As Published In September/October 2008

Protect sensitive information and achieve regulatory compliance with Oracle Database.

Securing information systems from internal as well as external threats is an important part of the security challenge facing IT today. Sensitive information, such as social security and credit card numbers, must be fully protected from outside threats and unauthorized users, but new security and compliance-related restrictions call for the protection of sensitive information inside the enterprise, even from privileged users. New security requirements such as the Payment Card Industry (PCI) Data Security Standard are pushing IT departments to implement new measures to protect sensitive information.

As IT departments evaluate solutions for protecting sensitive information, they often find the answer is safeguarding data at the source— the actual databases in which the data resides. Database security is not only a reliable way to protect information but also what auditors look for when assessing regulatory compliance.

“Companies are strengthening internal protections for database security in response to regulatory drivers, as well as systematic, comprehensive assessments of security in their IT architecture,” says Trent Henry, research director for security and risk management practices for Burton Group, an IT research and advisory firm.

Snapshots Starwood Hotels & Resorts Worldwide Headquarters: White Plains, New York Revenue: US$6.2 billion Employees: 155,000 Oracle products: Oracle Database, Oracle Advanced Security, Oracle Real Application Clusters, Oracle Automatic Storage Management, Oracle Grid Control, Oracle Application Server, Oracle Portal, Oracle Application Express Harbor Capital Advisors Headquarters: Chicago, Illinois Oracle products: Oracle Database, Oracle Database Vault, Oracle Real Application Clusters, Oracle Enterprise Manager Grid Control, Oracle Active Data Guard Dress Barn Headquarters: Suffern, New York Revenue: US$1.43 billion Employees: 15,000 Oracle products: Oracle Database, Oracle Advanced Security, Oracle Partitioning, Oracle Retail Merchandising System, Oracle’s JD Edwards EnterpriseOne

Responsible Security

“All database administrators know they are responsible for protecting their databases from attack and unauthorized access,” says Arup Nanda, senior director of database engineering for Starwood Hotels & Resorts Worldwide. Responsible for the company’s corporate database strategy, Nanda oversees more than 350 Oracle production databases.

Nanda must also ensure that the database infrastructure complies with numerous regulations and that sensitive information such as credit card and passport numbers are protected. To do this, Nanda relies on Oracle encryption technologies. Data is encrypted in transit over the network to and from the applications, in the database, and on backup tapes.

Additionally, access to customer data at Starwood is restricted on a need-to-know basis. “The Oracle Virtual Private Database feature allows us to control access to specific rows in a table,” he explains. “If, say, John Smith manages an account, then he can only see that account’s related records and nothing else.”

“Organizations shouldn’t inherently distrust DBAs or other privileged users,” says Vipin Samar, Oracle’s vice president of database security. “But in today’s highly regulated world, companies need to demonstrate that internal controls are in place to keep data from being stolen or accidentally altered.”

Helen Sun, manager of decision support services at investment management firm Harbor Capital Advisors, agrees. “Oracle Database Vault has helped us limit access to our clients’ sensitive financial data and achieve the separation of duties necessary within our relatively small organization,” says Sun.

With Oracle Database Vault, organizations can implement separation of duties, preventing even privileged database users from accessing sensitive application information. Application data is further protected using Oracle Database Vault’s multifactor policies that control access based on built-in factors such as time of day, IP address, application name, and authentication method, preventing unauthorized ad hoc access and application bypass.

Oracle Database Security Oracle Database 11g addresses data security challenges from data encryption, access control, and data classification to audit and compliance reporting, secure deployments, and data masking. The comprehensive portfolio of security options for Oracle Database 11g, including Oracle Advanced Security, Oracle Database Vault, Oracle Label Security, Oracle Data Masking, as well as Oracle Audit Vault, Oracle Total Recall, and Oracle Configuration Management, helps organizations transparently safeguard against data breaches and ensure regulatory compliance without requiring changes to existing applications. “Oracle has always stepped up to be among the leaders in adding protective capabilities,” Burton Group’s Trent Henry says. “The company also works hard to introduce effective security properties in the platform.”

Meeting and Exceeding Regulations

There are different ways to approach compliance with the PCI security standard. Women’s clothing retailer Dress Barn chose a route that brought the required compliance and more.

“The approach we took was to analyze all the credit card touchpoints in the corporation,” says Sam Lebron, Dress Barn’s senior manager of enterprise Web architecture and development. According to the PCI security standard, touchpoints include any system that stores or acts as a conduit for the credit card data. Dress Barn identified a dozen of these areas across its commercial business applications and homegrown financial systems. But by adopting a “tokenization” approach, Dress Barn was able to reduce the number of actual touchpoints.

“At the earliest possible point where a credit card number enters the Dress Barn enterprise, we simply convert it into a meaningless 16-digit token and send that to all the downstream systems,” Lebron says. “The actual credit card information sits in its own protected world while the tokens are used in 98 percent of the enterprise activities.”

Dress Barn protects that world with Oracle Transparent Data Encryption, part of Oracle Advanced Security. The encryption features in Oracle Advanced Security can transparently encrypt all application data or specific sensitive-data columns, such as credit card numbers or personally identifiable information. With Oracle Advanced Security, data can be encrypted at rest in the database and when it leaves the database over the network or via backups and exports.

Oracle Transparent Data Encryption works as described at Dress Barn. “The Oracle product has truly lived up to its name—it is truly transparent data encryption,” Lebron says. “It was just a matter of getting the license keys and installing it. Within a matter of a few hours, the basic components were running and available, and we didn’t notice any performance impact. The key-management features are built into the product, so we also didn’t have to worry about any other third-party tools to manage the keys.”

Next Steps LEARN more about Oracle Database security solutions READ more about Oracle Advanced Security and Oracle Database Vault oracle.com/database/advanced-security oracle.com/database/database-vault DOWNLOAD Oracle Database 11g

Dress Barn’s tokenization approach and use of Oracle Transparent Data Encryption was cost effective. “If we didn’t go the tokenization route, we would have had to employ a number of encryption technologies. So we were able to save the company quite a bit of money,” says Lebron.

In addition to saving money, this approach paid off with Dress Barn’s auditors. “Our policies and procedures have exceeded the requirements for either PCI or Sarbanes-Oxley compliance,” Lebron concludes.