Data Security Is Cool Again
By Mary Ann Davidson
The data is what you want to secure.
For the past few years, a lot of the focus in the security space has been on identity management—probably because it's the first security product area that also functions as business software. People deploy identity management software for reasons as diverse as lower operating costs (fewer help desk calls for password resets), faster application deployment (through an existing access management framework), and regulatory compliance (one place to manage users and their access rights). Clearly, identity management is an important focus for many businesses, and, speaking as a user, I am really happy I get access to needed stuff faster (via provisioning) and have fewer account lockouts (due to single sign-on). Identity management has dominated the security landscape so much over the last few years that plain old data security seems to have been relegated to the back burner, like one of Cinderella's ugly stepsisters.
No longer. Whether it is the number of data breaches, the sheer volume of information stored in databases, regulatory issues requiring stronger data security, or people simply remembering that it's actually data you want to secure, there's been a recent resurgence of interest in data security.
I confess that my interest in this topic is more than just academic. I got my security start in Oracle database security and have always had a soft spot for it. Leaving that team was one of the hardest things I ever did.
There are many security folks at companies that vary in size, industry, segment, and geographic location who, as members of the Oracle Security Customer Advisory Board, help Oracle set our product security directions. We recently had a board meeting at our corporate headquarters, and one of the real pleasures of this meeting—aside from the great feedback from our customers—was getting to see the database security team at Oracle cover their product areas. (I won't go into future product direction since it is, well, in the future. You will just have to stay tuned.) I was amazed at the resurgence of database security as a product focus. We appear to be all over problems that seemed so hard to solve a few years ago (or for which there was not a lot of customer interest at the time).
I won't go so far as to say that we are pumping out new security products in Database Land almost as fast as we have (sometimes) seemed to be acquiring companies, but this is a large and growing focus area for the company.
One of our key database security product features is definitely Transparent Data Encryption—encryption that is just there and works, without requiring you to recode your application. (Encrypting data in an operational database transparently to an application is not all that easy, or we'd have done it a long time ago.) We can encrypt backups, too, by using Oracle Secure Backup, and given the amount of sensitive information stored off-site in backups, that's a great thing. Just ask any company whose unencrypted backup tapes of all their customer data have gone missing. We have also started tackling that perennial "other hard security problem" of the godlike-privileged DBA by enabling customers to separate database administration from data access in the administered database by using Oracle Database Vault. And, last but not least, with Oracle Secure Enterprise Search we provide the ability to harness the power of all your data in disparate places across your enterprise through a powerful search engine, while limiting (in some cases, for security reasons) people from even knowing that a document exists. I confess that, for someone who works at a tech company, I am a closet Luddite, but database security is definitely cool again.
At some point, the importance of data security becomes personal. I am a U.S. armed services veteran, and last year I, along with many other veterans, had my Social Security number and other personal information compromised by a careless Veterans Affairs employee who had all that data on an unencrypted laptop that went missing. And I wondered why, for the umpteenth time, people collect data they think they must have, if they don't bother to secure it? If you collect it, it's probably important, and if it is important, you need to secure it. It's just that simple. I'm glad that a lot of great folks at Oracle are making data security just that simple. I think our customers—and their customers—will be glad too.
Mary Ann Davidson is the chief security officer at Oracle, responsible for secure development practice, security evaluations, and assessments. She represents Oracle on the board of directors of the Information Technology Information Security Analysis Center and the Defense Science Board and is on the editorial review board of SC Magazine.