Friday Sep 11, 2015

Secure the Crown Jewels

What's the secret to being the longest running Monarch in British history? I'd like to think keeping your crown jewels safe; they symbolize the power and continuity of the monarchy. However, as anything that represents worth, or power, there will always be attempts to steal it.

In 1671, Colonel Thomas Blood  attempted to steal the crown jewels from inside the Tower of London. Just like we have cyber criminals stealing privileged users' credentials in order to fly under the radar and steal from our governments and corporations, so did Mr. Blood. Over a period of time, he gained the trust--and eventually access to the jewels--from the Master of the Jewel House, Talbot Edwards. Blood and his fellow criminals then managed to subdue Edwards and steal the Crown Jewels, but only for a short time. Blood was ultimately caught and interestingly awarded for his crime

The new Crown Jewels are organization and government data. This data represents information that organized criminals can sell on the black market, or intellectual property that espionage hackers can use for political or monetary advantage, or worse, blackmail and secrets that political hacktivists can expose. Unfortunately, unlike the case of Blood's attempt on the Crown Jewels, many of these cyber criminals are never caught because they weave an intricate and hidden path to the data, and exfiltrate it without being caught.

Data breaches continue to make headlines, and they are not just about stolen credit card information anymore. Data breaches are now targeting different industries and different types of information. What’s going on, and what can organizations do to protect their corporate data?

Oracle Magazine sat down with Vipin Samar, vice president of Oracle Database security, to talk about the latest data breaches, how data breach threats are evolving, and how to work with the wide variety of data that needs protection in the enterprise.

Read more here

Monday Aug 24, 2015

Watch the Security Learning Streams

I wanted to call everyone's attention to the latest Oracle Learning streams for database security. 

Oracle's product management team has put together these three 13- to 25-minute clips in order to help our customers understand the value and benefits of a few of our database security solutions. Check them out:

Wednesday Jun 17, 2015

Database Administrators –the Undercover Security Superheroes

Over the past five years, while enterprise IT departments were focusing on the rise of cloud, mobile, and social technologies, a lucrative black market emerged around the acquisition and sale of information. Today, this includes personal data, intellectual property, financial details and almost any form of information with economic value. 

It suffices to say that when it comes to data security, businesses now find themselves under assault like never before, and are in dire need of leadership to help overcome this systemic problem. Step forward the database administrator; the person with the knowledge and power to help secure sensitive data on behalf of the organization and its employees.

Like most free markets, the information black market sets the value of its focal commodity – in this case data – and allows buyers and sellers to connect via a complex underground network. Just as the world is producing more data than at any other point in history, these organized groups are finding new ways of stealing and monetizing this information.

For their part, senior executives are only too painfully aware of what’s at stake for their businesses, but often don’t know how to approach the problem. In an era where information is arguably the most valuable asset a company has, they will look to database professionals to help the business take a stand and prepare itself to best protect this crucial asset.

However, the knowledge gap these individuals will be addressing is large. Two-fifths of businesses admit they are not fully aware of where all the sensitive data in their organizations is kept, according to respondents to a recent Independent Oracle Users Group survey. Those taking proactive measures to lock down data and render it useless to outsiders are still in the minority, and relatively few have any safeguards in place to counter accidental or intentional staff abuse that could lead to a breach. These safeguards should also extend to DBAs themselves, as ultimately everyone in the organization is in a position to commit a data breach, whether inadvertently or intentionally. 40 Percent Unaware of Where Sensitive Data Resides

That said, together with security professionals, database administrators do have a fighting chance to combat assaults on their organization’s data. Their background gives them a unique understanding of what the risks are to the organization, where to find them and how they can ultimately be addressed or, in the best case, pre-empted.

As the stewards of highly sensitive intellectual property and personal information, database administrators will need to step up and lead the battle against the villains of the black market. As Voltaire once said, “With great power comes great responsibility”, a credo that holds as true for comic book superheroes as it does for the security champions of the enterprise.

If database administrators can bring security concerns front-of-mind for employees across the business, and help drive protective measures at every level of the organization’s IT, they will be well placed to take a stand and fend off the security challenges of the coming years.

Check out the Security Super Hero Infographic here.

Thursday Jun 04, 2015

Inoculate the Cloud: Moving to the Cloud FOR Security

Forbes BrandVoice features a new article, Inoculating the Cloud, on how organizations will be moving to the cloud in order to be more secure.

