It only takes a single mistake for the “bad guys” to be able to exploit a misconfiguration and exfiltrate your data. Thanks to the Center for Internet Security, Oracle Database users can avoid such scenarios by following the best practices defined by CIS. With the high rate of change in DevOps-oriented development teams and the proliferation of data across on-premise and cloud environments, database administrators now have an easy way to comply with these standards right within Oracle Enterprise Manager.
Configuration and Compliance management has been part of Oracle Enterprise Manager Database Lifecycle Management for a long time, and we’re happy to report that Oracle Enterprise Manager has been certified by CIS Benchmarks™ to compare the configuration status of Oracle Databases against the consensus-based best practice standards contained in the Oracle Database Benchmark v2.1.0, Level 1 - RDBMS. Organizations that leverage Oracle Enterprise Manager can now ensure that the configurations of their critical assets align with the CIS Benchmarks consensus-based practice standards for all their database releases, including Oracle Database 18c and 19c. For more details on Oracle’s CIS listings, visit the Center for Internet Security website.
“Data is a company’s most valuable asset, and securing it has never been more important. We are pleased to support the industry standard CIS Benchmarks as part of our comprehensive Enterprise Manager automation and compliance offerings.”
Wim Coekaerts, Senior Vice President, Software Development
“This certification is issued by CIS® (Center for Internet Security, Inc.). Cybersecurity challenges are mounting daily, which makes the need for standard configurations imperative. By certifying its product with CIS, Oracle has demonstrated its commitment to actively solve the foundational problem of ensuring standard configurations are used throughout a given enterprise.”
Curtis Dukes, CIS Executive Vice President of Security Best Practices & Automation Group.
Let’s look at how DBAs can now take advantage of these capabilities right within their Enterprise Manager consoles.
Enterprise Manager supports 2 flavors of the CIS v2.1.0 benchmarks, one for Single-Instance Database and one for Cluster Database. Below is a screenshot of what the listings look like in the Compliance Framework.
Figure 1. CIS Benchmarks as they appear in the Enterprise Manager user interface.
CIS provides comprehensive configuration coverage for Oracle database, including:
- User Privileges
Below are examples of some of the specific areas the Benchmark focuses on:
Figure 2. Samples of evaluation areas in the CIS Benchmarks for Oracle Database.
In addition to the CIS Benchmarks included in the latest release of Oracle Enterprise Manager, we’ve also included new Oracle-provided Security benchmarks for Database 18c and 19c. We’re committed to continuing to bring you best-in-class security offerings to harden your security posture across your data estate, whether on-premise or in the cloud.
For more information about Oracle Enterprise Manager, visit http://www.oracle.com/enterprise-manager, and for more information about the Center for Internet Security (CIS), visit https://www.cisecurity.org.
CIS® (Center for Internet Security, Inc.) is a forward-thinking, non-profit entity that harnesses the power of a global IT community to safeguard private and public organizations against cyber threats. The CIS Controls™ and CIS Benchmarks™ are the global standard and recognized best practices for securing IT systems and data against the most pervasive attacks. These proven guidelines are continuously refined and verified by a volunteer, global community of experienced IT professionals. Our CIS Hardened Images™ are virtual machine emulations preconfigured to provide secure, on-demand, and scalable computing environments in the cloud. CIS is home to both the Multi-State Information Sharing and Analysis Center® (MS-ISAC®), the go-to resource for cyber threat prevention, protection, response, and recovery for U.S. State, Local, Tribal, and Territorial government entities, and the Elections Infrastructure Information Sharing and Analysis Center™ (EI-ISAC™), which supports the cybersecurity needs of U.S. State, Local and Territorial elections offices. To learn more, visit CISecurity.org or follow us on Twitter: @CISecurity.