Oracle Database 10g Update Tackles Security, Compliance

 
 
By Lisa Vaas  |  Posted 2005-09-22 Email Print this article Print
 
 
 
 
 
 
 

Q&A: Oracle Senior Vice President of Server Technologies Andy Mendelsohn says new security features in Oracle Database 10g R2 will help with compliance and prevent headaches from application changes.

SAN FRANCISCO—Everybodys taking the heat on security. Regulations require that databases be audited, while data encryption too often means a drag on performance and multiple migraines induced by application changes. Oracle Corp., for one, has been tackling these issues in the database server. Evidence of its work was on display at Oracle OpenWorld this week in San Francisco, as the company demoed the second release of its flagship database, Oracle 10g.
Specifically, in R2, Oracle is delivering Transparent Data Encryption, a data lock-down that requires no application modification. R2 also delivers Oracle Secure Backup, a backup-to-tape product that encrypts entire backups, thus foiling the bad guys who swipe tapes off of FedEx trucks.
These are just some of the big features in R2 that eWEEK.com News Editor Lisa Vaas got to go over with Oracle Senior Vice President of Server Technologies Andy Mendelsohn when the two sat down at OpenWorld. Whats driving the need for encryption?
Compliance, and [regulations such as] SarbOx [Sarbanes-Oxley Act] are driving a lot of this as well. Whats the coolest new security feature in R2? Transparent Data Encryption. Security at this point, its very topical: Theres been a lot of news about people stealing identity, about tapes disappearing off FedEx trucks. But weve got encryption. What new security techniques is Oracle bringing to the table? In the past youve had strong security. You couldnt see the credit card data unless you were authorized to see that. But even within a credit card organization, a hacker, say a privileged DBA [database administrator], can go in and swipe his ID card and access credit card data. In R2 weve added a few things to deal with the problem. Weve got Oracle Secure Backup, a backup-to-tape product. Its key feature is when you back up and move data to a tape, it can encrypt the whole backup for you. So when the tape is stolen off the back of the truck, who cares? Nobody can read the data. Entire tape backup is a heavy-handed solution. What else have you got for dealing with inside jobs? You need a finer-grained instrument. You need to encrypt data before its on disk. The barrier to doing that in the past has been if you do that and just encrypt credit card data, you have to change the application. If youre using a packaged application, you cant easily go in and encrypt information like that. Even if you own the application, its expensive. Developers have to start [lengthy] projects and change the code. Click here to read more about Oracles security challenges. So in R2 we have Transparent Data Encryption. With a single line, a DBA can say, Change this table so the credit card data is encrypted. So the application still sees the credit card data. When we pull the data off the disk, we decrypt it and hand it back to the program. Coupled with the secure backup product coming out, we have a complete solution to encrypt on tape and on disk. What in R2 will help people deal with SarbOx requirements? Data centers now have to be careful who has access to data. They have to document processes, etc. Theyre very interested in separation of privilege. In a big Oracle system, there are often multiple applications running on a single system: HR, financials, payroll, all on the same system. Its a common setup with how people run [Oracles] E-Business Suite or PeopleSoft, for example. They usually want an administrator to administrate one of those systems. The problem is that with security on Oracle, if you want to grant an administrator powerful privilege to manage lots of information on the system, the easiest way to do that is to give them the ability to access all the information on the system. But you dont want that. Next Page: Rolling up databases for the auditor.


 
 
 
 
Lisa Vaas is News Editor/Operations for eWEEK.com and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on eWEEK.com, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.
 
 
 
 
 
 
 

Submit a Comment

Loading Comments...

 
Manage your Newsletters: Login   Register My Newsletters























 
 
 
 
 
 
 
 
 
 
 
Rocket Fuel