Blog: Dan E. Linstedt

Security and our Data Warehousing Solutions

There's been a lot of talk about security, firewalls, VPN access, anti-spam, and anti-hack systems - but most of the break-ins and data leaks appear to be caused when a hacker reaches the RDBMS systems we put in place. Why, then, aren't the RDBMS vendors stepping up to the plate to join up with many of the security firms? Why aren't we seeing acquisitions of security technology to become embedded within the RDBMS engines?

Even major authority figures have written about the hacks that can compromise database security: here, Donald K Burleson (a well-known author on Oracle) discusses 9i hacks - as early as 2002. A more recent breach, found in December 2004, is written up here. An instance of a hack against Teradata controllers was written up here (click then FIND Teradata). Even with 10g, there are suggested security management procedures outside the database. Again, Don Burleson reports. There's even a quote in the DB2 UDB PDF:

Here are some press releases that I found where vendors are beginning to work at the solution:

There are many different articles out there, spread across many different vendors, some positive, some negative - but the general gist is this: Businesses must consolidate their information stores in order to... But with consolidation comes risk - greater risk of security problems. Not only can the business get better answers, but now anyone hacking into the centralized system all of a sudden has access to better answers too. Read this article on Data Center Server consolidations.

It's nice to hear that vendors are training people in RDBMS security, but you'd think by now that more RDBMS vendors (especially given the recent breaches) would pay more attention to row- and column-level encryption and overall database security. You'd think that the industry would have learned its lesson!

It's up to us, the customers, to present a rallying cry to embed security at the RDBMS management level, make it seamless, and assist us in managing it in real time with alerts, audit tracking, and highly sophisticated software - and, of course, partner with the best of breed. Please don't write your own.

One other thing crosses my mind in this: VLDB - the larger the consolidated data sets get, the harder they become to secure (as an afterthought). Architecture is paramount in a VLDB/VLDW, and if integrated within these massive information stores we might stand a chance of fending off hackers once they reach "the mother lode".

With the advent of SOA now reaching directly from the web into the RDBMS back-ends, one has to wonder: how will this all be managed?

Thoughts?