Tuesday May 26, 2015
Monday Mar 09, 2015
By Troy Kitch-Oracle on Mar 09, 2015
"Let me begin with my vision of the FTC and its role in light of the emergence of big data. I grew up in a beach town in Southern California. To me, the FTC is like the lifeguard on a beach. Like a vigilant lifeguard, the FTC’s job is not to spoil anyone’s fun but to make sure that no one gets hurt. With big data, the FTC’s job is to get out of the way of innovation while making sure that consumer privacy is respected."
- Edith Ramirez, Chairwoman, Federal Trade Commission

Ms. Ramirez highlights the FTC's role in protecting consumers from what she refers to as "indiscriminate data collection" of personal information. Her main concern is that organizations can potentially use this information in ways that ultimately implicate individual privacy. There are many instances in which data previously considered anonymous was correlated with other publicly available information, increasing the ability to implicate individuals.
Finding Out Truthful Data from "Anonymous" Information
Her concerns are not unfounded; the highly referenced paper Robust De-anonymization of Large Sparse Datasets illustrates the sensitivity of supposedly anonymous information. The authors were able to identify subscribers in the publicly available and "anonymous" dataset of 500,000 Netflix subscribers by cross-referencing it with the Internet Movie Database. They successfully identified records of users, revealing such sensitive data as the subscribers' political and religious preferences. In a more recent instance of big data security concerns, the public release of a New York taxi cab data set was completely de-anonymized, ultimately unveiling cab drivers' annual income and, possibly more alarming, the weekly travel habits of their passengers.
Many large firms have found their big data projects shut down by compliance officers concerned about legal or regulatory violations. Chairwoman Ramirez highlights specific cases where the FTC has cracked down on firms it feels have violated customer privacy rights, including the United States vs. Google, Facebook, and Twitter. She feels that big data opens up additional security challenges that must be addressed.
"Companies are putting data together in new ways, comingling data sets that have never been comingled before," says Jeff Pollock, Oracle vice president for product management. "That’s precisely the value of big data environments. But these changes are also leading to interesting new security and compliance concerns."
The possible security and privacy pitfalls of big data center around three fundamental areas:
- Ubiquitous and indiscriminate collection from a wide range of devices
- Unexpected uses of collected data, especially without customer consent
- Unintended data breach risks with larger consequences
Organizations will find big data experimentation easier to initiate when the data involved is locked down. They need to be able to address regulatory and privacy concerns by demonstrating compliance. This means extending modern security practices like data masking and redaction to the full big data environment, in addition to the must-haves of access, authorization and auditing.
Securing the big data lifecycle requires:
- Authentication and authorization of users, applications and databases
- Privileged user access and administration
- Encryption of data at rest and in motion
- Data redaction and masking for non-production environments
- Separation of roles and responsibilities
- Implementing least privilege
- Transport security
- API security
- Monitoring, auditing, alerting and compliance reporting
With Oracle, organizations can achieve all the benefits that big data has to offer while providing a comprehensive data security approach that ensures the right people, internal and external, get access to the appropriate data at the right time and place, within the right channel. The Oracle Big Data solution safeguards against malicious attacks and protects organizational information assets by securing data in motion and at rest. It enables organizations to separate roles and responsibilities and protect sensitive data without compromising privileged user access, such as that of database administrators. Furthermore, it provides monitoring, auditing and compliance reporting across big data systems as well as traditional data management systems.
Learn more about Oracle Security Solutions.
This article has been re-purposed from the Oracle Big Data blog.
Tuesday Feb 03, 2015
By Troy Kitch-Oracle on Feb 03, 2015
As you look at data, you will quickly realize that not all data is equal. What do I mean by that? Quite simply, some data does not require the same security controls as other data.
When explaining this to customers, we use a metals analogy to simplify the provisioning of controls: Bronze represents the least sensitive data, up through Platinum, the highest value and most sensitive data within an organization.
Thinking in this manner provides the ability to refine many configurations into a few pre-configured, pre-approved, reference architectures. Applying this methodology is especially important when it comes to the cloud. It comes down to consistency in applying security controls, based on the data itself.
Oracle’s preventive, detective, and administrative pillars can be applied to the various data categorizations. At this point in the conversation, customers begin to understand more pragmatically how this framework can be used to align security controls with the value, or sensitivity, of the data.
Security practitioners can then work with lines of business to assign the appropriate level of controls, both systematically and consistently across the organization.
So for example, at the Bronze level, items such as application of patches, secure configuration scanning and the most basic auditing would be appropriate. Data deemed more sensitive, such as personally identifiable information or personal health information, requires additional security controls around the application data. This would include, for example, blocking default access by those designated as database administrators.
Finally, the highest data sensitivity level, Platinum, should include blocking database changes during production time frames, preventing SQL injection attacks, and centralized enterprise-wide reporting and alerting for compliance and audit requirements.
