I spoke at the UKOUG special security day event last week at Bletchley Park, just outside Milton Keynes. We had a great agenda for the day, which was focused on Data Security. We had Ian Glover of CREST and CLAS, and also Bloodhound SSC, as the keynote speaker; unfortunately I arrived at the end of Ian's talk, but just in time to get the main points from his conclusion. Ian gave a great argument for structured testing of Oracle databases in a similar way to how servers and networks are penetration tested in the UK by companies with CHECK team members and CHECK team leaders. In other words, a repeatable service is provided so that organisations know they are getting a proper assessment of their security. The same is missing, in the UK at least and probably in most other countries. A centralised standard should be created that doesn't focus on hardening but instead focuses on securing data. This should be the basis on which companies secure their data and also the standard against which security companies test. This would be a great move forward and would also be bolstered should there ever be UK database security legislation that affects more databases than, say, PCI DSS, SOX etc. do now.
Mary Ann Davidson, Oracle's CISO, was next to speak and she gave a very good talk. She is quite open and realistic about security, which is great to hear. The delegates also went on a tour around Bletchley Park, where in the war years the team there cracked the German Enigma code machines. Then it was George Fyffe's turn to talk about Data Breaches and Cyber Security.
Then I spoke. The focus of my talk was really the point that "It is not Oracle security, it is data security". I wanted to really focus people's attention on where the data really is and who can really access it, and therefore on how a plan must be created to secure the data in all locations, not simply by hardening a database using a checklist. The focus should also be on understanding what the current security status of the data is and then establishing a policy. You cannot secure data unless there is a basis to secure it to. In other words, you have to know when to start securing and also when it is stopped, i.e. secured to the standard.
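The "who can really access it" point is easy to state and surprisingly hard to answer honestly for a single Oracle table, because access arrives by three routes: direct object grants, grants to roles (including roles nested inside other roles), and system privileges such as SELECT ANY TABLE that never mention the table at all. The queries below are an added example, not from the talk or the slides, that enumerates all three routes for one table using the standard DBA_* dictionary views; the owner HR and table EMPLOYEES are placeholders to replace with your own, and the whole script assumes a login with SELECT on those views.

```sql
-- Added example: enumerate effective access to one table (placeholder HR.EMPLOYEES).
-- Route 1: direct object grants on the table itself.
SELECT tp.grantee,
       tp.privilege,
       tp.grantable,
       'DIRECT' AS route
FROM   dba_tab_privs tp
WHERE  tp.owner      = 'HR'
AND    tp.table_name = 'EMPLOYEES';

-- Route 2: object grants made to a role, resolved through nested roles.
-- CONNECT BY walks DBA_ROLE_PRIVS so a user who holds role A, where A holds
-- role B, is reported as effectively holding B (CONNECT_BY_ROOT = the user).
-- Oracle forbids circular role grants, so no CYCLE handling is needed.
WITH effective_roles AS (
    SELECT DISTINCT
           CONNECT_BY_ROOT grantee AS holder,
           granted_role
    FROM   dba_role_privs
    CONNECT BY PRIOR granted_role = grantee
)
SELECT er.holder          AS grantee,
       tp.privilege,
       tp.grantable,
       'ROLE ' || er.granted_role AS route
FROM   dba_tab_privs   tp
JOIN   effective_roles er ON er.granted_role = tp.grantee
WHERE  tp.owner      = 'HR'
AND    tp.table_name = 'EMPLOYEES'
-- Leave out intermediate roles so only real users (and PUBLIC) appear.
AND    er.holder NOT IN (SELECT role FROM dba_roles);

-- Route 3: system privileges that reach every table regardless of grants,
-- held directly or through a role. READ ANY TABLE exists from 12c onwards;
-- on older releases it simply matches nothing.
WITH effective_roles AS (
    SELECT DISTINCT
           CONNECT_BY_ROOT grantee AS holder,
           granted_role
    FROM   dba_role_privs
    CONNECT BY PRIOR granted_role = grantee
)
SELECT sp.grantee,
       sp.privilege,
       'DIRECT SYSPRIV' AS route
FROM   dba_sys_privs sp
WHERE  sp.privilege IN ('SELECT ANY TABLE', 'READ ANY TABLE',
                        'UPDATE ANY TABLE', 'DELETE ANY TABLE',
                        'INSERT ANY TABLE')
UNION ALL
SELECT er.holder,
       sp.privilege,
       'SYSPRIV VIA ROLE ' || er.granted_role
FROM   dba_sys_privs   sp
JOIN   effective_roles er ON er.granted_role = sp.grantee
WHERE  sp.privilege IN ('SELECT ANY TABLE', 'READ ANY TABLE',
                        'UPDATE ANY TABLE', 'DELETE ANY TABLE',
                        'INSERT ANY TABLE')
AND    er.holder NOT IN (SELECT role FROM dba_roles);
```

Run all three and merge the grantee columns: that union, not the first query alone, is the real answer to "who can access this data". A grant to PUBLIC in any of the three result sets means every account in the database, which is the kind of finding a data-centric policy has to decide about before any hardening checklist is applied. The same views can be re-run after remediation to show that the access set has actually shrunk to the agreed standard.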
Finally Lindsay spoke about legislation and business drivers.
My slides are available on my Oracle Security White Papers page.