Probably one of the biggest challenges that company IT departments have is the security of their infrastructure, processes and data. Security is an issue that increasingly demands time and effort from organizations; and therefore, from their IT professionals. The DBA is not an exception, and is concerned not only by the risk of a possible data breach, but also by ensuring compliance with current regulations.
In May 2018, the "General Data Protection Regulation" (GDPR) of the European Union came into force. This new regulation aims to give people more control over their personal data.
Perhaps some DBAs believe that this regulation does not affect them because it is a European Union regulation. However GDPR applies to the data processing of people residing in the European Union. In other words, an organization that is outside of Europe will be affected by the regulations if it collects, processes and maintains data of residents of the European Union. For example, an Argentine application whose users are citizens of the EU will have to adapt to European legislation. As a result, the regulation affects a large number of companies that operate globally.
“I am DBA. And my database is under the scope of the new regulation. What should I do?”
First of all, do not despair! Be informed! There’s a lot of useful Oracle documentation available on the web. And at last, if you have any doubt, you can always o go to the source; that is, the original text of the regulation. Here is a link: (https://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1528874672298&uri=CELEX%3A32016R0679)
Second, it is important to learn the terminology. GDPR defines several actors to explain the concepts of data protection. It is not the intention of this article to go into much detail; but it is important to mention the most important actors:
- Data subject. The physical person whose personal data is the core object of GDPR
- Controller. The company that processes the personal data of the data subject
- Processor. The person who processes the personal data of the data subject on behalf of the controller. For example, a developer, an analyst or a database administrator (you!).
- Third party. Another person, who is neither the data subject, nor the controller, nor the processor, but is authorized to process the data of the data subject under the directives of the controller or processor. For example, a subcontracted company or person.
- Supervisory Authority. An independent public authority established by a member state of the EU.
As an example, imagine an American company that offers an application whose users (data subjects) reside in the European Union. Analysts, developers and database administrators are subcontracted in Argentina and India. For the payment of its services, the American company uses the platform of a third party in Sweden and provides the personal data of its users to process their payments. Although the company and its partners reside outside the EU, they will be under the scope of GDPR.
Broadly speaking, the requirements of GDPR, arising from its articles, could be classified into the following categories:
- Assessment. The controller must carry out impact evaluations. That is, assess risks to prevent data breaches.
- GDPR recommends the following techniques: encryption, anonymization and pseudonymization, access control with granular privileges, and data minimization.
- Monitoring. Through data auditing and constant monitoring of activities. GDPR obliges the controllers to explain to the data subject how his or her data is used every time the data subject requires it.
- Detection. Notifications and alerts on time. In case of any violation of the security of the personal data, the situation must be reported without delay.
- Protection. GDPR recommends centralized administration. It establishes that if the data subject requests it, the controller must give him a copy of all his personal data. The so-called “right to be forgotten” obliges the controller to eliminate personal data.
Once the DBA is aware of the regulations, he or shee will need to search for the tools that will allow compliance with GDPR requirements. Fortunately Oracle offers several products that the DBA will be able to evaluate and that will surely be very useful.
- Enterprise Manager Application Data Modeling. Allows storing the list of applications, tables and relationships between the columns of the tables. The data model of the application maintains sensible data types and their associated columns.
- Database Vault Privilege Analysis. Allows evaluating how sensitive data is accessed through the analysis of roles and privileges.
- Enterprise Manager Database Lifecycle Management Pack. By collecting configuration data, allows evaluation of the security profile of the databases.
- Database Security Assessment Tool. Allows the evaluation of the database’s security configuration, implemented security policies, user status, roles and granted privileges.
- Oracle Transparent Data Encryption. Allows encryption of columns of the database and administration of encryption keys.
- Oracle Data Redaction. With this feature it is possible to protect the data displayed to the user in real time, without the need to make changes in the application.
- Oracle Data Masking and Subsetting. With this product you can extract and obfuscate a subset of data from a database and then share it with third parties inside or outside the company. The integrity of the database is preserved by ensuring the continuity of the applications.
- Oracle Label Security. Provides security at the row level. Protects the rows of a table by using labels on individual rows. If a user tries to access a protected row of data, he or she must have the appropriate authorization as determined by the label.
- Oracle Database Vault. With this product you can control privileged accounts to prevent unwanted access to application data.
- Real Application Security. Enables the use of strong authentication techniques such as SSL or Kerberos to verify the identity of those database users and applications that are accessing sensitive information.
- Oracle Database Auditing. Allows the supervision and registration of actions that are done on the database. Can be based on individual actions, such as the type of SQL statement executed, or on combinations that can include schema objects or privileges.
- Oracle Fine Grained Auditing. Allows auditing of access to the data at the most granular level and on actions based on content using Boolean logic. Enables auditing based on access or changes at the level of relevant columns.
- Oracle Audit Vault and Database Firewall. Allows monitoring and sending alerts on time when suspicious behavior is detected
In May 2018 GDPR has entered into force. The regulation affects a large number of Oracle databases globally. It is essential that the database administrators learn about the scope of the regulations and available tools in the market in order to comply with all the legal requirements.