<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0">
   <channel>
      <title>Security Inside Out</title>
      <link>http://blogs.oracle.com/securityinsideout/</link>
      <description>The Inside Scoop on Oracle&apos;s Database Security Product Line</description>
      <language>en</language>
      <copyright>Copyright 2009</copyright>
      <lastBuildDate>Fri, 23 Oct 2009 16:09:02 -0800</lastBuildDate>
      <generator>http://www.sixapart.com/movabletype/</generator>
      <docs>http://blogs.law.harvard.edu/tech/rss</docs> 

      
      <item>
         <title>No time for downtime but still want to be secure?</title>
         <description><![CDATA[<p>The <a href="http://blogs.oracle.com/security/2009/10/october_2009_critical_patch_up.html">October 2009 Critical Patch Update (CPU) was released earlier this week</a>. Applying security patches is the foundation of Database Security as per <a href="http://www.oracle.com/corporate/analyst/reports/infrastructure/dbms/forrester-database-security.pdf">Noel Yuhanna's Database Security Strategy</a> report. But a lot of customers struggle with applying the quarterly CPU because of 7x24 operational requirements which prevent them from bringing their database down for more than an hour once or twice a year. So how do you apply security patches while still keeping your database running? Watch this...</p>

<center>
<object width="560" height="340"><param name="movie" value="http://www.youtube.com/v/mxgFWI24iiQ&hl=en&fs=1&"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><embed src="http://www.youtube.com/v/mxgFWI24iiQ&hl=en&fs=1&" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="560" height="340"></embed></object>
</center>]]></description>
         <link>http://blogs.oracle.com/securityinsideout/2009/10/no_time_for_downtime_but_still.html</link>
         <guid>http://blogs.oracle.com/securityinsideout/2009/10/no_time_for_downtime_but_still.html</guid>
        
          <category domain="http://www.sixapart.com/ns/types#category">Database Security</category>
        
        
         <pubDate>Fri, 23 Oct 2009 16:09:02 -0800</pubDate>
      </item>
      
      <item>
         <title>Database Security at Oracle Open World</title>
         <description><![CDATA[<p>This year was a first. Today the first session in the IOUG track on the first day of Oracle Open World was all about data security. I think it really shows the increasing awareness among the Oracle Database community around data security. The session was a panel discussion on the <a href="http://www.oracle.com/go/?&Src=6811199&Act=278&pcode=WWMK09047366MPP012">2009 IOUG Data Security Report</a> published last week. The panel, moderated by Andy Flower, IOUG Executive Vice President, included Tanya Baccam who teaches a great class on Oracle Database Security for SANS, Kim Floss, former IOUG President and Manager of Enterprise Database Services at Pepsi, and myself for Oracle. We had a very interactive discussion with really good questions and feedback from the audience. The session was recorded so I will put up a link when available for those who couldn't make it out this year.</p>

<p>For those of you attending Oracle Open World this week, download the <a href="http://www.oracle.com/ocom/groups/public/@ocompublic/documents/webcontent/034622.pdf">FocusOn Database Security</a> schedule for database security sessions and workshops. I will be attending all days and hope to have an opportunity to meet many of you in person.</p>]]></description>
         <link>http://blogs.oracle.com/securityinsideout/2009/10/database_security_at_oracle_op.html</link>
         <guid>http://blogs.oracle.com/securityinsideout/2009/10/database_security_at_oracle_op.html</guid>
        
          <category domain="http://www.sixapart.com/ns/types#category">Database Security</category>
        
        
          <category domain="http://www.sixapart.com/ns/types#tag">Oracle Open World 2009</category>
        
         <pubDate>Sun, 11 Oct 2009 10:58:15 -0800</pubDate>
      </item>
      
      <item>
         <title>Happy Friday!</title>
         <description><![CDATA[<p>No spoilers, just watch the video!</p>

