Oracle is aiming to make it easier for enterprises to secure databases with a new product announced this week. The Oracle Audit Vault and Database Firewall 12c is an evolution of two separate product families that are now merging to provide a more comprehensive solution for the challenge of database security.
"This was a full re-architecture and represents a brand new platform," Vipin Samar, vice president, Oracle Database Security, explained to eSecurity Planet.
Oracle's Database Firewall debuted in February of 2011 and was last updated in January of this year. The new product goes beyond being just a firewall, with the integration of audit capabilities.
In addition, the new product makes it possible to consolidate and analyze non-database audit trails including operating system (OS), file system and directory audit logs.
"This means customers can audit all activity from their applications all the way to the database and the file system," Samar said. "There are dozens of built-in reports which can easily be filtered and customized as well as custom reporting."
The audit trail includes the database as well as operating system and directory audit logs.
"This product offers expanded enterprise wide auditing and the ability to have more visibility into database activity," Samar said. "Only native auditing can provide information about database session and full visibility into database activity such as stored procedures, nested procedures, recursive SQL, triggers, scheduled jobs, etcetera."
Fighting SQL Injection
SQL injection is one of the most common forms of database attack. While Oracle Database Firewall can be deployed to protect against SQL injection, Samar stressed that it can do much more. The Database Firewall can enforce the source of database connections to authorized IP addresses as well as have consideration for time of day and day of the week. Additionally, it can detect and stop any unauthorized activity, like insiders bypassing application security and connecting directly to the database to access unauthorized data.
"Also some customers choose to deploy Database Firewall for monitoring only using a span port similar to an IDS," Samar said. "It's their database early warning system -- the first line of defense. So the scope has also broadened from that perspective as well."
Over the course of the last year threats to databases have evolved, but the attack vectors have stayed relatively constant, according to Samar. The reason is that many organizations have still not put in place the proper mitigations. SQL injection attacks and attacks using stolen credentials are good examples of this.
"Without controls at the database layer, which many customers have still not deployed, these attacks will work as well today as they did two years ago," Samar warned. "Non-production and outsourced environments represent another area many organizations have still not addressed. These environments are typically still unmonitored, widely accessible and contain unmasked data."
Making Database Security a Priority
When it comes to improving the state of database security, education is a critical factor. In Samar's view many organizations understand the need for high-availability databases but don't adopt a similar approach for high-security databases. He wants organizations to start treating security just like they do high availability.
"Many organizations still do not understand the risk legitimate access to databases poses and the need to deploy mitigating controls like monitoring and auditing to ensure that legitimate access cannot be exploited and abused," he said.