Improving Oracle Security

Logical Apps offers granular security for Oracle databases

Logical Apps in Irvine, Calif., released AppsRules 4.0, a rules-driven, meta data-based engine that adds a separate, customizable security layer to Oracle databases. The engine can filter the records any particular user can see, audit all access and changes, and maintain a complete change history. In other words, organizations can selectively restrict access to database information or keep an eye on who changes it.

Normally, when organizations want to restrict access to sensitive information in enterprise databases (perhaps based on roles or departments or in a way so as to prevent users from updating or over-writing data), they need to custom code the alterations. Customizations can be time-intensive and costly. When the database gets upgraded, customizations also frequently break; the work needs to be redone—assuming IT has the available resources.

Restricting access is becoming more of a mantra in the aftermath of Enron and related scandals. Legislation is driving companies to create—and document—better security controls.

Unfortunately, Oracle’s built-in database security is inadequate for many organizations. “The whole fault with Oracle is it’s inflexible out of the box,” says Hollis Bischoff, vice president, Technology Research Services for consultancy Meta Group. “[It’s] one size fits none. It really is the lowest common denominator, and most companies don’t run themselves as the lowest common denominator.”

In other words, Oracle applications “give you the base functionality, or they lock you down to functionality, and what a process like this does is open up locked-down processes and put boundaries around wide open processes.”

Organizations need to give different people inside and outside the company different levels of access. A project planner, for example, needs to see lead times, but for data integrity reasons shouldn’t be able to alter delivery dates. Likewise, business partners need to see parts availability but suppliers don’t want to reveal the item’s actual cost, just its retail price. Unfortunately, in many Oracle modules security is all or nothing.

As a result, “Organizations are forced to do system surgery—go into the application and reverse-engineer it to alter it,” says Chris Capdevila, founder and CEO of Logical Apps. That surgery faces two challenges: often there’s no lasting record of what was done, and changes frequently break when the underlying application or database gets upgraded.

That was the dilemma faced by Cymer Inc., a semiconductor equipment manufacturer in San Diego, Calif., which wanted to upgrade its three-and-a-half-year old Oracle 11i implementation from 11.5.6 to 11.5.8 last summer, with a stipulation: security and business rules customizations shouldn’t break from upgrade to upgrade. After evaluating business process engines, Cymer chose AppsRules about eight months ago.

Cymer’s previous code customization process was laborious—developers spent lots of time writing, testing, then taking the SQL code live. “Once it's there, you lose visibility of it, because now it's a compiled library, and without the right tools, you're not able to see it,” notes Jeff Wolf, a Cymer business analyst.

In comparison, AppsRules let Cymer separate business logic from application code. Wolf says it installed without difficulty, and adding new rules now takes little time. “We put in a new rule last week. From inception to production-ready was about a half an hour, and it was very simple.” Before, it could take a day for developers to code, test, and migrate the changes, once they had time to tackle the project. Now users with some knowledge of Oracle basics—they don’t have to be experienced programmers—can make the changes instead. “The gist of it is, it's something that our business analysis group can maintain, rather than going through a developer cycle.”

The engine is also self-documenting, says Wolf. “I gain the visibility, I know what's been done—I can look at all the rules on one screen.” Cymer uses it for instances where “even though you might want something visible, you might not want it updateable, and this will apply to a field, or individual groups of fields. That functionality is not available in Oracle out of the box.” For example, customer service representatives can see a customer’s credit limit, but not change it, or see any more sensitive information.

AppsRules competes with other business process management tools that allow companies to specify business rules in their applications. The notable difference with Logical Apps, says Meta’s Bischoff, is that it will run with Oracle—and only Oracle—out of the box. Other tools can work with multiple applications, but then “you need to add code to stripe it for Oracle.” As a result, “I would say this is more aimed toward folks who are later adopters, because early adopters did custom code.” Logical Apps says it will expand beyond Oracle in the future.

Could such tools, rather than custom code, also help organizations better document their security controls in accordance with the Sarbanes-Oxley Act of 2002? Bischoff says, “Absolutely, because a lot of these modeling tools are self-notational.” Unlike custom coding, creating a new rule in these tools produces a recoverable record of the process—unlike custom coding.

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and is its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.