No matter what survey you look at regarding challenges of moving to the cloud, you'll usually see "security" as one of, if not the top, concern. It makes sense that organizations worry about putting their sensitive customer and company data in the cloud because of data breach risks and compliance concerns. "Who can protect my data, better than myself," they question.

However, I would much rather trust my money to a bank than putting it under my mattress. I think the bank is better positioned to protect my money.  I believe this same rationale goes for securing sensitive data. I would argue that a cloud vendor like Oracle could protect sensitive data better than corporations can. They should be focused on their core business, not maintaining and securing IT infrastructure.

The Forbes BrandVoice article highlights this logic:

A recent study from Harvard Business Review Analytic Services (sponsored by Oracle) found that 62% of survey respondents thought security issues were by far the biggest barriers to expanded cloud adoption at their companies. Nearly half pointed out that data is more difficult to secure in the cloud.

But those very same concerns will soon make security a selling point for the cloud. Established cloud vendors have the internal expertise and resources to install and maintain multilayer security—a level of expertise that many companies cannot hope to duplicate in house.

“This is one factor steering many CIOs toward established vendors for cloud services—they have the resources to invest in state-of-the-art security—both physical and logical,” according to the HBR-AS study.

Then, too, big service providers can automate and simplify many security measures such as implementing security patches, access management, and regulatory compliance.

Learn more by reading the article here

Tuesday May 26, 2015

Oracle Database 12c Real Application Security Administration Application - Now Available on OTN

The release of Oracle Database 12c and the new Real Application Security (RAS) technology further demonstrated Oracle's decades long commitment to delivering cutting edge security technology to our customers.  The release of RAS fundamentally changed the technology available to application developers and data security architects.

“The release of RAS with Oracle Database 12c was the most important database security enhancement for application developers since the release of Oracle's ground breaking row level security solution, Virtual Private Database in 1998,” said Paul Needham, Senior Director for Oracle Database Security Product Management.  

Over the past two decades nearly every application developed has had its own unique security model.   Application users, roles, and privileges are mostly stored in custom application tables that require very specific domain knowledge to maintain.   This complexity has made it difficult and costly to keep pace with ever changing privacy and compliance regulations and protect against hackers.

Integrated with Oracle Fusion Middleware and Oracle Application Express 5.0, Real Application Security enables developers to build the world’s most secure applications by centralizing security policies within the database.  Benefits of Oracle Database 12c Real Application Security include:

  • End-user session propagation to the database
  • Data security based on application roles and privileges
  • Simplified security administration

Today, the database security development team is pleased to announce the release of Real Application Security Administration Application (RASADM).   RASADM is the new Oracle APEX 5.0-based tool for managing Oracle Database 12c Real Application Security.   It complements the comprehensive RAS PL/SQL API available today and is designed for both developers and application security policy administrators.   RASADM is designed to accelerate adoption of the powerful Oracle Database 12c RAS technology.  

"The release of Real Application Security with Oracle Database 12c demonstrates Oracle's continuous innovation in the database security arena.  RASADM was one of the first requests from those building on RAS with Oracle Database 12c and we are pleased to be able to deliver this to our customers,” says Vipin Samar, Vice President, Oracle Database Security.

Wednesday Mar 04, 2015

Securing Information in the New Digital Economy

We are in the midst of a data breach epidemic, fueled by a lucrative information black market. The perimeter security most IT organizations rely on has become largely ineffective. Nearly 70% of security resources are focused on perimeter controls, but most exploited vulnerabilities are internal. 

Effective modern security requires an inside-out approach with a focus on data and internal controls.

A New Hacker Economy

Today, a layered economy of specialized, organized hackers has created a black market estimated to be more lucrative than the illegal drug trade. (Lillian Ablon 2014) Hacking-for-hire has made the black market accessible to non-experts, expanding its reach exponentially.  As businesses grow their online footprints, criminals find new ways of attacking their vulnerabilities.

Thinking Inside-Out

Internal systems are the new perimeter – the new front line in the battle for data security. Security should be built into the customer and employee experiences.

  • Manage privileged user access and think beyond the password: another layer of authentication can vastly increase security.
  • Make it more costly and difficult for attackers by protecting the most valuable information first. 

Rebalancing Information Security

Diminish the information supply chain and cut off the cash flow to the black market. Taking a security inside-out approach could bring an end to the arms race, giving economic recovery a chance.

To learn more about Securing Information in the New Digital Economy, read the joint Oracle and Verizon Report.

