Information-centric security starts with protecting data at the source—the database. Using Oracle Advanced Security with Oracle Database 11g, organizations can encrypt data at rest and data traveling between applications and the database without any changes to their applications. The encryption happens transparently inside the database, protecting data against unauthorized system- or network-level access. The data also stays encrypted when it is backed up or exported, so data remains secure even if a backup is lost or stolen.
Yuntaa NV, a company that provides online storing and sharing of digital media such as photos, videos, documents, and audio files, uses Oracle Advanced Security with Oracle Database 11g to protect its data—and proves at the same time that security isn’t always about locking things down and restricting services. High-performance security can enable a company to offer services and open up a path for future growth.
Based in Belgium, Yuntaa currently has more than 50,000 users around the world and uses Oracle Database 11g to store more than 1.6 million files. While the company has plenty of competition for online storage or backup of digital media, Yuntaa does much more—it can function as a complete backup and synchronization solution as well as an online multimedia solution for storing, sharing, and viewing the content that has been backed up. And everything begins with Oracle Database.
“Our Oracle Database implementation is the foundation of Yuntaa.com and our business. It’s allowed us to take the vision of what we want to do for our customers and turn it into a reality,” says Andy Barrett, cofounder and CTO, Yuntaa.
All user-generated content and Yuntaa’s metadata are stored and managed using the Oracle Automatic Storage Management file system, so the company doesn’t have to manage a separate file system or content repository.
Yuntaa also uses Oracle Partitioning and Oracle Advanced Compression in its growing multiterabyte database. But the key to Yuntaa’s ability to grow is the built-in data security from Oracle.
“Security for Yuntaa is paramount. It’s our key focus and our key objective,” says Barrett. “Yuntaa is all about securing and protecting our customers’ data, as well as enabling them to make use of that data.”
In fact, Yuntaa’s security architecture is so solid that the company was able to obtain an insurance policy, valued at €250,000 for each user, that covers cases in which Yuntaa is responsible for the loss or theft of a customer’s data.
To help secure that data, Yuntaa uses Oracle Advanced Security. “It provides the best encryption available,” says Barrett. “We use Oracle Advanced Security to secure the data at rest and protect against intrusions. Each object and all user-generated content is encrypted inside the database and remains encrypted until it’s presented to the authenticated user. Oracle Advanced Security saves us a lot of development time and ensures that the security will work with all types of files and media.”
Instead of requiring users to keep track of encryption keys or other technical requirements, Oracle Advanced Security allows Yuntaa to make the extra security transparent, so its users can focus on their digital content. “Oracle Advanced Security is a real benefit for our users,” Barrett says.
Using Oracle Advanced Security to implement advanced encryption wasn’t hard for Yuntaa. “All there was to it was adding the keyword ‘encrypt’ to the BLOB columns in the database, creating an Oracle wallet for the master key, and then restarting the database,” says Barrett. “It couldn’t be simpler than that.”
For Barrett, one of the most positive aspects of Oracle Advanced Security’s capabilities isn’t even about security. It’s about performance.
“I haven’t noticed any additional overhead on the CPU for encrypting or unencrypting the data using Oracle Advanced Security,” says Barrett. “It’s really a dream come true. I’m completely satisfied with it.”
The second layer of “security inside out” involves managing who has access to specific data. And while access control has always been important in IT, access control that helps to meet regulatory requirements has become critical in many industries. For example, compliance mandates such as the Health Insurance Portability and Accountability Act (HIPAA) have had a big impact on data security in hospitals and healthcare institutions. Northwestern Memorial Hospital, in Chicago, Illinois—a teaching hospital with 873 beds, 1,603 affiliated physicians, and 7,200 staff—is no exception.
“Our main challenge is achieving IT general controls—making sure that the hospital is following the appropriate guidelines for security by tracking approval on all access to its systems, using role-based security where possible, and ensuring that transfers and terminations are executed correctly and quickly,” says Sue Lopardo, director for administrative systems at Northwestern Memorial.
The hospital decided to implement an identity management solution based on Oracle Identity Management, which allows organizations to manage the end-to-end lifecycle of user identities across all enterprise resources, as well as protect all applications and data.
“Oracle Identity Management was deployed to improve compliance with our IT security policies and provide a central repository for all requests and approvals,” says Mary Beth Jezuit, manager of administrative systems at Northwestern Memorial.
There were three key goals driving the deployment of Oracle Identity Management. The first was to maintain control over who has access to the hospital’s applications and data. The second was to provide a foundation to support self-service password management in an increasingly decentralized environment. Last, Northwestern Memorial wanted automated controls to ensure that the right people had access to the right information at the right time.
Oracle Identity Management was launched at Northwestern Memorial in October 2008 with provisioning to the hospital’s Microsoft Active Directory, four PeopleSoft systems, its clinical and revenue systems, and more. Now, when an employee leaves the hospital or changes roles, his or her rights are turned off or adjusted across all the systems consistently. “Automated controls triggered by terminations and transfers are critical to a successful security program,” says Lopardo.
For the hospital, the new system reduces staff workload. “Before we had Oracle Identity Management, we had to do a lot of legwork to verify and review everyone who had access to the systems and confirm their rights,” says Lopardo. “Now, with Oracle Identity Management, we get notices of terminations as part of the workflow, so it is easy to validate that the right people have the right access policies. The types of auditing, reporting, and monitoring capabilities that Oracle Identity Management provides are critical.”
The new system reduces workload in another way as well. Northwestern Memorial used Oracle Identity Management to roll out a self-service password-reset solution that’s already cutting down on help desk calls. The Northwestern Memorial IT help desk received more than 35,000 calls for password resets in 2008 alone. With Oracle Identity Management, Northwestern Memorial applications now provide self-service password management with challenge questions.
Northwestern Memorial plans to expand its use of Oracle Identity Management, including connecting it to additional applications that use Microsoft Active Directory, and enabling a workflow process that allows managers to request and provision specialized or advanced system access for staff members.
Perhaps nowhere are regulatory requirements felt more acutely than in the high-stakes world of international finance. Take the example of Daewoo Securities, a leading financial services company offering investment, banking, and brokerage services to retail and corporate clients around the world.
As a company handling large financial transactions, Daewoo Securities must consider both internal and external security threats, as well as the enforcement of strict ethical guidelines for business practices. Specifically, the company wanted to ensure that access to the personal and financial data of its customers would be limited to authorized employees and applications.
Today’s successful organizations are securing their information and applications from the inside out and making sure that access is granted only to those who need it. Such solutions not only protect information and stakeholders, but they also provide a foundation for future growth. By leveraging Oracle identity management solutions and the transparent database security solutions of Oracle Database 11g, organizations can ensure security while focusing on business needs.