Inside Oracle 42

 By Graham Keitch

Oracle Database has some powerful options for keeping your data secure. Grey Matter’s Oracle expert Graham Keitch explains.

HardCopy Issue: 42 | Found In: Database | Published: 01/11/2008 | Last Revision: 06/07/2010

Data protection is an increasingly important consideration and impacts on the developer and ISV as well as the end-user. In this article I will take a quick look at a few Oracle Database options that are of particular interest to these communities as they address data protection and security at both the application and data level.

Oracle came into being some 30 years ago as a result of work its founder members were doing for the CIA and other government agencies. From the outset, Oracle has delivered the industry’s most advanced technology to safeguard data where it lives, in the database. Today’s greater reliance on data and the exponential growth in the amounts being held and processed require high levels of security and availability. Given Oracle’s background, it is not surprising that data security and protection are cornerstone features of the latest Oracle Database 11g specification.

Oracle provides a number of add-on options (mostly for the Enterprise Edition) that address requirements for data privacy, protect against insider threats and satisfy regulatory compliance. This is achieved via privileged user and multi-factor access control, data classification, transparent data encryption, auditing, monitoring and data masking, none of which require changes to the applications.

Regulations such as Sarbanes-Oxley and similar global directives call for ‘separation-of-duties’ and other preventive controls to ensure data integrity and data privacy. Oracle Database Vault allows you to safeguard application data from being accessed by privileged database users. Database Vault uses ‘Realms’ to classify database schemas and roles into functional groups in order to provide fine-grained access control. This helps build security into the application framework.
Application data can be further protected using Oracle Database Vault’s multi-factor policies that regulate access with built-in controls such as time of day, IP address, application name and authentication method, preventing unauthorised access and application by-pass.
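
The realm and multi-factor policy described above can be sketched with the Database Vault administration package, DBMS_MACADM. This is an added example, not taken from the original article; the schema HR_APP, the grantee HR_APP_ADMIN, the IP address and the module name are constructed placeholders.

```sql
-- Added example, not from the article. HR_APP, HR_APP_ADMIN, the IP address
-- and the module name are constructed placeholders.
-- Run as a user holding the DV_OWNER or DV_ADMIN role.
BEGIN
  -- Realm: fence off every object in the application schema.
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'HR Data Realm',
    description   => 'Keeps privileged users out of HR_APP objects',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name  => 'HR Data Realm', object_owner => 'HR_APP',
    object_name => '%',             object_type  => '%');

  -- One rule per factor named in the text. MODULE is set by the client,
  -- so treat it as a weak factor that only counts alongside the others.
  DBMS_MACADM.CREATE_RULE('Office hours',
    'TO_CHAR(SYSDATE,''HH24'') BETWEEN ''08'' AND ''17''');
  DBMS_MACADM.CREATE_RULE('From app server',
    'SYS_CONTEXT(''USERENV'',''IP_ADDRESS'') = ''192.0.2.10''');
  DBMS_MACADM.CREATE_RULE('HR front end',
    'SYS_CONTEXT(''USERENV'',''MODULE'') = ''HR_FRONTEND''');
  DBMS_MACADM.CREATE_RULE('Kerberos login',
    'SYS_CONTEXT(''USERENV'',''AUTHENTICATION_METHOD'') = ''KERBEROS''');

  -- Rule set: EVAL_ALL requires every rule to be true; failures are audited.
  DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'HR multi-factor access',
    description     => 'Time, network origin, application and auth method',
    enabled         => DBMS_MACUTL.G_YES,
    eval_options    => DBMS_MACUTL.G_RULESET_EVAL_ALL,
    audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
    fail_options    => DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => 'Access to HR data denied by policy',
    fail_code       => 20461,
    handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);
  DBMS_MACADM.ADD_RULE_TO_RULE_SET('HR multi-factor access', 'Office hours');
  DBMS_MACADM.ADD_RULE_TO_RULE_SET('HR multi-factor access', 'From app server');
  DBMS_MACADM.ADD_RULE_TO_RULE_SET('HR multi-factor access', 'HR front end');
  DBMS_MACADM.ADD_RULE_TO_RULE_SET('HR multi-factor access', 'Kerberos login');

  -- Realm authorisation is valid only while the rule set evaluates to true.
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'HR Data Realm',
    grantee       => 'HR_APP_ADMIN',
    rule_set_name => 'HR multi-factor access',
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);
END;
/
```

With this in place, an account with system privileges such as SELECT ANY TABLE but no realm authorisation is refused on HR_APP objects, and each refusal is written to the Database Vault audit trail.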

Oracle Database Vault Overview
An overview of the Oracle Database Vault, helping to ensure the secure use of sensitive data by authorised personnel.

The regulatory bodies also require that companies make historical data available for long periods of time. As an add-on for Database 11g Enterprise Edition, Oracle Total Recall stores this data in a secure, tamper-proof database while keeping it accessible to existing applications. Total Recall requires no application changes or special interfaces.

Encryption technology is playing an increasingly important role in protecting data. Oracle Advanced Security provides transparent encryption of all application data or columns that hold sensitive data such as credit card details, social security numbers or personally identifiable information. At the application tier, it is possible to encrypt the entire tablespace or specific sensitive columns without making any changes to existing applications. Advanced Security encrypts the data at rest in the database as well as when it leaves to travel over the network to interact with applications. It provides the highest level of Identity Assurance, with support for PKI, Kerberos and RADIUS-based strong authentication solutions.

Data protection also places high demands on testing and QA environments. Oracle Data Masking pack for Enterprise Manager ensures that sensitive information can be replaced with realistic values, allowing production data to be safely used for development, testing and sharing without violating data privacy regulations or risking sensitive data leaks. Oracle Data Masking uses a library of templates and format rules to transform data so that referential integrity is maintained for applications.

And there’s more. Real Application Testing is a separate licensed option that consists of several components used to capture, analyse and replay production database transactions to assist in testing. This falls under the umbrella of change management but is nevertheless important in ensuring that data assets are protected from unforeseen corruption due to system changes, upgrades or migrations.
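
The column and tablespace encryption described above under Oracle Advanced Security looks like this in Oracle Database 11g SQL. This is an added example, not part of the original article; the table, column and tablespace names, the datafile path and the wallet password are constructed placeholders, and a wallet location is assumed to be set through ENCRYPTION_WALLET_LOCATION in sqlnet.ora.

```sql
-- Added example, not from the article. All object names, the datafile path
-- and the wallet password are constructed placeholders.

-- Create the TDE master key in the wallet (this also opens the wallet).
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "ChangeMe_wallet_pw";

-- Column-level encryption: only the sensitive columns are encrypted.
-- All encrypted columns in one table share one key and one algorithm.
CREATE TABLE customer_cards (
  customer_id  NUMBER PRIMARY KEY,
  holder_name  VARCHAR2(100),
  card_number  VARCHAR2(19) ENCRYPT USING 'AES256',
  ssn          VARCHAR2(11) ENCRYPT
);

-- Encrypting an existing column. NO SALT is required if the column
-- is (or will be) indexed.
ALTER TABLE employees MODIFY (national_id ENCRYPT NO SALT);

-- Tablespace-level encryption: everything stored in it is encrypted.
CREATE TABLESPACE secure_ts
  DATAFILE '/u01/app/oracle/oradata/orcl/secure_ts01.dbf' SIZE 100M
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

-- In 11g an existing tablespace cannot be encrypted in place;
-- move the segments into the encrypted one instead.
ALTER TABLE orders MOVE TABLESPACE secure_ts;

-- Checks an auditor would run: wallet state, encrypted columns,
-- encrypted tablespaces.
SELECT wrl_type, status FROM v$encryption_wallet;

SELECT owner, table_name, column_name, encryption_alg, salt
  FROM dba_encrypted_columns;

SELECT tablespace_name, encrypted
  FROM dba_tablespaces
 WHERE encrypted = 'YES';
```

Applications query these tables with unchanged SQL. The wallet must be open for encrypted data to be readable, so back it up and protect it separately from the database backups.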
Keeping both the database and its applications up to date also helps protect the system and its data. Oracle Configuration Management pack for Enterprise Manager can be used to increase the security of the Oracle databases to ensure compliance with IT control frameworks. The pack combines discovery, vulnerability scanning, compliance benchmarking and central management to detect and prevent configuration drift or unauthorised changes. Additionally, Configuration Management’s Critical Patch Update Advisory feature alerts customers to critical patches issued by Oracle. It immediately identifies those systems across the enterprise that may require the new patch, optionally invoking a wizard to deploy the patch.
