
Expert tips for securing Oracle DBMS

While many companies think they're being proactive with security, too many are addressing security at the application level rather than the database level, according to Oracle security expert Arup Nanda. Nanda, 32, a Norwalk, Conn.-based DBA who runs Proligence, an Oracle consultancy, is co-author of a new book called Oracle Privacy and Security Auditing. The book focuses on security and auditing regulations for the health care industry; these rules are part of HIPAA (the Health Insurance Portability and Accountability Act of 1996). In an interview with, Nanda discusses what steps companies can take to meet the requirements of HIPAA, Sarbanes-Oxley and other regulations without doling out thousands of dollars in new software.

What are some steps companies can take to protect their critical financial data?

It's simple for companies to take some security measures and protect themselves from people who come through the application server and Web servers. Companies securing themselves must ensure that the network itself is protected. Protection is needed from an outsider who can come into a network and sniff or just view packets of information flowing across the network. Data can flow across encrypted to protect the information from spoofing, which is the modifying of that data. This is all very important and relatively easy to do.

To provide feedback on this article, contact Robert Westervelt.

Why is security a large part of becoming compliant with HIPAA regulations?
HIPAA regulations, which affect all insurance and pharmaceutical companies, require these companies to make sure access to information, such as a customer's medical history and Social Security numbers, is tightly controlled. Companies were required to prove compliance by October of 2003, but many got an extension until later this year.


In response, a lot of companies are documenting their security processes. By doing this, they identify the potential holes. I always check to see if there is a policy that restricts access to information based on who an employee is. For example, a customer service representative shouldn't see all information except for the customers they handle.

What is your biggest concern regarding security?
My biggest concern is that database security is not being handled at the database level, but at the application level. That can cause a lot of holes. Companies are currently focusing on Sarbanes-Oxley compliance, HIPAA (Health Insurance Portability and Accountability Act) regulations, and credit card rules. Nearly all companies are working to create an audit trail to comply with Sarbanes-Oxley and they are working to ensure that their financial information is secure. With HIPAA, pharmaceutical and insurance companies are working to ensure that customer data is encrypted and out of the reach of attackers. The hotel industry has always been concerned with the rules credit card companies impose to protect customer data. In order to be a partner with Visa, Mastercard or American Express, companies must document their processes and show that access to customer information is limited.

What are some of the most fundamental security precautions that companies can take to protect their Oracle database?
Securing Oracle is not difficult, but some companies don't follow the most basic steps. Actually, it only takes a little bit of diligence and systematic thinking. The first is making sure that the Listener service is kept up to date and that a password is set on it. Companies also fail to realize that by using Oracle's SQL*Net function, you can create a simple firewall for the database at no additional cost. Lastly, Oracle's row-level security feature provides access control at the individual row level. Rather than opening up an entire table to any individual user who has any privileges on the table, row-level security restricts access to specific rows in a table.
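
The row-level restriction described above, applied to the customer-service-representative case from the earlier answer, as an added example that is not taken from the interview or from Nanda's book. It uses Oracle's DBMS_RLS package; the APP schema, the CUSTOMERS table, its REP_USERNAME column, the policy and function names, and the JSMITH account are assumptions made for illustration.

```sql
-- Hypothetical table: REP_USERNAME holds the database account of the
-- representative assigned to each customer.
CREATE TABLE app.customers (
  customer_id   NUMBER PRIMARY KEY,
  full_name     VARCHAR2(100),
  ssn           VARCHAR2(11),
  rep_username  VARCHAR2(128) NOT NULL
);

-- Policy function: Oracle passes in the schema and object name and appends
-- the returned string to every matching statement as a WHERE predicate.
CREATE OR REPLACE FUNCTION app.customers_by_rep (
  p_schema IN VARCHAR2,
  p_object IN VARCHAR2
) RETURN VARCHAR2
AS
BEGIN
  -- The owning schema keeps full visibility so maintenance jobs still work.
  IF SYS_CONTEXT('USERENV', 'SESSION_USER') = 'APP' THEN
    RETURN '1=1';
  END IF;
  -- Every other session sees only the rows assigned to its own account.
  RETURN 'rep_username = SYS_CONTEXT(''USERENV'', ''SESSION_USER'')';
END;
/

-- Attach the function to the table (requires EXECUTE on DBMS_RLS).
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'APP',
    object_name     => 'CUSTOMERS',
    policy_name     => 'CUSTOMERS_REP_POLICY',
    function_schema => 'APP',
    policy_function => 'CUSTOMERS_BY_REP',
    statement_types => 'SELECT, INSERT, UPDATE, DELETE',
    update_check    => TRUE  -- reject writes that would move a row out of view
  );
END;
/

-- Connected as representative JSMITH (constructed account), this returns
-- only JSMITH's customers, whichever application or tool issues the query.
SELECT customer_id, full_name FROM app.customers;
```

Because the predicate is enforced inside the database, it applies to ad hoc SQL clients as well as the application. Sessions connected as SYS and accounts granted the EXEMPT ACCESS POLICY privilege bypass the policy, so that grant belongs in any access review.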
