Compliance & data security

Sponsored: To comply with federal regulations such as the Sarbanes-Oxley Act, enterprises need to make sure their financial data is reliable, and thus secure. Paul Needham, Oracle's director of product management for database security, says organizations should focus on five key areas to improve data security. The content for this video was sponsored and provided by Oracle.

Hi, my name is Paul Needham. I'm Director of Product Management for Database Security at Oracle Corporation. Today I'm going to talk to you about how regulations - such as Sarbanes-Oxley, which are compliance regulations - are driving the need for stronger data security. Today we're going to talk about five areas. They are very, very important for you as you strive to achieve strong data security within your enterprise.

The first is inbound data security. Inbound data security is very important for two reasons: One is network encryption. Network encryption is very important because data can be easily read on the network as it travels between the client and the back end database. So you want the information protected, so it cannot be read.

The second is strong authentication. Strong authentication is very important because you want to make sure that those who actually request access to your data have to provide strong credentials before they can do that.

The second area is what I call storage. We've all heard about tapes gone missing, or laptops being stolen, for example, and all that sensitive information, such as social security numbers, being lost. And so there are two areas in storage encryption that are important: The first is disk encryption - making sure that the data on the disk is actually encrypted.

The second area is backup tapes. Backup tapes, of course, hold a wealth of information. They're basically what you use to restore your system in case it goes down. Well, those backup tapes actually hold sensitive information - such as social security numbers, bank PINs, and credit card numbers - and you want to make sure that that information is encrypted on those tapes.

The third area is what I call access control, and access control is important because you want to make sure that folks such as your DBA don't have access to the sensitive information within the database. And that's what I call "separation of duty" - making sure the DBA can actually keep the database running, but doesn't have access to sensitive application data, such as a social security number or credit card number.

A second area under access control, which I think is important, is basically controlling who, when, where, and how your database is accessed. For example, should data only be accessed within the confines of the building where the database is located, versus from the Internet? So those are two very important areas.

Let's move on, now, to the fourth area. The fourth area I call monitoring, and when I talk about monitoring, what I mean is auditing. Auditing is becoming increasingly important to security, because basically, it lets you record who did what, when, and where. And so you may trust everyone, but you want to verify that what they've done is within their job responsibility, and that's what auditing allows you to do. Almost all components have very, very strong auditing capabilities today, so most people are turning those on to actually audit users.

The fifth area is what I call policy. By policy, what I mean is configuration scanning, and by configuration scanning, what I mean is making sure that all the pieces we've talked about so far stay in place. So, for inbound data security: the network encryption, making sure it stays turned on; the strong authentication, making sure it stays turned on. For storage: making sure that your encryption actually stays turned on for sensitive information. For access control: making sure that your separation of duty security stays in place. And, of course, auditing: the policy basically monitors your audit settings to make sure your audit settings stay correct.

So, in summary, your data security policy is what makes sure you stay compliant. Your policy is really what's critical here, and making sure that it stays enforced is how you will be compliant with regulations such as Sarbanes-Oxley.

For more information, go to oracle.com/security.