Cloud Security Perspectives and Insights

Risk #4: Lack of Compliance Regulatory compliance is a complex and perpetual process of aligning with all matter of industry and government regulations. It’s never fully completed. Addressing regulatory compliance was tough in an on premises environment where we “owned” our datacenters, and now with public clouds we have an even more complex and nebulous regulatory landscape. Risk four, the lack of compliance, has to do with organizations not considering all aspects of the different compliance requirements they have to address. Many organizations are not considering compliance holistically: aligning across global requirements for hybrid cloud environments. According to the Oracle and KPMG Cloud Threat Report, 95% of security practitioners cite that the European Union General Data Protection Regulations will impact their cloud strategy and vendor selection. I believe the EU's GDPR is a great opportunity for organizations to strengthen their strategy to protect citizens' and users' data privacy, as it appears many data protection regulations are following suit. Mitigation: Realize Compliance is a Process, Not a Status Align with leaders that can help you through the compliance maze -- experience counts! Engage your Cloud Service Provider (CSP) often and early. Don't treat compliance as a check-box of security controls or measures that need to be ticked off, it's more than that. Here are some pointers: Leverage regional compliance experts Don’t wait too long to engage compliance resources, especially in regulated industries; engage them well before the contract phase begins. The CSP can help you understand compliance needs before you engage in a contract; once you’re in the contract phase it's often too late. Determine what's necessary Distinguish between best practices, “nice-to-haves,” and regulations. By default we want to address more compliance requirements, not less; however, it's likely unnecessary. Discover the motives behind compliance oversight (e.g. is it regulatory, industry, or corporate?) And remember, compliance does not necessarily mean that you are secure. This has been documented in the past where the Verizon PCI DSS (Payment Card Industry Data Security Standards) Compliance report showed organizations that were compliant had also been breached. Organizations often tick the PCI DSS compliance boxes, or implement compensating controls, but quickly fall out of compliance over time. More information on that here. Fully understanding your unique compliance needs is key to properly addressing and protecting your customers and business. Continuously monitoring your compliance controls is also very important, organizations should look to incorporate intelligent solutions that can help monitor your environment and track unsanctioned app usage. This process-oriented approach to compliance will help strengthen your security posture and support objectives to achieve compliance. Please join next week for our final blog of the series, Risk #5: No Cloud Security Leadership.

Risk #4: Lack of Compliance Regulatory compliance is a complex and perpetual process of aligning with all matter of industry and government regulations. It’s never fully completed. Addressing...

The first step in beating your enemy is to understand them.  Knowing all the ways an attacker might try to hack you is virtually impossible.  Understanding what’s in the Mind of a Database Hacker? Much more feasible.  Different hackers have different motivations that can range from simple curiosity to, the most common - financial gain.  They are after your data and probably know where it is. The consequences for Organizations are huge - Reputation loss, fines, class action lawsuits, and C-level resignations. We’ve seen all. Whether attacking alone or sponsored by nation-state attackers tend to be highly motivated, have all the time in the world, all the resources, all the infrastructure and have a great sense of community.  Automation is big in the hackers’ land, and even newcomers to the field now leverage powerful tools that can quickly exploit known vulnerabilities.  These tools are often free or available in a marketplace where you can buy tools and services like HaaS (Hacking as a Service). The impact a relatively new and unskilled newbie can have is unimaginable compared with just a few years back. What about you? Do you know where your sensitive data is? Are you doing enough to protect it? Remember, some data might not look that important but if that data serves an application that fulfills a specific line of business need, it will definitely be interesting for an attacker. Information may either be valuable alone or leveraged by combining it with other pieces of information to reach a bigger target. To know more, join me, Pedro Lopes, Oracle’s EMEA  Product Manager for Database Security at Oracle Open World Middle East in Dubai and take a trip into the mind of a cybercriminal.  We’ll talk about typical ways a database is hacked, some of the recent attacks, and ways to mitigate the most common attack vectors. Inside the Head of a Database Hacker [SES2043-DUB] Monday, February 11, 01:25 PM - 02:00 PM Forum 6 (The Exchange, Level 1) - Dubai World Trade Centre See you there! #OOWDXB #Dubai @OracleSecurity @OracleInfoSec @OracleDatabase  

The first step in beating your enemy is to understand them.  Knowing all the ways an attacker might try to hack you is virtually impossible.  Understanding what’s in the Mind of a Database Hacker?...

Risk #3: Reliance on Manual Processes Do you experience difficulties keeping pace in detecting and responding to threats? If you are just joining us, last week we covered risks one and two of the top five cloud security risks organizations are facing. As I’ve mentioned in my previous posts, if you are interested in learning more about these risks, please register to attend an Oracle Cloud Days presentation in a city near your or access the Oracle and KPMG Cloud Threat Report. Now that we’ve touched on the importance of understanding the shared responsibility model and implementing controls to protect users, let’s explore the need to minimize our reliance on manual, and error-prone, processes when addressing security events. This includes the ability to detect today’s sophisticated threats and respond in near real-time to reduce the window of risk. If you combine that with the 3.3 billion events that the typical organization receives per month (Source: McAfee 2018), keeping pace with manual efforts is nearly impossible. Cloud services are being rolled out faster than security operations can support, creating a security pace gap. Mitigation: Automate with Machine Learning and AI A lot has been said about the benefits of machine learning and artificial intelligence to combat today's sophisticated threats. By using intelligent, highly automated technologies we can better remove threats as soon as they are detected and prevent potential attacks before they begin. To learn more, read the Oracle paper "Machine Learning-based Adaptive Intelligence". By implementing these automated technologies, organizations can free up resources for new innovation, cut costs, and save time. Another way to address the sophisticated and multifaceted attacks organizations face is through a layers of defense approach—starting at the core and moving to the edge. No one security control, no matter how automated, can prevent the many threat actors and their attacks, so it’s important to use multiple layers of defense to protect your data, the users who need it, the applications that use it, and the infrastructure that underlies it all. Whether moving existing workloads to the cloud, or beginning your cloud-first journey, modern security strategies must incorporate consistent security controls that address global industry and government regulations across hybrid and multicloud environments. For information security teams that must reduce overall risk, Oracle’s core-to-edge solutions help prevent, detect, respond to, and predict modern cybersecurity threats. From the core (your data and underlying infrastructure) to the edge (where your users connect), Oracle’s layers of integrated security controls work together to intelligently protect hybrid and multicloud IT environments. Security is built-in and begins with data protection and self-securing Autonomous Databases. It continues with secure infrastructure, compute, and storage. The layers of defense drive powerful security controls out to the edge where end users access applications from all around the world. To learn more about some of Oracle's key core-to-edge security solutions, please visit the following layers of defense: Cloud monitoring and log analytics Cloud infrastructure security Cloud application security Cloud visibility and data loss prevention Identity and access management Encryption key management (Oracle Database) (Cloud Infrastructure) Data security and encryption (Oracle Autonomous Database) Today, we’ve explored two approaches to better protect your organization against threats that can often be missed by under staffed IT teams and error-prone manual processes. Each organization has a unique mixture of hybrid and multicloud environments, but learning more about technologies such as machine learning and AI and how they can fit into your layers of defense strategy just might be a critical piece of that puzzle we mentioned before. As we move into our final two risks, you will see that once again the theme of security falls on everyone in the organization and that compliance requirements are changing the way we must think about data, like it or not.  

Risk #3: Reliance on Manual Processes Do you experience difficulties keeping pace in detecting and responding to threats? If you are just joining us, last week we covered risks one and two of the top...

This morning I was chatting to a colleague about the cyber security landscape and he asked me the question “Do you think machine learning and AI will replace the need for security (SOC) analysts in the future?” Artificial intelligence and machine learning are just a couple of the buzz words that are ‘in fashion’ at the moment, especially around the world of cyber security. I have written before about how different terms come and go as the fashionable phrases to attach to your product. There is no better place to see this in action then to go to an event like InfoSec Europe. Look for the common wording that every vendor has on their stand and you can see what the current buzz words are. Anyway, I digress. We are being promised amazing things from machine learning and its application. The promise of fully autonomous, self-driving cars is tantalisingly close. Across IT, there are some amazing advantages and efficiencies from applying machine learning to everyday processes. In fact, Oracle is doing some fantastic work in applying machine learning across our entire portfolio. Take our SaaS apps for example. Within HCM, recruiters benefit from in-line AI and data-driven candidate recommendations that reduce time-to-fill and cost-to-hire. Within ERP, we are intelligently automating repetitive and mundane tasks, such as approvals, and within CX, optimizing marketing and sales programs to better resonate with customers, increase conversion, and close more business. You can find more information on any of these examples and more here. It’s not just about apps. Within our analytics platform, the use of machine learning allows you to get to insights about your data quicker. And of course, Oracle Autonomous Database, the world’s first self-driving database has a large helping of machine learning under the covers. From a cyber security perspective, machine learning is a perfect fit. Security event data, activity data, configuration data etc is all very structured and therefore ideal to throw at machine learning to understand and process that data very quickly to spot anomalies, identify threats, and recognise attacks. This means that you can reduce the false positives and provide more accurate, focussed insight to your SOC analysts to investigate the real incidents. However, the promise of machine learning goes beyond that. In the world of Oracle Autonomous Database we talk about the database being self-securing. Taking an excerpt from the whitepaper here: “The Autonomous Database is more secure than a manually operated database because it automatically protects itself from internal and external vulnerabilities and attacks. The Oracle Cloud provides continuous threat detection, while the Autonomous Database automatically applies all security updates online and provides “always on”, end-to-end encryption. This preventative approach is critical because 85% of security breaches today occur after a CVE (common vulnerability and exposure) alert has been issued.” So, if we can make the database self-securing, why can’t we apply that to all security events? Why can’t we automatically remediate issues identified by our SOCs and thus get rid of the SOC analysts completely? In fact, within Oracle’s combined cloud-based NOC / SOC platform, Oracle Management Cloud, we talk about automatic remediation as a key capability. However, we need to recognise the limitations of automated remediation and where it is and isn’t suitable. In some places it makes sense. If your monitoring platform notices an increase in load, or a server shutting down, then you could remediate this by automatically spinning up another node, or adding CPU count to existing nodes. Even in some security scenarios, you could take automated remediation steps. If you see machine learning identify a user as risky due to their behaviour, you might disable the user, or enable multi-factor authentication on their account. Within Oracle Autonomous Database, the database is a controlled platform and therefore the remediation steps can be well understood on this focussed platform. If we are looking at remediating incidents, we also need to understand where those attacks are coming from, and I don’t mean geographically in this context. It's true what Larry Ellison said in his keynote at Oracle Openworld back in 2017: However, we need to recognise that it’s not just machine versus machine. The defenders have machine learning, but so do the attackers. Security has always been a game of cat and mouse. The attackers find a hole, the defenders plug it. The defenders put in stronger security, the attackers find another way in or a way around it. If it was just machines vs machines then the game may be more even, but adding the human element guarantees that security experts will still be needed. Let’s go back to the example of autonomous cars. If there were only autonomous cars on the road, then I suspect we would see very few accidents. The biggest challenge autonomous cars are facing today is their interactions with other human drivers. Cyber security is the same. It’s not just computers vs computers, but the humans telling those computers what to do that adds to the unpredictability. Even as machine learning gets more advanced, the size, scale, and complexity of organisations IT today makes it very hard to fully automate all remediation steps or cover every eventuality. In fact, there are many times you might not want to. For example, if you are an online retailer and you see an attack coming in on Cyber Monday, do you want a machine deciding to take your entire online presence down to fix the problem, or do you want to make a judgement call based on business risk on how to proceed? I firmly believe that machine learning has a strong place within our cyber security defender’s toolbag. As it matures further, it will provide increased value and keep helping to strengthen an organisation’s defences. However, I don’t see a time, certainly within the rest of my career when we will be saying goodbye to the hugely talented pool of security analysts, specialists, and experts who underpin the security defences of every organisation.

This morning I was chatting to a colleague about the cyber security landscape and he asked me the question “Do you think machine learning and AI will replace the need for security (SOC) analysts in...

Risk #2: Unprotected Users The consumerization of IT has made it much easier for lines of business to quickly access new cloud services without the oversight of the information security team. IT no longer has a view into the cloud services their users access. These new cloud services often use sensitive corporate data; one in seven organizations are now storing sensitive data in the cloud according to the Oracle and KPMG Cloud Threat Report. As I mentioned in my previous blog post Risk #1 Lack of Responsibility, it's relatively easy for cybercriminals to penetrate organizations and collect intellectual property, healthcare, financial, customer and corporate data. The cybersecurity landscape is changing so often that technology is no longer enough to protect our organizations. Just by connecting to the internet we are at risk of falling victim to an attack. The consequences are more severe than ever—effecting our organization, our customers, and potentially our countries. Over half of the cyber security practitioners surveyed in the Cloud Threat Report experienced one of two major forms of phishing attacks.     Mitigation: Train Your Users and Protect Them We need to think security-first because, as stated at the beginning, it's all of our responsibility. IT and InfoSec must continually employ proven best practices, deploy secure technologies and train users to be secure. This includes applying key best practices that protect users and their login credentials. Adopt security best practices that help reduce the potential for unauthorized access to sensitive data or apps Separation of duties - Break sensitive tasks up between multiple users so that no individual has too much power. Least privilege - Never give people more power than necessary to do their job. If they need a privilege escalation, provide that for the time to do the job, but then revoke that excess privilege when the job is completed. Deploy technologies that protect users Adaptive multifactor authentication - Use a secondary factor of authentication when suspicious activity is detected on a user's account (i.e., 6 digit code sent to your mobile device, or a hard token that you can insert into your computer's USB port). Cloud Access Security Broker (CASB) - Deploy a CASB to gain visibility into cloud application use and set consistent security and compliance across those cloud applications. Conduct regular training and testing Continuous, built-in security training for all employees. (i.e.Oracle Software Security Assurance) Test their knowledge with phishing campaigns and other quality checks  The Cloud Threat Report showed the #1 area of investment was in the area of employee awareness programs and security training. Keeping your employees informed about these threats and implementing mitigation tools will allow you to better protect your organization, brand reputation, and employees. Hopefully risks one and two have provided you with some key risk areas to focus on, next week we will dive into the next two risks, starting with risk #3 – Reliance on Manual Processes.

Risk #2: Unprotected Users The consumerization of IT has made it much easier for lines of business to quickly access new cloud services without the oversight of the information security team. IT no...

Risk # 1: Lack of Responsibility How many of you are responsible for security at your organization? I would like to make the case that we are all responsible for security, regardless of whether it is our 'official' role. If I were a cybercriminal looking to attack your organization, I could search employees on LinkedIn and source potential targets. I could cross reference those names with other social media properties to obtain more personal information, including email addresses. I could then send targeted emails that encourage you to access a malicious link or attachment; 30% of you would open the email and another 12% would click the bait (Source: Verizon Data Breach Investigations Report). This is just one of the many risks that organizations face as they leverage cloud computing, according to the Oracle and KPMG Cloud Threat Report. We have been highlighting these risks at Oracle Cloud Days around the world and I encourage you to attend if you can. For those unable to make it, we’ve created a summary of the top 5 cloud security risks and how to mitigate. Each week we will cover one of these risks and examine mitigation steps that include layers of defense from the core-to-edge. Most organizations are unaware of the division of labor and demarcation with their cloud service provider (CSP). This lack of understanding can create risks that include introducing malware into the environment, mismanaged configurations, and loss of data. Mitigation: Understand the Shared Responsibility Model The shared security responsibility model is an easy-enough concept to understand, but much more difficult in practice. In fact, you will need to better understand the shared responsibility model for each of your given CSPs. This takes time and requires a dedicated responsible person or group within the organization (hint, we will address this during our risk #5 post). In a traditional on-premises environment, it’s quite clear that you own all of the security and compliance requirements. However, working with a CSP, you share that responsibility so it's important to know the demarcation line. The deeper you go into the services, the more responsibility you have. For IaaS (Infrastructure as a Service) environments, the customer owns more of the responsibility. For example, they might own security and management of service configurations, data, apps and operating systems. The CSP would then maybe be responsible for the lowest-level infrastructure: virtualization and physical environments. As you move up the stack, into SaaS (Software as a Service), the CSP is responsible for more. It’s important that you consider this when choosing a SaaS provider: You really need to trust them. That means your cloud vendor is responsible for encrypting the data in the database, managing patch updates, or system configurations so that they don’t drift over time – potentially exposing your data to exploits or unexpected downtime and performance hits. Adding to the confusion, most organizations will have a hybrid, multicloud strategy. Eighty-one percent of organizations have a multicloud strategy, according to the Oracle and KPMG Cloud Threat Report. When you choose your cloud service providers it’s important you understand the SLAs from each of them and know who is responsible for what. That being said, it is important that your dedicated individual or team fully understand the shared responsibility for each CSP and that they educate others within the organization. This risk is just one piece of the puzzle and you will see that there are many interlocking challenges organizations are facing – perhaps challenges you are facing as well. Please join us for our next post, this Thursday on risk #2: Unprotected Users in the Cloud.

Risk # 1: Lack of Responsibility How many of you are responsible for security at your organization? I would like to make the case that we are all responsible for security, regardless of whether it is...

