David Knox, Scott Gaetjen, Hamza Jahangir, Tyler Muth, Patrick Sack, Richard Wark and Bryan Wise | Reviewed by Horst Karin, Ph.D., CISA, CISSP, ITIL
Applied Oracle Security is the follow-up to David Knox’s 2004 book Effective Oracle Database 10g Security by Design, a basic introduction to security and its implementation for Oracle Database 10g Release 1. The new book goes a step further and expands its scope, making it attractive to application developers and security administrators because it presents Oracle’s security capabilities for the application layer.
Information security does not stop at the database layer. Security of information is determined by the whole and complex framework of technical, detailed security settings and permissions at the database; the developer’s program coding of procedures and data handling, processing and interfacing with other applications; and the architectures that enable business intelligence applications. Important parts of this framework are controls and audit considerations, which establish integrity and accountability. These aspects of applied Oracle information security are presented in chapter three of the book and are need-to-knows for the Oracle security administrator and the Oracle auditor.
Finally, this is an Oracle security book that is an excellent resource for database and application developers, Oracle security administrators, and auditors because it combines the technical side with the audit side, enabling developers to learn about the audit and controls requirements that they need to consider, and enabling auditors to learn where and how these controls work and how to audit them. Security, controls, governance and audit are usually not considered exciting, and are often moved to the low end of the project agenda, but they are important and critical for a successful business application. For that reason, the authors pay a considerable amount of attention to these topics, demonstrate their importance and show how to utilize Oracle’s capabilities to implement these principles.
The content is advanced technical, but it is presented in an easy-to-understand style supported by text and background information. New terms are explained, and readers will learn the details while often being reminded about the important big picture—including the requirements for compliance and governance.
Chapter eight, Architecting Identity Management, is of special interest for developers and security administrators from the controls perspective. It describes the requirement for compliance and the processes for user provisioning, management of authentication, authorization and role management.
Chapter 14 and the appendix are especially important and useful to readers because of the growing market of OBI products.
The strength of this book is its comprehensive knowledge, which is presented in an easy-to-understand style with useful supporting background information. It is written by seven experienced authors who are longtime Oracle employees, ranging from technical specialist to director and technical vice president (VP).
Applied Oracle Security is available from the ISACA Bookstore. The ISACA Technical Reference Series includes two publications on Oracle: Security, Audit and Control Features Oracle E-Business Suite, 3rd Edition and Security, Audit and Control Features Oracle Database, 3rd Edition. For information, see the ISACA Bookstore Supplement in this Journal, visit www.isaca.org/bookstore, e-mail email@example.com or telephone +1.847.660.5650.
Reviewed by Horst Karin, Ph.D., CISA, CISSP, ITIL, president of DELTA Information Security Consulting Inc. Karin provides consulting services in information security and risk management; SAP security/governance, risk and compliance (GRC); public key infrastructure (PKI); and WebTrust, and has provided advisory services in regulatory/sustainable compliance since 1998. His most recent publication is a standard book for security and risk management in SAP systems (German and English versions, 2010), which he coauthored with Mario Linkies.
The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.
© 2011 ISACA. All rights reserved.