Why Oracle Cloud Infrastructure (OCI)? - Part 2 (Security)

By Christopher Ackerman August 17, 2023

On almost every cloud call I have, the customer asks the same three questions: is our data secure, will the cloud hurt performance, and what about availability? Often the customer has had a bad experience with a cloud service provider (CSP) in the past and is being extra careful this time around. These are the right questions to ask, because a lapse in any of the three will put your organization in the news in a less than flattering way. Picking a CSP can be a daunting task, as every provider positions itself as a leader, and for less mission-critical workloads, like online games, they all work mostly fine. For truly enterprise workloads, however, there is more to consider, especially for customers that need an environment that is secure, available, and outperforms their current on-premises systems. Security is complex and is one of the most important of these subjects, so this entire blog post is focused on security alone.

SECURITY CANNOT BE BOLTED ON AFTER THE FACT

I have said this before and will say it again: security in the cloud cannot be added as an afterthought. When you plan a migration to the cloud, you must plan and implement the security controls from day one. Many customers have moved to the cloud and only start securing their systems and data after they experience a large breach, such as the AWS credential leak in early 2020 that exposed passwords, private authentication tokens and private encryption keys on GitHub. The problem is not unique to AWS; Azure has had its own challenges, including a leak reported in early 2020 in which over 250 million Microsoft customer support records were left publicly accessible on Azure. If a CSP cannot protect its own systems, how will it help protect your sensitive data? At the root of this problem is how security was designed into the first-generation clouds: often bolted on after the cloud itself was built.

When you look at OCI you will experience a different story, with many free features that improve the security of your data from day one. Many advantages are core to OCI. For example, instances on the same subnet are protected by security lists and network security groups that block all inbound traffic unless it is specifically allowed; the default security list admits only SSH (TCP port 22) and a few ICMP message types, so every other service has to be deliberately opened.

The security is not just what you see as an OCI customer! OCI is built around multiple layers of security in front of your tenancy, plus levels of defense throughout the technology stack. This security is down to the physical network level with a custom-designed SmartNIC that isolates and virtualizes the network. This not only provides better network performance; it also prevents any malware within a compromised instance from moving to other customers' instances. OCI also leverages machine learning and automation to better secure OCI.

There are many more advantages, but the four I want to look at in more detail can provide the greatest impact to your organization's security posture.

DATABASE ENCRYPTION BY DEFAULT

First, your database is encrypted by default, out of the box, as it is built. The database is encrypted whether it is Standard Edition or Enterprise Edition, and it is encrypted with the same technology used by on-premises Enterprise Edition databases: Transparent Data Encryption (TDE) from the Advanced Security Option. Your DBAs manage the encryption, and the CSP has no access to the wallet that holds the master keys, unlike other CSPs where technical support can reach your keys if you encrypt. How secure is your data if someone in technical support can access the encryption keys? Worse still, what happens if those keys are published on GitHub, enabling anyone to unlock the data they protect?

AUTONOMOUS LINUX, AUTOMATING THE OPERATING SYSTEM

Another way OCI is more secure is that you can deploy a Linux VM that is autonomous, which automates basic security management such as patching. Autonomous Linux uses Ksplice, an Oracle tool that patches the Linux kernel while the system is running. That means no server reboots, so the kernel can be kept patched all the time, not just the few times a year you can schedule a reboot. The protection extends beyond patching: Ksplice's known-exploit detection lets every system act as a tripwire, reporting attempts to use known kernel exploits and notifying your security team when an intruder starts to look around, not weeks after the data is stolen. Best of all, Autonomous Linux runs a kernel that is fully compatible with Red Hat Enterprise Linux, with a track record of more than a decade without a logged compatibility bug, so your Linux applications remain fully supported by their vendors. Almost any application can take advantage of this technology, and it is all FREE in the Oracle Cloud.

CLOUD GUARD: IF YOUR CLOUD IS NOT SECURE, YOUR DATA IS NOT SECURE

When you look back at many cloud security breaches, like the Microsoft one above, the most common cause is a misconfigured cloud. More often than not, administrators lack the visibility to triage and resolve cloud security issues: object stores visible to anyone, expiring TLS certificates, encryption done with keys accessible to the cloud provider, VMs with public IP addresses, or insecure ports reachable from anywhere. Issues should not only be identified; automatic remediation with out-of-the-box security recipes is what lets a security operations center scale. Oracle's FREE, yes, FREE, Cloud Guard is a service that not only identifies these issues but can also remediate them with the click of a button. A sample report from the tool looks like this.

As you can see, it easily identifies problems in the environment, ranking them by severity. Leveraging Cloud Guard, customers can secure their cloud infrastructure, and more importantly, keep it secure.
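As an added illustration (not Cloud Guard's own code, and not from the original post), the script below performs the kind of check Cloud Guard automates for two of the misconfigurations listed above: ingress rules open to the whole internet on ports other than SSH, and Object Storage buckets with public access. The input dictionaries are constructed for this example and only mimic the shape of the JSON the OCI CLI prints for security lists and buckets; the severity labels and the set of TCP ports allowed to face the internet are assumptions, not Cloud Guard's.

```python
"""Flag world-reachable ingress rules and public buckets.

Added example, not Cloud Guard code.  The dictionaries below are CONSTRUCTED
and only mimic the JSON shape of `oci network security-list list` and
`oci os bucket get`; nothing is read from a real tenancy.
"""
from dataclasses import dataclass

ANYWHERE = "0.0.0.0/0"
FULL_RANGE = (1, 65535)
# Assumption for this example: only these TCP ports may face the internet.
ALLOWED_PUBLIC_TCP = {22, 443}
SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1}


@dataclass(frozen=True)
class Finding:
    severity: str
    resource: str
    detail: str


def _dest_ports(rule):
    """Destination ports a rule covers.  OCI leaves the tcp/udp options
    null when a TCP/UDP rule means 'all ports', so null -> full range."""
    proto = rule.get("protocol")
    opts = None
    if proto == "6":
        opts = rule.get("tcp-options")
    elif proto == "17":
        opts = rule.get("udp-options")
    if not opts or not opts.get("destination-port-range"):
        return FULL_RANGE
    rng = opts["destination-port-range"]
    return (rng["min"], rng["max"])


def audit_security_list(seclist):
    """Findings for ingress rules whose source is the entire internet."""
    findings = []
    name = seclist["display-name"]
    for rule in seclist.get("ingress-security-rules", []):
        if rule.get("source") != ANYWHERE:
            continue
        proto = rule.get("protocol")
        lo, hi = _dest_ports(rule)
        if proto == "all" or (proto in ("6", "17") and (lo, hi) == FULL_RANGE):
            findings.append(Finding("CRITICAL", name, "all ports open to the internet"))
        elif proto == "6" and set(range(lo, hi + 1)) - ALLOWED_PUBLIC_TCP:
            findings.append(Finding("HIGH", name, f"TCP {lo}-{hi} open to the internet"))
        elif proto == "17":
            findings.append(Finding("HIGH", name, f"UDP {lo}-{hi} open to the internet"))
        # ICMP from anywhere (present in OCI's default list) is not flagged here.
    return findings


def audit_bucket(bucket):
    """A bucket is a finding unless its public-access-type is NoPublicAccess."""
    access = bucket.get("public-access-type", "NoPublicAccess")
    if access == "NoPublicAccess":
        return []
    return [Finding("CRITICAL", bucket["name"], f"bucket is public ({access})")]


def run_audit(seclists, buckets):
    """All findings, most severe first (stable order within a severity)."""
    findings = []
    for sl in seclists:
        findings += audit_security_list(sl)
    for b in buckets:
        findings += audit_bucket(b)
    return sorted(findings, key=lambda f: SEVERITY_RANK[f.severity])


# CONSTRUCTED sample input.
SAMPLE_SECLISTS = [
    {   # shaped like OCI's default security list: only SSH and ICMP inbound
        "display-name": "Default Security List for vcn-prod",
        "ingress-security-rules": [
            {"protocol": "6", "source": ANYWHERE,
             "tcp-options": {"destination-port-range": {"min": 22, "max": 22}}},
            {"protocol": "1", "source": ANYWHERE, "icmp-options": {"type": 3, "code": 4}},
        ],
    },
    {   # a hand-edited list that opened RDP and then everything to the world
        "display-name": "sl-app-tier",
        "ingress-security-rules": [
            {"protocol": "6", "source": ANYWHERE,
             "tcp-options": {"destination-port-range": {"min": 3389, "max": 3389}}},
            {"protocol": "6", "source": "10.0.0.0/16",
             "tcp-options": {"destination-port-range": {"min": 1521, "max": 1521}}},
            {"protocol": "all", "source": ANYWHERE},
        ],
    },
]
SAMPLE_BUCKETS = [
    {"name": "backups-prod", "public-access-type": "NoPublicAccess"},
    {"name": "exports-2023", "public-access-type": "ObjectRead"},
]

if __name__ == "__main__":
    for f in run_audit(SAMPLE_SECLISTS, SAMPLE_BUCKETS):
        print(f"{f.severity:8} {f.resource}: {f.detail}")
```

The default-style list produces no finding, because SSH from anywhere is the one thing the default list is expected to allow; the edited list and the public bucket produce the three findings, ordered by severity. In a real tenancy the same logic would be fed the output of the OCI CLI or SDK for every compartment, and the "allowed public ports" set would be whatever the organization has actually approved.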

IT'S THE DATA THAT REALLY COUNTS

Finally, consider that regardless of how secure the operating system is, what attackers are after is the data itself, which makes the database the true target of most attacks. Oracle addresses this with a free tool called Data Safe.

Oracle Data Safe has five key features that work to protect your data:

  • Security Assessment – Assesses the security of your database configuration, analyzing configuration parameters, user accounts, and security controls. Reports are then available with the findings and recommended remediation activities.
  • User Assessment – Users abusing privileges are a common source of data breaches, and this feature assesses the security of your database users, identifying high-risk users. It reviews information about each user, calculates a risk score, and provides a direct link to the audit records related to that user, so you can see users, their privilege levels, and their risk in one place.
  • Data Discovery – Examines the data within the database as well as its structure to find sensitive data. Based on your definition of what kind of data to look for, it searches the database and returns a report showing where that data may live. A common example is identifying social security numbers typed into a note field. By default, Data Discovery can search for identification, biographic, IT, financial, healthcare, employment, and academic information.
  • Data Masking – Masks sensitive data so users can see only part of it. This is commonly used to populate a non-production system with production data while masking information like social security numbers and email addresses. Beyond partial masking, you can also replace the sensitive data with fictitious values.
  • Activity Auditing – Oracle Database has a robust audit logging system. This feature collects the audit data into Data Safe to enable auditing of user activity on your databases, so unusual database activity can be identified automatically.
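The behaviour described under Data Discovery and Data Masking, as an added Python example (not Data Safe code, and not part of the original post): it scans constructed rows for social security numbers, e-mail addresses and card numbers, including the "SSN typed into a note field" case, and then produces a masked copy suitable for a non-production system. The regular expressions, the HMAC masking key and the sample rows are all assumptions made for the illustration.

```python
"""Sensitive-data discovery and masking over constructed rows.

Added example, not Data Safe code.  Rows, patterns and the masking key are
CONSTRUCTED for illustration.  Masking is deterministic (keyed HMAC) so the
same SSN maps to the same fictitious value in every table, which keeps joins
in a non-production copy intact.
"""
import hashlib
import hmac
import re

PATTERNS = {
    # US SSN; area 000/666/9xx, group 00 and serial 0000 are never issued
    "SSN": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    # 13-16 digits, optionally separated by spaces or dashes; Luhn-checked below
    "CARD": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
}
# Assumption for the example; in practice the key comes from a vault, not code.
MASK_KEY = b"constructed-demo-key"


def luhn_ok(s):
    """Mod-10 check so arbitrary 16-digit numbers are not reported as cards."""
    digits = [int(c) for c in s if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def discover(rows):
    """Return (row_index, column, kind, matched_text) for every sensitive hit.
    Every string column is scanned, so data hidden in free text is found too."""
    hits = []
    for i, row in enumerate(rows):
        for col, val in row.items():
            if not isinstance(val, str):
                continue
            for kind, pat in PATTERNS.items():
                for m in pat.finditer(val):
                    if kind == "CARD" and not luhn_ok(m.group()):
                        continue
                    hits.append((i, col, kind, m.group()))
    return hits


def _tag(value):
    return hmac.new(MASK_KEY, value.encode(), hashlib.sha256).hexdigest()


def mask_value(kind, value):
    """Replace a value with fictitious data of the same shape (SSN, e-mail)
    or reveal only part of it (card: last four digits kept)."""
    if kind == "SSN":
        n = int(_tag(value), 16)
        # area 9xx is never assigned, so the fake cannot collide with a real SSN
        return f"9{n % 100:02d}-{(n // 100) % 100:02d}-{(n // 10000) % 10000:04d}"
    if kind == "EMAIL":
        return f"user-{_tag(value)[:10]}@example.com"
    if kind == "CARD":
        total = sum(c.isdigit() for c in value)
        seen, out = 0, []
        for c in value:
            if c.isdigit():
                seen += 1
                out.append(c if seen > total - 4 else "X")
            else:
                out.append(c)
        return "".join(out)
    raise ValueError(f"unknown kind {kind}")


def mask_rows(rows):
    """Masked copy of the rows; the originals are left untouched."""
    masked = [dict(r) for r in rows]
    for i, col, kind, text in discover(rows):
        masked[i][col] = masked[i][col].replace(text, mask_value(kind, text))
    return masked


# CONSTRUCTED rows: the free-text 'notes' column is where SSNs tend to leak.
SAMPLE_ROWS = [
    {"id": 1, "name": "A. Example", "email": "a.example@corp.test",
     "notes": "Customer SSN 123-45-6789 confirmed by phone."},
    {"id": 2, "name": "B. Example", "email": "b@corp.test",
     "notes": "Card on file 4111 1111 1111 1111, ticket 987654321."},
    {"id": 3, "name": "C. Example", "email": "c@corp.test",
     "notes": "Nothing sensitive here; ref 000-00-0000."},
]

if __name__ == "__main__":
    for hit in discover(SAMPLE_ROWS):
        print("row %d column %-5s %-5s %s" % hit)
    for row in mask_rows(SAMPLE_ROWS):
        print(row["email"], "|", row["notes"])
```

Two design points carry over to any masking job: the masked output must not itself trip the discovery rules (here the fake SSNs use an area number that is never issued, and the card keeps only its last four digits), and masking must be consistent across tables, which is why the fictitious values are derived from a keyed HMAC rather than drawn at random.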

If you would like to learn more about transforming your organization with Oracle Cloud Solutions from Mythics or explore our Data Security Solutions, contact us, or visit mythics.com/cloud-migration-and-support.

Erik Benner, Vice President Enterprise Transformation, Mythics