The Need for a Security First Approach to Cloud in the Face of Escalating Cyber Threats


While Oracle OpenWorld Asia 2019 focused mainly on the future of technology, it also placed considerable emphasis on the concerns that come hand in hand with technological advancement, especially those related to cybersecurity, compliance and privacy. The cloud in particular, for all the benefits it has brought, such as unprecedented accessibility to data, has made enterprise security more complex than ever.
To understand Oracle’s perspective on the matter of cloud security and how the company is tackling these very relevant issues for many ASEAN organisations, CSA reached out to Eran Feigenbaum, Chief Security Officer, Oracle Cloud Infrastructure, for answers.

Eran Feigenbaum, Chief Security Officer, Oracle Cloud Infrastructure

Below is the full transcript of the email interview:

  1. In your view, what currently are some of the most critical cloud security threats?

The most critical threats are coming from the cyber threat landscape, and they are proliferating and rapidly outstripping current risk management practices. In fact, cybercrime is the 21st century’s equivalent of organised crime, with both nation states and organised criminals using new approaches to wage a highly sophisticated and potentially costly war. It’s estimated that cybercrimes will cost the global economy more than $2 trillion by 2021 and will represent one of the greatest threats to global companies (source).
But it’s not just on the outside that companies are facing critical issues. We are now at a stage where we are producing vast amounts of data daily. By 2020, analysts estimate that every person on earth will generate 1.7MB of data per second[1]. That’s equivalent to 8 billion novels!

This quantity has exceeded the limit at which it can be analysed and managed by people alone. For instance, businesses receive an average of 17,000 alerts per week. No wonder only 4% get investigated, according to the second annual Oracle and KPMG Cloud Threat Report 2019.
The challenge is also exacerbated by the lack of cybersecurity talent. Current estimates predict that there will be 3.5 million open cybersecurity jobs by 2021. It should then come as no surprise that tasks, even critical ones like patching, are missed or put on hold – and this has consequences. According to a study, 85% of successful breaches were from vulnerabilities where patches were available up to a year before the attack occurred. 

  2. Despite the growing awareness and greater focus being placed on security and the rise of cybercrime, in general, are companies doing enough to secure their data on the cloud?

The first thing to recognise is that securing IT systems is no easy task, so even after years of investment and experience businesses still struggle to consistently practice even basic cyber hygiene. And remember, attackers need only find one weakness while defenders have to protect the entire attack surface at all times.
Nevertheless, companies are definitely taking security very seriously, and many are looking to cloud to help them with the overarching task as they recognise that cloud lets them lower the cost, reduce the risk, and get better and predictive insights into the challenges faced. No wonder that, according to the second annual Oracle and KPMG Cloud Threat Report 2019, 72% of respondents feel the public cloud is more secure than what they can deliver in their own data centre.

  3. Cyber threats are becoming more sophisticated and varied; what would it take for enterprises to gain the upper hand over cyber adversaries?

Certainly, the cloud as an underlying platform really changes the playing field in cyberwar. Complexity is the enemy of security and this is where terrestrial networks have a disadvantage in that they host security architectures made up of many products added over decades. Our cloud is built with simple, innovative and pervasive controls that make it easier to administer security across our operating regions and allow us to spot risk faster. Cloud tools give us new capabilities that are built for the cloud and leverage machine learning and AI. AI can be applied to safeguard data, spot anomalous activities and system issues, and it can help remove some of the burden of administrative tasks and complexity around patching, which in turn frees up staff to focus on innovation and higher order tasks requiring human expertise and discernment.
That said, while technology is a critical component in warding off malicious actors, to rely on it alone is not enough. There is also the ongoing need for continued reassessment of their approach to things like trust and their perimeter, as well as training, policy and engagement.  

  4. What does it mean to take a “security-first” approach to cloud?

A “security-first” approach to us means that security is integrated into the entire business - products, operations and culture - right from the start; it is not bolted on as an afterthought. 
So in terms of applying a “security-first” approach to cloud, what that means to Oracle is that our Gen2 Cloud has been newly built as a fully-fledged enterprise class cloud, designed from the ground up for mission critical workloads. It isolates the network virtualisation and cloud control layer from customer workloads, which means blocking threats from proliferating across cloud tenancies. Security is baked in, and consequently it will be a game changer in security. 

Additionally, Oracle’s Gen2 Cloud makes use of machine learning and AI to spot anomalous activities, such as an administrator suddenly changing permissions, privileges, or configuration settings with atypical frequency. By leveraging ML and AI, the processes by which to detect, to respond, even predict sophisticated security threats become more automated and expedient, mitigating risks from the ‘core’ where data resides all the way to the ‘edge’ of the network.

Coupled with Oracle Autonomous Database, for protection of data itself, the Oracle Cloud becomes a highly secure enterprise platform for harnessing the power of data. Autonomous Database is a showcase in innovation with security features like:

  • Self-driving to automatically provision, monitor, backup, recover, tune, and upgrade.
  • Self-securing to automatically apply security patches with no downtime.
  • Self-repairing to maximise uptime and productivity with 99.995% availability which is less than 2.5 minutes of planned and unplanned downtime a month.

  5. Over the years, how has Oracle led by example and applied a security-first approach to its own operations?

For over 40 years, Oracle has been dominating the market in database. In fact, the company and its original database were named after the CIA project that led to the foundation of the organisation. Today, as back then, Oracle takes security no less seriously and, as outlined above, takes a “security-first” approach, meaning that it is integrated into the entire business - products, operations and culture - right from development, to deployment and beyond.  
