Oracle on Tuesday said it plans to form an industry consortium to design a new open standard for network and data security that will help organizations better protect their data as they migrate to the cloud.
The issue of data security across the network as companies migrate to the cloud has become an important issue for Oracle because so many organizations have historically depended on Oracle databases, yet want to migrate to the cloud in a cost effective — and in a secure fashion. As many organizations can attest, migrating to the cloud can become complex and more expensive than IT staffs anticipated.
To support this new initiative, Oracle plans to release the Oracle Zero-Trust Packet Routing Platform based on the new standard. The new zero-trust platform aims to help organizations prevent unauthorized access or use of their data without adding extra hurdles for legitimate activities. Oracle will collaborate with Applied Invention, other major technology providers, and other leading organizations from across industries, including global consultant Nomura Research Institute.
“Organizations need a way to describe their data security policies in one place where they can be easily understood and audited, and they need a way to ensure those policies are enforced across their entire computing infrastructure, including their clouds,” said Mahesh Thiagarajan, executive vice president, security and developer platforms, Oracle Cloud Infrastructure.
Writing cloud-specific policies requires expertise and knowledge of hundreds — if not thousands — of lines of policies, said Thiagarajan, adding that one of the core tenets of the Zero-Trust Packet Routing Platform is to make security policies easier to read and enforceable.
Dave McCarthy, research vice president for cloud and edge infrastructure services at IDC, explained that when designing a secure cybersecurity system, the more checkpoints and restrictions the organization puts in place, the safer the data stored in that system.
“The tradeoff is that those restrictions can cause major inefficiencies as they often create time-consuming obstacles for users with a legitimate need to access and manipulate data,” said McCarthy. “The new standard Oracle is helping develop has the potential to change all of that by adding a unified layer of security on top of existing solutions. Building data protection policies into the network itself will help users get the access they need while ensuring the data remains secure behind the scenes.”
John Bambenek, principal threat hunter at Netenrich, added that Oracle’s move attempts to solve an enterprise problem in which there are strict guidelines on who can access what. Applying this to the network level greatly reduces the scope of exploits, misuse, and accidents, said Bambenek.
“It’s best to take a new view on protecting data to where it actually is and putting network controls around that,” said Bambenek. “Ever since we have left the on-premises world, we are struggling to keep up with how to secure cloud environments, and this framework provides both the tools to controlling access, and the ability to generate logs and telemetry, that allow for data analytics and behavioral analytics to find misuse by authorized users. The problem is that it caters to only the most sophisticated enterprises that have the time, tooling, and staffing to operate the complexity of rules in an infrastructure that this would require.”
Claude Mandy, chief evangelist, data security at Symmetry Systems, said Oracle aims to wrap a common language to describe how these security and networking policies are enforced, regardless of the location of the data in a cloud environment. Fixing the problem of scale and complexity is not simple, but starts with visibility: Mandy said organizations need to produce an accurate up-to-date view of the sensitivity of data, the access permissions to it down to the individual data object level and an understanding of the flow of data across the clouds.
“We are, of course, supportive of any industrywide initiative that makes it easier for organizations and customers to improve their data security posture holistically across the hybrid cloud, and reduce unauthorized data leakage,” said Mandy. “But, until other major cloud service providers agree on the same standard and take active steps to standardize, initiatives are most likely to result in simply another standard.”
