How Oracle Cloud Customers Can Turn GDPR and CCPA Into a Business Advantage


Saswata Basu

CEO AND FOUNDER OF 0CHAIN

Enterprises face data protection and privacy liability issues based on new General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) regulations, which carry fines of up to $25M. Both regulations empower consumers with key data protection rights, including knowing how their data is being used, a right to access, and a right to opt-out of having their data sold to third parties. In light of these new protections, a staggering €500M has been fined since GDPR enforcement began in mid-2018. This problem is growing, and enterprises need a simple, automated solution.

Current Solutions

Today, several software management solutions have designed workflows to manage compliance, such as awareness, data mapping, consumer request fulfillment, cookie management, vendor risk, and incidence reports. These great tools help manage the requirement and avert fines. However, these processes typically require several people to manage the effort and are difficult to scale when customer requests and deletion rates grow exponentially. Fundamentally, the customer does not achieve real privacy and transparency, and the company is still liable for privacy breaches, regardless of compliance requirements.

A New Approach

For organizations to truly solve the privacy issue and achieve zero-liability, they must give full ownership and control of data to the customer and provide transparency of data activities. The following architecture allows you to own a storage allocation on a trusted platform to upload their data, and then share an encrypted link to the company. The business then uses this auth token to download a copy for their application, without any change to their current IT processes. In this three-step process, where you have the following capabilities:

  • Owning data and can upload, updated, delete encrypted data.
  • Sharing the authentication token to the company.
  • Allowing the company to download their data.
A graphic depicting the three-step architecture for user storage, allocation, and sharing of encrypted data.

This simple three-step process is recorded and displayed transparently to customers, without the need for complex processes that can’t scale with customer requests for access and deletion of their data. The responsibility lies with the customer, and not the company.

Shifting Liability

With user ownership, control of data, and a transparent process of securely sharing it to the company, the onus of privacy protection lies with the customer. For the hacker, it’s difficult to attack a lot of customers, because they would need to steal keys individually.

With the liability shifted to you, organizations must ensure that the data is well protected, that all activities are recorded on the ledger, and prevent any potential for breach.

Preventing Breach

Copies are inherently vulnerable because a hacker needs to attack only the most vulnerable server to get access to all customer data. One approach to prevent this attack mode is to split the data into multiple servers with different keys. Now, the attacker needs all the keys to get access. The implementation of this architecture is fairly simple as the server access keys can be distributed among teams and individuals within the organization.

A graphic depicting the separation of server access keys.

The Business Advantage

0Chain is deployable directly from Oracle Cloud Marketplace. It provides automation, liability and breach protection, immutability, transparency, and a trusted platform for the Oracle Cloud Infrastructure customers to not only abide by GDPR and CCPA regulations, but also use them to their business advantage. With 0Chain, organizations can brand themselves as a leader in privacy, gain higher usage, add revenue, and differentiate their products in the market.

You can deploy 0Chain on-premises, through cloud, or in hybrid environments. The user interface automatically creates a key and allocation and stores the key based on your password. So, only you can access you key and data. This key is registered on the platform’s blockchain and any action of uploading a new file (such as a post, image, or video), updating an existing file (such as user profile data), and deleting them are recorded on the ledger.

The files are automatically shared to the business through an auth token. So, only the business can decrypt and use it for their operations. Each time the company uses customer data, they need to make a note of the metadata on the blockchain, creating a transparent audit trail for you to instantly visualize it and have complete trust in the organization. The company can handle this process as a parallel batch operation offline, without the need to block existing inline data used by the company for their daily business activities.

Migrating customer data to this trusted platform requires a simple, phased approach. In the first phase, only new data is sent to the platform. In the second phase, older data is migrated. In subsequent phases, granular datasets can be implemented to have a higher level of precision permission settings that the company can offer the customer, perhaps with a fee to cover for development costs.

FAQ

  • How do you achieve zero liability?
    Since you own and controls the data, the company is not liable. You provide explicit permission through signed transactions, which can’t be disputed since their action is recorded on the blockchain and is immutable—something that a company can’t go back and change in their database records.
  • How do you make breach impossible?
    Since the file is split into multiple servers, a hacker needs to have keys to all of them to gain access. This configurable feature, with each server split, makes it more difficult to get hold of the keys, as long as they’re distributed across individuals and teams.
  • Does 0Chain replace the current privacy software tools?
    No. 0Chain helps you protect your data better and shift liability back to you. It can handle billions of customer privacy requests and provides instant compliance reports from ledger transactions, using integrated search tool for specific files, users, and activities that anyone can access. Through these efforts, 0Chain provides an open, trusted compliance platform.
  • How do you ensure that the enterprise aligns with your consented dataset?
    Whenever a dataset is used by the enterprise, they send a signed transaction with the metadata of the content to record the activity. If the company misuses the dataset, you can mount a challenge based on the exposed data and the consent that’s recorded in the ledger.

