Oracle Consulting Oracle Training Oracle Support Development
Home
Catalog
Oracle Books
SQL Server Books
IT Books
Job Interview Books
eBooks
Rampant Horse Books
911 Series
Pedagogue Books

Oracle Software
image
Write for Rampant
Publish with Rampant
Rampant News
Rampant Authors
Rampant Staff
 Phone
 800-766-1884
Oracle News
Oracle Forum
Oracle Tips
Articles by our Authors
Press Releases
SQL Server Books
image
image

Oracle 11g Books

Oracle tuning

Oracle training

Oracle support

Remote Oracle

STATSPACK Viewer

Privacy Policy

  

 

ISBN
xxx
ISBN 13
xxx
Library of Congress Number: xxxx
xxx Pages PD 903
Shelving:
Databases/Oracle
Oracle In-Focus Series - # 47
 

Oracle Privacy Security Auditing
Includes HIPAA Regulatory Compliance
Second Edition

Arup Nanda
 

Retail Price $59.95 /  £37.95 

Key Features About the Authors Table of Contents
  Reader Comments Errata
     

Order now and get quick access to the code depot!

  Only $39.95     (30% off)

Get the Security Pack - Half price!
Both books for only 69.95 - A $140 value
Oracle Privacy Security Auditing:  2nd Edition     $69.95
Oracle Forensics $69.95

 Arup Nanda is named "DBA of the Year" by Oracle Corporation!

Oracle is the world's most complex database and it offers a bewildering plethora of tools and techniques for managing privacy, security and auditing.   This is an indispensible book that addresses these issues in Oracle privacy security auditing, a book that uncovers all of the hidden aspects aspects of Oracle security and auditing, and privacy management.

Oracle auditing has become an extremely complex undertaking, and this book is unique because it comes with a code download of read-to-use scripts and tools to help you see the base-level privileges within any Oracle database, no matter how complex.  On top of these issues, we still must address the issues f regulatory compliance, and this book covers HIPAA and data privacy with in-depth examples, and technical explainations.

Written by one the world's most widely-read developers and author of best-selling Oracle books, Arup Nanda target his substantial knowledge of Oracle Internals to this important book. With extensive experience installing Oracle auditing, Arup Nanda shares secrets for the effective creation of auditing mechanisms for HIPAA compliant Oracle systems.

The Health/Insurance Portability and Accountability Act of 1996 (HIPAA) was created to ensure privacy for medical patient data. HIPAA requires complete auditing to show everyone who has viewed confidential medical patient information. This permeates from Hospitals, insurance companies, and dozens of healthcare related industries. HIPAA is a framework that provides a complete security access and auditing for Oracle database information.

This book provides complete details for using Oracle auditing features, including auditing from Oracle redo logs, using system-level triggers, and using Oracle fine-grained auditing (FGA) for auditing of the retrieval of sensitive information.

Best of all, Nanda share dozens of working samples in his online code depot. Examples from all areas of security and auditing are covered with working scripts and code snippets. Your time savings from a single script is worth the price of this great book.

 

 
Key Features

* Provides a complete conceptual framework for all areas of Oracle auditing.

* Covers HIPAA requirements and shows Oracle techniques for enforcing HIPAA requirements inside the Oracle database.

Offers fast working examples for basic Oracle auditing techniques and scripts.

* Show the use of Oracle LogMiner to retrieve audits of database updates.

* Shows how to implement all Oracle system-level triggers for auditing, including DDL triggers, servererror triggers, and use login and log-off triggers.

* Provides working code examples for auditing the viewing of sensitive information using triggers and Oracle9i fine grained auditing (FGA).

About the Authors:

     Arup Nanda

 

Arup Nanda is the recipient of the coveted DBA of the Year 2003 award by Oracle Corporation.  This award is among the most highly coveted in the database industry, and each year only one of more than a quarter million Oracle professionals is honored by this distinction.  A decade of experience as a DBA has made Arup an expert in many Oracle areas including Oracle Design, Oracle Modeling, Oracle Performance Tuning and Oracle Backup & Recovery.

