Perimeter
5/24/2011
11:41 AM
Adrian Lane
Adrian Lane
Commentary
Connect Directly
RSS
E-Mail
50%
50%

Oracle 11G Available On AWS

When testing Oracle on Amazon AWS, consider how you will secure your data

Amazon announced availability of Oracle 11G machine images on Amazon AWS. It's fairly apparent that what's being provided is not really intended for production deployments at this time. Still, it's a neat way for customers test out the elasticity of Platform as a Service and sample Oracle 11G capabilities without having to invest in database licenses and new hardware.

But Amazon environments are very different than managing traditional IT. Sure, you can spin up a database really fast, but to do anything with it, you'll need to configure just about every aspect of your environment. And it's harder to inspect and monitor servers in the cloud. That applies to security as well as general administration.

In Amazon's announcement, security information is limited to automatic patching of the image files, and the following: "You can also control access and security for your instance(s) and manage your database backups and snapshots." Automated patching is a great advantage.

Unfortunately, there is a lot more to Oracle security than patching: you'll have to figure out access control and archive encryption, as the Amazon guidance leaves big gaps between the theory and the execution for access controls and archive security. From a security perspective, there are a lot of steps you need to perform in order to secure the database so that you'll be able to reliably store any data, much less sensitive information.

It's pretty clear that this service -- at least for the time being -- is not for production usage. Even if you are not planning on building a production database, it's beneficial to consider the security implications while you run your tests. Here is a quick rundown of what you need to consider for access controls and archive security:

Encryption: You are going to need to encrypt your archives and snapshots; Amazon S3 is simple but not necessarily secure. I'll jump right to the point and say you'll want transparent database encryption so that any archive or snapshots are automatically encrypted. You'll need to acquire the add-on Oracle package or install a OS layer encryption product like Vormetric. In both cases, since Amazon is patching the image files, you'll need to understand how this affects additional encryption features; most likely you will re-apply setup scripts or re-install products to the virtual image.

Authentication:You need to determine how you are going to authenticate users, internally or externally. I recommend external, but that still leaves a couple options as to how you do this. You can create and deploy an LDAP service in the cloud, or leverage Amazon services for credentials, or you can link back to your existing IT services. Any way you go, you are responsible for user setup and validating security on what you deploy.

If you plan on doing anything more than basic testing and proof of concepts -- and then totally dismantling the database afterwards -- here are several other things you should consider:

Certificate Management: There is a lot of management to the machine images, disk images, virtual networking, and data management; you will be running scripts to auto-configure images at startup and linking all of the resources together. You'll have certificates issued to validate connections and admin capabilities, so you need to capture these certificates in a secure location and distribute to select few. I don't recommend keeping public and private keys in the same directory, and I definitely don't recommend installing certificates on images were they can compromised.

Network Access: The database should only be indirectly accessible through your applications, or through some secured connection from your existing IT environment. You have the option of creating a virtual network with Amazon's Elastic Beanstalk and controlling how database connections can be created. You'll want to set up a VPN tunnel for management connections, and you'll want to set up the database with a private IP address so that it cannot be publicly addressed.

Assessment: Assessment of the database configuration to ensure you turn off unwanted services and reset default passwords. If you are quickly spinning up and shutting down databases, it's easy to miss configuration details, so get an assessment tool to validate security settings. Consider creating a script file that runs prior to launching the images so your systems have a secure baseline configuration.

Key Management: Consider how you want to manage encryption keys for the database. Sure, you can install the keys on the disk image, but that's not very secure as they can be read by attackers. You'll likely need a key server in the cloud, or once again, supporting the cloud from your existing IT environment.

Masking: If you're testing a new application, or the viability of an existing applications in the cloud, you'll need test data. Any data that you put in the cloud should not be production data until you have audited database security. Do yourself a favor and get a masking tool that will auto-generate data for you, or obfuscate existing data, before moving into the cloud database. Adrian Lane is an analyst/CTO with Securosis LLC, an independent security consulting practice. Special to Dark Reading. Adrian Lane is a Security Strategist and brings over 25 years of industry experience to the Securosis team, much of it at the executive level. Adrian specializes in database security, data security, and secure software development. With experience at Ingres, Oracle, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Title Partner’s Role in Perimeter Security
Title Partner’s Role in Perimeter Security
Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-2413
Published: 2014-10-20
Cross-site scripting (XSS) vulnerability in the ja_purity template for Joomla! 1.5.26 and earlier allows remote attackers to inject arbitrary web script or HTML via the Mod* cookie parameter to html/modules.php.

CVE-2012-5244
Published: 2014-10-20
Multiple SQL injection vulnerabilities in Banana Dance B.2.6 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) return, (2) display, (3) table, or (4) search parameter to functions/suggest.php; (5) the id parameter to functions/widgets.php, (6) the category parameter to...

CVE-2012-5694
Published: 2014-10-20
Multiple SQL injection vulnerabilities in Bulb Security Smartphone Pentest Framework (SPF) before 0.1.3 allow remote attackers to execute arbitrary SQL commands via the (1) agentPhNo, (2) controlPhNo, (3) agentURLPath, (4) agentControlKey, or (5) platformDD1 parameter to frameworkgui/attach2Agents.p...

CVE-2012-5695
Published: 2014-10-20
Multiple cross-site request forgery (CSRF) vulnerabilities in Bulb Security Smartphone Pentest Framework (SPF) 0.1.2 through 0.1.4 allow remote attackers to hijack the authentication of administrators for requests that conduct (1) shell metacharacter or (2) SQL injection attacks or (3) send an SMS m...

CVE-2012-5696
Published: 2014-10-20
Bulb Security Smartphone Pentest Framework (SPF) before 0.1.3 does not properly restrict access to frameworkgui/config, which allows remote attackers to obtain the plaintext database password via a direct request.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.