Tyler Muth’s Blog

Technology with a focus on Oracle, Application Express and Linux

Wake Up and Smell Reality

Posted by Tyler Muth on August 5, 2008

In case you missed the news, yet another laptop with unencrypted Personally Identifiable Information (PII) was lost (though this one was found again, news story here). This type of story is in the news all too often. If you think I’m overreacting, take a look at this Chronology of Data Breaches. You might even look for your organization, or organizations that hold your data. The intended audience of this blog, DBAs and developers, is often the group that knows the most about how their own organization’s data is stored, so I hope at least a few of you read it and think about security a little bit more. So, here it goes…


  • If you are storing unencrypted PII in your database, WAKE UP!
  • If you are backing up PII without encrypting it, WAKE UP!
  • If you are exporting PII in clear text and sharing it with other groups (mainframe extracts come to mind here), WAKE UP!
  • If you have any of your customers’ unencrypted PII on your laptop, WAKE UP!
  • If you transport unencrypted PII on a flash drive, seriously, WAKE UP!
Did I get your blood pressure up? I hope so; people tend to remember things when emotion is involved. I’m not trying to offend anyone, but we all need to take this issue a little more seriously. So, what can you do?
  • Backups are a prime target, and an easy one to solve. I blogged about RMAN Encrypted Backups; there’s also Oracle Secure Backup (free for a single machine), as well as a plethora of free or commercial file encryption utilities.
  • If you don’t need the info, DON’T STORE IT in the first place.  
  • If you need to, say, look up a record by Social Security Number, but never need to display or edit the SSN, store a keyed hash (MAC) of the SSN using dbms_crypto.mac instead of the SSN itself. You can then compute the MAC of the search term and do a simple equality search on hash = hash.
  • Use dbms_crypto to programmatically encrypt data if you can.
  • Use Transparent Data Encryption if you can’t or don’t have time to change the application code.
  • Don’t even think of using SSNs as primary keys.  They’ll end up getting propagated to all child tables, and what are you going to do when someone changes their SSN?
  • Use TrueCrypt to encrypt a volume on your laptop, or even your whole drive. I’ve been using it on my laptops for 2 years now and it’s always worked flawlessly. It also works on flash drives.
  • Help define policies for protecting sensitive information.
  • Talk to your colleagues and managers about concerns you have.  Just starting a dialog about security is a huge step in the right direction.
  • Pick up a copy of “Effective Oracle Database 10g Security by Design” by David Knox. Yes, David is a friend of mine. No, I don’t get ANY money from this book. Note that of the 10 reviews on Amazon, 9 of them give this book 5 stars! I’ve read it cover to cover and reference it often; it’s such a great resource.
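Here is a worked version of the dbms_crypto.mac lookup pattern from the list above. It is an added example, not code from the original post; the table, index and package names are assumed, and the key bytes are a constructed placeholder rather than a real secret. The package owner needs EXECUTE on DBMS_CRYPTO, which is granted by SYS.

```sql
-- Added example, not from the original post. Table, package and key names are
-- assumed; the key bytes are a constructed placeholder, not a real secret.
CREATE TABLE customers (
  cust_id  NUMBER        PRIMARY KEY,  -- surrogate key, never the SSN itself
  name     VARCHAR2(100),
  ssn_mac  RAW(20)                     -- HMAC-SHA1 output is 20 bytes
);
CREATE INDEX customers_ssn_mac_ix ON customers (ssn_mac);

CREATE OR REPLACE PACKAGE ssn_util AS
  FUNCTION mac_of (p_ssn IN VARCHAR2) RETURN RAW;
END ssn_util;
/
CREATE OR REPLACE PACKAGE BODY ssn_util AS
  -- Constructed sample key for illustration only. In practice keep the key out
  -- of the application schema (a separate locked-down schema or a wallet) and
  -- out of the same backup set as the table; with the key, the MAC is no
  -- better than a plain hash of a 9-digit number.
  c_key CONSTANT RAW(32) :=
    HEXTORAW('000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F');

  FUNCTION mac_of (p_ssn IN VARCHAR2) RETURN RAW IS
    l_norm VARCHAR2(64);
  BEGIN
    -- Normalise first so '123-45-6789' and '123456789' produce the same MAC.
    l_norm := REGEXP_REPLACE(p_ssn, '[^0-9]', '');
    IF l_norm IS NULL OR LENGTH(l_norm) <> 9 THEN
      RAISE_APPLICATION_ERROR(-20001, 'SSN must contain exactly 9 digits');
    END IF;
    -- Keyed HMAC: unlike DBMS_CRYPTO.HASH, someone holding only a dump of the
    -- table cannot enumerate the 10^9 possible SSNs without the key.
    RETURN DBMS_CRYPTO.MAC(
             src => UTL_I18N.STRING_TO_RAW(l_norm, 'AL32UTF8'),
             typ => DBMS_CRYPTO.HMAC_SH1,
             key => c_key);
  END mac_of;
END ssn_util;
/

-- Insert: only the MAC is stored; the clear-text SSN never reaches the table.
INSERT INTO customers (cust_id, name, ssn_mac)
VALUES (1, 'Sample Customer', ssn_util.mac_of('123-45-6789'));

-- Lookup: MAC the search term and compare RAW to RAW (hash = hash).
SELECT cust_id, name
  FROM customers
 WHERE ssn_mac = ssn_util.mac_of('123456789');
```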
Other Oracle technologies to consider when thinking about security include 11g Tablespace Encryption, Oracle Database Vault, Virtual Private Database, and many more.


One Response to “Wake Up and Smell Reality”

  1. Arie Geller said

    Hi Tyler,

    This entry is both important and useful. I absolutely agree with you about the importance of security and encryption in corporate databases, and in our personal laptops. You talked about PII, which can affect individuals, but a corporation can easily lose valuable commercial information in the exact same way. If tightening corporate security means spending more money, the latter will probably attract more attention. Unfortunately, most of us just talk about security; few of us actually do something about it before the catastrophe is knocking on our door. And that’s the importance of this blog entry, as it is full of valuable resources, some of them absolutely free, that can help us deal with the problems.

    As usual, thanks for sharing,
    Arie.
