Cloud Security Perspectives and Insights

Implementing separation of duty (SOD) and the least privilege model are basic foundations of your security strategy – what we call security hygiene.  This is applicable to not only your databases, but all your systems.  Separation of duty splits tasks between individuals so no single user has enough privileges to steal sensitive data or damage the system.  Least privilege limits the privileges the user has to just what they need for their day-to-day tasks.  The worry is not so much your trusted insiders, but malicious users who leverage stolen credentials from privileged users to mount attacks to steal data, alter information or otherwise damage the system. Separation of Duty Separation of duty (SOD) is a method to separate sensitive task roles to different people to minimize the ability for any one individual to steal or damage the system. A classic application example is to separate the task of entering vendor invoices and paying it.  Separation of duty suggests splitting this across at least two people since one malicious user can’t create a new vendor, enter a fake invoice and pay himself/herself.  In a similar way, separation of duty in a database looks at common attack vectors and separates roles to prevent the attack.  A common attack vector for the database is a malicious user leveraging stolen privileged credentials to create a new rogue account.  The malicious user escalates the privileges on the rogue user account and then logs into the rogue account to attack the system.  Separation of duty in this scenario separates the ability to create a new user and the ability to grant privileges from the privileged user account. Least Privileges In the Least privilege model, users are only given the privileges and access they need to do their jobs.  Frequently, even though users perform different tasks, users are all granted the same set of powerful privileges.  Figuring out what set of privileges each user needs is hard work and in many cases, users end up with some common set of privileges even though they have different tasks.  Even in organizations that manage privileges, users tend to accumulate privileges over time and rarely lose any privilege.  Separation of duty breaks a single process into separate tasks for different users.  Least privileges enforces the separation so users can only do their required tasks.  The enforcement of SOD is beneficial for internal control, but it also reduces the risk from malicious users who steal privileged credentials. Privilege Analysis So implementing SOD and the least privilege model is good practice, but how do you go about doing this?  Not only is it hard to analyze what privileges every user and application need, you also need to review and remove un-needed privileges. It’s not just a one-time project – but an on-going process that can be labor intensive without automation.  There are multiple tools that can tell you the roles and privileges granted to any particular account – but they don’t tell you if they ever get used – or if they’re used, why they were used. Privilege Analysis was first introduced with Oracle Database 12c and licensed as part of the Oracle Database Vault option.  Since then, Privilege Analysis has been used by many customers to reduce their attack surface area by helping them implement least privilege model.  This innovative capability created by Oracle is unique in the database world and is vastly superior to any static analysis tool. Built into the Oracle database kernel, Privilege Analysis tracks not only what privileges and roles are NOT used over a period of time, but also which privileges and roles are used – and how they are used.  Privilege Analysis is designed to minimally affect existing operations so it can safely run in your production and test environments. You typically run Privilege Analysis over a time period that captures all the use cases for either a user, groups of users, role, an application or even the entire database.  A report is generated that shows which privileges and roles were used and unused.  You may find that an account was granted the powerful SELECT ANY TABLE system privilege, but it was only used to access seven tables from the same schema.  It would be much better if the SELECT ANY privilege was replaced by direct object SELECT grants to these tables. The Unused Privileges Report lists privileges that weren’t used during the time the data was collected. You can simply revoke the user’s unused privileges if you determine the user doesn’t need them, however another option is to audit and alert on these unused privileges instead.  This gives you flexibility so the user can use the privilege without impact, but you’ll also be notified if a malicious user uses these “unused” privileges. While all database accounts can benefit from the least privilege model, application service accounts and DBA user accounts are especially well suited for this analysis. Application service accounts typically need three different types of privileges and roles.  First set is used by the application to operate on a daily basis, second for patching and upgrades, and then third to install the application schema.  Privilege Analysis can track which privileges and roles are used for day to day operations so you can limit the service account to just these privileges and roles.  They can even be grouped into an operational role to make it easier to manage.  Running Privilege Analysis on a test database during patching and updates can tell you which additional privileges and roles are needed for patching/updates.  This can be granted to the production service account before these activities take place, and then revoked afterwards.  Oracle Database DBAs are frequently just granted the out-of-the-box DBA role.  This out-of-the-box DBA role should not be granted to every DBA as it contains almost every possible privilege, including most system privileges in the database.  DBAs have different tasks to perform and least privileges dictates granted privileges should match the tasks.  Privilege Analysis can be used to implement least privileges for DBAs in a number of ways.  DBAs in the same job can be analyzed to see which privileges they need to perform their job.  Then a new role can be created (xxx_dba role) to be granted to each DBA in that job.  Or individual tasks can be run by DBAs and Privilege Analysis can capture privileges used for each task.  Task based roles can be created and DBAs can be granted the task roles they are responsible for.  Task based roles provide more flexibility as a DBA’s job changes over time. Oracle continues to be a security leader through innovative, unique security controls to protect your data. Distributing the Database Security Assessment Tool (DBSAT) for no additional license fee through Oracle support shows our commitment to help our customers understand the risk profile of their databases that manages their critical data.  In today’s world, we need tools to assess our own security before hackers analyze our weaknesses and gaps.  Privilege Analysis Included with Oracle Database Enterprise Edition Oracle recognizes the critical importance of assessing your database environment in order to better improve security.  We are pleased to announce that Privilege Analysis is now included with Oracle Database Enterprise Edition for no additional license fee.  This change applies to all supported versions of the Oracle Database. Users can refer to the Privilege Analysis documentation in the Oracle Database Vault Administration Guide.  Separate documentation for Privilege Analysis will be part of the next Database Security Guide.  Database Vault does not have to be configured or enabled to use Privilege Analysis in any version. By implementing separation of duties, least privileges and using DBSAT – you will reduce the risk of malicious users using your privileged credentials to steal or alter data.

Implementing separation of duty (SOD) and the least privilege model are basic foundations of your security strategy – what we call security hygiene.  This is applicable to not only your databases, but...

According to the 2018 Oracle and KPMG Cloud Threat Report, 90% of firms reported that more than half of their cloud data includes sensitive information. With organizations rapidly housing their most critical data in the cloud, visibility is key. The report also uncovered that 82% of cyber leaders are concerned that employees do not follow cloud security policies. How are organizations supposed to secure environments they aren't even aware of? Visibility is Critical The proliferation of threats organizations face and the release of several major compliance regulations have prompted a renewed sense of urgency for the entire business to better secure their environment. Visibility is very important, as customers purchase cloud-based infrastructure they need to be sure that the applications and data residing on top of it remain secured. Oracle's Cloud Access Security Broker (CASB) Cloud Service allows customers to gain that visibility along with threat protection, and data security for both OCI deployments and multi cloud environments. Interested in Learning More? With Oracle CASB Cloud Service for OCI, customers can monitor configuration drift, set automated controls for remediation of high risk user profiles, and an understanding of user behavior. Allowing organizations to quickly detect and act on possible threats. Please join our Cloud Platform Specialists, Gordon Trevorrow and Indranil Jha for a live demo of Oracle CASB to learn more about the ways in which Oracle CASB helps organizations better monitor, understand, and secure their OCI deployments. Virtual Workshop Register now! Secure Oracle Cloud Infrastructure with Oracle CASB December 11, 2018 10:00 am PT

According to the 2018 Oracle and KPMG Cloud Threat Report, 90% of firms reported that more than half of their cloud data includes sensitive information. With organizations rapidly housing their most...

Gartner has named Oracle a Leader both in the 2018 Gartner Magic Quadrant for Identity Governance and Administration and 2018 Gartner Magic Quadrant for Access Management, Worldwide. In response, Oracle released an announcement. The press release covers brief insights on the report and explains Oracle's security strategy, "Oracle believes this recognition further validates the strength and innovation of cloud security services Oracle has introduced over the past year and its ability to help enterprises better integrate security solutions to manage their business." According to Gartner, “IGA Leaders deliver a comprehensive toolset for governance and administration of identity and access. These vendors have successfully built a significant installed customer base and revenue stream, and have high viability ratings and robust revenue growth. Leaders also show evidence of superior vision and execution for anticipated requirements related to technology, methodology or means of delivery. Leaders typically demonstrate customer satisfaction with IGA capabilities and/or related service and support.” To learn more, access the full 2018 Gartner Magic Quadrant for Identity Governance and Administration. Within the 2018 Gartner Magic Quadrant for Access Management, Worldwide, Oracle also placed in the Leaders quadrant. Oracle's security strategy incorporates several layers of defense to enable organizations to increase their security posture across the entire cloud, including users, apps, data, and infrastructure.  By implementing Oracle's Identity and Access Management solutions in conjunction with emerging technologies and existing investments, we believe customers have the opportunity improve their security posture and enable greater innovation within their industries. Oracle's complete, integrated, next-generation identity management platform provides breakthrough scalability and enables organizations to reduce operational costs. Organizations gain the flexibility to secure sensitive applications and data - regardless of their deployment. Please be sure to download a complimentary copy of the 2018 Gartner Magic Quadrant for Identity Governance and Administration and the 2018 Gartner Magic Quadrant for Access Management,Worldwide.    Gartner Magic Quadrant for Identity Governance and Administration, Felix Gaehtgens, Kevin Kampman, Brian Iverson, 21 February 2018.   Gartner Magic Quadrant for Access Management, Worldwide, Gregg Kreizman, 18 June 2018.   This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Oracle. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.    

Gartner has named Oracle a Leader both in the 2018 Gartner Magic Quadrant for Identity Governance and Administration and 2018 Gartner Magic Quadrant for Access Management, Worldwide. In response,...

Today's world is all about the go go go. People simply do not have time to wait and as a result, organizations are tasked with producing products, applications, and services at a rapid rate. Being first to the market is no longer just a goal, it can make or break an organization. Imagine for a moment that a consumer opens up their smartphone to complete a transaction. Within a matter of minutes, they may have accessed several apps, entered highly sensitive Personally Identifiable Information (PII), and perhaps used the same login password they use for every account - including work accounts- all on a public network. Threats are everywhere and this example is just one out of thousands of ways in which personal accounts are at risk. Now translate that risk from an individual to an organization. Cybercriminals are highly funded and motivated to snatch certified credentials from end users. These stolen credentials could end up as the starting point for an attack against an organization in an attempt to collect or manipulate critical core data.  The widespread use of weak passwords, unsecured networks, and frequent occurrence of phishing attacks make organizations prime targets for attack. Compound this with the proliferation of users, applications, and devices all enabled for a fast, digital, and mobile world - the threat seems inevitable. Understanding Who is in Your Environment Organizations have long relied on strong perimeter controls and although these do well to protect the on premises environment behind the firewall, what can be said about the use of mobile devices and the increasingly common Hybrid Cloud landscape? Organizations need a solution that can leave the boundaries of the traditional firewall and provide security at every layer, as discussed in our recent Core-to-Edge blog. Organizations have invested heavily in the use of traditional Identity and Access Management solutions for on premises, but the move to the cloud has created a security mandate to consolidate identity management under one framework that extends into the cloud. In the 2018 Oracle and KPMG Cloud Threat Report, 38% of respondents reported detecting and responding to cloud security incidents as the number one cybersecurity challenge. Gaining visibility into the behavior of users and devices across an entire hybrid cloud ecosystem is crucial in determining if users have appropriate access to critical applications, if those users are abusing their access, and remediating anomalous behavior in the event privileged user credentials have been compromised. Flexibility and Choice Make the Difference Organizations have quickly realized the benefits of cloud adoption and have implemented several solutions at every layer of the stack. However, protecting an entire hybrid and multi-cloud environment under one solution can be challenging. After all, every vendor has unique shared responsibility requirements and the growing number of compliance regulations have pulled organizations in too many directions, leaving them exposed to attackers. In order to keep pace with innovation and the changing IT landscape, organizations must streamline their security controls with solutions such as Oracle Identity Cloud Service and additional cutting edge technologies, that can play an integral part in enabling organizations looking to secure their hybrid cloud environment. Learn more about the ways in which Oracle offers organizations flexibility in managing identities in a hybrid cloud and securing SaaS environments for increased visibility and control.  

Today's world is all about the go go go. People simply do not have time to wait and as a result, organizations are tasked with producing products, applications, and services at a rapid rate. Being...

Looking to learn more about Oracle Cloud? We are happy to announce six upcoming Oracle Cloud Day events in cities near you! Oracle Cloud Day offers attendees a wide array of sessions, hands-on experiences, and networking opportunities. These single day events allow you to explore new cloud technologies, best practices, and customer success stories.   Every cloud journey is unique and the Oracle Cloud Day is designed to be enable organizations at all stages of their transformation. Each event features keynotes, developer playgrounds, and networking in the Oracle Innovation Lounge. Three customized tracks designed to meet each attendee's needs - IT Experts, Architects and Integrators, and Data Professionals. Join the IT Experts track to learn more about Oracle's latest innovations in Security solutions.   Oracle Security offers organizations flexibility and choice in securing their deployment. With the overload of threats organizations face it is important to implement a layers of defense approach to security. If you are planning to attend, be sure to join our session, "Mitigating the Top Five Cloud Security Mistakes," within the IT Experts track.   Abstract: One of the most misunderstood aspects of the cloud is determining where the cloud service provider’s security responsibility ends and your responsibility begins. The Oracle and KPMG Cloud Threat Report indicates less than half of surveyed organizations could correctly identify their IaaS security responsibilities. Join this session to learn the top five cloud security mistakes organizations make, and how to mitigate them using Oracle’s security solutions. Learn how to best prevent, detect, and respond to the top risks to your hybrid cloud environment, including misconfigurations, data loss, shadow IT, and more. We’ll also share an insider’s view of the top questions to ask your cloud service provider to best protect your organization.     Register Now for a City Near You! Toronto, ON                                             Atlanta,GA December 4th, 2018                             January 17,2019   Dallas, TX                                                 Boston, MA December 6th, 2018                             January 30, 2019   New York, NY                                          Chicago, IL January 15th, 2019                               February 5, 2019      

Looking to learn more about Oracle Cloud? We are happy to announce six upcoming Oracle Cloud Day events in cities near you! Oracle Cloud Day offers attendees a wide array of sessions, hands-on...

The Gartner Identity and Access Management Summit 2018 in Las Vegas is quickly approaching! If you are attending the conference, we encourage you to catch these sessions and events. 1. Visit the Oracle Booth Oracle is a Platinum Exhibitor at the Gartner Identity and Access Management Summit 2018. We encourage you to spend some time at the Oracle Security Booth (#601) to learn more about Oracle's Security solutions in the identity management space. Additionally, connect with product management and other Oracle pecialists to discuss the ways in which Oracle has helped customers succeed in hybrid and multi cloud environments. 2. Session: Learn more about Oracle's Trust Fabric Join Oracle SVP and General Manager of Security and Identity, Eric Olden, for a session that explores today's sophisticated threats and the need for proactive and intelligent solutions that can quickly scale to meet changing IT requirements. Olden will also share how Oracle's Trust Fabric helps organizations predict, prevent, detect, and respond to threats. The session will take place Monday, December 3rd from 3:45pm- 4:30pm. 3. Create a Winning Plan The Gartner Identity and Access Management Summit offers attendees over 50 sessions, exhibit floors, and access to several peer and analyst networking opportunities. With so many options, we believe it is critical to come to the conference with a game plan. Gartner's registration page offers full abstracts for each session and can be filtered a number of ways, including by topic or track. This allows attendees to fine tune their interests and build an agenda through the registered attendee portal. 4. Understanding Your Roadmap According to the 2018 Oracle and KPMG Cloud Threat Report, 82% of cyber leaders are concerned that employees do not follow cloud security policies. This leaves organizations at risk and exposed in ways they may not even be aware of. Prior to the conference, we recommend all attendees take the time to understand their roadmap and consider assessing their environments to understand any pace gaps they may need to address. Each environment is unique and exercises like this will give attendees a fresh lens to approach each session and gain meaningful takeaways from each session they attend. 5. Continuing Support Throughout the conference, we encourage all attendees to visit @OracleSecurity on Twitter. Additionally, visit our webpage to learn about Oracle Security Solutions. About the Gartner Identity & Access Management Summit 2018 The Gartner Identity & Access Management Summit 2018 will help attendees reimagine significant elements of their IAM approach for digital age success. Gartner analysts will explain the latest tactics and best practices across IAM fundamentals to help craft and implement an IAM vision and strategy for the digital age.

The Gartner Identity and Access Management Summit 2018 in Las Vegas is quickly approaching! If you are attending the conference, we encourage you to catch these sessions and events. 1. Visit the Oracle...

Next Generation Cybersecurity The next generation cloud revolution has begun. Emerging technologies are opening doors for innovation and, unfortunately, risk as well. Technologies such as AI, Blockchain, and IoT are gaining momentum and creating new threat vectors for organizations. Security teams are struggling to keep pace, in fact, according to the Oracle and KPMG Cloud Threat Report, detecting and responding to cloud security incidents is the number one cited cyber security challenge. How can organizations address this challenge? Core-to-Edge Security The rising number of sophisticated attacks has prompted organizations to adopt a layers of defense approach- protecting their environment at the core (your data) and moving to the edge (anywhere users access data, including your applications and infrastructure). we encourage you to join us at the Gartner Identity and Access Management Summit 2018 from December 3rd-5th in Las Vegas at Caesars Palace to discuss these challenges and more. Visit Oracle at Booth #601 We encourage attendees to visit our booth to meet experts and learn more about: Oracle's Identity-based Security Operations Center (Identity SOC) which provides comprehensive monitoring, threat detection, analytics, and remediation tools to stay ahead of threats. Get insight into Oracle's Trust Fabric approach, which enables customers to better predict, prevent, detect, and respond to highly sophisticated attacks. Sign up for an Oracle Cloud Trial. Attend our Session Title: Combat Sophisticated Threats with Oracle Security Date: Monday, December 3, 2018 | 3:45 PM - 4:30 PM | Roman II Promenade Level Speaker: Eric Olden, Senior Vice President and General Manager of Security and Identity, Oracle Abstract: Today's advanced security threats require proactive and intelligent automation that can quickly scale with a rapidly changing IT environment. Learn how Oracle's Trust Fabric helps predict, prevent, detect, and respond to the overwhelming number of security events that challenge IT and security operations. Oracle's Trust Fabric is a comprehensive set of integrated solutions designed to help reduce the time required to respond to security threats. About the Gartner Identity & Access Management Summit 2018 The Gartner Identity & Access Management Summit 2018 will help attendees reimagine significant elements of their IAM approach for digital age success. Gartner analysts will explain the latest tactics and best practices across IAM fundamentals to help craft and implement an IAM vision and strategy for the digital age.  

Next Generation CybersecurityThe next generation cloud revolution has begun. Emerging technologies are opening doors for innovation and, unfortunately, risk as well. Technologies such as AI,...

Provisioning an Oracle database in Oracle Cloud Infrastructure (OCI) is quick and easy .... it takes not more than a few mouse clicks and your database is ready within minutes.  Once you've provisioned a 12.2 database (that includes all the 18c releases) in OCI, you'll notice that ...: it is always configured as a single-tenant database (root container with one pluggable database), and Transparent Data Encryption is already turned on, and the USERS tablespaces of the root container and the PDB are already encrypted. Because the 'encrypt_new_tablespaces' system parameter is set to CLOUD_ONLY by default, all new application tablespaces will be automatically encrypted with AES128, even if the "encryption" syntax is omitted from the 'create tablespace' commands. Databases in OCI are created with an auto-open wallet, but for further wallet operations, the wallet password needs to be known regardless; the default wallet password is the administrator password that you provided when completing the Web-Form to initially provision the database. In order to make the configuration of TDE complete, set the ORACLE_UNQNAME environment variable on the OS level (set in .bash_profile), and in server control (because even single instance databases in OCI run on Oracle Grid Infrastructure). In a single instance database, ORACLE_UNQNAME is usually the same as the ORACLE_SID; in RAC databases, the ORACLE_UNQNAME is equal to ORACLE_SID minus the number, for example: A 2-node RAC has FINRAC1 and FINRAC2 as ORACLE_SIDs, the ORACLE_UNQNAME should be FINRAC. How to clone a pluggable database with encrypted tablespaces: SYS:CDB$ROOT> show pdbs; CON_ID CON_NAME  OPEN MODE  RESTRICTED ------ --------- ---------- -----------      2 PDB$SEED  READ ONLY  NO      3 FINPDB    READ WRITE NO If the source database is opened READ WRITE, then the next command will create a "hot" clone, which requires local UNDO tablespaces and archive logging to be turned on.  If this is not feasible, stop and restart the source PDB as READ ONLY while it is being cloned. SYS:CDB$ROOT> create pluggable database TESTPDB from FINPDB keystore identified by "wallet-pwd"; This guarantees that your source database (which might contain sensitive data) can only be cloned by an administrator who knows the wallet password. SYS:CDB$ROOT> alter pluggable database TESTPDB open; Now the new pluggable database needs its own encryption key.  Connect to TESTPDB and execute: SYS:TESTPDB> administer key management set key force keystore identified by "wallet-pwd" with backup [container = current]; To test, select data from a table that is stored in an encrypted tablespace, or create a new tablespace which will be encrypted by default; in both cases, the cloned database will use its own master encryption key that was created in the previous step. SYS:TESTPDB> create tablespace PROTECTED datafile size 50m; Tablespace created. If you are interested learning more about other use cases, please let me know through the comment section below.  To learn more about Oracle Database Security and Oracle Cloud Infrastructure, please visit our webpages.

Provisioning an Oracle database in Oracle Cloud Infrastructure (OCI) is quick and easy .... it takes not more than a few mouse clicks and your database is ready within minutes.  Once you've...

According to the Economist, “The world’s most valuable resource is no longer oil, but data.” As organizations embrace the digital revolution and transform themselves by adapting new business models, data will be the single most valuable asset to ensure competitive advantage. Organizations have a lot of sensitive data (IP, SSN, credit card numbers), all which continue to increase exponentially. Lots of people are coming after that data ranging from internal employees, customers, competitors to nation states, criminals and activists - Organizations need to ensure their sensitive data is protected.  Due to the increasing number of data breaches, government agencies have stepped in to enforce data privacy and security mandates such as GDPR to protect privacy. No matter where you are, data privacy laws are in effect, and new regulations will be enforced every single year. While these mandates may differ on enforcement, penalties, breach notification, or scope (high level or detailed), they will all aim to accomplish the same thing: Keep people’s personal data safe and secure. It’s an asymmetric warfare! The attackers and hackers have excellent tools, time, and infrastructure to ensure they succeed. on the other hand, as defenders, organizations are highly constrained with time, people, and resources. These constraints force organizations to fight hard and fight smart. In order to take the right steps to protect data, organizations first need to fully understand their environment. Many organizations don't really know how much and what type of sensitive data they have.  They may not know how all their systems are configured - and more importantly, where those configurations introduce unnecessary risk. They need to know what users they have, their entitlements, what controls are in place, which ones are missing, etc. They must assess their current state in a comprehensive fashion, analyze and report on identified gaps, and draft a strategic plan to improve their security posture. To learn more about best practices on how to assess your IT system and risks, please join Oracle's Pedro Lopes and The Pythian Group's Simon Pane for the following webcast. Title: Assessing Risks in an IT system Date: Thursday, November 8, 2018 Time: 2:00 p.m. ET/ 11:00 a.m. PT Register here  Pedro Lopes, DBSAT and EMEA Field Product Manager, Oracle  Simon Pane,Principal Consultant, The Pythian Group

According to the Economist, “The world’s most valuable resource is no longer oil, but data.” As organizations embrace the digital revolution and transform themselves by adapting new business models,...

It’s been busy at Oracle OpenWorld this week, but I wanted to take some time to summarize some recent news. Bad news first: There isn’t any one cloud security silver bullet. Now, the good news: There are smart approaches you can take to secure your cloud environments. If you’ve made it to this blog, you’re probably facing at least one of these challenges: Your organization is eager to capitalize on the benefits that come with cloud adoption, but it doesn’t know a lot of about how to secure its information in the cloud. According to ESG research, 85% of businesses now use some form of public cloud service. That’s up from 57% just five years ago. Your company is increasingly risk aware due to the prevalence of cyberattacks and may have already been affected by an attack. In the Oracle and KPMG Cloud Threat Report 2018, two-thirds of our respondents said that they experienced a cybersecurity incident that affected business operations over the past two years. You’re trying to secure a footprint that stretches across on-premises and cloud environments. And even within your cloud footprint, you’re using multiple clouds from multiple cloud service providers—some of which you probably don’t even know about. Bottom line, it’s complicated. ESG Research also says that 81% of companies using IaaS platform services say they use services from more than one cloud service provider. During the last several weeks, my colleagues Greg Jensen (Oracle), Brian Jensen (KPMG), and I (me on Twitter) have posted a series of blogs and hosted a handful of webcasts, all examining an aspect of cloud security that will help you address these concerns. Today, I want to put it all together in a handy list (and give you a shortcut in case you’ve missed one or two of our posts). Although this is far from comprehensive, you can get much more information by downloading the Oracle and KPMG Cloud Threat Report 2018 for yourself or by viewing our latest webcast installment Enabling a Secure SaaS Experience on demand. Without further ado, here are the top seven tips for tackling your cloud security challenges. Understand the cloud service provider shared responsibility model. We did a blog about this a few months ago. In a nutshell, understanding shared responsibility means getting crystal clear on what your cloud service provider is responsible for when it comes to management and security and what you as the customer are responsible for. Sounds easy, but in our research for the Oracle and KPMG Cloud Threat Report we found that less than half of our survey respondents could identify the most common shared responsibility model for IaaS, SaaS, or PaaS. Appoint a Master of All Cloud Security. We call this a Cloud Security Architect. The CSA understands every possible security and compliance-related challenge that a line of business (LoB) owner or infrastructure, platform, or app team could run into when deploying new cloud services. And it’s the one position that has stood out as the most central and strategic in meeting security and compliance milestones. We go into detail about the Cloud Security Architect in this post. Get a single view into all data. The average cybersecurity professional has their attention split between about 46 different security products. Trying to find the signal in that amount of noise is unfair at best and disastrous at worst. Getting a single view into all the data being generated by these products is critical to making sense of it. Use artificial intelligence. A single view is critical, but it isn’t enough. Only 37% of our Cloud Threat Report survey respondents said that they can analyze a modest sample of their data (defined as 25% to 49%), and another 14% report they can only analyze small samples of their data (less than 25%). This isn’t a problem we can just throw more people at. First, they don’t exist. Current estimates suggest there will be 3.5 million open cybersecurity jobs by 2021. But even more importantly, it’s just not practical. Automated systems are much better at handling volume than humans will ever be. Address the complete threat lifecycle. Predict. Prevent. Detect. Respond. You need to be able to predict a potential threat by flagging anomalous behavior. You need to prevent cybercriminals from stealing that data. If they do, you need to be able to detect the breach, and, finally, respond automatically. Each stage is crucial. Apply these security practices across disparate organizations. The saying, “Change is the one thing you can count on” applies here. Mergers, acquisitions, and growth all come with change in the form of new applications and systems, creating the beautiful heterogeneous environment that your business uses to thrive. Finding a way to protect this environment is an absolute must. Continuously monitor. Fortunately or unfortunately, your work is never finished. You’ll need to continuously monitor and assess the environment for suspicious activity, keep up on the latest trends, and find new solutions. But, hey, that’s why you read this blog right? So, there they are, the seven tips for tackling your cloud security challenges. It’s not easy, but it’s vital, and we can help. For more information on how Oracle approaches these mandates, read my recent blog on our Core-to-Edge approach. And for a more in-depth look at reducing risks by implementing consistent security controls and governance across hybrid and multi-cloud environments, join us for our webcast: Enabling a Secure SaaS Experience – Register Here.

It’s been busy at Oracle OpenWorld this week, but I wanted to take some time to summarize some recent news. Bad news first: There isn’t any one cloud security silver bullet. Now, the good news: There...

If you’re stymied about how to protect your on premises data now, then leverage that security layer in your move to the cloud, read on. With about 2 Billion pieces of malware circulating and 1M new ones created each day, any user, asset, or application is at risk of being attacked. But databases containing sensitive information pose a significantly higher risk. This holds true for companies with on premises datacenters and self-sourced IT groups as well as those using cloud-based services or outsourcing arrangements. To make things worse, as cyberattacks become more sophisticated and IT environments more complex, detecting and responding becomes costly, often requiring many analysts, using many different tools to conduct forensic analysis, that can take weeks to complete. Forty-two percent of cybersecurity professionals say their organization ignores a significant number of security alerts because they can’t keep up. This is where the right security solution — with that perfect combination of SIEM-like features plus UEBA and IT Compliance — comes into play. With the appropriate features, this context can be accomplished in just a few clicks. Does this miracle tool exist? Let’s go through a few sample workflows and let you decide for yourself. Database Firewall Alert. Let’s start our journey toward increased database security by processing an alert from Oracle Audit Vault and Database Firewall (AVDF). In this case, Oracle has the ability to assess risks with on premises applications natively, or consuming an enhanced threat feed from AVDF. This alert, in itself, doesn’t mean you’ve got an attempted infiltration. Security Monitoring and Analytics pulls in an alert from the Audit Vault and Database Firewall application SQL Anomaly.  When we see anomalous SQL correlated concisely with the above database firewall alert, we’ve got improved context. First off, as the image below indicates, the user is in Marketing, not Finance. Yet they are accessing a Finance database. Second, they are doing a “select from a user table” command which is a form of SQL injection. Both of these points make this highly suspicious. This SQL anomaly is from a user who resides in Marketing and does not access the financial database, “FINDB” in their day-to-day work Brute Force Attack. By the time this happens we would normally engage our forensic team. But we don’t have to, because Oracle Security Monitoring and Analytics (SMA) has already done the correlations and kicked off an auto-remediation workflow. This is good news because with most companies triaging less than 50% of their alerts, most need the extra help. SMA correlates repeated login attempts over the course of a few minutes with the same high-risk user Will it be useful when I move to the cloud? The short answer is “yes”. This is where investing in a cloud service to protect your on-site assets makes sense because, instead of spending 75% of your IT budget maintaining internal systems like our friends in the healthcare sector, you’re planning ahead by lowering fixed costs. And if you’re not yet cloud-bound, chances are you will be. In a 2017 survey of 196 IT managers and leaders, 79% of respondents said they have a cloud project underway or planned. SMA consumes information from on premises or cloud applications equally well. So, as you begin to transition to the cloud, that same SMA analytics and risk assessment tool will do an equally effective job monitoring you cloud posture, incorporating alerts from — for example — Oracle’s Cloud Access Security Broker (CASB), or Identity Cloud Service. SMA reports an anomalous access to a cloud resource based on a CASB alert Finding threats is most useful if they can quickly be remediated. Fortunately — especially for those without dedicated threat-hunting teams — SMA interfaces with Oracle Configuration and Compliance to set in motion a remediation workflow. The configuration and compliance ruleset reveals that guest accounts have unexpectedly been enabled on the database, and remediates the insecure settings. To watch SMA perform these functions in action, see our SMA demo video. For product details or to start a free trial, visit our SMA web page. And be sure to catch SMA at Oracle Open World for a tech talk, hands-on-lab, or a live demo.  

If you’re stymied about how to protect your on premises data now, then leverage that security layer in your move to the cloud, read on. With about 2 Billion pieces of malware circulating and 1M new...

As OpenWorld begins to wind down, we hope you've enjoyed the sessions, events, and announcements this year. CloudFest. 18 was a great time! With such a busy week, it is time for us to grab a cup of coffee! Although the official conference is coming to an end, it is just the beginning of new innovations for Oracle Security. Stay tuned for more thought leadership blogs, announcement recaps, and deep dive information on our Oracle Security solutions throughout the year.   Here are some of the main highlights from yesterday's sessions: 1.Keynote Corner: Cyberspace is a Battlefield  We kicked off Wednesday with Mark Hurd, Oracle Chief Executive Officer,leading a panel of security intelligence thought leaders. The hour and half was filled with powerful statements on the current state of security, growing sophistication and frequency of attacks. Jeh Johnson, Former Secretary of Homeland Security, stated that, “Cybersecurity is going to get worse before it gets better,” describing the need to understand these threats and how we can better address the challenges organizations face today. The panel went on to stress that organizations need to make the right security decisions daily. To empower customers, Oracle has announced their second generation cloud with a defense in depth approach, which incorporates encryption by default. Many important topics were discussed throughout the keynote, from nation state sponsored cyber attacks to the changing cloud landscape, but the key takeaway is that organizations should prioritize security in the cloud and employ a strategy that takes into account the core-to-edge framework. To learn more around strategies and solutions your organization can adopt to create a defense in depth approach visit our Oracle security  webpage.   2.Session Alert: For Some Organizations, Breaches can be Life or Death   The day continued with the topic of security and the importance of thinking of your data (core) as a valuable, traveling asset. It is key to protect that core with several layers of defense, a concept explored further in a session this morning with Oracle's Troy Kitch. Kitch led a partner panel with representatives from Deloitte, KPMG, and PwC. Each panelist explored topics that affect companies as they progress on their journey to the cloud. The panel covered the need to implement omni-channel security solution as well as the importance of tools, such as the Oracle CASB Cloud Service, that will enable businesses to gain greater visbility into their sanctioned and unsanctioned apps.   OpenWorld isn't over yet! Please join us for a number of great security sessions today.   1. Session Alert: Getting Started with Oracle Security Monitoring and Analytics Cloud Service Marriott Marquis (Golden Gate Level) - Golden Gate A |12:00pm - 12:45pm    Join this session to learn how Oracle Security Monitoring and Analytics Cloud Service protects modern enterprises by enabling early detection of threats across on-premises and hybrid cloud assets, rapid forensics with cyberattack chain discovery and visualization, and much more.   2. Session Alert: Adaptive Security in a Hybrid Cloud World Moscone South - Room 206 | 1:00pm - 1:45pm   In this session see how the adaptive security capabilities within Oracle’s security and identity solutions enable organizations to identify and mitigate security risks in real time by analyzing user behavior and leveraging security feeds from other products and platforms. Learn how Oracle’s identity products can be used to identify risky behavior and make intelligent decisions about the types of authentication that are appropriate and required given that behavior.   3. Session Alert: Recent Database Security Innovations You Might Not Be Using, but Should Be Moscone West - Room 3006 | 1:00pm - 1:45pm   In this session learn about the new way to authenticate and authorize database users in Active Directory. Explore review recent security innovations including privilege analysis, database vault simulation mode, data redaction, online encryption, and passwordless schemas. See how to assess the security of your database with Oracle Database Security Assessment Tool. Attend this session and you'll be able take advantage of these features next week to create a more secure database environment.

As OpenWorld begins to wind down, we hope you've enjoyed the sessions, events, and announcements this year. CloudFest. 18 was a great time! With such a busy week, it is time for us to grab a cup of...

We are at the halfway point! Oracle OpenWorld 18 has not disappointed! If you are here at OpenWorld, don't forget to check the Oracle Security Twitter account for the latest session information throughout the day. Each day has brought about new highlights, catch up on what you missed Monday and Tuesday, but today is always an especially exciting day - Oracle CloudFest18 kicks off tonight!    Yesterday, we heard some exciting announcements and attended several key sessions. Here are the major points:   1. Struggling to Keep Pace at Scale? Core-To-Edge Security is the Answer This week several Oracle sessions have focused on Core-To-Edge security, which promotes a proactive approach to creating layers of defense throughout your environment - regardless of deployment (hybrid, multi-cloud, etc.). Today marked the announcement of several key Core-To-Edge Security Announcements.    2. Oracle's Empowering Customers to Disrupt the Status Quo Steve Daheb, Senior Vice President of Oracle Cloud, took to the stage today in front of a packed and eager crowd.  The session covered the most important challenges in today's organizations as well as ways Oracle is innovating it's solutions to better support customers. Security was a major focus in the presentation, as Daheb shared a stat from a Verizon Study stating that 85 percent of successful breaches were from vulnerabilities where patches were available up to a year before the attack occurred.  He continued by explaining that Oracle's solutions are designed to seamlessly integrate helping customers reduce costs, avoid breaches, and ultimately disrupt their industries with cutting edge innovations. The presentation also covered major innovations around the Oracle Autonomous Database and showcased the benefits it provides to customers running 24/7 business models. Customers are now able to reduce the risk of human error and unpatched systems, lower downtime significantly, and focus on new innovation across the enterprise. Regardless of your unique cloud journey, we encourage you to learn more about the Oracle Cloud Platform!   Now, let's take a look at some major events on the schedule for today.   1. Keynote Corner: The Role of  Security and Privacy in a Globalized Society- Threats, Implications, and Opportunities Moscone North | 9am -10:30am   Join Mark Hurd, Oracle CEO, as he discusses the future of security with several of the leading voices from some of the most highly respected intelligence positions around the world. The session will also explore how "the next security threat" might relate to the direction of technology and the adoption of cloud computing.      2. Session Alert: Tips and Tricks for Security at Scale Marriott Marquis (Golden Gate Level) - Golden Gate C2 | 11:15 am - 12:00pm   This session was highlighted in our Top 5 Things to do at OpenWorld blog - It truly is a must see! Join Oracle's Troy Kitch and representatives from PwC, KPMG, and Deloitte as they discuss the expanding threat landscape. It has become difficult for companies to effectively secure their hybrid and multicloud environments due to the growing number of internal and external threats. If you’re interested in learning about Oracle Identity Cloud Service or Oracle CASB Cloud service, this might just be at the top of your Wednesday agenda.   3. Session Alert: Oracle Database Security Assessment Tool: Know Your Security Posture Before Hackers Do Moscone West - Room 3006 | 12:30pm - 1:15 pm   This product training session will teach you about the Database Security Assessment Tool, this tool is freely available to all Oracle Database customers and is designed to help discover sensitive personal data, identify database users and their entitlements, and understand the configuration and operational security risks.   4. Celebrate Good Times: Oracle CloudFest. 18 AT&T Park (24 Willie Mays Plaza, SF) |6:30pm -11pm   After the long day you've had, you deserve a pat on the back….and a party! Attend Oracle CloudFest. 18 and celebrate with colleagues and fellow attendees. This year, the concert features live music from Beck, Portugal. The Man, and Bleachers. This event is by ticket only, these tickets are included with the full conference pass purchase!  

We are at the halfway point! Oracle OpenWorld 18 has not disappointed! If you are here at OpenWorld, don't forget to check the Oracle Security Twitter account for the latest session information...

