The adoption of the cloud has gathered momentum over the last few years. A recent survey showed that nearly 90 percent of companies are using software-as-a-service (SaaS) and 76 percent infrastructure-as-a-service; 50 percent expected to move all their data to the cloud in the next two years. But have they taken the necessary steps to secure their boundaries? Fred Kost, Global VP, Cross Platform, Security and Analytics, Oracle, shares his views.
Could you explain why data protection and security are important for the long term sustainability of a business?
To have a sustainable future, a business needs not only the trust of its customers and employees but also the people and environments that it touches. Trust is critical; it is the foundation that allows an organization to take the responsible risks, and without it, an organization’s credibility is tarnished.
This means that companies have to take responsibility for all the business activities for which they are accountable. Given that today most businesses are powered by technology and data, that also extends to the protection and security of their IT systems, particularly if you consider that if business data—be it data related to financial transactions or to an organization’s customers—is lost or becomes unavailable, it can compromise a company’s ability to operate. Worse still, if these data fall into the wrong hands, it can be disastrous for all involved.
With this in mind, and as a leading global cloud company, the security of the technology our customers use has been a critical design consideration across Oracle for four decades. We believe security should be foundational and built-in, and customers shouldn’t be forced to make tradeoffs between security and cost. In today’s cloud era, we are increasingly responsible for the systems and data that run our customers’ operations, as well as our own.
Additionally, given the massive shift to working from home, it is also crucial for us to balance the need for protection and response while also enabling innovation and collaboration; to just lock systems down would impact the ability of a business to run.
With companies rapidly adopting the cloud, what are some of the security challenges that organizations should focus on?
Cloud consumption is certainly on the rise. The Oracle KPMG Cloud Threat Report last year found that 50 percent of the companies that responded expected to move all their data to the cloud in the next two years. This was backed up by a report from Omdia, where it is additionally found that nearly one-third of organizations cite the adoption of cloud services as “significantly more important” than before the pandemic. This shows increased confidence in cloud security.
However, companies are still facing challenges around how to secure their critical infrastructure in the light of the surge in remote work, and doing so without increasing cybersecurity attacks. In fact, cybersecurity attacks went up by 47 percent, and around 70 percent of businesses faced challenges with endpoint hygiene, which means securing connections to home computers, phones and so on.
Part of the challenge is that, according to Gartner, most enterprises previously have prioritized on-premises security over secure remote work access. Additionally, with the application of emerging technologies such as machine learning (ML), artificial intelligence (AI), and 5G, the sophistication of threats has also increased as hackers harness them for their benefit.
Another challenge is that cybersecurity workforce shortages continue – they are projected to reach 1.8 million by next year. However, it should be noted that using the cloud can help reduce some staffing needs and/or allow employees to focus on higher-value tasks with offerings like Oracle Autonomous Database. It automatically performs regular updates to patch and respond to zero-day vulnerabilities fast while updating itself without shutting down.
Can you give us some examples of recent security-related issues that organizations can learn from, especially in a public cloud environment?
Apparently, an organization suffers a cybersecurity attack every 11 seconds, with many experts pointing out that these attacks are becoming more sophisticated.
What is interesting to note, according to a Verizon study, is that 85 percent of successful breaches were from vulnerabilities where patches were available up to a year before the attack occurred. This highlights the loopholes that exist in current risk management practices.
A key way to address this gap is the use of ‘intelligent security’ tools. These cloud services as well as AI- and ML-enabled applications go beyond malware protection. For example, modern security automation frequently offered in next-generation clouds can reduce the time and resources needed to manage user access and decrease human error manually. Furthermore, organizations can use these types of tools to integrate security across disparate cloud and on-premises, providing solutions that enable full visibility across all applications.
In enterprise cloud security, we hear about ‘shared responsibility’. What is it?
In a cloud environment, responsibility for security is ‘shared’. The cloud provider, who delivers the underlying cloud infrastructure, is mainly responsible for the security ‘of the cloud’ services they offer, and the customer is responsible for securing the workloads and configuring services such as network, storage and databases that they run ‘in the cloud’.
The 2020 Oracle and KPMG Cloud Threat Report says 96 percent of IT professionals are familiar with this model. Yet, still only 8 percent fully understand the shared responsibility model for all types of cloud services. Additionally, companies with multiple infrastructure and software cloud providers face having to deal with the fact that each has their own version of the shared responsibility model.
This makes things very hard for the customer, which is why Oracle’s approach to security is different.
For example, we believe that security should always be on and that it shouldn’t be exorbitantly expensive. We also believe that customers’ systems are breached not because they don’t have enough security tools but because some vendors have made security too complex by not embedding it into their software and hardware. We believe this approach raises the bar of what should be expected from the industry.
So what is Oracle’s approach to cloud security?
Oracle’s security-first approach to the cloud is unique. It puts the responsibility of security on the cloud provider versus the customer. This is a major shift for a public cloud industry that far too often places the burden on its customers. We do this through architecting our products to automate security and having it always on. Our approach raises the bar to automatically secure customer systems and free the customer to focus on business priorities, not security hygiene.
We also believe there needs to be a multi-layered approach to security, where:
- Security must be easier, and not just for the experts – so in terms of our product innovations and approaches, we are focused on making security tools easier to adopt by, for example, being always-on, automated, and leveraging AI and ML.
- Security must be data-centric.
- A zero-trust security model is followed, complemented by essential security services to provide the required levels of security for the most business-critical workloads.
- Finally, we have created offerings, such as Oracle Dedicated Region Cloud@Customer that respond to key customer requirements, for example, giving customers full control of their cloud environment. Oracle Dedicated Region Cloud@Customer enables customers to build a mirror image of Oracle’s public cloud in their own data centers to address the most demanding data sovereignty hosting requirements.