By Troy Kitch-Oracle on Aug 07, 2014
Oracle database security solutions provide three means of making data at rest unreadable. We sometimes get questions about their differences.
Transparent Data Encryption (TDE), a capability of Oracle Advanced Security, is transparent to applications and users by encrypting data within the Oracle Database on disk, without any changes to existing applications. TDE is available as a part of the Oracle Database, so if you have Oracle, you have Oracle Advanced Security and would simply require a license to activate.
TDE stops would-be attackers from bypassing the database and reading sensitive information from storage by enforcing data-at-rest encryption in the database layer. Applications and users authenticated to the database continue to have access to application data transparently (no application code or configuration changes are required), while attacks from OS users attempting to read sensitive data from tablespace files and attacks from thieves attempting to read information from acquired disks or backups are denied access to the clear text data.
Data Redaction, also a capability of Oracle Advanced Security, provides selective, on-the-fly redaction of sensitive data in SQL query results prior to display by applications so that unauthorized users cannot view the sensitive data. It enables consistent redaction of database columns across application modules accessing the same database information. Data Redaction minimizes changes to applications because it does not alter actual data in internal database buffers, caches, or storage, and it preserves the original data type and formatting when transformed data is returned to the application.
Existing applications often return sensitive data to call center and support staff employees, or even customers that include date of birth, social security numbers, and more. Traditionally, organizations would have to access and change application source code in order to redact sensitive data. This can be error-prone, laborious, and performance-heavy. Data redaction mitigates this risk and helps organizations comply with compliance requirements, such as PCI DSS, by masking displayed data within applications.
Learn more about transparent data encryption and data redaction.
Data Masking enables sensitive information such as credit card or social security numbers to be replaced with realistic values, allowing production data to be safely used for development, testing, or sharing with out-sourcing partners or off-shore teams for other nonproduction purposes..
Data masking is used for nonproduction environments for quality assurance, testing, and development purposes. Many organizations inadvertently breach information when they routinely copy sensitive and regulated production data into nonproduction environments. Data in nonproduction environments, which can be lost or stolen, has increasingly become the target of cyber criminals. Data masking helps organizations reduce this risk and comply with compliance requirements.
Learn more about data masking.
Get the latest edition of Oracle Security Inside Out Newsletter and subscribe to future editions. As a bi-monthly security newsletter, we cover all things security for both Oracle Database Security and Identity Management solutions, news, and events. Here are this month's database security articles:
Advanced persistent threats (APT) are a type of ongoing cyberattack from well-coordinated and funded cybercriminals who penetrate an organization slowly and methodically. Find out from Oracle experts what key lessons your organization can take away from the analysis of an APT attack.
In the new Countering Adversaries webcast series now available on demand, security experts explain how to identify the kinds of adversaries specific industries attract, understand the types of data they are after, and focus in on the tools that provide the most effective deterrence against these specific threats.
Insecure database silos make protecting data challenging and costly. Increasingly, organizations find that database consolidation and private cloud initiatives reduce complexity, risk, and drive down the cost of protecting data and meeting regulatory compliance.
With the recent release of the 2013 Independent Oracle Users Group (IOUG) Enterprise Data Security Survey Report, I caught up with security experts Roxana Bradescu, Director of Database Security Product Management at Oracle and Michelle Malcher, IOUG President and Oracle Ace Director, to get their perspectives on the report, and what organizations should take away from the results.
This year, the report broke down the respondents into database security leaders and laggards based on how proactive they were in protecting their data. What are your thoughts on this?
MM: We thought it was more meaningful to contrast the security practices of leaders and laggards, rather than just report an average, which is not really as representative of what’s happening out there. We decided that for an organization to be a leader, they had to first know where all of their sensitive and regulated data resides, they have to encrypt that data, either at rest or in motion, to protect it outside the database, and monitor for database changes such as sensitive data reads and writes. For those respondents who answered negative to all three, the report qualifies them as laggards. So, we have 22% indicated as leaders at one end of a bell curve and 20% of laggards on the other; everyone else is somewhere on the bell curve.
