By Mike Faden
High-profile breaches have propelled security to the top of the agenda at many organizations, as the combination of faster, more-damaging attacks, increasingly complex technology environments, and demanding regulatory requirements continues to create new security challenges.
“Today’s attacks are wide and varied,” says Vipin Samar, senior vice president of Oracle Database Security. “They range from targeting infrastructure and databases to targeting your applications and users.”
This means that to protect vital information assets, companies need controls at multiple levels across their entire environment—both in the cloud and on premises. “The hackers only need to be successful once to break in,” Samar says, “but your business needs to be successful all of the time in order to avoid a data breach. The only way to do this and keep our data safe is through defense in depth—with multiple controls, security on by default, automation, best practices, and a secure infrastructure.”
However, ensuring that a full range of effective controls is in place can be challenging. To address that challenge, Oracle Autonomous Database Cloud and other autonomous Oracle PaaS solutions start with built-in self-securing features. Oracle also offers database-specific security features and identity management solutions to help achieve true defense in depth.
The Secure Database
For organizations connecting their Oracle SaaS, custom SaaS, and PaaS solutions, security starts with Oracle Database cloud services. As Samar notes, hackers often target databases because that’s where the organization’s most sensitive data resides.
The protection provided by Oracle Database cloud services, including Oracle Autonomous Data Warehouse, begins with encrypting data at all times. “We encrypt your data everywhere—whether it is in SQL*Net traffic, data in tablespaces, or in backups,” Samar says. Encryption cannot be turned off, and encryption keys are managed automatically.
But while encryption is an essential tool—it prevents hackers from getting direct access to raw data—it closes off only one part of the organization’s attack surface, Samar says. If companies don’t patch on-premises systems with the latest security updates and other updates—because of downtime restrictions, patch testing requirements, or any other reason—they are still vulnerable. “For many organizations, patching is the biggest issue; that’s what they are struggling with,” he says.
With Oracle Database cloud services, security patches are automatically applied every quarter or as needed—narrowing the window of vulnerability. “By patching, we mean patching the full stack—including the firmware, the OS, clusterware, and the database,” Samar says. “By applying patches in a rolling fashion across the nodes of a cluster, there is no application downtime.” That lifts a huge burden from database administrators, who can then spend more time focusing on other aspects of security and data management. Oracle Autonomous Database Cloud services also continually monitor cloud administrator actions for any abnormal activity, and predefined policies for database auditing are turned on by default.
Locking Up the Crown Jewels
However, security is a shared responsibility, Samar says: although Oracle automates functions such as encryption and patching, organizations are still responsible for business-specific security functions such as securing users and ensuring sensitive data is appropriately protected. To facilitate those goals, Oracle provides a broad range of features and tools designed to help assess and control database security.
Among them is Oracle Database’s free Database Security Assessment Tool (DBSAT), which analyzes the database and reports findings such as the sensitive data stored, users along with roles and privileges, and configuration settings. For example, DBSAT discovers and reports sensitive healthcare and credit-card information. “Many people really don’t know how much sensitive data they have and how secure their database is,” Samar says. “It’s better that you assess your database’s security before the hackers do it for you.” Once the tool has identified potential problems, it makes recommendations for fixing them, he adds.
Multiple features in Oracle Database cloud services allow fine-grained control over data access. Data masking scrambles or masks sensitive data for test and development. “Even if the hackers succeed, they’ll get fake crown jewels,” Samar says. Data redaction lets organizations limit who can view sensitive data such as Social Security numbers. Oracle Virtual Private Database and Oracle Label Security allow control over which users can see which rows of data. And Oracle Database Vault restricts privileged users’ access to application data—reducing the risk of insider and external threats.
Mike Faden is a principal at Content Marketing Partners. He has covered business, technology, and science for more than 30 years as a writer, editor, consultant, and analyst. Faden is based in Portland, Oregon.