What is Database Encryption?
Security auditors look for airtight security systems that prevent exploitation of vulnerabilities by adhering to a system of checks and balances that stops security controls from being bypassed. Implementing strict security principles and adhering to organisational security policy may require that the Database Administrator (DBA) is prevented from accessing database audit logs or from viewing particular rows or columns of data.
While the DBA is generally considered a ‘trusted’ party with regard to permitting access to information stored in databases, the DBA’s ability to access and, potentially, tamper with database audit logs conflicts with the separation of duties principle. Audit log files, therefore, must be stored outside of the database tablespace where the DBA cannot access them. Storing the files in an operating system directory, however, leaves them outside the sphere of the database vendor’s traditional protection, and vulnerable to access by other unauthorised users if not properly protected.
A security solution is needed to prevent exploitation of audit logs stored outside of the database domain.
Why is Database Encryption Important?
IT administrators responsible for applications, networks and data management often require root privileges to perform their job duties. Root privileges may also provide them with the ability to access and view information which they do not have a need to know, especially when it conflicts with the organisation’s security policy, privacy legislation or industry best practices for the safekeeping of sensitive data.
With the increasing awareness of insider attacks targeting valuable information, this is a significant point of interest for auditors and security officers. The limitations of existing security solutions have made it unavoidable that anyone requiring root privilege is automatically awarded trusted status. Implementing effective internal security requires controlling the scope of root privileges and preventing root users from using operating system commands to view, copy or alter DBMS files. Any resource files located outside the control of the DBMS environment and potentially vulnerable to compromise should also be protected from unauthorised access and tampering.
Recognition of the vulnerabilities to stored data has led to the passage of a variety of legislative and regulatory mandates targeted at ensuring security for personal and confidential information. Information stored in databases is frequently affected by these measures since personal data is most often organised into a structured format for convenient access and processing. Data encryption, a commonly prescribed security measure that protects against unauthorised users accessing or copying sensitive data from storage or archives, can be a challenge to implement using Oracle or SQL once the DBMS and applications are operational. A robust encryption solution requires that encryption keys be stored in a secure location off the host server, where they cannot be obtained by attackers, and that they be backed up for data recovery purposes. The solution must also perform well enough that encryption does not noticeably slow the database. A transparent, scalable, easy to install, and easy to manage encryption solution is needed to avoid disruption of IT operations.
Scenario 1: Protected Oracle log, library and configuration files
In this scenario, Digital Pathways CoreGuard encryption has been added specifically to protect the audit log files and any configuration files located in operating system file directories. Locating the audit logs here removes them from the sphere of influence of the DBA in accordance with auditing or regulatory requirements. CoreGuard security can assure auditors and management that unauthorised system administrators, external attackers, or other unauthorised users are prevented from accessing and viewing the protected files.
Since CoreGuard takes a deterministic approach to protecting data files, specifically associating authorised applications with protected data targets to define the permitted accesses, any access attempt that is not specifically authorised is denied by default. Users with root privilege can also be restricted from running OS commands to view or copy protected data files. Any other potentially vulnerable configuration files located in an OS file directory could also be protected using a similar policy definition. Note that while creating and testing these policies, the policy can be run in Warn mode, whereby violations are alerted but access is not denied, permitting adjustments to be made as required before locking down the protection policies.
Scenario 2: Complete Oracle environment security
In this scenario, CoreGuard security has been expanded to lock down the Oracle (or any other database) environment, preventing any unauthorised persons or processes from bypassing Oracle security to access or alter protected data files.
Data protection policies are implemented that:
• Protect audit logs in the OS file directory (refer to Scenario 1)
• Protect resource files for Oracle and database applications
• Encrypt database files
Since data integrity, rather than preventing unauthorised viewing of Oracle resource files, is the overriding concern, the Oracle resource files are cryptographically signed but not encrypted. Database application resource files can be protected as well, provided that a CoreGuard PEM has been installed on the application host.
Protecting the database files themselves with encryption requires that the Oracle DBMS be able to access and view (decrypt) them as required. Other applications, such as file backup, are given access privileges to the encrypted data files but are denied data viewing privileges. This ensures that administrators who need data access to perform their jobs are granted those privileges, but cannot misuse them to view database content.
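The distinction drawn above, signing a resource file so that tampering is detected while the file itself stays readable, is illustrated by the following added example. It is not CoreGuard's code and it says nothing about how a PEM stores or checks signatures; it uses a plain HMAC-SHA256 over a constructed sqlnet.ora-style fragment with a placeholder key, and shows that an edited copy fails verification while the original remains plaintext.

```python
import hashlib
import hmac

# Constructed sample resource file (an Oracle sqlnet.ora-style fragment, not taken
# from any real system). Note that it stays readable: integrity, not secrecy, is the goal.
SAMPLE_RESOURCE = b"SQLNET.AUTHENTICATION_SERVICES = (NTS)\nSQLNET.EXPIRE_TIME = 10\n"

# A tampered copy, as an attacker or careless administrator might leave it.
TAMPERED_RESOURCE = SAMPLE_RESOURCE.replace(b"(NTS)", b"(NONE)")

# Placeholder key; a real deployment would keep the key off the host, as the text requires.
DEMO_KEY = b"constructed-demo-key-do-not-use"


def sign_resource(contents: bytes, key: bytes) -> bytes:
    """Return an HMAC-SHA256 tag over the file contents (the 'signature' stored alongside)."""
    return hmac.new(key, contents, hashlib.sha256).digest()


def verify_resource(contents: bytes, key: bytes, tag: bytes) -> bool:
    """Constant-time comparison so the check itself does not leak the tag."""
    return hmac.compare_digest(sign_resource(contents, key), tag)


def demo() -> dict:
    """Sign the original, then check the original and the tampered copy against that tag."""
    tag = sign_resource(SAMPLE_RESOURCE, DEMO_KEY)
    return {
        "original_verifies": verify_resource(SAMPLE_RESOURCE, DEMO_KEY, tag),
        "tampered_verifies": verify_resource(TAMPERED_RESOURCE, DEMO_KEY, tag),
        # The signed file is still plaintext: anyone with read access can inspect it.
        "still_readable": b"EXPIRE_TIME" in SAMPLE_RESOURCE,
    }


if __name__ == "__main__":
    print(demo())
```

A signed-but-unencrypted file gives the DBMS and its administrators full visibility into configuration while letting the protection layer refuse to load a file whose tag no longer matches; an HMAC is used here only because it is self-contained, and a public-key signature would serve the same purpose where the verifier must not hold the signing key.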
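The policy behaviour described in Scenarios 1 and 2 (deny by default, root restricted from OS commands on protected files, a Warn mode that alerts without blocking, and the backup process allowed to copy encrypted data files but not to see plaintext) is modelled in the added Python example below. It is an illustration written for this page, not CoreGuard's policy engine or its configuration format; the directory paths, program names and user names are constructed placeholders, and the split between an "access" right (read the stored bytes) and a "view" right (obtain plaintext) is the page's own distinction expressed as two rights.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Tuple


class Right(Enum):
    ACCESS = "access"   # open or copy the stored bytes (ciphertext for an encrypted target)
    VIEW = "view"       # obtain plaintext, i.e. the target is decrypted for the caller


@dataclass(frozen=True)
class Rule:
    target: str          # directory prefix the rule covers
    process: str         # authorised program name
    user: Optional[str]  # None means any user running that program
    rights: frozenset    # Right values granted by this rule

    def matches(self, user: str, process: str, path: str, right: Right) -> bool:
        return (path.startswith(self.target)
                and process == self.process
                and (self.user is None or user == self.user)
                and right in self.rights)


@dataclass
class Policy:
    rules: List[Rule]
    warn_mode: bool = False  # True: alert on violations but do not block (testing phase)
    events: List[Tuple[str, str, str, str, str]] = field(default_factory=list)

    def decide(self, user: str, process: str, path: str, right: Right) -> bool:
        """Deny by default: only an explicitly matching rule grants the request."""
        if any(r.matches(user, process, path, right) for r in self.rules):
            self.events.append(("ALLOW", user, process, path, right.value))
            return True
        if self.warn_mode:
            self.events.append(("WARN", user, process, path, right.value))
            return True
        self.events.append(("DENY", user, process, path, right.value))
        return False


# Constructed placeholder paths; they stand for the OS directories the text refers to.
AUDIT_DIR = "/u01/app/oracle/admin/orcl/adump/"
DATA_DIR = "/u01/oradata/orcl/"


def build_policy(warn_mode: bool = False) -> Policy:
    return Policy(rules=[
        # Scenario 1: only the database server process may read its own audit logs
        Rule(AUDIT_DIR, "oracle", "oracle", frozenset({Right.ACCESS, Right.VIEW})),
        # Scenario 2: the DBMS may decrypt data files ...
        Rule(DATA_DIR, "oracle", "oracle", frozenset({Right.ACCESS, Right.VIEW})),
        # ... while the backup agent may copy ciphertext but never sees plaintext
        Rule(DATA_DIR, "backup-agent", None, frozenset({Right.ACCESS})),
    ], warn_mode=warn_mode)


def run_sample() -> dict:
    """Evaluate constructed access attempts in enforce mode, then one in Warn mode."""
    audit_file = AUDIT_DIR + "orcl_ora_4242.aud"
    data_file = DATA_DIR + "users01.dbf"
    enforce = build_policy()
    results = {
        # a root shell using an OS command on the audit log is not an authorised pairing
        "root_cat_audit": enforce.decide("root", "cat", audit_file, Right.VIEW),
        "oracle_reads_audit": enforce.decide("oracle", "oracle", audit_file, Right.VIEW),
        "backup_copies_dbf": enforce.decide("backup", "backup-agent", data_file, Right.ACCESS),
        "backup_views_dbf": enforce.decide("backup", "backup-agent", data_file, Right.VIEW),
        # an authorised program is still denied outside the targets it is paired with
        "backup_copies_audit": enforce.decide("backup", "backup-agent", audit_file, Right.ACCESS),
    }
    results["enforce_events"] = [e[0] for e in enforce.events]

    warn = build_policy(warn_mode=True)
    results["root_cat_audit_warn"] = warn.decide("root", "cat", audit_file, Right.VIEW)
    results["warn_events"] = [e[0] for e in warn.events]
    return results


if __name__ == "__main__":
    for name, value in run_sample().items():
        print(name, value)
```

The event list is the part an auditor cares about: in enforce mode a denied attempt by root leaves a DENY record rather than a readable audit log, and in Warn mode the same attempt succeeds but leaves a WARN record, which is what lets the policy be tuned before it is locked down.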