Oracle FAQ Your Portal to the Oracle Knowledge Grid
HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US
 

Home -> Community -> Usenet -> c.d.o.server -> Re: tough choices

Re: tough choices

From: Buck Nuggets <bucknuggets_at_yahoo.com>
Date: 26 Jun 2004 13:36:19 -0700
Message-ID: <66a61715.0406261236.4440bfb3@posting.google.com> 





Mark Townsend <markbtownsend_at_comcast.net> wrote in message news:<Y2gDc.120188$0y.88598_at_attbi_s03>...


> Buck Nuggets wrote:

> 

> > I've got an application that has implemented some very complex

> > security policies like this in the application layer and it is a

> > maintenance nightmare.  

> 

> Doing it once in the database reduces this maintenance nightmare.




Well, it certainly would have some advantages - like the ability to
apply to any application that connects.  But I was actually wondering
about management functionality that would allow you to easily audit
the rules - to know what is covered and what isn't.  That need exists
regardless of which platforms security is implemented on.



> If you are willing to express your security policies via access labels, 

> then Oracle has a packaged solutiuon, called Oracle Label Security, that 

> will automate the generation and maintenance of your policies for you.




cool, i'll check this out.



> > Of course, that brings up the other potential

> > challenge with policies like these - can they be implemented as easily

> > on the BI (data warehousing, data mart, olap) side as they are on the

> > OLTP side?  Or is the best practice implementation for those very high

> > security apps that don't ever allow the data out of a single

> > centralized repository?

> 

> People use this stuff A LOT for Data Warehouses, often to remove the 

> need to proliferate multiple downstream data marts. A classic is a bank 

> that increases the privacy of customer information internally, the more 

> money the customer has. Generally, I guess they would tend to see a 

> secure, single centralized repository as a good thing, not a bad thing.




Not me.  I've seen *far* too many warehouse projects killed due to
slow construction and adaptation speed.  Over-centralization is often
one of the causes.  Additionally, there are cost and scalability
issues as well.  I'd prefer to see multiple databases communicate
these policies between one another via an ldap service, etc.



If I've got to centralize all my data on a single database in order to
take advantage of a security option then it forces me to accept
another major risk factor.  Not to say that there aren't times when
this isn't best, just not often in my opinion.



buck
Received on Sat Jun 26 2004 - 15:36:19 CDT












Original text of this message













  HOME |
  ASK QUESTION |
  ADD INFO |
  SEARCH |
  E-MAIL US