Talk IT_ Oracle_김상엽_110822

40 pages

© 2011 Oracle Corporation

Upload: cana-ko

Post on 18-Nov-2014


Page 1: Talk IT_ Oracle_김상엽_110822

Page 2: Talk IT_ Oracle_김상엽_110822

Protect Your Most Sensitive Data

Build a Maximum Security Architecture

Ryan Kim | Senior Manager, Technology Readiness and Developer Program

Page 3: Talk IT_ Oracle_김상엽_110822

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.

Page 4: Talk IT_ Oracle_김상엽_110822

Agenda

• Data Security Trends

• How Are Threats Getting In?

• What is Maximum Security Architecture

• Oracle Solutions Mapped to MSA

• Summary

• Q&A

Page 5: Talk IT_ Oracle_김상엽_110822

More data than ever…

[Chart: 1,800 exabytes, with growth doubling yearly, 2006 to 2011. Source: IDC, 2008]

Page 6: Talk IT_ Oracle_김상엽_110822

Data Breach

More breaches than ever…

Once exposed, the data is out there – the bell can't be un-rung

[Chart: publicly reported data breaches and total personally identifying information records exposed (millions), 2005 to 2008, on a 0 to 400 scale; a 630% increase. Source: DataLossDB, Ponemon Institute, 2009]

Average cost of a data breach: $202 per record

Average total cost exceeds $6.6 million per breach

Page 7: Talk IT_ Oracle_김상엽_110822

More threats than ever…

70% of attacks originate inside the perimeter

90% of attacks are perpetrated by employees with privileged access

Page 8: Talk IT_ Oracle_김상엽_110822

More regulations than ever…

• Federal, state, local, industry… adding more mandates every year!

• Need to meet AND demonstrate compliance

• Compliance costs are unsustainable

[Chart: "Report and audit?"; 90% of companies are behind in compliance. Source: IT Policy Compliance Group, 2007.]

Page 9: Talk IT_ Oracle_김상엽_110822

Compliance

• Current legal framework for personal information protection

• Personal Information Protection Act (in force from September 2011)

• Applies to every industry, whether online or offline.

• The Information and Communications Network Act and the Credit Information Act remain in force.

• The Network Act and the Credit Information Act apply first to telecommunications carriers and financial institutions; the Personal Information Protection Act applies to matters those acts do not regulate.

• Businesses other than telecommunications carriers that were previously covered by the Network Act by extension (준용사업자) are all removed from the Network Act and fall directly under the Personal Information Protection Act.

Sector | Individual law | Covered entities | Competent ministry

Public sector | Act on the Protection of Personal Information Maintained by Public Institutions | Public institutions | Ministry of Public Administration and Security

Private sector, information & communications | Information and Communications Network Act | Information and communications service providers | Korea Communications Commission

Private sector, finance/credit | Credit Information Act | Credit information providers/users | Financial Services Commission

[Diagram: the three laws mapped to the public, telecommunications, financial and other sectors]

Page 10: Talk IT_ Oracle_김상엽_110822

Higher Costs Than Ever…

• User Management Costs

• User Productivity Costs

• Compliance & Remediation Costs

• Security Breach Remediation Costs

It Adds Up

Page 11: Talk IT_ Oracle_김상엽_110822

Biggest Barrier to Cloud Computing Adoption? Security!

74% rate cloud security issues as "very significant"

Source: IDC

Page 12: Talk IT_ Oracle_김상엽_110822

(Agenda repeated as a section divider)

Page 13: Talk IT_ Oracle_김상엽_110822

Over 900M Breached Records Resulted from Compromised Database Servers

Type | Category | % Breaches | % Records

Database Server | Servers & Applications | 25% | 92%

Desktop Computer | End-User Devices | 21% | 1%

Verizon 2010 Data Breach Investigations Report

Page 14: Talk IT_ Oracle_김상엽_110822

SQL Injection Attacks Against Databases Responsible for 89% of Breached Data

• SQL injection is a technique for controlling responses from the database server through the web application

• It can't be fixed by simply applying a patch, tweaking a setting, or changing a single page

• SQL injection vulnerabilities are endemic, and to fix them you have to overhaul all your code.

Verizon 2010 Data Breach Investigations Report

"The versatility and effectiveness of SQL Injection make it a multi-tool of choice among cybercriminals."
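The code-level nature of the fix the slide describes, shown as an added example that is not part of the original presentation: a lookup that splices input into the SQL text beside the same lookup with bound parameters, run against a constructed customers table in Python's built-in sqlite3 with a constructed hostile input.

```python
import sqlite3

# Constructed sample data standing in for the application data that the
# slide says attackers reach through the web tier.
SAMPLE_ROWS = [
    ("alice", "alice@example.com", "public"),
    ("bob", "bob@example.com", "confidential"),
    ("carol", "carol@example.com", "confidential"),
]


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT, email TEXT, label TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, name):
    # The web tier splices user input straight into the SQL text, so the
    # input can change the query the database sees, not just a value in it.
    sql = f"SELECT name, email FROM customers WHERE label = 'public' AND name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    # Bound parameters keep the query text fixed; the input is only ever
    # compared as a value, so it cannot alter the WHERE clause.
    sql = "SELECT name, email FROM customers WHERE label = 'public' AND name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    conn = build_db()
    # Constructed test input: closes the quoted string and adds a tautology.
    hostile = "' OR '1'='1"
    rows_vulnerable = lookup_vulnerable(conn, hostile)   # every row, including confidential ones
    rows_parameterized = lookup_parameterized(conn, hostile)  # nothing: no such name
    rows_normal = lookup_parameterized(conn, "alice")    # the one public row
    return len(rows_vulnerable), len(rows_parameterized), len(rows_normal)


if __name__ == "__main__":
    print(demo())
```

The only difference between the two lookups is how the input reaches the query, which is why a patch or a setting cannot close this class of bug and each query site has to be changed.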

Page 15: Talk IT_ Oracle_김상엽_110822

66% of Organizations Vulnerable to SQL Injection Attacks

[Chart: survey responses to "Taken steps to prevent SQL injection attacks?"]

2010 IOUG Data Security Survey Report

Page 16: Talk IT_ Oracle_김상엽_110822

Traditional Security Solutions Leave Data within Databases Vulnerable

[Diagram: the database, its applications, and its database users and administrators, surrounded by threats: Botware, Malware, Key Loggers, Espionage, Spear Phishing, SQL Injection, Social Engineering]

Maximum Security Architecture Protects Your Most Sensitive Area: Your Data

Page 17: Talk IT_ Oracle_김상엽_110822

(Agenda repeated as a section divider)

Page 18: Talk IT_ Oracle_김상엽_110822

Maximum Security Architecture

Safeguards your Information Technology environment at every layer, leaving no weak link

Infrastructure Security

• Network Security

• Hardware Security

• OS / Firmware Security

• Virtualization Security

Identity Management

• User Provisioning

• Role Management

• Entitlements Management

• Risk-Based Access Control

• Virtual Directories

Information Rights Management

• Track and Audit Document Usage

• Control & Revoke Document Access

• Secured Inside or Outside Firewall

• Centralized Policy Administration

Database Security

[Diagram: Infrastructure Security and Database Security on the Infrastructure side; Identity Management and Information Rights Management on the Information side, covering Databases, Applications and Content]

Today we will focus on Maximum DATA Security Architecture for the Database tier

Page 19: Talk IT_ Oracle_김상엽_110822

Maximum Data Security Architecture

1. Perimeter Defense

2. Monitoring: Secure Configuration; Detect & Audit Mis-use; Reverse & Undo Damage

3. Access Control: Multi-factor Authorization; Privileged User Controls

4. Encryption & Masking: Encrypt Data In-Transit; Protect Data Backups; Mask Data Used in Dev. & Testing

Page 20: Talk IT_ Oracle_김상엽_110822

Oracle Configuration Management

Vulnerability Assessment & Secure Configuration

REQUIREMENTS:

1. Discovers databases, OS, hosts, remote end-points, apps & app servers

2. Continuous scanning against 375+ best practices & industry standards, extensible

3. Detect, prevent and roll back unauthorized configuration changes in real time

4. Change management compliance reports

5. Platform & vendor agnostic

[Diagram: lifecycle Discover, Classify, Assess, Monitor, Prioritize, Fix, built on Asset Management, Policy Management, Vulnerability Management, Configuration Management & Audit, and Analysis & Analytics]

Page 21: Talk IT_ Oracle_김상엽_110822

Detection & Auditing Against Mis-use

Automated Activity Monitoring & Audit Reporting

[Diagram: audit data from CRM, ERP, HR and other databases is collected under central policies and feeds built-in reports, custom reports and alerts to the auditor]

REQUIREMENTS:

1. Automated Oracle and non-Oracle database activity monitoring

2. Detect and alert on suspicious activities

3. Out-of-the-box compliance reports

4. Custom forensic reports

5. Centralized management of audit policies (SOX, custom, etc.)

Page 22: Talk IT_ Oracle_김상엽_110822

Reverse and Undo Damaged Data

Secure Change Tracking

select salary from emp AS OF TIMESTAMP TO_TIMESTAMP('02-MAY-09 12.00 AM', 'DD-MON-YY HH.MI AM') where emp.title = 'admin'

REQUIREMENTS:

1. Transparently track data changes

2. Efficient, tamper-resistant storage of archives

3. Real-time access to historical data

4. Simplified forensics and error correction

5. Ability to roll back and undo damaged records, eliminating problems

Page 23: Talk IT_ Oracle_김상엽_110822

Separation of Duties

Privileged User Access Control and Multifactor Authorization

[Diagram: Procurement, HR and Finance application data inside the database; the Application and a DBA each issue "select * from finance.customers"]

REQUIREMENTS:

1. Keep privileged database users from abusing their powers

2. Address Separation of Duties requirements

3. Enforce security policies and block unauthorized database activities

4. Prevent application by-pass to protect application data

5. Securely consolidate application data

6. Requires no application changes

Page 24: Talk IT_ Oracle_김상엽_110822

Prevent Unauthorized Insider Access

Data Classification for Access Control

REQUIREMENTS:

1. Classify users and data based on business drivers

2. Database-enforced row level access control

3. User classification through Oracle Identity Management Suite

4. Classification labels can be factors in other policies

5. Certified with Oracle Database and is application agnostic

[Diagram: Transactions, Report Data and Reports labelled Confidential, Sensitive or Public]

Page 25: Talk IT_ Oracle_김상엽_110822

Encrypt Sensitive or In-transit Data

Comprehensive Standards-Based Encryption

[Diagram: encrypted data on disk, in backups and exports, and at off-site facilities]

REQUIREMENTS:

1. Transparent data-at-rest encryption

2. Data stays encrypted when backed up

3. Encryption for data in transit

4. Strong authentication of users and servers

5. Certified with Oracle Database

Page 26: Talk IT_ Oracle_김상엽_110822

Securely Backup & Store Data Archives

Integrated Tape or Cloud Backup Management

REQUIREMENTS:

1. Secure data archival to tape or cloud

2. Easy to administer key management

3. Fastest Oracle Database tape backups

4. Leverage low-cost cloud storage

Page 27: Talk IT_ Oracle_김상엽_110822

Mask data used in development & test

Irreversible De-Identification

REQUIREMENTS:

1. Remove sensitive data from non-production databases

2. Referential integrity preserved so applications continue to work

3. Sensitive data never leaves the database

4. Extensible template library and policies for automation

5. Supports heterogeneous database environments

Production:

LAST_NAME | SSN | SALARY

AGUILAR | 203-33-3234 | 40,000

BENSON | 323-22-2943 | 60,000

Non-Production (masked):

LAST_NAME | SSN | SALARY

ANSKEKSL | 111-23-1111 | 60,000

BKJHHEIEDK | 222-34-1345 | 40,000
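A keyed, one-way masking routine in the spirit of the production/non-production table above, added here as an example that is neither Oracle's Data Masking Pack nor code from the presentation; it assumes a constructed employees table plus a constructed payroll table keyed by SSN, so that referential integrity surviving the mask can be checked.

```python
import hashlib
import hmac
import random
import secrets
import string

# Constructed production sample: the two slide rows, plus a payroll table that
# references employees by SSN (the referential link masking must preserve).
EMPLOYEES = [
    {"last_name": "AGUILAR", "ssn": "203-33-3234", "salary": 40000},
    {"last_name": "BENSON", "ssn": "323-22-2943", "salary": 60000},
]
PAYROLL = [
    {"ssn": "203-33-3234", "amount": 3333},
    {"ssn": "323-22-2943", "amount": 5000},
]


class Masker:
    # Keyed, one-way masking: the key is generated per run and never stored,
    # so the mapping is consistent within a run but cannot be reversed later.
    def __init__(self, key=None, seed=None):
        self.key = key if key is not None else secrets.token_bytes(32)
        self.rng = random.Random(seed)

    def mask_ssn(self, ssn):
        # Same real SSN -> same fake SSN in every table (HMAC under the run key),
        # so joins between masked tables still line up.
        digest = hmac.new(self.key, ssn.encode(), hashlib.sha256).digest()
        digits = f"{int.from_bytes(digest[:8], 'big') % 10**9:09d}"
        return f"{digits[:3]}-{digits[3:5]}-{digits[5:]}"

    def mask_name(self, length=8):
        # Random letters with no link to the original, like ANSKEKSL on the slide.
        return "".join(self.rng.choice(string.ascii_uppercase) for _ in range(length))

    def mask_tables(self, employees, payroll):
        # Salaries are shuffled across rows: realistic values, detached from owners.
        salaries = [e["salary"] for e in employees]
        self.rng.shuffle(salaries)
        masked_emp = [{"last_name": self.mask_name(), "ssn": self.mask_ssn(e["ssn"]),
                       "salary": s} for e, s in zip(employees, salaries)]
        masked_pay = [{"ssn": self.mask_ssn(p["ssn"]), "amount": p["amount"]}
                      for p in payroll]
        return masked_emp, masked_pay


def referential_integrity_ok(employees, payroll):
    # Every payroll row must still resolve to exactly one employee row.
    ssns = [e["ssn"] for e in employees]
    return len(set(ssns)) == len(ssns) and all(p["ssn"] in ssns for p in payroll)
```

Because the HMAC key lives only for the run, two separate masking runs produce unrelated fake SSNs, and a masked copy cannot be mapped back to production even by someone who holds the masking code.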

Page 28: Talk IT_ Oracle_김상엽_110822

Application of MSA to Safeguard your Data

Recap of how to secure your business' most valuable asset

Access Control: Control Privileged Users; Multi-factor Authorization

Encryption & Masking: Encrypt Sensitive & In-transit Data; Protect Data Back-ups; Mask Data for Dev. & Testing Use

Auditing & Monitoring: Secure Configurations; Detect and Audit Mis-use; Reverse and Undo Damage

Perimeter Defense: Blocking & Logging

Page 29: Talk IT_ Oracle_김상엽_110822

(Agenda repeated as a section divider)

Page 30: Talk IT_ Oracle_김상엽_110822

Oracle Solutions Mapped to MSA

Integrated products to deliver MSA capabilities for your Databases

Access Control (Control Privileged Users; Multi-factor Authorization): Database Vault; Label Security

Encryption and Masking (Encrypt Sensitive & In-transit Data; Protect Data Back-ups; Mask Data for Dev. & Testing Use): Advanced Security Option; Secure Back-up; Data Masking Pack

Auditing and Monitoring (Secure Configurations; Detect and Audit Mis-use; Reverse and Undo Damage): Configuration Management Pack; Audit Vault; Total Recall

Perimeter Defense (Blocking and Logging): Database Firewall

Page 31: Talk IT_ Oracle_김상엽_110822

Daewoo Securities

Protecting Against Insider Threats

Business Challenges

• Internal threats are a major concern at Daewoo Securities; several major companies in Korea have experienced data leaks

• Daewoo Securities had granted a high number of access privileges to super users, such as IT administrators

• Non-standard security solutions were being used to protect the company data

Solution

• Oracle Database

• Oracle Database Vault

• Oracle Advanced Security

Business Results

• Protected confidential HR data from being accessed by privileged users such as IT administrators, while ensuring they could still log in to systems to complete their jobs

• Enhanced information protection by encrypting data in the database and whenever it leaves the repository

Page 32: Talk IT_ Oracle_김상엽_110822

Dongguk University

Automated Audit Data Collection, Improved Security, Reduced Costs with Reporting

Business Challenges

• Students use the system to manage their profiles and timetables online, while teachers and staff use it to organize course details and other important administrative tasks. One of the most important parts of the deployment was the rollout of an auditing system to provide control over user privilege rights and strengthen security.

Solution

• Oracle Database

• Oracle Real Application Clusters

• Oracle Audit Vault

Business Results

• Automated the collection and consolidation of audit data, which lowered the risk of insider security threats

• Provided audit controls which verified that only the authorized application user was performing the specified database tasks

• Made the auditing process easy by providing useful information such as user name, corresponding IP addresses, and role in the application

• Allowed reports and audit policy functions to be viewed on screen, eliminating the cost and time associated with completing manual audits

Page 33: Talk IT_ Oracle_김상엽_110822

Cornell University

Masks all sensitive data used for testing, training and development in their PeopleSoft environment

Business Challenges

• Ensure reliable access to operational and academic systems across a decentralized IT environment, including PeopleSoft applications and a Blackboard learning system

Solution

• Implemented Enterprise Manager to automate monitoring of the university's IT infrastructure (including databases, middleware, and servers), saving time for IT managers and increasing transparency across the IT infrastructure

• Deployed Data Masking Pack as a component within Enterprise Manager (EM) to protect sensitive student information

Business Results

• Data Masking obfuscated all sensitive data in PeopleSoft environments used for testing, training, and development

• EM enabled Cornell to be more proactive as an IT department, preventing or resolving performance problems before they're noticed, and anticipating the needs of students, faculty and staff

Page 34: Talk IT_ Oracle_김상엽_110822

(Agenda repeated as a section divider)

Page 35: Talk IT_ Oracle_김상엽_110822

Oracle Database Security Solutions

Fits the Maximum Data Security Architecture framework

Access Control: Database Vault; Label Security; Identity Management

Encryption & Masking: Advanced Security; Secure Backup; Data Masking

Auditing and Monitoring: Audit Vault; Total Recall; Configuration Management

Perimeter Security: Database Firewall

• Comprehensive – single vendor addresses all your requirements

• Transparent – no changes to existing applications or databases

• Easy to deploy – point-n-click interfaces deliver value within hours

• Cost effective – integrated solutions reduce risk and lower TCO

• Proven – #1 Database with over 30 years of info security innovation!

Page 36: Talk IT_ Oracle_김상엽_110822

Part of an End-to-End Security Solution

Data Security is a key part of the overall Maximum Security Architecture that covers your entire IT spectrum

[Diagram: Infrastructure Security and Database Security on the Infrastructure side; Identity Management and Information Rights Management on the Information side, covering Databases and Applications]

Page 37: Talk IT_ Oracle_김상엽_110822

Oracle Security Customers are everywhere

Financial Services

Manufacturing & Technology

Public Sector

Transportation & Services

Telecommunication

Retail

Page 38: Talk IT_ Oracle_김상엽_110822

Because Oracle is #1 and Most Secure

[Pie chart: Oracle 48.6%, IBM 20.7%, Microsoft 18.1%, Other 12.6%]

Source: Gartner DataQuest, 2008; Forrester Database Security Market Report, 2009

"Most DBMS vendors offer basic security features; Oracle's offering is most comprehensive."
