Oracle 11g, AppSecInc a Go?
Security isn’t a current stumbling block for Oracle 11g and Applications Security Inc. represents a breed plugging database security gaps
Early in July, Oracle announced the latest version of their industrial database, Oracle 11g. My question was not: is Oracle 11g superior to its predecessors? My question was: is it safe?
After discussions with several early-deployment customers and industry analysts, the conclusion is that 11g’s security is not a stumbling block to adoption. The prevailing comments indicate that Oracle 11g offers sufficient security improvements, along with all other remaining reasons, so that corporations/institutions should consider this version a compelling upgrade.
Obviously, no existing customer will replace current working infrastructure with a rapid upgrade adoption simply for security reasons. Likewise, the product hasn’t yet been vetted in the court of massive deployment. It's almost a sure bet that, in such a complex product, vulnerabilities are guaranteed to exist.
Rich Mogull, security research VP at Gartner Group, has a positive opinion of the product but doesn’t feel that 11g has undergone the same internal security review with as much rigor as Microsoft’s SQL Server 2005. He also points out that Oracle is aggressive about fixing discovered vulnerabilities.
Mogull is also intrigued by Oracle’s Audit Vault and Database Vault tools, a security barrier protecting databases from privilege abuse. He also admits that third-party products can be better.
This comment answered my questions about the company, Application Security, Inc. (nicknamed AppSec in the industry), which Mogull sees as one of the major companies offering database security products (the other companies he named are Guardium, Impreva, Lumigent, and Tizor).
Application Security makes three major database security products. DbProtect (an integrated suite for database scanning, vulnerability assessment, and activity monitoring), AppDetectivePro (a network-based database vulnerability scanner), and DbEncrypt (an application toolkit with extensive key management for column-level encryption within databases). Application Security supports databases other than Oracle.
Ted Julian, AppSec’s VP of marketing and strategy, said the company has about 900 customers. He also noted that the major drivers of database security are legislative initiatives such as Sarbanes-Oxley, HIPAA, or those from the payment card industry.
Discussions with Mogull and Julian both highlighted the same topic: whom do you trust with the keys to your kingdom?
Whom Do You Trust?
In most companies, the usual response is system administrators, since they have access to entire systems. In enterprises, however, no single person or group of administrators has access to all files and all systems. Division of labor and authority is motivated more by physical realities of a twenty-four-hour day and human endurance than by security policies.
As more crown jewels are mined and gathered, there is a newer class of individuals to whom the trust question must be posed: database administrators (DBAs). In many cases, they can enter, alter, and leave a database and not leave a detectable trace. In some cases, they can climb application walls and nibble on databases outside of their normal authority.
When you weight the burden of the myriad regulatory and compliance issues, database applications must go beyond program logic to screen invalid or nonsensical input to preserve the integrity of the data. We must also remain on guard against both outside hacks and insider fraud, and for all three, programmatic database auditing is being adopted by more companies and on more databases. Application Security has a very good product.
To complete the loop, the activity of all privileged users needs to be audited, including activity of DBAs.
Database scanning is the low-hanging fruit for automation. It picks out missing patching and misconfigurations that would normally be detected by humans were the scope and numbers of databases in the enterprise not so onerous. Julian also asserts that discovering all of an organization’s databases where there is heavy federation or large organic growth can justify the investment of the scanners.
Interestingly, both Julian and Mogull see encryption as the far end of the process, typically needing more than a year to implement fully. Julian asserts that PCI 1.1 specification doesn’t demand encryption for at-rest data, but does demand full auditing of sensitive or protected data.
Both Mogull and Julian fully agree that using database security and audit monitoring tools are absolutely essential for compliance. They agree that hybrid sensing, where network and database server activity is monitored (the latter necessary to catch all privileged use including DB administrators), is the only acceptable approach.
Mogull and I agree that programmatic alerts to compliance violations are essential security tools. Mogull prefers more active, real-time alerting for compliance violations. Given the level of activity, I think most companies need very few real-time alerts and that overnight compliance runs for database activity seems good enough. For a long time, however, messenger-delivered telegrams were good enough. As technologies and needs change, so will my opinion.
Julian, noting that nothing is free, suggests that security staff build diplomatic bridges across multiple parts of their organization to obtain budgeting support for these investments. For example, pushing the Sarbanes-Oxley button may get the CFO involved.
There is only one thing worse than waiting for the next TJX security breach and that is becoming the next TJX security breach. Given the regulatory and compliance environment, when planning to upgrade a database with a product such as Oracle 11g, make sure the database security and compliance issues get a complete examination. When you make the move, companies such as Application Security have the required packages.