Webinar Recording

Database Governance - How to Put the Right Controls in Place to Protect Your Data



Kuppinger Cole Webinar recording

Good afternoon, ladies and gentlemen, this is Martin Kuppinger of KuppingerCole. Welcome to our KuppingerCole webinar "Database Governance: How to Put the Right Controls in Place to Protect Your Data". This webinar will have presentations by me, Martin Kuppinger, and by Roxana Bradescu from Oracle. This webinar is supported by Oracle. Before we start, some short information about KuppingerCole: KuppingerCole is an analyst company focusing on enterprise IT research, advisory, decision support and networking for IT professionals, through our subscription services, advisory services and events. Our main events are the European Identity Conference and the Cloud conference, both held early in May, 10th to 13th of May 2011, in Munich; all the information is available at our website. Another thing I'd like to inform you about is that there is a new research note out from KuppingerCole, which is on database governance. It has been published today, defining database governance, writing about the elements of database governance and covering the trends in database governance.

You can find that research note at our website, www.kuppingercole.com/reports. So before we start, a little bit of housekeeping. It's a webinar, so we will give you two presentations. You are muted centrally, so you don't have to mute or unmute yourself; we can control these features and we do it. We will record the webinar, so the recording is running right now. If you don't feel comfortable with that, please leave at that point of time. But as I said, we will do a recording. The recording will usually be available the next business day, so tomorrow, and it'll be at our website, so you can then access it, forward the link to your colleagues and all that type of things. Q&A will be at the end of the webinar; you can ask questions using the Q&A tool at any time. We will pick up the questions at the end or, in some cases where appropriate, maybe also during the webinar.

So if you look at the right side, there's a GoToWebinar control panel. There's an area "Questions", and there you can enter your questions. And as I said, we will pick up the questions at the end of the webinar. However, my recommendation is, once a question comes to your mind, best is to enter that question at that point of time, so that we have a comprehensive list of questions when we start our Q&A session. Okay, right now let's have a look at the agenda. As I've said, there are two speakers today, which is me, Martin Kuppinger. I will talk about database governance and how database governance should be defined, what it consists of, what are the elements, what are trends in database governance. The second part then will be done by Roxana Bradescu of Oracle. She'll talk about how to implement database governance in practice.

She also will show, I think, some very interesting numbers about why we really should focus on database governance, and part three finally will be the Q&A session, as I've said before. So don't forget to enter your questions once they come to your mind. My part will take approximately 20 minutes. The part of Roxana will also take roughly 25 minutes, so that we have some time for the Q&A session at the end. Database governance. When I started talking and thinking about this webinar and the title, I also started doing a lot of research on this. And the interesting point is, there isn't a definition, or hasn't been a definition out there, for database governance. However, we have a lot of governance areas. So we have SOA governance, we have access governance, we have corporate governance, we have IT governance.
So we have a lot of areas of governance, but we didn't have something around database governance. On the other hand, if you look at reality, we see that there are a lot of incidents around databases: personal information being stolen, tax data and so on. And that's, I think, a situation where we really need to think about this area of database governance. So what does database governance mean? It's a set of policies, procedures, practices and organizational structures to ensure the execution of database-related activities according to defined strategies and controls. So it's a set of different things: the policies, which describe how we deal with data and databases; the procedures, how to do it in practice; the practice itself, how to implement it, how to look at, let's say, the technical aspects and the organizational aspects; and finally the organizational structure. So all these things, the policies and all that type of things, don't work if we don't have the appropriate organizational structure in place, and we have to do it in a way that it works according to the strategies and controls we have defined, we have defined for IT governance, for security and, at a higher level, also for data, for corporate governance.

One question I'd like to pick up before I go to the next slide: the slides will be available later. So we'll make the slides available as PDFs together with the webinar recording, so that you can access them latest tomorrow. So you don't have to write everything down. So, if we go back to database governance, we have this area of complete governance and protection, to look at all layers. So if we look at what we are doing, we do a lot of things around access governance, so who has access, for example, at the operating system layer, at the application layer. We look at it from a security perspective, we do a lot of things around the network and the system. We do a lot of things, if you look at applications, for example for ERP systems, for CRM systems, with the specific security and protection approaches we are following there. But what we also have observed in several projects, and I think it's a very interesting point to observe, is that there are a lot of situations where people have very good protection at the level of their enterprise business systems, they do a lot around the operating system, do a lot around the network, but they don't do much around the database, and frequently they also don't do that much around business analytics. So I think that's a very, very interesting situation we are facing here, and looking at databases as well, I think, is a very important thing. So if you really look at many of the incidents, then companies obviously had protected some part of their environment, but it didn't cover all layers, and it is still a frequent situation that the database isn't as much in the focus of governance as it should be.