By: Nishi Shah, Director Cyber Security & Privacy, PwC As I discussed in my last blog, “Security Operations: Using Artificial Intelligence to Lock Down Your Cloud,” I talked about how technology security teams can improve efficiency and incident resolution in cloud solutions with Oracle Management Cloud’s (OMC) automated artificial intelligence (AI) and machine learning capabilities. But, let’s turn our attention to the bigger picture for a moment: Technology security has become more than just an information technology (IT) issue.  As security incidents have become front page news and cost organizations billions of dollars, IT security has become a board-level issue.  Executive leadership at major enterprise organizations continue to drive their IT and Security teams to deploy the most innovative and effective security solutions available.   As the last blog pointed out, automated AI and machine learning security tools, like OMC, are a good start to make security operations teams more efficient as they manage flagged incidents.  However, there’s another technology—behavior analytics in Oracle Cloud Access Security Broker (Oracle CASB)—that can also enhance application and data security in the cloud.  We’re all familiar with the typical legacy on-premises security tools, like web gateways and firewalls.  These rules-based tools aren’t as effective in a cloud environment because a skilled adversary can bypass perimeter security solutions by stealing information from cloud endpoints using compromised access credentials.  This is where the behavior analytics functionality in Oracle CASB comes into play.  It can establish a baseline of typical behavior within an organization.  When the system detects an anomaly that doesn’t fit the company’s normal patterns, the incident is flagged for further investigation.  When used in combination with the Oracle Security Monitoring and Analytics Cloud Service, which is bundled in OMC that we discussed in the previous blog, the platform can learn which anomalies are real threats and which are false positives.  Because the functionality is automated, the solution takes the manual work effort off of the security team. Here’s an example—an employee logs into the company’s cloud ERP solution from their laptop in their Dallas office at 8:00 a.m. central time and logs off at 5:00 p.m. at the end of the work day.  At 6:00 p.m., Oracle CASB detects five failed login attempts from the same employee originating in Yemen.  The Oracle CASB solution knows that this scenario is not physically possible, and also identifies that the Yemen device does not comply with the company device policy.  Therefore, Oracle CASB would automatically force an adaptive multi-factor authentication to prevent the rogue access to the company cloud ERP solution, and it would flag the incident as suspicious activity. Along the same lines, if an HR person is processing annual salary increases for employees who were recently promoted, the behavior analytics tool may also flag this as a suspicious incident.  However, a security analyst could help the system weed out this false positive by approving the incident as acceptable.  Through machine learning functionality, the system would eventually learn that although the large annual salary increases are an anomaly, they are not a security threat.  On the other hand, if this example was actually an “inside job” where an employee is maliciously attempting to increase his or her salary, Oracle CASB can natively process Oracle Cloud ERP and Salesforce transactions in a real-time audit mode to halt the fraudulent transaction as it’s occurring.  Therefore, Oracle CASB can dramatically shift the paradigm from a reactive approach to a preventative solution. Oracle CASB offers the robust security functionality, like machine learning and behavior analytics, to help ensure that your applications and data are secure in the cloud.  Since it’s a subscription-based product, it’s easy to acquire and install.  With out-of-the-box functionality, most security operations teams can easily deploy the solution, which makes it ideal for smaller organizations.  But it also offers deep functionality that’s well-suited for large, global enterprise organizations.  This is where PwC can help—to install the solution with advanced functionality to not only detect but also to respond, remediate, and prevent potential security incidents with forensics, incident management, and orchestration. To learn more, please visit the Oracle Security webpage. 

By: Nishi Shah, Director Cyber Security & Privacy, PwC As I discussed in my last blog, “Security Operations: Using Artificial Intelligence to Lock Down Your Cloud,” I talked about how technology...

It is no doubt that data is the single most valuable asset today as organizations undergo digital transformation. Lots of people are coming after your data ranging from internal employees, customers, competitors to nation states, criminals and activists. As a result of the increasing number and sophistication of breaches, governments across the globe are enforcing data privacy and security mandates to protect citizens data. It’s a war! An asymmetric one. While attackers continue to get more sophisticated with latest technologies such as machine learning to exploit vulnerabilities and steal data, organizations continue to face challenges around limited time, few people and scarcity of resources. Yesterday at Oracle Openworld, Vipin Samar, SVP of Oracle Database Security, talked about how organizations need to protect their data from all attack vectors with multiple rings of control. You need to first assess your databases, and understand how they are configured, how users are managed, what privileges they have where sensitive data exist and how much is there. Oracle provides a free tool called the Database Security Assessment Tool (DBSAT) to help customers assess their security risk posture. To learn more about DBSAT, please attend the following session: Oracle Database Security Assessment Tool: Know Your Security Posture Before Hackers Do [TRN4107] Wednesday, Oct 24, 12:30 p.m. - 1:15 p.m. | Moscone West - Room 3006 Pedro Lopes, DBSAT and EMEA Field Product Manager, Oracle Marella Folgori, Oracle Riccardo D'Agostini, Responsabile Progettazione Data Security, Intesa Sanpaolo Next, you need to ensure you know what’s happening in your environment and can detect any inappropriate activity in the system with appropriate auditing, alerting and monitoring controls. Additionally, you need to protect your data with strong preventive controls such as encryption, data masking and data redaction to ensure sensitive data is not compromised. Oracle continues to be the leader in managing your data and one of the biggest innovations is the Oracle Autonomous Database. It offers a high degree of security in the Oracle Cloud with self-securing capabilities such as automated patching, data encryption by default, auditing and separation of duties, to keep data safe from a variety of threats.  However, security is a shared responsibility in the cloud, where its the customer's responsibility to protect their users and data. Vipin Samar gave us a quick preview on our upcoming Oracle Data Security Cloud Service which helps customers protect their data and users. It is a unified control center for managing data security in Oracle Databases in the cloud. It allows organizations to quickly discover sensitive data, evaluate configuration risks, enable auditing and detective controls, and mask data for use in test and development environments, and more. To learn more about this new service, please be sure to attend the following session: Introducing Oracle's Data Security Cloud Service for Oracle Databases [PRM4102] Tuesday, Oct 23, 12:30 p.m. - 1:15 p.m. | Moscone West - Room 3006 Vikram Pesati, Vice President, Product Development, Oracle Michael Mesaros, Director, Product Management, Oracle Corporation   Some of the other sessions that you must attend through the week are: Autonomous and beyond: Security in the age of Autonomous Databases [PRM4108] Tuesday, Oct 23, 5:45 p.m. - 6:30 p.m. | Moscone West - Room 300 Russ Lowenthal, Director, Product Management, Oracle Data Security in the GDPR Era [PRO4111] Wednesday, Oct 24, 11:15 a.m. - 12:00 p.m. | Moscone West - Room 3006 Joao Nunes, IT Senior Manager, NOS Tiago Rocha, Database Administrator, "Nos Comunicaões, Sa." Eric Lybeck, Director, PwC Recent Database Security Innovations You Might Not Be Using, but Should Be [TIP4112] Thursday, Oct 25, 1:00 p.m. - 1:45 p.m. | Moscone West - Room 3006 Alan Williams, Database Security Product Management, Oracle Russ Lowenthal, Director, Product Management, Oracle Manish Choudhary, Oracle

It is no doubt that data is the single most valuable asset today as organizations undergo digital transformation. Lots of people are coming after your data ranging from internal employees,...

For enterprise-grade organizations -- large, traditional businesses and the smaller companies that aspire to be like them -- security and multi-cloud support are paramount.  These organizations need to be able to run each of their applications where it makes the most sense to do so from a cost and performance perspective. Some applications may reside in one cloud, while some live in another. Some may remain on premises, while others require a hybrid model.  Supporting a range of platform and infrastructure services may be best for agility and functionality, but it increases complexity -- especially when it comes to security and maintaining consistency. Oracle Cloud Infrastructure features announced today at Oracle OpenWorld 2018 enhance security from the cloud to the edge of the network, protecting data and applications in an increasingly multi-cloud world.  Web application security Web applications and sites are central to online business success, so it's not surprising that web attacks have emerged to target these systems and the sensitive data they contain. In fact, web application attacks are the top cause of data breaches, according to the Verizon 2018 Data Breach Investigations Report.  Oracle Cloud Infrastructure announced new native web application firewall (WAF) capabilities to protect against these threats. The Oracle Cloud Infrastructure WAF inspects traffic to any internet-facing endpoint and enables organizations to create and enforce rules to protect against a variety of attacks, including but not limited to botnets, cross-site scripting, SQL injection and distributed denial-of-service (DDoS) attacks.  Oracle Cloud Infrastructure also announced the addition of automated DDoS attack detection and mitigation to all of its data centers. These capabilities monitor and protect against common Layer 3 and 4 DDoS attacks, such as SYN floods, user datagram protocol (UDP) floods, internet control message protocol (ICMP) floods, and network time protocol (NTP) amplification attacks. This approach helps ensure that Oracle Cloud Infrastructure network resources remain available in the event of an attack.  Cloud access security    Two additional Oracle Cloud Infrastructure security announcements focus on configuring and protecting access to cloud resources.  The Oracle Cloud Access Security Broker (CASB), which provides continuous configuration monitoring, predictive threat detection, and automated incident response, now supports Oracle Cloud Infrastructure. And the new Oracle Cloud Infrastructure Key Management service integrates with other Oracle Cloud Infrastructure services to enable customers to more easily encrypt data and manage keys and key vaults.  For more information, read the Oracle Cloud Infrastructure security press release.  

For enterprise-grade organizations -- large, traditional businesses and the smaller companies that aspire to be like them -- security and multi-cloud support are paramount.  These organizations need to...

Advancements in new and emerging technologies are opening doors for businesses what seems like every day. We’re already in the midst of a cloud revolution, but AI, machine learning, blockchain, and IoT—just to name a few technologies—are gaining momentum and fueling new opportunities. These technologies represent opportunity for businesses. But, unfortunately, they also mean opportunity for the bad guys. For one, adopting these technologies creates a larger surface area to defend. And if that weren’t enough, cybercriminals are using these same emerging technologies to wage a highly sophisticated war aimed at undermining businesses. It’s no secret that security teams at organizations of every size are struggling to keep pace with these persistent attacks. But it only takes a handful of stats to illustrate just how dire the situation is: Patching – According to a Verizon study, 85 percent of successful breaches were from vulnerabilities where patches were available up to a year before the attack occurred.  Whether it’s a lack of resources or difficulty scheduling the necessary downtime, most companies simply can’t implement their patches fast enough. Lack of Available Talent - There simply isn’t enough cybersecurity talent to handle the problem. Current estimates suggest there will be 3.5 million open cybersecurity jobs by 2021. But even if organizations could fill these open positions, it wouldn’t be enough. Cybercriminals are using sophisticated technology to scale their attacks, creating more work than humans can handle on their own. Alert Overload – According to the Oracle and KPMG Cloud Threat Report, detecting and responding to cloud security incidents is the number one cited cyber security challenge. This aligns with ESG research, which adds that 42 percent of cybersecurity professionals ignore a significant number of alerts because they can’t keep up with the volume. Security teams need to be empowered to separate the signal from the noise if they’re going to have a fighting chance. So, how do you grab hold of the incredible opportunities that cloud and emerging technologies promise without opening our businesses up to what seems like inevitable damage? The Answer Is Core-to-Edge Security Sophisticated and multifaceted attacks call for layers of defense—starting at the core (your data) and moving to the edge (all the ways in which your users access your data, including your applications and infrastructure). No one security control can prevent the many threat actors and their attacks, so it’s important to use multiple layers of defense to protect your data, the users who need it, the applications that use it, and the infrastructure that underlies it all. For example, Oracle provides layers of defense that protect: Data - Data loss prevention (DLP), at rest and in motion encryption, key management, nonproduction data masking, privileged user access controls, and online self-patching Users - Identity and access management, user and entity behavioral analytics (UEBA), multi-factor authentication, single sign-on identity governance, and risk management Applications - Web application security, API security, malware protection, data redaction, access controls, and Cloud Access Security Broker (CASB) Infrastructure – Distributed denial of service (DDoS) and botnet protection, threat detection and response, security monitoring and analytics, configuration and compliance Our most recent addition to Oracle’s core includes the Oracle Autonomous Database, which incorporates self-securing and self-repairing capabilities that help reduce risk by avoiding breaches and the possible reputational damage and revenue loss that come with them. Self-securing means automatically applying security patches with no downtime and preventing unauthorized data access with default data encryption. In addition, Oracle provides security cloud services that help customers protect their hybrid cloud environments. These security services help predict, prevent, detect, and respond to sophisticated security threats. To reduce manual processes and enable the business, we use advanced machine learning algorithms to determine anomalous user and entity behaviors, then apply an adaptive and defensive response. We provide continuous monitoring that consistently assesses suspicious activities, then alerts and reports on that activity to ensure the attack chain has been broken and remediated. All of this helps reduce mean time to detect and respond to threats. We do this with: Highly automated security, based on machine learning Support for securing and managing hybrid and multi-cloud environments A single pane of glass for security orchestration, automation and response An open and secure platform that you can integrate with your existing environment Only Oracle can protect your business from core-to-edge with this level of automation, integration, and simplicity. And we’re continuing to build our layers of defense every day. Click here to see our latest Core-to-Edge security announcements from Oracle OpenWorld.

Advancements in new and emerging technologies are opening doors for businesses what seems like every day. We’re already in the midst of a cloud revolution, but AI, machine learning, blockchain, and...

How did your day go yesterday? Ours was action packed! Great experiences and announcements all around as OpenWorld 2018 kicked off. If you weren't able to attend all of the sessions on your schedule, or if you are joining us from home - sit back, sip your coffee, and take a look at the highlights from Monday. We will even throw in a few exciting must see items for today! 1. Cloud Generation 2: Core to Edge Security In his opening keynote at OpenWorld 2018, Larry Ellison, Oracle Executive Chairman and CTO, covered many exciting innovations for the future of cloud for the enterprise. The presentation covered a variety of topics, but focused in on the importance of Oracle's Generation 2 cloud running on a single, secure platform. "Security, security, security," Larry said as he explained the importance of a core to edge approach to security. He continued by saying that security in first generation cloud models was often considered an afterthought, but with the rising numbers of breaches and the continual addition of regulatory compliance requirements - security must be a main priority for all businesses. Oracle's Gen 2 cloud has security built in, not bolted on.   2. It's All About the Data One theme rang true throughout Monday's security sessions - data is king. In both Roadmap: Innovations in Security and Compliance for Databases and Oracle's Trust Fabric: The Foundation for Identity-Centric Cybersecurity the importance of securing your data (your core) was stressed. This causes a ripple effect, because your data is so imporant to protect, organizations must be proactive in creating a layers of defense approach to security. Protecting your users, apps, data, and infrastructure is key to maintaining good security practices.  3. Security Must Keep Pace with the Cloud  We enjoyed a very interesting session with Oracle's Greg Jensen and KPMG's Brian Jensen as they emphasized the importance of security as customers move to the cloud. With the rapidly expanding cloud landscape, every organization is faced securing devices and data in new ways. This can cause a "pace gap" as cloud technologies (and the adoption of them) are outpacing the adoption of new security strategies and solutions. This and many other themes were explored in the 2018 Oracle and KPMG Cloud Threat Report.    Now that you're all caught up on Monday's big ticket security items, let's explore some of the Security sessions and events you won't want to miss today. 1. Session Alert: Introducing an Intelligent Approach to Beating Global Cybersecurity Threats Moscone South -Room 206 |12:30pm -1:15pm Security is changing rapidly and organizations need to keep pace. Incorporating AI algorithms and machine learning with traditional security methods is a must in order to protect your company from today's threats. Learn more about this session featuring Laurent Gil, Security Product Strategy Architect for Oracle Dyn, through our recent blog post. 2. Session Alert: Oracle Cloud: The Future is Autonomous The Exchange @ Moscone South - The Arena | 1:45pm - 2:30pm Companies today are tasked with modernization, innovation, and cost reduction. As these mandates become crucial drivers of success, companies are battling to satisfy all three at once. Selecting the right cloud for your business is critical, hear from industry peers as they discuss their transition to the cloud and cover some key points on reducing cost and risk. 3. Session Alert: A CISOs Path to Success in the Age of Cybersecurity Moscone South - Room 206 | 3:45pm-4:30pm This session addresses real-world customer use cases, best practices, and technology usage for how CISOs are building and maturing their information security programs to address hybrid environments, regulatory compliance, and the continually evolving threat landscape. If you are interested in hearing Oracle Security success stories directly from customers, this is the session for you!  Be sure to access our security focus on document for a complete list of must see security sessions. Don't forget to visit the vendor floor to check out interesting demos, learn about Oracle partners, and grab a free swag bag! We will be back tomorrow morning with the latest #OOW18 news.

How did your day go yesterday? Ours was action packed! Great experiences and announcements all around as OpenWorld 2018 kicked off. If you weren't able to attend all of the sessions on your schedule,...

Authored By: Christina Richmond, IDC Program VP WW Security Services for Oracle In this series of blogs, we’ve discussed hybrid IT and managed cloud security as well as managed identity. These topics beg the question, “how do I find the right managed security services provider (MSSP) to work with?” The answer is, “it depends” and in this blog we’ll pull the thread on considerations and dependencies to understand how, why and when to work with an MSSP. Basic considerations for choosing an MSSP range from evaluating the provider’s technical and resource expertise and capabilities, how they fit with your company (industry, size of company) and architecture environment (legacy architecture, cloud or hybrid), whether they can assist your organization with compliance (do they provide assessments, and can they help you remediate), cost and scalability. These are table stakes. But given the complex transformation we’re engaging in today from legacy premises tools to some SaaS, some private cloud and multiple public cloud instances MSSPs are required to do a lot more. IDC separates legacy and advanced MSSPs into a 1.0 and 2.0 definition. As seen in the graphic below, MSSP 1.0 firms will provide core services such as log monitoring, basic managed and monitored services for devices such as firewalls, intrusion detection services/intrusion prevention services, and unified threat management (and others). They provide vulnerability scanning and basic threat management. MSSP 1.0 firms are moving into delivery of some advanced services like management and monitoring of identity and access management in recent years and some may also offer advanced services such as DDoS, managed security information and event management (SIEM), and managed Security Operations Center (SOC) functions. MSSPs 2.0 deliver basic and advanced MSS plus professional/complementary services such as breach readiness, incident response, forensics, compliance services, and assessment of architecture and design. And still others provide managed security testing, application security testing, and data privacy assessment. Many are investing in mobile/IoT, cloud, threat intelligence/big data analytics, incident response/forensics, and advanced detection techniques. This last is where organizations building out their hybrid landscape need to focus greater and greater attention. It is imperative to find advanced MSSP support that includes visibility and management/monitoring in identity, mobile/IOT and cloud. This is where IT is moving and the monitoring the perimeter of old no longer suffices. Beyond these capabilities the MSSP of today will also utilize advanced threat detection and analytic techniques like big data analysis, heuristics, machine learning and artificial intelligence. IDC sees a good mix of companies doing their own inhouse advanced threat detection and outsourcing the requirement. Finally, the newest trend of endpoint detection and response (EDR) tools and managed detection and response (MDR) services is a critical defense in depth addition for MSSPs.   In the last blog, I stated that identity and data security are the new perimeter tools in this digital world. The above lists of basic to advanced capabilities are all important to consider, but the ability to detect, monitor, provide visibility into and respond to alerts on your behalf within these two areas is something that should be considered depending on your environment. If your organization is like many large organizations that are in the midst of the digital journey, it is imperative that you consider managed identity and data security services because of the complexity and dynamic nature of the environment. Consider tuning in for the Twitter Periscope with Christina Richmond, IDC Program VP and Rohit Gupta, Oracle’s GVP of Identity, to share their perspectives on the cyber challenges impacting today’s organizations as they lift and shift workloads to the cloud. Follow Christina Richmond @Xtina_Richmond Follow Rohit Gupta @Roh1 Follow Greg Jensen @GregJensen10 Oracle Security @OracleSecurity If you are attending Oracle OpenWorld in person, join us at on Tuesday, Oct 23, @4:45 pm for the session Secure Your IT Services with Oracle Managed Identity Cloud Services.

Authored By: Christina Richmond, IDC Program VP WW Security Services for Oracle In this series of blogs, we’ve discussed hybrid IT and managed cloud security as well as managed identity. These topics...

Oracle OpenWorld 2018 has officially begun! Join us each morning for a daily dose of information, announcements, and key highlights for the day ahead. Our team is out in force at OpenWorld and ready to bring you the latest information surrounding happenings at the conference! If you are in San Francisco for the week, we highly recommend that you check out some of the events we feature in these daily download blogs, we'd love to see you there! If you cannot attend, not to worry, we will also feature follow up information and blogs throughout the week and as the conference wraps up and session replays are made available. 1) Session Alert: The State of Cloud Security: Keeping Pace at Scale Marriott Marquis (Yerba Buena Level) - Nob Hill A/B 11:30am-12:15pm Join Oracle's Greg Jensen and KPMG's Brian Jensen for a session highlighting some of the top security challenges organizations face when moving to the cloud. With increased migration to the cloud, customers are faced with a "pace gap", creating more opportunities for increased risk and decreased visibility. As senior editors/contributors to the Oracle and KPMG Cloud Threat Report, this session is sure to shed light challenges all cloud security professionals face. 2) Keynote Corner: Cloud Generation 2 Moscone North - Hall D 1:45 pm- 3:00pm The Second Generation Cloud is built for the enterprise to protect your critical data; secure from core to edge; easily move apps and data from on-premises. It is built for all enterprise workloads, is designed to run in the public cloud or at customer and is simple to upgrade. Don't miss this exciting keynote session with Oracle Executive Chairman and CTO, Larry Ellison. This is sure to be a packed session, you won't want to miss!  3) Session Alert: Protect Cloud Data with Oracle CASB Cloud Service Moscone South - Room 206 4:45pm- 5:30pm Hear from Chet Sharrar, Chief Information Security Officer for Marlette Funding, as he discusses how Oracle CASB Cloud Service provides complete enterprise-grade cloud data protection with integrated user and entity behavior analytics, data loss prevention, antimalware, and encryption capabilities. 4) Join us for a Periscope Interview with IDC! Oracle and IDC will be live broadcasting a Periscope interview with Christina Richmond, IDC Program VP WW Security Services for Oracle and Rohit Gupta, GVP Product Management for Oracle. The interview will take place today at 1:45pm (PT). 5) Check Out The Exchange and Participate in a Scavenger Hunt!  Moscone South | 9:45am - 5:45pm Be sure to visit the Exchange, where you can explore Oracle technologies and understand new innovations. Stop by, network with peers, and have a T-shirt printed (booth 2501!). We love to hear from our readers! Be sure to interact with us on Twitter (@OracleSecurity) and mention Oracle OpenWorld using #OOW18. Access our Oracle Security Focus on Document for a full list of Oracle Security Sessions. Don't forget to join us as share more of the latest news in tomorrow's Daily Download.

Oracle OpenWorld 2018 has officially begun! Join us each morning for a daily dose of information, announcements, and key highlights for the day ahead. Our team is out in force at OpenWorld and...

Last week my colleague Brian Jensen published a great blog highlighting the many potential security risks you could face when moving your ERP to the cloud. To borrow his analogy from medieval times, it’s like sending your king into the countryside carrying a bag of gold. Without the protection of stout castle walls and a moat – aka your data center’s firewall – your king becomes an easy target for highway men, rogues, and bad actors of every stripe. But there are ways to protect your king – and your cloud apps – from harm. What’s more, if you do it right, you can also save money and drive business growth along the way. The key is securing and harnessing your digital identities. Let’s dig deeper. The first thing to understand is there are two types of digital identities: Enterprise Identities. These are IDs associated with employees, contractors, and temporary workers Consumer Identities. These are IDs tied to individuals and consumers outside the boundaries of the business Digital identities are multiplying exponentially. Not long ago, most people had just one or two identities. A Google or Yahoo email ID, and maybe a work ID. Now people have dozens of digital IDs: social media IDs for Twitter, Facebook and LinkedIn; IDs to purchase stuff on retail websites; IDs for your credit cards; and multiple IDs at your workplace to access different apps and systems. Your digital ID is thus a collection of many identities spanning your business, consumer and social lives. Intelligent systems can not only manage the linkages between these different identities of an individual but can also provide valuable business insight to help improve data & application security, enhance user experience and enable businesses in their desire to expose relevant capabilities & offerings to their consumers. Leveraging Digital IDs for Security Digital IDs can help protect businesses and individuals against cybercrime and fraud. An effective way to do that is by attaching restrictions to IDs. For example, you could put dollar limits on how much your finance staff can purchase based on the roles and responsibilities tied to their IDs. Smart ID systems can also help you spot suspicious behavior. Take an employee who normally executes only two or three transactions a day – and then suddenly starts executing 15. This might be an indicator of nefarious activity – or a stolen ID. By integrating analytics with digital identity systems, you can detect these unusual kinds of behavior and either block the purchase or alert management. Likewise you might have a sales rep who, day-in day-out, gathers data for just a handful of accounts in a single industry. But what if one day the rep starts pulling data for every single account in every industry? A smart monitoring system, aided by analytics, can easily flag questionable behavior like this and initiate follow-up action. Such monitoring is all the more relevant where critical systems are hosted in cloud. When flags aren’t raised, businesses can get into trouble. Take the case of a UK based stock trader, working for one of Europe's largest banks. Ten years ago the hapless junior trader managed to lose billions of dollars for his employer by executing a large number of unauthorized derivatives trades. Proper controls tied to his digital ID could have averted the gigantic loss, which sent the bank’s stock plummeting 8 percent. Instead, the bank simply learned a very expensive lesson about internal controls and digital IDs.   Another danger: People can accumulate multiple IDs over the years as they climb the organizational ladder, move to new groups, and take on new roles and responsibilities. Whenever people get ahold of more keys to the castle, security risks increase. That’s why a good ID system monitors user “lifecycles” and adjusts controls appropriately, including taking away privileges that are no longer relevant to a person’s job. Organizations practicing good digital ID governance also conduct regular “attestation” surveys in which employees and their managers confirm they still need access to various applications and systems. Unnecessary IDs can then be de-provisioned. Greater Operational Efficiency In the pre-cloud days, digital IDs were managed exclusively in the data center by IT teams that exerted tight control over what users could and couldn’t do within the walls of the enterprise. But provisioning IDs and managing access was painfully manual. At big global enterprises, teams consisting of a hundred or more labored around the clock to manage employee onboarding and system access. The cloud is simplifying that process. Automated digital ID systems powered by analytics are gradually doing away with centralized and labor-intensive access-management operations. With cloud-based digital ID platforms, most of the work is self-managed, self-provisioned and self-requested. As a result, help desk traffic has eased, along with support costs. I’ve seen clients, once they’ve put appropriate automated systems and controls in place, shrink their identity and access management teams by 80% or more. Enabling the Business As businesses move to the cloud, their digital IDs become more distributed and mobile, potentially adding to the risk of cyberattacks and data breaches. New digital ID management solutions, however, can help extend user identities to the cloud in a secure fashion, supporting rapid deployment of digital initiatives and making it easier for mobile users to gain access to the internal systems they need to get work done.   An effective digital ID system gives you a powerful tool for enabling your business. After all, you want to let friendly customers and suppliers into your castle. But you also want to screen out the bad guys and block their access to sensitive systems and data, whether they’re from inside and outside of the enterprise. By using digital IDs to expand the virtual boundaries of the castle wall, businesses can safely open new lines of communications and commerce with customers and business partners, creating opportunities for monetization and growth. Today, my team continues to help businesses build strong castle walls to fend off cyberintruders. But more and more we’re showing them the possibility of leveraging digital IDs to expand the business and drive competitive advantage. Are you using digital identities to enable and grow your business? To learn more, download the Oracle and KPMG Cloud Threat Report 2018. 

Last week my colleague Brian Jensen published a great bloghighlighting the many potential security risks you could face when moving your ERP to the cloud. To borrow his analogy from medieval times,...

With Oracle OpenWorld kicking off in a few days, we would like to invite all attendees to join us for key Oracle Database Security Sessions. There are many sessions to choose from, but we have selected a few "must see" sessions for you to attend. The Database Security team will be out in full force to bring attendees the latest news, hear customer perspectives, and showcase solutions. Here is our guide to the top 6 Database Security sessions at OpenWorld 2018. 1. Roadmap: Innovations in Security and Compliance for Databases [PRM4101] Monday, Oct 22, 10:30 a.m. - 11:15 a.m. | Moscone West - Room 3006 Vipin Samar, Senior Vice President, Database Security, Oracle Russ Lowenthal, Director, Product Management, Oracle Session Description: It's been an incredibly busy year for Oracle’s Database Security team, with the new Oracle Data Security Cloud Service, Oracle Database Security Assessment Tool, and Oracle Key Vault with multimaster support. The European Union's General Data Protection Regulation (EU-GDPR) is now in effect as well, and efforts to comply have started. In this session learn what the team is working on this year to help you comply with latest regulations, and how to secure your databases whether on-premises or on the cloud.   2. Introducing Oracle's Data Security Cloud Service for Oracle Databases [PRM4102] Tuesday, Oct 23, 12:30 p.m. - 1:15 p.m. | Moscone West - Room 3006 Vikram Pesati, Vice President, Product Development, Oracle Michael Mesaros, Director, Product Management, Oracle Session Description: Oracle Databases in the Oracle Cloud offer a high degree of security. Secure infrastructure, data encryption by default, and automated patching all help to keep data safe from a variety of threats.  However, understanding the risks associated with data, controlling access to it and monitoring its use are customer choices, making security a shared responsibility between the customer and the cloud provider. Oracle Data Security Cloud Service is a unified control center for managing data security in Oracle Databases in the cloud. It allows you to quickly understand the sensitive data in your care, evaluate configuration risks, enable auditing and detective controls, mask data for use in test and development environments, and more. This session provides an overview of the Data Security Cloud Service and takes attendees through a full end-to-end scenario of how they can protect data in Oracle Databases. No prior security experience is needed.   3. Data Security in the GDPR Era [PRO4111] Wednesday, Oct 24, 11:15 a.m. - 12:00 p.m. | Moscone West - Room 3006 Joao Nunes, IT Senior Manager, NOS Tiago Rocha, Database Administrator, "Nos Comunicaões, Sa." Eric Lybeck, Director, PwC Session Description: The European Union's General Data Protection Regulation (GDPR) has been in effect for half a year, and much has been learned about how best to protect personal privacy data in Oracle Database. In this session explore GDPR's first six months and take a tour through security by design and default in the Oracle Database. Join PWC, NOS (one of the largest media companies in Portugal), and Oracle to learn how Oracle customers are addressing GDPR challenges such as sensitive data discovery, encryption, data minimization, pseudonimization, privacy impact analysis, and more.   4. Inside the Mind of a Database Hacker [THT6814] Monday, Oct 22, 5:00 p.m. - 5:20 p.m. | The Exchange @ Moscone South - Theater 4 Mark Fallon, Chief Security Architect, Oracle Database, Oracle Russ Lowenthal, Director, Product Management, Oracle Session Description: In this session get an alternative way of thinking about how to protect enterprise data: by examining the hacker's point of view.   5. Oracle Database Security Assessment Tool: Know Your Security Posture Before Hackers Do [TRN4107] Wednesday, Oct 24, 12:30 p.m. - 1:15 p.m. | Moscone West - Room 3006 Pedro Lopes, DBSAT and EMEA Field Product Manager, Oracle Marella Folgori, Oracle Riccardo D'Agostini, Responsabile Progettazione Data Security, Intesa Sanpaolo Session Description: Before hackers map out your database users, configuration, data, and security controls to devise their strategy, use new Oracle Database Security Assessment Tool to help discover sensitive personal data, identify database users and their entitlements, and understand the configuration and operational security risks. Attend this session to learn how you can generate Oracle Database Security Assessment Tool reports to create your database security strategy or support GDPR data privacy impact assessments. No prior security experience needed. And the tool is freely available to all Oracle Database customers. 6. Recent Database Security Innovations You Might Not Be Using, but Should Be [TIP4112] Thursday, Oct 25, 1:00 p.m. - 1:45 p.m. | Moscone West - Room 3006 Alan Williams, Database Security Product Management, Oracle Russ Lowenthal, Director, Product Management, Oracle Manish Choudhary, Oracle Session Description: Recent Oracle Database releases include significant new features that streamline user administration, reduce database attack surfaces, and protect personally identifiable information, and other sensitive data. In this session learn about the new way to authenticate and authorize database users in Active Directory. Explore review recent security innovations including privilege analysis, database vault simulation mode, data redaction, online encryption, and passwordless schemas. See how to assess the security of your database with Oracle Database Security Assessment Tool. Attend this session and you'll be able take advantage of these features next week to create a more secure database environment.        

With Oracle OpenWorld kicking off in a few days, we would like to invite all attendees to join us for key Oracle Database Security Sessions. There are many sessions to choose from, but we have...

Authored By: Pedro Lopes Databases are storing all kinds of sensitive data these days.  Think for a second. Either your name, address, SSN, age, phone number, bank account information, healthcare data, employment, academic… pick one, and it is for sure stored into a database and powering a business application. Regulations are also evolving and becoming more stringent aiming to protect data by setting requirements for the way data is handled and processed. So what can you do about it? Assess the current security state with the Oracle Database Security Assessment Tool. It is simple to use, to execute and provides instant value. Its reports contain a high-level summary and details of the current security posture, details about users, their entitlements, and the sensitive data. There will be plenty of DBSAT activity this year at OOW, and for sure you will have the opportunity to learn more about it. Do not wait for tomorrow, start today! Drop by the Demo Grounds (Moscone South), the Hands-on Labs (Mon to Thu), the Teather session (Mon) or at the DBSAT session presentation (Wed) where Mr. Riccardo D’Agostini from Intesa Sanpaolo Bank, one of the major Italian banks, will be on stage sharing their experience on using DBSAT under a GDPR compliance initiative. You can’t miss it. As a summary: Database Security Assessment Tool [THT6816] Monday, Oct 22, 04:00 PM - 04:20 PM | The Exchange @ Moscone South - Theater 4 Oracle Database Security Assessment Tool: Know Your Security Posture Before Hackers Do [TRN4107] Wednesday, Oct 24, 12:30 PM - 01:15 PM | Moscone West - Room 3006 Assess Your Database Security [HOL6289] – Fully booked! Monday, Oct 22, 12:15 PM - 01:15 PM | Marriott Marquis (Yerba Buena Level) - Salon 1/2 Tuesday, Oct 23, 11:15 AM - 12:15 PM | Marriott Marquis (Yerba Buena Level) - Salon 1/2 Wednesday, Oct 24, 08:00 AM - 09:00 AM | Marriott Marquis (Yerba Buena Level) - Salon 1/2 Thursday, Oct 25, 09:00 AM - 10:00 AM | Marriott Marquis (Yerba Buena Level) - Salon 1/2   See you there! Pedro Lopes DBSAT and Field Product Manager for EMEA Oracle Database Security

Authored By: Pedro Lopes Databases are storing all kinds of sensitive data these days.  Think for a second. Either your name, address, SSN, age, phone number, bank account information, healthcare...

With Halloween approaching rapidly, a bit of trivia on US candy consumption is worth noting. Americans purchase a whopping 600 million pounds of chocolate each year during Halloween1. But that’s a fraction of the total US consumption of chocolate each year, which happens to be about 22 pounds per American. Clearly, the US towers over many other countries in its sheer appetite for chocolate. But did you know that two-thirds of the world’s cocoa production –so essential for chocolate production – comes from West Africa?  An estimated 2 million children2 are employed in the cocoa industry in West Africa – kids ranging between 5 and 15 years of age. If I’ve just killed your Halloween appetite, maybe join forces with us and invent a modern solution to this problem. Enterprises worldwide are struggling to gain insights into their supplier networks to find answers to these sorts of questions – how many of their suppliers honor ethical child labor laws? Which suppliers comply to local environment regulations? Which suppliers can companies rely on to honor anti-bribery laws with local governments? So far, the answers to these questions have been really hard to get for most companies, not because of lack of intent, but because of sheer complexity of today’s supply chain networks. Many industries rely on complex multi-tier networks with several suppliers in each tier, distributed across large geographical regions. Tracking and verifying the latest status of certifications and regulatory compliance for each supplier is an onerous and expensive task. Even if such data is painstakingly aggregated, it tends to go stale rapidly since many of these certifications are designed to expire every few years. Today, many companies are exploring blockchain as a potential solution to build modern supply chain networks that are transparent to manage across multiple organizations. Blockchain technology particularly excels at allowing organizations who may not have an explicit trust relationship between them, to mutually share information in a reliable manner. This could help in storing information about suppliers, including their various industry accreditations or certifications, all duly verified and endorsed by various validating authorities. Such a decentralized network would require suppliers, validating authorities, and relying parties that depend on the certifications to share information between each other. For Identity Management professionals, such decentralized applications pose several implementation challenges. Traditional protocols like Federation are not designed to exchange decentralized sets of attributes, attestations and entitlements between untrusted organizations. Instead, a new set of Identity Management protocols and data exchanges are required to exchange shared identities, while at the same time storing sensitive information off-ledger, protected by appropriate cryptographic keys and key management. A decentralized Identity Management implementation will help organizations with the following: Allow suppliers to manage the accuracy of their identities stored on and off-ledger in a local identity “wallet”. When information about them changes, they own the responsibility of updating the necessary information. Enable industry authorities to digitally attest the validity of supplier identities and corresponding accreditations and certifications. This would serve as proof of the certification claims to all participants authorized to read the information. Allow organizations to query the decentralized network for accurate information about suppliers meeting their desired criteria, like geographical location, size or type. Here at Oracle, we are working with several customers to build decentralized identity management on Oracle Cloud for such applications. At Oracle Open World 2018, we’ll demonstrate one such application built by a global healthcare company for their procurement risk management needs and its underlying architecture. If you are responsible for managing identities for traditional supply chain networks and would like to explore new blockchain-based solutions, be sure to come check out our session (Architecting Decentralized Identity Networks Using Blockchain on Oracle Cloud) on Wednesday, Oct 24 at 4:45 pm. Subbu Iyer, Sr. Director of Product Management for Oracle Cloud Security, and Prateek Mishra, Architect and creator of the SAML standard, will talk about architecting blockchain-based decentralized Identity Management.   1: https://visual.ly/community/infographic/food/how-much-candy-do-we-eat-halloween 2: https://ilpi.org/wp-content/uploads/2015/11/20151126-Child-labour-in-the-West-African-Cocoa-Sector-ILPI.pdf

With Halloween approaching rapidly, a bit of trivia on US candy consumption is worth noting. Americans purchase a whopping 600 million pounds of chocolate each year during Halloween1. But that’s a...

One of my favorite things about Oracle OpenWorld is the chance to learn more about how our partners and customers solve real-world business problems with the technology we develop. This year I get the chance to work with some of the best.  I've teamed up with a couple of great organizations -  NOS and PwC - to dig more into regulatory compliance and on how they are approaching the European Union’s General Data Protection Regulation (GDPR). NOS is a large media and communications company based in Portugal – NOS is a leader in content delivery, including Pay TV, broadband, mobile phone service, and cinema distribution and execution.  PwC is one of the world's largest professional services organizations, and helps customers around the world address challenging regulatory environments.   We’ve been taking a look at GDPR- from several different angles.  GDPR has been in effect for over six months now, and we’ve had a good chance to learn what works and what needs further consideration. How does a major commercial organization that manages significant amounts of personal data protect that data and satisfy their obligations under GDPR?  NOS is telling their story.  How does one of the world most respected professional services groups help clients meet their GDPR responsibilities?  PwC is telling their story.  How does the largest provider of enterprise software help our customers protect data privacy and comply with regulations – I’ll be telling that story. If you are at OpenWorld this week, stop by Moscone West, room 3006 on Wednesday, 24 October at 11:15 am.  Join Oracle, PwC, and NOS as we take you through data security in the GDPR era from all three points of view.  You’ll get a chance to see how people are solving the real-world requirements of the regulation, and have the opportunity to ask questions from our panel.  For a quick guide to the database security sessions, demos, and hands-on labs at OpenWorld this year, take a look at Focus on Database Security Hope to see you there!

