T Srinivasan, vice president-Sales, Oracle India, speaks about the need for IT security investments and explains what Oracle Database Vault has to offer in this space.
How are organisations viewing security in IT and what are some of the reasons for them to invest in new security technologies?
There are two macro issues driving security requirements for IT organisations today:
- How to protect against the ‘insider threat’ — attack from within an organisation by rogue individuals with privileges, who are thought to be trustworthy, but prove otherwise,
- The need to put in place controls to address compliance requirements like Sarbanes-Oxley, PCI, HIPAA, Gramm-Leach-Bliley, the Japanese Privacy Act, Basel II, etc., resulting from a deluge of privacy and corporate governance regulations.
How can Oracle Database Vault enhance security?
Regulations such as Sarbanes-Oxley (SOX), the Health Insurance Portability and Accountability Act (HIPAA), Basel II, and PCI have common themes that include internal controls, separation of duty and strong access controls to sensitive information. While many requirements found in regulations such as SOX and HIPAA are procedural in nature, technical solutions are required to mitigate the risks associated with issues such as unauthorised modification of data and unauthorised access.
Oracle Database Vault is a database security solution for addressing regulatory requirements and reducing the risk of insider threats. Oracle Database Vault protects application data from DBA access, enforces real-time preventive controls on database structures from unauthorised change, and sets a variety of access controls to implement dynamic security norms. These features help to adhere to standards for separation of duties, regulatory compliance, and internal control. One can use Oracle Database Vault on standalone Oracle Database installations as well as in Oracle Real Application Cluster environments.
Oracle Database Vault uses a number of technical, real-time controls to achieve these protections. These include:
- Realms - Prevent highly privileged users from accessing application data
- Command Rules - Enforce operational policies based on IT Security and internal or external auditor recommendations
- Multi-Factor Authorisation - Create trusted paths to data, defining the who, when, where and how of data access and determining how applications, data and databases are handled
- Separation of Duty - Control administrative actions within the database to prevent actions that may violate regulations and best practices
- Reports - Run security-related reports on attempted realm violations and other Database Vault enforcement controls
How can this technology help detect the insider threat?
While problems such as the insider threat are certainly not new, the concern over unauthorised access to sensitive information has never been greater. The cost of data theft both from a financial and public relations standpoint can be significant. At the same time, remaining competitive in a global economy requires the flexibility to deploy IT systems in a cost-effective manner while still adhering to industry best practices and regulatory mandates.
Modifying existing applications can be a time-consuming and costly exercise. As a result, new security products must protect transparently, without any modification to existing applications. Oracle Database Vault provides a transparent solution for mitigating the risk of insider threats and complying with regulatory requirements.
Database Vault addresses the ‘insider threat’ by enabling controls on how databases, applications and data are accessed. In addition, Database Vault enables additional protection against power users in the database such as those with super-privileges (DBAs). Database Vault places restrictions on what data these users can access using a security feature called a realm. Database Vault also provides command rules and multi-factor authorisation to control when, how, and where databases, applications and data are accessed.
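The realm, command rule and multi-factor authorisation controls described in the two answers above, shown as an added PL/SQL example that is not part of the interview or of Oracle's own documentation. It assumes a hypothetical HR application schema, an application account HR_APP, a constructed application-server address 192.0.2.10, and that it is run by an account holding the Database Vault owner role.

```sql
-- Added example; run as a Database Vault owner account. Schema, account and
-- address names are hypothetical.
-- 1. Realm: fence the HR schema so that DBA-level privileges do not reach its tables.
BEGIN
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'HR Application Realm',
    description   => 'Protects HR tables from privileged (DBA) access',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);  -- record blocked attempts
  -- Every table in HR is covered ('%' is the object-name wildcard)
  DBMS_MACADM.ADD_OBJECT_TO_REALM('HR Application Realm', 'HR', '%', 'TABLE');
  -- Only the application account is authorised; the DBA is deliberately absent
  DBMS_MACADM.ADD_AUTH_TO_REALM('HR Application Realm', 'HR_APP', NULL,
                                DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);
END;
/
-- 2. Multi-factor rule set: the "where" and "when" factors of a trusted path.
BEGIN
  DBMS_MACADM.CREATE_RULE('From App Server',
    q'[SYS_CONTEXT('USERENV','IP_ADDRESS') = '192.0.2.10']');   -- constructed address
  DBMS_MACADM.CREATE_RULE('Business Hours',
    q'[TO_NUMBER(TO_CHAR(SYSDATE,'HH24')) BETWEEN 8 AND 18]');
  DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'Trusted HR Path',
    description     => 'Application host during business hours',
    enabled         => DBMS_MACUTL.G_YES,
    eval_options    => DBMS_MACUTL.G_RULESET_EVAL_ALL,    -- all rules must hold
    audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
    fail_options    => DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => 'HR tables may only be altered from the app host in business hours',
    fail_code       => -20001,
    handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);
  DBMS_MACADM.ADD_RULE_TO_RULE_SET('Trusted HR Path', 'From App Server');
  DBMS_MACADM.ADD_RULE_TO_RULE_SET('Trusted HR Path', 'Business Hours');
  -- 3. Command rule: structural changes to HR tables are allowed only along that path
  DBMS_MACADM.CREATE_COMMAND_RULE(
    command       => 'ALTER TABLE',
    rule_set_name => 'Trusted HR Path',
    object_owner  => 'HR',
    object_name   => '%',
    enabled       => DBMS_MACUTL.G_YES);
END;
/
```

After this, a SELECT on an HR table by a user with SELECT ANY TABLE fails with a realm violation that is written to the audit trail, and an ALTER TABLE on HR from any other host or outside 8:00-18:00 is rejected with the configured message.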
How does Database Vault help address customer compliance requirements?
Database Vault can be used by organisations as a preventive control. In other words, organisations can configure Database Vault to prevent users with super-privileges (DBAs) from accessing application data. By instituting a control in this manner, an organisation can demonstrate compliance with specific regulations that require separation of duties among individuals accessing a system.
This requirement is common across a number of regulations and is specifically called out in Section 404 of Sarbanes-Oxley. Payment Card Industry regulations such as PCI Requirement 7 call for restricting access to cardholder data by business need-to-know. This can be enforced with Oracle Database Vault.
Additionally, Oracle Database Vault ships with a set of pre-defined reports that show who is accessing what data and under what conditions. These reports offer a means by which organisations can demonstrate proof of compliance.
How is this valuable for SMBs, financial institutions and government agencies?
Such technologies are valuable to every organisation, irrespective of their industry, size and nature of business. More and more organisations including government departments are outsourcing their IT operations to third-party service organisations and they need to have control over their strategic information assets.
In financial institutions like banks, Database Vault can protect sensitive customer information and monetary transactions. In governments, it can help to protect information like citizen identities, passport data, PAN card data etc. With the evolution of the global marketplace and with Indian companies serving as component suppliers or outsourced partners or businesses associated with larger corporations within or outside the country, it has become mandatory for them to meet the necessary compliance and regulatory requirements to function smoothly.
Are other Oracle Database Security Options included in Oracle Database Vault?
Both Oracle Label Security and Oracle Advanced Security can be used with Oracle Database Vault, but are licensed separately. Oracle Label Security provides the ability to turn on security clearances inside the Oracle Database and enforce multi-level security. Oracle Advanced Security provides encryption of network traffic, strong authentication and Transparent Data Encryption. Transparent Data Encryption provides management and encryption transparency to applications, protecting personally identifiable information (PII) on disk and backup tape.
Is Oracle Database Vault available now and what platforms is it available for?
Yes. Oracle Database Vault is available today and is downloadable from the Oracle Technology Network portal on our website. It is currently available for a number of platforms including Linux x86 (32-bit), Solaris Operating System (SPARC) (64-bit), HP-UX, AIX, and MS Windows.