SECURING DATA AT THE SOURCE: A GUIDE TO ORACLE DATABASE SECURITY

Security Inside Out

Secure Data At The Source. Save Time And Money.

Table of Contents

Introduction ........................................ 3
Database Encryption and Masking .................... 8
Access and Authorization .......................... 13
Auditing and Monitoring ........................... 16
Looking Ahead ..................................... 21

Introduction

Over the past few years, ensuring the security of information and data has become both more challenging and more important. Meanwhile, doing so has quickly grown from a technology challenge to a key business issue with broad strategic implications—and that has put growing pressure on IT professionals to keep data safe and secure. In part, this shift is due to the ever-growing role of electronic data in business and the unprecedented amounts of transaction, personal, and financial data—much of it confidential and regulated—that is being generated and stored by corporations and government agencies. Indeed, according to IDC, the universe of stored data will expand to 1,800 exabytes by 2012.

As this growth continues, there is a growing range of threats targeting that data. External threats have evolved from being primarily hackers looking for notoriety to being highly organized criminals looking for financial gain. Stolen sensitive information—such as addresses and credit card and social security numbers—can be sold on the black market or used in spamming campaigns, identity theft, credit card fraud, and the distribution of malicious software. In a recent study of 90 confirmed data breaches in 2008, the Verizon Business Risk security team found that 285 million records were lost in those attacks—and the team reports that 91 percent of those compromised records could be attributed to organized criminal activity.

“We need to acknowledge that threats have changed, from noisy to quiet, from the edge of the organization to the center,” as Rich Mogull, founder of the Securosis research and analysis firm, recently noted. “We also need to understand that attackers’ motivations have changed—web site defacement isn’t the goal; fraud and data theft are.” Unlike hackers, criminals want to stay below the radar, making their attacks all the more difficult to detect.

But companies need to consider insider threats as well. Often, these come in the form of accidents or failures to follow security policy. Recent research from the Ponemon Institute found that employee compliance with company security policies is actually declining. “Employees routinely engage in activities that put sensitive data at risk,” writes Dr. Larry Ponemon, chairman of the institute. Such activities include downloading data onto unsecured mobile devices, sharing passwords, losing laptops and other devices, and turning off security tools on mobile devices. Writes Ponemon: “Interestingly, of those surveyed, 58 percent said their employer failed to provide adequate data security awareness and training, and 57 percent said their employer’s data protection policies were ineffective.”

But insider threats can be malicious as well, and come from disgruntled workers or employees seeking personal gain. At times, insider attacks make headlines, such as the FBI’s 2008 arrest of a former Countrywide Financial Corp. employee for alleged involvement in the theft of some 2 million customer records. But the Privacy Rights Clearinghouse, which maintains a list of breaches, shows numerous smaller attacks at corporations, universities, and government agencies. These breaches may involve only hundreds or tens of thousands of people, but to the organizations and individuals who are victimized, they are very serious just the same. Regardless of the motivation behind internal data breaches, organizations can no longer ignore the security threat posed by people who are actually authorized to access systems at some level. An IDC survey found that 52 percent of large companies had terminated employees or contractors for internal security violations, and 80 percent of very large organizations—those with more than 10,000 employees—had done so.

In a recent study, more than half of the surveyed large companies have had to terminate employees or contractors for internal security violations.

The cost of failing to secure data is high, and getting higher. The impact on the business from data losses can be deep, and it can be far-ranging in terms of damaged reputation and reduced customer loyalty. In research from the Chief Marketing Officer Council, more than half of the surveyed consumers said that they would strongly consider or definitely take their business elsewhere if their personal information were compromised. The same held true with business-to-business relationships, with about half of surveyed executives saying they would consider or would recommend taking their business elsewhere if a business partner experienced a security breach that compromised their data. Data breaches can lead to administrative costs and, of course, individual or class-action lawsuits from consumers. Compliance, too, can be a costly and growing issue: Companies are liable to run afoul of a growing range of regulations—such as Sarbanes-Oxley, the Health Insurance Portability and Accountability Act, Basel II, Financial Instruments and Exchange Law, and the EU Directive on Privacy and Electronic Communications in Europe—which require organizations to implement measures to protect sensitive information and monitor access to that information.

The ramifications of a data breach add up quickly. Looking at the total picture, including legal and administrative costs, damaged reputation, and lost opportunity, the average per-incident cost for a data breach is now $6.65 million, according to the Ponemon Institute. And the high price of low security is not lost on investors: According to Emory University researchers, a company loses anywhere from 0.63 percent to 2.1 percent in its stock price when a breach is reported. Security, then, has become an issue in the executive suite as well as in the data center.

Protecting Data Where It Lives

These issues and costs have prompted greater attention to security in corporations—and in particular, they have highlighted the need for rigorous security at the database level. Traditionally, security efforts have focused on the perimeter of the corporate network, and companies have implemented firewalls, VPNs, and antivirus and antispam software to try to keep intruders out. These controls are important, but they are really just a first line of defense—and ultimately not enough in an age of growing security threats.

Indeed, several factors have been contributing to the need to extend security back from the network perimeter to the database. One factor is the internal threat discussed above, which by definition defeats that line of defense on the perimeter. Another is changing technology and the proliferation of data—and especially, sensitive data—across numerous platforms and channels, which by nature create more ways for intruders to gain access. “Consider all the sensitive data that is out there,” says David Knox, a member of Oracle’s National Security Group and author of Effective Oracle Database 10g Security by Design. Social security numbers are housed in everything from old student information systems to employee records and government systems, credit card numbers are kept by retailers, banks, and other organizations, and healthcare data can be found across innumerable medical offices and hospitals. Today, Knox says, “there are more applications that deal with some element of sensitive information in a typical enterprise IT environment than there are applications that are exempt from sensitive data.”

The evolution of business practices is also a factor. Today, data is shared across systems and organizational departments, which opens a potential avenue for attackers to work their way to the database level. In addition, a growing emphasis on collaboration with partners often means that outside parties have access to corporate networks via their extranets.

Similarly, outsourcing arrangements often mean that other companies have access to corporate systems and data—and that picture can become even more complicated when offshoring puts work into countries where partners may be working under different laws and regulations regarding data security. In its research, the Ponemon Institute found that third-party organizations account for more than 44 percent of data breach incidents.

The solution to such challenges, then, is to safeguard data where it lives—in the database. Indeed, database security is rapidly becoming a recognized best practice—but often, companies lag behind in this area. “Despite significant effort to protect enterprise databases, attacks on enterprise databases are more sophisticated than ever, and many occur without enterprises being aware that an attack is taking place,” notes a report from Noel Yuhanna, principal analyst at Forrester Research. Today, attack rates continue to rise across several industries, including financial services, retail, education, the public sector, and manufacturing, reports Yuhanna, especially in the case of internal attacks, which are the hardest to detect. Advanced security measures that can help are available—but only 25 percent of surveyed enterprises are using those types of measures.

The Oracle Approach to Database Security

Oracle provides a comprehensive portfolio of database security solutions to ensure data privacy, protect against insider threats, and enable regulatory compliance—without requiring changes to existing applications. These solutions build on Oracle’s long history of innovation in the field. The industry firsts it has delivered include row-level access control, transparent data encryption, fine-grained auditing, and data masking. Today, Oracle solutions are used to protect a significant amount of data, with Oracle Database being used for 48.9 percent of the world’s databases.

Oracle solutions are used to protect a significant amount of data, with Oracle Database being used for 44 percent of the world’s databases.

Given the sophistication and variety of security threats facing businesses, most organizations know that effective security programs are typically based on multiple layers of preventive measures. Oracle’s database security options fall into three broad categories:

• Encryption and Masking, which includes Oracle Advanced Security, Oracle Secure Backup, and Oracle Data Masking Pack
• Access and Authorization, which includes Oracle Database Vault and Oracle Label Security
• Auditing and Monitoring, which includes Oracle Audit Vault, Oracle Total Recall, and Oracle Configuration Management Pack

These offerings are discussed in detail in the following chapters.

LEARN MORE
Seminar: Protecting Data at the Source with Oracle Database 11g Release 2
Demo: Oracle Database 11g Security and Compliance
Analyst Report: Oracle Database Security: Cost-Effective Data Leak Prevention Starts at the Source

Database Encryption and Masking

Security strategies have long relied on the encryption of information, but in recent years, with the rise of identity theft and criminal attacks targeting social security numbers, credit card numbers, and other sensitive information, the need for encryption has increased significantly. “Over the years, we’ve seen requirements to expand protection around critical data such as medical data, personal identifiable information, and credit card information,” says Gary Loveland, PricewaterhouseCoopers’ Advisory principal and security practice leader in the United States. “There is no doubt that in [the near future] even more data will need to be protected.”

However, it is still common to find unencrypted data at many companies—and that data is at risk of being compromised. In a recent Independent Oracle User Group survey, only 21 percent of the respondents said that they encrypt personal information on all databases—and 37 percent said that they either have no encryption of such data, or that they aren’t sure whether or not they do.

Encryption at the database level can help protect data from unauthorized backdoor access by dishonest administrators and other insiders, and from operating system- and network-level attacks by outsiders. It also helps protect from media theft involving laptops, storage disks being removed for maintenance, and backup tapes. Encryption is important, but it doesn’t cover every situation. By definition, encryption will not protect against unauthorized access to production data in nonproduction environments. For example, developers, administrators, and others need to be able to access data in these environments. Overall, companies can address these security challenges with the capabilities provided by Oracle Advanced Security, Oracle Secure Backup, and Oracle Data Masking Pack.

Oracle Advanced Security

With Oracle Advanced Security, companies can transparently encrypt all application data or specific sensitive columns, such as credit card numbers, social security numbers, or personally identifiable information. Being able to encrypt all application data efficiently is a big benefit to organizations in terms of keeping up with business needs and staying ahead of regulatory requirements.

Data is transparently encrypted when written to disk and transparently decrypted after an application user has successfully authenticated and passed all authorization checks. Authorization checks include verifying the user has the necessary select and update privileges on the application table and checking Database Vault, Label Security, and Virtual Private Database enforcement policies.

Oracle Advanced Security Transparent Data Encryption (TDE) provides robust encryption solutions to safeguard sensitive data against unauthorized access at the operating system level, or through the theft of hardware or backup media. Unlike most database encryption solutions, TDE is completely transparent to existing applications, and no triggers, views, or other application changes are required. With a simple command or point-and-click interface, an administrator can easily encrypt sensitive data within an existing application table. Existing database backup routines will continue to work, with the data remaining encrypted in the backup.

To safeguard data in transit, Oracle Advanced Security provides an easy-to-deploy and comprehensive solution for protecting all communication to and from the Oracle Database, providing both native network encryption and SSL-based encryption. The Oracle Database can be configured to reject connections from clients with encryption turned off, or optionally allow unencrypted connections for deployment flexibility.

By encrypting data at rest in the database—as well as when it leaves the database over the network or via backup media—Oracle Advanced Security provides a cost-effective solution for data protection. Overall, Oracle Advanced Security lets companies:

• Protect all application data quickly and easily, with the ability to encrypt the entire tablespace or specific sensitive columns without making any changes to existing applications
• Take a comprehensive approach to encryption, with transparent encryption for Oracle database traffic, disk backups, and exports
• Achieve high levels of identity assurance, with support for PKI, Kerberos, and RADIUS-based strong authentication solutions
• Manage costs, with the ability to leverage complete built-in encryption key lifecycle management, including integration with industry-leading Hardware Security Modules (HSM) or other enterprisewide key management solutions
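The following is an added example, not taken from this guide, of what the "simple command" for column- and tablespace-level TDE looks like in Oracle Database 11g syntax, together with the dictionary views an auditor can use to confirm that encryption is actually in place. The schema HR, the tables EMPLOYEES and PAYROLL with their index PAYROLL_PK, the tablespace name, the data file path, and the wallet password are constructed placeholders.

```sql
-- Added example (not from the Oracle guide): Oracle Advanced Security TDE,
-- Oracle Database 11g syntax, run as SYSDBA. HR.EMPLOYEES, HR.PAYROLL,
-- PAYROLL_PK, the tablespace name, file path and wallet password are all
-- constructed placeholders for this illustration.

-- 1. Create and open the TDE master encryption key in the wallet (11g reads
--    the wallet location from ENCRYPTION_WALLET_LOCATION in sqlnet.ora).
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "WalletPassw0rd#";

-- Check the wallet is OPEN before touching application data: while it is
-- CLOSED, encrypted columns and tablespaces cannot be read at all.
SELECT wrl_type, status FROM v$encryption_wallet;

-- 2. Column-level TDE: encrypt one sensitive column of an existing table.
--    No triggers, views or application changes; SQL against HR.EMPLOYEES is
--    unchanged. Add NO SALT only if the column must stay indexable.
ALTER TABLE hr.employees MODIFY (ssn ENCRYPT USING 'AES256');

-- 3. Tablespace-level TDE: every segment created in this tablespace is
--    encrypted on disk, including indexes and LOBs stored in it.
CREATE TABLESPACE hr_secure_ts
  DATAFILE '/u01/app/oracle/oradata/ORCL/hr_secure_ts01.dbf' SIZE 200M
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

-- Move an existing table into the encrypted tablespace. ALTER TABLE ... MOVE
-- marks the table's indexes UNUSABLE, so rebuild them afterwards.
ALTER TABLE hr.payroll MOVE TABLESPACE hr_secure_ts;
ALTER INDEX hr.payroll_pk REBUILD;

-- 4. Verification queries: which columns and tablespaces are encrypted.
SELECT owner, table_name, column_name, encryption_alg, salt
  FROM dba_encrypted_columns;

SELECT tablespace_name, encrypted
  FROM dba_tablespaces
 WHERE tablespace_name = 'HR_SECURE_TS';

-- 5. Data in transit: with SQLNET.ENCRYPTION_SERVER = REQUIRED in the
--    server's sqlnet.ora, a session can confirm its own link is encrypted
--    from the network service banner (look for the encryption service line).
SELECT network_service_banner
  FROM v$session_connect_info
 WHERE sid = SYS_CONTEXT('USERENV', 'SID');
```

The rejection of unencrypted clients mentioned above is a server-side sqlnet.ora setting (SQLNET.ENCRYPTION_SERVER = REQUIRED, with the algorithm list in SQLNET.ENCRYPTION_TYPES_SERVER); ACCEPTED or REQUESTED instead of REQUIRED gives the "optionally allow unencrypted connections" behaviour the guide describes. The two dictionary queries in step 4 are the evidence a compliance reviewer should ask for rather than relying on the change having been run.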

Oracle Secure Backup

Oracle Secure Backup provides an integrated, easy-to-use backup solution that encrypts data to tape to safeguard against the misuse of sensitive data in the event that backup tapes are lost or stolen. Oracle Secure Backup gives companies complete data protection for Oracle environments. It enables Oracle Database-to-tape backup through integration with Oracle Recovery Manager (RMAN)—supporting versions Oracle9i to Oracle Database 11g—as well as file system data protection of local and distributed servers and policy-based tape backup management. It provides network tape backup for UNIX, Linux, Windows, and Network Attached Storage (NAS) file system data, as well as the Oracle Database, and supports more than 200 different tape devices from leading vendors.

Oracle Secure Backup’s client-server architecture enables centralized tape backup management of heterogeneous clients, servers, and tape devices from a single point called the Administrative Server. The Administrative Server maintains a tape backup catalog that houses metadata, configuration information, backup encryption keys, schedules, and user-defined policies. Key pieces of Oracle Secure Backup functionality are embedded directly inside the Oracle Database engine, making it possible to achieve higher levels of security, performance, and ease of use. For example, to help ensure high levels of security, Oracle Secure Backup encrypts data during all stages of a backup. Encryption is performed before the data leaves the Oracle database, eliminating the risk of data being stolen while in transit to tape, and the data on tape is stored in encrypted form. The Oracle Database then automatically decrypts backups during the restore process.

Companies can also take advantage of the Oracle Secure Backup Cloud module, which enables efficient Oracle Database backups to the Amazon Simple Storage Service (Amazon S3). Such cloud-based backups offer reliability and virtually unlimited capacity that is available on-demand and requires no up-front capital expenditure. This module is fully integrated with RMAN and Oracle Enterprise Manager, providing users with familiar interfaces for Cloud-based backups. It can be used to complement existing backup strategies and can be run independently of Oracle Secure Backup tape-management offerings. With a low entry cost, Oracle Secure Backup is ideal for small and midsize businesses and large enterprises alike.

In addition, Oracle Secure Backup also features certificate-based authentication of host systems participating in a backup or restore to ensure that outside parties cannot impersonate an authorized host. In terms of performance, Oracle Secure Backup provides very rapid backups to tape. Its tight integration with RMAN enables it to read the database block layout structure directly and optimize storage access. The solution typically performs backups 10 percent to 25 percent more quickly than comparable media management utilities, with up to 30 percent less CPU utilization.

Oracle Data Masking Pack

IT professionals often need to share data with other parts of the organization, and with outsourcing or offshore partners, for various nonproduction purposes. For example, DBAs may need to make copies of production data available to in-house developers or offshore testers for their work. The problem is that such production copies often contain confidential, sensitive, or personally identifiable information that government regulations require companies to protect. In fact, the ability to “de-identify” sensitive data is an increasingly important element of data-privacy protection laws around the globe. Traditionally, DBAs have had to create and maintain custom scripts to mask data in each of their corporate databases—a method that is not scalable or truly auditable. Oracle Data Masking, on the other hand, provides a central repository for common masking formats. Security administrators define the masking rules once, and then those rules are applied automatically every time the database administrator masks the database.

With Oracle Data Masking, sensitive information such as credit card or social security numbers can be replaced with realistic values, allowing production data to be safely used for development, testing, and staging. The solution uses an irreversible process to replace sensitive data, helping to ensure that the original data cannot be retrieved, recovered, or restored. Sensitive data never has to leave the database, and is kept out of nonproduction databases. Oracle Data Masking Pack ships with out-of-the-box mask formats for various types of sensitive data, such as credit card numbers, phone numbers, and national identifiers (social security number for U.S., national insurance number for U.K.). It also provides a centralized approach to masking. Companies can apply data privacy rules consistently to all sensitive data to help ensure compliance with regulations.

In addition, companies with specialized masking requirements can add user-defined mask formats to the collection of mask formats, allowing them to use formats that are appropriate for their business or industry. Financial institutions, for example, often use complex algorithms to generate account numbers to prevent fraud. With user-defined formats, they can generate fictitious account numbers to replace the original data and still remain compliant with the security standard built into the account numbers. The solution also provides several options to allow administrators greater control over the masking process and to enable them to test and verify the integrity of the masking process before deploying it.

Oracle Data Masking Pack is securely integrated with the database-cloning capabilities in Oracle Enterprise Manager. That means that in addition to the standalone masking process, database administrators can now add data masking to the database clone process by pointing the production database to a staging environment and specifying the masking definitions that need to be run after cloning.

LEARN MORE
Podcast: Data Privacy Protection with PricewaterhouseCoopers
Database Security for Database and Security Administrators
Customer Snapshot: Dressbarn Relies on Oracle Advanced Security for PCI Compliance
Demo: Oracle Database 11g Security: Data Masking
Forrester Research

Access and Authorization

Controlling access to information is fundamental to data security—and regulations and best practices alike require companies to have strong access and authorization controls. But this is an area that is not always well managed. In a recent Deloitte Touche Tohmatsu global security survey, “excessive access rights” was cited as the primary internal or external audit finding over the last year, and “unauthorized access to personal information” was cited as the top concern in terms of ensuring data privacy. Not only do companies need to manage access for employees across the corporation to make sure the right people are using the right data, they must also work to control the access given to privileged users—in particular, database administrators—without limiting those users’ ability to perform their jobs. Together, the Oracle Database Vault and Oracle Label Security options can help companies meet those challenges.

Oracle Database Vault

Today, a number of regulations require companies to maintain internal controls to protect sensitive information, such as financial, health, and credit card records, from unauthorized access and modification. Oracle Database Vault helps companies comply with those requirements with strong controls designed to protect data against threats from insiders. Oracle Database Vault offers Realms, Rules, and Factors features, which work together inside the database to restrict access from even the most powerful users without interfering with the normal day-to-day database administration.

Realms can be defined and placed around an entire application or set of tables. For example, an HR application user who has full access to the HR application database can be prevented from accessing data in the financial application database if those two databases are defined as different realms. Or, a database administrator who can manage all the application databases can be restricted from actually reading the data stored in those databases. The ability to prevent privileged users from accessing data outside of their authorized area is increasingly critical because many companies are consolidating application databases on the same database server as they search for ease of management and lower total cost of ownership.
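As an added example, not part of this guide, here is how the two-realm separation just described (an HR realm and a finance realm on one consolidated server) is expressed with the Oracle Database Vault DBMS_MACADM API, and, going one step beyond realms, how a Rule on time of day is attached to a command rule so that schema changes in HR are refused during production hours. The realm and rule names, the HR and FIN schemas, the HR_APP_ADMIN account, and the 08:00 to 18:00 window are constructed placeholders; the calls are run as a user holding the DV_OWNER role, which is the separation-of-duty point: the DBA cannot grant these authorizations to themselves.

```sql
-- Added example (not from the Oracle guide): Oracle Database Vault 11g
-- DBMS_MACADM calls, run as the Database Vault owner (DV_OWNER role).
-- Realm names, schemas HR and FIN, HR_APP_ADMIN and the production-hours
-- window are constructed placeholders.
BEGIN
  -- Realm around the whole HR application schema. Once it exists, system
  -- privileges such as SELECT ANY TABLE or the DBA role no longer reach HR
  -- objects unless the grantee is authorised in the realm below.
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'HR Application Realm',
    description   => 'Protects all objects owned by HR',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);  -- audit blocked attempts

  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'HR Application Realm',
    object_owner => 'HR',
    object_name  => '%',     -- every object ...
    object_type  => '%');    -- ... of every type

  -- Only the application owner account may act inside the realm. An HR
  -- user authorised here gets nothing in the Finance realm, and vice versa.
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'HR Application Realm',
    grantee       => 'HR_APP_ADMIN',
    rule_set_name => NULL,
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_OWNER);

  -- Second realm for the finance schema consolidated on the same server.
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'Finance Realm',
    description   => 'Protects all objects owned by FIN',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);
  DBMS_MACADM.ADD_OBJECT_TO_REALM('Finance Realm', 'FIN', '%', '%');

  -- Rule -> rule set -> command rule: block ALTER TABLE on HR objects
  -- between 08:00 and 17:59 server time, whoever issues it.
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Outside Production Hours',
    rule_expr => q'[TO_NUMBER(TO_CHAR(SYSDATE, 'HH24')) NOT BETWEEN 8 AND 17]');

  DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'Maintenance Window Only',
    description     => 'Schema changes only outside production hours',
    enabled         => DBMS_MACUTL.G_YES,
    eval_options    => DBMS_MACUTL.G_RULESET_EVAL_ALL,
    audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
    fail_options    => DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => 'DDL on HR is blocked during production hours',
    fail_code       => 20100,
    handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);

  DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'Maintenance Window Only',
    rule_name     => 'Outside Production Hours');

  DBMS_MACADM.CREATE_COMMAND_RULE(
    command       => 'ALTER TABLE',
    rule_set_name => 'Maintenance Window Only',
    object_owner  => 'HR',
    object_name   => '%',
    enabled       => DBMS_MACUTL.G_YES);
END;
/

-- Verification: what each realm protects, and which command rules are live.
SELECT realm_name, owner, object_name, object_type
  FROM dba_dv_realm_object
 ORDER BY realm_name;

SELECT command, object_owner, object_name, rule_set_name, enabled
  FROM dba_dv_command_rule;
```

The rule expression is ordinary SQL evaluated by Database Vault at statement time, so the same mechanism takes the other factors the guide lists (client IP address, application name, authentication method) by referencing the corresponding factor function in the expression instead of SYSDATE. Because G_REALM_AUDIT_FAIL and G_RULESET_AUDIT_FAIL are set, every refused attempt lands in the Database Vault audit trail, which is the record an incident responder would pull first when a DBA account behaves unexpectedly.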

Meanwhile, Rules and Factors significantly tighten application security by limiting who can access which databases, data, and applications, and when and how they can access them. Multiple factors, such as time of day, IP address, application name, and authentication method, can be used in a flexible and adaptable manner to enforce authorization requirements. For example, if company policy mandates no changes to databases during production hours, and a new DBA tries to do an upgrade at the wrong time, Database Vault can block that action or require that a second DBA be present in order to make such a change. Overall, such multifactor control helps prevent unauthorized ad hoc access and application bypass.

In addition, Oracle Database Vault provides powerful separation of duty controls, offering three distinct out-of-the-box responsibilities for security administration, account management, and resource management. The resource administration responsibility can be further subdivided into backup, performance, and patching responsibilities. Or, responsibilities can be consolidated. This lets companies create policies specific to their needs. For example, the solution blocks a DBA with the “create user” privilege from creating a new user if he or she doesn’t have the proper responsibility.

Because Oracle Database Vault runs inside the Oracle Database, it does not require changes to existing applications. Moreover, multiple policies can reside in the same database, making it easy to create policies for different applications in a consolidated environment. Oracle provides certified customizable Oracle Database Vault policies for Oracle E-Business Suite, Oracle PeopleSoft, Oracle Siebel CRM, and Oracle JD Edwards applications to help companies deploy quickly.

Oracle Label Security

Oracle Label Security is the industry’s most advanced label-based access control product. It gives companies a powerful and easy-to-use tool for classifying data and mediating access to data based on the data’s classification. Traditional controls focus on roles or stop at the object level—a company would be able to control, for example, a user’s access to a customer table, but not to specific subsets within the table. Oracle Label Security extends database security authorization by enabling powerful row-level access controls in the Oracle Database using data sensitivity labels, essentially assigning a data label to each row. Label Security provides an easy-to-use policy-based administration model.
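The following added example (not from this guide) shows the row-level control just described end to end with the Oracle Label Security PL/SQL packages: a policy with two sensitivity levels, the policy applied to one table, rows labelled individually, and two accounts with different clearances reading the same table. The policy name EMP_POL, label column EMP_SENS, table HR.EMPLOYEES with its JOB_ID values, and the ANALYST, HR_OFFICER and DATA_STEWARD accounts are constructed placeholders; the policy-creation calls run as LBACSYS.

```sql
-- Added example (not from the Oracle guide): Oracle Label Security policy
-- with two levels applied row by row to HR.EMPLOYEES. Policy, column, table
-- and account names are constructed placeholders. Steps 1-5 run as LBACSYS
-- (or a user holding the EMP_POL_DBA role that step 1 creates).
BEGIN
  -- 1. Policy: adds a hidden label column EMP_SENS to every table it is
  --    applied to, with read and write control enforced by default.
  SA_SYSDBA.CREATE_POLICY(
    policy_name     => 'EMP_POL',
    column_name     => 'EMP_SENS',
    default_options => 'READ_CONTROL,WRITE_CONTROL,HIDE');

  -- 2. Levels: a higher level_num dominates a lower one.
  SA_COMPONENTS.CREATE_LEVEL('EMP_POL', 1000, 'S',  'SENSITIVE');
  SA_COMPONENTS.CREATE_LEVEL('EMP_POL', 2000, 'HS', 'HIGHLY_SENSITIVE');

  -- 3. Data labels that rows may carry (label_tag is the stored value).
  SA_LABEL_ADMIN.CREATE_LABEL('EMP_POL', 1000, 'S');
  SA_LABEL_ADMIN.CREATE_LABEL('EMP_POL', 2000, 'HS');

  -- 4. Apply the policy to the table: row-level enforcement from now on.
  SA_POLICY_ADMIN.APPLY_TABLE_POLICY(
    policy_name => 'EMP_POL',
    schema_name => 'HR',
    table_name  => 'EMPLOYEES');

  -- 5. Clearances. ANALYST may read 'S' rows only; HR_OFFICER reads and
  --    writes up to 'HS'; DATA_STEWARD gets FULL privilege (bypasses the
  --    policy) purely to do the initial labelling, and is revoked afterwards.
  SA_USER_ADMIN.SET_USER_LABELS(
    policy_name    => 'EMP_POL',
    user_name      => 'ANALYST',
    max_read_label => 'S');
  SA_USER_ADMIN.SET_USER_LABELS(
    policy_name     => 'EMP_POL',
    user_name       => 'HR_OFFICER',
    max_read_label  => 'HS',
    max_write_label => 'HS',
    min_write_label => 'S',
    def_label       => 'HS',
    row_label       => 'HS');
  SA_USER_ADMIN.SET_USER_PRIVS('EMP_POL', 'DATA_STEWARD', 'FULL');
END;
/

-- 6. As DATA_STEWARD: label the existing rows. Until a row carries a label,
--    READ_CONTROL hides it from every ordinary user, so this step is what
--    makes the data visible again, now on a need-to-know basis.
UPDATE hr.employees SET emp_sens = CHAR_TO_LABEL('EMP_POL', 'HS')
 WHERE job_id IN ('AD_PRES', 'AD_VP');     -- executive records
UPDATE hr.employees SET emp_sens = CHAR_TO_LABEL('EMP_POL', 'S')
 WHERE emp_sens IS NULL;                   -- everyone else
COMMIT;

-- 7. As LBACSYS again: take the bypass privilege away once labelling is done.
BEGIN
  SA_USER_ADMIN.SET_USER_PRIVS('EMP_POL', 'DATA_STEWARD', NULL);
END;
/

-- 8. The same query returns different row sets per session: ANALYST sees
--    only the 'S' rows, HR_OFFICER sees 'S' and 'HS' rows. LABEL_TO_CHAR
--    renders the hidden label column for inspection.
SELECT employee_id, job_id, LABEL_TO_CHAR(emp_sens) AS sensitivity
  FROM hr.employees
 ORDER BY employee_id;
```

The application issuing the SELECT in step 8 does not change at all, which is the property the guide stresses: the filtering is done by the database on the label of each row against the clearance of the session. Temporary FULL privilege for the labelling account is the piece most often forgotten in practice; leaving it in place turns that account into a standing bypass of the policy, so revoking it (step 7) belongs in the same change.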

Oracle Label Security was originally designed to meet the high-security requirements of government and defense organizations. Such organizations typically use the solution for multilevel security—that is, to compartmentalize access to “sensitive” and “highly sensitive” data stored in the same application table, so that only those with the right clearance can access sensitive data. Commercial organizations can use data labels to compartmentalize data in order to control access to regulatory data and enforce need-to-know policies, and to enhance security in multi-tenancy databases and hosting and software-as-a-service arrangements. It allows administrators to classify every row in a table. It provides a policy-based administration model that enables organizations to establish custom data-classification schemes for implementing “need to know” access for their applications.

Oracle Label Security enables organizations to:

• Restrict access to individuals with the appropriate clearance.
• Enforce regulatory compliance.
• Leverage labels flexibly. Labels can be used as factors within Oracle Database Vault for multifactor authorization policies.

Oracle Label Security also integrates with Oracle Identity Management, enabling centralized management of policy definitions.

LEARN MORE
Podcast: Protecting Your Databases Against Cyber-Espionage
Demo: Oracle Database 11g Security: Access Control
Forrester Research
Oracle Database Vault: Privileged User and Multi-Factor Controls
Seminar: Rich Mogull on Enforcing Separation of Duties for Database and Security Administrators

Auditing and Monitoring

Security threats continue to shift and grow, and the use of technology continues to evolve—all of which means that the security landscape is constantly changing. Effective security cannot be accomplished with a “set it and forget it” approach—it requires continued vigilance and comprehensive monitoring of the state of security in the enterprise. In part, that means that companies need to be able to audit changes in the database, to see who altered what when in order to analyze problems, uncover suspicious activity, and comply with regulatory reporting requirements. Today, it is also increasingly important to monitor activity in real time, so that the company can detect unauthorized access and act quickly to avoid problems or minimize their impact. And finally, companies need to assess their potential vulnerabilities during deployment and ongoing database operations. To strengthen auditing and monitoring, companies can draw on the Oracle Audit Vault, Oracle Total Recall, and Oracle Configuration Management Pack options.

Oracle Audit Vault

Experts who have investigated data breaches have found that auditing can help detect problems early on, reducing the financial impact of the breaches. This is key to working proactively, and heading off security problems before they start. Oracle Audit Vault transparently collects and consolidates audit data, providing valuable insight into who did what to which data when—including privileged users who have direct access to the database. Oracle Audit Vault automatically collects audit data from Oracle, DB2, Sybase, and SQL Server databases. It consolidates this data in a secure and highly scalable audit warehouse, with access strictly controlled through the use of predefined administrative roles. It also leverages Oracle’s industry-leading database security and data warehousing technology for managing, storing, analyzing, and archiving large volumes of audit data securely.

The solution enables proactive threat detection, with alerts that highlight suspicious activity across the enterprise. It continuously monitors inbound audit data, evaluating it against alert conditions. Alerts can be associated with any auditable database event, including changes to application tables, role grants, and privileged user creation on sensitive systems. The solution gives companies graphical summaries of the activities that are causing alerts.

Oracle Audit Vault also offers simplified, out-of-the-box compliance reporting. It gives companies standard audit-assessment reports covering privileged users, account management, roles and privileges, object management, and system management. Companies can define parameter-driven reports that show user log-in activity across multiple systems and within specific time periods, such as weekends. The solution also provides an open audit warehouse schema that can be accessed from Oracle BI Publisher, Oracle Application Express, or third-party reporting tools.

IT security personnel work with auditors to define audit settings on databases and other systems to meet both compliance requirements and internal security policies. Database audit settings are centrally managed and monitored from within Oracle Audit Vault, reducing the cost and complexity of managing audit settings across the enterprise. Oracle Audit Vault lets companies provision and review audit settings in multiple Oracle databases from a central console.

With these capabilities, Oracle Audit Vault helps companies:
• Simplify compliance reporting, with the ability to easily analyze audit data and take action in a timely fashion using out-of-the-box or custom reporting
• Detect threats more effectively, with the ability to quickly and automatically identify unauthorized activities that violate security and governance policies, and to thwart perpetrators who try to cover their tracks
• Lower IT costs, with the ability to centrally manage audit settings across all databases

With Oracle Audit Vault, organizations are in a much better position to enforce privacy policies, guard against insider threats, and address regulatory requirements.

Oracle Total Recall

Today, companies need to retain historical data for long periods of time in order to comply with various regulations. In addition, many recognize the potential value that such historical data holds in terms of enabling the analysis of problems and the understanding of market trends and customer behavior. As a result, they are keeping such data for even longer than regulations demand. Doing all of this in a secure manner, however, has traditionally been a difficult and inefficient process.

Oracle Total Recall addresses that problem by allowing historical data to be kept inside the database very efficiently—and by enabling the instant access to historical data needed to conduct various analyses. Based on Flashback Data Archive, it lets companies transparently track changes to database table data in a highly secure and efficient manner. Oracle Total Recall can be used to support internal auditing, human-error correction, and regulatory compliance processes.

Oracle Total Recall is easy to configure and implement. Administrators can enable historical data capture for one table or all tables in a database with a simple “enable archive” command. The capture process minimizes performance overhead, and historical data is stored in compressed form to reduce storage requirements. There is no limit on the time period for storing historical data; the solution can handle any retention period the business requires. No one—not even administrators—can update historical data directly. And the solution provides real-time access to historical archives, because that data is stored in the database itself, with the ability to query data as of any point in time in the past through the use of standard SQL statements. Oracle Total Recall is designed to be easily managed and make the most efficient use of all related resources, including CPU, storage, and administrator time. Oracle Database 11g automatically enforces rules and sends problem alerts when needed to minimize administrator intervention. In addition, the solution requires no application changes or special interfaces. And it eliminates the need for third-party or custom solutions in the management of historical data.

Overall, the solution provides:
• Efficiency of performance and storage.
• Complete protection from accidental or malicious update.
• Automated ongoing historical data management.

The Oracle software also lets companies automatically detect, validate, and report on authorized and unauthorized configuration changes.
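The “enable archive” step and the point-in-time queries described above, shown as an added example using Flashback Data Archive SQL (this is example code, not code from the guide). The archive name, tablespace, schema, table, column names and timestamps are assumptions; the session needs the FLASHBACK ARCHIVE ADMINISTER privilege for the first statement.

```sql
-- Assumptions (not from the page): tablespace FDA_TS exists; table APP.ORDERS has
-- columns ORDER_ID and AMOUNT; the example timestamps below are constructed.

-- 1. One archive with a retention period set by policy (7 years here, as an assumption);
--    history older than the retention is purged automatically, nothing else is.
CREATE FLASHBACK ARCHIVE orders_fda
  TABLESPACE fda_ts
  QUOTA 20G
  RETENTION 7 YEAR;

-- 2. "Enable archive" for one table. Applications keep issuing ordinary DML;
--    prior row versions are captured transparently and stored compressed.
ALTER TABLE app.orders FLASHBACK ARCHIVE orders_fda;

-- 3. Normal application activity after the archive is enabled.
UPDATE app.orders SET amount = 999 WHERE order_id = 42;
COMMIT;

-- 4. Standard SQL reads the row as it was at a moment in the past
--    (the moment must lie after the archive was enabled).
SELECT order_id, amount
  FROM app.orders
    AS OF TIMESTAMP TO_TIMESTAMP('2009-06-01 09:00:00', 'YYYY-MM-DD HH24:MI:SS')
 WHERE order_id = 42;

-- 5. "Who altered what when": every retained version of the row, with the
--    operation (I/U/D) and the transaction that made it, for human-error
--    correction or an internal audit.
SELECT versions_starttime, versions_endtime, versions_operation, versions_xid, amount
  FROM app.orders VERSIONS BETWEEN TIMESTAMP MINVALUE AND MAXVALUE
 WHERE order_id = 42
 ORDER BY versions_starttime;

-- 6. Direct DML against the archive's history tables is rejected even for
--    administrators; disabling capture is the only administrative change,
--    and it requires the same privilege as enabling it.
ALTER TABLE app.orders NO FLASHBACK ARCHIVE;
```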

Oracle Configuration Management Pack

The Oracle Configuration Management Pack helps companies ensure that their database configurations are secure by automatically detecting, validating, and reporting on authorized and unauthorized configuration changes. To help track assets and uncover problems, this management pack collects deep configuration information for a range of components, including hardware, operating systems, databases, middleware, application server, and WebLogic server software. The pack can be used to support both Oracle and third-party IT components. The solution includes a built-in collection of more than 250 best practices based on industry standards for security and configuration management, which can be customized by administrators for their specific IT environment. Oracle Configuration Management enables the proactive assessment of key compliance areas such as security, configuration, and storage to help companies identify vulnerabilities and areas where best practices are not being followed.

A key part of this management pack is the Configuration Change Console, which provides real-time change detection and reporting, detecting and capturing any actions by users or applications that result in changes to the infrastructure. The console automatically collects the required data; no user input is requested or required to capture and document changes. The console monitors a variety of areas, including files and directories, user accounts, processes, server resources, the network, and Oracle Database. With the console, companies can use compliance-reporting dashboards that convert continuous evaluation results into compliance scores and present them in at-a-glance views that highlight key indicators, provide the ability to drill down to details, and help decision makers track progress toward compliance over time.

In addition, the pack has a Critical Patch Update Advisory feature that alerts companies to critical patches issued by Oracle and immediately identifies those systems across the enterprise that may require the new patch. Companies can also use a patch wizard to automatically deploy the patch, helping to ensure that application databases are always up-to-date and protected.

By letting companies detect and prevent unauthorized changes more efficiently and effectively, the Oracle Configuration Management Pack helps ensure compliance with IT control frameworks such as Control Objectives for Information and related Technology (COBIT) and COSO “Internal Control–Integrated Framework” as required by Sarbanes-Oxley and similar global directives. By doing so, it helps them increase security, mitigate risk, and provide demonstrable control over the entire IT environment for governance and compliance.

LEARN MORE
Podcast: Chase Paymentech Relies on Oracle Audit Vault for Security and Compliance
Demos: Oracle Audit Vault: Database Audit and Activity Monitoring; Database Vulnerability Assessment and Secure Configuration
Seminar: Forrester Research, Oracle Database 11g Security: Activity and Configuration Monitoring

Looking Ahead

Database security is clearly a vital and challenging issue. At many organizations, however, there is considerable room for improvement on this front. For example, in a recent IOUG security survey:
• Only one out of four respondents said that all their databases are locked down against attacks.
• Responses indicated that one in four of the sites covered by the survey do not encrypt data within their databases, and nearly one in five were not sure whether such encryption takes place.
• Two out of five responding organizations said that they use actual production data in nonproduction environments, which typically puts that data in an unsecured setting.
• Most respondents said that they do not have mechanisms in place to prevent database administrators and other privileged database users from reading or tampering with sensitive information—and most said that they are unable to detect such incidents.

These types of gaps represent significant vulnerabilities—and the world is likely to be less and less forgiving of such lapses in the months and years to come. The sheer volume of sensitive data that needs to be protected continues to grow. Compliance is likely to become increasingly challenging, as data privacy regulations—and fines for noncompliance—become more and more stringent. And threats posed by insiders and outsiders alike will only become more sophisticated, as criminals step up efforts to tap into what is a very valuable asset.

“The risks around data security can be expected to keep growing and evolving to become ever-more challenging, and companies need to be prepared for this reality,” says Securosis founder Rich Mogull. “That means that advanced, comprehensive security is only growing more important, and that companies will need to tighten control over the sensitive information held in their databases.”

In short, database security has already become a critical technical and business issue, and looking forward, the effort to “protect data where it lives” will play an increasingly vital role in an organization’s success.

LEARN MORE
Podcast: Database Security for Database and Security Administrators
Analyst Report: Forrester Research: Your Enterprise Security Strategy for 2010
Blog: Security Inside Out
Data Security Self-Assessment Tool

Copyright © 2009, Oracle and/or its affiliates. All rights reserved. Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.