by Robert Buda | Mar 3, 2020 | Best Practices, Database Security, Oracle DBA
Managed Health Systems of Indiana patient health information, July-September, 2019; Microsoft customer service and support records, January 22, 2020; Wyze email addresses, December 30, 2019; Georgia Tech student data, March 2019.
What do all of these breaches have in common? The data that was stolen was inside a database.
Yet when most companies think about data security, they still focus on securing the network, and spend very little time and energy making sure the databases—where the data actually lives—are safe.
When was the last time you had a network security assessment done? If yours is like most companies, it was pretty recently… and that’s good.
But when was the last time you had a database security assessment done? If yours is like many companies, the answer is “Never.”
Even if your network security posture is robust, it is only a matter of time before your network is breached. And don’t forget about “insider threats,” both malicious and accidental. It is best to add another layer of protection between the bad actors and your data.
Make sure that when cybercriminals do get past your network protections, your database will keep them out.
Download our Database Security Roadmap get valuable insights into create an in-depth defensive posture to protect your data.
by Robert Buda | Feb 19, 2020 | Best Practices, Database Patch News, database patching, Database Security, Oracle, SQL Server
Welcome to Database Patch News, Buda Consulting’s monthly newsletter of current patch information for Oracle and Microsoft SQL Server. Here you’ll find information on available patches—including security patches—and desupported versions made available during the past month.
Why should you care about patching vulnerabilities and bugs? Two big reasons:
- Unpatched systems are a top cyber attack target. Patch releases literally advertise vulnerabilities to the hacker community. The longer you wait to patch, the greater your security risk.
- Along with running a supported database version, applying the latest patches ensures that you can get support from the vendor in case of an issue. Patching also helps eliminate downtime and lost productivity associated with bugs.
Here are the latest patch updates for Oracle and SQL Server:Oracle Patches:
19c
DATABASE RELEASE UPDATE 18.9.0.0.0.200114
OJVM RELEASE UPDATE 18.9.0.0.0.200114
18c
DATABASE RELEASE UPDATE 19.6.0.0.0.200114
OJVM RELEASE UPDATE 19.6.0.0.0.200114
12cR2
DATABASE RELEASE UPDATE 12.2.0.1.200114
OJVM RELEASE UPDATE 12.2.0.1.200114
Regular support ends Mar 2023 and extended support ends Mar 2026
12cR1
DATABASE PATCH SET UPDATE 12.1.0.2.200114
(Extended Support Contract Required)
OJVM PATCH SET UPDATE 12.1.0.2.200114
(Extended Support Contract Required)
The last freely available patch was July 2019 for 12.1.0.2. The Oct 15 2019 Patch Set Update (PSU) is available but may require an extended support purchase to access it. Patches will be released until July 2021 for this version. PSU 12.1.0.2.191015 is available.
11gR4
DATABASE PATCH SET UPDATE 11.2.0.4.200114
(Extended Support Contract Required)
OJVM PATCH SET UPDATE 11.2.0.4.200114
(Extended Support Contract Required)
The last freely available patch was October 2018 for 11.2.0.4. PSU 11.2.0.4.191015 is available but may require clients to purchase extended support to access it.
Oracle Engineered Systems
Oracle Exadata System Software for 18.1.24, 19.2.10 & 19.3.4
Oracle Exadata QFSDP for Jan 2020
Oracle SuperCluster QFSDP for Jan 2020
SQL Server Patches:
SQL Server 2019 – Cumulative Update 1 released on 01/07/2019
SQL Server 2017 – Cumulative Update 18 released on 12/09/2019
SQL Server 2016 Service Pack 2 – Cumulative Update 11 released on 12/09/2019
SQL Server 2016 Service Pack 1 – Cumulative Update 15 released on 07/09/2019
SQL Server 2014 Service Pack 3 – Cumulative Update 4 released on 07/29/2019
SQL Server 2014 Service Pack 2 – Cumulative Update 18 released on 07/29/2019
by Robert Buda | Jan 31, 2020 | Best Practices, Cloud, Database Security, Uncategorized
In response to the recent Capital One data breach, where a hacker exploited a misconfigured open-source Web Application Firewall hosted within Amazon Web Services (AWS), the Amazon CTO reminded customers that they must secure their own data when housed on AWS infrastructure.
