SECURING DATA AT THE SOURCE: A GUIDE TO ORACLE DATABASE SECURITY

Security Inside Out

Source: hosteddocs.ittoolbox.com/sec_us_en_wp_securingdata.pdf · 2013-11-13

Table of Contents

INTRODUCTION

DATABASE ENCRYPTION AND MASKING

ACCESS AND AUTHORIZATION

AUDITING AND MONITORING

LOOKING AHEAD

Secure Data At The Source. Save Time And Money.

Introduction

Over the past few years, ensuring the security of information and data has become both more challenging and more important. Indeed, doing so has quickly grown from a technology challenge to a key business issue with broad strategic implications—and that has put growing pressure on IT professionals to keep data safe and secure.

In part, this shift is due to the ever-growing role of electronic data in business and the unprecedented amounts of transaction, personal, and financial data—much of it confidential and regulated—that is being generated and stored by corporations and government agencies. As this growth continues, the universe of stored data will expand to 1,800 exabytes by 2012, according to IDC.

Meanwhile, there is a growing range of threats targeting that data. External threats have evolved from being primarily hackers looking for notoriety to being highly organized criminals looking for financial gain. In a recent study of 90 confirmed data breaches in 2008, the Verizon Business Risk security team found that 285 million records were lost in those attacks—and the team reports that 91 percent of those compromised records could be attributed to organized criminal activity. Stolen sensitive information—such as addresses and credit card and social security numbers—can be sold on the black market or used in spamming campaigns, credit card fraud, identity theft, and the distribution of malicious software. And unlike hackers, criminals want to stay below the radar, making their attacks all the more difficult to detect. As Rich Mogull, founder of the Securosis research and analysis firm, recently noted, “We need to acknowledge that threats have changed, from noisy to quiet, from the edge of the organization to the center. We also need to understand that attackers’ motivations have changed—web site defacement isn’t the goal; fraud and data theft are.”

But companies need to consider insider threats as well. Often, these come in the form of accidents or failures to follow security policy. Recent research from the Ponemon Institute found that employee compliance with company security policies is actually declining. “Employees routinely engage in activities that put sensitive data at risk,” writes Dr. Larry Ponemon, chairman of the institute. Such activities include downloading data onto unsecured mobile devices, sharing passwords, losing laptops and other devices, and turning off security tools on mobile devices. Writes Ponemon: “Interestingly, of those surveyed, 58 percent said their employer failed to provide adequate data security awareness and training, and 57 percent said their employer’s data protection policies were ineffective.” But insider threats can be malicious as well, and come from disgruntled workers or employees seeking personal gain. At times, insider attacks make headlines, such as the FBI’s 2008 arrest of a former Countrywide Financial Corp. employee for alleged involvement in the theft of some 2 million customer records. But the Privacy Rights Clearinghouse, which maintains a list of breaches, shows numerous smaller attacks at corporations, universities, and government agencies. These breaches may involve only hundreds or tens of thousands of people, but to the organizations and individuals who are victimized, they are very serious just the same. Regardless of the motivation behind internal data breaches, organizations can no longer ignore the security threat posed by people who are actually authorized to access systems at some level. An IDC survey found that 52 percent of large companies had terminated employees or contractors for internal security violations, and 80 percent of very large organizations—those with more than 10,000 employees—had done so.

The cost of failing to secure data is high, and getting higher. Data breaches can lead to administrative costs and, of course, individual or class-action lawsuits from consumers. Compliance, too, can be a costly and growing issue: Companies are liable to run afoul of a growing range of regulations—such as Sarbanes-Oxley, the Health Insurance Portability and Accountability Act, Financial Instruments and Exchange Law, Basel II, and the EU Directive on Privacy and Electronic Communications in Europe—which require organizations to implement measures to protect sensitive information and monitor access to that information.

The impact on the business from data losses can be deep, and it can be far-ranging in terms of damaged reputation and reduced customer loyalty. In research from the Chief Marketing Officer Council, more than half of the surveyed consumers said that they would strongly consider or definitely take their business elsewhere if their personal information were compromised. The same held true with business-to-business relationships, with about half of surveyed executives saying they would consider or would recommend taking their business elsewhere if a business partner experienced a security breach that compromised their data.

In a recent study, more than half of the surveyed large companies have had to terminate employees or contractors for internal security violations.


The ramifications of a data breach add up quickly. Looking at the total picture, including legal and administrative costs, damaged reputation, and lost opportunity, the average per-incident cost for a data breach is now $6.65 million, according to the Ponemon Institute. And the high price of low security is not lost on investors: According to Emory University researchers, a company loses anywhere from 0.63 percent to 2.1 percent in its stock price when a breach is reported. Security, then, has become an issue in the executive suite as well as in the data center.

Protecting Data Where It Lives

These issues and costs have prompted greater attention to security in corporations—and in particular, they have highlighted the need for rigorous security at the database level.

Traditionally, security efforts have focused on the perimeter of the corporate network, and companies have implemented firewalls, VPNs, and antivirus and antispam software to try to keep intruders out. These controls are important, but they are really just a first line of defense—and ultimately not enough in an age of growing security threats. Indeed, several factors have been contributing to the need to extend security back from the network perimeter to the database.

One factor is the internal threat discussed above, which by definition defeats that line of defense on the perimeter. Another is changing technology and the proliferation of data—and especially, sensitive data—across numerous platforms and channels, which by nature create more ways for intruders to gain access. “Consider all the sensitive data that is out there,” says David Knox, a member of Oracle’s National Security Group and author of Effective Oracle Database 10g Security by Design. Social security numbers are housed in everything from old student information systems to employee records and government systems; credit card numbers are kept by retailers, banks, and other organizations; and healthcare data can be found across innumerable medical offices and hospitals. Today, Knox says, “there are more applications that deal with some element of sensitive information in a typical enterprise IT environment than there are applications that are exempt from sensitive data.”

The evolution of business practices is also a factor. Today, data is shared across systems and organizational departments. In addition, a growing emphasis on collaboration with partners often means that outside parties have access to corporate networks via their extranets, which opens a potential avenue for attackers to work their way to the database level.

Changing technology and the proliferation of sensitive data across numerous platforms and channels create more ways for intruders to gain access to information.


Similarly, outsourcing arrangements often mean that other companies have access to corporate systems and data—and that picture can become even more complicated when offshoring puts work into countries where partners may be working under different laws and regulations regarding data security. In its research, the Ponemon Institute found that third-party organizations account for more than 44 percent of data breach incidents.

The solution to such challenges, then, is to safeguard data where it lives—in the database. Indeed, database security is rapidly becoming a recognized best practice—but often, companies lag behind in this area. “Despite significant effort to protect enterprise databases, attack rates continue to rise across several industries, including financial services, education, retail, the public sector, and manufacturing,” notes a report from Noel Yuhanna, principal analyst at Forrester Research. “Today, attacks on enterprise databases are more sophisticated than ever, and many occur without enterprises being aware that an attack is taking place, especially in the case of internal attacks, which are the hardest to detect.” Advanced security measures that can help are available—but, reports Yuhanna, only 25 percent of surveyed enterprises are using those types of measures.

The Oracle Approach to Database Security

Oracle provides a comprehensive portfolio of database security solutions to ensure data privacy, protect against insider threats, and enable regulatory compliance—without requiring changes to existing applications. These solutions build on Oracle’s long history of innovation in the field. The industry firsts it has delivered include row-level access control, fine-grained auditing, transparent data encryption, and data masking. Today, Oracle solutions are used to protect a significant amount of data, with Oracle Database being used for 48.9 percent of the world’s databases.

Today, Oracle solutions are used to protect a significant amount of data, with Oracle Database being used for 44 percent of the world’s databases.


Given the sophistication and variety of security threats facing businesses, most organizations know that effective security programs are typically based on multiple layers of preventive measures. Oracle’s database security options fall into three broad categories:

• Encryption and Masking, which includes Oracle Advanced Security, Oracle Secure Backup, and Oracle Data Masking Pack

• Access and Authorization, which includes Oracle Database Vault and Oracle Label Security

• Auditing and Monitoring, which includes Oracle Audit Vault, Oracle Total Recall, and Oracle Configuration Management Pack

These offerings are discussed in detail in the following chapters.

LEARN MORE

• Seminar: Protecting Data at the Source with Oracle Database 11g Release 2

• Demo: Oracle Database 11g Security and Compliance

• Analyst Report: Oracle Database Security: Cost-Effective Data Leak Prevention Starts at the Source

Database Encryption And Masking

Security strategies have long relied on the encryption of information, but in recent years, the need for encryption has increased significantly, with the rise of identity theft and criminal attacks targeting social security numbers, credit card numbers, and other sensitive information. Encryption at the database level can help protect data from unauthorized backdoor access by dishonest administrators and other insiders, and from operating system- and network-level attacks by outsiders. It also helps protect from media theft involving laptops, storage disks being removed for maintenance, and backup tapes. “Over the years, we’ve seen requirements to expand protection around critical data such as medical data, personal identifiable information, and credit card information,” says Gary Loveland, PricewaterhouseCoopers’ Advisory principal and security practice leader in the United States. “There is no doubt that in [the near future] even more data will need to be protected. Being able to encrypt all application data efficiently is a big benefit to organizations in terms of keeping up with business needs and staying ahead of regulatory requirements.”

However, it is still common to find unencrypted data at many companies—and that data is at risk of being compromised. In a recent Independent Oracle User Group survey, only 21 percent of the respondents said that they encrypt personal information on all databases—and 37 percent said that they either have no encryption of such data, or that they aren’t sure whether or not they do.

Encryption is important, but it doesn’t cover every situation. For example, encryption will not protect against unauthorized access to production data in nonproduction environments. By definition, developers, administrators, and others need to be able to access data in these environments.

Overall, companies can address these security challenges with the capabilities provided by Oracle Advanced Security, Oracle Secure Backup, and Oracle Data Masking Pack.

Oracle Advanced Security

With Oracle Advanced Security, companies can transparently encrypt all application data or specific sensitive columns, such as credit card numbers, social security numbers, or personally identifiable information. By encrypting data at rest in the database—as well as when it leaves the database over the network or via backup media—Oracle Advanced Security provides a cost-effective solution for data protection.

Oracle Advanced Security Transparent Data Encryption (TDE) provides robust encryption solutions to safeguard sensitive data against unauthorized access at the operating system level, or through the theft of hardware or backup media. With a simple command or point-and-click interface, an administrator can encrypt sensitive data within an existing application table.

Unlike most database encryption solutions, TDE is completely transparent to existing applications, and no triggers, views, or other application changes are required. Data is transparently encrypted when written to disk and transparently decrypted after an application user has successfully authenticated, and passed all authorization checks. Authorization checks include verifying the user has the necessary select and update privileges on the application table and checking Database Vault, Label Security, and Virtual Private Database enforcement policies.

Existing database backup routines will continue to work, with the data remaining encrypted in the backup. To safeguard data in transit, Oracle Advanced Security provides an easy-to-deploy and comprehensive solution for protecting all communication to and from the Oracle Database, providing both native network encryption and SSL-based encryption. The Oracle Database can be configured to reject connections from clients with encryption turned off, or optionally allow unencrypted connections for deployment flexibility.

Overall, Oracle Advanced Security lets companies:

• Protect all application data quickly and easily, with the ability to encrypt the entire tablespace or specific sensitive columns without making any changes to existing applications

• Take a comprehensive approach to encryption, with transparent encryption for Oracle database traffic, disk backups, and exports

• Achieve high levels of identity assurance, with support for PKI, Kerberos, and RADIUS-based strong authentication solutions

• Manage costs, with the ability to leverage complete built-in encryption key lifecycle management, including integration with industry-leading Hardware Security Modules (HSMs) or other enterprisewide key management solutions
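The network-encryption paragraph above says the database can be configured either to reject clients that have encryption turned off or to tolerate them. The following added example (my code, not Oracle's and not from this paper) models how the server-side SQLNET.ENCRYPTION_SERVER setting and the client-side SQLNET.ENCRYPTION_CLIENT setting negotiate, following the outcome matrix in Oracle's Advanced Security documentation (ACCEPTED, the default, merely permits encryption; REQUIRED refuses a session without it), then parses two constructed sqlnet.ora fragments to flag the weak setting beside the hardened one. The fragments, the helper names and the audit findings are assumptions of this example.

```python
"""Model of Oracle Net native encryption negotiation (added example; not
Oracle code). Outcomes follow the documented server/client matrix; the
sqlnet.ora fragments below are constructed for this example."""

SETTINGS = ("REJECTED", "ACCEPTED", "REQUESTED", "REQUIRED")

# Constructed fragment: the default ACCEPTED setting, which never insists.
WEAK_SQLNET_ORA = """
SQLNET.ENCRYPTION_SERVER = accepted
SQLNET.ENCRYPTION_TYPES_SERVER = (AES256, AES128)
"""

# Constructed fragment: refuse sessions from clients with encryption turned off.
HARDENED_SQLNET_ORA = """
# Clients that have not enabled encryption are rejected at connect time.
SQLNET.ENCRYPTION_SERVER = required
SQLNET.ENCRYPTION_TYPES_SERVER = (AES256)
"""


def parse_sqlnet(text):
    """Parse KEY = VALUE lines of a sqlnet.ora fragment; '#' starts a comment."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition("=")
        params[key.strip().upper()] = value.strip()
    return params


def server_policy(params):
    """ACCEPTED is Oracle's default when the parameter is absent."""
    return params.get("SQLNET.ENCRYPTION_SERVER", "accepted").upper()


def negotiate(server, client):
    """Return 'ON', 'OFF' or 'FAIL' for a server/client pair of settings."""
    s, c = server.upper(), client.upper()
    if s not in SETTINGS or c not in SETTINGS:
        raise ValueError(f"unknown encryption setting: {server!r}/{client!r}")
    pair = {s, c}
    if pair == {"REJECTED", "REQUIRED"}:
        return "FAIL"      # one side insists, the other refuses: no session
    if "REJECTED" in pair:
        return "OFF"       # one side refuses and the other does not insist
    if pair == {"ACCEPTED"}:
        return "OFF"       # both merely willing: nobody asks, so it stays off
    return "ON"


def accepts_plaintext_clients(server):
    """True if a client with encryption turned off (REJECTED) still gets a session."""
    return negotiate(server, "REJECTED") != "FAIL"


def audit(text):
    """Findings for a server-side sqlnet.ora fragment (empty list means clean)."""
    params = parse_sqlnet(text)
    policy = server_policy(params)
    findings = []
    if accepts_plaintext_clients(policy):
        findings.append(f"SQLNET.ENCRYPTION_SERVER={policy}: a client with "
                        "encryption turned off still gets an unencrypted session")
    if "SQLNET.ENCRYPTION_TYPES_SERVER" not in params:
        findings.append("SQLNET.ENCRYPTION_TYPES_SERVER unset: algorithm left to defaults")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_SQLNET_ORA), ("hardened", HARDENED_SQLNET_ORA)):
        print(name, "->", audit(text) or "no findings")
    for client in SETTINGS:
        print(f"server REQUIRED / client {client}: {negotiate('REQUIRED', client)}")
```

The audit is deliberately one-sided: it judges only what the server enforces, because a client-side setting is under the client's control and cannot be relied on by the database owner.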


Oracle Secure Backup

Oracle Secure Backup provides an integrated, easy-to-use backup solution that encrypts data to tape to safeguard against the misuse of sensitive data in the event that backup tapes are lost or stolen. With a low entry cost, Oracle Secure Backup is ideal for small and midsize businesses and large enterprises alike.

Oracle Secure Backup gives companies complete data protection for Oracle environments. It provides network tape backup for UNIX, Linux, Windows, and Network Attached Storage (NAS) file system data, as well as the Oracle Database, and supports more than 200 different tape devices from leading vendors. It enables Oracle Database-to-tape backup through integration with Oracle Recovery Manager (RMAN)—supporting versions Oracle9i to Oracle Database 11g—as well as file system data protection of local and distributed servers and policy-based tape backup management.

Companies can also take advantage of the Oracle Secure Backup Cloud module, which enables efficient Oracle Database backups to the Amazon Simple Storage Service (Amazon S3). Such cloud-based backups offer reliability and virtually unlimited capacity that is available on-demand and requires no up-front capital expenditure. This module is fully integrated with RMAN and Oracle Enterprise Manager, providing users with familiar interfaces for Cloud-based backups. It can be used to complement existing backup strategies and can be run independently of Oracle Secure Backup tape-management offerings.

Oracle Secure Backup’s client-server architecture enables centralized tape backup management of heterogeneous clients, servers, and tape devices from a single point called the Administrative Server. The Administrative Server maintains a tape backup catalog that houses metadata, configuration information, backup encryption keys, schedules, and user-defined policies.

Key pieces of Oracle Secure Backup functionality are embedded directly inside the Oracle Database engine, making it possible to achieve higher levels of security, performance, and ease of use. For example, to help ensure high levels of security, Oracle Secure Backup encrypts data during all stages of a backup. Encryption is performed before the data leaves the Oracle database, eliminating the risk of data being stolen while in transit to tape. In addition, the data on tape is stored in encrypted form. The Oracle Database then automatically decrypts backups during the restore process. Oracle Secure Backup also features certificate-based authentication of host systems participating in a backup or restore to ensure that outside parties cannot impersonate an authorized host.

In terms of performance, Oracle Secure Backup provides very rapid backups to tape. Its tight integration with RMAN enables it to read the database block layout structure directly and optimize storage access. The solution typically performs backups 10 percent to 25 percent more quickly than comparable media management utilities, with up to 30 percent less CPU utilization.

Oracle Data Masking Pack

IT professionals often need to share data with other parts of the organization. For example, DBAs may need to make copies of production data available to in-house developers or offshore testers for their work. The problem is that such production copies often contain confidential, sensitive, or personally identifiable information that government regulations require companies to protect. In fact, the ability to “de-identify” sensitive data is an increasingly important element of data-privacy protection laws around the globe.

With Oracle Data Masking, sensitive information such as credit card or social security numbers can be replaced with realistic values, allowing production data to be safely used for development, testing, and staging, and shared with outsourcing or offshore partners for various nonproduction purposes. Sensitive data never has to leave the database, and is kept out of nonproduction databases.

The solution uses an irreversible process to replace sensitive data, helping to ensure that the original data cannot be retrieved, recovered, or restored. It also provides a centralized approach to masking. Traditionally, DBAs have had to create and maintain custom scripts to mask data in each of their corporate databases—a method that is not scalable or truly auditable. Oracle Data Masking, on the other hand, provides a central repository for common masking formats. Security administrators define the masking rules once, and then those rules are applied automatically every time the database administrator masks the database. Companies can apply data privacy rules consistently to all sensitive data to help ensure compliance with regulations.

Oracle Data Masking Pack ships with out-of-the-box mask formats for various types of sensitive data, such as credit card numbers, phone numbers, and national identifiers (social security number for U.S., national insurance number for U.K.).


In addition, companies with specialized masking requirements can add user-defined mask formats to the collection of the mask formats, allowing them to use formats that are appropriate for their business or industry. Financial institutions, for example, often use complex algorithms to generate account numbers to prevent fraud. With user-defined formats, they can generate fictitious account numbers to replace the original data and still remain compliant with the security standard built into the account numbers.

Oracle Data Masking Pack is securely integrated with the database-cloning capabilities in Oracle Enterprise Manager. That means that in addition to the standalone masking process, database administrators can now add data masking to the database clone process by pointing the production database to a staging environment and specifying the masking definitions that need to be run after cloning. The solution also provides several options to allow administrators greater control over the masking process and to enable them to test and verify the integrity of the masking process before deploying it.
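The Data Masking passages above describe four properties: replacement values that look real and keep their format, an irreversible process, user-defined formats that preserve a check algorithm built into the original numbers, and a way to test the masking before a copy is released. The script below is an added example (my code, not Oracle Data Masking Pack and not from this paper) that implements those properties for card numbers and U.S. social security numbers: a keyed hash driven by a per-run secret that is discarded afterwards gives consistent but unrecoverable replacements, the card format re-computes a Luhn check digit, and a release gate verifies that every value changed, still passes its format check, and was masked consistently. The sample rows, the choice to keep the 6-digit issuer prefix, and the helper names are assumptions of this example.

```python
"""Format-preserving, irreversible masking with an integrity check
(added example; not Oracle Data Masking Pack code)."""
import hashlib
import hmac
import re
import secrets

# Per-run secret: never stored. Once it is gone, the originals cannot be
# recovered from the masked copy (the paper's "irreversible" property), yet
# within one run the same original always yields the same replacement, so
# foreign keys across masked tables keep matching.
_RUN_SECRET = secrets.token_bytes(32)


def _digits_from(value, n, secret=None):
    """Derive n decimal digits from value with HMAC-SHA256. The b % 10 step is
    slightly biased, which is fine for test data and irrelevant to reversibility."""
    secret = _RUN_SECRET if secret is None else secret
    out, counter = "", 0
    while len(out) < n:
        mac = hmac.new(secret, f"{counter}:{value}".encode(), hashlib.sha256).digest()
        out += "".join(str(b % 10) for b in mac)
        counter += 1
    return out[:n]


def luhn_check_digit(partial):
    """Check digit that makes partial + digit pass the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:                      # rightmost digit of the partial is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number):
    digits = re.sub(r"\D", "", number)
    return len(digits) > 1 and luhn_check_digit(digits[:-1]) == digits[-1]


def mask_card(pan, secret=None):
    """Fictitious PAN: same length, same 6-digit issuer prefix, valid Luhn check digit."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_valid(digits):
        raise ValueError("not a well-formed card number")
    partial = digits[:6] + _digits_from(digits, len(digits) - 7, secret)
    return partial + luhn_check_digit(partial)


def mask_ssn(ssn, secret=None):
    """Fictitious SSN in AAA-GG-SSSS form, avoiding never-issued areas, groups and serials."""
    digits = re.sub(r"\D", "", ssn)
    if len(digits) != 9:
        raise ValueError("not a 9-digit identifier")
    d = _digits_from(digits, 9, secret)
    area = 1 + int(d[:3]) % 665          # 001-665: skips 000, 666 and 900-999
    group = 1 + int(d[3:5]) % 99         # 01-99
    serial = 1 + int(d[5:]) % 9999       # 0001-9999
    return f"{area:03d}-{group:02d}-{serial:04d}"


# column -> (masking function, format check the masked value must satisfy)
MASK_RULES = {
    "pan": (mask_card, luhn_valid),
    "ssn": (mask_ssn, lambda v: re.fullmatch(r"\d{3}-\d{2}-\d{4}", v) is not None),
}


def mask_table(rows):
    """Apply the masking rules column by column; other columns are copied as-is."""
    return [{col: (MASK_RULES[col][0](val) if col in MASK_RULES else val)
             for col, val in row.items()} for row in rows]


def verify_masking(original, masked):
    """Release gate: every sensitive value changed, still satisfies its format
    check, and identical sources were masked identically (consistency)."""
    seen = {}
    for o_row, m_row in zip(original, masked):
        for col, (_, check) in MASK_RULES.items():
            o, m = re.sub(r"\D", "", o_row[col]), m_row[col]
            if o == re.sub(r"\D", "", m) or not check(m):
                return False
            if seen.setdefault((col, o), m) != m:
                return False
    return True


# Constructed sample rows using publicly known test numbers, not real people.
SAMPLE_ROWS = [
    {"cust_id": 1, "pan": "4539 5787 6362 1486", "ssn": "078-05-1120"},
    {"cust_id": 2, "pan": "5555 5555 5555 4444", "ssn": "219-09-9999"},
    {"cust_id": 3, "pan": "4539 5787 6362 1486", "ssn": "078-05-1120"},  # repeat of row 1
]

if __name__ == "__main__":
    masked = mask_table(SAMPLE_ROWS)
    for row in masked:
        print(row)
    print("release gate passed:", verify_masking(SAMPLE_ROWS, masked))
```

Keeping the issuer prefix is a trade-off: it makes the test data exercise the same routing logic as production, but it also means the masked numbers could coincide with real card numbers, which is why the masked copy must still be treated as nonproduction test data rather than as public data.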

LEARN MORE

• Podcast: Data Privacy Protection with PricewaterhouseCoopers

• Database Security for Database and Security Administrators

• Customer Snapshot: Dressbarn Relies on Oracle Advanced Security for PCI Compliance

• Demo: Forrester Research Oracle Database 11g Security: Data Masking

Access and Authorization

Controlling access to information is fundamental to data security—and regulations and best practices alike require companies to have strong access and authorization controls. But this is an area that is not always well managed. In a recent Deloitte Touche Tohmatsu global security survey, “excessive access rights” was cited as the primary internal or external audit finding over the last year, and “unauthorized access to personal information” was cited as the top concern in terms of ensuring data privacy. Not only do companies need to manage access for employees across the corporation to make sure the right people are using the right data, they must also work to control the access given to privileged users—in particular, database administrators—without limiting those users’ ability to perform their jobs. Together, the Oracle Database Vault and Oracle Label Security options can help companies meet those challenges.

Oracle Database Vault

Today, a number of regulations require companies to maintain internal controls to protect sensitive information, such as financial, health, and credit card records, from unauthorized access and modification. Oracle Database Vault helps companies comply with those requirements with strong controls designed to protect data against threats from insiders.

Oracle Database Vault offers Realms, Rules, and Factors features, which work together inside the database to restrict access from even the most powerful users without interfering with the normal day-to-day database administration. Realms can be defined and placed around an entire application or set of tables. For example, a database administrator who can manage all the application databases can be restricted from actually reading the data stored in those databases. Or, an HR application user who has full access to the HR application database can be prevented from accessing data in the financial application database if those two databases are defined as different realms. The ability to prevent privileged users from accessing data outside of their authorized area is increasingly critical because many companies are consolidating application databases on the same database server as they search for ease of management and lower total cost of ownership.

Page 14: A GUIDE TO ORACLE DATABASE SECURITYhosteddocs.ittoolbox.com/sec_us_en_wp_securingdata.pdf · 2013-11-13 · securing data at the source: a guide to oracle database security table

14 SECURING DATA AT THE SOURCE: A GUIDE TO ORACLE DATABASE SECURITY

Secure Data At The Source. Save Time And Money.

Meanwhile, Rules and Factors significantly tighten application security by limiting who can access which databases, data, and applications, and when and how they can access them. Multiple factors, such as time of day, IP address, application name, and authentication method, can be used in a flexible and adaptable manner to enforce authorization requirements. For example, if company policy mandates no changes to databases during production hours, and a new DBA tries to do an upgrade at the wrong time, Database Vault can block that action or require that a second DBA be present in order to make such a change. Overall, such multifactor control helps prevent unauthorized ad hoc access and application bypass.
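The two paragraphs above describe realms (a privileged user's system privileges stop working inside a protected set of objects unless that user is authorized in the realm) and rule sets built from factors such as time of day, IP address and authentication method. The following added example (my code, not Oracle Database Vault and not from this paper) is a small model of both checks so the behaviour can be reasoned about: a DBA with SELECT ANY TABLE reads an unprotected table but is blocked on the HR realm, an HR owner authorized in the HR realm is still blocked on the Finance realm, and a DDL rule set refuses an upgrade during production hours unless a second DBA is present. The realms, users, rules, the corporate address range and the helper names are assumptions constructed for the example; real Database Vault has more (command rules, mandatory realms, separation-of-duty roles) than is modelled here.

```python
"""Toy model of realm and rule-set enforcement in the style of Oracle Database
Vault (added example; not Oracle code). Realms, rules, users and the address
range are constructed assumptions."""
from dataclasses import dataclass
from datetime import time


@dataclass
class Session:
    user: str
    sys_privs: frozenset        # system privileges such as "SELECT ANY TABLE"
    ip: str
    auth_method: str            # "PASSWORD", "KERBEROS", "PKI", "RADIUS"
    clock: time                 # time of day, used as a factor
    second_dba_present: bool = False


@dataclass
class Realm:
    name: str
    objects: frozenset          # "SCHEMA.TABLE" names the realm protects
    authorized: frozenset       # users whose system privileges work inside the realm


REALMS = [
    Realm("HR Realm", frozenset({"HR.EMPLOYEES", "HR.SALARIES"}), frozenset({"hr_owner"})),
    Realm("Finance Realm", frozenset({"FIN.LEDGER", "FIN.ACCOUNTS"}), frozenset({"fin_owner"})),
]

# Direct object grants (GRANT SELECT ON ... TO ...), distinct from system privileges.
DIRECT_GRANTS = {"hr_app": frozenset({"HR.EMPLOYEES"})}


def make_session(user, sys_privs, ip, auth_method, hour, minute=0, second_dba_present=False):
    return Session(user, frozenset(sys_privs), ip, auth_method, time(hour, minute),
                   second_dba_present)


def realm_for(obj):
    return next((r for r in REALMS if obj in r.objects), None)


def check_read(session, obj):
    """Return (allowed, reason). A direct grant works as before; a system privilege
    is honoured only outside realms or for users authorized in the object's realm."""
    if obj in DIRECT_GRANTS.get(session.user, frozenset()):
        return True, "direct object grant"
    if "SELECT ANY TABLE" not in session.sys_privs:
        return False, "no privilege on object"
    realm = realm_for(obj)
    if realm is None:
        return True, "system privilege; object is not realm-protected"
    if session.user in realm.authorized:
        return True, f"system privilege; authorized in {realm.name}"
    return False, f"system privilege blocked by {realm.name}"


PRODUCTION_HOURS = (time(8, 0), time(18, 0))
CORP_NET_PREFIX = "10.20."      # constructed corporate address range


def ddl_rule_set(session):
    """Factor-based rules guarding DDL such as an upgrade: list of (rule, passed)."""
    in_prod_hours = PRODUCTION_HOURS[0] <= session.clock < PRODUCTION_HOURS[1]
    return [
        ("connected from the corporate network", session.ip.startswith(CORP_NET_PREFIX)),
        ("strongly authenticated", session.auth_method in {"KERBEROS", "PKI", "RADIUS"}),
        ("outside production hours, or a second DBA is present",
         not in_prod_hours or session.second_dba_present),
    ]


def check_ddl(session):
    """The rule set passes only when every rule passes; failed rule names are returned."""
    failed = [name for name, ok in ddl_rule_set(session) if not ok]
    return not failed, failed


if __name__ == "__main__":
    dba = make_session("dba1", {"SELECT ANY TABLE", "ALTER ANY TABLE"}, "10.20.3.7", "KERBEROS", 14, 30)
    for obj in ("HR.EMPLOYEES", "FIN.LEDGER", "SCOTT.EMP"):
        print(obj, check_read(dba, obj))
    print("DDL at 14:30:", check_ddl(dba))
    print("DDL at 22:00:", check_ddl(make_session("dba1", dba.sys_privs, dba.ip, "KERBEROS", 22)))
```

The point the model makes visible is that the realm check sits between the privilege and the object: the DBA keeps SELECT ANY TABLE for administration, but the privilege no longer reaches the data a realm protects.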

Oracle Database Vault provides powerful separation of duty controls, offering three distinct out-of-the-box responsibilities for security administration, account management, and resource management. For example, the solution blocks a DBA with the “create user” privilege from creating a new user if he or she doesn’t have the proper responsibility. The resource administration responsibility can be further subdivided into backup, performance, and patching responsibilities. Or, responsibilities can be consolidated.

Because Oracle Database Vault runs inside the Oracle Database, it does not require changes to existing applications. In addition, Oracle provides certified customizable Oracle Database Vault policies for Oracle E-Business Suite, Oracle PeopleSoft, Oracle Siebel CRM, and Oracle JD Edwards applications to help companies deploy quickly.

Oracle Label Security

Oracle Label Security is the industry’s most advanced label-based access control product. It gives companies a powerful and easy-to-use tool for classifying data and mediating access to data based on the data’s classification.

Traditional controls focus on roles or stop at the object level—a company would be able to control, for example, a user’s access to a customer table, but not to specific subsets within the table. Oracle Label Security extends database security authorization by enabling powerful row-level access controls in the Oracle Database using data sensitivity labels, and essentially assigning a data label to each row.

Label Security provides an easy-to-use policy-based administration model. This lets companies create policies specific to their needs. Moreover, multiple policies can reside in the same database, making it easy to create policies for different applications in a consolidated environment.


Oracle Label Security enables organizations to:

• Restrict access to individuals with the appropriate clearance. It allows administrators to classify every row in a table, so that only those with the right clearance can access sensitive data.

• Enforce regulatory compliance. It provides a policy-based administration model that enables organizations to establish custom data-classification schemes for implementing “need to know” access for their applications.

• Leverage labels flexibly. Labels can be used as factors within Oracle Database Vault for multifactor authorization policies. Oracle Label Security also integrates with Oracle Identity Management, enabling centralized management of policy definitions.

Oracle Label Security was originally designed to meet the high-security requirements of government and defense organizations. Such organizations typically use the solution for multilevel security—that is, to compartmentalize access to “sensitive” and “highly sensitive” data stored in the same application table. Commercial organizations can use data labels to compartmentalize data in order to control access to regulatory data and enforce need-to-know policies, and to enhance security in multi-tenancy databases and hosting and software-as-a-service arrangements.
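The row-level, label-based control described in this section, as an added example that is not part of the white paper: a policy with two levels, "sensitive" and "highly sensitive", is applied to a constructed table so that one unchanged query returns different rows depending on the clearance of the connected user. The SA_SYSDBA, SA_COMPONENTS, SA_LABEL_ADMIN, SA_POLICY_ADMIN and SA_USER_ADMIN packages and the CHAR_TO_LABEL/LABEL_TO_CHAR functions are the documented Oracle Label Security interfaces; the policy, table, column and account names (HR_POLICY, HR.EMPLOYEES, HR_CLERK, HR_DIRECTOR) are constructed for this illustration.

```sql
-- Added example, not from the white paper. The table, the policy and the two
-- user accounts are constructed; the accounts are assumed to exist and to have
-- SELECT/INSERT on HR.EMPLOYEES through ordinary grants.

-- 0. A constructed application table.
CREATE TABLE hr.employees (
  emp_id  NUMBER PRIMARY KEY,
  name    VARCHAR2(60),
  salary  NUMBER
);

-- 1. Policy definition, run as LBACSYS. APPLY_TABLE_POLICY adds the hidden
--    HR_LABEL column that carries each row's data label.
BEGIN
  SA_SYSDBA.CREATE_POLICY(
    policy_name     => 'HR_POLICY',
    column_name     => 'HR_LABEL',
    default_options => 'READ_CONTROL,WRITE_CONTROL,HIDE');

  -- Levels are ordered: a higher number dominates a lower one.
  SA_COMPONENTS.CREATE_LEVEL('HR_POLICY', 1000, 'S',  'SENSITIVE');
  SA_COMPONENTS.CREATE_LEVEL('HR_POLICY', 2000, 'HS', 'HIGHLY_SENSITIVE');

  -- Data labels that rows may carry (tag, then label string).
  SA_LABEL_ADMIN.CREATE_LABEL('HR_POLICY', 1000, 'S');
  SA_LABEL_ADMIN.CREATE_LABEL('HR_POLICY', 2000, 'HS');

  -- Enforce the policy on the table: reads and writes are mediated row by row.
  SA_POLICY_ADMIN.APPLY_TABLE_POLICY(
    policy_name   => 'HR_POLICY',
    schema_name   => 'HR',
    table_name    => 'EMPLOYEES',
    table_options => 'READ_CONTROL,WRITE_CONTROL,HIDE');

  -- Clearances: the third argument is the maximum read label; the write label
  -- defaults to it.
  SA_USER_ADMIN.SET_USER_LABELS('HR_POLICY', 'HR_CLERK',    'S');
  SA_USER_ADMIN.SET_USER_LABELS('HR_POLICY', 'HR_DIRECTOR', 'HS');
END;
/

-- 2. Labelling rows, run as HR_DIRECTOR, whose write label dominates both labels.
--    The hidden column can still be addressed by name.
INSERT INTO hr.employees (emp_id, name, salary, hr_label)
  VALUES (1, 'A. Example',  50000, CHAR_TO_LABEL('HR_POLICY', 'S'));
INSERT INTO hr.employees (emp_id, name, salary, hr_label)
  VALUES (2, 'B. Example', 250000, CHAR_TO_LABEL('HR_POLICY', 'HS'));
COMMIT;

-- 3. The same statement, different result sets:
--    as HR_CLERK    -> only emp_id 1 (label S) is visible
--    as HR_DIRECTOR -> emp_id 1 and 2
SELECT emp_id, name, LABEL_TO_CHAR(hr_label) AS row_label
  FROM hr.employees
 ORDER BY emp_id;
```

Because the filtering happens inside the database, no predicate has to be added to application SQL, and a row the session is not cleared for simply does not exist from that session's point of view, which is what makes the control usable for consolidated and multi-tenant schemas.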

LEARN MORE

Podcast

Protecting Your Databases Against CyberEspionage

Demo

Forrester Research Oracle Database 11g Security: Access Control

Oracle Database Vault: Privileged User and Multi-Factor Controls

Seminar

Rich Mogull on Enforcing Separation of Duties for Database and Security Administrators


Auditing and Monitoring

Security threats continue to shift and grow, and the use of technology continues to evolve—all of which means that the security landscape is constantly changing. Effective security cannot be accomplished with a “set it and forget it” approach—it requires continued vigilance and comprehensive monitoring of the state of security in the enterprise.

In part, that means that companies need to be able to audit changes in the database, to see who altered what when in order to analyze problems, uncover suspicious activity, and comply with regulatory reporting requirements. Today, it is also increasingly important to monitor activity in real time, so that the company can detect unauthorized access and act quickly to avoid problems or minimize their impact. And finally, companies need to assess their potential vulnerabilities during deployment and ongoing database operations. This is key to working proactively, and heading off security problems before they start.

To strengthen auditing and monitoring, companies can draw on the Oracle Audit Vault, Oracle Total Recall, and Oracle Configuration Management Pack options.

Oracle Audit Vault

Experts who have investigated data breaches have found that auditing can help detect problems early on, reducing the financial impact of the breaches. Oracle Audit Vault transparently collects and consolidates audit data, providing valuable insight into who did what to which data when—including privileged users who have direct access to the database.

Oracle Audit Vault automatically collects audit data from Oracle, DB2, Sybase, and SQL Server databases. It consolidates this data in a secure and highly scalable audit warehouse, with access strictly controlled through the use of predefined administrative roles. It also leverages Oracle’s industry-leading database security and data warehousing technology for managing, analyzing, storing, and archiving large volumes of audit data securely.

The solution enables proactive threat detection, with alerts that highlight suspicious activity across the enterprise. It continuously monitors inbound audit data, evaluating it against alert conditions. Alerts can be associated with any auditable database event, including changes to application tables, role grants, and privileged user creation on sensitive systems. The solution gives companies graphical summaries of the activities that are causing alerts.

Database audit settings are centrally managed and monitored from within Oracle Audit Vault. With the solution, IT security personnel work with auditors to define audit settings on databases and other systems to meet both compliance requirements and internal security policies. Oracle Audit Vault lets companies provision and review audit settings in multiple Oracle databases from a central console, reducing the cost and complexity of managing audit settings across the enterprise.

Oracle Audit Vault also offers simplified, out-of-the-box compliance reporting. It gives companies standard audit-assessment reports covering privileged users, account management, roles and privileges, object management, and system management. Companies can define parameter-driven reports that show user log-in activity across multiple systems and within specific time periods, such as weekends. The solution also provides an open audit warehouse schema that can be accessed from Oracle BI Publisher, Oracle Application Express, or third-party reporting tools.

With these capabilities, Oracle Audit Vault helps companies:

• Simplify compliance reporting, with the ability to easily analyze audit data and take action in a timely fashion using out-of-the-box or custom reporting

• Detect threats more effectively, with the ability to quickly and automatically identify unauthorized activities that violate security and governance policies, and to thwart perpetrators who try to cover their tracks

• Lower IT costs, with the ability to centrally manage audit settings across all databases

With Oracle Audit Vault, organizations are in a much better position to enforce privacy policies, guard against insider threats, and address regulatory requirements.
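The alert conditions named above (role grants and privileged user creation on a sensitive system), as an added example that is not from the white paper and does not use Audit Vault itself: the source database's standard audit trail is switched on for the relevant statements, and a detection query then surfaces account and privilege changes that were not made by the designated account-management user or did not come from the expected hosts. The AUDIT statements, the DBA_AUDIT_TRAIL view and its ACTION_NAME values are standard Oracle Database 11g features; the account name SEC_ACCTMGR and the admin-* host-name convention are constructed assumptions.

```sql
-- Added example, not from the white paper. Requires AUDIT_TRAIL=DB (or
-- DB,EXTENDED), the AUDIT SYSTEM privilege for the AUDIT statements, and
-- SELECT on DBA_AUDIT_TRAIL for the query. SEC_ACCTMGR and the 'admin-%'
-- host names are constructed.

-- 1. Record each occurrence of the privileged operations of interest.
AUDIT CREATE USER, ALTER USER, DROP USER BY ACCESS;
AUDIT GRANT ANY PRIVILEGE, GRANT ANY ROLE BY ACCESS;
AUDIT ROLE BY ACCESS;           -- CREATE / ALTER / DROP / SET ROLE
AUDIT SYSTEM GRANT BY ACCESS;   -- GRANT / REVOKE of system privileges and roles

-- 2. Detection: account management and privilege grants in the last 24 hours
--    that were not performed by the approved account-management account, or
--    were performed from a host outside the admin naming convention.
--    RETURNCODE 0 means the statement succeeded; a non-zero code is a failed
--    attempt, which is still worth seeing.
SELECT a.timestamp,
       a.username                 AS db_user,
       a.os_username,
       a.userhost,
       a.action_name,
       a.obj_name                 AS target_object,
       a.grantee,                 -- for GRANT ROLE / SYSTEM GRANT rows
       a.priv_used,
       a.returncode
  FROM dba_audit_trail a
 WHERE a.timestamp >= SYSDATE - 1
   AND a.action_name IN ('CREATE USER', 'ALTER USER', 'DROP USER',
                         'CREATE ROLE',
                         'GRANT ROLE',   'REVOKE ROLE',
                         'SYSTEM GRANT', 'SYSTEM REVOKE')
   AND (a.username <> 'SEC_ACCTMGR'
        OR NVL(a.userhost, '?') NOT LIKE 'admin-%')
 ORDER BY a.timestamp DESC;
```

The limitation of this stand-alone approach is the point the section makes: with AUDIT_TRAIL=DB the records live in SYS.AUD$ on the same database, where a sufficiently privileged insider can delete them before the query runs. Moving the trail promptly into a separately administered audit warehouse, with roles that keep the source DBAs from touching it, is what closes that gap.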


Oracle Total Recall

Today, companies need to retain historical data for long periods of time in order to comply with various regulations. In addition, many recognize the potential value that such historical data holds in terms of enabling the analysis of problems and the understanding of market trends and customer behavior. As a result, they are keeping such data for even longer than regulations demand. Doing all of this in a secure manner, however, has traditionally been a difficult and inefficient process.

Oracle Total Recall addresses that problem by allowing historical data to be kept inside the database very efficiently—and by enabling the instant access to historical data needed to conduct various analyses. Overall, it lets companies transparently track changes to the data in database tables in a highly secure and efficient manner.

Oracle Total Recall can be used to support internal auditing, human-error correction, and regulatory compliance processes. There is no limit on the time period for storing historical data, because that data is stored in the database itself; the solution can handle any retention period the business requires. And the solution provides real-time access to historical archives, with the ability to query data as of any point in time in the past through the use of standard SQL statements.

Based on Flashback Data Archive, the solution provides:

• Efficiency of performance and storage. The capture process minimizes performance overhead, and historical data is stored in compressed form to reduce storage requirements.

• Complete protection from accidental or malicious update. No one—not even administrators—can update historical data directly.

• Automated ongoing historical data management. Oracle Database 11g automatically enforces rules and sends problem alerts when needed to minimize administrator intervention.

Oracle Total Recall is easy to configure and implement. Administrators can enable historical data capture for one table or all tables in a database with a simple “enable archive” command. In addition, the solution requires no application changes or special interfaces. And it eliminates the need for third-party or custom solutions in the management of historical data. Overall, Oracle Total Recall is designed to be easily managed and make the most efficient use of all related resources, including CPU, storage, and administrator time.
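The "enable archive" step and the point-in-time queries described in this section, as an added example that is not from the white paper: a Flashback Data Archive with a seven-year retention is created, capture is switched on for one table, and standard SQL is then used to read the table as of a past timestamp and to list every version of one row. The CREATE FLASHBACK ARCHIVE and ALTER TABLE ... FLASHBACK ARCHIVE statements, the AS OF and VERSIONS BETWEEN clauses, the VERSIONS_* pseudocolumns and the DBA_FLASHBACK_ARCHIVE_TABLES view are documented Oracle Database 11g features; the archive, tablespace and table names and the timestamps are constructed.

```sql
-- Added example, not from the white paper. FDA_TS, FDA_HR and HR.EMPLOYEES are
-- constructed names. Creating the archive needs the FLASHBACK ARCHIVE ADMINISTER
-- system privilege; enabling it on a table needs ALTER on the table plus the
-- FLASHBACK ARCHIVE object privilege on the archive.

-- 1. The archive: history older than the retention period is purged by the
--    database itself, so retention is enforced centrally rather than by scripts.
CREATE FLASHBACK ARCHIVE fda_hr
  TABLESPACE fda_ts
  QUOTA 10G
  RETENTION 7 YEAR;

-- 2. The "enable archive" command. From this point every committed change to the
--    table is captured into compressed, database-managed history tables.
ALTER TABLE hr.employees FLASHBACK ARCHIVE fda_hr;

-- Verify which tables are tracked and where their history lives.
SELECT owner_name, table_name, flashback_archive_name, archive_table_name
  FROM dba_flashback_archive_tables;

-- 3. Standard SQL against the past (timestamps must fall after capture was
--    enabled for the table). First, one row as it stood on a given date:
SELECT emp_id, salary
  FROM hr.employees
       AS OF TIMESTAMP TO_TIMESTAMP('2009-06-15 09:00:00', 'YYYY-MM-DD HH24:MI:SS')
 WHERE emp_id = 1;

-- Then every version of that row in a window, with the operation that produced
-- each version and when it was valid; this is the view an auditor or a
-- human-error investigation needs.
SELECT versions_starttime,
       versions_endtime,
       versions_operation,   -- I = insert, U = update, D = delete
       salary
  FROM hr.employees
       VERSIONS BETWEEN TIMESTAMP
         TO_TIMESTAMP('2009-06-01', 'YYYY-MM-DD') AND SYSTIMESTAMP
 WHERE emp_id = 1
 ORDER BY versions_starttime;
```

The protection the bullet list describes follows from where the history is kept: the archive tables are owned and written only by the database, so an administrator cannot issue DML against them or shorten what is retained except by altering the archive definition, which is itself an auditable action.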


Oracle Configuration Management Pack

The Oracle Configuration Management Pack helps companies ensure that their database configurations are secure by automatically detecting, validating, and reporting on authorized and unauthorized configuration changes.

To help track assets and uncover problems, this management pack collects deep configuration information for a range of components, including hardware, operating systems, and Oracle Database, middleware, application server, and WebLogic server software. The pack can be used to support both Oracle and third-party IT components.

Oracle Configuration Management enables the proactive assessment of key compliance areas such as security, configuration, and storage to help companies identify vulnerabilities and areas where best practices are not being followed. The solution includes a built-in collection of more than 250 best practices based on industry standards for security and configuration management, which can be customized by administrators for their specific IT environment.

In addition, the pack has a Critical Patch Update Advisory feature that alerts companies to critical patches issued by Oracle and immediately identifies those systems across the enterprise that may require the new patch. Companies can also use a patch wizard to automatically deploy the patch, helping to ensure that application databases are always up-to-date and protected.

A key part of this management pack is the Configuration Change Console, which provides real-time change detection and reporting. The console automatically collects the required data, detecting and capturing any actions by users or applications that result in changes to the infrastructure. No user input is requested or required to capture and document changes. The console monitors a variety of areas, including files and directories, processes, user accounts, server resources, databases, and the network. With the console, companies can use compliance-reporting dashboards that convert continuous evaluation results into compliance scores and present them in at-a-glance views that highlight key indicators, provide the ability to drill down to details, and help decision makers track progress toward compliance over time.


By letting companies detect and prevent unauthorized changes more efficiently and effectively, the Oracle Configuration Management Pack helps ensure compliance with IT control frameworks such as Control Objectives for Information and related Technology (COBIT) and COSO “Internal Control-Integrated Framework” as required by Sarbanes-Oxley and similar global directives. By doing so, it helps them increase security, mitigate risk, and provide demonstrable control over the entire IT environment for governance and compliance.

LEARN MORE

Podcast

Chase Paymentech Relies on Oracle Audit Vault for Security and Compliance

Demo

Oracle Audit Vault: Database Audit and Activity Monitoring

Database Vulnerability Assessment and Secure Configuration

Seminar

Forrester Research Oracle Database 11g Security: Activity and Configuration Monitoring


Looking Ahead

Database security is clearly a vital and challenging issue, and companies need to be prepared for this reality. At many organizations, however, there is considerable room for improvement on this front. For example, in a recent IOUG security survey:

• Only one out of four respondents said that all their databases are locked down against attacks.

• Most respondents said that they do not have mechanisms in place to prevent database administrators and other privileged database users from reading or tampering with sensitive information—and most said that they are unable to detect such incidents.

• Responses indicated that one in four of the sites covered by the survey do not encrypt data within their databases, and nearly one in five were not sure whether such encryption takes place.

• Two out of five responding organizations said that they use actual production data in nonproduction environments, which typically puts that data in an unsecured setting.

These types of gaps represent significant vulnerabilities—and the world is likely to be less and less forgiving of such lapses in the months and years to come. Compliance is likely to become increasingly challenging, as data privacy regulations—and fines for noncompliance—become more and more stringent. The sheer volume of sensitive data that needs to be protected continues to grow. And threats posed by insiders and outsiders alike will only become more sophisticated.

“The risks around data security can be expected to keep growing and evolving to become ever-more challenging, as criminals step up efforts to tap into what is a very valuable asset,” says Securosis founder Rich Mogull. “That means that advanced, comprehensive security is only growing more important, and that companies will need to tighten control over the sensitive information held in their databases.” In short, database security has already become a critical technical and business issue, and looking forward, the effort to “protect data where it lives” will play an increasingly vital role in an organization’s success.


LEARN MORE

Podcast

Database Security for Database and Security Administrators

Analyst Report

Forrester Research: Your Enterprise Security Strategy for 2010

Blog

Security Inside Out

Data Security Self-Assessment Tool


Copyright © 2009, Oracle and/or its affiliates. All rights reserved. Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.