Monday Mar 09, 2015

Security and Governance Will Increase Big Data Innovation in 2015

"Let me begin with my vision of the FTC and its role in light of the emergence of big data. I grew up in a beach town in Southern California. To me, the FTC is like the lifeguard on a beach. Like a vigilant lifeguard, the FTC’s job is not to spoil anyone’s fun but to make sure that no one gets hurt. With big data, the FTC’s job is to get out of the way of innovation while making sure that consumer privacy is respected."

- Edith Ramirez, Chairwoman, Federal

Trade Commission Ms. Ramirez highlights the FTC's role in protecting consumers from what she refers to as "indiscriminate data collection" of personal information. Her main concern is that organizations can potentially use this information to ultimately implicate individual privacy. There are many instances highlighting the ability to take what was previously considered anonymous data, only to correlate with other publicly available information in order to increase the ability to implicate individuals.

Finding Out Truthful Data from "Anonymous" Information 

Her concerns are not unfounded; the highly referenced paper Robust De-anonymization of Large Sparse Datasets, illustrates the sensitivity of supposedly anonymous information. The authors were able to identify the publicly available and "anonymous" dataset of 500,000 Netflix subscribers by cross referencing it with the Internet Movie Database. They were able to successfully identify records of users, revealing such sensitive data as the subscribers' political and religious preferences, for example. In a more recent instance of big data security concerns, the public release of a New York taxi cab data set was completely de-anonymized, ultimately unveiling cab driver annual income, and possibly more alarming, the weekly travel habits of their passengers.

Many large firms have found their big data projects shut down by compliance officers concerned about legal or regulatory violations. Chairwoman Hernandez highlights specific cases where the FTC has cracked down on firms they feel have violated customer privacy rights, including the United States vs. Google, Facebook, and Twitter. She feels that big data opens up additional security challenges that must be addressed.

"Companies are putting data together in new ways, comingling data sets that have never been comingled before," says Jeff Pollock, Oracle vice president for product management. "That’s precisely the value of big data environments. But these changes are also leading to interesting new security and compliance concerns."

The possible security and privacy pitfalls of big data center around three fundamental areas:

  • Ubiquitous and indiscriminate collection from a wide range of devices 
  • Unexpected uses of collected data, especially without customer consent 
  • Unintended data breach risks with larger consequences

Organizations will find big data experimentation easier to initiate when the data involved is locked down. They need to be able to address regulatory and privacy concerns by demonstrating compliance. This means extending modern security practices like data masking and redaction to the full big data environment, in addition to the must-haves of access, authorization and auditing.

Securing the big data lifecycle requires:

  • Authentication and authorization of users, applications and databases 
  • Privileged user access and administration 
  • Data encryption of data at rest and in motion 
  • Data redaction and masking for non production environments 
  • Separation of roles and responsibilities 
  • Implementing least privilege 
  • Transport security 
  • API security 
  • Monitoring, auditing, alerting and compliance reporting

With Oracle, organizations can achieve all the benefits that big data has to offer while providing a comprehensive data security approach that ensures the right people, internal and external, get access to the appropriate data at right time and place, within the right channel. The Oracle Big Data solution prevents and safeguards against malicious attacks and protects organizational information assets by securing data in-motion and at-rest. It enables organizations to separate roles and responsibilities and protect sensitive data without compromising privileged user access, such as database administrators. Furthermore, it provides monitoring, auditing and compliance reporting across big data systems as well as traditional data management systems.

Learn more about Oracle Security Solutions.

This article has been re-purposed from the Oracle Big Data blog.  

Wednesday Mar 04, 2015

Securing Information in the New Digital Economy

We are in the midst of a data breach epidemic, fueled by a lucrative information black market. The perimeter security most IT organizations rely on has become largely ineffective. Nearly 70% of security resources are focused on perimeter controls, but most exploited vulnerabilities are internal. 

Effective modern security requires an inside-out approach with a focus on data and internal controls.

A New Hacker Economy

Today, a layered economy of specialized, organized hackers has created a black market estimated to be more lucrative than the illegal drug trade. (Lillian Ablon 2014) Hacking-for-hire has made the black market accessible to non-experts, expanding its reach exponentially.  As businesses grow their online footprints, criminals find new ways of attacking their vulnerabilities.

Thinking Inside-Out

Internal systems are the new perimeter – the new front line in the battle for data security. Security should be built into the customer and employee experiences.

  • Manage privileged user access and think beyond the password: another layer of authentication can vastly increase security.
  • Make it more costly and difficult for attackers by protecting the most valuable information first. 

Rebalancing Information Security

Diminish the information supply chain and cut off the cash flow to the black market. Taking a security inside-out approach could bring an end to the arms race, giving economic recovery a chance.

