The million-dollar security question that has been discussed to death in recent years is: why, despite the constantly evolving market of sophisticated cybersecurity solutions and ever-increasing investments in security by businesses, the number of successful cyberattacks does not seem to be decreasing? In fact, the scale and cost of an average breach only grows each year.
The answer to this question is actually quite trivial: people making executive decisions about investments in cybersecurity do not know or care much about it. Typically, this leads either to tragically understaffed and overworked security teams or, even worse, to the proliferation of the “cargo cult of cybersecurity”, in which a security solution gets purchased but is never properly deployed, operated, or monitored afterward. This is especially true for public clouds, where many customers are still struggling with the notion of the “shared responsibility model”. Yes, cloud service providers usually have much more sophisticated tools and better qualified experts on their security teams, but they are not responsible for securing your applications or data – it is still entirely your problem as a customer.
What can be done to break this vicious cycle? Well, the best approach would be to redesign your business processes entirely to make them more resilient to cyberattacks. If you do not collect sensitive information about your customers, it won’t be leaked by a hacker. If you enforce the Zero Trust model across your networks, the chances of a ransomware attack will be substantially reduced. A somewhat less radical solution would be to outsource your cybersecurity to a third party, making it their concern. This works really well in certain scenarios, such as processing credit card transactions. In a broader sense, however, employing a managed security service provider can be quite costly and still won’t guarantee anything (people still make mistakes, after all).
Would AI perhaps improve the situation? This remains to be seen – we already know that AI solutions are creating their own, entirely new kinds of cybersecurity risks. In any case, the worst enemy of security is complexity. Reducing the overall complexity of your IT infrastructure, and consequently simplifying and consolidating the security controls needed to protect it, should therefore be a primary strategic goal of every digital business. Unification of technology stacks across environments, strict and consistent enforcement of declarative security policies, and intelligent automation of security operations are major factors in achieving this goal.
Choosing the right cloud provider that can help with it is an important first step on that journey. And it doesn’t have to be one of the “big three” – today, let’s take a look at another contender, Oracle Cloud Infrastructure. Being a latecomer to the cloud service market, Oracle had an opportunity to learn from its predecessors’ mistakes and design its architecture differently in several ways.
Perhaps the most significant differentiator of OCI is its unified approach towards service delivery regardless of the offered cloud model. Whether served from the public cloud, a private Cloud@Customer deployment, a dedicated commercial or government region, a sovereign cloud compliant with local regulatory frameworks, or even offered by an Oracle partner using the Alloy platform, the services, data models, identity and security controls, and other aspects remain the same, as opposed to other providers that cannot deliver feature parity across their public and private offerings.
This alone dramatically reduces the overall complexity of hybrid deployments, and combined with the ability to provide consistent security controls across those environments, it simplifies protection against cyberthreats even further. Moreover, Oracle places a strong focus on “secure defaults”, meaning that customers do not have to make each decision themselves and can instead rely on best practices and controls that cannot be bypassed or deactivated accidentally.
Another important differentiator is maintaining an open ecosystem with not just partners and resellers, but also with third-party technology providers and even direct competitors. Again, as opposed to some other providers that keep their customers locked into their infrastructures with proprietary interfaces and large egress fees, Oracle strives to make its services available in other clouds and designs services around industry standards and open protocols.
Since Oracle Database services form a major part of the company’s cloud portfolio, it is unsurprising that the company invests heavily in data protection solutions – from multiple types of encryption and data masking to numerous data security controls. These include Oracle Data Safe, SQL Firewall, as well as more traditional tools like Audit Vault and Database Firewall. Oracle’s Autonomous Database service turns the database into a fully managed service that delegates all administrative, operational, and security controls to AI-powered automation, completely removing human mistakes as a risk factor.
Security Zones enable secure compartmentalization for customers’ resources and applications. All these controls are continuously updated and mapped across a multitude of compliance regulations for specific geographies and industries. Needless to say, these security controls are complemented by identity management, strong passwordless authentication methods (including FIDO2 and passkeys), and access governance tools, all with a high degree of automation as well.
Oracle Cloud Guard provides a centralized security management and monitoring hub that has evolved from security posture management towards a complete cloud-native workload protection, threat intelligence, and security analytics platform. More importantly, however, the entire OCI cloud infrastructure has been designed from scratch to incorporate security controls at every layer, from low-level network isolation to firewalls and encryption in transit. Currently, Oracle is working on implementing the industry-wide Zero Trust Packet Routing initiative across its infrastructure to provide a truly identity-aware, data-centric, self-enforcing network security architecture.