
PCI DSS - Payment Card Industry Data Security Standard

Alfredo Valenza
Master Principal Sales Consultant - Oracle Italia

Agenda
Oracle

PCI market

PCI Compliance
Database Security
Identity Management
Access Management

In addition
Configuration Management
IRM

2009 Oracle Corporation

Oracle PCI's Target Market

Merchants with between 20,000 and 6,000,000 transactions per year, as they have to perform an annual self-assessment questionnaire and also conduct quarterly network scans. They will want a technical solution!
People who want to be PCI compliant for Intranet/Internet and want to build database-to-database compliance.
We are not going to cover security policies, cash tills, retail outlets.

Why Oracle?

Oracle has 360 degree security products and is in a unique position to offer a single vendor solution.
Security Accreditation on a number of components, such as:
Oracle 11g EE (11.1): Evaluated, EAL 4+
Oracle Database Vault 11g (11.1.0.7): Evaluated, EAL 4+
Oracle Label Security 11g (11.1.0.7): Evaluated, EAL 4+
Oracle Identity and Access Manager: Evaluated, EAL 4+
Scalability / High Availability / Performance second to none.
Provide solution for small / medium / large organisations.

What Customers Are Asking For

Business Users: Jim (User), Jane (Manager)
Want Their User Accounts As Fast As Possible
Want Simplified Access To Applications And Content
Minimize And Synchronize Passwords

IT Personnel: Larry (IT)
Needs Help Simplifying User Management For Employees, Customers, Partners
Want to Automate Manual Processes (like Workflow)
Need Tools To Manage IT Systems With Less Effort

Audit/Security: Kate (Audit/Security)
Need To Understand Risk And What To Protect
Want to Protect Data From Compromise
Looking for ways to Recertify User Access With Less Effort
Need Reports For Who Has (And Had) Access To What

Oracle Database Security and PCI Compliance
2.1 Always change vendor-supplied defaults before installing a system on the network
Oracle locks and expires default accounts and passwords during installation. Passwords for
administration accounts are prompted for during installation.
2.2 Develop configuration standards for all system components. Assure that these
standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards.
Oracle Enterprise Manager Configuration Pack enables customers to scan their enterprise
databases for compliance.
2.2.3 Configure system security parameters to prevent misuse.
Monitor with the Oracle EM Configuration Pack.
Oracle Audit Vault consolidates audit data from across Oracle databases, and can report and
alert on audit data.
Oracle Database Vault Separation of Duty prevents unauthorized administrative actions in
the Oracle Database.

2.2.4 Remove all unnecessary functionality, such as scripts, drivers, features,
subsystems, file systems, and unnecessary web servers.
Oracle Database custom installation allows specific components to be installed or
removed.
2.3 Encrypt all non-console administrative access. Use technologies
such as SSH, VPN, or SSL/TLS for web based management and other non-console
administrative access.
Oracle Advanced Security provides network encryption to encrypt all traffic over SQL*Net
between the middle tier and the database, between clients and the database and between
databases.

3.3 Mask PAN when displayed (the first six and last four digits are
the maximum number of digits to be displayed).
Application specific; Applications can leverage Virtual Private Database (VPD)
with a column relevant policy to mask out the entire number. If the application stores
the number in different fields VPD can be used to mask out the relevant parts of the
number by field.
Security attributes provided by Oracle Label Security label factors can help
determine who should have access to the number.
Oracle Database Vault Realms can be used to prevent highly privileged users from
accessing any application data.
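
A sketch of the VPD column-masking approach for requirement 3.3, for the case mentioned above where the application stores the number in separate fields. This is an added example, not code from the presentation or from Oracle; the PAYAPP schema, the CARDS table and its columns, and the PAY_CTX application context are assumptions.

```sql
-- Added example; every object name below is an assumption, not from the slides.
-- Assumed table: PAYAPP.CARDS(card_id, pan_first6, pan_middle, pan_last4)
-- Assumed application context PAY_CTX (created with CREATE CONTEXT ... USING a
-- trusted package) whose PAN_CLEAR attribute is 'Y' only for sessions with a
-- business need to see the full number.

-- Policy function: VPD passes in the schema and object name and uses the
-- returned string as a predicate.
CREATE OR REPLACE FUNCTION payapp.pan_mask_policy (
  p_schema IN VARCHAR2,
  p_object IN VARCHAR2
) RETURN VARCHAR2
AS
BEGIN
  IF SYS_CONTEXT('PAY_CTX', 'PAN_CLEAR') = 'Y' THEN
    RETURN '1=1';   -- predicate true for every row: column shown
  END IF;
  RETURN '1=0';     -- predicate false for every row: column masked
END pan_mask_policy;
/

-- Column-relevant policy on the middle digits only. With ALL_ROWS the rows are
-- still returned and the protected column is NULL where the predicate is false,
-- instead of the rows being filtered out.
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema         => 'PAYAPP',
    object_name           => 'CARDS',
    policy_name           => 'PAN_MASK',
    function_schema       => 'PAYAPP',
    policy_function       => 'PAN_MASK_POLICY',
    statement_types       => 'SELECT',
    sec_relevant_cols     => 'PAN_MIDDLE',
    sec_relevant_cols_opt => DBMS_RLS.ALL_ROWS);
END;
/

-- Session without PAN_CLEAR: every row comes back, PAN_MIDDLE is NULL, so at
-- most the first six and last four digits can be displayed.
SELECT card_id, pan_first6, pan_middle, pan_last4 FROM payapp.cards;

-- Evidence for an assessor: which columns are covered by a VPD policy.
SELECT object_owner, object_name, policy_name, sec_rel_column, column_option
  FROM dba_sec_relevant_cols
 WHERE object_owner = 'PAYAPP';
```

VPD policies are not enforced for SYS or for accounts holding the EXEMPT ACCESS POLICY privilege, so grants of that privilege need review; highly privileged accounts are the case the Database Vault realms above are meant to cover.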

3.4 Render PAN, at minimum, unreadable anywhere it is stored
(including on portable digital media, backup media, in logs)
Oracle Advanced Security TDE column encryption and TDE tablespace
encryption can be used to transparently encrypt the Primary Account Number on
storage media.
Oracle RMAN can encrypt the entire backup when backed up to disk.
Oracle Data Pump can encrypt entire Database export files, either with the master
encryption key from the source database, or a passphrase that can be securely shared
with the receiving party.

Oracle Secure Backup provides a solution for backing up and encrypting directly
to tape storage.
Encryption algorithms supported include 3DES and AES with 128, 192, or 256 bit
key length.

Oracle Advanced Security Transparent Data Encryption (TDE) has key management built-in. Encrypted data stays encrypted in the data files, undo logs, and redo logs. SHA-1 and MD5 are used for integrity.
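
The TDE column and tablespace options for requirement 3.4, followed by the dictionary queries that show what is actually encrypted. This is an added example in Oracle 11g syntax, not code from the presentation; the table and tablespace names, the datafile path and the wallet password are placeholders, and it assumes a wallet location is already configured in sqlnet.ora.

```sql
-- Added example; object names, path and password are placeholders.

-- 1. Create the master encryption key in the wallet (11g syntax).
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "<wallet_password>";

-- 2. Column encryption of a stored PAN. NO SALT is needed if the column
--    is indexed; salted columns cannot carry an index.
ALTER TABLE payapp.card_archive MODIFY (pan ENCRYPT USING 'AES256' NO SALT);

-- 3. Tablespace encryption: everything created in this tablespace is
--    encrypted, with no per-column decisions.
CREATE TABLESPACE card_data
  DATAFILE '<datafile_path>' SIZE 100M
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

-- 4. Evidence: encrypted columns, encrypted tablespaces, wallet state.
SELECT owner, table_name, column_name, encryption_alg, salt
  FROM dba_encrypted_columns;

SELECT tablespace_name, encrypted
  FROM dba_tablespaces
 WHERE encrypted = 'YES';

SELECT wrl_type, wrl_parameter, status
  FROM v$encryption_wallet;
```

A table holding PAN that appears in neither of the first two result sets is stored in clear text, which is the gap requirement 3.4 is concerned with.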

3.4.1 If disk encryption is used (rather than file or column-level database encryption),
logical access must be managed independently of native operating system access control
mechanisms
Security attributes provided by Oracle Label Security label factors can help determine who
should have access to the data.
3.4.1.b Verify that cryptographic keys are stored securely (for example, stored on
removable media that is adequately protected with strong access controls).
The TDE master encryption key is part of a two tier key architecture that protects the
encryption keys used to encrypt the data. The TDE master key can be stored in an Oracle
Wallet or an external hardware security module (HSM).
6.1 Ensure that all system components and software have the latest
vendor-supplied security patches installed. Install critical security patches
within one month of release.
Oracle Configuration Management Pack for Oracle Database manages configuration
compliance with automated IT controls

7.2.2 Assignment of privileges to individuals based on job classification
and function
Security attributes provided by Oracle Label Security label factors can help assign privileges.
8.4 Render all passwords unreadable during transmission and storage on all system
components using strong cryptography
Oracle Advanced Security provides network encryption to encrypt all traffic over SQL*Net
between the middle tier and the database, between clients and the database and between
databases.
8.5.16 Authenticate all access to any database containing cardholder data.
This includes access by applications, administrators, and all other users.
Oracle Database Vault Realms can be used to prevent highly privileged users from accessing
any application data.

10.1 Establish a process for linking all access to system components (especially access
done with administrative privileges such as root) to each individual user.
Oracle Audit Vault reduces the cost and complexity of compliance and the risk of insider
threats by automating the collection and consolidation of audit data. It provides a secure and
highly scalable audit warehouse, enabling simplified reporting, analysis, and threat detection
on audit data.
10.5.1 Limit viewing of audit trails to those with a job-related need.
10.5.2 Protect audit trail files from unauthorized modifications.
Oracle Database Vault Realms can be used to prevent highly privileged users from accessing
any application data.
10.6 Review logs for all system components at least daily.
Oracle Audit Vault

Oracle Security Inside Out

Database Security:
Encryption and Masking
Privileged User Controls
Multi-Factor Authorization
Activity Monitoring and Audit
Secure Configuration

Identity Management:
User Provisioning
Role Management
Entitlements Management
Risk-Based Access Control
Virtual Directories

Information Rights Management:
Document-level access control
All copies, regardless of location (even beyond the firewall)
Auditing and revocation

[Diagram labels: Information, Infrastructure, Databases, Applications, Content]

Oracle Database Security: Defense-in-Depth for Security and Compliance

Monitoring: Configuration Management, Audit Vault, Total Recall
Access Control: Database Vault, Label Security
Encryption and Masking: Advanced Security, Secure Backup, Data Masking

Oracle Label Security: Label Based Access Control

Evaluated at CC EAL4
Available on all Oracle platforms
Transparent access control based on labels
Industry leading classification solution
Complements database roles and privileges
Extends application security
Customers include government and commercial organizations

[Diagram labels: Sensitive, Highly Sensitive, Confidential]

3.4.1 If disk encryption is used (rather than file or column-level database encryption), logical access must be managed independently of native operating system access control mechanisms
7.2.2 Assignment of privileges to individuals based on job classification and function

Oracle Label Security: How does it work?

Provision Policy and Define Labels
Provision User Labels
Apply Label Security

[Diagram labels: Row Level Data Classification (Highly Sensitive, Sensitive, Confidential); HR Applications Policy; Database Vault Command Rules; VPD Column Masking; Oracle Identity Management or Database]

Oracle Advanced Security: Tablespace Encryption

Encrypt all application data
Encrypt entire database files
No need to worry about encrypting individual columns
Highly efficient
High performance
Integrated with Oracle data compression
No application changes
All data types
Index range scans

[Diagram labels: SQL Layer; Buffer Cache (SSN = 987-65-..); data blocks (*M$b@^s%&d7); undo blocks; redo logs; temp blocks; flashback logs]

2.3 Encrypt all non-console administrative access.

Oracle Advanced Security: Transparent Data Encryption Key Management

Built-in key lifecycle management
Generate, store, rotate and destroy master encryption key
Software wallet or HSM key store
Hardware Security Module (HSM):
Special purpose hardware
Open PKCS#11 interface allows Oracle customers to choose from a wide variety of HSM vendors

[Diagram labels: Security DBA, Open Master Key, Master Key]

Oracle Database Vault: Separation of Duties & Privileged User Controls

DBA separation of duties
Limit powers of privileged users
Securely consolidate application data
No application changes required
Works with Oracle Exadata V2 Database Machine

[Diagram labels: Procurement, HR, Finance, Application, DBA; select * from finance.customers]

8.5.16 Authenticate all access to any database containing cardholder data.
10.5.2 Protect audit trail files from unauthorized modifications.

Oracle Database Vault: Privileged User Controls

Database DBA views HR data
Compliance and protection from insiders
HR App Owner views Fin. data
Eliminates security risks from server consolidation

[Diagram labels: DBA; SELECT * FROM HR.EMP; HR Realm (HR, HR App); FIN Realm (FIN, FIN App)]

Data Masking Pack: Off-Line Data Masking

Protect sensitive data
De-identify sensitive data moved from production databases to dev or test environments
No impact on production database
Built-in Discovery
Use foreign key definitions to maintain relationships between tables
Define custom data relationships

Production Database:
LAST_NAME   SSN          SALARY
AGUILAR     203-33-3234  40,000
BENSON      323-22-2943  60,000

Cloned Database:
LAST_NAME   SSN          SALARY
ANSKEKSL    11123-1111   40,000
BKJHHEIEDK  111-34-1345  60,000

What Do You Need To Audit?

[Table columns: SOX, PCI DSS, HIPAA/HITECH, Basel II, FISMA, GLBA]

Database Audit Requirements:
Accounts, Roles & GRANT changes
Failed Logins and other Exceptions
Privileged User Activity
Access to Sensitive Data (SELECTs)
Data Changes (INSERT, UPDATE, ...)
Schema Changes (DROP, ALTER)

Oracle Audit Vault: Threat Detection with Alerting

Efficient scanning
Inbound audit data scanning
Alerts can be defined for:
Directly viewing sensitive columns
Creating users on sensitive systems
Role grants on sensitive systems
DBA grants on all systems
Failed logins for application users
...

10.1 Establish a process for linking all access to system components (especially access done with administrative privileges such as root) to each individual user.

Integration with Email / SMS / Remedy

FRM: Audit Vault
SUBJ: Audit Vault Alert : Create User
MSG: Create User occurred On PAYROLL.ORACLE.COM @ 02-Oct-09 11:07:10 AM

Oracle Identity Management and PCI Compliance
1.1.4 Description of groups, roles, and responsibilities for logical management of
network components
7.1.2 Assignment of privileges is based on individual personnel's job classification
and function
7.1.3 Requirement for an authorization form signed by management that
specifies required privileges
7.1.4 Implementation of an automated access control system
7.2 Establish an access control system for systems components with multiple
users that restricts access based on a user's need to know, and is set to deny all
unless specifically allowed.
8.1 Assign all users a unique ID before allowing them to access system
components or cardholder data.
8.5.1 Control addition, deletion, and modification of user IDs, credentials and
other identifier objects.

8.5.2 Verify user identity before performing password resets.
8.5.3 Set first-time passwords to a unique value for each user and change
immediately after the first use.
8.5.4 Immediately revoke access for any terminated users.
8.5.5 Remove/disable inactive user accounts at least every 90 days.
8.5.6 Enable accounts used by vendors for remote maintenance only during the time
period needed.
8.5.9 Change user passwords at least every 90 days.
8.5.10 Require a minimum password length of at least seven characters.
8.5.11 Use passwords containing both numeric and alphabetic characters.
8.5.12 Do not allow an individual to submit a new password that is the same as any of
the last four passwords he or she has used.

Oracle Identity Management: Policy based Provisioning

[Diagram labels: New Employee; New Contractor; HRMS; Self Registration; Oracle Identity Manager (Reconciliation Engine, Identity Store, Role, Access Policy, Approval, Workflow, Connector); Provisioned Applications]

7.1.2 Assignment of privileges is based on individual personnel's job classification and function
8.5.3 Set first-time passwords to a unique value for each user and change immediately after the first use.

Oracle Identity Management: Automated De-Provisioning

[Diagram labels: Terminated Employee; HRMS; Oracle Identity Manager (Reconciliation Engine, Identity Store, Provisioning Workflow, Connector); Revoked Applications; Manual Task: Revoked Cell Phone]

Oracle Identity Management: Self-Service Administration

Self-Service: User doing password reset
Delegated Administration: Manager assigning proxy user

Self Service Password Reset and Profile Management
Self Service Role, Account and Entitlement Requests
Delegated Administration

Oracle Access Management and PCI Compliance
7.1.2 Assignment of privileges is based on individual personnel's job classification and
function
7.1.4 Implementation of an automated access control system
7.2 Establish an access control system for systems components with multiple users
8.2 In addition to assigning a unique ID, employ at least one of the following methods
to authenticate all users:
Password or passphrase
Two-factor authentication (for example, token devices, smart, or public keys)
8.5.9 Change user passwords at least every 90 days.
8.5.10 Require a minimum password length of at least seven characters.

8.5.11 Use passwords containing both numeric and alphabetic characters.
8.5.12 Do not allow an individual to submit a new password that is the
same as any of the last four passwords he or she has used.
8.5.13 Limit repeated access attempts by locking out the user ID after not more
than six attempts.
8.5.14 Set the lockout duration to a minimum of 30 minutes
8.5.15 If a session has been idle for more than 15 minutes, require the
user to re-enter the password to reactivate the terminal.

Access Management Suite

AuthN mngt & SSO
Coarse and Fine Grained AuthN
Centralized Policy and Entitlements Management
Fraud detection & Software Strong AuthN
Strong Authentication
Real-time Fraud Prevention
Forensics Case Management
Security for SOA & Web Services
SOA Security
Runtime SOA Governance
Distributed policy enforcement through agents and gateways
SSO for Desktop & Mainframe Clients
Enterprise SSO
Self-service Password Reset
Support for Kiosk and Cloud Architectures

8.5.11 Use passwords containing both numeric and alphabetic characters.
8.5.12 Do not allow an individual to submit a new password that is the same as any of the last four passwords he or she has used.
8.5.13 Limit repeated access attempts by locking out the user ID after not more than six attempts.

Configuration and Patch Management

Patch multiple installations with multiple patches in a single window
Support patching of Clusterware, ASM, Database, EBiz suite, Operating Systems
Zero-downtime Rolling patching of RAC clusters
Support Software Library for Release Mgmt
Flexible error handling, retry and rollback
Generate advisories based on:
Critical patch updates
Incident (SR) based one-off recommendations
Knowledge driven recommendations
Rich Healthchecks and Policies
Community information (from tens of thousands of customers)
Advisories are ranked based on criticality

[Diagram labels: Advise, Plan, Verify, Implement]

The problem IRM solves

Confidential documents and emails are moderately secure while stored (unused) within folders, inboxes and repositories
But when used, thousands of copies are stored on desktops, laptops, wireless devices, USB drives, CDs/DVDs inside and outside your organization!
How do you:
Secure all the copies, and audit access to them?
Prevent copies being forwarded (or edited) inappropriately?
Protect your confidential information within your customers, partners and suppliers?
Revoke access to confidential information, when projects end or employees leave?

How Oracle IRM works

Unique, distributed rights management architecture
Patented architecture distributes rights management between centralized server and desktop agents
Enabling rapid centralized revocation of rights and up-to-date audit trail while preserving transparent mobile (offline) access to sealed information
Classification-based rights management enables use of sealed (encrypted) information at enterprise scale

Contexts, users, roles, and documents

Context: L2 Executive Management 2010
Roles: Contributor, Reviewer, Reader, Reader (no print)
[Other diagram labels (documents and users, in page order): Sales direction; Q3 Figures.sxls; 2008 Business Plan.sppt; CFO; ACME competitive review.sdoc]

Context: L3 Company Announcements 2010
Roles: Contributor, Reviewer, Reader, Reader (no print)
[Other diagram labels (documents and users, in page order): Recent successes; Sales manager comp plans.sxls; HR Director; Health+Safety Exec.sdoc; Contract terms.spdf; All Employees]

Basic IRM Deployment Architecture

[Diagram labels: zones External Networks, DMZ (or Intranet), Corporate Network; Firewall (shown three times); Internal User; External User; IRM Server; Database Server; Load balancer; LDAP Server; Web Services]
