COMMENT: All Secure
Context Is Everything
By Mary Ann Davidson
Move from brittle to contextual security.
To date, most IT security models have been all-or-nothing. That is, once you've proved you are you (via, say, a password), you get access to all the information "you" are authorized to see, change, add, or delete. It's the security equivalent of putting all your eggs in one basket: all access is based on proving who you are, exactly once. The big problem with this security model is that it is brittle: if I can break security at a single, critical point (for example, by guessing a password), I'm you and I have access to your stuff.
What's needed, particularly as the boundaries between inside and outside the network erode and people want ubiquitous data access from a single smart endpoint, is a clever mousetrap, such as one that can distinguish between mice and out-and-out rats. Instead of all-or-nothing authentication and all-or-nothing authorization, what we need is nuanced security, where who you are and what you can see is contextual. By that I mean that applications should accept "you" as "you" not merely based on your handing over a correct password just once but based on whether you are behaving like you.
Similarly, authorizations should not always be all-or-nothing but rather, on occasion, some-or-partial, depending on factors such as when you logged in, from where, and what you are trying to access. Enabling contextual (and more-adaptive) authentication and authorization provides a built-in, layered defense, which is harder to defeat, misuse, or abuse. How else can we secure the Web 2.0 world, where users want all data from all applications all the time?
I read recently about a man who was fired for sending an e-mail that said, "I Hate All Blacks." You figure that the guy was a hateful bigot and good riddance, right? However, his employers decided that they had been a bit hasty after they realized that the e-mail thread actually related to a discussion of rugby. The guy, an Australian, got his job back after it came out that he had merely been commenting on Australia's upcoming match against New Zealand, whose national team's name is the All Blacks. Context really is everything.
Context and Oracle
Oracle has continued to evolve its product offerings so that application security decisions can be made in context. Oracle Adaptive Access Manager uses several factors to continually validate user identity in real time, including behavior patterns, location (the mobile device or computer used to log in), and knowledge of highly sophisticated fraud patterns. Oracle Adaptive Access Manager can rate "user identity risk" in real time and trigger organizational alerts as well as automate other actions, such as issuing an online challenge to the user or requiring additional authentication. Oracle Adaptive Access Manager moves security from brittle, yes/no security decisions to continuous validation of identity. In short, you are you only if you act like you and, if asked, can continue to prove you are you. Sorting out mice from potential rats is very useful, whether an organization is concerned about online fraud prevention or just wants stronger compliance capabilities.
Oracle Database Vault comes from a long line of Oracle products that have sliced authorization into smaller and more-nuanced pieces. Trusted Oracle7 enabled access control on all data based on the user's clearance, such as Top Secret, and a label associated with a row of data. Oracle Virtual Private Database enabled programmable row-level security based on data elements (columns) that could also include anything else the database captured about the user or the session. Oracle Label Security provided more-flexible, automated label-based access control on selected data (instead of on all data). Oracle Database Vault enables out-of-the-box, context-based security to limit when, how, and what a user accesses, based on several rules and factors (such as time of day, type of authentication, or where a user is connecting from). User access is therefore contextual (I may not get access unless I am logging in from the right middle tier) and layered (administrators don't necessarily get to see data for applications they administer). Being able to limit access based on a multiplicity of factors instead of the old yes/no or you-have-access-or-you-don't rules is another way to make sure users receive a particular key to a particular door in a particular hallway in a particular turret in the castle, instead of the keys to the kingdom.
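A concrete instance of the factor-based, per-statement authorization described above, as an added example (not code from the column, from Oracle's documentation, or from any Oracle product): an Oracle Virtual Private Database policy whose row predicate depends on the session's authentication method, client address and time of day rather than on a single login decision. The schema, table and column names and the middle-tier address range are assumptions; the SYS_CONTEXT attributes and DBMS_RLS parameters are standard.

```sql
-- Added example, not from the column or Oracle's docs. Schema hr, table
-- claims, columns assigned_to / sensitivity, and the 10.0.5.x middle-tier
-- range are assumptions; USERENV attributes are standard Oracle ones.

CREATE OR REPLACE FUNCTION hr.claims_context_policy (
    p_schema IN VARCHAR2,
    p_object IN VARCHAR2
) RETURN VARCHAR2
AS
    v_auth VARCHAR2(30) := SYS_CONTEXT('USERENV', 'AUTHENTICATION_METHOD');
    v_ip   VARCHAR2(45) := SYS_CONTEXT('USERENV', 'IP_ADDRESS');
    v_hour NUMBER       := TO_NUMBER(TO_CHAR(SYSDATE, 'HH24'));
BEGIN
    -- Factor 1 (type of authentication + time of day): a password-only
    -- session outside 07:00-19:00 sees only its own, non-sensitive rows.
    IF v_auth = 'PASSWORD' AND (v_hour < 7 OR v_hour >= 19) THEN
        RETURN 'assigned_to = SYS_CONTEXT(''USERENV'',''SESSION_USER'') '
            || 'AND sensitivity <> ''HIGH''';
    END IF;

    -- Factor 2 (where the user connects from): anything not coming from
    -- the assumed application middle tier is limited to the user's own rows.
    -- IP_ADDRESS is NULL for local (bequeath) sessions, so treat that as
    -- "not the middle tier" rather than as trusted.
    IF v_ip IS NULL OR v_ip NOT LIKE '10.0.5.%' THEN
        RETURN 'assigned_to = SYS_CONTEXT(''USERENV'',''SESSION_USER'')';
    END IF;

    -- Strong authentication, trusted network, working hours: no row
    -- restriction for this session (an empty predicate means "all rows").
    RETURN '';
END claims_context_policy;
/

-- Attach the policy. Every SELECT/UPDATE/DELETE on hr.claims is rewritten
-- with the predicate returned above, evaluated for the current session.
BEGIN
    DBMS_RLS.ADD_POLICY(
        object_schema   => 'HR',
        object_name     => 'CLAIMS',
        policy_name     => 'CLAIMS_CONTEXT',
        function_schema => 'HR',
        policy_function => 'CLAIMS_CONTEXT_POLICY',
        statement_types => 'SELECT, UPDATE, DELETE',
        update_check    => TRUE,              -- block updates that would escape the predicate
        policy_type     => DBMS_RLS.DYNAMIC   -- re-evaluate on every execution
    );
END;
/
```

Because the predicate is recomputed per statement, a session that was trusted at login loses access as soon as its context no longer fits (for example, a session that runs past 19:00), which is the continuous rather than one-time validation the column argues for.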
Mary Ann Davidson is the chief security officer at Oracle, responsible for secure development practice, security evaluations, and assessments. She represents Oracle on the board of directors of the Information Technology Information Security Analysis Center (IT-ISAC) and the Defense Science Board and is on the editorial review board of SC Magazine.