Oracle has shared tips for enterprise CIOs to handle security issues.
Sundar Ram, vice president – Technology Sales Consulting, Oracle, Asia Pacific, in an interview with InfotechLead.com, says enterprises are concerned that corporate cyber-attacks are growing in number and in sophistication. He says enterprise security is becoming a business concern.
The state-run Hindustan Petroleum Corporation (HPCL), TVS Motor and Aircel are some customers who have deployed security solutions from Oracle.
Tips to enterprise CIOs
Align business strategy with security strategy: CISOs should develop a clear understanding of the assets that are most strategically important to the business. Most will fall into broad categories: customer information, employee information, corporate financial information and intellectual property. If these assets are compromised, then the entire business is compromised and its value – to customers, partners and, ultimately, shareholders – decreases. One way to identify these assets and their level of vulnerability is to examine every touch point where this information is collected, shared or displayed throughout the organization, along with who inside or outside of the organization has access to the information. This knowledge will help CSOs better understand the risk and educate their C-level peers about the importance of aligning security investments with the greatest risks in language that the business leaders can understand.
Revamp processes and privileges: An inside-out approach requires getting a firm handle on user access privileges across applications and databases. While most threats are external, cyber criminals often exploit weaknesses in internal processes, such as lax password policies or single sign-on permissions. So ensure strong identity and access management parameters.
Design for scale: Inconsistency is the enemy of a comprehensive security policy. Decentralized policies make it difficult to react quickly to network attacks and propagate patches or security enhancements across the enterprise. Criminals will find the weakest points quickly – often faster than IT can react. The challenge is particularly acute in countries like India where perimeter security may not be as advanced as in more mature markets. The rise of mobile devices in the workplace makes the need for scale even greater. Mobile identity management policies that minimize or eliminate locally stored passwords – especially those stored in plain text – should be part of any mobile application deployment strategy.
On latest challenges and opportunities
The IT landscape is changing with the emergence of cloud, mobile, BYOD and the explosion of Big Data. These trends have also meant that IT today is more pervasive, and CIOs are facing interventions from other C-level executives who, to some extent, either understand the technology or, if not, are definitely aware of the benefits of these platforms. They are pushing for the adoption of technologies like BYOD, mobile and social at workplaces to increase efficiency, offer work flexibility and simplify business processes. But the security aspect of these new technologies is difficult for most people to understand.
CIOs not only need to better understand the risk associated with these new technologies, but also help the other C-level executives understand the criticality of protecting sensitive business information while adopting BYOD, mobile etc. They need to revamp processes and privileges and put in place strong access controls. For example, let’s take cloud. A significant number of companies are outsourcing core business functions like human resources, payroll, and corporate travel or employee benefits to public cloud. They need to put in place a system that provides secure access for employees to these services.
Many organizations also want to link their online portals and data centre applications with services offered by partners and customers to create business networks that improve efficiency and speed. So they need to authenticate access of core business applications as well as SaaS applications for external users such as partners, vendors, customers and so on.
In addition they have to provide controlled access to users who are using a myriad of different personal devices like tablets and smart phones to access and work with corporate data. Some of these users request that login be based on existing social network accounts, like Facebook or LinkedIn. A CIO thus needs to find ways to integrate support for mobile devices and for social logins as well into the company’s Identity and Access Management strategy and implementations.
On latest technology trends
According to an Oracle-sponsored CSO Market Pulse survey, the corporate answer to rising threat levels is to spend more on security. But bigger budgets alone have not increased CSOs’ confidence in delivering a highly secure enterprise. While 59 percent of respondents say their IT security budgets have increased during the past 12 months, only 23 percent say their organization has a superior strategy in place across all key aspects of data security.
Much of this investment is also reactive. Organizations are not considering long-term strategies to protect information assets, especially the most crucial one – the database. Most companies invest in perimeter and network defense because they believe database and application data are inherently safe as they lie deep within the firewall of the company. This is a dangerous assumption.
According to a 2012 Verizon report, servers were the largest category of compromised assets (64 percent) and database servers were the source of 94 percent of compromised records involved in security breaches. Network infrastructure, by comparison, accounted for less than 1 percent of compromised assets.
This is why Oracle propagates an ‘Inside-Out’ approach. Protecting data at the source increases confidence that security investments are aligned with the external and internal threats. Protecting data in the database would also save both time and money because most of the organization’s sensitive data resides in the database. As a result, an inside-out approach would achieve a higher return on security investments.
On Oracle customers and focus areas
India is an important market for Oracle’s Security solutions and we are focusing on sectors like Telecom, BFSI and the Government in the country. These sectors own extensive classified or confidential data and are more prone to security threats. They are also guided by strong regulatory compliances that mandate the enterprises to put in place a defense-in-depth, multi-layered security model that includes preventive, detective, and administrative controls that are aligned with the sensitivity of the data, its location, its environment, applicable regulations and business impact should the data be lost, stolen, or used for unauthorized purposes.
Hindustan Petroleum Corporation (HPCL), TVS Motor and Aircel are some customers who have deployed security solutions from Oracle.
Oracle Security products have helped banking and financial customers by implementing controls as required by PCI DSS Compliance and RBI Gopalakrishnan committee’s data security recommendations. Some customers have implemented backend transaction accountability among privileged users by implementing projects like Database Activity Monitoring (DAM) and privileged user controls.
Aircel has implemented Oracle’s Identity Management solutions. It has enabled the company to manage the end-to-end lifecycle of user identities across its various departments. The solution helped them realize significant cost savings by automating provisioning of user accounts, dramatically reducing help desk calls, streamlining compliance audit and reporting, consolidating identity silos and allowing rapid integration with enterprise applications.
On demands of enterprises
As mobility and the proliferation of BYOD find stronger adoption at the workplace, CIOs are faced with the challenge of protecting sensitive company information. So IT heads need to put in place security measures and company policies that ensure data privacy, authorized use of corporate applications and storage of corporate data on a personal device. They also need to ensure critical information is wiped clean remotely in case the device is stolen or the employee leaves the organization.
Many customers have outsourced their IT operations to third-party IT services organizations; therefore, data confidentiality, integrity and availability become even more important. To mitigate data security threats, customers are demanding controls at the database level so that security of sensitive data remains intact.
Customers also demand application-transparent solutions so that changes to application code can be avoided.
Rajani Baburajan
editor@infotechlead.com