Posted by: Shayna Garlick
When you think about security, is protecting the privacy of your customers and the security of your data at the top of your list of concerns?
You might be quick to answer yes, but CTO Ron Ben Natan said in his session at the Collaborate ’10 conference on Monday that for most people, compliance is usually the bigger worry — not whether your data is protected, but whether or not you’re going to pass your audit.
But to stay compliant, one must understand the many aspects of Oracle 10g and 11g security, a topic which Ben Natan of Guardium discussed with the approximately 20 people in attendance. He talked about the long process of securing your Oracle data — including hardening, assessing, classifying, monitoring, auditing, enforcing and encrypting — and offered tips for making it through each of these steps successfully.
This process is different for Oracle databases compared to Oracle applications, Ben Natan said. He pointed out that it’s much more difficult to know all of the user privileges and entitlements in an Oracle database environment, thus making the database more vulnerable to breaches involving the “unknown factor.”
What’s the “unknown factor”?
According to Ben Natan, nine out of 10 breaches involve:
- A system unknown to the organization
- A system storing data that the organization did not know existed
- A system that had unknown network connections
- A system that had unknown accounts or privileges
Oracle also has a highly complex privilege model, he said. Privileges grant users the right to run a specific type of SQL statement or to perform certain database operations. These privileges are grouped into user roles, and the high number of roles Oracle has can make it difficult to keep track. However, Oracle 11g only has 30 roles, compared to the 120 that were in 10g.
But some of these privileges, especially system privileges, of which Oracle has over 100, are very risky. Nearly any system privilege can be used by an attacker to assume DBA privileges, Ben Natan said. Oracle even notes this in its own documentation:
“System privileges can be very powerful, and should be granted only when necessary to roles and trusted users of the database.”
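One way to make the “unknown accounts or privileges” problem and the system-privilege risk described above concrete is to enumerate which accounts actually end up holding high-risk system privileges, following grants through nested roles. The query below is an added example for this post, not code from the session or from Guardium; it assumes an Oracle 10g/11g database and SELECT access to the DBA_* views (for example via SELECT_CATALOG_ROLE), and the list of privileges it flags is a starting point you would adjust to your own review.

```sql
-- Added example: which users effectively hold risky system privileges?
-- Assumes SELECT on DBA_USERS, DBA_ROLE_PRIVS and DBA_SYS_PRIVS.
WITH grantee_roles AS (
  -- Every (holder, role) pair, following role-to-role grants transitively.
  -- CONNECT BY with no START WITH treats every grant as a starting point.
  SELECT DISTINCT CONNECT_BY_ROOT grantee AS holder,
                  granted_role           AS role_name
  FROM   dba_role_privs
  CONNECT BY NOCYCLE PRIOR granted_role = grantee
),
effective_sys_privs AS (
  -- System privileges granted directly to the account.
  SELECT grantee AS holder, privilege, 'DIRECT' AS via, admin_option
  FROM   dba_sys_privs
  UNION ALL
  -- System privileges inherited through a role, possibly several levels deep.
  SELECT gr.holder, p.privilege, gr.role_name AS via, p.admin_option
  FROM   grantee_roles gr
  JOIN   dba_sys_privs p ON p.grantee = gr.role_name
)
SELECT u.username,
       u.account_status,      -- flags OPEN accounts nobody remembers creating
       e.privilege,
       e.via,                 -- 'DIRECT' or the role that carried the grant
       e.admin_option         -- 'YES' means the holder can pass it on
FROM   dba_users u
JOIN   effective_sys_privs e ON e.holder = u.username
WHERE  u.username NOT IN ('SYS', 'SYSTEM')
AND   (   e.privilege LIKE '%ANY%'         -- CREATE/ALTER/SELECT ANY ... family
       OR e.privilege IN ('ALTER SYSTEM', 'ALTER USER', 'BECOME USER',
                          'GRANT ANY PRIVILEGE', 'GRANT ANY ROLE',
                          'EXEMPT ACCESS POLICY'))
ORDER BY u.username, e.privilege, e.via;
```

Rows whose via column is a role you did not expect, or whose account_status is OPEN for a user nobody can account for, are the “unknown factor” the session warns about; review them before the auditor does.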
What’s the best way to combat such vulnerabilities?
Ben Natan stressed the importance of installing Oracle’s quarterly Critical Patch Updates, a practice that not everyone agrees is as critical as Oracle claims. However, he said that “the only way to address vulnerability is to apply these patches,” even for simple attacks such as password breaches, which make up the majority of security attacks.
Still, the security decisions you make depend on many unique factors within your organization. Where do your security priorities lie? How do you assign roles and privileges in your company? What are your own experiences with applying Oracle’s patch updates?