Conf42 Golang 2025 - Online

- premiere 5PM GMT

Enhancing Data Protection with HSM Encryption: A Case Study of Securing 50 Oracle Databases

Abstract

Learn how implementing HSM encryption across 50 Oracle databases enhanced security and compliance. Explore the challenges, automation strategies, and seamless integration that ensured robust data protection and zero downtime. A must-see case study for scaling encryption in complex environments!

Transcript

This transcript was autogenerated. To make changes, submit a PR.
Hey. Hi. Good evening, everyone. This is Krishna again. I'm here to talk about my recent implementation, elevating security standards for my databases. I'm an Oracle database engineer, and I have almost 13 years of experience. I did a lot of encryption processes, and I recently implemented these hardware security modules, delivering military-grade encryption and regulatory compliance while maintaining system performance. Nowadays we are seeing a lot of security breaches and cyber threats happening, so encryption is more important for each and every company and each database. So here are the few things which we automated, and how we elevated the process and improved the databases with the help of this HSM encryption. If we go on to my project, the challenges which I faced, the solutions and the results: here I got an opportunity to implement these security standards for almost 50 databases. We started working on this for one database, on how to safeguard the data, like customer information, personal data, Social Security and healthcare information, which are all updated. The personal data, like home addresses, everything is there on the databases for the client details. So we want to safeguard that. We streamlined the process and the solution we deployed. We deployed hardware security modules with advanced encryption algorithms and a robust key management infrastructure. If we go on to the HSM encryption, the hardware security module includes stronger security, compliance with regulatory requirements, secure key management, performance, scalability, cloud and hybrid security, and protection of critical applications, which includes everything. That results in achieving comprehensive data security and full regulatory compliance while maintaining optimal system performance.
So with that, we improved system performance a lot, and where they're trying to access the data, it is also streamlined. If we jump on to how we streamlined the process which we implemented, the process to install and the project and everything, we automated everything. We automated the process to involve less downtime. So here are the hardware security modules, which I want to explain in detail. Tamper-resistant hardware: it is a pure physical security application with multilayered defenses that actively detect and respond to unauthorized physical and electrical intrusion attempts. After this implementation, what happens with the unwanted users who are able to access the data? For example, if you build any database in the company, there are default users which are created automatically in the databases with the security standards. So for any user, like all users with the employee information and the customer information who are members of the company, if they are a current member, the data will be stored. And if they are an old member, we will be locking that account, deactivating the account. Same with the employee information: deactivating that old employee information and storing the information in the IV database. We encrypted everything, and we data-masked the personal information, like credit card information and the payment process. We masked the data with the help of this encryption. So if we clone the data from prod to non-prod, the customer, the user, or the application developer cannot see the data, and data breaches can be halted with that. So we masked all the credit card information from prod to non-prod.
So, secure key management: we isolated the cryptographic processing environment, which safeguards the entire key life cycle. Whenever we implement the keys, which we store at the cybersecurity level, we store those keys in a cryptographic base. So no one cannot. We select more than 50 words to get the passwords. So it has to be a completely cryptographic algorithm, which automatically changes with the help of the cybersecurity keys. And it rotates automatically to avoid downtime and to keep the vaults safe. If we jump on to the next point, regulatory compliance, the data protection standards include GDPR. It means General Data Protection Regulation, which covers data collection and processing. And PCI DSS, the Payment Card Industry Data Security Standard; we follow that process. And HIPAA, it's healthcare: health insurance portability, the health insurance process and everything. The health insurance information, the HSA account, the PPO and everything, the process of the employee information: we stored the data to mask and secure that information also. It's an internal control for the financial report. It is mostly used by the audit team, for the audit databases, to audit who all are accessing the data and everything. So we follow the SOC standards and security controls for the audit logging. And performance optimization: here, specialized cryptographic processors accelerate encryption and decryption operations while freeing the database server resources, maintaining throughput even during intensive security operations. And with that, the performance of the databases has improved a lot after implementing this encryption.
So the connections, the sessions which are coming to the databases, have decreased, due to unwanted reports pulling and connecting to the databases without doing anything; they're just connecting to the databases and running something. So we disconnected all those connections with the help of this encryption. If we go on to the next slide, we have a few more topics on the technical implementation: how we prepare, configure, encrypt, validate and maintain. Here, the preparation: not all the databases were on the patch level. So initially we applied the latest patches for the security standard. We applied all the patches for all the databases. What we did initially was take one or two databases. We implemented manually for the first, and then we started doing all the scripting process. The configuration: we engineered a robust HSM-Oracle TDE integration channel with multi-layer authentication protocols. Encryption: deployed strategic encryption across tablespaces and sensitive data columns with minimal performance impact. Validate: executed rigorous encryption testing with third-party security experts to verify the protection. We have some third-party experts to test that encryption process, like how they're able to access the data. The maintenance: established automated key rotation schedules and comprehensive audit-ready management protocols. The rotation of the keys is very important. We need to update the current password every 90 days. So we automated those password rotations, and it was very helpful for us to do the process.
