Call: +44 (0)7759 277220 Call

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "Nice Summary of setting up audit options"] [Next entry: "Spoofing users and programs and presenting at OWASP"]

Oracle's new Oracle database security and compliance solution

I saw a few posts on news channels at the turn of the current month talking about Oracles new "Oracle database security and compliance solution". A quick search of google shows that this seems to have been a heavilly promoted launch for India. The problem for me is two fold.

Firstly, the name of the "solution" entices interest for me as its Oracle Security related so I wanted to have a look. The press releases talk about the fact that RBI guidelines demand secure use and storage of financial data such as credit card and personal banking details; The solution aims to help banks reach compliance guidelines quickly. There are lots of nice words about enforcing security at the database level; there is talk about the solution building controls at the data level and the fact that 80% of India's banks use Oracle is quite compelling for a solution such as this BUT for me there is a lack of detail about what exactly it is; except that is for a list of Oracle products, database vault, audit vault, label security, enterprise management packs such as patch management, data masking and much more.

Second, most, if not all are cost options on top of enterprise edition licenses but even if you move the cost out of the equation implementing these packages is an immense undertaking in its own right (more cost). Where is the actual solution? - I cannot find more details on the net or on Oracles' site. If you need to implement these packages for RBI compliance then whats the "glue" that hold them together; that makes implementing simple? a standard solution should not be possible as every site has different combinations of database versions, platforms, applications used and importanly implementation details.

The fact that this is launched for the Indian market only and for RBI compliance certainly hints that its definetely not just a list of additional cost options and that there is more details substance to "how" you would use these products to comply in India.

I am all for new Oracle security solutions, I would just like to see what the value add is with this, how it works and also to confirm that its not just a list of value add products; which I am sure it isn't.