<p><object width="425" height="344"><param name="movie" value="http://www.youtube.com/v/bkQvlKf0UFs&color1=0xb1b1b1&color2=0xcfcfcf&hl=en&feature=player_embedded&fs=1"></param><param name="allowFullScreen" value="true"></param><param name="allowScriptAccess" value="always"></param><embed src="http://www.youtube.com/v/bkQvlKf0UFs&color1=0xb1b1b1&color2=0xcfcfcf&hl=en&feature=player_embedded&fs=1" type="application/x-shockwave-flash" allowfullscreen="true" allowScriptAccess="always" width="425" height="344"></embed></object></p>]]></description>
         <link>http://blogs.oracle.com/securityinsideout/2009/10/happy_friday.html</link>
         <guid>http://blogs.oracle.com/securityinsideout/2009/10/happy_friday.html</guid>
        
          <category domain="http://www.sixapart.com/ns/types#category">Advanced Security</category>
        
          <category domain="http://www.sixapart.com/ns/types#category">Transparent Data Encryption</category>
        
        
         <pubDate>Fri, 02 Oct 2009 19:42:24 -0800</pubDate>
      </item>
      
      <item>
         <title>IOUG Data Security 2009 Report Published Today</title>
         <description><![CDATA[<p>The Independent Oracle Users Group (IOUG) today released its second annual database security study, <a href="http://www.oracle.com/go/?&Src=6811199&Act=278&pcode=WWMK09047366MPP012">"IOUG Data Security 2009: Budget Pressures Lead to Increased Risks"</a>.  The study conducted by Unisphere Research and sponsored by Oracle surveyed 316 members of the IOUG who oversee complex and multiple database sites, many with large volumes of data. Forty-two percent of those surveyed manage greater than 100 databases, and 20 percent manage in excess of 500 databases. The study found that companies made little headway in securing data over the past year. The economic downturn kept many companies from making necessary investments in security, while at the same time increases in outsourcing and off-shoring actually increased risks to enterprise data.</p>

<p>Among the key findings:</p>

<p>•  There has been a 50 percent increase in data breaches since last year and growing wariness of the potential for data security problems. However, the uncertain economic climate over the past year has put a damper on the availability of funding and staff time to address these issues. </p>

<p>There is pressure to do more with less and unfortunately in many cases less is actually being done. Only 28 percent of respondents reported receiving additional funding for their data security budgets - down a third from a year ago.</p>

<p>•  Managers see internal threats - such as access by unauthorized users - as more pressing than external hackers or viruses. Potential abuse of access privileges by IT staff also ranked highly as a perceived security risk and regulatory compliance issue. </p>

<p>Most organizations still do not have mechanisms in place to prevent database administrators and other privileged database users from reading or tampering with sensitive information in financial, HR, or other business applications. Most are still unable to even detect such breaches or incidents. </p>

<p>•  Outsourcing of database administration, development and testing functions has increased by up to 40 percent over the past year. More outsourcing and off-shoring without adequate security has also resulted in organizations unintentionally exposing data to additional risks.</p>

<p>•  Close to half of organizations employ actual production data within non-production environments, thereby exposing this information in unsecured settings. To make matters worse, there has been a decline in companies "de-identifying" such sensitive data. A third even ship live un-encrypted production data offsite.</p>

<p>•  Overall, corporate management is still complacent about data security. One out of four cited lack of management commitment and lax procedures. Efforts to address data security are still ad hoc and manual. Organizations are not addressing database security as part of an overall database security strategy and making the most of limited budgets. </p>

<p>You can <a href="http://www.oracle.com/go/?&Src=6811199&Act=278&pcode=WWMK09047366MPP012">download the full report here</a> and <a href="http://www.dbta.com/WebEvents/oracle/06oct2009/or2">join us</a> for a complimentary live webcast on October 06, 2009 at 1:00 pm PDT, 4:00 pm EDT hosted by the IOUG to discuss the survey findings and cost-effective solutions to mitigate risks to enterprise data and Oracle databases. </p>

<p><a href="http://www.dbta.com/WebEvents/oracle/06oct2009/or2">Register now</a> and receive the special white paper "Investing in Database Security Pays Off" when you attend the webcast. This whitepaper includes exclusive survey results that quantify the costs of "data insecurity" and solutions organizations can deploy today to reduce the cost of securing their data and achieving regulatory compliance.<br />
</p>]]></description>
         <link>http://blogs.oracle.com/securityinsideout/2009/09/ioug_data_security_2009_report.html</link>
         <guid>http://blogs.oracle.com/securityinsideout/2009/09/ioug_data_security_2009_report.html</guid>
        
