Build Security Around Data, Not Perimeters
Oracle's Pickett: Perimeter Should Not be the Organizing Principle
The idea of a perimeter is becoming a nebulous concept. This increasingly has been the case in recent years, since the advent of the internet. Even before there was cloud, the perimeter was something that was hard to delineate. Today, the challenge is even more intense.
"It is very hard to pin down where organizational boundaries are, and this is a major challenge for many organizations today," says Chris Pickett, senior director and security lead for APAC at Oracle. "Perimeter security is still important, but I think we need to de-emphasize it as an organizing principle for our security architectures."
The focus should be on data capital - data on which the business runs, and data that organizations can exploit for new business opportunities, he says. Securing this data is critical for enterprises. While some of Oracle's customers are articulating this directly, others who are still at the phase of getting a handle on data lifecycle management explore this indirectly. But for the most part, organizations today are taking a data-outward view of security, Pickett says (see: Securing the Data Lifecycle).
On the security challenges around Digital India, Pickett believes that India has learned some good lessons in technology through its outsourcing industry over the past 20 years. A lot of the Indian technologists are quite skilled and conversant with what needs to be done, he says. "I think the major challenge with digital India is having clarity on data ownership, data processes, data stewards, data controllers - all the typical roles that are necessary for a project of this scale," he adds (see: Securing Digital India).
Sharing some pointers on cloud security, Pickett says that segregation of duties, on-disk encryption, data redaction and robust identity management are some of the basic best practices he recommends cloud adopters focus on in terms of security. "We need to clearly delineate the boundary between the cloud provider and the cloud consumer, because that lets both parties clearly understand their respective responsibilities," he says.
In this exclusive audio interview with Information Security Media Group, Pickett shares his views on:
- The cloud security landscape in Asia;
- Recommendations for Asian practitioners from a service provider perspective;
- Security challenges for India's massive digital governance programs.
Pickett is a senior director responsible for Oracle's data security business within the Asia-Pacific region. He has 23 years of experience in the information systems industry, of which the past 10 years have been with Oracle Corp., focused on security at both a domain-specific level and security in the context of enterprise architecture.