Vipin Samar is the Senior Vice President of development for Oracle Database security. He leads teams responsible for all aspects of database security including encryption, redaction, masking, Oracle Database Vault, Oracle Key Vault, Oracle Audit Vault, and Oracle Database Firewall.
Prior to joining Oracle, Samar worked at Sun Microsystems and was the Founder and CEO of a startup that developed enterprise application integration and mobile platforms. Since joining Oracle in 2005, he has held various positions in product development related to data security.
Samar holds a bachelor’s degree in electrical and electronics engineering from Birla Institute of Technology and Science (BITS), Pilani, India. He also holds a master’s degree in computer science from the State University of New York at Stony Brook and has 12 patents in the areas of security and information retrieval.
In an email interview with Brian Pereira of CISO MAG, Samar talks about information security in the digital economy, Oracle’s approach towards data security, and how the organization has embedded security technologies and capabilities into the Oracle Database.
Why is there a change in attitude towards security? Earlier, it was just the regulated industries that took security seriously.
In the digital economy, information security is industry/vertical (or for that matter organization) agnostic. If we look at the scenario 10 years ago, it was mainly government and the banking sector that took security seriously, but now information security has become a business prerequisite for every organization. Given the data explosion, organizations are facing an enormous challenge to safeguard their data from cyber theft.
Looking at the kind of hacks that happened last year, these hacks were not just about credit card data, but about everything — from your location, email, and address — to healthcare records, etc. Once they get your PII (personally identifiable information), they have it forever and can access it whenever they want to. Therefore, security is no longer an afterthought, especially after the introduction of regulations like GDPR. Now, almost 125 countries have passed, or are in the process of passing, similar laws.
At the start of this year, CCPA was introduced in the State of California. What has been the impact so far?
In the U.S., every state is passing its own laws. Specific to CCPA, this is the first year of its introduction, so we’ll have to wait and see.
And what do you observe in India, regarding companies being compliant with security standards?
There are a bunch of processes to be followed which are audited regularly, with technical controls in place. Many of our customers in the banking and financial services sector are all compliant with the GDPR guidelines and it is quite amazing to see the adoption of different standards, for encryption, auditing, and access control.
Once the proposed Personal Data Protection Act comes into force, a lot of things will change. In India, the volume of data is so high (like China). With data privacy concerns on the rise and stringent regulatory requirements coming into force, organizations have no choice but to redefine the way they approach data management. A good first step would be to put in place a cohesive IT architecture, with systems and applications built to work as an integrated unit. The data can then be organized in such a way that it’s easier to change, transfer, find, erase and comply with regulatory requirements. Security and proper access processes are critical – assess, prevent and detect should be the key mantras.
What is Oracle’s approach to data security? How is it embedding security in its products?
Oracle’s approach to security is in protecting the world’s most mission-critical systems and data. Our Gen 2 Cloud has put the security of critical workloads at the forefront of its cloud design. For customers running security-sensitive workloads such as financial applications or citizen data accessibility, Oracle Cloud Infrastructure (OCI) has built a cloud with technology to reduce risk by isolating customers from the parts of the cloud controlled by other tenants and even Oracle personnel. The security-first design approach led to innovations like isolated network virtualization and pristine physical host deployment, which give customers a higher level of security than first-generation clouds. Simply put, security is not bolted on; whether it is encryption, access control, or auditing, all of this is built inside. That is what gives us scale and performance. We are moving towards “always-on” security, and you can’t turn it off on the cloud. We have to move towards this space of “business-on” by default. There is no “off” switch.
For example, Oracle Autonomous Database is a generational innovation that redefines data management. It automatically encrypts all data whether it’s at rest or in flight. It also prevents any administrators from snooping on sensitive application data. From a security perspective, with self-securing capabilities, Oracle Autonomous Database ensures the automatic application of the latest security updates with no downtime, eliminating cyberattack vulnerabilities. It also offers protection from all types of downtime, including system failures, maintenance, user errors, and changes to the application data model.
Can you tell us about some of Oracle’s data security innovations?
An organization’s success and failure depend on how it uses and secures its data. Organizations need to be a step ahead of hackers, who are ready to exploit any weakness, whether in databases, applications, or the infrastructure.
That is the reason we have multiple security technologies for protecting data at the source – within the database. We have focused on all pillars of security: evaluating the risk posture, minimizing the attack surface, preventing the attacks, and detecting and alerting on any malicious behavior in databases.
We have embedded security technologies and capabilities into the Oracle Database to enable our customers to deploy and maintain a highly secure database environment all by themselves. With Oracle Data Safe, critical functionalities for securing databases in the cloud are now under a simple click-and-secure interface. The most common security tasks can be completed without requiring any deep security expertise. Data Safe helps all customers, big or small, keep their data safe and has made security an enabler for many organizations to move to the cloud.
Oracle takes a multi-layered approach to security. Can you explain that?
There isn’t a single thing you can do to make your database secure. You have to think from the perspective of the hackers, who are attacking from all sides: network, infrastructure, database, applications. They could attack the weakest link and there isn’t a single solution. So, businesses need different solutions to protect all this. Therefore, we need to embed security as close to the data as possible and keep it secure.
Oracle Advanced Security provides two preventive controls to protect sensitive data at the source: encryption and redaction. Together, these two controls form the foundation of Oracle’s defense-in-depth, multi-layered database security solution. Multi-layered security includes controls to evaluate risks, prevent unauthorized data disclosure, detect and report on database activities, and enforce data access controls in the database with data-driven security. Capabilities such as online and offline tablespace migration options provide flexibility while deploying encryption, while database privilege analysis helps reduce an application’s attack surface.
How is Oracle helping organizations with compliance and regulation? Do you have a product or service specifically for that?
Every regulation has multiple aspects like encryption, auditing, access control, security assessment, etc. For example, if we talk about GDPR, it talks about data anonymization, data masking, etc. We map our solutions to every regulation, like GDPR for instance. Oracle security includes a full set of hybrid cloud solutions, from the chip to applications that help prevent, predict, detect and respond to security threats.
What is the industry sentiment towards cloud security? How is Oracle responding?
Cloud has changed the rules of the game. Earlier, many were hesitant to move to the cloud because they were concerned about weak security. Now they move to the cloud because it is more secure than traditional/legacy on-premises setups.
In the digital era, hacks are increasing in complexity, variety, and impact, so CISOs can’t afford to let their guard down even for one second – because the attack surface has expanded unimaginably, spanning multiple threat vectors. Add to this the shortage of top-quality cyber-talent and increasing regulatory/compliance requirements – you have the CISOs literally in the hot seat at any given point in time. We do not see enough professionals with security as their focus area. At the same time, organizations depending more on humans will face immense challenges as hackers are getting tech savvier every day. Hence, we feel that businesses need to gather and strike a fine balance between the deployment of machines and humans to counter security threats, as the future war for security will be machine-versus-machine combat.
We’ve purpose-built our second-generation cloud from the ground up to meet the requirements of large enterprises and complicated workloads. Oracle is opening more regions across the world, including India, to comply with data residency mandates and data sovereignty requirements.
For Oracle, simplicity is a prerequisite for any solution, and that’s why we created Data Safe. It takes responsibility for the user component of that whole equation and automates it completely. So, this is about simplicity and not about requiring security expertise. We have made security simple and easy to use.
CISO MAG did not evaluate/test the products mentioned in this article, nor does it endorse any of the claims made by the writer. The facts, opinions, and language in the article do not reflect the views of CISO MAG, and CISO MAG does not assume any responsibility or liability for the same. CISO MAG does not guarantee the satisfactory performance of the products mentioned in this article.