Layered Defenses in Oracle 12c: The New Benchmark for Database Security

Oracle databases support more than two thirds of SAP deployments in mid to large size enterprises. Oracle’s domination of the SAP database market is due to a widely regarded performance edge in areas such as compression, availability and scalability. Oracle databases are also optimized for SAP technology as a result of a long-standing partnership between Oracle and SAP that includes joint software development. Oracle development teams work closely with SAP developers in Walldorf, Germany to performance test Oracle releases against SAP systems and incorporate new Oracle features in SAP releases. Dedicated Oracle technical support teams are also based at SAP HQ in Walldorf to respond to escalated database issues reported by SAP customers.

Database security has improved markedly since the first R3 release on Oracle in 1992. Oracle pioneered Transparent Data Encryption (TDE) and granular access controls through the Database Vault for Release 2 of Database 10g. The latest generation of the flagship Oracle database incorporates more security enhancements than any previous release. Launched by Oracle on July 1, Database 12c introduces redaction capabilities designed to protect the display of sensitive data. Redaction masks sensitive data in real time based on user, group, application, IP address or other variables configured in declarative policies. Since redaction is context-dependant rather than universal, organisations are able to conceal sensitive data displayed in applications from specific groups while revealing it to others. Redaction compliments TDE used to protect sensitive data at the database level by extending data protection to the application level. Redaction can be used to partially or fully transform displayed information without altering data in buffers, caches or storage. It is enforced directly in the database kernel.

Oracle 12c also introduces an important enhancement to the Database Vault through Privilege Analysis. This feature can be used to identify unused permissions based on an analysis of the actual usage of roles and privileges. Enabling the new privilege capture mode through the Vault triggers an advanced logging feature that tracks the use of privileges granted to users and applications. This allows organisations to identify and remove unused permissions and roles and enforce access based on the principle of least privilege.

The third major innovation introduced in 12c is Conditional Auditing. The ability to configure precise, context-dependant logging should reduce the performance overhead associated with database auditing and enable more effective analysis of audit logs. Conditional Auditing supports highly selective logging policies that minimize log entries to specific events such as particular SQL statements including the actions CREATE or ALTER originating from outside specific application servers identified by IP address. Other variables include programs, time periods and connection types. Conditional Auditing also introduces AUDIT_ADMIN and AUDIT_VIEWER roles to better protect the integrity of policies and logs which are now part of single unified architecture. Database auditing in 12c can be integrated with the Oracle Audit Vault and Database Firewall, used to control and monitor SQL network activity. Unlike standard packet filter firewalls that operate at layers 3 and 4 of the OSI model, the Oracle Database Firewall performs highly accurate analysis of SQL traffic at layer 7 and can block SQL injection attacks.

Database 12c introduces Data Discovery and Modelling (DDM) and Sensitive Data Discovery (SDD) functions to scan for sensitive data. Once discovered, organisations are provided with built-in tools to protect information through a combination of encryption, redaction, masking and/or auditing.

12c also includes an improved authorization framework that incorporates the use of ACLs to control operations such as SELECT, INSERT, UPDATE and DELETE for database objects based on users or roles.

Taken together with pre-existing database security features such as TDE, privileged user management using schemas and roles based on protective zones known as realms, whitelisting for SQL statements using the Oracle Firewall, data labeling, online patching and configuration scanning, Oracle 12c provides a comprehensive suite of functions to counteract a wide array of internal and external threats while balancing requirements for performance and high availability. 12c sets a new standard for database security and should strengthen Oracle’s position as the preferred database for SAP customers.