The Oracle Australia and New Zealand Middleware and Technology Blog.
Showing posts with label data leakage. Show all posts

Friday, August 29, 2008

Can IT beat the clumsy human pt1


One of the greatest challenges is securing data, especially, for some reason, data that contains information on people. It’s almost like personal data morphs into the people it represents and wants to break free of the constraints placed upon it within the database and applications. When you look at how many ways data can escape these constraints, you often wonder whether it is possible to stop humans from assisting in data breaches.

So let’s have a quick look at what can go wrong:

“Export” could be the greatest contributor to data breaches ever. How many people use this luxurious command to get data into Excel so they can massage it with pivot tables? Now the clumsy human is a simple being, so files are often labelled like “first half year forecasts” or “details of registered guests”. Once this data is exported from the confines of a structured data store and let loose in the unstructured world, there is little that can be done.

“WEB2.0”: have you noticed how easy it is these days to share files across the internet via social network sites, cloud computing, software as a service, online storage, instant messaging, etc.? Indeed, except for Twitter, almost every other WEB2.0 technology is a haven for moving data. For the clumsy human it’s all too easy to store data somewhere in the cloud for convenience and backup assurance.

“eBay” unfortunately shows up these clumsy humans like nothing else. Only last week it was revealed that a poor and, I suspect, now unemployed individual sold a work PC via eBay that contained private customer data. Regardless of what processes are in place, the clumsy human needs to follow them. Do we insist all devices with a hard disk be destroyed via some huge cheese grater when decommissioned? Probably.

“Smartphones” are again a great leveller when it comes to corporate security. Almost everyone has a phone with at least 256MB of RAM. This amount of RAM seems small these days, but 100MB can store several volumes of an encyclopaedia, or 1000s of contact details. With email synchronisation being more common now, again the clumsy human doesn’t have a chance.

See part 2 of the clumsy human for some recommendations.

Friday, June 27, 2008

More lost or stolen data

Michael Specht posted an interesting article on his blog regarding the continual problem of organisations losing sensitive information. I posted a reply outlining some other challenges around data protection. This is indeed an area where Oracle has a significant value proposition to help protect an organisation.

When you look at where sensitive data resides, it often sits on some type of system that has Oracle involvement. The data may simply reside on an Oracle database, be accessed via an Oracle Application, or have rights granted from Oracle's Identity Management Suite.

So with the complexities of modern enterprise organisations, where do you start? A good place is the security tool that in a few minutes can give you a high-level overview of your current data risk. Once you know your risk, it then depends on the individual organisation's appetite for risk. Public sector and FSI, for instance, need to treat data protection and the privacy of their employees and customers with the utmost respect, while other organisations, perhaps in manufacturing, don't have the same customer issues since they deal with B2B, and hence looking after their own employees' tax file numbers and bank details could be enough.

Oracle does excel in several significant areas of data protection, including Information Rights Management to help lock down sensitive information that could be leaked outside of the firewall. Identity Management has an excellent attestation capability to give you an accurate view of who has access to what. Once you know who has access to what, Enterprise Role Manager can help you digest and manage the complex relationships between the organisational business roles and IT system levels of privileged access. With IDM and ERM you now have a clear picture of who has access to what. But then, due to various access rights and privilege creep, you can still benefit from preventative and detective controls to close the loop.

With Datavault protecting your Oracle systems by masking or preventing access to sensitive data on the database, a company can be assured that the super users are not violating privacy policies. Or AuditVault can be used as a method of deploying a secure audit capability that will prove who accessed what critical or confidential piece of information. AuditVault not only looks after Oracle databases that are typically at the core of an organisation but also databases by other vendors that are typically used at the departmental level and outside of the tight controls associated with a datacenter.

If you or your customer is concerned with privacy, or intellectual property theft or leakage, or is wondering what the impending eDiscovery legislation or the Privacy Act amendments mean to you, then talk to Oracle today.
Cheers
Carl Terrantroy