Oracle OpenWorld 2019 has had groundbreaking news related to cloud security that I’m tremendously excited about. We have been busy, and while security-first has been a core operating tenet for Oracle since the inception of our Generation 2 Cloud, our latest body of work introduces significant changes in the way that public clouds address protection of critical workloads.
At the forefront of our announcements is security automation. The consensus among experts and analysts is that security misconfigurations are the most common cause of breaches and data theft in cloud deployments. The big question is whether customers of the cloud are using it securely.
A simple search on “cloud misconfiguration” yields article after article with sobering statistics, such as The Scourge of Misconfiguration. The truth is that most clouds are highly resilient to attacks, but customers often lack the resources and expertise to use all the security tools and controls that cloud providers make available. Even when teams have cyberskill depth and know-how, customer security practices and configurations can drift over time, leaving systems unpatched for common vulnerabilities, and permissions to access ranging from too broad to nonexistent.
Customers want more than tooling to manage access, traffic ingress, and application use. They need security to be easier to implement and maintain. This is at the core of Oracle’s new approach to cloud security, enabled by the following brand-new offerings:
Maximum Security Zones: Enclaves within a customer’s environment where security is mandatory and always on. Maximum Security Zones provide a combination of preventative and detective controls that enforce security controls and practices to customer-defined configurations of Oracle Cloud resources. This helps customers lock down resources to known secure configurations, automatically prevent insecure configuration changes, and continuously monitor and block anomalous activities. Maximum Security Zones are enforced though the automated activation of all relevant and preconfigured security services, including application security and Cloud Guard, among others.
Oracle Cloud Guard: A unified security solution designed to provide centralized protection for a customer’s cloud assets. It analyzes data, automatically detects threats and misconfigurations, and then finds and eliminates those security threats. Oracle Cloud Guard does this proactively at all times and automatically intervenes without human intervention. Oracle Cloud Guard constantly watches and collects data from every part of the infrastructure and application stack, including audit logs, Oracle Data Safe, Oracle OS Management Service, and third-party products. Oracle Cloud Guard proactively detects and automatically stops anomalous activity, such as shutting down a malicious instance and proactively revoking user permissions when it detects anomalous user behavior.
Data Safe: Leveraging Oracle's decades of database security experience, Oracle Data Safe detects gaps in the defensive posture of database implementations and gives visibility to security issues involving data, users, and configurations. A unified database security control center, Data Safe helps automate the protection of customers’ data, including monitoring database activity, sensitive data discovery, and data masking, and provides actionable recommendations on how to mitigate security risks. Data Safe can be used with Oracle Database Cloud services, including Autonomous Database, and complements the self-securing security features of the Oracle Autonomous Database, such as always-on encryption and automated patching.
Taken together, these new services make security enforceable by default and further centralize cloud and data security posture management. No other cloud vendor has automated the enforcement of security practices and the detection and resolution of issues. It represents a complete rethinking of the cloud responsibility matrix. If a customer wants our help to secure their critical workloads, we will provide it as a clickable option that gives them the highest levels of protection available on Oracle Cloud without the human intervention required to choose individual features or maintain security settings.
And that’s not all. In total, there are over a dozen new security features, including our new Logging Service, Dedicated Autonomous Database, Dedicated VM Hosts, enhancements to the Key Management service and Identity and Access Management, as well as defense in depth with Web Application Firewall (WAF) updates, microsegmentation support in network security, and a host of security partnerships with market leaders.
We believe that we’re making Oracle Cloud the most secure place for critical enterprise workloads. We’re operating with a philosophy that cloud customers should be able to easily protect their data and applications according to automated security practices, rather than be left on their own to piece together custom security architectures, and face negative consequences from misconfiguration. To learn more, visit our comprehensive Oracle Cloud security practices page or contact us.
Future Product Disclaimer
The preceding is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, timing, and pricing of any features or functionality described for Oracle’s products may change and remains at the sole discretion of Oracle Corporation.