November 5, 2009

Oracle Database Vault Increases Security of SAP Application Data

Oracle Database Vault is now certified for use with SAP applications. With Oracle Database Vault, protective realms around SAP application database objects can be established to prevent privileged database users from accessing sensitive data and to enforce separation of duties among privileged database users.

Oracle Database Vault provides the following default realms to protect the SAP application and data within the database:


  • Application Protection Realms for ABAP™ and the Java stacks: Protects all the sensitive SAP business data against unauthorized access from the privileged database users, and maintains the integrity of the SAP database structures;

  • Application Administration Realm for BR*Tools: Securely protects the integrity of all Oracle Database objects such as tables and indexes that are used by the BR*Tools and guards against unauthorized changes from other privileged database users;

  • Application Protection Realm for Admin Roles: protects SAP administration roles including SAPCONN, SAPDBA, SAPCRED, and SAPSYS from being granted except by the authorized administrator, and provides separation of duty; and,

  • Application Credential Protection Realm: protects the SAP application credential data from any unauthorized access or changes by privileged database users, and enhances separation of duty.

Using the certified Oracle Database Vault command rules for SAP, organizations can also ensure that database users cannot bypass SAP application security features and access SAP application data directly using ad-hoc database query tools. Customers can further customize these default rules and add rules to address additional security requirements. Oracle Database Vault comes with numerous pre-defined command rule factors such as time of day, day of week and system address, and organizations can build custom factors using the Oracle Database Vault API.

SAP application data can be further protected using Oracle Advanced Security, which was previously certified for SAP. Oracle Advanced Security provides Transparent Data Encryption to prevent unauthorized access to SAP application data outside the database, and complements Oracle Database Vault protection for SAP application data within the database.

Download a free evaluation version of Oracle Database Vault (terms, conditions and restrictions apply) and the Oracle Database Vault for SAP Resource Kit, which includes demos, step-by-step tutorials, and more info to get you started.

October 23, 2009

No time for downtime but still want to be secure?

The October 2009 Critical Patch Update (CPU) was released earlier this week. Applying security patches is the foundation of Database Security as per Noel Yuhanna's Database Security Strategy report. But a lot of customers struggle with applying the quarterly CPU because of 7x24 operational requirements which prevent them from bringing their database down for more than an hour once or twice a year. So how do you apply security patches while still keeping your database running? Watch this...

October 11, 2009

Database Security at Oracle Open World

This year was a first. Today the first session in the IOUG track on the first day of Oracle Open World was all about data security. I think it really shows the increasing awareness among the Oracle Database community around data security. The session was a panel discussion on the 2009 IOUG Data Security Report published last week. The panel, moderated by Andy Flower, IOUG Executive Vice President, included Tanya Baccam, who teaches a great class on Oracle Database Security for SANS, Kim Floss, former IOUG President and Manager of Enterprise Database Services at Pepsi, and myself for Oracle. We had a very interactive discussion with really good questions and feedback from the audience. The session was recorded, so I will put up a link when available for those who couldn't make it out this year.

For those of you who are attending Oracle Open World this week, download the FocusOn Database Security schedule for database security sessions and workshops. I will be attending all days and hope to have an opportunity to meet many of you in person.

October 2, 2009

Happy Friday!

No spoilers, just watch the video!

September 30, 2009

IOUG Data Security 2009 Report Published Today

The Independent Oracle Users Group (IOUG) today released its second annual database security study, "IOUG Data Security 2009: Budget Pressures Lead to Increased Risks". The study conducted by Unisphere Research and sponsored by Oracle surveyed 316 members of the IOUG who oversee complex and multiple database sites, many with large volumes of data. Forty-two percent of those surveyed manage greater than 100 databases, and 20 percent manage in excess of 500 databases. The study found that companies made little headway in securing data over the past year. The economic downturn kept many companies from making necessary investments in security, while at the same time increases in outsourcing and off-shoring actually increased risks to enterprise data.

Among the key findings:

• There has been a 50 percent increase in data breaches since last year and growing wariness of the potential for data security problems. However, the uncertain economic climate over the past year has put a damper on the availability of funding and staff time to address these issues.

There is pressure to do more with less and unfortunately in many cases less is actually being done. Only 28 percent of respondents reported receiving additional funding for their data security budgets - down a third from a year ago.

• Managers see internal threats - such as access by unauthorized users - as more pressing than external hackers or viruses. Potential abuse of access privileges by IT staff also ranked highly as a perceived security risk and regulatory compliance issue.

Most organizations still do not have mechanisms in place to prevent database administrators and other privileged database users from reading or tampering with sensitive information in financial, HR, or other business applications. Most are still unable to even detect such breaches or incidents.

• Outsourcing of database administration, development and testing functions has increased by up to 40 percent over the past year. More outsourcing and off-shoring without adequate security has also resulted in organizations unintentionally exposing data to additional risks.