Today's CISOs are challenged not only by today's threats and risks, but also in the effort to engage every aspect of the business with the same end goal.  Reduce risks and prevent threats from impacting the business.  All too often, the C-suite has looked at the CISO as the sole person responsible for securing, and as a result, the one who's head must roll if there is a data breach.  This has created the reputation in the industry that CISOs are simply the Crisis Induced Sacrificial Offering.  The upcoming Oracle and KPMG Cloud Threat Report for 2019 highlights that in the event of a breach, most companies will do two things. 1) hold the responsible party responsible 2) provide new funding for the replacement leadership to ensure it doesn't happen again.  Make no mistake, this is not a model that is sustainable.  When the US Navy builds an aircraft carrier, everybody on the ship has an assigned role. Deck crews actually wear unique clothing to designate who is responsible for arming aircraft, refueling, and many more roles.  However, every man and woman on the ship is a fireman.  Everyone has a responsibility to share in making sure the ship does not go down due to a fire.  This is the same mentality CISOs are looking to institute across the enterprise, starting at the top.  That message is, that the CEO, CIO, CFO, CTO and CDO all have a "shared responsibility" to ensure their programs, efforts and staff are instituting risk reduction measures, and security is top of mind. No CFO wants to wake up tomorrow only to find out they are responsible for the ship sinking due to a rapid ERP deployment that didn't include the company's required security measures.  With that in mind, this year, the CISO has 6 priorities they are focused on to ensure success.  Learn more about your role as "fire support" to ensure the corporate ship stays afloat, and you ensure success for the CISOs stated goals.  Read the article in Forbes, "Chief Information Security Officer Priorities for 2019" and share with others who could benefit!

Today's CISOs are challenged not only by today's threats and risks, but also in the effort to engage every aspect of the business with the same end goal.  Reduce risks and prevent threats from...

History has it that when Willie Sutton was asked by a reporter why he robbed banks he responded, “because that’s where the money is”. Banks still hold lots of money, but a bank heist is likely a bit harder to pull off these days than a virtual bank robbery, one that steals information and data.  A modern-day version of the question posed to Willie Sutton might be why break into an organization’s IT infrastructure with the answer “because that’s where the data is”. In fact, some estimates claim that the “global data sphere” or collection of data created and stored will exceed 175 zettabytes by 2025, up from 33 zettabytes in 2018. That is indeed a significant increase, but it is a bit hard to wrap our minds around just how much data 175 zettabytes represents. The answer for a visual representation is that if all this data were stored on DVD’s (a dated but good physical reference to stored data), it would be a stack of DVDs that could get you to the moon 23 times or circle the Earth 222 times. With all of this data comes tremendous privacy and security challenges for our society. Why so much data? Data is aggregating at rapid rates due to the ever-expanding sources of data; consumers and the actions they are undertaking every day (physical and online shopping, social media, Internet browsing, video creation, smart devices) and organizations creation of information from operations (IoT sensors, big data storage, scenario planning and analysis, extensive customer records). Data is money for most businesses and having more data can mean more money (a relatively recent breach highlighted this issue). Data is very valuable and storage costs have approached near zero, allowing for what seems like infinite storage at almost zero cost. But the combined elements of massive data collection and increasingly stringent regulatory requirements creates a risk to organizations and causes privacy concerns for global society. The rapid creation of large amounts of data is valuable to businesses and can certainly be monetized. The data creation even benefits consumers in many ways (we love it when we get personalized services and recommendations tailored to meet our desires or free applications and services for sharing our data). There can be significant risk of jeopardizing customers’ privacy and even worse failing to meet regulatory mandates for privacy such as the EU GDPR and regional mandates like the forthcoming privacy requirements in the state of California. Protecting these terabytes of data is becoming an even greater challenge with the increasing sophistication, innovation and determination of attackers. We will be discussing these security and privacy challenges with a panel of experts during our session (The Role of Security and Privacy in a Globalized Society) at Oracle OpenWorld Europe on January 16 from 1:40pm-2:15pm. If you are in London for OpenWorld we hope to see you in the audience. P.S. Regarding the Willie Sutton statement, it has been noted that he perhaps didn’t make the statement “that’s where the money is” in response to why he robbed banks. To paraphrase, it has been noted that he said he did it for the thrill. Like Willie Sutton, I suspect that many attackers may also enjoy the thrill, in addition to the financial gains.  

History has it that when Willie Sutton was asked by a reporter why he robbed banks he responded, “because that’s where the money is”. Banks still hold lots of money, but a bank heist is likely a bit...

The “Oracle and KPMG Cloud Threat Report” looks at trends and new concerns. By Tom Haunert January/February 2019 Having previously produced world-class security reports, Oracle and KPMG are due to release their next one in February 2019, based on extensive interviews with 450 companies. I recently sat down with Greg Jensen, senior director of cloud security at Oracle, to talk about the data he’d just received from those interviews and what will make the “Oracle and KPMG Cloud Threat Report” different from other security reports. While some reports are based on metrics gathered by security vendors, others are survey-based. “Oracle saw there was too little conversation about the security risks and challenges organizations are facing as they’re lifting and shifting their workloads to the cloud,” Jensen says. “We concluded we wanted to align with an industry partner such as KPMG to consolidate our research and findings.” The 2019 report will confirm, for example, that companies are moving more and more of their sensitive data to the cloud. It also will delve into the issues of unsanctioned application use in the cloud, and it will look at the challenges of maintaining consistent security practices and configuration baselines both in the cloud and on premises. The 2019 report will also look at how ineffective patch management programs are having a negative impact on organizations, as well as how effectively leadership’s goals are being delivered in completed security projects. Needed: A Broad View I asked Jensen how Oracle expects people to use the report’s findings, and he surprised me. “People should consume four or five different reports to get a broad overview of security risks,” he says. “Organizations need a variety of security information from a variety of sources, and the ‘Oracle and KPMG Cloud Threat Report’ can be a primary source of that security information. Informed security practitioners can then engage C-level leadership in conversations on risk, security, and compliance.” In the next (March/April) issue of Oracle Magazine, look for more on the “Oracle and KPMG Cloud Threat Report” as well as articles on Oracle security technologies and cloud services. Meanwhile, in this issue’s “Generation 2: Ready for Anything,” Kyle York, vice president of product strategy for Oracle Cloud Infrastructure, talks about Oracle’s next-generation cloud infrastructure in general and infrastructure security in particular—from the core to the user edge. Next Steps EXPLORE the “Oracle and KPMG Cloud Threat Report.” LEARN more about Oracle Cloud security.

The “Oracle and KPMG Cloud Threat Report” looks at trends and new concerns. By Tom Haunert January/February 2019 Having previously produced world-class security reports, Oracle and KPMG are due...

Every fall Oracle OpenWorld takes over San Francisco as IT professionals from across the globe attend to learn more about the latest product releases, best practices, and industry changes. This year, Oracle OpenWorld is on the move, with three additional cities on the calendar! Oracle OpenWorld Europe will kick off in London January 16-17th. If you are planning to attend and interested in learning more about security, please be sure to check out these three must see sessions. 1) Modern Management and Security in Action Arena 1 (Level 3) ExCel London - Wednesday 9:00am - 9:35am Effectively securing and managing your hybrid clouds is critical for success in today's environment. Join this session to hear directly from customers as they explain their unique security and management journeys. This is also a great opportunity to hear from management and security executives and understand ways you can increase visibility, save time, and reduce human error.   2) The Role of Security and Privacy in a Globalized Society Arena 3 (Level 3) ExCel London - Wednesday 1:40pm - 2:15pm  The security threat landscape is constantly evolving. Even with the release of new security solutions and increased automation, adversaries continue to look for new angles vulnerable to attack. This phenomenon leads us to the realization that the next big security threat may be unknown at this time. Join trusted security leaders as they discuss a number of topics around 'the next security threat.' The discussion will touch on the importance of maintaining user privacy and evaluating potential threats.   3) Learn How Oracle CASB Has Helped Companies Make a Secure Transition to Cloud Services Forum 1 (Level 0) ExCel London - Thursday 12:10pm - 12:45pm The growing cloud landscape has introduced great innovation, but with innovation, comes risk. Learn how Oracle CASB has enabled companies to gain better visibility, meet compliance requirements, and prevent misuse of admin privileges.   We hope these sessions will provide greater insight into the opportunities to improve security and management within your environment. If you are unable to attend Oracle OpenWorld Europe, there are several other opportunities to attend an OpenWorld near you. Additionally, we have several key assets designed to guide customers looking to learn more about securing their environment from core-to-edge.

Every fall Oracle OpenWorld takes over San Francisco as IT professionals from across the globe attend to learn more about the latest product releases, best practices, and industry changes. This year,...

Cloud adoption shows no signs of slowing down and has benefited many private and public-sector organizations. According to the Oracle and KPMG Cloud Threat Report, 87% of firms have a cloud first orientation. These organizations value the benefits of the cloud, such as lower costs and increased flexibility, and are actively working to expand their cloud footprint. One topic that repeatedly arises when thinking about the cloud is security. While 83% of those surveyed in the Cloud Threat Report believe that cloud security is as good or better than on-premises security, there is still a lot of confusion when it comes to security responsibility between the organization and the cloud service provider. With sensitive data such as personally identifiable information (PII), payment card data, and legal documents, this is an issue that cannot be ignored. At Oracle Cloud Day you can learn about new technologies, successful customer case studies, and network with peers in your industry. We’ve designed this day to fit your personal needs with four customized tracks: IT experts, architects and integrators, data professionals, and developers. If security in the cloud is a priority for your organization, be sure to attend our session, “Mitigating the Top Five Cloud Security Mistakes” in the IT experts track. This session will not only address the most misunderstood aspects of the cloud when it comes to security, it will also help you learn how to best prevent, detect, and respond to the top risks you may be facing in your hybrid cloud environment. Whether your organization is just beginning to think of cloud adoption or is a mature cloud user with multiple vendors, it is always important to stay up to date with best practices and the latest cloud trends.Oracle Cloud Days will be coming to cities near you, don't miss this opportunity to seize the day and learn more about the cloud!  If you’d like to attend one of Oracle’s Cloud Days, register for an event near you!                      New York, NY - January 15, 2019                  Atlanta, GA - January 17, 2019 Boston, MA - January 30, 2019 Chicago, IL - February 5, 2019                                        and Many More!                                                                                                                     

Cloud adoption shows no signs of slowing down and has benefited many private and public-sector organizations. According to the Oracle and KPMG Cloud Threat Report, 87% of firms have a cloud first...

Data breaches and cyberattacks are a way of life for businesses today. How will they evolve in 2019? And what new tactics and technologies can companies employ to fight back? We asked security experts from Oracle Cloud Infrastructure and the tech industry at large to share their predictions.   Eran Feigenbaum Chief security officer, Oracle Cloud Infrastructure More consumer, employee, and corporate data records will make their way to dark markets in 2019. The culprits behind most of these breaches remain unchanged, namely a lack of patching, strong passwords and two-factor authentication. Further, expect more troubling details about how many popular applications and platforms use personal information. As a result, the themes of GDPR will continue to go global, spawning even more calls for data privacy laws and regulations.   Kevin L. Jackson CEO/founder, GovCloud Network @kevin_jackson 2019 will be a watershed year for cloud and cybersecurity. This will be driven by three factors: Continuing massive data breaches; Excessive marketing hype around hybrid cloud; and Corporate existential threats caused by data breach fines and penalties. Although painful in the near term, the global economic engine we call the internet will become better, more secure, and more international as cloud computing services become more secure and more multi-polar from a service provider point of view.   Kyle York Vice president, product strategy, Oracle Cloud Infrastructure @kyork20 There are good bots and bad bots on today’s internet. I predict that 2019 will be the year that the market becomes painfully aware of just how damaging the bad ones can be to enterprise brands. As more and more applications and workloads move to run on hyper-scale cloud providers, it is imperative that these vendors decipher the difference, allow only clean traffic, protect your assets, secure your data, and keep a positive end-user experience for all your constituents. Reputations are at stake everywhere, and we all must be vigilant.    Sophina Kio-Lawson and Lilian Douglas Co-founders, SheSecures @she_secures We predict the use of more bug bounty programs and the adoption of automated tools using artificial intelligence. These tools will be able to identify and patch bugs swiftly without having to wait for three to six months for the bugs to be exploited and leaked by cybercriminals.   Laurent Gil Security product strategy architect, Oracle Cloud Infrastructure @laurentgil As security technologies and practices improve, hackers will increasingly use botnets that behave like humans, making it harder to identify bad actors. Such malicious traffic will hide within the mass of regular, legitimate human-based traffic -- just a few hundred bad requests among millions of good, human requests. This approach will require much more sophisticated behavior-based analysis, powered by artificial intelligence.   Mark Cliff Lynd Managing partner, Relevant Track @mclynd Commerce and cybersecurity apps in the cloud will require multi-factor authentication, with two-factor authentication as the minimum. This additional security will come at a cost, because support calls will go up as humans struggle to use and remember all the different authentication steps utilized across multiple platforms in the enterprise. Cybersecurity attacks against online platforms will increase, especially ransomware and DDoS attacks. These attacks will affect availability, and new approaches will emerge to combat them.  

Data breaches and cyberattacks are a way of life for businesses today. How will they evolve in 2019? And what new tactics and technologies can companies employ to fight back? We asked security experts...

2019! Can you believe it? The beginning of a new year always seems like a fresh start, a chance to visit new places and explore new subject areas. Many people opt for a New Year's resolution: getting in shape, being more productive at work, or meeting new people. Some of you may even make it a New Year's resolution to learn more about security, based on personal interest or your profession. If that's the case, you've come to the right place. Along with my plan to eat more plant-based meals, I've decided to dive deeper into the world of security and challenge myself to learn more about the new advances industry wide and here at Oracle. If you are also looking to learn more about security, please read on. Traveling in 2019? If you are looking to take your security education on the road, join us for one of our Oracle Cloud Days in a city near you. This is a great opportunity to meet industry peers, learn about Oracle Cloud technologies, and map out a unique strategy for your cloud transformation. Access the Oracle Cloud Days registration page to sign up for dates in January and February! Transforming the way you secure and manage your environment? Cloud transformation strategies vary greatly depending on the needs of the individual organization. If your organization is rapidly adopting the cloud, it is important to understand your organization's responsibilities for security and compliance. Increasing visibility and strengthening IAM policies are critical to effectively secure your SaaS environments. Evaluating new solutions? According to the 2018 Oracle and KPMG Cloud Threat Report, 87% of companies have a cloud first orientation. Cloud transformation is gradual, so even if your department has not yet made the switch, it is likely that your company is in the process. It is important to be well educated on the latest cloud security updates in order to become a thought leader within your department. If your interest is in learning more about Oracle Security, please take a moment to read a recent report published by Ovum, Oracle Bakes Security into its DNA. You may also be interested in taking the Cloud Security Alliance Top Threats to Cloud Computing 2018 survey and accessing the report. Regardless of your 2019 security strategy, there are several ways to learn more about the latest updates in security. Whether you are looking to increase security around your SaaS deployments, your IaaS environments, or your hybrid cloud deployments - Oracle Security offers the agility and  flexibility to improve security and compliance in your organization.

2019! Can you believe it? The beginning of a new year always seems like a fresh start, a chance to visit new places and explore new subject areas. Many people opt for a New Year's resolution: getting...

In partnership with Oracle, the Cloud Security Alliance (CSA)  is happy to announce the survey of the Top Threats to Cloud Computing 2019 report. Last year's report was an incredible success for CSA, and Oracle is looking to help make 2019 even more impactful than ever.  As a sponsors and contributor to this report, Oracle is encouraging all to take 6 minutes to walk through the CSA survey to indicate the challenges impacting your cloud experience. We have shortlisted 19 security issues from recurring issues like Data Breaches and Insecure Interfaces and APIs to new issues like Weak Control Plane. While the list could be much longer, our goal is to focus on the top of line threats impacting organizations today.  Your involvement is crucial in helping raise awareness  across the industry.  Help the Cloud Security Alliance (CSA) determine industry perceptions of the most significant issues! The survey will take about 6 minutes to complete.  To encourage participation, CSA is giving away: $100 worth of gift-card vouchers one CCSK token. Link to survey: https://www.surveymonkey.com/r/MQ553TW

In partnership with Oracle, the Cloud Security Alliance (CSA)  is happy to announce the survey of the Top Threats to Cloud Computing 2019 report. Last year's report was an incredible success for...

Like baking, security is an art and science. Both require planning from the beginning, adding the right ingredients that work well together, and integrating those ingredients for a final product.

Like baking, security is an art and science. Both require planning from the beginning, adding the right ingredients that work well together, and integrating those ingredients for a final product.

It’s not surprising to hear that an increasing number of organizations are moving their mission critical applications to the cloud in order to leverage its flexible functionalities. While there are many benefits, such as a reduction in operational costs, moving to the cloud also poses new security risks and challenges. Organizations must address this increasingly complex threat landscape in order to protect their users, applications, and data. Critical applications, such as Enterprise Resource Planning (ERP) systems, host very sensitive data, making them prime targets for cyberattacks. While SaaS vendors are responsible for the security of the application infrastructure, SaaS customers must protect the customer data and access of the application. Due to the high risk of attack, organizations must implement security policies and solutions in order to protect themselves. As illustrated below, most business leaders are expecting an increased number of cyberattacks on an ERP system, so organizations need to move fast. According to the Cloud Security Alliance ERP Working Group, “you must continually monitor user activity to detect malicious and anomalous behavior.” To start, organizations must find a way to give different employees, different levels of access to business critical applications and monitor what users are doing at any point in time. As shown below, Oracle’s CASB Cloud Service (CASB) and Identity Cloud Service (IDCS) can help organizations protect the data in their ERP system while continually monitoring user activity.                             As organizations transition their critical applications to the cloud, many questions may arise. Success in the cloud depends highly on the amount of visibility and ability to scale. For more information on creating a security strategy for your critical SaaS applications, access our  Securing Sensitive ERP Data infographic and dive deeper into strategies for securing all of your mission-critical SaaS applications in our new Cloud Security guide. 

It’s not surprising to hear that an increasing number of organizations are moving their mission critical applications to the cloud in order to leverage its flexible functionalities. While there are...

