
Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

Is Your Oracle Database More Secure in the Cloud?

I often get asked the question "Is your database more secure if it is moved to the cloud?" and it does not matter which cloud we are talking about; it could be Oracle OCI or Amazon or...

This is an interesting question that has come from a lot of people over many years. A lot of people / customers are taken in by the frequent association of the words cloud and security and assume that there is some magical way that an Oracle database, or a database in general, becomes more secure simply by relocating it to the cloud.

Let's be fair: the cloud infrastructures are now mature, the interfaces to design, lay out and specify security amongst other things are good, and the whole infrastructure is probably better than your own in-house IT, servers and local management, BUT that is not the whole picture.

One big problem is that often customers do not know their data, and therefore their database, is insecure already when hosted in-house, and they believe that the additional features of the cloud make it more secure.

If you have a database where you process customer data and the applications are littered with security issues such as SQL Injection bugs, then does moving to the cloud fix these? Of course not. If you have half your staff accessing the database directly with development tools, reporting tools and more, and the people share well-known single accounts with rights to access any data, then moving this to the cloud does not make the data more secure, because half the staff access the data directly and it is therefore insecure. If the application design has put all data and code in one schema, then moving to the cloud does not fix this lack of privilege granularity. If the application design has allowed permissions on data and other rights to be the opposite of least privilege, in other words anyone connected can do anything to the data, then moving this design to the cloud does not secure the data. Or, if your DBAs use SYSDBA or oracle or DBA day in, day out, then they can access and change anything, and moving this to the cloud does not improve the security of the data.
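
The conditions listed in the paragraph above can be looked for in the data dictionary of the database itself, wherever it is hosted. The queries below are an added example, not part of the original post; they assume Oracle 12c or later (for the ORACLE_MAINTAINED column) and an account that can read the DBA_ views and V$PWFILE_USERS.

```sql
-- Added example: least-privilege checks against the data dictionary.
-- Assumes 12c+ and read access to DBA_ views and V$PWFILE_USERS.

-- 1. Who has been granted the DBA role directly?
SELECT grantee, admin_option
FROM   dba_role_privs
WHERE  granted_role = 'DBA'
ORDER  BY grantee;

-- 2. Which accounts are in the password file with SYSDBA?
SELECT username, sysdba, sysoper
FROM   v$pwfile_users
WHERE  sysdba = 'TRUE';

-- 3. Non-Oracle-maintained users and roles holding "ANY" system
--    privileges (SELECT ANY TABLE, EXECUTE ANY PROCEDURE, ...).
SELECT sp.grantee, sp.privilege
FROM   dba_sys_privs sp
WHERE  sp.privilege LIKE '% ANY %'
AND    sp.grantee NOT IN (SELECT username FROM dba_users
                          WHERE  oracle_maintained = 'Y')
AND    sp.grantee NOT IN (SELECT role FROM dba_roles
                          WHERE  oracle_maintained = 'Y')
ORDER  BY sp.grantee, sp.privilege;

-- 4. Application objects granted to PUBLIC, i.e. to anyone connected.
SELECT tp.owner, tp.table_name, tp.privilege
FROM   dba_tab_privs tp
WHERE  tp.grantee = 'PUBLIC'
AND    tp.owner IN (SELECT username FROM dba_users
                    WHERE  oracle_maintained = 'N')
ORDER  BY tp.owner, tp.table_name, tp.privilege;

-- 5. Schemas that own both tables and PL/SQL code: candidates for the
--    "all data and code in one schema" design.
SELECT o.owner,
       SUM(CASE WHEN o.object_type = 'TABLE' THEN 1 ELSE 0 END) AS table_count,
       SUM(CASE WHEN o.object_type IN ('PROCEDURE', 'FUNCTION', 'PACKAGE',
                                       'PACKAGE BODY', 'TRIGGER')
                THEN 1 ELSE 0 END) AS code_count
FROM   dba_objects o
WHERE  o.owner IN (SELECT username FROM dba_users
                   WHERE  oracle_maintained = 'N')
GROUP  BY o.owner
HAVING SUM(CASE WHEN o.object_type = 'TABLE' THEN 1 ELSE 0 END) > 0
AND    SUM(CASE WHEN o.object_type IN ('PROCEDURE', 'FUNCTION', 'PACKAGE',
                                       'PACKAGE BODY', 'TRIGGER')
                THEN 1 ELSE 0 END) > 0
ORDER  BY o.owner;
```

Rows returned by these queries are starting points for review, not findings in themselves; each grant still has to be compared with what the account actually needs.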


Oracle security is about more than the location of the database; it's about the application's design, including permissions, grants and access, the code, and the security of the users, the data and the database settings themselves. The security of the data is not the cloud settings and cloud design; it is the database, application and data design.

If you think about this, it is obvious: we must primarily tackle securing the data in the database, the users and the database settings. This leads to the obvious conclusion that if a database is insecure on-premise it is still insecure in a cloud, or vice-versa; if a database is secure on-premise then it is secure in the cloud.

The cloud security matters but it does not magically make your data secure. In the cloud we must also consider what model we are buying; who is in charge of the cloud and services, and who is responsible for what? If we allow a third party to manage the database, for instance, it is the same as allowing a third party to manage the database on-premise or at their location; there is a risk that others outside can access your data directly or indirectly.

Let us be clear, this is not about cloud specifically but about the security of data at all levels of the design and deployment.

An insecure database cannot magically be made secure by putting it in any cloud; only you can do that with good design, management and processes.

#oracleace #sym_42 #oracle #database #security #cloud #data #breach #cloudsecurity