Wednesday, 14 March 2018 00:00
Russ Lowenthal, Director of Product Management for Database Security at global giant and leader Oracle, whose focus is database encryption, access control, audit, and monitoring, was in Sri Lanka recently as part of an Asian markets visit to meet with customers and partners to understand their challenges and future needs.
Russ is based in Orlando, Florida, USA and has been with Oracle for over nineteen years. Leveraging close to thirty years of experience in IT including database, UNIX systems and network administration, he now advises Oracle’s customers on secure implementations of information systems technology.
Certified as an Information System Security Professional (CISSP), Information Systems Auditor (CISA), Information Systems Manager (CISM), Oracle Master (OCM), Microsoft Systems Engineer (MCSE) and Technical Trainer (CTT), Russ is highly qualified and experienced. The Daily FT met up with Russ to gain some key new insights into the challenge of cybersecurity at enterprise and national level and how Oracle is helping with innovative solutions. In this interview, Russ also shares a host of valuable recommendations for both companies and Government. Here are excerpts:
By Nisthar Cassim
Q: What brings you to Sri Lanka?
A: To meet clients and partners to get input from them on what they want Oracle to do as we develop new versions of our products. This is very valuable to my development organisation to bring back from real customers to real deployments as to what they need to better secure their enterprises. Here it has been a real opportunity to collect information that is going to shape the development of future Oracle products.
Q: Do you see that the requirements are different from country to country?
A: I do. They are different, often because of regulations. They are different often because of the business needs of the communities within a country. For example in Sri Lanka, you have a much higher concentration of financial services and third party service providers – those who are servicing customers in other markets. The general business drivers do tend to be either you’re responding to regulations or to threats and the way you combat a threat. This can be fairly problematic if you are going to encrypt data, control or monitor access to your data. That’s the same anywhere that you go but how you apply it and what you decide to do first differs from country to country.
Q: Is listening to customers and partners part of Oracle’s strategy when developing new products?
A: I think most of our product development works this way. I’ve been in Oracle for 19 years but I’ve always been data-based and certainly from that perspective we drive the majority of our product innovations based upon customer requirements. Obviously we do have some organic ideas but if you are going to develop enterprise software you need to develop what enterprises need. So who better to tell you that than the companies themselves?
Q: What are the specific issues you learnt during your interaction with the financial services industry, telecom and IT sectors, which are very concerned about security?
A: One of the big challenges I think not just here but globally is a shortage of trained cybersecurity talent. We need more people to operate the systems, people to maintain them and Sri Lanka is no different from anywhere else. So we’ve heard of a greater need for automation and the need for relieving humans of doing tasks and shifting to machine learning and Artificial Intelligence.
During our customer summit and partner summit we had a whole room of people focused on the security solutions and this was a really good session because it was not just from the customers telling us what they need, it was from the people implementing it telling us where the rough places are and how we can smooth things out. It was also our opportunity to talk about where these implementers and system integrators could better utilise the capabilities of the software that their customers already have to meet their business requirements. I think we have found a lot of areas where customers can leverage the existing investment in Oracle and solutions to do more with what they already own and that’s always a win-win situation for us and our customers.
Q: What do you foresee as challenges in the security domain for enterprises? Is the challenge growing to be more complex when managing security?
A: Absolutely. In fact if I were to write a book about it, that would be my opening paragraph. It’s not going to get any easier and it’s not going to be any less of a problem. The problems are going to continue to grow.
There is a large and growing community of thieves whose daily job is to break into your system and steal your data. These people are going to continue doing this because they are continuing to make money doing this and as long as there is profit to be made there is going to be someone who seeks that profit. And our job as custodians of data is to counter these thieves who are trying to steal data. The tools that hackers use continue to become more sophisticated and therefore our tools that we use to protect the data have to continue to become more sophisticated and have to get better all the time. I don’t love this analogy but it is like an arms race. You have one side that keeps building up their weapons and the other side does the same. Hopefully it’s us who wins.
Q: In the ladder of risk that companies are facing, is cybersecurity overall on the top?
A: My viewpoint here is illuminated by my own focus. In my viewpoint cybersecurity is the number one risk. In terms of business market it’s probably not number one because profitability, resource shortages may be at the top but if you look at cybersecurity as a business risk, the level of risk continues to grow and you have the risk of data theft which means the Intellectual Property walks out of the door or more potential customers walk out of the door. You have the risk of regulatory fines which is really growing especially as when European regulations – the General Data Protection Regulation (GDPR) and you have an increased risk of profit seeking lawsuits. We are seeing this globally, where people who allege they have been harmed by a data breach are seeking legal means to win compensation. I think it’s going to continue to grow as a business risk.
Q: What’s your understanding about this part of the world, Asia in particular; is it happening the same way and are lawsuits coming up?
