Thursday Sep 10, 2015

Database Security at OpenWorld, 2015 -- Security is Hot!

Cybersecurity is Hot! In fact, so is the weather here in California at this moment. I write this in sweltering 95 degree temperatures and wonder if October--coincidentally National Cyber Security Awareness month--will be as hot outside San Francisco's Moscone Halls (and surrounding buildings) as it will be inside. Join me at Oracle OpenWorld, October 25-27th to find out. 

We are very excited to offer our customers over 77 talks on security, including our latest database security innovations.

Plan your days accordingly to attend these hot database security focused sessions. 

 Monday, Oct 26

  • What’s New in Oracle Database Security [CON6819]
  • Oracle Audit Vault and Database Firewall—Detect Breaches and Prevent Attacks [CON8668]
  • Data Protection in an Oracle E-Business Suite Situation? Oracle Label Security Is the Answer [CON2075]

Tuesday, Oct 27

  • Oracle Database Maximum Security Architecture—Protecting Critical Data Assets [CON8803]
  • Mask and Subset Sensitive Data for Test/Dev Databases On Premises or in the Cloud [CON8625]
  • Database Security: Preventing and Detecting Privileged User Attacks [HOL10437]

Wednesday, Oct 28

  • Oracle Database Vault for Pluggable Databases [CON1922]
  • Encrypting Oracle E-Business Suite 12.1 on Oracle Exadata Using TDE Functionality [CON2975]
  • Oracle Database Vault—Shrinking the Attack Surface for Your Application [CON8624]
  • Oracle Advanced Security—Enterprise-Grade Encryption for Your Sensitive Data [CON8563]
  • Minimize Security Risks by Masking and Subsetting Sensitive Data in Test and Developmen [HOL10507]

Thursday, Oct 29

  • Minimize Security Risks by Masking and Subsetting Sensitive Data in Test and Developmen [HOL10507]
  • Managing Advanced Security Database Encryption Keys with Oracle Key Vault [CON8562]
  • Oracle Database Security Customer Panel: Strategies and Best Practices [CON8655].

Get the details here with our focus on Database Security. And you can focus on all Security as well.  

Wednesday Jul 29, 2015

Security Inside Out Newsletter, July Edition is Out

The July edition of the Security Inside newsletter is now available. Sign up here for the Security Inside Out newsletter where we highlight key Oracle Security news and provide information on the latest webcasts, events, training and more. 

This month in the news:

Inoculating the Cloud

Another day, another data breach. From the recent cyber attack on the Internal Revenue Service to news of a security bug called VENOM, it seems as if frequent cybersecurity incidents represent the new normal. What new methods can your security group deploy to augment traditional perimeter defenses? The key is to focus on your most valuable asset—data—and build a security strategy that protects data at its source. 

Now Available! Oracle Identity Management 11g Release 2 PS3

Read about the new business-friendly user interface that simplifies the tasks associated with provisioning and managing today’s robust, identity-driven environments. Also learn about the expansion of mobile device management capabilities and a consolidated policy management framework that enables simplified provisioning of devices, applications, and access.

Securing Data Where It Matters Most

Putting defense in depth database protection in place is the first step to a security inside out data strategy. Even if an organization’s perimeter is breached, organizations can reduce risks by placing security controls around sensitive data, detecting and preventing SQL injection attacks, monitoring database activity, encrypting data at rest and in transit, redacting sensitive application data, and masking nonproduction databases. Read insights from Oracle Vice President of Security and Identity Solutions, Europe, the Middle East, and Africa, Alan Hartwell.

Tuesday Jun 02, 2015

MIT Technology Review: Diversity of Big Data Sources Creates Big Security Challenges

According to Oracle’s Neil Mendelson, many companies today make a key mistake in setting up their big data environments.

“In an effort to gain insights and drive business growth, companies can too often overlook or underestimate the challenge of securing information in a new and unfamiliar environment,” says Mendelson, vice president for big data and advanced analytics at Oracle. That lack of attention to big data security requirements can, of course, leave the organization open to attacks from any number of unknown sources. 

Other evolving circumstances also contribute to a wide range of security-related risks, hurdles, and potential pitfalls associated with big data. As the Cloud Security Alliance, an industry group, notes: “Large-scale cloud infrastructures, diversity of data sources and formats, the streaming nature of data acquisition, and high-volume inter-cloud migration all create unique security vulnerabilities.”

Learn more here about factors that complicate big data implementations, and what is required for organizations to secure the big data life cycle. 

