Thursday Dec 06, 2012

Columbia University Secures PeopleSoft Financials with Oracle's Transparent Data Encryption

Columbia University, the oldest institution of higher learning in New York, protects sensitive data in Oracle's PeopleSoft Financials using Oracle Advanced Security with transparent data encryption. Hear Nick Caragiulo, manager of database administration, discuss how Columbia helps address internal and regulatory requirements for encryption of data at rest and in motion.

Wednesday Nov 21, 2012

Closing the Gap: 2012 IOUG Enterprise Data Security Survey

The new survey from the Independent Oracle Users Group (IOUG) titled "Closing the Security Gap: 2012 IOUG Enterprise Data Security Survey," uncovers some interesting trends in IT security among IOUG members and offers recommendations for securing data stored in enterprise databases.
"Despite growing threats and enterprise data security risks, organizations that implement appropriate detective, preventive, and administrative safeguards are seeing significant results," finds the report's author, Joseph McKendrick, analyst, Unisphere Research.

Produced by Unisphere Research and underwritten by Oracle, the report is based on responses from 350 IOUG members representing a variety of job roles, organization sizes, and industry verticals.

Key findings include:

  • Corporate budgets increase, but trailing. Though corporate data security budgets are increasing this year, they still have room to grow to reach the previous year’s spending. Additionally, more than half of respondents say their organizations still do not have, or are unaware of, data security plans to help address contingencies as they arise.
  • Danger of unauthorized access. Less than a third of respondents encrypt data that is either stored or in motion, and at the same time, more than three-fifths say they send actual copies of enterprise production data to other sites inside and outside the enterprise.
  • Privileged user misuse. Only about a third of respondents say they are able to prevent privileged users from abusing data, and most do not have, or are not aware of, ways to prevent access to sensitive data using spreadsheets or other ad hoc tools.
  • Lack of consistent auditing. A majority of respondents actively collect native database audits, but there has not been an appreciable increase in the implementation of automated tools for comprehensive auditing and reporting across databases in the enterprise.

IOUG Recommendations
The report's author finds that securing data requires not just the ability to monitor and detect suspicious activity, but also to prevent the activity in the first place. To achieve this comprehensive approach, the report recommends the following.

  • Apply an enterprise-wide security strategy. Database security requires multiple layers of defense that include a combination of preventive, detective, and administrative data security controls.
  • Get business buy-in and support. Data security only works if it is backed through executive support. The business needs to help determine what protection levels should be attached to data stored in enterprise databases.
  • Provide training and education. Often, business users are not familiar with the risks associated with data security. Beyond IT solutions, what is needed is a well-engaged and knowledgeable organization to help make security a reality.

Wednesday Nov 07, 2012

Gone in 60 Seconds: An Insecure Database is an Easy Target

According to the recent Verizon Data Breach Investigations Report, 98% of breached data originates from database servers and nearly half are compromised in less than a minute! Almost all victims are not even aware of a breach until a third party notifies them and nearly all breaches could have been avoided through the use of basic controls.

Join us for this November 28th webcast to learn more about the evolving threats to databases that have resulted in over 1 billion stolen records. Also, hear how organizations can mitigate risks by adopting a defense-in-depth strategy that focuses on basic controls to secure data at the source - the database.

There's no turning back the clock on stolen data, but you can put in place controls to ensure your organization won't be the next headline.

Note: this webcast will be recorded for on-demand access after November 28th.

Wednesday Aug 29, 2012

Why Cornell University Chose Oracle Data Masking

One of the eight Ivy League schools, Cornell University found itself in the unfortunate position of having to inform over 45,000 University community members that their personal information had been breached when a laptop was stolen. To ensure this wouldn’t happen again, Cornell took steps to ensure that data used for non-production purposes is de-identified with Oracle Data Masking.

A recent podcast highlights why organizations like Cornell are choosing Oracle Data Masking to irreversibly de-identify production data for use in non-production environments. Organizations often copy production data that contains sensitive information into non-production environments so they can test applications and systems using “real world” information. Data in non-production has increasingly become a target of cyber criminals and can be lost or stolen due to weak security controls and unmonitored access. Similar to production environments, data breaches in non-production environments can cost millions of dollars to remediate and cause irreparable harm to reputation and brand.