          <category domain="http://www.sixapart.com/ns/types#category">Database Security</category>
        
          <category domain="http://www.sixapart.com/ns/types#category">FREE Database Security Events</category>
        
        
         <pubDate>Wed, 30 Sep 2009 22:14:19 -0800</pubDate>
      </item>
      
      <item>
         <title>Your Enterprise Database Security Strategy for 2010</title>
         <description><![CDATA[<p>Noel Yuhanna from Forrester has just published a fantastic report on database security entitled <a href="http://www.oracle.com/corporate/analyst/reports/infrastructure/dbms/forrester-database-security.pdf">Your Enterprise Database Security Strategy for 2010</a> that I would encourage everyone to read.</p>

<p>There's been a lot written on individual point solutions like database encryption or database activity monitoring. But I think this kind of analysis causes more harm than good and a lot of it is based on misconceptions. Not to name names, but I know there was at least one analyst out there that for quite a while was telling clients that database activity monitoring can be used as a compensating control for database encryption. Good luck passing PCI compliance with that! The unfortunate thing is that customers do often end up buying point solutions that they later figure out don't provide all the data protection they need, don't meet their compliance requirements, cause database stability and performance problems since they are not well integrated, and will cost a small fortune to deploy and scale. </p>

<p>What makes this Forrester report so useful is that it's basically a blueprint for database security. It identifies all the areas of database security that organizations need to consider upfront. You don't need to deploy everything at once but it's important to understand the big picture so you can prioritize and formulate an actionable database security plan. More to come on this topic. Approaching database security strategically not only saves time and money, but ensures that you are truly protecting your data, since defense-in-depth is really the key to database security.</p>]]></description>
         <link>http://blogs.oracle.com/securityinsideout/2009/09/your_enterprise_database_secur.html</link>
         <guid>http://blogs.oracle.com/securityinsideout/2009/09/your_enterprise_database_secur.html</guid>
        
          <category domain="http://www.sixapart.com/ns/types#category">Database Security</category>
        
        
         <pubDate>Tue, 29 Sep 2009 19:32:43 -0800</pubDate>
      </item>
      
      <item>
         <title>Are you doing less with less?</title>
         <description><![CDATA[<p>Unfortunately it seems like many organizations are when it comes to security. Although data security is still top priority for all the IT groups I talk to, their budgets are flat, and quite frankly they are failing to keep up. A lot of what they do is still manual and reactive. </p>

<p>Secure database configuration is a great example. Many organizations still run point solution tools or home-grown scripts on an ad-hoc basis. When they run them they have to manually compare results to the last time they ran them to see changes, and often times the scripts and tools don't flag security vulnerabilities like unchanged default passwords or open ports, much less create tickets so that the problems can be fixed. This whole process can be easily automated with <a href="http://www.oracle.com/database/security/secure-configuration">Oracle Configuration Management Pack</a>. </p>

<p>But this was just one example. Where I was going with this is that in these challenging economic times, IT groups need to make the most of their resources and approach database security holistically and with budget in mind. To actually do more with less, your organization needs to formulate a comprehensive database security strategy, an effective plan, and tools that will save you time and money. Sounds good, right? </p>

<p>How do I get there you ask? I am so glad you asked ;-) <a href="http://www.networkworld.com/OracleSepWC1">Join us for a live online event</a> with guest speaker <a href="http://www.forrester.com/rb/analyst/noel_yuhanna">Noel Yuhanna, Principal Analyst at Forrester Research</a> to learn more. Space is limited so don't wait to <a href="http://www.networkworld.com/OracleSepWC1">register</a>.</p>]]></description>
         <link>http://blogs.oracle.com/securityinsideout/2009/08/are_you_doing_less_with_less.html</link>
         <guid>http://blogs.oracle.com/securityinsideout/2009/08/are_you_doing_less_with_less.html</guid>
        
        
         <pubDate>Mon, 31 Aug 2009 16:49:26 -0800</pubDate>
      </item>
      
      <item>
         <title>Reminder to sign up for North America Security Summit</title>
         <description><![CDATA[<p>Don't forget to register for NetworkWorld's Security Inside Out Summit, exclusively hosted by Oracle in nine North America cities. When you attend, you'll meet industry experts, and learn about:</p>

