INSIDE ORACLE
PRODUCTS.BUSINESS.RESULTS.
Secure Foundations
PROTECTING ENTERPRISE NETWORKS FROM CORPORATE INTELLECTUAL PROPERTY THEFT
When it comes to security threats
and cyber attacks, issues such as
“The real money these days is in
intellectual property theft,” says Mary Ann
Davidson, chief security officer at Oracle.
“It’s industrial espionage. When you
read news accounts of corporate systems
breaches, it’s not all things like credit
card information. People are walking off
with major trade secrets worth millions
of dollars. After all, why put the capital
into inventing or designing something if
you can steal that information?”
With the stakes so high, the security
of enterprise systems is a top priority in
the boardroom, not just the IT
department. Safeguarding data requires a
layered approach, including a detailed
evaluation of how thoroughly protection
is embedded within IT’s foundation—the
infrastructure. “How do people typically
break security?” asks Davidson. “Not
through the front door—they find a hole
in the foundation and tunnel through.”
In order to build that intrusion-proof
foundation, business leaders need to
bring the security discussion to the
earliest phases of technology evaluation by
requiring that infrastructural components
are developed securely, and that the
vendors supplying these components
have strong security practices. “Your
vendors’ security assurance practices can
impact corporate security, so you need to
look at the security assurance
methodologies in use,” says Davidson.
Davidson and her group design and
deliver the practices that give bite to
Oracle Software Security Assurance
methodology, and she strongly emphasizes the
need to make security an integral part of
the design process of technology
products. “With a company as big as Oracle,
we need to make sure that people have
tools and techniques embedded into the
process—we can’t be looking over their
shoulders as they code,” says Davidson.
group for security, and they create a community around that within the group,”
says Davidson. Her group also requires
that developers use automated tools
that look for exploitable security vulnerabilities during the development process.
Finally, her group holds every line of
business accountable for adherence to
the assurance process. “We actually score
every line of business according to how
they do against our required assurance
practices, so their performance is very
clearly measured,” says Davidson.
Another aspect to look for is how
secure products are by default—in other
words, how secure is the product out
of the box? Can the product be easily
configured for stronger security beyond
that default position? “You want highly
configurable software, but as a customer,
you should expect that there are certain
things that will work securely right out of
the box,” says Davidson. “You don’t want
to have to tweak things across 50 servers
to make it secure.”
Proof of Oracle’s commitment to
security can be found in its compliance with
ISO/IEC 15408—the Common Criteria,
an international standard that validates
software security. “Customers have a right
to know that their vendors take this
seriously and have internal practices that they
can validate,” says Davidson. “You want
them to be able to prove that they don’t
ship products with holes big enough to
slip a cruise ship through.”
And as a company that uses these
same products to protect its own
intellectual property, Oracle has more than
just its reputation on the line. “At Oracle,
we can say that we treat your secrets like
they are ours, because we are running the
same software,” says Davidson. “If we do
a bad job with security, we put our own
company at risk.”