A: I don’t believe so. I’ve not seen the same level of lawsuits, partially because the legal system in Asia is a little bit more rational in terms of personal responsibility. I think perhaps some countries have gone a little overboard in terms of trying to relieve the individual of any responsibility of their own actions. But remember we were talking about differences in the Sri Lankan economy and the third party service providers. If I am a provider of services to a company in France and someone sues the company in France and also sues the company in Sri Lanka, then all of a sudden we will see Sri Lankan companies seeing cybersecurity as a global risk in addition to a local issue.
Q: What’s your advice to enterprises on how to approach these risks?
A: I think when you approach any business risk you need to look at the risks, you need to look at what is the potential cost of the risks and what are the costs of controls to counter compensation if there are breaches. In terms of data risk, the protection is actually fairly very simple to implement. The controls have become fairly mature and I think if you hold data for example in an Oracle database and you have not taken steps to control access to that data, then this is really the time to do it. Because if you don’t, I can guarantee that someone is going to steal that data.
Q: Do you feel that data theft is the most growing risk at present?
A: I think that data theft gets the most attention and from a commercial risk we tend to focus on that. Globally I think the use of information by nation states may be a more serious issue. But it doesn’t receive the same amount of attention perhaps because a company is not losing money. Instead the country is losing competitive advantage by losing the ability to compete with some other countries. My employment prior to work with Oracle was within the military sector, and I think nation state activity in terms of cybersecurity is not a visible concern but it is an important one.
Q: We have certain enterprises such as the banks, software development and knowledge process outsourcing companies and high value exporters to the West who may be more vulnerable to cybersecurity infringements. How responsive are they?
A: Yes we have as our customers a host of such companies who make a significant contribution to the Sri Lankan economy in terms of employment and foreign exchange earnings. But when they do this they operate in a risk environment that is global itself. So if I am an exporter, I need to be familiar with data protection rules in Europe, North or South America to ensure the right cybersecurity strategy. So when you look at the cybersecurity picture you can’t just look at Sri Lanka you have to look at what Sri Lankan companies are doing around the world. You provide products or services to countries globally bigger than your country and population. Therefore these factors should drive most of your cybersecurity needs and measures. We have seen several progressive Sri Lankan companies doing the right thing to protect their data and enterprises.
Q: So what you’re stressing is that for companies which have business and customers globally, it makes it paramount to focus on cyber security?
A: Absolutely, because without that they lose their competitive advantage, lose their ability to operate in the global market place.
Q: Given the growing concern and interest on cybersecurity among customers, is Oracle stepping up its own defences within and in terms of solutions to customers?
A: As a global company and to remain competitive we have to up our game. We do this in a number of ways. Internally we have to secure our own data, we are a third party service provider to the world, so we have to be very secure. We are also a provider of solutions to other people’s use. If you take my own group within Oracle, recently we released a new solution – the Database Security Assessment Tool – that allows any Oracle customer to quickly survey their databases and identify areas where they are not configured the way they should be, change their configurations, identify areas where they forgot to encrypt something that should have been and even simple things like password policies. This is such an area of importance that when we created this tool we chose not to charge for it because we believe that this is an entry requirement to the business world today.
If you are providing solutions, you have to provide your customers the ability to secure those solutions. The database security assessment tool may sound a boring name but it is a really great utility. I was very pleased that at my very first customer meeting in Sri Lanka the customer was looking at the database security assessment tool output and had already run it and was already developing plans to act upon the recommendations. When you come to a country and for the very first meeting the customer is using it, that is a pretty nice thing.
Oracle is also working on what is known as the “Autonomous Database Service” which is a response to customer needs around security. One can’t keep up with patches, you can’t keep everything locked down manually. Rather ideally it has to happen automatically and that is what the proposed Autonomous Database Service does for clients. It patches in the background automatically and you don’t see it happening as a customer or the customer doesn’t have to do anything. This is driving a significant part of our development.
Let me just give you one more example. I don’t think any conversation on technology is complete without the mention of cloud. So if we talk about Oracle Cloud, as we create our database servers we actually change our code in our database to automatically encrypt. It used to be something you had control of at “on-premise” solution but if you place your database on Oracle cloud we won’t let you create a database that isn’t encrypted. We won’t let you create a database that is configured in such a way that you expose yourself to risk unnecessarily and thereby also expose Oracle to risk.
Q: Do you think this Autonomous Database Service will be a game changer in the security solutions segment?
A: Absolutely. Security is almost never a goal in itself, security is something that enables business. Security is not your goal but the goal is to better serve your customers, your goal is to better your ability to provide goods and services. By automating tasks involved with data storage, data management and data retrieval, which is what the Autonomous Database Service does, we enable clients to use scarce human resources to think about things that actually improve business rather than deploy them for routine tasks that can be automated. If I’ve got a highly-paid IT professional who is spending his or her time thinking about how I employ a patch, that is a waste of talent. I want that person to be thinking about how do I better provide service to my customers and how do I better produce goods.
