Oracle Database Security


Kwesi Edwards, Principal Solutions Architect, Oracle Higher Education
Dominic Young, Account Manager, Oracle Higher Education
Data Security Lifecycle

Inbound Data
• Network Encryption
• Strong Authentication
• Identity Management Integration

Storage
• Transparent Data Encryption
• Secure Backup

Monitor
• Configuration Scanning
• Audit Vault

Access Control
• Database Vault
• Oracle Label Security
• Fusion Security

Outbound Data
• Network Encryption
Agenda

• Network Encryption
  • Encryption of data in motion
• Strong Authentication
  • PKI, Kerberos, Radius
• Data Encryption
  • Encryption of data at rest
• Secure Backup
• Oracle Data Vault
• DB Auditing
• Audit Vault
Network Security Threats

1. Data Theft: my competitor sees my bids in a sealed auction.
2. Data Modification or Replay: a $50,000 bid is altered to $500.00 in transit.
3. Data Disruption: packet stolen, order never arrives.
Network Encryption

• Provided by Oracle for nearly a decade


• Encrypts all communication with the database
• AES
• RSA RC4 (40-, 56-, 128-, 256-bit keys)
• DES (40-, 56-bit) and 3DES (2- and 3-key)
• Data integrity with checksums
• MD5, SHA-1
• Automatically detects modifications, replays, missing packets
• Easy to set up
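As an added example (not from the deck), the server-side settings that enforce what this slide describes, pinned to the strongest algorithms it lists, followed by the check a DBA runs to confirm sessions are actually encrypted; the sqlnet.ora lines appear as a comment because they are not SQL, and the banner wording is assumed to be the 10g/11g format:

```sql
-- Server-side sqlnet.ora that enforces network encryption and integrity,
-- restricted to AES256 (encryption) and SHA-1 (checksum):
--   SQLNET.ENCRYPTION_SERVER            = REQUIRED
--   SQLNET.ENCRYPTION_TYPES_SERVER      = (AES256)
--   SQLNET.CRYPTO_CHECKSUM_SERVER       = REQUIRED
--   SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA1)
-- REQUIRED rejects clients that cannot negotiate encryption; ACCEPTED or
-- REQUESTED silently fall back to clear text, which the second query detects.

-- What the current session negotiated: one banner row per service
-- (authentication, encryption, crypto-checksumming); adapter rows name the algorithm.
SELECT network_service_banner
FROM   v$session_connect_info
WHERE  sid = SYS_CONTEXT('USERENV', 'SID');

-- Defender's check before switching the server to REQUIRED: user sessions with
-- no "encryption service adapter" banner are talking to the database in clear text.
-- Banner text is version-dependent (assumed: 10g/11g wording).
SELECT s.sid, s.username, s.osuser, s.machine, s.program
FROM   v$session s
WHERE  s.type = 'USER'
AND    NOT EXISTS (
         SELECT 1
         FROM   v$session_connect_info c
         WHERE  c.sid = s.sid
         AND    c.network_service_banner LIKE '%encryption service adapter%')
ORDER  BY s.machine, s.username;
```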
Strong Authentication

• Kerberos
• Ease of deployment makes this a popular choice
• PKI
• Large customers are working on full scale deployments
• Strong interest among large Universities
• Oracle supports SSL accelerators
• Radius
• Database integrates with RADIUS
The Need for Encryption

• Worldwide privacy, security laws and regulations
  • Sarbanes-Oxley
  • PCI
  • California SB 1386
  • Country-specific laws

Customer credit card numbers are exposed when disks are replaced for maintenance, laptops are stolen or backups are lost; the data is worthless to whoever finds it if it is encrypted.
The DBMS_CRYPTO Package

• Formerly DBMS_OBFUSCATION (Release 8)


• Extensive control of options
• Generate as many, or as few keys as you desire
• Granular access control, manual salt generation, algorithm selection, chaining mode
• Limited Transparency
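An added PL/SQL example (not from the deck) of the control the slide describes: the caller picks the algorithm, chaining mode and padding, generates a fresh IV per value, and adds an integrity tag. The card number is a constructed test value, the keys are generated in-line for illustration, and the schema is assumed to have been granted EXECUTE ON DBMS_CRYPTO.

```sql
DECLARE
  -- Algorithm, chaining mode and padding are all chosen by the caller
  -- (the slide's "algorithm selection, chaining mode").
  l_typ       PLS_INTEGER := DBMS_CRYPTO.ENCRYPT_AES256
                           + DBMS_CRYPTO.CHAIN_CBC
                           + DBMS_CRYPTO.PAD_PKCS5;
  -- Two independent keys: one for confidentiality, one for the integrity tag.
  -- In real use they come from a key store, never from the table holding the data.
  l_enc_key   RAW(32) := DBMS_CRYPTO.RANDOMBYTES(32);   -- 256-bit AES key
  l_mac_key   RAW(32) := DBMS_CRYPTO.RANDOMBYTES(32);
  -- Fresh IV for every encryption (the slide's "manual salt generation");
  -- reusing an IV under one key makes equal plaintexts produce equal ciphertexts.
  l_iv        RAW(16) := DBMS_CRYPTO.RANDOMBYTES(16);
  -- Constructed sample: a well-known test card number, not real data
  l_plain     RAW(2000) := UTL_I18N.STRING_TO_RAW('4111111111111111', 'AL32UTF8');
  l_cipher    RAW(2000);
  l_tag       RAW(20);                                   -- HMAC-SHA1 output size
  l_roundtrip VARCHAR2(200);
BEGIN
  l_cipher := DBMS_CRYPTO.ENCRYPT(src => l_plain, typ => l_typ,
                                  key => l_enc_key, iv => l_iv);
  -- Tag covers IV || ciphertext so a tampered IV is detected as well
  l_tag := DBMS_CRYPTO.MAC(src => UTL_RAW.CONCAT(l_iv, l_cipher),
                           typ => DBMS_CRYPTO.HMAC_SH1, key => l_mac_key);
  -- The application must store l_iv, l_cipher and l_tag with the row and manage
  -- the keys itself: that bookkeeping is the slide's "Limited Transparency".

  -- Decrypt path: verify the tag first, decrypt only when it matches
  IF DBMS_CRYPTO.MAC(UTL_RAW.CONCAT(l_iv, l_cipher),
                     DBMS_CRYPTO.HMAC_SH1, l_mac_key) <> l_tag THEN
    RAISE_APPLICATION_ERROR(-20001, 'integrity check failed, not decrypting');
  END IF;
  l_roundtrip := UTL_I18N.RAW_TO_CHAR(
                   DBMS_CRYPTO.DECRYPT(src => l_cipher, typ => l_typ,
                                       key => l_enc_key, iv => l_iv), 'AL32UTF8');
  DBMS_OUTPUT.PUT_LINE('ciphertext bytes: ' || UTL_RAW.LENGTH(l_cipher));
  DBMS_OUTPUT.PUT_LINE('round trip ok: ' ||
    CASE WHEN l_roundtrip = '4111111111111111' THEN 'yes' ELSE 'no' END);
END;
/
```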
Transparent Data Encryption

• Integrated with the Oracle database for simplicity


• Alter table encrypt column …
• Provides application transparency
• No API calls, database triggers or views required
• Media protection of PII data
• Social security numbers
• Credit Card Numbers
• Performance
• Works with existing indexes for fast searches
Separation of duties

• Wallet password is separate from the SYSTEM or DBA password
• DBA starts up the database but has no access to the wallet
• Security DBA opens the wallet containing the master key
• Master key is stored in a PKCS#12 wallet
• Column keys are encrypted by the master key
• Column keys encrypt the data in the columns
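An added example (not from the deck) that walks the two preceding slides end to end: the security DBA creates and opens the wallet, the application DBA encrypts PII columns, and both verify the result. The wallet directory, schema and table names are assumed, the password is a placeholder, and the statements use 11g syntax (the 10gR2 difference is noted in a comment).

```sql
-- Wallet location is set in the server's sqlnet.ora (assumed path):
--   ENCRYPTION_WALLET_LOCATION =
--     (SOURCE = (METHOD = FILE)(METHOD_DATA = (DIRECTORY = /etc/ORACLE/WALLETS/orcl)))

-- 1. Security DBA, once: create the master key. This creates the PKCS#12 wallet,
--    protects it with a password the regular DBA never sees, and opens it.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "wallet-password-placeholder";

-- 2. Security DBA, after every instance startup: the DBA can start the database,
--    but encrypted columns raise ORA-28365 (wallet is not open) until this runs.
--    (10gR2 syntax is ALTER SYSTEM SET WALLET OPEN ...; 11g adds ENCRYPTION.)
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "wallet-password-placeholder";

-- 3. Application DBA: encrypt the PII columns (schema and table assumed).
--    A salted column (the default) cannot be indexed, so a column that is searched
--    through an index is declared NO SALT; that is the trade-off behind the
--    "works with existing indexes" bullet.
ALTER TABLE hr.employees MODIFY (ssn         ENCRYPT USING 'AES256' NO SALT);
ALTER TABLE hr.employees MODIFY (credit_card ENCRYPT USING 'AES256');

-- 4. Checks: wallet state, and which columns are encrypted with which options
SELECT wrl_type, status FROM v$encryption_wallet;

SELECT owner, table_name, column_name, encryption_alg, salt
FROM   dba_encrypted_columns
ORDER  BY owner, table_name, column_name;
```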
Oracle Secure Backup: Tape Backup Management

• Highest levels of tape data protection at the lowest cost!
• Fastest & best integrated tape backup for the Oracle Database
  • Recovery Manager (RMAN) integration
  • Enterprise Manager (EM) interface
  • Maximum security options
• Centralized tape backup management for Oracle Databases (UNIX, Linux, Windows, via RMAN) and file system data (NAS)
• Free version (limited functionality) will ship with the Oracle Database
Why Use Oracle Secure Backup?

• Intelligent integration with RMAN delivering the best performance and security for database backups
• Database tape backups can now be seamlessly managed by Database Administrators (DBAs) or the storage group
• Scalable from the department to the data center
• Easily managed using Enterprise Manager (EM)
• Single technical support resource for the entire backup solution expedites problem resolution
• Reliable data protection at lower cost and complexity
  • For the Oracle Database and file system data
End to End Security

• Oracle Advanced Security: Strong Authentication
• Oracle Advanced Security: Network Encryption
• Oracle Advanced Security: Transparent Data Encryption
  • Data automatically encrypted when written to disk
  • Data automatically decrypted through the SQL interface
  • Data encrypted on backup files
Data Vault Objectives

• Multi-factored approach to database security


• Protect and share data assets using environmental factors for assurance
• Defense in depth approach
• Protect application schemas from system privileges
• Database Server as Database Appliance
• Lock Down, Hardened Software and Privileges
• Comprehensive Audit Policy
• Separation of Duties
Data Vault Protected Schema

• Protect Data Vault metadata from tampering


• Remove metadata dependency on SYS schema
• Access to protected schema only through the administrative roles
• Provide separation of duties by different administrative roles
• Password required for SYS login
• No OSDBA group membership
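An added example (not from the deck) of the objective "protect application schemas from system privileges" as a Data Vault realm, configured through the DBMS_MACADM API and verified through the DBA_DV_* views. It is run as a user holding the DV_OWNER role rather than SYS, which is the separation of duties the slide describes; the realm, schema and user names are assumed.

```sql
-- Run as a DV_OWNER (or DV_ADMIN) user, not SYS: Data Vault configuration is
-- itself realm-protected, which is the "protected schema" of the slide.
BEGIN
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'HR Application Realm',
    description   => 'Keeps system privileges such as SELECT ANY TABLE out of HR',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);   -- record every blocked attempt

  -- Every object HR owns, now or in future, is inside the realm
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'HR Application Realm',
    object_owner => 'HR',
    object_name  => '%',
    object_type  => '%');

  -- Only the schema owner is authorised. SYS, SYSTEM and DBA-role holders keep
  -- their privileges elsewhere but receive ORA-47401 (realm violation) here.
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'HR Application Realm',
    grantee       => 'HR',
    rule_set_name => NULL,                               -- unconditional
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_OWNER);
END;
/

-- Verify the realm, its objects and who may act inside it
SELECT r.name, r.enabled, o.owner, o.object_name, o.object_type
FROM   dba_dv_realm r
JOIN   dba_dv_realm_object o ON o.realm_name = r.name
WHERE  r.name = 'HR Application Realm';

SELECT realm_name, grantee, auth_rule_set_name, auth_options
FROM   dba_dv_realm_auth
WHERE  realm_name = 'HR Application Realm';
```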
Oracle Database 10g Auditing

• Audit & monitor database activity


• Logon failures, privilege usage, data access, object access, and other activities

• Standard Audit Trail (over 250 audit actions)


• Gives first level of information about access to the database
• Statement auditing
• Privilege auditing
• Schema Object auditing

• Fine-Grained Auditing (FGA)


• Gives a second level of information by auditing specific operations on the database
• Enables you to monitor data access based on content
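An added example (not from the deck) of the three standard audit types the slide lists, with the instance setting they depend on and the review queries a DBA runs against the resulting trail; the schema, table and time window are assumed.

```sql
-- Standard auditing is written to SYS.AUD$ only when AUDIT_TRAIL is set; EXTENDED
-- adds SQL text and bind values. Takes effect at the next restart
-- (10g spells the value DB_EXTENDED).
ALTER SYSTEM SET audit_trail = DB, EXTENDED SCOPE = SPFILE;

-- Statement auditing: every failed logon (the slide's "logon failures")
AUDIT SESSION WHENEVER NOT SUCCESSFUL;

-- Privilege auditing: use of system privileges that bypass object-level grants
AUDIT SELECT ANY TABLE, ALTER USER, GRANT ANY PRIVILEGE, EXEMPT ACCESS POLICY BY ACCESS;

-- Schema object auditing: each access to one sensitive table (schema/table assumed)
AUDIT SELECT, INSERT, UPDATE, DELETE ON hr.employees BY ACCESS;

-- Which options are now in force
SELECT audit_option, success, failure FROM dba_stmt_audit_opts;
SELECT privilege, success, failure FROM dba_priv_audit_opts;

-- Review 1: failed logons in the last 24 hours (returncode 1017 = bad password)
SELECT username, os_username, userhost, timestamp, returncode
FROM   dba_audit_session
WHERE  returncode <> 0 AND timestamp > SYSDATE - 1
ORDER  BY timestamp DESC;

-- Review 2: who touched the table, with statement text (needs EXTENDED)
SELECT username, action_name, timestamp, sql_text
FROM   dba_audit_trail
WHERE  owner = 'HR' AND obj_name = 'EMPLOYEES' AND timestamp > SYSDATE - 1
ORDER  BY timestamp DESC;
```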
Fine-grained auditing (FGA)

• Beginning with Oracle9i Database, Oracle provides the capability to audit specific rows within a table. This is accomplished using the DBMS_FGA package.

• Features
• Attach audit policy to table or view
• Specify audit condition using a SQL predicate
• User's query text with bind variables is written to the audit record upon a triggering audit event
• Event handler can alert the administrator to the triggering condition (e.g. write record to log, send page)
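An added example (not from the deck) showing each feature on this slide with DBMS_FGA: a policy attached to a table with a SQL-predicate condition and a relevant column, an event handler that records the triggering condition, and the query that shows the captured statement text and bind values. The SEC schema, the alert table, and the HR.EMPLOYEES table and its SALARY column are assumed.

```sql
-- Alert sink for the handler (constructed; any destination the handler can write works)
CREATE TABLE sec.fga_alert_log (
  alerted_at  TIMESTAMP,
  db_user     VARCHAR2(128),
  policy_name VARCHAR2(128),
  detail      VARCHAR2(400));

-- Event handler with the fixed three-argument signature DBMS_FGA calls.
-- Autonomous so the alert is kept even if the audited statement rolls back.
CREATE OR REPLACE PROCEDURE sec.fga_alert (
  object_schema IN VARCHAR2,
  object_name   IN VARCHAR2,
  policy_name   IN VARCHAR2)
AS
  PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
  INSERT INTO sec.fga_alert_log (alerted_at, db_user, policy_name, detail)
  VALUES (SYSTIMESTAMP, SYS_CONTEXT('USERENV', 'SESSION_USER'), policy_name,
          object_schema || '.' || object_name || ' from ' ||
          SYS_CONTEXT('USERENV', 'HOST'));
  COMMIT;
  -- A production handler would hand off to a pager or e-mail queue here
END;
/

-- Attach the policy: it fires only when a statement references SALARY for rows
-- matching the predicate, and records the SQL text plus bind values.
BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema   => 'HR',
    object_name     => 'EMPLOYEES',
    policy_name     => 'HIGH_SALARY_READS',
    audit_condition => 'SALARY > 150000',    -- the SQL-predicate audit condition
    audit_column    => 'SALARY',             -- only statements touching this column
    handler_schema  => 'SEC',
    handler_module  => 'FGA_ALERT',
    enable          => TRUE,
    statement_types => 'SELECT,UPDATE');     -- 10g and later; 9i audits SELECT only
END;
/

-- Review: the triggering statement and its bind values are in the FGA trail
SELECT db_user, userhost, timestamp, statement_type, sql_text, sql_bind
FROM   dba_fga_audit_trail
WHERE  policy_name = 'HIGH_SALARY_READS'
ORDER  BY timestamp DESC;
```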
Audit Vault

• Collect and consolidate audit data
• Simplify compliance reporting
• Detect and prevent insider threats
• Lower IT costs with scale and security
• Monitor policies: Reports, Security, Audit Policies (Future)
• Sources: Oracle 9iR2, 10gR1 and 10gR2 databases; other sources
Oracle Database Security: 30 years of Innovation (1977 to 2007)

Timeline, oldest first:
• Government customer
• Database Auditing
• Native Network Encryption (Oracle7)
• Strong authentication (PKI, Kerberos, RADIUS)
• Database Encryption API
• Virtual Private Database (8i)
• Global roles
• Enterprise User Security
• Proxy authentication
• Oracle Label Security
• Client Identifier / Identity propagation
• Secure application roles
• Fine Grained Auditing (9i)
• EM Configuration Scanning
• Transparent Data Encryption
• DB Security Evaluation #19
• Oracle Database Vault
• Oracle Audit Vault
For More Information

http://search.oracle.com (search term: Transparent Data Encryption)
or
oracle.com/security