Oracle Magazine spoke with Martin Kuppinger, founder and principal analyst at KuppingerCole, about database security as the cornerstone of an end-to-end security architecture.
Oracle Magazine: Why is a multilevel approach to security important?
Kuppinger: When you look at the well-publicized breaches of IT security, in many cases the attacker is an internal person who had access to a database. A layered security approach protects each part of your technology stack, from the network to the application, including the database. While identity management technology authenticates people at the application level, if the data is still readable and in plain text, then there are plenty of ways that a malicious intruder can access it.
Oracle Magazine: What’s the difference between securing data in the cloud and securing data on premises?
Kuppinger: Your security approach should differ depending on the type of clouds you’re using. Running a private cloud in a well-defined data center at a specific location is different from simply renting a virtual machine in a public cloud. One of the issues is that you often don’t know where your data resides. You rely on service-level agreements for security, which comes down to trusting the vendor. In those instances, it’s important to protect your data—generally using encryption.
Oracle Magazine: What responsibilities do enterprises have to secure personally identifiable information [PII], and what are the primary risks that they must address?
Kuppinger: There are two types of risk here: monetary penalties and breach notification. PII regulations differ from country to country. International organizations must meet the highest levels of security to ensure that they are fully compliant. As to the risks, if you lose data then you face breach notification penalties and you might end up making the headlines the next day. Three or four years ago, you could lose a lot of data and it would be noted in some computer magazines. Now you might find yourself on the front page of the business news, which can have huge ramifications on the enterprise, on shareholder value, and on your reputation with customers.
Oracle Magazine: How do database security technologies help enterprises mitigate these risks?
Kuppinger: You need a multifaceted database security portfolio to fulfill regulatory compliance criteria. Auditability and traceability are very important, as are labeling data and segmenting it into different domains. Encryption and strong authentication are also essential.
Organizations must look at the requirements for their industry, region, and country. They must identify risks and select a variety of technologies to make sure that they have covered everything that pertains to them.
Oracle Magazine: DBAs, system administrators, and other technical personnel need access to database resources. How do organizations secure database information from their own administrators?
Kuppinger: Limit the actions of privileged users. For starters, you can segment data into domains and limit administrative access to financial data and PII. HR data is often confidential as well. Privileged users are important, but they are also a big risk. Don’t give them access that they don’t need, and encrypt sensitive data so that they can work on the database without seeing things that they don’t need to see.
Oracle Magazine: How does a database firewall differ from a network firewall?
Kuppinger: Both of them are called firewalls, but they do different things. A network firewall guards the perimeter of the network, while a database firewall works from within to detect SQL injections and rogue transactions that shouldn’t be allowed. Place a database firewall in front of the database within your data center to analyze the SQL statements and prevent the execution of malicious programs or loss of data.
Oracle Magazine: What are the pros and cons of database-level encryption—such as transparent data encryption—and full-disk encryption?
Kuppinger: Important data should be encrypted, partly to protect it from privileged users who have broad access to information. Transparent data encryption is applied to the specific needs of a database environment, whereas full-disk encryption protects data at rest on the disk but in no other situation. Of course, even transparent data encryption doesn’t protect data while somebody is using it. But it does protect some part of the communication when the data is in motion.
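The database firewall Kuppinger describes earlier in the interview analyses each SQL statement before it reaches the database, lets through the statement shapes the application is known to issue, and blocks SQL injections and rogue transactions. The following is an added example, not code from the interview or from any Oracle product, that implements that behaviour in miniature. The allow-list of statement fingerprints, the detection rules and the sample statements are all constructed for the example; a real product would learn the allow-list from application traffic during a training period.

```python
"""Minimal database-firewall-style SQL statement filter.

Added example, not code from the interview or any Oracle product: it models
the behaviour described for a database firewall, which sits in front of the
database, analyses each SQL statement and lets through only what the
application is expected to issue. The allow-list, the rules and the sample
statements below are constructed for the example.
"""
import re

# Fingerprints of the statements the application is known to issue, with
# literals replaced by '?'. Assumption: such a list is built by observing the
# application during a training period; here it is hand-written.
ALLOWED_FINGERPRINTS = {
    "SELECT id, name FROM customers WHERE id = ?",
    "UPDATE orders SET status = ? WHERE order_id = ?",
    "INSERT INTO audit_log (user_id, action) VALUES (?, ?)",
}

_STRING = re.compile(r"'(?:[^']|'')*'")     # single-quoted literal ('' is an escaped quote)
_NUMBER = re.compile(r"\b\d+(?:\.\d+)?\b")   # integer or decimal literal
_WS = re.compile(r"\s+")


def fingerprint(sql: str) -> str:
    """Normalise a statement so that only its shape remains.

    A trailing ';' and surrounding whitespace are dropped, string and numeric
    literals become '?', and runs of whitespace collapse to one space.
    """
    s = sql.strip()
    if s.endswith(";"):
        s = s[:-1].rstrip()
    s = _STRING.sub("?", s)
    s = _NUMBER.sub("?", s)
    return _WS.sub(" ", s)


# Patterns that a database firewall flags as injection. They are matched
# against the fingerprint, so payloads hidden inside literals are already
# collapsed and only the statement structure is inspected.
_INJECTION_RULES = [
    ("stacked query",    re.compile(r";\s*\S")),                      # second statement after ';'
    ("comment sequence", re.compile(r"--|/\*")),                      # comment used to truncate the rest
    ("union select",     re.compile(r"\bUNION\b(\s+ALL)?\s+SELECT\b", re.I)),
    ("tautology",        re.compile(r"\bOR\b\s+\?\s*=\s*\?", re.I)),  # OR 1=1, OR 'a'='a'
]


def analyse(sql: str) -> tuple:
    """Return ('allow' | 'block', reason) for one statement."""
    fp = fingerprint(sql)
    for name, rule in _INJECTION_RULES:
        if rule.search(fp):
            return "block", f"injection pattern: {name}"
    if fp in ALLOWED_FINGERPRINTS:
        return "allow", "known application statement"
    return "block", f"unknown statement shape: {fp}"


# Constructed traffic: what the application normally sends, plus statements an
# attacker might produce through an injectable parameter, and one rogue query
# that is syntactically clean but not something the application ever issues.
SAMPLE_STATEMENTS = [
    "SELECT id, name FROM customers WHERE id = 42;",
    "UPDATE orders SET status = 'shipped' WHERE order_id = 1007",
    "SELECT id, name FROM customers WHERE id = 42 OR 1=1",
    "SELECT id, name FROM customers WHERE id = 42 UNION SELECT username, password FROM users",
    "SELECT id, name FROM customers WHERE id = 42; DROP TABLE customers",
    "SELECT id, name, ssn FROM customers WHERE id = 42",
]


def run(statements=SAMPLE_STATEMENTS):
    """Analyse each statement; returns a list of (statement, verdict, reason)."""
    return [(s, *analyse(s)) for s in statements]


if __name__ == "__main__":
    for stmt, verdict, reason in run():
        print(f"{verdict:5} {reason:45} {stmt}")
```

The last sample statement is the interesting one for the "rogue transactions" point: it contains no injection pattern at all, yet it is blocked because its shape (reading the `ssn` column) is not one the application ever issues. That allow-list behaviour is what distinguishes a database firewall from a signature-only filter, and it is also its operational cost: every new statement the application legitimately adds must be learned before it goes live, or it will be blocked.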