By Mike Faden
High-profile breaches have propelled security to the top of the agenda at many organizations, as the combination of faster, more-damaging attacks, increasingly complex technology environments, and demanding regulatory requirements continues to create new security challenges.
“Today’s attacks are wide and varied,” says Vipin Samar, senior vice president of Oracle Database Security. “They range from targeting infrastructure and databases to targeting your applications and users.”
This means that to protect vital information assets, companies need controls at multiple levels across their entire environment—both in the cloud and on premises. “The hackers only need to be successful once to break in,” Samar says, “but your business needs to be successful all of the time in order to avoid a data breach. The only way to do this and keep our data safe is through defense in depth—with multiple controls, security on by default, automation, best practices, and a secure infrastructure.”
However, ensuring that a full range of effective controls is in place can be challenging. To address that challenge, Oracle Autonomous Database Cloud and other autonomous Oracle PaaS solutions start with built-in self-securing features. Oracle also offers database-specific security features and identity management solutions to help achieve true defense in depth.
The Secure Database
For organizations connecting their Oracle SaaS, custom SaaS, and PaaS solutions, security starts with Oracle Database cloud services. As Samar notes, hackers often target databases because that’s where the organization’s most sensitive data resides.
The protection provided by Oracle Database cloud services, including Oracle Autonomous Data Warehouse, begins with encrypting data at all times. “We encrypt your data everywhere—whether it is in SQL*Net traffic, data in tablespaces, or in backups,” Samar says. Encryption cannot be turned off, and encryption keys are managed automatically.
But while encryption is an essential tool—it prevents hackers from getting direct access to raw data—it closes off only one part of the organization’s attack surface, Samar says. If companies don’t patch on-premises systems with the latest security and other updates—because of downtime restrictions, patch testing requirements, or any other reason—they remain vulnerable. “For many organizations, patching is the biggest issue; that’s what they are struggling with,” he says.
With Oracle Database cloud services, security patches are automatically applied every quarter or as needed—narrowing the window of vulnerability. “By patching, we mean patching the full stack—including the firmware, the OS, clusterware, and the database,” Samar says. “By applying patches in a rolling fashion across the nodes of a cluster, there is no application downtime.” That lifts a huge burden from database administrators, who can then spend more time focusing on other aspects of security and data management. Oracle Autonomous Database Cloud services also continually monitor cloud administrator actions for any abnormal activity, and predefined policies for database auditing are turned on by default.
Locking Up the Crown Jewels
However, security is a shared responsibility, Samar says: although Oracle automates functions such as encryption and patching, organizations are still responsible for business-specific security functions such as securing users and ensuring sensitive data is appropriately protected. To facilitate those goals, Oracle provides a broad range of features and tools designed to help assess and control database security.
Among them is Oracle Database’s free Database Security Assessment Tool (DBSAT), which analyzes the database and reports findings such as the sensitive data stored, users along with roles and privileges, and configuration settings. For example, DBSAT discovers and reports sensitive healthcare and credit-card information. “Many people really don’t know how much sensitive data they have and how secure their database is,” Samar says. “It’s better that you assess your database’s security before the hackers do it for you.” Once the tool has identified potential problems, it makes recommendations for fixing them, he adds.
Multiple features in Oracle Database cloud services allow fine-grained control over data access. Data masking scrambles or masks sensitive data for test and development environments. “Even if the hackers succeed, they’ll get fake crown jewels,” Samar says. Data redaction lets organizations limit who can view sensitive data such as Social Security numbers. Oracle Virtual Private Database and Oracle Label Security allow control over which users can see which rows of data. And Oracle Database Vault restricts privileged users’ access to application data—reducing the risk of insider and external threats.
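As an added illustration of the data redaction feature mentioned above (this is example code, not from the article or Oracle's documentation), the following PL/SQL block creates an Oracle Data Redaction policy on a hypothetical HR.EMPLOYEES table so that only the assumed application account HR_APP sees full Social Security numbers; every other session sees the first five digits masked.

```sql
-- Added example: partial redaction of an SSN column with Oracle Data Redaction.
-- Schema HR, table EMPLOYEES, column SSN and the exempt user HR_APP are
-- assumptions for this example; adjust them to the real application objects.
BEGIN
  DBMS_REDACT.ADD_POLICY(
    object_schema       => 'HR',
    object_name         => 'EMPLOYEES',
    policy_name         => 'redact_employee_ssn',
    column_name         => 'SSN',
    -- PARTIAL keeps the value's shape but overwrites selected characters.
    function_type       => DBMS_REDACT.PARTIAL,
    -- Predefined format for 'NNN-NN-NNNN' strings: first five digits become X,
    -- so 123-45-6789 is returned as XXX-XX-6789.
    function_parameters => DBMS_REDACT.REDACT_US_SSN_F5,
    -- Redact for everyone except the application's own schema user.
    -- Redaction applies at query time; the stored data is unchanged.
    expression          => 'SYS_CONTEXT(''USERENV'',''SESSION_USER'') != ''HR_APP''',
    enable              => TRUE);
END;
/

-- Check from an ordinary (non-exempt) session: the column is returned masked.
SELECT employee_id, ssn FROM hr.employees WHERE ROWNUM <= 3;

-- Check which redaction policies are in force and on which columns.
SELECT object_owner, object_name, policy_name, expression
  FROM redaction_policies;
SELECT object_name, column_name, function_type
  FROM redaction_columns;
```

Users granted the EXEMPT REDACTION POLICY system privilege bypass all redaction policies, so that privilege should be audited and granted as narrowly as any other privileged-access right.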
Identity Is the New Perimeter
While security is more critical than ever, so is providing a seamless experience for users needing access to applications. Identity management technology can help by providing users with single-sign-on capability to multiple applications. But as organizations move to the cloud, the challenge becomes more complex.
Today, it’s not only the organization’s applications and data that are moving outside a company’s firewall, says Eric Olden, senior vice president and general manager at Oracle; the users are, too. “It’s very common with SaaS applications, for example, to have people accessing them from their mobile phones from anywhere in the world, including a Starbucks or an internet access point in an airport,” he says. “This user location change has driven a new level of requirement around how we defend the perimeter without the classic perimeter defenses of firewalls and network defenses.”
That, in turn, is driving the idea that identity has become the new perimeter—placing identity management in a new, more central role in cloud environments. In addition, to truly deliver single-sign-on capability to applications, identity management technology must include both on-premises and cloud applications. “You really want this identity management infrastructure to be able to bridge these two worlds and allow you to build new applications and new experiences seamlessly across the on-premises and the cloud worlds,” Olden says.
Oracle Identity Cloud Service is designed to achieve that goal. The cloud-based technology enables organizations to manage user access to enterprise applications in the cloud and on premises. It’s also used across all Oracle SaaS, PaaS, and IaaS cloud services, and it supports federated identity with other applications via the SAML and OAuth standards. “The service includes single sign-on, so instead of having 10 passwords for 10 applications, you have 1 password, and it’s securely integrated into 10 applications,” Olden says.
One company that’s using Oracle Identity Cloud Service in its cloud migration is Milan, Italy–based Siram S.p.a., part of the Veolia Group. Siram’s approximately 2,500 employees provide energy management services including heating and air-conditioning for private- and public-sector organizations throughout Italy.
Siram is moving to the cloud as part of a broader digital transformation of its business. In the short term, it is aiming to achieve higher efficiency, free up IT resources, and ensure high service levels.
A core aspect of the migration is the transition from Oracle Enterprise Resource Planning (Oracle ERP) on-premises applications to Oracle ERP cloud services. At the same time, the company is seeking to simplify user access by reducing the number of identities and passwords, according to Davide Benedetto, chief IT architect at Siram. So the company is planning to use Oracle Identity Cloud Service to provide users with single-sign-on access to cloud applications—and also to key on-premises applications. “We decided to have only one user credential to access our most important applications, and Oracle Identity Cloud Service is helping us reach that goal,” he says.
Oracle Identity Cloud Service is already enabling integration between Oracle ERP Cloud and Siram’s third-party email service. “Configuration with Oracle Identity Cloud Service was very simple,” Benedetto says. And the single sign-on also provides access to applications such as Oracle Fusion Expenses, making it easier and faster to file expense reports. Siram also plans to use Oracle Identity Cloud Service to enable single-sign-on capability to a business-critical on-premises application used throughout the company and to Oracle on-premises applications including Oracle WebLogic. Siram is also using Oracle Identity Cloud Service to integrate the on-premises Oracle ERP applications, facilitating a smooth migration to the cloud and uploading of information to the cloud when necessary.
Benedetto says that Oracle Identity Cloud Service, together with Oracle Cloud Access Security Broker Cloud Service (Oracle CASB Cloud Service), may also assist with compliance for regulations such as the EU’s General Data Protection Regulation. For example, Oracle Identity Cloud Service provides additional options for granting specific administrative privileges to other IT staff, while Oracle CASB Cloud Service tracks intrusions and other indicators of abnormal activity.
As the scale and speed of attacks continue to increase, security is set to remain at the top of the corporate agenda. The automated security technologies in Oracle Autonomous Database Cloud and cloud-based identity management with Oracle Identity Cloud Service can help organizations manage the risks. As Oracle’s Samar observes, attackers may be nation states, organized crime, or even disgruntled insiders: “They come from different angles—they could attack your infrastructure, operating systems, applications, users, and certainly your databases,” he says. “Data is your most critical asset, but it could become your biggest liability if not properly secured.”
Illustration by Pedro Murteira, photography by Albert Alessandro/The Verbatim Agency
Mike Faden is a principal at Content Marketing Partners. He has covered business, technology, and science for more than 30 years as a writer, editor, consultant, and analyst. Faden is based in Portland, Oregon.