
Gain insights on latest trends in Data Security and Compliance and get updates and tips from Data Security experts

FEATURED POST

NEW! Oracle Database Security Assessment Tool 2.0.2 (DBSAT)

By Pedro Lopes, Product Manager, Oracle Database Security

It has been a great year for Oracle Database Security Assessment Tool (DBSAT) so far. We have over 8000...

Recent Posts

Security Inside Out

New Reports in Audit Vault and Database Firewall Help Customers Address Data Privacy Requirements

By George Csaba, Director, Product Management, Oracle Database Security

This month Oracle released Audit Vault and Database Firewall (AVDF) Release 12.2 Bundle Patch 8. This release includes new Data Privacy Reports to help users comply with privacy regulations such as GDPR.

AVDF provides a first line of defense for databases and consolidates audit data from databases, operating systems, and directories to support monitoring and compliance reporting. A highly accurate SQL grammar-based engine monitors unauthorized SQL traffic before it reaches the database. Audit records from on-premises and cloud databases are collected for centralized management and provide monitoring, reporting, and alerting of anomalous activity across databases. AVDF helps reduce the costs of regulatory compliance while giving administrators enhanced visibility into their IT operations.

The new Data Privacy Reports in AVDF leverage sensitive data discovery results to set object level audit policies on data. These can be generated using either Oracle Enterprise Manager or Oracle Database Security Assessment Tool to run a data discovery job to search for sensitive data in Oracle Database secured targets. The sensitive data file is then imported into the AVDF repository and the Audit Vault Server GUI is used to view the related Data Privacy Reports. The reports provide information such as which users have access rights to sensitive data, as well as details of activity on sensitive data by all users, including privileged users.

Some of the other new features introduced with this release of AVDF include:

- Collection of audit data from Autonomous Data Warehouse Cloud using AVDF’s hybrid cloud capability
- Support for UEFI boot mode installation enabling installation on Oracle Server X7-2
- Incorporation of April 2018 Bundle Patch for Oracle Database 12.1.0.2, which includes the latest security fixes

A complete list of the features and capabilities of this release is available in the release notes. To learn more about Audit Vault and Database Firewall, check out our AVDF Product Page on OTN.

Learn more about Oracle Database Security Solutions


HIPAA Attestations Create Opportunity for Healthcare Providers and Payers

By Anita Salinas

Healthcare organizations sit in a tough spot when it comes to embracing cloud benefits. On one hand, the cloud offers the cost savings and flexibility necessary for improving patient care. On the other, healthcare organizations have a duty and a regulatory responsibility to keep patients’ protected health information (PHI) safe.

Fortunately for Oracle customers—and all those looking to realize the benefits of Oracle Cloud—that tough spot just got a whole lot more comfortable. Oracle recently achieved a series of HIPAA attestations for its Infrastructure as a Service and Platform as a Service offerings. These attestations are in addition to already HIPAA-attested Oracle Software as a Service solutions as well as Service Organization Controls (SOC) 1 and SOC 2 audits/reports for Oracle Cloud. Together, these attestations and audits open the door for healthcare organizations to confidently run mission-critical workloads containing PHI in Oracle Cloud—whether hosted by Oracle or behind the organization’s firewall with Cloud@Customer.

For forward-thinking healthcare organizations looking to lower costs while improving patient care, here are three benefits that can be realized by adopting Oracle Cloud.

1. Planning for Peak Periods

Few industries outside of healthcare can more clearly draw a line between resource conservation and customer benefit. Lowering costs, saving time, and alleviating the demand on staff all lead to better patient care. Trouble is that while some high-demand periods are predictable (open enrollment, for example), others (a late flu season, an epidemic, or just a particularly busy time) can put an unexpected strain on resources. With Oracle Cloud, healthcare organizations can glide through usage spikes knowing that supply will always meet, but not exceed, demand and that they’ll only pay for what they use.

Plus, with Oracle’s unprecedented scale, performance, reliability, and autonomous features, healthcare companies can rest assured that their workloads running on Oracle Cloud can handle the busiest times. In fact, a very large healthcare organization is projecting a 37 percent decrease in total cost of ownership and $17 million in savings over three years by running its TriZetto Facets Claims workload on Oracle Cloud.

2. Embracing New Technology

Wearables and IoT offer an unprecedented opportunity for healthcare organizations to understand patient needs, make personalized recommendations, and reward positive behavior—all of which can improve care and outcomes. But the tidal wave of PHI associated with these devices is enough to make most run for cover. With Oracle Cloud and its recent HIPAA attestations, healthcare organizations can now embrace these cognitive technologies knowing that protected health information is just that—protected. Plus, the reduced cost of storing data, extreme scale, and Oracle Cloud performance make this former patient-care dream a potential reality.

3. Actionable Insights with Predictive Analytics

In the healthcare industry, highly trained professionals make medical miracles happen every day. But even with all the training in the world, you’d be hard pressed to find a clinician who wouldn’t welcome even just a little more information if it meant a better diagnosis, treatment, or outcome. Payers can also benefit from a better handle on determining whether the effectiveness of a specific treatment justifies its cost. Predictive analytics can assist in making these important decisions.

But there are challenges. Not only do the sheer amounts of protected data make it difficult, but the number of different kinds of data—both structured and unstructured—stand in the way. Oracle Cloud, backed by recent HIPAA attestations, can help here as well. For example, one healthcare organization is analyzing massive amounts of data about cancer drugs and treatments and correlating those with patient outcomes to determine more effective treatment protocols.

Bottom line, modernizing health IT in the cloud accelerates speed to market, reduces cost, and improves patient care and outcomes. Oracle Cloud, offering a broad range of HIPAA-attested cloud services, makes cloud benefits accessible to forward-thinking healthcare organizations. And with enterprise-class performance, scalability, reliability, and end-to-end security baked in, all kinds of healthcare organizations can run their most mission-critical workloads in the Oracle Cloud with complete confidence.

To learn more about what Oracle Cloud can do for your business, join us for our webcast on June 21, where we’ll discuss how healthcare organizations are succeeding with Oracle Cloud.

Editorial contribution by Amanda Dyer.


Oracle at Gartner Security & Risk Management Summit 2018

By Russ Lowenthal

Data is the most valuable IT asset, but if not protected can become your biggest liability. EU GDPR is now being enforced (with the first GDPR lawsuits filed the very first day of the new law), and there is a global trend toward privacy legislation that mirrors GDPR. These new data privacy laws combined with weekly revelations of significant data breaches are driving organizations to focus more and more on how to protect their sensitive data.

The bad guys are after your data, and they are winning far too often. Hackers exploit unpatched systems; leverage weak, default, and stolen passwords; and slurp up unencrypted data wherever they find it. One of the many lessons in this year's Verizon Data Breach Investigations Report is that databases are high value targets. In fact, Verizon highlights databases as THE top asset involved in the most significant data breaches. It's time to turn the tide and lock down these valuable data repositories.

Gartner Security & Risk Management Summit 2018 is quickly approaching. Attending the event? Please join Vipin Samar, Oracle's Senior Vice President of Database Security on Wednesday, June 6, to discuss the latest innovations in securing databases both on-premises and in the cloud. Learn how with multiple rings of control, you can protect your data from the bad guys and ensure regulatory compliance.

Title: Don't forget to cover your assets! Oracle on Data Security
Wednesday, June 6: 10:45 a.m. to 11:30 a.m. in Annapolis 1
Speaker: Vipin Samar, Senior Vice President Database Security
Abstract: Data is the most valuable IT asset, but if not protected can become your biggest liability. Join Oracle to discuss the latest innovations in securing databases both on premises and in the cloud. Learn how preventive and detect/respond controls can secure your Oracle and non-Oracle assets, help ensure compliance to EU-GDPR and similar regulations, and simultaneously deliver a step-function improvement in your SOC efficiency.

See you there!


Inside the Head of a Database Hacker: Session at Collaborate 18

COLLABORATE 18
April 22-26, 2018
Mandalay Bay Resort & Casino
Las Vegas, NV USA

With unprotected assets in plain sight, it's no wonder hackers seek to steal sensitive data from databases. Exploiting common vulnerabilities such as unpatched systems, over-privileged accounts, insecure database configurations, stolen passwords, and unencrypted data is a quick place to start. However, knowing the mind of a hacker can better help create a blueprint for protecting your database.

Attend the following session at COLLABORATE this week to get into the mind of a cybercriminal adept at exploiting vulnerabilities to access sensitive data stored in databases, and then discuss ways to stop them.

ATTEND THIS SESSION

Inside the Head of a Database Hacker (Session ID: 1694)
Apr 25, 2018, 4:15 PM–5:15 PM
Banyan B
Speaker: Russ Lowenthal, Product Manager, Database Security

About COLLABORATE

COLLABORATE 18: Technology and Applications Forum for the Oracle Community is where Oracle power users and IT decision makers find practical solutions for today and strategies for tomorrow. This conference empowers users of Oracle business applications and database software to gain greater value from their Oracle investments through real-world education and networking. Created by and for users, COLLABORATE provides a personalized experience alongside functional and technical insight from other experienced professionals, whether your organization seeks to maximize its on-premises solutions, evaluate a path to the cloud, or optimize your business in the cloud. Participants can expand their community and gain direct access to Oracle.

COLLABORATE is jointly presented by the Independent Oracle Users Group (IOUG), the Oracle Applications Users Group (OAUG) and Quest International Users Group (Quest).


Celebrating 5,000 Database Security Assessment Tool (DBSAT) downloads!

By Pedro Lopes

We have crossed over 5,000 downloads of our popular Oracle Database Security Assessment Tool. Since the release of DBSAT v 2.0.1 in mid-January, we have seen an increasing demand and have been getting very positive feedback.

DBSAT is the go-to tool to evaluate your current Database Security posture today because of the following reasons:

- It’s simple and doesn't require prior security experience. Just extract to install and get easy to read reports.
- It provides immediate value. It not only reports on overall configuration and operational security risks, but also on database users and their entitlements. To better understand what is at stake, DBSAT also helps discover sensitive personal data.
- Helps address GDPR Compliance: To help bridge the gap between GDPR and technical controls, it highlights related findings and provides recommendations on what security controls could help. The tool also highlights findings that relate to Oracle Database CIS Benchmark recommendations.

With the GDPR deadline approaching on May 25th 2018, and Verizon's new 2018 Data Breach Investigations Report [1] confirming that databases are at the top of assets breached (in Information vertical; ~20%), ahead of webservers and desktops, it is urgent that you take action to assess your current database security state before hackers do it for you!

Want to see DBSAT in action? Join us at the RSA Conference 2018 at Oracle Booth #1115 Moscone South to learn more.

[1] http://www.verizonenterprise.com/resources/reports/rp_DBIR_2018_Report_en_xg.pdf


Join us at RSA Conference 2018

Next Generation Cybersecurity

Organizations are losing the cyber war. They can no longer rely on manual threat detection and response to address today's sophisticated attacks. Additionally, organizations are finding it hard to keep pace with the volume of security alerts and growing scale of users, apps, and data. In fact, 51% of organizations say that they are unable to analyze the majority of their event data (Oracle and KPMG Cloud Threat Report 2018). Organizations need to address these challenges with autonomous security.

Join us at RSA Conference 2018 from April 16-20 in San Francisco to discuss all these topics and more.

Visit Oracle at Booth #1115, Moscone South

Visit us at our booth to learn more about:

- Oracle’s first Autonomous Database Cloud and how it leverages artificial intelligence and machine learning to revolutionize data security.
- Oracle’s Identity-based Security Operations Center (Identity SOC) which provides comprehensive monitoring, threat detection, analytics, and remediation tools to stay ahead of threats.

Sign up for an Oracle Cloud trial! Get free SWAG from us at the #OracleatRSA giveaway!

Learn More about the Oracle and KPMG Cloud Threat Report, 2018

The Oracle and KPMG Cloud Threat Report 2018 is the inaugural global survey of cloud security challenges, threats, and insights from security practitioners and decision makers. This report compiles the findings from organizations across the globe that center on one common theme: that the cloud has created a strategic imperative to keep pace at scale.

Attend our Session

Monty Python and the Holy RFP
April 18, 2018 | 3:00 pm - 3:45 pm | Moscone West 2022
Speaker: Mary Ann Davidson, Oracle CSO
Abstract: Ever been asked to conduct a pen test—with a herring? Provide a secure shrubbery: “not too big?” Been confronted with “Ni” “Peng” or “Nee-wom” in response to your security practices? Welcome to the Monty Python-esque world of RFPs and security attestations. Learn to decipher what the real security concern is and get to “yes” (and determine if it’s a cute little bunny rabbit…or a vicious killer).

Oracle at Cloud Security Alliance (CSA) Summit at RSA

Join us in the panel discussion at the Cloud Security Alliance Summit at RSA.

Panel: Cloud Compliance Zeitgeist
April 16, 2018 | 12:50 pm - 1:35 pm
Panelist: Gail Coury, Oracle CISO
Abstract: The clock will strike midnight for the General Data Protection Regulation (GDPR) in a month from the CSA Summit. This broad mandate for privacy joins an increasing number of mandates that can mean life or death for businesses and hold their officers personally accountable for security failures. In this expert panel, we will explore the major compliance mandates enterprises are facing today in the cloud. Are the regulations adequate or unreasonable? Do regulatory bodies understand the shared security responsibilities between tenant and provider and is this reflected in their guidance? What is the future role of security certifications in asserting compliance with a myriad of evolving requirements? How can compliance evolve in an era of DevOps continuous deployment? What are the practical and actionable steps organizations can take to make sure their cloud providers maintain robust security programs and how can this evidence be communicated with regulatory bodies? What are the emerging tools and strategies to harmonize governance and risk management and achieve compliance in time and at scale?

Panel: Getting to Mission Critical with Cloud
April 16, 2018 | 3:15 pm - 4:00 pm
Panel Moderator: Mary Ann Davidson, Oracle CSO
Abstract: Once again, the CSA Summit will bring together a panel discussion of some of the largest and most complex enterprises from within the Global 2000 to gain perspective on their journey to the cloud and their security lessons learned. Global enterprises with massive legacy IT infrastructure have the most to gain and the biggest challenge in making the journey to the cloud. Security is the key enabler to secure cloud adoption. How do they maintain strong Enterprise Risk Management oversight with often indirect access to cloud systems? Are you able to deploy high availability applications in the cloud? What compliance mandates do they struggle with? How are regulators adjusting to the cloud reality? Will the government need to designate cloud as critical infrastructure? What are the unexpected security benefits of cloud? What are the attacks they predict for the next year? What tools and technologies are showing the most promise to improve cloud security?

Learn more about our presence at RSA at: Oracle at RSA Conference


Cloud Security and Compliance Is a Shared Responsibility

By Gail Coury, Chief Information Security Officer, Oracle Cloud

Organizations around the world are ramping up to comply with the European Union’s General Data Protection Regulation (GDPR), which will be enforced beginning on May 25, 2018, and each must have the right people, processes and technology in place to comply or else potentially face litigation and heavy fines.

The drive for more regulations is in large part the direct consequence of the rise in data breaches and cyber security incidents. In an effort to protect data privacy, governments are stepping in and demanding greater transparency in how organizations handle sensitive personal data. GDPR is just one such privacy mandate that will affect organizations globally and impact the lifeblood of their operations. Many have spent countless hours already preparing for the deadline, while others are just getting started.

Organizations are rapidly embracing cloud services to gain agility and thrive in today’s digital economy. This has created a strategic imperative to better manage cybersecurity risk and ensure compliance while keeping pace at scale as firms move critical apps to the cloud. According to the Oracle and KPMG Cloud Threat Report, 2018, 87 percent of organizations have a cloud-first orientation. The conventional mindset—that security is an obstacle to cloud adoption—is rapidly losing relevance.

Enterprises in highly regulated industries are becoming more confident putting sensitive data in the cloud. Ninety percent of organizations say that more than half of their cloud data is sensitive information, according to the same report. Although customers are confident in their cloud service provider’s (CSP) security, they should vet their cybersecurity programs vigorously, and conduct a comprehensive review assessment of their security and compliance posture. Trust has always been important in business and paramount when choosing a cloud partner.

GDPR is top of mind for a lot of organizations because it’s a people, process and technology challenge and requires a coordinated strategy that incorporates different organizational entities versus a single technology solution. It is a complicated law and introduces intricate new regulations and requirements for handling personal data. In fact, 95 percent of firms affected by GDPR say that the regulation will impact their cloud strategies and CSP choices, based on findings published by Oracle and KPMG. One of the central considerations would be movement of sensitive data between CSP data centers. Organizations need to understand and clarify how their CSPs employ essential data protection controls and standards to meet GDPR requirements because every cloud platform and vendor has unique cybersecurity standards.

As you may know by now, cloud security and compliance is a shared responsibility, where the cloud provider and the tenant each have a role to play. Although it sounds relatively simple, customers are often not clear where their provider’s role ends and their obligations start, creating gaps. Knowing what security controls the vendor provides allows the business to take steps to secure their own cloud environment and ensure compliance. Almost every organization today has more than one regulation with which they need to comply and they increase the complexity with each cloud service they add. As organizations continue to lift and shift their apps to the cloud, they need to keep pace with scale and ensure security and compliance is maintained.

I am excited to explore these topics with other industry experts at the Cloud Compliance Zeitgeist panel on April 16 (12:50 p.m. – 1:35 p.m.), at the Cloud Security Alliance Summit at the RSA Conference 2018. Also, my colleague, Mary Ann Davidson, Oracle’s Chief Security Officer, will lead the panel Getting to Mission Critical with Cloud. You will hear directly from some large complex global enterprises about their journey to the cloud, cybersecurity challenges and their complex compliance mandates.

We look forward to seeing you there!

Source: Cloud Security Alliance


Securing the Oracle Database eBook - Second Edition Now Available

What every data owner should read before hackers and auditors come knocking!

According to the Economist, data has surpassed oil as the most valuable asset. Data gives organizations unprecedented advantages, enabling them to find new ways to serve customers and create value. Your data is your asset, but unless you protect it well it could fall into the wrong hands and become a liability.

We hear reports about breaches almost daily and by some estimates on average over 10 million records are lost or stolen each day worldwide. In addition, new laws and regulations such as the European Union’s GDPR are forcing organizations to take a hard look at how they manage and protect data. Since databases contain most of their sensitive data assets, organizations are now appreciating the importance of securing their databases.

Oracle Database provides the industry’s most comprehensive security. Read the latest eBook from Oracle, Securing the Oracle Database: A Technical Primer, authored by the Oracle Database Security Product Management team to:

- Learn the various approaches hackers use to try to gain access to your sensitive data.
- Understand the multiple layers of assessment, preventive, and detective security controls you need to protect your data.
- Guide your teams with strategies to shrink the attack surface and keep your databases secure, both on-premises and in the cloud.

Use this book as a quick study into what every Database or Security Director/VP should know about the security of Oracle Databases. This book will help you answer questions such as:

- What are my options for authenticating and authorizing database users?
- How do I enforce separation of duties and limit access to data by administrators and other privileged users?
- How can I leverage encryption and key management to protect data in motion and at rest?
- How do I create application data sets that are safe to use in test, development and production environments?
- How do I audit database user activities and generate management and compliance reports?
- How do I monitor database activity and protect from attacks such as SQL injection?
- How do I leverage authorization technologies to build secure applications?
- How can I evaluate the security posture of my database, and understand what controls I can implement to manage risk?
- What is EU GDPR, and how can database security technologies help with this and other regulatory compliance requirements?
- What do I need to know about securing databases in the cloud?

Breaches are happening faster than ever and it is crucial that you are prepared with a sound database security strategy. Hackers aren’t resting in their endless quest to acquire your data, and we cannot risk resting either. Arm yourself with up-to-date information about these database security concepts. Let’s start by securing the source!

Download your eBook

Learn more about Oracle Database Security Solutions


Pragmatyxs Ensures Data Security in the Cloud with Oracle

Pragmatyxs is a leading technology consultant and systems integrator based in Seattle. They provide product tracking and labeling solutions to medical device, pharmaceutical, and food & beverage companies to help them meet their market and compliance requirements.

Last year at Oracle OpenWorld 2017, I had the opportunity to speak with Paul Van Hout, CEO and founder of Pragmatyxs, about their key challenges and journey to the cloud. Being a small organization, one of their biggest challenges was to provide maximum value to their clients while minimizing administrative costs and focusing on value delivery. Additionally, since their customers are in very highly regulated industries (FDA regulations etc.), data protection is very critical. He stressed that security has to be a very important element of all their solutions and they need to not only incorporate it in everything they do but continuously evolve their security strategy.

Data security, and putting sensitive data in the cloud, still remains one of their key concerns while moving to the cloud. One of the first questions they get asked when they move their client data to the cloud is “how will you secure my data?” Pragmatyxs chose Oracle Cloud over multiple other choices because of the security that it provides by default; for instance, with Oracle Database Cloud Service, transparent data encryption is provided by default. This helps them give their customers the confidence they need in putting their sensitive data in the cloud.

Here is one of his quotes from our conversation:

“One of the key benefits of moving to the Oracle Database Cloud Service was transparent data encryption—we could ensure our customers that, right out of the gate, their data was secure, and the risk of compromise was minimum.” –Paul Vanhout, CEO & Founder, Pragmatyxs

Pragmatyxs has been a partner of Oracle since the company was founded 22 years ago. Watch this video to learn more about why Pragmatyxs chose Oracle Cloud and how they help their clients reduce risks and ensure compliance with better data security in the cloud.

Learn more about Oracle Database Security

Learn more about Oracle Security


The deadline for GDPR compliance is approaching. Are you prepared?

Written by Stephanie G. Hlavin, Senior Content Strategist Integrated Marketing, Cloud Technology, Oracle

Imagine if compliance with the General Data Protection Regulation (GDPR) – a set of strict requirements that protect data of all individuals; how it’s used and collected – was as simple as writing a privacy statement and posting it on your organization’s website. If only.

It’s not 1995 anymore – which is the year the current Data Protection Directive was put in place and that, come May 25, 2018, the GDPR will replace. Twenty-three years ago, the stipulations were sufficient. It was a much different world, a mostly non-digital one. For context, consider:

- In 1997, 68% of U.S. households had no internet, and the top website was AOL.
- Up until 2003 when it was at its peak, you listened to music on CDs.
- In 1999, 56% of Americans had no cell phone (true definition of cell phone here, not smartphone).

Today, it’s digital everything. Whether shopping for socks and groceries to health insurance; to banking and all forms of entertainment, these tasks happen online and with enormous amounts of personal data given. That’s where the GDPR comes in. It aims to increase the accountability of controllers (the organization that collects data) and processors (an organization that processes data on behalf of the data controller e.g., a cloud service provider, like Oracle) and give persons more control over how their personal data is collected and what’s done with it.

So what does GDPR mean for you? Nothing, since you’re not a European company? Unfortunately, not so. Although it’s an EU initiative, GDPR crosses the pond. If any of your customers or employees (even just one) are located inside the EU, you must comply. Nor is it limited to only certain-sized organizations. Small, mid-size and large enterprises are all held to the same requirements. Hefty fines and loss of brand confidence, if not class-action lawsuits (think Equifax) loom large if not.

Keep in mind that GDPR is not a punishment! It’s intended to make possible digital transformation that will benefit everyone: enable organizations to carry on digitally while they have the trust of their customers, partners and their own employees. And according to Troy Kitch, Sr. Director of Security Product Marketing at Oracle, “The only way economies can flourish is to provide that trust through protective mechanisms.”

Kitch recently hosted a webcast, “Addressing GDPR compliance: Implementing a security framework,” that you can catch on replay. If GDPR is on your radar (or should be), the webcast is just under an hour and packed with information to consider as you work on meeting the May 2018 deadline. Within the hour-long webcast, you’ll hear about the key tenets of good security practices; common mistakes to avoid when it comes to security; and most critical, the best way to achieve an appropriate level of security based on the level of risk to data and the cost and implementation to do so. The webcast also includes slides with an expanded set of information not covered in the hour.

Find more information about GDPR and how you can prepare for compliance.

Security Inside Out

Oracle Database Security Assessment Tool – New Capabilities Yield New Use Cases

GUEST BLOG WRITTEN BY BARBARA GINGRANDE

Unpatched databases. Unencrypted data. Default passwords. These are among the common findings that my colleagues and I have uncovered as we’ve performed hundreds of Oracle Database Security Assessments using the Database Security Assessment Tool (DBSAT) from Oracle.

Customers are always surprised by what is revealed by running this tool. No matter how well-managed the environment, several security gaps are always uncovered. For example:

- Organizations confident that they are not using Native Database Auditing sometimes have discovered literally millions of audit records in their Oracle database, with the number growing daily. Conversely, customers positive that they are adequately monitoring database activity often find that insufficient tracking is in place.
- Database Administrators are often unaware of how settings and updates requested by application developers can cause security gaps. For example, if REMOTE_OS_AUTHENTICATION is set to TRUE, a user can create a local account on their personal computer named SYS or SYSTEM and log into the database as a highly privileged user without knowing the account password. While Oracle has deprecated this parameter, settings from prior versions of the database are often left unchanged and migrated as-is during an upgrade.
- Application owners and Security professionals often “assume” that their data is encrypted at rest. One Compliance Officer told us, “I’ve been attesting to our Board of Directors every year that our data is encrypted on disk. You’re telling me that I’ve been lying?”

During the assessments, we request that the DBSAT tool is run in PRODUCTION. Why? If the assessment tool is run in a development or staging environment, even though that environment may be “just like” production, the findings can be easily dismissed – “That’s not how it is in Production.”

With the release of DBSAT 2.0.1, the tool now contains a Discoverer component which can identify sensitive data. That Discoverer capability has resulted in organizations looking more closely at non-production environments and the data residing within those databases. As organizations move to the Cloud, they often start with their non-production workload. Identification and obfuscation of this sensitive data before moving the data outside of the corporate data center is a must.

Security Analysts and Database Administrators will find tremendous value in this latest release of the Database Security Assessment Tool.

Author: Barbara Gingrande

Barbara Gingrande is Director of Business Development for CrossGeneration Security LLC, Innovators in Database Security Services (crossgensecurity.com). Prior to joining CrossGen, Ms. Gingrande was the Program Director for Database Security Assessments for Oracle North America.

About CrossGen Security

CrossGeneration (“CrossGEN”) Security, an Oracle Business Partner, provides assessment, strategy, architecture and implementation services for Data Security and emerging, Blockchain-based Digital Identity solutions. CrossGEN’s services offerings help North American organizations secure their data across several generations of IT investments, enable Digital Business Transformation and address regulatory compliance. CrossGEN has a strong focus on Database Security for Oracle customers both on-premises and in the Cloud. We offer Security Assessments, Rapid Start offerings for every Oracle Database Security product on any platform / hybrid environment, and have deep expertise in Data Masking. For more details, visit us at http://crossgensecurity.com.

Security Inside Out

Partner Webcast – Database Security Assessment Tool and GDPR

Help organizations evaluate their database security before hackers do it for them!

Oracle is a leader in preventive and detective controls for databases, and the newly released Oracle Database Security Assessment Tool (DBSAT) helps customers assess their security profile and recommends changes and controls to mitigate risks. DBSAT is a simple, lightweight, easy-to-use tool focused on identifying how securely the database is configured, who the users are and what their entitlements are, what security policies and controls are in place, and where sensitive data resides, with the goal of promoting successful approaches to mitigate potential security risks.

DBSAT helps:

- Discover sensitive data with the discoverer module
- Evaluate user roles and associated security policies, determining who can access the database, whether they have highly sensitive privileges, and how those users should be secured
- Highlight findings related to GDPR articles/recitals and CIS Benchmark recommendations

Download DBSAT today! DBSAT is a complimentary tool available to all Oracle database customers, small or large. Join us on this webcast to find out more on how DBSAT can help your customers easily assess risks and evaluate their security posture.

Register here for the webcast

Agenda:

- Oracle Database Security Assessment Tool
- Oracle Partner Opportunity
- Summary - Q&A

Presenters: Pedro Lopes – DBSAT Product Manager - Oracle Database Security

Delivery Format

This FREE online LIVE eSeminar will be delivered over the Web. Registrations received less than 24 hours prior to start time may not receive confirmation to attend.

Advanced Security

Bust the myth! False Sense of Security with Encryption alone

Protecting sensitive data, your crown jewels, is a critical business requirement today. Encryption is often perceived as the silver bullet for data security. Many IT organizations do not even have encryption in place today, and those that have deployed encryption in their environment feel it can secure against all kinds of threats. The analysis needs to start with the various threat vectors against your data assets and with some of the common vulnerabilities that have been exploited during recent breaches. You will then soon understand how encryption provides the foundation for data security and yet does not mitigate all the threat vectors.

The following building blocks are essential in building a comprehensive data security strategy:

a) Periodic and regular evaluation or assessment of your security configuration and patching of your environment. Be conversant with where your sensitive data resides. Understand the roles and privileges assigned to administrators and application accounts.
b) Encryption - Data-at-Rest and Data-in-Motion: what do they protect and what do they not protect?
c) Key Management - why centralized key management is critical for managing encryption. Also understand the repercussions or liabilities of the Bring Your Own Key (BYOK) process.
d) Apply appropriate access control mechanisms for your data.
e) Apply the principle of least privilege - ensure administrators have just enough privileges to perform their job and nothing beyond. Ensure that application accounts are not running with loaded privileges.
f) Data Masking and Subsetting - how to limit sensitive data exposure in development and testing environments using Data Masking and Subsetting.
g) Apply a firewall for your data repositories to protect against SQL injection type attacks.
h) Finally, monitor and audit to detect anomalies and respond quickly.

While each of the above concepts is commonly understood on its own, stitching the pieces together to build a comprehensive security strategy is lacking. A systematic approach along with appropriate process is essential in building a comprehensive security strategy. Stay tuned and I will cover more details in subsequent blogs in this series. Please visit https://www.oracle.com/database/security/index.html for further details.

Advanced Security

Oracle Releases Database Security Assessment Tool: A New Weapon in the War to Protect Your Data

Evaluate your database security before hackers do it for you!

Vipin Samar, Senior Vice President, Oracle

Data is a treasure. And in my last 20 years of working in security, I’ve found that hackers have understood this better than many of the organizations that own and process the data. Attackers are relentless in their pursuit of data, but many organizations ignore database security, focusing only on network and endpoint security. When I ask the leaders responsible for securing their data why this is so, the most frequent answers I hear are:

- Our databases are protected by multiple firewalls and therefore must be secure.
- Our databases have had no obvious breaches so far, so whatever we have been doing must be working.
- Our databases do not have anything sensitive, so there is no need to secure them.

And yet, when they see the results from our field-driven security assessment, the same organizations backtrack. They admit that their databases do, in fact, have sensitive data, and while there may be firewalls, there are very limited security measures in place to directly protect the databases. They are even unsure how secure their databases are, or if they have ever been hacked. Given the high volume of breaches, they realize that they must get ready to face attacks, but don’t know where to start.

Assessing database security is a good first step but it can be quite an arduous task. It involves finding holes from various angles including different points of entry, analyzing the data found, and then prioritizing next steps. With DBAs focused on database availability and performance, spending the time to run security assessments or to develop database security expertise is often not a priority.

Hackers, on the other hand, are motivated to attack and find the fastest way in, and then the fastest way out. They map out the target databases, looking for vulnerabilities in database configuration and over-privileged users, run automated tools to quickly penetrate systems, and then exfiltrate sensitive data without leaving behind much of a trail.

If this were a war between organizations and hackers, it would be an asymmetric one. In such situations, assessing your own weaknesses and determining vulnerable points of attack becomes very critical.

Assess First

I am excited to announce availability of the Oracle Database Security Assessment Tool (DBSAT). DBSAT helps organizations assess the security configuration of their databases, identify sensitive data, and evaluate database users for risk exposure. Hackers take similar steps during their reconnaissance, but now organizations can do the same – and do it first.

DBSAT is a simple, lightweight, and free tool that helps Oracle customers quickly assess their databases. Designed to be used by all Oracle database customers in small or large organizations, DBSAT has no dependency on other tools or infrastructure and needs no special expertise. DBAs can download DBSAT and get actionable reports in as little as 10 minutes.

What can you expect DBSAT to find? Based upon decades of Oracle’s field experience in securing databases against common threats, DBSAT looks at various configuration parameters, identifies gaps, discovers missing security patches, and suggests remediation. It checks whether security measures such as encryption, auditing, and access control are deployed, and how they compare against best practices. It evaluates user accounts, roles, and associated security policies, determining who can access the database, whether they have highly sensitive privileges, and how those users should be secured.

Finally, DBSAT searches your database metadata for more than 50 types of sensitive data including personally identifiable information, job data, health data, financial data, and information technology data. You can also customize the search patterns to look for sensitive data specific to your organization or industry. DBSAT helps you not only discover how much sensitive data you have, but also which schemas and tables have them.

With easy-to-understand summary tables and detailed findings, organizations can quickly assess their risk exposure and plan mitigation steps. And all of this can be accomplished in a few minutes, without overloading valuable DBAs or requiring them to take special training. Reviewing your DBSAT assessment report may be surprising – and in some cases, shocking – but the suggested remediation steps can improve your security dramatically.

Privacy Regulations and Compliance

DBSAT also helps provide recommendations to assist you with regulatory compliance. This includes the European Union General Data Protection Regulation (EU GDPR) that calls for impact assessments and other enhanced privacy protections. Additionally, DBSAT highlights findings that are applicable to EU GDPR and the Center for Internet Security (CIS) benchmark.

Nothing could be Easier

Oracle is a leader in preventive and detective controls for databases, and now with the introduction of DBSAT, security assessment is available to all Oracle Database customers. I urge you to download and try DBSAT – after all, it’s better that you assess your database’s security before the hackers do it for you!

Security Inside Out

Webcast: GDPR - Validating Security by Design for an Oracle Database

Most organizations realize that their most critical data resides in their databases and they need to secure them, but have very limited security measures in place to directly protect the databases. They are unsure how secure their databases are, or whether they have been hacked. Knowing where your personal data is, and how the database is configured, is the foundation for GDPR compliance.

Join this webcast to learn how the Database Security Assessment Tool (DBSAT) gives you a quick start to help discover sensitive and personal data, identify database users and their entitlements, review compliance with security policies, and quickly identify the security risks. DBSAT is a simple, lightweight, and complimentary tool that helps Oracle customers quickly assess the security of their Oracle databases.

Register Here

Date/Time: Tuesday, January 30, 2018
Time: 11:00 AM Central European Time
Duration: 1 hour

Speakers:

- Alessandro Vallega, Business Development GDPR, Oracle EMEA
- Pedro Lopes, Sr. Principal Field Product Manager, EMEA, Oracle Database Security

Learn more about Oracle Database Security Solutions

Download DBSAT today!

Advanced Security

Oracle Key Vault 12.2 BP6 is Now Available

We are delighted to announce the immediate availability of release 12.2 BP6 of Oracle Key Vault. New features available in this release include:

Faster Discovery of an Unreachable Key Vault Server

In Oracle Key Vault 12.2.0.5.0 and earlier, clients attempt to connect to Oracle Key Vault by checking each of the two Oracle Key Vault servers in an HA deployment. If the Oracle Key Vault server is unavailable, the client currently encounters an OS-defined delay which could be 20 seconds or longer, depending upon the OS. In Oracle Key Vault 12.2.0.6.0, clients first establish a non-blocking TCP connection to Oracle Key Vault to quickly detect unreachable servers.

Improved Resiliency with Unavailable Key Vault Servers

In Oracle Key Vault 12.2.0.5.0 and earlier, if the Oracle Key Vault server is not available, the PKCS#11 library retrieves the master key from the Persistent Master Key Cache if set. However, in the unlikely scenario that the Key Vault servers are still not available and the persistent master key cache time limit (PKCS11_PERSISTENT_CACHE_TIMEOUT in the okvclient.ora file) has expired, the PKCS#11 library’s attempt to refresh the master key fails and the endpoint database operations are affected.

With Oracle Key Vault 12.2.0.6.0, a new Refresh Window feature of the Persistent Master Key Cache enables the database endpoint to make multiple attempts to refresh the expired master key from the OKV server. This feature extends the duration for which the master key is available after it is cached in the persistent master key cache. At the same time, the endpoints can refresh the key during the refresh window instead of once at the end of the cache time.

Support for Bring Your Own TDE Master Encryption Keys

You can now import your generated key to be used as the Transparent Data Encryption (TDE) master encryption key in Oracle Key Vault. Key Administrators can upload this user-defined key to the groups that they have write access to. This feature provides key administrators with more control over the creation of the master key used to encrypt TDE data encryption keys.

Ability to Update SNMP Settings on Standby Server

In a High Availability deployment of Oracle Key Vault 12.2.0.5.0 and earlier, SNMP settings on the Standby server cannot be updated, as the Oracle Key Vault management console is unavailable on the Standby server. Oracle Key Vault 12.2.0.6.0 introduces the stdby_snmp_enable script to enable the root user to modify SNMP settings on the standby server.

New Alerts for High Availability Operations

Oracle Key Vault generates alerts to inform users about certain conditions that may affect the functioning of Oracle Key Vault. Oracle Key Vault 12.2.0.6.0 introduces alerts when an FSFO failure causes the HA configuration process to fail and when HA nodes are not successfully synchronized.

New Install Option to Speed Deployment

In Oracle Key Vault 12.2.0.5.0 and earlier, the symlink reference to okvclient.ora is not updated during re-enrollment. Oracle Key Vault 12.2.0.6.0 introduces a new okvclient.jar option which allows you to overwrite the symlink reference pointing to okvclient.ora in the new directory.

Expanded Support for Oracle Database on Windows Server 2008 and 2012

Oracle Key Vault 12.2.0.6.0 extends support to Oracle Database 12.2.0.1.0 on Windows Server 2008 and Windows Server 2012.

Critical Patches and Fixes

These include the Oracle Database October 2017 Critical Patch Update as well as fixes to Java and the underlying Linux operating system.

For a fresh installation, Oracle Key Vault can be downloaded from Software Delivery Cloud. Note that this package cannot be used for an upgrade. An upgrade package is available on ARU. The full installation media is also available in eDelivery (please search for “Oracle Key Vault” and select “Linux x86-64” as platform).

We are looking forward to hearing about your experience with OKV 12.2 BP6!
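
The quick reachability check described under "Faster Discovery of an Unreachable Key Vault Server", sketched as an added example that is not Oracle Key Vault client code: a non-blocking TCP connect with a caller-chosen deadline, tried against each server of an HA pair in turn. The function names and the loopback sockets in the demo are assumptions made for illustration (POSIX sockets).

```python
import errno
import select
import socket


def probe(host, port, timeout=2.0):
    """Return True if a TCP handshake with (host, port) completes within `timeout` seconds."""
    try:
        family, socktype, proto, _, addr = socket.getaddrinfo(
            host, port, type=socket.SOCK_STREAM)[0]
    except socket.gaierror:
        return False
    sock = socket.socket(family, socktype, proto)
    try:
        sock.setblocking(False)       # connect returns at once instead of blocking
        rc = sock.connect_ex(addr)
        if rc == 0:
            return True               # connected immediately (possible on loopback)
        if rc not in (errno.EINPROGRESS, errno.EWOULDBLOCK):
            return False              # refused or unroutable: failed fast
        # Handshake in progress: wait until the socket is writable or the deadline passes.
        _, writable, _ = select.select([], [sock], [], timeout)
        if not writable:
            return False              # our deadline, not the OS default, decides
        # Writable only means the attempt finished; SO_ERROR says whether it succeeded.
        return sock.getsockopt(socket.SOL_SOCKET, socket.SO_ERROR) == 0
    finally:
        sock.close()


def first_reachable(servers, timeout=2.0):
    """Try each (host, port) of an HA pair in order; return the first that answers, else None."""
    for host, port in servers:
        if probe(host, port, timeout):
            return (host, port)
    return None


if __name__ == "__main__":
    # Constructed demo on loopback: one listening socket stands in for the
    # reachable server, one bound-but-not-listening socket for the failed one.
    up_sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    up_sock.bind(("127.0.0.1", 0))
    up_sock.listen(8)
    down_sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    down_sock.bind(("127.0.0.1", 0))  # never listens, so connects are refused
    up = ("127.0.0.1", up_sock.getsockname()[1])
    down = ("127.0.0.1", down_sock.getsockname()[1])
    print("selected server:", first_reachable([down, up], timeout=0.5))
    up_sock.close()
    down_sock.close()
```

With a blocking connect, a silently dropped SYN leaves the caller waiting for the operating system's own retry schedule; here the wait is bounded by `timeout` per server.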

Register for the webcast & learn how to address GDPR compliance

With the EU GDPR deadline just around the corner, many organizations are still scrambling to understand its impact and how to create and implement a coordinated strategy that addresses GDPR compliance. To help you better understand how Oracle’s experience, built over the years, and our technological capabilities can help you design such a strategy, you are invited to attend the following webcast on Nov 28th, 2017 at 2pm EST. Register today!

Webcast

Addressing GDPR compliance requires a coordinated strategy that involves different organizational divisions such as legal, human resources, marketing, security, IT and others. The regulation requires these and various other entities like customers, employees as well as communications and technology, to protect personal data. However, with all these components and a due date that is just around the corner, how can organizations create and implement a coordinated strategy that addresses GDPR security compliance?

Join us to hear expert advice and insight from members of the Oracle leadership team on how to leverage Oracle experience and technologies to implement a security framework that can help address GDPR.

Date/Time: Nov 28th, 2:00 PM EST
Speakers: Troy Kitch, Senior Principal Product Marketing Director, Oracle

To learn more about how Oracle can help you address some of the requirements for GDPR, read this whitepaper: Helping Address GDPR Compliance Using Oracle Security Solutions

Learn more about Oracle Security Solutions

Security Inside Out

Managing least privilege accounts

Did you know attacks into databases with stolen credentials are a bigger threat than attacks stealing data from the network or binary files? A database organizes all the data neatly in one place. Database accounts with enough privileges make it easy to find the data, exfiltrate it and then cover up the tracks. Stolen credentials can even be used again if no one notices a theft had taken place.

Database administrators and applications are two owners of highly privileged accounts. DBAs need their privileges to do their job and applications need to act on behalf of all application end-users. Here are some common mistakes concerning these two types of accounts.

DBA accounts: Oracle provides a SYSTEM account with the DBA role. Many organizations believe this is what the DBAs should use to manage the database. This creates some issues around accountability and liability. When doing a forensic analysis of an event, if SYSTEM was found to have executed an unauthorized SQL command, then it would be very difficult to find the actual DBA that executed it. The other side of this is liability – every DBA would be viewed with suspicion, since it would be difficult to prove one’s innocence when they all share a single account. Oracle recommends using separate named accounts for each user and not using the SYSTEM account for database administration.

Application accounts: When applications are being developed, the developer frequently grants many system privileges to the database account so the application can be developed without worrying about data access. As the application completes development, no effort is made to find out what privileges the application really needs to operate in a production environment. The application also needs extra privileges when it is installed and when upgrades are done. These installation and upgrade privileges are frequently not removed, leaving the application account in the database with many privileges not required for normal runtime.

To learn more about Oracle Database Security Solutions visit https://www.oracle.com/database/security/index.html
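
A way to check for both mistakes above in exported dictionary and audit data, as an added example rather than Oracle's or DBSAT's own code: it expands nested role grants to list what an application account can really do, subtracts the privileges it was observed using, and lists database accounts shared by several OS users. All rows, the account and role names, and the "used at runtime" set are constructed sample values; how the used set is collected is left as an assumption.

```python
from collections import defaultdict

# Constructed rows shaped like DBA_ROLE_PRIVS: (grantee, granted_role).
ROLE_GRANTS = [
    ("APP_RUNTIME", "APP_INSTALL_ROLE"),       # left over from installation
    ("APP_INSTALL_ROLE", "APP_UPGRADE_ROLE"),  # role granted to a role
    ("JSMITH_DBA", "DBA"),                     # a named DBA account
]
# Constructed rows shaped like DBA_SYS_PRIVS: (grantee, privilege).
SYS_GRANTS = [
    ("APP_RUNTIME", "CREATE SESSION"),
    ("APP_RUNTIME", "SELECT ANY TABLE"),
    ("APP_INSTALL_ROLE", "CREATE TABLE"),
    ("APP_INSTALL_ROLE", "CREATE ANY PROCEDURE"),
    ("APP_UPGRADE_ROLE", "ALTER ANY TABLE"),
    ("APP_UPGRADE_ROLE", "DROP ANY TABLE"),
]
# Assumption: system privileges the application was seen using in normal runtime.
USED_AT_RUNTIME = {"CREATE SESSION"}
# Constructed audit rows: (database user, OS user who connected as it).
AUDIT_ROWS = [
    ("SYSTEM", "alice"), ("SYSTEM", "bob"), ("SYSTEM", "alice"),
    ("JSMITH_DBA", "jsmith"),
]


def effective_sys_privs(account, role_grants, sys_grants):
    """Map each system privilege the account holds to the grant path(s) that give it."""
    roles_of = defaultdict(list)
    for grantee, role in role_grants:
        roles_of[grantee].append(role)
    path = {account: account}          # grantee -> how the account reaches it
    pending = [account]
    while pending:                     # walk direct and nested role grants
        grantee = pending.pop()
        for role in roles_of.get(grantee, []):
            if role not in path:
                path[role] = f"{path[grantee]} -> {role}"
                pending.append(role)
    privs = defaultdict(set)
    for grantee, privilege in sys_grants:
        if grantee in path:
            privs[privilege].add(path[grantee])
    return dict(privs)


def excess_privs(account, role_grants, sys_grants, used):
    """Privileges held but not used: (privilege, grant paths, is an ANY privilege)."""
    held = effective_sys_privs(account, role_grants, sys_grants)
    return [(privilege, sorted(paths), " ANY " in f" {privilege} ")
            for privilege, paths in sorted(held.items())
            if privilege not in used]


def shared_accounts(audit_rows):
    """Database accounts used by more than one OS user, i.e. with no single accountable person."""
    os_users = defaultdict(set)
    for db_user, os_user in audit_rows:
        os_users[db_user].add(os_user)
    return {db: sorted(users) for db, users in os_users.items() if len(users) > 1}


if __name__ == "__main__":
    for privilege, paths, is_any in excess_privs(
            "APP_RUNTIME", ROLE_GRANTS, SYS_GRANTS, USED_AT_RUNTIME):
        flag = "ANY" if is_any else "   "
        print(f"revoke candidate [{flag}] {privilege:22} via {', '.join(paths)}")
    print("shared accounts:", shared_accounts(AUDIT_ROWS))
```

The grant path matters for cleanup: a privilege that arrives through a leftover installation role is removed by revoking the role from the account, not by revoking the privilege itself.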

Security Inside Out

EU GDPR is a top priority

By Russ Lowenthal - Director of Database Security Product Management

What a week it's been! I look forward to OpenWorld each year, and each year it seems like it gets bigger and better - but this year is going to be hard to top! Over 150 people attended the hands-on labs for the new Database Security Assessment Tool, more than two dozen database security focused sessions, and countless one-on-one visits with customers.

A couple of themes stood out this year, one in particular is widespread concern about the new European Union General Data Protection Regulation (EU GDPR). Time is short to be ready before the regulation goes into effect on May 25th, 2018 - that's just 228 days away! Not long at all to design, test and implement security controls for major IT systems.

Almost everyone is starting with sensitive data discovery to map out which systems fall under GDPR, and then moving to encryption for those systems that aren't already encrypted. The combination of the new Database Security Assessment Tool and Oracle Database 12.2's online-tablespace encryption has been very popular this week because it lets people take care of their database encryption without any downtime needed. Key Vault was also a popular topic since anyone who is encrypting obviously also has to consider how the encryption keys are stored and managed.

Once encryption is taken care of, most people seem to be following a fairly standard path for securing their databases – set up Database Vault to place sensitive data into tightly controlled security realms, and then Audit Vault to monitor access to the sensitive data and report on who has seen personal data.

It was encouraging to see how many people recognized GDPR as a top priority – and even more encouraging to see that although people are of course concerned about the potential fines (4% of your gross annual revenue is not a laughing matter!), they were also worried about protecting their data. Several CISOs commented that it’s “just the right thing to do.” And more than one said that in today’s environment not protecting sensitive data is simply not acceptable.

By the time OpenWorld rolls around again next year GDPR will have been in effect for months, and we’ll probably have already started to see our first enforcement actions under the new regulation. I can’t wait to see what the conversations are going to be then!

Security Inside Out

Managing Data Security in the Cloud

By Michael Mesaros, Product Management

Users are eager to leverage the benefits of the Oracle Cloud, but they also need easy access to tools to help them secure their data. Fortunately, Oracle Database users can leverage a rich set of security controls which support deployments both on-premises and in the cloud. However, deployment and ongoing support of these solutions is often a “do-it-yourself” exercise for users.

This week at Oracle OpenWorld 2017, we provided a sneak preview of some cloud-based solutions for securing data. A cloud-based data security service would be able to deliver proven technologies for securing data to customers with a convenient and hassle-free delivery model. An important design goal for Data Security Cloud Service is ease of use: providing a simple “click-and-secure” user interaction model so that controls are deployed quickly and easily. Three important capabilities which were previewed included Sensitive Data Discovery, Database Auditing, and Data Masking.

Protecting data begins with understanding what kinds of sensitive data an organization has and where it is located. Sensitive data discovery provides the ability to search schemas and identify sensitive data. Database administrators can use the results to specify masking policies that protect their most sensitive data during cloud-based test and development. They may also use knowledge of what sensitive data they have to specify audit policies and implement other security controls.

Hosting databases for development and test is an important use case for database cloud services. Masking is a technology to protect sensitive data in these environments by selectively replacing this data with realistic, but fictitious, data. A properly masked database can transparently support applications in test and development without implementing all of the strict controls which would be required to protect sensitive data in a production environment. The ability to mask databases from production clones or backups with a click of a button enables DevOps to automate generation of test database instances and provide their development teams with high-fidelity application data.

Database Auditing is perhaps the most powerful tool for identifying potentially malicious activities and addressing compliance requirements. Audit functionality provides users with the ability to manage their database audit policies, automatically collect audit data, continuously monitor the data to generate high-value, specific alerts, and provide interactive activity reports that allow teams to monitor security posture and address compliance requirements.

Cloud-based data security solutions are not only easy to use and manage, they make enterprise-class security solutions accessible to all organizations, large and small. Stay tuned for more updates!

Security Inside Out

Highlights from Oracle Openworld 2017 - Tuesday

Oracle Openworld is more than halfway done! Tuesday was another busy, action-packed day with tons of sessions, over seven 1:1 customer briefings, multiple analyst discussions, demos and hands-on labs and much more.

Larry’s Keynote on CyberSecurity

The morning kicked off with a lot of excitement building for Larry’s afternoon address on CyberSecurity. Larry started his keynote with “Companies are losing the cyber war. And it gets worse every year.” Security in the data centers has to be the number one priority, not the tenth, because today companies have to defend themselves against nation-states and very sophisticated cyber criminals who are stealing their data. Today, it can no longer be our people vs their machine, it has to be our computers vs their computers. Listen to the entire keynote here

Continued excitement around the DBSAT tool

We saw continued interest amongst our customers around our DBSAT tool, with a packed room for the DBSAT hands-on lab. As part of Oracle’s defense-in-depth strategy, Oracle's Database Security Assessment Tool (DBSAT) helps identify areas of risk and recommends changes to mitigate configuration, operational, and technical risks. Don’t miss the last opportunity to get your hands on DBSAT while you are here at #OOW17. Attend this hands-on lab and learn how to easily run DBSAT to identify your exposure to the top database security risks and how to remediate them. Learn how to analyze and prioritize the different risk findings identified within the security reports so that you are well on the way to securing your databases.

DBSAT hands-on lab: Wednesday, Oct 04, 9:45 a.m. - 10:45 a.m.
Venue: Hilton San Francisco Union Square (Lobby Level) - Plaza Room A

Encryption and Key Management

There were multiple discussions around the benefits of native database encryption vs storage level encryption. A lot of customers have over 5000 Oracle Databases, which is very typical of a large organization, and one of the key challenges cited was how to streamline key management. A lot of details around encryption were covered in today’s session: Encrypt your Crown Jewels and Manage Keys Efficiently with Oracle Key Vault (CON6580)

Must-see sessions on Wednesday

Sneak Preview: Oracle Database Security Cloud Service (CON6618)
Speakers: Vikram Pesati, Oracle; Michael Mesaros, Oracle
Time: 2:00 p.m. - 2:45 p.m.
Venue: Moscone West - Room 3011

Inside the Head of a Database Hacker (CON6572)
Speaker: Mark Fallon, Oracle
Time: 11:00 a.m. - 11:45 a.m.
Venue: Moscone West - Room 3014

Size matters: Securing a Very Large Database (CON4841)
Speakers: Steve Young, Sr. DBA Manager, CCCIS; Fei Dong, Sr. Database Administrator, EDS; Steve Rosenblum, Database Administrator, CCC Information Services
Time: 5:30 p.m. - 6:15 p.m.
Venue: Moscone West - Room 3011

And many more sessions here

Stay on top of all the latest security news at OOW 2017 by following us on Twitter (@OracleSecurity) and Facebook (www.facebook.com/oraclesecurity).

What you don’t know CAN hurt you…

By Pedro Lopes, Senior Principal Product Manager, Oracle Database Security, EMEA

Oracle Database Security Assessment Tool (DBSAT) 2.0.1 will improve the ability of Oracle’s customers to assess database security posture and identify systems containing sensitive data.

Known risk is better than unknown risk

Security professionals categorize risk as known, unknown, and unknowable – with a goal to move as much risk as possible from unknown into the known category, where it can be mitigated or accepted. Many security teams see their Oracle Database environments as a black hole of risk – unknown, possibly unknowable. Security teams often don’t have the expertise to assess and quantify risk in database environments. There are a few historical reasons for this situation.

Common backgrounds lead to common approaches

Most security professionals come from one of two fields – they were either network engineers who moved into security through their work with firewalls, or they were desktop engineers who moved into security through their work with anti-virus and desktop protection. Cybersecurity as a stand-alone profession, especially an entry-level profession, is relatively new. As a result, security teams tend to focus where their strengths are – perimeter security and endpoint protection. Securing databases is frequently left to the database administrators.

Database administrators, on the other hand, rarely focus on database security. They are usually concerned with availability and performance and have little time left over for tasks not related to those two key areas. This is slowly changing: over the past five years I’ve seen a significant increase in the number of database administrators who specialize in security, but it is still a very small percentage of the administrator population.

The result is that databases are typically configured without basic security controls and managed the same way today that they were 15 years ago. Unfortunately, the threat environment today is very different from 15 years ago, and these databases can present significant security risk to the organization.

Compounding the problem is the growing requirement for security configuration scanning of systems containing personal data. Periodic assessments of system security are part of many regulatory frameworks, including the European Union’s General Data Protection Regulation (EU GDPR) and the Payment Card Industry’s Data Security Standard.

Some problems are easy to solve

Fortunately, there is an easy answer to these problems. Oracle provides the Database Security Assessment Tool (DBSAT) as a free download to all supported customers. As part of Oracle’s defense in depth strategy, DBSAT helps identify areas where your database configuration, operation, or implementation introduces risk and recommends changes and controls to mitigate those risks. The current release focuses on identifying common security errors – parameters that may be set incorrectly, over privileged users, weak password policies, missing patches – over 70 individual checks. In many cases, DBSAT not only identifies the risk, but recommends ways to mitigate the problem.

Over the next few months we’ll be releasing DBSAT 2.0.1 – with significant enhancements including categorization of findings based on the Center for Internet Security (CIS) benchmarks and European Union General Data Protection requirements. As with the current version, DBSAT highlights Oracle Database security best practices, but now, wherever appropriate, you’ll find DBSAT also references the Center for Internet Security (CIS) benchmark and EU GDPR articles and recitals.

New Discovery Module

We’ll also be introducing a new sensitive data discovery module, DBSAT Discoverer, as part of DBSAT 18c. DBSAT Discoverer searches your database for sensitive data columns, with out-of-the-box support for English and sample modules for French, Spanish, Italian, Portuguese, German and Swedish that provide a head-start and can be further customized to expand language support. This new module enhances the ability of DBSAT to detect risk by not only informing you of potential issues with the database, but also helping you prioritize mitigation efforts based on which systems contain the most sensitive data.

How do I get started?

Download the Database Security Assessment Tool and try it out on a few of your databases. You’ll find the tool’s output and mitigation recommendations easy to understand and consume.

Highlights from Oracle Openworld 2017 – Monday

Monday kicked off the second day at Oracle Openworld 2017, where customers, partners and technologists learnt about the latest innovations and announcements in Oracle Database Security Solutions.

Customers heard about the latest trends in security and some key announcements from the SVP of Database Security, Vipin Samar, in his session “Cybersecurity and Compliance in 2017: Database Security is Business Critical (CON6571)”. He stressed that with data breaches getting more sophisticated, databases still remain the most attractive target for attackers. If you don’t protect your data, it can have severe repercussions on your business. “Lose your data, lose your business” was the key message.

Announcements made in the session:

Database Assessment Tool (DBSAT)

Assess your risk profile before hackers do with the database assessment tool, which helps you understand how secure or insecure your database is. DBSAT is a free tool with over 5000 downloads. DBSAT v1 is available today and v2 will be released very soon. Further details were covered in the session on DBSAT today (CON6575).

Data Security Cloud Service: Sneak Preview

The vision around the Data Security Cloud Service is to provide a unified control plane for data security management, with a huge focus on ease of use, to help secure your cloud databases. Hear more about this brand new service at the following session:

Sneak Preview: Oracle Data Security Cloud Service
Speakers: Vikram Pesati, Oracle; Michael Mesaros, Oracle
Time: 2:00 p.m. - 2:45 p.m.
Venue: Moscone West - Room 3011

Centralized database user management using active directory

This new feature helps you directly connect Active Directory (AD) to Oracle Database to authenticate and authorize users. Details of this announcement were covered in session CON6574.

Conversations around GDPR Compliance

There were interesting conversations around the need for GDPR compliance. For instance, one of the largest air carriers in the world was concerned about how to comply with GDPR. Although they are not an EU resident, they have flight crews and EU passenger information, as a result of which they need to comply with the regulation. Additionally, their challenge is compounded by the fact that they have multiple partnerships with hotels and car rentals. As a result, they play the role of a data controller, data processor and third party at the same time. There was discussion around how some things are hard to comply with, like the enrichment of apps, right to erasure etc., but there are areas which are easy to start with, like enforcement, encryption, pseudonymization, data discovery etc. They were particularly interested in the DBSAT tool for sensitive data discovery to get started. They also have Oracle Enterprise Manager deployed and hence were happy to learn that their Advanced Security license allows them to use sensitive data discovery at no charge!

To learn more about how Oracle can help you comply with GDPR, attend the following session tomorrow:

Data Management and Security in the GDPR Era
Speakers: Russ Lowenthal, Oracle; Franck Hourdin, Oracle; Mike Turner, Global COO Cybersecurity, Capgemini
Time: 5:45 p.m. - 6:30 p.m.
Venue: Moscone West - Room 3011

Some of the other sessions you must not miss tomorrow include:

Encrypt your Crown Jewels and Manage Keys Efficiently with Oracle Key Vault (CON6580)
Speakers: Saikat Saha, Product Director, Database Security, Oracle; Hamid Habet, Service Manager, Allianz Technology SE
Time: 4:45 p.m. - 5:30 p.m.
Venue: Moscone West - Room 3011

Accelerate your Compliance Program with Oracle Audit Vault and Database Firewall (CON6576)
Speakers: Ram Subramanian, Director, Database Services, Symantec Corporation; Rohit Muttepawar, IT Architect - Database Platform, Symantec Corporation; George Csaba, Director, Product Management, Database Security, Oracle
Time: 5:45 p.m. - 6:30 p.m.
Venue: Moscone West - Room 3011

The entire day was filled with activities including seven 1:1 analyst meetings with leading analysts like Gartner, IDC, Forrester and Kuppinger Cole, over five 1:1 customer briefings at the customer visit center, hands-on labs, demos and much more.

Attendees got a chance to view demos around our encryption, data masking, database activity monitoring solutions and many more at our demo pods. If you didn’t get a chance to check out the demos today, be sure to visit tomorrow. The demo showcase is at Moscone West.

SOA-071 - Authentication and Authorization
SOA-072 - Encryption and Key Management
SOA-073 - Auditing and Activity Monitoring
SOA-074 - GDPR, Data Discovery, Security Assessments, Data Masking

As the excitement continues, stay on top of all the latest security news at OOW 2017 by following us on Twitter (@OracleSecurity) and Facebook (www.facebook.com/oraclesecurity).

Protect your sensitive data today!

Protecting sensitive data, whether in your on-premises environment or in the cloud, is a critical business requirement in light of recent megabreaches and ever-expanding compliance regulations. Data is today's capital, but in the wrong hands, data can become a liability. Databases make very attractive targets because they contain all the business critical data neatly arranged in columns and rows, properly structured and linked with relevant information.

In order to safeguard your enterprise data stored in databases, you need to build a comprehensive strategy, a defense-in-depth, around your databases. Applying layered security controls is essential to protect sensitive data. To build a comprehensive security strategy for databases, first you need to evaluate what you have and perform sensitive data discovery, then apply preventive measures such as encryption, access control mechanisms, application level redaction, or data masking for test and development environments. Once you apply preventive security controls, you need to monitor and audit constantly to find anomalies and react promptly when something unusual happens. And the cycle continues.

To learn how to build a comprehensive security strategy for your databases that store business critical data and sleep well at night while meeting your SLAs and compliance regulations, please join my session "Best Practices for implementing Database Security" on Monday October 2nd at 5:45 PM in Marriott Marquis (Yerba Buena Level), Nob Hill A/B.

The security of your encrypted data depends on how complete the encryption is within the database environment, and on the security and control you have over the encryption keys. Centralized protection and management of keys has become an important consideration for organizations. To learn about Oracle Transparent Data Encryption and centralized key management for Oracle Transparent Data Encryption keys, and listen to some real-life deployment experiences, please join my other session "Encrypt Your Crown Jewels and Manage Keys Efficiently with Oracle Key Vault" on Tuesday October 3rd at 4:45 PM in Moscone West Room 3011.

Database Security @ Oracle Openworld 2017!

Whether this will be your first Oracle Openworld or you’ve been here before, hopefully you’re getting as pumped up as we are for Oracle Openworld 2017, which kicks off today at the Moscone Center, San Francisco. Join thousands of fellow Oracle users, experts, and thought leaders and discover how we’ve packed more learning and innovation into all of our technology sessions, labs, demos etc. If you haven't yet registered, registration for Oracle OpenWorld 2017 can be found HERE.

Whether you have been using all or some of Oracle Database Security technologies or are a brand new user, there is something at Openworld for each of you, with over 23 database security sessions, an extensive showcase of demos, hands-on labs and much more. A complete listing of all database security sessions can be found here.

Your days will be jam-packed with activities and we want you to make the most of them.

Database Security is Business Critical

Organized crime, insiders, and nation-states continue to target databases, and additionally the transition to the cloud is changing the way we look at security controls. Hence, whether you are an Executive, Database Administrator or a Security professional, you need to be aware of the latest security threats and how to protect your most sensitive data (your crown jewels) both on-premises and in the cloud. Attend our sessions to learn more about recent developments in database security, what to expect in 2018 and how to comply with compliance mandates like the EU GDPR, which has severe penalties for non-compliance.

Key Sessions on Monday, Oct 2

As you are preparing for tomorrow, here are some of the top database security sessions which you should not miss:

CON6571: Cybersecurity and Compliance in 2017 - Database Security is Business Critical
Speaker: Vipin Samar, Senior Vice President, Database Security, Oracle
1:15 p.m. - 2:00 p.m. | Moscone West - Room 3011

CON6574: New Feature - Centralized Database User Management with Active Directory
Speakers: Alan Williams, Senior Principal Product Manager, Oracle; Keith Wilcox, VP, Database, Epsilon
3:15 p.m. - 4:00 p.m. | Moscone West - Room 3011

CON6575: NEW! Database Security Assessment Tool Discovers Top Security Risks
Speaker: Pedro Lopes, EMEA Field Product Manager, Oracle
5:45 p.m. - 6:30 p.m. | Moscone West - Room 3011

Demo Showcase

Don’t miss checking out some cool new demos at our booth (Moscone West), where our amazing product experts will give you a tour and showcase new capabilities:

SOA-071 - Authentication and Authorization
SOA-072 - Encryption and Key Management
SOA-073 - Auditing and Activity Monitoring
SOA-074 - GDPR, Data Discovery, Security Assessments, Data Masking

Hands-on Experience

It’s not all talk here at Oracle Openworld. There are plenty of opportunities to try things out for yourself and learn from the experts at the hands-on labs.

Hilton SF Union Square – Lobby Level – Plaza Room A

Not going to Openworld? Then be sure to follow us on Twitter (@OracleSecurity) and Facebook (www.facebook.com/oraclesecurity) for all the highlights from our experience.

Advanced Security

Top Database Security Sessions @ Oracle OpenWorld, 2017

We’re getting closer to Oracle Openworld 2017 and I am excited to share all the great sessions we have planned for next week. During the five days of the conference, you will be able to choose from over 20 sessions focused on database security, covering all kinds of topics from GDPR compliance, cybersecurity, data security in the cloud, encryption key management, etc. I am especially proud of and thankful to our customers and partners like Epsilon, Cap Gemini, Allianz Technology SE, Symantec, EDS, Onapsis and many more who will share their experiences with Oracle.

Time is running out, so don’t miss the chance to register before it’s too late. Registration for Oracle OpenWorld 2017 can be found HERE.

This Focus on Oracle Database Security document provides a full list of sessions, demos, and hands-on labs for the week. A complete listing of all security focused sessions, demos and hands-on labs can be located HERE

For a quick reference, I've outlined some key must-see sessions.

Monday, Oct 2

Cybersecurity and Compliance in 2017: Database Security is Business Critical (CON6571)
Speaker: Vipin Samar, Senior Vice President, Database Security, Oracle
Time: 1:15 p.m. - 2:00 p.m.
Venue: Moscone West - Room 3011
Join Vipin Samar, senior vice president of Oracle Database Security development, to discuss recent developments in database security and what to expect in 2018. Enforcement of the European Union's General Data Protection Regulation (GDPR) begins on May 25, 2018 and is likely to be the #1 concern for most organizations this year. Organized crime, insiders, and nation-states continue to target databases. And of course, the transition to the cloud is changing the way we look at security controls. Learn about new security assessment tools, new security features in the latest database release, and what we are working on this year to help you secure your database whether on-premises or on the cloud.

NEW! Database Security Assessment Tool Discovers Top Security Risks (CON6575)
Speaker: Pedro Lopes, EMEA Field Product Manager, Oracle
Time: 5:45 p.m. - 6:30 p.m.
Venue: Moscone West - Room 3011
Most organizations understand the need to secure their databases, but may not be aware of their vulnerabilities or what type of sensitive data they may have. In this session learn how Oracle Database’s security assessment tool (DBSAT) helps identify potentially sensitive data, highlights configuration and operational security risks, and recommends changes to mitigate them. DBSAT evaluates hundreds of parameters across Oracle Database, and provides both a summary and detailed reports of findings and recommendations.

NEW FEATURE! Centralized Database User Management using Active Directory (CON6574)
Speakers: Alan Williams, Senior Principal Product Manager, Oracle; Keith Wilcox, VP, Database, Epsilon
Time: 3:15 p.m. - 4:00 p.m.
Venue: Moscone West - Room 3011
Attend this session to learn how to directly connect Active Directory (AD) to Oracle Database to authenticate and authorize users. The next release of Oracle Database offers a simpler alternative to today’s AD integration with enterprise user security and intermediate directories. Users can authenticate with passwords, Kerberos, or SSL while AD groups directly map to shared database accounts and roles. AD password policies like password expiration and lockout counts are enforced during user login.

Tuesday, Oct 3

Data Management and Security in the GDPR Era (CON6573)
Speakers: Russ Lowenthal, Oracle; Franck Hourdin, Oracle; Mike Turner, Global COO Cybersecurity, Capgemini
Time: 5:45 p.m. - 6:30 p.m.
Venue: Moscone West - Room 3011
The EU General Data Protection Regulation (GDPR) is the most significant data privacy legislation to date, which goes into effect on May 25, 2018. Databases and the privacy-sensitive data they contain are at the heart of GDPR and should be one of the first areas of focus in your compliance strategy. In this session learn about the impact GDPR is likely to have on managing your data, typical preparatory strategies, and which database features and controls are applicable to GDPR.

Encrypt your Crown Jewels and Manage Keys Efficiently with Oracle Key Vault (CON6580)
Speakers: Saikat Saha, Product Director, Database Security, Oracle; Hamid Habet, Service Manager, Allianz Technology SE
Time: 4:45 p.m. - 5:30 p.m.
Venue: Moscone West - Room 3011
Encrypting sensitive data has become a must in light of recent megabreaches and compliance regulations. Centralized management of keys has become an important consideration for organizations. Join this session to learn about new innovations in Oracle Advanced Security’s transparent data encryption, including the new online and offline encryption capabilities, real-life customer stories, and deployment best practices in Oracle Key Vault.

Accelerate your Compliance Program with Oracle Audit Vault and Database Firewall (CON6576)
Speakers: Ram Subramanian, Director, Database Services, Symantec Corporation; Rohit Muttepawar, IT Architect - Database Platform, Symantec Corporation; George Csaba, Director, Product Management, Database Security, Oracle
Time: 5:45 p.m. - 6:30 p.m.
Venue: Moscone West - Room 3011
Increased concerns about protecting personal data and a heightened regulatory environment make monitoring access to sensitive data an imperative for organizations. In this session learn how Oracle Audit Vault and Database Firewall supports compliance programs with consolidated auditing and reporting across the hybrid cloud data center. Learn how Symantec used Oracle’s solution to meet PCI regulatory controls.

Wednesday, Oct 4

Sneak Preview: Oracle Database Security Cloud Service (CON6618)
Speakers: Vikram Pesati, Oracle; Michael Mesaros, Oracle
Time: 2:00 p.m. - 2:45 p.m.
Venue: Moscone West - Room 3011
Oracle users have a variety of security options for protecting their on-premises databases. Organizations migrating their databases to the cloud can take advantage of the upcoming Oracle Data Security Cloud Service. It automates the collection of database audit records and delivers consolidated reporting and alerting on database activities. This service also discovers and masks sensitive data in copies of production databases to enable improved application development and testing. Learn about the supported use cases for these services and see key features.

Inside the Head of a Database Hacker (CON6572)
Speaker: Mark Fallon, Oracle
Time: 11:00 a.m. - 11:45 a.m.
Venue: Moscone West - Room 3014
With unprotected assets in plain sight in databases, no wonder hackers seek to steal sensitive data from them. However, knowing the mind of a hacker can better help you strategize and create a blueprint for protecting your database. In this session the Oracle Database security architect (and resident white-hat hacker) takes you into the mind of a cybercriminal adept at exploiting vulnerabilities to access sensitive data stored in databases, and then discusses ways to stop them.

And many more sessions here

Stay on top of all the latest security news at OOW 2017 by following us on Twitter (@OracleSecurity) and Facebook (www.facebook.com/oraclesecurity).

Security Inside Out

Oracle Helps Customers Address GDPR with Security Solutions

With all the activity around the new European Union General Data Protection Regulation (GDPR), some organizations are scrambling to understand the impact it will have, including but not limited to:

Potential fines up to 4% of annual revenue turnover and legal costs and recourse
Reviewing and modifying organizational processes, applications, and systems
New and more stringent privacy and security requirements to be addressed

Continuous Compliance Strategy

Addressing GDPR compliance requires a coordinated strategy involving different organizational entities including legal, human resources, marketing, security, IT and others. The subject matter may involve information collected from various entities (i.e. customers and employees), as well as coordinated communications and technology used. Organizations should therefore have a clear strategy and action plan to address the GDPR requirements with an eye towards the May 25, 2018 due date.

My colleagues, Alessandro Vallega and Angelo Bosis, and I put together this whitepaper on Oracle Security Solutions that help our customers address some of their requirements for GDPR. Leveraging Oracle's experience built over the years, and our technological capabilities, we are committed to helping customers implement a strategy designed to address GDPR security compliance. This whitepaper explains how Oracle Security solutions can be used to help implement a security framework that addresses GDPR. To learn more about Database Security solutions that help address GDPR, please read this other paper.

Key Tenets of Security: C-I-A

Overall, GDPR addresses the key security tenets of confidentiality, integrity, and availability of systems and data. Oracle has a long history, and proven record, of securing data and systems. Oracle security includes a full set of hybrid cloud solutions, from the chip to applications, that help prevent, detect, respond to, and predict security threats; it can also help address regulations like the GDPR.

Strategically implementing the right technology, with effective security controls, can help:

Address regulatory requirements
Reduce risk (whether driven by regulatory compliance or other needs)
Improve competitive advantage by enabling increased flexibility and quicker time to market
Enable digital transformations

Ultimately, implementing effective security will offer organizations the opportunity to improve their IT security and IT security organization.

Oracle GDPR Framework for Oracle Products

Therefore, we looked at four different solution areas to create a framework for Oracle and how our products can help customers address GDPR (see image): Discovery, enforcement, enrichment, and foundation.

Discovery. On-premises products and cloud services that can help discover personal data and map data flows. This technology includes the discipline of data governance and provides capabilities such as data lineage, asset inventory, and data discovery.

Enrichment. Enrichment includes application modifications that may be necessary to comply with rights of the data subject (Art. 15-20). It may also be necessary to consolidate customer data to get a single view of the data subjects across the organization.

Foundation. The comprehensive set of mature operational technologies that are a part of Oracle’s DNA to enable good IT security with an emphasis on availability and performance of the services. This includes hybrid cloud solutions from maximum availability architecture and engineered systems to operating systems and processors. These solutions can help address “availability and resilience of processing systems and services; and the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident” (Art. 32).

Enforcement. Oracle hybrid cloud technologies that enforce security policies and controls that protect people, software, and systems. This encompasses products and services that provide predictive, preventive, detective and responsive security controls across database security, identity and access management, monitoring, management, and user behavior analytics.

We welcome you to download the paper, Helping Address GDPR Compliance Using Oracle Security Solutions, to learn more.

Oracle Key Vault 12.2 BP5 is available now!

We are delighted to announce the immediate availability of release 12.2 BP5 of Oracle Key Vault. The primary feature of the 12.2 BP5 release is the much-awaited support for Read-Only Restricted Mode High Availability to enhance service continuity of the endpoints. New features available in the BP5 release are listed below:

1. Support for HA (High Availability) Read-Only Restricted Mode

Oracle Key Vault supports HA Read-Only Restricted Mode to allow for continued access to keys even when connectivity between primary and standby servers is lost. Oracle Key Vault operating in a High Availability Read-Only Restricted deployment can continue to service requests such as key retrieval if its peer is unavailable. Operations like key creation and modification are not allowed in this mode. Previously, Oracle Key Vault did not allow operations because of the risk of losing certain types of data, such as audit records. The old behavior is still available and can be enabled while configuring High Availability. See the Oracle Key Vault Administrator's Guide for more information.

2. Additional Attributes on the All Items page to improve Key Searchability

Additional attributes like Name, Deactivation Date and Protect Stop Date have been added to the All Items page. This feature enables a user to search for the keys that are deactivated or will be deactivated soon. Keys uploaded using okvutil have multiple identifiers. This feature improves the lookup of such keys.

3. Support for Sending Audit Records to Remote Syslog

Oracle Key Vault supports sending of audit records to remote syslog. OKV Audit managers can enable this option. Remote syslog must have been configured by the System administrator before the Audit manager can enable sending of audit records to remote syslog.

4. Persistent Cache - New Mode and Lookup

Persistent cache features a new mode of operation - Persistent Master Key Cache First. When a key is required by the database, a lookup is performed on the persistent cache before fetching the key from the Oracle Key Vault. This improves performance because the PKCS#11 library will connect to Oracle Key Vault only if the key is not found in the persistent master key cache. This is the default persistent cache mode.

A new type, okv_persistent_cache, is added to the okvutil list command. okv_persistent_cache allows customers to view the persistent cache and check if the keys are available or expired.

5. Operating system in the appliance has been upgraded to Oracle Linux 6.9 OS

6. The following critical patches and fixes are included in Oracle Key Vault Release 12.2.0, Bundle Patch 5.

Oracle Database April 2017 Critical Patch Update available here.
The base platform has been updated with relevant security and stability fixes. These include fixes to Java and the underlying Linux operating system.

Additionally, Oracle Key Vault is now installed using two discs (created from two ISO files). For a fresh installation, Oracle Key Vault can be downloaded from Software Delivery Cloud. Note that this package cannot be used for an upgrade.

Analysis and Reports

Oracle Audit Vault and Database Firewall wins 2017 DBTA Readers’ Choice Award

Oracle Audit Vault and Database Firewall is the winner of the “Best Data Security Solution” in the 2017 DBTA Readers’ Choice Awards for the fourth year in a row. These awards are selected each year by the readers of Database Trends and Applications magazine and DBTA.com across 27 different categories of products and services.

Oracle Database Security solutions help protect the world's most sensitive data, providing consistent security policies and implementation across on-premise and cloud environments. Oracle Database Security helps over 10,000 customers worldwide in securing their database with comprehensive security controls to evaluate, prevent and detect threats.

Oracle Audit Vault and Database Firewall is an integral component of the database security control framework. It continuously monitors database activity for anomalies, helping detect threats, and preventing them from ever reaching the database. With its comprehensive reporting and analytics capabilities, the Oracle Audit Vault and Database Firewall solution helps demonstrate regulatory compliance and support security investigations.

“This award is a testament to our success in delivering solutions that provide tangible security benefits” – says Vipin Samar, SVP of Oracle Database Security products.

“There is an expanding array of solutions for storing, protecting, integrating, enhancing, and analyzing data,” said Tom Hogan, Group Publisher of DBTA magazine. “The DBTA Readers’ Choice Awards play a key role in spreading information about products that are providing a unique value to customers.”

Oracle and the other award winners will be featured in a special section of the August edition of DBTA Magazine, and at www.DBTA.com, reaching over 300,000 IT and business professionals across North America.

Additional information

Learn more about Oracle Database Security Solutions
Read more about the award: Best data security solution
See the complete list of 2017 DBTA Readers' Choice Winners.

  Oracle Audit Vault and Database Firewall is the winner of the “Best Data Security Solution” in the 2017 DBTA Reader’s Choice Awards for the fourth year in a row.  These awards are selected each year...

Database Security

Leverage Enterprise Manager to Simplify your Database Security Management

Are you concerned about securing your and your customers’ most valuable asset - the data? Are you worried about enforcing and managing different database security solutions to meet regulations such as European Union (EU) General Data Protection Regulation (GDPR)? Most of you must have used or heard about Oracle Database Security features and products that work together to offer a complete defense-in-depth and unified solution to your data security needs. But, did you know that you can manage these features and products from a central location? Yes, you can perform all database security management operations (and much more) from one place! Let us see how. Oracle Enterprise Manager is Oracle's integrated enterprise information technology (IT) management product line, which provides built-in monitoring, administration and lifecycle management capabilities for traditional and cloud environments. Oracle Enterprise Manager provides pluggable entities called plug-ins that offer special management capabilities customized to suit specific target types. While some of these plug-ins such as Oracle Database plug-in are installed by default, others such as Oracle Audit Vault and Database Firewall plug-in can be installed either using Oracle Enterprise Manager’s self-update feature or by downloading and installing the plug-in using offline mode (reference MOS note 1394908.1 for more information on deploying plug-ins). Oracle Enterprise Manager, with the help of plug-ins, enables you to perform centralized monitoring and administration of Oracle Database Security solutions deployed in your environment. 
These solutions include:
- Discovering sensitive data in databases to enable targeted protection
- On-the-fly redaction (sometimes referred to as dynamic data masking) of sensitive data before display by applications, which helps you reduce proliferation of sensitive data and minimize business risk of data breaches due to sensitive data exposure
- Encrypting individual columns or entire application tablespaces with Transparent Data Encryption (TDE) to protect against unauthorized access from outside of the database environment
- Enforcing trusted-path access control and controlling the risk of compromised administrator credentials by reducing administrator access to data using Database Vault
- Extracting and obfuscating entire copies or subsets of application data to reduce proliferation of sensitive data while sharing with partners
- Deploying Oracle Audit Vault and Database Firewall to protect against threats such as SQL Injection as well as for audit data consolidation, monitoring and compliance reporting

Let us take an example to understand how powerful Enterprise Manager and these plug-ins are and how they can make your life easier. The Oracle Audit Vault and Database Firewall (AVDF) plug-in provides an interface within Enterprise Manager for administrators to manage and monitor Audit Vault and Database Firewall components. The homepage gives you an overview of the overall health of the system, while drill-down pages let you monitor and manage specific components.

Some of the operations that can be performed from within the Enterprise Manager are:
- Automatically discover Oracle components such as Audit Vault Server, Database Firewall, databases and Audit Vault Agent on a host server
- Deploy Audit Vault Agent by simply pushing it out from the Enterprise Manager, and create audit trails for hundreds of databases in a short time
- Monitor and manage Secured Targets, Audit Agents, Audit Trails, Database Firewalls and Enforcement Points
- Monitor the underlying stack of AVDF system such as host server, databases, and ASM storage
- Set up proactive notifications along with performance and availability monitoring to provide better understanding regarding the system health and any potential issues

You do not need to access AVDF product interfaces to perform these monitoring and management tasks. Likewise, other Oracle Database Security features and products provide interfaces within Oracle Enterprise Manager with the help of plug-ins so that you can monitor and manage your most critical security operations from one place. These plug-ins have independent release cycles, so every time a new version of an Oracle product is released, a new version of the plug-in supports monitoring of that new product version in Enterprise Manager.

Oracle continuously strives to provide unparalleled security solutions for your mission-critical data and applications. Oracle has recently released a new set of plug-ins for Oracle Enterprise Manager 13c Release 2. Please check Oracle Enterprise Manager documentation to learn how to deploy and use these plug-ins. Oracle Enterprise Manager plug-ins are quite powerful and provide a great deal of important functionality. So, do not wait any longer, go ahead and try these plug-ins to see what you have been missing. To learn more, please visit our Oracle Technology Network webpage.


Oracle Key Vault

Oracle Key Vault 12.2 BP4 is Now Available!

Bundle Patch 4 (BP4) of Oracle Key Vault 12.2 is now available. This release delivers new capabilities and several improvements including:
- Windows 2008 and 2012 Endpoint Platform Support for Oracle Databases 11.2.0.4 and 12.1.0.2

To learn more please visit the Oracle Key Vault page on the Oracle Technology Network.

Events

Join Oracle at RSA Conference 2017, ‘Where the World Talks Security’

The 2017 RSA Conference is three short weeks away and Oracle is going to be there in force discussing whether cloud security is an evolution or revolution, why users are the new perimeter, and how to do the regulatory rumba! If you are attending RSA, we would love an opportunity to meet with you there.

Here are some easy ways for us to connect:
- Stop by the Oracle booth in the North Hall at N4435, or in the South Hall at S2621 for a demo of Oracle Identity SOC and our security solutions that help address the EU GDPR.
- Connect with us at our meeting room just around the corner from Moscone by clicking here to arrange a time.

We also want to make you aware of speaking sessions to add to your itinerary:
- On Monday, 2:00pm at the CSA Summit at RSA, you can hear Akshay Bhargava, Oracle Security Product Marketing VP, as he participates on the “Security in the Cloud: Evolution or Revolution” panel.
- On Friday, 9:00am at RSA, you can hear Mary Ann Davidson, Oracle CSO, speaking on “Doin’ the Regulatory Rumba.”

What is the Oracle Identity SOC and Why Should I Care?

Oracle Identity SOC is an identity-centric, context-aware intelligence and automation framework for security operations centers. Whether you call it an evolution or revolution, modern security attacks start outside the network and are not directly carried out by humans. To make matters worse, they are highly adaptive. In this modern world, traditional security models don’t work. Oracle Identity SOC recognizes that the one constant is the user, and puts identity at the center where it needs to be. We will be demonstrating three key components of Identity SOC at RSA.

How Can I Accelerate My Response to the EU GDPR?

As you prepare for the new European Union (EU) General Data Protection Regulation (GDPR), you are probably considering changes in processes, people, and technical controls. It can be daunting trying to understand what you need to do. Stop by one of our booths to understand how Oracle products can help accelerate adoption of the GDPR’s assessment, preventive, and detective controls. Our easy-to-use solutions provide transparent controls for implementing many of the security principles mandated by the GDPR.

Hope to see you where the world will be talking security – at RSA Conference 2017!

Oracle Key Vault

Oracle Key Vault 12.2 BP3 is Now Available

Bundle Patch 3 (BP3) of Oracle Key Vault 12.2 is now available. This release delivers new capabilities and several improvements including:
- Persistent master key caching to enhance database continuity in the event the OKV server is unavailable
- Integration with the Thales nShield Connect 6000+ Hardware Security Module
- Support for the NIST CNSA (Commercial National Security Algorithm) Suite
- Support for Google and Office365 SMTP business services for delivery of email notification alerts

To learn more please visit the Oracle Key Vault page on the Oracle Technology Network.

Audit Vault and Database Firewall

Oracle Audit Vault and Database Firewall 12.2 BP4 is Available

Bundle Patch 4 for Oracle Audit Vault and Database Firewall 12.2 is now generally available. This update to AVDF includes a number of notable feature enhancements:
- Support for multiple Network Interface Cards (NIC) on Audit Vault Server to support segmented networks
- Platform upgrade to Oracle Linux UEK4, and support for installation on Oracle Server X6-2
- Support for Oracle Linux version 7.1 as a secured target
- Support for Oracle 12c Release 2 (Cloud release) for audit data collection and monitoring
- Hybrid cloud support for Oracle Database Exadata Express Cloud Service

As well as a number of improvements. Audit Vault and Database Firewall customers may access the bundle patch from eDelivery.

Dutch Ministry of Economic Affairs on Masking Non-Oracle Databases

Watch this recorded webcast to hear lessons learned by Dutch Ministry of Economic Affairs masking Non-Oracle and Oracle Databases using Oracle Data Masking and Subsetting


Database Security

Fieldfisher and Dutch Ministry of Economic Affairs on EU GDPR

Watch this recorded webcast on EU GDPR and Data Anonymization featuring a counsel from Fieldfisher and Dutch Ministry of Economic Affairs explaining:
- Key compliance requirements under EU GDPR
- Business impact and preparation
- Measures taken by Dutch Ministry of Economic Affairs to comply with the GDPR
- Importance of data anonymization
- Lessons learned by Dutch Ministry of Economic Affairs anonymizing personal data using Oracle Data Masking and Subsetting
- How Oracle technologies can help protect data

ISACA Webinar: Mitigate Attacks on Test and Development by Masking Sensitive Data

Test and development environments often contain real sensitive data from production. As these instances are often left wide open for collaboration, they have become an easy target for hackers. Watch this ISACA webcast to learn how masking and subsetting can protect data and help address regulatory compliance by obfuscating sensitive data from developers, testers, and other non-production users.

Cloud Security

White paper: Unifying Cloud and On-Premises Data Security

Data Security is the #1, #2, and #3 concern for organizations adopting Cloud.  Whether on-premises or in the cloud, databases are the repositories of sensitive data and therefore are attractive targets for attackers. Read this white paper for a methodology to protect sensitive information in cloud databases and yet retain control on-premises.


Database Security

Your Data, More Secure in the Cloud

In this video, Vipin Samar, SVP of Oracle Database Security, illustrates how organizations can protect sensitive data in the cloud using a simple demonstration. Key requirements outlined as critical security controls include:
- Masking sensitive data
- Restricting access by admins
- Encrypting data by default
- Allowing direct control of encryption keys
- Allowing monitoring of user activities
- Reduced TCO

Your data has now become your capital, and like all assets, it needs to be protected. Watch the video and hear about cloud security risks and how to protect your organization in the cloud.

Customers

SBI Trade Win Tech Launches Industry-Compliant and Secure My Number Management Services in Just Six Months, Reduces Costs by 66%, and Supports Growth

Established in 2009, SBI Trade Win Tech Co., Ltd., aims to help customers in the financial services industry, including securities and foreign exchange companies, to cope with a fast-changing business environment and enhance their competitive edge. With the introduction of the My Number system—a national identification system with an individual’s social security and tax identification number—in Japan, SBI Trade Win Tech provides data management services tailored to customers’ security requirements and supports business growth.

SBI Trade Win Tech has successfully implemented Oracle Advanced Security, Database Vault, and Audit Vault and Database Firewall to protect sensitive data and meet regulatory compliance.

“We selected Oracle because it offered more cost-effective database security options than other vendors and enabled us to meet regulatory requirements...” Takashi Tosa, executive officer, corporate planning and administration division, quality management division, SBI Trade Win Tech Co., Ltd.

Read more.

Events

Focus on Database Security @ Oracle OpenWorld, 2016

This year's Oracle OpenWorld is chock-full of database security sessions and this Focus on Oracle Database Security document provides a full list for the week. For a quick reference, I've outlined some key must-see sessions.

Monday

Defense-in-Depth Database Security for On-Premises and Cloud Databases [CON6143]
Vipin Samar, SVP of Database Security, Oracle
The last 24 months have seen an unprecedented scale of data breaches across all sectors. Databases are frequently targeted by organized criminals, nation-states, and even insiders because they hold the most sensitive assets. Join this session to hear the senior vice president of Oracle Database Security development discuss a defense-in-depth strategy to mitigate different threat vectors against attacks on both on-premises and cloud databases. Learn how to evaluate your security posture, reduce attack surface, prevent attacks, and monitor user activities to keep your data safe using the latest innovations in Oracle Database Security. He also shares how to maintain full control and visibility of cloud databases.
Monday, Sep 19, 3:00 p.m. | Moscone South—305

Customer Panel: The Science and Art of Deploying Database Security [CON6578]
Sarah Brydon, Engineer (IT), Paypal
Keith Wilcox, VP, Database, Epsilon Data Management LLC
Leonid Stavnitser, Senior Director, Managed Security Services, Oracle
Troy Kitch, Director of Security Software Product Marketing, Oracle
Managing risk in the face of data breaches and regulatory compliance is a consistent challenge. One of the best ways to gain insight into database security is to hear firsthand from current customers: how they prioritize what to protect, and then how they deploy database security to mitigate these threats. Come join this session to hear Oracle top-tier customers discuss their deployments, best practices, and the science and art of defending their databases.
Monday, Sep 19, 5:30 p.m. | Park Central—Franciscan IT

Wednesday

Continuing Innovations in Oracle Database Encryption Jump Starts Your Security [CON6368]
Saikat Saha, Senior Principal Product Manager, Database Security, Oracle
Encrypting sensitive data has become a must in light of recent megabreaches and ever-expanding compliance regulations. Join this session to learn about new innovations in Oracle Advanced Security's transparent data encryption capabilities, including the new online and offline encryption capabilities. See a demo and learn about operational considerations, application transparency, performance throughput, and key management. The session also includes a real-world perspective on using Oracle Database encryption technologies.
Wednesday, Sep 21, 12:15 p.m. - 1:00 p.m. | Moscone South—103

Using Oracle Key Vault to Simply Key Management [CON6369]
Saikat Saha, Senior Principal Product Manager, Database Security, Oracle
Steven Zydek, Oracle DBA, Kohl's Corporation
The security of your encrypted data depends upon the security and control you have over the encryption keys. Centralized protection and management of encryption keys has become an important consideration for organizations. This session discusses how Oracle Key Vault accelerates deployment of encryption through centralized management. Optimized for Oracle Databases, Oracle Key Vault is a security-hardened software appliance with the ability to centrally store, share, and manage master encryption keys, Oracle Wallets, and Java KeyStores. Learn about the latest innovations and deployment best practices in the new Oracle Key Vault 12.2, and watch demonstrations of this easy-to-provision key management solution.
Thursday, Sep 22, 9:30 a.m. - 10:15 a.m. | Park Central—Franciscan I

Reducing the Risk from Malicious Users with Oracle Database Vault [CON6552]
Alan Williams, Senior Principal Product Manager, Oracle
Shekhar Trivedi, DBA, Verizon Wireless
In this session learn best practices for using Oracle Database Vault to protect your sensitive data from access by unauthorized users. Highly privileged database accounts can be used by malicious users to access sensitive data they are not authorized to see. See how to reduce risk and liability and meet regulatory requirements to prevent unauthorized data access. The new simulation mode allows you to quickly and safely analyze the security controls you need to protect sensitive data and prevent unauthorized changes to the database. Simulation mode eliminates the risk of impacting mission-critical applications. Learn how privilege analysis can help you implement least privilege best practices.
Wednesday, Sep 21, 4:15 p.m. - 5:00 p.m. | Moscone South—301

Inside the Head of a Database Hacker [CON6142]
Mark Fallon, Architect / Security Lead, Oracle
With unprotected assets hiding in plain sight in databases, no wonder hackers seek to steal intellectual property, personally identifiable information, and payment cards from databases. Exploiting common vulnerabilities-such as unpatched systems, overprivileged accounts, insecure database configurations, and stolen passwords-and unencrypted data is a good place to start. However, knowing the mind of a hacker can better help you strategize a blueprint for protecting your database. In this session, a world-renowned database white hat hacker takes you step by step into the mind of a cybercriminal adept at exploiting vulnerabilities to access sensitive data stored in databases.
Wednesday, Sep 21, 3:00 p.m. | Moscone South—104

Thursday

Accelerate Compliance with EU General Data Protection Regulation [CON6587]
Dinesh Rajasekharan, Product Manager, Oracle
The European Union (EU) recently announced the General Data Protection Regulation (GDPR) to address increasing security threats. Noncompliance fines can be up to 4 percent of global annual revenue. Come to this session to learn about how this regulation applies to both EU and non-EU organizations that have data about EU residents. Learn about the key data protection controls imposed by GDPR, and how they apply to the database, the source of sensitive data. Understand GDPR’s key objectives and actors, and learn how Oracle Database Security technologies can help implement data protection guidelines recommended by GDPR.
Thursday, Sep 22, 9:30 a.m. | Marriott Marquis—Salon 10/11

Oracle Audit Vault and Database Firewall: New Features, Hybrid Cloud Deployment [CON6579]
Wilson Verardi, CSRA
George Csaba, Director, Product Management, Database Security, Oracle
Attend this session to learn about the new features available with Oracle Audit Vault and Database Firewall 12.2. Find out how they protect your Oracle and non-Oracle databases against insider threats and help achieve regulatory compliance. Learn how Oracle Audit Vault and Database Firewall consolidates audit data for not only on-premises, but also in hybrid cloud environments where some databases are on-premises and others are in the Oracle Public Cloud. Discover how Oracle Audit Vault and Database Firewall ensures consistent security and audit policies across all database instances while decreasing implementation time and lowering TCO.
Thursday, Sep 22, 10:45 a.m. | Moscone South—301

Quickly Mask Test/Dev Environments: Securing Production Data Alone Is Insufficient [CON6583]
Dinesh Rajasekharan, Product Manager, Oracle
While many organizations implement protective and detective controls for their production databases, their test/dev databases are often left unprotected and become low-hanging fruit for attackers. Test/dev databases are typically the first databases to be moved to the cloud, and it is really critical to remove sensitive data prior to the move. Attend this session to find out how Oracle Data Masking and Subsetting Pack can help de-identify sensitive data from test/dev systems. This helps take such databases out of scope from audit and compliance and reduces the cost of compliance. Learn how to mask data dynamically in real time using Data Redaction. Learn about latest product updates, best practices, and a customer case study.
Thursday, Sep 22, 12:00 p.m. | Moscone South—301

Audit Vault and Database Firewall

Audit Vault and Database Firewall Wins DBTA Readers' Choice Award for Best Database Security Solution

We are happy to announce that for the third year in a row, Oracle Audit Vault and Database Firewall won the 2016 DBTA (Database Trends and Applications) Readers’ Choice Awards for Best Database Security Solution. Unlike other awards programs, the DBTA Readers’ Choice Awards are unique in that the winning information management solutions are chosen by the people who use them. We are humbled and appreciative of this honor. Thank you to our users!

Data is increasingly appreciated by companies as their most valuable asset. But the problem is that this view is not just held by organizations themselves, and there are others - including hackers - who see it that way as well. Read the details here.

Announcing Data Masking templates for Oracle E-Business Suite 12.2

As more and more organizations are upgrading to Oracle E-Business Suite (EBS) 12.2, we are announcing Data Masking templates for EBS 12.2. New and existing customers of one of Oracle's most popular applications can now easily secure sensitive information for their application development and testing. You require Oracle Enterprise Manager Cloud Control 13c with Oracle Data Masking and Subsetting to use EBS 12.2 Data Masking templates.

Oracle Data Masking and Subsetting has been significantly enhanced to support one of EBS 12.2's marquee features, "Online Patching", which leverages Oracle Database features such as Edition-Based Redefinition and Editioning Views. Data Masking templates for previous EBS versions are revamped to mask sensitive data in the EBS 12.2 Editioning Views.

As always, the comprehensive EBS 12.2 Data Masking templates are included in the Oracle Data Masking and Subsetting License at no additional cost and are one of the unique differentiators when compared to competition. Click here for more details about the announcement.

Database Security

Accelerate Your Response to the EU General Data Protection Regulation (GDPR)

If you are an information security professional, then unless you have been off the internet and media for the past few months, you will not have missed the news on the European Union (EU) General Data Protection Regulation (GDPR). The new data privacy regulation in Europe affects anyone globally who directly or indirectly deals with EU individuals’ personal information, imposing fines up to 4% of global annual revenue upon non-compliance. We recently published a white paper summarizing several key requirements of the GDPR and how Oracle Data Security technologies can help to respond to the key GDPR data protection principles. We hope this white paper will help in your journey towards GDPR compliance.


Register now for Oracle University Security Training Subscription

Protecting corporate information and technology assets from intruders, thieves, and vandals is a significant challenge for most enterprises. Historically, investments in security technology were made by individual technology managers and business units in response to the specific threats they faced. CIOs are now implementing technologies that can support the centralized management and enforcement of security policies. Now more than ever, training employees to use these security technologies has become paramount.

In response, Oracle University has released updated security training so that customers can get educated on the latest Oracle security content, including:
- Content developed by industry and product engineers and delivered by expert instructors
- More than 10 courses totaling over 30 days worth of instructor-led training
- Over a hundred continuous learning and just-in-time training videos

Curriculum focuses on content from the following key areas:
- Security and Risk Management
- Asset Security
- Security Engineering
- Cyber Security
- Identity and Access Management
- Security Assessment and Testing
- Security Operations
- Software Development Security
- and so much more....

Also Available:
- Quizzes to assess your understanding of key topics
- Learning paths to guide your career choices
- 24/7 availability of offerings
- Demonstrations

Subscribe to Oracle Security Learning and get prepared to help your organization reduce its overall risk.

Advanced Security

How Spain Protects 400 Million Citizen Records

Ministry of Justice of Spain (Ministerio de Justicia de España) is the public entity responsible for preparing, managing, and executing Spanish government justice system policy. It oversees the consistent execution of national laws across the country’s 23 provincial offices, while coordinating funding and procurement for tribunals, magistrate courts, and prosecutor’s offices. The organization is responsible for managing all staff - including lawyers, court officers, clerks and other administrative personnel - involved in the justice system.  “We selected Oracle because we know its solutions work flawlessly. Oracle solutions are an investment in peace of mind and security,” said Jose Luis Hernández Carrión, Deputy Director of New Technologies for Justice. Spain’s Ministry of Justice allocates resources based on different jurisdictional needs, which fluctuate based on crime rates, type and seasonality. The organization’s IT department provides support to the central registry, a number of other provincial offices nationwide, collecting data from all jurisdictions, archiving it and providing decision-makers with the tools needed to analyze resource allocation and program efficiency.  
Challenges: Ensure compliance with data privacy laws by protecting citizens’ personal data Control and monitor access to data, restricting it to authorized users and mitigating the risk of data leaks Enable real-time backup of geographically disperse databases to reduce downtime, improve recovery time, and reduce costs Solution: Comply with data privacy laws by using Oracle Advanced Security to encrypt more than 400 million pieces of citizens’ personal information Establish an access control and monitoring system, isolating user functions to enable only authorized users to access or modify data, logging all accesses to mitigate the risk of data leaks and ensure accountability Secure data in development and test environments with Oracle Data Masking and Subsetting Pack, enabling the ministry to develop and test new applications without compromising sensitive data, reducing overall masking time from a week to a few hours Use Oracle Active Data Guard to centralize more than 20 geographically dispersed standby databases, reducing costs 8x by executing 8 backups simultaneously on a single machine Enable real-time backups with Oracle Active Data Guard, eliminating downtime and reducing data recovery window from 48 hours or more to 2 hours—improving the ministry’s productivity and enabling forms and data to remain available to citizens  Why Oracle? Oracle Advanced Security, Oracle Data Masking and Subsetting Pack, and Oracle Active Data Guard seamlessly integrated with the ministry’s Oracle Database. “We selected Oracle because we know its solutions work flawlessly. Oracle solutions are an investment in peace of mind and security,” said Jose Luis Hernández Carrión, Deputy Director of New Technologies for Justice. Success story here 


Events

Wanted: Outstanding Oracle Security Experts to Speak @OpenWorld 2016

We want you to speak at OpenWorld 2016 The Oracle OpenWorld 2016 call for proposals is now open. Attendees at the conference are eager to hear from experts on Oracle security and technology. They're looking for insights and improvements they can put to use in their own jobs: exciting innovations, strategies to modernize their business, different or easier ways to implement, unique use cases, lessons learned, the best of best practices. If you've got something special to share with other Oracle Identity Management and Database Security users and technologists, they want to hear from you, and so do we. Submit your proposal now for this opportunity to present at Oracle OpenWorld, the most important Oracle technology and business conference of the year.


Cloud Security

New Paper Explains Oracle Public Cloud Security

Security: Top Priority

Security is a top priority for Oracle Cloud solutions. Oracle’s vision is to create the most secure and trusted public cloud infrastructure and platform services for enterprises and government organizations. Oracle’s mission is to build secure public cloud infrastructure and platform services where there is greater trust - where Oracle customers have effective and manageable security to run their workloads with more confidence, and build scalable and trusted secure cloud solutions.

In a new whitepaper, titled Oracle Infrastructure and Platform Cloud Services Security, Oracle's cloud security philosophy is explained, which includes our shared cloud security model that we have with our customers. The paper focuses on shared and service-specific security capabilities of the following services:

Oracle Compute Cloud Service
Oracle Storage Cloud Service
Oracle Network Cloud Service
Oracle Java Cloud Service
Oracle Database Cloud Service – Enterprise Edition

For a comprehensive list of the available Oracle Cloud services, go to https://www.oracle.com/cloud.

Cloud Security Capabilities

As we talk to customers, they desire the following security capabilities. The paper, therefore, is organized to explain how we address:

Control: Security mechanisms to control who can access data and under which conditions
Auditing: Ability to audit resources to maintain their security configuration
Visibility: Logs providing visibility into accounts and resources
Assurance: Ability to independently verify how data is being stored, accessed, and protected against unauthorized access and modification
Security: Services that are designed, coded, tested, deployed, and managed securely
Out-of-the-box integration with existing Oracle technologies: Seamless integration with existing Oracle solutions such as identity and access management

Fully Committed to Cloud

The protection of customer data is a primary design consideration for all of Oracle’s public cloud infrastructure and services. Oracle Cloud was developed to offer secure infrastructure and platform services that are used by Oracle customers to run their mission-critical enterprise workloads and store their data. Oracle believes that it has the right security philosophy, strategy, proven expertise, and resources to protect customer data and enable customers to build secure and private cloud solutions. Oracle is fully committed to continuing to invest in security capabilities to create the most secure public cloud infrastructure and trusted cloud services. These capabilities enable Oracle customers to have effective and manageable security, to run their workloads with more confidence, and to build trusted hybrid cloud solutions.

Download the new whitepaper here.


Securing Oracle Public Clouds

There is an incredible transformation we are all experiencing with cloud computing. The cloud truly is changing everything. It’s changing how businesses run and people work; it’s creating new categories, disrupting existing categories, and it’s changing how we communicate and share. It’s changing the economics of business forever. It’s happening at a speed no one ever imagined and it means a new way of thinking for security practitioners.

Transformation

When we look at the enterprise, we see that on every level, there are transformations that are encouraging a fluidity of boundaries. The Extended Enterprise is about the always-on expectation from users, about a corporate environment that is no longer limited to the four walls of the enterprise. Essentially, the Internet has become the corporate network; a coffee shop has become the corporate office. Work is no longer a place…it’s wherever you get inspiration.

Within that corporate network, applications that used to be selected, deployed and maintained by IT are increasingly giving way to applications that employees introduce into the network themselves. Often this is to increase productivity, or solve a problem that can’t be addressed by existing tools. For example, when files get too large for emailing, users may be tempted to use unsanctioned software as a service like Dropbox, or YouSendIt/Hightail in order to distribute information. This can cause challenges with internal IT teams that are enforcing corporate processes designed to lock down sensitive corporate data and keep it from showing up on shadow IT sites where they have no control.

The growing use of social collaboration and sharing regardless of location; the rising adoption of cloud computing; the proliferation of mobile devices; these are creating a fundamental shift within the enterprise that is breaking down the traditional four walls that have constrained IT to the corporate network and private WAN.
This begs the question, “Where did the perimeter go?”

The Perimeter has Evolved

We’re moving fast and it’s difficult to run a business with the expectation that we can prevent perimeter network penetration. The perimeter has evolved and we must assume the perimeter will be breached and deploy solutions that protect our assets, starting with the most valuable. Now, enterprises face a boundless future where the four walls of the enterprise are fluid. They extend to the cloud. And follow users from network to network, device to device. These need to be addressed within the context of rapid evolution in the threat landscape. This heightened risk comes at a time when users are increasingly leaving the safety of the corporate network, yet are still trying to access corporate assets – now from anywhere in the world as we embrace mobile and cloud.

In fact, according to a CSO MarketPulse survey we find that the allocation of resources is not appropriately aligned with the most vulnerable areas of attack. Sixty-seven percent of the 200+ CSOs indicated they are allocating most of their resources to the network layer, and only 15% were allocating most of their resources to the database layer. And yet, when asked what IT layers were most vulnerable to an attack, more than half (52%) said their databases.

Let me be clear, I am not saying that securing the perimeter is a bad idea. However, we need to augment where we’re placing our resources—now more than ever. The challenge is that for most enterprises, the network has become so large--encompassing multiple countries across the globe, outsourced data centers, and cloud computing--that it is harder and harder to secure the traditional perimeter from attack. This is even more important when we consider how to secure on premises and cloud based assets in a boundless world. It’s how you secure everything from your perimeters to your networks to your software and even your hardware.
To help businesses achieve that, we will need to change.

Turning Security from an Inhibitor to an Enabler of Cloud

How many of you believe security is actually an inhibitor to Cloud adoption? In Oracle's eleven critical cloud predictions to take into 2016, Oracle CIO Mark Sunday says, “Today, the #1 reason organizations are not moving to the cloud is security. However, tomorrow, security will be one of the most important drivers to move to the cloud.” The article goes on to explain, "A survey by Harvard Business Review Analytic Services (sponsored by Oracle) found that 62 percent of respondents thought security issues were by far the biggest barriers to expanding cloud adoption at their companies. Nearly half said data security is harder in the cloud. But those very same concerns will soon drive organizations to the cloud. Established cloud vendors with a solid security track record have the expertise and resources to deploy layers of defense that many companies can’t hope to duplicate in-house."

So, How Do We Do It?

Oracle secures every layer of both on premises and the cloud. By owning best in class SaaS, PaaS, and IaaS, our goal is to protect each and every aspect of your on premises, private, and public cloud environments. [Disclaimer: Not all technologies identified here are available for all Oracle Cloud Services.]

To build a secure cloud, it starts with the underlying infrastructure—a secure cloud must be built on a foundation that is securely designed and developed from the outset. Oracle starts with layers of defense. This is how we’ve built our solutions to work together and be more secure through seamless integration and layers of security. Then we add a comprehensive set of security controls across these solutions in order to protect the entire environment, from physical to logical security controls. These include preventive controls that protect against bad guys getting to the data, and if they do, it would be rendered useless.
This includes detective security controls that detect suspicious activity in process and can raise an alert. This is what I like to call our forensics capabilities. Finally, it includes the administrative process and procedures we follow to build security into our cloud environment. Let's look at both of these in more detail: Security and Control.

Layered Security Defense

When looking at security, it’s important to provide layered security, also known as defense-in-depth, because no one control can mitigate all threats. Oracle is working to provide multiple layers of security in our cloud. So, whether on premise or cloud, these are the requirements for a secure IT environment. [Disclaimer: Not all technologies identified here are available for all Oracle Cloud Services.]

First, you want to integrate security into the foundation of the software. From the underlying silicon to the firmware that is built into the silicon, to the operating systems and applications. Let’s start with the Silicon layer and work our way up to the applications layer:

Silicon

Ultimately, security should be enabled at multiple layers and pushed down the stack as far as you can go. For example, security at the database layer is preferable to security at the application layer. When you encrypt data in the database, all applications that are connected to that database gain the encryption capability. Otherwise, you would have to code encryption into each of those applications, which would take a long time and is error prone. If you push security down into the silicon layer, then the software that is built on that silicon inherits that security. You need to be able to secure data in memory from corruption and attack through unauthorized access or buffer over-runs, because if someone can control your systems at the chip layer, then they can potentially own all the software that sits on top.
Infrastructure

At the infrastructure layer, Oracle provides storage and will soon be offering elastic compute so that our customers can run any workload in the cloud. For our storage service, we provide backup of your sensitive data and can encrypt it all for you. When our elastic compute service is ready, organizations will enable unrestricted, and yet secure communications between selected VMs. By creating dynamic firewalls, also known as security lists, and adding your VMs to that list, the VMs can communicate with each other in the same list over any protocol and port. This is a secure way to communicate between known virtual machines. By default, the VMs in a security list are isolated from hosts outside the security list. At any time, to block access—permanently or temporarily—to all VMs in a security list, delete or disable the relevant security rules. To block access to specific VMs rather than to the entire security list, remove those VMs from the security list. What you ultimately get is the ability to have fine grained network access control over your compute environment.

Database

At the database layer, Oracle Database as a Service includes tightly integrated Oracle Advanced Security with transparent data encryption to secure data at rest on disk and on database backups. Our same on premise data encryption technology is built into our database as a service and is transparent to users and applications because the encryption takes place at the kernel layer. This extends up into the application layer, so that when applications make calls to the database, we can redact, or remove sensitive data from the application layer, on the fly, so that unauthorized users are unable to see sensitive data. This data redaction is part of our Advanced Security solution. And again, it is built into the kernel, which avoids tampering methods and provides better security.
In order to prevent privileged users (ours in the cloud or yours on premise) from gaining unfettered access across the entire database, Oracle Database Vault can restrict credentials to a least privilege state, so that administrators can only perform the tasks necessary to do their jobs, and no more. So for example, they can maybe administer backups, but not necessarily be able to read or write into that database.

Middleware

Throughout many of our Oracle cloud services (Fusion Apps, PaaS, and IaaS) when a user registers, the account and credential information is stored in Oracle Internet Directory. When a user wants to authenticate and gain access to several services, the single sign-on is handled by Oracle Access Manager. When a user account is disabled, it can be disabled across multiple services. Each of these capabilities is enabled by Oracle Identity Management, and we’ve been providing these services for some time now. Oracle has put a great deal of effort into developing powerful, robust security mechanisms within its products and within our cloud, and we want to make sure that customers are fully leveraging these security features.

Applications

Finally, at the top of our stack you want to provide Single Sign-On across multiple applications because the fewer user names and passwords you manage, the better. Oracle provides integrated access controls that are dependent on your role. And I mentioned the ability to remove or redact sensitive data from applications by way of the database kernel; application developers do not have to do complete development rewrites in the application code in order to redact data. Instead, DBAs can implement redaction policies within the database and cover multiple applications.

From the chip level up, we have thought through layered security defenses built into the cloud. This strategy is not dependent on a single security tactic or approach. It provides multiple layers of protection.
Comprehensive Security Controls for the Cloud

From physical security in and around our datacenters, to applying security controls at the application, network, and logical access layers, you can see why Oracle can provide as good as, or dare I say better security, than you can obtain on premise. As we drill down into each layer you can see security is baked into both physical and logical access.

For physical access, we have multiple security zones that our IT staff must pass through in order to gain clearance throughout the datacenter, including a reception desk, access cards, biometrics in the way of keypads or retina scanners. All of this is under video surveillance, plus more.

We carry this practice of depth in defense to Logical Access layer. We mandate encryption on all staff computers, implement personal firewalls, two-factor authentication, and layers of role based privilege access controls. This helps mitigate stolen username and password threat vectors. All of this is managed by Oracle Identity Management, the same suite that many of you use to gain access to corporate systems.

And for detective security controls, we apply forensics – looking for security vulnerabilities. We monitor access and conduct monthly reviews. And the layers of defense continue; we also deploy security controls using vendors that we do not directly compete with in order to cover the gaps where Oracle doesn’t play.

Security is no longer a reason to not move to the cloud, but in fact a reason to move to the cloud. Security is an enabler: Just as Oracle helps reduce costs associated with system deployments, maintenance and tuning, it is even more difficult to find qualified staff to secure your environments. Oracle has the resources and knowledge to secure your deployments in the Oracle Cloud.

Securing the Hybrid Cloud

Security has also enabled you with a choice of how you deploy, as well as a transition from on premise to the cloud.
You see, now you can maintain existing on premises deployments and connect to your public cloud. This provides comprehensive security for a hybrid deployment. This also provides flexibility and choice because we’ve integrated many of our technologies. Security is an enabler: You now have a common set of security controls that address regulatory compliance requirements, a common set of security policies that extend across on premise and cloud, and multiple security layers that are integrated and built in from the infrastructure up. To learn more about how Oracle Secures the Public Cloud, please read Oracle Cloud Enterprise Hosting and Delivery Policies.


Larry Ellison, New Rules of Thumb for Next-Generation Data Security

In his keynote address at Oracle OpenWorld 2015, Oracle Executive Chairman and Chief Technology Officer Larry Ellison highlighted the urgent need for advanced next-generation data security technologies—and outlined two new rules of thumb for data security in the age of megabreaches.  Recent breaches extend far beyond the theft of data from tens of millions of retail and banking customers. Even the US Office of Personnel Management has lost highly sensitive data relating to over 20 million federal employees—all the way up to White House staff.  "Organizations are losing a lot of these cyberbattles," said Ellison. "Our industry needs to rethink how we deliver technology, especially as vast amounts of data are moved to the cloud." Read more of this article and Oracle's perspective.


Data Masking

Oracle Data Masking and Subsetting FAQ

Dear Readers, We have recently published an updated Oracle Data Masking and Subsetting FAQ document to the Oracle Technology Network. We hope this FAQ answers most of your questions regarding the product.


Data Masking

Qatar Olympic Committee success story

Qatar Olympic Committee Gains Extra Layers of Security for Sporting Events While Reducing Total Database Ownership Cost by 66%.


Data Masking

2015 Gartner Data Masking MQ Highlights Oracle’s Leadership in Security

Gartner recently published its 2015 Magic Quadrant (MQ) for Data Masking Technology, and Oracle continues to ascend in the leaders quadrant. The report is available for download from Oracle Industry Analyst Relations internal website, under database section.

According to this report, “SDM (Static Data Masking) for relational databases remains the most demanded technology”. The report also provides insights on the changing dynamics of this space, saying “The year 2015 had us witnessing an exceptionally high volume of acquisitions… [signifying] the growing importance of DM for security and privacy of sensitive data.”

If you want to learn more about how Oracle’s market leading Data Masking product is helping customers worldwide protect their most sensitive and regulated production data, then please see the Oracle Data Masking and Subsetting page on Oracle Technology Network.

Disclaimer: Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.


Events

ISACA Webcast on Cloud Security Prediction, Feb 11, 2016

Please join me February 11, 2016 for the ISACA webcast, Prediction: Security Moves from Barrier to Main Benefit of Cloud Adoption where I will discuss some of the cloud security challenges facing organizations. I will also discuss how cloud vendors should be implementing security controls for their public clouds so that organizations have more confidence putting their sensitive systems and data there. And you'll receive a CPE for joining me. Here's the abstract: In a recent cloud predictions article, Oracle CIO, Mark Sunday predicts “Today, the #1 reason organizations are not moving to the cloud is security. However, tomorrow, security will be one of the most important drivers to move to the cloud.” A survey by Harvard Business Review Analytic Services (sponsored by Oracle) found that 62 percent of respondents thought security issues were by far the biggest barriers to expanding cloud adoption at their companies. But those very same concerns will soon drive organizations to the cloud. Join this Oracle and ISACA webcast to learn how established cloud vendors with a solid security track record have the expertise and resources to deploy layers of defense that many companies can’t hope to duplicate in-house.  I hope to see you there.  


Events

Oracle at RSA Conference 2016

Announcing Oracle at RSA Conference 2016 – Where the World Talks Security!
Moscone Center, San Francisco
February 29 – March 4

Fueled by a $288B black market for information, we are in the midst of a data breach epidemic; spending on technology has failed to reduce the risk. Effective modern security to mitigate a data breach requires an inside-out approach with a focus on data and internal controls. Join Oracle at RSA Conference 2016 February 29 – March 4, and glean insight into helping your organization build an inside-out security strategy.

Oracle Speaking Session (PDAC-FO3)
Friday, March 4, 2016 | 11:20 AM – 12:10 PM | West | Room 2005
Encryption without Enterprise Key Management – It’s Like Icing without Cake, Saikat Saha, Sr. Principal Product Manager, Oracle

Deploying encryption systems without effective key management will not deliver on the promise of data security. Whilst the exciting part is the encryption technologies, loss of the keys will compromise any solution. In this session we’ll explore the value provided by the standardization of key management protocols as well as the critical part of a security solution it plays.

Meet the Experts

Visit the Oracle Security Solution Showcase (Booth #4704) to meet our security experts and see live product demonstrations.

Monday, Feb 29th – 5 – 7 p.m. (Welcome reception)
Tuesday, Mar 1st – 10 a.m. – 6 p.m.
Wednesday, Mar 2nd – 10 a.m. – 6 p.m.
Thursday, Mar 3rd – 10 a.m. – 3 p.m.

Register for a complimentary Exhibit Hall Pass using code XEORACLE16 (deadline Friday, February 26th)


Advanced Security

Cloud Prediction #2: Security as an Enabler

Check out Oracle's eleven critical predictions as we head into 2016 and you'll find security will move from a barrier to cloud adoption to one of its main benefits. “Today, the #1 reason organizations are not moving to the cloud is security. However, tomorrow, security will be one of the most important drivers to move to the cloud,” said Oracle CIO Mark Sunday.  Security should be an enabler for organizations to move to the cloud. A company like Oracle has both the logical and physical security resources and knowledge that many organizations cannot match. Oracle's cloud is a very secure cloud that provides our customers trust that their applications run securely so they can focus on innovation.   Brakes on a car enable you to go faster. Without brakes, you must go slowly and you can’t drive down hills. It’s very limiting. The cloud is a business enabler and security must be necessary and sufficient so that organizations can move fast as well as safe.  “Cloud vendors like Oracle that have a comprehensive and integrated defense of layered security controls are what can turn security from an inhibitor to an enabler of enterprise cloud deployments,” Sunday concludes. Read his prediction and the ten others here.  


Advanced Security

Encryption is the Easy Part; Managing those Keys is Difficult

Security threats and increased regulation of personally identifiable information, payment card data, healthcare records, and other sensitive information have expanded the use of encryption in the data center and cloud. As a result, management of encryption keys, certificates, wallets, and other secrets has become a vital part of an organization’s ecosystem, impacting both security and business continuity. Join this ISACA and Oracle webcast as we examine the challenges with encryption, on premise and in cloud, and how key management best practices can help facilitate the secure deployment of encryption across the enterprise. Challenges we’ll address include:

Managing encryption keys, Oracle Wallets, Java Keystores and Credential files across the enterprise
Securely sharing keys across authorized endpoints
Auditing key access controls and key lifecycle changes
Detailed management reports

ISACA Members Earn Free CPE

Special Guest

Note, we'll have special guest Saikat Saha who has specialized in the area of data encryption and key management. Saikat currently works as product manager in the Oracle Database security team. He also serves as co-chair of the OASIS KMIP (Key Management Interoperability Protocol) industry standard technical committee. He has launched multiple successful security products in the market related to data encryption, application encryption and key management over the last decade. Saikat holds a B.E from National Institute of Technology, Durgapur, India and an MBA from Leavey School of Business, Santa Clara University.

When and Where?

Date: Thursday, 8 October 2015
Time: 12PM (EDT) / 11AM (CDT) / 9:00 (PDT)

Register Now


Data Masking

Oracle Data Masking and Subsetting sessions in Open World 2015

It's Oracle Open World time. This year Open World is from October 25 to 29 in San Francisco. As always, there will be a marathon of sessions, labs and demonstrations along with a lot of fun.

I am excited to present a public session about what's new in Oracle Data Masking and Subsetting. More details about this session are available in the Open World content catalog here (search for session identifier CON8625).

This year we are also conducting two hands-on-lab sessions on Oracle Data Masking and Subsetting. You can interact with the product during these sessions. The hands-on-lab sessions will be on October 28 (Wednesday) between 1:15 pm - 2:15 pm and on October 29 (Thursday) between 9:30 am - 10:30 am at Hotel Nikko San Francisco in the Bay View facility. More details about these hands-on-lab sessions are available in the Open World content catalog here (search for session identifier HOL10507).

In addition to a conference session and hands-on-lab, you can interact with the product team at Oracle Data Masking and Subsetting booth in the demo grounds.

We hope to see you at Oracle Open World 2015.


Database Security

Secure the Crown Jewels

What's the secret to being the longest running Monarch in British history? I'd like to think keeping your crown jewels safe; they symbolize the power and continuity of the monarchy. However, as anything that represents worth, or power, there will always be attempts to steal it. In 1671, Colonel Thomas Blood attempted to steal the crown jewels from inside the Tower of London. Just like we have cyber criminals stealing privileged users' credentials in order to fly under the radar and steal from our governments and corporations, so did Mr. Blood. Over a period of time, he gained the trust--and eventually access to the jewels--from the Master of the Jewel House, Talbot Edwards. Blood and his fellow criminals then managed to subdue Edwards and steal the Crown Jewels, but only for a short time. Blood was ultimately caught and interestingly awarded for his crime.

The new Crown Jewels are organization and government data. This data represents information that organized criminals can sell on the black market, or intellectual property that espionage hackers can use for political or monetary advantage, or worse, blackmail and secrets that political hacktivists can expose. Unfortunately, unlike the case of Blood's attempt on the Crown Jewels, many of these cyber criminals are never caught because they weave an intricate and hidden path to the data, and exfiltrate it without being caught.

Data breaches continue to make headlines, and they are not just about stolen credit card information anymore. Data breaches are now targeting different industries and different types of information. What’s going on, and what can organizations do to protect their corporate data?

Oracle Magazine sat down with Vipin Samar, vice president of Oracle Database security, to talk about the latest data breaches, how data breach threats are evolving, and how to work with the wide variety of data that needs protection in the enterprise.

Read more here

Events

Database Security at OpenWorld, 2015 -- Security is Hot!

Cybersecurity is Hot! In fact, so is the weather here in California at this moment. I write this in sweltering 95 degree temperatures and wonder if October--coincidentally National Cyber Security Awareness month--will be as hot outside San Francisco's Moscone Halls (and surrounding buildings) as it will be inside. Join me at Oracle OpenWorld, October 25-27th to find out.

We are very excited to offer our customers over 77 talks on security, including our latest database security innovations. Plan your days accordingly to attend these hot database security focused sessions.

Monday, Oct 26
- What’s New in Oracle Database Security [CON6819]
- Oracle Audit Vault and Database Firewall—Detect Breaches and Prevent Attacks [CON8668]
- Data Protection in an Oracle E-Business Suite Situation? Oracle Label Security Is the Answer [CON2075]

Tuesday, Oct 27
- Oracle Database Maximum Security Architecture—Protecting Critical Data Assets [CON8803]
- Mask and Subset Sensitive Data for Test/Dev Databases On Premises or in the Cloud [CON8625]
- Database Security: Preventing and Detecting Privileged User Attacks [HOL10437]

Wednesday, Oct 28
- Oracle Database Vault for Pluggable Databases [CON1922]
- Encrypting Oracle E-Business Suite 12.1 on Oracle Exadata Using TDE Functionality [CON2975]
- Oracle Database Vault—Shrinking the Attack Surface for Your Application [CON8624]
- Oracle Advanced Security—Enterprise-Grade Encryption for Your Sensitive Data [CON8563]
- Minimize Security Risks by Masking and Subsetting Sensitive Data in Test and Developmen [HOL10507]

Thursday, Oct 29
- Minimize Security Risks by Masking and Subsetting Sensitive Data in Test and Developmen [HOL10507]
- Managing Advanced Security Database Encryption Keys with Oracle Key Vault [CON8562]
- Oracle Database Security Customer Panel: Strategies and Best Practices [CON8655]

Get the details here with our focus on Database Security. And you can focus on all Security as well.

Big Data Security

Ready to meet privacy, security issues that come with Big Data?

Managing big data involves more than dealing with storage and retrieval challenges – it requires addressing a variety of privacy and security issues as well. If you fail to secure the life cycle of your big data environment, you can face regulatory consequences, and worse, significant brand damage that data breaches can cause.

Download the resources to learn about the top threats to Big Data environments, including:
- Unauthorized access
- Data provenance
- Do-it-yourself Hadoop

Read the joint MIT and Oracle resources and learn the security controls to protect the big data life cycle:
- White Paper: Securing the Big Data Life Cycle
- Video: Securing the Big Data Life Cycle
- Infographic: Securing the Big Data Life Cycle
- Bigger Data, Bigger Responsibility
- Diversity of Big Data Sources Creates Big Security Challenges
- Big Data, Big Security: Defense in Depth

Related Assets from Oracle:
- Video: Data Capital
- Comprehensive, Secure Big Data in the Cloud

Database Security

Watch the Security Learning Streams

I wanted to call everyone's attention to the latest Oracle Learning streams for database security. Oracle's product management team has put together these three 13- to 25-minute clips in order to help our customers understand the value and benefits of a few of our database security solutions. Check them out:
- Oracle Database Unified and Conditional Auditing
- Oracle Data Masking and Subsetting (data masking for nonprod)
- What's New in Oracle Audit Vault and Database Firewall

Security Inside Out Newsletter, July Edition is Out

The July edition of the Security Inside newsletter is now available. Sign up here for the Security Inside Out newsletter where we highlight key Oracle Security news and provide information on the latest webcasts, events, training and more.

This month in the news:

Inoculating the Cloud
Another day, another data breach. From the recent cyber attack on the Internal Revenue Service to news of a security bug called VENOM, it seems as if frequent cybersecurity incidents represent the new normal. What new methods can your security group deploy to augment traditional perimeter defenses? The key is to focus on your most valuable asset—data—and build a security strategy that protects data at its source.

Now Available! Oracle Identity Management 11g Release 2 PS3
Read about the new business-friendly user interface that simplifies the tasks associated with provisioning and managing today’s robust, identity-driven environments. Also learn about the expansion of mobile device management capabilities and a consolidated policy management framework that enables simplified provisioning of devices, applications, and access.

Securing Data Where It Matters Most
Putting defense in depth database protection in place is the first step to a security inside out data strategy. Even if an organization’s perimeter is breached, organizations can reduce risks by placing security controls around sensitive data, detecting and preventing SQL injection attacks, monitoring database activity, encrypting data at rest and in transit, redacting sensitive application data, and masking nonproduction databases. Read insights from Oracle Vice President of Security and Identity Solutions, Europe, the Middle East, and Africa, Alan Hartwell.

Data Masking

Gartner positions Oracle as a leader in 2014 Magic Quadrant for Data Masking Technology

For the third year in a row, Gartner, Inc., an information technology research and advisory firm, has positioned Oracle as a leader in its 2014 Magic Quadrant for Data Masking Technology report. The report is available for download on the Oracle Industry Analyst Relations internal website, under the database section.

According to the report, “Adopting DM helps enterprises raise the level of security and privacy assurance. At the same time, DM helps them meet compliance requirements with the security and privacy standards recommended by regulating/auditing authorities (for example, the PCI Data Security Standard [DSS] and the Health Insurance Portability and Accountability Act [HIPAA]). Potential abusers, who DM aims to deter, are often enterprise employees or employees of outsourcing firms, such as users of test databases (programmers, testers and database administrators) or users of analytical and training databases (analysts, researchers and trainees).”

The report also mentions, “A growing number of enterprises make Data Masking a mandatory part of their overall security strategies.”

Database Security

Database Administrators – the Undercover Security Superheroes

Over the past five years, while enterprise IT departments were focusing on the rise of cloud, mobile, and social technologies, a lucrative black market emerged around the acquisition and sale of information. Today, this includes personal data, intellectual property, financial details and almost any form of information with economic value.  It suffices to say that when it comes to data security, businesses now find themselves under assault like never before, and are in dire need of leadership to help overcome this systemic problem. Step forward the database administrator; the person with the knowledge and power to help secure sensitive data on behalf of the organization and its employees. Like most free markets, the information black market sets the value of its focal commodity – in this case data – and allows buyers and sellers to connect via a complex underground network. Just as the world is producing more data than at any other point in history, these organized groups are finding new ways of stealing and monetizing this information. For their part, senior executives are only too painfully aware of what’s at stake for their businesses, but often don’t know how to approach the problem. In an era where information is arguably the most valuable asset a company has, they will look to database professionals to help the business take a stand and prepare itself to best protect this crucial asset. However, the knowledge gap these individuals will be addressing is large. Two-fifths of businesses admit they are not fully aware of where all the sensitive data in their organizations is kept, according to respondents to a recent Independent Oracle Users Group survey. Those taking proactive measures to lock down data and render it useless to outsiders are still in the minority, and relatively few have any safeguards in place to counter accidental or intentional staff abuse that could lead to a breach. 
These safeguards should also extend to DBAs themselves, as ultimately everyone in the organization is in a position to commit a data breach, whether inadvertently or intentionally.  That said, together with security professionals, database administrators do have a fighting chance to combat assaults on their organization’s data. Their background gives them a unique understanding of what the risks are to the organization, where to find them and how they can ultimately be addressed or, in the best case, pre-empted. As the stewards of highly sensitive intellectual property and personal information, database administrators will need to step up and lead the battle against the villains of the black market. As Voltaire once said, “With great power comes great responsibility”, a credo that holds as true for comic book superheroes as it does for the security champions of the enterprise. If database administrators can bring security concerns front-of-mind for employees across the business, and help drive protective measures at every level of the organization’s IT, they will be well placed to take a stand and fend off the security challenges of the coming years. Check out the Security Super Hero Infographic here.

Database Security

Inoculate the Cloud: Moving to the Cloud FOR Security

Forbes BrandVoice features a new article, Inoculating the Cloud, on how organizations will be moving to the cloud in order to be more secure. No matter what survey you look at regarding challenges of moving to the cloud, you'll usually see "security" as one of, if not the top, concern. It makes sense that organizations worry about putting their sensitive customer and company data in the cloud because of data breach risks and compliance concerns. "Who can protect my data, better than myself," they question. However, I would much rather trust my money to a bank than put it under my mattress. I think the bank is better positioned to protect my money.

I believe this same rationale goes for securing sensitive data. I would argue that a cloud vendor like Oracle could protect sensitive data better than corporations can. They should be focused on their core business, not maintaining and securing IT infrastructure. The Forbes BrandVoice article highlights this logic:

A recent study from Harvard Business Review Analytic Services (sponsored by Oracle) found that 62% of survey respondents thought security issues were by far the biggest barriers to expanded cloud adoption at their companies. Nearly half pointed out that data is more difficult to secure in the cloud. But those very same concerns will soon make security a selling point for the cloud. Established cloud vendors have the internal expertise and resources to install and maintain multilayer security—a level of expertise that many companies cannot hope to duplicate in house. “This is one factor steering many CIOs toward established vendors for cloud services—they have the resources to invest in state-of-the-art security—both physical and logical,” according to the HBR-AS study. Then, too, big service providers can automate and simplify many security measures such as implementing security patches, access management, and regulatory compliance.

Learn more by reading the article here.

Big Data Security

MIT Technology Review: Diversity of Big Data Sources Creates Big Security Challenges

According to Oracle’s Neil Mendelson, many companies today make a key mistake in setting up their big data environments. “In an effort to gain insights and drive business growth, companies can too often overlook or underestimate the challenge of securing information in a new and unfamiliar environment,” says Mendelson, vice president for big data and advanced analytics at Oracle. That lack of attention to big data security requirements can, of course, leave the organization open to attacks from any number of unknown sources.  Other evolving circumstances also contribute to a wide range of security-related risks, hurdles, and potential pitfalls associated with big data. As the Cloud Security Alliance, an industry group, notes: “Large-scale cloud infrastructures, diversity of data sources and formats, the streaming nature of data acquisition, and high-volume inter-cloud migration all create unique security vulnerabilities.” Learn more here about factors that complicate big data implementations, and what is required for organizations to secure the big data life cycle. 

Database Security

Oracle Database 12c Real Application Security Administration Application - Now Available on OTN

The release of Oracle Database 12c and the new Real Application Security (RAS) technology further demonstrated Oracle's decades long commitment to delivering cutting edge security technology to our customers. The release of RAS fundamentally changed the technology available to application developers and data security architects. “The release of RAS with Oracle Database 12c was the most important database security enhancement for application developers since the release of Oracle's ground breaking row level security solution, Virtual Private Database in 1998,” said Paul Needham, Senior Director for Oracle Database Security Product Management.

Over the past two decades nearly every application developed has had its own unique security model. Application users, roles, and privileges are mostly stored in custom application tables that require very specific domain knowledge to maintain. This complexity has made it difficult and costly to keep pace with ever changing privacy and compliance regulations and protect against hackers. Integrated with Oracle Fusion Middleware and Oracle Application Express 5.0, Real Application Security enables developers to build the world’s most secure applications by centralizing security policies within the database.

Benefits of Oracle Database 12c Real Application Security include:
- End-user session propagation to the database
- Data security based on application roles and privileges
- Simplified security administration

Today, the database security development team is pleased to announce the release of Real Application Security Administration Application (RASADM). RASADM is the new Oracle APEX 5.0-based tool for managing Oracle Database 12c Real Application Security. It complements the comprehensive RAS PL/SQL API available today and is designed for both developers and application security policy administrators. RASADM is designed to accelerate adoption of the powerful Oracle Database 12c RAS technology.

“The release of Real Application Security with Oracle Database 12c demonstrates Oracle's continuous innovation in the database security arena. RASADM was one of the first requests from those building on RAS with Oracle Database 12c and we are pleased to be able to deliver this to our customers,” says Vipin Samar, Vice President, Oracle Database Security.

More information on Oracle Database 12c RAS as well as the download link for RASADM can be found on OTN here.

Security Inside Out Newsletter, May Edition

Get the latest Security Inside Out newsletter and hear about securing the big data life cycle, data security training, and more. Also, subscribe to get the bi-monthly news in your own inbox.

Big Data Security

Securing the Big Data Life Cycle: A New MIT Technology Review and Oracle Paper

The big data phenomenon is a direct consequence of the digitization and “datafication” of nearly every activity in personal, public, and commercial life. Consider, for instance, the growing impact of mobile phones. The global smartphone audience grew from 1 billion users in 2012 to 2 billion today, and is likely to double again, to 4 billion, by 2020, according to Benedict Evans, a partner with the venture capital firm Andreessen Horowitz.

“Companies of all sizes and in virtually every industry are struggling to manage the exploding amounts of data,” says Neil Mendelson, vice president for big data and advanced analytics at Oracle. “But as both business and IT executives know all too well, managing big data involves far more than just dealing with storage and retrieval challenges—it requires addressing a variety of privacy and security issues as well.”

With big data comes bigger responsibility. A new joint Oracle and MIT Technology Review paper drills into addressing these big data privacy and security issues. Get the paper, Securing the Big Data Life Cycle, and learn more here.

Big Data Security

Using Earthquakes to Predict Cybercrime

Known for big surf and occasional big earthquakes, Santa Cruz, California has also been in the news regarding big data. In fact, the police force has used predictive analytics to capture would-be thieves. Two women were taken into custody after they were discovered peering into cars in a downtown parking garage. After further questioning, one was found to have outstanding warrants while the other was carrying illegal drugs. The unique thing here is that the police officers were directed to the parking structure by a computer program that had predicted that car burglaries were especially likely there that day. This computer program, developed by PredPol, is based on models used for predicting aftershocks from earthquakes, a common occurrence here in California. The algorithms used generated projections about which areas and windows of time are at highest risk for future crimes.

The Innovative Hacker

Organizations struggle to mitigate threats due to the continuing evolution of hackers and their methods of attack. Since William T. Morris Jr. first introduced the infant internet to his Morris worm virus in 1988, organizations have been fighting tweakers, script kiddies, espionage, and organized crime. The problem is that every time a solution is advised, a new hack is created. It’s a never ending cycle, and unfortunately, the turnaround time for hackers is getting shorter and shorter. They are innovating and sharing their innovations with others, who in turn take advantage and increase the number of effective attacks. According to the 2015 Verizon Data Breach Investigations Report, with over 80,000 incidents examined, hackers have become more inventive, thinking up new tactics to evade defenses. “I hate to admit defeat,” says Jay Jacobs, co-author of the report, “but there does seem to be an advantage to the attackers right now.” (Source: Financial Times access for a fee).

Learning from the Past

By analyzing and detecting patterns in years of past crime data, the Santa Cruz police department was able to determine hot spots of potential crime. In fact, on the day the two women were arrested, the program had identified the approximately one-square-block area where the parking garage is situated as one of the highest-risk locations for car burglaries. According to the RAND Corporation's “Predictive Policing” study, there is strong evidence to support the theory that crime is statistically predictable. That’s because criminals tend to operate in their comfort zone. They commit the type of crimes that they’ve committed successfully in the past, generally close to the same time, location and methods.

There is a connection between physical crime and the cybercrime organizations face today. To explain this connection further, the RAND Corporation found that prediction-led policing is not just about making predictions; “but it is a comprehensive business process, of which predictive policing is a part.” That process is summarized here in order to explain the steps taken to analyze past information in order to prevent further criminal activity.

First, the police force collected and analyzed previous crime, incident, and offender data in order to produce predictions. These predictions uncovered hotspots. Next, data from multiple and disparate sources in the community gets combined together, often using Big Data environments to quickly process terabytes of data. This data helps inform police where hotspots of potential crime will break out based on time of day, weather, recent criminal activity and more. Using the predictions helps to inform how they will respond to a potential incident. Criminals will then react to the changed environment: either they will be removed, or those still operating in the area may change their practices or move to a different area. Regardless of the response, the environment has been altered, the initial data will be out of date, and new data will need to be collected for analysis.

The Importance of Acquiring Good, Clean Data

This entire process hinges on the collection of data and the importance of that data to make predictions. Organizations today have the data necessary to make these types of predictions. In fact, our systems are churning out this data all the time through system server logs, database audits, event logs and more. If crime is statistically predictable, and we have all the evidence right there in front of us, then we need to collect and analyze it. Of course, the future of predictive analytics and machine learning is much more than analyzing audit and log data and monitoring our databases; however, these two critical practices are important first steps to a comprehensive cybersecurity program.

The recent 2015 Verizon Data Breach Investigations Report highlights that once you have the data you need, analysis is performed using inferred or computed elements of the data. In order to mitigate data breaches, the report suggests looking for anomalies within the following:
- Volume or amount of content transfer, such as e-mail attachments or uploads
- Resource access patterns, such as logins or data repository touches
- Time-based activity patterns, such as daily and weekly habits
- Indications of job contribution, such as the amount of source code checked in by developers
- Time spent in activities indicative of job satisfaction or discontent

Although this data is all around us, the tough part is how to effectively and efficiently collect all of this data--securely--and make sense of it to predict and prescribe future actions and prevent the next data breach.
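To make two of the anomaly classes above concrete (transfer volume and time-based activity patterns), here is an added Python example; it is not part of the original post and is not code from Oracle or the Verizon report. The record fields (user, ts, bytes_out), the thresholds and the audit events are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

MAD_SCALE = 1.4826   # scales the MAD so it is comparable to a standard deviation
Z_CUTOFF = 3.5       # assumed cut-off for the robust z-score
HOUR_SLACK = 2       # assumed tolerance (hours) around a user's usual hours


def robust_z(value, history):
    """One-sided robust z-score: how far value sits ABOVE the user's median,
    measured in median-absolute-deviation units (resistant to outliers)."""
    med = median(history)
    mad = median(abs(x - med) for x in history)
    if mad == 0:
        # Flat history: anything above the usual value is unusual.
        return float("inf") if value > med else 0.0
    return (value - med) / (MAD_SCALE * mad)


def hour_gap(a, b):
    """Circular distance between two hours of the day (23 and 0 are 1 apart)."""
    d = abs(a - b)
    return min(d, 24 - d)


def build_baseline(events):
    """Group historical audit events per user: transfer sizes and active hours."""
    base = defaultdict(lambda: {"bytes": [], "hours": set()})
    for e in events:
        entry = base[e["user"]]
        entry["bytes"].append(e["bytes_out"])
        entry["hours"].add(datetime.fromisoformat(e["ts"]).hour)
    return base


def score_event(event, baseline, min_history=5):
    """Return the reasons an event deviates from its user's own baseline."""
    hist = baseline.get(event["user"])
    if hist is None or len(hist["bytes"]) < min_history:
        return ["no_baseline"]          # cannot judge: send to review, do not drop
    reasons = []
    if robust_z(event["bytes_out"], hist["bytes"]) > Z_CUTOFF:
        reasons.append("volume")
    hour = datetime.fromisoformat(event["ts"]).hour
    if min(hour_gap(hour, h) for h in hist["hours"]) > HOUR_SLACK:
        reasons.append("off_hours")
    return reasons


def constructed_history():
    """Ten days of constructed audit events for a day worker and a night operator."""
    events = []
    for day in range(1, 11):
        for hour, size in ((9, 1_200_000), (13, 1_500_000), (17, 900_000)):
            events.append({"user": "alice", "ts": f"2015-06-{day:02d}T{hour:02d}:15:00",
                           "bytes_out": size + day * 10_000})
        for hour, size in ((23, 400_000), (1, 450_000)):
            events.append({"user": "nightops", "ts": f"2015-06-{day:02d}T{hour:02d}:40:00",
                           "bytes_out": size + day * 10_000})
    return events


# Constructed events to score against the baseline.
NEW_EVENTS = [
    {"user": "alice", "ts": "2015-06-15T10:00:00", "bytes_out": 1_400_000},
    {"user": "alice", "ts": "2015-06-15T03:05:00", "bytes_out": 250_000_000},
    {"user": "nightops", "ts": "2015-06-15T00:30:00", "bytes_out": 430_000},
    {"user": "nightops", "ts": "2015-06-15T14:00:00", "bytes_out": 470_000},
    {"user": "bob", "ts": "2015-06-15T11:00:00", "bytes_out": 1_000},
]


def detect(events, baseline):
    """Map the index of each flagged event to its list of reasons."""
    flagged = {}
    for i, e in enumerate(events):
        reasons = score_event(e, baseline)
        if reasons:
            flagged[i] = reasons
    return flagged


if __name__ == "__main__":
    for idx, why in detect(NEW_EVENTS, build_baseline(constructed_history())).items():
        print(NEW_EVENTS[idx]["user"], NEW_EVENTS[idx]["ts"], why)
```

Each user is compared only against their own history, so the night operator's 00:30 activity is normal while the same hour would stand out for a day worker; the circular hour distance keeps activity that spans midnight from being misread as off-hours.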

Database Security

Your Oracle Database, Secure in the Cloud

Since the advent of cloud computing, the security of sensitive data has been a top concern among business and IT leaders—especially as the size and frequency of data breaches continue to escalate. In fact, 73 percent of executives are concerned about their organization’s data in the cloud, according to a recent Cloud Security Alliance report. Yet despite these fears, the business advantages of the cloud—including database-as-a-service (DBaaS) offerings—are driving record rates of adoption of these technologies. The question is, is it possible to implement a DBaaS solution that can match or even beat the security controls businesses currently have in place? The answer, of course, is a resounding 'yes' for companies that adopt Oracle Database Cloud Service—Oracle's DBaaS offering.

More Control, Not Less

Just a few years ago, large breaches involved tens or hundreds of thousands of records stolen in a single incident. These days, breaches regularly involve hundreds of millions. We have now entered the age of megabreaches. Moving to the cloud can exacerbate fears of such breaches, since organizations feel they have less control. Fortunately, Oracle Database Cloud Service has database security controls built into its DNA, so organizations don't have to compromise on security and compliance. In fact, they can enhance them.

Oracle Database Cloud Service delivers a complete Oracle Database instance in a virtual machine—in other words, the same familiar Oracle Database, now in a cloud. Just as important, organizations can also rely on the advanced data-centric security controls, including:
- Encryption of data at rest. Oracle Advanced Security provides transparent data encryption and redaction and Oracle Key Vault helps to secure encryption keys and other sensitive data.
- Privileged user access controls. Oracle Database Vault provides preventive controls including separation of duties and least privilege to proactively protect application data from being accessed by privileged database users.
- Multilevel security requirements. Oracle Label Security helps easily categorize and mediate access to data based on its classification.
- Up-to-date security patches. Oracle Database Lifecycle Management Pack provides a seamless and end-to-end solution for managing Oracle Database’s entire lifecycle in both physical and cloud environments—offering better coverage, greater depth, and more automation.
- Securing nonproduction data. Oracle Data Masking and Subsetting replaces sensitive information such as credit card or social security numbers with realistic values, allowing safe use of production data for nonproduction purposes.

Get a free trial of Oracle Database Cloud Service.

Events

86% of Data Breaches Miss Detection, How Do You Beat The Odds?

Information security is simply not detecting the bad guys. This is according to the Verizon Data Breach Investigations Report. In fact, antivirus, intrusion detection systems, and log review all pick up less than 1% of data breach incidents. Very few companies do proactive monitoring and those that do are simply troubleshooting problems they already know about. The result is that 86% of data breach incidents were ultimately detected by someone other than the victimized organization; an embarrassing statistic. Only 35% of organizations audit to determine whether privileged users are tampering with systems. As well, for nearly 70% of organizations, it would take greater than one day to detect and correct unauthorized database access or change. With average data breach compromises taking less than a day, the majority of organizations could lose millions of dollars before even noticing.

Join Oracle and learn how to put in place effective activity monitoring including:
- Privileged user auditing for misuse and error
- Suspicious activity alerting
- Security and compliance reporting

Register for the April 9 webcast to learn more.

Big Data Security

Three Big Data Threat Vectors

The Biggest Breaches are Yet to Come

Where a few years ago we saw 1 million to 10 million records breached in a single incident, today we are in the age of mega-breaches, where 100 and 200 million records breached is not uncommon. According to the Independent Oracle Users Group Enterprise Data Security Survey, 34% of respondents say that a data breach at their organization is "inevitable" or "somewhat likely" in 2015. Combine this with the fact that the 2014 Verizon Data Breach Investigations Report tallied more than 63,000 security incidents—including 1,367 confirmed data breaches. That's a lot of data breaches.

As business and IT executives are learning by experience, big data brings big security headaches. Built with very little security in mind, Hadoop is now being integrated with existing IT infrastructure. This can further expose existing database data with less secure Hadoop infrastructure. Hadoop is an open-source software framework for storing and processing big data in a distributed fashion. Simply put, it was developed to address massive data storage and faster processing, not security. With enormous amounts of less secure big data, integrated with existing database information, I fear the biggest data breaches are yet to be announced. When organizations are not focusing on security for their big data environments, they jeopardize their company, employees, and customers.

Top Three Big Data Threats

For big data environments, and Hadoop in particular, today's top threats include:
- Unauthorized access. Built with the notion of “data democratization”—meaning all data was accessible by all users of the cluster—Hadoop is unable to stand up to the rigorous compliance standards, such as HIPAA and PCI DSS, due to the lack of access controls on data. The lack of password controls, basic file system permissions, and auditing expose the Hadoop cluster to sensitive data exposure.
- Data provenance. In traditional Hadoop, it has been difficult to determine where a particular data set originated and what data sources it was derived from. At a minimum the potential for garbage-in-garbage-out issues arises; or worse, analytics that drive business decisions could be taken from suspect or compromised data. Users need to know the source of the data in order to trust its validity, which is critical for relevant predictive activities.
- DIY Hadoop. A build-your-own cluster presents inherent risks, especially in shops where there are few experienced engineers that can build and maintain a Hadoop cluster. As a cluster grows from small project to advanced enterprise Hadoop, every period of growth—patching, tuning, verifying versions between Hadoop modules, OS libraries, utilities, user management etc.—becomes more difficult. Security holes, operational security and stability may be ignored until a major disaster occurs, such as a data breach.

Big data security is an important topic that I plan to write more about. I am currently working with MIT on a new paper to help provide some more answers to the challenges raised here. Stay tuned.

Security and Governance Will Increase Big Data Innovation in 2015

"Let me begin with my vision of the FTC and its role in light of the emergence of big data. I grew up in a beach town in Southern California. To me, the FTC is like the lifeguard on a beach. Like a vigilant lifeguard, the FTC’s job is not to spoil anyone’s fun but to make sure that no one gets hurt. With big data, the FTC’s job is to get out of the way of innovation while making sure that consumer privacy is respected." - Edith Ramirez, Chairwoman, Federal Trade Commission

Ms. Ramirez highlights the FTC's role in protecting consumers from what she refers to as "indiscriminate data collection" of personal information. Her main concern is that organizations can potentially use this information to ultimately implicate individual privacy. There are many instances highlighting the ability to take what was previously considered anonymous data, only to correlate with other publicly available information in order to increase the ability to implicate individuals.

Finding Out Truthful Data from "Anonymous" Information

Her concerns are not unfounded; the highly referenced paper Robust De-anonymization of Large Sparse Datasets illustrates the sensitivity of supposedly anonymous information. The authors were able to identify the publicly available and "anonymous" dataset of 500,000 Netflix subscribers by cross referencing it with the Internet Movie Database. They were able to successfully identify records of users, revealing such sensitive data as the subscribers' political and religious preferences, for example.

In a more recent instance of big data security concerns, the public release of a New York taxi cab data set was completely de-anonymized, ultimately unveiling cab driver annual income, and possibly more alarming, the weekly travel habits of their passengers.

Many large firms have found their big data projects shut down by compliance officers concerned about legal or regulatory violations. Chairwoman Hernandez highlights specific cases where the FTC has cracked down on firms they feel have violated customer privacy rights, including the United States vs. Google, Facebook, and Twitter. She feels that big data opens up additional security challenges that must be addressed.

"Companies are putting data together in new ways, comingling data sets that have never been comingled before," says Jeff Pollock, Oracle vice president for product management. "That’s precisely the value of big data environments. But these changes are also leading to interesting new security and compliance concerns."

The possible security and privacy pitfalls of big data center around three fundamental areas:
- Ubiquitous and indiscriminate collection from a wide range of devices
- Unexpected uses of collected data, especially without customer consent
- Unintended data breach risks with larger consequences

Organizations will find big data experimentation easier to initiate when the data involved is locked down. They need to be able to address regulatory and privacy concerns by demonstrating compliance. This means extending modern security practices like data masking and redaction to the full big data environment, in addition to the must-haves of access, authorization and auditing.

Securing the big data lifecycle requires:
- Authentication and authorization of users, applications and databases
- Privileged user access and administration
- Data encryption of data at rest and in motion
- Data redaction and masking for non production environments
- Separation of roles and responsibilities
- Implementing least privilege
- Transport security
- API security
- Monitoring, auditing, alerting and compliance reporting

With Oracle, organizations can achieve all the benefits that big data has to offer while providing a comprehensive data security approach that ensures the right people, internal and external, get access to the appropriate data at the right time and place, within the right channel. The Oracle Big Data solution prevents and safeguards against malicious attacks and protects organizational information assets by securing data in-motion and at-rest. It enables organizations to separate roles and responsibilities and protect sensitive data without compromising privileged user access, such as database administrators. Furthermore, it provides monitoring, auditing and compliance reporting across big data systems as well as traditional data management systems.

Learn more about Oracle Security Solutions.

This article has been re-purposed from the Oracle Big Data blog.

Database Security

Securing Information in the New Digital Economy

We are in the midst of a data breach epidemic, fueled by a lucrative information black market. The perimeter security most IT organizations rely on has become largely ineffective. Nearly 70% of security resources are focused on perimeter controls, but most exploited vulnerabilities are internal. Effective modern security requires an inside-out approach with a focus on data and internal controls.

A New Hacker Economy

Today, a layered economy of specialized, organized hackers has created a black market estimated to be more lucrative than the illegal drug trade. (Lillian Ablon 2014) Hacking-for-hire has made the black market accessible to non-experts, expanding its reach exponentially. As businesses grow their online footprints, criminals find new ways of attacking their vulnerabilities.

Thinking Inside-Out

Internal systems are the new perimeter – the new front line in the battle for data security. Security should be built into the customer and employee experiences. Manage privileged user access and think beyond the password: another layer of authentication can vastly increase security. Make it more costly and difficult for attackers by protecting the most valuable information first.

Rebalancing Information Security

Diminish the information supply chain and cut off the cash flow to the black market. Taking a security inside-out approach could bring an end to the arms race, giving economic recovery a chance.

To learn more about Securing Information in the New Digital Economy, read the joint Oracle and Verizon Report.

Events

Top Two Cloud Security Concerns: Data Breaches and Data Loss

Apply a Data-centric Security Strategy in the Cloud

Don't miss watching the webcast Applying a Data-centric Security Strategy in the Cloud. Most organizations are worried about putting sensitive data into the cloud. In fact, industry reports indicate data breaches and data loss are their top two concerns. Rather than apply a one size fits all approach to data security, organizations would be better prepared if they implemented security controls based on the type of data and its use. In this session, you will learn how to apply the appropriate levels of security controls based on data sensitivity, and then map them to your cloud environment. Watch now.

All Data is Not Equal, Map Security Controls to the Value of Data

As you look at data, you will quickly realize that not all data is equal. What do I mean by that? Quite simply, some data does not require the same security controls as other data.

When explaining this to customers, we use a metals analogy to simplify the provisioning of controls: Bronze represents the least sensitive data, up through to Platinum, the highest value and most sensitive data within an organization. Thinking in this manner provides the ability to refine many configurations into a few pre-configured, pre-approved reference architectures.

Applying this methodology is especially important when it comes to the cloud. It comes down to consistency in applying security controls, based on the data itself. Oracle’s preventive, detective, and administrative pillars can be applied to the various data categorizations. At this point in the conversation, customers begin to understand more pragmatically how this framework can be used to align security controls with the value, or sensitivity, of the data. Security practitioners can then work with lines of business to assign the appropriate level of controls, both systematically and consistently across the organization.

So for example, at the Bronze level, items such as application of patches, secure configuration scanning and the most basic auditing would be appropriate. Data deemed more sensitive, such as personally identifiable information or personal health information, requires additional security controls around the application data. This would include, for example, blocking default access by those designated as database administrators. Finally, the highest data sensitivity level, Platinum, should add blocking database changes during production time frames, preventing SQL injection attacks, and centralized enterprise-wide reporting and alerting for compliance and audit requirements.

To learn more about Oracle Security Solutions, download the ebook "Securing Oracle Database 12c: A Technical Primer" by Oracle security experts.

Events

Oracle Cloud Forum - Mapping Security Controls to the Value of Data

Learn how to prioritize your security control deployments by watching Oracle's Cloud Platform Online Forum session, "Applying a Data-Centric Security Strategy in the Cloud." Most organizations are worried about putting sensitive data into the cloud. In fact, industry reports indicate data breaches and data loss are their top two concerns. Case in point, my previous blog article discusses how more than a third (34%) of organizations believe that a data breach is "somewhat likely" to "inevitable" in 2015. Rather than apply a one size fits all approach to data security, organizations would be better prepared if they implemented security controls based on the type of data and its use. In this session, you will learn how to apply the appropriate levels of security controls based on data sensitivity, and then map them to your cloud environment.  Register to watch the forum here.  

Advanced Security

34% of Organizations Say Data Breach “Somewhat likely” to “Inevitable” in 2015

According to the latest Independent Oracle Users Group (IOUG) Enterprise Data Security Survey, one third of organizations say that a data breach is "somewhat likely" to "inevitable" in the next 12 months, up from 20% in 2008. Are organizations coming to the realization that data breaches will happen?  Each year, the IOUG surveys a wide range of database security and IT professionals responsible for security, and examines the current state of enterprise data security. They summarize the 2014 findings of 353 data managers and professionals in order to help educate organizations about data security. The likelihood of a data breach has grown over the years since they first began asking this question, and is similar to other surveys of this ilk. According to the Ponemon 2014 Cost of a Data Breach Study, we see as much as 30% probability. According to another Ponemon study "Data Breach: The Cloud Multiplier Effect," those surveyed estimate that every one percent increase in the use of cloud services will result in a 3 percent higher probability of a data breach. When looking at history, survey respondents of the IOUG report say that they often have no idea whether a breach has occurred--or worse--is occurring: "We cannot be certain there has been no silent breach. There is no evidence we have detected a breach or corruption. But picturing yourself as highly unlikely to be breached we feel is like wearing a ‘kick-me’ sign on your backside." To learn more, download the 2014 IOUG Data Security Survey Report here. 

Events

Oracle Security Webcast Series for UK Customers

Over the next four Thursdays, beginning November 20th through December 11th, our UK team will be addressing security:

Preventive Controls to Avoid Next Data Breach, Nov 20, 2014. 11:00 AM - 11:45 AM (GMT)
Learn how preventive controls can increase your defense arsenal against the evolving threats to databases. Data breaches not only expose your customers' and employees' private data, but also diminish your reputation and impact the bottom line. Oracle Security specialists will demonstrate the latest database security capabilities which enable you to adopt a defense-in-depth strategy to mitigate risks and protect the data at source – the database.

Detective Controls for Compliance & Auditing, Nov 27, 2014, 11:00 AM - 11:45 AM (GMT)
Learn how you can enforce the “trust but verify” principle by consolidating audit and event sources from the Oracle and non-Oracle components of your infrastructure, offering integrated, real-time security analytics. Find out how Oracle detective controls can offer a first line of defense against SQL injection attacks, as well as a simplified compliance reporting platform, for audit data analysis, within a centralized, secure warehouse.

Identity Governance for Extended Enterprise, Dec 4, 2014, 11:00 AM - 11:45 AM (GMT)
As organizations deploy an ever-increasing number of cloud, mobile, and enterprise applications, identifying and managing user access can be a challenge, especially when departmental application deployments are outside the view of corporate IT. Join us for this live webcast to learn how Oracle’s Identity governance solution reduces risks and costs while providing fast access to new services through an intuitive user self-service solution.

Strategies for Mobile Application Security, Dec 11, 2014, 11:00 AM - 11:45 AM (GMT)
Enterprise mobility and the Internet of Things are both new IT endpoints that require melding device and user identities for security reasons. Join us for this live webcast to learn how identity management platform benefits are enabling customers to move deployments to the next level of sophistication, as the mobile security market consolidates.

Data Masking

Latest Customer Success Stories

Two of our recent customers shared their successful experiences with Oracle Data Masking and Subsetting:

(Podcast) Epsilon protects sensitive PCI cardholder information using Oracle Data Masking and Subsetting. Epsilon is a global leader in delivering customer connections that build brand and business equity.

(Success Story) Berenberg Bank simplifies auditing procedures and achieves compliance with Oracle Data Masking and Subsetting. Based in Germany, Berenberg Bank is one of the leading privately owned banks in Europe.

These two success stories are also published on the Oracle Data Masking and Subsetting page on Oracle Technology Network, along with other success stories.

Customers

Encrypting, Redacting and Masking at Epsilon

“With Transparent Data Encryption, the key rotation process is really much simpler for us…attesting to the audit team is much easier.”

Hear Keith Wilcox discuss how Epsilon addresses their customer’s sensitive application data requirements in production and development databases using Oracle Advanced Security, and Oracle Data Masking and Subsetting.

Challenges
- Varying requirements across retail, financial, and more
- Difficulty demonstrating compliance with custom solution
- Sensitive data showing within customer’s application
- Data encryption key rotation

Why Epsilon Chose Oracle
- Flexible solution to meet multiple customer requirements
- Attesting to audit team is more credible using Oracle
- Provides standard “secure package” for future deployments
- A lot of great Oracle information available on the internet

Notable Quote: “We started using data redaction with the one particular client, for PII data, but we really look forward to rolling that out to other [customers], such as our financial clients. We’ll be adding it to our standard ‘secure package’ that we use across the enterprise.”

Listen to the complete interview here.

Data Masking

Oracle OpenWorld 2014 Updates on Oracle Data Masking and Subsetting

We had a tremendous amount of interest in Oracle Data Masking and Subsetting at the recent Oracle OpenWorld 2014 conference in San Francisco, California. We had a well attended session on Oracle Data Masking and Subsetting: What's new and Best Practices. Several current and prospective customers from different regions visited our Oracle Data Masking and Subsetting demo booth to see product capabilities. Oracle Data Masking and Subsetting received favorable mentions at various other OpenWorld 2014 sessions including Andy Mendelson's session and Tom Kyte's session.

Please visit the Oracle Data Masking and Subsetting page on Oracle Technology Network for further updates.

Customers

Why Infinity Insurance Chose Oracle Advanced Security and Database Vault

I had an opportunity to sit down with Cathy Robinson, Database Administrator at Infinity Property and Casualty Corporation, while at Oracle OpenWorld 2014. Infinity Insurance is a public insurance company that deals with high risk maturities, mostly auto insurance, and provides products through a network of approximately 12,500 independent agencies and brokers. Cathy told me how they use Oracle Advanced Security for encryption and Oracle Database Vault for database privileged user controls.

Cathy has an interesting background with the Department of Defense and joined Infinity with a great understanding of what is required to lock down data and secure an IT environment. As I interviewed Cathy, I learned that the main overall issues they face include:
- Protecting sensitive personally identifiable information (i.e. payment card, social security numbers)
- Educating employees on the importance of securing this data
- Securing older applications where changing software code is prohibitive

They have been able to implement Oracle Advanced Security to address these security requirements without having to make any application changes. Additionally, there has been "no performance degradation whatsoever."

To further put in place a defense in depth database security strategy, Infinity is also implementing Oracle Database Vault for separation of duties and least privilege. When I asked why they chose Oracle, Cathy responded with the following:
- One vendor instead of multiple point solution vendors
- Deep integration with Oracle Databases
- Oracle security expertise, which included a database security assessment

Click here to listen to the interview.

Audit Vault and Database Firewall

ISACA Webcast: Data-Centric Audit and Protection, Reducing Risk and Improving the Security Posture

A security strategy must begin with protecting the databases that hold the majority of sensitive and regulated data. Unfortunately, organizations do not have such a plan in place. They fail to protect their sensitive customer and organizational data. Join Oracle security expert, Roxana Bradescu, as she outlines a data-centric audit and protection strategy to help reduce organizational risk and improve the security posture.

During this webcast you will learn:
- What to audit and how to audit
- Secure data infrastructure practices
- How to prevent disclosures and leaks
- And much more.

Advanced Security

New KuppingerCole Report on Audit Vault and Database Firewall

KuppingerCole analyst Rob Newby recently (August 2014) put together an executive review of the award-winning Oracle Audit Vault and Database Firewall that you can pick up here for a fee. The paper (4 pages on AVDF, 7 total) goes into a description of the solution and how it works from both the Audit Vault, and Database Firewall perspectives. It further covers reporting and alerting, as well as integration with other Oracle products, summarizing with strengths and challenges. Happy weekend reading.

Advanced Security

SANS Webcast: Simplifying Data Encryption and Redaction Without Touching the Code

SANS Analyst and Instructor and well known security expert, Dave Shackleford, will be doing a review of Oracle Advanced Security on September 16, 12:00 p.m. ET/ 3:00 p.m. ET. Register now for the webcast "Simplifying Data Encryption and Redaction Without Touching the Code".

The need for organizations to protect sensitive information has never been more paramount. The risks of data breaches and sensitive data exposures are driving organizations to look for solutions, as an increasing amount of data is being stored and processed outside the perimeter, in cloud applications and service environments. Organizations must protect this sensitive data at its heart, in the databases.

In this webcast, we discuss a recent review by SANS Analyst and Instructor Dave Shackleford of Oracle Advanced Security for Oracle Database 12c and its encryption and redaction capabilities. Register for the webcast and be among the first to receive an advance copy of a SANS whitepaper discussing the Analyst Program's review of Oracle Advanced Security.

Audit Vault and Database Firewall

Oracle Audit Vault and Database Firewall Wins Reader's Choice Award for Best Database Security Solution

Thank you to all those who voted for the Database Trends and Applications Reader's Choice Awards, 2014 and voting Oracle Audit Vault and Database Firewall as the best database security solution on the market.

"Unlike any other awards programs conducted by DBTA, this one is special because the nominees are submitted and the winners are chosen by the experts—whose opinions carry more weight than all others—you, the readers. With more than 22,000 votes cast across 31 categories, the contest between candidates was often neck and neck. As a result, we are showcasing both winners and finalists in each category."

Oracle wins in a number of categories including:
- Best Relational Database: Oracle Database
- Best Cloud Database: Oracle Database 12c
- Best Database Appliance: Oracle Exadata
- Best Database Administration Solution: Oracle Enterprise Manager
- Best Database Performance Solution: Oracle Enterprise Manager
- Best Database Backup Solution: Oracle Database Backup Logging Recovery Appliance
- Best Data Replication Solution: Oracle GoldenGate 12c
- Best Change Data Capture Solution: Oracle CDC
- Best Data Virtualization Solution: Oracle Database 12c Multitenant
- Best Cloud Integration Solution: Oracle Cloud Integration
- Best Streaming Data Solution: Oracle Streams
- Best Data Mining Solution: Oracle Advanced Analytics

Database Security

Oracle Key Vault Interview with Vipin Samar, Vice President of Oracle Database Security

I had an opportunity to discuss Oracle Key Vault with Oracle's vice president of database security, Vipin Samar. Vipin talks about the challenges facing security professionals and database administrators as they try to manage encryption keys and other secrets, such as SSL certificates and Java keystores, across the enterprise. Watch the below video and learn how Oracle Key Vault, a new centralized key manager, secures, shares, and manages keys and secrets for the enterprise. Learn more about Oracle Key Vault by watching the launch webcast.

August Edition of Oracle's Security Inside Out Newsletter

Get the Oracle Information InDepth - Security Inside Out Newsletter

Read the latest edition of Oracle Security news in this month's bi-monthly Security Inside Out Newsletter that features both database security and identity management news, webcasts, events, training and more. Subscribe here to have your own copy emailed to you.

New Product Launch: Secure and Centralize Key Management with Oracle Key Vault
In August 2014, Oracle launched Oracle Key Vault, a central key management platform that enables efficient and secure deployment of encryption across the enterprise. Get details on the new release.

Security at Oracle OpenWorld 2014: Don't-Miss Sessions and More
High-profile breaches, combined with increasing regulatory complexity, are driving unprecedented investment in security. Organizers of Oracle OpenWorld expect security-related activities to draw even higher attendance than last year. Find out what key sessions Oracle’s security team recommends you add to your agenda.

Get the August Edition of Security Inside Out

Oracle Key Vault

Oracle Key Vault Press Coverage

Some of the press coverage on the new Oracle Key Vault:
- Oracle Introduces Key Vault Software Appliance to Manage and Safeguard Encryption Keys
- Oracle Introduces a Virtual Strongbox for Enterprise Encryption Keys
- Oracle Key Vault Helps Customers Manage Encryption Keys
- Oracle Introduces Oracle Key Vault
- Oracle Improves Database Security with Key Vault Offering

Learn more about Oracle Key Vault

Events

Focus on Database Security at Oracle OpenWorld, 2014

Data security threats and regulatory compliance are the new "death" and "taxes" that we can all be certain of. Security is a hot topic across all organizations, whether you have 100 or 100,000 employees. Organizations are scrambling to mitigate threats and comply with regulatory requirements. Oracle OpenWorld is the place for customers to hear about the latest advances in data security, meet with security experts, and learn the next steps to help secure the sensitive data they hold.

With Oracle OpenWorld, 2014 about 2 months away, we've compiled the database security sessions, hands on labs, and more, that are critical for database administrators, security experts and executives to attend. As an example of just some of the talks this year:

Oracle Database 12c: Defense-in-Depth Security [CON8194]
Attend this session to quickly get up to speed on the powerful preventive and detective controls available in Oracle Database 12c. It provides an overview of security capabilities in Oracle Database 12c and is ideally suited for those who are new to security or want to quickly get up to speed on protecting the data stored in their mission-critical databases. The presentation drills down particularly into the new Oracle Database 12c unified and conditional auditing facility. Learn how to create audit policies with conditional clauses, enabling highly selective and effective auditing. See a demonstration of a conditional audit policy based on a connection from a database link and a connection using proxy authentication.

Introducing Oracle Key Vault: Centralized Keys, Wallets, and Java Keystores [CON8189]
Attend this technical session to learn how the new Oracle Key Vault helps organizations accelerate encryption initiatives by addressing proliferating wallets, managing them centrally. See demonstrations of how to set up, configure, and administer Oracle Key Vault for centralized key management for OSs, databases, and middleware. Get best practices for using Oracle Key Vault, a security-hardened software appliance, with existing key storage files such as Oracle wallets and Java Keystores. Learn about optimizations for Oracle Database 11g and Oracle Database 12c, where Oracle Key Vault directly connects to Oracle Advanced Security transparent data encryption (TDE).

Oracle Database Security Strategy and Best Practices: Customer Case Study Panel [CON8192]
Oracle Database security solutions are transparent and easy to deploy and offer comprehensive data protection in a rapidly evolving threat landscape. In this session, you will hear from Oracle customers that have successfully deployed transparent data encryption, data masking, database firewalls, and database auditing and monitoring to protect their data and address regulatory compliance requirements. You will hear why they did it, how they did it, and the lessons learned. This is a highly interactive session—you will have an opportunity to pose questions to the panel and get real-world tips and best practices from your peers.

Plus much more...

Register now and get the focus on database security document here to begin planning. Please note agenda is subject to change and will be filled out with session dates/times and room locations as we get closer to OpenWorld, Sept 28-Oct 2, 2014 in San Francisco. And a tip: read the Securing Oracle Database 12c ebook to get prepared; we look forward to seeing you there!

Oracle Key Vault

Introducing Oracle Key Vault for Centralized Key Management

Oracle Customers Secure Critical Encryption Keys with Oracle Key Vault

Centrally Manage Oracle Database Encryption Master Keys, Oracle Wallets, Java KeyStores and Other Credential Files

Encryption is widely recognized as the gold standard for protecting data privacy, but encryption is only as strong as its key management. Critical credential files such as Oracle Wallets, Java KeyStores, SSH key files and SSL certificate files are often widely distributed across servers and server clusters with error-prone synchronization and backup mechanisms. To address the need for robust key management, Oracle today introduced Oracle Key Vault, a software appliance designed to securely manage encryption keys and credential files in the enterprise data center.

Read the press release and register for the webcast to learn how Oracle Key Vault:
- Centralizes Keys in a modern, secure, and robust key management platform
- Secures, shares, and manages keys and secrets for the enterprise
- Manages key lifecycle stages including creation, rotation, and expiration

Learn more: Oracle Key Vault enables customers to quickly deploy encryption and other security solutions.

Webcast: August 21, 2014 10:00 a.m. PT/1:00 a.m. ET

Copyright © 2014, Oracle Corporation and/or its affiliates. All rights reserved.


Events

Securing Data in the New Digital Economy Webcast

2014 has already witnessed some of the largest data breaches on record. As the black market for stolen data becomes increasingly organized, the supply chain for information is providing an efficient means to monetize a vast array of stolen information. At the same time, our legal economy is becoming more hyper-connected, providing more digital services and making companies more vulnerable to attacks. In this session we will explore the security requirements for information in the new digital economy and, with the vast amount of case information from breach investigations, distill a security strategy to reduce risk. Register to hear the recorded webcast.


Advanced Security

What's the Difference Between Oracle Transparent Data Encryption, Data Masking and Data Redaction?

Oracle database security solutions provide three means of making data at rest unreadable. We sometimes get questions about their differences.

Oracle Advanced Security

Transparent Data Encryption (TDE), a capability of Oracle Advanced Security, is transparent to applications and users: it encrypts data within the Oracle Database on disk, without any changes to existing applications. TDE is available as a part of the Oracle Database, so if you have Oracle, you have Oracle Advanced Security and would simply require a license to activate.

When would you use TDE?

TDE stops would-be attackers from bypassing the database and reading sensitive information from storage by enforcing data-at-rest encryption in the database layer. Applications and users authenticated to the database continue to have access to application data transparently (no application code or configuration changes are required), while OS users attempting to read sensitive data from tablespace files and thieves attempting to read information from acquired disks or backups are denied access to the clear text data.

Data Redaction, also a capability of Oracle Advanced Security, provides selective, on-the-fly redaction of sensitive data in SQL query results prior to display by applications so that unauthorized users cannot view the sensitive data. It enables consistent redaction of database columns across application modules accessing the same database information. Data Redaction minimizes changes to applications because it does not alter actual data in internal database buffers, caches, or storage, and it preserves the original data type and formatting when transformed data is returned to the application.

When would you use data redaction?

Existing applications often return sensitive data, including dates of birth, social security numbers, and more, to call center and support staff employees, or even customers. Traditionally, organizations would have to access and change application source code in order to redact sensitive data. This can be error-prone, laborious, and performance-heavy. Data redaction mitigates this risk and helps organizations meet compliance requirements, such as PCI DSS, by masking displayed data within applications. Learn more about transparent data encryption and data redaction.

Oracle Data Masking and Subsetting

Data Masking enables sensitive information such as credit card or social security numbers to be replaced with realistic values, allowing production data to be safely used for development, testing, or sharing with out-sourcing partners or off-shore teams for other nonproduction purposes.

When would you use data masking?

Data masking is used for nonproduction environments for quality assurance, testing, and development purposes. Many organizations inadvertently breach information when they routinely copy sensitive and regulated production data into nonproduction environments. Data in nonproduction environments, which can be lost or stolen, has increasingly become the target of cyber criminals. Data masking helps organizations reduce this risk and meet compliance requirements. Learn more about data masking.


June Ed of Security Inside Out Newsletter Is Out

Get the latest edition of Oracle Security Inside Out Newsletter and subscribe to future editions. As a bi-monthly security newsletter, we cover all things security for both Oracle Database Security and Identity Management solutions, news, and events. Here are this month's database security articles:

Five Hard Lessons Learned from the Verizon Report on APT1 Attack

Advanced persistent threats (APT) are a type of ongoing cyberattack from well-coordinated and funded cybercriminals who penetrate an organization slowly and methodically. Find out from Oracle experts what key lessons your organization can take away from the analysis of an APT attack.

Know Your Enemy: Profile Attackers and Defend Targeted Assets

In the new Countering Adversaries webcast series now available on demand, security experts explain how to identify the kinds of adversaries specific industries attract, understand the types of data they are after, and focus in on the tools that provide the most effective deterrence against these specific threats.


Audit Vault and Database Firewall

Securing Gas and Electrical Utilities with Oracle Audit Vault and Database Firewall

Medicine Hat is a city of 61,180 people in southeast Alberta, Canada. The City of Medicine Hat Electric Utility began generating electricity in 1910 using diesel fuel. Today, the power plant uses co-generation turbines with natural gas and steam to produce electricity for its customers. The Electric Utility generates, transmits and distributes electricity to approximately 30,000 customers within the City of Medicine Hat, Redcliff, Dunmore, Veinerville and outlying rural areas adjacent to the city.

Medicine Hat IT security challenges

Provide secure online utility billing system with direct database access
Work with limited IT department resources, including 17 people for the entire city
Secure a heterogeneous database environment: Oracle and SQL Server

Solution

The City of Medicine Hat chose Oracle Audit Vault and Database Firewall to monitor database traffic and detect and block threats such as SQL injection and privilege escalation attacks.

Listen to the podcast to hear database administrator Chris Maxwell explain how the City of Medicine Hat uses Oracle Audit Vault and Database Firewall to protect their billing system web application and Microsoft SQL Server database.

