Securing your Oracle database means getting up close and personal with the data. That data runs the enterprise or forms its foundation, whether it is financial, personally identifiable, trade secrets or simply proprietary. There are also compliance requirements that definitely do not come with a get-out-of-jail-free card in case of a data breach.
Protection must cover both internal detection of misuse and defense against attack from a variety of outside threats. Oracle comes with a comprehensive array of security solutions and internal controls, but data managers need to be proactive and aware of the “triple-A” gatekeeping safeguards: authentication, access controls, and auditing.
Preventing authentication atrophy
Database managers need to recognize that default user accounts, passwords, and profiles can lead to complacency and pathways to data breaches. Do the following to keep database authentication measures strong:
Lock or delete all unused Oracle accounts.
Strengthen default user passwords with hard-to-crack complex character mixes and phrases.
Change default profiles to restrict usage to need-to-know.
Authentication measures also need to include a secure password policy for all users, application or non-application. The best resource for implementing a hardened password management policy is a Virtual Private Database. Also, see this publication by the Center for Internet Security for best practices in creating strong passwords.
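The authentication steps above, written out as Oracle SQL. This is an added example, not part of the original article; it enforces the password policy through Oracle profiles, and the account names SCOTT and APP_USER, the profile name APP_USER_PROFILE and every limit value are assumptions.

```sql
-- Added example (Oracle 12c or later). Names and limit values are assumptions.

-- 1. Accounts that can still log in: Oracle-supplied ones first,
--    then the ones that have gone longest without a login.
SELECT username, profile, oracle_maintained, last_login
FROM   dba_users
WHERE  account_status = 'OPEN'
ORDER  BY oracle_maintained DESC, last_login NULLS FIRST;

-- 2. Accounts that still have a well-known default password.
SELECT username
FROM   dba_users_with_defpwd
ORDER  BY username;

-- 3. Lock an unused account and expire its password.
--    SCOTT is a placeholder for an account found in steps 1 and 2.
ALTER USER scott PASSWORD EXPIRE ACCOUNT LOCK;

-- 4. Tighten the DEFAULT profile, which every user without an explicit
--    profile inherits. Time limits are in days. Service accounts on
--    DEFAULT will start expiring too, so move them to their own profile first.
ALTER PROFILE default LIMIT
  FAILED_LOGIN_ATTEMPTS 5
  PASSWORD_LOCK_TIME    1
  PASSWORD_LIFE_TIME    90
  PASSWORD_GRACE_TIME   7;

-- 5. Dedicated profile with complexity and reuse rules.
--    ora12c_verify_function is defined in Oracle's utlpwdmg.sql script
--    and must exist before this statement runs.
CREATE PROFILE app_user_profile LIMIT
  FAILED_LOGIN_ATTEMPTS    5
  PASSWORD_LOCK_TIME       1
  PASSWORD_LIFE_TIME       90
  PASSWORD_GRACE_TIME      7
  PASSWORD_REUSE_TIME      365
  PASSWORD_REUSE_MAX       10
  PASSWORD_VERIFY_FUNCTION ora12c_verify_function;

ALTER USER app_user PROFILE app_user_profile;

-- 6. Confirm the password limits now in force.
SELECT profile, resource_name, limit
FROM   dba_profiles
WHERE  resource_type = 'PASSWORD'
AND    profile IN ('DEFAULT', 'APP_USER_PROFILE')
ORDER  BY profile, resource_name;
```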
Controlling access based on job roles
It is easier to grant carte blanche access to every user than it is to assign and manage permissions based on job roles. However, nothing worth doing was ever easy. On the other hand, taking the trouble to grant only the access employees need to fulfill their job tasks actually simplifies security administration.
Consider the following steps for better access controls:
Focus on the roles and permissions of the organization’s IT personnel. If they administer the access controls, they have the keys to the kingdom and can do extreme damage.
Inventory the number of privileged accounts and delete those that are redundant and unnecessary.
Revoke or remove a privileged access account when an employee leaves the organization.
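An added example (not from the original article) of the privileged-account inventory and the leaver step, using Oracle's data dictionary views; the user JSMITH and the choice of which roles and privileges count as "privileged" are assumptions to adapt.

```sql
-- Added example (Oracle 12c or later). JSMITH is a placeholder user.

-- 1. Who holds the most powerful roles, and who can pass them on.
SELECT grantee, granted_role, admin_option
FROM   dba_role_privs
WHERE  granted_role IN ('DBA', 'IMP_FULL_DATABASE', 'EXP_FULL_DATABASE',
                        'DATAPUMP_IMP_FULL_DATABASE')
ORDER  BY granted_role, grantee;

-- 2. Powerful system privileges granted directly to non-Oracle accounts
--    instead of through a managed role.
SELECT p.grantee, p.privilege, p.admin_option
FROM   dba_sys_privs p
JOIN   dba_users u ON u.username = p.grantee
WHERE  u.oracle_maintained = 'N'
AND   (p.privilege LIKE '% ANY %'
       OR p.privilege IN ('ALTER USER', 'ALTER SYSTEM', 'BECOME USER'))
ORDER  BY p.grantee, p.privilege;

-- 3. Accounts in the password file with administrative connect privileges.
SELECT username, sysdba, sysoper
FROM   v$pwfile_users;

-- 4. Count privileged role grants per account to spot redundant ones.
SELECT grantee, COUNT(*) AS privileged_roles
FROM   dba_role_privs
WHERE  granted_role IN ('DBA', 'IMP_FULL_DATABASE', 'EXP_FULL_DATABASE')
GROUP  BY grantee
HAVING COUNT(*) > 1;

-- 5. Leaver process: remove the privilege and lock the account immediately.
REVOKE dba FROM jsmith;
ALTER USER jsmith ACCOUNT LOCK;

-- 6. Check what the account owns before dropping it; DROP USER ... CASCADE
--    deletes every object in the schema.
SELECT object_type, COUNT(*) AS objects
FROM   dba_objects
WHERE  owner = 'JSMITH'
GROUP  BY object_type;

DROP USER jsmith CASCADE;
```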
Establishing an ongoing auditing policy
Oracle database auditing is the equivalent of consistent security patrols in a warehouse of valuable material. The audits serve as early warnings to identify potential attacks, and they need to produce reports tailored to the organization’s specific needs. Oracle has built-in levels of auditing that monitor levels of access and activity, and they can protect especially sensitive personal and financial information.
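One way to set up the ongoing auditing described above with Oracle unified auditing (12c or later). This is an added example, not part of the original article; the policy names, the HR.EMPLOYEES table and the five-failure threshold are assumptions.

```sql
-- Added example. Policy names, HR.EMPLOYEES and thresholds are assumptions.

-- 1. Record every change to accounts, roles, profiles and grants.
CREATE AUDIT POLICY acct_and_priv_changes
  ACTIONS CREATE USER, ALTER USER, DROP USER,
          CREATE ROLE, DROP ROLE,
          ALTER PROFILE, GRANT, REVOKE;

-- 2. Record reads and changes on a table holding sensitive data.
CREATE AUDIT POLICY sensitive_table_access
  ACTIONS SELECT ON hr.employees,
          UPDATE ON hr.employees,
          DELETE ON hr.employees;

-- 3. Enable both, plus Oracle's predefined failed-logon policy.
AUDIT POLICY acct_and_priv_changes;
AUDIT POLICY sensitive_table_access;
AUDIT POLICY ora_logon_failures WHENEVER NOT SUCCESSFUL;

-- 4. Confirm which policies are enabled.
SELECT policy_name, enabled_option, success, failure
FROM   audit_unified_enabled_policies
ORDER  BY policy_name;

-- 5. Daily report: account and privilege changes in the last 24 hours.
SELECT event_timestamp, dbusername, action_name,
       object_schema, object_name, return_code
FROM   unified_audit_trail
WHERE  unified_audit_policies LIKE '%ACCT_AND_PRIV_CHANGES%'
AND    event_timestamp > SYSTIMESTAMP - INTERVAL '1' DAY
ORDER  BY event_timestamp DESC;

-- 6. Early warning: accounts with five or more failed logons in the last
--    hour, grouped by the client host they came from.
SELECT dbusername, userhost, COUNT(*) AS failed_logons
FROM   unified_audit_trail
WHERE  action_name = 'LOGON'
AND    return_code <> 0
AND    event_timestamp > SYSTIMESTAMP - INTERVAL '1' HOUR
GROUP  BY dbusername, userhost
HAVING COUNT(*) >= 5
ORDER  BY failed_logons DESC;
```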
Other proactive security assessments include:
an annual, high-level review and analysis of all Oracle database security components (user accounts, password policies, etc.)
a comparison of the organization’s security configuration with Oracle’s recommended best practices
Securing database information in the face of constant and, unfortunately, sometimes successful attacks against electronic information is a problem faced by organizations everywhere. Oracle database products provide the first line of defense with features that, when used appropriately, can keep your data safe.
However, a proprietary database can be a garden that must be constantly weeded to remove obsolete authentication levels and passwords. At the working level, access authorization must match at least the level of job roles, but go no higher or wider. Finally, the old military saying that “the troops perform best what you personally monitor” applies to why a database needs constant auditing.
Read more about securing your Oracle database in this online Oracle Technical Primer.