Where's Larry? Ellison calls out sick at RSA Conference

By Dennis Fisher, Executive Editor 08 Feb 2007 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

Ellison, who was scheduled to give a keynote speech at RSA Conference 2007 Wednesday, was a no-show, thanks to what Oracle officials said was a bad case of the flu.

Ellison's speech was to be one of the highlights of the annual information security confab, as the database software giant has been under fire in recent months from security experts and others over its security response practices and patching process. It was to be Ellison's first appearance as a speaker at RSA, and many of the attendees left the keynote session when it became clear he wasn't coming. Instead of Ellison, Hasan Rizvi, Oracle's vice president of identity management and security products, took the stage.

RSA Conference 2007 Can't make it to the show? SearchSecurity.com staff members are on the RSA floor, on hand to deliver the latest RSA Conference 2007 news and updates.

Ellison is known as a high-energy, somewhat unpredictable speaker and is prone to taking shots at Oracle's competitors in his speeches. Rizvi conversely stuck to his script, talking about the security-related announcements Oracle made Wednesday, including the company's plan to submit its Identity Governance Framework to the Liberty Alliance for development as an open standard. Oracle also announced the Oracle Management Pack for Identity Management and said that the company's Database Vault product is now certified on PeopleSoft applications.

The IGF is designed to enable enterprises to define policies for sharing sensitive data securely. It was developed by Oracle, and is supported by a number of other vendors, including Sun Microsystems Inc., CA Inc., Hewlett-Packard Co., and Novell Inc. Database Vault is Oracle's attempt to help database administrators lock down their systems and ensure that users only get access to the resources they are authorized to see. Rizvi said it combines user access control with the ability to dictate which database operations can run when and whether users can run them remotely as well as locally.

"This is preventative control. This is not something you can work around," Rizvi said. "This is about baking in security, not bolting it on. This is about secure products, not security products."

Database security has been a hot topic of late, thanks to the daily drumbeat of stories about crackers stealing data from corporate networks. Dozens of companies, universities and government agencies have suffered serious data thefts in the last couple of years, and the attacks have not gone unnoticed by security vendors, legislators and government regulators. Oracle's lack of a cohesive security strategy has opened the door for a new crop of third-party database security vendors, including Application Security Inc., Lumigent Technologies Inc., Tizor Systems Inc. and NGS Software Ltd.

During his speech, Rizvi also talked about the company's Secure Enterprise Search, a standalone product designed to sift through all of the files, documents and database records on a network. The software has integrated single sign-on and policy enforcement capabilities that enable it to only return search results for the documents and resources that each user is authorized to see. In a demonstration of the product on stage, an Oracle employee searched for "IDM" and was presented with a Google-esque results page showing emails, documents, files and other information related to identity management.

"Clearly our focus is on information security and protecting data and the applications that access that data and doing it in a heterogeneous environment," Rizvi said.

CA chief calls for simpler security

Not surprisingly, CA President and CEO John Swainson decried the complexity of security and fragmentation of the market during his keynote Wednesday, calling for better management of IT where security is inherent in applications and services.

We have to integrate security so that it's simple and intuitive, with good user interfaces. We need to pay attention to how people use this stuff. John Swainson CA Inc.

"We're not realizing the full potential of IT," Swainson said. "We're making it too difficult and we risk losing the faith of consumers."

Swainson said today's security systems still follow models developed 30 years ago when security was not inherent in designs, but built on a physical trust model; Swainson offered the example of companies securing their financial systems by locking their ledger books away in vaults. With the advent of the Internet, incorrect assumptions were made as well that users would access only information they were entitled to.

"We're going after problems as if they had finite solutions," Swainson said. "We have to integrate security so that it's simple and intuitive, with good user interfaces. We need to pay attention to how people use this stuff." Swainson said the disconnect between security and development must go away.

"We have to evolve security services into the infrastructure and make security implicit in the operating system, network and the tools we develop," Swainson said. "Then, applications will inherit attributes of security."

In one of Wednesday's other keynotes, IBM Internet Security Systems (ISS) General Manager Thomas Noonan said security needs to move beyond a silo model to a systems approach where access is a privilege and not a right by default. Noonan was the CEO of ISS before it was acquired by IBM last October.

<< Return to our special coverage of RSA Conference 2007

Tags: Database Security Management,  Software Development Methodology,  Security Industry Market Trends, Predictions and Forecasts,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Database Security Management What is the best database patch management process? Unpatched vulnerability discovered in Microsoft SQL Server SQL injection continues to trouble firms, lead to breaches Oracle issues quarterly patches, fixes database flaws Database monitoring, encryption vital in tight economy, Forrester says Oracle to buy Sun Microsystems for $7.4 billion Oracle issues 43 updates, fixes serious database flaws Imperva assigns security risk levels to databases How to create configuration management plans to install DLP Information security book excerpts and reviews Database Security Management Research Software Development Methodology How to detect software tampering Developers Need Help with Security Errors Does an EULA make it truly illegal to decompile software? SQL injection continues to trouble firms, lead to breaches IBM acquires Ounce Labs for source code analysis Microsoft issues emergency Active Template Library updates Software security threats and employee awareness training Adobe patches ColdFusion vulnerability blocking website attack nCircle statistics show rising Web application vulnerabilities Common PCI questions: Web application firewalls or source code review? Security Industry Market Trends, Predictions and Forecasts Healthcare security spending remains sluggish, report shows How to use Internet security threat reports M86 buys Web security gateway vendor Finjan Information Security Decisions 2009: Presentation downloads Bruce Schneier on outsourcing, awareness training Marcus Ranum on cyberwarfare, infosec careers McAfee survey finds faults in midmarket enterprise security Email archiving vendor sues Gartner over Magic Quadrant Information Security magazine October issue PDF Editor's Desk: Security 7 Winners Chronicle Trends That Shape The Industry Security Industry Market Trends, Predictions and Forecasts Research

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary data encryption/decryption IC  (SearchSecurity.com) International Data Encryption Algorithm  (SearchSecurity.com) link encryption  (SearchSecurity.com) MD2  (SearchSecurity.com) MD4  (SearchSecurity.com) MD5  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary