
Cloud Security Perspectives and Insights

Recent Posts

Edge Security

Enhancing EBS Security in Oracle Cloud - Part 3

Welcome to the third article in my series on “Enhancing EBS Security on OCI”. In the first article, I looked at the threats and risks associated with moving an application like EBS to the Cloud, and also discussed the first attack vector, Infrastructure Attack. The second article then looked at enhancing user security. In this article, I am going to talk about the threats to EBS itself, as an application exposed to the internet. I’ll then look at how you can apply Cloud-based security controls to minimise this risk.

As I discussed in the first article in this series, there is a threat to your EBS application when you expose it to the internet. Attacks such as Distributed Denial of Service (DDoS), cross-site scripting (XSS), and sensitive data disclosure all attack the application directly. Standard security controls such as firewalls, port filtering, and reverse proxies do not prevent all of these attacks.

The impact of a successful attack at this level could mean that sensitive data is leaked, or that your application is taken offline, even for your authorised users. Given that EBS typically manages many of your enterprise processes such as source-to-settle, procure-to-pay, and hire-to-fire, losing the availability of EBS (or any enterprise application) can cause severe disruption to any business.

Some of these protections will be provided by your Cloud Provider as an out-of-the-box service. For example, within OCI, all customers get volumetric-based DDoS protection by nature of using OCI. However, volumetric DDoS isn’t the only type of availability-based attack that needs mitigating.

Fortunately, there are controls that can mitigate these types of application attacks. Web Application Firewalls (WAF) are designed to offer these types of protections. I’ve demonstrated some of the key capabilities of Oracle’s WAF in one of my other articles here.

As you can see, through its protection rules, access control, threat intelligence, and bot management, you can protect your EBS application from the types of threats we are discussing in this article.

Of course, Oracle WAF isn’t the only approach you can take. It is possible to use a different cloud-based WAF (if it is able to protect any internet-facing endpoint). Alternatively, you could deploy a WAF directly onto OCI compute, either by installing the software yourself, or by deploying an appliance from the OCI marketplace. However, Oracle WAF is a compelling solution, offering a true Cloud-based WAF that can protect your applications deployed on OCI, or indeed on any internet-facing endpoint.

Whether you use OCI’s WAF or an alternative approach, protecting your EBS application from attack is critical to maintaining the availability of your application as well as the integrity and confidentiality of the data within it.

A few months ago, I was working with a customer who had just completed the migration of their EBS environment to the Cloud. Within three days of their application going live, it was taken offline through a DDoS attack that would have been prevented had they deployed a WAF as part of the migration. Needless to say, they are now deploying OCI WAF to mitigate the risk of that happening again.

I hope you are enjoying reading this series of articles. If you are, stay tuned. In the next article, I will look at how you monitor EBS as well as the platform it is running on to ensure that any problems are identified and rectified quickly.


News

Oracle OpenWorld 19 Daily Report - Tuesday

Hello OpenWorld attendees! I'm writing from the field of Oracle Park with a front row view of Mission: Impossible Fallout! What an exciting event enjoying movie snacks and good company. I hope everyone had an exciting start to OpenWorld and perhaps a few of you reading this were out watching the movie with me. Don't forget to join FitFest.19 this morning to work off the pretzels and popcorn!

Tuesday is full of exciting sessions you won't want to miss, but first, I wanted to point out a few of the key announcements and sessions from today! With so much going on at OpenWorld, we know it isn't possible to catch every session, so visit us here each morning for a little recap of the night before and a few key to-dos for the day.

A few recaps from the day:

Announcing Oracle Data Safe

Today was an exciting day for Oracle Database Security. The week kicked off with several sessions, including Vipin Samar's session, Database Security in 2019: The Innovation Rate Accelerates, where Vipin shared that data breaches are up 54% in 2019. Attacks are more pervasive than ever and over 107 countries have now implemented data privacy laws. Oracle is happy to announce Oracle Data Safe. Product Manager Bettina Schaeumer gave us a first look at Data Safe and there is more to come. Join the Oracle Database team for their Hands-on Labs to get a hands-on first look at the product, and join Michael Mesaros, Director, Database Security Product Management, on Thursday from 9am-9:45am in Moscone South (Esplanade Ballroom) Room 155B. The session, Oracle Data Safe: Securing Databases in Oracle Cloud, covers the exciting new cloud service, which provides you with a single pane of glass to assess configuration risk and evaluate database users.

We Learned That Security Can Be an Enabler to the Cloud

Vice President of Product Marketing for Security, Fred Kost, sat down with a panel of customers and security professionals to hear their perspectives on moving to the cloud securely. It was a great conversation covering what it takes for organizations to move to the cloud, including getting key stakeholders to buy in, considering your compliance needs early, and dreaming big about the possibilities you have in the cloud. The participants in the panel stressed the importance of understanding the shared responsibility model, setting expectations with your cloud provider, and understanding your compliance needs across your multi-cloud environment.

Oracle Cloud Infrastructure Gen2: Stronger Than Ever

"It isn't about whether the cloud is secure… it's about how securely you are using it" (Laurent Gil, Product Strategy Architect for OCI Development).

A variety of sessions covered the great work customers have been doing with the Oracle Cloud Infrastructure. As innovations continue to be made in industries around the world, Oracle continues to invest money and resources in the best and brightest personnel for the Oracle Cloud Infrastructure. Access our blog covering some of the new announcements for OCI and Oracle Security's press release.

Don't miss for Tuesday:

Oracle Cloud: A Path and Platform
Tuesday, 11:15am-12:00pm | YBCA Theater

Cloud technologies are beginning to reshape how we think about and interact with the world around us. The opportunities that the cloud presents are real and present today, and they are providing the building blocks for companies to pioneer groundbreaking innovations and disrupt entire industries. Today, we’re seeing emerging technologies and automation permeate every aspect of work and life. The real opportunity of these technologies—which include AI, machine learning, IoT, blockchain, containers and serverless, and human interfaces—is to embrace these technologies on a scale we’ve never seen before. In this session learn how Oracle Cloud drives new innovation and real change for customers.

Securing Business Critical Cloud Workloads: Threats, Implications, and Outcomes
Tuesday, 3:15pm - 4pm | Moscone South - Room 209

The next security threat may be something that we have not yet imagined or even considered as a possibility. Beyond attacks against corporations and elections, what other threats exist from nation states, rogue actors, cybercriminals, and others that may threaten our institutions, economy, or way of living? In this session learn about the next security threat and how the direction of technology and the adoption of cloud computing, AI/ML, and other technologies might aid both defenders and attackers. Get a look from the perspective of cloud security and see what’s needed from cloud platforms and security services to protect business-critical workloads and applications as they migrate to cloud platforms.

Looking forward to seeing you there!


News

Oracle OpenWorld 2019 Daily Report - Monday

If you are joining us at Oracle OpenWorld today, start your week off with some of these must-see sessions and activities! Each day this week, we will publish a morning report of exciting news and recaps from the previous day. To start things off, I'd like to point out a few exciting sessions that we recommend. Be sure to grab your morning coffee and enjoy the sessions!

Cloud Adoption: Getting Everyone On Board Securely
Monday, 09:00 AM - 09:45 AM | Moscone South (Esplanade Ballroom) - Room 156C

Migrating applications, data, or workloads to the cloud is not usually a solitary decision, and doing it securely can definitively become a team sport. In this session examine real-world successes and failures with cloud migration from the perspectives of several different enterprise stakeholders. Learn best practices and see how the security conversation can progress in terms that all parties can understand and allow them to pursue their individual objectives and ensure a successful cloud deployment. Hear speakers from not only different functional roles, but at different stages in a cloud journey. Their shared experiences and insights can help you plan and execute a safe and smooth migration of workloads to the cloud.

Database Security in 2019: The Innovation Rate Accelerates
Monday, 12:15 PM - 01:00 PM | Moscone South - Room 211

Database security is job #1 in today’s age of data breaches. Join this session to discuss the latest attacks and hear how innovations in Oracle Database security can help protect databases against adversaries. Learn about Oracle Data Safe, a new data security cloud service, and new updated releases of Oracle Key Vault, Oracle Database Security Assessment Tool, and Oracle Audit Vault and Database Firewall. See top security innovations in recent and upcoming database releases. Don’t leave Oracle OpenWorld without learning about the latest security innovations. Read more here in our recent blog.

Oracle Data Safe: Securing Databases in the Oracle Cloud
Monday, 01:45 PM - 02:05 PM | The Exchange (Moscone South) - Theater 3

Join Michael Mesaros, Director, Database Security Product Management, in a session to learn more about this exciting new cloud service. Oracle Data Safe gives you a single pane of glass to assess configuration risk, evaluate database users, manage audit settings, report on database activity, discover sensitive data, and remove sensitive data from non-production copies of the database.

Oracle Cloud End-to-End Security: An Overview of Gen2 Protections
Monday, 2:45 PM - 03:30 PM | Moscone South (Esplanade Ballroom) - Room 152A

Oracle Cloud Infrastructure is a showcase of Gen2 cloud architecture. This is most evident in the security implications of this evolved design, which is highly differentiated in the market. In this session gain insight into the protections built in to Oracle Cloud Infrastructure and learn about the security operations and applications used in daily defense. Learn about the architecture, its elements, and how they are deployed for tighter tenant isolation, reduced cross-host risk, and greater defense in depth than what is available in legacy clouds.

Keynote: Gen2 Cloud -- Autonomous Infrastructure
Monday, 03:45 PM - 05:30 PM | Moscone North - Hall F

Join Larry Ellison, Chairman of the Board and Chief Technology Officer, for the OpenWorld 2019 opening keynote.

If you are looking for even more security-related sessions, you are in luck: there are 89 security-related sessions at this year's OpenWorld. We have opportunities for customers to try out new products in our hands-on labs and hear from customers in a number of panel sessions as well. We look forward to a great start to OpenWorld this year!


News

Oracle OpenWorld 2019 is Here! Top 5 Things You Won't Want to Miss

On the night before OpenWorld officially begins, there is a great energy building around the Moscone Center. Visitors have been flying in from across the globe and San Francisco has its usual buzzing charm. As we gear up to begin the week, take a look at the top five activities you won't want to miss at this year's OpenWorld. Welcome and enjoy!

1) Hear real stories from real customers

OpenWorld provides customers the opportunity to hear about the latest product releases and updates to functionality, and most importantly, to understand what businesses like them are doing to improve their organizations with Oracle technology. This year there are a variety of customers from every industry and many different countries here to share their stories of success, roadblocks they've experienced along the way, and what's next for them. Take a look at the OpenWorld session catalog and be sure to stop by a customer panel to catch these real stories.

2) Learn by doing with Hands-on Labs

There are so many sessions to choose from each year, but for some, the best way to learn is by doing. The hands-on lab sessions give you a unique experience to try out a product with the experts who helped build it in the same room! Take a moment to join one of our Database Security Hands-on Labs sessions and search for additional topics that interest you.

3) Stay connected with social media

OpenWorld can often be a whirlwind week, filled with hundreds of sessions, keynotes, and social activities. Stay grounded with the latest updates on our Twitter account @OracleSecurity. We will be live tweeting key security sessions, alerting you to any changes, and unveiling very exciting release information. Also, be sure to check the Oracle Cloud Security Blog each morning as we post insights throughout the week and beyond OpenWorld. Be sure to take plenty of photos and to use #OOW19. We look forward to connecting!

4) Must-see sessions

Some of the top security sessions include topics surrounding new features and products as well as thought leadership and customer panels. With 89 security-related sessions this year, you can't go wrong, but you can't see everything! Security is big this year, so don't miss out.

5) Take some time to relax and socialize

All work and no play is no fun! Be sure to mix in a few events during your time here in San Francisco. This year, OpenWorld has kicked it up a notch and is providing a lot of relaxation activities for attendees. Oracle Park will be home to several of these activities, including a movie night on Monday and FitFest.19, which offers attendees the chance to sweat it out on the field at Oracle Park in a yoga or bootcamp-style class. You can also make a new furry friend at the "Paws and Relax" experience located in the Exchange. And of course, don’t forget to bring your dancing shoes for CloudFest.19 featuring John Mayer with Flo Rida. You can learn more about most of these events at the Oracle Park Be Well Hub around the corner from the Moscone South entrance on 3rd Street. Or here at the event highlights page.

Whether this is your first experience at OpenWorld or you've been coming for years, there is sure to be a week full of exciting experiences, announcements, and networking. Don't forget to stay tuned for more content throughout the week and most importantly, have a great time!


News

Maximizing your time at Oracle OpenWorld with KPMG

So by now, many of you are already seeing that there is something new this year at Oracle’s OpenWorld. A new look! Oracle is venturing into a new area of our brand that extends us beyond the cold boardrooms of yesterday into a look and a message that will start to unfold next week and that will allow our customers to experience the new Oracle. One filled with passion for what we do: produce amazing solutions for our customers around the globe and across our communities, solutions that touch many lives. We are excited for you to see this. Some things have not changed, but continue to grow and expand, and that includes our commitment to relationships such as the one with our partner KPMG.

With cloud deployments moving from business enablement to business critical, there is a heightened need for a coordinated, layered security strategy. If you are attending #OOW19 this year and looking to learn how to minimize risk, increase data protection, and balance both with enhanced user access and capabilities of cloud and on-premise applications, then I encourage you to register for the following sessions with KPMG.

Attend The Art of Risk Aversion and Threat Mitigation in the Cloud [CAS6671]
Wednesday, September 18, 04:45 PM - 05:30 PM | Moscone South - Room 151A

Today’s C-suite is responsible for establishing security and privacy goals and ultimately held accountable for the impacts of policy failures. In leveraging the cloud as an enabler to your business goals and objectives, you need answers to questions like: What are the IT, security, and privacy challenges caused by this shift? How can you maximize relationships with key influencers to achieve business goals? Attend this session to learn about risk aversion and threat mitigation and gain deeper insights into challenges and leading practices you can employ in your organization. Leading this session are Greg Jensen, senior director of security, Oracle, and Brian Jensen, managing director, KPMG LLP, authors of the Oracle and KPMG Cloud Threat Report 2019.

Attend Why Cloud Application Security Is So Difficult to Manage [CAS6680]
Monday, September 16, 01:45 PM - 02:30 PM | Moscone West - Room 2022A

Cloud technology can transform an organization and its processes, but securing the cloud in an enterprise can be complex given the number of applications involved. Attend this session to learn about a strategic risk management approach to deploy cross-application security and controls solutions, which address application risks and privacy and compliance requirements. You’ll also gain insights into leading practices that enable cloud users while protecting sensitive data and transactions. Join Brian Jensen, managing director, and Nick Seeman, managing director advisory, KPMG LLP, and client John Rothka, chief accounting officer, Consol Energy, for the discussion.

Join KPMG for breakfast
Wednesday, September 18, 07:30 AM - 09:00 AM | The Palace Hotel - Second floor: Twin Peaks

Jump start your day with a five-star breakfast and networking with your peers and KPMG to learn and discuss how applications, risk mitigation, and compliance are a balancing act for peak business performance. You’re invited to attend. Register here.

There’s more…

KPMG is a proud Platinum Sponsor of Oracle OpenWorld 2019. Stop by their booth (#404) in the Oracle OpenWorld Exchange, visit them at the Palace Hotel for a demo, or request a 1:1 meeting to discuss your current technology initiatives with their team. For more information, visit KPMG at Oracle OpenWorld.


News

When More Security is not Better Security

Do we need more security technology? Considering the multitude of industry reports that find we are overburdened with alerts, it’s apparent that we do not have enough security professionals available to fill our needs. Moreover, the “dwell time” (the time period when a hacker or malware has infiltrated an environment prior to detection) is critically high. Yet we see tremendous investment in cybersecurity technology and services vendors, both start-up and integrated acquisition plays. And our vulnerability and the potential damage still increase, because the most significant weaknesses are often a result of a basic lack of current maintenance and upgrades to infrastructure.

Think of security technology like protecting your home. You might know a neighbor who spent a bundle on every kind of surveillance product available. But he never bothered to fix that faulty lock on the patio door. The result? His smartphone displayed a high-def video of an intruder breaking in and nabbing electronics, jewelry, and the keys to the car that does not seem to be in the garage anymore, and no one was the wiser. More security is not necessarily better protection.

In my role at Oracle, I advise both public sector and commercial customers, and witness the range of sophistication in security operations. For example, a large global consumer goods company has embraced security so strategically that they have acquired cybersecurity companies in order to help ensure that their manufacturing and distribution processes are not disrupted. On the other hand, others can be immobilized by the rote and time-consuming work of patching and other administrative tasks.

I remember when a state-level CISO and security architect together slowed down a project because, they explained, “if we identify risks, we will have to do something about them.” These security leaders were not trying to avoid hard work; instead, they were focused on prioritizing the basics – patching and upgrades of critical infrastructure. Although they could have done more with sophisticated security tools, they were simply overwhelmed with basic administration.

Numerous municipalities have been attacked with ransomware over the last few years. These organizations are often understaffed and working to maintain antiquated systems. While representing only 3.4% of targeted attacks, public sector organizations pay 10 times the average ransom to retrieve their data. The U.S. Conference of Mayors recently passed a resolution to not pay cyber ransoms in an effort to dissuade attackers. However, without modernization of their IT services, they will continue to be highly vulnerable targets. This past weekend, a coordinated ransomware attack targeted 23 local governments in Texas, indicating a possible escalation of cyber attacks on local government.

With limited state and local resources, cybersecurity strategy and spending must be balanced with broader IT modernization efforts to deliver greater service to citizens and business. IT vendors must deliver technology solutions that enable our public sector customers, as well as private sector, to maximize their security posture through modernization, and Oracle is doing this in a number of ways:

Autonomous cloud services that are self-driving, self-securing, and self-repairing. Oracle’s autonomous services utilize artificial intelligence and machine learning to patch, upgrade, and tune without human intervention, helping to keep our customers’ IT environments secure while enabling IT staff to modernize their services.

Oracle Cloud runs on our next-generation infrastructure that offers superior performance, availability, and manageability. We offer service level commitments across these three metrics, a must for mission critical services. We could not commit to these service levels without a highly secure architecture and controls. Moving workloads with confidence to an enterprise-grade cloud enables our customers to modernize without complicated architectures.

Security is fundamental to the Oracle cloud strategy, enabling our customers to focus on modernization rather than maintenance and administration. This strategy provides greater protection of users and data without greater security investment, and reduces the complexity of IT environments. We believe this will lead to efficient, innovative, and broader services from public and private sector alike.


DB Sec

How to Protect Against Simple, Human Mistakes

We talk quite a bit about the bad actors, both outside and inside your organization, who are looking to steal sensitive data. Sure, that’s part of the story, but it’s not the whole story. The good news is that most people have good intentions. The bad news is that even the most skilled and trustworthy people make mistakes. In fact, the International Association of Privacy Professionals says that by far the greatest number of privacy incidents—96.3 percent—are unintentional.

The problem is that small mistakes with highly sensitive data can have massive consequences. To make matters worse, the amount of data companies gather is growing at an exponential rate, but the number of people who secure that data is not. Cybersecurity Ventures estimates that there will be 3.5 million unfilled cybersecurity positions by 2021. Organizations need help preventing highly privileged users (and bad actors with stolen user credentials) from accessing sensitive data—but without putting any additional strain on their security teams and without making it difficult for people to do their jobs.

Fortunately, there are some simple guardrails you can put in place to keep everybody on the right path. With Oracle Database Vault, you can set parameters so that even the most privileged users can only access sensitive data in specific ways. For instance, you might have a group of finance employees who use a certain application that contains salary information. With Oracle Database Vault, you can make it a rule that salary information can’t be accessed or edited by these users, only by HR. You can also set rules that limit the hours during which data can be accessed and the IP addresses from which it can be accessed, and even make it so users need an active request tied to a ticket to access and edit specific information.

Of course, these controls will also keep malicious users and cybercriminals from stealing or altering your information. If a bad actor from overseas has obtained an employee’s user credentials and that employee doesn’t have access to your most sensitive data, the cybercriminal will be stopped. If there’s an IP restriction that excludes certain countries, the cybercriminal will be stopped. Or if you set it up so that an active ticket is required to access or edit certain data, and the cybercriminal doesn’t have one, they’ll be stopped.

Avoiding these mistakes and nefarious actions will not only help keep your data safe, it will save your security team the time, energy, and money it would take to find out why the incident happened in the first place. But users who need protected data to do their jobs can still access it without slowing their work.

Are you interested in knowing more about how to increase data security without sacrificing operational efficiency? Sign up for our webcast Effectively Managing Privileged User Accounts with Oracle, September 12 at 1 p.m. ET/10 a.m. PT. See you there!


Cloud Threat Report

Understanding the Mission of the Cloud-Centric CISO

There are not many positions in this world more sought after in the good times, but also more avoided in times of duress, than that of the chief information security officer (CISO). It’s often been joked that CISO stands for Crisis Induced Sacrificial Offering, and for good reason. In many of today’s organizations, the CISO is looked upon to help set the tone for how they ensure security, privacy and confidentiality of customers’ information… and their own. When lapses happen, it’s understandable when the board questions the person in charge of IT security.

The Mission of the Cloud-Centric CISO takes readers deeper into the challenges and opportunities that the CISOs of today are facing in a cloud-enabled business. The reality is, the buck does not stop with the CISO, as responsibility has now shifted to the entire executive team, and in fact… they can be an enabler to your own success if you know how to engage and partner with them effectively. This does require understanding their own priorities, their challenges and their goals. Finding out where you both have common interests in the name of security, privacy, risk prevention, regulations, compliance, configuration management, lift and shift, architecture and planning and more… is the first step to a long and mutually beneficial partnership with your CISO.

Based upon the key findings of the Oracle and KPMG Cloud Threat Report, we looked at the key challenges that CISOs in particular are experiencing around the world and across all industries, to identify trends and patterns. One of the constants that we see is the shift of the CISO to become more focused on business enablement. Today's cyber-leaders must be known less for saying "no" and more for saying "yes, and let me show you a safe way how". They must be perceived as an agent of change. They must plan for incident prevention, detection, response AND recovery. It is the post-attack planning that sometimes gets the least attention, and as we have seen from the rash of ransomware attacks, recovery efforts are front and center. We cannot avoid the fact that humans still comprise the single greatest risk to operational security, both as the attacker and as those who create the conditions of risk. We have to find ways to remove these points of risk.

The Mission of the Cloud-Centric CISO is designed to help every line-of-business member know how to get the most out of their relationships with the CISO, and how to partner to find joint success in risk mitigation planning, security initiatives and compliance efforts. To learn more, you can also read on these subjects in the Oracle and KPMG Cloud Threat Report for additional information.


Hybrid-Cloud Identity

See how easily and quickly you can deploy Oracle Identity Governance (OIG) in Oracle Cloud

For those of you who haven't come across Oracle Identity Governance (OIG) before, it is a powerful, flexible and highly scalable enterprise identity management system to manage the user and user access privilege lifecycle within enterprise IT resources. OIG's flexible data model allows modeling and managing user access across a very broad range of application types including ERP/CRM/HCM, LDAP, Active Directory, Databases, Mainframes and SaaS applications. OIG supports a number of essential governance use cases that include access request, provisioning, access certification, delegated administration, password management, segregation of duties and role lifecycle management. For each of these features, you can customize workflows and the user interface, add business logic at various extension points, and create automation for users joining, moving and leaving your organization.

One of the areas that can be a challenge for customers is quickly spinning up new environments for OIG, especially for development and testing. As an enterprise application, OIG requires a certain footprint, which includes Oracle Database and WebLogic. Starting from scratch, it can take some time to get an OIG installation to the point of configuration. With each version of OIG, improvements have been made to simplify the initial installation process. For example, in the latest version, 12c, there is now an integrated quick installer, which installs many of the components needed for OIG in a single installer. The post-installation process has also been simplified through the process of bootstrapping and auto-discovery. You can read more about these in the documentation here.

However, we have now taken this a stage further and provided a pre-built Oracle Cloud Marketplace image. This image allows you to deploy a single-node installation of OIG 12.2.1.3 within your Oracle Cloud tenancy. This simple process is just two steps:

1) Use the Marketplace to deploy the image within your tenancy.
2) Run a single command line script to automatically set up the image.

The entire process, in my experience, takes about 30 minutes to complete, after which you have an empty OIG instance that you can immediately start configuring. The image comes with a complete set of usage notes to run these two steps.

If you are looking for a quick way to get the latest version (12c) of Oracle's Identity Governance platform up and running, then you have found it. Perhaps you are investigating 12c as part of an upgrade from 11g, or maybe you are looking at some of the new features of 12c. This is a great way to get quick and simple access to an environment, without having to find hardware or resources within your local environment.

Oh, and don't forget, if you don't already have an Oracle Cloud account, then you can always sign up for a free trial here.


News

Beat Them to the Punch: FireEye and Oracle Protect Customers from Malicious Email Hackers

Everyone has gotten those emails in their personal accounts, you know, the ones that ask for your Apple ID login or your bank account number. These types of phishing emails have become so common, most consumers can easily detect and avoid them. Over the years we have gotten better at spotting these phishing attempts and stopped believing the email from our family member "who is trapped in a foreign country and in need of quick cash." Unfortunately, while we were getting better, so were the hackers.

Increasingly, these malicious attempts have been targeted at businesses with large amounts of sensitive data. So while we can usually detect a fake email from Aunt Betty, we can't seem to quite dial into the email from our VP of Finance or CEO asking us to make a quick change to our accounts or input our login information to update our credentials. The truth is, employees are the weakest link in an organization. A simple social engineering attack could prompt an employee to unknowingly give access to sensitive information in the company's critical business applications. Just like that, a hacker is in and stealing critical data and funds. That is, unless your company has done something about it.

Organizations are now trying to better detect and respond to phishing attempts. In the Oracle and KPMG Cloud Threat Report 2019, 27% of enterprise respondents named email-based phishing as the most common type of cybersecurity attack experienced. Organizations are inundated with alerts and tasks, so incorporating a machine learning component to their business just makes sense. FireEye, a California-based security company, has been working with organizations on premise and in the cloud to detect attacks through email filtering, image classification, and isolated evaluation of suspicious messages and attachments. Using Oracle Cloud Infrastructure, FireEye is helping organizations block attacks before they ever reach your inbox.

Please take a look at our recent Forbes article, "The Cloud Stops Email Hackers Before Your Employees Start Clicking" to learn more.


News

Uncovering the CSA Top Threats to Cloud Computing w/ Jim Reavis

For the few that attend this year’s BlackHat conference kicking off this week in Las Vegas, many will walk away with an in-depth understanding and knowledge on risk as well as actionable understandings on how they can work to implement new strategies to defend against attacks. For the many others who don’t attend, Cloud Security Alliance has once again developed their CSA Top Threats to Cloud Computing: The Egregious 11. I recently sat down with the CEO and founder of CSA, Jim Reavis, to gain a deeper understanding on what leaders and practitioners can learn from this year’s report that covers the top 11 threats to cloud computing - The Egregious 11.

(Greg) Jim, for those who have never seen this, what is the CSA Top Threats to Cloud report and who is your target reader?

(Jim) The CSA Top Threats to Cloud Computing is a research report that is periodically updated by our research team and working group of volunteers to identify high priority cloud security risks, threats and vulnerabilities to enable organizations to optimize risk management decisions related to securing their cloud usage. The Top Threats report is intended to be a companion to CSA's Security Guidance and Cloud Controls Matrix best practices documents by providing context around important threats in order to prioritize the deployment of security capabilities to the issues that really matter. Our Top Threats research is compiled via industry surveys as well as through qualitative analysis from leading industry experts. This research is among CSA's most popular downloads and has spawned several translations and companion research documents that investigate cloud penetration testing and real world cloud incidents. Top Threats research is applicable to the security practitioner seeking to protect assets, executives needing to validate broader security strategies and any others wanting to understand how cloud threats may impact their organization. We make every effort to relate the potential pitfalls of cloud to practical steps that can be taken to mitigate these risks.

(Greg) Were there any findings in the Top Threats report that really stood out for you?

(Jim) Virtually all of the security issues we have articulated impact all different types of cloud. This is important as we find a lot of practitioners who may narrow their cloud security focus on either Infrastructure as a Service (IaaS) or Software as a Service (SaaS), depending upon their own responsibilities or biases. The cloud framework is a layered model, starting with physical infrastructure with layers of abstraction built on top of it. SaaS is essentially the business application layer built upon some form of IaaS, so the threats are applicable no matter what type of cloud one uses. Poor identity management practices, such as a failure to implement strong authentication, sticks out to me as a critical and eminently solvable issue. I think the increased velocity of the "on demand" characteristic of cloud finds its way into the threat of insufficient due diligence and problems of insecure APIs. The fastest way to implement cloud is to implement it securely the first time.

(Greg) What do you think are some of the overarching trends you've noticed throughout the last 3 iterations of the report?

(Jim) What has been consistent is that the highest impact threats are primarily the responsibility of the cloud user. To put a bit of nuance around this as the definition of a "cloud user" can be tricky, I like to think of this in three categories: a commercial SaaS provider, an enterprise building its own "private SaaS" applications on top of IaaS or a customer integrating a large number of SaaS applications have the bulk of the technical security responsibilities. So much of the real world threats that these cloud users grapple with are improper configuration, poor secure software development practices and insufficient identity and access management strategies.

(Greg) Are you seeing any trends that show there is increasing trust in cloud services, as well as the CSP working more effectively around Shared Responsibility Security Model?

(Jim) The market growth in cloud is a highly quantifiable indicator that cloud is becoming more trusted. "Cloud first" is a common policy we see for organizations evaluating new IT solutions, and it hasn't yet caused an explosion of cloud incidents, although I fear we must see an inevitable increase in breaches as it becomes the default platform. We have been at this for over 10 years at CSA and have seen a lot of maturation in cloud during that time. One of the biggest contributions we have seen from the CSPs over that time is the amount of telemetry they make available to their customers. The amount and diversity of logfile information customers have today does not compare to the relative "blackbox" that existed when we started this journey more than a decade ago. Going back to the layered model of cloud yet again, CSPs understand that most of the interesting applications customers build are a mashup of technologies. Sophisticated CSPs understand this shared responsibility for security and have doubled down on educational programs for customers. Also, I have to say that one of the most rewarding aspects of being in the security industry is observing the collegial nature among competing CSPs to share threat intelligence and best practices to improve the security of the entire cloud ecosystem. One of the initiatives CSA developed that helps promulgate shared responsibility is the CSA Security, Trust, Assurance & Risk (STAR) Registry. We publish the answers CSPs provide to our assessment questionnaire so consumers can objectively evaluate a CSP's best practices and understand the line of demarcation and where their responsibility begins.

(Greg) How does the perception of threats, risks and vulnerabilities help to guide an organization’s decision making & strategy?

(Jim) This is an example of why it is so important to have a comprehensive body of knowledge of cloud security best practices and to be able to relate it to Top Threats. A practitioner must be able to evaluate using any risk management strategy for a given threat, e.g. risk avoidance, risk mitigation, risk acceptance, etc. If one understands the threats but not the best practices, one will almost always choose to avoid the risk, which may end up being a poor business decision. Although the security industry has gotten much better over the years, we still fight the reputation of being overly conservative and obstructing new business opportunities over concerns about security threats. While being paranoid has sometimes served us well, threat research should be one of a portfolio of tools that helps us embrace innovation.

(Greg) What are some of the security issues that are currently brewing/underrated that you think might become more relevant in the near future?

(Jim) I think it is important to understand that malicious attackers will take the easy route and if they can phish your cloud credentials, they won't need to leverage more sophisticated attacks. I don't spend a lot of time worrying about sophisticated CSP infrastructure attacks like the Rowhammer direct random access memory (DRAM) leaks, although a good security practitioner worries a little bit about everything. I try to think about fast moving technology areas that are manipulated by the customer, because there are far more customers than CSPs. For example, I get concerned about the billions of IoT devices that get hooked into the cloud and what kinds of security hardening they have. I also don't think we have done enough research into how blackhats can attack machine learning systems to avoid next generation security systems. Our Israeli chapter recently published a fantastic research document on the 12 Most Critical Risks for Serverless Applications. Containerization and Serverless computing are very exciting developments and ultimately will improve security as they reduce the amount of resource management considerations for the developer and shrink the attack surface. However, these technologies may seem foreign to security practitioners used to a virtualized operating system and it is an open question how well our tools and legacy best practices address these areas. The future will be a combination of old threats made new and exploiting fast moving new technology. CSA will continue to call them as we see them and try to educate the industry before these threats are fully realized.

(Greg) Jim, it’s been great hearing from you today on this new Top Threats to Cloud report. Hats off to the team and the contributors for this year’s report. Has been great working with them all!

(Jim) Thanks Greg! To learn more about this, or to download a copy of the report, visit us at www.cloudsecurityalliance.com


Hybrid-Cloud Identity

Use Multiple Identity Instances with Oracle Identity Cloud Service

To effectively run an enterprise Identity Management program, more than one instance of your identity solution is often required. Whether you are separating a testing environment from production or isolating administrators and users for 2 separate use cases in your organization, you need fully isolated identity environments. This is why Oracle Identity Cloud Service supports multiple Identity Cloud Service Instances. It only takes a few minutes for a customer to create an entirely new, isolated identity instance within their Oracle cloud account. Let’s take a look at 2 of the most common use cases for multiple identity instances.

Production and Testing Environments

Whether it’s a policy change, a new custom sign-in page, an update to MFA settings or a call to a new API, we want to know exactly how changes to our identity management settings will work before unleashing them on our user population. Multiple Identity Instances allow you to try these settings out before implementing them in your production environment. In addition, the people you want to access all these settings are likely different in a test environment vs production. Separate identity instances let you maintain different sets of admins and users, which allows you to keep the production environment in compliance while a different group of people is allowed to test.

[Figure: Multiple IDCS Instances – Prod/Dev/QA Example]

Separate User Populations

When trying to protect resources for different user populations, everything can be different including administrators, users, access policies, and the sign-in experience. By leveraging multiple identity instances you can create the separation needed for each of these requirements. In addition, the license structure may be different from one population to the other. For example, if you have a set of consumers and a set of employees, you can create each identity instance with the appropriate license to fit the user type.

[Figure: Multiple IDCS Instances – Employees/Customers Example]

Oracle Identity Cloud Service multiple instance capabilities will support you in either of these scenarios. For details on how to use this capability and understand the limits, here are a few useful resources.

Product Documentation

Many thanks for contributing on this blog post to Jason Oeltjen, Director of Product Management, IDM Cloud Services for Oracle.


Edge Security

Five Reasons Why You Need a Cloud-Based Web Application Firewall for Your Business

I've embraced online banking, e-payments, and 3rd party payment systems like PayPal and Venmo. They have become part of my day-to-day life, and I take for granted that the website where I am handling my money is safe. Of course, that’s not always the case. Malicious threats such as bots, DDoS attacks, and web server vulnerability exploits mean the web applications that we all rely on are particularly vulnerable. Last year’s Backswap malware attacked six major Spanish banks’ websites. The malware inserted trojan JavaScript to create a classic man-in-the-browser attack, seemingly transparent to the end user. However, if the banking customer tried to transfer money to a new account, the malware would instead create a false destination account to receive the money, thus stealing the funds from the consumer.

Web application firewalls (WAF) are a powerful way to protect your business-critical web applications from harmful malware. Historically, WAFs were typically deployed with an on-premise appliance-based solution. However, with more applications and information being deployed on a cloud scale, it’s critical that the WAF technology continues to keep up. Today’s best WAF solutions are deployed to support hybrid and multi-cloud environments.

Here are five reasons why organizations like yours should consider a cloud-based WAF solution:

1. They scale with your business, leveraging the power and scalability of cloud networks to isolate your endpoints from incoming threats.
2. They block attacks outside your perimeter, even before they reach your network.
3. They provide the best security for multiple web application hosting environments, including on-premise, cloud, hybrid, and multi-clouds.
4. Managed services can ease your burden with a team of experienced internet security experts who monitor your environment and recommend proven threat mitigation steps.
5. They have a low total cost of ownership without major investments in resources or ongoing costs related to maintenance, hardware replacement, and software upgrades.

Oracle’s Web Application Firewall, part of the Oracle Cloud Infrastructure and a key part of the Oracle Security portfolio, is a cloud-based WAF which will protect the hybrid or multi-cloud environment, regardless of where internet-facing applications are hosted. Learn more about Oracle Cloud Infrastructure Web Application Firewall in our latest brochure and datasheet.


DB Sec

Database Security Hygiene 101: Five Best Practices

Co-authored by Alan Williams, Senior Principal Product Manager, Security and Sean Cahill, Senior Product Marketing Manager, Security

Database security may seem like a complex task and achieving the desired maximal security architecture to protect sensitive data does admittedly take time, people, and often budget. That said, there are certain foundational best practices that every organization, small to large and across industries, should be implementing. In fact, these basic security practices should be in place before spending resources on additional security measures. Make sure you make a practice of locking your front door before you consider buying an expensive home security system with cameras and alarms.

Carefully considering how administrative privileges are provisioned to database users can save an organization major headaches down the road, including mitigating the risk of a costly data breach. While you probably trust your DBAs, cybercriminals often use spear-phishing attacks and other means to target privileged users in an organization, leveraging their accounts for malicious use including exfiltrating sensitive data. For example, if a hacker is successful in compromising a DBA account with the SELECT ANY TABLE privilege, he or she would be able to access almost any data on the database, including social security numbers, payment card numbers, and intellectual property.

Start by running the Oracle Database Security Assessment Tool to pinpoint potential weaknesses in your database configuration. Then, be sure to adopt the following five best practices, including the least privilege model and separation of duties, to strike the right balance between the need for users to do their jobs and the need for database security. You’ll minimize the risk from compromised accounts and improve your organization’s overall security posture.

1. Separation of Duties

The concept of separation of duties (SOD) dictates that administration tasks should be divided among several users rather than a single, all-powerful individual. Dividing up duties like administration, security, and operations makes it less likely for users to abuse their privileges and also further reduces the attack surface area for compromised accounts. For example, rather than using the all-powerful SYSDBA privilege, grant targeted privileges like SYSBACKUP, SYSDG, SYSRAC, and SYSKM for the specific tasks of database backup, Data Guard administration, RAC management, and key management, respectively.

2. Named Users

Administrators should never share accounts for convenience (or any reason, for that matter). Shared accounts remove accountability, increase risk and make auditing user activity essentially impossible. Each user in an organization should have an individual named account that explicitly spells out their name – Bob Jones, for example, would have an account name like Bob_Jones or Robert_Jones. Each named account is then tied to tailored privileges, curated for that person’s job role. Policy-based audit logging rules can be set and user activity can be individually audited.

3. SYSDBA Account Management

The SYS database owner account (SYSDBA) is an administrative privilege that provides unfettered access to the database, like a ROOT account for OS administration. This is simply too much power for any user to have in perpetuity. In fact, many database administrators themselves feel that being granted SYSDBA privileges puts them in an undesirable position of potential liability, should anything go wrong. As such, use of this account and privilege should be closely managed and monitored, and limited to only when it is absolutely necessary, like during database upgrades and patching. Leverage a privilege account management system along with a change management system and assign a specified window for use in order to closely manage the SYSDBA privilege.

Use of compensating security controls is recommended when SYS/SYSDBA is used. One example of such a control is requiring secondary approval workflows (the two-person rule). To audit administrative users like SYSDBA, create named unified audit policies and then apply the policies to the administrative user, the same way you would for non-administrative users. Furthermore, you can build granular conditions and exclusions into your policies or choose to audit all top-level statements by administrative users. In the case of traditional audit, AUDIT_SYS_OPERATIONS enables or disables the auditing of top-level operations, which are SQL statements directly issued by users when connecting with the SYSASM, SYSBACKUP, SYSDBA, SYSDG, SYSKM, or SYSOPER privileges.

4. Least Privilege

Separation of Duties (SOD) separates people, processes, and accounts, but you can’t enforce it if all users and accounts have every privilege. Once you have implemented SOD, enforcing the principle of least privilege limits each user and account to only the privileges that he or she needs for day to day operations. In short, it recommends that users be granted only the minimum set of privileges needed to accomplish their job-related tasks, and NO MORE. To achieve the appropriate level of granularity, grant the specific object privileges that are needed rather than broad system privileges – and remember to remove those privileges when they are no longer needed. Create task-specific roles rather than granting all-powerful roles like the built-in SYSDBA role. The least privilege model reduces the attack surface area for the database by limiting what an attacker could do even if the credentials are somehow compromised.

5. Audit Protection

Audit logs are needed for compliance reporting and for forensics in the case of a breach or other adverse event. Capture an irrefutable record of actions taken by named accounts including CREATE USER, CREATE ANY TABLE, ALTER SYSTEM, and ALTER SESSION, coupled with contextual information like IP address and event time. Audit logs will help an organization identify risky users, streamline audits, and simplify compliance.

Oracle provides predefined unified audit policies (default audit options for traditional audit) that cover commonly used security-relevant audit settings like log-in failures, database configuration parameter changes and user account and privilege management. Some of these predefined audit policies are enabled by default. Enable or disable the relevant ones based on your own audit needs and desired security posture. Additionally, one can create named unified audit policies. Build selective and effective unified audit policies by adding various conditions including SYS_CONTEXT and Application Context values. Oracle also provides the ability to do fine grained auditing, triggering auditing when specific conditions are met, like selecting a specific column, or accessing a table during specific times.

Next Steps

Adopt these best practices, including separation of duties and the principle of least privilege, to strike the right balance between the need for users to do their jobs and the need for database security. You’ll minimize the risk from compromised accounts and improve your organization’s overall security posture. Also consider running the Oracle Database Security Assessment Tool today to identify potential areas for improvement in your database configuration.

These best practices aren’t anything revolutionary, but, unfortunately, they are overlooked by a staggering number of organizations. None of the aforementioned methods require any additional investment. Don’t be ‘low hanging fruit’ for cybercriminals. Reduce your organization's attack surface area today by carefully considering user privileges.
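The five practices above, sketched as Oracle SQL. This is an added example, not code from the original post: the account, role, schema and policy names (bob_jones, backup_operator, hr_report_reader, hr.employees, admin_change_pol, offnet_logon_pol, fga_salary_read), the passwords and the 10.% address range are hypothetical placeholders, and the statements assume a 12c or later database with unified auditing available.

```sql
-- Added example. Every user, role, schema and policy name below is hypothetical.

-- 2. Named users: one account per person, never shared.
CREATE USER bob_jones IDENTIFIED BY "Placeholder_Pw_1" PASSWORD EXPIRE;
GRANT CREATE SESSION TO bob_jones;

-- 1. Separation of duties: the backup operator receives SYSBACKUP,
--    not the all-powerful SYSDBA privilege.
CREATE USER backup_operator IDENTIFIED BY "Placeholder_Pw_2" PASSWORD EXPIRE;
GRANT SYSBACKUP TO backup_operator;

-- 3. SYSDBA management: review which accounts hold administrative privileges.
SELECT username, sysdba, sysoper, sysbackup, sysdg, syskm
FROM   v$pwfile_users;

-- 4. Least privilege: list every grantee of the broad SELECT ANY TABLE
--    system privilege so each grant can be justified or revoked.
SELECT grantee, privilege, admin_option
FROM   dba_sys_privs
WHERE  privilege = 'SELECT ANY TABLE'
ORDER  BY grantee;

--    Replace the broad grant with a task-specific role that carries only
--    the object privilege the job needs.
CREATE ROLE hr_report_reader;
GRANT SELECT ON hr.employees TO hr_report_reader;
GRANT hr_report_reader TO bob_jones;
-- REVOKE SELECT ANY TABLE FROM <grantee identified by the query above>;

-- 5. Audit: a named unified audit policy covering the actions the article
--    lists, applied to the administrative user and a named user.
CREATE AUDIT POLICY admin_change_pol
  PRIVILEGES CREATE ANY TABLE
  ACTIONS    CREATE USER, ALTER SYSTEM, ALTER SESSION;

AUDIT POLICY admin_change_pol BY SYS, bob_jones;

--    A conditional policy using SYS_CONTEXT: record logons that arrive
--    from outside a constructed internal address range. Local connections
--    have a NULL IP_ADDRESS and therefore do not match the condition.
CREATE AUDIT POLICY offnet_logon_pol
  ACTIONS LOGON
  WHEN 'SYS_CONTEXT(''USERENV'', ''IP_ADDRESS'') NOT LIKE ''10.%'''
  EVALUATE PER SESSION;

AUDIT POLICY offnet_logon_pol;

--    Fine-grained auditing: record any SELECT that touches one
--    sensitive column.
BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema   => 'HR',
    object_name     => 'EMPLOYEES',
    policy_name     => 'FGA_SALARY_READ',
    audit_column    => 'SALARY',
    statement_types => 'SELECT');
END;
/

--    Traditional audit only: audit top-level statements issued under
--    SYSDBA, SYSOPER and the other administrative privileges.
--    The parameter is static, so it takes effect after a restart.
ALTER SYSTEM SET audit_sys_operations = TRUE SCOPE = SPFILE;

--    Review what the unified policy captured, with who, what and from where.
SELECT event_timestamp, dbusername, action_name,
       object_schema, object_name, userhost
FROM   unified_audit_trail
WHERE  unified_audit_policies LIKE '%ADMIN_CHANGE_POL%'
ORDER  BY event_timestamp DESC;
```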


Cloud Threat Report

Intelligent Automation: New Tactics to Protect the Kingdom

Organizations are thinking differently about the cloud. In fact, nearly half of respondents from the Oracle and KPMG Cloud Threat Report 2019 expect to store the majority of their data in the public cloud by 2020. The trouble is that organizations must also start to think differently about IT security. Companies are being inundated with alerts and the sheer number of cloud applications being deployed within organizations has left many teams struggling to keep pace with securing their business critical data.

So what does this have to do with protecting a kingdom? Good question. In a previous blog, Brian Jensen, Application Risk Consulting Sales Leader at KPMG, uses this analogy in great detail to explain that organizations no longer have the same layers of protection provided by the large castle walls of their on-premise past. They need to protect their critical data (the keep) regardless of where it resides. Jensen says, "Now there is no castle - every application and associated database has to stand alone and be protected on its own."

In a new Oracle report, “Thinking Autonomous: IT Security and Risk”, we begin to explore the ways in which the cloud presents different challenges and threats as well as the benefits of incorporating autonomous technologies to better prevent and detect these threats. IT teams are stretched thin trying to maintain security, manage patches, and mitigate risk from shadow IT across their entire environment. During the interview highlighted in this report, I shared that, "Organizations face 3.2 billion events per month. Out of that 3.2 billion today, on average only 31 are actual security threats." Understanding which events are legitimate threats has become a significant hardship for IT teams. Unfortunately, companies can’t hire their way out of this problem; there simply aren't enough resources to manually meet the demand.

So organizations need to think smarter about this new world of IT. I believe that, "machine learning and artificial intelligence reduce false positives and get to the real threats and reduce mean time to response." By including intelligent automation, organizations can better address security risks in the cloud. "Fast-forward to databases supporting a number of different applications in a corporate environment owned by multiple divisions or locations, autonomous security is the key," says Brian Jensen.

As increased cloud adoption continues, implementing automated technologies can help your organization reach new levels of efficiency, while supporting strong security practices. If you're interested in thinking differently about securing your data in the cloud, read our new paper, Thinking Autonomous: IT Security and Risk, to learn more about some of the risks organizations are facing and understand ways in which intelligent automation can help ease the burden.


Edge Security

CaterXpress Cooks Up Powerful Web Application Security

Written By: Mark Brunelli

Catering software company CaterXpress is protecting its web application from distributed denial-of-service (DDoS) attacks with the Oracle Dyn Web Application Firewall (WAF). The Melbourne, Australia-based company is the creator of FoodStorm, a popular hosted application that makes it easy for catering companies to receive and track orders and manage customer relationships.

CaterXpress has long used Oracle Dyn’s Domain Name System (DNS) for its “excellent performance and reliability,” said Anthony Super, the company’s director and co-founder. They recently decided to go live with Oracle Dyn WAF for an additional layer of protection against DDoS attacks and other cybersecurity threats such as cross-site scripting and SQL injections.

“At first, I felt in my mind that a WAF product from Oracle was going to be way out of our price range,” Super recalled. “But after seeing the pricing I said, ‘This is a really good value. It’s actually a better value than the other providers we were looking at.’”

All about CaterXpress

CaterXpress launched in 2007 with a goal to become the world leader in catering technology. Fast-forward to today and the company has made great strides toward achieving that goal. “We’ve got some very high volumes going through our software at the moment,” Super said. “If you’re a catering company using FoodStorm, it really is the cornerstone of your operation. It’s a mission-critical system.”

Why Oracle Dyn?

The CaterXpress team began using Oracle Dyn Managed DNS soon after the company launched. Super reports that the DNS offering is easy to use and helps the company manage many customer domain names. “The technical features that it had were better than the competitors,” he said. “For example, Oracle Dyn DNS allowed us to point multiple domain names to one server automatically, which was something that a lot of other DNS providers didn’t do.”

Super and his team were equally impressed with Oracle Dyn WAF and Oracle Dyn’s technical account management team, which guided him through the process of testing and implementing the solution. “The Oracle Dyn team was very proactive in scheduling meetings and walking us through the implementation process and explaining everything,” he said. “They were just a phone call away. They were great.”

Oracle Dyn WAF is designed to protect internet-facing applications while addressing the specific requirements of today’s multicloud and hybrid cloud IT environments. Configured as a reverse proxy, the WAF inspects all incoming web traffic and quickly identifies and blocks any malicious traffic. The WAF is fully managed, cloud-based, and distributed across Oracle’s global points of presence to ensure minimum latency and maximum coverage.

Super added that the WAF’s biggest benefit is the peace of mind it gives him. “Now I can sleep at night knowing that we are ready,” Super said. “We’ve now got the systems in place to handle incoming threats, so that’s really good.”

Learn more about how CaterXpress is using Oracle Dyn’s DNS and WAF today.

Hybrid-Cloud Identity

Synchronising subsets of AD users and groups into IDCS

Oracle Identity Cloud Service (IDCS) is a cloud native Identity-as-a-Service (IDaaS) platform, which also underpins Oracle Cloud. It serves as a single point of entry into Oracle Cloud, irrespective of whether you are using IaaS, PaaS, or SaaS.

There are many ways to manage users within IDCS. However, the most common method I talk to customers about is the ability to synchronise users and groups from Active Directory (AD), either from an on-premise AD or from Azure AD. The user interface within IDCS makes it extremely simple to set up the required AD Bridge, as shown in the screenshot below. For administrators who need a hand, there is also a step-by-step tutorial within the documentation here.

As you can see, it’s a simple process of defining where in the AD tree you want to sync users and groups from, how often, which attributes, and whether you plan to use federation or have users authenticate locally to IDCS.

However, one of the areas I get asked about regularly is how you get more control over which users and groups synchronise, rather than the fairly coarse-grained OU structure represented by the two trees in the previous screenshots. The most common requirement I come across is to only synchronise certain groups as well as the users of those groups.

Here’s a scenario. Let’s say that I have a customer using Oracle Analytics Cloud Service (OACS). This will be accessed by a subset of the organisation, i.e. those responsible for MI dashboards, reporting etc. These users will usually be spread across various OUs within the AD tree and not all within a single container (or OU). Whilst a customer can sync all AD users to IDCS and then manage their access to OACS through group/role memberships, this approach unnecessarily syncs more users than needed.

Fortunately, the IDCS AD Bridge has the capability to apply additional filtering over users and groups, and it’s extremely easy to configure. Let’s look at how I would address this scenario.

I have created a group called Federated Users. In that group I have added 3 users from different parts of the AD tree. FedUser1 and FedUser2 are both in the cn=Users container, whilst FedUser3 is in the cn=IDCS Users container. The layout can be seen below. The first two screenshots show the users and groups and their positions in the AD tree.

Here we see that the Federated Users group contains all 3 federated users.

In order to tell the IDCS AD Bridge to only sync this group and the users who are in the group, we use the filter boxes below each tree in the IDCS AD Bridge configuration. Each filter box takes a standard LDAP search filter and therefore can be as complex or as simple as you need. To meet my scenario, my filters are straightforward.

For the users, I select the top container in the tree (emeacloudpursuit.com), and ensure that the Include Hierarchies box is checked to process all containers. Within the filter, I add:

(memberOf=cn=federatedusers,cn=Users,dc=emeacloudpursuit,dc=com)

A similar approach is taken for groups. I select the top container again, check the Include Hierarchies box and enter the filter:

(&(objectclass=group)(cn=federatedusers))

This final configuration is shown in the screenshot below.

That’s it! Now when the sync runs, it will only sync my three federated users (by nature of them being in the federatedusers group), and will also only sync that same group, irrespective of how many users and groups I have in the rest of my AD.

If you haven't had a chance to look at IDCS yet, you can take advantage of a free Oracle Cloud trial by signing up here.
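Before enabling a filtered sync, it helps to preview what the two filters above select. The following Python sketch is an added example, not Oracle's AD Bridge code: it evaluates a subset of LDAP filter syntax against a constructed directory, where OtherUser, NestedUser and the nested analysts group are hypothetical and the restriction of each tree to user or group objects is an assumption.

```python
"""Preview which entries an LDAP search filter selects (subset of RFC 4515)."""

BASE_DN = "dc=emeacloudpursuit,dc=com"
GROUP_DN = "cn=federatedusers,cn=Users," + BASE_DN
USER_FILTER = "(memberOf=cn=federatedusers,cn=Users,dc=emeacloudpursuit,dc=com)"
GROUP_FILTER = "(&(objectclass=group)(cn=federatedusers))"


def entry(cn, container, object_class, member_of=()):
    """Build one constructed directory entry."""
    return {"dn": f"cn={cn},{container},{BASE_DN}", "cn": [cn],
            "objectClass": [object_class], "memberOf": list(member_of)}


# Constructed sample data. OtherUser, NestedUser and the 'analysts' group are
# hypothetical; 'analysts' is nested inside federatedusers.
DIRECTORY = [
    entry("FedUser1", "cn=Users", "user", [GROUP_DN]),
    entry("FedUser2", "cn=Users", "user", [GROUP_DN]),
    entry("FedUser3", "cn=IDCS Users", "user", [GROUP_DN]),
    entry("OtherUser", "cn=Users", "user"),
    entry("NestedUser", "cn=Users", "user", ["cn=analysts,cn=Users," + BASE_DN]),
    entry("federatedusers", "cn=Users", "group"),
    entry("analysts", "cn=Users", "group", [GROUP_DN]),
]


def norm(value):
    """Lower-case and trim spaces around DN commas (case-insensitive match)."""
    return ",".join(part.strip() for part in value.lower().split(","))


def _parse(s, i):
    """Parse one parenthesised filter at s[i]; return (node, next index)."""
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i < len(s) and s[i] in "&|!":
        op, i, children = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if i >= len(s) or s[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        if not children or (op == "!" and len(children) != 1):
            raise ValueError(f"wrong number of operands for '{op}'")
        return (op, children), i + 1
    end = s.find(")", i)
    if end == -1:
        raise ValueError("unbalanced parentheses")
    attr, sep, value = s[i:end].partition("=")
    if not sep or not attr.strip() or "(" in value:
        raise ValueError(f"malformed comparison at offset {i}")
    if "\\" in value or ("*" in value and value != "*"):
        raise ValueError("escapes and substring matches are outside this preview")
    return ("=", attr.strip().lower(), value), end + 1


def parse_filter(text):
    """Parse a whole filter string; a typo fails here, not silently at sync time."""
    text = text.strip()
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return node


def matches(node, item):
    """Evaluate a parsed filter against one directory entry."""
    if node[0] == "&":
        return all(matches(child, item) for child in node[1])
    if node[0] == "|":
        return any(matches(child, item) for child in node[1])
    if node[0] == "!":
        return not matches(node[1][0], item)
    _, attr, wanted = node
    values = next((v for k, v in item.items() if k != "dn" and k.lower() == attr), [])
    if wanted == "*":  # presence test, e.g. (memberOf=*)
        return bool(values)
    return norm(wanted) in {norm(v) for v in values}


def preview_sync(base_dn, filter_text, kind, directory=DIRECTORY):
    """Names of 'user' or 'group' objects under base_dn (subtree) that match.

    Assumption: the user tree considers user objects only and the group tree
    group objects only; the subtree search stands in for Include Hierarchies.
    """
    ast, base = parse_filter(filter_text), norm(base_dn)
    return sorted(
        item["cn"][0] for item in directory
        if kind in (c.lower() for c in item["objectClass"])
        and (norm(item["dn"]) == base or norm(item["dn"]).endswith("," + base))
        and matches(ast, item)
    )


if __name__ == "__main__":
    print("users :", preview_sync(BASE_DN, USER_FILTER, "user"))
    print("groups:", preview_sync(BASE_DN, GROUP_FILTER, "group"))
```

NestedUser is not selected because memberOf in AD lists direct group memberships only, so a user who belongs to federatedusers solely through a nested group is not matched by this filter.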

DB Sec

Robust Key Management for Mission Critical Databases

Until recently, organizations typically only maintained a few encrypted databases. Those databases might store sensitive data like payment card numbers, social security numbers or even intellectual property like trading algorithms or coordinates for oil exploration. With only a nominal number of encrypted databases, managing encryption keys with an individual wallet wasn’t a particularly burdensome task.

Encryption as a Necessity for All Databases

Fast forward to today. With relentless cyberattacks amounting to an estimated five billion records exposed in 2018, CISOs across the globe are mandating more widespread encryption of data as almost every piece of data can be exploited if it falls into the wrong hands. With large enterprises and federal agencies running thousands of databases, encrypting databases with individually managed keys and wallets is no longer an option. A complementary and robust key management system built on the tenets of availability and scalability is needed now more than ever.

With Encryption Comes Key Management

We released Oracle Key Vault 18 last month, specifically to meet the demands of large organizations increasingly deploying encryption across massive swaths of their database environments, sometimes every single database. These organizations needed a robust way to manage keys, with a resilient, highly-available key management system that could scale globally. Oracle Key Vault 18, with multi-master clustering of up to 16 nodes, is optimized to serve keys for thousands of databases in geographically dispersed data centers without creating undue operational burden.

Continuous Availability

Consider the fact that each Oracle database using Transparent Data Encryption (TDE) checks the Master Encryption Key every three seconds (a heartbeat to ensure the external key store is available) plus every single time a new database process opens an encrypted tablespace. In a busy database, there may be hundreds of requests to the key management system for the Master Encryption Key every second. As a result, absolute continuous availability of the key management system is paramount to your databases - you can’t be down for one second. That’s why Oracle Key Vault 18 was developed for ultimate resiliency supported by uninterrupted failover, meaning your databases can always get the key they need without any user intervention.

Maximum Transparency

When local wallets are replaced by centralized key management with Oracle Key Vault 18, the ‘transparency’ of Transparent Data Encryption further increases. Components like Oracle RAC databases, Oracle Data Guard, Oracle GoldenGate and others automatically know how and when to access shared keys in Oracle Key Vault 18. If your key management solution can’t do that, or it’s not available, the process is interrupted, causing outages that require human intervention, sometimes on weekends and after midnight, further increasing downtime and exacerbating the deleterious effect on operations.

Extreme Scalability

Oracle Key Vault 18 can scale both horizontally and vertically to handle growing loads, without any database downtime. Scale horizontally by adding more read-write pairs or read-only nodes to the Oracle Key Vault 18 cluster as more departments or lines of business add their databases to the cluster, for example. The pre-existing cluster will continue to provide uninterrupted key management as additional nodes are added. Or, scale vertically by upgrading servers. Because Oracle Key Vault 18 is a soft-appliance, it can be installed on literally any size server. As your business and encryption needs grow, scale up your Oracle Key Vault 18 ecosystem without downtime for your databases.

Don’t Let One Solution Cause Another Problem

Demands for encryption have risen immensely in recent years. Yet, if you encrypt, but don’t manage keys well, that can cause problems with access. Database encryption with Oracle Transparent Data Encryption gives you a secure foundation. Oracle Key Vault 18 allows you to further reduce risk and cut costs by consolidating encryption keys into a reliable, scalable, centralized key management cluster. If management is telling you to start encrypting, rest easy knowing that you already have the answer that ensures the requisite levels of resiliency, availability and scalability to meet your organization’s needs.

Read the Oracle Key Vault 18 data sheet to learn more or download Oracle Key Vault 18 today.

Edge Security

Oracle Cloud Infrastructure Web Application Firewall in action

I suspect most people, like myself, are very visual learners. Whilst I can plough through reams of documentation, open standards, and whitepapers when necessary, I can usually skip a large proportion of reading when I see a picture, or even better, see things in action through a video or demonstration.

Back in February this year, Oracle announced three new Edge services on Oracle Cloud Infrastructure (OCI): Web Application Firewall (WAF), Traffic Steering Policies, and Health Checks. There are plenty of good write-ups and articles on the above services, including the links I have provided above. However, I thought it would be useful to bring some of the new features of these services to life, starting with WAF.

As a brief introduction, for those not familiar with WAF technology, the OCI WAF is an enterprise-grade, cloud-based edge security solution that's designed to protect internet-facing applications from cyberattacks. As introduced on its public webpage:

The WAF includes over 250 predefined application, compliance, and Open Web Application Security Project (OWASP) rules. It also aggregates useful threat intelligence from multiple sources, including Webroot BrightCloud®. The WAF's bot management feature uses an advanced set of challenges—including JavaScript verification, CAPTCHA, device fingerprinting, and human interaction algorithms—to identify and block malicious bot traffic while allowing legitimate human and bot traffic to proceed. Once deployed, the OCI WAF also protects web-facing applications from Layer 7 distributed denial of service (DDoS) attacks.

The description above summarises a number of key capabilities of the WAF. It is these that I am going to focus on below and attempt to bring each of them to life through a set of short videos. I am going to focus on 4 key use cases:

- Protection Rules
- Access Control
- Threat Intelligence
- Bot Management

Within my demo environment I have deployed a simple website emulating a freight shipping company. The website is deployed on a web server within OCI (although it could have been deployed anywhere with an internet facing endpoint.) I have configured a number of clients to access the website, as shown in the diagram below.

Client | Connection Route
Chrome | Direct connection to the website
Firefox | Connected to the website through WAF
Postman | Connected to the website through WAF
TOR (The Onion Router) | Connected to the website through WAF

Scenario 1 - Protection Rules

WAF contains over 250 pre-defined protection rules. The rules match web traffic to rule conditions and determine the action to be taken when the conditions are met. Protection Rule Settings allow you to define the parameters for enforcement any time a protection rule is matched. The pre-defined rules help to protect against the most important threats as defined by the OWASP Top 10, e.g.:

- A1 – Injections (SQL, LDAP, OS, etc.)
- A2 – Broken Authentication and Session Management
- A3 – Cross-site Scripting (XSS)
- A4 – Insecure Direct Object References
- A6 – Sensitive Data Exposure
- A7 – Missing Function-Level Access Control

The WAF also monitors requests to your protected endpoints and provides recommendations as to which rules to enable. Recommendations are a great way to optimize your WAF security profile. The Security Operations team proactively monitors all events to provide recommendations about the action of a specific ruleset. See Supported Protection Rules for additional information.

In my demonstration, I have configured the protection rules to monitor for sensitive data being entered into the website. In my case, this is credit card data. If seen, the WAF is configured to block the traffic.

In this scenario, you saw how the protection rules can reduce the risk to an organisation by preventing some of the top attacks, commonly seen against web applications. The use of OCI WAF can also increase the security of all of your web applications by ensuring a consistent set of protection rules is applied.
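To see what a sensitive-data rule of the kind used in Scenario 1 has to decide, the following Python sketch is an added example and not OCI WAF's rule implementation: it scans form fields for Luhn-valid card numbers and applies a detect or block action. The rule name, the 403 status and the sample request body are assumptions constructed for the illustration.

```python
import re
from urllib.parse import parse_qsl

# 13 to 19 digits, optionally separated by single spaces or hyphens.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

# Constructed request body: a well-known test card number plus a 16-digit
# reference that is not a valid card number.
SAMPLE_BODY = "name=Test+User&card=4111+1111+1111+1111&ref=1234567890123456"


def luhn_valid(digits):
    """Luhn checksum: separates real card numbers from arbitrary digit runs."""
    total = 0
    for index, char in enumerate(reversed(digits)):
        value = int(char)
        if index % 2 == 1:      # double every second digit from the right
            value *= 2
            if value > 9:
                value -= 9
        total += value
    return total % 10 == 0


def find_card_numbers(text):
    """Return masked card numbers found in text (first 6 and last 4 kept)."""
    hits = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", match.group())
        if luhn_valid(digits):
            hits.append(digits[:6] + "*" * (len(digits) - 10) + digits[-4:])
    return hits


def evaluate(body, action="BLOCK"):
    """Apply the rule to a form-encoded body.

    Returns (http_status, log_record). DETECT logs and lets the request
    through; BLOCK logs and rejects it. The log never holds the full number.
    """
    if action not in ("DETECT", "BLOCK"):
        raise ValueError("action must be DETECT or BLOCK")
    findings = {}
    for name, value in parse_qsl(body, keep_blank_values=True):
        hits = find_card_numbers(value)
        if hits:
            findings.setdefault(name, []).extend(hits)
    if not findings:
        return 200, None
    status = 403 if action == "BLOCK" else 200  # 403 is an assumed response
    return status, {"rule": "constructed-pan-rule", "action": action,
                    "matches": findings}


if __name__ == "__main__":
    for mode in ("DETECT", "BLOCK"):
        print(mode, evaluate(SAMPLE_BODY, mode))
```

Running a rule in detect mode first shows which fields it would have blocked, and the Luhn check is what keeps order references and similar digit strings from triggering it.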
Scenario 2 - Access Control

Access rules are used to define explicit actions for requests that meet various conditions, including:

- HTTP Header Information
- Geography
- URL address matching
- IP address

In my demonstration, I am using the URL address matching rules to block access to a particular area of the website. Whilst this is a simple example, I could easily combine it with other access control rules to provide capabilities such as geo-fencing access to that part of the website. As with scenario 1, I have configured the outcome action as block. However, I could have allowed the WAF to detect and log only.

The benefits of using access control within OCI WAF include increased compliance, ensuring that only the appropriate users in appropriate locations can access your web application. It also helps to reduce risk by enabling access to be locked down using the right criteria.

Scenario 3 – Threat Intelligence

Oracle WAF takes feeds from a number of threat intelligence providers to ensure it has the latest, up-to-date information on suspicious IP addresses. At the time of writing this article, Oracle WAF takes 19 different feeds. The full list can be found here.

For my scenario, I decided to block access to my freight website for any users of a TOR browser. As with the previous examples, I opted for a blocking action, rather than just detect and log.

Given the very dynamic nature of threatening sources on the internet, having a strong set of threat intelligence feeds is important. This scenario demonstrates that OCI provides actionable, up-to-date threat intelligence feeds so that you can reduce the risk of a request coming from a bad source.

Scenario 4 – Bot Management

Bot Management enables you to mitigate undesired bot traffic from your site using CAPTCHA and JavaScript detection tools, while enabling known published bot providers to bypass these controls. Non-human traffic makes up most of the traffic to sites and bot attacks were the #1 web security threat (Verizon Data Breach Report 2015-2018). Bot Manager is designed to detect and block, or otherwise direct, non-human traffic that may interfere with site operations. The Bot Manager features mitigate bots that conduct content and price scraping, vulnerability scanning, comment spam, brute force attacks, and application-layer DDoS attacks. You can also whitelist good bots.

In this demonstration, I have configured two use cases. The first shows how OCI WAF can present a CAPTCHA to validate the user is a human, without requiring any change to the protected web application. The second use case shows how a non-human bot can be automatically blocked. The possible outcomes from detecting a bot can include issuing the CAPTCHA challenge, displaying an error page, or returning a specific HTTP response code. For this example, I chose to return a CAPTCHA for human users and an HTTP 403 error code for non-human traffic.

Bad bots are a major risk on the internet today, as highlighted in many surveys and reports, such as the Verizon Data Breach Investigation Report. Therefore, having a capability to stop the bad bots before they even hit your web application is important. This scenario shows how OCI WAF reduces your risk by blocking the bad bots at the network edge, at the same time increasing availability of your web application by ensuring only legitimate traffic accesses it.

Summary

The above videos are not an exhaustive set of capabilities for OCI WAF, rather just an introduction to some of the key capabilities within the platform, using simple, visual examples. Utilising a WAF to protect your internet facing web applications is one layer of a multi-layered defence, helping you to:

- Reduce risk
- Increase availability
- Increase compliance

Don’t just take my word for it. Feel free to have a go. You can sign up for a free trial of Oracle Cloud here. Being a cloud-based service, you can be up and running and protecting your web applications within minutes.

News

Oracle Introduces the Dashboard For The Modern Database Fleet

Authored By: Timothy Mooney, Senior Principal Product Marketing Director

If you’re an Oracle DBA, you’ve probably used Oracle Enterprise Manager (EM). It’s the de facto tool that DBAs have relied on for more than a decade. Which is why we’re excited to bring to you the dashboard for the modern database fleet. This new update will enable support for the Oracle Autonomous Database in Oracle Cloud along with many other new capabilities.

Why is this news important?

According to a survey by the International Oracle User Group, 6 in 10 respondents say the amount of resources going into legacy maintenance is hurting their organizations’ competitiveness. The dashboard coupled with the Autonomous Database frees up time spent on maintenance, leaving you with more time to spend on innovation. You can now manage Autonomous Databases as a part of your fleet, as well as a bigger fleet, with your new capabilities.

So how does it work?

Enterprise Manager continues to add features and support for new targets, ensuring you get the deep visibility you are used to regardless of where your database targets are running. You get the same visibility whether they are running in your datacenter, in Oracle Cloud Infrastructure, or now in the Autonomous Database. Some DBAs have set up their own monitoring and management, which is great, although it is getting progressively more complex and labor intensive with the growth of additional databases and, moreover, the complexity of many deployment models, including on-premises, in the cloud, and the Autonomous Database.

At the same time the database world gets more complex, Oracle Enterprise Manager continues to make it simpler: regardless of where your databases are deployed, they are all managed and monitored the same, in a single pane of glass. And troubleshooting is also easier with the performance hub, which houses the most valuable troubleshooting tools in a one-stop shop, including ASH reports, ADDM, and AWR reports.

On top of making Enterprise Manager easier to use, our new release of Enterprise Manager is also available on the Oracle Cloud Infrastructure marketplace. With a few clicks you can stand up an instance of Oracle Enterprise Manager in Oracle Cloud Infrastructure. You don’t need to have your own hardware or datacenter for that matter. It’s all available for you in the cloud.

To get a sneak peek, register for this on-demand webcast, Introducing the Dashboard for the Modern Database Fleet, to learn how administrators can get deep performance visibility for Oracle Autonomous Database with complete control over their entire database environments including on-premises and cloud deployments.

Find us on Twitter @OracleSecurity to learn about Oracle Security news, events, and more.

DB Sec

I Lost My Wallet: Now My Data's Gone

Maintaining Security with Encryption while ensuring availability at scale with Oracle Key Vault 18.1

You’ve been working on a business-critical project for months and it’s almost ready for executive consumption. Just one last data set to be completed and it’s done. But when you try to access the database this morning, an error message says “Decryption Key Missing”.

“No problem,” you think to yourself. My wallet is on an adjacent server and, with a simple password entry I’ll be back in business. But when you search for the wallet (the password-encrypted container that holds your encryption keys), you get another dose of bad news: the file is gone.

In a panic, you call up the new Database Administrator and ask if she knows anything about missing encryption keys. “Bad news,” she says, “that server had issues recently. The drive got corrupted and the server hasn’t been backed up for a while.”

Your heart sinks. All that work. You were so close, and now you’ll have to start over. Then another level of fear grips you: you don’t have the data to start over.

But it gets worse. An even deeper realization hits you as adrenaline starts to pump through your system: Not only is your project toast but that data set was being used by two other teams that report into your COO and they won’t be able to access it either. As the liability spreads, so does your sense of dread. In a panic, you ask the DB Admin if there’s any way she can retrieve the data.

The Good News and the Bad: “It’s Protected”

“Well,” she says, “it’s encrypted and that’s a good thing — Donahue requires all sensitive data to be encrypted in case of a breach.” You recognize the name Donahue as the CISO that was hired at the end of last year after the data breach at your Los Angeles office got the previous one fired.

“But you still need a key to read any of the encrypted data,” she continues.

“Can’t we get the database vendor to open it up for us?”

“Nope…that’s part of the deal with transparent database encryption: even the vendor can’t hack in. Has to do with separation of data administration from the data itself.”

More Common than You Might Think

This is a more common occurrence than most would like to admit. If one Googles “lost decryption key” you get about 1,300 hits, from help forums and news clips. Encryption is a necessity these days — not just for maintaining security and protecting your corporation’s data — as it’s written directly into much of the recent data security legislation. Article 34 of the GDPR, for example, states in the event of a breach, if the data at risk is encrypted, the requirement to contact each data subject affected is removed.

Caught between a Rock and a Hard Place

So, if you can’t do without encryption, yet you can’t risk losing your encryption keys — and let’s face it, many large enterprises have thousands of encrypted databases, each with their own key, and yet another for their backup copy — then what are you supposed to do?

This is where Oracle Key Vault comes in. Oracle Key Vault enables organizations to quickly deploy encryption and other security solutions by centrally managing encryption keys, Oracle Wallets, Java Keystores, and credential files. No more managing wallet files. No need to track keys throughout their lifecycle. And no chance of a new DB Admin deleting your only encryption key.

Oracle Key Vault 18

Oracle Key Vault 18 introduces new multi-master clustering functionality, improving the availability and scalability of key management operations, while significantly reducing the operational burden. This means you’ve got keys for all your currently active databases as well as your backup versions. And they’re managed, secured, and compliant.

Databases can connect to any node in the Oracle Key Vault cluster to get encryption keys. Any updates to keys or changes to authorization rules are quickly replicated to all other Oracle Key Vault nodes. If the Oracle Key Vault connection fails or a node goes down for any reason, the database servers transparently fail over to the nearest active Oracle Key Vault node. And the best part: it manages your wallets for you.

So, when you wake up from that bad dream about your lost decryption key, and actually get to work this morning, your data is there, safe, and accessible. You finish that big project on time and get the recognition you deserve from your group VP: “a job well done.”

For more information, review the Data Sheet and FAQ, and be sure to watch the replay of our Database Security Office Hours session focused on Oracle Key Vault. So, if you are using Oracle Database Transparent Data Encryption (TDE), or MySQL database TDE, download the Oracle Key Vault 18 software today from Oracle Software Delivery Cloud. If you are an existing Oracle Key Vault customer, be sure to upgrade to Oracle Key Vault 18 (patch 29695836 from Oracle Support).

DB Sec

Continuous Availability and Extreme Scalability with Oracle Key Vault

Today’s databases run huge workloads, with big demands on their availability, scalability, and security. Encryption has now become commonplace in today's cybersecurity and regulatory landscape, but people often struggle with securing and managing the keys. Not only do they need an easy to configure and manage centralized key management solution, but they also need a system that is resilient to network, operating system, and other node failures. Additionally, the key management system should be able to keep up with the availability requirements of thousands of databases spread across data centers.

We are thrilled to announce that Oracle Key Vault 18 with multi-master clustering is now available for download. It provides unprecedented improvements in the scalability and availability of keys, while significantly decreasing the operational burden of key management. Oracle Key Vault cluster is optimized to serve keys for tens of thousands of databases, and at the same time handle disaster scenarios too common in today's world.

Based upon feedback from our customers, we redesigned Oracle Key Vault to be continuously available for both read and write operations without any data loss. Now customers can group up to 16 nodes to form a multi-master cluster that can be deployed across geographically distributed data centers. All nodes run in active mode and significantly lower the total cost of ownership.

Databases can connect to any node in the Oracle Key Vault cluster to get encryption keys. Any updates to keys or changes to authorization rules are quickly replicated to all other Oracle Key Vault nodes so they are available on at least one other node, providing zero data loss. If the Oracle Key Vault connection fails or an Oracle Key Vault node goes down for any reason, the database servers transparently fail over to the nearby active Oracle Key Vault nodes for read/write operations without any down time, hiccups, or user intervention.

Oracle Key Vault has been extended for streamlined management and security through:

- Introduction of RESTful APIs to support the full portfolio of key management operations such as create key, register secret, get key, and revoke/destroy key
- Integration with external Hardware Security Modules (HSM) as root of trust
- Capability to run in the FIPS mode for stronger assurance through FIPS certified cryptographic modules

Oracle Key Vault provides key management for Oracle Database 11g Release 2 and later releases running on a variety of platforms including Oracle Linux, Red Hat Linux, Solaris Sparc, Solaris x64, IBM AIX, HP-UX, and Microsoft Windows. Oracle Key Vault is the only enterprise-grade key management solution tightly integrated with Oracle databases including support for Transparent Data Encryption (TDE), Real Application Clusters (RAC), Multi-tenant databases, Data Guard, Golden Gate, and ASM Cluster File System.

For more information, review the Data Sheet and FAQ, and be sure to attend our upcoming Database Security Office Hours session focused on Oracle Key Vault 18. So, if you are using Oracle Database Transparent Data Encryption (TDE), or MySQL database TDE, download the Oracle Key Vault 18 software today from Oracle Software Delivery Cloud. If you are an existing Oracle Key Vault customer, be sure to upgrade to Oracle Key Vault 18 (patch 29695836 from Oracle Support).

News

How to Address Evolving Threats and Compliance Requirements

Thirty percent of respondents in the Oracle and KPMG Cloud Threat Report stated their biggest cloud security challenge is aligning regulatory compliance requirements with their organization’s cloud strategy. This is not to mention the increasing number of threats companies must face every day. Limited resources and staff often leave organizations spread too thin when trying to meet their security and compliance objectives.

This week we sat down with Ted Sherrill, Senior Director of Security & Regulatory Solutions in North America at Oracle, for a Q&A about the current state of security and compliance for organizations making a transition to the cloud. Our conversation was sparked by the upcoming webcast, Oracle Adaptive Controls for Evolving Threats and Compliance Requirements, this Wednesday, May 8th. We examined some challenges companies face as they strive to abide by compliance requirements while continually fighting these evolving threats.

Cloud transformation has become a priority initiative for most organizations, how should IT/Security teams plan to adopt cloud services while keeping their compliance needs in mind?

Security and compliance budgets are limited and every control requires an effort to implement and sustain. Because of this, it’s important to limit the number of controls required for attaining regulatory requirements as well as meeting risk remediation objectives. Utilizing a security framework like NIST can help an organization identify which controls can be utilized from both a compliance and remediation perspective. It’s also vital to understand which of these controls can be utilized both on-premises and in various cloud environments, because if you don’t apply compliance and security in a strategic way, you may implement duplicate or unnecessary controls.

It’s been a year since GDPR took place and CCPA is just around the corner, how do you think organizations in North America will respond?

Many organizations were not subject to the GDPR due to not collecting EU resident data such as some organizations that operate in North America only. Many of those organizations are going to be subject to the CCPA and therefore will need to attain reasonable security procedures and practices for protection of the personal data along with attestation for what personal data they possess for a data subject and which third parties this information is sold to. The organizations that are subject to the EU GDPR have a head start on organizations that were not but many of them are having to enhance their policies, processes and controls for the variations with CCPA. Oracle provides solutions like the Database Security Assessment Tool (DBSAT) that can assist customers with identifying where personal data resides and existing controls in place to protect it.

To hear more from Ted and learn about adaptive controls, register for this upcoming webcast, Oracle Adaptive Controls for Evolving Threats and Compliance Requirements, on May 8 and join us on Twitter to get the latest on all things Oracle Security.

News

World Password Day: Are the Doors to Your Data Unlocked?

It is the age-old adage that you are only as strong as your weakest link, and this has never been more true. We see it in the movies when the intelligence agent approaches the well-funded bad guy’s fortress, with hundreds of millions in security, infrastructure and weaponry to protect their interests, and what ultimately fails them? That silly underground access panel with a 4-digit passcode requirement. This is our reality in today’s consumer, business and government environments. We invest a phenomenal amount in people, processes and technology, but for the one key component that ties it all together (the password) we default to whatever is easiest to remember. This continues to be the weak link for organizational security.

The recent Oracle and KPMG Cloud Threat Report 2019 surveyed 450 global organizations and found that 85% of these are looking to replace the password. Can this really be done? What would it be replaced with?

The consumerization of IT has done more to influence the way business operates than nearly anything outside of the internet itself. We have seen this in cloud. As consumers we have adopted a massive amount of cloud and mobile tech in the last 10 years to make our personal lives more productive, vibrant and engaging. With that came the expectation by many that our employers should be able to deliver similar business-enablement technology, which we have obviously seen. This same consumerization of IT has also ushered in our views around password management. While we have seen numerous business Single Sign-on “inspired” apps crop up for the consumer market, the wave of new smartphones, tablets and laptops using biometrics (facial recognition, retinal, fingerprint) has hit the market to help simplify the login options for consumers, and also forced the question, “Why can’t we use this same technology in business?”

Do we see the password truly being replaced by a fingerprint, or a face ID? Not any time soon. There are too many documented cases of this biometric data being stolen or compromised. The reality is this: if my password is stolen, I can reset it. If the biometric data for my fingerprint or face is stolen, it can never be changed. So for this reason alone, the death of the password is not likely.

So what is a viable option for the 85%? The reality is, every organization should be looking for ways to wrap a second form of authentication around the password (known as two-factor auth). We see 92% of organizations either have implemented or plan to implement Multi-factor Authentication (MFA) around key business-critical services over the next 18 months. Central to effectively managing this is to gain a foothold on your credential management. The incorporation of mobile and cloud into any business adds more layers of complexity, so businesses need to plan accordingly around the following:

- Develop a unified identity management strategy that covers on-prem into the cloud (hybrid cloud) and set goals for 8 min provision, 2 min deprovision (for example) of all accounts.
- Enforce complex password policies (unique per service, use of SSO to manage).
- Recognize password management isn’t an IT issue, cyber issue, or help desk issue… it’s all of the above. Today’s identity is the center of all infrastructure, IT and security initiatives.
- Educate your users on best practices around password management.

While today is not necessarily a celebration of “World Password Day”, it is simply a reminder for organizations that they have 365 days to show successful growth from this day to our next “anniversary” of “World Password Day”. Let’s make sure we all are using this time wisely.
For more information on discovering the key challenges organizations are dealing with in password management, you can download the Oracle and KPMG Cloud Threat Report, or for information on how Oracle continues to be a leader in the area of Identity Management 5 years running, visit our Oracle Security webpage for more information on our Oracle cloud security technologies.

News

Risky Business: An ERP Story

Imagine you’re a VP of Finance and you discover that one of your accountants has made 200 illegal transfers into her personal accounts by using the login credentials of former staff to delete the records or alter them so the transactions appeared legitimate. The company suffered a $30 million net loss and now you have to deal with the repercussions. While this scenario might seem rare, it happens all too often. Many companies rely on enterprise resource planning (ERP) systems to run their business-critical processes with access to sensitive data, making them very appealing targets for hackers and disgruntled employees. ERP systems are used by organizations to manage day-to-day business activities, such as accounting, procurement, project management and manufacturing, while enabling data flow between them. This shared data provides data integrity with a "single source of truth". And with cloud, mobile, and digital transformations rapidly expanding ERP’s attack surface, organizations must educate themselves and take appropriate action to make sure that their business operations are not disrupted. The first step is to understand where the cloud service provider’s responsibility ends and the company’s responsibility begins. This division of labor is the shared responsibility model and many companies do not understand their responsibility. According to the Oracle & KPMG Cloud Threat Report, participants shared that “such confusion has led to the introduction of malware (34%)”, “it has exposed them to increased audit risk (32%)”, and it “has also put data at risk, with 30% of organizations reporting that, as a result, data was accessed by unauthorized users.” In order to avoid scenarios like fraud and data theft, companies need to understand their responsibility and take appropriate action. Additionally, manual processes and archaic tools are not enough to deal with this evolving threat landscape. 
Organizations must leverage tools such as Oracle Identity Cloud Service (IDCS) and Oracle CASB Cloud Service to help protect their ERP from fraud and data loss, and to make sure the right people have access to the right information. By using a tool such as Oracle IDCS with a user life cycle management tool, the accountant would have never been able to use the login of former staff because terminated employees would no longer be able to log in. The company could have also leveraged user and entity behavior analytics (UEBA) to correlate users with suspicious activity and set policies to remediate. With Oracle CASB Cloud Service they would have been able to monitor and detect fraudulent patterns. With ERP exploitations on the rise, organizations must take the appropriate action so that their sensitive data is not stolen and their business-critical application is not compromised. Learn more about the rise of cyber threats and how to safely secure your ERP.

News

American Red Cross Manages Volunteers' Identities with Oracle

I remember watching the news coverage of Hurricane Katrina and the wildfires in Paradise, CA, and it’s hard not to have your heart break for the victims of natural disasters.  For that, I’m so grateful that organizations like the American Red Cross exist.  In researching information for this blog, I learned that for 136 years, the American Red Cross has been dedicated to serving people in need during disasters through volunteers and the generosity of donors.  They told us at OpenWorld that they provided more than 3.6 million meals and almost 1.5 million relief items in 2017 alone.  Those are staggering numbers and with 90% of the Red Cross workforce as volunteers, I can imagine it must be a daunting task to coordinate all of the supplies for the volunteers.  With so many volunteers, donations, and locations to distribute materials to those who need help, I am sure that the Red Cross has a strong system to ensure aid gets to the right people in their time of need.  From a logistics perspective, the American Red Cross has five nationwide distribution centers, and they open smaller, temporary hubs, along with rental warehouse space and trucks in areas hit by disaster.  Volunteers step up to stock the warehouses, run the shelters, and transport supplies for up to two weeks at a time. All of these logistics are dizzying, but I am grateful that the American Red Cross has built an early mobile system to get a single view of everything for the volunteers – orders, inventory, and transportation services in a streamlined process.  I’m proud to be a part of Oracle, because Oracle is part of that integrated system.  Oracle Cloud Platform, with Mobile Cloud Service and Integration Cloud, integrated with Oracle E-Business Suite, help deliver a mobile application to order, process, and track donations for the volunteers.  
The Red Cross uses Oracle Identity Cloud Service (IDCS) to authenticate the volunteers to ensure the donations do not fall into wrong hands and volunteers can quickly distribute help to those in need. Normally, when we think about IT security, images of large data centers and codes of data security come to mind.  With the American Red Cross, we are reminded of the importance of security to identify and validate all of those volunteers for the Red Cross to make sure that they have a single view of the inventory, orders, and transportation to set up a shelter and provide help to those who need it quickly.   Identity Cloud Service, a key part of the Oracle Security portfolio, provides a cloud-based, integrated service that delivers all of the core identity and access management to organizations of all sizes.  With IDCS, the Red Cross has a single, aggregated view of the volunteers’ identities across all channels (mobile and on laptops) to define and enforce consistent identity policies.  The mobile application that was shared at OpenWorld 2018 was still a pilot, but the senior director of information technology, Susan Gorecki, sounded optimistic when it went live after Hurricane Florence in September 2018.  I look forward to hearing more about how the mobile app will continue to be rolled out to help more people in the future.  Visit the Oracle Identity Cloud Service webpage to learn how IDCS can help your organization. 

News

Your Company in the Cloud: Predicting Security in 2019 and Beyond

A critical shift in cloud usage has occurred: organizations are no longer looking at cloud as nice to have. Cloud deployments have transitioned into business-critical initiatives for organizations looking to innovate their business, increase efficiency, and improve security. In fact, the Oracle and KPMG Cloud Threat Report 2019 shared that nearly half of all respondents expect to store the majority of their data in a public cloud by 2020.

This promising shift in cloud usage is highlighted in Oracle’s Top 10 Cloud Predictions 2019. The paper highlights several exciting predictions such as the further incorporation of automated and AI technologies into every layer of security. These innovative solutions enable greater accessibility for non-technical business users who are looking for a tool that is reliable and can be easily managed. However, this speedy innovation has caused challenges within the organization; securing applications (and your environment as a whole) is more critical than ever. The Cloud Threat Report also found that 93% of respondents are dealing with rogue cloud app usage. In other words, IT organizations are struggling to keep up with their LoBs and the risk of a breach is greater than ever.

Risks are Real, The Future can be Promising

Organizations are reaping the benefits of cloud usage, but they must also be aware of potential risks. Companies no longer retain sole control over their data. The rapid roll out of cloud solutions has left many organizations struggling with visibility. These organizations have multiple tools all designed to complete a specialized function, but not intended to integrate together to create a full picture. Understaffed IT security departments simply do not have the bandwidth to piece together all of the notifications from their disparate systems. This vulnerability gap leaves organizations susceptible to attack.

The paper predicts 90% of enterprises will use a single identity platform that bridges the visibility gap within hybrid environments. Food for thought when we consider the massive amount of data each user in our organizations may have access to. Standardizing your identity platform on a modern tool designed to meet the needs of both on-premises and cloud solutions is critical in protecting not only your users, but also your corporate applications and sensitive data. Organizations also find that with a unified hybrid IAM solution, they are better able to support their security and compliance objectives, all while improving user experience and trust.

Security Events Will Continue to Rise, How Will You Respond

Streamlining tools and increasing automation will be critical, as the paper’s ninth prediction states that the number of security events will continue to rise in 2019. Organizations are pounded with hundreds or even thousands of security events each week. The overwhelming number of events makes it impossible for teams to catch and act on every real threat. So how do we compete with highly sophisticated attackers? The recent Secure and Manage Hybrid Clouds guide discusses the importance of incorporating AI and machine learning capabilities into your security strategy. Cyber criminals are utilizing automated technologies to blend into your environment and sneakily expose or steal your sensitive information. Organizations looking to beat these attackers at their own game must bring automation to the forefront and work on better ways to train all employees on security best practices. These small steps can protect an organization’s employees, customers, and brand reputation.

As we head into the second half of this year, think about the changes you see on the horizon for organizations in your industry. Any predictions?
Access Oracle’s Top 10 Cloud Predictions 2019 to see a full list of cloud predictions that could affect your organization and understand strategies to address them.

Cloud Threat Report

ERP Risk Series Webcast: Join Oracle and KPMG Tomorrow

Is your organization using SaaS applications? The answer is most likely yes, with 84% of organizations who participated in the Oracle and KPMG Cloud Threat Report 2019 stating that they use SaaS services within their company. There is no denying the cost and time savings an organization can get from consuming SaaS services. What is even more interesting is that organizations are now adopting SaaS for their mission-critical applications. Organizations have made a shift, with 69% of respondents stating that more of the cloud services they use are business critical compared with just 12 months prior. Companies are reaping the benefits of cloud, but they must also be informed and prepared to protect their apps, users, and data.

Join the creators of the Oracle and KPMG Cloud Threat Report 2019 as they discuss highlights from the report and touch on emerging cyber security challenges and risks that organizations are facing today.

Join the webcast for an overview of:

- Cloud utilization and adoption trends
- The shared responsibility security model
- Using AI and machine learning in your security program
- Leading practices and strategies in managing and remediating cloud risk

ERP Risk Series: Oracle and KPMG Cloud Threat Report 2019
April 17th, 2:00pm EDT
Register Now!

DB Sec

Myth or reality – Can a database secure itself?

Security attacks are getting more sophisticated, with Fast Company predicting that the security industry will see a rise in AI-powered malware, smart phishing, AI-powered defenses, trust attacks, and more.  Those attacks could go after your database, where all of the rich data for your company is stored.  You, as the database administrator and security professional, must keep up.   Industry research firm IDC found that as much as 75 percent of the total cost of database management can be attributed to labor, and some of that labor is focused on securing the database. The simple act of keeping up with the latest patches and vulnerabilities is dizzying.  According to the Verizon Data Breach Investigation Report, 85% of security breaches today occur after a common vulnerability and exposure alert has already been issued but has not been addressed. The natural question is, how can you use the sophistication of Machine Learning and AI for the good of securing your database?  Can you find a way for your database to secure itself? An autonomous database can combine the dynamic agility of the cloud with the intelligence of machine learning.  As a result, organizations like yours can transform their IT operations for their database security from a manual process into a modern cloud model that lowers operating expenses, eliminates costly downtime, and ultimately enables security and database professionals like you to innovate using fewer resources. The Oracle Autonomous Database is designed to deliver these benefits across three primary categories, with minimal to zero human intervention: self-driving database and infrastructure provisioning, management, monitoring, backup, recovery and tuning, self-securing database which automatically protects itself from internal and external vulnerabilities and attacks, and self-repairing database which provides preventative protection against unplanned and planned downtime.  
As a security expert, the Autonomous Database allows you to sit back, relax, and let Oracle do the driving, knowing that your data is secure. As a result, you see automatic, in-depth data protection at all levels, and you can focus on database administration instead of security concerns. Join us on May 1st to hear from Oracle’s security experts about how Oracle Autonomous Database self-secures itself and proves that self-securing databases are a reality.  Register today!

Cloud Threat Report

Oracle Cloud Security Day Comes to New York City

One year ago, we hosted one of our most successful events in the “Big Apple”, and Oracle and KPMG are back in New York again to host our annual Oracle Cloud Security Day on May 7th. Registration is live now, and seating is limited!

According to the recent Oracle and KPMG Cloud Threat Report 2019, organizations are placing more business-critical data in the public cloud than ever before. In fact, 7 out of 10 cite that they are placing more sensitive data in the cloud than the prior year. We also see 92% of organizations that feel the cloud can provide an environment as secure as, or more secure than, their own on-premise data center, so trust is at an all-time high.

What complicates this is the fact that while there is tremendous trust and increasing plans to transition to the cloud, there is a great deal of confusion on just how to do this in a way that reduces risk, prevents cases of fraud, and ensures that data protection and privacy regulations are not violated and sophisticated threats are not impacting customer data. 90% of cyber leaders state that they do not know what their organization’s role is in securing SaaS relative to their cloud provider.

This full day session will be focused on breaking down the growing risks, examples of fraud, data breaches and areas where data privacy and protection regulations are most at risk. Oracle and KPMG leaders will present how layered defense and controls can work to mitigate the risks each organization is facing today and help each organization make their cloud journey a successful one.

Register today for this New York event, or for another event near you.

Cloud Threat Report

Top 5 Reasons to Attend Oracle Cloud Security Day

Have you registered yet for the Oracle Cloud Security Day near you? Now is your time! We have seen tremendous strides organizations are making in their plans to adopt new cloud services, while at the same time… we have also seen the increasing challenges.

This year’s Oracle and KPMG Cloud Threat Report 2019 highlights this clearly, with 7 out of 10 organizations placing more business-critical information in the cloud than the year prior. At the same time, we also see that 90% of security leaders are struggling to understand their responsibility in securing SaaS vs the cloud service provider. This imbalance in preparedness is not sustainable for organizations as they lift and shift workloads into the hybrid cloud, and it requires a top-down look at the potential risks exposed to applications and services when proper controls are not put in place.

That’s why we’re bringing Oracle Cloud Security Day to a location near you. Join us for a one-day session that will highlight the top security risks and root causes of fraud, and we will walk through leading practices for remediating the risk.

Here are the top 5 reasons you should attend Oracle Cloud Security Day:

- Learn about effective cloud shared security responsibility model
- Develop a security strategy with help from our security experts
- Explore how organizations can employ a layered defense strategy with multiple controls-in-depth for the hybrid-cloud
- Learn how the autonomous database can help secure business-critical data
- Discover how Oracle and KPMG work together to support a heterogeneous and multi-cloud environment

Register to join us for free in a city near you:

Events in Your Region

- Toronto, Canada: May 2, 2019
- New York, New York: May 7, 2019
- Washington, D.C.: May 9, 2019

News

Cyber Security: Are We Doomed?

At OpenWorld Asia, a few weeks ago, I moderated a discussion with an impressive panel of cyber security experts, discussing security and privacy. The panelists included: Rob Soan of the Wall Street Journal, Vivek Jaiswal of NRMA, Laurent Gil from Oracle, and Yum Shoen Yih representing the Cyber Security Agency of Singapore. We pondered the question “Are we doomed?” given the data and headlines flooding our newsfeeds each week.

It goes without saying that we are facing global cyber security challenges. As evidence of the challenges we reviewed a few data points:

- Cyber Security is a top global risk as identified by the World Economic Forum in their Global Risk Report for 2019. It ranks just behind climate change as the top issue, highlighting the risk we face with our dependency on systems. Our reliance on systems has grown so much that it threatens to disrupt stability and integrity, making it a potentially massive risk for societies.
- Data breaches know no geographical boundaries. We reviewed information for breaches that occurred in the last two years in the ASEAN region. Over 100 million records were breached in 9 incidents. The information types included passport information, healthcare data and imagery, voting records, passwords, and the usual base identity information. Most of this data was not financial payment information but the kinds of information that attackers can use to commit fraud quietly over longer periods of time. This information does not have the short shelf life of a stolen payment card that can easily be cancelled. This information can be stored and sold on the dark web and used to launch massive fraud schemes, such as healthcare fraud based on fraudulent claims, filing fraudulent tax returns claiming refunds, using credentials for fraudulent travel documents such as passports, or even attempting to affect election outcomes (voter registration info).
- We now live in a world where every interaction creates and leaves crumbs of data behind. A trip to the supermarket, a drive in our smart-car, booking travel, seeing our healthcare professional, downloading content, visiting the DMV, registering to vote… very few interactions remain only physical with no digital crumbs left behind. IDC has noted this rapid increase in data creation and expects that the global datasphere will reach 175 zettabytes by 2025, up from 33 zettabytes in 2018. This raises the bar on organizations’ accountability for the data they collect and hold under evolving privacy regulations. Cyber security best practices are required to avoid fines, damaged customer trust, down time, recovery costs, and even jail time, which as our panelist highlighted is the case in Singapore.

We are not doomed, but need to stay focused to get better. Many attacks are actually simple and not sophisticated. Organizations often struggle with bad password hygiene (not hashed nor encrypted), lack of encryption of data, not enough attention to managing least privilege, and failure to quickly identify the early signs of an attack, when damages and massive breaches can still be stopped. We need to make cyber security a priority. For many organizations, this is occurring and investments are being made, but it is often not just the money that matters but what is done.

We need to evolve our security thinking and how we pursue “defense in depth”, the motto of security professionals for some time. As noted in the Oracle and KPMG Cloud Threat Report 2019, almost 75% of respondents believe that security in the cloud can be better than what they can do in their own data center. Cloud offers a simpler path for security by streamlining visibility and reducing manual processes; it may not need all the traditional layers of defense, or at least they are implemented differently in cloud. We are not doomed if we act now to strengthen cyber security, tap technologies, and don’t stick our heads in the sand.
The statistics are clear, threats are everywhere, but with preparation and strategy, organizations can better protect their employees, customers, and their reputation.

DB Sec

Margaritas, Mariachi, and the Maximum Security Architecture – Database Security in the Fiesta City

One of the most rewarding things a product manager does is work with User Groups, and next week is one of my best opportunities of the year.  The International Oracle User’s Group (IOUG) is holding their annual Collaborate conference in San Antonio from 7-11 April.  The Database Security team was fortunate to have three sessions and two hands-on labs accepted for the conference, with both hands-on labs on Sunday, a session on Monday, and two more sessions on Tuesday. Collaborate sessions are focused on problem solving and technical content.  The attendees are almost all Oracle professionals, and the base skill level for conference attendees tends to be quite high. These are people who work with my Oracle Database on a daily basis, and in my sessions at Collaborate I get to skip straight to the good stuff.  It can be challenging – the questions I’ll get from the audience next week are almost guaranteed to be tough ones – but that’s also part of the fun. We'll be offering hands-on experience with the latest version of the Database Security Assessment Tool, sessions on Privilege Analysis and Unified Audit, and a potpourri session on ten security features that you might not know about, but should be using.  Almost guaranteed to be something for everyone!  The venue is also a nice change from the standard convention scene – for the past several years Collaborate was held in Las Vegas, and Las Vegas is always fun.  But this year Collaborate changed things up and moved to the Fiesta City, with the event held in the Henry B. Gonzalez convention center - right on San Antonio’s Riverwalk – which is absolutely fantastic, especially this time of year.  Nice weather, great scenery, and the food is amazing!  
If your travels take you to San Antonio next week, please stop by – we’ll have a large exhibit in the conference show floor, and the session schedule is:

Sunday, 7 April
- 10:30 am Hands-on Lab: Assess your Database Security
- 2:00 pm Hands-on Lab: Assess your Database Security

Monday, 8 April
- 10:30 am Oracle Database Privilege Analysis for Least Privileges - Now Available with Enterprise Edition!

Tuesday, 9 April
- 10:30 am Shedding decades of technical debt with Unified Audit
- 12:45 pm Recent Database Security Innovations You Might Not Be Using, but Should Be

Hybrid-Cloud Identity

A Simple Guide to Generating Fake Identity Test Data

Whilst Cloud-based IAM services such as Oracle Identity Cloud Service are clearly the strategic direction for many customers, I still work with lots of companies either using today, or still considering, traditional ‘on-premise’ IAM solutions. This can be for a variety of reasons, including:

- They cannot move to the cloud due to the sensitivity of their organisation, or possibly for regulatory reasons.
- They need deep technical capabilities and flexibility of an on-premise IAM platform, not typically provided with cloud-based Identity-as-a-Service (IDaaS) solutions.
- They are in the process of migrating to Cloud, but still have many systems, including their IAM platform, running on-premise.

Of course, when I refer to ‘on-premise’ IAM I am talking about traditional IAM platforms, where the customer is responsible for installation and configuration of the software, as well as the day-to-day operation of it. Whether that software is actually running ‘on-premise’ within a customer’s own data centre, in a partner’s DC, or within a Cloud IaaS platform, it is still distinctly different to a Cloud-based IDaaS platform, where the customer is not installing and managing the underlying platform. Instead, they are just consuming the IDaaS service. For the remainder of this article, I will refer to this ‘on-premise’ IAM as Enterprise IAM.

As anyone who has looked at a true IDaaS solution such as Oracle Identity Cloud Service is aware, you are not responsible for many of the non-functional requirements of the platform, such as performance, monitoring, backup and recovery, DR etc. However, all of this is firmly your responsibility with Enterprise IAM, just like any other on-premise software. At the moment, I am working on a project that uses Oracle Management Cloud (OMC) to monitor Enterprise IAM (in this case, Oracle Enterprise Identity Services Suite).
In case you aren’t aware, OMC is a cloud-native suite of management services that eliminates the human effort associated with traditional solutions for monitoring, managing and securing applications and infrastructure. OMC leverages machine learning and big data techniques against the full breadth of the operational data set to help customers drive innovation while removing cost and risk from operational processes. More details on this project in a future post.

An Overview of Oracle Management Cloud

In my environment, I have a full demo platform of Oracle Enterprise IAM deployed and OMC agents deployed to monitor the activity and metrics for that platform. However, monitoring provides limited value without any throughput and, being my own demo platform, it’s not heavily used enough to generate any serious metrics or activity. For access management, I want to throw some load at the servers for different use cases and see how they perform, together with the underlying LDAP. Similarly, for identity governance, I want to perform a number of activities to kick off various actions and workflows etc. Therefore, I have been spending some time building some automated testing scripts using tools like Apache JMeter and Postman.

To make the testing realistic I needed to generate some fake test data. In the past, I have used Perl scripts to generate data but I didn’t really fancy brushing up on my very rusty Perl skills. Therefore, after asking a couple of colleagues I was pointed at a Python module called Faker. If you are already familiar with Faker, then you can stop reading now. However, if you aren’t, then I found it extremely useful. In just a few lines of code I was able to generate a CSV containing completely random test data. The official location for Faker is on GitHub, and it provides installation instructions and simple usage instructions. As you will see, Faker has a wide range of different modules for generating different types of fake data.
Below is the script I wrote to generate a simple CSV of random user details.

```python
# Paul Toal, Oracle
# March 2019
# This file is used to generate a CSV file containing
# random user details for use with an Oracle Identity
# Governance test script

# Import the Faker module for generating fake data
from faker import Factory
# Import the random module to generate an employeeID
import random

fake = Factory.create()

# How many entries to make
howMany = 10

# Create a random number to use as a starting point for employeeID
entropy = random.randint(10000, 99999)

# Open the file to write the output to; the with block closes it when done
with open("OIGTestUsers.csv", "w") as file:

    # Write the CSV header line (no spaces after the commas, matching the data rows)
    file.write("employeeNumber,title,familyName,givenName,organization,email,userName,userType,phone" + "\n")

    # Create a new line in the CSV for each user
    for n in range(1, howMany + 1):

        # Generate job title. Returned value can contain a comma, so will be stripped out later
        title = str(fake.job())
        # Generate phone number. Return value can contain an extension, i.e. x1234, so will be stripped out later
        phone = str(fake.phone_number())
        # Generate first and last names separately to re-use in fields such as userName and email
        lastName = str(fake.last_name())
        firstName = str(fake.first_name())

        # Write each entry line to the output file, ending the row with a newline
        file.write(str(n + entropy) + ","
                   + title.split(',')[0] + ","
                   + lastName + ","
                   + firstName + ","
                   + "Finance,"
                   + firstName + "." + lastName + "@oracledemo.com,"
                   + firstName + "." + lastName + ","
                   + "Full-Time,"
                   + phone.split('x')[0]
                   + "\n")
```

I hope you find this useful as a guide to generating your own fake test data. Of course, there are many alternative ways to generate test data, in many different languages. However, I found this ideal for my particular purpose, and with very little effort.
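A check worth running on the generated file before loading it into a test system: random first and last names can repeat, and names can contain apostrophes or spaces, so userName and email values may collide or be rejected. The validator below is an added example, not part of the original post; the sample rows are constructed, and the character rules for userName, email and phone are assumptions to adjust to your own policy.

```python
import csv
import re
from collections import Counter

# Column order written by the generator script in the post.
EXPECTED_HEADER = ["employeeNumber", "title", "familyName", "givenName",
                   "organization", "email", "userName", "userType", "phone"]

# Assumed policy for this example (adjust to the target system's rules).
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]+$")
EMAIL_RE = re.compile(r"^[A-Za-z0-9._-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")
PHONE_RE = re.compile(r"^[0-9+(). -]+$")

# Fields that must be unique across the file (compared case-insensitively).
UNIQUE_FIELDS = ("employeeNumber", "userName", "email")


def validate_users(csv_text):
    """Return a sorted list of (line_number, problem); an empty list means clean."""
    # splitlines() accepts "\n", "\r\n" and bare "\r" row endings;
    # skipinitialspace tolerates spaces after each comma.
    rows = list(csv.reader(csv_text.splitlines(), skipinitialspace=True))
    if not rows or rows[0] != EXPECTED_HEADER:
        return [(1, "unexpected header")]

    problems = []
    records = []
    for line_no, row in enumerate(rows[1:], start=2):
        if not row:
            continue  # blank line
        if len(row) != len(EXPECTED_HEADER):
            # An unstripped comma in a job title or name shifts every later column.
            problems.append((line_no, "wrong field count"))
            continue
        rec = dict(zip(EXPECTED_HEADER, (value.strip() for value in row)))
        records.append((line_no, rec))
        if not rec["employeeNumber"].isdigit():
            problems.append((line_no, "employeeNumber is not numeric"))
        if not USERNAME_RE.match(rec["userName"]):
            problems.append((line_no, "userName has disallowed characters"))
        if not EMAIL_RE.match(rec["email"]):
            problems.append((line_no, "email has disallowed characters"))
        if not PHONE_RE.match(rec["phone"]):
            problems.append((line_no, "phone has disallowed characters"))

    # Flag every row that shares a value in a field that must be unique.
    for field in UNIQUE_FIELDS:
        counts = Counter(rec[field].lower() for _, rec in records)
        for line_no, rec in records:
            if counts[rec[field].lower()] > 1:
                problems.append((line_no, "duplicate " + field))
    return sorted(problems)


# Constructed sample in the layout the script writes (not real output).
SAMPLE = "\n".join([
    "employeeNumber,title,familyName,givenName,organization,email,userName,userType,phone",
    "48213,Systems analyst,Nguyen,Maria,Finance,Maria.Nguyen@oracledemo.com,Maria.Nguyen,Full-Time,555-0100",
    "48214,Engineer,O'Hara,Liam,Finance,Liam.O'Hara@oracledemo.com,Liam.O'Hara,Full-Time,(555)010-0101",
    "48215,Accountant,Nguyen,Maria,Finance,Maria.Nguyen@oracledemo.com,Maria.Nguyen,Full-Time,555-0102",
    "48216,Buyer,Smith,Ann,Finance,Ann.Smith@oracledemo.com,Ann.Smith,Full-Time,001-555-0103",
    "48217,Engineer, civil,Lee,Sam,Finance,Sam.Lee@oracledemo.com,Sam.Lee,Full-Time,555-0104",
]) + "\n"

if __name__ == "__main__":
    for line_no, problem in validate_users(SAMPLE):
        print("line %d: %s" % (line_no, problem))
```

Rows that fail can be regenerated or given a numeric suffix before the file is used, so a load test does not stall on rejected or colliding accounts.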


Cloud Threat Report

Three Keys to Cloud Security

“Oracle and KPMG Cloud Threat Report 2019” demonstrates the importance of visibility, shared responsibility, and a CISO seat at the table.

By Alan Zeichick

Want to protect your assets in the cloud? You need to know what those assets are and who is using them. Your security teams must be able to see everything going on in the cloud infrastructure, from the cloud’s core to its edge. They need to be certain about which parts of your cloud applications are the business’s responsibility to secure—and which fall under the domain of the cloud service provider. And at the C level, the chief information security officer (CISO) must have a seat at the table during each and every discussion that involves acquiring or using new cloud applications or resources, in order to make sure those services are safe and compliant with enterprise policies.

Those are three of the top takeaways from the “Oracle and KPMG Cloud Threat Report 2019.” Attention to cloud security is essential for modern-day enterprises—as a glance at any newspaper instantly communicates, with headlines reporting downloads of unsecured customer files from retailers, theft of intellectual property from tech firms, and complete business disruption.

Cloud security is a big challenge for another reason: Enterprise use of the cloud has reached surprising levels of adoption and is continuing to increase. In the Oracle/KPMG study, 7 out of 10 organizations reported an increase in the use of business-critical cloud services—and there’s a huge increase in the number of enterprises storing their data in the cloud.

At the same time that cloud usage is accelerating, security considerations are being left behind. Fully 93% of the participating organizations reported that users have adopted rogue cloud applications. That’s a prime example of “shadow IT”—that is, technology decisions being made by employees without the knowledge or approval of the IT department. These decisions are rooted in the BYOD movement and the consumerization of IT.

Individual employees, for example, may be running consumer-grade cloud services (think Evernote or Dropbox) to improve personal productivity—and, in the process, might store or even share confidential business information such as customer data or financial documents in those services. Departments may be signing up for hosted SaaS applications (such as WordPress or Adobe Creative Suite). Developers could be using popular cloud-based software development code repositories (GitHub, say, or SourceForge). And staffers might be sharing cloud-based collaboration platforms such as Slack or SharePoint with partners, suppliers, or customers.

Are those cloud applications bad? In most cases, the products are fine from a software-quality perspective. But having a solid reputation doesn’t clear those specific apps for use in your business without the IT department’s knowledge and approval. And even after an application is approved for use, the CISO must ensure that it is implemented in accordance with your company’s security policies; otherwise, the organization is at risk of having critical data lost or stolen or of letting outsiders gain access to confidential internal information and processes.

There are too many risks to organizations for leaders to be complacent about security. Here are three key ways to address those threats—and tackle the challenges head-on.

Key #1: See Everything You Need to Protect

Visibility is essential to every aspect of security. Consider the office building: Cameras are watching over exterior doorways, for example, and logging software is recording when employees and vendors badge in to secure work areas. The same must be true of critical information about network traffic, successful and unsuccessful attempts to log in to the network, and use of enterprise applications.

It’s not enough to know that the CFO logged in to the accounting system at 1 a.m. It’s also important to know the device type, device location, and telemetry involved. The transaction might be completely valid, or it might come from a place halfway around the world when the CFO is actually at home. Or it might come from the CFO’s own smartphone, after a click on a link in a phishing email.

Without visibility, AI-based security software can’t detect anomalies or piece together patterns of behavior that might indicate fraud or illegal activity. Without visibility, security investigators can’t find root causes of unusual situations quickly and accurately. That’s particularly true with cloud services, says Greg Jensen, senior director of cloud security at Oracle and coauthor of the “Oracle and KPMG Cloud Threat Report 2019.”

“There are so many examples throughout this report about challenges with visibility,” he says. “Organizations don’t know what their employees are doing with cloud services and where their corporate data is being placed. Is it going on Google? Or Amazon? Is it going on Bill and Ted’s excellent cloud service? They don’t have that visibility.”

One way to get more visibility is to implement CASB-compliance technology for the cloud ecosystem, says report coauthor Brian Jensen (no relation), a risk-management consultant at KPMG. A CASB, or Cloud Access Security Broker, provides visibility into the entire cloud stack while providing security automation for enforcing corporate policies. A full-featured CASB platform provides threat detection, automated incident response, predictive analytics, and security configuration management.

“A CASB shows what employees are doing with cloud-sanctioned and unsanctioned cloud services,” says KPMG’s Jensen. “The average organization is running in excess of 1,900 applications—including cloud applications. By and large, security professionals need to use a CASB to monitor business-critical cloud transactions” and then enforce policies regarding those apps.

Key #2: Understand the Shared Security Model

In a classic data center application, the enterprise has complete ownership of security: everything from the physical installation to network access, from patching vulnerabilities to checking users’ digital credentials. In a cloud service—any cloud service—security responsibility is shared between the enterprise and the cloud services provider.

Problems occur when the enterprise fails to realize its security responsibilities, says Oracle’s Jensen. This can happen because of shadow IT or because of misunderstandings about the shared security model for cloud services.

For example, take penetration testing, which measures how easy it is to attack a cloud service with known hacking techniques. Many enterprises don’t see that as any part of their responsibility, so they don’t do it.

“A lot of businesses believe they aren’t responsible for testing the security of a cloud service,” Oracle’s Jensen says. “The reality is that whether you are using IaaS, PaaS, or SaaS, your business is responsible for doing penetration testing. The business is responsible for ensuring that the cloud cannot be penetrated—either the service or the application itself.”

KPMG’s Jensen points to user authentication as an area of common misunderstanding. “While SaaS providers include a single-sign-on authentication solution, passwords simply aren’t good enough,” he says. “You need balanced user enablement with the requirement to protect sensitive data and transactions, so organizations should consider the use of multifactor authentication with biometrics.”

Event monitoring touches both the visibility issue and responsibility sharing, he adds. “Security event monitoring in SaaS is still your responsibility,” he says. “If there are suspicious user activities associated with your portion of the shared responsibility model, you have to be aware of those events, monitor them, and react to them.” (This shouldn’t be confused with the foundational event monitoring that the cloud services provider uses to defend against a variety of network-level events.)

Key #3: Seat the CISO at the Table

A line-of-business department is considering adoption of a cloud-based application—perhaps a turnkey SaaS application. Is the CISO invited to the meetings where that product is discussed, evaluated, and approved?

Maybe. But then again, maybe not. And it’s quite likely that the CISO’s team is not involved in the implementation and integration of that cloud application. In fact, the security team members may not even know about that app until security incidents begin showing up on their dashboard.

“There’s a lack of communication, lack of collaboration, and lack of visibility across the C-suite,” says Oracle’s Jensen. “The C-suite is facing challenges in terms of how to collaborate on security, risk, compliance, and privacy.”

Teams won’t work together if their managers don’t work together. “We have to address these C-suite problems head-on,” Jensen says. “We have to try to make sure that this is a collaborative conversation where everyone understands their unique role in making cloud security successful for the organization. When executives aren’t doing their part, the company as a whole is at risk.”

A Bright Future for the Cloud

Increasingly, organizations trust the cloud for critical applications and for storing essential data. Security technology is doing a good job of keeping up, but more still needs to be done, as is documented in the “Oracle and KPMG Cloud Threat Report 2019,” says Oracle’s Jensen.

“The cloud capabilities and the solutions available today are far superior to what we had just a couple of years ago,” he says. “There is much more security awareness now than what we had in years past—and more acceptance about the need to have conversations with the security teams and the risk teams.”

Next Steps

READ the “Oracle and KPMG Cloud Threat Report 2019.”

LEARN more about Oracle CASB.


News

Oracle OpenWorld is Coming to Singapore March 26th

Oracle OpenWorld has hit the road this year, moving across the globe to several cities and will be landing in Singapore March 26th-27th. If you are registered to this sold out event, here are a few great sessions to catch. If you were not able to attend, please be sure to check back for more blogs with recaps on these sessions and the latest Oracle Security updates.

For those of you in attendance, you are in for an action packed two days with several focus areas you can zero in on. If you are interested in learning more about security, consider these sessions:

1) Navigating the Technology Revolution - Security and Compliance in the Cloud
Tuesday, March 26th | 2:35 pm - 3:10 pm | Main Stage (Level 5) - Marina Bay Sands
Join Eran Feigenbaum, Chief Security Officer, Oracle, Steve Daheb, Senior Vice President, Oracle Cloud and Fernanda Kroup, Managing Director, Corporate Research and Consulting for Eurasia Group as they discuss their point of view on the technology revolution and how it pertains to security in the cloud.

2) Role of Security and Privacy in Globalized Society - Threats, Implications and Outcomes
Wednesday, March 27th | 1:05 pm - 1:40 pm | Arena 4 (Level 3) - Marina Bay Sands
This panel of security experts will discuss topics around threats organizations are facing today and the potential threats they may battle against in the future. This discussion on 'the next security threat' is sure to be thought provoking and provide a glance into the future of security and privacy around the world.

3) Introducing Oracle's Data Security Cloud Service for Oracle Databases
Wednesday, March 27th | 1:05 pm - 1:40 pm | Forum 3 (Level 5) - Marina Bay Sands
A secure infrastructure, data encryption by default, and automated patching make Oracle Databases in the Oracle Cloud secure, but there are risks associated with customers controlling access and monitoring the use of data. Join Russ Lowenthal, Director of Product Management for Database Security, as he introduces Data Security Cloud Service and its data security management capabilities.

4) Security in Oracle Cloud Infrastructure: Core to Edge Protection
Wednesday, March 27th | 3:30 pm - 4:05 pm | Arena 9 (Level 3) - Marina Bay Sands
Join Laurent Gil, Evangelist and Security Architect for OCI, as he explains the need for organizations to adopt a core-to-edge security strategy in order to deal with the complex and varied threat landscape. Data breaches and security-related outages have huge negative impacts on organizations, but this session will detail how an approach that extends from the core infrastructure to the user edge will help protect your organization.

Check out the content overview for a list of all the sessions, spanning a variety of topics.


News

Is the Cloud Secure?

Are differing opinions about cloud cyber security an indication of a major unchecked risk, or just two different sides of the same valuable coin?

Security leads are confident about cloud security and are planning to house more and more of their sensitive data in the cloud. Recent data indicates a 3.5x increase in the amount of data expected to be stored on the public cloud from 2018 – 2020, according to the Oracle and KPMG Cloud Threat Report 2019.

However, at the same time, many practitioners question the inherent security of the cloud, even as they are directed to make the move by these leaders. One recent Twitter poll of IT practitioners (versus leaders) showed a distinct lack of confidence in cloud-based security. And in defense of these practitioners, some breaches have occurred as a result of the move to the cloud. (One that comes to mind — the Amazon GoDaddy breach — was due to a misconfiguration of the AWS S3 buckets.)

So, is there something fundamentally insecure about today’s cloud services and infrastructure? The short answer is “no”. But like many complex issues, the answer depends on the context. To fully unpack this issue requires taking a short detour into the history of cloud migration and observing how the first generation of cloud computing was created.

Generation 1 Infrastructure

In the first generation (this includes AWS, Microsoft Azure, and Google Cloud) the same servers that hosted control code were shared with customer data and code. This created a vulnerability, and ultimately prompted the need for another generation of cloud computing. Generation 2 is different, however, and takes the idea of isolation very seriously.

Separation of Church and State

Oracle was second to the cloud infrastructure offering. While this may have been, in some respects, disadvantageous, ultimately it has allowed Oracle to learn from others’ mistakes and design a cloud infrastructure with security in mind, from the ground up. In a recent video clip, Oracle security execs, Eran Feigenbaum and Johnnie Konstantas, discuss how the initial weakness turned into an advantage.

In a security keynote at Oracle Open World last year, Larry Ellison explained that customers may have their own bare metal server or may share them amongst each other for economic reasons. However, they will never share the same server that houses cloud control code.

“We will never put our cloud control code on the same computer that houses customer code — this creates an incredible vulnerability….” — Larry Ellison

An excerpt from Larry Ellison’s Keynote comparing Gen 1 and Gen 2 cloud infrastructures.

2nd Generation Infrastructure

In Gen 2, Oracle made the decision to add a completely different layer of computer networks to house the cloud control code and has kept it separate from the tenant infrastructure. In Larry Ellison’s Gen 2 Cloud Keynote at Open World 2018, Ellison talked about two things:

- An Impenetrable Barrier — dedicated network of cloud control computers to ensure one user can’t access another user’s data
- Autonomous Robots — Bots that find and kill threats

These two things have fundamentally changed the security posture of tenants using cloud infrastructure.

Staying Safe in the Cloud

So, to answer the question: “Is the cloud more secure than on premises”, we can provide a resounding “yes,” but only when adhering to the following requirements:

- Know your responsibility — Although we didn’t dive into this in any detail here, it’s an important consideration. Many people don’t realize that they have a security responsibility when taking tenancy in a cloud infrastructure setting. Make sure you’re aware of your responsibility and if you subscribe to a bare metal service, you have more responsibility than if, for example, you were subscribing to a SaaS offering. To learn more, read our blog on the Shared Responsibility Model.
- Use Gen 2, not Gen 1 — make sure your cloud infrastructure is designed from the ground up with security in mind, and this means, by necessity, Gen 2 or higher.
- Automation — ensure that the best AI and ML-based security tools are employed in your cloud infrastructure so that threats will be identified and stopped before they access (or worse yet, exfiltrate) your data.

So, whether you’re leading your organization full tilt to the cloud, or you’re an IT practitioner concerned about the underlying architecture of the service in which you’re about to take tenancy, rest assured, Oracle has you covered. This means not only has the infrastructure been designed from the ground up to be secure, but also the services that ride on top of it (like, for example, Oracle Autonomous Database) are also clad with an additional layer of security. To learn more about how Oracle secures your most vulnerable and sensitive data assets, visit Oracle Database Security.


Cloud Threat Report

A Tale of King Arthur's Supply Chain Risk

We have all heard the rumors about trusted technology vendors who were compromised by nation states through supply chain compromises (SCM), but this is an age-old issue. Hundreds of years ago, kingdoms were born out of the dirt, and came into power by consolidating their armies and resources behind mighty fortresses. Even in the times of King Arthur, castles sometimes fell by the sword, sometimes by mythical dragons and sometimes because of food supplies. The untold story of the castle was the supply chain risk. For those at this week’s Oracle MBX Conference, this conversation is being shared.

The ability of the castle model to work was based upon four key factors:

- The ability to secure the keep (the crown jewels/gold) and the royal family
- The ability to provide security for the kingdom using the king’s armies
- In return, the people provide the provisions and materials that the kingdom consumes
- Inner-kingdom trade is ensured to the people by the kingdom

The challenge for any king is: how do you ensure materials and goods are not compromised? How do I ensure that a 500% increase in grain does not alert my enemies to my plans for war, by marching my armies? How do I ensure somebody is not skimming grain out of every delivery to my customers while accepting the full price of silver? These are the concerns that keep kings and CEOs awake at night.

The threat landscape today is very much like that of the past. Supply chain is under risk of financial fraud, theft, and worse: an attacker slipping a dead fish in a supply of dairy has the potential of injuring or killing the king’s army. This is a supply chain compromise and we see it in modern times with the risk of attackers penetrating supply chain systems to receive counterfeit chip-sets in the production of a TV or video conference system. Little did anybody realize, but a video processing chip produced in Austin, was replaced with one made by a foreign intelligence agency for the sole purpose of collecting information on their adversary or gaining an advantage in the IP wars.

Oracle Cloud Applications have undergone tremendous strides in recent years to ensure the security of the cloud platform itself, but also to help identify areas of supply chain risk, highlight potential fraud and look for suspicious behaviors that we can identify through our edge control technologies in Oracle Cloud Infrastructure.

Today, the kingdom has more tools than ever at their disposal to help mitigate the risks targeting their suppliers and providers. The key question is, are you driving this strategy like a king, or just entertaining it like the court’s jester? Time for serious planning.

For more information on how Oracle and KPMG can help you with uncovering the risks and threats of your own “kingdom”, download your free copy of the Oracle and KPMG Cloud Threat Report 2019 where we highlight the challenges and leading practices for a secure cloud application journey. Also, join Brian Jensen (KPMG) and me as we discuss these key application challenges around SCM, ERP, HCM and CX, in our April 17th webcast event. Register now for the KPMG ERP Risk Series: Oracle and KPMG Cloud Threat Report webcast and start your planning, regardless of whether you are a CEO or the king of your castle.


News

Data Breaches: The New Norm?

It’s been 10 months since the European Union’s General Data Protection Regulation (GDPR) enforcement date took effect. Last summer a global buzz kicked in around the world about data privacy and the impact of the GDPR’s strict requirements. Since then, much of the buzz around GDPR has died down, but the threat of a data breach continues to rise as adversaries are highly funded and motivated.

This week, I sat down with Allan Boardman, former director of ISACA and founder of CyberAdvisor.London, to continue the conversation we began at Oracle OpenWorld Europe. Expanding on our initial topic, “The Role of Security and Privacy in a Globalized Society”, we discussed GDPR today, the impact of regulations on citizens globally, and tactics organizations can employ to better protect their critical data.

GDPR began a little less than a year ago, how have companies responded to it? Are organizations meeting their compliance goals?

“What I found quite interesting is that it [GDPR] was created for European citizens, but I was at conferences in Washington DC and Chicago in late 2017 and GDPR was one of the most popular topics, even at RSA 2018 last April. I thought this would be a European topic, but it has certainly caught the attention of organizations globally with other countries looking to roll out similar legislation. GDPR has been a game changer.” Boardman continued by saying, “Approaching the deadline, there was a lot of shuffling going on, people wanted to check the boxes, and it would not surprise me if the quality of some of those activities were undermined.”

We are in a moment of transition, as organizations begin to understand more about their data privacy needs, they are starting to understand the gaps in their compliance and security strategies. Organizations must take a proactive approach to protect their data, ideally through properly integrated cybersecurity tools and solutions including potentially cyber insurance. Boardman explained the importance of this, “the [consequences of a breach] shouldn’t be under played because the impact can be very significant, including long term reputational damage and for publicly quoted companies, the effect on the stock price can be significant.”

Organizations that fall victim to a breach are faced with hefty fines and long-term damage to their brand. Have these severe repercussions caused organizations to be overly cautious in reporting loss of data that might not have been critical?

“I think GDPR and data privacy is a journey and if you think about it we are still very much at the compliance level. Right now, it is a fight to make sure organizations comply with regulations, rather than this being baked into everyday processes. They are working towards providing data privacy at an enterprise scale. Although data protection has been around for some time, it is still very much compliance driven. I think we are starting to move out of that a bit – for example initially organizations thought one of GDPR’s requirements, the Data Protection Impact Assessments (DPIA), should just be done for new applications or projects. You really need to run this exercise across the board and for all the main business processes that involve personal data, as it is the only way to really identify and understand all your most sensitive data.”

How has GDPR affected the way people value their data and has it impacted the way they judge an organization’s ability to protect it?

“It is still early on in terms of seeing actual effects, but organizations are starting to see some of the impacts. Certainly, there was a level of increased awareness, people received the notifications in terms of companies ensuring they had the acceptable controls in place and the topic was regularly coming up at dinner tables, with people previously totally uninterested in data privacy and data protection starting to talk about GDPR. As I mentioned before, organizations have been overly cautious in reporting any breach and there are still a lot of gaps to fill in the journey towards compliance.”

Can data be protected or are breaches to be accepted as the new norm?

“There have been a number of widely reported significant breaches over the past few years, but people seem to be getting sanitized to them and seem to be getting used to the fact that some level of breach can happen anywhere. It is definitely the new norm, but having said that, there are now much stronger sanctions, so organizations need to understand which of their data is most critical and sensitive and apply appropriate controls or risk facing sanctions causing a significant impact on their bottom line.”

Please feel free to access our whitepaper, Helping Address GDPR Compliance Using Oracle Security Solutions, to learn more about GDPR and how Oracle can support your journey to compliance.

About Allan Boardman: Allan Boardman (CISA CISM CGEIT CRISC CISSP), founder of CyberAdvisor.London, is an experienced business advisor helping organizations manage their information, technology, cybersecurity and privacy risks. He started his career at Deloitte in Cape Town where he qualified as a Chartered Accountant before moving to London in 1986. He has held leadership positions in audit, risk, security and governance at various global organizations including GlaxoSmithKline, Morgan Stanley, JPMorgan, Goldman Sachs, PwC and KPMG. He is a Past President of ISACA London Chapter and has served on ISACA International’s Board of Directors, its Strategic Advisory Council, its Leadership Development Committee and chaired its Credentialing and Career Management Board, CISM Certification Committee and Audit and Risk Committee. He served as a volunteer at the London 2012 Paralympics, Sochi 2014 Paralympics, Rio 2016 Olympics, and PyeongChang 2018 Olympics and Paralympics.


Cloud Threat Report

Is your Cloud ERP Heading for a Heartbreak Hotel Moment

It’s that familiar IT analogy that “Elvis has left the building” in the context of, your enterprise data has left your data center, and is now in the cloud. It’s more true than ever before. What we are seeing instead is the rush to cloud, without all the pieces in place, is leading to heartbreaking results when increased risk is transferred into the cloud and amplified.

This week marks the kick-off of Oracle’s Modern Customer Experience Conference (MBX). This includes a phenomenal collection of attendees, partners and solution providers all centered around business-critical cloud solutions such as ERP, HCM, SCM and CX. While these solutions are built around amazingly sound, secure, high performing cloud environments, there is always opportunity for fraud and risk that require a second look at the controls we place around these platforms.

Many know Brian Jensen (KPMG) and me as the co-authors behind the Oracle and KPMG Cloud Threat Report that we publish each year. No, we are not related, but we share a common concern from two unique perspectives: my cyber background paired with his background in ERP risk controls. Together we have been able to help elevate the conversation around what are the risks we are seeing around today’s business critical applications and how should businesses prepare?

Below are a few of the topics Brian and I will discuss in April as KPMG hosts their ERP Risk Series: Oracle and KPMG Cloud Threat Report 2019. Register for this now!

- Buy your CISO a coffee – The best $5 you can spend is to share a coffee with the person who can make you very successful within your line of business. Get to know the CISO priorities, but more importantly, educate them on yours. Today’s CISO is not about saying “No”, they are about saying “Yes, but let me help you get there faster….and safely”.
- Identify your cloud quarterback – Every successful team needs a leader on the field who is organizing, driving strategy, interpreting the calls played and what it means on the field. This is the role of the Cloud Security Architect who is enabled and empowered by the CISO to drive security, privacy, data protection and risk programs. They are also focused on ensuring all LoB programs are engaging SecOps up front and meet key requirements before go-live.
- Know Shared Responsibility – 90% of CISOs, 75% of CIOs and 54% of SaaS teams are unsure about their role in securing the apps vs the cloud provider. Address this across ALL cloud services. Pull out the contracts, talk to your providers quarterly, understand the SLAs and identify the gaps where you are putting your company and customers at risk.
- Revitalize the Lunch and Learn – The lowest cost impact you can make to the organization is a round of pizza once a month, in exchange for asking them to sit down, and take notes on safe practices at work. Phishing scams that target employees that have access to business applications are on the rise. Educating your staff on the risks, how to report and safe practices is a great starting point.

This week is a busy week for many at Oracle’s MBX. Make sure you register for next month’s session with Oracle and KPMG as we walk through some of the key findings in the new Cloud Threat Report, and what we learned that will change the way you approach your upcoming enterprise application strategy.


Cloud Threat Report

Shared Responsibility: How Effective is your Cloud Coach in Building a Winning Plan?

It’s never been easier than now to stand up new business-critical services in the cloud. To the credit of cloud providers around the globe, they have all responded to the demands of the LoB (Line of Business) to enable a more seamless acquisition and onboarding experience for these new services. In fact, 2019 marks the year where we saw a tipping point of use where 7 out of 10 businesses are placing more business-critical data in the cloud than in 2018. So, things are great, right? Let’s not move so fast. Have you asked your cloud coach about their game plan for keeping that data private, protected and secure as you transition into the cloud and on an ongoing basis?

One of the key areas tripping up organizations today in their rush to the cloud is assuming that cloud is just an extension of on-prem. This is like saying my car is similar to my airplane simply because they both have round rubber tires and an engine. The risk profile changes as you shift to the cloud. On-prem data center owners know that they are 100% responsible for the full stack. They own the selection of hardware, service connections, OS layer, patching, app, containers and more.

One of the challenges organizations are struggling with today is the knowledge base of today’s IT and cyber workers. As the demands continue to increase, the talent pool is unable to keep up with those skillset requirements, which has created a fundamental challenge in filling the thousands and millions of open headcounts in the IT and cyber sector. Cloud offers the promise of making these problems somebody else’s problem, through financial incentives (SLAs). But not all responsibility can be shifted to the cloud service provider.

Click to learn more about the impacts of Shared Responsibility in the Enterprise

Are you the type that likes to build their own car, buy in a dealership, rent it, or do you prefer Uber/Lyft? The trade-off is clear: less control, but also less responsibility. This is also what you see as you move from on-prem, to IaaS, to PaaS, to SaaS. Customers are shifting ERP, HCM, SCM and CX workloads to the cloud en masse. Oracle and others have done a tremendous job securing the cloud frameworks that these SaaS services run on, but there is still more that must be accommodated.

So just how prepared are organizations today? 54% of organizations say that they are confused about their role in shared responsibility vs the cloud provider. Ok… so let’s look to the coach, the CISO, as surely they know. Right? Unfortunately, 90% of CISOs are unsure about their organization’s role, and 75% of CIOs are also unsure, so leadership is struggling at the very time when there is a tremendous push for these new cloud services.

So, what does this tell us? It tells us that there is a desire to play in the cloud game, however it may require players to make up the plays as they go along (or call an audible), because the coach may not have the answers. That simply isn’t sustainable.

So, what can we do now? It starts with identifying an internal advocate for shared responsibility, such as the Cloud Security Architect, to help educate and drive change inside the organization. It also means we need executive investment into the topic of privacy, data protection and security, and it must be accepted as not just a C-suite responsibility, but a boardroom responsibility. The C-suite is starting to understand that they all play a role in security, privacy and data protection, and it is not just the role of the CISO. But CISOs that do not get engaged with the LoB, and find a seat at the table for this up-front planning, will continue to be called the “Crisis Induced Sacrificial Offering”.

So regardless of whether you are at Oracle’s MBX Conference this week, or following the news from around the world, take a moment to find out what your role is in helping to ensure a secure, private and protected journey to the cloud.

Register now for the new Oracle and KPMG Cloud Threat Report 2019 and learn how it can help your organization build out more defined security and risk strategies for 2019 and beyond. For additional information on Shared Responsibilities and tools you can use to manage, register for this on-demand webcast that covers this topic in great detail.


DB Sec

Audit Vault and Database Firewall 12.2.0.10 is Now Available!

Oracle is happy to announce the availability of Oracle Audit Vault and Database Firewall 12.2 Bundle Patch 10.

Oracle Audit Vault and Database Firewall (AVDF) secures databases and other critical components of IT infrastructure. AVDF provides a first line of defense for databases and consolidates audit data from databases, operating systems, and directories to support monitoring and compliance reporting. Audit records from on-premises and cloud databases are collected for centralized management and provide monitoring, reporting, and alerting of anomalous activity across databases. A highly accurate SQL grammar-based engine monitors unauthorized SQL traffic before it reaches the database. Please take a moment to visit our webpage for more information on Oracle AVDF.

The following changes are included in the Bundle Patch 10 release:

- Added support for audit collection and database firewall protection for Microsoft SQL Server 2017.
- Expanded support for host monitor on AIX 7.2 platform and Microsoft Windows Server 2016.
- Introduced support for host monitor on Oracle Solaris 11 SPARC X64 super cluster using IPNET protocol.
- Introduced support for audit collection, host monitor and agent installation on Oracle Linux/Red Hat Enterprise Linux 7.4 and 7.5.
- Expanded support for host monitor on Oracle Linux/Red Hat Enterprise Linux 6.9.
- Added support for audit collection, host monitor and agent installation on Oracle Linux/Red Hat Enterprise Linux 6.10.
- Updated the underlying infrastructure to incorporate the January 2019 Bundle Patch for Oracle Database 12.1.0.2, which includes latest security fixes.
- Security and stability fixes for Java and Oracle Linux operating system.
- Fixes for a number of customer bugs.

For database security practitioners looking to upgrade, please note that Audit Vault and Database Firewall 12.2 Bundle Patch 9 is a mandatory prerequisite. Audit Vault and Database Firewall 12.2 BP9 established a new minimum security baseline with underlying inter-component communications defaulting to TLS 1.2. Please refer to Patch release notes for detailed installation instructions.

Patch for upgrading to Audit Vault and Database Firewall 12.2 BP10 is available through ARU Patch#22787271. Full install image for Audit Vault and Database Firewall 12.2 BP10 is available on eDelivery.

To learn more about Oracle Database Security, please visit our Oracle OTN and Oracle Security webpages.
