January 30, 2019

Cloud Security: Not All Cloud Providers Are Created Equal!

Dennis Jolluck

Dennis Jolluck
Vice President - Applications Development & Field Product Management - Latin America Division/Oracle

Share This Post

"Now I am seeing that every single CIO and every single CEO has to have a certain level of knowledge about “security” and how it affects their business. This is no longer a function for only IT to worry about."


As Product Manager for Oracle’s Cloud Applications in Latin America, I have the opportunity to meet with many customers who want guidance in migrating to the Cloud. At the same time, I can almost anticipate their next question and visualize a “partially cloudy” bubble above their head: “How does Oracle address Security in the Cloud?”

All you have to mention is Equifax and we all feel quite vulnerable. No one feels quite safe!  According to Richard Bejtlich, the Chief Security Strategist for FireEye, Inc.:  “the amount of time a ‘bad guy’ (e.g. hacker) spends in your enterprise before somebody notices – is a median of 209 days.  And two/thirds of the time, somebody else notifies you of the breach…which is usually the FBI!”  One analyst estimates that more than 50% of Fortune 1000 firms experience an annual breach of 1,000 to 100,0000 confidential records, including records of their employees.  

Did you know that during 2015, a third of the new hacking tools discovered by security researchers at Hewlett-Packard Co. relied on exploiting a flaw in MS Windows that was discovered in 2010!!! Many organizations do not update their software as quickly as needed to protect themselves. Based on another Hewlett-Packard report sponsored with the Pomenon Institute entitled: “2015 Cost of Cyber Crime Study: Global” where 252 companies were surveyed and interviewed:

  • It was determined that 1,928 total attacks were identified and the ensued costs analyzed;
  • The average annualized cost was estimated at $7.7M (Almost a 2% increase over 2014);
  • However, small organizations incurred a significantly higher per capita cost than larger enterprise organizations ($1,388 vs. $431); and
  • Cyber attacks can get very costly if not resolved quickly. The mean number of days to resolve an attack is 46 days with a daily cost of $21K and a total cost of $973K over the period. 

During 2016, there was something like 317 million new pieces of malicious code or malware. Almost 1 million a day, which is alarming. As well, according to a 2016 Gartner Study, building managers are not addressing "Internet of Things" threats.  According to the survey:

  • 78% do not know about cybersecurity issues related to building automation systems.
  • 46% do not monitor their systems for cyber-attacks.
  • 45% do not collaborate with their IT departments to implement security measures.  
  • 71% have not taken measures to improve cyber-security.

There are many enterprise internal technology services today that lack resources, rigor or efficiencies to monitor their security on a 24/7 basis.

Over the years, personally, I have never invested a lot of time in the aspect of “security”. I just took it for granted. But that has changed, both personally (since my credit cards have been hacked, which changed the way I manage my passwords…..uppercase, lowercase, alpha-numeric, special characters) and professionally with the move to the “Cloud”. Now I am seeing that every single CIO and every single CEO has to have a certain level of knowledge about “security” and how it affects their business. This is no longer a function for only IT to worry about. This topic has moved to the Board Room level. Enterprises must have a plan.  And that includes alignment of all departments operating from the same agenda: the Board, Senior Management, the Security staff, IT, Legal, Public Relations and Communications.

Please keep in mind that not all cloud providers are equal in the security services they provide. As a first step, an enterprise needs to know their requirements and map them to a provider’s capabilities to minimize the risk as well as address any regulatory needs. In some cases, business will take into account 24/7 global support, data jurisdiction, cross-border data transfer, data location and the privacy regulations of where they are doing business.  “Privacy” and “Security” are absolutely linked! 

So when evaluating cloud providers in your move to the Cloud, there are a number of criteria you may want to consider:


Transparency of the Cloud Provider


The customer must have a clear understanding of the provider’s commitment to security, as well what responsibilities the customer retains. The vendor must be clear about what controls are in place, where the data resides, and who is managing the underlying technologies. Also, are there any third parties involved?  Is the provider outsourcing any responsibilities?  Some other important questions are:

  • Does the provider have an accountable security officer? Can you directly engage this individual?
  • Are independent audits done of the provider’s security controls?
  • Does the provider offer service options in addressing regulated data?
  • Can you have a realtime conversation or is the communication primarily chat, email?

These questions will measure the maturity and experience of the cloud provider.


Data Center Operations


A global cloud vendor should have state-of-the-art physical data center protection, as well as logical data security, and data privacy protection policies in place. As well, look for proactive security engagement and monitoring as well as leading-edge disaster recovery plans. 

Check if your cloud provider operates “embassy-grade” (e.g. exceeds the most stringent international embassy and military-grade security and force protection requirement) Cloud data centers with highly redundant infrastructures and at least 99.5 percent availability.


Risk Mitigation/Unified Access Controls


The Enterprise must understand what steps the Cloud Provider is taking to mitigate risk surrounding its service offerings. A key risk to consider is managing “end-user access”. Typically this is user provisioning permissions to view and change data. However, complexity arises when an employee leaves the company and access must be revoked.   This is easily done in an on-premise environment through the company’s internal directory server. However, if this directory is not integrated with your Cloud Services, the employee may still have access, which could be detrimental to your organization. Single Sign-on (SSO) is one solution to this problem, so you can revoke access from a centralized database. But there is a down-side here.  Some companies prefer not to pass their credentials to 3rd parties in leveraging SSO. 

