Wednesday Dec 18, 2013

Teaser for New eBook on Securing Oracle Database 12c

I am really excited about our new book from the Oracle Database Security team here at Oracle. Securing Oracle Database 12c: A Technical Primer will be available as an early gift to database and security practitioners around the world this holiday season. Go pre-register for your free copy (code: db12c) of the ebook, and as a teaser, here's the Introduction. Enjoy.

Introduction to Oracle Database 12c: A Technical Primer

The problem of securing important information has unfortunately become a familiar one to organizations everywhere. A constant stream of news reports tells of successful attacks that gain access to sensitive data and the legal, economic, and reputational damage that results. Even though the vast majority of sensitive data is stored in relational databases, very little of the information security effort in most organizations is devoted to making those databases secure.

While there are many technologies and products available to improve the security of a database in various ways, what is needed is a brief but comprehensive overview that describes the major threats and appropriate techniques to address them. Attackers can be expected to exploit any available weakness including incorrect configuration of security controls in the database, unpatched operating system vulnerabilities, or compromised user accounts. More indirect methods such as SQL injection or intercepting data on the network are also possible. Truly securing a database system requires consideration of any opening an attacker might use.

Each chapter in this book covers a single threat area, but they are all related. There is no single solution that prevents all methods of attack, and each security mechanism reinforces the others. Defense-in-depth is the only way to effectively combat both threats that are known today and those that will be discovered tomorrow.

We begin with security features available within the database itself.

  • Chapter 1: Controlling Data Access and Restricting Privileged Users describes the fundamental notions of authenticating users and controlling the data that they can access. It covers best practices for determining the access that each user requires and limiting the powers of highly privileged users.
  • Chapter 2: Preventing Direct Access to Data explains the use of encryption to prevent attacks that attempt to gain access to data directly, bypassing the access controls described in the previous chapter.
  • Chapter 3: Advanced Access Control covers more sophisticated access control mechanisms that allow for more precise control. These mechanisms include Virtual Private Database, Oracle Label Security, and Real Application Security.
  • Chapter 4: Auditing Database Activity describes the techniques for maintaining an effective audit trail, which is a vital defense-in-depth technique to detect misuse by privileged users and unexpected violations of the security policies implemented in the previous chapters.

We then broaden the discussion to include external components that improve the security of the database and the data it stores.

  • Chapter 5: Controlling SQL Input explains the use of a specialized database firewall to monitor the SQL statements going to the database. This helps to protect the database against SQL injection attacks launched by Web users.
  • Chapter 6: Masking Sensitive Data covers the use of data masking to remove sensitive information from data that is used for test or development purposes. It also describes the use of Data Redaction to dynamically mask the results of queries on production databases.
  • Chapter 7: Validating Configuration Compliance describes the need to evaluate the database configuration against accepted standards and the tools available for performing the evaluation to ensure continued compliance.

Throughout the book, we highlight new features found in Oracle Database 12c. However, the majority of the solutions described in this book are applicable to earlier Oracle Database releases as well.

Pre-register for the ebook now; it will be available before 2014!

Use access code "db12c".

Friday Dec 13, 2013

Security Inside Out Newsletter, December Edition

Get the latest edition of the Security Inside Out newsletter to learn the top database security trends in 2014 and read the Q&A with Oracle and IOUG data security experts as they discuss key highlights of the new 2013 IOUG Enterprise Data Security Survey Report. Plus, much more.

And don't miss the opportunity to subscribe and receive the newsletter in your inbox every other month! 

Tuesday Nov 26, 2013

Security Inside Out: Where to Start?

Guest article written by Eric Maurice, Director for Oracle Software Security Assurance.

In my current role, I assist with the definition and communication of many Oracle security policies as they apply to the development of our products as well as how we look at security internally for the protection of our corporate systems and the systems we host on behalf of our customers. Since Oracle runs its business on Oracle products, our security organizations have developed extensive expertise in how to secure our products “across the stack” and in various deployment scenarios. I often interact with customers to answer security questions related to our products (e.g., questions around Oracle’s secure development and vulnerability handling practices) and security processes (e.g., questions related to how we handle security patching and define and enforce secure configurations).

In addition, I am periodically engaged in more general discussions with customers in regards to how to best strategically approach security in their organizations.  These conversations are usually prompted by failed security audits of some systems, change in IT management in the organization (new IT managers or CISO), launch of major IT projects, or suspicions and sometimes evidence of a past security incident.  In such instances, a renewed focus on securing the organization can quickly become overwhelming.  There are many IT frameworks intended to help organizations tackle security policies such as COBIT and ISO/IEC 27000.  However, what IT professionals more often need in these instances is to adopt a security philosophy, and to switch to a new perspective on IT operations.  Only then can they fully leverage the various frameworks available to them, as opposed to blindly engaging in a security documentation exercise that has little practical value for the organization besides generating healthy profits for outside auditors and pen testers.

So where do you start?  What intellectual process must you follow to take a fresh look at your organization’s security posture?  In my opinion, the first challenge is to come to the realization that your organization needs to “get back to the basics.”  What are your top 10 business-critical systems (or mission-critical systems)?  What components of your IT infrastructure comprise these business-critical systems?  What does it mean if any one of them is compromised or unavailable?  What are the top threats in your environment?  In my experience, many organizations’ IT investments or security policies are not intended to address the top threats that affect their business critical systems.  Are yours?  Do you actually invest your time and security resources to address significant threats to your business-critical systems?  The ugly truth that we all have to come to term with is that unless you have an unlimited IT budget or a very small IT environment to manage (and no operational needs to ever change it), you cannot afford to strongly secure all your systems equally well all the time. 

The second challenge with taking a fresh look at your organization’s security posture is thinking multidimensionally. Security does not exist in a silo, even though most large organizations where specialization is required have such IT silos. Are DBAs aware of existing network security access controls around the databases they manage? Do they understand the security model of the applications? Do application managers and users understand database security models? Have system security configurations been developed collaboratively between the different IT staffs? Do systems administrators understand the chain of trust that exists between the different systems they manage? This is where the traditional concept of “security-in-depth” comes to play. Has the organization implemented complementary (and not necessarily redundant) security controls across the technology stack in the enterprise? For example, application bypass attacks can be prevented by strong database access control security policies. OS access control policies should be enforced so that privileges around system files as well as against relevant database and application files (and log files), and resources on all servers in the environment are tightly controlled. At a network level, network access control policies should be set so as to limit, as much as possible, connections of database servers with their respective application servers. Note, however, that network access control policies should not prevent customers from implementing valid node-checking in their databases.

On a related topic, native network encryption and SSL/TLS and strong authentication services (Kerberos, PKI, and RADIUS) no longer require a separate license and are available in all licensed editions of all supported releases of the Oracle database. Database customers should take advantage of this licensing change to enable network encryption and, if possible, strong authentication. A similar hardening approach should be used between applications servers and web servers when the applications are exposed to the Internet. Tightly controlling subnets around critical systems and controlling how systems can connect with each other bring organizations a long way toward maintaining a good security posture.

Multidimensional thinking should not be limited to technical issues affecting the IT environment.  Multidimensional security thinking should also apply to the organization overall.  For example, the human factor remains one of the weakest links from a security perspective.  Organizations generally train staff about what constitute good passwords, but do they sensitize staff to social engineering issues?  Ongoing security training for all staff is necessary for the organization in the same way that firewalls and traditional security technologies are required. 

So where do you start when you need to reassess the security posture of the organization?  Start with the basics: know your systems and who uses them.  Try to think like a hacker and question closely-held assumptions and technical silos: malicious hackers will not feel bound by technical diagrams and organizational expectations of how systems will be accessed.  By all means, take advantage of the various security methodologies and frameworks, but do not get caught exclusively in a policy documentation or audit exercise.  Periodically assess your security readiness, and when appropriate do selective pen-testing (keeping in mind that demonstrating how to break a window does not necessarily help you safeguard the entire house).  Understand the security assurance practices of your strategic vendors as they will have great impact on the security posture of the organization.  And of course, keep up with releases and Oracle’s Critical Patch Updates.  Obsolete and unsupported versions, regardless of their initial vendors, can become ticking time bombs, as security patches become no longer available, but exploits for these systems become widely known (and scripted into hacking tools).  

Sunday Oct 06, 2013

New Database Threats Require New Innovations in Security

If you attended OpenWorld this year, you learned about the advances in Database 12c. As we collect more data and store our data in remote locations and the cloud, 12c restores control with advances to secure your data at the source. At the Chief Security Officer Summit at Leaders Circle, Vipin Samar discussed the changes in the security landscape that are forcing companies to re-examine how data is secured. The recent APT1 report by Mandiant highlights exactly how pervasive the threats are across every industry.

While the report covers the exploits of a specific government, the techniques being used are similar across the board. A recent report by the Ponemon Institute noted that 43% of the most serious attacks are SQL injection attacks. The statistic implies that organizations are not as prepared to secure databases as they should be, and that our most valuable data actually resides in our databases.

It seems almost every report on the state of IT security mentions database security. As an example, the PWC Global State of Information Security report provides a survey by region of database encryption. In North America alone, 53% of companies don't encrypt databases. Despite the threats, organizations are not fully responding.

The slides below provide a perspective on how a comprehensive approach to database security can set the foundation for preventing some of the most advanced threats. With Database Security 12c, there are several advances that organizations will want to focus on:

  • Database Redaction - learn more here.
  • Privilege Analysis - learn more here.
  • Audit Vault Firewall - learn more here.
  • More about security in 12c here.

For a limited time, you can register for a free copy of a new book on Database Security 12c.

Tuesday Aug 06, 2013

Learn About The Latest Security Innovations in Oracle Database 12c

More Security Capabilities Than Ever Before 

Join us Thursday, August 15, 2013 at 10:00 a.m. PT / 1:00 p.m. ET for Security Inside Out: Latest Innovations in Oracle Database 12c Webcast (Webcast will be recorded, so you can still use this link)

Did you know that Oracle Database 12c includes more new security capabilities than any other prior release? In this webcast you will learn about these capabilities, as well as innovative new solutions to protect Oracle Database instances and non-Oracle databases.

Join us to hear how Oracle is responding to customer requirements. Discover how Oracle Database 12c helps businesses stay ahead of the evolving security threat and regulatory landscape with preventive and detective security controls that include:

  • Sensitive data discovery
  • Real-time data redaction
  • Privilege analysis

Plug into Defense-in-Depth with Oracle Database 12c

Designed for the Cloud, the new multitenant architecture of Oracle Database 12c now enables customers to greatly simplify and accelerate database consolidation by enabling the management of hundreds of databases as one. To protect the unprecedented amounts of data customers will store within their databases, Oracle Database 12c also introduces more security capabilities than any previous Oracle Database release.

“Oracle Database 12c represents a complete shift in database technology. With the growing amount of stored data, these new multitenant databases will be targeted by both hackers and insiders, and scrutinized by auditors more than ever,” says Vipin Samar, vice president, database security product development, Oracle. “It’s imperative that customers take advantage of the new security capabilities in Oracle Database 12c to protect their data and database infrastructure.”

Key new capabilities to help customers mitigate risks and address compliance requirements include:

Data Redaction. Part of Oracle Advanced Security, Data Redaction complements transparent data encryption (TDE) by ensuring sensitive data is not exposed to users of current applications. While TDE protects information from database bypass attacks at the operating system level, Data Redaction conditionally redacts sensitive data in the outgoing result set by replacing original data with **** or any other fixed or random string of choice based upon the customer requirements. Data is redacted based on simple declarative policies that take into account rich database session context such as IP address, program name, and application user. The original data remains unaltered along with existing operational procedures.
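As an added illustration of the policy model described above (not code from the announcement or from Oracle's documentation), the following Oracle Database 12c DBMS_REDACT policy partially masks a Social Security number column so that anyone other than a designated administrator sees only the last four digits; the HR schema, EMPLOYEES table, SSN column and HR_ADMIN user are assumed names.

```sql
-- Added example: a Data Redaction policy on a hypothetical HR.EMPLOYEES table.
-- HR, EMPLOYEES, SSN and HR_ADMIN are assumed names, not taken from the page.
-- Requires Oracle Database 12c with Oracle Advanced Security and EXECUTE on DBMS_REDACT.
BEGIN
  DBMS_REDACT.ADD_POLICY(
    object_schema       => 'HR',
    object_name         => 'EMPLOYEES',
    column_name         => 'SSN',
    policy_name         => 'redact_employee_ssn',
    -- Partial redaction: input format is 9 digits (V) with two fixed separators (F),
    -- output format re-inserts the dashes, mask character X, mask positions 1 to 5.
    -- Result for a non-privileged user: XXX-XX-1234 (last four digits kept).
    function_type       => DBMS_REDACT.PARTIAL,
    function_parameters => 'VVVFVVFVVVV,VVV-VV-VVVV,X,1,5',
    -- Policy expression, evaluated per query: redaction is applied whenever it is TRUE.
    -- Session context such as IP_ADDRESS or CLIENT_PROGRAM_NAME can be tested the same way.
    expression          => 'SYS_CONTEXT(''USERENV'',''SESSION_USER'') != ''HR_ADMIN''',
    enable              => TRUE);
END;
/

-- Stored data is unchanged; only the outgoing result set is masked. A session other
-- than HR_ADMIN (and without the EXEMPT REDACTION POLICY privilege) now sees masked values.
SELECT employee_id, ssn
FROM   hr.employees
WHERE  ROWNUM <= 3;

-- Verification: list the policy and the condition under which it fires.
SELECT object_owner, object_name, policy_name, expression, enable
FROM   redaction_policies;
```

Because the expression is re-evaluated for every query, a change in session context (for example, a different connecting program) changes the result without any change to the application or the stored rows.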

Privilege Analysis. Part of Oracle Database Vault, Privilege Analysis can harden database access by identifying users’ or applications’ unused privileges and roles based upon the actual roles and privileges used at runtime on production servers. Typically over time, applications and users amass powerful privileges and roles that may no longer be necessary. Finding the set of used roles and privileges is important because it helps identify the minimal set required and allows unused privileges to be revoked, reducing the attack surface.
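The capture-then-compare workflow described above, as an added example that is not the announcement's or Oracle's own code: it records the privileges one application account actually exercises and then lists the grants it never used. The capture name, the HR_APP account and the HR_APP_CAPTURE label are assumptions.

```sql
-- Added example: privilege analysis for a single application account.
-- 'hr_app_capture' and the HR_APP user are assumed names, not taken from the page.
-- Requires Oracle Database 12c, Oracle Database Vault, and the CAPTURE_ADMIN role.

-- 1. Define the capture. G_CONTEXT records privilege use only in sessions where
--    the condition is TRUE, so other users' activity does not pollute the result.
BEGIN
  DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE(
    name        => 'hr_app_capture',
    description => 'Privileges actually used by HR_APP at runtime',
    type        => DBMS_PRIVILEGE_CAPTURE.G_CONTEXT,
    condition   => 'SYS_CONTEXT(''USERENV'',''SESSION_USER'') = ''HR_APP''');
END;
/

-- 2. Record across a representative workload window. Include periodic jobs
--    (month-end, year-end) or rarely used but legitimate privileges will be flagged.
EXEC DBMS_PRIVILEGE_CAPTURE.ENABLE_CAPTURE('hr_app_capture');
-- ... application runs for the observation window ...
EXEC DBMS_PRIVILEGE_CAPTURE.DISABLE_CAPTURE('hr_app_capture');
EXEC DBMS_PRIVILEGE_CAPTURE.GENERATE_RESULT('hr_app_capture');

-- 3. Granted but never exercised: candidates for revocation.
SELECT username, used_role, sys_priv, obj_priv, object_owner, object_name
FROM   dba_unused_privs
WHERE  capture = 'hr_app_capture'
ORDER  BY username, sys_priv, obj_priv;

-- 4. Exercised: the minimal set the application really needs.
SELECT username, used_role, sys_priv, obj_priv, object_owner, object_name
FROM   dba_used_privs
WHERE  capture = 'hr_app_capture'
ORDER  BY username, sys_priv, obj_priv;

-- 5. Revocations are written by hand after review of step 3, e.g.
-- REVOKE DROP ANY TABLE FROM hr_app;
```

Unused system privileges such as ANY-type grants are the ones most worth reviewing first, since they are what an attacker who compromises the application account would exploit.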

Database Vault also enables customers to realize the full potential of Oracle Database 12c multitenant-based consolidation by preventing common database administrators from accessing application data stored in a pluggable database. With three distinct separation-of-duty controls, Database Vault is critical to regulatory compliance in multitenant environments.

Conditional Auditing. Oracle Database 12c introduces a new auditing framework that creates audit records based on the context of the database session. For example, an audit policy can be defined to audit all SQL statements unless they are coming from the application server’s IP address and with the given program name. Out-of-policy connections can be fully audited while no audit data will be generated for others, enabling highly selective and effective auditing.

New roles have been introduced for managing audit data and audit policies inside the database. Audit data integrity is further protected by restricting management to the built-in audit data management package, preventing audit trail tampering using ad hoc SQL commands. Multiple audit statements can be grouped together for easier management. Three default audit policies are configured and shipped out of the box.
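The IP-address-and-program condition described above, as an added example rather than code from the announcement: a unified audit policy that records all access to two sensitive tables except from the known application tier. The address 10.0.0.25, the program name hr_app.exe, the HR tables and the policy name are assumptions.

```sql
-- Added example: conditional (unified) auditing in Oracle Database 12c.
-- 10.0.0.25, hr_app.exe, HR.EMPLOYEES, HR.SALARIES and the policy name are assumed values.
-- Requires Unified Auditing to be enabled and the AUDIT_ADMIN role.

-- Audit every action on the two tables, but only for sessions that do NOT look like
-- the application server. EVALUATE PER SESSION tests the condition once at connect,
-- so normal application traffic produces no audit records at all.
CREATE AUDIT POLICY hr_bypass_access
  ACTIONS ALL ON hr.employees,
          ALL ON hr.salaries
  WHEN 'SYS_CONTEXT(''USERENV'',''IP_ADDRESS'') <> ''10.0.0.25''
        OR SYS_CONTEXT(''USERENV'',''CLIENT_PROGRAM_NAME'') <> ''hr_app.exe'''
  EVALUATE PER SESSION;

-- A policy does nothing until it is enabled.
AUDIT POLICY hr_bypass_access;

-- Records may be queued in memory before being written; flush them before reviewing.
EXEC DBMS_AUDIT_MGMT.FLUSH_UNIFIED_AUDIT_TRAIL;

-- Review: direct connections (ad hoc tools, unexpected hosts) appear here.
-- UNIFIED_AUDIT_POLICIES may list several policies, hence LIKE rather than equality.
SELECT event_timestamp, dbusername, userhost, client_program_name,
       action_name, object_schema, object_name, sql_text
FROM   unified_audit_trail
WHERE  unified_audit_policies LIKE '%HR_BYPASS_ACCESS%'
ORDER  BY event_timestamp;

-- Housekeeping goes through DBMS_AUDIT_MGMT (e.g. CLEAN_AUDIT_TRAIL), never through
-- DELETE on the audit tables, which is what protects the trail against ad hoc tampering.
```

Note that CLIENT_PROGRAM_NAME and IP_ADDRESS are client-supplied attributes, so this policy is a filter for noise, not an authentication control; it should sit alongside the access controls in the earlier chapters rather than replace them.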

Additionally, Oracle Audit Vault and Database Firewall now supports Oracle Database 12c, and can be used to collect, consolidate, alert and report on audit data from Oracle and non-Oracle databases and operating systems. Oracle Audit Vault and Database Firewall can also monitor Oracle Database 12c SQL activity over the network, blocking any unauthorized activity such as SQL injection attacks, or insider abuse.

Sensitive Data Discovery and Management. Locating and cataloging sensitive data is more critical than ever. Oracle Enterprise Manager Data Discovery and Modeling (DDM) and Sensitive Data Discovery (SDD) facilitate the process of locating sensitive data within an application and applying security controls on that data. In addition, the new Oracle Database 12c Transparent Sensitive Data Protection (TSDP) can load sensitive information from Oracle Enterprise Manager Data Discovery and Modeling into the Oracle database and apply security controls such as Data Redaction. This greatly reduces the operational burden of managing sensitive data consistently in Oracle Database 12c environments.

Real Application Security. Oracle Database 12c introduces the next generation authorization framework to support the increased application security requirements in multitenant environments. Unlike the traditional Oracle VPD, Oracle Database 12c Real Application Security (RAS) provides a declarative model that allows developers to define the data security policy based on application users, roles and privileges within the Oracle Database. This new RAS-based paradigm is more secure, scalable, and cost effective.

In addition to these critical new capabilities, Oracle Database 12c greatly strengthens the overall database security posture with new Oracle Database Vault realm controls, Oracle Advanced Security TDE key management, Oracle Enterprise Manager Security Console, and more.

All the security capabilities available in Oracle Database 12c are compatible with the new multitenant architecture in Oracle Database 12c. As a result, customers can quickly and efficiently address the unique security requirements of each pluggable database. The security policies move with the pluggable database when it is unplugged from one and plugged into a new Oracle Database 12c multitenant server.

Learn more about Oracle Database Security

Wednesday Jun 05, 2013

Comprehensive Database Security Defense-in-Depth

Recent successful cyber attacks against some of the most security-savvy organizations have put into question IT security strategies across all industries. The reliance on network security and user credentials has left many institutions vulnerable to attacks by insiders, outsiders exploiting stolen credentials, and SQL injection attacks. Additionally, the pervasive use of production data in non-production environments means that attackers can focus their efforts on a development or test server. Analysts estimate that less than 20% of IT security plans address database security.

Oracle Database Security

When Oracle talks about having a comprehensive database strategy, it includes defense-in-depth security controls that protect multiple layers in and around the database environment.

  • Preventive controls are those that are intended to avoid an incident from occurring.
  • Detective controls help identify an incident's activities and potentially an intruder.
  • Administrative controls are the tools that help with the process and procedures associated with database security.

To learn more about each of the Oracle Database Security controls, please visit oracle.com/database/security

Friday Sep 21, 2012

Latest Security Inside Out Newsletter Now Available

The September/October edition of the Security Inside Out Newsletter is now available. Learn about Oracle OpenWorld database security sessions, hands-on labs, and demos you'll want to attend, as well as frequently asked questions about Label-Based Access Controls in Oracle Database 11g. Subscribe here for the bi-monthly newsletter.

...and if you haven't already done so, join Oracle Database on these social networks:

Tuesday Aug 07, 2012

Database Insider Newsletter, August: Oracle Data Masking Strengthens Security of Oracle E-Business Suite Data

The August edition of Database Insider highlights new Oracle E-Business Suite templates for Oracle Data Masking:

To more easily and effectively protect sensitive data in nonproduction environments, Oracle has released the new Oracle E-Business Suite 12.1.3 template for data masking. The latest release is part of a suite of products designed specifically to protect sensitive data in Oracle E-Business Suite environments, including Oracle Advanced Security, Oracle Database Vault, Oracle Audit Vault, and Oracle Database Firewall.

“It’s important to protect sensitive production data, especially when copying to nonproduction environments for testing, QA, development, or offshoring and outsourcing purposes,” explains Willie Hardie, vice president, Oracle Database Product Marketing. “However, manually masking data in enterprise application databases can be time-consuming, and if not done correctly, easily prone to error. Masking data must maintain referential integrity so that applications can continue to function properly without exposing sensitive data.”

Read more. Subscribe to Information InDepth, Database Insider Edition, and get monthly database news in your inbox.

Monday Jul 09, 2012

Lockdown Your Database Security

A new article in Oracle Magazine outlines a comprehensive defense-in-depth approach for appropriate and effective database protection. There are multiple ways attackers can disrupt the confidentiality, integrity and availability of data and therefore, putting in place layers of defense is the best measure to protect your sensitive customer and corporate data.

“In most organizations, two-thirds of sensitive and regulated data resides in databases,” points out Vipin Samar, vice president of database security technologies at Oracle. “Unless the databases are protected using a multilayered security architecture, that data is at risk to be read or changed by administrators of the operating system, databases, or network, or hackers who use stolen passwords to pose as administrators. Further, hackers can exploit legitimate access to the database by using SQL injection attacks from the Web. Organizations need to mitigate all types of risks and craft a security architecture that protects their assets from attacks coming from different sources.”

Wednesday May 02, 2012

Database Security Events in May

  • Tue, May 1 - Atlanta, GA
  • Thu, May 3 - Houston, TX
  • Tue, May 8 - Denver, CO
  • Wed, May 9 - Portland, OR
  • Thu, May 10 - Salt Lake City, UT
  • Tue, May 15 - San Francisco, CA
  • Thu, May 17 - Orange County, CA

May 14-17, FS-ISAC & BITS Annual Summit - Miami FL

Wed, May 30, Webcast: Best Practices for Database Privileged User Access Control

More Database Security events.

Tuesday Feb 14, 2012

Formulate a Database Security Strategy

Although most organizations are taking stronger measures to protect their data, significant gaps still exist at the very core — their databases. Many don’t have a comprehensive database security strategy to defend against sophisticated attacks, track sensitive data, or even meet emerging regulatory requirements. In addition, organizations tend to focus on detective controls rather than preventive measures when it comes to database security.

By contrast, leading industry analyst Forrester finds that implementing a comprehensive and integrated database security solution with a strong emphasis on preventive measures enables organizations to improve security controls and introduce a higher degree of automation across the enterprise. Learn more.

Tuesday Jan 03, 2012

Is Your Organization Susceptible to a Data Breach?

If your answer is yes (or you're not sure), then you aren’t alone. According to the recent Independent Oracle Users Group Data Security Survey, 60% said that a data breach is likely, or they’re not sure what to expect, over the next 12 months. As you prepare to secure your databases in 2012, see the first in our “real world” video series, which illustrates the different ways organizations are susceptible to security breaches and how Oracle can help mitigate them.

X Marks the Spot - An oil company finds that its drilling efforts are way off target: someone has tampered with mission-critical enterprise intelligence. More than half of organizations would have no way of knowing if privileged users are abusing their access. Learn about Oracle Audit Vault for database activity auditing, alerting and reporting.

Friday Nov 04, 2011

RSA Attack Tip of the Iceberg and Wake Up Call for Organizations Worldwide?

Security experts now say that RSA wasn’t the only corporation victimized in the attack that shook corporate and government leaders worldwide. If this could happen to a security company like RSA, could this happen to any organization? Apparently the answer is yes: about 760 other organizations, according to a recent post on Brian Krebs's blog. Interestingly enough, none of these organizations have spoken out. Is it because they don’t want the brand hit, or is it just that they didn’t know what happened? My money’s on the latter.

Every year Verizon reports that the majority of data breaches are discovered by third parties. I wonder how many of the 760 companies Krebs named are scrambling to figure out what was compromised in the attack. Were critical business plans stolen? Or were manufacturing parameters changed? Going through logs looking for clues. But wait, what logs? According to a recent survey of the Independent Oracle Users Group, only 30% of organizations are monitoring reads and writes to sensitive data stored in their databases. Taken in combination with the lack of preventive controls at the database layer, most organizations are soft targets for Advanced Persistent Threats as well as not-so-advanced opportunistic attacks like the LizaMoon SQL injection attack used to compromise over 4 million databases in a single day.

So what’s the solution: Auditing? Database Firewalls? Encryption? Privileged user controls? Strong authentication? Multi-factor authorization? Yes, yes, yes, yes, yes, and yes. The answer is defense in depth. I am still surprised how many seasoned IT Security professionals don’t want to hear this answer. But security requires investment and vigilance. Our defenses must become as advanced and persistent as the threats we are trying to combat.

Thursday Sep 15, 2011

IDC Report: Effective Data Leak Prevention Programs - Start by Protecting Data at the Source, Your Databases

What’s Missing from your Data Loss Prevention Strategy?

Although most organizations have data leak prevention (DLP) programs in place, IDC finds they are missing strategic solutions to protect their most valuable data assets – databases. IDC estimates the amount of data is doubling every two years and as the overall amount of data grows, so does the amount of sensitive and regulated information.

This IDC white paper presents a proactive approach to data protection, discusses the growing enterprise data threats and the impact government regulations have on requiring additional data protections.

Download the report and learn how enterprises must adopt security best practices that combine both DLP and database security to mitigate data breaches while ensuring data availability.
