Oracle promises tighter security for SOAs

Oracle Corp. has always made bold claims about the security of its database and applications. Now the company has said it will make security a priority as it begins rolling out its next-generation software products for building service-oriented architectures (SOAs), Oracle Fusion, in the next several years.

Speaking at an event in New York on Wednesday, Oracle President Charles Phillips outlined three areas of security that will be important to Oracle going forward — access control, data privacy and compliance. Acquisitions and internal product development over the last 18 months have given Oracle a comprehensive portfolio in this area, allowing the company to think of security “holistically” across its product line, he said.

“We take it pretty seriously,” Phillips said. “We [are putting] security where it belongs, which is consistent across the architecture.”

Oracle has had its ups and downs when it comes to security. The company is infamous for a 2002 marketing campaign in which it called its database “unbreakable,” a notion that was proven wrong by security researchers.

While Oracle’s database has not been the target of a widespread attack, security experts point out that it is also in a less vulnerable position than many commonly targeted programs. Oracle databases are embedded so deeply in a network’s infrastructure that attacks aimed for it are thwarted by technologies closer to the surface, such as firewalls. The true test of Oracle’s security will come when it begins opening up its products to allow for SOAs, which enable applications to communicate via Web services standards across disparate systems.

“Adding Web services to an architecture makes everything often more insecure because you add an additional way into the database,” said Alexander Kornbrust, chief executive officer of security consulting firm Red Database Security GmbH. “Web services should be designed and developed very carefully.”

Beginning in March 2005, Oracle began a string of purchases to bolster its security portfolio. In March the company purchased Oblix, which has access-management software. Then last November, Oracle acquired Thor Technologies for identity provisioning and compliance software and Octet String for identity virtualization software.

The company is combining these acquired technologies with new software it developed internally: Database Vault, which prevents the database administrator from accessing sensitive information stored in an Oracle database, and Audit Vault, a data warehousing product to keep track of data stored in various places.

The former is available now, while Audit Vault will be available in the next few months, said Thomas Kurian, senior vice president of server technology for Oracle. Together with existing products such as Oracle Identity Federation, the products help shore up a strong portfolio for protecting data across multiple applications and systems in the network, he said.

Oracle has these products now, but they will become increasingly important as SOAs become more prevalent and Oracle rolls out its Fusion architecture over the next couple of years, Kurian said.

“We’ll be making sure at each level of the application, you have common policies that are enforced,” he said. “No matter where you come in [on a network], you can still access security.”

Charles Kolodgy, an IDC security analyst, called Oracle’s presentation on Wednesday “a little underwhelming,” but said the message the company was trying to send is important.

“Many of their customers are not aware that Oracle has security offerings to help customers manage identity, data protection and compliance,” Kolodgy said. “They have been know for building security into their products, but not for building security products.”

However, despite the rosy picture Oracle paints about its past and future security strategy, it’s something customers have traditionally been less than happy with, Kornbrust said. New products like Data Vault and Oracle Transparent Data Encryption — which encrypts database data and stores the encryption keys in another location — show the company is taking security more seriously, he said. But Oracle has a long way to go before it gets it right.

“They are not doing enough helping customers to make their database secure,” Kornbrust said. “The patches are still ugly … Selling new — and expensive — high-end features is good but doesn’t raise the bar for the normal Oracle security. Most databases I see are vulnerable in most cases.”

Still, said Kornbrust — whose firm handles Oracle security exclusively — those responsible for securing Oracle infrastructure “appreciate the direction Oracle is taking in the last month.” However, it will take at least two to four years for most database administrators and developers to see results of the changes taking place now, he said.