So when I put database governance into context, then it's one part of a strategy which covers a lot of areas within our overall governance and security initiatives. Starting at the upper left edge, we have the high level thing of corporate governance. So these are things where we have our general policies, our book of rules, where we are looking at strategic risks, so where we really are looking at the entire thing from a very high level perspective. The next layer then is business GRC, where we're looking at operational risks, process and risk controls, at CCM, or continuous controls monitoring. The next thing then is IT GRC. And we need IT GRC, also we need IT GRC in a tight integration with business GRC and following the high level policies and expectations from corporate governance. And within IT GRC, we have various established areas like access governance, like our classical security management. We are looking at IT risk. And when we are looking at IT risk, we also have to cover the area of database governance. And then we have the supporting technologies, and amongst these supporting technologies, to help us to achieve governance, to really implement governance, to do what we really need to do there, we have things like provisioning technologies, access governance technologies, SIEM, or database security. And it's very obvious that database governance and database security are tightly related. However, you'll see later on that database security tools themselves don't make up database governance. Database governance is more; it's about the policies, it's about the procedures, the organizational structures, the entire big picture, and database security is technology which supports us in doing this. By the way, GRC is a term which is used for governance, risk management and compliance.
So the overall approach, which focuses on governance and fulfilling regulatory compliance, doing risk management. Moving forward, what are our objectives for database governance? It's availability: do we have the data available? We have integrity: is the data correct, is it unchanged? The traceability: who has done what with which type of data? The authenticity, so the question about: are the people or the systems changing data authenticated, are they the ones we expect to do this change? Confidentiality, a very important thing. So if you look at the WikiLeaks thing, they obviously had a problem with defining, let's say, a fine-grained confidentiality approach, because, yeah, it was just confidential, and one person could access everything. There was nothing which was sort of fine-grained. We need confidentiality as a very important thing, and we have to look at privacy. So we have to enforce our privacy policies, our privacy controls when looking at database governance, because I think all of you know it, a lot of the data we have in databases is PII, personally identifiable information. So these are in fact the higher level objectives we are following when we're looking at database governance, and a database governance concept has to implement policies to enforce the rules to achieve these objectives.

Moving forward, then it's also very important to understand that it's not only about data at rest. So in common language there is data at rest, data in motion and data in use. And if you look at a database governance approach, it's not only about having this data in the database itself. It's also about how we export, or what happens when we export data. We frequently lose control of data once we have created a CSV file, so an export file or something like this, once we have brought it into a business analytics tool, and we are then losing control of that information. We have the data in motion, which is data flowing across a network or being on another type of device. And we have data in use, used in an application, used in business analytics. And from my perspective, we really should focus on all use cases when looking at our database governance approach. So not only looking at: is the data secure once it is in a database; it's about: will the data remain secure once it has left the database. And so a database governance concept should really focus on all these use cases.

We should also look at it from different angles. So one of the very important things we have to cover is that we should enforce database governance with respect to all stages we have within our database environment. So we have development, we have test, we have production. A typical issue is that people are looking much at their production environment, but they have PII available in the test environment, which usually doesn't meet any regulatory standard. They have the same in the development area. So we need to ensure that all these stages are secured in a consistent way. As the second pillar, we have the users, which means, when looking at database governance, it's about looking at the standard users, so the user who is accessing the database; it's looking at the privileged users, so the human ones who are accessing it, database administrators for example, but it might be also system administrators, which have high level access to the systems the databases are running on. And we have, on the other hand, the technical users, which are, I think, especially with respect to databases, very, very important. So when you look at databases, we have a lot of access based on technical users, which are privileged because they are accessing data for a lot of different people. And for sure, database governance has to cover this, and also to define, for example, when technical users are allowed and when not. And my recommendation, I've given a lot of webinars around security and secure application development, one of the things is that avoiding technical users is always a pretty good practice, because it reduces a lot of problems you might have here. And it's about security. So database governance is about managing security, it's about monitoring security. And so these are as well, from my perspective, very important things. So database governance is a broad field. It's a field which has a lot of layers, from the organizational and overall process definition down to the technical aspects.
And it also has to cover virtually every part within the life of a database environment. So development, test, production, all types of users, and not only management but also monitoring of security. So when I use sort of a process perspective on database governance, at the upper level I have the monitoring. So I monitor my defined controls. The first step always is to define controls: to define which controls shall we use, what should we do, so how do we implement our policies? Then we have these control activities: defining the controls, sometimes having manual controls where we have to enter data manually, ensuring that the controls are implemented correctly and executed correctly. We have the area of risk assessment, so understanding what are the risks associated with controls, so where to really look at. And I think that's also a very important thing, because frequently we don't have a, let's say, differentiated view of different types of data within a database. We have to understand which, let's say, level of risk applies to which type of data, to which instance of databases, to which part within an instance of a database and so on. And we have to have a database security infrastructure as the foundation to really be able to enforce our policies, to enforce our controls within that environment.

And when looking at these policies and controls, how do these things relate? So one important thing is obvious. You should start, from my perspective, with sort of a book of rules. So it's about really having the high level rules and policies which are the foundation for your database governance approach. They are, or they have to be, in sync with the overall policies you have defined for your IT governance, for your corporate governance. Going down there, you have the controls derived from that. I think it's also pretty interesting: we have a very interesting report out there at our website which defines the GRC reference architecture. And I think that's very helpful when you're thinking about, let's say, the organizational framework for database governance, because the fundamental principles of implementing such an approach are already defined within there. So we have the book of rules, we have the controls, we need to implement processes ensuring that these controls are implemented and executed correctly.

And that means also we need the organization, so we need to have this framework. And we need to have, that's the other side of it, something we will talk a lot more about, we need to have technologies for database governance in place, which means we need to have database management systems and the technical features within these systems, like logging, like authentication, access management. So that's sort of the foundation, because there is a lot of security in there. We have the database security tools for additional security requirements, like database firewalls, masking tools and others. We have to look at privileged user, identity, account or access management tools, so PxM tools, which are general purpose and support every type of administrator, roots and so on, or specific tools for databases, to ensure that privileged users are under control. We have identity provisioning to provide user and access control information to the database management system, so ensuring that if a new user is created, there is also, if necessary, an account created within a database management system. We have the enterprise GRC tools to integrate all the controls we have into our big framework, so integrating it into our overall risk management strategies and all that kind of things. And we have access governance, which is a specific set of tools which is focused more on reviews of existing access controls, not only in databases but in any system, and in that case, with respect to database governance, it's about looking at access control in database management systems. Finally, we have tools like SIEM, security information and event management, or enterprise log management, to analyze our security events and log files. So database governance is not one tool, but it's also not that you have to use all these tools at the same point of time.

