The “crown jewels” for most organizations, and indeed most hackers, is the database
server. Protecting the database is priority number one for security and operations
teams alike. Gaps in security and weaknesses in processes can put many organizations
at risk as they try to balance efficiencies against operational impact. While proper
configuration and timely patching can help address platform vulnerabilities, they do not
address the three common database attack vectors being used today:
• Brute force attacks against weak or default passwords: Oracle environments are
often put at risk when weak, or common, usernames and passwords are used across
the infrastructure – or when passwords are infrequently changed. Once credentials
are compromised, attackers can siphon sensitive data from the organization via
custom malware and other malicious techniques.
• Privilege compromise: Successfully compromised legitimate accounts that have
database access are difficult to detect.
• Malicious insider (privilege abuse): Users (employees, contractors, or service
providers) abuse legitimate data access privileges for unauthorized purposes.
From a risk perspective these privilege attacks are especially dangerous in
environments where database users are given excessive permissions that exceed the
requirements of their job function and where weak database audit policies are in place.
Although databases and their contents are vulnerable to a host of internal and
external threats, it is possible to dramatically reduce the attack vectors. By specifically
addressing these threats you can tighten security controls and meet the requirements
of the most regulated industries in the world.
FIVE COMMON SIGNS OF ORACLE ACCOUNT SECURITY RISKS
1. Default or common passwords are not configured correctly
2. Credentials are shared across multiple database servers
3. Passwords remain unchanged for excessive periods of time
4. Privileged sessions are unmonitored
5. No accountability controls exist for outsourced DBAs
Any of these scenarios can set your organization up for a serious data breach.
Fortunately, there is a simple and effective way to tighten controls and enhance the
security of your database systems against account-based risks while maintaining
audit controls and reducing operational impact: privileged password management with
PowerBroker® Password Safe.
Securing Oracle® Infrastructures
Privileged Password Management
and Privileged Session Management
NETWORK-BASED ASSET DISCOVERY
Scan, identify, and profile all users and
services; automatically onboard systems
and accounts under management,
speeding time to value.
DYNAMIC RULES & ASSET
Build Smart Rules to trigger alerts or auto
provision based on system categorization,
speeding time to resolution.
SIMPLIFIED SSH KEY MANAGEMENT
Schedule SSH key rotation and enforce
granular access control and workflow.
UNIFIED PASSWORD AND
Use a single solution for both password
management and session management,
lowering cost and complexity.
AGENTLESS SESSION MANAGEMENT
Utilize native tools including Microsoft®
Remote Desktop and PuTTY to connect to
systems without the need for Java.
Get control over scripts, files, code, and
embedded keys by automatically eliminating
hard-coded or embedded credentials.
ADVANCED WORKFLOW CONTROL
Add context to workflow requests by
considering the day, date, time, and
location when a user accesses resources.
THREAT ANALYTICS & REPORTING
Leverage a central data warehouse to
collect, correlate, trend, and analyze key
threat metrics; customize reports to meet
AUTOMATED PRIVILEGED PASSWORD MANAGEMENT FOR ORACLE
PowerBroker Password Safe is an automated password and privileged session management
solution offering secure access control, auditing, alerting, and recording for any privileged
account. Password Safe strengthens database security by:
1. Ensuring no host environment or server has a default password for admin accounts
2. Guaranteeing each host environment or database server has a unique complex password
3. Automatically rotating passwords based on age and usage
4. Limiting administrative access and communications to authorized individuals
SECURING ORACLE ACCOUNTS WITH POWERBROKER PASSWORD SAFE
Password Safe secures privileged accounts across your enterprise environment, including:
• DBAs, service accounts, operating systems, network devices, databases (A2DB), and
applications (A2A) accounts
• Local or domain shared admin accounts across physical and virtual host environments
• Personal admin accounts (in the case of dual accounts)
• SSH keys, cloud, and social media accounts
PowerBroker Password Safe enables you to secure Oracle infrastructure with complete
control and audit all privileged account access.
• Discover all database servers, and verify that no default passwords exist on any device
• Manage all Oracle databases using PowerBroker Smart Rules, and store a unique
password for each device
• Automatically rotate each device’s password based on age or after each admin
• Provide a complete workflow for device access, including an approval process for
• Database session management enabling database access without disclosing
• Achieve DB session control including lock, terminate, and over the shoulder monitoring
• Report on all privileged credentials requested and used
• Native integration with Oracle Enterprise Manager workflow to orchestrate password
changes using extensive API support
• Flexible application level control to lock privileged sessions to specific DBMS tools (TOAD,
Squirrel, SQLdev, etc.)
• Record and playback all privileged sessions to document and review device changes
• Detect abnormal device and credential access, and receive alerts, via advanced
BeyondInsight® Clarity threat analytics
EXTEND ORACLE SECURITY WITH BEYONDTRUST LEAST PRIVILEGE SOLUTIONS
PowerBroker for Unix & Linux least privilege solutions enable you to further harden your
Oracle infrastructure. These solutions reduce the risk of privilege misuse, especially when
third-party tools and other applications are required to manage the database infrastructure.
With PowerBroker, you can eliminate local admin privileges, enforce least-privilege policy,
maintain application access control, and keystroke log all privileged activities.
© 2016 BeyondTrust Corporation. All rights
reserved. BeyondTrust, BeyondInsight and
PowerBroker are trademarks or registered
trademarks of BeyondTrust in the United
States and other countries. Oracle, and other
marks are the trademarks of their respective
owners. June 2016
The BeyondTrust PowerBroker
Privileged Access Management
Platform is a modular, integrated
solution that provides visibility
and control over all privileged
accounts and users. By uniting
capabilities that many providers
offer as disjointed tools, the
platform simplifies deployments,
reduces costs, improves system
security, and reduces privilege risks.
• Server Privilege Management:
Control, audit, and simplify access
to business critical systems.
• Enterprise Password Security:
Provide accountability and
control over privileged credentials
• Endpoint Least Privilege: Remove
excessive user privileges and
control applications on endpoints.