
Oracle’s cutting edge security solutions to stimulate cloud migration

10 Jun 2019

- Chief Corporate Architect Edward Screven details the company’s efforts to address cloud concerns

By Charindra Chandrasena

Last year, US tech giant Oracle commissioned technology sector researchers Paradoxes Inc. to field targeted research to understand perceptions of C-Suite executives, policy makers and the general public on the current state of cybersecurity. The survey sample consisted of 775 respondents based in the US, including 341 C-Suite executives, 110 government policy influencers and 324 members of the technologically-engaged public.

The survey revealed that both C-Suite executives and government policy influencers rank human error as the top cybersecurity risk for their organizations. As a result, the report found, they invest in training staff and hiring new people to improve security, instead of security-advancing technology such as new software, infrastructure, and artificial intelligence (AI) and machine learning (ML), even though these have the ability to significantly minimize or even eliminate human error.

Oracle’s Chief Corporate Architect Edward Screven finds this ironic. “On the one hand organisations say the source of their security issues is human error and to solve this problem let’s hire more humans. That doesn’t really make sense,” he told international media, including The Sunday Morning Business, at a forum held recently at Oracle Headquarters in San Francisco, USA.

He argues that what organisations need to secure their systems is more sophisticated technology and a shrinking of the attack surface. The attack surface of a software environment is the sum of the different points where an unauthorized user can try to enter data to or extract data from an environment. Keeping the attack surface as small as possible makes the job of the attacker much harder and is a basic security measure.

How does Oracle ensure a smaller attack surface? It stems from automation. In contrast to a customer environment, the operation of a cloud vendor’s data centre is nearly fully automated due to the heavy workloads and multiple servers it manages.
This automation obviously results in minimal human involvement, virtually eliminating the potential for human error. However, the other less obvious benefit automation offers is the far greater uniformity of hardware and software employed at the cloud data centre compared to a customer environment. This homogeneity in turn results in a smaller attack surface.

“We do not have to worry about nine different flavours of operating systems, three different kinds of hypervisors and 17 different types of vendors for switches. We have a very small attack surface that we can spend a lot of money on protecting. That is what customers need to do. They need to minimize their attack surface. Hiring more people to manage the same mess is not going to do it,” said Screven.

Dedicated and autonomous

He went on to detail the technology approach that Oracle adopts which differentiates it from other cloud vendors, which is the heightened security and privacy it provides customer data through isolation and access restriction.

“No server sitting in a rack at Oracle cloud data centres has a direct number connection to any other part of the network. Instead, it is connected to a security processor, a separate computer dedicated to that one application server that mediates all network access in and out of that box.”

Therefore, Screven explained, a customer who has concerns about cloud storage out of fear that Oracle, or an outsider, may access their data can rest assured that it is not just unlikely but impossible for the company, let alone a third party, to access the data due to this architectural safeguard.

Another unique aspect of the security promise of Oracle is contained in its pioneering Autonomous Database, which was introduced over a year ago. This is the world's first autonomous data management in the cloud to deliver automated patching, upgrades, and tuning without human intervention.
Therefore the security patches and upgrades take place with zero downtime, eliminating the dangers associated with customers delaying patching to convenient times to avoid system disruptions.

“One thing that is essential for security is patching right away. We knew that if we did not provide zero downtime patching customers would not want to patch because they want to keep their systems going,” said Screven.

He believes that these two elements, namely separating the in-application server from the security processor and zero downtime patching, are the fundamental aspects which set Oracle apart from other cloud vendors.

In fact, Screven said customers who are with other cloud vendors may be unwittingly taking on added risks due to the lack of a solution based on a 'bare-metal server' or a single-tenant physical server which is not shared between customers.

“If you are running an Oracle Cloud bare metal server you are not sharing that box with anyone else. You are not even sharing that box with Oracle software. Your code is the only thing running there. That just speaks of the importance of the architectural choices we make.”

