Oracle 2009 security survey released
October 2, 2009
The Independent Oracle Users Group has just released their IOUG 2009 Oracle security survey. All shops should download this important Oracle security survey.
This is an Oracle security survey with data from some of America's largest Oracle shops, a great place to see new trends in Oracle security. The main points of this security survey include:
- Hacking is up - Unauthorized data breaches and leaks are up 50% on last year. When things get tight, spending on security is often the first thing cut from the Oracle budget.
- Inside jobs remain a major threat - In my experience as an Oracle forensics analyst, internal threats are a big issue, and there are many security horror stories. There are specialized Oracle auditing tools that audit the DBA and other privileged users, but these are expensive and difficult to manage. Many shops rely on strict background checks (both criminal checks and credit checks) to weed out DBA staff. For example, a bad credit history shows moral turpitude and a disrespect for obligations, and many major corporations will not hire DBAs with a history of dishonesty, no matter how minor.
- Offshoring poses a major security risk - Outsourcing your Oracle DBA functions leaves Oracle shops unprotected by US data security and privacy laws. While Oracle Remote DBA support remains popular, it's critical to outsource only within the USA. Also see the Computerworld article titled "Offshore Outsourcing Poses Privacy Perils".
- The DBA is an exposure - DBAs are people too, and many security exposures have been traced to dishonest DBAs. It's critical to audit the DBA, and to do strict background and security checks for DBAs. I won't even hire a DBA with parking tickets because it indicates disrespect for the law. See how a San Francisco city Network Administrator was arrested. See my book "Oracle Privacy Security Auditing".
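The two points above ("audit the DBA and other privileged users" and "it's critical to audit the DBA") can be covered to a useful degree with the auditing built into the database itself, before any third-party tool is bought. The following is an added example, not from the survey or from this article: it assumes Oracle 10g or 11g with the standard (non-Unified) audit facility, and the account name APP_DBA is a constructed placeholder for a privileged account that should be watched.

```sql
-- Added example: standard Oracle auditing aimed at privileged users.
-- Assumes Oracle 10g/11g with the default (non-Unified) audit facility;
-- the account name APP_DBA is a constructed placeholder.

-- 1. Record everything done AS SYSDBA / AS SYSOPER in the OS audit trail.
--    These sessions bypass the database audit trail otherwise.
ALTER SYSTEM SET audit_sys_operations = TRUE SCOPE = SPFILE;

-- 2. Write ordinary audit records to the database, including SQL text
--    and bind values, so the investigator sees the actual statement.
ALTER SYSTEM SET audit_trail = DB, EXTENDED SCOPE = SPFILE;
-- Both parameters are static: restart the instance for them to take effect.

-- 3. Audit the actions a privileged account is most likely to abuse,
--    one audit record per statement (BY ACCESS) rather than per session.
AUDIT SELECT TABLE, INSERT TABLE, UPDATE TABLE, DELETE TABLE BY app_dba BY ACCESS;
AUDIT CREATE USER, ALTER USER, DROP USER, GRANT ANY PRIVILEGE, GRANT ANY ROLE BY ACCESS;
AUDIT ALTER SYSTEM, ALTER DATABASE BY ACCESS;
AUDIT SESSION BY app_dba;

-- 4. Confirm the statement audit options are actually in place.
SELECT user_name, audit_option, success, failure
  FROM dba_stmt_audit_opts
 ORDER BY user_name, audit_option;

-- 5. Review what the account did in the last day: who, from where,
--    when, on which object, whether it succeeded, and the statement text.
SELECT username, os_username, userhost, timestamp, action_name,
       owner, obj_name, returncode, sql_text
  FROM dba_audit_trail
 WHERE username = 'APP_DBA'
   AND timestamp > SYSDATE - 1
 ORDER BY timestamp;

-- 6. Keep the evidence out of the audited DBA's reach. SYS.AUD$ sits in the
--    SYSTEM tablespace by default; on 11g Release 2 use DBMS_AUDIT_MGMT to
--    relocate and retain it, and ship the OS audit files (step 1) off the host.
```

The point of steps 1 and 6 is that a DBA can edit or purge what sits inside the database; audit data that is written to the operating system and copied off the machine is what survives a dishonest administrator.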
- Not enough emphasis on security - The security survey notes that many shops are complacent. I once consulted for a shop that did not know that their entire database was being stolen and e-mailed to China, the result of hiring a cheap non-USA Oracle support provider. This breach was so severe that they went out of business.
- Not enough on data security best practices - Many shops surveyed did not follow data security best practices and do not deploy the advanced Oracle security tools that are so secure that they are used in classified government systems. Shops that truly care about their data security can hire an Oracle expert with a United States security clearance to deploy advanced security.
In sum, the 2009 Oracle security survey underscores the importance of not skimping on security activities and keeping all Oracle support in-house or only using trusted USA remote support options.
See my general notes here on Oracle security best practices:
- Oracle Auditing for Risk Management and Regulatory Compliance
- BC Remote DBA security policies
- Protecting your Oracle data against theft