Are you encrypting database traffic? Are you sure? You should be!
By Roxana Bradescu on Oct 02, 2008
Less than a quarter of the 2008 IOUG Data Security Report respondents said they were encrypting all the application data on the network to/from databases, but about a third said they were encrypting some of their application data on the network to/from databases. To be honest, I was kind of surprised by this last part. I talk to a lot of our customers, and unfortunately many of them are still not encrypting any of the traffic between their application servers and their databases. So while at Oracle Open World, I decided to pose this question to some of the customers who came by our Oracle Advanced Security booth to see if I could get more insight into this response.
Sure enough, about a third said they were only encrypting some of their application data. When I asked them to tell me more, they said their database applications use HTTPS to encrypt some of the data. So if your database application uses HTTPS, then the application data is encrypted on the network to/from the database, right? Unfortunately, this is not actually the case. HTTPS (or HTTP over SSL) only means that the data between the web browser and the web/application server is encrypted; it does not mean that the connections from the web/application server to the database are encrypted.
The upshot of this is that some of the folks who think they are encrypting some of their application data on the network may be in for a rude surprise if a hacker gets access to their networks and starts eavesdropping on their traffic. In fact, the 25% of the 2008 IOUG Data Security respondents who said they were not encrypting any of the traffic and the 17% who said they were unsure if they were encrypting traffic may be in for the same rude surprise: a really big data breach. As I'm sure you recall, more than 45 million credit card numbers were stolen from TJX by hackers who got access to the company's network and eavesdropped on unencrypted traffic.
So if you’re one of the organizations that are not encrypting all your database traffic, you really should be. With Oracle Advanced Security, you can set up network encryption to your database in a matter of hours. You can also configure your Oracle databases to only accept mutually authenticated and encrypted connections. This means that in addition to protecting against network eavesdropping, you can also protect against unauthorized connections to your database.
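One way to answer the "are you sure?" question from inside the database, as an added example that is not part of the original post: the query below lists current user sessions and shows whether Oracle native network encryption and integrity checking were actually negotiated for each one. It assumes the account running it can read `V$SESSION` and `V$SESSION_CONNECT_INFO`.

```sql
-- Added example (not from the original post).
-- V$SESSION_CONNECT_INFO holds one row per network service banner per session.
-- A banner such as "AES256 Encryption service adapter for Linux: Version ..."
-- appears only when that algorithm is active for the session. The generic
-- "Encryption service for ..." banner is present either way, so match on
-- "service adapter" rather than on the word "Encryption".
SELECT s.sid,
       s.username,
       s.machine,
       s.program,
       -- first word of the adapter banner is the negotiated algorithm
       MAX(CASE
             WHEN i.network_service_banner LIKE '%Encryption service adapter%'
             THEN REGEXP_SUBSTR(i.network_service_banner, '^[^ ]+')
           END) AS encryption_alg,
       MAX(CASE
             WHEN i.network_service_banner LIKE '%Crypto-checksumming service adapter%'
             THEN REGEXP_SUBSTR(i.network_service_banner, '^[^ ]+')
           END) AS checksum_alg
FROM   v$session s
JOIN   v$session_connect_info i
       ON i.sid = s.sid
WHERE  s.type = 'USER'            -- skip background processes
GROUP  BY s.sid, s.username, s.machine, s.program
-- sessions with no native encryption (NULL) sort to the top for review
ORDER  BY encryption_alg NULLS FIRST, s.machine;

-- A NULL encryption_alg for an application server's session means its traffic
-- to the database is not protected by native network encryption, whatever the
-- browser-facing side does with HTTPS. To refuse such connections, the server's
-- sqlnet.ora sets SQLNET.ENCRYPTION_SERVER = REQUIRED; the default, ACCEPTED,
-- leaves encryption off unless the client asks for it.
```

Sessions that connect over TCPS (SSL) or locally without a network listener also show NULL here, so check the connection method for those before treating them as cleartext; for the current session, `SYS_CONTEXT('USERENV', 'NETWORK_PROTOCOL')` reports the protocol in use.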
To get started with Oracle Advanced Security today, check out Oracle Technical Network.