Hackers who manage to break into government and corporate enterprise systems make the news—sometimes very big news. An organization’s most privileged IT users may not get the same news attention, but their ability to access sensitive information as well as to configure systems, modify databases, and grant privileges makes internal system administrators and DBAs a security risk to the enterprise and a target for hackers. And they aren’t the only potential liabilities: in some cases, sensitive production data moves through development and test environments, where any developer can see it.
“In most organizations, two-thirds of sensitive and regulated data resides in databases,” points out Vipin Samar, vice president of database security technologies at Oracle. “Unless the databases are protected using a multilayered security architecture, that data is at risk to be read or changed by administrators of the operating system, databases, or network, or hackers who use stolen passwords to pose as administrators. Further, hackers can exploit legitimate access to the database by using SQL injection attacks from the Web. Organizations need to mitigate all types of risks and craft a security architecture that protects their assets from attacks coming from different sources.”
Companies spend billions of dollars each year securing their IT systems worldwide, including software, services, and support, Samar adds. Despite these massive investments, attacks have continued, and the attackers—with the help of social engineering and sophisticated automated tools—have continued to succeed. This is partly because traditional security strategies have focused on protecting the network perimeter and desktop and laptop machines, rather than internal server assets. Ultimately, what is most important is protecting the databases themselves, yet this is the area that many companies overlook. According to Forrester Research, while 70 percent of companies have an information security plan, only 20 percent of them have a database security plan.
Samar thinks security professionals can learn a lesson from history. In medieval Europe, castles had multiple defenses—wide moats, high walls, iron doors, and even counterattacking archers to repel different types of attackers. “Similarly, in the IT world, you have to defend your databases from casual onlookers, opportunistic insiders, and state-sponsored hackers,” he says. “Data is your king, but if your defensive moat is a firewall of pawns, it is easy for an enemy knight to jump across and checkmate your king.”

Database Encryption
Oracle Advanced Security, an Oracle Database 11g option, helps organizations protect sensitive data on the network, on storage media, and within the database. It addresses privacy and regulatory requirements including the Payment Card Industry Data Security Standard (PCI DSS), Health Insurance Portability and Accountability Act (HIPAA), and numerous breach notification laws.
A need to comply with PCI DSS regulations motivated TransUnion Interactive to adopt Oracle Advanced Security’s Transparent Data Encryption feature and Oracle Database Firewall.
“We have a lot of sensitive information that we must protect, and Oracle gives us many different ways to defend our data against attacks,” says Andrew Meade, senior database administrator at TransUnion Interactive. “We don’t want that information stored in plain text on a disk. Oracle Advanced Security’s Transparent Data Encryption ensures that any time information is written to disk or backed up to another location, it is completely encrypted.”
Meade leads a team of database administrators charged with keeping TransUnion Interactive’s data available, secure, and compliant. It’s a high-volume, nonstop operation that processes thousands of transactions per second.
TransUnion Interactive is the consumer subsidiary of TransUnion, providing credit-report, credit-monitoring, and alert services for consumers along with educational tools to help them stay on top of their finances and avoid identity theft.
“We used tablespace encryption in Oracle Database 11g to protect our databases and address regulatory compliance issues,” says Ramdas Kenjale, director of architecture and infrastructure at TransUnion Interactive. “This method allowed us to encrypt our data very quickly, without changing our applications or modifying our infrastructure. Transparent Data Encryption encrypts data when written to disk and decrypts it after a user has been successfully authenticated and authorized.”
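The tablespace-encryption setup Kenjale describes, as an added example and not TransUnion Interactive’s or Oracle’s own scripts: Oracle Database 11g SQL statements that create the master key in the wallet, create an encrypted tablespace, verify it, and rotate the master key while the database stays online. The wallet directory, data file path, tablespace and schema names, and the wallet password are placeholders; the sqlnet.ora entry and the release-specific rekey behaviour noted in the comments are assumptions to check against the installed version’s documentation.

```sql
-- Assumed sqlnet.ora entry (placeholder path) telling the database where the wallet lives:
-- ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/u01/app/oracle/admin/ORCL/wallet)))

-- 1. Create the master encryption key; on first use this also creates and opens the wallet.
--    The master key stays in the wallet and only wraps the per-tablespace data encryption keys.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "WalletPassw0rd#";   -- placeholder password

-- After an instance restart the wallet must be reopened before encrypted data is readable.
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "WalletPassw0rd#";

-- 2. Create an encrypted tablespace; its data encryption key is generated automatically.
--    Every block written to this data file is encrypted, so backups of it are encrypted too.
CREATE TABLESPACE pii_enc_ts
  DATAFILE '/u01/app/oracle/oradata/ORCL/pii_enc01.dbf' SIZE 500M AUTOEXTEND ON
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

-- 3. Applications keep using ordinary DDL and DML; only the tablespace placement changes.
CREATE TABLE app.credit_report (
  consumer_id  NUMBER        NOT NULL,
  ssn          VARCHAR2(11)  NOT NULL,
  score        NUMBER(3)
) TABLESPACE pii_enc_ts;

-- An existing cleartext table is relocated rather than converted in place. MOVE blocks DML
-- while it runs; for a zero-downtime relocation use DBMS_REDEFINITION instead.
ALTER TABLE app.legacy_report MOVE TABLESPACE pii_enc_ts;

-- 4. Verify: the tablespace is flagged encrypted, the algorithm is recorded, the wallet is OPEN.
SELECT tablespace_name, encrypted
  FROM dba_tablespaces
 WHERE tablespace_name = 'PII_ENC_TS';

SELECT t.name, e.encryptionalg
  FROM v$encrypted_tablespaces e
  JOIN v$tablespace t ON t.ts# = e.ts#;

SELECT wrl_type, wrl_parameter, status
  FROM v$encryption_wallet;

-- 5. Rotate the master key without downtime. Only the wrapped tablespace keys are re-encrypted
--    under the new master key; the data files themselves are not rewritten. (Assumed 11g
--    Release 2 behaviour: earlier 11g releases rekey only the column-encryption master key.)
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "WalletPassw0rd#";
```

Back up the wallet directory after every rekey; without the wallet the encrypted tablespace cannot be opened, and an old backup of the wallet cannot decrypt data protected by a newer master key.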
Kenjale says Oracle’s approach with Transparent Data Encryption shields his team from the details of encrypting specific columns in each database table. It fulfills PCI DSS requirements by encrypting data in storage, in transit, and on backup media. All access controls that are enforced by Oracle Database remain in effect, including object grants, roles, virtual private database, and Oracle Database Vault. Oracle’s two-tier system includes a master encryption key that protects data encryption keys.

Weighing the Alternatives
TransUnion Interactive considered alternatives from other security vendors such as full-disk encryption, in which data is encrypted at the hardware level, and tokenization, in which a token represents the actual data. “Tokenization would have meant changing all of our applications and parts of our architecture, which would have been time consuming and costly,” says Meade. “For us, tokenization is not really a viable solution.”
Headquarters: Chicago, Illinois
Industry: Financial services
Oracle products: Oracle Database 11g, Oracle Advanced Security, Oracle Database Firewall
Full-disk encryption wasn’t viable either because it would have required TransUnion Interactive to take key databases offline whenever encryption keys are rotated. “Neither solution satisfied our needs for a zero-downtime implementation,” Meade says.
TransUnion Interactive chose Transparent Data Encryption in part because of the flexibility it provides. “Oracle Advanced Security with Transparent Data Encryption is the perfect solution for us,” Meade says. “It lets us encrypt all of our data without any application or infrastructure changes. It’s fully integrated with Oracle Database. And key management is built in. No downtime is required to create or rotate the keys, so it works well for us. It is easy to use, easy to implement, and easy to maintain.”
TransUnion Interactive recently passed a PCI audit that focused on encryption and key rotation, validating the effectiveness of its Oracle solution. Users see little or no difference in the level of service. “The performance impact of Transparent Data Encryption is negligible,” adds Meade. “In our case, it is less than 1 percent.”

Oracle Database Firewall
TransUnion Interactive is now implementing Oracle Database Firewall to complement its existing network security strategy. Most security experts see database firewalls as an important adjunct to network firewalls, which protect a data center from unauthorized access from the outside.
To guard against unauthorized database access, Oracle Database Firewall monitors the SQL network traffic going to the database, and provides a first line of defense against threats originating from both outside and inside the organization. It monitors data access, enforces access policies, highlights anomalies, and protects against network-based attacks.
“Oracle Database Firewall reveals precisely what types of queries are hitting our database, who is submitting them, and where they come from,” says Meade. “All that information is exposed based on our preferences, which we specify via a graphical user interface.”
Meade is in the process of developing a white list and a black list of various types of SQL statements. “Anything that is on the white list gets through, and everything on the black list is blocked,” he explains. “The database firewall analyzes SQL traffic. Based on policies we establish, it chooses to block, substitute, log, or send an alert about each suspicious statement.”

In addition to evaluating the legitimacy of SQL statements, Oracle Database Firewall can consider factors such as the requester’s IP address, time, and program name. TransUnion Interactive can choose to deploy it in blocking mode as a database policy enforcement system as well as for supplemental auditing and compliance purposes.
Martin Kuppinger, founder and principal analyst at KuppingerCole, a leading analyst company for identity-focused information security, explains the importance of this type of defense. “While a network firewall controls access to IT resources at the IP level, it looks at packets, so it doesn’t have a very deep understanding of what happens at the SQL level. Database firewalls provide in-depth protection for communication to databases by monitoring and enforcing normal application behavior. They prevent SQL injection attacks and unauthorized SQL commands.”
Kuppinger sees database encryption and database firewalls as an important part of a complete database security strategy. Other essential technologies include data masking for test environments and controlling access to databases. “It’s important to have solutions for every aspect, starting with strong authentication and granular access control to databases, ensuring that operators and database administrators can’t abuse their privileges,” Kuppinger concludes. “If you trust only one database security solution, you will fail to address all of these different aspects. Leaving some doors open doesn’t really solve your enterprise security issues.”
Many Oracle customers implement Oracle Identity Management to enable centralized access control, along with granular role-based controls and provisioning capabilities.
In addition, Oracle Database Vault limits the activities of privileged users by placing sensitive database tables and applications in a protective realm. Oracle Audit Vault provides robust monitoring and auditing of these privileged users.
“Some organizations still use generic shared accounts, which doesn’t allow them to track which users made which changes,” says Samar. “Rather than granting excessive privileges for the sake of convenience, it is better to assign the least privileges for each user to do his or her job.”
When considering their overall security architecture, Samar believes that customers should adopt a multitiered perspective by viewing potential threats from outside and inside the database. He suggests that organizations follow these guidelines:
Photography by Christopher Burns, Unsplash