Protecting enterprise networks from corporate intellectual property theft
When it comes to security threats and cyber attacks, issues such as Website defacement pale in comparison to the new target of malicious groups: intellectual property.
“The real money these days is in intellectual property theft,” says Mary Ann Davidson, chief security officer at Oracle. “It’s industrial espionage. When you read news accounts of corporate systems breaches, it’s not all things like credit card information. People are walking off with major trade secrets worth millions of dollars. After all, why put the capital into inventing or designing something if you can steal that information?”
With the stakes so high, the security of enterprise systems is a top priority in the boardroom, not just the IT department. Safeguarding data requires a layered approach, including a detailed evaluation of how thoroughly protection is embedded within IT’s foundation—the infrastructure. “How do people typically break security?” asks Davidson. “Not through the front door—they find a hole in the foundation and tunnel through.”
In order to build that intrusion-proof foundation, business leaders need to bring the security discussion to the earliest phases of technology evaluation by requiring that infrastructural components are developed securely, and that the vendors supplying these components have strong security practices. “Your vendors’ security assurance practices can impact corporate security, so you need to look at the security assurance methodologies in use,” says Davidson.
Davidson and her group design and deliver the practices that give bite to Oracle Software Security Assurance methodology, and she strongly emphasizes the need to make security an integral part of the design process of technology products. “With a company as big as Oracle, we need to make sure that people have tools and techniques embedded into the process—we can’t be looking over their shoulders as they code,” says Davidson.
Davidson says there are several factors that indicate a strong commitment to security by technology vendors. For example, companies should look for vendors with a mature development model and built-in, consistent, and measurable compliance practices. “They need to demonstrate that they comply with the widely accepted norms in the industry throughout their development and product lifecycles,” she says. Moreover, vendors must have strong vulnerability handling, disclosure, and remediation policies. “These policies need to effectively balance the need to preserve the security posture of customers versus their security operation costs,” says Davidson.
Oracle has security leads with supporting teams within the development group of each technology component. “They are the go-to person with that group for security, and they create a community around that within the group,” says Davidson. Her group also requires that developers use automated tools that look for exploitable security vulnerabilities during the development process. Finally, her group holds every line of business accountable for adherence to the assurance process. “We actually score every line of business according to how they do against our required assurance practices, so their performance is very clearly measured,” says Davidson.
Another aspect to look for is how secure products are by default—in other words, how secure is the product out of the box? Can the product be easily configured for stronger security beyond that default position? “You want highly configurable software, but as a customer, you should expect that there are certain things that will work securely right out of the box,” says Davidson. “You don’t want to have to tweak things across 50 servers to make it secure.”
Proof of Oracle’s commitment to security can be found in its compliance with ISO/IEC 15408—the Common Criteria, an international standard that validates software security. “Customers have a right to know that their vendors take this seriously and have internal practices that they can validate,” says Davidson. “You want them to be able to prove that they don’t ship products with holes big enough to slip a cruise ship through.”
And as a company that uses these same products to protect its own intellectual property, Oracle has more than just its reputation on the line. “At Oracle, we can say that we treat your secrets like they are ours, because we are running the same software,” says Davidson. “If we do a bad job with security, we put our own company at risk.”