Re: Database Security Bang for the Buck
Deborah,
Hmm . . . tough choice. I think it depends on what you need to learn. If
security is a big hot button at your site and you are relatively new to
these topics, I'd go for the vendor training. Can't speak too directly to
the IOUG conference, since I haven't been lately, but others can. May even
be some security seminars at the conference. If security isn't heavy on your
agenda, then I'm sure you'll pick up info on a broad range of topics at
IOUG.
Assuming you aren't taking vacation and paying for this from your own
pocket, a lot will depend on what your boss wants to pay for. If said boss
is really hot for one or the other or considers the out of town seminar a
company-paid vacation, that will influence what you lobby for. Likewise if
your boss has heard the vendor pitch, and really likes them, well, you see.
I wouldn't worry too much about getting one vendor's slant on security. The verbiage you forwarded doesn't make it sound like they are pushing their particular product, just providing well-rounded training in all the aspects of Oracle security. Could get you off to a fast start if your boss thinks you need to beef up security.
Dennis Williams
On 3/16/07, Deborah Lorraine <dlorraine_at_ucdavis.edu> wrote:
>
> Your thoughts please, on what to choose: the upcoming IOUG conference
> or a three-day Oracle training seminar? The training is local while the
> conference involves travel, hotel, and such, but it seems to me, getting
> security advice from a source other than the vendor makes more sense.
>
> The vendor blurb:
> In this (three-day) course, the students learn how they can use Oracle
> database features to meet the security requirements of their
> organization. They learn how to secure their database and how to use the
> database features that enhance security. The course starts with basic
> database security features, and progresses to basic Oracle Network
> features. Also covered are using Connection Manager as a firewall,
> middle tier authentication, virtual private database, various forms of
> database auditing, and introductions to Oracle Label Security and
> Enterprise Identity Management.
>
> * Use basic database security features
> * Manage secure application roles
> * Secure the database and its listener
> * Manage users using proxy authentication with an application context
> * Manage secure application roles
> * Implement fine-grain access control
>
> Some of the interesting sessions at IOUG:
>
> Oracle Forensics: Collecting Evidence After an Attack (2 hours):
> Databases house an organization's most valuable assets. With database
> attacks on the rise, being able to recover from these attacks is
> critical to the success of your database security plan. When a database
> is compromised, a methodology for collecting information and deriving
> legal evidence is critical for determining the extent of an attack, as
> well as for providing proof that can be used in the prosecution of the
> case. Often the most trouble you will get in is not being able to assess
> how much data was actually stolen. This presentation discusses the
> techniques that can be used to uncover evidence of an attack and
> outlines a methodology for post attack analytics. It also discusses the
> features of Oracle that can be used to collect this evidence and shows
> how to use them without destroying the trail of the attacker.
>
> Oracle 10g Transparent Data Encryption (1 hour): Transparent Data
> Encryption allows Oracle users to secure their data from media theft. It
> complies with new regulatory requirements regarding the privacy of
> information. This talk explores the features of TDE and the implications
> for using this particular style of encryption within the database, in
> export files and backup files. Changes in storage and performance are
> investigated in detail.
>
> Oracle CSI (2 hours): When your database is a crime scene - due to
> fraud, illegal access, unauthorized data changes or theft - how do you
> handle it? This presentation will walk through data crime scene
> scenarios and provide guidance regarding detection, evidence handling,
> auditing procedures, and data preservation. Oracle features that help
> avoid or mitigate data loss, such as transparent data encryption, will
> also be covered. With the proper procedures in place you can be prepared
> for - or avoid - the worst.
>
> Abstract (1 hour): Oracle provides many auditing options for the DBA -
> too many to keep track of them all! Dave will demonstrate "old style"
> auditing and compare it to the Fine Grained Auditing (FGA) and Oracle's
> new Audit Vault. Dave will discuss when to use one approach over another
> and also share performance benchmarks of each option.
>
> DML Auditing with LogMiner (1 hour): When you need to know who
> entered/modified/deleted data there are several options, but most have
> an impact upon the production server. This session will take you through
> our implementation of DML Auditing using LogMiner. There are some
> limitations, but the end result is not much different than what Oracle
> is promising with Audit Vault.
>
> Oracle Security - Are you at risk? (1 hour) This presentation will
> cover the major topics considering Oracle Security. It will include a
> discussion on how to set standards of Oracle Security in your
> organization, how to audit your db for weaknesses and how to bulletproof
> the same. Techniques included will involve risk assessment,
> auditing, various types of encryption, protection against SQL Injection.
> --
> http://www.freelists.org/webpage/oracle-l
>
>
>
-- http://www.freelists.org/webpage/oracle-l
Received on Sun Mar 18 2007 - 16:16:21 CDT