Following several widespread and highly publicized breaches around the world, companies have realized a need to invest more in security. Although security was always a concern, these attacks have been a catalyst for change. Despite this surge in recognition, cyberattacks are still on the rise. In parallel, customers are rapidly adopting new applications, many of which are SaaS deployments. As organizations recognize the benefits of change, they must also acknowledge the massive expansion of hybrid and multi-cloud deployments, and that the changing IT landscape requires a shift in thinking. IT organizations must now work closely with the lines of business(LoB), which have been empowered by easily deployed cloud solutions. These business leaders, sometimes referred to as "shadow IT", often ran into difficulty with IT teams in the past. These challenges stemmed from the painful deployment of legacy applications, requirements to adhere to corporate risk policy, and perhaps frequent outages. IT teams should approach cloud transformation as an opportunity to strengthen the relationship between IT and LoBs. Rather than be seen as inhibitors to business transformation and speed, IT has the opportunity to be seen as enablers of a more secure future for the business. Organizations should consider how their security and management strategy may change in this transition as well. Businesses need solutions designed for the future, that incorporate AI and Machine Learning to enhance an organization's ability to rapidly detect suspicious behavior and respond without human interaction. This is a critical piece of the puzzle as organizations fight to stay ahead of cybercriminals. Visibility To combat today's sophisticated threats, organizations must recognize the need for greater visibility. Incorporating an integrated security and management strategy can offer the visibility and automated remediation customers need to hold the competitive edge. Stronger Together A constant concern expressed by IT organizations is the lack of consolidated information. According to the Oracle and KPMG Cloud Threat Report, organizations manage an average of 46 different cybersecurity products. These tools were implemented to alleviate one problem, but can often cause other problems as organizations try to piece together data from a multitude of systems. Oracle's security and management  solutions are designed to offer customers the flexibility and support needed to protect today's hybrid and multi-cloud environment. Real-Time Insights, Proactive Defense Oracle's security and management cloud services utilize machine learning techniques to deliver fast insights, streamline diagnostics, and predict outages before they occur - allowing organizations to focus on innovation, rather than manually sorting through thousands of security alerts each week. Cloud solutions continue to spread across organizations and the need for a comprehensive platform seems more crucial than ever. Each organization is responsible for protecting their unique technology footprint, with Oracle's security and management cloud services, organizations have the flexibility and agility to add in completely integrated services that will support their needs. Access our new cloud essentials guide to learn more about securing and managing hybrid clouds.

Following several widespread and highly publicized breaches around the world, companies have realized a need to invest more in security. Although security was always a concern, these attacks have been...

The 2018 Chief Information Officer Leadership Forum is just around the corner! Be sure to secure your ticket to the forum taking place in Atlanta on Thursday December 13th. Improving security posture has become a prime business initiative for most organizations, as I shared in my previous core-to-edge blog, advancements in new and emerging technologies are opening doors for both businesses and adversaries. Prompting the need for organizations to make dramatic shifts in the way they look at security and the strategies they implement to effectively secure and manage their environments. This year, Oracle is a sponsor for the Argyle Executive Forum aimed to bring together thought leaders and senior IT leaders for a series of strategic sessions and peer networking. Oracle's Vice President of Systems Management & Security Products Group Dan Koloski will present a thought leadership keynote on the topic of, Transforming your IT Operations and Security Detect-and-Response Regimes for Today's Reality. The keynote is sure to touch on some of the major challenges CIOs face today and strategies for shifting their IT operations to meet modern business needs. In addition, Oracle will host a breakout session titled, 'Measuring the Impact of Transformed IT Operations and Security,'  specifically geared toward understanding the metrics CIOs use to achieve real results. Attendees will also have the opportunity to attend sessions from CIOs at several leading organizations across a multitude of industries. This event has been tailored specifically to meet the interests and needs of senior IT executives, with an emphasis on topics such as: Leveraging Information Technology as a new center for innovation in the digital age Navigating top trends and risks driving IT spend in 2018 Embracing and facilitating the migration to a digital ecosystem to boost productivity and increase speed to market Nurturing a nimble and flexible workforce that will continue to evolve alongside modernized IT infrastructure We look forward to the collaboration between executive leaders at the forum. Be sure to register for this exciting event and to learn more about Oracle Security and Management, please visit our webpages. Event Overview: Argyle CIO Leadership Forum: Register Today! Location: Grand Hyatt Atlanta 3300 Peachtree Road NE Atlanta, GA 30305 Join Us:December 13, 2018 From 8:00 a.m. - 5:15 p.m. Oracle's Keynote: Transforming your IT Operations and Security Detect-and-Response Regimes for Today's Reality Abstract:The speed of business, the rapid iteration of application development and the explosion in threat sophistication has overrun traditional operational and security approaches, resulting in increased risk of outages and data breach. Prevention and detect-and-response regimes must be overhauled to match this new reality.  Oracle experts will discuss ways organizations are transforming detect-and-response regimes to match today’s requirements. About Oracle's Keynote Presenter: Dan Koloski Vice President - Systems Management & Security Products Group, Oracle  Biography: Dan Koloski is a software industry expert with broad experience as both a technologist working on the IT side and as a management executive on the vendor side. Dan is a Vice President in Oracle's Systems Management and Security products group, which produces the Oracle Management Cloud Services and Oracle Enterprise Manager family of products. Previously, Dan was CTO and Director of Strategy for the Web BU at Empirix, which he helped spin out and sell to Oracle in 2008. Dan holds a B.A. from Yale University and an M.B.A. from Harvard Business School.  

The 2018 Chief Information Officer Leadership Forum is just around the corner! Be sure to secure your ticket to the forum taking place in Atlanta on Thursday December 13th. Improving security posture...

Implementing separation of duty (SOD) and the least privilege model are basic foundations of your security strategy – what we call security hygiene.  This is applicable to not only your databases, but all your systems.  Separation of duty splits tasks between individuals so no single user has enough privileges to steal sensitive data or damage the system.  Least privilege limits the privileges the user has to just what they need for their day-to-day tasks.  The worry is not so much your trusted insiders, but malicious users who leverage stolen credentials from privileged users to mount attacks to steal data, alter information or otherwise damage the system. Separation of Duty Separation of duty (SOD) is a method to separate sensitive task roles to different people to minimize the ability for any one individual to steal or damage the system. A classic application example is to separate the task of entering vendor invoices and paying it.  Separation of duty suggests splitting this across at least two people since one malicious user can’t create a new vendor, enter a fake invoice and pay himself/herself.  In a similar way, separation of duty in a database looks at common attack vectors and separates roles to prevent the attack.  A common attack vector for the database is a malicious user leveraging stolen privileged credentials to create a new rogue account.  The malicious user escalates the privileges on the rogue user account and then logs into the rogue account to attack the system.  Separation of duty in this scenario separates the ability to create a new user and the ability to grant privileges from the privileged user account. Least Privileges In the Least privilege model, users are only given the privileges and access they need to do their jobs.  Frequently, even though users perform different tasks, users are all granted the same set of powerful privileges.  Figuring out what set of privileges each user needs is hard work and in many cases, users end up with some common set of privileges even though they have different tasks.  Even in organizations that manage privileges, users tend to accumulate privileges over time and rarely lose any privilege.  Separation of duty breaks a single process into separate tasks for different users.  Least privileges enforces the separation so users can only do their required tasks.  The enforcement of SOD is beneficial for internal control, but it also reduces the risk from malicious users who steal privileged credentials. Privilege Analysis So implementing SOD and the least privilege model is good practice, but how do you go about doing this?  Not only is it hard to analyze what privileges every user and application need, you also need to review and remove un-needed privileges. It’s not just a one-time project – but an on-going process that can be labor intensive without automation.  There are multiple tools that can tell you the roles and privileges granted to any particular account – but they don’t tell you if they ever get used – or if they’re used, why they were used. Privilege Analysis was first introduced with Oracle Database 12c and licensed as part of the Oracle Database Vault option.  Since then, Privilege Analysis has been used by many customers to reduce their attack surface area by helping them implement least privilege model.  This innovative capability created by Oracle is unique in the database world and is vastly superior to any static analysis tool. Built into the Oracle database kernel, Privilege Analysis tracks not only what privileges and roles are NOT used over a period of time, but also which privileges and roles are used – and how they are used.  Privilege Analysis is designed to minimally affect existing operations so it can safely run in your production and test environments. You typically run Privilege Analysis over a time period that captures all the use cases for either a user, groups of users, role, an application or even the entire database.  A report is generated that shows which privileges and roles were used and unused.  You may find that an account was granted the powerful SELECT ANY TABLE system privilege, but it was only used to access seven tables from the same schema.  It would be much better if the SELECT ANY privilege was replaced by direct object SELECT grants to these tables. The Unused Privileges Report lists privileges that weren’t used during the time the data was collected. You can simply revoke the user’s unused privileges if you determine the user doesn’t need them, however another option is to audit and alert on these unused privileges instead.  This gives you flexibility so the user can use the privilege without impact, but you’ll also be notified if a malicious user uses these “unused” privileges. While all database accounts can benefit from the least privilege model, application service accounts and DBA user accounts are especially well suited for this analysis. Application service accounts typically need three different types of privileges and roles.  First set is used by the application to operate on a daily basis, second for patching and upgrades, and then third to install the application schema.  Privilege Analysis can track which privileges and roles are used for day to day operations so you can limit the service account to just these privileges and roles.  They can even be grouped into an operational role to make it easier to manage.  Running Privilege Analysis on a test database during patching and updates can tell you which additional privileges and roles are needed for patching/updates.  This can be granted to the production service account before these activities take place, and then revoked afterwards.  Oracle Database DBAs are frequently just granted the out-of-the-box DBA role.  This out-of-the-box DBA role should not be granted to every DBA as it contains almost every possible privilege, including most system privileges in the database.  DBAs have different tasks to perform and least privileges dictates granted privileges should match the tasks.  Privilege Analysis can be used to implement least privileges for DBAs in a number of ways.  DBAs in the same job can be analyzed to see which privileges they need to perform their job.  Then a new role can be created (xxx_dba role) to be granted to each DBA in that job.  Or individual tasks can be run by DBAs and Privilege Analysis can capture privileges used for each task.  Task based roles can be created and DBAs can be granted the task roles they are responsible for.  Task based roles provide more flexibility as a DBA’s job changes over time. Oracle continues to be a security leader through innovative, unique security controls to protect your data. Distributing the Database Security Assessment Tool (DBSAT) for no additional license fee through Oracle support shows our commitment to help our customers understand the risk profile of their databases that manages their critical data.  In today’s world, we need tools to assess our own security before hackers analyze our weaknesses and gaps.  Privilege Analysis Included with Oracle Database Enterprise Edition Oracle recognizes the critical importance of assessing your database environment in order to better improve security.  We are pleased to announce that Privilege Analysis is now included with Oracle Database Enterprise Edition for no additional license fee.  This change applies to all supported versions of the Oracle Database. Users can refer to the Privilege Analysis documentation in the Oracle Database Vault Administration Guide.  Separate documentation for Privilege Analysis will be part of the next Database Security Guide.  Database Vault does not have to be configured or enabled to use Privilege Analysis in any version. By implementing separation of duties, least privileges and using DBSAT – you will reduce the risk of malicious users using your privileged credentials to steal or alter data.

Implementing separation of duty (SOD) and the least privilege model are basic foundations of your security strategy – what we call security hygiene.  This is applicable to not only your databases, but...

According to the 2018 Oracle and KPMG Cloud Threat Report, 90% of firms reported that more than half of their cloud data includes sensitive information. With organizations rapidly housing their most critical data in the cloud, visibility is key. The report also uncovered that 82% of cyber leaders are concerned that employees do not follow cloud security policies. How are organizations supposed to secure environments they aren't even aware of? Visibility is Critical The proliferation of threats organizations face and the release of several major compliance regulations have prompted a renewed sense of urgency for the entire business to better secure their environment. Visibility is very important, as customers purchase cloud-based infrastructure they need to be sure that the applications and data residing on top of it remain secured. Oracle's Cloud Access Security Broker (CASB) Cloud Service allows customers to gain that visibility along with threat protection, and data security for both OCI deployments and multi cloud environments. Interested in Learning More? With Oracle CASB Cloud Service for OCI, customers can monitor configuration drift, set automated controls for remediation of high risk user profiles, and an understanding of user behavior. Allowing organizations to quickly detect and act on possible threats. Please join our Cloud Platform Specialists, Gordon Trevorrow and Indranil Jha for a live demo of Oracle CASB to learn more about the ways in which Oracle CASB helps organizations better monitor, understand, and secure their OCI deployments. Virtual Workshop Register now! Secure Oracle Cloud Infrastructure with Oracle CASB December 11, 2018 10:00 am PT

According to the 2018 Oracle and KPMG Cloud Threat Report, 90% of firms reported that more than half of their cloud data includes sensitive information. With organizations rapidly housing their most...

Gartner has named Oracle a Leader both in the 2018 Gartner Magic Quadrant for Identity Governance and Administration and 2018 Gartner Magic Quadrant for Access Management, Worldwide. In response, Oracle released an announcement. The press release covers brief insights on the report and explains Oracle's security strategy, "Oracle believes this recognition further validates the strength and innovation of cloud security services Oracle has introduced over the past year and its ability to help enterprises better integrate security solutions to manage their business." According to Gartner, “IGA Leaders deliver a comprehensive toolset for governance and administration of identity and access. These vendors have successfully built a significant installed customer base and revenue stream, and have high viability ratings and robust revenue growth. Leaders also show evidence of superior vision and execution for anticipated requirements related to technology, methodology or means of delivery. Leaders typically demonstrate customer satisfaction with IGA capabilities and/or related service and support.” To learn more, access the full 2018 Gartner Magic Quadrant for Identity Governance and Administration. Within the 2018 Gartner Magic Quadrant for Access Management, Worldwide, Oracle also placed in the Leaders quadrant. Oracle's security strategy incorporates several layers of defense to enable organizations to increase their security posture across the entire cloud, including users, apps, data, and infrastructure.  By implementing Oracle's Identity and Access Management solutions in conjunction with emerging technologies and existing investments, we believe customers have the opportunity improve their security posture and enable greater innovation within their industries. Oracle's complete, integrated, next-generation identity management platform provides breakthrough scalability and enables organizations to reduce operational costs. Organizations gain the flexibility to secure sensitive applications and data - regardless of their deployment. Please be sure to download a complimentary copy of the 2018 Gartner Magic Quadrant for Identity Governance and Administration and the 2018 Gartner Magic Quadrant for Access Management,Worldwide.    Gartner Magic Quadrant for Identity Governance and Administration, Felix Gaehtgens, Kevin Kampman, Brian Iverson, 21 February 2018.   Gartner Magic Quadrant for Access Management, Worldwide, Gregg Kreizman, 18 June 2018.   This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Oracle. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.    

Gartner has named Oracle a Leader both in the 2018 Gartner Magic Quadrant for Identity Governance and Administration and 2018 Gartner Magic Quadrant for Access Management, Worldwide. In response,...

Today's world is all about the go go go. People simply do not have time to wait and as a result, organizations are tasked with producing products, applications, and services at a rapid rate. Being first to the market is no longer just a goal, it can make or break an organization. Imagine for a moment that a consumer opens up their smartphone to complete a transaction. Within a matter of minutes, they may have accessed several apps, entered highly sensitive Personally Identifiable Information (PII), and perhaps used the same login password they use for every account - including work accounts- all on a public network. Threats are everywhere and this example is just one out of thousands of ways in which personal accounts are at risk. Now translate that risk from an individual to an organization. Cybercriminals are highly funded and motivated to snatch certified credentials from end users. These stolen credentials could end up as the starting point for an attack against an organization in an attempt to collect or manipulate critical core data.  The widespread use of weak passwords, unsecured networks, and frequent occurrence of phishing attacks make organizations prime targets for attack. Compound this with the proliferation of users, applications, and devices all enabled for a fast, digital, and mobile world - the threat seems inevitable. Understanding Who is in Your Environment Organizations have long relied on strong perimeter controls and although these do well to protect the on premises environment behind the firewall, what can be said about the use of mobile devices and the increasingly common Hybrid Cloud landscape? Organizations need a solution that can leave the boundaries of the traditional firewall and provide security at every layer, as discussed in our recent Core-to-Edge blog. Organizations have invested heavily in the use of traditional Identity and Access Management solutions for on premises, but the move to the cloud has created a security mandate to consolidate identity management under one framework that extends into the cloud. In the 2018 Oracle and KPMG Cloud Threat Report, 38% of respondents reported detecting and responding to cloud security incidents as the number one cybersecurity challenge. Gaining visibility into the behavior of users and devices across an entire hybrid cloud ecosystem is crucial in determining if users have appropriate access to critical applications, if those users are abusing their access, and remediating anomalous behavior in the event privileged user credentials have been compromised. Flexibility and Choice Make the Difference Organizations have quickly realized the benefits of cloud adoption and have implemented several solutions at every layer of the stack. However, protecting an entire hybrid and multi-cloud environment under one solution can be challenging. After all, every vendor has unique shared responsibility requirements and the growing number of compliance regulations have pulled organizations in too many directions, leaving them exposed to attackers. In order to keep pace with innovation and the changing IT landscape, organizations must streamline their security controls with solutions such as Oracle Identity Cloud Service and additional cutting edge technologies, that can play an integral part in enabling organizations looking to secure their hybrid cloud environment. Learn more about the ways in which Oracle offers organizations flexibility in managing identities in a hybrid cloud and securing SaaS environments for increased visibility and control.  

Today's world is all about the go go go. People simply do not have time to wait and as a result, organizations are tasked with producing products, applications, and services at a rapid rate. Being...