RB: I think looking at the survey results on a bell curve this year really makes this report more actionable for organizations. Many of the companies I talk to are somewhere on the bell curve and are trying to figure out how to be in that top 22%. A lot of attacks are opportunistic and no one wants to be in that bottom 20%, the ones the survey found more likely to face a data breach. To be ahead of the curve, organizations need a defense-in-depth strategy. They need preventive controls like encrypting data, detective controls like monitoring for database changes, as well as administrative controls like knowing where all the sensitive and regulated data resides. But leaders go well beyond that to protect their data.
Of course being a leader requires organizations to make an investment. Michelle, what would you tell IOUG members are the benefits of being a leader?
MM: It is not surprising to see the report found that leadership behavior lowers risk. Over the past year, leaders experienced a data breach nearly 3 times less than laggards. That’s for actual data breaches. When asked whether a data breach was likely over the next 12 months, 50% of the leaders said they were unlikely to experience one, whereas 62% of laggards said that yes, it is likely, or they were uncertain.
Roxana, how does an organization move from a laggard to leader position?
Although each organization is different, the approach to protecting databases is common. I suggest organizations start with a database security assessment to understand their risks and controls. It’s critical they consider:
Being able to proactively monitor a secure configuration for the database environment is important as well. Change control in the environment is critical. Oracle offers a lot of materials for customers to protect the mission critical data in their databases.
How can database administrators prepare for the New Year?
MM: Leaders say they have experienced less breaches than laggards, and are less likely to experience them in the future. When we examine what they are doing differently, it’s obvious why. I encourage database administrators and security professionals to read the report and discover where they can improve.
RB: DBAs play a major role in the security within their organization. IDC states that 66% of sensitive and regulated data resides in databases. By securing their databases, DBAs can protect 66% of the data in their organization - that’s huge. We are seeing DBAs increasingly becoming proactive with a comprehensive database security strategy that includes preventive, detective, and administrative security controls.
For more analysis and steps you can take to become a leader:
The latest October edition of the Security Inside Out newsletter is now available and covers the following important security news:
The new multitenant architecture of Oracle Database 12c calls for adopting an updated approach to database security. In response, Oracle security experts have written a new book that is expected to become a key resource for database administrators. Find out how to get a complimentary copy.
On September 23, 2013, the HIPAA Omnibus Rule went into full effect. To help Oracle’s healthcare customers ready their organizations for the new requirements, law firm Ballard Spahr LLP and the Oracle Security team hosted a webcast titled “Addressing the Final HIPAA Omnibus Rule and Securing Protected Health Information.” Find out three key changes affecting Oracle customers.
By 2020, it’s predicted there will be 50 billion devices wirelessly connected to the internet, from consumer products to highly complex industrial and manufacturing equipment and processes. Find out the key challenges of protecting identity and data for the new paradigm called the Internet of Things.
If you attended Open World this year, you learned about the advances in Database 12c. As we collect more data and store our data in remote locations and the cloud, 12c restores control with advances to secure your data at the source. At the Chief Security Officer Summit at Leaders Circle, Vipin Samar discussed the changes in the security landscape that are forcing companies to re-examine how data is secured. The recent APT1 report by Mandiant highlights exactly how pervasive the threats are across every industry.
While the report covers the exploits of a specific government, the techniques being used are similar across the board. A recent report by the Ponemon Insitute noted that 43% of the most serious attacks are SQL injection attacks. The statistic implies that organizations are not as prepared to secure databases and that our most valuable data actually resides in our databases.
It seems almost every report on the state of IT security mentions database security. As an example, the PWC Global State of Information Security report provides a survey by region of database encryption. In North America alone, 53% of companies don't encrypt databases. Despite the threats, organizations are not fully responding.
The slides below provide a perspective on how a comprehensive approach to database security can set the foundation for preventing some of the most advanced threats. With Database Security 12c, there are several advances that organizations will want to focus on:
The latest edition of Oracle Magazine, headlined with Plug into the Cloud, gives many reasons for customers to upgrade to the latest release of Oracle Database 12c .