Cornell’s applications and databases help carry out the administrative and academic mission of the university. They are running Oracle PeopleSoft Campus Solutions that include highly sensitive faculty, student, alumni, and prospective student data. This data is supported and accessed by a diverse set of developers and functional staff distributed across the university.

Several years ago, Cornell experienced a data breach when an employee’s laptop was stolen. Centrally stored backup information indicated there was sensitive data on the laptop. With no way of knowing what the criminal intended, the university had to spend significant resources reviewing data, setting up service centers to handle constituent concerns, and providing free credit checks and identity theft protection services, all of which cost money and took time away from other projects.

To avoid this issue in the future, Cornell came up with several options, one of which was to sanitize the testing and training environments.

“The project management team was brought in and they developed a project plan and implementation schedule; part of which was to evaluate competing products in the market-space and figure out which one would work best for us.  In the end we chose Oracle’s solution based on its architecture and its functionality.” – Tony Damiani, Database Administration and Business Intelligence, Cornell University

The key goals of the project were to mask the elements that were identifiable as sensitive in a consistent and efficient manner, but still support all the previous activities in the non-production environments. Tony concludes, 

“What we saw was a very minimal impact on performance. The masking process added an additional three hours to our refresh window, but it was well worth that time to secure the environment and remove the sensitive data. I think some other key points you can keep in mind here is that there was zero impact on the production environment. Oracle Data Masking works in non-production environments only. Additionally, the risk of exposure has been significantly reduced and the impact to business was minimal.”

With Oracle Data Masking organizations like Cornell can:

  • Make application data securely available in non-production environments
  • Prevent application developers and testers from seeing production data
  • Use an extensible template library and policies for data masking automation
  • Gain the benefits of referential integrity so that applications continue to work

Listen to the podcast to hear the complete interview. 

Learn more about Oracle Data Masking by registering to watch this SANS Institute Webcast and view this short demo.

Monday Jul 16, 2012

IOUG 2012 Enterprise Data Security Survey Results

--- Please note: the date of this webcast has been changed to August 30, 2012 ---

The Independent Oracle Users Group (IOUG), the leading association of Oracle database and technology professionals, recently surveyed its members to determine the current state of enterprise data security. The survey covers all aspects of database security from access controls to activity monitoring and blocking, top security threats, and more. Join Oracle and IOUG security experts on July 26 as they share the latest survey results and discuss what organizations can learn from this comprehensive analysis to better combat security risks.

Register for the webcast and learn about:

  • Key findings of the Enterprise Data Security Survey
  • Improving database security – enterprise-wide
  • Mitigating the risk of data breaches

Tuesday Jul 03, 2012

SANS Webcast: Label Based Access Controls in Oracle Database 11g

Controlling access to data subsets within an application table can be difficult and inefficient, especially when faced with specific data ownership, consolidation, and multi-tenancy requirements. However, this can be elegantly addressed using label based access control (LBAC). In this webcast you will learn how LBAC using Oracle Label Security and Oracle Database 11g can easily enforce row-level access based on user security clearance. In addition, Oracle security experts will discuss real-world case studies demonstrating how customers, in industries ranging from retail to government, are relying on Oracle Label Security for virtual information partitioning and secure consolidation of information.

Register for the July 12 webcast now.

Monday May 14, 2012

Best Practices for Database Privileged User Access Controls

Insider threats and stolen credentials continue to account for the greatest incidents of data breaches and loss. On May 30th, we'll be discussing database access control best practices for all database users, including highly privileged users, using Oracle Database Vault. You'll learn how to enforce who can access what data, and when and how that data is accessed, in order to prevent application bypass and enable secure database consolidation. You will also hear how Oracle customers use Oracle Database Vault and Oracle Database 11g to protect sensitive data and comply with regulatory mandates.

To learn more, register for this and our other Best Practices for Database Security and Compliance webcasts.

