Oracle, IBM zero in on database security

Security is an area that both Oracle Corp. and IBM are focusing on as they develop their next-generation database products.

Oracle, leveraging research it has done for the U.S. government, this week announced a security option called Oracle Label Security for the current Oracle 8i product and the upcoming Oracle 9i. The labeling feature gives IT managers the ability to tag data at the row level of a database, enabling them to control who has read-and-write access to specific information.

"We consider this a high- or military-level type of security," said LouAnna Notargiacomo, manager of security database technology at Trusted Computer Solutions, in Herndon, Virginia. "It allows you to control access to the database on a record-by-record basis. It provides a strong mechanism for who can see what. You can tag information based on its sensitivity."

For example, the Oracle Label Security tool could be particularly useful to application service providers when they have a service that is shared among multiple companies. They could tag rows of data so only one company has access to that information.

"In the past, you had to use things like views, and they are not a strong mechanism," said Notargiacomo. "Views are more defined by tables, where this is defined by rows."

With Oracle Label Security, data rows can be tagged not only to give the right person access but to allow access during certain parts of the day and from specific locations. When data is accessed, the database then compares its labels with the labels in the directory.

"The level of access can get very sophisticated, if you want it to," said Bob Shimp, Oracle's senior director for Oracle 9i marketing.

The Redwood Shores, Calif., company is expected to announce more security features for its Oracle 9i database next week.

Big Blue branches out

For its part, IBM in the coming months plans to introduce a new version of its DB2 database with encryption and decryption features that work with the Windows 2000 and Unix operating systems. Currently, DB2 has hardware-assisted encryption that works with the mainframe.

"We are working on it now [for Windows and Unix]," said Jeff Jones, senior program manager for IBM's data management solutions. "It's under development. This will be a DB2 capability that will be there as a simple-to-use function. It's going to see the light of day soon, probably in the next few months."

The Armonk, N.Y., company is also bringing to market a data mining software tool called the Intrusion Detection System that it has used internally. (It will be sold through IBM Global Services.) The Intrusion Detection System tracks patterns of abnormal traffic on the network, reporting activity it deems an attack on the system.

"The tool studies the normal network patterns and gets familiar with it," said Jones. "When it sees alarming traffic patterns that it does not recognize, it then digs deeper to see if it should alert the authorities."

The bottom line: Security is not just a matter of building firewalls.

"Security is not something you can put into a little corner," Jones said. "It should be an element in your network, in your hardware, in your applications. Security is like water. It should be in everything you do."