Oracle Chief Security Officer Mary Ann Davidson recently talked with Dan Verton from Computerworld US about the current state of IT security and its future role in defense.
Q: When you look across the landscape of issues surrounding homeland security, what do you see as the main IT challenges or obstacles for both the government and private-sector companies that own and operate the bulk of the nation's critical infrastructure?

A: Both sectors have to deal with the same challenge, and a lot of it has to do with information assurance. It's absolutely critical that we understand that how people build products is as important, if not more important, than what they build. Someone other than the vendor has to certify security claims. Evaluations are important for three reasons. One, they force a security development process on the vendor. Two, they produce a better product. And three, they create a culture of security.
Q: Assuming that the issues of policy, people and process can be worked out, can the current state-of-the-art in IT really make a significant difference in the nation's security?

A: You can't really find a technical solution that will solve everything without those other parts in place. But yes, I think it can make a difference. A good example is in the area of information sharing. We have technology today that can enable both data sharing and data separation seamlessly. Oracle Label Security, for example, is being used in the intelligence community now.
Q: What should private companies that own and operate critical infrastructures and systems be doing from a technology investment and policy perspective that they are currently not doing?

A: The answer to that question would be speculative, but I do think that security has to be part of their corporate culture. If you don't ultimately embed within every member of the organization what their responsibility is as far as security goes, you're not going to be successful. Everybody in the company doesn't need to have the same level of responsibility, and every company doesn't need to have the same culture. But every company has assets to protect. I don't change my speeches on this topic for different audiences.
Q: What should the government be doing differently?

A: Well, I will tell you what they're doing well and need to do more of. They need to extend the [Pentagon's] IT purchasing policy [which states that all new IT systems must be certified for security by an independent third party] to all government systems. We keep hearing that there will be no waivers to the [Pentagon] policy. It's also in the House version of the defense authorization bill. I think this can change the IT market.
Q: Did Sept. 11 and the new security realities the country now faces change anything in particular about how Oracle does security? Are there any lessons that Oracle can offer other companies about how security can be enhanced, both from a software/network perspective and a physical perspective?

A: It hasn't changed how we're doing security for our products. We've been fairly fanatical about security since our inception. The roots of the company have been tightly coupled with the so-called professional paranoid community [that is, intelligence agencies]. Nothing has changed except that I'm extending that focus to every product at Oracle. By definition, security is a show-stopper for product development. We don't ship the product if security is not ready.
Q: What are the issues, concerns and questions you now hear most from customers regarding security?

A: It depends on the customer base. Some are more attuned to information assurance than others. One of the main issues is centralizing identity management. That doesn't sound very sexy, but it's absolutely necessary. Five years ago, the only customer I ever talked to about security was the intelligence community. Now every customer that comes into Oracle wants to talk about security. Sept. 11 really crystallized the issue in everybody's mind.