Wednesday, August 24, 2016

Database encryption in transit, why is this still a question?



As data flows between systems, applications and databases, valuable information is passed along internal networks, external networks or a combination of both. The data can be intercepted by several different tools, including the monitoring tools that companies use to verify that applications are working and that the network is available. There is a great deal of security focused on the network and on encrypting information being sent back and forth. Even with risk minimized and various network security in place, there are still opportunities to sniff or pull data in transit. It would seem that this security control would be a default in a secure configuration. However, there are still questions and open issues with database encryption and with encryption of data to and from the database.

This seems like the first place to start for database security. Data in transit and data at rest can be encrypted with basic implementation steps and become part of a standard database build. With several database platforms these types of encryption are transparent to applications and data users. The clients receive the data encrypted because the server has set up the proper configuration for encrypting the data in transit.

The question is still: why is this not a standard? It could be because of other focus areas for the business or because of resource issues. It can also be because this is something that is handled after the databases have been created, and because of concerns about how the applications might handle the secured settings of the database servers if they are changed. However, since this configuration is part of the server, even if it was not part of the initial install, it can be part of the configurations and the standard build of the databases. Database as a Service (DBaaS) can provide these types of configurations as a baseline installation of the database server. Using a service like this, or having these configurations as part of the deployment of the database, will eliminate the question of encryption in transit.

Setting up the DBaaS with the needed encryption configuration will take care of the future standard: new builds, migrations, etc. But what about existing servers? Changing their configuration will need to be planned. Just as changes to parameters and patches are made, these server-side configurations can be made and tested in non-production first. As much as I would normally like to do one change at a time, there are a few things I would group this change with, especially because maintenance windows are limited.

The database servers need to be configured to use SSL, which is done on the server side for both Oracle and Microsoft SQL Server. This is a high-level view of what needs to be done for each database environment; it is basically parameter changes and a restart of a service or listener.
For Oracle, the parameters are set in the sqlnet.ora file:
SQLNET.ENCRYPTION_SERVER = required
SQLNET.CRYPTO_CHECKSUM_SERVER = required
For SQL Server, the Server Configuration Manager is used to set the Protocols under the Network Configuration for the server. The protocol properties should have Force Encryption set to Yes.
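Added example, not part of the original post: a small check that parses a sqlnet.ora and evaluates the two server-side parameters above against Oracle's documented negotiation rules (REJECTED, ACCEPTED, REQUESTED, REQUIRED on each side; these parameters control Oracle's native network encryption and integrity checking). It generalizes the post's point by showing that only REQUIRED guarantees protection when a client is left at Oracle's default of ACCEPTED. The sample file content is constructed.

```python
"""Audit sqlnet.ora server-side encryption and checksum levels (added example)."""
import re

LEVELS = ("REJECTED", "ACCEPTED", "REQUESTED", "REQUIRED")

# Constructed sample: encryption is enforced, the checksum is not.
SAMPLE_SQLNET_ORA = """# sqlnet.ora on the database server (constructed sample)
SQLNET.ENCRYPTION_SERVER = required
sqlnet.crypto_checksum_server = accepted   # left at the default level
SQLNET.EXPIRE_TIME = 10
"""


def parse_sqlnet_ora(text):
    """Return {UPPERCASE_KEY: value} for each 'key = value' line; '#' comments
    and blank lines are ignored, keys are case-insensitive as in Oracle."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"([\w.]+)\s*=\s*(.+)", line)
        if m:
            params[m.group(1).upper()] = m.group(2).strip()
    return params


def negotiate(server, client):
    """Outcome of Oracle's negotiation for one server and one client level:
    'on' (protected), 'off' (clear) or 'fail' (connection refused)."""
    s, c = server.upper(), client.upper()
    if "REJECTED" in (s, c):
        return "fail" if "REQUIRED" in (s, c) else "off"
    if "REQUIRED" in (s, c) or "REQUESTED" in (s, c):
        return "on"
    return "off"  # both ACCEPTED: Oracle's out-of-the-box result


def audit(params, client_level="ACCEPTED"):
    """List the server parameters that do not force protection against a
    client at the given level (default: Oracle's default, ACCEPTED)."""
    findings = []
    for key in ("SQLNET.ENCRYPTION_SERVER", "SQLNET.CRYPTO_CHECKSUM_SERVER"):
        level = params.get(key, "ACCEPTED").upper()  # unset means ACCEPTED
        if level not in LEVELS:
            findings.append(f"{key}: invalid value {level!r}")
        elif negotiate(level, client_level) != "on":
            findings.append(f"{key} = {level}: not enforced when the client is {client_level}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_sqlnet_ora(SAMPLE_SQLNET_ORA)) or ["no findings"]:
        print(finding)
```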

Should this still really be a question? Encryption of data should just be a standard. Start by verifying that the data in transit is encrypted. Data at rest encryption would be the next step, followed by other data access controls and protection.

Tuesday, August 16, 2016

Database Olympics - Training for the Medals?

I will admit, I have been inspired by watching the Olympics: the work, training and even reinventing that the athletes do to be successful at the competitions. I enjoy sports and have participated where I could, but accepted the fact over the years that being short and now getting older has created some physical limitations. It is still fun, and if you didn't know this about me, swimming was my sport that helped me fund my schooling (as a coach). I was even a flyer and a sprinter, not too keen on long distances, though a nice long slow swim is very relaxing to me now. I do get excited about the swimmers doing well and watching how the sport has changed over the years.
The photo for my blog here is even me standing next to Michael Phelps just a "few" years ago...
One might even say that I temporarily retired from writing blog posts (considering how old the last post was), but now feel that this is part of my new training plan. I have been impressed by how he has refocused and set goals in order to accomplish what he has this year. Katie Ledecky, even though competing in the longer distances, has dominated her events; I am amazed by how hard she works and trains, and having seen earlier photos of her with Phelps, she might have used meeting him for some encouragement to work harder.
But this isn't an article about Phelps, it is about what we can learn and be inspired to do as Olympians in our own field. Yes, I said that we are Olympians. There is even a TV commercial out there with Kayla Harrison (awesome Judo athlete) saying that things we do normally earn us medals. (If you don't know anything about Kayla, google her and "This is My Day").
So, what are we training for, any upcoming events? Where do we have to do things differently? What conditions have changed? If we are looking at database environments, there is so much growth and potential here in these environments because of new technologies and business needs. Databases are being provided as services where self-provisioning has definitely changed the landscape for the DBAs, might even consider that DBAs are needing to adjust just because the skills are getting older and newer (younger) options are coming. The knowledge is needed to provide data intelligence and still provide highly available, well-performing and secured data sources.
We might be preparing for the migration or upgrade (12cR2???) event coming soon. Our training would be learning the new features, testing our environments and getting prepared to succeed in that event. Just imagine celebrating those victories with medals or other types of awards.
Doing things differently, we might adopt new technologies or automate parts of our job in order to focus on different areas and work more with the business to provide the data solutions.
Data security is a higher priority, which I have been focused on to look at access controls, data protection and how to validate and monitor the controls are in place and continue to be effective.
Processes, new technologies and working differently are things I have heard that the athletes who come back year after year are doing in the Olympics, and why shouldn't we embrace that for what we do and how we are working in our environments?
Validate the processes and controls, work on using services and automation to not have to constantly repeat tasks to be "faster" at delivery and continue to learn and if needed refocus on areas that meet business requirements.
Let's be inspired to learn more, work more efficiently and celebrate what we do.