To learn more about Securing Information in the New Digital Economy, read the joint Oracle and Verizon Report.

Thursday Feb 19, 2015

Top Two Cloud Security Concerns: Data Breaches and Data Loss

Apply a Data-centric Security Strategy in the Cloud

Don't miss watching the webcast Applying a Data-centric Security Strategy in the Cloud

Most most organizations are worried about putting sensitive data into the cloud. In fact, industry reports indicate data breaches and data loss are their top two concerns. Rather than apply a one size fits all approach to data security, organizations would be better prepared if they Implemented security controls based on the type of data and its use. In this session, you will learn how to apply the appropriate levels of security controls based on data sensitivity, and then map them to your cloud environment.

Watch now.  

Tuesday Feb 03, 2015

All Data is Not Equal, Map Security Controls to the Value of Data

As you look at data, you will quickly realize that not all data is equal.   What do I mean by that? Quite simply, some data simply does not require the same security controls as other data.   

When explaining this to customers, we use a metals analogy to simplify the provisioning of controls. Bronze to represent the least sensitive data, up through to Platinum, the highest value and most sensitive data within an organization.

Thinking in this manner provides the ability to refine many configurations into a few pre-configured, pre-approved, reference architectures. Applying this methodology is especially important when it comes to the cloud. It comes down to consistency in applying security controls, based on the data itself.

Oracle’s preventive, detective, and administrative pillars can be applied to the various data categorizations. At this point in the conversation, customers begin to understand more pragmatically how this framework can be used to align security controls with the value, or sensitivity, of the data.

Security practitioners can then work with lines of business to assign the appropriate level of controls, both systematically and consistently across the organization.  

So for example, at the bronze level, items such as application of patches, secure configuration scanning and the most basic auditing would be appropriate. Data deemed more sensitive, such as personally identifiable information, or personal health information, require additional security controls around the application data. This would include, for example, blocking default access by those designated as database administrators.

Then finally, at the highest data sensitivity level--Platinum level--should exhibit blocking database changes during production time frames, preventing SQL injection attacks and centralized enterprise-wide reporting and alerting for compliance and audit requirements.  

To learn more about Oracle Security Solutions, download the ebook "Securing Oracle Database 12c: A Technical Primer" by Oracle security experts.

Wednesday Jan 28, 2015

Oracle Cloud Forum - Mapping Security Controls to the Value of Data

Learn how to prioritize your security control deployments by watching Oracle's Cloud Platform Online Forum session, "Applying a Data-Centric Security Strategy in the Cloud."

Most organizations are worried about putting sensitive data into the cloud. In fact, industry reports indicate data breaches and data loss are their top two concerns.

Case in point, my previous blog article discusses how more than a third (34%) of organizations believe that a data breach is "somewhat likely" to "inevitable" in 2015.

Rather than apply a one size fits all approach to data security, organizations would be better prepared if they implemented security controls based on the type of data and its use.

In this session, you will learn how to apply the appropriate levels of security controls based on data sensitivity, and then map them to your cloud environment. 

Register to watch the forum here.  

Tuesday Jan 13, 2015

34% of Organizations Say Data Breach “Somewhat likely” to “Inevitable” in 2015

According to the latest Independent Oracle Users Group (IOUG) Enterprise Data Security Survey, one third of organizations say that a data breach is "somewhat likely" to "inevitable" in the next 12 months, up from 20% in 2008. Are organizations coming to the realization that data breaches will happen? 

2014 IOUG Data Security Survey Likelihood of a Data Breach

Each year, the IOUG surveys a wide range of database security and IT professionals responsible for security, and examines the current state of enterprise data security. They summarize the 2014 findings of 353 data managers and professionals in order to help educate organizations about data security.

The likelihood of a data breach has grown over the years since they first began asking this question, and is similar to other surveys of this ilk. According to the Ponemon 2014 Cost of a Data Breach Study, we see as much as 30% probability.

According to another Ponemon study "Data Breach: The Cloud Multiplier Effect," those surveyed estimate that every one percent increase in the use of cloud services will result in a 3 percent higher probability of a data breach.

When looking at history, survey respondents of the IOUG report say that they often have no idea whether a breach has occurred--or worse--is occurring:

"We cannot be certain there has been no silent breach. There is no evidence we have detected a breach or corruption. But picturing yourself as highly unlikely to be breached we feel is like wearing a ‘kick-me’ sign on your backside."