Wednesday Aug 27, 2014

Oracle Key Vault Interview with Vipin Samar, Vice President of Oracle Database Security

I had an opportunity to discuss Oracle Key Vault with Oracle's vice president of database security, Vipin Samar. Vipin talks about the challenges facing security professionals and database administrators as they try to manage encryption keys and other secrets, such as SSL certificates and Java keystores, across the enterprise. Watch the below video and learn how Oracle Key Vault, a new centralized key manager, secures, shares, and manages keys and secrets for the enterprise.

Learn more about Oracle Key Vault by watching the launch webcast.

Monday May 12, 2014

Human Error is Greatest Risk to Data Security...

...according to the Independent Oracle Users Group (IOUG) Enterprise Data Security survey. Joe McKendrick, Forbes and Database Trends and Applications (DBTA) Analyst/Contributor, writes about the escalating stakes of data security.

"When asked what they saw as the greatest risks, threats, or vulnerabilities to their data, human error came out on top, cited by 77% of respondents. Second was fear of inside hacks, cited by 63%, up from 57% in 2010."

The new 2014 Verizon Data Breach Investigations Report provides even further details around types of errors that are most common, including misdelivery (44%), publishing error (22%), and more. 

"The data seems to suggest that highly repetitive and mundane business processes involving sensitive info are particularly error prone. It’s also noteworthy that this pattern contains more incidents caused by business partners than any other."

Both are interesting reads, so check into them when you get a chance. And, if you are a member of the IOUG, please be sure to provide your responses to this year's 2014 Enterprise Data Security Survey. You should have received your invitation to participate via email. 

Friday Apr 11, 2014

Protecting the Electric Grid in a Dangerous World

Required by Federal Energy Regulatory Commission (FERC), the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards mandate sweeping security programs for North America’s electricity industry. Oracle’s data security and identity management solutions empower bulk power companies to implement enterprise-wide protection. North America’s power suppliers and distributors are under intense pressure to protect the bulk electric system (BES). The widespread use of standard computing platforms and systems linked to the Internet expose the electric grid to new risks of internal and external compromise, and potential disruption that did not exist even a decade ago.

Read the whitepaper Protecting the Electric Grid in a Dangerous World to learn about Oracle’s identity management and database security solutions that offer an effective, defense-in-depth security strategy to help meet NERC CIP compliance.

Monday Mar 10, 2014

Part 4: Controlling Data Access and Restricting Privileged Data in Oracle Database

This is the fourth and final excerpt from Chapter 1 of Securing Oracle Database 12c: A Technical Primer ebook, Oracle Press. You can read the complete chapter on controlling data access and restricting privileged data by downloading your own copy. Thanks for reading.

Controlling Privileged Users

System privileges and powerful roles give significant control of the database, including the ability to view all data and make changes to the data. Some administrative users need these powerful privileges for maintenance, tuning, and backups, but they don’t need access to all of the data. Even though the administrative users are trusted, it is important to secure company data assets and personal information even from these privileged accounts in order to prevent unauthorized use by insiders or attackers.

Oracle Database Vault provides several kinds of operational controls within the database including realms, which enforce limits on access to specified objects such as tables and views. After creating a Database Vault realm, objects are added to the realm and database users can be designated as realm participants. This provides access only to the realm participants, and excludes other users, even if they have powerful system privileges like SELECT ANY TABLE that would otherwise allow them to access the objects in the realm.

The following illustration shows an example of two realms, protecting database schemas containing human resources (HR) and finance (FIN) data. Once enabled, the realms prevent privileged administrative users or other application owners from using their elevated privileges to access data. The privileged application owner HR is prevented from accessing data inside the FIN realm, and even an administrator with the DBA role is unable to access data in the HR and FIN realms.

Oracle Database Vault Realms

In addition to regular realms, Oracle Database 12c adds the ability to create mandatory realms. A regular realm will block the use of system privileges such as SELECT ANY TABLE if the user is not a realm participant, but it doesn’t block the schema owner or other users who gain access to the data using object privileges. Mandatory realms prevent access by anyone who is not a realm participant. One popular use for a mandatory realm is to continue to protect sensitive data during patching and upgrades, when an administrator needs to make changes to the application schema but should not have access to the data tables in that schema.

When Oracle Database Vault is configured, a couple of additional users are created. The first of these is the Database Vault owner, who can create and manage realms to control access to sensitive data. The second user is the Database Vault account manager, who has the responsibility for creating users in the database. While a single user could perform both functions, the ability to divide these duties among multiple users allows for separation of duty as described earlier. Furthermore, there is a DVOWNER role that can be granted to other users to delegate the ability to manage Database Vault realms. This role should be granted to administrators who are responsible for the security configuration of the database, rather than the general database administrator.

