X

Cloud Security Perspectives and Insights

Enhancing EBS Security in Oracle Cloud - Part 5

Paul Toal
Distinguished Solution Engineer - Cyber Security

Welcome to the fifth article in my series on “Enhancing EBS Security on OCI”. We are now nearing the end of this series, which I hope you are finding useful.

So far, we have covered a range of preventative and detective controls that offer protection for EBS, or more broadly, your enterprise applications. In this article, we are going to start to look beyond the front-end of your application and ask how we protect some of the underpinning components. In this article, we will be looking at the threat of Application Bypass.

               

Up until now, other than Infrastructure Attack, we have concentrated on users (and/or attackers) accessing EBS through the front door. We have looked at how we ensure users are authenticated and authorised appropriately, as well as how we ensure that your enterprise application is running, performing well, and not subject to direct attacks against it.

But, what if a user is able to bypass the application’s front end? After all, your application’s front-end (or mid-tier) doesn’t contain the valuable asset, your data. That sits in the database that supports it. Therefore, ensuring you have the right level of protection on the database itself supports the fundamental principle of defence in depth. It also supports Oracle’s belief that security should be pushed down the stack, as close to the data as possible, before then layering controls up from there.

The good news is that if you are running EBS, then you will be running the Oracle Database, which means that you already have a fantastic database, offering great security controls. Not only are there a large number of security capabilities built into the database natively and provided, as part of the core database, but there are also many additional security options to mitigate specific risks and attack vectors.  

For example, let have a quick look at some of the security capabilities included with Oracle Database Enterprise Edition.

  • Fine-grained auditing – as the name suggests, lets you define audit policies with granular conditions.
  • Secure authentication – enables a number of different options to be used to authenticate to the Oracle Database,e.g. Kerberos, RADIUS, SSL
  • Privilege Analysis – dynamically analyse privileges and role usage for database users and application service accounts, and report on which were and weren’t used.
  • Network Encryption – on the wire encryption for database traffic
  • Enterprise User Security – Centralising management of database users and authorisations
  • Real Application Security – enables declarative security policies with end-to-end security for multitier applications
  • Virtual Private Database – uses application context to enforce sophisticated row and/or column level security requirements

N.B. Not all features listed above are certified with all enterprise applications. Check your specific enterprise application documentation for certification information. For EBS, you will find a great source of certification information here.

If you want to learn more about Oracle Database Security capabilities, have a look here.

In addition to the above features, there are also a number of Database security options, including:

  • Advanced Security – allows you to encrypt data at rest (including backups etc), as well as offering data redaction.
  • Label Security – provides row level security for your data based on privileges
  • Database Vault – provides fine-grained access control to your data, including protecting data from privileged users in the database.
  • Audit Vault and Database Firewall – provides centralised monitoring of database activity as well as protection from SQL injection attacks.
  • Data Masking and Subsetting – allows you to de-sensitize sensitive data for non-production environments, as well as subset the data to provide smaller test sets.

Of course, not everyone needs every security tool. As with all security controls, it is about mitigating the identified risks down to an acceptable level. That risk will be determined, in part, by the type of information you are storing. That data’s sensitivity will help determine which controls are needed. For example, you might apply a model similar to the one in the diagram below, to map a standard set of security controls to different sets of data.

               

By now I hear some of you asking, “Why is this relevant to the subject of move and improve?” In one sense, none of the security controls above are new, and are in place already for many customers. N.B If you are not familiar with Oracle Database Security, there is a great technical primer here.

However, for the database security options I talked about above, there is a cost associated with using them. In the traditional on-premise world that means licensing each option you want to use. As part of a move and improve strategy for your enterprise applications, you may be looking move your database into one of Oracle’s Database-as-a-Service platforms, like ExaData Cloud Service. This can provide a number of benefits such as simplified administration. However, security is also one of the areas that can take advantage of this.

For example, in every edition of Oracle Database Cloud Service, encryption at rest is included and enabled by default. There is no additional charge for using this. Therefore, immediately you are gaining benefit from your data being encrypted at rest, even if you haven’t previously being using Transparent Data Encryption (TDE). If you have been using Standard Edition of Oracle Database previously, then TDE wasn’t even an option for you, as it required Enterprise Edition as a minimum. However, in Oracle Cloud, TDE is even enabled for Database Cloud Service Standard Edition.

In addition, Oracle Database Cloud Service comes with a number of security options bundled with the different editions. The table below shows a summary.

          

In addition to the security options that are included with Database Cloud Service, hot off the press, you may have seen the announcement at Oracle OpenWorld 2019 about the new Data Safe cloud service that has been released and is now generally available in all Oracle Cloud regions. As the announcement states:

"Data Safe is a unified control center for your Oracle Databases which helps you understand the sensitivity of your data, evaluate risks to data, mask sensitive data, implement and monitor security controls, assess user security, monitor user activity, and address data security compliance requirements. Whether you're using Oracle Autonomous Database or Oracle Database Cloud Service (Exadata, Virtual Machine, or Bare Metal), Data Safe delivers essential data security capabilities as a service on Oracle Cloud Infrastructure."

Best of all, Data Safe is free to use for Oracle Cloud Databases. There is no additional cost for the service (except storage if you are capturing large amounts of audit data).

Therefore, with the various Oracle Database Cloud Services and their built-in security options, together with the new Data Safe, it has never been easier to start using security options like Database Vault to mitigate risks to your sensitive data.

In summary, if you are looking at a move and improve strategy for your enterprise applications like EBS, the moving from a traditional database that you install and manage yourself, to a cloud service like Oracle Database Cloud Service can offer a number of benefits, not least of which is security and the security capabilities and tooling that is provided with this service.

Be the first to comment

Comments ( 0 )
Please enter your name.Please provide a valid email address.Please enter a comment.CAPTCHA challenge response provided was incorrect. Please try again.