Arup is a frequent speaker in many Oracle related conferences including IOUG Live and has written several Oracle related articles in technical journals in the US and Europe. He is on the editorial board for SELECT Journal, the publication of the International Oracle Users Group.

Table of Contents:
Section I - Overview
 
Chapter 1: Introduction to HIPAA
Introduction to HIPAA, the law, the requirements and the mandates placed by the new regulation. The chapter stresses that HIPAA consists of two important domains – (i) the mandate to protect data and enforce security and privacy and (ii) the description of several types of EDI/EC transactions; and this book covers the first domain, pertaining to security and data protection.

Chapter 2: Introduction to Oracle Security
A detailed overview of the Oracle security mechanisms and their relevance to HIPAA.
·        Grant security
·        Role-based security
·        Profile based security
·        Grant execute security (invoker & definer rights)
·        Virtual private databases (row-level security, fine-grained access control)
·        Application Server Security
 
Chapter 3: Introduction to Oracle Auditing
An overview of the tools and techniques that are used for HIPAA auditing of Oracle databases. 
·        DDL auditing
·        DML auditing
·        SELECT auditing
o       Oracle audit SQL commands
o       Fined-grained auditing
·        Auditing backup & recovery
o       Auditing disaster recovery plan
o       Auditing continuous availability plan
·        Auditing replicated data
·        Auditing sources for materialized views
 
Section II - Security
 
Chapter 4: General Oracle Security
This is a review of the standard relational grant security as expected in the HIPAA requirements.
 
·        Profile Security
·        Grant security
o       System privileges
o       Object privileges
o       Granting to public
o       Grants with ADMIN option
 
·        Role-based security
o       Views and grant security
o       Row-level security with views
 
·        Grant execute security
o       Definer rights and invoker rights.
 
·        SQL*Plus Security
o       The use of product_user_profile
o       Restricting Logon Attempts
 
 
Chapter 5: Virtual Private Database
Topics include a detailed description of VPD and how they can be used to enforce security and privacy as per HIPAA requirements.
·        Benefits of FGAC
o       Dynamic security – Predicates are assigned to users at runtime, and there is no need to maintain complex roles and grants.
o       Multiple security - Place more than one policy on each object, as well as stack them upon other base policies.
o       No dictionary view proliferation – Thousands of views are no longer required to manage row-level security
o       No back-doors - Users no longer bypass security policies embedded in applications, because the security policy is attached to the data.
o        Complex access rules – Scalar values (e.g. where salary > 50000) can be deployed.
Issues with FGAC
o       Requires a user account for every person accessing Oracle
o       Difficult to reconcile with other GRANT security
o       Access rules are stored inside stored procedures, which can be changed.
o       Foreign key referential integrity can be used to bypass FGAC
o       Cursor caching in pre 8.1.7 allow bypassing of FGAC
·        Predicate-based security internals
·        Security policies
·        Application contexts
·        Example of FGAC in action
Chapter 6: Data Encryption in Oracle
A description of all types of encryption (available in Oracle) to satisfy HIPAA requirements.
 
·        Types of encryption – DES, 3DES, MD5, etc.
·        Details on using the dbms_obfuscation_toolkit package
·        Using hashing functions to encrypt data
·        Using data compression as encryption
 
Chapter 7: Oracle Network Security
·        Vulnerabilities and threats in Oracle Networks
·        Listener Buffer Overflow
·        SQL Injection
·        Packet Sniffing
·        IP Filtering with Connection Manager
 
Section III - Auditing
 
Chapter 8: Oracle Audits
·        Audits in Oracle for various DML statements
·        Managing audit tables
·        Archiving Audit Tables to archival media like CD-ROM or Tape
·        Various examples describing the auditing functionality in Oracle.
 
Chapter 9: Oracle Trigger Auditing
·        DDL Auditing
o       System triggers for DDL auditing
o       Using Dictionary-based DDL
o       Auditing source code changes
o       Auditing DDL versioning
 
·        DML Auditing
o       Installing Automatic Auditing Using LogMiner
o       Usage of Logminer for HIPAA update auditing requirements
o       Auditing with DML triggers
 
·        Server Error Auditing
o       Servererror trigger
o       Reports
Chapter 10: Auditing Grants Security
Overview of data dictionary query scripts to locate faults in grant-based and role-based security to satisfy HIPAA requirements.
 
