
Oracle Exadata: Can You Trust Yourself to Secure Your System?

Guest Author

Today's guest post comes from Bob Thome, Vice President of Product Management at Oracle.

Can you trust yourself with the security of your company's critical data? At first this must sound like a ridiculous question; as the old adage says, "If you can't trust yourself, who can you trust?" But I'm not talking about trusting your own integrity, fearing you will steal your data or sabotage your system. I'm asking whether you have enough confidence in your abilities to entrust them with the security of your system. After all, do you trust yourself to fly the plane on your next trip, deliver your next child, or even do your own taxes? Some things are best left to the experts, and securing your database server is clearly in that camp.

It seems as if we hear about a new data breach every few weeks. It could be credit bureaus, hotel chains, social media sites—no one seems immune. But there is no single vulnerability affecting all these victims, and that makes it especially hard to avoid the next breach. There is no checklist you can walk through that is going to guarantee you are secure. Rather, it takes hard work and lots of testing to ensure your system is secure.

An IBM study conducted by the Ponemon Institute found the average cost of a data breach in 2018 was $3.86 million. Given the stakes, it makes sense to leave security to the security professionals. Security researchers have years of experience in locking down systems. They understand common vulnerabilities and have developed best practices and methodologies that dramatically reduce the risk of break-ins. Are you a security professional? My guess is "probably not," and that is another reason to use engineered systems like Oracle Exadata.

So, how does Exadata protect against unauthorized access to data? It uses a defense-in-depth approach to security, starting with giving services and users only the minimal privileges required to operate the system. Customers following Exadata's default settings are protected by the following techniques:


Minimal software install: Exadata does not install unnecessary packages, eliminating the potential vulnerabilities associated with those packages.
Implements Oracle Database secure settings: locks down the Oracle database through settings developed over years of testing by Oracle development.
Enforces minimum password complexity: greatly reduces the risk that a user on the system chooses an easy-to-crack or easy-to-guess password.
Locks accounts after too many failed login attempts: prevents someone from programmatically trying passwords to break into the system.
Default OS accounts locked: prevents login from accounts that need not support it, reducing the password or key management burden.
Limited ability to use the su command: prevents users from elevating their privileges on the system or from changing their identity.
Password-protected secure boot: prevents unauthorized changes to the boot loader, or booting the system with unauthorized software images.
Unnecessary protocols, services, and kernel modules disabled: eliminates threats from vulnerabilities in services not required for operation of the system.
Software firewall configured on storage cells: prevents anyone from opening additional ports to access storage cells, which would enable services that are not required and may present vulnerabilities.
Restrictive file permissions on key security-related files: prevents accidental or intentional changes to security files that may compromise security.
SSH listening only on management/private networks: prevents users on the public network from logging into a database server.
Supports SSH V2 protocol only, and insecure SSH authentication mechanisms are disabled: prevents use of version 1 of the SSH protocol, which contains fundamental weaknesses that make sessions vulnerable to man-in-the-middle attacks, and disables other insecure mechanisms.
Cryptographic ciphers properly configured for best security: prevents improperly configured ciphers from compromising security and uses hardware cryptographic engines to improve performance.
Fine-grained auditing and accounting: all user activity is monitored and recorded on the system.


Now you might be thinking, these are all database and system configuration settings, and you can do it yourself.  That is true, and if you are a security professional, you likely can.  But what if you are not—do you know how to secure and harden the system properly?  Regardless, there are also many features of Exadata that improve security further—features engineered into Exadata and not available on self-built platforms.

By default, all clusters running in a consolidated environment can access any ASM disks.  Exadata tightens that security with ASM-scoped security, which limits access to underlying disk partitions (grid disks) to only authorized clusters.  Because a single cluster may host multiple databases, DB-scoped security provides even finer grained control, limiting access to specific grid disks to only authorized databases.

Exadata also checks for unauthorized access by scanning the machine for changes to files in specific directories.  If changes are detected, Exadata will raise software alerts, notifying the administrator of a potential intrusion.  Management operations and public data access are segregated to different networks, allowing tighter security on the public network interfaces without compromising manageability.  VLAN support protects users from unauthorized access to network data by isolating network traffic.  Similarly, access to the storage cells from the compute servers is also on an isolated network—one that is InfiniBand partitioned to ensure network traffic from one cluster is not accessible to another, eliminating the chance an attacker can steal data as it transits between compute and storage.  
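As an added illustration of the file-change scanning described above (my own example, not Exadata's scanner), this Python snippet records a SHA-256 and permission-bit baseline for a directory tree and reports which files were added, removed, or modified since; the directory contents are constructed in a temporary folder.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def hash_file(path, chunk=1 << 16):
    """SHA-256 of one file, streamed so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def take_baseline(root):
    """Map each regular file under root (POSIX relative path) to (sha256, permission bits)."""
    root = Path(root)
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if not p.is_symlink() and p.is_file():
                baseline[p.relative_to(root).as_posix()] = (hash_file(p), p.stat().st_mode & 0o7777)
    return baseline

def compare_baselines(old, new):
    """Bucket the differences; any non-empty bucket is what a scanner would alert on."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(k for k in set(old) & set(new) if old[k] != new[k]),
    }

def demo():
    """Constructed scenario: baseline a scratch tree, then change it three different ways."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "etc" / "sshd_config").write_text("Protocol 2\n")
        (root / "etc" / "sudoers").write_text("root ALL=(ALL) ALL\n")
        os.chmod(root / "etc" / "sudoers", 0o440)
        before = take_baseline(root)
        (root / "etc" / "sshd_config").write_text("Protocol 2,1\n")  # content changed
        os.chmod(root / "etc" / "sudoers", 0o666)                    # permissions loosened
        (root / "etc" / "rc.local").write_text("# new file\n")        # file added
        return compare_baselines(before, take_baseline(root))
```

In practice the baseline is taken right after a trusted install or patch and stored off-host, so that an attacker who alters a watched file cannot also alter the record it is compared against.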

During the development process, security is built in. The Exadata development team routinely runs a variety of industry-standard security scanners to ensure the software deployed on the system is free from known vulnerabilities. If vulnerabilities are detected, monthly software updates quickly provide fixes to ensure your system is protected.

All these features are critical to security, but studies have repeatedly shown the most significant contributor to security vulnerabilities is not keeping up with software updates.  Given the complexity and risk of patching today's critical database systems, it’s not surprising.  Many opt not to touch what is not broken, but what’s broken may not always be visible.

Exadata takes the risk and pain out of software updates. Risk is reduced because all database and Exadata software updates are extensively tested in the Exadata environment before shipping. Exadata customers also benefit from a community effect: there is a community of customers running Exadata, so issues are quickly discovered and fixed. If you build your own database environment, it's possible only you will experience the issue, and you will suffer the associated disruption. The pain of software updates is reduced with Exadata Platinum support. This level of support, exclusive to Exadata, regularly patches your systems on your behalf, eliminating your having to deal with patching altogether. With the risk and pain of software updates reduced, Exadata systems are patched more frequently, kept up to date with security fixes, and overall more secure.

Finally, don’t forget all the database security features.  Oracle Database has a rich set of features to protect your data, and all are compatible with Exadata.  Oracle Database protects your data with encryption for data at rest and in transit over the network.  It can enforce access restrictions for ad hoc data queries by filtering results based on database user or a data restriction label.  Databases themselves can be isolated within a rack using virtual machine clusters, within a single VM using OS user-level isolation, or within a container database using the Multitenant database option.  You can even protect valuable data from your administrators using Oracle Database Vault, a security feature that prevents DBAs from accessing arbitrary data on the systems they are managing.  Lastly, to ensure compliance, Oracle Audit Vault and Database Firewall monitor Oracle and non-Oracle database traffic to detect and block threats and consolidate audit data from databases, operating systems, directories, and other sources.

With the attention to security and the rich set of security features built in or available as options, Oracle Exadata is the world's most secure database machine. Proven by FIPS compliance and many deployments satisfying PCI DSS compliance, it's no wonder that hundreds of banks, telecoms, and governments worldwide have evaluated Exadata and found it delivers the extremely high level of security they require. If you truly value security, don't trust yourself to do it right. Follow the path of these leading enterprises and protect your data with Oracle Exadata.

This is part 5 in a series of blog posts celebrating the 10th anniversary of the introduction of Oracle Exadata.  Our next post will focus on Manageability, and examine the benefits Engineered Systems bring to managing your database environments.


About the Author

Bob Thome is a Vice President at Oracle responsible for product management for Database Engineered Systems and Cloud Services, including Exadata, Exadata Cloud Service, Exadata Cloud at Customer, RAC on OCI-C, VM DB (RAC and SI) on OCI, and Oracle Database Appliance. He has over 30 years of experience working in the Information Technology industry. With experience in both hardware and software companies, he has managed databases, clusters, systems, and support services. He has been at Oracle for 20 years, where he has been responsible for high availability, information integration, clustering, and storage management technologies for the database. For the past several years, he has directed product management for Oracle Database Engineered Systems and related database cloud technologies, including Oracle Exadata, Oracle Exadata Cloud Service, Oracle Exadata Cloud at Customer, Oracle Database Appliance, and Oracle Database Cloud Service.
