A day doesn't pass without news of a breach or complete security breakdown at a business or government institution somewhere in the world. For companies worldwide, cybercrime now accounts for an average annual loss of more than $7.7 million per company, according to Ponemon Institute. Business disruption — including lost employee productivity and outright failures — accounts for 39% of the costs associated with information loss. What's worse, IT complexity and security challenges are growing while attacks are on the rise.
There are no easy answers — and there's certainly no single strategy or solution for dealing with the problem. But there are ways to secure your IT systems without adding complexity. A best-practice approach focuses on a number of factors, including adopting state-of-the-art security systems, optimizing IT systems and databases, instituting secure practices, and providing ongoing education and training for employees and others.
At the center of this approach is the concept of building an information fortress. What exactly is this, and what does it include? How does an enterprise introduce a level of protection that helps minimize the risk of intrusions and breaches and maximize data protection?
Cracking the Code on Better Security
How can you start shifting your organization into a hardened data information fortress? Start with these three concrete steps to locking down your systems and data:
- Reducing surface area means fewer points to protect. It's simple math: Fewer entry points into systems and data equals lower risk. By consolidating systems and servers — essentially building a converged IT infrastructure — rather than allowing data to be scattered across the enterprise, it's possible to better protect assets while reducing IT administration. What's more, if there are fewer control points that are better protected, it’s easier to implement consistent security policies and streamline patching, encryption, data governance and auditing.
Your organization can also take advantage of the consolidation process to introduce advanced access controls that can reduce credential misuse, such as time-of-day and role-based access controls, and password management.
- Universally encrypt the database. You know that security shouldn't get in the way of doing business, but it's also true that business requirements — such as the need to move quickly — shouldn't get in the way of protecting critical data and intellectual property residing in enterprise IT systems.
Sound encryption methods and solutions exist, though many organizations fail to use them, either because they're cumbersome or because employees perceive them as a hassle. While everyone recognizes the need for encryption and understands that it can serve as a powerful technology for protecting against data loss, many organizations apply encryption haphazardly. It's more of a hobby than a persistent practice. Best-in-class organizations, on the other hand, take an integrated, consistent approach and use encryption strategically. It's also important to protect the entire lifecycle of information, from data capture to backup, and even to deep archive.
Oracle delivers the highest set of capabilities commercially available designed to secure the Oracle Database with the Oracle Advanced Security Options. This allows your enterprise to automatically encrypt all data, and when it's running on Oracle systems, you can encrypt without speed or performance penalties, and strong key management is built in. Similar security is also applied to the on-premises solution and in the public cloud. With Oracle, your organization can encrypt its IT infrastructure holistically: production, testing and development, QA, and more.
- Harden and protect infrastructure. The ad hoc nature of tools, solutions and strategies — both on premises and in the cloud — is killing security. The mish-mash of vendors and systems results in gaps, gulches, and even Grand Canyon-sized chasms.
But the problem doesn't stop there. Many organizations lack standards and essential processes. For instance, 74% of organizations take three months or more to patch systems, and 99.9% of 2014 exploits had patches available for more than one year (sources: Verizon Data Breach Investigations Report, 2015; IIOUG Data Security Survey, 2014). Security leaders must ensure that an IT environment is designed for security and upgradeability.
Oracle systems are designed with security in mind, with robust operational practices to harden protection. Critical software patches are tested across the entire stack and provided quickly, which simplifies and speeds the patching process with little to no operational impact. A locked-down storage path includes de-duplication ahead of encryption, and Secure Snapshots are intended to mitigate the risk of data leakage. Oracle also provides Security Technical Implementation Guides (STIGs) to help IT professionals create operationally secure environments and offers in-depth security training, as well as a wide range of information security professional services.
Build Your Defense Mechanisms
Think of security as a conceptual fortress. Once you understand where key assets reside, it's possible to focus on building moats, walls and drawbridges where they make the most sense. It's also possible to better match risks and vulnerabilities with resources and solutions.
It is possible to achieve essential protection — from application to database, and from the chip to the cloud — through a single-vendor integrated stack that minimizes, or even eliminates, the nightmare of multiple vendors, each with their own patches and upgrades. This, in the end, breaks down the barriers to building a highly automated converged IT infrastructure that positions your organization for today's increasingly insecure business environment.
Oracle engineered systems can help you protect the entire lifecycle of information. This "encryption by default" approach delivers superior scaling, performance and total cost of ownership compared to any DIY alternative deployment choice on the market.
Register now for a live webcast, Insights in Information Security, on May 18, 11 a.m. PT covering today's new security strategies, new cybersecurity models, and how to build your own information fortress.