Written by two of the world's most widely-read Oracle developers and authors of best-selling Oracle books, Don Burleson and Arup Nanda bring their substantial knowledge of Oracle internals to this important book. With decades of experience installing Oracle auditing, Arup Nanda shares secrets for the effective creation of auditing mechanisms for HIPAA-compliant Oracle systems.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was created to ensure privacy for medical patient data. HIPAA requires complete auditing to show everyone who has viewed confidential medical patient information. This applies to hospitals, insurance companies, and dozens of healthcare-related industries. HIPAA is a framework that provides complete security access and auditing requirements for Oracle database information.

This book provides complete details for using Oracle auditing features, including auditing from Oracle redo logs, using system-level triggers, and using Oracle9i fine-grained auditing (FGA) for auditing the retrieval of sensitive information.

Best of all, Burleson & Nanda share dozens of working samples in their online code depot. Examples from all areas of auditing are covered with working scripts and code snippets. Your time savings from a single script is worth the price of this great book.
Key Features:
- Provides a complete conceptual framework for all areas of Oracle auditing.
- Covers HIPAA requirements and shows Oracle techniques for enforcing HIPAA requirements inside the Oracle database.
- Offers fast working examples for basic Oracle auditing techniques and scripts.
- Shows the use of the Oracle9i LogMiner to retrieve audits of database updates.
- Shows how to implement all Oracle system-level triggers for auditing, including DDL triggers, servererror triggers, and logon and logoff triggers.
- Provides working code examples for auditing the viewing of sensitive information using triggers and Oracle9i fine-grained auditing (FGA).
About the Authors:

Arup Nanda
Arup Nanda is the recipient of the coveted DBA of the Year 2003 award by Oracle Corporation. This award is among the most highly coveted in the database industry, and each year only one of more than a quarter million Oracle professionals is honored by this distinction. A decade of experience as a DBA has made Arup an expert in many Oracle areas including Oracle design, Oracle modeling, Oracle performance tuning and Oracle backup & recovery.
Arup is a frequent speaker at many Oracle-related conferences including IOUG Live and has written several Oracle-related articles in technical journals in the US and Europe. He is on the editorial board of SELECT Journal, the publication of the International Oracle Users Group.

Don Burleson
Don Burleson is one of the world’s top Oracle Database experts with more than 20 years of full-time DBA experience. He specializes in creating database architectures for very large online databases and he has worked with some of the world’s most powerful and complex systems. A former adjunct professor, Don Burleson has written 14 books, published more than 100 articles in national magazines, and serves as Editor-in-Chief of Oracle Internals. Don is a popular lecturer and teacher and is a frequent speaker at Oracle OpenWorld and other international database conferences.
Table of Contents:

Section I - Overview

Chapter 1: Introduction to HIPAA
Introduction to HIPAA: the law, the requirements and the mandates placed by the new regulation. The chapter stresses that HIPAA consists of two important domains: (i) the mandate to protect data and enforce security and privacy, and (ii) the description of several types of EDI/EC transactions. This book covers the first domain, pertaining to security and data protection.

Chapter 2: Introduction to Oracle Security
A detailed overview of the Oracle security mechanisms and their relevance to HIPAA.
- Grant security
- Role-based security
- Profile-based security
- Grant execute security (invoker & definer rights)
- Virtual private databases (row-level security, fine-grained access control)
- Application Server security

Chapter 3: Introduction to Oracle Auditing
An overview of the tools and techniques that are used for HIPAA auditing of Oracle databases.
- DDL auditing
- DML auditing
- SELECT auditing
  - Oracle audit SQL commands
  - Fine-grained auditing
- Auditing backup & recovery
  - Auditing the disaster recovery plan
  - Auditing the continuous availability plan
- Auditing replicated data
- Auditing sources for materialized views
Section II - Security

Chapter 4: General Oracle Security
This is a review of the standard relational grant security as expected in the HIPAA requirements.
- Profile security
- Grant security
  - System privileges
  - Object privileges
  - Granting to PUBLIC
  - Grants with ADMIN option
- Role-based security
  - Views and grant security
  - Row-level security with views
- Grant execute security
  - Definer rights and invoker rights
- SQL*Plus security
  - The use of product_user_profile
  - Restricting logon attempts

Chapter 5: Virtual Private Database
Topics include a detailed description of VPD and how it can be used to enforce security and privacy as per HIPAA requirements.
- Benefits of FGAC
  - Dynamic security: predicates are assigned to users at runtime, and there is no need to maintain complex roles and grants.
  - Multiple security: place more than one policy on each object, as well as stack them upon other base policies.
  - No dictionary view proliferation: thousands of views are no longer required to manage row-level security.
  - No back doors: users no longer bypass security policies embedded in applications, because the security policy is attached to the data.
  - Complex access rules: scalar values (e.g. where salary > 50000) can be deployed.
- Issues with FGAC
  - Requires a user account for every person accessing Oracle
  - Difficult to reconcile with other GRANT security
  - Access rules are stored inside stored procedures, which can be changed
  - Foreign key referential integrity can be used to bypass FGAC
  - Cursor caching in releases before 8.1.7 allows bypassing of FGAC
- Predicate-based security internals
- Security policies
- Application contexts
- Example of FGAC in action

Chapter 6: Data Encryption in Oracle
A description of all types of encryption (available in Oracle) to satisfy HIPAA requirements.
- Types of encryption: DES, 3DES, MD5, etc.
- Details on using the dbms_obfuscation_toolkit package
- Using hashing functions to encrypt data
- Using data compression as encryption

Chapter 7: Oracle Network Security
- Vulnerabilities and threats in Oracle networks
- Listener buffer overflow
- SQL injection
- Packet sniffing
- IP filtering with Connection Manager
Section III - Auditing

Chapter 8: Oracle Audits
- Audits in Oracle for various DML statements
- Managing audit tables
- Archiving audit tables to archival media like CD-ROM or tape
- Various examples describing the auditing functionality in Oracle

Chapter 9: Oracle Trigger Auditing
- DDL auditing
  - System triggers for DDL auditing
  - Using dictionary-based DDL
  - Auditing source code changes
  - Auditing DDL versioning
- DML auditing
  - Installing automatic auditing using LogMiner
  - Usage of LogMiner for HIPAA update auditing requirements
  - Auditing with DML triggers
- Server error auditing
  - Servererror trigger
  - Reports

Chapter 10: Auditing Grants Security
Overview of data dictionary query scripts to locate faults in grant-based and role-based security to satisfy HIPAA requirements.
- Auditing for system privileges
- Auditing for WITH ADMIN option
- Auditing for synonyms
- Auditing for PUBLIC objects
Chapter 11: Oracle Fine Grained Auditing
Fine Grained Auditing (FGA) in Oracle9i provides the hitherto impossible capability of auditing the exact statement a user ran to simply select data, not update it, as required by HIPAA.
- Use of the dbms_fga package
- Auditing SELECT access as per the HIPAA-mandated auditing of Patient Health Information (PHI)
- Archiving of audit information to tertiary media (optical CD-ROM & tape)
- Combining FGA and Flashback queries to answer the most important question: in addition to who saw the data, what they saw
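As an added illustration (not code from the book or its online code depot), the following constructed script shows the two pieces Chapter 11 combines: an Oracle9i dbms_fga policy that records every SELECT touching a PHI column, the audit-trail query that answers who ran which statement, and the flashback query that recovers what they saw at the audited SCN. The PHI schema, the PATIENT_RECORD table and the policy name are assumptions.

```sql
-- Constructed PHI table (assumed schema and columns).
CREATE TABLE phi.patient_record (
  patient_id  NUMBER PRIMARY KEY,
  last_name   VARCHAR2(40),
  diagnosis   VARCHAR2(200)
);

-- Oracle9i FGA evaluates the policy through the cost-based optimizer,
-- so the audited table needs statistics for the policy to fire reliably.
ANALYZE TABLE phi.patient_record COMPUTE STATISTICS;

-- Register the policy using only parameters available in Oracle9i.
-- audit_condition '1=1' records every SELECT; audit_column restricts
-- auditing to statements that actually read the DIAGNOSIS column.
BEGIN
  dbms_fga.add_policy(
    object_schema   => 'PHI',
    object_name     => 'PATIENT_RECORD',
    policy_name     => 'PHI_DIAGNOSIS_READ',   -- hypothetical policy name
    audit_condition => '1=1',
    audit_column    => 'DIAGNOSIS',
    enable          => TRUE);
END;
/

-- Who read PHI, from where, and the exact statement text, with the SCN
-- at which the statement executed.
SELECT db_user, os_user, userhost, timestamp, scn, sql_text
  FROM dba_fga_audit_trail
 WHERE object_schema = 'PHI'
   AND object_name   = 'PATIENT_RECORD'
   AND policy_name   = 'PHI_DIAGNOSIS_READ'
 ORDER BY timestamp;

-- What they saw: re-run the audited statement's predicate against the
-- table as of the captured SCN (flashback query), so later updates or
-- deletes do not hide the data that was actually disclosed at the time.
-- :audited_scn is bound from the SCN column of the audit row above; the
-- WHERE clause is taken from that row's sql_text.
SELECT patient_id, last_name, diagnosis
  FROM phi.patient_record AS OF SCN :audited_scn
 WHERE patient_id = 1001;
```

The flashback query only reaches back as far as the undo retention of the instance allows, so audit rows should be reviewed (or the disclosed rows archived) before the undo is reused.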
Chapter 12: HIPAA Checklists for Security and Auditing
A checklist of HIPAA requirements (and the Oracle features described in this book) that can be used to satisfy the requirements.

This book covers Oracle security audit.