Want to Know More?

To learn more, visit our website and trial our product for free through Oracle Cloud Marketplace.

Original em: https://blogs.oracle.com/cloud-infrastructure/how-oracle-cloud-customers-can-turn-gdpr-and-ccpa-into-a-business-advantage

How Oracle is Helping You Maintain a Strong Security Posture in the Cloud


Paul Toal

DISTINGUISHED SOLUTION ENGINEER – CYBER SECURITY

This is a syndicated post, view the original post here

So, you’ve just signed up to a shiny new cloud provider. It’s exciting when you realise that you not only have an almost unlimited supply of Infrastructure-as-a-Service (IaaS) at your fingertips, but you also have a plethora of various platform services just waiting for you to use. However, before you get carried away spinning up compute and uploading your files into storage, you need to realise that you have a shared responsibility for security, as shown in Figure 1.

Figure 1 – Security is not just the job of the Cloud Service Provider

Sure, the Cloud Service Provider (CSP) has a set of security responsibilities, but so do you. At a minimum, irrespective of whether you are using Software, Platform, or Infrastructure as-a-service, you will always be responsible for your data, your users, and to some extent, your configuration. As you move away from SaaS towards IaaS, your responsibilities grow as you become responsible for software, operating systems, patching etc.

It seems that, whilst we have talked for a long time as an industry about the cloud security shared responsibility model, there is still plenty of confusion out there. The two statistics in Figure 1 come from the Oracle and KPMG Cloud Threat Report 2019, and reviewing the figures from the recently released report for 2020, the situation isn’t any better. Only 8% of this year’s respondents stated that they fully understand the cloud security shared responsibility model. I’ve discussed this topic before when looking at how “Security must be easier and not just for the experts”.

In this article, I want to look at Cloud Security Posture Management (CSPM) and some of the use cases that come to mind, as well as those that I am hearing from customers. I’ll discuss a number of use cases, why they are important, and how Oracle Cloud Infrastructure (OCI) is helping you to meet and address your shared responsibilities. So, if you are ready, let’s get started.

Before we can look at use cases, we need to understand what we mean by Cloud Security Posture Management. Simply put, it is looking at how you ensure that your cloud environment is configured in a secure manner, that it remains secure over time, and that configuration changes or activities don’t weaken that posture. Gaining that secure position, never mind maintaining it can be difficult, due to a number of factors, including:

  1. Larger exposure due to incredible rate of growth of cloud resources
  2. More Cloud services mean more complexity and more settings to manage
  3. Fewer experts caused by a large IT security skills shortage

Let’s examine some use cases that we need to address with CSPM and then we’ll discuss how Oracle can help you to meet your security responsibilities in this area.

Use Case 1 – Data exposure through public buckets

No doubt you will have seen plenty of data breach stories in the media where sensitive data was found on object storage buckets that had public visibility. There may be valid use cases where a bucket should be public, however this should be on a very tightly controlled exception basis.

In OCI, it’s difficult to create a public object storage bucket by mistake. First you create the bucket, then you change its visibility to make it public.

This may be an intentional change in visibility of the bucket, but this also could have been a temporary change, such as for debugging or testing.

While the bucket is public and if it contains sensitive data, you are at risk of a data breach. The attacker just needs to find the bucket on the internet, and believe me, there are plenty of people looking for them.

Use Case 2 – Ensuring only approved OS types and versions are used for compute
Another common use case is looking at the images that should be used when creating new compute instances. OCI provides a wide variety of images that can be used, including:

  • Platform images, e.g. Windows Server, Ubuntu, Linux etc.
  • Oracle Images, e.g. E-Business Suite, Enterprise Manager etc.
  • Partner Images, e.g. Next generation firewalls, GPU machines etc.

You can also bring your own images as well as using existing boot volumes. Now, imagine you have a standard, approved OS type that your compute instances must be built with, or you have a custom image that you want to ensure is used as a gold build for all instances. This image may have your corporate standard IT tools on it such as anti-virus, and corporately approved packages. It may also have a number of services removed or hardening policies applied.

As part of enforcing your security policy, you need to ensure that all compute instances are using the approved OS types and versions, or are using your gold build images.

