It’s hard to escape the myth of Achilles when reading the news these days. In the myth, Achilles' mother, Thetis, dipped him in the river Styx to make him invincible. However, she held him by his heel, leaving that one spot vulnerable. This small mistake led to his downfall when an adversary shot an arrow into that unprotected area.
This ancient tale serves as a powerful allegory for today’s cybersecurity landscape. Just as Achilles had a single weak point that sealed his fate, organizations today have vulnerabilities that bad actors can discover and exploit. A seemingly minor flaw can lead to the “downfall” of your sensitive data.
Unfortunately, in real life, there can be not one but many such Achilles heels. Attacks can originate from external hackers, outsiders masquerading as trustworthy employees, or even malicious insiders. Often, well-meaning people make mistakes and accidentally misconfigure their systems, opening them up to attack. That’s why organizations need robust and comprehensive security that is both simple to use and automated, enabling them to protect their data easily and quickly.
Even with the best detective and preventive defenses in place, organizations must be prepared for the possibility of a breach or ransomware attack. The key is to minimize the loss of critical data even if the attack succeeds. Additionally, rapid recovery from breaches or ransomware attacks is essential to minimize disruption to the business.
Case Study: The Cloud Database Breach
Take a recent case of a cloud database provider. It’s always difficult to know the details of a breach without direct involvement, but reports suggest that the breach started with customer accounts lacking multi-factor authentication. The attackers exploited stolen usernames and passwords to access and extract vast amounts of sensitive data. Recent reports indicate that over half of adult Americans have been impacted by this breach.
Though the attackers exploited the lack of multi-factor authentication (because it was optional), there were limited controls in place from the cloud vendor to help the customers minimize potential losses in the event of a breach:
Implementing these practices before they copied data into their warehouse could have helped mitigate risks and protected them from devastating losses. In addition, many other basic security controls were also missing:
To cope with today’s threat environment, organizations are adopting a zero-trust mindset. They approach each interaction between humans and systems or between systems as if they were potentially compromised and then apply corresponding security controls to minimize risk.
Oracle has decades of experience protecting much of the world’s most sensitive data at many of the world’s most important banks, telecoms, health providers, governments, and retailers. As one of the four largest cloud hyperscalers, Oracle is probably best known for our flagship Oracle Database. Let’s “zero” in on Oracle’s cloud database offerings and discuss how we build security from the ground up, along with high-value advanced security tools and capabilities to enable zero-trust principles.
Databases are prime targets for attackers because they are concentrated repositories of highly valuable data designed to be easily searched, analyzed, and monetized. To protect these critical assets, adopting a Zero-Trust approach is essential—this means treating every interaction with a database as potentially hostile.
At a fundamental level, the basic security measures include security patching, strong authentication including multi-factor, encryption for data both at rest and in transit, and activity monitoring. These security mechanisms should be integral to the database service and must always be included.
These measures check off important boxes, but they are not sufficient to thwart modern attacks, which target databases, users, backups, and applications through multiple paths. Attackers usually try the easiest path first, followed by progressively more complex attacks. We need to close as many avenues as possible.
Oracle includes the following critical security capabilities at no additional cost in cloud databases:
Beyond basic configuration and user management, securing your database requires a full understanding of your data's sensitivity, and strategies to minimize losses in the event of a breach. To address these concerns, Oracle cloud databases include the following differentiated features—at no additional cost:
Before organizations make copies of data, they can use Oracle Data Masking and Subsetting (which is included with Autonomous Database at no extra cost) to subset their data based on parameters such as time, location, type, and size, helping minimize collateral damage in case of a successful attack.
Unfortunately, cyber breaches often look like normal, authorized user activities. To address this, we offer advanced security features at no extra cost:
As attackers (especially ransomware) now routinely target backups, our approach extends beyond static and runtime protection:
Zero-trust dictates that we trust no one, including our own people and our cloud administrators. To help customers protect their data from unauthorized administrative access or tampering, Oracle provides:
In the new world where applications will issue AI-generated SQL, new security vulnerabilities will follow unless users’ privileges to data are enforced directly by the database rather than by the application that generated the query. Along with privilege analysis to implement the least-privilege model, Oracle provides multiple technologies to implement fine-grained row/column-level access control:
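The following is an added example, not code from the original post or from Oracle’s documentation, showing what “enforced directly by the database” looks like in practice using two standard Oracle packages: DBMS_RLS (Virtual Private Database) for row-level filtering and DBMS_REDACT (Data Redaction) for column-level masking. The schema, table, column and user names (HR_APP, CLAIMS, USER_REGION, ANALYST_EAST, HR_AUDITOR) and the sample rows are constructed for illustration; the session running it is assumed to hold the privileges needed to create objects in HR_APP and execute both packages.

```sql
-- Added example (not from the original post): enforce row- and column-level
-- access inside the database so that any SQL, including AI-generated SQL
-- issued by an application, is constrained by the caller's identity.
-- Schema, table, user and column names below are assumptions for this example.

-- 1. Sample data (constructed for this example)
CREATE TABLE hr_app.claims (
  claim_id    NUMBER PRIMARY KEY,
  region      VARCHAR2(10) NOT NULL,
  patient_ssn VARCHAR2(11),
  amount      NUMBER(10,2)
);
INSERT INTO hr_app.claims VALUES (1, 'EAST', '123-45-6789', 250.00);
INSERT INTO hr_app.claims VALUES (2, 'WEST', '987-65-4321', 900.00);

-- Mapping of database users to the single region each may see (constructed)
CREATE TABLE hr_app.user_region (
  username VARCHAR2(128) PRIMARY KEY,
  region   VARCHAR2(10) NOT NULL
);
INSERT INTO hr_app.user_region VALUES ('ANALYST_EAST', 'EAST');
INSERT INTO hr_app.user_region VALUES ('ANALYST_WEST', 'WEST');
COMMIT;

-- 2. Row level: a VPD policy function returns a WHERE predicate that the
--    server appends to every statement against CLAIMS for the session user.
CREATE OR REPLACE FUNCTION hr_app.claims_region_policy (
  p_schema IN VARCHAR2, p_object IN VARCHAR2
) RETURN VARCHAR2 AS
BEGIN
  -- The auditor sees everything; everyone else is pinned to their own region.
  IF SYS_CONTEXT('USERENV', 'SESSION_USER') = 'HR_AUDITOR' THEN
    RETURN NULL;   -- NULL predicate means no restriction
  END IF;
  RETURN 'region = (SELECT region FROM hr_app.user_region '
      || 'WHERE username = SYS_CONTEXT(''USERENV'',''SESSION_USER''))';
END;
/

BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'HR_APP',
    object_name     => 'CLAIMS',
    policy_name     => 'CLAIMS_BY_REGION',
    function_schema => 'HR_APP',
    policy_function => 'CLAIMS_REGION_POLICY',
    statement_types => 'SELECT,INSERT,UPDATE,DELETE',
    update_check    => TRUE);   -- also reject writes that land outside the region
END;
/

-- 3. Column level: partially redact the SSN for everyone except the auditor,
--    so a generated "SELECT * FROM claims" never returns the full identifier.
BEGIN
  DBMS_REDACT.ADD_POLICY(
    object_schema       => 'HR_APP',
    object_name         => 'CLAIMS',
    policy_name         => 'REDACT_CLAIMS_SSN',
    column_name         => 'PATIENT_SSN',
    function_type       => DBMS_REDACT.PARTIAL,
    -- input format, output format, mask char, first and last position to mask
    function_parameters => 'VVVFVVFVVVV,VVV-VV-VVVV,X,1,5',   -- yields XXX-XX-6789
    expression          => 'SYS_CONTEXT(''USERENV'',''SESSION_USER'') <> ''HR_AUDITOR''');
END;
/

-- 4. Check: connected as ANALYST_EAST, an unrestricted query is silently
--    narrowed to one row and the SSN is masked. The predicate is applied by
--    the server, so no rewording of the SQL text by an app or an LLM removes it.
--   SELECT claim_id, region, patient_ssn, amount FROM hr_app.claims;
--   --> 1  EAST  XXX-XX-6789  250
```

Two practical notes. First, VPD fails closed: if the policy function raises an error, the statement fails (ORA-28110/ORA-28113) rather than returning unfiltered rows, so a broken policy is a denial of service, not a data leak. Second, the predicate here depends on USERENV SESSION_USER, which only works when each end user authenticates to the database as themselves (or the application sets a secure application context); with a single shared application account, every caller collapses into one identity and the database has nothing to enforce against.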
The lesson is clear: even a single “hole” in your defense—a vulnerability akin to Achilles' heel—can lead to significant disruption and damage. Adopting a zero-trust approach is essential to effectively securing your infrastructure and data. Equally important is to implement zero trust with low touch through automation and default policies. It's important to have tools that secure not only one database but your entire fleet. Oracle aims to provide unique full fleet security assurance for all your Oracle databases, whether on any cloud or on-premises.
To protect your data from organized criminals and nation-states armed with advanced tools, you need comprehensive and automated security tools for configuration assessment, administrator controls, user assessment, data anonymization, data minimization, data masking, tamper protection, SQL firewall, data encryption, cyber-secure backups, and rapid recovery.
Getting to specifics, Oracle Database supports all major data types, workloads, and development styles in a single database platform. We call this a Converged Database. Converged data type and workload support minimize the number of databases needed to implement an application. Minimizing databases reduces risky data copies and avoids introducing disparate databases, each with different security models, functionality, limitations, and vulnerabilities. For example, if you need to move data from a transactional database to an analytical database to run queries on your latest data, that’s an unnecessary trip that only increases your attack surface. This is further amplified when adding separate, isolated databases for graph, spatial, blockchain, time series, documents, and more. Let’s be realistic: every new data platform you adopt comes with a requirement for trained administrators, security controls and baselines, and activity monitoring. Using a converged platform for all of the different modes and workloads reduces your overall burden, lowers your total cost to operate, and lets you more effectively reduce the risk of data theft or destruction.
Oracle Autonomous Database comprehensively enforces strong security and access controls while automating most security functions, including data and network encryption, hardened security configuration, network access control, privilege user control, comprehensive logging and auditing, and cloud operator control.
Oracle Data Safe empowers organizations to implement and monitor security controls, evaluate data risks, mask sensitive data, assess user security, monitor user activity, and manage Oracle Database 23ai SQL Firewall—all in a single, unified console. These advanced security technologies and automation capabilities help to manage the day-to-day security and compliance requirements of Oracle Databases, both on-premises and in the cloud.
And, as highlighted earlier, Oracle Zero Data Loss Autonomous Recovery Service, with its unique, automated capabilities, protects Oracle Database changes in real time, validates backups without production database overhead, and enables fast, predictable recovery to any point in time.
Unlike providers that leave gaps and require you to piece together disparate security technologies, Oracle offers a defense-in-depth strategy with a suite of best-in-class, integrated security components that aim to support you in seamlessly protecting your data everywhere.
Security starts with an understanding of your current state and risks
The first step in any security program is to know where you are starting from: what sensitive data you need to protect, who your users are, what privileges they have, and how they are accessing your data. Oracle includes the tools you need to assess all of these and more.
If your Oracle Databases are running as a database service in the Oracle Cloud Infrastructure, Oracle Cloud@Customer, Oracle DB@Azure, or Oracle DB@GCP you should register those databases with Oracle Data Safe (it’s free – already included in your database cloud subscription). If your Oracle Databases are not running as an Oracle Database cloud service, you can choose to subscribe to Oracle Data Safe, or download the Oracle Database Security Assessment Tool (DBSAT) from My Oracle Support (DBSAT is included for ALL Oracle Databases).
Vipin Samar is the Senior Vice President of Development for Database Security at Oracle.
Russ Lowenthal is the Vice President for Database Security, focused on database encryption, access control, audit, and monitoring.
Russ is based in Greenville, North Carolina, USA and has been with Oracle for over twenty-five years. Leveraging over thirty-five years of experience in IT including database, UNIX systems and network administration, he now advises Oracle's customers on secure implementations of information systems technology.
Russ' certifications include Certified Information System Security Professional (CISSP), Certified Information Systems Auditor (CISA), Certified Information Systems Manager (CISM), Oracle Certified Master (OCM), Microsoft Certified Systems Engineer (MCSE) and Certified Technical Trainer (CTT).