Monday Mar 16, 2015

Three Big Data Threat Vectors

The Biggest Breaches are Yet to Come

Where a few years ago we saw 1 million to 10 million records breached in a single incident, today we are in the age of mega-breaches, where 100 and 200 million records breached is not uncommon.

According to the Independent Oracle Users Group Enterprise Data Security Survey, 34% of respondents say that a data breach at their organization is "inevitable" or "somewhat likely" in 2015.

Combine this with the fact that the 2014 Verizon Data Breach Investigations Report tallied more than 63,000 security incidents—including 1,367 confirmed data breaches. That's a lot of data breaches.

As business and IT executives are learning by experience, big data brings big security headaches. Built with very little security in mind, Hadoop is now being integrated with existing IT infrastructure. This can further expose existing database data with less secure Hadoop infrastructure. Hadoop is an open-source software framework for storing and processing big data in a distributed fashion. Simply put, it was developed to address massive data storage and faster processing, not security.

With enormous amounts of less secure big data, integrated with existing database information, I fear the biggest data breaches are yet to be announced. When organizations are not focusing on security for their big data environments, they jeopardize their company, employees, and customers.

Top Three Big Data Threats

For big data environments, and Hadoop in particular, today's top threats include:
  • Unauthorized access. Built with the notion of “data democratization”—meaning all data was accessible by all users of the cluster—Hadoop is unable to stand up to the rigorous compliance standards, such as HIPPA and PCI DSS, due to the lack of access controls on data. The lack of password controls, basic file system permissions, and auditing expose the Hadoop cluster to sensitive data exposure.
  • Data provenance. In traditional Hadoop, it has been difficult to determine where a particular data set originated and what data sources it was derived from. At a minimum the potential for garbage-in-garbage-out issues arise; or worse, analytics that drive business decisions could be taken from suspect or compromised data. Users need to know the source of the data in order to trust its validity, which is critical for relevant predictive activities.
  • DIY Hadoop. A build-your-own cluster presents inherent risks, especially in shops where there are few experienced engineers that can build and maintain a Hadoop cluster. As a cluster grows from small project to advanced enterprise Hadoop, every period of growth—patching, tuning, verifying versions between Hadoop modules, OS libraries, utilities, user management etc.—becomes more difficult. Security holes, operational security and stability may be ignored until a major disaster occurs, such as a data breach.
Big data security is an important topic that I plan to write more about. I am currently working with MIT on a new paper to help provide some more answers to the challenges raised here. Stay tuned.

Thursday Jun 13, 2013

Why Rabobank Chose Oracle Database Vault

Rabobank was faced with two major challenges: addressing international compliance requirements and protecting sensitive data from privileged database users. In this podcast, Niels Zegveld, manager of database administration, tackled these challenges using Oracle Database Vault, without impacting system performance or applications.

Niels manages the database team that supports the investment banking business. The team runs Oracle Database 11g and Oracle Enterprise Manager to manage the maintenance of their databases. They have a mix of applications including Oracle FLEXCUBE and custom-built solutions.

Addressing Regulatory Requirements and Demonstrating Separation of Duties

Being an international bank, Rabobank must comply with mulitple regulations and regulatory bodies, including the Dutch National Bank and the FSA. As part of these regulations, Rabobank had to demonstrate that employees, or applications, that have access to sensitive data are the only ones that are authorized to have access.

The requirements of separtion of duties and securing sensitive financial data were originally handed over to the security department. Their first instinct was to look at solutions that were outside of the database, however, none of the solutions were able to cover the requirements. This lead the security team to begin discussions with the database team to find out what suggestions they could offer. Niels' team was able to come up with a solution that would support all  requirements and be easy to manage.

Oracle Database Vault

Working with Oracle security experts and Oracle Database Vault, Rabobank is addressing best practices of separtion of duties and least privilege while protecting sensitive data from privileged users. Niels is happy to say they have passed their audits and found that performance tests show neglible impact to their systems and users. 

Listen to the entire podcast to learn more.  

About Rabobank

According to Hoovers, Rabobank Group was founded as a cooperative of Dutch agricultural banks in 1898, the company has some 140 member banks that have about 875 branches in the Netherlands and dozens of subsidiaries around the world that focus on the food, agribusiness, and financial industries. The cooperative's wholesale and international retail banking arm, Rabobank International, has offices in some 30 countries. 

