How to Protect Your Data — While Still Using It
Databases weren’t connected to the Internet in the early days of data analytics, and since they were accessed only by authorized database administrators, there was little concern about data theft. Today, databases are the foundation of every action we take in business, powering countless applications that are accessed daily by thousands of users with different needs and agendas.
In this chaotic environment, keeping that data safe is an ever-changing challenge for enterprise and IT leaders. Organizations seek to ensure security with firewalls, network appliances, and even physical measures. But the area that requires significantly more of your attention protects the storehouse of that data: your databases.
The scope of cybercrime
According to Trustwave’s 2013 Global Security Report, which reveals insights from the company’s security activities over the previous year, cybercrime is increasing at lightning speed. Although some cybercriminals target specific organizations, any company is a potential target for corporate or political espionage, particularly organizations with eCommerce sites or other financial information (e.g., credit card numbers, personally identifiable information).
Cybercriminals are constantly finding new ways to directly and indirectly access databases. Web applications are now the most popular attack vector; in 2012 alone, the number of mobile malware programs grew by 400%, according to the Trustwave report.
SQL injection and remote access are still the most common methods of intrusion. Equally devastating are intrusion methods that are hard to detect, such as zero-day attacks that exploit unknown vulnerabilities and stealth malware that stays under the radar, trying to gain long-term control of systems.These advanced attacks don’t announce their presence — in fact, cybercriminals encrypt over 25% of data during exfiltration, making data loss hard to see and hard to track.
Keep the bad guys out; let the good guys in
In this volatile security climate, database administrators and IT leaders have discovered that providing data access and maintaining security is a real balancing act. The complexities of user access make managing security even more challenging.
According to Securing Oracle Database 12c: A Technical Primer, you need to address database security at multiple levels:
- Control data access — Determine what data users need, then implement controls to make sure no one else can access it.
- Close backdoors — Cybercriminals tend to avoid the database’s “front door” because it’s protected by access controls. Instead, they might try to gain access to the system as a privileged operating system user (e.g., root) in order to change the database’s behavior so that it ignores the access control settings. Close backdoors by taking additional data security measures such as hardening the operating system and using encryption to protect the data.
- Implement advanced access controls — For example, if a table contains information about customers’ purchases, take measures to ensure that the marketing analysts can access information about which products the customers purchased but not the credit cards they used.
- Actively audit databases — Create and maintain an audit trail to detect misuse by privileged users. Be on the lookout for evidence that users might have been unintentionally given more dataaccess privileges than necessary.
- Control SQL input — Implement a specialized firewall to monitor SQL statements going into the database to protect it against SQL injection attacks.
- Mask data — Mask sensitive or regulated data used for testing and development purposes. If you’re running Oracle 12c, use the Data Redaction feature to dynamically mask the results of queries on production databases as well.
- Validate configuration compliance — Cybercriminals often look for configuration weaknesses, such as the use of well-known username and password combinations. Sadly, when Trustwave analyzed more than 3 million passwords in 2012, it found that 50% of users followed the bare minimum password-security measures, with Password1 being the most popular password. Perform regular security configuration scans to identify and fix problems.
Where to start
When addressing these layers of security, you must be thorough but also balance cost and maintenance considerations. The recommended first step is to look at the age and state of your current databases.
Oracle updates its technology to stay ahead of the curve in terms of security, functionality, and ease of administration. It pays to stay in step with the latest tools, and use them to your advantage. Oracle 12c offers many significant security enhancements; with the latest release, you can do the following:
- Use the new Privilege Analysis feature to see what privileges are being used by both users and applications and identify unused and excessive privileges.
- Use the new Data Redaction feature to prevent the display of data columns that contain sensitive or regulated data (e.g., credit card numbers, U.S. Social Security numbers).
- Use the SHA-2 algorithm to hash sensitive data. Now, you can even use the SHA-2 algorithm with the Procedural Language/Structured Query Language (PL/SQL) DBMS_CRYPTO package.
- Associate roles with PL/SQL packages, functions, and procedures, eliminating the need to grant these roles to runtime users. Reducing the database privileges granted to users helps enforce the security concept of least privilege.
- Create and enable database audit policies with no production database downtime. This is possible because Oracle 12c has a new unified auditing architecture in which auditing is enabled by default.
- Better protect applications’ tables when those tables contain sensitive data. With the new mandatory realms feature, you can block users who have direct object grants from accessing that sensitive data.
Keep the Cybercriminals Out
Oracle 12c offers solid security so that you can keep the bad guys out while letting the good guys in. Security is an ongoing investment, but it’s one investment that you won’t regret.