Future State - The Oracle Consulting Blog

What Does Security Mean in the Digital World?

Guest Author

By Marcel Rizcallah, Senior Director, Security Domain Leader, EMEA Oracle Consulting

Digital transformation is changing our world today. Cars and homes are connected and can be controlled remotely. People are connected through social
networks and can share ideas, services and goods. Organizations are providing services on customers’ mobile devices such as online banking or taxi
bookings. These are only a few real-life examples of how digital transformation is changing the way we consume services and interact with each other. In a
few years, most services will be digitalized including healthcare, government services for citizens, online shopping, and more.

But can we imagine those services without protecting all private data handled by the service providers? Or without complying with EU data privacy
regulations? What does security mean in a digital solution? Is it enough to enforce strong passwords when users enroll in the system? Is it enough to
encrypt data exchanged between the user, the device and the service? Not at all – this is only the visible part of the iceberg. In this blog, I’ll explain:

  • Why security is important in any digital solution

  • What needs to be secured

  • How to proceed in a phased approach to minimize impact on legacy systems and organizations

Why is security important?

First of all, security is about trust and trust is the major enabler for a successful digital transformation.

“TRUST is like the air we breathe. When it’s present, nobody really notices. But when it’s absent, everybody notices.” - Warren Buffett.

What will happen if connected cars that can be remotely started and stopped with a smartphone or geo-localized with a web browser are hacked or stolen?
What will happen if home smart devices such as energy boxes or cameras connected to cable networks are attacked and hackers start controlling the devices
from the outside? What will become of the company providing the service? And what will happen if this same company is attacked from the inside and the
customers’ data is stolen, including history of locations, credit cards, customers’ mail and phones, and more?

Second, security is becoming mandatory by law, and not simply an option or a recommendation. The reasons are multiple: if security is not
implemented by design in a new system, organizations expose not only their own data but also their customers’ personal data, which does not belong to the
service provider, to security breaches from day 1. In addition, implementing security by design will significantly
reduce associated costs as opposed to adding security on a running system or on legacy applications.

The EU is working on a regulation that will apply to European businesses that process personal data. This means that compliance with the regulation will be
mandatory and there will be significant fines of up to 5% of annual worldwide turnover, or €100m, for companies that do not comply with the proposed
regulation, with the possibility for individuals and associations, acting in the public interest, to bring claims for non-compliance. The regulation includes
compliance procedures and policies, including adopting privacy by design or appointing a data protection officer (DPO) when sensitive data such as health
information is handled by the service provider.

What needs to be secured?

My answer would be everything! But what do we mean by everything? Let’s have a look first at the major components of a digital solution.

[Figure: What Does Security Mean in the Digital World]

A digital solution generally includes people information (customers, partners, etc.), mobile devices or Internet of Things (IoT) devices (such as connected
cars, home energy boxes or healthcare devices), on-premises applications, cloud applications, structured data stored in databases and unstructured data
stored in big data systems or flat files.

Securing all those components means the following:

  • Managing the life cycle of people’s identities in a secure way, including their personal data (name, geo-location, mail, phone, and credit
    cards) and credentials (login, password, certificate, social network federation links, etc.)

  • Managing the life cycle of mobile devices and IoT devices, including their fingerprints and credentials. Those
    devices will need to interact with the users and the central services. For example, a connected car may communicate its location if requested by the
    end user from his smartphone, or a home fire device may alert you to rising levels of CO. The identity and credentials of the device must be securely
    managed to avoid any “identity” usurpation, exactly as for end users. In addition, data at rest on the device must be protected and encrypted as it
    may contain personal information such as user geo-location or health data.

  • Protecting data exchanged in the air between the users and the devices, and the devices and the systems. Because this data will most
    likely travel over wireless networks such as Bluetooth or WiFi, and because personal data may transit through this channel, it is mandatory to encrypt any data

  • Protecting data exchanged between on-premises applications and Cloud services, as this may include exchanging customers’ information.

  • Protecting data in databases or in big data, residing on on-premises systems and in the Cloud. Typical vulnerabilities are related to
    database administrators, contractors or third-party providers who can usually access sensitive data in the production systems with privileged accounts.
    But vulnerabilities are also related to the application and operating system credentials needed to read and write in databases, which are generally stored in files,
    never changed or not subject to strong password policies, and which users can access to connect to the storage systems directly.
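The last point names three weaknesses of database credentials kept in files: other users can read them, they are never changed, and no strong password policy applies. The following audit check is an added example, not code from the article or from Oracle; the 90-day rotation window, the 14-character minimum, the file names and the `db.password` key are assumptions chosen for illustration.

```python
import os
import re
import stat
import tempfile
import time

MAX_AGE_DAYS = 90   # assumed rotation window (not from the article)
MIN_LENGTH = 14     # assumed minimum password length (not from the article)
KEY_VALUE = re.compile(
    r"^\s*([\w.]*(?:password|passwd|secret)[\w.]*)\s*[=:]\s*(\S+)", re.I | re.M)

def is_weak(password):
    """Too short, or fewer than 3 of: lower, upper, digit, symbol."""
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]"))
    return len(password) < MIN_LENGTH or classes < 3

def audit_credential_file(path):
    """Return findings for one file; the secret itself is never echoed."""
    st = os.stat(path)
    findings = []
    if st.st_mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("readable-by-other-users")
    if time.time() - st.st_mtime > MAX_AGE_DAYS * 86400:
        findings.append("not-rotated")
    with open(path, encoding="utf-8", errors="replace") as fh:
        for key, value in KEY_VALUE.findall(fh.read()):
            if is_weak(value):
                findings.append("weak-password:" + key)
    return findings

def demo():
    """Audit two constructed sample files in a temporary directory."""
    samples = {  # name: (mode, age in days, constructed content)
        "legacy.properties": (0o644, 400, "db.user=app\ndb.password=changeme1\n"),
        "hardened.properties": (0o600, 5, "db.user=app\ndb.password=Xk9#vT2!qLm7@wZp\n"),
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, (mode, age_days, content) in samples.items():
            path = os.path.join(tmp, name)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(content)
            os.chmod(path, mode)
            os.utime(path, (time.time() - age_days * 86400,) * 2)  # backdate mtime
            results[name] = audit_credential_file(path)
    return results

if __name__ == "__main__":
    print(demo())
```

File modification time is only a proxy for the last rotation; a file restored from backup or touched by deployment tooling will look fresher than the credential really is.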

How to proceed?

Let’s first give some basic recommendations on how to define the security requirements and prioritize solutions.

  1. Understand security drivers, including regulations you have to comply with such as EU data privacy, PCI DSS, HIPAA, etc.

  2. Understand the vulnerabilities of legacy systems that will be exposed or integrated with digital services, and analyze risks before starting
    any implementation.

  3. Include security and privacy by design in any new solution.

  4. Define a security reference architecture providing end-to-end security including all the layers of your IT system from the end-user
    interface to the database, and including all applications and environments such as development, integration, pre-production and production.

  5. Secure applications and systems with high risks first, while implementing the security reference architecture in a phased approach.

Finally, you will need to select the right product for each requirement and implement the solution while taking into account technical and organizational
impacts with quick wins. This is where Oracle Consulting can help you
implement Oracle Security products in your environment.
