Thursday Jan 09, 2014
By Troy Kitch-Oracle on Jan 09, 2014
Get your complimentary copy of the new database security ebook: Securing Oracle Database 12c: A Technical Primer.
The book is for database administrators who want to learn more about Oracle Database security and for security professionals who want to learn more about how to secure Oracle Databases in an overall IT environment. While the title references Oracle Database 12c, most of the content is applicable to Oracle Database 9i and above.
Add this to your electronic bookshelf and keep it readily available as your go-to book for Oracle Database 12c security.
The book was written by two members of our database security team: Paul Needham, Senior Director of Product Management, and Scott Rotondo, Consulting Member of Technical Staff; as well as Michelle Malcher, IOUG President and DBA Team Lead, DRW Holdings. What they've compiled is a great technical primer of the security capabilities available for Oracle Database 12c and how you can take advantage of them now.
- Register for the new ebook here.
- Here's Michelle's blog.
- Here's a video of my interview with Scott discussing how organizations can help address data security risks and how to mitigate them.
- Table of contents posted here
Tuesday Nov 26, 2013
By Troy Kitch-Oracle on Nov 26, 2013
Guest article written by Eric Maurice, Director for Oracle Software Security Assurance.
In my current role, I assist with the definition and communication of many Oracle security policies as they apply to the development of our products as well as how we look at security internally for the protection of our corporate systems and the systems we host on behalf of our customers. Since Oracle runs its business on Oracle products, our security organizations have developed extensive expertise in how to secure our products “across the stack” and in various deployment scenarios. I often interact with customers to answer security questions related to our products (e.g., questions around Oracle’s secure development and vulnerability handling practices) and security processes (e.g., questions related to how we handle security patching and define and enforce secure configurations).
In addition, I am periodically engaged in more general discussions with customers regarding how best to approach security strategically in their organizations. These conversations are usually prompted by failed security audits of some systems, a change in IT management (new IT managers or a new CISO), the launch of major IT projects, or suspicions (and sometimes evidence) of a past security incident. In such instances, a renewed focus on securing the organization can quickly become overwhelming. There are many IT frameworks intended to help organizations tackle security policies, such as COBIT and ISO/IEC 27000. However, what IT professionals more often need in these instances is to adopt a security philosophy and to switch to a new perspective on IT operations. Only then can they fully leverage the various frameworks available to them, as opposed to blindly engaging in a security documentation exercise that has little practical value for the organization besides generating healthy profits for outside auditors and pen testers.
So where do you start? What intellectual process must you follow to take a fresh look at your organization’s security posture? In my opinion, the first challenge is to come to the realization that your organization needs to “get back to the basics.” What are your top 10 business-critical (or mission-critical) systems? What components of your IT infrastructure comprise these business-critical systems? What does it mean if any one of them is compromised or unavailable? What are the top threats in your environment? In my experience, many organizations’ IT investments and security policies are not designed to address the top threats to their business-critical systems. Are yours? Do you actually invest your time and security resources in addressing significant threats to your business-critical systems? The ugly truth that we all have to come to terms with is that unless you have an unlimited IT budget or a very small IT environment to manage (and no operational need to ever change it), you cannot afford to secure all your systems equally well all the time.
The second challenge with taking a fresh look at your organization’s security posture is thinking multidimensionally. Security does not exist in a silo, even though most large organizations, where specialization is required, have IT silos. Are DBAs aware of the network access controls that exist around the databases they manage? Do they understand the security model of the applications? Do application managers and users understand the database security model? Have system security configurations been developed collaboratively between the different IT staffs? Do systems administrators understand the chain of trust that exists between the different systems they manage? This is where the traditional concept of “defense in depth” comes into play. Has the organization implemented complementary (and not necessarily redundant) security controls across the technology stack in the enterprise? For example, application bypass attacks (a user connecting to the database directly with a tool rather than through the application) can be prevented by strong database access control policies. OS access control policies should be enforced so that privileges on system files, on the relevant database and application files (including log files), and on resources across all servers in the environment are tightly controlled. At the network level, network access control policies should restrict connections to each database server, as far as possible, to its own application servers. Note, however, that network access control policies should not stop customers from also implementing valid node checking in their databases (Oracle Net’s TCP.VALIDNODE_CHECKING with TCP.INVITED_NODES in sqlnet.ora, which rejects connections from client addresses not on the list); the two controls are complementary, since the firewall rule is outside the database’s control and the node list is enforced by the listener itself.
On a related topic, native network encryption, SSL/TLS, and strong authentication services (Kerberos, PKI, and RADIUS) no longer require a separate license and are available in all licensed editions of all supported releases of the Oracle database. Database customers should take advantage of this licensing change to enable network encryption and, where possible, strong authentication. A similar hardening approach should be used between application servers and web servers when the applications are exposed to the Internet. Tightly controlling the subnets around critical systems and controlling how systems can connect with each other goes a long way toward maintaining a good security posture.
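Turning the licensing change on is a sqlnet.ora exercise (SQLNET.ENCRYPTION_SERVER = REQUIRED and SQLNET.CRYPTO_CHECKSUM_SERVER = REQUIRED on the server side are the relevant parameters), but what a practitioner then wants is proof that sessions actually negotiated it. The following queries are an added example, not part of the article, and assume only that you can select from the V$ views and that the session is a network (not bequeath) connection; the banner wording they look for varies by release and platform.

```sql
-- Added example (not from the article): confirm from inside the database that
-- Oracle Net encryption, integrity checking, and strong authentication are in
-- effect, rather than trusting that sqlnet.ora was deployed everywhere.
-- Assumption: server sqlnet.ora sets SQLNET.ENCRYPTION_SERVER = REQUIRED and
-- SQLNET.CRYPTO_CHECKSUM_SERVER = REQUIRED; adjust to your own policy.

-- 1. What this session negotiated. Each row of NETWORK_SERVICE_BANNER names
--    one service; look for an encryption adapter line (e.g. "AES256
--    Encryption service adapter for Linux: ...") and a crypto-checksum
--    adapter line. Their absence means this session is in clear text.
SELECT network_service_banner
  FROM v$session_connect_info
 WHERE sid = SYS_CONTEXT('USERENV', 'SID');

-- 2. How this session authenticated and over which protocol.
--    AUTHENTICATION_METHOD returns PASSWORD, KERBEROS, SSL, RADIUS, OS, ...;
--    NETWORK_PROTOCOL is 'tcp' (native encryption applies) or 'tcps' (TLS).
SELECT SYS_CONTEXT('USERENV', 'AUTHENTICATION_METHOD') AS auth_method,
       SYS_CONTEXT('USERENV', 'NETWORK_PROTOCOL')      AS protocol,
       SYS_CONTEXT('USERENV', 'IP_ADDRESS')            AS client_ip
  FROM dual;

-- 3. Fleet check: every connected user session whose banner shows no
--    encryption adapter at all. Local bequeath/IPC sessions have no IP
--    address and no adapter, so they are excluded rather than flagged.
SELECT s.username, s.osuser, s.machine, s.program
  FROM v$session s
 WHERE s.type = 'USER'
   AND SYS_CONTEXT('USERENV', 'IP_ADDRESS') IS NOT NULL
   AND NOT EXISTS (
         SELECT 1
           FROM v$session_connect_info c
          WHERE c.sid = s.sid
            AND c.serial# = s.serial#
            AND c.network_service_banner LIKE '%Encryption service adapter%')
 ORDER BY s.username, s.machine;
```

Run the third query from a monitoring account on a schedule: with ENCRYPTION_SERVER set to REQUIRED it should return nothing, and a non-empty result means some client is reaching the listener through a path the sqlnet.ora on that server does not govern. Note that the first two queries only describe the session that runs them, so run them from the application tier as well as from an administrative workstation.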
Multidimensional thinking should not be limited to technical issues affecting the IT environment. Multidimensional security thinking should also apply to the organization overall. For example, the human factor remains one of the weakest links from a security perspective. Organizations generally train staff about what constitutes a good password, but do they sensitize staff to social engineering? Ongoing security training for all staff is as necessary for the organization as firewalls and traditional security technologies are.
So where do you start when you need to reassess the security posture of the organization? Start with the basics: know your systems and who uses them. Try to think like a hacker and question closely held assumptions and technical silos: malicious hackers will not feel bound by technical diagrams and organizational expectations of how systems will be accessed. By all means, take advantage of the various security methodologies and frameworks, but do not get caught exclusively in a policy documentation or audit exercise. Periodically assess your security readiness, and when appropriate do selective pen-testing (keeping in mind that demonstrating how to break a window does not necessarily help you safeguard the entire house). Understand the security assurance practices of your strategic vendors, as they will have a great impact on the security posture of the organization. And of course, keep up with releases and Oracle’s Critical Patch Updates. Obsolete and unsupported versions, regardless of vendor, can become ticking time bombs: security patches are no longer available for them, while exploits against them become widely known (and scripted into hacking tools).
Sunday Oct 06, 2013
By Naresh Persaud-Oracle on Oct 06, 2013
If you attended Open World this year, you learned about the advances in Database 12c. As we collect more data and store our data in remote locations and the cloud, 12c restores control with advances to secure your data at the source. At the Chief Security Officer Summit at Leaders Circle, Vipin Samar discussed the changes in the security landscape that are forcing companies to re-examine how data is secured. The recent APT1 report by Mandiant highlights exactly how pervasive the threats are across every industry.
While the report covers the exploits of a specific government, the techniques being used are similar across the board. A recent report by the Ponemon Institute noted that 43% of the most serious attacks are SQL injection attacks. The statistic implies that organizations are not adequately prepared to secure their databases, even though their most valuable data resides there.
It seems almost every report on the state of IT security mentions database security. As an example, the PwC Global State of Information Security report provides a survey by region of database encryption. In North America alone, 53% of companies don't encrypt databases. Despite the threats, organizations are not fully responding.
The accompanying slides provide a perspective on how a comprehensive approach to database security can set the foundation for preventing some of the most advanced threats. With Oracle Database 12c, there are several advances that organizations will want to focus on:
- Database Redaction - learn more here.
- Privilege Analysis - learn more here.
- Audit Vault Firewall - learn more here.
- More about security in 12c here.
Tuesday Aug 06, 2013
By Troy Kitch-Oracle on Aug 06, 2013
More Security Capabilities Than Ever Before
Join us Thursday, August 15, 2013 at 10:00 a.m. PT / 1:00 p.m. ET for Security Inside Out: Latest Innovations in Oracle Database 12c Webcast (Webcast will be recorded, so you can still use this link)
Did you know that Oracle Database 12c includes more new security capabilities than any other prior release? In this webcast you will learn about these capabilities, as well as innovative new solutions to protect Oracle Database instances and non-Oracle databases.
Join us to hear how Oracle is responding to customer requirements. Discover how Oracle Database 12c helps businesses stay ahead of the evolving security threat and regulatory landscape with preventive and detective security controls that include:
- Sensitive data discovery
- Real-time data redaction
- Privilege analysis
By Troy Kitch-Oracle on Aug 06, 2013
Designed for the Cloud, the new multitenant architecture of Oracle Database 12c now enables customers to greatly simplify and accelerate database consolidation by enabling the management of hundreds of databases as one. To protect the unprecedented amounts of data customers will store within their databases, Oracle Database 12c also introduces more security capabilities than any previous Oracle Database release.
“Oracle Database 12c represents a complete shift in database technology. With the growing amount of stored data, these new multitenant databases will be targeted by both hackers and insiders, and scrutinized by auditors more than ever,” says Vipin Samar, vice president, database security product development, Oracle. “It’s imperative that customers take advantage of the new security capabilities in Oracle Database 12c to protect their data and database infrastructure.”
Key new capabilities to help customers mitigate risks and address compliance requirements include:
Data Redaction. Part of Oracle Advanced Security, Data Redaction complements transparent data encryption (TDE) by ensuring sensitive data is not exposed to users of current applications. While TDE protects information from database bypass attacks at the operating system level, Data Redaction conditionally redacts sensitive data in the outgoing result set by replacing original data with **** or any other fixed or random string of choice based upon the customer requirements. Data is redacted based on simple declarative policies that take into account rich database session context such as IP address, program name, and application user. The original data remains unaltered along with existing operational procedures.
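What a declarative redaction policy looks like in practice, as an added example (not Oracle's documentation code and not part of the announcement): a partial redaction of a card-number column that is switched off only for sessions that look like the application tier. The schema APP, the table CUSTOMERS with a 19-character CARD_NO in 1234-5678-9012-3456 form, the application server address 10.0.0.21 and the module name ORDERS_APP are assumptions; DBMS_REDACT requires the Oracle Advanced Security option.

```sql
-- Added example (not from the post): conditional partial redaction with
-- DBMS_REDACT. Assumptions: schema APP, table CUSTOMERS(CARD_NO VARCHAR2(19)
-- formatted 1234-5678-9012-3456), app tier at 10.0.0.21 identifying itself
-- with MODULE = 'ORDERS_APP'. Run as a user with EXECUTE on DBMS_REDACT.

BEGIN
  DBMS_REDACT.ADD_POLICY(
    object_schema       => 'APP',
    object_name         => 'CUSTOMERS',
    column_name         => 'CARD_NO',
    policy_name         => 'redact_card_no',
    function_type       => DBMS_REDACT.PARTIAL,
    -- For VARCHAR2 the parameters are: input format (V = candidate for
    -- masking, F = fixed character), output format, mask character, first
    -- and last V position to mask. Positions 1-12 hide all but the last four
    -- digits: 1234-5678-9012-3456 is returned as ****-****-****-3456.
    function_parameters => 'VVVVFVVVVFVVVVFVVVV,VVVV-VVVV-VVVV-VVVV,*,1,12',
    -- Policy expression, evaluated per query: redact unless the session
    -- comes from the app tier. IP address and MODULE are both reported by the
    -- client, so this keeps ad hoc tools and reports from seeing card numbers;
    -- it is not an authentication boundary.
    expression          => 'SYS_CONTEXT(''USERENV'',''IP_ADDRESS'') != ''10.0.0.21'' OR SYS_CONTEXT(''USERENV'',''MODULE'') != ''ORDERS_APP''',
    enable              => TRUE);
END;
/

-- Same query, different result set depending on who asks. The stored value is
-- untouched, and WHERE clauses still operate on the real data.
SELECT customer_id, card_no
  FROM app.customers
 WHERE ROWNUM <= 3;

-- Compliance check: which columns in the database are redacted, and under
-- what condition. One policy per table, so the join is on owner and name.
SELECT p.object_owner, p.object_name, c.column_name, c.function_type,
       p.enable, p.expression
  FROM redaction_policies p
  JOIN redaction_columns c
    ON c.object_owner = p.object_owner
   AND c.object_name  = p.object_name
 ORDER BY 1, 2, 3;
```

Two caveats worth testing before relying on this. First, SYS and any user granted the EXEMPT REDACTION POLICY system privilege bypass every policy, so that grant belongs in your privilege review. Second, redaction applies to the outgoing result set only: a user who can run `WHERE card_no LIKE '1234%'` can still infer values one comparison at a time, which is why the announcement positions Data Redaction as a complement to access control and TDE rather than a replacement.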
Privilege Analysis. Part of Oracle Database Vault, Privilege Analysis can harden database access by identifying users’ or applications’ unused privileges and roles based upon the actual roles and privileges used at runtime on production servers. Typically over time, applications and users amass powerful privileges and roles that may no longer be necessary. Finding the set of used roles and privileges is important because it helps identify the minimal set required and allows unused privileges to be revoked, reducing the attack surface.
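The capture-and-revoke cycle the paragraph describes, as an added example that is not Oracle's own code or part of the announcement. It scopes the capture to one application role so that the result answers a specific question (what does ORDERS_ROLE actually need when used by the application?); the role ORDERS_ROLE, the schema APP, the module name ORDERS_APP and the "finding" that is revoked at the end are assumptions. The CAPTURE_ADMIN role is required.

```sql
-- Added example (not from the post): a privilege-analysis cycle with
-- DBMS_PRIVILEGE_CAPTURE. Assumptions: role ORDERS_ROLE, schema APP, the app
-- sets MODULE = 'ORDERS_APP'. Requires the CAPTURE_ADMIN role; in 12.1 the
-- feature is licensed with Database Vault but runs without Vault enabled.

-- 1. Create a capture limited to sessions that have ORDERS_ROLE enabled AND
--    come from the application (G_ROLE_AND_CONTEXT). G_DATABASE captures
--    everything; G_ROLE and G_CONTEXT apply one filter only.
BEGIN
  DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE(
    name        => 'orders_role_usage',
    description => 'Privileges exercised by ORDERS_ROLE from the application',
    type        => DBMS_PRIVILEGE_CAPTURE.G_ROLE_AND_CONTEXT,
    roles       => ROLE_NAME_LIST('ORDERS_ROLE'),
    condition   => 'SYS_CONTEXT(''USERENV'',''MODULE'') = ''ORDERS_APP''');
  DBMS_PRIVILEGE_CAPTURE.ENABLE_CAPTURE('orders_role_usage');
END;
/

-- 2. Leave it running through a full business cycle (month-end, batch jobs,
--    rarely used admin screens). A privilege not exercised during the window
--    is reported as unused whether or not it is needed once a year.
BEGIN
  DBMS_PRIVILEGE_CAPTURE.DISABLE_CAPTURE('orders_role_usage');
  DBMS_PRIVILEGE_CAPTURE.GENERATE_RESULT('orders_role_usage');
END;
/

-- 3. Granted but never used during the window. PATH shows the grant chain
--    (role nesting) through which each privilege reached the user.
SELECT username, sys_priv, path
  FROM dba_unused_sysprivs
 WHERE capture = 'orders_role_usage'
 ORDER BY sys_priv;

SELECT username, obj_priv, object_owner, object_name, path
  FROM dba_unused_objprivs
 WHERE capture = 'orders_role_usage'
 ORDER BY object_owner, object_name, obj_priv;

-- 4. What was actually used: this is the least-privilege target. A broad
--    system privilege that shows up here is usually standing in for a few
--    object grants, which is the cheaper and safer thing to leave behind.
SELECT DISTINCT sys_priv, obj_priv, object_owner, object_name
  FROM dba_used_privs
 WHERE capture = 'orders_role_usage'
 ORDER BY 1, 2, 3, 4;

-- 5. Hypothetical finding from step 3/4: the role held SELECT ANY TABLE but
--    only ever read APP.CUSTOMERS. Replace the ANY privilege with the object
--    grant, keeping the REVOKE statement with the change so it can be undone.
REVOKE SELECT ANY TABLE FROM orders_role;
GRANT SELECT ON app.customers TO orders_role;
```

Because a capture only sees what ran while it was enabled, treat the "unused" lists as candidates for revocation rather than proof, and re-enable the capture for a second window after revoking so the next report tells you whether anything broke.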
Database Vault also enables customers to realize the full potential of Oracle Database 12c multitenant-based consolidation by preventing common database administrators from accessing application data stored in a pluggable database. With three distinct separation-of-duty controls, Database Vault is critical to regulatory compliance in multitenant environments.
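A concrete form of the separation the paragraph describes, as an added example rather than Oracle's own code or part of the announcement: a mandatory realm (new in 12c) placed around an application schema inside a pluggable database, so that a common DBA such as SYSTEM, or any user holding SELECT ANY TABLE, is refused access to the application's tables. It assumes Database Vault is configured and enabled in the PDB and that you are connected to the PDB as the Database Vault owner; the names APP and ORDERS_APP_USER are assumptions.

```sql
-- Added example (not from the post): a mandatory Database Vault realm around
-- the APP schema in a PDB. Assumptions: Database Vault is enabled in this PDB,
-- the session is the DV_OWNER account, application schema APP, application
-- connect account ORDERS_APP_USER.

BEGIN
  -- realm_type 1 = mandatory realm. A regular realm (type 0) still lets the
  -- object owner and users with direct object grants through; a mandatory
  -- realm blocks everyone who is not explicitly authorized below, which is
  -- the behaviour wanted when the goal is to keep DBAs out of app data.
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'APP Data Realm',
    description   => 'Application tables, closed to common DBAs',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL,  -- record violations
    realm_type    => 1);

  -- Protect every table and view owned by APP ('%' is the wildcard).
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'APP Data Realm',
    object_owner => 'APP',
    object_name  => '%',
    object_type  => 'TABLE');
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'APP Data Realm',
    object_owner => 'APP',
    object_name  => '%',
    object_type  => 'VIEW');

  -- Only the application account is allowed in. PARTICIPANT grants access to
  -- the data; OWNER would additionally allow DDL on the protected objects, so
  -- reserve that for a deployment account, not the runtime one.
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'APP Data Realm',
    grantee       => 'ORDERS_APP_USER',
    rule_set_name => NULL,
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);
END;
/

-- Verification. Connected to the PDB as SYSTEM (SELECT ANY TABLE, DBA role):
--   SELECT COUNT(*) FROM app.customers;
-- now fails with ORA-01031: insufficient privileges, and the attempt is
-- recorded because of G_REALM_AUDIT_FAIL. Connected as ORDERS_APP_USER the
-- same query succeeds.

-- Confirm what the realm covers and that it is enabled and mandatory.
SELECT r.name, r.enabled, r.realm_type, o.owner, o.object_name, o.object_type
  FROM dba_dv_realm r
  JOIN dba_dv_realm_object o ON o.realm_name = r.name
 WHERE r.name = 'APP Data Realm';
```

Two operational points. The realm also stops the DBA from running Data Pump exports or ad hoc backups of those tables, so those tasks need either a realm authorization of their own or a Database Vault authorized account; plan that before enabling it in production. And since the realm is stored in the PDB's data dictionary, it travels with the PDB when it is unplugged and plugged elsewhere, which is the point the announcement makes about policies moving with the pluggable database.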
Conditional Auditing. Oracle Database 12c introduces a new auditing framework that creates audit records based on the context of the database session. For example, an audit policy can be defined to audit all SQL statements unless they are coming from the application server’s IP address and with the given program name. Out-of-policy connections can be fully audited while no audit data will be generated for others, enabling highly selective and effective auditing.
New roles have been introduced for managing audit data and audit policies inside the database. Audit data integrity is further protected by restricting management to the built-in audit data management package, preventing audit trail tampering using ad hoc SQL commands. Multiple audit statements can be grouped together for easier management. Three default audit policies are configured and shipped out of the box.
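The policy the two paragraphs above sketch (audit everything except what comes from the known application path), written out as an added example that is not part of the announcement or Oracle's documentation, together with the trail query and the retention call that replaces ad hoc DELETE. The application server address 10.0.0.21, the module name ORDERS_APP and the table APP.CUSTOMERS are assumptions; the statements need the AUDIT_ADMIN role and a database running with unified auditing (pure or mixed mode).

```sql
-- Added example (not from the post): a conditional unified audit policy plus
-- the housekeeping around it. Assumptions: application tier at 10.0.0.21
-- identifying itself with MODULE = 'ORDERS_APP', table APP.CUSTOMERS.
-- Requires the AUDIT_ADMIN role and unified auditing.

-- Audit all DML and reads on the table unless the session is the app tier.
-- EVALUATE PER SESSION checks the condition once at connect, so it costs
-- nothing per statement. IP address and MODULE are both client-supplied:
-- this removes noise from the trusted path, it does not prove that what
-- remains is benign, and a session that spoofs both goes unaudited.
CREATE AUDIT POLICY app_bypass_pol
  ACTIONS SELECT ON app.customers, INSERT ON app.customers,
          UPDATE ON app.customers, DELETE ON app.customers
  WHEN 'SYS_CONTEXT(''USERENV'',''IP_ADDRESS'') != ''10.0.0.21'' OR SYS_CONTEXT(''USERENV'',''MODULE'') != ''ORDERS_APP'''
  EVALUATE PER SESSION;

-- Enable it for all users, successful and failed statements alike.
-- AUDIT POLICY app_bypass_pol BY ... / EXCEPT ... narrows it if needed.
AUDIT POLICY app_bypass_pol;

-- Read the trail. UNIFIED_AUDIT_TRAIL is a view over a sealed table: there
-- is no DELETE on it, and purging goes through DBMS_AUDIT_MGMT only.
-- In 12.1 records may sit in an in-memory queue for a while; call
-- DBMS_AUDIT_MGMT.FLUSH_UNIFIED_AUDIT_TRAIL first if you need them now.
SELECT event_timestamp, dbusername, client_program_name, action_name,
       object_schema, object_name, return_code, unified_audit_policies
  FROM unified_audit_trail
 WHERE unified_audit_policies LIKE '%APP_BYPASS_POL%'
 ORDER BY event_timestamp DESC;

-- Retention: mark everything older than 90 days as archived, then purge up
-- to that mark. Ship the records to Audit Vault (or another store) before
-- this runs, since the purge is the only sanctioned way to remove them.
BEGIN
  DBMS_AUDIT_MGMT.SET_LAST_ARCHIVE_TIMESTAMP(
    audit_trail_type  => DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED,
    last_archive_time => SYSTIMESTAMP - INTERVAL '90' DAY);
  DBMS_AUDIT_MGMT.CLEAN_AUDIT_TRAIL(
    audit_trail_type        => DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED,
    use_last_arch_timestamp => TRUE);
END;
/

-- Which policies, including the shipped defaults, are actually enabled.
-- ORA_SECURECONFIG is on out of the box; confirm rather than assume.
SELECT policy_name, enabled_opt, user_name, success, failure
  FROM audit_unified_enabled_policies
 ORDER BY policy_name;
```

Keep the AUDIT_ADMIN and AUDIT_VIEWER grants themselves under review: the integrity protection described above holds only as long as the DBA who is being audited does not also hold the role that can purge the trail, which is the separation-of-duty question Database Vault is meant to answer.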
Additionally, Oracle Audit Vault and Database Firewall now supports Oracle Database 12c, and can be used to collect, consolidate, alert and report on audit data from Oracle and non-Oracle databases and operating systems. Oracle Audit Vault and Database Firewall can also monitor Oracle Database 12c SQL activity over the network, blocking any unauthorized activity such as SQL injection attacks, or insider abuse.
Sensitive Data Discovery and Management. Locating and cataloging sensitive data is more critical than ever. Oracle Enterprise Manager Data Discovery and Modeling (DDM) and Sensitive Data Discovery (SDD) facilitate the process of locating sensitive data within an application and applying security controls on that data. In addition, the new Oracle Database 12c Transparent Sensitive Data Protection (TSDP) can load sensitive information from Oracle Enterprise Manager Data Discovery and Modeling into the Oracle database and apply security controls such as Data Redaction. This greatly reduces the operational burden of managing sensitive data consistently in Oracle Database 12c environments.
Real Application Security. Oracle Database 12c introduces a next-generation authorization framework to support the increased application security requirements of multitenant environments. Unlike the traditional Oracle VPD, Oracle Database 12c Real Application Security (RAS) provides a declarative model that allows developers to define the data security policy based on application users, roles and privileges within the Oracle Database. This new RAS-based paradigm is more secure, scalable, and cost effective.
In addition to these critical new capabilities, Oracle Database 12c greatly strengthens the overall database security posture with new Oracle Database Vault realm controls, Oracle Advanced Security TDE key management, Oracle Enterprise Manager Security Console, and more.
All the security capabilities available in Oracle Database 12c are compatible with the new multitenant architecture in Oracle Database 12c. As a result, customers can quickly and efficiently address the unique security requirements of each pluggable database. The security policies move with the pluggable database when it is unplugged from one and plugged into a new Oracle Database 12c multitenant server.
Learn more about Oracle Database Security
Wednesday Jun 05, 2013
By Troy Kitch-Oracle on Jun 05, 2013
Recent successful cyber attacks against some of the most security-savvy organizations have called into question IT security strategies across all industries. The reliance on network security and user credentials has left many institutions vulnerable to attacks by insiders, outsiders exploiting stolen credentials, and SQL injection attacks. Additionally, the pervasive use of production data in non-production environments means that attackers can focus their efforts on a development or test server. Analysts estimate that less than 20% of IT security plans address database security.
When Oracle talks about having a comprehensive database strategy, it includes defense-in-depth security controls that protect multiple layers in and around the database environment.
- Preventive controls are those that are intended to avoid an incident from occurring
- Detective controls help identify an incident's activities and potentially an intruder
- Administrative controls are the tools that help with the process and procedures associated with database security
Tuesday Aug 07, 2012
Database Insider Newsletter, August: Oracle Data Masking Strengthens Security of Oracle E-Business Suite Data
By Troy Kitch-Oracle on Aug 07, 2012
The August edition of Database Insider highlights new Oracle E-Business Suite templates for Oracle Data Masking:
To more easily and effectively protect sensitive data in nonproduction environments, Oracle has released the new Oracle E-Business Suite 12.1.3 template for data masking. The latest release is part of a suite of products designed specifically to protect sensitive data in Oracle E-Business Suite environments, including Oracle Advanced Security, Oracle Database Vault, Oracle Audit Vault, and Oracle Database Firewall.
“It’s important to protect sensitive production data, especially when copying to nonproduction environments for testing, QA, development, or offshoring and outsourcing purposes,” explains Willie Hardie, vice president, Oracle Database Product Marketing. “However, manually masking data in enterprise application databases can be time-consuming, and if not done correctly, easily prone to error. Masking data must maintain referential integrity so that applications can continue to function properly without exposing sensitive data.”
Monday Jul 09, 2012
By Troy Kitch-Oracle on Jul 09, 2012
A new article in Oracle Magazine outlines a comprehensive defense-in-depth approach for appropriate and effective database protection. There are multiple ways attackers can disrupt the confidentiality, integrity and availability of data and therefore, putting in place layers of defense is the best measure to protect your sensitive customer and corporate data.
“In most organizations, two-thirds of sensitive and regulated data resides in databases,” points out Vipin Samar, vice president of database security technologies at Oracle. “Unless the databases are protected using a multilayered security architecture, that data is at risk to be read or changed by administrators of the operating system, databases, or network, or hackers who use stolen passwords to pose as administrators. Further, hackers can exploit legitimate access to the database by using SQL injection attacks from the Web. Organizations need to mitigate all types of risks and craft a security architecture that protects their assets from attacks coming from different sources.”
Wednesday May 02, 2012
By Troy Kitch-Oracle on May 02, 2012
- Tue, May 1 - Atlanta, GA
- Thu, May 3 - Houston, TX
- Tue, May 8 - Denver, CO
- Wed, May 9 - Portland, OR
- Thu, May 10 - Salt Lake City, UT
- Tue, May 15 - San Francisco, CA
- Thu, May 17 - Orange County, CA
May 14-17, FS-ISAC & BITS Annual Summit - Miami FL
Tuesday Feb 14, 2012
By Troy Kitch-Oracle on Feb 14, 2012
Although most organizations are taking stronger measures to protect their data, significant gaps still exist at the very core — their databases. Many don’t have a comprehensive database security strategy to defend against sophisticated attacks, track sensitive data, or even meet emerging regulatory requirements. In addition, organizations tend to focus on detective controls rather than preventive measures when it comes to database security.
Tuesday Jan 03, 2012
By Troy Kitch-Oracle on Jan 03, 2012
If your answer is yes (or you're not sure), then you aren’t alone. According to the recent Independent Oracle Users Group Data Security Survey, 60% said that a data breach is likely, or that they’re not sure what to expect, over the next 12 months. As you prepare to secure your databases in 2012, see the first in our “real world” video series, which illustrates the different ways organizations are susceptible to security breaches and how Oracle can help mitigate them.
X Marks the Spot - An oil company finds that its drilling efforts are way off target: someone has tampered with mission-critical enterprise intelligence. More than half of organizations would have no way of knowing if privileged users are abusing their access. Learn about Oracle Audit Vault for database activity auditing, alerting and reporting.