Oracle Security Still Problematic

According to 430 Oracle database admins surveyed by the Independent Oracle Users Group, security remains a major problem.   

The survey, released last month, found that fewer than 30% encrypt personally identifiable information (PII) in all of their databases, while about 75% acknowledge their organizations cannot prevent privileged database users from reading or tampering with HR, financial or other stored business application data.

The survey shows organizations aren’t applying sufficient resources to improve security, and that little has changed since last year’s survey, in which more than two-thirds of the DBAs polled said they had never installed an Oracle patch on their database servers, no matter how critical the vulnerabilities being patched.

  • About 66% of the 2010 survey respondents admitted there was no way to detect or prove that the database administrators were not abusing their privileges in their organizations. 
  • 64% said they don’t monitor database activity. 
  • Close to half of the respondents said a user with “common desktop tools” might be able to gain unauthorized direct access to sensitive information stored in databases. 
  • Less than 33% of those monitoring are watching for sensitive reads and writes.
  • Patch management is problematic for Oracle database admins, with 37% saying most patch after three months. 
  • 6% said they were aware of an enterprise data breach, compromise or tampering over the past year.