RealTime IT News

Does Oracle's Database Need More Security?

Four times a year Oracle releases its Critical Patch Update (CPU), which often reveals database flaws numbering in the double digits. But for users who want to take additional steps to secure their Oracle databases, rather than wait for the quarterly CPU, there are other options.

This week, database security vendor Sentrigo will release an update to Hedgehog, a security solution that defends against unauthenticated attacks launched against Oracle databases.

According to Slavik Markovich, founder and CTO of Sentrigo, many of the SQL injection attacks and other attacks that exploit vulnerabilities in Oracle don't require user authentication.

"Some of the vulnerabilities that were recently patched in the latest Oracle CPU belong to that group, and since many enterprises do not immediately apply those CPUs and sometimes never apply them for various reasons, they remain vulnerable," Markovich told InternetNews.com.

"Hedgehog comes with a set of predefined rules that address many such vulnerabilities, and provide virtual patching with no need for downtime. The rules can trigger alerts or terminate the suspicious sessions, depending on the type of vulnerability and user preference."

In the latest release of Hedgehog, Sentrigo has added new action scripts that further expand database defenses. Markovich said Hedgehog rules previously triggered one or more of several predefined actions: issue an alert, send e-mail, write to log, or terminate user session.

"We've now added action scripts to those triggered actions, so that customers can use a rule to run their own script that would do whatever they wish to do -- for example send a text message to someone, run a backup, shut down applications, print out a report."

Sentrigo has also added features allowing users to tag rules and databases. Markovich said there are several dimensions along which enterprises may find it useful to categorize databases and rules for security and compliance purposes.

For instance, there may be a set of rules intended to protect against privileged user access. They will have certain characteristics in terms of the types of statements, database objects and access methods they apply to, and may send alerts to a person outside the IT organization or database group.

Some of the same rules may also be applicable to Sarbanes-Oxley compliance or PCI-DSS, the credit-card industry's data-security standard. This is why tagging is more useful than simple categorization. A specific rule may be tagged as "privileged user access," "PCI DSS" and "SOX."

Though the need for database security may seem obvious in light of the number of flaws that Oracle reports in its CPUs, there have been barriers to the adoption of Sentrigo's solution.

Markovich said Sentrigo's approach is host-based, which gives it an advantage in protecting against privileged users and sophisticated attacks using stored procedures.

"Historically, host-based systems used native DBMS auditing capabilities, which hurts database performance and has given this approach a bad name," Markovich said. "While Sentrigo's Hedgehog sensors do not use DBMS audit mechanisms at all, and the impact on performance is negligible, it takes some educating of prospects to convince them."

Sentrigo counts AppSec, Guardium and Imperva as competitors in the database security market. But Mark Kraynak, senior director of strategic marketing for Imperva, said the competition might not be so stiff.

Sentrigo is limited to support for a single database platform -- Oracle -- and lacks the ability to address the needs of customers with heterogeneous environments, he said. "In Imperva's experience, nearly every enterprise customer has more than one database platform to address for security and compliance," Kraynak told InternetNews.com.

Kraynak also argued that the Imperva SecureSphere technology takes a hybrid approach that monitors database activity in the network and only uses a light agent on the database server to monitor privileged activity that happens on the database server itself.

Though a technology solution may help to secure databases, some basic issues can still leave a database insecure. An example, Markovich said, is the use of default usernames and passwords.

"Suffice it to say that there are still many options within Oracle that, if not configured properly, present serious gaps in security."