And here are the five phases which we implemented. With most of them, we went from some minimal downtime to zero downtime to implement this process. Here, we have to bounce the database multiple times, but with this minimal downtime, what we did for, we have most of the databases are like databases. So we did it in a no way. Single node. Single node. All the users and application users can access the data even though we are implementing this encryption process. And here are the TDE, transparent data encryption, integration challenges which we faced. Legacy compatibility: multiple database instances required critical version upgrades and patch applications before HSM integration could be implemented successfully. Most of the databases were on different versions. In Oracle, we have 11i to 19c, so we have upgraded all the databases to the latest version, 19c. And also we are thinking about implementing the newer version, 23ai. We are working on that. In future I'll be talking about those things also. Network configuration: establishing the secure encrypted communication channel between the Oracle databases and the HSM application demands complex routing rules and certificate-based authentication. Performance tuning: the initial encryption process triggered significant I/O latency across high-transaction systems, necessitating custom buffer configuration and tablespace optimization for TDE encryption. And key management: engineering a robust fault-tolerant process for master key backup, restore, and disaster recovery required meticulous plans and multi-layered safeguards. We are taking backups of the databases every day, so if there is any need, we are creating restoration points. Like every 15 minutes we are creating restoration points.
It depends upon the customer interest, and also we are taking the archive backups so they can pinpoint restore; they can do it anyway. With the help of this HSM encryption, we automated a lot of changes, so it'll be very helpful to restore the databases to where we want to go, like for the testing databases. They want to restore after they were testing multiple things. If they want to restore to 10 minutes before, we can do it easily, and there is no issue with the keys. And that HSM encryption helped us a lot. While we are doing the restoration promotion process, it'll help us to restore the database very easily and fast, and with that encryption there is no loss of data while we are doing this testing process for the testing databases. And automation: we did a lot of automation during this key process. Here, for custom scripts, we use Python and Bash scripting. Initially, we did this encryption process manually. Initially we need to install some software like a Luna client. My client usually uses the Luna client to store the keys. So they need to install the Luna client from the server to the HSM encryption vault. The cybersecurity team uses this Luna client to talk from the Luna client. It's a heartbeat. The encryption key issues this heartbeat from database to encryption. It is like a signal. It is a heartbeat, like a human heartbeat, similar to the HSM encryption. It's a heartbeat and connection between the database and the vaults. So Luna can help us to read the data and store and protect the data. So everything is automated after the Luna client installation.
During the manual process, we need to get the security team, HSM team, CyberArk team, network team, and me, the database. So we all need to work together for the step-by-step process. We streamlined the process with the help of shell scripting. So what we did, with one execution of the script, while we are in front of the computer monitoring, it'll prompt for whatever the person needs to enter, the passwords, and give access to the particular application team or the CyberArk team. It'll prompt for the CyberArk password there. If it's a password like the HSM encryption password, a keyword password, it'll come and request it from the teams. They need to just come and enter the password with the cryptographic algorithm password; all they need to do is one click saying that I'm granting the password. So only that guy can control it. They need to log in from their machine and they need to just give that one click. So we automated everything. We no longer need to be sitting in front of the computer with everyone available for the three-to-four-hour process; we streamlined the process. So, the monitoring system. Here, the real-time monitoring system: while the database is up and running, we did the encryption process where there's no impact for the application user while we are implementing this process. So we streamlined the process. Validation tools: after implementation, for validation, we developed a comprehensive testing framework that automatically verifies encryption integration and security compliance, eliminating potential human oversights. Documentation, regulatory: we documented everything. We built an intelligent documentation system that automatically produces audit-ready compliance reports tailored to each database's specific encryption parameters and configurations. Yeah, here is the key management workflow.
What we did in this workflow, if we go through it, is generation, distribution, usage, rotation, backups. Generation means HSM generation of cryptographic keys. When we do the step-by-step process, it'll generate the keys in the vault. We need to store those in tamper-resistant hardware using NIST-certified entropy sources and true random number generation. The distribution: encryption keys are securely propagated to Oracle wallets through automated channels with role-based database access control and multifactor authentication. The usage: TDE and HSM encryption, both the same. TDE leverages the keys for seamless encryption and decryption operations while maintaining optimal data performance. Rotation: we have automated this key rotation. Automated periodic rotation, information hygiene, and it mitigates the risk of long-term key compromise. And the backups. Here are the backups. We automated the key backups, and we physically store those keys; we are printing those keys in the vault room. For my client, they have a secure vault room. They usually store those keys there, like a bank vault. They store those keys physically every quarter. Every quarter they update the keys in the room so no one is able to access those keys. And the backups which we use are a comprehensive key escrow system with geographically dispersed, encrypted offline backups, for business continuity in the disaster recovery process. Yeah. Here is the performance impact. After implementing the HSM encryption, we do see a lot of improvement in the database performance, like the select operations.