The following illustration shows the use of the Database Configuration Assistant for enabling Oracle Database Vault. Management of Database Vault requires the use of these specialized users and roles. The SYSDBA administrative privilege cannot be used for realm or user management when Database Vault is enabled.

Oracle Database Vault and Label Security

From the free ebook, Oracle Database 12c: A Technical Primer by Michelle Malcher, Paul Needham, and Scott Rotondo.

Friday Feb 28, 2014

Bitcoin Exchange Files Bankruptcy in Wake of Cyber Attack

There are a lot of interesting nuggets to pull from the downfall of Mt. Gox, but the Christian Science Monitor sums it up under "What it All Means":

Mt. Gox serves as a reminder that you're not just buying Bitcoins; you're also involved in the company performing the exchange. There are no watchmen to answer to, and things can go downhill quickly if a breach happens. It's not an isolated incident, either: In 2012, the exchange site Bitcoinica was hacked for over $460,000 worth of Bitcoins, according to The Verge.

If you're not familiar with the story, Mt Gox (Picture Source: The building that houses the Mt. Gox offices in Tokyo. Photo: Ariel Zambelich/WIRED) was targeted by hackers who stole around $350 million in Bitcoins over a two year period and they have stopped exchanging bitcoins as of Tuesday.

The building that houses the Mt. Gox offices in Tokyo. Photo: Ariel Zambelich/WIRED

Wired has a great write-up here on the exploit and alleged repercussions and predictions of the attack, some of which have already come true: bankruptcy. The hackers exploited a bug in Mt. Gox's website, but it's not clear exactly what they did at this point:

Now, according to the alleged leaked document, it looks like hackers had been exploiting that bug for two years, and even removing bitcoins from supposedly secure “cold” wallets that the company had stored offline. Typically, cold wallets are disconnected from the internet and cannot be emptied by online attackers. However, the “cold storage has been wiped out due to a leak in the hot wallet,” the document states.

Wired is referring to this leaked document.  Analysis at the end of the document says "Expertise to find: Analysts, top class developers (crypto), IT security expert..." I'll say they need an IT security expert. 

There's more to learn on this one. 

Thursday Feb 27, 2014

Part 3: Controlling Data Access and Restricting Privileged Data in Oracle Database

This is the third post on controlling data access and restricting privileged data in Oracle Database, pulled from the free ebook, Securing Oracle Database 12c: A Technical Primer. Here are the first and second posts. The book highlights new security features found in Oracle Database 12c; however, the majority of the solutions are applicable to earlier Oracle Database releases as well.

Users with Administrative Privileges

Certain users can connect with special administrative privileges, such as SYSDBA and SYSOPER, to allow maintenance operations even when the database is not open. These users can authenticate using a network-based authentication service such as Oracle Internet Directory or based on membership of the connecting user in a particular operating system group.

If a user must connect with administrative privilege using a password for authentication, the password is stored outside the database in a password file, which is administered using the orapwd command. User management functions such as locking an account after multiple failed login attempts are not available for users in the password file, although each failed attempt will cause an exponentially increasing delay to limit password guessing when the database is running.

Proxy Authentication and Authorization

Sometimes administrators need to connect to an application schema to perform maintenance. Sharing the application schema password among several administrators would provide no accountability. Instead, proxy authentication allows the administrators to authenticate with their own credentials first and then proxy to the application schema. In such cases, the audit records show the actual user who performed the maintenance activities. This form of proxy authentication is supported in Oracle Call Interface (OCI), JDBC, and on the SQL*PLUS command line. Here is an example where the user app_dba is allowed to connect to the database and act as hrapp.


Now the user app_dba can connect using his own password and assume the identity of the hrapp user by proxy as follows:

CONNECT app_dba[hrapp]
Enter password: <app_dba_password>

Stay tuned for more. Or, you can read ahead by downloading the complimentary ebook here. Also, let me know if you are enjoying these posts by adding comments below.  

Friday Feb 21, 2014

Part 2: Controlling Data Access and Restricting Privileged Data in Oracle Database

This is the second post on controlling data access and restricting privileged data in Oracle Database, pulled from the ebook, Securing Oracle Database 12c: A Technical Primer. The first post can be found here. The book highlights new features found in Oracle Database 12c; however, the majority of the solutions are applicable to earlier Oracle Database releases as well.

