
Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.


GDPR

A couple of days ago I posted my slides from the recent UKOUG Northern Technology day in Leeds, where I spoke about GDPR for the Oracle DBA. I said then that I am also preparing a service line to help customers specifically with the problem of Oracle security for GDPR compliance. I am working on releasing information for a new one-day class that I will be teaching called Oracle Security for GDPR. A two-page PDF flyer will be added to our training page in the next couple of days. I will also announce the GDPR service lines that we will be adding in the next few days. We have already helped customers with work towards GDPR compliance, specifically in the areas of Oracle security that we can cover; these include:


  • Detailed security audits of customers' Oracle databases

  • Using PFCLScan to audit a large number of customer databases

  • Helping customers create a database security policy

  • Breach notification policy creation

  • Involvement in a number of incident response and forensics engagements

  • Audit trail design, creation and implementation

  • Training, of course, by teaching people about Oracle security on our classes

  • Masking of data

  • Many more...



As I said, I will be publishing our range of Oracle security services specific to GDPR in the next few days, and I will also talk here in more detail about those services and about our new one-day training class, Oracle Security for GDPR.

I wanted to talk a little here about GDPR in general, as we have spent a lot of effort in PeteFinnigan.com Limited working towards GDPR compliance. We have done data assessments to locate all personal data that we hold and documented where we hold it, why we hold it and the reason for keeping it. This was an interesting exercise. A lot of people state that GDPR is good for business; for instance, this article propounds the virtues of stronger security because of GDPR.

There is a flip side though. In my opinion GDPR can also cause security weaknesses if you put the need to be compliant with GDPR above the need to collect what is now classified as personal data. IP addresses and similar details are now classed as personal data. There is a lot written about this; some say that including IP addresses in your Apache access logs and error logs is collecting personal data and therefore requires you to be GDPR compliant for those logs. So if someone were to breach your website and steal an Apache web log with tens of thousands of IP addresses, this would be a major data breach that must be reported, and you would have to notify the owners of the IP addresses. If we argue that we keep the access_log for security needs then maybe that is OK and a valid reason to keep it, and to keep thousands of records of what is personal data. What about running a webalizer report to check how many people visit your website? That is not a reason to keep this data. You could argue that you never look at the access_log, but you still collect those details. You could also argue that the IP address is not personal; the problem is that it is for some people. If you run a whois report, or you combine the IP addresses in the access_log with the personal search details from the Google page that brought them to the site, and maybe combine that with a website account (http passwd), then it is a problem. Some websites I looked at say it's OK to keep this data and some say no, it's not, and you run the risk of a 20M Euro fine.

This problem basically means that whilst some articles suggest GDPR is a good thing for businesses, it could also be a bad thing: if you decide that the risk of a GDPR breach and a 20M Euro fine is worse than the need to keep the server logs for webalizer, this can lead to less security. A breach that occurs with no logs is an undetected breach.

You may have noticed that at the top of most pages on this website there is a "number of visitors online" field. This is also generated by collecting every unique IP address for a short period of time (30 minutes) and then checking how many unique IP addresses are online. This is also a GDPR problem, so we decided to still collect IP addresses BUT to anonymise them, as we don't care what the IP address is, we only care to count unique visits. This took code changes to a number of pieces of software built into the website. The same intermediate approach can be taken with Apache logs or security logs: anonymise the IP addresses and other personal data while keeping the log.
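As an added example (not code from this post or from the software behind PeteFinnigan.com), here is a Python script showing the two parts of the approach described above: rewriting the client address in Apache combined-format log lines so the raw IP is no longer stored, and still counting unique visitors within a 30-minute window from the rewritten values. The log lines, the key and the function names are all constructed for the example. One caveat worth knowing: a keyed HMAC produces a pseudonym rather than anonymous data for as long as the key exists, so rotating or discarding the key matters; the prefix-truncation option is coarser but needs no secret.

```python
import hashlib
import hmac
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample lines in Apache "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jun/2018:10:01:12 +0100] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jun/2018:10:02:45 +0100] "GET /weblog/ HTTP/1.1" 200 8211 "-" "Mozilla/5.0"
198.51.100.20 - - [01/Jun/2018:10:05:03 +0100] "GET /forum/ HTTP/1.1" 200 3300 "-" "curl/7.58.0"
2001:db8::1 - - [01/Jun/2018:10:40:00 +0100] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Hypothetical secret for keyed pseudonymisation. Keep it out of the log files
# themselves and rotate it (e.g. daily) so tokens cannot be linked long term.
DEMO_KEY = b"demo-secret-rotate-me"

# Group 1: client address; group 2: the rest of the line; group 3: the timestamp.
LINE_RE = re.compile(r'^(\S+)(\s.*\[([^\]]+)\].*)$')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_time(stamp: str) -> datetime:
    """Parse an Apache timestamp such as '01/Jun/2018:10:01:12 +0100'."""
    return datetime.strptime(stamp, TIME_FMT)


def pseudonymise_ip(ip: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 of the address, shortened to 16 hex characters.

    The same address always maps to the same token under one key, so unique
    counting still works, but the token cannot be reversed without the key.
    """
    return hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()[:16]


def truncate_ip(ip: str) -> str:
    """Key-less, coarser option: keep only the /24 (IPv4) or /48 (IPv6) prefix."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)


def anonymise_log(text: str, key: bytes, mode: str = "hmac") -> str:
    """Rewrite the client-address field of every combined-log line in `text`."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:                       # leave lines we do not recognise untouched
            out.append(line)
            continue
        ip, rest, _ = m.groups()
        token = pseudonymise_ip(ip, key) if mode == "hmac" else truncate_ip(ip)
        out.append(token + rest)
    return "\n".join(out) + "\n"


def visitors_online(text: str, key: bytes, now: datetime,
                    window: timedelta = timedelta(minutes=30)) -> int:
    """Count distinct pseudonymised addresses seen within `window` before `now`."""
    seen = set()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, _, stamp = m.groups()
        if now - window <= parse_time(stamp) <= now:
            seen.add(pseudonymise_ip(ip, key))
    return len(seen)


if __name__ == "__main__":
    print(anonymise_log(SAMPLE_LOG, DEMO_KEY))
    print(anonymise_log(SAMPLE_LOG, DEMO_KEY, mode="truncate"))
    now = parse_time("01/Jun/2018:10:30:00 +0100")
    print("visitors online:", visitors_online(SAMPLE_LOG, DEMO_KEY, now))
```

Run as is, the script prints the sample log twice (HMAC tokens, then truncated prefixes) and reports 2 visitors online at 10:30, because the two requests from 203.0.113.7 collapse to one token and the 10:40 request falls outside the window. The pseudonymisation is done on the fly from the raw line, so the original addresses never need to be written to the stored log.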

We also have a forum on the website, and this had many hundreds of entries that people have posted over the years; these are also personal details. So instead of trying to ask each person for permission again, we went through and anonymised all of the entries, changing all IP addresses to dummy values, all emails to mine, all names to mine, and so on. This had to be repeated for comments on blog posts for the same reason, and also in a number of other places.

We also conducted cookie audits on all of our websites using PFCLCookie, our tool that can be used to locate the cookies a website sets, as cookies are also considered personal data. We have eliminated all cookies that our sites created.

We also never do email marketing; this is a big area that requires you to comply and to register with the ICO, but as we don't do it, it's not a problem for us.

We also updated our privacy policy and split it into separate privacy, cookie and legal policies. We also updated our security policies and worked to ensure that we only collect personal data for the business reasons of record keeping and accounts; this is an exception under GDPR. Actually trying to understand whether you need to comply with GDPR is not simple. The ICO in the UK has a tool on its website (a questionnaire) that lets you see whether you need to register. I went through this tool and was reasonably sure that we didn't need to register; I was sure we didn't need to comply with the old Data Protection Act. In the end I had to call the ICO to be sure: no, we didn't need to register, but as suggested on the ICO website you can register anyway. So even if you are convinced that you do not need to register, it makes sense to do so, to show that you are taking GDPR seriously, BUT you still have to treat all data with GDPR in mind.

I have been watching others' attempts at GDPR; here are some examples:


We currently store some of your personal data so that we can keep you informed of any new initiatives, information or opportunities, plus invitations to our events and updates on our upcoming programmes. The data we usually hold are your contact details.

We will always tell you how we use your data, and we will make sure we collect and store your data safely and securely. We will never pass your personal information to any third party without your specific consent.

If you are happy that we keep your details to enable us to contact you with relevant information you need to do nothing further. If you would like your details to be removed from our database, please do so by clicking...


The above is an email I received two days before GDPR became live. I never registered with this security company; I didn't consent to receive their marketing emails and they don't ask for consent. The idea is that consent has to be a conscious opt-in, not opt-in by default. Because this was sent two days before GDPR it's not strictly wrong in my opinion, but as soon as they send me a marketing email it is wrong. Another email I received on the 1st of June, so after GDPR:


...
We still intend on meeting - and exceeding - those goals; however, with GDPR coming into effect, we want to make sure we are abiding by the law (and ensuring you continue to see our emails in your inbox).

If you’d like to continue receiving our emails, including the latest .... webinars (and we hope you will!), please...


After GDPR, a marketing email asking me to re-subscribe to their marketing!! There have been many, many more similar ones.

GDPR compliance is an ongoing process; it is hard work and a lot of work.