|
Feature
Security Inside
By David A. Kelly
Oracle database vault secures the inside of the enterprise.
Creating a data security strategy that fits your business is more than simply ensuring that basic access controls are defined or proper firewalls are in place. Having a comprehensive security plan means going beyond traditional security approaches to find flexible solutions that can help reduce internal and external risks, improve accountability, and enable organizations to do business more efficiently.
For example, running a profitable TV production and broadcast company requires more than simply broadcasting half-hour shows and half-minute commercials—it means enabling secure access to a wide range of critical corporate data for both internal and external users. One company that has done this successfully is Artear, one of Latin America's leading television producers and broadcasters. Artear used Oracle Label Security to move the management of security out of the application and into the database while they were migrating from an AS/400 to a clustered Linux environment.
Using Oracle Label Security eliminated the internally developed security efforts and reduced the amount of investment required to develop and manage the security aspects of Artear's key business applications, while enabling flexible and fast access for a wide range of users. "Because much of the data is sensitive and we have to provide a wide level of access, we needed the flexibility to control who views the data," says Graciela Mucci, CIO, Artear.
Access has become an issue for many companies. "Businesses have optimized their supply chains and use customer relationship management software to manage relationships with their clients. In doing so, systems have become much 'closer' to each other and much 'closer' to the end users," writes Ron Ben-Natan in Implementing Database Security and Auditing (Digital Press, 2005). "Sure, we use firewalls to secure our networks and we don't connect databases directly to the Internet, but ... databases are much more exposed than they used to be. Ten years ago the database was accessed by applications that were only available to internal employees. Now it is (indirectly through the application) accessed by anyone who has access to the Web site (i.e., everyone in the world)."
Guarding Against Threats
In fact, for most organizations, traditional security approaches—authentication, authorization, and access controls—are just the starting point. But with increased security and privacy pressures ranging from ever-more-sophisticated internal and external attacks to increased regulations such as HIPAA and Sarbanes-Oxley, organizations need to move beyond the traditional authentication, authorization, and access approaches. Artear's use of Oracle Label Security is just one example of how organizations are meeting these new security requirements.
Oracle is helping companies formulate a strategic approach to today's data security issues by extending its products in multiple ways. With new solutions like Oracle Database Vault, Transparent Data Encryption, Oracle Secure Backup, and Oracle Identity Management, Oracle makes it possible for organizations to ensure that their data is protected and that they can meet security, compliance, and risk management challenges efficiently and cost-effectively.
Extending the protection around the database is critical. "When you're looking at some of the major compliance drivers like Gramm-Leach-Bliley for customer information or Sarbanes-Oxley for the integrity of financials, then the databases become incredibly important systems of record for the types of information that auditors look closely at. That's why enhancing the security tools and protection mechanisms around the database makes sense," says Trent Henry, senior analyst, Burton Group.
|
Solving the Audit Issue
Today's organizations must not only comply with a wide range of regulatory requirements but also prove their compliance through audits. While some databases and other products provide auditing capabilities, ensuring their accuracy is tougher than simply turning them on.
"There's an increasing need for companies to put systems in place that can monitor everything that's going on in a database system so an organization can validate that the activities are approved, identify exceptional activities that may need to be investigated further, and have a trusted record of activities on their systems," says Cliff Pollan, CEO at Lumigent, an Oracle partner that provides audit applications that can help organizations analyze audit data from both Oracle and non-Oracle database systems.
Auditing information can also be used to enable organizations to react when some change has occurred—malicious or not—to a database, according to Ted Gary, product manager at Tripwire, an independent software vendor whose Tripwire Enterprise 5.5 supports change auditing for Oracle databases.
"Our customers are trying to deliver services that comply with regulations and that meet service-level agreements and have appropriate levels of security," says Gary. "What they find is, oftentimes the great culprit to achieving those things is changes made internally by their own people. While you want to monitor for external hacking, many of the security problems our customers are having result from unauthorized changes to configuration settings or something else in the software stack."
Enter Oracle Audit Vault
"Compliance regulations have changed the way databases are secured and audited. Audit trails contain a wealth of valuable information, and auditors are placing a great deal of focus on the audit logs. The first thing that auditors ask for when they come in for a compliance audit is to see your audit logs," says Jack Brinson, principal product manager (database security), Oracle Audit Vault.
"Customers in every industry are being asked to turn on auditing to track activity for compliance and internal security requirements," Brinson says. "One of the major challenges is the audit logs are distributed in multiple silos across the enterprise. For many years, customers have been asking for an audit warehouse that centralizes the audit silos into a secure repository where you can do analysis and reporting on the consolidated audit data."
Oracle Audit Vault gives organizations a secure repository for enterprise audit data—basically an audit warehouse or a way to collect and ensure the security of auditing information from both Oracle and non-Oracle systems—and provides insight into who did what to which data when, including privileged users who have direct access to the database.