2014 IOUG Data Security Survey Known Data Breaches

To learn more, download the 2014 IOUG Data Security Survey Report here

Wednesday Nov 12, 2014

Oracle Security Webcast Series for UK Customers

Over the next four Thursdays, beginning November 20th through December 11th, our UK team will be addressing security 

Preventive Controls to Avoid Next Data Breach, Nov 20, 2014. 11:00 AM - 11:45 AM (GMT)

Learn how preventive controls can increase your defense arsenal against the evolving threats to databases. Data breaches not only expose your customers' and employees' private data, but also diminish your reputation and impact the bottom line. Oracle Security specialists will demonstrate the latest database security capabilities which enable you to adopt a defense-in-depth strategy to mitigate risks and protect the data at source – the database.

Detective Controls for Compliance & Auditing, Nov 27, 2014, 11:00 AM - 11:45 AM (GMT)

Learn how you can enforce the “trust but verify” principle by consolidating audit and event sources from the Oracle and non-Oracle components of your infrastructure, offering integrated, real-time security analytics. Find out how Oracle detective controls can offer a first line of defense against SQL injection attacks, as well as a simplified compliance reporting platform, for audit data analysis, within a centralized, secure warehouse.

Identity Governance for Extended Enterprise, Dec 4, 2014, 11:00 AM - 11:45 AM (GMT)

As organizations deploy an ever-increasing number of cloud, mobile, and enterprise applications, identifying and managing user access can be a challenge, especially when departmental application deployments are outside the view of corporate IT. Join us for this live webcast to learn how Oracle’s Identity governance solution reduces risks and costs while providing fast access to new services through an intuitive user self-service solution.

Strategies for Mobile Application Security, Dec 11, 2014, 11:00 AM - 11:45 AM (GMT)

Enterprise mobility and the Internet of Things are both new IT endpoints that require melding device and user identities for security reasons.Join us for this live webcast to learn how identity management platform benefits are enabling customers to move deployments to the next level of sophistication, as the mobile security market consolidates.

Monday Nov 10, 2014

Encrypting, Redacting and Masking at Epsilon

Epsilon Uses Oracle Advanced Security and Data Masking and Subsetting“With Transparent Data Encryption, the key rotation process is really much simpler for us…attesting to the audit team is much easier.”

Hear Keith Wilcox discuss how Epsilon addresses their customer’s sensitive application data requirements in production and development databases using Oracle Advanced Security, and Oracle Data Masking and Subsetting


  • Varying requirements across retail, financial, and more
  • Difficulty demonstrating compliance with custom solution
  • Sensitive data showing within customer’s application 
  • Data encryption key rotation 

Why Epsilon Chose Oracle

  • Flexible solution to meet multiple customer requirements
  • Attesting to audit team is more credible using Oracle
  • Provides standard “secure package” for future deployments
  • A lot of great Oracle information available on the internet

Notable Quote:

“We started using data redaction with the one particular client, for PII data, but we really look forward to rolling that out to other [customers], such as our financial clients. We’ll be adding it to our standard ‘secure package’ that we use across the enterprise.”

Friday Oct 17, 2014

Why Infinity Insurance Chose Oracle Advanced Security and Database Vault

Infinity InsuranceI had an opportunity to sit down with Cathy Robinson, Database Administrator at Infinity Property and Casualty Corporation while at Oracle OpenWorld 2014. Infinity Insurance is a public insurance company that deals with high risk maturities, mostly auto insurance, and provide products through a network of approximately 12,500 independent agencies and brokers. Cathy told me how they use Oracle Advanced Security for encryption and Oracle Database Vault for database privilege user controls.

Cathy has an interesting background with the Department of Defense and joined Infinity with a great understanding of what is required to lock down data and secure an IT environment. As I interviewed Cathy, I learned that the main overall issues they face include:

  • Protecting sensitive personally identifiable information ( i.e. payment card, social security numbers)
  • Educating employees on the importance of securing this data
  • Securing older applications where changing software code is prohibitive

So they have been able to implement Oracle Advanced Security to address these security requirements without having to make any application changes. Additionally, there has been "no performance degradation whatsoever."To further put in place a defense in depth database security strategy, Infinity is also implementing Oracle Database Vault for separation of duties and least privilege.

When I asked why they chose Oracle, Cathy responded with the following:

  • One vendor instead of multiple point solution vendors
  • Deep integration with Oracle Databases
  • Oracle security expertise, which included a database security assessment
Click here to listen to the interview.

Tuesday Oct 14, 2014

ISACA Webcast: Data-Centric Audit and Protection, Reducing Risk and Improving the Security Posture

A security strategy must begin with protecting the databases that hold the majority of sensitive and regulated data. Unfortunately, organizations do not have such a plan in place. They fail to protect their sensitive customer and organizational data. Join Oracle security expert, Roxana Bradescu, as she outlines a data-centric audit and protection strategy to help reduce organizational risk and improve the security posture. During this webcast you will learn:

  • What to audit and how to audit
  • Secure data infrastructure practices
  • How to prevent disclosures and leaks
  • And much more. 