We do get almost like the 50%, like 20% increase in the efficiency, and the response time and output of the select queries has increased with the help of HSM-based encryption. Write operations, insert and update: we have seen almost 40% improvement for these insert and update operations. All the data entering the tablespaces is encrypted with AES-256. We have altered all the tablespaces with AES-256 encryption after we implemented the databases. So all the tablespaces are encrypted, so the insert operations will run very fast, because a minimal number of connections are coming in, so it'll accept all of them. Insert, update, select queries: we streamlined the select queries, and we streamlined the process. The buffer gets and the RAM speed have increased. The performance of the RAM and everything at the server level has increased after implementing this HSM encryption. The delete operation has increased up to 30%, which were really while resort. Full table scan: if we see the execution plan before and after this HSM encryption, the execution plan of the queries has improved, and the performance has increased a lot, like I/O times and buffer gets. Before, we usually see a lot of the SQLs running around. For example, if it is running for 300 buffer gets, it is going down to 200 and a few. The performance of the CPU and I/O has increased by 30%. Here, comprehensive performance testing involved minimal overhead from the HSM-based TDE implementation. Operations experienced an average latency increase to 25 to 40%, with select queries least affected and update operations showing the highest impact. So the deployments have been completed so far.
So the application can do the testing very fast after the completion of their update and delete operations, and the downtime has been reduced for the weekend maintenance. The performance varies. The availability of the database and the availability of the application have increased. So encryption is more important for all the databases. Yeah. Compliance and benefits. I already talked about these things: the regulatory standards and corporate security audit improvements. PCI is about securing cardholder data with strong cryptography. GDPR is General Data Protection Regulation: implement state-of-the-art data protection measures. HIPAA: HIPAA Security Rule. This is PHI, the personal health insurance: confidentiality through encryption. SOX controls: maintain the integrity of the financial reporting system. Report security: mitigating data breach financial and regulatory impact, establish a robust intellectual property protection layer. Build client trust through demonstrated security and gain a security advantage through security excellence. The audit improvements: streamlined oversight with centralized key management. Enable regular security event monitoring and analysis, accelerate compliance verification with a clear audit trail, and demonstrate security governance to stakeholders. And if we go into the cross-team collaboration, the database team and I have collaborated with the security team, application team, infrastructure team and compliance team. We led the TDE architecture design, implemented secure database-level configuration changes, and conducted extensive performance optimization to minimize encryption overhead.
The security team established robust encryption standards, developed comprehensive key management policies, and performed regular penetration testing to validate the security implementation. If we go to the application team: they executed complete compatibility testing across all environments and applications, identified and resolved the encryption regulated keys, and implemented necessary code modifications for security integration. So here is the most important thing. We stored all of the data, right? For most of the data, we are upgrading from the old version to the latest version. So we worked with the application team to upgrade their application also, to access the current version of the data which we are implementing. The infrastructure team: HSM hardware procurement and deployment, configuring the secure network architecture, and establishing a high-availability infrastructure to ensure uninterrupted HSM services. The infrastructure team worked in the middle as we collaborated on everything. They helped us to build this HSM encryption streamlined process with less downtime. The compliance team: meticulously documented. We gave them all the steps to document the process. They documented the implementation against regulatory frameworks, provided compliance guidance throughout the project lifecycle, and prepared detailed, elevated packages for upcoming audits. If we go to the metrics of this implementation: I've implemented more than 50 plus databases, with comprehensive encryption deployed across all the production, development and testing environments. And uptime: maintained encrypted operations continuing seamlessly with negligible service interruption during this implementation. The most important thing we worked on is very little downtime, which we achieved with this streamlining and automation of these processes. And we safeguarded almost three terabytes for each database.
If we combine everything, it is almost 150 to 200 terabytes of data which we secured with this implementation of HSM. And the 30% audit time: reduced through streamlined compliance verification, automated key management and secure audit trails. With this implementation, we disconnected most of the unwanted, unused, read-only Econs. We eliminated all those Econs with this encryption. So the audit team, we have radio audit team validation. They were very happy about this implementation. Key takeaways and next steps, which we are elevating for these security standards. Enhanced security: deployed multi-grade HSM encryption across 50 databases and established a robust shield for mission-critical customer data assets. Scalable approach: leveraged custom automation frameworks to streamline encryption deployment, reducing implementation time by 60% while assuring security controls. Compliance achievement: sub process through regulatory requirements including PCI and GDPR, while maintaining sub query performance on critical systems. The future expansion: initiating the phase encryption with and. Quarterly cryptographic key rotation with zero-downtime architecture. And thank you so much for giving me this opportunity to talk on my hardware security module, which I recently implemented for my client. I'm very happy to present myself as a senior Oracle database administrator from LTIMindtree. Thank you for giving me this chance.
Krishna Anumula

Specialist - System Management @ LTIMindtree