Wednesday Dec 18, 2013

Teaser for New eBook on Securing Oracle Database 12c

I am really excited about our new book from the Oracle Database Security team here at Oracle. Securing Oracle Database 12c: A Technical Primer, will be available as an early gift to database and security practitioners around the world this holiday season. Go pre-register for your free copy (code: db12c) of the ebook and as a teaser, here's the Introduction. Enjoy.

Introduction to Oracle Database 12c: A Technical Primer

The problem of securing important information has unfortunately become a familiar one to organizations everywhere. A constant stream of news reports tells of successful attacks that gain access to sensitive data and the legal, economic, and reputational damage that results. Even though the vast majority of sensitive data is stored in relational databases, very little of the information security effort in most organizations is devoted to making those databases secure.

While there are many technologies and products available to improve the security of a database in various ways, what is needed is a brief but comprehensive overview that describes the major threats and appropriate techniques to address them. Attackers can be expected to exploit any available weakness including incorrect configuration of security controls in the database, unpatched operating system vulnerabilities, or compromised user accounts. More indirect methods such as SQL injection or intercepting data on the network are also possible. Truly securing a database system requires consideration of any opening an attacker might use.

Each chapter in this book covers a single threat area, but they are all related. There is no single solution that prevents all methods of attack, and each security mechanism reinforces the others. Defense-in-depth is the only way to effectively combat both threats that are known today and those that will be discovered tomorrow.

We begin with security features available within the database itself.

  • Chapter 1: Controlling Data Access and Restricting Privileged Users describes the fundamental notions of authenticating users and controlling the data that they can access. It covers best practices for determining the access that each user requires and limiting the powers of highly privileged users.
  • Chapter 2: Preventing Direct Access to Data explains the use of encryption to prevent attacks that attempt to gain access to data directly, bypassing the access controls described in the previous chapter.
  • Chapter 3: Advanced Access Control covers more sophisticated access control mechanisms that allow for more precise control. These mechanisms include Virtual Private Database, Oracle Label Security, and Real Application Security.
  • Chapter 4: Auditing Database Activity describes the techniques for maintaining an effective audit trail, which is a vital defense-in-depth technique to detect misuse by privileged users and unexpected violations of the security policies implemented in the previous chapters.

We then broaden the discussion to include external components that improve the security of the database and the data it stores.

  • Chapter 5: Controlling SQL Input explains the use of a specialized database firewall to monitor the SQL statements going to the database. This helps to protect the database against SQL injection attacks launched by Web users
  • Chapter 6: Masking Sensitive Data covers the use of data masking to remove sensitive information from data that is used for test or development purposes. It also describes the use of Data Redaction to dynamically mask the results of queries on production databases.
  • Chapter 7: Validating Configuration Compliance describes the need to evaluate the database configuration against accepted standards and the tools available for performing the evaluation to ensure continued compliance.

Throughout the book, we highlight new features found in Oracle Database 12c. However, the majority of the solutions described in this book are applicable to earlier Oracle Database releases as well.

Pre-Register for the ebook now, it will be available before 2014! 

Use access code "db12c". 

Tuesday Dec 17, 2013

Top Database Security Trends in 2014

Analysts estimate that two-thirds of organizations' sensitive and regulated data resides in their databases—and the total amount of that sensitive data is growing fast, along with the rest of the digital universe. One analyst claims it will reach 35 zettabytes by 2020. 

As a result, security professionals and database administrators need to be asking two fundamental questions.
  • Where is all of my sensitive data?
  • Who has access to that data?

As we look forward into 2014, the following trends highlight the importance of data security. Read More in the latest edition of the Security Inside Out Newsletter.

Friday Dec 13, 2013

Security Inside Out Newsletter, December Edition

Get the latest edition of Security Inside Out newsletter to learn the top database security trends in 2014 and read the Q&A with Oracle and IOUG data security experts as they discuss key highlights for the new 2013 IOUG Enterprise Data Security Survey Report. Plus, much more.

And don't miss the opportunity to subscribe and receive the newsletter in your inbox every other month! 

Friday Dec 06, 2013

Q&A: 2013 IOUG Enterprise Data Security Survey Report

With the recent release of the 2013 Independent Oracle Users Group (IOUG) Enterprise Data Security Survey Report, I caught up with security experts Roxana Bradescu, Director of Database Security Product Management at Oracle and Michelle Malcher, IOUG President and Oracle Ace Director, to get their perspectives on the report, and what organizations should take away from the results. 

This year, the report broke down the respondents into database security leaders and laggards based on how proactive they were in protecting their data. What are your thoughts on this?

MM: We thought it was more meaningful to contrast the security practices of leaders and laggards, rather than just report an average, which is not really as representative of what’s happening out there. We decided that for an organization to be a leader, they had to first know where all of their sensitive and regulated data resides, they have to encrypt that data, either at rest or in motion, to protect it outside the database, and monitor for database changes such as sensitive data reads and writes. For those respondents who answered negative to all three, the report qualifies them as laggards. So, we have 22% indicated as leaders at one end of a bell curve and 20% of laggards on the other; everyone else is somewhere on the bell curve.

RB: I think looking at the survey results on a bell curve this year really makes this report more actionable for organizations. Many of the companies I talk to are somewhere on the bell curve and are trying to figure out how to be in that top 22%. A lot of attacks are opportunistic and no one wants to be in that bottom 20%, the ones the survey found more likely to face a data breach. To be ahead of the curve, organizations need a defense-in-depth strategy. They need preventive controls like encrypting data, detective controls like monitoring for database changes, as well as administrative controls like knowing where all the sensitive and regulated data resides. But leaders go well beyond that to protect their data.

Of course being a leader requires organizations to make an investment. Michelle, what would you tell IOUG members are the benefits of being a leader?

MM: It is not surprising to see the report found that leadership behavior lowers risk.  Over the past year, leaders experienced a data breach nearly 3 times less than laggards. That’s for actual data breaches. When asked whether a data breach was likely over the next 12 months, 50% of the leaders said they were unlikely to experience one, whereas 62% of laggards said that yes, it is likely, or they were uncertain. 

Roxana, how does an organization move from a laggard to leader position?

Although each organization is different, the approach to protecting databases is common. I suggest organizations start with a database security assessment to understand their risks and controls. It’s critical they consider:

  • Preventing database by-pass
  • Preventing application by-pass
  • Managing privileged user access
  • Detecting and blocking SQL injection attacks 
  • Monitoring databases for system changes

Being able to proactively monitor a secure configuration for the database environment is important as well. Change control in the environment is critical. Oracle offers a lot of materials for customers to protect the mission critical data in their databases.

How can database administrators prepare for the New Year?

MM: Leaders say they have experienced less breaches than laggards, and are less likely to experience them in the future. When we examine what they are doing differently, it’s obvious why. I encourage database administrators and security professionals to read the report and discover where they can improve. 

RB: DBAs play a major role in the security within their organization. IDC states that 66% of sensitive and regulated data resides in databases. By securing their databases, DBAs can protect 66% of the data in their organization - that’s huge. We are seeing DBAs increasingly becoming proactive with a comprehensive database security strategy that includes preventive, detective, and administrative security controls. 

For more analysis and steps you can take to become a leader:

 

About

Who are we?

Follow us on

  • TwitterFacebookLinkedIn

Search

Archives
« December 2013 »
SunMonTueWedThuFriSat
1
2
3
4
5
7
8
9
10
11
12
14
15
16
19
20
21
22
23
24
25
26
27
28
29
30
31
    
       
Today