By Minda Zetlin
In the confusing world of enterprise security, one thing is certain: the potential for devastating attacks is higher than it’s ever been. “Ten or fifteen years ago, there were security concerns on the internet, but nothing like what we’ve seen in the last couple of years,” says Rohit Gupta, group vice president of cloud security products at Oracle. “Back then, these were considered annoyances—where someone would deface a website, for example. Now it’s highly orchestrated and highly funded. Many attacks are nation-sponsored. Businesses have to be vigilant like they’ve never had to in their histories.”
Compounding the problem is the fact that security is a constantly moving target, with new threats appearing as quickly as known threats are dealt with. “We use the term arms race,” says Douglas C. Schmidt, professor of engineering, computer science, and computer engineering at Vanderbilt University. “There’s a race between people trying to protect themselves and the bad guys and bad gals who are trying to break in. The adversaries are getting more and more talented. It’s really hard to keep up.”
To help enterprises cope with the ongoing menace, Oracle’s new group of security products is designed to protect data in the hybrid cloud environment used at most large organizations these days. Here’s a look at some of the most pressing security-related business problems enterprises face and how emerging technologies can address them.
Problem: The Disappearing Perimeter
Solution: Hybrid Cloud Security
In the past, the best way to keep a company’s data safe was to build a wall around its internal network that was as impenetrable as possible. “In the past, the entire organization’s electronic access was completely cordoned off,” says Prakash Ramamurthy, senior vice president and general manager, systems management and security, Oracle Cloud. “You couldn’t bring a random home machine and do something with it, and you couldn’t be outside your organization’s network, sitting at home or in a coffee shop, and get access. You had to go through a virtual private network, which inherently provided a greater level of control.”
Many IT departments still use this approach to security, but it’s grown less and less effective.
“Enterprise functions in the cloud are driving the dissolution of the network perimeter,” says Adina Simu, vice president of product management, Oracle CASB Cloud Service. “As users are connecting from anywhere using both managed and unmanaged devices, the approaches used to secure the old network perimeter are no longer really relevant.” Instead, she says, users themselves represent the new perimeter. This will only become more true as applications and data migrate to the cloud.
To meet this challenge, a range of new cloud-based security solutions has emerged, Simu explains, such as those built into Oracle Cloud. The best course of action is to rely on these new security solutions, which can protect an enterprise’s data and processes wherever users may be and which offer consistent security features across hybrid deployments.
“This move to the cloud, it’s not rip-and-replace,” says Darren Calman, vice president of product management, Oracle identity management and security. “People have invested time and money in developing their on-premises assets. So you have some on premises and some in the cloud, and you need a single pane of glass to manage both. That’s where hybrid security comes in.”
Problem: Shadow IT and Multiple Cloud Vendors
Solution: A Cloud Access Security Broker
While IT leaders might talk about moving to “the cloud,” the fact is they’re usually moving to several clouds. Indeed, Simu says the cloud is not just SaaS [software as a service]—a lot of workloads are moving into platform as a service [PaaS] and infrastructure as a service [IaaS] creating a heterogeneous cloud environment within the enterprise. "The average enterprise will use six different cloud providers just to run its workloads,” she says.
Customers share responsibility for security to varying degrees in each of these cloud engagements, so managing different cloud deployments can lead to confusion. A key danger is “configuration drift,” in which cloud accounts wind up with inappropriate security.
“People are setting things up with the wrong configurations,” says Jules White, assistant professor of computer science at Vanderbilt University. In one recent case a defense contractor stored personal data for job applicants—some of it classified as top secret—in an Amazon Web Services S3 bucket configured to allow public access. There have been other similar incidents with other cloud providers. With perhaps thousands of different configuration combinations available for some cloud systems, it’s all too easy to make a mistake.
As users are connecting from anywhere using both managed and unmanaged devices, the approaches used to secure the old network perimeter are no longer really relevant.”–Adina Simu, Vice President of Product Management, Oracle CASB Cloud Service
A cloud access security broker such as Oracle CASB Cloud Service can take the guesswork and errors out of configuring cloud accounts, and it can give IT departments visibility into all their cloud-based data. “CASBs include big data analytics and deliver surgical insight for forensic analysis,” Simu says. “Gartner says CASBs will soon be what firewalls used to be in the on-premises world.”
A CASB with machine learning monitors user behavior and looks for abnormal usage patterns of cloud applications. Such a service offers the added benefit of giving you insight into—and perhaps control of—shadow IT, especially because the CASB can scan many of the most commonly used cloud-based applications such as Dropbox, Box, Evernote, and Microsoft Office 365.
Using one can be eye-opening. “Ask an IT organization how many applications its company has that access the cloud. For a small or midsize organization, they’ll say 10,” says Troy Kitch, senior director of Oracle cloud security. “Then you run a CASB and it will turn out to be 300. In a large organization they may say 100, and in reality it will be 3,000.”
Problems: The Security Skills Gap and the Need for Speed
Solution: Identity Management
By 2019, there will be at least 2 million unfilled security jobs worldwide, according to the House of Lords Digital Skills Committee in the UK. “We tell students that this is one of those eternal problems,” Vanderbilt's Schmidt says. “There will never be a time when security expertise will not be a valuable skill.”
Automating as many processes as possible is the only viable solution to the skills shortage, experts agree. So Oracle has introduced orchestration and remediation solutions that leverage context and automation principles. “We can deliver both supervised automation, making changes only with human approval, and unsupervised automation, which makes changes automatically,” Gupta says. Sensitive data that’s unencrypted is a good example of how unsupervised automation can be useful, he adds. “Guess what? That’s black and white. It’s unencrypted, and that’s wrong. It should be encrypted. Turn encryption on.”
