Oracle Database 12c Release 2 Security and Compliance
Defense-in-Depth Database Security for On-Premises and Cloud Databases
ORACLE WHITE PAPER | APRIL 2017

Table of Contents

Introduction
Oracle Database 12c Security
Evaluating Security Risks
  Knowing Where Sensitive Data Resides with Sensitive Data Discovery
  Reducing the Attack Surface with Role and Privilege Analysis
  Evaluating the Database Security Posture with Database Security Assessment
  Monitoring the Database Configurations with Enterprise Manager
Preventing Unauthorized Access to Data
  Preventing Database Bypass with Transparent Data Encryption
  Scaling Transparent Data Encryption with Oracle Key Vault
  Limiting Privileged User Access with Database Vault
  Protecting Sensitive Data in Applications with Data Redaction
  Minimizing Sensitive Data Exposure with Data Subsetting and Masking
Detecting Access Attempts and Abuse
  Auditing Database Activity with Universal and Conditional Audit
  Managing Audit Data with Audit Vault
  Monitoring SQL Activity with Database Firewall
Protecting Application Data with Data-Driven Security
  Implementing Fine-Grained Security with Virtual Private Database
  Enforcing Application Data Controls with Real Application Security
Conclusion

Introduction

The need to secure data is driven by an expanding privacy and regulatory environment coupled with an increasingly dangerous world of hackers, insider threats, organized crime, and other groups intent on stealing valuable data. The security picture is complicated even more by the rapid expansion of access to sensitive data via the Internet, an unprecedented understanding of technology, increasing economic competition, and the push to achieve greater efficiencies through consolidation and cloud computing.
Information targeted for attack has included citizen data, intellectual property, credit card data, financial information, government data, and competitive bids. Attack methodologies include hacking of privileged user accounts, exploitation of application vulnerabilities, media theft, and other sophisticated attacks collectively known as advanced persistent threats or APT. In response to the increasing threat to data, regulations have been put in place that include the numerous U.S. State privacy laws, Payment Card Industry Data Security Standard (PCI-DSS), the U.K. Data Protection Act, the European Union's General Data Protection Regulation (GDPR), and the Korean Act on Protection of Personal Data, to name a few.

To better understand the importance of database security one needs to consider the potential sources of vulnerability.

- Threats that target the operating system can circumvent the database by accessing raw data files, bypassing application security, access controls inside the database, network security, and encrypted drives.
- Proliferation of production data beyond the controls of the production environment expands the scope of compliance and increases the risk to data.
- Privacy-related information can be exposed to individuals without a true need-to-know due to an oversight in the development process or the complexity of modifying legacy applications.
- Privileged user accounts and overprivileged applications may become targets for highly specialized attacks or the source of insider threats.
- Ad-hoc access to application data by privileged accounts may violate internal policies, regulatory mandates, service level agreements, as well as expose data to external attacks.
- Application bypass through SQL injection can expose large amounts of sensitive data to attackers or unauthorized users.
- Configuration drift or changes that create deviation from internal deployment standards and security best practices can result in audit findings, impact business continuity, and increase security risks.

Oracle Database 12c Security

Security and compliance requires a defense-in-depth, multi-layered, security model that includes preventive, detective, and administrative controls. Controls should be aligned with the sensitivity of the data, its location, its environment, and applicable regulations. Additional consideration should be given to the business impact should the data be lost, stolen, or used for unauthorized purposes.

Oracle Database 12c Release 2 (12.2), the latest generation of the world's most popular database, is available for deployment on premises and in the Oracle Cloud. With Oracle Database 12c Release 2, Oracle continues to lead the industry with the most complete solution set for securing business-critical data throughout the data lifecycle. Oracle Database 12c security, combined with the Oracle Audit Vault and Database Firewall and Oracle Key Vault solutions, provide unprecedented capabilities to protect data and defend aga