Looking to learn more about Oracle Cloud? We are happy to announce six upcoming Oracle Cloud Day events in cities near you! Oracle Cloud Day offers attendees a wide array of sessions, hands-on experiences, and networking opportunities. These single day events allow you to explore new cloud technologies, best practices, and customer success stories.   Every cloud journey is unique and the Oracle Cloud Day is designed to be enable organizations at all stages of their transformation. Each event features keynotes, developer playgrounds, and networking in the Oracle Innovation Lounge. Three customized tracks designed to meet each attendee's needs - IT Experts, Architects and Integrators, and Data Professionals. Join the IT Experts track to learn more about Oracle's latest innovations in Security solutions.   Oracle Security offers organizations flexibility and choice in securing their deployment. With the overload of threats organizations face it is important to implement a layers of defense approach to security. If you are planning to attend, be sure to join our session, "Mitigating the Top Five Cloud Security Mistakes," within the IT Experts track.   Abstract: One of the most misunderstood aspects of the cloud is determining where the cloud service provider’s security responsibility ends and your responsibility begins. The Oracle and KPMG Cloud Threat Report indicates less than half of surveyed organizations could correctly identify their IaaS security responsibilities. Join this session to learn the top five cloud security mistakes organizations make, and how to mitigate them using Oracle’s security solutions. Learn how to best prevent, detect, and respond to the top risks to your hybrid cloud environment, including misconfigurations, data loss, shadow IT, and more. We’ll also share an insider’s view of the top questions to ask your cloud service provider to best protect your organization.     Register Now for a City Near You! Toronto, ON                                             Atlanta,GA December 4th, 2018                             January 17,2019   Dallas, TX                                                 Boston, MA December 6th, 2018                             January 30, 2019   New York, NY                                          Chicago, IL January 15th, 2019                               February 5, 2019      

Looking to learn more about Oracle Cloud? We are happy to announce six upcoming Oracle Cloud Day events in cities near you! Oracle Cloud Day offers attendees a wide array of sessions, hands-on...

The Gartner Identity and Access Management Summit 2018 in Las Vegas is quickly approaching! If you are attending the conference, we encourage you to catch these sessions and events. 1. Visit the Oracle Booth Oracle is a Platinum Exhibitor at the Gartner Identity and Access Management Summit 2018. We encourage you to spend some time at the Oracle Security Booth (#601) to learn more about Oracle's Security solutions in the identity management space. Additionally, connect with product management and other Oracle pecialists to discuss the ways in which Oracle has helped customers succeed in hybrid and multi cloud environments. 2. Session: Learn more about Oracle's Trust Fabric Join Oracle SVP and General Manager of Security and Identity, Eric Olden, for a session that explores today's sophisticated threats and the need for proactive and intelligent solutions that can quickly scale to meet changing IT requirements. Olden will also share how Oracle's Trust Fabric helps organizations predict, prevent, detect, and respond to threats. The session will take place Monday, December 3rd from 3:45pm- 4:30pm. 3. Create a Winning Plan The Gartner Identity and Access Management Summit offers attendees over 50 sessions, exhibit floors, and access to several peer and analyst networking opportunities. With so many options, we believe it is critical to come to the conference with a game plan. Gartner's registration page offers full abstracts for each session and can be filtered a number of ways, including by topic or track. This allows attendees to fine tune their interests and build an agenda through the registered attendee portal. 4. Understanding Your Roadmap According to the 2018 Oracle and KPMG Cloud Threat Report, 82% of cyber leaders are concerned that employees do not follow cloud security policies. This leaves organizations at risk and exposed in ways they may not even be aware of. Prior to the conference, we recommend all attendees take the time to understand their roadmap and consider assessing their environments to understand any pace gaps they may need to address. Each environment is unique and exercises like this will give attendees a fresh lens to approach each session and gain meaningful takeaways from each session they attend. 5. Continuing Support Throughout the conference, we encourage all attendees to visit @OracleSecurity on Twitter. Additionally, visit our webpage to learn about Oracle Security Solutions. About the Gartner Identity & Access Management Summit 2018 The Gartner Identity & Access Management Summit 2018 will help attendees reimagine significant elements of their IAM approach for digital age success. Gartner analysts will explain the latest tactics and best practices across IAM fundamentals to help craft and implement an IAM vision and strategy for the digital age.

The Gartner Identity and Access Management Summit 2018 in Las Vegas is quickly approaching! If you are attending the conference, we encourage you to catch these sessions and events. 1. Visit the Oracle...

Next Generation Cybersecurity The next generation cloud revolution has begun. Emerging technologies are opening doors for innovation and, unfortunately, risk as well. Technologies such as AI, Blockchain, and IoT are gaining momentum and creating new threat vectors for organizations. Security teams are struggling to keep pace, in fact, according to the Oracle and KPMG Cloud Threat Report, detecting and responding to cloud security incidents is the number one cited cyber security challenge. How can organizations address this challenge? Core-to-Edge Security The rising number of sophisticated attacks has prompted organizations to adopt a layers of defense approach- protecting their environment at the core (your data) and moving to the edge (anywhere users access data, including your applications and infrastructure). we encourage you to join us at the Gartner Identity and Access Management Summit 2018 from December 3rd-5th in Las Vegas at Caesars Palace to discuss these challenges and more. Visit Oracle at Booth #601 We encourage attendees to visit our booth to meet experts and learn more about: Oracle's Identity-based Security Operations Center (Identity SOC) which provides comprehensive monitoring, threat detection, analytics, and remediation tools to stay ahead of threats. Get insight into Oracle's Trust Fabric approach, which enables customers to better predict, prevent, detect, and respond to highly sophisticated attacks. Sign up for an Oracle Cloud Trial. Attend our Session Title: Combat Sophisticated Threats with Oracle Security Date: Monday, December 3, 2018 | 3:45 PM - 4:30 PM | Roman II Promenade Level Speaker: Eric Olden, Senior Vice President and General Manager of Security and Identity, Oracle Abstract: Today's advanced security threats require proactive and intelligent automation that can quickly scale with a rapidly changing IT environment. Learn how Oracle's Trust Fabric helps predict, prevent, detect, and respond to the overwhelming number of security events that challenge IT and security operations. Oracle's Trust Fabric is a comprehensive set of integrated solutions designed to help reduce the time required to respond to security threats. About the Gartner Identity & Access Management Summit 2018 The Gartner Identity & Access Management Summit 2018 will help attendees reimagine significant elements of their IAM approach for digital age success. Gartner analysts will explain the latest tactics and best practices across IAM fundamentals to help craft and implement an IAM vision and strategy for the digital age.  

Next Generation CybersecurityThe next generation cloud revolution has begun. Emerging technologies are opening doors for innovation and, unfortunately, risk as well. Technologies such as AI,...

Provisioning an Oracle database in Oracle Cloud Infrastructure (OCI) is quick and easy .... it takes not more than a few mouse clicks and your database is ready within minutes.  Once you've provisioned a 12.2 database (that includes all the 18c releases) in OCI, you'll notice that ...: it is always configured as a single-tenant database (root container with one pluggable database), and Transparent Data Encryption is already turned on, and the USERS tablespaces of the root container and the PDB are already encrypted. Because the 'encrypt_new_tablespaces' system parameter is set to CLOUD_ONLY by default, all new application tablespaces will be automatically encrypted with AES128, even if the "encryption" syntax is omitted from the 'create tablespace' commands. Databases in OCI are created with an auto-open wallet, but for further wallet operations, the wallet password needs to be known regardless; the default wallet password is the administrator password that you provided when completing the Web-Form to initially provision the database. In order to make the configuration of TDE complete, set the ORACLE_UNQNAME environment variable on the OS level (set in .bash_profile), and in server control (because even single instance databases in OCI run on Oracle Grid Infrastructure). In a single instance database, ORACLE_UNQNAME is usually the same as the ORACLE_SID; in RAC databases, the ORACLE_UNQNAME is equal to ORACLE_SID minus the number, for example: A 2-node RAC has FINRAC1 and FINRAC2 as ORACLE_SIDs, the ORACLE_UNQNAME should be FINRAC. How to clone a pluggable database with encrypted tablespaces: SYS:CDB$ROOT> show pdbs; CON_ID CON_NAME  OPEN MODE  RESTRICTED ------ --------- ---------- -----------      2 PDB$SEED  READ ONLY  NO      3 FINPDB    READ WRITE NO If the source database is opened READ WRITE, then the next command will create a "hot" clone, which requires local UNDO tablespaces and archive logging to be turned on.  If this is not feasible, stop and restart the source PDB as READ ONLY while it is being cloned. SYS:CDB$ROOT> create pluggable database TESTPDB from FINPDB keystore identified by "wallet-pwd"; This guarantees that your source database (which might contain sensitive data) can only be cloned by an administrator who knows the wallet password. SYS:CDB$ROOT> alter pluggable database TESTPDB open; Now the new pluggable database needs its own encryption key.  Connect to TESTPDB and execute: SYS:TESTPDB> administer key management set key force keystore identified by "wallet-pwd" with backup [container = current]; To test, select data from a table that is stored in an encrypted tablespace, or create a new tablespace which will be encrypted by default; in both cases, the cloned database will use its own master encryption key that was created in the previous step. SYS:TESTPDB> create tablespace PROTECTED datafile size 50m; Tablespace created. If you are interested learning more about other use cases, please let me know through the comment section below.  To learn more about Oracle Database Security and Oracle Cloud Infrastructure, please visit our webpages.

Provisioning an Oracle database in Oracle Cloud Infrastructure (OCI) is quick and easy .... it takes not more than a few mouse clicks and your database is ready within minutes.  Once you've...

According to the Economist, “The world’s most valuable resource is no longer oil, but data.” As organizations embrace the digital revolution and transform themselves by adapting new business models, data will be the single most valuable asset to ensure competitive advantage. Organizations have a lot of sensitive data (IP, SSN, credit card numbers), all which continue to increase exponentially. Lots of people are coming after that data ranging from internal employees, customers, competitors to nation states, criminals and activists - Organizations need to ensure their sensitive data is protected.  Due to the increasing number of data breaches, government agencies have stepped in to enforce data privacy and security mandates such as GDPR to protect privacy. No matter where you are, data privacy laws are in effect, and new regulations will be enforced every single year. While these mandates may differ on enforcement, penalties, breach notification, or scope (high level or detailed), they will all aim to accomplish the same thing: Keep people’s personal data safe and secure. It’s an asymmetric warfare! The attackers and hackers have excellent tools, time, and infrastructure to ensure they succeed. on the other hand, as defenders, organizations are highly constrained with time, people, and resources. These constraints force organizations to fight hard and fight smart. In order to take the right steps to protect data, organizations first need to fully understand their environment. Many organizations don't really know how much and what type of sensitive data they have.  They may not know how all their systems are configured - and more importantly, where those configurations introduce unnecessary risk. They need to know what users they have, their entitlements, what controls are in place, which ones are missing, etc. They must assess their current state in a comprehensive fashion, analyze and report on identified gaps, and draft a strategic plan to improve their security posture. To learn more about best practices on how to assess your IT system and risks, please join Oracle's Pedro Lopes and The Pythian Group's Simon Pane for the following webcast. Title: Assessing Risks in an IT system Date: Thursday, November 8, 2018 Time: 2:00 p.m. ET/ 11:00 a.m. PT Register here  Pedro Lopes, DBSAT and EMEA Field Product Manager, Oracle  Simon Pane,Principal Consultant, The Pythian Group

According to the Economist, “The world’s most valuable resource is no longer oil, but data.” As organizations embrace the digital revolution and transform themselves by adapting new business models,...

It’s been busy at Oracle OpenWorld this week, but I wanted to take some time to summarize some recent news. Bad news first: There isn’t any one cloud security silver bullet. Now, the good news: There are smart approaches you can take to secure your cloud environments. If you’ve made it to this blog, you’re probably facing at least one of these challenges: Your organization is eager to capitalize on the benefits that come with cloud adoption, but it doesn’t know a lot of about how to secure its information in the cloud. According to ESG research, 85% of businesses now use some form of public cloud service. That’s up from 57% just five years ago. Your company is increasingly risk aware due to the prevalence of cyberattacks and may have already been affected by an attack. In the Oracle and KPMG Cloud Threat Report 2018, two-thirds of our respondents said that they experienced a cybersecurity incident that affected business operations over the past two years. You’re trying to secure a footprint that stretches across on-premises and cloud environments. And even within your cloud footprint, you’re using multiple clouds from multiple cloud service providers—some of which you probably don’t even know about. Bottom line, it’s complicated. ESG Research also says that 81% of companies using IaaS platform services say they use services from more than one cloud service provider. During the last several weeks, my colleagues Greg Jensen (Oracle), Brian Jensen (KPMG), and I (me on Twitter) have posted a series of blogs and hosted a handful of webcasts, all examining an aspect of cloud security that will help you address these concerns. Today, I want to put it all together in a handy list (and give you a shortcut in case you’ve missed one or two of our posts). Although this is far from comprehensive, you can get much more information by downloading the Oracle and KPMG Cloud Threat Report 2018 for yourself or by viewing our latest webcast installment Enabling a Secure SaaS Experience on demand. Without further ado, here are the top seven tips for tackling your cloud security challenges. Understand the cloud service provider shared responsibility model. We did a blog about this a few months ago. In a nutshell, understanding shared responsibility means getting crystal clear on what your cloud service provider is responsible for when it comes to management and security and what you as the customer are responsible for. Sounds easy, but in our research for the Oracle and KPMG Cloud Threat Report we found that less than half of our survey respondents could identify the most common shared responsibility model for IaaS, SaaS, or PaaS. Appoint a Master of All Cloud Security. We call this a Cloud Security Architect. The CSA understands every possible security and compliance-related challenge that a line of business (LoB) owner or infrastructure, platform, or app team could run into when deploying new cloud services. And it’s the one position that has stood out as the most central and strategic in meeting security and compliance milestones. We go into detail about the Cloud Security Architect in this post. Get a single view into all data. The average cybersecurity professional has their attention split between about 46 different security products. Trying to find the signal in that amount of noise is unfair at best and disastrous at worst. Getting a single view into all the data being generated by these products is critical to making sense of it. Use artificial intelligence. A single view is critical, but it isn’t enough. Only 37% of our Cloud Threat Report survey respondents said that they can analyze a modest sample of their data (defined as 25% to 49%), and another 14% report they can only analyze small samples of their data (less than 25%). This isn’t a problem we can just throw more people at. First, they don’t exist. Current estimates suggest there will be 3.5 million open cybersecurity jobs by 2021. But even more importantly, it’s just not practical. Automated systems are much better at handling volume than humans will ever be. Address the complete threat lifecycle. Predict. Prevent. Detect. Respond. You need to be able to predict a potential threat by flagging anomalous behavior. You need to prevent cybercriminals from stealing that data. If they do, you need to be able to detect the breach, and, finally, respond automatically. Each stage is crucial. Apply these security practices across disparate organizations. The saying, “Change is the one thing you can count on” applies here. Mergers, acquisitions, and growth all come with change in the form of new applications and systems, creating the beautiful heterogeneous environment that your business uses to thrive. Finding a way to protect this environment is an absolute must. Continuously monitor. Fortunately or unfortunately, your work is never finished. You’ll need to continuously monitor and assess the environment for suspicious activity, keep up on the latest trends, and find new solutions. But, hey, that’s why you read this blog right? So, there they are, the seven tips for tackling your cloud security challenges. It’s not easy, but it’s vital, and we can help. For more information on how Oracle approaches these mandates, read my recent blog on our Core-to-Edge approach. And for a more in-depth look at reducing risks by implementing consistent security controls and governance across hybrid and multi-cloud environments, join us for our webcast: Enabling a Secure SaaS Experience – Register Here.

It’s been busy at Oracle OpenWorld this week, but I wanted to take some time to summarize some recent news. Bad news first: There isn’t any one cloud security silver bullet. Now, the good news: There...

If you’re stymied about how to protect your on premises data now, then leverage that security layer in your move to the cloud, read on. With about 2 Billion pieces of malware circulating and 1M new ones created each day, any user, asset, or application is at risk of being attacked. But databases containing sensitive information pose a significantly higher risk. This holds true for companies with on premises datacenters and self-sourced IT groups as well as those using cloud-based services or outsourcing arrangements. To make things worse, as cyberattacks become more sophisticated and IT environments more complex, detecting and responding becomes costly, often requiring many analysts, using many different tools to conduct forensic analysis, that can take weeks to complete. Forty-two percent of cybersecurity professionals say their organization ignores a significant number of security alerts because they can’t keep up. This is where the right security solution — with that perfect combination of SIEM-like features plus UEBA and IT Compliance — comes into play. With the appropriate features, this context can be accomplished in just a few clicks. Does this miracle tool exist? Let’s go through a few sample workflows and let you decide for yourself. Database Firewall Alert. Let’s start our journey toward increased database security by processing an alert from Oracle Audit Vault and Database Firewall (AVDF). In this case, Oracle has the ability to assess risks with on premises applications natively, or consuming an enhanced threat feed from AVDF. This alert, in itself, doesn’t mean you’ve got an attempted infiltration. Security Monitoring and Analytics pulls in an alert from the Audit Vault and Database Firewall application SQL Anomaly.  When we see anomalous SQL correlated concisely with the above database firewall alert, we’ve got improved context. First off, as the image below indicates, the user is in Marketing, not Finance. Yet they are accessing a Finance database. Second, they are doing a “select from a user table” command which is a form of SQL injection. Both of these points make this highly suspicious. This SQL anomaly is from a user who resides in Marketing and does not access the financial database, “FINDB” in their day-to-day work Brute Force Attack. By the time this happens we would normally engage our forensic team. But we don’t have to, because Oracle Security Monitoring and Analytics (SMA) has already done the correlations and kicked off an auto-remediation workflow. This is good news because with most companies triaging less than 50% of their alerts, most need the extra help. SMA correlates repeated login attempts over the course of a few minutes with the same high-risk user Will it be useful when I move to the cloud? The short answer is “yes”. This is where investing in a cloud service to protect your on-site assets makes sense because, instead of spending 75% of your IT budget maintaining internal systems like our friends in the healthcare sector, you’re planning ahead by lowering fixed costs. And if you’re not yet cloud-bound, chances are you will be. In a 2017 survey of 196 IT managers and leaders, 79% of respondents said they have a cloud project underway or planned. SMA consumes information from on premises or cloud applications equally well. So, as you begin to transition to the cloud, that same SMA analytics and risk assessment tool will do an equally effective job monitoring you cloud posture, incorporating alerts from — for example — Oracle’s Cloud Access Security Broker (CASB), or Identity Cloud Service. SMA reports an anomalous access to a cloud resource based on a CASB alert Finding threats is most useful if they can quickly be remediated. Fortunately — especially for those without dedicated threat-hunting teams — SMA interfaces with Oracle Configuration and Compliance to set in motion a remediation workflow. The configuration and compliance ruleset reveals that guest accounts have unexpectedly been enabled on the database, and remediates the insecure settings. To watch SMA perform these functions in action, see our SMA demo video. For product details or to start a free trial, visit our SMA web page. And be sure to catch SMA at Oracle Open World for a tech talk, hands-on-lab, or a live demo.  