<p>• New approaches to identity management and database security<br />
• Proven practices for securing applications and data<br />
• Strategies for automating compliance auditing and reporting<br />
• Advancements in online fraud prevention and entitlements management<br />
• Transparent data encryption and privileged user controls you can deploy today</p>

<p>To register, click <a href="http://www.networkworld.com/RMS9ORUNIQUE3">here</a>. And don't wait, space is limited!</p>]]></description>
         <link>http://blogs.oracle.com/securityinsideout/2009/08/reminder_to_sign_up_for_north.html</link>
         <guid>http://blogs.oracle.com/securityinsideout/2009/08/reminder_to_sign_up_for_north.html</guid>
        
        
         <pubDate>Thu, 13 Aug 2009 20:04:21 -0800</pubDate>
      </item>
      
      <item>
         <title>Learn how customers rely on Oracle to protect their business</title>
         <description><![CDATA[<p>The most recent issue of Oracle Magazine features a great article on Oracle customers that rely on Oracle Database Security and Identity Management solutions to protect their business. Click <a href="http://www.oracle.com/technology/oramag/oracle/09-sep/o59secure.html">here</a> to read it now.</p>]]></description>
         <link>http://blogs.oracle.com/securityinsideout/2009/08/learn_how_customers_rely_on_or.html</link>
         <guid>http://blogs.oracle.com/securityinsideout/2009/08/learn_how_customers_rely_on_or.html</guid>
        
          <category domain="http://www.sixapart.com/ns/types#category">Advanced Security</category>
        
          <category domain="http://www.sixapart.com/ns/types#category">Customers</category>
        
          <category domain="http://www.sixapart.com/ns/types#category">Database Security</category>
        
          <category domain="http://www.sixapart.com/ns/types#category">Database Vault</category>
        
          <category domain="http://www.sixapart.com/ns/types#category">Transparent Data Encryption</category>
        
        
         <pubDate>Thu, 13 Aug 2009 19:53:16 -0800</pubDate>
      </item>
      
      <item>
         <title>North America Security Summit Coming to a Location Near You!</title>
         <description><![CDATA[<p>With tightened budgets, how can you improve information security while complying with regulatory mandates? And save money? The answers are at NetworkWorld’s Security Inside Out Summit, exclusively hosted by Oracle in nine North America cities. When you attend, you’ll meet industry experts, and learn about:</p>

<p>• New approaches to identity management and database security<br />
• Proven practices for securing applications and data<br />
• Strategies for automating compliance auditing and reporting<br />
• Advancements in online fraud prevention and entitlements management<br />
• Transparent data encryption and privileged user controls you can deploy today</p>

<p>To register, click <a href="http://www.networkworld.com/RMS9ORUNIQUE3">here</a>. And don't wait, space is limited!</p>]]></description>
         <link>http://blogs.oracle.com/securityinsideout/2009/07/north_america_security_summit_coming_to_a_location_near_you.html</link>
         <guid>http://blogs.oracle.com/securityinsideout/2009/07/north_america_security_summit_coming_to_a_location_near_you.html</guid>
        
          <category domain="http://www.sixapart.com/ns/types#category">FREE Database Security Events</category>
        
        
         <pubDate>Fri, 31 Jul 2009 08:00:00 -0800</pubDate>
      </item>
      
      <item>
         <title>Got Jello? (Shots ;-)</title>
         <description><![CDATA[<p>It's Thursday July 30. You're in San Diego attending <a href="http://www.catalyst.burtongroup.com/">Burton Group's Catalyst Conference</a>. You're enjoying the sessions, learning a lot, etc. etc. But what's really on your mind is which vendor hospitality suite are you going to tonight ;-) So let me help you answer that so you can focus on the sessions: the don't-miss hospitality suite tonight will be the <a href="http://www.catalyst.burtongroup.com/Na09/HospitalityMiniSites/Oracle/Oracle.html">Oracle CSI (Catalyst Security Interactive) Research Lab</a>. I don't want to spoil the surprise, but hope you like jello! </p>

<center>
<img src="http://www.catalyst.burtongroup.com/Na09/HospitalityMiniSites/Oracle/OracleImages/09027064_CSI_image.gif">
</center>

