Major database vendors add layers of security that can be used on information where it resides inside the database
By Charles Babcock
Sept. 23, 2005
Ari Kaplan, president of the Independent Oracle Users Group, used to work as a database administrator for financial-services companies and government agencies. "For 10 years, I had access to everything--credit-card numbers, Social Security numbers, you name it," he recalls.
That used to be OK. After all, the database administrator was a trusted employee. But with a booming black market for stolen personal data, companies are rethinking whether database administrators should have total access to millions of records. That has major database vendors adding levels of security that can be applied to data where it resides inside the database, rather than relying on security measures in applications that access the data.
Doing so protects the data from outside attackers and insiders alike. And because these controls are easy to apply, data security is becoming more of an "on-demand" feature: it can be switched on quickly for one part of the database, rather than waiting on a decision about whether the system can withstand the performance hit of encrypting everything. This approach to data privacy is a key part of IBM's on-demand computing initiative. The vendor's experimental Hippocratic database, in development at its Almaden Research Center, extends the concept of data privacy on demand to whoever contributes data.
It has always been possible to encrypt an entire database table, such as rows and columns of customer information, yet unsecured database systems continue to proliferate in companies, including the nearly uncontrolled use of open-source systems that sometimes contain critical company data. Column-level encryption may change that: It's quicker, inflicts less of a performance penalty, and makes more sense since only the most sensitive data is encrypted. Sybase's flagship Adaptive Server Enterprise, Oracle's Oracle 10g, IBM's DB2, and Microsoft's SQL Server offer selective encryption.
Unless the database administrator is given the key to decrypt the data, it remains undecipherable to him as well as everyone else. In light of compliance requirements such as the Sarbanes-Oxley Act, "one of the emerging trends is that the database administrator is no longer considered a trusted entity," says Calvin Powers, senior software engineer for IBM's Tivoli security for data governance. "DBAs can't have access, even if they want to. That's extremely important for internal controls" over data security, says Kaplan, who's now a database consultant.
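As an added example, not code from the article or from any of the vendors it names, the following Transact-SQL shows what selective, in-database column encryption of the kind described in the two paragraphs above looks like in SQL Server 2005: only the card-number column is stored as ciphertext, under a symmetric key that is protected by a certificate and the database master key, and the right to open that key is granted to the application rather than to the DBA. The table, key, certificate and principal names (Customers, CardKey, CardCert, BillingApp), the passphrase and the sample row are all constructed for illustration.

```sql
-- Key hierarchy: database master key -> certificate -> symmetric key.
-- All names below (CardCert, CardKey, Customers, BillingApp) are hypothetical.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'a long passphrase held outside the DBA team';
CREATE CERTIFICATE CardCert WITH SUBJECT = 'Protects the card-number column key';
CREATE SYMMETRIC KEY CardKey
    WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE CardCert;

-- Only the sensitive column is stored as ciphertext; the rest stays in the clear.
CREATE TABLE Customers (
    CustomerId     INT IDENTITY(1,1) PRIMARY KEY,
    Name           NVARCHAR(100)  NOT NULL,
    CardNumberEnc  VARBINARY(256) NOT NULL   -- ciphertext, never the plaintext number
);

-- Write path: the application opens the key and encrypts on insert.
-- The card number is a constructed test value.
OPEN SYMMETRIC KEY CardKey DECRYPTION BY CERTIFICATE CardCert;
INSERT INTO Customers (Name, CardNumberEnc)
VALUES (N'Constructed sample customer',
        EncryptByKey(Key_GUID('CardKey'), N'4111111111111111'));
CLOSE SYMMETRIC KEY CardKey;

-- Anyone who can SELECT from the table but cannot open the key sees only bytes.
SELECT CustomerId, Name, CardNumberEnc FROM Customers;

-- Read path for an authorised principal: open the key, decrypt the one column.
OPEN SYMMETRIC KEY CardKey DECRYPTION BY CERTIFICATE CardCert;
SELECT CustomerId, Name,
       CONVERT(NVARCHAR(20), DecryptByKey(CardNumberEnc)) AS CardNumber
FROM Customers;
CLOSE SYMMETRIC KEY CardKey;

-- Give the application's principal, not the DBA role, the right to open the key.
GRANT VIEW DEFINITION ON SYMMETRIC KEY::CardKey TO BillingApp;
GRANT CONTROL ON CERTIFICATE::CardCert TO BillingApp;

-- By default the master key is also protected by the server's service master
-- key, which any sysadmin can use. Drop that so the passphrase is required.
ALTER MASTER KEY DROP ENCRYPTION BY SERVICE MASTER KEY;
```

After the last statement, a session that needs the column must first run OPEN MASTER KEY DECRYPTION BY PASSWORD with the passphrase before it can open CardKey, so whoever holds the passphrase, not whoever holds the sysadmin role, controls access to the plaintext. The remaining hole is the one the article raises later: a DBA who can alter a stored procedure or trigger that runs while the key is open can still capture the plaintext in flight, which is why encryption needs to be paired with monitoring of procedure changes.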
Michael Heaney didn't conceive of the need for column-level encryption when he started as database manager at the Institute for Genomic Research. "I've had the luxury of trying to open up databases to people, not impose restrictions. We generally give scientists free rein to look anywhere," he says.
But the institute's success in unlocking specific genomes has led to additional contracts from new sources, such as the Monsanto Co. in agribusiness and the Department of Defense in biological weapons. For example, if research at the institute discloses how the anthrax genome can be altered with predictable results, the data from that research has to be kept very secure. With a few commands to the Sybase database, "I can lock down a particular column" through the database's command interface so that no one inside or outside the institute can see it, says Heaney, who has tested such a feature in Sybase's Adaptive Server Enterprise 15. He expects to use the capability when he upgrades the institute's Sybase copies to version 15 later this year. Another plus: Encryption protection extends to archival formats.
The major database vendors offer additional ways to ensure data privacy. Since the 8i version of its database software, Oracle has offered a feature called Virtual Private Database. It started out as a way to tie a data-use policy or restriction to data in a particular table and now extends to individual rows in the table. That gives a database administrator or corporate compliance officer a more calibrated tool for determining who sees what data.
The old method of restricting data access was to set role-based levels of privilege in the code of the application that accesses the database. Based on a user's privilege level, the application would let that user see a table--or not. With today's virtual private database controls, users can be given access to part of a table based on the privileges of their role; some rows may be shown to a human-resources person but would be withheld from a manufacturing employee.
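As an added example, not code from the article or from Oracle's own documentation, the following PL/SQL shows the row-level policy the last two paragraphs describe, written for Oracle 10g Release 2: a policy function returns a WHERE-clause fragment, DBMS_RLS.ADD_POLICY attaches it to the table, and the identical SELECT issued by the HR application and by the manufacturing application is rewritten inside the database so that each sees only its own rows. The schema, table, user and function names (APP, EMPLOYEES, USER_DEPARTMENTS, HR_APP, MFG_APP, EMP_ROW_FILTER) and the sample rows are constructed for illustration.

```sql
-- Constructed sample data: the protected table, plus a lookup of which
-- department each database user belongs to. All names are hypothetical.
CREATE TABLE app.employees (
    emp_id      NUMBER        PRIMARY KEY,
    emp_name    VARCHAR2(60)  NOT NULL,
    department  VARCHAR2(30)  NOT NULL,
    salary      NUMBER(10,2)
);
CREATE TABLE app.user_departments (
    db_user     VARCHAR2(30)  NOT NULL PRIMARY KEY,
    department  VARCHAR2(30)  NOT NULL
);
INSERT INTO app.employees VALUES (1, 'A. Smith', 'HR',            52000);
INSERT INTO app.employees VALUES (2, 'B. Jones', 'MANUFACTURING', 48000);
INSERT INTO app.employees VALUES (3, 'C. Lee',   'MANUFACTURING', 51000);
INSERT INTO app.user_departments VALUES ('MFG_APP', 'MANUFACTURING');
COMMIT;

-- Policy function. Oracle calls it when a statement against the protected
-- table is parsed and appends the returned text as an extra WHERE condition.
-- It runs with the rights of its owner (APP), so the calling user needs no
-- privilege on USER_DEPARTMENTS.
CREATE OR REPLACE FUNCTION app.emp_row_filter (
    p_schema IN VARCHAR2,
    p_object IN VARCHAR2
) RETURN VARCHAR2
AS
    v_dept app.user_departments.department%TYPE;
BEGIN
    -- The HR application's session sees every row: a NULL predicate adds nothing.
    IF SYS_CONTEXT('USERENV', 'SESSION_USER') = 'HR_APP' THEN
        RETURN NULL;
    END IF;
    -- Every other session is limited to the rows of its own department.
    SELECT department INTO v_dept
      FROM app.user_departments
     WHERE db_user = SYS_CONTEXT('USERENV', 'SESSION_USER');
    -- ENQUOTE_LITERAL quotes the value and rejects embedded quote characters,
    -- so a crafted department name cannot alter the generated predicate.
    RETURN 'department = ' || DBMS_ASSERT.ENQUOTE_LITERAL(v_dept);
EXCEPTION
    WHEN NO_DATA_FOUND THEN
        RETURN '1 = 0';   -- unknown user: fail closed, return no rows
END;
/

-- Attach the policy. update_check => TRUE also stops a user from inserting or
-- updating a row into a department that user is not allowed to see.
BEGIN
    DBMS_RLS.ADD_POLICY(
        object_schema   => 'APP',
        object_name     => 'EMPLOYEES',
        policy_name     => 'EMP_BY_DEPARTMENT',
        function_schema => 'APP',
        policy_function => 'EMP_ROW_FILTER',
        statement_types => 'SELECT, INSERT, UPDATE, DELETE',
        update_check    => TRUE
    );
END;
/

-- Connected as MFG_APP this returns only B. Jones and C. Lee; connected as
-- HR_APP it returns all three rows. The SQL text is the same in both cases.
SELECT emp_id, emp_name, department, salary FROM app.employees;
```

Two caveats a practitioner would want: the policy is not applied to SYS or to any user holding the EXEMPT ACCESS POLICY privilege, and that is exactly the privilege a database administrator can grant, so VPD narrows what applications and their users see but on its own does not keep an untrusted DBA out; and because the predicate is generated as text, the policy function must build it only from values it trusts or quote them, as done above, rather than concatenating user-supplied strings.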
At the annual Oracle OpenWorld user conference last week, executives unveiled a paper that proposes that data sets be controlled as if in a data vault, with the data owner having more control "over the context in which the data is accessed," says Paul Needham, director of Oracle's database security product management. A data owner might want to allow data to be accessed from IP addresses within a company, but not from ones outside, Needham says. Other policies could be attached to a data set to restrict its use to particular parties.
IBM's experimental Hippocratic database implements purpose-based controls that could find their way into many on-demand-type business uses. Purpose-based use lets data contributors set rules on how and when their data may be used. A rules engine inside the database system enforces the rules before allowing a query to access the data, IBM's Powers explains. For example, a hospital patient might say the data is to be used only in connection with a specific treatment. Once the treatment is finished, the data must be deleted.
In some cases, third-party suppliers of data-security software are supplementing what the major vendors already do. Application Security Inc. produces a database-monitoring system that can detect changes to stored procedures in the database and alert an administrator to unauthorized changes. Stored procedures are programs built into a database that are typically tied to core company transactions. A database administrator or other party with access to the system could bypass most security measures by changing the stored procedures.
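As an added example, and not Application Security Inc.'s product or any vendor's code, the following Transact-SQL shows the two checks a monitor of this kind performs, written for SQL Server 2005: a database-level DDL trigger that records who changed which stored procedure and with what statement, and a baseline of procedure-body hashes that can be re-checked later to catch changes the trigger did not see. The table and trigger names (ProcChangeLog, ProcBaseline, trg_AuditProcedureDDL) are hypothetical.

```sql
-- 1. Record every CREATE/ALTER/DROP PROCEDURE with the login that issued it
--    and the full statement text. Names are hypothetical.
CREATE TABLE ProcChangeLog (
    LogId        INT IDENTITY(1,1) PRIMARY KEY,
    EventTime    DATETIME       NOT NULL DEFAULT GETDATE(),
    LoginName    NVARCHAR(128)  NOT NULL,
    EventType    NVARCHAR(64)   NOT NULL,
    ObjectName   NVARCHAR(128)  NOT NULL,
    CommandText  NVARCHAR(MAX)  NOT NULL
);
GO
CREATE TRIGGER trg_AuditProcedureDDL
ON DATABASE
FOR CREATE_PROCEDURE, ALTER_PROCEDURE, DROP_PROCEDURE
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @e XML;
    SET @e = EVENTDATA();   -- XML description of the DDL event being fired
    INSERT INTO ProcChangeLog (LoginName, EventType, ObjectName, CommandText)
    VALUES (
        @e.value('(/EVENT_INSTANCE/LoginName)[1]',              'nvarchar(128)'),
        @e.value('(/EVENT_INSTANCE/EventType)[1]',              'nvarchar(64)'),
        @e.value('(/EVENT_INSTANCE/ObjectName)[1]',             'nvarchar(128)'),
        @e.value('(/EVENT_INSTANCE/TSQLCommand/CommandText)[1]','nvarchar(max)'));
END;
GO

-- 2. Independent check: hash every procedure body into a baseline, then
--    report any procedure whose body no longer matches or that is new.
--    Procedures created WITH ENCRYPTION have a NULL definition here and
--    must be tracked separately.
SELECT o.object_id, o.name, HASHBYTES('SHA1', m.definition) AS DefinitionHash
INTO ProcBaseline
FROM sys.sql_modules AS m
JOIN sys.objects     AS o ON o.object_id = m.object_id
WHERE o.type = 'P';
GO

SELECT o.name,
       CASE WHEN b.object_id IS NULL THEN 'NEW' ELSE 'CHANGED' END AS Status
FROM sys.sql_modules AS m
JOIN sys.objects     AS o ON o.object_id = m.object_id
LEFT JOIN ProcBaseline AS b ON b.object_id = o.object_id
WHERE o.type = 'P'
  AND (b.object_id IS NULL
       OR b.DefinitionHash <> HASHBYTES('SHA1', m.definition));
GO
```

The trigger gives an immediate, attributable record, but a DBA can disable it (DISABLE TRIGGER ... ON DATABASE) or delete rows from the log, so the hash comparison, and the baseline it compares against, should be run from and stored on a system the DBA does not control; that separation is what a third-party monitor provides over what the database can do for itself. HASHBYTES in SQL Server 2005 also accepts at most 8000 bytes of input, so longer procedure bodies need to be hashed outside the database.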
These and other security measures may be necessary to reverse the rising tide of lost and stolen data. This year, CardSystems Solutions Inc. said that 13.9 million MasterCard accounts were exposed to fraud; Citigroup notified 3.9 million customers that it had lost archive tapes containing their data; Bank of America notified 1.2 million customers of a similar breach; and HSBC North America warned 180,000 customers that their General Motors MasterCard account numbers may have been stolen during transactions at Polo Ralph Lauren. Given the way things are going, tying security measures and data together inside the database is fast becoming a requirement, not an option.