To learn more about Oracle Security Solutions, download the ebook "Securing Oracle Database 12c: A Technical Primer" by Oracle security experts.
Tuesday Aug 26, 2014
By Troy Kitch-Oracle on Aug 26, 2014
Get the Oracle Information InDepth - Security Inside Out Newsletter
New Product Launch: Secure and Centralize Key Management with Oracle Key Vault
Security at Oracle OpenWorld 2014: Don't-Miss Sessions and More
Monday Jun 30, 2014
By Troy Kitch-Oracle on Jun 30, 2014
Get the latest edition of Oracle Security Inside Out Newsletter and subscribe to future editions. As a bi-monthly security newsletter, we cover all things security for both Oracle Database Security and Identity Management solutions, news, and events. Here are this month's database security articles:
Advanced persistent threats (APT) are a type of ongoing cyberattack from well-coordinated and funded cybercriminals who penetrate an organization slowly and methodically. Find out from Oracle experts what key lessons your organization can take away from the analysis of an APT attack.
In the new Countering Adversaries webcast series now available on demand, security experts explain how to identify the kinds of adversaries specific industries attract, understand the types of data they are after, and focus in on the tools that provide the most effective deterrence against these specific threats.
Wednesday Jun 04, 2014
By Troy Kitch-Oracle on Jun 04, 2014
Friday Feb 28, 2014
By Troy Kitch-Oracle on Feb 28, 2014
Get the latest edition of our bi-monthly (that's every other month) Security Inside Out newsletter featuring both database security and identity management news. This month's articles:
SANS Study Explores Maturity of Security Strategies Among Healthcare Organizations
A new report from the SANS Institute, a leading security education and research organization, surveys real-world organizations to discover how the healthcare industry is adapting to this new security landscape. Find out how organizations like yours are responding to the new challenges of more-stringent regulations and new mobile and cloud technologies.
New Report Puts Oracle Audit Vault and Database Firewall to the Test
A new report from leading security organization SANS Institute finds that Oracle Audit Vault and Database Firewall successfully achieves three key security objectives: audit collection, SQL traffic monitoring, and security event reporting.
Key Cloud Security Paradigms and Oracle’s Identity Management Roadmap
Find out the most common approaches to achieving security in the cloud and whether using a third-party identity management solution is a good strategy.
Tuesday Dec 17, 2013
By Troy Kitch-Oracle on Dec 17, 2013
- Where is all of my sensitive data?
- Who has access to that data?
As we look forward into 2014, the following trends highlight the importance of data security. Read More in the latest edition of the Security Inside Out Newsletter.
Tuesday Oct 29, 2013
By Troy Kitch-Oracle on Oct 29, 2013
The latest October edition of the Security Inside Out newsletter is now available and covers the following important security news:
Securing Oracle Database 12c: A Technical Primer
The new multitenant architecture of Oracle Database 12c calls for adopting an updated approach to database security. In response, Oracle security experts have written a new book that is expected to become a key resource for database administrators. Find out how to get a complimentary copy.
HIPAA Omnibus Rule Is in Effect: Are You Ready?
On September 23, 2013, the HIPAA Omnibus Rule went into full effect. To help Oracle’s healthcare customers ready their organizations for the new requirements, law firm Ballard Spahr LLP and the Oracle Security team hosted a webcast titled “Addressing the Final HIPAA Omnibus Rule and Securing Protected Health Information.” Find out three key changes affecting Oracle customers.
The Internet of Things: A New Identity Management Paradigm
By 2020, it’s predicted there will be 50 billion devices wirelessly connected to the internet, from consumer products to highly complex industrial and manufacturing equipment and processes. Find out the key challenges of protecting identity and data for the new paradigm called the Internet of Things.
Monday Sep 16, 2013
By Troy Kitch-Oracle on Sep 16, 2013
Pre-register For Your Copy Now
With the launch of Oracle Database 12c, securing your databases is more important than ever. For a limited time you can pre-register for a new complimentary eBook and learn about Oracle Database Security from the experts who brought you the #1 database in the world.
Are you an Oracle DBA who wants to protect your databases? The new ebook, Securing Oracle Database 12c: A Technical Primer, will be the book that database administrators will want to turn to for their database security questions.
For a limited time, Oracle Press will be offering this book free of charge, so pre-register for your copy now.
Tuesday Jun 25, 2013
By Troy Kitch-Oracle on Jun 25, 2013
The latest edition of Security Inside Out newsletter is now available. If you don't get this bi-monthly security newsletter in your inbox, then subscribe to get the latest database security news. This bi-monthly edition includes:
Q&A: Oracle CSO Mary Ann Davidson on Meeting Tomorrow's Security Threats
Oracle Chief Security Officer Mary Ann Davidson shares her thoughts on next-generation security threats.