In the article Time to Upgrade, Michelle Malcher, President of the Independent Oracle Users Group (IOUG) and Oracle ACE Director, says "Oracle Database 12c is packed with several new and enhanced security features. A great new security feature is privilege analysis, which allows DBAs to get to the bottom of what permissions are really needed and used. How much time is that going to save in audit reports and managing the security for least privilege?"
To prepare for the latest edition of Oracle Database, Malcher had
an opportunity sit down and beta test the latest features with others. During this time, we captured some of her comments,
along with other beta testers, about another new feature: data
redaction (see below video).
She goes on to say "Redaction is another security features that is easy to implement and probably will save a lot of time previously spent having to mask data in different environments or code solutions to hide private data and information. Setting up a comprehensive redaction policy for users, applications, and environments can further protect sensitive data.
Learn more about the new security features in the latest release of Oracle Database 12c.
By consolidating and analyzing the Hadoop audit trail, Oracle Audit Vault and Database Firewall can enforce policies to alert suspicious or unauthorized activities. Additionally, the consolidated audit data allows organizations to demonstrate the controls and generate the reports needed for regulatory compliance and audits.
With the launch of Oracle Database 12c, securing your databases is more important than ever. For a limited time you can pre-register for a new complimentary eBook and learn about Oracle Database Security from the experts who brought you the #1 database in the world.
Are you an Oracle DBA who wants to protect your databases? The new ebook, Securing Oracle Database 12c: A Technical Primer, will be the book that database administrators will want to turn to for their database security questions.
For a limited time, Oracle Press will be offering this book free of charge, so pre-register for your copy now.
Oracle OpenWorld is Sept 22-26, 2013 in San Francisco and this Focus On Database Security organizes all database security content including, sessions, hands-on-labs, and demos . This document is subject to change, so check back as we get closer to OpenWorld.
Here's a brief summary:
See the complete Focus On Database Security here.
Designed for the Cloud, the new multitenant architecture of Oracle Database 12c now enables customers to greatly simplify and accelerate database consolidation by enabling the management of hundreds of databases as one. To protect the unprecedented amounts of data customers will store within their databases, Oracle Database 12c also introduces more security capabilities than any previous Oracle Database release.
“Oracle Database 12c represents a complete shift in database technology. With the growing amount of stored data, these new multitenant databases will be targeted by both hackers and insiders, and scrutinized by auditors more than ever,” says Vipin Samar, vice president, database security product development, Oracle. “It’s imperative that customers take advantage of the new security capabilities in Oracle Database 12c to protect their data and database infrastructure.”
Key new capabilities to help customers mitigate risks and address compliance requirements include:
Data Redaction. Part of Oracle Advanced Security, Data Redaction complements transparent data encryption (TDE) by ensuring sensitive data is not exposed to users of current applications. While TDE protects information from database bypass attacks at the operating system level, Data Redaction conditionally redacts sensitive data in the outgoing result set by replacing original data with **** or any other fixed or random string of choice based upon the customer requirements. Data is redacted based on simple declarative policies that take into account rich database session context such as IP address, program name, and application user. The original data remains unaltered along with existing operational procedures.
Privilege Analysis. Part of Oracle Database Vault, Privilege Analysis can harden database access by identifying users’ or applications’ unused privileges and roles based upon the actual roles and privileges used at runtime on production servers. Typically over time, applications and users amass powerful privileges and roles that may no longer be necessary. Finding the set of used roles and privileges is important because it helps identify the minimal set required and allows unused privileges to be revoked, reducing the attack surface.
Database Vault also enables customers to realize the full potential of Oracle Database 12c multitenant-based consolidation by preventing common database administrators from accessing application data stored in a pluggable database. With three distinct separation-of-duty controls, Database Vault is critical to regulatory compliance in multitenant environments.
