In recent times, the insider threat has emerged as a major concern for organizations. While some companies are still ignorant about its implications, others like Indian refinery and marketing major Hindustan Petroleum Corporation Ltd (HPCL) believe in restraining the monster at the foundation itself.
As a result of this thought process, when HPCL decided to develop a crude oil import tender (COIT) application, the security and privacy of bidders (as well as their bid information) became a key priority. This electronic tendering application was going to handle extremely sensitive and high-value transactions worth millions of dollars. There was also the fear of leakage of bid information among the bidders, which raised alarms about security at database levels. "The traditional design of applications would have involved data storage in an ordinary database, which could easily be accessed by custodians of the database such as system administrators and database administrators (DBA). We wanted to address this risk using security at database levels before we moved the crude oil tendering
process on to an electronic platform," explains S T Sathiavageeswaran, the general manager of information systems for HPCL.
The COIT application is essentially a Web-based application developed in-house. Whenever there is a requirement for crude oil, the company announces online tenders. Bidders are requested to log in and submit their bids. This application is built in such a way that no bid can be opened before the date and time fixed for opening that particular tender. The e-tendering application has smoothened bidding processes, and helped HPCL to procure the right quality of crude oil at the optimum time and price.
It was critical for HPCL to protect sensitive bid information stored in the application database even from privileged users such as the DBA and system administrator. After a little research, the company realized that none of the leading database vendors other than Oracle offered such functionality when it comes to security for databases. HPCL, which had been an Oracle customer for long, therefore decided to address the security of its database with Oracle's Database Vault and Audit Vault solutions.
According to Sathiavageeswaran, the Database Vault helped them to precisely define user access to application components, improving database security. Only the application owners—business users (rather than technical users like the DBA)—can decide access rights for various application components. The database security solution essentially provides privileged user access controls, separation of duty, along with the ability to control access to applications, data and databases. It prevents privileged users (such as the DBA) from accessing application data by simply defining a realm around sensitive schemas and objects. It also offers multi-factor policies which control access based on factors such as time of day, IP address, application name, and authentication method. For example, the DBA will not be able to access any bid information captured by the application unless the application owner allows him to do so.
Still, what happens to security at database levels if the application owner decides to give access to an unauthorized individual? Sathiavageeswaran explains that the Audit Vault, another database security solution adopted by them, essentially helps addressing such issues by monitoring database activities within the vault. It basically enables HPCL to audit and monitor all database activity, as well as automates audit data collection and consolidation from all database servers.
The company decided to use a combination of these two products in order to provide security for its database, due to features that offer added protection. While the Database Vault helps to create roles and access rights around application data, the Audit Vault helps monitor adherence to rules and policies.
HPCL started using these database security solutions with the e-tendering application around a year back. The company did not face many challenges in implementation of security at database levels, but since these are fairly new products for India, the HPCL team had to work closely with technical experts from Oracle to get things exactly the way they wanted.
Sathiavageeswaran informs that at present these database security solutions work only with Oracle databases; they do not support the databases of other vendors. He feels that awareness of and sensitivity about the security of a database is very low among Indian enterprises and even among technology providers. "After implementing security at database levels, we are now looking at a number of other business use cases where sensitive data can be put under the vault to assure business users of its safety."
As the second phase of these rollouts, HPCL is planning to implement additional security by having digital signatures (public key infrastructure) on the bids. The company is in talks with certified authorities (CAs) in India to discuss how they can provide digital signatures to foreign vendors. For digital signatures to be valid in India, they have to be issued by an Indian CA; however, Indian CAs currently don't issue digital signatures to foreign nationals. Once this issue is sorted out, HPCL will start using digital signatures as well—and further improve the security of its database.