
January 29, 2008 Archives

January 29, 2008

Introduction

Welcome to Oracle's newest Security blog at what is probably the industry's oldest security company! Although many people don't think of Oracle as a security company, "the world's largest enterprise software company" actually got its start more than 30 years ago when Larry Ellison, Bob Miner, Ed Oates and Bruce Scott founded a company called Software Development Labs (SDL) based on a CIA project code-named "Oracle". The first commercial version of the software - the first commercial RDBMS on the market - was sold to Wright-Patterson Air Force Base. To put this in perspective, RSA Data Security was not founded until the early 80s and Microsoft didn't offer password policies in SQL Server until 2005. Fast forward 30 years and Oracle is unrivaled in depth and breadth of security solutions. In many ways we were ahead of the times. For example, we introduced encryption capabilities almost 20 years before anyone was thinking about PCI compliance, and we introduced Label Security decades before protecting sensitive private identification information (PII) was top of mind for enterprises worldwide. "Security Inside Out" not only refers to our tag line about protecting data at the source - the database - it's about sharing our views on security and listening to yours.

Oracle Data Masking

Oracle recently sponsored a Ziff Davis eSeminar called Top Five Database Security and Compliance Resolutions for 2008. Rich Mogull was the speaker and we had such a great turnout (thank you everyone who participated!) that by the time I got to my presentation the servers were so overloaded I couldn't advance my slides. Despite my technical difficulties, the feedback on the event was very positive and I encourage you to view the recorded presentation if you missed it. And let me know what you think, since we are planning the next one for March.

One of the topics we discussed was data masking. If you're not familiar with data masking, it refers to "scrubbing" sensitive production data like personal identification information, credit card and social security numbers in order to share that data with development/test, analysis groups, business partners, etc. During the presentation we ran a poll on data masking and found that 58.7% of respondents did not perform any data masking when generating test and development data, and 39.9% either did it on an ad-hoc basis or didn't use tools (which might as well be ad-hoc since manual data masking is very error-prone). This means that a whopping 98.6% of our poll participants are at risk of leaking sensitive production data when they transfer data from secure production environments to non-secure environments.

The good news is that data masking is one of the easiest security measures to put in place, given that Oracle introduced a solution for data masking a few months back. Unlike other solutions on the market, with Oracle Data Masking, the data is masked as close to the production database as possible to prevent data breaches. Also, the data masking process is automated using an extensible library of formats and templates that ensure consistent masking for referential integrity across databases. Most importantly, Oracle Data Masking is part of Oracle Enterprise Manager and can be used to enforce data masking policies across all Oracle databases enterprise-wide to help address regulatory mandates like PCI and GLBA. Check out the Oracle Data Masking data sheet for more info.
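To make "consistent masking for referential integrity" concrete, here is an added example, not from this post and not how Oracle Data Masking is implemented: a keyed, deterministic mask applied separately to two tables so the SSN join column still lines up and masked card numbers still pass Luhn validation. The key, table layout and function names are all assumptions made for illustration.

```python
import hashlib
import hmac

# Assumption: the key lives only on the production side; this value is constructed.
MASKING_KEY = b"constructed-demo-key"

def _digits(label, value, n):
    """Derive n digits from a keyed hash, so equal inputs give equal outputs."""
    mac = hmac.new(MASKING_KEY, f"{label}:{value}".encode(), hashlib.sha256).digest()
    return [b % 10 for b in mac[:n]]  # slight modulo bias, acceptable for test data

def luhn_check_digit(payload):
    total = 0
    for i, d in enumerate(reversed(payload)):
        if i % 2 == 0:  # double every second digit, starting next to the check digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return (10 - total % 10) % 10

def luhn_valid(number):
    digits = [int(c) for c in number]
    return luhn_check_digit(digits[:-1]) == digits[-1]

def mask_ssn(ssn):
    d = "".join(map(str, _digits("ssn", ssn, 9)))
    return f"{d[:3]}-{d[3:5]}-{d[5:]}"  # same NNN-NN-NNNN format as the input

def mask_card(card):
    payload = _digits("card", card, len(card) - 1)
    return "".join(map(str, payload)) + str(luhn_check_digit(payload))

# Constructed sample rows standing in for two production tables.
CUSTOMERS = [
    {"id": 1, "name": "Alice Example", "ssn": "123-45-6789"},
    {"id": 2, "name": "Bob Example", "ssn": "987-65-4321"},
]
ORDERS = [
    {"order_id": 10, "customer_ssn": "123-45-6789", "card": "4111111111111111"},
    {"order_id": 11, "customer_ssn": "987-65-4321", "card": "5555555555554444"},
    {"order_id": 12, "customer_ssn": "123-45-6789", "card": "4111111111111111"},
]

def mask_tables(customers, orders):
    """Mask each table independently; the shared key keeps the join column aligned."""
    mc = [{**c, "name": f"Customer {c['id']}", "ssn": mask_ssn(c["ssn"])} for c in customers]
    mo = [{**o, "customer_ssn": mask_ssn(o["customer_ssn"]), "card": mask_card(o["card"])} for o in orders]
    return mc, mo

def join_counts(customers, orders):
    """Orders per customer id, joined on the SSN column."""
    return {c["id"]: sum(o["customer_ssn"] == c["ssn"] for o in orders) for c in customers}
```

Because SSNs have only about a billion possible values, anyone holding the key can recompute the mapping by enumeration, so the key has to stay on the production side and never travel with the masked copy.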

About January 2008

This page contains all entries posted to Security Inside Out in January 2008. They are listed from oldest to newest.
