Best practices for computer security have many dimensions. In this chapter, you looked at some of the most important. Security starts with well-defined policies that need to be supported by everyone in the organization—especially the senior management. The policies and procedures form the structure by which the technical security measures will be implemented. Without defined and unambiguous policies, it’s impossible to implement effective security.
The security policies will vary in specificity and details based on the sensitivity of the data they protect. Ensuring the right level of strictness in developing the policies is important to a successful implementation. Policies that are too restrictive can inadvertently cause insecure behaviors to be practiced. The policies have to be practical and should be based on the tenets of security.
I proposed three critical tenets of security—design security into your applications before you begin development, abide by least privileges, and build defense in-depth. These form the guiding principles for employing effective security.
With the security policies and security guidelines in mind, it’s then time to determine what your environment looks like from a security perspective. Security is about managing risks. Risk assessments and risk analysis are important in determining the current state of security as well as what should be developed to increase security in the future. Asset identification and valuation coupled with risk assessments help you determine how much and what type of security measures you should employ. Without a careful analysis, you won’t have properly identified the problems and therefore will not be able to provide effective security solutions.
The only way to ascertain your security posture is to understand the security inter-relationships that exist within your organization. Knowing who is accessing what and how, coupled with other operational information, creates an awareness of the overall security ecosystem. This is criticial in deploying effective security because it provides the knowledge necessary for designing security across applications, application servers, and databases. Taking snapshots of your system allows you to respond logically, quickly, and accurately to security incidents if and when they arise.
A key and fundamental element of security involves ensuring your IT systems are properly configured. Secure configurations apply to all entities in the security ecosystem—the operating systems, the networks, the application servers, the database servers, and the applications. Hardening the servers and networks ensures a solid foundation upon which to build.
In the next chapters, we’ll dive into the Oracle database and explore the various technologies and techniques that can be used to build secure database applications. All of that will be done under the assumptions and principles presented in this chapter.