
Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.


How do we Train Staff to do Oracle Security?



I am asked this question a lot, and it came up again this morning on a WebEx call, so I decided to discuss it here. I started in Oracle security a very long time ago, more than 20 years ago, and whilst I know a small number of people who have worked in Oracle database security over those years, there are not many people who do Oracle database security specifically. Few people have focused on Oracle database security in a blog or in books; there are some, of course, but they are a tiny percentage of all information security practitioners. Why is this? I ask this as a rhetorical question. My answer needs a discussion of a few areas:

  • Is Oracle database security needed?: Yes, of course, absolutely. Data is the new gold rush, and as the big players deal in data, particularly personal data, every company of a certain size inadvertently becomes a potential data broker as well. The potential value of the data is sometimes more important than the actual product being sold. Data is important, and it is being stolen at alarming rates because it is safer for criminals to steal data than to walk into a bank with a gun; and data is probably more valuable than money.

  • Do companies take the security of the data seriously?: Companies obviously feel that they do, BUT my experience of working with companies, talking to people at them and specifically looking at their Oracle databases is that data security is not taken seriously enough, in my opinion. How do I arrive at this opinion? Usually there is little to no evidence of security at the data layer itself: no defaults removed, passwords not changed for 14 years in one recent example, no password management, and no data security at all, with everything granted to everyone with admin rights. Why? We will come to that in a minute.

  • Do companies have the skills to secure data at the data layer?: At a high level, probably, but the better question is whether they have the skills to decide where, how and what to secure at the data layer, and the answer is probably not. They often have DBAs and sometimes developers, and with guidance and expertise they could secure data in the database.

  • What about third party applications that use databases?: This is an interesting area, as a lot of companies use big applications such as EBS, PeopleSoft or JDE, but companies also use third party applications that use an Oracle database as a data store. I find in these cases it is even harder to get serious about low level database security, because the product is usually deemed a complete application, including the database, and therefore not their problem.


Some interesting problems and questions. Why do people not take data security in the Oracle database seriously? Mostly because they lack the skills to design and architect the changes within the database. Often it is also because the focus is on functionality and SLAs (Service Level Agreements), and often because the Oracle database is treated like a hidden, magic store that does not need to be changed or tweaked. They quite often assume that the database is secure; unfortunately it is not, because just as you need to design your tables and code, you need to design your own data security. It is not Oracle's job, it is yours.

There is also a fear of breaking a working system "after the fact" by retrospectively adding security to the data. Yes, this can happen if you do not know what you are doing. If the application is a big Oracle ERP or a third party product, they often feel that the database level security cannot be changed.

The issue is that an ERP often controls security at the ERP level, BUT you can simply bypass this at the database level with ease and steal the data: anyone with a database account and the right privileges can query the application's tables directly, and none of the ERP's own access rules apply to that path. So no matter how clever the design and settings within the ERP are, if database access is possible then the data can be accessed.
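One way to check for the findings listed earlier (default accounts still present, passwords not changed for years, no password management, everything granted with admin rights) and for the database-level bypass of ERP security described here, as an added example that is not code from this post or from any Oracle product: the queries below assume a SQL*Plus session with DBA privileges on Oracle 11g or later. The schema name HRAPP, the account HR_REPORT, the role HR_REPORT_ROLE and the view EMPLOYEE_PUBLIC_V are assumed names used for illustration and do not refer to any real product; READ ANY TABLE only exists from 12c onwards, so on 11g the SELECT ANY TABLE row is the one that matters.

```sql
-- Added example (not from the post): audit queries for the findings the post
-- describes - default accounts left in place, stale passwords, no password
-- management, and wide-open grants that bypass the application's own controls.
-- Assumes a DBA-privileged SQL*Plus session on Oracle 11g or later. The schema
-- HRAPP, account HR_REPORT, role HR_REPORT_ROLE and view EMPLOYEE_PUBLIC_V are
-- assumed names for illustration only.

-- 1. Default accounts still carrying their default password.
SELECT d.username, u.account_status, u.profile
  FROM dba_users_with_defpwd d
  JOIN dba_users u ON u.username = d.username
 ORDER BY d.username;

-- 2. Stale passwords: sys.user$.ptime is the last password change time.
--    type# = 1 restricts the rows to users (0 is roles).
SELECT name, ptime, TRUNC(SYSDATE - ptime) AS days_since_change
  FROM sys.user$
 WHERE type# = 1
   AND ptime < ADD_MONTHS(SYSDATE, -12)
 ORDER BY ptime;

-- 3. No password management: profiles that never expire passwords, never lock
--    accounts or have no verify function, and the users sitting on them.
SELECT u.username, u.profile, p.resource_name, p.limit
  FROM dba_users u
  JOIN dba_profiles p ON p.profile = u.profile
 WHERE p.resource_type = 'PASSWORD'
   AND p.resource_name IN ('PASSWORD_LIFE_TIME', 'FAILED_LOGIN_ATTEMPTS',
                           'PASSWORD_VERIFY_FUNCTION')
   AND p.limit IN ('UNLIMITED', 'NULL')
 ORDER BY u.username, p.resource_name;

-- 4. Who can read the application's tables directly, ignoring the ERP's own
--    access control: direct object grants on the schema, ANY privileges, and
--    the DBA role. Every grantee returned here is a bypass path.
SELECT grantee, privilege || ' ON ' || owner || '.' || table_name AS access_path
  FROM dba_tab_privs
 WHERE owner = 'HRAPP'
UNION ALL
SELECT grantee, privilege
  FROM dba_sys_privs
 WHERE privilege IN ('SELECT ANY TABLE', 'READ ANY TABLE')
UNION ALL
SELECT grantee, 'ROLE ' || granted_role
  FROM dba_role_privs
 WHERE granted_role = 'DBA'
 ORDER BY 1, 2;

-- The least-privilege fix for a reporting account found with DBA: take the role
-- away and grant only the rows it should see, through a view owned by the
-- application schema rather than the base tables.
REVOKE DBA FROM hr_report;
CREATE ROLE hr_report_role;
GRANT SELECT ON hrapp.employee_public_v TO hr_report_role;
GRANT hr_report_role TO hr_report;
```

The fourth query is the one that matters for the ERP argument: every grantee it returns can read the application's data without ever touching the ERP's screens or its security model, so the ERP's access rules are only as strong as the shortest path in that list. Run the first three on a test copy before a production system if the DBA role has been handed out as widely as the post describes, since the answers tend to be long.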

So, back to the core question: how do we solve this? We need people who understand security and data security and how to tweak or change a database to protect the data. So is it easier to take a skilled security person and let them decide how to secure Oracle at a detailed level, or is it easier to take an Oracle person and allow them to design security?

Both are hard. A skilled security person will not simply take on the task of learning enough about Oracle to confidently tweak and change the database or the application design to make data secure. An Oracle person, conversely, has the Oracle skills and knows what can and cannot be done to a database or data model, but this is a mixture of two or more Oracle roles (DBA, architect, developer, ...), and do they have the time and inclination to also learn security?

I think we now know why there are not many people out there who specialise in securing data in an Oracle database: a skills gap from both sides. We can help with this. We can be your Oracle security expert on a call off consulting basis, we can help with designs or security audits, and we also have 10 days of expert training in this exact space. Talk to me via social media or email me at pete at petefinnigan dot com and we can help you solve this problem.