Fusion, security and a sated hunger

By Joris Evers, CNET News.com
Thursday, April 06, 2006 11:39 AM
Oracle's raft of acquisitions over the past year or so has taught it some important lessons about security procedures, and it plans to keep tightening things up.

Billions of dollars worth of acquisitions have bought Oracle a perhaps unexpected bonus: security lessons.

Last year, the database firm bought more than a dozen companies. Now it's picking up tips from those operations and using them in a major overhaul of its business applications software, an initiative called Project Fusion. Other products and processes are benefiting, too.

In return, Oracle is teaching its new employees something about security--literally. The company found that none of the companies it bought required security-specific training for staff. But Oracle does. So employees brought in from PeopleSoft, JD Edwards, Retek and Oblix purchases, among others, are learning the ropes.

All in all, Oracle hopes the security sum will be greater than its parts.

"To make the merged organisation successful, we take the best of what they did and the best of what we do, and make it what the combined company does," Mary Ann Davidson, Oracle's chief security officer, said in an interview last week.

Security has been a bugbear for the database specialist, which has drawn criticism for the time it takes to fix flaws and the quality of its patches. Experts will be watching closely to see what comes of any new effort. Moreover, Fusion is a hefty undertaking, with the aim of incorporating the technology of companies Oracle has acquired.

And security is only one element of Fusion. Oracle's president, Charles Phillips, recently said the company, one year into the project, is already half done with its work on the next generation of its applications. Yet, Phillips said, the first Fusion applications won't be ready until 2008--a schedule that falls in line with previous promises.

Oracle isn't saying much about security in Fusion or in any of its other products, but in meetings with Builder UK sister site CNET News.com last week, company representatives lifted the veil on the software maker's endeavours to get all its security eggs into one basket.

One lesson Oracle has learned from PeopleSoft is that less customisation equals fewer security risks. While Oracle has historically allowed developers to program on top of its applications, PeopleSoft took a more limited approach. Its software was mainly set up to let customers analyse their business processes, then build upon its applications.

"What you can do from a security perspective in PeopleSoft is limited, while Oracle is more fine-grained and more customisable," said John Heimann, director of security programme management at Oracle. "Sometimes simplicity is good for security, because you can sometimes code yourself into a hole."

Oracle allows developers to define security roles with a lot of flexibility, increasing the risk of mistakes and thus the introduction of flaws. For example, it is possible to restrict which user can access a specific part of an application based on very detailed rules, Heimann said. PeopleSoft doesn't provide the same level of flexibility, he said.

"We're going to try and combine the simplicity and declarative nature of PeopleSoft and PeopleTools with the extensibility and flexibility of the Oracle applications framework," Heimann said.

As an indication of that, Oracle executives said a key person working on security for Fusion is Robert Armstrong, a former PeopleSoft security chief.

Another lesson partially learned from PeopleSoft is to ship products that have a high level of security out of the box, or at least provide an easy way to increase the security level--something Oracle calls the Secure Configuration Initiative. "In the past, our products have tended to be developer-friendly out of the box," Heimann said. "There were accounts with easy-to-remember passwords like 'Welcome1', demo code, and things were set with permissions that were wide open."

Oracle's 10g database products, which shipped in 2004, delivered on some of the "secure by default" approach, Heimann said. Customers should see more of it in future products, including the next generation of the database family, he added.

"It will be there to a much greater extent in 11g, and it is a focus for Fusion," he said. "That is the future: Security by default, and delivering it so you don't have to be a sophisticated developer to implement security rules."

For example, Oracle is thinking of allowing a system administrator to change security settings using a simple user interface or with drag-and-drop capabilities, Heimann said.
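The "developer-friendly out of the box" install described above (accounts with passwords like 'Welcome1', demo schemas, wide-open permissions) is the kind of thing a secure-configuration baseline check is meant to catch. The following is an added illustration, not Oracle's code or its catalogue views: it audits a constructed account inventory and grant list for exactly those three conditions and applies the corresponding secure-by-default remediation. The account records, the salted-SHA-256 verifier scheme, and all names are constructed for the example.

```python
import hashlib
from dataclasses import dataclass, replace

# Constructed data and a toy verifier scheme: not Oracle's real password
# storage or data dictionary. Extend DEFAULT_PASSWORDS with your own defaults.
DEFAULT_PASSWORDS = ("Welcome1",)
DATA_PRIVS = {"SELECT", "INSERT", "UPDATE", "DELETE", "EXECUTE"}

@dataclass(frozen=True)
class Account:
    name: str
    salt: str
    verifier: str     # hex sha256(salt + password) in this toy scheme
    demo: bool        # shipped as a sample/demo schema
    locked: bool

def make_verifier(salt: str, password: str) -> str:
    return hashlib.sha256((salt + password).encode()).hexdigest()

def uses_default_password(acct: Account) -> bool:
    # Compare against verifiers of the known defaults; no plaintext is stored.
    return any(make_verifier(acct.salt, p) == acct.verifier for p in DEFAULT_PASSWORDS)

def audit(accounts, grants):
    """Return (subject, finding) pairs. grants: (grantee, privilege, object)."""
    findings = []
    for a in accounts:
        if a.locked:
            continue  # a locked account is unusable whatever its password
        if a.demo:
            findings.append((a.name, "demo account unlocked"))
        if uses_default_password(a):
            findings.append((a.name, "default password in use"))
    for grantee, priv, obj in grants:
        if grantee == "PUBLIC" and priv in DATA_PRIVS:
            findings.append((obj, f"{priv} open to PUBLIC"))
    return findings

def harden(accounts, grants):
    """Secure-by-default baseline: lock demo accounts and accounts still on a
    default password (until reset), and drop data/execute grants to PUBLIC."""
    fixed_accounts = [replace(a, locked=True) if (a.demo or uses_default_password(a)) else a
                      for a in accounts]
    fixed_grants = [g for g in grants if not (g[0] == "PUBLIC" and g[1] in DATA_PRIVS)]
    return fixed_accounts, fixed_grants

# Constructed post-install inventory
ACCOUNTS = [
    Account("APPADMIN", "s1", make_verifier("s1", "Welcome1"), demo=False, locked=False),
    Account("DEMO_HR", "s2", make_verifier("s2", "x9!Kq2"), demo=True, locked=False),
    Account("FIN_APP", "s3", make_verifier("s3", "Long-random-pw-7"), demo=False, locked=False),
]
GRANTS = [("PUBLIC", "EXECUTE", "PAYROLL.RUN_BATCH"),
          ("FIN_APP", "SELECT", "PAYROLL.LEDGER"),
          ("PUBLIC", "SELECT", "HR.DEMO_EMPLOYEES")]
```

Running `audit(ACCOUNTS, GRANTS)` reports the default password, the unlocked demo schema and both PUBLIC grants; after `harden`, the audit comes back empty and only the application account with its explicit grant remains usable.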