One of my favorite things about Oracle OpenWorld is the chance to learn more about how our partners and customers solve real-world business problems with the technology we develop. This year I get the...

An enterprise can receive up to 17,000 security alerts each week but investigate only a fraction of them. Companies are finding it nearly impossible for their security teams to keep up, and they’ve realized that throwing more people at the problem isn’t the answer. Companies want security that’s built into their cloud products so that they can rest assured that their security is strong enough. While a Gartner study estimates that more than half of all enterprises will implement an all-in-cloud strategy by 2025, not all companies are ready or able to move to a public cloud environment. For instance, many companies need to maintain data in their own data center for regulatory or latency issues. For these businesses, the traditional public cloud is not the only option. Oracle’s Cloud at Customer portfolio is a unique cloud delivery model that offers the benefits and built-in security processes, expertise, and technology of Oracle’s public cloud while allowing you to stay in control of data security behind your own firewall. Among the most important benefits of any Oracle Cloud deployment is data security. Oracle Cloud operates under a shared responsibility model that builds security in at every layer. All cloud solutions come with extensive, continual security measures so that you can focus on extracting value from your cloud-based data instead of how to protect that data. With all Oracle Cloud platforms providing the same security assurances and continued protections, Cloud at Customer users realize the same level of security as the public Oracle Cloud customers. Let’s look at some of the security measures you should consider if you’re planning a move to the cloud, and how Oracle approaches cloud security to maintain the highest level of protection—for private and public cloud users alike. Your First Layer of Defense: Keep Patches Up to Date Without the Upkeep With so many security alerts, it’s little wonder internal security teams are struggling. In our own research on cloud threats, we found that 86% of firms felt unable to “collect and analyze” the vast majority of their security event data at scale. As a result, 85% of security breaches occur where a patch was available but not implemented. Security teams need a patching strategy that ensures patches are implemented on a regular basis. Because of Oracle’s shared responsibility approach, via our Patch Update Program, Cloud at Customer is maintained, patched, and upgraded by Oracle. We deploy patches quarterly along with critical software updates. Your Second Layer of Defense: Take a Hybrid Approach to Your Security Solutions When it comes to cloud deployments, enterprises are increasingly maintaining a mix of public cloud, private cloud, and on-premises infrastructure for their databases, applications, and workloads. But all these workloads must be able to communicate with each other and be protected as one integrated system. Oracle Cloud Security Solutions allow you to manage your hybrid environment under one security umbrella. This  suite of four tools that prevent, detect, respond to, and predict threats across public and private cloud and on-premises databases: Cloud Access Security Broker (CASB) is a cloud-based security broker and automation tool that works across your entire technology stack to provide increased visibility, detect threats, and automate responses to enhance the security of corporate data. Oracle’s Identity Cloud Service offers a secure single sign-on solution for on-premises, Oracle Cloud, and Cloud at Customer networks. Our Security Monitoring and Analytics (SMA) cloud service works 24/7 to detect, investigate, and remediate security threats across your networks. Configuration and Compliance Service is especially useful for Cloud at Customer users to monitor and address compliance issues using industry benchmarks and your own compliance rules. Available as separate products or as a suite, these solutions work alongside the native security functions built into all Oracle applications and infrastructure solutions. Your Third Layer of Defense: Take a Holistic Approach to Cloud Security At Oracle, we believe security should be a holistic and continuous process involving four tiers: physical, technical, process, and people. Physical and Access Control: One of the benefits of Cloud at Customer is that you control your data’s location and physical security within your own data center. But this isn’t the end of the story for physical cloud security. Because Cloud at Customer is an extension of Oracle’s public cloud, the cloud operations are managed the same way as in the Oracle data center, but remotely. Therefore, it is important that cloud environments like Oracle’s undergo regular maintenance of their security configurations. A well-managed environment ensures that authorized people have access to sensitive data, and unauthorized people do not. As a Cloud at Customer user, you benefit from the remote Oracle Cloud Operations team’s physical security access, as well as your ability to control security in your own data center.  Technology: Security can’t be an afterthought when designing a database or application. All technology that touches the cloud needs to be built thoughtfully to safeguard against common security loopholes. Like the rest of Oracle Cloud, Cloud at Customer was built using strict secure coding standards designed to push security down your stack across your IaaS, PaaS, and SaaS tools. It can all be connected under a single dashboard by integrating your current systems with Oracle Security solutions. Process: Cloud security isn’t just about configuring a database or designing a tool—it’s a continuous process. With more cyberattacks occurring each year, security monitoring is a rising issue for most enterprises. We help you protect your data using continuous security measures, such as scheduled patching and 24/7 monitoring. People: One of the most common causes of security breaches is a lack of training on cybersecurity issues. In our most recent cyber threats survey, we discovered that only 43% of organizations could identify the most common IaaS shared responsibility model. At Oracle, all of our cloud service employees are certified through OSSA and use industry-specific best practices to develop and maintain our solutions. But we can also train your employees to be OSSA certified. Choosing between on-premises and public cloud infrastructures shouldn’t be a matter of security. Oracle builds all of its products so that you can focus on the benefits of each solution instead of how to protect it. The security available with Oracle’s Cloud at Customer offerings allows you to adopt all the security best practices of Oracle Cloud while maintaining the security within your own data center.  Discover more about how Oracle Cloud at Customer and Oracle Cloud Security Solutions give you security and control. And follow us at @Infrastructure, @Exadata, and @OracleSecurity for all the latest announcements and insights.

An enterprise can receive up to 17,000 security alerts each week but investigate only a fraction of them. Companies are finding it nearly impossible for their security teams to keep up, and they’ve...

  1. Hear about real stories from real customers By attending customer case study sessions at this year’s Oracle OpenWorld, you’ll be able to hear from real companies on how Oracle helped them protect their users, apps, data, and infrastructure. Customers such as Marlette Funding and Wells Fargo, will walk you through how Oracle Security products helped with data loss prevention, antimalware, and more. 2. Learn by doing with hands-on labs Although there are many great sessions, the best way to retain all the information is by doing. The hands-on sessions give you a unique experience and they touch on a range of topics. Learn how to detect advanced threats, enhance the security of your SaaS solutions, secure information in your cloud services, and much more. 3. Get social The week can get very hectic with hundreds of different session, labs, keynotes, etc. to choose from, but you can follow @OracleSecurity on Twitter to keep updated throughout the week. We will be live tweeting certain sessions, alerting you on any changes, and much more. Also, the Oracle Security Blog will be posting insights throughout the week and even after OpenWorld. Be sure to take lots of photos and use #OOW18, we look forward to connecting! 4. Stop by Be sure to stop by the demo booths featuring the different security products. In the security section we have demos of data security, such as encryption, masking, access controls, etc. If you are more interested in learning how you can monitor your mission-critical apps, visit the Oracle CASB Cloud Service demo booth. For even more, visit the Oracle Cloud Infrastructure area to learn how Oracle thinks about security from the core of infrastructure to the edge of the cloud. Visit the Demo List for more information and a booth map. 5. Must see Some of the top security sessions include topics surrounding securing hybrid and multi-cloud environments at the Tips and Tricks for Security at Cloud Scale session [CAS3773] and the Oracle and KPMG Cloud Threat Report at The State of Cloud Security: Keeping Pace at Scale [BUS3774]. To go even beyond security, make sure to attend the Oracle Cloud: The Future is Autonomous session [GEN1229] for insight on how Oracle Cloud Platform can help your organization modernize, innovate, and cut costs.   Visit our Focus on Document for more information on all of the sessions and events around DBSec, Identity, OMC, CASB, Dyn, and Keynote sessions at OpenWorld.

  1. Hear about real stories from real customers By attending customer case study sessions at this year’s Oracle OpenWorld, you’ll be able to hear from real companies on how Oracle helped them protect...

By Nishi Shah, Director Cyber Security & Privacy, PwC and Soumya Banerjee, Director Cyber Security & Privacy, PwC A mid-sized company with about 5,000 employees gets approximately 1,000 to 2,000 security incidents per day.  This equates to nearly 60,000 threat incidents per month and as many as 720,000 per year.  That number has increased dramatically because of automated security attacks using bots.  According to The Cybersecurity Intelligence Report from Oracle + Dyn “over 50% of internet traffic is bots.  [And,] some of these bots are probing your site for vulnerabilities.”  With these huge numbers, there are just too many threat incidents for the typical security operations team to manage with any level of precision.  Various niche security products help to flag these 1,000-2,000 incidents each day, which is a step in the right direction as more potential threats are identified.  However, the next step in the usual security operations process requires a person to review each of the incidents and make a judgement call about whether the threat is real or a false positive.  It’s a very manual process, and needless to say, there are a lot of security tickets to sift through each day. So how does a security operations center (SOC) manage that massive amount of data?  How can the security team automate the manual process to review flagged incidents?  The answer is artificial intelligence (AI) or machine learning.  Consider this example:  An employee is sending a 9-digit number to an external partner.  The email is flagged as a possible threat incident because the 9-digit number is recognized by a security monitoring tool as a social security number, which could imply a theft of personally identifiable information.  However, the flagged incident is really a false positive because the 9-digit number is a P.O. number, which is acceptable information for an employee to email to a partner. Oracle Management Cloud (OMC) is a suite of autonomous management services that automate processes and eliminate the human effort associated with traditional solutions for monitoring, managing, and securing applications and infrastructure.  OMC leverages machine learning and big data techniques across the full breadth of the operational data set to help drive innovation while removing cost and risk from operational processes. Let’s go back to our example and assume that 20% of the typical 1,000 to 2,000 daily incidents fall into this 9-digit number scenario.  That means approximately 200-400 incidents are false positives.  OMC, with its ability to collect data from many discrete sources (i.e., cloud applications, on-premise applications, infrastructure components), has built-in machine learning functionality with strong data visualization capabilities.  The solution evaluates each incident in the context of user behavior and helps the security team eliminate the false positives. While OMC will flag all emails matching with 9-digit pattern, once the security analyst identifies the incidents as false positive, OMC would remember the email pattern along with other contextual user information to automatically segregate the emails into a potential false-positive category.  This automated process allows the SOC to focus on critical incidents and review the potential false positives as a lower priority. As the threat of cyber-attacks continues to escalate, from thieves, rouge entities, or aggressive governments, enterprise organizations need to invest in automation so to improve depth and scale for their current monitoring and incident management capabilities. PwC has helped many customers establish an SOC transformation strategy that intelligently automates manual monitoring and incident resolution processes.  The strategy also measures the value of the automation program.   If you’d like to have further discussion on transforming your security operations team with automated efficiencies from AI and machine learning, give PwC a call and visit the Oracle Cloud Security page. 

By Nishi Shah, Director Cyber Security & Privacy, PwC and Soumya Banerjee, Director Cyber Security & Privacy, PwC A mid-sized company with about 5,000 employees gets approximately 1,000 to 2,000...

Authored By: Christina Richmond, IDC Program VP WW Security Services In the previous two blogs, we looked at the challenges of securing hybrid IT and how managed cloud security can benefit the organization. In this blog, we’re going to drill down into managed identity and access management, which in today’s digital world is key to security survival. Let’s face it, the network perimeter has become identity- and data-based, and no longer locked down by firewalls and intrusion-detection appliances. Moreover, the challenges of securing identity are legendary. Add to this that we now have computing environments spanning on-premises, cloud, and multicloud environments. Given this new complexity, existing security controls such as authentication, authorization, and identity management must work in both the private and public cloud. When handling identity security internally within an enterprise, there are two options for integrating hybrid security protocols: 1) replicate controls in both public and private clouds and keep security data synchronized, or 2) use an identity management service that provides a single service to systems running in either cloud. Be sure to allow time during the planning and implementation phases to address what could be complex integration issues. But if you don’t want to go solo, managed identity can assist with planning and integration, as well as the operational efficacy of an identity and access management program. Escalating numbers of internet-facing applications and services expose the business to greater risk. Securing the data at rest and in motion is only one piece of the equation; effective identity management is the other. A key component of identity and access management (IAM) is making sure users are minimally impacted and that solutions are tailored to the organization’s needs. The last – but by no means the least – necessity is visibility into regulatory compliance controls. To bring these requirements into one solution, it must have the following basic components: Single sign-on (SSO) and visibility into authentication Centralized identity management Threat and anomalous behavior alerts Admin-friendly management dashboard User account management Compliance reporting Simplified identity management across the entire lifecycle Today, 40% of respondents in the IDC Cybersecurity Pulse Survey outsource their IAM to a service provider and another 22% are evaluating their future investment (see chart). And, nearly 40% will increase their spending on IAM and another 50% will keep their budget about the same, but not decrease it. When we look specifically at managed cloud security services, over 21% of respondents would require IAM to be included in an engagement for cloud security. But interestingly, one of the very reasons you might consider outsourcing IAM is also an inhibitor—assistance with regulatory controls. Over 22% of respondents in IDC’s Managed CloudView survey are concerned about provider governance and management capabilities, and possible inability to meet SLAs. Sometimes management is opposed to outsourcing (22.8%). Just under 22% of respondents state that regulatory factors are an impediment. However, given the complexities of today’s IT infrastructure, it’s exceedingly difficult to gain compliance visibility across all platforms. This is exactly why outsourcing could help solve the regulatory conundrum. In our next blog we’ll discuss how to choose the right MSS partner to use. To learn more about Oracle Managed Security Services and how MSS can help you, visit our website. Monday, October 22nd @1:45pm PST, we will be live from Oracle OpenWorld with IDC's Christina Richmond and Oracle's Rohit Gupta to hear their perspectives about the security challenges Oracle's customers are dealing with as they shift their workloads to the cloud. Follow both Christina, Rohit, @OracleSecurity and Greg below to stay on top of the latest information related to this IDC live Periscope interview.  Follow Christina Richmond @Xtina_Richmond Follow Rohit Gupta @Roh1 Follow Greg Jensen @GregJensen10 Oracle Security @OracleSecurity If you are attending Oracle OpenWorld in person, join us at on Tuesday, Oct 23, @4:45 pm for the session Secure Your IT Services with Oracle Managed Identity Cloud Services.

Authored By: Christina Richmond, IDC Program VP WW Security Services In the previous two blogs, we looked at the challenges of securing hybrid IT and how managed cloud security can benefit...

By Brian Jensen, Director, KPMG According to a 2018 Cloud  Threat Report commissioned by Oracle and KPMG, 83% of companies believe cloud security is as good as or better than on premises security. It is true, cloud security is very strong; but you can’t just go marching into the cloud and operate the way you did in an on-premises environment. You have to change your mindset. You could be asking for trouble if you don’t go into the cloud with a strong cloud security plan that is aligned with the cloud shared responsibility model requirements Before cloud computing, enterprise security was an addressable challenge. It was analogous to the Middle Ages, when kings built big castles to protect against invaders. They erected high walls and guard towers, dug moats, and posted sentries who scanned the horizon for threats. In the same way, businesses in the pre-cloud era built security layers around their data centers to keep out cyber invaders. Enterprise systems and data – like the king and his treasure – were secured behind the barricades in an effort to prevent attacks. In today’s cloud environment, businesses can be exposed to a whole host of new cyber threats that did not exist in the pre-cloud computing era. Moving to the cloud can expose companies to these new cyber threats if they do not take proper precautions and build out mitigating capabilities to address their portion of the shared responsibility model. What we are seeing in our security practice, and what our recent Cyber Threat Report confirmed, is that cloud agility - which enables rapid deployment of cloud applications – is causing a pace gap between how fast business are scaling up in the cloud and their ability to keep up with commensurate security measures.  Let’s review some of the most common cyber threats.   Rogue Employees There are many documented cases of disgruntled “rogue” employees committing fraud and disrupting businesses. Their favorite method is to hijack or create fake user IDs to delete data and wreak other kinds of havoc, whether out of spite or for financial gain. When IT systems were on-premises, these individuals had to sneak around and be very cautious in what they were doing. Today the cloud makes their job easier because no one is looking over their shoulder. They can access cloud from anywhere, any device and any time and alter company data while sitting on a beach in Belize, for example. Cyber Breaches Looking for Cash / Stealing Cash Cloud-based ERP systems are prime targets for hackers who can target  cloud-enabled transactions with the goal of  siphoning off cash. For example, “Spearphishers” – fraudsters who use clever emails to trick employees into revealing their logins – have become adept at hijacking accounts and redirecting payments intended for legitimate vendors. Data Theft Hackers aren’t just stealing cash. They’re also on the prowl for data, which can be just as valuable. There are plenty of ways hackers can steal data. Take an employee on vacation who wants to squeeze in some work on the hotel computer. He or she might innocently download a company report to the machine, where it’s saved in a temp folder. If that report contains sensitive company data, someone can easily access that information and use it to commit fraud. A less innocent employee might download data at home with the express purpose of selling it. Recently, an ill-intentioned employee at a major technology company downloaded plans for a new leading edge product to his personal computer. Luckily, he was stopped at the airport before he could fly to China to and exploit the stolen information. Incidentally, failing to protect data can also cost millions of dollars in fines. A massive data breach can be a game changer for an industry, especially if the data theft involves Personally Identifiable Information (PII)  such as driver’s license numbers or Social Security numbers. Prosecutors and regulators see these types of company blunders as a serious failure of fiduciary responsibility worthy of steep fines, often in the hundreds of millions of dollars. Protecting Cloud Apps / Beyond Compliance The common refrain that “the auditors aren’t asking about it” is hardly an excuse for not building a solid cloud security strategy. Remember, the auditor’s job is simply to state that your financial records are accurate – not to prevent risk. You need to conduct a comprehensive security risk assessment that documents all your operational, financial, performance, and technology risks. And be honest: Just because it hasn't happened before doesn't mean it’s not going to happen in the future. Once you understand your risk profile, then you can build a “controls-in-depth” (CID) strategy to mitigate that risk. An effective cloud security strategy can include: Smart cloud application controls. These are procedures you can put in place to short circuit cybercrime. For example, hackers love to break into ERP systems and reroute employee paychecks to phony bank accounts. Yet simple controls such as sending an email to the employee whenever their direct deposit is changed, or making sure their first check is always a physical one, can stop scam artists in their tracks. You can also check if multiple employees share the same deposit account – a sure sign something’s not right. Tiered roles and logins. By using concepts like least privileged access and segregation of duties you can limit what people can see and do on your cloud platform. You can also employ adaptive authentication to “tier” access based on risk. So for harmless activities – like looking up vacation days – a simple user ID and password would be enough to get you through the castle gate. But if you’re changing where your paycheck goes, tougher authentication would be required. Vigilant user administration. When you kick someone out of the castle, you don’t want them tunneling back in. But that’s exactly what can happen in cloud environments when you terminate someone and forget to revoke their access. They could literally sit out in the parking lot and create fake expense reports – or worse. You can see why smart user lifecycle management is critical to cybersecurity.  Ongoing Security Testing. The great thing about the cloud applications is that they are constantly updated and “modern.” But every update or patch can be a weak point for new cyber-attacks. To stay safe, make sure your security operations team – or a trusted partner – evaluates each update and checks for new vulnerabilities that might have been introduced. Don’t forget that managing risk in the cloud is a shared responsibility between the provider and the customer. Typically the provider is on the hook for things like power, data center security, backup and recovery, patching, and data at rest encryption. But the client has their own responsibilities, such as controlling user access, configuring the cloud applications, and managing the data the goes in and out of the cloud. If the provider falls down on any of its duties, they are vulnerable to law suits. But if the customer fails to mitigate the risk on their side of the cloud shared responsibility model, they won’t have anybody to blame. For continuing information, explore the key findings uncovered in the annual Oracle and KPMG Cloud Threat Report 2018.  Brian Jensen is Managing Director in KPMG’s Oracle Risk Consulting practice. He  is a business development and solution delivery executive specializing in ERP, large-scale business transformations, security & controls, and identity management. Brian has a successful track record of building innovative, effective risk management solutions for large and midsized organizations.

By Brian Jensen, Director, KPMG According to a 2018 Cloud  Threat Report commissioned by Oracle and KPMG, 83% of companies believe cloud security is as good as or better than on premises security. It...

We're happy to announce the availability of Audit Vault and Database Firewall (AVDF) Release 12.2 Bundle Patch Nine (BP9). AVDF 12.2 BP9 enhances security and gives our customers greater control in protecting internal communications, allowing customer selection of the TLS level used between different components and establishing a baseline of TLS 1.2 for all new installations.  AVDF 12.2 BP9 is available via MyOracleSupport as patch 28188074.  For new installations of AVDF 12.2, an updated installation media pack that already includes BP9 is available at https://edelivery.oracle.com. AVDF provides a first line of defense for databases and consolidates audit data from databases, operating systems, and directories to support monitoring and compliance reporting.  A highly accurate SQL grammar-based engine monitors unauthorized SQL traffic before it reaches the database.  Audit records from on-premises and cloud databases are collected for centralized management and provide monitoring, reporting, and alerting of anomalous activity across databases.  AVDF helps reduce the costs of regulatory compliance while giving administrators enhanced visibility into their IT operations. AVDF 12.2 BP9 is a mandatory prerequisite for upgrading to next year’s AVDF 19.1 release. Existing AVDF installations must upgrade to at least 12.2 BP9 prior to performing the AVDF 19.1 upgrade. AVDF 12.2 BP9 establishes a new minimum security baseline for Audit Vault and Database Firewall.  We’ve not only changed the default inter-component communications protocol to TLS 1.2, we’ve also desupported older java versions, requiring that Audit Vault agents now use Java 8 in preparation for the upgrade to Java 11 support next year. A complete list of the features and capabilities of this release, along with detailed installation instructions, are available in the patch release notes. To learn more about Audit Vault and Database Firewall, check out our AVDF Product Page on the Oracle Technology Network (OTN). Get the latest details on installing BP9, including how to install the pre-upgrade agent patch, with MOS note 2457374.1 - Details for Applying The Mandatory BP9 Pre-upgrade Patch. You should also review MOS note 15363801.1 - Oracle Audit Vault and Database Firewall Platform Support - this note includes instructions on upgrading the AVDF agent's Java version to Java 8. Learn more about Oracle Database Security Solutions Download Audit Vault and Database Firewall Release 12.2 Bundle Patch Nine now!  Visit My Oracle Support and search for patch 28188074.

We're happy to announce the availability of Audit Vault and Database Firewall (AVDF) Release 12.2 Bundle Patch Nine (BP9). AVDF 12.2 BP9 enhances security and gives our customers greater control in...

Going into OpenWorld 2018 I am reminded how I have often cited the great data migration as “Elvis has Left the Building”, while my colleague Brian Jensen, from KPMG has often called it “The King has Left the Castle”.  Either way, the point is this.  Organizations often get to a point where they realize that their data is now outside their control.  How they respond to this risk and threat is what ensures organizational success or failure. A significant step in preparedness is awareness in the risks and threats, which is what Brian and I have done in the development of a groundbreaking report called The Oracle and KPMG Cloud Threat Report 2018.  This report is based on a detailed survey of 450 global security practitioners who are focused on cloud security and driving the security requirements around cloud initiatives. Oracle and KPMG have collected the key challenges that these respondents are dealing with and using the combined research from both of Oracle and KPMG’s collective cyber research organizations to provide advance analysis around these challenges.  We then provide a best practice approach to preparing the organization for these lift and shift projects to ensure success. It is inevitable that Elvis is going to leave the building, and that the king will leave the castle, but it’s also possible to do this in a secure and a risk averse manner with proper controls in depth.  Download the 2018 report to learn better how to prepare your organization today. If you are attending Oracle OpenWorld 2018 this year, we encourage you to join us as we present the key findings of this highly successful report on Monday at our session “The State of Cloud Security: Keeping Pace at Scale”.   You can also follow me on Twitter @GregJensen10 for more information about the IDC Periscope interview on Monday October 22nd live from OpenWorld that I will share more information on later this week. #OOW18

Going into OpenWorld 2018 I am reminded how I have often cited the great data migration as “Elvis has Left the Building”, while my colleague Brian Jensen, from KPMG has often called it “The King has...

We’re all guilty of thinking myopically at times. It’s easy to get caught up thinking about the objects in our foreground and to lose our sense of depth. We forget about the environment and the context and we focus too narrowly on some singular subject. It’s not always a bad thing. Often, we need to focus very specifically to take on challenges that would otherwise be too big to address. For example, security professionals spend a lot of time thinking about specific attack vectors (or security product categories). And each one perhaps necessarily requires a deep level of focus and expertise. I’m not arguing against that. But I’d like to suggest that someone on the team should expand their focus to think about the broader environment in which cyberattacks and security breaches take place. When you do, I suspect that you’ll find that there are data points from outside of the typical security realm that, if leveraged correctly, will dramatically improve your ability to respond to threats within that realm. I posted recently about the importance of convergence (of security functionality). I noted that “Security solutions are evolving toward cloud, toward built-in intelligence via Machine Learning, and toward unified, integrated-by-design platforms.” I went on to suggest that forward-looking security platforms are autonomous and operate with minimal human intervention. I believe that’s where we’re heading. But to better enable machine learning and autonomous security, we need to feed as much relevant data as possible into the system. We need to feed the machine from an expanding trough of data. And with Internet scale as an enabler, we shouldn’t limit our security data to what has traditionally been in-scope for security discussions. As an example, I’m going to talk about how understanding Application Topology (and feeding that knowledge into the security trough) can help reduce risk and improve your security posture. What is Application Topology? As you likely know, modern applications are typically architected into logical layers or tiers. With web and mobile applications, we’ve traditionally seen a presentation layer, an application or middleware tier, and a backend data tier. With serverless compute and cloud microservice architectures, an application’s workload may be even more widely distributed. It’s even common to see core application functions being outsourced to third parties via the use of APIs and open standards. Application Topology understands all the various parts of an application and how they’re interrelated. Understanding the App Topology means that you can track and correlate activity across components that may reside in several different clouds. How does Application Topology impact security? Consider an application that serves a package delivery service. It has web, mobile, and API interfaces that serve business line owners, delivery drivers, corporate accounts, and consumer customers. It’s core application logic runs on one popular cloud platform while the data storage backend runs on another. The application leverages an identity cloud service using several authentication techniques for the several audiences. It calls out to a third-party service that feeds traffic & weather information and interacts with other internal applications and databases that provide data points such as current pricing based on regional gas prices, capacity planning, and more. Think about what it means to secure an application like this. Many popular security tools focus only on one layer or one component. A tool may scan the web application or the mobile app but probably not both. An app like this might have a few different security products that focus on securing APIs and a few others that focus on securing databases. Even if all components feed their security events into a common stream, there’s not likely a unified view of the risk posture for the application as a whole. None of the security tools are likely to understand the full application topology. If the app owner asked for a security report for the entire application, would you be able to provide it? How many different security products would you need to leverage? Would you be able to quantify the impact of a single security configuration issue on the application as a whole? If a security solution fully understands the application topology and incorporates that knowledge, here are a few of the benefits: You can generate a holistic report on the application to the app owner that covers all components whether on-premises, in the cloud, or via third-parties. You can monitor user activity at one tier and understand how that impacts your risk posture across other tiers. You can monitor for security configuration changes at all components via a unified service and automatically adjust risk scores accordingly. In other words, a deep understanding of the IT infrastructure underneath the application yields a more robust understanding of security issues and an increased ability to respond quickly and automatically. Summary Challenge yourself to expand the scope of which data points might be useful for improving security. Are security appliance event logs and threat feeds enough? As we enter an era dominated by AI and Machine Learning, we need to add as much high-value data as possible into the security trough. ML performs better as it incorporates more information. And as Larry Ellison famously said, the threats are becoming increasingly more sophisticated. “It can't be our people versus their computers. We're going to lose that war. It's got to be our computers versus their computers.” We must rely on Machine Learning and we have to feed it with as much intelligence from as many sources as possible. Oracle Cloud Security solutions are built on Oracle Management Cloud (OMC) so they fully understand the application topology, application performance metrics, and configuration. Oracle’s built-in Machine Learning leverages this data to make better security decisions and to remediate issues through OMC’s Orchestration service. Learn more about how Oracle helps customers modernize their security solutions with Machine Learning adaptive intelligence at Oracle OpenWorld this month!  

We’re all guilty of thinking myopically at times. It’s easy to get caught up thinking about the objects in our foreground and to lose our sense of depth. We forget about the environment and...

Software vendors like to throw around industry buzzwords like artificial intelligence (AI) and machine learning (ML). But when it comes to web application security, it's important to look beyond the buzzwords and realize that AI and ML are really all about automating the response to incoming cyberthreats, according to Laurent Gil, Security Product Strategy Architect at Oracle Dyn.  That's one of the messages Gil will deliver during an Oracle OpenWorld 2018 session,  Introducing an Intelligent Approach to Beating Cybersecurity Threats. Gil will lead the session along with Rodrigo Balan, Director of IT operations at IdentityMind, a regulatory technology company that uses AI as part of its web application security strategy, and Terence Chong, principal product manager at Oracle Dyn.  In this Q&A, Gil—the co-founder of security company Zenedge, which was acquired by Oracle in March—previews the Oracle OpenWorld 2018 session and shares his insights on the effects that AI and ML are having in the IT security market.   Why is it important for today's businesses to incorporate AI and ML as part of their web application security strategies?   Laurent Gil: It's not really that they need AI or ML. The point is they need to use tools that are truly automated. The traditional way of doing web application security is to set up some rules to test the validity of incoming traffic. These rules are very rigid and sometimes create a lot of false positives. While false positives are to be expected, they may generate so many alerts that administrators stop looking at them. If you stop looking at them, the hackers have won.   What AI, ML, and related techniques do is allow you to automate the response to security events as much as possible, so you don't even need to look at them. Instead, you trust the machine to block incoming traffic when necessary, and you only need to look at true anomalies or corner cases.   How do AI and ML ensure an automated response to incoming web application security threats?  Gil: ML technologies examine similarities found in different types of web traffic. They collect all sorts of information that taken together allow for the classifier to decide which traffic is valid and which traffic may be a threat. The techniques we use must also have a very strong feedback loop, so the platform becomes better as you are using it. Once you identify the corner cases, for example, you should not need to identify any more. The machine will then know what to do. That's the goal that we all have in the industry.   What are the major types of web application security threats that businesses need to guard against today?  Gil: You can classify these into two categories. The first category is what I call background noise. This means that there is a small percentage of traffic that is poking around your applications to see if there are any weaknesses due to, for example, a patch that you forgot to install. So, the background noise is there to automatically identify vulnerabilities. If a vulnerability is found, the hackers will launch the real attack—one that can severely damage the application.  The second type of attack is the tough one. This is when hackers have identified the vulnerability and they are going to exploit it. Sometimes the vulnerability is that you are not able to identify bot traffic. If they see this, they will program bots to attack and steal information, crawl your site, and wreak havoc.  Organizations need tools to defend against both types of attack. They need to block the background noise as much as possible, so the bad guys will see that they are fully protected. And they need to be ready to defend against the second attack, which is a greater challenge because, by definition, the bad guys already know what to do.   Why did you invite Rodrigo Balan from IdentityMind to join your discussion?  Gil: IdentityMind is a great example of the right way to do web application security. Like many companies, they have their own data center. But they wanted to move their software as a service (SaaS) application to the cloud. They looked at Amazon Web Services, Microsoft Azure, and other cloud providers and ultimately chose Oracle Cloud Infrastructure. They selected Oracle in part because we are able to provide tools that de-risk the move to the cloud. We started by installing our Web Application Firewall (WAF) on their on-premises applications. This eliminated the web app security concerns related to migrating to the cloud. Using our WAF, their SaaS application was secure before the migration, during the migration, and after the migration. In other words, Oracle WAF enabled them to peacefully lift and shift their application to the cloud. What advice do you have for companies that want to start down the road to securing web applications with AI and ML?  Gil: First, don't trust your vendor (laughs). By that I mean, do not select a software company because it uses words like 'machine learning' and 'artificial intelligence.' Instead, do an actual proof of concept (POC), because that's the only way to find out what works and what doesn't. The second thing is that you shouldn't focus on AI or ML. Focus on automation. Verify that the tool uses automated systems for detection and mitigation and enables you to reduce the number of false positives. You can verify all of this when you do the POC.      

Software vendors like to throw around industry buzzwords like artificial intelligence (AI) and machine learning (ML). But when it comes to web application security, it's important to look beyond the...

All my customer demo databases always have Database Vault configured and enabled, and that fact requires a few extra gymnastics when patching, especially in 12.1.0.2 with root container and PDBs. If Database Vault is selected during DB installation of a multi-tenant (MTA) database via DBCA (Database Configuration Assistant), you are prompted to create two common users, let's call them C##SEC_ADMIN_OWEN (this user will be the Database Vault 'Owner'), and C##ACCTS_ADMIN_ACE, the DBVault Account Manager; the Oracle Installer will grant the common roles DV_OWNER and DV_ACCT_MNGR to them, but the grant command is executed without the 'CONTAINER = ALL' clause, which means C##SEC_ADMIN_OWEN and C##ACCTS_ADMIN_ACE exist in all present and future PDBs, but their DBVault specific roles are only granted to them in the root container. First, confirm that Database Vault is correctly setup; run this in the root container and all PDBs: SQL> select * from dba_ols_status order by 2 desc; NAME                  STATUS  DESCRIPTION --------------------- ------- -------------------------------------- OLS_CONFIGURE_STATUS  TRUE    Determines if OLS is configured OLS_ENABLE_STATUS     TRUE    Determines if OLS is enabled OLS_DIRECTORY_STATUS  FALSE   Determines if OID is enabled with OLS Only the OLS_CONFIGURE_STATUS and OLS_ENABLE_STATUS rows need to be TRUE. The fact that OLS policies can be stored in Oracle Internet Directory is irrelevant in the context of DBVault. SQL> select * from dba_dv_status; NAME                      STATUS ------------------------- ------- DV_CONFIGURE_STATUS       TRUE DV_ENABLE_STATUS          TRUE Most likely you see TRUE in the root container, and FALSE in the PDBs.  If this is the case, execute the following in all PDBs: SQL> EXEC LBACSYS.CONFIGURE_OLS; SQL> EXEC LBACSYS.OLS_ENFORCEMENT.ENABLE_OLS; That turns on Oracle Label Security in so far as it is used by Oracle Database Vault internally. Confirm with: SQL> select * from dba_ols_status order by 2 desc; Then, turn on Database Vault; execute in all PDBs: SQL> GRANT CREATE SESSION, SET CONTAINER TO C##SEC_ADMIN_ROOT, C##ACCTS_ADMIN_ROOT CONTAINER = CURRENT; SQL> exec dvsys.configure_dv('C##SEC_ADMIN_ROOT', 'C##ACCTS_ADMIN_ROOT'); SQL> @?/rdbms/admin/utlrp.sql C##SEC_ADMIN_ROOT> EXEC DBMS_MACADM.ENABLE_DV; Confirm with: SQL> select * from dba_dv_status; For patching, we don't need to turn off, or disable, Database Vault anymore; instead, the DV Owner executes: C##SEC_ADMIN_OWEN:CDB$ROOT> grant DV_PATCH_ADMIN to SYS container = ALL; That would allow the changed SQL to be applied to the root container and all open PDBs. But, DV Owner doesn't have the proper privilege as I explained earlier. To confirm in the root container: SYS:CDB$ROOT> SELECT granted_role, username FROM USER_ROLE_PRIVS where granted_role like '%PATCH%'; GRANTED_ROLE    USERNAME --------------- --------- DV_PATCH_ADMIN  SYS Confirm in the PDBs: SYS:FINPDB> SELECT granted_role, username FROM USER_ROLE_PRIVS where granted_role like '%PATCH%'; no rows selected C##SEC_ADMIN_OWEN:FINPDB> grant DV_PATCH_ADMIN to sys container = current; You would need to execute that step in all PDBs across the container.  Of course the 'container = current' part of the command is not needed as this is the default when executed in a PDB, I added it here for clarity. Confirm: SYS:FINPDB> SELECT granted_role, username FROM USER_ROLE_PRIVS where granted_role like '%PATCH%'; GRANTED_ROLE    USERNAME --------------- --------- DV_PATCH_ADMIN  SYS Voilà, now you can run 'opatchauto' or 'datapatch' and the changed SQL will be applied to root container and all open PDBs. After successful patching, you would revoke the granted patching privilege from SYS (execute in root container and all PDBs): C##SEC_ADMIN_OWEN:CDB$ROOT> revoke DV_PATCH_ADMIN from sys container = current; C##SEC_ADMIN_OWEN:FINPDB> revoke DV_PATCH_ADMIN from sys [container = current]; But there is more ... you want to audit what SYS is doing with that new privilege; is it only used for patching, or will that user do something else while s/he has the extra powers? Find out with: C##SEC_ADMIN_OWEN:CDB$ROOT> EXEC DBMS_MACADM.ENABLE_DV_PATCH_ADMIN_AUDIT; in the root container and C##SEC_ADMIN_OWEN:FINPDB> EXEC DBMS_MACADM.ENABLE_DV_PATCH_ADMIN_AUDIT; in all PDBs. The audit events are written to dvsys.audit_trail$. When you are done patching, you can turn auditing off, but I would leave it running for the next patch cycle. Happy patching, Peter

All my customer demo databases always have Database Vault configured and enabled, and that fact requires a few extra gymnastics when patching, especially in 12.1.0.2 with root container and PDBs. If...

It’s no secret that cloud adoption is growing—and at an incredible rate. This year’s Oracle and KPMG Cloud Threat Report survey showed that 87% of responding organizations now have cloud-first orientations. Organizations, initially concerned about a lack of security in the cloud, have clearly decided that cloud benefits outweigh the risks—at least for some parts of their businesses. But, like any transformational change, cloud adoption also comes with its own unique set of challenges, especially when it comes to security. The dirty secret is that cloud adoption has led to the creation of a multidimensional data center, where new technologies run alongside traditional solutions. And all of it is managed and secured using islands of disconnected tools and process—at least for now. The unintended consequence is that security teams have a metaphorical hand tied behind their back when it comes to detecting and responding to security incidents in their cloud environments. In fact, it was the most frequently mentioned concern by far, cited by 38% of respondents to our survey. The root of this problem lies in the fundamental difference between securing on-premises infrastructure and cloud services. But one of the key issues is that these disparate and still expanding number of systems have buried security teams in a landslide of telemetry data. Only 37% of survey respondents said that they can analyze a modest sample of their data (defined as 25% to 49%), and another 14% report they can only analyze small samples of their data (less than 25%). Not only is the amount of data a problem, but to really understand what’s coming in, security teams have to be able to see the correlations between different data points. Unfortunately, the average cybersecurity professional has their attention split between about 46 different security products, making it hard to focus on any one thing for too long. It’s as if we buried our security teams in that landslide of data, handed them spoons, and told them to dig themselves out before they’re crushed. It’s just not humanly possible. Cybercriminals figured out the answer to this problem a while back. It used to be that if you logged on to an unsecure Wi-Fi connection, some nefarious character could be hanging out there and start probing your system within a few minutes. It was a manual process. Today, it’s automatic. You connect to the network, and the automated systems are at your machine immediately. What cybercriminals figured out—and what we have to learn—is that automated systems are much better at handling volume than humans. So, what we need to do is equip our security teams with the same basic technologies that the criminals already have. Security teams are already using machine learning to find zero-day threats. Now, teams can use that same technology to automate the analysis of all that security event data. It used to be that IT and security professionals were uncomfortable with handing such an important task over to automated tools. Now, it’s a necessity. In fact, more than a third of survey respondents said their organizations are actively investing in automated solutions. And almost another half are considering it. With automation, security teams can go from distraction to being better able to hone in on the issues that matter most and get on a more level playing field with cybercriminals. For more information on this topic, join us for our webcast: Enabling a Secure SaaS Experience  – Register Here.