"Understanding who accessed, altered, updated, deleted, or merely viewed sensitive data is an essential component to satisfying compliance requirements and protecting data," says Brinson. "Oracle Audit Vault provides the capability to detect, monitor, alert, and report the history of privileged user changes, schema modifications, and even data-level access. By consolidating and centralizing all the information that is captured across different systems, companies can do audit reporting from this repository, making the data meaningful."
Oracle Audit Vault is in beta testing and is scheduled for release in late 2006.
|
"What we've seen at a lot of companies is that when auditors come in, they find that privilege isn't separated among multiple users or that there are separation-of-duties problems, such as DBAs being able to do much more with a repository than they should be able to," Henry says. "One of the key concerns is integrity of the information and making sure that it can't get changed in an unauthorized way."
In response to those types of internal threats, Oracle extended its security capabilities with the release of
Oracle Database Vault, which gives organizations the mechanisms to restrict access to super and privileged users with database realms. A database realm allows an organization to define a protection zone around a specific application, part of an application, or a set of data. Access to this zone is protected from power users, such as those with the DBA role. Additionally, Database Vault multifactor authorization can block access based on factors such as time of day (for example, only between 9 a.m. and 5 p.m.), IP address limitations (so that someone can't log in remotely), or other considerations. Rules can be associated with dozens of database commands, enabling strict control over their usage.
"Oracle Database Vault allows you to control the super and privileged user access," says Wynn White, senior director, security and identity marketing, Oracle. "By using Oracle Database Vault, you have more-granular access control mechanisms to specific data sets, as well as the ability to restrict access for individuals only to the specific data they need to do their jobs. This is something new to the industry."
Oracle Database Vault helps organizations manage aspects of regulatory compliance. "We've been spending a lot of our time with companies whose external auditors have raised the issue of data security from a financial reporting integrity issue," says Jay Thompson, a managing director at Protiviti, a leading international provider of independent internal audit and business and technology risk consulting services.
"Some companies will find that using [Oracle] Database Vault is a very simple way for them to restrict access selectively to data, and they'll be able to address a significant security risk issue they're facing by limiting access to sensitive information," he adds.
Protecting from Internal Threats
Today, reducing risk and meeting auditing requirements means being able to protect against not only traditional external threats but new internal threats as well—something that most organizations are just starting to take seriously.
"I think that many companies have a handle on the external security threats and have good tools and processes for dealing with them. More recently, we're finding that there are a lot of potential internal threats, so the challenge for organizations is how to go about focusing on solving those internal data security threats without overdoing it and restricting business," says Thompson.
"Oracle Database Vault is a good example of a preventive control that Oracle essentially leads the market with," Thompson continues. "Going forward, I believe these capabilities will be a fundamental requirement to stay in the database market."
Flexible Security
While restricting internal access to corporate data through technologies such as Oracle Database Vault is important, creating flexible security architectures that can enable organizations to do more than they could previously is often equally important. Artear manages this balance by using Oracle Label Security to enable highly flexible but extremely secure internal and external access to critical sales, billing, and business systems and data.
"Instead of maintaining security policies in our applications and database, Oracle Label Security allowed us to apply these access controls where it matters most: the centralized database on a scalable Oracle RAC [Real Application Clusters] system," says Artear's Mucci. "Instead of having to change our application logic each time we add a new TV channel, we are able to use Oracle Label Security to quickly and easily change or create access policies. For example, we are now able to add new TV channels much more rapidly than ever before."
|
Oracle Software Security Assurance:
Strong from the Ground Up
A complete security strategy starts well before deployment of a new application or database. In fact, it starts before an organization purchases a database. "We've taken a lot of measures to ensure the security of our products and enable fast response to vulnerabilities," says Darius Wiles, senior manager, security alerts, Oracle. "For example, we've adopted practices internally, including training developers on the types of attack mechanisms used by hackers, security code reviews, and using internal and external teams to try and break into products before they're shipped. We're doing a lot to make Oracle products stronger and even more secure."
The Oracle Software Security Assurance process helps ensure that security is designed and built into products and provides a consistent way to apply patches and critical fixes. It covers everything from product definition and development to continuous assurance, guaranteeing that security considerations are given high priority.
In the product definition stage, developers use security standards, tools, software libraries, and formal secure coding standards. These functions and libraries are developed by experts; many of them are subjected to third-party testing and independent certification. Critical security functionality is consolidated into core modules and services that are used by development teams to ensure uniformity and security across Oracle products. Members of a Security Steering Committee review and coordinate efforts, helping to cross-pollinate security technology across divisions.
Oracle's development processes incorporate security into functional specification, design, implementation, and testing of products. In the specification phase, security plans must be incorporated for the design to be approved. The design phase aims to reduce the vulnerability of a production system to attack, including restricting user privileges, removing unneeded functionality, and closing off nonessential modes of access to the system, such as unused default user accounts or network ports. This configuration effort helps ensure that products are secure out of the box.
Secure development tools include security-oriented regression testing as part of Oracle's quality assurance process, and testing with specialized security vulnerability analysis tools in the product development phase. Oracle also uses "ethical hacking" to find product defects that could allow a user to bypass security mechanisms. Both internal and external teams do product assessments on Oracle products before their release.
