Oracle Database Security Mythbusting

Post on 12-Sep-2021

Transcript of Oracle Database Security Mythbusting

Oracle Database Security Mythbusting: Don’t Be Afraid to Use Something You Already Own, or Try Something New

February 2011

Bob Bocchino, CISA ERM, Security and Compliance Business Advisor, IBU Technology Global Business Unit

Don Shepherd, CISSP, Security Solution Specialist, North American Technology Organization

Industries Business Unit, Technology Global Business Unit

Budget

Availability

Performance

Security

Myth #1: Network & Application Security Protects My Data

Information Security Focus

Network Application Identity Database

Willie Sutton – Bank Robber

$2 million stolen between 1920’s and 1952

“Because that’s where the money is.”

Willie’s response to a question “Why do you rob banks?”

In other words ...

What are the High Value Target Systems?

From a study conducted by the Verizon RISK team in conjunction with the US Secret Service

Concentrate on the Greatest Risk

Types of Hacking / Percent of Breached Records

Address the REAL Threat

Lock the Database at different levels

Myth #2: I Have to Buy Something Extra to Protect My Oracle Database

Security Access Controls

Encryption Toolkit

Standard and Fine Grained Auditing

Virtual Private Database

Encryption Myths

Myth #3: Encrypting Data Makes Databases Unusable

Reality

Myth #4: Encryption Requires Application Changes

Reality

Myth #5: All Encryption is Created Equal

Reality

Auditing Myths

Myth #6: Native Auditing Brings My Database to its Knees

Reality

Access Control Myths

Myth #7: Database Level Access Control is Hard to Deploy

Reality

Myth #8: Privileged User Access Controls Stop DBAs from Doing Their Jobs

Reality

Mythbusting Summary

Native / Options

Encryption: Encryption Programming Toolkit – DBMS_CRYPTO / Transparent Data Encryption

Access Control: Native Database Access Control including Virtual Private Database / Database Vault

Audit: Standard Database Audit and Fine Grained Audit / Audit Vault

California Senate Bill 1386: Security Breach Notification

Any agency that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

HIPAA and HITECH: Security Breach Notification

What Are Encryption and Data Masking?

Data Losses from Production, Back-Up, Development & Partners

No Disclosure Required

Thank You