An identity-centered approach is the best way to manage security in the cloud, Kitch says. “A lot of security tools in particular were not created with cloud in mind,” he says. As a result, most enterprise customers believe the security tools they already have are not appropriate for a hybrid cloud environment. And that concern might be holding back cloud adoption. In a survey last year by consulting firm Baker McKenzie, 88 percent of respondents cited security as the primary reason they were hesitant to move to cloud. Putting identity at the center of it all, Kitch adds, is the best method for protecting data.
False positives are as much a problem for enterprises as not finding the real issue.”–Prakash Ramamurthy, Senior Vice President and General Manager, Systems Management and Security, Oracle Cloud
And while the skills gap puts added pressure on IT departments and their mandate to keep vital data secure, these teams are also under pressure to deploy new technology at an unprecedented pace. For many veteran IT professionals, the obvious solution is to lock everything down, presuming that all users and processes are guilty until proven innocent. But that doesn’t work in today’s world. “There is business pressure not to say no to innovation,” says Dan Koloski, vice president of product management at Oracle. “People in the business want to spin faster and demand more flexibility out of IT. Saying no is not an option, so we have to continuously update our security posture at the speed of business.”
The best way to accomplish this is to harness the power of artificial intelligence. Prior to the availability of solutions such as Oracle Management Cloud, existing tools depended on operators to ask the right questions, according to Ramamurthy. “We decided to use artificial intelligence to understand what normal behavior was. And when things deviate from that learned normal behavior, we give intelligent information back to the customer,” he says.
Over time, the service creates a profile of a user’s typical behavior, he explains. So if a user accesses only marketing systems and emails from the United States 99 percent of the time, and the service sees that same user’s credentials logging in from a new geographic location and accessing the company’s finance database, that might trigger an automatic response.
That response might simply be that the next time the user logs in, he or she is required to use two-factor authentication and enter a five-digit code that has been texted to a mobile phone. “The odds that someone who compromised your credentials also has your phone are pretty low,” Ramamurthy explains. “We don’t need to create a five-alarm fire around this, because false positives are as much a problem for enterprises as not finding the real issue.” If a security system generates too many false positives, users and IT staff will simply start assuming that every alarm is unwarranted. Worse, if false alarms prove too much of an inconvenience, users might start looking for ways to circumvent security altogether.
An identity-centric approach also helps enterprises respond to threats without unduly inconveniencing users. “You can surgically remediate a specific user or users rather than having to shut down an entire application,” Simu explains. At the same time, you can limit that user’s ability to do harm. “Depending on what a user is doing, you can say, ‘OK, this is malicious enough,’ and remediate with actions that affect not only that application but also other applications the user is accessing.”
And when time is of the essence, automation makes all the difference. “Remediation needs to happen in real time,” Simu adds. “In many cases, these attacks are carried out by bots and tools, and they don’t wait a lot. When they find a vulnerability, they move very quickly to the next level.”
Problem: Maintaining Compliance in a Shifting Landscape
Solution: Oracle Security Solutions for GDPR
In May 2018, the European Union’s General Data Protection Regulation (GDPR) takes effect. Many enterprise IT and security leaders are scrambling to get ready. “GDPR has many organizations concerned because a meaningful 4 percent of your revenues could be fined,” Ramamurthy says. “That’s very, very tangible.”
GDPR, which aims to protect the privacy and personal data of EU citizens, is merely the newest compliance challenge for companies already coping with Sarbanes-Oxley, the Health Insurance Portability and Accountability Act (HIPAA), and the Payment Card Industry Data Security Standard (PCI DSS). Most IT organizations are also responsible for complying with internal and external audit rules, as well as partner and customer agreements. Because Oracle customers have had these responsibilities for years or sometimes decades, Oracle is well equipped to help them stay compliant with GDPR as well.
“GDPR is fundamentally about protecting personally identifiable information,” Koloski says. “Among other things, the regulations expect enterprises to demonstrate that they have control and they know who has access and that they can respond when they find violations.” Unfortunately, he says, most enterprises don’t have that visibility or the capability to respond because of their outdated security approaches.
People in the business want to spin faster and demand more flexibility out of IT. Saying no is not an option, so we have to continuously update our security posture at the speed of business.”–Dan Koloski, Vice President of Product Management, Oracle
Oracle solutions, including Oracle Advanced Security and Oracle’s security-focused cloud services, can help. “To help achieve regulatory compliance, organizations should encrypt data both at rest and in transit,” Simu says. “They should be able to collect system logs, maintain least privilege and separation of duties, and control user access.” This is especially important in the case of production databases involved in the daily processing of transactions.
“Our solutions are data collection capabilities, machine learning, AI-powered analytics, and automation, all in an integrated suite,” Ramamurthy says. “If you don’t have all of those pieces, you won’t be able to automate as much as you need to. Enterprises are struggling to come to grips with the automated security challenge, because for the past 30 years, they haven’t needed to do that.”
Oracle is in a unique position to help because of its history, he says. “We understand what it is to deal with huge amounts of data. We also have compute horsepower.” And because Oracle has for years offered products that work across complex IT environments, both on premises and in cloud, the company understands how to provide security and remediation across a hybrid cloud, he adds. “We’re one of the few vendors qualified to address these next-generation security challenges.”
Illustration by Wes Rowell
Minda Zetlin is coauthor, with Bill Pfleging, of The Geek Gap: Why Business and Technology Professionals Don’t Understand Each Other and Why They Need Each Other to Survive (Prometheus Books, 2006).