COMMENT: All Secure
The Future Is Now
By Mary Ann Davidson
More security automation means less finger lifting.
I just watched a replay of the Oracle Database 11g launch, and it made me think of the old cartoon The Jetsons (hear me out, please). In the futuristic world of the Jetsons, there was a mechanical gadget to automate everything—you hardly had to lift a finger in your daily business (and if you did, there was probably an automatic finger-lifter). As described at the launch, Oracle Database 11g, across the board, enables automation of many tasks that have, to date, been manual and highly repetitive, and security is positively affected in a number of ways. For one thing, while security is hardly the tail that wags the IT dog, any organization that can do better work faster or with fewer people can use those savings on something else—such as better security. Automation also helps reduce risks introduced by human error.
For example, there has never been an easy way to upgrade mission-critical systems, because organizations always need to thoroughly test upgrades or patches in their own environments (on top of the tests Oracle does, that is). To date, customer testing has been both labor- and time-intensive. In Oracle Database 11g, however, Oracle Real Application Testing enables companies to capture transactions (for example, over an entire day) and then use that "typical day" for testing. One description of Oracle Real Application Testing is "a DVD recorder for your applications." I suspect that it will be particularly useful for security patching, since many organizations are pressed—by their own formal security policies or their auditors—to apply security patches quickly. Automated testing will save time and money and will help everyone maintain a strong security posture more effectively.
What also strikes me about the Oracle Database 11g launch: the option and product releases before the launch. Oracle has released a number of innovative database security options, products, and features over the last two years, including Oracle Database Vault and Oracle Audit Vault. These two offerings were so important that Oracle did not wait for the Oracle Database 11g release; instead, Oracle shipped them when they were ready for market.
For the longest time, everyone accepted the security model in which database administrators have unlimited privileges. Between the amount of information stored in databases and an increased regulatory environment, that security model no longer works. Oracle Database Vault enables organizations to separate managing the nuts and bolts of a database from accessing the data contained in it.
Organizations have also come to expect that the audit kahuna will be someone other than the database administrator. Oracle Audit Vault is the answer to the age-old question: Quis custodiet ipsos custodes? (Who watches the watchmen?) Even changes to Oracle Database Vault settings can be captured and managed in Oracle Audit Vault.
One of the things that I like about Oracle Database 11g is that I see Oracle trying to solve some of the hard security problems in a way that is easy to use. For example, encryption of stored data has always been difficult, because key management is just so darn hard. Who manages the keys? Where are they stored? If you store the key in a place that is too easily accessible, there goes your encryption. Oracle Database 11g supports hardware security modules (a good thing: hardware is generally a better secret key keeper than software). Also, if you are encrypting data to add that extra "virtual Kevlar" to personally identifiable information (PII), you can now encrypt the entire megillah if it lives together in one big, happy tablespace. Let's face it: encrypting address separately from credit card number separately from name is too much work, not to mention being computationally intensive.
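As an added illustration (not from this column), the column-by-column approach beside the tablespace-level approach in Oracle Database 11g Transparent Data Encryption syntax; the wallet directory, datafile path, wallet password and object names are assumptions:

```sql
-- Added example: Oracle Database 11g TDE statements for the two approaches.
-- Wallet directory, datafile path, password and object names are assumed.

-- 1. Where the master key lives is set in sqlnet.ora (shown as a comment,
--    since it is not a SQL statement). METHOD=FILE keeps the master key in a
--    software wallet on disk; METHOD=HSM keeps it in a hardware security module.
--    ENCRYPTION_WALLET_LOCATION =
--      (SOURCE = (METHOD = FILE)
--        (METHOD_DATA = (DIRECTORY = /u01/app/oracle/admin/orcl/wallet)))

-- 2. Create the master encryption key and open the wallet for this instance.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "wallet_password";
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "wallet_password";

-- 3a. The laborious way: each PII column carries its own ENCRYPT clause,
--     each gets its own column key, and every new PII column must be remembered.
CREATE TABLE customers_colenc (
  cust_id   NUMBER PRIMARY KEY,
  full_name VARCHAR2(100) ENCRYPT USING 'AES256',
  address   VARCHAR2(200) ENCRYPT USING 'AES256',
  card_no   VARCHAR2(19)  ENCRYPT USING 'AES256' NO SALT  -- NO SALT permits an index
);

-- 3b. The 11g way: encrypt the tablespace once, then keep the whole PII table in it.
--     Everything written to pii_ts is encrypted on disk; no per-column clauses.
CREATE TABLESPACE pii_ts
  DATAFILE '/u01/oradata/orcl/pii_ts01.dbf' SIZE 100M
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

CREATE TABLE customers (
  cust_id   NUMBER PRIMARY KEY,
  full_name VARCHAR2(100),
  address   VARCHAR2(200),
  card_no   VARCHAR2(19)
) TABLESPACE pii_ts;

-- 4. Verify: the wallet reports OPEN, the tablespace reports ENCRYPTED = YES,
--    and only the column-encrypted table shows up in DBA_ENCRYPTED_COLUMNS.
SELECT wrl_type, status FROM v$encryption_wallet;
SELECT tablespace_name, encrypted FROM dba_tablespaces
 WHERE tablespace_name = 'PII_TS';
SELECT table_name, column_name, encryption_alg FROM dba_encrypted_columns;
```

The verification queries are the check an auditor would ask for: a closed wallet means encrypted data is unreadable until it is reopened, and a tablespace that does not report ENCRYPTED = YES is not protecting the PII placed in it.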
I think that anytime you can morph security to reflect new realities (such as "multiple people have to manage security now" and "make it easy for us to do good security"), you've helped your customers do more with less. Oracle Database 11g, Oracle Database Vault, and Oracle Audit Vault reflect new security realities, and the resulting better security and easier administration mean that some repetitive finger lifting previously required for security can be directed to other, more-strategic tasks. Because in security or anything else, nobody ever complains that they have too many people and not enough to do.
Mary Ann Davidson is the chief security officer at Oracle, responsible for secure development practice, security evaluations, and assessments. She represents Oracle on the board of directors of the Information Technology Information Security Analysis Center (IT-ISAC) and the Defense Science Board and is on the editorial review board of SC Magazine.