You Need More than a Firewall to Protect Your Oracle DatabasesFeb 19, 2015 / Posted By:Robert Buda
Unless you’ve been in suspended animation for the past few years, you know that major government agencies and global enterprises are hacked with numbing regularity despite their best efforts to defend themselves. Whether from nation states, cybercriminals or disgruntled staff, your Oracle databases are vulnerable to similar attack.
In most organizations, two-thirds of sensitive and regulated data resides in databases. Those databases represent your organization’s “crown jewels,” yet they may as exposed as if they were left on a shelf for anyone “passing by” (inside your firewall) to read, change or delete.
If you think the perimeter defenses securing your network, IT systems and endpoints are enough—think again. You need a multilayered security strategy that includes specific protection for your sensitive data. Otherwise it’s only a matter of time before it is compromised.
Hackers can steal passwords and pose as administrators, or exploit legitimate data access via SQL injection attacks on vulnerable applications, to cite but two examples of how breaches are routinely accomplished. According to Verizon’s 2014 Data Breach Investigations Report, databases are frequently targeted in many types of attack patterns. Further, when databases are breached a significant percentage of records tend to be compromised.
A database security strategy is a plan to mitigate risk to your data. It should define and identify security objectives and controls to meet those objectives, as well as metrics to test and manage the controls. By thinking in terms of risk—how much exists and how much you can tolerate—you can proactively address the biggest issues first and minimize risk exposure given the resources available. Remember, the cost of risk mitigation is almost always a drop in the bucket compared with the cost of a breach.
How best to protect your Oracle databases? Here is an overview the top approaches:
- Data segmentation. Keep high-value data separate from less sensitive data, so you can prioritize managing the risk to it and put the protection where it will do the most good. SMBs are notoriously neglectful of this critical strategy.
- Database encryption. Encryption (combined with effective key management) make it much difficult for attackers to exploit ill-gotten access to your data.
- Control configurations. This one is easy! First, make sure you’re not using default admin passwords (which is incredibly common). Second, eliminate test databases from production database servers.
- Patch management. Exploitation of well-known vulnerabilities in database software is a major way that hackers steal data. Vulnerability scanning is an excellent way to plug those holes.
- Identity management. Role-based access controls and account revocation are first steps in making sure that only those who currently need access to your data can get it.
- Security-conscious web application development. Blocking SQL injection vulnerabilities in your web apps will greatly reduce the risk of Oracle database breaches.
Because many IT security professionals aren’t well versed in Oracle database security issues, this tasks often falls on DBAs—who frequently don’t know much about it, either.
How vulnerable are your Oracle databases? Are you facing more risk than you know? A database security assessment is a worthwhile and cost-effective way to review your database security policies, audit and report on vulnerabilities, and get started with a plan to mitigate the key vulnerabilities.
To talk over how a database security assessment could help your organization reduce financial and reputational risk by protecting your Oracle databases, contact Buda Consulting.