Just thinking about a data breach will make any IT or security professional sweat. And, for good reason. We know that the cost of a data breach goes far beyond a dollar figure. The loss of data impacts brand, customers, partnerships, and more. And, when you throw in managing data in the cloud, working with security can become even more complicated.
A recent security report from Oracle found that confusion about cloud and tenant ‘shared responsibility security models’ (SRSM) has come at a serious cost. Over a third of organizations participating in this year’s research shared that such confusion has led to the introduction of malware (34%) and a similar number of respondents (32%) noted it has exposed them to increased audit risk.
This lack of a clear understanding of the shared responsibility security model has also put data at risk, with 30% of organizations reporting that, as a result, unauthorized individuals accessed data. Additionally, 29% of respondents reported an unpatched or misconfigured system was compromised as a result of confusion, highlighting the fact that public-facing cloud infrastructure is constantly subject to botnet attacks exploiting improperly configured public services.
Remember, your cloud environment is only as secure as you design it. For example, according to recent statistics, as many as 7% of all S3 servers are completely publicly accessible without any authentication and 35% are unencrypted. And if the incidents of the past six months or so are any indication, (according to recent Risk Based Security research, in the first half of 2019 alone, 3,813 breaches were reported, exposing more than 4.1 billion records), these aren't low-value data stores.
Before we go on too much further, it’s important that you take a look at Part 1 and Part 2 of our three-part series about the Oracle Autonomous Data Warehouse. But, if you’re skipping right to security, we don’t blame you — it’s an important and timely topic.
“Data is your most critical asset, but could become your biggest liability if not properly secured,” says Vipin Samar, senior vice president of Oracle Database Security. So, what makes working with the Oracle Autonomous Data Warehouse solution so unique? Based on my observations, it’s the security aspect. The security is built into the DNA of the entire architecture. I’ll explain how.
Oracle Autonomous Data Warehouse stores all data in encrypted format. Only authenticated users and applications can access the data when they connect to the database. From there, all connections to Autonomous Data Warehouse use certificate-based authentication and Secure Sockets Layer (SSL) encryption. This ensures that there is no unauthorized access to Autonomous Data Warehouse and that communications between the client and server are fully encrypted and cannot be intercepted or altered. So, if there is a malicious attack, a man-in-the-middle attack for example, the fully encrypted communications can never be accessed, keeping Autonomous Data Warehouse operating safely.
Here’s the other really cool part: You do not need to do any manual configuration to encrypt your data and the connections to your database. Autonomous Data Warehouse does this for you – autonomously. Why is this important? Because some cloud providers don’t actually encrypt your storage repositories or buckets. As mentioned earlier, statistics by security firm Skyhigh Networks indicate that 35% of all S3 buckets are unencrypted. And that lack of security has already impacted major organizations.
Beyond autonomous encryption, Autonomous Data Warehouse uses strong password complexity rules for all users based on Oracle Cloud security standards. Believe it or not, password policies are still a problem for a lot of organizations! As a result, you see breaches that could have been prevented if users updated their passwords more frequently and created ones that are more complex. Strong password complexity rules ensure that your most critical data points never waiver from a strict security policy.
You can further restrict connections by specifying a network Access Control List (ACL). By specifying a network ACL, only a specific Autonomous Data Warehouse database accepts connections from addresses on the ACL, rejecting all other client connections. This means that malicious access attempts and even spoofing attacks won’t get through. Network Access Control Lists can granularly lock down which devices have access to the ADW database.
Aside from implementing security best practices around your data, Oracle Autonomous Data Warehouse does something else that’s unique. It self-secures your data warehouse, which if you ask me, is pretty invaluable.
We discuss this more in Part 1 and Part 2 of our Autonomous Data Warehouse blog series. But it’s important to note that there are a lot of powerful autonomous processes that the service will take care of for you.
Oracle Autonomous Data Warehouse is Self-Securing.
As the very first self-securing automated warehouse database of its kind, self-securing starts with the security of the Oracle Cloud infrastructure and database service. Within the Autonomous Data Warehouse ecosystem that is built on Oracle Cloud infrastructure, security patches are automatically applied as needed, narrowing the window of vulnerability and mitigating the risk of an unpatched system.
Furthermore, patching includes the full stack: firmware, operating system [OS], clusterware, and database. There are no steps required from the customer side. Gone are the days of needing to manually track patch releases, or tracking down multiple patches across different layers of the stack. It is exactly what the term applies: self securing.