·        Auditing for system privileges
·        Auditing for WITH ADMIN option
·        Auditing for synonyms
·        Auditing for PUBLIC objects

Chapter 11: Oracle Fine Grained Auditing
The Fine Grained Auditing (FGA) in Oracle 9i provides the hitherto impossible area of auditing the exact statement used by a user to simply select data, not update it, as required by HIPAA.
 
·        Use of the dbms_fga package
·        Auditing select access as per the HIPAA mandated auditing of Patient Health Information (PHI). 
·        Archiving of audit information to tertiary media (optimal CD-ROM & Tape)
·        Combining FGA and Flashback queries to answer the most important question in addition to who saw the data, what they saw.
 
Chapter 12: HIPAA Checklists for Security and Auditing
 
A checklist of HIPAA requirements (and the Oracle features described in this book) that can be used to satisfy the requirements.
 
This book covers Oracle security audit.
 
 

 

Index:

_
_trace_files_public

A
Access Control List 
admin_restrictions
all_def_audit_opts
all_policies
app_ctx   
app_users 
application context 
aud$_combined
audit_actions
audit_column
audit_condition 
audit_file_dest
audit_sys_operations 
audit_trail  
authentication_level  

C
client_identifier
connect_time 
Context Based Access
crypto_checksum_client  

D
Data Definition Language
Data Manipulation Language
dba_audit_exists 
dba_audit_object
dba_audit_policies
dba_audit_session
dba_audit_statement   
dba_audit_trail
dba_col_privs
dba_fga_audit_opts
dba_fga_audit_trail 
dba_obj_audit_opts
dba_policies 
dba_policy_groups 
dba_priv_audit_opts 
dba_role_privs
dba_source
dba_stmt_audit_opts
dba_sys_privs
dba_tab_privs
dba_views 
dbms_fga
dbms_fga.add_policy
dbms_fga.drop_policy 
dbms_flashback  
dbms_lock  
dbms_obfuscation_ toolkit  
dbms_rls 
dbms_session
dbms_shared_pool.keep   
dbms_storage_map 
DBSNMP 
dbsnmp0
decrypted_data 
Designated Record Set 
Digital Encryption Standard 
Discretionary Access Control

E
enable
encrypted_data 
encrypted_string 
encryption_client 
encryption_server 

F
failed_login_attempts 
Federal Information Processing Standards
fga_audit
fga_log$  
Fine Grained Access Control 
function_schema           

G
get_system_change_number 
Gramm-Leach-Bliley Act

H
handler_module  

I
identity theft
idle_time
input
input_string  
input_vector 
iv  
iv_string     

K
Kennedy-Kassenbaum Bill 
key 
key_string  

L
l_user_id  

M
Mandatory Access Control  
Materialized View
mts_dispatchers 

N
Network Address Translation    

O
object_name 
object_schema  
ops$
optimizer_goal 
optimizer_mode
ORA-02289
ORA-12546
ORA-28110
ORA-28112
ORA-28113 
ORA-28115 
ORA-28116
os_authent_prefix  
osauth_prefix_domain
OUTLN

P
password_grace_time 
password_life_time 
password_lock_time
password_reuse_max
password_reuse_time
password_verify_function
passwords_listener
Patient Health Information
PERFSTAT
policy_function  
policy_name 
policy_type
present_dba_obj_ audit_opts  
Protected Health Information
ps –aef   

R
remote_os_authent  

S
Safe Harbor Act  
Safe Harbor Law
save_config_on_stop 
sec_relevant_cols
servererror_log   
session_context
session_roles
sessions_per_user


Set User ID Bit
set_user_role 
Snapshot 
snmp_rw.ora 
SQL Injection
sql_trace 
sqlnet.crypto_seed 
sqlplus_product_profile
statement_types 
static_policy
stats$ddl_log
stats$sysstat 
stats$user_log
stats_user_log
stmt_audit_option_map 
sys_context 
system_privilege_map 