It’s no secret that cloud adoption is growing—and at an incredible rate. This year’s Oracle and KPMG Cloud Threat Reportsurvey showed that 87% of responding organizations now have cloud-first...

Roughly half of the traffic on the internet now is bot traffic: Bits of code created for tasks both good and not-so-good. Bots index content for search engines, making it easier for customers to find your business. But bots can also exploit vulnerabilities, expose data, shut down entire websites, or even steal your intellectual property.   Bot management and mitigation are both crucial parts of modern website security. Bot attacks can be as subtle as activity that mirrors what humans do on your site, or as blatant as a swarm of bots that takes your entire site offline.  Oracle Cloud Infrastructure architect Laurent Gil is a pioneer in bot management. Gil co-founded Zenedge, a cybersecurity company focused on WAF and DDoS protection with an advanced bot solution. Zenedge was acquired by Oracle this year.   We sat down with Gil for a wide-ranging Q&A that covers the essentials of bot management.   Oracle Dyn:   How would you define bot management, in simple terms?   Laurent:  Bot management is a feature of an application security platform that is trying to identify whether the requests that come into a website or to a mobile application are coming from a human or from a machine. That’s the simple definition.   Now, there are some machines that are fine, like Google’s bots. You obviously want Google bots to go and access every one of your pages. But you don’t want other bots — malicious bots or unknown bots — trying to access your site. Your site is supposed to be designed for humans.  Our task is to classify incoming requests into the human bucket or the good bot bucket. And anything that is not a good bot would be classified as a malicious bot or unknown. In our world, unknown is the same as malicious. You can’t afford to assume something unknown has good intent.   Now when it is a good bot, or a human, it doesn’t mean that there is no attack payload inside this request. That is what a web application firewall (WAF) would look for. So, this is the reason why a bot management layer of application security must be part of a bigger platform that will vet every request that comes in.    Oracle Dyn:   What are the different types of bot attacks we should be aware of and prepared for?  Laurent:  There are four major types of attack we have to deal with:  #1: Finding and Exploiting Vulnerability  First, it’s important to realize that any site or any application that creates a website is vulnerable. They have lots of exposed surface area, lots of vulnerabilities. There have been patches for these vulnerabilities and there are decades of patching available. But every so often, a person may forget to patch one part of their site.   This is the first type of attack. It’s scanning of applications looking for vulnerabilities, almost like a background noise that you can see on the internet, where hackers are consistently poking every site to see if they forgot to patch.   This background noise is all run by machines. So, there is a small percentage of traffic on the internet today that is run by botnets, and this traffic’s only objective is to poke every site for vulnerabilities.  A bot manager will identify this request and will prevent it from going to the web server. But the bot manager will also tell the sender of this request that the page was not found. So, we are sending two messages there: We are preventing any of this poking from reaching the web servers of our customers, and we are also misleading the hacker by having them believe that these pages do not exist.   #2: Traditional Layer 3 and 4 Volumetric DDoS Attacks  The second type of bot traffic we see is what we call DDoS (distributed denial of service) attacks. The traditional DDoS is what you may hear in the news, which are these very large -- hundreds of gigabits per second — surges of traffic to a host or web server. Traditionally, there is a large industry of DDoS vendors that would mitigate a DDoS attack. We call these attacks the Layer 3 and Layer 4 volumetric attack.  These are pure network attacks. They are sending garbage traffic to an IP or to a data center and they hope that the garbage traffic is so big that it will fill up the internet pipe of that data center. And therefore, all the legitimate traffic has little space to come in. They are not trying to do a data breach. They are just trying to keep users from accessing the asset.  Such an attack can focus on web servers, email servers, databases, even an entire data center. A few years ago, there was a data center in Northern Europe that went offline. The whole data center became offline just because there was one gaming company using this data center that had a DDoS attack so large, it was bigger than the size of the internet pipe of the entire data center. And so, half of a country went down because of this.   It is now rare that hackers are successful, unless the attack is really, really large. There are a number of DDoS providers that are able to mitigate using cloud-based techniques where you have almost limitless capability to divert and clean this traffic.   #3: Application Layer DDoS Attack  The other type of DDoS attack is much harder to catch and much more difficult to guard against. It’s what we call the Application Layer DDoS attack. This is an attack directly on a website. I’ll give you an example: Imagine you go to a website’s search bar and make a search. The issue is, almost every search is unique based on the phrase that you are typing, based on the keywords you’re looking for. So, the results won’t be in the cache; they must come from the server.  Hackers use bots to input keywords that have nothing to do with one another. They could put the entire dictionary into that field, one word at a time. The immediate impact is they utilize all the web server resources. The web server is busy trying to process all the malicious requests and becomes unavailable to the legitimate user.  These attacks are much harder to identify, because they’re using the same interface that a human would. This is where bot management is crucial. By using sophisticated techniques to identify whether the user is a bot or a human, we can divert and block all this garbage bot traffic and stop it before it reaches the web server.  #4: Fraudulent Site Activity  The fourth use of bots that a manager must detect and mitigate, one that is almost criminal in nature, is also very, very hard to catch and to protect against: it’s the simulation of a human transaction.   For example: we had a client, an airline, that was under a bot attack. It is an airline in Asia, and suddenly they started to see a lot of tickets being booked from China. They knew it’s from China because of the incoming IP address. So, more tickets were being booked from China than usual, but almost all of these tickets were cancelled within 24 hours of the acquisition.    You see, a lot of airlines allow for a full refund within 24 hours. So, these bots would simulate human traffic: They would go on the site, select the city fare, as well as the class of travel, put a real credit card number, buy the ticket. The next day, the same bot will come to the site and cancel the reservation and request for a full refund. They were using real credit card numbers, they were behaving as humans behave by selecting the city and buying the ticket. This is a criminal utilization and fraud. We have now seen similar behaviors from bots that would stop short of entering a credit card number, but that would create a temporary reservation, usually for a few minutes.  We suspect that some other airline was paying hackers in China to do this. You see, as the bot buys tickets, the plane gets full. And the airline site sees the rise in demand and adjusts prices; the remaining seats become more expensive. As they become more expensive, the competition is able to sell tickets to the same city for cheaper. The tickets will be canceled the next day, and our customer would have lost business because the actual humans would have bought a plane ticket on a cheaper airline.  So, the impact there is real fraud that has a direct impact on our customer’s business. Thankfully, we were able to identify some irregularities in their behavior that indicated these users were not human.   We see also bots that are doing content scraping. For example, they are going to a directory company site and copying all the content on the site. This is what the Google bot does as well, but Google does it for a good purpose. Malicious bots do it so that they can resell the content to third parties. For the directory company, the content is the value of the site. So, this is another type of criminal or fraudulent utilization of an application.  Oracle Dyn:  This goes deeper than good bots and bad bots though, right? Are there situations where you would want to identify and block a benign bot?  Laurent:   Even when the bot traffic is not malicious, there are times when a site might want to prioritize human traffic over bot traffic. Bot management helps with that as well. We have a customer that is a rental car company. This customer has good bot traffic coming to their site from travel agencies. Travel agencies just want to check prices, so they can show them to their customers, and when the customer is ready to buy, obviously, our client makes money.   Our customer wanted to prioritize human traffic. Because obviously, a human coming in to rent a car has direct impact versus just a travel agent that is just looking for pricing from other rental agencies as well. So here, the idea is “we are fine with traffic from bots, but we want human traffic to be first”. And, if the web server is still available, then we will serve the bot traffic.    It’s a two-part process. First the bot management software identifies which traffic is from bots, then it can take an action based on what the traffic is trying to do and what you want it to be allowed to do.    Oracle Dyn: In broad terms, how does bot management software classify traffic?  Laurent:  Well, there are a few different levels of sophistication for identifying bots versus humans. The simplest technique is linked to the type of browser the end-user is using. When a person is using a browser such as Safari, Chrome, or Edge, we know that browser has a JavaScript engine and other specific features that are necessary for almost any application today.   If the end-user browser doesn’t have a JavaScript engine and the likes, then there is an almost certainty that the end-user is a bot. So, some of the techniques we use to prevent or to identify bots are just based on the type of devices and features that you have and the capability of that machine.   This bot mitigation techniques are very efficient because it’s expensive for hackers to simulate a full internet browser. Especially when they launch a DDoS attack, because it’s relatively expensive to run full internet browser simulations inside of a botnet. However, though it’s expensive, it’s not impossible. So, we needed to evolve.  The second generation of bot management is much more sophisticated. We analyze the behavior of the user, and based on its behavior, we can identify whether the user is human or not human.   The third generation uses even more sophisticated machine learning techniques towards an artificial intelligence engine that is making this classification. And this is where we are today with some of our most sophisticated customers. And a lot of these are actually custom made for a particular customer. That’s why they are very high end. We do use some machine learning techniques for the second generation to look at the behavior analysis. But some of our most sophisticated customers use a platform that is being trained to recognize the bot based on their specific application.  Oracle Dyn:   How can businesses get started with bot management? What’s the first step?  Laurent:  Business should look for a good bot management vendor. Very often, we start with proof of concepts with our customers. During POCs, we typically show all the bots that are identified by the platform. Sometimes, it is a bit of a surprise, and clients see for the very first time that their sites and mobile apps get quite a lot of weird bot traffic.   So, it is almost like you try it, before you buy it, but try it with the full extent and full power of the platform, which sometimes provides very interesting results. A lot of the time customers are not aware of what is happening to their applications and so having visibility into it is an eye opener to these clients. I mean, you’ll be surprised at the things we find. For example, this poking that I was talking about before, this background noise, sometimes customers are not even aware that this is happening.   This is something people can’t do soon enough. 

Roughly half of the traffic on the internet now is bot traffic: Bits of code created for tasks both good and not-so-good. Bots index content for search engines, making it easier for customers to find...

Authored By: Christina Richmond, IDC Program VP WW Security Services for Oracle  Adoption to the cloud is no longer stymied by security concerns as it once was. If anything, companies believe too fully in the security of the cloud service provider (CSP) these days. This belief may exist because security teams are understaffed, overburdened or because of true security competency within the cloud provider. But at the end of the day, the organization is on the hook for protecting its data in motion and at rest. CSPs are not responsible for the ingress and egress of data but rather only what resides within its data center. And even that is shared responsibility. One might say the new security perimeter is identity and data which are the underpinnings of every action taken in this digital world. To secure this new perimeter a deep understanding of data inventory and classification is required. The other side of this coin is knowing the identify and privileges of the user and which data they have access to. However, these requirements are not easily satisfied. With digital transformation comes an explosion of applications, APIs and delivery methods. “Cloud” can be private, public, as a Service and part of a many-cloud or “multicloud” approach. IT staff is still burdened with legacy security tools and lines of business are increasingly engaging in platform solutions which impact security. While these new platforms fuel digital growth and customer engagement they also complicate security visibility because they are outside the purview of the security staff. Managed security services (MSS) have existed for decades and they, too, are evolving to embrace the cloud ecosystem. Traditionally, MSS providers (MSSPs) managed and monitored the on-premise security appliances for a customer. Today we are seeing a rapid buildout of tools which provide MSSPs the ability to visual the customer’s entire architecture from on premise to SaaS-based including single and multicloud. Gaining visibility allows the MSSP to then quantify vulnerabilities against the threat landscape which in turn provides a view into risk.   According to an IDC study conducted last year we see that the MSSP purchasing form factor is shifting from predominately on-premises to hosted and SaaS based (see chart below). Adoption of MSS which once was an ROI-based decision swapping Capex for Opex cost is now one of imminent necessity if for no other reason than to provide visibility. We can’t protect what we can’t see. We can’t thwart what lurks in the shadows and we can’t respond if we don’t know what and where the danger is. With more and more of the architecture in cloud and multicloud the challenge of finding, tracking and combatting an adversary is compounded. MSS provide the “eyes on screen” of a Security Operations Center (SOC), advanced detection capabilities and increasingly they provide automated detection and response.  It’s no surprise then that advanced detection and analytic techniques are called out by nearly 40% of respondents as “required as part of a managed cloud services engagement.” Visibility is the one aspect of security that will in the end “right the ship.” When a SOC analyst receives an alert and discovers it to be an actual incident the advanced detection tools and threat intelligence the MSS provider (MSSP) possesses can vastly improves the analyst’s ability to see within a hybrid environment where the attack is and when it first entered. Today the Band-Aid approach of “look, alert, combat…repeat” is becoming more and more automated with the use of machine learning and big data analytics; meanwhile the skills of the MSSP provide the glue to keep the enterprise safe. The market is demanding greater cloud security capabilities and cloud providers are responding with enhanced visibility and response tools but remember that their responsibility stops at the door to their data center and the organization is ultimately responsible for the data outside. In our next blog we’ll diver deeper into addressing identity and access management challenges in MSS. To learn more about Oracle Managed Security Services and how MSS can help you, visit our website. Follow Christina Richmond @Xtina_richmond Follow Greg Jensen @GregJensen10

Authored By: Christina Richmond, IDC Program VP WW Security Services for Oracle  Adoption to the cloud is no longer stymied by security concerns as it once was. If anything, companies believe too fully...

Recently, Mike Faden wrote a stellar article in Oracle Magazine that highlights the issues and challenges that organizations are faced with around the attack surface that is leading to breaches.  Responding to this is a new wave of sophisticated technologies and methodologies that Mike has highlighted after interviewing some of Oracle's security leadership.  What Mike has learned is that there are some new and sophisticated approaches in the area of Identity Management, Database Security and more, that are helping to reduce the attack surface and help to reign in the risk and exposure that organizations are dealing with today. Read this amazing article from Oracle Magazine and Mike Faden today, and if when you are ready to learn more about Oracle's security solutions, check out our solution page for the latest information.

Recently, Mike Faden wrote a stellar article in Oracle Magazine that highlights the issues and challenges that organizations are faced with around the attack surface that is leading to breaches.  Respon...

Authored By: Christina Richmond, IDC Program VP WW Security Services for Oracle As discussed in previous blogs, the market is increasingly willing to move to the cloud. In fact, adoption is reaching an inflection point, with 80% of cloud budgets focusing above and beyond the cloud infrastructure (now only 20% of budget) to engage adjacent emerging services for cloud acceleration and enhanced management.1 However, obstacles still exist: inconsistent cloud configuration leaves security vulnerability gaps; detection, response and remediation visibility in the cloud environment is difficult—and hybrid IT multiplies this difficulty many times. Many more challenges exist which have been discussed in an earlier blog, Today's Threat Landscape and How to Tackle It, to which organizations are finding solutions in managed security services (MSS).                                     Source: IDC Managed CloudView September 2018 As you can see in the above graphic, drivers of managed cloud security adoption are many, ranging from the inability to keep pace with the rapid evolution of security technologies, lack of resources and talent, the need to lower cost and re-focus the business to core initiatives, and the desire for access to new security capabilities. But the most significant of these is the need for support across multiple types of delivery models, or what is commonly called “hybrid IT.” Hybrid IT is a mix of on-premises and public and/or private cloud workloads. An ideal future hybrid IT state, according to 400 enterprises in the U.S., would be roughly 25% in the public cloud, 48% in a private cloud and 27% non-cloud or on-premises, shown in the below graphic.2Source: IDC's Cloud and AI Adoption Survey, 2018 We all know that the security perimeter is a thing of the past. And we know that hybrid IT complicates all aspects of securing an organization’s data. Today’s security challenges are widely known but solutions are still evolving. In any massive transformation era such as the digital transformation of today we see increased need for professional services to help the organization get a grasp on strategy, policies, architecture design. And these services are in full use today. Adoption of managed security services, once an ROI-based decision swapping capex for opex cost, is now an imminent necessity if for no other reason than to provide visibility. When we double-click into the most significant of drivers of MSS in cloud and hybrid IT, we discover specific vulnerabilities that haunt the security team managing hybrid environments. Six of the 11 attacks and/or vulnerabilities are called out by over 40% of respondents in the below graphic as areas requiring additional support because they occur across multiple delivery models such as private, public, and hybrid workloads.   Source: IDC Managed CloudView September 2018 We can’t protect what we can’t see. We can’t thwart what lurks in the shadows, and we can’t respond if we don’t know what and where the danger is. Hybrid IT magnifies the challenge of finding, tracking, and combating an adversary that is better funded and faster than most IT departments. Many managed security services providers tout the drivers listed above, but MSSPs that focus on providing visibility into and security of the hybrid environment provide organizations with a 360-degree view into their full architecture across all workloads no matter where they reside. In addition, they bolster the agility of the enterprise as it transforms itself into a digital company. Finally, these services can consolidate the “eyes on screen” of a security operations center (SOC) team, which today typically works across multiple platforms for the same insights. This in turn naturally saves time and expense. Please be sure to check back to read the next blog in our series on “Securing your data in the cloud using MSS.” To learn more about Oracle Managed Security Services and how MSS can help you, visit our website.   Additional Source: 1, 2. IDC’s Cloud and AI Adoption Survey, January 2018 3. IDC Managed CloudView September 2018  

Authored By: Christina Richmond, IDC Program VP WW Security Services for Oracle As discussed in previous blogs, the market is increasingly willing to move to the cloud. In fact, adoption is reaching...

As a parent, I have pretty simple rules for my kids: Clean your rooms. Pick up your stuff. Don’t speed in the car. But as I’m writing this blog, I know that at least two out of my three kids are breaking those rules. They don’t quite comprehend that these rules aren’t just for my good. They’re for them too. Similarly, we found out in our 2018 Oracle and KPMG Cloud Threat Report that 97 percent of respondents say their organizations have defined cloud-approval policies. But we also found that 82 percent of those respondents felt those rules were being ignored. It’s a common scenario, and even an understandable one: Some line of business or another needs to get an application up to achieve a goal. They find or develop an application that will achieve that goal or put them on the cutting edge, and they decide they want to get it out quickly. “We’ll put it together, push it out, meet our goal, and ask for forgiveness later,” the thinking goes. The problem is that this road leads to disappointment at the very least and disaster at the very worst. Say the security team is brought in at the very end, and they’re told, “We’re launching this app in a month. Let’s do what we need to do.” The security team has a series of minor heart attacks as they figure out how they’re going to fit four months of work into a month, and they bring the project to a grinding halt. Eventually, the app is brought up to compliance and proper configuration standards and is accepted as a “sanctioned” application. Or let’s say that the line of business goes ahead and launches the app without checking the proper boxes with security at all. Now, security doesn’t have any visibility into what’s happening with that app, can’t adequately protect it, and the organization gets breached. This is what we call, an “unsanctioned” application. In these scenarios, the difference between a line of business’ timeline for rolling out an application and security’s ability to secure it in that timeline is called the “Pace Gap.” It’s a real problem, but it’s also a problem with a solution.             The line of business and security team both have goals. The line of business wants to accomplish things quickly, and security wants to keep the organization safe. People often see these goals as being at odds with each other, but they don’t have to be. Security can actually help lines of business get their projects done faster, but they have to be involved from the beginning.                                                                  For instance, if you look at a traditional ERP application, it can take up to six months for a large enterprise to fully roll out that platform with the right entitlements and credentials. But if you’re able to port over all your on-premises identities to any new cloud application with a product like Oracle Identity Management Cloud, you can cut a significant amount of time off the project timeline—and satisfy both sides. That’s the carrot. Here’s the stick. Even in the absence of a shortcut that shaves time off the schedule, folks need to slow their roll. Yes, that’s a technical term. If an organization gets breached, asking for forgiveness might not be an option. People are going to lose their jobs—even at the executive level. So, folks shouldn’t just be incentivized to work with security teams. It should be mandated. One person needs to be in charge of understanding shared responsibility models, regulatory compliance issues, and all of the organization’s security needs and standards. That same person should be empowered and given full visibility and the support of the organization to either approve an application’s deployment or to halt it. If you’re an avid reader of this blog, you’ll know that we’re big advocates for having a cloud security architect, but really, organizations just need to have somebody with the right knowledge who can act as a gatekeeper for the company. And with that person’s guidance, the organization can start forming best practices that accomplish both goals—a timely release of a much needed application and the right security measures in place to keep it protected. Once this becomes common practice and the pace gap is closed, all parties can rest a bit easier knowing that their needs are being taken care of. For more on this topic, see our webcast Keeping Security Pace at the Speed of Emerging Technologies - Register Here.

As a parent, I have pretty simple rules for my kids: Clean your rooms. Pick up your stuff. Don’t speed in the car. But as I’m writing this blog, I know that at least two out of my three kids are...

The lead up to Oracle OpenWorld and Code One 2018 is starting to fire up. With just about a month to go, we would like to encourage attendees to access the Oracle OpenWorld Schedule Builder. As in previous years, the Schedule Builder will allow attendees to create a personalized schedule and lock in spots to key sessions. Visitors can reserve a spot for a particular session by logging in and selecting the star icon to the right of each session description.  Customers attending OpenWorld this year will be treated to a number of sessions covering every topic from ongoing system upgrades to cutting edge technology releases. The Schedule Builder is an interactive tool that provides information including session times, locations, and abstracts all centralized in one place - making it a one stop destination to schedule out the entire week. In addition, attendees have access to our Oracle Security Focus On Document. We encourage all security professionals attending to look over the Security Focus On Document for a comprehensive list of essential security sessions and keynotes!  Once again, we encourage any customer attending Oracle OpenWorld and Code One to use the Schedule Builder! Haven't registered yet? It's not too late, register prior to the event to save!

The lead up to Oracle OpenWorld and Code One 2018 is starting to fire up. With just about a month to go, we would like to encourage attendees to access the Oracle OpenWorld Schedule Builder. As in...

By Pedro Lopes Thanks for attending last week DBSAT webcast. In case  you have missed it, you can watch it now on demand here. We had over 900 registrations and engaged customers attending the webcast and received over a 100 questions. Due to the time constraint, we could not answer all your questions, but wanted to follow up to clarify all your doubts. The key categories of questions that came up were: Does it run on the Cloud? Does it run for multiple databases? Performance impact of running DBSAT How does DBSAT Discoverer know which data is sensitive? Does it work on (ODA, Linux, Windows, Amazon RDS, 18c, Salesforce, Oracle Point of Sales)? Regulatory Compliance - Can it help me with SOX compliance? Apps - Any EBS/Retails/xStore/RMS specific checks? Does it have any Integration with OEM? Let me address those questions. Running DBSAT on the Cloud Since this is a pretty broad question, let’s address the easiest use cases first. In IaaS, you’ll have full control so, yes. You can install it on IaaS or run it against a database deployed on IaaS. On SaaS, as you won’t have direct access to the database, so no. On PaaS offerings, DBSAT can discover sensitive data as long it can connect to the database using JDBC. For the Security Assessment part (Collector and Reporter), typically we ask for the collector to on the database server and if you can do that, yes. That you to collect both database and operating system information.   SaaS IaaS DB EE/HP/EP ADW Exadata Express CS Collector   No Yes Yes No No Reporter   No Yes Yes No No Discoverer   No                Yes           Yes Yes          Yes Table: DBSAT components per Cloud targets Performance Impact DBSAT relies on data dictionary views and statistics for row counts. The impact should be negligible, as it does not execute anything different from queries that a DBA on daily activities. How does DBSAT Discoverer know what data is sensitive? DBSAT ships a configuration file with Sensitive Categories and Risk Levels and a Sensitive Pattern file that includes several Sensitive Types that look for matches on metadata based on regular expressions. We have used as a knowledge base our own Oracle Apps sensitive data medatada information and years of field experience and bundled it in the pattern file. There might be some false positives and DBSAT might miss some tables/columns holding sensitive data, but it provides a great start. As a best practice, DBSAT results should be reviewed carefully. DBSAT also provides several parameters/input files to help reduce false positives and make the final result more accurate. Does it work on (ODA, Linux, Windows, Amazon RDS, 18c, Salesforce, Oracle Point of Sales) DBSAT runs on Linux, Windows, Solaris, HP-UX, AIX. So it runs on Oracle Database Appliance. It runs on Oracle Databases (10g up to 18c). Regulatory Compliance - Can it help me with SOX compliance? It will help regulatory compliance initiatives. It will help to understand the current security posture, the gap the best practice, give and highlight technical controls that might help. Regulatory compliance is typically a mix of having the right Organization (People), Processes and Technology in place. DBSAT helps on the technology side. Apps - Any EBS/Retails/xStore/RMS specific checks? No. However, most recommendations will apply. The best practice is to check your specific Oracle App security best practices as well. If there’s a conflict, Oracle App security recommendation shall prevail. Any Integration with OEM While there’s no out-of-the-box integration, have customers that have integrated DBSAT into OEM and other 3rd party tools successfully either leveraging the fact that DBSAT is mainly a shell script and the JSON/CSV output. Hope it helps. Please reach out to me (pedro.lopes@oracle.com) in case of any additional questions/doubts/ideas or just meet me at #OOW. Database Security focused sessions at Oracle Open World: https://events.rainfocus.com/widget/oracle/oow18/1536064610966001SVrg

By Pedro Lopes Thanks for attending last week DBSAT webcast. In case  you have missed it, you can watch it now on demand here. We had over 900 registrations and engaged customers attending the webcast...

Gartner named Oracle a "Visionary" in its 2018 Magic Quadrant for Web Application Firewalls (WAFs). This post will spotlight the Oracle WAF's visionary use of machine learning to assign risk scores to incoming web traffic. Traditional web application security works in the same way as antivirus software, using a rule-based approach. It looks for signatures of known attacks and, as long as you have a good database of signatures, identifies attacks based on that information. Example of a rule-based approach to web application security The problem with rule-based security is that it is only able to identify what it knows, and the definition of what it knows is very rigid. It doesn't work when an attack is similar but not identical to what was seen before. It also doesn't work for all of the attacks that are not known yet -- zero-day vulnerabilities. Supervised machine learning techniques are completely different. They can recognize similarities, even when an attack is not exactly the same. We train an engine on what types of traffic are appropriate for a website or application and what types of traffic are not appropriate. And the engine is able to flag requests based on similarities to what it has learned. It can say, "I have seen something that looks like this request in the past, and that request was malicious, so I am going to flag this request as malicious as well." Example of WAF machine learning training  The Oracle WAF takes this approach a step further by analyzing how closely an unknown request resembles a known request and expressing that in a numeric value known as a risk score. The risk scoring scale goes from 0 (legitimate) to 100 (malicious). When a request's score exceeds certain thresholds, the WAF can either generate an alert to a security analyst or automatically block that traffic. We typically perform automatic blocks at 80 to 85, depending on the application. Example of risk scoring before training Example of risk scoring after training In the screenshots above, note that telnet.exe was part of the training, hence a score of 100%, but telnet and ftp were not, and they were still flagged, correctly, as malicious with 80% scores. So, what happens when the WAF sees a completely new request, as in the case of a zero-day attack, and says, "I'm not sure if this is good or bad?" The machine learning engine is able to flag this traffic and alert an analyst to make a decision on what it is. And after the analyst makes that decision, the next time the request happens, the WAF will know what to do, because it has learned. Organizations typically have to manually configure their WAF to recognize and respond to newly identified threats -- a process known as WAF tuning. Machine learning makes this process much more efficient and effective. The Oracle WAF has more advanced capabilities than others in the market when it comes to anomaly detection and scoring. We analyze information in request headers, the IP address, content and language of requests, and other factors in determining risk scores. Additionally, the machine learning engine considers data from our classic rule-based WAF; if a request does not appear to be malicious based on the engine's learnings, but similar requests resulted in rule-based alerts in the past, that could increase the request's risk score. Example of a malicious application attack (legitimate traffic in green, attack traffic in red), flagged by the Oracle WAF The training of machine learning engines is extremely important. If, by mistake, you tell the engine that a specific attack is good, it will always identify that attack as good and not block it. You must also train the engine to recognize good and bad traffic for each particular application, because what looks like suspicious activity for one application may be completely normal behavior for another. This training is done on an individual customer basis at the time of deployment. Large enterprises and other organizations with strict security and compliance requirements are typically the customers that take advantage of these capabilities today, but we expect others to follow suit as web attacks become more prevalent, more varied, and more malicious. Gartner, Magic Quadrant for Web Application Firewalls, Jeremy D'Hoinne, Adam Hils, Ayal Tirosh, Claudio Neiva, 29 August 2018 Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Gartner named Oracle a "Visionary" in its 2018 Magic Quadrant for Web Application Firewalls (WAFs). This post will spotlight the Oracle WAF's visionary use of machine learning to assign risk scores to...

The whole of your security portfolio should provide significantly more value than the sum of its parts. The challenge facing security professionals seems to grow bigger and more complex by the hour. New threats and risk factors are constantly emerging while the IT landscape continuously evolves. At times, it feels like we’re patching holes on a moving target that’s endlessly shape-shifting. One of the major contributing factors to those feelings of chaos and disorder is the sheer quantity of security products that we rely on to cover our vast IT landscapes. The Oracle and KPMG Cloud Threat Report 2018 found that cybersecurity professionals manage an average of 46 different security products. 7% of respondents reported being personally responsible for managing over 100 different products. 100 different security products! I don’t imagine that those folks can possibly have a complete understanding of what’s happening across 50 or 100 different security products or what value each of those products is contributing to reducing their risk. This quantity of products alone contributes to the overall challenge in several ways, including: Product Overlap: Security products often have significant functional overlap. In an environment with several security products, it quickly becomes unclear which product will answer which questions. The result is wasted time and effort and longer delays getting critical answers. When addressing an on-going attack or a breach, the speed of the response effort is critical. The longer it takes, the broader the damage will be. Skills Shortage: Organizations spend too much time finding or developing talent across security products. It’s rare for security professionals to have the exact mix of skills and experience that an organization needs. And with an on-going skills shortage, it’s difficult to retain top talent over long periods of time. Again, not having the right expertise in place means that you’re more likely to miss the signals of developing attacks or on-going breaches and to demonstrate longer response times to security events. Delays in Addressing Gaps: Nobody likes wasted money or shelfware. When a gap is found in an organization’s security posture, security professionals are less likely to find and deploy the right solution if they have numerous other security solutions in place that may (or may not) fix the problem. Of course, without a complete understanding of where the limits are on each of those products, it could take months to sort through them and to formulate an approach. It’s the classic human response of freezing in indecision when there are too many factors to consider. When it comes to addressing information security issues, the last thing you want to do is freeze. So, what can be done and how can we address the issue? Here’s the good news: Security solutions are evolving toward cloud, toward built-in intelligence via Machine Learning, and toward unified, integrated-by-design platforms. This approach eliminates the issues of product overlap because each component is designed to leverage the others. It reduces the burden related to maintaining skills because fewer skills are needed and the system is more autonomous. And, it promotes immediate and automated response as opposed to indecision. While there may not be a single platform to replace all 50 or 100 of your disparate security products today, platforms are emerging that can address core security functions while simplifying ownership and providing open integration points to seamlessly share security intelligence across functions. For example, you know that you need an identity and access component for addressing access management needs across numerous SaaS applications and IaaS services. And you need a Cloud Access Security Broker (CASB) to scan SaaS applications and Cloud Infrastructures for insecure configurations and to monitor user activity. But, for the most part, these functions are silo’ed today. One doesn’t talk to the other. But they can. And they should. Understanding what a user is doing across cloud applications (visibility often provided by CASB) enables you to create a risk score for that user that can then be used by the Identity function to make decisions and take actions such as stepping up authentication, requesting approvals, initiating an access review, or denying access. Understanding that a target system’s configuration was modified recently or that it doesn’t conform to the organization’s security policies also increases risk. And there are numerous sources of additional risk data: identity, CASB, security configuration scanning, SIEM, UEBA, external threat feeds, session context, etc. Forward-looking security platforms will leverage hybrid cloud architecture to address hybrid cloud environments. They’re autonomous systems that operate without relying on human maintenance, patching, and monitoring. They leverage risk intelligence from across the numerous available sources. And then they rationalize that data and use Machine Learning to generate better security intelligence and feed that improved intelligence back to the decision points. And they leverage built-in integration points and orchestration functionality to automate response when appropriate. In other words, your security platform should serve as a central brain that doesn’t only import the various security data points but also makes sense of it without relying on human eyes to catch potential threats. And it adds intelligence, identifies patterns, recognizes anomalies, and responds appropriately and within seconds. This is much more advanced than the old SIEM model which simply aggregates data from numerous sources and tries to raise alerts for humans to evaluate. This is a system that thinks for you and leverages advanced analytics to make decisions across those numerous disparate systems. It’s a cloud service so you don’t need to administer and manage it. You become a user; a consumer of its benefits rather than a caretaker. And the result is much more value and further reduced risk than you’d get from the parts alone. To learn more about challenges organizations face today and how new technologies and strategies help enable innovation, register for Oracle OpenWorld 2018 and visit the Oracle Cloud Security page for more information. 

The whole of your security portfolio should provide significantly more value than the sum of its parts. The challenge facing security professionals seems to grow bigger and more complex by the hour....

In recent years, security has gone from cloud objection to cloud benefit. In fact, according to the Oracle and KPMG Cloud Threat Report 2018, 83 percent of respondents to the report’s survey said they believe their cloud service providers’ security is as good or better than their own. While this growing confidence bodes well for an increasingly cloud-enabled world, companies would be wise not to drop their guard when it comes to security. Bad actors of all kinds have found ways to exploit weaknesses in your security posture—most notably, in the customer’s end of the shared responsibility model. Recently, my co-author on the Oracle and KPMG Cloud Threat Report 2018, Brian Jensen from KPMG and I discussed some of the top attacks and pitfalls that companies are falling prey to. Phishing At its core, phishing in all its forms is a social engineering attack designed to create fear, uncertainty, and doubt. And even the best of us have been suckered by a phishing attack at one point or another. The main goal here is to get credentials by tricking the user into handing them over. A phishing email might say “Click here to learn about the audit problem we just discovered,” then take the user to a fake website where they have to log in. Or it might have a malicious attachment or link. But once they have those credentials, the attackers have free rein inside the system. As Brian noted during our conversation, what makes phishing so successful is that not only have we moved some of our most valuable information outside the firewall, but that many of our core business applications are similar across companies. “This leads to a one-two-three punch. Phishing is easy. The data is outside the firewall. And everything is pretty much the same. So, once I identify a pattern as a breacher, I can do it over and over and over again,” Brian said. According to the Oracle and KPMG Cloud Threat Report, 55 percent of survey respondents have experienced phishing. Malware and Ransomware Phishing can often be a vehicle to unload malware onto a system. The Oracle and KPMG Cloud Threat report noted that of all their expected security concerns during the next 24 months, four of the top five have to do with malware. One of the common forms of malware that we see is ransomware, where the victim is locked out of their system until the attacker is paid some sort of fee, usually in the form of bitcoin. This form of attack can wipe out an organization and leave it without a way to recover its information. Configuration Another way organizations put themselves at risk is by not having proper controls around cloud configurations. In fact, 45% of respondents to the Cloud Threat Report survey said they had experienced one or more incidents where the attacker exploited an unpatched vulnerability—either known or unknown. These unpatched gaps are especially dangerous because the attacker can wreak havoc on an organization (or multiple organizations using the same vulnerability) until it’s patched. The problem here, as Brian noted during our conversation, is that companies don’t have a good framework for (1) knowing that they’re using cloud, (2) categorizing the type of cloud they have, (3) having an understanding of the shared responsibility model for that cloud instance, (4) framing the configuration model, and (5) monitoring and patching it. To be fair, this is no easy task. The number of people and details involved make separating responsibilities and defining processes a real problem. But it’s a problem that needs to be solved if you want to secure your organization. Protecting Your Organization from These Pitfalls Of course we all want to protect our organizations, but buying the right tools is only a third of the answer. What it really takes is a focus on your people, your processes, and then your technology. In terms of people, organizations need to make sure their people are properly trained. All of your general users need to know the basics behind identifying a phishing attempt. But more importantly, cyber teams, email teams, and application teams need to be trained correctly on how to maintain configuration and compliance. Next, there needs to be a process behind everything. If you have a system that has stayed unpatched for the last two days, what’s your process? If you’re introducing a new cloud application, what’s your process for making sure it’s secure? This can be one of the hardest aspects because it requires communicating and establishing agreed upon actions across departments. But it’s also the most necessary. And lastly, you have technology. And that’s the part where Oracle does a really good job. We provide some excellent technologies for securing your cloud investment. At the end of the day, people’s confidence in the cloud isn’t misplaced. Organizations just need to adjust their thinking to protect themselves from evolving threats. For more on this topic, join us for our webcast Keeping Security Pace at the Speed of Emerging Technologies - Register here.

In recent years, security has gone from cloud objection to cloud benefit. In fact, according to the Oracle and KPMG Cloud Threat Report 2018, 83 percent of respondents to the report’s survey said they...

Monitor and Secure Your Systems You have made the business decision to outsource database administration, including some or all of your IT organization.  Yes, you can save money, but it comes with a lot of headaches and frustration when you can’t get tasks turned around fast enough.  Contract vendors have strong SLAs for what they will and will not do. This makes troubleshooting systems that span different domains very difficult.  The DBA always says the database is fine. The system administrators say the hardware is fine. The developers say their code is fine. But for some reason authentications have slowed down by 200% in the core application that drives your business. Unfortunately, your vendors won’t give you database accounts or access to logs. What’s a DBA to do? Gain Access to All Logs To gain increased visibility, many customers turn to Oracle Management Cloud (OMC). OMC is a cloud service that can consume any log on premises or in the cloud.  OMC leverages a Big Data backend so you are not limited by the volume of data you send to your tenant.  You will have a User Interface for all logs in your ecosystem.  But that’s just the beginning.  It has a sophisticated parsing engine leveraging Machine Learning and End User and Entity Behavior Analytics (UEBA) to learn what is normal and what is not.  OMC clusters like patterns of problems across your entire ecosystem to present the health of your servers, databases, and applications in one user interface. You have 100% control to view the logs with full dashboarding and drag and drop query capabilities.  Oracle is in the unique position to perform this type of analysis as our products include Cloud Services, Hardware, Operating Systems, Databases, and Applications.  Oracle owns Java, which makes us uniquely qualified to understand Log4 J.  Working with our application teams, OMC gives intelligent views into Oracle Applications such as EBS, Seibel, Peoplesoft, and even SAP.  Remember, any log any system. The screenshot below is a summary of the different options you can enable in OMC. Application Performance Monitoring (APM):  Oracle’s APM for Peoplesoft, Java, .Net, Node JS, Ruby, Docker, and Mobile Applications including both Android and Apple platforms that will diagnose performance bottlenecks in your code and system performance in your Application Servers. Infrastructure Monitoring:  The ability to view the health of your eco-system. Log Analytics: Provides a user interface for your logs. Log Analytics has the ability to cluster errors and categorize them into common and uncommon events (which tend to be the source of problems).  It is much easier to troubleshoot when you can view the logs for the operating system, database, application and WebLogic in one user interface. IT Analytics:  IT Analytics provides the ability to look across your applications, webservers, databases, operating systems, and servers to get a comprehensive perspective on the current state of performance, availability, and utilization.  and leverages Machine Learning to forecast capacity requirements.  It answers tough questions – such as “when will I need more disk, CPU, memory, etc.” – that allows you to get ahead of potential problems and bottlenecks instead of just reacting when things go wrong. Configuration and Compliance:  The ability to baseline your configurations and if desired the ability to provision back the desired configuration.  Would you like to know if someone accidently created an unencrypted s3 bucket in Amazon Block Storage? Orchestration:  Think of it as a scheduler for your IT ecosystem.   You can also attach fix jobs to break fix events in OMC.  For example, if a database comes back with 90% storage is taken, OMC can fire a job that will increase space by 25% or maybe you want to automatically restart your WebLogic servers if they shut down.  I won’t go so far to say the database will be 100% self-healing, but it is kind of like self-driving cars - you would not have it drive you to the airport - but, helping you stay in the lane and emergency breaking is helpful.  Automation for your databases is on the way and can definitely cut down on the support tickets you create, which costs you money. Security Monitoring and Analytics (SMA): Perhaps the most important of all, SMA will help you audit your contract vendors.  Oracle now has a SIEM (Security Information and Event Management System) with machine learning and UEBA incorporated so you will have complete visibility to your IT ecosystem. SMA can leverage Identity Management, Oracle’s CASB, Audit Vault Database Firewall (AVDF) that will fulfill the complete picture to your Identity Security Operations Center (SOC) for both on premise and Cloud environments.  The Big Data backend also makes it okay to send database events to your SIEM. OMC can take the load unlike traditional SIEMs in the market! OMC is one application that provides the ability for rapid troubleshooting, application performance monitoring and the baseline for your Security Operation Center spanning both your on premises and cloud systems.  It will allow you to reclaim your systems by gaining the visibility you desire on your IT systems, so you can take advantage of the cost savings outsourcing parts of your IT organization.  And if you do not outsource your IT organization, OMC is an excellent tool to minimize downtime, learn predictable performance behavior, and bring UEBA into your SIEM and Security Operations Center. Take a moment to explore how OMC could be a great fit for your organization.         

