ANALYST'S CORNER BY DAVID BAUM
The Best Defense
Today's database security tools protect your data at multiple levels.
Oracle Magazine spoke with Martin Kuppinger, founder and principal analyst at KuppingerCole, about database security as the cornerstone of an end-to-end security architecture.
Oracle Magazine: Why is a multilevel approach to security important?
Kuppinger: When you look at the well-publicized breaches of IT security, in many cases the attacker is an internal person who had access to a database. A layered security approach protects each part of your technology stack, from the network to the application, including the database. While identity management technology authenticates people at the application level, if the data is still readable and in plain text, then there are plenty of ways that a malicious intruder can access it.
Oracle Magazine: What's the difference between securing data in the cloud and securing data on premises?
Kuppinger: Your security approach should differ depending on the type of clouds you're using. Running a private cloud in a well-defined data center at a specific location is different from simply renting a virtual machine in a public cloud. One of the issues is that you often don't know where your data resides. You rely on service-level agreements for security, which comes down to trusting the vendor. In those instances, it's important to protect your data, generally using encryption.
Oracle Magazine: What responsibilities do enterprises have to secure personally identifiable information [PII], and what are the primary risks that they must address?
Kuppinger: There are two types of risk here: monetary penalties and breach notification. PII regulations differ from country to country. International organizations must meet the highest levels of security to ensure that they are fully compliant. As to the risks, if you lose data then you face breach notification penalties and you might end up making the headlines the next day. Three or four years ago, you could lose a lot of data and it would be noted in some computer magazines. Now you might find yourself on the front page of the business news, which can have huge ramifications on the enterprise, on shareholder value, and on your reputation with customers.
JULY/AUGUST 2012 ORACLE.COM/ORACLEMAGAZINE
Oracle Magazine: How do database security technologies help enterprises mitigate these risks?
Kuppinger: You need a multifaceted database security portfolio to fulfill regulatory compliance criteria. Auditability and traceability are very important, as are labeling data and segmenting it into different domains. Encryption and strong authentication are also essential.
Organizations must look at the requirements for their industry, region, and country. They must identify risks and select a variety of technologies to make sure that they have covered everything that pertains to them.
Oracle Magazine: DBAs, system administrators, and other technical personnel need access to database resources. How do organizations secure database information from their own administrators?
Kuppinger: Limit the actions of privileged users. For starters, you can segment data into domains and limit administrative access to financial data and PII. HR data is often confidential as well. Privileged users are important, but they are also a big risk. Don't give them access that they don't need, and encrypt sensitive data so that they can work on the database without seeing things that they don't need to see.
Oracle Magazine: How does a database firewall differ from a network firewall?
Kuppinger: Both of them are called firewalls, but they do different things. A network firewall guards the perimeter of the network, while a database firewall works from within to detect SQL injections and rogue transactions that shouldn't be allowed. Place a database firewall in front of the database within your data center to analyze the SQL statements and prevent the execution of malicious programs or loss of data.
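The statement analysis Kuppinger describes can be illustrated with a small screening routine. The code below is an added example for this article, not Oracle's product code or anything from KuppingerCole: it reduces each incoming SQL statement to a "fingerprint" (literals replaced by placeholders), compares it against an allowlist learned from the application's known-good statements, restricts the verbs an application account may issue, and flags shapes typical of injection such as stacked statements, comment truncation, and always-true predicates. The allowlist and the sample statements are constructed for the example.

```python
"""Database-firewall style SQL screening (added illustration, not Oracle's
product code). A real database firewall sits between the application and
the database and inspects every statement; this module shows the core
policy decision such a device makes on each statement."""
import re
from dataclasses import dataclass

# Regular expressions used to normalise a statement into a fingerprint.
_STRING = re.compile(r"'(?:[^']|'')*'")          # SQL string literal, '' escapes a quote
_NUMBER = re.compile(r"\b\d+(?:\.\d+)?\b")       # integer or decimal literal
_WS = re.compile(r"\s+")


def fingerprint(sql: str) -> str:
    """Replace literals with '?', collapse whitespace and lower-case the text,
    so 'SELECT ... WHERE id = 5' and '... WHERE id = 7' share one fingerprint."""
    s = _STRING.sub("?", sql)
    s = _NUMBER.sub("?", s)
    return _WS.sub(" ", s).strip().rstrip(";").lower()


@dataclass
class Verdict:
    allowed: bool
    reason: str
    fingerprint: str


class DatabaseFirewall:
    """Policy: learned allowlist of statement shapes plus a verb restriction
    for the connecting account plus structural injection checks."""

    def __init__(self, known_good, allowed_verbs=("select", "insert", "update", "delete")):
        self.allowlist = {fingerprint(s) for s in known_good}
        self.allowed_verbs = set(allowed_verbs)

    def inspect(self, sql: str) -> Verdict:
        fp = fingerprint(sql)
        outside_literals = _STRING.sub("?", sql)   # syntax with string bodies removed
        if "--" in outside_literals or "/*" in outside_literals:
            return Verdict(False, "comment sequence outside a literal", fp)
        if re.search(r";\s*\S", outside_literals.strip()):
            return Verdict(False, "stacked statements", fp)
        if re.search(r"\bor\s+\?\s*=\s*\?", fp):
            return Verdict(False, "always-true predicate", fp)
        verb = fp.split(" ", 1)[0]
        if verb not in self.allowed_verbs:
            return Verdict(False, f"verb {verb!r} not permitted for this account", fp)
        if fp not in self.allowlist:
            return Verdict(False, "statement shape not in learned allowlist", fp)
        return Verdict(True, "matches learned statement", fp)


# Constructed allowlist: the statements this (hypothetical) application legitimately issues.
KNOWN_GOOD = [
    "SELECT name, email FROM customers WHERE id = 42",
    "UPDATE customers SET email = 'someone@example.com' WHERE id = 42",
]

# Constructed sample traffic as a database firewall might see it.
SAMPLE_STATEMENTS = [
    "SELECT name, email FROM customers WHERE id = 7",
    "SELECT name, email FROM customers WHERE id = 7 OR 1=1",
    "SELECT name, email FROM customers WHERE id = 7; DROP TABLE customers",
    "SELECT name, email FROM customers WHERE id = 7 -- trailing comment",
    "SELECT * FROM customers",
    "DROP TABLE customers",
]


def screen(statements, firewall=None):
    """Run each statement through the policy; returns (sql, allowed, reason) tuples."""
    fw = firewall or DatabaseFirewall(KNOWN_GOOD)
    return [(s, v.allowed, v.reason) for s in statements for v in [fw.inspect(s)]]


if __name__ == "__main__":
    for sql, ok, why in screen(SAMPLE_STATEMENTS):
        print("ALLOW" if ok else "BLOCK", why, "|", sql)
```

The allowlist is the important part: the structural checks catch the textbook injection shapes, but a statement the application never issues is blocked even when it looks harmless, which is what protects against a rogue transaction from a compromised account. In practice the allowlist is learned during a monitoring phase and reviewed before enforcement is switched on.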
Oracle Magazine: What are the pros and cons of database-level encryption, such as transparent data encryption, and full-disk encryption?
Kuppinger: Important data should be encrypted, partly to protect it from privileged users who have broad access to information. Transparent data encryption is applied to the specific needs of a database environment, whereas full-disk encryption protects data at rest on the disk but in no other situation. Of course, even transparent data encryption doesn't protect data while somebody is using it. But it does protect some part of the communication when the data is in motion.
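Two of Kuppinger's points above, that sensitive columns should be encrypted so administrators can work on the database without seeing them, and that no encryption protects data while somebody is using it, can be shown concretely with application-layer column encryption. The code below is an added example for this article, not Oracle's transparent data encryption (which runs inside the database engine): the application encrypts a column before it is stored in a SQLite table, so a privileged account reading the table sees only ciphertext, while the plaintext exists only in the application process that holds the key. The cipher is a SHA-256-based keystream with an HMAC tag, a stand-in for the AES-GCM a real deployment would use; the customer records are constructed for the example.

```python
"""Application-layer column encryption demo (added illustration). The stream
cipher is a stand-in for AES-GCM built only from the standard library."""
import hashlib
import hmac
import os
import sqlite3

NONCE_LEN = 16
TAG_LEN = 32


def _derive_keys(master: bytes):
    """Separate encryption and MAC keys derived from one master key."""
    enc = hmac.new(master, b"column-encryption", hashlib.sha256).digest()
    mac = hmac.new(master, b"column-mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: SHA-256(key || nonce || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(enc_key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(master: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || HMAC tag (encrypt-then-MAC)."""
    enc_key, mac_key = _derive_keys(master)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(master: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; tampering raises ValueError."""
    enc_key, mac_key = _derive_keys(master)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext failed integrity check")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def setup_db() -> sqlite3.Connection:
    """In-memory table standing in for a customer table with a PII column."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, ssn_enc BLOB)")
    return conn


def app_insert(conn, master: bytes, name: str, ssn: str) -> int:
    """The application path: the PII column is encrypted before it reaches the database."""
    cur = conn.execute("INSERT INTO customers (name, ssn_enc) VALUES (?, ?)",
                       (name, encrypt(master, ssn.encode())))
    return cur.lastrowid


def app_get_ssn(conn, master: bytes, customer_id: int) -> str:
    """The application path: plaintext exists only here, in the process holding the key."""
    (blob,) = conn.execute("SELECT ssn_enc FROM customers WHERE id = ?", (customer_id,)).fetchone()
    return decrypt(master, blob).decode()


def dba_dump(conn):
    """What a privileged account with full table access, but no key, can read."""
    return conn.execute("SELECT id, name, ssn_enc FROM customers").fetchall()


if __name__ == "__main__":
    key = os.urandom(32)             # constructed master key; a real one lives in a KMS/HSM
    db = setup_db()
    cid = app_insert(db, key, "Example Customer", "123-45-6789")
    print("DBA view:", dba_dump(db))
    print("App view:", app_get_ssn(db, key, cid))
```

The DBA's `SELECT` returns an opaque blob, which is the "don't see things they don't need to see" property; `app_get_ssn` shows the gap Kuppinger notes, since the application that needs the value has to decrypt it, so controls on the application tier and on key access decide who ultimately sees plaintext.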
David Baum (david@dbaumcomm.com) is a freelance business writer based in Santa Barbara, California.
Founded in 2004, KuppingerCole (kuppingercole.com) is a leading analyst company for identity-focused information security, in classical and cloud environments.