If you’re stymied about how to protect your on premises data now, then leverage that security layer in your move to the cloud, read on. With about 2 Billion pieces of malware circulating and 1M new...

As OpenWorld begins to wind down, we hope you've enjoyed the sessions, events, and announcements this year. CloudFest. 18 was a great time! With such a busy week, it is time for us to grab a cup of coffee! Although the official conference is coming to an end, it is just the beginning of new innovations for Oracle Security. Stay tuned for more thought leadership blogs, announcement recaps, and deep dive information on our Oracle Security solutions throughout the year.   Here are some of the main highlights from yesterday's sessions: 1.Keynote Corner: Cyberspace is a Battlefield  We kicked off Wednesday with Mark Hurd, Oracle Chief Executive Officer,leading a panel of security intelligence thought leaders. The hour and half was filled with powerful statements on the current state of security, growing sophistication and frequency of attacks. Jeh Johnson, Former Secretary of Homeland Security, stated that, “Cybersecurity is going to get worse before it gets better,” describing the need to understand these threats and how we can better address the challenges organizations face today. The panel went on to stress that organizations need to make the right security decisions daily. To empower customers, Oracle has announced their second generation cloud with a defense in depth approach, which incorporates encryption by default. Many important topics were discussed throughout the keynote, from nation state sponsored cyber attacks to the changing cloud landscape, but the key takeaway is that organizations should prioritize security in the cloud and employ a strategy that takes into account the core-to-edge framework. To learn more around strategies and solutions your organization can adopt to create a defense in depth approach visit our Oracle security  webpage.   2.Session Alert: For Some Organizations, Breaches can be Life or Death   The day continued with the topic of security and the importance of thinking of your data (core) as a valuable, traveling asset. It is key to protect that core with several layers of defense, a concept explored further in a session this morning with Oracle's Troy Kitch. Kitch led a partner panel with representatives from Deloitte, KPMG, and PwC. Each panelist explored topics that affect companies as they progress on their journey to the cloud. The panel covered the need to implement omni-channel security solution as well as the importance of tools, such as the Oracle CASB Cloud Service, that will enable businesses to gain greater visbility into their sanctioned and unsanctioned apps.   OpenWorld isn't over yet! Please join us for a number of great security sessions today.   1. Session Alert: Getting Started with Oracle Security Monitoring and Analytics Cloud Service Marriott Marquis (Golden Gate Level) - Golden Gate A |12:00pm - 12:45pm    Join this session to learn how Oracle Security Monitoring and Analytics Cloud Service protects modern enterprises by enabling early detection of threats across on-premises and hybrid cloud assets, rapid forensics with cyberattack chain discovery and visualization, and much more.   2. Session Alert: Adaptive Security in a Hybrid Cloud World Moscone South - Room 206 | 1:00pm - 1:45pm   In this session see how the adaptive security capabilities within Oracle’s security and identity solutions enable organizations to identify and mitigate security risks in real time by analyzing user behavior and leveraging security feeds from other products and platforms. Learn how Oracle’s identity products can be used to identify risky behavior and make intelligent decisions about the types of authentication that are appropriate and required given that behavior.   3. Session Alert: Recent Database Security Innovations You Might Not Be Using, but Should Be Moscone West - Room 3006 | 1:00pm - 1:45pm   In this session learn about the new way to authenticate and authorize database users in Active Directory. Explore review recent security innovations including privilege analysis, database vault simulation mode, data redaction, online encryption, and passwordless schemas. See how to assess the security of your database with Oracle Database Security Assessment Tool. Attend this session and you'll be able take advantage of these features next week to create a more secure database environment.

As OpenWorld begins to wind down, we hope you've enjoyed the sessions, events, and announcements this year. CloudFest. 18 was a great time! With such a busy week, it is time for us to grab a cup of...

We are at the halfway point! Oracle OpenWorld 18 has not disappointed! If you are here at OpenWorld, don't forget to check the Oracle Security Twitter account for the latest session information throughout the day. Each day has brought about new highlights, catch up on what you missed Monday and Tuesday, but today is always an especially exciting day - Oracle CloudFest18 kicks off tonight!    Yesterday, we heard some exciting announcements and attended several key sessions. Here are the major points:   1. Struggling to Keep Pace at Scale? Core-To-Edge Security is the Answer This week several Oracle sessions have focused on Core-To-Edge security, which promotes a proactive approach to creating layers of defense throughout your environment - regardless of deployment (hybrid, multi-cloud, etc.). Today marked the announcement of several key Core-To-Edge Security Announcements.    2. Oracle's Empowering Customers to Disrupt the Status Quo Steve Daheb, Senior Vice President of Oracle Cloud, took to the stage today in front of a packed and eager crowd.  The session covered the most important challenges in today's organizations as well as ways Oracle is innovating it's solutions to better support customers. Security was a major focus in the presentation, as Daheb shared a stat from a Verizon Study stating that 85 percent of successful breaches were from vulnerabilities where patches were available up to a year before the attack occurred.  He continued by explaining that Oracle's solutions are designed to seamlessly integrate helping customers reduce costs, avoid breaches, and ultimately disrupt their industries with cutting edge innovations. The presentation also covered major innovations around the Oracle Autonomous Database and showcased the benefits it provides to customers running 24/7 business models. Customers are now able to reduce the risk of human error and unpatched systems, lower downtime significantly, and focus on new innovation across the enterprise. Regardless of your unique cloud journey, we encourage you to learn more about the Oracle Cloud Platform!   Now, let's take a look at some major events on the schedule for today.   1. Keynote Corner: The Role of  Security and Privacy in a Globalized Society- Threats, Implications, and Opportunities Moscone North | 9am -10:30am   Join Mark Hurd, Oracle CEO, as he discusses the future of security with several of the leading voices from some of the most highly respected intelligence positions around the world. The session will also explore how "the next security threat" might relate to the direction of technology and the adoption of cloud computing.      2. Session Alert: Tips and Tricks for Security at Scale Marriott Marquis (Golden Gate Level) - Golden Gate C2 | 11:15 am - 12:00pm   This session was highlighted in our Top 5 Things to do at OpenWorld blog - It truly is a must see! Join Oracle's Troy Kitch and representatives from PwC, KPMG, and Deloitte as they discuss the expanding threat landscape. It has become difficult for companies to effectively secure their hybrid and multicloud environments due to the growing number of internal and external threats. If you’re interested in learning about Oracle Identity Cloud Service or Oracle CASB Cloud service, this might just be at the top of your Wednesday agenda.   3. Session Alert: Oracle Database Security Assessment Tool: Know Your Security Posture Before Hackers Do Moscone West - Room 3006 | 12:30pm - 1:15 pm   This product training session will teach you about the Database Security Assessment Tool, this tool is freely available to all Oracle Database customers and is designed to help discover sensitive personal data, identify database users and their entitlements, and understand the configuration and operational security risks.   4. Celebrate Good Times: Oracle CloudFest. 18 AT&T Park (24 Willie Mays Plaza, SF) |6:30pm -11pm   After the long day you've had, you deserve a pat on the back….and a party! Attend Oracle CloudFest. 18 and celebrate with colleagues and fellow attendees. This year, the concert features live music from Beck, Portugal. The Man, and Bleachers. This event is by ticket only, these tickets are included with the full conference pass purchase!  

We are at the halfway point! Oracle OpenWorld 18 has not disappointed! If you are here at OpenWorld, don't forget to check the Oracle Security Twitter account for the latest session information...

By: Nishi Shah, Director Cyber Security & Privacy, PwC As I discussed in my last blog, “Security Operations: Using Artificial Intelligence to Lock Down Your Cloud,” I talked about how technology security teams can improve efficiency and incident resolution in cloud solutions with Oracle Management Cloud’s (OMC) automated artificial intelligence (AI) and machine learning capabilities. But, let’s turn our attention to the bigger picture for a moment: Technology security has become more than just an information technology (IT) issue.  As security incidents have become front page news and cost organizations billions of dollars, IT security has become a board-level issue.  Executive leadership at major enterprise organizations continue to drive their IT and Security teams to deploy the most innovative and effective security solutions available.   As the last blog pointed out, automated AI and machine learning security tools, like OMC, are a good start to make security operations teams more efficient as they manage flagged incidents.  However, there’s another technology—behavior analytics in Oracle Cloud Access Security Broker (Oracle CASB)—that can also enhance application and data security in the cloud.  We’re all familiar with the typical legacy on-premises security tools, like web gateways and firewalls.  These rules-based tools aren’t as effective in a cloud environment because a skilled adversary can bypass perimeter security solutions by stealing information from cloud endpoints using compromised access credentials.  This is where the behavior analytics functionality in Oracle CASB comes into play.  It can establish a baseline of typical behavior within an organization.  When the system detects an anomaly that doesn’t fit the company’s normal patterns, the incident is flagged for further investigation.  When used in combination with the Oracle Security Monitoring and Analytics Cloud Service, which is bundled in OMC that we discussed in the previous blog, the platform can learn which anomalies are real threats and which are false positives.  Because the functionality is automated, the solution takes the manual work effort off of the security team. Here’s an example—an employee logs into the company’s cloud ERP solution from their laptop in their Dallas office at 8:00 a.m. central time and logs off at 5:00 p.m. at the end of the work day.  At 6:00 p.m., Oracle CASB detects five failed login attempts from the same employee originating in Yemen.  The Oracle CASB solution knows that this scenario is not physically possible, and also identifies that the Yemen device does not comply with the company device policy.  Therefore, Oracle CASB would automatically force an adaptive multi-factor authentication to prevent the rogue access to the company cloud ERP solution, and it would flag the incident as suspicious activity. Along the same lines, if an HR person is processing annual salary increases for employees who were recently promoted, the behavior analytics tool may also flag this as a suspicious incident.  However, a security analyst could help the system weed out this false positive by approving the incident as acceptable.  Through machine learning functionality, the system would eventually learn that although the large annual salary increases are an anomaly, they are not a security threat.  On the other hand, if this example was actually an “inside job” where an employee is maliciously attempting to increase his or her salary, Oracle CASB can natively process Oracle Cloud ERP and Salesforce transactions in a real-time audit mode to halt the fraudulent transaction as it’s occurring.  Therefore, Oracle CASB can dramatically shift the paradigm from a reactive approach to a preventative solution. Oracle CASB offers the robust security functionality, like machine learning and behavior analytics, to help ensure that your applications and data are secure in the cloud.  Since it’s a subscription-based product, it’s easy to acquire and install.  With out-of-the-box functionality, most security operations teams can easily deploy the solution, which makes it ideal for smaller organizations.  But it also offers deep functionality that’s well-suited for large, global enterprise organizations.  This is where PwC can help—to install the solution with advanced functionality to not only detect but also to respond, remediate, and prevent potential security incidents with forensics, incident management, and orchestration. To learn more, please visit the Oracle Security webpage. 

By: Nishi Shah, Director Cyber Security & Privacy, PwC As I discussed in my last blog, “Security Operations: Using Artificial Intelligence to Lock Down Your Cloud,” I talked about how technology...

It is no doubt that data is the single most valuable asset today as organizations undergo digital transformation. Lots of people are coming after your data ranging from internal employees, customers, competitors to nation states, criminals and activists. As a result of the increasing number and sophistication of breaches, governments across the globe are enforcing data privacy and security mandates to protect citizens data. It’s a war! An asymmetric one. While attackers continue to get more sophisticated with latest technologies such as machine learning to exploit vulnerabilities and steal data, organizations continue to face challenges around limited time, few people and scarcity of resources. Yesterday at Oracle Openworld, Vipin Samar, SVP of Oracle Database Security, talked about how organizations need to protect their data from all attack vectors with multiple rings of control. You need to first assess your databases, and understand how they are configured, how users are managed, what privileges they have where sensitive data exist and how much is there. Oracle provides a free tool called the Database Security Assessment Tool (DBSAT) to help customers assess their security risk posture. To learn more about DBSAT, please attend the following session: Oracle Database Security Assessment Tool: Know Your Security Posture Before Hackers Do [TRN4107] Wednesday, Oct 24, 12:30 p.m. - 1:15 p.m. | Moscone West - Room 3006 Pedro Lopes, DBSAT and EMEA Field Product Manager, Oracle Marella Folgori, Oracle Riccardo D'Agostini, Responsabile Progettazione Data Security, Intesa Sanpaolo Next, you need to ensure you know what’s happening in your environment and can detect any inappropriate activity in the system with appropriate auditing, alerting and monitoring controls. Additionally, you need to protect your data with strong preventive controls such as encryption, data masking and data redaction to ensure sensitive data is not compromised. Oracle continues to be the leader in managing your data and one of the biggest innovations is the Oracle Autonomous Database. It offers a high degree of security in the Oracle Cloud with self-securing capabilities such as automated patching, data encryption by default, auditing and separation of duties, to keep data safe from a variety of threats.  However, security is a shared responsibility in the cloud, where its the customer's responsibility to protect their users and data. Vipin Samar gave us a quick preview on our upcoming Oracle Data Security Cloud Service which helps customers protect their data and users. It is a unified control center for managing data security in Oracle Databases in the cloud. It allows organizations to quickly discover sensitive data, evaluate configuration risks, enable auditing and detective controls, and mask data for use in test and development environments, and more. To learn more about this new service, please be sure to attend the following session: Introducing Oracle's Data Security Cloud Service for Oracle Databases [PRM4102] Tuesday, Oct 23, 12:30 p.m. - 1:15 p.m. | Moscone West - Room 3006 Vikram Pesati, Vice President, Product Development, Oracle Michael Mesaros, Director, Product Management, Oracle Corporation   Some of the other sessions that you must attend through the week are: Autonomous and beyond: Security in the age of Autonomous Databases [PRM4108] Tuesday, Oct 23, 5:45 p.m. - 6:30 p.m. | Moscone West - Room 300 Russ Lowenthal, Director, Product Management, Oracle Data Security in the GDPR Era [PRO4111] Wednesday, Oct 24, 11:15 a.m. - 12:00 p.m. | Moscone West - Room 3006 Joao Nunes, IT Senior Manager, NOS Tiago Rocha, Database Administrator, "Nos Comunicaões, Sa." Eric Lybeck, Director, PwC Recent Database Security Innovations You Might Not Be Using, but Should Be [TIP4112] Thursday, Oct 25, 1:00 p.m. - 1:45 p.m. | Moscone West - Room 3006 Alan Williams, Database Security Product Management, Oracle Russ Lowenthal, Director, Product Management, Oracle Manish Choudhary, Oracle

It is no doubt that data is the single most valuable asset today as organizations undergo digital transformation. Lots of people are coming after your data ranging from internal employees,...

For enterprise-grade organizations -- large, traditional businesses and the smaller companies that aspire to be like them -- security and multi-cloud support are paramount.  These organizations need to be able to run each of their applications where it makes the most sense to do so from a cost and performance perspective. Some applications may reside in one cloud, while some live in another. Some may remain on premises, while others require a hybrid model.  Supporting a range of platform and infrastructure services may be best for agility and functionality, but it increases complexity -- especially when it comes to security and maintaining consistency. Oracle Cloud Infrastructure features announced today at Oracle OpenWorld 2018 enhance security from the cloud to the edge of the network, protecting data and applications in an increasingly multi-cloud world.  Web application security Web applications and sites are central to online business success, so it's not surprising that web attacks have emerged to target these systems and the sensitive data they contain. In fact, web application attacks are the top cause of data breaches, according to the Verizon 2018 Data Breach Investigations Report.  Oracle Cloud Infrastructure announced new native web application firewall (WAF) capabilities to protect against these threats. The Oracle Cloud Infrastructure WAF inspects traffic to any internet-facing endpoint and enables organizations to create and enforce rules to protect against a variety of attacks, including but not limited to botnets, cross-site scripting, SQL injection and distributed denial-of-service (DDoS) attacks.  Oracle Cloud Infrastructure also announced the addition of automated DDoS attack detection and mitigation to all of its data centers. These capabilities monitor and protect against common Layer 3 and 4 DDoS attacks, such as SYN floods, user datagram protocol (UDP) floods, internet control message protocol (ICMP) floods, and network time protocol (NTP) amplification attacks. This approach helps ensure that Oracle Cloud Infrastructure network resources remain available in the event of an attack.  Cloud access security    Two additional Oracle Cloud Infrastructure security announcements focus on configuring and protecting access to cloud resources.  The Oracle Cloud Access Security Broker (CASB), which provides continuous configuration monitoring, predictive threat detection, and automated incident response, now supports Oracle Cloud Infrastructure. And the new Oracle Cloud Infrastructure Key Management service integrates with other Oracle Cloud Infrastructure services to enable customers to more easily encrypt data and manage keys and key vaults.  For more information, read the Oracle Cloud Infrastructure security press release.  

For enterprise-grade organizations -- large, traditional businesses and the smaller companies that aspire to be like them -- security and multi-cloud support are paramount.  These organizations need to...

