DocumentCode :
3262483
Title :
Policy-Based Enforcement of Database Security Configuration through Autonomic Capabilities
Author :
Jabbour, Ghassan 'Gus'; Menascé, D.A.
Author_Institution :
George Mason Univ., Fairfax
fYear :
2008
fDate :
16-21 March 2008
Firstpage :
188
Lastpage :
197
Abstract :
Significant emphasis has been placed recently on the hardening of databases and on regular audits of such systems by independent auditors and certified Information Systems Security Officers (ISSO). Data centers hosting sensitive data and mission-critical systems, especially centers that belong to governmental agencies, have been under tremendous pressure to secure their databases in compliance with several security guidelines. Such requirements mandate that each system passes a strict security scan before it is deemed suitable to go into operational mode and that it be subjected to regular audits thereafter. This in turn has been putting tremendous pressure on database administrators who, in many cases, are already overwhelmed by the tasks of installing, properly maintaining, and configuring their systems in a way that provides optimal performance. However, it is becoming extremely challenging, time consuming, and resource intensive to address security demands under tight budgets and timelines. Therefore, it would be advantageous to implement autonomic features into database systems to address some aspects of this challenge. This paper presents a framework that embeds autonomic capabilities into database systems to provide self-protection features in case of unauthorized, inadvertent, or intentional change in security parameters. This is achieved by embedding into the database the capability to compare each security configuration parameter change attempt (or request) with an embedded predefined security policy before allowing or rejecting the change. The paper demonstrates how the proposed framework can be implemented in an Oracle 10g Release 2 database.
Keywords :
database management systems; safety-critical software; security of data; Information Systems Security Officers; Oracle 10g Release 2 database; data centers; database administrators; database security configuration; database systems; embedded predefined security policy; governmental agency; mission-critical systems; policy-based enforcement; security configuration parameter; security guidelines; sensitive data; Condition monitoring; Data engineering; Data security; Database systems; Guidelines; Information security; National security; Resource management; Terrorism; Transaction databases;
fLanguage :
English
Publisher :
IEEE
Conference_Titel :
Autonomic and Autonomous Systems, 2008. ICAS 2008. Fourth International Conference on
Conference_Location :
Gosier
Print_ISBN :
0-7695-3093-1
Type :
conf
DOI :
10.1109/ICAS.2008.49
Filename :
4488344