Cloud Security Perspectives and Insights

Recent Posts

Cloud Access Security

Convergence is the Key to Future-Proofing Security

The whole of your security portfolio should provide significantly more value than the sum of its parts.

The challenge facing security professionals seems to grow bigger and more complex by the hour. New threats and risk factors are constantly emerging while the IT landscape continuously evolves. At times, it feels like we’re patching holes on a moving target that’s endlessly shape-shifting.

One of the major contributing factors to those feelings of chaos and disorder is the sheer quantity of security products that we rely on to cover our vast IT landscapes. The Oracle and KPMG Cloud Threat Report 2018 found that cybersecurity professionals manage an average of 46 different security products. 7% of respondents reported being personally responsible for managing over 100 different products.

100 different security products!

I don’t imagine that those folks can possibly have a complete understanding of what’s happening across 50 or 100 different security products or what value each of those products is contributing to reducing their risk. This quantity of products alone contributes to the overall challenge in several ways, including:

Product Overlap: Security products often have significant functional overlap. In an environment with several security products, it quickly becomes unclear which product will answer which questions. The result is wasted time and effort and longer delays getting critical answers. When addressing an on-going attack or a breach, the speed of the response effort is critical. The longer it takes, the broader the damage will be.

Skills Shortage: Organizations spend too much time finding or developing talent across security products. It’s rare for security professionals to have the exact mix of skills and experience that an organization needs. And with an on-going skills shortage, it’s difficult to retain top talent over long periods of time.
Again, not having the right expertise in place means that you’re more likely to miss the signals of developing attacks or on-going breaches and to demonstrate longer response times to security events.

Delays in Addressing Gaps: Nobody likes wasted money or shelfware. When a gap is found in an organization’s security posture, security professionals are less likely to find and deploy the right solution if they have numerous other security solutions in place that may (or may not) fix the problem. Of course, without a complete understanding of where the limits are on each of those products, it could take months to sort through them and to formulate an approach. It’s the classic human response of freezing in indecision when there are too many factors to consider. When it comes to addressing information security issues, the last thing you want to do is freeze.

So, what can be done and how can we address the issue?

Here’s the good news: Security solutions are evolving toward cloud, toward built-in intelligence via Machine Learning, and toward unified, integrated-by-design platforms. This approach eliminates the issues of product overlap because each component is designed to leverage the others. It reduces the burden related to maintaining skills because fewer skills are needed and the system is more autonomous. And, it promotes immediate and automated response as opposed to indecision.

While there may not be a single platform to replace all 50 or 100 of your disparate security products today, platforms are emerging that can address core security functions while simplifying ownership and providing open integration points to seamlessly share security intelligence across functions.

For example, you know that you need an identity and access component for addressing access management needs across numerous SaaS applications and IaaS services.
And you need a Cloud Access Security Broker (CASB) to scan SaaS applications and Cloud Infrastructures for insecure configurations and to monitor user activity. But, for the most part, these functions are siloed today. One doesn’t talk to the other. But they can. And they should.

Understanding what a user is doing across cloud applications (visibility often provided by CASB) enables you to create a risk score for that user that can then be used by the Identity function to make decisions and take actions such as stepping up authentication, requesting approvals, initiating an access review, or denying access. Understanding that a target system’s configuration was modified recently or that it doesn’t conform to the organization’s security policies also increases risk. And there are numerous sources of additional risk data: identity, CASB, security configuration scanning, SIEM, UEBA, external threat feeds, session context, etc.

Forward-looking security platforms will leverage hybrid cloud architecture to address hybrid cloud environments. They’re autonomous systems that operate without relying on human maintenance, patching, and monitoring. They leverage risk intelligence from across the numerous available sources. And then they rationalize that data and use Machine Learning to generate better security intelligence and feed that improved intelligence back to the decision points. And they leverage built-in integration points and orchestration functionality to automate response when appropriate.

In other words, your security platform should serve as a central brain that doesn’t only import the various security data points but also makes sense of them without relying on human eyes to catch potential threats. And it adds intelligence, identifies patterns, recognizes anomalies, and responds appropriately and within seconds. This is much more advanced than the old SIEM model, which simply aggregates data from numerous sources and tries to raise alerts for humans to evaluate.
This is a system that thinks for you and leverages advanced analytics to make decisions across those numerous disparate systems. It’s a cloud service so you don’t need to administer and manage it. You become a user; a consumer of its benefits rather than a caretaker. And the result is much more value and further reduced risk than you’d get from the parts alone. To learn more about challenges organizations face today and how new technologies and strategies help enable innovation, register for Oracle OpenWorld 2018 and visit the Oracle Cloud Security page for more information. 

Cloud Security

Today's Threat Landscape and How to Tackle It

In recent years, security has gone from cloud objection to cloud benefit. In fact, according to the Oracle and KPMG Cloud Threat Report 2018, 83 percent of respondents to the report’s survey said they believe their cloud service providers’ security is as good or better than their own.

While this growing confidence bodes well for an increasingly cloud-enabled world, companies would be wise not to drop their guard when it comes to security. Bad actors of all kinds have found ways to exploit weaknesses in your security posture—most notably, in the customer’s end of the shared responsibility model. Recently, my co-author on the Oracle and KPMG Cloud Threat Report 2018, Brian Jensen from KPMG, and I discussed some of the top attacks and pitfalls that companies are falling prey to.

Phishing

At its core, phishing in all its forms is a social engineering attack designed to create fear, uncertainty, and doubt. And even the best of us have been suckered by a phishing attack at one point or another. The main goal here is to get credentials by tricking the user into handing them over. A phishing email might say “Click here to learn about the audit problem we just discovered,” then take the user to a fake website where they have to log in. Or it might have a malicious attachment or link. But once they have those credentials, the attackers have free rein inside the system.

As Brian noted during our conversation, what makes phishing so successful is that not only have we moved some of our most valuable information outside the firewall, but that many of our core business applications are similar across companies. “This leads to a one-two-three punch. Phishing is easy. The data is outside the firewall. And everything is pretty much the same. So, once I identify a pattern as a breacher, I can do it over and over and over again,” Brian said. According to the Oracle and KPMG Cloud Threat Report, 55 percent of survey respondents have experienced phishing.
Malware and Ransomware

Phishing can often be a vehicle to unload malware onto a system. The Oracle and KPMG Cloud Threat report noted that of all their expected security concerns during the next 24 months, four of the top five have to do with malware. One of the common forms of malware that we see is ransomware, where the victim is locked out of their system until the attacker is paid some sort of fee, usually in the form of bitcoin. This form of attack can wipe out an organization and leave it without a way to recover its information.

Configuration

Another way organizations put themselves at risk is by not having proper controls around cloud configurations. In fact, 45% of respondents to the Cloud Threat Report survey said they had experienced one or more incidents where the attacker exploited an unpatched vulnerability—either known or unknown. These unpatched gaps are especially dangerous because the attacker can wreak havoc on an organization (or multiple organizations using the same vulnerability) until it’s patched.

The problem here, as Brian noted during our conversation, is that companies don’t have a good framework for (1) knowing that they’re using cloud, (2) categorizing the type of cloud they have, (3) having an understanding of the shared responsibility model for that cloud instance, (4) framing the configuration model, and (5) monitoring and patching it.

To be fair, this is no easy task. The number of people and details involved make separating responsibilities and defining processes a real problem. But it’s a problem that needs to be solved if you want to secure your organization.

Protecting Your Organization from These Pitfalls

Of course we all want to protect our organizations, but buying the right tools is only a third of the answer. What it really takes is a focus on your people, your processes, and then your technology. In terms of people, organizations need to make sure their people are properly trained.
All of your general users need to know the basics behind identifying a phishing attempt. But more importantly, cyber teams, email teams, and application teams need to be trained correctly on how to maintain configuration and compliance. Next, there needs to be a process behind everything. If you have a system that has stayed unpatched for the last two days, what’s your process? If you’re introducing a new cloud application, what’s your process for making sure it’s secure? This can be one of the hardest aspects because it requires communicating and establishing agreed upon actions across departments. But it’s also the most necessary. And lastly, you have technology. And that’s the part where Oracle does a really good job. We provide some excellent technologies for securing your cloud investment. At the end of the day, people’s confidence in the cloud isn’t misplaced. Organizations just need to adjust their thinking to protect themselves from evolving threats. For more on this topic, join us for our webcast Keeping Security Pace at the Speed of Emerging Technologies - Register here.

Cloud Security

IT Outsourced? Reclaim Your IT Infrastructure

Monitor and Secure Your Systems

You have made the business decision to outsource database administration, including some or all of your IT organization. Yes, you can save money, but it comes with a lot of headaches and frustration when you can’t get tasks turned around fast enough. Contract vendors have strong SLAs for what they will and will not do. This makes troubleshooting systems that span different domains very difficult. The DBA always says the database is fine. The system administrators say the hardware is fine. The developers say their code is fine. But for some reason authentications have slowed down by 200% in the core application that drives your business. Unfortunately, your vendors won’t give you database accounts or access to logs. What’s a DBA to do?

Gain Access to All Logs

To gain increased visibility, many customers turn to Oracle Management Cloud (OMC). OMC is a cloud service that can consume any log on premises or in the cloud. OMC leverages a Big Data backend so you are not limited by the volume of data you send to your tenant. You will have a User Interface for all logs in your ecosystem. But that’s just the beginning. It has a sophisticated parsing engine leveraging Machine Learning and End User and Entity Behavior Analytics (UEBA) to learn what is normal and what is not. OMC clusters like patterns of problems across your entire ecosystem to present the health of your servers, databases, and applications in one user interface. You have 100% control to view the logs with full dashboarding and drag and drop query capabilities.

Oracle is in the unique position to perform this type of analysis as our products include Cloud Services, Hardware, Operating Systems, Databases, and Applications. Oracle owns Java, which makes us uniquely qualified to understand Log4j. Working with our application teams, OMC gives intelligent views into Oracle Applications such as EBS, Siebel, PeopleSoft, and even SAP. Remember: any log, any system.
The screenshot below is a summary of the different options you can enable in OMC.

Application Performance Monitoring (APM): Oracle’s APM for PeopleSoft, Java, .NET, Node.js, Ruby, Docker, and mobile applications, including both Android and Apple platforms, diagnoses performance bottlenecks in your code and system performance in your application servers.

Infrastructure Monitoring: The ability to view the health of your ecosystem.

Log Analytics: Provides a user interface for your logs. Log Analytics has the ability to cluster errors and categorize them into common and uncommon events (which tend to be the source of problems). It is much easier to troubleshoot when you can view the logs for the operating system, database, application and WebLogic in one user interface.

IT Analytics: IT Analytics provides the ability to look across your applications, webservers, databases, operating systems, and servers to get a comprehensive perspective on the current state of performance, availability, and utilization, and leverages Machine Learning to forecast capacity requirements. It answers tough questions – such as “when will I need more disk, CPU, memory, etc.” – which allows you to get ahead of potential problems and bottlenecks instead of just reacting when things go wrong.

Configuration and Compliance: The ability to baseline your configurations and, if desired, the ability to provision back the desired configuration. Would you like to know if someone accidentally created an unencrypted S3 bucket in Amazon Block Storage?

Orchestration: Think of it as a scheduler for your IT ecosystem. You can also attach fix jobs to break-fix events in OMC. For example, if a database reports that 90% of its storage is taken, OMC can fire a job that will increase space by 25%, or maybe you want to automatically restart your WebLogic servers if they shut down.
I won’t go so far as to say the database will be 100% self-healing, but it is kind of like self-driving cars: you would not have it drive you to the airport, but helping you stay in the lane and emergency braking is helpful. Automation for your databases is on the way and can definitely cut down on the support tickets you create, which cost you money.

Security Monitoring and Analytics (SMA): Perhaps the most important of all, SMA will help you audit your contract vendors. Oracle now has a SIEM (Security Information and Event Management System) with machine learning and UEBA incorporated so you will have complete visibility into your IT ecosystem. SMA can leverage Identity Management, Oracle’s CASB, and Audit Vault Database Firewall (AVDF) to complete the picture for your Identity Security Operations Center (SOC) for both on-premises and Cloud environments. The Big Data backend also makes it okay to send database events to your SIEM. OMC can take the load, unlike traditional SIEMs in the market!

OMC is one application that provides the ability for rapid troubleshooting, application performance monitoring and the baseline for your Security Operations Center spanning both your on-premises and cloud systems. It will allow you to reclaim your systems by gaining the visibility you desire on your IT systems, so you can take advantage of the cost savings of outsourcing parts of your IT organization. And if you do not outsource your IT organization, OMC is an excellent tool to minimize downtime, learn predictable performance behavior, and bring UEBA into your SIEM and Security Operations Center. Take a moment to explore how OMC could be a great fit for your organization.

Cloud Security

The Clock is Ticking... Register Now for Oracle OpenWorld!

It's that time of year again! Oracle OpenWorld 2018 is less than two months away. Has your organization registered for the event?

Every year, more than 60,000 attendees from over 145 countries attend Oracle OpenWorld. It is a great opportunity to learn the latest and greatest news in emerging technologies, learn new feature functionalities, collaborate with partners, and share ideas with industry peers. This year a pass to Oracle OpenWorld will give you and your colleagues access to 2,200 sessions and over 300 partners. This year's event takes place at San Francisco's Moscone Center from October 22nd-25th.

If you are considering attending OpenWorld this year, but are still in the final decision making stage, here are 5 reasons why it is absolutely essential to attend:

Attend 2000+ sessions focused on solving business and IT problems

OpenWorld sessions cover a wide range of topics: keynotes from Oracle executives, technical presentations, and sessions featuring Oracle customers, such as Tips and Tricks for Security Cloud at Scale.

Help your company keep pace with cloud innovations

According to the recent Oracle and KPMG Cloud Threat Report, 90% of respondents say at least half of their cloud data is sensitive information. As cloud becomes commonplace in technology, it is important to fully understand every aspect of the cloud and how to make the best decisions when choosing a Cloud Service Provider (CSP). CSPs are often not clear about their security offerings and what your responsibilities are as a customer. At OpenWorld, you can gain a better understanding of emerging technologies in the cloud and which of these technologies are the right fit for your IT environment.

Network with your peers and share innovations

Every company has a unique structure, but there is definitely something to be said about the power of collaboration. OpenWorld is a great opportunity to meet and mingle with industry peers.
Learn about common technologies and strategies for strengthening security, reducing cost, or improving innovation.

Enjoy all the entertainment the conference and San Francisco have to offer

If the exciting technology news is not enough to convince you, consider this: there is never a dull moment at OpenWorld. Attendees have a long list of choices for activities, socializing, and exploring. Oracle, partners, and sponsors put on receptions for OpenWorld attendees each evening of the conference. This is a great opportunity to get a more in-depth view of their offerings and ask any questions you may have in a smaller setting. It is also a chance to network with peers and catch up with your colleagues who may have attended different sessions. Wednesday night is CloudFest 2018. Each year, customers with a ticket to this event are in for a special treat. Concert goers in the past have danced the night away to performers such as Sting, Elton John, and Maroon 5. Although the lineup for this year has not been released, it is sure to be a crowd-pleaser.

Save on early registration and group rates

If you are now planning to attend, be sure to register for OpenWorld early to take advantage of the $200 savings. Additionally, government employee and large group rates are available to companies looking to send large teams!

If you are curious about what you missed at OpenWorld 2017, take a look at some of the highlights and start to imagine all of the great opportunities you can explore this year. We hope to see you at OpenWorld 2018. Don't forget to register early!

Cloud Access Security

Dodging the Top 5 Cloud Security Mistakes

Organizations are increasing their cloud adoption, but they aren’t necessarily keeping pace with their security practices.

Every year Oracle and KPMG collaborate on the Oracle and KPMG Cloud Threat Report, a survey of cybersecurity and IT professionals from private- and public-sector organizations about their public cloud usage and cybersecurity products and services. In 2013, 57 percent of our respondents said they were using public cloud services. Today, that number has jumped to 85 percent.

While people are feeling more confident than ever about security in the public cloud, many organizations are putting themselves at risk by making a handful of common mistakes. I’ll outline each of the main pitfalls below, but for more detail on what’s causing these mistakes and pointers on how to remedy them, don’t miss our on-demand webcast “Sharing the Cloud Security Responsibility and Mitigating the Top 5 Risks.”

Mistake #1: Lack of Responsibility

When you adopt a cloud service, it’s tempting to think that they’ve got security covered. Sure, they’re probably taking care of some of it, but there are certain things that they just can’t be responsible for—like how careful your employees are with their credentials. The division between what you’re responsible for and what your cloud provider is responsible for is an important one to iron out with your cloud provider to ensure that there aren’t any gaps. In the Cloud Threat Report, we found that only 43 percent of organizations could correctly identify the most common IaaS shared responsibility model. Knowing what your responsibilities are is the first step to fulfilling them and keeping your organization protected.

Mistake #2: Lack of Training

One of the most common ways an organization can be breached is through the average employee. The number 1 and 2 most common attack vectors are phishing scams, and all it takes is one person making one mistake to expose your company.
In this case, it’s training (and not some fancy tool) that will make the difference.

Mistake #3: Lack of Automation

The number 1 challenge for security organizations is being able to detect and react to cloud threats. In the Cloud Threat Report, only 14 percent of respondents said they were able to analyze all of their relevant security event and telemetry data. This lack of insight usually happens because cloud services are rolling out faster than SecOps can support them. In order to combat this problem, organizations need to remove manual processes and introduce more automated responses to risks. We’re past the point of hiring our way out of this problem. There just aren’t enough of us. We need assistance in the form of automation.

Mistake #4: Lack of Compliance

Organizations are struggling with not only how to meet, but also maintain their compliance requirements globally. A key distinction that companies often miss is that compliance doesn’t necessarily mean security. Compliance is primarily about data confidentiality, integrity, and making data available. You can be compliant and still get breached. Still, it’s difficult to meet your compliance goals if you don’t have an expert heading up the charge. You really need somebody who knows their stuff, can see the whole picture, and can determine how your organization can best tackle its compliance responsibilities.

Mistake #5: Lack of Leadership

It’s become a real struggle for security teams to rein in lines of business who think they can get their cloud services out “faster” if they skirt the security process. These projects often hit a snag when their owners realize that they have to meet the company’s security requirements. One of the reasons this happens is that lines of business don’t see how involving security operations early is actually an advantage for them. The key here is leadership.
By having someone who can help internal groups see an efficient path to deployment and check all the necessary boxes, organizations can both protect themselves and get what they need sooner. Ultimately our confidence in the cloud is well placed. All we have to do is update our thinking to match our technology. For more detail on these mistakes and how to avoid making them, see our on-demand webcast “Sharing the Cloud Security Responsibility and Mitigating the Top 5 Risks.”  

Cloud Access Security

OpenWorld Customer Panel - Will You be There?

In today’s changing threat landscape, organizations need to make smart and innovative decisions in order to stay a step ahead of cyber threats. Organizations utilizing innovative cybersecurity best practices in their hybrid environments are able to effectively keep pace with the ever changing security and compliance landscape. Oracle offers a suite of security cloud and on-premises solutions that enable customers to implement and manage consistent security policies across the hybrid data center.

A challenge for one customer, UBI Banca, was complying with GDPR while maintaining excellent customer experience for their different types of clients. They selected Oracle CASB Cloud Service to enable them “to detect and respond not only to potential threats but also data leakage and to better meet [their] regulatory requirements”. This Italian banking group was able to achieve a 50% reduction in time to discover new security threats and an 80% reduction in manual investigation time for security incidents with Oracle CASB Cloud Service.

For Pragmatyxs, a solution provider based in Seattle, security was a primary concern since many of their customers are in highly regulated industries. Pragmatyxs opted for Oracle Identity Cloud Service (IDCS) to protect their data. With Oracle IDCS, Pragmatyxs has been able to take advantage of global SSO capabilities to manage users globally within a unified dashboard, easy integration within Oracle cloud ecosystem, and much more. Overall Pragmatyxs was able to maximize value while minimizing cost and time spent.

You can learn more about how Oracle Identity Cloud Service and Oracle CASB Cloud Service help customers secure their cloud environments at Oracle OpenWorld this year. Troy Kitch, a Sr. Principal Director for Product Marketing at Oracle, will lead a customer panel on how Oracle security helps organizations “face external cyber threats, internal fraud, and the growing complexity of regulatory compliance regulations”.
You don’t want to miss this session - Customer Panel: Tips and Tricks for Security at Cloud Scale. To attend Oracle OpenWorld (and this session), register here.

Cloud Security

Augmenting Your SOC for Application Security: The Future of Robust Cybersecurity

Everyone with even a mild understanding of cybersecurity knows that the threat landscape is evolving and growing ever more complex by the day. The accessibility of the Dark Web has made advanced threats readily available to anyone with the cash and desire to steal data and inflict harm. “Set and forget” solutions and mentality will not keep an organization safe in this reality. Supplementing your in-house security team with an augmented on-demand security operations center (SOC), combined with a modern, cloud-based application security solution, is the new imperative for a robust cybersecurity posture.

SOC skills in high demand

Every organization needs highly skilled cybersecurity talent, but let’s be honest, it is not an equal opportunity market. Companies like Google and Facebook can recruit top talent with attractive packages and perks, but where does that leave everyone else? Many companies now generate significant revenue streams and store large amounts of highly sensitive data that make them targets for attack. Smaller third-party organizations, which probably don’t have large security teams, act as go-betweens for larger companies that do, like production houses or law firms. No matter how small you think you are, lacking resources is not an excuse.

Even if you do have the budget and in-house talent, an external, supplemental SOC provides a valuable second set of eyes on your security. Some of the largest breaches we’ve seen recently were a result of human error, such as not updating a policy or patching a server. An external team, working to provide oversight and an outsider’s perspective, combined with a cloud-based application security platform will add an extra layer of protection and supervision.

Harness the latest technology

The quality of a SOC is no longer measured by the number of bodies in seats but by the caliber of its technology.
An external security team should be using the latest advances in technology and methods such as cloud-based solutions utilizing machine learning and automation. Many solutions, particularly those that are on-prem, require someone to come out to your site, set up the hardware and train someone on your team how to use that hardware. This process can take months, and by the time it’s completed, the solution may already be outdated, and a couple of months after that, the one person on your team who knows how to use it may be moving on. We believe that the solution provider should also be able to provide onboarding and continued management through an external SOC that uses modern, cloud-based and agile application security solutions that scale and integrate as your company grows.

Automation is key

Automation is a key component for a robust external SOC. Many alerts don't need to be treated by humans. They can be treated directly by an advanced solution’s security engine, which uses machine learning and other techniques to monitor, classify, and escalate incidents. Human intervention occurs when the machines say, "Dear human, I haven't seen this one before. I need some help to understand what is happening." That way, SOC analysts can focus on these alerts rather than spending their time tuning. This also helps eliminate false positives and the draconian measures taken to avoid them. It’s really as simple as that. Automation does not have to mean complication. This is not science fiction: the machines are not going to rise up and do everything; they are an extension of the security team in the same sense as an external SOC.

Because monitoring and alerting of low-level incidents is automated, the human security analysts must be of a very high caliber. When alerts come to them, they have to react quickly and treat each one as a legitimate threat.
They have to discover, analyze, and respond, and they have to do it very, very fast, with the tools and knowledge to thoroughly investigate and mitigate. For these reasons, a SOC analyst is one of the most difficult people to find in cybersecurity today. A solution that provides managed services can share its analysts' expertise with customers that would otherwise be unable to recruit or retain that level of talent.

Bucking the trend

Despite these benefits, some organizations are hesitant to augment their SOCs externally or bring in outside talent to supplement their own. It goes against conventional wisdom. Security is typically the most conservative department within an organization. Traditional thinking says if there is an attack, they are the ones who are responsible – and perhaps the only ones to know. An augmented SOC provider needs to win their trust.

As the threat landscape continues to evolve, more and more organizations must embrace this approach and realize that truly strong protection includes an external extension of the SOC, with modern, automated and almost always cloud-based application security platforms.

Cloud Security

Oracle to talk Security and IT Modernization at 930gov: Will you join us?

For many government IT leaders, topics such as cybersecurity and IT modernization are front and center these days. As one of the largest multi-sponsored trade shows for government technology, 930gov will tackle these and other key themes on August 28, 2018, at the Walter E. Washington Convention Center in Washington, DC. This year, presenters from Oracle will be on hand to deliver key insights on some of the most pressing issues surrounding government IT:

Navigating the Cyber Landscape in Government, Hayri Tarhan, Regional Vice President, Security and Management Cloud, Oracle Public Sector

In one recent study, 49 percent of technology professionals said they had slowed their cloud adoption due to lack of cybersecurity skills. The situation is especially perilous for government agencies, which often represent "ground zero" in the cyber wars; a big digital footprint with lots of potentially valuable data makes government a prime target. As spear phishing, ransomware, hacktivism, and election tampering have become full-fledged industries, conventional security approaches can no longer be trusted to secure mission-critical agency data.

This session will explore the latest tools and strategies, including cloud solutions designed to be secure at every layer. A complete cloud solution offers global access controls for onboarding and offboarding employees, with the cloud provider continually investing in security at every level as part of its overall design. Rather than tackle security piecemeal, the cloud can deliver an optimized security approach at every level of the technology stack, leveraging a broad portfolio of data security and encryption products at the applications, infrastructure, and systems hardware layers.

IT Modernization in Government—The Right Approach at the Right Time, Aaron Cornfeld, Group Vice President Sales Engineering, Oracle Public Sector and Higher Education

A recent survey found that IT modernization remains solidly entrenched among the top priorities of senior government IT leaders, 72 percent of whom say that legacy systems still make up more than half their applications. The cost and complexity of maintaining those systems have made modernization an ever more pressing priority.

Government IT managers also are under regulatory pressure to upgrade. This spring, for instance, the White House released the President’s Management Agenda, which calls for IT modernization as well as enhanced technology around data, accountability, and transparency. The Modernizing Government Technology Act, likewise, calls for sweeping improvements to government’s aging IT infrastructure.

A modern IT infrastructure is, after all, foundational to every other initiative, including cybersecurity and citizen experience. Cloud services across SaaS, PaaS, and IaaS offer the clearest path for success—helping to reduce costs while delivering optimal security. A complete and integrated cloud services solution can help government agencies ensure compliance, while simultaneously offering a straightforward path for legacy IT systems transformation.

In keeping with the regulatory call to modernize, the cloud enables government IT to fully leverage transformational technologies, such as machine learning and blockchain. With its inherent flexibility and scalability, the cloud empowers modernization by enabling IT leaders to quickly and easily spin up new business processes. This means technology leaders have a freer hand to innovate faster with less risk, thus easing the burden on the IT workforce while accelerating time to value.

Improve Citizen Experiences—Build Trust with Modern CX Technologies, Kerry McKay, SaaS Cloud Specialist, CX, Oracle Public Sector

If citizen experience lies at the heart of government IT, it’s fair to say that many government agencies still have a long row to hoe in delivering the kind of digital encounters that inspire full confidence in constituents. According to one study, fewer than 20 percent of citizens trust the federal government to do the right thing always or most of the time. With citizen confidence in government this low, it becomes incumbent upon IT leaders to take action.

At the same time, citizens increasingly trust the technology in their personal lives to build relationships, buy homes, change goods and services, and much more. This opens a window of opportunity. Government IT leaders can leverage an outstanding citizen experience not just to deliver needed services, but also to build trust. Successful efforts like the cloud-supported app deployment by the city of San Jose help demonstrate the art of the possible.

***

It’s clear that cloud computing will be a common theme running through the presentations at 930gov this year. This reflects a growing interest by Federal agencies. In fact, one recent study predicts that by 2020, 50 percent of new IT spending will be on cloud implementations—a sign that many are looking to a balanced cloud approach, with an emphasis on hybrid cloud strategy.

While cloud may not fix all that ails government technology, a thoughtful and thorough cloud implementation does address many of IT’s most pressing concerns.

Security: Cloud security can be tailored end to end, rather than managed piecemeal at various levels across the IT infrastructure. This unified and coherent approach can ease the pressure on talent-strapped IT operations, while simultaneously ensuring that the public trust is upheld.

Citizen experience: By making it easier to test and deploy new apps, and by allowing for the rapid scale-up of the most heavily used sites and applications, the cloud enables government to deliver a new level of citizen experience, thus helping government to regain trust and confidence.

Modernization: For government technology chiefs and agency heads eager to shed the weight and expense of legacy systems, the cloud presents a means to rapidly and affordably access new capabilities, offering a viable path for migration toward a modernized infrastructure.

Join us at 930gov: visit www.930gov.com to learn how. For more information on Oracle's secure and integrated cloud services, please visit www.oracle.com/gov.

Cloud Access Security

Is the current approach to Cloud adoption weakening your security posture?

When I started working in IT security many years ago, it was a very different world to what it is today. For example, Identity and Access Management platforms were extremely new. It was back in the days when companies such as Netegrity, Oblix, and Thor were still in their early days. Centralised IAM was still a vision for many organisations. In fact, most average-sized companies hadn’t even realised they needed single sign-on, never mind actually having a plan or project to deliver it. The reality was that each application had its own user store with its own password, and roles and privileges were handled in each application silo. Remember, this was before the days of standards we have come to take for granted, like SAML.

Then we moved to a more platform-based approach, especially around middleware. IAM as a platform started to gain adoption. Companies recognised the importance of centralising IAM, either because of internal transformation programmes, risk, or regulation. Whilst some organisations never quite reached the nirvana of a fully-integrated IAM platform, completely automating their joiners, movers, and leavers, handling certifications, and segregation of duties etc, many did (and continue to) get value from their IAM platform.

I use IAM as the example but this has spanned many areas of security as companies moved from silo’d solutions to enterprise class solutions. There are well recognised benefits to moving away from silo’d solutions to more centralised, enterprise class capabilities across many areas of security.

However, it seems that Cloud may be in danger of undoing much of that thinking and evolution. We know that organisations are using an average of 6 cloud providers to run their workloads (State of the Cloud – Right Scale, 2016). This fits well with the cloud model of picking the best place to run different workloads. However, the challenge is that each of these cloud providers comes with its own set of security controls and capabilities.
In many cases, those security tools and capabilities are specific to that cloud provider’s services. This isn’t a lack of foresight on the cloud provider’s part; in most cases it’s by design. For example, Amazon provides IAM capabilities for managing users and their access to AWS. That isn’t an enterprise IAM capability; it is specific to AWS. As Amazon’s website states:

“Use AWS Identity and Access Management (IAM) to control users' access to AWS services. Create and manage users and groups, and grant or deny access.”

There are lots of other examples of this both within Amazon and other cloud providers. Take threat detection as another example, as Amazon states:

“Amazon GuardDuty is a managed threat detection service that provides you with a more accurate and easy way to continuously monitor and protect your AWS accounts and workloads.”

Microsoft takes the same approach for threat detection:

“With Azure Security Center, you get a central view of the security state of all of your Azure resources.”

I understand their rationale for doing this, focusing on delivering capabilities for their own cloud platform, and in some cases such as IAM, it would be impossible to provide a cloud service without delivering such a capability. However, in today’s market, where organisations are taking services from multiple cloud providers, this means that companies are being forced to move back towards a silo’d approach to security, having to configure and manage the same security capabilities separately in each cloud provider’s platform.

Security is all about bringing together knowledge to gain greater insight and intelligence into threats, risks, and attacks. It’s hard to do that from multiple, silo’d platforms. That’s before we even consider the increased cost and complexity associated with managing multiple silo’d solutions.

Therefore, it’s important when you are looking at security capabilities from cloud providers to understand how much coverage they give you across your entire estate, not just for that cloud provider, but across all of your cloud providers. We need to ensure that we don’t go back to individual security silos, or we are making it too easy for the bad guys to win.

Here at Oracle we are working hard to deliver a cloud security portfolio that is heterogeneous and will support you and your organisation in delivering security solutions which work across your multiple cloud providers, whether SaaS, PaaS, or IaaS, whilst not forgetting about your existing non-cloud estate. Head over to the Oracle Cloud Security website if you want to learn more.

Cloud Security

Cloud or on-premise: security of your data is about getting the basics right

Whether driven by regulations such as GDPR, increased scale of data breaches, industry best practice, risk assessments, or migration of sensitive data to the cloud, the topic of data security is never far from the minds of CISOs and security teams within organisations.

A common topic raising lots of questions for me at the moment is how secure my sensitive data is within the Oracle Cloud when using services such as Database Cloud Service (DBCS). This sensitive data could be financial data, personnel data, patient data, or intellectual property. Irrespective, my answer is simple. “It is at least, if not more, secure than it currently is in your on-premise database”. This surprises many people due to the continued mis-perception that the cloud is always less secure than a database sat behind an organisation’s own firewall. However, when, according to Verizon's 2018 Data Breach Investigation Report, 28% of attacks involve an insider, this still poses a significant risk. Therefore, I wanted to take a bit of time to explain the rationale behind my response and how I justify it.

There is no single, silver bullet for securing your data within a database. Ask any security professional and they will tell you that there are many attack vectors and threats, requiring a range of different mitigating controls. Those controls can be a mix of technical controls or manual controls, always combined with the associated processes. For example, you can’t have encryption if you don’t have key management processes. Looking at the technical controls, they are a mix of out-of-the-box controls available within a core database system, as well as (usually chargeable) security add-ons. For example, within the Oracle Database, figure 1 below shows some of the standard security capabilities built into the Oracle database.

Figure 1 – Standard Oracle Database Security Capabilities

In addition to the above standard security features, Oracle provides a wide range of additional security options to provide a further level of mitigating security controls. These include those shown in figure 2 below.

Figure 2 – Oracle Database Security Options

Why is this relevant to putting sensitive data in the Oracle cloud and specifically DBCS? Simple: the Oracle database is the Oracle database. It is the same database regardless of whether you are using it on-premise or in the Oracle Cloud as DBCS. It is the same product with the same set of standard security controls and security options. You don’t have to buy a different set of products or make any changes to your database or security tools as there is no difference. Similarly, there are no new skills to master for your DBAs and security teams.

What’s more, I said in my opening statement that Oracle DBCS is “at least, if not more secure”. How do I justify that? When you install the Oracle database yourself on-premise (or in another cloud provider), you have to buy all of the additional options that you identify a requirement for from figure 2. Once purchased, you have to configure them. However, within DBCS we already configure and include some of those for you. For example, regardless of which DBCS edition you choose, at-rest encryption is enabled by default for all database instances. If you choose Enterprise, High Performance, or Extreme Performance editions of DBCS, additional security options like Privileged User Control (Database Vault), Data Masking and Subsetting, and Label Security are also available to you. This means, through inclusion of capabilities like at-rest encryption by default, in many cases you will already be starting off with a more secure baseline than you have on-premise.

Of course, you can have the best products with the best security tools, but if you mis-configure them, or even worse, don’t configure them at all, then you might as well not have them. I can buy the best firewall in the world, but if I put a rule allowing any source to access any destination on any port, then I’m asking for trouble (please don’t try that). Unfortunately, this is something we see far too often, and we are trying to educate our Oracle database customers on how to make their databases more secure.

Within Oracle’s Solution Engineering team (the team I work in), we offer free of charge database security risk assessments to our customers, where we run an assessment to understand the current security status of one or more of your key databases. We then provide recommendations and an action plan to help you become more secure.

One of the really interesting observations from my perspective is that we are seeing evidence that there is often a lack of basic security. Just to be clear, this isn’t about selling as many database security options as possible, it’s about getting the basics right. More often than not, the standard database tools aren’t being used correctly, or indeed at all. Here are the most common mistakes we see over and over again:

Sharing passwords
No logging
Poor patching
No encryption
Excessive privileges

For more details, check out this video.

Therefore, when considering security of your sensitive data in the database, make sure you have the basics right. If you need help, reach out to us. This applies equally to your on-premise databases as it does to your cloud databases. Remember, it’s the same product!

Finally, if you think that your organization could benefit from a Database Security Risk Assessment, please reach out to me or your local Oracle contact. Alternatively, if you want a more lightweight approach that you can run yourself, please download the excellent, free Database Security Assessment Tool.

Cloud Security

Discovering the Oracle Cloud Security Day Series (Event)

Back by popular demand, Oracle is re-introducing the Oracle Cloud Security Day series to a location near you! Organizations are being impacted more than ever by common mistakes as they lift and shift their workloads and programs into the cloud. Answering the common question of "How secure is the cloud", this half-day event dives into the common mistakes organizations are making as they engage in their new cloud journey, and shares some of the best practices these organizations are now taking to overcome the increased risk.

The morning session will focus on real-world, high-risk use cases, led by Oracle and KPMG Security specialists. In the afternoon session, Oracle experts will help guide you through a hands-on test drive of Oracle Security and Management cloud services against some of these high-risk scenarios. Attendees will also gain a deeper understanding of the risks and threats to cloud, identified in this year's Oracle and KPMG Cloud Threat Report.

At the end of the test drive, attendees will understand basic concepts and be provided hands-on exposure to:

Top 5 security threats impacting enterprise cloud
Oracle Cloud Security and Management Services that prevent and remediate real world threats
Hands-on test drive of Oracle Security and Management Cloud Services

Find your city below for full session description, agenda and dates:

Seattle, WA        8/21/18
Houston, TX        8/23/18
Minneapolis, MN    8/29/18
Atlanta, GA        9/25/18
Denver, CO         9/27/18

Cloud Access Security

Hear from Customers in a New and Interactive Oracle Security Book

It's 2018 and technology continues to evolve at a rapid pace. Unfortunately, many organizations haven't seemed to figure out how to fend off attacks and they just keep coming. As noted in the new Oracle interactive Ebook, Intelligent, Automated Security, companies are locked in a relentless struggle against highly motivated adversaries.

Organizations are scrambling to find new, cost effective ways to transform their business, and security needs to be at the forefront of that strategy. New threats are emerging: technologies using machine learning, AI, and bots can all be used maliciously. These attacks can cost organizations millions of dollars and damage customer trust. There is a heightened sense of urgency as many IT organizations realize their traditional security solutions are no longer keeping pace with the current threat landscape.

Threats continue to pour in, while organizations struggle to keep adequate expertise on hand. For example, many teams are experiencing alert fatigue, a concept detailing missed malicious attacks due to the sheer number of false positive alerts from siloed systems. In a recent survey, 42% of respondents reported ignoring a significant number of alerts because they simply receive more than they could handle.

In response to this, Oracle is taking a new approach to security. Oracle's Identity-based Security Operations Center (SOC) enables organizations to manage authentication, assign risk scores, and automate remediation across your environment, all without human intervention. Every IT organization is unique, and with Oracle's comprehensive suite of technologies you have flexibility and choice. Understanding common challenges and how organizations defend themselves is crucial.

Read the new Oracle Cloud Ebook Intelligent, Automated Security for more information on the current threat landscape and Oracle's approach to securing hybrid clouds.
This interactive book takes you on a journey through some of the most pertinent topics in cybersecurity. It is also a great opportunity to hear directly from customers and experts in your industries on how they have used Oracle Cloud to innovate their business.

Cloud Access Security

Gain Visibility Into Your Environment with the Oracle Cloud Security Assessment Tool

Did you know Oracle has one of the biggest security practices in the United States? When you think about breach remediation, your first thoughts may be FireEye or PwC, but the reality is, once you get past the network tier, Oracle takes over because our technologies are usually in place in the Web, Application and the database tiers. In the end, hackers are after data in databases. Many times, hackers are not even attacking your systems; they are hacking your people. Do you think your employees are up to the task to stop a cyberattack? If hackers can penetrate the most secure organizations in the world, then they can no doubt circumvent your organization’s security controls to get inside of your company.

As companies continue to battle against attacks, Oracle is working to provide customers with solutions to strengthen security. One valuable service Oracle provides is the Database Security Risk Assessment (DBRA), where we will ensure you are configuring your databases to reduce security risks. We will also demonstrate how a threat actor could potentially hack your organization. We have been providing this service for the last 7 years and it is a very mature program. Along with the DBRA, Oracle provides the Cloud Security Assessment (CSA), which extends the DBRA into your Cloud Platform.

In a Cloud Security Assessment, we will evaluate your current cloud security posture. Leveraging our Cloud Access Security Broker (CASB) and Oracle Management Cloud (OMC), we can calculate a risk score for every user accessing your Cloud environment to give you visibility into who is accessing your Cloud environment and what actions they are taking. We can also give you insights into the health of your infrastructure and understand the patterns of your workload and what to expect in the future in terms of performance and reliability. Your security responsibilities will differ depending on your SaaS, PaaS or IaaS deployment.
Various public clouds have different security capabilities, so it is important to understand what you are receiving from a cloud service provider (CSP). The following questions are important to consider when selecting a CSP and while evaluating your environment:

Does your CSP encrypt data at rest and in-flight?
Do they offer both stateful and stateless firewalls?
Do you have a Firewall in front of your Systems? A Stateful Firewall?
Can you implement Network Address Translation (NAT)?
Have you implemented multi-factor authentication?

As an Oracle customer, the first step is to download the DBRA. Once enrolled, we can provide you with a report on your environment detailing the following 6 domains: data privacy, controlling access to data, systems health, user management, configuration and auditability/visibility.

How do you feel about your Cloud Security Architecture? As shown in the image above, do you think the dials of your report will be all green, indicating low risk? If not, schedule a Cloud Security Assessment and improve your security to where it needs to be. It's a free program for Oracle customers and takes about 2 days of your time.

Cloud Security

When Security Collides With Your Cloud Responsibilities

You could be forgiven for not being crystal clear about how secure your data is, or would be, in the cloud. On one hand, there’s the argument that security in the cloud has gone from being a barrier to maybe even being an incentive for moving your data and applications to the cloud. On the other, there’s a constant cadence of headlines and news spots detailing the latest security breach.

At least some of this confusion comes from the perception that the cloud relieves businesses of all their prior, on-premises responsibilities. Whether it’s the cloud providers who have overpromised or users that have underestimated their obligations, this set-it-and-forget-it mindset has clouded—pun not intended—our judgement when it comes to cloud security.

The truth is that the cloud, in all its forms, does offer significant security advantages. For example, the Oracle Cloud can apply patches in real time, shoring up vulnerabilities that might, in an on-premises world, leave your systems exposed until you could take them offline and apply the patch yourself. Considering the number of attacks that sneak through while security patches are waiting to be implemented, this is a real advantage.

But too often we mistake the fact that the cloud offers security advantages for the belief that the cloud is a security panacea and that the cloud service provider will take care of most security issues. Truth is, there’s a lot that your cloud provider can do to help, but they can’t do everything.

For instance, take the employee who shares his password with another coworker or the person who has access and maybe even steals sensitive company information. There’s little that a cloud service provider can do to prevent these behaviors without input from its customers. Of course they can detect suspicious behavior around that credential once it happens. But by then, it may be too late.

This is where the concept of shared responsibility comes into play.
And all that really means is getting crystal clear on what your cloud service provider is responsible for when it comes to management and security and what you as the customer are responsible for. It sounds simple, but depending on how many different cloud providers you have, it can get complicated quickly. In fact, in the recent Oracle and KPMG Cloud Threat Report, we found that only 43 percent of organizations could correctly identify the most common IaaS shared responsibility model. The results were even worse for PaaS and SaaS.

So, where do you start? Turns out there are some fairly simple things you can do to separate your responsibilities from your cloud service provider.

1. Read your contract and SLA. Your contract and service level agreement should clearly outline what responsibilities you own. You might discover that you’re covering many of these responsibilities already, or you might learn that there are inconsistent gaps from one cloud service provider to the next, which will require you to do additional checks and balances. The important thing is to know your role.

2. Have good conversations with your cloud provider. This won’t replace reading your contract, but it will give you a place to start and help you clarify any questions. This can also help you keep on top of your cloud provider and make sure they’re delivering what they promise. With Oracle, any customer can request full visibility audit reports that share any patch or vulnerability information to better understand if your data has ever been at risk. This is an important question to ask of any cloud service provider to find out if the same level of visibility can be provided across all services. This is key for compliance reporting in today’s organizations.

3. Appoint a cloud security quarterback. Having one person that has their thumb on what your business is responsible for is crucial to making sure all sides are living up to their end of the bargain.
Plus, this position—which is often called a cloud security architect—can work with both the security team and the applications teams to make sure they know all the best practices and regulatory compliance objectives.

4. Avoid the cloud rush, and pace yourself. Many organizations are rushing applications and workloads into the cloud at a rate faster than their own SecOp teams can catch up with or respond. It is important to go about your cloud journey at a pace that ensures no gap or exposure is left in the open as new services come online.

At the end of the day, the benefits your cloud service provider offers you more than likely greatly outweigh the responsibility you incur as part of your relationship. The key is to identify those responsibilities and figure out how to address them.

For more pointers on shared responsibility, join our upcoming webcast (Aug. 16 at 10 a.m. PT), where we’ll cover the top five cloud transition mistakes organizations make, how to mitigate them, and the top questions to ask your cloud service provider.

News

NEW! Oracle Database Security Assessment Tool 2.0.2 (DBSAT)

By Pedro Lopes, Product Manager, Oracle Database Security

It has been a great year for Oracle Database Security Assessment Tool (DBSAT) so far. We have over 8000 customer downloads since January 2018! We are also increasingly seeing that our customers and partners are finding new use cases and expanding usage for DBSAT to gain maximum value from the tool. For instance, in order to help comply with GDPR, DBSAT Discoverer helps find personal data in several Oracle Databases. It grabs the JSON output and feeds a BI dashboard that displays sensitive data found by category. We also had a high uptake in our Oracle User Group sessions and the value is clear from the multiple new articles written by the community. Thank you!

In case you have missed the announcement, we released Oracle Audit Vault and Database Firewall BP8 in June, which has the ability to import data from the DBSAT Discoverer output to add sensitive data context to the new Data Privacy reports. To learn more about this functionality, please refer to “Importing Sensitive Data Into AVDF Repository” in the Oracle Audit Vault and Database Firewall Auditor's Guide.

Today, we are excited to announce the release of DBSAT v2.0.2, which adds support for DBSAT Discoverer to connect to Database servers over an SSL channel. DBSAT Discoverer can now connect to Exadata Express Cloud Service and Autonomous Data Warehouse Cloud.

We will continue to enhance DBSAT further throughout 2H 2018. Some of the enhancements under consideration include:

Update the integration of DBSAT with orachk and exachk
Add new sensitive data pattern files in several European Languages

DBSAT development is community driven. If you have suggestions/recommendations/requests that will help us improve DBSAT, please reach out and let us know.

Oracle Openworld is coming up in October 2018 in San Francisco, where we will have sessions on DBSAT. If you haven’t already, please register here.

Learn more about DBSAT here.


Cloud Security

Security Isn't an Issue for Tomorrow, It's Important Today

87% of respondents in the recent Oracle and KPMG Cloud Threat Report (CTR) reported having a cloud-first orientation within their organization. The cloud is here to stay. However, with widespread adoption comes an expanding list of challenges and new considerations. Customers rapidly adopting the cloud must also consider how their security solutions can keep pace.

Keeping Pace

The CTR goes into great depth on this concept. Traditional security procedures are no longer enough for a mobile, digital workforce. It is important to remember that cloud is all about choice and flexibility. This means that customers can retain aspects of their traditional on-premises security solutions and begin to incorporate new cloud-based solutions over time. With that being said, the time to consider innovating your security posture is now. Recent data breaches have largely been attributed to human error or cloud account misconfigurations. These attacks can be fiscally devastating, ruin brand reputation, and can even mark the end of a C-level executive's time at the company. The stakes are high.

Breaches and Regulations

Everywhere you look there seems to be a new breach on the news, exposing sensitive personal information or company financial data. This issue is not unique to any industry and is a primary reason security has become a priority for so many organizations. Not to mention, harsh compliance regulations are continually cracking down on corporations. Organizations simply cannot afford to cut corners in today's hybrid cloud environment.

What can companies do to increase their security posture and remain compliant with regulations such as GDPR? First and foremost, "Transparency is key," as Akshay Bhargava, vice president of the cloud business group at Oracle, mentions in 5 Strategic Priorities for Chief Security Officers in 2018. Bhargava later goes on to explain the importance of an incident response plan, which can be used to quickly respond to an attack and minimize the damage. Companies should explore cloud security options that can help them better monitor their environments and protect them in the event of an attack. When working to comply with these regulations, it is also important to maintain visibility into your entire cloud and on-premises environment.

Threats

Modern businesses thrive off of fast development and lowering costs, both undoubtedly accelerated by cloud. The threat landscape has also exploded through these innovations. Overall cloud adoption has created a lack of visibility, leaving companies vulnerable to attack. The CTR explains that today's threat landscape is diverse and hackers aren't always sitting in a dark room millions of miles away. They are everywhere and they are after your data. Attacks can be brought on by nation-states, cybercriminals, and even insiders. Organizations face a wide range of threats including malware, phishing, and theft of credentials.

Companies must defend themselves at every layer of their environment. They must also turn to a more identity-driven approach for cybersecurity. By shifting the focus to identity, companies have more control to isolate the root cause of a breach or attack, especially those carried out by an insider or by a hacker using stolen, but authorized, credentials. Tracking a user's normal behavior enables cutting-edge technologies to automatically take action against anomalous behavior by sending out a Multi-Factor Authentication code to a user's phone.

Building a Defense

Each organization has a unique journey to the cloud. They must also discover the security solutions that will work best to protect their environment. As cybersecurity threats continue to rise, qualified talent has not been able to scale. There are simply too many alerts and not enough expertise to keep up. Companies need to shift toward intelligent solutions that can help them better predict, prevent, detect, and respond to threats. Creating an innovative security environment allows you to gain visibility and intelligence; it is a vital component in the battle of cybersecurity. For more details, please visit the Oracle Security page.


Cloud Access Security

Is It Time for SMBs to Get Data Smart?

It’s the second year Oracle has joined forces with Inc. Media to survey leaders of America’s fastest-growing companies to find out, among other things, what they credit their success to and what their spending priorities for the year are. As you can imagine, amidst all the responses, there were some interesting findings. Like this plot twist: when asked to identify their main obstacles to growth and the biggest contributors to their success, the executives gave the same answer: scalability, talent, and sales/customer retention. Basically, what landed them on the Inc. 5000 is also what they fear might throw them off.

For these companies, short- and long-term success relies heavily on growing sales and managing the customer relationship (47 percent of respondents named this as a leading success factor), and having and holding on to the correct talent (this came in at a close second at 42 percent). What keeps business afloat is also what can upend the entire apple cart.

According to these small-to-medium business (SMB) executives, the #1 reason for success is customers (a healthy 58 percent of respondents cited customer experience as the leading driver of success). Yet those same leaders stated that managing security was their lowest spending priority. And only nine percent of the SMBs surveyed stated that data security was the most important area of investment for 2018.

Keeping customers happy and offering a satisfying experience requires keeping their data safe and secure. So why is it then that data security, one of the biggest threats to the health of the customer relationship, ranked so low? Perhaps the reason is buried in misplaced fear and misunderstanding. Let’s unravel this a bit.

These Companies Know What They Are Doing

First, to land on the Inc. 5000 list, you have to pull off some rather impressive feats of business. The list isn’t a popularity contest; it’s a ranking based on financial statements that cover a three-year period. So yes, the people running these companies know what they’re doing. Achieving triple- and quadruple-digit growth for multiple years is not a fluke.

If we dig a bit deeper into the responses, we’ll find that 42 percent of respondents stated that integration across all their cloud products was their biggest objection and obstacle in the cloud. And for 28 percent of them, their biggest objection to using cloud is data security.

But this is where the goodness lies. Concerns about security and integration are one of the reasons to go toward the cloud, not away from it. The cloud shouldn’t be viewed as a barrier to success. On the contrary, it should be an enabler. Here’s why:

Piecing together solutions to solve problems only as they arise will result in a platform that doesn’t work well in the long term. For fast-growth companies like those on the Inc. 5000 list, a future-growth approach works best. The right cloud vendor can create a strategic plan that integrates solutions that are scalable; growth can be accommodated quickly and as needed with systems that all work together. Again, your IT infrastructure should enable growth, not constrain it.

As SMBs move more critical data to the cloud, security should scale with it to enable a secure environment beyond the firewall. Since no single stop-gap will halt all threat factors, when data sits within the Oracle Cloud, it’s protected with multiple layers of defense built in from the app down to the database.

Among the respondents who stated that security was their most important investment area in 2018, 47 percent said improving awareness of best practices and training was a main focus. This is wise. In the recent Oracle and KPMG Cloud Threat Report, 97 percent of organizations surveyed require that all or most cloud services be approved by the IT/security team, yet 82 percent of those same organizations express concern that employees and teams are violating those policies. A cloud access security broker (CASB) solution can close the gap by monitoring cloud accounts and preventing inside fraud with better processes and more awareness. For example, Oracle’s CASB solution can look at more than fifty thousand types of SaaS apps (Oracle and non-), giving IT a view into what their users are accessing (shadow IT) and enabling consistent security control.

No matter the size of the company or whether you’re on this year’s list of the Inc. 5000 (and congratulations if you are), security should be a top priority, particularly if you want to stay in the business of growth. If you want to know more about what it takes to make it to the Inc. 5000, read the complete report.


Cloud Security

Why is Hybrid Identity and Access Management Important?

Identity and Access Management (IAM) has been the main area of focus for most of my career. I have seen lots of changes over that time as trends come and go and, as you would expect, am regularly talking to customers about their IAM strategies (or lack of). Probably the biggest change around IAM in recent years has been Cloud Identity, or Identity-as-a-Service (IDaaS). I hear lots of IAM conversations from customers talking about whether they have an on-premise strategy, a cloud strategy, or a hybrid strategy.

Cloud Identity does indeed provide many benefits over on-premise IAM, but isn’t a silver bullet. It also has its limitations. I can understand some IDaaS vendors pushing customers down the Cloud Identity route. After all, as the famous saying goes, “If you only have a hammer, then everything looks like a nail”, meaning that, if you only offer IDaaS, then that is always going to be your answer. Whilst Cloud Identity does indeed have a lot of benefits, it’s not always the answer and very rarely the only answer for larger organisations.

- Some organisations can’t adopt Cloud for a number of reasons
- Organisations typically have lots of existing on-premise applications and infrastructure that they can’t just forget about and that don’t always lend themselves to IDaaS integration
- IDaaS doesn’t always provide the flexibility needed by larger, more complex organisations

Even those organisations who have a commitment to move to cloud still have to work out their migration and how they manage their existing estate. In my experience it is only the smallest, simplest (from an IT perspective) companies, or the cloud-native companies, that can easily adopt just IDaaS.

Therefore, for most companies, hybrid is the answer, taking advantage of the best of both worlds: using IDaaS to give you the speed and agility whilst using on-premise IAM to deliver the flexibility and deep integrations needed by many applications. Some industry leaders have used the term bi-modal IT and I think it applies perfectly to IAM.

Delivering IAM choice and flexibility

Oracle’s IAM platform is all about delivering that flexibility and choice to customers. We have the benefit of years of experience in IAM, delivering a market-leading on-premise IAM platform. That is still the case today and is a key part of Oracle’s IAM strategy. Oracle also consistently appears as a leader within IAM assessments and reports from industry analysts. We also recognise the importance of Cloud Identity and deliver an IDaaS platform that not only delivers key IAM capabilities across heterogeneous clouds for our customers, but also underpins Oracle Cloud, showing its strategic importance for Oracle.

So, let’s look back at those challenges I identified earlier.

Some organisations can’t adopt Cloud for a number of reasons

Yes, I have talked to companies who, for whatever reason, either can’t or don’t want to move to Cloud. However, that doesn’t mean that they should be left at a disadvantage. Oracle can still deliver on this bi-modal IAM vision for these customers. Our on-premise IAM platform can be delivered, well, on-premise, but we can also deliver our IDaaS platform, Identity Cloud Service, into the customer’s data centre, through our Cloud at Customer. This means that customers can get the speed and agility of IDaaS, whilst still being able to meet their most sophisticated use cases through the Oracle IAM platform, all delivered behind their firewall and in their data centres.

Organisations typically have lots of existing on-premise applications and infrastructure that they can’t just forget about and that don’t always lend themselves to IDaaS integration

Again, here Oracle offers customers a choice. The Oracle IAM platform can of course address these existing applications. However, Identity Cloud Service is also constantly being updated and can now reach back into the enterprise to support non-Cloud applications. I have written an article about that recently. This choice of approaches allows customers to make their IAM journey to the cloud at their pace and under their control.

IDaaS doesn’t always provide the flexibility needed by larger, more complex organisations

This comes back to my earlier point around choice. IDaaS isn’t always the answer (or not always all of the answer). Oracle’s IAM platform can support those advanced use cases requiring that extra flexibility, not usually seen in IDaaS solutions.

What's more, deciding you have a need to use on-premise IAM doesn't mean long, expensive projects. For example, you can deploy on Oracle Cloud (either in public cloud or using Cloud at Customer mentioned earlier). This helps you get out of the business of running physical machines. If you don't have the skills or resources to manage it, you can also look to Oracle Managed Identity Services, who can manage your Oracle IAM platform (running in Oracle Cloud) on behalf of your organisation. So, this means a customer gets the benefits of the flexible, feature-rich capabilities of the Oracle on-premise IAM, but without the headache of installing, running and managing the platform.

So, in summary, is on-premise IAM dead as the world looks to Cloud Identity and IDaaS? Absolutely not! Certainly, within Oracle, there are strong roadmaps for both our on-premise and IDaaS platforms as both remain strategic for our customers who are still deploying both. Hybrid is not going away any time soon and Oracle is there to support you on your IAM journey, whatever flavour of deployment that looks like.


Cloud Security

Reconciling GDPR rights to Erasure and Rectification of Personal Data with Blockchain

Written By: Patrick McLaughlin, Security Architect and Oracle Fellow

Introduction to the right to Erasure

The EU GDPR regulation[1] provides many rights to people who are located in the EU (the European Economic Area, in fact). The rights are described in Section 2 ‘Information and access to personal data’ in Articles 13-22. Some of the rights were available prior to the GDPR; with strengthened rights under the GDPR, together with the risk of high fines and other legal remedies, all organisations providing goods and services to individuals located in the EU are taking the rights of individuals much more seriously.

An individual’s rights can be exercised against the ‘data controller’, which is the organisation that decides to collect, process or store the personal information. The rights include: the right to get access to one’s personal data, the right to rectification if the data is inaccurate, the right to get data in a portable format, rights to restrict, block or object to the processing of one’s personal data, and finally, and most importantly from the point of view of this article, the right to erasure.

The right to erasure is also known as the right to be forgotten and enables a person (located in the EU) to request that data belonging to them be deleted, for example, if there is no legal basis for its continued processing. The right to be forgotten was established in 2014 by the highest court in Europe, the ECJ/CJEU, as a result of the Google Spain v AEPD and Mario Costeja González case.

Traditional IT systems challenges with the right to Erasure

The right to erasure creates challenges across all IT systems created over the past many decades. There has been a lot of ‘IT-sprawl’ in the past 20 years with the proliferation of application and data silos, with considerable duplication of personal data in many different systems. IT departments had the goal of ensuring high availability of data, including the availability of reliable backups of all data, typically over indefinite periods of time. The designers of applications and backup solutions did not and could not foresee the need to be able to selectively delete personal data of individuals upon request, across structured and unstructured systems.

Introduction to Blockchain

Blockchain is a relatively new concept and technology architecture, derived from the bitcoin architecture, but having application outside of crypto-currencies in business systems requiring a high degree of trust and ‘traceability’ between interacting parties. In the past, digital signatures based on Public Key Infrastructure were deployed as a solution to (dis)trust between interacting/transacting parties. PKI solutions work well from a technical and legal perspective but they have not come into widespread use. Blockchain, also signature-based, is regarded as a disruptive force that can make business engagement more efficient, change the structure of markets, and enable the creation of new services.

Blockchain and the GDPR right to Erasure

A blockchain works by keeping a history of all data written onto it, in principle, forever. Newly written data is cryptographically related to all existing data on the blockchain by including the hash of the existing data in the newly computed hash that covers the new data. Blockchain’s inventors, like traditional IT architects, did not foresee the need to delete data from the chain and instead highlight the strength of not being able to delete data (data immutability). One exception is that Accenture has patented a scheme for editing a permissioned blockchain which leaves a ‘scar’ – see here. In the absence of this editing capability becoming widespread, organisations are faced with the difficulty of complying with the GDPR right to erasure while gaining the benefit of using blockchain technology.

The GDPR requires organisations that have the role of a data controller, and are exploring the use of new technologies that may carry high risks ‘to the rights and freedoms’ of individuals, to carry out a data protection impact assessment, and there is detailed guidance on how to make such an assessment from the Article 29 working party – see here. Given blockchain is a relatively new technology, if a data controller will use a blockchain to store, process or communicate personal data, it’s very likely they should carry out such a formal data protection impact assessment, and it will have to address the difficulty of handling the legal right to erasure and rectification of personal data. The controller may need to consult with their Data Protection Authority and be able to explain and convince the authority about their approach.

Is hashed-data still personal data?

It is generally accepted that writing business and personal data directly to a blockchain is undesirable as blockchains are not performant enough (yet), and instead a hash of the dataset should be written to the blockchain. In the GDPR, personal data has a very wide definition and includes any data item that could potentially be used to identify an individual. A somewhat surprising example is that a dynamic IP address can be personal data if it can be used to help identify an individual – see here. So, with the blockchain it’s necessary to think about the right to erasure of data concerning an identified or identifiable person. The personal data may not be secret, but its presence in a transaction on a blockchain is what an individual may wish to have deleted. For example, an individual may want to erase the fact that they stayed at a hotel chain at a certain time, or that they bought medication over the internet for a certain ailment.

It’s also possible that hashed personal data written to a blockchain could be guessed or found out by trial and error (a brute-force attack), in the same way that dictionary attacks work to crack passwords. The complexity of doing so will depend on the ‘formula’ for calculating what gets hashed, and the formula could be guessed or ascertained by other means. The result is that simply writing hashed personal data to a blockchain, where it cannot be overwritten or deleted, is incompatible with the need to delete data under the GDPR right to erasure. Hashed data is more akin to pseudonymised data in GDPR terms, as the data subject is at least somewhat identifiable to the data controller. Were this not the case, one has to ask how the data controller would process the hashed personal data. The assumption must be that they have the underlying data stored off the blockchain and they know the formula to check if that data is present on the blockchain, e.g. by hashing some combination of attributes – otherwise what is the purpose of having data on the blockchain!

Reconciling immutability with the right to erasure

The obvious solution is to not write personal data, either in the clear or in hashed format, to a blockchain. Below I discuss what can be done where one needs to write hashed personal data to the blockchain.

The GDPR makes it clear that anonymised data, i.e. data that in no way can be related back to an individual, is not personal data. There is reference to ‘data rendered anonymous in such a way that the data subject is no longer identifiable’, which begs the question of how one could anonymise data. Hashing is not sufficient; however, encryption would do the job if the encryption key is immediately deleted. Not deleting the encryption key would mean the data could be decrypted and hence the individual would be identifiable. So, a good solution would be to only store encrypted, hashed personal data on the blockchain and, if a data erasure request is accepted, reliably throw away the encryption key(s) to make the data anonymous and unrecoverable. This is the closest to full erasure that can be done. Storing encrypted data clearly enhances the security of the stored data and, given that having appropriate data security is another requirement of the GDPR, there is an additional benefit of encryption.

A key management solution would be needed that would assist with data erasure through key deletion. People will have the right to request deletion of a subset of their data, for example, if they withdraw their consent for some very sensitive personal data to be processed. Therefore, sophisticated use of a key management solution that enables encryption of fine-grained personal data would be required as an accompaniment to the blockchain. Clearly the encryption keys should not be stored on the blockchain as the blockchain would not allow their deletion! They could be stored in a simple, 2-column KeyID and Value database (relational or non-relational). The value would be the personal-data-item encryption key, itself encrypted using a ‘master’ key-encryption key. The KeyID would be derived, for example, by hashing the data being stored together with a nonce. The master key-encryption key could be stored in a Hardware Security Module to increase its protection. It’s likely that other columns will be needed, e.g. to record the deletion of the encryption key in response to a specific data-erasure request, received from a specific person, at a specific time.

An interesting legal question arises as to whether the organisation can or should record and store the request for erasure and the action taken on the blockchain. The benefit would be to have a dependable (perhaps immutable) record of the activity as part of the formal record of processing, but what if a request is then received to erase all data identifying the same individual? Data controllers need to consult their legal representatives on whether and where such a record of erasure should be maintained as evidence of acting appropriately on the original individual’s request.

When it comes to deleting personal data not stored on the blockchain, today organisations are trusted to simply delete the data and confirm they have done so. By extension, the same organisation storing personal data on a blockchain could be equally trusted to delete the encryption key associated with that individual encrypted item.

A more advanced encryption-key deletion scheme

Instead of relying on a single key to encrypt and decrypt hashed personal data, it’s possible to split the encryption key into 2 or more parts, so that, for example, the data controller has one part and the individual has the other part. To encrypt or decrypt data, both key parts would be needed. Requiring m of n key-shares to enable encryption or decryption is a well-established technique, even though it’s uncommon in commercial systems – see here.

A 3-key key management scheme is already in use, to enable the right to erasure, in a blockchain application that enables the storage of diplomas and degrees – see here. The scheme has the following keys.

- Graduate Key – the property of the graduate, integrated into the diploma’s URL.
- Persistent Key – kept by the educational establishment. When the graduate wishes to exercise his or her right to be forgotten, she only has to destroy this key.
- School Permanent Key – kept by the educational establishment.

If the graduate deletes her key, the system will no longer be able to decrypt the diploma and thus the diploma is effectively anonymised/deleted. The graduate does not need to rely upon and trust the school/college to delete a single encryption key.

Consequence for blockchain application developer

Data protection/privacy by design and default is a key tenet of the GDPR and this principle is expected to be applied when developing new systems. To handle the right to erasure, an application developer must leverage a key generation function and encryption library to ensure that hashed personal data is encrypted before storing on the blockchain. A better alternative would be to make the encryption transparent for the developer so she can have personal data transparently encrypted using a dynamically generated key by simply calling a function that highlights the data as ‘personal’ so it undergoes the extra processing steps before storage:

    put (bloodtype, Alice, blockchainX, personal)

or

    putPersonal (bloodtype, Alice, blockchainX)

A search function should be able to locate and transparently decrypt the data:

    get (alice, bloodtype, personal) -> Group AB

An erasure function would have the effect of transparently deleting the encryption key, resulting in:

    erase (alice, bloodtype, personal) -> confirmed
    get (alice, bloodtype, personal) -> Not found

All of these functions should be under the control of an access management system so that only the right people or entities could read, write or delete personal data on the blockchain. This article does not address the governance needed to handle erasure requests. Not all erasure requests will be accepted, so an approval process will be required; for example, requests to erase records with the tax department will not be accepted.

A further alternative would be to have a personal data discovery function running in the background inspecting any personal data being written, read or deleted on the blockchain and have it transparently do the underlying encryption, decryption or key deletion as appropriate. Such an approach would need to be 100% reliable given the maximum fines under the GDPR of €20M or 4% of global revenue, whichever is higher, for infringing individuals’ rights, including the right to erasure and rectification of data.

A final alternative would be to use a hybrid scheme where the functions are explicitly invoked, for example by smart contracts (programs), and a process is additionally running and checking if data being written to the blockchain is personal data. If so, the write could be rejected if the data is not encrypted, or the smart personal data detector could autonomously encrypt the data: a) to make it more secure and b) to ensure that the option is there to support a data subject erasure request.

What about rectification of data

The right to have inaccurate data changed is also enshrined in the GDPR. Let’s say Alice’s blood-type is not in fact AB and should be O; there is a compelling reason to ensure this data item is rectified. The solution would be to first erase the inaccurate data as above and add the correct blood-type to the blockchain at an appropriate location:

    erase (alice, bloodtype, personal) -> confirmed
    put (correctbloodtype, Alice, blockchainX, personal)

For personal data update, a dynamic personal data update function could transparently invoke the same two functions and even transparently verify the result:

    erase (alice, bloodtype, personal) -> confirmed
    put (correctbloodtype, Alice, blockchainX, personal)
    get (alice, bloodtype, personal) -> Group O

This could be done for all occurrences of the same attribute on the blockchain. The programmer would simply have to call an update function with or without the personal flag:

    update (correctbloodtype, Alice, blockchainX, [personal])

Final words

This article is intended to highlight a real problem with using blockchain technology to process personal data, to propose concrete candidate solutions that can stimulate discussion on how real the need is, and to help reach conclusions among stakeholders involved in the development and adoption of blockchain technology.

[1] European Parliament and Council Regulation 2016/679 of 27 April 2016, repealing Directive 95/46/EC (General Data Protection Regulation), OJ L119/1, http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN
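The put/get/erase/update functions and the off-chain KeyID/Value key table described in the article, as an added sketch that is not the author's or Oracle's code. It assumes an in-memory hash chain as the blockchain and a master key held in a variable rather than an HSM, encrypts the data item itself (not its hash) so that get can return it, and uses an HMAC-SHA256 keystream with encrypt-then-MAC as a standard-library stand-in for an AEAD cipher; all class and function names are hypothetical.

```python
import hashlib
import hmac
import secrets

GENESIS = b"\x00" * 32


def keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode (stdlib stand-in for a real cipher)."""
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def seal(key, plaintext):
    """Encrypt-then-MAC; use an AEAD such as AES-GCM in a real system."""
    nonce = secrets.token_bytes(16)
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def unseal(key, blob):
    """Check the tag, then decrypt; ValueError on a wrong key or tampering."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, keystream(enc_key, nonce, len(ct))))


class Ledger:
    """Append-only hash chain; deliberately has no delete or update."""
    def __init__(self):
        self.blocks = []

    def append(self, payload):
        prev = self.blocks[-1]["hash"] if self.blocks else GENESIS
        digest = hashlib.sha256(prev + payload).digest()
        self.blocks.append({"prev": prev, "payload": payload, "hash": digest})
        return len(self.blocks) - 1

    def verify(self):
        prev = GENESIS
        for block in self.blocks:
            digest = hashlib.sha256(prev + block["payload"]).digest()
            if block["prev"] != prev or block["hash"] != digest:
                return False
            prev = digest
        return True


class PersonalDataStore:
    """put/get/erase/update over a Ledger; keys stay off-chain."""
    def __init__(self, ledger, master_key):
        self.ledger = ledger
        self.master_key = master_key  # assumption: held in an HSM in production
        self.key_table = {}  # KeyID -> wrapped item key, or None once destroyed
        self.index = {}      # (subject, attribute) -> (KeyID, block number), off-chain

    def put_personal(self, subject, attribute, value):
        data = value.encode()
        item_key = secrets.token_bytes(32)  # one key per personal-data item
        key_id = hashlib.sha256(secrets.token_bytes(16) + data).hexdigest()  # data + nonce
        block_no = self.ledger.append(seal(item_key, data))
        self.key_table[key_id] = seal(self.master_key, item_key)
        self.index[(subject, attribute)] = (key_id, block_no)
        return block_no

    def get(self, subject, attribute):
        entry = self.index.get((subject, attribute))
        if entry is None:
            return None  # "Not found"
        key_id, block_no = entry
        item_key = unseal(self.master_key, self.key_table[key_id])
        return unseal(item_key, self.ledger.blocks[block_no]["payload"]).decode()

    def erase(self, subject, attribute):
        entry = self.index.pop((subject, attribute), None)
        if entry is None:
            return False
        # Destroy the only copy of the item key; the block itself stays on the chain.
        self.key_table[entry[0]] = None
        return True

    def update(self, subject, attribute, value):  # rectification: erase, put, verify
        self.erase(subject, attribute)
        self.put_personal(subject, attribute, value)
        return self.get(subject, attribute)


if __name__ == "__main__":
    store = PersonalDataStore(Ledger(), secrets.token_bytes(32))
    store.put_personal("alice", "bloodtype", "Group AB")
    print(store.get("alice", "bloodtype"), store.erase("alice", "bloodtype"),
          store.get("alice", "bloodtype"), store.ledger.verify())
```

Erasure by key deletion is only as reliable as the destruction of every copy of the wrapped key, so backups and replicas of the key table need the same deletion guarantee.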


Edge Security

What are the Benefits of Edge Computing Security?

As the complex functions that web applications and services perform move closer to users, there is increasing demand for the real-time processing, creation, and exchange of data. Enterprises need to perform the same types of computations at the edge that they traditionally did in the data center. With that comes the need to protect those workloads at the edge as well.

Edge computing security takes traditional protections that are done on premises or in the cloud and implements them in proximity to where users interact with data and services. In this interview, Nick Deshpande, principal, product strategy at Oracle, discusses a few of the benefits of edge computing security.

What is the biggest advantage of the edge security approach?

One of the main benefits of edge computing security is the ability to secure a workload no matter where it is and scale with that workload no matter how big it gets. When Pokémon Go does its giant meetups, for example, users put a huge amount of strain on local networks. Edge security can scale up and down quickly with the demands of those workloads without contributing to that strain.

How exactly does this approach improve security?

Enterprises have visibility right up to the edge of the network. You're not waiting for the data to come back in to your data center or cloud and be processed by some server. You can deal with any potential threats upstream, where the trusted and un-trusted zones meet.

Are there any benefits of edge computing security when it comes to cloud migrations?

Edge security is also a great fit for the cloud lift-and-shift use case. Enterprises may be concerned that they're going to have to sacrifice one security posture for another or go without security for a certain amount of time as they get situated in a new environment. They may worry about trying to take a security profile from their on-premises data center and trying to match it to a cloud provider’s environment.

How do Oracle's edge services help with that?

With our edge computing security approach, enterprises can establish a security profile that moves with their applications and services, regardless of hosting environment. Users have a consistent security layer, whether it's in a hybrid, public or multi-cloud scenario. So if you've already achieved compliance, you’re not going to lose that when you move to the cloud. With some cloud providers, everything is so baked in, it can be really tough to move workloads around or out of their cloud, or to work across multiple clouds when you need to. Being agnostic is a really big benefit.

Cloud Security

Oracle is a Platinum Sponsor at RSA Conference in Singapore!

Next Generation Cybersecurity

Organizations are losing the cyber war. They can no longer rely on manual threat detection and response to address today's sophisticated attacks. Additionally, organizations are finding it hard to keep pace with the volume of security alerts and the growing scale of users, apps, and data. In fact, 51% of organizations say that they are unable to analyze the majority of their event data (Oracle and KPMG Cloud Threat Report 2018). Organizations need to address these challenges with autonomous security. Join us at RSA Conference 2018 from July 25-27 in Singapore at Marina Bay Sands to discuss all these topics and more.

Visit Oracle at Booth #1203, Marina Bay Sands, Sands Ballroom, Level 5

Visit us at our booth to meet our experts and learn more about:

- Oracle’s World First Identity-based Security Operations Center (Identity SOC), which provides comprehensive monitoring, threat detection, analytics, and remediation tools to stay ahead of threats.
- Sign up for an Oracle Cloud trial!
- Get a free giveaway from us!

Learn More about the Oracle and KPMG Cloud Threat Report 2018

The Oracle and KPMG Cloud Threat Report 2018 is the inaugural global survey of cloud security challenges, threats, and insights from security practitioners and decision makers. This report compiles the findings from organizations across the globe that center on one common theme: that the cloud has created a strategic imperative to keep pace at scale.

Attend our Keynote Session

The Impact of Autonomous Security in today’s Threat Landscape
July 26, 2018 | 2:55 pm - 3:15 pm | Marina Bay Sands, Roselle Simpor Ballroom, Level 4
Speaker: Amit Zavery, Executive Vice President, Cloud Platform

Abstract: The combination of sophisticated external attacks and insufficient security skills in the industry has intensified the challenges that enterprises face in the race to protect their core information assets. Combined with the move to Cloud and SaaS, the status quo is just not sustainable. Join Amit Zavery, EVP, Oracle Corporation in this keynote, as he shares the findings of the Oracle and KPMG Cloud Threat Report 2018, introduces the concept of Autonomous Security, and provides insights into how enterprises can be empowered to revolutionize and re-imagine their approach to information security and safeguarding their highly sensitive data.

Cloud Security

Cloud Considerations: Personalizing Your Cloud Journey

Cloud adoption has become a global trend in business technology. However, security and compliance concerns are at an all-time high. Security has always been a cornerstone for IT organizations, but the increasing number of cloud applications and continual pressure to lower costs have pushed the need for secure systems to the top of the list for everyone, from top-level executives to everyday end users. This has left many organizations in a difficult position. They must consider how to meet their performance and cost goals while maintaining a strong security posture. Secure technology transformation requires several considerations, but where can IT teams begin their journey?

How will you choose to deploy your future environment?

According to the Oracle and KPMG Cloud Threat Report, 83% of participants rated cloud security as good as or better than on-premises security. This is a testament to the growing number of organizations putting their data in the cloud and unlocking rapid business innovation. However, every organization has a unique journey to the cloud. Some opt for a hybrid strategy or elect to put new applications in the cloud as they transition to modern systems. Due to stringent data protection policies and industry standards, it is important to have options when moving to the cloud. Flexibility is key when making this transition, whether that be to private, public, or hybrid cloud deployments.

Oracle Cloud at Customer is an avenue that has been widely explored by customers looking to gain speed and scalability in the cloud, while retaining control over their data. Keeping their data within the company's firewall, Cloud at Customer enables IT organizations to offload tasks such as patching, upgrades, and regular maintenance to the Oracle team, ensuring that their SaaS, PaaS, and IaaS environments are monitored around the clock. The data resides in the customer's possession, securely isolated with access only awarded to the proper administrators within their organization.

Identity management that fits your environment

As your cloud environment begins to grow, so does complexity in securing your deployment. Numerous applications spread across the business can often create information silos, making identity management a challenge. Ensuring that your environment is protected by a single solution to manage identities is extremely important for customers with hybrid environments. If a user profile is compromised, this can leave you vulnerable to attack. Solutions such as Oracle Identity Cloud Service (IDCS) can block these actions by monitoring user behavior and recognizing anomalies in access times or locations. The system automatically launches Multi-Factor Authentication (MFA) actions to verify the user. Automated Machine Learning capabilities are critical to ward off stealthy attacks on sensitive data. Better yet, IDCS can be used to support your cloud journey, managing your users across public, private, and hybrid environments.

What are you looking for in a cloud service provider?

Once you have determined the best plan of action for the previous two considerations, consider one more. How can you find solutions that fit your needs and complement your existing environment? It is important to consider if a cloud service provider can integrate well with heterogeneous systems, enhance performance rather than hinder it, and promote your company's policies for compliance standards. To achieve this, look for a solution, or set of solutions, that comes with inherent security features and offers you options to build out additional security functionality to suit your environment.

Striking a balance of seamless security integration across your environment along with enhanced performance and adherence to compliance policies can be a challenge. However, it is certainly attainable and unique to every customer. We encourage you to explore our Oracle Cloud at Customer and Security offerings.

Cloud Access Security

2018 Oracle Cloud Platform Innovation Awards - Nominations Open

Are you transforming the way you secure and monitor your business with Oracle Cloud Security Solutions? If yes, we want to celebrate you and your success with an Oracle Excellence Award. Every year Oracle aims to recognize outstanding cloud security customers who utilize Oracle security solutions to fuel innovation and elevate their business. Winners will be awarded with a complimentary pass to Oracle OpenWorld, a speaking opportunity at OpenWorld, and acknowledgment at a special ceremony to highlight their outstanding accomplishments. Nominations are open now until July 20, 2018, so submit today.   The Oracle Cloud Platform Innovation Awards were designed to celebrate customers who are dynamically driving business innovation with one or more Oracle PaaS solutions. Organizations can be nominated for their use of Oracle Cloud Security tools including: Identity Cloud Service, CASB, Configuration and Compliance, or Security Monitoring and Analytics. To find the full list of eligible solutions and categories, visit the nomination page for more details.   This is a fantastic opportunity to showcase business innovation in security. All  security customers and partners are encouraged to submit a nomination. The 2018 Oracle Cloud Platform Innovation award winners will be announced this September. As part of the Oracle Excellence Awards, recipients will be honored at Oracle OpenWorld amongst peers and thought leaders in several industries from across the globe. Once again, nominations are now open until July 20, 2018. We look forward to recognizing our innovative customers and partners!

Cloud Security

The Oracle Trust Fabric – Securing the Cloud Journey

“We have to reprioritize and rethink about how we defend our information. We need new systems: it can't be our people versus their computers. We're going to lose that war. It's got to be our computers versus their computers. And make no mistake: it's a war.”

These words from Oracle’s CTO and Chairman, Larry Ellison, are consistently validated in the news with headlines of the latest cyber attack and data breach. As an industry, we face too many security alerts, using manual and error-prone processes, not enough cybersecurity talent and insufficient tools. Due to increasing data breaches, industry and governments are introducing more regulations (i.e., European Union’s GDPR) that require better security. Oracle is uniquely positioned to help customers protect hybrid and multi-cloud environments by detecting, preventing and responding to today’s sophisticated security threats with minimal burden to overwhelmed staff.

I would like to introduce Oracle's Trust Fabric, which is comprised of an integrated security portfolio designed for the entire IT ecosystem that includes Oracle and third-party on-premises, SaaS, PaaS, and IaaS environments. It is designed to proactively maintain security with a unified network of trust, a set of security tools, and a methodology. Using machine learning capabilities that automate a fast response, Oracle’s secure cloud platform is designed to address your IT governance and compliance requirements while protecting all your users, apps, data, and infrastructure.

The Trust Fabric security model is built around the notion of protecting mission-critical sensitive data and consists of seven layers:

- Data security (encryption, masking, redaction and user access controls)
- Encryption key management
- Identity and access management
- Cloud visibility and data loss prevention
- Cloud application firewall security
- Cloud infrastructure security
- Cloud monitoring and security analytics

The Trust Fabric can be implemented using Oracle’s integrated and open product and cloud services platform. Customers can use the entire platform together, or pick and choose the solution mix that meets their requirements. The Trust Fabric seamlessly integrates the portfolio of Oracle security and identity software and cloud services, enabling security interoperability. These security and identity solutions are integrated across the Oracle cloud and application portfolio, providing enhanced enterprise-class security for your Oracle investments.

Oracle's Trust Fabric incorporates autonomous technology using machine learning to quickly and automatically detect and resolve threats. This is the “computer versus computer” paradigm that is going to allow us to win this cybersecurity war. Learn more about Oracle's Trust Fabric and Oracle Security.

Cloud Security

Are CFOs Prepared For GDPR Compliance Regulations?

If there’s one aspect of GDPR that is likely to grab the attention of any CFO it is the potentially eye-watering fines organizations could be hit with if they are found to have breached the new data protection regulation. As the gatekeepers for the company finances, and often the boardroom owner of risk management, what CFO isn’t going to sit up and take notice when the sums involved could be up to €20 million or four per cent of annual revenue — whichever is larger?

However, CFOs shouldn’t just be sitting in fear, hoping the day never comes when they have to pay out such a fine. There is much they should be doing to ensure their organization is prepared, starting with participation in cross-organization planning and an audit to ensure they understand the types of personal data that are being processed within their organization, where it resides, who has and needs access to it, and how their processing activities are affected by GDPR.

For CFOs this process should include reviewing what data they hold, create and preside over with finance. That could include employee information such as payroll or salary data, as well as data held by suppliers, contractors and outsourcers who may report into the CFO. CFOs should be reviewing the contracts they have in place with those suppliers to ensure they are fit for GDPR.

The Role of the CFO in GDPR Compliance

Another key role of the CFO is ensuring the organization’s compliance efforts are properly funded and resourced. In order to do that, the CFO must understand the cost of compliance and where investment needs to be made in order to ensure it. This may well involve additional budgets for teams such as IT, which will certainly be at the sharp end of GDPR compliance, ensuring data is protected and structured in such a way that the organization can respond to requests from data subjects to provide, modify or delete data.

However, to prevent the cost of compliance spiralling, CFOs will also need to ensure they understand which measures are essential and should maintain a cautious cynicism towards some of the requests for additional budget that may cross their desk. “This is needed for GDPR compliance” could be used to push through any number of purchases that may not be essential. This is all the more reason why the CFO needs to ensure they are on top of GDPR and what it means.

There is still some uncertainty surrounding what will happen after the GDPR deadline of 25 May. But whatever happens, the CFO needs to be prepared. There are clear opportunities which can arise in a data-driven economy for any organization that improves its data handling and usage practices. CFOs should therefore be weighing the potential upside of GDPR and the way it could help them unlock valuable insights, improve operations, know their customers better and become more responsive to risks and opportunities.

However, as a final consideration, CFOs may also choose to plan for the potential downside. For all the planning there may be some organizations who are caught out and hit with fines — or potentially lawsuits. While they should of course do all they can to ensure that is not their organization, some CFOs may still choose to plan for the worst and put aside funding as an insurance policy against those eye-watering fines. Learn more about how to comply with GDPR regulations.

Cloud Security

Oracle at Gartner Security & Risk Management Summit - 2018

By Russ Lowenthal

Data is the most valuable IT asset, but if not protected can become your biggest liability. EU GDPR is now being enforced (with the first GDPR lawsuits filed the very first day of the new law), and there is a global trend toward privacy legislation that mirrors GDPR. These new data privacy laws, combined with weekly revelations of significant data breaches, are driving organizations to focus more and more on how to protect their sensitive data.

The bad guys are after your data, and they are winning far too often. Hackers exploit unpatched systems; leverage weak, default, and stolen passwords; and slurp up unencrypted data wherever they find it. One of the many lessons in this year's Verizon Data Breach Investigations Report is that databases are high-value targets. In fact, Verizon highlights databases as THE top asset involved in the most significant data breaches. It's time to turn the tide and lock down these valuable data repositories.

Gartner Security & Risk Management Summit 2018 is quickly approaching. Attending the event? Please join Vipin Samar, Oracle's Senior Vice President of Database Security, on Wednesday, June 6, to discuss the latest innovations in securing databases both on-premises and in the cloud. Learn how, with multiple rings of control, you can protect your data from the bad guys and ensure regulatory compliance.

Title: Don't forget to cover your assets! Oracle on Data Security
Wednesday, June 6: 10:45 a.m. to 11:30 a.m. in Annapolis 1
Speaker: Vipin Samar, Senior Vice President Database Security

Abstract: Data is the most valuable IT asset, but if not protected can become your biggest liability. Join Oracle to discuss the latest innovations in securing databases both on premises and in the cloud. Learn how preventive and detect/respond controls can secure your Oracle and non-Oracle assets, help ensure compliance to EU-GDPR and similar regulations, and simultaneously deliver a step-function improvement in your SOC efficiency.

See you there!

Cloud Access Security

Marlette Funding Increases Visibility and Control Over Their Cloud Environment

IT professionals in every industry are searching to gain higher visibility and control over the use of cloud applications within their organization. This situation is not unique to a company based on size, industry, or location. As monitoring the cloud has become a common challenge in digital transformation, some companies are taking steps to change. Marlette Funding, a financial services technology company based in Wilmington, DE, wanted to better understand the actions of their employees and their 270,000 customers. Selecting the right cloud monitoring solution was extremely important to the company's Chief Information Security Officer, Chet Sharrar. The company evaluated several cloud service providers and did a thorough evaluation of their requirements. Marlette Funding built a strong partnership with Oracle and gained greater visibility into their cloud-based environment through Oracle CASB.

The journey to adopting Oracle CASB was prompted by several challenges, including:

- The need for visibility into the configuration of cloud services.
- Limited number of staff members and consolidated tools to complete administrative tasks.
- Lack of evidence demonstrating effective operation.

As a financial institution, ensuring compliance with security and information movement standards was paramount. CASB enabled their limited IT staff to set configuration controls and collect actionable evidence on the effectiveness of their operations. Three years later, Marlette Funding's use of CASB has matured and grown across their cloud environment, creating visibility and peace of mind.

Watch the full video featuring Chet Sharrar and learn more about how Oracle CASB and Oracle Security can support your compliance and cloud security strategies.

Cloud Access Security

Securing Multi-Cloud Infrastructure-as-a-Service (IaaS) using Oracle CASB (Webinar)

Organizations are adopting the cloud across the stack, that is, applications (SaaS), platforms (PaaS), and infrastructure (IaaS). While cloud adoption started with applications, in the past few years, adoption of cloud infrastructure has grown rapidly. For example, the recent Oracle-KPMG Cloud Threat Report, 2018, found that 51% of the respondents were actively adopting IaaS, and a vast majority of them (81%) leverage more than one cloud IaaS. In fact, RightScale’s “2018 State of the Cloud Report”, found that 35% of businesses plan to increase their spend on public cloud services by 50% or more. While these statistics are quite staggering, the security challenges that are posed by this growth can be quite significant. While there is general consensus that there is a lot more comfort and confidence about security in the cloud, the biggest challenge we have seen is how IaaS services can be configured and monitored for security. Many organizations struggle with the shared responsibility model for security in the cloud, particularly as it relates to securing IaaS. One of the challenges they face is defining what secure use of IaaS is and who is responsible for it. While the services themselves are inherently secure and provide many options to fine-tune security, these services may be misconfigured, or may not adhere to the information security team’s standards. The ephemeral nature of the services makes it harder to manage. Leveraging multiple vendor services across departments/business units adds to the complexity. While each of these IaaS solutions is secure, information security teams and SOC operators do not have to use multiple tools for managing a consistent security posture, monitoring usage and configuration changes across IaaS solutions and gaining visibility into SaaS applications. The above challenges are discussed in greater detail in an upcoming webinar. 
Tune in and listen to Arun Goel, Director of Product Management for Oracle’s Cloud Access Security Broker (CASB) Cloud Service, and other industry experts discuss these issues and potential solutions to address these challenges.

Cloud Access Security

If You Are Struggling With GDPR, Then You Are Not Alone

Well, it's only 5 days to go until the infamous GDPR deadline of 25th May 2018 and you can certainly see the activity accelerating. You would have thought that with the deadline so close, most organisations would be sat back, relaxing, safe in the knowledge that they have had 2 years to prepare for GDPR, and therefore, are completely ready for it. It's true, some organisations are prepared and have spent the last 24 months working hard to meet the regulations. Sadly, there is also a significant proportion of companies who aren't quite ready. Some, because they have left it too late. Others, by choice.

Earlier this week I had the pleasure of being invited to sit on a panel discussing GDPR at Equinix's Innovation through Interconnection conference in London. As with most panels, we had a very interesting discussion, talking about all aspects of GDPR including readiness, data sovereignty, healthcare, the role of Cloud, and the dreaded Brexit! I have written before about GDPR, but this time I thought I would take a bit of time to summarise three of the more interesting discussion topics from the panel, particularly areas where I feel companies are struggling.

Are you including all of your personal right data?

There is a clear recognition that an organisation's customer data is in scope for GDPR. Indeed, my own personal email account has been inundated with opt-in consent emails from loads of companies, many of whom I had forgotten even had my data. Clearly, companies are making sure that they are addressing GDPR for their customers. However, I think there is a general concern that some organisations are missing some of the data, especially internal data, such as that of their employees. HR data is just as important when it comes to GDPR. I see some companies paying far less attention to this area than their customers' data.

Does Cloud help or hinder GDPR compliance?

A lot was discussed on the panel around the use of cloud. Personally, I think that cloud can be a great enabler, taking away some of the responsibility and overhead of implementing security controls, processes, and procedures and allowing the Data Processor (the Cloud Service Provider) to bring all of their experience, skill and resources into delivering you a secure environment. Of course, the use of Cloud also changes the dynamic. As the Data Controller, an organisation still has plenty of their own responsibility, including that of the data itself. Therefore, putting your systems and data into the Cloud doesn't allow you to wash your hands of the responsibility. However, it does allow you to focus on your smaller, more focused areas of responsibility. You can read more about shared responsibility from Oracle's CISO, Gail Coury, in this article. Of course, you need to make sure you pick the right cloud service provider to partner with. I'm sure I must have mentioned before that Oracle does Cloud and does it extremely well.

What are the real challenges customers are facing with GDPR?

I talk to lots of customers about GDPR and my observations were acknowledged during the panel discussion. Subject access rights are causing lots of headaches. To put it simply, I think we can break GDPR down into two main areas: Information Security and Subject Access Rights. Organisations have been implementing Information Security for many years (to varying degrees), especially if they have been subject to other legislations like PCI, HIPAA, SOX etc. However, whilst the UK Data Protection Act has always had principles around data subjects, GDPR really brings that front and centre. Implementing many of the principles associated with data subjects, i.e. me and you, can mean changes to applications, implementing new processes, identifying sources of data across an organisation etc. None of this is proving simple.

On a similar theme, responding to subject access rights due to this spread of data across an organisation is worrying many company service desks, concerned that come 25th May, they will be inundated with requests they cannot fulfil in a timely manner. Oh and of course, that's before you even get to paper-based and unstructured data, which is proving to be a whole new level of challenge.

I could continue, but the above 3 areas are some of the main topics I am hearing over and over again with the customers I talk to. Hopefully, everyone has realised that there is no silver bullet for achieving GDPR compliance, and, for those companies who won't be ready in 5 days' time, I hope you at least have a strong plan in place.

Cloud Security

Elvis has left the building! Suddenly, most of your data is in the cloud. (Replay)

Those immortal words "Elvis has left the building" struck many as the point of the night when the King of Rock would wrap his performance and leave the stage/venue. Have you reached your own "Elvis" moment in your organization's approach to where your data resides? Has it officially "left the building"? Do you find that more sensitive data than ever resides in the cloud, and is it alarming to consider that fact knowing you lack some processes and controls?

Unless you have been hiding under a rock over the last month, you have not missed the exciting news of Oracle and KPMG jointly releasing the Oracle and KPMG Cloud Threat Report 2018. One of the many topics we highlight in this in-depth report is the challenges created by a more mobile workforce, coupled with broad cloud service adoption. Key findings from this report include that 90% of organizations categorize half or more of their cloud-resident data as "sensitive". Compare that with the alarming statistic that 82% of cyber leaders are concerned that employees do not follow cloud security policies. We clearly need to better understand the challenges and risk, as we know Elvis isn't coming back.

KPMG is hosting a replay of a very topical webcast for Oracle ERP customers that helps them understand some of these challenges and how to easily overcome them with the proper people, policies and technology to ensure a more secure experience against fraud and abuse.

Join this encore webcast presentation for an overview of:

- The cloud adoption and threat landscape
- Cybersecurity challenges
- Identity management in the new paradigm of anyone, any device, any location
- Leading practices and strategies in managing and remediating cloud risk

Speakers for this Webcast are:

- Nick Seeman, Director, Oracle Security and Controls, KPMG LLP
- Greg Jensen, Senior Principal Director, Security - Cloud Business Group, Oracle @gregjensen10

To watch this streaming encore presentation now, click here

Cloud Security

Not Complying with GDPR can Mean High Risks and costs for Your Business

By Vidhi Desai, Senior Principal Product Marketing Director, Cloud GTM Security, Oracle With the May 25 deadline for the European Union’s General Data Protection Regulation (GDPR) fast approaching, the reality is starting to hit home for companies of all sizes. There are hefty fines for noncompliance from the European Commission, but that is only part of the story. The ultimate toll for failing to adopt these important data security measures is arguably far greater, particularly for small- and medium-size businesses (SMBs). No Flying Under the Radar By this point, most companies, regardless of size, location or industry, have heard about GDPR. While this regulation is aimed at giving European Union (EU) citizens more control over their personal data and identifiable information, GDPR has far-reaching implications not just for large European companies and multi-nationals, but for SMBs based outside of the EU. Nevertheless, many non-EU SMBs still assume that GDPR doesn’t apply to their business – when in fact even indirect connections to EU citizens, such as an employee's spouse, put companies in the purview of this regulation. Have no mistake: The EU-U.S. cross-border connection is strong when it comes to GDPR requirements! Other misconceptions abound. One that comes up frequently, for example, is that regulators will initially focus on the largest companies, buying smaller enterprises more time to comply with GDPR requirements. The reality is that enforcement of GDPR will be coming from many different angles and include various data subjects, including individual consumers who suspect and report data security concerns. Meanwhile, any security breach would immediately raise the question of compliance. Given that cybersecurity attacks against SMBs have become more prevalent and data protection has become more important than ever, no organization should assume that it is absolved from the new EU regulation – all SMBs should be GDPR-compliant. 
For a more detailed overview of GDPR, download the white paper, Accelerate Your Response to the EU General Data Protection Regulation (GDPR) with Oracle Cloud Applications.

More Than a Slap on the Wrist

In a global economy where data is a valuable resource, more companies have come around to the idea that GDPR compliance is more than just a regulation – it's an opportunity. Moreover, the cost of non-compliance is significant, whether infractions come to light via a routine audit of data protection, or a data breach.

GDPR fines will be issued under two levels, based on the nature of the infringement, the type of data, and the history of infractions, among other criteria. The lowest level of GDPR fines will be up to €10 million, or 2% of worldwide annual revenue of the prior financial year, whichever is higher. The highest level of GDPR fines, meanwhile, can go up to €20 million, or 4% of annual revenue turnover. In addition to these penalties, EU and U.S. companies will need to contend with the cost of legal counsel, mitigation, customer relations, and public relations if they don't prepare for GDPR.

Finally, and perhaps most worrisome, is the potential damage to a brand’s reputation. While the impact on reputation is often impossible to quantify, it is arguably the one that matters most of all. For growing SMBs, the loss of customer trust – via personal data breach, GDPR fines, or otherwise – could be the death knell of a business.

Given everything that is at stake, updating security practices and infrastructure for GDPR before the end of May 2018 is a small price to pay for ensuring the ongoing success of your organization. To learn more about getting your organization on the path to GDPR compliance, download the paper, “Helping Address GDPR Compliance Using Oracle Security Solutions.”

Cloud Access Security

FBI Tips: Building a Cybersecurity Emergency Plan

Written By: Tansy Brook, Director of Product Marketing

No one wants to think that their business will be the target of a ransomware attack or cybersecurity breach. But, with more than 4,000 ransomware attacks reported daily since the start of 2016, the odds are not in your small-to-medium-sized business’ (SMB) favor. The question isn’t if, but when.

However, while it may be impossible to fully prevent a network attack, you can be prepared. Creating an incident response plan and then practicing it before anything ever goes wrong ensures that your SMB knows what to do if you become a victim. “You don’t want to wait until you are in the middle of an incident, running in emergency mode, to figure out how to react,” says Jay Patel, supervisory special agent with the Federal Bureau of Investigation’s Cyber Division. By having a security plan ready, your SMB can act quickly to remedy the situation—and hopefully, reduce the damage.

When Do You Need to Build a Plan? (Answer: Yesterday)

As soon as you have more than a couple of employees, and more than one software system, you should probably create an incident response plan. That’s because, from ransomware threats to business email compromise scams, cyberattacks aren’t just inconvenient—they can put your entire business at risk. “If you think it’s important enough to have a business, you should also think it’s important enough to protect it,” Patel says.

Creating an incident response plan gives you the chance to think through and address multiple important issues. Not all businesses and data are equal. As the value and pace of data creation accelerate, the layers of complexity have grown exponentially. One of the biggest challenges is determining the amount of resources to allocate to a cybersecurity plan by quantifying the costs associated with the risks to the business. “These are hard, but important, discussions,” Patel says.
“You definitely want to have them before an event takes place.” As part of the process, your SMB leadership team must identify its sensitive information as well as the networks and files critical to the business function; they will need to discuss the hard costs, the potential impact on the brand, and disruption to the business.

Cybersecurity spending is on the rise: “89 percent surveyed expect their organization to increase cybersecurity investments in the next fiscal year,” according to a recent Oracle and KPMG Cloud report.

Find out what the FBI recommends you do to protect your business from cyberattacks.

The Key Ingredients

Every SMB’s cyber incident response plan is unique. However, most plans include some common security components. These include:

Business critical information
As noted previously, your plan will outline the operating systems and information that the business needs to function. This can include customer information, intellectual property, employee information, etc. In addition, understanding the value of the data shouldn’t be limited to one person. If they depart the business, it’s immediately at risk.

Detection and containment methods
Unfortunately, planning to 100% prevent a cyber attack isn’t really possible. Instead, an incident response plan will determine whether your SMB will detect an access breach or attack, and then how it will contain the security threat.

Internal and external stakeholders
Response plans also map out who may be affected by an attack, both within and outside the organization and network. The security plan then denotes how you should notify these stakeholders. Outside vendors should be a part of a successful security plan. Often smaller companies will use a Security-as-a-Service system.

Circle of trust
Ensure your vendors are trusted technology partners. The USA is a trust-based country, where companies and citizens take for granted that businesses are held to national security standards.
But, the internet easily crosses borders, so it’s important to know where the vendor protecting your data is based. SMBs should be wary of accepting cybersecurity services from foreign or lesser-known companies, especially for penetration testing.

Fight bad tech with good tech
The bad guys only need to get it right once; the good guys have to get it right all of the time. Each team member needs to be an amplifier of response, which can only be done by leveraging technology and making security part of a company’s DNA. Invest in advanced technology that automates event analysis and response, freeing up the human capital to focus on more complex issues. Cybersecurity is a growing area where technology and people can complement each other. Also, ensure that all of your systems are always up to date. Cyberthreats are continuously evolving and your systems need to as well.

Recovery and mitigation strategies
A comprehensive incident response plan will prepare your SMB to recover lost files and information from the network, and lay out a plan for how to resume business after a cybercrime. Patel notes that plans should also address how to preserve evidence along the way, so that law enforcement can investigate what happened and who was behind the security attack.

Fortunately, you don’t need to create a cybersecurity plan from scratch. Both the National Institute of Standards and Technology and ISO 27001 provide frameworks that organizations can use to prepare an access incident response plan for computer systems. “Even a small business with five employees can utilize these guidelines,” Patel says.

Plan, Practice, Repeat

Incident response plans can’t be relegated just to your SMB’s information systems or one IT employee. For your plan to be effective, Patel notes that the organization’s senior leadership needs to not only support the plan but also participate in its creation. “This is a business issue, and the business needs to be involved,” he says.
In fact, Patel recommends that IT meet with their senior leadership regularly to discuss critical technology issues and network security, and to educate the business side about what IT does and its resources. That way, when it comes time to create or update your incident response plan, non-technical leaders aren’t overwhelmed by the information.

Once you’ve created your plan, the FBI suggests that SMBs practice it at least once a year as a general protocol. You may take your team offsite or find ways to make it fun. But ultimately, you want to run through the document to see what the response looks like in real life. Experiment with role-playing. That way you can identify holes in the security plan and discover what works and what doesn’t.

Get in touch with your local FBI office to participate in local security events or host an information security day. The FBI has a number of resources to support SMBs. Build a relationship with them as part of your education and emergency plan, so you know who to go to in case of an emergency.

“Most organizations that practice a plan realize that many of their components fail,” Patel says. As part of your drill, your SMB should also preemptively reach out to your local FBI division to introduce your business and make sure you know whom to contact if something goes awry or a data breach arises.

A cybersecurity incident response plan is a living file—one that requires at least annual review and updating. Take the time to make one, practice your emergency security plan and keep it current. If you do this, your SMB will be prepared for a cyberattack that hopefully never happens.

For more information on the FBI's cybersecurity efforts, read their brochure, Addressing Threats to the Nation's Cybersecurity.

Source: FBI.gov

Cloud Access Security

FBI Tips: Recommendations for Protecting Your SMB From an Attack

Written By: Tansy Brook, Director of Product Marketing

For small and medium-size businesses (SMBs), the risk of a cyberattack is no small matter. In fact, the average total financial impact of a data breach to SMBs is $117,000. The damages include everything from extra staff time and the hiring of outside consultants to lost business, personal information and public relations to help remedy the trouble.

The far-reaching implications of a security incident can leave an SMB reeling. That’s why Trent Teyema, Chief of Cyber Readiness at the Federal Bureau of Investigation, says the most forward-looking small businesses not only focus on being prepared for an attack but also integrate that readiness into the fabric of their business. Today, cyberattacks aren’t a matter of if, but when.

There are two types of businesses – proactive and reactive. Historically, cybersecurity followed a castle with a moat approach. We put the security around the technology, and nothing went in or out. But in today's everything-connected world where systems are increasingly decentralized, cybersecurity needs to continuously evolve and be a top-of-mind consideration for everyone within an organization. Business leaders must constantly be weighing the risks and costs (both financial and in loss of convenience) associated with their security plan.

Here’s how you can make cybersecurity part of your SMB’s DNA:

1. Make information security a company priority.

Gone are the days when your SMB’s cybersecurity efforts could be relegated to the IT team. With the threats multiplying, the most successful businesses now recognize that reducing the risk of cyberattacks is an operating effort that spans teams and encompasses the whole company. “You can’t think of security as a cost center anymore,” Teyema says.
“Instead it’s about protecting the integrity of your brand—it’s an investment in your company’s future.”

The recent Oracle and KPMG Cloud Threat Report 2018 found that 90 percent of information security professionals classify more than half of their cloud data as sensitive. Furthermore, 97 percent have defined cloud-approval policies; however, the vast majority (82 percent) noted they are concerned about employees following these policies.

So what does that look like exactly? Teyema notes that different companies take different approaches. But broadly, he recommends identifying positions in the business that are specifically responsible for information security, and then also creating cross-functional teams—including people from marketing and legal—who are also involved in security efforts. Because the brand is ultimately at stake, Teyema says some SMBs are even housing their cybersecurity initiatives under the Chief Marketing Officer.

The takeaway: Cybersecurity can’t be an afterthought, but instead requires proactive action and attention from multiple teams and systems. Ironically, as technology accelerates, people become more important. This is a situation where technology and people can truly complement each other. An increasing number of organizations are creating positions within the line of business to help bridge business expertise with IT. For example, companies using SaaS ERP and EPM applications are beginning to create positions within the finance function that support the CFO and manage the evolving financial planning needs of the business as the finance function evolves to a more strategic partner within the business.

Learn about the Top 6 security tips for SMBs.

2. Train up young talent.

New opportunities. The tiny silver lining: The rise of cybercrime is actually generating jobs in the tech field.
In one recent survey, IT professionals from across North America and Europe cited cybersecurity as the biggest area of skills shortage at their organization.

SMBs may not have the budget or resources to compete for lots of high-level cybersecurity talent with bigger organizations. But Teyema says training up less experienced people can also help fill the need. “You want to do a little of both,” he says. “Hire one senior individual who has done this before, and then find some less experienced people who you are willing to invest in.”

New programs are developing to meet the talent shortage. For example, at the new Merritt College cybersecurity program, faculty includes industry CIOs who instruct students using interactive scenarios built on virtual infrastructures and compete in National Cyber League events. These activities reflect the direct experience and collaborative mentality required to address the ever-evolving cyber risks. Additionally, through private, academic and public partnerships, the school has established programs with the county that may help supplement internship costs, benefiting both students and business. Graduates often have previous work experience in private business or military training, which helps them to identify what assets need to be protected and prioritize security spending, effectively bridging the evolving business and technology security needs.

By growing your own talent, you’ll eventually end up with a mature information security team that deeply understands not just the cybersecurity landscape, but also the inner workings of your business.

3. Get creative to fill your cybersecurity needs.

The number of people that your SMB can afford to dedicate to cybersecurity and attacks is likely in the single digits. However, Teyema says that doesn’t mean that has to be the extent of your security efforts. SMBs working on a budget can supplement their own internal security efforts by hiring a cybersecurity consultant or firm.
Such Security-as-a-Service companies can provide a range of assistance, from providing ongoing training for your staff to identifying network vulnerabilities to being on-call for incident response. In some cases, Teyema says that SMBs choose to use Security-as-a-Service for the vast majority of their cybersecurity needs.

4. Identify your sensitive data—and protect it.

Creating a wide-reaching cybersecurity plan can be overwhelming. Get your arms around the issue by first identifying the sensitive data that your SMB is handling on a regular basis. As noted, a network security firm can help with this task. Such data might include your customer information, intellectual property, payment or billing data, employee tax information and more. “You protect the most sensitive data first, then broaden the circles out to protect more as you can,” Teyema says.

In addition to your own team and outside consultants, your SMB software can play a key role in protecting this data as well. Cloud-based software products can offer smaller businesses access to enterprise-level security expertise and protocols. These systems have built-in capabilities that leverage emerging technologies such as artificial intelligence, machine learning, and blockchain, to keep users always up to date on the most recent strategies to combat hacking.

As you investigate software products, ask the vendor what technologies they use to secure client data and computer systems, how many of their employees work exclusively on security and whether you’ll have access to security audits and reports.

5. Understand the cybersecurity ecosystem.

There are many players in the world of cybersecurity. Understanding the resources available can ensure that your SMB has access to knowledge, education and help when you need it. For instance, consider becoming part of information security or certification associations. Such organizations typically provide access to cybersecurity research and training to their members.
Cybersecurity training companies can provide similar benefits. Also keep up with the research coming out of academia about cyber threats, how they’re handled and who is affected.

Teyema recommends that every business connect with the cyber units of the local and federal law enforcement in their area. Connect with the FBI's cyber squad in the field office nearest you. An outreach coordinator can outline what the agency is doing to protect businesses, threats you should be aware of and how to respond if you suffer a breach. “Establish that contact proactively, then you’ll know who to call when an event happens—and it will.” The agency is also regularly distributing cybersecurity information on its website. You can also go to this site to find out how to contact your local office.

The threat of a cyber attack isn't something that just affects your IT team. It's a threat to your brand, your business and the existence of your SMB. Incorporate cybersecurity efforts into the core of what you do, your social engineering and who you hire, and you'll ensure that you're ready for whatever cyber threat comes your way.

Learn the key findings of cloud security challenges, threats, and insights in the Oracle and KPMG Cloud Threat Report 2018.

Cloud Security

Five Critical Success Factors When Moving Identity to the Cloud

Moving your enterprise identity management to the cloud is a smart move. There are more than a few compelling reasons to do so (better TCO, reduced resource costs, time to value, ease of implementation, access to innovation), but before you do, make sure you’ve addressed these five critical success factors. If you’re the eager sort, watch the webinar Five Critical Success Factors for Identity When Moving to the Cloud and find out how Oracle’s autonomous and integrated approach to cloud security and identity can help.

1. Access control and authorization.

How do you manage cloud access when your enterprise is an extended one? Your employees and customers are using apps at much greater scale than ever before (including just yesterday and again, come tomorrow) that are mingling with data distributed all over the cloud. Access control and authorization has become much more complicated than a has/has-not situation: ‘Becky in HR has access and Ron in marketing does not.’ The answer to healthy access control is scalability in the form of federation.

2. Authentication.

Once upon the time of firewalls and passwords that lived in local directories, it was pretty easy to verify across apps and domains that people were who they said they were. Back then, the enterprise either controlled or owned everything, from identities to apps. No more. Anywhere access is key to growth if not survival - but it must occur in a manner that is secure and that does not impede innovation. See above for the three S’s that underpin authentication at scale.

3. User account management and provisioning.

When the average enterprise relies on no fewer than six clouds, managing the disparate silos of user data and accounts across disparate SaaS, PaaS and IaaS entities can become a bit of a juggling act. The single most important success factor for secure user account management? Standards-based with a focus on integration and automation.

4. Auditing and compliance.

The opportunity of the cloud – accessibility – can also be its challenge, particularly when it comes to compliance. Data, apps, users, logs, activity; it’s all distributed. Vulnerabilities and laws (GDPR, HIPAA, etc.) require that data security compliance show up in demonstrable, manageable and enforceable ways. It’s a natural progression then that auditing and compliance begs for moving beyond simple, historical reporting to analytics. And when you can turn to machine learning for predictive and automated monitoring and analysis, you can model problems to prevent problems.

5. Cloud platform architecture.

Now that apps have moved off prem and literally ‘left the building’ as SaaS, so have users and the devices they access them on. For 24x7 availability and growth at scale, interoperability is critical. The most reliable way to accomplish this is to create a seamless computing fabric. Open technologies that are standards-based, and that incorporate built-in security and trust to scale from the get-go (like SAML), accomplish this.

Want to learn more about moving identity management to the cloud? Catch the replay of this SANS-sponsored webcast: Five Critical Success Factors for Identity When Moving to the Cloud. You may also be interested in Oracle and KPMG Cloud Threat Report.

Cloud Security

Simplified SSO Experience Using Custom Secure Form-Fill Applications in Oracle Identity Cloud Service

By: Abhishek Juneja

Oracle Identity Cloud Service provides Single Sign-On capabilities for SaaS and on-premise applications that support federated SSO using the SAML 2.0 or OAuth/OIDC protocols. However, a large share of web applications do not support these open-standard protocols for federated SSO. Oracle Identity Cloud Service provides Single Sign-On to these applications using the Secure Form Fill mechanism (also known as Password Vaulting or Screen Scraping).

The Oracle Identity Cloud Service Application Catalog provides an extensive set of pre-integrated SAML and Secure Form Fill applications across various categories including HCM, ERP, CRM, Security, etc. The simplified and intuitive interfaces of the Application Catalog improve administrative efficiency in configuring new applications.

If you do not find the secure form fill application that you need in the app catalog, or you simply want to create your own, you can do so with Oracle Identity Cloud Service. Define your own secure form fill configuration using the ESSO Admin Console, export the configuration, and then import that configuration into your secure form fill app in Oracle Identity Cloud Service. On activating the application, you can assign it to Users or Groups.

As an end user, you can access that application from the MyApps portal of Oracle Identity Cloud Service or from the Secure Form Fill Browser Plugin. When you launch the application for the first time, the browser plugin prompts you to provide the username and password for the application; the Oracle Secure Form Fill Browser Plugin stores your application credentials in a user wallet. For subsequent application launches, the plugin is able to determine which app you are trying to access, and then the plugin retrieves the application credentials, submits those to the web page and logs the user in.

The end user’s credentials are stored in an end-user specific encrypted artifact that is safe and protected from the outside world; the browser plugin retrieves the user credentials from this artifact prior to submission in the application. In addition, user credentials are neither stored nor cached in the browser or the user’s device.

Let us see how easily and swiftly you can create and configure an application as a Secure Form Fill application in Oracle Identity Cloud Service (IDCS) and enable your users to get an SSO experience.

Install the Secure Form Fill Admin Client

IDCS Administrators can download the Secure Form Fill admin client from the IDCS Downloads page.

Create a Secure Form Fill Configuration file

1. Launch the Secure Form Fill Admin Client.
2. Select ‘Applications’ to create a ‘New Web App’.
3. In the subsequent screens, enter the name of the Application and select ‘Logon’ as the form type.
4. Enter the Web Application URL in the Address field and select GO.
5. Using the web page fields in the bottom of the screen, select the User name field, right-click, and choose Username/ID. Select the Password field, right-click, and choose Password. Select the Submit button, right-click, and choose Submit.
6. Click OK and SAVE the file.
7. Export the file in .ini format by clicking File, Export option.

More details on how to create a Secure Form Fill configuration file are available here

Create a Custom Secure Form Fill App in Oracle Identity Cloud Service

After creating the application configuration file, create a Secure Form Fill app in IDCS.

1. In the Administrator’s console of Oracle Identity Cloud Service, go to Applications, select ‘Add an Application’, select ‘Application Catalog.'
2. In the Application Catalog, select ‘Generic Secure Form Fill App Template’.
3. Enter the Application name and Description, upload the Application Logo and enter the Application URL. In the Display settings, you can select the ‘Display in My Apps’ and ‘User can request access’ options.
4. Click Add and create the application.
5. Click Import and import the Secure Form Fill configuration file, which you created.
6. You can activate the application and assign it to the Users and Groups.

More details are available here

Running the Secure Form Fill application from IDCS MyApps Console

The Oracle Secure Form Fill Plugin allows the end user to log in to the applications. It is a prerequisite for running Secure Form Fill applications.

1. The end user can see the application tile on the MyApps console. When the user selects to run it for the first time, an Enter credentials box pops up, in which the user enters the application credentials and selects Login.
2. IDCS launches the application in another browser tab, automatically enters the user’s credentials and selects the Submit button.
3. The user is logged in to the application.

For subsequent logins, the credentials box does not pop up to collect user credentials. The user can update the credentials by selecting the Update Credentials link, which is available in the application tile.

More information on creating custom Secure Form Fill application in Oracle Identity Cloud Service is available here.

Cloud Access Security

FBI Cybersecurity: How SMBs Can Prevent The Next Ransomware Attack

From WannaCry to NotPetya to Bad Rabbit to LeakerLocker, it can seem like new ransomware attacks make the news weekly. In fact, those four represent just a sliver of the widespread ransomware attacks that happened last year. What is ransomware, you may ask? It is malware that typically locks up sensitive data and systems via encryption, and then demands money—ransom—for users to get it back.

The FBI estimates that more than 4,000 ransomware attacks have occurred daily since the beginning of 2016. That’s a 300% increase from the previous year. This is due in part to the thriving sector of “ransomware-as-a-service.” Individuals don’t need to possess a certain skillset; rather, malware developers advertise their ransomware on the dark web to be distributed by less sophisticated attackers, and then the developers/advertisers take their cut from the ransom amount paid.

The cyber criminals behind these attacks aren’t necessarily picky; they target big companies, small businesses, government entities and individuals. But the damage they cause to small and medium-size businesses (SMBs) is particularly alarming. A report by a security firm last year noted that 22% of SMBs affected by ransomware had to cease operations immediately. One-third had suffered a ransomware attack in the previous year.

“If you haven’t been a victim of ransomware or any other type of computer attack, you have to operate as if it’s just a matter of time before you are—and take the steps to protect yourself and mitigate the resulting damage or loss,” says Sheraun Howard, supervisory special agent with the FBI’s Cyber Division in Washington, D.C.

The Ransomware Landscape

The FBI notes that ransomware is the fastest growing malware threat. While the names, details, and entry points of each attack vary, the concept remains the same. First, the bad actors deliver the ransomware.
This is often done by spearphishing emails—targeted phishing emails aimed at specific employees and containing personal details to perpetuate the fraud. These emails or email attachments will contain an exploit for a particular software application vulnerability that provides the attacker access to your computer.

After the attacker has access to your computer, they then typically use additional malware to propagate throughout your network and drop their ransomware on to your environment, as was the case with the WannaCry and Petya/NotPetya attacks last year. That malware took advantage of a vulnerability in Microsoft’s OS to spread throughout organizations’ computers. Howard notes that Microsoft had released a patch for the particular vulnerability exploited in those attacks. In other cases, criminals gain access through brute force attacks against open remote desktop protocol (RDP) ports.

Once the ransomware has been delivered in one way or another, it then prevents the targeted user from accessing their data or systems by encrypting their files. The targets receive an email, text file, or screen message demanding that they pay a ransom in order to regain that access.

While blanket attacks across many organizations are common, ransomware incidents can also be very targeted to specific companies, Howard says. Cyber criminals sometimes gain access to a business’ network days or months earlier to gather financial information. They then use that insight to tailor the ransom note to the company.

The resulting malware attacks, though, are not stealthy and you’ll know immediately when you’re in trouble. “It’s very in your face,” Howard says. “The purpose is to alert the victim that you’ve been compromised and by then it’s too late.”

Defending Your SMB

Given the prevalence of ransomware threats and attacks, Howard and the FBI advise that SMBs take preventative measures to reduce their risk of becoming a victim. Here’s how:

Educate your employees.
Ensure that your employees are aware of the risks of ransomware and how it infects small businesses. Encourage them to never click on links in unsolicited emails and input their information, or to open unknown attachments. The FBI notes that you can also test your employees’ knowledge with simulated emails that look like phishing scams. Only download software from sites you know and trust. Keep your systems patched and updated. Because criminals often target vulnerabilities in existing systems, develop a regular plan for updating, encrypting, and patching your software and firmware on any company devices. The FBI recommends that companies consider using a centralized patch management system to streamline this process. Take a quick quiz to see how at risk you are.     Create a security incident response plan. These plans include steps for how your organization will respond to a ransom demand and ensure the continuity of your business. Such a plan may include isolating an infected computer, contacting law enforcement, collecting available portions of important files that still exist, securing backup systems and changing account passwords. Manage privileged accounts. SMBs need to be aware of who has access to what when it comes to their software applications and operating systems, Howard says. No users should be granted administrative access unless they really need it. He also recommends changing the default passwords on all administrative accounts, which tend to be weak and easily brute forced. Be aware of the external applications your employees are connecting to with their computers by implementing a Cloud Access Security Broker (CASB). Audit user access. “One of the most common things we see is companies not auditing themselves properly,” Howard says. For instance, be sure to remove old user accounts for software and other systems created for employees who no longer work at your company. 
Keeping your list user accounts up-to-date is good practice for preventing data breaches or malware infections in general. Employ firewalls, spam filters and anti-virus programs. All of these tools are aimed at identifying, and then protecting your organization from potentially malicious emails and attacks. Setting up firewalls and filters, for instance, provides an easy way to reduce the risk of less-sophisticated ransomware. Respond and Recover If you’ve been a victim of a ransomware attack, contact the FBI to report the incident. Law enforcement may be able to use legal authorities and tools that are not available to most organizations. This can increase the odds of apprehending the criminal, thereby preventing future losses. Cyber attacker communities are growing and reporting an incident helps law enforcement fight ongoing threats and protect other businesses. Pay it forward. If your business does fall victim to a ransomware attack, Howard says the FBI does not support victims paying the ransom. There is no guarantee the decryption keys will be provided after the ransom is paid and there have been cases where businesses were extorted for additional money after payment. While the FBI does not support paying the ransom, it recognizes executives, when faced with inoperability issues, will evaluate all options to protect their shareholders, employees, and customers. If you’re prepared, ideally you’ll have backups of your systems and data. Howard says that after contacting law enforcement, the next step is to wipe your system and rebuild it. Take the time to learn as much as you can about how your system was compromised and how you can protect your SMB going forward.  How SMBs Can Reduce the Ransomware Risk Ransomware attacks have been on the rise, and small businesses often suffer the most damage. The FBI recommends SMBs take the following steps to reduce their risk of a ransomware attack. Educate your employees about the risks. 
Create a security incident response plan. Update and patch software and firmware. Manage privileged accounts. Audit user access to your systems. Use firewalls, spam filters and anti-virus programs. Ransomware attacks are a disruptive, malicious reality of running an SMB in the modern era. But take the right steps to prevent attacks, and you’ll reduce risk and suffer less damage if you do face a security breach. Download the FBIs full guide to learn more. Source: IC3.gov


Cloud Security

Key Takeaways from RSAC 2018

It has been a week since the largest cyber security conference ended, where thousands of attendees got together to discuss the latest on cyber threats, security, and solutions. With hundreds of sessions and events, it’s hard to consolidate all the different ideas, but here are three key takeaways:

Skill Shortage

With millions of cybersecurity openings globally, this skill shortage was definitely a topic of discussion throughout the week. It is clear that there are two main issues:

- Hiring and retaining top security professionals
- Too many security alerts

Not only is there not enough cyber security talent that truly understands the current security landscape, but even if a company were able to hire someone, there are so many alerts that it is not humanly possible to look at all of them. Throughout the week multiple keynotes mentioned the need to train more cyber security professionals in order to have enough talent to stop the increasing number of cyber attacks. In addition, vendors are offering solutions that assist with the vast amount of alerts.

Automation

Automation is at the forefront of the cybersecurity world. It helps address many of the issues that we are currently seeing, such as the skill shortage. It is important to take a proactive approach, such as automatically detecting and automatically preventing threats, in order to take on the sophisticated challenges that we are seeing today. For example, in the previous paragraph I mentioned how an organization receives too many alerts; an automated system can help overcome that issue. We are depending on our computers more and more to make our security decisions and vendors are embracing the need to remove human error with automated solutions.

The Cloud

Not only was migrating to the cloud a recurring topic throughout the week, but embracing cloud security was also an important theme. Every year, more and more companies are acknowledging the benefits of the cloud and decide to adopt cloud technology, which means that they must also adopt new cyber security solutions. To ensure their cloud is secure, companies must include two-factor authentication, identity access management, encryption, etc. If companies don’t do their part to secure their cloud, then they leave themselves vulnerable to threats. This year, cloud security was also embraced. By using cloud native security solutions, companies have an alternative to the traditional siloed products that constantly need updates.

For information on how Oracle can address your company’s cyber security issues please visit our Cloud Security page.


Cloud Access Security

New Cloud Security for Dummies Book

90% of organizations participating in the recent Oracle and KPMG Cloud Threat Report state that at least half of their cloud data includes some form of sensitive information. Rapid shifts to the cloud are encouraging and exciting, but for security professionals they also raise questions about securing a new age of technology. Security used to be considered an inhibitor to the cloud, but has now become one of the driving factors for cloud adoption. Understanding some of the common trends, terms, and challenges of securing your data in the cloud is important to all organizations looking to enhance digital innovation. The Cloud Security for Dummies, Oracle special edition covers just that.

The book is an enjoyable read covering several cloud topics including:

- Maintaining continuous compliance
- The importance of the shared responsibility model
- Best practices for detecting and responding to threats
- Use of automation to enhance security

This is a great guide for IT professionals looking to manage security alert overload, address security skill shortages, and use machine learning in threat detection.

Get the Cloud Security for Dummies Book today

Moving to the cloud requires a lot of consideration and security should be a priority for organizations of every size. To learn more about securing your users, apps, and data, read Cloud Security for Dummies.


Cloud Security

Understanding Your Cybersecurity Challenges and Strengths

What are the biggest cybersecurity challenges your organization experiences today? As the 2018 RSA Conference (RSAC) came to a close in San Francisco last Friday, IT professionals from around the world are returning to their offices with several new ideas, interest in new products, and some great prizes as well. To begin taking the next step towards purchasing a product you learned about at RSAC, consider evaluating your current cybersecurity challenges and strengths.

Throughout the week, Oracle conducted a series of thought-provoking poll questions via Twitter. All questions were pointed at cybersecurity professionals and helped provide insight into the thoughts of RSAC attendees and your industry peers. Many of these insights related to the great findings in the Oracle and KPMG Cloud Threat Report.

When asked their biggest cybersecurity challenges, detecting security threats was selected by 41% of Twitter poll respondents. This was followed by 33% stating lack of security training. These two responses shed light on two extremely relevant challenges within the cybersecurity space.

41% of participants claim detecting a threat is their primary challenge. This challenge is not unique to any industry and companies of all sizes are at risk of an attack. Companies are looking to protect their environments from intrusions, but in the case of an attack, immediately respond and resolve the issue. Many recent attacks have slipped under the radar due to siloed monitoring tools within organizations. According to the Cloud Threat Report, organizations have an average of 46 security tools; there are simply too many tools that don't communicate with each other. The report also found that 38% of cybersecurity professionals consider detecting and responding to cloud security incidents as their main challenge, accurately mirroring our Twitter poll results. Companies should evaluate solutions that employ adaptive intelligence techniques to better detect anomalous patterns that might not be obvious to the human eye.

Cybersecurity practices are strongest when they involve people, process, and technology. With 33% of Twitter poll responses pointing to lack of training, organizations must invest in properly training existing employees. Hiring qualified candidates and creating a continuous training plan will enable employees to work with technology and better protect your organization. Oracle's Software Security Assurance Program (OSSA) aims to support this movement of securely developing, deploying, and maintaining technologies to improve security and performance at every layer of the stack.

To learn more about the biggest challenges companies are facing, read the Oracle and KPMG Cloud Threat Report and visit the Oracle Cloud Security page.


Cloud Security

A Practical Path to AI Podcast Series: Podcast #9 – How AI and Cloud are Fighting Cyberthreats and Attacks

By: Kellsey Ruppel | Principal Product Marketing Director

For the ninth podcast in our "Practical Path to AI" podcast series, I was joined in the studio by Sridhar Karnam, Senior Principal Product Marketing Director at Oracle. This was another podcast in our "Practical Path to AI" podcast series where we've been covering how Artificial Intelligence (AI) is reshaping the business landscape and helping you better understand how to get on the path to AI adoption.

Attackers' machines are fighting against our humans and we are losing the cyber war. Attackers are collaborating and creating sophisticated bots and malware to attack. Security vendors are competing and working in silos. We need machine learning algorithms to correlate, find, hunt, and remediate threats autonomously. When we have these algorithms fighting against attacks and threats, we may see better results with combating modern threats. Manual and legacy point solutions are no longer protecting against cyberattacks. Only the cloud allows algorithms to be updated continuously, helping machine learning deal with new attack vectors and zero-day attacks, which Sri and I discussed in depth in this podcast.

Please listen to “How AI and Cloud are Fighting Cyberthreats and Attacks” to learn why Sri thinks artificial intelligence and security were – in many ways – made for each other, and the modern approaches of machine learning seem to be arriving just in time to fill in the gaps of previous rule-based data security systems.

Did you miss a podcast in the series? Don’t worry! You can access “A Practical Path to AI” podcast series here!


Cloud Security

FireEye Email Security Powered by Oracle Cloud

By: Bonnie Donovan | Principal Product Manager

Nothing compromises trust in an organization more than a data breach. A data breach potentially places an organization's customers, their information, and their data at risk. Such breaches also disrupt daily business and tarnish the organization’s reputation. Email remains the primary vector for initiating an advanced attack or delivering ransomware because it can be targeted and personalized, which increases the odds of a threat’s success. Having an email security solution is critical for any organization.

Oracle is excited to be partnering with FireEye, an industry leader with a comprehensive portfolio of solutions that combine best-of-breed technologies with 360-degree threat intelligence and expertise.

To prevent spam campaigns, ransomware, spear-phishing, and impersonation attacks, an email security solution needs to evolve quickly to adapt to the threat landscape. It must provide threat protection that meets the following requirements:

- Detects without relying on signatures
- Identifies critical threats with minimal false positives
- Blocks inline to keep threats such as ransomware out of the environment
- Uses cyber threat intelligence gained from the front lines to respond quickly to protect the organization

FireEye meets all these requirements. It collects extensive threat intelligence on adversaries, conducting first-hand breach investigations through millions of sensor feeds on the internet. FireEye Email Security draws on real evidence and contextual intelligence about attacks and attackers to prioritize alerts and block threats in real time – before they hit your inbox. FireEye Email Security delivers dynamic defense to detect attacks from the first time they're seen and blocks the most dangerous cyber threats, including malware-laden attachments and URLs, credential phishing sites, and business email compromise attacks.

FireEye Email Security customers can now experience the benefits of FireEye and the power of Oracle Cloud together. Oracle Cloud Infrastructure was created to provide an infrastructure that matches and surpasses the performance, security, control, and governance of enterprise data centers, while delivering the scale, elasticity, and cost-savings of public clouds. As a result, Oracle Cloud Infrastructure is built from the ground up to be an Enterprise Cloud easily capable of running traditional multi-tiered enterprise applications and high-performance workloads like FireEye’s Email Security offering.

You can experience our joint offering immediately via FireEye’s free Jump Start lab environment. In this Jump Start lab, users can follow a step-by-step guide and experience a sample of FireEye’s Email Security offering.


Cloud Security

Extending SSO beyond your cloud apps: Quickly and Easily

In my previous post I talked about how Oracle Identity Cloud Service (IDCS) can be used to simplify single sign-on to E-Business Suite (EBS) through the use of the IDCS Asserter. This really makes a huge impact on organizations who are looking at reducing cost and complexity, whilst maintaining a good, positive user experience for their end users. So, now we have SSO for EBS as an on-premise, enterprise application, why stop there?

Introducing the IDCS App Gate

We agree and have therefore released the IDCS App Gate to help you further simplify your access management infrastructure and integrations. Let's take a look at the current approach in use by many organizations today and some of the challenges that brings.

Figure 1 - A typical access management deployment today

As can be seen in Figure 1 above, the current approach used for most on-premise access management solutions is to use a combination of Policy Enforcement Points (PEPs), all connected to a central Policy Decision Point (PDP). The PEPs are usually a combination of reverse proxies and/or agent-based modules, and the PDP is usually connected to one or more LDAP directories for users and a database for storing policy, audit, metadata etc. Architecturally, there is very little difference whether you are using Oracle Access Management or another vendor.

The challenge with this approach is back to the point made in my previous post. The PDP is critical in this model. It must be running with a high SLA and therefore built with HA/DR in mind. It also needs infrastructure (including the database), all of which needs purchasing, deploying, installing, configuring, patching, scaling, maintaining, backing up etc. Of course, you can move some of that into the Cloud and put it on IaaS. However, that has only removed the need to buy and manage the hardware. You are still managing the installation, deployment etc. of all the software on top of it. Just lifting and shifting your access management platform onto IaaS doesn't make it a cloud solution as you aren't reaping the benefits of cloud.

That is one of the main reasons why organizations are moving to cloud-based identity platforms such as IDCS, as it removes so much of that overhead. However, one of the challenges that is faced today is that cloud-based identity has typically focused on identity management for cloud services. Enterprise, on-prem (dare I say, legacy) apps didn't fit well in that model as they don't always support the identity open standards necessary to enable simple integration. You can get around this problem partly using a form-fill approach, where the identity platform is storing an individual's credentials for each application and replaying those to an app's login page. Whilst this is possible today (indeed IDCS supports it), it has long been recognized within the identity industry that this approach is not ideal. After all, avoiding the need to manage passwords all over the place is one of the main reasons why standards such as SAML were invented. So, if we don't want to be storing and passing passwords there has to be a better approach.

This is where the IDCS App Gate comes in. The App Gate replaces the traditional on-premise reverse proxies (PEPs). It protects your applications in the same way but instead of pointing to your on-premise access management platform, it uses IDCS as its PDP. Integration with your on-premise web apps uses the same tried and tested integration techniques that have been used within your existing access management platforms for a long time. However, this approach simplifies your architecture and footprint. Let's take a look at what our new architecture looks like.

Figure 2 - A simplified approach using the IDCS App Gate

As you can see in Figure 2, this approach, which is very similar to the IDCS Asserter, requires only the App Gate installed on-premise. All access management capabilities are then delegated to IDCS, such as SSO, authentication, multi-factor authentication, self-service etc. All of a sudden you no longer have to manage that on-premise access management platform and all of the non-functional requirements that go along with it. The App Gate itself is delivered as a software appliance, so deploy it, give it an IP address and away you go. Both the App Gate and the EBS Asserter are available to download now for all existing IDCS customers, directly from the IDCS admin console.

Identity Management is and always has been a complex problem. Moving from an existing on-premise solution (or more likely multiple solutions) to a cloud-based identity platform is not a big bang. It is a journey, and it's capabilities like the App Gate that enable customers to plan and stage that journey in a phased and manageable way. I like to think of it as volume controls representing capabilities. As you move through your journey to migrate your identity management to the cloud, you are turning down the volume on your on-premise solution(s) and turning up the volume on your cloud-based identity platform.


The Rise of the Cloud Security Architect

Greg Jensen, Sr. Principal Director - Security - Cloud Business Group, Oracle Corp.

Organizations often look for where they can make the single greatest impact to improve their organization’s security posture. As organizations are adjusting their priorities around a cloud-centric strategy, one position has stood out as one of the most central and strategic in meeting security and compliance milestones—the Cloud Security Architect (CSA).

So, what are CSAs, and how do they compare to a security architect? Traditional security architects often focus on broad-reaching security topics that impact the on-premises, mobile, and even cloud world. Over the years, this role has become a bit of a “Jack of all trades” role. The CSA was created to be the “master of cloud security” who understands every possible security and compliance related challenge that a line of business (LoB) owner or infrastructure, platform, or app team could run into when deploying new cloud services. This has led us to a point where we are seeing the role of the CSA surpass the security architect in popularity, according to the new Oracle and KPMG Cloud Threat Report, 2018.

In the most general terms, an architect plans, designs, and constructs structures. In Information Technology terms, it is very similar when applied to cloud security. The CSA is responsible for:

• Reviewing the security posture of all SaaS, PaaS, and IaaS projects for industry best practices.
• Identifying risks where security requirements cannot be fully addressed in the time frame of a project.
• Looking for opportunities where security can be optimized and enhanced.
• Ensuring policies and mechanisms are in place to meet compliance requirements across the cloud.

CSAs are facing increased pressure to balance LoB requirements with corporate security guidelines, and those goals often clash due to time pressure, resources, or budget. Organizations are in a rush to roll out more applications and workloads to the cloud, often with multiple cloud service providers, each with their own SLAs. Every cloud service provider responds to vulnerabilities and incidents differently. The CSA can play an important role in identifying shortcomings from each vendor to understand points of risk, and then develop plans to address them with the provider or internal teams.

One of the key challenges is balancing the security and compliance needs between an organization’s hybrid and multi-cloud environments. One approach that some organizations are focused on is the single vendor model that uses a tightly integrated framework across the full stack of cloud services (DaaS, SaaS, PaaS, and IaaS), which many argue reduces risk and points of exposure. The single vendor approach often lends itself to the challenges of securing an organization once, and enabling them to scale as they need. Key criteria CSAs should look for in a cloud service provider include:

• Comprehensive – Secure users, apps, data, and infrastructure across the full cloud stack (DaaS, SaaS, PaaS, and IaaS).
• Automated – Detect, prevent, predict, and respond to the latest security threats with AI and machine learning.
• Data-centric – Control access to sensitive, regulated data using encryption, masking, and user access controls.
• Unified – Collect security and operational data in a single data set to correlate and analyze cyber threats.
• Integrated – Developed, architected, deployed, and maintained to securely work together.

The role of the CSA is as strategic as the cloud vendors chosen to underpin and secure that cloud architecture. Oracle and KPMG have a longstanding history of supporting our customers with solutions that meet the very challenges facing today’s CSA. For more information on Oracle security solutions, please visit www.oracle.com/security and to learn more about the latest challenges and options organizations are faced with as they migrate workloads and data to the cloud, download your free copy of the new Oracle and KPMG Cloud Threat Report 2018.


Cloud Access Security

How Complying with GDPR Will Help Your SMB

The European Union’s (EU) General Data Protection Regulation (GDPR) goes into effect on May 25, 2018. For many companies – particularly those based in or doing significant business in the EU – it has created a sense of urgency that might rival that of Y2K.

Put simply, GDPR seeks to give European Union citizens more control over their personal data and requires that companies adopt appropriate security measures designed to protect EU citizens whose data is being collected and to help mitigate the risk of a data breach. It applies to any personal information that can be directly or indirectly tied back to an individual; that includes everything from biometrics to credit card numbers, photographs and device IDs, to name a handful of examples. GDPR is focused on shoring up privacy and security for consumers, but the upshot is better digital business. After all, data breaches and data loss can negatively impact digital businesses.

For a more detailed overview of GDPR, download the white paper, Accelerate Your Response to the EU General Data Protection Regulation (GDPR) with Oracle Cloud Applications.

Though it is rooted in Europe, GDPR can have far-reaching implications on how organizations, government agencies and companies globally – regardless of size – handle personal data. In addition to impacting companies operating in Europe, it extends to entities providing goods or services to European citizens. For example, a US-based company that sells goods or services online to EU citizens could fall under the purview of GDPR.

The cost of non-compliance? In addition to potential fines of up to 4% of annual revenue turnover, organizations that don’t comply also risk facing legal fees as well as indirect costs, such as negative publicity.

While many larger enterprises outside of the EU have been grappling with this new data protection regulation, more small and medium-sized businesses (SMBs) around the world are also taking note. In the most recent Oracle and KPMG Cloud Threat Report 2018, 38% of SMBs surveyed indicated that they are required to comply with GDPR. Among that group, 48% indicated that the regulation materially impacts their cloud strategy and cloud service provider (CSP) evaluation process; a full 25% noted that it significantly impacts their strategy and evaluation.

Safeguarding a Key Asset

To be sure, organizations of all sizes and across all industries are dealing with increasing amounts of personal data and data security issues. So pervasive is data that, according to The Economist, its global value has surpassed that of oil. With the rise of data comes a whole new level of responsibility for companies to comply with and protect this precious resource.

GDPR aims to do this by promoting the use of best practices and well-established security concepts. It requires “controllers” (such as a customer contracting for services) and “processors” (such as cloud services providers) to adopt appropriate security measures designed to ensure a level of security appropriate to the level of risk that might affect the rights and freedoms of the individuals whose data is being collected and used by the controller (“data subjects”).

There are many facets to GDPR, which contains 99 articles and 173 recitals, but the IT systems that are used to collect, store and handle personal data are the foundation of data protection. Among other things, organizations need to know where data resides, understand their risk exposure, know when it is necessary to modify existing applications, and integrate security into their IT architecture.

As with any new regulation, GDPR has its share of complexities and ambiguities. Nevertheless, the benefits of adopting strong data protection go beyond protecting individuals. In the long run, SMBs that embrace good security practices are less vulnerable to cyber security incidents, such as espionage, organized crime and insider-related breaches. GDPR is aimed squarely at protecting personal data, but organizations that take steps to shore up their security and rethink their other data security practices and policies to address their GDPR compliance needs may ultimately come out ahead.

To learn more about getting your organization on the path to GDPR security compliance, download the paper, “Helping Address GDPR Compliance Using Oracle Security Solutions.”


Cloud Access Security

FBI Cybersecurity: Tips for Protecting Your SMB from Email Impersonation

Written By: Tansy Brook, Director of Product Marketing

We’ve all received an email that seemed a little suspicious or made an unusual request for financial or personal information. Most consumers know to delete these emails right away because they’re likely a scam. But what if you received an email from your CEO or CFO, and it sounded just like them? What if they asked you to do something you were expecting to do anyway—such as pay a bill? What if they mentioned their children’s names and other personal details?

Welcome to the new world of Business Email Compromise (BEC). In this growing form of cybercrime, fraudsters impersonate a business email—usually someone in an executive position—and then contact an employee to ask for a wire transfer or employee information. These phishing scams increased an astounding 2,370% between 2015 and 2016, and caused $5.3 billion in losses, according to the FBI.

“The group at largest risk are small- to medium-size businesses (SMBs),” says Cary Scardina, a supervisory special agent with the Federal Bureau of Investigation’s Cyber Division in Washington, D.C. “I’ve seen small businesses get hit with losses from $45,000 to several million; it can be devastating, depending on the size of the company.”

Fortunately, there are steps businesses can take to reduce their risk of becoming a BEC victim—and the work starts with simply being aware.

Beyond the Usual Threats

When Scardina describes BEC, he narrows the crime down to one word: Impersonation. At the core of the scam, cybercriminals are simply impersonating an employee’s boss or company finance executive. “But it’s now of a higher quality than in years past,” Scardina says.

These are not emails from far-away royalty who need your employees’ help. Instead, BEC fraudsters are hacking into employee email accounts and then conducting sophisticated surveillance, sometimes for weeks or more. The attacker will track email traffic to learn how a person talks, how wire transfers and other requests are made—even what nicknames employees might use for each other.

When it comes time to conduct the actual crime, a fraudulent email may come from either an authentic or spoofed account. With a spoofed account the domain is slightly off. For example, a business name may contain an extra letter or an email might add a period between the first and last name. The attackers then ask the recipient to make a wire transfer payment—and include instructions for how to do so.

Learn about the Top 6 security tips for SMBs.

SMBs are Prime Targets

Increasingly, the cybercriminals are phishing for company W-2 information, which they use to file fraudulent tax returns. The IRS noted that more than 200 companies—which translates to hundreds of thousands of employees—were compromised by such scams last year.

Scardina says that SMBs are prime candidates for business email compromise wire transfer and W-2 email fraud. “That’s where you can have the intersection of high-dollar amounts and lower IT security,” he says.

The real estate industry has witnessed much of the BEC activity, largely because of the transactions realtors and others involved are conducting. But the criminals aren’t picky. Scardina has also seen medical offices, law firms and even pig farms targeted by these spoofed email schemes.

In many cases, the companies don’t catch the fraudulent transfer for a few days. These issues are time-sensitive: by then, it can be hard to reverse the transfer or trace the money before it is broken up and divided into multiple overseas accounts.

Get Ahead of Scammers

So how do you keep your SMB safe from BEC scams? As with many things, the best defense is a good offense. Scardina and the FBI offered the following guidance for reducing your risk of becoming a BEC victim:

1. Verify money transfer requests.

Institute a company policy that requires employees to verify requests for wire transfers—ideally with a phone call authentication. This is especially vital if the transfer request is deemed urgent by the email sender, Scardina says. In addition, advise employees to not discuss the details of wire transfers or bank accounts over email and to confirm any changes in the process with the bank or vendor.

2. Implement detection systems.

Task your IT team with creating a system that flags emails from domains that are similar to your own and could be used to create a look-alike domain. Other helpful tips include adding a rule in your email account that automatically flags emails in which the reply address is different from the “from” address. Also, be aware of the external applications your employees are connecting to with their computers by implementing a Cloud Access Security Broker (CASB) application.

3. Educate your employees.

Execute some social engineering, and ensure that your employees are aware of BEC warning signs. Red flags that an email may be fraudulent include any email that provides wire information or requests changes to existing information, requests expedited payments, or asks for W-2 information. “Flagging these should just be automatic,” Scardina says. “Employers should have a policy for how to do so.”

If you do suspect you’ve been a victim of BEC, Scardina says the first thing to do is to call the financial institution that sent the wire. In some cases, the bank can initiate a recall of the funds. Then call the FBI and file a report at IC3.gov. That way the FBI can track the details of your case. Lastly, have your employees change their passwords to their email and any other company networks.

4. Adopt a passphrase.

Using longer passwords and changing them on a regular basis seems like a given. But the traditional standards for passwords encourage people to use a single, difficult-to-remember password across all of their accounts. Great news! New research shows that rather than having a complicated mixture of special characters, numerals and capitalizations, using a passphrase is more secure and easier to remember. Longer passwords containing multiple upper and lower-case words are more secure. Consider choosing something relevant to you (like a book title) that wouldn’t be public knowledge. This lightens the “memory burden” on users, making them more inclined to follow this security best practice.

Change your passphrases on a regular basis. The new version can be similar to the previous phrase, for example from “thesunalsorisesinJAN” to “thesunalsorisesinFEB.”

Business email compromise remains on the rise—and the cyber criminals are only getting smarter. Take these precautions to educate your employees against threats and prevent your business from losing time, money and more to an email scam.

4 Ways to Protect Your SMB from BEC

Business email compromise scams are on the rise, costing $5.3 billion in losses since 2013. To reduce your risk:

1. Verify email wire transfers and PII requests, even from people you know.
2. Create fraudulent email detection systems if you have an IT security team.
3. Educate your employees.
4. Use long passwords, change them routinely, and do not reuse them for multiple accounts.

Source: IC3.gov
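One way an IT team could implement the checks from tip 2 ("Implement detection systems"), as an added example that is not part of the original post: it flags a sender domain that is a near miss of a protected domain, a sender address that differs from a known contact only by periods in the local part, and a Reply-To that differs from From. The domains, addresses and sample messages are constructed for illustration, and the edit-distance threshold of 2 is an assumption to tune against your own mail.

```python
"""Flag BEC indicators in message headers: look-alike sender domains,
dotted variants of known addresses, and Reply-To/From mismatches."""
from email import message_from_string
from email.utils import parseaddr

# Assumptions (constructed values): domains to protect and known-good contacts.
PROTECTED_DOMAINS = {"example.com", "vendor.example"}
KNOWN_ADDRESSES = {"cfo@example.com", "janedoe@vendor.example"}


def edit_distance(a, b):
    """Optimal-string-alignment distance: insert, delete, substitute and
    adjacent transposition each cost 1."""
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def split_address(header_value):
    """Return (local_part, domain) lower-cased, or ('', '') if unparseable.
    Only the first address in the header is considered."""
    _, addr = parseaddr(header_value or "")
    local, sep, domain = addr.lower().rpartition("@")
    return (local, domain) if sep else ("", "")


def lookalike_of(domain, max_distance=2):
    """Return the protected domain that `domain` imitates, or None."""
    if not domain:
        return None
    for own in PROTECTED_DOMAINS:
        if domain == own or domain.endswith("." + own):
            return None  # exact match or a subdomain of a protected domain
    for own in sorted(PROTECTED_DOMAINS):
        if edit_distance(domain, own) <= max_distance:
            return own
    return None


def dotted_variant(local, domain):
    """True if the address equals a known contact only once periods are
    removed from the local part (jane.doe@ versus janedoe@)."""
    if f"{local}@{domain}" in KNOWN_ADDRESSES:
        return False
    for known in KNOWN_ADDRESSES:
        k_local, _, k_domain = known.rpartition("@")
        if k_domain == domain and k_local.replace(".", "") == local.replace(".", ""):
            return True
    return False


def bec_flags(raw_message):
    """Return the list of indicators found in one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    local, domain = split_address(msg.get("From"))
    flags = []
    if lookalike_of(domain):
        flags.append("lookalike-domain")
    if dotted_variant(local, domain):
        flags.append("dotted-local-part")
    reply_to = msg.get("Reply-To")
    if reply_to and split_address(reply_to) != (local, domain):
        flags.append("reply-to-mismatch")
    return flags


def _msg(*headers):
    """Build a constructed sample message from header lines."""
    return "\n".join(headers) + "\n\nPlease process the attached invoice today.\n"


# Constructed sample messages, one per case.
SAMPLES = {
    "legitimate": _msg("From: CFO <cfo@example.com>", "Subject: Q2 numbers"),
    "extra_letter": _msg('From: "CFO" <cfo@exammple.com>', "Subject: Urgent wire"),
    "dotted": _msg("From: Jane Doe <jane.doe@vendor.example>", "Subject: New bank details"),
    "reply_to": _msg("From: CFO <cfo@example.com>", "Reply-To: cfo@mailbox.test",
                     "Subject: Wire"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:13} {bec_flags(raw)}")
```

Legitimate mailing lists and ticketing systems also set a different Reply-To, so treat that flag as a prompt for the phone verification in tip 1 rather than as grounds to block.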

RSA Conference 2018 kicks off to address cyber threat challenges

RSA Conference is the world's largest cyber security conference, with over 30,000 attendees taking over the city of San Francisco for a week to discuss, debate, and solve the cyber security challenge. RSA kicks off with Atlanta being under siege, 911 calls being stopped in Baltimore, Facebook being questioned by Congress over privacy issues, Uber, Grindr, and Boeing disclosing data breaches, attacks on the US grid, US tax filing vendor software, and 40,000 other data breach disclosures. More importantly, Russian meddling in US elections and making fun of democracy through cyber war has rocked the world. Cambridge Analytica has made every internet user in the world nervous with their disclosure about the Facebook data breach.

So, don't worry if this all sounds sad. This is exactly why 1800+ vendors, security thought leaders, CISOs, and all of us who have the moral responsibility to protect the privacy of individuals will discuss, debate, exhibit, research, and share how to save your city, law & order, your power grid, democracy, your privacy, and everything around your life.

Oracle is sure to represent itself on how it is securing the cloud, the database, apps, and developer tools for the half a million customers that we have. Oracle is not only securing its core products and infrastructure but also showcasing how you can build a SOC for your cloud and hybrid environment. Follow this blog for all the sessions, booth, demos, parties, and meetings that Oracle is doing.

Oracle this year at RSA 2018 is focusing on two things: an autonomous cloud platform with AI and machine learning for security use cases, and a cloud-based SOC for the Oracle cloud, multi-cloud, and hybrid cloud environment. We are all losing the cyber war. It is time for all of us to collaborate and make our machines smarter so that the battle is truly between attackers' machines and our machines, and not our users.

Cloud Security

Introducing the Oracle and KPMG Cloud Threat Report

Today’s organizations are under increasing pressure to look for efficient ways to leverage the cloud. They are looking for the undeniable opportunities that present themselves when rolling out new cloud services and mobile applications to gain a competitive advantage. After all, the cloud is enabling organizations to realize the ease of maintaining and supporting a more diverse and mobile workforce, partner and customer base. However, the speed and agility benefits of the cloud are creating an imperative around keeping pace at scale where organizational security is not keeping up with the demand for new cloud services.

These are the findings of the new global security report from Oracle and KPMG. The Oracle and KPMG Cloud Threat Report 2018 looks at organizational attitudes and confidence in the cloud, the challenges and risk, and how security operation teams are leveraging people, process and technology to secure the cloud journey. This survey-based report focuses on interviews from 450 global participants. Respondents were key decision makers, architects, planners, auditors and analysts tied to security initiatives around the cloud journey. We heard from LoB owners, DBAs, C-level and more, from SMB to the Enterprise and from over 21 key industries.

What we learned in this year’s report is that as organizations add new users, applications, data and infrastructure, combined with the more sophisticated threats and cyberstaff challenges, SecOp teams are seeing a pace gap appear. This pace gap is most evident with the high adoption rate of these new services, yet security operation teams are still stating that their #1 challenge in cloud security is analyzing and responding to security events from the cloud. So while applications themselves are being successfully deployed, the organization's ability to monitor for anomalous behaviors across the hybrid cloud is being further challenged. In fact, only 51% stated they are unable to analyze the majority of their event telemetry data, and respond.

This year’s Oracle and KPMG Cloud Threat Report 2018 is leveraging key analysis by cybersecurity experts at both Oracle and KPMG to deliver prescriptive best practices based upon what organizations are being impacted with today. We encourage you to download this groundbreaking report, learn how your own organization may be impacted by some of these challenges, and how you can apply these lessons to your own security planning.

Oracle and KPMG also encourage you to meet with us this week at the 2018 RSA Conference in San Francisco. Oracle’s booth is #1115, and you can come visit us to learn more about this new report, or any of the Oracle Cloud Security solutions. For more information on this report, visit us HERE. For more information on Oracle security solutions, visit our solution page.

Cloud Security

Cloud Security and Compliance Is a Shared Responsibility

By Gail Coury, Chief Information Security Officer, Oracle Cloud

Organizations around the world are ramping up to comply with the European Union’s General Data Protection Regulation (GDPR), which will be enforced beginning on May 25, 2018, and each must have the right people, processes and technology in place to comply or else potentially face litigation and heavy fines. The drive for more regulations is in large part the direct consequence of the rise in data breaches and cyber security incidents. In an effort to protect data privacy, governments are stepping in and demanding greater transparency in how organizations handle sensitive personal data. GDPR is just one such privacy mandate that will affect organizations globally and impact the lifeblood of their operations. Many have spent countless hours already preparing for the deadline, while others are just getting started.

Organizations are rapidly embracing cloud services to gain agility and thrive in today’s digital economy. This has created a strategic imperative to better manage cybersecurity risk and ensure compliance while keeping pace at scale as firms move critical apps to the cloud. According to the Oracle and KPMG Cloud Threat Report, 2018, 87 percent of organizations have a cloud-first orientation. The conventional mindset—that security is an obstacle to cloud adoption—is rapidly losing relevance. Enterprises in highly regulated industries are becoming more confident putting sensitive data in the cloud. Ninety percent of organizations say that more than half of their cloud data is sensitive information, according to the same report. Although customers are confident in their cloud service provider’s (CSP) security, they should vet their cybersecurity programs vigorously, and conduct a comprehensive review assessment of their security and compliance posture. Trust has always been important in business and paramount when choosing a cloud partner.
GDPR is top of mind for a lot of organizations because it’s a people, process and technology challenge and requires a coordinated strategy that incorporates different organizational entities versus a single technology solution. It is a complicated law and introduces intricate new regulations and requirements for handling personal data. In fact, 95 percent of firms affected by GDPR say that the regulation will impact their cloud strategies and CSP choices, based on findings published by Oracle and KPMG. One of the central considerations would be movement of sensitive data between CSP data centers. Organizations need to understand and clarify how their CSPs employ essential data protection controls and standards to meet GDPR requirements because every cloud platform and vendor has unique cybersecurity standards.

As you may know by now, cloud security and compliance is a shared responsibility, where the cloud provider and the tenant each have a role to play. Although it sounds relatively simple, customers are often not clear where their provider’s role ends and their obligations start, creating gaps. Knowing what security controls the vendor provides allows the business to take steps to secure their own cloud environment and ensure compliance. Almost every organization today has more than one regulation with which they need to comply and they increase the complexity with each cloud service they add. As organizations continue to lift and shift their apps to the cloud, they need to keep pace with scale and ensure security and compliance is maintained.

I am excited to explore these topics with other industry experts at the Cloud Compliance Zeitgeist panel on April 16 (12:50 p.m. – 1:35 p.m.), at the Cloud Security Alliance Summit at the RSA Conference 2018. Also, my colleague, Mary Ann Davidson, Oracle’s Chief Security Officer, will lead the panel Getting to Mission Critical with Cloud.
You will hear directly from some large complex global enterprises about their journey to the cloud, cybersecurity challenges and their complex compliance mandates. We look forward to seeing you there! Source: Cloud Security Alliance 

Cloud Security

Oracle at RSA Conference 2018

Next week, the RSA Conference (RSAC) will take place in the tech capital of the world. Top security professionals will get together for an exciting week packed with keynotes, hands-on sessions, and learning about the latest and most innovative technologies in the security world. The RSA Conference is a great place to interact and learn, but it can also be a lot to take in. With over 600 booths to visit, over 550 sessions to attend, and a number of great events, this 5-day conference can get very overwhelming. Here are 4 tips to help you get the best out of your RSAC experience:

Download the RSA Conference Mobile App

This useful app will be available soon with directions on their website. With the app you’ll be able to:

- View agenda and explore sessions
- Build your personal schedule
- Access speaker profiles, exhibitor and sponsor information
- View interactive maps of the RSAC Campus
- Get session and event details – including dates, times, locations and speakers
- Notifications – get a list of updates and informative notices

Planning ahead will help you get the most out of all the valuable content that is presented over the week. To learn more about Oracle Cloud Security, don’t forget to visit the Oracle Booth in the South Hall: #1115.

Come Prepared

The RSA Conference will be held at the Moscone Center and the Marriott Marquis. This expansive space means there’s more room for networking, sessions, and events but it also means there will be a lot of walking. The Moscone Center is two million square feet alone and you don’t want to have to call it quits in the middle of the day because of uncomfortable shoes. Also, you’ll be constantly checking your phone for updates on sessions, the latest tweets from security professionals that are attending RSAC, and texts from your colleagues, which means the battery will drain quickly. In order to stay connected you should remember to bring a charger, preferably portable so you don’t have to search for an outlet.

RSA Events

RSAC is also famous for the amazing events that are held throughout the week. Not only are they fun, but they are great networking opportunities. Many different vendors host receptions, parties, happy hours, and dinners throughout the week. Take advantage of these opportunities to get familiar with their product, build relationships, and have fun! Most events are by invitation only, so request access via the company’s website. You can register for Oracle’s Executive Reception at RSA here, for an evening of cocktails, networking, and spectacular views of the City and the Bay.

Beat the Crowds

Last year there were over 45,000 attendees, so if there is a certain session or keynote you want to attend make sure you get there a little early. There is also an option to reserve a seat for certain sessions. Don’t miss these two Oracle panels at the CSA Summit on April 16th:

- Gail Coury, CISO, Oracle – Cloud Compliance Zeitgeist – 12:50 PM to 1:35 PM
- Mary Ann Davidson, CSO, Oracle – Getting to Mission Critical with Cloud – 3:15 PM to 4:00 PM

The RSA Conference is a great place to learn about the most important and current issues in security and we hope these tips help you navigate through this year's conference.

Cloud Security

Protect Customer Data - Your Brand Reputation Depends on it

Customer data has become one of the most valuable resources for companies in many industries. Being able to understand your customers in a multidimensional way is critical to successfully marketing to them. That means analyzing their habits, emotions, and, most importantly, where they will spend their money. Corporations in the retail, financial, and telecommunications industries are constantly collecting data through loyalty programs, credit statements, and subscriptions. Customers are sharing their information with companies and expecting it to be protected. As one of these corporations, it is important to recognize the trust customers have when sharing data. How are you working to safeguard it?

Increasing data breach numbers have proven damaging monetarily and often wreak havoc on a brand's image. A recent attack on a popular retailer left over 5 million customers' credit or debit card information exposed. These breaches are common and only gaining speed as hackers pick off the world's largest brands. Companies must fight back and proactively search for ways to strengthen their security posture. Here are some avenues to explore when strengthening your environment:

Defense in Depth: Creating a security plan that incorporates every aspect of your company is key. This includes people, process, and technology - a core principle of the Oracle Software Security Assurance Methodology (OSSA). The aim of OSSA is to incorporate security at every stage of the development process.

Security at the Board-Level: Security breaches affect the entire company. Security concerns and strategy should be in discussions at every level, from IT to the executive level. To navigate this conversation with your board-level executives, read Cybersecurity and the CEO: A Board-Level Conversation. In this article, Akshay Bhargava, vice president of the cloud business group at Oracle, explains key points to incorporate during these critical conversations.

Adaptive Intelligence: The average Security Operations Center (SOC) receives over 17,000 alerts per week. There is simply not enough time in the day to manually investigate each threat. Consider Machine Learning and AI technologies as a necessity rather than a bonus feature within your solutions. Intelligent solutions using capabilities like multi-factor authentication create an extra layer of defense and solidify the value of adaptive intelligence within cybersecurity.

Safeguard Your Users: Employees are working from home, international cities, and even the beach; security has to evolve. Focusing on protecting users through identity management solutions enables you to protect your environment in the cloud and on premises. Understand more about how user authentication can protect your SaaS applications utilizing the Oracle Identity Cloud Service.

Continuous Monitoring and Compliance: Significant data loss across several industries has prompted stiff regulations. The creation of the European Union General Data Protection Regulation, or GDPR, is a prime example of the importance governments are placing on protecting data. Executive management should be involved in ensuring solutions are in place to monitor their environment and prevent vulnerabilities. Reporting on your data protection policies will be critical in the future of cybersecurity.

Customer data protection will continue to be a hot topic, but the attacks will continue as well. Brand reputation is key to customer loyalty and retention. In the case of an attack, it is important for each company to have a plan in place to respond quickly and reassure customers that protecting their data is a top priority. To minimize this risk, consider the above points and learn more about Oracle Cloud Security.

News

Pragmatyxs Ensures Data Security in the Cloud with Oracle

Author: Vidhi Desai, Sr. Principal Product Marketing Director, Oracle

Pragmatyxs is a leading technology consultant and systems integrator based in Seattle. They provide product tracking and labeling solutions to medical device, pharmaceutical, and food & beverage companies to help them meet their market and compliance requirements.

Last year at Oracle OpenWorld 2017, I had the opportunity to speak with Paul Van Hout, CEO and founder of Pragmatyxs, about their key challenges and journey to the cloud. Being a small organization, one of their biggest challenges was to provide maximum value to their clients while minimizing administrative costs and focusing on value delivery. Additionally, since their customers are in very highly regulated industries (FDA regulations etc.), data protection is very critical. He stressed that security has to be a very important element of all their solutions and they need to not only incorporate it in everything they do but continuously evolve their security strategy.

Data security and putting sensitive data in the cloud still remains one of their key concerns while moving to the cloud. One of the first questions they get asked when they move their client data to the cloud is “how will you secure my data?” Pragmatyxs chose Oracle Cloud over multiple other choices because of the security that it provides by default; for instance, with Oracle Database Cloud Service, transparent data encryption is provided by default. This helps them give their customers the confidence they need in putting their sensitive data in the cloud. Here is one of his quotes from our conversation:

“One of the key benefits of moving to the Oracle Database Cloud Service was transparent data encryption—we could ensure our customers that, right out of the gate, their data was secure, and the risk of compromise was minimum.” –Paul Van Hout, CEO & Founder, Pragmatyxs

Pragmatyxs has been a partner of Oracle since the company was founded 22 years ago. Watch this video to learn more about why Pragmatyxs chose Oracle Cloud and how they help their clients reduce risks and ensure compliance with better data security in the cloud.

Learn more about Oracle Database Security
Learn more about Oracle Security

Hybrid-Cloud Identity

Oracle Identity Cloud Service Accelerates Implementation at Pragmatyxs

Implementing a solution that supports your company in the present and can scale to enable your future is crucial for digital innovation. For Pragmatyxs, a Seattle-based consulting and solutions provider, selecting the right identity management solution was critical to their continued success with customers. Pragmatyxs works with customers in highly regulated industries such as aerospace, food and beverage, medical devices, and manufacturing. They evaluated several Identity solutions and ultimately opted for the Oracle Identity Cloud Service. To cater to cloud and on-premises requirements, Pragmatyxs employs a hybrid cloud strategy.

According to CEO and Founder Paul Van Hout, the Identity Cloud Service was a clear choice due to Oracle's ability to easily integrate with the entire Oracle ecosystem and offer strong back-end support to reduce implementation time from months to days. Pragmatyxs and Oracle have been working together for more than 22 years and the long-standing relationship contributed to a quick fit. After only 90 days, Pragmatyxs had a successful working prototype. They were searching for a cloud-based tool that offered flexibility to support a range of scenarios and compatibility to scale with their future development. According to Van Hout, the Oracle Identity Cloud Service offered the enterprise-level deployment they were searching for in the cloud.

Watch the full video featuring Paul Van Hout and learn more about how Oracle security can support growth, protection, and innovation within your organization.

Cloud Security

Oracle Cloud Security Days lands in Redwood Shores (April 4)

It has been one of the most talked about Oracle security events in years, and it has arrived in the "bay area" for April 4th! Oracle Cloud Security Days has been crossing the nation and on Wednesday, April 4th, we will see this event at Oracle's own headquarters in Redwood Shores, CA. Have you registered? There is still time left to do so!

As this event has crossed from New York, to Texas, to California, the feedback has been consistent. Attendees are raving about the format: networking with fellow colleagues in the security/cloud space who are dealing with some of the same challenges as themselves, and hearing from experts at both Oracle and KPMG as they share real-world examples of lessons learned from those who have dealt with the risk and exposure of a breach, and faced the realities of implementing change. We sum this up with concrete best practices and then take you into the afternoon sessions, where you get to test drive technology yourself in hands-on labs that are designed to show you just how easy today's generation of cloud solutions can be to use when securing some of the leading solutions you already use today.

Register today, come and join us tomorrow (April 4th) and hear from experts in the field of cloud security. This is an event tailored for everyone from the highly technical up to the executive decision makers, as there is a conversation and experience here for all. For those not in the Bay Area, make sure you check out where we are stopping next on our tour, and register in advance! See you at Oracle Cloud Security Day - Redwood Shores!

Cloud Access Security

Cloud to accelerate compliance by 3x, improve performance of IT ops by 2x, and stop cyberattacks by 3x

A report from an independent global survey of 730 IT professionals demonstrates how cloud disrupts management, security, and compliance. Click here to read the full report. This gives you a great insight into how cloud is changing systems management and security in the hybrid IT world. Negin Aminian, who runs product marketing for security at Oracle, says that “Cloud is the solution for these 5 major themes”. She adds that “We have a better together story with management and security, and security is at the forefront of how a cloud is disrupting the hybrid IT”. Let’s look at the 5 major themes:

1. Better Together: Security and Management

Survey analysis reveals that advanced cloud-based technologies help prevent attacks. This is the opposite of what companies typically say, namely that cloud migration exposes new surface area for attacks.

2. The Regulation Imperative

The survey clearly shows that cloud customers are ahead of non-cloud customers in accelerating towards GDPR, although we hear that a number of organizations have not even started preparing for GDPR. Cloud eases the stress of getting started and of navigating toward your goal.

3. Continuous Compliance

With huge amounts of sensitive data at stake, organizations need to ensure continuous compliance (not just GDPR). Cloud platforms help organizations maintain compliance with government and industry regulations. Compliance is not just about packaged reports. It starts with IT hygiene and works through configuration, data security, zoning, network/user/apps security, and more.

4. Systems and Data Management

Machine data is very valuable and important, therefore it needs to stay secure. Only about 0.5% of machine data is analyzed for security and operations today. Purpose-built machine learning analytics tools such as OMC from Oracle can leverage this machine data for various use cases such as IT Ops, DevOps, SecOps, etc. in an effective and unified data model. You need an elastic capability to accommodate all the valuable data that is being collected, then utilize the data in order to gain greater visibility and increase security.

5. Security at the Forefront

As cyber-attacks are becoming more frequent and impactful, organizations need to develop both prevention and detection capabilities. This is only possible with the latest cloud solutions, powered by machine learning and data analytics. Cloud security allows you to look deep into cloud systems, workloads, data, and other APIs to monitor sensitive data, controls, and configurations.

For a detailed report, please visit here or visit www.oracle.com/security.

Oracle at Secure Rail in Orlando, FL - April 24-25, 2018

The global railway industry is big business; you get a sense of how big when looking at this world's largest railway companies chart. The market is expected to grow at a compound annual growth rate of 2.6 percent to reach an average annual value of 230 billion USD ($185 B Euros) between 2019 and 2021. When you combine the entire transportation industry--including ships, trucks, trains, boats, and planes--it's an interconnected global web that impacts everyone, everywhere.

In preparing for my talk at the Secure Rail Conference in Orlando, Florida on April 24-25, I have been researching some of the more recent attacks on major railways. The transportation industry is like any other industry when it comes to having to deal with today's sophisticated cyberattacks. This conference is hyper-focused on "protecting and managing the security of rail technology, assets and people," and I plan to share the important security requirements that organizations should consider when choosing a Cloud Service Provider.

Attendees of my talk, There's Better Security in the Cloud, But Are You Using It Securely, will hear how successful organizations large and small have implemented and manage consistent security policies to identify threats with automation, analytics, and intelligent technologies across the hybrid data center. Broadly, I will be covering:

- The importance of knowing about your shared security responsibility
- The top cloud threats facing organizations today
- How to best prevent, detect, respond to, and predict today's innovative threats

I look forward to speaking at Secure Rail and learning more about the rail industry's threat landscape and most pressing cyber security challenges. If you are planning on attending, stop by and say "hi".


Cloud Security

How to Simplify SSO to Oracle eBusiness Suite in Just 3 Steps

Oracle E-Business Suite (EBS) is in use by thousands of customers worldwide today. Many of those customers have implemented single sign-on (SSO) to ensure a smooth user experience. From my experience with customers, the most common use case is to deliver a transparent sign-on experience from the user's desktop through to EBS.

The Current Approach

The traditional, certified approach for achieving this is through deployment of, and integration with, Oracle Access Manager and either Oracle Internet Directory (OID) or Oracle Unified Directory (OUD), as described by my colleague Steven Chan in this blog post. A good summary of this approach is shown in the diagram below.

Figure 1 - The traditional approach for E-Business Suite SSO

Whilst this approach is well understood and documented, it introduces a number of additional components and additional complexity to your EBS deployment. For SSO you need to deploy Access Manager, a Directory, a WebGate, an AccessGate, and configure each to integrate with EBS. All of these additional components need to be fed and watered, patched and updated. For some customers, this additional complexity has led to not implementing SSO, resulting in the user experience suffering.

A New Approach

However, fear not, there is now a simpler option available which will still enable that streamlined user experience you require, without the need to deploy and manage all of the above components, and without the need to make significant configuration changes within EBS, such as configuring the integration with OID or OUD.

Oracle Identity Cloud Service (IDCS) is Oracle's cloud-based Identity platform, which now enables SSO to a standard installation of EBS through its EBS Asserter. The figure below shows this simplified integration, with existing components shown in grey and the new components shown in red.

Figure 2 - A simplified architecture with IDCS

As a cloud-based Identity platform, IDCS requires no installation. In addition, all of the key non-functional requirements such as HA, DR, scaling, backup and restore, patching, and upgrading are taken care of by Oracle as part of the cloud service. The only component that requires deployment is the EBS Asserter. This acts as the interface between an identity token being issued by IDCS and a user's session being created in EBS.

So coming back to the title of this blog post, how can you achieve this simplification in 3 steps? Easy...

1. Populate IDCS with users and groups by setting up synchronization between your AD and IDCS (tutorial)
2. Configure SSO between your on-premise Identity Provider (typically ADFS) and IDCS (tutorial)
3. Deploy the EBS Asserter and configure integration with EBS and IDCS (tutorial)

As you can see, this approach is considerably simpler than the previous approach. It also means that once you have this integration in place, it is easy to extend the use of IDCS to other web-based applications and cloud-based applications. You can also take advantage of some of the advanced capabilities of IDCS such as multi-factor authentication to add an extra level of security over the user authentication process. I've covered some of this in a previous blog post (Three Reasons Why Identity Management Should Be On Your Radar For SaaS).

In summary, whether you have an existing EBS deployment already integrated with Access Manager today and are looking to simplify your footprint, or whether you don't have SSO enabled today, using IDCS to deliver SSO to EBS can greatly enhance the user experience whilst at the same time simplifying your overall topology and administration.


Cloud Access Security

Changing Perceptions on Cloud Security

Change is often prompted by events. People tend to stick to their usual routines because it is comfortable. Every morning people drive the same route to work, stop to order the same cappuccino, and continually purchase from the same brands. Change is generally met with resistance, but it opens up new opportunities. We are currently in a transition that requires great flexibility and innovation, yet heavy resistance persists in the form of security concerns. Cloud creates many opportunities to effectively secure and manage all hybrid environments.

It's time to shift the perceptions around cloud adoption and approach it as an additional defense mechanism in the world of security and management. Cloud technologies can support predictive capabilities that allow customers to anticipate attacks before they hit core systems.

Regulatory compliance is a key component changing the dynamic of how we view the cloud. A new survey by Longitude Research found a considerable correlation between how mature companies are in their cloud adoption and their readiness for GDPR compliance. These cloud-mature companies lead the charge in compliance and cite a close working relationship with cloud vendors to better protect their users, apps, and data. Compliance regulations are put in place to protect users at a time when data is a hot target for attackers. These guidelines, and laws, are designed to empower users' awareness of what is being done with their data and hold businesses accountable for their protection practices. Interested in learning more about compliance?

It is now apparent that machine learning and artificial intelligence are here to stay. The level of sophisticated attacks has increased exponentially over the years, and with limited resources it is challenging for even the most robust IT teams to keep pace. Utilizing these cutting-edge technologies will help enterprises stay ahead on defense and understand more about their environments through pattern monitoring.

Cloud adoption means change for IT organizations, but as with anything, we build on past standards and improve them for the future. Most companies do not operate fully in the cloud. They instead maintain a hybrid cloud environment, complete with on-premises and cloud technologies that may or may not be designed to work together. This is where strong security capabilities are crucial. A system that can span the entire hybrid environment can keep a breach from going undetected and lessen the crucial time needed to resolve an error. Cloud security solutions, such as the Oracle CASB Cloud Service or Oracle Identity Cloud Service, work in conjunction with other solutions to protect your entire environment regardless of where it resides.

Innovation requires strong performance. Predictive capabilities broaden the reach of machine intelligence like never before. Change is coming, are you ready?


Cloud Access Security

The deadline for GDPR compliance is approaching. Are you prepared?

Written by Stephanie G. Hlavin, Senior Content Strategist Integrated Marketing, Cloud Technology, Oracle

Imagine if compliance with the General Data Protection Regulation (GDPR) – a set of strict requirements that protect the data of all individuals, including how it’s used and collected – was as simple as writing a privacy statement and posting it on your organization’s website. If only.

It’s not 1995 anymore. That is the year the current Data Protection Directive was put in place, the directive that the GDPR will replace come May 25, 2018. Twenty-three years ago, the stipulations were sufficient. It was a much different world, a mostly non-digital one. For context, consider:

• In 1997, 68% of U.S. households had no internet, and the top website was AOL.
• Up until 2003 when it was at its peak, you listened to music on CDs.
• In 1999, 56% of Americans had no cell phone (true definition of cell phone here, not smartphone).

Today, it’s digital everything. From shopping for socks and groceries to health insurance, banking and all forms of entertainment, these tasks happen online, with enormous amounts of personal data handed over. That’s where the GDPR comes in. It aims to increase the accountability of controllers (the organization that collects data) and processors (an organization that processes data on behalf of the data controller, e.g., a cloud service provider like Oracle) and give persons more control over how their personal data is collected and what’s done with it.

So what does GDPR mean for you? Nothing, since you’re not a European company? Unfortunately, not so. Although it’s an EU initiative, GDPR crosses the pond. If any of your customers or employees (even just one) are located inside the EU, you must comply. Nor is it limited to only certain-sized organizations. Small, mid-size and large enterprises are all held to the same requirements. Hefty fines and loss of brand confidence, if not class-action lawsuits (think Equifax), loom large if you don’t.

Keep in mind that GDPR is not a punishment! It’s intended to make possible a digital transformation that will benefit everyone: it enables organizations to carry on digitally while they have the trust of their customers, partners and their own employees. And according to Troy Kitch, Sr. Director of Security Product Marketing at Oracle, “The only way economies can flourish is to provide that trust through protective mechanisms.”

Kitch recently hosted a webcast, “Addressing GDPR compliance: Implementing a security framework,” that you can catch on replay. If GDPR is on your radar (or should be), the webcast is just under an hour and packed with information to consider as you work on meeting the May 2018 deadline. Within the hour-long webcast, you’ll hear about the key tenets of good security practices; common mistakes to avoid when it comes to security; and, most critical, the best way to achieve an appropriate level of security based on the level of risk to data and the cost and implementation to do so. The webcast also includes slides with an expanded set of information not covered in the hour.

Find more information about GDPR and how you can prepare for compliance.


Cloud Security

Register Now for Oracle Cloud Security Day - New York City - March 15th

Based in the New York City area? Looking to gain insights into the threats and risks impacting your journey to the cloud and gain some hands-on experience in how to remediate them? Register today for the Oracle Cloud Security Day event in New York City, March 15th.

Introducing the Oracle Cloud Security Day series. Designed by those who most commonly engage with both technical evaluators and security management teams, this is an event series that Oracle has created to appeal to all. We start with key presentations from our key partner, KPMG, on a case-study analysis of recent scenarios where there have been missed opportunities to mitigate or secure before the big data breach. With KPMG's analysis, we then take a detailed look at each case study to dive into the lessons learned and today's best practices that can provide a defense-in-depth model across these applications as customers are lifting and shifting their workloads to the cloud. Oracle then shares its insights into the application of cloud security in today's cloud landscape in these use cases.

After lunch, we give the more technically inclined an opportunity to take the lead in sharing their direct experiences by applying the lessons learned throughout the day and, with the help of Oracle instructors, walking through each of the use cases shared and securing each of the case study examples in our hands-on labs using the latest Oracle Cloud Security technology.

So this is an opportunity for customers to hear lessons learned, the latest offerings and services that can address this, and then to move forward and apply this knowledge in a hands-on lab setting. For all the details on this, please see the registration page now, as seating is limited.

• New York City, NY – March 15, 2018
• Dallas, TX – March 27, 2018
• Redwood City, CA – April 4, 2018
• Chicago, IL – April 12, 2018
• Mississauga, Ontario – May 1, 2018
• Reston, VA – May 10, 2018


Cloud Security

2018 – Autonomy vs Automation

At OpenWorld 2017 last year (it still seems strange saying last year), Oracle announced “The world’s first Autonomous Database”. The marketing literature states:

“Oracle Autonomous Database Cloud eliminates complexity, human error, and manual management, helping to ensure higher reliability, security, and more operational efficiency at the lowest cost.”

When I first heard about the autonomous database, I didn’t quite get it. I’m no database expert but I thought that we had database management well in hand. I know DBAs with decades of experience who can manage databases with their eyes shut, usually using lots of scripts and automation. So, what’s different about the new Oracle Autonomous Database?

The penny dropped for me when I realised the difference between automation and autonomy. A common misunderstanding is that Oracle has just automated the database. That is not the case. Automation refers to a set of sequential steps that are executed in order, usually using a script. Think of an unattended installer. You give it the settings and it executes a number of predefined steps to install your piece of software with the settings you define. Another example might be a DBA who has written a script to automate the patching of a server. The script will run through a series of steps, such as: connect to the server, upload the patch, execute the patch, verify the patch, then restart the server. Both of these are examples of automation, not autonomy.

When Oracle talks about the Autonomous Database, they aren’t saying that they have just written a number of scripts to automate several steps; they are talking about autonomy, i.e. self-management. What this means is that, as the administrator, you will define the parameters within which the database must operate and the database will take care of that for you. For example, you will define the service level you need, or the information retention policy you must enforce. Then the database will do the rest, under the covers, to meet that requirement. No more setting up RAC or DataGuard to configure HA and DR.

From a security perspective, the Autonomous Database also reduces the risks associated with manually managed databases. Yes, we have some very clever and experienced DBAs with mature scripts, but in today’s world of increasing cyberattacks and more data breaches than ever before, against larger and more sensitive data, we need to remove as much of the manual processes associated with security as possible. There will, of course, always be a need for some manual intervention, but the security posture in any organisation, and the response to any threat, needs to be more rapid than waiting for an overworked DBA or SOC Analyst to get around to dealing with it. For example, the Autonomous Database will patch itself regularly with the latest patches and always enable encryption, so you don’t inadvertently leave data stored in the clear.

At the moment, industry is losing the cat and mouse game against the cyber criminals. Looking beyond databases, I can see lots of other places where autonomy, underpinned by capabilities such as machine learning, will play a crucial role in the cyber war in the near future. There is a long way to go, but it’s an exciting time at Oracle, seeing the emergence of technologies such as the Autonomous Database, as well as our newly designed Identity SOC, really looking at how they address this changing threat landscape using the latest and greatest innovations. 2018 is going to be an exciting year.


Hybrid-Cloud Identity

Three Reasons Why Identity Management Should Be On Your Radar For SaaS

Many of Oracle’s (and 3rd party) SaaS applications support key identity management capabilities, which enable them to integrate with an enterprise to deliver capabilities such as single sign-on. However, there are some use cases where a more robust identity management platform is required to meet more demanding business requirements. Identity Cloud Service (IDCS) is Oracle’s strategic platform for delivering both identity management services for our customers to utilise and the identity management platform that underpins our IaaS and PaaS cloud services. Here are 3 key use cases where integration of SaaS with IDCS can provide additional value for a SaaS customer.

Reducing Risk through stronger authentication

Many SaaS applications contain a customer’s most sensitive information and therefore there is often a requirement to strengthen the level of authentication required when accessing these applications, especially by users with high levels of privileges within the SaaS application. Identity Cloud Service can add a low-cost, stronger level of authentication to your sign-in process. This is similar, for example, to how your bank might authenticate a user. There is flexibility and choice for a user in deciding how they want to provide a stronger authentication, i.e.:

• Memorable questions and answers
• Regularly changing, one-time use passcode
• Prompting a user on their smart device for approval
• Text message

Backup codes can also be downloaded by the user for times when none of the above mechanisms are available to them at the time of authentication. The IDCS Administrator configures a policy to determine which users the additional authentication applies to and under what conditions it applies, such as their current location.

Simplifying access from multiple organisations

Identity federation has long been the de facto approach for enabling a user to seamlessly access different applications, cloud-based or otherwise, using their organisation’s credentials, instead of maintaining multiple different usernames and passwords across lots of different services. Most SaaS applications today support identity federation. However, a common limitation is the ability to only configure this trusted relationship with one organisation. In my experience, many organisations today have loosely coupled IT, typically with many discrete partners, or sub-organisations, who all manage their own IT. This can lead to user data that is stored in a number of different places, each owned and mastered within those smaller entities. When this happens, organisations often cannot federate all of these different entities with their SaaS applications. Instead they need the ability to configure multiple trust relationships between their different entities and the SaaS applications they are using. IDCS can help by supporting multiple trust relationships, meaning that each separate entity within your organisation can be configured as a trusted provider, enabling users seamless access into their SaaS applications, whether Oracle or 3rd party, irrespective of which entity they are coming from.

Embracing Consumers

Whilst many SaaS applications are geared towards enterprise services such as Human Capital Management (HCM) and Enterprise Resource Planning (ERP), there is sometimes a need to engage consumers and allow them to interact with the application. Whilst registration pages can be provided for users to ‘sign-up’, this doesn’t provide a good user experience for your end-users. Instead, it is common practice to enable registration and subsequent authentication through social platforms such as Facebook, LinkedIn, and Google. Not all SaaS applications support these integrations today. Identity Cloud Service supports social authentication with a number of the common social providers as well as providing a general, standards-based integration for additional social platforms not provided out-of-the-box. Identity Cloud Service handles the associated capabilities such as linking a user to their various social profiles and enabling user controls, such as user consent and the ability to forget the link between their IDCS identity and their social accounts. Utilising Identity Cloud Service to deliver social platform integration can significantly lower the development and integration effort required to maintain this capability across all of your chosen social providers.

These three identity management enhancements for SaaS are areas where I am regularly having discussions with customers. However, we shouldn't forget what I call the "bread and butter" IAM, and that is the fundamental processes of making sure you have appropriate controls and procedures in place to provision/de-provision users and their roles into your SaaS applications, so that you are maintaining the right level of governance around your cloud accounts, and not just your existing on-premise applications. Of course, IDCS can help here as well, but that's the discussion for another post.


Cloud Security

2020 Future Predictions: A Look At Today's Transformative Technologies

Technology providers are always progressing, evolving, and transforming solutions to better suit the needs of a modern business. The future shows no signs of slowing this trend. As the Oracle Cloud Predictions for 2018 point out, by 2020 many of the cutting-edge technologies we see today will likely be adopted as standards for the future. This is a pivotal moment as intelligent technologies enable businesses to reduce cost, increase efficiency, and explore data to create deeper insights. Requirements are increasing for faster development cycles, implementation of intelligent solutions, and mobile capabilities for employees on the go. Security is coming to the forefront of importance as IT battles thousands of threat alerts daily and shadow IT departments are purchasing cloud subscriptions without security approvals. These factors, coupled with the alarming rate of cyberattacks, will prompt executives to prioritize security and compliance.

Automation is slated to become a necessary component for solutions in order to reduce the risk of human error and detect anomalies that are not as obvious to the human eye. Automation of routine tasks will free up time for security professionals to focus on innovation, business growth, and preventing a cyberattack. AI and Machine Learning are powerful tools that can help businesses interpret and protect the data that we collect. Data is valuable, and incorporating adaptive intelligence capabilities creates an additional wall of defense.

It is predicted that by 2020, on-premises environments will present the greatest risk to your data. The cloud adoption trends indicate that even highly regulated industries must consider a move to the cloud as a measure against cybercriminals. Cloud-based technologies are more widely accepted, prompting compliance laws to take effect. The European Union GDPR (General Data Protection Regulation) compliance deadline is approaching and is a strong indication that the need for stringent security and management guidelines is more important than ever. Read more about how industry trends and developments will change cloud computing in the next few years.


Cloud Access Security

Register Now: Oracle Cloud Security Day series near you!

One of the hardest objectives for customers is to find conferences that they can bring multiple members of the security team to and gain an overall perspective of the trends, challenges and potential solutions. We hear often from customers "our director wants to bring his technical evaluator, but is afraid he will be bored by the content unless there is a hands on component". We hear from the technical evaluators that upper management won't attend the same events because the content is too technical and doesn't address the business drivers, real-world use cases and more that they deal with. Both are right, but what if they could be found at the same event? What if there was one security event that a customer could bring both their security leadership and their technical evaluators/architects to for a full look at the issues impacting today's organizations?

Introducing the Oracle Cloud Security Day series. Designed by those who most commonly engage with both technical evaluators and security management teams, this is an event series that Oracle has created to appeal to all. We start with key presentations from our key partner, KPMG, on a case-study analysis of recent scenarios where there have been missed opportunities to mitigate or secure before the big data breach. With KPMG's analysis, we then take a detailed look at each case study to dive into the lessons learned and today's best practices that can provide a defense-in-depth model across these applications as customers are lifting and shifting their workloads to the cloud. Oracle then shares its insights into the application of cloud security in today's cloud landscape in these use cases.

After lunch, we give the more technically inclined an opportunity to take the lead in sharing their direct experiences by applying the lessons learned throughout the day and, with the help of Oracle instructors, walking through each of the use cases shared and securing each of the case study examples in our hands-on labs using the latest Oracle Cloud Security technology.

So this is an opportunity for customers to hear lessons learned, the latest offerings and services that can address this, and then to move forward and apply this knowledge in a hands-on lab setting. For all the details on this, please see the registration page now, as seating is limited.

• New York City, NY – March 15, 2018
• Dallas, TX – March 27, 2018
• Redwood City, CA – April 4, 2018
• Chicago, IL – April 12, 2018
• Mississauga, Ontario – May 1, 2018
• Reston, VA – May 10, 2018


Cloud Security

Strategic Priorities for 2018 - Chief Security Officers

“Hope for the best, plan for the worst,” says Akshay Bhargava, vice president of the cloud business group at Oracle. With the rising risk of a breach, this is the reality for Chief Security Officers (CSOs) today. In a recent Forbes article, 5 Strategic Priorities For Chief Security Officers In 2018, Bhargava talks about the key areas CSOs should focus on to strengthen their IT environment and mitigate risk.

Bhargava explains major shifts in modern business processes and emphasizes the importance of security practices evolving alongside them. Bhargava states, “Be proactive and define appropriate technologies, processes, and developer training that ensures security is embedded throughout the development lifecycle.”

The need for automated monitoring solutions continues the theme of proactivity within the article. Security Operations Centers (SOC) receive nearly 17,000 alerts per week. CSOs must bring in automated technologies with machine learning capabilities to prevent attacks. Bhargava goes on to explain the importance of clear communication within the business, by incorporating both business users and executives.

Planning for the worst means putting together a plan of action in the event of a breach. However, hoping for the best can be safeguarded by taking proactive steps to protect your environment. To learn more, read 5 Strategic Priorities For Chief Security Officers In 2018.


News

Oracle Releases Database Security Assessment Tool: A New Weapon in the War to Protect Your Data

Evaluate your database security before hackers do it for you!

Vipin Samar, Senior Vice President, Oracle

Data is a treasure. And in my last 20 years of working in security, I’ve found that hackers have understood this better than many of the organizations that own and process the data. Attackers are relentless in their pursuit of data, but many organizations ignore database security, focusing only on network and endpoint security. When I ask the leaders responsible for securing their data why this is so, the most frequent answers I hear are:

• Our databases are protected by multiple firewalls and therefore must be secure.
• Our databases have had no obvious breaches so far, so whatever we have been doing must be working.
• Our databases do not have anything sensitive, so there is no need to secure them.

And yet, when they see the results from our field-driven security assessment, the same organizations backtrack. They admit that their databases do, in fact, have sensitive data, and while there may be firewalls, there are very limited security measures in place to directly protect the databases. They are even unsure how secure their databases are, or if they have ever been hacked. Given the high volume of breaches, they realize that they must get ready to face attacks, but don’t know where to start.

Assessing database security is a good first step but it can be quite an arduous task. It involves finding holes from various angles including different points of entry, analyzing the data found, and then prioritizing next steps. With DBAs focused on database availability and performance, spending the time to run security assessments or to develop database security expertise is often not a priority.

Hackers, on the other hand, are motivated to attack and find the fastest way in, and then the fastest way out. They map out the target databases, looking for vulnerabilities in database configuration and over-privileged users, run automated tools to quickly penetrate systems, and then exfiltrate sensitive data without leaving behind much of a trail.

If this were a war between organizations and hackers, it would be an asymmetric one. In such situations, assessing your own weaknesses and determining vulnerable points of attack becomes critical.

Assess First

I am excited to announce availability of the Oracle Database Security Assessment Tool (DBSAT). DBSAT helps organizations assess the security configuration of their databases, identify sensitive data, and evaluate database users for risk exposure. Hackers take similar steps during their reconnaissance, but now organizations can do the same – and do it first.

DBSAT is a simple, lightweight, and free tool that helps Oracle customers quickly assess their databases. Designed to be used by all Oracle database customers in small or large organizations, DBSAT has no dependency on other tools or infrastructure and needs no special expertise. DBAs can download DBSAT and get actionable reports in as little as 10 minutes.

What can you expect DBSAT to find? Based upon decades of Oracle’s field experience in securing databases against common threats, DBSAT looks at various configuration parameters, identifies gaps, discovers missing security patches, and suggests remediation. It checks whether security measures such as encryption, auditing, and access control are deployed, and how they compare against best practices. It evaluates user accounts, roles, and associated security policies, determining who can access the database, whether they have highly sensitive privileges, and how those users should be secured.

Finally, DBSAT searches your database metadata for more than 50 types of sensitive data including personally identifiable information, job data, health data, financial data, and information technology data. You can also customize the search patterns to look for sensitive data specific to your organization or industry. DBSAT helps you not only discover how much sensitive data you have, but also which schemas and tables have them.

With easy-to-understand summary tables and detailed findings, organizations can quickly assess their risk exposure and plan mitigation steps. And all of this can be accomplished in a few minutes, without overloading valuable DBAs or requiring them to take special training. Reviewing your DBSAT assessment report may be surprising – and in some cases, shocking – but the suggested remediation steps can improve your security dramatically.

Privacy Regulations and Compliance

DBSAT also helps provide recommendations to assist you with regulatory compliance. This includes the European Union General Data Protection Regulation (EU GDPR) that calls for impact assessments and other enhanced privacy protections. Additionally, DBSAT highlights findings that are applicable to EU GDPR and the Center for Internet Security (CIS) benchmark.

Nothing could be Easier

Oracle is a leader in preventive and detective controls for databases, and now with the introduction of DBSAT, security assessment is available to all Oracle Database customers. I urge you to download and try DBSAT – after all, it’s better that you assess your database’s security before the hackers do it for you!

Cloud Security

New World, New Rules: Securing the Future State

While chasing down a domestic terrorist, FBI Agent Will Brody found himself in an unfamiliar and dangerous environment. (Brody is the protagonist in Marcus Sakey's 2017 novel Afterlife.) To survive in its perilous conditions, its residents commit to two simple rules: (1) pull your own weight and (2) only kill in self-defense. These rules have kept them safe from the obvious imminent threats around them for decades. But Brody sees a change happening in the environment that others don't yet see and warns his new community: "If you never change tactics, you lose the moment the enemy changes theirs." His mantra becomes "New World, New Rules." In other words, you must adapt to changing threats or face the consequences.

As Information Security professionals, we find ourselves in a similar situation. Our environment is transforming rapidly. The assets we're protecting today look very different than they did just a few years ago. In addition to owned data centers, our workloads are being spread across multiple cloud platforms and services. Users are more mobile than ever. And we don’t have control over the networks, devices, or applications where our data is being accessed. It’s a vastly distributed environment where there’s no single, connected, and controlled network. Line-of-Business managers purchase compute power and SaaS applications with minimal initial investment and no oversight. And end-users access company data via consumer-oriented services from their personal devices. It has grown increasingly difficult to tell where company data resides, who is using it, and ultimately where new risks are emerging. This transformation is on-going and the threats we’re facing are morphing and evolving to take advantage of the inherent lack of visibility.

Organizations are in varying stages of migration toward this future state of IT where we have massive distribution and where visibility is elusive. But we all seem to be moving in the same direction. So, we simply can't live by the same old rules. We can’t rely on old security techniques. New World, New Rules.

Traditionally, security professionals have relied heavily on SIEM (Security Information and Event Management) solutions to track activity in their environments. The SIEMs resided somewhere on the network and collected logs and event information from other network-connected systems and devices. SIEMs measured themselves by their ability to ingest data from anything and everything on the network. But SIEM users have struggled to translate that event data into actionable intelligence. In many cases, because of the enormous quantity of event data and the inability to parse it quickly and efficiently, SIEM solutions became forensic tools, used after the fact to research what may have happened after a breach was detected.

The old SIEM approach won't suffice in the future state. Although many organizations report struggling with the complexity and cost of SIEM solutions, the SIEM market continues to expand. This is because the need for visibility has only grown more urgent with increasing regulations and more aggressive and sophisticated attack techniques. But you want more. Traditional SIEM approaches aren't enough. There simply aren't enough hands on deck to rely on manual processes for investigating event data or identifying on-going attacks.

Here's the good news: The technologies that have exacerbated the problem can also be used to address it. On-premises SIEM solutions based on appliance technology may not have the reach required to address today's IT landscape. But an integrated SIEM+UEBA designed from the ground up to run as a cloud service and to address the massively distributed hybrid cloud environment can leverage technologies like machine learning and threat intelligence to provide the visibility and intelligence that is so urgently needed.

Machine Learning (ML) mitigates the complexity of understanding what's actually happening and of sifting through massive amounts of activity that may otherwise appear to humans as normal. Modern attacks leverage distributed compute power and ML-based intelligence. So, countering those attacks requires a security solution with equal amounts of intelligence and compute power. As Larry Ellison recently said, "It can't be our people versus their computers. We're going to lose that war. It's got to be our computers versus their computers."

But to effectively secure the future state, you need more than a SIEM designed for cloud. Here are a few other innovations that we should demand from our security platform:

Application Topology Awareness: Detect multi-tier application attacks and lateral movement indicators. Alert application owners, not server administrators.
Threat Stage Awareness: Map potential and in-progress threats to well understood attack stages to provide better contextual data on how to respond. See developing threats before they happen.
Data-Deep Visibility: Detect data access anomalies for any user, database or application.
Broad Data Capture: Don't rely solely on security logs. Leverage operational logs, threat feeds, embedded reputation data, and more.
User Attribution: Report the identity even if the user context is missing via composite identity awareness and rich user baselines.
Configuration Change Awareness: Inject configuration drift context into threat detection.
Orchestration: Respond to threats immediately and with precision via REST, scripts, or 3rd party automation frameworks.

Obviously, we're writing about this for a reason. These features are built into Oracle's Security Monitoring and Analytics service (SMA). When we say that our SIEM was designed from the ground up for cloud, we're not just talking about the product architecture. We're talking about its features and functionality. It was designed to address the complexity and peril of distributed cloud environments. It was designed to secure the future state; to be the new rules for the new world.

SMA is built on Oracle’s unified platform for future-state security that also includes Identity, CASB, and Configuration Compliance. It was built 100% in the cloud to address the security needs of hybrid, multi-cloud environments. Traditional SIEMs lack Identity, CASB, and Configuration Compliance functions. And they typically only layer UEBA on top of their legacy SIEM architecture. They lack advanced features like data-deep visibility, user attribution, orchestration, and awareness of threat stages and application topology.

Leveraging these innovations, Oracle's approach enables shorter investigations and faster response times while accommodating all the complexity of the future state. And, to top it off, Oracle's security services are built on Oracle Management Cloud which, in addition to security, provides a single pane of glass for IT monitoring, management, and analytics. Oracle simplifies management and security for the future state, reducing cost and effort, and providing richer intelligence across increasingly complex environments.

Learn more about how Oracle is addressing these security concerns and incorporating machine learning into adaptive intelligence by reading our whitepaper, "Machine Learning-Based Adaptive Intelligence: The Future of Cybersecurity."

Cloud Security

Machines Vs. Machines - How Adaptive Intelligence Can Save You From a Breach

As we begin a new year, transitioning to hybrid environments is a top priority for many companies. While there are many questions surrounding the cloud transformation process, cloud security is a major topic. Many IT professionals want to understand how transformative solutions can provide an intelligent look at their environment at a rapid pace. How do companies with thousands of servers, countless solutions, and a growing number of cloud vendors plan to handle this changing landscape? A key challenge is managing and securing data by taking an identity-based approach rather than the traditional rules-based perimeter.

The threat is real: Security Operations Centers (SOCs) are inundated with nearly 17,000 alerts per week. Their goal is to incorporate transparent solutions to detect any vulnerabilities and utilize automated remediation tactics. Business users look for solutions designed for ease of use; this often prompts them to invest in cloud solutions without the approval of central IT. By 2021, there will be an expected 3.5 million cybersecurity jobs left unfilled. Due to the limited security expertise within companies, the struggle to properly investigate security threats has increased the possibility of a breach slipping through.

The average data breach at a large enterprise takes 100-120 days to resolve, as explained in the 2015 Kenna Security Gap Report. This is often caused by the number of disparate monitoring systems designed to track specific information, but not optimized to combine and make actionable decisions with that data. In a 2016 Spotlight Report, 86% of participants did not trust traditional security solutions to fully manage security across the cloud.

To adapt to these growing threats, Oracle has incorporated machine learning and artificial intelligence into the Oracle Identity SOC, a suite of products that utilize machine learning to detect and resolve issues without human intervention, a concept referred to as adaptive response. Oracle's Identity SOC is built to meet the needs of a modern digital business. Its use of machine learning continuously adapts to your environment as data is entered and helps security professionals more effectively monitor behavior.

To learn more about Oracle’s intelligent security operations center, read the new whitepaper, "Machine Learning-Based Adaptive Intelligence: The Future of Cybersecurity."

Cloud Access Security

Oracle Product Rollout Underscores Need for Trust in the Cloud

On the heels of our big news at this year's Gartner IAM Summit in Vegas, DarkReading's Kelly Sheridan sat down with Oracle's Vice President of Oracle Identity Cloud, Rohit Gupta, to gain insights into this week's Press Release and the major announcements within it, and to learn more about the vendor who continues to make waves in the Identity space.

With this Press Release, Oracle announced that it is expanding its security portfolio and unveiling a new partner program. The Oracle Identity SOC portfolio now includes new capabilities to help enterprises manage and certify user identities, applications, and confidential data more securely and through a richer, consumerized user experience. Additionally, the new partner program will help improve collaboration with security vendors and simplify customer adoption.

First unveiled at Oracle OpenWorld 2017, Oracle’s integrated suites, the Oracle Identity Security Operations Center (SOC) portfolio of services and Oracle Management Cloud, are designed to help enterprises forecast, reduce, detect, and resolve security threats and assist in efforts to remediate application and infrastructure performance issues.

Leveraging artificial intelligence to analyze a unified data set consisting of the full breadth of security and operational telemetry, as well as provide automated remediation, Oracle’s integrated suite is designed to enable customers to quickly adapt their security and operational posture as their risk landscape changes. This application of machine learning can potentially help thwart attacks, reduce the detection window from months to minutes, and more quickly address security breaches and performance outages.

To learn more, see this week's Press Release and this week's DarkReading article, "Oracle Product Rollout Underscores Need for Trust in the Cloud".

Not Everything Scary Yells "BOO!"

While we celebrate Halloween, it is hard not to extrapolate some of the spookiness to what we encounter in real-life cybersecurity scenarios. Check out the blog below by our CASB PM, Karl Miller, on some frightful findings we recently encountered with some cloud application deployments! Thankfully enough, Oracle CASB Cloud Service was able to get these customers right back on track so these spooky secrets got addressed promptly!

Halloween is one of my favorite holidays. It has always been because I can make it as fun, creepy, silly or scary as I want. Cloud security is not always quite so silly, but it can be creepy or downright scary. However, like any good haunted house, the scariest things aren't always what you think they are, and they don't always jump out screaming to get your attention.

Recently, I've had a few interactions with organizations that had some rather scary issues, but didn't jump out screaming "Boo". Before we jump in, let me point out that each of these organizations has a truly fantastic security team and great practices. Seriously. These chilling tales are just a reminder that as we move into clouds, we need better ways to keep an eye on everything that happens. As one of my friends used to say, "In God we trust, but He's still going to be monitored".

A la "Scooby-Doo™"[1], here are some short case notes.

A Kooky Case of an Eavesdropping Admin

While we all remain concerned about the nefarious attacker compromising network security layers and stealing data, that outside attacker is not the only risk. A regulated financial institution using one of our products (minor plug: Oracle CASB Cloud Service) with their Microsoft Office 365 rollout was recently alerted to activities by an entry-level email support administrator. Upon investigating, we learned that this 3rd-party administrator working with Exchange was using a perfectly legitimate feature of Office 365 to monitor the email folders of the organization's board of directors and several officers and then performing stock trades on the information. The customer asked why features like this exist in services, but there are scenarios where this type of capability may be required (e.g. legal discovery of a person’s misbehavior in their email inbox); however, I’m not going to cover all these types of discussions here in my “case notes”. While this case is now moving through legal resolutions, it was clearly not a fun surprise.

Fear of the Phantom Files

This financial organization was greatly surprised by missing data from their sanctioned enterprise Box environment. This organization routinely examined Box user activities and data volumes via their perimeter and were quite content. Unfortunately, when we started looking inside their enterprise Box account, only six (yes, SIX!) users were using that service instance while HUNDREDS of others were using other Box accounts (some personal, some departmental, etc.) without the knowledge of information security. Data was leaving the corporate network and going to a sanctioned cloud (InfoSec had monitored that for months), but no other service or staff had put all the data about network activity and sanctioned service usage (or absence of usage) together to reveal a problem. Their perimeter was still completely intact; users and data were going to an approved service, just not in the way they expected. Merely deploying a productivity app in the cloud isn’t enough – monitoring it for usage and adoption is equally important, as this organization learned the hard way.

Secrets of the Slippery Service

Another organization with well-established security and compliance processes was quite startled when Oracle CASB revealed a tremendous amount of activity in their Salesforce environment from an odd location. With them, we performed some forensic examination and discovered that an external service not approved by their InfoSec team was accessing their enterprise Salesforce data (which includes very sensitive customer information) using OAuth approvals by some of the organization's senior sales leaders. This external service was connecting directly to Salesforce via the service’s APIs, was not subject to IP restrictions for accessing the data, was operating with complete administrative control of the environment, and was not being monitored at all. Digging a bit further, we found this service was also using the organization's production Salesforce environment to test Alpha and Beta versions of their cloud without any approvals by information security or the audit teams. To return to compliance, this organization had to update their Salesforce configuration to include restrictions on accessing data. They also use Oracle CASB Cloud Service to monitor and assess Salesforce activities by end-users, administrators, and external services, and to alert InfoSec of any configuration shifts to prevent the introduction of new risks.

So, before we head into the night looking for treats and creepy tales, make sure you take a moment to wonder who may not be jumping from the bushes to frighten you.

About the Author: Karl Miller is an experienced security professional with extensive experience across Identity Management, Access Management, Directory Services and Cloud Security. He currently works with the Oracle Cloud Security offerings as a Senior Principal Product Manager for Oracle CASB Cloud Service.

[1] SCOOBY-DOO and all related characters and elements are trademarks of © Hanna-Barbera.

OpenWorld '17 Security At a Glance - Wednesday

Oracle OpenWorld really started to kick into high gear on Tuesday as excitement started to build for Larry’s afternoon address on CyberSecurity. Attendees were sharing some great feedback on the strategy details and specific solution information they were seeking around all of the Oracle Security products, whether in The Exchange or in the many sessions provided.

Some of the highlights included Dan Koloski, VP, Product Management (Oracle) leading a session on “Machine-Learning-Based Analysis to Manage Cybersecurity Risks”. For some in this session, this was their first introduction to DevOps, and for others, it was a detailed overview of how Oracle has developed a suite of solutions that map directly to the DevOps / SecOps / IT Ops customers on a single unified platform that leverages the ML and AI technology that Larry has spoken so often about this week.

Another great session was from Ansh Patnaik, VP, Product Management (Oracle) leading a session on “Early Detection of Ransomware In Modern IT Landscapes”. This one is of particular interest to many because of the recent global impacts that have taken down organizations. Ansh shared how the new Oracle Security Monitoring and Analytics Cloud Service, which Larry highlighted, is able to inject itself into the middle of the attack chain and provide automated remediation against this growing threat.

Customers always love hearing from fellow customers, and the session “Why Oracle Cloud Access Security Broker Cloud Service Is #1 Security Tech” didn’t disappoint as it was led by Chief Security Architect, Steve Zalewski, from Levi Strauss. In addition, members from Marlette Funding and Ooyala joined the team to share their perspectives on what business and security challenges they were each facing, why a CASB was the solution…and why Oracle’s CASB.

However, the highlight of the day had to be Larry Ellison himself in the highly anticipated 2nd keynote, “A More Secure Cloud”. Those at the show and online were able to hear Larry’s announcement of several new solutions, 1) Oracle Security Monitoring and Analytics Cloud Service and 2) Oracle Configuration and Compliance Cloud Service, which are all part of a broader integrated set of unified security technologies called Oracle Identity SOC (Security Operations Center). As Larry has pointed out this week, the focus of these offerings, and many others, is on the advancements and investments Oracle has made in machine learning, artificial intelligence and adaptive security technologies. Combined, these enable customers to secure their organization proactively rather than through the reactive “cleanup/restore” model. For more information on these amazing new technologies, we encourage you to drop by the Oracle Security booth in The Exchange, or read up on yesterday’s press release announcing the availability of these offerings.

Wednesday is a day to start finalizing the sessions and topics you have not had a chance to fit in until today. Great topics are those related to yesterday’s announcements, to get more details on the new security strategies. A few recommendations are below.

Wednesday At a Glance

9:45 – 10:45am  Security and Compliance for Hybrid Clouds with Oracle Management Cloud [HOL7821] | Hilton San Francisco Union Square (Ballroom Level) - Continental Ballroom 7
12 – 12:45pm  Unify Compliance Auditing of Oracle Technology Across Hybrid Cloud Environments [CON7063] | Marriott Marquis (Yerba Buena Level) - Salon 12
5:30 – 6:15pm  Customers Deploy Oracle Identity Management in Record Time [CON7087] | Moscone West - Room 3003
Demo:  Security Monitoring and Analytics for Hybrid Cloud Environments with Oracle Management Cloud | The Exchange – Workstation SOA-071
Demo:  Take Your SOC from Manual and Static to Intelligent, AI-Based Identity SOC | The Exchange – Workstation SOA-069

Have a great Wednesday!

Cloud Access Security

The Shift to Secure Data in the Cloud with CASB

Last year, we shared an IDC Whitepaper “Identity-as-a-Service on the Journey to the Cloud” that highlighted the characteristics of these 4 “journeys”. Organizations are now rapidly adopting IDaaS technologies to help smooth this transition to the cloud, but this works in a model where we have a clear delineation of user roles spelled out.

With this journey to the cloud, organizations are also dealing with the challenge of “structured” vs “unstructured” data repositories and how to monitor, manage and restrict access to them. This often begs the question, “what is structured/unstructured data?” In simple terms, structured data is any data that is placed in a common, searchable structure. This could be a spreadsheet, csv file, SQL database or other. Unstructured data is often strings of notes that are “text heavy” and do not follow a common format, making it difficult to perform searches.

The Cisco Global Cloud Index reports that by 2018, 58% of all cloud workloads will be SaaS. With this in mind, customers are struggling today with how to shift this structured/unstructured data into the cloud while still maintaining control and preventing a compromise.

While the risks are real and growing, they can be mitigated. In fact, the Cloud Security Alliance recently published their list of the Terrible 12 threats to cloud computing, and in this list, they predicted that a CASB would resolve 9 out of the 12 threats. Oracle CASB Cloud Service uses machine learning, AI and automation to provide a critical control point for the secure and compliant use of cloud services across multiple cloud service providers (CSPs) such as Microsoft, Google, Oracle, Salesforce and more.

The latest enhancements announced this week expand the Oracle CASB Cloud Service to address the structured/unstructured data issue with data-loss prevention capabilities that manage the flow of confidential, proprietary and privacy-driven information in and out of the cloud applications that it identifies. The granularity of a CASB allows it to identify authorized and unauthorized applications and cloud services to help give you visibility and control and enable you to build out a DLP-driven enforcement policy across all services for users.

In addition, Oracle has expanded the capabilities of the solution to manage the influx of malicious code (malware) that is overwhelming today’s infrastructures and that current platforms are incapable of addressing as they scale into the cloud. This also provides the ability to defend against ransomware-type attacks to ensure users, systems and data are not taken out or held hostage for political/financial gain.

For the full details on the latest version of Oracle’s CASB Cloud Service, we encourage you to come by and visit us at the Oracle Security booth at OpenWorld or follow us @OracleSecurity

Oracle Announces: Industry’s First Intelligent Security and Management Suite

Today at Oracle OpenWorld, Larry Ellison spoke to attendees about two new cloud security solutions that we are officially announcing in today’s Press Release, summarized below. As Larry has highlighted, the competitive landscape has simply not addressed the growing complexity of threats, the speed and scale of threats, or the scale and response time needed to analyze them, with the efficiency and ROI that businesses need to maintain.

Attacks and threat statistics have followed the hockey stick model. As long as the frequency of attacks is “on the stick”, we can manage it by throwing more man-power at the problem and hope that human error does not cause a greater issue. The problem with this mentality is, globally speaking, we have been operating well within “the blade” for the last several years, as the rate of attacks and threats has skyrocketed beyond our ability to analyze and respond. Oracle recognized this is not a human challenge anymore.

“Building on its multi-year investment to define and provide the next generation of cyber security and systems management solutions, Oracle today announced the availability of the industry’s first cloud-native, intelligent security and management suite. This new set of integrated suites -- Oracle Identity Security Operations Center (SOC) portfolio of services and Oracle Management Cloud -- will help enterprises forecast, reduce, detect, and resolve cybersecurity threats and assist in efforts to remediate application and infrastructure performance issues.”

This has resulted in the launch of two new security cloud services: Oracle Security Monitoring and Analytics Cloud Service, as well as the Oracle Configuration and Compliance Cloud Service. Each of these services is powered by Machine Learning, Artificial Intelligence and automation to address many of today's biggest challenges, which stem from the inability of security teams to effectively analyze and assess while keeping up with today's configuration and compliance requirements at scale.

Oracle is also announcing major updates to Oracle CASB Cloud Service that add threat detection and data protection capabilities for our customers. Oracle CASB Cloud Service now offers enhanced data security for both structured and unstructured data with new built-in Data Loss Prevention features, improved threat prevention with new anti-malware and anti-ransomware capabilities, and the ability to share its analytic conclusions across Oracle’s Identity SOC portfolio.

For the FULL PRESS RELEASE and to learn more about Oracle’s Cloud Security offerings, click here.

Cloud Security

OpenWorld '17 Security At a Glance - Tuesday

Monday got off to a tremendous start as many of the attendees got their first new look at the expanded Moscone Center. Oracle’s new expo hall “The Exchange” opened up with tremendous excitement as attendees were able to rapidly identify key subject areas such as Security and Management and engage with key knowledge experts and leaders to understand some of the new exciting technologies on hand, such as Oracle’s new Identity SOC.

The Keynotes also proved to be a source of real talking points over the course of the day as Larry’s Sunday address continued to create waves of excitement as it builds to his keynote today (see info below), where he will focus on the exciting new ways Oracle is addressing today’s cybersecurity challenges. If you thought Sunday’s address was noteworthy, strap in for today’s! After it is over, we encourage you to make your way to the Oracle Security booth in The Exchange as well as follow us online.

Mark Hurd also took time in his keynote and in multiple interviews to highlight the growing challenges ahead and how Oracle’s cloud strategy is addressing these needs, starting with a more secure, elastic, on-demand model that is more cost effective for customers. Security is a major theme this year, and there will be more to come starting today with Larry’s keynote!

Peter Barker, Akshay Bhargava and Dan Koloski all had tremendous sessions that touched on Oracle’s new cloud security strategies with details on some of the new services we have been rolling out under our Identity SOC framework since last year. Each shared some amazing sessions but attendees walked away learning a great deal more about Oracle's future in Machine Learning and use of AI in security. As one attendee put it, "It's a brave new world, and Oracle is in the driver's seat".

To get more details on all of our sessions, drop by the demonstration booth (downstairs) where we are showing off our Identity SOC (Security Operations Center) Solution and the cloud services that make up this solution.

Tuesday will be our busiest day yet with keynotes, news and sessions, so we encourage you to plan ahead and check back here over the day, whether or not you are at OpenWorld. For complete session listing for security, click HERE.

Monday At a Glance

9 – 11am  Thomas Kurian "Oracle's Integrated Cloud Platform....for Business" (Highlights Replay) | Moscone Center, Lower North, Hall D
2 – 3pm  Larry Ellison Keynote “A More Secure Cloud” (Replay) | Moscone Center, Lower North, Hall D
11:30 – 12:15pm  Machine-Learning-Based Analysis to Manage Cybersecurity Risks [CON7064] | Marriott Marquis (Yerba Buena Level) - Salon 12
12:45 – 1:30pm  Early Detection of Ransomware in Modern IT Landscapes [CON7062] | Marriott Marquis (Yerba Buena Level) - Salon 12
12:45 – 1:30pm  Why Oracle Cloud Access Security Broker Cloud Service is #1 Security Tech [CON7067] | Moscone West - Room 3007
3:45 – 4:30pm  Keep Structured and Unstructured Data Secure in the Cloud [CON7075] | Moscone West - Room 3007

Have a great Tuesday, and enjoy Larry’s keynote!

Cloud Security

OpenWorld '17 Security At a Glance - Monday

It was an exciting Sunday to kick off Oracle OpenWorld 2017. Thousands came together to see the newly revamped Moscone Center and to check in for their OpenWorld experience this week. Some key highlights from Sunday included the OPN (Oracle PartnerNetwork) Keynote for Oracle's key partners, which was delivered by Mark Hurd, Dave Donatelli and Penny Philpot. This was a time for our security partners to learn more about many of the key offerings and initiatives we are announcing to address key business challenges and needs.

The real show stopper for Sunday was the keynote from Oracle's Executive Chairman, Larry Ellison himself, "Oracle Cloud and the Future of Data". Replay is available HERE. In a way only Larry can, he threw down the gauntlet at Amazon, showed the audience the performance, pricing and security benefits of Oracle over Amazon, and gave some teasers for what he has in store for his Tuesday Keynote. Make sure you don't miss this very exciting Tuesday Keynote at 2pm PST.

Monday At a Glance
9 - 10:15am   The Cloud: Transformational. Innovative. Foundational | Moscone Center, Lower North, Hall D
11 – 11:45am   Oracle’s Identity and Security Vision: Powering Next Gen Digital Transformation [CON6973] | Moscone West - Room 3007
12:15 – 1pm   Why Identity Security Operations Centers Are Required in the Cloud Era [CON6976] | Moscone West – Room 3007
2:15 – 3pm   There’s Better Security in the Cloud, but Are You Using Clouds Securely? [CON6445] | Moscone West - Room 3022

Cloud Security

Oracle's machine learning to detect and remediate misconfigurations and violations

Let's not worry about North Korean, Chinese, or Russian nation-state hackers until you have your basic security configurations right. Verizon's DBIR 2017 report says that 76% of the attacks were caused by misconfiguration alone. Gartner recommended in 2011 that a security configuration is a must-have tool. SANS Institute lists the configuration of end-devices, vulnerability assessments, and configurations of network as its #3, #4, and #11 critical security controls, respectively, in version 6.0 (2017).

Although we have all agreed, in theory, for the last 15 years that security configuration is critical, why is it still a major cause of data breaches? According to a recent InformationWeek survey of 900 professionals, enforcing security configurations was the 2nd most difficult task to achieve, beating even vulnerability patch management.

In the new IT world of cloud and DevOps, relying on a gold build that we maintain to build critical systems is not working. Users are using shadow IT or just need to be more productive with new innovations. It is better to align your security configurations and policy management with your fast pace of DevOps, IT, and overall business.

Oracle is announcing a major update to its Management Cloud portfolio, which unifies IT Ops and DevOps with Security Operations. Oracle Configuration and Compliance solution is one of the critical components of this unified platform. The update adds a strong configuration layer to our existing strong platforms that deliver IT ops, SecOps, DevOps, and APM use cases. We have built these cloud-based solutions based on our learning and expertise from 40,000 customers that use our management platforms.

Top use cases of Oracle's cloud-based security configuration solution:
Configure and monitor user access and authentication
Remove unused accounts
Close unused ports
Enforce configurations and other policies
Remove unwanted services
Detect and patch vulnerabilities

This is a cloud-based service leveraging a new way of consuming cloud service through Universal Credit. Oracle, with its new product and new business model, is the most comprehensive security configuration management for both your new and old IT. It is also the most affordable solution in the market that covers your old, current, and future IT, including cloud, on-prem, hybrid, and everything in-between.

Oracle's approach to security configuration management is unique:
Integrated platform for DevOps, APM, IT ops, and SecOps
Machine learning based review system
Automated remediation and adaptive response
Cloud-based solution for both old and new IT
Rapid deployment and no learning cycles
Dynamic assessment of all your assets, users, and data

Learn more here: https://www.oracle.com/cloud/configuration-compliance.html

Cloud Security

Welcome to Oracle OpenWorld 2017

  Welcome to Oracle OpenWorld 2017!  There has never been a more exciting time for Oracle’s customers to hear from our leadership, solution experts and partners about the current and future strategies of Oracle Cloud Security.  It’s not too late to register for over 50 security sessions, hands-on-labs and demos, as well as sign up for one-on-one meetings with product leadership.  For complete session listing, click HERE. Oracle also introduces a new expo hall experience we call The Exchange, which provides a more engaging learning environment for Oracle’s solutions.   Many organizations are looking to bring back key information to help address the growing risks and threats that they face.   Some of the key issues include the upcoming GDPR deadline, increasing data breaches, growing personal and corporate data theft, and too many alerts for current teams to address.  Most often, the solution has been to hire our way out of the problem, placing additional staff in the Security Operations Center to analyze the mountains of events to find the needle in a haystack.   “Chief Security Officers are increasingly concerned about the human factor of moving to the cloud. Cyberattacks continue to become more prevalent while security organizations struggle to protect their growing attack surface amidst a severe cybersecurity talent gap,” says Akshay Bhargava, Product Executive – Oracle Security. “Organizations need more intelligent security solutions that can automatically detect, prevent, respond, and even predict future threats before they do devastating damage.”   Oracle will be spending considerable time this week showing our intelligent security solutions that include new cloud security services that were recently launched, as well as major keynotes from Oracle leadership.   The event kicks off today with Larry Ellison’s opening keynote, streamed live here. 
We encourage you to make the time this year to attend the key executive keynotes and sessions focused on security:

Monday
Peter Barker’s Keynote “Oracle’s Identity and Security Vision: Powering Next-Gen Digital Transformation” Oct 02, 11:00 - 11:45 am | Moscone West - Room 3007
Akshay Bhargava “There’s Better Security in the Cloud, but Are You Using Clouds Securely?” Oct 02, 2:15 - 3:00 pm | Moscone West - Room 3022
Prakash Ramamurthy “Manage and Secure Hybrid Cloud at Scale using Artificial Intelligence” Oct 02, 3:15 - 4:00 pm | Moscone South - The Arena @ The Exchange

Tuesday
Larry Ellison’s Keynote “A More Secure Cloud” on Tuesday, Oct 03, 2:00 – 3:00pm | Moscone Lower North, Hall D

And there are many more events, executive briefings, sessions, hands on labs and demos….. here

For the latest in what is happening this week and beyond with Oracle Security, follow us on Facebook and Twitter, on Oracle.com and here on our CloudSecurity Blog page where we will be keeping you up to date on the latest information.

Configuration & Compliance

Watch Oracle's BIG security session at OpenWorld 2017

Oracle's big commitment to security is here. We have a complete portfolio of cloud-based security solutions to secure both your old and new IT. It is built on a strong Oracle Management Cloud platform, which has thousands of customers both large and small, and the industry's best unsupervised machine learning and adaptive security. Don't miss this session on Monday by Prakash Ramamurthy, SVP of Oracle.

Details:
General Session: Manage and Secure Hybrid Cloud at Scale Using Artificial Intelligence
Monday, Oct 2, 3:15 p.m. - 4:00 p.m. | Moscone South - The Arena @ The Exchange
Session code: GEN7487

We have some interesting gifts for people who join in early and also a big prize in the end.

New technologies applying artificial intelligence and machine learning are revolutionizing the way organizations handle security and application performance challenges. Escalating threat landscapes and rapidly changing web and mobile application environments are key factors fueling this trend.

Join us for an engaging general session at Oracle OpenWorld to hear case studies highlighting how organizations are dramatically improving their application performance and security posture. You will see Oracle’s roadmap for investment in next-generation security and management capabilities including a demonstration. This session also covers the advantages Oracle Enterprise Manager users gain by incorporating AI-based technology to manage their databases and applications.

Cloud Access Security

Oracle is BIG on security this year at OpenWorld 2017

Oracle OpenWorld 2017 is right around the corner. It is bigger and better than ever before and Oracle is going all in on Security this year. Oracle has announced some major updates to its security portfolio and is now in a position to secure the entire cloud platform (IaaS, PaaS, and SaaS) effectively. Check out these executive sessions and top activities to understand how Oracle is committed to securing both the old and new IT from the cloud.

Top SECURITY activities at Oracle OpenWorld 2017:
Join Larry J Ellison's keynote on Tuesday morning to listen to our BIG commitment to securing our 400,000 customers and beyond
Cloud Systems Management and Security by Prakash Ramamurthy, SVP, Oracle, Monday at 3:15p (GEN 7487)
Security vision for digital transformation by Peter Barker, SVP, Oracle, Monday at 11a (CON 6973)
Cloud Platform Roadmap by Amit Zavery, SVP, Oracle, Monday at 1:15p (GEN 7119)
Data security and compliance is business critical by Vipin Samar, SVP, Oracle, Monday at 1:15p (CON 6571)
Cloud adoption strategies by Don Johnson, SVP, Oracle, Tuesday at 11a (GEN 7215)
A platform and a path to cloud journey by Steve Daheb, SVP, Oracle, Monday at 4:30p (Gen 1799)

Demo and Hands-on labs:
Demos for CASB, Oracle IaaS and SaaS security, Bare metal security
Security Monitoring & Analytics, Configuration & Compliance
Identity SOC, Identity Governance
Database encryption, key management, backup, recovery, and GDPR

Security-related events:
Customer appreciation event @ Luck Strike Bowling on Monday at 6:30p
Cloud platform innovation awards @ Four Seasons on Monday at 6:30p
Customer advisory board meeting @ Grand Hyatt on Wednesday at 1:30p
Security happy hour @ OneMarket on Wednesday at 4p
Customer appreciation concert (all customers) @ AT&T on Wednesday at 6:30p

Register today for Oracle OpenWorld 2017. See you all on Oct 1, 2017.

Cloud Security

GDPR – it’s all about technology and fines, isn’t it? by Paul Toal

Unless you are new to my blog posts, you will know that I spend most of my time talking to organizations about security, whether that is data security, cloud security, people security, or application security. If you are new to my blog posts, then welcome. I hope you enjoy them and find them useful and informative.

For the last 12-18 months, a fair amount of my work and many of my conversations have been in relation to GDPR. I personally think that GDPR is a great step forward for privacy and security. It does a good job of ‘encouraging’ organizations to put more thought and control into how they use and protect personal and sensitive data. However, this post isn’t about how great GDPR is.

Watching the security news and market trends in security, I have seen a lot of different marketing messages and approaches from different IT vendors and consulting companies on the best ways to address GDPR. Unsurprisingly, from the consultants, it’s all about business transformation and process change, whilst the IT vendors pontificate about how much you need their technologies and how their products are the answer to GDPR. In most cases, much of the marketing has been around the now much-quoted fines.

Having worked in security for a long time, I have regularly seen security products marketed based on FUD (Fear, Uncertainty, and Doubt), usually generated by alarming statistics. From a fines point of view, you don’t get much more alarmist than “4% of global annual turnover” (many quoted stats failing to mention the “up to” in front of that). This scaremongering annoys me and it’s not just me. In a recent blog post, the UK ICO, Elizabeth Denham, clearly has the same frustrations. Don’t get me wrong, the fines are important and are a key factor in how seriously organizations are taking GDPR. However, there are other ramifications of not following the GDPR, which also play key factors for any organizational program to address it.

So, how do I think the industry should be talking to organizations about GDPR? It’s simple: they should be helping them, not scaring them. Here are some observations I have made over the last few months.

Be Honest

Lay out the facts of the regulation, not some biased interpretation that suits your product. If the conversation does include a discussion around fines, then talk about the fact that fines are tiered and that article 83 talks about ‘taking into account technical and organizational measures’ when deciding whether to impose administrative fines. Also, talk about the other punitive measures and potential outcomes of a data breach.

Revolution vs Evolution

How revolutionary really is GDPR? We have had many regulations covering various elements of information security for a long time. You will all have heard of, or be familiar with, SOX, DPA, PCI-DSS, HIPAA, FedRAMP etc. (I could go on). Many of these regulations cover similar themes such as data encryption, authentication, authorization, patching etc. Therefore, for many organizations, some of the processes and controls necessary for GDPR will already be in place. Of course, there are elements of GDPR which are posing more of a challenge than others, especially around the data privacy elements. These should not be under-estimated.

Don’t Oversell or be oversold to

If your company sells a product or solution that can help an organization address a certain element of GDPR, don’t oversell it as a way of ‘solving GDPR’. As an organization battling with GDPR, be wary of any companies that claim that their solution will ‘make you GDPR compliant’. I have seen software vendors as well as cloud vendors claim this. There is a lot of work to do for GDPR. I don’t see how any vendor can claim to make you GDPR compliant. If, for example, you put your data into a cloud provider, they will be the data processor but the organization will still be the data controller and therefore have their own responsibilities. As an organization, you should understand where any potential vendor or provider could help, what parts of GDPR it can help with and the limits of that solution.

Identify Quick Wins

GDPR is a business transformation program. It will require business/process/technical changes and those will take time. However, there are things that can be done in parallel. An organization should be looking at quick wins that can help start taking baby steps towards their end goal, rather than waiting until all of the upfront ‘consulting’ work is completed. For example, this could be to start using technology to help find personal and sensitive data within systems, or to start enabling encryption to secure personal data at rest. This gives two benefits. Firstly, when May 2018 arrives, it shows that an organization is making real progress in relation to GDPR. Secondly, we are all seeing the frequency and scale of data breaches in the press. Ignoring GDPR for a moment, just having appropriate controls in place to protect sensitive data (whatever it is) all helps towards mitigating potential exposure.

GDPR Fatigue

12 months ago, I would go in, mention GDPR, and get many blank faces. However, today, most organizations I talk to understand what GDPR is and have a program in place. The maturity of that program varies dramatically, but, at least they have taken the first steps, if not, are nicely heading along their journey. Therefore, covering the basics of GDPR at every session isn’t always necessary. I have seen people present an overview of GDPR to the head of an organization’s GDPR program. If you are a vendor or supplier, be aware of your audience’s existing knowledge.

When I talk to organizations about GDPR, I always try to follow my own advice. Whether I am talking about how Oracle can help with technology controls for managing and monitoring user access or data security, or if I am talking about how moving workloads to Oracle Cloud can enhance security, I am always conscious that I follow my own rules, be as honest as possible and don’t oversell, or incorrectly position anything we do. I hope others do too and that organizations recognize when they are being oversold.

Cloud Security

Oracle OpenWorld 2017 to Showcase the Largest Number of Security Sessions

Security pros will have no shortage of new technologies and information to explore at Oracle OpenWorld 2017, from behavior analytics (BA) and machine learning (ML) to artificial intelligence (AI) and secure automation.  Never before have Oracle customers been in such a position to be as well enabled on their journey to the cloud as they are today, and to do so with capabilities that facilitate a more secure on-boarding of users and applications, and the ability to meet the continuous compliance goals organizations are now chartered to meet. This year, security pros will find this balance of cutting-edge emerging technology and practical, expert-rendered advice at Oracle OpenWorld 2017, October 1 to 5 in San Francisco. Here’s just a sample of the numerous sessions on tap focused on security: Registration for Oracle OpenWorld 2017 can be found HERE, while the complete listing of all security focused sessions, demos and hands on labs can be located HERE Session Highlights: Monday Why Identity Security Operation Centers Are Required in the Cloud Era [CON6976] Dan Koloski, Oracle Andy Smith, Senior Director of Product Management for Identity & Security, Oracle Fabio Gianotti, Chief Security Officer, UBI BANCA Cybersecurity and Compliance in 2017: Database Security is Business-Critical [CON6571] Vipin Samar, Senior Vice President, Database Security, Oracle   Tuesday Data Management and Security in the GDPR Era [CON6573] Russ Lowenthal, Oracle Franck Hourdin, Oracle Mike Turner, Global COO Cybersecurity, Capgemini Machine-Learning-Based Analysis to Manage Cybersecurity Risks [CON7064] Dan Koloski, Oracle Ganesh Kirti, Oracle Why Oracle Cloud Access Security Broker Cloud Service is #1 Security Tech [CON7067] Steve Zalewski, Levi Strauss & Co. Adina Simu, Sr. Dir of Product Management, Oracle Alice Wang, Oracle Chet Sharrar, Sr. 
Director Security and Infrastructure, Marlette Funding, LLC Bill Billings, CISO, Ooyala   Wednesday Identity Governance as a Service: What is Your Path [CON7078] Ravi Erukulla, Director of Product Management, Oracle Hiren Parikh, Identity Engineer, Qualcomm Inc Saurabh Sharma, Kapstone Technologies Unify Compliance Auditing of Oracle Technology Across Hybrid Cloud Environments [CON7063] Perren Walker, Oracle David Wolf, Oracle Sneak Preview: Oracle Data Security Cloud Service [CON7053] Vikram Pesati, Oracle Michael Mesaros, Oracle   And many more sessions…..here   To stay on top of the latest security news at OOW 2017, follow us here on the Oracle Cloud Security blog, as well as on Twitter (@OracleSecurity) and Facebook (www.facebook.com/oraclesecurity).  Make sure you do register ASAP, and sign up for the security focused sessions as demand for these sessions is high.

Cloud Security

Can you trust your cloud provider?

by Paul Toal

“Trust is like the air we breathe-when it’s present, nobody really notices; when it’s absent, everybody notices.” This quote from Warren Buffett is particularly relevant in today’s world of the cloud. As I explained in my previous post, whenever you use a cloud provider you are entering into a shared responsibility model where the cloud provider will be responsible for the security of the cloud and you are responsible for the security in the cloud. However, when you are considering a cloud provider you must think carefully about trust. For example, do you trust your cloud provider not to look at your data, do you trust the effectiveness of their security controls, not just externally but including their own operations staff, and are you confident they would inform you if they suffered a breach?

With the advent of cloud computing, the barrier of entry for budding, small software companies has never been lower. As a result, we are constantly seeing new start-ups, especially in the fast-paced world of security. However, security is hard to get right and designing your software in a secure manner requires experience and skills. Unfortunately, vendors don’t always get it right. Don’t worry, this post isn’t a witch hunt against small vendors who have got it wrong. Read on and I’ll explain.

We all know that data breaches happen on an almost daily basis as they are constantly in the news. Take the most recent story last week about Verizon and the loss of data from their cloud provider’s storage services. I could go on and list many more attacks but that’s not the purpose of this article. When considering cloud providers you need to ask yourself whether you can trust that provider. Even if you do, I believe that you should still work on the assumption that your data will be breached. Yes, you heard me correctly. No matter what controls you or your cloud provider have in place, if you make the assumption of a data breach, it will allow you to think about your security controls and your response to any breach in a different light. If we continue with that working assumption, then we should be asking ourselves two key questions.

1) Is my provider building secure software and platforms?

If security were easy then we wouldn’t see as many successful attacks in the news as we do. Unfortunately, even with the best intentions, cloud providers don’t always get it right. Take the recent example of the OneLogin attack last month, when, according to reports, an attacker was able to get access to some AWS keys and start exfiltrating sensitive data from the database. Should the keys with such powerful access have even been in an internet-facing location? If not, then was this a mistake or a design flaw? Is this the fault of the cloud provider or the software company? Whatever the answers to these questions, it was clearly an issue which led to a breach. This comes back to security assurance and solid design and implementation throughout the software development lifecycle.

As a security-focused company, security is something Oracle has always taken seriously. We have a well-established software security assurance framework, which, as the above link states, is intended as follows: “Encompassing every phase of the product development lifecycle, Oracle Software Security Assurance (OSSA) is Oracle’s methodology for building security into the design, build, testing, and maintenance of its products”. Anyone who has worked in security for any length of time knows that security isn’t a one-off event, but is something which has to be built into your overall development lifecycle from start to finish. This leads us to our second question.

2) How well does my provider respond to a data breach or security issue?

Even with the best will in the world and the best QA processes, mistakes do happen, either through bugs or poor design choices. Therefore, how a company responds to any issues is of paramount importance. Since I used a cloud-based SSO provider in my previous example, why not do the same again, this time LastPass. They have been plagued by a number of security issues recently as Tavis Ormandy from Google’s Project Zero has been digging into their service. However, as a responsible cloud provider, they have been extremely responsive in responding to, and fixing, the issues quickly. This is what we need and have to expect from cloud providers in this world where our data is always online and typically accessible over the internet.

For all of your cloud providers, do you trust that they would notify you in the event of a data breach? Within what timescales would they notify you? As for Oracle, we document our response to security breaches and our notification policy in our Data Processing Agreement. We want customers to have the confidence that we know what we are doing and that we have built an enterprise cloud platform, providing a secure set of services underpinned by a secure platform, with all the necessary governance, policies and procedures in place to ensure that we minimize any risk but also identify and respond to any incidents that may occur.

Prevent the next big cloud mis-configuration data breach with CASB technology

Many enterprises today use cloud-based Infrastructure-as-a-Service and Platform-as-a-Service platforms to host their important business applications and corporate data. Many cloud providers provide data storage services as well that are used by businesses to facilitate a more agile, productive work environment. Employees and contractors use these data storage services to conduct day-to-day business in a more productive and collaborative manner. To help ensure that corporate data remains secure in such IaaS and PaaS environments that are outside the corporate perimeter, here are some best practices for you to consider.

1. Enable Encryption

Enable encryption for each data storage bucket. This is a simple out-of-the-box configuration available from most cloud providers that encrypts data at rest so data cannot be accessed without providing appropriate decryption keys. Ensure that for every new storage bucket created, a set of benchmark policies, including encryption, is enabled immediately.

2. Enforce Granular Access Control

Configure access control policies which enforce appropriate granular read/write access into the storage bucket. Using either an external Identity Management solution like the Oracle Identity Cloud Service or the native IAM provided by the cloud provider, enforce that only authorized users have access to read data from the bucket and write data into the bucket. Advanced access control policies including Multi-Factor Authentication, Risk-based policy control, and Role-based access control may be enforced as needed, depending upon the sensitivity of the data in the bucket. The more sensitive the expected data in the bucket, the stronger you want to make the access control policy.

3. Enable Visibility

Additionally, enable Visibility controls for your cloud storage environment such that every time a new bucket is created by anyone on your team, or if configuration for an existing bucket is modified, the changes are immediately visible and flagged for your attention. This allows you to monitor changes as soon as they’re made, so you can analyze the context and reasons behind the changes. If a bucket is created and configured with a policy not compliant with your reference configuration, have the CASB flag it immediately for your attention.

4. Monitor and Remediate Rapidly

Finally, Oracle CASB uniquely allows administrators to mark certain data storage assets as monitoring targets, which allows these to be included in Oracle’s Machine Learning-based Behavioral Analytics algorithms. From that point onwards, any out-of-the-ordinary access to the marked data is flagged for admin attention. This real-time monitoring based on advanced Machine Learning allows you to track suspicious and potentially malicious usage the moment it starts happening, versus hours or days later.

5. How Oracle Can Help

Verizon’s DBIR report of 2016 flagged average data breach detection times as being in the order of weeks, not hours or minutes. Oracle’s CASB enables you to significantly shorten detection times for non-compliant cloud configuration and data risks to the order of minutes or seconds. Oracle’s Identity SOC solution allows events gathered from CASB to be fed into a real-time SIEM, including Oracle’s Security Monitoring and Analytics Cloud Service, for immediate and prompt attention in the intelligent SOC. This allows the SOC analysts to detect and respond to such events flagged in real-time. For more info, reach out to your Oracle Sales Representative or check out the collateral on our CASB product page.
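The baseline and change-visibility checks from steps 1 to 3 can be sketched in a few lines; this is an added example, not Oracle CASB code or any cloud provider's API. The field names (`encryption_at_rest`, `public_read`, `public_write`, `mfa_required`, `sensitivity`) and the two snapshots are constructed for illustration.

```python
"""Compare two storage-bucket configuration snapshots against a reference baseline.

All field names and sample data are hypothetical; map them to whatever your
provider's inventory export actually returns.
"""

# Step 1/2: the reference configuration every bucket must match.
BASELINE = {
    "encryption_at_rest": True,
    "public_read": False,
    "public_write": False,
}


def baseline_violations(bucket):
    """Return the sorted settings that deviate from BASELINE.

    A missing setting counts as a violation, so an incomplete inventory
    record fails closed instead of passing silently.
    """
    found = [key for key, required in BASELINE.items() if bucket.get(key) != required]
    # Step 2: more sensitive data calls for a stronger access policy (here: MFA).
    if bucket.get("sensitivity") == "high" and not bucket.get("mfa_required", False):
        found.append("mfa_required")
    return sorted(found)


def diff_snapshots(previous, current):
    """Step 3: report created, modified and deleted buckets between snapshots.

    Both arguments map bucket name -> configuration dict. Each event carries
    the changed keys and the baseline violations of the new configuration.
    """
    events = []
    for name in sorted(current):
        cfg = current[name]
        if name not in previous:
            changed, kind = sorted(cfg), "created"
        else:
            old = previous[name]
            changed = sorted(k for k in set(old) | set(cfg) if old.get(k) != cfg.get(k))
            kind = "modified"
            if not changed:
                continue  # untouched bucket: nothing to flag
        events.append({
            "bucket": name,
            "event": kind,
            "changed": changed,
            "violations": baseline_violations(cfg),
        })
    for name in sorted(set(previous) - set(current)):
        events.append({"bucket": name, "event": "deleted", "changed": [], "violations": []})
    return events


def alerts(events):
    """Keep only the events whose resulting configuration breaks the baseline."""
    return [e for e in events if e["violations"]]


# Constructed sample snapshots (not real inventory data).
PREVIOUS = {
    "hr-payroll": {"encryption_at_rest": True, "public_read": False,
                   "public_write": False, "sensitivity": "high", "mfa_required": True},
    "web-assets": {"encryption_at_rest": True, "public_read": False,
                   "public_write": False, "sensitivity": "low", "mfa_required": False},
}
CURRENT = {
    # Existing bucket opened for public read since the last snapshot.
    "hr-payroll": {"encryption_at_rest": True, "public_read": True,
                   "public_write": False, "sensitivity": "high", "mfa_required": True},
    "web-assets": {"encryption_at_rest": True, "public_read": False,
                   "public_write": False, "sensitivity": "low", "mfa_required": False},
    # New bucket created without encryption or MFA.
    "analytics-export": {"encryption_at_rest": False, "public_read": False,
                         "public_write": False, "sensitivity": "high"},
}

if __name__ == "__main__":
    for alert in alerts(diff_snapshots(PREVIOUS, CURRENT)):
        print(f"{alert['bucket']}: {alert['event']}, violations={alert['violations']}")
```

Run on a schedule against two consecutive inventory exports, the output is the list a reviewer needs: which bucket changed, what changed, and which baseline setting it now breaks.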

Leverage, Extend, Innovate: A journey to managing identities in the cloud

One of the early adopters of our Identity Cloud Service is a leading telecom provider in Asia-Pacific, operating the largest mobile, fixed line and broadband networks in their country. They made significant investments in Digital Transformation during 2016 to improve the productivity of their employees and to deliver new services to their customers. One of their key business drivers to pursue Digital Transformation was to bring new apps to market faster while ensuring that employees and external users have secure, role-based access to these applications.

Editor's Note: Check out the blog below by Sanjay Sadarangani, Principal Product Manager for the Identity Cloud Service, about how Oracle enabled this customer for success in their Digital Transformation.

Over the past several years, this customer had procured a large number of SaaS and on-premises business applications. Most of these applications had already been integrated with Single Sign On (SSO) with their existing Oracle Identity and Access Management (IAM) deployment. But they had several applications which were disconnected from their central IAM system and were being managed as silos, often by individual lines of business (LOBs). Some of these applications could not be integrated with their IAM because either they did not provide standard interfaces for SSO, or the respective LOB did not have the time or budget to SSO-enable these applications. The result was that users of these disconnected and siloed applications were being forced to manage multiple sets of credentials. This is a fairly typical conundrum that we find several customers in, after years of procurement of disparate SaaS applications from different vendors.

Oracle’s Identity Cloud Service helped this customer overcome these challenges and implement centralized SSO and provisioning to all their applications. The implemented solution enabled:

Users to authenticate to cloud applications using their passwords stored in on-premises Oracle IAM. No more silos, and no more managing multiple sets of username-password pairs!

Administrators to enable real time synchronization of users between on-premises AD and Identity Cloud Service without any manual intervention. Password reset support costs have dropped by over 70% since deployment.

Admins to deploy new applications rapidly by choosing from a large set of pre-built application SSO integrations using SAML or Secure Form Fill. The LOBs love IT now since they roll out new apps much faster than ever before!

The speed and simplicity with which they could extend their on-premises IAM to a cloud platform and enable SSO for all their cloud applications was the key factor in selecting Oracle's Identity Cloud Service.

What’s Next?

After starting with leveraging their on-premises IAM to extend identities to the cloud, the customer is now focused on innovating with additional capabilities to further strengthen the security of their applications and further reduce their operational costs. In the fairly near term, they plan to:

Enable risk-based access policies to certain SaaS applications that contain sensitive corporate data.

Migrate access management of on-premises applications such as Oracle EBS and PeopleSoft to the cloud as well.

About the Author: Sanjay Sadarangani is an experienced Security professional who has over a decade of experience across identity management, access management, directory service, mobile security and database security. In his current role he is responsible for driving Oracle's Multi-factor and Access Management strategy.

Cloud Security

The SOC Is Dead…Long Live the SOC by Dan Koloski

The traditional security operations center can't deal with present reality. We must rethink the concept in a way that prepares for the future.

I recently moderated a CISO panel that featured security leaders from a diverse set of industries. A group of hardworking, knowledgeable, professional experts in the field of cyber-security (most with decades of experience) discussed how difficult their jobs have become and how vulnerable they felt their organizations were despite their best efforts. Listening to the discussion, I was struck by how much of their efforts depended on hiring and retaining extremely scarce expert personnel. It got me thinking about how we may be in one of those difficult moments when our own history impedes our ability to adapt for the future. Here's a rundown on some of the key takeaways from our chat.

We need to redefine the perimeter.

Our collective security efforts in the past mainly focused on keeping bad actors out — that is, drawing a logical box around what needs to be protected and making efforts to build fortified walls. Unfortunately, drawing that box has become much more complicated in a world of cloud, software-as-a-service (SaaS), bring-your-own-device policies, and mobility. Much of what needs to be protected is no longer under our direct control; indeed, much of it may be living in systems and managed by teams we aren't even aware of. We need to reframe our thinking and define the perimeter, given that enterprise networks now extend across these various systems and teams.

The rest of this article continues on Dark Reading.

Cloud Security

Take Responsibility For Your Cloud Data Before An Attacker Does - by Paul Toal

As I have mentioned in previous blog posts, I spend a significant amount of my time talking to customers about their Cloud strategy, explaining the security controls they should consider when moving to Cloud, and how Oracle addresses security within its own Cloud. One area that still surprises me in my discussions with organizations is the common misconception that a Cloud Provider is solely responsible for the security of their data within the Cloud.

Even before the looming threat of GDPR compliance and fines, Cloud has always been a model of shared responsibility. Gartner discussed this in a report back in April 2016. Their summary explains this concept well:

“While public cloud providers typically have strong control attestations, numerous compliance certifications and their own security features, CSPs cannot offer complete security. CISOs and security leaders must understand the scope of their responsibilities for security in the cloud.”

The way I like to explain it is that Oracle (as a Cloud Provider) is responsible for security of the cloud, whilst you, the customer, are responsible for the security in the cloud. You might think that this is just semantics but the differentiation is important. There are a couple of ways to look at this:

At a high level, you can see that whilst the Cloud Provider has some responsibilities, actually, the customer also has a significant number of areas where the control either is wholly theirs, or shared with the Cloud Provider. Even in the red area above, there is still shared responsibility. The wedge shows how this differs depending on the type of Cloud service a customer is using.

As you can see from the diagram above, the customer responsibility for security can be a significant undertaking, especially if adopting IaaS. This is often why customers will choose to adopt a PaaS or SaaS offering. Whilst the higher up the ‘as-a-service’ stack you go, the less flexibility you get, you also get less responsibility for security and less to operationally manage.

One point of interest in the graphic above is that the common customer responsibilities across all three services are the data and the service configuration. Think about it: if you subscribe to Database-as-a-Service, you will be provisioned a secure instance of a database (at least in Oracle Cloud you will). For Oracle, that instance will have a number of security controls already in place and enabled by default, such as encryption at rest, SSH access with key-based authentication, configured but disabled firewall rules etc. Beyond that, Oracle will also be securing the infrastructure itself, everything from the data center, up to the instance, providing a range of technology, people, and process controls (the bits in red in the diagram). However, if, as part of your service configuration, you decide to open up all ports on the firewall to that instance, upload your production data, and enable a powerful DBA-level account with a simple password, the chances are, your data will be compromised.

I hope that illustrates why shared responsibility is so important and, as a customer, you must be clear on what you are responsible for and what the Cloud Provider is responsible for, recognizing that this will be different across IaaS, PaaS, and SaaS.

So, what does this mean for your cloud services? You need to ensure that you have sufficient controls in place to protect your cloud services. Some of these controls will be provided by the Cloud Provider, but managed by you, e.g. user management, whilst others are additional controls that you should be implementing as part of your overall security strategy. Below are three key considerations you should be thinking about.

User Management – For any cloud service you subscribe to you will have to manage the users who have access and the level of access they have. As the number of cloud services you use increases, along with the number of Cloud Providers, this re-introduces the whole problem of Identity Management (IDM), which organizations have been addressing on-premise for a long time. What makes Cloud different is that you may well be opening up services to new user bases such as customers and partners. When looking at IDM in the cloud, it is imperative that it isn’t treated in isolation. You must ensure you have the same controls and governance over your cloud services as you do for existing, on-premise systems. This may mean extending your existing IDM to cover your cloud services, integrating a cloud-based IDM platform with your on-premise, or moving your IDM to a pure cloud IDM platform. Oracle is ideally placed to support you in all three scenarios with our most comprehensive IAM platform, combining a market-leading IAM on-premise platform, with a modern, new, cloud IAM platform. You can find more details here.

Network Access – When using a Cloud Provider, the default access is over the internet. For many customers, this is ideal as it removes technology constraints for their users accessing the services. However, in some cases, this may not be good enough. Therefore, you must carefully consider how you will integrate with your Cloud Provider. Most providers include a number of private connection options. For Oracle, there are a number of options ranging from VPNs, through to Fast Connect and MPLS connections, depending on your requirements.

User/Service Monitoring – This is not an area that is usually thought about by organizations, but with the modern, sophisticated, low and slow attacks, understanding how users are using your cloud services and building up profiles of normal vs anomalous behavior is hugely important in identifying threats. Also, understanding how a cloud service is configured and whether that configuration has changed is important. You may have done your due diligence when setting up your cloud service, e.g. Office 365, but how often do you go back and check the configuration is still secure and hasn’t changed? As with IDM, user/service monitoring should not be done in isolation but should feed into your existing monitoring capabilities. I would argue that monitoring of your cloud services is actually more important than monitoring those systems buried deep behind firewalls in your internal network. Why? Because typically cloud services are accessible over the internet 24x7x365.

I briefly talked last time about the concept of an Identity Security Operations Center (SOC) framework, which brings cloud-optimized capabilities such as Cloud Access Security Broker (CASB) and uses it as a component, monitoring your users’ activity and service configuration and feeding into your overall monitoring platform, adding identity context along the way. This does also raise the question as to the suitability of your monitoring platform against today’s threats and challenges. I talk to organizations who have very mature SOCs, using a multitude of tools, but they are having challenges in knitting together all of these tools or realizing the true value of their SOC as their analysts have got many different tools and consoles to use to find the real threats. Maybe it’s time to re-visit your SOC requirements and see what services like Oracle’s Security Monitoring and Analytics Cloud Service can do for you.

Above are just three key areas where I see organizations tripping up or missing capabilities today. There are, of course, plenty of other security considerations but we would be here until Christmas if I tried to list them all.

Cloud Security

Oracle, a security company? - InfoSec Europe 2017 - by Paul Toal

A couple of weeks ago I spent 3 days exhibiting at InfoSec Europe 2017 in London, an event I have been attending as either an exhibitor or visitor for a number of years. This year definitely seemed to be the busiest I have seen with a good mix of your usual, large vendors, as well as some great presence from the smaller security companies, clearly spending their annual marketing budgets getting their name out there with big, shiny stands.

So, what was Oracle doing at a security conference, I hear you ask? Don’t worry, you are not alone! During the course of the event, a number of the visitors to the Oracle stand asked me that same question. Questions such as: “What does Oracle do in the security space?” and, of course, my favorite, “You’re just a database company, right?”

Yes, it’s true, Oracle is a database company and has been for nearly 40 years. However, in case you have been living under a rock for the last couple of decades, that is by no means all that we do. As the 2nd largest software company in the world, database is only one string to our considerable bow. In the security space, specifically around software, Oracle has strong security credentials at all layers of the stack from applications to disk. In fact, if you search on the history of Oracle you will find some interesting information related to the name “Oracle”, its history, and our first customer.

So, what were we talking about on the Oracle stand to demonstrate our credentials and to show that, actually, whilst we aren’t just a database company, we do have market-leading experience in this area which is extremely relevant to today’s security conversation?

1. EU GDPR (Well, wasn’t everyone?)

Whether you like it or not, GDPR is coming and surveys show that the UK is woefully unprepared for it. It seemed that GDPR was this year’s buzzword at InfoSec with most stands relating their solutions to GDPR, even when the link seemed tenuous at best. However, unlike some vendors, Oracle was not proposing to make you “GDPR compliant” or to solve all of your GDPR challenges. We know our strengths and where we can help customers. Think about it: where is most of your personal, digital data, which is relevant to GDPR, stored? Yes, you guessed it, in a database, and as the market leader, for many visitors to InfoSec, that is the Oracle database. We understand data and furthermore, know how to secure it at source. The Oracle database has a wide range of security controls, both built-in and as additional options, which can help mitigate a number of risks identified within GDPR. This is the same whether you are using the database on-premise or in the cloud.

Whilst we have technological controls, many of my conversations with customers on this topic identify the initial GDPR challenge as finding out where their sensitive data is, before they can even think about securing it. Therefore, we also had Oracle Consulting on the stand sharing their invaluable insight with visitors on what they are seeing on their projects and how they are helping customers with a pre-packaged GDPR engagement.

2. Identity Security Operations Centre (SOC)

Identity management has had a chequered history at InfoSec. Some years, most of the Gartner MQ vendors are exhibiting, whilst other years, not so much. Why do I think that is? Well, for me it’s quite simple, I don’t see traditional IDM as a security problem. Yes, when done properly, IDM can reduce risk, but I see IDM as a business-driven project. However, I think the role of IDM is changing. Identity can no longer be treated as a standalone project. Looking at the bigger security challenges, Identity forms a crucial part of broader security monitoring and enforcement solutions.

On Thursday at the event, we had Oracle’s Group Vice President for Security, Rohit Gupta, introduce Oracle’s Identity Centric SOC, looking at how we re-think traditional security monitoring tools by putting Identity at the centre and using Identity to drive security decisions and responses across all platforms, both on-premise and in the cloud. The Identity SOC framework is Oracle’s answer to delivering the next generation of SOCs, addressing the shortfalls of traditional SOCs using the latest technological innovations such as machine learning.

3. Cloud Security

Following on from the previous theme of Identity SOC, many customers have solutions in place for monitoring and controlling usage of on-premise applications; however, the same controls don’t exist for cloud-based services. I spend most of my time talking to customers about their cloud strategies. We know most organizations are already on the cloud journey, whether dipping their toe in the water, or already adopting a full cloud-first strategy. However, we also know that security in the cloud is still one of the main concerns of C-level executives. We were talking about our Cloud Access Security Broker, how it can deliver against a new set of cloud security requirements, and how it forms a key part of the previously mentioned Identity SOC framework.

4. Oracle Cloud Security

Probably the biggest surprise for many of the visitors to the Oracle stand is that Oracle has a Cloud. Unbeknown to some of the visitors I spoke to, Oracle actually has the most complete cloud on the market, with the broadest range of services covering Data, Software, Platform, and Infrastructure as-a-Service. Just go to cloud.oracle.com to see the breadth of our capabilities. N.B. If you are interested in trying Oracle Cloud, we are currently offering $300 of free credits.

As mentioned previously, security of the cloud is one of the major concerns of C-level executives. This is the same irrespective of which cloud vendor you are using. Therefore, we spent a lot of time at InfoSec talking to visitors about how Oracle has a secure, enterprise cloud, giving them the confidence that, in many cases, the Oracle Cloud is actually more secure than their existing on-premise systems.

So, hopefully, I will have broadened your mind around Oracle’s capabilities. Of course, I haven't even touched on some of the other security areas which are key for Oracle, such as the security innovations within our latest SPARC processors. That can be for another day. Yes, Oracle is a database company and proud of it, but we do SO MUCH more.

I wonder what the ‘buzzword’ will be at next year’s InfoSec?

Cloud Security

Press Release: Oracle Continues Innovation and Expansion of Cloud Security Offerings

Building on the positive response to its Identity-based Security Operation Center (SOC) cloud services, Oracle today announced a series of developments that enhance the portfolio’s sophisticated machine learning, artificial intelligence and contextual awareness technologies. This includes introducing the new Adaptive Access capabilities into Oracle Identity Cloud Service intended for dynamic application access controls, advancing market-leading risk monitoring leveraging machine learning engines, and the expansion of Oracle CASB Cloud Service to help support Oracle SaaS solutions with automated threat detection.

“We are making a large investment in providing comprehensive security solutions that can help enterprises adapt, manage and strengthen their security posture against external and internal risks,” said Peter Barker, senior vice president, Identity and Security at Oracle. “Our expertise in data science and machine learning enables Oracle to bring unique, scalable and dependable security services to customers transitioning workloads to the Oracle Cloud or third party clouds.”

To learn more on this, please read the Press Release, or visit us this week at Infosec in London where we will be sharing these new features first hand.
