oracle-database-security-primer.pdf
2023-10-18
Oracle Database Security
a technical primer
Fifth edition
September, 2023, Version 5.0
Copyright © 2023, Oracle and/or its affiliates
Foreword
Having been in the security space for over 25 years, the front seat view has been exhilarating. Twenty-five years ago,
mostly governments and financial institutions were interested in security while everybody else trusted the
administrators, users, and computing environment to keep their data secure. It was only when browsers opened up
new vistas for commerce over the net in the 90s that companies began to understand the vital need for security. This
new perspective led to SSL, network firewalls, and strong cryptography.
Fast forward to the present, and just like before, we find ourselves living in a dramatically different world where every
piece of data is online and available 24/7. To address this new reality, we see many different security technologies
protecting various layers of the IT stack, from the applications down to the chipsets. While the global security spend is
expected to exceed $195 billion in 2025, hacks are becoming bigger and bolder, impacting everything from customer
and citizen databases to vaccine data and Wi-Fi routers.
Hackers have built sophisticated tools along with a thriving underground market to go after everything we have,
whether on mobile devices, laptops, file servers, or databases. For most hackers, the target of choice is not a laptop or
a spreadsheet; the target is most often a database with hundreds of millions of records. The hackers may try to break
in through attacks on the network, applications, operating systems, and databases. They primarily target the users
who have legitimate access to those systems. Sometimes, it’s the insiders with deep knowledge of data and defenses
who attack the systems for nefarious gains.
Why are organizations so vulnerable to attacks? Many might say they don’t know where their sensitive data is, where
they are vulnerable, and what the fixes might be. They might also fear that the fixes may break their applications or
that the insiders may exploit the trust placed in them. Too many stop at securing the perimeter, not recognizing how
easily hackers can bypass the network perimeter, get to the databases, and quietly walk away with their data. It is not
surprising that, on average, it takes the victims six months to even know that they have been breached, and it also
isn’t surprising that they typically learn about the breach from customers or law enforcement.
Many information technology, database, and security leaders now realize that securing databases should be one of
their most important goals. After all, in most companies, it is their databases that contain most of the sensitive data
assets. They also acknowledge that while they would never be able to block every path hackers might take, protecting
databases serves their constituents well since every path eventually leads to one.
During the last twenty years, I’ve seen a significant shift in how hackers go after databases. In response, Oracle has
built multiple security technologies for securing data at the source, within the database. We have focused on all pillars
of security: evaluating the risk posture, preventing the attacks, and detecting/alerting malicious behavior. Industry
analysts and security professionals recognize that the Oracle Database provides the industry’s most comprehensive
security.
This book, authored by my Database Security Product Management team, explains in simple terms the adversaries of
today, how they exploit the weaknesses, and how they access your sensitive data. This book is not meant to be a
prescriptive cookbook or a manual but rather a quick study into what every Database or Security Director/VP should
know about the security of Oracle databases. You will learn about multiple assessment, preventive, and detective
security controls for databases so that you can provide high-level guidance to your teams on how to shrink the attack
surface and keep your databases secure.
Breaches are coming faster than we can imagine, and we must be prepared! Your data is your asset, but unless you
protect it well, it could fall into the wrong hands and become a liability. Let’s start by securing the source!
Vipin Samar
Senior Vice President, Oracle Database Security Development
September 2023
From the authors’ desk
As security product managers, we often hear from customers grappling with the challenge of managing security risks
while keeping their databases running 7 * 24. Some were tasked to address a specific compliance requirement or
implement a specific security control, while others were asked to improve the security of their databases. Despite
Oracle’s comprehensive security portfolio, what became evident was the lack of a cohesive strategic approach to
securing databases. What to protect? How? From whom? Recognizing that adversaries rarely adhere to a fixed attack
pattern, we would advocate for a "defense in depth" mindset.
Moreover, we observed that the responsibility for database security was dispersed across different roles within
organizations. Some entrusted DBAs and application administrators with this duty, while others placed it in the hands
of network and system security administrators who might not possess a deep understanding of database architecture
or available tools. This book serves as a security roadmap within the context of the Oracle Database, catering to
security officers, database owners, DBAs, application administrators, system administrators, and security teams.
Instead of presenting a collection of product highlights, we opted for a threat-and-solution perspective. While this
approach may lead to multiple mentions of specific products addressing various threats across chapters, in-depth
product features are readily available on our website.
After reading this technical primer, we hope you’ll gain insight into how the adversaries exploit the vulnerabilities,
what database security controls are available to help you secure your databases, and what risks those controls
address. Please note that this ebook is not intended to replace product documentation or offer any regulatory advice.
Since the initial publication of this book, its scope has expanded from sixty pages to approximately 180 pages. This
expansion mirrors the evolving threat landscape and regulatory environment, as well as the advancements in
database security control and capabilities. We've added an executive summary to help navigate this comprehensive
resource, perhaps the longest “executive summary” you’ve ever seen.
We hope this book broadens your perspective on database security, equips you with actionable insights, and helps
you secure your data.
Angeline Dhanarani
Rich Evans
Hakim Loumi
Russ Lowenthal
Pedro Lopes
Michael Mesaros
Bettina Schaeumer
Peter Wahl
Alan Williams
Nazia Zaidi