The cost component

The computerization of offices around the world has resulted in a massive amount of data being generated every second which is also moved around quite often due to the network connectivity provided by mobile devices. For most companies and governments data is of paramount importance, which means there is tremendous incentive for rival businesses and governments to gain access to it, be it for commercial or geopolitical reasons. In fact, a Thomson Reuters study earlier this year found that private sector enterprises in diverse sectors – not just government and military organizations – are being increasingly targeted by states or state-sponsored entities in cyber-attacks.
These networks and computers which are constantly under threat are managed by IT professionals who face the daunting task of keeping highly sophisticated cyber attackers at bay, and one IT admin making a mistake could cause irreparable damage.

However, with a globally recognized cloud vendor such as Oracle, these organisations do not have to invest heavily in the recruitment of IT professionals and the expansion of IT teams to protect their data, which in any event would not provide the level of security offered by Oracle. Therefore, for cost conscious businesses and governmental bodies in Sri Lanka and elsewhere, cloud migration makes economic sense too.

“Attackers are numerous, well-funded and sophisticated. How can individual enterprises spend so much on labour to make their systems secure? It is just not possible. However, Oracle manages the data of tens of thousands of customers every day. We can definitely afford to spend enough to make those systems secure. It’s about economies of scale. We can build systems in ways customers can never dream of doing themselves,” Screven said.

The migration conundrum

In spite of all the above benefits, organisations have been somewhat sluggish in moving their data to the cloud the world over, and this is mainly down to two concerns. One is the belief that the transition would hurt continuity as the software and operating systems they deploy would not be compatible with the cloud. Oracle has an innovative solution to this issue.

“Customers question how they would go from where they are, which for large customers can mean hundreds of bespoke applications deployed on an incredibly heterogeneous environment, to running on cloud. That is why we have the bare metal solution. Apart from the obvious security benefit, another benefit is that you can run any piece of software, any operating system or any hypervisor on that server. That makes it much easier for our customers to pick up and move to Oracle Cloud,” noted Screven.
The second concern has to do with regulation. The sectors where cloud adoption is slower are usually those with perceived or real regulatory constraints, such as the banking and financial services industry. The most obvious example of laws and regulations on data protection is the General Data Protection Regulation 2016/679 (GDPR). The GDPR provides regulation on data protection and privacy for all individual citizens of the EU and the European Economic Area (EEA) and also addresses the export of personal data outside the EU and EEA areas. To address these regulatory issues, both in the EU and in other parts of the world, Oracle offers a hybrid model.

“Something we offer to help address these issues is called a ‘Cloud at Customer’. This is where we take a piece of our cloud and land it in somebody else’s data centre,” said Screven.

Therefore the Oracle database cloud is delivered securely on premises behind the customer’s firewall, allowing customers to stay in control of their data while Oracle delivers and manages the services based on how they want to operate via a flexible subscription model.

The most popular version of this hybrid model is Oracle Exadata Cloud at Customer, which combines the agility of the hybrid model with Exadata, a database machine designed by Oracle to provide users with optimised functionality. Exadata Cloud at Customer has been designed specifically for customers who want the ‘best of both worlds’, or cloud benefits without moving their databases to the public cloud, for whatever reasons including sovereignty laws, industry regulations, corporate policies, security requirements or network latency.

It is believed that most organisations, both government and private, will move their data to cloud data centres over the next decade. Therefore, the resources of the world which are concerned with protecting data will be concentrated in a smaller number of places.
With all these innovative solutions and novel approaches offered by Oracle, is the company confident about the future of cybersecurity and the protection of data against ever growing and ever enhancing threats? Screven believes that while protecting such vast amounts of data seems like a daunting prospect, it is a challenge the global tech industry, and Oracle in particular, is up to due to the nature of cloud environments. “The homogeneity that comes with cloud allows us to find technical solutions as we have in our cloud to provide a robust defence against these attackers. We can defend all this data. I am optimistic. The good guys are going to win.”

