Written by Don Burleson, one of the world's most widely-read developers and author of best-selling Oracle books, and Arup Nanda, this important book applies their substantial knowledge of Oracle internals to HIPAA auditing. With decades of experience installing Oracle auditing, Arup Nanda shares secrets for the effective creation of auditing mechanisms for HIPAA-compliant Oracle systems.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was created to ensure privacy for medical patient data. HIPAA requires complete auditing to show everyone who has viewed confidential medical patient information. This applies to hospitals, insurance companies, and dozens of healthcare-related industries. HIPAA provides a framework for complete access security and auditing of Oracle database information.
This book provides complete details for using Oracle auditing features, including auditing from Oracle redo logs, using system-level triggers, and using Oracle9i fine-grained auditing (FGA) to audit the retrieval of sensitive information. Best of all, Burleson and Nanda share dozens of working samples in their online code depot. Examples from all areas of auditing are covered with working scripts and code snippets. The time saved by a single script is worth the price of this great book.
* Provides a complete conceptual framework for all areas of Oracle auditing.
* Covers HIPAA requirements and shows Oracle techniques for enforcing HIPAA requirements inside the Oracle database.
* Offers fast working examples for basic Oracle auditing techniques and scripts.
* Shows the use of the Oracle9i LogMiner to retrieve audits of
* Shows how to implement all Oracle system-level triggers for auditing, including DDL triggers, servererror triggers, and login and log-off triggers.
* Provides working code examples for auditing the viewing of sensitive information using triggers and Oracle9i fine grained
About the Authors:
Arup Nanda is the recipient of the DBA of the Year 2003 award from Oracle Corporation. This award is among the most highly coveted in the database industry, and each year only one of more than a quarter million Oracle professionals is honored by this distinction. A decade of experience as a DBA has made Arup an expert in many Oracle areas including Oracle Design, Oracle Modeling, Oracle Performance Tuning and Oracle Backup &
Arup is a frequent speaker in many Oracle
related conferences including IOUG Live and has written
several Oracle related articles in technical journals in the
US and Europe. He is on the editorial board for SELECT
Journal, the publication of the International Oracle Users
Don Burleson is one of the world’s top Oracle Database experts
with more than 20 years of full-time DBA experience. He
specializes in creating database architectures for very large
online databases and he has worked with some of the world’s
most powerful and complex systems. A former
Adjunct Professor, Don Burleson has written 14 books, published more than 100 articles in national magazines, and serves as Editor-in-Chief of Oracle Internals. Don is a
popular lecturer and teacher and is a frequent speaker at
Oracle Openworld and other international database conferences.
Table of Contents:
Section I - Overview
Introduction to HIPAA
An introduction to HIPAA: the law, its requirements and the mandates placed by the new regulation. The chapter stresses that HIPAA consists of two important domains: (i) the mandate to protect data and enforce security and privacy, and (ii) the description of several types of EDI/EC transactions. This book covers the first domain, pertaining to security and data
Chapter 2: Introduction to Oracle Security
A detailed overview of the Oracle security mechanisms and their
relevance to HIPAA.
Profile based security
Grant execute security (invoker & definer rights)
Virtual private databases (row-level security, fine-grained access control)
Application Server Security
Introduction to Oracle Auditing
An overview of the tools and techniques that are used for HIPAA
auditing of Oracle databases.
Oracle audit SQL commands
Auditing backup & recovery
Auditing disaster recovery plan
Auditing continuous availability plan
Auditing replicated data
Auditing sources for materialized views
Chapter 4: General
This is a review of the standard relational grant security as
expected in the HIPAA requirements.
Granting to public
Grants with ADMIN option
Views and grant security
Row-level security with views
Grant execute security
Definer rights and invoker rights.
The use of product_user_profile
Restricting Logon Attempts
Chapter 5: Virtual
Topics include a detailed description of VPD and how it can be used to enforce security and privacy as per HIPAA requirements.
Benefits of FGAC
Dynamic security – Predicates are assigned to users at runtime, and there is no need to maintain complex roles.
Multiple security – Place more than one policy on each object, as well as stack them upon other base policies.
No dictionary view proliferation – Thousands of views are no longer required to manage row-level security.
No back-doors – Users no longer bypass security policies embedded in applications, because the security policy is attached to the data.
Complex access rules – Scalar values (e.g. where salary > 50000) can be deployed.
Issues with FGAC
Requires a user account for every person accessing
Difficult to reconcile with other GRANT security
Access rules are stored inside stored procedures, which can be changed.
Foreign key referential integrity can be used to
Cursor caching in pre-8.1.7 allows bypassing of
Predicate-based security internals
Example of FGAC in action
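As an added example (not code from the book or its code depot), the following Oracle PL/SQL shows the mechanism the benefits list above describes: a row-level predicate is attached to the table itself through DBMS_RLS and is derived at runtime from an application context, so it applies whatever tool or application issues the statement and no per-user views have to be maintained. The schema PHI, the tables PATIENT_RECORDS and STAFF_FACILITY, and every other object name are assumptions.

```sql
-- Added example, not from the book. All object names are assumptions.

-- Constructed sample table holding protected health information.
CREATE TABLE phi.patient_records (
    patient_id   NUMBER        PRIMARY KEY,
    facility_id  NUMBER        NOT NULL,
    diagnosis    VARCHAR2(200)
);

-- Constructed lookup: which facility each database user works at.
CREATE TABLE phi.staff_facility (
    username     VARCHAR2(30)  PRIMARY KEY,
    facility_id  NUMBER        NOT NULL
);

-- Application context: its attributes can only be set through the
-- package named here, so a session cannot forge its own facility_id.
CREATE CONTEXT hipaa_ctx USING phi.hipaa_ctx_pkg;

CREATE OR REPLACE PACKAGE phi.hipaa_ctx_pkg AS
    PROCEDURE set_facility;
END hipaa_ctx_pkg;
/
CREATE OR REPLACE PACKAGE BODY phi.hipaa_ctx_pkg AS
    PROCEDURE set_facility IS
        v_facility NUMBER;
    BEGIN
        SELECT facility_id INTO v_facility
          FROM phi.staff_facility
         WHERE username = SYS_CONTEXT('USERENV', 'SESSION_USER');
        DBMS_SESSION.SET_CONTEXT('hipaa_ctx', 'facility_id',
                                 TO_CHAR(v_facility));
    EXCEPTION
        WHEN NO_DATA_FOUND THEN
            NULL;  -- unmapped user: attribute stays NULL, policy yields no rows
    END set_facility;
END hipaa_ctx_pkg;
/

-- Populate the context at login (creating this needs the
-- ADMINISTER DATABASE TRIGGER privilege).
CREATE OR REPLACE TRIGGER phi.hipaa_ctx_logon
    AFTER LOGON ON DATABASE
BEGIN
    phi.hipaa_ctx_pkg.set_facility;
END;
/

-- Policy function: Oracle calls it with the schema and object name and
-- appends the returned predicate to every statement against the table.
CREATE OR REPLACE FUNCTION phi.facility_predicate (
    p_schema IN VARCHAR2,
    p_object IN VARCHAR2) RETURN VARCHAR2 IS
BEGIN
    -- A NULL context value makes the comparison false for every row,
    -- so a user with no facility mapping sees nothing (fail closed).
    RETURN 'facility_id = TO_NUMBER(SYS_CONTEXT(''hipaa_ctx'', ''facility_id''))';
END facility_predicate;
/

-- Attach the policy to the data itself. update_check => TRUE also
-- blocks INSERT/UPDATE of rows that would belong to another facility.
BEGIN
    DBMS_RLS.ADD_POLICY(
        object_schema   => 'PHI',
        object_name     => 'PATIENT_RECORDS',
        policy_name     => 'FACILITY_ROWS',
        function_schema => 'PHI',
        policy_function => 'FACILITY_PREDICATE',
        statement_types => 'SELECT, INSERT, UPDATE, DELETE',
        update_check    => TRUE);
END;
/

-- An unqualified query now returns only the caller's facility; Oracle
-- rewrites it with the predicate before execution.
SELECT patient_id, diagnosis FROM phi.patient_records;
```

Two of the "Issues with FGAC" items show up directly in this code. The predicate keys off SESSION_USER, which is why every person needs their own database account (an application using one shared account would instead have to set the context attribute from its own authenticated user, still only through the trusted package). And the access rule lives in the stored function FACILITY_PREDICATE, so that function and the package should sit in a locked-down schema with DDL auditing on them, which is the subject of the auditing chapters that follow.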
Chapter 6: Data Encryption in Oracle
A description of all types of encryption (available in Oracle)
to satisfy HIPAA requirements.
Types of encryption – DES, 3DES, MD5, etc.
Details on using the dbms_obfuscation_toolkit
Using hashing functions to encrypt data
Using data compression as encryption
Chapter 7: Oracle Network
Vulnerabilities and threats in Oracle Networks
Listener Buffer Overflow
IP Filtering with Connection Manager
Section III - Auditing
Chapter 8: Oracle
Audits in Oracle for various DML statements
Managing audit tables
Archiving Audit Tables to archival media like CD-ROM or tape
Various examples describing the auditing functionality in Oracle.
Chapter 9: Oracle
System triggers for DDL auditing
Using Dictionary-based DDL
Auditing source code changes
Auditing DDL versioning
Installing Automatic Auditing Using LogMiner
Usage of Logminer for HIPAA update auditing
Auditing with DML triggers
Server Error Auditing
Chapter 10: Auditing Grants Security
Overview of data dictionary query scripts to locate faults in grant-based and role-based security to satisfy HIPAA requirements.
Auditing for system
Auditing for WITH ADMIN
Auditing for synonyms
Auditing for PUBLIC objects
Chapter 11: Oracle Fine Grained Auditing
Fine Grained Auditing (FGA) in Oracle 9i makes possible what was previously impossible: auditing the exact statement a user issued simply to select data, not update it, as HIPAA requires.
Use of the dbms_fga package
Auditing select access as per the HIPAA-mandated auditing of Patient Health Information (PHI).
Archiving of audit information to tertiary media (optimally CD-ROM and tape).
Combining FGA and Flashback queries to answer the most important question beyond who saw the data: what they saw.
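As an added example (not code from the book or its code depot), this Oracle9i PL/SQL shows the two things the chapter summary names: a DBMS_FGA policy that records each SELECT touching a sensitive column together with the exact statement text, and a flashback query driven by the SCN in the audit trail to show what the reader actually saw. The schema PHI and the table PATIENT_RECORDS (patient_id, facility_id, diagnosis) are assumptions, and the SCN value is a labelled placeholder.

```sql
-- Added example, not from the book. Assumes a PHI.PATIENT_RECORDS table
-- with columns patient_id, facility_id and diagnosis, and Oracle9i DBMS_FGA.

-- Audit every SELECT that touches the DIAGNOSIS column. A NULL
-- audit_condition records the read whichever rows it hits; a condition
-- such as 'facility_id <> 1' would narrow the policy to some rows only.
-- (handler_schema/handler_module could name a procedure to call on each
-- hit, e.g. to raise an alert; they are left at their defaults here.)
BEGIN
    DBMS_FGA.ADD_POLICY(
        object_schema   => 'PHI',
        object_name     => 'PATIENT_RECORDS',
        policy_name     => 'PHI_DIAGNOSIS_READS',
        audit_condition => NULL,
        audit_column    => 'DIAGNOSIS',
        enable          => TRUE);
END;
/

-- This read lands in the audit trail because it selects DIAGNOSIS ...
SELECT patient_id, diagnosis
  FROM phi.patient_records
 WHERE patient_id = 1001;

-- ... this one does not, because the audited column is never touched.
SELECT COUNT(*) FROM phi.patient_records;

-- Who saw PHI, from which host, when, and the exact statement issued.
-- (DBA_FGA_AUDIT_TRAIL is a DBA view; the audit reviewer needs access to it.)
SELECT db_user, os_user, userhost, timestamp, scn, sql_text
  FROM dba_fga_audit_trail
 WHERE object_schema = 'PHI'
   AND object_name   = 'PATIENT_RECORDS'
 ORDER BY timestamp;

-- What they saw: the trail stores the SCN of each audited read, so a
-- flashback query returns the rows as they stood at that instant even
-- if the record has since been changed (while undo data is still
-- retained). 1234567 is a placeholder for the SCN taken from the row above.
SELECT patient_id, facility_id, diagnosis
  FROM phi.patient_records AS OF SCN 1234567
 WHERE patient_id = 1001;
```

The point of pairing the two queries is that the audit trail alone answers "who ran what"; only the SCN plus a flashback query answers "what data that statement returned", which is the disclosure question a HIPAA review actually asks. Note that DBA_FGA_AUDIT_TRAIL grows with every audited read, so the archiving step listed above (moving old rows to tertiary media) is part of running this policy, not an afterthought.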
Chapter 12: HIPAA Checklists for Security and Auditing
A checklist of HIPAA requirements
(and the Oracle features described in this book) that can be
used to satisfy the requirements.
This book covers Oracle security
Access Control List
Context Based Access
Data Manipulation Language
Designated Record Set
Digital Encryption Standard
Discretionary Access Control
Federal Information Processing Standards
Fine Grained Access Control
Mandatory Access Control
Network Address Translation
Patient Health Information
Protected Health Information
Safe Harbor Act
Safe Harbor Law
User ID Bit
Transparent Network Substrate
Virtual Private Database
Cardholder Security Agreement
One reader says:
I was waiting for this to come on Bookpool. I think I have
recovered more than it's worth. At least the section on Virtual
Private Database along with application contexts is simply
excellent. The authors know their stuff.
Tiara from Hartford, CT says:
I bought this book to learn more about Virtual Private
Database which I am implementing now - and it was a pleasant
surprise to see that not only that but all other areas are detailed
as well. The chapter on VPD goes much beyond the Oracle common
references and explains concepts like application contexts, in
such clarity and relative to real life examples that the
chapter alone may be worth the price of the book.
Other things that make the book a must read - the material on
listener security, simple firewall settings, fine grained
auditing, and the 10g features. SQL Injection and Application User
models described in the book were exactly what we were missing and
we got it in this.
A reader from San Diego says:
I haven't finished reading my copy yet, but I had to chime
in to concur with the previous reviews: this book is terribly well
laid out. The writing is clear and descriptive, but almost as
important, it's rather engaging. That helps when trying to dig to
the bottom of these often daunting security concepts.
Another reviewer covered this, but I have to say that my
favorite parts are also the chapter summaries. They do a great job
of recapping the details that were covered. Having all that
information covered in such depth is great, but I'd probably have
forgotten each chapter's contents had there not been that nice,
succinct conclusion at each one's end.
book for Oracle shops, July 11, 2004
This remarkable book covers how to use
Oracle 9i security and auditing facilities
to achieve compliance with three major laws.
While the book emphasizes HIPAA, it also
addresses, either directly or indirectly,
privacy security and auditing with respect
to the Gramm-Leach-Bliley Act (Subtitle A:
Disclosure of Nonpublic Personal Information
15 U.S.C. 6801-6810 and Subtitle B:
Fraudulent Access to Financial Information
15 U.S.C. 6821-6827), HIPAA requirements for
protecting data and enforcing security and
privacy, and Sarbanes-Oxley Act Section 404
requirements related to integration of
transactional systems, logs and auditing
trails, and data security.
Structure of this book is in three
Section I gives an introduction to
HIPAA, Oracle security and Oracle auditing.
Among the topics covered are grant,
role-based, and profile based security, as
well as virtual private databases (row-level
security, fine-grained access control), and
application server security.
Section II goes deeper into general
Oracle security, covering relational grant
security as it relates specifically to HIPAA
(but can be also used for Gramm-Leach-Bliley
and Sarbanes-Oxley compliance because the
requirements are similar regarding these
mechanisms and techniques). Also covered are
encryption and network security.
Section III deals with auditing using
Oracle facilities, tables, DDL and DML, and
covers the spectrum from grants auditing to
fine-grained audits. Again, the focus is on
HIPAA requirements (Chapter 11, for example,
contains the following topics: Auditing
select access as per the HIPAA mandated
auditing of Patient Health Information, and
Combining FGA and Flashback queries to
answer the most important question in
addition to who saw the data, what they
saw.) This section ends with HIPAA security
and auditing checklists, which can be also
applied to Sarbanes-Oxley and
Gramm-Leach-Bliley security and auditing.
This book is an outstanding addition to
bodies of knowledge spanning three
disciplines - internal auditing, DBA, and IT
security & privacy. A copy should be
provided to managers and subject matter
experts in each of those domains.