DBST UNIT I

notes

Uploaded by lakshmisloyola

UNIT I

Database Security
Database security refers to the array of controls, tools, and procedures
designed to ensure and safeguard the confidentiality, integrity, and
availability of the data held in a database.

Security for databases must cover and safeguard the following aspects:

o The data held in the database.
o The database management system (DBMS).
o Any applications that are associated with the database.
o The physical or virtual database servers and the hardware that runs
them.
o The computing or network infrastructure that is used to connect to the
database.

Securing a database is a complicated and challenging task that draws on
all aspects of security practice and technology. It is inherently in
tension with the accessibility of the database: the more usable and
accessible the database is, the more exposed it is to security threats,
and the more it is hardened against attacks and threats, the more
difficult it becomes to access and use.

Why is Database Security Important?

A data breach is a failure to maintain the confidentiality of the data
held in a database. The amount of damage an incident like a data breach
can cause a business depends on several consequences or elements:

o Compromised intellectual property: Intellectual property such as trade
secrets, inventions, or proprietary methods may be vital to maintaining a
competitive advantage in an industry. If intellectual property is stolen
or disclosed and that advantage is lost, it can be difficult to keep or
recover.
o Damage to brand reputation: Customers or partners may not want to
purchase goods or services from a company (or deal with it at all) if
they do not trust it to protect their data, or its own.
o Business continuity (or lack of it): Some businesses cannot continue to
operate until a breach has been resolved.
o Penalties or fines for non-compliance: The cost of not complying with
international regulations such as the Sarbanes-Oxley Act (SOX),
industry-specific regulations such as the Payment Card Industry Data
Security Standard (PCI DSS), data-privacy regulations such as HIPAA, or
regional privacy laws such as the European Union's General Data
Protection Regulation (GDPR) can be severe, with fines in the worst cases
reaching many millions of dollars per violation.
o Costs of repairing breaches and notifying customers: Besides notifying
customers of a breach, the breached company must pay for investigation
and forensic services, crisis management, triage and repair of the
affected systems, and much more.

Common Threats and Challenges

Many software misconfigurations, vulnerabilities, and patterns of
carelessness or misuse can lead to a security breach. The following are
some of the most common causes of attacks on databases.

Insider Threats
An insider threat is a security threat from any of three kinds of people
who hold privileged access to the database:

o A malicious insider who intends to cause harm.
o A negligent insider who makes mistakes that leave the database
vulnerable to attack.
o An infiltrator: an outsider who obtains valid credentials, for example
through phishing or by gaining access to the credential store itself.

Insider threats are among the most frequent causes of database security
breaches. They are often a consequence of allowing too many employees to
hold privileged user credentials.

Human Error
Accidents, weak passwords, password sharing, and other negligent or
uninformed user behaviours remain the root cause of almost half (49
percent) of all data security breaches.

Database Software Vulnerabilities can be Exploited
Attackers make their living by identifying and exploiting vulnerabilities
in software, including database management software. The major database
software vendors and open-source database platforms release regular
security patches to fix these weaknesses, and failing to apply the
patches promptly increases the risk of compromise.
SQL/NoSQL Injection Attacks
A threat specific to databases is the injection of arbitrary SQL, or
non-SQL attack strings for NoSQL stores, into database queries built from
input supplied by web applications or HTTP headers. Organizations that do
not follow secure coding practices for web applications and do not
conduct regular vulnerability testing are exposed to these attacks.
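The following is an added example (not code from the original notes) that shows the injection described above: a login query built by string concatenation beside the parameterized form that fixes it. It uses an in-memory SQLite database with a constructed users table so it runs offline; the table name, column names and the tautology payload are assumptions for the demonstration.

```python
"""SQL injection: vulnerable string-built query beside its parameterized fix.

Added example, not part of the original notes. Uses an in-memory SQLite
database with a constructed users table so it runs offline.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a throwaway database with constructed sample rows.

    Passwords are stored in plaintext only to keep the demo short; a real
    system stores salted, iterated hashes instead.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Builds the query by string concatenation: attacker input becomes SQL."""
    sql = (
        "SELECT username, role FROM users WHERE username = '"
        + username + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchall()


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Passes input as bound parameters: the driver never interprets it as SQL."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def demo() -> dict:
    """Run the same tautology payload through both versions."""
    conn = make_db()
    payload_user = "admin' OR '1'='1"   # constructed classic tautology payload
    payload_pass = "x' OR '1'='1"
    return {
        # the concatenated WHERE clause becomes true for every row
        "vulnerable": login_vulnerable(conn, payload_user, payload_pass),
        # the bound parameters are compared as literal strings: no match
        "safe": login_safe(conn, payload_user, payload_pass),
        # a genuine login still works with the safe version
        "legit": login_safe(conn, "bob", "hunter2"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The vulnerable version returns every user, including the admin row, because the concatenated clause reads `username = 'admin' OR '1'='1' AND password = 'x' OR '1'='1'`; the parameterized version returns nothing for the same input because the quote characters are data, not syntax.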

Data protection tools and platforms

Today, a variety of companies provide data protection platforms and tools.
A comprehensive solution should have all of the following features:

o Discovery: Discovery capability is often needed to meet regulatory
compliance requirements. Look for a tool that can detect and classify
weaknesses across all databases, whether they are hosted in the cloud or
on-premises, and that provides recommendations for remediating any
vulnerabilities it finds.
o Data activity monitoring: The solution should be capable of monitoring
and analysing all data activity across all databases, whether the
application runs on-premises, in the cloud, or inside a container. It
should alert on suspicious activity in real time so that threats can be
responded to quickly, and give visibility into the state of the data
through an integrated, comprehensive user interface. It should also
enforce policies, procedures, and separation of duties, and be able to
generate the reports needed for regulatory compliance.
o Tokenization and encryption of data: If an incident occurs, encryption
is an additional line of defence against compromise. Any software chosen
must be flexible enough to protect data in cloud, on-premises, hybrid, or
multi-cloud environments. Look for a tool with volume, file, and
application-level encryption that meets the organization's compliance
requirements; this may call for tokenization (data masking) or advanced
management of the security keys.
o Data security optimization and risk analysis: A tool that provides
contextual insight by combining security data with advanced analytics
lets users perform optimization, risk assessment, and reporting with
ease. Select a tool that can retain and combine large volumes of recent
and historical data about the security and state of the databases, and
that offers data exploration, auditing, and reporting through an
extensive but user-friendly self-service dashboard.
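To make the tokenization feature concrete, here is an added example (not code from the original notes or from any vendor product) of a minimal token vault: the application database stores a token that preserves the format and last four digits of a card number but is otherwise random, and only a vault held by a restricted role can map it back. The in-memory dictionaries, the role name "payments" and the 16-digit test number are assumptions for the demonstration.

```python
"""Tokenization vault: replace card numbers with tokens that have no
mathematical relation to the original value.

Added example, not from the original notes. The vault is an in-memory
dict standing in for a separately secured token store; the 16-digit card
number used below is a constructed test value, not a real PAN.
"""
import secrets
from typing import Dict


class TokenVault:
    """Maps format-preserving tokens to the sensitive values they replace."""

    def __init__(self) -> None:
        self._token_to_value: Dict[str, str] = {}
        self._value_to_token: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        """Return a 16-digit token that keeps only the last four digits of the PAN.

        The same PAN always maps to the same token so that joins and
        duplicate checks in the application database still work.
        """
        if not (pan.isdigit() and len(pan) == 16):
            raise ValueError("expected a 16-digit card number")
        if pan in self._value_to_token:
            return self._value_to_token[pan]
        while True:
            # 12 random digits from a CSPRNG, not derived from the PAN
            prefix = "".join(secrets.choice("0123456789") for _ in range(12))
            token = prefix + pan[-4:]
            # avoid collisions with an existing token or with the PAN itself
            if token not in self._token_to_value and token != pan:
                break
        self._token_to_value[token] = pan
        self._value_to_token[pan] = token
        return token

    def detokenize(self, token: str, caller_role: str) -> str:
        """Reverse a token; only the role allowed to see PANs may do so."""
        if caller_role != "payments":          # assumed privileged role name
            raise PermissionError("role %r may not detokenize" % caller_role)
        return self._token_to_value[token]


def detokenize_allowed(vault: TokenVault, token: str, role: str) -> bool:
    """True if the given role can recover the PAN behind the token."""
    try:
        vault.detokenize(token, role)
        return True
    except PermissionError:
        return False


def demo() -> dict:
    """Tokenize a constructed card number and check the token's properties."""
    vault = TokenVault()
    pan = "4111111111111111"   # constructed test number
    token = vault.tokenize(pan)
    return {
        "token": token,
        "same_token_on_repeat": vault.tokenize(pan) == token,
        "last4_preserved": token[-4:] == pan[-4:],
        "detokenized": vault.detokenize(token, "payments"),
        "marketing_blocked": not detokenize_allowed(vault, token, "marketing"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the design is that a dump of the application database yields only tokens, which cannot be reversed without the vault, so the vault (and the key material protecting it, in a real deployment) becomes the single asset to guard.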

Best use of Database Security

Because databases are almost always accessed over the network, any
security risk to any component of the infrastructure can threaten the
database, and any attack that compromises a device or workstation can
endanger it too. Security for databases must therefore extend beyond the
database itself.

When evaluating the security of databases in the organization to set
priorities, look at each of the following areas.

o Physical security: Whether the database servers are on-premises or in
a cloud data centre, they should be housed in a secure, climate-controlled
environment. (If the database server is located in a cloud-based data
centre, the cloud provider handles physical security on the customer's
behalf.)
o Network access and administrative restrictions: The number of users
granted access to the database should be the practical minimum, and their
rights should be restricted to the minimum level required to fulfil their
tasks. Likewise, network access should be limited to the minimum
permissions needed.
o End-user account and device security: Always know who has access to
the database and when and how the data is used. Data monitoring tools can
raise alerts on data activity that is unusual or appears dangerous. Any
device that connects to the network hosting the database must be
physically secured (in the sole control of the appropriate person) and
subject to security checks at all times.
o Encryption: All data, including data stored in the database and
credential information, should be protected with strong encryption both
at rest and in transit (credentials such as passwords should be stored as
salted, iterated hashes rather than in recoverable form). All encryption
keys must be handled in accordance with best-practice guidelines.
o Database software security: Always use the most current version of the
database management software and apply patches as soon as they are
released.
o Application and web server security: Any application or web server
that connects to the database can be a target and should be subjected to
periodic security testing and best-practice management.
o Backup security: All backups, images, or copies of the database should
be protected by the same (or equally rigorous) security procedures as the
database itself.
o Auditing: Audits of database security standards should be conducted
every few months. Record all logins to the database server and to the
operating system, and record every operation performed on sensitive data.
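The monitoring and auditing items above call for detection logic over the recorded activity. The following is an added example (not code from the original notes or from any monitoring product) that runs a few such rules over a constructed audit trail: non-privileged access to sensitive tables, off-hours access, bulk reads, deletion of the audit table, and bursts of failed logins. The log layout (timestamp, user, action, table, row count, outcome), the table names, the thresholds and the sample lines are all assumptions; a real DBMS audit trail will differ in fields and format.

```python
"""Detection over database audit records: flag activity the best-practice
list above says to watch for.

Added example, not from the original notes. The log format and the sample
lines are constructed; thresholds and table names are assumptions.
"""
from collections import Counter
from datetime import datetime
from typing import Dict, List

# Constructed sample audit trail, one record per line:
# <ISO timestamp> <user> <action> <table or -> <row count> <outcome>
SAMPLE_LOG = """\
2024-03-04T09:12:01 alice LOGIN - 0 OK
2024-03-04T09:12:05 alice SELECT customers 42 OK
2024-03-04T02:31:17 bob SELECT card_numbers 120000 OK
2024-03-04T10:05:44 carol LOGIN - 0 FAIL
2024-03-04T10:05:49 carol LOGIN - 0 FAIL
2024-03-04T10:05:53 carol LOGIN - 0 FAIL
2024-03-04T10:05:58 carol LOGIN - 0 FAIL
2024-03-04T11:20:00 dave DELETE audit_log 5000 OK
"""

SENSITIVE_TABLES = {"card_numbers", "ssn", "audit_log"}   # assumed
PRIVILEGED_USERS = {"alice"}          # assumed: allowed on sensitive tables
BULK_ROW_THRESHOLD = 10_000           # assumed tuning values
FAILED_LOGIN_THRESHOLD = 3
BUSINESS_HOURS = range(8, 19)         # 08:00 to 18:59


def parse(line: str) -> Dict[str, object]:
    """Split one constructed audit line into typed fields."""
    ts, user, action, table, rows, outcome = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "user": user,
        "action": action,
        "table": table,
        "rows": int(rows),
        "outcome": outcome,
    }


def detect(log_text: str) -> List[str]:
    """Return one alert string per suspicious pattern found in the log."""
    alerts: List[str] = []
    failed_logins: Counter = Counter()
    for line in log_text.splitlines():
        rec = parse(line)
        user, table = rec["user"], rec["table"]
        if rec["action"] == "LOGIN" and rec["outcome"] == "FAIL":
            failed_logins[user] += 1       # counted across the whole log
            continue
        if table in SENSITIVE_TABLES and user not in PRIVILEGED_USERS:
            alerts.append(f"{user}: {rec['action']} on sensitive table {table}")
        if rec["ts"].hour not in BUSINESS_HOURS:
            alerts.append(f"{user}: off-hours access to {table} at {rec['ts']}")
        if rec["rows"] >= BULK_ROW_THRESHOLD:
            alerts.append(f"{user}: bulk {rec['action']} of {rec['rows']} rows from {table}")
        if rec["action"] == "DELETE" and table == "audit_log":
            alerts.append(f"{user}: tampering with audit trail")
    for user, n in failed_logins.items():
        if n >= FAILED_LOGIN_THRESHOLD:
            alerts.append(f"{user}: {n} failed logins (possible credential guessing)")
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print("ALERT", alert)
```

On the sample trail, bob's 02:31 read of card_numbers trips three rules at once (sensitive table, off-hours, bulk volume), dave's deletion of audit_log trips two, carol's four failed logins produce one alert, and alice's ordinary activity produces none; in practice the thresholds and the privileged-user set would come from the access policy rather than constants.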

What is GDPR?
The European Union (EU) introduced its previous data protection standard
in 1995 through the Data Protection Directive 95/46/EC. Because the EU
requires each member state to transpose a directive into national law,
Europe ended up with a patchwork of different privacy laws across
different countries. In addition, increasing security breaches, rapid
technological developments, and globalization over the following two
decades brought new challenges for the protection of personal data to the
forefront. To address this situation, the EU developed the GDPR, which as
a regulation is directly applicable as law across all member states.

GDPR—data security
Security and protection of customer data are shared responsibilities
between the customer and Oracle. Likewise, privacy compliance is a shared
responsibility between Oracle and the customer.

This shared responsibility in the context of the GDPR is defined by three
key actors:

 Data subject: An individual whose personal data is gathered and
processed by the controller.
 Controller: An entity that determines the purposes and means by which
the data is processed.
 Processor: An entity that processes data only on the controller's
instructions.

Why GDPR matters to Oracle and our customers
The GDPR, in force since 25 May 2018, applies broadly to companies that:

 Are based either inside or outside the EU
 Collect and handle personal data of EU-based individuals

Personal data, also known as personal information or personally
identifiable information in other parts of the world, is defined as any
information relating to an individual who can be identified, directly or
indirectly, for example by reference to identifiers such as:

 Names, identification numbers, and/or location data
 Online identifiers, or one or more factors specific to the individual's
physical, physiological, genetic, mental, economic, cultural, or social
identity

The world has changed for companies collecting and handling personal data
in the EU, both offline and online (that is, involving ecommerce or online
advertising activities), due to:

 New and strengthened rights for individuals
 Accountability requirements for companies
 Increased scrutiny by regulators

Therefore, companies collecting and handling personal data in the EU need
to consider and manage their data handling practices and use cases more
carefully than ever before.

What are the key requirements of GDPR?
The GDPR is built on established and widely accepted privacy principles,
such as purpose limitation, lawfulness, transparency, integrity, and
confidentiality. It strengthens existing privacy and security
requirements, including requirements for notice and consent, technical and
organizational security measures, and cross-border data flow mechanisms.

To adapt to the new reality of a digital, global, and data-driven economy,
the GDPR also formalizes newer privacy principles, such as accountability
and data minimization, which are reflected throughout the text, including
in the following requirements:

 Data security. Companies must implement an appropriate level of
security, encompassing both technical and organizational controls, to
prevent data loss, information leaks, or other unauthorized processing.
The GDPR encourages companies to incorporate encryption, incident
management, and network and system integrity, availability, and resilience
requirements into their security program.
 Extended rights of individuals. Individuals have greater control over,
and ultimately greater ownership of, their own data. They also have an
extended set of data protection rights, including the right to data
portability and the right to be forgotten (erasure).
 Data breach notification. Companies must inform their regulators and/or
the affected individuals without undue delay after becoming aware that
personal data has been subject to a breach (for notification to the
supervisory authority, the GDPR sets a deadline of 72 hours where
feasible).
 Security audits. Companies are expected to document and maintain records
of their security practices, to audit the effectiveness of their security
program, and to take corrective measures where appropriate.

How does GDPR impact Oracle Marketing Cloud?
Organizations around the world are continuing to focus on ensuring
their systems, processes, and policies support GDPR guidelines.
Marketing teams continue to be tasked with implementing changes
in the way they manage processes, people, and technical controls in
order to comply with the legislation. Oracle Marketing Cloud
welcomes the positive changes the GDPR has brought to our
services and we remain committed to helping our customers
address GDPR requirements that are relevant to our products and
services, including any applicable processor accountability
requirements. Many of our services already have built-in privacy and
security features to put our customers in control and to help build
consumer trust.

Advanced security solutions and options for SaaS, PaaS, and IaaS customers
If you have additional data privacy and security needs beyond the standards and
options built into software-as-a-service (SaaS) applications, or you use platform as a
service (PaaS) or infrastructure as a service (IaaS), Oracle offers additional cloud
security solutions and options. These solutions are designed to protect data, manage
user identities, and monitor and audit IT environments. Oracle Cloud customers can
also select additional Managed Security Services to leverage Oracle expertise in
deployment and security technology management to further accelerate or enhance
GDPR compliance.
Oracle Marketing Cloud comes prepared to support your GDPR requirements
As part of our commitment to help customers address GDPR requirements, Oracle
Marketing Cloud comes packaged with a robust set of built-in privacy and security
features that put marketers in control of the personal data they handle and help them
build consumer trust. These native capabilities span the broader Oracle Marketing
Cloud portfolio and can be grouped into these categories:

Collecting Personal Data: Oracle Marketing Cloud enables marketers to
capture personal data across many different channels. As part of these
data capture processes, marketers can incorporate mechanisms that enable
their customers to make informed decisions about the use of their
personal data. Whether someone is visiting your website, submitting a web
form, or sharing personal data across social media channels, Oracle
Marketing Cloud provides controls that can be configured to meet specific
business requirements.

Managing Personal Data: As today's businesses capture vast amounts of
personal data, marketing teams require powerful tools that let them
manage data at scale. Oracle Marketing Cloud provides a comprehensive
portfolio of features that makes it easy for marketers and customers to
manage personal data. This includes the ability for marketers and
customers to update personal data on request, as well as to securely
transfer personal data at scale using modern APIs and SFTP mechanisms.

Protecting Personal Data: Businesses have a responsibility to secure
personal data to protect the integrity of their customers. Native to
Oracle's core business, Oracle Marketing Cloud provides state-of-the-art
data security mechanisms and controls derived from privacy-by-design and
privacy-by-default principles. These include capabilities such as
encryption, anonymization, and more to protect personal data to the
highest possible standard, as well as granular access controls that
enable organizations to define which individuals or groups should have
access to personal data.
