Database Security Bang for the Buck

From: Deborah Lorraine <>
Date: Fri, 16 Mar 2007 16:06:10 -0700
Message-ID: <>

Your thoughts please, on what to choose: the upcoming IOUG conference or a three-day Oracle training seminar? The training is local while the conference involves travel, hotel, and such, but it seems to me, getting security advice from a source other than the vendor makes more sense.

The vendor blurb:
In this (three-day) course, the students learn how they can use Oracle database features to meet the security requirements of their organization. They learn how to secure their database and how to use the database features that enhance security. The course starts with basic database security features, and progresses to basic Oracle Network features. Also covered are using Connection Manager as a firewall, middle tier authentication, virtual private database, various forms of database auditing, and introductions to Oracle Label Security and Enterprise Identity Management.

Some of the interesting sessions at IOUG:

Oracle Forensics: Collecting Evidence After an Attack (2 hours): Databases house an organization's most valuable assets. With database attacks on the rise, being able to recover from these attacks is critical to the success of your database security plan. When a database is compromised, a methodology for collecting information and deriving legal evidence is critical for determining the extent of an attack, as well as for providing proof that can be used in the prosecution of the case. Often the most trouble you will get in is not being able to assess how much data was actually stolen. This presentation discusses the techniques that can be used to uncover evidence of an attack and outlines a methodology for post attack analytics. It also discusses the features of Oracle that can be used to collect this evidence and shows how to use them without destroying the trail of the attacker.

Oracle 10g Transparent Data Encryption (1 hour): Transparent Data Encryption allows Oracle users to secure their data from media theft. It complies with new regulatory requirements regarding the privacy of information. This talk explores the features of TDE and the implications for using this particular style of encryption within the database, in export files and backup files. Changes in storage and performance are investigated in detail.

Oracle CSI (2 hours): When your database is a crime scene - due to fraud, illegal access, unauthorized data changes or theft - how do you handle it? This presentation will walk through data crime scene scenarios and provide guidance regarding detection, evidence handling, auditing procedures, and data preservation. Oracle features that help avoid or mitigate data loss, such as transparent data encryption, will also be covered. With the proper procedures in place you can be prepared for - or avoid - the worst.

Abstract (1 hour): Oracle provides many auditing options for the DBA - too many to keep track of them all! Dave will demonstrate "old style" auditing and compare it to the Fine Grained Auditing (FGA) and Oracle's new Audit Vault. Dave will discuss when to use one approach over another and also share performance benchmarks of each option.

DML Auditing with LogMiner (1 hour): When you need to know who entered/modified/deleted data there are several options, but most have an impact upon the production server. This session will take you through our implementation of DML Auditing using LogMiner. There are some limitations, but the end result is not much different than what Oracle is promising with Audit Vault.

Oracle Security - Are you at risk? (1 hour): This presentation will cover the major topics considering Oracle Security. It will include a discussion on how to set standards of Oracle Security in your organization, how to audit your db for weaknesses and how to bulletproof the same. Techniques included will involve risk assessment, auditing, various types of encryption, protection against SQL Injection.

Received on Fri Mar 16 2007 - 18:06:10 CDT
