Oracle Database Vault: Application Data Security and - NoCOUG
Slide 1
Oracle Database Vault
Kamal Tbeileh, Senior Principal Product Manager, Database Security
Slide 2
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
Slide 3
Agenda
• Regulatory Compliance and Application Security
• Oracle Database Vault Overview
• Oracle Database Vault Protection for Applications
  • PeopleSoft, E-Business Suite, Siebel, … and more
• Where to go for more information
• Q&A
Slide 4
Application Data Security & Compliance: Business Drivers
Security Threats
• Insider Threats
• Industrial Espionage
• Identity Theft
Data Consolidation, Globalization, Right Sourcing
Compliance Mandates
• SOX
• JSOX
• Basel II
• EU Directives
• HIPAA
• GLBA
• SB1386
• PCI
Slide 5
Application Data Security & Compliance: Continuous Innovation
(Timeline diagram; the mapping of each feature to the release that introduced it did not survive extraction.)
Features shown:
• Data Masking
• TDE Tablespace Encryption
• Oracle Total Recall
• Oracle Audit Vault
• Oracle Database Vault
• Transparent Data Encryption (TDE)
• Real Time Masking
• Secure Config Scanning
• Fine Grained Auditing
• Oracle Label Security
• Enterprise User Security
• Virtual Private Database (VPD)
• Database Encryption API
• Strong Authentication
• Native Network Encryption
• Database Auditing
Timeline labels: Government customer, Oracle7, Oracle8i, Oracle Database 9i, Oracle Database 10g, Oracle Database 11g
Slide 6
Application Data Security & Compliance: Defense-in-Depth
Access Control
• Database Vault
• Label Security
Monitoring
• Configuration Management
• Audit Vault
• Total Recall
Encryption and Masking
• Data Masking
• Advanced Security
• Secure Backup
Slide 7
Application Data Security & Compliance: Oracle Database Vault
• Controls on privileged users
  • Restrict highly privileged users from application data
  • Provide Separation of Duty
  • Security for database and information consolidation
• Real time access controls
  • Control who, when, where and how data is accessed
  • Make decisions based on IP address, time, authentication…
Components: Reports, Protection Realms, Multi-Factor Authorization, Separation of Duty, Command Rules
Slide 8
Oracle Database Vault: Control Access to Application Data
Benefits
• Transparently prevent admin access to application data with “Realms”
• Control SQL commands and other database operations
• Enforce who, how, where, and when with multi-factor authorization
• Get Separation-of-duty
• Securely consolidate databases
• No application changes required
Diagram: a Financials Application User and a DBA accessing the database
Slide 9
Oracle Database Vault: Protection Realms
Diagram: a DBA, an HR DBA and a FIN DBA against an HR Realm (HR schema) and a Fin Realm (Fin schema)
• Database DBA views HR data (select * from HR.emp): compliance and protection from insiders
• HR DBA views Fin. data: eliminates security risks from server consolidation
Slide 10
Oracle Database Vault: Transparent Multi-factor Authorization
Diagram labels: HR account, FIN DBA, HR, FIN, SELECT …, CREATE …, Business hours, Unexpected IP address
Slide 11
Example: Protecting application data from database privileged users
Slide 14
Database Vault Administration Page
Slide 15
Step 1. Defining a Realm
Slide 16
Step 2. Adding Protected Schema
Slide 19
Example: Limiting connection from non-application-server IP addresses
Slide 20
Limit Access to Specific IP Addresses: Creating a Command Rule
Slide 21
List of Allowed IP Addresses
Slide 22
Connection Blocked from Other IP Addresses
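The two screenshot walkthroughs above (defining a realm, adding the protected schema, then a CONNECT command rule tied to an allowed-address list) expressed through the DBMS_MACADM API instead of the administration pages. This is an added example, not material from the deck; the HR schema, the realm and rule names, the DBV_OWNER account and the 192.0.2.x addresses are assumptions.

```sql
-- Run as the Database Vault owner account (named DBV_OWNER here), not SYS/SYSTEM.
-- The HR schema, realm and rule names and the IP addresses are constructed.
-- Step 1: define the realm; Step 2: put every HR object inside it.
BEGIN
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'HR Application Realm',
    description   => 'Shields HR application data from privileged users',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);   -- audit blocked attempts

  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'HR Application Realm',
    object_owner => 'HR',
    object_name  => '%',      -- all objects ...
    object_type  => '%');     -- ... of every type

  -- Only the schema owner is authorized; a DBA holding SELECT ANY TABLE now
  -- gets ORA-01031 on "select * from HR.emp" instead of rows.
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'HR Application Realm',
    grantee       => 'HR',
    rule_set_name => NULL,
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_OWNER);
END;
/

-- CONNECT command rule: sessions only from the application servers.
-- A second rule keeps the Database Vault owner able to log in from anywhere;
-- without it a typo in the address list locks every administrator out.
BEGIN
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'From App Server',
    rule_expr => q'[DVF.F$CLIENT_IP IN ('192.0.2.10', '192.0.2.11')]');
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Is DV Owner',
    rule_expr => q'[DVF.F$SESSION_USER = 'DBV_OWNER']');

  DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'Allowed App Server Addresses',
    description     => 'Application tier addresses plus the DV owner',
    enabled         => DBMS_MACUTL.G_YES,
    eval_options    => DBMS_MACUTL.G_RULESET_EVAL_ANY,   -- any one rule true
    audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
    fail_options    => DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => 'Connections allowed only from application servers',
    fail_code       => -20001,
    handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);
  DBMS_MACADM.ADD_RULE_TO_RULE_SET('Allowed App Server Addresses', 'From App Server');
  DBMS_MACADM.ADD_RULE_TO_RULE_SET('Allowed App Server Addresses', 'Is DV Owner');

  DBMS_MACADM.CREATE_COMMAND_RULE(
    command       => 'CONNECT',
    rule_set_name => 'Allowed App Server Addresses',
    object_owner  => '%',
    object_name   => '%',
    enabled       => DBMS_MACUTL.G_YES);
END;
/

-- Verify what is now enforced (Database Vault data-dictionary views).
SELECT name, enabled FROM dvsys.dba_dv_realm WHERE name = 'HR Application Realm';
SELECT command, rule_set_name, enabled FROM dvsys.dba_dv_command_rule
 WHERE command = 'CONNECT';
```

Failed connections are written to the Database Vault audit trail because of G_RULESET_AUDIT_FAIL, which is what the Grid Control alerts on the later slides surface.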
Slide 23
Application Data Security & Compliance: Oracle Database Vault & Grid Control
Slide 24
Enterprise Manager Grid Control: Database Vault Target
Slide 25
Enterprise Manager Grid Control: Database Vault Generated Alerts
Slide 26
Application Data Security & Compliance: Oracle Database Vault & PeopleSoft
Slide 27
Application Data Security & Compliance: PeopleSoft Protection with Oracle Database Vault
• All PeopleSoft modules are protected
  • Realm that protects PeopleSoft (SYSADM schema)
  • A CONNECT Command Rule that ensures
    • Access through middle tier
    • Access from trusted IP addresses
  • A SELECT Command Rule restricts Application DBA access
• Separation of Duty
  • Database Account Manager
  • Security Administrator
  • Application DBA
• Extensible
  • Customer can create additional realms and command rules
Slide 28
Application Data Security & Compliance: PeopleSoft supported versions with Database Vault
• PeopleSoft apps below 8.4 (e.g. 8.0, 8.1, 8.3)
  • Must be on PeopleTools 8.22
• PeopleSoft apps 8.4 or greater (e.g. 8.4, 8.8, 8.9, 9.0 and higher)
  • Must be on PeopleTools 8.46 or greater
• Oracle Database versions:
  • Oracle Database 10.2.0.3 or 10.2.0.4 (recommended)
  • Oracle Database 9.2.0.8
  • Oracle Database 11g release
Slide 29
PeopleSoft protection matrix (the table layout did not survive extraction; only its labels are recoverable)
Columns: Protection Type, then the accounts DBA, SYSADM, SYSTEM, PSFTDBA
Rows: PeopleSoft Realm, Select Command Rule, Connect Command Rule, Drop Tablespace Command Rule
Cell values that appear: OWNER, No Access, Not Restricted, Authorized with Rule Set, PeopleSoft Access Rule Set, Limit PSFTDB Rule Set, Disabled Rule Set
Slide 30
Pharmaceutical Services Customer
Challenge
• Meet internal and external compliance requirements
• Streamline data management, optimizing a lean IT staff
• Protect the privacy and security of very sensitive data
Solution
• Oracle Database Vault
  – Separation of Duties
  – Realms and Command Rules to restrict DBAs’ access to PeopleSoft
  – Multi-factor authorization to prevent application by-pass
Results
• Ensure compliance with regulation such as Sarbanes-Oxley
• Reduce the risk of data breaches and impropriety by limiting access to sensitive information with preventive controls
• Save time and money by implementing the Oracle-provided PeopleSoft-specific Database Vault protection policies
Customer Profile: over 11K employees, with revenue over $500 Million; 15 databases; Solaris platform
Slide 31
Application Data Security & Compliance: Oracle Database Vault & E-Business Suite
Slide 32
Application Data Security & Compliance: E-Business Suite Protection with Database Vault
• E-Business Suite data protected
  • Oracle Database Vault pre-seeded Realms prevent access by unauthorized privileged users to E-Business Suite application data
  • All E-Business Suite modules are protected
  • Oracle Database Vault Separation of Duty prevents new account creation or ad hoc changing of passwords
• Extensible
  • Define custom command rules to restrict ad-hoc access to specific factors such as IP addresses or subnets
  • Define custom realms for E-Business Suite custom schemas
Slide 33
Application Data Security & Compliance: EBS with Database Vault best practices
• Treat the SYSTEM account the same way as the APPS account
  • SYSTEM account is required to run the AD utilities
• Monitoring
  • Audit using database auditing during patching for SYSTEM and APPS
  • Mitigate the risk of accessing data during patching
• Manage account passwords when not doing patching
  • Security Administrator should own the passwords for these accounts
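The monitoring practice above (per-statement auditing of SYSTEM and APPS for the duration of a patching window, then a review of what they touched) as an added example that is not part of the deck. It assumes AUDIT_TRAIL is set to DB,EXTENDED so SQL text is captured, that the statements are run by the account holding the AUDIT SYSTEM privilege (the security administrator under Database Vault separation of duty), and a constructed patching window.

```sql
-- Assumes AUDIT_TRAIL = DB,EXTENDED (DB alone works but leaves SQL_TEXT empty).
-- Run by the account with AUDIT SYSTEM, i.e. the Security Administrator role.

-- Before the patching window: one audit record per statement, for both accounts.
-- ALL covers the statement shortcuts; the data-access options are listed separately
-- because ALL does not include them.
AUDIT ALL BY SYSTEM, APPS BY ACCESS;
AUDIT SELECT TABLE, INSERT TABLE, UPDATE TABLE, DELETE TABLE BY SYSTEM, APPS BY ACCESS;

-- After the window: data access by SYSTEM or APPS that is not part of applying
-- the patch is the finding. Window boundaries are constructed values.
SELECT username, os_username, userhost, timestamp, action_name,
       owner, obj_name, returncode, sql_text
  FROM dba_audit_trail
 WHERE username IN ('SYSTEM', 'APPS')
   AND timestamp BETWEEN TO_DATE('2009-03-14 22:00', 'YYYY-MM-DD HH24:MI')
                     AND TO_DATE('2009-03-15 02:00', 'YYYY-MM-DD HH24:MI')
   AND action_name IN ('SELECT', 'INSERT', 'UPDATE', 'DELETE')
 ORDER BY timestamp;

-- When patching is over: stop per-statement auditing, and hand the account
-- passwords back to the Security Administrator as the slide recommends.
NOAUDIT ALL BY SYSTEM, APPS;
NOAUDIT SELECT TABLE, INSERT TABLE, UPDATE TABLE, DELETE TABLE BY SYSTEM, APPS;
```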
Slide 34
Application Data Security & Compliance: EBS with Database Vault supported versions
• Certified Configurations
  • E-Business Suite Release 11.5.10.CU2 or 12.0 and higher
  • Oracle Database 10.2.0.4
  • Oracle Database 11.1.0.7 will be certified soon
• Documentation
  • Integrating Oracle E-Business Suite Release 12 with Oracle Database Vault 10gR2 (Note 566841.1)
  • Integrating Oracle E-Business Suite Release 11i with Oracle Database Vault 10gR2 (Note 428503.1)
Slide 35
Oracle Database Vault: E-Business Suite Application Protection Matrix
Slide 36
Global Financial Services Customer
Challenge
• Meet internal and external compliance requirements
• Streamline data management, optimizing a lean IT staff
• Protect the privacy and security of very sensitive client data
Solution
• Oracle Database Vault
  – Separation of Duties
  – Realms and Command Rules to restrict DBAs’ access to sensitive data
  – Multi-factor authorization to prevent application by-pass
Results
• Ensure compliance with regulation such as Sarbanes-Oxley
• Reduce the risk of data breaches and impropriety by limiting access to sensitive information with preventive controls
• Save over $15 million a year by outsourcing/off-shoring backend operations while still being compliant with regulations
Customer Profile: over 100K employees, with revenue over $50 Billion; over 800 databases; Solaris, Linux x86-64, and AIX platforms
Slide 37
Application Data Security & Compliance: Oracle Database Vault & Siebel
Slide 38
Application Data Security & Compliance: Siebel Protection with Oracle Database Vault
• All Siebel modules are protected
  • Siebel Realm protects the Siebel database schema
  • CONNECT Command Rule that ensures
    • Access through middle tier
    • Access from trusted IP addresses
  • SELECT Command Rule restricts SIEBELDBA data access
• Separation of Duty
  • Database Account Manager
  • Security Administrator
  • Application DBA: SIEBELDBA user
• Extensible
  • Customer can create additional realms and command rules
Slide 39
Application Data Security & Compliance: Siebel Supported Versions
• All Siebel modules are supported
  • Service, Sales, Marketing, etc.
• Siebel 7.7 and above versions are supported
  • 7.7
  • 7.8
  • 8.x
• Oracle DB Versions:
  • Oracle Database 10.2.0.4
  • Oracle Database 11.1.0.7
Slide 40
Global Telecom Services Customer
Challenge
• Meet internal and European compliance requirements
• Prevent any tampering or deletion of database objects
• Protect the privacy and security of very sensitive client data
Solution
• Oracle Database Vault
  – Separation of Duties
  – Realms and Command Rules to restrict DBAs’ access to sensitive data
  – Command Rules to prevent any tampering of database objects
Results
• Ensure compliance with regulations: European privacy laws
• Reduce the risk of data breaches and impropriety
• Enhance application availability by gaining confidence that no user can change database objects without the Security Administrator’s approval
Customer Profile: over 80K employees, with revenue over $30 Billion; over 200 databases; Solaris, Linux x86-64, and HPUX platforms
Slide 41
Siebel protection matrix (the table layout did not survive extraction; only its labels are recoverable)
Columns: Protection Type, then the accounts DBA and SYSTEM, SIEBEL, SADMIN, SIEBELDBA
Rows: Siebel Realm, Select Command Rule, Connect Command Rule, Drop Tablespace Command Rule
Cell values that appear: OWNER, No Access, Not Restricted, Authorized with Rule Set, Access through middle tier, Siebel Access Rule Set, Restrict Select Rule Set, Disabled Rule Set
Slide 42
Application Data Security & Compliance: Application Protection Summary with Database Vault
Application / Product Protection Status
• PeopleSoft Applications
• E-Business Suite Applications
• Oracle Siebel Applications
• JDE Applications (In progress)
• Partner applications (SAP) (In progress)
• Oracle Content DB
• Oracle Internet Directory
Slide 43
Application Data Security & Compliance: Summary
Slide 44
Application Data Security & Compliance: Oracle Database Vault - Summary
• Enforce Separation of Duty for the Database
• Prevent DBA access to sensitive data
• Protect applications using protection templates available for download for:
  • PeopleSoft, EBS, and Siebel
• Use Enterprise Manager Grid Control integration
• Apply on all of your existing Database releases:
  • Oracle Database Releases 11g, 10g, and even 9i
• Achieve better JSOX compliance for the Database
Slide 45
Learn More
• Database Vault technical details: http://www.oracle.com/technology/deploy/security/database-security/database-vault/index.html
• Steven Chan blog: http://blogs.oracle.com/schan
• PeopleSoft’s Database Vault protection templates: http://www.oracle.com/technology/software/products/database_vault/index.html
• Siebel’s Database Vault protection templates: http://www.oracle.com/technology/software/products/database_vault/index.html