3. The following is intended to outline our general
product direction. It is intended for information
purposes only, and may not be incorporated into any
contract. It is not a commitment to deliver any
material, code, or functionality, and should not be
relied upon in making purchasing decisions.
The development, release, and timing of any
features or functionality described for Oracle’s
products remains at the sole discretion of Oracle.
4. Your Information Assets
Across Heterogeneous Databases
(Diagram: example data domains spread across the enterprise's databases: Customer, Product, Employee, Finance, Clinical Trials)
5. Your Information Asset Lifecycle
Shared with 3rd Parties
• Almost 50% of all organizations exposed Production data in non-Production environments
• Only 16% have a system in place for de-identifying sensitive data
(Diagram: production data flows out to clinical research, IT service providers, market research partners and business application developers)
6. Your Information Asset Protection Challenge
• Ensure comprehensive protection of your information assets across heterogeneous enterprise databases
• Reduce information lifecycle costs through automation
(Diagram: the same recipients as the previous slide: clinical research, IT service providers, market research partners, business application developers)
7. Secure Test System Deployments
Production                              Test
LAST_NAME   SSN           SALARY        LAST_NAME   SSN           SALARY
AGUILAR     203-33-3234   40,000        SMITH       111-23-1111   60,000
BENSON      323-22-2943   60,000        MILLER      222-34-1345   40,000
8. How: Secure Test System Deployments
(Production vs. Test table as on slide 7: the Test copy keeps the same columns but carries substitute names, SSNs and salaries)
• Deploy secure test systems by masking sensitive data
• Sensitive data never leaves the database
• Extensible template library and policies for automation
• Sophisticated masking: condition-based, compound, deterministic
• Integrated masking and cloning
• Leverage masking templates for common data types
9. Data Masking using Oracle Enterprise Manager
Centrally controlled. Globally managed.
• Monitoring
• Performance Diagnostics
• Patching & Provisioning
• Configuration Management
• Data Masking
10. Data Masking Methodology
Production                              Non-Production
LAST_NAME   SSN           SALARY        LAST_NAME   SSN           SALARY
AGUILAR     203-33-3234   40,000        SMITH       111-23-1111   40,000
BENSON      323-22-2943   60,000        JOHNSON     222-34-1345   60,000
• Find: Catalog and identify sensitive data across enterprise databases
• Assess: Define the optimal data masking techniques
• Secure: Automate non-production systems through data masking
• Test: Ensure the integrity of applications through testing
11. FIND: Catalog and identify sensitive data across enterprise databases
(Methodology phases: FIND, ASSESS, SECURE, TEST; this slide covers FIND)
12. Catalog Sensitive Data in Your Enterprise Databases
Sensitive data types to catalog (examples):
Person Name; Maiden Name; Business Address; Business Telephone Number; Business Email Address; Custom Name; Employee Number; User Global Identifier; Party Number or Customer Number; Account Name; Mail Stop; GPS Location; Student Exam Hall Ticket Number; Club Membership ID; Library Card Number; Social Security Number; Trade Union Membership Number; Identity Card Number; Instant Messaging Address; Web site; National Identifier; Passport Number; Driver's License Number; Personal Address; Personal Telephone Number; Personal Email Address; Visa Number or Work Permit
Bank Account Number; Card Number (Credit or Debit Card Number); Tax Registration Number or National Tax ID; Person Identification Number; Welfare Pension Insurance Number; Unemployment Insurance Number; Government Affiliation ID; Military Service ID; Social Insurance Number; Pension ID Number; Article Number; Civil Identifier Number; Hafiza Number; Pension Registration Number; National Insurance Number; Health Insurance Number; Personal Public Service Number; Electronic Taxpayer Identification Number; Biometrics Data; Digital ID; Citizenship Number; Voter Identification Number; Residency Number (Green Card)
• Business-driven criteria for classifying data as sensitive: its exposure would
– Violate government regulations
– Violate business regulations
– Damage shareholder value through loss of market capital, valuation, reputation or customers, or through lawsuits
14. Comprehensive Mask Formats
Mask Primitives and User-extensible Mask Formats
• Mask primitives
– Simple mask formats
• ALPHA
• NUMERIC
• DATE
– Simple mask techniques
• SHUFFLE
• RANDOMIZE
• LOOKUP TABLE
• Mask formats for common sensitive data: accelerates solution deployment of masking
• Extensible mask routines: enables customization of business rules
• Define once, apply everywhere: ensures consistent enforcement of policies
15. Mask Definition
Associate Mask Formats with Identified Sensitive Columns
• Automatic discovery and enforcement of referential integrity
• Registration and enforcement of referential integrity when entered as related columns:
– Application-enforced referential integrity
– Business-process based data relationships
– Non-Oracle database based referential integrity
• Imported via XML generated via SQL against metadata
17. Test System Setup for Oracle Databases
Creating Test Databases from Production
(Diagram: the Production DB, holding business data in tables T1 to T5 plus application data, metadata and the DB dictionary, is cloned to a Test DB with the same structure)
• Enterprise Manager out-of-the-box workflows
• RMAN-based clone-and-masking (Recommended)
• Export-Import
• Backup and Restore
• Transportable Tablespace
18. Test System Setup for non-Oracle Databases
Creating Test Databases from Production using Oracle Gateways
(Diagram: the Production DB is cloned to a Test DB through a database gateway; the sensitive columns take a detour through a separate Staging DB, where they are masked before being written to Test)
Masking Process
1. Production data copied to Test
2. Sensitive data copied to Staging
3. Sensitive data masked in Staging
4. Masked data copied from Staging to Test
5. Truncate data in the Staging database
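The five-step staging process above, together with the mask primitives of slide 14 (SHUFFLE, LOOKUP TABLE, a deterministic format) and the referential-integrity requirement of slide 15, as an added example that is not part of the original deck and is not Oracle Data Masking's own code: a Python script that uses an in-memory SQLite database as the stand-in Staging DB. The table names, the sample rows, the HMAC-based deterministic SSN format and MASK_KEY are assumptions made for illustration; Oracle's own mask routines are not shown.

```python
import hashlib
import hmac
import random
import re
import sqlite3

# Constructed sample rows standing in for the staging copy of production (not real data).
# Two tables share SSN as the join key: the referential-integrity case the mask
# definition must preserve, or every child row becomes an orphan after masking.
EMPLOYEES = [
    (1, "AGUILAR", "203-33-3234", 40000),
    (2, "BENSON", "323-22-2943", 60000),
    (3, "CARTER", "415-09-1120", 75000),
]
BENEFITS = [  # child rows keyed by SSN
    ("203-33-3234", "HMO"),
    ("323-22-2943", "PPO"),
    ("323-22-2943", "DENTAL"),
    ("415-09-1120", "HMO"),
]
SURNAME_LOOKUP = ["SMITH", "MILLER", "JOHNSON", "WILLIAMS", "BROWN", "DAVIS"]
MASK_KEY = b"hypothetical-secret-rotated-per-masking-run"  # assumption, not an Oracle artifact
SSN_FORMAT = re.compile(r"^\d{3}-\d{2}-\d{4}$")


def mask_ssn_deterministic(ssn: str, key: bytes = MASK_KEY) -> str:
    """Deterministic, format-preserving SSN mask: the same input always yields the
    same output, so parent and child rows stay joinable, and the output cannot be
    reversed without the key. Area numbers 000, 666 and 900+ are never produced."""
    n = int.from_bytes(hmac.new(key, ssn.encode(), hashlib.sha256).digest()[:8], "big")
    area = 1 + n % 665              # 001..665
    group = 1 + (n >> 16) % 99      # 01..99
    serial = 1 + (n >> 32) % 9999   # 0001..9999
    return f"{area:03d}-{group:02d}-{serial:04d}"


def mask_name_lookup(name: str, key: bytes = MASK_KEY) -> str:
    """LOOKUP TABLE primitive: substitute from a fixed list, chosen by keyed hash so
    each real surname always maps to the same fake one."""
    digest = hmac.new(key, name.encode(), hashlib.sha256).digest()
    return SURNAME_LOOKUP[digest[0] % len(SURNAME_LOOKUP)]


def build_staging(conn: sqlite3.Connection) -> None:
    """Step 2 of the process: load the sensitive rows into the staging schema."""
    conn.executescript(
        "CREATE TABLE employees (emp_id INTEGER PRIMARY KEY, last_name TEXT, ssn TEXT, salary INTEGER);"
        "CREATE TABLE benefits (ssn TEXT, plan TEXT);")
    conn.executemany("INSERT INTO employees VALUES (?, ?, ?, ?)", EMPLOYEES)
    conn.executemany("INSERT INTO benefits VALUES (?, ?)", BENEFITS)


def mask_staging(conn: sqlite3.Connection, seed: int = 7) -> None:
    """Step 3: apply the mask definition in place. Rows are addressed by rowid so a
    freshly masked value can never be mistaken for a still-unmasked one."""
    cur = conn.cursor()
    # SHUFFLE primitive: permute salaries across employees. The set of values (and
    # so the distribution) survives; the link between a person and a salary does not.
    rows = cur.execute("SELECT rowid, salary FROM employees ORDER BY rowid").fetchall()
    salaries = [s for _, s in rows]
    random.Random(seed).shuffle(salaries)
    cur.executemany("UPDATE employees SET salary = ? WHERE rowid = ?",
                    [(s, rid) for (rid, _), s in zip(rows, salaries)])
    # Deterministic mask applied identically on both sides of the relationship.
    for table in ("employees", "benefits"):
        rows = cur.execute(f"SELECT rowid, ssn FROM {table}").fetchall()
        cur.executemany(f"UPDATE {table} SET ssn = ? WHERE rowid = ?",
                        [(mask_ssn_deterministic(ssn), rid) for rid, ssn in rows])
    rows = cur.execute("SELECT rowid, last_name FROM employees").fetchall()
    cur.executemany("UPDATE employees SET last_name = ? WHERE rowid = ?",
                    [(mask_name_lookup(n), rid) for rid, n in rows])
    conn.commit()


def verify_masking(conn: sqlite3.Connection) -> dict:
    """TEST phase: prove the masked copy is still usable and holds no originals."""
    cur = conn.cursor()
    joined = cur.execute(
        "SELECT COUNT(*) FROM employees e JOIN benefits b ON e.ssn = b.ssn").fetchone()[0]
    orphans = cur.execute(
        "SELECT COUNT(*) FROM benefits b LEFT JOIN employees e ON e.ssn = b.ssn "
        "WHERE e.ssn IS NULL").fetchone()[0]
    originals = {ssn for _, _, ssn, _ in EMPLOYEES}
    ssns = [s for (s,) in cur.execute("SELECT ssn FROM employees UNION SELECT ssn FROM benefits")]
    salaries = sorted(s for (s,) in cur.execute("SELECT salary FROM employees"))
    return {"joined_rows": joined, "orphans": orphans,
            "leaked_ssns": sum(1 for s in ssns if s in originals),
            "malformed_ssns": sum(1 for s in ssns if not SSN_FORMAT.match(s)),
            "salaries": salaries}


def run_demo() -> dict:
    conn = sqlite3.connect(":memory:")
    build_staging(conn)
    mask_staging(conn)
    return verify_masking(conn)


if __name__ == "__main__":
    print(run_demo())
```

The check that matters is the join count: if the SSN mask had been applied independently per table (or with a fresh random value per row), every BENEFITS row would orphan and the application tests of the TEST phase would fail. Deterministic keyed masking is also why step 5 (truncate Staging) is not optional: Staging briefly holds both the originals and the mapping.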
20. Auditing your Database Information
(Diagram: audit sources: Oracle Database, Sybase ASE, IBM DB2, Microsoft SQL Server)
21. Why Audit?
• It's all about protecting sensitive data, maintaining customer trust, and protecting the business
• Trust-but-verify that your employees are only performing operations required by the business
• Detective controls to monitor what is really going on
• Deter curiosity seekers from looking at data
• Compliance demands that privileged users be monitored
• Know what is going on before others tell you
• Cost of compliance
– Eliminate costly and complex scripts for reporting
– Reduce reporting costs for specific compliance audits
– SOX, PCI, HIPAA, SAS 70, STIG
22. Database Auditing and Applications
Why Auditors Want to Audit Databases
• Monitor privileged application user accounts for non-compliant activity
• Audit non-application access to sensitive data (credit card, financial data, personally identifiable information, etc.)
• Verify that no one is trying to bypass the application controls/security
– e.g. PO line items changed directly so they no longer require further approvals
• Verify shared accounts are not abused by non-privileged users
• Application bypass: use of application accounts to view application data
23. What Do You Need To Audit?
Database Audit Requirements           SOX   PCI DSS   HIPAA/HITECH   Basel II   FISMA   GLBA
Accounts, Roles & GRANT changes        ●       ●           ●            ●         ●       ●
Failed Logins and other Exceptions     ●       ●           ●            ●         ●       ●
Privileged User Activity               ●       ●           ●            ●         ●       ●
Access to Sensitive Data (SELECTs…)    ●  ●  ●  ●  ●   (five of the six; column positions lost in extraction)
Data Changes (INSERT, UPDATE, …)       ●  ●   (two of the six; column positions lost in extraction)
Schema Changes (DROP, ALTER…)          ●       ●           ●            ●         ●       ●
24. Oracle Audit Vault
Trust-but-Verify
• Consolidate and secure audit data
• Out-of-the-box compliance reports
• Alert on security threats
• Lower IT costs with entitlements & audit policies
(Diagram: audit sources feeding Audit Vault: Oracle Database, Sybase ASE, IBM DB2, Microsoft SQL Server)
25. Oracle Audit Vault
Oracle Database Audit Support
• Database audit tables
– Collect audit data for standard and fine-grained auditing
• Oracle audit trail from OS files
– Collect audit records written in XML or standard text files
• Operating system: Windows Event Viewer & SYSLOG
– Collect Oracle database audit records
• Redo log
– Extract before/after values and DDL changes to tables
• Database Vault specific audit records
27. The Access Reports filter the audit content based on event and categories, such as Data Access (select, insert, update, delete, ...) and User Sessions (login, logout, etc.). The Oracle Audit Vault Auditor's Guide lists the events that are collected and mapped to the categories.
28. The Entitlement Reports can be used by internal/external auditors to view Oracle database users and their privileges. You can view all Oracle databases and their users, or filter by an individual database to view the privileges. The compare capability provides a report on changes to user privileges from one snapshot time to another.
29. The Alerts Report content can be accessed from the Dashboard, or you can view all alerts that have been generated at one time. The critical and warning alert reports track critical and warning alerts. An alert is raised when data in a single audit record matches a predefined alert rule condition.
Alerts can be defined for:
• Directly viewing sensitive columns
• Creating users on sensitive systems
• Role grants on sensitive systems
• "DBA" grants on all systems
• Failed logins for application user
30. Oracle Audit Vault
Audit Trail Clean-Up: DBMS_AUDIT_MGMT
• Automatically deletes Oracle audit trails from the target after they are securely inserted into Audit Vault
• Reduces DBA manageability challenges with audit trails
(Diagram, source database to Audit Vault: 1) transfer audit trail data; 2) update the last inserted record; 3) delete older audit records)
31. Setting Client Identifier with Applications
• Any application running on Oracle database can set the client identifier
(Diagram: User A connects; the application sets the client identifier to User A, and the Oracle audit record written by the database server carries it. User B connects over the same application connection; the application resets the client identifier to User B.) This is what lets audit records from a shared application account (slide 22) be attributed to the end user behind it.
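The alert rules of slide 29, the auditor questions of slide 22 and the client-identifier attribution above, as an added example that is not from the deck and not Oracle Audit Vault code: a Python rule evaluator run over a constructed audit trail, plus an entitlement snapshot compare in the spirit of slide 28. The record fields, the inventory sets (SENSITIVE_SYSTEMS, SENSITIVE_OBJECTS, APP_ACCOUNTS) and the sample records are assumptions; the "application account without client identifier" rule is an addition that follows from slide 31 rather than a rule named on slide 29.

```python
from dataclasses import dataclass

# Assumed inventory: the catalog from the FIND phase and the asset tags that
# mark "sensitive systems". Illustrative names, not Oracle defaults.
SENSITIVE_SYSTEMS = {"HRPROD", "CARDDB"}
SENSITIVE_OBJECTS = {"HR.EMPLOYEES", "FIN.CARDS"}
APP_ACCOUNTS = {"APPUSER"}  # shared application accounts


@dataclass(frozen=True)
class AuditRecord:
    db: str          # target database the record was collected from
    db_user: str     # database account that ran the statement
    client_id: str   # CLIENT_IDENTIFIER set by the application; "" if never set
    action: str      # LOGON, SELECT, CREATE USER, GRANT ROLE, GRANT DBA, ...
    obj: str         # owner.object for data access, grantee for grants, "" otherwise
    success: bool


# Constructed audit trail (not real Audit Vault output), in collection order.
SAMPLE_TRAIL = [
    AuditRecord("HRPROD", "APPUSER", "alice", "LOGON", "", True),
    AuditRecord("HRPROD", "APPUSER", "alice", "SELECT", "HR.EMPLOYEES", True),
    AuditRecord("HRPROD", "JSMITH", "", "SELECT", "HR.EMPLOYEES", True),
    AuditRecord("HRPROD", "APPUSER", "", "SELECT", "HR.EMPLOYEES", True),
    AuditRecord("CARDDB", "APPUSER", "", "LOGON", "", False),
    AuditRecord("HRPROD", "SYS", "", "CREATE USER", "TEMP1", True),
    AuditRecord("DEVDB", "SYS", "", "GRANT DBA", "TEMP1", True),
    AuditRecord("DEVDB", "JSMITH", "", "SELECT", "SCOTT.EMP", True),
]


def evaluate(records):
    """Apply the alert rules to each record on its own (one record, first matching
    rule, one alert). Returns a list of (severity, rule, record)."""
    alerts = []
    for r in records:
        on_sensitive_system = r.db in SENSITIVE_SYSTEMS
        reads_sensitive = r.action == "SELECT" and r.obj in SENSITIVE_OBJECTS
        if r.action == "LOGON" and not r.success and r.db_user in APP_ACCOUNTS:
            alerts.append(("warning", "failed login for application user", r))
        elif reads_sensitive and r.db_user not in APP_ACCOUNTS:
            alerts.append(("critical", "direct view of sensitive columns", r))
        elif reads_sensitive and not r.client_id:
            # App account used without the end-user identity the application is
            # supposed to set: the read cannot be attributed to anyone.
            alerts.append(("critical", "application account used without client identifier", r))
        elif r.action == "CREATE USER" and on_sensitive_system:
            alerts.append(("warning", "user created on sensitive system", r))
        elif r.action == "GRANT ROLE" and on_sensitive_system:
            alerts.append(("warning", "role grant on sensitive system", r))
        elif r.action == "GRANT DBA":
            alerts.append(("critical", "DBA grant", r))
    return alerts


def compare_entitlements(before: dict, after: dict) -> dict:
    """Entitlement snapshot compare: user -> privileges added/revoked between two
    snapshots; users whose privileges did not change are omitted."""
    changes = {}
    for user in sorted(set(before) | set(after)):
        old, new = set(before.get(user, ())), set(after.get(user, ()))
        if old != new:
            changes[user] = {"added": sorted(new - old), "revoked": sorted(old - new)}
    return changes


if __name__ == "__main__":
    for severity, rule, rec in evaluate(SAMPLE_TRAIL):
        print(f"{severity:8} {rule:52} {rec.db} {rec.db_user} {rec.client_id or '-'}")
```

Record 2 (APPUSER reading HR.EMPLOYEES with client identifier "alice") raises nothing, while record 4 (the same account, same object, no client identifier) is critical: the difference is entirely the attribute the application sets on the session, which is why slide 31 matters for auditing shared accounts.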
34. Existing Security Solutions Not Enough
(Diagram: key loggers, malware, SQL injection, espionage, spear phishing, botware and social engineering reach the database through application users, the application itself and database administrators)
Data Must Be Protected at the Source
35. SQL Injection Review
The biggest danger to cyber security
(Diagram: millions of attacks hit the perimeter firewall and are blocked and logged; one successful attack carries a SQL command through the app server to the database, ending in data and/or credential theft and malware injection)
• Successful attack: query the database, modify data, deliver malware
• Implications: lost data, monetary theft, stolen credentials / denial of service
36. Oracle Database Firewall
First Line of Defense
(Diagram: application SQL passes through the Database Firewall, where policies decide per statement to allow, log, alert, substitute or block; the firewall produces alerts and built-in or custom reports)
• Monitor database activity to prevent unauthorized database access, SQL injection, privilege or role escalation, illegal access to sensitive data, etc.
• Highly accurate SQL grammar based analysis without costly false positives
• Flexible SQL level enforcement options based on white lists and black lists
• Scalable architecture provides enterprise performance in all deployment modes
• Built-in and custom compliance reports for SOX, PCI, and other regulations
37. Oracle Database Firewall
Positive Security Model
(Diagram: white list; application statements that match allowed behavior pass, everything else is blocked)
• "Allowed" behavior can be defined for any user or application
• Whitelist can take into account built-in factors such as time of day, day of week, network, application, etc.
• Automatically generate whitelists for any application
• Transactions found not to match the policy are instantly rejected
• Database will only process data how you want and expect
38. Oracle Database Firewall
Negative Security Model
(Diagram: black list; application statements matching a forbidden pattern are blocked, everything else passes)
• Stop specific unwanted SQL commands, user or schema access
• Prevent privilege or role escalation and unauthorized access to sensitive data
• Blacklist can take into account built-in factors such as time of day, day of week, network, application, etc.
• Selectively block any part of a transaction in the context of your business and security goals
39. Oracle Database Firewall
Policy Enforcement
(Diagram: enforcement options per statement: log, allow, alert, substitute, block. Substitution example: "SELECT * FROM accounts" becomes "SELECT * FROM dual where 1=0", so the application receives an empty result set rather than an error)
• Innovative SQL grammar technology reduces millions of SQL statements into a small number of SQL characteristics or "clusters"
• Superior performance and policy scalability
• Flexible enforcement at SQL level: block, substitute, alert and pass, log only
• SQL substitution foils attackers without disrupting applications
• Zero day protection without false positives
40. Reporting
Speeding deployment means lower cost
• Database Firewall log data consolidated into a reporting database
• Over 130 built-in reports that can be modified/customized
• Entitlement report for database attestation
• Activity and privileged user reports
• Supports demonstrating PCI, SOX, HIPAA, etc.
• Write your own reports
41. Oracle Database Firewall
Database Activity Masking
• Prevents creating yet another database with sensitive and regulated data
• Sensitive and regulated information contained in SQL statements can be
masked or redacted in real-time prior to being logged
• Flexible masking policies allow masking all data or just specific columns
• Critical for organizations who want to monitor and log all database activity
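The positive model of slide 37, the negative model of slide 38, the cluster-and-substitute enforcement of slide 39 and the activity masking above, as an added example that is not Oracle Database Firewall code: a simplified Python policy engine. Real grammar-based clustering parses the full SQL grammar; the cluster() here only replaces literals with placeholders and normalises case and whitespace, which is enough to show why a tautology injection lands in a different cluster from the application's own statement and why the cluster is safe to log. The BLACKLIST patterns, the learning traffic and the probe statements are constructed for illustration.

```python
from __future__ import annotations

import re

# Single-quoted strings (with '' escapes) and numeric literals are the parts of a
# statement that carry user data; everything else is the statement's "shape".
LITERAL = re.compile(r"'(?:[^']|'')*'|\b\d+(?:\.\d+)?\b")
WHITESPACE = re.compile(r"\s+")
SUBSTITUTE_SQL = "SELECT * FROM dual WHERE 1=0"  # the slide's substitution: empty result, no error

# Negative model: shapes never acceptable from an application connection,
# whatever the whitelist says. Illustrative patterns, not Oracle's rule set.
BLACKLIST = [
    (re.compile(r"\bgrant\b.*\b(dba|sysdba)\b"), "privilege escalation"),
    (re.compile(r"\b(drop|truncate|alter)\b"), "schema change from application"),
]


def cluster(sql: str) -> str:
    """Reduce a statement to its shape: literals become '?', case and whitespace are
    normalised. Many concrete statements map to one cluster, and the policy is
    written against clusters. With the literals gone, the cluster holds no
    sensitive values, so it is what gets logged."""
    return WHITESPACE.sub(" ", LITERAL.sub("?", sql)).strip().lower()


class DatabaseFirewall:
    def __init__(self, unknown_action: str = "substitute"):
        self.whitelist: set[str] = set()
        self.unknown_action = unknown_action  # block | substitute | alert | log
        self.log: list[dict] = []

    def learn(self, statements) -> None:
        """Positive model: record the shapes an application legitimately issues
        (the automatically generated whitelist, built from observed traffic)."""
        for stmt in statements:
            self.whitelist.add(cluster(stmt))

    def enforce(self, sql: str, user: str = "app") -> tuple[str, str | None]:
        """Return (action, statement forwarded to the database or None)."""
        shape = cluster(sql)
        action, reason = "allow", "whitelisted"
        for pattern, why in BLACKLIST:       # blacklist wins over whitelist
            if pattern.search(shape):
                action, reason = "block", why
                break
        else:
            if shape not in self.whitelist:
                action, reason = self.unknown_action, "no matching cluster"
        if action in ("allow", "alert", "log"):
            forwarded = sql
        elif action == "substitute":
            forwarded = SUBSTITUTE_SQL
        else:
            forwarded = None
        # Activity masking: only the literal-free shape is logged, never the raw statement.
        self.log.append({"user": user, "shape": shape, "action": action, "reason": reason})
        return action, forwarded


def run_demo() -> tuple[dict, list]:
    fw = DatabaseFirewall()
    # Constructed application traffic captured during a learning period.
    fw.learn([
        "SELECT * FROM accounts WHERE id = 42",
        "SELECT balance FROM accounts WHERE owner = 'alice'",
        "UPDATE accounts SET balance = 10.50 WHERE id = 7",
    ])
    probes = {  # constructed: one legitimate statement, then attacker variants
        "normal": "select * from accounts where id = 99",
        "tautology": "SELECT * FROM accounts WHERE id = 1 OR 1=1",
        "string_inj": "SELECT balance FROM accounts WHERE owner = 'x' OR 'a'='a'",
        "comment": "SELECT * FROM accounts WHERE id = 1 --",
        "escalate": "GRANT DBA TO scott",
        "dump": "SELECT * FROM accounts",
    }
    return {name: fw.enforce(sql) for name, sql in probes.items()}, fw.log


if __name__ == "__main__":
    decisions, log = run_demo()
    for name, (action, forwarded) in decisions.items():
        print(f"{name:11} {action:10} {forwarded}")
```

The "normal" probe differs from the learned statement in case and in the literal, yet lands in the same cluster and is allowed; the tautology differs by a single "OR 1=1" and lands in a new cluster, which is the property that lets a whitelist stop an injection it has never seen. The log entries contain only "?" where the id or owner was, which is the point of masking activity before it is logged.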
42. Oracle Database Firewall
Architecture
(Diagram: Database Firewalls in HA mode enforce policy in front of the databases; optional Local Monitors sit on the database hosts; a separate Policy Analyzer and Management Server handle policy and reporting)
• Low TCO Oracle Enterprise Linux based “software appliance”
• Supports Intel-based hardware platforms for vertical and horizontal scalability
• Policy enforcement separated from policy management and reporting for
scalability and performance
• Optional lightweight agents that reside within the database or the OS
• Supports Oracle and non-Oracle Databases, and is application agnostic
43. Oracle Database Firewall
Fast and Flexible Deployments
(Diagram: application servers and users reach the database servers either through an in-line Database Firewall or past a router with the firewall attached out-of-band; a host-based agent on the database server is optional)
• In-Line: all database traffic goes through the Oracle Database Firewall
• Out-of-Band/Passive: Database Firewall connected to a SPAN port or TAP
• Optional host-based Remote or Local Monitors
– Can send network traffic from the database host to the Database Firewall
– Can send non-network database activity to the Database Firewall to identify unauthorized use of local console or remote sessions
44. Oracle Security Solutions
Complete Defense-in-Depth
• Comprehensive – single vendor addresses all your requirements
• Transparent – no changes to existing applications or databases
• Easy to deploy – point and click interfaces deliver value within hours
• Cost Effective – integrated solutions reduce risk and lower TCO
• Proven – #1 Database with over 30 years of security innovation!
• Monitoring & Blocking: Database Firewall
• Auditing: Audit Vault
• Access Control: Database Vault, Label Security, Identity Management
• Encryption & Masking: Data Masking