
Compliance & data security

November 22, 2006, 6:13pm PST | Length: 00:03:36
Sponsored: To comply with federal regulations such as the Sarbanes-Oxley Act, enterprises need to make sure their financial data is reliable, and thus secure. Paul Needham, Oracle's director of product management for database security, says organizations should focus on five key areas to improve data security. The content for this video was sponsored and provided by Oracle.

Transcript

Hi, my name is Paul Needham. I'm Director of Product Management for Database Security of Oracle Corporation. Today I'm going to talk to you about how regulations - such as Sarbanes-Oxley, which are compliance regulations - are driving the need for stronger data security. Today we're going to talk about five areas. They are very, very important for you as you strive to achieve strong data security within your enterprise.

The first is inbound data security. Inbound data security is very important for two reasons: One is network encryption. Network encryption is very important because data can be easily read on the network as it travels between the client and the back end database. So you want the information protected, so it cannot be read.

The second is strong authentication. Strong authentication is very important because you want to make sure that those who actually request access to your data have to provide strong credentials before they can do that.

The second area is what I call storage. We've all heard about tapes gone missing, or laptops being stolen, for example, and all that sensitive information, such as social security numbers, being lost. And so there's two areas in storage encryption that are important: The first is disk encryption - making sure that the data on the disk is actually encrypted.

The second area is backup tapes. Backup tapes, of course, hold a wealth of information. They're basically what you use to restore your system in case it goes down. Well, those backup tapes actually hold sensitive information - such as social security numbers, bank PINs, and credit card numbers - and you want to make sure that that information is encrypted on those tapes.

The third area is what I call access control, and access control is important because you want to make sure that folks such as your DBA don't have access to the sensitive information within the database. And that's what I call "separation of duty" - making sure the DBA can actually keep the database running, but doesn't have access to sensitive application data, such as a social security number and credit card.

A second area under access control, which I think is important, is basically controlling who, when, where, and how your database is accessed. For example, should data only be accessed within the confines of the building where the database is located, versus from the Internet? So those are two very important areas.

Let's move on, now, to the fourth area. The fourth area, I call monitoring, and when I talk about monitoring, what I mean is auditing. Auditing is becoming increasingly important to security, because basically, it lets you record who did what, when and where. And so you may trust everyone, but you want to verify that what they've done is within their job responsibility, and that's what auditing allows you to do. Almost all components have very, very strong auditing capabilities today, so most people are turning those on to actually audit users.

The fifth area is what I call policy. By policy, what I mean is configuration scanning, and by configuration scanning, what I mean is making sure that all the pieces we've talked about so far stay in place. So, inbound data security. The network encryption. Making sure it stays turned on. The strong authentication. Making sure it stays turned on. Storage. Making sure that your encryption actually stays turned on for sensitive information. Access control. Making sure that your separation of duty security stays in place. And, of course, auditing. The policy basically monitors your audit settings to make sure your audit settings stay correct.

So, in summary, your data security policy is what makes sure you stay compliant, so your policy is really what's critical here, and making sure that that stays enforced, so you will be compliant with regulations such as Sarbanes-Oxley.

For more information, go to oracle.com/security.
