The Insider's Guide to Business and IT Agility
By David A. Kelly, Analyst, ebizQ , 08/10/2006
Print this article
Email this article
Talk Back!
Write to Editor
Protecting your corporate data takes more than simply securing your network or locking down your database. With a range of security issues facing organizations today, ensuring adequate data security requires a holistic and broad security strategy that goes beyond traditional, technically-focused AAA procedures (authentication, authorization and access control). Especially in light of new regulatory and compliance drivers like Sarbanes-Oxley or Gramm-Leach-Bliley.
Of course, an organization’s data is a critical component of an appropriate security strategy. But it’s not just the protection of data that’s important these days, but the integrity of data—everything from the data in the databases to the data in the system logs to even the data that resides in non-relational systems. This aspect of integrity becomes even more important when faced with compliance requirements. When an auditor is examining the integrity of the financials, the trail pretty quickly leads back to the systems of record and the underlying databases—not only what’s in them, but who had access to them when and who might have changed what.
For the past few years, a lot of focus in the security area has been on confidentiality and the security of data, especially with regulations like HIPAA that require organizations to provide greater control over the confidentiality of specific personal data. But as we’re exploring here, it’s not just confidentiality that’s important—data integrity is also critical for ensuring an appropriate (and auditable!) data security strategy.
For example, a primary concern of auditors (and of vigilant IT managers) is the possibility that authorized users (say, database DBAs) typically have access not just to the database architecture and database settings, but to the data itself. What’s to stop a database administrator from copying off a bunch of phone numbers or credit card numbers or other corporate data?
One approach to solving this type of data access by privileged users problem is to encrypt the data to prevent the DBA from ever being able to do that, since the encryption keys for that data could be held by another person. Such a solution would require that the DBA plus the other person would have to work together to obtain access to that data, providing some additional assurance on top of traditional approaches.
Alternatively, some database vendors, such as Oracle, are offering additional data protection in the form of database realms. Database realms are essentially like areas of the database that can be surrounded and locked down without the typical overhead of the encryption requirements found in the first solution. Oracle’s Database Vault gives organizations a way to restrict access to super users (DBAs and privelaged users) via the definition of realm (or database territory) and a set of appropriate rules and conditions. For example, a database realm could be defined that would only allow DBAs to access or change database settings or content from specific IP addresses (preventing any changes from external sources, for instance), or only between certain hours (say between 9am and 5pm Monday through Friday). In effect, these database realms provide organizations with more granular access over the control of who can see what in a database, who can change what in the database, and when and where those changes can be made.
1
ROUNDTABLE: Stretch Your Budget with smart SOA Governance-A Look at Successful Case Studies
ROUNDTABLE: Open Source Market Update
Insurance: Explore how SOA & BPM are driving down expenses and improving ROI
BPM VIEWPOINT: Are You Asking Yourself the Hard Questions about BPM in Today's Economy? 
BPM VIEWPOINT: Does Oracle/Sun Mean It's a Horse Race for BPM?
Managing Case Management Within BPM
Insurance Industry Update: Why Standards Are Essential
BPM VIEWPOINT: How Do You Look at BPM?
ebizQ is very interested in what you have to say. To contribute an article, an opinion, or to become a blogger, please contact Peter Schooff.
You need Adobe Flash Player 9 to view this widget.
June 3, 2009
One of the most compelling trends in the enterprise business technology space over the past year has been the emergence of cloud computing. In ebizQ’s upcoming Qcamp virtual un-conference, leading industry experts and practitioners will explore the role of service-oriented architecture (SOA) and business process management (BPM) in supporting cloud-computing initiatives. Additionally, the new skills that developers and IT managers need for successful cloud development will be discussed.Register
Date: Aug 26, 2009
Time: 12:00 PM
ET- (16:00 GMT)
Date: Sep 30, 2009
Time: 12:00 PM
ET- (16:00 GMT)
Date:Aug 26, 2009
Time:12:00 PM
ET- (16:00 GMT)
Date:Sep 30, 2009
Time:12:00 PM
ET- (16:00 GMT)
One of the compelling stories in open source is the potential for bringing SOA to unserved and underserved markets -- such as smaller businesses and...
Download Now
In part two of Joe McKendrick's recent podcast with Miko Matsumura, chief strategist for Software AG, they talk about how SOA and IT systems need to change and grow and adapt with the organization around it.
Listen Now
Phil Wainewright interviews David Vap, VP of products at RightNow Technologies, and finds out how sharing best practices can help businesses understand how best to engage with online communities.
Listen Now
Scott Hebner, Vice President of Marketing and Strategy for IBM Rational, discusses a topic on the top of every company's mind today: getting the most from IT investments.
Listen Now
In BI, this tough economy and the increasing role of Web 2.0 and MDM are certainly topics on people's minds today. WiseAnalytics' Lyndsay Wise addresses each of them in this informative podcast.
Listen Now
Deepak Singh, President and CTO of Adeptia, joins ebizQ's Dennis Byron in a podcast that gets its hand around the trend of industry-specific BPM.
Listen Now
From Dennis Byron: For BPM to fit at the top of the stack, it can't merely support workflow or integration. It needs to integrate the BI aspects of the stack, too. Learn More
In the insurance industry, companies have accepted that systems, strategies and data all developed in silos are making it difficult for them to grow and adjust to today’s market demands. The obstacles imposed by siloed approaches are painfully obvious to companies as they try to gain a better understanding of their customers and meet the growing constraints imposed by compliance and regulatory requirements. Leveraging industry standards with full data integration is one was to tackle this challenge. Learn More
From Dennis Byron: Is it better to choose one strain of BPM over another? The answer is unique to your organization. Learn More
Can decision management really deliver costs savings, agility and happy customers on a consistent basis? Learn More
From Dennis Byron: BPM products optimized for case management might be the products that bridge the extremes in my view of the BPM spectrum. Learn More
Integrating BPM and CEP gives you intelligent business processes that can react to rapidly changing business conditions with continuous visibility. Learn More
Insurers need to think about creating "true linkage," which means linking business strategy to process to IT investments and thereby setting the foundation for true change. Learn More
To be effective, business intelligence technology must work behind the scenes to deliver relevant information when, where, and how it's needed. Learn More
A lot of people are talking about Enterprise 2.0 as being the business application of Web 2.0 technology. However, there's still some debate on exactly what this technology entails, how it applies to today's business models, and which components bring true value. Some use the term Enterprise 2.0 exclusively to describe the use of social networking technologies in the enterprise, while others use it to describe a web economy platform, or the technological framework behind such a platform. Still others say that Enterprise 2.0 is all of these things. Learn More
Smart event processing can help your company run smarter and faster. This comprehensive guide helps you research the basics of complex event processing (CEP) and learn how to get started on the right foot with your CEP project using EDA, RFID, SOA, SCADA and other relevant technologies. Learn More
To Michael: To select what has to be improved (e.g. automated), a...
Hi Johan,
thank you for such prompt response.
I...
Phil,
It appears that Google is looking at the world...
I believe work has been done in this area privately for some time....
I wonder if BPM has become more popular because many solutions...
We are looking for a FileNET admin/developer in Houston, TX. The...
As we see more companies consider the cloud we should be...
Scott,
I agree that process management is good way for...
|
|
|
|
