with Oracle IDM Peter Heintzen, Sen. Mgr. Information Security Oracle

Size: px

Start display at page:

Download "with Oracle IDM Peter Heintzen, Sen. Mgr. Information Security Oracle"

Avis Horton
6 years ago
Views:

1 <Insert Picture Here> Data Privacy Enhanced Database Security with Oracle IDM Peter Heintzen, Sen. Mgr. Information Security Oracle

2 Security Levels for SLAs Preventive Controls Detective Controls Corrective Controls Securitylevel Standard: Internal Data Securitylevel Standard Plus: Confidential Information with Limited Access Auditing Data Protocolserver, stores definined Audit Trails User Administration Management for high privileged user Securitylevel High: Highly Confidential Information with Very Limited Access Securitylevel Test- and Development: Testing Data

3 Best Practice Architectures Enterprise User Security Management EUS Centralized User Administration Corporate Directory or HR System CUA4DB Synchronization LDAP (OID or Other) User CUA4DB Central Admin Self-service Password Change Audit Login Redirection Login Run on Oracle Identity Manager Synchronization User Login Oracle DB Oracle DB (or other)

4 Central User Mgmt for DB Enables full DB user lifecycle management (Automation) Link DB accounts (mostly dba like accounts) to people Central role assignment Supports proprietary naming structure (e.g.costcenter + personal id) Report on Orphan/Ghost account Enforce Accountability on Sys and System Provide Complete Audit for compliance Workflow for request and approval Password and profile self service Password policy enforcement. Does not require changes in the DB Use Synchronization to propagate Identities Package based on OIM Any directory or HR repository can be used as a source for the Centralized User Administration Central Management DB 5 DB 4 DB 3 DB 2 DB 1

5 EUS vs CUA4DB EUS CUA4DB Use of centralized LDAP for database users/roles for authentication and authorization Centralized management of database users and roles Strong authentication using Kerberos or PKI possible (1) LDAP as user identity source possible Centralized provisioning and de-provisioning of application users Audit & Compliance Ready: eg historical reporting, Self Service password reset Fully Transparent to DB/applications - no changes required Workflow & Policy based user management Any directory or HR repository as user identity source Centralized User Administration possible for non-oracle DBs Fast implementation: Preconfigured (1) need Oracle Advanced Security

6 Identity Administration Oracle Identity Manager GRANT REVOKE GRANT REVOKE GRANT REVOKE Employee Joins / Departs HR System Approval Workflows Applications Automate Provisioning / Deprovisioning Identify orphaned accounts Report on Who has access to what Self-service requests

7 Oracle Advanced Security Disk Backups Exports Off-Site Facilities Transparent data at rest encryption Data stays encrypted when backed up Encryption for data in transit Strong authentication of users and servers Oracle Confidential 7

8 Separation of Duties: Business / IT Functional Administration Technical Administration

9 Database Vault Procurement HR Rebates DBA Application Insert into rebate.rebate_recipients values ( mark drake, mdrake@gmail.com, 350) Keep privileged database users from abusing their powers Enforce security policies and block unauthorized database activities Prevent application by-pass and protect application data Separate Technical Administration from Functional Administration

11 Oracle Data Masking Irreversible De-Identification Production LAST_NAME SSN SALARY AGUILAR ,000 BENSON ,000 Non-Production LAST_NAME SSN SALARY ANSKEKSL ,000 BKJHHEIEDK ,000 Fully functional masked databases supporting any business process Remove sensitive data from non-production databases Create realistic data maintaining referential integrity Faster, more reliable and more secure data refreshes Oracle Confidential 11

12 Oracle Audit Vault Automated Activity Monitoring & Audit Reporting HR Data! Alerts Auditor CRM Data ERP Data Audit Data Built-in Reports Custom Reports Databases Policies Automated database activity monitoring Detect and alert on suspicious activities Out-of-the box compliance reports Custom forensic reports Oracle Confidential

13 Limit Access to Confidential / TopSecret Data Encryption & Masking Data/Network Encryption Secure Backup Data Masking Access Control Separation of Functional and Techn. Admin Multilevel Security Monitoring Encryption & Masking Access Control Monitoring User/Role Management Configuration Management Auditing, Realtime Alarming Data Loss Prevention User/Role Management Identity and Role Lifecycle Shared Service Accounts

14 Compliance Automation ENFORCE CONTROLS MONITOR CONTROLS Enforce Controls Segregation of duties Access control Oracle Security Solutions Monitor Controls Who accessed what? Who changed what? Streamline Processes Attestation / Recertification AUTOMATE REPORTING STREAMLINE PROCESSES Automate Reporting Out-of-the-box compliance reports Customized reports

15 Oracle Security Solutions Applications Identity Administration User Provisioning Role Management Self-Service Requests Directory Services Scalable LDAP IDENTITY Storage AND ACCESS MANAGEMENT Virtual Directory Directory Synchronization Access Management Risk-based Authorization Entitlements Management Single Sign-On and Federation Activity Monitoring Access Control and Authorization Encryption and Data Masking Unauthorized Activity Detection Automated Compliance Reports Secure Configuration Audit Privileged User Controls DATABASE SECURITY Multi-Factor Authorization Classification Control Transparent Data Encryption De-identification for Non-Production Built-In Key Management Databases

16 Security Levels Preventive Controls Detective Controls Corrective Controls Securitylevel Standard: Advanced Security Option Securitylevel Standard Plus: Advanced Security Option Database Vault Securitylevel High: Advanced Security Option Database Vault Limit Access To System and Data Audit Vault Protocolserver, stores definined Audit Trails Who did what and when? Central User Administration for Database Central Management for high privileged user Who is able to access and why? Label Security Securitylevel Test- and Development: Data Masking Pack

17 3 Key Take Aways #1 Oracle Security solves major challenges in Costs, Compliance, Security #2 Comprehencive Information Security Offering #3 Quick Wins Much add-on Projects Potential 17

18 Useful Links Visit Oracle Security and IAM on the Web Oracle DB Security Solutions Visit: Oracle IAM Solutions Visit: View whitepapers, buyer s guides, and webinars Try the Software Visit OTN:otn.oracle.com Download software, get technical information

Database Centric Information Security. Speaker Name / Title

Database Centric Information Security Speaker Name / Title The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated