Thursday Feb 19, 2015

Top Two Cloud Security Concerns: Data Breaches and Data Loss

Apply a Data-centric Security Strategy in the Cloud

Don't miss watching the webcast Applying a Data-centric Security Strategy in the Cloud

Most organizations are worried about putting sensitive data into the cloud. In fact, industry reports indicate data breaches and data loss are their top two concerns. Rather than apply a one-size-fits-all approach to data security, organizations would be better prepared if they implemented security controls based on the type of data and its use. In this session, you will learn how to apply the appropriate levels of security controls based on data sensitivity, and then map them to your cloud environment.

Watch now.  

Tuesday Feb 03, 2015

All Data is Not Equal, Map Security Controls to the Value of Data

As you look at data, you will quickly realize that not all data is equal. What do I mean by that? Quite simply, some data does not require the same security controls as other data.

When explaining this to customers, we use a metals analogy to simplify the provisioning of controls. Bronze represents the least sensitive data, up through Platinum, the highest value and most sensitive data within an organization.

Thinking in this manner provides the ability to refine many configurations into a few pre-configured, pre-approved, reference architectures. Applying this methodology is especially important when it comes to the cloud. It comes down to consistency in applying security controls, based on the data itself.

Oracle’s preventive, detective, and administrative pillars can be applied to the various data categorizations. At this point in the conversation, customers begin to understand more pragmatically how this framework can be used to align security controls with the value, or sensitivity, of the data.

Security practitioners can then work with lines of business to assign the appropriate level of controls, both systematically and consistently across the organization.  

So for example, at the bronze level, items such as application of patches, secure configuration scanning and the most basic auditing would be appropriate. Data deemed more sensitive, such as personally identifiable information, or personal health information, require additional security controls around the application data. This would include, for example, blocking default access by those designated as database administrators.

Finally, the highest data sensitivity level, Platinum, should include blocking database changes during production time frames, preventing SQL injection attacks, and centralized enterprise-wide reporting and alerting for compliance and audit requirements.

To learn more about Oracle Security Solutions, download the ebook "Securing Oracle Database 12c: A Technical Primer" by Oracle security experts.

Wednesday Jan 28, 2015

Oracle Cloud Forum - Mapping Security Controls to the Value of Data

Learn how to prioritize your security control deployments by watching Oracle's Cloud Platform Online Forum session, "Applying a Data-Centric Security Strategy in the Cloud."

Most organizations are worried about putting sensitive data into the cloud. In fact, industry reports indicate data breaches and data loss are their top two concerns.

Case in point, my previous blog article discusses how more than a third (34%) of organizations believe that a data breach is "somewhat likely" to "inevitable" in 2015.

Rather than apply a one size fits all approach to data security, organizations would be better prepared if they implemented security controls based on the type of data and its use.

In this session, you will learn how to apply the appropriate levels of security controls based on data sensitivity, and then map them to your cloud environment. 

Register to watch the forum here.  

Tuesday Jan 13, 2015

34% of Organizations Say Data Breach “Somewhat likely” to “Inevitable” in 2015

According to the latest Independent Oracle Users Group (IOUG) Enterprise Data Security Survey, one third of organizations say that a data breach is "somewhat likely" to "inevitable" in the next 12 months, up from 20% in 2008. Are organizations coming to the realization that data breaches will happen? 

2014 IOUG Data Security Survey Likelihood of a Data Breach

Each year, the IOUG surveys a wide range of database security and IT professionals responsible for security, and examines the current state of enterprise data security. They summarize the 2014 findings of 353 data managers and professionals in order to help educate organizations about data security.

The likelihood of a data breach has grown over the years since they first began asking this question, and is similar to other surveys of this ilk. According to the Ponemon 2014 Cost of a Data Breach Study, we see as much as 30% probability.

According to another Ponemon study "Data Breach: The Cloud Multiplier Effect," those surveyed estimate that every one percent increase in the use of cloud services will result in a 3 percent higher probability of a data breach.

When looking at history, survey respondents of the IOUG report say that they often have no idea whether a breach has occurred--or worse--is occurring:

"We cannot be certain there has been no silent breach. There is no evidence we have detected a breach or corruption. But picturing yourself as highly unlikely to be breached we feel is like wearing a ‘kick-me’ sign on your backside."

2014 IOUG Data Security Survey Known Data Breaches

To learn more, download the 2014 IOUG Data Security Survey Report here

Wednesday Nov 12, 2014

Oracle Security Webcast Series for UK Customers

Over the next four Thursdays, beginning November 20th through December 11th, our UK team will be addressing security 

Preventive Controls to Avoid Next Data Breach, Nov 20, 2014. 11:00 AM - 11:45 AM (GMT)

Learn how preventive controls can increase your defense arsenal against the evolving threats to databases. Data breaches not only expose your customers' and employees' private data, but also diminish your reputation and impact the bottom line. Oracle Security specialists will demonstrate the latest database security capabilities which enable you to adopt a defense-in-depth strategy to mitigate risks and protect the data at source – the database.

Detective Controls for Compliance & Auditing, Nov 27, 2014, 11:00 AM - 11:45 AM (GMT)

Learn how you can enforce the “trust but verify” principle by consolidating audit and event sources from the Oracle and non-Oracle components of your infrastructure, offering integrated, real-time security analytics. Find out how Oracle detective controls can offer a first line of defense against SQL injection attacks, as well as a simplified compliance reporting platform, for audit data analysis, within a centralized, secure warehouse.

Identity Governance for Extended Enterprise, Dec 4, 2014, 11:00 AM - 11:45 AM (GMT)

As organizations deploy an ever-increasing number of cloud, mobile, and enterprise applications, identifying and managing user access can be a challenge, especially when departmental application deployments are outside the view of corporate IT. Join us for this live webcast to learn how Oracle’s Identity governance solution reduces risks and costs while providing fast access to new services through an intuitive user self-service solution.

Strategies for Mobile Application Security, Dec 11, 2014, 11:00 AM - 11:45 AM (GMT)

Enterprise mobility and the Internet of Things are both new IT endpoints that require melding device and user identities for security reasons. Join us for this live webcast to learn how identity management platform benefits are enabling customers to move deployments to the next level of sophistication, as the mobile security market consolidates.

Monday Nov 10, 2014

Encrypting, Redacting and Masking at Epsilon

Epsilon Uses Oracle Advanced Security and Data Masking and Subsetting

“With Transparent Data Encryption, the key rotation process is really much simpler for us…attesting to the audit team is much easier.”

Hear Keith Wilcox discuss how Epsilon addresses its customers’ sensitive application data requirements in production and development databases using Oracle Advanced Security and Oracle Data Masking and Subsetting.


  • Varying requirements across retail, financial, and more
  • Difficulty demonstrating compliance with custom solution
  • Sensitive data showing within customer’s application 
  • Data encryption key rotation 

Why Epsilon Chose Oracle

  • Flexible solution to meet multiple customer requirements
  • Attesting to audit team is more credible using Oracle
  • Provides standard “secure package” for future deployments
  • A lot of great Oracle information available on the internet

Notable Quote:

“We started using data redaction with the one particular client, for PII data, but we really look forward to rolling that out to other [customers], such as our financial clients. We’ll be adding it to our standard ‘secure package’ that we use across the enterprise.”

Friday Oct 17, 2014

Why Infinity Insurance Chose Oracle Advanced Security and Database Vault

I had an opportunity to sit down with Cathy Robinson, Database Administrator at Infinity Property and Casualty Corporation, while at Oracle OpenWorld 2014. Infinity Insurance is a public insurance company that deals with high risk maturities, mostly auto insurance, and provides products through a network of approximately 12,500 independent agencies and brokers. Cathy told me how they use Oracle Advanced Security for encryption and Oracle Database Vault for database privileged user controls.

Cathy has an interesting background with the Department of Defense and joined Infinity with a great understanding of what is required to lock down data and secure an IT environment. As I interviewed Cathy, I learned that the main overall issues they face include:

  • Protecting sensitive personally identifiable information (i.e., payment card, social security numbers)
  • Educating employees on the importance of securing this data
  • Securing older applications where changing software code is prohibitive

They have been able to implement Oracle Advanced Security to address these security requirements without having to make any application changes. Additionally, there has been "no performance degradation whatsoever." To further put in place a defense-in-depth database security strategy, Infinity is also implementing Oracle Database Vault for separation of duties and least privilege.

When I asked why they chose Oracle, Cathy responded with the following:

  • One vendor instead of multiple point solution vendors
  • Deep integration with Oracle Databases
  • Oracle security expertise, which included a database security assessment

Click here to listen to the interview.

Tuesday Oct 14, 2014

ISACA Webcast: Data-Centric Audit and Protection, Reducing Risk and Improving the Security Posture

A security strategy must begin with protecting the databases that hold the majority of sensitive and regulated data. Unfortunately, organizations do not have such a plan in place. They fail to protect their sensitive customer and organizational data. Join Oracle security expert, Roxana Bradescu, as she outlines a data-centric audit and protection strategy to help reduce organizational risk and improve the security posture. During this webcast you will learn:

  • What to audit and how to audit
  • Secure data infrastructure practices
  • How to prevent disclosures and leaks
  • And much more. 

Friday Sep 12, 2014

New KuppingerCole Report on Audit Vault and Database Firewall

KuppingerCole analyst Rob Newby recently (August 2014) put together an executive review of the award-winning Oracle Audit Vault and Database Firewall that you can pick up here for a fee. The paper (4 pages on AVDF, 7 total) describes the solution and how it works from both the Audit Vault and Database Firewall perspectives. It further covers reporting and alerting, as well as integration with other Oracle products, and closes with a summary of strengths and challenges.

Happy weekend reading.

Wednesday Sep 10, 2014

SANS Webcast: Simplifying Data Encryption and Redaction Without Touching the Code

SANS Analyst and Instructor and well-known security expert Dave Shackleford will be doing a review of Oracle Advanced Security on September 16, 12:00 p.m. ET/ 3:00 p.m. ET.

Register now for the webcast "Simplifying Data Encryption and Redaction Without Touching the Code" 

The need for organizations to protect sensitive information has never been more paramount. The risks of data breaches and sensitive data exposures are driving organizations to look for solutions, as an increasing amount of data is being stored and processed outside the perimeter, in cloud applications and service environments. Organizations must protect this sensitive data at its heart, in the databases. In this webcast, we discuss a recent review by SANS Analyst and Instructor Dave Shackleford of Oracle Advanced Security for Oracle Database 12c and its encryption and redaction capabilities.

Register for the webcast and be among the first to receive an advance copy of a SANS whitepaper discussing the Analyst Program's review of Oracle Advanced Security.

Tuesday Sep 02, 2014

Oracle Audit Vault and Database Firewall Wins Reader's Choice Award for Best Database Security Solution

Thank you to all those who voted in the Database Trends and Applications Reader's Choice Awards, 2014, and voted Oracle Audit Vault and Database Firewall the best database security solution on the market.

"Unlike any other awards programs conducted by DBTA, this one is special because the nominees are submitted and the winners are chosen by the experts—whose opinions carry more weight than all others—you, the readers. With more than 22,000 votes cast across 31 categories, the contest between candidates was often neck and neck. As a result, we are showcasing both winners and finalists in each category."

Oracle wins in a number of categories including:

  1. Best Relational Database: Oracle Database
  2. Best Cloud Database: Oracle Database 12c
  3. Best Database Appliance: Oracle Exadata
  4. Best Database Administration Solution: Oracle Enterprise Manager
  5. Best Database Performance Solution: Oracle Enterprise Manager
  6. Best Database Backup Solution: Oracle Database Backup Logging Recovery Appliance
  7. Best Data Replication Solution: Oracle GoldenGate 12c
  8. Best Change Data Capture Solution: Oracle CDC
  9. Best Data Virtualization Solution: Oracle Database 12c Multitenant
  10. Best Cloud Integration Solution: Oracle Cloud Integration
  11. Best Streaming Data Solution: Oracle Streams
  12. Best Data Mining Solution: Oracle Advanced Analytics

Wednesday Aug 27, 2014

Oracle Key Vault Interview with Vipin Samar, Vice President of Oracle Database Security

I had an opportunity to discuss Oracle Key Vault with Oracle's vice president of database security, Vipin Samar. Vipin talks about the challenges facing security professionals and database administrators as they try to manage encryption keys and other secrets, such as SSL certificates and Java keystores, across the enterprise. Watch the video below and learn how Oracle Key Vault, a new centralized key manager, secures, shares, and manages keys and secrets for the enterprise.

Learn more about Oracle Key Vault by watching the launch webcast.

Tuesday Aug 26, 2014

August Edition of Oracle's Security Inside Out Newsletter

Get the Oracle Information InDepth - Security Inside Out Newsletter

Read the latest edition of Oracle Security news in this month's bi-monthly Security Inside Out Newsletter that features both database security and identity management news, webcasts, events, training and more. Subscribe here to have your own copy emailed to you. 

New Product Launch: Secure and Centralize Key Management with Oracle Key Vault

In August 2014, Oracle launched Oracle Key Vault, a central key management platform that enables efficient and secure deployment of encryption across the enterprise. Get details on the new release. 

Security at Oracle OpenWorld 2014: Don't-Miss Sessions and More

High-profile breaches, combined with increasing regulatory complexity, are driving unprecedented investment in security. Organizers of Oracle OpenWorld expect security-related activities to draw even higher attendance than last year. Find out what key sessions Oracle’s security team recommends you add to your agenda. 

Friday Aug 08, 2014

Focus on Database Security at Oracle OpenWorld, 2014

Data security threats and regulatory compliance are the new "death" and "taxes" that we can all be certain of. Security is a hot topic across all organizations, whether you have 100 or 100,000 employees. Organizations are scrambling to mitigate threats and comply with regulatory requirements. Oracle OpenWorld is the place for customers to hear about the latest advances in data security, meet with security experts, and learn the next steps to help secure the sensitive data they hold.

With Oracle OpenWorld, 2014 about 2 months away, we've compiled the database security sessions, hands-on labs, and more that are critical for database administrators, security experts and executives to attend. Here are just some of the talks this year:

Oracle Database 12c: Defense-in-Depth Security [CON8194]

Attend this session to quickly get up to speed on the powerful preventive and detective controls available in Oracle Database 12c. It provides an overview of security capabilities in Oracle Database 12c and is ideally suited for those who are new to security or want to quickly get up to speed on protecting the data stored in their mission-critical databases. The presentation drills down particularly into the new Oracle Database 12c unified and conditional auditing facility. Learn how to create audit policies with conditional clauses, enabling highly selective and effective auditing. See a demonstration of a conditional audit policy based on a connection from a database link and a connection using proxy authentication.

Introducing Oracle Key Vault: Centralized Keys, Wallets, and Java Keystores [CON8189]

Attend this technical session to learn how the new Oracle Key Vault helps organizations accelerate encryption initiatives by addressing proliferating wallets, managing them centrally. See demonstrations of how to set up, configure, and administer Oracle Key Vault for centralized key management for OSs, databases, and middleware. Get best practices for using Oracle Key Vault, a security-hardened software appliance, with existing key storage files such as Oracle wallets and Java Keystores. Learn about optimizations for Oracle Database 11g and Oracle Database 12c, where Oracle Key Vault directly connects to Oracle Advanced Security transparent data encryption (TDE).

Oracle Database Security Strategy and Best Practices: Customer Case Study Panel [CON8192]

Oracle Database security solutions are transparent and easy to deploy and offer comprehensive data protection in a rapidly evolving threat landscape. In this session, you will hear from Oracle customers that have successfully deployed transparent data encryption, data masking, database firewalls, and database auditing and monitoring to protect their data and address regulatory compliance requirements. You will hear why they did it, how they did it, and the lessons learned. This is a highly interactive session—you will have an opportunity to pose questions to the panel and get real-world tips and best practices from your peers.

Plus much more... 

Register for OracleOpenWorld

Register now and get the focus on database security document here to begin planning. Please note the agenda is subject to change and will be filled out with session dates/times and room locations as we get closer to OpenWorld, Sept 28-Oct 2, 2014 in San Francisco. And a tip: read the Securing Oracle Database 12c ebook to get prepared; we look forward to seeing you there!