This seems obvious, but it is a very important point.
When you move your data into AWS or any cloud provider, because it is not in our your data centers, and because you often no longer employ full-time people to manage the server hardware and software that house that data, you might get the feeling that someone else is managing our data just as carefully as our own staff once did.
That may be true for some dimensions of data management. For example, the cloud provider is responsible for making sure that the hardware stays up and running. Likewise, when you use software as a service (SaaS) or platform as a service (PaaS), the service provider is responsible for making sure that the application software and/or operating system stays up and running. In the case of infrastructure as a service (IaaS) offerings, the customer is still responsible for the latter two functions.
But in all the above cases, the customer is ultimately responsible for the security of their own data. The AWS security documentation describes it this way:
-
- Security of the cloud – AWS is responsible for protecting the infrastructure that runs AWS services in the AWS Cloud. AWS also provides you with services that you can use securely. Third-party auditors regularly test and verify the effectiveness of our security as part of the AWS Compliance Programs. To learn about the compliance programs that apply to Amazon EC2, see AWS Services in Scope by Compliance Program.
- Security in the cloud – Your responsibility is determined by the AWS service that you use. You are also responsible for other factors including the sensitivity of your data, your company’s requirements, and applicable laws and regulations.
The key takeaway is that if you have your data in any cloud service, you must be as rigorous in securing that data as if it were in your own data center—and in some cases even more so.
Following are some key things to think about when moving your data into the cloud. These are the same considerations you need to focus on when keeping your data in-house. Some of these concerns only apply to IaaS in the cloud, while others are relevant to all cloud service scenarios.
-
- Is the underlying storage configured properly so that only the database software, application software and authorized users can access it?
- Is the data encrypted both at rest and in transit?
- Is proper authentication in place for the application or database, to ensure that only proper users can gain access to the system?
- Is proper authorization in place for the application or database, such that data is exposed only to the proper users?
- Is the network configured properly to reduce the surface area vulnerable to attack?
These considerations are not new. In fact, our Database Security Roadmap, initially created primarily with on-premises systems in mind, is still completely relevant with cloud technology.
Download the roadmap to make sure you have all the bases covered.
by Robert Buda | Dec 4, 2019 | Best Practices, Oracle DBA, Uncategorized
When working with customers, we face many situations that might result in conflict. This is bad for obvious reasons. As service providers, conflict keeps us from providing outstanding value to our customers. It hurts our relationship and reduces the chance that they will continue to use our services.
Customers are at different technical levels and have different “personal styles.” Some are very technical and want to be part of designing the solution. Others won’t want to know any details and just want something that works at the end. Until we get to know the customer well, the potential for conflict is higher for reasons like these.
I have certainly not mastered the art of avoiding all conflict with every customer. But I continue to strive to improve. This post describes two kinds of situations where conflict is likely to occur if we don’t handle things well, along with some thoughts about how to avoid conflict in these and other instances.
The customer is always right!
Of course, we know that the customer is not literally always right. We also know (or had better know) that we are not always right, either.
But even though the customer is not always right, we must always respect them as if they are right. Why? Because it is the right way to treat people, and because they pay us. They are the reason we are in business.
We have all had times when a customer wanted us to do something that we felt was not in their best interest, was not efficient, or was just plain wrong.
So how do we handle it when we think our client is wrong? Below are some basic “rules of conduct” for reaching agreement. It’s good practice to follow these in order. Hopefully this will lead to building great relationships with our clients and avoiding conflicts.
