The Oracle Australia and New Zealand Middleware and Technology Blog.

Friday, August 29, 2008

Can IT beat the clumsy human pt1


One of the greatest challenges is securing data, and for some reason data about people is the hardest of all. It’s almost as if personal data morphs into the people it represents and wants to break free of the constraints placed upon it within the database and applications. When you look at how many ways data can escape those constraints, you have to wonder whether it is possible to stop humans from assisting in data breaches at all.

So let’s have a quick look at what can go wrong:

“Export” could be the greatest contributor to data breaches ever. How many people use this luxurious command to get data into Excel so they can massage it with pivot tables? The clumsy human is a simple being, so the resulting files are named things like “first half year forecasts” or “details of registered guests”. Once the data has been exported from the confines of a structured data store and let loose in the unstructured world, none of the database’s access controls travel with it, and there is little that can be done.

“Web 2.0”: have you noticed how easy it is these days to share files across the internet via social networking sites, cloud computing, software as a service, online storage, instant messaging etc.? Indeed, except for Twitter, almost every other Web 2.0 technology is a haven for moving data. For the clumsy human it’s all too easy to store data somewhere in the cloud for convenience and backup assurance.

“eBay” unfortunately shows up these clumsy humans like nothing else. Only last week it was revealed that a poor, and I suspect now unemployed, individual sold a work PC via eBay that still contained private customer data. Regardless of what processes are in place, the clumsy human needs to follow them, and simply deleting the files does not count: a deleted file is only unlinked, and its contents stay on the disk until something overwrites them. Do we insist that all devices with a hard disk be destroyed via some huge cheese grater when decommissioned? Probably.

“Smartphones” are again a great leveller when it comes to corporate security. Almost everyone has a phone with at least 256MB of storage. That seems small these days, but 100MB can hold several volumes of an encyclopaedia, or thousands of contact details. With email synchronisation now commonplace, the whole mailbox lives in a pocket, and again the clumsy human doesn’t have a chance.

See part 2 of the clumsy human for some recommendations.

Can IT beat the clumsy human pt2


So how do we stop this pesky private information from escaping? With rose-coloured glasses on you could solve this with business process, education and the ubiquitous “correct usage of IT assets” contract.

The chance that everyone will fall in line is of course farcical. People inherently look for shortcuts, forget things and just make mistakes. I am sure the person who sold the PC on eBay thought they had deleted the files. Data privacy software is very advanced, and the industry has answers for most of these problems.

If data is stored in a database, there is no excuse not to have it locked down.


Data can be masked automatically as it is copied out of the original tables, and the same data can be encrypted on disk, on tape and all the way up to the presentation layer. If the data has to leave the database, users can wrap security around the data file (an Excel spreadsheet, for instance) and set rules around who can open the document and how long it can live. These technologies can all be referred to as preventative controls. Additional preventative controls around the database can classify data so that only roles or individuals with a matching classification level can view it. If the term classification sounds like something Jason Bourne would have to deal with, you’re correct: most of the database security solutions have been tried and tested with various security organisations around the world.
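As an added example (not code from the original post or from any Oracle product), here is what the masking step in the paragraph above looks like when written out, applied to the “Export” case from part 1: each column carries a classification, the export job applies the matching rule as the rows leave the database, and a final scan checks the extract for anything that still looks like a live card number. The column names, the masking key and the sample rows are constructed for the example; the card numbers are the card schemes’ published test numbers.

```python
"""Mask personal data on its way out of the database, then check the extract.

Added example, not code from the original post or from any Oracle product.
The column classification, the masking key and the sample rows are all
constructed for illustration; the card numbers are scheme test PANs.
"""
import csv
import hashlib
import hmac
import io
import re

# Secret held by the export job and never written into the extract. Constructed.
TOKEN_KEY = b"example-export-key-rotate-me"


def tokenise(value: str) -> str:
    """Keyed, one-way but consistent token. The same customer_id always maps to
    the same token, so masked extracts still join on the column, yet nobody
    without TOKEN_KEY can reverse it or precompute a table of likely values."""
    return hmac.new(TOKEN_KEY, value.encode(), hashlib.sha256).hexdigest()[:16]


def mask_pan(pan: str) -> str:
    """Keep only the last four digits, the most a receipt is allowed to show."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:] if len(digits) >= 4 else "****"


def mask_email(email: str) -> str:
    local, _, domain = email.partition("@")
    return local[:1] + "***@" + domain if local and domain else "***"


def redact(_value: str) -> str:
    return "[REDACTED]"


# The classification: which rule applies to which column. Anything not listed
# is treated as non-sensitive and passes through unchanged.
MASKING_RULES = {
    "customer_id": tokenise,
    "card_number": mask_pan,
    "email": mask_email,
    "date_of_birth": redact,
}


def mask_rows(rows, rules=MASKING_RULES):
    """Apply the classified rule to each column of each row."""
    return [{col: rules.get(col, lambda v: v)(val) for col, val in row.items()}
            for row in rows]


def export_csv(rows) -> str:
    """What the 'Export' button produces: a flat CSV with no access control."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0].keys()))
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test used by all the major card schemes."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


# 13 to 19 digits, optionally separated by spaces or dashes, not glued to other digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def find_unmasked_pans(text: str) -> list:
    """Scan an extract for anything that still looks like a live card number.
    The Luhn pass keeps most invoice numbers and phone numbers from tripping it;
    a hit means the masking rules missed a column."""
    hits = []
    for match in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(match.group().strip())
    return hits


SAMPLE_ROWS = [  # constructed rows; PANs are scheme test numbers, not real cards
    {"customer_id": "C-1001", "email": "alice@example.com",
     "card_number": "4111 1111 1111 1111", "date_of_birth": "1970-01-01", "region": "VIC"},
    {"customer_id": "C-1002", "email": "bob.k@example.org",
     "card_number": "5500000000000004", "date_of_birth": "1982-06-30", "region": "NSW"},
]

if __name__ == "__main__":
    print("raw extract leaks", len(find_unmasked_pans(export_csv(SAMPLE_ROWS))), "card numbers")
    masked = export_csv(mask_rows(SAMPLE_ROWS))
    print(masked)
    print("masked extract leaks", len(find_unmasked_pans(masked)), "card numbers")
```

The keyed token is the part worth copying: a plain hash of a customer id can be reversed by hashing every plausible id, whereas the HMAC needs the export job’s key. The Luhn scan is a cheap detective control to run over any extract before it leaves; it will not catch a number split across cells, so it complements the masking rules rather than replacing them.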


Identity Management (IDM) also offers a number of elegant ways to protect this data. In my experience most organisations have a reasonable handle on getting a new employee into a role and provisioning him or her with the relevant access entitlements so they can work. What I see, however, is poor practice around de-provisioning users, that is removing access once the person leaves or even transfers to another role in the organisation. The end result is that most organisations have more accounts accessing systems than people on the payroll, because removing entitlements is a lower priority and is typically resource intensive. This issue is referred to as orphan accounts, and these orphan accounts represent a huge security risk too. Many stories exist of former employees accessing data after leaving an organisation; at privacyrights.org you can see numerous examples. Running “who has access to what?” reporting may seem mundane, but it’s essential. IDM can automate this by matching HR or payroll records (the authoritative list of who should exist) against each IT system’s user database, so that an account with no active owner stands out. See HR here for an article on how this works.
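An added example of the HR-to-system matching just described, written for this page rather than taken from the post or from Oracle Identity Manager: the HR extract, the role model and the account lists are constructed inline, and the three reports are the ones a reviewer actually wants, orphan accounts (no active owner, with logins after the leaving date called out), entitlements left over from a previous role, and the plain “who has access to what” listing.

```python
"""Reconcile each system's user list against the HR roster to find orphans.

Added example, not code from the original post or from any Oracle IDM product.
The HR records, the role model and the account extracts are constructed inline;
in practice they come from the payroll extract and each system's user table.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Employee:
    emp_id: str
    status: str                     # "active" or "terminated"
    role: str                       # current role, after any transfer
    end_date: Optional[date] = None


@dataclass(frozen=True)
class Account:
    system: str
    username: str
    owner_emp_id: Optional[str]     # None when the account was never tied to a person
    entitlements: FrozenSet[str]
    last_login: Optional[date]


# What each role is entitled to hold. Anything beyond this is a leftover.
ROLE_ENTITLEMENTS = {
    "finance_analyst": {"GL_READ", "AP_READ"},
    "payroll_admin": {"PAYROLL_WRITE", "HR_READ"},
    "service_desk": {"TICKETS_WRITE"},
}

# Constructed HR extract: E101 left at the end of July, E102 moved from payroll to the service desk.
HR = [
    Employee("E100", "active", "finance_analyst"),
    Employee("E101", "terminated", "payroll_admin", date(2008, 7, 31)),
    Employee("E102", "active", "service_desk"),
]

# Constructed account extracts from two systems.
ACCOUNTS = [
    Account("erp", "jsmith", "E100", frozenset({"GL_READ", "AP_READ"}), date(2008, 8, 20)),
    Account("erp", "pjones", "E101", frozenset({"PAYROLL_WRITE", "HR_READ"}), date(2008, 8, 15)),
    Account("erp", "alee", "E102", frozenset({"PAYROLL_WRITE", "HR_READ", "TICKETS_WRITE"}), date(2008, 8, 21)),
    Account("erp", "svc_report", None, frozenset({"GL_READ"}), None),
    Account("crm", "pjones", "E101", frozenset({"CRM_ADMIN"}), date(2008, 8, 22)),
]


def find_orphans(hr, accounts) -> List[Tuple[str, str, str]]:
    """Accounts with no active owner in HR, as (system, username, reason).
    A login after the owner's end date is called out separately: that is the
    'ex-employee still accessing data' case, not just an untidy account."""
    by_id = {e.emp_id: e for e in hr}
    findings = []
    for acct in accounts:
        if acct.owner_emp_id is None:
            findings.append((acct.system, acct.username, "no HR owner recorded"))
            continue
        emp = by_id.get(acct.owner_emp_id)
        if emp is None:
            findings.append((acct.system, acct.username, "owner not in HR extract"))
        elif emp.status != "active":
            reason = "owner " + emp.status
            if emp.end_date and acct.last_login and acct.last_login > emp.end_date:
                reason += f", login on {acct.last_login} after end date {emp.end_date}"
            findings.append((acct.system, acct.username, reason))
    return findings


def find_excess_entitlements(hr, accounts) -> Dict[Tuple[str, str], List[str]]:
    """Entitlements an active owner holds beyond their current role: the
    transfer case, where the old role's access was never removed."""
    by_id = {e.emp_id: e for e in hr}
    excess = {}
    for acct in accounts:
        emp = by_id.get(acct.owner_emp_id) if acct.owner_emp_id else None
        if emp is None or emp.status != "active":
            continue
        extra = acct.entitlements - ROLE_ENTITLEMENTS.get(emp.role, set())
        if extra:
            excess[(acct.system, acct.username)] = sorted(extra)
    return excess


def access_report(hr, accounts) -> Dict[str, List[str]]:
    """'Who has access to what?': entitlement -> holders, with owner status."""
    by_id = {e.emp_id: e for e in hr}
    report: Dict[str, List[str]] = {}
    for acct in accounts:
        emp = by_id.get(acct.owner_emp_id) if acct.owner_emp_id else None
        status = emp.status if emp else "unknown"
        holder = f"{acct.system}:{acct.username} ({acct.owner_emp_id or 'none'}/{status})"
        for ent in acct.entitlements:
            report.setdefault(ent, []).append(holder)
    return {ent: sorted(holders) for ent, holders in sorted(report.items())}


if __name__ == "__main__":
    for system, user, reason in find_orphans(HR, ACCOUNTS):
        print(f"ORPHAN  {system}:{user}  {reason}")
    for (system, user), extra in find_excess_entitlements(HR, ACCOUNTS).items():
        print(f"EXCESS  {system}:{user}  {extra}")
    for ent, holders in access_report(HR, ACCOUNTS).items():
        print(f"{ent:15} {', '.join(holders)}")
```

In practice the three lists come from SQL against the payroll extract and each application’s user table; the matching key (here owner_emp_id) is whatever links an account to a person, and accounts with no such link are the first thing to chase. Run it on a schedule and compare the output with the previous run, so that a new orphan turns into a ticket rather than a surprise.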


So we might not be able to protect the clumsy human from himself or herself, but we can start using security solutions to protect the data in the first place.

Monday, August 25, 2008

Snap poll



Thursday, August 21, 2008

Oracle MAA Workshops

Recently Oracle ran two events focusing on Maximum Availability and Business Continuity: one in Melbourne on 31 July 2008 and one in Sydney on 1 August 2008, attended by a total of 150 customers.

The customers were given a presentation on how the new release of Oracle 11g has made high availability affordable by all, rather than the domain of customers with multi-million dollar IT budgets. Then after the break there was another real-life example, a DBA “bake off” called DBA1/DBA2: in each live session the two DBAs were given two complex production problems to solve, and each problem had to be solved in four minutes.

DBA1 used the common practices of SQL scripts and command-line techniques, whereas DBA2 used Oracle’s management framework to solve the problems. Guess who won!


If you want to hear the podcasts for this event, click away below. For more information on these topics please contact Barry Matthews; his link is on the sidebar of this blog, or go here.




Tuesday, August 19, 2008

BAE Takes SOA From 0-100 In 3 Months

Check out this latest Oracle video on YouTube of Craig Mackereth, Manager of Business Systems at BAE Systems Australia, talking about the SOA journey that BAE has taken recently. As one of the leading defence organisations, with huge global reach, they face all the typical challenges of managing a complex distributed application infrastructure and more.

Craig talks of the classic need for a flexible, scalable IT infrastructure that supports the acquisition strategy typical of the defence industry. That acquisition strategy gives rise to a real need to rapidly link together disparate systems. Craig details how BAE used Oracle SOA Suite and Oracle Identity Management Suite to link and secure Oracle E-Business Suite HR, Finance and Maintenance Repair systems to older legacy applications that needed to be kept in place with no changes. The use of SOA Suite in particular realised a responsive, more manageable environment that supported future integration requirements arising from new acquisitions.



The work was done in three months with no prior knowledge of SOA, and the skill sets of many developers coming from Microsoft environments could be reused with a small training effort. So much for the belief that SOA is too hard!

This system has since been given an Innovation Award at Oracle OpenWorld in recognition of the rapid delivery of a valuable business solution. It’s great to see real-world examples of SOA in action.

[BTW there are plenty more Oracle videos on YouTube; just search for "OracleVideo".]

Saul.

Monday, August 18, 2008

Podcasts


Over the last few months we have been adding a number of podcasts. These can easily be missed, so now they are all stored in one location here. You can stream or download all the podcasts that have been published, or, if you have embraced anything with an "i" in it such as the ubiquitous iPod, all the podcasts are available at the iTunes store too, here.


Have you ignored PCI


Think about who has your credit card details. When you look at your household dealings they include the council, electricity, gas, water, building insurance, car insurance, petrol, and it goes on. I am sure all of us have at least 50 relationships with various organisations through consumer spending on credit cards; in fact it would be more once you factor in frequent purchases like clothing. When you consider the rapid growth of internet espionage, fraud and identity theft, what is being done to protect us? PCI is the best example of a standard designed to protect the mums and dads. It is not legislation; it is a set of contractual requirements the card schemes impose on anyone who stores, processes or transmits cardholder data.

The PCI Data Security Standard is nothing new; it has been around for a few years, and depending on the region it can be front of mind or ignored. In the land of compliance (the USA) PCI has of course seen heavy adoption, but in Asia Pacific adoption has been lagging.

So what is PCI? To put it simply, the card schemes AMEX, Diners, Visa, JCB and MasterCard came up with a set of requirements for any organisation that stores, processes or transmits credit card data. Encrypting stored card numbers, and making sure your systems are patched to current versions so they are less susceptible to hacking, are examples of these requirements. There are 12 in total, and on reviewing them you have to wonder why they wouldn’t be adopted. It just makes good sense.

That’s clearly the problem: when does “good sense” make a good business plan? Rarely, if at all, is my opinion. With the IT industry seemingly unable to propose anything unless it is tied to an ROI, TCO, SLA or some other acronym, compliance, especially in Australia, is simply a tough sell. Where is the pain?

Well, the pain is coming. The card schemes currently fine the acquiring banks when a merchant fails a PCI audit, but the merchant may never feel the fine: banks can at their discretion choose to absorb it rather than pass it on to their customer. If the organisation that failed the audit has significant financial heft, and hence contributes a large revenue stream, the bank will for the sake of the relationship simply eat the fine. But these fines are now becoming more frequent and larger, and the smaller Level 2 and Level 3 merchants are coming under closer scrutiny. So the banks will be forced, through the size and frequency of the fines, to start passing more of them on to their customers. This of course is great news for consumers like you and me, since we deserve a better deal when it comes to privacy and protection of our financial dealings.

With this changing dynamic of banks passing down the fines, and the continuous IT mantra of “do more with less”, IT automation is coming of age across the board. Most organisations have come to terms with automating employee on-boarding or provisioning user accounts, and offering self-service to change your home address, mobile phone number or password. So why not automate your compliance regime?

The following deck outlines the 12 requirements of PCI and shows how Oracle IDM and Database Security solutions can overlay them.

If you would like more information on PCI and how to start, give us a call.


Read this document on Scribd: PCI Presentation by Carl Terrantroy

Enterprise 2.0


There's a lot of buzz in the industry, and has been for a while to be brutally honest, around Enterprise 2.0. I first became familiar with the term whilst at my previous employer, where our global chief architect presented his views on the subject in an informative manner to the lead architects globally. We digested his thoughts and provided feedback, some of which was positive and constructive! This was three years ago, which is a lifetime in the IT industry.

Billy Cripe has come up with his views on Enterprise 2.0, and it is recommended reading for you all, especially if you want to learn more about Oracle's take on the subject and how we are combining our ECM technologies with other components and solutions from the stack. You can find the presentation here.

Happy viewing

Paul