talk it_ oracle_김상엽_110822
© 2011 Oracle Corporation
Protect Your Most Sensitive Data
Build a Maximum Security Architecture
Ryan Kim | Senior Manager, Technology Readiness and Developer Program
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.
Agenda
• Data Security Trends
• How Are Threats Getting In?
• What is Maximum Security Architecture
• Oracle Solutions Mapped to MSA
• Summary
• Q&A
More data than ever…
Chart (2006 to 2011): the volume of stored data reaches 1,800 exabytes, with growth doubling yearly. Source: IDC, 2008.
Data Breach
More breaches than ever…
Once exposed, the data is out there: the bell can't be un-rung.
Chart: publicly reported data breaches per year, 2005 to 2008 (scale 0 to 400), alongside total personally identifying information records exposed (millions), a 630% increase. Source: DataLossDB, Ponemon Institute, 2009.
Average cost of a data breach: $202 per record
Average total cost exceeds $6.6 million per breach
More threats than ever…
70% of attacks originate inside the perimeter
90% of attacks are perpetrated by employees with privileged access
More regulations than ever…
• Federal, state, local, industry…adding more
mandates every year!
• Need to meet AND demonstrate compliance
• Compliance costs are unsustainable
Report and audit?
90% of companies are behind in compliance. Source: IT Policy Compliance Group, 2007.
Compliance
• Current personal information protection legal framework in Korea
• Personal Information Protection Act (in force from September 2011)
  • Applies to every industry, online and offline alike.
  • The Information and Communications Network Act (Network Act) and the Credit Information Act remain in force as they are.
  • The Network Act and the Credit Information Act apply first, to telecommunications operators and financial institutions respectively; the Personal Information Protection Act applies to whatever those laws do not regulate.
  • Businesses other than telecommunications operators that were covered by the Network Act only by extension (quasi-applicable businesses) are all removed from the Network Act and fall directly under the Personal Information Protection Act.

Sector | Individual law | Applies to | Competent authority
Public sector | Act on the Protection of Personal Information Maintained by Public Institutions | Public institutions | Ministry of Public Administration and Security
Private sector, information and communications | Network Act | Information and communications service providers | Korea Communications Commission
Private sector, finance and credit | Credit Information Act | Credit information providers and users | Financial Services Commission

Diagram: four columns (Public, Telecommunications, Finance, Other), each topped by its sector law (Public Institutions Act, Network Act, Credit Information Act, none for Other), with the Personal Information Protection Act spanning all four underneath.
Higher Costs Than Ever…
• User Management Costs
• User Productivity Costs
• Compliance & Remediation Costs
• Security Breach Remediation Costs
It adds up
Biggest Barrier to Cloud Computing Adoption? Security!
74% rate cloud security issues as "very significant"
Source: IDC
How Are Threats Getting In?
Over 900M Breached Records Resulted from Compromised Database Servers

Type | Category | % Breaches | % Records
Database Server | Servers & Applications | 25% | 92%
Desktop Computer | End-User Devices | 21% | 1%

Source: Verizon 2010 Data Breach Investigations Report
SQL Injection Attacks Against Databases Responsible for 89% of Breached Data
• SQL injection is a technique for running attacker-chosen SQL on the database server by supplying input that the web application concatenates into its statement text
• It can't be fixed by simply applying a patch, tweaking a setting, or changing a single page
• SQL injection vulnerabilities are endemic, and fixing them means reviewing every place the application builds SQL from input and replacing string concatenation with bind variables
Verizon 2010 Data Breach Investigations Report
"The versatility and effectiveness of SQL Injection make it a multi-tool of choice among cybercriminals."
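As an added example that is not part of the deck, the pattern behind the injections counted above, shown in PL/SQL against the emp table the deck uses elsewhere. The column names (title, salary), the procedure names and the payload are assumptions.

```sql
-- Added example, not from the original deck. Assumes a table emp(title, salary).
-- VULNERABLE: the caller's string becomes part of the statement text.
CREATE OR REPLACE PROCEDURE salary_total_unsafe (p_title IN  VARCHAR2,
                                                 p_total OUT NUMBER) IS
  v_sql VARCHAR2(4000);
BEGIN
  v_sql := 'SELECT SUM(salary) FROM emp WHERE title = ''' || p_title || '''';
  EXECUTE IMMEDIATE v_sql INTO p_total;
END;
/
-- Calling it with p_title => 'x'' OR ''1''=''1' runs
--   SELECT SUM(salary) FROM emp WHERE title = 'x' OR '1'='1'
-- and returns the payroll of every employee, not just the admins.

-- HARDENED: static SQL binds p_title as a value; it can never change the
-- shape of the statement. AUTHID CURRENT_USER keeps the procedure from
-- lending its owner's privileges to whoever calls it.
CREATE OR REPLACE PROCEDURE salary_total_safe (p_title IN  VARCHAR2,
                                               p_total OUT NUMBER)
  AUTHID CURRENT_USER IS
BEGIN
  SELECT SUM(salary) INTO p_total FROM emp WHERE title = p_title;
END;
/
-- When the statement really must be built at run time (table chosen by the
-- caller), bind the values with USING and validate identifiers with
-- DBMS_ASSERT, which raises ORA-44002 for a name that is not an existing
-- object instead of splicing a crafted string into the statement.
CREATE OR REPLACE PROCEDURE salary_total_dynamic (p_table IN  VARCHAR2,
                                                  p_title IN  VARCHAR2,
                                                  p_total OUT NUMBER)
  AUTHID CURRENT_USER IS
BEGIN
  EXECUTE IMMEDIATE 'SELECT SUM(salary) FROM '
                    || DBMS_ASSERT.SQL_OBJECT_NAME(p_table)
                    || ' WHERE title = :t'
    INTO p_total USING p_title;
END;
/
```

The injected predicate works because the database cannot tell which part of the text came from the developer and which from the user; binding restores that boundary. The same rule holds in the web tier (prepared statements rather than string building), and the application account should hold only the object privileges it needs, so that a successful injection cannot reach other schemas. That second point is where the privileged-user controls later in the deck come in.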
66% of Organizations Vulnerable to SQL Injection Attacks
Survey question: "Taken steps to prevent SQL injection attacks?"
Source: 2010 IOUG Data Security Survey Report
Traditional Security Solutions Leave Data within Databases Vulnerable
Diagram: botware, malware, key loggers, espionage, spear phishing, SQL injection and social engineering reach the database through its applications and through database users and administrators. The Maximum Security Architecture protects your most sensitive area: your data.
What is Maximum Security Architecture
Maximum Security Architecture
Safeguards your Information Technology environment at every layer, leaving no weak link

Diagram: layers from Infrastructure up through Databases, Applications and Content to Information, with Identity Management and Information Rights Management spanning all layers.
• Infrastructure Security: Network Security; Hardware Security; OS / Firmware Security; Virtualization Security
• Database Security
• Identity Management: User Provisioning; Role Management; Entitlements Management; Risk-Based Access Control; Virtual Directories
• Information Rights Management: Track and Audit Document Usage; Control & Revoke Document Access; Secured Inside or Outside Firewall; Centralized Policy Administration

Today we will focus on Maximum DATA Security Architecture for the Database tier
Maximum Data Security Architecture
Diagram: four pillars and the capabilities in each.
1. Perimeter Defense
2. Monitoring: Secure Configuration; Detect & Audit Mis-use; Reverse & Undo Damage
3. Access Control: Privileged User Controls; Multi-factor Authorization
4. Encryption & Masking: Encrypt Data In-Transit; Protect Data Backups; Mask Data Used in Dev. & Testing
Oracle Configuration Management
Vulnerability Assessment & Secure Configuration
REQUIREMENTS:
1. Discovers Databases, OS, Hosts, remote end-points, apps & apps servers
2. Continuous scanning vs. 375+ best practices & industry standards, extensible
3. Detect, prevent and roll back unauthorized configuration changes in real time
4. Change management compliance reports
5. Platform & vendor agnostic
Diagram: a lifecycle of Discover, Classify, Assess, Monitor, Prioritize and Fix, backed by Asset Management, Policy Management, Vulnerability Management, Configuration Management & Audit, and Analysis & Analytics.
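A few of the checks such a scan performs can be run by hand from the data dictionary. The queries below are an added example, not part of the deck or of the Configuration Management Pack; the remediation at the end assumes the profile is named default and that no application depends on PUBLIC execute on the listed packages.

```sql
-- Added example, not from the original deck. Run as a user with SELECT on the
-- DBA_* views (SELECT_CATALOG_ROLE). Each query lists a finding; an empty
-- result is a pass.

-- 1. Open accounts still on a vendor default password (view exists from 11g).
SELECT u.username
FROM   dba_users_with_defpwd d
JOIN   dba_users u ON u.username = d.username
WHERE  u.account_status = 'OPEN';

-- 2. Profiles that never lock or expire a password.
SELECT profile, resource_name, limit
FROM   dba_profiles
WHERE  resource_type = 'PASSWORD'
AND    resource_name IN ('FAILED_LOGIN_ATTEMPTS', 'PASSWORD_LIFE_TIME')
AND    limit = 'UNLIMITED';

-- 3. Who holds DBA, and who can read or change any table, or bypass VPD.
SELECT grantee, granted_role AS privilege FROM dba_role_privs
WHERE  granted_role = 'DBA'
UNION ALL
SELECT grantee, privilege FROM dba_sys_privs
WHERE  privilege IN ('SELECT ANY TABLE', 'UPDATE ANY TABLE', 'EXEMPT ACCESS POLICY');

-- 4. Network- and file-capable packages executable by everyone.
SELECT table_name AS package_name
FROM   dba_tab_privs
WHERE  grantee = 'PUBLIC'
AND    privilege = 'EXECUTE'
AND    table_name IN ('UTL_FILE', 'UTL_HTTP', 'UTL_TCP', 'UTL_SMTP', 'DBMS_JAVA');

-- 5. Instance parameters that weaken the baseline.
SELECT name, value
FROM   v$parameter
WHERE  (name = 'audit_trail'                 AND value = 'NONE')
OR     (name = 'remote_os_authent'           AND value = 'TRUE')
OR     (name = 'o7_dictionary_accessibility' AND value = 'TRUE')
OR     (name = 'sec_case_sensitive_logon'    AND value = 'FALSE');

-- Remediation for the common findings (assumed names; test before production).
ALTER PROFILE default LIMIT FAILED_LOGIN_ATTEMPTS 10 PASSWORD_LIFE_TIME 90;
REVOKE EXECUTE ON utl_file FROM PUBLIC;
REVOKE EXECUTE ON utl_http FROM PUBLIC;
ALTER SYSTEM SET remote_os_authent = FALSE SCOPE = SPFILE;
```

The value of a scanner over these ad hoc queries is the "real time" requirement: it re-runs them continuously and records who changed what, so a setting that drifts back is caught rather than rediscovered at the next audit. Revoking PUBLIC execute on UTL_FILE and friends does break software that relied on it, which is why the fix should be an explicit grant to the accounts that need it, not a blanket restore.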
Detection & Auditing Against Mis-use
Automated Activity Monitoring & Audit Reporting
Diagram: audit data from databases holding CRM, ERP and HR data is collected centrally, evaluated against policies, and surfaced to the auditor as alerts, built-in reports and custom reports.
REQUIREMENTS:
1. Automated Oracle and non-Oracle database activity monitoring
2. Detect and alert on suspicious activities
3. Out-of-the-box compliance reports
4. Custom forensic reports
5. Centralized management of audit policies (SOX, custom, etc.)
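The raw material the diagram collects is the database's own audit trail. As an added example that is not from the deck, here is what switching it on and asking it a forensic question looks like with standard auditing on 11g; the table, account and tablespace names (finance.customers, FIN_APP, dba_jsmith, AUDIT_TS) are assumptions.

```sql
-- Added example, not from the original deck. Standard auditing on 11g;
-- object, account and tablespace names are assumptions.

-- Write the audit trail to the database, including statement text and bind
-- values. Static parameter: takes effect after a restart.
ALTER SYSTEM SET audit_trail = DB,EXTENDED SCOPE = SPFILE;
-- Actions performed AS SYSDBA / SYSOPER bypass AUD$; send them to the OS trail.
ALTER SYSTEM SET audit_sys_operations = TRUE SCOPE = SPFILE;

-- Object audit on the sensitive table: one record per statement, success or failure.
AUDIT SELECT, INSERT, UPDATE, DELETE ON finance.customers BY ACCESS;
-- Account and privilege administration, by anyone.
AUDIT CREATE USER, ALTER USER, DROP USER, GRANT ANY PRIVILEGE, GRANT ANY ROLE,
      ALTER SYSTEM, AUDIT SYSTEM BY ACCESS;
-- Everything a named privileged account tries and fails (cheap, high signal).
AUDIT ALL BY dba_jsmith BY ACCESS WHENEVER NOT SUCCESSFUL;

-- Forensic report: reads of customers that did not come through the application.
SELECT timestamp, username, os_username, userhost, action_name, returncode, sql_text
FROM   dba_audit_trail
WHERE  owner = 'FINANCE' AND obj_name = 'CUSTOMERS'
AND    username <> 'FIN_APP'
AND    timestamp > SYSDATE - 1
ORDER  BY timestamp;

-- Alert condition: repeated bad passwords from one host in the last hour
-- (ORA-01017 is recorded as returncode 1017).
SELECT userhost, username, COUNT(*) AS failures
FROM   dba_audit_session
WHERE  returncode = 1017
AND    timestamp > SYSDATE - 1/24
GROUP  BY userhost, username
HAVING COUNT(*) >= 5;

-- Keep the trail out of the SYSTEM tablespace so it cannot fill it and can be
-- sized and purged on its own (11gR2 API).
BEGIN
  DBMS_AUDIT_MGMT.SET_AUDIT_TRAIL_LOCATION(
    audit_trail_type           => DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD,
    audit_trail_location_value => 'AUDIT_TS');
END;
/
```

The trail lives in SYS.AUD$, so a DBA being audited can also delete from it; the records only become evidence once they are copied off the box to a repository the DBA cannot write to, which is the job the diagram gives the central collector. Set audit_trail and audit_sys_operations before the first privileged session of interest, not after.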
Reverse and Undo Damaged Data
Secure Change Tracking

select salary from emp
  AS OF TIMESTAMP TO_TIMESTAMP('02-MAY-09 12.00 AM', 'DD-MON-RR HH.MI AM')
  where emp.title = 'admin'

REQUIREMENTS:
1. Transparently track data changes
2. Efficient, tamper-resistant storage of archives
3. Real-time access to historical data
4. Simplified forensics and error correction
5. Ability to roll back and undo damaged records, eliminating problems
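The query on the slide is one of several flashback forms. As an added example that is not from the deck, the set below walks from reading history, to identifying the transaction, to undoing it, to keeping history beyond undo retention with a Flashback Data Archive (the feature sold as Total Recall). The schema (HR), columns (emp_id, title, salary), row id 1042 and tablespace fda_ts are assumptions.

```sql
-- Added example, not from the original deck. Assumes hr.emp(emp_id, title,
-- salary) and undo retention that still covers the window queried.

-- 1. Point-in-time read: the slide's query with an explicit format mask.
SELECT salary
FROM   emp AS OF TIMESTAMP TO_TIMESTAMP('02-MAY-09 12.00 AM', 'DD-MON-RR HH.MI AM')
WHERE  title = 'admin';

-- 2. Every version of one row in the last two hours, and the transaction that wrote it.
SELECT versions_starttime, versions_endtime, versions_operation, versions_xid, salary
FROM   emp VERSIONS BETWEEN TIMESTAMP (SYSTIMESTAMP - INTERVAL '2' HOUR) AND SYSTIMESTAMP
WHERE  emp_id = 1042
ORDER  BY versions_starttime;

-- 3. Who made each change and the SQL that reverses it. UNDO_SQL is only
--    complete with supplemental logging on; the view needs SELECT ANY TRANSACTION.
ALTER DATABASE ADD SUPPLEMENTAL LOG DATA;
SELECT xid, logon_user, start_timestamp, operation, undo_sql
FROM   flashback_transaction_query
WHERE  table_owner = 'HR' AND table_name = 'EMP'
AND    start_timestamp > SYSTIMESTAMP - INTERVAL '2' HOUR
ORDER  BY start_timestamp;

-- 4a. Undo the damage for the whole table (needs row movement) ...
ALTER TABLE emp ENABLE ROW MOVEMENT;
FLASHBACK TABLE emp TO TIMESTAMP SYSTIMESTAMP - INTERVAL '2' HOUR;

-- 4b. ... or repair only the affected rows from the historical image.
UPDATE emp e
SET    salary = (SELECT h.salary
                 FROM   emp AS OF TIMESTAMP (SYSTIMESTAMP - INTERVAL '2' HOUR) h
                 WHERE  h.emp_id = e.emp_id)
WHERE  e.emp_id = 1042;
COMMIT;

-- 5. Flashback Data Archive: history kept for years, independent of undo
--    retention, in internal history tables that reject ordinary DML.
CREATE FLASHBACK ARCHIVE fda_7y TABLESPACE fda_ts QUOTA 10G RETENTION 7 YEAR;
ALTER TABLE emp FLASHBACK ARCHIVE fda_7y;
```

Steps 1 to 4 depend on undo still holding the old blocks, which is a matter of hours on a busy system; step 5 is what makes "real-time access to historical data" true a year later. The archive's tamper resistance covers DML against the history, not the ALTER TABLE ... NO FLASHBACK ARCHIVE that detaches it, so audit that statement and the FLASHBACK ARCHIVE ADMINISTER privilege alongside the data.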
Separation of Duties
Privileged User Access Control and Multifactor Authorization
Diagram: Procurement, HR and Finance data consolidated in one database; the application's access is allowed, while a DBA running "select * from finance.customers" is blocked.
REQUIREMENTS:
1. Keep privileged database users from abusing their powers
2. Address Separation of Duties requirements
3. Enforce security policies and block unauthorized database activities
4. Prevent application by-pass to protect application data
5. Securely consolidate application data
6. Requires no application changes
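The diagram's blocked "select * from finance.customers" is what a Database Vault realm produces. As an added example that is not from the deck, the block below builds that realm with the DBMS_MACADM API and adds a rule set so that even the application account can only read the table from its own subnet during business hours, which is the multi-factor authorization the title refers to. Realm, rule, schema, account and subnet names are assumptions.

```sql
-- Added example, not from the original deck. Requires Database Vault to be
-- installed and enabled; run as the Database Vault owner (DV_OWNER), not SYS.
-- All names below are assumptions.
BEGIN
  -- A realm fences the FINANCE schema off from system privileges such as
  -- SELECT ANY TABLE: a DBA who is not authorised gets ORA-47401.
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'Finance Data',
    description   => 'Customer and ledger tables owned by FINANCE',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'Finance Data',
    object_owner => 'FINANCE',
    object_name  => '%',
    object_type  => '%');
  -- The application account is a participant: it may use the objects through
  -- its ordinary object privileges, but cannot grant on them or administer
  -- the realm (that would need G_REALM_AUTH_OWNER).
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'Finance Data',
    grantee       => 'FIN_APP',
    rule_set_name => NULL,
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);

  -- Multi-factor authorisation: a rule set that holds only for connections
  -- from the application tier's subnet during business hours.
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'From app tier',
    rule_expr => 'SYS_CONTEXT(''USERENV'',''IP_ADDRESS'') LIKE ''10.0.1.%''');
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Business hours',
    rule_expr => 'TO_NUMBER(TO_CHAR(SYSDATE,''HH24'')) BETWEEN 6 AND 20');
  DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'App tier, business hours',
    description     => 'All rules must hold',
    enabled         => DBMS_MACUTL.G_YES,
    eval_options    => DBMS_MACUTL.G_RULESET_EVAL_ALL,
    audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
    fail_options    => DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => 'Finance data may only be read from the application tier',
    fail_code       => -20001,
    handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);
  DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'App tier, business hours', rule_name => 'From app tier');
  DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'App tier, business hours', rule_name => 'Business hours');

  -- A command rule ties SELECT on the table to that rule set, for every user.
  DBMS_MACADM.CREATE_COMMAND_RULE(
    command       => 'SELECT',
    rule_set_name => 'App tier, business hours',
    object_owner  => 'FINANCE',
    object_name   => 'CUSTOMERS',
    enabled       => DBMS_MACUTL.G_YES);
END;
/
```

The separation of duties comes from the roles Database Vault introduces: DV_OWNER manages realms and rules, DV_ACCTMGR manages accounts, and the DBA keeps the operational privileges but loses the ability to read realm-protected data or to grant himself a way in. Test the realm with a DBA session and check that the failed select appears in the Database Vault audit trail, since the audit option above records failures only.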
Prevent Unauthorized Insider Access
Data Classification for Access Control
REQUIREMENTS:
1. Classify users and data based on business drivers
2. Database enforced row level access control
3. User classification through Oracle Identity Management Suite
4. Classification labels can be factors in other policies
5. Certified with Oracle Database and is application agnostic
Diagram: transactions, report data and reports labelled Public, Sensitive or Confidential, with access decided by the user's classification.
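Requirement 2, row-level control enforced by the database rather than the application, rests on the Virtual Private Database mechanism, which Oracle Label Security builds on and packages with the label administration. As an added example that is not from the deck, here is that mechanism with the generic DBMS_RLS API: a clearance per account, carried in an application context that only a trusted package can set, and a predicate the database appends to every statement. The SEC schema, the clearance table, and a LABEL_LEVEL column on FINANCE.TRANSACTIONS (1 = Public, 2 = Sensitive, 3 = Confidential) are assumptions.

```sql
-- Added example, not from the original deck. Generic VPD (DBMS_RLS) row-level
-- access control; schema SEC, the clearance table and the LABEL_LEVEL column
-- on FINANCE.TRANSACTIONS are assumptions.

-- Each account's clearance, maintained by identity management, never by the user.
CREATE TABLE sec.user_clearance (
  username  VARCHAR2(30) PRIMARY KEY,
  clearance NUMBER(1)    NOT NULL CHECK (clearance BETWEEN 1 AND 3));
INSERT INTO sec.user_clearance VALUES ('ANALYST1', 2);   -- constructed sample
INSERT INTO sec.user_clearance VALUES ('AUDITOR1', 3);   -- constructed sample
COMMIT;

-- The clearance lives in an application context that only the trusted
-- package may write, so a session cannot raise its own level.
CREATE OR REPLACE CONTEXT clearance_ctx USING sec.clearance_pkg;

CREATE OR REPLACE PACKAGE sec.clearance_pkg AS
  PROCEDURE set_level;
END clearance_pkg;
/
CREATE OR REPLACE PACKAGE BODY sec.clearance_pkg AS
  PROCEDURE set_level IS
    v_level sec.user_clearance.clearance%TYPE;
  BEGIN
    SELECT clearance INTO v_level
    FROM   sec.user_clearance
    WHERE  username = SYS_CONTEXT('USERENV', 'SESSION_USER');
    DBMS_SESSION.SET_CONTEXT('clearance_ctx', 'level', TO_CHAR(v_level));
  EXCEPTION
    WHEN NO_DATA_FOUND THEN
      -- Unknown account: fail closed (sees nothing) rather than block the logon.
      DBMS_SESSION.SET_CONTEXT('clearance_ctx', 'level', '0');
  END set_level;
END clearance_pkg;
/
CREATE OR REPLACE TRIGGER sec.set_clearance_on_logon
  AFTER LOGON ON DATABASE
BEGIN
  sec.clearance_pkg.set_level;
END;
/

-- Policy function: returns the predicate the database appends to every
-- statement on the table. A session with no level set matches no rows.
CREATE OR REPLACE FUNCTION sec.label_predicate (
  p_schema IN VARCHAR2, p_object IN VARCHAR2) RETURN VARCHAR2 IS
BEGIN
  RETURN 'label_level <= TO_NUMBER(NVL(SYS_CONTEXT(''clearance_ctx'', ''level''), ''0''))';
END label_predicate;
/
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'FINANCE',
    object_name     => 'TRANSACTIONS',
    policy_name     => 'label_rls',
    function_schema => 'SEC',
    policy_function => 'label_predicate',
    statement_types => 'SELECT,INSERT,UPDATE,DELETE',
    update_check    => TRUE);   -- also stops writing rows above one's clearance
END;
/
```

With this in place ANALYST1 sees Public and Sensitive rows and AUDITOR1 sees all three, whatever tool they connect with, which is the "application agnostic" property in requirement 5. Two accounts bypass it: SYS, and anyone holding EXEMPT ACCESS POLICY. Both are worth a line in the configuration scan and, for the DBA, are exactly the gap the privileged-user controls on the previous slide close.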
Encrypt Sensitive or In-transit Data
Comprehensive Standards-Based Encryption
Diagram: data stays encrypted on disk, in backups, in exports, and at off-site facilities.
REQUIREMENTS:
1. Transparent data at rest encryption
2. Data stays encrypted when backed up
3. Encryption for data in transit
4. Strong authentication of users and servers
5. Certified with Oracle Database
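As an added example that is not from the deck, the Transparent Data Encryption setup behind requirements 1 and 3 on 11g, column and tablespace forms side by side, with the verification queries a reviewer would run. The wallet directory, wallet password, tablespace, datafile, table and index names are assumptions.

```sql
-- Added example, not from the original deck. Transparent Data Encryption on
-- 11g; all paths, passwords and object names are assumptions.
-- Prerequisite in sqlnet.ora (quoted here as a comment; it is not SQL):
--   ENCRYPTION_WALLET_LOCATION =
--     (SOURCE = (METHOD = FILE)(METHOD_DATA =
--       (DIRECTORY = /u01/app/oracle/admin/orcl/wallet)))

-- Create the wallet and the master key. The wallet password protects every
-- table and tablespace key, so it is not shared with any database account.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "w4ll3t-Pa55w0rd!";

-- Column encryption: one sensitive field, AES-256, salted (the default), so
-- equal SSNs do not produce equal ciphertext. Salted columns cannot be
-- indexed; use NO SALT only where an index on the column is required.
ALTER TABLE hr.employees MODIFY (ssn ENCRYPT USING 'AES256');

-- Tablespace encryption: every block written to the tablespace, indexes
-- included, so range scans and foreign keys keep working unchanged.
CREATE TABLESPACE secure_ts
  DATAFILE '/u02/oradata/orcl/secure01.dbf' SIZE 2G
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);
ALTER TABLE finance.customers MOVE TABLESPACE secure_ts;
-- MOVE invalidates the table's indexes and leaves the old cleartext blocks in
-- the previous datafile (and in old undo, redo and backups) until overwritten.
ALTER INDEX finance.customers_pk REBUILD;

-- Verify what is actually encrypted.
SELECT owner, table_name, column_name, encryption_alg, salt
FROM   dba_encrypted_columns;
SELECT t.name, e.encryptionalg, e.encryptedts
FROM   v$encrypted_tablespaces e
JOIN   v$tablespace t ON t.ts# = e.ts#;

-- After a restart the wallet must be opened before encrypted data is readable.
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "w4ll3t-Pa55w0rd!";

-- Data in transit: confirm this session negotiated native network encryption
-- (sqlnet.ora on the server: SQLNET.ENCRYPTION_SERVER = REQUIRED and
-- SQLNET.ENCRYPTION_TYPES_SERVER = (AES256)). The banner names the cipher.
SELECT network_service_banner
FROM   v$session_connect_info
WHERE  sid = SYS_CONTEXT('USERENV', 'SID');
```

TDE addresses the media in the diagram (stolen disks, tapes, exports) and nothing that goes through the SQL layer: a user with SELECT on the table sees cleartext, so it complements rather than replaces the access controls. Requirement 2 follows from the same wallet: RMAN backup encryption in transparent mode and Data Pump's ENCRYPTION option both use it, so backups and exports of encrypted data stay encrypted. A wallet on the same host as the database is only as safe as the DBA's access to that directory; an HSM-backed wallet is the answer where that threat matters.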
Securely Backup & Store Data Archives
Integrated Tape or Cloud Backup Management
REQUIREMENTS:
1. Secure data archival to tape or cloud
2. Easy to administer key management
3. Fastest Oracle Database tape backups
4. Leverage low-cost cloud storage
Mask data used in development & test
Irreversible De-Identification
REQUIREMENTS:
1. Remove sensitive data from non-production databases
2. Referential integrity preserved so applications continue to work
3. Sensitive data never leaves the database
4. Extensible template library and policies for automation
5. Supports heterogeneous database environments

Production:
LAST_NAME | SSN | SALARY
AGUILAR | 203-33-3234 | 40,000
BENSON | 323-22-2943 | 60,000

Non-Production (masked):
LAST_NAME | SSN | SALARY
ANSKEKSL | 111-23-1111 | 60,000
BKJHHEIEDK | 222-34-1345 | 40,000
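The sample table shows three masking strategies at once: random letters for names, synthetic SSNs, and salaries shuffled between rows. As an added example that is not from the deck and not the Data Masking Pack's own implementation, the script below does the same by hand in the non-production copy, keeping a child table consistent with the parent (requirement 2) and destroying the mapping afterwards so the result is irreversible. The tables emp(emp_id, last_name, ssn, salary) and payroll(emp_id, ssn, ...), the foreign key name, and the 900-series SSN prefix are assumptions.

```sql
-- Added example, not from the original deck. Run in the non-production copy
-- only, never in production. Assumes emp(emp_id, last_name, ssn, salary) and
-- a child table payroll(emp_id, ssn, ...) that must keep joining to emp on ssn.

-- If the copy inherited a Flashback Data Archive, old values would survive
-- masking; detach it first. Disable the FK for the two-table rewrite.
ALTER TABLE emp NO FLASHBACK ARCHIVE;
ALTER TABLE payroll DISABLE CONSTRAINT payroll_emp_ssn_fk;

-- 1. One-time map from each real SSN to a synthetic one. Random ordering makes
--    the assignment irreversible; the row number makes every value unique.
--    Synthetic values use a 900 prefix so they cannot collide with real ones.
CREATE TABLE mask_ssn_map AS
SELECT ssn AS real_ssn,
       SUBSTR(s, 1, 3) || '-' || SUBSTR(s, 4, 2) || '-' || SUBSTR(s, 6, 4) AS fake_ssn
FROM  (SELECT ssn,
              TO_CHAR(900000000 + ROW_NUMBER() OVER (ORDER BY DBMS_RANDOM.VALUE),
                      'FM000000000') AS s
       FROM  (SELECT DISTINCT ssn FROM emp));

-- 2. Apply the same map to the parent and every child, so joins still hold.
UPDATE emp e
SET    ssn = (SELECT m.fake_ssn FROM mask_ssn_map m WHERE m.real_ssn = e.ssn);
UPDATE payroll p
SET    ssn = (SELECT m.fake_ssn FROM mask_ssn_map m WHERE m.real_ssn = p.ssn);

-- 3. Names: random upper-case letters of the original length, as in the slide.
UPDATE emp SET last_name = DBMS_RANDOM.STRING('U', LENGTH(last_name));

-- 4. Salaries: shuffle the real values among employees. The distribution
--    (and any test that depends on it) is preserved, but no row is true.
MERGE INTO emp e
USING (SELECT a.emp_id, b.salary AS new_salary
       FROM  (SELECT emp_id, ROW_NUMBER() OVER (ORDER BY DBMS_RANDOM.VALUE) rn FROM emp) a
       JOIN  (SELECT salary, ROW_NUMBER() OVER (ORDER BY DBMS_RANDOM.VALUE) rn FROM emp) b
       ON     a.rn = b.rn) s
ON (e.emp_id = s.emp_id)
WHEN MATCHED THEN UPDATE SET e.salary = s.new_salary;
COMMIT;

ALTER TABLE payroll ENABLE CONSTRAINT payroll_emp_ssn_fk;

-- 5. Destroy the map: without it the masking cannot be reversed.
DROP TABLE mask_ssn_map PURGE;
PURGE RECYCLEBIN;

-- Checks: every SSN has the synthetic shape, and every child row still joins.
SELECT COUNT(*) AS unmasked FROM emp WHERE ssn NOT LIKE '9__-__-____';
SELECT COUNT(*) AS orphans
FROM   payroll p
WHERE  NOT EXISTS (SELECT 1 FROM emp e WHERE e.ssn = p.ssn);
```

Requirement 3, "sensitive data never leaves the database", is a statement about where this runs: inside the secured zone, on the clone, before the copy is handed to developers, so that no export of real values is ever written. The undo and redo generated by the masking itself still contain the originals for a while, which is a reason to mask before the clone is exposed rather than after. The shuffle preserves the salary distribution, which is what makes test data realistic and also what makes it unsuitable for anything that will be published.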
Application of MSA to Safeguard your Data
Recap of how to secure your business' most valuable asset
• Blocking & Logging: Perimeter Defense
• Auditing & Monitoring: Secure Configurations; Detect and Audit Mis-use; Reverse and undo Damage
• Access Control: Control Privileged Users; Multi-factor Authorization
• Encryption & Masking: Encrypt Sensitive & In-transit Data; Protect Data Back-ups; Mask Data for Dev. & Testing Use
Oracle Solutions Mapped to MSA
Oracle Solutions Mapped to MSA
Integrated products to deliver MSA capabilities for your Databases
• Blocking & Logging: Perimeter Defense: Database Firewall
• Auditing & Monitoring: Secure Configurations: Configuration Management Pack; Detect and Audit Mis-use: Audit Vault; Reverse and undo Damage: Total Recall
• Access Control: Control Privileged Users and Multi-factor Authorization: Database Vault; Label Security
• Encryption & Masking: Encrypt Sensitive & In-transit Data: Advanced Security Option; Protect Data Back-ups: Secure Backup; Mask Data for Dev. & Testing Use: Data Masking Pack
Daewoo Securities
Protecting Against Insider Threats
Business Challenges
• Internal threats are a major concern at Daewoo Securities. Several major companies in Korea have experienced data leaks
• Daewoo Securities had granted a high number of access privileges to super users, such as IT administrators
• Non-standard security solutions for protecting the company data
Solution
• Oracle Database
• Oracle Database Vault
• Oracle Advanced Security
Business Results
• Protected confidential HR data from being accessed by privileged users such as IT administrators, while ensuring they could still log in to systems to complete their jobs
• Enhanced information protection by encrypting data in the database and whenever it leaves the repository
Dongguk University
Automated Audit Data Collection, Improved Security, Reduced Costs with Reporting
Business
Challenges
• Students use the system to manage their profiles and timetables
online while teachers and staff use it to organize course details and
other important administrative tasks. One of the most important
parts of the deployment was the rollout of an auditing system to
provide control over user privilege rights and strengthen security.
Solution
• Oracle Database
• Oracle Real Application Clusters
• Oracle Audit Vault
Business
Results
• Automated the collection and consolidation of audit data, which
lowered the risk of insider security threats
• Provided audit controls which verified that only the authorized
application user was performing the specified database tasks
• Made the auditing process easy by providing useful information
such as user name, corresponding IP addresses, and role in the
application
• Allowed reports and audit policy functions to be viewed on screen,
eliminating the cost and time associated with completing manual
audits
Cornell University
Masks all sensitive data used for testing, training and development in their PeopleSoft environment
Business
Challenges
• Ensure reliable access to operational and academic systems
across a decentralized IT environment, including PeopleSoft
applications and a Blackboard learning system
Solution
• Implemented Enterprise Manager to automate monitoring of the university's IT infrastructure, including databases, middleware, and servers, saving time for IT managers and increasing transparency across the IT infrastructure
• Deployed Data Masking Pack as a component within Enterprise Manager (EM) to protect sensitive student info.
Business Results
• Data Masking obfuscated all sensitive data from PeopleSoft environments used for testing, training, and development
• EM enabled Cornell to be more proactive as an IT department, preventing or resolving performance problems before they're noticed, and anticipating the needs of students, faculty and staff
Summary
Oracle Database Security Solutions
Fits the Maximum Data Security Architecture framework
• Perimeter Security: Database Firewall
• Auditing and Monitoring: Audit Vault; Total Recall; Configuration Management
• Access Control: Database Vault; Label Security; Identity Management
• Encryption & Masking: Advanced Security; Secure Backup; Data Masking
• Comprehensive – single vendor addresses all your requirements
• Transparent – no changes to existing applications or databases
• Easy to deploy – point-n-click interfaces deliver value within hours
• Cost effective – integrated solutions reduce risk and lower TCO
• Proven – #1 Database with over 30 years of info security innovation!
Part of an End-to-End Security Solution
Data Security is a key part of the overall Maximum Security Architecture that covers your entire IT spectrum
Diagram: the layered stack from earlier (Infrastructure, Databases, Applications, Content, Information) with Identity Management and Information Rights Management spanning it; Database Security sits on top of Infrastructure Security.
Oracle Security Customers are everywhere
Financial Services
Manufacturing & Technology
Public Sector
Transportation & Services
Telecommunication
Retail
Because Oracle is #1 and Most Secure
Chart (Gartner DataQuest, 2008): Oracle 48.6%, IBM 20.7%, Microsoft 18.1%, Other 12.6%.
"Most DBMS vendors offer basic security features; Oracle's offering is most comprehensive." Source: Forrester Database Security Market Report, 2009.