Check if your cloud provider can solve this problem through “Federated Identity Technology”, which provides all of the benefits with no downside.  This is just one example when reducing risk; the Cloud may offer a more robust solution that could be built in-house.

Role-based access control (RBAC) is another control to prevent unauthorized access to confidential requirements. Users see only data that’s related to their specific job-specific duties. Note:  RBAC is an approach to restricting system access to authorized users. It is used by the majority of enterprises with more than 500 employees, and can implement either mandatory access control (MAC) or discretionary access control (DAC) to prevent unauthorized access to confidential requirements.




For some enterprises, compliance is difficult to achieve on its’ own. So it becomes even more critical to choose a cloud provider who can demonstrate and deliver the service. Security Certifications are one way to do this and it’s an easy and objective way to compare providers.    

A few customers have asked me about industry certifications, such as the SSAE16, where the compliance details should be made transparent and available.  Another critical certification is ISO 27001/2 framework (Best Practices for Information Security Management).  Why?  This demonstrates that the cloud provider continually vet’s their solution by conducting network detection intrusion tests and other penetration tests to ensure they are always providing a secure solution to our customers (Note: Audit reports should also be available for customers).    


Data Privacy/Local Data Residency


Because of the increasing number of countries that specify where data can and cannot be stored, cloud providers must be in compliance with both industry and country data standards.  This is especially true for the Government and the Financial Service Industries, where data must be stored within its border for backup and recovery purposes.   

Cloud providers can address “Data Privacy” twofold:  (1) Establishing Data Centers in targeted countries so data is processed and stored within the given country.  And to take it one step further, (2) a handful of providers have the capability to offer a hybrid solution to address Customer data privacy. For example, the most sensitive Customer Data would reside in an on-premise environment inside the customer data center (or the provider’s local data center) and the non-sensitive Customer Data can be stored on a cloud solution. As a result, the sensitive data would always reside within a countries borders. At the same time, a Sales Cloud or Service Cloud solution would process the data in one of the global data centers offered by the vendor.


Secure Data Isolation


It’s obvious when you move to the Cloud, you want to leverage shared resources across all of your cloud Assets, at the lowest possible cost, but security is still a “critical” element. With the Oracle Cloud, you share the Hardware, you share the Middleware and you share the Application.  BUT YOU DO NOT SHARE YOUR DATABASE WITH OTHER CUSTOMERS. Secure data isolation ensures privacy and performance. More importantly, by having your own private database, the customer chooses the right time for upgrading and ensuring the “noisy neighbors syndrome” (e.g. refers to a rogue virtual machine that periodically monopolizes storage I/O resources to the performance detriment of all the other VM “tenants” in the environment) can’t affect performance. Lastly, some customers do not want to upgrade over a single designated weekend, which is enforced by the cloud vendor. Customers prefer choice and flexibility in executing the upgrade and "data isolation" facilitates the upgrade process.  


Data Loss Prevention (Advanced Data Security)/Vendor Encryption


Does your cloud provider also offer advanced security services, such as full data encryption whether the data is “at rest”, “on the wire” or “at work or in processing mode.” A virtual private network (VPN) is also an option for remote access. You may also want to consider stronger controls over data and administration access to prevent unauthorized viewing or sharing of customer information. For example, inquire about database vaults, VPN capabilities and Federated SSO.


Client-Side Data Encryption


Cloud users may also desire to transfer how the encryption is controlled from the vendor’s infrastructure protection to a data-centric protection, where the encryption keys are held by the client. Client-side encryption will remain protected regardless of who handles the data, how it is handled and where it is stored. The data is protected and remains individually encrypted until the user with the keys unlocks it. As a result, all encryption, decryption and “key” management are conducted on the clients’ computer (not the vendor’s). The clients’ data will be safe from the usual risks such as hacking, concerned service providers, rogue administrators and prying governments.


Breadth of Experience & Viability


Is the Cloud Provider viable? How long is the vendor’s track record with security in the cloud? What does their balance sheet look like? Can they demonstrate experience supporting very demanding industries, such as: Retail, Government, Healthcare and Financial Services.

To summarize, when choosing a cloud service provider, security capabilities are more than likely going to be your top criteria. Cloud providers are focused to provide better security than an individual company, and more particular in the SMB segment. Small organizations are unlikely to have the following:

  • Well trained and highly skilled professional security resources in-house;
  • The infrastructure may not be fully regulated and certified by independent bodies;
  • A backup plan for data loss; and,
  • The latest threat detection technology providing real time updates against hackers.  

Do not place your organization at risk with data loss, the impending regulatory financial penalties, loss of business and more importantly the reputational damage that will result by not taking action today. So when it’s time to make that transition to the Cloud, do your due diligence of your cloud providers, and make sure your security concerns are addressed for today’s fast paced and high risk digital world. 

Comments? You can contact me directly via my AdvisoryCloud profile.

Share This Post