Tuesday May 26, 2015

Oracle Database 12c Real Application Security Administration Application - Now Available on OTN

The release of Oracle Database 12c and the new Real Application Security (RAS) technology further demonstrated Oracle's decades long commitment to delivering cutting edge security technology to our customers.  The release of RAS fundamentally changed the technology available to application developers and data security architects.

“The release of RAS with Oracle Database 12c was the most important database security enhancement for application developers since the release of Oracle's ground breaking row level security solution, Virtual Private Database in 1998,” said Paul Needham, Senior Director for Oracle Database Security Product Management.  

Over the past two decades nearly every application developed has had its own unique security model.   Application users, roles, and privileges are mostly stored in custom application tables that require very specific domain knowledge to maintain.   This complexity has made it difficult and costly to keep pace with ever changing privacy and compliance regulations and protect against hackers.

Integrated with Oracle Fusion Middleware and Oracle Application Express 5.0, Real Application Security enables developers to build the world’s most secure applications by centralizing security policies within the database.  Benefits of Oracle Database 12c Real Application Security include:

  • End-user session propagation to the database
  • Data security based on application roles and privileges
  • Simplified security administration

Today, the database security development team is pleased to announce the release of Real Application Security Administration Application (RASADM).   RASADM is the new Oracle APEX 5.0-based tool for managing Oracle Database 12c Real Application Security.   It complements the comprehensive RAS PL/SQL API available today and is designed for both developers and application security policy administrators.   RASADM is designed to accelerate adoption of the powerful Oracle Database 12c RAS technology.  

"The release of Real Application Security with Oracle Database 12c demonstrates Oracle's continuous innovation in the database security arena.  RASADM was one of the first requests from those building on RAS with Oracle Database 12c and we are pleased to be able to deliver this to our customers,” says Vipin Samar, Vice President, Oracle Database Security.

Security Inside Out Newsletter, May Edition

Get the latest Security Inside Out newsletter and hear about securing the big data life cycle, data security training, and more.

Also, subscribe to get the bi-monthly news in your own inbox . 

Tuesday May 19, 2015

Securing the Big Data Life Cycle: A New MIT Technology Review and Oracle Paper

The big data phenomenon is a direct consequence of the digitization and “datafication” of nearly every activity in personal, public, and commercial life. Consider, for instance, the growing impact of mobile phones. The global smartphone audience grew from 1 billion users in 2012 to 2 billion today, and is likely to double again, to 4 billion, by 2020, according to Benedict Evans, a partner with the venture capital firm Andreessen Horowitz. 

“Companies of all sizes and in virtually every industry are struggling to manage the exploding amounts of data,” says Neil Mendelson, vice president for big data and advanced analytics at Oracle. “But as both business and IT executives know all too well, managing big data involves far more than just dealing with storage and retrieval challenges—it requires addressing a variety of privacy and security issues as well.”

With big data, comes bigger responsibility. A new joint Oracle and MIT Technology Review paper drills into addressing these big data privacy and security issues.

Get the paper, Securing the Big Data Life Cycle and learn more here.

Wednesday Mar 25, 2015

86% of Data Breaches Miss Detection, How Do You Beat The Odds?

Information security is simply not detecting the bad guys

This according to the Verizon Data Breach Investigations Report. In fact, antivirus, intrusion detection systems, and log review all pick up less than 1% of data breach incidents. Very few companies do proactive monitoring and those that do are simply troubleshooting problems they already know about. The result is that 86% of data breach incidents were ultimately detected by someone other than the victimized organization; an embarrassing statistic.

Only 35% of organizations audit to determine whether privileged users are tampering with systems. As well, for nearly 70% of organizations, it would take greater than one day to detect and correct unauthorized database access or change. With average data breach compromises taking less than a day, the majority of organizations could lose millions of dollars before even noticing.

Join Oracle and learn how to put in place effective activity monitoring including:

  • Privileged user auditing for misuse and error
  • Suspicious activity alerting
  • Security and compliance reporting 

Monday Mar 16, 2015

Three Big Data Threat Vectors

The Biggest Breaches are Yet to Come

Where a few years ago we saw 1 million to 10 million records breached in a single incident, today we are in the age of mega-breaches, where 100 and 200 million records breached is not uncommon.

According to the Independent Oracle Users Group Enterprise Data Security Survey, 34% of respondents say that a data breach at their organization is "inevitable" or "somewhat likely" in 2015.

Combine this with the fact that the 2014 Verizon Data Breach Investigations Report tallied more than 63,000 security incidents—including 1,367 confirmed data breaches. That's a lot of data breaches.

