Security,
Forensics, and Privacy in the Database
The main marketing theme for Oracle9i was
unbreakable, specifically with a heavy focus on security. Even with that marketing hoopla, however, only a
few industry segments cared much about the security aspect -- namely some of the ones that
always care about security, such as national defense.
Outside of those industries, it seems that security is not a major competitive
issue, and advanced security features get little use.
Thats a pity, because theres a lot of
substance to go with the marketing hype. Oracle offers value-based security in
applications (Virtual Private Database), pre-built tools to administer this security
outside the application (Oracle Label Security), and forensic tools to monitor suspicious
activity or analyze it after the fact (SelectiveAudit). Oracles
major competitors lack some of these features, but at least provide the framework on which
similar capabilities could be built.
DBMS-based security could, if more widely used, provide
considerable benefits. If nothing else, a
large fraction of all OLTP applications need built-in security, and its easier to
provide this through the databases security features than it is to code it from
scratch. Also, internet and intranet document search could in many cases be much upgraded if highly
sensitive documents were eligible to be included alongside less sensitive ones. While leading specialty search engines offer
flexible document-level security features of their own, DBMS-based security could offer
extra real and perceived security, permitting some more such applications to get off the
ground.
Even more important are privacy-specific uses, in both
health care and homeland security applications. There
are life-and-death treatment reasons to integrate the entire history of a persons
medical care. And homeland security could
benefit greatly if, for example, all of a persons credit card transactions were
tracked together. Neither of these data
integration efforts will -- or should! -- be completed without radical upgrades to privacy
safeguards, legal and technical alike. DBMS-based
security is a huge and hugely necessary component of the technical solution.
Its difficult to judge what exactly how much to
invest in security. But if tools make it
relatively easy to add extra levels of security without inconveniencing end-users
then in a whole lot of cases its a good idea to use them.
For more information, please contact Curt Monash or Linda Barlow.
To reach Monash
Information Services by phone, please call 978-266-1815.
Copyright 1996-2003, Monash Information Services. All
rights reserved.
Updated: 05/10/04 |