Oracle Security Products and Their Relationship to EBS
Presented By: Christopher Carriero

Agenda
- Confidential Data in Corporate Systems
- Sensitive Data in the Oracle EBS
- What Are the Oracle Security Products and How Do They Relate to the EBS?
- Sensitive Data Risk Assessment
- Questions and Answers

Corporate Confidential Data

Dollars Focusing on Security
- Corporate Privacy Policies
- Auditing and Monitoring
- Identity Access Management
- Data Loss Prevention
- Database Encryption

Facts and Stats
- 50% of all the corporate databases contain sensitive data. (Enterprise Strategy Group)
- 38% admitted failing one or more compliance audits in last 3 years. (Enterprise Strategy Group)
- 76% rated database security as high priority project for the next year. (Enterprise Strategy Group)

Facts and Stats
- Data thefts by employees doubled in 2009. (ITRC)
- 80% report using real production data in testing environments. (Ponemon Institute)
- 61% report having multiple copies of non-production environments. (Ponemon Institute)
- 75% report sharing real production data with 3rd parties & offshore teams. (Ponemon Institute)

Internal Breaches Less Often & More Costly
- Verizon Report 2008

Sensitive Data in the Oracle EBS

Private Data Exposed
- Production
- Development
- Sensitive Information

Privileged Users
- Full Database Access
- Database Administrators
- System Administrators
- Developers/Testers
- Contractors
- Third Party Vendors

What Are the Oracle Security Products?

Oracle Security Products
- Oracle Advanced Security
- Oracle Audit Vault
- Oracle Label Security
- Oracle Configuration Management
- Oracle Secure Backup
- Oracle Database Firewall
- Oracle Database Vault
- Oracle Data Masking
- Oracle Total Recall

Oracle Advanced Security
- Encrypts Data At Rest
- Encrypts Data As It Leaves the DB (for Backup or Over Network)
- Encrypts Tablespace or Specific Columns
- Can Be Used for PCI/HIPAA/SOX Compliance
- Can This Be Used for EBS?
- Pitfalls???

Oracle Audit Vault
- Data Warehousing Technology
- Logs Activities Based on Guidelines
- Allows Analysis on Activities
- Can Be Used for PII/HIPAA/SOX Compliance
- Not a Prevention Tool
- Can This Be Used for EBS?
- Pitfalls???

Oracle Label Security
- Mainly Used in Public Sector
- Policy Based Security
- Create Custom Data Classifications
- Can Be Used With Data Vault
- Can This Be Used for EBS?
- Pitfalls???

Oracle Configuration Management
- Allows for Discovery, Vulnerability Scanning, Compliance Benchmarking, and Central Management of DB Configuration
- Prevent Configuration Drift
- Critical Patch Alerts
- Can This Be Used for EBS?
- Pitfalls???

Oracle Secure Backup
- Integrated Data Protection
- Used for Tape Backup or Cloud Storage
- Encrypts Data to Tape
- Low Cost
- Can This Be Used for EBS?
- Pitfalls???

Oracle Database Firewall
- Monitors Database Activity
- Prevent SQL Injection
- Detects Internal and External Attacks
- Can This Be Used for EBS?
- Pitfalls???

Oracle Database Vault
- Controls Access Based on Multiple Factors
- Prevents Access of Privileged Users
- Built-in Factors Such as Time of Day, IP Address, Application Name, and Authentication Method
- Can This Be Used for EBS?
- Pitfalls???

Oracle Data Masking
- Replaces Data with Other Data
- Mainly Used for Testing/Development Environments
- Can Be Used for PCI, HIPAA, etc. for Compliance
- Can This Be Used for EBS?
- Pitfalls???

Oracle Total Recall
- Archive of Historical Data
- Secured and Tamper Proof Databases
- Can This Be Used for EBS?
- Pitfalls???

Sensitive Data Risk Assessment

Investigate
- Oracle Database and Application Password Use
- 200 Oracle Default Passwords
- Unused Accounts (Lock/Remove)
- Role Based Access Management
- Default Port (1521)
- Estimate Resources and Time Needed to Manage These Tasks

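One way to run the default-password and unused-account checks from this slide against the database tier, as an added example that is not part of the original presentation. It assumes Oracle Database 12c or later (DBA_USERS.LAST_LOGIN; DBA_USERS_WITH_DEFPWD exists from 11g), a 90-day idle threshold chosen for illustration, and it covers database accounts only, not EBS application users.

```sql
-- Added example: review database accounts for default passwords and disuse.
-- Requires SELECT on DBA_USERS and DBA_USERS_WITH_DEFPWD.
-- DBA_USERS_WITH_DEFPWD uses the database's own list of known defaults,
-- which is not necessarily the same list the slide refers to.
-- The 90-day threshold is an assumption; set it to your own policy.
SELECT u.username,
       u.account_status,
       u.profile,
       CASE WHEN d.username IS NOT NULL THEN 'YES' ELSE 'NO' END AS default_password,
       u.created,
       u.last_login,
       CASE
         WHEN d.username IS NOT NULL AND u.account_status = 'OPEN'
           THEN 'OPEN WITH DEFAULT PASSWORD: CHANGE NOW'
         WHEN d.username IS NOT NULL
           THEN 'NOT OPEN, DEFAULT PASSWORD: CHANGE BEFORE ANY UNLOCK'
         WHEN u.last_login IS NULL
           THEN 'NO RECORDED LOGON: LOCK OR REMOVE'
         ELSE 'IDLE OVER 90 DAYS: REVIEW AND LOCK'
       END AS finding
FROM   dba_users u
       LEFT JOIN dba_users_with_defpwd d
              ON d.username = u.username
WHERE  d.username IS NOT NULL
   OR  (u.account_status = 'OPEN'
        AND (   (u.last_login IS NULL AND u.created < SYSDATE - 90)
             OR u.last_login < SYSTIMESTAMP - INTERVAL '90' DAY))
ORDER  BY CASE
            WHEN d.username IS NOT NULL AND u.account_status = 'OPEN' THEN 0
            WHEN d.username IS NOT NULL THEN 1
            ELSE 2
          END,
          u.username;
```

Confirm with the account owner before locking anything in the idle group, because a missing LAST_LOGIN only means the database has no logon recorded for that account.
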
# of Privileged Users x Hours = Annual Hours of Vulnerability
- Determine Number of Internal IT Staff and Contractors
- Establish Average Daily Hours Worked Onsite and Remotely Per Person
- Estimate Average Days Worked Yearly Per Person
- Calculate Annual Hours of Data Vulnerability

# of Unprotected Records x $ = Potential Cost
- Examine Oracle EBS Modules
- Locate Sensitive Data Tables & Columns
- Quantify Number of Unprotected Sensitive Data Records
- Decide on a Cost Estimate
  - Forrester Research: $90-$305 per unique record
  - Ponemon Institute: $202 per unique record
- Calculate Potential Breach Cost

For More Information Contact:
Guardian Applications
info@guardianapps.com
www.guardianapps.com
Extended Database Security for the Oracle E-Business Suite