Re: Advanced Security

From: Evan <eehrenh_at_emory.edu>
Date: Tue, 12 Sep 2006 09:30:08 -0400
Message-ID: <4506B660.4060406@emory.edu>

Brian Peasland wrote:

>> Can you (I) make a case to install it on all machines?

>
>
> Might I make a suggestion? Instead of taking a look at ASO, start with
> your business requirements. Do you have a need to encrypt sensitive
> data? Do you have a need to limit access to certain rows of data in a
> table? Do you have a need to generate an audit trail when individuals
> access certain rows or columns of data? Take a look at your business
> requirements and *then* pick the Oracle solution that implements those
> requirements. You already have a start documenting some of your
> requirements:
>
> 1. Hundreds of users will access the database from Windows clients
> 2. There are five app servers that will access the database
> 3. There is sensitive data in the database
>
> But there is lots more than you need to figure out. My questions above
> are only a start. But I let my requirements dictate my solution set, not
> the other way around.
>
>
> Cheers,
> Brian
>
>

The applications (from vendors) don't allow for field encryption. Row restriction is not needed.
I feel that auditing allows us to look in the barn and see who took the horse. I want to keep anyone from looking in the barn. This is data which MUST be protected. It is enough to allow identity theft.

Web pages using HTTPS protect the contents between clients and webpages. ASO protects the content between the database and the web server.

The issue is connection from

1) application fat clients,
2) ODBC clients,
3) and SQLPlus clients.

We have the DB server configured to use ASO with "request" and the web servers set to "required". They are ok.

I have been told that ASO is not needed since to sniff the packets, you would need to tap into a box which receives the packets. Is this nonsense or is there another reason to use it? Received on Tue Sep 12 2006 - 08:30:08 CDT