• Close to half of organizations employ actual production data within non-production environments, thereby exposing this information in unsecured settings. To make matters worse, there has been a decline in companies "de-identifying" such sensitive data. A third even ship live un-encrypted production data offsite.

• Overall, corporate management is still complacent about data security. One out of four cited lack of management commitment and lax procedures. Efforts to address data security are still ad hoc and manual. Organizations are not addressing database security as part of an overall database security strategy and making the most of limited budgets.

You can download the full report here and join us for a complimentary live webcast on October 06, 2009 at 1:00 pm PDT, 4:00 pm EDT hosted by the IOUG to discuss the survey findings and cost-effective solutions to mitigate risks to enterprise data and Oracle databases.

Register now and receive the special white paper "Investing in Database Security Pays Off" when you attend the webcast. This whitepaper includes exclusive survey results that quantify the costs of "data insecurity" and solutions organizations can deploy today to reduce the cost of securing their data and achieving regulatory compliance.

September 29, 2009

Your Enterprise Database Security Strategy for 2010

Noel Yuhanna from Forrester has just published a fantastic report on database security entitled Your Enterprise Database Security Strategy for 2010 that I would encourage everyone to read.

There's been a lot written on individual point solutions like database encryption or database activity monitoring. But I think this kind of analysis causes more harm than good and a lot of it is based on misconceptions. Not to name names, but I know there was at least one analyst out there that for quite a while was telling clients that database activity monitoring can be used as a compensating control for database encryption. Good luck passing PCI compliance with that! The unfortunate thing is that customers do often end up buying point solutions that they later figure out don't provide all the data protection they need, don't meet their compliance requirements, cause database stability and performance problems since they are not well integrated, and will cost a small fortune to deploy and scale.

What makes this Forrester report so useful is that it's basically a blueprint for database security. It identifies all the areas of database security that organizations need to consider upfront. You don't need to deploy everything at once, but it's important to understand the big picture so you can prioritize and formulate an actionable database security plan. More to come on this topic. Approaching database security strategically not only saves time and money, but ensures that you are truly protecting your data, since defense-in-depth is really the key to database security.

August 31, 2009

Are you doing less with less?

Unfortunately it seems like many organizations are when it comes to security. Although data security is still top priority for all the IT groups I talk to, their budgets are flat, and quite frankly they are failing to keep up. A lot of what they do is still manual and reactive.

Secure database configuration is a great example. Many organizations still run point solution tools or homegrown scripts on an ad-hoc basis. When they run them they have to manually compare results to the last time they ran them to see changes, and oftentimes the scripts and tools don't flag security vulnerabilities like unchanged default passwords or open ports, much less create tickets so that the problems can be fixed. This whole process can be easily automated with Oracle Configuration Management Pack.

But this was just one example. Where I was going with this is that in these challenging economic times, IT groups need to make the most of their resources and approach database security holistically and with budget in mind. To actually do more with less, your organization needs to formulate a comprehensive database security strategy, an effective plan, and tools that will save you time and money. Sounds good, right?

How do I get there you ask? I am so glad you asked ;-) Join us for a live online event with guest speaker Noel Yuhanna, Principal Analyst at Forrester Research to learn more. Space is limited so don't wait to register.

August 13, 2009

Reminder to sign up for North America Security Summit

Don't forget to register for NetworkWorld's Security Inside Out Summit, exclusively hosted by Oracle in nine North America cities. When you attend, you'll meet industry experts, and learn about:

• New approaches to identity management and database security
• Proven practices for securing applications and data
• Strategies for automating compliance auditing and reporting
• Advancements in online fraud prevention and entitlements management
• Transparent data encryption and privileged user controls you can deploy today

To register, click here. And don't wait, space is limited!

Learn how customers rely on Oracle to protect their business

The most recent issue of Oracle Magazine features a great article on Oracle customers that rely on Oracle Database Security and Identity Management solutions to protect their business. Click here to read it now.


July 31, 2009

North America Security Summit Coming to a Location Near You!

With tightened budgets, how can you improve information security while complying with regulatory mandates? And save money? The answers are at NetworkWorld’s Security Inside Out Summit, exclusively hosted by Oracle in nine North America cities. When you attend, you’ll meet industry experts, and learn about:

• New approaches to identity management and database security
• Proven practices for securing applications and data
• Strategies for automating compliance auditing and reporting
• Advancements in online fraud prevention and entitlements management
• Transparent data encryption and privileged user controls you can deploy today

To register, click here. And don't wait, space is limited!

About

Roxana Bradescu is Sr. Product Marketing Director for Oracle Database Security. Roxana has more than 20 years of professional experience, and has held senior product marketing and management positions at VeriSign, Excite@Home, and Sun Microsystems as well as several startups which were subsequently acquired. She started her career at AT&T Bell Labs where she worked on the NSF InterNIC Directory and Database Services and Network Management Expert Systems. She holds an MS in Computer Science from Columbia University in New York City, and a BS Summa Cum Laude in Econometrics from Georgia State University.
