Home » RDBMS Server » Security » Key Points on Database security best practices (Oracle 11gR2)
Key Points on Database security best practices [message #618964] Thu, 17 July 2014 00:44 Go to next message
hitesh.bhatt
Messages: 84
Registered: February 2014
Location: INDIA
Member
Hello All,

Can you please help me with bullet points on Database security best practices?

Many Thanks in advance.
Re: Key Points on Database security best practices [message #618965 is a reply to message #618964] Thu, 17 July 2014 00:50 Go to previous messageGo to next message
tarundua
Messages: 1080
Registered: June 2005
Location: India
Senior Member
Can you please be more elaborative on what exactly you are looking for?

Database profiles, auditing....
Re: Key Points on Database security best practices [message #618966 is a reply to message #618965] Thu, 17 July 2014 00:58 Go to previous messageGo to next message
hitesh.bhatt
Messages: 84
Registered: February 2014
Location: INDIA
Member
Thanks for quick reply,

Mainly I am looking for Database profiles(User access to Database architect, Senior DBA, Junior DBA access)
Re: Key Points on Database security best practices [message #618968 is a reply to message #618966] Thu, 17 July 2014 01:02 Go to previous messageGo to next message
Michel Cadot
Messages: 66446
Registered: March 2007
Location: Nanterre, France, http://...
Senior Member
Account Moderator

More specifically?

Re: Key Points on Database security best practices [message #618970 is a reply to message #618968] Thu, 17 July 2014 01:07 Go to previous messageGo to next message
hitesh.bhatt
Messages: 84
Registered: February 2014
Location: INDIA
Member
Mainly I am looking for following -

What all profile / roles grant to Database architect?
What all profile / roles grant to Junior DBA?
What all profile / roles grant to Senior DBA?
As they do not want even DBA to see the sensitive data, so what all privileges to grant to DBA's so DBA can work on all DB related activities but without damaging the sensitive data.

Thanks in advance.
Re: Key Points on Database security best practices [message #618976 is a reply to message #618970] Thu, 17 July 2014 01:31 Go to previous messageGo to next message
Michel Cadot
Messages: 66446
Registered: March 2007
Location: Nanterre, France, http://...
Senior Member
Account Moderator

These are your enterprise notions, there is no such general notions, each enterprise chooses what they mean for them.
Have a look at the following post:
http://www.orafaq.com/forum/m/486121/?srch=dba_level#msg_486121

Re: Key Points on Database security best practices [message #619026 is a reply to message #618970] Thu, 17 July 2014 07:52 Go to previous messageGo to next message
EdStevens
Messages: 1081
Registered: September 2013
Senior Member
hitesh.bhatt wrote on Thu, 17 July 2014 01:07
Mainly I am looking for following -

What all profile / roles grant to Database architect?
What all profile / roles grant to Junior DBA?
What all profile / roles grant to Senior DBA?
As they do not want even DBA to see the sensitive data, so what all privileges to grant to DBA's so DBA can work on all DB related activities but without damaging the sensitive data.

Thanks in advance.

============================================================================

"When I use a word," Humpty Dumpty said in rather a scornful tone, "it means just what I choose it to mean -- neither more nor less."
(Lewis Carroll - Through the Looking Glass)

And so it is with job titles.

The first two places I worked in IT had exactly the same set of job title for what we now refer to as developers. They were

Programmer/Analyst I
Programmer/Analyst II
Programmer/Analyst III

In one shop, the P/A I was entry level and P/A III was senior/team lead
In the other shop, exactly the opposite.



============================================================================
If you want to protect stuff from even the DBA, you need DataVault. But then who do you trust to configure THAT?
Re: Key Points on Database security best practices [message #619032 is a reply to message #619026] Thu, 17 July 2014 08:27 Go to previous messageGo to next message
Michel Cadot
Messages: 66446
Registered: March 2007
Location: Nanterre, France, http://...
Senior Member
Account Moderator

Maybe it is not a matter of trusting but preventing from juniors doing wrong actions which can hurt the databases.
This was the case, more than security (although it was also there), in the enterprise where I implement the solution I mentioned in the link.

The problem with Database Vailt is organization, you must have a security team that will allow DBA to do some actions and of course this security must be 24/24 7/7 in case something happens during the night that implies to grant some accesses.
Till now I see no enterprise which wants to 1) buy Databa Vault option 2) create a new team or hire new people for the current one.

Re: Key Points on Database security best practices [message #619162 is a reply to message #619032] Fri, 18 July 2014 09:17 Go to previous messageGo to next message
EdStevens
Messages: 1081
Registered: September 2013
Senior Member
Michel Cadot wrote on Thu, 17 July 2014 08:27


The problem with Database Vailt is organization, you must have a security team that will allow DBA to do some actions ...
Till now I see no enterprise which wants to .... 2) create a new team or hire new people for the current one.



And that was what I was getting at. In my admittedly limited experience, I've never seen an implementation of DB Vault, probably for the very reason cited above. That leaves auditors and management often insisting that DBA's implement some hare-brained scheme that that they think will protect the database from the DBA. And it always comes back to the DBA himself being the one to actually implement the scheme. So they don't trust the DBA with the database, but they trust the DBA with the keys that are supposed to protect the database from the DBA ....
Re: Key Points on Database security best practices [message #619766 is a reply to message #619162] Thu, 24 July 2014 23:31 Go to previous messageGo to next message
hitesh.bhatt
Messages: 84
Registered: February 2014
Location: INDIA
Member
Many Thanks to all for details
Re: Key Points on Database security best practices [message #620326 is a reply to message #619162] Thu, 31 July 2014 04:29 Go to previous message
Roachcoach
Messages: 1576
Registered: May 2010
Location: UK
Senior Member
EdStevens wrote on Fri, 18 July 2014 15:17
Michel Cadot wrote on Thu, 17 July 2014 08:27


The problem with Database Vailt is organization, you must have a security team that will allow DBA to do some actions ...
Till now I see no enterprise which wants to .... 2) create a new team or hire new people for the current one.



And that was what I was getting at. In my admittedly limited experience, I've never seen an implementation of DB Vault, probably for the very reason cited above. That leaves auditors and management often insisting that DBA's implement some hare-brained scheme that that they think will protect the database from the DBA. And it always comes back to the DBA himself being the one to actually implement the scheme. So they don't trust the DBA with the database, but they trust the DBA with the keys that are supposed to protect the database from the DBA ....


Security theatre is the best, isn't it?

Really it's a balance between practicality vs security. At the end of the day, you have to trust SOMEONE. Although we did at one point talk about binary style keys with two holders with half each, thankfully that lasted all of ten seconds.
Previous Topic: How can I audit ALL activity for a specific Client Id?
Next Topic: Lock the SYS account
Goto Forum:
  


Current Time: Mon Jun 24 12:19:07 CDT 2019