Protecting the Data - A Security Checklist

At the end of the day, what needs to be protected is the data. While Blue Core Research is in the business of Oracle database security, one must never lose sight of the ultimate goal – protecting the data itself.
This page does not aim to be the ultimate guide to data security, but it should raise many of the important points you should consider in your security strategy.

Security by Obscurity

Security by Obscurity refers to security that relies on the notion that an attacker would not be able to understand its design or implementation. It has become synonymous with having no security at all, on the assumption that any design or implementation can eventually be discovered. It is also dismissed because it calls for complex designs and implementations that are difficult to maintain and support.
However, many companies today already have complex systems for various reasons. While those complex systems exist, there is no reason not to leverage their complexity as an additional security barrier.
For example, if your organization has dozens (or hundreds) of applications and databases moving data between them as part of a big process, that complexity can prevent internal fraudsters from compromising the overall process. That complexity will also hinder an external attacker, and it provides a good means of separation of duties for administrators.
All it takes is to ensure that the different teams that maintain, support, and administer the different subsystems do not have unneeded access to, or unneeded knowledge of, other subsystems.

Encryption

Encryption can help reduce many risks. It should not be the only means your security relies on, but it is a good tool that should be used.
Encryption can be performed at different levels and by different systems, each having different benefits and limitations.
Encrypting data at rest is about encrypting data stored on disks, tapes, etc.:
  • Application – The application can encrypt all the data it saves. While uncommon for all data, it can be important for highly sensitive data.
  • Database – Databases can encrypt all the data they store. This can be very valuable in many cases, including a stolen disk drive, a stolen backup tape, a copied database file, etc.
  • File System – Some file systems have encryption capabilities. This is not a common thing to use.
  • Disk – Encryption at the disk level is pretty rare, but can be important in the case of laptops.
  • Backup – Most backup systems have encryption capabilities, and it is very important to use them.
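As an added illustration of the application-level item above (this is example code written for this page, not code from Blue Core Research or from any product it describes), the following Go program encrypts one sensitive field with AES-256-GCM before the value is handed to the database, so the database, its backups and its file system only ever hold ciphertext. The key is assumed to be supplied by the application (in practice from a KMS or HSM) and is never stored alongside the data; the column name `customers.ssn` and the sample value are constructed placeholders. The field name is bound in as associated data, so a ciphertext copied into a different column fails to decrypt, and any byte changed in the stored value is rejected by the authentication tag.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// Constructed example: application-level encryption of a single sensitive
// field. The database stores only the base64 ciphertext; the key lives with
// the application (or a KMS/HSM), never in the database itself.

// encryptField seals plaintext with AES-256-GCM under key. A fresh random
// 12-byte nonce is prepended to the ciphertext, and the field name is bound
// as associated data so the value cannot be moved to another column.
func encryptField(key []byte, field string, plaintext []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nonce, nonce, plaintext, []byte(field))
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// decryptField reverses encryptField. A modified stored value, or a field
// name that does not match the one used at encryption time, fails the tag check.
func decryptField(key []byte, field string, stored string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(raw) < gcm.NonceSize() {
		return nil, errors.New("stored value too short")
	}
	nonce, ct := raw[:gcm.NonceSize()], raw[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(field))
}

// roundTrip is a self-check: the stored form must differ from the plaintext,
// decrypt back to it, and reject both a tampered copy and a cross-column copy.
func roundTrip(key []byte, field string, plaintext string) (bool, error) {
	stored, err := encryptField(key, field, []byte(plaintext))
	if err != nil {
		return false, err
	}
	if stored == plaintext {
		return false, errors.New("ciphertext equals plaintext")
	}
	got, err := decryptField(key, field, stored)
	if err != nil || string(got) != plaintext {
		return false, errors.New("round trip failed")
	}
	raw, _ := base64.StdEncoding.DecodeString(stored)
	raw[len(raw)-1] ^= 0x01 // flip one bit of the authentication tag
	if _, err := decryptField(key, field, base64.StdEncoding.EncodeToString(raw)); err == nil {
		return false, errors.New("tampered value accepted")
	}
	if _, err := decryptField(key, "other_column", stored); err == nil {
		return false, errors.New("ciphertext accepted under a different column")
	}
	return true, nil
}

func main() {
	key := make([]byte, 32) // placeholder: in production, fetched from a KMS/HSM
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	ok, err := roundTrip(key, "customers.ssn", "123-45-6789")
	fmt.Println("application-level field encryption check:", ok, err)
}
```

Binding the column name as associated data is what makes this more than a wrapper around a block cipher: an insider with write access to the database cannot reuse an encrypted value from one row or column in another, and any change to the stored bytes is detected at read time rather than silently producing garbage.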
Encrypting data in motion is about encrypting data transmitted over a network:
  • VPN – Virtual Private Networks allow a connection between two trusted networks over an insecure medium (such as the internet). Preventing users from connecting from home would be preferable, but given the reality, a VPN is the next best thing.
  • Hardware (NIC) – Encryption at the network card level is uncommon in wired networks, but very common (and vital) in wireless networks.
  • TCP/IP – Encryption at the TCP/IP stack level is not very common, but has benefits in certain environments.
  • Database – Network encryption of all database communication can be important in many environments.
  • Application – Network encryption at the application level is not common except for certain types of applications (e.g. HTTPS and SSH).