The Oracle Autonomous Data Warehouse self-securing service takes care of the security health of the infrastructure, including the database then automating the entire process, leaving nothing to chance or exposure to human error. From there, the ecosystem encrypts customer data everywhere: in motion, at rest, and in backups. The encryption keys are managed automatically, again without requiring any customer intervention. And, unlike some other data solutions in the market, encryption cannot be turned off and is set by default. In the age of rampant data breaches, your data is simply too important to be left unencrypted.
Finally, administrator activity on Oracle Autonomous Data Warehouse Cloud is logged centrally and monitored for any abnormal activities. Yes, you heard that correctly: the Autonomous Data Warehouse service will scan and evaluate abnormal behavior and anomalous user access. This means that the Autonomous Data Warehouse enables database auditing using predefined policies so that customers can view logs for any abnormal access.
As proactively and intelligently secure as the Autonomous Data Warehouse is, customers should still employ security best practices around the workloads and data they’re deploying. According to Vipin Samar, senior vice president of Oracle Database Security, “Securing databases in the cloud is a shared responsibility, with Oracle securing the infrastructure and network; monitoring the OS and network activity; applying OS and database patches and upgrades; and providing encryption, appropriate separation of duties, and various certifications.”
Samar goes on, adding, “The customer organization still needs to secure its applications, users, and data. It needs to ensure that its applications can thwart attacks targeted at the company, that its users follow security best practices, and that its sensitive data is protected using appropriate controls. In some sense, these requirements are no different from those for an organization’s current on-premises databases, except that Oracle has already handled the security infrastructure part.”
Automatically Secure, Autonomously Intelligent
The scale, speed, and ferocity of the modern threat vector will probably keep business leaders and technologies on edge for the foreseeable future. However, the automated security technologies included as part of the Oracle Autonomous Data Warehouse solution and cloud-based identity management can help organizations manage the risks.
Attacks against your data and infrastructure can come in many forms. Malicious actors like nation states, advanced persistent threats, organized crime, and even accidental (or disgruntled) insider threats can all have major repercussions on your business. They could attack your infrastructure, operating systems, applications, users, and certainly your databases.
As data sets grow and become even more valuable, now is the time to take a step back and really understand your databases and how you leverage data.
Believe it or not, in a data-driven world, many organizations still don’t really know how secure their databases are, where their sensitive data is located, or how much data they actually have. If you’re in that boat, don’t try to navigate the sea of data on your own.
For example, Oracle recently released the Oracle Database Security Assessment Tool feature of Oracle Autonomous Database, which lets organizations answer these questions. The tool looks at various security configuration parameters, identifies gaps, and discovers missing security patches. It checks whether security measures such as encryption, auditing, and access control are deployed, and how those controls compare against best practices.
The Assessment Tool helps organizations discover where their sensitive data is located and how much data they have. Oracle Database Security Assessment Tool searches database metadata for more than 50 types of sensitive data, including personally identifiable information, job data, health data, financial data, and information technology data. This helps businesses to understand the security risks for that data.
Finally, for those global organizations, the assessment tool also highlights findings and provides recommendations to assist with regulatory compliance. The findings and recommendations support both the European Union General Data Protection Regulation (EU GDPR) and the Center for Internet Security (CIS) benchmark.
When it comes to keeping your data (and reputation) secure, a great way to start your data security journey is by asking the right questions, knowing how your data is being used, and leveraging smart, autonomous solutions to revolutionize the way you manage data and approach a digital market. Remember, getting started means having a good awareness of your own data requirements. This means knowing things like:
These are just a few of the questions you can ask to help identify the right kind of data-driven architecture. With Oracle Autonomous Data Warehouse, you take a lot of the guesswork out of the equation. The self-driving, self-repairing, and even self-securing features are all designed to help you get the absolute most out of your data warehouse.
As I wrote about in post one, data is the lifeblood of your business. So is security. It’s simply too important to take any shortcuts. Most of all, don't let a legacy architecture drag you down. When environments become complex and fragmented, they're not only harder to manage, they pose even greater security risk. In fact, 85% of the time that a breach occurs, there's a patch available that could have prevented it. Solutions like the Oracle Autonomous Data Warehouse, and the underlying self-securing architecture remove these kinds of threats and allow you to focus on what’s truly valuable – your users, your business, and your data.