Friday Sep 12, 2014

New KuppingerCole Report on Audit Vault and Database Firewall

KuppingerCole analyst Rob Newby recently (August 2014) put together an executive review of the award-winning Oracle Audit Vault and Database Firewall that you can pick up here for a fee. The paper (4 pages on AVDF, 7 total) goes into a description of the solution and how it works from both the Audit Vault, and Database Firewall perspectives. It further covers reporting and alerting, as well as integration with other Oracle products, summarizing with strengths and challenges.

Happy weekend reading.

Wednesday Sep 10, 2014

SANS Webcast: Simplifying Data Encryption and Redaction Without Touching the Code

SANS Analyst and Instructor and well known security expert, Dave Shackleford, will be doing a review of Oracle Advanced Security on September 16, 12:00 p.m. ET/ 3:00 p.m. ET

Register now for the webcast "Simplifying Data Encryption and Redaction Without Touching the Code" 

The need for organizations to protect sensitive information has never been more paramount. The risks of data breaches and sensitive data exposures are driving organizations to look for solutions, as an increasing amount of data is being stored and processed outside the perimeter, in cloud applications and service environments. Organizations must protect this sensitive data at its heart, in the databases. In this webcast, we discuss a recent review by SANS Analyst and Instructor Dave Shackleford of Oracle Advanced Security for Oracle Database 12c and its encryption and redaction capabilities.

Register for the webcast and be among the first to receive an advance copy of a SANS whitepaper discussing the Analyst Program's review of Oracle Advanced Security.

Tuesday Sep 02, 2014

Oracle Audit Vault and Database Firewall Wins Reader's Choice Award for Best Database Security Solution

Thank you to all those who voted for the Database Trends and Applications Reader's Choice Awards, 2014 and voting Oracle Audit Vault and Database Firewall as the best database security solution on the market. 

"Unlike any other awards programs conducted by DBTA, this one is special because the nominees are submitted and the winners are chosen by the experts—whose opinions carry more weight than all others—you, the readers. With more than 22,000 votes cast across 31 categories, the contest between candidates was often neck and neck. As a result, we are showcasing both winners and finalists in each category."

Oracle wins in a number of categories including:

  1. Best Relational Database: Oracle Database
  2. Best Cloud Database: Oracle Database 12c
  3. Best Database Appliance: Oracle Exadata
  4. Best Database Administration Solution: Oracle Enterprise Manager
  5. Best Database Performance Solution: Oracle Enterprise Manager
  6. Best Database Backup Solution: Oracle Database Backup Logging Recovery Appliance
  7. Best Data Replication Solution: Oracle GoldenGate 12c
  8. Best Change Data Capture Solution: Oracle CDC
  9. Best Data Virtualization Solution: Oracle Database 12c Multitenant
  10. Best Cloud Integration Solution: Oracle Cloud Integration
  11. Best Streaming Data Solution: Oracle Streams
  12. Best Data Mining Solution: Oracle Advanced Analytics

Wednesday Aug 27, 2014

Oracle Key Vault Interview with Vipin Samar, Vice President of Oracle Database Security

I had an opportunity to discuss Oracle Key Vault with Oracle's vice president of database security, Vipin Samar. Vipin talks about the challenges facing security professionals and database administrators as they try to manage encryption keys and other secrets, such as SSL certificates and Java keystores, across the enterprise. Watch the below video and learn how Oracle Key Vault, a new centralized key manager, secures, shares, and manages keys and secrets for the enterprise.

Learn more about Oracle Key Vault by watching the launch webcast.

Tuesday Aug 26, 2014

August Edition of Oracle's Security Inside Out Newsletter

Get the Oracle Information InDepth - Security Inside Out Newsletter

Read the latest edition of Oracle Security news in this month's bi-monthly Security Inside Out Newsletter that features both database security and identity management news, webcasts, events, training and more. Subscribe here to have your own copy emailed to you. 

New Product Launch: Secure and Centralize Key Management with Oracle Key Vault

In August 2014, Oracle launched Oracle Key Vault, a central key management platform that enables efficient and secure deployment of encryption across the enterprise. Get details on the new release. 

Security at Oracle OpenWorld 2014: Don't-Miss Sessions and More

High-profile breaches, combined with increasing regulatory complexity, are driving unprecedented investment in security. Organizers of Oracle OpenWorld expect security-related activities to draw even higher attendance than last year. Find out what key sessions Oracle’s security team recommends you add to your agenda. 


Who are we?

Follow us on

  • TwitterFacebookLinkedIn


« October 2015