As business and IT executives are learning by experience, big data brings big security headaches. Built with very little security in mind, Hadoop is now being integrated with existing IT infrastructure. This can further expose existing database data with less secure Hadoop infrastructure. Hadoop is an open-source software framework for storing and processing big data in a distributed fashion. Simply put, it was developed to address massive data storage and faster processing, not security.

With enormous amounts of less secure big data, integrated with existing database information, I fear the biggest data breaches are yet to be announced. When organizations are not focusing on security for their big data environments, they jeopardize their company, employees, and customers.

Top Three Big Data Threats

For big data environments, and Hadoop in particular, today's top threats include:
  • Unauthorized access. Built with the notion of “data democratization”—meaning all data was accessible by all users of the cluster—Hadoop is unable to stand up to the rigorous compliance standards, such as HIPPA and PCI DSS, due to the lack of access controls on data. The lack of password controls, basic file system permissions, and auditing expose the Hadoop cluster to sensitive data exposure.
  • Data provenance. In traditional Hadoop, it has been difficult to determine where a particular data set originated and what data sources it was derived from. At a minimum the potential for garbage-in-garbage-out issues arise; or worse, analytics that drive business decisions could be taken from suspect or compromised data. Users need to know the source of the data in order to trust its validity, which is critical for relevant predictive activities.
  • DIY Hadoop. A build-your-own cluster presents inherent risks, especially in shops where there are few experienced engineers that can build and maintain a Hadoop cluster. As a cluster grows from small project to advanced enterprise Hadoop, every period of growth—patching, tuning, verifying versions between Hadoop modules, OS libraries, utilities, user management etc.—becomes more difficult. Security holes, operational security and stability may be ignored until a major disaster occurs, such as a data breach.
Big data security is an important topic that I plan to write more about. I am currently working with MIT on a new paper to help provide some more answers to the challenges raised here. Stay tuned.

Monday Mar 09, 2015

Security and Governance Will Increase Big Data Innovation in 2015

"Let me begin with my vision of the FTC and its role in light of the emergence of big data. I grew up in a beach town in Southern California. To me, the FTC is like the lifeguard on a beach. Like a vigilant lifeguard, the FTC’s job is not to spoil anyone’s fun but to make sure that no one gets hurt. With big data, the FTC’s job is to get out of the way of innovation while making sure that consumer privacy is respected."

- Edith Ramirez, Chairwoman, Federal

Trade Commission Ms. Ramirez highlights the FTC's role in protecting consumers from what she refers to as "indiscriminate data collection" of personal information. Her main concern is that organizations can potentially use this information to ultimately implicate individual privacy. There are many instances highlighting the ability to take what was previously considered anonymous data, only to correlate with other publicly available information in order to increase the ability to implicate individuals.

Finding Out Truthful Data from "Anonymous" Information 

Her concerns are not unfounded; the highly referenced paper Robust De-anonymization of Large Sparse Datasets, illustrates the sensitivity of supposedly anonymous information. The authors were able to identify the publicly available and "anonymous" dataset of 500,000 Netflix subscribers by cross referencing it with the Internet Movie Database. They were able to successfully identify records of users, revealing such sensitive data as the subscribers' political and religious preferences, for example. In a more recent instance of big data security concerns, the public release of a New York taxi cab data set was completely de-anonymized, ultimately unveiling cab driver annual income, and possibly more alarming, the weekly travel habits of their passengers.

Many large firms have found their big data projects shut down by compliance officers concerned about legal or regulatory violations. Chairwoman Hernandez highlights specific cases where the FTC has cracked down on firms they feel have violated customer privacy rights, including the United States vs. Google, Facebook, and Twitter. She feels that big data opens up additional security challenges that must be addressed.

"Companies are putting data together in new ways, comingling data sets that have never been comingled before," says Jeff Pollock, Oracle vice president for product management. "That’s precisely the value of big data environments. But these changes are also leading to interesting new security and compliance concerns."

The possible security and privacy pitfalls of big data center around three fundamental areas:

  • Ubiquitous and indiscriminate collection from a wide range of devices 
  • Unexpected uses of collected data, especially without customer consent 
  • Unintended data breach risks with larger consequences

Organizations will find big data experimentation easier to initiate when the data involved is locked down. They need to be able to address regulatory and privacy concerns by demonstrating compliance. This means extending modern security practices like data masking and redaction to the full big data environment, in addition to the must-haves of access, authorization and auditing.

