There is an incredible transformation we are all experiencing with cloud computing. The cloud truly is changing everything. It’s changing how businesses run and people work; it’s creating new categories, disrupting existing categories, and it’s changing how we communicate and share. It’s changing the economics of business forever. It’s happening at a speed no one ever imagined and it means a new way of thinking for security practitioners.
When we look at the enterprise, we see that on every level, there are transformations that are encouraging a fluidity of boundaries.
The Extended Enterprise is about the always-on expectation from users, about a corporate environment that is no longer limited to the four walls of the enterprise. Essentially, the Internet has become the corporate network; a coffee shop has become the corporate office. Work is no longer a place…it’s wherever you get inspiration.
Within that corporate network, applications that used to be selected, deployed and maintained by IT are increasingly giving way to applications that employees introduce into the network themselves. Often this is to increase productivity, or solve a problem that can’t be addressed by existing tools. For example, when files get too large for emailing, users may be tempted to use unsanctioned software as a service like Dropbox, or YouSendIt/Hightail in order to distribute information. This can cause challenges with internal IT teams that are enforcing corporate processes designed to lock down sensitive corporate data and keep it from showing up on shadow IT sites where they have no control.
The growing use of social collaboration and sharing regardless of location; the rising adoption of cloud computing; the proliferation of mobile devices; these are creating a fundamental shift within the enterprise that are breaking down the traditional four walls that have constrained IT to the corporate network and private WAN. This begs the questions, “where did the perimeter go?"
The Perimeter has Evolved
We’re moving fast and it’s difficult to run a business with the expectation that we can prevent perimeter network penetration. The perimeter has evolved and we must assume the perimeter will be breached and deploy solutions that protect our assets, starting with the most valuable. Now, enterprises face a boundless future where the four walls of the enterprise are fluid. They extend to the cloud. And follow users from network to network, device to device. These need to be addressed within the context of rapid evolution in the threat landscape. This heightened risk comes at a time when users are increasingly leaving the safety of the corporate network, yet are still trying to access corporate assets – now from anywhere in the world as we embrace mobile and cloud.
In fact, according to a CSO MarketPulse
survey we find that the allocation of resources are not appropriately aligned with the most vulnerable areas of attack.
Sixty-seven percent of the 200+ CSOs indicated they are allocating most of their resources to the network layer, and only 15% were allocating most of their resources to the database layer. And yet, when asked what IT layers were most vulnerable to an attack, more than half (52%) said their databases.
Let me be clear, I am not saying that securing the perimeter is a bad idea. However, we need to augment where we’re placing our resources—now more than ever. The challenge is that for most enterprises, the network has become so large--encompassing multiple countries across the globe, outsourced data centers, and cloud computing--that it is harder and harder to secure the traditional perimeter from attack.
This is even more important when we consider how to secure on premises and cloud based assets in a boundless world. It’s how you secure everything from your perimeters to your networks to your software and even your hardware. To help businesses achieve that, we will need to change.
Turning Security from an Inhibitor to an Enabler of Cloud
How many of you believe security is actually an inhibitor to Cloud adoption? In Oracle's eleven critical cloud predictions to take into 2016
, Oracle CIO Mark Sunday says, “Today, the #1 reason organizations are not moving to the cloud is security. However, tomorrow, security will be one of the most important drivers to move to the cloud.”
The article goes on to explain, "A survey by Harvard Business Review Analytic Services
(sponsored by Oracle) found that 62 percent of respondents thought security issues were by far the biggest barriers to expanding cloud adoption at their companies. Nearly half said data security is harder in the cloud.
But those very same concerns will soon drive organizations to the cloud. Established cloud vendors with a solid security track record have the expertise and resources to deploy layers of defense that many companies can’t hope to duplicate in-house."
So, How Do We Do It?
Oracle secures every layer of both on premises and the cloud. By owning best in class SaaS, PaaS, and IaaS, our goal is to protect each and every aspect of your on premises, private, and public cloud environments.
[Disclaimer: Not all technologies identified here are available for all Oracle Cloud Services.]
To build a secure cloud, it starts with the underlying infrastructure—a secure cloud must be built on a foundation that is securely designed and developed from the outset.
Oracle starts with defensive layers of defense. This is how we’ve built our solutions to work together and be more secure through seamless integration and layers of security. Then we add a comprehensive set of security controls across these solutions in order to protect the entire environment, from physical to logical security controls.
These include preventive controls that protect against bad guys getting to the data, and if they do, it would be rendered useless. This includes detective security controls that detect suspicious activity in process and can raise an alert. This is what I like to call our forensics capabilities. Finally, it includes the administrative process and procedures we follow to build security in to our cloud environment. Let's look at both of these in more detail: Security and Control.
Layered Security Defense
When looking at security, it’s important to provide layered security, also known as defense-in-depth, because no one control can mitigate all threats. Oracle is working to provide multiple layers of security in our cloud. So, whether on premise or cloud, these are the requirements for a secure IT environment.
[Disclaimer: Not all technologies identified here are available for all Oracle Cloud Services.]
First, you want to integrate security into the foundation of the software. From the underlying silicon to the firmware that is built into the silicon, to the operating systems and applications.
