A NEED TO RETHINK TOMORROW
This post was originally written for Dbvisit – a company providing added values to any Oracle Standard Edition Environment
Many people within the Oracle Community share their knowledge about the Oracle database from an Oracle Enterprise Edition database perspective, and therefore the advice might not be suitable for an Oracle Standard Edition 2 database due to license restrictions.
Back in 2014, my idea was not only to increase the awareness of the Oracle Standard Edition database pitfalls but also highlight its potential and opportunities by blogging and speaking at conferences about it.
I assume most of the people within the Oracle Community already know, that the luxury of using features like AWR, ASH, compression, partitioning and advanced security are out of reach for an Oracle Standard Edition 2 database customer and DBA in 2018.
Back in 2014 it was easy to advocate for the Oracle Standard Edition database, since it had the same solid core technique as Oracle Enterprise Edition and was only lacking some neat features and options, that most ISV vendors anyhow had not implemented in their application. The missing features/options like diagnostic and tuning pack wasn’t having any impact noticeable for an application user. It was more of a DBA kind of issue or problem. But….
The big buzz word in Europe is the “GDPR”, which is the General Data Protection Regulation. Everybody working in ICT is searching for a technical solution that supports a company’s daily business struggles to become GDPR compliant and the lack of advanced security features are starting to give Oracle Standard Edition 2 database customers in 2018 a bad headache.
Oracle provide a nice battery of technical solutions to tackle the new GDPR challenges. Following Oracle’s GDPR papers might give you an idea of the range of technical solutions for good compliance at the Oracle database level:
I agree with Oracle on this one:
“GDPR is technology-neutral and does not mandate organizations to implement specific security controls, technologies or methodologies. However, Article 32 does provide guidance on certain security measures that organizations may consider implementing to help secure the data….”
Since GDPR is more a technical-neutral thing, than an edition specific thing, I was expecting specific advice for all the other database editions as well. Undoubtedly the fact that Oracle provide technical solutions from an Oracle Enterprise Edition database perspective is a big challenge for many Oracle Standard Edition 2 database users today and when asking Oracle about this challenge, the answer is of course “join our cloud”.
Cloud is for sure a nice thing, but for many reasons a move to the cloud is not an option for some companies. What options are then available for such a customer? Move to another database vendor, who will provide free or very low-cost security options? Sure, why not, but for sure such a solution will also require some new investments. So far, I haven’t heard of many business applications built-in such way, that you can switch the database without any application modifications.
AVDF ON ORACLE STANDARD EDITION
At OOW17, I talked to people at the Oracle Security stand, who told me that the Oracle “Audit Vault & Database Firewall” product now is available for Oracle Standard Edition 2 databases as well. This is great, because I saw an opportunity for Oracle Standard Edition 2 database customers today to build a solution that would ease their “GDPR headache”. Please note that Oracle also has a solution called “Audit Vault”, which is a completely different product.
Short summary on AVDF:
“At a High-Level Oracle Audit Vault and Database Firewall (AVDF) provides organizations with three key database security requirements: audit collection, SQL traffic monitoring and security event reporting. With an easy-to-use interface, AVDF is for organizations looking to increase security with enterprise wide database activity monitoring, auditing and reporting.”
To my understanding, at a minimum GDPR compliance requires, that a company has a good picture of and a broad understanding of their data, its sensitivity, who is using the data and for what purpose, so that if a breach occurs, they can inform the authorities.
MONITOR, BLOCK AND AUDIT
Naturally I had to test AVDF 22.214.171.124 together with an Oracle Standard Edition 2 database to get some insight. The amount of audit trail with only a standard audit option is of course a challenge in itself. I tested an approach of combining standard audit with the FDA-solution and some triggers.
The “SE2+AVDF” solution I tested is not as elegant as the ones available out-of-the-box for an Oracle Enterprise Edition database, but it gave me some new ideas on how this solution might be refined and therefore could be helpful. But no doubt the option of buying security options for an Oracle Standard Edition 2 database would be a relief.
Since Oracle Standard Edition 2 database customers are facing a challenge now, I have also checked for alternative solutions. There are many other candidates available on the market and it’s obvious they will be explored.
“So first, we [the business world] have gotta provide security without slowing down our other tasks, and we HAVE TO ELEVATE the priority of security in our data centers—because NO ONE wants to be on the front page about having lost their company’s data,” Ellison said at OOW17.
Sounds good and promising.
The fact that the Oracle Standard Edition 2 database doesn’t include advanced security or fine-grained auditing options is well-known, and probably one of the most significant challenges in the era of GDPR.
Both Oracle’s announcement at OOW17 about making security their business and this statement from one of the above presentations make me believe in the Oracle Standard Edition 2 opportunities:
“GDPR is technology-neutral and does not mandate organizations to implement specific security controls, technologies or methodologies.” As an optimistic and positive person, the statements make me believe in the power of “rethink tomorrow”.
Security is everybody’s concern, and should IMHO not be a matter of money. It should be a default “de facto” in every database like “Sun & Moon”, “Bonnie & Clyde” or “Cruffin & Coffee”.
Take care, stay well and let’s see what the future of tomorrow looks like.
Helsinki 20 Feb 2018