IOUG Insight: Oracle’s ‘Other’ Key Focus Area—Security

At Oracle OpenWorld 2017 and in subsequent company announcements, Oracle has made it clear that it currently has two key focus areas: the Autonomous Cloud Database, starting with the Autonomous Cloud Data Warehouse, and security.

There’s a lot of publicity right now on the first item as it is new and revolutionary in many ways. But the second area also deserves attention as it’s something that affects us all.

Whether you’re an Oracle system or database administrator, an IT manager, or executive, or even just an end user or customer, security should be as important to you as almost anything else. We all hear about breaches in the news all too often. From the executive level to the end customer, none of us want to be anywhere near such a breach.

And, consider timelines: We may or may not be considering a cloud migration or implementation of the Autonomous Cloud Data Warehouse via a proof of concept (PoC) or even a fleshed-out road map. That is future-looking or, at best, a work in progress. Security concerns are immediate, affecting us right now, as well as in the future.

So are there action items we can take right now? The answer is definitely yes!

What Did Oracle Announce?

Oracle has announced several facets to improving its, and our, security posture. First of all, the new Autonomous Cloud services such as the Autonomous Cloud Data Warehouse will include automatic patching and machine learning for intrusion detection and anomaly pattern detection.
But again, what about the rest of us—what can we do with our existing systems right now—regardless of whether our systems are old or new or on-premises or in the cloud? The answer is the Oracle Database Security Assessment Tool, or DBSAT.

What Exactly Is DBSAT?

First of all, DBSAT isn’t new. It actually first came out somewhat quietly in 2016 and has been downloadable from My Oracle Support (MOS) ever since. But it did get heavy promotion from Oracle at OOW 2017 in keynotes and lecture sessions, and Oracle subsequently released a major new version, release 2.0.1, in December 2017.

DBSAT is designed to be a small, lightweight command-line tool, run by Oracle DBAs. And its focus is on the database tier: the database and related server settings. It supports most of the major operating systems and Oracle Databases from version onward.
DBSAT produces output in various formats, including HTML for interactive reviews and JSON for ingestion into other tools.

Where Can We Get Quick Benefit?

Ideally we’re using security tools and performing security reviews proactively to constantly improve our security posture. Realistically, that’s not always the case. The reality is that sometimes security is reactive.

For example, what if we get a Monday morning surprise such as: “Management wants a security report on their desk by end-of-day today,” “We suspect there may be some internal bad actors—everything must be locked down as much as possible,” “Application X now falls under new regulatory requirements that we must be in alignment with ASAP,” or, “Auditors are coming this week and nobody told us”?

Again, let’s emphasize that security shouldn’t be reactive and done only to appease auditors, management, and/or external regulations. It should be part of the design criteria and constantly measured to ensure that implementations match technical specifications, corporate policies, industry best practices, and required regulations. But regardless, DBSAT can help with all of the above. And, do it quickly.

Running the collector and reporter can be really simple and, in most circumstances, should only take a matter of minutes to complete with minimal load to the database. After all, it’s only querying metadata.

Keep in mind that the reports should be considered “sensitive” as they likely expose weaknesses or deficiencies that a bad actor could capitalize on. For this reason, the tool includes the option to encrypt the collected data and reports, though it only uses standard ZIP encryption. If more robust encryption is required, then you’ll need to encrypt the files separately.

Overall, the findings cover a wide variety of security aspects related to the database, listener, and OS. Where appropriate, each finding also carries tags indicating whether it relates to CIS (Center for Internet Security) recommendations or can be of assistance with EU General Data Protection Regulation (GDPR) compliance verification.

The New ‘Discoverer’ Module

A brand new Discoverer module was introduced with DBSAT 2.0.1. Oracle probably could have created this as a brand new standalone tool, but instead it integrated it with DBSAT. This is a good thing, as Oracle Support already provides us with too many independent tools for various purposes.

The new Discoverer module can be used to search the data dictionary for sensitive data. This may be necessary if required to identify, for example, personally identifiable information (PII) and sensitive personally identifiable information (SPII).

The search flexibility is actually quite impressive for the first generation/release of this module. And, the results can be categorized. Oracle provides a pretty decent configuration file to get you started, and, of course, it’s fully customizable and extensible.
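To make the Discoverer idea concrete, here is an added example of a first-pass data-dictionary scan of the kind the module automates. This is not DBSAT’s own query and does not use its configuration file format; the category names, the regex patterns, and the decision to treat column comments as a second signal are assumptions of this example.

```sql
-- Added example, not DBSAT's own code or its Discoverer configuration format.
-- Scan the data dictionary for columns whose names or comments suggest
-- PII / SPII, and categorize each hit. Patterns and categories are illustrative.
WITH patterns AS (
  SELECT 'PII'  AS category, 1 AS sensitivity,
         '(^|_)(FIRST|LAST|FULL|SUR)?_?NAME($|_)'                  AS col_regex,
         'name of (the )?(customer|person|employee)'              AS cmt_regex FROM dual UNION ALL
  SELECT 'PII',  1, '(^|_)(EMAIL|E_MAIL|PHONE|MOBILE|ADDRESS|ZIP|POSTCODE)',
                    'e-?mail|phone|postal|street address'         FROM dual UNION ALL
  SELECT 'PII',  1, '(^|_)(DOB|BIRTH)',
                    'date of birth|birth ?date'                   FROM dual UNION ALL
  SELECT 'SPII', 2, '(^|_)(SSN|SOCIAL_SEC|NATIONAL_ID|PASSPORT|TAX_ID)',
                    'social security|national id|passport|tax id' FROM dual UNION ALL
  SELECT 'SPII', 2, '(^|_)(CREDIT_CARD|CARD_NUM|CCN|PAN|IBAN|ACCOUNT_NUM)',
                    'credit card|card number|iban|bank account'   FROM dual UNION ALL
  SELECT 'SPII', 2, '(^|_)(PASSWORD|PASSWD|PWD|SECRET|TOKEN)',
                    'password|secret|api key|token'               FROM dual
),
candidate_cols AS (
  -- Application schemas only. ORACLE_MAINTAINED exists from 12c; on older
  -- releases (e.g. 10g/11g) replace the join with a NOT IN ('SYS','SYSTEM',...) list.
  SELECT c.owner, c.table_name, c.column_name, c.data_type, cc.comments
  FROM   dba_tab_columns c
  JOIN   dba_users u
         ON u.username = c.owner AND u.oracle_maintained = 'N'
  LEFT JOIN dba_col_comments cc
         ON cc.owner = c.owner
        AND cc.table_name = c.table_name
        AND cc.column_name = c.column_name
)
SELECT p.category,
       p.sensitivity,
       k.owner, k.table_name, k.column_name, k.data_type,
       CASE WHEN REGEXP_LIKE(k.column_name, p.col_regex, 'i')
            THEN 'COLUMN_NAME' ELSE 'COLUMN_COMMENT' END AS matched_on
FROM   candidate_cols k
JOIN   patterns p
       ON REGEXP_LIKE(k.column_name, p.col_regex, 'i')
       OR REGEXP_LIKE(k.comments,    p.cmt_regex, 'i')
ORDER  BY p.sensitivity DESC, k.owner, k.table_name, k.column_name;
```

Treat the result set as a candidate list to review, not a verdict: name-based discovery produces false positives (a PAN column that holds part numbers) and misses sensitive data stored under opaque column names, which is why the categories and patterns need tuning per application.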

Oracle’s Security Focus

Security should be on everyone’s mind and at the forefront of their activities. If it’s not already, it should be. And, assessing security is an iterative process, meaning: Assess, review, adjust—and repeat.

Oracle’s renewed focus on security and the updated DBSAT is a valuable tool to help us all in this area. Regardless of whether we have an old Oracle 10g database running on-premises or a brand new Oracle 18c cloud instance, DBSAT is a valuable asset. And, while it is at a level of maturity where it doesn’t do absolutely everything anyone could possibly want, it definitely does provide enough functionality and value to make it a must-have for supporting any Oracle database.