While many companies think they're being proactive with security, too many are addressing security at the application level rather than the database level, according to Oracle security expert Arup Nanda. Nanda, 32, a Norwalk, Conn.-based DBA who runs Proligence, an Oracle consultancy, is co-author of a new book called Oracle Privacy and Security Auditing. The book focuses on security and auditing regulations for the health care industry; these rules are part of HIPAA (the Health Insurance Portability and Accountability Act of 1996). In an interview with SearchOracle.com, Nanda discusses what steps companies can take to meet the requirements of HIPAA, Sarbanes-Oxley and other regulations without doling out thousands of dollars in new software.

What are some of the most fundamental security precautions that companies can take to protect their Oracle database?

Arup Nanda: Securing Oracle is not difficult, but some companies don't follow the most basic steps. Actually, it only takes a little bit of diligence and systematic thinking. The first is making sure that the Listener service is kept up to date and that a password is set on it. Companies also fail to realize that by using Oracle's SQL*Net function, you can create a simple firewall for the database at no additional cost. Lastly, Oracle's row-level security feature provides access control at the individual row level. Rather than opening up an entire table to any individual user who has any privileges on the table, row-level security restricts access to specific rows in a table.

What is your biggest concern regarding security?

Nanda: My biggest concern is that database security is not being handled at the database level, but at the application level. That can cause a lot of holes. Companies are currently focusing on Sarbanes-Oxley compliance, HIPAA (Health Insurance Portability and Accountability Act) regulations, and credit card rules. Nearly all companies are working to create an audit trail to comply with Sarbanes-Oxley and they are working to ensure that their financial information is secure. With HIPAA, pharmaceutical and insurance companies are working to ensure that customer data is encrypted and out of the reach of attackers. The hotel industry has always been concerned with the rules credit card companies impose to protect customer data. In order to be a partner with Visa, Mastercard or American Express, companies must document their processes and show that access to customer information is limited.

Why is security a large part of becoming compliant with HIPAA regulations?

Nanda: HIPAA regulations, which affect all insurance and pharmaceutical companies, require these companies to make sure access to information, such as a customer's medical history and Social Security numbers, is tightly controlled. Companies were required to prove compliance by October of 2003, but many got an extension until later this year.

In response, a lot of companies are documenting their security processes. By doing this, they identify the potential holes. I always check to see if there is a policy that restricts access to information based on who an employee is. For example, a customer service representative shouldn't see all information except for the customers they handle.

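As an added illustration (not from the interview, and not Nanda's or Oracle's published code) of the row-level security feature mentioned in the first answer and of the access policy just described, here is an Oracle Virtual Private Database policy that limits a customer service representative to the customers assigned to them; the schema, table, column and policy names are assumptions.

```sql
-- Added example: Oracle row-level security (Virtual Private Database, DBMS_RLS).
-- A rep connected as their own database user sees only their customers, even
-- though the rep holds SELECT on the whole table. Names are assumptions.

-- Constructed sample table: each customer is assigned to one rep (DB user).
CREATE TABLE app.customers (
  cust_id    NUMBER PRIMARY KEY,
  cust_name  VARCHAR2(100),
  ssn        VARCHAR2(11),
  rep_user   VARCHAR2(30)    -- database user name of the assigned rep
);

INSERT INTO app.customers VALUES (1, 'Alice Example', '000-00-0001', 'REP_SMITH');
INSERT INTO app.customers VALUES (2, 'Bob Example',   '000-00-0002', 'REP_JONES');
COMMIT;

-- Policy function: Oracle calls it with (schema, object) and appends the
-- returned predicate to every statement on the table. The predicate is built
-- from the authenticated session user, not from a value the application
-- passes in, so the restriction cannot be bypassed at the application tier.
CREATE OR REPLACE FUNCTION app.cust_rls_predicate (
  p_schema IN VARCHAR2,
  p_object IN VARCHAR2
) RETURN VARCHAR2
AS
BEGIN
  RETURN 'rep_user = SYS_CONTEXT(''USERENV'', ''SESSION_USER'')';
END;
/

-- Attach the policy to reads and writes. update_check => TRUE also rejects
-- an UPDATE/INSERT that would move a row outside the rep's own visible set.
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'APP',
    object_name     => 'CUSTOMERS',
    policy_name     => 'CUST_BY_REP',
    function_schema => 'APP',
    policy_function => 'CUST_RLS_PREDICATE',
    statement_types => 'SELECT,INSERT,UPDATE,DELETE',
    update_check    => TRUE);
END;
/

-- Connected as REP_SMITH, this returns only Alice's row:
SELECT cust_id, cust_name FROM app.customers;
```

Users holding the EXEMPT ACCESS POLICY privilege (and SYS) bypass VPD policies, so that privilege should be granted sparingly and audited.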
What are some steps companies can take to protect their critical financial data?

Nanda: It's simple for companies to take some security measures and protect themselves from people who come through the application server and Web servers. Companies securing themselves must ensure that the network itself is protected. Protection is needed from an outsider who can come into a network and sniff or just view packets of information flowing across the network. Data can flow across the network encrypted to protect the information from spoofing, which is the modifying of that data. This is all very important and relatively easy to do.