As Published In
Oracle Magazine
January/February 2008

COMMENT: All Secure

Beyond Data Protection

By Mary Ann Davidson

Oracle Secure Enterprise Search and Oracle Information Rights Management protect information.

One of the most worrisome trends in security is the rise in organized crime seeking to access large data sources. With large data stores also becoming more accessible (either by design or miscalculation), it's no longer some teenage kid with a keystroke logger trying to grab the credit card number of a grandma from Des Moines; it's a criminal organization going after the credit card numbers of everybody in Des Moines.

Consider a recent headline-grabbing breach involving an online jobs company. The company's search engine was designed to allow inquiries like "Find everyone who has 'fluent in Attic Greek' on their résumé." This broad-ranging search capability (a nice feature) was abused to return detailed personal information that the Bad Guys used to mount a spearphishing attack (for example, sending a very convincing e-mail that looks like it came from someone you really know, to trick you into clicking a link that installs something bad on your desktop). The company wasn't "hacked" per se: their useful tools were just used against them.

Outside the enterprise, we use search engines for everything from finding out where a cool new movie is playing in our neighborhood to reading obscure ancient texts online. These search engines are both promiscuous and dumb: you ask for X, you get links to X returned.

Inside the enterprise, search engines need to be smart and choosy: they must help people find what they need, without allowing them to snoop for what they aren't supposed to have. Oracle Secure Enterprise Search was built to be a "better mousetrap": an intelligent, security-aware search engine. For example, suppose I am an evil-minded employee at Company X who wants advance information on mergers and acquisitions so I can trade on that information (which is both illegal and unethical). A dumb enterprise search engine, when asked to search for "M&A [mergers and acquisitions] Plans," would happily cough up those corporate secrets. 

Oracle Secure Enterprise Search, being a smart search engine, realizes that because I am not in the M&A department, I should not even know that "M&A plan for Company Y" exists (because the name of even a potential acquisition in the title makes the document too sensitive to know about). Oracle Secure Enterprise Search is also smart enough to realize that someone else might need to know that such a plan exists but would need to get specific access rights to the plan. In other words, search results are contextual, based on who I am, what I am asking to see, and other information, including the nature of the document itself. Oracle Secure Enterprise Search is programmable and configurable, so the answer to my "Where is?" or "Can I see?" question might not be black-and-white but gray—a really nice shade of gray that meshes with your corporation's privacy and security policies.
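The three outcomes described above (no knowledge that a document exists, knowledge that it exists without access, and full access) can be modeled as a filter that runs before matching and counting. This is an added illustration, not Oracle Secure Enterprise Search code or its API; the tier names, group names, and sample documents are hypothetical and constructed for the example.

```python
from dataclasses import dataclass

HIDDEN, EXISTS_ONLY, FULL = "hidden", "exists_only", "full"  # hypothetical tier names

@dataclass(frozen=True)
class Doc:
    doc_id: str
    title: str
    body: str
    readers: frozenset                    # groups allowed to open the document
    discoverers: frozenset = frozenset()  # groups allowed to know it exists

def visibility(groups, doc):
    """Decide what this caller may learn about one document."""
    if groups & doc.readers:
        return FULL
    if groups & doc.discoverers:
        return EXISTS_ONLY
    return HIDDEN

def search(groups, query, index):
    """Security-trimmed search: filter by caller first, then match and count."""
    terms = query.lower().split()
    hits = []
    for doc in index:
        level = visibility(groups, doc)
        if level == HIDDEN:
            continue  # dropped before matching, so totals never reveal it
        # Match only on fields the caller may see; otherwise body terms
        # could be confirmed one query at a time.
        text = doc.title if level == EXISTS_ONLY else f"{doc.title} {doc.body}"
        if not all(t in text.lower() for t in terms):
            continue
        hit = {"id": doc.doc_id, "title": doc.title, "access": level}
        if level == FULL:
            hit["snippet"] = doc.body[:40]
        hits.append(hit)
    return {"total": len(hits), "hits": hits}

# Constructed sample index and group memberships.
INDEX = [
    Doc("D1", "M&A plan for Company Y", "Proposed acquisition terms and timeline",
        readers=frozenset({"m&a"}), discoverers=frozenset({"legal"})),
    Doc("D2", "Facilities plan 2008", "Office move schedule",
        readers=frozenset({"all-staff"})),
]
ENGINEER = frozenset({"all-staff", "engineering"})
COUNSEL = frozenset({"all-staff", "legal"})
BANKER = frozenset({"all-staff", "m&a"})

if __name__ == "__main__":
    for who, groups in [("engineer", ENGINEER), ("counsel", COUNSEL), ("banker", BANKER)]:
        print(who, search(groups, "plan", INDEX))
```

Because the hidden document is dropped before the hit count is computed, the total is as trimmed as the result list itself.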

As the world has become more collaborative, there is an increasing amount of information access from remote and mobile devices outside the enterprise (for example, smartphones). These devices are now so flexible and the distinction between "inside" and "outside" the network so mutable that companies must be able to extend their security policies beyond the enterprise. Otherwise, an enterprise could potentially lose its intellectual-property shirt and the corporate crown jewels. Oracle Information Rights Management can help organizations "seal" data from secondary uses, even outside the enterprise. For example, if I have access to the M&A plan, I cannot necessarily forward it to someone else, e-mail it outside the company, or even print it and hand a copy to someone else. Furthermore, the M&A plan might be so sensitive that any access to it is centrally logged and monitored. Not all information in an enterprise needs such rigorous controls, but some really and truly does.

We are entering the next generation of internet-based technology, where organizations harness new tools to get the best of "What's out there?" and "Where is?" and "Who has?" and "Can I see?" collaboration while preventing collaborative criminals. It's not just data protection anymore; it's information protection.


Mary Ann Davidson is the chief security officer at Oracle, responsible for secure development practice, security evaluations, and assessments. She represents Oracle on the board of directors of the Information Technology Information Security Analysis Center (IT-ISAC) and the Defense Science Board and is on the editorial review board of SC Magazine.