You don't have to implement everything at the same point of time, for sure not. It's about understanding: okay, I have specific policies, I have specific rules, specific controls, and I need specific tools to implement them according to the risk associated with them. So the things most at risk, the most important things, have to be supported first. And like I've said at the beginning, it's also about understanding that it's not only about having technology. It's about having all the processes in place around the technology to really make this work. Otherwise, you don't exactly know why you are doing specific things. You might have a good feeling about why do I do this database security thing, and why do I do that? But integrating it into a larger controls framework is a very important thing to do. And so, my final slide for today, and as I said, there's a research note, and there's definitely a lot of things to talk about around database governance.
The last slide for today is a little bit about future trends and requirements. So I think one important thing is that we move from a technical approach on database security to database governance, so supporting, let's say, more a controls-oriented view: really understanding, okay, what are the things we have to keep under control, where we have to look at, what we have to audit, and do we meet our requirements? Do we meet the baselines for doing that thing? And do we meet our thresholds? And really understanding the things from a controls-oriented view. Another very important thing is integration with other GRC technology. So database governance is one part of our access control, one part of our security, and we have to have a look at the entire big picture, because databases are built on top of operating systems. They are communicating via the network, they are used by applications. And we have to have a big view on this, also not only from an IT but also from a business perspective. I think a very interesting point will be how we deal with the situation that data leaves the database. So we might have very good policies in place in our database, saying, okay, marketing is allowed to do that or that with this data. Once the data leaves, we usually lose that policy. So we will need standards to, let's say, stick these policies directly to the data, have them flowing with the data and having applications enforcing that, to ensure that these policies are always enforced. You might have a look at my blog at kuppingercole.com, where I've recently written about that topic. We might also consider really doing encryption of data based on access control.

So sort of what information rights management covers for documents today, applied to structured data; that would be broadly the very long term solution. However, what we definitely have to do is, we have to understand it's not only about security technology. Technology is very important, but we should understand that we have to put a framework around this which really defines the policies, the rules, the organization, the processes to correctly deal with databases or data within databases. That's what database governance is about. It's the picture around the technical aspects of security. And right now I'm done with my part of the presentation. I will hand over to Roxana right now and make her presenter. And she will then, in the second part, talk about how to implement database governance in practice. So we will directly continue with Roxana.
Okay. Thank you, Martin. I'm going through; hopefully everyone can see my presentation at this point.
Yes.
Good. Thank you very much. So thank you, Martin. I'm Roxana Bradescu and I'm responsible for database security product marketing here at Oracle, and for the remainder of the webcast we're gonna look at Oracle database security solutions for implementing some of the database governance principles that Martin talked about. So first off, I'm gonna start off with: why is database governance so important? Well, two thirds of sensitive and regulated data in most organizations resides in their databases. And what we've seen is that that amount of data actually doubles every year, right? Which isn't really surprising, as more and more of our business processes are becoming automated. So think about all of the things that you used to do with paper, right? All of those things have been turned into applications. All of that data ends up residing in your database.

So two thirds of the data that we really need to look at from a governance standpoint is actually residing in our databases. Now, the other disturbing statistic along with that is that over 900 million records, so that's almost a billion records, have been breached over the past few years, and that's been the result of compromised database servers, right? So 90% plus, 92% of that data originated from database servers. By comparison, which is a very interesting contrast, we see that endpoint devices, so like a desktop computer for example, were responsible for less than 1% of the breached records that are out there. Right. And if you think about it, think about how many controls and how much security we put on an average desktop or laptop. You know, most of us have file encryption, right? We have disk encryption, we have personal firewalls, we have antivirus software, right?

So there's a lot of controls and a lot of security that's put on these end user devices, even though at the end of the day most of these devices don't really have a lot of data on them. You know, I don't have the social security numbers or the credit card numbers of everybody at Oracle on my laptop. Right. But there's the database server that does. Right. So it's important to make sure that those database servers have the right level of security around them to prevent these kinds of breaches. And a breach to me is really a breakdown in controls. Right. And as we see, exactly when we look at the Verizon data breach report, okay, how did these breaches occur? Really, the attackers are exploiting a lack of controls around data and database infrastructure, right?

So 48%, almost half, involved privileged misuse, right? So essentially an authorization issue. 40% of attacks had hacking associated with them. But when we drill down into that, we see that that's actually stolen credentials, which were responsible for about 90% of the records, as was SQL injection, which is really just, again, a technique for privilege escalation, right? We're essentially, somebody's gonna bypass some controls, and we're gonna talk about that later in the presentation, to perform something that they're not really authorized to do. Then we've got things like malware, typically again just used for stealing credentials and then using those credentials to perform unauthorized operations, really privileged misuse. Right? So those two things are really the top areas, which is privileged misuse, which is really a breakdown of controls. So what is the state of database governance today? Quite frankly, it's bad.
So according to the 2010 IOUG Data Security Report, and what that is, is Oracle sponsors every year a security survey among the Independent Oracle Users Group, and we ask a number of questions, and here's just a summary of some quick results, right? So less than 30%, we found, are encrypting sensitive data in all their databases. So what that means is that there's really nothing to bypass; there's nothing preventing somebody from bypassing the database. So someone can go to the operating system level, open up a file and see that data, or tamper with that data, right directly at the operating system level using an editor. And this is despite all the regulations that we have out there today calling for data at rest encryption; we still see that less than a third of users are uniformly encrypting sensitive data in all their databases. Less than a quarter can prevent a privileged database user from reading or modifying data.