Tuesday Mar 06, 2012

Protecting Life-Saving Patient and Donor Data

With more than 9 million donors as part of its Be the Match registry, the National Marrow Donor Program (NMDP) collects and manages a large amount of sensitive medical information. This data has helped enable more than 43,000 marrow and umbilical cord blood transplants for patients suffering from diseases such as lymphoma and leukemia. As the director of IT infrastructure for NMDP, Kyle Nelson understands the importance of both patient and donor information and the systems that protect this data. “Arguably our most-critical technologies are the Oracle databases and comprehensive database defense-in-depth security solutions that store and protect the sensitive information of critical marrow and cord blood patients and donors,” says Nelson. 

NMDP Discusses Oracle Database Security Solutions

National Marrow Donor Program: Oracle Database Security Defense in Depth
Hear how the National Marrow Donor Program protects life-saving patient and donor data with Oracle Database Security defense-in-depth solutions including Oracle Advanced Security, Oracle Database Vault and Oracle Data Masking.

Every year, thousands of patients with life-threatening diseases such as leukemia, lymphoma, and sickle cell disease need a marrow or cord blood transplant, but don’t have a match in their family. Learn how you can help.

Tuesday Feb 14, 2012

Formulate a Database Security Strategy

Although most organizations are taking stronger measures to protect their data, significant gaps still exist at the very core — their databases. Many don’t have a comprehensive database security strategy to defend against sophisticated attacks, track sensitive data, or even meet emerging regulatory requirements. In addition, organizations tend to focus on detective controls rather than preventive measures when it comes to database security.

By contrast, leading industry analyst Forrester finds that implementing a comprehensive and integrated database security solution with a strong emphasis on preventive measures enables organizations to improve security controls and introduce a higher degree of automation across the enterprise. Learn more.

Tuesday Feb 07, 2012

Concerned That Security Investments Still Leave You Vulnerable?

This Thursday at 9am, the ISACA Webcast Series presents a joint Forrester and Oracle presentation on how to formulate a database security strategy.

With the growing internal and external attacks on corporate and government applications and stronger regulatory compliance enforcement, investing in data security is a top priority for organizations. Yet significant gaps still exist at the very core: the databases that house the corporate crown jewels. A recent study by Forrester Consulting* found that most organizations don’t have a comprehensive enterprise database security strategy, resulting in ad-hoc deployment of point solutions focused on detection rather than prevention. In this webcast, guest speaker Forrester Research, Inc. Principal Analyst Noel Yuhanna will discuss the findings of this study and the importance of an integrated and comprehensive database security platform that can provide better security at lower cost. You will also hear from Roxana Bradescu, Director of Database Security Product Management at Oracle, about the recent innovations in Oracle’s database security platform, and learn how you can make the most of your security investments.

Register now for ISACA Webcast this Thursday, February 9 at 9am PT/12pm ET.

*Formulate A Database Security Strategy To Ensure Investments Will Actually Prevent Data Breaches And Satisfy Regulatory Requirements, a commissioned study conducted by Forrester Consulting on behalf of Oracle, January 2012.

Thursday Feb 02, 2012

RSA Conference 2012: Oracle to Highlight Oracle Database Firewall

Amid a growing onslaught of data breaches around the world, this year's RSA Conference will highlight the latest in security insights and technology—including the most recent advances in Oracle Database Firewall. The conference, which will take place in San Francisco, February 27 to March 2, features a keynote address by former British Prime Minister Tony Blair, 17 separate technical tracks, 220 hands-on sessions, and myriad networking opportunities for attendees.

RSA Conference 2012 attendees will also have access to Oracle security experts with in-depth insight into the latest developments in Oracle Database Firewall, including extended support for MySQL Enterprise Edition, new reporting infrastructure for modifying the layout of existing reports, new built-in reports to help comply with regulatory mandates and more. 

Until February 24, 2012, attendees can also opt to register for a complimentary exhibit hall-only pass by using discount code EC12ORAC. 