Securing the big data lifecycle requires:

  • Authentication and authorization of users, applications and databases 
  • Privileged user access and administration 
  • Data encryption of data at rest and in motion 
  • Data redaction and masking for non production environments 
  • Separation of roles and responsibilities 
  • Implementing least privilege 
  • Transport security 
  • API security 
  • Monitoring, auditing, alerting and compliance reporting

With Oracle, organizations can achieve all the benefits that big data has to offer while providing a comprehensive data security approach that ensures the right people, internal and external, get access to the appropriate data at right time and place, within the right channel. The Oracle Big Data solution prevents and safeguards against malicious attacks and protects organizational information assets by securing data in-motion and at-rest. It enables organizations to separate roles and responsibilities and protect sensitive data without compromising privileged user access, such as database administrators. Furthermore, it provides monitoring, auditing and compliance reporting across big data systems as well as traditional data management systems.

Learn more about Oracle Security Solutions.

This article has been re-purposed from the Oracle Big Data blog.  

Wednesday Mar 04, 2015

Securing Information in the New Digital Economy

We are in the midst of a data breach epidemic, fueled by a lucrative information black market. The perimeter security most IT organizations rely on has become largely ineffective. Nearly 70% of security resources are focused on perimeter controls, but most exploited vulnerabilities are internal. 

Effective modern security requires an inside-out approach with a focus on data and internal controls.

A New Hacker Economy

Today, a layered economy of specialized, organized hackers has created a black market estimated to be more lucrative than the illegal drug trade. (Lillian Ablon 2014) Hacking-for-hire has made the black market accessible to non-experts, expanding its reach exponentially.  As businesses grow their online footprints, criminals find new ways of attacking their vulnerabilities.

Thinking Inside-Out

Internal systems are the new perimeter – the new front line in the battle for data security. Security should be built into the customer and employee experiences.

  • Manage privileged user access and think beyond the password: another layer of authentication can vastly increase security.
  • Make it more costly and difficult for attackers by protecting the most valuable information first. 

Rebalancing Information Security

Diminish the information supply chain and cut off the cash flow to the black market. Taking a security inside-out approach could bring an end to the arms race, giving economic recovery a chance.

To learn more about Securing Information in the New Digital Economy, read the joint Oracle and Verizon Report.

Tuesday Feb 03, 2015

All Data is Not Equal, Map Security Controls to the Value of Data

As you look at data, you will quickly realize that not all data is equal.   What do I mean by that? Quite simply, some data simply does not require the same security controls as other data.   

When explaining this to customers, we use a metals analogy to simplify the provisioning of controls. Bronze to represent the least sensitive data, up through to Platinum, the highest value and most sensitive data within an organization.

Thinking in this manner provides the ability to refine many configurations into a few pre-configured, pre-approved, reference architectures. Applying this methodology is especially important when it comes to the cloud. It comes down to consistency in applying security controls, based on the data itself.

Oracle’s preventive, detective, and administrative pillars can be applied to the various data categorizations. At this point in the conversation, customers begin to understand more pragmatically how this framework can be used to align security controls with the value, or sensitivity, of the data.

Security practitioners can then work with lines of business to assign the appropriate level of controls, both systematically and consistently across the organization.  

So for example, at the bronze level, items such as application of patches, secure configuration scanning and the most basic auditing would be appropriate. Data deemed more sensitive, such as personally identifiable information, or personal health information, require additional security controls around the application data. This would include, for example, blocking default access by those designated as database administrators.

Then finally, at the highest data sensitivity level--Platinum level--should exhibit blocking database changes during production time frames, preventing SQL injection attacks and centralized enterprise-wide reporting and alerting for compliance and audit requirements.  

To learn more about Oracle Security Solutions, download the ebook "Securing Oracle Database 12c: A Technical Primer" by Oracle security experts.

Friday Oct 17, 2014

Why Infinity Insurance Chose Oracle Advanced Security and Database Vault

Infinity InsuranceI had an opportunity to sit down with Cathy Robinson, Database Administrator at Infinity Property and Casualty Corporation while at Oracle OpenWorld 2014. Infinity Insurance is a public insurance company that deals with high risk maturities, mostly auto insurance, and provide products through a network of approximately 12,500 independent agencies and brokers. Cathy told me how they use Oracle Advanced Security for encryption and Oracle Database Vault for database privilege user controls.