<p>See you there!!!</p>]]></description>
         <link>http://blogs.oracle.com/securityinsideout/2009/07/got_jello_shots_-.html</link>
         <guid>http://blogs.oracle.com/securityinsideout/2009/07/got_jello_shots_-.html</guid>
        
          <category domain="http://www.sixapart.com/ns/types#category">FREE Database Security Events</category>
        
        
         <pubDate>Thu, 30 Jul 2009 08:00:00 -0800</pubDate>
      </item>
      
      <item>
         <title>Deploying Oracle Database Vault to protect JD Edwards Application Data Just Got Easier</title>
         <description><![CDATA[<p><a href="http://www.oracle.com/database/security/database-vault/">Oracle Database Vault</a> has now been certified with Oracle JD Edwards EnterpriseOne and you can download default policies to make deployment even easier. The default policies will establish the following realms:</p>
<ul>
<li>Application Protection Realm to prevent privileged users from accessing sensitive information;</li>
<li>Configuration Protection Realm to protect the application meta data against unauthorized changes; and,</li>
<li>Command Rule to authorize the JD Edwards application connections to the Oracle Database based on IP address and client application.</li>
</ul>

<p>What do these policies do? The first one limits privileged database users like DBAs from accessing the application data. They can still perform operational database functions but just can't read or update the data.</p>

<p>The second one protects the application itself by making sure there are no unauthorized changes to the application meta data that determines application behavior.</p>

<p>The third policy prevents users from accessing the application data stored in the database from their desktop using Toad or some other ad-hoc query tool they can just download off the Internet.</p>

<p>Database Vault works inside the Oracle database so it's transparent to the JD Edwards applications. The default policies are just to get you started and make deployment faster. You can also add additional policies or customize the default ones. With <a href="http://www.oracle.com/technology/deploy/security/database-security/database-vault/database-vault-solutions.html">Database Vault</a> you can pretty much control every aspect of who, how, where, and when data is accessed so you can enforce pretty much any database security policy. For example, one customer added a policy that prevents any JD Edwards EnterpriseOne schema changes during their business hours.</p>

<p>You can read the full announcement <a href="http://www.oracle.com/us/corporate/press/022207">here</a> and learn more about Oracle Database Vault by downloading our <a href="http://www.oracle.com/go/?&Src=6811199&Act=66&pcode=WWMK09047366MPP011">free resource kit</a>.</p>]]></description>
         <link>http://blogs.oracle.com/securityinsideout/2009/07/deploying_oracle_database_vaul_1.html</link>
         <guid>http://blogs.oracle.com/securityinsideout/2009/07/deploying_oracle_database_vaul_1.html</guid>
        
          <category domain="http://www.sixapart.com/ns/types#category">Database Vault</category>
        
        
         <pubDate>Wed, 29 Jul 2009 10:29:31 -0800</pubDate>
      </item>
      
      <item>
         <title>Oracle at Gartner Information Security Summit</title>
         <description><![CDATA[<p>Oracle is proud to be a platinum sponsor at this year’s <a href="http://www.oracle.com/go/?&Src=6773903&Act=5&pcode=NAMK09024170MPP002">Gartner Information Security Summit, June 29-July 1, in Washington, DC</a>. We will be showcasing our <a href="http://www.oracle.com/database/security">Database Security</a> and <a href="http://www.oracle.com/identity">Identity Management</a> solutions in our booth, so please stop by to talk to our product experts, and get a demo of our latest products. Also don’t forget to attend our session, IT Security Stories, Tues 1:30 to learn how Oracle can provide a complete solution for protecting data and applications from many different kinds of internal and external threats. </p>]]></description>
         <link>http://blogs.oracle.com/securityinsideout/2009/06/oracle_at_gartner_information.html</link>
         <guid>http://blogs.oracle.com/securityinsideout/2009/06/oracle_at_gartner_information.html</guid>
        
