SAN FRANCISCO -- Last June, when a bot infection hit the university database at Penn State, 15,805 social security numbers stored in the database were compromised. A couple of years earlier, a laptop with social security numbers on it was stolen at the University of Pittsburgh.
When he was hired to lead the school’s security efforts, Matthew Stewart, director of information security at Robert Morris University (RMU), wanted to prevent such database security lapses from happening. In his session at Oracle OpenWorld on Tuesday, Stewart talked about the difficulties of securing educational institutions.
“The unique thing about universities is that they have to be open,” Stewart said. “They have academic freedom; you can’t lock them down. But you have to be compliant. It presents a lot of unique challenges.”
For example, when people move around from school to school within one institution, it’s easy to forget all the different levels of access they’ve had. But insiders aren’t the only threat -- Stewart said that hackers, students, malware, phishing, physical theft and even DBA mistakes were all significant security concerns for him.
He turned to Oracle for help.
When Stewart joined RMU, security was in “pretty bad shape.” They were running Oracle 8.1, had poor patch cycles, and too much access was granted to too many people. But by using Oracle Advanced Security -- a product that helps with several key areas such as network encryption, transparent data encryption and protection of data in backups – Stewart was able to turn things around quickly.
“We used a layered security approach that covers everything,” he said, describing the six layers he created: proactive software assurance, blocking network-based attacks, blocking host-based attacks, eliminating security vulnerabilities, safely supporting authorized users, and a layer of tools to manage security and maximize effectiveness.
Stewart also emphasized the importance of transparent data encryption (TDE), which is the encryption of data at rest. He said Robert Morris chose to go with tablespace TDE over column-based TDE because of the large number of transactions the university was dealing with. Performance testing showed that performance was barely taking a hit for the amount of security the encryption was adding.
Kurt Lysy, a senior security deployment expert at Oracle, said that your TDE should also align with your backup and recovery strategy.
“When you look at the grand perspective of encrypting data at rest, never forget the importance of encrypting those backups,” Lysy said.
However, Stewart may be in the minority with the measures he is taking to protect his organization’s data. Results from a new data security survey from the Independent Oracle Users Group (IOUG) showed that fewer than 30% of 430 respondents are encrypting personally identifiable information in all of the databases in their organization.
Many respondents also feel that they are taking a reactive rather than preventative approach to database security, and three out of four do not have a way to prevent privileged database users from accessing HR, financial, or other business application data in their databases.
Today, RMU is moving to an Oracle 11g Database on 64-bit enterprise Linux and has a patch management process. Stewart said RMU is making progress with reducing data access through its use of Oracle Advanced Security, but they can still improve. One of the next Oracle products he hopes to use is Audit Vault.
“I want to see what each and every user is doing,” he said. “This will be a very big piece for us.”
Why companies may need to pay more attention to securing databases