As mission-critical resources are being hosted in the cloud, the security of those resources is very important, no matter where they are hosted.
Since the architecture of the cloud is different from the traditional networks, enterprises need to develop expertise around cloud security for respective cloud platforms and the security technologies around it.
The opportunity that the cloud presents also brings in challenges.
As the number of security threats and data breaches increases, it is very difficult for any human to deal with the volume of risks, not to mention the shortage of relevant skills.
The Capital One breach, a customer of Amazon Web Services (AWS), exposed personal information such as transaction data, credit scores, payment history, balances, and for some linked bank accounts, social security numbers of 106 million people across the US and Canada.
According to FireEye’s Mandiant Incident Response, most of the AWS intrusions encountered began with compromised credentials, usually in the form of an AWS access key or an identity and access management user password.
An AWS access key consists of a unique public identifier and a corresponding private (secret) key, which is, analogous to a username and password respectively. Used together, a user can perform an application program interface (API) requests against AWS services or access the AWS environment via the AWS command-line interface (CLI).
The CLI allows a user to modify and manage resources. Since the keys are designed to enable applications to access an AWS environment, organisations typically do not enforce multi-factor authentication.
In one Mandiant Incident Response case, AWS access keys were compromised from a GitHub repository and leveraged to access the victim’s AWS environment.
“If Capital One was in the Oracle Gen 2 cloud infrastructure, the breach would not have happened. From an Oracle standpoint, we take the vast majority of that risk away with the deployment of autonomous capabilities of our database,” Steve Daheb, Senior Vice-President for Cloud and PaaS at Oracle, told TechRadar Pro Middle East in an exclusive interview.
An autonomous database is a cloud database that eliminates complexity, human error and manual management associated with database tuning, security, backups and updates; tasks traditionally performed by the database administrators.
Daheb said that most of the cloud providers are in the “first-generation cloud technology” while Oracle has moved one step ahead into the second generation cloud technology and architecture.
What differentiates Oracle from AWS and others, he said is that it self-patches, self-manages and eliminates human error.
According to Gartner, through 2023, at least 99% of cloud security failures will be the customer’s fault.
“We believe that it is the role of the technology provider to do the integration work, whether that is through automation or services and support,” Daheb said.
Advantages of Gen 2 cloud
The key differences between the Generation 1 and Generation 2 cloud are that Generation 1 cloud places user code and data on the same computer as the cloud control code with shared CPU, memory, and storage, so, the cloud providers can see user’s data while Generation 2 cloud puts customer code, data, and resources on a bare-metal computer, while cloud control code lives on a separate computer with a different architecture.
“We have architected our Gen 2 cloud to have isolation of workloads and autonomous operations.
Isolation of workload means you have separate computers that control the user data and a completely separate set of control computers that does the processing which means that Oracle cannot see the users’ data and no user can access the control data. So, there won’t be any noisy neighbours,” he said.
Moreover, he said that a lot of breaches happened as the system was not patched with the latest updates.
“We have deployed machine learning which can automatically detect and respond to potential threats. AWS infrastructure was architected a long time ago and we were able to take a fresh approach on that. When compared to AWS, we have the highest performance, scalability [scaling up or down without rebooting the system] and security.
Everything encrypted by default
“Wherever security, scalability or performance is concerned, we win. We are more than 50% cheaper than other cloud providers. We never allow oversubscription. We are the only company that provide networking performance service-level agreements [SLAs] and block storage performance SLAs,” Daheb said.
Rajpreet Kaur, Principal Analyst at Gartner, said that security is always a shared responsibility.
“Only a part of the infrastructure is managed by the cloud. The decision on how to make the data/applications/assets hosted on the cloud is the decision and responsibility of the client,” she said.
Daheb also echoed on the same tone that security is a shared responsibility and based on service-level agreements.
“There are some things which the customers have to manage and other things which we can fill and, at the same time, we also offer managed services which can take care of the customers’ faults also. We shipped everything encrypted by default when compared to others. The point of having autonomous is to reduce human error and that is what other cloud providers don’t offer it today,” he said.
Oracle’s competitors offer the ability to automate scaling and backups, but what Oracle is offering is an intelligent and self-managing database that utilizes the power of artificial intelligence and machine learning to bring a high degree of automation to routine administrative tasks.
Currently, to do patching, Daheb said that customers need to bring down the apps, then the database and after patching, they need to reboot the OS, restart the database and the apps.
“From a practical point of view, a company has to hire a project manager. He has to contact the apps people whether they will agree for the downtime and then he has to talk to the database folks,” he said.
As a result, the whole schedule of patching by an individual company is really expensive, and also presents various security issues. By comparison, Oracle has an IP that allows it to patch the OS in eight microseconds without bringing down the system.
Patching without downtime
“It is really important to do patching without downtime. Oracle does it for the customer and not as an add-on. When it comes to security, Oracle has a different approach,” Daheb said.
When selecting a cloud provider, Daheb said that customers have to look at the structure of the cloud setup, performance, security process, isolation, how do they automate core processing and guidelines of SLAs.
Kaur said that cloud adoption requires making several decisions along the way that must be regulated by previously agreed-upon principles and policies.
“Such decisions include, which applications are good candidates for public cloud environments, which cloud provider (or providers) to use, which migration strategies for existing workloads or which environments to prioritise for new projects,” she said.
The effective use of public cloud services requires the cooperation of multiple specialists in the enterprise; she said and added that it is incumbent on the security team to work with the compliance, privacy and other related risk domains to develop the organisational approval process for this increasingly ubiquitous computing model.
“Risk-triage approach that right sizes the assessment effort can only succeed with executive support, and an agreed-on policy. The alternative is the unrealistic expectation that the security team will always extend an exhaustive level of effort, and will provide impossibly precise answers,” she said.
Moreover, she said that enterprises should focus on enabling native cloud security controls first and select cloud security technologies such as cloud access security broker (CASB), cloud security posture management (CSPM) and/or cloud workload protection platforms (CWPP) vendor that covers hybrid cloud deployments or any remaining security gaps that native cloud security tools do not cover.
According to KuppingerCole Analysts AG, Oracle has been named as an overall leader in database and big data security in 2019.