2. Protect Your Most Sensitive Data
Build a Maximum Security Architecture
Ryan Kim | Senior Manager, Technology Readiness and Developer Program
3. The following is intended to outline our general
product direction. It is intended for information
purposes only, and may not be incorporated into any
contract. It is not a commitment to deliver any
material, code, or functionality, and should not be
relied upon in making purchasing decisions.
The development, release, and timing of any
features or functionality described for Oracle's
products remains at the sole discretion of Oracle.
© 2011 Oracle Corporation 3
4. Agenda
• Data Security Trends
• How Are Threats Getting In?
• What is Maximum Security Architecture
• Oracle Solutions Mapped to MSA
• Summary
• Q&A
5. More data than ever…
[Chart: data growth doubles yearly, reaching 1,800 exabytes between 2006 and 2011]
Source: IDC, 2008
6. More breaches than ever…
Data Breach: once exposed, the data is out there – the bell can't be un-rung
[Chart: publicly reported data breaches, total personally identifying information records exposed (millions), 2005 to 2008, a 630% increase]
Average cost of a data breach: $202 per record
Average total cost exceeds $6.6 million per breach
Source: DataLossDB, Ponemon Institute, 2009
7. More threats than ever…
70% of attacks originate inside the perimeter
90% of attacks are perpetrated by employees with privileged access
8. More regulations than ever…
• Federal, state, local, industry… adding more mandates every year!
• Need to meet AND demonstrate compliance
• Compliance costs are unsustainable
[Chart: report and audit] 90% of companies are behind in compliance
Source: IT Policy Compliance Group, 2007.
9. Compliance
• Current legal framework for personal information protection
Category | Individual law | Applies to | Responsible ministry
Public sector | Act on the Protection of Personal Information Maintained by Public Institutions | Public institutions | Ministry of Public Administration and Security
Private sector, information and communications | Information and Communications Network Act | Information and communications service providers | Korea Communications Commission
Private sector, finance/credit | Credit Information Act | Credit information providers/users | Financial Services Commission
• Personal Information Protection Act (in force from September 2011)
• Applies to every industry, online and offline alike.
• The Network Act and the Credit Information Act remain in place.
• The Network Act and the Credit Information Act apply first to telecommunications operators and financial institutions; for matters those laws do not regulate, the Personal Information Protection Act applies.
• Operators other than telecommunications operators that were previously covered by the Network Act by analogy are all removed from that act and become directly subject to the Personal Information Protection Act.
[Diagram: the Personal Information Protection Act spans the public sector, the Network Act, the Credit Information Act and other sectors]
10. Higher Costs Than Ever…
• User Management Costs
• User Productivity Costs
• Compliance & Remediation Costs
• Security Breach Remediation Costs
It adds up
11. Biggest Barrier to Cloud Computing Adoption? Security!
74% rate cloud security issues as "very significant"
Source: IDC
13. Over 900M Breached Records Resulted from Compromised Database Servers
Type | Category | % Breaches | % Records
Database Server | Servers & Applications | 25% | 92%
Desktop Computer | End-User Devices | 21% | 1%
Source: Verizon 2010 Data Breach Investigations Report
14. SQL Injection Attacks Against Databases Responsible for 89% of Breached Data
• SQL injection is a technique for controlling responses from the database server through the web application
• It can't be fixed by simply applying a patch, tweaking a setting, or changing a single page
• SQL injection vulnerabilities are endemic, and to fix them you have to overhaul all your code.
"The versatility and effectiveness of SQL Injection make it a multi-tool of choice among cybercriminals."
Verizon 2010 Data Breach Investigations Report
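The slide's point that injection is a per-query code defect rather than a patchable setting is easiest to see side by side. The following is an added example, not code from the deck or from Oracle: it uses SQLite in place of Oracle as a stand-in, and the users table, its rows and the function names are all constructed for the demo. The same lookup is written once with the caller's text spliced into the statement and once with a bound parameter, and both are run over a normal name, a legitimate name containing an apostrophe, and a value shaped like the textbook tautology string.

```python
"""Added example, not from the Oracle deck: the same lookup written the way SQL
injection happens (string-built SQL) and the way it is fixed (bound parameters).
The users table, its columns and rows are constructed for the demo."""
import sqlite3

# Constructed sample rows; the apostrophe in the last one is legitimate data.
SEED_ROWS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
    ("o'brien", "obrien@example.com"),
]


def make_db() -> sqlite3.Connection:
    """In-memory SQLite database standing in for the application's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SEED_ROWS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """The defect: the caller's text is spliced into the statement, so the
    database parses it as SQL rather than treating it as a value."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """The fix: the statement text is constant and the value is bound by the
    driver, so the input can only ever be compared against the name column."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def row_count(lookup, conn, name) -> object:
    """Run one lookup and report the row count, or the error class name if the
    database rejected the statement (a broken query, not a security control)."""
    try:
        return len(lookup(conn, name))
    except sqlite3.Error as exc:
        return type(exc).__name__


def compare() -> dict:
    """Run both lookups on a normal name, a name with an apostrophe and a value
    shaped like the textbook injection string, and tabulate the outcomes."""
    conn = make_db()
    inputs = {
        "plain": "alice",
        "apostrophe": "o'brien",
        # Not a name at all: the vulnerable path lets it rewrite the WHERE clause,
        # which is what the deck calls controlling the server's response.
        "tautology": "x' OR '1'='1",
    }
    return {
        label: {
            "vulnerable": row_count(lookup_vulnerable, conn, value),
            "parameterized": row_count(lookup_parameterized, conn, value),
        }
        for label, value in inputs.items()
    }


if __name__ == "__main__":
    for label, outcome in compare().items():
        print(f"{label:11s} vulnerable={outcome['vulnerable']!s:18s} "
              f"parameterized={outcome['parameterized']}")
```

The apostrophe row is the reason the fix is not optional even for applications that never expect hostile input: the string-built version throws a syntax error on ordinary data, while the bound version returns the one matching row. The tautology input returns every row through the vulnerable path and none through the parameterized one, because the driver passes it to the database as a literal that no name equals.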
15. 66% of Organizations Vulnerable to SQL Injection Attacks
[Chart: "Taken steps to prevent SQL injection attacks?"]
Source: 2010 IOUG Data Security Survey Report
16. Traditional Security Solutions Leave Data within Databases Vulnerable
[Diagram: threats such as key loggers, malware, SQL injection, espionage, spear phishing, botware and social engineering reach the database through applications and through database users and administrators]
Maximum Security Architecture protects your most sensitive area: your data
18. Maximum Security Architecture
Safeguards your Information Technology environment at every layer, leaving no weak link
[Layers: Infrastructure, Databases, Applications, Information, Content]
Infrastructure Security
• Network Security
• Hardware Security
• OS / Firmware Security
• Virtualization Security
Database Security
Identity Management
• User Provisioning
• Role Management
• Entitlements Management
• Risk-Based Access Control
• Virtual Directories
Information Rights Management
• Track and Audit Document Usage
• Control & Revoke Document Access
• Secured Inside or Outside Firewall
• Centralized Policy Administration
Today we will focus on Maximum DATA Security Architecture for the Database tier
19. Maximum Data Security Architecture
1. Perimeter Defense
2. Monitoring: Secure Configuration; Detect & Audit Mis-use; Reverse & Undo Damage
3. Access Control: Privileged User Controls; Multi-factor Authorization
4. Encryption & Masking: Encrypt Data In-Transit; Protect Data Backups; Mask Data Used in Dev. & Testing
20. Oracle Configuration Management
Vulnerability Assessment & Secure Configuration
[Process: Discover, Classify, Assess, Prioritize, Fix, Monitor, spanning Asset Management, Policy Management, Configuration Management, Vulnerability Management, and Analysis & Analytics & Audit]
REQUIREMENTS:
1. Discovers Databases, OS, Hosts, remote end-points, apps & apps servers
2. Continuous scanning vs. 375+ best practices & industry standards, extensible
3. Detect, prevent and roll back unauthorized configuration changes in real time
4. Change management compliance reports
5. Platform & vendor agnostic
21. Detection & Auditing Against Mis-use
Automated Activity Monitoring & Audit Reporting
[Diagram: audit data from HR, CRM and ERP databases is collected and evaluated against policies, producing alerts, built-in reports and custom reports for the auditor]
REQUIREMENTS:
1. Automated Oracle and non-Oracle database activity monitoring
2. Detect and alert on suspicious activities
3. Out-of-the-box compliance reports
4. Custom forensic reports
5. Centralized management of audit policies (SOX, custom, etc.)
22. Reverse and Undo Damaged Data
Secure Change Tracking
-- Flashback query: read the column as it stood at a point in time
SELECT salary FROM emp
  AS OF TIMESTAMP TO_TIMESTAMP('02-MAY-09 12.00 AM', 'DD-MON-YY HH.MI AM')
 WHERE emp.title = 'admin';
REQUIREMENTS:
1. Transparently track data changes
2. Efficient, tamper-resistant storage of archives
3. Real-time access to historical data
4. Simplified forensics and error correction
5. Ability to roll back and undo damaged records, eliminating problems
23. Separation of Duties
Privileged User Access Control and Multifactor Authorization
[Diagram: the Procurement, HR and Finance applications reach their own data, while a DBA running "select * from finance.customers" is blocked from the application data]
REQUIREMENTS:
1. Keep privileged database users from abusing their powers
2. Address Separation of Duties requirements
3. Enforce security policies and block unauthorized database activities
4. Prevent application by-pass to protect application data
5. Securely consolidate application data
6. Requires no application changes
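Slide 21's "detect and alert on suspicious activities" and this slide's two concerns, a DBA reading application data and an application account being used outside the application, are the same problem seen from the audit trail. The block below is an added example, not the deck's or Oracle's code: a small rule engine run over constructed audit records. The audit line format, the policy sets (which accounts are privileged, which schemas hold application data, which client program each application account should connect from), the user and program names, and the thresholds are all assumptions made for the demo.

```python
"""Added example, not from the Oracle deck: rule-based detection over database
audit records, as a stand-in for what an audit-consolidation product alerts on.
The audit line format, the policy sets and every record are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Tuple

# Assumed policy (hypothetical names): which accounts hold DBA privilege, which
# schemas hold application data, and the client program each application
# account is expected to connect from.
PRIVILEGED_USERS = {"SYS", "SYSTEM", "DBA_ADMIN"}
APP_SCHEMAS = {"FINANCE", "HR", "PROCUREMENT"}
APP_ACCOUNT_PROGRAM = {"FINANCE_APP": "finance-app-server", "HR_APP": "hr-app-server"}
FAILED_LOGON_THRESHOLD = 3
FAILED_LOGON_WINDOW = timedelta(minutes=5)


@dataclass
class AuditRecord:
    ts: datetime
    db_user: str
    client_program: str
    action: str  # LOGON, SELECT, UPDATE, ...
    obj: str  # SCHEMA.OBJECT, empty for logons
    status: str  # SUCCESS or FAILED


def parse_line(line: str) -> AuditRecord:
    """Parse one pipe-delimited line of the constructed audit format."""
    ts, user, program, action, obj, status = (f.strip() for f in line.split("|"))
    return AuditRecord(datetime.fromisoformat(ts), user.upper(), program,
                       action.upper(), obj.upper(), status.upper())


def detect(records: List[AuditRecord]) -> List[Tuple[str, str, str]]:
    """Return (rule, db_user, detail) alerts in the order they fire."""
    alerts = []
    failed_logons = defaultdict(list)  # db_user -> timestamps of recent failures
    for r in records:
        schema = r.obj.partition(".")[0]
        # Rule 1: a DBA account reading application data. A preventive control
        # would block it; the audit trail at least makes it visible afterwards.
        if r.status == "SUCCESS" and r.db_user in PRIVILEGED_USERS and schema in APP_SCHEMAS:
            alerts.append(("PRIVILEGED_ACCESS_TO_APP_DATA", r.db_user, r.obj))
        # Rule 2: an application account logging on from something other than
        # the application tier, i.e. the app credentials used directly.
        expected = APP_ACCOUNT_PROGRAM.get(r.db_user)
        if (r.action == "LOGON" and r.status == "SUCCESS"
                and expected and r.client_program != expected):
            alerts.append(("APPLICATION_BYPASS", r.db_user, r.client_program))
        # Rule 3: repeated failed logons for one account inside a sliding window.
        # Fires once when the threshold is reached, not on every later failure.
        if r.action == "LOGON" and r.status == "FAILED":
            recent = failed_logons[r.db_user]
            recent.append(r.ts)
            recent[:] = [t for t in recent if r.ts - t <= FAILED_LOGON_WINDOW]
            if len(recent) == FAILED_LOGON_THRESHOLD:
                alerts.append(("REPEATED_FAILED_LOGON", r.db_user, f"{len(recent)} failures"))
    return alerts


# Constructed audit lines: timestamp | db user | client program | action | object | status
SAMPLE_AUDIT = """\
2011-08-22T09:00:01 | FINANCE_APP | finance-app-server | LOGON  |                   | SUCCESS
2011-08-22T09:00:02 | FINANCE_APP | finance-app-server | SELECT | finance.customers | SUCCESS
2011-08-22T09:05:10 | DBA_ADMIN   | sqlplus            | LOGON  |                   | SUCCESS
2011-08-22T09:05:15 | DBA_ADMIN   | sqlplus            | SELECT | finance.customers | SUCCESS
2011-08-22T09:05:40 | DBA_ADMIN   | sqlplus            | SELECT | sys.dba_users     | SUCCESS
2011-08-22T09:10:00 | HR_APP      | sqlplus            | LOGON  |                   | SUCCESS
2011-08-22T09:10:05 | HR_APP      | sqlplus            | SELECT | hr.employees      | SUCCESS
2011-08-22T09:20:00 | SYSTEM      | sqlplus            | LOGON  |                   | FAILED
2011-08-22T09:20:30 | SYSTEM      | sqlplus            | LOGON  |                   | FAILED
2011-08-22T09:21:00 | SYSTEM      | sqlplus            | LOGON  |                   | FAILED
2011-08-22T09:40:00 | SYSTEM      | sqlplus            | LOGON  |                   | FAILED
"""


def run_sample() -> List[Tuple[str, str, str]]:
    """Parse the constructed lines and run the rules over them."""
    records = [parse_line(line) for line in SAMPLE_AUDIT.splitlines() if line.strip()]
    return detect(records)


if __name__ == "__main__":
    for rule, user, detail in run_sample():
        print(f"ALERT {rule}: {user} ({detail})")
```

Over the sample, the DBA's read of the SYS catalogue is left alone and only the read of finance.customers is raised; the HR application account is raised once, at logon, because it arrived from sqlplus rather than the expected app server; and the three failed SYSTEM logons within five minutes raise one alert, while the isolated failure twenty minutes later does not.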
24. Prevent Unauthorized Insider Access
Data Classification for Access Control
[Diagram: data and users are classified as Public (reports), Confidential (report data) or Sensitive (transactions), and row-level access is decided by those labels]
REQUIREMENTS:
1. Classify users and data based on business drivers
2. Database-enforced row-level access control
3. User classification through Oracle Identity Management Suite
4. Classification labels can be factors in other policies
5. Certified with Oracle Database and application agnostic
25. Encrypt Sensitive or In-transit Data
Comprehensive Standards-Based Encryption
[Diagram: encrypted data on disk, in backups, in exports and at off-site facilities]
REQUIREMENTS:
1. Transparent data-at-rest encryption
2. Data stays encrypted when backed up
3. Encryption for data in transit
4. Strong authentication of users and servers
5. Certified with Oracle Database
26. Securely Backup & Store Data Archives
Integrated Tape or Cloud Backup Management
REQUIREMENTS:
1. Secure data archival to tape or cloud
2. Easy to administer key management
3. Fastest Oracle Database tape backups
4. Leverage low-cost cloud storage
27. Mask data used in development & test
Irreversible De-Identification
Production: LAST_NAME | SSN | SALARY
AGUILAR | 203-33-3234 | 40,000
BENSON | 323-22-2943 | 60,000
Non-Production: LAST_NAME | SSN | SALARY
ANSKEKSL | 111-23-1111 | 60,000
BKJHHEIEDK | 222-34-1345 | 40,000
REQUIREMENTS:
1. Remove sensitive data from non-production databases
2. Referential integrity preserved so applications continue to work
3. Sensitive data never leaves the database
4. Extensible template library and policies for automation
5. Supports heterogeneous database environments
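The two properties the slide asks for, irreversibility and preserved referential integrity, pull in opposite directions unless the masking is keyed and the key is discarded. The block below is an added example, not the deck's or Oracle's Data Masking Pack: it masks a constructed employees table (the same shape as the slide's example) together with a constructed payroll table that references employees by SSN. Names and SSNs are replaced through an HMAC keyed with a throw-away key, so the same SSN maps to the same masked value in both tables and the join survives, while salaries are shuffled across rows so the column keeps its distribution without any figure staying attached to a person. All table names, rows and function names are assumptions for the demo.

```python
"""Added example, not from the Oracle deck: irreversible masking of a production
extract that keeps the link between two tables intact. The tables, rows and the
column rules are constructed for the demo."""
import hashlib
import hmac
import random
import re
import secrets
import string
from typing import Dict, List, Optional, Tuple

Row = Dict[str, object]

# Constructed production rows (same shape as the deck's example table) plus a
# second table that references employees by SSN, to show referential integrity.
EMPLOYEES: List[Row] = [
    {"last_name": "AGUILAR", "ssn": "203-33-3234", "salary": 40000},
    {"last_name": "BENSON", "ssn": "323-22-2943", "salary": 60000},
    {"last_name": "CHANDRA", "ssn": "411-56-7789", "salary": 52000},
]
PAYROLL: List[Row] = [
    {"ssn": "203-33-3234", "period": "2011-07", "amount": 3333},
    {"ssn": "323-22-2943", "period": "2011-07", "amount": 5000},
    {"ssn": "203-33-3234", "period": "2011-08", "amount": 3333},
]


def _prf(key: bytes, label: str, value: str) -> bytes:
    """Keyed pseudo-random bytes for one value. The same key maps the same
    value to the same output everywhere, which is what keeps joins working."""
    return hmac.new(key, f"{label}:{value}".encode(), hashlib.sha256).digest()


def mask_name(key: bytes, name: str) -> str:
    """Replace a name with random-looking letters of the same length."""
    d = _prf(key, "name", name)
    return "".join(string.ascii_uppercase[d[i % len(d)] % 26] for i in range(len(name)))


def mask_ssn(key: bytes, ssn: str) -> str:
    """Format-preserving replacement: digits change, separators stay, so
    column length and format checks still hold."""
    d = _prf(key, "ssn", ssn)
    out, i = [], 0
    for ch in ssn:
        if ch.isdigit():
            out.append(str(d[i % len(d)] % 10))  # slight digit bias is fine for masking
            i += 1
        else:
            out.append(ch)
    return "".join(out)


def mask_tables(employees: List[Row], payroll: List[Row],
                key: Optional[bytes] = None) -> Tuple[List[Row], List[Row]]:
    """Mask both tables with one throw-away key. The key is never stored, so the
    mapping cannot be reversed once this function returns."""
    key = key if key is not None else secrets.token_bytes(32)
    rng = random.SystemRandom()
    # Salaries are shuffled across rows: the column keeps its real distribution
    # for testing, but no figure stays attached to the person it belonged to.
    salaries = [e["salary"] for e in employees]
    rng.shuffle(salaries)
    masked_emp = [
        {"last_name": mask_name(key, str(e["last_name"])),
         "ssn": mask_ssn(key, str(e["ssn"])),
         "salary": s}
        for e, s in zip(employees, salaries)
    ]
    masked_pay = [dict(p, ssn=mask_ssn(key, str(p["ssn"]))) for p in payroll]
    return masked_emp, masked_pay


def verify(employees, payroll, masked_emp, masked_pay) -> Dict[str, bool]:
    """Checks a reviewer would run on the masked copy before handing it out."""
    orig_ssns = {e["ssn"] for e in employees} | {p["ssn"] for p in payroll}
    new_ssns = {e["ssn"] for e in masked_emp}
    ssn_fmt = re.compile(r"^\d{3}-\d{2}-\d{4}$")
    return {
        "no_original_ssn_left": not (new_ssns | {p["ssn"] for p in masked_pay}) & orig_ssns,
        "no_original_name_left": not {e["last_name"] for e in masked_emp} & {e["last_name"] for e in employees},
        "payroll_still_joins": all(p["ssn"] in new_ssns for p in masked_pay),
        "ssn_format_kept": all(ssn_fmt.match(e["ssn"]) for e in masked_emp),
        "salary_distribution_kept": sorted(e["salary"] for e in masked_emp) == sorted(e["salary"] for e in employees),
        "two_periods_same_employee": masked_pay[0]["ssn"] == masked_pay[2]["ssn"] != masked_pay[1]["ssn"],
    }


def run_demo() -> Dict[str, bool]:
    """Mask the constructed tables and return the verification results."""
    masked_emp, masked_pay = mask_tables(EMPLOYEES, PAYROLL)
    return verify(EMPLOYEES, PAYROLL, masked_emp, masked_pay)


if __name__ == "__main__":
    for check, ok in run_demo().items():
        print(f"{check:28s} {'ok' if ok else 'FAIL'}")
```

The verification step is the part worth keeping in any masking pipeline: it confirms that no production SSN or name survives in either table, that every payroll row still finds its employee, that the two payroll periods for the same person still share one masked SSN, and that the SSN column still satisfies its format. Because the key is generated inside the call and dropped, re-running the job produces a different but equally consistent copy, and nothing kept anywhere lets anyone map a masked value back.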
28. Application of MSA to Safeguard your Data
Recap of how to secure your business' most valuable asset
Encryption and Masking: Encrypt Sensitive & In-transit Data; Protect Data Back-ups; Mask Data for Dev. & Testing Use
Access Control: Control Privileged Users; Multi-factor Authorization
Auditing and Monitoring: Secure Configurations; Detect and Audit Mis-use; Reverse and undo Damage
Blocking and Logging: Perimeter Defense
30. Oracle Solutions Mapped to MSA
Integrated products to deliver MSA capabilities for your Databases
Encryption and Masking
Encrypt Sensitive & In-transit Data: Advanced Security Option
Protect Data Back-ups: Secure Backup
Mask Data for Dev. & Testing Use: Data Masking Pack
Access Control
Control Privileged Users: Database Vault
Multi-factor Authorization: Label Security
Auditing and Monitoring
Secure Configurations: Configuration Management Pack
Detect and Audit Mis-use: Audit Vault
Reverse and undo Damage: Total Recall
Blocking and Logging
Perimeter Defense: Database Firewall
31. Daewoo Securities
Protecting Against Insider Threats
Business Challenges
• Internal threats are a major concern at Daewoo Securities. Several major companies in Korea have experienced data leaks
• Daewoo Securities had granted a high number of access privileges to super users, such as IT administrators.
• Non-standard security solutions for protecting the company data
Solution
• Oracle Database
• Oracle Database Vault
• Oracle Advanced Security
Business Results
• Protected confidential HR data from being accessed by privileged users such as IT administrators, while ensuring they could still log in to systems to complete their jobs
• Enhanced information protection by encrypting data in the database and whenever it leaves the repository
32. Dongguk University
Automated Audit Data Collection, Improved Security, Reduced Costs with Reporting
Business Challenges
• Students use the system to manage their profiles and timetables online, while teachers and staff use it to organize course details and other important administrative tasks. One of the most important parts of the deployment was the rollout of an auditing system to provide control over user privilege rights and strengthen security.
Solution
• Oracle Database
• Oracle Real Application Clusters
• Oracle Audit Vault
Business Results
• Automated the collection and consolidation of audit data, which lowered the risk of insider security threats
• Provided audit controls which verified that only the authorized application user was performing the specified database tasks
• Made the auditing process easy by providing useful information such as user name, corresponding IP addresses, and role in the application
• Allowed reports and audit policy functions to be viewed on screen, eliminating the cost and time associated with completing manual audits
33. Cornell University
Masks all sensitive data used for testing, training and development in their PeopleSoft environment
Business Challenges
• Ensure reliable access to operational and academic systems across a decentralized IT environment, including PeopleSoft applications and a Blackboard learning system
Solution
• Implemented Enterprise Manager to automate monitoring of the university's IT infrastructure, including databases, middleware, and servers, saving time for IT managers and increasing transparency across the IT infrastructure
• Deployed Data Masking Pack as a component within Enterprise Manager (EM) to protect sensitive student info.
Business Results
• Data Masking obfuscated all sensitive data from PeopleSoft environments used for testing, training, and development
• EM enabled Cornell to be more proactive as an IT department, preventing or resolving performance problems before they're noticed, and anticipating the needs of students, faculty and staff
35. Oracle Database Security Solutions
Fits the Maximum Data Security Architecture framework
• Comprehensive – single vendor addresses all your requirements
• Transparent – no changes to existing applications or databases
• Easy to deploy – point-n-click interfaces deliver value within hours
• Cost effective – integrated solutions reduce risk and lower TCO
• Proven – #1 Database with over 30 years of info security innovation!
Perimeter Security: Database Firewall
Auditing and Monitoring: Audit Vault; Total Recall; Configuration Management
Access Control: Database Vault; Label Security; Identity Management
Encryption & Masking: Advanced Security; Secure Backup; Data Masking
36. Part of an End-to-End Security Solution
Data Security is a key part of the overall Maximum Security Architecture that covers your entire IT spectrum
[Diagram: Infrastructure Security, Database Security, Identity Management and Information Rights Management layered over infrastructure, databases, applications and information]
37. Oracle Security Customers are everywhere
Financial Services Transportation & Services
Manufacturing & Technology Telecommunication
Public Sector Retail
38. Because Oracle is #1 and Most Secure
[Chart: vendor share – Oracle 48.6%, IBM 20.7%, Microsoft 18.1%, Other 12.6%]
"Most DBMS vendors offer basic security features; Oracle's offering is most comprehensive."
Source: Gartner DataQuest, 2008; Forrester Database Security Market Report, 2009