T
table_privileges 
TKPROF
TRACESVR
tracing
Transparent Network Substrate

U
update_check
user_audit_trail 
user_dump_dest   
user_obj_audit_opts  
user_policies  
utl_file  
utl_file_dir  

V
v$circuit 
v$db_object_cache
v$session
Virtual Private Database
VISA USA Cardholder Security Agreement

W
which        

Reader Comments

 
One reader says:
I was waiting for this to come on Bookpool.  I think I have recovered more than it's worth. At least the section on Virtual Private Database along with application contexts is simply excellent. The authors know their stuff.
 

 
Tiara from Hartford, CT says:
I bought this book to learn more about Virtual Private Database which I am implementing now - and it was a pleasant surprise see that not only that but all other areas are detailed as well. The chapter on VPD goes much beyond the Oracle common references and explains concepts like application contexts, in such clarity and relative to to real life examples that the chapter alone may be worth the price of the book.

Other things that make the book must read - the material on listener security, a simple firewall settings, fine grained auditing, and the 10g features. SQL Injection and Application User models described in the book were exactly what we were missing and we got it in this.


A reader from San Diego says:

I haven't finished reading my copy yet, but I had to chime in to concur with the previous reviews: this book is terribly well laid out. The writing is clear and descriptive, but almost as important, it's rather engaging. That helps when trying to dig to the bottom of these often daunting security concepts.

Another reviewer covered this, but I have to say that my favorite parts are also the chapter summaries. They do a great job of recapping the details that were covered. Having all that information covered in such depth is great, but I'd probably have forgotten each chapter's contents had there not been that nice, succinct conclusion at each one's end.


Landmark book for Oracle shops, July 11, 2004
 
Reviewer: Mike Tarrani "www.tarrani.com" (Deltona, FL USA) - See all my reviews
(TOP 50 REVIEWER)    (REAL NAME)    (COMMUNITY FORUM 04)   
This remarkable book covers how to use Oracle 9i security and auditing facilities to achieve compliance with three major laws. While the book emphasizes HIPAA, it also addresses, either directly or indirectly, privacy security and auditing with respect to the Gramm-Leach-Bliley Act (Subtitle A: Disclosure of Nonpublic Personal Information 15 U.S.C. 6801-6810 and Subtitle B: Fraudulent Access to Financial Information 15 U.S.C. 6821-6827), HIPAA requirements for protecting data and enforcing security and privacy, and Sarbanes-Oxley Act Section 404 requirements related to integration of transactional systems, logs and auditing trails, and data security.

Structure of this book is in three sections:

Section I gives an introductions to HIPAA, Oracle security and Oracle auditing. Among the topics covered are grant, role-based, and profile based security, as well as virtual private databases (row-level security, fine-grained access control), and application server security.

Section II goes deeper into general Oracle security, covering relational grant security as it relates specifically to HIPAA (but can be also used for Gramm-Leach-Bliley and Sarbanes-Oxley compliance because the requirements are similar regarding these mechanisms and techniques). Also covered are encryption and network security.

Section III deals with auditing using Oracle facilities, tables, DDL and DML, and covers the spectrum from grants auditing to fine-grained audits. Again, the focus is on HIPAA requirements (Chapter 11, for example, contains the following topics: Auditing select access as per the HIPAA mandated auditing of Patient Health Information, and Combining FGA and Flashback queries to answer the most important question in addition to who saw the data, what they saw.) This section ends with HIPAA security and auditing checklists, which can be also applied to Sarbanes-Oxley and Gramm-Leach-Bliley security and auditing.

This book is an outstanding addition to bodies of knowledge spanning three disciplines - internal auditing, DBA, and IT security & privacy. A copy should be provided to managers and subject matter experts in each of those domains.

 

Errata:

 

   

 Copyright © 1996 -2016 by Burleson. All rights reserved.


Oracle® is the registered trademark of Oracle Corporation. SQL Server® is the registered trademark of Microsoft Corporation. 
Many of the designations used by computer vendors to distinguish their products are claimed as Trademarks