Again, another key control, right, that should be in place: preventing either a DBA or anybody with privileged database access, which could be an application user, right, so essentially the account that an application will connect to the database with. Less than half, you know, allow database users to access data directly. That means that if I have a spreadsheet on my desktop with ODBC, right, I can use that spreadsheet to attach directly to the database, or I can use a SQL developer tool. And again, I would be bypassing any security controls that are in the application. So these are all essentially ways in which people can circumvent controls, right? Less than 70% can detect if database users are abusing privileges. So essentially there's no one watching; people can perform unauthorized activities undetected. 66% were unsure if applications were subject to SQL injection. Injection attacks are basically ways in which somebody can inject unauthorized SQL statements into an application, essentially hijacking that application and having it do unauthorized activities.

Again, an example of unauthorized access, privilege abuse, that kind of thing. Close to 50% are actually copying sensitive production data to non-production environments, which means that the data can be accessed by developers, by testers, typically pretty much anyone in the organization, since the development environment tends to not have a lot of controls, right? So essentially what we find is that there are very little controls in place, and you guys can go read, the report is available on oracle.com, you can read the entire report, but fundamentally there's not a lot of controls out there around database infrastructure and data, right? So what we're gonna look at for the remainder of the presentation is what tools can we put in place to essentially have the controls that are needed to have database governance, right? As Martin put it, there's a lot more to governance than just the technology piece, but the key piece is controls, right?
Because we can have all the policies in place, but unless we have controls to actually implement and enforce those policies, we're not getting anywhere. Right? So the first thing we're gonna look at is preventing unauthorized database access initially and upfront, and the Oracle Database Firewall provides the first line of defense. And it looks like there's a typo on that slide, but it's just the Oracle Database Firewall, which is really gonna be your first line of defense. It sits between your application servers and your database, and it's monitoring database traffic. So it's able to detect unauthorized database access, things like SQL injection, which will look like an unauthorized SQL statement, privilege or role escalation, illegal access to sensitive data, and it can perform any number of different enforcement options. So we can block that activity, we can potentially allow it and log it, or we can substitute it, depending on what the policies are. Now, the way the database firewall works is it actually analyzes the SQL grammar of the incoming traffic against the set of policies. So what that means is that you don't have any false positives, right? You essentially have a whitelist and blacklist approach. So for the whitelist, essentially you set up a baseline for your applications, and anything that's on that whitelist is allowed to go through. So you don't end up with any false positives, which would actually disrupt your business, and that goes back to that first point that Martin made, that one of the most important aspects of governance is also availability, right? It doesn't help if we have lots of controls but, as a result of that, none of our data is available. So we wanna make sure that we put controls in place that are highly accurate, that don't disrupt the business. The enforcement options, because we're analyzing SQL grammar statements, also allow us to be very flexible in how we enforce.

So one of the very important enforcement options is actually substitution. So what that means is, let's say you do see a statement that looks like SQL injection, right? It doesn't match an authorized statement. Well, you can replace that with a statement that essentially returns no data. What that means is that there's no disruption to your application; the application won't block, but the attacker, the person who's trying to get that data, isn't gonna get anything back, right? So there's very flexible ways in which you can enforce these policies, because we are actually operating at this level. And it's also a very scalable architecture, so that you can deploy it in any kind of enterprise environment with large and small databases, both inline and out-of-band. And it also works with Oracle and non-Oracle databases. So that's an important point to make here: this is really your first line of defense and can block threats from reaching any of your enterprise databases. And it's got a number of built-in and custom reports and dashboards for SOX, PCI and other kinds of regulations.