Let’s start with the Silicon layer and work our way up to the applications layer:
Ultimately, security should be enabled at multiple layers and pushed down the stack as far as you can go. For example, security at the database layer is preferable to security at the application layer. When you encrypt data in the database, all applications that are connected to that database gain the encryption capability. Otherwise, you would have to code encryption into each of those applications, which would take a long time and is error prone. If you push security down into the silicon layer, then the software that is built on that silicon inherits that security. You need to be able to secure data in memory from corruption and attack through unauthorized access or buffer over-runs, because if someone can control your systems at the chip layer, then they can potentially own all the software that sits on top.
At the infrastructure layer
, Oracle provides storage and will soon be offering elastic compute so that our customers can run any workload in the cloud. For our storage service, we provide backup of your sensitive data and can encrypt it all for you.
When our elastic compute service is ready, organizations will enable unrestricted, and yet secure communications between selected VMs. By creating dynamic firewalls, also known as security lists, and adding your VMs to that list, the VMs can communicate with each other in the same list over any protocol and port. This is a secure way to communicate between known virtual machines. By default, the VMs in a security list are isolated from hosts outside the security list.
At any time, to block access— permanently or temporarily—to all VMs in a security list, delete or disable the relevant security rules. To block access to specific VMs rather than to the entire security list, remove those VMs from the security list. What you ultimately get is the ability to have fine grained network access control over your compute environment.
At the database layer, Oracle Database as a Service
includes tightly integrated Oracle Advanced Security
with transparent data encryption to secure data at rest on disk and on database backups. Our same on premise data encryption technology is built into our database as a service and is transparent to users and applications because the encryption takes place at the kernel layer.
This extends up into the application layer, so that when applications make calls to the database, we can redact, or remove sensitive data from the application layer, on the fly, so that unauthorized users are unable to see sensitive data. This data redaction is part of our Advanced Security solution. And again, is built into the kernel, which avoids tampering methods and provides better security.
In order to prevent privileged users (ours in the cloud or yours on premise) from gaining unfettered access across the entire database, Oracle Database Vault
can restrict credentials to a least privilege state, so that administrators can only perform the tasks necessary to do their jobs, and no more. So for example, they can maybe administrate backups, but not necessarily be able to read or write into that database.
Throughout many of our Oracle cloud services (Fusion Apps, PaaS, and IaaS) when a user registers, the account and credential information is stored in Oracle Internet Directory. When a user wants to authenticate and gain access to several services, the single sign-on is handled by Oracle Access Manager. When a user account is disabled, it can be disabled across multiple services. Each of these capabilities is enabled by Oracle Identity Management, and we’ve been providing these services for some time now.
Oracle has put a great deal of effort into developing powerful, robust security mechanisms within its products and within our cloud, and we want to make sure that customers are fully leveraging these security features.
Finally, at the top of our stack you want to provide Single Sign-On
across multiple applications because the least amount of user names and passwords you manage, the better. Oracle provides integrated access controls that are dependent on your role. And I mentioned the ability to remove or redact sensitive data from applications by way of the database kernel; application developers do not have to do complete development rewrites in the application code in order to redact data. Instead, DBAs can implement redaction policies within the database and cover multiple applications.
From the chip level up, we have thought through layered security defenses built into the cloud. This strategy is not dependent on a single security tactic or approach. It provides multiple layers of protection.
Comprehensive Security Controls for the Cloud
From physical security in and around our datacenters, to applying security controls at the application, network, and logical access layers, you can see why Oracle can provide as good as, or dare I say better security, than you can obtain on premise.
As we drill down into each layer you can see security is baked into both physical and logical access.
For physical access, we have multiple security zones that our IT staff must pass through in order to gain clearance throughout the datacenter, including a reception desk, access cards, biometrics in the way of keypads or retina scanners. All of this is under video surveillance, plus more.
We carry this practice of depth in defense to Logical Access layer. We mandate encryption on all staff computers, implement personal firewalls, two-factor authentication, and layers of role based privilege access controls. This helps mitigate stolen username and password threat vectors. All of this is managed by Oracle Identity Management, the same suite that many of you use to gain access to corporate systems.
And for detective security controls, we apply forensics – looking for security vulnerabilities. We monitor access and conduct monthly reviews. And the layers of defense continue; we also deploy security controls using vendors that we do not directly compete with in order to cover the gaps where Oracle doesn’t play.
Security is no longer a reason to not move to the cloud, but in fact a reason to move to the cloud. Security is an enabler: Just as Oracle helps reduce costs associated with system deployments, maintenance and tuning, it’s is even more difficult to find qualified staff to secure your environments. Oracle has the resources and knowledge to secure your deployments in the Oracle Cloud.
Securing the Hybrid Cloud
Security has also enabled you with a choice of how you deploy, as well as a transition from on premise to the cloud.
You see, now you can maintain existing on premises deployments and connect to your public cloud. This provides comprehensive security for a hybrid deployment. This also provides flexibility and choice because we’ve integrated many of our technologies.
Security is an enabler: You now have a common set of security controls that address regulatory compliance requirements, a common set of security policies that extend across on premise and cloud, and multiple security layers that are integrated and built in from the infrastructure up.