Enterprise Systems | Improving Oracle Security

Improving Oracle Security
Logical Apps offers granular security for Oracle databases

by Mathew Schwartz

Logical Apps in Irvine, Calif., released AppsRules 4.0, a rules-driven, metadata-based engine that adds a separate, customizable security layer to Oracle databases. The engine can filter the records a given user can see, audit all access and changes, and maintain a complete change history. In other words, organizations can selectively restrict access to database information and keep an eye on who changes it.

Normally, when organizations want to restrict access to sensitive information in enterprise databases (perhaps by role or department, or to prevent users from updating or overwriting data), they have to custom-code the changes. Customizations can be time-intensive and costly, and when the database gets upgraded they frequently break, so the work has to be redone, assuming IT has the resources to do it.

Restricting access is becoming more of a mantra in the aftermath of Enron and related scandals. Legislation is driving companies to create, and document, better security controls.

Oracle’s built-in security, however, is too coarse for many organizations. “The whole fault with Oracle is it’s inflexible out of the box,” says Hollis Bischoff, vice president, Technology Research Services for consultancy Meta Group. “[It’s] one size fits none. It really is the lowest common denominator, and most companies don’t run themselves as the lowest common denominator.”

In other words, Oracle applications “give you the base functionality, or they lock you down to functionality, and what a process like this does is open up locked-down processes and put boundaries around wide open processes.”

Organizations need to give different people inside and outside the company different levels of access. A project planner, for example, needs to see lead times, but for data integrity reasons shouldn’t be able to alter delivery dates. Likewise, business partners need to see parts availability, but suppliers don’t want to reveal the item’s actual cost, just its retail price. Unfortunately, in many Oracle modules security is all or nothing.

As a result, “Organizations are forced to do system surgery—go into the application and reverse-engineer it to alter it,” says Chris Capdevila, founder and CEO of Logical Apps. That surgery faces two challenges: often there’s no lasting record of what was done, and changes frequently break when the underlying application or database gets upgraded.

That was the dilemma faced by Cymer Inc., a semiconductor equipment manufacturer in San Diego, Calif., which wanted to upgrade its three-and-a-half-year-old Oracle 11i implementation from 11.5.6 to 11.5.8 last summer, with one stipulation: security and business-rule customizations shouldn’t break from upgrade to upgrade. After evaluating business process engines, Cymer chose AppsRules about eight months ago.

Cymer’s previous code customization process was laborious: developers spent lots of time writing, testing, then taking the SQL code live. “Once it's there, you lose visibility of it, because now it's a compiled library, and without the right tools, you're not able to see it,” notes Jeff Wolf, a Cymer business analyst.

In comparison, AppsRules let Cymer separate business logic from application code. Wolf says it installed without difficulty, and adding new rules now takes little time. “We put in a new rule last week. From inception to production-ready was about a half an hour, and it was very simple.” Before, it could take a day for developers to code, test, and migrate the changes, once they had time to tackle the project. Now users with some knowledge of Oracle basics, who don’t have to be experienced programmers, can make the changes instead. “The gist of it is, it's something that our business analysis group can maintain, rather than going through a developer cycle.”

The engine is also self-documenting, says Wolf. “I gain the visibility, I know what's been done—I can look at all the rules on one screen.” Cymer uses it for instances where “even though you might want something visible, you might not want it updateable, and this will apply to a field, or individual groups of fields. That functionality is not available in Oracle out of the box.” For example, customer service representatives can see a customer’s credit limit, but they cannot change it, and they cannot see anything more sensitive.
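The controls Wolf describes map onto mechanisms the Oracle database itself ships (column-level grants, triggers, Virtual Private Database row policies and fine-grained auditing); the article's point is that maintaining them by hand is exactly the custom code that breaks on upgrade. What follows is an added example, not AppsRules code and not anything from Logical Apps or Cymer, showing in plain Oracle SQL and PL/SQL the requirements raised above: a CSR sees the credit limit but cannot update it, every change to the limit is journaled, each user sees only the accounts of their own plant, and reads of the limit are audited. The schema APP, the tables, the role, the user CSR_SANDIEGO and the sample rows are all constructed for the example.

```sql
-- Added example, not AppsRules code. Schema APP, all object names, the user
-- CSR_SANDIEGO and the rows below are constructed for illustration.
-- Run as APP (needs EXECUTE on DBMS_RLS and DBMS_FGA).

-- 1. Sample data
CREATE TABLE customers (
  customer_id  NUMBER        PRIMARY KEY,
  name         VARCHAR2(100) NOT NULL,
  phone        VARCHAR2(30),
  plant_code   VARCHAR2(10)  NOT NULL,   -- plant that owns the account
  credit_limit NUMBER(12,2)  NOT NULL    -- visible to CSRs, not updatable
);
INSERT INTO customers VALUES (1, 'Acme Optics', '555-0100', 'SD', 50000);
INSERT INTO customers VALUES (2, 'Beta Lasers', '555-0101', 'NL', 20000);

-- Which plants each database user may see
CREATE TABLE user_plants (username VARCHAR2(128), plant_code VARCHAR2(10));
INSERT INTO user_plants VALUES ('CSR_SANDIEGO', 'SD');
COMMIT;

-- 2. Field visible but not updatable: a column-level UPDATE grant
CREATE ROLE csr_role;
GRANT SELECT ON customers TO csr_role;
GRANT SELECT ON user_plants TO csr_role;               -- read by the VPD predicate
GRANT UPDATE (name, phone) ON customers TO csr_role;   -- credit_limit deliberately omitted
GRANT csr_role TO csr_sandiego;                        -- user assumed to exist

-- 3. Complete change history of the sensitive field: a journaling trigger
CREATE TABLE customers_hist (
  hist_id      NUMBER        PRIMARY KEY,
  customer_id  NUMBER        NOT NULL,
  old_limit    NUMBER(12,2),
  new_limit    NUMBER(12,2),
  changed_by   VARCHAR2(128) NOT NULL,
  changed_at   TIMESTAMP     NOT NULL
);
CREATE SEQUENCE customers_hist_seq;

CREATE OR REPLACE TRIGGER customers_limit_jrnl
  AFTER UPDATE OF credit_limit ON customers
  FOR EACH ROW
BEGIN
  INSERT INTO customers_hist
    (hist_id, customer_id, old_limit, new_limit, changed_by, changed_at)
  VALUES
    (customers_hist_seq.NEXTVAL, :OLD.customer_id, :OLD.credit_limit,
     :NEW.credit_limit, SYS_CONTEXT('USERENV', 'SESSION_USER'), SYSTIMESTAMP);
END;
/

-- 4. Filter the rows a user can see: a Virtual Private Database policy.
-- Oracle appends the returned predicate to every SELECT/UPDATE/DELETE on CUSTOMERS.
CREATE OR REPLACE FUNCTION customers_plant_predicate
  (p_schema IN VARCHAR2, p_object IN VARCHAR2) RETURN VARCHAR2
IS
BEGIN
  -- The schema owner is exempted here; other users are limited to their plants.
  IF SYS_CONTEXT('USERENV', 'SESSION_USER') = 'APP' THEN
    RETURN '1=1';
  END IF;
  RETURN 'plant_code IN (SELECT plant_code FROM app.user_plants '
      || 'WHERE username = SYS_CONTEXT(''USERENV'', ''SESSION_USER''))';
END;
/
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'APP',
    object_name     => 'CUSTOMERS',
    policy_name     => 'CUSTOMERS_BY_PLANT',
    function_schema => 'APP',
    policy_function => 'CUSTOMERS_PLANT_PREDICATE',
    statement_types => 'SELECT,UPDATE,DELETE');
END;
/

-- 5. Audit reads of the sensitive field: fine-grained auditing.
-- Every SELECT that touches CREDIT_LIMIT lands in DBA_FGA_AUDIT_TRAIL with
-- the user, timestamp and SQL text.
BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema   => 'APP',
    object_name     => 'CUSTOMERS',
    policy_name     => 'CUSTOMERS_LIMIT_READ',
    audit_column    => 'CREDIT_LIMIT',
    statement_types => 'SELECT');
END;
/

-- 6. What CSR_SANDIEGO sees after connecting: only the SD plant, limit read-only
SELECT customer_id, name, credit_limit FROM app.customers;           -- 1 row: Acme Optics
UPDATE app.customers SET phone = '555-0199'  WHERE customer_id = 1;  -- allowed
UPDATE app.customers SET credit_limit = 9999 WHERE customer_id = 1;  -- ORA-01031: insufficient privileges
```

The column-level grant is what does the visible-but-not-updatable work: a CSR's UPDATE of credit_limit is rejected with ORA-01031 before the trigger ever fires, so the history table only ever records changes by users who actually hold the privilege. Because DBMS_RLS attaches the predicate to the table rather than to a form or report, it applies no matter which screen or tool issues the query. Exempting the owner inside the predicate function is a design choice made for the example; sites that prefer to keep the function ignorant of user names grant EXEMPT ACCESS POLICY to the administrative account instead.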

AppsRules competes with other business process management tools that allow companies to specify business rules in their applications. The notable difference with Logical Apps, says Meta’s Bischoff, is that it will run with Oracle—and only Oracle—out of the box. Other tools can work with multiple applications, but then “you need to add code to stripe it for Oracle.” As a result, “I would say this is more aimed toward folks who are later adopters, because early adopters did custom code.” Logical Apps says it will expand beyond Oracle in the future.

Could such tools, rather than custom code, also help organizations better document their security controls in accordance with the Sarbanes-Oxley Act of 2002? Bischoff says, “Absolutely, because a lot of these modeling tools are self-notational.” Creating a new rule in these tools produces a recoverable record of the process, which custom coding does not.

3/4/2005