Advancements in new and emerging technologies are opening doors for businesses what seems like every day. We’re already in the midst of a cloud revolution, but AI, machine learning, blockchain, and IoT—just to name a few technologies—are gaining momentum and fueling new opportunities. These technologies represent opportunity for businesses. But, unfortunately, they also mean opportunity for the bad guys. For one, adopting these technologies creates a larger surface area to defend. And if that weren’t enough, cybercriminals are using these same emerging technologies to wage a highly sophisticated war aimed at undermining businesses. It’s no secret that security teams at organizations of every size are struggling to keep pace with these persistent attacks. But it only takes a handful of stats to illustrate just how dire the situation is: Patching – According to a Verizon study, 85 percent of successful breaches were from vulnerabilities where patches were available up to a year before the attack occurred.  Whether it’s a lack of resources or difficulty scheduling the necessary downtime, most companies simply can’t implement their patches fast enough. Lack of Available Talent - There simply isn’t enough cybersecurity talent to handle the problem. Current estimates suggest there will be 3.5 million open cybersecurity jobs by 2021. But even if organizations could fill these open positions, it wouldn’t be enough. Cybercriminals are using sophisticated technology to scale their attacks, creating more work than humans can handle on their own. Alert Overload – According to the Oracle and KPMG Cloud Threat Report, detecting and responding to cloud security incidents is the number one cited cyber security challenge. This aligns with ESG research, which adds that 42 percent of cybersecurity professionals ignore a significant number of alerts because they can’t keep up with the volume. Security teams need to be empowered to separate the signal from the noise if they’re going to have a fighting chance. So, how do you grab hold of the incredible opportunities that cloud and emerging technologies promise without opening our businesses up to what seems like inevitable damage? The Answer Is Core-to-Edge Security Sophisticated and multifaceted attacks call for layers of defense—starting at the core (your data) and moving to the edge (all the ways in which your users access your data, including your applications and infrastructure). No one security control can prevent the many threat actors and their attacks, so it’s important to use multiple layers of defense to protect your data, the users who need it, the applications that use it, and the infrastructure that underlies it all. For example, Oracle provides layers of defense that protect: Data - Data loss prevention (DLP), at rest and in motion encryption, key management, nonproduction data masking, privileged user access controls, and online self-patching Users - Identity and access management, user and entity behavioral analytics (UEBA), multi-factor authentication, single sign-on identity governance, and risk management Applications - Web application security, API security, malware protection, data redaction, access controls, and Cloud Access Security Broker (CASB) Infrastructure – Distributed denial of service (DDoS) and botnet protection, threat detection and response, security monitoring and analytics, configuration and compliance Our most recent addition to Oracle’s core includes the Oracle Autonomous Database, which incorporates self-securing and self-repairing capabilities that help reduce risk by avoiding breaches and the possible reputational damage and revenue loss that come with them. Self-securing means automatically applying security patches with no downtime and preventing unauthorized data access with default data encryption. In addition, Oracle provides security cloud services that help customers protect their hybrid cloud environments. These security services help predict, prevent, detect, and respond to sophisticated security threats. To reduce manual processes and enable the business, we use advanced machine learning algorithms to determine anomalous user and entity behaviors, then apply an adaptive and defensive response. We provide continuous monitoring that consistently assesses suspicious activities, then alerts and reports on that activity to ensure the attack chain has been broken and remediated. All of this helps reduce mean time to detect and respond to threats. We do this with: Highly automated security, based on machine learning Support for securing and managing hybrid and multi-cloud environments A single pane of glass for security orchestration, automation and response An open and secure platform that you can integrate with your existing environment Only Oracle can protect your business from core-to-edge with this level of automation, integration, and simplicity. And we’re continuing to build our layers of defense every day. Click here to see our latest Core-to-Edge security announcements from Oracle OpenWorld.

Advancements in new and emerging technologies are opening doors for businesses what seems like every day. We’re already in the midst of a cloud revolution, but AI, machine learning, blockchain, and...

How did your day go yesterday? Ours was action packed! Great experiences and announcements all around as OpenWorld 2018 kicked off. If you weren't able to attend all of the sessions on your schedule, or if you are joining us from home - sit back, sip your coffee, and take a look at the highlights from Monday. We will even throw in a few exciting must see items for today! 1. Cloud Generation 2: Core to Edge Security In his opening keynote at OpenWorld 2018, Larry Ellison, Oracle Executive Chairman and CTO, covered many exciting innovations for the future of cloud for the enterprise. The presentation covered a variety of topics, but focused in on the importance of Oracle's Generation 2 cloud running on a single, secure platform. "Security, security, security," Larry said as he explained the importance of a core to edge approach to security. He continued by saying that security in first generation cloud models was often considered an afterthought, but with the rising numbers of breaches and the continual addition of regulatory compliance requirements - security must be a main priority for all businesses. Oracle's Gen 2 cloud has security built in, not bolted on.   2. It's All About the Data One theme rang true throughout Monday's security sessions - data is king. In both Roadmap: Innovations in Security and Compliance for Databases and Oracle's Trust Fabric: The Foundation for Identity-Centric Cybersecurity the importance of securing your data (your core) was stressed. This causes a ripple effect, because your data is so imporant to protect, organizations must be proactive in creating a layers of defense approach to security. Protecting your users, apps, data, and infrastructure is key to maintaining good security practices.  3. Security Must Keep Pace with the Cloud  We enjoyed a very interesting session with Oracle's Greg Jensen and KPMG's Brian Jensen as they emphasized the importance of security as customers move to the cloud. With the rapidly expanding cloud landscape, every organization is faced securing devices and data in new ways. This can cause a "pace gap" as cloud technologies (and the adoption of them) are outpacing the adoption of new security strategies and solutions. This and many other themes were explored in the 2018 Oracle and KPMG Cloud Threat Report.    Now that you're all caught up on Monday's big ticket security items, let's explore some of the Security sessions and events you won't want to miss today. 1. Session Alert: Introducing an Intelligent Approach to Beating Global Cybersecurity Threats Moscone South -Room 206 |12:30pm -1:15pm Security is changing rapidly and organizations need to keep pace. Incorporating AI algorithms and machine learning with traditional security methods is a must in order to protect your company from today's threats. Learn more about this session featuring Laurent Gil, Security Product Strategy Architect for Oracle Dyn, through our recent blog post. 2. Session Alert: Oracle Cloud: The Future is Autonomous The Exchange @ Moscone South - The Arena | 1:45pm - 2:30pm Companies today are tasked with modernization, innovation, and cost reduction. As these mandates become crucial drivers of success, companies are battling to satisfy all three at once. Selecting the right cloud for your business is critical, hear from industry peers as they discuss their transition to the cloud and cover some key points on reducing cost and risk. 3. Session Alert: A CISOs Path to Success in the Age of Cybersecurity Moscone South - Room 206 | 3:45pm-4:30pm This session addresses real-world customer use cases, best practices, and technology usage for how CISOs are building and maturing their information security programs to address hybrid environments, regulatory compliance, and the continually evolving threat landscape. If you are interested in hearing Oracle Security success stories directly from customers, this is the session for you!  Be sure to access our security focus on document for a complete list of must see security sessions. Don't forget to visit the vendor floor to check out interesting demos, learn about Oracle partners, and grab a free swag bag! We will be back tomorrow morning with the latest #OOW18 news.

How did your day go yesterday? Ours was action packed! Great experiences and announcements all around as OpenWorld 2018 kicked off. If you weren't able to attend all of the sessions on your schedule,...

Authored By: Christina Richmond, IDC Program VP WW Security Services for Oracle In this series of blogs, we’ve discussed hybrid IT and managed cloud security as well as managed identity. These topics beg the question, “how do I find the right managed security services provider (MSSP) to work with?” The answer is, “it depends” and in this blog we’ll pull the thread on considerations and dependencies to understand how, why and when to work with an MSSP. Basic considerations for choosing an MSSP range from evaluating the provider’s technical and resource expertise and capabilities, how they fit with your company (industry, size of company) and architecture environment (legacy architecture, cloud or hybrid), whether they can assist your organization with compliance (do they provide assessments, and can they help you remediate), cost and scalability. These are table stakes. But given the complex transformation we’re engaging in today from legacy premises tools to some SaaS, some private cloud and multiple public cloud instances MSSPs are required to do a lot more. IDC separates legacy and advanced MSSPs into a 1.0 and 2.0 definition. As seen in the graphic below, MSSP 1.0 firms will provide core services such as log monitoring, basic managed and monitored services for devices such as firewalls, intrusion detection services/intrusion prevention services, and unified threat management (and others). They provide vulnerability scanning and basic threat management. MSSP 1.0 firms are moving into delivery of some advanced services like management and monitoring of identity and access management in recent years and some may also offer advanced services such as DDoS, managed security information and event management (SIEM), and managed Security Operations Center (SOC) functions. MSSPs 2.0 deliver basic and advanced MSS plus professional/complementary services such as breach readiness, incident response, forensics, compliance services, and assessment of architecture and design. And still others provide managed security testing, application security testing, and data privacy assessment. Many are investing in mobile/IoT, cloud, threat intelligence/big data analytics, incident response/forensics, and advanced detection techniques. This last is where organizations building out their hybrid landscape need to focus greater and greater attention. It is imperative to find advanced MSSP support that includes visibility and management/monitoring in identity, mobile/IOT and cloud. This is where IT is moving and the monitoring the perimeter of old no longer suffices. Beyond these capabilities the MSSP of today will also utilize advanced threat detection and analytic techniques like big data analysis, heuristics, machine learning and artificial intelligence. IDC sees a good mix of companies doing their own inhouse advanced threat detection and outsourcing the requirement. Finally, the newest trend of endpoint detection and response (EDR) tools and managed detection and response (MDR) services is a critical defense in depth addition for MSSPs.   In the last blog, I stated that identity and data security are the new perimeter tools in this digital world. The above lists of basic to advanced capabilities are all important to consider, but the ability to detect, monitor, provide visibility into and respond to alerts on your behalf within these two areas is something that should be considered depending on your environment. If your organization is like many large organizations that are in the midst of the digital journey, it is imperative that you consider managed identity and data security services because of the complexity and dynamic nature of the environment. Consider tuning in for the Twitter Periscope with Christina Richmond, IDC Program VP and Rohit Gupta, Oracle’s GVP of Identity, to share their perspectives on the cyber challenges impacting today’s organizations as they lift and shift workloads to the cloud. Follow Christina Richmond @Xtina_Richmond Follow Rohit Gupta @Roh1 Follow Greg Jensen @GregJensen10 Oracle Security @OracleSecurity If you are attending Oracle OpenWorld in person, join us at on Tuesday, Oct 23, @4:45 pm for the session Secure Your IT Services with Oracle Managed Identity Cloud Services.

Authored By: Christina Richmond, IDC Program VP WW Security Services for Oracle In this series of blogs, we’ve discussed hybrid IT and managed cloud security as well as managed identity. These topics...

Oracle OpenWorld 2018 has officially begun! Join us each morning for a daily dose of information, announcements, and key highlights for the day ahead. Our team is out in force at OpenWorld and ready to bring you the latest information surrounding happenings at the conference! If you are in San Francisco for the week, we highly recommend that you check out some of the events we feature in these daily download blogs, we'd love to see you there! If you cannot attend, not to worry, we will also feature follow up information and blogs throughout the week and as the conference wraps up and session replays are made available. 1) Session Alert: The State of Cloud Security: Keeping Pace at Scale Marriott Marquis (Yerba Buena Level) - Nob Hill A/B 11:30am-12:15pm Join Oracle's Greg Jensen and KPMG's Brian Jensen for a session highlighting some of the top security challenges organizations face when moving to the cloud. With increased migration to the cloud, customers are faced with a "pace gap", creating more opportunities for increased risk and decreased visibility. As senior editors/contributors to the Oracle and KPMG Cloud Threat Report, this session is sure to shed light challenges all cloud security professionals face. 2) Keynote Corner: Cloud Generation 2 Moscone North - Hall D 1:45 pm- 3:00pm The Second Generation Cloud is built for the enterprise to protect your critical data; secure from core to edge; easily move apps and data from on-premises. It is built for all enterprise workloads, is designed to run in the public cloud or at customer and is simple to upgrade. Don't miss this exciting keynote session with Oracle Executive Chairman and CTO, Larry Ellison. This is sure to be a packed session, you won't want to miss!  3) Session Alert: Protect Cloud Data with Oracle CASB Cloud Service Moscone South - Room 206 4:45pm- 5:30pm Hear from Chet Sharrar, Chief Information Security Officer for Marlette Funding, as he discusses how Oracle CASB Cloud Service provides complete enterprise-grade cloud data protection with integrated user and entity behavior analytics, data loss prevention, antimalware, and encryption capabilities. 4) Join us for a Periscope Interview with IDC! Oracle and IDC will be live broadcasting a Periscope interview with Christina Richmond, IDC Program VP WW Security Services for Oracle and Rohit Gupta, GVP Product Management for Oracle. The interview will take place today at 1:45pm (PT). 5) Check Out The Exchange and Participate in a Scavenger Hunt!  Moscone South | 9:45am - 5:45pm Be sure to visit the Exchange, where you can explore Oracle technologies and understand new innovations. Stop by, network with peers, and have a T-shirt printed (booth 2501!). We love to hear from our readers! Be sure to interact with us on Twitter (@OracleSecurity) and mention Oracle OpenWorld using #OOW18. Access our Oracle Security Focus on Document for a full list of Oracle Security Sessions. Don't forget to join us as share more of the latest news in tomorrow's Daily Download.

Oracle OpenWorld 2018 has officially begun! Join us each morning for a daily dose of information, announcements, and key highlights for the day ahead. Our team is out in force at OpenWorld and...

Last week my colleague Brian Jensen published a great blog highlighting the many potential security risks you could face when moving your ERP to the cloud. To borrow his analogy from medieval times, it’s like sending your king into the countryside carrying a bag of gold. Without the protection of stout castle walls and a moat – aka your data center’s firewall – your king becomes an easy target for highway men, rogues, and bad actors of every stripe. But there are ways to protect your king – and your cloud apps – from harm. What’s more, if you do it right, you can also save money and drive business growth along the way. The key is securing and harnessing your digital identities. Let’s dig deeper. The first thing to understand is there are two types of digital identities: Enterprise Identities. These are IDs associated with employees, contractors, and temporary workers Consumer Identities. These are IDs tied to individuals and consumers outside the boundaries of the business Digital identities are multiplying exponentially. Not long ago, most people had just one or two identities. A Google or Yahoo email ID, and maybe a work ID. Now people have dozens of digital IDs: social media IDs for Twitter, Facebook and LinkedIn; IDs to purchase stuff on retail websites; IDs for your credit cards; and multiple IDs at your workplace to access different apps and systems. Your digital ID is thus a collection of many identities spanning your business, consumer and social lives. Intelligent systems can not only manage the linkages between these different identities of an individual but can also provide valuable business insight to help improve data & application security, enhance user experience and enable businesses in their desire to expose relevant capabilities & offerings to their consumers. Leveraging Digital IDs for Security Digital IDs can help protect businesses and individuals against cybercrime and fraud. An effective way to do that is by attaching restrictions to IDs. For example, you could put dollar limits on how much your finance staff can purchase based on the roles and responsibilities tied to their IDs. Smart ID systems can also help you spot suspicious behavior. Take an employee who normally executes only two or three transactions a day – and then suddenly starts executing 15. This might be an indicator of nefarious activity – or a stolen ID. By integrating analytics with digital identity systems, you can detect these unusual kinds of behavior and either block the purchase or alert management. Likewise you might have a sales rep who, day-in day-out, gathers data for just a handful of accounts in a single industry. But what if one day the rep starts pulling data for every single account in every industry? A smart monitoring system, aided by analytics, can easily flag questionable behavior like this and initiate follow-up action. Such monitoring is all the more relevant where critical systems are hosted in cloud. When flags aren’t raised, businesses can get into trouble. Take the case of a UK based stock trader, working for one of Europe's largest banks. Ten years ago the hapless junior trader managed to lose billions of dollars for his employer by executing a large number of unauthorized derivatives trades. Proper controls tied to his digital ID could have averted the gigantic loss, which sent the bank’s stock plummeting 8 percent. Instead, the bank simply learned a very expensive lesson about internal controls and digital IDs.   Another danger: People can accumulate multiple IDs over the years as they climb the organizational ladder, move to new groups, and take on new roles and responsibilities. Whenever people get ahold of more keys to the castle, security risks increase. That’s why a good ID system monitors user “lifecycles” and adjusts controls appropriately, including taking away privileges that are no longer relevant to a person’s job. Organizations practicing good digital ID governance also conduct regular “attestation” surveys in which employees and their managers confirm they still need access to various applications and systems. Unnecessary IDs can then be de-provisioned. Greater Operational Efficiency In the pre-cloud days, digital IDs were managed exclusively in the data center by IT teams that exerted tight control over what users could and couldn’t do within the walls of the enterprise. But provisioning IDs and managing access was painfully manual. At big global enterprises, teams consisting of a hundred or more labored around the clock to manage employee onboarding and system access. The cloud is simplifying that process. Automated digital ID systems powered by analytics are gradually doing away with centralized and labor-intensive access-management operations. With cloud-based digital ID platforms, most of the work is self-managed, self-provisioned and self-requested. As a result, help desk traffic has eased, along with support costs. I’ve seen clients, once they’ve put appropriate automated systems and controls in place, shrink their identity and access management teams by 80% or more. Enabling the Business As businesses move to the cloud, their digital IDs become more distributed and mobile, potentially adding to the risk of cyberattacks and data breaches. New digital ID management solutions, however, can help extend user identities to the cloud in a secure fashion, supporting rapid deployment of digital initiatives and making it easier for mobile users to gain access to the internal systems they need to get work done.   An effective digital ID system gives you a powerful tool for enabling your business. After all, you want to let friendly customers and suppliers into your castle. But you also want to screen out the bad guys and block their access to sensitive systems and data, whether they’re from inside and outside of the enterprise. By using digital IDs to expand the virtual boundaries of the castle wall, businesses can safely open new lines of communications and commerce with customers and business partners, creating opportunities for monetization and growth. Today, my team continues to help businesses build strong castle walls to fend off cyberintruders. But more and more we’re showing them the possibility of leveraging digital IDs to expand the business and drive competitive advantage. Are you using digital identities to enable and grow your business? To learn more, download the Oracle and KPMG Cloud Threat Report 2018. 

