As Published In
Oracle Magazine
September/October 2009

FEATURE


Information Secured. Identity Confirmed.

By David A. Kelly

Protect your organization’s data, manage users, and grow your business with Oracle database security and identity management solutions.

Organizations have long tried to protect their data and control who gets to see it. Security threats, from hackers to employees with inappropriate data access, can result in severe legal penalties and in loss of revenue as well as loss of reputation. Now more than ever, it is important to secure data at multiple levels to protect against sophisticated attacks from outsiders and insiders.

Security needs to start close to the data, taking into account potential internal security threats while also protecting against traditional outside security threats. “A good strategy should be ‘security inside out,’” says Vipin Samar, vice president of database security development at Oracle. “What we’re doing at Oracle is providing ‘defense-in-depth’ security technology that is also transparent, high-performance, and easy to deploy,” he says.

Defense in depth, Samar explains, has three layers. “First, customers want to be sure that the data itself is encrypted, whether the data goes on the disk or on the tape or on the network itself,” he says. “The next layer of access control should ensure that only authorized people can look at your data and only under specific conditions. Just being a privileged user on the database should not automatically give you access to all the application data.”

The third layer is monitoring and auditing. “We need to trust the people who manage the show, but we should monitor them and know what’s really happening,” Samar says. “For monitoring, first you want to make sure that the systems are configured and secured properly. Second, you want to audit the activities of these users, whether they are insiders or outsiders, or people with superprivileges. Third, you want to keep a history of what they have done and be able to create reports and raise alerts as needed.”

A driver for “security inside out” is an accelerating trend of data privacy and integrity protection regulations that call for information-specific controls.

“We’re seeing an architectural trend of moving security closer to the data that’s being protected,” says Daniel Blum, senior vice president and principal analyst for security and risk management strategies at the Burton Group. “Companies drive security down to the data layer partly because there are so many combinations of data—centralized data, distributed data, structured data, unstructured data, and more—and partly because of increased regulatory activity that requires organizations to protect and retain information.”

Protecting Data at the Source

Snapshots


Yuntaa NV
www.yuntaa.com

Location: Groot-Bijgaarden, Belgium
Industry: Online archiving and sharing
Employees: 30
Oracle products: Oracle Database, Oracle Automatic Storage Management, Oracle Advanced Security, Oracle Partitioning, Oracle Advanced Compression

Northwestern Memorial Hospital
www.nmh.org

Location: Chicago, Illinois
Industry: Healthcare
Employees: 7,200
Oracle products: Oracle Database, Oracle Identity Management, PeopleSoft Human Resources, PeopleSoft Financials, PeopleSoft Inventory


Daewoo Securities
www.bestez.com

Location: Seoul, South Korea
Industry: Financial services
Employees: 3,000
Oracle products: Oracle Database, Oracle Database Vault, Oracle Advanced Security

Information-centric security starts with protecting data at the source—the database. Using Oracle Advanced Security with Oracle Database 11g, organizations can encrypt data at rest and data traveling between applications and the database without any changes to their applications. The encryption happens transparently inside the database, protecting data against unauthorized system- or network-level access. The data also stays encrypted when it is backed up or exported, so data remains secure even if a backup is lost or stolen.

Yuntaa NV, a company that provides online storing and sharing of digital media such as photos, videos, documents, and audio files, uses Oracle Advanced Security with Oracle Database 11g to protect its data—and proves at the same time that security isn’t always about locking things down and restricting services. High-performance security can enable a company to offer services and open up a path for future growth.

Based in Belgium, Yuntaa currently has more than 50,000 users around the world and uses Oracle Database 11g to store more than 1.6 million files. While the company has plenty of competition for online storage or backup of digital media, Yuntaa does much more—it can function as a complete backup and synchronization solution as well as an online multimedia solution for storing, sharing, and viewing the content that has been backed up. And everything begins with Oracle Database.

“Our Oracle Database implementation is the foundation of Yuntaa.com and our business. It’s allowed us to take the vision of what we want to do for our customers and turn it into a reality,” says Andy Barrett, cofounder and CTO, Yuntaa.

All user-generated content and Yuntaa’s metadata are stored and managed using the Oracle Automatic Storage Management file system, so the company doesn’t have to manage a separate file system or content repository.

Yuntaa also uses Oracle Partitioning and Oracle Advanced Compression in its growing multiterabyte database. But the key to Yuntaa’s ability to grow is the built-in data security from Oracle.

“Security for Yuntaa is paramount. It’s our key focus and our key objective,” says Barrett. “Yuntaa is all about securing and protecting our customers’ data, as well as enabling them to make use of that data.”

In fact, Yuntaa’s security architecture is so solid that it was able to obtain an insurance policy—valued at €250,000 for each user—if Yuntaa is responsible for the loss or theft of a customer’s data.

To help secure that data, Yuntaa uses Oracle Advanced Security. “It provides the best encryption available,” says Barrett. “We use Oracle Advanced Security to secure the data at rest and protect against intrusions. Each object and all user-generated content is encrypted inside the database and remains encrypted until it’s presented to the authenticated user. Oracle Advanced Security saves us a lot of development time and ensures that the security will work with all types of files and media.”

Instead of requiring users to keep track of encryption keys or other technical requirements, Oracle Advanced Security allows Yuntaa to make the extra security transparent, so its users can focus on their digital content. “Oracle Advanced Security is a real benefit for our users,” Barrett says.


Oracle Identity Management 11g—Innovations in User Management


As part of Oracle Fusion Middleware 11g, several new and updated components of Oracle Identity Management 11g are now available, including Oracle Platform Security Services, Oracle Directory Services, Oracle Web Services Manager, Oracle Access Manager, and Oracle Identity Federation.

Oracle Platform Security Services delivers the industry’s first service-oriented security foundation. This comprehensive declarative security framework allows developers to build security into their applications and deploy them into a centralized identity management framework.

Oracle Directory Services features a newly integrated administration console—Oracle Directory Services Manager—to manage and configure LDAP directories, virtual directories, and metadirectories from a single point. It also features new wizards to help accelerate directory deployments by simplifying tasks such as sizing, tuning, and replication.

Oracle Web Services Manager and Oracle Access Manager have been enhanced to provide integrated access control including message encryption, identity propagation, and policy management for Web-based applications and Web services in a heterogeneous, multivendor environment.

Oracle Identity Federation now features the Universal Federation Framework, extending connectivity to a broad set of protocols including SAML 2.0, Microsoft CardSpace, Liberty, WS-Federation, and more. Oracle Identity Federation 11g has also passed Liberty Alliance SAML 2.0 interoperability testing, demonstrating that user-driven, identity-enabled applications can interoperate across networks, devices, and regions.

“The advantage of Oracle’s new identity management innovations is that organizations can now build or deploy entire applications with tightly integrated security but have that security independently packaged,” says Amit Jasuja, vice president of development at Oracle. “The security elements can be automatically deployed with the application and then managed with Oracle Identity Manager, so you can easily administer the rules to decide which permissions get combined and aggregated into a single role. The entire lifecycle of an application has been integrated with the identity management system, and if you look across the industry today, nobody else can do that.”


Using Oracle Advanced Security to implement advanced encryption wasn’t hard for Yuntaa. “All there was to it was adding the keyword ‘encrypt’ to the BLOB columns in the database, creating an Oracle wallet for the master key, and then restarting the database,” says Barrett. “It couldn’t be simpler than that.”

For Barrett, one of the most positive aspects about Oracle Advanced Security capabilities isn’t even about security. It’s about performance.

“I haven’t noticed any additional overhead on the CPU for encrypting or unencrypting the data using Oracle Advanced Security,” says Barrett. “It’s really a dream come true. I’m completely satisfied with it.”
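The three steps Barrett describes, written out as Oracle Database 11g statements. This is an added example, not Yuntaa’s own schema or code; the table name, column names, wallet directory and password are assumptions, and the password is a placeholder.

```sql
-- Wallet location, set once in sqlnet.ora on the database server
-- (the directory path is an assumption):
--   ENCRYPTION_WALLET_LOCATION =
--     (SOURCE = (METHOD = FILE)
--       (METHOD_DATA = (DIRECTORY = /u01/app/oracle/admin/ORCL/wallet)))

-- Step 1 (run as SYSDBA): create the wallet and the TDE master key.
-- In 11g this one statement creates the wallet file if none exists yet.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "wallet-password-placeholder";

-- Step 2: after every database restart the wallet must be opened, or
-- encrypted columns cannot be read (an auto-login wallet avoids the step).
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "wallet-password-placeholder";

-- Step 3: the "encrypt" keyword on the columns that hold sensitive data.
-- User content is an encrypted SecureFiles BLOB (BasicFile LOBs cannot be
-- encrypted); a scalar column shows the same keyword on a regular column.
-- Application code still reads and writes CONTENT as an ordinary BLOB.
CREATE TABLE media_object (
  object_id    NUMBER         PRIMARY KEY,
  owner_id     NUMBER         NOT NULL,
  owner_email  VARCHAR2(255)  ENCRYPT,
  file_name    VARCHAR2(255)  NOT NULL,
  content      BLOB           ENCRYPT USING 'AES256'
)
LOB (content) STORE AS SECUREFILE;

-- Checks a DBA would run afterwards: wallet state, then which columns
-- are actually encrypted and with which algorithm.
SELECT wrl_type, wrl_parameter, status FROM v$encryption_wallet;

SELECT table_name, column_name, encryption_alg, salt
  FROM dba_encrypted_columns
 WHERE table_name = 'MEDIA_OBJECT';
```

If the wallet is closed, queries against the encrypted columns fail rather than returning plaintext, which is the behaviour that keeps a lost backup or a copied datafile unreadable.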

Managing User Access

The second layer of “security inside out” involves managing who has access to specific data. And while access control has always been important in IT, access control that helps to meet regulatory requirements has become critical in many industries. For example, compliance mandates such as the Health Insurance Portability and Accountability Act (HIPAA) have had a big impact on data security in hospitals and healthcare institutions. Northwestern Memorial Hospital, in Chicago, Illinois—a teaching hospital with 873 beds, 1,603 affiliated physicians, and 7,200 staff—is no exception.

“Our main challenge is achieving IT general controls—making sure that the hospital is following the appropriate guidelines for security by tracking approval on all access to its systems, using role-based security where possible, and ensuring that transfers and terminations are executed correctly and quickly,” says Sue Lopardo, director for administrative systems at Northwestern Memorial.

The hospital decided to implement an identity management solution based on Oracle Identity Management, which allows organizations to manage the end-to-end lifecycle of user identities across all enterprise resources, as well as protect all applications and data.


“Oracle Identity Management was deployed to improve compliance with our IT security policies and provide a central repository for all requests and approvals,” says Mary Beth Jezuit, manager of administrative systems at Northwestern Memorial.


There were three key goals driving the deployment of Oracle Identity Management. The first was to maintain control over who has access to the hospital’s applications and data. The second was to provide a foundation to support self-service password management in an increasingly decentralized environment. Last, Northwestern Memorial wanted automated controls to ensure that the right people had access to the right information at the right time.


Oracle Identity Management was launched at Northwestern Memorial in October 2008 with provisioning to the hospital’s Microsoft Active Directory, four PeopleSoft systems, its clinical and revenue systems, and more. Now, when an employee leaves the hospital or changes roles, his or her rights are turned off or adjusted across all the systems consistently. “Automated controls triggered by terminations and transfers are critical to a successful security program,” says Lopardo.


For the hospital, the new system reduces staff workload. “Before we had Oracle Identity Management, we had to do a lot of legwork to verify and review everyone who had access to the systems and confirm their rights,” says Lopardo. “Now, with Oracle Identity Management, we get notices of terminations as part of the workflow, so it is easy to validate that the right people have the right access policies. The types of auditing, reporting, and monitoring capabilities that Oracle Identity Management provides are critical.”


The new system reduces workload in another way as well. Northwestern Memorial used Oracle Identity Management to roll out a self-service password-reset solution that’s already cutting down on help desk calls. The Northwestern Memorial IT help desk received more than 35,000 calls for password resets in 2008 alone. With Oracle Identity Management, Northwestern Memorial applications now provide self-service password management with challenge questions.


Northwestern Memorial plans to expand its use of Oracle Identity Management, including connecting it to additional applications that use Microsoft Active Directory, and enabling a workflow process that allows managers to request and provision specialized or advanced system access for staff members.

Protecting Against Insider Threats

Perhaps nowhere are regulatory requirements felt more acutely than in the high-stakes world of international finance. Take the example of Daewoo Securities, a leading financial services company offering investment, banking, and brokerage services to retail and corporate clients around the world.

As a company handling large financial transactions, Daewoo Securities must consider both internal and external security threats, as well as the enforcement of strict ethical guidelines for business practices. Specifically, the company wanted to ensure that access to the personal and financial data of its customers would be limited to authorized employees and applications.


That’s why Daewoo Securities implemented Oracle Database Vault and Oracle Advanced Security. Using Oracle Database Vault, Daewoo was able to enforce least privilege and separation of duties and allow DBAs to manage the database while preventing them from being able to access sensitive customer data. Similarly, Oracle Advanced Security allows system and storage administrators to manage servers and storage but prevents them from being able to see unencrypted customer data. Customers are protected, and day-to-day operations remain unaffected.
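What “DBAs manage the database but cannot read customer data” looks like in Oracle Database Vault terms: a realm around the application schema. This is an added example, not Daewoo’s configuration; the CUSTAPP schema, the realm name and the table name are assumptions.

```sql
-- Run as the Database Vault owner account (DV_OWNER role), not as SYS:
-- separation of duties means the DBA cannot change these rules.
BEGIN
  -- A realm is a protective boundary around schema objects; system
  -- privileges such as SELECT ANY TABLE do not apply inside it.
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'Customer Data Realm',
    description   => 'Personal and financial data of customers',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);  -- log blocked access

  -- Every table in the assumed CUSTAPP schema is placed under the realm.
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'Customer Data Realm',
    object_owner => 'CUSTAPP',
    object_name  => '%',
    object_type  => 'TABLE');

  -- Only the application account is authorized. DBAs keep their
  -- administrative powers (backup, tuning, space management) but any
  -- SELECT on a protected table fails with ORA-01031.
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'Customer Data Realm',
    grantee       => 'CUSTAPP',
    rule_set_name => NULL,
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_OWNER);
END;
/

-- Verification a security team would run afterwards:
-- 1. realm membership as recorded by Database Vault
SELECT realm_name, owner, object_name, object_type
  FROM dba_dv_realm_object
 WHERE realm_name = 'Customer Data Realm';

-- 2. as a DBA (not CUSTAPP) this now raises ORA-01031: insufficient
--    privileges, even though the DBA role includes SELECT ANY TABLE;
--    the failed attempt is written to the Database Vault audit trail.
SELECT COUNT(*) FROM custapp.customer_account;
```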


“We used Oracle’s database security solutions to resolve internal security issues—a common challenge for financial institutions,” says Jung HakSoo, deputy manager of the Infrastructure Development Department at Daewoo Securities.


“Oracle Database Vault offers internal controls that help secure human resources data,” he adds, “while Oracle Advanced Security has automated encryption functions that further protect sensitive information.”


A Secure Foundation for Growth

Today’s successful organizations are securing their information and applications from the inside out and making sure that access is granted only to those who need it. Such solutions not only protect information and stakeholders, but they also provide a foundation for future growth. By leveraging Oracle identity management solutions and the transparent database security solutions of Oracle Database 11g, organizations can ensure security while focusing on business needs.




David A. Kelly (dkelly@upsideresearch.com) is a business, technology, and travel writer who lives in West Newton, Massachusetts.