        
         <pubDate>Wed, 24 Jun 2009 19:50:20 -0800</pubDate>
      </item>
      
      <item>
         <title>Making the Business Case for Database Security</title>
         <description><![CDATA[<p>According to a recent report by Forrester Research, data security is cited as a top priority by the organizations surveyed, and it is getting the largest share of enterprise IT budgets for the coming year. Since most mission-critical data is managed in databases, this means organizations need to focus on securing their databases more than ever. Doing business is hard enough without the negative publicity and loss of business associated with data breaches and regulatory failures. Data security is critical to maintaining your customers’ and partners’ trust. To learn how securing your databases will save your organization money and facilitate business initiatives, <a href="http://event.on24.com/r.htm?e=136277&s=1&k=B86C3A95F2A87AA0DCBF1E5B40982AEF&partnerref=blog">register</a> for this free live webcast featuring guest speaker <a href="http://www.forrester.com/rb/analyst/jonathan_penn">Jonathan Penn from Forrester Research</a> on Thursday, March 26, 11 am PT/2 pm ET.</p>]]></description>
         <link>http://blogs.oracle.com/securityinsideout/2009/03/making_the_business_case_for_d.html</link>
         <guid>http://blogs.oracle.com/securityinsideout/2009/03/making_the_business_case_for_d.html</guid>
        
        
         <pubDate>Wed, 11 Mar 2009 10:10:12 -0800</pubDate>
      </item>
      
      <item>
         <title>Things the auditor saw and what you can do to make sure they don’t see them again</title>
         <description><![CDATA[<p>CIO Insight put together this great security slideshow: <a href="http://www.cioinsight.com/c/a/Security/10-Things-the-Security-Auditor-Saw/">10 Things the Security Auditor Saw </a>based on Deloitte's 6th Annual Global Security Survey discussing the top priorities and problems revealed by internal and external audits.</p>

<p>Top on the list was excessive access rights. Often times organizations grant individuals or applications access to more information than they really need to perform their function. Since databases are the primary repositories for information in most organizations, this is actually most often the case at the database level. This is exactly why Oracle developed Oracle <a href="http://www.oracle.com/database/database-vault/">Database Vault</a>. With Oracle Database Vault organizations can enforce least privilege by setting up protection realms inside their database that restrict access to data to any user, including privileged database users such as DBAs or applications with DBA privileges. So for example using Oracle Database Vault, an organization can allow a DBA to manage a database without actually being able to read or change the information in that database. Oracle Database Vault does not require any changes to existing applications so it represents a very cost-effective and easy to deploy way to remediate this issue.</p>

<p>Second on the list was segregation of duties since lack of segregation of duties allows people to circumvent controls. Oracle Database Vault also enforces segregation of duties. Out of the box, Oracle Database Vault separates responsibilities and functions that conflict with one another such as database account creation, privilege grants, and other database management functions. <a href="http://www.oracle.com/database/aduit-vault/">Oracle Audit Vault</a> can also be used as a detective control for segregation of duties by allowing a separate organization or IT auditor to monitor database activity across all Oracle and non-Oracle databases in the organization. Oracle Audit Vault can detect and alert on unauthorized activities such as account creation or access to application data that circumvents the application by any user, even privileged users. </p>

<p>Third on the list was access control to ensure users only have access to the systems and information they need to do their jobs. Managing user access to systems can be achieved at the enterprise level using an <a href="http://www.oracle.com/products/middleware/identity-management/identity-management.html">identity management solution</a> or at the database level using an Oracle Database Vault “connect” rule. But restricting system access is not enough since it’s not just the system we’re trying to protect - we need to protect the information. Organizations need to look at database controls to ensure users only have access to the information that they need to do their job. With Oracle Database Vault you can set up command rules that take into account multiple factors such as time of day, application being used to access information in the database, where the application is running, etc. to determine whether to grant access to information. For example, access to HR information might only be granted during business hours to HQ users accessing the data through the HR application. Users trying to access that data using an ad-hoc reporting tool or from a remote location would be denied access. <a href="http://www.oracle.com/database/advanced-security/">Oracle Advanced Security</a> can also be used for strong authentication to restrict access to the database to users that have been issued a PKI certificate or a physical device like an OTP token or smart card. </p>

