Dear Readers,
My name is Franz Devantier, creator of this blog. I am an Oracle Certified Professional (OCP DBA 11g) Security DBA. I will be sharing with you the basic duties of an Oracle DBA, and also some of the undocumented and not so well-known tasks.
Security, Requirements, Threats, and Concepts - Part 1
Database security requirements arise from the need to protect data. Data can be corrupted or lost in many different ways, sometimes accidentally and sometimes deliberately.
A further concern is availability: delays in accessing the data that could have been avoided, which in the worst case leave the end users suffering a denial of service. The costs of such security breaches are estimated to run into billions of US dollars a year, and for an individual company the consequences can be far-reaching, in some cases ending with the company closing down and going into liquidation.
Security requirements remain dynamic. New technologies continually emerge, and new practices open new avenues for accidental or malicious abuse of a company's sensitive data. Even stable and seemingly secure products and environments can fall prey because of new technology layered around them. Security is a real concern in today's global village, for both new and existing database installations.
As we come to understand the security requirements better, we are in a better position to apply security principles to the threats around us, and to develop solutions that counter the many avenues of attack, including traditional, e-mail, and internet-borne ones.
The security solutions we apply differ in effectiveness depending on how relevant they are to the specific environment and how well they fit it. Security measures have an impact on hardware, software, efficiency, responsiveness, human resources, and general management and maintenance costs. A security solution should always be designed to be cost-effective, manageable, and scalable through the projected life-span of the application or installation.
The basic points to protect in a database environment are connections to the server and to a schema; access to tables holding potentially sensitive data; and alteration of table structures and table data. Most of this access comes through an application, so the application itself must be secured. Highly privileged administrators, who have access to all of the sensitive data in a database, can themselves present a security problem to the enterprise or organization: data, and the functional and structural definitions in the database, can be altered accidentally or maliciously by database administrators, application programmers, or power users. Direct access from the internet to the database should be locked down, so that the only route to the data is through a controlled medium such as a web-based application. When the internet is taken into consideration, additional security is needed to prevent breaches.
Figure: possible security configuration to accommodate internet access to company data.
Notice that internet access comes from the other side of a firewall. Once through the firewall, a request from the internet reaches the web server. Placing the database behind a second firewall provides a further level of security. People on the inside who access things on the intranet may also pose a security threat, so there must also be measures in place to protect against breaches from within the organization.
You can create additional security measures by dividing different areas and users into categories. Each category can then have a security plan or profile applied to it for protection.
Security Categories (each category, followed by the security issues it covers)

Physical
Computers must be made physically inaccessible to unauthorized users by keeping them in a secure physical environment.

Personnel
The people responsible for the physical security, system administration, and data security of the site must be reliable. Performing background checks on DBAs before making hiring decisions is a wise protective measure. Certain DBA consulting companies have suggested a military-type security clearance before employment as a DBA.

Procedural
The procedures and policies used in the operation of your system must assure reliable data. It is often wise to separate users' functional roles in data management. For example, one person can be responsible for database backups; her only role is to be sure the database is up and running. Another person can be responsible for generating application reports involving payroll or sales data; his role is to examine the data and verify its integrity. Further, you can establish policies that protect tables and schemas against unauthorized, accidental, or malicious usage.

Technical
Storage, access, manipulation, and transmission of data must be safeguarded by technology that enforces your particular information control policies.
When you think carefully about security risks, the solutions you adopt will apply well to the actual situation you are addressing. Not all security problems have a technical fix. For example, employees must occasionally leave their desks unattended. Depending on the sensitivity of their work and on your required level of security, your security procedures could require them to do any of the following:
· Have another person cover for them while they're away
· Clear the desk surface, locking all sensitive materials away, before leaving
· Lock their doors, if they have private offices
· Explicitly lock their computer screens before leaving the desk
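The Procedural and Technical categories above come down to separating duties and granting each account only what its role needs. The script below is an added example, written for this post and not taken from the original, of how that looks in an Oracle 11g database: a locked data-owning schema, a read-only reporting role, an application account that can only call a PL/SQL API, and an audit trail over the privileged administrators the text warns about. The schema HR, table HR.PAYROLL, role PAYROLL_REPORT_ROLE, users RPT_JONES and APP_WEB, and the placeholder passwords are all assumptions made for this example.

```sql
-- Added example, not code from the original post: separation of duties and
-- least privilege in an Oracle 11g database. All names (schema HR, table
-- HR.PAYROLL, role PAYROLL_REPORT_ROLE, users RPT_JONES and APP_WEB) and the
-- placeholder passwords are assumptions made for this example. Run as a DBA.

-- Audit records go to the database audit trail (takes effect after restart).
ALTER SYSTEM SET audit_trail = DB SCOPE = SPFILE;

-- 1. The data-owning schema. Nobody logs in as HR: the account is locked and
--    exists only to own the tables and the PL/SQL API.
CREATE USER hr IDENTIFIED BY "Placeholder-Owner-1"
  DEFAULT TABLESPACE users QUOTA UNLIMITED ON users
  ACCOUNT LOCK;
GRANT CREATE TABLE, CREATE PROCEDURE TO hr;

CREATE TABLE hr.payroll (
  emp_id    NUMBER        PRIMARY KEY,
  emp_name  VARCHAR2(100) NOT NULL,
  salary    NUMBER(12,2)  NOT NULL
);

-- 2. Report writer: SELECT only, through a role, so he can examine the data
--    and verify its integrity but cannot change it.
CREATE ROLE payroll_report_role;
GRANT SELECT ON hr.payroll TO payroll_report_role;

CREATE USER rpt_jones IDENTIFIED BY "Placeholder-Report-1" PASSWORD EXPIRE;
GRANT CREATE SESSION TO rpt_jones;
GRANT payroll_report_role TO rpt_jones;

-- 3. Web application account: EXECUTE on a definer's-rights PL/SQL API and no
--    table privileges at all, so a compromised web tier can do nothing the
--    API does not expose. The business rule is enforced in the database.
CREATE OR REPLACE PROCEDURE hr.raise_salary (
  p_emp_id IN NUMBER,
  p_pct    IN NUMBER
) AS
BEGIN
  IF p_pct < 0 OR p_pct > 10 THEN
    RAISE_APPLICATION_ERROR(-20001, 'raise must be between 0 and 10 percent');
  END IF;
  UPDATE hr.payroll
     SET salary = salary * (1 + p_pct / 100)
   WHERE emp_id = p_emp_id;
END raise_salary;
/

CREATE USER app_web IDENTIFIED BY "Placeholder-App-1";
GRANT CREATE SESSION TO app_web;
GRANT EXECUTE ON hr.raise_salary TO app_web;

-- 4. The privileged administrators themselves. In 11g, RMAN backups still
--    need SYSDBA, so the separation is procedural (a dedicated OS account for
--    the backup operator) plus a record of what SYS-level sessions and DDL
--    against the payroll table actually did.
ALTER SYSTEM SET audit_sys_operations = TRUE SCOPE = SPFILE;
AUDIT SELECT, INSERT, UPDATE, DELETE ON hr.payroll BY ACCESS;
AUDIT ALTER TABLE BY ACCESS;
AUDIT GRANT ANY PRIVILEGE, DROP ANY TABLE BY ACCESS;

-- 5. Check the result: who can touch anything in HR, and how. Expect
--    PAYROLL_REPORT_ROLE/SELECT on PAYROLL and APP_WEB/EXECUTE on RAISE_SALARY,
--    and nothing else.
SELECT grantee, table_name, privilege
  FROM dba_tab_privs
 WHERE owner = 'HR'
 ORDER BY table_name, grantee;
```

The point of step 3 is that the web application's credential, which sits on the internet-facing side of the architecture described earlier, is worth very little to an attacker: it cannot read the payroll table, let alone alter it. Step 4 is the compensating control for the administrators that no privilege model can constrain; the audit trail does not stop them, but it makes their actions attributable.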
No technical solution can fix a physically insecure work environment or a corrupt or disaffected employee. Procedural and technical protection can, however, limit the damage that a physical breach or a disgruntled employee (or an ex-employee) can inflict. Logon credentials of ex-employees must also be managed, especially where VPN access is concerned. Credentials that remain valid on the systems after someone has left are an easy way in for hackers: should the ex-employee fall prey to hacking, the attacker inherits access to the most sensitive of data.
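The database side of that leaver problem, as an added example written for this post rather than taken from the original: a password profile that limits what a stolen or guessed credential is worth, the lock-and-expire steps for a departing user, and the queries a security DBA runs to find the accounts nobody told them about. The profile name CORP_USER_PROFILE, the user RPT_JONES, and the 90-day thresholds are assumptions made for this example; the VPN, directory, and OS accounts the text mentions have to be disabled separately, since this script cannot reach them.

```sql
-- Added example, not code from the original post: handling leavers and stale
-- accounts in Oracle 11g. The profile and user names (CORP_USER_PROFILE,
-- RPT_JONES) and the 90-day thresholds are assumptions for this example.
-- Run as a DBA. VPN, directory and OS credentials must be revoked separately.

-- 1. A password profile that limits what stolen or guessed credentials are
--    worth: lockout on brute force, forced rotation, no reuse, and the
--    complexity rules installed by ?/rdbms/admin/utlpwdmg.sql.
CREATE PROFILE corp_user_profile LIMIT
  FAILED_LOGIN_ATTEMPTS    5
  PASSWORD_LOCK_TIME       1/24          -- one hour, expressed in days
  PASSWORD_LIFE_TIME       90            -- days before a password must change
  PASSWORD_GRACE_TIME      7
  PASSWORD_REUSE_TIME      365
  PASSWORD_REUSE_MAX       10
  PASSWORD_VERIFY_FUNCTION verify_function_11g
  IDLE_TIME                30;           -- minutes; only enforced when RESOURCE_LIMIT=TRUE

ALTER SYSTEM SET resource_limit = TRUE;
ALTER USER rpt_jones PROFILE corp_user_profile;

-- 2. Leaver: lock and expire rather than drop, so audit records keep their
--    attribution and any objects the user owns survive, then terminate any
--    session still open under the account (a lock does not end live sessions).
ALTER USER rpt_jones ACCOUNT LOCK PASSWORD EXPIRE;

BEGIN
  FOR s IN (SELECT sid, serial# FROM v$session WHERE username = 'RPT_JONES') LOOP
    EXECUTE IMMEDIATE 'ALTER SYSTEM KILL SESSION '''
                      || s.sid || ',' || s.serial# || ''' IMMEDIATE';
  END LOOP;
END;
/

-- 3. Find the accounts HR forgot to mention. With AUDIT_TRAIL=DB and logon
--    auditing on, list open accounts that have not logged on successfully in
--    90 days, or have never logged on at all.
AUDIT SESSION;

SELECT u.username,
       u.account_status,
       u.created,
       MAX(a.timestamp) AS last_logon
  FROM dba_users u
  LEFT JOIN dba_audit_session a
         ON a.username    = u.username
        AND a.action_name = 'LOGON'
        AND a.returncode  = 0
 WHERE u.account_status = 'OPEN'
   AND u.username NOT IN ('SYS', 'SYSTEM')
 GROUP BY u.username, u.account_status, u.created
HAVING MAX(a.timestamp) IS NULL
    OR MAX(a.timestamp) < SYSDATE - 90
 ORDER BY last_logon NULLS FIRST;

-- 4. Two more lists to review on the same schedule: accounts still on a
--    vendor default password, and accounts holding the DBA role.
SELECT username FROM dba_users_with_defpwd ORDER BY username;

SELECT grantee FROM dba_role_privs WHERE granted_role = 'DBA' ORDER BY grantee;
```

Locking instead of dropping is deliberate: a dropped account disappears from DBA_USERS, which makes later forensic work harder and silently drops any objects the user owned. The stale-account query only works once logon auditing has been running for longer than the threshold, so accounts created before that will show as never logged on until the audit trail catches up.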
Franz Devantier,
Need a database health check, or a security audit?
devantierf@gmail.com