SAN FRANCISCO -- Oracle Corp. CEO Larry Ellison likes to boast that his company's products are unbreakable, but he apparently is not.
Ellison, who was scheduled to give a keynote speech at RSA Conference 2007 Wednesday, was a no-show, thanks to what Oracle officials said was a bad case of the flu.
Ellison's speech was to be one of the highlights of the annual information security confab, as the database software giant has been under fire in recent months from security experts and others over its security response practices and patching process. It was to be Ellison's first appearance as a speaker at RSA, and many of the attendees left the keynote session when it became clear he wasn't coming. Instead of Ellison, Hasan Rizvi, Oracle's vice president of identity management and security products, took the stage.
The IGF is designed to enable enterprises to define policies for sharing sensitive data securely. It was developed by Oracle, and is supported by a number of other vendors, including Sun Microsystems Inc., CA Inc., Hewlett-Packard Co., and Novell Inc. Database Vault is Oracle's attempt to help database administrators lock down their systems and ensure that users only get access to the resources they are authorized to see. Rizvi said it combines user access control with the ability to dictate which database operations can run and when, and whether users can run them remotely as well as locally.
"This is preventative control. This is not something you can work around," Rizvi said. "This is about baking in security, not bolting it on. This is about secure products, not security products."
Database security has been a hot topic of late, thanks to the daily drumbeat of stories about crackers stealing data from corporate networks. Dozens of companies, universities and government agencies have suffered serious data thefts in the last couple of years, and the attacks have not gone unnoticed by security vendors, legislators and government regulators. Oracle's lack of a cohesive security strategy has opened the door for a new crop of third-party database security vendors, including Application Security Inc., Lumigent Technologies Inc., Tizor Systems Inc. and NGS Software Ltd.
During his speech, Rizvi also talked about the company's Secure Enterprise Search, a standalone product designed to sift through all of the files, documents and database records on a network. The software has integrated single sign-on and policy enforcement capabilities that enable it to only return search results for the documents and resources that each user is authorized to see. In a demonstration of the product on stage, an Oracle employee searched for "IDM" and was presented with a Google-esque results page showing emails, documents, files and other information related to identity management.
"Clearly our focus is on information security and protecting data and the applications that access that data and doing it in a heterogeneous environment," Rizvi said.
CA chief calls for simpler security
Not surprisingly, CA President and CEO John Swainson decried the complexity of security and fragmentation of the market during his keynote Wednesday, calling for better management of IT where security is inherent in applications and services.
Swainson said today's security systems still follow models developed 30 years ago, when security was not inherent in designs but built on a physical trust model; he offered the example of companies securing their financial systems by locking their ledger books away in vaults. With the advent of the Internet, incorrect assumptions were also made that users would access only the information they were entitled to.
"We're going after problems as if they had finite solutions," Swainson said. "We have to integrate security so that it's simple and intuitive, with good user interfaces. We need to pay attention to how people use this stuff." Swainson said the disconnect between security and development must go away.
"We have to evolve security services into the infrastructure and make security implicit in the operating system, network and the tools we develop," Swainson said. "Then, applications will inherit attributes of security."
In one of Wednesday's other keynotes, IBM Internet Security Systems (ISS) General Manager Thomas Noonan said security needs to move beyond a silo model to a systems approach where access is a privilege and not a right by default. Noonan was the CEO of ISS before it was acquired by IBM last October.