The next thing we're gonna look at is enforcing database security controls, right? So we have a number of controls, which I'm gonna talk about in a moment, within the database itself. Right. But what if we wanna make sure that people can't access data outside the database, right? So they can't bypass the database controls and just access data directly at the operating system level, or by eavesdropping on the network, right, or again a backup tape. Right. So essentially we need to make sure that the controls that are in the database are enforced even when the data leaves the database.
Right? So the way we do that is with encryption, right? As Martin mentioned earlier, and with Oracle advanced security, it's a complete encryption solution that addresses data rest to prevent, you know, to prevent somebody from being able to access data at the operating system level, the data also stays encrypted when it's backed up or exported. So again, you, you deal with, you know, if your backup falls into the long hands, your database security controls are still in place, right? The data's encrypted, no one can read that data. We call the feature transparent data encryption. And the reason for that is because really, as I mentioned earlier, the goal here isn't really access control, right? So the goal isn't to provide access control to database users, the goal is really to prevent somebody from bypassing the database. So what that means is that any authenticated and authorized database user is actually going to give back clear text data, right?
So the encryption operations are transparent to them. The encryption happens within the Oracle database kernel as the data is written to and read from disk, so essentially there are no changes to the application. An application user, or any authorized database user, isn't even going to know that the data was encrypted, because that's where the access control mechanisms within the database come into play. Advanced Security also includes built-in two-tier key management, which allows for separation of duties, another key concept in most of governance: making sure that we have separation of duties. It also supports centralized key management using HSMs or key management systems, which allow for even greater separation of duties. So for example, if you wanted to do multiple secret sharing, all of those capabilities are also available in an HSM or KMS type of solution as well.
The other thing that's included in Oracle Advanced Security is strong authentication of database users for greater identity assurance. Again, one of the key things is knowing who our users are. We know from the Verizon Data Breach Investigations Report that one of the key ways controls break down is through stolen credentials. Somebody steals the credential and all of a sudden they've become your database administrator; they call up, run social engineering attacks, and manage to get those credentials. So we want to be able to ensure the assurance of our users, and the way we do that is with strong authentication techniques like PKI and one-time passwords. We support a RADIUS interface, which allows you to plug in multiple authentication mechanisms. There's also Kerberos supported natively and PKI supported natively. So again, very important to do that from a user integrity standpoint. The next control we're going to look at is enforcing application security controls.
The same way that we want to make sure that people can't bypass the controls within the database, we want to make sure that people can't bypass the controls within the application. Within a typical application, let's say I've got a number of controls in place. Let's say we're dealing with an HR application. One of the controls in the application is that a manager can see all the data, but a regular employee can only see their own salary information, let's say. But if somebody connects directly to the database, as I mentioned earlier, they're bypassing those application-level controls. So with Oracle Database Vault, there are two things that we can do. The first thing is that we can set up what's called a realm to protect application data from any users, including privileged users.
Because again, privileged users are another type of bypass from an application. When I'm building my application, I've got my security controls in the application, and those should apply to the database administrator as well. The database administrator shouldn't necessarily be able to see the application data that's stored in that database if they're not an authorized application user. So we can set up that level of control with a realm. A realm allows us more fine-grained privileges around the various database objects at the schema level. We can also store procedures in there to prevent somebody from tampering with applications, and it also allows us to set up policies that prevent even a database administrator from being able to see the data in the database that they're managing. So again, we've got two key concepts here, least privilege and separation of duties, both very key from a governance standpoint, that we can enforce using Database Vault realms and also what's called command rules. Command rules allow us to put in policies that reflect how the data's being accessed and what application is being used; that's what prevents application bypass. Things like time of day: we can even put in policies, for example, to require two DBAs to be present to perform certain kinds of operations. It also allows securely consolidating application data or enabling multi-tenant data management, because we can put in place these kinds of controls to essentially limit what people can do within the database. So this is our access control and our controls within the database itself.
We can also use user clearance levels to manage access to data. Going back to what's now become the famous WikiLeaks: essentially we can have a mechanism for labeling specific rows in the database, where we could say this is public information, this is confidential, and this is very sensitive information. We can then apply clearance levels to our users. So anybody who doesn't have sensitive clearance would automatically not be able to get back data that's marked as sensitive. This is all done very transparently, and the user wouldn't even know that they're not seeing all of the data. So for example, if I only have public access to specific data and I did a select against a specific table, the database automatically mediates that access and won't return to me the rows that have been marked sensitive.
So essentially it's transparent row-level access control. The user classification can be managed through the Oracle Identity Management suite, so it's easy to manage that centrally, and the classification labels can also be used as factors in other policies. For example, we can also look at the clearance level of a user when we're looking at our Database Vault command rules and policies. The next thing we really want to look at from a control standpoint is tracking sensitive application data changes. This is a requirement in many data privacy regulations, especially in the EU. So we want to be able to track whenever sensitive data has changed. With Oracle Total Recall, you can automate change tracking within the Oracle database. Essentially, before and after values are automatically captured, and they're stored very efficiently in a tamper-resistant area within the database itself.
What that means is that we now have real-time access to that historical application data using what's called Flashback SQL. You can see an example there of what it looks like, but it fundamentally looks like SQL with this AS OF TIMESTAMP clause. It would return, for example, all of the changes that were made by admin within this particular range. This is very useful for forensics, for recovery, and for being able to prove to an auditor when your data was changed. So very, very important. And all of this is done automatically; you don't have to go through your redo logs or anything like that. It's automatic, and it's available in real time in a very useful interface. Now, the next thing we want to do is audit database activity. In addition to preventive controls, we also want to have detective controls, and database audits are just incredibly valuable.
Now we want to be able to do them in real time. One of the things we saw in our IOUG survey is that 70% of Oracle users do have database auditing turned on, but nobody's looking at the data; most of the time it's actually being left either in the database or on the system, potentially subject to tampering. So we want to be able to take that audit data, consolidate it in real time into a centralized repository, and actually analyze it in real time. As we're putting it into the repository, we actually want to look at it, and if we detect any kind of suspicious activity, we want to be able to monitor somebody. Now, it's important to also look at privileged users again. Unfortunately, not that there's anything specifically to mistrust about privileged users, but privileged users do have a lot of power in organizations.
So most governance requirements actually require us to look at and be able to prove that privileged users aren't abusing their privileges. So we can detect on that as well; you can, for example, set up some sort of alerting on your privileged users, including application users. There are also out-of-the-box compliance reports to address requirements for SOX, PCI and other kinds of regulations. Examples of these would be privileged user audit, entitlements, failed logins and regulated data access. Like I said, we didn't get into the entire IOUG report here, but one of the key findings is that less than 30% of users are actually looking at who's reading and writing sensitive data. We don't know who's reading it, we don't know who's writing it. That's definitely something we should be auditing. So we want to be able to look at all of those kinds of things, and we want to be able to look at it across all of our databases.
So with Oracle Audit Vault, again, this is a solution that supports Oracle and non-Oracle databases, so that we can get this consolidated view across all of our enterprise databases and really all of our enterprise applications. It's really being able to see the HR database, the CRM database, ERP, and so on. We want to have that audit all consolidated and be able to see reports across all of these different databases. Now, we can also streamline the audit process with report generation. We can automatically say, I want to see this report generated every day; I want to see my privileged user report every day; I want to be notified that the report is available. Then an IT auditor can go in and attest to that report, and it's automatically archived. What that means matters because, typically today, most organizations conduct a database audit maybe on a yearly basis.
I mean, quite frankly, many of them don't do it at all, or do it very ad hoc, if an auditor shows up and says, hey, we need to audit the database. But using Oracle Audit Vault, you can completely streamline that audit process and automate it to where you're doing a database audit on a daily or weekly basis. Plus, on top of that, you've got the alerts that are coming in that can tell you if there's anything suspicious. So it's very important to audit database activity. Now, the next thing we want to look at from a control standpoint is monitoring the entire database environment, and we want to make sure that we prevent drift. There are many regulations that call for this, essentially keeping tight controls over our IT environment. So things like the COBIT framework and SAS 70 requirements call for that as well.
So we want to be able to do a number of things in terms of our entire database environment. We want to be able to discover and classify our databases. Many organizations are very surprised when they run this specific tool and discover databases that they didn't know they had. Typically a department may throw up an application and there might be a database associated with it, and the IT department never really knew about it. We want to be able to classify the databases into policy groups: what are our key databases, and what are our less key databases? And we want to scan these databases against common policies and frameworks, so for example CIS, COBIT type of things. We want to use best practices, industry standards, and also anything that's enterprise specific. So this library of policies can also be customized to specific configuration policies.
Now, the most important thing in this is that once we've secured our environment, we want to make sure that it stays that way. The biggest issue is typically drift in most organizations. We secure the environment, we set everything up right, but then what if somebody does something? We set up permissions and ownership on our files properly, but someone needs to do something, they change permissions on some file, and they forget to change it back. So we want to make sure that we can detect and potentially even prevent any kind of unauthorized database changes. There are also, in configuration management, all kinds of dashboards and compliance reports to help you detect that. There's also an automated trouble-ticketing interface that allows you to create a ticket if you discover that something has changed, so that somebody can go in and investigate. The last control we're going to look at today is removing sensitive data from production environments.
Again, there are many regulations, for example in the US our telecommunications regulations, that specifically call for not using live data for non-production use; PCI is another example of that. But how do we test our applications? We need to have realistic data for testing and development purposes. The way we want to do that is by masking that data. Masking allows us to make application data securely available in a non-production environment, and it prevents application developers from not just seeing production data but potentially accessing the production environment. A lot of times we get developers saying, oh, I really need to go into the production environment, because that's the only place I can see the data. Well, with masking we can create a complete database that doesn't contain any sensitive information. There's an extensive policy library of templates and policies to automate the masking.
So we can basically say we want to replace this particular name with a name out of an existing name database. We want to be able to replace a social security number with a number that has the same characteristics; in our case, for example, the first three digits indicated the state in which it was issued. So all of those kinds of things, and most importantly referential integrity: we want to make sure that if we mask a social security number in a particular way in one table, we mask that particular social security number consistently in all the tables, so that if the application were to aggregate data based on that social security number, it would continue to work. With Oracle Data Masking, those kinds of constraints are automatically detected as foreign key constraints, so we can actually go in and do that masking consistently.
In addition to that, you can also specify other kinds of constraints that are application specific, so that you can be sure that the data set that gets generated will work with your applications. So that's pretty much all I have for today. Just to quickly wrap up: we refer to this as database defense in depth, or really controls in depth as well. What we offer is a complete portfolio of solutions that allow you to put in place the controls that are needed to essentially enforce your database governance policies. It's a comprehensive set of solutions, and they're integrated with your Oracle database where they need to be. So for example, things like encryption and things like privileged user controls really have to be done within the database. We support non-Oracle databases when we're essentially dealing with controls outside the database, like Database Firewall and Audit Vault.
So those kinds of controls that live outside the database support Oracle and non-Oracle databases, and they're very easy to deploy. Essentially all of the solutions we talked about today have point-and-click interfaces and really require no changes to your existing applications, because essentially we're adding controls at the database level. And of course, these are proven solutions. As I'm sure all of you know, Oracle is the leading vendor, and we have a number of large customers that have deployed many of these controls in regulated industries today. And obviously, based on the studies, there are a lot more organizations that need to do this. For more information on the materials that I presented today, you can go to oracle.com/database/security. With that, we can go to questions. You also have my email address on the Q and A in case there's anything we don't get to today that's specific to Oracle; feel free to send me an email message. And thank you. I turn it over.
