Rising security threats, expanding compliance requirements, consolidation, and cloud computing are just a few of the reasons why data security has become critical. Stolen client devices, including tablets and Smartphone’s, have the potential to easily expose sensitive information as users move beyond the laptop. Outsourcing, off-shoring, corporate mergers, and nearly continuous organizational change create additional risks by making it easier for malicious insiders to obtain sensitive data and for outside hackers to gain access to servers using social engineering attacks. In an interaction with DQChannels, Sundar Ram, Vice President, Technology Sales Consulting Oracle Corporation, Asia Pacific explains why centralized and efficient protection of sensitive data regardless of the applications being used is more important than ever.
How can enterprises prevent fraudulent people working within organization getting access to privileged data?
Various studies and surveys have concluded that a sizeable percentage of data breaches have been perpetrated using insider credentials, typically one with elevated access to systems and its data. If a user’s password is guessed, a device is compromised, or a session is hijacked, then fraudulent activity may occur. Likewise, if a privileged user has, or gains, “back door access” to IT systems, then traditional data security access controls may be bypassed.
Examination of numerous security incidents has shown that timely examination of audit data could have helped detect unauthorized activity early and reduced the resulting financial impact. Hence we recommend deployment of solutions that ensure effective auditing inside the database. For example Oracle Database 12c introduces policy based conditional auditing. An audit policy can be defined to audit all actions outside a specific IP address and username.
Fraud conditions may also be related to a set of ordinary activities that are suspicious when viewed together in a given sequence. In the financial sector this may apply to a pattern of financial transactions that could resemble money laundering. In such cases the system may suspend accounts and send alerts when such potential violations are detected.
Detective controls may also be applied as another measure of security. They provide the ability to perform audits and analysis based on ad-hoc criteria. They can be used to perform “what-if” analysis, look for specific trends, investigate the actions of suspicious users, etc. The administrative audit and analysis capabilities provide a backstop for fraud detection that either has not yet been defined or has not yet been codified into a purely run-time preventative security control.
Is there any price factor as to why companies are delaying this much needed security measure?
It’s not that enterprises are not investing in security. In fact according to an Oracle sponsored CSO Market Pulse survey, the corporate answer to rising threat levels is to spend more on security. But bigger budgets alone have not increased CSOs’ confidence in delivering a highly secure enterprise. While 59% of respondents say their IT security budgets have increased, only 23% say their organization has a superior strategy in place across all key aspects of data security.
Much of this investment is also reactive. Organizations are not considering long term strategies to protect information assets especially the most crucial one – database. Most companies invest in perimeter and network defense because they believe database and application data are inherently safe as they lie deep within the firewall of the company. This is a dangerous assumption. Enterprises today have to re-engineer their thoughts to understand the right approach to secure information assets. In the new world, sensitive corporate data is stored and accessed from beyond the company’s direct control.
For this reason, instead of focusing on more complex network security policy, IT organizations should focus on how users access applications and data. When criminals breach a network, they target weak user access controls as a means to acquiring valuable information assets. While an ideal mix of security spending will vary from organisation to organisation and their threat exposure what we would recommend is that IT managers should align security budgets with their organization’s most valuable assets – the information stored in databases, applications and servers. CSOs and CISOs need to rebalance security resources to protect corporate information from the inside out.
What is Oracle’s contribution in the application and data security space?
From hardware infrastructure to database, middleware, application, and cloud environments, only we offer end-to-end, unfragmented monitoring, controls, change management, and reporting. We offer the industry’s most advanced technology to safeguard data where it lives—in the database. Our comprehensive portfolio of database security solutions including Oracle Audit Vault and Database Firewall, Database Vault and Data Masking and Subsetting solutions ensure data privacy, protect against insider threats, and enable regulatory compliance.
In addition our complete, best-of-breed identity management solution set enables enterprises secure critical applications and sensitive data, lower operational costs, and comply with regulatory requirements. It secures sensitive applications and data regardless of whether they are hosted on-premises or in a cloud. Built on a uniquely integrated modern architecture, Oracle Access Management software gives customers the flexibility to deploy a comprehensive solution delivering authentication, single sign-on, authorization, federation, mobile and social sign-on, identity propagation, and risk-based authentication and authorization at the network perimeter. Oracle Identity Governance empowers user self-service, simplifies account administration, and streamlines audit tasks resulting in a lower overall total cost of ownership for managing identities.
We also provide the industry’s most complete, end-to-end offering aimed at reducing the risks associated with smart mobile devices. With a complete set of security-focused capabilities—including access and authentication, single sign-on, application containerization, corporate application store, and more—Oracle Mobile Security enables organizations to rapidly adopt and deploy new mobile technologies and applications, and segregate and manage corporate data and applications without interfering with mobile users’ personal data and applications.