securing data at the source 1-08-10

Upload: jaspidey

Post on 06-Apr-2018

8/3/2019 Securing Data at the Source 1-08-10

1/23

SECURING DATA AT THE SOURCE: A GUIDE TO ORACLE DATABASE SECURITY

Security Inside Out

Table of Contents

3 INTRODUCTION

8 DATABASE ENCRYPTION AND MASKING

13 ACCESS AND AUTHORIZATION

16 AUDITING AND MONITORING

21 LOOKING AHEAD

Secure Data At The Source.

Save Time And Money.

Introduction

Over the past few years, ensuring the security of information and data has become both more challenging and more important. Indeed, doing so has quickly grown from a technology challenge to a key business issue with broad strategic implications, and that has put growing pressure on IT professionals to keep data safe and secure.

In part, this shift is due to the ever-growing role of electronic data in business and the unprecedented amounts of transaction, personal, and financial data (much of it confidential and regulated) that is being generated and stored by corporations and government agencies. As this growth continues, the universe of stored data will expand to 1,800 exabytes by 2012, according to IDC.

Meanwhile, there is a growing range of threats targeting that data. External threats have evolved from being primarily hackers looking for notoriety to being highly organized criminals looking for financial gain. In a recent study of 90 confirmed data breaches in 2008, the Verizon Business Risk security team found that 285 million records were lost in those attacks, and the team reports that 91 percent of those compromised records could be attributed to organized criminal activity. Stolen sensitive information, such as addresses and credit card and social security numbers, can be sold on the black market or used in spamming campaigns, credit card fraud, identity theft, and the distribution of malicious software. And unlike hackers, criminals want to stay below the radar, making their attacks all the more difficult to detect. As Rich Mogull, founder of the Securosis research and analysis firm, recently noted, "We need to acknowledge that threats have changed, from noisy to quiet, from the edge of the organization to the center. We also need to understand that attackers' motivations have changed: web site defacement isn't the goal; fraud and data theft are."

But companies need to consider insider threats as well. Often, these come in the form of accidents or failures to follow security policy. Recent research from the Ponemon Institute found that employee compliance with company security policies is actually declining. "Employees routinely engage in activities that put sensitive data at risk," writes Dr. Larry Ponemon, chairman of the institute. Such activities include downloading data onto unsecured mobile devices, sharing passwords, losing laptops and other devices, and turning off security tools on mobile devices. Writes Ponemon: "Interestingly, of those surveyed, 58 percent said their employer failed to provide adequate data security awareness and training, and 57 percent said their employer's data protection policies were ineffective." But insider threats can be malicious as well, and come from disgruntled workers or employees seeking personal gain. At times, insider attacks make headlines, such as the FBI's 2008 arrest of a former Countrywide Financial Corp. employee for alleged involvement in the theft of some 2 million customer records. But the Privacy Rights Clearinghouse, which maintains a list of breaches, shows numerous smaller attacks at corporations, universities, and government agencies. These breaches may involve only hundreds or tens of thousands of people, but to the organizations and individuals who are victimized, they are very serious just the same. Regardless of the motivation behind internal data breaches, organizations can no longer ignore the security threat posed by people who are actually authorized to access systems at some level. An IDC survey found that 52 percent of large companies had terminated employees or contractors for internal security violations, and 80 percent of very large organizations (those with more than 10,000 employees) had done so.

The cost of failing to secure data is high, and getting higher. Data breaches can lead to administrative costs and, of course, individual or class-action lawsuits from consumers. Compliance, too, can be a costly and growing issue: companies are liable to run afoul of a growing range of regulations, such as Sarbanes-Oxley, the Health Insurance Portability and Accountability Act, Financial Instruments and Exchange Law, Basel II, and the EU Directive on Privacy and Electronic Communications in Europe, which require organizations to implement measures to protect sensitive information and monitor access to that information. The impact on the business from data losses can be deep, and it can be far-ranging in terms of damaged reputation and reduced customer loyalty. In research from the Chief Marketing Officer Council, more than half of the surveyed consumers said that they would strongly consider or definitely take their business elsewhere if their personal information were compromised. The same held true with business-to-business relationships, with about half of surveyed executives saying they would consider or would recommend taking their business elsewhere if a business partner experienced a security breach that compromised their data.

INTRODUCTION DATABASE ENCRYPTION AND MASKING ACCESS AND AUTHORIZATION AUDITING AND MONITORING LOOKING AHEAD

Similarly, outsourcing arrangements often mean that other companies have access to corporate systems and data, and that picture can become even more complicated when offshoring puts work into countries where partners may be working under different laws and regulations regarding data security. In its research, the Ponemon Institute found that third-party organizations account for more than 44 percent of data breach incidents.

The solution to such challenges, then, is to safeguard data where it lives: in the database. Indeed, database security is rapidly becoming a recognized best practice, but often, companies lag behind in this area. "Despite significant effort to protect enterprise databases, attack rates continue to rise across several industries, including financial services, education, retail, the public sector, and manufacturing," notes a report from Noel Yuhanna, principal analyst at Forrester Research. "Today, attacks on enterprise databases are more sophisticated than ever, and many occur without enterprises being aware that an attack is taking place, especially in the case of internal attacks, which are the hardest to detect." Advanced security measures that can help are available, but, reports Yuhanna, only 25 percent of surveyed enterprises are using those types of measures.

The Oracle Approach to Database Security

Oracle provides a comprehensive portfolio of database security solutions to ensure data privacy, protect against insider threats, and enable regulatory compliance, without requiring changes to existing applications. These solutions build on Oracle's long history of innovation in the field. The industry firsts it has delivered include row-level access control, fine-grained auditing, transparent data encryption, and data masking. Today, Oracle solutions are used to protect a significant amount of data, with Oracle Database being used for 48.9 percent of the world's databases.

Given the sophistication and variety of security threats facing businesses, most organizations know that effective security programs are typically based on multiple layers of preventive measures. Oracle's database security options fall into three broad categories:

• Encryption and Masking, which includes Oracle Advanced Security, Oracle Secure Backup, and Oracle Data Masking Pack

• Access and Authorization, which includes Oracle Database Vault and Oracle Label Security

• Auditing and Monitoring, which includes Oracle Audit Vault, Oracle Total Recall, and Oracle Configuration Management Pack

These offerings are discussed in detail in the following chapters.

LEARN MORE

Seminar: Protecting Data at the Source with Oracle Database 11g Release 2
http://www.oracle.com/pls/ebn/swf_viewer.load?p_shows_id=8042809&p_referred=FlashISeminar&p_width=800&p_height=620

Demo: Oracle Database 11g Security and Compliance
http://www.oracle.com/pls/ebn/swf_viewer.load?p_shows_id=8131846&p_referred=undefined&p_width=1000&p_height=675

Analyst Report: Oracle Database Security: Cost-Effective Data Leak Prevention Starts at the Source
http://www.oracle.com/corporate/analyst/reports/infrastructure/sec/idc-219001-080109.pdf
Database Encryption And Masking

Security strategies have long relied on the encryption of information, but in recent years, the need for encryption has increased significantly, with the rise of identity theft and criminal attacks targeting social security numbers, credit card numbers, and other sensitive information. Encryption at the database level can help protect data from unauthorized backdoor access by dishonest administrators and other insiders, and from operating system- and network-level attacks by outsiders. It also helps protect from media theft involving laptops, storage disks being removed for maintenance, and backup tapes.

"Over the years, we've seen requirements to expand protection around critical data such as medical data, personal identifiable information, and credit card information," says Gary Loveland, PricewaterhouseCoopers Advisory principal and security practice leader in the United States. "There is no doubt that in [the near future] even more data will need to be protected. Being able to encrypt all application data efficiently is a big benefit to organizations in terms of keeping up with business needs and staying ahead of regulatory requirements."

However, it is still common to find unencrypted data at many companies, and that data is at risk of being compromised. In a recent Independent Oracle User Group survey, only 21 percent of the respondents said that they encrypt personal information on all databases, and 37 percent said that they either have no encryption of such data, or that they aren't sure whether or not they do.

Encryption is important, but it doesn't cover every situation. For example, encryption will not protect against unauthorized access to production data in nonproduction environments. By definition, developers, administrators, and others need to be able to access data in these environments.

Overall, companies can address these security challenges with the capabilities provided by Oracle Advanced Security, Oracle Secure Backup, and Oracle Data Masking Pack.

Oracle Advanced Security

With Oracle Advanced Security, companies can transparently encrypt all application data or specific sensitive columns, such as credit card numbers, social security numbers, or personally identifiable information. By encrypting data at rest in the database, as well as when it leaves the database over the network or via backup media, Oracle Advanced Security provides a cost-effective solution for data protection.

Oracle Advanced Security Transparent Data Encryption (TDE) provides robust encryption solutions to safeguard sensitive data against unauthorized access at the operating system level, or through the theft of hardware or backup media. With a simple command or point-and-click interface, an administrator can encrypt sensitive data within an existing application table. Unlike most database encryption solutions, TDE is completely transparent to existing applications, and no triggers, views, or other application changes are required. Data is transparently encrypted when written to disk and transparently decrypted after an application user has successfully authenticated and passed all authorization checks. Authorization checks include verifying the user has the necessary select and update privileges on the application table and checking Database Vault, Label Security, and Virtual Private Database enforcement policies. Existing database backup routines will continue to work, with the data remaining encrypted in the backup. To safeguard data in transit, Oracle Advanced Security provides an easy-to-deploy and comprehensive solution for protecting all communication to and from the Oracle Database, providing both native network encryption and SSL-based encryption. The Oracle Database can be configured to reject connections from clients with encryption turned off, or optionally allow unencrypted connections for deployment flexibility.
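The "reject clients with encryption turned off" choice above is made with the sqlnet.ora parameters SQLNET.ENCRYPTION_SERVER and SQLNET.ENCRYPTION_CLIENT, each of which takes REJECTED, ACCEPTED, REQUESTED or REQUIRED. The following is an added example, not code from the guide or from Oracle: it encodes the negotiation outcomes Oracle documents for those two parameters and uses them to check which server setting actually guarantees that no session falls back to cleartext. The outcome strings and the review helper are this example's own.

```python
"""Outcome of Oracle Net native encryption negotiation for a connection.

Added example, not code from the Oracle guide. It encodes the negotiation
results Oracle documents for the sqlnet.ora parameters
SQLNET.ENCRYPTION_SERVER and SQLNET.ENCRYPTION_CLIENT, so a configuration
review can check which server setting actually guarantees that no session
falls back to cleartext.
"""

# The four values each side may take in sqlnet.ora.
LEVELS = ("REJECTED", "ACCEPTED", "REQUESTED", "REQUIRED")
DEFAULT = "ACCEPTED"  # documented default when the parameter is not set

ENCRYPTED = "encrypted"
CLEAR = "cleartext"
REFUSED = "connection refused"


def negotiate(server: str, client: str) -> str:
    """Return the session outcome for one server/client pair of settings."""
    if server not in LEVELS or client not in LEVELS:
        raise ValueError(f"unknown encryption level: {server!r}/{client!r}")
    # One side REQUIRED while the other side REJECTED: the connection fails.
    if {server, client} == {"REQUIRED", "REJECTED"}:
        return REFUSED
    # REJECTED on either side (and not REQUIRED on the other): cleartext.
    if "REJECTED" in (server, client):
        return CLEAR
    # Both sides merely ACCEPTED: neither asks for encryption, so none is used.
    if server == client == "ACCEPTED":
        return CLEAR
    # Otherwise at least one side requested or required it: encrypted.
    return ENCRYPTED


def guarantees_encryption(server: str) -> bool:
    """True when this server setting never produces a cleartext session,
    whatever the client has in its own sqlnet.ora."""
    return all(negotiate(server, client) != CLEAR for client in LEVELS)


def review_server_setting(server: str) -> dict:
    """Outcome for every possible client setting against one server setting."""
    return {client: negotiate(server, client) for client in LEVELS}


if __name__ == "__main__":
    # A server and a client that both keep the default talk in the clear.
    print("default vs default:", negotiate(DEFAULT, DEFAULT))
    for level in LEVELS:
        print(f"SQLNET.ENCRYPTION_SERVER = {level:9}  always encrypted: "
              f"{guarantees_encryption(level)}")
    print(review_server_setting("REQUIRED"))
```

The point the review surfaces is that REQUESTED on the server is not enough: a client configured with REJECTED still gets a cleartext session, and the ACCEPTED default on both sides yields no encryption at all. Only REQUIRED on the server refuses rather than downgrades. Oracle documents the same negotiation for the integrity parameters SQLNET.CRYPTO_CHECKSUM_SERVER and SQLNET.CRYPTO_CHECKSUM_CLIENT, so the same check applies there.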

Overall, Oracle Advanced Security lets companies:

• Protect all application data quickly and easily, with the ability to encrypt the entire tablespace or specific sensitive columns without making any changes to existing applications

• Take a comprehensive approach to encryption, with transparent encryption for Oracle database traffic, disk backups, and exports

• Achieve high levels of identity assurance, with support for PKI, Kerberos, and RADIUS-based strong authentication solutions

• Manage costs, with the ability to leverage complete built-in encryption key lifecycle management, including integration with industry-leading Hardware Security Modules (HSM) or other enterprisewide key management solutions.

Oracle Secure Backup

Oracle Secure Backup provides an integrated, easy-to-use backup solution that encrypts data to tape to safeguard against the misuse of sensitive data in the event that backup tapes are lost or stolen. With a low entry cost, Oracle Secure Backup is ideal for small and midsize businesses and large enterprises alike.

Oracle Secure Backup gives companies complete data protection for Oracle environments. It provides network tape backup for UNIX, Linux, Windows, and Network Attached Storage (NAS) file system data, as well as the Oracle Database, and supports more than 200 different tape devices from leading vendors. It enables Oracle Database-to-tape backup through integration with Oracle Recovery Manager (RMAN), supporting versions Oracle9i to Oracle Database 11g, as well as file system data protection of local and distributed servers and policy-based tape backup management.

Companies can also take advantage of the Oracle Secure Backup Cloud module, which enables efficient Oracle Database backups to the Amazon Simple Storage Service (Amazon S3). Such cloud-based backups offer reliability and virtually unlimited capacity that is available on-demand and requires no up-front capital expenditure. This module is fully integrated with RMAN and Oracle Enterprise Manager, providing users with familiar interfaces for cloud-based backups. It can be used to complement existing backup strategies and can be run independently of Oracle Secure Backup tape-management offerings.

Oracle Secure Backup's client-server architecture enables centralized tape backup management of heterogeneous clients, servers, and tape devices from a single point called the Administrative Server. The Administrative Server maintains a tape backup catalog that houses metadata, configuration information, backup encryption keys, schedules, and user-defined policies.

Key pieces of Oracle Secure Backup functionality are embedded directly inside the Oracle Database engine, making it possible to achieve higher levels of security, performance, and ease of use. For example, to help ensure high levels of security, Oracle Secure Backup encrypts data during all stages of a backup. Encryption is performed before the data leaves the Oracle database, eliminating the risk of data being stolen while in transit to tape. In addition, the data on tape is stored in encrypted form. The Oracle Database then automatically decrypts backups during the restore process. Oracle Secure Backup also features certificate-based authentication of host systems participating in a backup or restore to ensure that outside parties cannot impersonate an authorized host.

In terms of performance, Oracle Secure Backup provides very rapid backups to tape. Its tight integration with RMAN enables it to read the database block layout structure directly and optimize storage access. The solution typically performs backups 10 percent to 25 percent more quickly than comparable media management utilities, with up to 30 percent less CPU utilization.

Oracle Data Masking Pack

IT professionals often need to share data with other parts of the organization. For example, DBAs may need to make copies of production data available to in-house developers or offshore testers for their work. The problem is that such production copies often contain confidential, sensitive, or personally identifiable information that government regulations require companies to protect. In fact, the ability to de-identify sensitive data is an increasingly important element of data-privacy protection laws around the globe.

With Oracle Data Masking, sensitive information such as credit card or social security numbers can be replaced with realistic values, allowing production data to be safely used for development, testing, and staging, and shared with outsourcing or offshore partners for various nonproduction purposes. Sensitive data never has to leave the database, and is kept out of nonproduction databases.

The solution uses an irreversible process to replace sensitive data, helping to ensure that the original data cannot be retrieved, recovered, or restored. It also provides a centralized approach to masking. Traditionally, DBAs have had to create and maintain custom scripts to mask data in each of their corporate databases, a method that is not scalable or truly auditable. Oracle Data Masking, on the other hand, provides a central repository for common masking formats. Security administrators define the masking rules once, and then those rules are applied automatically every time the database administrator masks the database. Companies can apply data privacy rules consistently to all sensitive data to help ensure compliance with regulations.

Oracle Data Masking Pack ships with out-of-the-box mask formats for various types of sensitive data, such as credit card numbers, phone numbers, and national identifiers (social security number for U.S., national insurance number for U.K.).

In addition, companies with specialized masking requirements can add user-defined mask formats to the collection of the mask formats, allowing them to use formats that are appropriate for their business or industry. Financial institutions, for example, often use complex algorithms to generate account numbers to prevent fraud. With user-defined formats, they can generate fictitious account numbers to replace the original data and still remain compliant with the security standard built into the account numbers.
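What such a user-defined format has to do is replace the real value with a fictitious one that still satisfies the check built into the number, and do so irreversibly. The following added example is not Oracle Data Masking Pack code; it illustrates the idea for card numbers (assuming the built-in check is the Luhn algorithm) and for U.S. social security numbers, with the mask formats kept in one central registry that a masking run applies to every row. The column names, the sample rows and the registry are constructed for the example.

```python
"""Irreversible, format-preserving masking for a user-defined mask format.

Added example, not Oracle Data Masking Pack code. It shows the idea behind
the user-defined formats described above: a card number is replaced by a
fictitious number of the same length that keeps the issuer prefix and still
passes the check digit rule built into card numbers. The check assumed here
is the Luhn algorithm; the SSN shape, the row layout and the rule registry
are constructed for the example.
"""
import random
from typing import Callable, Dict, List, Optional


def luhn_check_digit(partial: str) -> str:
    """Digit that makes `partial` + digit pass the Luhn check."""
    total = 0
    # The check digit position is unweighted, so walking from the right,
    # the last digit of `partial` is the first one to be doubled.
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """True when `number` satisfies the Luhn check."""
    return (number.isdigit() and len(number) > 1
            and luhn_check_digit(number[:-1]) == number[-1])


def mask_card_number(pan: str, rng: random.Random, keep_prefix: int = 6) -> str:
    """Fictitious card number: same length, same issuer prefix, Luhn-valid.
    The middle digits are drawn at random, so nothing in the output lets the
    original be recovered."""
    if not pan.isdigit() or len(pan) < keep_prefix + 2:
        raise ValueError("expected a numeric card number")
    body_len = len(pan) - keep_prefix - 1  # digits between prefix and check digit
    while True:
        body = "".join(rng.choice("0123456789") for _ in range(body_len))
        partial = pan[:keep_prefix] + body
        masked = partial + luhn_check_digit(partial)
        if masked != pan:  # never hand back the real value
            return masked


def mask_ssn(ssn: str, rng: random.Random) -> str:
    """Fictitious NNN-NN-NNNN value replacing a U.S. social security number."""
    if len(ssn) != 11 or ssn[3] != "-" or ssn[6] != "-":
        raise ValueError("expected NNN-NN-NNNN")
    digits = "".join(rng.choice("0123456789") for _ in range(9))
    return f"{digits[:3]}-{digits[3:5]}-{digits[5:]}"


# Central registry of mask formats: column name -> masking function.
# The security administrator defines it once; every masking run applies it.
MaskFormat = Callable[[str, random.Random], str]
MASK_FORMATS: Dict[str, MaskFormat] = {
    "card_number": mask_card_number,
    "ssn": mask_ssn,
}

# Constructed "production" rows: published test card numbers and SSNs from
# the range reserved for advertising, not real people or accounts.
SAMPLE_ROWS: List[dict] = [
    {"id": 1, "name": "A. Example", "card_number": "4111111111111111", "ssn": "987-65-4320"},
    {"id": 2, "name": "B. Example", "card_number": "4012888888881881", "ssn": "987-65-4321"},
]


def mask_rows(rows: List[dict], formats: Dict[str, MaskFormat],
              rng: Optional[random.Random] = None) -> List[dict]:
    """Apply the registered formats to every row; unlisted columns pass through."""
    rng = rng or random.SystemRandom()
    masked_rows = []
    for row in rows:
        masked = dict(row)
        for column, fn in formats.items():
            if column in masked:
                masked[column] = fn(masked[column], rng)
        masked_rows.append(masked)
    return masked_rows


def run_demo(seed: int = 7) -> List[dict]:
    """Mask SAMPLE_ROWS with a seeded generator (seeded only so the demo is
    repeatable; a real run would keep the random.SystemRandom() default)."""
    return mask_rows(SAMPLE_ROWS, MASK_FORMATS, random.Random(seed))


if __name__ == "__main__":
    for before, after in zip(SAMPLE_ROWS, run_demo()):
        print(before["card_number"], "->", after["card_number"],
              "luhn ok:", luhn_valid(after["card_number"]))
```

Because the replacement digits are drawn at random, the same real number masks to a different value on every run; that is what makes the process irreversible, but it also means a value shared between two tables will no longer match after masking. Where referential consistency across tables is needed, the format would derive the fictitious digits deterministically from the original under a secret key instead, which is still one-way for anyone without the key.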

Oracle Data Masking Pack is securely integrated with the database-cloning capabilities in Oracle Enterprise Manager. That means that in addition to the standalone masking process, database administrators can now add data masking to the database clone process by pointing the production database to a staging environment and specifying the masking definitions that need to be run after cloning. The solution also provides several options to allow administrators greater control over the masking process and to enable them to test and verify the integrity of the masking process before deploying it.

LEARN MORE

Podcast: Data Privacy Protection with PricewaterhouseCoopers
http://streaming.oracle.com/ebn/podcasts/db_insider/6958087_Alex_Fowler_100708.mp3

Podcast: Database Security for Database and Security Administrators
http://streaming.oracle.com/ebn/podcasts/db_insider/6790837_Rich_Mogull_081808.mp3

Customer Snapshot: Dressbarn Relies on Oracle Advanced Security for PCI Compliance
http://www.oracle.com/customers/snapshots/the-dress-barn-snapshot.pdf

Demo: Forrester Research Oracle Database 11g Security: Data Masking
http://www.oracle.com/pls/ebn/swf_viewer.load?p_shows_id=7060297&p_referred=0&p_width=800&p_height=620
Access and Authorization

Controlling access to information is fundamental to data security, and regulations and best practices alike require companies to have strong access and authorization controls. But this is an area that is not always well managed. In a recent Deloitte Touche Tohmatsu global security survey, excessive access rights was cited as the primary internal or external audit finding over the last year, and unauthorized access to personal information was cited as the top concern in terms of ensuring data privacy. Not only do companies need to manage access for employees across the corporation to make sure the right people are using the right data, they must also work to control the access given to privileged users, in particular database administrators, without limiting those users' ability to perform their jobs. Together, the Oracle Database Vault and Oracle Label Security options can help companies meet those challenges.

Oracle Database Vault

Today, a number of regulations require companies to maintain internal controls to protect sensitive information, such as financial, health, and credit card records, from unauthorized access and modification. Oracle Database Vault helps companies comply with those requirements with strong controls designed to protect data against threats from insiders.

Oracle Database Vault offers Realms, Rules, and Factors features, which work together inside the database to restrict access from even the most powerful users without interfering with the normal day-to-day database administration. Realms can be defined and placed around an entire application or set of tables. For example, a database administrator who can manage all the application databases can be restricted from actually reading the data stored in those databases. Or, an HR application user who has full access to the HR application database can be prevented from accessing data in the financial application database if those two databases are defined as different realms. The ability to prevent privileged users from accessing data outside of their authorized area is increasingly critical because many companies are consolidating application databases on the same database server as they search for ease of management and lower total cost of ownership.

Meanwhile, Rules and Factors significantly tighten application security by limiting who can access which databases, data, and applications, and when and how they can access them. Multiple factors, such as time of day, IP address, application name, and authentication method, can be used in a flexible and adaptable manner to enforce authorization requirements. For example, if company policy mandates no changes to databases during production hours, and a new DBA tries to do an upgrade at the wrong time, Database Vault can block that action or require that a second DBA be present in order to make such a change. Overall, such multifactor control helps prevent unauthorized ad hoc access and application bypass.
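The realm example (a DBA who administers the database but may not read the HR data) and the rule example (no schema change during production hours unless a second DBA is present) can be put together as one small policy evaluator. The following is an added example, not Oracle Database Vault code: the realm check and the factor-based command rule are this example's own models of the behaviour described above, and the user names, subnet, hours, and privilege names are constructed.

```python
"""Realm, rule and factor checks in the style of the controls described above.

Added example, not Oracle Database Vault code. It models two things from
the text: a realm that keeps a DBA holding a system-wide read privilege out
of application data, and a rule set that consults session factors (time of
day, client IP address, authentication method, and whether a second DBA is
present) to block a schema change during production hours. The user names,
subnet, hours and privilege names are constructed for the example.
"""
from dataclasses import dataclass, field
from datetime import time
from ipaddress import ip_address, ip_network
from typing import Set


@dataclass
class Session:
    """The factors a rule may consult for one database session."""
    user: str
    client_ip: str
    auth_method: str              # e.g. "PASSWORD" or "KERBEROS"
    time_of_day: time
    second_dba_present: bool = False
    system_privs: Set[str] = field(default_factory=set)


@dataclass
class Realm:
    """A boundary around a set of objects: a system privilege such as
    SELECT ANY TABLE does not reach inside it unless the user is a participant
    (participants are assumed to hold the ordinary object grants as well)."""
    name: str
    objects: Set[str]
    participants: Set[str]


def make_session(user, ip, auth, hour, second_dba=False, privs=()):
    """Convenience constructor taking the hour of day as an integer."""
    return Session(user, ip, auth, time(hour, 0), second_dba, set(privs))


# Constructed policy values.
PRODUCTION_HOURS = (time(8, 0), time(18, 0))
ADMIN_SUBNET = ip_network("10.20.0.0/16")
DDL_VERBS = {"ALTER", "CREATE", "DROP"}
HR_REALM = Realm("HR", {"HR.EMPLOYEES", "HR.SALARIES"}, {"hr_app"})


def read_check(realm: Realm, session: Session, obj: str) -> str:
    """Decide whether the session may read obj: 'allow' or the reason it is blocked."""
    if obj in realm.objects and session.user not in realm.participants:
        # The realm wins even over SELECT ANY TABLE.
        return f"blocked: {obj} is protected by realm {realm.name}"
    if obj in realm.objects or "SELECT ANY TABLE" in session.system_privs:
        return "allow"
    return f"blocked: no privilege on {obj}"


def in_production_hours(t: time) -> bool:
    start, end = PRODUCTION_HOURS
    return start <= t < end


def command_rule(session: Session, command: str) -> str:
    """Rule set for schema changes: 'allow' or the reason a rule blocked it."""
    parts = command.strip().split()
    verb = parts[0].upper() if parts else ""
    if verb not in DDL_VERBS:
        return "allow"                       # this rule set only governs DDL
    if in_production_hours(session.time_of_day) and not session.second_dba_present:
        return "blocked: DDL during production hours needs a second DBA present"
    if ip_address(session.client_ip) not in ADMIN_SUBNET:
        return "blocked: DDL is only accepted from the administration subnet"
    if session.auth_method != "KERBEROS":
        return "blocked: DDL requires strong authentication"
    return "allow"


if __name__ == "__main__":
    dba = make_session("dba1", "10.20.5.7", "KERBEROS", 10, privs=["SELECT ANY TABLE"])
    print(read_check(HR_REALM, dba, "HR.SALARIES"))
    print(read_check(HR_REALM, dba, "SALES.ORDERS"))
    ddl = "ALTER TABLE HR.EMPLOYEES ADD (badge NUMBER)"
    print(command_rule(dba, ddl))
    print(command_rule(make_session("dba1", "10.20.5.7", "KERBEROS", 10, second_dba=True), ddl))
```

The rules are evaluated in order and the first failing factor is reported, which is also what an auditor wants to see in the denial record: not just that the change was blocked, but which factor (time, network location, or authentication strength) blocked it.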

    Oracle Database Vault provides powerul separation o duty

    controls, oering three distinct out-o-the-box responsibilities

    or security administration, account management, and resource

    management. For example, the solution blocks a DBA with

    the create user privilege rom creating a new user i he

    or she doesnt have the proper responsibility. The resource

    administration responsibility can be urther subdivided

    into backup, perormance, and patching responsibilities. Or,

    responsibilities can be consolidated.

    Because Oracle Database Vault runs inside the Oracle Database,

    it does not require changes to existing applications. In addition,

    Oracle provides certied customizable Oracle Database Vault

    policies or Oracle E-Business Suite, Oracle PeopleSot, Oracle

    Siebel CRM, and Oracle JD Edwards applications to help

    companies deploy quickly.

    Oracle Label Security

Oracle Label Security is the industry's most advanced label-based access control product. It gives companies a powerful and easy-to-use tool for classifying data and mediating access to data based on the data's classification.

Traditional controls focus on roles or stop at the object level: a company would be able to control, for example, a user's access to a customer table, but not to specific subsets of rows within the table. Oracle Label Security extends database authorization by enabling row-level access controls in the Oracle Database using data sensitivity labels, in effect assigning a label to each row and comparing it with the session's label authorizations on every access.

Label Security provides an easy-to-use, policy-based administration model that lets companies create policies specific to their needs. Multiple policies can reside in the same database, making it easy to create policies for different applications in a consolidated environment.


Oracle Label Security enables organizations to:

- Restrict access to individuals with the appropriate clearance. Administrators can classify every row in a table, so that only those with the right clearance can access sensitive data.

- Enforce regulatory compliance. Its policy-based administration model lets organizations establish custom data-classification schemes that implement need-to-know access for their applications.

- Leverage labels flexibly. Labels can be used as factors within Oracle Database Vault for multifactor authorization policies. Oracle Label Security also integrates with Oracle Identity Management, enabling centralized management of policy definitions.

Oracle Label Security was originally designed to meet the high-security requirements of government and defense organizations. Such organizations typically use the solution for multilevel security, that is, to compartmentalize access to sensitive and highly sensitive data stored in the same application table. Commercial organizations can use data labels to compartmentalize data in order to control access to regulated data and enforce need-to-know policies, and to enhance security in multi-tenant databases and in hosting and software-as-a-service arrangements.
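The multi-tenant case from the paragraph above, as an added example that is not code from the Oracle guide: a minimal Label Security policy that labels each row of a hypothetical APP.ACCOUNTS table so two tenants sharing one table cannot see each other's rows. It assumes Oracle Database 11g with Oracle Label Security installed; steps 1 to 5 run as LBACSYS (or a holder of the ACCT_POL_DBA role that step 1 creates). The policy, level, compartment, user and table names are illustrative; the SA_* packages, CHAR_TO_LABEL and LABEL_TO_CHAR are the documented OLS interfaces.

```sql
-- Added example (not from the Oracle guide): a Label Security policy that
-- compartmentalizes one shared table per tenant. Assumes Oracle 11g with OLS
-- installed; names are illustrative assumptions.

-- 1. Create the policy. OLS adds a NUMBER column ACCT_LABEL to each protected
--    table (visible unless the HIDE option is used). READ_CONTROL filters
--    SELECT, WRITE_CONTROL checks DML, and LABEL_DEFAULT stamps new rows with
--    the session's row label when no label is supplied.
BEGIN
  SA_SYSDBA.CREATE_POLICY(
    policy_name     => 'ACCT_POL',
    column_name     => 'ACCT_LABEL',
    default_options => 'READ_CONTROL,WRITE_CONTROL,LABEL_DEFAULT');
END;
/

-- 2. Label components. Levels are ordered (a higher level dominates a lower
--    one); compartments are unordered need-to-know sets, here one per tenant.
BEGIN
  SA_COMPONENTS.CREATE_LEVEL('ACCT_POL', 1000, 'CONF', 'Confidential');
  SA_COMPONENTS.CREATE_LEVEL('ACCT_POL', 2000, 'REG',  'Regulated');
  SA_COMPONENTS.CREATE_COMPARTMENT('ACCT_POL', 10, 'TNA', 'Tenant A');
  SA_COMPONENTS.CREATE_COMPARTMENT('ACCT_POL', 20, 'TNB', 'Tenant B');
END;
/

-- 3. Data labels that rows are allowed to carry. Tags are arbitrary but unique.
BEGIN
  SA_LABEL_ADMIN.CREATE_LABEL('ACCT_POL', 1010, 'CONF:TNA');
  SA_LABEL_ADMIN.CREATE_LABEL('ACCT_POL', 1020, 'CONF:TNB');
  SA_LABEL_ADMIN.CREATE_LABEL('ACCT_POL', 2010, 'REG:TNA');
END;
/

-- 4. Attach the policy to the table. Existing rows have a NULL label and are
--    not returned under READ_CONTROL until someone labels them.
BEGIN
  SA_POLICY_ADMIN.APPLY_TABLE_POLICY(
    policy_name => 'ACCT_POL',
    schema_name => 'APP',
    table_name  => 'ACCOUNTS');
END;
/

-- 5. Session authorizations. TENANT_A_SVC may read up to REG:TNA and write
--    CONF..REG within TNA only; APP_OWNER gets FULL and bypasses label checks.
BEGIN
  SA_USER_ADMIN.SET_USER_LABELS(
    policy_name     => 'ACCT_POL',
    user_name       => 'TENANT_A_SVC',
    max_read_label  => 'REG:TNA',
    max_write_label => 'REG:TNA',
    min_write_label => 'CONF',
    def_label       => 'CONF:TNA',
    row_label       => 'CONF:TNA');
  SA_USER_ADMIN.SET_USER_PRIVS(
    policy_name => 'ACCT_POL',
    user_name   => 'APP_OWNER',
    privileges  => 'FULL');
END;
/

-- 6. As APP_OWNER: seed one row per tenant with explicit labels.
--    CHAR_TO_LABEL converts the text form to the numeric tag stored in the row.
INSERT INTO app.accounts (acct_id, balance, acct_label)
VALUES (1, 1500, CHAR_TO_LABEL('ACCT_POL', 'CONF:TNA'));
INSERT INTO app.accounts (acct_id, balance, acct_label)
VALUES (2, 9900, CHAR_TO_LABEL('ACCT_POL', 'CONF:TNB'));
COMMIT;

-- 7. Check, as TENANT_A_SVC: only acct_id 1 comes back. The TNB row is not
--    hidden by the application; the database filters it before it leaves.
SELECT acct_id, balance, LABEL_TO_CHAR(acct_label) AS sensitivity
FROM   app.accounts;

-- 8. As TENANT_A_SVC: an INSERT with no label is stamped CONF:TNA by
--    LABEL_DEFAULT; supplying a TNB label instead fails the WRITE_CONTROL check.
INSERT INTO app.accounts (acct_id, balance) VALUES (3, 10);
```

The point of step 7 is the one the text makes against object-level controls: TENANT_A_SVC has full SELECT on APP.ACCOUNTS, and still cannot retrieve the other tenant's row through any query path, ad hoc SQL included.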

LEARN MORE

Podcast: Protecting Your Databases Against Cyber-Espionage

Demo: Forrester Research, Oracle Database 11g Security: Access Control; Oracle Database Vault: Privileged User and Multi-Factor Controls

Seminar: Rich Mogull on Enforcing Separation of Duties for Database and Security Administrators


Auditing and Monitoring

Security threats continue to shift and grow, and the use of technology continues to evolve, which means that the security landscape is constantly changing. Effective security cannot be accomplished with a set-it-and-forget-it approach; it requires continued vigilance and comprehensive monitoring of the state of security in the enterprise.

In part, that means companies need to be able to audit changes in the database, to see who altered what and when, in order to analyze problems, uncover suspicious activity, and comply with regulatory reporting requirements. It is also increasingly important to monitor activity in real time, so that the company can detect unauthorized access and act quickly to avoid problems or minimize their impact. Finally, companies need to assess their potential vulnerabilities during deployment and ongoing database operations. This is key to working proactively and heading off security problems before they start.

To strengthen auditing and monitoring, companies can draw on the Oracle Audit Vault, Oracle Total Recall, and Oracle Configuration Management Pack options.

    Oracle Audit Vault

Experts who have investigated data breaches have found that auditing can help detect problems early, reducing the financial impact of the breaches. Oracle Audit Vault transparently collects and consolidates audit data, providing insight into who did what to which data and when, including privileged users who have direct access to the database.

Oracle Audit Vault automatically collects audit data from Oracle, DB2, Sybase, and SQL Server databases. It consolidates this data in a secure and highly scalable audit warehouse, with access strictly controlled through predefined administrative roles. It also leverages Oracle's database security and data warehousing technology for managing, analyzing, storing, and archiving large volumes of audit data securely.

The solution enables proactive threat detection, with alerts that highlight suspicious activity across the enterprise. It continuously monitors inbound audit data, evaluating it against alert conditions. Alerts can be associated with any auditable database event, including changes to application tables, role grants, and privileged user creation on sensitive systems. The solution gives companies graphical summaries of the activities that are causing alerts.

Database audit settings are centrally managed and monitored from within Oracle Audit Vault. IT security personnel work with auditors to define audit settings on databases and other systems to meet both compliance requirements and internal security policies. Oracle Audit Vault lets companies provision and review audit settings in multiple Oracle databases from a central console, reducing the cost and complexity of managing audit settings across the enterprise.

Oracle Audit Vault also offers simplified, out-of-the-box compliance reporting. It gives companies standard audit-assessment reports covering privileged users, account management, roles and privileges, object management, and system management. Companies can define parameter-driven reports that show user login activity across multiple systems and within specific time periods, such as weekends. The solution also provides an open audit warehouse schema that can be accessed from Oracle BI Publisher, Oracle Application Express, or third-party reporting tools.

With these capabilities, Oracle Audit Vault helps companies:

- Simplify compliance reporting, with the ability to easily analyze audit data and take action in a timely fashion using out-of-the-box or custom reporting

- Detect threats more effectively, with the ability to quickly and automatically identify unauthorized activities that violate security and governance policies, and to thwart perpetrators who try to cover their tracks, since the audit records have already been copied off the source system

- Lower IT costs, with the ability to centrally manage audit settings across all databases

With Oracle Audit Vault, organizations are in a much better position to enforce privacy policies, guard against insider threats, and address regulatory requirements.
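Audit Vault consumes the source databases' own audit trails, so the alerts on role grants and privileged-user creation and the weekend-login report described above only work if the underlying audit options are switched on at the source. The following is an added example, not code from the Oracle guide and not Audit Vault's own configuration: the source-side setup on an Oracle 11g database, a check that the options took effect, and the equivalent reports run locally against DBA_AUDIT_TRAIL (the data Audit Vault collects). It assumes AUDIT_TRAIL is set to DB or DB,EXTENDED, a session holding the AUDIT SYSTEM privilege, and that "privileged user" means a grantee of the DBA role, which is an assumption for illustration.

```sql
-- Added example (not from the Oracle guide): source-database audit options
-- and local reports that mirror the Audit Vault alerts in the text.
-- Assumes Oracle 11g, AUDIT_TRAIL=DB, and the AUDIT SYSTEM privilege.

-- 1. Audit account and privilege management plus every session, per statement
--    (BY ACCESS), so each event is its own row whether it succeeded or failed.
AUDIT CREATE USER, ALTER USER, DROP USER BY ACCESS;
AUDIT GRANT ANY ROLE, GRANT ANY PRIVILEGE, GRANT ANY OBJECT PRIVILEGE BY ACCESS;
AUDIT ROLE BY ACCESS;       -- CREATE/ALTER/DROP/SET ROLE
AUDIT SESSION BY ACCESS;    -- every LOGON and LOGOFF, including failed logons

-- 2. Verify before trusting any report built on the trail: statement options
--    and system-privilege options live in two different views.
SELECT audit_option AS option_name, success, failure
FROM   dba_stmt_audit_opts
WHERE  user_name IS NULL
UNION ALL
SELECT privilege, success, failure
FROM   dba_priv_audit_opts
WHERE  user_name IS NULL
ORDER  BY 1;

-- 3. Report: weekend logons (successful and failed) by holders of the DBA
--    role over the last 30 days. RETURNCODE 0 = success, 1017 = bad password.
SELECT a.username, a.os_username, a.userhost, a.timestamp,
       a.action_name, a.returncode
FROM   dba_audit_trail a
WHERE  a.action_name IN ('LOGON', 'LOGOFF')
AND    a.timestamp >= SYSDATE - 30
AND    TO_CHAR(a.timestamp, 'DY', 'NLS_DATE_LANGUAGE=ENGLISH') IN ('SAT', 'SUN')
AND    a.username IN (SELECT grantee FROM dba_role_privs
                      WHERE  granted_role = 'DBA')
ORDER  BY a.timestamp;

-- 4. Report: new users and role grants in the last 7 days, the two events the
--    text names as alert conditions on sensitive systems.
SELECT timestamp, username, action_name, obj_name, grantee, returncode
FROM   dba_audit_trail
WHERE  action_name IN ('CREATE USER', 'GRANT ROLE')
AND    timestamp >= SYSDATE - 7
ORDER  BY timestamp DESC;
```

Two caveats a reviewer should keep in mind: the DBA-role membership used in step 3 is itself mutable, so the grant events in step 4 should be read alongside it; and a local DBA can delete from SYS.AUD$, which is exactly why the text stresses moving these records into a separate warehouse.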


    Oracle Total Recall

Today, companies need to retain historical data for long periods of time in order to comply with various regulations. In addition, many recognize the value such historical data holds for analyzing problems and understanding market trends and customer behavior, so they keep it even longer than regulations demand. Doing all of this in a secure manner, however, has traditionally been a difficult and inefficient process.

Oracle Total Recall addresses that problem by allowing historical data to be kept inside the database very efficiently, and by enabling instant access to the historical data needed to conduct various analyses. Overall, it lets companies transparently track changes to database table data in a secure and efficient manner.

Oracle Total Recall can be used to support internal auditing, human-error correction, and regulatory compliance processes. There is no fixed limit on how long historical data can be kept, because it is stored in the database itself; the solution can handle any retention period the business requires. And the solution provides real-time access to historical archives, with the ability to query data as of any point in time in the past through standard SQL statements.

Based on Flashback Data Archive, the solution provides:

- Efficiency of performance and storage. The capture process minimizes performance overhead, and historical data is stored in compressed form to reduce storage requirements.

- Protection from accidental or malicious update. No one, not even administrators, can update historical data directly.

- Automated ongoing historical data management. Oracle Database 11g automatically enforces retention rules and sends alerts when problems arise, minimizing administrator intervention.

Oracle Total Recall is easy to configure and implement. Administrators can enable historical data capture for one table or for all tables in a database with a simple enable-archive command (ALTER TABLE ... FLASHBACK ARCHIVE). In addition, the solution requires no application changes or special interfaces, and it eliminates the need for third-party or custom solutions for managing historical data. Overall, Oracle Total Recall is designed to be easily managed and to make the most efficient use of all related resources, including CPU, storage, and administrator time.
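What the enable-archive step and the point-in-time queries above look like in SQL. This is an added example, not code from the Oracle guide: Total Recall is the Flashback Data Archive feature, and the statements below are its documented syntax. It assumes Oracle Database 11g, an existing tablespace FDA_TS, a table APP.ACCOUNTS, and a session holding FLASHBACK ARCHIVE ADMINISTER for the first two steps; the names, the 7-year retention and the dates are illustrative assumptions.

```sql
-- Added example (not from the Oracle guide): Flashback Data Archive, the
-- feature behind Oracle Total Recall. Assumes Oracle 11g; names, retention
-- and dates are illustrative assumptions.

-- 1. One archive with one retention policy. History older than RETENTION is
--    purged automatically; nothing else can update or delete it.
CREATE FLASHBACK ARCHIVE DEFAULT fda_7yr
  TABLESPACE fda_ts
  QUOTA 10G
  RETENTION 7 YEAR;

-- 2. The "enable archive" command from the text. Applications need no change;
--    the database captures every committed change to the table from here on.
ALTER TABLE app.accounts FLASHBACK ARCHIVE fda_7yr;

-- 3. Confirm which tables are tracked and where their history lives.
SELECT owner_name, table_name, flashback_archive_name, archive_table_name
FROM   dba_flashback_archive_tables
ORDER  BY owner_name, table_name;

-- 4. Point-in-time query with plain SQL: what did account 42 look like at
--    the last year-end close?
SELECT acct_id, balance
FROM   app.accounts
       AS OF TIMESTAMP TO_TIMESTAMP('2009-12-31 23:59:59',
                                    'YYYY-MM-DD HH24:MI:SS')
WHERE  acct_id = 42;

-- 5. Full change history of the row: every version with the operation and
--    the transaction that produced it. Join VERSIONS_XID to the audit trail
--    (or FLASHBACK_TRANSACTION_QUERY) to find the session behind a change.
SELECT versions_starttime, versions_endtime, versions_operation,
       versions_xid, balance
FROM   app.accounts
       VERSIONS BETWEEN TIMESTAMP
         TO_TIMESTAMP('2009-01-01', 'YYYY-MM-DD') AND MAXVALUE
WHERE  acct_id = 42
ORDER  BY versions_startscn NULLS FIRST;
```

One caveat on the "no one can update the history" property: the history is immutable, but a user with FLASHBACK ARCHIVE ADMINISTER can run ALTER TABLE ... NO FLASHBACK ARCHIVE, which discards that table's history. Treat that privilege as a privileged-user control in its own right, audit its use, and consider a Database Vault command rule on ALTER TABLE for archived tables.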


Oracle Configuration Management Pack

The Oracle Configuration Management Pack helps companies ensure that their database configurations are secure by automatically detecting, validating, and reporting on authorized and unauthorized configuration changes.

To help track assets and uncover problems, the management pack collects detailed configuration information for a range of components, including hardware, operating systems, and Oracle Database, middleware, application server, and WebLogic Server software. The pack can be used to support both Oracle and third-party IT components.

Oracle Configuration Management enables the proactive assessment of key compliance areas such as security, configuration, and storage to help companies identify vulnerabilities and areas where best practices are not being followed. The solution includes a built-in collection of more than 250 best practices based on industry standards for security and configuration management, which administrators can customize for their specific IT environment.

In addition, the pack has a Critical Patch Update Advisory feature that alerts companies to critical patches issued by Oracle and immediately identifies the systems across the enterprise that may require the new patch. Companies can also use a patch wizard to deploy the patch automatically, helping to ensure that application databases are kept up to date and protected.

A key part of this management pack is the Configuration Change Console, which provides real-time change detection and reporting. The console automatically collects the required data, detecting and capturing any actions by users or applications that result in changes to the infrastructure; no user input is requested or required to capture and document changes. The console monitors a variety of areas, including files and directories, processes, user accounts, server resources, databases, and the network. With the console, companies can use compliance-reporting dashboards that convert continuous evaluation results into compliance scores and present them in at-a-glance views that highlight key indicators, provide the ability to drill down to details, and help decision makers track progress toward compliance over time.


By letting companies detect and prevent unauthorized changes more efficiently and effectively, the Oracle Configuration Management Pack helps ensure compliance with IT control frameworks such as Control Objectives for Information and related Technology (COBIT) and the COSO Internal Control-Integrated Framework, as required by Sarbanes-Oxley and similar global directives. In doing so, it helps companies increase security, mitigate risk, and demonstrate control over the entire IT environment for governance and compliance.

LEARN MORE

Podcast: Chase Paymentech Relies on Oracle Audit Vault for Security and Compliance

Demo: Oracle Audit Vault: Database Audit and Activity Monitoring; Database Vulnerability Assessment and Secure Configuration

Seminar: Forrester Research, Oracle Database 11g Security: Activity and Configuration Monitoring


Looking Ahead

Database security is clearly a vital and challenging issue, and companies need to be prepared for this reality. At many organizations, however, there is considerable room for improvement on this front. For example, in a recent IOUG security survey:

- Only one in four respondents said that all their databases are locked down against attacks.

- Most respondents said that they do not have mechanisms in place to prevent database administrators and other privileged database users from reading or tampering with sensitive information, and most said that they are unable to detect such incidents.

- One in four of the sites covered by the survey do not encrypt data within their databases, and nearly one in five were not sure whether such encryption takes place.

- Two in five responding organizations said that they use actual production data in nonproduction environments, which typically puts that data in an unsecured setting.

These types of gaps represent significant vulnerabilities, and the world is likely to be less and less forgiving of such lapses in the months and years to come. Compliance is likely to become increasingly challenging, as data privacy regulations, and the fines for noncompliance, become more and more stringent. The sheer volume of sensitive data that needs to be protected continues to grow. And threats posed by insiders and outsiders alike will only become more sophisticated.

"The risks around data security can be expected to keep growing and evolving to become ever-more challenging, as criminals step up efforts to tap into what is a very valuable asset," says Securosis founder Rich Mogull. That means that advanced, comprehensive security is only growing more important, and that companies will need to tighten control over the sensitive information held in their databases. In short, database security has already become a critical technical and business issue, and looking forward, the effort to protect data where it lives will play an increasingly vital role in an organization's success.


LEARN MORE

Podcast: Database Security for Database and Security Administrators

Analyst Report: Forrester Research: Your Enterprise Security Strategy for 2010

Blog: Security Inside Out

Data Security Self-Assessment Tool


Copyright 2009, Oracle and/or its affiliates. All rights reserved. Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.