Reports of alleged Oracle Cloud breaches have reignited concerns about the vulnerabilities inherent in third-party data management. Hosting your encryption gateway, often referred to as "Bring Your Own Encryption" (BYOE), offers a powerful solution by significantly reducing the impact of such breaches.
This blog will explore how independent security controls, like BYOE, can address the weaknesses exploited in these attacks, using the latest Oracle incident as a case study.
While multiple independent researchers and organizations have put out information supporting its occurrence and its impact, it is important to note Oracle disputes the full extent publicly.
Read more about the Reported Oracle Breach
Bring Your Own Encryption (BYOE) enables organizations to encrypt their data before it ever reaches the cloud. Unlike native approaches, where the cloud provider controls encryption and sometimes key management, BYOE puts businesses in direct control of these critical functions.
With BYOE, sensitive information is secured before it leaves the network using encryption keys that remain solely in the organization’s control, ensuring that data is protected and unreadable to anyone without access to those keys (including any third-party system the encrypted data is transmitted to.
In the Oracle breach example, the attackers stole encrypted passwords, Java Key Store (JKS) files, and encryption key files. If organizations using the Oracle services had utilized a self-hosted encryption gateway:
The threat actor attempted extortion by threatening to sell/expose data.
Hosting your encryption gateway disrupts this model because:
The breaches are said to have exploited a vulnerability in Oracle’s Fusion Middleware (CVE-2021-35587). Hosting your encryption gateway can assist because:
Oracle’s breach is reported to have impacted 140k tenants globally, highlighting shared infrastructure risks. Hosting your encryption gateway enables:
The investigation into the breach faces challenges due to the opaque breach disclosure. Moreover, compliance regulations like HIPAA and GDPR require audit logs to be maintained.
With an encryption gateway, organizations have access to audit trails that are stored separately from the cloud platform:
While hosting your encryption gateway does not prevent the initial third-party breach, it can radically reduce its consequences. As the analysis shows, the Oracle attackers focused on exploitable credentials and keys stored in Oracle’s infrastructure. This highlights that managing and controlling your encryption gateway shifts this attack surface, creating a situation where attackers need to compromise multiple independent systems, aligning with the principle of defense in depth, with independent layers of security.
See our data solutions for Salesforce, ServiceNow, SAP Business ByDesign & S/4HANA, NetSuite, and other applications.