The growing number and sophistication of cybersecurity threats have been matched by what seems like an almost equal rise in regulation. Maintaining compliance with national and, increasingly, global standards takes significant time and resources. It’s a headache, but there are good reasons for the growing number of regulations. Enterprises process and retain large amounts of data about their customers. With ever better data intelligence tools, this information can be used to provide rich new value for companies and customers alike. But that value comes with new security threats and privacy concerns.
In October 2018, Cathay Pacific Airways announced that attackers had gained access to the personal information of as many as 9.4 million customers, including names, dates of birth, phone numbers, email addresses, and passport numbers. As Suparna Goswami observed in a post on Bank Info Security, Cathay Pacific has been moving away from legacy, on-premises solutions to the cloud. While it’s not yet clear how the breach happened, several experts noted the risks involved when enterprises migrate their customer data to the cloud.
We’ll take a bird’s-eye view of the major compliance topics affecting enterprise companies (information privacy, data access, and heightened security requirements) and offer tips for managing regulatory issues in each area. We’ll also look specifically at how Oracle Exadata Cloud at Customer is positioned to help companies remain secure and compliant.
Oracle Cloud solutions (and, by extension, Cloud at Customer) come with multiple layers of defense spanning people, process, and technology. Because all Oracle Cloud solutions offer the same level of security, the choice between Oracle Cloud and Exadata Cloud at Customer is usually a matter of industry compliance: organizations in certain industries must keep private data behind their own firewalls, within their own data center. Exadata Cloud at Customer lets such companies adopt the public cloud operating model while the data stays on their premises.
1. Information Privacy Protection
Under the General Data Protection Regulation (GDPR), which applies to any organization, wherever it is located, that processes the personal data of individuals in the European Union, the protection of personal data is treated as a fundamental right. The regulation includes the right to “the rectification of inaccurate personal data” (Article 16) and the right to erasure, better known as “the right to be forgotten” (Article 17).
While GDPR has been on everyone’s mind lately, it’s not the only regulation around data privacy. The HIPAA Privacy Rule and the Fair Credit Reporting Act govern the healthcare and credit reporting industries, respectively, and the California Online Privacy Protection Act (CalOPPA) applies to any operator of a commercial website or online service that collects personal information from California residents, wherever the operator is based.
Many regulations around data privacy mandate external compliance audits to detect and remediate vulnerabilities and data exposure. In between these external audits, IT organizations should schedule internal reviews to maintain compliance and safeguard systems and data. These reviews should result in exhaustive reports that cover current and evolving risks, incident reports, and security recommendations.
The Cloud at Customer platform includes native tools that help audit and maintain data privacy. Chief among them is Oracle Cloud Access Security Broker (CASB). With Oracle CASB, administrators can define policies that identify and block unwanted access to sensitive data. CASB also monitors the configuration settings administrators have established and alerts them when any of those settings change; to help organizations stay audit-ready, it can restore the approved settings so that configuration drift does not accumulate between audits.
2. Data Access
A large part of maintaining the proper security and confidentiality of customer’s data is controlling who has access to it. Beyond GDPR, in certain industries, such as finance and healthcare, there are additional regulations surrounding who has access to confidential information.
Because organizations commonly share customer or patient information across servers and departments, a common issue is access drift. Access to confidential data is usually determined by an individual’s role and responsibilities within the organization, but roles and responsibilities (and with them the need for access to specific information) change over time. For example, when employees change departments, they may keep access to confidential information they are no longer authorized to see, simply because nobody revoked the old grants.
The solution is two-fold. The first part is maintaining a role-based access control (RBAC) policy that bases access decisions on the functions a user is allowed to perform within the organization, rather than on the individual. Because permissions attach to roles instead of people, users cannot pass their access on to others, and a transfer between departments becomes a change of role that automatically drops the old entitlements. A security administrator should be responsible for maintaining and enforcing this policy, including staying up to date on changes to privacy regulations and adjusting the RBAC policy accordingly.
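The access-drift problem described above is easy to check mechanically once roles are the source of truth: compute the permissions each user’s current roles entitle them to and compare that with what the target system has actually granted. The following is an added example, not code from the original post or from any Oracle product; the role catalogue, users and grants are constructed sample data, and the department transfer is the scenario from the paragraph above.

```python
"""Detect access drift by comparing actual grants against role-derived entitlements.

Roles, users and grants below are constructed sample data for illustration,
not exported from any real identity or database system.
"""
from dataclasses import dataclass

# Role catalogue (constructed): role -> permissions the role entitles.
ROLE_PERMISSIONS = {
    "claims_adjuster": {"read:patient_record", "write:claim"},
    "billing_clerk":   {"read:invoice", "write:invoice"},
    "auditor":         {"read:patient_record", "read:invoice", "read:audit_log"},
}


@dataclass
class User:
    name: str
    roles: set     # roles the user currently holds (HR / IAM source of truth)
    granted: set   # permissions actually present in the target system


def entitled_permissions(roles, role_permissions=ROLE_PERMISSIONS):
    """Union of the permissions implied by the user's current roles.

    An undefined role is an error, not an empty entitlement: silently ignoring
    it would hide a misconfigured role assignment from the review.
    """
    perms = set()
    for role in roles:
        if role not in role_permissions:
            raise KeyError(f"undefined role: {role}")
        perms |= role_permissions[role]
    return perms


def access_drift(user, role_permissions=ROLE_PERMISSIONS):
    """Return (excess, missing) permission sets for one user.

    excess  = granted but no longer entitled (the compliance finding)
    missing = entitled but not yet provisioned (an operational gap)
    """
    entitled = entitled_permissions(user.roles, role_permissions)
    return user.granted - entitled, entitled - user.granted


def review(users, role_permissions=ROLE_PERMISSIONS):
    """Build an access-review report: only users with drift appear in it."""
    findings = {}
    for user in users:
        excess, missing = access_drift(user, role_permissions)
        if excess or missing:
            findings[user.name] = {"excess": sorted(excess), "missing": sorted(missing)}
    return findings


# Constructed scenario: dana moved from claims to billing but the old claims
# grants were never revoked; lee is a new auditor who is not fully provisioned;
# sam's grants match sam's role exactly.
SAMPLE_USERS = [
    User("dana", {"billing_clerk"},
         {"read:invoice", "write:invoice", "read:patient_record", "write:claim"}),
    User("lee", {"auditor"}, {"read:patient_record", "read:invoice"}),
    User("sam", {"claims_adjuster"}, {"read:patient_record", "write:claim"}),
]

if __name__ == "__main__":
    for name, finding in review(SAMPLE_USERS).items():
        print(f"{name}: excess={finding['excess']} missing={finding['missing']}")
```

Run between external audits as part of the internal review cycle, the excess list is what an auditor will ask about; the missing list is useful too, because unprovisioned entitlements are usually worked around with ad hoc grants that later show up as excess.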
The second part is a centralized, policy-based identity and authentication system, so that a role change made in one place is enforced everywhere. Oracle Identity Cloud Service (IDCS), Oracle’s cloud-native security and identity management platform, is designed to be an integral part of the enterprise security fabric. With IDCS, which is available to Oracle Exadata Cloud at Customer users, a security administrator can manage user identities for both cloud and on-premises applications in a single hybrid deployment.
3. Heightened Security Requirements
Each industry is governed by governmental and industry-specific regulations, and some are necessarily stricter than others. For instance, the HIPAA Security Rule requires administrative, physical, and technical safeguards for all electronic protected health information (ePHI). Similarly, the Payment Card Industry Data Security Standard (PCI DSS) sets security requirements for any organization that stores, processes, or transmits cardholder data, which covers much of the retail and financial sectors.
Governments and industry councils continue to amend and tighten these standards, since protecting patient and customer information remains a major concern. Healthcare security breaches affected more than 5.5 million patient records in 2017, and the number of security breaches in the finance industry tripled between 2012 and 2017.
Security risks affect your company’s compliance with federal and global regulations as well as its relationships with customers. One way to reduce these risks is to minimize your attack surface: the set of all points where an unauthorized user can attempt to get in or get data out. A simple way to shrink it is to reduce the amount of code running at any given time: remove software that isn’t needed, disable unused services and listening ports, and retire dormant accounts.
Another security risk is configuration drift. Over time, server configurations commonly fall out of line with their approved state because of inconsistent patching and ad hoc, undocumented changes to software or hardware. Part of the solution is regular configuration audits against a documented baseline, which can be folded into your larger security audits and reports.
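The two risks just described, excess attack surface and configuration drift, are caught by the same audit: record an approved baseline (the security settings each host must have, and the only services allowed to listen) and diff every host against it. The following is an added example, not code from the original post or from Oracle; the baseline, setting names, and host observations are constructed sample data, and in practice the observations would come from a configuration-management or inventory tool rather than a literal.

```python
"""Configuration-drift and attack-surface audit against an approved baseline.

Baseline, setting names and host observations are constructed sample data;
a real run would feed in output from an inventory or CM tool.
"""

# Approved baseline (constructed). Settings are written as dotted keys so they
# can come from any source (sshd_config, sysctl, patch inventory, TLS policy).
BASELINE = {
    "settings": {
        "sshd.PermitRootLogin": "no",
        "sshd.PasswordAuthentication": "no",
        "tls.min_version": "1.2",
        "os.patch_level": "2018-10",
    },
    # The only services permitted to listen on this class of host.
    "allowed_services": {"sshd", "oracle-listener"},
}

# Drift in these settings weakens a control directly, so it is rated high;
# other baseline drift (e.g. an old patch level) is rated medium.
SECURITY_CRITICAL = {
    "sshd.PermitRootLogin",
    "sshd.PasswordAuthentication",
    "tls.min_version",
}


def check_host(observed, baseline=BASELINE):
    """Audit one host. Returns a findings dict; an empty dict means compliant."""
    findings = {}
    drift = {}

    # 1. Baseline settings that are missing or changed on the host.
    for key, expected in baseline["settings"].items():
        actual = observed["settings"].get(key)
        if actual != expected:
            drift[key] = {
                "expected": expected,
                "actual": actual,
                "severity": "high" if key in SECURITY_CRITICAL else "medium",
            }

    # 2. Settings present on the host but absent from the baseline: the
    #    undocumented ad hoc changes the paragraph above warns about.
    for key in observed["settings"].keys() - baseline["settings"].keys():
        drift[key] = {
            "expected": None,
            "actual": observed["settings"][key],
            "severity": "low",
        }
    if drift:
        findings["drift"] = drift

    # 3. Attack surface: anything listening that the baseline does not allow.
    extra = set(observed["services"]) - baseline["allowed_services"]
    if extra:
        findings["unexpected_services"] = sorted(extra)
    return findings


def audit(fleet, baseline=BASELINE):
    """Audit every host; only non-compliant hosts appear in the report."""
    report = {}
    for host, observed in fleet.items():
        findings = check_host(observed, baseline)
        if findings:
            report[host] = findings
    return report


# Constructed observations: db01 matches the baseline; db02 has drifted.
SAMPLE_FLEET = {
    "db01": {
        "settings": dict(BASELINE["settings"]),
        "services": ["sshd", "oracle-listener"],
    },
    "db02": {
        "settings": {
            "sshd.PermitRootLogin": "yes",       # weakened control
            "sshd.PasswordAuthentication": "no",
            "tls.min_version": "1.2",
            "os.patch_level": "2018-04",         # two quarterly cycles behind
            "debug.enabled": "true",             # undocumented ad hoc change
        },
        "services": ["sshd", "oracle-listener", "telnet", "httpd"],
    },
}

if __name__ == "__main__":
    for host, findings in audit(SAMPLE_FLEET).items():
        print(host, findings)
```

Keeping the baseline itself under version control turns every approved change into a documented one, which is the point: drift is not “the config changed” but “the config changed and the baseline didn’t”.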
But not everything has to be done by hand. Under Oracle’s Critical Patch Update program, Exadata Cloud at Customer is maintained, patched, and upgraded by Oracle. Critical Patch Updates are released on a quarterly schedule, with out-of-band Security Alerts for fixes too urgent to wait for the next cycle.
Get at the Real Root of the Problem
Oracle believes security is not just a technology problem; it’s also a process and people problem. When companies maintain fragmented, non-standardized administrative controls across their tech stack, the seams between them create security risks and gaps. This is true of on-premises, cloud, and hybrid architectures alike.
Addressing industry, national, and global compliance concerns requires an overarching compliance strategy that coordinates legal, human resources, IT, and other internal functions. It starts with having a security- and compliance-minded technology stack in place, but it also requires continuous security and privacy practices, sponsored from the top down.