Securing an Oracle database starts with knowing the data it holds. That data is the information that runs, or is the foundation of, the enterprise: financial records, personally identifiable information, trade secrets or simply proprietary material. Compliance requirements raise the stakes further, and they come with no get-out-of-jail-free card in case of a data breach.
Protection has to address both misuse by insiders and attacks from a variety of outside threats. Oracle ships a comprehensive array of security features and internal controls, but database managers need to be proactive about the “triple-A” gatekeeping safeguards: authentication, access controls, and auditing:
Preventing authentication atrophy
Database managers need to recognize that default user accounts, passwords, and profiles can lead to complacency and pathways to data breaches. Do the following to keep database authentication measures strong:
- Lock or delete all unused Oracle accounts.
- Strengthen default user passwords with hard-to-crack complex character mixes and phrases.
- Replace the unlimited settings of the DEFAULT profile with a profile that enforces your policy (failed-login lockout, password lifetime, reuse limits, a password verify function) and assign it to every account, so that no user falls through to the defaults.
Authentication measures also need to include a secure password policy for all users, application or non-application. In Oracle the place to enforce that policy is the user profile (PASSWORD_LIFE_TIME, FAILED_LOGIN_ATTEMPTS, PASSWORD_REUSE_MAX and a PASSWORD_VERIFY_FUNCTION), not Virtual Private Database, which controls which rows a user can see rather than how the user authenticates. Also, see this publication by the Center for Internet Security for best practices in creating strong passwords.
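The following Oracle SQL is an added example, not code from the original article, that carries out the three authentication steps above with native features: it finds accounts still on a default password, locks an unused account, and defines a profile that enforces a password policy. The user and profile names (LEGACY_RPT, APP_USER, HARDENED_PROFILE) and the sample password are hypothetical; the views and the shipped verify function ORA12C_VERIFY_FUNCTION are real Oracle 12c+ objects (the function is created by running ?/rdbms/admin/utlpwdmg.sql as SYS).

```sql
-- Added example (not from the original article). Run as a DBA on Oracle 12c or later.
-- Hypothetical names: LEGACY_RPT, APP_USER, HARDENED_PROFILE.

-- 1. Which accounts still use a well-known default password?
SELECT username
  FROM dba_users_with_defpwd
 ORDER BY username;

-- 2. Which open, non-Oracle-maintained accounts have never logged in or are stale?
SELECT username, account_status, created, last_login
  FROM dba_users
 WHERE account_status = 'OPEN'
   AND oracle_maintained = 'N'
 ORDER BY last_login NULLS FIRST;

-- 3. Lock (and later drop) an account nobody uses.
ALTER USER legacy_rpt ACCOUNT LOCK PASSWORD EXPIRE;
-- DROP USER legacy_rpt CASCADE;   -- once nothing depends on the schema

-- 4. Put the password policy in a profile. Limits are in days; 1/24 is one hour.
CREATE PROFILE hardened_profile LIMIT
  FAILED_LOGIN_ATTEMPTS    5
  PASSWORD_LOCK_TIME       1/24
  PASSWORD_LIFE_TIME       90
  PASSWORD_GRACE_TIME      7
  PASSWORD_REUSE_TIME      365
  PASSWORD_REUSE_MAX       10
  PASSWORD_VERIFY_FUNCTION ora12c_verify_function
  IDLE_TIME                30;

-- 5. Assign it, and tighten DEFAULT so newly created users cannot escape the policy.
ALTER USER app_user PROFILE hardened_profile;
ALTER PROFILE default LIMIT
  FAILED_LOGIN_ATTEMPTS    5
  PASSWORD_LIFE_TIME       90
  PASSWORD_VERIFY_FUNCTION ora12c_verify_function;

-- 6. Replace a default or weak password; double quotes keep the case and symbols.
ALTER USER app_user IDENTIFIED BY "Correct-Horse-Battery-Staple-42";

-- 7. Verify: open accounts whose profile still has no verify function.
SELECT u.username, u.profile
  FROM dba_users    u
  JOIN dba_profiles p ON p.profile = u.profile
 WHERE p.resource_name = 'PASSWORD_VERIFY_FUNCTION'
   AND p.limit IN ('NULL', 'DEFAULT')
   AND u.account_status = 'OPEN'
 ORDER BY u.username;
```

Two practical caveats: changing the DEFAULT profile affects every account that has not been given another profile, including application service accounts, so check the step 7 output before and after; and a PASSWORD_LIFE_TIME on a service account will eventually expire its password and take the application down unless the rotation is automated, which is why such accounts usually get their own profile.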
Controlling access based on job roles
It is easier to grant carte blanche access to every user than to assign and manage permissions by job role. However, nothing worth doing was ever easy, and taking the trouble to grant only the access employees need for their job tasks actually simplifies security administration over time: a role is granted and revoked as one unit, instead of object by object for each person.
Consider the following steps for better access controls:
- Start with the roles and permissions of the organization’s own IT personnel. Whoever administers the access controls holds the keys to the kingdom and can do extreme damage, so those accounts deserve the closest scrutiny.
- Inventory the privileged accounts (holders of the DBA role, administrative privileges such as SYSDBA, and broad system privileges granted directly to users) and remove those that are redundant or unnecessary.
- Revoke privileged access, and lock or drop the account, as soon as an employee leaves the organization.
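The Oracle SQL below is an added example, not code from the original article, that walks through the three access-control steps as one procedure: build roles around job functions, grant the role rather than the objects, inventory who holds the keys to the kingdom, and revoke on departure. The schema, role and user names (BILLING, CLAIMS_RO, ORDER_ENTRY, JSMITH) are hypothetical; the data-dictionary views are standard.

```sql
-- Added example (not from the original article). Run as a DBA on Oracle 12c or later.
-- Hypothetical names: BILLING schema, CLAIMS_RO and ORDER_ENTRY roles, user JSMITH.

-- 1. Roles model job functions, not people.
CREATE ROLE claims_ro;
GRANT SELECT ON billing.claims       TO claims_ro;
GRANT SELECT ON billing.claim_status TO claims_ro;

CREATE ROLE order_entry;
GRANT SELECT, INSERT, UPDATE ON billing.orders TO order_entry;
GRANT EXECUTE ON billing.pkg_order_api         TO order_entry;

-- 2. Users get CREATE SESSION plus their roles, never DBA or ANY privileges.
GRANT CREATE SESSION TO jsmith;
GRANT claims_ro, order_entry TO jsmith;

-- 3. Inventory the privileged accounts.
-- 3a. Who holds the DBA role, and who can pass it on (ADMIN_OPTION)?
SELECT grantee, admin_option
  FROM dba_role_privs
 WHERE granted_role = 'DBA'
 ORDER BY grantee;

-- 3b. Administrative privileges (SYSDBA and friends) are in the password file, not in roles.
SELECT username, sysdba, sysoper, sysbackup
  FROM v$pwfile_users;

-- 3c. Broad system privileges granted directly to non-Oracle-maintained users.
SELECT grantee, privilege, admin_option
  FROM dba_sys_privs
 WHERE (privilege LIKE '%ANY%'
        OR privilege IN ('ALTER USER', 'BECOME USER', 'EXEMPT ACCESS POLICY'))
   AND grantee IN (SELECT username FROM dba_users WHERE oracle_maintained = 'N')
 ORDER BY grantee, privilege;

-- 3d. Who can grant roles to other people?
SELECT grantee, granted_role
  FROM dba_role_privs
 WHERE admin_option = 'YES'
 ORDER BY grantee;

-- 4. Offboarding: revoke, lock, and drop only after the schema has been reviewed.
REVOKE claims_ro, order_entry FROM jsmith;
ALTER USER jsmith ACCOUNT LOCK;
-- DROP USER jsmith;   -- after confirming no objects or scheduler jobs belong to the account
```

Queries 3a to 3d are the ones worth scheduling: run them on a cadence, diff the output against the last run, and treat any new row as a change that needs an owner and a ticket.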
Establishing an ongoing auditing policy
Oracle database auditing is the equivalent of regular security patrols in a warehouse of valuable material. Audit records serve as early warning of potential attacks, and they need to produce reports tailored to the organization’s specific needs. Oracle provides built-in auditing at several levels: unified audit policies that record privileged actions, logons and access to chosen objects, and fine-grained auditing that records only the statements touching particular columns, which is how especially sensitive personal and financial information can be watched without drowning the trail in noise.
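As an added example, not code from the original article, the following Oracle SQL sets up the two levels of auditing just described and the early-warning query that turns the trail into a report: a unified audit policy for privileged actions and logons, the Oracle-supplied ORA_LOGON_FAILURES policy for failed logons, object auditing on a sensitive table, and a fine-grained audit policy limited to one column. It assumes pure Unified Auditing (Oracle 12c or later); the policy, schema, table and column names (SEC_PRIV_ACTIONS, HR_SSN_ACCESS, FGA_EMP_SSN, HR.EMPLOYEES.SSN, APP_USER) are hypothetical.

```sql
-- Added example (not from the original article). Run as a DBA with AUDIT_ADMIN.
-- Hypothetical names: SEC_PRIV_ACTIONS, HR_SSN_ACCESS, FGA_EMP_SSN, HR.EMPLOYEES, APP_USER.

-- 0. Confirm pure Unified Auditing is in effect (TRUE); otherwise the database is
--    in mixed mode and the legacy AUDIT_TRAIL parameter still matters.
SELECT value FROM v$option WHERE parameter = 'Unified Auditing';

-- 1. Privileged and schema-changing actions by anyone, plus every logon and logoff.
CREATE AUDIT POLICY sec_priv_actions
  PRIVILEGES CREATE USER, ALTER USER, DROP USER, GRANT ANY PRIVILEGE, GRANT ANY ROLE
  ACTIONS    CREATE ROLE, DROP ROLE, ALTER SYSTEM, ALTER PROFILE, LOGON, LOGOFF;
AUDIT POLICY sec_priv_actions;

-- 2. Failed logons, using the policy Oracle ships.
AUDIT POLICY ora_logon_failures WHENEVER NOT SUCCESSFUL;

-- 3. Object-level auditing of a sensitive table for everyone except the application account.
CREATE AUDIT POLICY hr_ssn_access
  ACTIONS SELECT ON hr.employees, UPDATE ON hr.employees, DELETE ON hr.employees;
AUDIT POLICY hr_ssn_access EXCEPT app_user;

-- 4. Fine-grained auditing: record only statements that touch the SSN column,
--    with SQL text and bind values.
BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema   => 'HR',
    object_name     => 'EMPLOYEES',
    policy_name     => 'FGA_EMP_SSN',
    audit_column    => 'SSN',
    audit_condition => NULL,                 -- every access, not a row subset
    statement_types => 'SELECT,UPDATE',
    audit_trail     => DBMS_FGA.DB + DBMS_FGA.EXTENDED);
END;
/

-- 5. The early-warning report: last 24 hours of failures, privileged actions
--    and SSN access, newest first.
SELECT event_timestamp, dbusername, os_username, userhost, action_name,
       object_schema, object_name, return_code, sql_text
  FROM unified_audit_trail
 WHERE event_timestamp > SYSTIMESTAMP - INTERVAL '1' DAY
   AND (return_code <> 0                                   -- e.g. ORA-01017 bad password
        OR unified_audit_policies LIKE '%SEC_PRIV_ACTIONS%'
        OR fga_policy_name = 'FGA_EMP_SSN')
 ORDER BY event_timestamp DESC;
```

Two things to check after enabling this: that the unified audit trail is being flushed and purged on a schedule (DBMS_AUDIT_MGMT), since an unbounded trail in the SYSAUX tablespace is its own availability problem, and that the report in step 5 is shipped to a system outside the database, because an attacker with DBA privileges can otherwise tidy up after themselves.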
Other proactive security assessments include:
- an annual, high-level review and analysis of all Oracle database security components–user accounts, password policies, etc.
- a comparison of the organization’s security configuration with Oracle’s recommended best practices
- an analysis of the organization’s current environment, using the Center for Internet Security Benchmarks
Securing database information in the face of constant and, unfortunately, sometimes successful attacks against electronic information is a problem faced by organizations everywhere. Oracle database products provide the first line of defense with features that, when used appropriately, can keep your data safe.
However, a proprietary database can be a garden that must be constantly weeded to remove obsolete accounts, privileges and passwords. At the working level, access authorization must match the job role, and go no higher or wider. Finally, the old military saying that “the troops perform best what you personally monitor” applies to why a database needs constant auditing.
Read more about securing your Oracle database in this online Oracle Technical Primer.
A word from our Sponsor
Spade Technology is the trusted choice when it comes to staying ahead of the latest information technology tips, tricks, and news. Contact us at (508) 339-5163 or send us an email at firstname.lastname@example.org for more information.