Finally, security depends on ongoing assurance. A good example of this process is Oracle's critical patch update scheme. In the past, Oracle issued security fixes on a one-off basis as needed. While this addressed the need to correct potential security threats, many organizations asked for a regular, planned patching cycle to allow testing and roll-out to be scheduled in advance. As a result, Oracle now offers customers a Critical Patch Update capability as part of Software Security Assurance.
"With Critical Patch Update, fixes are bundled into a single unit so that every quarter there's only one thing for customers to test and apply to their systems," says Wiles. "The patches are cumulative, meaning each patch includes the contents of previous patches. This allows customers to skip an update—for example, because they're at financial year-end and don't wish to patch their systems—and simply pick up the next patch, which will include everything they need. The whole scheme is designed to maximize flexibility and make it easier for customers to apply security fixes to their systems."
|
All of Artear's applications run on a single grid infrastructure, where the company has dynamic flexibility to reassign capacity on demand among the applications, to better distribute loads or skirt hardware malfunctions. Mucci explains: "The grid infrastructure allows us to save on hardware and software investments while offering a higher level of service that avoids business losses from downed environments or fragmented infrastructure that is unable to react to business capacity needs."
Reducing Risk
In addition to improving security management, eliminating internally developed security efforts, reducing investment costs, and freeing up development resources and shortening project lifecycles, the move to Oracle Label Security has helped to reduce risk. "We are able to rely upon the strong, well-tested security infrastructure that Oracle Label Security provides and avoid depending upon our programmers for creating and modifying the security infrastructure each time we add a new station or role, which would be very susceptible to errors," says Mucci. "Instead we can rapidly and confidently deploy profiles that have been previously created. Oracle Label Security gives us security and confidence."
Artear has a four-node cluster running Oracle Database 10g and Oracle RAC on IBM Blade HS20 with Novell SUSE Linux Enterprise Server for its production site and has a similar two-node development/test cluster. It also uses Novell eDirectory as the LDAP solution; Oracle Label Security provides the flexibility for keeping information securely separated.
Artear has used Oracle Label Security to help build a consolidated application environment for its mission-critical applications, including a Film Library Rights Management system; a Video Tape Library; broadcasting and cable sales management applications (for five broadcast stations) that manage program scheduling, inventory, revenue management, and more; a billing system for financial management that integrates with SAP; and a data warehouse.
Many of the applications are used by employees of the different stations as well as by advertisers, who are provided direct access to their own information. "Because much of the data is sensitive and the wide level of access we need to provide, we need the flexibility to control who views the data," says Mucci. Artear provides services to other members of Grupo Clarin companies (its sister companies), so it needs to segregate access to data not only by advertiser but also by company and role.
Artear's Oracle Label Security-based solution allows the company to define the policies without depending on which database or platform it is developing on. For example, the same assignment of roles and functions is used for Oracle and Lotus Notes. In addition, the combination of Oracle Label Security and Novell's eDirectory gives Artear a single point of administration and delegation for all aspects of managing users, an important feature for managing new employees and changing employee roles if someone is promoted or transferred. A critical benefit is also the system's ability to react instantaneously and remove or revoke security privileges when an individual leaves the company.
|
Snapshot
Artear
www.artear.com.ar
Location: Buenos Aires, Argentina
Industry: High technology
Employees (Grupo Clarin): 8,000
Oracle products: Oracle Database 10g Release 2, Oracle Label Security, Oracle Real Application Clusters
|
The Big Picture
While security, risk management, regulatory compliance, and auditing have taken on increasing importance for almost all organizations, Oracle has been steadily increasing its enterprise security footprint and capabilities, which span solution areas such as identity management, encryption, and audit.
"The Oracle database will be an increasingly important component of the security infrastructure," says Paul Needham, director, database security product management, at Oracle. "Our strategy has really been about moving from manual processes to automated processes for all types of security technologies. As we move forward, we're building in more automation and transparency, just as we did in Oracle Database 10g Release 2 with Oracle Transparent Data Encryption and its ability to help customers address critical business requirements quickly."
The same process is happening with Oracle Database Vault, a product that addresses many of the key business concerns that organizations face today: regulatory compliance, separation of duty, strong internal controls, and concerns around database consolidation security as well as reporting. "Customers want to be able to keep their power users and super users (or DBAs) from accessing application data, and Oracle Database Vault enables organizations to do that," explains Needham.
Strategic Vision
But it doesn't stop there. A strategic data security vision includes a much broader landscape than ever before—especially with the increased threat of internal attacks, theft, or simple mistakes, and the necessity of meeting new regulatory compliance and auditing requirements.
"IT and data security is no longer a specialized niche within the IT organization as it used to be, but something that has to be considered across the organization," says Oracle's White. "Security has evolved from a technology to a business issue, with applicability to all organizations across all industries—which makes it more important than ever before. By delivering a broader footprint of security technologies, Oracle ensures the protection of an organization's information assets."
David A. Kelly (dkelly@upsideresearch.com) is a business, technology, and travel writer who lives in West Newton, Massachusetts.
|
Bookmark
