Tips for auditing and securing database backups in Oracle

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Oracle database security How to use DBMS_CRYPTO package for Oracle password encryption/hashing How to decrypt an Oracle password using John the Ripper and checkpwd How to use the CREATE SESSION command to track Oracle database logins How to troubleshoot Oracle critical patch updates using OPatch Can I automate Oracle patching when installing Oracle Standard Edition? Is it possible to automate Oracle CPUs for a DoD project? Three steps to help improve Oracle database security How to prevent a SQL injection attack in Oracle Oracle database security Oracle delivers database fixes in Critical Patch Update How to use DBMS_CRYPTO package for Oracle password encryption/hashing How to decrypt an Oracle password using John the Ripper and checkpwd How to use the CREATE SESSION command to track Oracle database logins How to troubleshoot Oracle critical patch updates using OPatch Can I automate Oracle patching when installing Oracle Standard Edition? Is it possible to automate Oracle CPUs for a DoD project? Three steps to help improve Oracle database security How to prevent a SQL injection attack in Oracle Forrester outlines database security trends in 2009

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

Two important facets of Oracle database security (or security for a database from any other vendor) that often get less attention than others, are definitely auditing and securing database backups.

No matter how hardened a system may be, there is always a way in. Most organizations spend the bulk of their time making it very difficult for an external attacker to gain access to their systems and data. While this is effort well-spent, we must assume that someone, someday, will be clever enough to break into our enterprise. It is after the intrusion that auditing is key to assessing and mitigating the compromise. A well-planned implementation of Oracle's native auditing capabilities can help us answer these questions:

• What was compromised?
• What was changed?
• Where did the attack come from?
• Can we rely on our current data?

Anyone can easily rebuild your database from your backups. Given that a great many companies choose to utilize a third-party backup storage company to house their backups, securing your database backups becomes crucial! There have been at least three major news stories last year regarding lost or stolen tapes -- even at the sites of high-end backup storage providers. Ensure that your backups are encrypted before they leave your organization's profession.

Many tape drives now offer encryption built into their hardware, and Oracle has been offering support for encrypted backups since 10gR2. In Oracle 11g, DataPump exports can also be natively encrypted (Note: DataPump's purpose is for moving data, not disaster recovery, but it can be handy to logically capture subsets of your data in certain circumstances). There are also many other third-party offerings for protecting your data. No matter which product you consider, allowing your backups to leave your organization without appropriate protection is an incredible risk.