Is your data secure?
As I read the article on the incident where Microsoft’s databases were exposed and data was exploited (Read More here - https://www.scmp.com/tech/big-tech/article/3146567/microsoft-cloud-databases-exposed-thousands-customers-unexploited), it made me explore options within Oracle on how to secure data and see what security options were available for our end customers.
Oracle can help secure your data in many ways, and this article aims to explain them. Oracle’s Database Security Options allow you to secure databases against deliberate attacks, such as cyber security threats, and also against misuse by those who have internal access. The big questions are:
Who wants your data? - Insiders, Nation States, Criminals, Hacktivists, Competitors, Customers, Former employees, Curiosity seekers.
And,
What are the attack techniques? - Stolen credentials, SQL injection, Privilege escalation, XSS attacks, Unpatched systems, App exploits, Buffer overflow, Phishing.
Oracle has 6 major value-added database products in the security portfolio.
Advanced Security, Database Vault & Label Security are DB EE Options. Data Masking & Subsetting is from the DB Management Pack.
Let’s go through them one by one.
1. Advanced Security
Advanced Security is best known for encryption, but it also includes data redaction. This is what lets you encrypt an Oracle Database. It’s our best-selling product and one that every customer needs.
Encryption and redaction
2. Key Vault
Key Vault is one of the easiest products to understand, but at the same time is one of the most critical for customers to get right. If you encrypt a database, then you have an encryption key for that database. There needs to be some way to manage those keys, and for the Oracle Database that key management comes from Oracle Key Vault. If you’re using or considering Oracle Advanced Security, you should be looking at Oracle Key Vault as well.
Encryption Key Storage and Management
3. Database Vault
Database Vault lets you control access to sensitive data and is one of the best solutions to a real security problem – the compromise of privileged user and application service accounts.
Advanced Access Control
a. Separation of duty: It covers how user administration, database administration and data administration are done. It also allows fine-grained control down to the command and object level.
b. Context-aware authorization policies: It lets you enforce a trusted path to application data, with rules based on IP addresses, OS users, LDAP attributes, programs and even the time of day.
4. Data Masking & Subsetting (DMS)
Data Masking and Subsetting solves the problem of multiplying risk. Many customers copy production databases to use for test and development. DMS helps them remove sensitive data from those clones, replacing it with “fake” or scrambled data that can still be used for test and development, but doesn’t carry the same risk in the event of a data breach.
5. Audit Vault & Database Firewall (AVDF)
Audit Vault and Database Firewall collects audit data from databases and puts it into a secure data warehouse where it can be analyzed, reported on, and used to produce alerts when bad things are detected. The “Firewall” piece of the product can block attacks like SQL injection from reaching the database.
Database activity monitoring
6. Label Security
It allows fine-grained access to database records.
Data and user labels
The above 6 Oracle database security options comprehensively cover customers’ needs to protect their own data assets and their customers’ data assets without worrying about the technological aspects. There is more to security than just database security, such as identity management and what Oracle has to offer in that space. But that's for another day of the #InCaseYouDidntKnow series.