ISACA | Reviewed by K. K. Mookhey, CISA, CISM, CISSP
Oracle® is the most widely used database across the world. And even though databases hold some of the most sensitive information, they are often least understood in terms of security controls and auditing.
To address these gaps in an auditor’s understanding of Oracle and its security features, ISACA® offers the third edition of Security, Audit and Control Features Oracle Database. Although written from an auditor’s point of view, the book also serves as an excellent resource to the database administrator (DBA) looking to ensure compliance to security best practices. Chief information security officers (CISOs) and information security managers will also find value in the book as a source for a comprehensive set of database security controls.
The book begins by briefly discussing the history of the Oracle database and the security features gradually introduced from version 6 to the latest version 11g. It then describes important Oracle concepts, such as the difference between an instance and a database, the Oracle processes, and file structures. In chapters 5 and 6, the authors provide the basic background to planning the audit.
A secured database needs to run on a secured operating system. Oracle runs on a wide variety of operating systems, and in chapter 7, the authors cover important security controls for Windows and UNIX operating systems in which Oracle is installed.
In chapter 8, the authors cover the newer security features introduced in version 10g and 11g. Often, awareness of these features can push an organization to upgrade its current database versions.
In chapters 9 through 13, the authors cover key Oracle security features such as Oracle system privileges, controlling access to critical objects such as stored procedures and triggers, the use of roles to group users and permissions together, password controls, resource limits, database links and trusted relationships, operating system security, and network security controls.
Chapter 14 rounds up the discussion with information on general database security controls such as change management, segregation of duties, documentation, monitoring, vulnerability and patch management, and backup and recovery.
The huge dependence of organizations on applications and their underlying databases implies that the availability of the database often affects the very existence of a company. While the cost of an interruption depends on a number of factors, it can be significant enough to impact both the profitability and the reputation of any organization. In light of this, the book covers the important aspects of Oracle’s backup and recovery features, and its other disaster recovery and redundancy capabilities. The reader is encouraged to explore Oracle’s offerings such as Oracle Data Guard, Oracle Advanced Replication, Oracle Recovery Manager (RMAN) and Real Application Clusters (RAC).
The appendices present a wealth of useful information, including an introduction to automated Oracle security assessment tools, a comprehensive audit/assurance program and an internal control questionnaire (ICQ), recommendations for the professional, frequently asked questions, a glossary, an explanation of acronyms, and suggested readings. Appendix 4, Recommendations for the Professional, provides a 10-point list, including gems such as “befriend the DBA” and “think like a hacker.” This is a good example of the emphasis the book puts on the practical aspects of the subject at hand.
Overall, this book provides excellent coverage of Oracle security features and controls for the auditor, information security practitioner and the DBA preparing for their next database audit.
Security, Audit and Control Features Oracle® Database, 3rd Edition, is available from the ISACA Bookstore. For information, see the ISACA Bookstore Supplement in this Journal, visit www.isaca.org/bookstore, e-mail firstname.lastname@example.org or telephone +1.847.660.5650.
Reviewed by K. K. Mookhey, CISA, CISM, CISSPthe principal consultant of Network Intelligence, makers of a comprehensive operating system and database auditing product, AuditPro. Mookhey has provided consulting services in IT governance, risk management and compliance to organizations around the globe. He is the author of numerous articles and books, including ISACA’s Security, Audit and Control Features— Linux. He is also a regular speaker at events such as Blackhat, Interop, OWASP and IT Underground. He can be reached at email@example.com.
Enjoying this article? To read the most current ISACA® Journal articles, become a member or subscribe to the Journal.
The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.
Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute® and their committees, and from opinions endorsed by authors’ employers, or the editors of this Journal. ISACA Journal does not attest to the originality of authors’ content.
© 2010 ISACA. All rights reserved.
Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, MA 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.