
Home -> Community -> Usenet -> c.d.o.server -> Re: tough choices

Re: tough choices

From: Buck Nuggets
Date: 26 Jun 2004 13:36:19 -0700

Mark Townsend wrote in message news:<Y2gDc.120188$0y.88598_at_attbi_s03>...
> Buck Nuggets wrote:
> > I've got an application that has implemented some very complex
> > security policies like this in the application layer and it is a
> > maintenance nightmare.
> Doing it once in the database reduces this maintenance nightmare.

Well, it certainly would have some advantages - like the ability to apply to any application that connects. But I was actually wondering about management functionality that would allow you to easily audit the rules - to know what is covered and what isn't. That need exists regardless of which platforms security is implemented on.

> If you are willing to express your security policies via access labels,
> then Oracle has a packaged solution, called Oracle Label Security, that
> will automate the generation and maintenance of your policies for you.

Cool, I'll check this out.

> > Of course, that brings up the other potential
> > challenge with policies like these - can they be implemented as easily
> > on the BI (data warehousing, data mart, OLAP) side as they are on the
> > OLTP side? Or is the best practice implementation for those very high
> > security apps that don't ever allow the data out of a single
> > centralized repository?
> People use this stuff A LOT for Data Warehouses, often to remove the
> need to proliferate multiple downstream data marts. A classic is a bank
> that increases the privacy of customer information internally, the more
> money the customer has. Generally, I guess they would tend to see a
> secure, single centralized repository as a good thing, not a bad thing.

Not me. I've seen *far* too many warehouse projects killed due to slow construction and adaptation speed. Over-centralization is often one of the causes. Additionally, there are cost and scalability issues as well. I'd prefer to see multiple databases communicate these policies between one another via an LDAP service, etc.

If I've got to centralize all my data on a single database in order to take advantage of a security option then it forces me to accept another major risk factor. Not to say that there aren't times when this isn't best, just not often in my opinion.

buck

Received on Sat Jun 26 2004 - 15:36:19 CDT
