
Cloud Security Perspectives and Insights

Security must be easier and not just for the experts

Paul Toal
Distinguished Solution Engineer - Cyber Security

Back in 2017 I attended InfoSec Europe in London, doing my stand duty on the Oracle stand. Afterwards, I wrote an article expressing the surprise I was hearing when attendees were coming to the Oracle stand and asking “Why is a database company at InfoSec?”. I waxed lyrical in that article about how Oracle has been a security company for over 40 years and cited some of the areas where we focus our security efforts, i.e. OS security, data security, Identity and access management, application security, edge security etc.

In 2018, I was there again, on the Oracle stand. This time the questions had changed. Attendees were recognising the work that Oracle is doing in security, and much of the interest was around the Oracle Cloud and its security. However, that’s not the focus of this article specifically.

Whilst I was looking around at InfoSec, both in 2017 and 2018, it got me thinking. With all of the products, tools, services and innovations in IT security, why are we still seeing so many breaches and successful attacks against organisations? Of course, anyone working in this field will know the answer. You don’t have to be a rocket scientist to know why. Security is hard! But why?

First, let’s briefly look at the state of the security landscape, so we are all on the same level playing field. In the constant battle of cat and mouse between cyber attackers and defenders, we see the odds are stacked strongly in favour of the attacker. It’s asymmetric warfare!


 

In the attacker’s corner, you have well-resourced attackers. They aren’t in a rush and have all the time in the world. They have a plethora of tools and toolkits available to them, both commercial ones and open source. Even if they don’t have strong skills themselves, the Cloud model also serves the attacker community with services like DDoS-as-a-service, or crypto-locking-as-a-service, all available for hire. Counter that with many IT Security Departments. There is never enough time, not enough people, and budgets never allow you to implement all of the security projects on your list. In addition to this, we can’t forget that the attacker only has to be successful once, whereas the defender has to be successful 100% of the time. To prove the point, we see data breach stories in the media all the time, demonstrating that the battle is being won by the attackers.

We know that technology advances rapidly and there are some great tools on the market from a wide range of security vendors, both old and new. Many of these technologies are using, or in some cases, over-using (at least in their marketing messages) innovative technologies like AI and ML. So, with all these advances, why aren’t the defenders winning?

If you do have a well-resourced IT security department, there are plenty of products, tools and services out there to enable secure solutions to be delivered, but the bar is very high. If you want to secure data in a database, you need some very skilled DBAs and Security Consultants to correctly configure the different capabilities that will protect your organisation from the sorts of threats and attacks we are seeing. The same goes for any area, whether you are locking down servers, segmenting and hardening your network, or securing endpoints. And of course, your estate doesn’t help. You have 1000s of applications, utilising many different technologies, and more recently, you have your data and applications spread across many different Cloud providers and no longer just behind your own firewall perimeter. So, you also have the battle of meeting your security responsibilities in each and every one of the different Cloud providers you use.

All of the security products and services you put in place need configuring, which is no small challenge. It feels to me that it is not good enough to build the latest and greatest security software alone. It must be easy to use. As vendors, we must take the burden away from IT Security teams and users of security tools, so that a company’s security posture is more secure by default, problems are identified and fixed automatically, and there are a smaller number of usable tools, not hundreds of different, siloed, complex ones.

If you look at Oracle’s security portfolio, we have a fantastic set of mature capabilities, providing defense-in-depth through layered security, from securing the data, through to the users, platforms, and applications. We have worked hard to provide market leading products and tools in all of the areas that we operate, and continue to do so. However, we must also look forward and not just look at the existing challenges, but the new challenges that customers are facing and how we can help. This is where we are focussing a lot of time, effort, and resources.

What we are doing within Oracle is:

  1. Increasing that security baseline for customers
  2. Reducing barriers to security tool adoption
  3. Automating security where possible and practical to mitigate security risks quicker and more efficiently.

Let me explain what I mean…

Oracle Cloud Infrastructure (OCI) – 2nd generation Cloud

OCI is the best place to run Oracle workloads for the enterprise. However, we recognise that those workloads typically contain your organisation’s most sensitive data. Data that is held in your business-critical Oracle Databases, or in your Oracle Applications such as HCM, ERP, & CRM. Therefore, we have taken learnings from the weaknesses of Gen-1 clouds and built a more secure Cloud from the ground up, with focus on lowering the trust in key vulnerable areas like servers, hypervisors, and tenancies. Security has been at the forefront of the design of OCI.

Here are a few examples to demonstrate what I mean and why OCI is really driving better security within the Clouds for enterprises.

Isolated Network Virtualisation
We are taking a really different and innovative approach to the Cloud infrastructure by implementing physically separate hardware and software for the Cloud network to segregate it from the hypervisor. This trust boundary minimises the risk of an attack against a Cloud server gaining a foothold on the server and using it for lateral movement. This is a core design principle and is implemented on all servers across OCI in every data centre. You can read more about it here.

