October 2, 2008

Are you encrypting database traffic? Are you sure? You should be!

Less than a quarter of the 2008 IOUG Data Security Report respondents said they were encrypting all the application data on the network to/from their databases, but about a third said they were encrypting some of their application data on the network to/from the database. To be honest, I was kind of surprised by this last part. I talk to a lot of our customers and unfortunately many of them are still not encrypting any of the traffic between their application servers and their databases. So while at Oracle Open World I decided to pose this question to some of the customers that came by our Oracle Advanced Security booth to see if I could get more insight into this response.

Sure enough, about a third said they were only encrypting some of their application data. When I asked them to tell me more, they said their database applications use HTTPS to encrypt some of the data. So if your database application uses HTTPS, then the application data is encrypted on the network to/from the database, right? Unfortunately this is not the case. HTTPS (HTTP over SSL) only means that the data between the web browser and the web/application server is encrypted. The connection from the web/application server to the database (JDBC, OCI, ODBC, whichever driver is in use) is a separate network connection that HTTPS never touches, and by default that connection carries queries and result sets in the clear.

The upshot of this is that some of the folks who think they are encrypting some of their application data on the network may be in for a rude surprise if an attacker gets onto their network and starts eavesdropping on the traffic between the application tier and the database. In fact, the 25% of the 2008 IOUG Data Security respondents who said they were not encrypting any of the traffic and the 17% who said they were unsure whether they were encrypting traffic may be in for the same rude surprise: a really big data breach. As I'm sure you recall, more than 45 million credit card numbers were stolen from TJX by hackers that got access to the company's network and eavesdropped on unencrypted traffic.

So if you’re one of the organizations that are not encrypting all your database traffic, you really should be. With Oracle Advanced Security, you can set up network encryption to your database in a matter of hours. You can also configure your Oracle databases to only accept mutually authenticated and encrypted connections. This means that in addition to protecting against network eavesdropping, you can also protect against unauthorized connections to your database.
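Here is what "encrypt the application-server-to-database hop" looks like in practice, as an added example that is not from the original post. It covers the native Oracle Net encryption option only; the mutually authenticated option mentioned above uses SSL (TCPS) with wallets and is not shown. The sqlnet.ora parameters and the v$session_connect_info view are the real ones; the AES256/SHA1 algorithm choices and the "application server" placement are my assumptions.

```sql
-- Added example, not from the original post. Oracle Net native encryption
-- is configured in sqlnet.ora, not in SQL; those settings are shown here as
-- comments, and the SQL below is the check that they actually took effect.
--
-- sqlnet.ora on the database server:
--   SQLNET.ENCRYPTION_SERVER            = REQUIRED
--   SQLNET.ENCRYPTION_TYPES_SERVER      = (AES256)
--   SQLNET.CRYPTO_CHECKSUM_SERVER       = REQUIRED
--   SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA1)
--
-- REQUIRED (rather than the default ACCEPTED) makes the database refuse any
-- client that cannot negotiate encryption, so a mis-configured app server
-- fails loudly instead of silently talking cleartext. With ACCEPTED on both
-- sides nothing is negotiated at all, which is why "we installed the
-- option" and "we are encrypting" are not the same statement.
-- CRYPTO_CHECKSUM adds integrity protection; encryption alone does not
-- stop an on-path attacker from modifying packets.
--
-- sqlnet.ora on each application server (the matching client-side keys):
--   SQLNET.ENCRYPTION_CLIENT            = REQUIRED
--   SQLNET.ENCRYPTION_TYPES_CLIENT      = (AES256)
--   SQLNET.CRYPTO_CHECKSUM_CLIENT       = REQUIRED
--   SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT = (SHA1)

-- Verification, run over the application server's own connection: the banner
-- rows list the encryption and checksum services negotiated for this session.
-- If no "Encryption service" / "Crypto-checksumming service" row appears,
-- this hop is still cleartext, whatever HTTPS is doing in front of it.
SELECT network_service_banner
  FROM v$session_connect_info
 WHERE sid = SYS_CONTEXT('USERENV', 'SID');

-- Fleet-wide check for a DBA: every current user session without an
-- encryption banner is a cleartext connection worth chasing down.
SELECT s.sid, s.username, s.machine, s.program
  FROM v$session s
 WHERE s.type = 'USER'
   AND NOT EXISTS (SELECT 1
                     FROM v$session_connect_info c
                    WHERE c.sid = s.sid
                      AND c.network_service_banner LIKE '%Encryption service%');
```

One caveat for Java shops: the JDBC Thin driver does not read sqlnet.ora, so the client-side settings have to be passed as connection properties (oracle.net.encryption_client, oracle.net.encryption_types_client and the crypto_checksum equivalents); the server-side REQUIRED setting is what catches an application server where that was forgotten, and the banner query is the proof either way.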

To get started with Oracle Advanced Security today, check out the Oracle Technology Network (OTN).

September 24, 2008

Register for October 2nd Oracle Database Security Web Seminar

Don't feel left out if you didn't make it to Oracle Open World this year. We have two web seminars on database security coming up. The first one is next week on Thursday October 2 at 11am PT / 2pm ET. We will be discussing protecting data privacy in production and non-production environments. If you want to better understand the difference between data encryption and data masking, and get more information on Oracle Advanced Security and Oracle Data Masking, then you don't want to miss this. This will be a live event and we will leave plenty of time for Q&A at the end. These events are free but attendance is limited, so you will want to register and reserve your spot quickly. Click here for your invitation.

September 19, 2008

2008 IOUG Data Security Report Now Available

Yesterday the IOUG announced the results of the survey conducted in August. The report is entitled Enterprise Data Insecurity: Are Organizations Prepared for the Threat From Within? and you can download it here. The key findings were pretty troubling:

  • One out of five respondents expects a data breach or incident over the coming year. Only one out of four said all databases are locked down against attacks.
  • Organizations see the greatest risks from internal access, either by unauthorized users, or by "super users" such as administrators with access privileges.
  • Most organizations do not have mechanisms in place to prevent database administrators and other privileged database users from reading or tampering with sensitive information in financial, HR, or other business applications. Most are unable to even detect such breaches or incidents.
  • Sending out data to outside parties is now a common practice.
  • One out of four sites covered in this survey do not encrypt data within their databases, and close to one out of five are not even sure whether this encryption takes place.
  • Two out of five organizations employ actual production data within non-production environments, thereby exposing this information in unsecured settings.
  • There is growing awareness of potential risks. Most organizations monitor their databases for changes that may be indicators of malicious activity.

I won't say more for now and let everyone take a look at the report and digest it. I will be blogging more on various aspects of the report over the next few weeks. And if you haven't already tried our enterprise data security self-assessment tool, give it a try. We don't track any of the results, so it's really just a way to learn more about what you can be doing to protect your databases and comply with regulatory requirements.

September 18, 2008

80 Plus Sessions Covering Security at Oracle Open World This Year!!

At last count, we had 82 sessions covering security at this year's Oracle Open World starting on Sunday September 21. This is a record but not surprising when you consider that Oracle offers the virtual machine, the operating system, the database, the middleware, and the applications needed to run pretty much any kind of enterprise, from grocery store chains to entire governments. And everything in that stack needs to be secured, which really drives home defense-in-depth. Database security is really the linchpin of that defense-in-depth since most organizations store all their mission critical data in their databases. So whether you are a DBA, an HR Manager, an IT Apps Developer, or a Compliance Officer, I encourage you to go to some database security sessions and stop by the Database Security demo grounds in Moscone South.

If you want to catch up with me personally (to perhaps complain about my blogging lapses ;-) I will be on the panel at the "IOUG Security Roundtable" Sunday September 21 at 1pm (Moscone West Rm 2003) and moderating the "Applications Data Privacy: An Expert Panel Discussion" session Wednesday September 24, 11.30am (Moscone West, Rm 2001). I am very excited to be moderating this session; we have an amazing panel and we're going to be discussing data masking and de-identification.

Oh, and if you want to take a break from security, there's always Michael Phelps!

August 4, 2008

Take the 2008 IOUG Enterprise Data Security Practices Survey!

Oracle is working with the Independent Oracle Users Group (IOUG) to sponsor the 2008 IOUG Enterprise Data Security Practices Survey. The survey takes less than 10 minutes to complete. Participants in the survey will receive an advance copy of the report, and be entered into a drawing for a $200 American Express gift card. Also, the survey results should make for some interesting discussion at the IOUG Security Roundtable (Session S301233) at Oracle Open World.

And if the survey gets you thinking about your data security practices, you might also want to try our new Enterprise Data Security Assessment tool.

July 31, 2008

Announcing Audit Vault 10.2.3

Today we officially announced a new version of Oracle Audit Vault (the software has actually been up on OTN for a few weeks).

One of the major features in this release is the ability to collect audit data from Microsoft SQL Server 2000 and 2005, in addition to Oracle Databases. This is a really important feature for customers with heterogeneous infrastructure since it addresses the lack of a Microsoft solution for enterprise database auditing and activity monitoring. With Oracle Audit Vault 10.2.3, both Oracle and Microsoft database audit data can be automatically consolidated into a highly secure, centralized repository based on Oracle's proven data warehousing technology, and analyzed in real time against enterprise-defined policies. Any unauthorized activities can be immediately detected using Oracle Audit Vault's dashboard alert capabilities.

Other new features include more reporting capabilities such as filtering audit data, highlighting rows with condition values, as well as generating charts and graphs. Oracle Audit Vault also now comes with more built-in and customizable reports to address regulations such as the Sarbanes-Oxley (SOX) Act, the Health Insurance Portability and Accountability Act (HIPAA), and the Payment Card Industry Data Security Standard (PCI DSS). Custom reports can be saved and shared within the enterprise or with external auditors.

Oracle Audit Vault 10.2.3 additionally increases privileged user monitoring by auditing Oracle Database Vault. By using Oracle Audit Vault, Oracle Database Vault customers can now monitor the integrity of their preventive controls. To learn more about how preventive and detective controls go hand in hand, check out our two-part Ziff-Davis Enterprise Security webcast with industry expert Rich Mogull. Part one was all about using preventive controls to enforce separation of duties, and part two was about how to use detective controls to audit your preventive controls.

For more information on Oracle Audit Vault, please refer to the new datasheet and other materials available on our Oracle Audit Vault page. You can also learn more about Oracle Database Vault and Oracle's comprehensive portfolio of database security at http://www.oracle.com/database/security

April 2, 2008

Enforcing Separation of Duties

Last week we did the second installment in our webcast series with Rich Mogull. As you might recall, we started the year by talking about Database Security Resolutions for Database and Security Administrators.

Last week we drilled down into one of the key resolutions or best practices: separation of duties. Separation of duties is a classic security principle that restricts the amount of power held by any one individual in order to prevent conflict of interest, the appearance of conflict of interest, fraud, and errors. Separation of duties is one of the fundamental principles behind many regulatory mandates such as Sarbanes-Oxley (SOX) and the Gramm-Leach-Bliley Act (GLBA), and as a result IT organizations are placing greater emphasis on separation of duties across all IT functions, especially database administration.

Rich did a great job clarifying what separation of duties means in terms of database administration and how separation of duties relates to another very important security principle: least privilege. We mainly focused on preventive controls for separating the various aspects of database administration (we will be talking about detective controls around separation of duties in our next webcast). Following Rich's presentation, I talked about how enterprises can use Oracle Database Vault to put in place preventive controls to secure their Oracle databases without any changes to existing applications. Database Vault is a real-time rules engine inside the Oracle database that can enforce security policies such as least privilege and separation of duties by restricting database access for any user, including privileged users such as DBAs holding system privileges like SELECT ANY TABLE.

We also did a couple of polls during the webcast. The first question was: could a privileged application user in your organization intentionally or unintentionally drop all your application tables? More than half of the respondents (55%) answered yes or that they were not sure. The second question was: can DBAs in your organization read credit card or social security numbers stored in the database? Over 75% of the respondents answered yes or weren't sure. I have to admit I was a little surprised at this last one given PCI and all the regulatory focus on protecting credit card numbers and personally identifiable information like social security numbers.

If you missed this webcast, definitely check out the replay and register for the next one. And check back here as we will be answering questions we didn't have an opportunity to cover in the webcast. And if you are going to be at the RSA Conference next week, please stop by the Oracle Solution Showcase, booth 1117, for more info and demos.

February 11, 2008

E-Business Suite Customers Can Now Be More Secure!

Last week we announced the certification of Oracle Database Vault for use with Oracle E-Business Suite. It couldn't have happened without the hard work of our E-Business Suite colleagues. They put out a great post explaining Database Vault, so I wanted to let them bask in some much deserved glory before posting about this as well.

We talk about the benefits of Database Vault all the time, but it really takes considering its use with an application like E-Business Suite to drive home the point. Organizations rely on Oracle E-Business Suite applications to drive key components of their business, from finance to human resources to supply chain. E-Business Suite applications like Oracle Human Capital Management, Oracle Financial Management and Oracle Customer Relationship Management contain personally identifiable information (PII): social security numbers, employee salary data, your entire customer list, credit card numbers, etc.

Today anyone with DBA privileges can look at all the application data in the database and do pretty much anything they want to the database objects that manage that data. Think about it: the DBA you hired last week goes into the database to find out how much all the other DBAs make, gets a list of the company's customers and their credit card numbers (his golden parachute), and decides to test his backup script against the production database, accidentally dropping the whole thing due to a bug in his script! We never describe this nightmare new DBA without people in the room calling out names: "Oh yeah, that was Joe" or "Oh yeah, that was Phil".

Using Oracle Database Vault, E-Business Suite customers can protect E-Business Suite data from unauthorized access inside the Oracle database. They can enforce separation of duties within the Oracle database, ensuring that even a DBA cannot access sensitive E-Business Suite application data, and defend against intentional or accidental database changes that can harm E-Business Suite application data. Database Vault can also protect against ad-hoc access to E-Business Suite data based on extensible rules and multiple factors such as IP address, time of day, and application. Using Database Vault, E-Business Suite customers can consolidate application databases and enforce strong boundaries between sensitive business data such as that found in financial and human resource application databases.

To obtain Oracle Database Vault policies for use with Oracle E-Business Suite, as well as technical information and best practices, please refer to Integrating Oracle E-Business Suite 11i with Oracle Database Vault 10.2.0.3 (Metalink Note 428503.1).
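To make the "even a DBA cannot read it, and nobody can drop it by accident" claim concrete, here is an added example of the two Database Vault controls involved, a realm and a command rule. It is not from this post, and it is not the E-Business Suite policy set from the Metalink note: it uses a generic HR schema with an application account HR_APP, both of which are my assumptions, and it is meant to illustrate the separation-of-duties and nightmare-DBA scenarios described in the April 2 and February 11 posts above. The DBMS_MACADM calls and DBMS_MACUTL constants are the real Database Vault API.

```sql
-- Added example, not from the post. Schema HR (application owner) and the
-- application account HR_APP are assumptions. Run as the Database Vault
-- owner account (a DV_OWNER grantee), not as SYS or a DBA: under Database
-- Vault the DBA is exactly who is being kept out.

-- 1. A realm around the whole HR schema. A DBA holding SELECT ANY TABLE or
--    DROP ANY TABLE can no longer reach these objects through those system
--    privileges; only realm participants can.
BEGIN
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'HR Application Data',
    description   => 'Salary, SSN and other PII owned by HR',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);  -- log every blocked attempt

  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'HR Application Data',
    object_owner => 'HR',
    object_name  => '%',     -- every object ...
    object_type  => '%');    -- ... of every type in the schema

  -- Only the application account may use the data. Nobody is made realm
  -- owner, so even the HR schema cannot hand out new grants on the tables.
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name   => 'HR Application Data',
    grantee      => 'HR_APP',
    auth_options => DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);
END;
/

-- 2. A command rule that blocks DROP TABLE in HR for everyone, whatever
--    their privileges. The built-in "Disabled" rule set always evaluates
--    to false, so the command is always refused. The "test my backup script
--    against production" accident becomes a command rule violation
--    (ORA-47400) instead of a lost schema.
BEGIN
  DBMS_MACADM.CREATE_COMMAND_RULE(
    command       => 'DROP TABLE',
    rule_set_name => 'Disabled',
    object_owner  => 'HR',
    object_name   => '%',
    enabled       => DBMS_MACUTL.G_YES);
END;
/

-- Check, connected as a DBA who holds SELECT ANY TABLE and DROP ANY TABLE
-- but is not a realm participant: the first statement fails with a realm
-- violation (ORA-01031, insufficient privileges), the second with
-- ORA-47400, and the realm audit trail records who tried.
SELECT salary FROM hr.employees;
DROP TABLE hr.employees;
```

Two things a reviewer should verify after putting this in place. A realm stops access that comes through system privileges; a direct object grant (GRANT SELECT ON hr.employees TO some_user) still works, so existing direct grants on the protected schema have to be reviewed and revoked. And the command rule's "Disabled" rule set is deliberately absolute; for a controlled maintenance window it is swapped for a rule set with a factor (time of day, connecting host) rather than being dropped, so the control stays in place and the exception is itself auditable.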

February 6, 2008

Real-Time Data Masking

I have received several follow-up questions on whether Oracle offers real-time data masking in addition to the data masking capabilities discussed in the previous post. The answer is YES, via Oracle Virtual Private Database (VPD). VPD provides real-time enforcement of row and/or column level security policies inside the database for privacy and regulatory compliance. Using VPD Column Masking it is possible to automatically mask out (set to NULL, for now) certain columns in the results of a query: rows that do not satisfy the policy predicate are still returned, but with the sensitive columns nulled out.

Additionally, VPD Column Masking policies can also be expressed based on "application context", attributes like time of day, client IP address, application, etc. This means it is possible to set up a data masking policy that, for example, returns the actual value of a column to an application but masks the column value if the data is being returned to an ad-hoc query tool.

By enforcing security policies like data masking in real time inside the database, VPD ensures that users who have access to ad-hoc query or reporting tools cannot bypass the security mechanisms of the application. Centrally managed security policies applied directly to the data enable security to be enforced no matter how a user gets to the data, whether through an application, by a query, or using a report-writing tool.

Since VPD Column Masking is transparently enforced at the database layer, it also does not require changes to applications. Both commercial off-the-shelf applications and custom-built applications can take advantage of Oracle VPD without the need to change any lines of application code. Oracle offers the only transparent real-time solution for data masking and other fine-grained access control policy enforcement inside the database.

Managing VPD policies and application contexts can be done via the Oracle Policy Manager tool. To get more familiar with VPD, you can also check out the Oracle By Example tutorial.
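The "real value to the application, NULL to the ad-hoc tool" policy described above, as an added example that is not code from the post. The HR.EMPLOYEES table and its two constructed rows, the application-server subnet 10.1.2.0/24 and the business-hours window are my assumptions; the policy function signature and the DBMS_RLS.ADD_POLICY parameters are the real VPD API.

```sql
-- Added example, not from the post. Table, sample rows, subnet and hours
-- are assumptions; the VPD API calls are real.

CREATE TABLE hr.employees (
  employee_id NUMBER PRIMARY KEY,
  last_name   VARCHAR2(40),
  salary      NUMBER(9,2),
  ssn         VARCHAR2(11));

-- constructed sample rows
INSERT INTO hr.employees VALUES (100, 'King',    24000, '123-45-6789');
INSERT INTO hr.employees VALUES (101, 'Kochhar', 17000, '987-65-4321');
COMMIT;

-- Policy function. With column masking the predicate does not filter rows:
-- rows it accepts show the real SALARY/SSN, rows it rejects still come back
-- with those two columns as NULL. Returning a constant predicate keeps the
-- decision in PL/SQL where it can be read and audited.
CREATE OR REPLACE FUNCTION hr.mask_pii_policy (
  p_schema IN VARCHAR2,
  p_object IN VARCHAR2)
RETURN VARCHAR2
IS
BEGIN
  -- Unmask only for sessions from the application-server subnet during
  -- business hours. The client-supplied MODULE / CLIENT_INFO attributes are
  -- deliberately not used: any client can set them through
  -- DBMS_APPLICATION_INFO, so "looks like the app" is not evidence.
  -- IP_ADDRESS is NULL for local (bequeath) connections, which therefore
  -- fall through to the masked branch.
  IF SYS_CONTEXT('USERENV', 'IP_ADDRESS') LIKE '10.1.2.%'
     AND TO_NUMBER(TO_CHAR(SYSDATE, 'HH24')) BETWEEN 7 AND 19
  THEN
    RETURN '1=1';   -- show real values
  END IF;
  RETURN '1=2';     -- mask SALARY and SSN on every row
END mask_pii_policy;
/

BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema         => 'HR',
    object_name           => 'EMPLOYEES',
    policy_name           => 'EMP_PII_MASK',
    function_schema       => 'HR',
    policy_function       => 'MASK_PII_POLICY',
    statement_types       => 'SELECT',           -- column masking applies to SELECT only
    policy_type           => DBMS_RLS.DYNAMIC,   -- re-evaluated per execution, so the clock matters
    sec_relevant_cols     => 'SALARY,SSN',
    sec_relevant_cols_opt => DBMS_RLS.ALL_ROWS); -- keep the rows, NULL the columns
END;
/

-- Same query, two outcomes: from 10.1.2.x during business hours both rows
-- carry salary and SSN; from a desktop SQL*Plus session both rows still
-- come back, with SALARY and SSN NULL. No application code changed.
SELECT employee_id, last_name, salary, ssn FROM hr.employees;
```

Three caveats worth checking before relying on this. SYS and any user holding EXEMPT ACCESS POLICY bypass VPD entirely, so that privilege belongs on the list of things to audit. The policy function should live in a locked, administrator-owned schema rather than the application schema, otherwise whoever can edit the function can edit the policy. And the failure mode is the right one: if the policy function raises an error the query fails rather than returning unmasked data.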

January 29, 2008

Oracle Data Masking

Oracle recently sponsored a Ziff Davis eSeminar called Top Five Database Security and Compliance Resolutions for 2008. Rich Mogull was the speaker and we had such a great turnout (thank you everyone who participated!) that by the time I got to my presentation the servers were so overloaded I couldn't advance my slides. Despite my technical difficulties, the feedback on the event was very positive and I encourage you to view the recorded presentation if you missed it. And let me know what you think, since I'm planning the next one for March.

One of the topics we discussed was data masking. If you're not familiar with data masking, it refers to "scrubbing" sensitive production data like personally identifiable information, credit card and social security numbers in order to share that data with development/test, analysis groups, business partners, etc. During the presentation we ran a poll on data masking and found that 58.7% of respondents did not perform any data masking when generating test and development data, and 39.9% either did it on an ad-hoc basis or didn't use tools (which might as well be ad-hoc, since manual data masking is very error-prone). This means that a whopping 98.6% of our poll participants are at risk of leaking sensitive production data when they transfer it from secure production environments to non-secure environments.

The good news is that data masking is one of the easiest security measures to put in place, given that Oracle introduced a solution for data masking a few months back. Unlike other solutions on the market, with Oracle Data Masking the data is masked as close to the production database as possible to prevent data breaches. Also, the data masking process is automated using an extensible library of formats and templates that ensure consistent masking for referential integrity across databases. Most importantly, Oracle Data Masking is part of Oracle Enterprise Manager and can be used to enforce data masking policies across all Oracle databases enterprise-wide to help address regulatory mandates like PCI and GLBA. Check out the Oracle Data Masking data sheet for more info.
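To show why "consistent masking for referential integrity" is the property that matters, here is an added example of the underlying technique done by hand in SQL: substitute each sensitive value exactly once and apply the same substitution to every table that carries it, so joins on the masked value still work. This is not the Oracle Data Masking feature the post describes and not code from the post; the tables HR.EMPLOYEES(SSN) and HR.DEPENDENTS(EMP_SSN) and the column names are my assumptions.

```sql
-- Added example, not the Oracle Data Masking product: the same idea done
-- manually. Tables and column names are assumptions. Run ONLY on the
-- non-production copy, never on production.

-- 1. One mapping row per distinct real SSN, across every table that stores
--    it. Substitutes use the 9xx-xx-xxxx range, which is never issued as a
--    real SSN, so they pass format checks in the application but cannot
--    collide with anyone's actual number. Ordering by a random value means
--    the substitute does not leak the sort order of the real values.
CREATE TABLE hr.ssn_map AS
SELECT real_ssn,
       '9' || SUBSTR(seq, 1, 2) || '-' ||
              SUBSTR(seq, 3, 2) || '-' ||
              SUBSTR(seq, 5, 4)                                   AS masked_ssn
  FROM (SELECT real_ssn,
               LPAD(ROW_NUMBER() OVER (ORDER BY DBMS_RANDOM.VALUE), 8, '0') AS seq
          FROM (SELECT ssn     AS real_ssn FROM hr.employees  WHERE ssn     IS NOT NULL
                UNION
                SELECT emp_ssn AS real_ssn FROM hr.dependents WHERE emp_ssn IS NOT NULL));

-- 2. Apply the same substitution everywhere, so employee-to-dependent joins
--    on SSN give the same answer after masking as before.
UPDATE hr.employees e
   SET ssn = (SELECT m.masked_ssn FROM hr.ssn_map m WHERE m.real_ssn = e.ssn);

UPDATE hr.dependents d
   SET emp_ssn = (SELECT m.masked_ssn FROM hr.ssn_map m WHERE m.real_ssn = d.emp_ssn);

COMMIT;

-- 3. The mapping table reverses the mask, so it is as sensitive as the
--    original data: drop it (PURGE, so it does not linger in the recyclebin).
DROP TABLE hr.ssn_map PURGE;

-- Checks. The first count should be zero (every non-null SSN now has the
-- synthetic 9xx prefix); the second should equal the number of orphaned
-- dependents measured before masking, typically zero.
SELECT COUNT(*) FROM hr.employees
 WHERE ssn IS NOT NULL AND ssn NOT LIKE '9__-__-____';

SELECT COUNT(*) FROM hr.dependents d
 WHERE NOT EXISTS (SELECT 1 FROM hr.employees e WHERE e.ssn = d.emp_ssn);
```

The part hand-rolled scripts usually get wrong is not the substitution but the cleanup: an UPDATE leaves the original values in undo, redo and archived logs, and in any flashback data, on the copy where it ran. The copy that leaves the building should therefore be an export taken after masking, or a fresh database loaded from one, rather than the datafiles and logs of the database the UPDATE ran in. That is also the point the post makes about masking as close to production as possible.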