Cathy has an interesting background with the Department of Defense and joined Infinity with a great understanding of what is required to lock down data and secure an IT environment. As I interviewed Cathy, I learned that the main overall issues they face include:

  • Protecting sensitive personally identifiable information ( i.e. payment card, social security numbers)
  • Educating employees on the importance of securing this data
  • Securing older applications where changing software code is prohibitive

So they have been able to implement Oracle Advanced Security to address these security requirements without having to make any application changes. Additionally, there has been "no performance degradation whatsoever."To further put in place a defense in depth database security strategy, Infinity is also implementing Oracle Database Vault for separation of duties and least privilege.

When I asked why they chose Oracle, Cathy responded with the following:

  • One vendor instead of multiple point solution vendors
  • Deep integration with Oracle Databases
  • Oracle security expertise, which included a database security assessment
Click here to listen to the interview.

Wednesday Sep 10, 2014

SANS Webcast: Simplifying Data Encryption and Redaction Without Touching the Code

SANS Analyst and Instructor and well known security expert, Dave Shackleford, will be doing a review of Oracle Advanced Security on September 16, 12:00 p.m. ET/ 3:00 p.m. ET

Register now for the webcast "Simplifying Data Encryption and Redaction Without Touching the Code" 

The need for organizations to protect sensitive information has never been more paramount. The risks of data breaches and sensitive data exposures are driving organizations to look for solutions, as an increasing amount of data is being stored and processed outside the perimeter, in cloud applications and service environments. Organizations must protect this sensitive data at its heart, in the databases. In this webcast, we discuss a recent review by SANS Analyst and Instructor Dave Shackleford of Oracle Advanced Security for Oracle Database 12c and its encryption and redaction capabilities.

Register for the webcast and be among the first to receive an advance copy of a SANS whitepaper discussing the Analyst Program's review of Oracle Advanced Security.

Tuesday Sep 02, 2014

Oracle Audit Vault and Database Firewall Wins Reader's Choice Award for Best Database Security Solution

Thank you to all those who voted for the Database Trends and Applications Reader's Choice Awards, 2014 and voting Oracle Audit Vault and Database Firewall as the best database security solution on the market. 

"Unlike any other awards programs conducted by DBTA, this one is special because the nominees are submitted and the winners are chosen by the experts—whose opinions carry more weight than all others—you, the readers. With more than 22,000 votes cast across 31 categories, the contest between candidates was often neck and neck. As a result, we are showcasing both winners and finalists in each category."

Oracle wins in a number of categories including:

  1. Best Relational Database: Oracle Database
  2. Best Cloud Database: Oracle Database 12c
  3. Best Database Appliance: Oracle Exadata
  4. Best Database Administration Solution: Oracle Enterprise Manager
  5. Best Database Performance Solution: Oracle Enterprise Manager
  6. Best Database Backup Solution: Oracle Database Backup Logging Recovery Appliance
  7. Best Data Replication Solution: Oracle GoldenGate 12c
  8. Best Change Data Capture Solution: Oracle CDC
  9. Best Data Virtualization Solution: Oracle Database 12c Multitenant
  10. Best Cloud Integration Solution: Oracle Cloud Integration
  11. Best Streaming Data Solution: Oracle Streams
  12. Best Data Mining Solution: Oracle Advanced Analytics

Thursday Aug 07, 2014

Introducing Oracle Key Vault for Centralized Key Management

Oracle Customers Secure Critical Encryption Keys with Oracle Key Vault

Centrally Manage Oracle Database Encryption Master Keys, Oracle Wallets, Java KeyStores and Other Credential Files

Encryption is widely recognized as the gold standard for protecting data privacy, but encryption is only as strong as its key management. Critical credential files such as Oracle Wallets, Java KeyStores, SSH key files and SSL certificate files are often widely distributed across servers and server clusters with error-prone synchronization and backup mechanisms.

To address the need for robust key management, Oracle today introduced Oracle Key Vault, a software appliance designed to securely manage encryption keys and credential files in the enterprise data center.

Read the press release and register for the webcast to learn how Oracle Key Vault:
  • Centralizes Keys in a modern, secure, and robust key management platform
  • Secures, shares, and manages keys and secrets for the enterprise
  • Manages key lifecycle stages including creation, rotation, and expiration

Oracle Key Vault Learn more: Oracle Key Vault enables customers to quickly deploy encryption and other security solutions.

Webcast: August 21, 2014
10:00 a.m. PT/1:00 a.m. ET
Hardware and Software Engineered to Work Together
Copyright © 2014, Oracle Corporation and/or its affiliates.
All rights reserved.
Contact Us | Legal Notices and Terms of Use | Privacy Statement

Who are we?

Follow us on

  • TwitterFacebookLinkedIn


« October 2015