As Published In September/October 2008

FEATURE

Restrictions Apply

Protect sensitive information and achieve regulatory compliance with Oracle Database.

Securing information systems from internal as well as external threats is an important part of the security challenge facing IT today. Sensitive information, such as social security and credit card numbers, must be fully protected from outside threats and unauthorized users, but new security and compliance-related restrictions call for the protection of sensitive information inside the enterprise, even from privileged users. New security requirements such as the Payment Card Industry (PCI) Data Security Standard are pushing IT departments to implement new measures to protect sensitive information.

As IT departments evaluate solutions for protecting sensitive information, they often find the answer is safeguarding data at the source— the actual databases in which the data resides. Database security is not only a reliable way to protect information but also what auditors look for when assessing regulatory compliance.

“Companies are strengthening internal protections for database security in response to regulatory drivers, as well as systematic, comprehensive assessments of security in their IT architecture,” says Trent Henry, research director for security and risk management practices for Burton Group, an IT research and advisory firm.

Responsible Security

“All database administrators know they are responsible for protecting their databases from attack and unauthorized access,” says Arup Nanda, senior director of database engineering for Starwood Hotels & Resorts Worldwide. Responsible for the company’s corporate database strategy, Nanda oversees more than 350 Oracle production databases.

Nanda must also ensure that the database infrastructure complies with numerous regulations and that sensitive information such as credit card and passport numbers are protected. To do this, Nanda relies on Oracle encryption technologies. Data is encrypted in transit over the network to and from the applications, in the database, and on backup tapes.

Additionally, access to customer data at Starwood is restricted on a need-to-know basis. “The Oracle Virtual Private Database feature allows us to control access to specific rows in a table,” he explains. “If, say, John Smith manages an account, then he can only see that account’s related records and nothing else.”

“Organizations shouldn’t inherently distrust DBAs or other privileged users,” says Vipin Samar, Oracle’s vice president of database security. “But in today’s highly regulated world, companies need to demonstrate that internal controls are in place to keep data from being stolen or accidentally altered.”

Helen Sun, manager of decision support services at investment management firm Harbor Capital Advisors, agrees. “Oracle Database Vault has helped us limit access to our clients’ sensitive financial data and achieve the separation of duties necessary within our relatively small organization,” says Sun.

With Oracle Database Vault, organizations can implement separation of duties, preventing even privileged database users from accessing sensitive application information. Application data is further protected using Oracle Database Vault’s multifactor policies that control access based on built-in factors such as time of day, IP address, application name, and authentication method, preventing unauthorized ad hoc access and application bypass.

Meeting and Exceeding Regulations

There are different ways to approach compliance with the PCI security standard. Women’s clothing retailer Dress Barn chose a route that brought the required compliance and more.

“The approach we took was to analyze all the credit card touchpoints in the corporation,” says Sam Lebron, Dress Barn’s senior manager of enterprise Web architecture and development. According to the PCI security standard, touchpoints include any system that stores or acts as a conduit for the credit card data. Dress Barn identified a dozen of these areas across its commercial business applications and homegrown financial systems. But by adopting a “tokenization” approach, Dress Barn was able to reduce the number of actual touchpoints.

“At the earliest possible point where a credit card number enters the Dress Barn enterprise, we simply convert it into a meaningless 16-digit token and send that to all the downstream systems,” Lebron says. “The actual credit card information sits in its own protected world while the tokens are used in 98 percent of the enterprise activities.”

Dress Barn protects that world with Oracle Transparent Data Encryption, part of Oracle Advanced Security. The encryption features in Oracle Advanced Security can transparently encrypt all application data or specific sensitive-data columns, such as credit card numbers or personally identifiable information. With Oracle Advanced Security, data can be encrypted at rest in the database and when it leaves the database over the network or via backups and exports.

Oracle Transparent Data Encryption works as described at Dress Barn. “The Oracle product has truly lived up to its name—it is truly transparent data encryption,” Lebron says. “It was just a matter of getting the license keys and installing it. Within a matter of a few hours, the basic components were running and available, and we didn’t notice any performance impact. The key-management features are built into the product, so we also didn’t have to worry about any other third-party tools to manage the keys.”

Dress Barn’s tokenization approach and use of Oracle Transparent Data Encryption was cost effective. “If we didn’t go the tokenization route, we would have had to employ a number of encryption technologies. So we were able to save the company quite a bit of money,” says Lebron.

In addition to saving money, this approach paid off with Dress Barn’s auditors. “Our policies and procedures have exceeded the requirements for either PCI or Sarbanes-Oxley compliance,” Lebron concludes.
 

Send us your comments