Oracle Database Security Mythbusting
Transcript of Oracle Database Security Mythbusting
Don’t Be Afraid to Use Something You Already Own, or Try Something New
February 2011
Bob Bocchino, CISA ERM, Security and Compliance Business Advisor, Industries Business Unit, Technology Global Business Unit
Don Shepherd, CISSP, Security Solution Specialist, North American Technology Organization
Budget
Availability
Performance
Security
Myth #1: Network & Application Security Protects My Data
Information Security Focus
Network / Application / Identity / Database
Willie Sutton, Bank Robber: $2 million stolen between the 1920s and 1952
“Because that’s where the money is.”
Willie’s response to the question “Why do you rob banks?”
In other words ...
What are the High Value Target Systems?
From a study conducted by the Verizon RISK team in conjunction with the US Secret Service
Concentrate on the Greatest Risk
Types of Hacking / Percent of Breached Records
From a study conducted by the Verizon RISK team in conjunction with the US Secret Service
Address the REAL Threat
Lock the Database at different levels
Myth #2: I Have to Buy Something Extra to Protect My Oracle Database
Security Access Controls
Encryption Toolkit
Standard and Fine Grained Auditing
Virtual Private Database
Encryption Myths
Myth #3: Encrypting Data Makes Databases Unusable
Reality
Myth #4: Encryption Requires Application Changes
Reality
Myth #5: All Encryption is Created Equal
Reality
Auditing Myths
Myth #6: Native Auditing Brings My Database to its Knees
Reality
Access Control Myths
Myth #7: Database Level Access Control is Hard to Deploy
Reality
Myth #8: Privileged User Access Controls Stop DBAs from Doing Their Jobs
Reality
Mythbusting Summary

Area            Native Options                                                        Additional Oracle Options
Encryption      Programming Toolkit (DBMS_CRYPTO)                                     Transparent Data Encryption
Access Control  Native Database Access Control, including Virtual Private Database    Database Vault
Audit           Standard Database Audit and Fine Grained Audit                        Audit Vault
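The native options listed under "Security Access Controls" and again in the summary above (DBMS_CRYPTO, Transparent Data Encryption, Virtual Private Database, Fine Grained Auditing) are all driven from SQL and PL/SQL already shipped with the database. The following is an added example, not code from the deck or from Oracle's documentation, that exercises each of them against a constructed schema: the HR.EMPLOYEES table with SSN and DEPARTMENT_ID columns, an application context APP_CTX carrying DEPT_ID, and the policy names and the function EMP_DEPT_POLICY are all assumptions made here for illustration.

```sql
-- Added example (not from the original deck). HR.EMPLOYEES, its SSN and
-- DEPARTMENT_ID columns, the APP_CTX context and all policy names are assumed.

-- 1. Encryption toolkit: DBMS_CRYPTO, AES-256 in CBC mode with PKCS#5 padding.
--    The algorithm is the easy part; key storage and IV handling are what make
--    one encryption deployment stronger than another.
DECLARE
  l_key   RAW(32) := DBMS_CRYPTO.RANDOMBYTES(32);          -- 256-bit key (store it outside the table!)
  l_iv    RAW(16) := DBMS_CRYPTO.RANDOMBYTES(16);          -- fresh IV per encrypted value
  l_mode  PLS_INTEGER := DBMS_CRYPTO.ENCRYPT_AES256
                       + DBMS_CRYPTO.CHAIN_CBC
                       + DBMS_CRYPTO.PAD_PKCS5;
  l_plain RAW(2000) := UTL_RAW.CAST_TO_RAW('123-45-6789'); -- constructed sample value
  l_enc   RAW(2000);
  l_dec   RAW(2000);
BEGIN
  l_enc := DBMS_CRYPTO.ENCRYPT(src => l_plain, typ => l_mode, key => l_key, iv => l_iv);
  l_dec := DBMS_CRYPTO.DECRYPT(src => l_enc,   typ => l_mode, key => l_key, iv => l_iv);
  -- The round trip must give back the original bytes.
  IF UTL_RAW.CAST_TO_VARCHAR2(l_dec) <> '123-45-6789' THEN
    RAISE_APPLICATION_ERROR(-20001, 'DBMS_CRYPTO round trip failed');
  END IF;
END;
/

-- 2. Transparent Data Encryption: encrypt the column in place. Application SQL
--    is unchanged; the wallet/keystore must be open before this runs.
ALTER TABLE hr.employees MODIFY (ssn ENCRYPT USING 'AES256');

-- 3. Virtual Private Database: the policy function returns a predicate that the
--    kernel appends to every SELECT/UPDATE/DELETE on the table, so a session
--    only ever sees its own department's rows, whatever SQL the client sends.
CREATE OR REPLACE FUNCTION hr.emp_dept_policy (
  p_schema IN VARCHAR2,
  p_object IN VARCHAR2
) RETURN VARCHAR2 AS
BEGIN
  -- SYS_CONTEXT is set server-side at login; the predicate never trusts client input.
  RETURN 'department_id = SYS_CONTEXT(''APP_CTX'', ''DEPT_ID'')';
END;
/

BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'HR',
    object_name     => 'EMPLOYEES',
    policy_name     => 'EMP_DEPT_RLS',
    function_schema => 'HR',
    policy_function => 'EMP_DEPT_POLICY',
    statement_types => 'SELECT,UPDATE,DELETE',
    update_check    => TRUE);   -- also block updates that would move a row out of scope
END;
/

-- 4. Fine Grained Auditing: record only statements that actually touch the SSN
--    column, with SQL text and bind values, instead of auditing every access.
BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema   => 'HR',
    object_name     => 'EMPLOYEES',
    policy_name     => 'AUDIT_SSN_ACCESS',
    audit_column    => 'SSN',
    statement_types => 'SELECT,UPDATE',
    audit_trail     => DBMS_FGA.DB_EXTENDED);
END;
/

-- Checks: confirm both policies are enabled and review what FGA captured.
SELECT policy_name, enable  FROM dba_policies       WHERE object_name = 'EMPLOYEES';
SELECT policy_name, enabled FROM dba_audit_policies WHERE object_name = 'EMPLOYEES';
SELECT db_user, timestamp, sql_text, sql_bind
  FROM dba_fga_audit_trail
 WHERE policy_name = 'AUDIT_SSN_ACCESS';
```

The VPD and FGA steps need EXECUTE on DBMS_RLS and DBMS_FGA, and the TDE step needs the wallet open; none of them require the application's SQL to change, which is the point the summary table makes about the native options.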
California Senate Bill 1386: Security Breach Notification
Any agency that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
HIPAA and HITECH: Security Breach Notification
What Are Encryption and Data Masking?
Data Losses from Production, Back-Up, Development & Partners
No Disclosure Required
Thank You