Hardware Root of Trust
Reducing the level of trust of the servers running customer workloads in the Cloud is paramount. Our hardware root of trust is designed to ensure that all firmware on servers can be restored to a pristine state between customers, reducing the risk of malicious firmware surviving between allocations of servers to customers’ tenancies. You can find out more about it here.

Data Safe
For a long time, we have had the most comprehensive set of security controls of any database. This range of tools provides a mix of preventative, detective, administrative, and data-driven controls. By the very nature of the protection they provide, some of these tools are easier to implement than others. Again, we wanted to lower the barrier of entry for customers. Data Safe consolidates a number of database security controls into one, easy to use Cloud-based console. You don’t have to be a database security expert to use Data Safe, and, being a Cloud service, it doesn’t require any infrastructure, installation, or maintenance. What’s more, Data Safe is free for customers subscribing to Oracle Database Cloud Services.

Cloud Guard
Announced at Oracle OpenWorld 2019, Cloud Guard will collate all of the logs from the various OCI Services and analyse them for threats, taking automated, corrective action should an issue be found. Not relying on a security analyst with hundreds of other security alerts on his dashboard to spot it and action it, risks will be mitigated quicker and more efficiently.

Maximum Security Zones
All too often we see breaches in the media as a result of mis-configuration. Maximum Security Zones, also announced at OpenWorld 2019, will enable you to deploy resources into a zone within OCI that has a pre-defined security policy enforced, designed to ensure that, for example, storage buckets cannot be public, or servers cannot have public IP addresses etc. This won’t just alert you if there is an action outside of the policy, it will actively prevent that change from being made, or a resource being deployed that doesn’t meet the policy. This takes the risk of mis-configuration of your cloud security controls away from the admin users.

Autonomous Linux and OS Management
There are some well-published statistics showing that a high proportion of successful attacks could have been prevented with existing security patches, but they hadn’t been applied. For example, InfoSecurity Magazine cited £265M in data breach costs that could have been avoided. Perhaps more worryingly, another study found that 80% of discovered breaches occurred due to patches pending for more than 10 days. Often this is due to system criticality not allowing for sufficient downtime, or just the amount of time it takes to schedule patching operations. OCI OS Management and Autonomous Linux take care of that for you by automatically applying patches to the operating systems on your OCI-based IaaS systems. What’s more, for Oracle Autonomous Linux, through the use of Ksplice, these patches (including kernel patches) can be deployed with ZERO downtime. No need to reboot the server.

Database Encryption at-rest and in-transit
You have had the ability to encrypt data at-rest in the Oracle database for years (through a licensable security option). You have also been able to enable network encryption to your database for free. However, even a simple change like enabling encryption often doesn’t get implemented by organisations. We think it should be enabled, and therefore EVERY Oracle Cloud Database Service within Oracle Cloud has encryption at rest and in-transit enabled, by default, at no cost. That includes DB Cloud Service, Autonomous DB, and Exadata Cloud Service. This is irrespective of which edition of the Database Cloud Service offering you are using, including Standard Edition (which you can’t encrypt on-premise). N.B. For MySQL Cloud Service, all enterprise edition features, including encryption, are available for you to use.

Storage Encryption
In a similar way to the database, object storage, archive storage, block storage, boot volumes, and file storage are all encrypted at rest BY DEFAULT. Whether you leave Oracle to manage the keys or you manage them yourself through OCI’s Key Management Service, utilising FIPS 140-2 Level 3 compliant Hardware Security Modules (HSMs), the choice is yours.

Intra and Inter-Region Traffic
Another encryption capability is for traffic between our data centres. Whether you are looking at traffic between our Availability Domains within a region, or traffic between regions, it is all encrypted as standard, even over the Oracle backbone.

Above are just some of the ways we are improving the security baseline for our customers. This list of services and capabilities is by no means exhaustive. On top of that, we also have our other Cloud Security Services and capabilities, like Key Management, Identity, Management, Logging, Auditing, CASB, WAF, DNS etc. All of these can help you meet your security responsibilities in the Cloud.

In my view, Oracle is doing the right thing. We are transitioning from a security company to a secure company. We are working tirelessly to improve the baseline of security for all our customers, large and small. We are lowering the barrier of entry for security. No longer do you have to be a FTSE-100 company with the largest budgets and big IT departments to take advantage of some of the latest innovations in security. Oracle is bringing strong security to all organisations in a way that is always-on, easy-to-use, and automated.

If you want to understand more, have a look at the OCI Security Whitepaper, or the links I have provided throughout this post.


Comments ( 1 )
  • Graeme Crichton Thursday, January 9, 2020
    Excellent article Paul and one I will be sharing with lots of others. The plan has to be to minimise the number of things you are able to forget to do ;-)