Turn your security inside out for added agility, says Oracle

"What we see is organisations fundamentally failing in their security because what they're trying to do is to hold the wall, and the wall doesn't exist any more. We've moved stuff out into the cloud, we've moved stuff out into tablets and put it out into the wide world, but the wall doesn't exist," says John Vine Hall, Oracle's security solutions director for Australia and New Zealand.

The idea that perimeter defences are no longer the answer to information security questions shouldn't be news to anyone paying the least bit of attention to the trends. The answer isn't data leakage prevention (DLP) solutions either, Vine Hall told CSO Online, although DLP is presumably still an important tool to help spot suspicious patterns of data movement.

Oracle is instead promoting the concept of "security inside out" — that an information security strategy should start with an understanding and classification of the organisation's data and its uses, that policies should be written to reflect who can access which data under what circumstances, and that defences should then be built around those policies using the tools available in the database software itself.

One of Vine Hall's examples is medical data.

A data-centric security policy could specify that a clinician's tablet could access and display a single full patient record while accessing the database via the hospital's internal wireless network, but only a subset of the data when accessing from elsewhere. Administration staff could view contact and billing information, not the clinician's notes, and medical researchers wanting to download larger datasets for analysis could only access suitably anonymised records.
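The medical-data policy above, sketched as decision logic. This is an added example, not code from Oracle or from the article. The column names, the off-site subset, the research fields and the key are assumptions, and in the model the article describes the enforcement would sit in the database layer rather than in application code.

```python
import hashlib
import hmac

# Constructed column classification: the article names categories, not columns.
CONTACT = {"patient_id", "name", "phone"}
BILLING = {"billing_account"}
CLINICAL = {"diagnosis", "clinician_notes"}
OFFSITE_SUBSET = {"patient_id", "name", "diagnosis"}  # assumed off-site subset
RESEARCH = {"diagnosis"}                              # assumed anonymised fields
PSEUDONYM_KEY = b"constructed-demo-key"               # placeholder, not a real key

def allowed_fields(role, network, count):
    """Fields the policy releases for this request; empty set means deny."""
    if role == "clinician" and count == 1:  # one record at a time
        full = CONTACT | BILLING | CLINICAL
        return full if network == "internal" else OFFSITE_SUBSET
    if role == "admin":
        return CONTACT | BILLING  # never the clinician's notes
    if role == "researcher":
        return RESEARCH  # bulk allowed, but only de-identified columns
    return set()  # default deny: unknown role or clinician bulk pull

def pseudonym(patient_id):
    """Keyed hash so research rows link per patient without exposing the ID."""
    digest = hmac.new(PSEUDONYM_KEY, patient_id.encode(), hashlib.sha256)
    return digest.hexdigest()[:16]

def release(records, role, network):
    """Apply the policy to the rows before they leave the data layer."""
    fields = allowed_fields(role, network, len(records))
    if not fields:
        raise PermissionError(f"{role} on {network}: request denied")
    views = []
    for rec in records:
        view = {k: v for k, v in rec.items() if k in fields}
        if role == "researcher":
            view["subject"] = pseudonym(rec["patient_id"])
        views.append(view)
    return views

# Constructed sample rows.
ROWS = [
    {"patient_id": "P-1001", "name": "A. Example", "phone": "555-0100",
     "billing_account": "B-77", "diagnosis": "asthma", "clinician_notes": "n1"},
    {"patient_id": "P-1002", "name": "B. Example", "phone": "555-0101",
     "billing_account": "B-78", "diagnosis": "asthma", "clinician_notes": "n2"},
]
```

The channel only changes how much is released. The default is to deny, so a new role or access path gets nothing until the policy names it.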

Vine Hall says that a data-centric policy can help reduce the sense that the security team is holding back innovation, and reduce the temptation for other departments to pull out a credit card and deploy their own cloud-based solutions outside the organisation's security policies.

"The reason why the data breaches occur around that, and the pressure occurs around that, is 'How do I bring a new product to market rapidly now, because the business needs it?'," he said.

"If the data has a fundamental security awareness in terms of how you present that information, then we can be less concerned about the channel, and more concerned about the data, because it's presented in a way that's already secure before we start consuming it. That's where security inside out actually is a value proposition as well as a security model, because it means you can be more agile but do it in a way that is secure."

Vine Hall says Oracle's security inside out model can also help solve many of the issues raised by using third-party or public cloud services, including data sovereignty and contractual issues.

"By putting security in layers, and having context around the security as it goes through, you can be a lot more agile about taking pieces and moving them to the cloud or moving them to some other channel without the whole thing breaking," he said.

"If you just had an encryption layer below it, so when I hand you my Oracle database ... and encrypt the data before I give it to you, then I don't really care whether your system administrator is a good person or a bad person, because it's all encrypted. Sure, the NSA can go and crack it, but for the most part I'm protected."
