SECURING DATA AT THE SOURCE: A GUIDE TO ORACLE DATABASE SECURITY

Security Inside Out

Secure Data At The Source. Save Time And Money.

Table of Contents
Introduction
Database Encryption and Masking
Access and Authorization
Auditing and Monitoring
Looking Ahead

Introduction

Over the past few years, ensuring the security of information and data has become both more challenging and more important. In part, this shift is due to the ever-growing role of electronic data in business and the unprecedented amounts of transaction, personal, and financial data—much of it confidential and regulated—that is being generated and stored by corporations and government agencies. Indeed, according to IDC, the universe of stored data will expand to 1,800 exabytes by 2012. As this growth continues, there is a growing range of threats targeting that data. Meanwhile, keeping data secure has quickly grown from a technology challenge to a key business issue with broad strategic implications—and that has put growing pressure on IT professionals to keep data safe and secure.

External threats have evolved from being primarily hackers looking for notoriety to being highly organized criminals looking for financial gain. Stolen sensitive information—such as addresses and credit card and social security numbers—can be sold on the black market or used in spamming campaigns, identity theft, credit card fraud, and the distribution of malicious software. In a recent study of 90 confirmed data breaches in 2008, the Verizon Business Risk security team found that 285 million records were lost in those attacks—and the team reports that 91 percent of those compromised records could be attributed to organized criminal activity. And unlike hackers, criminals want to stay below the radar, making their attacks all the more difficult to detect.

As Rich Mogull, founder of the Securosis research and analysis firm, recently noted, “We need to acknowledge that threats have changed, from noisy to quiet, from the edge of the organization to the center. We also need to understand that attackers’ motivations have changed—web site defacement isn’t the goal, fraud and data theft are.”

But companies need to consider insider threats as well. Often, these come in the form of accidents or failures to follow security policy. Recent research from the Ponemon Institute found that employee compliance with company security policies is actually declining. “Employees routinely engage in activities that put sensitive data at risk,” writes Dr. Larry Ponemon, chairman of the institute. Such activities include downloading data onto unsecured mobile devices, losing laptops and other devices, sharing passwords, and turning off security tools on mobile devices. Writes Ponemon: “Interestingly, of those surveyed, 58 percent said their employer failed to provide adequate data security awareness and training, and 57 percent said their employer’s data protection policies were ineffective.”

But insider threats can be malicious as well, and come from disgruntled workers or employees seeking personal gain. At times, insider attacks make headlines, such as the FBI’s 2008 arrest of a former Countrywide Financial Corp. employee for alleged involvement in the theft of some 2 million customer records. But the Privacy Rights Clearinghouse, which maintains a list of breaches, shows numerous smaller attacks at corporations, universities, and government agencies. These breaches may involve only hundreds or tens of thousands of people, but to the organizations and individuals who are victimized, they are very serious just the same. An IDC survey found that 52 percent of large companies had terminated employees or contractors for internal security violations, and 80 percent of very large organizations—those with more than 10,000 employees—had done so. Regardless of the motivation behind internal data breaches, organizations can no longer ignore the security threat posed by people who are actually authorized to access systems at some level.

The cost of failing to secure data is high, and getting higher. Data breaches can lead to administrative costs and, of course, individual or class-action lawsuits from consumers. Compliance, too, can be a costly and growing issue: Companies are liable to run afoul of a growing range of regulations—such as Sarbanes-Oxley, the Health Insurance Portability and Accountability Act, Basel II, Financial Instruments and Exchange Law, and the EU Directive on Privacy and Electronic Communications in Europe—which require organizations to implement measures to protect sensitive information and monitor access to that information. The impact on the business from data losses can be deep, and it can be far-ranging in terms of damaged reputation and reduced customer loyalty. In research from the Chief Marketing Officer Council, more than half of the surveyed consumers said that they would strongly consider or definitely take their business elsewhere if their personal information were compromised. The same held true with business-to-business relationships, with about half of surveyed executives saying they would consider or would recommend taking their business elsewhere if a business partner experienced a security breach that compromised their data.

The ramifications of a data breach add up quickly. Looking at the total picture, including legal and administrative costs, damaged reputation, and lost opportunity, the average per-incident cost for a data breach is now $6.65 million, according to the Ponemon Institute. And the high price of low security is not lost on investors: According to Emory University researchers, a company loses anywhere from 0.63 percent to 2.1 percent in its stock price when a breach is reported. Security, then, has become an issue in the executive suite as well as in the data center.

Protecting Data Where It Lives

These issues and costs have prompted greater attention to security in corporations—and in particular, they have highlighted the need for rigorous security at the database level. Traditionally, security efforts have focused on the perimeter of the corporate network, and companies have implemented firewalls, VPNs, and antivirus and antispam software to try to keep intruders out. These controls are important, but they are really just a first line of defense—and ultimately not enough in an age of growing security threats.

Today, several factors have been contributing to the need to extend security back from the network perimeter to the database. One factor is the internal threat discussed above, which by definition defeats that line of defense on the perimeter. Another is changing technology and the proliferation of data—and especially, sensitive data—across numerous platforms and channels, which by nature create more ways for intruders to gain access. “Consider all the sensitive data that is out there,” says David Knox, a member of Oracle’s National Security Group and author of Effective Oracle Database 10g Security by Design. Social security numbers are housed in everything from old student information systems to employee records and government systems, credit card numbers are kept by retailers, banks, and other organizations, and healthcare data can be found across innumerable medical offices and hospitals. In addition, data is shared across systems and organizational departments. Today, Knox says, “there are more applications that deal with some element of sensitive information in a typical enterprise IT environment than there are applications that are exempt from sensitive data.”

The evolution of business practices is also a factor. Today, a growing emphasis on collaboration with partners often means that outside parties have access to corporate networks via their extranets, which opens a potential avenue for attackers to work their way to the database level.

Similarly, outsourcing arrangements often mean that other companies have access to corporate systems and data—and that picture can become even more complicated when offshoring puts work into countries where partners may be working under different laws and regulations regarding data security. Indeed, in its research, the Ponemon Institute found that third-party organizations account for more than 44 percent of data breach incidents.

The solution to such challenges is to safeguard data where it lives—in the database. Today, database security is rapidly becoming a recognized best practice—but often, companies lag behind in this area. “Despite significant effort to protect enterprise databases, attack rates continue to rise across several industries, including financial services, retail, the public sector, education, and manufacturing,” notes a report from Noel Yuhanna, principal analyst at Forrester Research. “Today, attacks on enterprise databases are more sophisticated than ever, and many occur without enterprises being aware that an attack is taking place, especially in the case of internal attacks, which are the hardest to detect.” Advanced security measures that can help are available—but, reports Yuhanna, only 25 percent of surveyed enterprises are using those types of measures.

The Oracle Approach to Database Security

Oracle provides a comprehensive portfolio of database security solutions to ensure data privacy, protect against insider threats, and enable regulatory compliance—without requiring changes to existing applications. These solutions build on Oracle’s long history of innovation in the field. The industry firsts it has delivered include row-level access control, fine-grained auditing, transparent data encryption, and data masking. Today, Oracle solutions are used to protect a significant amount of data, with Oracle Database being used for 48.9 percent of the world’s databases.

Given the sophistication and variety of security threats facing businesses, most organizations know that effective security programs are typically based on multiple layers of preventive measures. Oracle’s database security options fall into three broad categories:

• Encryption and Masking, which includes Oracle Advanced Security, Oracle Secure Backup, and Oracle Data Masking Pack
• Access and Authorization, which includes Oracle Database Vault and Oracle Label Security
• Auditing and Monitoring, which includes Oracle Audit Vault, Oracle Total Recall, and Oracle Configuration Management Pack

These offerings are discussed in detail in the following chapters.

LEARN MORE
Seminar: Protecting Data at the Source with Oracle Database 11g Release 2
Demo: Oracle Database 11g Security and Compliance
Analyst Report: Oracle Database Security: Cost-Effective Data Leak Prevention Starts at the Source

Database Encryption and Masking

Security strategies have long relied on the encryption of information, but in recent years, with the rise of identity theft and criminal attacks targeting social security numbers, credit card numbers, and other sensitive information, the need for encryption has increased significantly. “Over the years, we’ve seen requirements to expand protection around critical data such as medical data, personal identifiable information, and credit card information,” says Gary Loveland, PricewaterhouseCoopers’ Advisory principal and security practice leader in the United States. “There is no doubt that in [the near future] even more data will need to be protected.” However, it is still common to find unencrypted data at many companies—and that data is at risk of being compromised. In a recent Independent Oracle User Group survey, only 21 percent of the respondents said that they encrypt personal information on all databases—and 37 percent said that they either have no encryption of such data, or that they aren’t sure whether or not they do.

Encryption at the database level can help protect data from unauthorized backdoor access by dishonest administrators and other insiders, and from operating system- and network-level attacks by outsiders. It also helps protect from media theft involving laptops, storage disks being removed for maintenance, and backup tapes. Encryption is important, but it doesn’t cover every situation. For example, encryption will not protect against unauthorized access to production data in nonproduction environments. By definition, administrators, developers, and others need to be able to access data in these environments. Overall, companies can address these security challenges with the capabilities provided by Oracle Advanced Security, Oracle Secure Backup, and Oracle Data Masking Pack.

Oracle Advanced Security

With Oracle Advanced Security, companies can transparently encrypt all application data or specific sensitive columns. Being able to encrypt all application data efficiently is a big benefit to organizations in terms of keeping up with business needs and staying ahead of regulatory requirements.

Oracle Advanced Security Transparent Data Encryption (TDE) provides robust encryption solutions to safeguard sensitive data against unauthorized access at the operating system level, or through the theft of hardware or backup media. With a simple command or point-and-click interface, an administrator can encrypt sensitive data within an existing application table, such as credit card numbers, social security numbers, or personally identifiable information. Data is transparently encrypted when written to disk and transparently decrypted after an application user has successfully authenticated and passed all authorization checks. Authorization checks include verifying the user has the necessary select and update privileges on the application table and checking Database Vault, Label Security, and Virtual Private Database enforcement policies. Unlike most database encryption solutions, TDE is completely transparent to existing applications, and no triggers, views, or other application changes are required. Existing database backup routines will continue to work, with the data remaining encrypted in the backup.

To safeguard data in transit, Oracle Advanced Security provides an easy-to-deploy and comprehensive solution for protecting all communication to and from the Oracle Database, providing both native network encryption and SSL-based encryption. The Oracle Database can be configured to reject connections from clients with encryption turned off, or optionally allow unencrypted connections for deployment flexibility. By encrypting data at rest in the database—as well as when it leaves the database over the network or via backup media—Oracle Advanced Security provides a cost-effective solution for data protection.

Overall, Oracle Advanced Security lets companies:

• Protect all application data quickly and easily, with the ability to encrypt the entire tablespace or specific sensitive columns without making any changes to existing applications
• Take a comprehensive approach to encryption, with transparent encryption for Oracle database traffic, disk backups, and exports
• Achieve high levels of identity assurance, with support for PKI, Kerberos, and RADIUS-based strong authentication solutions
• Manage costs, with the ability to leverage complete built-in encryption key lifecycle management, including integration with industry-leading Hardware Security Modules (HSM) or other enterprisewide key management solutions
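The column, tablespace and network encryption described above, as an added example that is not the guide's own material: the Oracle Database 11g-era SQL a DBA would run, followed by the dictionary checks that confirm each protection is actually in effect. The wallet password, the HR.EMPLOYEES table with its SSN column, the tablespace name and the datafile path are constructed assumptions.

```sql
-- Added example (not from the guide). Oracle Database 11g syntax; 12c and later
-- replace the ALTER SYSTEM SET ENCRYPTION statements with ADMINISTER KEY MANAGEMENT.
-- Assumes: ENCRYPTION_WALLET_LOCATION is already set in sqlnet.ora, the session
-- holds ALTER SYSTEM / ALTER TABLE privileges, and HR.EMPLOYEES has an SSN column.

-- 1. Create the master encryption key and open the wallet that protects it.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "WalletPassw0rd#";      -- placeholder password
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "WalletPassw0rd#";

-- 2. Encrypt one sensitive column in place. The table and column keep their
--    names and datatypes, so no trigger, view or application change is needed.
ALTER TABLE hr.employees MODIFY (ssn ENCRYPT USING 'AES256');
-- Use NO SALT only when the encrypted column must remain usable in a B-tree index:
-- ALTER TABLE hr.employees MODIFY (ssn ENCRYPT USING 'AES256' NO SALT);

-- 3. Alternatively, encrypt a whole tablespace and move the table into it, so every
--    column of every table stored there is encrypted on disk.
CREATE TABLESPACE secure_ts
  DATAFILE '/u01/oradata/ORCL/secure_ts01.dbf' SIZE 200M   -- constructed path
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);
ALTER TABLE hr.employees MOVE TABLESPACE secure_ts;

-- 4. Checks: wallet state, encrypted columns, encrypted tablespaces.
SELECT wrl_type, status FROM v$encryption_wallet;            -- STATUS should be OPEN
SELECT owner, table_name, column_name, encryption_alg, salt
  FROM dba_encrypted_columns;
SELECT t.name, e.encryptionalg, e.encryptedts
  FROM v$encrypted_tablespaces e
  JOIN v$tablespace t ON t.ts# = e.ts#;

-- 5. Data in transit: after SQLNET.ENCRYPTION_SERVER = REQUIRED is set in the
--    server's sqlnet.ora, the current session's banner lists an encryption service;
--    an empty result means this connection is not encrypted.
SELECT network_service_banner
  FROM v$session_connect_info
 WHERE sid = SYS_CONTEXT('USERENV', 'SID')
   AND network_service_banner LIKE '%ncryption service%';
```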

Oracle Secure Backup

Oracle Secure Backup provides an integrated, easy-to-use backup solution that encrypts data to tape to safeguard against the misuse of sensitive data in the event that backup tapes are lost or stolen. It provides network tape backup for UNIX, Linux, Windows, and Network Attached Storage (NAS) file system data, as well as the Oracle Database. It enables Oracle Database-to-tape backup through integration with Oracle Recovery Manager (RMAN)—supporting versions Oracle9i to Oracle Database 11g—as well as file system data protection of local and distributed servers and policy-based tape backup management, and supports more than 200 different tape devices from leading vendors. With a low entry cost, Oracle Secure Backup is ideal for small and midsize businesses and large enterprises alike.

Oracle Secure Backup encrypts data during all stages of a backup. Encryption is performed before the data leaves the Oracle database, eliminating the risk of data being stolen while in transit to tape. For example, the data on tape is stored in encrypted form, to help ensure high levels of security. The Oracle Database then automatically decrypts backups during the restore process. Key pieces of Oracle Secure Backup functionality are embedded directly inside the Oracle Database engine, making it possible to achieve higher levels of security, performance, and ease of use.

Oracle Secure Backup’s client-server architecture enables centralized tape backup management of heterogeneous clients, servers, and tape devices from a single point called the Administrative Server. The Administrative Server maintains a tape backup catalog that houses metadata, configuration information, backup encryption keys, schedules, and user-defined policies. In addition, Oracle Secure Backup also features certificate-based authentication of host systems participating in a backup or restore to ensure that outside parties cannot impersonate an authorized host.

In terms of performance, Oracle Secure Backup provides very rapid backups to tape. Its tight integration with RMAN enables it to read the database block layout structure directly and optimize storage access. The solution typically performs backups 10 percent to 25 percent more quickly than comparable media management utilities, with up to 30 percent less CPU utilization. Overall, Oracle Secure Backup gives companies complete data protection for Oracle environments.

Companies can also take advantage of the Oracle Secure Backup Cloud module, which enables efficient Oracle Database backups to the Amazon Simple Storage Service (Amazon S3). This module is fully integrated with RMAN and Oracle Enterprise Manager, providing users with familiar interfaces for Cloud-based backups. It can be used to complement existing backup strategies and can be run independently of Oracle Secure Backup tape-management offerings. Such cloud-based backups offer reliability and virtually unlimited capacity that is available on-demand and requires no up-front capital expenditure.

Oracle Data Masking Pack

IT professionals often need to share data with other parts of the organization. For example, DBAs may need to make copies of production data available to in-house developers or offshore testers for their work. The problem is that such production copies often contain confidential, sensitive, or personally identifiable information that government regulations require companies to protect. In fact, the ability to “de-identify” sensitive data is an increasingly important element of data-privacy protection laws around the globe. Traditionally, DBAs have had to create and maintain custom scripts to mask data in each of their corporate databases—a method that is not scalable or truly auditable.

Oracle Data Masking, on the other hand, provides a central repository for common masking formats. Oracle Data Masking Pack ships with out-of-the-box mask formats for various types of sensitive data, such as credit card numbers, phone numbers, and national identifiers (social security number for U.S., national insurance number for U.K.). With Oracle Data Masking, sensitive information such as credit card or social security numbers can be replaced with realistic values, allowing production data to be safely used for development, testing, and staging, and shared with outsourcing or offshore partners for various nonproduction purposes. The solution uses an irreversible process to replace sensitive data, helping to ensure that the original data cannot be retrieved, recovered, or restored. Sensitive data never has to leave the database, and is kept out of nonproduction databases. It also provides a centralized approach to masking. Security administrators define the masking rules once, and then those rules are applied automatically every time the database administrator masks the database. Data masking capabilities let companies apply data privacy rules consistently to all sensitive data to help ensure compliance with regulations.

In addition, companies with specialized masking requirements can add user-defined mask formats to the collection of the mask formats, allowing them to use formats that are appropriate for their business or industry. Financial institutions, for example, often use complex algorithms to generate account numbers to prevent fraud. With user-defined formats, they can generate fictitious account numbers to replace the original data and still remain compliant with the security standard built into the account numbers.

Oracle Data Masking Pack is securely integrated with the database-cloning capabilities in Oracle Enterprise Manager. That means that in addition to the standalone masking process, database administrators can now add data masking to the database clone process by pointing the production database to a staging environment and specifying the masking definitions that need to be run after cloning. The solution also provides several options to allow administrators greater control over the masking process and to enable them to test and verify the integrity of the masking process before deploying it.

LEARN MORE
Podcast: Data Privacy Protection with PricewaterhouseCoopers
Database Security for Database and Security Administrators
Customer Snapshot: Dressbarn Relies on Oracle Advanced Security for PCI Compliance
Demo: Forrester Research Oracle Database 11g Security: Data Masking

Access and Authorization

Controlling access to information is fundamental to data security—and regulations and best practices alike require companies to have strong access and authorization controls. Not only do companies need to manage access for employees across the corporation to make sure the right people are using the right data, they must also work to control the access given to privileged users—in particular, database administrators—without limiting those users’ ability to perform their jobs. But this is an area that is not always well managed. In a recent Deloitte Touche Tohmatsu global security survey, “excessive access rights” was cited as the primary internal or external audit finding over the last year, and “unauthorized access to personal information” was cited as the top concern in terms of ensuring data privacy. Together, the Oracle Database Vault and Oracle Label Security options can help companies meet those challenges.

Oracle Database Vault

Today, a number of regulations require companies to maintain internal controls to protect sensitive information, such as financial, health, and credit card records, from unauthorized access and modification. Oracle Database Vault helps companies comply with those requirements with strong controls designed to protect data against threats from insiders. Oracle Database Vault offers Realms, Rules, and Factors features, which work together inside the database to restrict access from even the most powerful users without interfering with the normal day-to-day database administration. Realms can be defined and placed around an entire application or set of tables. For example, a database administrator who can manage all the application databases can be restricted from actually reading the data stored in those databases. Or, an HR application user who has full access to the HR application database can be prevented from accessing data in the financial application database if those two databases are defined as different realms. The ability to prevent privileged users from accessing data outside of their authorized area is increasingly critical because many companies are consolidating application databases on the same database server as they search for ease of management and lower total cost of ownership.
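The realm around an application schema described above, together with the "no changes during production hours" rule, as an added example that is not the guide's own code: a Database Vault realm around a constructed HR schema, and a command rule bound to a time-of-day rule set, written against the DBMS_MACADM API with its Oracle Database 11g-era signatures. The realm, rule, schema and account names are assumptions; Database Vault must already be installed and the statements run as the Database Vault owner account.

```sql
-- Added example (not from the guide). Assumes Oracle Database 11g with Database
-- Vault enabled, run as the DV owner (DV_OWNER role). HR, HR_APP and all names below
-- are constructed.

-- 1. Realm: every table owned by HR is inside it. A DBA holding SELECT ANY TABLE
--    is still stopped at the realm boundary; only realm participants get through.
BEGIN
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'HR Application Realm',
    description   => 'Keeps privileged users outside HR away from HR data',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);   -- record blocked attempts
  DBMS_MACADM.ADD_OBJECT_TO_REALM('HR Application Realm', 'HR', '%', 'TABLE');
  -- HR_APP (the application account) may use its privileges on realm objects.
  DBMS_MACADM.ADD_AUTH_TO_REALM('HR Application Realm', 'HR_APP', NULL,
                                DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);
END;
/

-- 2. Rule set that passes only outside production hours (08:00 to 17:59 is blocked).
BEGIN
  DBMS_MACADM.CREATE_RULE('Outside Production Hours',
    'TO_NUMBER(TO_CHAR(SYSDATE, ''HH24'')) NOT BETWEEN 8 AND 17');
  DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'Maintenance Window',
    description     => 'DDL against HR tables only outside production hours',
    enabled         => DBMS_MACUTL.G_YES,
    eval_options    => DBMS_MACUTL.G_RULESET_EVAL_ALL,
    audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
    fail_options    => DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => 'Schema changes to HR are not allowed during production hours',
    fail_code       => -20001,
    handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);
  DBMS_MACADM.ADD_RULE_TO_RULE_SET('Maintenance Window', 'Outside Production Hours');

  -- 3. Command rule: ALTER TABLE on any HR table is allowed only when the rule set passes,
  --    whoever issues it, so a new DBA upgrading at the wrong time is blocked.
  DBMS_MACADM.CREATE_COMMAND_RULE(
    command       => 'ALTER TABLE',
    rule_set_name => 'Maintenance Window',
    object_owner  => 'HR',
    object_name   => '%',
    enabled       => DBMS_MACUTL.G_YES);
END;
/

-- 4. Checks: what Database Vault now enforces, and what it has blocked.
SELECT name, enabled FROM dvsys.dba_dv_realm
 WHERE name = 'HR Application Realm';
SELECT owner, object_name, object_type FROM dvsys.dba_dv_realm_object
 WHERE realm_name = 'HR Application Realm';
SELECT command, rule_set_name, object_owner, object_name, enabled
  FROM dvsys.dba_dv_command_rule
 WHERE object_owner = 'HR';
-- Realm and rule-set violations are written to the Database Vault audit trail.
SELECT username, action_name, rule_set_name, returncode
  FROM dvsys.audit_trail$
 ORDER BY timestamp DESC;
```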

Meanwhile, Rules and Factors significantly tighten application security by limiting who can access which databases, data, and applications, and when and how they can access them. Multiple factors, such as time of day, IP address, application name, and authentication method, can be used in a flexible and adaptable manner to enforce authorization requirements. For example, if company policy mandates no changes to databases during production hours, and a new DBA tries to do an upgrade at the wrong time, Database Vault can block that action or require that a second DBA be present in order to make such a change. Overall, such multifactor control helps prevent unauthorized ad hoc access and application bypass.

In addition, Oracle Database Vault provides powerful separation of duty controls, offering three distinct out-of-the-box responsibilities for security administration, account management, and resource management. For example, the solution blocks a DBA with the “create user” privilege from creating a new user if he or she doesn’t have the proper responsibility. The resource administration responsibility can be further subdivided into backup, performance, and patching responsibilities. Or, responsibilities can be consolidated. This lets companies create policies specific to their needs.

Because Oracle Database Vault runs inside the Oracle Database, it does not require changes to existing applications. Moreover, multiple policies can reside in the same database, making it easy to create policies for different applications in a consolidated environment. Oracle provides certified customizable Oracle Database Vault policies for Oracle E-Business Suite, Oracle PeopleSoft, Oracle Siebel CRM, and Oracle JD Edwards applications to help companies deploy quickly.

Oracle Label Security

Oracle Label Security is the industry’s most advanced label-based access control product. It gives companies a powerful and easy-to-use tool for classifying data and mediating access to data based on the data’s classification. Traditional controls focus on roles or stop at the object level—a company would be able to control, for example, a user’s access to a customer table, but not to specific subsets within the table. Oracle Label Security extends database security authorization by enabling powerful row-level access controls in the Oracle Database using data sensitivity labels. It allows administrators to classify every row in a table, essentially assigning a data label to each row, so that only those with the right clearance can access sensitive data. Label Security provides an easy-to-use policy-based administration model.

Oracle Label Security was originally designed to meet the high-security requirements of government and defense organizations. Such organizations typically use the solution for multilevel security—that is, to compartmentalize access to “sensitive” and “highly sensitive” data stored in the same application table. Commercial organizations can use data labels to compartmentalize data in order to control access to regulatory data and enforce need-to-know policies, and to enhance security in multi-tenancy databases and hosting and software-as-a-service arrangements. It provides a policy-based administration model that enables organizations to establish custom data-classification schemes for implementing “need to know” access for their applications. Oracle Label Security also integrates with Oracle Identity Management, enabling centralized management of policy definitions. Labels can be used as factors within Oracle Database Vault for multifactor authorization policies.

Oracle Label Security enables organizations to:

• Restrict access to individuals with the appropriate clearance.
• Enforce regulatory compliance.
• Leverage labels flexibly.

LEARN MORE
Podcast: Protecting Your Databases Against Cyber-Espionage
Demo: Forrester Research Oracle Database 11g Security: Access Control
Oracle Database Vault: Privileged User and Multi-Factor Controls
Seminar: Rich Mogull on Enforcing Separation of Duties for Database and Security Administrators
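The "sensitive" versus "highly sensitive" compartmentalization of rows in one application table described above, as an added example that is not the guide's own code: an Oracle Label Security policy with two levels, applied row by row to a constructed HR.EMPLOYEES table, so that a user cleared only for Sensitive never sees the Highly Sensitive rows. The policy, level, label, table and user names are assumptions; Oracle Label Security must be installed and enabled, and the administrative calls run as LBACSYS or a user holding the HR_POL_DBA role that the policy creates.

```sql
-- Added example (not from the guide). Oracle Label Security on Oracle Database 11g.
-- Assumes: OLS enabled; run as LBACSYS (or a holder of HR_POL_DBA once the policy
-- exists); users ANALYST, HR_OFFICER and HR_SECADMIN exist and have SELECT/UPDATE
-- on HR.EMPLOYEES. All names are constructed.

-- 1. Policy: adds a hidden ROW_LABEL column and enforces read and write control.
BEGIN
  SA_SYSDBA.CREATE_POLICY('HR_POL', 'ROW_LABEL', 'READ_CONTROL,WRITE_CONTROL,HIDE');
END;
/

-- 2. Two levels (the number orders them) and one data label per level.
--    Rows carry the numeric label tag; the text is only for administrators.
BEGIN
  SA_COMPONENTS.CREATE_LEVEL('HR_POL', 1000, 'SENS',  'Sensitive');
  SA_COMPONENTS.CREATE_LEVEL('HR_POL', 2000, 'HSENS', 'Highly Sensitive');
  SA_LABEL_ADMIN.CREATE_LABEL('HR_POL', 1100, 'SENS',  TRUE);
  SA_LABEL_ADMIN.CREATE_LABEL('HR_POL', 2100, 'HSENS', TRUE);
END;
/

-- 3. Attach the policy to the table. Existing rows start with a NULL label and,
--    under READ_CONTROL, are visible only to users holding the FULL privilege,
--    so they are labelled in step 5 before anyone relies on the table.
BEGIN
  SA_POLICY_ADMIN.APPLY_TABLE_POLICY('HR_POL', 'HR', 'EMPLOYEES',
                                     'READ_CONTROL,WRITE_CONTROL', NULL, NULL);
END;
/

-- 4. Clearances: ANALYST may read up to SENS, HR_OFFICER up to HSENS.
--    HR_SECADMIN bypasses the policy (FULL) so it can label the rows.
BEGIN
  SA_USER_ADMIN.SET_USER_LABELS('HR_POL', 'ANALYST',    'SENS');
  SA_USER_ADMIN.SET_USER_LABELS('HR_POL', 'HR_OFFICER', 'HSENS');
  SA_USER_ADMIN.SET_USER_PRIVS('HR_POL', 'HR_SECADMIN', 'FULL');
END;
/

-- 5. As HR_SECADMIN: classify executives as Highly Sensitive, everyone else Sensitive.
UPDATE hr.employees
   SET row_label = CHAR_TO_LABEL('HR_POL', 'HSENS')
 WHERE job_id = 'AD_PRES';                        -- constructed selection
UPDATE hr.employees
   SET row_label = CHAR_TO_LABEL('HR_POL', 'SENS')
 WHERE row_label IS NULL;
COMMIT;

-- 6. Check from each session. Run as ANALYST the result contains only the SENS
--    group; run as HR_OFFICER it contains both groups. Nothing in the application
--    SQL changed: the policy filters rows below the statement.
SELECT LABEL_TO_CHAR(row_label) AS sensitivity, COUNT(*) AS rows_visible
  FROM hr.employees
 GROUP BY LABEL_TO_CHAR(row_label);
```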

Auditing and Monitoring

Security threats continue to shift and grow, and the use of technology continues to evolve—all of which means that the security landscape is constantly changing. Effective security cannot be accomplished with a “set it and forget it” approach—it requires continued vigilance and comprehensive monitoring of the state of security in the enterprise. In part, that means that companies need to be able to audit changes in the database, to see who altered what when in order to analyze problems, uncover suspicious activity, and comply with regulatory reporting requirements. Today, it is also increasingly important to monitor activity in real time, so that the company can detect unauthorized access and act quickly to avoid problems or minimize their impact. And finally, companies need to assess their potential vulnerabilities during deployment and ongoing database operations. This is key to working proactively, and heading off security problems before they start. To strengthen auditing and monitoring, companies can draw on the Oracle Audit Vault, Oracle Total Recall, and Oracle Configuration Management Pack options.

Oracle Audit Vault

Experts who have investigated data breaches have found that auditing can help detect problems early on, reducing the financial impact of the breaches. Oracle Audit Vault transparently collects and consolidates audit data, providing valuable insight into who did what to which data when—including privileged users who have direct access to the database. Oracle Audit Vault automatically collects audit data from Oracle, DB2, Sybase, and SQL Server databases. It consolidates this data in a secure and highly scalable audit warehouse, with access strictly controlled through the use of predefined administrative roles. It also leverages Oracle’s industry-leading database security and data warehousing technology for managing, storing, analyzing, and archiving large volumes of audit data securely. The solution enables proactive threat detection, with alerts that highlight suspicious activity across the enterprise. It continuously monitors inbound audit data, evaluating it against alert conditions.

Alerts can be associated with any auditable database event, including changes to application tables, role grants, and privileged user creation on sensitive systems. The solution gives companies graphical summaries of the activities that are causing alerts. Oracle Audit Vault also offers simplified, out-of-the-box compliance reporting. It gives companies standard audit-assessment reports covering privileged users, account management, roles and privileges, object management, and system management. Companies can define parameter-driven reports that show user log-in activity across multiple systems and within specific time periods, such as weekends. The solution also provides an open audit warehouse schema that can be accessed from Oracle BI Publisher, Oracle Application Express, or third-party reporting tools.

Today, IT security personnel work with auditors to define audit settings on databases and other systems to meet both compliance requirements and internal security policies, but doing so in a secure manner has traditionally been a difficult and inefficient process. With the solution, database audit settings are centrally managed and monitored from within Oracle Audit Vault. Oracle Audit Vault lets companies provision and review audit settings in multiple Oracle databases from a central console, reducing the cost and complexity of managing audit settings across the enterprise.

Oracle Audit Vault helps companies:
• Simplify compliance reporting, with the ability to easily analyze audit data and take action in a timely fashion using out-of-the-box or custom reporting
• Detect threats more effectively, with the ability to quickly and automatically identify unauthorized activities that violate security and governance policies, and to thwart perpetrators who try to cover their tracks
• Lower IT costs, with the ability to centrally manage audit settings across all databases

With these capabilities, organizations are in a much better position to enforce privacy policies, guard against insider threats, and address regulatory requirements.
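The events the text says alerts are built on (account creation, role grants, changes to application tables, activity on weekends) start life as audit records in the source database. As an added example, not from the Oracle guide and not Audit Vault’s own interface, the following shows the standard Oracle database audit settings that produce those records and a detection query of the kind an Audit Vault alert or report would encode. It assumes the source database runs with AUDIT_TRAIL set to DB,EXTENDED (so SQL_TEXT is recorded), a user holding AUDIT SYSTEM and SELECT on DBA_AUDIT_TRAIL, and a constructed sensitive table HR.SALARIES.

```sql
-- Added example (not from the Oracle guide). Assumes AUDIT_TRAIL=DB,EXTENDED,
-- a user with AUDIT SYSTEM and SELECT on DBA_AUDIT_TRAIL, and a constructed
-- table HR.SALARIES standing in for a sensitive application table.

-- 1. Audit the privileged-user actions the text names.
AUDIT CREATE USER;          -- new database accounts
AUDIT ALTER USER;           -- password / profile / status changes
AUDIT ROLE;                 -- CREATE, ALTER, DROP and SET ROLE
AUDIT SYSTEM GRANT;         -- GRANT/REVOKE of system privileges and roles
AUDIT ALTER, DELETE, INSERT, UPDATE ON hr.salaries BY ACCESS;  -- table changes

-- 2. Detection: account creation or role/privilege grants on weekends.
--    This is the source-side view of the "privileged activity on weekends"
--    alert; useful for verifying that the trail Audit Vault collects actually
--    contains the expected rows.
SELECT extended_timestamp AS when_done,
       username           AS actor,
       os_username,
       userhost,
       action_name,
       grantee,
       obj_name,
       returncode,        -- 0 = succeeded; non-zero = failed attempt, also worth seeing
       sql_text
  FROM dba_audit_trail
 WHERE action_name IN ('CREATE USER', 'ALTER USER', 'CREATE ROLE',
                       'GRANT ROLE', 'SYSTEM GRANT', 'GRANT OBJECT')
   AND TO_CHAR(extended_timestamp, 'DY', 'NLS_DATE_LANGUAGE=ENGLISH') IN ('SAT', 'SUN')
 ORDER BY extended_timestamp DESC;

-- 3. Detection: who changed the sensitive table, and from where.
SELECT extended_timestamp, username, userhost, action_name, sql_text
  FROM dba_audit_trail
 WHERE owner = 'HR' AND obj_name = 'SALARIES'
   AND action_name IN ('ALTER TABLE', 'INSERT', 'UPDATE', 'DELETE')
 ORDER BY extended_timestamp DESC;

-- 4. Integrity check: someone covering their tracks deletes trail rows, which
--    shows up as a hole in an otherwise continuous daily record count.
SELECT TRUNC(timestamp) AS audit_day, COUNT(*) AS records
  FROM dba_audit_trail
 WHERE timestamp >= SYSDATE - 30
 GROUP BY TRUNC(timestamp)
 ORDER BY audit_day;
```

Step 4 is the reason the text stresses moving the records into a separate, consolidated warehouse: a local DBA can delete from the local trail, but cannot reach copies already collected elsewhere, so the gap is visible when the two are compared.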

Oracle Total Recall

Today, companies need to retain historical data for long periods of time in order to comply with various regulations. In addition, many recognize the potential value that such historical data holds in terms of enabling the analysis of problems and the understanding of market trends and customer behavior. As a result, they are keeping such data for even longer than regulations demand. Doing all of this in a secure manner, however, has traditionally been a difficult and inefficient process.

Oracle Total Recall addresses that problem by allowing historical data to be kept inside the database very efficiently—and by enabling the instant access to historical data needed to conduct various analyses. Based on Flashback Data Archive, it lets companies transparently track changes to database table data in a highly secure and efficient manner. Oracle Total Recall can be used to support internal auditing, human-error correction, and regulatory compliance processes. Overall, the solution provides:
• Efficiency of performance and storage. The capture process minimizes performance overhead, and historical data is stored in compressed form to reduce storage requirements.
• Complete protection from accidental or malicious update. No one—not even administrators—can update historical data directly, because that data is stored in the database itself.
• Automated ongoing historical data management. There is no limit on the time period for storing historical data; the solution can handle any retention period the business requires. Oracle Database 11g automatically enforces rules and sends problem alerts when needed to minimize administrator intervention.

Oracle Total Recall is easy to configure and implement. Administrators can enable historical data capture for one table or all tables in a database with a simple “enable archive” command. In addition, the solution requires no application changes or special interfaces, with the ability to query data as of any point in time in the past through the use of standard SQL statements. And the solution provides real-time access to historical archives. Overall, Oracle Total Recall is designed to be easily managed and make the most efficient use of all related resources, including CPU, storage, and administrator time. And it eliminates the need for third-party or custom solutions in the management of historical data.
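The “enable archive” step and the point-in-time queries described above, as an added example that is not part of the Oracle guide: Flashback Data Archive is switched on for one table, an ordinary update is made, and the prior state and full version history are read back with standard SQL. The tablespace FDA_TS, the archive name FDA_7YR and the table HR.ACCOUNTS are assumptions for the example; the statements themselves are the Oracle Database 11g Flashback Data Archive syntax.

```sql
-- Added example (not from the Oracle guide). Assumes Oracle Database 11g, a
-- user with the FLASHBACK ARCHIVE ADMINISTER privilege for step 1, and a
-- constructed table HR.ACCOUNTS in an existing tablespace FDA_TS.

-- 0. Constructed application table.
CREATE TABLE hr.accounts (
  account_id NUMBER PRIMARY KEY,
  balance    NUMBER
);
INSERT INTO hr.accounts VALUES (42, 1500);
COMMIT;

-- 1. Create an archive with the retention period the business requires.
--    History older than the retention period is purged automatically.
CREATE FLASHBACK ARCHIVE fda_7yr
  TABLESPACE fda_ts
  QUOTA 10G
  RETENTION 7 YEAR;

-- 2. The "enable archive" step: turn on history capture for one table.
--    Application code is unchanged; every row version is now recorded.
ALTER TABLE hr.accounts FLASHBACK ARCHIVE fda_7yr;

-- 3. A change made the way an application would make it.
UPDATE hr.accounts SET balance = balance - 500 WHERE account_id = 42;
COMMIT;

-- 4. Read the row as it stood before the change, using standard SQL.
SELECT account_id, balance
  FROM hr.accounts AS OF TIMESTAMP (SYSTIMESTAMP - INTERVAL '1' HOUR)
 WHERE account_id = 42;

-- 5. Every version of the row over the last day, with the operation and the
--    transaction id that produced it: the "who altered what when" record for
--    human-error correction or an internal audit.
SELECT versions_starttime, versions_operation, versions_xid, balance
  FROM hr.accounts
       VERSIONS BETWEEN TIMESTAMP (SYSTIMESTAMP - INTERVAL '1' DAY) AND MAXVALUE
 WHERE account_id = 42
 ORDER BY versions_starttime;

-- 6. The history cannot be altered directly. DDL that would destroy tracked
--    history is rejected with ORA-55610 even for administrators, e.g.:
-- DROP TABLE hr.accounts;

-- 7. Tracking is removed only by an explicit administrative statement,
--    which is itself an auditable event:
-- ALTER TABLE hr.accounts NO FLASHBACK ARCHIVE;
```

The query in step 5 is the one to run when validating a deployment: if it returns only the current version after a known update, capture was enabled on the wrong table or the archive is not associated, and the retention guarantee in step 1 is not actually covering that data.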

Oracle Configuration Management Pack

The Oracle Configuration Management Pack helps companies ensure that their database configurations are secure by automatically detecting, validating, and reporting on authorized and unauthorized configuration changes. To help track assets and uncover problems, this management pack collects deep configuration information for a range of components, including hardware, operating systems, databases, middleware, application server, and WebLogic server software. The pack can be used to support both Oracle and third-party IT components.

Oracle Configuration Management enables the proactive assessment of key compliance areas such as security, configuration, and storage to help companies identify vulnerabilities and areas where best practices are not being followed. The solution includes a built-in collection of more than 250 best practices based on industry standards for security and configuration management, which can be customized by administrators for their specific IT environment. In addition, companies can use compliance-reporting dashboards that convert continuous evaluation results into compliance scores and present them in at-a-glance views that highlight key indicators, provide the ability to drill down to details, and help decision makers track progress toward compliance over time.

A key part of this management pack is the Configuration Change Console, which provides real-time change detection and reporting, detecting and capturing any actions by users or applications that result in changes to the infrastructure. The console monitors a variety of areas, including files and directories, processes, server resources, user accounts, Oracle Database, and the network. With the console, no user input is requested or required to capture and document changes; the console automatically collects the required data.

In addition, the pack has a Critical Patch Update Advisory feature that alerts companies to critical patches issued by Oracle and immediately identifies those systems across the enterprise that may require the new patch. Companies can also use a patch wizard to automatically deploy the patch, helping to ensure that application databases are always up-to-date and protected.

By letting companies detect and prevent unauthorized changes more efficiently and effectively, the Oracle Configuration Management Pack helps ensure compliance with IT control frameworks such as Control Objectives for Information and related Technology (COBIT) and COSO “Internal Control—Integrated Framework” as required by Sarbanes-Oxley and similar global directives. By doing so, it helps them increase security, mitigate risk, and provide demonstrable control over the entire IT environment for governance and compliance.

Learn more:
• Podcast: Chase Paymentech Relies on Oracle Audit Vault for Security and Compliance
• Demo: Oracle Audit Vault: Database Audit and Activity Monitoring
• Demo: Database Vulnerability Assessment and Secure Configuration
• Seminar: Forrester Research, Oracle Database 11g Security: Activity and Configuration Monitoring

Looking Ahead

Database security is clearly a vital and challenging issue, and looking forward, the effort to “protect data where it lives” will play an increasingly vital role in an organization’s success. The sheer volume of sensitive data that needs to be protected continues to grow, as criminals step up efforts to tap into what is a very valuable asset. And threats posed by insiders and outsiders alike will only become more sophisticated. Compliance is likely to become increasingly challenging, as data privacy regulations—and fines for noncompliance—become more and more stringent, and companies need to be prepared for this reality.

At many organizations, however, there is considerable room for improvement on this front. For example, in a recent IOUG security survey:
• Only one out of four respondents said that all their databases are locked down against attacks.
• Most respondents said that they do not have mechanisms in place to prevent database administrators and other privileged database users from reading or tampering with sensitive information—and most said that they are unable to detect such incidents.
• Two out of five responding organizations said that they use actual production data in nonproduction environments, which typically puts that data in an unsecured setting.
• Responses indicated that one in four of the sites covered by the survey do not encrypt data within their databases, and nearly one in five were not sure whether such encryption takes place.

These types of gaps represent significant vulnerabilities—and the world is likely to be less and less forgiving of such lapses in the months and years to come. In short, database security “has already become a critical technical and business issue,” says Securosis founder Rich Mogull. “The risks around data security can be expected to keep growing and evolving to become ever-more challenging. That means that advanced, comprehensive security is only growing more important, and that companies will need to tighten control over the sensitive information held in their databases.”

Learn more:
• Podcast: Database Security for Database and Security Administrators
• Analyst Report: Forrester Research: Your Enterprise Security Strategy for 2010
• Blog: Security Inside Out
• Data Security Self-Assessment Tool

Copyright © 2009, Oracle and/or its affiliates. All rights reserved. Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.