Learn more and register for the RSA Conference 2012 now

Friday Jan 20, 2012

Best Practices for Database Security and Compliance Webcast Series Begins Feb 1

As the amount of digital information continues to grow, so do the challenges of safeguarding that data. Two-thirds of sensitive and regulated data resides in databases, yet most IT Security programs fail to adequately address database security.

Please join Tom Kyte, Senior Technical Architect at Oracle, as he kicks off the database security best practices webcast series and discusses the threats every IT Database and Security administrator needs to be aware of. Tom will cover an overview of the best practices for securing your databases and guarding against SQL injection attacks, encrypting sensitive data, enforcing least privilege and separation of duties, database auditing and masking non-production data.

  • Feb 1 - Best Practices for Database Security and Compliance
  • Feb 29 - Best Practices for Database Activity Monitoring and Blocking
  • Mar 28 - Best Practices for Database Auditing, Alerting and Reporting
  • Apr 25 - Best Practices for Transparent Data Encryption
  • May 30 - Best Practices for Database Privileged User Access Control
*All webcasts begin 10 a.m. PT | 1 p.m. ET | London 6 p.m. GMT

Tuesday Jan 03, 2012

Is Your Organization Susceptible to a Data Breach?

If your answer is yes (or you're not sure), then you aren’t alone. According to the recent Independent Oracle Users Group Data Security Survey, 60% said that a data breach is likely, or they’re not sure what to expect, over the next 12 months. As you prepare to secure your databases in 2012, see the first in our “real world” video series, which illustrates the different ways organizations are susceptible to security breaches and how Oracle can help mitigate them.

X Marks the Spot - An oil company finds that their drilling efforts are way off target: someone has tampered with mission-critical enterprise intelligence. More than half of organizations would have no way of knowing if privileged users are abusing their access. Learn about Oracle Audit Vault for database activity auditing, alerting and reporting.

Friday Nov 04, 2011

RSA Attack Tip of the Iceberg and Wake Up Call for Organizations Worldwide?

Security experts now say that RSA wasn’t the only corporation victimized in the attack that shook corporate and government leaders worldwide. If this could happen to a security company like RSA, could this happen to any organization? Apparently the answer is yes. About 760 other organizations, according to a recent post on Brian Krebs’s blog. Interestingly enough, none of these organizations have spoken out. Is it because they don’t want the brand hit or is it just that they didn’t know what happened? My money’s on the latter.

Every year Verizon reports that the majority of data breaches are discovered by third parties. I wonder how many of the 760 companies Krebs named are scrambling to figure out what was compromised in the attack. Were critical business plans stolen? Or were manufacturing parameters changed? Going through logs looking for clues. But wait, what logs? According to a recent survey of the Independent Oracle Users Group, only 30% of organizations are monitoring reads and writes to sensitive data stored in their databases. Taken in combination with the lack of preventive controls at the database layer, most organizations are soft targets for Advanced Persistent Threats as well as not-so-advanced opportunistic attacks like the LizaMoon SQL injection attack used to compromise over 4 million databases in a single day.

So what’s the solution: Auditing? Database Firewalls? Encryption? Privileged user controls? Strong authentication? Multi-factor authorization? Yes, yes, yes, yes, yes, and yes. The answer is defense in depth. I am still surprised how many seasoned IT Security professionals don’t want to hear this answer. But security requires investment and vigilance. Our defenses must become as advanced and persistent as the threats we are trying to combat.

Thursday Sep 15, 2011

IDC Report: Effective Data Leak Prevention Programs - Start by Protecting Data at the Source, Your Databases

What’s Missing from your Data Loss Prevention Strategy?

Although most organizations have data leak prevention (DLP) programs in place, IDC finds they are missing strategic solutions to protect their most valuable data assets – databases. IDC estimates the amount of data is doubling every two years and as the overall amount of data grows, so does the amount of sensitive and regulated information.

This IDC white paper presents a proactive approach to data protection, discusses the growing enterprise data threats and the impact government regulations have on requiring additional data protections.

Download the report and learn how enterprises must adopt security best practices that combine both DLP and database security to mitigate data breaches while ensuring data availability.

