Historically, money and valuables have been locked away in safes to keep them secure and prevent theft. When the valuables are out of the safe, such as when they are being used or transferred, the risk of loss goes up. In the 1800s, when stagecoaches were used in the United States to transport gold, silver and cash, they had a person “riding shotgun” to help protect the valuables outside of the safe.
Encryption in today’s world is a well-established way to help keep data secure, especially when it is “at rest” or stored. However, to unlock the real value of data, businesses need to use it and “interact” with it in some way. This is where operational risk can arise, such as someone leaving the door open, abusing data access privileges, or not knowing where and what kind of data is being accessed. To help customers protect data and reduce this operational risk, Oracle recently introduced Oracle Data Safe, which you might say allows them to “ride shotgun” on their cloud databases.
I spoke recently with Vipin Samar, who is in charge of database security for Oracle. He’s an expert on database security and has been working to protect some of the world’s most sensitive information. He recently launched Oracle Data Safe, a new cloud security service that helps customers automate security for their cloud databases.
Fred: What are some of the challenges that companies face considering that they have valuable and sensitive data that must be used in their business yet face potential liability and financial loss if any of this data is breached?
Vipin: Data is now recognized as one of the most valuable assets businesses have. But when its security is compromised, it can become a great liability, as we’ve seen in some of the recent and very public data breaches. Organizations are in a catch-22 situation as they have to use their sensitive data to operate their business, but they must reduce the risk of that data being breached or misused.
Fred: When it comes to understanding threats and risks with cloud databases, what are customers most concerned about? Is it with the cloud infrastructure, the cloud provider, the database, or something else?
Vipin: When I talk with customers about moving their databases to the cloud, I hear several concerns. First, they express concern about the underlying infrastructure with network, virtual images, operating systems, and databases. Oracle addresses these concerns with next-generation cloud infrastructure along with automated security patching, and always-on data encryption. The next concern is protection from the cloud provider — obviously that’s us. We address this with strong separation of duties for our cloud administrators and activity monitoring. Their last big area of concern is about how they can secure their own data, users, and configurations, something that only they can do. They are worried about privileged users with broad access to all data, not knowing where their sensitive data is, lack of clarity regarding security policies for their data, and maintaining secure configuration.
Fred: People working on cloud security are becoming familiar with the shared responsibility model, which distinguishes who is responsible for what in the context of cloud security, yet there remains confusion. What can a cloud provider do to help customers in those areas of security where the customer has responsibility?
Vipin: At some level, we can all empathize with what is happening. It is difficult for cloud customers to detect all security gaps and understand how to turn all the security knobs and levers with their own data and users. Note that they often turned to the cloud because they didn’t have time or expertise in the first place. The motivation for Data Safe was to provide automated and integrated security capabilities so that the customers can more easily meet their share of the security responsibilities.