Security for Heterogeneous Environments


Security, Oracle

Transcript of Security for Heterogeneous Environments

Page 1: Security for Heterogeneous Environments

Page 2: Security for Heterogeneous Environments


Security for Heterogeneous Environments

Federman Hoyos, IT Solution Architect

Page 3: Security for Heterogeneous Environments

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.

Page 4: Security for Heterogeneous Environments

Your Information Assets Across Heterogeneous Databases

[Figure: information assets by domain: Finance, Product, Customer, Clinical Trials, Employee]

Page 5: Security for Heterogeneous Environments

Your Information Asset Lifecycle: Shared with 3rd Parties

• Almost 50% of all organizations exposed Production data in non-Production environments

• Only 16% have a system in place for de-identifying sensitive data

[Figure: third parties receiving the data: Application Developers, IT Service Providers, Business Partners, Market Research, Clinical Research]

Page 6: Security for Heterogeneous Environments

Your Information Asset Protection Challenge

• Ensure comprehensive protection of your information assets across heterogeneous enterprise databases

• Reduce information lifecycle costs through automation

[Figure: third parties receiving the data: Application Developers, IT Service Providers, Business Partners, Market Research, Clinical Research]

Page 7: Security for Heterogeneous Environments

Secure Test System Deployments

Production:

LAST_NAME  SSN          SALARY
SMITH      111-23-1111  60,000
MILLER     222-34-1345  40,000

Test:

LAST_NAME  SSN          SALARY
AGUILAR    203-33-3234  40,000
BENSON     323-22-2943  60,000

Page 8: Security for Heterogeneous Environments

How: Secure Test System Deployments

• Deploy secure test system by masking sensitive data
• Sensitive data never leaves the database
• Extensible template library and policies for automation
• Sophisticated masking: Condition-based, compound, deterministic
• Integrated masking and cloning
• Leverage masking templates for common data types


Page 9: Security for Heterogeneous Environments

Data Masking using Oracle Enterprise Manager: Centrally controlled. Globally managed.

• Monitoring
• Performance Diagnostics
• Patching & Provisioning
• Configuration Management
• Data Masking

Page 10: Security for Heterogeneous Environments

Data Masking Methodology

• Find: Catalog and identify sensitive data across enterprise databases

• Assess: Define the optimal data masking techniques

• Secure: Automate non-production systems through data masking

• Test: Ensure the integrity of applications through testing

Production:

LAST_NAME  SSN          SALARY
SMITH      111-23-1111  40,000
JOHNSON    222-34-1345  60,000

Non-Production:

LAST_NAME  SSN          SALARY
AGUILAR    203-33-3234  40,000
BENSON     323-22-2943  60,000

Page 11: Security for Heterogeneous Environments

FIND > ASSESS > SECURE > TEST

FIND: Catalog and identify sensitive data across enterprise databases

Page 12: Security for Heterogeneous Environments

Catalog Sensitive Data in Your Enterprise Databases

• Person Name
• Maiden Name
• Business Address
• Business Telephone Number
• Business Email Address
• Custom Name
• Employee Number
• User Global Identifier
• Party Number or Customer Number
• Account Name
• Mail Stop
• GPS Location
• Student Exam Hall Ticket Number
• Club Membership ID
• Library Card Number
• Identity Card Number
• Instant Messaging Address
• Web site
• National Identifier
• Passport Number
• Driver’s License Number
• Personal Address
• Personal Telephone Number
• Personal Email Address
• Visa Number or Work Permit
• Bank Account Number
• Card Number (Credit or Debit Card Number)
• Tax Registration Number or National Tax ID
• Person Identification Number
• Welfare Pension Insurance Number
• Unemployment Insurance Number
• Government Affiliation ID
• Military Service ID
• Social Insurance Number
• Pension ID Number
• Article Number
• Civil Identifier Number
• Hafiza Number
• Social Security Number
• Trade Union Membership Number
• Pension Registration Number
• National Insurance Number
• Health Insurance Number
• Personal Public Service Number
• Electronic Taxpayer Identification Number
• Biometrics Data
• Digital ID
• Citizenship Number
• Voter Identification Number
• Residency Number (Green Card)

• Business-driven
• Criteria:

– Violate government regulations

– Violate business regulations

– Damage shareholder value through loss of: market capital, valuation, reputation, customers, lawsuits

Page 13: Security for Heterogeneous Environments

FIND > ASSESS > SECURE > TEST

ASSESS: Define the optimal data masking techniques

Page 14: Security for Heterogeneous Environments

Comprehensive Mask Formats: Mask Primitives and User-extensible Mask Formats

• Mask primitives

– Simple mask formats: ALPHA, NUMERIC, DATE

– Simple mask techniques: SHUFFLE, RANDOMIZE, LOOKUP TABLE

• Ensures consistent enforcement of policies: define once, apply everywhere

• Accelerates solution deployment of masking: mask formats for common sensitive data

• Enables customization of business rules: extensible mask routines

Page 15: Security for Heterogeneous Environments

Mask Definition: Associate Mask Formats with Identified Sensitive Columns

• Automatic discovery and enforcement of referential integrity

• Registration and enforcement of referential integrity when entered as related columns

– Application-enforced referential integrity

– Business-process based data relationships

– Non-Oracle database based referential integrity

• Imported via XML generated via SQL against metadata

Page 16: Security for Heterogeneous Environments

FIND > ASSESS > SECURE > TEST

SECURE: Automate non-production systems through data masking

Page 17: Security for Heterogeneous Environments

Test System Setup for Oracle Databases: Creating Test Databases from Production

• Enterprise Manager out-of-the-box workflows
• RMAN-based clone-and-masking (Recommended)
• Export-Import
• Backup and Restore
• Transportable Tablespace

[Figure: the Production DB (app metadata, DB dictionary data, business data tables T1 to T5) is cloned to a Test DB, where the business data is then masked.]

Page 18: Security for Heterogeneous Environments

Test System Setup for non-Oracle Databases: Creating Test Databases from Production using Oracle Gateways

Masking Process

1. Production data copied to Test

2. Sensitive data copied to Staging

3. Sensitive data masked in Staging

4. Masked data copied from Staging to Test

5. Truncate Data in Stage Database

[Figure: Production DB, Test DB and Staging DB (each with app metadata, DB dictionary data and business data tables T1 to T5) connected through a database gateway; steps 1 to 4 above are numbered on the arrows, with the mask applied in the Staging DB.]
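The five staging steps above, together with the mask primitives (SHUFFLE, LOOKUP TABLE, deterministic masking) and the referential-integrity requirement from the Mask Definition slide, as an added worked example. This is illustrative code written for this transcript, not Oracle Data Masking or Enterprise Manager code: it simulates the Production, Staging and Test databases with in-memory SQLite, and the table names, sample rows, replacement-name list and masking key are constructed placeholders.

```python
import hashlib
import hmac
import random
import sqlite3

# Constructed sample production rows (column names follow the slide; values are made up).
PRODUCTION_EMPLOYEES = [
    (1, "SMITH", "111-23-1111", 60000),
    (2, "MILLER", "222-34-1345", 40000),
    (3, "JOHNSON", "333-45-6789", 55000),
]
# benefits references employees by SSN: application-enforced referential integrity
PRODUCTION_BENEFITS = [
    ("111-23-1111", "DENTAL"),
    ("222-34-1345", "VISION"),
    ("333-45-6789", "DENTAL"),
]
LOOKUP_LAST_NAMES = ["AGUILAR", "BENSON", "CHEN", "DUBOIS"]  # LOOKUP TABLE primitive (constructed)
MASK_KEY = b"constructed-demo-key"  # hypothetical masking key; kept out of the test environment in practice

SCHEMA = """
CREATE TABLE employees (emp_id INTEGER PRIMARY KEY, last_name TEXT, ssn TEXT, salary INTEGER);
CREATE TABLE benefits (ssn TEXT, plan TEXT);
"""
TABLES = {"employees": 4, "benefits": 2}  # table -> column count


def mask_ssn(ssn, key=MASK_KEY):
    """Deterministic, format-preserving mask: the same SSN always maps to the same fake SSN."""
    digest = hmac.new(key, ssn.encode(), hashlib.sha256).digest()
    digits = "".join(str(b % 10) for b in digest[:9])
    return f"{digits[:3]}-{digits[3:5]}-{digits[5:]}"


def mask_name(name, key=MASK_KEY):
    """Deterministic LOOKUP TABLE mask: picks a replacement name from a fixed list."""
    idx = int.from_bytes(hmac.new(key, name.encode(), hashlib.sha256).digest()[:4], "big")
    return LOOKUP_LAST_NAMES[idx % len(LOOKUP_LAST_NAMES)]


def shuffle_values(values, seed=7):
    """SHUFFLE primitive: keeps the set and distribution of values, breaks the link to the row."""
    out = list(values)
    random.Random(seed).shuffle(out)
    return out


def new_db(employees=(), benefits=()):
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO employees VALUES (?, ?, ?, ?)", employees)
    db.executemany("INSERT INTO benefits VALUES (?, ?)", benefits)
    return db


def copy_table(src, dst, table):
    rows = src.execute(f"SELECT * FROM {table}").fetchall()
    dst.execute(f"DELETE FROM {table}")
    dst.executemany(f"INSERT INTO {table} VALUES ({', '.join('?' * TABLES[table])})", rows)


def build_test_db(prod):
    """Runs the five staging steps from the slide and returns (staging, test)."""
    staging, test = new_db(), new_db()
    for table in TABLES:
        copy_table(prod, test, table)     # 1) production data copied to Test
        copy_table(prod, staging, table)  # 2) sensitive data copied to Staging
    # 3) sensitive data masked in Staging; salaries shuffled across rows
    emps = staging.execute("SELECT emp_id, last_name, ssn, salary FROM employees ORDER BY emp_id").fetchall()
    for (emp_id, name, ssn, _), salary in zip(emps, shuffle_values([e[3] for e in emps])):
        staging.execute("UPDATE employees SET last_name = ?, ssn = ?, salary = ? WHERE emp_id = ?",
                        (mask_name(name), mask_ssn(ssn), salary, emp_id))
    for rowid, ssn in staging.execute("SELECT rowid, ssn FROM benefits").fetchall():
        staging.execute("UPDATE benefits SET ssn = ? WHERE rowid = ?", (mask_ssn(ssn), rowid))
    for table in TABLES:
        copy_table(staging, test, table)         # 4) masked data copied from Staging to Test
        staging.execute(f"DELETE FROM {table}")  # 5) truncate data in the Staging database
    return staging, test


def verify(prod, test):
    """The 'Test' step: no production SSN survives, joins still work, salary distribution kept."""
    def salaries(db):
        return sorted(r[0] for r in db.execute("SELECT salary FROM employees"))
    prod_ssns = {r[0] for r in prod.execute("SELECT ssn FROM employees")}
    test_ssns = {r[0] for r in test.execute("SELECT ssn FROM employees")}
    orphans = test.execute(
        "SELECT COUNT(*) FROM benefits b LEFT JOIN employees e ON e.ssn = b.ssn WHERE e.ssn IS NULL"
    ).fetchone()[0]
    return {"leaked_ssns": len(prod_ssns & test_ssns), "orphan_benefits": orphans,
            "salary_set_preserved": salaries(prod) == salaries(test)}


def staging_is_empty(staging):
    return all(staging.execute(f"SELECT COUNT(*) FROM {t}").fetchone()[0] == 0 for t in TABLES)


if __name__ == "__main__":
    prod = new_db(PRODUCTION_EMPLOYEES, PRODUCTION_BENEFITS)
    staging, test = build_test_db(prod)
    print(test.execute("SELECT * FROM employees").fetchall())
    print(verify(prod, test), "staging empty:", staging_is_empty(staging))
```

The keyed, deterministic SSN mask is what keeps the employees/benefits join intact in the Test copy without a shared lookup table; the shuffle keeps the salary distribution for realistic testing while breaking the link to the person; and verify covers the checks a practitioner runs before handing the copy to developers or third parties.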

Page 19: Security for Heterogeneous Environments

FIND > ASSESS > SECURE > TEST

TEST: Ensure the integrity of applications through testing

Page 20: Security for Heterogeneous Environments

Auditing your Database Information

Oracle Database, IBM DB2, Microsoft SQL Server, Sybase ASE

Page 21: Security for Heterogeneous Environments

Why Audit?

• It's all about protecting sensitive data, maintaining customer trust, and protecting the business

• Trust-but-verify that your employees are only performing operations required by the business

– Detective controls to monitor what is really going on

– Reduce the curiosity seekers from looking at data

– Compliance demands that privileged users be monitored

• Know what is going on before others tell you

• Cost of compliance

– Eliminate costly and complex scripts for reporting

– Reduce reporting costs for specific compliance audits: SOX, PCI, HIPAA, SAS 70, STIG

Page 22: Security for Heterogeneous Environments

Database Auditing and Applications: Why Auditors Want to Audit Databases

• Monitor privileged application user accounts for non-compliant activity

• Audit non-application access to sensitive data (credit card, financial data, personally identifiable information, etc.)

• Verify that no one is trying to bypass the application controls/security

– PO line items are changed so they do not require more approvals

• Verify shared accounts are not being abused by non-privileged users

• Application bypass: use of application accounts to view application data

Page 23: Security for Heterogeneous Environments

What Do You Need To Audit?

Database Audit Requirements, by regulation (SOX, PCI DSS, HIPAA/HITECH, Basel II, FISMA, GLBA); each ● marks one regulation that requires the item:

Accounts, Roles & GRANT changes: ● ● ● ● ● ●

Failed Logins and other Exceptions: ● ● ● ● ● ●

Privileged User Activity: ● ● ● ● ● ●

Access to Sensitive Data (SELECTs…): ● ● ● ● ●

Data Changes (INSERT, UPDATE, …): ● ●

Schema Changes (DROP, ALTER…): ● ● ● ● ● ●

Page 24: Security for Heterogeneous Environments

Oracle Audit Vault: Trust-but-Verify

Audit sources: Oracle Database, IBM DB2, Microsoft SQL Server, Sybase ASE

• Consolidate and Secure Audit Data

• Out-of-the-Box Compliance Reports

• Alert on Security Threats

• Lower IT Costs With Entitlements & Audit Policies

Page 25: Security for Heterogeneous Environments

Oracle Audit Vault: Oracle Database Audit Support

• Database audit tables: collect audit data for standard and fine-grained auditing

• Oracle audit trail from OS files: collect audit records written in XML or standard text file

• Operating system Windows Event Viewer & SYSLOG: collect Oracle database audit records

• Redo log: extract before/after values and DDL changes to table

• Database Vault specific audit records

Page 26: Security for Heterogeneous Environments

Page 27: Security for Heterogeneous Environments

The Access Reports filter the audit content based on event and categories, such as Data Access (select, insert, update, delete, etc.) and User Sessions (login, logout, etc.). The Oracle Audit Vault Auditor’s Guide lists the events that are collected and mapped to the categories.

Page 28: Security for Heterogeneous Environments

The Entitlement Reports can be used by internal or external auditors to view Oracle database users and their privileges. You can view all Oracle databases and their users, or filter by an individual database to view its privileges. The compare capability provides a report on changes to user privileges from one snapshot time to another.

Page 29: Security for Heterogeneous Environments

The Alerts Report content can be accessed from the Dashboard, or you can view all alerts that have been generated at one time. The critical and warning alert reports track critical and warning alerts. An alert is raised when data in a single audit record matches a predefined alert rule condition.

Alerts can be defined for:

• Directly viewing sensitive columns
• Creating users on sensitive systems
• Role grants on sensitive systems
• “DBA” grants on all systems
• Failed logins for application user
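The five alert rules listed above, and the snapshot compare from the Entitlement Reports note two slides earlier, as an added example in Python. This is not Oracle Audit Vault code: it matches each constructed audit record on its own against a small rule set (one record, one condition, as the slide states) and diffs two constructed privilege snapshots. The system names, user names, severities and the sensitive-column list are constructed for the example.

```python
from collections import Counter, namedtuple

# Constructed classification data (hypothetical system, user and column names).
SENSITIVE_SYSTEMS = {"HR_PROD", "FIN_PROD"}
SENSITIVE_COLUMNS = {"HR.EMPLOYEES": {"SSN", "SALARY"}}
APP_USERS = {"APPUSER"}  # accounts the application tier connects with

Alert = namedtuple("Alert", "severity rule record")


def direct_view_of_sensitive_column(r):
    # SELECT on a sensitive column by anything other than the application account
    cols = SENSITIVE_COLUMNS.get(r.get("object"), set())
    return r["action"] == "SELECT" and r["user"] not in APP_USERS and bool(cols & set(r.get("columns", ())))


def user_created_on_sensitive_system(r):
    return r["action"] == "CREATE USER" and r["db"] in SENSITIVE_SYSTEMS


def role_grant_on_sensitive_system(r):
    return r["action"] == "GRANT" and r.get("grant_type") == "ROLE" and r["db"] in SENSITIVE_SYSTEMS


def dba_grant_anywhere(r):
    return r["action"] == "GRANT" and r.get("privilege") == "DBA"


def failed_login_for_app_user(r):
    return r["action"] == "LOGON" and r.get("status") == "FAILED" and r["user"] in APP_USERS


# (severity, rule name, condition) in the order the slide lists them; severities are constructed
RULES = [
    ("critical", "Directly viewing sensitive columns", direct_view_of_sensitive_column),
    ("critical", "Creating users on sensitive systems", user_created_on_sensitive_system),
    ("warning", "Role grants on sensitive systems", role_grant_on_sensitive_system),
    ("critical", "DBA grants on all systems", dba_grant_anywhere),
    ("warning", "Failed logins for application user", failed_login_for_app_user),
]


def evaluate_alerts(records):
    """A single audit record is matched on its own against each rule condition."""
    return [Alert(sev, name, rec) for rec in records for sev, name, cond in RULES if cond(rec)]


def alert_summary(alerts):
    """Dashboard-style counts, e.g. {'critical': 3, 'warning': 2}."""
    return dict(Counter(a.severity for a in alerts))


def compare_entitlements(before, after):
    """Entitlement compare: privileges added/removed per user between two snapshots."""
    changes = {}
    for user in sorted(set(before) | set(after)):
        added = after.get(user, set()) - before.get(user, set())
        removed = before.get(user, set()) - after.get(user, set())
        if added or removed:
            changes[user] = {"added": sorted(added), "removed": sorted(removed)}
    return changes


# Constructed audit records, already normalised from whatever trail they came from.
SAMPLE_AUDIT = [
    {"db": "HR_PROD", "user": "APPUSER", "action": "SELECT", "object": "HR.EMPLOYEES", "columns": ["SSN"]},
    {"db": "HR_PROD", "user": "JSMITH", "action": "SELECT", "object": "HR.EMPLOYEES", "columns": ["SALARY"]},
    {"db": "HR_PROD", "user": "DBA1", "action": "CREATE USER", "object": "TEMPUSR"},
    {"db": "FIN_PROD", "user": "DBA1", "action": "GRANT", "grant_type": "ROLE", "privilege": "FIN_READ", "object": "TEMPUSR"},
    {"db": "DEV01", "user": "DBA1", "action": "GRANT", "grant_type": "ROLE", "privilege": "DBA", "object": "TEMPUSR"},
    {"db": "HR_PROD", "user": "APPUSER", "action": "LOGON", "status": "FAILED"},
    {"db": "HR_PROD", "user": "JSMITH", "action": "LOGON", "status": "FAILED"},
]

# Constructed privilege snapshots for the entitlement compare.
SNAPSHOT_BEFORE = {"JSMITH": {"CONNECT"}, "DBA1": {"DBA"}}
SNAPSHOT_AFTER = {"JSMITH": {"CONNECT", "FIN_READ"}, "DBA1": {"DBA"}, "TEMPUSR": {"DBA"}}

if __name__ == "__main__":
    alerts = evaluate_alerts(SAMPLE_AUDIT)
    for a in alerts:
        print(f"[{a.severity}] {a.rule}: {a.record['user']} on {a.record['db']}")
    print(alert_summary(alerts))
    print(compare_entitlements(SNAPSHOT_BEFORE, SNAPSHOT_AFTER))
```

Note that the DBA grant on DEV01 fires only the "all systems" rule, while the same grant on a sensitive system would fire both the role-grant and DBA-grant rules, which is the intended overlap: the two rules answer different questions.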

Page 30: Security for Heterogeneous Environments

Oracle Audit Vault Audit Trail Clean-Up: DBMS_AUDIT_MGMT

• Automatically deletes Oracle audit trails from target after they are securely inserted into Audit Vault

• Reduces DBA manageability challenges with audit trails

[Figure: Database to Audit Vault flow: 1) Transfer audit trail data; 2) Update last inserted record; 3) Delete older audit records]

Page 31: Security for Heterogeneous Environments

Setting Client Identifier with Applications

• Any application running on Oracle database can set the client identifier

[Figure: User A and User B connect through the Oracle Application Server to the Oracle Database; the application sets client_info to User A, then resets client_info to User B; the audit record uses client_identifier]

Page 32: Security for Heterogeneous Environments

Protecting access to your Databases

Page 33: Security for Heterogeneous Environments

Page 34: Security for Heterogeneous Environments

Existing Security Solutions Not Enough: Data Must Be Protected at the Source

[Figure: application database administrators and database application users, facing threats such as botware, malware, key loggers, espionage, spear phishing, SQL injection and social engineering]

Page 35: Security for Heterogeneous Environments

SQL Injection Review: The biggest danger to cyber security

[Figure: millions of attacks reach the App Server and Database; a successful attack leads to data and/or credential theft and malware injection through SQL commands. With a Database Firewall in front of the App Server and Database, attacks are blocked and logged.]

• Successful attack

– Query database

– Modify data

– Deliver malware

• Implications

– Lost data

– Monetary theft

– Steal credentials / deny service

Page 36: Security for Heterogeneous Environments

Oracle Database Firewall: First Line of Defense

• Monitor database activity to prevent unauthorized database access, SQL injections, privilege or role escalation, illegal access to sensitive data, etc.

• Highly accurate SQL grammar based analysis without costly false positives

• Flexible SQL level enforcement options based on white lists and black lists

• Scalable architecture provides enterprise performance in all deployment modes

• Built-in and custom compliance reports for SOX, PCI, and other regulations

[Figure: SQL from applications passes through the firewall's policies (built-in reports, alerts, custom reports); each statement is blocked, logged, allowed, alerted on, or substituted]

Page 37: Security for Heterogeneous Environments

Oracle Database Firewall: Positive Security Model

• “Allowed” behavior can be defined for any user or application

• Whitelist can take into account built-in factors such as time of day, day of week, network, application, etc.

• Automatically generate whitelists for any application

• Transactions found not to match the policy instantly rejected

• Database will only process data how you want and expect

[Figure: statements from applications are checked against a White List; matching statements are allowed, the rest blocked]

Page 38: Security for Heterogeneous Environments

Oracle Database Firewall: Negative Security Model

• Stop specific unwanted SQL commands, user or schema access

• Prevent privilege or role escalation and unauthorized access to sensitive data

• Blacklist can take into account built-in factors such as time of day, day of week, network, application, etc.

• Selectively block any part of transaction in context to your business and security goals

[Figure: statements from applications are checked against a Black List; matching statements are blocked, the rest allowed]

Page 39: Security for Heterogeneous Environments

Oracle Database Firewall: Policy Enforcement

• Innovative SQL grammar technology reduces millions of SQL statements into a small number of SQL characteristics or “clusters”

• Superior performance and policy scalability

• Flexible enforcement at SQL level: block, substitute, alert and pass, log only

• SQL substitution foils attackers without disrupting applications

• Zero day protection without false positives

Substitution example: SELECT * FROM accounts becomes SELECT * FROM dual where 1=0

[Figure: statements from applications are blocked, logged, allowed, alerted on, or substituted according to policy]

Page 40: Security for Heterogeneous Environments

Reporting: Speeding deployment means lower cost

• Database Firewall log data consolidated into reporting database

• Over 130 built-in reports that can be modified/customized

• Entitlement report for database attestation

• Activity and privileged user reports

• Supports demonstrating PCI, SOX, HIPAA, etc.

• Write your own reports

Unique to Oracle

Page 41: Security for Heterogeneous Environments

Oracle Database Firewall: Database Activity Masking

• Prevents creating yet another database with sensitive and regulated data

• Sensitive and regulated information contained in SQL statements can be masked or redacted in real-time prior to being logged

• Flexible masking policies allow masking all data or just specific columns

• Critical for organizations who want to monitor and log all database activity
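How the clustering, whitelist/blacklist enforcement and substitution described on the Policy Enforcement slide fit together, and how the same literal-stripping masks sensitive values before a statement is logged (this Database Activity Masking slide), as an added example in Python. It is not Oracle Database Firewall code: literals are replaced with a placeholder to form a cluster signature, a whitelist is generated from constructed application traffic, and each incoming statement is allowed, blocked, or substituted with the slide's SELECT * FROM dual where 1=0. The sample statements, the blacklist pattern and the account names are constructed for the example.

```python
import re
from collections import namedtuple

# Literals become placeholders; whitespace and case are normalised. Two statements that differ
# only in their literal values therefore fall into the same "cluster".
_STRING_LITERAL = re.compile(r"'(?:[^']|'')*'")
_NUMBER_LITERAL = re.compile(r"\b\d+(?:\.\d+)?\b")
_WHITESPACE = re.compile(r"\s+")

SUBSTITUTE_SQL = "SELECT * FROM dual where 1=0"  # the harmless replacement from the slide

# Negative model: statement shapes an application account must never issue (constructed policy).
BLACKLIST = [re.compile(p) for p in (r"^(GRANT|REVOKE|CREATE USER|ALTER USER|DROP)\b",)]

Decision = namedtuple("Decision", "action sql alert log_entry")


def sql_cluster(sql):
    """Reduce a statement to its characteristic shape: literals masked, layout and case normalised."""
    shape = _STRING_LITERAL.sub("?", sql)
    shape = _NUMBER_LITERAL.sub("?", shape)
    return _WHITESPACE.sub(" ", shape).strip().upper()


def build_whitelist(observed_statements):
    """Positive model: generate the whitelist from statements observed during normal application use."""
    return {sql_cluster(s) for s in observed_statements}


def enforce(sql, user, whitelist, log):
    """Allow whitelisted shapes, block blacklisted ones, substitute anything else; log the masked shape."""
    cluster = sql_cluster(sql)
    if cluster in whitelist:
        action, forwarded, alert = "allow", sql, False
    elif any(p.search(cluster) for p in BLACKLIST):
        action, forwarded, alert = "block", None, True
    else:
        action, forwarded, alert = "substitute", SUBSTITUTE_SQL, True
    # Activity masking: the log carries the cluster, so literal values (names, SSNs, card numbers)
    # present in the statement never reach the log store.
    entry = f"user={user} action={action} alert={alert} sql={cluster}"
    log.append(entry)
    return Decision(action, forwarded, alert, entry)


# Constructed application traffic used to generate the whitelist.
OBSERVED_APP_SQL = [
    "SELECT name, balance FROM accounts WHERE id = 42",
    "SELECT name, balance FROM accounts WHERE id = 17",
    "UPDATE accounts SET balance = 100.50 WHERE id = 42",
    "INSERT INTO audit_log VALUES ('login', 42)",
    "SELECT salary FROM employees WHERE ssn = '222-34-1345'",
]

# Constructed incoming statements: normal application use, the slide's SELECT * FROM accounts,
# a tautology-style injection attempt, and a privilege grant.
INCOMING = [
    ("appuser", "select name, balance from accounts where id = 99"),
    ("appuser", "SELECT salary FROM employees WHERE ssn = '111-23-1111'"),
    ("appuser", "SELECT * FROM accounts"),
    ("appuser", "SELECT name, balance FROM accounts WHERE id = 42 OR 1=1"),
    ("appuser", "GRANT DBA TO appuser"),
]


def run_policy(incoming=INCOMING, observed=OBSERVED_APP_SQL):
    """Returns the decisions and the masked log for a batch of statements."""
    whitelist = build_whitelist(observed)
    log = []
    decisions = [enforce(sql, user, whitelist, log) for user, sql in incoming]
    return decisions, log


if __name__ == "__main__":
    decisions, log = run_policy()
    for (user, sql), d in zip(INCOMING, decisions):
        print(f"{d.action:10} {sql!r} -> {d.sql!r}")
    print("\n".join(log))
```

Five observed statements collapse into four clusters, which is the point of clustering: the policy is written against shapes, not individual statements. The unexpected SELECT and the tautology are substituted rather than blocked outright, so the application receives an empty result instead of an error, while the grant hits the blacklist and is dropped; in every case the log line shows the placeholder, not the SSN literal.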

Page 42: Security for Heterogeneous Environments

Oracle Database Firewall: Architecture

• Low TCO Oracle Enterprise Linux based “software appliance”

• Supports Intel-based hardware platforms for vertical and horizontal scalability

• Policy enforcement separated from policy management and reporting for scalability and performance

• Optional lightweight agents that reside within the database or the OS

• Supports Oracle and non-Oracle Databases, and is application agnostic

[Figure: Database Firewalls (HA mode) in front of the databases, with a Database Firewall Management Server, Policy Analyzer, and Local Monitor]

Page 43: Security for Heterogeneous Environments

Oracle Database Firewall: Fast and Flexible Deployments

• In-Line: All database traffic goes through the Oracle Database Firewall

• Out-of-Band/Passive: Database Firewall connected to a SPAN port or TAP

• Optional Host Based Remote or Local Monitors

– Can send network traffic from the database host to the Database Firewall

– Can send non-network database activity to the Database Firewall to identify unauthorized use of local console or remote sessions

[Figure: users and application servers reach the database servers through a router; the Database Firewall sits in-line or out-of-band, with an optional host-based agent on the database servers]

Page 44: Security for Heterogeneous Environments

Oracle Security Solutions: Complete Defense-in-Depth

Encryption & Masking: Data Masking

Access Control: Database Vault, Label Security, Identity Management

Auditing: Audit Vault

Monitoring & Blocking: Database Firewall

• Comprehensive – single vendor addresses all your requirements

• Transparent – no changes to existing applications or databases

• Easy to deploy – point and click interfaces deliver value within hours

• Cost Effective – integrated solutions reduce risk and lower TCO

• Proven – #1 Database with over 30 years of security innovation!

Page 45: Security for Heterogeneous Environments

Demo

Page 46: Security for Heterogeneous Environments

At the Oracle Solution Specialist booth we can provide you with information about the services we offer and about our solutions.