Security Basics mailing list archives

Re: Securing 3rd party connections to Oracle DB's?


From: mike () citadelis co uk
Date: 26 Aug 2008 13:25:48 -0000

On the technical side (depending on the environment of course), I would look at abstracting the access rather than 
direct access, suggesting web services for exposing and controlling access to the data: SSL for transport security and 
certificate-based or username/password authentication for each client. On the database side, match the certificates or 
userId to a client-specific DB user account that only has access to view the data for that client, thus ensuring that 
each client can only access the data they need to access. Remember to make sure that all web services methods are 
properly validating input parameters to prevent SQL Injection. Restricting by IP address can help too, but certainly 
do not rely on this to prevent cross-client access to data.

I would not consider exposing the database directly to untrusted clients as your post seems to suggest (apologies if 
I've misread).

For non-technical controls, always ensure an appropriate contract is in place with proper info security clauses such as 
nondisclosure, protection of data, acceptable use etc.

hth
Mike
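The layering Mike describes (web tier authenticates the client, then connects as a client-specific DB account that can only see that client's rows, and only ever issues parameterised queries) as an added example; this is not code from the original post or from any poster. It assumes the identity is a certificate subject or username the web-service layer has already authenticated, and it emulates Oracle per-client accounts holding SELECT on one view each with SQLite's authorizer hook, because SQLite has no user accounts. The table, rows, identities and view names are constructed.

```python
"""Added example, not code from the original post: a web-service data layer that
maps an authenticated client identity to a client-specific database principal
and issues only parameterised queries.

Assumptions (illustrative): the identity is the certificate subject or username
the web-service layer has already authenticated; Oracle per-client accounts
holding SELECT on one view each are emulated with SQLite's authorizer hook,
because SQLite has no user accounts.  Table, rows, identities and view names
below are constructed sample data."""
import sqlite3

# Constructed sample data: one shared table holding every client's rows.
_ROWS = [
    (1, "acme", "ACME-INV-001", 120.00),
    (2, "acme", "ACME-INV-002", 80.50),
    (3, "globex", "GLOBEX-INV-001", 999.99),
]

# Authenticated identity -> (client key, the only view that client's DB principal
# may read).  Fixed in code, never taken from the request.  Hypothetical values.
CLIENT_VIEWS = {
    "CN=acme.example.net": ("acme", "acme_data"),
    "CN=globex.example.net": ("globex", "globex_data"),
}


def build_db():
    """DBA-side setup: the shared table plus one restricted view per client."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE invoices (id INTEGER PRIMARY KEY, client TEXT, ref TEXT, amount REAL)")
    db.executemany("INSERT INTO invoices VALUES (?, ?, ?, ?)", _ROWS)
    for client, view in CLIENT_VIEWS.values():
        # Names and keys are constants from CLIENT_VIEWS, not client input.
        db.execute(f"CREATE VIEW {view} AS SELECT id, ref, amount FROM invoices WHERE client = '{client}'")
    db.commit()
    return db


def resolve_principal(identity):
    """Map an authenticated identity to its DB principal.  Unknown identities are
    refused rather than silently falling back to a shared account."""
    try:
        return CLIENT_VIEWS[identity][1]
    except KeyError:
        raise PermissionError(f"no database principal for {identity!r}") from None


def _grant_only(view):
    """Authorizer emulating an account whose only privilege is SELECT on `view`:
    the base table may be read only from inside that view's own definition."""
    def authorize(action, arg1, arg2, dbname, source):
        if action in (sqlite3.SQLITE_SELECT, sqlite3.SQLITE_FUNCTION):
            return sqlite3.SQLITE_OK
        if action == sqlite3.SQLITE_READ and (arg1 == view or source == view):
            return sqlite3.SQLITE_OK
        return sqlite3.SQLITE_DENY
    return authorize


def _deny_all(action, arg1, arg2, dbname, source):
    """No principal is active between requests, so nothing may run."""
    return sqlite3.SQLITE_DENY


def _run_as(db, view, sql, params):
    """Run one statement confined to the client's principal.  Returns the rows, or
    raises PermissionError when the database itself refuses the statement."""
    db.set_authorizer(_grant_only(view))   # installed per request, so confinement
    try:                                    # follows the principal, not the connection
        return db.execute(sql, params).fetchall()
    except sqlite3.DatabaseError as exc:
        if "prohibited" in str(exc) or "not authorized" in str(exc):
            raise PermissionError(f"database refused statement: {exc}") from None
        raise
    finally:
        db.set_authorizer(_deny_all)


def lookup_vulnerable(db, identity, ref):
    """Right principal, wrong query construction: `ref` is spliced into the SQL text."""
    view = resolve_principal(identity)
    return _run_as(db, view, f"SELECT ref, amount FROM {view} WHERE ref = '{ref}'", ())


def lookup_hardened(db, identity, ref):
    """Same lookup with a bind parameter, so `ref` is only ever compared as data."""
    view = resolve_principal(identity)
    return _run_as(db, view, f"SELECT ref, amount FROM {view} WHERE ref = ?", (ref,))


def demo():
    """Exercise both versions as the acme client and return the outcomes."""
    db = build_db()
    acme = "CN=acme.example.net"
    results = {
        "own_row": lookup_hardened(db, acme, "ACME-INV-001"),
        "injection_vulnerable": sorted(lookup_vulnerable(db, acme, "' OR '1'='1")),
        "injection_hardened": lookup_hardened(db, acme, "' OR '1'='1"),
        "other_clients_ref": lookup_hardened(db, acme, "GLOBEX-INV-001"),
    }
    # Even through the injectable query, a UNION against the base table is stopped
    # by the DB-side grant, not by anything in the web tier.
    try:
        lookup_vulnerable(db, acme, "' UNION SELECT ref, amount FROM invoices WHERE '1'='1")
        results["union_escape_denied"] = False
    except PermissionError:
        results["union_escape_denied"] = True
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running it shows the two layers doing different jobs: the bind parameter turns the `' OR '1'='1` payload into a harmless string (the spliced version returns every row the client owns), while the per-client grant is what keeps an injected UNION from reaching the base table or another client's view. On Oracle the equivalent is a dedicated account per client granted SELECT on its view only, with no privilege on the underlying table; the view name comes from the server-side mapping, never from the request, which is the one place this example still formats SQL.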

