Friday Dec 06, 2013

Q&A: 2013 IOUG Enterprise Data Security Survey Report

With the recent release of the 2013 Independent Oracle Users Group (IOUG) Enterprise Data Security Survey Report, I caught up with security experts Roxana Bradescu, Director of Database Security Product Management at Oracle and Michelle Malcher, IOUG President and Oracle Ace Director, to get their perspectives on the report, and what organizations should take away from the results. 

This year, the report broke down the respondents into database security leaders and laggards based on how proactive they were in protecting their data. What are your thoughts on this?

MM: We thought it was more meaningful to contrast the security practices of leaders and laggards, rather than just report an average, which is not really as representative of what’s happening out there. We decided that for an organization to be a leader, they had to first know where all of their sensitive and regulated data resides, they have to encrypt that data, either at rest or in motion, to protect it outside the database, and monitor for database changes such as sensitive data reads and writes. For those respondents who answered negatively to all three, the report qualifies them as laggards. So, we have 22% indicated as leaders at one end of a bell curve and 20% of laggards on the other; everyone else is somewhere on the bell curve.

RB: I think looking at the survey results on a bell curve this year really makes this report more actionable for organizations. Many of the companies I talk to are somewhere on the bell curve and are trying to figure out how to be in that top 22%. A lot of attacks are opportunistic and no one wants to be in that bottom 20%, the ones the survey found more likely to face a data breach. To be ahead of the curve, organizations need a defense-in-depth strategy. They need preventive controls like encrypting data, detective controls like monitoring for database changes, as well as administrative controls like knowing where all the sensitive and regulated data resides. But leaders go well beyond that to protect their data.

Of course being a leader requires organizations to make an investment. Michelle, what would you tell IOUG members are the benefits of being a leader?

MM: It is not surprising to see the report found that leadership behavior lowers risk. Over the past year, leaders experienced a data breach nearly 3 times less than laggards. That’s for actual data breaches. When asked whether a data breach was likely over the next 12 months, 50% of the leaders said they were unlikely to experience one, whereas 62% of laggards said that yes, it is likely, or they were uncertain.

Roxana, how does an organization move from a laggard to leader position?

RB: Although each organization is different, the approach to protecting databases is common. I suggest organizations start with a database security assessment to understand their risks and controls. It’s critical they consider:

  • Preventing database by-pass
  • Preventing application by-pass
  • Managing privileged user access
  • Detecting and blocking SQL injection attacks 
  • Monitoring databases for system changes

Being able to proactively monitor a secure configuration for the database environment is important as well. Change control in the environment is critical. Oracle offers a lot of materials for customers to protect the mission critical data in their databases.

How can database administrators prepare for the New Year?

MM: Leaders say they have experienced fewer breaches than laggards, and are less likely to experience them in the future. When we examine what they are doing differently, it’s obvious why. I encourage database administrators and security professionals to read the report and discover where they can improve.

RB: DBAs play a major role in the security within their organization. IDC states that 66% of sensitive and regulated data resides in databases. By securing their databases, DBAs can protect 66% of the data in their organization - that’s huge. We are seeing DBAs increasingly becoming proactive with a comprehensive database security strategy that includes preventive, detective, and administrative security controls. 

For more analysis and steps you can take to become a leader:


Friday Sep 27, 2013

Oracle OpenWorld News: Oracle Big Data Appliance Secures Big Data in the Enterprise

Software Enhancements to Leading Big Data Appliance Help Organizations Secure Data and Accelerate Strategic Business Insights

While Hadoop provides a scalable foundation for Big Data projects, the lack of built-in security has been an obstacle for many enterprises. To meet this need, Oracle has enhanced the Oracle Big Data Appliance to include enterprise-class security capabilities for Hadoop using Oracle Audit Vault and Database Firewall.

By consolidating and analyzing the Hadoop audit trail, Oracle Audit Vault and Database Firewall can enforce policies that alert on suspicious or unauthorized activities. Additionally, the consolidated audit data allows organizations to demonstrate the controls and generate the reports needed for regulatory compliance and audits.

Read the press release. 

Wednesday Sep 11, 2013

Shedding a Light on Security

Organizations worldwide are scrambling to secure sensitive information in response to regulatory pressure for protecting data privacy and integrity, as well as protect from increasingly sophisticated attacks targeting this data. Encrypting data in applications, however, requires costly and complex code changes, often with disastrous performance consequences. Fortunately these pitfalls can be avoided. Check out this video on data redaction and register to receive the latest information on this new technology in Oracle Database 12c. 

Also, learn more about data redaction here.


Tuesday Aug 13, 2013

Data Redaction: New for Oracle Database 12c

New to Oracle Advanced Security, Data Redaction provides selective, on-the-fly redaction of sensitive data in SQL query results prior to application display so that unauthorized users cannot view the sensitive data. It enables consistent redaction of database columns across application modules accessing the same database information. Data Redaction minimizes changes to applications because it does not alter actual data in internal database buffers, caches, or storage, and it preserves the original data type and formatting when transformed data is returned to the application. Data Redaction has no impact on database operational activities such as backup and restore, upgrade and patch, and high availability clusters.

Unlike historical approaches that relied on application coding and new software components, Data Redaction policies are enforced directly in the database kernel. Declarative policies can apply different data transformations such as partial, random, and full redaction. Redaction can be conditional, based on different factors that are tracked by the database or passed to the database by applications, such as user identifiers, application identifiers, or client IP addresses. A redaction format library provides pre-configured column templates to choose from for common types of sensitive information such as credit card numbers and national identification numbers. Once enabled, policies are enforced immediately, even for active sessions.
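As an added example (not code from the original post), the policy types described above expressed with the DBMS_REDACT package: one declarative policy that partially redacts a credit card column using the format-library pattern for a 16-digit card number, applies full redaction to a national identification column, and is conditional on the session user. The HR.CUSTOMERS table, its CREDIT_CARD and NATIONAL_ID columns, the policy name, and the BILLING_ADMIN user are assumed names; the sample card number in the comment is a constructed test value.

```sql
-- Added example: one declarative redaction policy covering two columns.
-- Schema HR, table CUSTOMERS, columns CREDIT_CARD / NATIONAL_ID and the
-- BILLING_ADMIN user are assumed names, not from the original post.
BEGIN
  -- Partial redaction: keep the last four digits of a 16-digit card number,
  -- mask positions 1-12 with '*', and preserve the dashed output format.
  -- The expression makes the policy conditional: every session except
  -- BILLING_ADMIN sees the redacted value.
  DBMS_REDACT.ADD_POLICY(
    object_schema       => 'HR',
    object_name         => 'CUSTOMERS',
    policy_name         => 'redact_customer_pii',
    column_name         => 'CREDIT_CARD',
    function_type       => DBMS_REDACT.PARTIAL,
    function_parameters => 'VVVVFVVVVFVVVVFVVVV,VVVV-VVVV-VVVV-VVVV,*,1,12',
    expression          => 'SYS_CONTEXT(''USERENV'',''SESSION_USER'') <> ''BILLING_ADMIN''',
    enable              => TRUE);

  -- Full redaction on a second column of the same policy: the national
  -- identification number is returned as the type's fixed default value
  -- (a single space for character columns), with the stored data untouched.
  DBMS_REDACT.ALTER_POLICY(
    object_schema => 'HR',
    object_name   => 'CUSTOMERS',
    policy_name   => 'redact_customer_pii',
    action        => DBMS_REDACT.ADD_COLUMN,
    column_name   => 'NATIONAL_ID',
    function_type => DBMS_REDACT.FULL);
END;
/

-- Check: which columns are now covered, and with which redaction type.
SELECT object_owner, object_name, column_name, function_type
FROM   redaction_columns
WHERE  object_name = 'CUSTOMERS';

-- Check from a non-exempt session: only the result set is transformed
-- (constructed sample: 4111-1111-1111-1111 is returned as ****-****-****-1111).
SELECT credit_card, national_id FROM hr.customers WHERE ROWNUM <= 3;
```

Two caveats a practitioner would check alongside the policy: accounts holding the EXEMPT REDACTION POLICY system privilege (and SYS) bypass redaction entirely, so that privilege belongs in the privileged-user review; and redaction transforms query results for display, it is not a substitute for masking copies of production data that leave the database.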

For more information on data redaction:

Thursday May 02, 2013

Demo of Oracle Data Masking Using Enterprise Manager 12c

Data masking, also known as data scrambling or data anonymization, is the process of obscuring sensitive information copied from a production database to a test or non-production database. Data masking is ideal for confidential or regulated data that needs to be shared with non-production users who require realistic data in the original format, but not the true values.

Watch this demo to see how the Oracle E-Business Suite Template for the Data Masking Pack, when applied with the Oracle Enterprise Manager 12c Cloud Control Data Masking tool, scrambles sensitive data in a copy of the production system.

Thursday Mar 21, 2013

Security Inside Out Newsletter Available - Subscribe Now!

The latest edition of Security Inside Out newsletter is now available. If you don't get this bi-monthly security newsletter in your inbox, then please subscribe. The latest news includes:

Q&A: Ontario Commissioner and Leading Privacy Expert Dr. Ann Cavoukian

Dr. Ann Cavoukian is both Ontario's information and privacy commissioner and one of the leading privacy experts in the world. In January, Dr. Cavoukian and Oracle released a new white paper covering the convergence of privacy and security. 

Read More

Oracle Named a Leader in Gartner Magic Quadrant for Data Masking Technology

Gartner, Inc. has named Oracle as a leader in its “Magic Quadrant for Data Masking Technology,” published in December 2012.

Read More

Virgin Media Relies on Oracle Identity Management to Secure Wi-Fi Service in the London Underground

Leading up to the 2012 Olympics, Virgin Media was entrusted with a massive undertaking—to quickly and securely provide London's Underground stations with Wi-Fi service. The company turned to two Oracle Identity Management solutions—Oracle Virtual Directory and Oracle Entitlements Server—to successfully deliver.

Read More

Thursday Feb 14, 2013

Gartner Positions Oracle in Leaders Quadrant for Data Masking

Gartner, Inc. has named Oracle as a Leader in its first “Magic Quadrant for Data Masking Technology”(1). Gartner’s Magic Quadrant reports position vendors within a particular quadrant based on their completeness of vision and ability to execute.

According to Gartner, “Adopting data masking helps enterprises raise the level of security and privacy assurance against abuses. At the same time, data masking helps enterprises meet compliance requirements with the security and privacy standards recommended by regulating/auditing authorities.”

Gartner continued, “…we expect a relatively high speed of technology maturity for data masking. By 2016, the static data masking [SDM] market will reach the Plateau of Productivity in Gartner's Hype Cycle, with approximately 50% of the target audience adopting it.”

“With more structured and unstructured data in enterprise databases, companies need simple and consistent tools to comply with data privacy regulations and mask sensitive data during application development, testing or data analysis,” said Vipin Samar, Vice President of Database Security Product Development, Oracle. “Oracle is the world’s #1 database provider, integrating best-in-class hardware and software to deliver extreme performance and ensure robust database security for our customers.”

Oracle Data Masking Pack is a component of Oracle Enterprise Manager and part of the Oracle Database Security defense-in-depth solution. Get the Gartner Magic Quadrant for Data Masking Technology here.

(1) Gartner, Inc., “Magic Quadrant for Data Masking Technology,” by Joseph Feiman, Carsten Casper, December 20, 2012

Wednesday Jan 23, 2013

SquareTwo Enables Development Efficiency, Compliance with Oracle

SquareTwo Financial, a leader in the $100 billion asset recovery and management industry, enables fast growth and regulatory compliance with Oracle Database Security defense-in-depth solutions. Hear J-T Gaietto, manager of information security, discuss how they use Oracle Database Firewall, Oracle Data Masking, and Oracle Advanced Security to enable fast growth and comply with regulatory mandates. 

SquareTwo Financial Enables Development Efficiency and Compliance with Oracle Database Security

Watch the video.

Challenges

  • Comply with a number of regulations: GLBA, HIPAA HITECH, SOX, and PCI DSS
  • Prove separation of duties for Sarbanes-Oxley Act compliance
  • Quickly scale IT security to address fast 37% company growth
  • Minimal disruption to 5.9 million accounts while maintaining growth
  • Secure heterogeneous database environment, with no application changes

Solution

  • Address compliance with database firewall, transparent data encryption, and data masking for a comprehensive database security defense-in-depth strategy
  • Database activity monitoring to protect against insider and external threats, including SQL injection attacks
  • Secure Oracle Exadata and Microsoft SQL Server database activity, with no application changes

Listen to the podcast for more details.

Thursday Dec 20, 2012

Oracle Audit Vault and Database Firewall In the News

Here's some news coverage regarding our recent announcement of Oracle Audit Vault and Database Firewall.

 ...and some quotable quotes:

"Oracle is simplifying its security offerings by combining a pair of existing tools into a single package. The offering, Oracle Audit Vault and Database Firewall, provides both network traffic sniffing for security threats and audit data analysis.” – IDG News Service

“Oracle is merging a couple of its existing security products together to make one big solution to tackle Oracle and non-Oracle database traffic.” – ZDNet Between the Lines blog

“The consolidated, centralized repository enables all audit and event logs to be analyzed in real-time against pre-defined policies; offers visibility into stored procedure execution, recursive SQL and operational activities; comes with dozens of built-in reports to meet compliance requirements; and provides a range of alerts, including multi-event alerts and alert thresholds.” – Database Trends and Applications

Thursday Dec 06, 2012

Columbia University Secures PeopleSoft Financials with Oracle's Transparent Data Encryption

Columbia University, the oldest institution of higher learning in New York, protects sensitive data in Oracle's PeopleSoft Financials using Oracle Advanced Security with transparent data encryption. Hear Nick Caragiulo, manager of database administration, discuss how Columbia helps address internal and regulatory requirements for encryption of data at rest and in motion.

Wednesday Nov 21, 2012

Closing the Gap: 2012 IOUG Enterprise Data Security Survey

The new survey from the Independent Oracle Users Group (IOUG) titled "Closing the Security Gap: 2012 IOUG Enterprise Data Security Survey," uncovers some interesting trends in IT security among IOUG members and offers recommendations for securing data stored in enterprise databases.

"Despite growing threats and enterprise data security risks, organizations that implement appropriate detective, preventive, and administrative safeguards are seeing significant results," finds the report's author, Joseph McKendrick, analyst, Unisphere Research.

Produced by Unisphere Research and underwritten by Oracle, the report is based on responses from 350 IOUG members representing a variety of job roles, organization sizes, and industry verticals.

Key findings include:

  • Corporate budgets increase, but trailing. Though corporate data security budgets are increasing this year, they still have room to grow to reach the previous year’s spending. Additionally, more than half of respondents say their organizations still do not have, or are unaware of, data security plans to help address contingencies as they arise.
  • Danger of unauthorized access. Less than a third of respondents encrypt data that is either stored or in motion, and at the same time, more than three-fifths say they send actual copies of enterprise production data to other sites inside and outside the enterprise.
  • Privileged user misuse. Only about a third of respondents say they are able to prevent privileged users from abusing data, and most do not have, or are not aware of, ways to prevent access to sensitive data using spreadsheets or other ad hoc tools.
  • Lack of consistent auditing. A majority of respondents actively collect native database audits, but there has not been an appreciable increase in the implementation of automated tools for comprehensive auditing and reporting across databases in the enterprise.

IOUG Recommendations

The report's author finds that securing data requires not just the ability to monitor and detect suspicious activity, but also to prevent the activity in the first place. To achieve this comprehensive approach, the report recommends the following.

  • Apply an enterprise-wide security strategy. Database security requires multiple layers of defense that include a combination of preventive, detective, and administrative data security controls.
  • Get business buy-in and support. Data security only works if it is backed through executive support. The business needs to help determine what protection levels should be attached to data stored in enterprise databases.
  • Provide training and education. Often, business users are not familiar with the risks associated with data security. Beyond IT solutions, what is needed is a well-engaged and knowledgeable organization to help make security a reality.

Wednesday Nov 07, 2012

Gone in 60 Seconds: An Insecure Database is an Easy Target

According to the recent Verizon Data Breach Investigations Report, 98% of breached data originates from database servers and nearly half are compromised in less than a minute! Almost all victims are not even aware of a breach until a third party notifies them and nearly all breaches could have been avoided through the use of basic controls.

Join us for this November 28th webcast to learn more about the evolving threats to databases that have resulted in over 1 billion stolen records. Also, hear how organizations can mitigate risks by adopting a defense-in-depth strategy that focuses on basic controls to secure data at the source - the database.

There's no turning back the clock on stolen data, but you can put in place controls to ensure your organization won't be the next headline.

Note, this webcast will be recorded for on-demand access after November 28th. 

Wednesday Aug 29, 2012

Why Cornell University Chose Oracle Data Masking

One of the eight Ivy League schools, Cornell University found itself in the unfortunate position of having to inform over 45,000 University community members that their personal information had been breached when a laptop was stolen. To ensure this wouldn’t happen again, Cornell took steps to ensure that data used for non-production purposes is de-identified with Oracle Data Masking.

A recent podcast highlights why organizations like Cornell are choosing Oracle Data Masking to irreversibly de-identify production data for use in non-production environments. Organizations often copy production data that contains sensitive information into non-production environments so they can test applications and systems using “real world” information. Data in non-production environments has increasingly become a target of cyber criminals and can be lost or stolen due to weak security controls and unmonitored access. As in production environments, data breaches in non-production environments can cost millions of dollars to remediate and cause irreparable harm to reputation and brand.

Cornell’s applications and databases help carry out the administrative and academic mission of the university. They are running Oracle PeopleSoft Campus Solutions that include highly sensitive faculty, student, alumni, and prospective student data. This data is supported and accessed by a diverse set of developers and functional staff distributed across the university.

Several years ago, Cornell experienced a data breach when an employee’s laptop was stolen. Centrally stored backup information indicated there was sensitive data on the laptop. With no way of knowing what the criminal intended, the university had to spend significant resources reviewing data, setting up service centers to handle constituent concerns, and providing free credit checks and identity theft protection services—all of which cost money and took time away from other projects.

To avoid this issue in the future, Cornell came up with several options, one of which was to sanitize the testing and training environments.

“The project management team was brought in and they developed a project plan and implementation schedule; part of which was to evaluate competing products in the market-space and figure out which one would work best for us. In the end we chose Oracle’s solution based on its architecture and its functionality.” – Tony Damiani, Database Administration and Business Intelligence, Cornell University

The key goals of the project were to mask the elements that were identifiable as sensitive in a consistent and efficient manner, while still supporting all the previous activities in the non-production environments. Tony concludes,

“What we saw was a very minimal impact on performance. The masking process added an additional three hours to our refresh window, but it was well worth that time to secure the environment and remove the sensitive data. I think some other key points you can keep in mind here is that there was zero impact on the production environment. Oracle Data Masking works in non-production environments only. Additionally, the risk of exposure has been significantly reduced and the impact to business was minimal.”

With Oracle Data Masking organizations like Cornell can:

  • Make application data securely available in non-production environments
  • Prevent application developers and testers from seeing production data
  • Use an extensible template library and policies for data masking automation
  • Gain the benefits of referential integrity so that applications continue to work

Listen to the podcast to hear the complete interview. 

Learn more about Oracle Data Masking by registering to watch this SANS Institute Webcast and view this short demo.

Monday Jul 16, 2012

IOUG 2012 Enterprise Data Security Survey Results

-- Please note: the date of this webcast has been changed to August 30, 2012 ---

The Independent Oracle Users Group (IOUG), the leading association of Oracle database and technology professionals, recently surveyed its members to determine the current state of enterprise data security. The survey covers all aspects of database security from access controls to activity monitoring and blocking, top security threats, and more. Join Oracle and IOUG security experts on July 26 as they share the latest survey results and discuss what organizations can learn from this comprehensive analysis to better combat security risks.

Register for the webcast and learn about

  • Key findings of the Enterprise Data Security Survey
  • Improving database security – enterprise-wide
  • Mitigating the risk of data breaches

Tuesday May 29, 2012

Data Masking for Oracle E-Business Suite

E-Business Suite customers can now use Oracle Data Masking to obscure sensitive information in non-production environments. Many organizations are inadvertently exposed when copying sensitive or regulated production data into non-production database environments for development, quality assurance or outsourcing purposes. Due to weak security controls and unmonitored access, these non-production environments have increasingly become the target of cyber criminals. Learn more about the announcement here.