While many companies think they're being proactive with
security, too many are addressing security at the application
level rather than the database level, according to Oracle
security expert Arup Nanda. Nanda, 32, a Norwalk, Conn.-based
DBA who runs Proligence, an Oracle consultancy, is co-author
of a new book called Oracle Privacy and Security Auditing. The
book focuses on security and auditing regulations for the
health care industry; these rules are part of HIPAA (the
Health Insurance Portability and Accountability Act of 1996).
In an interview with SearchOracle.com, Nanda discusses what
steps companies can take to meet the requirements of HIPAA,
Sarbanes-Oxley and other regulations without doling out
thousands of dollars in new software.

What are some of the most fundamental security precautions
that companies can take to protect their Oracle database?
Arup Nanda: Securing Oracle is not difficult, but some
companies don't follow the most basic steps. Actually it only
takes a little bit of diligence and systematic thinking. The
first is making sure that the Listener service is kept up to
date and that a password is set on it. Companies also fail to
realize that by using Oracle's SQL*Net function, you can
create a simple firewall for the database at no additional
cost. Lastly, Oracle's row-level security feature provides
access control at the individual row level. Rather than
opening up an entire table to any individual user who has any
privileges on the table, row-level security restricts access
to specific rows in a table.
What is your biggest concern regarding security?
Nanda: My biggest concern is that database security is not
being handled at the database level, but at the application
level. That can cause a lot of holes. Companies are currently
focusing on Sarbanes-Oxley compliance, HIPAA (Health Insurance
Portability and Accountability Act) regulations, and credit
card rules. Nearly all companies are working to create an
audit trail to comply with Sarbanes-Oxley and they are working
to ensure that their financial information is secure. With
HIPAA, pharmaceutical and insurance companies are working to
ensure that customer data is encrypted and out of the reach of
attackers. The hotel industry has always been concerned with
the rules credit card companies impose to protect customer
data. In order to be a partner with Visa, Mastercard or
American Express, companies must document their processes and
show that access to customer information is limited.
Why is security a large part of becoming compliant with
HIPAA regulations?
Nanda: HIPAA regulations, which affect all insurance and
pharmaceutical companies, require these companies to make sure
access to information, such as a customer's medical history
and Social Security numbers, is tightly controlled. Companies
were required to prove compliance by October of 2003, but many
got an extension until later this year.
In response, a lot of companies are documenting their
security processes. By doing this, they identify the potential
holes. I always check to see if there is a policy that
restricts access to information based on who an employee is.
For example, a customer service representative shouldn't see
any information except for the customers they handle.
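The following is a worked example, added here and not taken from the article or from Nanda's book, of the row-level security Nanda describes in his first answer and of the customer-service-representative restriction he gives above. It uses Oracle's Virtual Private Database feature (the DBMS_RLS package); the APP schema, the CUSTOMERS table with its ASSIGNED_REP column, and the CSR_ALICE and CSR_BOB accounts are constructed for the illustration. The network "firewall" he mentions is a separate mechanism, SQL*Net valid node checking, configured with TCP.VALIDNODE_CHECKING and TCP.INVITED_NODES or TCP.EXCLUDED_NODES in sqlnet.ora on the listener host, and is not shown here.

```sql
-- Added example (not from the article): Oracle VPD row-level security that
-- limits a customer-service representative to the customers assigned to them,
-- regardless of what object privileges the rep holds on the table.
-- Schema, table, column and account names are hypothetical.

-- Constructed sample table, owned by the hypothetical APP schema.
CREATE TABLE app.customers (
  cust_id      NUMBER PRIMARY KEY,
  cust_name    VARCHAR2(100),
  ssn          VARCHAR2(11),
  assigned_rep VARCHAR2(30)   -- database user name of the handling CSR
);

INSERT INTO app.customers VALUES (1, 'A. Patient', '111-22-3333', 'CSR_ALICE');
INSERT INTO app.customers VALUES (2, 'B. Patient', '444-55-6666', 'CSR_BOB');
COMMIT;

-- Policy function. DBMS_RLS invokes it with (schema, object) and appends the
-- predicate it returns to every statement of the registered types.
CREATE OR REPLACE FUNCTION app.csr_rows_only (
  p_schema IN VARCHAR2,
  p_object IN VARCHAR2
) RETURN VARCHAR2
AS
BEGIN
  -- The owning application account is unrestricted; '1=1' is an explicit
  -- always-true predicate so the intent is unambiguous.
  IF SYS_CONTEXT('USERENV', 'SESSION_USER') = 'APP' THEN
    RETURN '1=1';
  END IF;
  -- Everyone else sees only their own rows. The identity comes from the
  -- session context on the server, not from anything the client supplies.
  RETURN 'assigned_rep = SYS_CONTEXT(''USERENV'', ''SESSION_USER'')';
END;
/

-- Attach the policy to the table for reads and writes.
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'APP',
    object_name     => 'CUSTOMERS',
    policy_name     => 'CUSTOMERS_CSR_POLICY',
    function_schema => 'APP',
    policy_function => 'CSR_ROWS_ONLY',
    statement_types => 'SELECT, INSERT, UPDATE, DELETE',
    -- update_check => TRUE also rejects INSERTs and UPDATEs that would
    -- produce a row the current user is not allowed to see.
    update_check    => TRUE
  );
END;
/

-- Check 1: connected as CSR_ALICE (who has SELECT on the whole table),
-- only cust_id 1 is returned; the policy predicate is added transparently.
SELECT cust_id, cust_name FROM app.customers;

-- Check 2: connected as CSR_ALICE, trying to hand her customer to CSR_BOB
-- fails with ORA-28115 (policy with check option violation), because the
-- resulting row would no longer satisfy the predicate.
UPDATE app.customers SET assigned_rep = 'CSR_BOB' WHERE cust_id = 1;
```

The point of doing this in the database rather than in the application is the one Nanda makes throughout the interview: a rep who connects with SQL*Plus, a reporting tool, or a compromised application account still hits the same predicate, because the restriction is attached to the table, not to one code path.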
What are some steps companies can take to protect their
critical financial data?
Nanda: It's simple for companies to take some security
measures and protect themselves from people who come through
the application server and Web servers. Companies securing
themselves must ensure that the network itself is protected.
Protection is needed from an outsider who can come into a
network and sniff or just view packets of information flowing
across the network. Data can flow across the network encrypted to protect
the information from spoofing, which is the modifying of that
data. This is all very important and relatively easy to do.
Arup Nanda is the co-author of
Oracle Privacy Security Auditing by Rampant TechPress.