That is what Autonomous Database Service does. It frees up intelligent people to do intelligent work. It is a game changer. The Oracle innovation is built out of decades of experience - everything from our clustering capabilities to our ability to handle rapid failover systems to what we have learnt from hundreds and thousands of customer engagements. I don’t think anybody else is going to be able to match it and when it is released to the market, our Cloud customers, it is going to change the world when it comes to data storage.
Q: Will your Autonomous Database Service make firms and professionals lay less emphasis or focus on the importance of security?
A: No. Firms or IT professionals won’t forget about security. Right now what happens is time devoted to patching, ensure data is encrypted, devote time to auditing and monitoring. But what will happen going forward with Oracle Autonomous Database Service is time being spent on new things such as machine learning, use the systems to analyse what is going on, look for any anomalies, trying to detect attacks earlier than after an attack or a breach has happened. If I can relieve 50% of my IT workforce from doing minimal value-add activities that is just keeping operations going and put them onto true security detection and avoidance, that is a huge fillip for an organisation, when it comes to trying to stop a security breach either immediately or before it happens. This is what automation is helping enterprises.
For example, Oracle’s log analytics and security and monitoring analytics help firms to manage tons of data coming in identifying security-relevant data via machine learning and Artificial Intelligence (AI) to try and find patterns in those. So the one who was spending all the time doing patching is now working with AI and machine learning to identify any threats early and quickly to prevent any breach or anyone attempting to steal data.
Q: Does this innovation of Autonomous Database Service enhance the value proposition for more enterprises to embrace Cloud technology?
A: I think it absolutely does. For companies which are cloud shy they can begin to adopt the ‘Cloud at Customer’ option (based on regulatory requirements or internal rules) and as the confidence and trust levels improve can enhance the deployment to Oracle Cloud. We feel that the Autonomous Database Service given its unique benefits will accelerate migration to Cloud by enterprises. How could you not want to reduce the chances of human error, improve security, and improve performance?
Q: Is or was security a major deterrent for enterprises from migrating to Cloud technology?
A: I think it was. If you go back a couple of years ago, there was a lot of commercial resistance to the Cloud because they saw it as less secure. But now people are coming to the realisation that the Cloud is more secure. All of the major Cloud services and more importantly Oracle Cloud, have dedicated people doing security and the same things over and over again and we are very regimented in how we handle security. Most of the Cloud savvy enterprises will vouch that Cloud is more secure. Recently we announced yesterday that Oracle is adding 12 more Data Centres to our Cloud and six or 50% of such Data Centres will be based in Asia reinforcing the importance placed on Asia by Oracle.
Q: With an impressive suite of innovative solutions at Oracle what are the most preferred solutions for enterprises?
A: I think as you sell to enterprise you have to have functional capability and Oracle is very good on that. You also have to come in at a price affordable for that function capability to give the enterprise the value that they need. We never think of Oracle as the cheapest vendor but we are the cheapest vendor for Cloud infrastructure mostly because we started without the lot of baggage which most others had. From a corporate point we are the biggest or most preferred supplier in the database and Cloud market.
Q: Cybersecurity is also becoming a national/country issue. Given your experience and expertise is there anything that you would like to suggest in terms of what countries and communities need to do?
A: There are. At the national level I think it is very important for the government to provide guidance to their companies around what should be done to secure data. Rules around data privacy are very important because they provide a baseline and an assurance for competing in the marketplace. When I look at Sri Lanka I am not aware that there is a data privacy law here and data privacy laws are very important in a common place throughout the world. The absence of a data privacy law in some ways may inhibit Sri Lanka’s companies from doing business globally. I think it would be helpful to have a cybersecurity policy that is multinational.
Another thing the country can do is to recommend standards. These could be as simple as saying these are the types of data we think are important hence must be protected. They can be as complex as Europe’s General Data Protection Law which specifies standards on how data must be protected, or they can be done collaboratively within Asia setting region-wide cybersecurity standards or governments can provide guidance to what should be done and how.
Q: What is your assessment of corporate board level responsibility and leadership on cyber security?
A: Obviously. This stems from my earlier observation that cybersecurity is a major corporate risk. It is the job of the board to handle this risk. As cybersecurity has become recognised as a growing business risk, boards are really stepping up oversight and leadership efforts. I engage with CEOs of many countries on a regular basis and I am told that boards are increasingly receiving advice from legal firms on cybersecurity risk and regulations, etc. So a board-level conversation of cybersecurity is an absolute must.