Monitor and Secure Your Systems You have made the business decision to outsource database administration, including some or all of your IT organization.  Yes, you can save money, but it comes with...

It's that time of year again! Oracle OpenWorld 2018 is less than two months away. Has your organization registered for the event? Every year, more than 60,000 attendees from over 145 countries attend Oracle OpenWorld. It is a great opportunity to learn the latest and greatest news in emerging technologies, learn new feature functionalities, collaborate with partners, and share ideas with industry peers. This year a pass to Oracle OpenWorld will give you and your colleagues access to 2,200 sessions and over 300 partners. This year's event takes place at San Francisco's Moscone Center from October 22nd-25th.    If you are considering attending OpenWorld this year, but are still in the final decision making stage, here are 5 reasons why it is absolutely essential to attend: Attend 2000+ sessions focused on solving business and IT problems OpenWorld sessions cover a wide range of topics. Keynotes from Oracle executives, Technical presentations, as well as sessions featuring Oracle Customers, such as, Tips and Tricks for Security Cloud at Scale. Help your company keep pace with cloud innovations According to the recent Oracle and KPMG Cloud Threat Report, 90% of respondents say at least half of their cloud data is sensitive information. As cloud becomes commonplace in technology, it is important to fully understand every aspect of the cloud and how to make the best decisions when choosing a Cloud Service Provider (CSP). CSPs are often not clear about their security offerings and what your responsibilities are as a customer. At OpenWorld, you can gain a better understanding of emerging technologies in the cloud and which of these technologies are the right fit for your IT environment Network with your peers and share innovations Every company has a unique structure, but there is definitely something to be said about the power of collaboration. OpenWorld is a great opportunity to meet and mingle with industry peers. Learning about common technologies and strategies for strengthening security, reducing cost, or improving innovation. Enjoy all the entertainment the conference and San Francisco has to offer If the exciting technology news is not enough to convince you, consider this: there is never a dull moment at OpenWorld. Attendees have a long list of choices for activities, socializing, and exploring. Oracle, partners, and sponsors put on receptions for OpenWorld attendees each evening of the conference. This is a great opportunity to get a more in-depth view of their offerings and ask any questions you may have in a smaller setting. It is also a change to network with peers and catch up with your colleagues who may have attended different sessions. Wednesday night is CloudFest 2018, each year, customers with a ticket to this event are in for a special treat. Concert goers in the past have danced the night away to performers such as Sting, Elton John, and Maroon 5. Although the lineup for this year has not been released, it is sure to be a crowd-pleaser. Save on early registration and group rates If you are now planning to attend, be sure to register for OpenWorld early to take advantage of the $200 savings. Additionally, government employees and large group rates are available to companies looking to send large teams!   If you are curious about what you missed at OpenWorld 2017, take a look at some of the highlights and start to imagine all of the great opportunities you can explore this year. We hope to see you at OpenWorld 2018, don't forget to register early!

It's that time of year again! Oracle OpenWorld 2018 is less than two months away. Has your organization registered for the event? Every year, more than 60,000 attendees from over 145 countries...

Organizations are increasing their cloud adoption, but they aren’t necessarily keeping pace with their security practices. Every year Oracle and KPMG collaborate on the Oracle and KPMG Cloud Threat Report, a survey of cybersecurity and IT professionals from private- and public-sector organizations about their public cloud usage and cybersecurity products and services. In 2013, 57 percent of our respondents said they were using public cloud services. Today, that number has jumped to 85 percent. While people are feeling more confident than ever about security in the public cloud, many organizations are putting themselves at risk by making a handful of common mistakes. I’ll outline each of the main pitfalls below, but for more detail on what’s causing these mistakes and pointers on how to remedy them, don’t miss our on-demand webcast “Sharing the Cloud Security Responsibility and Mitigating the Top 5 Risks.” Mistake #1 Lack of Responsibility When you adopt a cloud service, it’s tempting to think that they’ve got security covered. Sure, they’re probably taking care of some of it, but there are certain things that they just can’t be responsible for—like how careful your employees are with their credentials. The division between what you’re responsible for and what your cloud provider is responsible for is an important one to iron out with your cloud provider to ensure that there aren’t any gaps. In the Cloud Threat Report, we found that only 43 percent of organizations could correctly identify the most common IaaS shared responsibility model. Knowing what your responsibilities are is the first step to fulfilling them and keeping your organization protected. Mistake #2 Lack of Training One of the most common ways an organization can be breached is through the average employee. The number 1 and 2 most common attack vectors are phishing scams, and all it takes is one person making one mistake to expose your company. In this case, it’s training (and not some fancy tool) that will make the difference. Mistake #3 Lack of Automation The number 1 challenge for security organizations is being able to detect and react to cloud threats. In the Cloud Threat Report, only 14 percent of respondents said they were able to analyze all of their relevant security event and telemetry data. This lack of insight usually happens because cloud services are rolling out faster than SecOps can support them. In order to combat this problem, organizations need to remove manual processes and introduce more automated responses to risks. We’re past the point of hiring our way out of this problem. There just aren’t enough of us. We need assistance in the form of automation. Mistake #4 Lack of Compliance Organizations are struggling with not only how to meet, but also maintain their compliance requirements globally. A key distinction that companies often miss is that compliance doesn’t necessarily mean security. Compliance is primarily about data confidentiality, integrity, and making data available. You can be compliant and still get breached. Still, it’s difficult to meet your compliance goals if you don’t have an expert heading up the charge. You really need somebody who knows their stuff, can see the whole picture, and can determine how your organization can best tackle its compliance responsibilities. Mistake #5 Lack of Leadership It’s become a real struggle for security teams to rein in lines of business who think they can get their cloud services out “faster” if they skirt the security process. These projects often hit a snag when their owners realize that they have to meet the company’s security requirements. One of the reasons this happens is that lines of business don’t see how involving security operations early is actually an advantage for them. The key here is leadership. By having someone who can help internal groups see an efficient path to deployment and check all the necessary boxes, organizations can both protect themselves and get what they need sooner. Ultimately our confidence in the cloud is well placed. All we have to do is update our thinking to match our technology. For more detail on these mistakes and how to avoid making them, see our on-demand webcast “Sharing the Cloud Security Responsibility and Mitigating the Top 5 Risks.”  

Organizations are increasing their cloud adoption, but they aren’t necessarily keeping pace with their security practices. Every year Oracle and KPMG collaborate on the Oracle and KPMG Cloud Threat...

In today’s changing threat landscape, organizations need to make smart and innovative decisions in order to stay a step ahead of cyber threats. Organizations utilizing innovative cybersecurity best practices in their hybrid environments are able to effectively keep pace with the ever changing security and compliance landscape. Oracle offers a suite of security cloud and on-premises solutions that enable customers to implement and manage consistent security policies across the hybrid data center. A challenge for one customer, UBI Banca, was complying with GDPR while maintaining excellent customer experience for their different types of clients. They selected Oracle CASB Cloud Service to enable them “to detect and respond not only to potential threats but also data leakage and to better meet [their] regulatory requirements”. This Italian banking group was able to achieve a 50% reduction in time to discover new security threats and an 80% reduction in manual investigation time for security incidents with Oracle CASB Cloud Service. For Pragmatyxs, a solution provider based in Seattle, security was a primary concern since many of their customers are in highly regulated industries. Pragmatyx opted for Oracle Identity Cloud Service (IDCS) to protect their data. With Oracle IDCS, Pragmatyxs has been able to take advantage of global SSO capabilities to manage users globally within a unified dashboard, easy integration within Oracle cloud ecosystem, and much more. Overall Pragmatyxs was able to maximize value while minimizing cost and time spent. You can learn more about how Oracle Identity Cloud Service and Oracle CASB Cloud Service helps customers secure their cloud environments at Oracle OpenWorld this year. Troy Kitch, a Sr. Principal Director for Product Marketing at Oracle, will lead a customer panel on how Oracle security helps organizations “face external cyber threats, internal fraud, and the growing complexity of regulatory compliance regulations”. You don’t want to miss this session - Customer Panel: Tips and Tricks for Security at Cloud Scale. To attend Oracle OpenWorld (and this session), register here.

In today’s changing threat landscape, organizations need to make smart and innovative decisions in order to stay a step ahead of cyber threats. Organizations utilizing innovative cybersecurity best...

Everyone with even a mild understanding of cybersecurity knows that the threat landscape is evolving and growing ever more complex by the day. The accessibility of the Dark Web has made advanced threats readily available to anyone with the cash and desire to steal data and inflict harm. “Set and forget” solutions and mentality will not keep an organization safe in this reality. Supplementing your in-house security team with an augmented on-demand security operations center (SOC), combined with a modern, cloud-based application security solution, is the new imperative for a robust cybersecurity posture. SOC skills in high demand  Every organization needs highly skilled cybersecurity talent, but let’s be honest, it is not an equal opportunity market. Companies like Google and Facebook can recruit top talent with attractive packages and perks, but where does that leave everyone else? Many companies now generate significant revenue streams and store large amounts of highly sensitive data that make them targets for attack. Smaller third-party organizations, which probably don’t have large security teams, act as go-betweens for larger companies that do, like production houses or law firms. No matter how small you think you are, lacking resources is not an excuse. Even if you do have the budget and in-house talent, an external, supplemental SOC provides a valuable second set of eyes on your security. Some of the largest breaches we’ve seen recently were a result of human error, such as not updating a policy or patching a server. An external team, working to provide oversight and an outsider’s perspective, combined with a cloud-based application security platform will add an extra layer of protection and supervision. Harness the latest technology The quality of a SOC is no longer measured by the number of bodies in seats but by the caliber of its technology. An external security team should be using the latest advances in technology and methods such as cloud-based solutions utilizing machine learning and automation. Many solutions, particularly those that are on-prem, require someone to come out to your site, set up the hardware and train someone on your team how to use that hardware. This process can take months, and by the time it’s completed, the solution may already be outdated and a couple months after that, the one person on your team who knows how to use it may be moving on. We believe that the solution provider should also be able to provide onboarding and continued management through an external SOC that use modern, cloud-based and agile application security solutions that scale and integrate as your company grows. Automation is key Automation is a key component for a robust external SOC. Many alerts don't need to be treated by humans. They can be treated directly by an advanced solution’s security engine, which uses machine learning and other techniques to monitor, classify, and escalate incidents. Human intervention occurs when the machines say, "Dear human, I haven't seen this one before. I need some help to understand what is happening." That way, SOC analysts can focus on these alerts rather than spending their time tuning. This also helps eliminate false positives and the draconian measures taken to avoid them. It’s really as simple as that. Automation does not have to mean complication. This is not science fiction - the machines are not going to rise up and do everything, they are an extension of the security team in the same sense as an external SOC. Because monitoring and alerting of low-level incidents is automated, the human security analysts must be of a very high caliber. When alerts come to them, they have to react quickly and treat each one as a legitimate threat. They have to discover, analyze, and respond -- and they have to do it very, very fast with the tools and knowledge to thoroughly investigate and mitigate. For these reasons, a SOC analyst is one of the most difficult people to find in cybersecurity today. A solution that provides managed services can share its analysts' expertise with customers that would otherwise be unable to recruit or retain that level of talent.  Bucking the trend  Despite these benefits, some organizations are hesitant to augment externally their SOCs or bring in outside talent to supplement their own. It goes against conventional wisdom.  Security is typically the most conservative department within an organization. Traditional thinking says if there is an attack, they are the ones who are responsible – and perhaps the only ones to know. An augmented SOC provider needs to win their trust. As the threat landscape continues to evolve, more and more organizations must embrace this approach and realize that truly strong protection includes an external extension of the SOC, with modern, automated and almost always cloud-based application security platforms.

Everyone with even a mild understanding of cybersecurity knows that the threat landscape is evolving and growing ever more complex by the day. The accessibility of the Dark Web has made...

For many government IT leaders, topics such as cybersecurity and IT modernization are front and center these days. As one of largest multi-sponsored trade shows for government technology, 930gov will tackle these and other key themes on August 28, 2018, at the Walter E. Washington Convention Center in Washington, DC. This year, presenters from Oracle will be on hand to deliver key insights on some of the most pressing issues surrounding government IT: Navigating the Cyber Landscape in Government, Hayri Tarhan, Regional Vice President, Security and Management Cloud, Oracle Public Sector In one recent study, 49 percent of technology professionals said they had slowed their cloud adoption due to lack of cybersecurity skills. The situation is especially perilous for government agencies, which often represent "ground zero" in the cyber wars; a big digital footprint with lots of potentially valuable data makes government a prime target. As spear phishing, ransomware, hacktivism, and election tampering have become full-fledged industries, conventional security approaches can no longer be trusted to secure mission-critical agency data. This session will explore the latest tools and strategies, including cloud solutions designed to be secure at every layer. A complete cloud solution offers global access controls for onboarding and offboarding employees, with the cloud provider continually investing in security at every level as part of its overall design. Rather than tackle security piecemeal, the cloud can deliver an optimized security approach at every level of the technology stack, leveraging a broad portfolio of data security and encryption products at the applications, infrastructure, and systems hardware layers. IT Modernization in Government—The Right Approach at the Right Time, Aaron Cornfeld, Group Vice President Sales Engineering, Oracle Public Sector and Higher Education A recent survey found that IT modernization remains solidly entrenched among the top priorities of senior government IT leaders, 72 percent of whom say that legacy systems still make up more than half their applications. The cost and complexity of maintaining those systems has made modernization an ever more pressing priority. Government IT managers also are under regulatory pressure to upgrade. This spring, for instance, the White House released the President’s Management Agenda, which calls for IT modernization as well as enhanced technology around data, accountability, and transparency. The Modernizing Government Technology Act, likewise, calls for sweeping improvements to government’s aging IT infrastructure. A modern IT infrastructure is, after all, foundational to every other initiative, including cybersecurity and citizen experience. Cloud services across SaaS, PaaS, and IaaS offer the clearest path for success—helping to reduce costs while delivering optimal security. A complete and integrated cloud services solution can help government agencies ensure compliance, while simultaneously offering a straightforward path for legacy IT systems transformation. In keeping with the regulatory call to modernize, the cloud enables government IT to fully leverage transformational technologies, such as machine learning and blockchain. With its inherent flexibility and scalability, the cloud empowers modernization by enabling IT leaders to quickly and easily spin up new business processes. This means technology leaders have a freer hand to innovate faster with less risk, thus easing the burden on the IT workforce while accelerating time to value. Improve Citizen Experiences—Build Trust with Modern CX Technologies, Kerry McKay, SaaS Cloud Specialist, CX, Oracle Public Sector If citizen experience lies at the heart of government IT, it’s fair to say that many government agencies still have a long row to hoe in delivering the kind of digital encounters that inspire full confidence in constituents. According to one study, fewer than 20 percent of citizens trust the federal government to do the right thing always or most of the time. With citizen confidence in government this low, it becomes incumbent upon IT leaders to take action. At the same time, citizens increasingly trust the technology in their personal lives to build relationships, buy homes, change goods and services, and much more. This opens a window of opportunity. Government IT leaders can leverage an outstanding citizen experience not just to deliver needed services, but also to build trust. Successful efforts like the cloud-supported app deployment by the city of San Jose help demonstrate the art of the possible. *** It’s clear that cloud computing will be a common theme running through the presentations at 930gov this year. This reflects a growing interest by Federal agencies. In fact, one recent study predicts that by 2020, 50 percent of new IT spending will be on cloud implementations—a sign that many are looking to a balanced cloud approach, with an emphasis on hybrid cloud strategy. While cloud may not fix all that ails government technology, a thoughtful and thorough cloud implementation does address many of IT’s most pressing concerns. Security: Cloud security can be tailored end to end, rather than managed piecemeal at various levels across the IT infrastructure. This unified and coherent approach can ease the pressure on talent-strapped IT operations, while simultaneously ensuring that the public trust is upheld. Citizen experience: By making it easier to test and deploy new apps, and by allowing for the rapid scale-up of the most heavily used sites and applications, the cloud enables government to deliver a new level of citizen experience, thus helping government to regain trust and confidence. Modernization: For government technology chiefs and agency heads eager to shed the weight and expense of legacy systems, the cloud presents a means to rapidly and affordably access new capabilities, offering a viable path for migration toward a modernized infrastructure. Join us at 930gov: visit www.930gov.com to learn how. For more information on Oracle's secure and integrated cloud services, please visit www.oracle.com/gov.

For many government IT leaders, topics such as cybersecurity and IT modernization are front and center these days. As one of largest multi-sponsored trade shows for government technology, 930gov will...

When I started working in IT security many years ago, it was a very different world to what it is today. For example, Identity and Access Management platforms were extremely new. It was back in the days when companies such as Netegrity, Oblix, and Thor were still in their early days. Centralised IAM was still a vision for many organisations. In fact, most average-sized companies hadn’t even realised they needed single sign-on, never mind actually having a plan or project to deliver it. The reality was that each application had its own user store with its own password, and roles and privileges were handled in each application silo. Remember, this was before the days of standards we have come to take for granted, like SAML. Then we moved to a more platform-based, especially around middleware. IAM as a platform started to gain adoption. Companies recognised the importance of centralising IAM, either because of internal transformation programmes, risk, or regulation. Whilst some organisations never quite reached the nirvana of a fully-integrated IAM platform, completely automating their joiners, movers, and leavers, handling certifications, and segregation of duties etc, many did (and continue) to get value from their IAM platform. I use IAM as the example but this has spanned many areas of security as companies moved from silo’d solutions to enterprise class solutions. There are well recognised benefits to moving away from silo’d solutions to more centralised, enterprise class capabilities across many areas of security. However, it seems that Cloud may be in danger of undoing much of that thinking and evolution. We know that organisations are using an average of 6 cloud providers to run their workloads (State of the Cloud – Right Scale, 2016). This fits well with the cloud model of picking the best place to run different workloads. However, the challenge is that each of these cloud providers come with their own set of security controls and capabilities. In many cases, those security tools and capabilities are specific to that cloud provider’s services. This isn’t a lack of foresight on the cloud provider, but, in most cases its by design. For example, Amazon provides IAM capabilities for managing users and their access to AWS. That isn’t an enterprise IAM capability; it is specific to AWS. As Amazon’s website states:   “Use AWS Identity and Access Management (IAM) to control users' access to AWS services. Create and manage users and groups, and grant or deny access.”   There are lots of other examples of this both within Amazon and other cloud providers. Take threat detection as another example, as Amazon states:   “Amazon GuardDuty is a managed threat detection service that provides you with a more accurate and easy way to continuously monitor and protect your AWS accounts and workloads.”   Microsoft takes the same approach for threat detection: “With Azure Security Center, you get a central view of the security state of all of your Azure resources.”    I understand their rationale for doing this, focusing on delivering capabilities for their own cloud platform, and in some cases such as IAM, it would be impossible to provide a cloud service without delivering such a capability. However, in today’s market, where organisations are taking services from multiple cloud providers, this means that companies are being forced to move back towards a silo’d aproach to security, having to configure and manage the same security capabilities separately in each cloud provider’s platform. Security is all about bringing together knowledge to gain greater insight and intelligence into threats, risks, and attacks. It’s hard to do that from multiple, silo’d platforms. That’s before we even consider the increased cost and complexity associated with managing multiple silo’d solutions. Therefore, it’s important when you are looking at security capabilities from cloud providers to understand how much coverage they give you across your entire estate, not just for that cloud provider, but across all of your cloud providers. We need to ensure that we don’t go back to individual security silos or we are making it too easy for the bads guys to win. Here at Oracle we are working hard to deliver a cloud security portfolio that is heterogeneous and will support you and your organisation in delivering security solutions which work across your multiple cloud providers, whether SaaS, PaaS, or IaaS, whilst not forgetting about your existing non-cloud estate. Head over to the Oracle Cloud Security website if you want to learn more.  

When I started working in IT security many years ago, it was a very different world to what it is today. For example, Identity and Access Management platforms were extremely new. It was back in...

Whether driven by regulations such as GDPR, increased scale of data breaches, industry best practice, risk assessments, or migration of sensitive data to the cloud, the topic of data security is never far from the minds of CISOs and security teams within organisations. A common topic raising lots of questions for me at the moment is how secure my sensitive data is within the Oracle Cloud when using services such as Database Cloud Service (DBCS). This sensitive data could be financial data, personnel data, patient data, or intellectual propery. Irrespective, my answer is simple. “It is at least, if not more, secure than it currently is in your on-premise database”. This surprises many people due to the continued mis-perception that the cloud is always less secure than a database sat behind an organisation’s own firewall. However, when, according to Verizon's 2018 Data Breach Investigation Report, 28% of attacks involve an insider, this still poses a significant risk. Therefore, I wanted to take a bit of time to explain the rationale behind my response and how I justify it. There is no single, silver bullet for securing your data within a database. Ask any security professional and they will tell you that there are many attack vectors and threats, requiring a range of different mitigating controls. Those controls can be a mix of technical controls or manual controls, always combined with the associated processes. For example, you can’t have encryption if you don’t have key management processes. Looking at the technical controls, they are a mix of out-of-the-box controls available within a core database system, as well as (usually chargeable) security add-ons. For example, within the Oracle Database, figure 1 below shows some of the standard security capabilities built into the Oracle database.                               Figure 1 – Standard Oracle Database Security Capabilities In addition to the above standard security features, Oracle provides a wide range of additional security options to provide a further level of mitigating security controls. These include those shown in figure 2 below. Figure 2 – Oracle Database Security Options Why is this relevant to putting sensitive data in the Oracle cloud and specifically DBCS? Simple, the Oracle database is the Oracle database. It is the same database regardless of whether you are using it on-premise or in the Oracle Cloud as DBCS. It is the same product with the same set of standard security controls and security options. You don’t have to buy a different set of products or make any changes to your database or security tools as there is no difference. Similarly, there are no new skills to master for your DBAs and security teams. What’s more, I said in my opening statement that Oracle DBCS is “at least, if not more secure”. How do I justify that? When you install the Oracle database yourself on-premise (or in another cloud provider), you have to buy all of the additional options that you identify a requirement for from figure 2. Once purchased, you have to configure them. However, within DBCS we already configure and include some of those for you. For example, regardless of which DBCS edition you choose from, at-rest encryption is enabled by default for all database instances. If you choose Enterprise, High Performance, or Extreme performance editions of DBCS, additional security options like Privileged User Control (Database Vault), Data Masking and Subsetting, and Label Security are also available to you. This means, through inclusion of capabilities like at -rest encryption by default, in many cases you will already be starting off with a more secure baseline than you have on-premise. Of course, you can have the best products with the best security tools, but if you mis-configure them, or even worse, don’t configure them at all, then you might as well not have them. I can buy the best firewall in the world, but if I put a rule allowing any source to access any destination on any port, then I’m asking for trouble (please don’t try that). Unfortunately, this is something we see far too often and are trying to educate our Oracle database customers on how to make their databases more secure. Within Oracle’s Solution Engineering team (the team I work in), we offer free of charge database security risk assessments to our customers, where we run an assessment to understand the current security status of one or more of your key databases. We then provide recommendations and an action plan to help you become more secure. One of the really interesting observations from my perspective, is that we are seeing evidence that there is often a lack of basic security. Just to be clear, this isn’t about selling as many database security options as possible, it’s about getting the basics right. More often than not, the standard database tools aren’t being used correctly, or indeed at all. Here are the most common mistakes we see over and over again: Sharing passwords No logging Poor patching No encryption Excessive privileges For more details, check out this video. Therefore, when considering security of your sensitive data in the database, make sure you have the basics right. If you need help, reach out to us. This applies equally to your on-premise databases as it does to your cloud databases. Remember, it’s the same product! Finally, if you think that your organization could benefit from a Database Security Risk Assessment, please reach out to me or your local Oracle contact. Alternatively, if you want a more lightweight approach that you can run yourself, please download the excellent, free Database Security Assessment Tool.                      

Whether driven by regulations such as GDPR, increased scale of data breaches, industry best practice, risk assessments, or migration of sensitive data to the cloud, the topic of data security is never...

Back again by popular demand, Oracle is once again re-introducing the Oracle Cloud Security Day series to a location near you! Organizations are being impacted more than ever by common mistakes as they lift and shift their workloads and programs into the cloud. Answering the common question of "How secure is the cloud" is an half-day event that dives into the common mistakes organizations are making as they engage in their new cloud journey, and share some of the best practices these organizations are now taking to overcome the increased risk.  The morning session will focus on real-world, high-risk use cases, led by Oracle and KPMG Security specialists. In the afternoon session, Oracle experts will help guide you through a hands-on test drive of Oracle Security and Management cloud services against some of these high-risk scenarios.  Attendees will also gain a deeper understanding on the risks and threats to cloud, identified in this years Oracle and KPMG Cloud Threat Report. At the end of the test drive, attendees will understand basic concepts and be provided hands-on exposure to: Top 5 security threats impacting enterprise cloud Oracle Cloud Security and Management Services that prevent and remediate real world threats Hands-on test drive of Oracle Security and Management Cloud Services Find your city below for full session description, agenda and dates: Seattle, WA                  8/21/18 Houston, TX                 8/23/18 Minneapolis, MN         8/29/18 Atlanta, GA                 9/25/18 Denver, CO                  9/27/18  

Back again by popular demand, Oracle is once again re-introducing the Oracle Cloud Security Day series to a location near you! Organizations are being impacted more than ever by common mistakes as...

It's 2018 and technology continues to evolve at a rapid pace. Unfortunately, many organizations haven't seemed to figure out how to fend off attacks and they just keep coming. As noted in the new Oracle interactive Ebook, Intelligent, Automated Security, companies are battling a relentless struggle against highly motivated adversaries. Organizations are scrambling to find new, cost effective ways to transform their business - security needs to be at the forefront of that strategy. New threats are emerging, technologies using machine learning, AI, and bots can all be used maliciously. These attacks can cost organizations millions of dollars and damage customer trust. There is a heightened sense of urgency as many IT organizations realize their traditional security solutions are no longer keeping pace with the current threat landscape. Threats continue to pour in, while organizations struggle to keep adequate expertise on hand.  For example, many teams are experiencing alert fatigue, a concept detailing missed malicious attacks due to the sheer number of false positive alerts from siloed systems. In a recent survey, 42% of respondents reported ignoring a significant number of alerts because they simply receive more than they could handle. In response to this, Oracle is taking a new approach to security. Oracle's Identity-based Security Operations Center (SOC) enables organizations to manage authentication, assign risk scores, and automate remediation across your environment. All without human intervention. Every IT organization is unique and with Oracle's comprehensive suite of technologies - you have flexibility and choice. Understanding common challenges and how organizations defend themselves is crucial. Read the new Oracle Cloud Ebook Intelligent, Automated Security,  for more information on the current threat landscape and Oracle's approach to securing hybrid clouds. This interactive book takes you on a journey through some of the most pertinent topics in cybersecurity. It is also a great opportunity to hear directly from customers and experts in your industries on how they have used Oracle Cloud to innovate their business.

It's 2018 and technology continues to evolve at a rapid pace. Unfortunately, many organizations haven't seemed to figure out how to fend off attacks and they just keep coming. As noted in the...

Did you know Oracle has one of the biggest security practices in the United States?  When you think about breach remediation, your first thoughts may be FireEye or PwC, but the reality is, once you get past the network tier, Oracle takes over because our technologies are usually in place in the Web, Application and the database tiers. In the end, hackers are after data in databases.  Many times, hackers are not even attacking your systems; they are hacking your people.  Do you think your employees are up to the task to stop a cyberattack? If hackers can penetrate the most secure organizations in the world, then they no doubt circumvent your organization’s security controls to get inside of your company. As companies continue to battle against attacks, Oracle is working to provide customers with solutions to strengthen security. One valuable service Oracle provides is the Database Security Risk Assessment (DBRA) where we will ensure you are configuring your databases to reduce security risks.  We will also demonstrate how a threat actor could potentially hack your organization.  We have been providing this service for the last 7 years and it is a very mature program.  Along with the DBRA, Oracle provides the Cloud Security Assessment (CSA) which extends the DBRA into your Cloud Platform. In a Cloud Security Assessment, we will evaluate your current cloud security posture.   Leveraging our Cloud Access Security Broker (CASB) and Oracle Management Cloud (OMC), we can calculate a risk score for every user accessing your Cloud environment to give you visibility into who is accessing your Cloud environment and what actions they are taking. We can also give you insights into the health of your infrastructure and understand the patterns of your workload and what to expect in the future in terms of performance and reliability. Your security responsibilities will differ depending on your SaaS, PaaS or IaaS deployment.  Various public clouds have different security capabilities, it is important to understand what you are receiving from a cloud service provider (CSP). The following questions are important to consider when selecting a CSP and while evaluating your environment:  Does your CSP encrypt data at rest and in-flight? Do they offer both stateful and stateless firewalls? Do you have a Firewall in front of your Systems?  A Stateful Firewall?  Can you implement Network Address Transaction (NAT)?  Have you implemented multi-factor authentication?                                                        As an Oracle customer, the first step is to download the DBRA. Once enrolled, we can provide you with a report on your environment detailing the following 6 domains: data privacy, controlling access to data, systems health, user management, configuration and auditability/visibility. How do you feel about your Cloud Security Architecture?  As shown in the image above, do you think the dials of your report will be all green, indicating low risk?  If not, schedule a Cloud Security Assessment and improve your security to where it needs to be.  It's free program for Oracle customers and takes about 2 days of your time.  

Did you know Oracle has one of the biggest security practices in the United States?  When you think about breach remediation, your first thoughts may be FireEye or PwC, but the reality is, once you get...

You could be forgiven for not being crystal clear about how secure your data is, or would be, in the cloud. On one hand, there’s the argument that security in the cloud has gone from being a barrier to maybe even being an incentive for moving your data and applications to the cloud. On the other, there’s a constant cadence of headlines and news spots detailing the latest security breach. At least some of this confusion comes from the perception that the cloud relieves businesses of all their prior, on-premises responsibilities. Whether it’s the cloud providers who have over promised or users that have underestimated their obligations, this set-it-and-forget-it mindset has clouded—pun not intended—our judgement when it comes to cloud security. The truth is that the cloud, in all its forms, does offer significant security advantages. For example, the Oracle Cloud can apply patches in real time, shoring up vulnerabilities that might, in an on-premises world, leave your systems exposed until you could take them offline and apply the patch yourself. Considering the number of attacks that sneak through while security patches are waiting to be implemented, this is a real advantage. But too often we mistake the fact that the cloud offers security advantages for the belief that the cloud is a security panacea and that the cloud service provider will take care of most security issues. Truth is, there’s a lot that your cloud provider can do to help, but they can’t do everything. For instance, take the employee who shares his password with another coworker or the person who has access and maybe even steals sensitive company information. There’s little that a cloud service provider can do to prevent these behaviors without input from its customers. Of course they can detect suspicious behavior around that credential once it happens. But by then, it may be too late. This is where the concept of shared responsibility comes into play. And all that really means is getting crystal clear on what your cloud service provider is responsible for when it comes to management and security and what you as the customer are responsible for. It sounds simple, but depending on how many different cloud providers you have, it can get complicated quickly. In fact, in the recent Oracle and KPMG Cloud Threat Report, we found that only 43 percent of organizations could correctly identify the most common IaaS shared responsibility model. The results were even worse for PaaS and SaaS. So, where do you start? Turns out there are some fairly simple things you can do to separate your responsibilities from your cloud service provider. 1. Read your contract and SLA. Your contract and service level agreement should clearly outline what responsibilities you own. You might discover that you’re covering many of these responsibilities already, or you might learn that there are inconsistent gaps from one cloud service provider to the next, which will require you to do additional checks and balances. The important thing is to know your role. 2. Have good conversations with your cloud provider. This won’t replace reading your contract, but it will give you a place to start and help you clarify any questions. This can also help you keep on top of your cloud provider and make sure they’re delivering what they promise. With Oracle, any customer can request full visibility audit reports that share any patch or vulnerability information to better understand if your data has ever been at risk. This is an important question to ask of any cloud service provider to find out if the same level of visibility can be provided across all services. This is key for compliance reporting in today’s organizations. 3. Appoint a cloud security quarterback. Having one person that has their thumb on what your business is responsible for is crucial to making sure all sides are living up to their end of the bargain. Plus, this position—which is often called a cloud security architect—can work with both the security team and the applications teams to make sure they know all the best practices and regulatory compliance objectives. 4. Avoid the cloud rush, and pace yourself. Many organizations are rushing applications and workloads into the cloud at a rate faster than their own SecOp teams can catch up with or respond. It is important to go about your cloud journey at pace that ensures no gap or exposure is left in the open as new services come online. At the end of the day, the benefits your cloud service provider offers you more than likely greatly outweigh the responsibility you incur as part of your relationship. The key is to identify those responsibilities and figure out how to address them. For more pointers on shared responsibility, join our upcoming webcast (Aug. 16 at 10 a.m. PT), where we’ll cover the top five cloud transition mistakes organizations make, how to mitigate them, and the top questions to ask your cloud service provider.

You could be forgiven for not being crystal clear about how secure your data is, or would be, in the cloud. On one hand, there’s the argument that security in the cloud has gone from being a barrier...

By Pedro Lopes, Product Manager, Oracle Database Security It has been a great year for Oracle Database Security Assessment Tool (DBSAT) so far. We have over 8000 customer downloads since January 2018! We are also increasingly seeing that our customers and partners are finding new use cases and expanding usage for DBSAT to gain maximum value from the tool. For instance, in order to help comply with GDPR, DBSAT Discoverer helps find personal data in several Oracle Databases. It grabs the JSON output and feeds a BI dashboard that displays sensitive data found by category. We also had a high uptake in our Oracle User Group sessions and the value is clear from the multiple new articles written by the community. Thank you! In case you have missed the announcement, we released Oracle Audit Vault and Database Firewall BP8 in June which has the ability to import data from the DBSAT Discoverer output to add sensitive data context to the new Data Privacy reports. To learn more about this functionality, please refer to “Importing Sensitive Data Into AVDF Repository” in the Oracle Audit Vault and Database Firewall Auditor's Guide. Today, we are excited to announce the release of DBSAT v2.0.2 which adds support for DBSAT Discoverer to connect to Database servers over SSL channel. DBSAT Discoverer can now connect to Exadata Express Cloud Service and Autonomous Data Warehouse Cloud. We will continue to enhance DBSAT further throughout 2H 2018. Some of the enhancements under consideration include: Update the integration of DBSAT with orachk and exachk Add new sensitive data pattern files in several European Languages DBSAT development is community driven, If you have suggestions/recommendations/requests that will help us improve DBSAT please reach out and let us know. Oracle Openworld is coming up in October 2018 in San Francisco where we will have sessions on DBSAT. If you haven’t already, please register here Learn more about DBSAT here  

By Pedro Lopes, Product Manager, Oracle Database Security It has been a great year for Oracle Database Security Assessment Tool (DBSAT) so far. We have over 8000 customer downloads since January 2018!...

87% of respondents in the recent Oracle and KPMG Cloud Threat Report (CTR) reported having a cloud-first orientation within their organization. The cloud is here to stay. However, with widespread adoption, comes an expanding list of challenges and new considerations. Customers rapidly adopting the cloud must also consider how their security solutions can keep pace. Keeping Pace The CTR goes into great depth on this concept. Traditional security procedures are no longer enough for a mobile, digital workforce. It is important to remember that cloud is all about choice and flexibility. This means that customers can retain aspects of their traditional on premises security solutions and begin to incorporate new cloud based solutions overtime. With that being said, the time to consider innovating your security posture is now. Recent data breaches have largely been attributed to human error or cloud account misconfigurations. These attacks can be fiscally devastating, ruin brand reputation, and can even mark the end of a C-level executive's time at the company. The stakes are high. Breaches and Regulations Everywhere you look there seems to be a new breach on the news, exposing sensitive personal information or company financial data. This issue is not unique to any industry and is a primary reason security has become a priority for so many organizations. Not to mention, harsh compliance regulations are continually cracking down on corporations. Organizations simply cannot afford to cut corners in today's hybrid cloud environment. What can companies do to increase their security posture and remain compliant with regulations such as GDPR? First and foremost, "Transparency is key," as Akshay Bhargava, vice president of the cloud business group at Oracle, mentions in 5 Strategic Priorities for Chief Security Officers in 2018. Bhargava later goes on to explain the importance of an incidence response plan, which can be used to quickly respond to an attack and minimize the damage. Companies should explore cloud security options that can help them better monitor their environments and protect them in the event of an attack. When working to comply with these regulations, it also important to maintain visibility into your entire cloud and on premises environment. Threats Modern businesses thrive off of fast development and lowering costs, both undoubtedly accelerated by cloud. The threat landscape has also exploded through these innovations. Overall cloud adoption has created a lack of visibility - leaving companies vulnerable to attack. The CTR explains that today's threat landscape is diverse and hackers aren't always sitting in a dark room millions of miles away. They are everywhere and they are after your data. Attacks can be brought on by nation-states, cybercriminals, and even insiders. Organizations face a wide range of threats including malware, phishing, and theft of credentials. Companies must defend themselves at every layer of their environment. They must also turn to a more Identity driven approach for cybersecurity. By shifting the focus to identity, companies have more control to isolate root cause of a breach or attack, especially those carried out by an insider or by a hacker using stolen, but authorized credentials. Tracking a user's normal behavior enables cutting edge technologies to automatically take action against anomalous behavior by sending out a Multi-Factor Authentication code to a user's phone.  Building a Defense Each organization has a unique journey to the cloud. They must also discover the security solutions that will work best to protect their environment. As cybersecurity threats continue to rise, qualified talent has not been able to scale. Simply too many alerts and not enough expertise to keep up. Companies need to shift toward intelligent solutions that can help them better predict, prevent, detect, and respond to threats. Creating an innovate security environment allows you to gain visibility and intelligence - it is a vital component in the battle of cybersecurity. For more details, please visit the Oracle Security page.

