
Cloud Security Perspectives and Insights

Plug into Defense-in-Depth with Oracle Database 12c

Designed for the cloud, the new multitenant architecture of Oracle Database 12c enables customers to greatly simplify and accelerate database consolidation by managing hundreds of databases as one. To protect the unprecedented amounts of data customers will store in these databases, Oracle Database 12c also introduces more security capabilities than any previous Oracle Database release.

“Oracle Database 12c represents a complete shift in database technology. With the growing amount of stored data, these new multitenant databases will be targeted by both hackers and insiders, and scrutinized by auditors more than ever,” says Vipin Samar, vice president, database security product development, Oracle. “It’s imperative that customers take advantage of the new security capabilities in Oracle Database 12c to protect their data and database infrastructure.”

Key new capabilities to help customers mitigate risks and address compliance requirements include:

Data Redaction. Part of Oracle Advanced Security, Data Redaction complements transparent data encryption (TDE) by ensuring sensitive data is not exposed to users of existing applications. While TDE protects stored data from database-bypass attacks at the operating system level, Data Redaction conditionally redacts sensitive data in the outgoing result set, replacing the original values with ****, or with any other fixed or random string chosen to meet the customer's requirements. Data is redacted according to simple declarative policies that take rich database session context into account, such as IP address, program name, and application user. The stored data and existing operational procedures remain unaltered.
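The following is an added example, not code from the original post or from Oracle's documentation. It shows a Data Redaction policy of the kind described above, defined with the DBMS_REDACT package on a hypothetical HR.EMPLOYEES table; the schema, table, column names, the HR_APP account and the 10.0.0.5 application-server address are all assumptions made for illustration.

```sql
-- Added example (not part of the original post): a Data Redaction policy on a
-- hypothetical HR.EMPLOYEES table. Schema, table, column names, the HR_APP
-- account and the 10.0.0.5 application-server address are constructed.
BEGIN
  -- Partially redact the SSN column: mask digit positions 1-5 with '*' and
  -- keep the last four (nnn-nn-nnnn is returned as ***-**-nnnn).
  DBMS_REDACT.ADD_POLICY(
    object_schema       => 'HR',
    object_name         => 'EMPLOYEES',
    column_name         => 'SSN',
    policy_name         => 'redact_ssn_outside_app',
    function_type       => DBMS_REDACT.PARTIAL,
    function_parameters => 'VVVFVVFVVVV,VVV-VV-VVVV,*,1,5',
    -- Session-context condition: redaction applies unless the session is the
    -- application account connecting from the application server.
    expression          => 'SYS_CONTEXT(''USERENV'',''SESSION_USER'') != ''HR_APP'' OR SYS_CONTEXT(''USERENV'',''IP_ADDRESS'') != ''10.0.0.5''',
    enable              => TRUE);

  -- Extend the same policy to a second column with full redaction
  -- (numeric columns are returned as zero for sessions matching the expression).
  DBMS_REDACT.ALTER_POLICY(
    object_schema => 'HR',
    object_name   => 'EMPLOYEES',
    policy_name   => 'redact_ssn_outside_app',
    action        => DBMS_REDACT.ADD_COLUMN,
    column_name   => 'SALARY',
    function_type => DBMS_REDACT.FULL);
END;
/

-- Verify which policy and which columns are in force on the table.
SELECT p.object_owner, p.object_name, p.policy_name, p.enable,
       c.column_name, c.function_type
  FROM redaction_policies p
  JOIN redaction_columns  c
    ON c.object_owner = p.object_owner
   AND c.object_name  = p.object_name;
```

Because the expression is evaluated per query against session context, the policy is only as strong as the context it tests: IP address and program name are client-supplied and can be spoofed, so they narrow exposure rather than authenticate a caller. Keep in mind too that accounts holding the EXEMPT REDACTION POLICY privilege see unredacted data, so that grant should be reviewed alongside the policy itself.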

Privilege Analysis. Part of Oracle Database Vault, Privilege Analysis can harden database access by identifying users’ or applications’ unused privileges and roles, based on the roles and privileges actually exercised at runtime on production servers. Over time, applications and users typically amass powerful privileges and roles that may no longer be necessary. Finding the set of roles and privileges in use is important because it identifies the minimal set required and allows the unused privileges to be revoked, reducing the attack surface.
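As an added example that is not part of the original post, the following shows the capture-then-review workflow described above, using the DBMS_PRIVILEGE_CAPTURE package and the DBA_UNUSED_PRIVS / DBA_USED_PRIVS views. The capture name hr_app_capture and the HR_APP account are assumptions; running it requires the CAPTURE_ADMIN role.

```sql
-- Added example (not part of the original post): a context-based privilege
-- capture limited to the hypothetical HR_APP application account.
-- Capture and account names are constructed; requires the CAPTURE_ADMIN role.
BEGIN
  DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE(
    name        => 'hr_app_capture',
    description => 'Privileges actually exercised by HR_APP in production',
    type        => DBMS_PRIVILEGE_CAPTURE.G_CONTEXT,
    condition   => 'SYS_CONTEXT(''USERENV'',''SESSION_USER'') = ''HR_APP''');
  DBMS_PRIVILEGE_CAPTURE.ENABLE_CAPTURE(name => 'hr_app_capture');
END;
/

-- Leave the capture running through a representative production period
-- (month-end batch, reporting cycles) so that rarely used privileges are seen.

BEGIN
  DBMS_PRIVILEGE_CAPTURE.DISABLE_CAPTURE(name => 'hr_app_capture');
  DBMS_PRIVILEGE_CAPTURE.GENERATE_RESULT(name => 'hr_app_capture');
END;
/

-- Privileges HR_APP holds but never exercised during the capture:
-- the candidates for revocation.
SELECT username, used_role, sys_priv, obj_priv, object_owner, object_name
  FROM dba_unused_privs
 WHERE capture = 'hr_app_capture'
 ORDER BY username, used_role, sys_priv, obj_priv;

-- For comparison, what was actually used: the minimal set to keep.
SELECT username, used_role, sys_priv, obj_priv, object_owner, object_name
  FROM dba_used_privs
 WHERE capture = 'hr_app_capture';

-- Once the unused grants have been revoked and verified, remove the capture.
BEGIN
  DBMS_PRIVILEGE_CAPTURE.DROP_CAPTURE(name => 'hr_app_capture');
END;
/
```

The result is only as complete as the capture window: a privilege needed by a quarterly job or a recovery procedure that never ran while the capture was enabled is reported as unused. Revoke in stages, keep the used-privilege report as the justification for what remains, and re-run the capture after the application changes.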

Database Vault also enables customers to realize the full potential of Oracle Database 12c multitenant-based consolidation by preventing common database administrators from accessing application data stored in a pluggable database. With three distinct separation-of-duty controls, Database Vault is critical to regulatory compliance in multitenant environments.

Conditional Auditing. Oracle Database 12c introduces a new auditing framework that creates audit records based on the context of the database session. For example, an audit policy can be defined to audit all SQL statements unless they come from the application server’s IP address with a given program name. Out-of-policy connections are fully audited while no audit data is generated for the others, enabling highly selective and effective auditing.

New roles have been introduced for managing audit data and audit policies inside the database. Audit data integrity is further protected by restricting management to the built-in audit data management package, preventing audit trail tampering through ad hoc SQL commands. Multiple audit statements can be grouped together for easier management. Three default audit policies are configured and shipped out of the box.
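The policy described in the two paragraphs above, written out as an added example (not code from the original post): a unified audit policy whose WHEN condition exempts sessions from the application server, followed by a review query and a purge through the built-in DBMS_AUDIT_MGMT package. The 10.0.0.5 address and the hrapp@appsrv01 program name are constructed placeholders.

```sql
-- Added example (not part of the original post): a unified audit policy that
-- records every statement except those from the application server.
-- The 10.0.0.5 address and the program name are constructed placeholders.
CREATE AUDIT POLICY all_but_app_server
  ACTIONS ALL
  WHEN 'SYS_CONTEXT(''USERENV'',''IP_ADDRESS'') != ''10.0.0.5'' OR SYS_CONTEXT(''USERENV'',''CLIENT_PROGRAM_NAME'') != ''hrapp@appsrv01'''
  EVALUATE PER SESSION;   -- condition is evaluated once per session, not per statement

-- Enable the policy for all users (it can be narrowed with BY <user> or EXCEPT <user>).
AUDIT POLICY all_but_app_server;

-- Review what was captured. Reading UNIFIED_AUDIT_TRAIL and managing policies
-- are governed by the AUDIT_VIEWER and AUDIT_ADMIN roles respectively.
SELECT event_timestamp, dbusername, client_program_name, action_name, sql_text
  FROM unified_audit_trail
 WHERE unified_audit_policies LIKE '%ALL_BUT_APP_SERVER%'
 ORDER BY event_timestamp DESC;

-- Audit records are removed only through the built-in package, never with
-- ad hoc DELETEs: here, purge records older than 90 days after archiving them.
BEGIN
  DBMS_AUDIT_MGMT.SET_LAST_ARCHIVE_TIMESTAMP(
    audit_trail_type  => DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED,
    last_archive_time => SYSTIMESTAMP - INTERVAL '90' DAY);
  DBMS_AUDIT_MGMT.CLEAN_AUDIT_TRAIL(
    audit_trail_type        => DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED,
    use_last_arch_timestamp => TRUE);
END;
/
```

EVALUATE PER SESSION keeps the cost of the condition negligible, but it also means a session that matches the exemption at logon stays exempt for its lifetime. Since IP address and program name are supplied by the client, the exemption should be as narrow as possible, and a separate policy on the exempted sessions' sensitive actions (account management, grants, schema changes) is a reasonable complement.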

Additionally, Oracle Audit Vault and Database Firewall now supports Oracle Database 12c and can be used to collect, consolidate, alert, and report on audit data from Oracle and non-Oracle databases and operating systems. Oracle Audit Vault and Database Firewall can also monitor Oracle Database 12c SQL activity over the network, blocking unauthorized activity such as SQL injection attacks or insider abuse.

Sensitive Data Discovery and Management. Locating and cataloging sensitive data is more critical than ever. Oracle Enterprise Manager Data Discovery and Modeling (DDM) and Sensitive Data Discovery (SDD) facilitate the process of locating sensitive data within an application and applying security controls to that data. In addition, the new Oracle Database 12c Transparent Sensitive Data Protection (TSDP) can load sensitive-data information from Oracle Enterprise Manager Data Discovery and Modeling into the Oracle database and apply security controls such as Data Redaction. This greatly reduces the operational burden of managing sensitive data consistently in Oracle Database 12c environments.

Real Application Security. Oracle Database 12c introduces the next-generation authorization framework to support the increased application security requirements of multitenant environments. Unlike the traditional Oracle Virtual Private Database (VPD), Oracle Database 12c Real Application Security (RAS) provides a declarative model that allows developers to define the data security policy in terms of application users, roles, and privileges within the Oracle Database. This RAS-based paradigm is more secure, scalable, and cost-effective.

In addition to these critical new capabilities, Oracle Database 12c greatly strengthens the overall database security posture with new Oracle Database Vault realm controls, Oracle Advanced Security TDE key management, Oracle Enterprise Manager Security Console, and more.

All the security capabilities available in Oracle Database 12c are compatible with the new multitenant architecture in Oracle Database 12c. As a result, customers can quickly and efficiently address the unique security requirements of each pluggable database. The security policies move with the pluggable database when it is unplugged from one Oracle Database 12c multitenant server and plugged into another.

Learn more about Oracle Database Security
