
Does anybody have experience with Oracle Exadata security? The client wants to move all of his Oracle DBs to a central Oracle Exadata server. So on the same machine will be hosted DBs of different vendors and even competitors. What should we be aware of? (We = one of the vendors)

I found the following Oracle document: Oracle Exadata Database Machine Security Overview

Are there any other relevant resources on this?

AaronS
  • Generally, questions that are likely to result in discussion or polling-like answers are frowned upon. – Scott Pack Dec 03 '12 at 14:38
  • @AaronS - [this slide presentation](http://www.slideshare.net/ddragane/6-oracle-exadata-security-trend-ecs-final) discusses Exadata security to some extent. As you'll see, the main _'problem'_ with Exadata is that its default mode is `Open-Security`, and from there on you'd be assigning more restricted modes (`Open-Security`->`ASM-Scoped Security`->`Database-Scoped Security`) depending on your needs. Infiniband's [Leaf Switch Log-ins](http://seclists.org/fulldisclosure/2012/Nov/229) also appear in need of looking into before deployment, with shadow files exposed in `/conf/shadow` by default. – TildalWave Feb 24 '13 at 16:52
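The three modes named in the comment above map directly onto each grid disk's `availableTo` attribute on the storage cells: an empty value is Open-Security, a value listing only ASM cluster names (prefixed with `+`) is ASM-Scoped Security, and a value that also lists database names is Database-Scoped Security. The following check is an added example, not code from the question or from Oracle; it parses constructed sample lines in the shape of `cellcli -e list griddisk attributes name, availableTo` output (the disk and database names are made up) and reports which grid disks are still in the open default that a tenant on a shared machine would want to see closed.

```python
# Constructed sample of what `cellcli -e list griddisk attributes name, availableTo`
# prints on one storage cell; disk, cluster and database names are invented.
SAMPLE_CELLCLI_OUTPUT = """\
DATA_CD_00_cel01     +ASM
DATA_CD_01_cel01     +ASM,PRODDB
RECO_CD_00_cel01
RECO_CD_01_cel01     +ASM,PRODDB,VENDORDB
"""


def classify_griddisk(available_to: str) -> str:
    """Map a grid disk's availableTo value onto the three Exadata security modes."""
    entries = [e.strip() for e in available_to.split(",") if e.strip()]
    if not entries:
        return "open"            # no restriction: any ASM cluster / DB on the fabric can mount it
    if all(e.startswith("+") for e in entries):
        return "asm-scoped"      # only the named ASM cluster(s) may use the disk
    return "database-scoped"     # further restricted to the named databases


def audit_griddisks(cellcli_output: str) -> dict:
    """Return {griddisk_name: mode} for every non-empty line of the listing."""
    modes = {}
    for line in cellcli_output.splitlines():
        if not line.strip():
            continue
        parts = line.split(None, 1)            # name, then the optional availableTo column
        name = parts[0]
        available_to = parts[1].strip() if len(parts) > 1 else ""
        modes[name] = classify_griddisk(available_to)
    return modes


def open_griddisks(modes: dict) -> list:
    """Sorted names of grid disks still in the Open-Security default."""
    return sorted(name for name, mode in modes.items() if mode == "open")


if __name__ == "__main__":
    result = audit_griddisks(SAMPLE_CELLCLI_OUTPUT)
    for name, mode in result.items():
        print(f"{name:20} {mode}")
    print("Open-Security grid disks:", open_griddisks(result))
```

Run it against the real listing from every cell in the rack; any name printed under "Open-Security grid disks" is storage that every ASM cluster and database on the InfiniBand fabric can reach.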

2 Answers


Don't expect database encryption to magically solve these security concerns. When yet another Oracle DB exploit hits Metasploit, a competitor could use this to compromise all data and all encryption keys stored on the database. In short, an adversary doesn't need SQL injection to deliver a Metasploit payload; they already have access to the database, which is a much easier attack to carry out.

Personally, I wouldn't trust my data stored on a database where competitors have access. I also wouldn't depend on Oracle for security. They are very slow to roll out patches in mission-critical software and do not handle 0-days very well. (TWO botched patches for the most recent Java 0-day, really? This does not inspire consumer confidence.)

rook

  1. Separate production and non-production clusters; you can always create multiple instances for each.
  2. Separate the management network from the client network.
  3. For the management network, use mutual authentication in addition to your identity management.
  4. If you need to secure your data at rest, you can use TDE (transparent data encryption).
  5. If you are offering self-service (in a private cloud setting), make sure that you turn on auditing.

Obviously these are just some data points. Your security strategy must be driven by your requirements, such as data loss prevention (DLP) and compliance such as HIPAA and PCI, etc.

Hugo R