Where are we now?
We would like to start with a quote from a security report based on research of 110 companies from industries including financial services, the government, and IT. The quote is quite long but really interesting:
• More than two-thirds of IT security resources remain allocated to protecting the network layer, while less than one-third of the staff and budget resources were allocated to protecting core infrastructure such as databases and applications.
• When comparing the potential damage caused by breaches, most enterprises believed that a database breach would be the most severe.
• Nearly 66 percent of respondents said they apply a security inside out strategy, whereas 35 percent base their strategy on endpoint protection.
• Even with this fundamental belief in strategy, spending does not truly align as more than 67 percent of IT security resources—including budget and staff time—remain allocated to protecting the network layer and less than 23 percent of resources were allocated to protecting core systems like servers, applications, and databases.
• 44 percent believed that databases were safe because they were installed deep inside the perimeter.
How old do you think this report is? Twenty years, maybe ten? Not at all. The results of this survey (http://www.oracle.com/us/corporate/press/1972875) were published in mid-2013. Take a look at the Oracle SOA development roadmap table (Chapter 2, An Introduction to Oracle Fusion - a Solid Foundation for Service Inventory). Basic Security Profile Version 1.1 was published in 2009, and this profile has de facto finalized all the security standards developed over more than 10 years. You do not have to be a pentester to understand that something is wrong here. The question is, how bad?
No, this is not bad, because the word bad is not strong enough to describe how horrible the actual situation is! It simply means that in at least 66 percent of cases, vital information about your clients, financial transactions, planned mergers/acquisitions, employees' private data, and strategic development/products is already in the caring hands of your diligently watchful competitor(s). It also means that in two-thirds of cases this information can be acquired within two days without significant investment in complex sniffing equipment. Yet again, in most cases, it's in the best interest of intruders to keep your data intact and hide all evidence of the security breach.