Oracle Database Security FY11 6/1/2010
Private Clouds: Opportunity to Improve Data Security and Lower Costs
InfoTRAMS "Thematic Fusion, Databases, Career and Private Equipment at Work"
Michał Jerzy Kostrzewa ([email protected])
ECE Business Development Manager
Agenda
• Challenges of Securing Data Today
• Data Security in Cloud Environments
• Private v. Public Clouds
• Securing Database Clouds
• Q&A
Easy to Lose Track of Sensitive Data in Traditional Computing Environments
• Silos of dedicated hardware and software for each application
• Organizations are typically unsure which silos contain sensitive data
• Securing every silo is too costly and complex
• Organizations typically protect the only shared resource: the network
• Data and database infrastructure are therefore vulnerable to attack from within the network perimeter
Data and Databases Vulnerable
The 2010 IOUG Data Security Report
• 28% uniformly encrypt sensitive data in all databases: elsewhere, data can be read or tampered with by any system user or admin with access to database files or storage
• 24% can prevent privileged database users from reading/modifying data: elsewhere, data can be accessed by DBAs or anyone holding privileged database user credentials
• 44% allow database users to access data directly: users can bypass application security policies to read or modify data directly within the database
• 68% cannot detect whether database users are abusing privileges: database users can perform unauthorized activities undetected
• 66% are not sure whether their applications are subject to SQL injection: data can be manipulated by attackers who compromise applications
• 48% copy sensitive production data to non-production environments: data can be accessed by developers, testers, etc.
Over 900M (92%) Breached Records from Compromised Database Servers
2010 Data Breach Investigations Report
• 48% involved privilege misuse
• 40% resulted from hacking
• 38% utilized malware
• 28% employed social tactics
• 15% comprised physical attacks
Cloud Computing Environments Allow Securing Sensitive Data Efficiently
• Clouds are shared pools of standardized computing resources
• Oracle Exadata is a pre-integrated, highly optimized Database Cloud platform that maximizes ROI
• All data is now managed in the Database Cloud, so securing Database Clouds is not optional!
• Securing Database Clouds results in efficient and consistent protection for all data
• Database Clouds enable better security at lower cost and complexity
Exadata and Exalogic
Extreme Performance, Engineered Systems
• Database and middle-tier machines
• Unmatched performance, simplified deployment, lower total cost
• Building blocks for private and public PaaS
Oracle Exadata Extreme Performance
• Faster than DW appliances: faster query throughput, fastest disk throughput, much faster with Flash
  [Chart: Query Throughput, GB/sec of uncompressed data per single rack. Exadata 75 GB/sec with Flash; Teradata 2650 20 GB/sec; Netezza TwinFin 12 10 GB/sec (disk)]
• More bandwidth than high-end arrays: storage arrays can't deliver disk bandwidth, no extra bandwidth from Flash, no CPU offload, no columnar compression, no InfiniBand
  [Chart: Storage Data Bandwidth, uncompressed GB/sec. Exadata 75 GB/sec versus IBM XIV, NetApp 6080, IBM DS8700, Hitachi USP V and EMC VMAX; the per-array figures cannot be recovered from the extracted text]
• More data capacity: more disk drives per rack, larger disk drives, much better compression
  [Chart: Systems with Equal User Data, all with largest disks and best compression. Exadata compared with Teradata 2650, EMC VMAX and Netezza TwinFin 12; ratios of 10x, 3x, 2-4x and 1.4x appear, but their assignment to systems cannot be recovered from the extracted text]
Oracle Exalogic Extreme Performance
• Internet applications: 12X improvement, over 1 million HTTP requests/sec; Facebook's web traffic on 2 full racks
• Messaging applications: 4.5X improvement, over 1.8 million messages/sec; all Chinese rail ticketing on 1 rack
• Database applications: 1.4X improvement, almost 2 million JPA operations/sec; all eBay product searches on 1/2 rack
[Charts: Exalogic versus "Alternative" for each workload; bar values not recoverable from the extracted text]
Biggest Barrier to Cloud Computing Adoption? Security!
74% rate cloud security issues as "very significant"
Source: IDC
The Reality of Cloud Computing
Cloud Computing Often Confused with Outsourcing...
Public Clouds
• Cloud operated by a vendor
• Security (and compliance??) becomes outsourced
• Not an option for certain organizations and industries
Private Clouds
• Evolution of IT services
• You remain responsible for ensuring security and compliance
• Cost-effective option to protect data for all organizations!
Securing Database Clouds
Defense In Depth
[Diagram: layers around the Data]
• Prevent access by non-database users
• Increase database user identity assurance
• Control access to data within the database
• Audit database activity
• Monitor database traffic and prevent threats from reaching the database
• Ensure the database production environment is secure and prevent drift
• Remove sensitive data from non-production environments
Copyright © 2010, Oracle. All rights reserved
Oracle Advanced Security
Protect Data from Unauthorized Users
[Diagram: encrypted data on Disk, Backups, Application Exports and at Off-Site Facilities]
• Complete encryption for application data at rest to prevent direct access to data stored in database files, on tape, in exports, etc. by IT staff/OS users
• Efficient application data encryption without application changes
• Built-in two-tier key management for separation of duties, with support for centralized key management using an HSM/KMS
• Strong authentication of database users for greater identity assurance
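The feature behind these bullets is Transparent Data Encryption (TDE). The following is an added example, not code from the deck, showing the Oracle 11g-era configuration for tablespace and column encryption together with the checks to run afterwards. The wallet directory, wallet password, tablespace, datafile path and the HR.EMP table are assumed names for illustration.

```sql
-- Added example (not from the original deck): Oracle 11g TDE setup.
-- Wallet path, password, tablespace, datafile and HR.EMP are assumptions.

-- 1. Tell the database where the software wallet lives (sqlnet.ora on the DB host):
--    ENCRYPTION_WALLET_LOCATION =
--      (SOURCE = (METHOD = FILE)(METHOD_DATA = (DIRECTORY = /etc/oracle/wallet)))
--    For the two-tier model in the bullets, METHOD = HSM moves the master key
--    off the host entirely.

-- 2. Create the master key and open the wallet (once, as SYSDBA).
--    The column/tablespace keys are themselves encrypted by this master key,
--    which is why a copy of the datafiles alone is useless to an OS user.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "WalletPassw0rd";
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "WalletPassw0rd";

-- 3a. Tablespace encryption: every segment created here is encrypted on disk,
--     including undo/redo copies of its blocks written by the database.
CREATE TABLESPACE secure_ts
  DATAFILE '/u01/oradata/ORCL/secure_ts01.dbf' SIZE 100M
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

-- 3b. Column encryption on an existing table. NO SALT keeps the column
--     usable by a B-tree index; the default (SALT) does not.
ALTER TABLE hr.emp MODIFY (ssn ENCRYPT USING 'AES256' NO SALT);

-- 4. Verification a practitioner should run before declaring the data protected.
SELECT wrl_type, status FROM v$encryption_wallet;        -- STATUS must be OPEN
SELECT owner, table_name, column_name, encryption_alg, salt
  FROM dba_encrypted_columns;                             -- HR / EMP / SSN / AES 256 / NO
SELECT tablespace_name, encrypted
  FROM dba_tablespaces
 WHERE tablespace_name = 'SECURE_TS';                     -- ENCRYPTED = YES
```

Two caveats follow directly from the IOUG numbers on the earlier slide. TDE answers the "28% encrypt" item (files, backups and exports are unreadable without the wallet), but it does nothing for the "24% can prevent privileged users" item: a DBA connected to the open database reads the decrypted rows exactly as the application does, which is the problem the Database Vault slide addresses. And the wallet password typed above lands in the SQL*Plus history and audit trail, so run it from a file or a secured admin session rather than an interactive shell.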
Oracle Database Vault
Enforce Security Policies Inside the Database
[Diagram: a Security DBA and an Application DBA against realms for Procurement, HR and Finance; a DBA issuing "select * from finance.customers" against the Finance realm is blocked]
• Automatic and customizable DBA separation of duties and protective realms
• Enforce who, where, when, and how using rules and factors
• Enforce least privilege for privileged database users
• Prevent application bypass and enforce enterprise data governance
• Securely consolidate application data or enable multi-tenant data management
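The diagram's blocked query can be reproduced with one realm. The block below is an added example written for this page, not the deck's own code, using the Oracle 11g Database Vault administration API (DBMS_MACADM). The realm name, the FINANCE schema and the FINANCE_APP account are assumptions; the statements are run as the Database Vault owner account, not as SYS.

```sql
-- Added example (not from the original deck): a Database Vault realm that
-- refuses "select * from finance.customers" to a DBA. Run as the DV owner.
-- 'Finance Realm', FINANCE and FINANCE_APP are assumed names.

BEGIN
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'Finance Realm',
    description   => 'Shields all FINANCE objects from system-privilege access',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);  -- record every blocked attempt

  -- '%' covers every object in the schema, including ones created later,
  -- so a new table cannot silently fall outside the realm.
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'Finance Realm',
    object_owner => 'FINANCE',
    object_name  => '%',
    object_type  => '%');

  -- Only the application account may exercise system privileges inside
  -- the realm. No rule set (NULL) means the authorization is unconditional;
  -- a rule set could add "where/when/how" factors such as client IP or time.
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'Finance Realm',
    grantee       => 'FINANCE_APP',
    rule_set_name => NULL,
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);
END;
/

-- Effect for an account that relies on SELECT ANY TABLE (the usual DBA case):
--   SQL> select * from finance.customers;
--   ORA-01031: insufficient privileges
-- The refused attempt is written to the Database Vault audit trail
-- (DVSYS.AUDIT_TRAIL$) because of G_REALM_AUDIT_FAIL.

-- Check that nobody bypasses the realm through a direct object grant, which
-- an 11g realm does not intercept: these grants must be revoked or justified.
SELECT grantee, table_name, privilege
  FROM dba_tab_privs
 WHERE owner = 'FINANCE'
   AND grantee NOT IN ('FINANCE_APP');
```

The last query is the check that matters in practice: a realm governs system privileges (SELECT ANY TABLE, ALTER ANY TABLE, and so on), while a direct GRANT SELECT ON finance.customers TO some_dba still works in 11g. Least privilege for the DBA therefore means both the realm and a clean DBA_TAB_PRIVS.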
Oracle Audit Vault
Audit Database Activity in Real-Time
[Diagram: audit data from HR, CRM and ERP databases flows into Audit Vault, which drives alerts, policies, built-in reports and custom reports for the auditor]
• Consolidate database audit trails into a secure, centralized repository
• Detect and alert on suspicious activities, including those of privileged users
• Out-of-the-box compliance reports for SOX, PCI, and other regulations
• E.g., privileged user audit, entitlements, failed logins, regulated data changes
• Streamline audits with report generation, notification, attestation, archiving, etc.
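Audit Vault can only consolidate what the source databases record. The added example below (written for this page, not taken from the deck) shows the database-side configuration that produces a useful trail for the "68% cannot detect privilege abuse" and "44% allow direct access" findings: standard auditing on a sensitive table plus a fine-grained audit policy that fires only on reads that do not come from the application, and a query an auditor would run over the result. The HR.EMP table, the PAYROLL_APP module name and the policy name are assumptions.

```sql
-- Added example (not from the original deck): source-database auditing that
-- Audit Vault would collect. HR.EMP, PAYROLL_APP and EMP_SALARY_READS are assumed.

-- Keep the trail in the database with full SQL text and bind values;
-- both parameters are static, so a restart is required.
ALTER SYSTEM SET audit_trail = DB, EXTENDED SCOPE = SPFILE;
-- SYSDBA/SYSOPER sessions bypass the DB trail; send them to the OS trail.
ALTER SYSTEM SET audit_sys_operations = TRUE SCOPE = SPFILE;

-- Standard auditing: one record per statement touching the table.
AUDIT SELECT, UPDATE ON hr.emp BY ACCESS;

-- Fine-grained auditing: record SALARY reads/updates only when the session's
-- MODULE is not the payroll application, i.e. someone is going around the app.
BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema   => 'HR',
    object_name     => 'EMP',
    policy_name     => 'EMP_SALARY_READS',
    audit_condition => 'SYS_CONTEXT(''USERENV'',''MODULE'') <> ''PAYROLL_APP''',
    audit_column    => 'SALARY',
    statement_types => 'SELECT,UPDATE',
    audit_trail     => DBMS_FGA.DB + DBMS_FGA.EXTENDED);  -- include SQL text and binds
END;
/

-- Auditor's view: DBA-role holders reading salaries outside business hours.
SELECT db_user, os_user, userhost, timestamp, sql_text
  FROM dba_fga_audit_trail
 WHERE policy_name = 'EMP_SALARY_READS'
   AND db_user IN (SELECT grantee FROM dba_role_privs WHERE granted_role = 'DBA')
   AND TO_CHAR(timestamp, 'HH24') NOT BETWEEN '08' AND '18'
 ORDER BY timestamp DESC;
```

The MODULE value is set by the client (DBMS_APPLICATION_INFO, the JDBC driver, SQL*Plus), so a determined user can spoof it; this policy is detection, and the prevention of application bypass belongs to Database Vault. The reason to ship the trail to a separate repository, as the slide argues, is the obvious one: a DBA who can read HR.EMP can usually also delete rows from SYS.AUD$ and SYS.FGA_LOG$ on the same database.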
Oracle Total Recall
Track Changes to Sensitive Data
select salary from emp AS OF TIMESTAMP '02-MAY-09 12.00 AM' where emp.title = 'admin'
• Transparently track application data changes over time
• Efficient, tamper-resistant storage of archives in the database
• Real-time access to historical application data using SQL
• Simplified incident forensics and recovery
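Total Recall is the marketing name for Flashback Data Archive. The added example below, which is not the deck's code, sets up an archive for the table used in the slide's query and then walks the forensic question the bullets promise: what did the admin's salary look like at a point in time, who changed it, and how to undo it. The archive name, its tablespace, the HR.EMP table and the timestamp are assumptions; the slide's own AS OF query is repeated with an explicit TO_TIMESTAMP so it does not depend on the session's NLS date format.

```sql
-- Added example (not from the original deck): Flashback Data Archive on HR.EMP.
-- fda_hr, fda_ts, HR.EMP and the dates are assumed values.

-- Keep 7 years of row history in its own tablespace; requires the
-- FLASHBACK ARCHIVE ADMINISTER privilege. Expired history is purged automatically.
CREATE FLASHBACK ARCHIVE fda_hr TABLESPACE fda_ts QUOTA 10G RETENTION 7 YEAR;

-- From this point every committed change to HR.EMP is archived, independent
-- of undo retention, and ordinary users cannot delete the history.
ALTER TABLE hr.emp FLASHBACK ARCHIVE fda_hr;

-- The deck's query with an unambiguous timestamp literal.
SELECT salary
  FROM hr.emp AS OF TIMESTAMP TO_TIMESTAMP('2009-05-02 00:00:00', 'YYYY-MM-DD HH24:MI:SS')
 WHERE title = 'admin';

-- Forensics: every version of the admin row since that date, with the
-- operation that produced it and the transaction id.
SELECT versions_starttime, versions_endtime, versions_operation, versions_xid, salary
  FROM hr.emp
       VERSIONS BETWEEN TIMESTAMP
         TO_TIMESTAMP('2009-05-02 00:00:00', 'YYYY-MM-DD HH24:MI:SS') AND MAXVALUE
 WHERE title = 'admin'
 ORDER BY versions_starttime;

-- Attribute and reverse: map those transaction ids to the logon user and the
-- compensating SQL. This view reads undo, not the archive, so it only covers
-- transactions still within undo retention, and UNDO_SQL is populated only if
-- supplemental logging is on (ALTER DATABASE ADD SUPPLEMENTAL LOG DATA).
SELECT q.xid, q.logon_user, q.start_timestamp, q.operation, q.undo_sql
  FROM flashback_transaction_query q
 WHERE q.xid IN (SELECT versions_xid
                   FROM hr.emp VERSIONS BETWEEN TIMESTAMP
                        TO_TIMESTAMP('2009-05-02 00:00:00', 'YYYY-MM-DD HH24:MI:SS')
                        AND MAXVALUE
                  WHERE title = 'admin')
 ORDER BY q.start_timestamp;
```

"Tamper-resistant" in the bullets is relative to ordinary users: an account with ALTER on the table can still issue ALTER TABLE hr.emp NO FLASHBACK ARCHIVE and stop collection, so in a production deployment the table's DDL should sit behind a Database Vault command rule or realm as well.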
Oracle Database Firewall
First Line of Defense
[Diagram: SQL from applications passes through the firewall, which can Allow, Log, Alert, Substitute or Block each statement, driven by policies and feeding alerts, built-in reports and custom reports]
• Monitor database activity to prevent unauthorized database access, SQL injection, privilege or role escalation, illegal access to sensitive data, etc.
• Highly accurate SQL-grammar-based analysis without costly false positives
• Flexible SQL-level enforcement options based on white lists and black lists
• Scalable architecture provides enterprise performance in all deployment modes
• Built-in and custom compliance reports for SOX, PCI, and other regulations
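Grammar-based analysis works because an injected statement parses to a different structure than the application's normal one. The added example below, not from the deck, shows the application-side defect a database firewall is placed in front of and its fix in PL/SQL: a procedure that concatenates input into dynamic SQL, the same procedure with a bind variable, and the case where an identifier must be dynamic. The procedure names and the FINANCE.CUSTOMERS table are assumptions.

```sql
-- Added example (not from the original deck): SQL injection in PL/SQL dynamic
-- SQL, and its fix. get_customer_bad, get_customer, count_rows and
-- FINANCE.CUSTOMERS are assumed names.

-- VULNERABLE: user input spliced into the statement text.
CREATE OR REPLACE PROCEDURE get_customer_bad(p_name IN VARCHAR2,
                                             p_cur  OUT SYS_REFCURSOR) AS
BEGIN
  OPEN p_cur FOR
    'SELECT id, name, credit_limit FROM finance.customers WHERE name = '''
    || p_name || '''';
END;
/
-- With p_name => x' OR 1=1 --  the executed text becomes
--   SELECT id, name, credit_limit FROM finance.customers WHERE name = 'x' OR 1=1 --'
-- which returns every customer. The parse tree now has an OR predicate and a
-- comment where the learned white-list statement had a single equality, which
-- is exactly the deviation a grammar-based firewall flags or blocks.

-- FIXED: a bind variable. The input is data, never SQL grammar, so the
-- statement structure is identical for every call.
CREATE OR REPLACE PROCEDURE get_customer(p_name IN VARCHAR2,
                                         p_cur  OUT SYS_REFCURSOR) AS
BEGIN
  OPEN p_cur FOR
    'SELECT id, name, credit_limit FROM finance.customers WHERE name = :1'
    USING p_name;
END;
/

-- Binds cannot carry identifiers. When the table name must be dynamic,
-- validate it as a simple SQL name so quotes, spaces and comments are rejected
-- with ORA-44003 before they reach the statement.
CREATE OR REPLACE PROCEDURE count_rows(p_table IN VARCHAR2,
                                       p_count OUT NUMBER) AS
BEGIN
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM finance.' || DBMS_ASSERT.SIMPLE_SQL_NAME(p_table)
    INTO p_count;
END;
/
```

The firewall's white-list mode protects the first procedure without changing it, which is the slide's selling point, but the second and third are the changes that make the "66% not sure about SQL injection" finding go away regardless of what sits on the network.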
Oracle Configuration Management
Secure Your Database Environment
[Diagram: a lifecycle of Discover, Classify, Assess, Prioritize, Fix and Monitor, backed by Asset Management, Policy Management, Vulnerability Management, Configuration Management & Audit, and Analysis & Analytics]
• Discover and classify databases into policy groups
• Scan databases against 400+ best practices and industry standards, plus custom enterprise-specific configuration policies
• Detect and even prevent unauthorized database configuration changes
• Change management dashboards and compliance reports
Oracle Data Masking
Irreversibly De-Identify Data for Non-Production Use

Production                         Non-Production
LAST_NAME  SSN          SALARY     LAST_NAME   SSN          SALARY
AGUILAR    203-33-3234  40,000     ANSKEKSL    111-23-1111  60,000
BENSON     323-22-2943  60,000     BKJHHEIEDK  222-34-1345  40,000

Data never leaves the database
• Make application data securely available in non-production environments
• Prevent application developers and testers from seeing production data
• Extensible template library and policies for data masking automation
• Referential integrity is automatically preserved so applications continue to work
Oracle Database Defense In Depth
Solution Summary
• Oracle Advanced Security
• Oracle Identity Management
• Oracle Database Vault
• Oracle Label Security
• Oracle Audit Vault
• Oracle Total Recall
• Oracle Database Firewall
• Oracle Configuration Management
• Oracle Data Masking
Comprehensive – Transparent – Easy to Deploy – Proven!
Next Steps....
• Protect sensitive data and database infrastructure ASAP!
• Database Clouds enable better security at lower cost and complexity
• Start evolving your existing IT infrastructure into a Private Cloud
• Secured Oracle Exadata servers provide the secure database cloud building block you need
• Securing your databases will allow you to outsource to, or take advantage of, Public Clouds with less risk
For More Information
oracle.com/database/security
search.oracle.com: "database security"