Oracle has always made bold claims about the security of its database and applications. Now the company has said it will make security a priority as it begins rolling out its next-generation software products for building service-oriented architectures (SOAs), Oracle Fusion, in the next several years.
Speaking at an event in New York on Wednesday, Oracle President Charles Phillips outlined three areas of security that will be important to Oracle going forward -- access control, data privacy and compliance. Acquisitions and internal product development over the last 18 months have given Oracle a comprehensive portfolio in this area, allowing the company to think of security "holistically" across its product line, he said.
"We take it pretty seriously," Phillips said. "We [are putting] security where it belongs, which is consistent across the architecture."
Oracle has had its ups and downs when it comes to security. The company is infamous for a 2002 marketing campaign in which it called its database "unbreakable," a notion that was proven wrong by security researchers.
While Oracle's database has not been the target of a widespread attack, security experts point out that it is also in a less vulnerable position than many commonly targeted programs. Oracle databases are embedded so deeply in a network's infrastructure that attacks aimed for it are thwarted by technologies closer to the surface, such as firewalls. The true test of Oracle's security will come when it begins opening up its products to allow for SOAs, which enable applications to communicate via Web services standards across disparate systems.
"Adding Web services to an architecture makes everything often more insecure because you add an additional way into the database," said Alexander Kornbrust, chief executive officer of security consulting firm Red Database Security GmbH. "Web services should be designed and developed very carefully."
Beginning in March 2005, Oracle began a string of purchases to bolster its security portfolio. In March the company purchased Oblix, which has access-management software. Then last November, Oracle acquired Thor Technologies for identity provisioning and compliance software and Octet String for identity virtualization software.
The company is combining these acquired technologies with new software it developed internally: Database Vault, which prevents the database administrator from accessing sensitive information stored in an Oracle database, and Audit Vault, a data warehousing product to keep track of data stored in various places.
The former is available now, while Audit Vault will be available in the next few months, said Thomas Kurian, senior vice president of server technology for Oracle. Together with existing products such as Oracle Identity Federation, the products help shore up a strong portfolio for protecting data across multiple applications and systems in the network, he said.
Oracle has these products now, but they will become increasingly important as SOAs become more prevalent and Oracle rolls out its Fusion architecture over the next couple of years, Kurian said.
"We'll be making sure at each level of the application, you have common policies that are enforced," he said. "No matter where you come in [on a network], you can still access security."