SQL Clone
SQLServerCentral is supported by Redgate
Log in  ::  Register  ::  Not logged in

Last Week's DB Security Workshop @ Oracle Montreal

DB Security Workshop @ Oracle Montreal

I have dedicated several posts on the importance of being a Data Steward, and the consequences of not doing so, or in my case having been prevented from doing so within the government due to my ethnicity. But I digress  back to stressing the significance of recurrent security training.

Last week, a colleague and I participated in an extremely interesting one-day workshop at Oracle’s offices here in Montreal focused on information protection, privacy and accountability.  Here are some of the notes I jotted down (full slides here) please excuse their terseness in advance:

It should be of no surprise, that a Verizon study report on data breaches reveals that 70% are from internal users.  There are several strategies below you can use, and, by the way, if you did not catch K. Brian Kelley’s Bulletproof Security Strategy Webcast, it is worth the time.

Data breach legislation examples: CA Senate Bill 1386 Security Breach Notification
Up and coming Bill C-12 Canadian data protection will make data breach notifications mandatory (everyone say YAY!)

Beware of Malware and hacking, since DBs are the top of the list for data breaches, because as we database admin.s already know, 92% of the corporate data is located there.
Breaches disclosure laws can cost companies $240/record (burnt, and ruins some companies)

IOUG data security report says that 44% of users could access data directly
48% not aware of all DBs with sensitive data
Obviously, the DBA working on these institutions did not have a chance
to implement Database Security Best Practices for the Vigilant DBA

Compliance and regulations are greater than ever - BASEL is the new acronym we heard also.
Fragmented response is typical and it is an afterthought to fix security – but as I have said before, Databases are not a place to be lax on Security!

Solutions: consolidate, automate and embed!

Oracle Security Inside Out, encryption, masking, multi-factor authorization, secure configuration
Auditing and monitoring, blocking and logging, Access control (proper access management)

HSM Hardware Security Device
Big picture is that there should be a DB firewall, another additional security layer
– network SQL monitoring activity (to prevent unauthorized db access), stop SQL injections, privilege or role escalation, and blocking. 
Encrypted backups, encrypted Bus, encrypted exports, and data masking.
Highly accurate sql grammar based analysis.

DB data can be sensitive, confidential or public: 
audited with unauthorized local activity, consolidated DB security

TDE: Transparent DB encryption does not require application changes; there is an Oracle security wallet
built-in key management, RMAN encrypt backups to disk, and encrypt export files from Data pump
Master key has to be safeguarded because it controls all (chose the role of who should be our Master Key holder – delegate to the responsible within a the security team, if available).
If you lose the Master key, you are SCREWED!
All table space can be encrypted since it is highly efficient

Only REAL DBAs can open the Oracle Wallet (oops, sorry, that is an inside joke).

During our Oracle encryption lab, we came across a tool to validate whether the data was actually encrypted in the file (perhaps a file you can use too with SQL Server encryption validation?).
Khexedit allows us to view individual records from DBFs (data base files). We can see the data unless TDE is enabled, since the TXT interprets the Hexi data value.

So after altering the column to encrypt it, we can no longer find the data:

If you lose your keys – well, just do not lose them (or at least upon generation, give them to the security team or your Boss/Manager, etc. to be sure they are safe).

For more details here is a great FAQ on Oracle Transparent Data Encryption (you can be I am going to read up on SQL Server’s implementation of TDE next )

During the workshop we also covered Network encryption + strong authentication. Standard based encryption for data in transit, strong authentication of users and servers, no infrastructure changes required, easy to implement

Secure Backup product. Integrated Tape or Cloud BU management

Masking removes the sensitive data from non-prod dbs – a good practice for refreshes to all other environments outside of production!

Irreversible de-identification, while keeping referential integrity so apps continue to work
Sensitive data never leaves the DB

DB Vault handles Separation of duties and privileged user controls (let DBAs work with HR data without compromising sensitive info). 
Out of the box compliance reports,
centralized audit policy management. 
Limits powers of privileged users by restricting highly privileged users to certain operations,
Securely consolidate application data
No application changes required.
Consolidate audit data into secure repository
private DBs are were the vault will be used – access restriction features make Oracle the lead
DB factor to secure, by IP, by account, by
realm violation audit reports can be built-in
Reports such as who is really in the DBA role
Prevent DBA from accessing application data, pre-build policies include realms and command rules, complements application security, transparent to existing applications, customizable.

Label security – classifying users

Total Recall – secure change tracking
transparently track data changes
Efficient, tamper-resistant storage of archives,
real-time access to historical data,
simplified forensics and error correction

Data explosion depends on each application – those that are well developed will auto-aggregate the data to save rows (as VM VCenter databases do rather nicely).
Oracle Configuration management is much like grid control (aka enterprise manager)
Continuous scanning against 375+ best practices and industry standards, extensible
Detect and prevent unauthorized configuration changes
change management compliance reports...
A matter of taking the time to implement recommendations.

Rule of thumb: When in doubt, encrypt
encryption is a defacto expectation to protect data

PCI says any traces of Credit Card data have to be encrypted
encrypt personal identity info to comply with EU Data privacy
Medical records in DB might need to comply with CAAB 1298
Off-site backups should be encrypted.

Advanced security over the network…and then we dove into the labs.

End of notes and warning -
Failing to be vigilant with data could also result in the loss of billions of dollars of public money, a situation I unfortunately witnessed first-hand six months after I had internally provided a report detailing an audit failure at Canada’s largest public Institutionalized pension fund manager, the Quebec Deposit and Investment Fund (CDP Capital).

PS – if anyone is interested in Oracle Enterprise Manager 12c, here’s a great webcast:


No comments.

Leave a Comment

Please register or log in to leave a comment.