87% of respondents in the recent Oracle and KPMG Cloud Threat Report (CTR)reported having a cloud-first orientation within their organization. The cloud is here to stay. However, with...

It’s the second year Oracle has joined forces with Inc. Media to survey leaders of America’s fastest-growing companies to find out, among other things, what they credit their success to and what their spending priorities for the year are. As you can imagine, amidst all the responses, there were some interesting findings. Like this plot twist: when asked to identify their main obstacles to growth and the biggest contributors to their success, the executives gave the same answer: scalablity, talent, and sales/customer retention. Basically, what landed them on the Inc. 5000 is also what they fear might throw them off.  For these companies, short- and long-term success relies heavily on growing sales and managing the customer relationship (47 percent of respondents named this as a leading success factor), and having and holding on to the correct talent (this came in at a close second at 42 percent). What keeps business afloat is also what can upend the entire apple cart. According to these small-to-medium business (SMB) executives, the #1 reason for success is customers (a healthy 58 percent of respondents cited customer experience as the leading driver of success). Yet those same leaders stated that managing security was their lowest spending priority. And only nine percent of the SMBs surveyed stated that data security was the most important area of investment for 2018. Keeping customers happy and offering a satisfying experience requires keeping their data safe and secure. So why is it then that data security, one of the biggest threats to the health of the customer relationship, ranked so low? Perhaps the reason is buried in misplaced fear and misunderstanding. Let’s unravel this a bit. These Companies Know What They Are Doing First, to land on the Inc. 5000 list, you have to pull off some rather impressive feats of business. The list isn’t a popularity contest, it’s a ranking based on financial statements that cover a three-year period. So yes, the people running these companies know what they’re doing. Achieving triple- and quadruple-digit growth for multiple years is not a fluke. If we dig a bit deeper into the responses, we’ll find that 42 percent of respondents stated that integration across all their cloud products was their biggest objection and obstacle in the cloud. And for 28 percent of them, their biggest objection to using cloud is data security. But this is where the goodness lies. Concerns about security and integration are one of the reasons to go toward the cloud − not away from it. The cloud shouldn’t be viewed as a barrier to success. The contrary. It should be an enabler. Here’s why: Piecing together solutions to solve problems only as they arise will result in a platform that doesn’t work well in the long term. For fast-growth companies like those on the Inc. 5000 list, a future-growth approach works best. The right cloud vendor can create a strategic plan that integrates solutions that are scalable–growth can be accommodated quickly and as needed with systems that all work together. Again, your IT infrastructure should enable growth, not constrain it.  As SMBs move more critical data to the cloud, security should scale with it to enable a secure environment beyond the firewall. Since not any one stop-gap will halt all threat factors, when data sits within the Oracle Cloud, it’s protected with multiple layers of defense built-in from the app down to the database. Among the respondents who stated that security was their most important investment area in 2018, 47 percent said improving awareness of best practices and training was a main focus. This is wise. In the recent Oracle and KPMG Cloud Threat Report, 97 percent of organizations surveyed require that all or most cloud services be approved by the IT/security team, yet 82 percent of those same organizations express concern that employees and teams are violating those policies. A cloud access security broker (CASB) solution can close the gap by monitoring cloud accounts and preventing inside fraud with better processes and more awareness. For example, Oracle’s CASB solution can look at more than fifty-thousand types of SaaS apps, (Oracle and non-), giving IT a view into what their users are accessing (shadow IT), enabling consistent security control. No matter the size of the company or whether you’re on this year’s list of the Inc. 5000 (and congratulations if you are), security should be a top priority, particularly if you want to stay in the business of growth. If you want to know more about what it takes to make it to the Inc. 5000, read the complete report.

It’s the second year Oracle has joined forces with Inc. Media to survey leaders of America’s fastest-growing companies to find out, among other things, what they credit their success to and what their...

Identity and Access management (IAM) has been the main area of focus for most of my career. I have seen lots of changes over that time as trends come and go, and as you would expect, am regularly talking to customers about their IAM strategies (or lack of). Probably the biggest change around IAM in recent years has been Cloud Identity, or Identity-as-a-Service (IDaaS). I hear lots of IAM conversations from customers talking about whether they have an on-premise strategy, a cloud strategy, or a hybrid strategy.  Cloud Identity does indeed provide many benefits over on-premise IAM, but isn’t a silver bullet. It also has its limitations. I can understand some IDaaS vendors pushing customers down the Cloud Identity route. After all, as the famous saying goes “If you only have a hammer, then everything looks like a nail”, meaning that, if you only offer IDaas, then that is always going to be your answer. Whilst Cloud Identity does indeed have a lot of benefits, it’s not always the answer and very rarely the only answer for larger organisations. Some organisations can’t adopt Cloud for a number of reasons Organisations typically have lots of existing on-premise applications and infrastructure that they can’t just forget about and doesn’t always lend itself to IDaaS integration. IDaas doesn’t always provide the flexibility needed by larger, more complex organisations Even those organisations who have a commitment to move to cloud still have to work out their migration and how they manage their existing estate. In my experience it is only the smallest, simplest (from an IT perspective) companies, or the cloud native companies that can easily adopt just IDaaS. Therefore, for most companies, hybrid is the answer, taking advantage of the best of both worlds. Using IDaaS to give you the speed and agility whilst using on-premise IAM to deliver the flexibility and deep integrations needed by many applications. Some industry leader have used the term bi-modal IT and I think it applies perfectly to IAM. Delivering IAM choice and flexibility Oracle’s IAM platform is all about delivering that flexibility and choice to customers. We have the benefit of years of experience in IAM, delivering a market leading on-premise IAM platform. That is still the case today and is a key part of Oracle’s IAM strategy. Oracle also consistently appears as a leader within IAM assessments and reports from industry analysts. We also recognise the importance of Cloud Identity and deliver an IDaaS platform that, not only delivers key IAM capabilities across heterogeneous clouds for our customers, but also underpins Oracle Cloud, showing its strategic importance for Oracle. So, let’s look back at those challenges I identified earlier. Some organisations can’t adopt Cloud for a number of reasons Yes, I have talked to companies who, for whatever reason either can’t or don’t want to move to Cloud. However, that doesn’t mean that they should be left at a disadvantage. Oracle can still deliver on this bi-modal IAM vision for these customers. Our on-premise IAM platform can be delivered, well, on-premise, but we can also deliver our IDaaS platform, Identity Cloud Service, into the customer’s data centre, through our Cloud at Customer. This means that customers can get the speed and agility of IDaaS, whilst still being able to meet their most sophisticated use cases through the Oracle IAM platform, all delivered behind their firewall and in their data centres. Organisations typically have lots of existing on-premise applications and infrastructure that they can’t just forget about and doesn’t always lend itself to IDaaS integration. Again, here Oracle offers customers a choice. The Oracle IAM platform can of course address these existing applications. However, Identity Cloud Service is also constantly being updated and can now reach back into the enterprise to support non-Cloud applications. I have written an article about that recently. This choice of approaches allows customers to make their IAM journey to the cloud  at their pace and under their control. IDaas doesn’t always provide the flexibility needed by larger, more complex organisations This comes back to my earlier point around choice. IDaaS isn’t always the answer (or not always all of the answer). Oracle’s IAM platform can support those advanced use cases requiring that extra flexibility, not usually seen in IDaaS solutions. What's more, deciding you have a need to use on-premise IAM doesn't mean long, expensive projects. For example, you can deploy on Oracle Cloud (either in public cloud or using Cloud at Customer mentioned earlier). This helps you get out of the business of running physical machines. If you don't have the skills or resources to manage it, you can also look to Oracle Managed Identity Services, who can manage your Oracle IAM platform (running in Oracle Cloud) on behalf of your organisation. So, this means, a customer gets the benefits of the flexible, feature-rich capabilities on the Oracle on-premise IAM, but without the headache of installing/running/managing the platform. So, in summary, is on-premise IAM dead as the world looks to Cloud Identity and IDaaS? Absolutely, not! Certainly, within Oracle, there are strong roadmaps for both our on-premise and IDaaS platforms as both remain strategic for our customers who are still deploying both. Hybrid is not going away any time soon and Oracle is there to support you on your IAM journey, whatever flavour of deployment that looks like.      

Identity and Access management (IAM) has been the main area of focus for most of my career. I have seen lots of changes over that time as trends come and go, and as you would expect, am...

Written By: Patrick McLaughlin, Security Architect and Oracle Fellow Introduction to the right to Erasure The EU GDPR regulation[1] provides many rights to people who are located in the EU (European Economic area in fact).  The rights are described in Section 2 ‘Information and access to personal data’ in Articles 13-22.   Some of the rights were available prior to the GDPR; with strengthened rights under the GDPR, together with, the risk of high fines and other legal-remedies under the GDPR, all organisation providing goods and services to individuals located in the EU, are taking the rights of individuals, much more seriously. An individual’s rights can be exercised against the ‘data controller’, who is the organisation who decides to collect, process or store the personal information. The rights include: the right to get access to one’s personal data, the right to rectification if the data is inaccurate, the right to get data in a portable format, rights to restrict, block or object to the processing of one’s personal data, and finally and most importantly from the point of view of this article the right to erasure.  The right to erasure is also known as the right to be forgotten and enables a person (located in the EU) to request that data belonging to them be deleted, for example, if there is no legal basis for its continued processing.  The right to be forgotten was established in 2014 by the highest court in Europe the ECJ/CJEU, as a result of the Google Spain v AEPD and Mario Costeja González case. Traditional IT systems challenges with the right to Erasure The right to erasure creates challenges across all IT systems created over the past many decades.  There has been a lot of ‘IT-sprawl’ in the past 20 years with the proliferation of application and data silos, with considerable duplication of personal data in many different systems.  IT departments had the goal of ensuring high availability of data, including the availability of reliable backups of all data, typically over indefinite periods of time. The designers of applications and backup solutions did not and could not foresee the need to be able to selectively delete, personal data of individuals upon request, across structured and unstructured systems.      Introduction to Blockchain Blockchain is a relatively new concept and technology architecture, derived from the bitcoin architecture, but having application outside of crypto-currencies in business systems requiring a high degree of trust and ‘traceability’ between interacting parties.  In the past digital signatures based on Public Key Infrastructure were deployed as a solution to (dis)trust between interacting/transacting parties.  PKI solutions work well from a technical and legal perspective but they have not come into widespread use.  Blockchain, also signature-based, is regarded as a disruptive force that can make business engagement more efficient, change the structure of markets, and enable the creation of new services. Blockchain and the GDPR right to Erasure A Blockchain works by keeping a history, of all data written onto it, in principle, forever.  Newly written data is cryptographically related to all existing data on the blockchain by including the hash-of-existing-data into the newly computed hash that includes the new data.  Blockchains inventors, like traditional IT architects, did not foresee the need to delete data from the chain and instead highlight the strength of not being able to delete data (data-immutability).  One exception is that Accenture has patented a scheme for editing a permissioned blockchain which leaves a ‘scar’ – see here. In the absence of this editing capability becoming widespread, organisation are faced with the difficulty of complying with, the GDPR right to erasure, in conjunction with, gaining benefit of using blockchain technology.  The GDPR requires organisations, who have the role of a data-controller, and are exploring the use of new technologies, that may carry high risks ‘to the rights and freedoms’ for individuals, to carry out a data protection impact assessment, and there is detailed guidance on how to make such an assessment, from the Article 29 working party – see here.  Given blockchain is a relatively new technology and if a data controller will use a blockchain to, store, process or communicate personal data, it’s very likely they should carry out such a formal data protection impact assessment, and it will have to address, the difficulty of handling the legal right to erasure and rectification of personal data.  The controller may need to consult with their Data Protection Authority and be able to explain and convince the authority about their approach. Is hashed-data still personal data? It is generally accepted that writing business and personal data directly to a blockchain is undesirable as blockchains are not performant enough (yet), and instead a hash of the dataset should be written to the blockchain. In the GDPR, personal data has a very wide definition and includes any data item that could potentially be used to identify an individual. A somewhat surprising example is that a dynamic IP address can be personal data if it can be used to help identify an individual see here.  So, with the blockchain its necessary to think about the right to erasure of data concerning an identified or identifiable person. The personal data may not be secret, but its presence in a transaction on a blockchain is what an individual may wish to have deleted.  For example, an individual may want to erase the fact that they stayed at a hotel chain at a certain time, or that they bought medication over the internet for a certain ailment. It’s also possible that hashed personal data written to a blockchain could be guessed or found out by trial and error / brute-force-attack, in the same way that dictionary-attacks work to crack passwords - the complexity of doing so, will depend on the ‘formula’ for calculating what gets hashed, and the formula could be guessed or ascertained by other means.  The result is that simply writing hashed personal data to the blockchain that cannot be overwritten or deleted is incompatible with the need to delete data under the GDPR right to erasure.  Hashed data is more akin to pseudonymised data in GDPR terms, as the data subject is at least somewhat identifiable to the data controller.  Were this not the case, one has to ask how would the data controller process the hashed personal data? The assumption must be that they have the underlying data stored off the blockchain and they know the formula to check if that data is present on the blockchain e.g. by hashing some combination of attributes – otherwise what is the purpose of having data on the blockchain! Reconciling immutability with the right to erasure The obvious solution is to not write either personal data either, in-the-clear or in hashed format to a blockchain.  Below I discuss what can be done where one needs to write hashed personal data to the blockchain. The GDPR makes it clear that anonymised data i.e. data that in no way can be related back to an individual is not personal data. There is reference to ‘data rendered anonymous in such a way that the data subject is no longer identifiable‘, which begs the question how could one anonymise data. Hashing is not sufficient; however, encryption would do the job if the encryption key is immediately deleted. Not deleting the encryption key, would mean the data could be decrypted and hence the individual would be identifiable. So, a good solution would be to only store encrypted, hashed personal data on the blockchain and if a data erasure request is accepted, reliably throw away the encryption key(s) to make the data anonymous and un-recoverable.  This is the closest to full erasure than can be done.  Storing encrypted data clearly enhances the security of the stored data and given that having appropriate data security, is another requirement of the GDPR there is an additional benefit of encryption. A key management solution would be needed that would assist with data erasure, through key deletion. People will have the right to request deletion of a subset of their data, for example, if they withdraw their consent for some very-sensitive personal data to be processed. Therefore, sophisticated use of a key management solution that enables encryption of fine-grained personal-data would be required, as an accompaniment to the blockchain. Clearly the encryption keys should not be stored on the blockchain as the blockchain would not allow their deletion!  They could be stored in a simple, 2-column KeyID and Value database (relational or non-relational).  The value would be the personal-data-item encryption-key, itself encrypted using, a ‘master’ key-encryption key.  The KeyID would be derived, for example, by hashing the data being stored together with a nonce. The master key-encryption key could be stored in a Hardware Security Module, to increase its protection.  It’s likely that other columns will be needed e.g. to record the deletion of the encryption key in response to a specific data-erasure request, received from a specific person, at a specific time. An interesting legal question arises as to whether the organisation can / should record and store the request for Erasure and the action taken on the blockchain.  The benefit would be to have an dependable (perhaps immutable) record of the activity, as part of the formal record of processing, but what if a request is then received to erase all data identifying the same individual. Data controllers, need to consult their legal representatives on whether and where, such a record of erasure should be maintained as evidence of acting appropriately, on the original individuals request. When it comes to deleting personal data, not stored on the blockchain, today organisations are trusted to simply delete the data and confirm they have done so. By extension, the same organisation storing personal data on a blockchain, could be equally trusted to delete the encryption key, associated with that individual encrypted item. A more advanced encryption-key deletion scheme Instead of relying on a single key to encrypt and decrypt hashed personal data, it’s possible to split the encryption key into 2 or more parts, so that for example the data controller has one part and the individual has the other part.  To encrypt or decrypt data, both key parts would be needed.  Requiring m of n key-shares to enable encryption or decryption, is a well-established technique, even though its uncommon in commercial systems – see here. A 3-key, key management scheme is already in use, to enable the right to erasure, in a blockchain application that enables the storage of diplomas and degrees – see here.  The scheme has the following keys. Graduate Key –  the property of the graduate, integrated into the diploma’s URL. Persistent Key –  kept by the educational establishment. When the graduate wishes to exercise his or her right to be forgotten, she only has to destroy this key. School Permanent Key –  kept by the educational establishment. If the graduate deletes her key, the system will no longer be able to decrypt the diploma and thus the diploma is effectively anonymised/deleted. The graduate does not need to rely upon and trust the school/college to delete a single encryption key. Consequence for blockchain application developer Data-protection/privacy by design and default, is a key tenet of the GDPR and this principle is expected to be applied when developing new systems. To handle the right to erasure, an application developer must leverage a key generation function and encryption library to ensure that hashed personal data is encrypted before storing on the blockchain. A better alternative would be to make the encryption transparent for the developer so she can have personal data transparently encrypted using a dynamically generated key by simply calling a function that highlights the data as ‘personal’ so it undergoes the extra processing steps before storage:                put (bloodtype, Alice, blockchainX, personal) or putPersonal (bloodtype, Alice, blockchainX) A search function should be able to locate and transparently decrypt the data                get (alice, bloodtype, personal) -> Group AB An erasure function would have the effect of transparently deleting the encryption key resulting in:                erase (alice, bloodtype, personal) -> confirmed                get (alice, bloodtype, personal) -> Not found All of these functions should be under the control of an access management system so that only the right people or entities could read, write or delete personal data on the blockchain.  This article does not address the governance needed to handle erasure requests.  All erasure request will not be accepted so an approval process will be required, for example, request to erasure records with the tax department will not be accepted. A further alternative would be to have a personal data discovery function running in the background inspecting any personal data being: written, read or deleted on the blockchain and have it, transparently do the underlying encryption, decryption or key deletion as appropriate. Such an approach would need to be 100% reliable given the maximum fines under the GDPR of €20M or 4% of global revenue, whichever is higher, for infringing individuals rights, including the right to erasure and rectification of data. A final alternative would be to use a hybrid scheme where the functions are explicitly invoked, for example by smart-contracts (programs) and a process is additionally running and checking if data being written to the blockchain is personal data.  If so the write could be rejected if the data is not encrypted or the smart personal data detector could autonomously encrypt the data: a) to make it more secure and b) to ensure that the option is there to support a data subject erasure request. What about rectification of data The right to have inaccurate data changed is also enshrined in the GDPR.  Let’s say Alice’s blood-type is not in fact AB and should be O; there is a compelling reason to ensure this data-item is rectified. The solution would be to first erase the inaccurate data as above and add the correct blood-type to the blockchain at an appropriate location:                erase (alice, bloodtype, personal) -> confirmed             put (correctbloodtype, Alice, blockchainX, personal) For personal data update, a dynamic personal data update function could transparently invoke the same two functions and even transparently verify the result:                erase (alice, bloodtype, personal) -> confirmed             put (correctbloodtype, Alice, blockchainX, personal) get (alice, bloodtype, personal) -> Group O. This could be done for all occurrences of the same attribute on the blockchain. The programmer would simply have to call an update function with or without the personal flag: update (correctbloodtype, Alice, blockchainX, [personal])   Final words This article is intended to highlight a real problem with using blockchain technology to process personal data, to propose concrete candidate solutions, that can stimulate discussion on how real the need is and to help reach conclusions among stakeholders involved in the development and adoption of blockchain technology.   [1] European Parliament and Council Regulation 2016/679 of 27 April 2016, repealing Directive 95/46/EC (General Data Protection Regulation), OJ L119/1, http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN 

Written By: Patrick McLaughlin, Security Architect and Oracle Fellow Introduction to the right to Erasure The EU GDPR regulation[1] provides many rights to people who are located in the EU (European...

As the complex functions that web applications and services perform move closer to users, there is increasing demand for the real-time processing, creation, and exchange of data. Enterprises need to perform the same types of computations at the edge that they traditionally did in the data center. With that comes the need to protect those workloads at the edge as well. Edge computing security takes traditional protections that are done on premises or in the cloud and implements them in proximity to where users interact with data and services. In this interview, Nick Deshpande, principal, product strategy at Oracle, discusses a few of the benefits of edge computing security. What is the biggest advantage of the edge security approach? One of the main benefits of edge computing security is the ability to secure a workload no matter where it is and scale with that workload no matter how big it gets. When Pokémon Go does its giant meetups, for example, users put a huge amount of strain on local networks. Edge security can scale up and down quickly with the demands of those workloads without contributing to that strain. How exactly does this approach improve security? Enterprises have visibility right up to the edge of the network. You're not waiting for the data to come back in to your data center or cloud and be processed by some server. You can deal with any potential threats upstream, where the trusted and un-trusted zones meet. Are there any benefits of edge computing security when it comes to cloud migrations? Edge security is also a great fit for the cloud lift-and-shift use case. Enterprises may be concerned that they're going to have to sacrifice one security posture for another or go without security for a certain amount of time as they get situated in a new environment. They may worry about trying to take a security profile from their on-premises data center and trying to match it to a cloud provider’s environment. How do Oracle's edge services help with that? With our edge computing security approach, enterprises can establish a security profile that moves with their applications and services, regardless of hosting environment. Users have a consistent security layer, whether it's in a hybrid, public or multi-cloud scenario. So if you've already achieved compliance, you’re not going to lose that when you move to the cloud. With some cloud providers, everything is so baked in, it can be really tough to move workloads around or out of their cloud, or to work across multiple clouds when you need to. Being agnostic is a really big benefit.

As the complex functions that web applications and services perform move closer to users, there is increasing demand for the real-time processing, creation, and exchange of data. Enterprises need to...

Next Generation Cybersecurity Organizations are losing the cyber war. They can no longer rely on manual threat detection and respond to address today's sophisticated attacks. Additionally, organizations are finding it hard to keep pace with the volume of security alerts and growing scale of users, apps, and data. In fact, 51% of organizations say that they are unable to analyze the majority of their event data, (Oracle and KPMG Cloud Threat Report 2018). Organizations need to address these challenges with autonomous security. Join us at RSA Conference 2018 from July 25-27 in Singapore at Marina Bay Sands to discuss all these topics and more.   Visit Oracle at Booth #1203, Marina Bay Sands, Sands Ballroom, Level 5 Visit us at our booth to meet our Experts and learn more about: Oracle’s World First Identity-based Security Operations Center (Identity SOC) which provides comprehensive monitoring, threat detection, analytics, and remediation tools to stay ahead of threats. Sign up for an Oracle Cloud trial! Get free giveaway from us! Learn More about the Oracle and KPMG Cloud Threat Report 2018 The Oracle and KPMG Cloud Threat Report 2018 is the inaugural global survey of cloud security challenges, threats, and insights from security practitioners and decisions makers. This report compiles the findings from organizations across the globe that center on one common theme: that the cloud has created a strategic imperative to keep pace at scale. Attend our Keynote Session The Impact of Autonomous Security in today’s Threat Landscape (DETAILS) July 26, 2018 | 2:55 pm - 3:15 pm | Marina Bay Sands, Roselle Simpor Ballroom, Level 4 Speaker: Amit Zavery, Executive Vice President, Cloud Platform Abstract: The combination of sophisticated external attacks, and insufficient security skills in the industry, has intensified the challenges that enterprises face in the race to protect their core information assets. Combined with the move to Cloud and SaaS, the status quo is just not sustainable. Join Amit Zavery, EVP, Oracle Corporation in this keynote, as he shares the findings of the Oracle and KPMG Cloud Threat Report 2018, introduces the concept of Autonomous Security, and provides insights into how enterprises can be empowered to revolutionize and re-imagine their approach to information security and safeguarding their highly sensitive data.

Next Generation Cybersecurity Organizations are losing the cyber war. They can no longer rely on manual threat detection and respond to address today's sophisticated attacks. Additionally,...

Cloud adoption has become a global trend in business technology. However, security and compliance concerns are at an all-time high. Security has always been a cornerstone for IT organizations - but the increasing number cloud applications and continual pressure to lower costs have pushed the need for secure systems to the top of the list for everyone; from top level executives to everyday end users. This has left many organizations in a difficult position. They must consider how to meet their performance and cost goals, while maintaining a strong security posture. Secure technology transformation requires several considerations, but where can IT teams begin their journey? How will you choose to deploy your future environment? According to the Oracle and KPMG Cloud Threat Report, 83% of participants rated cloud security as good as or better than on-premises security. This is a testament to the growing number of organizations putting their data in the cloud and unlocking rapid business innovation. However, every organization has a unique journey to the cloud. Some opt for a hybrid strategy or elect to put new applications in the cloud as they transition to modern systems. Due to stringent data protection policies and industry standards, it is important to have options when moving to the cloud. Flexibility is key when making this transition, whether that be to private, public, or hybrid cloud deployments. Oracle Cloud at Customer is an avenue that has been widely explored by customers looking to gain speed and scalability in the cloud, while retaining control over their data. Keeping their data within the company's firewall, Cloud at Customer enables IT organizations to offload tasks such as patching, upgrades, and regular maintenance to the Oracle team, ensuring that their SaaS, PaaS, and IaaS environments are monitored around the clock. The data resides in the customer's possession, securely isolated with access only awarded to the proper administrators within their organization. Identity management that fits your environment As your cloud environment begins to grow, so does complexity in securing your deployment. Numerous applications spread across the business can often create information silos, making identity management a challenge. Ensuring that your environment is protected by a single solution to manage identities is extremely important for customers with hybrid environments. If a user profile is compromised, this can leave you vulnerable to attack.  Solutions such as Oracle Identity Cloud Service (IDCS) can block these actions by monitoring user behavior and recognizing anomalies in access times or locations. The system automatically launches Multi-Factor Authentication (MFA) actions to verify the user. Automated Machine Learning capabilities are critical to ward off stealthy attacks on sensitive data. Better yet, IDCS can be used to support your cloud journey, managing your users across public, private, and hybrid environments.   What are you looking for in a cloud service provider? Once you have determined the best plan of action for the previous two considerations. Consider one more. How can you find solutions that fit your needs and complement your existing environment? It is important to consider if a cloud service provider can integrate well with heterogeneous systems, enhance performance rather than hinder it, and promote your company's policies for compliance standards. To achieve this, look for a solution, or set of solutions, that come with inherent security features and offer you options to build out additional security functionality to suit your environment.   Striking a balance of seamless security integration across your environment along with enhanced performance and adherence to compliance policies can be a challenge. However, it is certainly attainable and unique to every customer. We encourage you to explore our Oracle Cloud at Customer and Security offerings

Cloud adoption has become a global trend in business technology. However, security and compliance concerns are at an all-time high. Security has always been a cornerstone for IT organizations -...

By Pedro Lopes, Product Manager, Oracle Database Security It has been a great year for Oracle Database Security Assessment Tool (DBSAT) so far. We have over 8000 customer downloads since January 2018! We are also increasingly seeing that our customers and partners are finding new use cases and expanding usage for DBSAT to gain maximum value from the tool. For instance, in order to help comply with GDPR, DBSAT Discoverer helps find personal data in several Oracle Databases. It grabs the JSON output and feeds a BI dashboard that displays sensitive data found by category. We also had a high uptake in our Oracle User Group sessions and the value is clear from the multiple new articles written by the community. Thank you! In case you have missed the announcement, we released Oracle Audit Vault and Database Firewall BP8 in June which has the ability to import data from the DBSAT Discoverer output to add sensitive data context to the new Data Privacy reports. To learn more about this functionality, please refer to “Importing Sensitive Data Into AVDF Repository” in the Oracle Audit Vault and Database Firewall Auditor's Guide. Today, we are excited to announce the release of DBSAT v2.0.2 which adds support for DBSAT Discoverer to connect to Database servers over SSL channel. DBSAT Discoverer can now connect to Exadata Express Cloud Service and Autonomous Data Warehouse Cloud. We will continue to enhance DBSAT further throughout 2H 2018. Some of the enhancements under consideration include: Update the integration of DBSAT with orachk and exachk Add new sensitive data pattern files in several European Languages DBSAT development is community driven, If you have suggestions/recommendations/requests that will help us improve DBSAT please reach out and let us know. Oracle Openworld is coming up in October 2018 in San Francisco where we will have sessions on DBSAT. If you haven’t already, please register here Learn more about DBSAT here  

By Pedro Lopes, Product Manager, Oracle Database Security It has been a great year for Oracle Database Security Assessment Tool (DBSAT) so far. We have over 8000 customer downloads since January 2018!...

Are you transforming the way you secure and monitor your business with Oracle Cloud Security Solutions? If yes, we want to celebrate you and your success with an Oracle Excellence Award. Every year Oracle aims to recognize outstanding cloud security customers who utilize Oracle security solutions to fuel innovation and elevate their business. Winners will be awarded with a complimentary pass to Oracle OpenWorld, a speaking opportunity at OpenWorld, and acknowledgment at a special ceremony to highlight their outstanding accomplishments. Nominations are open now until July 20, 2018, so submit today.   The Oracle Cloud Platform Innovation Awards were designed to celebrate customers who are dynamically driving business innovation with one or more Oracle PaaS solutions. Organizations can be nominated for their use of Oracle Cloud Security tools including: Identity Cloud Service, CASB, Configuration and Compliance, or Security Monitoring and Analytics. To find the full list of eligible solutions and categories, visit the nomination page for more details.   This is a fantastic opportunity to showcase business innovation in security. All  security customers and partners are encouraged to submit a nomination. The 2018 Oracle Cloud Platform Innovation award winners will be announced this September. As part of the Oracle Excellence Awards, recipients will be honored at Oracle OpenWorld amongst peers and thought leaders in several industries from across the globe. Once again, nominations are now open until July 20, 2018. We look forward to recognizing our innovative customers and partners!

Are you transforming the way you secure and monitor your business with Oracle Cloud Security Solutions? If yes, we want to celebrate you and your success with an Oracle Excellence Award. Every year...

“We have to reprioritize and rethink about how we defend our information. We need new systems: it can't be our people versus their computers. We're going to lose that war. It's got to be our computers versus their computers. And make no mistake: it's a war.”  These words from Oracle’s CTO and Chairman, Larry Ellison, are consistently validated in the news with headlines of the latest cyber attack and data breach. As an industry, we face too many security alerts, using manual and error-prone processes, not enough cybersecurity talent and insufficient tools. Due to increasing data breaches, industry and governments are introducing more regulations (i.e., European Union’s GDPR) that require better security. Oracle is uniquely positioned to help customers protect hybrid and multi-cloud environments by detecting, preventing and responding to today’s sophisticated security threats with minimal burden to overwhelmed staff. I would like to introduce Oracle's Trust Fabric, which is comprised of an integrated security portfolio designed for the entire IT ecosystem that includes Oracle and third-party on-premises, SaaS, PaaS, and IaaS environments. It is designed to proactively maintain security with a unified network of trust, a set of security tools, and a methodology. Using machine learning capabilities that automate a fast response, Oracle’s secure cloud platform is designed to address your IT governance and compliance requirements while protecting all your users, apps, data, and infrastructure.  The Trust Fabric security model is built around the notion of protecting mission-critical sensitive data and consists of seven layers: Data security (encryption, masking, redaction and user access controls) Encryption key management Identity and access management Cloud visibility and data loss prevention Cloud application firewall security Cloud infrastructure security Cloud monitoring and security analytics     The Trust Fabric can be implemented using Oracle’s integrated and open product and cloud services platform. Customers can use the entire platform together, or pick and choose the solution mix that meets their requirements.  The Trust Fabric seamlessly integrates the portfolio of Oracle security and identity software and cloud services enabling security interoperability. These security and identity solutions are integrated across the Oracle cloud and application portfolio providing enhanced enterprise-class security for your Oracle investments. Oracle's Trust Fabric incorporates autonomous technology using machine learning to quickly and automatically detect and resolve threats.  This is the “computer versus computer” paradigm that is going to allow us to win this cybersecurity war. Learn more about the Oracle's Trust Fabric and Oracle Security. 

“We have to reprioritize and rethink about how we defend our information. We need new systems: it can't be our people versus their computers. We're going to lose that war. It's got to be our computers...

By George Csaba Director, Product Management, Oracle Database Security   This month Oracle released Audit Vault and Database Firewall (AVDF) Release 12.2 Bundle Patch 8. This release includes new Data Privacy Reports to help users comply with privacy regulations such as GDPR. AVDF provides a first line of defense for databases and consolidates audit data from databases, operating systems, and directories to support monitoring and compliance reporting.  A highly accurate SQL grammar-based engine monitors unauthorized SQL traffic before it reaches the database.  Audit records from on-premises and cloud databases are collected for centralized management and provide monitoring, reporting, and alerting of anomalous activity across databases.  AVDF helps reduce the costs of regulatory compliance while giving administrators enhanced visibility into their IT operations. The new Data Privacy Reports in AVDF leverage sensitive data discovery results to set object level audit policies on data. These can be generated using either Oracle Enterprise Manager or Oracle Database Security Assessment Tool to run a data discovery job to search for sensitive data in Oracle Database secured targets. The sensitive data file is then imported into the AVDF repository and the Audit Vault Server GUI is used to view the related Data Privacy Reports. The reports provide information such as which users have access rights to sensitive data, as well as details of activity on sensitive data by all users, including privileged users. Here are some screenshots of the reports:   Some of the other new features introduced with this release of AVDF include: Collection of audit data from Autonomous Data Warehouse Cloud using AVDF’s hybrid cloud capability Support for UEFI boot mode installation enabling installation on Oracle Server X7-2 Incorporation of April 2018 Bundle Patch for Oracle Database 12.1.0.2, which includes the latest security fixes A complete list of the features and capabilities of this release is available in the release notes. To learn more about Audit Vault and Database Firewall, check out our AVDF Product Page on OTN. Learn more about Oracle Database Security Solutions  

By George Csaba Director, Product Management, Oracle Database Security   This month Oracle released Audit Vault and Database Firewall (AVDF) Release 12.2 Bundle Patch 8. This release includes new Data...

"As part of our business expansion, we were acquiring an increasing amount of group companies. To integrate the systems, we build a system that could immediately be deployed globally. We chose Oracle Identity Cloud Service and Oracle CASB Cloud Service to enhance security and monitor user activity. " - Kinji Manabe, General Manager, Business Management Department  Outsourcing Inc., headquartered in Tokyo,Japan, specializes in outsourcing for IT, manufacturing, and engineering companies. Managing 60,129  employees is not a simple task. The company was looking to monitor their user activity from multiple sources and integrate users across disparate systems. They were looking for a solution that could quickly scale and offer a user friendly experience. Outsourcing Inc. began their evaluation of Oracle Security cloud services following the acquisition of several new subsidiaries. Ease of use and increased visibility were some of the key benefits Outsourcing Inc. gained from the implementation of Oracle Identity Cloud Service (IDCS) and Oracle CASB Cloud Service.   Hear directly from Outsouring Inc. Learn more about IDCS and CASB.   

"As part of our business expansion, we were acquiring an increasing amount of group companies. To integrate the systems, we build a system that could immediately be deployed globally. We chose Oracle...

If there’s one aspect of GDPR that is likely to grab the attention of any CFO it is the potentially eye-watering fines organizations could be hit with if they are found to have breached the new data protection regulation. As the gatekeepers for the company finances, and often the boardroom owner of risk management, what CFO isn’t going to sit up and take notice when the sums involved could be up to €20 million or four per cent of annual revenue — whichever is larger? However, CFOs shouldn’t just be sitting in fear, hoping the day never comes when they have to pay out such a fine. There is much they should be doing to ensure their organization is prepared, starting with participation in cross-organization planning and an audit to ensure they understand the types of personal data that is being processed within their organization, where it resides, who has and needs access to it, and how their processing activities are affected by GDPR. For CFOs this process should include reviewing what data they hold, create and preside over with finance. That could include employee information such as payroll or salary data, as well as data held by suppliers, contractors and outsourcers who may report into the CFO. CFOs should be reviewing the contracts they have in place with those suppliers to ensure they are fit for GDPR. The Role of the CFO in GDPR Compliance Another key role of the CFO is ensuring the organization’s compliance efforts are properly funded and resourced. In order to do that, the CFO must understand the cost of compliance and where investment needs to be made in order to ensure it. This may well involve additional budgets for teams such as IT, which will certainly be at the sharp end of GDPR compliance, ensuring data is protected and structured in such a way that the organization can respond to requests from data subjects to provide, modify or delete data. However, to prevent the cost of compliance spiralling, CFOs will also need to ensure they understand which measures are essential and should maintain a cautious cynicism towards some of the requests for additional budget that may cross their desk. “This is needed for GDPR compliance” could be used to push through any number of purchases that may not be essential. This is all the more reason why the CFO needs to ensure they are on top of GDPR and what it means. There is still some uncertainty surrounding what will happen after the GDPR deadline of 25 May. But whatever happens, the CFO needs to be prepared. There are clear opportunities which can arise in a data-driven economy for any organization that improves its data handling and usage practises. CFOs should therefore be weighing the potential upside of GDPR and the way it could help them unlock valuable insights, improve operations, know their customers better and become more responsive to risks and opportunities. However, as a final consideration, CFOs may also choose to plan for the potential downside. For all the planning there may be some organizations who are caught out and hit with fines — or potentially law suits. While they should of course do all they can to ensure that is not their organization, some CFOs may still choose to plan for the worst and put aside funding as an insurance policy against those eye-watering fines. Learn more about how to comply with GDPR regulations.

If there’s one aspect of GDPR that is likely to grab the attention of any CFO it is the potentially eye-watering fines organizations could be hit with if they are found to have breached the new data...