Thank you. So please, your questions. We have several questions in there, so we can directly start with the Q and A session. I think the first question is one I'd like to pick because it's from my part of the presentation: which ISO standards are used to define the areas of database governance? If you look at different ISO standards, there's no one standard or single standard which truly focuses on database governance itself. However, I think it's helpful to follow the usual suspects amongst all these standards. So looking at the COBIT standard, which I really like in that area, but also ISO 20000, 27001, 31000 and 38500, which are around, in that order, security, risk management and governance. So I think those are probably the best places to start when looking at that type of standard. That's the first question I'd like to pick, and Roxana, feel free, if you have some additions to any of my answers, to directly enter. But I think there are also a lot of very specific database questions. The next one, I think...
I was just going to add to that, really briefly. Yes, I think what we find is that, regardless of what framework you use, whether it's 27001 or whether it's COBIT, or even specific requirements like PCI or SOX in North America, a lot of the controls, when you get down to the control level, tend to be the same. All of these ultimately come down to: are you managing privileged user access? Are you auditing? So when you start getting to the control standpoint, many of the controls and many of the reporting requirements you'll find are actually very similar.
Yes, and frequently it's just about really implementing what is a good or best practice. Exactly. So really following your good sense helps in these areas, without killing yourself with exactly following very complex standards. Okay, but moving forward to the next question, one you best answer: what is the overhead for the firewall, so the database firewall in that case, performing a SQL analysis for each application connecting to hundreds of databases?
That's an excellent question. This is sort of where the special sauce comes in. What we do in the Database Firewall is we take the policies, and really when you're talking about a whitelist, a baseline of allowed SQL, you can have literally thousands of policies, especially if you're dealing with a consolidated environment where you have multiple applications going against the same database. What we're able to do is take those SQL statements and reduce them to a very small number of characteristics, what we call SQL clusters, so that essentially the incoming traffic is evaluated against those policies in constant time. It doesn't matter how many policies you have, we're able to evaluate them in constant time. Also, the Database Firewall is a software appliance, so we're not bound to a specific hardware configuration. It's what we call a fully stacked appliance: it comes with Oracle Enterprise Linux included and the Database Firewall software itself. You deploy it on any size Intel platform that you need in order to support the traffic that's coming in. With the right kind of hardware, you can get this to near wire-speed performance, so we see very little latency introduced by deploying the Database Firewall in inline mode.
Okay. Maybe I try to remind you again: as I've mentioned before, both presentations will be available for download as PDF versions tomorrow at the link to the webinar. So if you go to kuppingercole.com, you'll find the link to this webinar, and the PDFs and the recording will be available there, including for sure all the links and email addresses we have shown during the webinar. That's probably the easiest way to access that information later on. So the next question: you've mentioned IOUG; how to join the IOUG?
You can go to the Independent Oracle User Group. I believe ioug.org is the website, and you have lots of information there on how to join that organization. It's a great organization, with a big presence in Europe; I'm sure all of you will find it very useful. I think they just finished, I believe, their largest conference in Europe, which was in the UK very recently. But just go to ioug.org.
Okay. So, next question, again one I probably best pick first: how can we define database governance and security using ITIL? First of all, I think ITIL is not the very best standard when it comes to security. However, if you look at ITIL, there is, for example, the area of access management; in ITIL version 3 some things have been added in that area. And like you deal with, for example, access management or with incident management, you can for sure define things for database governance; you can follow the same way you're doing there using ITIL. However, I would say database governance is something which is more one element in a bigger governance picture, where database governance fits as well, and it's something which is only partially related. Okay, another question: can Oracle audit tools identify actions and access by cloud or hosting service providers?
Yeah, sure. I mean, it depends obviously on how you're deploying. But let's say your databases are in the cloud somewhere, so you're essentially deployed in cloud databases. You have native auditing turned on on your databases, and you can collect that audit trail and see what happened in that audit trail as well. It's obviously going to depend on the configuration and whether you're monitoring at a database level or you monitor by specific users, and what that basically comes down to is how your cloud provider has set up, for example, their databases. Do they have separate schemas for tenants? Do they have separate database instances for tenants? So it depends in some sense on how you set up that multitenancy environment, but you can do that. You can also use the Oracle Database Firewall as an additional control. These two controls are very complementary; the analogy I like to use is that one is the guard outside the door and one is the camera that's inside. So you can also use a database firewall to see what's coming to your database, and you can potentially deploy that either in an on-prem environment or within the cloud, depending again on how and where you put those dividing lines.
Okay. And again a more generic question: how does the governance of metadata, data and data models fit into database governance? I think it's something you can justify as part of your policies, of your controls, of your organization. So it shouldn't be a problem to implement it within an overall governance framework from our perspective, and you definitely can fit it in. I didn't have it in my focus, but we're probably able to add this in an update of my writing on database governance the next time. Then my question again for Roxana: could you please say more about row-level security in Oracle, and how is the system performance affected in this case?
So Oracle Label Security is basically the mechanism for doing classification, and again, that's built into the Oracle database itself. There's minimal overhead in terms of any of the solutions that we talked about, because that's actually integrated within the Oracle database kernel itself. So if you're doing row-level access control, you really shouldn't see any kind of significant impact from that. Again, it's transparent to your users.
Okay. The physical theft of the database hardware, and therefore the database on it, gives the thief an extensive period of time to attempt to access the data. How strong is the protection of the Oracle database without encryption? And secondly, how strong is it with encryption? So how well does it protect you against theft of physical storage?
So for theft of physical storage, I mean, if somebody literally walks out with your hard drive, and you've encrypted the data, it's encrypted. Same thing with media; I'm not sure if that was the question, I missed the part about hardware at the beginning. But fundamentally, when you do data-at-rest encryption, the data's encrypted at rest; it's literally read and written out encrypted. So if somebody tries to attack at the operating system level, they're going to see encrypted data. If they walk out with your hard drive, it's encrypted; if they walk out with your export, it's encrypted; if they walk out with your backups, they're encrypted. So essentially the data stays encrypted to prevent bypass, but I wasn't sure if that was exactly what was being asked. So if I didn't,