Tuesday Jul 03, 2012

SANS Webcast: Label Based Access Controls in Oracle Database 11g

Controlling access to data subsets within an application table can be difficult and inefficient especially when faced with specific data ownership, consolidation and multi-tenancy requirements. However, this can be elegantly addressed using label based access control (LBAC). In this webcast you will learn how LBAC using Oracle Label Security and Oracle Database 11g can easily enforce row-level access based on user security clearance. In addition, Oracle security experts will discuss real world case studies demonstrating how customers, in industries ranging from retail to government, are relying on Oracle Label Security for virtual information partitioning and secure consolidation of information.

 Register for the July 12 webcast now.

Monday May 14, 2012

Best Practices for Database Privileged User Access Controls

Insider threats and stolen credentials continue to account for the greatest incidents of data breaches and loss. On May 30th, we'll be discussing database access control best practices for all database users, including highly privileged users using Oracle Database Vault. You'll learn how to enforce who can access what data, and when and how that data is accessed in order to prevent application bypass and enable secure database consolidation. You will also hear how Oracle customers use Oracle Database Vault and Oracle Database 11g to protect sensitive data and comply with regulatory mandates.

 To learn more, register for this, and our other Best Practices for Database Security and Compliance webcasts.

Wednesday Aug 03, 2011

Q&A from Oracle Database 11g Security and Compliance Webcast

Last week we had more than 2900 registrants for the Oracle Database 11g Security and Compliance webcast with guest speaker Tom Kyte. With hundreds of questions coming in, we weren’t able to answer them all. Here are answers to some of the most common questions. If you missed the webcast and want to watch the recording, or would like to sign up for upcoming webcasts in the series, register here.

Q: What is the performance overhead of implementing Oracle Advanced Security with Transparent Data Encryption?
A: According to internal benchmarks and feedback from successful production implementations, the performance overhead is in the single digits. With Oracle Database 11g Release 2 Patchset 1 (11.2.0.2), the hardware crypto acceleration based on AES-NI available in most Intel® XEON® 5600 CPUs is automatically leveraged by TDE tablespace encryption, making TDE tablespace encryption a 'near-zero impact' encryption solution. Listen to TransUnion talk about their experience deploying tablepace encryption.

Q: Can the Oracle Database Firewall be used to monitor performance?
A: Yes. The Oracle Database Firewall can non-intrusively monitor SQL traffic coming to/from the database, including database response and status of SQL statement execution, so the Oracle Database Firewall can help developers to monitor and assess SQL queries performance on production databases, find slow or inconsistently performing queries and also help to identify all clients connecting to a specific database before and after migration by providing execution times on logged database activity. Learn more in the upcoming Database Firewall webcast.

Q: How does Oracle Data Masking protect sensitive data in non-production environments?
A: With Oracle Data Masking, sensitive information such as credit card or social security numbers can be replaced with realistic values, allowing production data to be safely used for development, testing, or sharing with out-source or off-shore partners for other non-production purposes. In other words sensitive data is protected by not being made available in these environments. To better understand data masking, take a look at the flash demo.

Q: Can the Oracle Database Vault administrator/owner see data protected by a realm?
A: No. The Oracle Database Vault owner account can only setup the realm. It cannot see data protected by a realm. This is part of the separation of duty that Oracle Database Vault enforces. Learn more in the Oracle Database Vault Best Practices whitepaper.

And the most frequently asked question…

Q: Is this webcast being recorded?
A: Yes, you can get the recording here, as well as register for upcoming webcasts in the series. Don’t miss the next one, Blocking SQL Injection Attacks and Other Threats with Oracle Database Firewall on August 25th at 11am PT, featuring guest speaker Steve Moyle, CTO of Oracle Database Firewall.

About

Who are we?

Follow us on

  • TwitterFacebookLinkedIn

Search

Archives
« March 2015
SunMonTueWedThuFriSat
1
2
3
5
6
7
8
10
11
12
13
14
15
17
18
19
20
21
22
23
24
26
27
28
29
30
31
    
       
Today