Oracle’s Strategy for Handling the Current Security Threat Landscape
-
Posted by Harry E Fowler
- Last updated 5/28/19
- Share
In security, we’re operating in a time of unparalleled challenge. As emerging technologies redefine the cybersecurity landscape, IT decision-makers are realizing the benefits of next-generation Cloud technology used to protect and defend against security threats.
Dorian Daley, Executive Vice President and General Counsel at Oracle, and Edward Screven, Chief Corporate Architect at Oracle, spoke about the current threat landscape and Oracle’s strategy for addressing it. The pair spoke about how Oracle is enhancing the relationships with customers by adopting a service model that allows customers to shift the security burden and risk to Oracle. They also covered how Oracle has rebuilt Cloud and the Autonomous Database, so customers are fully equipped to truly protect their data and eliminate human error from the security equation.
Today’s Security Landscape
While there is undoubtedly an increasing number of security threats, there are also significant opportunities within today’s security landscape. In terms of cyber threats and cybersecurity, Edward described today’s landscape as intense, to say the least. Think about the way computing, networks, and the way people manage data has evolved over the last 20 to 30 years. Computing has moved out to the edge—into people’s pockets. There are billions of devices around the world that have network connectivity. This means that there are gigantic amounts of valuable data being generated, and it’s moving around all the time.
The information derived from this data is one of the most valuable assets for companies and government agencies, which means there is a tremendous incentive for hackers to try to access, change, or exploit that information.
Many customers recognize the importance of security in today’s landscape, which wasn’t necessarily the case a few years ago. Even one mistake can have ripple effects that drastically impact a company. A few of the effects that a cyber attack can have include:
- A damaged company reputation
- Lack of trust and confidence from customers
- Inability to perform tasks (produce goods and services)
- Inability to maintain financial stability
- Loss of privacy
Issues of data privacy and security are intertwined—two sides of the same problem. On the privacy side, there is an explosion of regulatory frameworks around the world. It started with GDPR in the EU, which established a baseline. While there has been a slightly different approach in the United States, many states are starting to institute their own privacy regimes. There is still ongoing discussion about the possibility for national privacy legislation and framework in the United States.
What Customers Are Looking For
Many customers want to offload the burden of security of environments and data, which is a reasonable request to make. Companies are beginning to look to third-party vendors for help with this problem.
There are thousands of large enterprises and governments that have important data and systems, and it’s hard for all of those enterprises to spend enough money each individually to make all systems completely secure. The nature of the security threats in today’s landscape is that there are numerous attackers that are well-funded and sophisticated, so it’s easy for them to find vulnerabilities within enterprise systems.
However, a Cloud vendor (like Oracle) manages the data of tens of thousands of customers. Vendors like Oracle have the means to spend enough to ensure that systems are completely secure, unlike enterprises on their own. It’s unrealistic to expect enterprises and governments to secure their own systems when the resources they have are dispersed elsewhere. On the other hand, third-party vendors have concentrated resources that are solely focused on and dedicated to this security problem. They can build secure systems in ways that customers simply cannot do on their own.
The Technical Approach for Addressing Risks
When Oracle developed the second-generation Cloud, the need to take an unconventional approach was realized. All of the servers that Oracle has at the Oracle Cloud Data Center do not actually have a direct network connection to any other part of the network. Instead, each server is connected to a security processor—a separate computer dedicated to that one application server.
This security processor mediates all network access in- and out-of-the-box. It also takes care of things like ensuring that the box gets a secure Image when it starts up, re-imaging the box, etc. The security code that maintains the fundamental level of security of the virtualized Cloud runs outside of the computer that is running any application code. This means that there is no way for an attackers code that is running in one of those servers to get out into the network. It cannot compromise the security code running in the security processor server. It also means that code running in the security processor to reach into the application server. The connection between the two is by Ethernet. They were intentionally designed to be separate. If a customer is concerned about Oracle looking at their data and memory, it’s important to know that that’s not possible with this setup.
This fundamental level of security is the base for everything else that Oracle has built up, including machine learning algorithms that look at network traffic for patterns of attack and the Autonomous Database that comes with automated patching with zero downtime. Patching right away is the key to security, and Oracle knew that customers wouldn’t want to patch if zero downtime patching wasn’t an option.
This idea of depth of defense makes Oracle stand out to many customers. Oracle builds every level of the stack—storage systems, computers, operating systems, virtualization software, networking software, application software, control plane, etc. This gives Oracle a more holistic view of the problem in comparison to other Cloud vendors. Security is considered at every individual level.
