Wednesday Sep 10, 2014

SANS Webcast: Simplifying Data Encryption and Redaction Without Touching the Code

SANS Analyst and Instructor and well-known security expert Dave Shackleford will be doing a review of Oracle Advanced Security on September 16, 12:00 p.m. ET/ 3:00 p.m. ET.

Register now for the webcast "Simplifying Data Encryption and Redaction Without Touching the Code" 

The need for organizations to protect sensitive information has never been more paramount. The risks of data breaches and sensitive data exposures are driving organizations to look for solutions, as an increasing amount of data is being stored and processed outside the perimeter, in cloud applications and service environments. Organizations must protect this sensitive data at its heart, in the databases. In this webcast, we discuss a recent review by SANS Analyst and Instructor Dave Shackleford of Oracle Advanced Security for Oracle Database 12c and its encryption and redaction capabilities.

Register for the webcast and be among the first to receive an advance copy of a SANS whitepaper discussing the Analyst Program's review of Oracle Advanced Security.

Tuesday Sep 02, 2014

Oracle Audit Vault and Database Firewall Wins Reader's Choice Award for Best Database Security Solution

Thank you to all those who voted in the Database Trends and Applications Reader's Choice Awards, 2014, and voted Oracle Audit Vault and Database Firewall the best database security solution on the market.

"Unlike any other awards programs conducted by DBTA, this one is special because the nominees are submitted and the winners are chosen by the experts—whose opinions carry more weight than all others—you, the readers. With more than 22,000 votes cast across 31 categories, the contest between candidates was often neck and neck. As a result, we are showcasing both winners and finalists in each category."

Oracle wins in a number of categories including:

  1. Best Relational Database: Oracle Database
  2. Best Cloud Database: Oracle Database 12c
  3. Best Database Appliance: Oracle Exadata
  4. Best Database Administration Solution: Oracle Enterprise Manager
  5. Best Database Performance Solution: Oracle Enterprise Manager
  6. Best Database Backup Solution: Oracle Database Backup Logging Recovery Appliance
  7. Best Data Replication Solution: Oracle GoldenGate 12c
  8. Best Change Data Capture Solution: Oracle CDC
  9. Best Data Virtualization Solution: Oracle Database 12c Multitenant
  10. Best Cloud Integration Solution: Oracle Cloud Integration
  11. Best Streaming Data Solution: Oracle Streams
  12. Best Data Mining Solution: Oracle Advanced Analytics

Wednesday Aug 27, 2014

Oracle Key Vault Interview with Vipin Samar, Vice President of Oracle Database Security

I had an opportunity to discuss Oracle Key Vault with Oracle's vice president of database security, Vipin Samar. Vipin talks about the challenges facing security professionals and database administrators as they try to manage encryption keys and other secrets, such as SSL certificates and Java keystores, across the enterprise. Watch the video below and learn how Oracle Key Vault, a new centralized key manager, secures, shares, and manages keys and secrets for the enterprise.

Learn more about Oracle Key Vault by watching the launch webcast.

Tuesday Aug 26, 2014

August Edition of Oracle's Security Inside Out Newsletter

Get the Oracle Information InDepth - Security Inside Out Newsletter

Read the latest edition of Oracle Security news in this month's bi-monthly Security Inside Out Newsletter that features both database security and identity management news, webcasts, events, training and more. Subscribe here to have your own copy emailed to you. 

New Product Launch: Secure and Centralize Key Management with Oracle Key Vault

In August 2014, Oracle launched Oracle Key Vault, a central key management platform that enables efficient and secure deployment of encryption across the enterprise. Get details on the new release. 

Security at Oracle OpenWorld 2014: Don't-Miss Sessions and More

High-profile breaches, combined with increasing regulatory complexity, are driving unprecedented investment in security. Organizers of Oracle OpenWorld expect security-related activities to draw even higher attendance than last year. Find out what key sessions Oracle’s security team recommends you add to your agenda. 

Friday Aug 08, 2014

Focus on Database Security at Oracle OpenWorld, 2014

Data security threats and regulatory compliance are the new "death" and "taxes" that we can all be certain of. Security is a hot topic across all organizations, whether you have 100 or 100,000 employees. Organizations are scrambling to mitigate threats and comply with regulatory requirements. Oracle OpenWorld is the place for customers to hear about the latest advances in data security, meet with security experts, and learn the next steps to help secure the sensitive data they hold.

With Oracle OpenWorld, 2014 about 2 months away, we've compiled the database security sessions, hands-on labs, and more that are critical for database administrators, security experts and executives to attend. Here are just some of the talks this year:

Oracle Database 12c: Defense-in-Depth Security [CON8194]

Attend this session to quickly get up to speed on the powerful preventive and detective controls available in Oracle Database 12c. It provides an overview of security capabilities in Oracle Database 12c and is ideally suited for those who are new to security or want to quickly get up to speed on protecting the data stored in their mission-critical databases. The presentation drills down particularly into the new Oracle Database 12c unified and conditional auditing facility. Learn how to create audit policies with conditional clauses, enabling highly selective and effective auditing. See a demonstration of a conditional audit policy based on a connection from a database link and a connection using proxy authentication.

Introducing Oracle Key Vault: Centralized Keys, Wallets, and Java Keystores [CON8189]

Attend this technical session to learn how the new Oracle Key Vault helps organizations accelerate encryption initiatives by addressing proliferating wallets, managing them centrally. See demonstrations of how to set up, configure, and administer Oracle Key Vault for centralized key management for OSs, databases, and middleware. Get best practices for using Oracle Key Vault, a security-hardened software appliance, with existing key storage files such as Oracle wallets and Java Keystores. Learn about optimizations for Oracle Database 11g and Oracle Database 12c, where Oracle Key Vault directly connects to Oracle Advanced Security transparent data encryption (TDE).

Oracle Database Security Strategy and Best Practices: Customer Case Study Panel [CON8192]

Oracle Database security solutions are transparent and easy to deploy and offer comprehensive data protection in a rapidly evolving threat landscape. In this session, you will hear from Oracle customers that have successfully deployed transparent data encryption, data masking, database firewalls, and database auditing and monitoring to protect their data and address regulatory compliance requirements. You will hear why they did it, how they did it, and the lessons learned. This is a highly interactive session—you will have an opportunity to pose questions to the panel and get real-world tips and best practices from your peers.

Plus much more... 

Register for Oracle OpenWorld

Register now and get the focus on database security document here to begin planning. Please note that the agenda is subject to change and will be filled out with session dates/times and room locations as we get closer to OpenWorld, Sept 28-Oct 2, 2014 in San Francisco. And a tip: read the Securing Oracle Database 12c ebook to get prepared; we look forward to seeing you there!

Thursday Aug 07, 2014

Introducing Oracle Key Vault for Centralized Key Management

Oracle Customers Secure Critical Encryption Keys with Oracle Key Vault

Centrally Manage Oracle Database Encryption Master Keys, Oracle Wallets, Java KeyStores and Other Credential Files

Encryption is widely recognized as the gold standard for protecting data privacy, but encryption is only as strong as its key management. Critical credential files such as Oracle Wallets, Java KeyStores, SSH key files and SSL certificate files are often widely distributed across servers and server clusters with error-prone synchronization and backup mechanisms.

To address the need for robust key management, Oracle today introduced Oracle Key Vault, a software appliance designed to securely manage encryption keys and credential files in the enterprise data center.

Read the press release and register for the webcast to learn how Oracle Key Vault:
  • Centralizes Keys in a modern, secure, and robust key management platform
  • Secures, shares, and manages keys and secrets for the enterprise
  • Manages key lifecycle stages including creation, rotation, and expiration

Learn more: Oracle Key Vault enables customers to quickly deploy encryption and other security solutions.

Webcast: August 21, 2014
10:00 a.m. PT/1:00 a.m. ET

Monday Aug 04, 2014

Securing Data in the New Digital Economy Webcast

2014 has already witnessed some of the largest data breaches on record. As the black market for stolen data becomes increasingly organized, the supply chain for information is providing an efficient means to monetize a vast array of stolen information. At the same time, our legal economy is becoming more hyper-connected, providing more digital services and making companies more vulnerable to attacks. In this session we will explore the security requirements for information in the new digital economy and, with the vast amount of case information from breach investigations, distill a security strategy to reduce risk.

Register to hear the recorded webcast. 

Thursday Jul 17, 2014

What's the Difference Between Oracle Transparent Data Encryption, Data Masking and Data Redaction?

Oracle database security solutions provide three means of making data at rest unreadable. We sometimes get questions about their differences.

Oracle Advanced Security 

Transparent Data Encryption (TDE), a capability of Oracle Advanced Security, encrypts data within the Oracle Database on disk. It is transparent to applications and users and requires no changes to existing applications. TDE is available as a part of the Oracle Database, so if you have Oracle, you have Oracle Advanced Security and would simply require a license to activate it.

When would you use TDE? 

TDE stops would-be attackers from bypassing the database and reading sensitive information from storage by enforcing data-at-rest encryption in the database layer. Applications and users authenticated to the database continue to have access to application data transparently (no application code or configuration changes are required), while OS users attempting to read sensitive data from tablespace files and thieves attempting to read information from acquired disks or backups are denied access to the clear-text data.

Data Redaction, also a capability of Oracle Advanced Security, provides selective, on-the-fly redaction of sensitive data in SQL query results prior to display by applications so that unauthorized users cannot view the sensitive data. It enables consistent redaction of database columns across application modules accessing the same database information. Data Redaction minimizes changes to applications because it does not alter actual data in internal database buffers, caches, or storage, and it preserves the original data type and formatting when transformed data is returned to the application. 

When would you use data redaction? 

Existing applications often return sensitive data, including dates of birth, social security numbers, and more, to call center and support staff, or even to customers. Traditionally, organizations would have to access and change application source code in order to redact sensitive data. This can be error-prone, laborious, and performance-heavy. Data redaction mitigates this risk and helps organizations meet compliance requirements, such as PCI DSS, by masking displayed data within applications.
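To make the contrast between TDE and Data Redaction concrete, here is an added example (not from the original post or from Oracle's documentation) that applies both to the same column. The schema `APP`, table `CUSTOMERS`, tablespace `SECURE_TS`, datafile name, policy name and the `SUPPORT_LEAD` account are hypothetical, and a TDE keystore is assumed to be open with a master key already set.

```sql
-- Assumption: the TDE keystore already exists, is open, and has a master key.
-- All object, file and account names below are hypothetical.

-- 1. TDE: blocks written to this tablespace are encrypted on disk, so
--    datafiles and backups do not expose clear text to OS users.
CREATE TABLESPACE secure_ts
  DATAFILE 'secure_ts01.dbf' SIZE 100M
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

CREATE TABLE app.customers (
  customer_id NUMBER PRIMARY KEY,
  full_name   VARCHAR2(100),
  ssn         VARCHAR2(11)      -- stored in NNN-NN-NNNN form
) TABLESPACE secure_ts;

-- 2. Data Redaction: the stored value is unchanged; the first five digits
--    are redacted in query results whenever the expression is true, i.e.
--    for every session user except SUPPORT_LEAD.
BEGIN
  DBMS_REDACT.ADD_POLICY(
    object_schema       => 'APP',
    object_name         => 'CUSTOMERS',
    column_name         => 'SSN',
    policy_name         => 'redact_customer_ssn',
    function_type       => DBMS_REDACT.PARTIAL,
    function_parameters => DBMS_REDACT.REDACT_US_SSN_F5,
    expression          =>
      'SYS_CONTEXT(''USERENV'',''SESSION_USER'') != ''SUPPORT_LEAD''');
END;
/

-- 3. The application issues the same statement for every user; TDE decrypts
--    transparently and the redaction policy decides what is displayed.
SELECT customer_id, full_name, ssn FROM app.customers;

-- 4. Checks a DBA or auditor would run to confirm both controls are in place.
SELECT tablespace_name, encrypted
  FROM dba_tablespaces
 WHERE tablespace_name = 'SECURE_TS';

SELECT object_owner, object_name, policy_name, expression, enable
  FROM redaction_policies
 WHERE object_owner = 'APP' AND object_name = 'CUSTOMERS';

-- Accounts holding this privilege see unredacted values regardless of policy.
SELECT grantee
  FROM dba_sys_privs
 WHERE privilege = 'EXEMPT REDACTION POLICY';
```

Neither control replaces the other: TDE does nothing for an authenticated session, and redaction does nothing for someone reading the datafile. Review the `EXEMPT REDACTION POLICY` grants regularly, since those accounts bypass the policy entirely.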

Learn more about transparent data encryption and data redaction. 

Oracle Data Masking and Subsetting

Data Masking enables sensitive information such as credit card or social security numbers to be replaced with realistic values, allowing production data to be safely used for development, testing, or sharing with outsourcing partners or offshore teams for other nonproduction purposes.

When would you use data masking?  

Data masking is used for nonproduction environments for quality assurance, testing, and development purposes. Many organizations inadvertently breach information when they routinely copy sensitive and regulated production data into nonproduction environments. Data in nonproduction environments, which can be lost or stolen, has increasingly become the target of cyber criminals. Data masking helps organizations reduce this risk and meet compliance requirements.

Learn more about data masking. 

Monday Jun 30, 2014

June Ed of Security Inside Out Newsletter Is Out

Get the latest edition of Oracle Security Inside Out Newsletter and subscribe to future editions. As a bi-monthly security newsletter, we cover all things security for both Oracle Database Security and Identity Management solutions, news, and events. Here are this month's database security articles:

Five Hard Lessons Learned from the Verizon Report on APT1 Attack

Advanced persistent threats (APT) are a type of ongoing cyberattack from well-coordinated and funded cybercriminals who penetrate an organization slowly and methodically. Find out from Oracle experts what key lessons your organization can take away from the analysis of an APT attack.


Know Your Enemy: Profile Attackers and Defend Targeted Assets

In the new Countering Adversaries webcast series now available on demand, security experts explain how to identify the kinds of adversaries specific industries attract, understand the types of data they are after, and focus in on the tools that provide the most effective deterrence against these specific threats.

Friday Jun 27, 2014

Securing Gas and Electrical Utilities with Oracle Audit Vault and Database Firewall

Medicine Hat is a city of 61,180 people in southeast Alberta, Canada. The City of Medicine Hat Electric Utility began generating electricity in 1910 using diesel fuel. Today, the power plant uses co-generation turbines with natural gas and steam to produce electricity for its customers. The Electric Utility generates, transmits and distributes electricity to approximately 30,000 customers within the City of Medicine Hat, Redcliff, Dunmore, Veinerville and outlying rural areas adjacent to the city.

Medicine Hat IT security challenges

  • Provide secure online utility billing system with direct database access
  • Work with limited IT department resources, including 17 people for the entire city
  • Secure a heterogeneous database environment: Oracle and SQL Server

Solution

The City of Medicine Hat chose Oracle Audit Vault and Database Firewall to monitor database traffic and detect and block threats such as SQL injection and privilege escalation attacks. 

Listen to the podcast to hear database administrator Chris Maxwell explain how the City of Medicine Hat uses Oracle Audit Vault and Database Firewall to protect their billing system web application and Microsoft SQL Server database.


Wednesday Jun 11, 2014

Q&A: Oracle's Paul Needham on How to Defend Against Insider Attacks

Source: Database Insider Newsletter:

The threat from insider attacks continues to grow. In fact, just since January 1, 2014, insider breaches have been reported by a major consumer bank, a major healthcare organization, and a range of state and local agencies, according to the Privacy Rights Clearinghouse.

We asked Paul Needham, Oracle senior director, product management, to shed light on the nature of these pernicious risks—and how organizations can best defend themselves against the threat from insider risks.

Q. First, can you please define the term "insider" in this context?

A. According to the CERT Insider Threat Center, a malicious insider is a current or former employee, contractor, or business partner who "has or had authorized access to an organization's network, system, or data and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization's information or information systems." 

Q. What has changed with regard to insider risks?

A. We are actually seeing the risk of privileged insiders growing. In the latest Independent Oracle Users Group Data Security Survey, the number of organizations that had not taken steps to prevent privileged user access to sensitive information had grown from 37 percent to 42 percent. Additionally, 63 percent of respondents say that insider attacks represent a medium-to-high risk—higher than any other category except human error (by an insider, I might add).

Q. What are the dangers of this type of risk?

A. Insiders tend to have special insight and access into the kinds of data that are especially sensitive. Breaches can result in long-term legal issues and financial penalties. They can also damage an organization's brand in a way that directly impacts its bottom line. Finally, there is the potential loss of intellectual property, which can have serious long-term consequences because of the loss of market advantage. 

Q. How can organizations protect themselves against abuse of privileged access?

A. Every organization has privileged users and that will always be the case. The questions are how much access should those users have to application data stored in the database, and how can that default access be controlled? Oracle Database Vault (See image) was designed specifically for this purpose and helps protect application data against unauthorized access. 

Oracle Database Vault can be used to block default privileged user access from inside the database, as well as increase security controls on the application itself. Attacks can and do come from inside the organization, and they are just as likely to come from outside as attempts to exploit a privileged account. 

Using Oracle Database Vault protection, boundaries can be placed around database schemas, objects, and roles, preventing privileged account access from being exploited by hackers and insiders. 

A new Oracle Database Vault capability called privilege analysis identifies privileges and roles used at runtime, which can then be audited or revoked by the security administrators to reduce the attack surface and increase the security of applications overall. 

For a more comprehensive look at controlling data access and restricting privileged data in Oracle Database, download Needham's new e-book, Securing Oracle Database 12c: A Technical Primer.

Friday Jun 06, 2014

Payback Is The Coupon King

PAYBACK GmbH operates the largest marketing and couponing platforms in the world—with more than 50 million subscribers in Germany, Poland, India, Italy, and Mexico. 

The Security Challenge

Payback handles millions of requests for customer loyalty coupons and card-related transactions per day under tight latency constraints—with up to 1,000 attributes or more for each PAYBACK subscriber. Among the many challenges they solved using Oracle, they had to ensure that storage of sensitive data complied with the company’s stringent privacy standards aimed at protecting customer and purchase information from unintended disclosure.

Oracle Advanced Security

The company deployed Oracle Advanced Security to achieve reliable, cost-effective data protection for back-up files and gain the ability to transparently encrypt data transfers.

By using Oracle Advanced Security, organizations can comply with privacy and regulatory mandates that require encrypting and redacting (display masking) application data, such as credit cards, social security numbers, or personally identifiable information (PII).

Learn more about how PAYBACK uses Oracle.

Wednesday Jun 04, 2014

The Top Ten Security Top Ten Lists

As marketers, we're always putting together the top 3, or 5 best, or an assortment of top ten lists. So instead of going that route, I've put together my top ten security top ten lists. These are not only for security practitioners, but also for the average Joe/Jane; because who isn't concerned about security these days? Now, there might not be ten for each one of these lists, but the title works best that way.

Starting with my number ten (in no particular order):

10. Top 10 Most Influential Security-Related Movies

Amrit Williams pulls together a great collection of security-related movies. He asks for comments on which one made you want to get into the business. I would have to say that my most influential movie(s), that made me want to get into the business of "stopping the bad guys" would have to be the James Bond series. I grew up on James Bond movies: thwarting the bad guy and saving the world. I recall being both ecstatic and worried when Silicon Valley-themed "A View to A Kill" hit theaters: "An investigation of a horse-racing scam leads 007 to a mad industrialist who plans to create a worldwide microchip monopoly by destroying California's Silicon Valley." Yikes!

9. Top Ten Security Careers

From movies that got you into the career, here’s a top 10 list of security-related careers. It starts with number ten, Information Security Analyst, and ends with number one, Malware Analyst. They point out the significant growth in security careers and indicate that "according to the Bureau of Labor Statistics, the field is expected to experience growth rates of 22% between 2010-2020." If you are interested in getting into the field, Oracle has many great opportunities all around the world.

8. Top 125 Network Security Tools

A bit outside of the range of 10, the top 125 Network Security Tools is an important list because it includes a prioritized list of key security tools practitioners are using in the hacking community, regardless of whether they are vendor supplied or open source. The exhaustive list provides ratings, reviews, searching, and sorting.

7. Top 10 Security Practices

I have to give a shout out to my alma mater, Cal Poly, SLO: Go Mustangs! They have compiled their list of top 10 practices for students and faculty to follow. Educational institutions are a common target of web-based attacks and miscellaneous errors according to the 2014 Verizon Data Breach Investigations Report.

6. (ISC)2 Top 10 Safe and Secure Online Tips for Parents

This list is arguably the most important list on my list. The tips were "gathered from (ISC)2 member volunteers who participate in the organization’s Safe and Secure Online program, a worldwide initiative that brings top cyber security experts into schools to teach children ages 11-14 how to protect themselves in a cyber-connected world…If you are a parent, educator or organization that would like the Safe and Secure Online presentation delivered at your local school, or would like more information about the program, please visit here."

5. Top Ten Data Breaches of the Past 12 Months

This type of list is always changing, so it's nice to have a current one here from TechRadar.com. They've compiled and commented on the top breaches. It is likely that most readers here were affected in some way or another.

4. Top Ten Security Comic Books

Although mostly physical security controls, I threw this one in for fun. My vote for #1 (not on the list) would be Professor X. The guy can breach confidentiality, integrity, and availability just by messing with your thoughts.

3. The IOUG Data Security Survey's Top 10+ Threats to Organizations

The Independent Oracle Users Group annual survey on enterprise data security, Leaders Vs. Laggards, highlights what Oracle Database users deem as the top 12 threats to their organization. You can find a nice graph on page 9; Figure 7: Greatest Threats to Data Security.

2. The Ten Most Common Database Security Vulnerabilities

Though I don't necessarily agree with all of the vulnerabilities in this order...I like a list that focuses on where two-thirds of your sensitive and regulated data resides (Source: IDC). 

1. OWASP Top Ten Project

The Online Web Application Security Project puts together their annual list of the 10 most critical web application security risks that organizations should be including in their overall security, business risk and compliance plans. In particular, the risk of SQL injection continues to rear its ugly head each year. Oracle Audit Vault and Database Firewall can help prevent SQL injection attacks and monitor database and system activity as a detective security control.

Did I miss any?

Tuesday May 27, 2014

Oracle Key Vault Sneak Peek at NYOUG

The New York Oracle Users Group will get a sneak peek of Oracle Key Vault on Tuesday, June 3, from Todd Bottger, Senior Principal Product Manager, Oracle.

If you recall, Oracle Key Vault made its first appearance at last year's Oracle OpenWorld in San Francisco within the session "Introducing Oracle Key Vault: Enterprise Database Encryption Key Management."

You can catch Todd's talk from 9:30 to 10:30 am.

Session Abstract

With many global regulations calling for data encryption, centralized and secure key management has become a need for most organizations. This session introduces Oracle Key Vault for centrally managing encryption keys, wallets, and passwords for databases and other enterprise servers. Oracle Key Vault enables large-scale deployments of Oracle Advanced Security’s Transparent Data Encryption feature and secure sharing of keys between Oracle Real Application Clusters (Oracle RAC), Oracle Active Data Guard, and Oracle GoldenGate deployments. With support for industry standards such as OASIS KMIP and PKCS #11, Oracle Key Vault can centrally manage keys and passwords for other endpoints in your organization and provide greater reliability, availability, and security. 
