Tuesday May 26, 2015
Tuesday May 19, 2015
By Troy Kitch-Oracle on May 19, 2015
The big data phenomenon is a direct consequence of the digitization and “datafication” of nearly every activity in personal, public, and commercial life. Consider, for instance, the growing impact of mobile phones. The global smartphone audience grew from 1 billion users in 2012 to 2 billion today, and is likely to double again, to 4 billion, by 2020, according to Benedict Evans, a partner with the venture capital firm Andreessen Horowitz.
“Companies of all sizes and in virtually every industry are struggling to manage the exploding amounts of data,” says Neil Mendelson, vice president for big data and advanced analytics at Oracle. “But as both business and IT executives know all too well, managing big data involves far more than just dealing with storage and retrieval challenges—it requires addressing a variety of privacy and security issues as well.”
With big data comes bigger responsibility. A new joint Oracle and MIT Technology Review paper drills into addressing these big data privacy and security issues.
Get the paper, Securing the Big Data Life Cycle and learn more here.
Monday May 11, 2015
By Troy Kitch-Oracle on May 11, 2015
The unique thing here is that the police officers were directed to the parking structure by a computer program that had predicted that car burglaries were especially likely there that day. This computer program, developed by PredPol, is based on models used for predicting aftershocks from earthquakes, a common occurrence here in California. The algorithms used generated projections about which areas and windows of time are at highest risk for future crimes.
The Innovative Hacker
Organizations struggle to mitigate threats due to the continuing evolution of hackers and their methods of attack. Since William T. Morris Jr. first introduced the infant internet to his Morris worm virus in 1988, organizations have been fighting tweakers, script kiddies, espionage, and organized crime. The problem is that every time a solution is advised, a new hack is created. It’s a never-ending cycle, and unfortunately, the turnaround time for hackers is getting shorter and shorter. They are innovating and sharing their innovations with others, who in turn take advantage and increase the number of effective attacks.
Learning from the Past
According to the RAND Corporation's “Predictive Policing” study, there is strong evidence to support the theory that crime is statistically predictable. That’s because criminals tend to operate in their comfort zone. They commit the type of crimes that they’ve committed successfully in the past, generally close to the same time, location and methods.
There is a connection between physical crime and the cybercrime organizations face today. To explain this connection further, the RAND Corporation found that prediction-led policing is not just about making predictions; “but it is a comprehensive business process, of which predictive policing is a part.” That process is summarized here in order to explain the steps taken to analyze past information in order to prevent further criminal activity.
The Importance of Acquiring Good, Clean Data
This entire process hinges on the collection of data and the importance of that data to make predictions.
Organizations today have the data necessary to make these types of predictions. In fact, our systems are churning out this data all the time through system server logs, database audits, event logs and more. If crime is statistically predictable, and we have all evidence right there in front of us, then we need to collect and analyze it.
Of course, the future of predictive analytics and machine learning is much more than analyzing audit and log data and monitoring our databases. However, these two critical practices are important first steps to a comprehensive cybersecurity program.
- Volume or amount of content transfer, such as e-mail attachments or uploads
- Resource access patterns, such as logins or data repository touches
- Time-based activity patterns, such as daily and weekly habits
- Indications of job contribution, such as the amount of source code checked in by developers
- Time spent in activities indicative of job satisfaction or discontent
Wednesday Mar 25, 2015
By Troy Kitch-Oracle on Mar 25, 2015
Information security is simply not detecting the bad guys
This according to the Verizon Data Breach Investigations Report. In fact, antivirus, intrusion detection systems, and log review all pick up less than 1% of data breach incidents. Very few companies do proactive monitoring and those that do are simply troubleshooting problems they already know about. The result is that 86% of data breach incidents were ultimately detected by someone other than the victimized organization; an embarrassing statistic.
Only 35% of organizations audit to determine whether privileged users are tampering with systems. As well, for nearly 70% of organizations, it would take greater than one day to detect and correct unauthorized database access or change. With average data breach compromises taking less than a day, the majority of organizations could lose millions of dollars before even noticing.
Join Oracle and learn how to put in place effective activity monitoring including:
- Privileged user auditing for misuse and error
- Suspicious activity alerting
- Security and compliance reporting
Monday Mar 16, 2015
By Troy Kitch-Oracle on Mar 16, 2015
The Biggest Breaches are Yet to Come
- Unauthorized access. Built with the notion of “data democratization”—meaning all data was accessible by all users of the cluster—Hadoop is unable to stand up to rigorous compliance standards, such as HIPAA and PCI DSS, due to the lack of access controls on data. The lack of password controls, basic file system permissions, and auditing leaves sensitive data in the Hadoop cluster exposed.
- Data provenance. In traditional Hadoop, it has been difficult to determine where a particular data set originated and what data sources it was derived from. At a minimum the potential for garbage-in-garbage-out issues arise; or worse, analytics that drive business decisions could be taken from suspect or compromised data. Users need to know the source of the data in order to trust its validity, which is critical for relevant predictive activities.
- DIY Hadoop. A build-your-own cluster presents inherent risks, especially in shops where there are few experienced engineers that can build and maintain a Hadoop cluster. As a cluster grows from small project to advanced enterprise Hadoop, every period of growth—patching, tuning, verifying versions between Hadoop modules, OS libraries, utilities, user management etc.—becomes more difficult. Security holes, operational security and stability may be ignored until a major disaster occurs, such as a data breach.
Monday Mar 09, 2015
By Troy Kitch-Oracle on Mar 09, 2015
"Let me begin with my vision of the FTC and its role in light of the emergence of big data. I grew up in a beach town in Southern California. To me, the FTC is like the lifeguard on a beach. Like a vigilant lifeguard, the FTC’s job is not to spoil anyone’s fun but to make sure that no one gets hurt. With big data, the FTC’s job is to get out of the way of innovation while making sure that consumer privacy is respected."
- Edith Ramirez, Chairwoman, Federal Trade Commission
Ms. Ramirez highlights the FTC's role in protecting consumers from what she refers to as "indiscriminate data collection" of personal information. Her main concern is that organizations can potentially use this information to ultimately implicate individual privacy. There are many instances highlighting the ability to take what was previously considered anonymous data, only to correlate with other publicly available information in order to increase the ability to implicate individuals.
Finding Out Truthful Data from "Anonymous" Information
Her concerns are not unfounded; the highly referenced paper Robust De-anonymization of Large Sparse Datasets illustrates the sensitivity of supposedly anonymous information. The authors were able to identify the publicly available and "anonymous" dataset of 500,000 Netflix subscribers by cross-referencing it with the Internet Movie Database. They were able to successfully identify records of users, revealing such sensitive data as the subscribers' political and religious preferences, for example. In a more recent instance of big data security concerns, the public release of a New York taxi cab data set was completely de-anonymized, ultimately unveiling cab driver annual income, and possibly more alarming, the weekly travel habits of their passengers.
Many large firms have found their big data projects shut down by compliance officers concerned about legal or regulatory violations. Chairwoman Hernandez highlights specific cases where the FTC has cracked down on firms they feel have violated customer privacy rights, including the United States vs. Google, Facebook, and Twitter. She feels that big data opens up additional security challenges that must be addressed.
"Companies are putting data together in new ways, comingling data sets that have never been comingled before," says Jeff Pollock, Oracle vice president for product management. "That’s precisely the value of big data environments. But these changes are also leading to interesting new security and compliance concerns."
The possible security and privacy pitfalls of big data center around three fundamental areas:
- Ubiquitous and indiscriminate collection from a wide range of devices
- Unexpected uses of collected data, especially without customer consent
- Unintended data breach risks with larger consequences
Organizations will find big data experimentation easier to initiate when the data involved is locked down. They need to be able to address regulatory and privacy concerns by demonstrating compliance. This means extending modern security practices like data masking and redaction to the full big data environment, in addition to the must-haves of access, authorization and auditing.
Securing the big data lifecycle requires:
- Authentication and authorization of users, applications and databases
- Privileged user access and administration
- Data encryption of data at rest and in motion
- Data redaction and masking for non production environments
- Separation of roles and responsibilities
- Implementing least privilege
- Transport security
- API security
- Monitoring, auditing, alerting and compliance reporting
With Oracle, organizations can achieve all the benefits that big data has to offer while providing a comprehensive data security approach that ensures the right people, internal and external, get access to the appropriate data at the right time and place, within the right channel. The Oracle Big Data solution prevents and safeguards against malicious attacks and protects organizational information assets by securing data in-motion and at-rest. It enables organizations to separate roles and responsibilities and protect sensitive data without compromising privileged user access, such as database administrators. Furthermore, it provides monitoring, auditing and compliance reporting across big data systems as well as traditional data management systems.
Learn more about Oracle Security Solutions.
This article has been re-purposed from the Oracle Big Data blog.
Wednesday Mar 04, 2015
By Troy Kitch-Oracle on Mar 04, 2015
We are in the midst of a data breach epidemic, fueled by a lucrative information black market. The perimeter security most IT organizations rely on has become largely ineffective. Nearly 70% of security resources are focused on perimeter controls, but most exploited vulnerabilities are internal.
Effective modern security requires an inside-out approach with a focus on data and internal controls.
A New Hacker Economy
Today, a layered economy of specialized, organized hackers has created a black market estimated to be more lucrative than the illegal drug trade. (Lillian Ablon 2014) Hacking-for-hire has made the black market accessible to non-experts, expanding its reach exponentially. As businesses grow their online footprints, criminals find new ways of attacking their vulnerabilities.
Internal systems are the new perimeter – the new front line in the battle for data security. Security should be built into the customer and employee experiences.
- Manage privileged user access and think beyond the password: another layer of authentication can vastly increase security.
- Make it more costly and difficult for attackers by protecting the most valuable information first.
Rebalancing Information Security
Diminish the information supply chain and cut off the cash flow to the black market. Taking a security inside-out approach could bring an end to the arms race, giving economic recovery a chance.
To learn more about Securing Information in the New Digital Economy, read the joint Oracle and Verizon Report.
Friday Oct 17, 2014
By Troy Kitch-Oracle on Oct 17, 2014
I had an opportunity to sit down with Cathy Robinson, Database Administrator at Infinity Property and Casualty Corporation, while at Oracle OpenWorld 2014. Infinity Insurance is a public insurance company that deals with high risk maturities, mostly auto insurance, and provides products through a network of approximately 12,500 independent agencies and brokers. Cathy told me how they use Oracle Advanced Security for encryption and Oracle Database Vault for database privilege user controls.
Cathy has an interesting background with the Department of Defense and joined Infinity with a great understanding of what is required to lock down data and secure an IT environment. As I interviewed Cathy, I learned that the main overall issues they face include:
- Protecting sensitive personally identifiable information (i.e. payment card, social security numbers)
- Educating employees on the importance of securing this data
- Securing older applications where changing software code is prohibitive
So they have been able to implement Oracle Advanced Security to address these security requirements without having to make any application changes. Additionally, there has been "no performance degradation whatsoever." To further put in place a defense in depth database security strategy, Infinity is also implementing Oracle Database Vault for separation of duties and least privilege.
When I asked why they chose Oracle, Cathy responded with the following:
- One vendor instead of multiple point solution vendors
- Deep integration with Oracle Databases
- Oracle security expertise, which included a database security assessment
Wednesday Sep 10, 2014
By Troy Kitch-Oracle on Sep 10, 2014
SANS Analyst and Instructor and well known security expert, Dave Shackleford, will be doing a review of Oracle Advanced Security on September 16, 12:00 p.m. ET/ 3:00 p.m. ET
Register now for the webcast "Simplifying Data Encryption and Redaction Without Touching the Code"
Thursday Aug 07, 2014
By Troy Kitch-Oracle on Aug 07, 2014
Friday Dec 06, 2013
By Troy Kitch-Oracle on Dec 06, 2013
With the recent release of the 2013 Independent Oracle Users Group (IOUG) Enterprise Data Security Survey Report, I caught up with security experts Roxana Bradescu, Director of Database Security Product Management at Oracle and Michelle Malcher, IOUG President and Oracle Ace Director, to get their perspectives on the report, and what organizations should take away from the results.
This year, the report broke down the respondents into database security leaders and laggards based on how proactive they were in protecting their data. What are your thoughts on this?
MM: We thought it was more meaningful to contrast the security practices of leaders and laggards, rather than just report an average, which is not really as representative of what’s happening out there. We decided that for an organization to be a leader, they had to first know where all of their sensitive and regulated data resides, they have to encrypt that data, either at rest or in motion, to protect it outside the database, and monitor for database changes such as sensitive data reads and writes. For those respondents who answered negative to all three, the report qualifies them as laggards. So, we have 22% indicated as leaders at one end of a bell curve and 20% of laggards on the other; everyone else is somewhere on the bell curve.
RB: I think looking at the survey results on a bell curve this year really makes this report more actionable for organizations. Many of the companies I talk to are somewhere on the bell curve and are trying to figure out how to be in that top 22%. A lot of attacks are opportunistic and no one wants to be in that bottom 20%, the ones the survey found more likely to face a data breach. To be ahead of the curve, organizations need a defense-in-depth strategy. They need preventive controls like encrypting data, detective controls like monitoring for database changes, as well as administrative controls like knowing where all the sensitive and regulated data resides. But leaders go well beyond that to protect their data.
Of course being a leader requires organizations to make an investment. Michelle, what would you tell IOUG members are the benefits of being a leader?
MM: It is not surprising to see the report found that leadership behavior lowers risk. Over the past year, leaders experienced a data breach nearly 3 times less than laggards. That’s for actual data breaches. When asked whether a data breach was likely over the next 12 months, 50% of the leaders said they were unlikely to experience one, whereas 62% of laggards said that yes, it is likely, or they were uncertain.
Roxana, how does an organization move from a laggard to leader position?
RB: Although each organization is different, the approach to protecting databases is common. I suggest organizations start with a database security assessment to understand their risks and controls. It’s critical they consider:
- Preventing database by-pass
- Preventing application by-pass
- Managing privileged user access
- Detecting and blocking SQL injection attacks
- Monitoring databases for system changes
Being able to proactively monitor a secure configuration for the database environment is important as well. Change control in the environment is critical. Oracle offers a lot of materials for customers to protect the mission critical data in their databases.
How can database administrators prepare for the New Year?
MM: Leaders say they have experienced fewer breaches than laggards, and are less likely to experience them in the future. When we examine what they are doing differently, it’s obvious why. I encourage database administrators and security professionals to read the report and discover where they can improve.
RB: DBAs play a major role in the security within their organization. IDC states that 66% of sensitive and regulated data resides in databases. By securing their databases, DBAs can protect 66% of the data in their organization - that’s huge. We are seeing DBAs increasingly becoming proactive with a comprehensive database security strategy that includes preventive, detective, and administrative security controls.
For more analysis and steps you can take to become a leader:
- Download the 2013 IOUG Enterprise Data Security Survey Report
- Listen to the ISACA webcast Database Security Leaders v Laggards : IOUG 2013 Security Survey with Roxana.
- Register for a complimentary eBook, Securing Oracle Database 12c: A Technical Primer (Use access code db12c).
Friday Sep 27, 2013
By Troy Kitch-Oracle on Sep 27, 2013
Software Enhancements to Leading Big Data Appliance Help Organizations Secure Data and Accelerate Strategic Business Insights
By consolidating and analyzing the Hadoop audit trail, Oracle Audit Vault and Database Firewall can enforce policies to alert suspicious or unauthorized activities. Additionally, the consolidated audit data allows organizations to demonstrate the controls and generate the reports needed for regulatory compliance and audits.
News on the announcement
- Security Week: Oracle Appliance Helps Protect Big Data in the Enterprise
- Executive Biz Blog: Oracle Adds Security Features to Enterprise Data Mgmt Appliance; Cetin Ozbutun Comments
- PC World: Oracle makes 'big data' push even bigger
- Datacenter Knowledge: Oracle Updates Big Data Appliance
Wednesday Sep 11, 2013
By Troy Kitch-Oracle on Sep 11, 2013
Organizations worldwide are scrambling to secure sensitive information in response to regulatory pressure for protecting data privacy and integrity, as well as to protect against increasingly sophisticated attacks targeting this data. Encrypting data in applications, however, requires costly and complex code changes, often with disastrous performance consequences. Fortunately these pitfalls can be avoided. Check out this video on data redaction and register to receive the latest information on this new technology in Oracle Database 12c.
Also, learn more about data redaction here.
Tuesday Aug 13, 2013
By Troy Kitch-Oracle on Aug 13, 2013
New to Oracle Advanced Security, Data Redaction provides selective, on-the-fly redaction of sensitive data in SQL query results prior to application display so that unauthorized users cannot view the sensitive data. It enables consistent redaction of database columns across application modules accessing the same database information. Data Redaction minimizes changes to applications because it does not alter actual data in internal database buffers, caches, or storage, and it preserves the original data type and formatting when transformed data is returned to the application. Data Redaction has no impact on database operational activities such as backup and restore, upgrade and patch, and high availability clusters.
Unlike historical approaches that relied on application coding and new software components, Data Redaction policies are enforced directly in the database kernel. Declarative policies can apply different data transformations such as partial, random, and full redaction. Redaction can be conditional, based on different factors that are tracked by the database or passed to the database by applications such as user identifiers, application identifiers, or client IP addresses. A redaction format library provides pre-configured column templates to choose from for common types of sensitive information such as credit card numbers and national identification numbers. Once enabled, policies are enforced immediately, even for active sessions.
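A declarative policy of the kind described above, written with the DBMS_REDACT package as an added example (it is not code from the original post). The APPDEMO schema, the CUSTOMERS table, the BILLING_APP account and the policy name are assumptions made up for illustration, and the sample row is constructed.

```sql
-- Constructed demo table. Schema APPDEMO and all object names are assumptions.
CREATE TABLE appdemo.customers (
  customer_id   NUMBER PRIMARY KEY,
  full_name     VARCHAR2(80),
  ssn           VARCHAR2(11),    -- stored as 'NNN-NN-NNNN'
  card_no       VARCHAR2(19),    -- stored as 'NNNN-NNNN-NNNN-NNNN'
  credit_limit  NUMBER(10,2)
);

-- Constructed sample row (test values, not real identifiers).
INSERT INTO appdemo.customers
VALUES (1, 'Sample Person', '123-45-6789', '4111-1111-1111-1111', 15000);
COMMIT;

BEGIN
  -- Create the policy with its first column. A table has a single redaction
  -- policy, and its expression decides when redaction applies to all of the
  -- policy's columns: here, for every session except the hypothetical
  -- BILLING_APP account.
  DBMS_REDACT.ADD_POLICY(
    object_schema       => 'APPDEMO',
    object_name         => 'CUSTOMERS',
    policy_name         => 'CUSTOMERS_PII_REDACT',
    column_name         => 'SSN',
    function_type       => DBMS_REDACT.PARTIAL,
    -- Format-library template: masks the first five digits of a VARCHAR2 SSN.
    function_parameters => DBMS_REDACT.REDACT_US_SSN_F5,
    expression          =>
      'SYS_CONTEXT(''USERENV'',''SESSION_USER'') != ''BILLING_APP''');

  -- Add the card number, using the 16-digit card template that masks the
  -- first twelve digits and keeps the last four.
  DBMS_REDACT.ALTER_POLICY(
    object_schema       => 'APPDEMO',
    object_name         => 'CUSTOMERS',
    policy_name         => 'CUSTOMERS_PII_REDACT',
    action              => DBMS_REDACT.ADD_COLUMN,
    column_name         => 'CARD_NO',
    function_type       => DBMS_REDACT.PARTIAL,
    function_parameters => DBMS_REDACT.REDACT_CCN16_F12);

  -- Random redaction for the numeric column: each query returns a different
  -- value of the same data type.
  DBMS_REDACT.ALTER_POLICY(
    object_schema => 'APPDEMO',
    object_name   => 'CUSTOMERS',
    policy_name   => 'CUSTOMERS_PII_REDACT',
    action        => DBMS_REDACT.ADD_COLUMN,
    column_name   => 'CREDIT_LIMIT',
    function_type => DBMS_REDACT.RANDOM);
END;
/

-- Review what is actually in force.
SELECT object_owner, object_name, policy_name, expression, enable
  FROM redaction_policies;

SELECT object_name, column_name, function_type, function_parameters
  FROM redaction_columns
 WHERE object_owner = 'APPDEMO';

-- Accounts and roles holding this privilege bypass every redaction policy,
-- so the grantee list belongs in the access review.
SELECT grantee
  FROM dba_sys_privs
 WHERE privilege = 'EXEMPT REDACTION POLICY';
```

Redaction changes only what a query returns; the stored values are unchanged, so encryption at rest and access control on the table are still required.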
For more information on data redaction:
- Oracle Technology Network
- Customers discuss data redaction
- Sabre talks about data redaction
- Encryption and Redaction in Oracle Database 12c whitepaper
Thursday May 02, 2013
By Troy Kitch-Oracle on May 02, 2013
Data masking, also known as data scrambling or data anonymization, is the process of obscuring sensitive information copied from a production database to a test or non-production database. Data masking is ideal for confidential or regulated data that needs to be shared with non-production users who need data that looks like the original, but not the true values.
Watch this demo to see how the Oracle E-Business Suite Template for the Data Masking Pack, when applied with the Oracle Enterprise Manager 12c Cloud Control Data Masking tool, scrambles sensitive data in a copy of the production system.