Information is the world’s new currency. Databases are the digital banks that store and retrieve valuable information. The growing number of high-profile incidents in which customer records, confidential information and intellectual property are leaked, lost or stolen has created an explosive demand for solutions that protect against the deliberate or inadvertent release of sensitive information.Oracle is the global leader in relational database technology, and has built a rich set of database security products and database features within its product portfolio.

1. Best Practices in Implementing
Oracle Database Security Products
White Papers Abstract
Information is the world’s new currency. Databases are the
digital banks that store and retrieve valuable information. The
growing number of high-profile incidents in which customer
records, confidential information and intellectual property are
leaked, lost or stolen has created an explosive demand for
solutions that protect against the deliberate or inadvertent
release of sensitive information. Moreover, numerous
information-intensive government and industry regulations
require organizations to protect the integrity of customer,
employee and proprietary information and corporate digital
assets. Security breaches can no longer be "swept under the
rug" because of strict breach disclosure laws.
Addressing information protection and control (IPC) is a
complex challenge. Today, nearly all organizational
information exists in electronic form, typically stored in
databases. So, it stands to reason that enterprises must
secure their databases as part of any IPC strategy to protect
sensitive information and comply with regulations. Database
security represents a preemptive strategy to preventing
enterprise data theft and regulatory compliance infractions.
Seemakiran
Oracle is the global leader in relational database technology,
Head of India Operations and has built a rich set of database security products and
database features within its product portfolio. Implementing
effective database security on the Oracle platform requires a
Estuate deep knowledge of the Oracle product stack and experience
1183 Bordeaux Dr, Suite 4 in real-world security implementation using Oracle. Estuate
brings strong credentials to its clients in both respects,
Sunnyvale, CA 94089 emanating from our deep Oracle product engineering roots
Phone: +1 408-400-0680 and years of Oracle-based client work.
Fax: +1 408-400-0683
This paper profiles the best practices in implementing Oracle-
www.estuate.com based information security that we have built from our years
of experience.
January 2009

2. ESTUATE
WHITEPAPER
Complex Applications Made Easy
Estuate is a global information technology (IT) services company based in the heart of Silicon Valley.
Our founders have decades of deep software product experience at Oracle, particularly in Oracle-based
applications development, integration and modernization, and unmatched Oracle E-Business Suite
product knowledge. Our focus is two-fold:
• Providing expert software product development services to software companies
• Providing high-value application implementation and management services to enterprise clients.
We pride ourselves on being highly-responsive, nimble and efficient, and we are very honored to let our
clients speak on our behalf.
Our software product development focus includes core product development and testing, business
process integration and technology modernization. Our software company clients include Arena
Solutions, Cisco, Citrix, Escalate, IBM, Oracle, Performant, Pictage, Salesforce.com, DataFlux (division
of SAS) and WebEx.
Our enterprise application implementation and management focus is on custom application development
and the full Oracle E-Business Suite platform. Our enterprise application clients include Bechtel, Fox
Interactive Media, HP, Matson, Stanford University, Visa and Wells Fargo.
For more information, please contact info@estuate.com or visit www.estuate.com
Copyright © 2009 Estuate Inc. All rights reserved.
The entire contents of this document are subject to copyright with all rights reserved.
All copyrightable text and graphics, the selection, arrangement and presentation of all information and the
overall design of the document are the sole and exclusive property of Estuate.
2
© 2009 Estuate. All rights reserved.

3. ESTUATE
WHITEPAPER
Complex Applications Made Easy
Contents
1. Overview of Oracle Security Products……...............................4
2. User Management Best Practices…………………………..…....5
3. Access Control Best Practices…………………………………...6
4. Data Protection Best Practices…………………...………….......7
5. Compliance Monitoring Best Practices…….............................9
6. Conclusion……………………………………………....................10
3
© 2009 Estuate. All rights reserved.

4. ESTUATE
WHITEPAPER
Complex Applications Made Easy
Overview of Oracle Security Products
With solutions spanning user management, access control, data protection, and monitoring/alerting for
compliance management, Oracle provides a comprehensive information security architecture and best-in-
class products.
Oracle Security Data Products
4
© 2009 Estuate. All rights reserved.

5. ESTUATE
WHITEPAPER
Complex Applications Made Easy
User Management Best Practices
We have effectively used Oracle Enterprise User Security to simplify user management for a
manufacturing client. We accomplished this by enabling database user accounts to be centrally managed
in the Oracle Internet Directory, the core of Oracle’s Identity Management product suite. Oracle Directory
Synchronization Service, part of Oracle Internet Directory, facilitates synchronization between Oracle
Internet Directory and other directories and user repositories, including Microsoft Active Directory and
SunONE, allowing users to authenticate data using credentials stored in one of these other repositories.
Oracle Enterprise User Security provides support for strong authentication based on PKI digital
certificates or Kerberos.
5
© 2009 Estuate. All rights reserved.

