Call: +44 (0)1904 557620 Call
Blog

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "Auditing the SQL a black box application submits to the database"] [Next entry: "Two more accounts of the Chuck Rozwat 10g R2 keynote at OOW"]

Oracle Database 10g Release 2 keynote at Oracle Open World



Today at Open World one of the key notes was about the introduction of Oracle 10g Release 2. With Release 2 the main thrust is improving efficiency and reducing the cost of management. Its all about Grid computing and automation and self managing databases. What’s in it for us Oracle security aficionados?

Well the most direct points from the http://www.oracle.com/technology/products/database/oracle10g/pdf/10gr2_highlights.pdf - (broken link) Oracle database 10g Release 2: new feature highlights document are the quotes to say 10g grid provides 24*7 data access whilst being secure. They don't go to say how the data is secure!, lots of 24*7, such as clusterware redundancy and higher availability, integrated tape backup and recovery (These facts are important for data security), fast failover and most interestingly integrated transparent data encryption and key management in the database. This helps to allow customers to protect their data seamlessly without changing applications - they say. This sounds a very interesting addition, one of which I am keep to get my hands on 10gR2 to test and run through its paces. Encryption of data in the database is an interesting problem. There are three main commercial players in this space - see the links on my Oracle Security Tools page. The fact that Oracle say they will support the handling of keys seamlessly in the database is very interesting. I for one would like to know more.

The backup and high availability functions and improvements are also key features for those interested in security. Backups and recovery processes and also high availability strategies should be a key part of any Oracle security policies and procedures.

One other key item of note in the note in the second page that Oracle are now proving statistics collection from the SGA directly from memory. This means that direct SGA access methods are being used. I have some links to papers written by Kyle Hailey and Miladin Modrakovic on my Oracle Internals page that readers may find very interesting to see how Oracle are doing this. I also talked about Direct SGA access in a couple of previous blog entries.