January 26, 2010

Think your database applications are secure? Think again!

Every month, there are hundreds of thousands of attacks on corporate applications in attempts to access human resources data, customer records, intellectual property, trade secrets, and other critical business data. Without the appropriate controls, even your own database and system users can read sensitive business data and tamper with your applications directly at the database level, bypassing whatever access control the application itself enforces. On our next webcast, we will discuss how to defend against these kinds of attacks without costly and time-consuming application changes, simply by securing the database itself. For more information and registration, click here.

January 20, 2010

Many databases claim to be secure, but how do you know for sure?

Good news! Oracle Database 11g Enterprise Edition and Oracle Label Security 11g were recently awarded Common Criteria EAL4+ certification. A Common Criteria evaluation is a formal, rigorous analysis and testing of a product's security functions by an independent, accredited laboratory, following a comprehensive and repeatable process that confirms the product behaves as its Security Target claims. Security weaknesses and potential vulnerabilities are specifically examined during the evaluation. Keep in mind that a certificate covers the specific product version and evaluated configuration described in the Security Target, so a deployment that runs a different release or strays from that configuration is outside the scope of the evaluation. The Oracle Database has gone through more than 20 independent evaluations over the years. You can see this most recent Common Criteria certification report and learn how Oracle leads in third-party security standard evaluations here.

January 12, 2010

Absa steps up compliance with Oracle

The Absa Group Limited (Absa), one of South Africa's largest financial services groups, is a subsidiary of Barclays Bank, which holds a 58.8% stake in the group and is itself a major financial services provider with more than 27 million customers and an extensive presence in more than 50 countries. Absa has recently rolled out Oracle Database Security solutions to protect its data while making the most of its existing investment in Oracle technology. Specifically, Absa is using Oracle Database Vault, Oracle Audit Vault, and Oracle Configuration Management to protect its data and address regulatory mandates. You can read more here.

December 16, 2009

Do you have a Database Security Plan?

Most organizations have a database disaster recovery plan, a database maintenance plan, and other plans related to operating their database. But according to the 2009 IOUG Data Security Report, more than half lack a database security plan!

A secure database is a matter of both process and technology. A piecemeal approach to protecting your databases is not only costly and inefficient, but also results in gaps that leave your organization vulnerable to security and regulatory issues.

In one of the most highly attended sessions at Oracle Open World this year, Noel Yuhanna, principal analyst at Forrester Research, discussed how to design a cost-efficient, comprehensive database security plan that addresses the critical areas of database security. He talked about how to go all the way from a database security strategy to a plan, and even provided the templates you need to get started.

But since not everyone could make it to Oracle Open World, we repeated this session online so you can watch it right now. You can also read Forrester's "Your Enterprise Database Security Strategy for 2010" report in our Oracle Database Security Resource Kit, which has the resources you need to start protecting your data immediately.

December 8, 2009

Security Summit Coming to a City Near You

Want to learn how to stop fighting security and compliance fires one at a time and start deploying integrated data protection with less cost, less complexity and more control? To learn more and register for this exclusive FREE half-day IT Security Summit, where you'll explore solutions to your toughest IT security challenges, including database security, identity management, fraud prevention and compliance automation, click here.

December 4, 2009

Industry's First Database Privileged User Control Solution Earns Common Criteria EAL4+

Oracle Database Vault, the industry's first and only native database privileged user control and multi-factor authorization solution, has been awarded the international Common Criteria Evaluation Assurance Level 4 Augmented (EAL4+) certification. This certification means that organizations worldwide can continue to have a high degree of confidence in the security afforded by Oracle Database Vault.

The Common Criteria for Information Technology Security Evaluation is an internationally recognized standard (ISO/IEC 15408) for evaluating the security of IT products. It was initially developed by the national security organizations of the United States, Canada, the United Kingdom, France, Germany and the Netherlands, and provides a broad range of evaluation criteria for many types of commercial and nationally sensitive government-use IT security products. EAL4 is the highest assurance level mutually recognized by the signatories of the Common Criteria Recognition Arrangement; "augmented" (EAL4+) means the evaluation included assurance components beyond the EAL4 baseline, commonly flaw remediation (ALC_FLR). Higher levels (EAL5 through EAL7) exist but are recognized only on a national basis, so EAL4+ is the deepest evaluation by an independent testing laboratory that carries international recognition. It is widely treated as a measure of the quality of an IT security product and as a procurement requirement by governments and IT professionals worldwide.

November 22, 2009

Latest Release of Oracle Audit Vault Further Automates Database Auditing and Monitoring

Now available, Oracle Audit Vault Release 10.2.3.2 is designed to help organizations secure all their enterprise databases and address regulatory requirements. This latest release of Oracle Audit Vault introduces key new reporting and alerting capabilities to further automate the database audit process and help reduce costs. New features include:

  • Report scheduling, notification, attestation, and archiving capabilities that can help organizations lower the cost of complying with internal and external data privacy and protection mandates

  • Entitlement reports with up-to-date snapshots of Oracle Database users, privileges, and profiles, which allow auditors to track changes to database access

  • Compliance reports to specifically address the Sarbanes-Oxley (SOX) Act, the Health Insurance Portability and Accountability Act (HIPAA), and Payment Card Industry (PCI) Data Security Standard (DSS) regulatory requirements for database activity monitoring and audit

  • Automated cleanup of audit trail data from supported Oracle and non-Oracle databases once that audit data has been securely consolidated in the Oracle Audit Vault repository, which helps reduce the operational costs of database auditing

Internally we call this new release the "Auditors' Release," since we consulted with numerous IT auditors to help ensure that the new entitlement and compliance-specific reports contain the information needed to pass real-world database audits, and the automation features required to streamline the way auditors really work. "Oracle Audit Vault reports contain the necessary information auditors are looking for when they conduct database compliance and security audits," says Joseph DeVita, Oracle Governance, Risk and Compliance leader at PricewaterhouseCoopers. "With support for Oracle and non-Oracle databases, Oracle Audit Vault provides a robust solution for enterprise database activity monitoring and audit."

Customers like Chase Paymentech agree. Listen here to learn how Chase Paymentech, one of the largest payment card processors, relies on Oracle Audit Vault to help address security and compliance requirements while avoiding costly infrastructure investments and third-party support hassles.

November 5, 2009

Oracle Database Vault Increases Security of SAP Application Data

Oracle Database Vault is now certified for use with SAP applications. With Oracle Database Vault, protective realms around SAP application database objects can be established to prevent privileged database users from accessing sensitive data and to enforce separation of duties among privileged database users.

Oracle Database Vault provides the following default realms to protect the SAP application and data within the database:

  • Application Protection Realms for the ABAP™ and Java stacks: protect all sensitive SAP business data against unauthorized access by privileged database users, and maintain the integrity of the SAP database structures;

  • Application Administration Realm for BR*Tools: protects the integrity of all Oracle Database objects, such as tables and indexes, that are used by BR*Tools, and guards against unauthorized changes by other privileged database users;

  • Application Protection Realm for Admin Roles: protects the SAP administration roles, including SAPCONN, SAPDBA, SAPCRED, and SAPSYS, from being granted by anyone other than the authorized administrator, and provides separation of duty; and

  • Application Credential Protection Realm: protects the SAP application credential data from unauthorized access or changes by privileged database users, and enhances separation of duty.

Using the certified Oracle Database Vault command rules for SAP, organizations can also ensure that database users cannot bypass SAP application security features and access SAP application data directly with ad-hoc database query tools; unlike a realm, a command rule applies even to the schema owner, so it constrains the application account itself as well as privileged users. Customers can further customize these default rules and add rules to address additional security requirements. Oracle Database Vault ships with numerous pre-defined factors and rule conditions, such as time of day, day of week and the connecting system's network address, and organizations can build custom factors using the Oracle Database Vault API (the DBMS_MACADM package).
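To show what a realm and a command rule look like when built by hand, here is an added example using the Oracle Database Vault administration API. It is not part of the original post and is not the certified SAP realm or command-rule set that Oracle ships; it is illustrative PL/SQL to be run as an account holding the DV_OWNER role. The schema name SAPSR3, the administrative account APPADMIN, the application-server subnet 10.0.5.x, the business-hours window and the rule, realm and rule-set names are all assumptions made for this example.

```sql
-- Added example (not from the original post, not Oracle's SAP-certified
-- configuration). Run as a Database Vault owner (DV_OWNER role).
-- SAPSR3, APPADMIN, the 10.0.5.x subnet and all object names are assumed.

-- 1. Rules: each is a SQL boolean expression evaluated per statement.
--    Factors such as Client_IP and Session_User are read via DVSYS.GET_FACTOR.
BEGIN
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Example From App Server Subnet',
    rule_expr => 'DVSYS.GET_FACTOR(''Client_IP'') LIKE ''10.0.5.%''');

  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Example Is Application Account',
    rule_expr => 'DVSYS.GET_FACTOR(''Session_User'') = ''SAPSR3''');

  -- Time-of-day and day-of-week conditions for an administrative change window.
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Example Business Hours',
    rule_expr => 'TO_NUMBER(TO_CHAR(SYSDATE, ''HH24'')) BETWEEN 7 AND 19');

  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Example Weekday',
    rule_expr => 'TO_CHAR(SYSDATE, ''DY'', ''NLS_DATE_LANGUAGE=AMERICAN'') '
              || 'NOT IN (''SAT'', ''SUN'')');

  -- 2. Rule set A: every rule must pass (EVAL_ALL); failures are audited
  --    and the caller sees the fail message.
  DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'Example App Server Access',
    description     => 'Application account connecting from the app servers',
    enabled         => DBMS_MACUTL.G_YES,
    eval_options    => DBMS_MACUTL.G_RULESET_EVAL_ALL,
    audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
    fail_options    => DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => 'Direct access to application data is not permitted',
    fail_code       => -20001,
    handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);

  DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'Example App Server Access',
    rule_name     => 'Example From App Server Subnet',
    rule_order    => 1,
    enabled       => DBMS_MACUTL.G_YES);

  DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'Example App Server Access',
    rule_name     => 'Example Is Application Account',
    rule_order    => 2,
    enabled       => DBMS_MACUTL.G_YES);

  -- Rule set B: administrative change window (weekday business hours).
  DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'Example Admin Change Window',
    description     => 'Schema maintenance only during the change window',
    enabled         => DBMS_MACUTL.G_YES,
    eval_options    => DBMS_MACUTL.G_RULESET_EVAL_ALL,
    audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
    fail_options    => DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => 'Schema maintenance is outside the change window',
    fail_code       => -20002,
    handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);

  DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'Example Admin Change Window',
    rule_name     => 'Example Business Hours',
    rule_order    => 1,
    enabled       => DBMS_MACUTL.G_YES);

  DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'Example Admin Change Window',
    rule_name     => 'Example Weekday',
    rule_order    => 2,
    enabled       => DBMS_MACUTL.G_YES);

  -- 3. Realm around the whole application schema. System privileges such as
  --    SELECT ANY TABLE or ALTER ANY TABLE held by DBAs no longer reach these
  --    objects; failed attempts are audited. '%' covers every object/type.
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'Example App Protection Realm',
    description   => 'Shields application objects from privileged DB users',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);

  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'Example App Protection Realm',
    object_owner => 'SAPSR3',
    object_name  => '%',
    object_type  => '%');

  -- The assumed admin account may manage realm objects (OWNER), but only
  -- while rule set B evaluates to true.
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'Example App Protection Realm',
    grantee       => 'APPADMIN',
    rule_set_name => 'Example Admin Change Window',
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_OWNER);

  -- 4. Command rule: SELECT on any SAPSR3 object is allowed only when rule
  --    set A passes, i.e. from the app servers as the application account.
  --    This is what stops ad-hoc query tools, including the schema owner
  --    connecting from a desktop.
  DBMS_MACADM.CREATE_COMMAND_RULE(
    command       => 'SELECT',
    rule_set_name => 'Example App Server Access',
    object_owner  => 'SAPSR3',
    object_name   => '%',
    enabled       => DBMS_MACUTL.G_YES);
END;
/
```

To check the result, connect as a DBA from a workstation and query a SAPSR3 table: the realm blocks the system privilege and the statement fails with ORA-01031 (insufficient privileges). Connect as SAPSR3 from the same workstation and the command rule fails instead, returning the rule set's fail message. Two caveats a practitioner should keep in mind: the Client_IP factor is only as trustworthy as the network path (an attacker who can reach the application-server subnet satisfies it), and realm protection in this form does not stop the object owner itself, which is why the command rule carries the owner-facing restriction.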

SAP application data can be further protected using Oracle Advanced Security, which was previously certified for SAP. Oracle Advanced Security provides Transparent Data Encryption, which encrypts data at rest so that it cannot be read from datafiles, backups or exports by someone who bypasses the database's access controls at the operating system or storage layer; it complements Oracle Database Vault, which protects SAP application data from users inside the database.

Download a free, evaluation version of Oracle Database Vault (terms, conditions and restrictions apply) and the Oracle Database Vault for SAP Resource Kit which includes demos, step-by-step tutorials, and more info to get you started.

October 23, 2009

No time for downtime but still want to be secure?

The October 2009 Critical Patch Update (CPU) was released earlier this week. Applying security patches is the foundation of database security, as Noel Yuhanna's Database Security Strategy report makes clear. But a lot of customers struggle to apply the quarterly CPU because 24x7 operational requirements allow them at most an hour or so of database downtime once or twice a year. So how do you apply security patches while still keeping your database running? Watch this...

October 11, 2009

Database Security at Oracle Open World

This year was a first. Today the first session in the IOUG track on the first day of Oracle Open World was all about data security. I think it really shows the increasing awareness among the Oracle Database community around data security. The session was a panel discussion on the 2009 IOUG Data Security Report published last week. The panel, moderated by Andy Flower, IOUG Executive Vice President, included Tanya Baccam, who teaches a great class on Oracle Database Security for SANS; Kim Floss, former IOUG President and Manager of Enterprise Database Services at Pepsi; and myself for Oracle. We had a very interactive discussion with really good questions and feedback from the audience. The session was recorded, so I will put up a link when it is available for those who couldn't make it out this year.

For those of you who are attending Oracle Open World this week, download the FocusOn Database Security schedule for database security sessions and workshops. I will be attending all days and hope to have an opportunity to meet many of you in person.

About

Roxana Bradescu is Sr. Product Marketing Director for Oracle Database Security. Roxana has more than 20 years of professional experience, and has held senior product marketing and management positions at VeriSign, Excite@Home, and Sun Microsystems as well as several startups which were subsequently acquired. She started her career at AT&T Bell Labs, where she worked on the NSF InterNIC Directory and Database Services and Network Management Expert Systems. She holds an MS in Computer Science from Columbia University in New York City, and a BS Summa Cum Laude in Econometrics from Georgia State University.
