June 24, 2009

Oracle at Gartner Information Security Summit

Oracle is proud to be a platinum sponsor at this year’s Gartner Information Security Summit, June 29-July 1, in Washington, DC. We will be showcasing our Database Security and Identity Management solutions in our booth, so please stop by to talk to our product experts, and get a demo of our latest products. Also don’t forget to attend our session, IT Security Stories, Tues 1:30 to learn how Oracle can provide a complete solution for protecting data and applications from many different kinds of internal and external threats.

March 11, 2009

Making the Business Case for Database Security

According to a recent report by Forrester Research, data security is cited as a top priority by the organizations surveyed, and it is getting the largest share of enterprise IT budgets for the coming year. Since most mission-critical data is managed in databases, this means organizations need to focus on securing their databases more than ever. Doing business is hard enough without the negative publicity and loss of business associated with data breaches and regulatory failures. Data security is critical to maintaining your customers’ and partners’ trust. To learn how securing your databases will save your organization money and facilitate business initiatives, register for this free live webcast featuring guest speaker Jonathan Penn from Forrester Research on Thursday, March 26, 11 am PT/2 pm ET.

February 17, 2009

Things the auditor saw and what you can do to make sure they don’t see them again

CIO Insight put together a great security slideshow, 10 Things the Security Auditor Saw, based on Deloitte's 6th Annual Global Security Survey. It discusses the top priorities and problems revealed by internal and external audits.

Top on the list was excessive access rights. Organizations often grant individuals or applications access to more information than they really need to perform their function. Since databases are the primary repositories for information in most organizations, this is most often the case at the database level. This is exactly why Oracle developed Oracle Database Vault. With Oracle Database Vault, organizations can enforce least privilege by setting up protection realms inside the database that restrict access to data for any user, including privileged database users such as DBAs or applications with DBA privileges. For example, using Oracle Database Vault an organization can allow a DBA to manage a database without being able to read or change the information in that database. Oracle Database Vault does not require any changes to existing applications, so it is a cost-effective and easy-to-deploy way to remediate this issue.

Second on the list was segregation of duties, since a lack of segregation of duties allows people to circumvent controls. Oracle Database Vault also enforces segregation of duties. Out of the box, Oracle Database Vault separates responsibilities and functions that conflict with one another, such as database account creation, privilege grants, and other database management functions. Oracle Audit Vault can also be used as a detective control for segregation of duties by allowing a separate organization or IT auditor to monitor database activity across all Oracle and non-Oracle databases in the organization. Oracle Audit Vault can detect and alert on unauthorized activities such as account creation or access to application data that circumvents the application, by any user, including privileged users.

Third on the list was access control, to ensure users only have access to the systems and information they need to do their jobs. Managing user access to systems can be achieved at the enterprise level using an identity management solution or at the database level using an Oracle Database Vault “connect” rule. But restricting system access is not enough, since it’s not just the system we’re trying to protect: we need to protect the information. Organizations need to look at database controls to ensure users only have access to the information that they need to do their job. With Oracle Database Vault you can set up command rules that take into account multiple factors, such as time of day, the application being used to access information in the database, where the application is running, etc., to determine whether to grant access to information. For example, access to HR information might only be granted during business hours to HQ users accessing the data through the HR application. Users trying to access that data using an ad-hoc reporting tool or from a remote location would be denied access. Note that factors a client reports about itself, such as the application name, can be set by anyone who can open a database connection, so they should be combined with factors the server can verify, such as the client's network address, and with strong authentication. Oracle Advanced Security can be used for strong authentication, restricting access to the database to users who have been issued a PKI certificate or a physical device like an OTP token or smart card.

Number four on the list was lack of audit trails/logging, with number seven being lack of review of audit trails. As you can see from past blog posts, between 30-50% of the folks we survey still don’t have database auditing turned on, and many who do don't actually monitor the audit trail. Everyone should have native auditing turned on and be monitoring for at least the basic stuff: failed logins, DDL changes, direct access to sensitive data, etc. Of course, if no one is looking at that audit trail it’s not going to help a lot. Again, this is where you want to consider Oracle Audit Vault. With Oracle Audit Vault you can automate the collection and analysis of that audit data. You can set up alerts on exceptions, and you can centrally manage audit policies across multiple databases to make sure you are generating audit trails for all your databases.
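To make the last two points concrete, here is an added example (not code from the original post, and not how Oracle Audit Vault or Database Vault are implemented) of the "basic stuff" a first monitoring pass over a native audit trail should catch: bursts of failed logins, DDL, and access to sensitive tables that does not fit the factor-based policy described under the third audit finding (the HR application, from HQ, during business hours). The audit rows are constructed samples shaped loosely like DBA_AUDIT_TRAIL columns; the client IP is assumed to have been extracted already from the logon record. The table names, module name, HQ network and business hours are this example's assumptions.

```python
"""Added example: a first-pass detection run over native database audit records.
Policy values and sample rows are constructed for the illustration."""
from collections import Counter
from datetime import datetime
from ipaddress import ip_address, ip_network

# --- Policy (assumptions for this example) ---------------------------------
SENSITIVE_TABLES = {("HR", "EMPLOYEES"), ("HR", "SALARIES")}
APPROVED_MODULES = {"HRAPP"}                  # MODULE the HR application sets on its sessions
HQ_NETWORK = ip_network("10.1.0.0/16")        # where HQ users connect from
BUSINESS_HOURS = range(8, 18)                 # 08:00 to 17:59, database local time
DDL_ACTIONS = {"CREATE TABLE", "ALTER TABLE", "DROP TABLE",
               "CREATE USER", "ALTER USER", "GRANT OBJECT", "GRANT ROLE"}
DML_ACTIONS = {"SELECT", "INSERT", "UPDATE", "DELETE"}
ORA_INVALID_CREDENTIALS = 1017                # RETURNCODE recorded for ORA-01017 on a failed logon
FAILED_LOGIN_THRESHOLD = 3

# --- Constructed sample audit rows (timestamp, user, action, owner, object,
#     return code, client module, client address) ---------------------------
AUDIT_ROWS = [
    {"ts": "2009-02-16 09:12:04", "user": "HRAPP",  "action": "SELECT",      "owner": "HR", "obj": "EMPLOYEES",  "rc": 0,    "module": "HRAPP",    "ip": "10.1.4.22"},
    {"ts": "2009-02-16 09:13:10", "user": "JSMITH", "action": "LOGON",       "owner": None, "obj": None,         "rc": 1017, "module": "sqlplus",  "ip": "10.1.9.7"},
    {"ts": "2009-02-16 09:13:31", "user": "JSMITH", "action": "LOGON",       "owner": None, "obj": None,         "rc": 1017, "module": "sqlplus",  "ip": "10.1.9.7"},
    {"ts": "2009-02-16 09:14:02", "user": "JSMITH", "action": "LOGON",       "owner": None, "obj": None,         "rc": 1017, "module": "sqlplus",  "ip": "10.1.9.7"},
    {"ts": "2009-02-16 09:15:40", "user": "JSMITH", "action": "LOGON",       "owner": None, "obj": None,         "rc": 0,    "module": "sqlplus",  "ip": "10.1.9.7"},
    {"ts": "2009-02-16 09:30:11", "user": "DBA1",   "action": "SELECT",      "owner": "HR", "obj": "SALARIES",   "rc": 0,    "module": "SQL*Plus", "ip": "10.1.2.5"},
    {"ts": "2009-02-16 11:00:00", "user": "HRAPP",  "action": "SELECT",      "owner": "HR", "obj": "EMPLOYEES",  "rc": 0,    "module": "HRAPP",    "ip": "203.0.113.9"},
    {"ts": "2009-02-16 14:20:09", "user": "DBA1",   "action": "CREATE USER", "owner": None, "obj": "TEMP_ADMIN", "rc": 0,    "module": "SQL*Plus", "ip": "10.1.2.5"},
    {"ts": "2009-02-16 14:21:45", "user": "DBA1",   "action": "ALTER TABLE", "owner": "HR", "obj": "EMPLOYEES",  "rc": 0,    "module": "SQL*Plus", "ip": "10.1.2.5"},
    {"ts": "2009-02-16 22:05:17", "user": "HRAPP",  "action": "SELECT",      "owner": "HR", "obj": "EMPLOYEES",  "rc": 0,    "module": "HRAPP",    "ip": "10.1.4.22"},
]


def is_ddl(row: dict) -> bool:
    """Schema or account changes: always worth a look, whoever ran them."""
    return row["action"] in DDL_ACTIONS


def sensitive_access_violation(row: dict):
    """Reason a DML access to a sensitive table falls outside the policy, or None.
    Mirrors the factor-based rule: approved application, HQ address, business hours."""
    if row["action"] not in DML_ACTIONS or (row["owner"], row["obj"]) not in SENSITIVE_TABLES:
        return None
    when = datetime.strptime(row["ts"], "%Y-%m-%d %H:%M:%S")
    if row["module"] not in APPROVED_MODULES:
        return f"module {row['module']!r} is not the HR application"
    if ip_address(row["ip"]) not in HQ_NETWORK:
        return f"client {row['ip']} is outside the HQ network"
    if when.hour not in BUSINESS_HOURS:
        return f"access at {when:%H:%M} is outside business hours"
    return None


def failed_login_bursts(rows, threshold: int = FAILED_LOGIN_THRESHOLD) -> dict:
    """Users with at least `threshold` ORA-01017 logon failures in the batch."""
    counts = Counter(r["user"] for r in rows
                     if r["action"] == "LOGON" and r["rc"] == ORA_INVALID_CREDENTIALS)
    return {user: n for user, n in counts.items() if n >= threshold}


def analyze(rows) -> dict:
    """One pass over the trail; each bucket lists what a reviewer should read first."""
    return {
        "ddl": [(r["ts"], r["user"], r["action"], r["obj"]) for r in rows if is_ddl(r)],
        "direct_access": [(r["ts"], r["user"], reason) for r in rows
                          if (reason := sensitive_access_violation(r))],
        "failed_logins": failed_login_bursts(rows),
    }


if __name__ == "__main__":
    for bucket, hits in analyze(AUDIT_ROWS).items():
        print(bucket, hits)
```

Against the sample rows this reports two DDL statements by DBA1, three out-of-policy reads of HR data (one from SQL*Plus, one from a non-HQ address, one at 22:05) and a burst of three failed logins for JSMITH, while the application's own daytime reads from HQ pass silently. The point is the shape of the pipeline, not the thresholds: collect centrally, evaluate against the same factors the preventive control uses, and put the exceptions in front of someone.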

Number six was excessive developer access to production data, and number nine was the use of production data in testing. We already talked about how user access to systems can be restricted so you can keep developers out of production environments, but the challenge is really around keeping production data out of development environments. With Oracle Data Masking, sensitive production data such as credit card or social security numbers can be replaced with realistic values, allowing production data to be safely used for development, testing, or sharing with outsourcing partners or off-shore organizations for other non-production purposes. Oracle Data Masking uses a library of templates and format rules, consistently transforming data in order to maintain referential integrity for applications.
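The two properties that matter in that last sentence, realistic format and consistent transformation across tables, are easy to get wrong in a home-grown script. Here is an added example (not Oracle Data Masking's implementation, and not code from the original post) showing what they require: a keyed, deterministic mapping so the same SSN or card number masks to the same value in every table, the original separator layout preserved, a plausible SSN range, and a recomputed Luhn check digit so masked card numbers still validate in the application. The masking key and both sample tables are assumptions constructed for the illustration; the key must stay on the masking host and never travel with the non-production copy.

```python
"""Added example: deterministic, format-preserving masking that keeps referential
integrity across tables. MASK_KEY and the sample tables are constructed."""
import hashlib
import hmac

MASK_KEY = b"example-only-masking-key"   # assumed secret; change it and every mapping changes


def _derive_digits(label: str, value: str, n: int) -> str:
    """n digits from HMAC-SHA256(key, label:value): same input gives the same output,
    and without the key the mapping cannot be reproduced or reversed."""
    mac = hmac.new(MASK_KEY, f"{label}:{value}".encode(), hashlib.sha256).digest()
    return str(int.from_bytes(mac, "big") % 10 ** n).zfill(n)


def _reinsert(template: str, digits: str) -> str:
    """Lay the new digits into the original's separators ('123-45-6789', '4111 1111 ...')."""
    it = iter(digits)
    return "".join(next(it) if ch.isdigit() else ch for ch in template)


def luhn_check_digit(partial: str) -> str:
    """Check digit that makes partial + digit pass the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:          # double every second digit, starting just left of the check digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    digits = "".join(ch for ch in number if ch.isdigit())
    return len(digits) > 1 and luhn_check_digit(digits[:-1]) == digits[-1]


def mask_ssn(ssn: str) -> str:
    digits = "".join(ch for ch in ssn if ch.isdigit())
    if len(digits) != 9:
        raise ValueError(f"not a 9-digit SSN: {ssn!r}")
    d = _derive_digits("ssn", digits, 9)
    area, group, serial = int(d[:3]), int(d[3:5]), int(d[5:])
    # keep the result plausible: area 000, 666 and 900-999, group 00 and serial 0000 are never issued
    if area in (0, 666) or area >= 900:
        area = 1 + area % 665
    group = group or 1
    serial = serial or 1
    return _reinsert(ssn, f"{area:03d}{group:02d}{serial:04d}")


def mask_card(pan: str) -> str:
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 13 <= len(digits) <= 19:
        raise ValueError(f"not a card number: {pan!r}")
    # keep the 6-digit BIN so issuer/brand logic still works, replace the account part,
    # then recompute the Luhn check digit so the result validates like a real PAN
    body = digits[:6] + _derive_digits("pan", digits, len(digits) - 7)
    return _reinsert(pan, body + luhn_check_digit(body))


def mask_table(rows, maskers: dict) -> list:
    """Apply {column: masker} to every row; other columns pass through unchanged."""
    return [{col: (maskers[col](val) if col in maskers else val) for col, val in row.items()}
            for row in rows]


# Constructed sample data: the same person appears in both tables, so the masked
# CUSTOMERS.ssn must still join to ORDERS.cust_ssn.
CUSTOMERS = [{"id": 1, "name": "A. Example", "ssn": "123-45-6789", "card": "4111 1111 1111 1111"}]
ORDERS = [{"order_id": 501, "cust_ssn": "123-45-6789", "card": "4111 1111 1111 1111", "amount": 42.50}]

if __name__ == "__main__":
    print(mask_table(CUSTOMERS, {"ssn": mask_ssn, "card": mask_card}))
    print(mask_table(ORDERS, {"cust_ssn": mask_ssn, "card": mask_card}))
```

A keyed hash rather than a plain hash is deliberate: with an unkeyed hash anyone holding the non-production copy could enumerate the small SSN space and recover the originals, which defeats the purpose of masking.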

So if your auditor saw any of these issues, you can make sure they don’t see them again.


February 9, 2009

More than half still not encrypting sensitive regulated data in all their databases

We ran some polls during the Network World webcast we did last week, Information Security for Database Administrators. (If you missed it, the replay is available here.)

One of the polls was "Are you encrypting sensitive information such as credit card and social security numbers in all databases across your organization?" We had 61 responses, and 34 answered NO. Although 27 of the folks on our webcast answered yes, the 2008 IOUG Data Security Report a few months back indicated that the number out there is more like a third. One of the main reasons we find is the use of production data containing live social security numbers or credit card numbers being copied to non-production databases for development and test purposes.

We are going to be talking more about this topic in a live webcast on how to "Protect Sensitive Data Using Encryption and Masking" this Thursday at 2:30 EST/11:30 PST. You can register here.

The second question we asked was "Are you using native database auditing to detect failed logins, DDL changes, or other suspicious activities?" with a follow-up question of "Are you monitoring database audit logs to detect security threats in real-time?" We had 67 responses, 32 indicated they were auditing their databases, but only 25 were actually monitoring those audit logs.

In the webcast, we discussed the importance of using tools like Oracle Audit Vault to automate the monitoring of audit data in order to detect and alert on security threats in real-time. Also having all that audit data securely stored in a centralized warehouse saves lots of time and money when generating regulatory audit reports. If you want to see a demo of Oracle Audit Vault, you can register here to attend one of our weekly demos in February.

Well that's it for now, I will be posting some follow-up to some of the questions asked on this and other recent webcasts. Stay tuned...

February 4, 2009

Information Security for Database Administrators with Rich Mogull - LIVE TOMORROW

Rich and I are doing another live webcast on Network World. The topic is Information Security for Database Professionals. Rich will cover critical database security concepts and I will provide an introduction to some of the solutions Oracle provides to help customers protect their data. We will also be running some polls and we are leaving ample time for Q&A so everyone can join in the discussion. To participate, register here.

January 6, 2009

Live Online Events in January

We are offering two live online events in January:

Protecting Data Privacy in Production and Nonproduction Environments

Concerns over data breaches as well as regulatory compliance require every organization to consider encrypting sensitive information stored in their databases. With Oracle Advanced Security, customers can now transparently encrypt data at rest inside their production databases in a matter of hours without any changes to their existing applications. But if you regularly copy production databases for testing, development and other purposes, you may be exposing sensitive customer and employee information in the process. Oracle Data Masking complements the encryption capabilities in Oracle Advanced Security by substituting sensitive data with realistic values in order to maintain data privacy and regulatory compliance in non-production environments. During this presentation, you'll learn how you can use two of the options in Oracle’s comprehensive portfolio of database security solutions to cost-effectively address your data privacy and regulatory requirements.


Comprehensive Controls to Prevent and Detect Database Breaches

Databases are the most valuable assets in your IT infrastructure, and hence the most targeted by hackers and auditors alike. A comprehensive strategy for database security and compliance must include preventing unauthorized activities as well as auditing and monitoring to detect any failure of preventive controls or policies. With Oracle Database Vault, you can enforce security policies inside the Oracle Database, preventing any user - even a privileged user – from bypassing application security policies or performing unauthorized database operations. Oracle Audit Vault complements Oracle Database Vault by providing a reliable enterprise-wide solution for demonstrating the effectiveness of preventive controls as well as detecting and alerting on unauthorized or suspicious activities. In this session, learn how Oracle Database Vault and Oracle Audit Vault work together to provide a complete cost-effective solution for preventing and detecting security and regulatory breaches.

We will have ample time for Q&A at the end of each presentation so hope you make it to one of them.

December 18, 2008

Oracle Database Security for Security Administrators

Thank you everyone who joined us yesterday for our “Oracle Database Security for Security Administrators” webcast with Rich Mogull, hosted by Network World. If you missed it, you can catch the on-demand replay, and join us for the next one in the series, “Information Security for Database Administrators”, on February 5, 2009. I will post registration info as soon as it’s available.

During the webcast we ran some polls and I know everyone is curious about the results so here they are.

Oracle Database Security for Security Administrators Webcast Poll Results

POLL #1--What group in your organization is primarily responsible for database security? (Votes received: 68)

  • Security: 29.4% (20)
  • Database: 48.5% (33)
  • Risk/Compliance: 0% (0)
  • Applications/Development: 13.2% (9)
  • Other: 8.8% (6)

POLL #2--What percentage of your databases with sensitive data are encrypted? (Votes received: 54)

  • <5%: 44.4% (24)
  • 5-10%: 11.1% (6)
  • 10-25%: 11.1% (6)
  • 25-50%: 11.1% (6)
  • 50-75%: 7.4% (4)
  • 100%: 14.8% (8)

POLL #3--Are all your database backups and exports encrypted? (Votes received: 49)

  • Yes: 34.7% (17)
  • No: 65.3% (32)


Note the first question was actually asked as “What group(s) in your organization is responsible for database security? (Check all that apply)”, but unfortunately the console only allowed selecting one option, so we had folks vote on which group was primarily responsible. Not surprisingly, about 50% selected Database and about 30% selected the Security group. We saw very similar results in the 2008 IOUG Data Security Report, which was in large part what motivated me to talk to Rich about doing this series on database security for security administrators and information security for database administrators. That said, I’m really curious about that 8.8% Other. If you were one of the folks who voted for Other, please post on the blog and let us know what group in your organization is responsible for database security.

It was also encouraging to see close to 50% are doing some database encryption. Again, this number is consistent with other surveys I’ve seen recently and has been slowly creeping up over the years. But the fact that less than 15% are encrypting all the databases containing sensitive information says we still have a long way to go. And the fact that over 65% are still not encrypting all backups and exports says we can expect those data breach rates to keep climbing in 2009. Sigh. Looks like a bunch of you felt too guilty to even respond to that question, so I’m guessing there were actually even more of you out there not encrypting your backups and exports. As one of the hundreds of millions of people whose personally identifiable information was exposed due to a lost backup tape, I personally implore you to start encrypting your backups and exports today!

You can download our free Oracle Advanced Security Resource Kit to help you get started. Oracle Advanced Security is a complete database encryption solution you can use to encrypt data at rest within the database, data in transit between your applications and the database, as well as all your exports and backups. The encryption/decryption happens transparently within the database kernel, so no changes to your applications are required. As one of our customers put it in an Oracle Magazine article on database security a few months ago, “Oracle product has truly lived up to its name—it is truly transparent data encryption.”

If you want to learn more about Oracle Advanced Security (and Oracle Data Masking for protecting data in non-production environments), you can also register for our free live seminar on January 8.


October 2, 2008

Are you encrypting database traffic? Are you sure? You should be!

Less than a quarter of the 2008 IOUG Data Security Report respondents said they were encrypting all the application data on the network to/from their databases, but about a third said they were encrypting some of their application data on the network to/from the database. To be honest, I was kind of surprised by this last part. I talk to a lot of our customers, and unfortunately many of them are still not encrypting any of the traffic between their application servers and their databases. So while at Oracle OpenWorld I decided to pose this question to some of the customers who came by our Oracle Advanced Security booth to see if I could get more insight into this response.

Sure enough, about a third said they were only encrypting some of their application data. When I asked them to tell me more, they said their database applications use HTTPS to encrypt some of the data. So if your database application uses HTTPS, then the application data is encrypted on the network to/from the database, right? Unfortunately, this is not the case. HTTPS (HTTP over SSL/TLS) only means that the data between the web browser and the web/application server is encrypted. The SSL session terminates at the web tier; the application server then opens its own, separate connection to the database (over JDBC, OCI or ODBC on top of Oracle Net), and that hop stays in cleartext unless it is explicitly configured for encryption.

The upshot of this is that some of the folks who think they are encrypting some of their application data on the network may be in for a rude surprise if a hacker gets access to their network and starts eavesdropping on their traffic. In fact, the 25% of the 2008 IOUG Data Security respondents who said they were not encrypting any of the traffic and the 17% who said they were unsure whether they were encrypting traffic may be in for the same rude surprise: a really big data breach. As I'm sure you recall, more than 45 million credit card numbers were stolen from TJX by hackers who got access to the company’s network and eavesdropped on unencrypted traffic.

So if you’re one of the organizations that are not encrypting all your database traffic, you really should be. With Oracle Advanced Security, you can set up network encryption to your database in a matter of hours. You can also configure your Oracle databases to only accept mutually authenticated and encrypted connections. This means that in addition to protecting against network eavesdropping, you can also protect against unauthorized connections to your database.
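The setting that decides whether that application-server-to-database hop is protected lives in the server's sqlnet.ora, and the trap is the default: SQLNET.ENCRYPTION_SERVER defaults to ACCEPTED, which means the server encrypts only if the client asks, and an unconfigured JDBC or OCI client does not ask. Here is an added example (not Oracle's tooling or code from the original post) that reads the relevant parameters and reports what will actually happen on the wire, run over two constructed sqlnet.ora fragments: a weak one with the setting many shops unknowingly run, and the corrected one. The parameter names and the ACCEPTED default are the real Oracle Advanced Security network settings; which algorithms count as weak is this example's own judgement.

```python
"""Added example: review the sqlnet.ora parameters that govern Oracle Net native
network encryption. The two sqlnet.ora fragments are constructed samples."""

STRONG_CIPHERS = {"AES128", "AES192", "AES256"}   # example's judgement: DES, RC4 and 3DES get flagged
WEAK_CHECKSUMS = {"MD5"}
ORACLE_DEFAULT = "ACCEPTED"                       # Oracle's default when the parameter is absent

# Constructed: the setting many installations effectively run. ACCEPTED means
# "encrypt if the client requests it"; a default JDBC/OCI client requests nothing.
SQLNET_WEAK = """
SQLNET.ENCRYPTION_SERVER = ACCEPTED
SQLNET.ENCRYPTION_TYPES_SERVER = (RC4_128, DES)
SQLNET.CRYPTO_CHECKSUM_SERVER = ACCEPTED
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (MD5)
"""

# Constructed: the corrected posture. REQUIRED makes the server refuse any session
# that will not both encrypt and integrity-protect, so a misconfigured client fails
# loudly instead of silently talking in cleartext.
SQLNET_HARDENED = """
# native network encryption, server side
SQLNET.ENCRYPTION_SERVER = REQUIRED
SQLNET.ENCRYPTION_TYPES_SERVER = (AES256)
SQLNET.CRYPTO_CHECKSUM_SERVER = REQUIRED
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA1)
"""


def parse_sqlnet(text: str) -> dict:
    """KEY = VALUE or KEY = (A, B) lines with '#' comments; values become upper-case lists."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if value.startswith("(") and value.endswith(")"):
            value = value[1:-1]
        params[key.upper()] = [v.strip().upper() for v in value.split(",") if v.strip()]
    return params


def check_sqlnet(text: str) -> list:
    """Findings about the server's network encryption posture; empty means traffic
    to this database will be encrypted and checksummed regardless of the client."""
    p = parse_sqlnet(text)
    findings = []

    enc = p.get("SQLNET.ENCRYPTION_SERVER", [ORACLE_DEFAULT])[0]
    if enc != "REQUIRED":
        findings.append(f"SQLNET.ENCRYPTION_SERVER={enc}: a client that does not request "
                        "encryption gets a cleartext session")
    ciphers = p.get("SQLNET.ENCRYPTION_TYPES_SERVER", [])
    if not ciphers:
        findings.append("SQLNET.ENCRYPTION_TYPES_SERVER unset: every algorithm the server "
                        "supports is negotiable, including the weak ones")
    weak = [c for c in ciphers if c not in STRONG_CIPHERS]
    if weak:
        findings.append(f"weak encryption algorithms offered: {', '.join(weak)}")

    chk = p.get("SQLNET.CRYPTO_CHECKSUM_SERVER", [ORACLE_DEFAULT])[0]
    if chk != "REQUIRED":
        findings.append(f"SQLNET.CRYPTO_CHECKSUM_SERVER={chk}: unless the client asks for a "
                        "checksum, packets can be altered in transit without detection")
    weak_chk = [c for c in p.get("SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER", []) if c in WEAK_CHECKSUMS]
    if weak_chk:
        findings.append(f"weak integrity algorithms offered: {', '.join(weak_chk)}")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", SQLNET_WEAK), ("hardened", SQLNET_HARDENED), ("empty", "")):
        print(name, check_sqlnet(text) or ["ok"])
```

An empty sqlnet.ora, which is what you get after a default install, produces three findings, because both server-side parameters fall back to ACCEPTED. SHA1 is the strongest checksum this era's release offers; on 12c and later, where SHA256 and above are available, you would move to those. The mutually authenticated connections mentioned above are a separate mechanism (SSL/TLS on a TCPS listener with SSL_CLIENT_AUTHENTICATION = TRUE and wallets on both ends) and are not covered by this check.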

To get started with Oracle Advanced Security today, check out the Oracle Technology Network.

September 24, 2008

Register for October 2nd Oracle Database Security Web Seminar

Don't feel left out if you didn't make it to Oracle OpenWorld this year. We have two web seminars on database security coming up. The first one is next week, on Thursday, October 2 at 11am PT / 2pm ET. We will be discussing protecting data privacy in production and non-production environments. If you want to better understand the difference between data encryption and masking, and get more information on Oracle Advanced Security and Oracle Data Masking, then you don't want to miss this. This will be a live event and we will leave plenty of time for Q&A at the end. These events are free but attendance is limited, so you will want to register and reserve your spot quickly. Click here for your invitation.

September 19, 2008

2008 IOUG Data Security Report Now Available

Yesterday the IOUG announced the results of the survey conducted in August. The report is entitled Enterprise Data Insecurity: Are Organizations Prepared for the Threat From Within? and you can download it here. The key findings were pretty troubling:

  • One out of five respondents expects a data breach or incident over the coming year. Only one out of four said all databases are locked down against attacks.
  • Organizations see the greatest risks from internal access, either by unauthorized users, or by "super users" such as administrators with access privileges.
  • Most organizations do not have mechanisms in place to prevent database administrators and other privileged database users from reading or tampering with sensitive information in financial, HR, or other business applications. Most are unable to even detect such breaches or incidents.
  • Sending out data to outside parties is now a common practice.
  • One out of four sites covered in this survey do not encrypt data within their databases, and close to one out of five are not even sure whether this encryption takes place.
  • Two out of five organizations employ actual production data within non-production environments, thereby exposing this information in unsecured settings.
  • There is growing awareness of potential risks. Most organizations monitor their databases for changes that may be indicators of malicious activity.

I won't say more for now and let everyone take a look at the report and digest it. I will be blogging more on various aspects of the report over the next few weeks. And if you haven't already tried our enterprise data security self-assessment tool, give it a try. We don't track any of the results, so it's really just a way to learn more about what you can be doing to protect your databases and comply with regulatory requirements.