FEATURE  

As Published In
Oracle Magazine
September/October 2010

Secure in the Knowledge

By David A. Kelly

 

Improve security and efficiency with Oracle Database security solutions.

These days, a good database security strategy isn’t just about security. It’s also about performance, availability, scalability, transparency, and speed of deployment. Just ask CMC Markets, a London, England-based financial services company.

“We need industrial-strength, enterprise-quality security solutions,” says Akash Gharu, head of business data services at CMC Markets. “We’re 24/7 in global markets, so we need high availability and data protection to the highest degree. But at the same time, we’re very concerned about the ease of implementation and access to support.”

CMC Markets is a retail financial trading company that offers real-time pricing, real-time trading, and real-time news updates. It provides a complete institutional trading environment for investors to manage their own list of investment opportunities, for both long-term investors as well as day traders. Although it’s relatively young (only 20 years old), CMC Markets has become one of the leading internet-based investment services organizations in the U.K., Germany, and Australia.

CMC Markets is currently poised to launch a complete revamp of its current trading technology, which company leaders expect will revolutionize the retail trading experience. A significant portion of this new technology is underpinned by state-of-the-art Oracle products.

Snapshots

 

 CMC Markets

cmcmarkets.com
Location: London, England
Industry: Financial services/retail trading
Employees: 1,000
Annual revenue: US$312 million
Oracle products: Oracle Database; Oracle Database Vault; Oracle Audit Vault; Oracle Real Application Clusters; Oracle Coherence; Oracle Business Intelligence Suite, Enterprise Edition; Oracle E-Business Suite; Oracle Active Data Guard; Oracle Real Application Testing; Oracle Hyperion applications

 

 Educational Testing Service

ets.org
Location: Princeton, New Jersey
Market: Educational testing
Employees: More than 6,000
Annual revenue: US$1.2 billion
Oracle products: Oracle Database, Oracle Advanced Security, Oracle Real Application Clusters, Oracle Partitioning, Oracle Tuning Pack, Oracle Diagnostics Pack, Oracle Identity Management, Oracle Enterprise Manager, Oracle Grid Control, PeopleSoft customer relationship management and human resources management applications

“We have a responsibility to protect our customers’ data from external and internal threats,” says Gharu. “And the first step is to protect the databases where this data is stored.” When it came to securing its database, one of the most critical requirements for CMC Markets was being able to meet regulatory requirements easily in a timely and cost-effective manner without having to go back and re-engineer its applications. Fortunately, CMC Markets was able to meet these challenges by using Oracle Database Vault and Oracle Audit Vault.

“Deploying Oracle Database Vault and Oracle Audit Vault allows us to achieve most of our audit requirements without making changes to our applications,” says Gharu. “It allows us to harden our database environment so that the applications continue to work, but direct access to the application data requires that privileged users meet a defined set of criteria.”

CMC Markets isn’t alone in needing new solutions for its data security challenges. Around the world, new regulations for protecting consumer privacy and personally identifiable information are forcing companies to re-evaluate their internal and external database security requirements.

That’s where solutions like Oracle Advanced Security, Oracle Database Vault, and Oracle Audit Vault come in. They allow organizations to easily safeguard their data without significantly affecting performance or IT infrastructure.

“Organizations have the technology to safeguard their databases without trading off performance or manageability,” says Vipin Samar, vice president of database security development at Oracle. “Today’s solutions make it very easy.” 

Securing the Financial Market

For a financial services company such as CMC Markets, compliance, database security, and audit responsibility are especially critical. Systems include lots of private data, including customer details, transaction history, and business data.

“Oracle Database Vault allows us to provide security to areas and applications that had limited or no security before,” says CMC Markets’ Gharu. “Coding a new solution would have taken a lot longer and would have taken time and resources that the business just didn’t have. Using Oracle Database Vault allows us to focus on the real product changes that we have to make and not tie up our time trying to retrofit security.”

And not having to retrofit security means faster security implementations. “By using Oracle Database Vault, we implemented all the hardened security for Oracle E-Business Suite within a week,” says Gharu. “It really shortened the time it would have taken us to deploy high-strength security for our projects.”

CMC Markets is using Oracle security solutions, including Oracle Audit Vault, on hundreds of applications.

“Oracle Audit Vault allows us to start taking a more streamlined approach to auditing by giving the right internal groups access to data so they can keep an eye on violations or restrictions, as well as control access,” says Gharu. “The attractive thing about Oracle Audit Vault is that it works with Oracle and non-Oracle databases. You can use Oracle Audit Vault to get a complete enterprise view of the activity across all your databases.” 

Certified Security

Like CMC Markets, the Educational Testing Service (ETS) in Princeton, New Jersey, also needed advanced database security options to meet new regulatory and customer requirements.

