Re: Security Measures

  • From: Hans Forbrich <fuzzy.graybeard@xxxxxxxxx>
  • To: oracle-l@xxxxxxxxxxxxx
  • Date: Tue, 07 Apr 2015 06:31:31 -0600

On 07/04/2015 12:26 AM, walid kaakati (Redacted sender walid_alkaakati@xxxxxxxxx for DMARC) wrote:

Hallo List,


I would like to know what security measures you apply, other than auditing, to ensure that your database is secure, that you as a DBA have done your homework, and that you are secure legally.

Best wishes for all!

Start by defining 'secure'. What do you (or does your organization) mean when you use the term security?

I personally like the definition and information in the Security Guide and the Advanced Security Guide in the docs at http://docs.oracle.com/database/121/nav/portal_25.htm and am impressed by the information in the books [co-]authored by Scott Know such as http://www.amazon.ca/Oracle-Database-Security-Scott-Gaetjen-ebook/dp/B00QKUJ97O

After that, a lot depends on policy, such as "will you apply the quarterly CPUs or PSUs that are made available" and "do passwords need to change regularly" and "why are service passwords controlled by the same stupid policy as user passwords" and so on. Are you using applications in which the vendors have hard-coded passwords?

You also mention "legally". Since Legal is a regional definition, you need to be aware of what that means.

And, there is the cost vs security tradeoff - has the organization bothered to pay for the Enterprise Edition (as compared to SE) and for the Advanced Security Option? Is the organization willing to manage server side certificates? How about firewalls?

And finally, do you include recoverability (backup, restore, DR) and service level agreements in the definition of security?

/Hans
