Almost a month ago, I met Fred Kost, Vice President, Product Marketing, Security, Oracle, in Singapore during the Oracle Open World Asia. Fred is a thoroughbred security practitioner and has had exposure in many companies before joining Oracle recently. Among the many things Fred told me, he highlighted how the security paradigm is evolving with the evolution of platforms in the shared economy. Security is now shifting to platforms and is mostly getting embedded. What does it mean? On one hand, it means a lot of automation brought in by the use of technologies like AI/ML, which help in bringing adaptive intelligence to detect and respond to incidents; on the other hand, it means that users are less burdened with patching, data encryption etc. and can use that time to innovate more.
Read the detailed conversation below:
DynamicCISO (DCISO): How would you define data security and privacy in the digitally transformed, exposed, and borderless world?
Fred Kost (FK): The challenge is that industry has historically been overtly focused on the outside threats and not so much on inside threats. We also try to separate the outside from the inside. However, what we need to think about and focus on is ‘what the attackers are after’ at the end of the day. The straight and simple answer to that is data. The bad actors/attackers just want to steal the data or at least try to cause disruption for malicious reasons. It has so far been about an ‘outside in’ approach. An organisation or its security team should have sufficient visibility into its security posture. Also, the CISO and his team must know what’s the core data, where it resides and what kind of protection is put in place. Another challenge to this is that we don’t have clearly defined parameters because of the advent of mobility and perimeterless enterprises. People are now accessing information from various places, using the devices of their choices. When enterprises think about security, this is what they need to be careful about.
DCISO: Oracle is not a pure-play security company, but being a database and cloud company, security automatically becomes a critical component. How does Oracle, as an organisation, look at defending the systems, the cloud?
FK: Of course, Oracle is not a pure-play security company. It never was. But I’d argue that most of the security today is moving into the platforms. In a shared economy, customers are drawing services from platforms. So, security is also moving deep into those platform services. It is good for customers too. From our perspective, we think of security at an architectural level.
Where is my core data today and how to encrypt that to keep the house in order?
Data encryption is the first step and unfortunately most organisations don’t do enough there. The second key aspect is about access privileges – who gets access to what part of information/data? In the dynamic business environment that we are in today, we need to think very seriously about the identities, and access privileges to data. It could be a device, which you’ve never seen in your network and you’d want to change the authentication mechanism to stop it from accessing sensitive data. This is a huge challenge facing enterprises.
Also important is to look at the policies and user behaviour. E.g., why is a person accessing a particular set of data too many times in a day? Are there any anomalies that need your attention and you may like to flag those? Maybe, based on the intelligence, you can change the access parameters. All this is now being tackled and embedded at a platform level. Our aim is to protect customers’ data, their privacy and therefore security is the most critical element of any of our products whether it is a cloud-based platform or an on-premise platform.
DCISO: In any enterprise, there are thousands of incidents reported every day. How many of them are really extremely critical, no one knows. How do technologies like AI/ML help protect applications/data, which is going into the cloud?
FK: You nailed it. These are massive challenges. The number of interactions in any organisation is going up. Interactions that appear malicious are also growing at a very high rate. You cannot analyse and look at all of them manually. So, you have to take help of appropriate technologies to ascertain what’s normal and what’s not. If one has to ascertain anomalies in user behaviour, like what devices does one use, what time do they use, etc., you can very well know what’s normal and what’s not normal and thus prioritise that for further analysis and block the users with suspicious behaviour. That’s where automation, based on AI, becomes absolutely essential. You can automate as much as you want. You can deploy adaptive intelligence where you observe things like what is the part getting into the network and what is the part where you are getting compromised. There are technologies that can help you in such events. Indeed, the environment is very noisy and organisations are getting bombarded with all kinds of false positives all the time. Instead of looking at each of the alerts, you would want to focus on just the real ones and technologies like AI/ML help you in bringing that focus.
DCISO: A typical organisation today deploys multiple security products and solutions including DLP, IDAM, CASB, SOC, Advanced Firewalls and many more. All of this leads to chaos from a manageability point of view. What should be the ideal approach to handle the information security in an organisation?
FK: Back in time, the reactive defence was the only way to ensure information/cybersecurity, and all these shiny toys and objects that you just spoke about were deployed as piecemeal solutions – one challenge, one solution. Without thinking about what are we trying to do effectively from a security perspective, everyone tried to imitate each other. That was the time when mostly the IT infra was on-premise. Only when the organisations started moving applications into the cloud, the security landscape started evolving and changing. With this move to the cloud, the ‘shared responsibility models’ started emerging. Whether it’s Infrastructure-as-a-Service, Platform-as-a-Service, or Software-as-a-Service, the responsibility of security is shared between both the technology consumer and the service provider. As we move further up the curve, most of the responsibility for cyber and data security will shift on to the platform providers, and less will have to be managed by the users. Don’t forget, we are already in the platform era and going forward, businesses will be more reliant on platforms. These platforms are built on the cloud and therefore cloud service providers will have to take the pain out of the users and manage the security. Indeed, the control of data stays with the enterprises and should always be so but most security will become embedded into applications, platforms, and so on.
DCISO: As the momentum shifts from on-premise to cloud and when we talk of platforms like Oracle Autonomous Database, how is security intertwined into this where the users don’t really have to bother about it and just focus on the core and the operations that they have to?
FK: There are two scenarios: One, the customer builds the entire IT stack and puts the database on top of it and runs it. Second, buy the licences of Oracle Autonomous Database. When we say autonomous, it is a hybrid approach between PaaS and SaaS. In scenario one, you have to manage all of the stack and apply patches whenever they are released and also look after the encryption of data. It could cause downtime and many other performance/security issues. In Autonomous, it is all automated and that burden is now lifted off. With autonomous, we are taking care of everything. The data is encrypted by default. Patch management is absolutely automated. We are working on other security services that we can build into it, so that the customer does not have to take the burden of security. Most of the time, the root cause of a security breach is when something is misconfigured on the database due to negligence/human errors. Due to ‘unlimited privileges’ given to DBAs, most times they bypass the security hygiene which causes a lot of risk.
As opposed to that, Oracle Autonomous Database encrypts your data everywhere — be it in SQL, *Net, or backups. The security patches are automatically applied every quarter or whenever needed. It reduces the window of vulnerability.
As I said earlier, security is a shared responsibility. Although we have automated features such as encryption and patching, users are still responsible for business-specific security such as securing users and ensuring sensitive data is appropriately protected. To help users, we also provide a broad range of features and tools designed to help assess and control database security. For example, our free Database Security Assessment Tool (DBSAT), which analyses the database and reports findings such as the sensitive data stored, users along with roles and privileges, and configuration settings. All of this and many more features of Oracle Autonomous Database help users reduce the risks manifold.