Last week my colleague Brian Jensen published a great bloghighlighting the many potential security risks you could face when moving your ERP to the cloud. To borrow his analogy from medieval times,...

With Oracle OpenWorld kicking off in a few days, we would like to invite all attendees to join us for key Oracle Database Security Sessions. There are many sessions to choose from, but we have selected a few "must see" sessions for you to attend. The Database Security team will be out in full force to bring attendees the latest news, hear customer perspectives, and showcase solutions. Here is our guide to the top 6 Database Security sessions at OpenWorld 2018. 1. Roadmap: Innovations in Security and Compliance for Databases [PRM4101] Monday, Oct 22, 10:30 a.m. - 11:15 a.m. | Moscone West - Room 3006 Vipin Samar, Senior Vice President, Database Security, Oracle Russ Lowenthal, Director, Product Management, Oracle Session Description: It's been an incredibly busy year for Oracle’s Database Security team, with the new Oracle Data Security Cloud Service, Oracle Database Security Assessment Tool, and Oracle Key Vault with multimaster support. The European Union's General Data Protection Regulation (EU-GDPR) is now in effect as well, and efforts to comply have started. In this session learn what the team is working on this year to help you comply with latest regulations, and how to secure your databases whether on-premises or on the cloud.   2. Introducing Oracle's Data Security Cloud Service for Oracle Databases [PRM4102] Tuesday, Oct 23, 12:30 p.m. - 1:15 p.m. | Moscone West - Room 3006 Vikram Pesati, Vice President, Product Development, Oracle Michael Mesaros, Director, Product Management, Oracle Session Description: Oracle Databases in the Oracle Cloud offer a high degree of security. Secure infrastructure, data encryption by default, and automated patching all help to keep data safe from a variety of threats.  However, understanding the risks associated with data, controlling access to it and monitoring its use are customer choices, making security a shared responsibility between the customer and the cloud provider. Oracle Data Security Cloud Service is a unified control center for managing data security in Oracle Databases in the cloud. It allows you to quickly understand the sensitive data in your care, evaluate configuration risks, enable auditing and detective controls, mask data for use in test and development environments, and more. This session provides an overview of the Data Security Cloud Service and takes attendees through a full end-to-end scenario of how they can protect data in Oracle Databases. No prior security experience is needed.   3. Data Security in the GDPR Era [PRO4111] Wednesday, Oct 24, 11:15 a.m. - 12:00 p.m. | Moscone West - Room 3006 Joao Nunes, IT Senior Manager, NOS Tiago Rocha, Database Administrator, "Nos Comunicaões, Sa." Eric Lybeck, Director, PwC Session Description: The European Union's General Data Protection Regulation (GDPR) has been in effect for half a year, and much has been learned about how best to protect personal privacy data in Oracle Database. In this session explore GDPR's first six months and take a tour through security by design and default in the Oracle Database. Join PWC, NOS (one of the largest media companies in Portugal), and Oracle to learn how Oracle customers are addressing GDPR challenges such as sensitive data discovery, encryption, data minimization, pseudonimization, privacy impact analysis, and more.   4. Inside the Mind of a Database Hacker [THT6814] Monday, Oct 22, 5:00 p.m. - 5:20 p.m. | The Exchange @ Moscone South - Theater 4 Mark Fallon, Chief Security Architect, Oracle Database, Oracle Russ Lowenthal, Director, Product Management, Oracle Session Description: In this session get an alternative way of thinking about how to protect enterprise data: by examining the hacker's point of view.   5. Oracle Database Security Assessment Tool: Know Your Security Posture Before Hackers Do [TRN4107] Wednesday, Oct 24, 12:30 p.m. - 1:15 p.m. | Moscone West - Room 3006 Pedro Lopes, DBSAT and EMEA Field Product Manager, Oracle Marella Folgori, Oracle Riccardo D'Agostini, Responsabile Progettazione Data Security, Intesa Sanpaolo Session Description: Before hackers map out your database users, configuration, data, and security controls to devise their strategy, use new Oracle Database Security Assessment Tool to help discover sensitive personal data, identify database users and their entitlements, and understand the configuration and operational security risks. Attend this session to learn how you can generate Oracle Database Security Assessment Tool reports to create your database security strategy or support GDPR data privacy impact assessments. No prior security experience needed. And the tool is freely available to all Oracle Database customers. 6. Recent Database Security Innovations You Might Not Be Using, but Should Be [TIP4112] Thursday, Oct 25, 1:00 p.m. - 1:45 p.m. | Moscone West - Room 3006 Alan Williams, Database Security Product Management, Oracle Russ Lowenthal, Director, Product Management, Oracle Manish Choudhary, Oracle Session Description: Recent Oracle Database releases include significant new features that streamline user administration, reduce database attack surfaces, and protect personally identifiable information, and other sensitive data. In this session learn about the new way to authenticate and authorize database users in Active Directory. Explore review recent security innovations including privilege analysis, database vault simulation mode, data redaction, online encryption, and passwordless schemas. See how to assess the security of your database with Oracle Database Security Assessment Tool. Attend this session and you'll be able take advantage of these features next week to create a more secure database environment.        

With Oracle OpenWorld kicking off in a few days, we would like to invite all attendees to join us for key Oracle Database Security Sessions. There are many sessions to choose from, but we have...

Authored By: Pedro Lopes Databases are storing all kinds of sensitive data these days.  Think for a second. Either your name, address, SSN, age, phone number, bank account information, healthcare data, employment, academic… pick one, and it is for sure stored into a database and powering a business application. Regulations are also evolving and becoming more stringent aiming to protect data by setting requirements for the way data is handled and processed. So what can you do about it? Assess the current security state with the Oracle Database Security Assessment Tool. It is simple to use, to execute and provides instant value. Its reports contain a high-level summary and details of the current security posture, details about users, their entitlements, and the sensitive data. There will be plenty of DBSAT activity this year at OOW, and for sure you will have the opportunity to learn more about it. Do not wait for tomorrow, start today! Drop by the Demo Grounds (Moscone South), the Hands-on Labs (Mon to Thu), the Teather session (Mon) or at the DBSAT session presentation (Wed) where Mr. Riccardo D’Agostini from Intesa Sanpaolo Bank, one of the major Italian banks, will be on stage sharing their experience on using DBSAT under a GDPR compliance initiative. You can’t miss it. As a summary: Database Security Assessment Tool [THT6816] Monday, Oct 22, 04:00 PM - 04:20 PM | The Exchange @ Moscone South - Theater 4 Oracle Database Security Assessment Tool: Know Your Security Posture Before Hackers Do [TRN4107] Wednesday, Oct 24, 12:30 PM - 01:15 PM | Moscone West - Room 3006 Assess Your Database Security [HOL6289] – Fully booked! Monday, Oct 22, 12:15 PM - 01:15 PM | Marriott Marquis (Yerba Buena Level) - Salon 1/2 Tuesday, Oct 23, 11:15 AM - 12:15 PM | Marriott Marquis (Yerba Buena Level) - Salon 1/2 Wednesday, Oct 24, 08:00 AM - 09:00 AM | Marriott Marquis (Yerba Buena Level) - Salon 1/2 Thursday, Oct 25, 09:00 AM - 10:00 AM | Marriott Marquis (Yerba Buena Level) - Salon 1/2   See you there! Pedro Lopes DBSAT and Field Product Manager for EMEA Oracle Database Security

Authored By: Pedro Lopes Databases are storing all kinds of sensitive data these days.  Think for a second. Either your name, address, SSN, age, phone number, bank account information, healthcare...

With Halloween approaching rapidly, a bit of trivia on US candy consumption is worth noting. Americans purchase a whopping 600 million pounds of chocolate each year during Halloween1. But that’s a fraction of the total US consumption of chocolate each year, which happens to be about 22 pounds per American. Clearly, the US towers over many other countries in its sheer appetite for chocolate. But did you know that two-thirds of the world’s cocoa production –so essential for chocolate production – comes from West Africa?  An estimated 2 million children2 are employed in the cocoa industry in West Africa – kids ranging between 5 and 15 years of age. If I’ve just killed your Halloween appetite, maybe join forces with us and invent a modern solution to this problem. Enterprises worldwide are struggling to gain insights into their supplier networks to find answers to these sorts of questions – how many of their suppliers honor ethical child labor laws? Which suppliers comply to local environment regulations? Which suppliers can companies rely on to honor anti-bribery laws with local governments? So far, the answers to these questions have been really hard to get for most companies, not because of lack of intent, but because of sheer complexity of today’s supply chain networks. Many industries rely on complex multi-tier networks with several suppliers in each tier, distributed across large geographical regions. Tracking and verifying the latest status of certifications and regulatory compliance for each supplier is an onerous and expensive task. Even if such data is painstakingly aggregated, it tends to go stale rapidly since many of these certifications are designed to expire every few years. Today, many companies are exploring blockchain as a potential solution to build modern supply chain networks that are transparent to manage across multiple organizations. Blockchain technology particularly excels at allowing organizations who may not have an explicit trust relationship between them, to mutually share information in a reliable manner. This could help in storing information about suppliers, including their various industry accreditations or certifications, all duly verified and endorsed by various validating authorities. Such a decentralized network would require suppliers, validating authorities, and relying parties that depend on the certifications to share information between each other. For Identity Management professionals, such decentralized applications pose several implementation challenges. Traditional protocols like Federation are not designed to exchange decentralized sets of attributes, attestations and entitlements between untrusted organizations. Instead, a new set of Identity Management protocols and data exchanges are required to exchange shared identities, while at the same time storing sensitive information off-ledger, protected by appropriate cryptographic keys and key management. A decentralized Identity Management implementation will help organizations with the following: Allow suppliers to manage the accuracy of their identities stored on and off-ledger in a local identity “wallet”. When information about them changes, they own the responsibility of updating the necessary information. Enable industry authorities to digitally attest the validity of supplier identities and corresponding accreditations and certifications. This would serve as proof of the certification claims to all participants authorized to read the information. Allow organizations to query the decentralized network for accurate information about suppliers meeting their desired criteria, like geographical location, size or type. Here at Oracle, we are working with several customers to build decentralized identity management on Oracle Cloud for such applications. At Oracle Open World 2018, we’ll demonstrate one such application built by a global healthcare company for their procurement risk management needs and its underlying architecture. If you are responsible for managing identities for traditional supply chain networks and would like to explore new blockchain-based solutions, be sure to come check out our session (Architecting Decentralized Identity Networks Using Blockchain on Oracle Cloud) on Wednesday, Oct 24 at 4:45 pm. Subbu Iyer, Sr. Director of Product Management for Oracle Cloud Security, and Prateek Mishra, Architect and creator of the SAML standard, will talk about architecting blockchain-based decentralized Identity Management.   1: https://visual.ly/community/infographic/food/how-much-candy-do-we-eat-halloween 2: https://ilpi.org/wp-content/uploads/2015/11/20151126-Child-labour-in-the-West-African-Cocoa-Sector-ILPI.pdf

With Halloween approaching rapidly, a bit of trivia on US candy consumption is worth noting. Americans purchase a whopping 600 million pounds of chocolate each year during Halloween1. But that’s a...

One of my favorite things about Oracle OpenWorld is the chance to learn more about how our partners and customers solve real-world business problems with the technology we develop. This year I get the chance to work with some of the best.  I've teamed up with a couple of great organizations -  NOS and PwC - to dig more into regulatory compliance and on how they are approaching the European Union’s General Data Protection Regulation (GDPR). NOS is a large media and communications company based in Portugal – NOS is a leader in content delivery, including Pay TV, broadband, mobile phone service, and cinema distribution and execution.  PwC is one of the world's largest professional services organizations, and helps customers around the world address challenging regulatory environments.   We’ve been taking a look at GDPR- from several different angles.  GDPR has been in effect for over six months now, and we’ve had a good chance to learn what works and what needs further consideration. How does a major commercial organization that manages significant amounts of personal data protect that data and satisfy their obligations under GDPR?  NOS is telling their story.  How does one of the world most respected professional services groups help clients meet their GDPR responsibilities?  PwC is telling their story.  How does the largest provider of enterprise software help our customers protect data privacy and comply with regulations – I’ll be telling that story. If you are at OpenWorld this week, stop by Moscone West, room 3006 on Wednesday, 24 October at 11:15 am.  Join Oracle, PwC, and NOS as we take you through data security in the GDPR era from all three points of view.  You’ll get a chance to see how people are solving the real-world requirements of the regulation, and have the opportunity to ask questions from our panel.  For a quick guide to the database security sessions, demos, and hands-on labs at OpenWorld this year, take a look at Focus on Database Security Hope to see you there!

One of my favorite things about Oracle OpenWorld is the chance to learn more about how our partners and customers solve real-world business problems with the technology we develop. This year I get the...

Oracle’s Cloud at Customer portfolio offers the premium security of Oracle Cloud, like continuous patching and threat monitoring, and offers you the ability to control the security within your own data center.

Oracle’s Cloud at Customer portfolio offers the premium security of Oracle Cloud, like continuous patching and threat monitoring, and offers you the ability to control the security within your own...

  1. Hear about real stories from real customers By attending customer case study sessions at this year’s Oracle OpenWorld, you’ll be able to hear from real companies on how Oracle helped them protect their users, apps, data, and infrastructure. Customers such as Marlette Funding and Wells Fargo, will walk you through how Oracle Security products helped with data loss prevention, antimalware, and more. 2. Learn by doing with hands-on labs Although there are many great sessions, the best way to retain all the information is by doing. The hands-on sessions give you a unique experience and they touch on a range of topics. Learn how to detect advanced threats, enhance the security of your SaaS solutions, secure information in your cloud services, and much more. 3. Get social The week can get very hectic with hundreds of different session, labs, keynotes, etc. to choose from, but you can follow @OracleSecurity on Twitter to keep updated throughout the week. We will be live tweeting certain sessions, alerting you on any changes, and much more. Also, the Oracle Security Blog will be posting insights throughout the week and even after OpenWorld. Be sure to take lots of photos and use #OOW18, we look forward to connecting! 4. Stop by Be sure to stop by the demo booths featuring the different security products. In the security section we have demos of data security, such as encryption, masking, access controls, etc. If you are more interested in learning how you can monitor your mission-critical apps, visit the Oracle CASB Cloud Service demo booth. For even more, visit the Oracle Cloud Infrastructure area to learn how Oracle thinks about security from the core of infrastructure to the edge of the cloud. Visit the Demo List for more information and a booth map. 5. Must see Some of the top security sessions include topics surrounding securing hybrid and multi-cloud environments at the Tips and Tricks for Security at Cloud Scale session [CAS3773] and the Oracle and KPMG Cloud Threat Report at The State of Cloud Security: Keeping Pace at Scale [BUS3774]. To go even beyond security, make sure to attend the Oracle Cloud: The Future is Autonomous session [GEN1229] for insight on how Oracle Cloud Platform can help your organization modernize, innovate, and cut costs.   Visit our Focus on Document for more information on all of the sessions and events around DBSec, Identity, OMC, CASB, Dyn, and Keynote sessions at OpenWorld.

  1. Hear about real stories from real customers By attending customer case study sessions at this year’s Oracle OpenWorld, you’ll be able to hear from real companies on how Oracle helped them protect...

By Nishi Shah, Director Cyber Security & Privacy, PwC and Soumya Banerjee, Director Cyber Security & Privacy, PwC A mid-sized company with about 5,000 employees gets approximately 1,000 to 2,000 security incidents per day.  This equates to nearly 60,000 threat incidents per month and as many as 720,000 per year.  That number has increased dramatically because of automated security attacks using bots.  According to The Cybersecurity Intelligence Report from Oracle + Dyn “over 50% of internet traffic is bots.  [And,] some of these bots are probing your site for vulnerabilities.”  With these huge numbers, there are just too many threat incidents for the typical security operations team to manage with any level of precision.  Various niche security products help to flag these 1,000-2,000 incidents each day, which is a step in the right direction as more potential threats are identified.  However, the next step in the usual security operations process requires a person to review each of the incidents and make a judgement call about whether the threat is real or a false positive.  It’s a very manual process, and needless to say, there are a lot of security tickets to sift through each day. So how does a security operations center (SOC) manage that massive amount of data?  How can the security team automate the manual process to review flagged incidents?  The answer is artificial intelligence (AI) or machine learning.  Consider this example:  An employee is sending a 9-digit number to an external partner.  The email is flagged as a possible threat incident because the 9-digit number is recognized by a security monitoring tool as a social security number, which could imply a theft of personally identifiable information.  However, the flagged incident is really a false positive because the 9-digit number is a P.O. number, which is acceptable information for an employee to email to a partner. Oracle Management Cloud (OMC) is a suite of autonomous management services that automate processes and eliminate the human effort associated with traditional solutions for monitoring, managing, and securing applications and infrastructure.  OMC leverages machine learning and big data techniques across the full breadth of the operational data set to help drive innovation while removing cost and risk from operational processes. Let’s go back to our example and assume that 20% of the typical 1,000 to 2,000 daily incidents fall into this 9-digit number scenario.  That means approximately 200-400 incidents are false positives.  OMC, with its ability to collect data from many discrete sources (i.e., cloud applications, on-premise applications, infrastructure components), has built-in machine learning functionality with strong data visualization capabilities.  The solution evaluates each incident in the context of user behavior and helps the security team eliminate the false positives. While OMC will flag all emails matching with 9-digit pattern, once the security analyst identifies the incidents as false positive, OMC would remember the email pattern along with other contextual user information to automatically segregate the emails into a potential false-positive category.  This automated process allows the SOC to focus on critical incidents and review the potential false positives as a lower priority. As the threat of cyber-attacks continues to escalate, from thieves, rouge entities, or aggressive governments, enterprise organizations need to invest in automation so to improve depth and scale for their current monitoring and incident management capabilities. PwC has helped many customers establish an SOC transformation strategy that intelligently automates manual monitoring and incident resolution processes.  The strategy also measures the value of the automation program.   If you’d like to have further discussion on transforming your security operations team with automated efficiencies from AI and machine learning, give PwC a call and visit the Oracle Cloud Security page. 