New Study: Increased Security Spending Still Not Protecting Right Assets
Despite widespread belief that database breaches represent the greatest security risk to their business, organizations continue to devote a far greater share of their security resources to network assets rather than database assets, according to a new report issued by CSO and sponsored by Oracle.
Wednesday Mar 27, 2013
By Troy Kitch-Oracle on Mar 27, 2013
Thursday Mar 21, 2013
By Troy Kitch-Oracle on Mar 21, 2013
Q&A: Ontario Commissioner and Leading Privacy Expert Dr. Ann Cavoukian
Dr. Ann Cavoukian is both Ontario's information and privacy commissioner and one of the leading privacy experts in the world. In January, Dr. Cavoukian and Oracle released a new white paper covering the convergence of privacy and security.
Oracle Named a Leader in Gartner Magic Quadrant for Data Masking Technology
Gartner, Inc. has named Oracle as a leader in its “Magic Quadrant for Data Masking Technology,” published in December 2012.
Virgin Media Relies on Oracle Identity Management to Secure Wi-Fi Service in the London Underground
Leading up to the 2012 Olympics, Virgin Media was entrusted with a massive undertaking—to quickly and securely provide London's Underground stations with Wi-Fi service. The company turned to two Oracle Identity Management solutions—Oracle Virtual Directory and Oracle Entitlements Server—to successfully deliver.
Friday Mar 15, 2013
By Troy Kitch-Oracle on Mar 15, 2013
One of the many issues security professionals face is tracking down information for their particular security challenges. Oracle has a multitude of resources across our comprehensive database security defense-in-depth solutions. Quite frankly, it can be difficult to find the particular information you're looking for. So, here's an attempt to consolidate some of those key resources:
- Oracle Database Security Solutions
- Oracle Audit Vault and Database Firewall (database activity monitoring and firewall)
- Oracle Advanced Security (transparent data encryption)
- Oracle Database Vault (privileged user access controls)
- Oracle Label Security (label based access controls)
- Oracle Data Masking (masking data in non-production database environments)
- Oracle Technology Network
Customer Case Studies
Events and Training
Analyst, News, and Social
- Security Analyst Reports
- Oracle Database on Twitter @OracleDatabase
- Oracle Database on Facebook
- Oracle Database on LinkedIn
- Oracle Database on Google+
- Security Inside Out blog (hint: you're here!)
- Security Inside Out newsletter
- Data Sheets
- White Papers
- Documentation: Oracle Database 11g Security
- Documentation: Oracle Audit Vault and Database Firewall
Wednesday Nov 21, 2012
By Troy Kitch-Oracle on Nov 21, 2012
The new survey from the Independent Oracle Users Group (IOUG) titled "Closing the Security Gap: 2012 IOUG Enterprise Data Security Survey," uncovers some interesting trends in IT security among IOUG members and offers recommendations for securing data stored in enterprise databases.
"Despite growing threats and enterprise data security risks, organizations that implement appropriate detective, preventive, and administrative safeguards are seeing significant results," finds the report's author, Joseph McKendrick, analyst, Unisphere Research.
Produced by Unisphere Research and underwritten by Oracle, the report is based on responses from 350 IOUG members representing a variety of job roles, organization sizes, and industry verticals.
Key findings include:
- Corporate budgets increase, but trailing. Though corporate data security budgets are increasing this year, they still have room to grow to reach the previous year’s spending. Additionally, more than half of respondents say their organizations still do not have, or are unaware of, data security plans to help address contingencies as they arise.
- Danger of unauthorized access. Less than a third of respondents encrypt data that is either stored or in motion, and at the same time, more than three-fifths say they send actual copies of enterprise production data to other sites inside and outside the enterprise.
- Privileged user misuse. Only about a third of respondents say they are able to prevent privileged users from abusing data, and most do not have, or are not aware of, ways to prevent access to sensitive data using spreadsheets or other ad hoc tools.
- Lack of consistent auditing. A majority of respondents actively collect native database audits, but there has not been an appreciable increase in the implementation of automated tools for comprehensive auditing and reporting across databases in the enterprise.
The report's author finds that securing data requires not just the ability to monitor and detect suspicious activity, but also to prevent the activity in the first place. To achieve this comprehensive approach, the report recommends the following.
- Apply an enterprise-wide security strategy. Database security requires multiple layers of defense that include a combination of preventive, detective, and administrative data security controls.
- Get business buy-in and support. Data security only works if it is backed through executive support. The business needs to help determine what protection levels should be attached to data stored in enterprise databases.
- Provide training and education. Often, business users are not familiar with the risks associated with data security. Beyond IT solutions, what is needed is a well-engaged and knowledgeable organization to help make security a reality.