Wednesday Jun 05, 2013

Comprehensive Database Security Defense-in-Depth

Recent successful cyber attacks against some of the most security-savvy organizations have put IT security strategies across all industries into question. The reliance on network security and user credentials has left many institutions vulnerable to attacks by insiders, by outsiders exploiting stolen credentials, and by SQL injection. Additionally, the pervasive use of production data in non-production environments means that attackers can focus their efforts on a development or test server. Analysts estimate that less than 20% of IT security plans address database security.

Oracle Database Security

When Oracle talks about having a comprehensive database strategy, it includes defense-in-depth security controls that protect multiple layers in and around the database environment.

  • Preventive controls are those intended to stop an incident from occurring
  • Detective controls help identify an incident's activities and potentially an intruder
  • Administrative controls are the tools that support the processes and procedures associated with database security

To learn more about each of the Oracle Database Security controls, please visit

Friday Sep 21, 2012

Latest Security Inside Out Newsletter Now Available

The September/October edition of the Security Inside Out Newsletter is now available. Learn about the Oracle OpenWorld database security sessions, hands-on labs, and demos you'll want to attend, as well as frequently asked questions about Label-Based Access Controls in Oracle Database 11g. Subscribe here for the bi-monthly newsletter.

...and if you haven't already done so, join Oracle Database on these social networks:

Tuesday Aug 07, 2012

Database Insider Newsletter, August: Oracle Data Masking Strengthens Security of Oracle E-Business Suite Data

The August edition of Database Insider highlights new Oracle E-Business Suite templates for Oracle Data Masking:

To more easily and effectively protect sensitive data in nonproduction environments, Oracle has released the new Oracle E-Business Suite 12.1.3 template for data masking. The latest release is part of a suite of products designed specifically to protect sensitive data in Oracle E-Business Suite environments, including Oracle Advanced Security, Oracle Database Vault, Oracle Audit Vault, and Oracle Database Firewall.

“It’s important to protect sensitive production data, especially when copying to nonproduction environments for testing, QA, development, or offshoring and outsourcing purposes,” explains Willie Hardie, vice president, Oracle Database Product Marketing. “However, manually masking data in enterprise application databases can be time-consuming, and if not done correctly, easily prone to error. Masking data must maintain referential integrity so that applications can continue to function properly without exposing sensitive data.”

Read more. Subscribe to Information InDepth, Database Insider Edition and get monthly database news in your inbox.

Monday Jul 09, 2012

Lockdown Your Database Security

A new article in Oracle Magazine outlines a comprehensive defense-in-depth approach to appropriate and effective database protection. There are multiple ways attackers can disrupt the confidentiality, integrity and availability of data; putting layers of defense in place is therefore the best measure to protect your sensitive customer and corporate data.

“In most organizations, two-thirds of sensitive and regulated data resides in databases,” points out Vipin Samar, vice president of database security technologies at Oracle. “Unless the databases are protected using a multilayered security architecture, that data is at risk to be read or changed by administrators of the operating system, databases, or network, or hackers who use stolen passwords to pose as administrators. Further, hackers can exploit legitimate access to the database by using SQL injection attacks from the Web. Organizations need to mitigate all types of risks and craft a security architecture that protects their assets from attacks coming from different sources.”

Wednesday May 02, 2012

Database Security Events in May

  • Tue, May 1 - Atlanta, GA
  • Thu, May 3 - Houston, TX
  • Tue, May 8 - Denver, CO
  • Wed, May 9 - Portland, OR
  • Thu, May 10 - Salt Lake City, UT
  • Tue, May 15 - San Francisco, CA
  • Thu, May 17 - Orange County, CA

May 14-17, FS-ISAC & BITS Annual Summit - Miami FL

Wed, May 30, Webcast: Best Practices for Database Privileged User Access Control

More Database Security events.

Tuesday Feb 14, 2012

Formulate a Database Security Strategy

Although most organizations are taking stronger measures to protect their data, significant gaps still exist at the very core — their databases. Many don’t have a comprehensive database security strategy to defend against sophisticated attacks, track sensitive data, or even meet emerging regulatory requirements. In addition, organizations tend to focus on detective controls rather than preventive measures when it comes to database security.

By contrast, leading industry analyst Forrester finds that implementing a comprehensive and integrated database security solution, with a strong emphasis on preventive measures, enables organizations to improve security controls and introduce a higher degree of automation across the enterprise. Learn more.

Tuesday Jan 03, 2012

Is Your Organization Susceptible to a Data Breach?

If your answer is yes (or you're not sure), then you aren’t alone. According to the recent Independent Oracle Users Group Data Security Survey, 60% said that a data breach is likely, or that they’re not sure what to expect, over the next 12 months. As you prepare to secure your databases in 2012, see the first in our “real world” video series, which illustrates the different ways organizations are susceptible to security breaches and how Oracle can help mitigate them.

X Marks the Spot - An oil company finds that its drilling efforts are way off target: someone has tampered with mission-critical enterprise intelligence. More than half of organizations would have no way of knowing if privileged users are abusing their access. Learn about Oracle Audit Vault for database activity auditing, alerting and reporting.

Friday Nov 04, 2011

RSA Attack Tip of the Iceberg and Wake Up Call for Organizations Worldwide?

Security experts now say that RSA wasn’t the only corporation victimized in the attack that shook corporate and government leaders worldwide. If this could happen to a security company like RSA, could it happen to any organization? Apparently the answer is yes: about 760 other organizations, according to a recent post on Brian Krebs' blog. Interestingly enough, none of these organizations have spoken out. Is it because they don’t want the brand hit, or is it just that they didn’t know what happened? My money’s on the latter.

Every year Verizon reports that the majority of data breaches are discovered by third parties. I wonder how many of the 760 companies Krebs named are scrambling to figure out what was compromised in the attack. Were critical business plans stolen? Or were manufacturing parameters changed? They will be going through logs looking for clues. But wait, what logs? According to a recent survey of the Independent Oracle Users Group, only 30% of organizations are monitoring reads and writes to sensitive data stored in their databases. Taken in combination with the lack of preventive controls at the database layer, most organizations are soft targets for Advanced Persistent Threats as well as for not-so-advanced opportunistic attacks like the LizaMoon SQL injection attack used to compromise over 4 million databases in a single day.

So what’s the solution: Auditing? Database Firewalls? Encryption? Privileged user controls? Strong authentication? Multi-factor authorization? Yes, yes, yes, yes, yes, and yes. The answer is defense in depth. I am still surprised how many seasoned IT Security professionals don’t want to hear this answer. But security requires investment and vigilance. Our defenses must become as advanced and persistent as the threats we are trying to combat.

Thursday Sep 15, 2011

IDC Report: Effective Data Leak Prevention Programs - Start by Protecting Data at the Source, Your Databases

What’s Missing from your Data Loss Prevention Strategy?

Although most organizations have data leak prevention (DLP) programs in place, IDC finds they are missing strategic solutions to protect their most valuable data assets – databases. IDC estimates the amount of data is doubling every two years and as the overall amount of data grows, so does the amount of sensitive and regulated information.

This IDC white paper presents a proactive approach to data protection, discusses the growing enterprise data threats and the impact government regulations have on requiring additional data protections.

Download the report and learn how enterprises must adopt security best practices that combine both DLP and database security to mitigate data breaches while ensuring data availability.

Wednesday Aug 24, 2011

Shady RAT Raises the Ante on Data Breaches

Recently McAfee published an interesting report about what they called Operation Shady RAT, focusing on a series of “advanced persistent threat” attacks. Although many of these attacks were not so advanced, and more often than not opportunistic rather than persistent, they represent a new phenomenon:

“The key to these intrusions is that the adversary is motivated by a massive hunger for secrets and intellectual property; this is different from the immediate financial gratification that drives much of cybercrime.”

The report says that victims include government agencies in the United States, Taiwan, South Korea, Vietnam, and Canada, the Olympic committees in three countries, and the International Olympic Committee. Rounding out the list of countries where Shady RAT hacked into computer networks: Japan, Switzerland, the United Kingdom, Indonesia, Denmark, Singapore, Hong Kong, Germany, and India. The vast majority of victims (49) were U.S.-based companies, government agencies, and nonprofits. The category most heavily targeted was defense contractors, 13 in all.

What does this mean to organizations? It’s no longer just about credit card and social security numbers, or even your reputation. It’s about your business. Trade secrets. Customers. Strategic plans. All of it. It’s hard to disagree with McAfee’s conclusion that the Fortune Global 2000 firms now fall into two categories: those that know they’ve been compromised and those that don’t yet know.

I am still amazed by the number of customers I talk to that really are doing nothing to protect the databases that hold their crown jewels. The majority of customers I talk to still don’t have enough auditing to know who’s accessing or tampering with data in their databases or the database infrastructure itself. Even more importantly they don’t have the preventive controls to ensure that this doesn’t happen. More on this as the 2011 IOUG Security Survey results are released.

For now, I urge organizations to really look at what they are doing to protect their databases, think about what the bad guys are doing to attack their databases, and stop going around “eyes wide shut”…

Wednesday Aug 03, 2011

Q&A from Oracle Database 11g Security and Compliance Webcast

Last week we had more than 2900 registrants for the Oracle Database 11g Security and Compliance webcast with guest speaker Tom Kyte. With hundreds of questions coming in, we weren’t able to answer them all. Here are answers to some of the most common questions. If you missed the webcast and want to watch the recording, or would like to sign up for upcoming webcasts in the series, register here.

Q: What is the performance overhead of implementing Oracle Advanced Security with Transparent Data Encryption?
A: According to internal benchmarks and feedback from successful production implementations, the performance overhead is in the single digits. With Oracle Database 11g Release 2 Patchset 1, the hardware crypto acceleration based on AES-NI available in most Intel® XEON® 5600 CPUs is automatically leveraged by TDE tablespace encryption, making TDE tablespace encryption a 'near-zero impact' encryption solution. Listen to TransUnion talk about their experience deploying tablespace encryption.

Q: Can the Oracle Database Firewall be used to monitor performance?
A: Yes. The Oracle Database Firewall can non-intrusively monitor SQL traffic to and from the database, including the database response and the status of SQL statement execution. It can therefore help developers monitor and assess SQL query performance on production databases, find slow or inconsistently performing queries, and identify all clients connecting to a specific database before and after a migration, by providing execution times for logged database activity. Learn more in the upcoming Database Firewall webcast.

Q: How does Oracle Data Masking protect sensitive data in non-production environments?
A: With Oracle Data Masking, sensitive information such as credit card or social security numbers can be replaced with realistic values, allowing production data to be safely used for development, testing, or sharing with outsource or offshore partners for other non-production purposes. In other words, sensitive data is protected by never being made available in these environments. To better understand data masking, take a look at the flash demo.
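The two properties the masking answer above and the Database Insider item rely on, realistic replacement values and preserved referential integrity, are illustrated by the following added example. It is not Oracle Data Masking code; it is a small stand-alone Python sketch that substitutes SSNs and card numbers deterministically (keyed HMAC) so the same source value masks to the same replacement in every table, and that appends a Luhn check digit so masked card numbers still pass format validation. The table layout and key are constructed for the demo.

```python
import hashlib
import hmac

# Constructed masking key: generated per masking run and discarded afterwards,
# so the mapping cannot be reversed from the non-production copy.
MASK_KEY = b"constructed-demo-key-not-for-production"


def _digits(value: str, count: int, purpose: bytes) -> str:
    """Derive `count` decimal digits from HMAC(key, purpose:value).
    Same input -> same output, which keeps foreign keys consistent."""
    mac = hmac.new(MASK_KEY, purpose + b":" + value.encode("utf-8"), hashlib.sha256).digest()
    return str(int.from_bytes(mac, "big") % 10 ** count).zfill(count)


def luhn_check_digit(partial: str) -> str:
    """Check digit that makes `partial + digit` Luhn-valid."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:          # digits adjacent to the check digit are doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    return number.isdigit() and luhn_check_digit(number[:-1]) == number[-1]


def mask_ssn(ssn: str) -> str:
    """Format-preserving replacement: AAA-GG-SSSS stays AAA-GG-SSSS."""
    d = _digits(ssn, 9, b"ssn")
    return f"{d[:3]}-{d[3:5]}-{d[5:]}"


def mask_card(card: str) -> str:
    """16-digit replacement whose final digit is a valid Luhn check digit."""
    body = _digits(card, 15, b"card")
    return body + luhn_check_digit(body)


# Constructed sample: ORDERS references CUSTOMERS by SSN, i.e. by a masked column.
CUSTOMERS = [
    {"cust_id": 1, "ssn": "123-45-6789", "card": "4111111111111111"},
    {"cust_id": 2, "ssn": "987-65-4321", "card": "5555555555554444"},
]
ORDERS = [
    {"order_id": 100, "ssn": "123-45-6789", "amount": 42.50},
    {"order_id": 101, "ssn": "987-65-4321", "amount": 19.99},
    {"order_id": 102, "ssn": "123-45-6789", "amount": 7.00},
]


def mask_dataset(customers, orders):
    """Mask both tables with the same deterministic mapping so the join survives."""
    mc = [dict(c, ssn=mask_ssn(c["ssn"]), card=mask_card(c["card"])) for c in customers]
    mo = [dict(o, ssn=mask_ssn(o["ssn"])) for o in orders]
    return mc, mo


def join_count(customers, orders) -> int:
    """Number of orders that still resolve to a customer row via the SSN key."""
    keys = {c["ssn"] for c in customers}
    return sum(1 for o in orders if o["ssn"] in keys)
```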

Q: Can the Oracle Database Vault administrator/owner see data protected by a realm?
A: No. The Oracle Database Vault owner account can only set up the realm. It cannot see data protected by a realm. This is part of the separation of duty that Oracle Database Vault enforces. Learn more in the Oracle Database Vault Best Practices whitepaper.

And the most frequently asked question…

Q: Is this webcast being recorded?
A: Yes, you can get the recording here, as well as register for upcoming webcasts in the series. Don’t miss the next one, Blocking SQL Injection Attacks and Other Threats with Oracle Database Firewall on August 25th at 11am PT, featuring guest speaker Steve Moyle, CTO of Oracle Database Firewall.

Monday Jul 18, 2011

Oracle Database 11g Security and Compliance Solutions Webcast Series

As many of you are rolling out Oracle Database 11g across your enterprise, and taking advantage of the unprecedented performance of the new Oracle Exadata Database Machine to consolidate your databases, now is the time to think about security. So for the next few months, we will be presenting a series of webcasts on Oracle Database 11g Security and Compliance to help you take advantage of your database infrastructure to protect data privacy, address regulatory compliance requirements, and defend against SQL injection and other attacks.

Our first webcast, July 28 at 10am PT, will feature Tom Kyte of the popular “Ask Tom” web site. Tom will introduce you to the comprehensive database security solutions offered by Oracle and help you understand the importance of each solution in a complete database defense in depth strategy.

When you register for this webcast, you will also have an opportunity to register for all the webcasts in the series:

  • Blocking SQL Injection Attacks and Other Threats with Oracle Database Firewall
  • Database Activity Auditing, Alerting and Reporting with Oracle Audit Vault
  • Transparent Data Encryption with Oracle Database 11g
  • Privileged User Access Control with Oracle Database 11g

And in the meantime, check out our new Oracle Database Security Resource Library. It includes whitepapers, demos, and everything else you need to get started today.

Tuesday Jun 21, 2011

Oracle Security Inside Out Newsletter – June Edition

This month’s Information In Depth Newsletter, Security Inside Out Edition is now available.

In this edition we look at the Gartner Security and Risk Management Summit 2011, discuss safeguarding data from threats with Oracle Database Vault, and reveal the latest database security webcasts, videos, training, events and more.

If you don’t have a subscription to this bi-monthly security information update, you can sign up here at the bottom of the page.

Monday May 23, 2011

KuppingerCole "Strongly Recommends" Oracle's Database Security Offerings

In a recently released report, leading European-based analyst firm KuppingerCole "strongly recommends" that organizations with Oracle Databases in production should consider Oracle's database security offerings. "From the KuppingerCole perspective, Oracle currently has the broadest portfolio in the market and delivers leading-edge products in all areas of database security," writes the report's author, Martin Kuppinger, founder and principal analyst, KuppingerCole.

Well known for their thought leadership in information security and governance, risk management, and compliance, KuppingerCole decided to focus their attention on database security. Kuppinger writes that "the need for database security solutions is obvious," and explains that a significant number of data breaches and data thefts occur at the database level.

In the report, Kuppinger evaluated solutions such as Oracle Advanced Security, Oracle Database Vault, and Oracle Label Security, which run within the Oracle Database, as well as solutions such as the new Oracle Database Firewall and Oracle Audit Vault, which run outside the database and support both Oracle and non-Oracle databases. You can read the report here.

Thursday Apr 15, 2010

Protect Data and Save Money? Learn How Best-in-Class Organizations do Both

[Read More]