6. ESTUATE
WHITEPAPER
Complex Applications Made Easy
Access Control Best Practices
Another client, a world-class university, wanted to protect highly-confidential, sensitive employee data
from its organization’s internal database administrators. We accomplished this by implementing Oracle
Database Vault.
Oracle Database Vault
Oracle Database Vault Overview
Oracle Database Vault provides enterprises with protection from insider threats and inadvertent leakage
of sensitive application data. Access to application data by users and database administrators (DBAs) is
controlled using Database Vault realms, command rules and multifactor authorization. Database Vault
addresses access privilege by separating access to application data from traditional database and
security administration responsibilities. Database Vault realms block ANY-type privileges (SELECT ANY)
commonly available to DBAs from being used to access application data. Using multifactor authorization,
database access can be easily restricted based on IP address, time of day and other parameters.
Command rules enable Database Vault security administrators to associate rule sets or policies with
Oracle Database commands. Combined with multifactor authorization, command rules allow powerful
policies to be deployed inside the database, further reducing the security risk associated with insiders
bypassing the application.
Additionally, Database Vault’s numerous out-of-the-box reports address a wide range of security metrics,
such as attempted data access requests blocked by Realms. For example, if a DBA attempts to access
data from an application table protected by a Realm, Database Vault creates an audit record in a
specially-protected table within Database Vault. A Realm violation report makes it easy to view these
audit records.
6
© 2009 Estuate. All rights reserved.

7. ESTUATE
WHITEPAPER
Complex Applications Made Easy
Data Protection Best Practices
Transparent Data Encryption Overview
Oracle Advanced Security
We have successfully implemented data protection policies and procedures for several Estuate clients
using Oracle Advanced Security. Oracle Advanced Security Transparent Data Encryption (TDE) provides
the most advanced encryption capabilities for protecting sensitive information without requiring any
changes to the existing application. TDE is a native database solution that is completely transparent to
existing applications with no triggers, views or other application changes required. Data is transparently
encrypted when written to disk, and transparently decrypted after an application user has successfully
authenticated and passed all authorization checks. Authorization checks include verifying that the user
has the necessary read/update privileges. TDE can be used to encrypt columns that contain sensitive
data, or entire database objects residing in a tablespace. Tablespace encryption ensures all database
objects are encrypted at the file system level. When the database reads data blocks from the encrypted
tablespace, it transparently decrypts the data blocks. TDE also supports storing the TDE master
encryption key on a hardware security module (HSM) device. This provides an even higher level of
assurance protecting the TDE master key, as well as centralized key management in a clustered
environment.
Advanced Security also provides strong protection for data in transit by using comprehensive network
encryption capabilities. Advanced Security’s easy-to-deploy, comprehensive network encryption provides
both native network encryption and SSL/TLS-based encryption. In addition, it can be configured to accept
or reject communication from clients not using encryption, providing optimal deployment flexibility.
Configuration of network security is managed using the Oracle Network Configuration administration tool,
allowing businesses to easily deploy network encryption without any changes to applications.
7
© 2009 Estuate. All rights reserved.

8. ESTUATE
WHITEPAPER
Complex Applications Made Easy
Oracle Secure Backup (OSB)
We have also implemented effective backup security for Estuate clients using Oracle’s comprehensive
tape backup solution for Oracle databases and file systems. Tight integration with the Oracle Database
provides optimal security and performance, eliminating backup of any associated database UNDO data.
A centralized administrative server provides a single point of control for enterprise-wide tape backup and
any associated encryption keys. The administrative server maintains a tape backup catalog and manages
security policies for distributed servers and tape devices. OSB encrypts data before the data leaves the
database, resulting in continuous data security when in transit to the tape drive unit. OSB also provides
the ability to back up and encrypt file systems directly to tape.
Oracle Data Masking Pack
We use Oracle Data Masking Pack to maintain the confidentiality of sensitive or confidential client data in
development, test or staging environments. The Data Masking Pack uses an irreversible process to
replace sensitive data with realistic-looking but scrubbed data based on masking rules, and ensures that
the original data cannot be retrieved or recovered. The Data Masking Pack provides out-of-the-box mask
primitives for various data types, such as random numbers, random digits, random dates and constants,
as well as built-in masking routines, such as shuffling, which shuffles the values in a column across
different rows. The Data Masking Pack helps maintain the integrity of the application while masking
sensitive data.
8
© 2009 Estuate. All rights reserved.

9. ESTUATE
WHITEPAPER
Complex Applications Made Easy
Compliance Monitoring Best Practices
Oracle Audit Vault Overview
Oracle Audit Vault
We use Oracle Audit Vault as an effective security compliance monitoring tool for our clients.
Audit Vault transparently collects and consolidates audit data from multiple databases across the
enterprise, providing valuable insight into who did what to which data when, including privileged users
who have direct access to the database. The integrity of audit data is ensured by using sophisticated
controls, including Oracle Database Vault and Oracle Advanced Security. Access to the audit data within
Audit Vault is strictly controlled. Privileged DBA users cannot view or modify the audit data, and even
auditors are prevented from modifying the audit data.
Audit Vault provides proactive threat detection through alerting. Event alerts help mitigate risk and protect
from insider threats by providing proactive notification of suspicious activity across the enterprise. Audit
Vault continuously monitors the inbound audit data, evaluating audit data against alert conditions. Alerts
can be associated with any auditable database event, including system events such as changes to
application tables, role grants and privileged user creation on sensitive systems. Audit Vault provides
graphical summaries of activities causing alerts. In addition, database audit settings are centrally
managed and monitored from within Audit Vault to ensure consistent auditing policies across the
enterprise.
9
© 2009 Estuate. All rights reserved.

10. ESTUATE
WHITEPAPER
Complex Applications Made Easy
Conclusion
Using Oracle Database Security products, we have delivered a full range of data security solutions to our
clients across the spectrum of user management, access control, data protection and compliance
monitoring business processes. We find that Oracle Database Security products, when properly
implemented using our best practices, provide comprehensive, world-class information security across all
Oracle-based applications.
10
© 2009 Estuate. All rights reserved.