Conditional Auditing. Oracle Database 12c introduces a new auditing framework that creates audit records based on the context of the database session. For example, an audit policy can be defined to audit all SQL statements unless they are coming from the application server’s IP address and with the given program name. Out-of-policy connections can be fully audited while no audit data will be generated for others, enabling highly selective and effective auditing.
New roles have been introduced for managing audit data and audit policies inside the database. Audit data integrity is further protected by restricting management to the built-in audit data management package, preventing audit trail tampering using ad hoc SQL commands. Multiple audit statements can be grouped together for easier management. Three default audit policies are configured and shipped out of the box.
Additionally, Oracle Audit Vault and Database Firewall now supports Oracle Database 12c, and can be used to collect, consolidate, alert and report on audit data from Oracle and non-Oracle databases and operating systems. Oracle Audit Vault and Database Firewall can also monitor Oracle Database 12c SQL activity over the network, blocking any unauthorized activity such as SQL injection attacks, or insider abuse.
Sensitive Data Discovery and Management. Locating and cataloging sensitive data is more critical than ever. Oracle Enterprise Manager Data Discovery and Modeling (DDM) and Sensitive Data Discovery (SDD) facilitate the process of locating sensitive data within an application and applying security controls on that data. In addition, the new Oracle Database 12c Transparent Sensitive Data Protection (TSDP) can load sensitive information from Oracle Enterprise Manager Data Discovery and Modeling into the Oracle database and apply security controls such as Data Redaction. This greatly reduces the operational burden of managing sensitive data consistently in Oracle Database 12c environments.
Real Application Security. Oracle Database 12c introduces the next generation authorization framework to support the increased application security requirements in multitenant environments. Unlike the traditional Oracle VPD, Oracle Database 12c Real Application Security (RAS) provides a declarative model that allows developers to define the data security policy based on application users, roles and privileges within the Oracle Database. This new RAS-based paradigm is more secure, scalable, and cost effective.
In addition to these critical new capabilities, Oracle Database 12c greatly strengthens the overall database security posture with new Oracle Database Vault realm controls, Oracle Advanced Security TDE key management, Oracle Enterprise Manager Security Console, and more.
All the security capabilities available in Oracle Database 12c are compatible with the new multitenant architecture in Oracle Database 12c. As a result, customers can quickly and efficiently address the unique security requirements of each pluggable database. The security policies move with the pluggable database when it is unplugged from one and plugged into a new Oracle Database 12c multitenant server.
Learn more about Oracle Database Security
More information is coming out as we introduce the next edition of Oracle Database 12c, including more new security capabilities than any other release in Oracle history! During the webcast featuring Mark Hurd, Andy Mendelsohn, and Tom Kyte, you'll also hear from Vipin Samar, Vice President of Oracle Database Security as he highlights some of these new features including sensitive data redaction and privilege analysis.
This is a must-see event, so register now for the July 10th webcast: Introducing Oracle Database 12c.
Plus, we'll have some security experts on hand to answer your questions via the chat console.
Recent successful cyber attacks against some of the most security savvy organizations have put into question IT Security strategies across all industries. The reliance on network security and user credentials have left many institutions vulnerable to attacks by insiders, outsiders exploiting stolen credentials, and SQL injection attacks. Additionally, the pervasive use of production data in non-production environments means that attackers can focus their efforts on a development or test server. Analysts estimate that less than 20% of IT Security plans address database security.
When Oracle talks about having a comprehensive database strategy, it includes defense-in-depth security controls that protect multiple layers in and around the database environment.
Oracle will be a Silver sponsor at this year's Gartner Security & Risk Management Summit in Maryland, and showcasing Oracle Database Security solutions. Stop by to meet and interact with Oracle Security experts throughout the event.
As the premier gathering of enterprise IT security and risk management executives, the summit takes a comprehensive look at the entire spectrum of IT security, business continuity management and risk, including: network and infrastructure security, identity and access management, compliance, privacy, fraud, business continuity management, and resilience. This year’s summit offers five in-depth, role-based programs:
Who are we?
Follow us on