From the Editor
Secure on the Inside
By Tom Haunert
Identify and protect against the security threat inside the enterprise.
When I was a student I worked for several different retail stores. While security was important at each of these stores, one particular store initially surprised me with its security focus, until I realized it had correctly identified the most serious security threat.
This store was part of a large national discount chain, and what first struck me about the store's security was that it didn't seem to have any. There was no merchandise or inventory control technology, and shoplifters could, too easily in my opinion, walk items out the unprotected front door.
After working there for just a few weeks, I discovered that the company was actually very committed to security, just not to security focused on the outside theft of shoplifters. The company focused its security efforts on the inside threat.
This retail company used professional auditors posing as shoppers to determine whether employees were properly following a very simple process for accurately ringing up merchandise, creating and providing receipts, properly handling money, and correctly handling inventory.
As a result of these audits, several employees that I had worked with were caught stealing and charged with theft. The first prosecution that I witnessed was followed by another a few weeks later, and another a few weeks after that. All employees knew that the company did these audits, and all employees knew about a prosecution as soon as it happened. The fact that there were multiple prosecutions over an extended period surprised me; perhaps the audits and prosecutions were preventing some theft, but they were most definitely not stopping it.
Oracle Database Vault
Concern about corporate compliance audits is a driving force in information technology. In the "Security Inside" article on page 40, David A. Kelly talks with Trent Henry, senior analyst, Burton Group, about compliance. "What we've seen at a lot of companies is that when auditors come in, they find that privilege isn't separated among multiple users or that there are separation-of-duties problems, such as DBAs being able to do much more with a repository than they should be able to. One of the key concerns is integrity of the information and making sure that it can't get changed in an unauthorized way," says Henry.
A new Oracle security product, Oracle Database Vault, addresses these types of internal security concerns by providing control over who can access data, when, and where, protecting the data from malicious actions and simple mistakes. Oracle Database Vault also reports who is accessing what and when, and controls data access by highly privileged database users.
Scrutiny Brings Security
Compliance audit concern has driven initiatives to create compliant processes and access controls. But the possibility of an audit and the audit itself do not prevent malicious activity or even simple mistakes. Some audits, of retail stores, income tax returns, and corporate compliance, will uncover problems because mistakes, intentional and accidental, happen (unless they are prevented by a product like Oracle Database Vault).
When a compliance audit turns up a significant problem, unlike a simple retail store audit scenario looking at whether a cashier properly handles receipts and money, the compliance audit may be only the beginning of an investigation into both company compliance and the people, including more highly privileged users, involved.
An audit that uncovers significant problems will certainly have repercussions, perhaps even including job terminations and legal prosecutions, but it will also identify the internal security weakness. And unlike the retail store that can, or must, simply continue to audit the same cashier process, companies will need to respond to and resolve the security issue, and that solution will immediately improve the internal security of the enterprise.
Whether an audit finds or does not find problems, however, it draws attention to internal security and the threat within the enterprise, and that can only make the enterprise more secure.
It's Here
Oracle OpenWorld is here. I'll be at the show October 22-26, meeting with authors, editorial board members, and partners; recording podcasts; talking to customers; getting ideas for future articles; and more. If you see me there, please say hello, and tell me what you'd like to read in Oracle Magazine.
Tom Haunert, Editor in Chief
tom.haunert@oracle.com