Andrew Meade, senior database administrator at TransUnion Interactive, leads a team of DBAs charged with keeping the company’s data available, secure, and
compliant. “We have a lot of sensitive information that we must protect, and Oracle gives us many different ways to defend our data against attacks,” he says.
modify databases, and grant privileges makes internal system
administrators and DBAs a security risk to the enterprise and a target
for hackers. And they aren’t the only potential liabilities: in some
cases, sensitive production data moves through development and
test environments, where any developer can see it.
“In most organizations, two-thirds of sensitive and regulated data
resides in databases,” points out Vipin Samar, vice president of
database security technologies at Oracle. “Unless the databases are
protected using a multilayered security architecture, that data is at risk to
be read or changed by administrators of the operating system,
databases, or network, or hackers who use stolen passwords to pose as
administrators. Further, hackers can exploit legitimate access to the
database by using SQL injection attacks from the Web. Organizations
need to mitigate all types of risks and craft a security architecture that
protects their assets from attacks coming from different sources.”
Companies spend billions of dollars each year securing their IT
systems worldwide, including software, services, and support, Samar
adds. Despite these massive investments, attacks have continued,
and the attackers—with the help of social engineering and
sophisticated automated tools—have continued to succeed. This is partly
because traditional security strategies have focused on protecting
the network perimeter and desktop and laptop machines, rather than
internal server assets. Ultimately, what is most important is
protecting the databases themselves, yet this is the area that many
companies overlook. According to Forrester Research, while 70 percent
of companies have an information security plan, only 20 percent of
them have a database security plan.
DATABASE ENCRYPTION
Oracle Advanced Security, an Oracle Database 11g option, helps
organizations protect sensitive data on the network, on storage
media, and within the database. It addresses privacy and regulatory
requirements including the Payment Card Industry Data Security
Standard (PCI DSS), Health Insurance Portability and Accountability
Act (HIPAA), and numerous breach notification laws.
A need to comply with PCI DSS regulations motivated TransUnion
Interactive to adopt Oracle Advanced Security’s Transparent Data
Encryption feature and Oracle Database Firewall.
“We have a lot of sensitive information that we must protect,
and Oracle gives us many different ways to defend our data against
PETER STEMBER
JULY/AUGUST 2012 ORACLE.COM/ORACLEMAGAZINE