By Anita Salinas Healthcare organizations sit in a tough spot when it comes to embracing cloud benefits. On one hand, the cloud offers the cost savings and flexibility necessary for improving patient care. On the other, healthcare organizations have a duty and a regulatory responsibility to keep patients’ protected health information (PHI) safe. Fortunately for Oracle customers—and all those looking to realize the benefits of Oracle Cloud—that tough spot just got a whole lot more comfortable. Oracle recently achieved a series of HIPAA attestations for its Infrastructure as a Service and Platform as a Service offerings. These attestations are in addition to already HIPAA-attested Oracle Software as a Service solutions as well as Service Organization Controls (SOC) 1 and SOC 2 audits/reports for Oracle Cloud. Together, these attestations and audits open the door for healthcare organizations to confidently run mission-critical workloads containing PHI in Oracle Cloud—whether hosted by Oracle or behind the organization’s firewall with Cloud@Customer. For forward-thinking healthcare organizations looking to lower costs while improving patient care, here are three benefits that can be realized by adopting Oracle Cloud. 1. Planning for Peak Periods Few industries outside of healthcare can more clearly draw a line between resource conservation and customer benefit. Lowering costs, saving time, and alleviating the demand on staff all lead to better patient care. Trouble is that while some high-demand periods are predictable (open enrollment, for example), others (a late flu season, an epidemic, or just a particularly busy time) can put an unexpected strain on resources. With Oracle Cloud, healthcare organizations can glide through usage spikes knowing that supply will always meet, but not exceed, demand and that they’ll only pay for what they use. Plus, with Oracle’s unprecedented scale, performance, reliability, and autonomous features, healthcare companies can rest assured that their workloads running on Oracle Cloud can handle the busiest times. In fact, a very large healthcare organization is projecting a 37 percent decrease in total cost of ownership and $17 million in savings over three years by running its TriZetto Facets Claims workload on Oracle Cloud. 2. Embracing New Technology Wearables and IoT offer an unprecedented opportunity for healthcare organizations to understand patient needs, make personalized recommendations, and reward positive behavior—all of which can improve care and outcomes. But the tidal wave of PHI associated with these devices is enough to make most run for cover. With Oracle Cloud and its recent HIPAA attestations, healthcare organizations can now embrace these cognitive technologies knowing that protected health information is just that—protected. Plus, the reduced cost of storing data, extreme scale, and Oracle Cloud performance make this former patient-care dream a potential reality. 3. Actionable Insights with Predictive Analytics In the healthcare industry, highly trained professionals make medical miracles happen every day. But even with all the training in the world, you’d be hard pressed to find a clinician who wouldn’t welcome even just a little more information if it meant a better diagnosis, treatment, or outcome. Payers can also benefit from a better handle on determining whether the effectiveness of a specific treatment justifies its cost. Predictive analytics can assist in making these important decisions. But there are challenges. Not only do the sheer amounts of protected data make it difficult, but the number of different kinds of data—both structured and unstructured—stand in the way. Oracle Cloud, backed by recent HIPAA attestations, can help here as well. For example, one healthcare organization is analyzing massive amounts of data about cancer drugs and treatments and correlating those with patient outcomes to determine more effective treatment protocols. Bottom line, modernizing health IT in the cloud accelerates speed to market, reduces cost, and improves patient care and outcomes. Oracle Cloud, offering a broad range of HIPAA-attested cloud services, makes cloud benefits accessible to forward-thinking healthcare organizations. And with enterprise-class performance, scalability, reliability, and end-to-end security baked in, all kinds of healthcare organizations can run their most mission-critical workloads in the Oracle Cloud with complete confidence.  To learn more about what Oracle Cloud can do for your business, join us for our webcast on June 21, where we’ll discuss how healthcare organizations are succeeding with Oracle Cloud. Editorial contribution by Amanda Dyer.  

By Anita Salinas Healthcare organizations sit in a tough spot when it comes to embracing cloud benefits. On one hand, the cloud offers the cost savings and flexibility necessary for improving patient...

By Russ Lowenthal Data is the most valuable IT asset, but if not protected can become your biggest liability. EU GDPR is now being enforced (with the first GDPR lawsuits filed the very first day of the new law), and there is a global trend toward privacy legislation that mirrors GDPR. These new data privacy laws combined with weekly revelations of significant data breaches are driving organization to focus more and more on how to protect their sensitive data. The bad guys are after your data, and they are winning far too often. Hackers exploit unpatched systems; leverage weak, default, and stolen passwords; and slurp up unencrypted data wherever they find it. One of the many lessons in this year's Verizon Data Breach Investigations Report is that databases are high value targets.  In fact, Verizon highlights databases as THE top asset involved in the most significant data breaches. It's time to turn the tide and lock down these valuable data repositories. Gartner Security & Risk Management Summit 2018 is quickly approaching. Attending the event?  Please join Vipin Samar, Oracle's Senior Vice President of Database Security on Wednesday, June 6, to discuss the latest innovations in securing databases both on-premises and in the cloud. Learn how with multiple rings of control, you can protect your data from the bad guys and ensure regulatory compliance. Title: Don't forget to cover your assets!  Oracle on Data Security Wednesday, June 6: 10:45 a.m. to 11:30 a.m. in Annapolis 1        Speaker: Vipin Samar, Senior Vice President Database Security Abstract: Data is the most valuable IT asset, but if not protected can become your biggest liability.  Join Oracle to discuss the latest innovations in securing databases both on premises and in the cloud.  Learn how preventive and detect/respond controls can secure your Oracle and non-Oracle assets, help ensure compliance to EU-GDPR and similar regulations, and simultaneously deliver a step-function improvement in your SOC efficiency. See you there!  

By Russ Lowenthal Data is the most valuable IT asset, but if not protected can become your biggest liability. EU GDPR is now being enforced (with the first GDPR lawsuits filed the very first day of the...

By Russ Lowenthal Data is the most valuable IT asset, but if not protected can become your biggest liability. EU GDPR is now being enforced (with the first GDPR lawsuits filed the very first day of the new law), and there is a global trend toward privacy legislation that mirrors GDPR. These new data privacy laws combined with weekly revelations of significant data breaches are driving organization to focus more and more on how to protect their sensitive data. The bad guys are after your data, and they are winning far too often. Hackers exploit unpatched systems; leverage weak, default, and stolen passwords; and slurp up unencrypted data wherever they find it. One of the many lessons in this year's Verizon Data Breach Investigations Report is that databases are high value targets.  In fact, Verizon highlights databases as THE top asset involved in the most significant data breaches. It's time to turn the tide and lock down these valuable data repositories. Gartner Security & Risk Management Summit 2018 is quickly approaching. Attending the event?  Please join Vipin Samar, Oracle's Senior Vice President of Database Security on Wednesday, June 6, to discuss the latest innovations in securing databases both on-premises and in the cloud. Learn how with multiple rings of control, you can protect your data from the bad guys and ensure regulatory compliance. Title: Don't forget to cover your assets!  Oracle on Data Security Wednesday, June 6: 10:45 a.m. to 11:30 a.m. in Annapolis 1        Speaker: Vipin Samar, Senior Vice President Database Security Abstract: Data is the most valuable IT asset, but if not protected can become your biggest liability.  Join Oracle to discuss the latest innovations in securing databases both on premises and in the cloud.  Learn how preventive and detect/respond controls can secure your Oracle and non-Oracle assets, help ensure compliance to EU-GDPR and similar regulations, and simultaneously deliver a step-function improvement in your SOC efficiency. See you there!  

By Russ Lowenthal Data is the most valuable IT asset, but if not protected can become your biggest liability. EU GDPR is now being enforced (with the first GDPR lawsuits filed the very first day of the...

IT professionals in every industry are searching to gain higher visibility and control over the use of cloud applications within their organization. This situation is not unique to a company based on size, industry, or location. As monitoring the cloud has become a common challenge in digital transformation, some companies are taking steps to change. Marlette Funding, a financial services technology company based in Wilmington, DE, wanted to better understand the actions of their employees and their 270,000 customers. Selecting the right cloud monitoring solution was extremely important to the company's Chief Information Security Officer, Chet Sharrar, the company evaluated several cloud service providers and did a thorough evaluation of their requirements. Marlette Funding built a strong partnership with Oracle and gained greater visibility into their cloud based environment through Oracle CASB.   The journey to adopting Oracle CASB, was prompted by several challenges, including: The need for visibility into the configuration of cloud services. Limited number of staff members and consolidated tools to complete administrative tasks. Lack of evidence demonstrating effective operation.   As a financial institution, ensuring compliance with security and information movement standards was paramount. CASB enabled their limited IT staff to set configuration controls and collect actionable evidence on the effectiveness of their operations. Three years later, Marlette Funding's use of CASB has matured and grown across their cloud environment, creating visibility and peace of mind.   Watch the full video featuring Chet Sharrar and learn more about how Oracle CASB and Oracle Security can support your compliance and cloud security strategies.    

IT professionals in every industry are searching to gain higher visibility and control over the use of cloud applications within their organization. This situation is not unique to a company based on...

Organizations are adopting the cloud across the stack, that is, applications (SaaS), platforms (PaaS), and infrastructure (IaaS). While cloud adoption started with applications, in the past few years, adoption of cloud infrastructure has grown rapidly. For example, the recent Oracle-KPMG Cloud Threat Report, 2018, found that 51% of the respondents were actively adopting IaaS, and a vast majority of them (81%) leverage more than one cloud IaaS. In fact, RightScale’s “2018 State of the Cloud Report”, found that 35% of businesses plan to increase their spend on public cloud services by 50% or more. While these statistics are quite staggering, the security challenges that are posed by this growth can be quite significant. While there is general consensus that there is a lot more comfort and confidence about security in the cloud, the biggest challenge we have seen is how IaaS services can be configured and monitored for security. Many organizations struggle with the shared responsibility model for security in the cloud, particularly as it relates to securing IaaS. One of the challenges they face is defining what secure use of IaaS is and who is responsible for it. While the services themselves are inherently secure and provide many options to fine-tune security, these services may be misconfigured, or may not adhere to the information security team’s standards. The ephemeral nature of the services makes it harder to manage. Leveraging multiple vendor services across departments/business units adds to the complexity. While each of these IaaS solutions is secure, information security teams and SOC operators do not have to use multiple tools for managing a consistent security posture, monitoring usage and configuration changes across IaaS solutions and gaining visibility into SaaS applications. The above challenges are discussed in greater detail in an upcoming webinar. Tune in and listen to Arun Goel, Director of Product Management for Oracle’s Cloud Access Security Broker (CASB) Cloud Service, and other industry experts discuss these issues and potential solutions to address these challenges.

Organizations are adopting the cloud across the stack, that is, applications (SaaS), platforms (PaaS), and infrastructure (IaaS). While cloud adoption started with applications, in the past few years,...

Well, it's only 5 days to go until the infamous GDPR deadline of 25th May 2018 and you can certainly see the activity accelerating. You would have thought that with the deadline so close, most organisations would be sat back, relaxing, safe in the knowledge that they have had 2 years to prepare for GDPR, and therefore, are completely ready for it. It's true, some organisations are prepared and have spent the last 24 months working hard to meet the regulations. Sadly, there are also a significant proportion of companies who aren't quite ready. Some, because they have left it too late. Others, by choice. Earlier this week I had the pleasure of being invited to sit on a panel discussing GDPR at Equinix's Innovation through Interconnection conference in London. As with most panels, we had a very interesting discussion, talking about all aspects of GDPR including readiness, data sovereignty, healthcare, the role of Cloud, and the dreaded Brexit! I have written before about GDPR, but this time I thought I would take a bit of time to summarise three of the more interesting discussion topics from the panel, particularly areas where I feel companies are struggling. Are you including all of your personal right data? There is a clear recognition that an organisation's customer data is in scope for GDPR. Indeed, my own personal email account has been inundated with opt-in consent emails from loads of companies, many of whom I had forgotten even had my data. Clearly, companies are making sure that they are addressing GDPR for their customers. However, I think there is a general concern that some organisations are missing some of the data, especially internal data, such as that of their employees. HR data is just as important when it comes to GDPR. I see some companies paying far less attention to this area than their customer's data. Does Cloud help or hinder GDPR compliance? A lot was discussed on the panel around the use of cloud. Personally, I think that cloud can be a great enabler, taking away some of the responsibility and overhead of implementing security controls, processes, and procedures and allowing the Data Processor (the Cloud Service Provider) to bring all of their experience, skill and resources into delivering you a secure environment. Of course, the use of Cloud also changes the dynamic. As the Data Controller, an organisation still has plenty of their own responsibility, including that of the data itself. Therefore, putting your systems and data into the Cloud doesn't allow you to wash your hands of the responsibility. However, it does allow you to focus on your smaller, more focused areas of responsibility. You can read more about shared responsiblity from Oracle's CISO, Gail Coury in this article. Of course, you need to make sure you pick the right cloud service provider to partner with. I'm sure I must have mentioned before that Oracle does Cloud and does it extremely well. What are the real challenges customers are facing with GDPR? I talk to lots of customers about GDPR and my observations were acknowledged during the panel discussion. Subject access rights is causing lots of headaches. To put it simply, I think we can break GDPR down into two main areas: Information Security and Subject Access Rights. Organisations have been implementing Information Security for many years (to varying degrees), especially if they have been subject to other legislations like PCI, HIPAA, SOX etc. However, whilst the UK Data Protection Act has always had principles around data subjects, GDPR really brings that front and centre. Implementing many of the principles associated with data subjects, i.e. me and you, can mean changes to applications, implementing new processes, identifying sources of data across an organisation etc. None of this is proving simple. On a similar theme, responding to subject access rights due to this spread of data across an organisation is worrying many company service desks, concerned that come 25th May, they will be inundated with requests they cannot fulfil in a timely manner. Oh and of course, that's before you even get to paper-based and unstructured data, which is proving to be a whole new level of challenge. I could continue, but the above 3 areas are some of the main topics I am hearing over and over again with the customers I talk to. Hopefully, everyone has realised that there is no silver bullet for achieving GDPR compliance, and, for those companies who won't be ready in 5 days time, I hope you at least have a strong plan in place.

Well, it's only 5 days to go until the infamous GDPR deadline of 25th May 2018 and you can certainly see the activity accelerating. You would have thought that with the deadline so close,...

Those immortal words "Elvis has left the building" struck many as the point of the night when the King of Rock would wrap his performance and leave the stage/venue.  Have you reached your own "Elvis" moment in your organization's approach to where your data resides?  Has it officially "left the building"?  Do you find more sensitive data, than ever, resides in the cloud and it's alarming to consider that fact knowing you lack some processes and controls? Unless you have been hiding under a rock over the last month, you have missed the exciting news of Oracle and KPMG jointly releasing the Oracle and KPMG Cloud Threat Report 2018.  One of the many topics we highlight in this in-depth report, is the challenges created from a more mobile workforce, coupled with broad cloud service adoption. Key findings from this report include 90% of organizations categorize half or more of their cloud-resident data as "sensitive". Compare that with the alarming statistic that 82% of cyber leaders are concerned that employees do not follow cloud security policies. We clearly need to better understand the challenges and risk, as we know Elvis isn't coming back. KPMG is hosting a replay of a very topical webcast for Oracle ERP customers that help them understand some of these challenges and how to easily overcome them with the proper people, policies and technology to ensure a more secure experience against fraud and abuse. Join this encore webcast presentation for an overview of: The cloud adoption and threat landscape Cybersecurity challenges Identity management in the new paradigm of anyone, any device, any location Leading practices and strategies in managing and remediating cloud risk Speakers for this Webcast are: Nick Seeman, Director, Oracle Security and Controls, KPMG LLP Greg Jensen, Senior Principal Director, Security - Cloud Business Group, Oracle @gregjensen10 To watch this streaming encore presentation now, click here

Those immortal words "Elvis has left the building" struck many as the point of the night when the King of Rock would wrap his performance and leave the stage/venue.  Have you reached your own "Elvis"...

By Vidhi Desai, Senior Principal Product Marketing Director, Cloud GTM Security, Oracle With the May 25 deadline for the European Union’s General Data Protection Regulation (GDPR) fast approaching, the reality is starting to hit home for companies of all sizes. There are hefty fines for noncompliance from the European Commission, but that is only part of the story. The ultimate toll for failing to adopt these important data security measures is arguably far greater, particularly for small- and medium-size businesses (SMBs). No Flying Under the Radar By this point, most companies, regardless of size, location or industry, have heard about GDPR. While this regulation is aimed at giving European Union (EU) citizens more control over their personal data and identifiable information, GDPR has far-reaching implications not just for large European companies and multi-nationals, but for SMBs based outside of the EU. Nevertheless, many non-EU SMBs still assume that GDPR doesn’t apply to their business – when in fact even indirect connections to EU citizens, such as an employee's spouse, put companies in the purview of this regulation. Have no mistake: The EU-U.S. cross-border connection is strong when it comes to GDPR requirements! Other misconceptions abound. One that comes up frequently, for example, is that regulators will initially focus on the largest companies, buying smaller enterprises more time to comply with GDPR requirements. The reality is that enforcement of GDPR will be coming from many different angles and include various data subjects, including individual consumers who suspect and report data security concerns. Meanwhile, any security breach would immediately raise the question of compliance. Given that cybersecurity attacks against SMBs have become more prevalent and data protection has become more important than ever, no organization should assume that it is absolved from the new EU regulation – all SMBs should be GDPR-compliant. For a more detailed overview of GDPR, download the white paper, Accelerate Your Response to the EU General Data Protection Regulation (GDPR) with Oracle Cloud Applications.   More Than a Slap on the Wrist In a global economy where data is a valuable resource, more companies have come around to the idea that GDPR compliance is more than just a regulation – it's an opportunity. Moreover, the cost of non-compliance is significant, whether infractions come to light via a routine audit of data protection, or a data breach. GDPR fines will be issued under two levels, based on the nature of the infringement, the type of data, and the history of infractions, among other criteria. The lowest level of GDPR fines will be up to €10 million, or 2% of worldwide annual revenue of the prior financial year, whichever is higher. The highest level of GDPR fines, meanwhile, can go up to €20 million, or 4% of annual revenue turnover. In addition to these penalties, EU and U.S. companies will need to contend with the cost of legal counsel, mitigation, customer relations, and public relations if they don't prepare for GDPR readiness. Finally, and perhaps most worrisome, is the potential damage to a brand’s reputation. While the impact of reputation is often impossible to quantify, it is arguably one that matters most of all. For growing SMBs, the loss of customer trust – via personal data breach, fines GDPR fines, or otherwise – could be the death knell of a business. Given everything that is at stake, updating security practices and infrastructure for GDPR before the end of May 2018 is a small price to pay for ensuring the ongoing success of your organization. To learn more about getting your organization on the path to GDPR compliance, download the paper, “Helping Address GDPR Compliance Using Oracle Security Solutions.”

By Vidhi Desai, Senior Principal Product Marketing Director, Cloud GTM Security, Oracle With the May 25 deadline for the European Union’s General Data Protection Regulation (GDPR) fast approaching,...

Written By: Tansy Brook  Director of Product Marketing  Facebook LinkedIn Twitter Google Plus Email Comment No one wants to think that their business will be the target of a ransomware attack or cybersecurity breach. But, with more than 4,000 ransomware attacks reported daily since the start of 2016 the odds are not in your small-to-medium-sized business’ (SMB) favor. The question isn’t if, but when. However, while it may be impossible to fully prevent a network attack, you can be prepared. Creating an incident response plan and then practicing it before anything ever goes wrong ensures that your SMB knows what to do if you become a victim. “You don’t want to wait until you are in the middle of an incident, running in emergency mode, to figure out how to react,” says Jay Patel, supervisory special agent with the Federal Bureau of Investigation’s Cyber Division. By having a security plan ready, your SMB can act quickly to remedy the situation—and hopefully, reduce the damage. When Do You Need to Build a Plan? (Answer: Yesterday) As soon as you have more than a couple of employees, and more than one software system, you should probably create an incident response plan. That’s because, from ransomware threats to business email compromise scams, cyberattacks aren’t just inconvenient—they can put your entire business at risk. “If you think it’s important enough to have a business, you should also think it’s important enough to protect it,” Patel says. Creating an incident response plan gives you the chance to think through and address multiple important issues. Not all businesses and data are equal. As the value and pace of data creation accelerates, the layers of complexity have grown exponentially. One of the biggest challenges is determining the amount of resources to allocate to a cybersecurity plan, through quantifying the costs associated with the risks to the business. “These are hard, but important, discussions,” Patel says. “You definitely want to have them before an event takes place.” As part of the process, your SMB leadership team must identify its sensitive information as well as the networks and files critical to the business function; they will need to discuss the hard costs, the potential impact on the brand, and disruption to the business. Cybersecurity spending is on the rise, “89 percent surveyed expect their organization to increase cybersecurity investments in the next fiscal year,” according to a recent Oracle and KPMG Cloud report.  Find out what the FBI recommends you do to protect your business from cyberattacks.   The Key Ingredients Every SMB’s cyber incident response plan is unique. However, most plans include some common security components. These include: Business critical information As noted previously, your plan will outline the operating systems and information that the business needs to function. This can include customer information, intellectual property, employee information, etc. In addition, understanding the value of the data shouldn’t be limited to one person. If they depart the business, it’s immediately at risk. Detection and containment methods Unfortunately, planning to 100% prevent a cyber attack isn’t really possible. Instead, an incident response plan will determine whether your SMB will detect an access breach or attack, and then how it will contain the security threat. Internal and external stakeholders Response plans also map out who may be affected by an attack, both within and also outside the organization and network. The security plan then denotes how you should notify these stakeholders. Outside vendors should be a part of a successful security plan. Often smaller companies will use Security-as-a-Service system. Circle of trust Ensure your vendors are trusted technology partners. The USA is a trust-based country, where companies and citizens take for granted that businesses are held to national security standards. But, the internet easily crosses borders, so it’s important to know where the vendor protecting your data is based.  SMBs should be wary accepting cybersecurity services from foreign or lesser-known companies, especially for penetration testing.  Fight bad tech with good tech The bad guys only need to get it right once, the good guys have to get it right all of the time. Each team member needs to be an amplifier of response, which can only be done by leveraging technology and making security part of a company’s DNA. Invest in advanced technology that automates event analysis and response, freeing up the human capital to focus on more complex issues. Cybersecurity is a growing area where technology and people can complement each other. Also, ensure that all of your systems are always-up-to-date. Cyberthreats are continuously evolving and your systems need to as well. Recovery and mitigation strategies A comprehensive incident response plan will prepare your SMB to recover lost files and information from the network, and lay out a plan for how to resume business after a cybercrime. Patel notes that plans should also address how to preserve evidence along the way, so that law enforcement can investigate what happened and who was behind the security attack.  Fortunately, you don’t need to create a cybersecurity plan from scratch. Both the National Institutes of Standards and Technology and the ISO 270001 provide frameworks that organizations can use to prepare an access incident response plan for computer systems. “Even a small business with five employees can utilize these guidelines,” Patel says. Plan, Practice, Repeat Incident response plans can’t be relegated just to your SMB’s information systems or one IT employee. For your plan to be effective, Patel notes that the organization’s senior leadership need to not only support the plan but also participate in its creation. “This is a business issue, and the business needs to be involved,” he says. In fact, Patel recommends that IT meet with their senior leadership regularly to discuss critical technology issues, network security, and educate the business side about what IT does and its resources. That way, when it comes time to create or update your incident response plan, non-technical leaders aren’t overwhelmed by the information. Once you’ve created your plan, the FBI suggests that SMBs practice it at least once a year as a general protocol. You may take your team offsite or find ways to make it fun. But ultimately, you want to run through the document to see what the response looks like in real life. Experiment with role-playing. That way you can identify holes in the security plan and discover what works and what doesn’t. Get in touch with your local FBI office to participate in local security events or host an information security day. The FBI has a number of resources to support SMB's. Build a relationship with them as part of your education and emergency plan, so you know who to go to in case of an emergency.  “Most organizations that practice a plan realize that many of their components fail,” Patel says. As part of your drill, your SMB should also preemptively reach out to your local FBI division to introduce your business and make sure you know whom to contact if something goes awry or a data breach arises. A cybersecurity incident response plan is a living file—one that requires at least annual review and updating. Take the time to make one, practice your emergency security plan and keep it current. If you do this, your SMB will be prepared for a cyberattack that hopefully never happens. For more information on the FBI's cybersecurity efforts, read their brochure, Addressing Threats to the Nation's Cybersecurity. Source: FBI.gov  

Written By: Tansy Brook  Director of Product Marketing  Facebook LinkedIn Twitter Google Plus Email Comment No one wants to think that their business will be the target of a ransomware attack or...

Written By: Tansy Brook  Director of Product Marketing For small and medium size businesses (SMBs), the risk of a cyberattack is no small matter. In fact, the average total financial impact of a data breach to SMBs is $117,000. The damages include everything from extra staff time and the hiring of outside consultants to lost business, personal information and public relations to help remedy the trouble. The far-reaching implications of a security incident can leave an SMB reeling. That’s why Trent Teyema, Chief of Cyber Readiness at the Federal Bureau of Investigation, says the most forward-looking small businesses not only focus on being prepared for an attack but also integrate that readiness into the fabric of their business. Today, cyberattacks aren’t a matter of if, but when. There are two types of businesses – proactive and reactive. Historically, cybersecurity followed a castle with a moat approach. We put the security around the technology, and nothing went in or out. But in today's, everything-connected world where systems are increasingly decentralized, cybersecurity needs to continuously evolve and be a top of mind consideration for everyone within an organization. Business leaders must constantly be weighing the risks and costs (both financially and loss of convenience) associated with their security plan. Here’s how you can make cybersecurity part of your SMB’s DNA: 1. Make information security a company priority. Gone are the days when your SMB’s cybersecurity efforts could be relegated to the IT team. With the threats multiplying, the most successful businesses now recognize that reducing the risk of cyberattacks is an operating effort that spans teams and encompasses the whole company. “You can’t think of security as a cost center anymore,” Teyema says. “Instead it’s about protecting the integrity of your brand—it’s an investment in your company’s future.” A recent Oracle and KPMG Cloud Threat Report 2018 found that 90 percent of information security professionals classify more than half of their cloud data as sensitive. Furthermore, 97 percent have defined cloud-approval policies, however, the vast majority (82 percent) noted they are concerned about employees following these policies. So what does that look like exactly? Teyema notes that different companies take different approaches. But broadly, he recommends identifying positions in the business that are specifically responsible for information security, and then also creating cross-functional teams—including people from marketing and legal—who are also involved in security efforts. Because the brand is ultimately at stake, Teyema says some SMBs are even housing their cybersecurity initiatives under the Chief Marketing Officer. The takeaway: Cybersecurity can’t be an afterthought, but instead requires proactive action and attention from multiple teams and systems. Ironically, as technology accelerates, people become more important. This is a situation where technology and people can truly complement each other. An increasing number of organizations are creating positions within the line of business to help bridge business expertise with IT. For example, companies using SaaS ERP and EPM applications, are beginning to create positions within the finance function that support the CFO and manage the evolving financial planning needs of the business as the finance function evolves to a more strategic partner within the business. Learn about the Top 6 security tips for SMB’s.     2. Train up young talent. New opportunities.  The tiny silver lining: The rise of cybercrime is actually generating jobs in the tech field. In one recent survey, IT professionals from across North America and Europe cited cybersecurity as the biggest area of skills shortage at their organization. SMBs may not have the budget or resources to compete for lots of high-level cybersecurity talent with bigger organizations. But Teyema says training up less experienced people can also help fill the need. “You want to do a little of both,” he says. “Hire one senior individual who has done this before, and then find some less experienced people who you are willing to invest in.” New programs are developing to meet the talent shortage. For example, at the new Merritt College cybersecurity program faculty includes industry CIO’s who instruct students using interactive scenarios built on virtual infrastructures and compete in National Cyber League events. These activities reflect the direct experience and collaborative mentality required to address the ever-evolving cyber risks. Additionally, through private, academic and public partnerships the school has established programs with the county that may help supplement internship costs, benefiting both students and business. Graduates often have previous work experience in private business or military training which helps them to identify what assets need to be protected and prioritize security spending; effectively bridging the evolving business and technology security needs. By growing your own talent, you’ll eventually end up with a mature information security team that deeply understands not just the cybersecurity landscape, but also the inner workings of your business. 3. Get creative to get to fill your cybersecurity needs. The number of people that your SMB can afford to dedicate to cybersecurity and attacks may likely be in the single digits. However, Teyema says that doesn’t mean that has to be the extent of your security efforts. SMBs working on a budget can supplement their own internal security efforts by hiring a cybersecurity consultant or firm. Such Security-as-a-Service companies can provide a range of assistance, from providing ongoing training for your staff to identifying network vulnerabilities to being on-call for incident response. In some cases, Teyema says that SMBs choose to use Security-as-a-Service for the vast majority of their cybersecurity needs. 4. Identify your sensitive data—and protect it. Creating a wide-reaching cybersecurity plan can be overwhelming. Get your arms around the issue by first identifying the sensitive data that your SMB is handling on a regular basis. As noted, a network security firm can help with this task. Such data might include your customer information, intellectual property, payment or billing data, employee tax information and more. “You protect the most sensitive data first, then broaden the circles out to protect more as you can,” Teyema says. In addition to your own team and outside consultants, your SMB software can play a key role in protecting this data as well. Cloud-based software products can offer smaller businesses access to enterprise-level security expertise and protocols. These systems have built on capabilities that leverage emerging technologies such as artificial intelligence, machine learning, and blockchain, to keep users always up to date on the most recent strategies to combat hacking.  As you investigate software products, ask the vendor what technologies they use to secure client data and computer systems, how many of their employees work exclusively on security and whether you’ll have access to security audits and reports.  5. Understand the cybersecurity ecosystem. There are many players in the world of cybersecurity. Understanding the resources available can ensure that your SMB has access to knowledge, education and help when you need it. For instance, consider becoming part of information security or certification associations. Such organizations typically provide access to cybersecurity research and trainings to their members. Cybersecurity training companies can provide similar benefits. Also keep up with the research coming out of academia about cyber threats, how they’re handled and who is affected. Teyema recommends that every business connect with the cyber units of the local and federal law enforcement in their area. Connect with the FBI's cyber squad in the field office nearest you. An outreach coordinator can outline what the agency is doing to protect businesses, threats you should be aware of and how to respond if your suffer a breach. “Establish that contact proactively, then you’ll know who to call when an event happens—and it will.” The agency is also regularly distributing cybersecurity information on its website. You can also go to this site to find out how to contact your local office.  The threat of a cyber attack isn't something that just affects your IT team. It's a threat to your brand, your business and the existence of your SMB. Incorporate cybersecurity efforts into the core of what you do, your social engineering and who you hire, and you'll ensure that you're ready for whatever cyber threat comes your way. Learn the key findings of cloud security challenges, threats, and insights in the Oracle and KPMG Cloud Threat Report 2018.

Written By: Tansy Brook  Director of Product Marketing For small and medium size businesses (SMBs), the risk of a cyberattack is no small matter. In fact, the average total financial impact of a data...

Moving your enterprise identity management to the cloud is a smart move. There are than a few compelling reasons to do so (better TCO, reduced resource costs, time to value, ease of implementation, access to innovation), but before you do, make sure you’ve addressed these five critical success factors. If you’re the eager sort, watch the webinar Five Critical Success Factors for Identity When Moving to the Cloud and find out how Oracle’s autonomous and integrated approach to cloud security and identity can help. Access control and authorization.  How do you manage cloud access when your enterprise is an extended one? Your employees and customers are using apps at much greater scale than ever before (including just yesterday and again, come tomorrow) that are mingling with data distributed all over the cloud. Access control and authorization has become much more complicated than a has/has-not situation: ‘Becky in HR has access and Ron in marketing does not.’ The answer to healthy access control is scalability in the form of federation.   Authentication. Once upon the time of firewalls and passwords that lived in local directories, it was pretty easy to verify across apps and domains that people were who they said they were. Back then, the enterprise either controlled or owned everything, from identities to apps. No more. Anywhere access is key to growth if not survival - but it must occur in a manner that is secure and that does not impede innovation. See above for the three S’s that underpin authentication at scale.          3. User account management and provisioning.        When the average enterprise relies on no fewer than six clouds, managing the disparate silos of user data and accounts across disparate SaaS, PaaS and IaaS entities can become a bit of a juggling act. The single-most important success factor for secure user account management? Standards-based with a focus on integration and automation.   Auditing and compliance. The opportunity of the cloud – accessibility – can also be its challenge, particularly when it comes to compliance. Data, apps, users, logs, activity; it’s all distributed. Vulnerabilities and laws (GDPR, HIPPA, etc.,) require data security compliance show up in demonstrable, manageable and enforceable ways. It’s a natural progression then that auditing and compliance begs for moving beyond simple, historical reporting to analytics. And when you can turn to machine learning for predictive and automated monitoring and analysis, you can model problems to prevent problems.   Cloud platform architecture. Now that apps have moved off prem and literally ‘left the building’ as SaaS, so have users and the devices they access them on. For 24x7 availability and growth at scale, interoperability is critical. The most reliable way to accomplish this is to create a seamless computing fabric. Open technologies that are standards-based, and that incorporate built-in security and trust to scale from the get go (like SAML), accomplish this.   Want to learn more about moving identity management to the cloud? Catch the replay of this SANS-sponsored webcast: Five Critical Success Factors for Identity When Moving to the Cloud. You may also be interested in Oracle and KPMG Cloud Threat Report.  

Moving your enterprise identity management to the cloud is a smart move. There are than a few compelling reasons to do so (better TCO, reduced resource costs, time to value, ease of implementation,...

 By: Abhishek Juneja Oracle Identity Cloud Service provides Single Sign-On capabilities for SaaS and On-premise applications, which support Federated SSO using SAML2.0 or OAuth-OIDC protocols. However, a large chunk of web applications do not support these open-standard protocols for federated SSO. Oracle Identity Cloud Service provides Single Sign-On to these applications using Secure Form Fill (also known as Password Vaulting or Screen Scraping) phenomenon. Oracle Identity Cloud Service Application Catalog provides an extensive set of pre-integrated SAML and Secure Form Fill applications across various categories including HCM, ERP, CRM, Security, etc. The simplified and intuitive interfaces of the Application Catalog improve administrative efficiency in configuring new applications. If you do not find the secure form fill application that you need in the app catalog or you simply want to create your own, you can do so with Oracle Identity Cloud Service. Define your own secure form fill configuration using the ESSO Admin Console, export the configuration, and then import that configuration into your secure form fill app in Oracle Identity Cloud Service. On activating the application, you can assign it to Users or Groups. As an end-user, you can access that application as an end-user from MyApps portal of Oracle Identity Cloud Service or from Secure Form Fill Browser Plugin. When you launch the application for the first time, the browser plugin prompts you to provide username and password of the applications; Oracle Secure Form Fill Browser Plugin stores your application credentials in a user wallet. For consecutive application launches, the plugin is able to determine which app you are trying to access, and then the plugin retrieves the application credentials, submits those to the web page and logs the user in. The end user’s credentials are stored in an end-user specific encrypted artifact that is safe and protected from the outside world; the browser plugin retrieves the user credentials from this artifact prior to submission in the application. In addition, user credentials are neither stored nor cached in the browser or the user’s device. Let us see how easily and swiftly you can create and configure an application as a Secure Form Fill application in Oracle Identity Cloud Service (IDCS) and enable your users to get SSO experience. Install the Secure Form Fill Admin Client IDCS Administrators can download the Secure Form Fill admin client from IDCS Downloads page   Create a Secure Form Fill Configuration file Launch Secure Form Fill Admin Client Select ‘Applications’ to create a ‘New Web App’                                  In the consecutive screens, enter the name of the Application and select ‘Logon’ as the form type.                 Enter the Web Application URL in the Address field and select GO.                Using the web page fields in the bottom of the screen, Select the User name field, right-click, and choose Username/ID. Select the Password field, right-click, and choose Password. Select the Submit button, right-click, and choose Submit.         Click OK and SAVE the file. Export the file in .ini format by clicking File, Export option. More details on how to create a Secure Form Fill configuration file are available here Create a Custom Secure Form Fill App in Oracle Identity Cloud Service After creating the application configuration file, create a Secure Form fill app in IDCS In the Administrator’s console of Oracle Identity Cloud Service, go to Applications, select ‘Add an Application’, select ‘Application Catalog.'              In the Application Catalog, select ‘Generic Secure Form Fill App Template’. Enter the Application name and Description, upload the Application Logo and enter the Application URL. In the Display settings, you can select the ‘Display in My Apps’ and ‘User can request access’ options. Click Add and create the application.                          Click Import and import the Secure Form fill configuration file, which you created.            You can activate the application and assign it to the Users and Groups. More details are available here Running the Secure Form Fill application from IDCS MyApps Console Oracle Secure Form Fill Plugin allows end user to login into the applications. It’s a pre-requisite to run Secure Form Fill applications. The end user can see the application tile on the MyApps console. When user selects to run it for the first time, Enter credentials box pops up in which user enters the application credentials and select Login                        IDCS launches the application in another browser tab, it automatically enters the user’s credentials and selects Submit button.                           The user logins into the application.                  For consecutive logins, the credentials box does not pop up to collect user credentials. The user can update the credentials by selecting the Update Credentials link, which is available in the application tile.        More information on creating custom Secure Form Fill application in Oracle Identity Cloud Service is available here.                                

 By: Abhishek Juneja Oracle Identity Cloud Service provides Single Sign-On capabilities for SaaS and On-premise applications, which support Federated SSO using SAML2.0 or OAuth-OIDC protocols. However,...