ETS is a global leader in creating, managing, and evaluating a wide range of assessment tests including the GRE test and the College Board’s SAT test. Last year, the company administered and evaluated more than 50 million tests in 180 countries.

The company has always recognized the importance of protecting its customer data, and a few years ago it implemented a program to demonstrate, through externally established standards, that it safeguards the personal data it collects.

Next Steps


 READ more about Oracle Database security products
 

 DOWNLOAD a free Oracle Audit Vault Resource Kit

“We must ensure that our customer information is safe and secure, as well as protect our globally recognized brand equity,” says Brad Peiffer, IT director at ETS.

The organization was able to use the Transparent Data Encryption feature of Oracle Advanced Security to protect a wide range of databases and systems.

“Even though we evaluated other options, we chose Oracle Advanced Security because it’s important to us to make sure we get the right level of protection for our Oracle systems,” says Peiffer. “By using the Transparent Data Encryption capabilities, even the personal data on our backups that are shipped to off-site locations is protected because it’s encrypted.”

Meeting external regulatory deadlines was another important consideration in ETS’s selection of Oracle Advanced Security.

“We had time frames we had to meet in providing certain levels of data protection to be certified and not incur any penalties,” says Peiffer. “By using Oracle’s Transparent Data Encryption, we were able to meet and beat those time frames. It’s been a solid solution.”

“We’re very pleased with Oracle Advanced Security Transparent Data Encryption. Not only does it protect all the information we have in our databases; it also protects our backups, and it’s easy because all the tools and applications we were using before all continue to work,” says Peiffer. “Oracle Advanced Security saves us time, resources, and money.” 

The Future Looks Secure

Like most technologies today, security solutions can’t stand alone. They have to work seamlessly with a wide range of internal and external IT systems, databases, and applications. They also need to meet performance, availability, and reliability requirements that didn’t exist 10 years ago and be capable of responding effectively to dynamically changing regulatory and business requirements.

The most-effective security solutions enable an organization to streamline processes, securely manage customer information and critical corporate data, and optimize business opportunities by removing potential risks or liabilities. “With all the potential threats today, organizations can deploy multiple technologies to adequately protect their data,” says Oracle’s Samar. “Different organizations will perceive risks differently, and Oracle has the solutions to cover those different risks.”

Defense in Depth

Good database security takes a multifaceted (but straightforward) strategy.
 

“A defense-in-depth approach to security allows organizations to completely protect important data, while balancing performance and manageability,” says Vipin Samar, vice president of database security development at Oracle.
 

Defense-in-depth means that an organization must create multiple barriers to defend its data against many different potential attacks. A complete defense-in-depth strategy includes three main components: encryption, access control (especially privileged user access control), and auditing and monitoring. Database security must be part of a comprehensive IT security strategy that also takes into account other security best practices such as identity management, role-based access control, and enterprisewide entitlements management. 

     

  • Encryption. Encryption ensures that even if unauthorized users gain physical access to your data, they won’t be able to read the data because it is encrypted. Almost all states in the U.S. and many other countries have passed laws requiring organizations to protect personally identifiable information data as well as important financial information such as credit card numbers. By encrypting data, organizations ensure that someone who may get access to the database file, database traffic, or database backups cannot actually read the data. Oracle Advanced Security provides a complete encryption solution that addresses all these needs without changes to applications. 
  •  

  • Access control. Encrypting data isn’t enough for total security. In addition, organizations should make sure they manage who has access to what data, and take particular care to manage highly privileged database users (such as DBAs) who otherwise might have very broad access. In addition to Oracle Database’s fine-grained access control model, Oracle provides access control options through Oracle Database Vault. Oracle Database Vault limits the access of highly privileged database users to sensitive application data, but still allows them to carry out their standard database management responsibilities, such as tuning and optimization. 

    “Oracle Database Vault provides full control over the conditions under which you can access data,” says Samar. “For example, access can be limited by IP address or date and time.” 

  •  

  • Auditing and monitoring. In addition to encryption and access control, organizations need to ensure that they monitor the activities of their users—especially the privileged users. Most modern databases can create an audit trail of what changes have been made and by whom, or if someone is reading sensitive data. That’s where Oracle Audit Vault comes in. Oracle Audit Vault enables organizations to collect audit logs from multiple systems, including non-Oracle databases, into a centralized warehouse from which users can run security and compliance reports. Oracle Audit Vault can raise alerts on any sensitive operations and set audit policies centrally.
 


David A. Kelly (dkelly@upsideresearch.com) is a business, technology, and travel writer who lives in West Newton, Massachusetts.

 

Send us your comments