Reviewed by K. K. Mookhey, CISA, CISM, CISSP
Oracle® is the most widely used database across the world. And even though databases hold some of the most sensitive information, they are often least understood in terms of security controls and auditing.
To address these gaps in an auditor’s understanding of Oracle and its security features, ISACA® offers the third edition of Security, Audit and Control Features Oracle Database. Although written from an auditor’s point of view, the book also serves as an excellent resource for the database administrator (DBA) looking to ensure compliance with security best practices. Chief information security officers (CISOs) and information security managers will also find value in the book as a source for a comprehensive set of database security controls.
The book begins by briefly discussing the history of the Oracle database and the security features gradually introduced from version 6 to the latest version 11g. It then describes important Oracle concepts, such as the difference between an instance and a database, the Oracle processes, and file structures. In chapters 5 and 6, the authors provide the basic background to planning the audit.
A secured database needs to run on a secured operating system. Oracle runs on a wide variety of operating systems, and in chapter 7, the authors cover important security controls for Windows and UNIX operating systems in which Oracle is installed.
In chapter 8, the authors cover the newer security features introduced in versions 10g and 11g. Often, awareness of these features can push an organization to upgrade its current database versions.
In chapters 9 through 13, the authors cover key Oracle security features such as Oracle system privileges, controlling access to critical objects such as stored procedures and triggers, the use of roles to group users and permissions together, password controls, resource limits, database links and trusted relationships, operating system security, and network security controls.
Chapter 14 rounds up the discussion with information on general database security controls such as change management, segregation of duties, documentation, monitoring, vulnerability and patch management, and backup and recovery.
The huge dependence of organizations on applications and their underlying databases implies that the availability of the database often affects the very existence of a company. While the cost of an interruption depends on a number of factors, it can be significant enough to impact both the profitability and the reputation of any organization. In light of this, the book covers the important aspects of Oracle’s backup and recovery features, and its other disaster recovery and redundancy capabilities. The reader is encouraged to explore Oracle’s offerings such as Oracle Data Guard, Oracle Advanced Replication, Oracle Recovery Manager (RMAN) and Real Application Clusters (RAC).
The appendices present a wealth of useful information, including an introduction to automated Oracle security assessment tools, a comprehensive audit/assurance program and an internal control questionnaire (ICQ), recommendations for the professional, frequently asked questions, a glossary, an explanation of acronyms, and suggested readings. Appendix 4, Recommendations for the Professional, provides a 10-point list, including gems such as “befriend the DBA” and “think like a hacker.” This is a good example of the emphasis the book puts on the practical aspects of the subject at hand.
Overall, this book provides excellent coverage of Oracle security features and controls for the auditor, information security practitioner and the DBA preparing for their next database audit.
Security, Audit and Control Features Oracle® Database, 3rd Edition, is available from the ISACA Bookstore. For information, see the ISACA Bookstore Supplement in this Journal, visit www.isaca.org/bookstore, e-mail email@example.com or telephone +1.847.660.5650.
Reviewed by K. K. Mookhey, CISA, CISM, CISSP, the principal consultant of Network Intelligence, makers of a comprehensive operating system and database auditing product, AuditPro. Mookhey has provided consulting services in IT governance, risk management and compliance to organizations around the globe. He is the author of numerous articles and books, including ISACA’s Security, Audit and Control Features—Linux. He is also a regular speaker at events such as Blackhat, Interop, OWASP and IT Underground. He can be reached at firstname.lastname@example.org.