From WannaCry to NotPetya to Bad Rabbit to LeakerLocker, it can seem like new ransomware attacks make the news weekly. In fact, those four represent just a sliver of the widespread ransomware attacks that happened last year. What is ransomware, you may ask? It is malware that typically locks up sensitive data and systems via encryption, and then demands money—ransom—for users to get it back.  The FBI estimates that more than 4,000 ransomware attacks have occurred daily since the beginning of 2016. That’s a 300% increase from the previous year. This is due in part to the thriving sector of “ransomware-as-a-service.” Individuals don’t need to possess a certain skillset, rather malware developers advertise their ransomware on the dark web to be distributed by less sophisticated attackers, and then the developers/advertisers take their cut from the ransom amount paid. The cyber criminals behind these attacks aren’t necessarily picky; they target big companies, small businesses, government entities and individuals. But the damage they cause to small and medium-size businesses (SMBs) is particularly alarming. A recent report by a security firm last year noted that 22% of SMBs affected by ransomware had to cease operations immediately. One-third had suffered a ransomware attack in the previous year. “If you haven’t been a victim of ransomware or any other type of computer attack, you have to operate as if it’s just a matter of time before you are—and take the steps to protect yourself and mitigate the resulting damage or loss,” says Sheraun Howard, supervisory special agent with the FBI’s Cyber Division in Washington, D.C. The Ransomware Landscape  The FBI notes that ransomware is the fastest growing malware threat. While the names, details, and entry points of each attack vary, the concept remains the same. First, the bad actors deliver the ransomware. This is often done by spearphishing emails— targeted phishing emails aimed at specific employees and containing personal details to perpetuate the fraud. These emails or email attachments will contain an exploit for a particular software application vulnerability that provides the attacker access to your computer.  After the attacker has access to your computer, they then typically use additional malware to propagate throughout your network and drop their ransomware on to your environment, as was the case with the WannaCry and Petya/NotPetya attacks last year. Those malware took advantage of a vulnerability in Microsoft’s OS to spread throughout organizations’ computers. Howard notes that Microsoft had released a patch for the particular vulnerability exploited in those attacks. In other cases, criminals gain access through brute force attacks against open remote desktop protocol (RDP) ports. Once the ransomware has been delivered in one way or another, it then prevents the targeted user from accessing their data or systems by encrypting their files. The targets receive an email, text file, or screen message demanding that they pay a ransom in order to regain that access. While blanket attacks across many organizations are common, ransomware incidents can also be very targeted to specific companies, Howard says. Cyber criminals sometimes gain access to a business’ network days or months earlier to gather financial information. Then use that insight to tailor the ransom note to the company. The resulting malware attacks, though, are not stealthy and you’ll know immediately when you’re in trouble. “It’s very in your face,” Howard says. “The purpose is to alert the victim that you’ve been compromised and by then it’s too late.” Defending Your SMB  Given the prevalence of ransomware threats and attacks, Howard and the FBI advise that SMBs take preventative measures to reduce their risk of becoming a victim. Here’s how: Educate your employees. Ensure that your employees are aware of the risks of ransomware and how it infects small businesses. Encourage them to never click on links in unsolicited emails and input their information, or to open unknown attachments. The FBI notes that you can also test your employees’ knowledge with simulated emails that look like phishing scams. Only download software from sites you know and trust. Keep your systems patched and updated. Because criminals often target vulnerabilities in existing systems, develop a regular plan for updating, encrypting, and patching your software and firmware on any company devices. The FBI recommends that companies consider using a centralized patch management system to streamline this process. Take a quick quiz to see how at risk you are.     Create a security incident response plan. These plans include steps for how your organization will respond to a ransom demand and ensure the continuity of your business. Such a plan may include isolating an infected computer, contacting law enforcement, collecting available portions of important files that still exist, securing backup systems and changing account passwords. Manage privileged accounts. SMBs need to be aware of who has access to what when it comes to their software applications and operating systems, Howard says. No users should be granted administrative access unless they really need it. He also recommends changing the default passwords on all administrative accounts, which tend to be weak and easily brute forced. Be aware of the external applications your employees are connecting to with their computers by implementing a Cloud Access Security Broker (CASB). Audit user access. “One of the most common things we see is companies not auditing themselves properly,” Howard says. For instance, be sure to remove old user accounts for software and other systems created for employees who no longer work at your company. Keeping your list user accounts up-to-date is good practice for preventing data breaches or malware infections in general. Employ firewalls, spam filters and anti-virus programs. All of these tools are aimed at identifying, and then protecting your organization from potentially malicious emails and attacks. Setting up firewalls and filters, for instance, provides an easy way to reduce the risk of less-sophisticated ransomware. Respond and Recover If you’ve been a victim of a ransomware attack, contact the FBI to report the incident. Law enforcement may be able to use legal authorities and tools that are not available to most organizations. This can increase the odds of apprehending the criminal, thereby preventing future losses. Cyber attacker communities are growing and reporting an incident helps law enforcement fight ongoing threats and protect other businesses. Pay it forward. If your business does fall victim to a ransomware attack, Howard says the FBI does not support victims paying the ransom. There is no guarantee the decryption keys will be provided after the ransom is paid and there have been cases where businesses were extorted for additional money after payment. While the FBI does not support paying the ransom, it recognizes executives, when faced with inoperability issues, will evaluate all options to protect their shareholders, employees, and customers. If you’re prepared, ideally you’ll have backups of your systems and data. Howard says that after contacting law enforcement, the next step is to wipe your system and rebuild it. Take the time to learn as much as you can about how your system was compromised and how you can protect your SMB going forward.  How SMBs Can Reduce the Ransomware Risk Ransomware attacks have been on the rise, and small businesses often suffer the most damage. The FBI recommends SMBs take the following steps to reduce their risk of a ransomware attack. Educate your employees about the risks. Create a security incident response plan. Update and patch software and firmware. Manage privileged accounts. Audit user access to your systems. Use firewalls, spam filters and anti-virus programs. Ransomware attacks are a disruptive, malicious reality of running an SMB in the modern era. But take the right steps to prevent attacks, and you’ll reduce risk and suffer less damage if you do face a security breach. Download the FBIs full guide to learn more. Source: IC3.gov

From WannaCry to NotPetya to Bad Rabbit to LeakerLocker, it can seem like new ransomware attacks make the news weekly. In fact, those four represent just a sliver of the widespread ransomware attacks...

It has been a week since the largest cyber security conference ended, where thousands of attendees got together to discuss the latest on cyber threats, security, and solutions. With hundreds of sessions and events, it’s hard to consolidate all the different ideas, but here are three key takeaways:                           Skill Shortage With millions of cybersecurity openings globally, this skill shortage was definitely a topic of discussion throughout the week. It is clear that there are two main issues: Hiring and retaining top security professionals Too many security alerts Not only are there not enough cyber security talent who truly understand the current security landscape, but even if a company was able to hire someone, there are so many alerts that it is not humanly possible to look at all of them. Throughout the week multiple keynotes mentioned the need to train more cyber security professionals in order to have enough talent to stop the increasing number of cyber attacks. In addition, vendors are offering solutions that assist with the vast amount of alerts.   Automation Automation is at the forefront of the cybersecurity world. It helps address many of the issues that we are currently seeing, such as the skill shortage. It is important to take a proactive approach, such as automatically detect and automatically prevent, in order to take on the sophisticated challenges that we are seeing today. For example, if the previous paragraph I mentioned how an organization receives too many alerts, but an automated system can help overcome that issue. We are depending on our computers more and more to make our security decisions and vendors are embracing the need to remove human error with automated solutions.   The Cloud Not only was migrating to the cloud a reoccurring topic throughout the week, but embracing cloud security was also an important theme. Every year, more and more companies are acknowledging the benefits of the cloud and decide to adopt cloud technology, which means that they must also adopt new cyber security solutions. To ensure their cloud is secure, companies must include two-factor authentication, identity access management, encryption, etc. If companies don’t do their part to secure their cloud, then they leave themselves vulnerable to threats. This year, cloud security was also embraced. By using cloud native security solutions, companies have an alternative to the traditional siloed products that constantly need updates.   For information on how Oracle can address your company’s cyber security issues please visit our Cloud Security page.

It has been a week since the largest cyber security conference ended, where thousands of attendees got together to discuss the latest on cyber threats, security, and solutions. With hundreds...

90% of organizations participating in the recent Oracle and KPMG Cloud Threat Report state that at least half of their cloud data includes some form of sensitive information. Rapid shifts to the cloud are encouraging and exciting, but for security professionals, also raise questions about securing a new age of technology. Security used to be considered an inhibitor to the cloud, but has now become one of the driving factors for cloud adoption. Understanding some of the common trends, terms, and challenges of securing your data in the cloud is important to all organizations looking to enhance digital innovation. The Cloud Security for Dummies, Oracle special edition covers just that.     The book is an enjoyable read covering several cloud topics including: - Maintaining continuous compliance - The importance of the shared responsibility model - Best practices for detecting and responding to threats. - Use of automation to enhance security   This is a great guide for IT professionals looking to manage security alert overload, address security skill shortages, and use machine learning in threat detection.    Get the Cloud Security for Dummies Book today  Moving to the cloud requires a lot of consideration and security should be a priority for organizations of every size. To learn more about securing your users, apps, and data, read Cloud Security for Dummies.

90% of organizations participating in the recent Oracle and KPMG Cloud Threat Report state that at least half of their cloud data includes some form of sensitive information. Rapid shifts to the cloud...

What are the biggest cybersecurity challenges your organization experiences today? As the 2018 RSA Conference (RSAC) came to a close in San Francisco last Friday. IT professionals from around the world are returning to their offices with several new ideas, interest in new products, and some great prizes as well. To begin taking the next step towards purchasing a product you learned about at RSAC - Consider evaluating your current cybersecurity challenges and strengths. Throughout the week, Oracle conducted a series of thought provoking poll questions via Twitter. All questions were pointed at cybersecurity professionals and helped provide insight into the thoughts of RSAC attendees and your industry peers. Many of these insights related to the great findings in the Oracle and KPMG Cloud Threat Report. When asked their biggest cybersecurity challenges, detecting security threats was selected by 41% of twitter poll respondents. This was followed by 33% stating lack of security training. These two responses shed light on two extremely relevant challenges within the cybersecurity space. 41% of participants claim detecting a threat is their primary challenge. This challenge is not unique to any industry and companies of all sizes are at risk of an attack. Companies are looking to protect their environments from intrusions, but in the case of an attack, immediately respond and resolve the issue. Many recent attacks have slipped under the radar due to siloed monitoring tools within organizations. According to the Cloud Threat Report, organizations have an average of 46 security tools, there are simply too many tools that don't communicate with each other.The report also found that 38% of cybersecurity professionals consider detecting and responding to cloud security incidents as their main challenge - accurately mirroring our twitter poll results. Companies should evaluate solutions that employ adaptive intelligence techniques to better detect anomalous patterns that might not be obvious to the human eye.                                               Cybersecurity practices are strongest when they involve people, process, and technology. With 33% of twitter poll responses pointing to lack of training, organizations must invest in properly training existing employees. Hiring qualified candidates and creating a continuous training plan will enable employees to work with technology and better protect your organization. Oracle's Software Security Assurance Program (OSSA) aims to support this movement of securely developing, deploying, and maintaining technologies to improve security and performance at every layer of the stack. To learn more about the biggest challenges companies are facing, read the Oracle and KPMG Cloud Threat Report and visit the Oracle Cloud Security page. 

What are the biggest cybersecurity challenges your organization experiences today? As the 2018 RSA Conference (RSAC) came to a close in San Francisco last Friday. IT professionals from around the...

COLLABORATE 18 April 22-26, 2018 Mandalay Bay Resort & Casino Las Vegas, NV USA   With unprotected assets in plain sight, it's no wonder hackers seek to steal sensitive data from databases. Exploiting common vulnerabilities such as unpatched systems, over-privileged accounts, insecure database configurations, stolen passwords, and unencrypted data is a quick place to start. However, knowing the mind of a hacker can better help create a blueprint for protecting your database. Attend the following session at COLLABORATE this week to get into the mind of a cybercriminal adept at exploiting vulnerabilities to access sensitive data stored in databases, and then discusses ways to stop them. ATTEND THIS SESSION Inside the Head of a Database Hacker  (Session ID: 1694) Apr 25, 2018,   4:15 PM–5:15 PM Banyan B Speaker: Russ Lowenthal, Product Manager, Database Security   About COLLABORATE COLLABORATE 18: Technology and Applications Forum for the Oracle Community is where Oracle power users and IT decision makers find practical solutions for today and strategies for tomorrow. This conference empowers users of Oracle business applications and database software to gain greater value from their Oracle investments through real-world education and networking. Created by and for users, COLLABORATE provides a personalized experience alongside functional and technical insight from other experienced professionals, whether your organization seeks to maximize its on-premises solutions, evaluate a path to the cloud, or optimize your business in the cloud. Participants can expand their community and gain direct access to Oracle. COLLABORATE is jointly presented by the Independent Oracle Users Group (IOUG), the Oracle Applications Users Group (OAUG) and Quest International Users Group (Quest).  

COLLABORATE 18 April 22-26, 2018 Mandalay Bay Resort & Casino Las Vegas, NV USA   With unprotected assets in plain sight, it's no wonder hackers seek to steal sensitive data from databases. Exploiting...

By: Kellsey Ruppel | Principal Product Marketing Director For the ninth podcast in our "Practical Path to AI" podcast series, I was joined in the studio by Sridhar Karnam, Senior Principal Product Marketing Director at Oracle. This was another podcast in our "Practical Path to AI" podcast series where we've been covering how Artificial Intelligence (AI) is reshaping the business landscape and helping you better understand how to get on the path to AI adoption. Attacker's machines are fighting against our humans and we are losing the cyber war. Attackers are collaborating and creating sophisticated bots and malware to attack. Security vendors are competing and working in silos. We need machine learning algorithms to correlate, find, hunt, and remediate threats autonomously. When we have these algorithms fighting against attacks and threats, we may see better results with combating modern threats. Manual and legacy point solutions are no longer protecting cyberattacks. Only Cloud helps algorithms to be updated continuously helping machine learning deal with new attack vectors and zero day attacks, which Sri and I discussed in depth in this podcast.  Please listen to “How AI and Cloud are Fighting Cyberthreats and Attacks” to learn why Sri thinks Artificial intelligence and security were – in many ways – made for each other, and the modern approaches of machine learning seem to be arriving just in time to fill in the gaps of previous rule-based data security systems. Did you miss a podcast in the series? Don’t worry! You can access “A Practical Path to AI” podcast series here!

By: Kellsey Ruppel | Principal Product Marketing Director For the ninth podcast in our "Practical Path to AI" podcast series, I was joined in the studio by Sridhar Karnam, Senior Principal Product...

By: Bonnie Donovan | Principal Product Manager   Nothing compromises trust in an organization more than a data breach. A data breach potentially places an organization's customers, their information, and their data at risk. Such breaches also disrupt daily business and tarnish the organization’s reputation. Email remains the primary vector for initiating an advanced attack or delivering ransomware because it can be targeted and personalized, which increase the odds of a threat’s success. Having an email security solution is critical for any organization. Oracle is excited to be partnering with FireEye, an industry leader with a comprehensive portfolio of solutions that combine best-of-breed technologies with 360-degree threat intelligence and expertise. To prevent spam campaigns, ransomware, spear-phishing, and impersonation attacks, an email security solution needs to evolve quickly to adapt to the threat landscape. It must provide threat protection that meets the following requirements: Detects without relying on signatures Identifies critical threats with minimal false positives  Blocks inline to keep threats such as ransomware out of the environment  Uses cyber threat intelligence gained from the front lines to respond quickly to protect the organization  FireEye meets all these requirements. It collects extensive threat intelligence on adversaries, conducting first-hand breach investigations through millions of sensor feeds on the internet. FireEye Email Security draws on real evidence and contextual intelligence about attacks and attackers to prioritize alerts and block threats in real time – before they hit your inbox. FireEye Email Security delivers dynamic defense to detect attacks from the first time they're seen and blocks the most dangerous cyber threats, including malware-laden attachments and URLs, credential phishing sites, and business email compromise attacks. FireEye Email Security customers can now experience the benefits of FireEye and the power of Oracle Cloud together. Oracle Cloud Infrastructure was created to provide an infrastructure that matches and surpasses the performance, security, control, and governance of enterprise data centers, while delivering the scale, elasticity, and cost-savings of public clouds. As a result, Oracle Cloud Infrastructure is built from the ground up to be an Enterprise Cloud easily capable of running traditional multi-tiered enterprise applications and high-performance workloads like FireEye’s Email Security offering. You can experience our joint offering immediately via FireEye’s free Jump Start lab environment. In this Jump Start lab, users can follow a step-by-step guide and experience a sample of FireEye’s Email Security offering.

By: Bonnie Donovan | Principal Product Manager   Nothing compromises trust in an organization more than a data breach. A data breach potentially places an organization's customers, their information,...

In my previous post I talked about how Oracle Identity Cloud Service (IDCS) can be used to simplify single sign-on to E-Business Suite (EBS) through the use of the IDCS Asserter. This really makes a huge impact on organizations who are looking at reducing cost and complexity, whilst maintaining a good, positive user experience for their end users. So, now we have SSO for EBS as an on-premise, enterprise application, why stop there? Introducing the IDCS App Gate We agree and have therefore released the IDCS App Gate to help you further simplify your access management infrastructure and integrations. Let's take a look at the current approach in use by many organizations today and some of the challenges that brings. Figure 1 - A typical access management deployment today As can be seen in Figure 1 above, the current approach used for most on-premise access management solutions is to use a combination of Policy Enforcement Points (PEPs), all connected to a central Policy Decision Point (PDP). The PEPs are usually a combination of reverse proxies and/or agent-based modules, and the PDP is usually connected to one or more LDAP directories for users and a database for storing policy, audit, metadata etc. Architecturally, there is very little difference whether you are using Oracle Access Management or another vendor. The challenge with this approach is back to the point made in my previous post. The PDP is critical in this model. It must be running with a high SLA and therefore built with HA/DR in mind. It also needs infrastructure (including the database), all of which need purchasing, deploying, installing, configuring, patching, scaling, maintaining, backing up etc. Of course, you can move some of that into the Cloud and put it on IaaS. However, that has only removed the need to buy and manage the hardware. You are still managing the installation, deployment etc of all the software on top of it. Just lifting and shifting your access management platform onto IaaS doesn't make it a cloud solution as you aren't reaping the benefits of cloud. That is one of the main reasons why organizations are moving to cloud-based identity platforms such as IDCS, as it removes so much of that overhead. However, one of the challenges that is faced today is that cloud-based identity has typically focused on identity management for cloud services. Enterprise, on-prem (dare I say, legacy) apps didn't fit well in that model as they don't always support the identity open standards necessary to enable simple integration. You can get around this problem partly using a form-fill approach, where the identity platform is storing an individual's credentials for each application and replaying those to an app's login page. Whilst this is possible today (indeed IDCS supports it), it has long been recognized within the identity industry that this approach is not ideal. After all, avoiding the need to manage password all over the place is one of the main reasons why standards such as SAML were invented. So, if we don't want to be storing and passing passwords there has to be a better approach. This is where the IDCS App Gate comes in. The App Gate replaces the traditional on-premise reverse proxies (PEPs). It protects your applications in the same way but instead of pointing to your on-premise access management platform, it uses IDCS as its PDP. Integration with your on-premise web apps is using the same tried and tested integration techniques that have been used within your existing access management platforms for a long time. However, this approach simplifies your architecture and footprint. Let's take a look at what our new architecture looks like.   Figure 2 - A simplified approach using the IDCS App Gate As you can see in Figure 2, this approach, which is very similar to the IDCS Asserter, requires only the App Gate installed on-premise. All access management capabilities are then delegated to IDCS such as SSO, authentication, multi-factor authentication, self-service etc. All of a sudden you no longer have to manage that on-premise access management platform and all of the non-functional requirements that go along with it. The App Gate itself is delivered as a software appliance, so deploy it, give it an IP address and away you go. Both the App Gate and the EBS Asserter are available to download now for all existing IDCS customers, directly from the IDCS admin console.   Identity Management is and always has been a complex problem. Moving from an existing on-premise solution (or more likely multiple solutions) to a cloud-based identity platform is not a big bang. It is a journey and it's through capabilities like the App Gate that enables customers to plan and stage that journey in a phased and manageable way. I like to think of it as volume controls representing capabilities. As you move through your journey to migrate your identity management to the cloud, you are turning down the volume on your on-premise solution(s) and turning up the volume on your cloud-based identity platform.                        

In my previous post I talked about how Oracle Identity Cloud Service (IDCS) can be used to simplify single sign-on to E-Business Suite (EBS) through the use of the IDCS Asserter. This really makes a...

The Rise of the Cloud Security Architect Greg Jensen, Sr. Principal Director - Security - Cloud Business Group, Oracle Corp. Organizations often look for where they can make the single greatest impact to improve their organization’s security posture. As organizations are adjusting their priorities around a cloud-centric strategy, one position has stood out as one of the most central and strategic in meeting security and compliance milestones—the Cloud Security Architect (CSA). So, what are CSAs, and how do they compare to a security architect? Traditional security architects often focus on broad-reaching security topics that impact the on-premises, mobile, and even cloud world. Over the years, this role has become a bit of a “Jack of all trades” role. The CSA was created to be the “master of cloud security” who understands every possible security and compliance related challenge that a line of business (LoB) owner or infrastructure, platform, or app team could run into when deploying new cloud services. This has led us to a point where we are seeing the role of the CSA surpass the security architect in popularity, according to the new Oracle and KPMG Cloud Threat Report, 2018. In the most generalist terms, an architect plans, designs, and constructs structures. In Information Technology terms, it is very similar when applied to cloud security. The CSA is responsible for: • Reviewing the security posture of all SaaS, PaaS, and IaaS projects for industry best practices. • Identifying risks where security requirements cannot be fully addressed in the time frame of a project. • Looking for opportunities where security can be optimized and enhanced. • Ensuring policies and mechanisms are in place to meet compliance requirements across the cloud. CSAs are facing increased pressure to balance LoB requirements with corporate security guidelines, and those goals often clash due to time pressure, resources, or budget. Organizations are in a rush to roll out more applications and workloads to the cloud, often with multiple cloud service providers, each with their own SLAs. Every cloud service provider responds to vulnerabilities and incidents differently. The CSA can play an important role in identifying shortcomings from each vendor to understand points of risk, and then develop plans to address them with the provider or internal teams. One of the key challenges is balancing the security and compliance needs between an organization’s hybrid and multi-cloud environments. One approach that some organizations are focused on is the single vendor model that uses a tightly integrated framework across the full stack of cloud services (DaaS, SaaS, PaaS, and IaaS), which many argue reduces risk and points of exposure. The single vendor approach often lends itself to the challenges of securing an organization once, and enabling them to scale as they need. Key criteria CSAs should look for in a cloud service provider include: • Comprehensive – Secure users, apps, data, and infrastructure across the full cloud stack (DaaS, SaaS, PaaS, and IaaS). • Automated – Detect, prevent, predict, and respond to the latest security threats with AI and machine learning. • Data-centric – Control access to sensitive, regulated data using encryption, masking, and user access controls. • Unified – Collect security and operational data in a single data set to correlate and analyze cyber threats. • Integrated – Developed, architected, deployed, and maintained to securely work together. The role of the CSA is as strategic as the cloud vendors chosen to underpin and secure that cloud architecture. Oracle and KPMG have a longstanding history of supporting our customers with solutions that meet the very challenges facing today’s CSA. For more information on Oracle security solutions, please visit www.oracle.com/security and to learn more about the latest challenges and options organizations are faced with as they migrate workloads and data to the cloud, download your free copy of the new Oracle and KPMG Cloud Threat Report 2018.

The Rise of the Cloud Security Architect Greg Jensen, Sr. Principal Director - Security - Cloud Business Group, Oracle Corp. Organizations often look for where they can make the single greatest impact...

The European Union’s (EU) General Data Protection Regulation (GDPR) goes into effect on May 25, 2018. For many companies – particularly those based in or doing significant business in the EU – it has created a sense of urgency that might rival that of Y2K. Put simply, GDPR seeks to give European Union citizens more control over their personal data and requires that companies adopt appropriate security measures designed to protect EU citizens whose data is being collected and to help mitigate the risk of a data breach. It applies to any personal information that can be directly or indirectly tied back to an individual; that includes everything from biometrics to credit card numbers, photographs and device IDs, to name a handful of examples. GDPR is focused on shoring up privacy and security for consumers, but the upshot is better digital business. After all, data breaches and data loss can negatively impact digital businesses. For a more detailed overview of GDPR, download the white paper, Accelerate Your Response to the EU General Data Protection Regulation (GDPR) with Oracle Cloud Applications.       Though it is rooted in Europe, GDPR can have far-reaching implications on how organizations, government agencies and companies globally – regardless of size – handle personal data. In addition to impacting companies operating in Europe, it extends to entities providing goods or services to European citizens.  For example, a US-based company that sells goods online to services to EU citizens could fall under the purview of GDPR. The cost of non-compliance? In addition to potential fines of up to 4% of annual revenue turnover, organizations that don’t comply also risk facing legal fees as well as indirect costs, such as negative publicity. While many larger enterprises outside of the EU have been grappling with this new data protection regulation, more small and medium-sized businesses (SMBs) around the world are also taking note. In the most recent Oracle and KPMG Cloud Threat Report 2018, 38% of SMBs surveyed indicated that they are required to comply with GDPR. Among that group, 48% indicated that the regulation materially impacts their cloud strategy and cloud service provider (CSP) evaluation process; a full 25% noted that it significantly impacts their strategy and evaluation. Safeguarding a Key Asset To be sure, organizations of all sizes and across all industries are dealing with increasing amounts of personal data and data security issues. So pervasive is data that, according to The Economist, its global value has surpassed that of oil. With the rise of data comes a whole new level of responsibility for companies to comply with and protect this precious resource. GDPR aims to do this by promoting the use of best practices and well-established security concepts. It requires “controllers” (such as a customer contracting for services) and “processors” (such as cloud services providers) to adopt appropriate security measures designed to ensure a level of security appropriate to the level of risk that might affect the rights and freedoms of the individuals whose data is being collected and used by the controller (“data subjects”). There are many facets to GDPR, which contains 99 articles and 173 recitals, but the IT systems that are used to collect, store and handle personal data are the foundation of data protection. Among other things, organizations need to know where data resides, understand their risk exposure, know when it is necessary to modify existing applications, and integrate security into their IT architecture. As with any new regulation, GDPR has its share of complexities and ambiguities. Nevertheless, the benefits of adopting strong data protection go beyond protecting individuals. In the long-run, SMBs that embrace good security practices are less vulnerable to cyber security incidents, such as espionage, organized crime and insider-related breaches. GDPR is aimed squarely at protecting personal data, but organizations that take steps to shore up their security and rethink their other data security practices and policies to address their GDPR compliance needs may ultimately come out ahead. To learn more about getting your organization on the path to GDPR security compliance, download the paper, “Helping Address GDPR Compliance Using Oracle Security Solutions.”

The European Union’s (EU) General Data Protection Regulation (GDPR) goes into effect on May 25, 2018. For many companies – particularly those based in or doing significant business in the EU – it has...

By Pedro Lopes We have crossed over 5,000 downloads of our popular Oracle Database Security Assessment Tool. Since the release of DBSAT v 2.0.1 in mid-January, we have seen an increasing demand and have been getting very positive feedback. DBSAT is the go-to tool to evaluate your current Database Security posture today because of the following reasons: It’s simple and doesn't require prior security experience. Just extract to install and get easy to read reports. It provides immediate value. It not only reports on overall configuration and operational security risks, but also on database users and their entitlements. To better understand what is at stake, DBSAT also helps discover sensitive personal data. Helps address GDPR Compliance: To help bridge the gap between GDPR and technical controls, it highlights related findings and provides recommendations on what security controls could help.  The tool also highlights findings that relate to Oracle Database CIS Benchmark recommendations. With GDPR deadline approaching on May 25th 2018, and Verizon new 2018 Data Breach Investigations Report [1] confirming that Databases are at the top assets breached (in Information vertical; ~20%), ahead of webservers and desktops, it is urgent that you take action to assess your current database security state before hackers do it for you! Want to see DBSAT in action? Join us at the RSA Conference 2018 at Oracle Booth #1115 Moscone South to learn more.    [1] http://www.verizonenterprise.com/resources/reports/rp_DBIR_2018_Report_en_xg.pdf

By Pedro Lopes We have crossed over 5,000 downloads of our popular Oracle Database Security Assessment Tool. Since the release of DBSAT v 2.0.1 in mid-January, we have seen an increasing demand and...

Written By: Tansy Brook  Director of Product Marketing Share Facebook LinkedIn Twitter Google Plus Email Comment We’ve all received an email that seemed a little suspicious or made an unusual request for financial or personal information. Most consumers know to delete these emails right away because they’re likely a scam. But what if you received an email from your CEO or CFO, and it sounded just like them? What if they asked you do something you were expecting to do anyway—such as pay a bill? What if they mentioned their children’s names and other personal details? Welcome to the new world of Business Email Compromise (BEC). In this growing form of cybercrime, fraudsters impersonate a business email—usually someone in an executive position—and then contact an employee to ask for a wire transfer or employee information. These phishing scams increased an astounding 2,370% between 2015 and 2016, and caused $5.3 billion in losses, according to the FBI.  “The group at largest risk are small-to medium-size businesses (SMBs),” says Cary Scardina, a supervisory special agent with the Federal Bureau of Investigation’s Cyber Division in Washington, D.C. “I’ve seen small businesses get hit with losses from $45,000 to several million; it can be devastating, depending on the size of the company.” Fortunately, there are steps businesses can take to reduce their risk of becoming a BEC victim—and the work starts with simply being aware. Beyond the Usual Threats  When Scardina describes BEC, he narrows the crime down to one word: Impersonation. At the core of the scam, cybercriminals are simply impersonating an employee’s boss or company finance executive. “But it’s now of a higher quality than in years past,” Scardina says. These are not emails from far-away royalty who need your employees’ help. Instead, BEC fraudsters are hacking into employee email accounts and then conducting sophisticated surveillance, sometimes for weeks or more. The attacker will track email traffic to learn how a person talks, how wire transfers and other requests are made—even what nicknames employees might use for each other.  When it comes time to conduct the actual crime, a fraudulent email may come from either an authentic or spoofed account. With a spoofed account the domain is slightly off. For example, a business name may contain an extra letter or an email might add a period between the first and last name. The attackers then ask the recipient to make a wire transfer payment—and include instructions for how to do so. Learn about the Top 6 security tips for SMB’s.     SMBs are Prime Targets Increasingly, the cybercriminals are phishing for company W-2 information, which they use to file fraudulent tax returns. The IRS noted that more than 200 companies—which translates to hundreds of thousands of employees—were compromised by such scams last year. Scardina says that SMBs are prime candidates for business email compromise wire transfer and W-2 email fraud. “That’s where you can have the intersection of high-dollar amounts and lower IT security,” he says. The real estate industry has witnessed much of the BEC activity, largely because of the transactions realtors and others involved are conducting. But the criminals aren’t picky. Scardina has also seen medical offices, law firms and even pig farms targeted by these spoofed email schemes. In many cases, the companies don’t catch the fraudulent transfer for a few days. These issues are time-sensitive: And by then, it can be hard to reverse the transfer or trace the money before it is broken up and divided into multiple overseas accounts.  Get Ahead of Scammers So how do you keep your SMB safe from BEC scams? As with many things, the best defense is a good offense. Scardina and the FBI offered the following guidance for reducing your risk of becoming a BEC victim: 1. Verify money transfer requests.  Institute a company policy that requires employees to verify requests for wire transfers—ideally with a phone call authentication. This is especially vital if the transfer request is deemed urgent by the email sender, Scardina says. In addition, advise employees to not discuss the details of wire transfers or bank accounts over email and to confirm any changes in the process with the bank or vendor. 2. Implement detection systems.  Task your IT team with creating a system that flags emails from domains that are similar to your own and could be used to create a look-alike domain. Other helpful tips include adding a rule in your email account that automatically flags emails in which the reply address is different from the “from” address. Also, be aware of the external applications your employees are connecting to with their computers by implementing a Cloud Access Security Broker (CASB)  application. 3. Educate your employees.  Execute some social engineering, and ensure that your employees are aware of BEC warning signs. Red flags that an email may be fraudulent include: Any email that provides wire information or requests changes to existing information, requests for expedited payments, asks for W-2 information. “Flagging these should just be automatic,” Scardina says. “Employers should have a policy for how to do so.”   If you do suspect you’ve been a victim of BEC, Scardina says the first thing to do is to call the financial institution that sent the wire. In some cases, the bank can initiate a recall of the funds. Then call the FBI and file a report at IC3.gov. That way the FBI can track the details of your case. Lastly, have your employees change their passwords to their email and any other company networks. 4. Adopt a passphrase.   Using longer passwords and changing them on a regular basis seems like a given. But, the traditional standards for passwords encourage people to use a single, difficult to remember password across all of their accounts. Great news! New research shows that rather than having a complicated mixture of special characters, numerals and capitalizations, using a passphrase is more secure and easer to remember. Longer passwords containing multiple upper and lower-case words are more secure. Consider choosing something relevant to you (like a book title) that wouldn’t be public knowledge. This lightens the “memory burden” on users, making them more inclined to follow this security best practice.  Change your passphrases on a regular basis. The new version can be similar to the previous phrase, for example from “thesunalsorisesinJAN” to “thesunalsorisesinFEB.” Business email compromise remains on the rise—and the cyber criminals are only getting smarter. Take these precautions to educate your employees against threats and prevent your business from losing time, money and more to an email scam.  4 Ways to Protect Your SMB from BEC Business email compromise scams are on the rise, costing $5.3 billion in losses since 2013. To reduce your risk: Verify email wire transfers and PII requests, even from people you know. Create fraudulent email detection systems if you have an IT security team. Educate your employees. Use long passwords, change them routinely, and do not reuse them for multiple accounts. Source: IC3.gov

Written By: Tansy Brook  Director of Product Marketing Share Facebook LinkedIn Twitter Google Plus Email Comment We’ve all received an email that seemed a little suspicious or made an unusual request...

RSA Conference is the world's largest cyber security conference with over 30,000 attendees taking over the city of San Francisco for a week to discuss, debate, and solve the cyber security challenge. RSA kicks off with Atlanta being under siege, 911 calls being stopped in Baltimore, Facebook being questioned by the Congress for the privacy issues, Uber, Grindr, Boeing disclosed data breaches, attacks on US grid, US tax filing vendor software, and 40,000 other data breach disclosures. More importantly, it is the Russian meddling of US elections and making fun of democracy through cyber war has rocked the world. Cambridge Analytica has made every internet user in the world nervous with their disclosure about the Facebook data breach. So, don't worry if this all sounds sad. This is exactly why 1800+ vendors, security thought leaders, CISOs, and all of us, who have the moral responsibility to provide the privacy of individuals will discuss, debate, exhibit, research, and share how to save your city, law & order, your power grid, democracy, your privacy, and everything around your life. Oracle is sure to represent itself on how it is securing the cloud, the database, apps, and developer tools to half a million customers that we have. Oracle is not only securing its core products and infrastructure but also showcasing how you can build a SOC for your cloud and hybrid environment. Follow this blog on all the sessions, booth, demos, parties, and meetings that Oracle is doing.  Oracle this year at RSA 2018 is focusing on two things: An autonomous cloud platform with AI and machine learning for security use cases, and a cloud-based SOC for the Oracle cloud, multi-cloud, and hybrid cloud environment. We are all losing the cyber war. It is time for all of to collaborate and make our machines smarter so that the battle is truly between attacker's machines vs. our machines and not our users. 

RSA Conference is the world's largest cyber security conference with over 30,000 attendees taking over the city of San Francisco for a week to discuss, debate, and solve the cyber security challenge. RS...

Today’s organizations are under increasing pressures to look for efficient ways to leverage the cloud.They are looking for the undeniable opportunities that present themselves when rolling out new cloud services and mobile applications to gain a competitive advantage.After all, the cloud is enabling organizations to realize the ease of maintaining and supporting a more diverse and mobile workforce, partner and customer base. However, the speed and agility benefits of the cloud are creating an imperative around keeping pace at scale where organizational security is not keeping up with the demand for new cloud services. This is the findings of the new global security report from Oracle and KPMG.The Oracle and KPMG Cloud Threat Report 2018 looks at organizational attitudes and confidence in the cloud, the challenges and risk, and a look at how security operation teams are leveraging people, process and technology to secure the cloud journey. This survey-based report focuses on interviews from 450 global participants.Respondents who were key decision makers, architects, planners, auditors and analysts tied to security initiatives around the cloud journey.We heard from LoB owners, DBAs, C-level and more, from SMB to the Enterprise and from over 21 key industries. What we learned in this year’s report is that as organizations add new users, applications, data and infrastructure, combined with the more sophisticated threats and cyberstaff challenges, SecOp teams are seeing a pace gap appear.This pace gap is most evident with the high adoption rate of these new services, yet security operation teams are still stating that their #1 challenge in cloud security is analyzing and responding to security events from the cloud.So while applications themselves are being successfully deployed, the organizations ability to monitor for anomalous behaviors across the hybrid cloud is being further challenged. In fact, only 51% stated they are unable to analyze the majority of their event telemetry data, and respond. This year’s Oracle and KPMG Cloud Threat Report 2018 is leveraging key analysis by cybersecurity experts at both Oracle and KPMG to deliver prescriptive best practices based upon what organizations are being impacted with today.We encourage you to download this groundbreaking report, learn how your own organization may be impacted by some of these challenges, and how you can apply these lessons to your own security planning. Oracle and KPMG also encourage you to meet with us this week at the 2018 RSA Conference in San Francisco.Oracle’s booth is #1115, and you can come visit us to learn more about this new report, or any of the Oracle Cloud Security solutions. For more information on this report, visit us HERE.For more information on Oracle security solutions, visit our solution page.

Today’s organizations are under increasing pressures to look for efficient ways to leverage the cloud.They are looking for the undeniable opportunities that present themselves when rolling out new...

  Next Generation Cybersecurity Organizations are losing the cyber war. They can no longer rely on manual threat detection and respond to address today's sophisticated attacks. Additionally, organizations are finding it hard to keep pace with the volume of security alerts and growing scale of users, apps, and data. In fact, 51% of organizations say that they are unable to analyze the majority of their event data, (Oracle and KPMG Cloud Threat Report 2018). Organizations need to address these challenges with autonomous security. Join us at RSA Conference 2018 from April 16-20 in San Francisco to discuss all these topics and more.   Visit Oracle at Booth #1115, Moscone South Visit us at our booth to learn more about: Oracle’s first Autonomous Database Cloud and how it leverages artificial intelligence, and machine learning to revolutionize data security. Oracle’s Identity-based Security Operations Center (Identity SOC) which provides comprehensive monitoring, threat detection, analytics, and remediation tools to stay ahead of threats. Sign up for an Oracle Cloud trial! Get free SWAG from us at the #OracleatRSA giveaway! Learn More about the Oracle and KPMG Cloud Threat Report, 2018 The Oracle and KPMG Cloud Threat Report 2018 is the inaugural global survey of cloud security challenges, threats, and insights from security practitioners and decisions makers. This report compiles the findings from organizations across the globe that center on one common theme: that the cloud has created a strategic imperative to keep pace at scale. Attend our Session Monty Python and the Holy RFP April 18, 2018 | 3:00 pm - 3:45 pm | Moscone West 2022 Speaker: Mary Ann Davidson, Oracle CSO Abstract: Ever been asked to conduct a pen test—with a herring? Provide a secure shrubbery: “not too big?” Been confronted with “Ni” “Peng” or “Nee-wom” in response to your security practices? Welcome to the Monty Python-esque world of RFPs and security attestations. Learn to decipher what the real security concern is and get to “yes” (and determine if it’s a cute little bunny rabbit…or a vicious killer). Oracle at Cloud Security Alliance (CSA) Summit at RSA   Join us in the panel discussion at the Cloud Security Alliance Summit at RSA Panel: Cloud Compliance Zeitgeist April 16, 2018 | 12:50 pm - 1:35 pm Panelist: Gail Coury, Oracle CISO Abstract: The clock will strike midnight for the General Data Protection Regulation (GDPR) in a month from the CSA Summit. This broad mandate for privacy joins an increasing number of mandates that can mean life or death for businesses and hold their officers personally accountable for security failures. In this expert panel, we will explore the major compliance mandates enterprises are facing today in the cloud. Are the regulations adequate or unreasonable? Do regulatory bodies understand the shared security responsibilities between tenant and provider and is this reflected in their guidance? What is the future role of security certifications in asserting compliance with a myriad of evolving requirements. How can compliance evolve in an era of DevOps continuous deployment? What are the practical and actionable steps organizations can take to make sure their cloud providers maintain robust security programs and how can this evidence be communicated with regulatory bodies? What are the emerging tools and strategies to harmonize governance and risk management and achieve compliance in time and at scale? Panel: Getting to Mission Critical with Cloud April 16, 2018 | 3:15 pm - 4:00 pm Panel Moderator: Mary Ann Davidson, Oracle CSO Abstract: Once again, the CSA Summit will bring together a panel discussion of some of the largest and most complex enterprises from within the Global 2000 to gain perspective on their journey to the cloud and their security lessons learned. Global enterprises with massive legacy IT infrastructure have the most to gain and the biggest challenge in making the journey to the cloud. Security is the key enabler to secure cloud adoption. How do they maintain strong Enterprise Risk Management oversight with often indirect access to cloud systems? Are you able to deploy high availability applications in the cloud? What compliance mandates do they struggle with? How are regulators adjusting to the cloud reality? Will the government need to designate cloud as critical infrastructure? What are the unexpected security benefits of cloud? What are the attacks they predict for the next year? What tools and technologies are showing the most promise to improve cloud security? Learn more about our presence at RSA at: Oracle at RSA Conference

  Next Generation Cybersecurity Organizations are losing the cyber war. They can no longer rely on manual threat detection and respond to address today's sophisticated attacks. Additionally,...