A recent study from Forrester states, a comprehensive database security strategy should focus on proactively protecting data from internal and external attacks, minimizing data exposure to privileged IT users, and securing all databases, including production and non-production. As most enterprises often focus on perimeter-based network security, low importance has been given to database security.
Stunning statistics that force us to re-think database security
In order to address several of the above threats, Oracle provides a number of options to secure the database environment. Its extremely important for DBAs, security architects to understand these capabilities and implement appropriately. But remember, not all these options come without writing few more checks to Oracle.
Where do I start?
Recently, I attended a DB security session by Tom Kyte that helped me to draft a better enterprise db security strategy. An important first step is to understand where all our sensitive data resides, do we even know our data is breached, are we aware of all regulatory mandates, what best practices are we following, where do we see any security holes? I can’t agree more enough with Tom on these questions. Even though these seems pretty obvious, I guess working collaboratively with appropriate teams to get comprehensive answers to those questions will certainly put a better perspective to an upbeat db security strategy. Its very interesting how Oracle put the pieces together to get a categorical overview of Oracle DB security.
Mitigate Database bypass
Securing the data with proper authentication and encryption is significant in mitigating database bypass. Since there are several ways to bypass the database and still access the sensitive data via other means, paying attention to Oracle’s Advanced Security Option’s Transparent Database Encryption (TDE), provides significant value to transparently apply encryption within the database without impacting existing applications. TDE provides the benefit of encryption without the overhead associated with traditional database encryption solutions that typically require expensive and lengthy changes to applications, incl. database triggers and views. More so, TDE works perfectly with RMAN and other database backup tools. In RMAN’s case, it decrypts, compress, and re-encrypt the tablespaces. TDE doesn’t have any restrictions even when using DataGuard, Streams or even Golden Gate. Performance impact is well below 5 % and thus should not be a concern.
Prevent Applications bypass
As organizations have multiple roles with in DBAs such as Security DBA, Application DBA, Production support DBA, etc. segregation of DBA duties becomes significantly important. Oracle’s Database Vault comes in handy to protect application data from the DBA and other powerful users as well as implementing robust controls on access to the database and application. With ODV, realms restrict access to sensitive data. Enforce controls over whom, when and how the data can be accessed using rules and factors.
Consolidate auditing and compliance reporting
As its becoming inevitable for organizations to understand data accessibility, its imperative to have a report pool to get needed accessibility data. Moreover, when it comes to DB security, many of us rush to conference rooms to work on postmortem analysis on breaches as oppose to taking pro-active approaches. In such scenarios Oracle Audit-Vault comes in handy. It works even with non-Oracle databases too. Interestingly, Oracle Audit Vault includes dozens of out-of-the-box reports. Reports related to Sarbanes-Oxley (SOX), Health Insurance Portability Accountability Act (HIPAA), and Payment Card Industry Data Security Standard (PCI-DSS) can be easily accessed from the Oracle Audit Vault dashboard.
Nonetheless, Oracle Audit Vault enables security alerts to be pro-actively issued, providing early notification of potential threats. Oracle Audit Vault continuously monitors inbound audit data, generating alerts based on rules defined inside Oracle Audit Vault.
Monitor Database traffic and block threats
Even though Oracle EM helps in monitoring and even blocking certain threats, Oracle Database Firewall is a nice fit to further secure Oracle DB environment. Oracle Database Firewall acts as a first line of defense for databases, providing real-time monitoring of database activity on the network. Oracle Database Firewall is installed on the network either on a bridge or a span port and monitors every SQL transaction request. It even integrates with F5 BIG-IP Application Security Manager using a plug-in connector. It protects against application bypass, SQL injection and similar threats. Simply put, Oracle Database Firewall is easy to deploy but the benefits are simply great. One best practice, ‘prevent all DDL in production by default’, can be prevented using db firewall.
Production databases Protection
Finally, a product that can help without puncturing corporate balance sheets. Since OEM scans databases against 400+ best practices and industry standards, OEM can play a significant role in securing database life-cycle strategy and can be core part of your enterprise database security. It becomes even more vital tool for automated patching and secure provisioning.
Non-Production database Protection
When we scrumming to protect production database, we pay far less attention in protecting non-production databases. At times, organizations try to address non-production db protection most with custom hand-crafted solutions or re-purposed existing data manipulation tools within the enterprise to solve this problem. Oracle Data Masking is yet another option to be considered to mask sensitive information such as credit card or social security numbers can be replaced with realistic values, allowing production data to be safely used for development, testing, or sharing with out-source or off-shore partners for other non-production purposes. Oracle Data Masking supports masking of sensitive data in heterogeneous databases such as IBM DB2 and Microsoft SQLServer through the use of Oracle Database Gateways.
Even though this article sounds like a marketing propaganda for Oracle’s Database security tools, I personally wanted to understand the tools and capabilities that Oracle provides to secure our enterprise database environment. Before making any viable security enhancement decisions, I wanted to ensure that we have a full picture in play. Especially in Oracle shop such as ours, its obvious that we look for a strong natural security integration at lower TCO but can come mostly from a single vendor such as Oracle to avoid cobbling together point solutions.
This article has been written from what I learned from DB security sessions presented by Tom Kyte, research articles from Forrester, Oracle MOS, etc. Thanks Tom for all the valuable information.
Reference documents library
Even though Oracle provides several advanced security tools at a price, its highly recommended that you complete at least the below basic checklist.
MOS article: Security Check List: Steps to Make Your Database Secure from Attacks [ID 131752.1]
To understand the licensing and product pricing, please refer the below document.