Security at UKOUG
By Antony Reynolds on Nov 15, 2006
Security at UKOUG, or Reminiscences of the Maginot Line
Yesterday was the first day of the UK Oracle User Group Conference. I stayed up till 3AM the night before writing a new presentation - What is Identity Management Anyway? It was a bit of a security day yesterday. In addition to my presentation, which was excellently chaired by Pete Finnigan (though it is very off-putting having such a guru sitting in the front row nodding or shaking his head at the different points you make), I attended a couple of sessions, one by Duncan Mills - Lockdown! Securing your ADF and Fusion Applications - and one by Pete Finnigan himself - Encrypting data, is it possible to prevent access?
Despite a hacking cough Pete was on good form and gave us a comprehensive view of different data encryption strategies. One thing that he said made me think of a conversation with my 9 and 11 year old sons last Friday evening. We were talking about World War II and how German troops had overrun first Poland, then Denmark, Norway, Holland, Belgium and France. One of my sons made the point that the French had invested large amounts of money and trust in an unbreachable wall around their frontier - the Maginot Line. As we all know, the Maginot Line was never breached - the Germans just marched their troops through Holland and Belgium, bypassing the Maginot Line. Failure to think of the big picture was a costly mistake for the French.
Pete made the point that when encrypting data we need to consider the whole data flow rather than focus on just the data at rest in the database. He observed that hackers don't play by the rules and will attack the weakest point - just like the German Panzers in 1940.
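To make Pete's data-flow point concrete, here is an added illustration (my own example, not something from Pete's session or from any Oracle feature): card numbers are encrypted at rest, so the storage file leaks nothing, but a report job decrypts them and writes the plaintext into application logs and a CSV export, which is where the attacker goes instead. The "cipher" is a constructed SHA-256 keystream standing in for real column encryption, the rows are constructed test values, and the leak scanner is a simple Luhn-validated pattern match; all three are assumptions for the demo.

```python
"""Encryption at rest vs. plaintext in the data flow (illustrative, standard library only)."""
import hashlib
import re
from dataclasses import dataclass, field

# Constructed sample rows. These are standard test card numbers, not real accounts;
# they pass the Luhn check so the scanner below treats them as card-like.
SAMPLE_ROWS = [
    ("alice", "4111111111111111"),
    ("bob", "5500000000000004"),
]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream derived from SHA-256 (assumption: stands in for real encryption)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def toy_encrypt(key: bytes, nonce: bytes, plaintext: str) -> bytes:
    data = plaintext.encode()
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


def toy_decrypt(key: bytes, nonce: bytes, ciphertext: bytes) -> str:
    stream = _keystream(key, nonce, len(ciphertext))
    return bytes(a ^ b for a, b in zip(ciphertext, stream)).decode()


@dataclass
class EncryptedAtRestDB:
    """The 'Maginot Line': column values are ciphertext on disk."""
    key: bytes
    rows: dict = field(default_factory=dict)

    def insert(self, name: str, pan: str) -> None:
        self.rows[name] = toy_encrypt(self.key, name.encode(), pan)

    def read(self, name: str) -> str:
        return toy_decrypt(self.key, name.encode(), self.rows[name])

    def raw_storage(self) -> bytes:
        """What an attacker gets by copying the data files."""
        return b"".join(self.rows.values())


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to reduce false positives when scanning for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


CARD_RE = re.compile(r"\b\d{16}\b")


def find_plaintext_leaks(lines):
    """Detection: return every Luhn-valid 16-digit run found in logs or exports."""
    return [m for line in lines for m in CARD_RE.findall(line) if luhn_ok(m)]


def naive_export(db: EncryptedAtRestDB, log: list) -> list:
    """Bypasses the wall: decrypts and writes full values into the log and the export."""
    export = []
    for name in db.rows:
        pan = db.read(name)
        log.append(f"INFO exporting {name} pan={pan}")
        export.append(f"{name},{pan}")
    return export


def mask(pan: str) -> str:
    return "*" * (len(pan) - 4) + pan[-4:]


def hardened_export(db: EncryptedAtRestDB, log: list) -> list:
    """Treats the whole flow as in scope: only the last four digits leave the database."""
    export = []
    for name in db.rows:
        pan = db.read(name)
        log.append(f"INFO exporting {name} pan={mask(pan)}")
        export.append(f"{name},{mask(pan)}")
    return export


def demo() -> dict:
    db = EncryptedAtRestDB(key=b"demo-key-not-for-production")
    for name, pan in SAMPLE_ROWS:
        db.insert(name, pan)
    naive_log, hard_log = [], []
    naive_out = naive_export(db, naive_log)
    hard_out = hardened_export(db, hard_log)
    return {
        "at_rest_leaks": find_plaintext_leaks([db.raw_storage().decode("latin-1")]),
        "naive_leaks": find_plaintext_leaks(naive_log + naive_out),
        "hardened_leaks": find_plaintext_leaks(hard_log + hard_out),
    }


if __name__ == "__main__":
    for label, leaks in demo().items():
        print(f"{label}: {len(leaks)} card-like values found")
```

The storage scan finds nothing, so a review that stops at "the column is encrypted" would sign this system off; the same scanner run over the log and export from the naive job finds every card number twice. Running a scanner like this over log and export destinations is a cheap check that the encryption boundary actually covers the flow and not just the table.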
Another point of Pete's that caught my attention was the use of dilution rather than encryption to protect data. He observed that some data may be more secure left unencrypted, because encryption draws attention to high value data, and if the investment is not made in a secure key infrastructure and solid encryption algorithms then the data may actually be less secure in an encrypted state. A better approach in this case may be to make the valuable data harder to find - diluting it by mixing it with less valuable data.
A questioner asked if it was possible to make the data in an Oracle database secure. Pete's view was that the data can be made secure from non-DBAs, but not from a DBA, who will generally have too many privileges, allowing him to compromise the security of data encrypted in the database. Pete suggested that securing data from DBAs was more an HR issue, although there were some features in 10gR2 that helped.
Some good sessions and lots of great networking opportunities; I think UKOUG is still one of my favourite conferences.