-
- Listen completely to what the customers says, so we fully understand what they mean. This means not interrupting them before they have finished their thought. This takes patience. Often, if we let them talk through an issue long enough, they will come to the same conclusion we would have, and we have just avoided a conflict. Likewise, we may come to understand their position better and we will agree with them; and again, we have avoided a conflict.
- If after careful listening there is still not agreement, asking questions may help both parties see aspects of the issue that the other does not see. Try to use probing questions, not leading questions. Our frame of mind should be “How can they convince me that they are right?” Not “How can I convince them that I am right?” In other words, assume they are right, and help them prove it. I am not suggesting that you disregard your knowledge and expertise. But it’s important to acknowledge that you don’t know everything your customer knows. Challenge their position rigorously, but with an open mind.
- If there is still not agreement after they have expressed their entire thought and you have asked your questions and listened to the answers, try offering alternative approaches that may meet their objectives, but with methods that you think are more effective.
- If you and your customer still don’t agree after all that, then respectfully suggest that you table the issue and follow up via email with additional thoughts (in the same spirit of understanding that was described above).
If, after all your effort, you still think that what the customer is asking you to do is either not in their best interest or is ethically or legally wrong, then you may have to respectfully decline to provide the service they are asking for. I have done this and it’s not the end of the world.
Notice that nowhere did I recommend arguing with the client. Why? Because we never argue with the client. That is disrespectful. Oh, and they pay us.
This approach requires patience—but it’s worth it. Great communications allows us to add more value. Also they pay us, so they deserve it.
This approach might require that we answer the same question ten times. But that is also worth it, because great communications allows us to add more value, and because the client pays us.
This approach might also require that we ask the same question ten times or explain the same thing ten times. But it is worth it. Why? Because great communications allows us to add more value, and because they pay us.
The cranky customer
Right or wrong, the customer might get cranky with us from time to time. But it is worth it to endure this calmly and politely, because they pay us.
This does not mean accepting abuse. If a client is truly abusive, fire them. I’ve done that, and it’s not the end of the world. Service providers deserve and demand the same respect that they give to their customers.
But it does mean that we may have to accept expressions of frustration and even anger at times. When this happens, it is almost always due to problems with communication. And it is up to us to fix the communication problems. Why? Because they pay us.
Here are some simple steps to avoiding communication problems that lead to cranky customers:
-
- Over-communication: When giving an explanation, provide a littlemore information than you think is necessary, as long as that information is useful. If a customer tells you that you should provide less detail, then do so in future communications. It is better to be told you provide too much information than too little.
- Frequent communication: During the course of a project, particularly when a deliverable is expected soon, provide short, frequent status updates. The frequency depends on the length and urgency of the project. If the deliverable is due in one week and is urgent, then a daily email with a quick status can put a customer’s mind at ease. If it is a six-month project with ongoing deliverables, then a weekly recap may be enough.
- Set expectations with a communication rhythm: if you are in the middle of ongoing work with frequent deliverables, let the customer know that you will check Slack or email twice a day; for example, at 12 and 5. That way they won’t be disappointed or anxious if you don’t respond immediately to their 9:15 email asking for a status update. If you are on a longer-term project, let them know what days of the week you will provide status updates.
- Communicate problems or concerns immediately: If your project falls behind schedule, or runs into problems that are beyond your control, inform your customer immediately. This can be a difficult conversation to have, but the sooner they know about a blocking issue, the easier and less expensive it is to resolve it. And the moment you have the conversation, you will feel better!
- Be responsive: If your client asks you for something, either respond promptly with the answer, or acknowledge their request as soon as you see it and tell them when you will be able to get to it.
Here is the takeaway: the root of most conflict is misunderstanding, and the root of most misunderstanding is poor communication. As service providers, proper communications are our responsibility. It is part of our job.
We can build all the environments, databases and applications in the world. But if we don’t communicate well with our customers then we have not added the value that we should have.