A Shift in the Mindset About Cloud
There has been a perceptible shift in the way customers think of the Cloud. When Cloud first came into the picture, many customers viewed it as a threat to the security of their data. Nowadays, it is the solution to security risks that many are looking for. Customers are beginning to understand that third-party Cloud vendors like Oracle can provide a much more secure environment for them than they can create on their own. However, many customers do have constraints, but Oracle can help them tackles these obstacles.
Benefits of Moving to Cloud
There are more benefits for customers than just having a third-party take over the burden of security risks. Whether customers are moving to the Cloud, Oracle Cloud Infrastructure, Oracle Autonomous Database, SaaS applications, etc., they are given a chance to focus on adding value to their organization.
Instead of focusing on administrative work and keeping the lights on, employees can focus more on helping the business model data, allow data and analytics to drive business decisions, etc. Using automation through Cloud helps companies better manage their information, make better decisions, and provide opportunities for employees to contribute value to the organization.
It can be hard for customers to find the right transition path to the Cloud. They have to figure out how to get from where they are now to where they want to go and need to be. In addition to the security benefits of Cloud, another benefit is that any piece of software, operating system, hypervisor, etc. in the Cloud. That makes it a lot easier for customers to pick up existing workloads and move them into Cloud because there is less that needs to change. Not to say that it’s simple or easy, but Oracle is working hard to overcome any obstacles that might come up when making the move to Cloud.
Potential Barriers to Cloud Adoption
The area where Cloud adoption is slower is where there are perceived or actual regulatory constraints. Some customers find it hard to comply with regulation if, for example, the data isn’t in their data center. Oracle is addressing that issue through a solution known as Cloud at Customer. This allows Oracle to take a piece of the Cloud and run it in someone else’s data center.
One popular option is Exadata Cloud at Customer, which allows customers to take the same Exadata service that is run in the Oracle Public Cloud and put it in their data center. Oracle still administers, monitors, and manages it using the same automated tools as in their own Cloud. In fact, customers using this solution have a connection from their machine back to the Oracle Cloud Infrastructure while having the data in their own data center. This has helped a lot of customers overcome some of the regulatory barriers that they are facing. It also helps provide integration between internal systems that companies don’t plan to move anytime soon and the Exadata Cloud. There are communication advantages to having the Exadata Cloud close to applications instead of having it remote in an Oracle data center.
Where to Make Investments
While many customers are focused on the benefits of new technologies, there is still a learning curve when it comes to knowing how to best secure frameworks and where to make investments in order to get the biggest bang for your buck. While many executives and policymakers know that investments in IT and security infrastructure are critical, the larger amount of investments still go toward other areas like human capital management. There is a perception that the biggest threat is humans.
However, Dorian and Edward discussed the importance of investing first in technology. This allows companies to get ahead of threats, including human errors, and scale them reliably. If the source of many of your security problems is human error, hiring more humans doesn’t make sense as the best logical solution. Automation, Cloud, and other technologies can help secure your system. It’s important to leverage the right technology first. Companies need to minimize their attack surface and focus on defending that small area instead of continuously hiring more and more people—expanding the room for error. You can’t simply hire more people to manage the same mess. You need to focus on cleaning up the mess first.
One question to ask when you are thinking of making the move to the Cloud is, “Who needs to part of the discussions about moving to the Cloud?” Is it CEOs, CFOs, the head of HR, functional teams, IT, or all of the above? Edwards explained that conversations should typically take place with two classes of people.
- High-level executives (CEOs, CFOs, CHROs, etc.)
- Developers—the people who will be building the applications
Having these conversations will help ensure that all stakeholders understand how Cloud can help address security threats and provide a secure place for data that attackers can’t get to. It’s important to get all stakeholders on board with the move and make them understand how it will provide long-lasting benefits.
Conclusion
There is not going to be an end to the threats that companies are facing in today’s landscape. If anything, attackers will only become bolder and more sophisticated. So, what’s the future for addressing cyber risks? The answer is Cloud. There are many benefits, both for security and cost-saving, to moving data into the Cloud. Resources will be dedicated to protecting enterprise systems and that data that they hold. Data will be safe because there will be no vulnerabilities within systems for attackers to take advantage of.
To hear Dorian and Edward’s full discussion about today’s security landscape and how Oracle Cloud can help customers secure and defend their enterprise system against potential risks, check out the video below.