever-growing role of electronic data in business and the unprecedented amounts of transaction, personal, and financial data (much of it confidential and regulated) that is being generated and stored by corporations and government agencies. As this growth continues, the universe of stored data will expand to 1,800 exabytes by 2012, according to IDC.

Meanwhile, there is a growing range of threats targeting that data. External threats have evolved from being primarily hackers looking for notoriety to being highly organized criminals looking for financial gain. In a recent study of 90 confirmed data breaches in 2008, the Verizon Business Risk security team found that 285 million records were lost in those attacks, and the team reports that 91 percent of those compromised records could be attributed to organized criminal activity. Stolen sensitive information, such as addresses and credit card and social security numbers, can be sold on the black market or used in spamming campaigns, credit card fraud, identity theft, and the distribution of malicious software. And unlike hackers, criminals want to stay below the radar, making their attacks all the more difficult to detect. As Rich Mogull, founder of the Securosis research and analysis firm, recently noted, "We need to acknowledge that threats have changed, from noisy to quiet, from the edge of the organization to the center. We also need to understand that attackers' motivations have changed: web site defacement isn't the goal; fraud and data theft are."

But companies need to consider insider threats as well. Often, these come in the form of accidents or failures to follow security policy. Recent research from the Ponemon Institute found that employee compliance with company security policies is actually declining. "Employees routinely engage in activities that put sensitive data at risk," writes Dr. Larry Ponemon, chairman of the institute. Such activities include downloading data onto unsecured mobile devices, sharing passwords, losing laptops and other devices, and turning off security tools on mobile devices. Writes Ponemon: "Interestingly, of those surveyed, 58 percent said their employer failed to provide adequate data
security awareness and training, and 57 percent said their employers' data protection policies were ineffective." But insider threats can be malicious as well, and come from disgruntled workers or employees seeking personal gain. At times, insider attacks make headlines, such as the FBI's 2008 arrest of a former Countrywide Financial Corp. employee for alleged involvement in the theft of some 2 million customer records. But the Privacy Rights Clearinghouse, which maintains a list of breaches, shows numerous smaller attacks at corporations, universities, and government agencies. These breaches may involve only hundreds or tens of thousands of people, but to the organizations and individuals who are victimized, they are very serious just the same. Regardless of the motivation behind internal data breaches, organizations can no longer ignore the security threat posed by people who are actually authorized to access systems at some level. An IDC survey found that 52 percent of large companies had terminated employees or contractors for internal security violations, and 80 percent of very large organizations (those with more than 10,000 employees) had done so.

The cost of failing to secure data is high, and getting higher. Data breaches can lead to administrative costs and, of course, individual or class-action lawsuits from consumers. Compliance, too, can be a costly and growing issue: Companies are liable to run afoul of a growing range of regulations, such as Sarbanes-Oxley, the Health Insurance Portability and Accountability Act, Financial Instruments and Exchange Law, Basel II, and the EU Directive on Privacy and Electronic Communications in Europe, which require organizations to implement measures to protect sensitive information and monitor access to that information.

The impact on the business from data losses can be deep, and it can be far-ranging in terms of damaged reputation and reduced customer loyalty. In research from the Chief Marketing Officer Council, more than half of the surveyed consumers said that they would strongly consider or definitely take their business elsewhere if their personal information were compromised. The same held true with business-to-business relationships, with about half of surveyed executives saying they would consider or would recommend taking their business elsewhere if a business partner experienced a security breach that compromised their data.
Similarly, outsourcing arrangements often mean that other companies have access to corporate systems and data, and that picture can become even more complicated when offshoring puts work into countries where partners may be working under different laws and regulations regarding data security. In its research, the Ponemon Institute found that third-party organizations account for more than 44 percent of data breach incidents.

The solution to such challenges, then, is to safeguard data where it lives: in the database. Indeed, database security is rapidly becoming a recognized best practice, but often, companies lag behind in this area. "Despite significant effort to protect enterprise databases, attack rates continue to rise across several industries, including financial services, education, retail, the public sector, and manufacturing," notes a report from Noel Yuhanna, principal analyst at Forrester Research. Today, attacks on enterprise databases are more sophisticated than ever, and many occur without enterprises being aware that an attack is taking place, especially in the case of internal attacks, which are the hardest to detect. Advanced security measures that can help are available, but, reports Yuhanna, only 25 percent of surveyed enterprises are using those types of measures.

The Oracle Approach to Database Security

Oracle provides a comprehensive portfolio of database security solutions to ensure data privacy, protect against insider threats, and enable regulatory compliance, without requiring changes to existing applications. These solutions build on Oracle's long history of innovation in the field. The industry firsts it has delivered include row-level access control, fine-grained auditing, transparent data encryption, and data masking. Today, Oracle solutions are used to protect a significant amount of data, with Oracle Database being used for 48.9 percent of the world's databases.
Given the sophistication and variety of security threats facing businesses, most organizations know that effective security programs are typically based on multiple layers of preventive measures. Oracle's database security options fall into three broad categories:

- Encryption and Masking, which includes Oracle Advanced Security, Oracle Secure Backup, and Oracle Data Masking Pack
- Access and Authorization, which includes Oracle Database Vault and Oracle Label Security
- Auditing and Monitoring, which includes Oracle Audit Vault, Oracle Total Recall, and Oracle Configuration Management Pack

These offerings are discussed in detail in the following chapters.
LEARN MORE
Seminar: Protecting Data at the Source with Oracle Database 11g Release 2
Demo: Oracle Database 11g Security and Compliance
Analyst Report: Oracle Database Security: Cost-Effective Data Leak Prevention Starts at the Source
Database Encryption And Masking

Security strategies have long relied on the encryption of information, but in recent years, the need for encryption has increased significantly, with the rise of identity theft and criminal attacks targeting social security numbers, credit card numbers, and other sensitive information. Encryption at the database level can help protect data from unauthorized backdoor access by dishonest administrators and other insiders, and from operating system- and network-level attacks by outsiders. It also helps protect from media theft involving laptops, storage disks being removed for maintenance, and backup tapes.

"Over the years, we've seen requirements to expand protection around critical data such as medical data, personal identifiable information, and credit card information," says Gary Loveland, PricewaterhouseCoopers Advisory principal and security practice leader in the United States. "There is no doubt that in [the near future] even more data will need to be protected. Being able to encrypt all application data efficiently is a big benefit to organizations in terms of keeping up with business needs and staying ahead of regulatory requirements."

However, it is still common to find unencrypted data at many companies, and that data is at risk of being compromised. In a recent Independent Oracle User Group survey, only 21 percent of the respondents said that they encrypt personal information on all databases, and 37 percent said that they either have no encryption of such data, or that they aren't sure whether or not they do.

Encryption is important, but it doesn't cover every situation. For example, encryption will not protect against unauthorized access to production data in nonproduction environments. By definition, developers, administrators, and others need to be able to access data in these environments.

Overall, companies can address these security challenges with the capabilities provided by Oracle Advanced Security, Oracle Secure Backup, and Oracle Data Masking Pack.

Oracle Advanced Security

With Oracle Advanced Security, companies can transparently encrypt all application data or specific sensitive columns,
such as credit card numbers, social security numbers, or personally identifiable information. By encrypting data at rest in the database, as well as when it leaves the database over the network or via backup media, Oracle Advanced Security provides a cost-effective solution for data protection.

Oracle Advanced Security Transparent Data Encryption (TDE) provides robust encryption solutions to safeguard sensitive data against unauthorized access at the operating system level, or through the theft of hardware or backup media. With a simple command or point-and-click interface, an administrator can encrypt sensitive data within an existing application table. Unlike most database encryption solutions, TDE is completely transparent to existing applications, and no triggers, views, or other application changes are required. Data is transparently encrypted when written to disk and transparently decrypted after an application user has successfully authenticated and passed all authorization checks. Authorization checks include verifying the user has the necessary select and update privileges on the application table and checking Database Vault, Label Security, and Virtual Private Database enforcement policies. Existing database backup routines will continue to work, with the data remaining encrypted in the backup. To safeguard data in transit, Oracle Advanced Security provides an easy-to-deploy and comprehensive solution for protecting all communication to and from the Oracle Database, providing both native network encryption and SSL-based encryption. The Oracle Database can be configured to reject connections from clients with encryption turned off, or optionally allow unencrypted connections for deployment flexibility.

Overall, Oracle Advanced Security lets companies:

- Protect all application data quickly and easily, with the ability to encrypt the entire tablespace or specific sensitive columns without making any changes to existing applications
- Take a comprehensive approach to encryption, with transparent encryption for Oracle database traffic, disk backups, and exports
- Achieve high levels of identity assurance, with support for PKI, Kerberos, and RADIUS-based strong authentication solutions
- Manage costs, with the ability to leverage complete built-in encryption key lifecycle management, including integration with industry-leading Hardware Security Modules (HSM) or other enterprisewide key management solutions.
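As an added example, not taken from the guide, the statements behind the column- and tablespace-level encryption described above, followed by the dictionary views a DBA can query to confirm what is actually encrypted and whether the keystore is open. The hr.employees table, its ssn column, the hr_enc tablespace, the datafile path and the index name are constructed; it assumes a TDE keystore (wallet) holding the master key has already been created and opened.

```sql
-- Added example (not from the guide). Column- and tablespace-level TDE on a
-- constructed HR schema, plus the views that confirm what is encrypted.
-- Assumes: the TDE keystore (wallet) holding the master key already exists
-- and is OPEN; the session may ALTER hr.employees.

-- 1. Column encryption: rewrite one sensitive column in place. Applications
--    keep reading hr.employees.ssn unchanged; only the on-disk bytes change.
--    (Add NO SALT only if the column must stay indexable; salted is default.)
ALTER TABLE hr.employees MODIFY (ssn ENCRYPT USING 'AES256');

-- 2. Tablespace encryption: every segment stored in the tablespace, indexes
--    included, is encrypted. Move the application table into it, then rebuild
--    its indexes, because MOVE marks them UNUSABLE. Path and index name are
--    constructed.
CREATE TABLESPACE hr_enc
  DATAFILE '/u01/oradata/ORCL/hr_enc01.dbf' SIZE 512M
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);
ALTER TABLE hr.employees MOVE TABLESPACE hr_enc;
ALTER INDEX hr.employees_pk REBUILD;

-- 3. Verify: encrypted columns, encrypted tablespaces, keystore state.
--    While the keystore is CLOSED the encrypted data is unreadable
--    (ORA-28365), which is exactly what protects a stolen datafile or backup.
SELECT owner, table_name, column_name, encryption_alg, salt
  FROM dba_encrypted_columns;

SELECT t.name AS tablespace_name, e.encryptionalg, e.encryptedts
  FROM v$encrypted_tablespaces e
  JOIN v$tablespace t ON t.ts# = e.ts#;

SELECT wrl_type, wrl_parameter, status
  FROM v$encryption_wallet;

-- 4. Data in transit. Native network encryption is set in the server's
--    sqlnet.ora (shown as a comment, not SQL). REQUIRED rejects clients that
--    have encryption turned off; the default, ACCEPTED, would let them in:
--      SQLNET.ENCRYPTION_SERVER        = REQUIRED
--      SQLNET.ENCRYPTION_TYPES_SERVER  = (AES256)
--      SQLNET.CRYPTO_CHECKSUM_SERVER   = REQUIRED
--    Each connected session then reports the negotiated service:
SELECT sid, network_service_banner
  FROM v$session_connect_info
 WHERE network_service_banner LIKE '%Encryption service%';
```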
Oracle Secure Backup

Oracle Secure Backup provides an integrated, easy-to-use backup solution that encrypts data to tape to safeguard against the misuse of sensitive data in the event that backup tapes are lost or stolen. With a low entry cost, Oracle Secure Backup is ideal for small and midsize businesses and large enterprises alike.

Oracle Secure Backup gives companies complete data protection for Oracle environments. It provides network tape backup for UNIX, Linux, Windows, and Network Attached Storage (NAS) file system data, as well as the Oracle Database, and supports more than 200 different tape devices from leading vendors. It enables Oracle Database-to-tape backup through integration with Oracle Recovery Manager (RMAN), supporting versions Oracle9i to Oracle Database 11g, as well as file system data protection of local and distributed servers and policy-based tape backup management.

Companies can also take advantage of the Oracle Secure Backup Cloud module, which enables efficient Oracle Database backups to the Amazon Simple Storage Service (Amazon S3). Such cloud-based backups offer reliability and virtually unlimited capacity that is available on-demand and requires no up-front capital expenditure. This module is fully integrated with RMAN and Oracle Enterprise Manager, providing users with familiar interfaces for Cloud-based backups. It can be used to complement existing backup strategies and can be run independently of Oracle Secure Backup tape-management offerings.

Oracle Secure Backup's client-server architecture enables centralized tape backup management of heterogeneous clients, servers and tape devices from a single point called the Administrative Server. The Administrative Server maintains a tape backup catalog that houses metadata, configuration information, backup encryption keys, schedules, and user-defined policies.

Key pieces of Oracle Secure Backup functionality are embedded directly inside the Oracle Database engine, making it possible to achieve higher levels of security, performance, and ease of use. For example, to help ensure high levels of security, Oracle Secure Backup encrypts data during all stages of a backup. Encryption is performed before the data leaves the Oracle database, eliminating the risk of data being stolen while in transit to tape. In addition, the data on tape is stored in encrypted form. The Oracle Database then automatically decrypts backups during the restore process. Oracle Secure Backup also features
certificate-based authentication of host systems participating in a backup or restore to ensure that outside parties cannot impersonate an authorized host.

In terms of performance, Oracle Secure Backup provides very rapid backups to tape. Its tight integration with RMAN enables it to read the database block layout structure directly and optimize storage access. The solution typically performs backups 10 percent to 25 percent more quickly than comparable media management utilities, with up to 30 percent less CPU utilization.

Oracle Data Masking Pack

IT professionals often need to share data with other parts of the organization. For example, DBAs may need to make copies of production data available to in-house developers or offshore testers for their work. The problem is that such production copies often contain confidential, sensitive, or personally identifiable information that government regulations require companies to protect. In fact, the ability to de-identify sensitive data is an increasingly important element of data-privacy protection laws around the globe.

With Oracle Data Masking, sensitive information such as credit card or social security numbers can be replaced with realistic values, allowing production data to be safely used for development, testing, and staging, and shared with outsourcing or offshore partners for various nonproduction purposes. Sensitive data never has to leave the database, and is kept out of nonproduction databases.

The solution uses an irreversible process to replace sensitive data, helping to ensure that the original data cannot be retrieved, recovered, or restored. It also provides a centralized approach to masking. Traditionally, DBAs have had to create and maintain custom scripts to mask data in each of their corporate databases, a method that is not scalable or truly auditable. Oracle Data Masking, on the other hand, provides a central repository for common masking formats. Security administrators define the masking rules once, and then those rules are applied automatically every time the database administrator masks the database. Companies can apply data privacy rules consistently to all sensitive data to help ensure compliance with regulations.

Oracle Data Masking Pack ships with out-of-the-box mask formats for various types of sensitive data, such as credit card numbers, phone numbers, and national identifiers (social security number for U.S., national insurance number for U.K.).
In addition, companies with specialized masking requirements can add user-defined mask formats to the collection of the mask formats, allowing them to use formats that are appropriate for their business or industry. Financial institutions, for example, often use complex algorithms to generate account numbers to prevent fraud. With user-defined formats, they can generate fictitious account numbers to replace the original data and still remain compliant with the security standard built into the account numbers.

Oracle Data Masking Pack is securely integrated with the database-cloning capabilities in Oracle Enterprise Manager. That means that in addition to the standalone masking process, database administrators can now add data masking to the database clone process by pointing the production database to a staging environment and specifying the masking definitions that need to be run after cloning. The solution also provides several options to allow administrators greater control over the masking process and to enable them to test and verify the integrity of the masking process before deploying it.

LEARN MORE
Podcast: Data Privacy Protection with PricewaterhouseCoopers
Podcast: Database Security for Database and Security Administrators
Customer Snapshot: Dressbarn Relies on Oracle Advanced Security for PCI Compliance
Demo: Forrester Research: Oracle Database 11g Security: Data Masking
Access and Authorization

Controlling access to information is fundamental to data security, and regulations and best practices alike require companies to have strong access and authorization controls. But this is an area that is not always well managed. In a recent Deloitte Touche Tohmatsu global security survey, excessive access rights was cited as the primary internal or external audit finding over the last year, and unauthorized access to personal information was cited as the top concern in terms of ensuring data privacy. Not only do companies need to manage access for employees across the corporation to make sure the right people are using the right data, they must also work to control the access given to privileged users, in particular database administrators, without limiting those users' ability to perform their jobs. Together, the Oracle Database Vault and Oracle Label Security options can help companies meet those challenges.

Oracle Database Vault

Today, a number of regulations require companies to maintain internal controls to protect sensitive information, such as financial, health, and credit card records, from unauthorized access and modification. Oracle Database Vault helps companies comply with those requirements with strong controls designed to protect data against threats from insiders.

Oracle Database Vault offers Realms, Rules, and Factors features, which work together inside the database to restrict access from even the most powerful users without interfering with the normal day-to-day database administration. Realms can be defined and placed around an entire application or set of tables. For example, a database administrator who can manage all the application databases can be restricted from actually reading the data stored in those databases. Or, an HR application user who has full access to the HR application database can be prevented from accessing data in the financial application database if those two databases are defined as different realms. The ability to prevent privileged users from accessing data outside of their authorized area is increasingly critical because many companies are consolidating application databases on the same database server as they search for ease of management and lower total cost of ownership.
Meanwhile, Rules and Factors significantly tighten application security by limiting who can access which databases, data, and applications, and when and how they can access them. Multiple factors, such as time of day, IP address, application name, and authentication method, can be used in a flexible and adaptable manner to enforce authorization requirements. For example, if company policy mandates no changes to databases during production hours, and a new DBA tries to do an upgrade at the wrong time, Database Vault can block that action or require that a second DBA be present in order to make such a change. Overall, such multifactor control helps prevent unauthorized ad hoc access and application bypass.

Oracle Database Vault provides powerful separation of duty controls, offering three distinct out-of-the-box responsibilities for security administration, account management, and resource management. For example, the solution blocks a DBA with the create user privilege from creating a new user if he or she doesn't have the proper responsibility. The resource administration responsibility can be further subdivided into backup, performance, and patching responsibilities. Or, responsibilities can be consolidated.

Because Oracle Database Vault runs inside the Oracle Database, it does not require changes to existing applications. In addition, Oracle provides certified customizable Oracle Database Vault policies for Oracle E-Business Suite, Oracle PeopleSoft, Oracle Siebel CRM, and Oracle JD Edwards applications to help companies deploy quickly.
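As an added example, not from the guide, the realm and the time-of-day rule set that the two Database Vault scenarios above describe: a realm around an application schema, and a rule set that only lets schema changes through outside production hours. The HR schema, the realm, rule and rule-set names are constructed; it assumes Database Vault is enabled and the statements run as the Database Vault owner account (the DV_OWNER role).

```sql
-- Added example (not from the guide). A realm around a constructed HR schema
-- and a rule set that confines schema changes to a maintenance window.
-- Assumes Database Vault is enabled and this runs as the DV_OWNER account.
-- All names (HR, 'HR Realm', 'Maintenance Window', ...) are constructed.

-- 1. Realm: every object owned by HR. Accounts relying on system privileges
--    such as SELECT ANY TABLE get ORA-47401 (realm violation) on these
--    objects unless authorized in step 3; direct object grants keep working.
BEGIN
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'HR Realm',
    description   => 'Protects the HR application schema',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);   -- record violations
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'HR Realm',
    object_owner => 'HR',
    object_name  => '%',
    object_type  => '%');
END;
/

-- 2. Rule and rule set: true only before 07:00 or from 19:00, server time.
--    Time of day is one factor; DVF.F$CLIENT_IP or DVF.F$SESSION_USER could
--    be combined into the same expression for multifactor checks.
BEGIN
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Outside Production Hours',
    rule_expr => q'[TO_NUMBER(TO_CHAR(SYSDATE, 'HH24')) < 7
                    OR TO_NUMBER(TO_CHAR(SYSDATE, 'HH24')) >= 19]');
  DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'Maintenance Window',
    description     => 'Schema changes only outside production hours',
    enabled         => DBMS_MACUTL.G_YES,
    eval_options    => DBMS_MACUTL.G_RULESET_EVAL_ALL,   -- all rules must pass
    audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
    fail_options    => DBMS_MACUTL.G_RULESET_FAIL_SHOW,  -- show the message
    fail_message    => 'HR schema changes are only permitted outside production hours',
    fail_code       => 20001,
    handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);
  DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'Maintenance Window',
    rule_name     => 'Outside Production Hours');
END;
/

-- 3. Authorize HR as realm owner, but only while the rule set is true: at any
--    other time its DDL on realm objects is blocked like everyone else's.
BEGIN
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'HR Realm',
    grantee       => 'HR',
    rule_set_name => 'Maintenance Window',
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_OWNER);
END;
/

-- 4. Review the configuration from the data dictionary.
SELECT r.name, r.enabled, o.owner, o.object_name, o.object_type
  FROM dba_dv_realm r
  JOIN dba_dv_realm_object o ON o.realm_name = r.name;

SELECT realm_name, grantee, auth_rule_set_name, auth_options
  FROM dba_dv_realm_auth;
```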
Oracle Label Security

Oracle Label Security is the industry's most advanced label-based access control product. It gives companies a powerful and easy-to-use tool for classifying data and mediating access to data based on the data's classification.

Traditional controls focus on roles or stop at the object level: a company would be able to control, for example, a user's access to a customer table, but not to specific subsets within the table. Oracle Label Security extends database security authorization by enabling powerful row-level access controls in the Oracle Database using data sensitivity labels, and essentially assigning a data label to each row.

Label Security provides an easy-to-use policy-based administration model. This lets companies create policies specific to their needs. Moreover, multiple policies can reside in the same database, making it easy to create policies for different applications in a consolidated environment.
Oracle Label Security enables organizations to:

- Restrict access to individuals with the appropriate clearance. It allows administrators to classify every row in a table, so that only those with the right clearance can access sensitive data.
- Enforce regulatory compliance. It provides a policy-based administration model that enables organizations to establish custom data-classification schemes for implementing need-to-know access for their applications.
- Leverage labels flexibly. Labels can be used as factors within Oracle Database Vault for multifactor authorization policies. Oracle Label Security also integrates with Oracle Identity Management, enabling centralized management of policy definitions.

Oracle Label Security was originally designed to meet the high-security requirements of government and defense organizations. Such organizations typically use the solution for multilevel security, that is, to compartmentalize access to sensitive and highly sensitive data stored in the same application table. Commercial organizations can use data labels to compartmentalize data in order to control access to regulatory data and enforce need-to-know policies, and to enhance security in multi-tenancy databases and hosting and software-as-a-service arrangements.
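As an added example, not from the guide, a two-level Label Security policy that gives every row of an application table a sensitivity label and lets a session see only the rows at or below its clearance. The hr.employees table, its salary column, the policy and the HR_ANALYST and HR_INTERN accounts are constructed; it assumes Oracle Label Security is installed and the PL/SQL block runs as a user holding the LBAC_DBA role.

```sql
-- Added example (not from the guide). A two-level Label Security policy on a
-- constructed hr.employees table. Assumes Oracle Label Security is installed
-- and this block runs as a user holding LBAC_DBA; HR_ANALYST, HR_INTERN and
-- the salary column are constructed (both users also need SELECT on the table).
BEGIN
  -- 1. The policy adds a label column (row_label) to each table it protects.
  --    READ_CONTROL/WRITE_CONTROL enforce the label on SELECT and on DML;
  --    LABEL_DEFAULT stamps new rows with the session's default row label.
  SA_SYSDBA.CREATE_POLICY(
    policy_name     => 'hr_policy',
    column_name     => 'row_label',
    default_options => 'READ_CONTROL,WRITE_CONTROL,LABEL_DEFAULT');

  -- 2. Levels are ordered sensitivities; labels are what rows and users carry.
  SA_COMPONENTS.CREATE_LEVEL(policy_name => 'hr_policy', level_num => 1000,
                             short_name => 'PUB',  long_name => 'PUBLIC');
  SA_COMPONENTS.CREATE_LEVEL(policy_name => 'hr_policy', level_num => 2000,
                             short_name => 'CONF', long_name => 'CONFIDENTIAL');
  SA_LABEL_ADMIN.CREATE_LABEL(policy_name => 'hr_policy', label_tag => 1000,
                              label_value => 'PUB');
  SA_LABEL_ADMIN.CREATE_LABEL(policy_name => 'hr_policy', label_tag => 2000,
                              label_value => 'CONF');

  -- 3. Protect the table. Existing rows now carry a NULL label and are
  --    invisible under READ_CONTROL until they are labeled in step 5.
  SA_POLICY_ADMIN.APPLY_TABLE_POLICY(
    policy_name   => 'hr_policy',
    schema_name   => 'HR',
    table_name    => 'EMPLOYEES',
    table_options => 'READ_CONTROL,WRITE_CONTROL,LABEL_DEFAULT');

  -- 4. Clearances: the analyst may read up to CONF, the intern only PUB.
  SA_USER_ADMIN.SET_USER_LABELS(policy_name => 'hr_policy',
                                user_name => 'HR_ANALYST', max_read_label => 'CONF');
  SA_USER_ADMIN.SET_USER_LABELS(policy_name => 'hr_policy',
                                user_name => 'HR_INTERN',  max_read_label => 'PUB');

  -- 5. Let the schema owner bypass the policy so it can label existing rows.
  SA_USER_ADMIN.SET_USER_PRIVS(policy_name => 'hr_policy',
                               user_name => 'HR', privileges => 'FULL');
END;
/

-- Run as HR (holding FULL): classify the existing rows. Labels are stored as
-- numeric tags; CHAR_TO_LABEL converts the readable form.
UPDATE hr.employees SET row_label = CHAR_TO_LABEL('hr_policy', 'CONF')
 WHERE salary > 100000;
UPDATE hr.employees SET row_label = CHAR_TO_LABEL('hr_policy', 'PUB')
 WHERE row_label IS NULL;
COMMIT;

-- Run as HR_ANALYST and then as HR_INTERN: the identical statement returns
-- different row sets, the intern never sees CONF rows, and no application
-- code had to change.
SELECT employee_id, LABEL_TO_CHAR(row_label) AS sensitivity
  FROM hr.employees;
```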
LEARN MORE
Podcast
Protecting Your Databases Against CyberEspionage
Demo
Forrester Research Oracle Database 11g Security:
Access Control
Oracle Database Vault: Privileged User and Multi-
Factor Controls
Seminar
Rich Mogull on Enforcing Separation of Duties for Database and Security Administrators
Auditing and Monitoring
Security threats continue to shift and grow, and the use of technology continues to evolve, all of which means that the security landscape is constantly changing. Effective security cannot be accomplished with a "set it and forget it" approach; it requires continued vigilance and comprehensive monitoring of the state of security in the enterprise.
In part, that means that companies need to be able to audit changes in the database, to see who altered what, and when, in order to analyze problems, uncover suspicious activity, and comply with regulatory reporting requirements. Today, it is also increasingly important to monitor activity in real time, so that the company can detect unauthorized access and act quickly to avoid problems or minimize their impact. And finally, companies need to assess their potential vulnerabilities during deployment and ongoing database operations. This is key to working proactively and heading off security problems before they start.
To strengthen auditing and monitoring, companies can draw on the Oracle Audit Vault, Oracle Total Recall, and Oracle Configuration Management Pack options.
Oracle Audit Vault
Experts who have investigated data breaches have found that auditing can help detect problems early on, reducing the financial impact of the breaches. Oracle Audit Vault transparently collects and consolidates audit data, providing valuable insight into who did what to which data when, including privileged users who have direct access to the database.
Oracle Audit Vault automatically collects audit data from Oracle, DB2, Sybase, and SQL Server databases. It consolidates this data in a secure and highly scalable audit warehouse, with access strictly controlled through the use of predefined administrative roles. It also leverages Oracle's industry-leading database security and data warehousing technology for managing, analyzing, storing, and archiving large volumes of audit data securely.
The solution enables proactive threat detection, with alerts that highlight suspicious activity across the enterprise. It continuously monitors inbound audit data, evaluating it against alert conditions. Alerts can be associated with any auditable database event, including changes to application tables, role grants, and privileged user creation on sensitive systems. The solution gives companies graphical summaries of the activities that are causing alerts.
Database audit settings are centrally managed and monitored from within Oracle Audit Vault. With the solution, IT security personnel work with auditors to define audit settings on databases and other systems to meet both compliance requirements and internal security policies. Oracle Audit Vault lets companies provision and review audit settings in multiple Oracle databases from a central console, reducing the cost and complexity of managing audit settings across the enterprise.
Oracle Audit Vault also offers simplified, out-of-the-box compliance reporting. It gives companies standard audit-assessment reports covering privileged users, account management, roles and privileges, object management, and system management. Companies can define parameter-driven reports that show user log-in activity across multiple systems and within specific time periods, such as weekends. The solution also provides an open audit warehouse schema that can be accessed from Oracle BI Publisher, Oracle Application Express, or third-party reporting tools.
With these capabilities, Oracle Audit Vault helps companies:
Simplify compliance reporting, with the ability to easily analyze audit data and take action in a timely fashion using out-of-the-box or custom reporting
Detect threats more effectively, with the ability to quickly and automatically identify unauthorized activities that violate security and governance policies, and to thwart perpetrators who try to cover their tracks
Lower IT costs, with the ability to centrally manage audit settings across all databases
With Oracle Audit Vault, organizations are in a much better position to enforce privacy policies, guard against insider threats, and address regulatory requirements.
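The alert conditions and the weekend log-in report described above, as an added example that is not part of the Oracle guide and not Audit Vault's own alert definitions (those are configured in the Audit Vault console): the database-side audit settings that make the events visible at all, followed by the equivalent review queries against the source database's standard DBA_AUDIT_TRAIL and DBA_AUDIT_SESSION views, which is the data Audit Vault collects. It assumes AUDIT_TRAIL is set to DB (or DB,EXTENDED), DBA rights, and a reporting window in November 2009 chosen for the illustration.

```sql
-- Added example (not from the Oracle guide). Assumes AUDIT_TRAIL=DB and
-- DBA access to the audit views.

-- 1. Record the events the alerts depend on. Without these, the queries
--    below are silent even when the activity happens.
AUDIT SESSION;               -- every logon/logoff, for the weekend report
AUDIT USER;                  -- CREATE/ALTER/DROP USER
AUDIT ROLE;                  -- CREATE/ALTER/DROP ROLE
AUDIT SYSTEM GRANT;          -- GRANT/REVOKE of system privileges and roles
AUDIT GRANT ANY ROLE;
AUDIT GRANT ANY PRIVILEGE;

-- 2. Alert condition: role grants in the last 24 hours. Failed attempts
--    (RETURNCODE <> 0) are kept, since a refused grant is still a signal.
SELECT timestamp, username AS grantor, userhost,
       obj_name AS role_granted, grantee, returncode
  FROM dba_audit_trail
 WHERE action_name = 'GRANT ROLE'
   AND timestamp > SYSDATE - 1
 ORDER BY timestamp DESC;

-- 3. Alert condition: privileged user creation or modification.
SELECT timestamp, username AS actor, obj_name AS account,
       action_name, returncode
  FROM dba_audit_trail
 WHERE action_name IN ('CREATE USER', 'ALTER USER', 'DROP USER')
   AND timestamp > SYSDATE - 1
 ORDER BY timestamp DESC;

-- 4. Parameter-driven report: log-ins on weekends within a date window,
--    failures listed first (1017 is the "invalid username/password" code).
SELECT timestamp, username, os_username, userhost, terminal,
       CASE WHEN returncode = 0 THEN 'OK'
            ELSE 'FAILED(' || returncode || ')' END AS outcome
  FROM dba_audit_session
 WHERE action_name = 'LOGON'
   AND TO_CHAR(timestamp, 'DY', 'NLS_DATE_LANGUAGE=ENGLISH') IN ('SAT', 'SUN')
   AND timestamp BETWEEN TO_DATE('2009-11-01', 'YYYY-MM-DD')
                     AND TO_DATE('2009-11-30', 'YYYY-MM-DD')
 ORDER BY returncode DESC, timestamp;
```

Run on the source database, these queries are only as trustworthy as the audit trail on that host, which a privileged user could edit. That is the gap the text's "cover their tracks" point refers to, and it is why the records are shipped to a separate audit warehouse rather than reviewed in place.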
Oracle Total Recall
Today, companies need to retain historical data for long periods of time in order to comply with various regulations. In addition, many recognize the potential value that such historical data holds in terms of enabling the analysis of problems and the understanding of market trends and customer behavior. As a result, they are keeping such data for even longer than regulations demand. Doing all of this in a secure manner, however, has traditionally been a difficult and inefficient process.
Oracle Total Recall addresses that problem by allowing historical data to be kept inside the database very efficiently, and by enabling the instant access to historical data needed to conduct various analyses. Overall, it lets companies transparently track changes to database table data in a highly secure and efficient manner.
Oracle Total Recall can be used to support internal auditing, human-error correction, and regulatory compliance processes. There is no limit on the time period for storing historical data, because that data is stored in the database itself; the solution can handle any retention period the business requires. And the solution provides real-time access to historical archives, with the ability to query data as of any point in time in the past through the use of standard SQL statements.
Based on Flashback Data Archive, the solution provides:
Efficiency of performance and storage. The capture process minimizes performance overhead, and historical data is stored in compressed form to reduce storage requirements.
Complete protection from accidental or malicious update. No one, not even administrators, can update historical data directly.
Automated ongoing historical data management. Oracle Database 11g automatically enforces rules and sends problem alerts when needed to minimize administrator intervention.
Oracle Total Recall is easy to configure and implement. Administrators can enable historical data capture for one table or all tables in a database with a simple enable archive command. In addition, the solution requires no application changes or special interfaces. And it eliminates the need for third-party or custom solutions in the management of historical data. Overall, Oracle Total Recall is designed to be easily managed and make the most efficient use of all related resources, including CPU, storage, and administrator time.
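The "enable archive" step and the as-of-any-point-in-time queries described above, as an added example that is not part of the Oracle guide: a Flashback Data Archive with a retention policy, attached to a table, then queried and used for a single-row correction with ordinary SQL. The archive name FDA_ORDERS, the tablespace FDA_TS, the SALES.ORDERS table and its columns, and the order number and timestamps are assumptions made for the illustration.

```sql
-- Added example (not from the Oracle guide). Names, dates and the order
-- number are assumptions; requires the FLASHBACK ARCHIVE ADMINISTER privilege
-- for steps 1 and 7.

-- 1. An archive with a retention policy. History older than seven years is
--    purged by the database itself, not by an administrator's script.
CREATE FLASHBACK ARCHIVE fda_orders
  TABLESPACE fda_ts
  QUOTA 20G
  RETENTION 7 YEAR;

-- 2. Turn on tracking for one table. The application is untouched; history
--    is captured from undo data in the background.
ALTER TABLE sales.orders FLASHBACK ARCHIVE fda_orders;

-- 3. Normal DML continues unchanged; every prior version is retained.
UPDATE sales.orders SET status = 'SHIPPED' WHERE order_id = 4711;
COMMIT;

-- 4. Point-in-time query: the row as it stood at the end of a given day.
SELECT order_id, status, amount
  FROM sales.orders AS OF TIMESTAMP
       TO_TIMESTAMP('2009-06-30 23:59:59', 'YYYY-MM-DD HH24:MI:SS')
 WHERE order_id = 4711;

-- 5. Change history: each version of the row in a window, with the
--    operation and transaction id, for internal audit or investigation.
SELECT versions_starttime, versions_endtime, versions_operation,
       versions_xid, status, amount
  FROM sales.orders
       VERSIONS BETWEEN TIMESTAMP
         TO_TIMESTAMP('2009-06-01', 'YYYY-MM-DD') AND SYSTIMESTAMP
 WHERE order_id = 4711
 ORDER BY versions_starttime;

-- 6. Human-error correction: put one row back to its state an hour ago.
UPDATE sales.orders o
   SET (status, amount) = (SELECT status, amount
                             FROM sales.orders AS OF TIMESTAMP
                                  (SYSTIMESTAMP - INTERVAL '1' HOUR)
                            WHERE order_id = o.order_id)
 WHERE order_id = 4711;
COMMIT;

-- 7. The history itself cannot be updated directly. Detaching the table
--    discards its history, so that statement should be confined to the few
--    accounts holding FLASHBACK ARCHIVE ADMINISTER and audited like any
--    other system privilege.
-- ALTER TABLE sales.orders NO FLASHBACK ARCHIVE;
```

Step 5 is the one to try first on a test table: after a handful of updates, the VERSIONS query shows each intermediate state with the transaction that produced it, which is the record an auditor is usually asking for.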
Oracle Configuration Management Pack
The Oracle Configuration Management Pack helps companies ensure that their database configurations are secure by automatically detecting, validating, and reporting on authorized and unauthorized configuration changes.
To help track assets and uncover problems, this management pack collects deep configuration information for a range of components, including hardware, operating systems, and Oracle Database, middleware, application server, and WebLogic server software. The pack can be used to support both Oracle and third-party IT components.
Oracle Configuration Management enables the proactive assessment of key compliance areas such as security, configuration, and storage to help companies identify vulnerabilities and areas where best practices are not being followed. The solution includes a built-in collection of more than 250 best practices based on industry standards for security and configuration management, which can be customized by administrators for their specific IT environment.
In addition, the pack has a Critical Patch Update Advisory feature that alerts companies to critical patches issued by Oracle and immediately identifies those systems across the enterprise that may require the new patch. Companies can also use a patch wizard to automatically deploy the patch, helping to ensure that application databases are always up-to-date and protected.
A key part of this management pack is the Configuration Change Console, which provides real-time change detection and reporting. The console automatically collects the required data, detecting and capturing any actions by users or applications that result in changes to the infrastructure. No user input is requested or required to capture and document changes. The console monitors a variety of areas, including files and directories, processes, user accounts, server resources, databases, and the network. With the console, companies can use compliance-reporting dashboards that convert continuous evaluation results into compliance scores and present them in at-a-glance views that highlight key indicators, provide the ability to drill down to details, and help decision makers track progress toward compliance over time.
By letting companies detect and prevent unauthorized changes more efficiently and effectively, the Oracle Configuration Management Pack helps ensure compliance with IT control frameworks such as Control Objectives for Information and related Technology (COBIT) and the COSO Internal Control-Integrated Framework as required by Sarbanes-Oxley and similar global directives. By doing so, it helps them increase security, mitigate risk, and provide demonstrable control over the entire IT environment for governance and compliance.
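The kind of secure-configuration assessment the pack automates against its best-practice library, as an added example that is not part of the Oracle guide and not the pack's own rules: a hand-written check over the Oracle 11g data dictionary that returns one row per finding, so an empty result means the checked items are compliant. The choice of which settings, privileges and packages to flag is this example's own; it assumes SELECT access to the DBA_* and V$ views.

```sql
-- Added example (not from the Oracle guide): a small configuration check
-- written as one query. Each branch yields rows only when there is a finding.

-- 1. Open accounts still using a well-known default password (11g view).
SELECT 'DEFAULT_PASSWORD' AS finding, d.username AS detail
  FROM dba_users_with_defpwd d
  JOIN dba_users u ON u.username = d.username
 WHERE u.account_status = 'OPEN'
UNION ALL
-- 2. Profiles that never expire passwords or never lock after failures.
SELECT 'WEAK_PROFILE_' || resource_name, profile || '=' || limit
  FROM dba_profiles
 WHERE resource_name IN ('PASSWORD_LIFE_TIME', 'FAILED_LOGIN_ATTEMPTS')
   AND limit = 'UNLIMITED'
UNION ALL
-- 3. Instance parameters that should not be left at a permissive value.
SELECT 'PARAMETER_' || name, value
  FROM v$parameter
 WHERE (name = 'remote_os_authent'           AND UPPER(value) = 'TRUE')
    OR (name = 'o7_dictionary_accessibility' AND UPPER(value) = 'TRUE')
    OR (name = 'sec_case_sensitive_logon'    AND UPPER(value) = 'FALSE')
    OR (name = 'audit_trail'                 AND UPPER(value) = 'NONE')
UNION ALL
-- 4. Direct grants of the most powerful system privileges outside the
--    built-in administrative accounts and the DBA role.
SELECT 'POWERFUL_GRANT', grantee || ':' || privilege
  FROM dba_sys_privs
 WHERE privilege IN ('ALTER SYSTEM', 'BECOME USER', 'GRANT ANY PRIVILEGE',
                     'GRANT ANY ROLE', 'EXEMPT ACCESS POLICY')
   AND grantee NOT IN ('SYS', 'SYSTEM', 'DBA')
UNION ALL
-- 5. Network- and file-facing packages executable by every user.
SELECT 'PUBLIC_EXECUTE', table_name
  FROM dba_tab_privs
 WHERE grantee = 'PUBLIC'
   AND privilege = 'EXECUTE'
   AND table_name IN ('UTL_FILE', 'UTL_TCP', 'UTL_HTTP', 'UTL_SMTP')
ORDER BY 1, 2;
```

A check like this is a point-in-time snapshot; the value the text attributes to the pack is running such rules continuously across every database and turning the findings into a score that can be tracked over time.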
LEARN MORE
Podcast
Chase Paymentech Relies on Oracle Audit Vault for Security and Compliance
Demo
Oracle Audit Vault: Database Audit and Activity Monitoring
Database Vulnerability Assessment and Secure Configuration
Seminar
Forrester Research Oracle Database 11g Security: Activity and Configuration Monitoring
Looking Ahead
Database security is clearly a vital and challenging issue, and companies need to be prepared for this reality. At many organizations, however, there is considerable room for improvement on this front. For example, in a recent IOUG security survey:
Only one out of four respondents said that all their databases are locked down against attacks.
Most respondents said that they do not have mechanisms in place to prevent database administrators and other privileged database users from reading or tampering with sensitive information, and most said that they are unable to detect such incidents.
Responses indicated that one in four of the sites covered by the survey do not encrypt data within their databases, and nearly one in five were not sure whether such encryption takes place.
Two out of five responding organizations said that they use actual production data in nonproduction environments, which typically puts that data in an unsecured setting.
These types of gaps represent significant vulnerabilities, and the world is likely to be less and less forgiving of such lapses in the months and years to come. Compliance is likely to become increasingly challenging, as data privacy regulations, and fines for noncompliance, become more and more stringent. The sheer volume of sensitive data that needs to be protected continues to grow. And threats posed by insiders and outsiders alike will only become more sophisticated.
"The risks around data security can be expected to keep growing and evolving to become ever-more challenging, as criminals step up efforts to tap into what is a very valuable asset," says Securosis founder Rich Mogull. That means that advanced, comprehensive security is only growing more important, and that companies will need to tighten control over the sensitive information held in their databases. In short, database security has already become a critical technical and business issue, and looking forward, the effort to protect data where it lives will play an increasingly vital role in an organization's success.
LEARN MORE
Podcast
Database Security for Database and Security Administrators
Analyst Report
Forrester Research: Your Enterprise Security Strategy for 2010
Blog
Security Inside Out
Data Security Self-Assessment Tool
Copyright 2009, Oracle and/or its affiliates. All rights reserved. Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.