To get maximum value from your Oracle database investments and clear communications from your service provider, contact Buda Consulting.
by Robert Buda | Nov 25, 2019 | Database Security, SQL Server
These days it’s only a matter of time before our firewalls or access controls are breached. Then what?
In a multi-tiered security strategy, data encryption is a critical next line of defense. Data encryption is also mandated by a number of widely applicable regulations, including PCI-DSS and GDPR.
Fortunately for SQL Server users, Microsoft has developed a range of capabilities that enable you to encrypt database files at rest, in transit, in backups, when being accessed and even “always.” This post will give you an overview the five types of encryption that SQL Server offers.
SSL Transport Encryption For Data In Transit
Similar to how web applications secure traffic between the server and the browser, you can configure SQL Server to use Secure Sockets Layer (SSL) to encrypt data in transit between the server and the client.
This capability is available across all supported versions and all editions of SQL Server. It’s a great way to thwart so-called “man in the middle”/proxy attacks because it makes network traffic almost impossible to read.
For more information, including how to install a certification a SQL Server to support SSL, see this Microsoft Support page.
Backup Encryption
SQL Server allows you to encrypt SQL backups at the whole file level. Available for both Standard and Enterprise editions in SQL Server 2014 and newer, this is a powerful security measure as it protects backups even at offsite locations.
This feature gives you a choice of encryption algorithms and can use either a certificate or asymmetric key. You can also use backup encryption and Transparent Data Encryption (TDE, see below) at the same time (but with separate certificates/keys).
For more information on implementing cell-level encryption, see this Microsoft Docs page.
Transparent Data Encryption (TDE)
Available since SQL Server 2008 for Enterprise editions only, TDE lets you encrypt SQL data “at rest” within the files on disk. This protects the physical media—including the entire database, log files and any backups or snapshots—from being read in the event of unauthorized access to the media. (Data in unencrypted files can be accessed simply by restoring the files to another server.)
TDE is “transparent” in the sense that no changes are required for client or server applications to use a TDE-encrypted database. When SQL Server mounts an encrypted data file, it uses a database encryption key (DEK) to decrypt the data during use and then re-encrypts it again before writing it back to the file. A limitation of this approach is that data encrypted with TDE is unencrypted and potentially vulnerable both in memory and over the network.
For more information on implementing TDE see this Microsoft Docs page.
Cell-Level Encryption
SQL Server’s Cell-Level Encryption lets you encrypt specific columns within a database that contain sensitive data; e.g., credit card numbers, social security numbers, passwords, etc. This feature is available in all SQL Server editions.
Unlike with TDE, when data encrypted with Cell-Level Encryption is selected in a query, it remains encrypted by default, even in memory. However, all it takes to decrypt it is a call to the decryptbykey function in the query. Further, the need to use a function call for decryption means code changes in existing applications and queries.
For more information on implementing cell-level encryption, see this Microsoft Docs page.
Always Encrypted
Always Encrypted is a new (since SQL Server 2016) way to do column-level encryption for client applications using up-to-date data libraries. Always Encrypted encrypts data transparently at the client via the data connection layer, with no code changes required (though it requires a driver on client systems).
Data thus secured remains encrypted in transit, in memory and at rest—making it the only option for securing data from misuse by even the most privileged SQL users, like sysadmins. This makes it a good choice for applications that require separation of data owners and managers.
However, since SQL Server isn’t doing the encrypting, many functions won’t work with this approach. In particular, you can’t sort, index, look for string fragments or do calculations on data that’s encrypted.
For more information on implementing cell-level encryption, see this Microsoft Docs page.
In Conclusion
Microsoft has a strong focus on security, and this is evident in the wide range of options available to SQL Server users. But every organization’s needs are different, and there is no one-size-fits-all approach to implementing SQL Server encryption. Your SQL Server version and licensing scenario, application requirements, business processes, performance needs, regulatory environment and security risk profile will all impact your path to implementing encryption.
For expert guidance on how best to implement encryption in your database environment, including help with configuration and key management, contact Buda Consulting.
