
Copyright © 2017, Oracle and/or its affiliates. All rights reserved.

CON6571 - Cybersecurity and Compliance in 2017: Database Security is Business-Critical

Vipin Samar, Senior Vice President, Database Security Development. October 02, 2017


Safe Harbor Statement

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.


Program Agenda

1. Security Trends and Current Solutions
2. Database Security Assessment Tool
3. Cloud Data Security Strategy and Service
4. Continuing Innovations in Database Security
5. EU General Data Protection Regulation (EU-GDPR)

High-level Trends in Security

• Data breaches becoming bigger and bolder
  – New targets: data aggregators, financial accounting firms, breach investigators, security companies, governments, ...
  – New target types: devices, cloud, ...
• Data breaches becoming very costly
  – $80 billion spent every year on IT security, but actual breach cost exceeds a trillion dollars
  – Average cost of a data breach is $7.35 million, $225 per stolen record
  – Litigation expenses account for almost 65% of breach expenses
  – Irreversible damage to victims, brand, and business
• Challenges
  – Severe shortage of security skills, no match for hacker expertise and automation
  – Many organizations don't know how vulnerable they are

Lose Your Data, Lose the Business

What do you have? Where? How much? Who has access? Who accessed it?

Privacy & Security Regulations Increasing World-Wide

Regulations shown on the slide's world map, as labelled: EU GDPR, PCI, NZPA, APP, APPI, Ch GDPL, HK PDPO, Si PDPA, Th OIA, Ru DPA, IT Act, SAECTA, MDPA, APDPL, CLPPL, Art. 5, CDPL, MPDPL, FOIPPA, PIPEDA, NY DFS 500, 48 State Data Privacy laws, Patriot Act, CIP, HIPAA, GLBA.

Threat Landscape: Databases are the Prime Target

Threat Actors: Hackers, OS Admin, DBA, Test & Dev, End-Users, Support

Threat Vectors: XSS / Malware, SQL Injection, Stolen Credentials, Ransomware, Physical Theft, Privilege Escalation, Network Sniffing

Threat Targets: Middleware, Applications, Databases, Operating System, Network, Storage, Backup

Attacking the Database

Attack paths shown on the slide: Exploit Database, Exploit Application, Attack Users, Attack Admins, Bypass Database, Target Exported Data (the copies that flow out to Apps, Test, Dev and Partners).

Oracle Database Maximum Security Architecture

Controls placed around the database on the slide:

• Data Redaction: applications see a redacted value (XXY-YY-5100) in place of the stored one (010-11-5100)
• Database Firewall: in front of the database, on the path from Apps
• Transparent Data Encryption, with master keys held in Key Vault
• Automated Privilege Analysis
• Data Masking: Test, Dev and Partner copies receive masked data (022-22-5001)
• Audit Vault: collects Audit Data
• Database Vault
• Configuration Checks

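Worked example of the Data Redaction control in the architecture above. This is added here and is not code from the Oracle deck; it assumes Oracle Database 12c or later with Advanced Security, and uses hypothetical names (schema HR, table EMPLOYEES, column SSN, role HR_PAYROLL) and constructed sample rows.

```sql
-- Added example: partial Data Redaction on a US SSN column (Oracle 12c+, Advanced Security).
-- Hypothetical objects: HR.EMPLOYEES(SSN), role HR_PAYROLL. Run as a user with EXECUTE on
-- DBMS_REDACT (for example one holding the DBA role) and the right to create these objects.

-- Constructed sample data for the example.
CREATE TABLE hr.employees (
  emp_id    NUMBER        PRIMARY KEY,
  last_name VARCHAR2(40)  NOT NULL,
  ssn       VARCHAR2(11)  NOT NULL   -- stored as NNN-NN-NNNN
);
INSERT INTO hr.employees VALUES (1, 'Garcia', '010-11-5100');
INSERT INTO hr.employees VALUES (2, 'Okafor', '022-22-5001');
COMMIT;

CREATE ROLE hr_payroll;

-- Redaction is applied to query results at run time; the stored value is untouched.
-- The policy EXPRESSION decides when to redact: here, whenever HR_PAYROLL is not
-- enabled in the session. SYS_SESSION_ROLES returns 'TRUE' or 'FALSE'.
BEGIN
  DBMS_REDACT.ADD_POLICY(
    object_schema       => 'HR',
    object_name         => 'EMPLOYEES',
    column_name         => 'SSN',
    policy_name         => 'redact_employee_ssn',
    function_type       => DBMS_REDACT.PARTIAL,
    -- Built-in format for NNN-NN-NNNN input: replace the first five digits with X and
    -- keep the dashes and the last four digits (the pattern XXX-XX-NNNN).
    function_parameters => DBMS_REDACT.REDACT_US_SSN_F5,
    expression          => q'[SYS_CONTEXT('SYS_SESSION_ROLES', 'HR_PAYROLL') = 'FALSE']'
  );
END;
/

-- Confirm the policy is bound to the right column and carries the intended expression.
SELECT object_owner, object_name, column_name, function_type, expression
FROM   redaction_columns
WHERE  object_owner = 'HR' AND object_name = 'EMPLOYEES';

-- Two limits to keep in mind when testing this:
-- 1. Redaction is not access control: a user who can filter on the column can still
--    probe it (WHERE ssn = '010-11-5100' matches), so grants on the table still matter.
-- 2. SYS, and any user holding the EXEMPT REDACTION POLICY system privilege, bypass
--    every redaction policy; restricting DBAs is Database Vault's job, not Data Redaction's.
```

An application session that holds only SELECT on HR.EMPLOYEES sees the last four digits of each SSN with the rest replaced by X; a session with HR_PAYROLL enabled sees the full value. Test both paths, and test a filtering query as the application user, before relying on the policy.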

Database Security Controls

Four groups: Evaluate, Prevent, Detect, Data-Driven Security

Controls on the slide: Security Configuration; Sensitive Data Discovery; Privilege Analysis; Security Assessment; Data Encryption; Key Management; Crypto Toolkit for Applications; Row Level Security; DBA & Operation Controls; Database Firewall; Real Application Security; Label based Security; Data Redaction; Data Masking and Subsetting; Database Auditing; Centralized Monitoring; Alerting & Reporting

Comprehensive Defense In Depth Security from Oracle

ANNOUNCING: Database Security Assessment Tool (DBSAT)

Assess Your Risk Profile Before Hackers Do

What Hackers Try to Do: Fully and Quickly Map the Target with Automation

• Find DB/OS configuration vulnerabilities
• Identify and target privileged users
• Identify application vulnerabilities

Data Owner: Where to Start? What to Look For? Tools? Skills? Time?

• Is the DB securely configured? Patched?
• What could my users do? Risks?
• What sensitive data do I have?

Database Security Assessment Tool (DBSAT)

• Understand how (in)secure your database is
  – Is the database securely configured?
  – Who are the privileged users, and what risks do they carry?
  – Discover your sensitive data for regulations (sensitive data discovery arrives in an upcoming release)
• Actionable reports
  – Summary and detailed reports
  – Prioritized recommendations
• Analyzes Oracle Database 10g and later
• Stand-alone command-line tool: quick, easy
• Availability: v1 now; v2 coming soon
• FREE to current Oracle customers

DBSAT Summary Output (screenshots)

Privileges and Roles - Users with DBA role
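The two questions behind this report, answered directly from the data dictionary. This is an added example, not DBSAT's own code: it assumes Oracle Database 12c or later, a session with SELECT on the DBA_* views and the CAPTURE_ADMIN role, and a hypothetical capture name. DBSAT reports the first part (who holds DBA); the second part uses privilege analysis to show whether those grants are exercised, which is what you need to decide what to take away.

```sql
-- Added example (not DBSAT code): who holds DBA, and which of its privileges get used.
-- Oracle Database 12c or later. Run as a user with SELECT on the DBA_* views and the
-- CAPTURE_ADMIN role. The capture name is hypothetical.

-- 1. Who holds DBA, directly or through nested roles?
--    DBA_ROLE_PRIVS.GRANTEE may itself be a role, so walk the grant graph upward.
--    Oracle rejects circular role grants, so the recursion always terminates.
WITH dba_holders (grantee, admin_option, grant_chain) AS (
  SELECT grantee, admin_option, grantee || ' -> DBA'
  FROM   dba_role_privs
  WHERE  granted_role = 'DBA'
  UNION ALL
  SELECT r.grantee, r.admin_option, r.grantee || ' -> ' || h.grant_chain
  FROM   dba_role_privs r
  JOIN   dba_holders h ON r.granted_role = h.grantee
)
SELECT h.grantee        AS username,
       u.account_status,
       u.last_login,                       -- NULL means never logged in: a removal candidate
       h.admin_option,                     -- 'YES' means the account can hand DBA to others
       h.grant_chain
FROM   dba_holders h
JOIN   dba_users   u ON u.username = h.grantee
WHERE  u.oracle_maintained = 'N'           -- leave SYS, SYSTEM and other Oracle-owned accounts out
ORDER  BY h.grantee, h.grant_chain;

-- 2. Of the privileges DBA confers, which are actually exercised?
--    Privilege analysis records privilege use while a capture is enabled.
BEGIN
  DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE(
    name        => 'dba_role_usage',
    description => 'Privileges used through the DBA role',
    type        => DBMS_PRIVILEGE_CAPTURE.G_ROLE,
    roles       => role_name_list('DBA'));
  DBMS_PRIVILEGE_CAPTURE.ENABLE_CAPTURE(name => 'dba_role_usage');
END;
/

-- Let representative workload run (include batch windows and month-end), then:
BEGIN
  DBMS_PRIVILEGE_CAPTURE.DISABLE_CAPTURE(name => 'dba_role_usage');
  DBMS_PRIVILEGE_CAPTURE.GENERATE_RESULT(name => 'dba_role_usage');
END;
/

-- Privileges that were used: the minimum a replacement role must grant.
SELECT username, used_role, sys_priv, obj_priv, object_owner, object_name
FROM   dba_used_privs
WHERE  capture = 'dba_role_usage'
ORDER  BY username, sys_priv, object_owner, object_name;

-- Privileges that were never used: the over-grant to remove.
SELECT username, sys_priv, obj_priv, object_owner, object_name
FROM   dba_unused_privs
WHERE  capture = 'dba_role_usage'
ORDER  BY username, sys_priv;

-- Drop the capture once the report is archived (its results go with it):
-- EXEC DBMS_PRIVILEGE_CAPTURE.DROP_CAPTURE(name => 'dba_role_usage');
```

Run the capture long enough to cover the rare paths (quarter-end jobs, restores, patching); a privilege that looks unused over a quiet week is exactly the one that breaks an operation later. Privilege analysis was licensed with Database Vault on some 12c releases, so check the licensing guide for your version before enabling it.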

Sensitive Data Summary Report (screenshots)

For More Details

• Dedicated session on DBSAT: today, 5:45 p.m. - 6:30 p.m., Moscone West - Room 3011
• Demogrounds: SOA-074, Moscone West
• http://www.oracle.com/technetwork/database/security/dbsat.html
• Download DBSAT from https://go.oracle.com/LP=38340
• Watch for the v2 announcement

Preview: Data Security Cloud Service (DSCS), Security Unified and Simplified

Strategy for Securing Cloud Databases

2015, DBCS: built-in security
• With all Cloud databases
  – Transparent Data Encryption
  – Network encryption
• With High/Extreme DBCS
  – Database Vault
  – Data Masking and Subsetting
  – Data Redaction
  – Label Security
  – DB Lifecycle Management

2016, Hybrid: control and visibility
• Hybrid support: same security infrastructure for cloud and on-premise databases
  – Key Vault on premise
  – Audit Vault on premise
• Fusion SaaS
  – Database Vault
  – Data Masking
  – Transparent Data Encryption

2017+, Services: security cloud services
• Infrastructure Cloud Security
  – Security and Monitoring Analytics
  – IT Compliance
• Data Security Cloud Service
  – Discovery (plans)
  – Masking (plans)
  – Audit (plans)

Continuing Innovations: Strengthen Security, Simplify Operations (Audit Vault, Key Vault)

Enterprise User Management

As shown on the slide: the DB user authenticates to Oracle Database with a password, Kerberos or PKI; Oracle Database consults Oracle Directory Services for authentication data, authorization data, user/role mappings and enterprise domains. In the second variant, Microsoft Active Directory is the source of users and groups and of the DB password verifier, which are synchronized into Oracle Directory Services.

Centrally Managed Users Directly in Active Directory (NEW)

Oracle Database maps users and roles directly against Microsoft Active Directory, which holds the user/group entries and the DB password verifier; the DB user authenticates with a password, Kerberos or PKI, with no Oracle Directory Services in between.

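What the user/role mapping in the diagram looks like from the database side. This is an added example, not code from the deck: it assumes Oracle Database 18c or later with Centrally Managed Users already configured (dsi.ora pointing at the AD domain, and the wallet holding the AD service-account credentials, as described in the Oracle Database Security Guide); every DN, schema and role name below is hypothetical.

```sql
-- Added example: mapping Active Directory groups and users to a database with Centrally
-- Managed Users. Assumes Oracle Database 18c+ with CMU configured (dsi.ora and the AD
-- service-account wallet). All DNs, schema and role names are hypothetical.
-- Run as a user with CREATE USER and CREATE ROLE.

-- Shared schema: every member of the AD group connects as HR_APP_USERS, but with their own
-- AD credentials. The database stores no password for this account.
CREATE USER hr_app_users IDENTIFIED GLOBALLY AS
  'CN=HR App Users,OU=Groups,DC=example,DC=com';
GRANT CREATE SESSION TO hr_app_users;

-- Exclusive schema for one AD user: map the user's own DN rather than a group DN.
CREATE USER jdoe IDENTIFIED GLOBALLY AS
  'CN=Jane Doe,OU=People,DC=example,DC=com';
GRANT CREATE SESSION TO jdoe;

-- Global role: held only while the AD account is a member of the mapped group.
-- It cannot be handed out with GRANT or switched on with SET ROLE from inside the
-- database, so AD group membership becomes the single place authorization is managed.
CREATE ROLE hr_reader IDENTIFIED GLOBALLY AS
  'CN=HR Readers,OU=Groups,DC=example,DC=com';
GRANT SELECT ON hr.employees TO hr_reader;

-- Verify the mappings. AUTHENTICATION_TYPE = 'GLOBAL' marks directory-managed
-- principals; EXTERNAL_NAME holds the mapped DN.
SELECT username, authentication_type, external_name
FROM   dba_users
WHERE  authentication_type = 'GLOBAL';

SELECT role, authentication_type
FROM   dba_roles
WHERE  authentication_type = 'GLOBAL';

-- From a session opened by an AD user: the shared schema versus the real identity.
-- Audit and alert on the AD identity, not on the shared schema name.
SELECT SYS_CONTEXT('USERENV', 'SESSION_USER')           AS schema_user,
       SYS_CONTEXT('USERENV', 'AUTHENTICATED_IDENTITY') AS ad_identity,
       SYS_CONTEXT('USERENV', 'ENTERPRISE_IDENTITY')    AS ad_dn
FROM   dual;
```

Password logins through this path need the Oracle password filter installed on the domain controllers so that AD holds the database password verifier shown in the diagram; Kerberos and PKI logins do not. Whichever you use, the shared schema means SESSION_USER alone no longer identifies a person, so audit policies and alerts must key on AUTHENTICATED_IDENTITY or ENTERPRISE_IDENTITY.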

Continuing Innovations for Data-at-Rest Encryption

TDE innovations and details:

• Transparency: no changes to the application stack
• Performance impact: minimal
• Wallet management: SSO (auto-login); wallets used to share keys across RAC, GoldenGate, ADG
• Master key management: master key is externalized for physical separation from encrypted data
• Full-stack integration: DB technology (redo logs, temp/undo segments), RAC, Multitenant, GoldenGate, Active Data Guard, Exadata
• FIPS 140-2 Level 1: FIPS algorithms and processing through FIPS-inside libraries
• Migration of data: offline and online tablespace conversion from clear-text data

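The online tablespace conversion and externalized master key from the list above, carried through end to end. This is an added example, not code from the deck: it assumes Oracle Database 12.2 or later with Advanced Security, a keystore location already configured (sqlnet.ora ENCRYPTION_WALLET_LOCATION on 12.2; WALLET_ROOT and TDE_CONFIGURATION on 18c and later), the SYSKM privilege, and hypothetical paths, tablespace names and passwords.

```sql
-- Added example: moving an existing clear-text tablespace to TDE with online conversion,
-- then verifying. Assumes Oracle 12.2+ with Advanced Security, a configured keystore
-- location, the SYSKM privilege, and hypothetical paths, names and passwords.

-- 1. Keystore and master key. The master key lives only in the keystore (or in Key Vault
--    when TDE is pointed at it), never in the datafiles it protects; a lost keystore is
--    lost data, hence WITH BACKUP on every key operation.
ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '/u01/app/oracle/admin/orcl/wallet'
  IDENTIFIED BY "change-this-keystore-password";
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN
  IDENTIFIED BY "change-this-keystore-password";
ADMINISTER KEY MANAGEMENT SET KEY
  IDENTIFIED BY "change-this-keystore-password" WITH BACKUP;

-- Optional auto-login keystore (the "SSO" item above): the instance opens it at startup
-- without the password. Protect the .sso file at least as tightly as the password one.
ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE
  FROM KEYSTORE '/u01/app/oracle/admin/orcl/wallet'
  IDENTIFIED BY "change-this-keystore-password";

-- 2. Online conversion: the tablespace stays open for reads and writes while its datafile
--    is rewritten encrypted under a new name (FILE_NAME_CONVERT is required unless the
--    database uses Oracle Managed Files).
ALTER TABLESPACE app_data
  ENCRYPTION ONLINE USING 'AES256' ENCRYPT
  FILE_NAME_CONVERT = ('app_data01.dbf', 'app_data01_enc.dbf');

-- Sort spill in TEMP also carries sensitive values. TEMP cannot be converted in place:
-- create an encrypted one, make it the default, drop the old one. (Which of SYSTEM,
-- SYSAUX and UNDO accept online conversion depends on the release; check its
-- Advanced Security Guide before running the same ALTER against them.)
CREATE TEMPORARY TABLESPACE temp_enc
  TEMPFILE '/u01/app/oracle/oradata/ORCL/temp_enc01.dbf' SIZE 1G
  ENCRYPTION USING 'AES256' ENCRYPT;
ALTER DATABASE DEFAULT TEMPORARY TABLESPACE temp_enc;
DROP TABLESPACE temp INCLUDING CONTENTS AND DATAFILES;

-- 3. Verify: keystore open and backed up, a key present and activated, the tablespaces
--    listed as encrypted, and nothing sensitive left in the clear.
SELECT wrl_type, wrl_parameter, status, wallet_type, fully_backed_up
FROM   v$encryption_wallet;

SELECT key_id, creation_time, activation_time, backed_up
FROM   v$encryption_keys;

SELECT t.name, e.encryptionalg, e.encryptedts, e.status
FROM   v$tablespace t
JOIN   v$encrypted_tablespaces e ON e.ts# = t.ts#;

SELECT tablespace_name, contents
FROM   dba_tablespaces
WHERE  encrypted = 'NO';

-- 4. Rotate the master key later without touching the data: the per-tablespace data keys
--    are re-wrapped under the new master key; encrypted blocks are not rewritten.
-- ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY "change-this-keystore-password" WITH BACKUP;
```

Run the final DBA_TABLESPACES query after every conversion project; a tablespace added later by a script that forgot the ENCRYPTION clause is the usual way clear-text data reappears. To move the master key into Key Vault instead of a file keystore, the same ADMINISTER KEY MANAGEMENT statements apply once TDE is configured to use it as the keystore.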

Continuing Innovations for Centralized Key Management

Key Vault innovations and details:

• Wallet and Java KeyStore management: centrally store, retrieve, and share across RAC, GoldenGate, ADG
• Online TDE master key: removes wallet management operations, provides physical separation
• Supported endpoints: Oracle Databases, Middleware, MySQL TDE, Solaris Crypto, ACFS
• Availability: primary and standby; standby automatically becomes primary
• Scalability: manage multiple hundreds of databases
• Hybrid cloud key management: maintain control and visibility of cloud keys from an on-premise Key Vault
• Integration with HSM: support for a hardware security module as root of trust (SafeNet, Thales)
• Persistent cache: improves database continuity when the Key Vault server is unreachable
• Read-only restricted mode: improves database continuity and ensures no key loss by limiting updates

Continuing Innovations in Audit Vault and Database Firewall

• Expanded coverage
  – Hybrid Cloud for Exadata Express and DBCS
  – Before/After values report with Client_ID
  – Updated platform support for targets: OL 6.8-7.3, RHL 7.0, IBM DB2 LUW 11.1
• Infrastructure improvements
  – Improved audit data collection performance with tuned partitioning
  – Multiple backup targets for faster backup
  – Support for multiple network cards for segmentation

Figure labels: Audit Data, Event Logs; Database Firewall; Network Events; Audit Vault; Policies; Reports; Alerts; Database Cloud Service, Exadata Express CS, Exadata CS.

European Union General Data Protection Regulation (EU-GDPR): Strong Privacy Measures for EU Data Subjects

EU-GDPR Overview

• Strong data privacy measures for EU resident data, to protect data from misuse, disclosure, and theft
• EU data subjects granted rights to consent withdrawal, data erasure, and information on how data is used
• Applies to ALL privacy data: PII, PHI, IT, social, political, cookies, logs, ...
• Applies to ALL industries, whether on-premise or cloud, globally
• Fines up to 4% of global revenue
• Deadline May 25, 2018
• Similar laws likely to spread globally

Roles shown on the slide: Data Subjects, Controller, Processor, Third Party, Data Protection Officer, Supervisory Authority.

Key EU-GDPR Privacy Control Requirements

• Privacy-by-Design through the data life-cycle
  – Creation
  – Usage
  – Test/dev
  – Backup
  – Integration, ...
• Comprehensive foundation controls
  – Impact assessment
  – Sensitive data discovery
  – Encryption
  – Masking
  – Monitoring
  – Authorized access, ...
• Application-specific controls
  – Right-to-be-forgotten
  – Right-to-restrict-usage
  – Right-to-rectification
  – Data-minimization, ...
• Notify authorities of data breaches within 72 hours

EU-GDPR Articles and Mapping to Oracle Security

GDPR Article | Protection Mechanism | Assisted by Oracle Security Offerings

Article 35 | Data Protection Impact Assessment | Configuration & Compliance Cloud Service; Database Security Assessment Tool (DBSAT)
Article 32 | Pseudonymization and encryption of personal data | Advanced Security, Key Vault
Article 25, 29 | Data protection by design and by default; Processing under the authority | Database Vault
Article 30, 33 | Notification of a personal data breach | Audit Vault and Database Firewall; Security Monitoring and Analytics Cloud Service
Article 18, 25, 32 | Right to restriction of processing; Data protection by design and by default | Label Security
Articles 25, 32 | Pseudonymization and encryption of personal data; Data minimization | Data Masking and Subsetting
Article 25 | Data Protection by Design and Default | All of the above

What Organizations Need to Do

• Work with competent legal advisors to determine your responsibilities under EU GDPR
• Appoint Data Protection Officers (DPO) that work with Supervisory Authorities
• Prepare a Data Protection Impact Assessment that identifies sensitive data, locations, and security controls
• Implement GDPR practices / procedures
• Start NOW: the deadline (May 25, 2018) is fast approaching

For More Details

• Full Oracle OpenWorld session: Tuesday, Oct 04, 3:45 p.m. – 4:30 p.m., Moscone West - Room 3011. Speakers: Oracle, Capgemini
• Demo grounds: SOA-074, Moscone West
• For more papers and resources: https://www.oracle.com/uk/corporate/features/gdpr.html

In Closing...

Don't Let Your Data Assets Become a Liability

Secure Your Data, Secure Your Business

Oracle Database Security ebook

Comprehensive View of Threats and Database Security Controls
https://www.oracle.com/database/security/index.html
Second Edition (coming soon) adds EU-GDPR, Cloud, Security Assessment

Oracle Database Security Strategy

• SECURITY INSIDE-OUT: security close to the data eliminates guesswork, maximizes performance, application transparency
• CLOUD DEPLOYMENTS: pure cloud and hybrid; built-in security, on-premise hybrid controls, data security cloud services, ...
• DEFENSE-IN-DEPTH SECURITY CONTROLS: overlapping controls; encryption, masking, auditing, monitoring, access control, redaction, ...
• ANTICIPATE THREATS & MITIGATE RISKS: Transparent Data Encryption, DBA Control, Redaction, Masking, Privilege Analysis, DB Firewall, RAS, ...

Visit Database Security in the Demo Grounds: SOA-71, SOA-72, SOA-73, SOA-74, Moscone West

Database Security at Oracle OpenWorld 2017

Session | Title | Speaker | Location | Date & Time

CON6574 | NEW FEATURE! Centralized Database User Management Using Active Directory | Oracle, Epsilon | Moscone West - 3011 | Mon., 3:15-4:00
CON6575 | NEW! Database Security Assessment Tool Discovers Top Security Risks | Oracle | Moscone West - 3011 | Mon., 5:45-6:30
CON6573 | Data Management and Security in the GDPR Era | Oracle, Capgemini | Moscone West - 3011 | Tues., 3:45-4:30
CON6580 | Encrypt Your Crown Jewels and Manage Keys Efficiently with Oracle Key Vault | Oracle | Moscone West - 3011 | Tues., 4:45-5:30
CON6576 | Accelerate Your Compliance Program with Oracle Audit Vault and Database Firewall | Oracle, Symantec | Moscone West - 3011 | Tues., 5:45-6:30
CON6572 | Inside the Head of a Database Hacker | Oracle | Moscone West - 3014 | Wed., 11:00-11:45
CON6618 | Sneak Preview: Oracle Data Security Cloud Service | Oracle | Moscone West - 3011 | Wed., 2:00-2:45

Safe Harbor Statement

The preceding is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
