On the heels of Oracle’s launch of its two new cloud security products, Oracle Maximum Security Zones and Oracle Cloud Guard, Bala Chandran, VP (Software) Security, Oracle Cloud talks to Shipra Malhotra, Executive Editor, dynamicCISO about the biggest gap areas in cloud security today and how Oracle is addressing those. He also reveals Oracle’s plans around building AI/ML capabilities and how they are core to the company’s cloud security roadmap.
Shipra Malhotra: Where are some of the biggest gap areas in cloud security today?
Bala Chandran: Today organizations are not getting breached because they don’t have the tools. It’s because the tools are too complicated and fragmented to use. If you look at the cloud security landscape, there are hundreds of tools with hundreds of buttons, settings and configurations. And, all these are fragmented. That is a recipe that has not worked well.
The second gap area is automation for core configurations that can automatically either enforce ahead of time or detect and fix the problem. Going into more sophisticated threat vectors, there is a gap around correlation of data across various systems. The highly sophisticated threats and attack vectors require correlation among a lot of data and that is what allows you to detect the threats.
Another challenge is that cloud security today is very layered, in the sense that organizations have different teams looking at infrastructure security, database security, application security, etc. And, then these various teams have lots of overlapping functionalities. Hence, not only do they end up with duplication but also missing things because they’re not talking to each other.
SM: How is Oracle working towards addressing these gap areas?
Bala Chandran: At Oracle we are trying to build products that address those needs – automation of simple mistakes, the complex correlation across a lot of data that requires holistic integration and vertical integration across the stack.
We started looking at the paradigm, what if we could build the entire security knowledge and IP into a set of products we can enforce, and came out with two new products that we launched recently – Oracle Maximum Security Zones and Oracle Cloud Guard. Maximum Security Zones activates the security policy enforcement of best practices automatically from day one so customers can prevent misconfiguration errors and deploy workloads securely. For day-to-day operations, Cloud Guard continuously monitors configurations and activities to identify threats and automatically acts to remediate them across all Oracle Cloud global regions.
The intent behind these two products is to make security simple, on by default and prescriptive. These tie into an integrated approach to security, wherein the Oracle stack – the infrastructure, databases, SaaS applications – is holistically integrated into these two products.
SM: With the nature of attacks growing in complexity and threat surface expanding rapidly, what are Oracle’s plans around AI/ML in its cloud security roadmap?
Bala Chandran: The way to automation is through algorithmic techniques. Today the threat vectors are too complex and the amount of data too huge for any heuristic, rule-based or human-based approach to keep up; those approaches are not scalable. So, we are investing heavily in ML and deep learning techniques and it is core to our strategy.
The amount of data that’s coming in – the flow log data from the network, correlated with vulnerability data, correlated with external threat data – there’s just so much data out there. The challenge in security is like finding a needle in the haystack. There are tons of normal events and then there’s one or two suspicious events. Hence, you have these really fine-grained anomalies that you need to detect. So, we are spending a lot of time and scientific horsepower to develop algorithms that can fine-tune those anomaly detections. The ability to correlate all this data is going to be core. It’s already built into a lot of our products and it’s only going to get more and more advanced over time.
SM: Can you give some examples of correlation capabilities that you have built into your cloud security?
Bala Chandran: A great example of that is Cloud Guard, which essentially correlates the data. We have a set of detectors which go out against everything – from databases to storage hosts to compute, etc., – and collect all the information. This is then fed into a correlation engine and that’s really where the AI/ML starts to come in. This correlation engine takes all this information, de-duplicates it, figures out what is actionable and what is noise, spits out actionable problems that we then define responses to. So, not only do we define the problem but also the action, and in a lot of cases that action is taken automatically.
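The pipeline described in this answer (detectors collect findings, a correlation engine de-duplicates them and separates actionable problems from noise, and each actionable problem is mapped to a response) can be illustrated with a small stand-alone model. The code below is an added example written for this page; it is not Oracle Cloud Guard code and makes no claim about how Cloud Guard is implemented. The detector names, rule names, severity scale, the `ACTIONABLE_THRESHOLD` cut-off and the `RESPONDERS` table are all constructed for the illustration.

```python
"""Toy correlation engine: raw detector findings -> de-duplicated problems -> responses.
Constructed example for illustration; not Oracle Cloud Guard code."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    detector: str   # which detector emitted it (constructed names)
    resource: str   # the cloud resource the finding is about
    rule: str       # the rule or check that fired
    severity: int   # 1 (low) .. 4 (critical), constructed scale


# Constructed sample findings, as several independent detectors might emit them.
# Note the same bucket problem is reported three times by two different detectors.
SAMPLE_FINDINGS = [
    Finding("storage-config", "bucket/finance-exports", "public-access", 4),
    Finding("storage-config", "bucket/finance-exports", "public-access", 4),  # repeat scan
    Finding("activity-audit", "bucket/finance-exports", "public-access", 3),  # second detector agrees
    Finding("compute-config", "vm/web-01", "ssh-open-to-world", 3),
    Finding("db-config", "db/orders", "audit-logging-disabled", 2),
    Finding("activity-audit", "user/alice", "login-new-geo", 1),
]

# Problems scoring below this are treated as noise (hypothetical threshold).
ACTIONABLE_THRESHOLD = 2

# Hypothetical responder table: rule -> automatic remediation for a resource.
RESPONDERS = {
    "public-access": lambda r: f"set {r} to private",
    "ssh-open-to-world": lambda r: f"restrict ssh ingress on {r} to the bastion CIDR",
    "audit-logging-disabled": lambda r: f"enable audit logging on {r}",
}


def correlate(findings):
    """Collapse findings that concern the same (resource, rule) into one problem.

    The problem keeps the highest severity seen and the set of detectors that
    reported it; corroboration by more than one detector raises the score by one.
    """
    groups = defaultdict(lambda: {"severity": 0, "detectors": set(), "count": 0})
    for f in findings:
        g = groups[(f.resource, f.rule)]
        g["severity"] = max(g["severity"], f.severity)
        g["detectors"].add(f.detector)
        g["count"] += 1
    problems = []
    for (resource, rule), g in groups.items():
        score = g["severity"] + (1 if len(g["detectors"]) > 1 else 0)
        problems.append({
            "resource": resource,
            "rule": rule,
            "score": score,
            "detectors": sorted(g["detectors"]),
            "raw_count": g["count"],
        })
    problems.sort(key=lambda p: -p["score"])  # highest priority first
    return problems


def triage(problems):
    """Split correlated problems into actionable ones and noise."""
    actionable = [p for p in problems if p["score"] >= ACTIONABLE_THRESHOLD]
    noise = [p for p in problems if p["score"] < ACTIONABLE_THRESHOLD]
    return actionable, noise


def plan_responses(actionable):
    """Attach a response to each actionable problem; rules without an
    automatic responder are escalated to a human instead of being dropped."""
    plan = []
    for p in actionable:
        responder = RESPONDERS.get(p["rule"])
        action = responder(p["resource"]) if responder else "escalate to analyst"
        plan.append((p["resource"], p["rule"], action, responder is not None))
    return plan


def run(findings=SAMPLE_FINDINGS):
    """Full pass: correlate, triage, plan. Returns everything for inspection."""
    problems = correlate(findings)
    actionable, noise = triage(problems)
    return {
        "problems": problems,
        "actionable": actionable,
        "noise": noise,
        "plan": plan_responses(actionable),
    }


if __name__ == "__main__":
    result = run()
    print(f"{len(SAMPLE_FINDINGS)} raw findings -> {len(result['problems'])} problems, "
          f"{len(result['actionable'])} actionable, {len(result['noise'])} noise")
    for resource, rule, action, auto in result["plan"]:
        print(f"[{'auto' if auto else 'manual'}] {resource}: {rule} -> {action}")
```

Running it on the constructed findings collapses six raw findings into four problems; the publicly readable bucket is reported once, with a boosted score because two detectors agreed, and the single low-severity login anomaly is set aside as noise rather than becoming a ticket. The design choice worth noting for a real system is the fall-through in `plan_responses`: an actionable problem with no automatic responder is escalated, never silently discarded.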
SM: What trends are emerging in the wake of the COVID-19 pandemic and the transformation it’s brought about in the way we work?
Bala Chandran: COVID-19 has accelerated the movement of those applications and systems to the cloud that weren’t on it before and we are seeing an increased demand for cloud services. This is an inflection point where we’re starting to see customers who were old school and resistant to cloud become much more open to it. With a lot of traffic going through the cloud environments there is increased demand for underlying cloud architectures, compliance with various government standards like GDPR, encryption and zero trust technologies among others.
But, CISOs are saying that for all these good things that I want to do, give me a platform where I can enforce all these, automate it and make it simple for me. So, what we’re doing with Cloud Guard and Maximum Security Zones is building that platform and we plug zero trust, encryption, AI/ML, etc. into it neatly. So, as a security professional you have this one place where you can go and manage your environment.
SM: Any lessons or key takeaways that you would like to share with CISOs on strengthening their cloud security posture?
Bala Chandran: Complexity kills in security. Organizations have all these complex rules and policies with whitelists, blacklists and exceptions that they have built over a period of time for various reasons that they thought were good at the time. But, what we found is that those are really killers. What we have realized over the years working with our customers is that it’s better for the end user, the organization and the cloud security to have simple prescriptive defaults that cannot be changed. And, that doesn’t mean that there’s no tuning of the system.
The other is the danger of getting drowned in security noise. There’s so much data and potential malicious and unintentional activity out there that could happen that there’s a danger of every possible event being turned into a potential security event. The result is the CISOs getting into an analysis paralysis mode where they can’t take any action because they’re afraid that anything they do will compromise security. So, the other lesson we have learnt is to automate the remediation of common problems and that will take care of 90% of your threat vectors. And, then you’re going to have the really advanced nation state attackers or very advanced threats that you can have highly skilled professionals go after and figure out.
So, simplicity and automation are the key. Resist the temptation to make things sophisticated and complicated in security.