Oracle Database Security (part 1)

Your Oracle databases hold a significant amount of data, much of it sensitive – intellectual property, personal data, financial information – the list goes on. Protecting that data may be your direct responsibility (perhaps you are the data owner, security administrator, or database administrator), or you may simply be interested in how the data SHOULD be protected.

Data is the new currency

Organizations worldwide are experiencing the impact of data breaches at an unprecedented rate. It seems like every day brings a news story about a service provider losing subscribers’ personal information, an employer losing employee HR records, or a government contractor losing sensitive intellectual property. Data is the new currency, and bad actors can often leverage stolen data for financial or political advantage for years after a breach.

And where do organizations keep this sensitive data? At the end of the day, it is stored and managed mostly in databases. Perimeter security solutions such as network firewalls were once considered sufficient for protecting internal systems and repositories such as databases from data theft. However, the threat environment for organizations has changed considerably in recent years. Attackers' tools vary widely, from exploiting unpatched systems to very advanced methods in which hackers penetrate a network, search for vulnerabilities, and then covertly exfiltrate data from servers. These attacks can go undetected for weeks, months, or even years.

Threat actors and the “Dirty Dozen”

The most effective way to protect data is to enable security controls at multiple levels of the application stack. If an attacker circumvents one security control, additional controls can address the threat. We describe this approach as defense-in-depth. To understand why a defense-in-depth approach to database security is essential, we must examine the actors who want your data and how they try to get it.

Threat actors can be broadly divided into “outsiders” and “insiders.” Outsiders vary widely in their level of skill and resources. They include everyone from lone “hacktivists” and cyber criminals seeking business disruption or financial gain to criminal groups and nation-state-sponsored organizations seeking to perpetrate fraud and create disruption at a national scale. Insiders include current or former employees, curiosity seekers, and customers or partners who take advantage of their position of trust to steal data. Both groups target personal data, financial data, trade secrets, and regulated data.

Figure: Threat actors.

What tools or techniques do these threat actors use to compromise data? Many information security professionals are familiar with the OWASP Top Ten. OWASP stands for the Open Worldwide Application Security Project - an online community founded in 2001 focused on improving application security. The OWASP Top Ten aims to raise awareness about application security by listing the most critical security risks to web applications according to broad consensus. This list is updated regularly by OWASP as the threat environment evolves. Part of the value of the OWASP Top Ten is that it guides web administrators and developers in where to spend their effort and resources to deploy more secure applications. In this way, it is an essential step towards a more secure web infrastructure.

Similarly, we have proposed a list of the twelve most common database security risks, which we call the “Dirty Dozen.” The items on this list make up a hacker’s “tool chest” of tactics and techniques for compromising the data stored in databases. These tactics include:

  1. Exploiting unpatched systems or misconfigured databases to bypass access controls.
  2. Escalating run-time privileges by exploiting vulnerable applications.
  3. Searching for sensitive data in unprotected databases, applications and systems.
  4. Stealing the credentials of a privileged administrator or application user through email-based phishing and other forms of social engineering or by using malware to sniff for credentials and data.
  5. Accessing accounts through password guessing or exploiting careless credential management.
  6. Exploiting application weaknesses with techniques like SQL injection, bypassing application layer security by embedding SQL code into a seemingly innocuous end-user-provided input.
  7. Exploiting unprotected systems as a bridge to launch attacks against more sensitive systems.
  8. Creating rogue user accounts on systems as a base for reconnaissance and possible escalation of privilege.
  9. Targeting copies of live production data used in development and test systems where the data is typically not as well protected as in production systems.
  10. Accessing unencrypted database system files on the disk or in backup files.
  11. Encrypting data or stealing the encryption keys from encrypted data, rendering it inaccessible to users and demanding a ransom.

A complete list of the Dirty Dozen appears in Table 1.1.
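To show the mechanism behind item 6, here is an added example (not part of the original article) of a customer lookup built by string concatenation beside the same lookup using a bind variable. It assumes a constructed customers table and uses Python's sqlite3 module as an offline stand-in for Oracle; sqlite3's named `:user` placeholder mirrors an Oracle bind variable.

```python
import sqlite3

# Constructed sample data; sqlite3 stands in for an Oracle database so the
# example runs offline. The ":user" placeholder mirrors an Oracle bind variable.
ROWS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def _connect():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", ROWS)
    return conn


def lookup_vulnerable(username):
    """String concatenation: the input becomes part of the SQL statement text."""
    conn = _connect()
    sql = "SELECT email FROM customers WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_hardened(username):
    """Bind variable: the input is always passed as data, never parsed as SQL."""
    conn = _connect()
    sql = "SELECT email FROM customers WHERE username = :user"
    return [row[0] for row in conn.execute(sql, {"user": username})]


if __name__ == "__main__":
    # Legitimate input behaves identically in both forms.
    print(lookup_vulnerable("alice"))  # ['alice@example.com']
    print(lookup_hardened("alice"))    # ['alice@example.com']
    # A seemingly innocuous value that closes the quote and appends a tautology
    # rewrites the concatenated statement to "WHERE username = '' OR '1'='1'".
    tricky = "' OR '1'='1"
    print(lookup_vulnerable(tricky))   # every customer's email is returned
    print(lookup_hardened(tricky))     # [] because no username literally matches
```

The hardened form is the one an application-layer control should enforce; the database-level controls described below (auditing, a database firewall) are the defense-in-depth layers behind it.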

Figure: How hackers attack the database (the Dirty Dozen list referred to as Table 1.1).

Addressing the Dirty Dozen through data security controls

A well-structured data security solution can help mitigate the risks from the Dirty Dozen. The best approach incorporates multiple layers of security controls to provide defense-in-depth protection from threats. We can group these controls into the following four categories:

  - Assessment controls help assess the security posture of a database, including the ability to monitor and identify configuration changes. They also help you assess your users' security configuration, how much sensitive data you may have in the database, and where it resides.
  - Preventive controls block access to data by unauthorized users with technologies such as encryption and database-level controls.
  - Detective controls monitor user and application data access, allowing administrators to detect and block threats and support compliance reporting.
  - Exposure-limiting controls selectively redact or obfuscate sensitive data, limiting its exposure to compromise or disclosure across the various uses of that data.
  - Data controls enforce fine-grained access at the row and column level within the database, providing a consistent authorization model across multiple applications, reporting tools, and database clients.
  - User controls enforce proper user authentication and authorization policies, ensuring only authenticated and authorized users can access their data.

Figure: Database security controls and how they map to Oracle products and technologies.

With this comprehensive set of database security controls, we now begin to see how to deploy defense-in-depth security to address threats such as the Dirty Dozen listed in Table 1.1.

Figure: Combating the Dirty Dozen. Connecting the Dirty Dozen with the compensating controls that address these risks.

Initially, many organizations begin by implementing security controls on a project-by-project basis but then later expand the scope after realizing that hackers would target any unprotected system on the network and then use that as a launching point to attack other systems with sensitive data. Many organizations then move to centralized security management using tools and cloud services such as Oracle Data Safe, Oracle Audit Vault and Database Firewall, Oracle Key Vault, and Oracle Enterprise Manager.

Finally, since many organizations are migrating their workloads to the cloud and embracing new, agile deployment models, these controls need to scale and work seamlessly across on-premises, private cloud, public cloud, and hybrid cloud environments.

This series of articles takes you through the various aspects of Oracle’s defense-in-depth security for databases and provides a high-level overview of how they work and the types of protection they provide. The following articles cover different aspects of database security.

References

Oracle Database Security: A Technical Primer. September 2023, Version 5.0.

Copyright © 2023, Oracle Corporation and/or its affiliates.

Your recent article on Oracle database security was very interesting! The explanations you provided about the need to protect sensitive information and the importance of various security technologies were extremely valuable. This article truly demonstrates how a multi-layered approach can achieve the highest level of security for databases. Thank you for sharing this valuable information!

moh derik

Oracle Database Administrator

7 months

Very useful. Unfortunately, many friends did not pay attention to this issue and simply passed it by.


Nasser, this is invaluable guidance for protecting our organization's data assets! I'm curious, what are some common misconceptions you've encountered about Oracle database security, and how do you address them?

Behzad Saberi

TA & GRA in AI at Ontario Tech University

7 months

Very useful
