"What we see is organisations fundamentally failing in their security because what they're trying to do is to hold the wall, and the wall doesn't exist any more. We've moved stuff out into the cloud, we've moved stuff out into tablets and put it out into the wide world, but the wall doesn't exist," says John Vine Hall, Oracle's security solutions director for Australia and New Zealand.
The idea that perimeter defences are no longer the answer to information security questions shouldn't be news to anyone paying the least bit attention to the trends. The answer isn't data leakage prevention (DLP) solutions either, Vine Hall told CSO Online, although DLP is presumably still an important tool to help spot suspicious patterns of data movement.
Oracle is instead promoting the concept of "security inside out" — that an information security strategy should start with an understanding and classification of the organisation's data and its uses, that policies should be written to reflect who can access which data under what circumstances, and that defences should then be built around those policies using the tools available in the database software itself.
One of Vine Hall's examples is medical data.
A data-centric security policy could specify that a clinician's tablet could access and display a single full patient record while accessing the database via the hospital's internal wireless network, but only a subset of the data when accessing from elsewhere. Administration staff could view contact and billing information, not the clinician's notes, and medical researchers wanting to download larger datasets for analysis could only access suitably anonymised records.
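As an added illustration of the hospital policy described above (example code written for this article, not Oracle's own product code; the roles, fields, network flag and patient records are all constructed for the example), the following Python expresses the three rules as a single policy function that decides which rows and columns each request may see, defaulting to deny:

```python
# Added example: a context-aware, data-centric access policy modelled on the
# hospital scenario. Field names and sample records are constructed; this is
# illustration only, not Oracle's own implementation.
from dataclasses import dataclass
from typing import Optional
import hashlib

# Constructed sample records (not real patient data).
RECORDS = [
    {"patient_id": "P-1001", "name": "Alice Example", "phone": "555-0100",
     "billing": "Plan A", "diagnosis": "asthma", "notes": "inhaler reviewed"},
    {"patient_id": "P-1002", "name": "Bob Sample", "phone": "555-0101",
     "billing": "Plan B", "diagnosis": "hypertension", "notes": "BP stable"},
]

CONTACT_BILLING = {"patient_id", "name", "phone", "billing"}   # admin staff
CLINICAL_REMOTE = {"patient_id", "diagnosis"}                   # clinician off-network
CLINICAL_FULL = set(RECORDS[0])                                 # clinician on internal Wi-Fi

@dataclass(frozen=True)
class Request:
    role: str                         # "clinician" | "admin" | "researcher"
    on_internal_net: bool             # context: hospital wireless or elsewhere
    patient_id: Optional[str] = None  # single-record lookup when set
    bulk: bool = False                # dataset download for analysis

def anonymise(rec):
    # Strip direct identifiers; keep a stable pseudonym so rows stay linkable.
    token = hashlib.sha256(rec["patient_id"].encode()).hexdigest()[:12]
    return {"pseudonym": token, "diagnosis": rec["diagnosis"]}

def authorise(req):
    """Return only the rows and columns the policy allows for this request."""
    if req.role == "clinician":
        if req.bulk or req.patient_id is None:
            return []                 # clinicians see one full record at a time
        cols = CLINICAL_FULL if req.on_internal_net else CLINICAL_REMOTE
        return [{k: r[k] for k in cols}
                for r in RECORDS if r["patient_id"] == req.patient_id]
    if req.role == "admin":           # contact and billing only, never notes
        rows = [r for r in RECORDS if req.patient_id in (None, r["patient_id"])]
        return [{k: r[k] for k in CONTACT_BILLING} for r in rows]
    if req.role == "researcher" and req.bulk:
        return [anonymise(r) for r in RECORDS]
    return []                         # default deny for anything else
```

The decision depends on the data's classification, the requester's role and the access context rather than on which network segment the client sits on, which is the point of the "inside out" model.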
Vine Hall says that a data-centric policy can help reduce the sense that the security team is holding back innovation, and reduce the temptation for other departments to pull out a credit card and deploy their own cloud-based solutions outside the organisation's security policies.
"The reason why the data breaches occur around that, and the pressure occurs around that, is 'How do I bring a new product to market rapidly now, because the business needs it?'," he said.
"If the data has a fundamental security awareness in terms of how you present that information, then we can be less concerned about the channel, and more concerned about the data, because it's presented in a way that's already secure before we start consuming it. That's where security inside out actually is a value proposition as well as a security model, because it means you can be more agile but do it in a way that is secure."
Vine Hall says Oracle's security inside out model can also help solve many of the issues raised by using third-party or public cloud services, including data sovereignty and contractual issues.
"By putting security in layers, and having context around, and having context around the security as it goes through, you can be a lot more agile about taking pieces and moving them to the cloud or moving them to some other channel without the whole thing breaking," he said.
"If you just had an encryption layer below it, so when I hand you my Oracle database ... and encrypt the data before I give it to you, then I don't really care whether your system administrator is a good person or a bad person, because it's all encrypted. Sure, the NSA can go and crack it, but for the most part I'm protected."