Database administrators are spending an increasing amount of time and effort to ensure that their systems comply with one or more regulatory or privacy mandates such as PCI-DSS, Sarbanes-Oxley SAS70 and HIPAA. Regardless of the specific regulations you must satisfy, meeting the requirements demanded by these mandates has become a critical function for most IT managers and database administrators. I suggest a simple approach to reduce the pain and effort involved in satisfying these regulatory requirements by placing the emphasis on the proper configuration and hardening of all your technology components. Although this article is mainly geared toward Oracle DBAs, the strategy applies to system administrators, Oracle E-Business administrators and application developers as well.
Be Proactive: In order to minimize the amount of time you spend on the annual (or sometimes quarterly or biannual) security and compliance related audits, the smart strategy is always to implement a proactive security strategy. What happens in most companies is that the auditing team comes in and sets up shop, and you (and your managers) are waiting anxiously to see what security loopholes the auditors might find and how you're going to mitigate them, either by fixing them directly or by convincing the auditors to accept compensating controls instead to satisfy specific regulatory requirements. If instead, you start by building in security and compliance features right from the time you install, configure and implement your technology stack and applications, you'll find the going a lot easier come audit time.
Create an Organization-Wide Plan: One of the very first things you must do in order to ensure a strong regulatory compliance stance is to create and implement a formal organization-wide security plan. The security plan will include databases and applications, as well as the network, web applications and other critical technology components. In the security plan, you must clearly lay down how you're going to implement various security policies that are designed to ensure compliance with key regulations your company must satisfy. You must include policies relating to access control and authorization as well as any scheduled security related operations such as the periodic changing of passwords, for example. Additionally, you can also include detailed backup and recovery strategies and disaster recovery policies in your security plan. Note that your security plan must contain both the security policies that you intend to follow in order to comply with various regulations, as well as detailed step-by-step implementation plans for each of those security policies.
Let me provide a simple example of how a strong security plan enhances your security and compliance status: Most regulations require that you encrypt credit card numbers in applications such as the Oracle E-Business Suite. Your encryption policy can state that the encryption keys must be rotated every three months. The security plan must provide the schedules for the rotation of the encryption keys as well as the exact steps necessary to implement the policy.
Use Oracle Best Practice Recommendations: Possibly the best thing you can do to enhance database and application security, as well as your compliance readiness, is to simply start off by implementing Oracle's best practice recommendations. You can find the latest Oracle best practice recommendations for the Oracle E-Business Suite, for example, by going to Oracle's Metalink and checking out the document titled "Best Practices for Securing Oracle E-Business Suite Release 12" (Metalink Note 403537.1). As comprehensive as Oracle's best practice recommendations are, there is sometimes a possibility of finding dated information as well as a narrowly scoped security recommendation. In order to tighten down security and enhance compliance with regulations, you probably are better off going the extra mile by studying other security guidelines and checklists such as those offered at www.cisecurity.org and www.checklist20.com.
I can already hear some of you yawning, thinking to yourself that you're aware of all the best practice recommendations, but you're looking for some serious security guidelines. The truth is that a vast majority of companies fall well short of Oracle's best practice recommendations. Database and system administrators have too much on their plates and work under tight deadlines and are judged by how well the applications perform and how functional the system is from the end users' point of view. Security and compliance is almost never the most (or even the second, third or fourth most) important goal when designing and implementing new systems. I can assure you that once you truly pay attention to the available best practices and implement your systems as closely as possible to the suggested guidelines, you are indeed on a very firm ground regarding numerous security configurations that have a direct bearing on compliance. These configuration items include those dealing with database hardening, default user accounts and what to do with them, UNIX and Windows file permissions, access permissions and privileges and numerous other critical security related policies. Many regulations require that you implement separation of duties in your applications — the Oracle best practice list covers this, as well other key compliance related issues such as the auditing of E-Business Suite application activity, by showing you how to implement Oracle application auditing.
Implement what you have access to: After you harden your systems and applications by following Oracle's best practices, you can turn to the built-in Oracle security features. These are features that you've already paid for and most of these are very easy to set up. You can dynamically control and limit user privileges to modify data based on the specific environment of each user by implementing Oracle's Virtual Private Database in your applications. If protecting yourself from potential internal threats is a high priority, you can use Oracle's auditing capabilities to audit various types of user activity, such as logons and logoffs, accessing of critical data and the use of critical system privileges. You can additionally deploy the built-in Oracle Fine Grained Auditing (FGA) policies to control user activity within your database. You probably are already aware that implementation of policies such as FGA satisfies several regulatory compliance requirements.
Due to heavy workloads as well as a lack of understanding of key regulations, most companies leave virtually all of their test and development databases and applications in a state of benign neglect, as far as security goes. But the fact is that regulators really don't care where exactly you're storing critical data such as customer credit card numbers. Regardless of the nature of the database (production or test), the regulations require that you encrypt key data. In light of this, place an equal emphasis on securing data in the test and development databases as you place on securing your production data — the data is exactly the same in almost all cases.
Use Oracle Options: In addition to taking advantage of built-in Oracle security features, you might also want to consider purchasing Oracle options such as Oracle Advanced Security and Oracle Data masking, for example. Oracle Advanced Security helps you encrypt data at the column or even the tablespace level. You can also employ this option to encrypt data passing through the network. You can employ Oracle Data masking to mask personally identifiable data such as credit card numbers. This capability comes in very handy to quickly obfuscate key data when you clone test databases from your production databases.
Similarly, Oracle Database Vault helps you protect your data from misuse by privileged internal users such as database administrators. Oracle Audit Vault helps you centrally manage your audit strategy and provides features such as an audit data warehouse and dramatically simplifies compliance reporting.
Whether you choose to use Oracle or another software vendor, database security and compliance should not go unnoticed, as it is a critical function within any organization.
Sam Alapati, Senior Technical Director at Miro Consulting Inc., is a bestselling author of eight Oracle DBA books, including several Oracle Certification guides published by Oracle Press. Alapati is considered a renowned expert on Oracle database technology. He has also taught Oracle DBA and UNIX system administration classes at various technical training institutes. During his career he has helped companies save hundreds of millions of dollars by restructuring and managing their database systems. Most recently, Alapati worked as the Lead Oracle Database Manager at Boy Scouts of America where he managed the organization's databases nationwide. Prior to that, he held Oracle Database Administrator positions at Blanch Insurance Group, Sabre and AT&T/Lucent. Additionally, Alapati was a Senior Principal Consultant with Oracle where he managed critical support systems for Lehman Brothers. Alapati holds a Ph.D. in Economics from Kansas State University and conducted post-doctoral research in Information Systems at the University of Texas at Austin. He currently resides in Dallas.