COMMENT: Analyst's Corner
Secure Data for Every Business NeedBy David Baum
New needs for compliance mean tighter access control.
Oracle Magazine spoke with Trent Henry of Burton Group about data protection, compliance, encryption, and access control.
Oracle Magazine: What changes in today's business climate are motivating organizations to adopt stronger database security?
Henry: One of the guiding factors is a realization that they need to control what insiders, such as system administrators, can and can't do. Until recently, these folks had system-level privileges to see any data, mainly for the sake of convenience. Today, federal regulators require public companies to constrain what privileged users can see, such as the financial data within a general ledger. Companies can do this explicitly, using fine-grained authorizations, access control, or encryption, as well as after the fact, with database audits and monitoring tools.
Oracle Magazine: What are the guiding principles behind access control?
Henry: The important thing is to ensure that trusted employees obey policies governing their respective roles, because regulators and auditors are asking hard questions about how carefully companies control the activities of these personnel—whether you trust them or not. DBAs may dislike the controls that are put in place, but many times these controls are in response to an external requirement.
Oracle Magazine: How difficult is it to establish these controls?
Henry: In smaller organizations, segregation of duties can be difficult to achieve, because you might have only one administrator. That's when auditing and monitoring make a lot of sense. At Burton Group, we advocate a layered approach to protection. It begins with access control in the database. For example, Oracle Database 11g enables you to isolate certain parts of the database or to implement perimeter control around the database. On top of that, Oracle Audit Vault can be used to ensure that your layered protections are operating as you expect them to operate.
Oracle Magazine: What else can organizations do to protect data from those who shouldn't have access to it?
Henry: Label security lets you describe information as having a particular property or label. It can be used in a wide range of situations—everything from classifying an employee record to protecting national security information. Companies categorize data in a certain way and apply the appropriate label to identify it. After that, the information is always treated the same way, in terms of who can see that data or when people can see it. The database explicitly enforces controls over that information based on that label.
Oracle Magazine: How does encryption fit into this access-control picture?
Henry: Encryption is used to prevent people from seeing certain data. It can be applied to a subset of the database, the whole database, or even the disk hosting the database (sometimes called media-level encryption). The encryption can take place outside of the database, within the application layer. Different levels of encryption protect against different types of threats. Media encryption prevents unauthorized users from accessing a lost or stolen disk but won't prevent inside users from viewing data. Protecting against insiders requires a different level of encryption. For example, you might encrypt social security numbers in a customer database yet still allow support reps to view phone numbers and addresses. You could do this with Oracle Transparent Data Encryption, which provides columnar encryption within the database. This utility doesn't require a third-party tool, so from a configuration and management standpoint, it's easy to put in place.
Oracle Magazine: Do these strategies work for external users as well?
Henry: Encryption works well within an enterprise setting. However, by the time the information is viewed through a Web portal, it may be decrypted. So at that level you may need some type of application-level encryption, in association with Web access control.
Oracle Magazine: How does encryption work with identity management?
Henry: It's tied to identity management, but one challenge with Web access control is that you might be talking about a broader audience than just internal employees. For example, with an extranet portal or e-commerce portal, instead of thousands of employees, there might be millions of users. So there's an issue of scale to consider. There's also an issue of the types of authenticators that may be convenient to deploy. Within the enterprise, you might use one-time password tokens or smart cards to authenticate users, but this can be cost-prohibitive when it comes to strengthening authentication for consumers.
David Baum (firstname.lastname@example.org) is a freelance business writer based in Santa Barbara, California.
Burton Group provides vendor-independent research and advisory services focused on enterprise IT infrastructure technologies.