Oracle Database 10g Update Tackles Security, Compliance

Q&A: Oracle Senior Vice President of Server Technologies Andy Mendelsohn says new security features in Oracle Database 10g R2 will help with compliance and prevent headaches from application changes.

/zimages/6/114596.jpgSAN FRANCISCO—Everybodys taking the heat on security.

Regulations require that databases be audited, while data encryption too often means a drag on performance and multiple migraines induced by application changes.

Oracle Corp., for one, has been tackling these issues in the database server. Evidence of its work was on display at Oracle OpenWorld this week in San Francisco, as the company demoed the second release of its flagship database, Oracle 10g.

Specifically, in R2, Oracle is delivering Transparent Data Encryption, a data lock-down that requires no application modification. R2 also delivers Oracle Secure Backup, a backup-to-tape product that encrypts entire backups, thus foiling the bad guys who swipe tapes off of FedEx trucks.

These are just some of the big features in R2 that eWEEK.com News Editor Lisa Vaas got to go over with Oracle Senior Vice President of Server Technologies Andy Mendelsohn when the two sat down at OpenWorld.

Whats driving the need for encryption?

Compliance, and [regulations such as] SarbOx [Sarbanes-Oxley Act] are driving a lot of this as well.

Whats the coolest new security feature in R2?

Transparent Data Encryption. Security at this point, its very topical: Theres been a lot of news about people stealing identity, about tapes disappearing off FedEx trucks.

But weve got encryption. What new security techniques is Oracle bringing to the table?

In the past youve had strong security. You couldnt see the credit card data unless you were authorized to see that. But even within a credit card organization, a hacker, say a privileged DBA [database administrator], can go in and swipe his ID card and access credit card data.

In R2 weve added a few things to deal with the problem. Weve got Oracle Secure Backup, a backup-to-tape product.

Its key feature is when you back up and move data to a tape, it can encrypt the whole backup for you. So when the tape is stolen off the back of the truck, who cares? Nobody can read the data.

Entire tape backup is a heavy-handed solution. What else have you got for dealing with inside jobs?

You need a finer-grained instrument. You need to encrypt data before its on disk.

The barrier to doing that in the past has been if you do that and just encrypt credit card data, you have to change the application. If youre using a packaged application, you cant easily go in and encrypt information like that.

Even if you own the application, its expensive. Developers have to start [lengthy] projects and change the code.

/zimages/6/28571.gifClick here to read more about Oracles security challenges.

So in R2 we have Transparent Data Encryption. With a single line, a DBA can say, Change this table so the credit card data is encrypted.

So the application still sees the credit card data. When we pull the data off the disk, we decrypt it and hand it back to the program.

Coupled with the secure backup product coming out, we have a complete solution to encrypt on tape and on disk.

What in R2 will help people deal with SarbOx requirements?

Data centers now have to be careful who has access to data. They have to document processes, etc.

Theyre very interested in separation of privilege. In a big Oracle system, there are often multiple applications running on a single system: HR, financials, payroll, all on the same system. Its a common setup with how people run [Oracles] E-Business Suite or PeopleSoft, for example.

They usually want an administrator to administrate one of those systems. The problem is that with security on Oracle, if you want to grant an administrator powerful privilege to manage lots of information on the system, the easiest way to do that is to give them the ability to access all the information on the system. But you dont want that.

Next Page: Rolling up databases for the auditor.