Best practices for computer security have many dimensions. In this chapter, you looked at some of the most important. Security starts with well-defined policies that need to be supported by everyone in the organization—especially the senior management. The policies and procedures form the structure by which the technical security measures will be implemented. Without defined and unambiguous policies, it’s impossible to implement effective security.
The security policies will vary in specificity and details based on the sensitivity of the data they protect. Ensuring the right level of strictness in developing the policies is important to a successful implementation. Policies that are too restrictive can inadvertently cause insecure behaviors to be practiced. The policies have to be practical and should be based on the tenets of security.
I proposed three critical tenets of security—design security into your applications before you begin development, abide by least privileges, and build defense in-depth. These form the guiding principles for employing effective security.
With the security policies and security guidelines in mind, it’s then time to determine what your environment looks like from a security perspective. Security is about managing risks. Risk assessments and risk analysis are important in determining the current state of security as well as what should be developed to increase security in the future. Asset identification and valuation coupled with risk assessments help you determine how much and what type of security measures you should employ. Without a careful analysis, you won’t have properly identified the problems and therefore will not be able to provide effective security solutions.
The only way to ascertain your security posture is to understand the security inter-relationships that exist within your organization. Knowing who is accessing what and how, coupled with other operational information, creates an awareness of the overall security ecosystem. This is criticial in deploying effective security because it provides the knowledge necessary for designing security across applications, application servers, and databases. Taking snapshots of your system allows you to respond logically, quickly, and accurately to security incidents if and when they arise.
A key and fundamental element of security involves ensuring your IT systems are properly configured. Secure configurations apply to all entities in the security ecosystem—the operating systems, the networks, the application servers, the database servers, and the applications. Hardening the servers and networks ensures a solid foundation upon which to build.
In the next chapters, we’ll dive into the Oracle database and explore the various technologies and techniques that can be used to build secure database applications. All of that will be done under the assumptions and principles presented in this chapter.
Chapter 2: Securing The Database
This chapter focuses on the steps you’ll use to help secure your OracleDatabases. You’ll see how applying the best practice principles (explored in Chapter 1) to an Oracle database will help to further secure it.
This chapter looks at securing database schemas by limiting their privileges, providing good password support, restricting access using multiple defenses, and securing the network channels to and from the database. These steps represent many of the best practices used by organizations today. These are the actions you should also be taking to configure and operate a secure Oracle Database.
The remaining chapters of this book discuss how to effectively apply technology features and capabilities to the task of building secure database applications. For this to happen successfully, you’ll first have to apply the lessons taught in this chapter. You’ll need to take certain actions and practice certain behaviors to ensure a good security foundation.