Call: +44 (0)1904 557620 Call

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "April 2009 CPU is out"] [Next entry: "Checking if a password is valid using SQL"]

The right way to secure a database

I have just posted the slides to my recent talk (The Right Method To Secure An Oracle Database) at the UKOUG Northern Server technology day held in my home city of York to my Oracle security white papers page in the usual single slide to one page and size slides to one page format.

This was an interesting talk and I wanted to focus just on one thing; this is the importance to start any security project to secure an Oracle database with the "data" itself not simply follow a checklist. Checklists are fine but they should not be a starting point if you want to "secure data". A checklist in this case focuses on the Oracle software settings not your data so, for instance if you followed every step in the CIS benchmark and it would take a long time, would the key data (say your credit cards) you want to protect be protected? - in general the base level of security has definitely risen in the database, there is no doubt, but the specific data you want to secure has not had any specifc security settings applied to it.

This is the point, checklists will help with general hardening but they wont specifically - specifically is the keyword - help with securing your key identified data. So the message is start with the data, understand where it it, how it "flows", how its used, who uses it and then formulate a plan to secure it; checklists can be part of the plan but start with the data.