Automatic encryption and patching are a solid beginning to the cloud database security journey.
By Tom Haunert
May 21, 2018
“Data is your most critical asset, but could become your biggest liability if not properly secured,” says Vipin Samar, senior vice president of Oracle Database Security, in the video Security for the Autonomous Warehouse Database Cloud. At what point is data properly secured? Oracle Magazine sat down with Samar to talk about data assets and liabilities, appropriate security for databases in the cloud, and more.
Oracle Magazine: How is the cloud changing the database security conversation?
Samar: When organizations make the decision to move to the cloud, their first questions are often about security. Is the cloud secure? Can they limit Oracle administrator access to their data in the cloud? Can they meet their compliance requirements in the cloud? These are typically the top three questions I hear.
Oracle Magazine: Oracle Database Cloud services all run with their data encrypted. Is that enough to keep data safe in the cloud?
Samar: We use encryption by default in Oracle Database Cloud services so that hackers do not get access to the raw data.
Encryption closes one particular part of the attack surface—where the hacker gets access to data blocks directly. But hackers can try many other techniques without access to the data blocks.
Hackers can impersonate users, they can steal an end user’s password, or they can exploit weaknesses in database applications. And they can do more—it’s a long list.
So encryption is one necessary tool, but it doesn’t address all possible security risks.
Oracle Magazine: How can organizations determine whether their databases are secure?
Samar: Many organizations don’t really know how secure their databases are, where their sensitive data is located, or how much data they have.
Oracle recently released the Oracle Database Security Assessment Tool feature of Oracle Database, which lets organizations answer these questions. The tool looks at various security configuration parameters, identifies gaps, and discovers missing security patches. It checks whether security measures such as encryption, auditing, and access control are deployed, and how those controls compare against best practices.
We take care of the security of the infrastructure including the database, and we automate it—leaving nothing to chance or human error.”
Additionally, it helps them discover where their sensitive data is located and how much data they have. Oracle Database Security Assessment Tool searches database metadata for more than 50 types of sensitive data including personally identifiable information, job data, health data, financial data, and information technology data. This helps businesses to understand the security risks for that data.
It also highlights findings and provides recommendations to assist with regulatory compliance. The findings and recommendations support both the European Union General Data Protection Regulation (EU GDPR) and the Center for Internet Security (CIS) benchmark.
Oracle Magazine: Oracle Autonomous Data Warehouse Cloud is described as the world’s first self-securing database cloud service. What does self-securing mean for this service?
Samar: Self-securing starts with the security of the Oracle Cloud infrastructure and database service. Security patches are automatically applied every quarter or as needed, narrowing the window of vulnerability. Patching includes the full stack: firmware, operating system [OS], clusterware, and database. There are no steps required from the customer side. We take care of the security of the infrastructure including the database, and we automate it—leaving nothing to chance or human error.
Next, we encrypt customer data everywhere: in motion, at rest, and in backups. The encryption keys are managed automatically, without requiring any customer intervention. And encryption cannot be turned off.
Administrator activity on Oracle Autonomous Data Warehouse Cloud is logged centrally and monitored for any abnormal activities. We have enabled database auditing using predefined policies so that customers can view logs for any abnormal access.
Oracle Magazine: What’s needed to protect other attack surfaces?
Samar: Securing databases in the cloud is a shared responsibility, with Oracle securing the infrastructure and network; monitoring the OS and network activity; applying OS and database patches and upgrades; and providing encryption, appropriate separation of duties, and various certifications.
The customer organization still needs to secure its applications, users, and data. It needs to ensure that its applications can thwart attacks targeted at the company, that its users follow security best practices, and that its sensitive data is protected using appropriate controls. In some sense, these requirements are no different from those for an organization’s current on-premises databases, except that Oracle has already handled the security infrastructure part.
LEARN more about Oracle Database Security Assessment Tool.
DOWNLOAD Oracle Database Security Assessment Tool.
Photography by Lui Peng, Unsplash