<Insert Picture Here> Oracle Database Security

<Insert Picture Here> Oracle Database Security Ursula Koski Senior Principal Architect ursula.koski@oracle.com

Ursula Koski Senior Principal Architect Senior Principal Architect Oracle User Group Liaison and OUGF Board Member (Finland) Joined Oracle 2007 Working mainly with short term database engagements around the world. High availability and disaster recovery area. Have worked as an Oracle DBA for partners from 1994. Interests Professional: Oracle Database Evangelist, Maximum Availability Architecture and Database Disaster Recovery & Problem solving. Personal: Oracle Databases, all technical gadgets (Geek!), traveling and reading.

Data Security Challenges What to secure? Sensitive Data: Confidential, PII, regulatory Data in packaged and custom applications Secure Life cycle: creation, transit, storage, backup, test, transfer Can we secure it now? Secure using existing systems? Transparent? Loss, Unauthorized access, Separation of Duty Will it meet business requirements? Flexible, Transparent, Compliant? Secures both custom and packaged applications? Will it reduce operational cost? Easy to manage? Performant? 3

Oracle Database Security Defense-in-Depth for Security and Compliance Monitoring Configuration Management Audit Vault Total Recall Access Control Database Vault Label Security Encryption and Masking Advanced Security Secure Backup Data Masking 4

Oracle Database Security Defense-in-Depth for Security and Compliance Encryption and Masking Advanced Security Secure Backup Data Masking 5

Oracle Advanced Security Transparent Data Encryption Disk Backups Exports Application Off-Site Facilities No application changes required Efficient encryption of all application data Built-in key lifecycle management Works with Exadata V2 Smart Scans Works with Oracle Advanced Compression 6

Oracle Advanced Security Network Encryption & Strong Authentication Standard-based encryption for data in transit Strong authentication of users and servers No infrastructure changes required Easy to implement 7

Oracle Secure Backup Integrated Tape or Cloud Backup Management Secure data archival to tape or cloud Easy to administer key management Fastest Oracle Database tape backups Leverage low-cost cloud storage 8

Oracle Data Masking Irreversible De-Identification Production LAST_NAME SSN SALARY AGUILAR 203-33-3234 40,000 BENSON 323-22-2943 60,000 Non-Production LAST_NAME SSN SALARY ANSKEKSL 111 23-1111 40,000 BKJHHEIEDK 222-34-1345 60,000 Remove sensitive data from non-production databases Referential integrity preserved so applications continue to work Extensible template library and policies for automation 9

Oracle Database Security Defense-in-Depth for Security and Compliance Access Control Database Vault Label Security Encryption and Masking Advanced Security Secure Backup Data Masking 10

Oracle Database Vault Separation of Duties & Privileged User Controls Application Procurement HR Finance DBA select * from finance.customers DBA separation of duties Limit powers of privileged users Securely consolidate application data No application changes required Works with Oracle Exadata V2 Database Machine 11

Oracle Database Vault Multi-Factor Access Control Policy Enforcement Procurement HR Application Rebates Protect application data and prevent application by-pass Enforce who, where, when, and how using rules and factors Out-of-the box policies for Oracle applications, customizable 12

Oracle Label Security Data Classification for Access Control Confidential Sensitive Transactions Confidential Report Data Public Reports Sensitive Classify users and data based on business drivers Database enforced row level access control Users classification through Oracle Identity Management Suite Classification labels can be factors in other policies 13

Did you know? Finding User Accounts That Have Default Passwords When you create a database in Oracle Database 11g Release 2 (11.2), most of its default accounts are locked with the passwords expired. To find both locked and unlocked accounts that use default passwords, log onto SQL*Plus using the SYSDBA privilege and then query the DBA_USERS_WITH_DEFPWD data dictionary view. SELECT d.username, u.account_status FROM DBA_USERS_WITH_DEFPWD d, DBA_USERS u WHERE d.username = u.username ORDER BY 2,1; USERNAME ACCOUNT_STATUS ----------------- -------------------------- SCOTT EXPIRED & LOCKED 14

Oracle Audit Vault Automated Activity Monitoring & Audit Reporting HR Data! Alerts CRM Data ERP Data Audit Data Built-in Reports Custom Reports Databases Policies Auditor Consolidate audit data into secure repository Detect and alert on suspicious activities Out-of-the box compliance reporting Centralized audit policy management 16

Oracle Database Auditing Performance Audit users/tables effectively Oracle Database 11.2 ~250 audit records / second 4 CPU 3.6 GHz, 4GB RAM Linux 2.6.9-34.0.1.0.11.ELsmp Existing CPU Work Load: 50% Audit Location Throughput Degradation Additional CPU Used above 50% OS file 1.39% 1.45% XML format file 1.70% 3.51% XML format file + SQL Text 3.22% 4.56% Database Tables 3.84% 4.55% Database Tables + SQL Text 11.93% 13.95% 17

Oracle Total Recall Secure Change Tracking select salary from emp AS OF TIMESTAMP '02-MAY-09 12.00 AM where emp.title = admin Transparently track data changes Efficient, tamper-resistant storage of archives Real-time access to historical data Enables forensics and error correction 18

Oracle Configuration Management Vulnerability Assessment & Secure Configuration Discover Classify Assess Prioritize Fix Monitor Asset Management Policy Management Vulnerability Management Configuration Management & Audit Analysis & Analytics Database discovery Continuous scanning against best practices Detect and prevent unauthorized configuration changes Change management compliance reports 19

For More Information search.oracle.com database security oracle.com/database/security 21

Oracle Products Available Online Oracle Store Buy Oracle license and support online today at oracle.com/store