So the question was mainly about: if someone has access to the hardware, how strong is the protection with or without encryption?
Well, encryption definitely provides that level. But that said, if somebody has root access on a machine, they can do all kinds of other things to your running process, or to the data, or to the machine itself. I like to say all bets are off. I mean, essentially the database itself, the runtime, isn't hardened against an operating-system-type root attack, necessarily. They can go in and kill the process; there's not much you can do about that. But the data that's there, for example, would be encrypted.
Okay. Another, I think very interesting question, however one which opens an entirely new field, is around how you position XACML, the eXtensible Access Control Markup Language, in the context of these presentations and in the context of database governance. First, maybe I start: I think it's one part to express policies; however, it's done from a little bit of a different angle, around authorization or entitlement management, and XACML is becoming increasingly important as the standard to express such things. For example, it is part of, if you look at it, Oracle Entitlement Server, which is, I think, one thing maybe Roxana can talk a little bit more about. So I think it's one thing which relates to it, the way of how I can implement specific types of policies and controls, but it's only one part; it's more a side topic with respect to the overall database governance. Maybe you'd like to talk a little bit more about Oracle Entitlement Server and how it relates to databases.
Fundamentally, today most of the access control and policies that we talked about are really essentially database-level. Definitely, declarative security models are an area that we're looking at, and you'll see us talk more about how you do declarative security around data itself. But before we get there, there are basic controls that we need to put in place today at the infrastructure and the database level. That's definitely an area, for the future, that we'll be talking more about, and how we deal with declarative security.
Okay. Which of the solutions can be implemented with Standard Edition?
So for Oracle Standard Edition, you can use native auditing. You can also use Database Firewall. Essentially, the controls that are outside the database all work with Standard Edition as well. The controls that are within the database, for example Advanced Security for encryption and Database Vault, all of those work with Oracle Enterprise Edition, but any of the controls that are outside the database, like Database Firewall, work with Oracle Standard Edition.
Okay. How to check in real time that the database management system administrator is not infringing on the data of the company?
Oracle Database Vault. Essentially Oracle Database Vault will not just allow you to track it, but essentially enforce policies. And it gets into a really important point: detective controls are good, but from a governance standpoint we want preventive controls. We want as many preventive controls as possible that will actually enforce our policies, rather than after-the-fact detective controls. Both are important in terms of a complete governance solution, but our emphasis really needs to be on policy enforcement and essentially preventive controls. So for privileged-user type of controls, we want to look at a solution like Database Vault, where we explicitly state what privileged users can do and can't do. We also have auditing in place to make sure that those controls are working and that people aren't circumventing those controls, but we want to be able to do as many things up front in a preventive mode as possible. Same thing with Oracle Database Firewall: we want to be able to prevent anything through that. And when it comes to privileged user controls, there's only so much you can really do outside the database; there are certain kinds of controls for privileged users that really have to be inside the database. That's why we say, if you're really serious about privileged user control, then you really need to look at controls within the database itself, like Database Vault.
Okay. Going back to encryption: encryption sounds good, but what is there to stop an authorized administrator, so root, from actually deleting the database files, thus withdrawing one of the database governance objectives, availability?
Well, like I said, if your root user goes in and blows away all of your database files, then your database doesn't work and you're pretty much closed. So at some level, that's where you need to look at other kinds of controls at the operating system level to prevent your privileged users from potentially being able to delete files. The database isn't meant to be, at run time, essentially tamper-proof from your root user. Essentially, like most applications, it assumes a relatively trusted computing environment. We can get into B2 operating systems and things like that; I don't know if they still make those. But essentially, if you're trying to put controls in place against runtime privileged users, you're not going to be able to prevent a privileged user from deleting those files. When that happens, though, your database essentially stops running, and that's when you want to make sure that you've done things like back up your files, that you have a disaster recovery type of scenario, that you can do a switchover.
Okay. Is the data held in memory encrypted?
So the data held in memory, if you're doing column-level encryption, is going to be encrypted in memory. It's not, if fundamentally, really, it's a data-at-rest encryption solution. There are things that you can do, like for example encrypted swap, to kind of keep your memory encrypted, but overall, the data is not gonna be encrypted in memory across the board. So for example, if we're doing tablespace-level encryption, the blocks in memory are going to be unencrypted. And it's important. The reason for that is because you want things like indexes to work, right. Indexes work against the SGA, right? So in order to do that, that data has to be unencrypted for those operations to happen in memory. So really today I would say that there's really no solution for encrypted data in memory across the board. The only thing you can really do is things like encrypted swap.
Okay. I think one of the last questions right now: how do Oracle products integrate with other identity management regimes, like Simplified T Identity Manager or LDAP-based products?
Sure. So we have a feature that allows us essentially to externalize authentication, called EUS. It stands for Enterprise User Security, and it allows us to define essentially the users outside of the database. So they can be managed in any LDAP directory, whether it's an Oracle directory, whether it's an Active Directory or a Tivoli directory. Right. So all of that can be done natively. I mentioned that you also have a RADIUS authentication interface in Advanced Security. So if you wanna plug in any kind of authentication using the RADIUS protocol, you can do that using Advanced Security as well, but EUS is actually a feature of the Oracle Enterprise database itself.
Okay. So the last question I have here right now is: can single sign-on, in a way, assist in controlling the database? So from my perspective, I would say it's first to look at tools out of the privileged area, so the PxM areas, privileged account, user, identity, whatever management, where we have several tools which allow you to, for example, provide one-time passwords to administrators, and other things. So that's the way you probably best can address it, in the way of restricting administrative access as an additional action together with what you can do. And I think there are several things in the Oracle products you can do there. So that would be the thing; single sign-on itself, not necessarily, because it depends on what our user can bypass or not. That's it, I think, on what we had on questions. If there are any open questions, we will go through the list again, and then we will answer your question offline per email. So thank you to all the attendees for listening to this KuppingerCole webinar, which has been supported by Oracle. Thank you to Roxana for doing her presentation and providing all the answers to these questions. Thank you, Martin.