Book Review: Security, Audit and Control Features: Oracle Database

Audit and Assurance
Author: ISACA | Reviewed by Ravi Ayappa, Ph.D.
Date published: 10 November

Security, Audit and Control Features: Oracle Database, 3rd Edition, is intended to help assessors review the security of Oracle database environments. The book is an ideal handbook for auditors, database administrators (DBAs) and security practitioners who want a detailed understanding of Oracle database security.

The book covers technical topics such as the Oracle database architecture, operating system controls, auditing and logging, network security, and the new security features introduced in Oracle 10g and 11g. It also covers automated assessment tools, enterprise resource planning (ERP) and customer relationship management (CRM) architectures, and interfaces to legacy systems. It aims to guide assessors in performing a comprehensive assessment of Oracle database security driven by business objectives and risk, giving readers the knowledge and tools to audit current Oracle database environments effectively.

The objective of the book is to give the reader a practical approach to auditing Oracle database security against an organization's policies, standards and technical controls. It recommends a risk-based IT audit approach built on the COBIT 4.1 framework. Beyond policies and standards, the technical features Oracle provides reinforce the COBIT framework's control objectives, together with management commitment, people and processes.

The book explains the Oracle database architecture at a high level, describing the components present on the system and the technology risk factors associated with it. The audit planning process includes understanding the business, architecture and technology risk; determining the risk profile; and developing the test plan.

Assessors must understand the relationship between the operating system, the database server and the network environment, and how they interact, in order to determine whether data is adequately protected. The book explains that DBAs need to work with application developers and security architects to develop a database encryption strategy that meets the enterprise's security needs. The assessor should review applications and database design documents and interview management to learn which sensitive data is used by applications and stored in their databases. In addition, the book covers how encryption protects highly confidential information from misuse by DBAs and unauthorized persons. The transparent data encryption (TDE) feature, for example, which forms part of Advanced Security in the Oracle 10g database release, provides column-based encryption for sensitive fields.

Effectively managing security privileges and access controls in an Oracle database is essential to securing the database. Strong user access control is therefore a fundamental component of a good security model. Access security must be flexible enough to control access for different types of users, including DBAs. The book explains DBA security access control practices from the assessor's point of view: DBAs hold the "keys to the kingdom," so it is very important to have controls in place.

Vendors that manage databases should be bound by service level agreements (SLAs) that address security requirements, and assessors should review those SLAs for acceptable use. Security, Audit and Control Features: Oracle Database, 3rd Edition, explains the procedure for emergency access, how to handle generic accounts, password controls and resource limits.

Auditing helps monitor the database so that unauthorized activity can be detected. Oracle Database provides fine-grained auditing of operations performed on the system against any database object or by any user. The various audit options are explained in detail in the book.

The book covers identifying weak public, private and global database links. It outlines the risks associated with insecure links and what can be done to mitigate them. Network security is an important part of the overall Oracle security strategy, and the book has a chapter on it intended to help assessors understand the network risks associated with Oracle databases. The Transparent Network Substrate (TNS) listener authenticates remote clients to the server and is the first interface an attacker seeking to compromise an Oracle database will encounter, so its configuration needs to be secured. Oracle database servers should sit in a protected database tier on the internal network and should never be reachable from the public Internet.

The book explains how Oracle Advanced Security can be used to encrypt network traffic between clients, database servers and application servers. Oracle Net Manager can be used to manage Oracle Advanced Security settings for Oracle clients and servers, including configuration options for authentication, integrity, encryption and SSL security. Centralized user management can be implemented using Oracle Internet Directory (OID), which can be configured to authorize user connections using LDAP-, Kerberos- or secure sockets layer (SSL)-based authentication.

The book also covers the key general control environment areas that should be reviewed to help ensure the Oracle system is protected, including change management, information classification, segregation of duties, the system development life cycle, incident response, vulnerability and patch management, and monitoring of backup and recovery processes.

The book discusses in detail the importance of using secure web-facing applications, because a vulnerable and insecure application can become a back door for data theft despite a secure Oracle configuration. Tools available on the market that can assess the logical security of the database are also discussed. Audit programs and internal control questionnaires are developed and reviewed against COBIT, and key issues and components are enumerated in detail.

The author of Security, Audit and Control Features: Oracle Database, 3rd Edition, succeeds in providing high-level guidance for assessing the security controls of Oracle databases.


Reviewed by Ravi Ayappa, Ph.D.,
who is currently a principal security consultant at Cognizant Technology Solutions in the United States. Over the last 25 years of his career, he has worked in the domains of governance, risk and compliance consulting; Internet of Things security; infrastructure security; application security; business continuity planning; disaster recovery; and information and communications technology security in Asia, Europe and the United States across various industries, including the military. He is also a volunteer instructor for ISACA certification courses with the Detroit (Michigan, USA) chapter.