This means you need to identify any compute instances that don’t use the approved images. Furthermore, you may also want to automatically shutdown any instances violating that policy, or even terminate them. In some cases, you may also disable the account of the administrator who is creating these non-approved compute instances.

Use Case 3 – Adding internet-based routes to your Virtual Cloud Network
The next use case is addressing network access to your cloud environment. One common design pattern for cloud deployments is as an expansion to your existing data centre. In these cases, it is common for a VPN or private connection (called FastConnect in OCI) to be deployed between your data centre and your cloud environment. All access to those cloud services are directed down this connection and there is no direct access over the internet.

Now, let’s take the scenario where a network administrator makes a change to your virtual cloud network (VCN). They add an internet gateway and change the routing rules for this new gateway. In our use case here, neither of those actions should be performed on this particular VCN. It might be that the administrator has changed the wrong VCN by mistake, or it could be something more nefarious. Either way, the change needs to be identified quickly and fixed to ensure that any the security risk is minimised.

Use Case 4 – Key Rotation
For our final use case, let’s think about key management. Cryptographic keys are used in lots of places, whether as the basis for in-transit encryption, or for encryption at rest. Many organisations have IT security policies governing the lifecycle and use of keys, including how often keys must be changed.

Within OCI, Oracle will manage keys for you where you have no policy stipulating that you must manage your own. Any time you create a storage device (e.g. object storage bucket, boot volume, block volume, file storage), then it will be encrypted with an Oracle-managed key. However, we also provide you the ability to manage your own keys, through OCI Vault, a service backed by highly-available FIPS 140-2 Level 3 Hardware Security Modules (HSMs).

If you do choose to manage your own keys, you will likely need to rotate them periodically to ensure the amount of data encrypted by any one key is not too great.

Therefore, being able to identify keys that you manage that haven’t been rotated in-line with your security policy is important. Even better would be automatically rotating those keys to help ensure you’re meeting all of your regulatory compliance needs and industry best practices.

Now, we’ve talked about a number of use cases, we understand the problem. So, how is Oracle helping in this area?

Back at Oracle OpenWorld 2019, our vision for OCI security was announced and it was focused on making security easier, more automated, and always-on. To deliver that vision, a number of capabilities were announced including Oracle Cloud Guard. Some of the key design principles of Cloud Guard include:

One of the most interesting design principles is our use of Embedded Expertise. What this means is that Oracle knows OCI best. We know what security controls are available and how best to apply them at scale. We also know what problems to look for and how to apply security features to mitigate those problems. By applying all of our own embedded expertise we are taking the burden away from you and removing the need for you to build all of these policies yourself.

Let’s take one of our use cases above as an example and look at how Cloud Guard would address a security risk such as a public bucket.

Within Cloud Guard, Oracle uses our own embedded expertise to create out-of-the-box rules to identify common problems, including, in this case, the detection of any buckets that are public. Of course, you can tune the rules to add various conditions. For example, in this particular rule, we can tune it to exclude any buckets that are authorised to be public.

In my scenario, I have created two buckets and made them both public. As my very inventive names suggests, one of my buckets is allowed to be public and therefore shouldn’t trigger any alerts.

Within Cloud Guard I am using the out-of-the-box rules but have tuned the detector rule for public bucket detection to exclude the bucket named authorised-public-bucket.

Now, Cloud Guard will identify any issues it finds within OCI as Problem, but we can see that in this scenario, it only identifies the unauthorised-public-bucket as a Problem.

Note also, how Cloud Guard also recognised that we are using the default, Oracle-managed keys for the encryption of these buckets rather than our own customer-managed keys through OCI-Vault.

If configured to do so, Cloud Guard can automatically remediate the problem, in this case, by changing the bucket back to private, which is has done here.

It can also send notifications. In my case, I am sending all Critical notifications to Slack, and all non-critical notifications to email. However, I could just as easily send them to PagerDuty, a custom HTTPs URL, or even call a serverless function using OCI functions ( by writing a function using the opensource fn project):

As you can see, Cloud Guard has not only identified a problem with my object storage buckets, but it has informed me about it as well as provided, automated closed-loop remediation to remove the security risk.

Cloud Guard is currently in Limited Availability, due to be released later this year. Therefore, don’t forget to refer to Oracle’s Safe Harbor statement below:

The preceding is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, timing, and pricing of any features or functionality described for Oracle’s products may change and remains at the sole discretion of Oracle Corporation.

Original em: https://blogs.oracle.com/cloud-infrastructure/how-oracle-is-helping-you-maintain-a-strong-security-posture-in-the-cloud-v2