Sunday Oct 06, 2013

New Database Threats Require New Innovations in Security

If you attended OpenWorld this year, you learned about the advances in Database 12c. As we collect more data and store it in remote locations and the cloud, 12c restores control with advances that secure your data at the source. At the Chief Security Officer Summit at Leaders Circle, Vipin Samar discussed the changes in the security landscape that are forcing companies to re-examine how data is secured. The recent APT1 report by Mandiant highlights exactly how pervasive the threats are across every industry.

While the report covers the exploits of a specific government, the techniques being used are similar across the board. A recent report by the Ponemon Institute noted that 43% of the most serious attacks are SQL injection attacks. The statistic implies both that organizations are not as prepared to secure databases as they should be and that our most valuable data actually resides in those databases.

It seems almost every report on the state of IT security mentions database security. As an example, the PwC Global State of Information Security report provides a survey by region of database encryption. In North America alone, 53% of companies don't encrypt databases. Despite the threats, organizations are not fully responding.

The slides below provide a perspective on how a comprehensive approach to database security can set the foundation for preventing some of the most advanced threats. With Database Security 12c, there are several advances that organizations will want to focus on:

  • Database Redaction - learn more here.
  • Privilege Analysis - learn more here.
  • Audit Vault Firewall - learn more here.
  • More about security in 12c - learn more here.
For a limited time, you can register for a free copy of a new book on Database Security 12c. 

Tuesday Aug 06, 2013

Learn About The Latest Security Innovations in Oracle Database 12c

More Security Capabilities Than Ever Before 

Join us Thursday, August 15, 2013 at 10:00 a.m. PT / 1:00 p.m. ET for Security Inside Out: Latest Innovations in Oracle Database 12c Webcast (Webcast will be recorded, so you can still use this link)

Did you know that Oracle Database 12c includes more new security capabilities than any other prior release? In this webcast you will learn about these capabilities, as well as innovative new solutions to protect Oracle Database instances and non-Oracle databases.

Join us to hear how Oracle is responding to customer requirements. Discover how Oracle Database 12c helps businesses stay ahead of the evolving security threat and regulatory landscape with preventive and detective security controls that include:

  • Sensitive data discovery
  • Real-time data redaction
  • Privilege analysis

Plug into Defense-in-Depth with Oracle Database 12c

Designed for the Cloud, the new multitenant architecture of Oracle Database 12c now enables customers to greatly simplify and accelerate database consolidation by enabling the management of hundreds of databases as one. To protect the unprecedented amounts of data customers will store within their databases, Oracle Database 12c also introduces more security capabilities than any previous Oracle Database release.

“Oracle Database 12c represents a complete shift in database technology. With the growing amount of stored data, these new multitenant databases will be targeted by both hackers and insiders, and scrutinized by auditors more than ever,” says Vipin Samar, vice president, database security product development, Oracle. “It’s imperative that customers take advantage of the new security capabilities in Oracle Database 12c to protect their data and database infrastructure.”

Key new capabilities to help customers mitigate risks and address compliance requirements include:

Data Redaction. Part of Oracle Advanced Security, Data Redaction complements transparent data encryption (TDE) by ensuring sensitive data is not exposed to users of current applications. While TDE protects information from database bypass attacks at the operating system level, Data Redaction conditionally redacts sensitive data in the outgoing result set by replacing original data with **** or any other fixed or random string of choice based upon the customer requirements. Data is redacted based on simple declarative policies that take into account rich database session context such as IP address, program name, and application user. The original data remains unaltered along with existing operational procedures.
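As an added example that is not from the original post, this is how a policy of the kind described above is declared with the DBMS_REDACT package that Oracle Advanced Security provides in 12c; the SALES.ORDERS table, the CARD_NUMBER column and the PAYMENTS_APP user are constructed placeholders, and the card numbers are assumed to be stored with dashes between the four-digit groups.

```sql
-- Added example, not from the original post. Schema SALES, table ORDERS,
-- column CARD_NUMBER and user PAYMENTS_APP are constructed placeholders.
-- Requires EXECUTE on SYS.DBMS_REDACT.
BEGIN
  DBMS_REDACT.ADD_POLICY(
    object_schema       => 'SALES',
    object_name         => 'ORDERS',
    policy_name         => 'REDACT_CARD_NUMBERS',
    column_name         => 'CARD_NUMBER',
    -- PARTIAL redaction keeps the column's shape and overwrites chosen
    -- positions. Input format: 16 digits in four groups (V = digit,
    -- F = separator); output format: dashed groups; '*' is written over
    -- digit positions 1 to 12, so only the last four digits survive.
    function_type       => DBMS_REDACT.PARTIAL,
    function_parameters => 'VVVVFVVVVFVVVVFVVVV,VVVV-VVVV-VVVV-VVVV,*,1,12',
    -- The policy fires whenever this expression is TRUE for the session.
    -- Any SYS_CONTEXT attribute (IP_ADDRESS, MODULE, CLIENT_IDENTIFIER, ...)
    -- can be combined here; this condition exempts only the payments app.
    expression          => 'SYS_CONTEXT(''USERENV'',''SESSION_USER'') <> ''PAYMENTS_APP''',
    enable              => TRUE);
END;
/

-- Confirm the policy and its condition are registered.
SELECT object_owner, object_name, policy_name, expression
  FROM redaction_policies
 WHERE object_owner = 'SALES' AND object_name = 'ORDERS';

-- The stored value is never modified: a PAYMENTS_APP session gets the full
-- number, every other session gets the masked form, and the application's
-- INSERT/UPDATE paths are unaffected because only result sets are redacted.
SELECT order_id, card_number FROM sales.orders WHERE order_id = 1001;
```

Redaction limits what a query returns, not what a user may ask; a user who can run ad hoc SQL against the column can still narrow values down with WHERE clauses, so the policy complements access control rather than replacing it.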

Privilege Analysis. Part of Oracle Database Vault, Privilege Analysis can harden database access by identifying users’ or applications’ unused privileges and roles based upon the actual roles and privileges used at runtime on production servers. Typically over time, applications and users amass powerful privileges and roles that may no longer be necessary. Finding the set of used roles and privileges is important because it helps identify the minimal set required and allows unused privileges to be revoked, reducing the attack surface.
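As an added example that is not from the original post, the capture-and-compare cycle described above is driven with the DBMS_PRIVILEGE_CAPTURE package that ships with Oracle Database Vault in 12c; APP_ROLE, the capture name and the privilege revoked at the end are constructed placeholders.

```sql
-- Added example, not from the original post. APP_ROLE, APP_ROLE_CAPTURE
-- and the revoked privilege are constructed placeholders.
-- Requires the CAPTURE_ADMIN role.
BEGIN
  DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE(
    name        => 'APP_ROLE_CAPTURE',
    description => 'Privileges actually exercised through APP_ROLE',
    -- G_ROLE records only privilege use that flows through the listed
    -- roles; G_DATABASE would record every privilege use in the database.
    type        => DBMS_PRIVILEGE_CAPTURE.G_ROLE,
    roles       => role_name_list('APP_ROLE'));
  DBMS_PRIVILEGE_CAPTURE.ENABLE_CAPTURE(name => 'APP_ROLE_CAPTURE');
END;
/

-- ... run a representative production workload for long enough to cover
--     periodic jobs (month-end reports, batch loads) and admin paths ...

BEGIN
  DBMS_PRIVILEGE_CAPTURE.DISABLE_CAPTURE(name => 'APP_ROLE_CAPTURE');
  DBMS_PRIVILEGE_CAPTURE.GENERATE_RESULT(name => 'APP_ROLE_CAPTURE');
END;
/

-- Privileges that were exercised during the window: the minimal set to keep.
SELECT username, used_role, sys_priv, obj_priv, object_owner, object_name
  FROM dba_used_privs
 WHERE capture = 'APP_ROLE_CAPTURE';

-- Privileges granted through APP_ROLE but never exercised: revoke candidates.
SELECT username, sys_priv, obj_priv, object_owner, object_name
  FROM dba_unused_privs
 WHERE capture = 'APP_ROLE_CAPTURE';

-- Revoke only after reviewing the unused list against code paths the
-- workload may not have reached (constructed example of one revocation):
-- REVOKE ALTER ANY TABLE FROM app_role;
```

The result only reflects what ran while the capture was enabled, so a privilege missing from DBA_USED_PRIVS after a short window is not proof it is unnecessary.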

Database Vault also enables customers to realize the full potential of Oracle Database 12c multitenant-based consolidation by preventing common database administrators from accessing application data stored in a pluggable database. With three distinct separation-of-duty controls, Database Vault is critical to regulatory compliance in multitenant environments.

Conditional Auditing. Oracle Database 12c introduces a new auditing framework that creates audit records based on the context of the database session. For example, an audit policy can be defined to audit all SQL statements unless they are coming from the application server’s IP address and with the given program name. Out-of-policy connections can be fully audited while no audit data will be generated for others, enabling highly selective and effective auditing.

New roles have been introduced for managing audit data and audit policies inside the database. Audit data integrity is further protected by restricting management to the built-in audit data management package, preventing audit trail tampering using ad hoc SQL commands. Multiple audit statements can be grouped together for easier management. Three default audit policies are configured and shipped out of the box.
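The application-server exemption described above, as an added example that is not from the original post, written as a 12c unified audit policy; the address 10.0.0.25, the program name and the policy name are constructed placeholders.

```sql
-- Added example, not from the original post. The address, the program name
-- and the policy name are constructed placeholders.
-- Creating and enabling policies requires the AUDIT_ADMIN role.
CREATE AUDIT POLICY audit_non_app_sessions
  ACTIONS ALL
  -- Audit every statement unless the session comes from the application
  -- server's address AND identifies itself as the application; both must
  -- hold for the session to be exempt.
  WHEN 'SYS_CONTEXT(''USERENV'',''IP_ADDRESS'') <> ''10.0.0.25''
        OR SYS_CONTEXT(''USERENV'',''CLIENT_PROGRAM_NAME'') <> ''orders_app@appsrv01 (TNS V1-V3)'''
  -- Checked once at logon, so exempt sessions pay no per-statement cost.
  EVALUATE PER SESSION;

-- Apply to all users; append "BY user" to narrow the scope.
AUDIT POLICY audit_non_app_sessions;

-- Reading the trail requires AUDIT_VIEWER. In 12.1 records are first queued
-- in memory, so flush them through the audit management package before
-- querying; the same package, not ad hoc DML, is the only supported way to
-- purge or archive the trail.
EXEC DBMS_AUDIT_MGMT.FLUSH_UNIFIED_AUDIT_TRAIL;

-- UNIFIED_AUDIT_POLICIES lists every policy that matched, comma-separated.
SELECT event_timestamp, dbusername, client_program_name, action_name, sql_text
  FROM unified_audit_trail
 WHERE unified_audit_policies LIKE '%AUDIT_NON_APP_SESSIONS%'
 ORDER BY event_timestamp DESC;
```

CLIENT_PROGRAM_NAME is reported by the client, so treat the exemption as a noise filter on trusted infrastructure rather than a security boundary, and keep a narrower policy on the application account itself for the actions that matter most.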

Additionally, Oracle Audit Vault and Database Firewall now supports Oracle Database 12c, and can be used to collect, consolidate, alert and report on audit data from Oracle and non-Oracle databases and operating systems. Oracle Audit Vault and Database Firewall can also monitor Oracle Database 12c SQL activity over the network, blocking any unauthorized activity such as SQL injection attacks, or insider abuse.

Sensitive Data Discovery and Management. Locating and cataloging sensitive data is more critical than ever. Oracle Enterprise Manager Data Discovery and Modeling (DDM) and Sensitive Data Discovery (SDD) facilitate the process of locating sensitive data within an application and applying security controls on that data. In addition, the new Oracle Database 12c Transparent Sensitive Data Protection (TSDP) can load sensitive information from Oracle Enterprise Manager Data Discovery and Modeling into the Oracle database and apply security controls such as Data Redaction. This greatly reduces the operational burden of managing sensitive data consistently in Oracle Database 12c environments.

Real Application Security. Oracle Database 12c introduces the next generation authorization framework to support the increased application security requirements in multitenant environments. Unlike the traditional Oracle VPD, Oracle Database 12c Real Application Security (RAS) provides a declarative model that allows developers to define the data security policy based on application users, roles and privileges within the Oracle Database. This new RAS-based paradigm is more secure, scalable, and cost effective.

In addition to these critical new capabilities, Oracle Database 12c greatly strengthens the overall database security posture with new Oracle Database Vault realm controls, Oracle Advanced Security TDE key management, Oracle Enterprise Manager Security Console, and more.

All the security capabilities available in Oracle Database 12c are compatible with the new multitenant architecture in Oracle Database 12c. As a result, customers can quickly and efficiently address the unique security requirements of each pluggable database. The security policies move with the pluggable database when it is unplugged from one and plugged into a new Oracle Database 12c multitenant server.

Learn more about Oracle Database Security

Wednesday Jun 05, 2013

Comprehensive Database Security Defense-in-Depth

Recent successful cyber attacks against some of the most security-savvy organizations have put into question IT security strategies across all industries. The reliance on network security and user credentials has left many institutions vulnerable to attacks by insiders, outsiders exploiting stolen credentials, and SQL injection attacks. Additionally, the pervasive use of production data in non-production environments means that attackers can focus their efforts on a development or test server. Analysts estimate that less than 20% of IT security plans address database security.

Oracle Database Security

When Oracle talks about having a comprehensive database strategy, it includes defense-in-depth security controls that protect multiple layers in and around the database environment.

  • Preventive controls are those that are intended to avoid an incident from occurring
  • Detective controls help identify an incident's activities and potentially an intruder
  • Administrative controls are the tools that help with the process and procedures associated with database security
To learn more about each of the Oracle Database Security controls, please visit oracle.com/database/security

Friday Sep 21, 2012

Latest Security Inside Out Newsletter Now Available

The September/October edition of the Security Inside Out Newsletter is now available. Learn about the Oracle OpenWorld database security sessions, hands-on labs, and demos you'll want to attend, as well as frequently asked questions about Label-Based Access Controls in Oracle Database 11g. Subscribe here for the bi-monthly newsletter.

...and if you haven't already done so, join Oracle Database on these social networks:

Tuesday Aug 07, 2012

Database Insider Newsletter, August: Oracle Data Masking Strengthens Security of Oracle E-Business Suite Data

The August edition of Database Insider highlights new Oracle E-Business Suite templates for Oracle Data Masking:

To more easily and effectively protect sensitive data in nonproduction environments, Oracle has released the new Oracle E-Business Suite 12.1.3 template for data masking. The latest release is part of a suite of products designed specifically to protect sensitive data in Oracle E-Business Suite environments, including Oracle Advanced Security, Oracle Database Vault, Oracle Audit Vault, and Oracle Database Firewall.

“It’s important to protect sensitive production data, especially when copying to nonproduction environments for testing, QA, development, or offshoring and outsourcing purposes,” explains Willie Hardie, vice president, Oracle Database Product Marketing. “However, manually masking data in enterprise application databases can be time-consuming, and if not done correctly, easily prone to error. Masking data must maintain referential integrity so that applications can continue to function properly without exposing sensitive data.”

Read more. Subscribe to Information InDepth, Database Insider Edition and get monthly database news in your inbox.

Monday Jul 09, 2012

Lockdown Your Database Security

A new article in Oracle Magazine outlines a comprehensive defense-in-depth approach for appropriate and effective database protection. There are multiple ways attackers can disrupt the confidentiality, integrity and availability of data and therefore, putting in place layers of defense is the best measure to protect your sensitive customer and corporate data.

“In most organizations, two-thirds of sensitive and regulated data resides in databases,” points out Vipin Samar, vice president of database security technologies at Oracle. “Unless the databases are protected using a multilayered security architecture, that data is at risk to be read or changed by administrators of the operating system, databases, or network, or hackers who use stolen passwords to pose as administrators. Further, hackers can exploit legitimate access to the database by using SQL injection attacks from the Web. Organizations need to mitigate all types of risks and craft a security architecture that protects their assets from attacks coming from different sources.”

Wednesday May 02, 2012

Database Security Events in May

  • Tue, May 1 - Atlanta, GA
  • Thu, May 3 - Houston, TX
  • Tue, May 8 - Denver, CO
  • Wed, May 9 - Portland, OR
  • Thu, May 10 - Salt Lake City, UT
  • Tue, May 15 - San Francisco, CA
  • Thu, May 17 - Orange County, CA

May 14-17, FS-ISAC & BITS Annual Summit - Miami FL

Wed, May 30, Webcast: Best Practices for Database Privileged User Access Control

More Database Security events.

Tuesday Feb 14, 2012

Formulate a Database Security Strategy

Although most organizations are taking stronger measures to protect their data, significant gaps still exist at the very core — their databases. Many don’t have a comprehensive database security strategy to defend against sophisticated attacks, track sensitive data, or even meet emerging regulatory requirements. In addition, organizations tend to focus on detective controls rather than preventive measures when it comes to database security.

By contrast, leading industry analyst Forrester finds that implementing a comprehensive and integrated database security solution with a strong emphasis on preventive measures enables organizations to improve security controls and introduce a higher degree of automation across the enterprise. Learn more.

Tuesday Jan 03, 2012

Is Your Organization Susceptible to a Data Breach?

If your answer is yes (or you're not sure), then you aren’t alone. According to the recent Independent Oracle Users Group Data Security Survey, 60% said that a data breach is likely, or that they’re not sure what to expect, over the next 12 months. As you prepare to secure your databases in 2012, see the first in our “real world” video series, which illustrates the different ways organizations are susceptible to security breaches and how Oracle can help mitigate them.

X Marks the Spot - An oil company finds that its drilling efforts are way off target: someone has tampered with mission-critical enterprise intelligence. More than half of organizations would have no way of knowing if privileged users are abusing their access. Learn about Oracle Audit Vault for database activity auditing, alerting and reporting.

Friday Nov 04, 2011

RSA Attack Tip of the Iceberg and Wake Up Call for Organizations Worldwide?

Security experts now say that RSA wasn’t the only corporation victimized in the attack that shook corporate and government leaders worldwide. If this could happen to a security company like RSA, could it happen to any organization? Apparently the answer is yes: about 760 other organizations, according to a recent post on Brian Krebs’s blog. Interestingly enough, none of these organizations have spoken out. Is it because they don’t want the brand hit, or is it just that they didn’t know what happened? My money’s on the latter.

Every year Verizon reports that the majority of data breaches are discovered by third parties. I wonder how many of the 760 companies Krebs named are scrambling to figure out what was compromised in the attack. Were critical business plans stolen? Or were manufacturing parameters changed? Going through logs looking for clues. But wait, what logs? According to a recent survey of the Independent Oracle User Group, only 30% of organizations are monitoring reads and writes to sensitive data stored in their databases. Taken in combination with the lack of preventive controls at the database layer, most organizations are soft targets for Advanced Persistent Threats as well as not-so-advanced opportunistic attacks like the LizaMoon SQL injection attack used to compromise over 4 million databases in a single day.

So what’s the solution: Auditing? Database Firewalls? Encryption? Privileged user controls? Strong authentication? Multi-factor authorization? Yes, yes, yes, yes, yes, and yes. The answer is defense in depth. I am still surprised how many seasoned IT Security professionals don’t want to hear this answer. But security requires investment and vigilance. Our defenses must become as advanced and persistent as the threats we are trying to combat.

Thursday Sep 15, 2011

IDC Report: Effective Data Leak Prevention Programs - Start by Protecting Data at the Source, Your Databases

What’s Missing from your Data Loss Prevention Strategy?

Although most organizations have data leak prevention (DLP) programs in place, IDC finds they are missing strategic solutions to protect their most valuable data assets – databases. IDC estimates the amount of data is doubling every two years and as the overall amount of data grows, so does the amount of sensitive and regulated information.

This IDC white paper presents a proactive approach to data protection, discusses the growing threats to enterprise data, and examines how government regulations are driving requirements for additional data protections.

Download the report and learn how enterprises must adopt security best practices that combine both DLP and database security to mitigate data breaches while ensuring data availability.

Wednesday Aug 24, 2011

Shady RAT Raises the Ante on Data Breaches

Recently McAfee published an interesting report about what they called Operation Shady RAT, focusing on a series of “advanced persistent threat” attacks. Although many of these attacks were not so advanced, and more often than not opportunistic rather than persistent, they represent a new phenomenon:

“The key to these intrusions is that the adversary is motivated by a massive hunger for secrets and intellectual property; this is different from the immediate financial gratification that drives much of cybercrime.”

The report says that victims include government agencies in the United States, Taiwan, South Korea, Vietnam, and Canada, the Olympic committees in three countries, and the International Olympic Committee. Rounding out the list of countries where Shady RAT hacked into computer networks: Japan, Switzerland, the United Kingdom, Indonesia, Denmark, Singapore, Hong Kong, Germany, and India. The vast majority of victims—49—were U.S.-based companies, government agencies, and nonprofits. The category most heavily targeted was defense contractors—13 in all.

What does this mean to organizations? It’s no longer just about credit card and social security numbers, or even your reputation. It’s about your business. Trade secrets. Customers. Strategic plans. All of it. It’s hard to disagree with McAfee’s conclusion that the Fortune Global 2000 firms now fall into two categories: those that know they’ve been compromised and those that don’t yet know.

I am still amazed by the number of customers I talk to that really are doing nothing to protect the databases that hold their crown jewels. The majority of customers I talk to still don’t have enough auditing to know who’s accessing or tampering with data in their databases or the database infrastructure itself. Even more importantly they don’t have the preventive controls to ensure that this doesn’t happen. More on this as the 2011 IOUG Security Survey results are released.

For now, I urge organizations to really look at what they are doing to protect their databases, think about what the bad guys are doing to attack their databases, and stop going around “eyes wide shut”…

Wednesday Aug 03, 2011

Q&A from Oracle Database 11g Security and Compliance Webcast

Last week we had more than 2900 registrants for the Oracle Database 11g Security and Compliance webcast with guest speaker Tom Kyte. With hundreds of questions coming in, we weren’t able to answer them all. Here are answers to some of the most common questions. If you missed the webcast and want to watch the recording, or would like to sign up for upcoming webcasts in the series, register here.

Q: What is the performance overhead of implementing Oracle Advanced Security with Transparent Data Encryption?
A: According to internal benchmarks and feedback from successful production implementations, the performance overhead is in the single digits. With Oracle Database 11g Release 2 Patchset 1 (11.2.0.2), the hardware crypto acceleration based on AES-NI available in most Intel® XEON® 5600 CPUs is automatically leveraged by TDE tablespace encryption, making TDE tablespace encryption a 'near-zero impact' encryption solution. Listen to TransUnion talk about their experience deploying tablespace encryption.

Q: Can the Oracle Database Firewall be used to monitor performance?
A: Yes. The Oracle Database Firewall can non-intrusively monitor SQL traffic to and from the database, including the database response and the status of SQL statement execution. Because it records execution times for logged database activity, it can help developers monitor and assess SQL query performance on production databases, find slow or inconsistently performing queries, and identify all clients connecting to a specific database before and after a migration. Learn more in the upcoming Database Firewall webcast.

Q: How does Oracle Data Masking protect sensitive data in non-production environments?
A: With Oracle Data Masking, sensitive information such as credit card or social security numbers can be replaced with realistic values, allowing production data to be safely used for development, testing, or sharing with outsourced or offshore partners for other non-production purposes. In other words, sensitive data is protected by not being made available in these environments. To better understand data masking, take a look at the flash demo.

Q: Can the Oracle Database Vault administrator/owner see data protected by a realm?
A: No. The Oracle Database Vault owner account can only set up the realm. It cannot see data protected by a realm. This is part of the separation of duty that Oracle Database Vault enforces. Learn more in the Oracle Database Vault Best Practices whitepaper.

And the most frequently asked question…

Q: Is this webcast being recorded?
A: Yes, you can get the recording here, as well as register for upcoming webcasts in the series. Don’t miss the next one, Blocking SQL Injection Attacks and Other Threats with Oracle Database Firewall on August 25th at 11am PT, featuring guest speaker Steve Moyle, CTO of Oracle Database Firewall.

Monday Jul 18, 2011

Oracle Database 11g Security and Compliance Solutions Webcast Series

As many of you are rolling out Oracle Database 11g across your enterprise, and taking advantage of the unprecedented performance of the new Oracle Exadata Database Machine to consolidate your databases, now is the time to think about security. So for the next few months, we will be presenting a series of webcasts on Oracle Database 11g Security and Compliance to help you take advantage of your database infrastructure to protect data privacy, address regulatory compliance requirements, and defend against SQL injection and other attacks.

Our first webcast, July 28 at 10am PT, will feature Tom Kyte of the popular “Ask Tom” web site. Tom will introduce you to the comprehensive database security solutions offered by Oracle and help you understand the importance of each solution in a complete database defense in depth strategy.

When you register for this webcast, you will also have an opportunity to register for all the webcasts in the series:

  • Blocking SQL Injection Attacks and Other Threats with Oracle Database Firewall
  • Database Activity Auditing, Alerting and Reporting with Oracle Audit Vault
  • Transparent Data Encryption with Oracle Database 11g
  • Privileged User Access Control with Oracle Database 11g
And in the meantime, check out our new Oracle Database Security Resource Library. It includes whitepapers, demos, and everything else you need to get started today.