Storing Passwords

Users are expected to provide the password when they connect to the database, but applications, middle-tier systems, and batch jobs cannot depend on a human to type the password. Earlier, a common way to provide passwords was to embed user names and passwords in the code or in scripts. This increased the attack surface and people had to make sure that their scripts were not exposed to anyone else. Also, if passwords were ever changed, changes to the scripts were required. Now you can store password credentials by using a client-side Oracle wallet. This reduces risks because the passwords are no longer exposed on command-line history, and password management policies are more easily enforced without changing application code whenever user names or passwords change.

To configure password storage using an Oracle wallet, set the WALLET_LOCATION parameter in the sqlnet.ora file. The applications can then connect to the database without providing login credentials, as follows:


Stay tuned for more. Or, you can read ahead by downloading the complimentary ebook here.

Wednesday Feb 19, 2014

Controlling Data Access and Restricting Privileged Data in Oracle Database

In a series of blog posts I will be pulling excerpts directly from the ebook Securing Oracle Database 12c: A Technical Primer by Michelle Malcher, Paul Needham, and Scott Rotondo. Previously, I posted the introduction of the book and now I will continue with the first chapter: Controlling Data Access and Restricting Privileged Users. If you don't want to wait for each post, I encourage you to download your own free copy of the book.

Controlling Data Access and Restricting Privileged Users

The most fundamental step in securing a database system is determining who should be able to access which data. This chapter describes the management of user accounts and the mechanisms for determining the access that each user has. It continues with a discussion of the types of privileged access that a user may have and available tools for removing any additional access they do not need.

User Management

All access to the database is through users, whether these are administrative users, application accounts, or regular users. As the users have direct connection to the database, it is important that they are properly authenticated and have appropriate roles, and that their accounts cannot easily be compromised. It is also important to ensure that there are proper resource constraints on their usage, or else the rest of the database may be indirectly affected.

The CREATE USER statement is used to create a database user and its associated schema. In the following example, the user is identified by a password, and the account follows the policy specified by org_profile.


A profile specifies a named set of resource limits and password parameters that restricts excessive consumption of system resources and enforces constraints on the passwords. The password-specific parameters provide password management including account locking, password aging, password history, and password complexity verification. The password verification function is perhaps the most important control to ensure that users pick complex passwords, making it difficult for intruders to guess them. The FAILED_LOGIN_ATTEMPTS parameter limits brute-force password-guessing attacks by locking the account after a specified number of incorrect logins.

 FAILED_LOGIN_ATTEMPTS 6 -- attempts allowed before locking
 PASSWORD_LIFE_TIME 180 -- max life-time for the password 
 PASSWORD_VERIFY_FUNCTION ora12c_verify_function; -- Password complexity check

The dictionary views DBA_USERS and DBA_PROFILES describe the users and profiles, respectively. The privilege to create users must be limited to the DBA or the security administrator. Each user should have an assigned tablespace; otherwise, any objects they create would go into the SYSTEM tablespace, thus creating contention between the data dictionary objects and the user objects.

Oracle Multitenant Database Users

Oracle Multitenant, an Oracle Database 12c option, includes both common and local users. A common user is created in the container database and has the same user name and password in all of the pluggable databases that are part of the container database. The common user can have privileges that are granted at the container level, and other privileges that are granted in each pluggable database. The privileges can be different in each of the pluggable databases, but the user doesn’t need to be created in each pluggable database.

To create a common user for the container database and all of the pluggable databases, log in to the container database as SYSTEM and create a user with CONTAINER=ALL. Note that all common user names begin with the prefix C##.

Enter password: **********

A local user, on the other hand, is created in the pluggable database, and does not have access to the container. This is good for the administrator who manages a pluggable database but does not manage the overall system. To create a local user, connect to the pluggable database as SYSTEM, create the user, and grant the needed roles and privileges as before, but specify CONTAINER=CURRENT instead of CONTAINER=ALL.

Enter password: *********

 Stay tuned for more...

Tuesday Feb 11, 2014

Webcast with ISACA - Want Better Data Security?

Insecure database silos make protecting data challenging and costly. Increasingly, organizations find that database consolidation and private cloud initiatives reduce complexity, risk, and drive down the cost of protecting data and meeting regulatory compliance. 

In this webcast, you will learn how to:

  • Consolidate databases securely
  • Address database security at the infrastructure level
  • Adopt a defense in depth strategy 
Watch Now and learn the controls needed to safeguard your mission critical enterprise data.  


Who are we?

Follow us on

  • TwitterFacebookLinkedIn


« November 2015