<p>Number four on the list was lack of audit trails/logging with number seven being lack of review of audit trails. As you can see from past blog posts, between 30-50% of the folks we survey still don’t have database auditing turned on and many who do don't actually monitor the database trail. Everyone should have native auditing turned on and be monitoring for at least the basic stuff like failed logins, DDL changes, direct access to sensitive data, etc. Of course if no one is looking at that audit trail that’s not going to help a lot. Again this is where you want to consider the use of Oracle Audit Vault. With Oracle Audit Vault you can automate the collection and analysis of that audit data. You can set up alerts on exceptions and you can centrally manage audit policies across multiple databases to make sure you are generating audit trails for all your databases.</p>

<p>Number six was excessive developer access to production data and number nine was the use of production data in testing. We already talked about how user access to systems can be restricted so you can keep developers out of production environments, but the challenge is really around keeping production data out of development environments. With <a href="http://www.oracle.com/database/data-masking/">Oracle Data Masking</a>, sensitive production data such as credit card or social security numbers can be replaced with realistic values, allowing production data to be safely used for development, testing, or sharing with out-sourcing partners or off-shore organizations for other non-production purposes. Oracle Data Masking uses a library of templates and format rules, consistently transforming data in order to maintain referential integrity for applications. </p>

<p>So if your auditor saw any of these issues, you can make sure they don’t see them again.</p>]]></description>
         <link>http://blogs.oracle.com/securityinsideout/2009/02/things_the_auditor_saw_and_wha_1.html</link>
         <guid>http://blogs.oracle.com/securityinsideout/2009/02/things_the_auditor_saw_and_wha_1.html</guid>
        
        
         <pubDate>Tue, 17 Feb 2009 14:26:34 -0800</pubDate>
      </item>
      
      <item>
         <title>More than half still not encrypting sensitive regulated data in all their databases</title>
         <description><![CDATA[<p>We ran some polls during the Network webcast we did last week, Information Security for Database Administrators. (If you missed it, the replay is available <a href="http://w.on24.com/r.htm?e=130323&s=1&k=5415F53FACAE159FDADF91031F5CBFB4 ">here</a>)</p>

<p>One of the polls was <em>"Are you encrypting sensitive information such as credit card and social security numbers in all databases across your organization?"</em> We had 61 responses, and 34 answered <strong>NO</strong>. Although 27 of the folks on our webcast answered yes, the <a href="http://www.oracle.com/go/?&Src=6642149&Act=212&pcode=NAMK08041102MPP043">2008 IOUG Data Security Report</a> a few months back actually indicated that the number out there is more like a third. One of the main reasons we find is that production data containing live social security numbers or credit cards is being copied to non-production databases for development and test purposes.</p>

<p>We are going to be talking more about this topic in a live webcast on how to "<a href="https://conference.oracle.com/imtapp/app/conf_enrollment.uix?mID=133927731">Protect Sensitive Data Using Encryption and Masking</a>" this Thursday at 2:30 EST/11:30 PST. You can register <a href="https://conference.oracle.com/imtapp/app/conf_enrollment.uix?mID=133927731">here</a>.</p>

<p>The second question we asked was "<em>Are you using native database auditing to detect failed logins, DDL changes, or other suspicious activities?</em>" with a follow-up question of <em>"Are you monitoring database audit logs to detect security threats in real-time?"</em> We had 67 responses, 32 indicated they were auditing their databases, but only 25 were actually monitoring those audit logs. </p>

<p>In the webcast, we discussed the importance of using tools like <a href="http://www.oracle.com/database/audit-vault">Oracle Audit Vault</a> to automate the monitoring of audit data in order to detect and alert on security threats in real-time. Also having all that audit data securely stored in a centralized warehouse saves lots of time and money when generating regulatory audit reports. If you want to see a demo of Oracle Audit Vault, you can <a href="http://events.oracle.com/search/search?start=&pageHitCount=10&group=Events&keyword=oracle+gurus+database+security">register here</a> to attend one of our weekly demos in February.</p>

<p>Well that's it for now, I will be posting some follow-up to some of the questions asked on this and other recent webcasts. Stay tuned...</p>]]></description>
         <link>http://blogs.oracle.com/securityinsideout/2009/02/more_than_half_still_not_encry.html</link>
         <guid>http://blogs.oracle.com/securityinsideout/2009/02/more_than_half_still_not_encry.html</guid>
        
        
         <pubDate>Mon, 09 Feb 2009 12:07:07 -0800</pubDate>
      </item>
      
   </channel>
</rss>