By Nishi Shah, Director Cyber Security & Privacy, PwC and Soumya Banerjee, Director Cyber Security & Privacy, PwC A mid-sized company with about 5,000 employees gets approximately 1,000 to 2,000...

Authored By: Christina Richmond, IDC Program VP WW Security Services In the previous two blogs, we looked at the challenges of securing hybrid IT and how managed cloud security can benefit the organization. In this blog, we’re going to drill down into managed identity and access management, which in today’s digital world is key to security survival. Let’s face it, the network perimeter has become identity- and data-based, and no longer locked down by firewalls and intrusion-detection appliances. Moreover, the challenges of securing identity are legendary. Add to this that we now have computing environments spanning on-premises, cloud, and multicloud environments. Given this new complexity, existing security controls such as authentication, authorization, and identity management must work in both the private and public cloud. When handling identity security internally within an enterprise, there are two options for integrating hybrid security protocols: 1) replicate controls in both public and private clouds and keep security data synchronized, or 2) use an identity management service that provides a single service to systems running in either cloud. Be sure to allow time during the planning and implementation phases to address what could be complex integration issues. But if you don’t want to go solo, managed identity can assist with planning and integration, as well as the operational efficacy of an identity and access management program. Escalating numbers of internet-facing applications and services expose the business to greater risk. Securing the data at rest and in motion is only one piece of the equation; effective identity management is the other. A key component of identity and access management (IAM) is making sure users are minimally impacted and that solutions are tailored to the organization’s needs. The last – but by no means the least – necessity is visibility into regulatory compliance controls. To bring these requirements into one solution, it must have the following basic components: Single sign-on (SSO) and visibility into authentication Centralized identity management Threat and anomalous behavior alerts Admin-friendly management dashboard User account management Compliance reporting Simplified identity management across the entire lifecycle Today, 40% of respondents in the IDC Cybersecurity Pulse Survey outsource their IAM to a service provider and another 22% are evaluating their future investment (see chart). And, nearly 40% will increase their spending on IAM and another 50% will keep their budget about the same, but not decrease it. When we look specifically at managed cloud security services, over 21% of respondents would require IAM to be included in an engagement for cloud security. But interestingly, one of the very reasons you might consider outsourcing IAM is also an inhibitor—assistance with regulatory controls. Over 22% of respondents in IDC’s Managed CloudView survey are concerned about provider governance and management capabilities, and possible inability to meet SLAs. Sometimes management is opposed to outsourcing (22.8%). Just under 22% of respondents state that regulatory factors are an impediment. However, given the complexities of today’s IT infrastructure, it’s exceedingly difficult to gain compliance visibility across all platforms. This is exactly why outsourcing could help solve the regulatory conundrum. In our next blog we’ll discuss how to choose the right MSS partner to use. To learn more about Oracle Managed Security Services and how MSS can help you, visit our website. Monday, October 22nd @1:45pm PST, we will be live from Oracle OpenWorld with IDC's Christina Richmond and Oracle's Rohit Gupta to hear their perspectives about the security challenges Oracle's customers are dealing with as they shift their workloads to the cloud. Follow both Christina, Rohit, @OracleSecurity and Greg below to stay on top of the latest information related to this IDC live Periscope interview.  Follow Christina Richmond @Xtina_Richmond Follow Rohit Gupta @Roh1 Follow Greg Jensen @GregJensen10 Oracle Security @OracleSecurity If you are attending Oracle OpenWorld in person, join us at on Tuesday, Oct 23, @4:45 pm for the session Secure Your IT Services with Oracle Managed Identity Cloud Services.

Authored By: Christina Richmond, IDC Program VP WW Security Services In the previous two blogs, we looked at the challenges of securing hybrid IT and how managed cloud security can benefit...

By Brian Jensen, Director, KPMG According to a 2018 Cloud  Threat Report commissioned by Oracle and KPMG, 83% of companies believe cloud security is as good as or better than on premises security. It is true, cloud security is very strong; but you can’t just go marching into the cloud and operate the way you did in an on-premises environment. You have to change your mindset. You could be asking for trouble if you don’t go into the cloud with a strong cloud security plan that is aligned with the cloud shared responsibility model requirements Before cloud computing, enterprise security was an addressable challenge. It was analogous to the Middle Ages, when kings built big castles to protect against invaders. They erected high walls and guard towers, dug moats, and posted sentries who scanned the horizon for threats. In the same way, businesses in the pre-cloud era built security layers around their data centers to keep out cyber invaders. Enterprise systems and data – like the king and his treasure – were secured behind the barricades in an effort to prevent attacks. In today’s cloud environment, businesses can be exposed to a whole host of new cyber threats that did not exist in the pre-cloud computing era. Moving to the cloud can expose companies to these new cyber threats if they do not take proper precautions and build out mitigating capabilities to address their portion of the shared responsibility model. What we are seeing in our security practice, and what our recent Cyber Threat Report confirmed, is that cloud agility - which enables rapid deployment of cloud applications – is causing a pace gap between how fast business are scaling up in the cloud and their ability to keep up with commensurate security measures.  Let’s review some of the most common cyber threats.   Rogue Employees There are many documented cases of disgruntled “rogue” employees committing fraud and disrupting businesses. Their favorite method is to hijack or create fake user IDs to delete data and wreak other kinds of havoc, whether out of spite or for financial gain. When IT systems were on-premises, these individuals had to sneak around and be very cautious in what they were doing. Today the cloud makes their job easier because no one is looking over their shoulder. They can access cloud from anywhere, any device and any time and alter company data while sitting on a beach in Belize, for example. Cyber Breaches Looking for Cash / Stealing Cash Cloud-based ERP systems are prime targets for hackers who can target  cloud-enabled transactions with the goal of  siphoning off cash. For example, “Spearphishers” – fraudsters who use clever emails to trick employees into revealing their logins – have become adept at hijacking accounts and redirecting payments intended for legitimate vendors. Data Theft Hackers aren’t just stealing cash. They’re also on the prowl for data, which can be just as valuable. There are plenty of ways hackers can steal data. Take an employee on vacation who wants to squeeze in some work on the hotel computer. He or she might innocently download a company report to the machine, where it’s saved in a temp folder. If that report contains sensitive company data, someone can easily access that information and use it to commit fraud. A less innocent employee might download data at home with the express purpose of selling it. Recently, an ill-intentioned employee at a major technology company downloaded plans for a new leading edge product to his personal computer. Luckily, he was stopped at the airport before he could fly to China to and exploit the stolen information. Incidentally, failing to protect data can also cost millions of dollars in fines. A massive data breach can be a game changer for an industry, especially if the data theft involves Personally Identifiable Information (PII)  such as driver’s license numbers or Social Security numbers. Prosecutors and regulators see these types of company blunders as a serious failure of fiduciary responsibility worthy of steep fines, often in the hundreds of millions of dollars. Protecting Cloud Apps / Beyond Compliance The common refrain that “the auditors aren’t asking about it” is hardly an excuse for not building a solid cloud security strategy. Remember, the auditor’s job is simply to state that your financial records are accurate – not to prevent risk. You need to conduct a comprehensive security risk assessment that documents all your operational, financial, performance, and technology risks. And be honest: Just because it hasn't happened before doesn't mean it’s not going to happen in the future. Once you understand your risk profile, then you can build a “controls-in-depth” (CID) strategy to mitigate that risk. An effective cloud security strategy can include: Smart cloud application controls. These are procedures you can put in place to short circuit cybercrime. For example, hackers love to break into ERP systems and reroute employee paychecks to phony bank accounts. Yet simple controls such as sending an email to the employee whenever their direct deposit is changed, or making sure their first check is always a physical one, can stop scam artists in their tracks. You can also check if multiple employees share the same deposit account – a sure sign something’s not right. Tiered roles and logins. By using concepts like least privileged access and segregation of duties you can limit what people can see and do on your cloud platform. You can also employ adaptive authentication to “tier” access based on risk. So for harmless activities – like looking up vacation days – a simple user ID and password would be enough to get you through the castle gate. But if you’re changing where your paycheck goes, tougher authentication would be required. Vigilant user administration. When you kick someone out of the castle, you don’t want them tunneling back in. But that’s exactly what can happen in cloud environments when you terminate someone and forget to revoke their access. They could literally sit out in the parking lot and create fake expense reports – or worse. You can see why smart user lifecycle management is critical to cybersecurity.  Ongoing Security Testing. The great thing about the cloud applications is that they are constantly updated and “modern.” But every update or patch can be a weak point for new cyber-attacks. To stay safe, make sure your security operations team – or a trusted partner – evaluates each update and checks for new vulnerabilities that might have been introduced. Don’t forget that managing risk in the cloud is a shared responsibility between the provider and the customer. Typically the provider is on the hook for things like power, data center security, backup and recovery, patching, and data at rest encryption. But the client has their own responsibilities, such as controlling user access, configuring the cloud applications, and managing the data the goes in and out of the cloud. If the provider falls down on any of its duties, they are vulnerable to law suits. But if the customer fails to mitigate the risk on their side of the cloud shared responsibility model, they won’t have anybody to blame. For continuing information, explore the key findings uncovered in the annual Oracle and KPMG Cloud Threat Report 2018.  Brian Jensen is Managing Director in KPMG’s Oracle Risk Consulting practice. He  is a business development and solution delivery executive specializing in ERP, large-scale business transformations, security & controls, and identity management. Brian has a successful track record of building innovative, effective risk management solutions for large and midsized organizations.

By Brian Jensen, Director, KPMG According to a 2018 Cloud  Threat Report commissioned by Oracle and KPMG, 83% of companies believe cloud security is as good as or better than on premises security. It...

We're happy to announce the availability of Audit Vault and Database Firewall (AVDF) Release 12.2 Bundle Patch Nine (BP9). AVDF 12.2 BP9 enhances security and gives our customers greater control in protecting internal communications, allowing customer selection of the TLS level used between different components and establishing a baseline of TLS 1.2 for all new installations.  AVDF 12.2 BP9 is available via MyOracleSupport as patch 28188074.  For new installations of AVDF 12.2, an updated installation media pack that already includes BP9 is available at https://edelivery.oracle.com. AVDF provides a first line of defense for databases and consolidates audit data from databases, operating systems, and directories to support monitoring and compliance reporting.  A highly accurate SQL grammar-based engine monitors unauthorized SQL traffic before it reaches the database.  Audit records from on-premises and cloud databases are collected for centralized management and provide monitoring, reporting, and alerting of anomalous activity across databases.  AVDF helps reduce the costs of regulatory compliance while giving administrators enhanced visibility into their IT operations. AVDF 12.2 BP9 is a mandatory prerequisite for upgrading to next year’s AVDF 19.1 release. Existing AVDF installations must upgrade to at least 12.2 BP9 prior to performing the AVDF 19.1 upgrade. AVDF 12.2 BP9 establishes a new minimum security baseline for Audit Vault and Database Firewall.  We’ve not only changed the default inter-component communications protocol to TLS 1.2, we’ve also desupported older java versions, requiring that Audit Vault agents now use Java 8 in preparation for the upgrade to Java 11 support next year. A complete list of the features and capabilities of this release, along with detailed installation instructions, are available in the patch release notes. To learn more about Audit Vault and Database Firewall, check out our AVDF Product Page on the Oracle Technology Network (OTN). Get the latest details on installing BP9, including how to install the pre-upgrade agent patch, with MOS note 2457374.1 - Details for Applying The Mandatory BP9 Pre-upgrade Patch. You should also review MOS note 15363801.1 - Oracle Audit Vault and Database Firewall Platform Support - this note includes instructions on upgrading the AVDF agent's Java version to Java 8. Learn more about Oracle Database Security Solutions Download Audit Vault and Database Firewall Release 12.2 Bundle Patch Nine now!  Visit My Oracle Support and search for patch 28188074.

We're happy to announce the availability of Audit Vault and Database Firewall (AVDF) Release 12.2 Bundle Patch Nine (BP9). AVDF 12.2 BP9 enhances security and gives our customers greater control in...

Going into OpenWorld 2018 I am reminded how I have often cited the great data migration as “Elvis has Left the Building”, while my colleague Brian Jensen, from KPMG has often called it “The King has Left the Castle”.  Either way, the point is this.  Organizations often get to a point where they realize that their data is now outside their control.  How they respond to this risk and threat is what ensures organizational success or failure. A significant step in preparedness is awareness in the risks and threats, which is what Brian and I have done in the development of a groundbreaking report called The Oracle and KPMG Cloud Threat Report 2018.  This report is based on a detailed survey of 450 global security practitioners who are focused on cloud security and driving the security requirements around cloud initiatives. Oracle and KPMG have collected the key challenges that these respondents are dealing with and using the combined research from both of Oracle and KPMG’s collective cyber research organizations to provide advance analysis around these challenges.  We then provide a best practice approach to preparing the organization for these lift and shift projects to ensure success. It is inevitable that Elvis is going to leave the building, and that the king will leave the castle, but it’s also possible to do this in a secure and a risk averse manner with proper controls in depth.  Download the 2018 report to learn better how to prepare your organization today. If you are attending Oracle OpenWorld 2018 this year, we encourage you to join us as we present the key findings of this highly successful report on Monday at our session “The State of Cloud Security: Keeping Pace at Scale”.   You can also follow me on Twitter @GregJensen10 for more information about the IDC Periscope interview on Monday October 22nd live from OpenWorld that I will share more information on later this week. #OOW18

Going into OpenWorld 2018 I am reminded how I have often cited the great data migration as “Elvis has Left the Building”, while my colleague Brian Jensen, from KPMG has often called it “The King has...

We’re all guilty of thinking myopically at times. It’s easy to get caught up thinking about the objects in our foreground and to lose our sense of depth. We forget about the environment and the context and we focus too narrowly on some singular subject. It’s not always a bad thing. Often, we need to focus very specifically to take on challenges that would otherwise be too big to address. For example, security professionals spend a lot of time thinking about specific attack vectors (or security product categories). And each one perhaps necessarily requires a deep level of focus and expertise. I’m not arguing against that. But I’d like to suggest that someone on the team should expand their focus to think about the broader environment in which cyberattacks and security breaches take place. When you do, I suspect that you’ll find that there are data points from outside of the typical security realm that, if leveraged correctly, will dramatically improve your ability to respond to threats within that realm. I posted recently about the importance of convergence (of security functionality). I noted that “Security solutions are evolving toward cloud, toward built-in intelligence via Machine Learning, and toward unified, integrated-by-design platforms.” I went on to suggest that forward-looking security platforms are autonomous and operate with minimal human intervention. I believe that’s where we’re heading. But to better enable machine learning and autonomous security, we need to feed as much relevant data as possible into the system. We need to feed the machine from an expanding trough of data. And with Internet scale as an enabler, we shouldn’t limit our security data to what has traditionally been in-scope for security discussions. As an example, I’m going to talk about how understanding Application Topology (and feeding that knowledge into the security trough) can help reduce risk and improve your security posture. What is Application Topology? As you likely know, modern applications are typically architected into logical layers or tiers. With web and mobile applications, we’ve traditionally seen a presentation layer, an application or middleware tier, and a backend data tier. With serverless compute and cloud microservice architectures, an application’s workload may be even more widely distributed. It’s even common to see core application functions being outsourced to third parties via the use of APIs and open standards. Application Topology understands all the various parts of an application and how they’re interrelated. Understanding the App Topology means that you can track and correlate activity across components that may reside in several different clouds. How does Application Topology impact security? Consider an application that serves a package delivery service. It has web, mobile, and API interfaces that serve business line owners, delivery drivers, corporate accounts, and consumer customers. It’s core application logic runs on one popular cloud platform while the data storage backend runs on another. The application leverages an identity cloud service using several authentication techniques for the several audiences. It calls out to a third-party service that feeds traffic & weather information and interacts with other internal applications and databases that provide data points such as current pricing based on regional gas prices, capacity planning, and more. Think about what it means to secure an application like this. Many popular security tools focus only on one layer or one component. A tool may scan the web application or the mobile app but probably not both. An app like this might have a few different security products that focus on securing APIs and a few others that focus on securing databases. Even if all components feed their security events into a common stream, there’s not likely a unified view of the risk posture for the application as a whole. None of the security tools are likely to understand the full application topology. If the app owner asked for a security report for the entire application, would you be able to provide it? How many different security products would you need to leverage? Would you be able to quantify the impact of a single security configuration issue on the application as a whole? If a security solution fully understands the application topology and incorporates that knowledge, here are a few of the benefits: You can generate a holistic report on the application to the app owner that covers all components whether on-premises, in the cloud, or via third-parties. You can monitor user activity at one tier and understand how that impacts your risk posture across other tiers. You can monitor for security configuration changes at all components via a unified service and automatically adjust risk scores accordingly. In other words, a deep understanding of the IT infrastructure underneath the application yields a more robust understanding of security issues and an increased ability to respond quickly and automatically. Summary Challenge yourself to expand the scope of which data points might be useful for improving security. Are security appliance event logs and threat feeds enough? As we enter an era dominated by AI and Machine Learning, we need to add as much high-value data as possible into the security trough. ML performs better as it incorporates more information. And as Larry Ellison famously said, the threats are becoming increasingly more sophisticated. “It can't be our people versus their computers. We're going to lose that war. It's got to be our computers versus their computers.” We must rely on Machine Learning and we have to feed it with as much intelligence from as many sources as possible. Oracle Cloud Security solutions are built on Oracle Management Cloud (OMC) so they fully understand the application topology, application performance metrics, and configuration. Oracle’s built-in Machine Learning leverages this data to make better security decisions and to remediate issues through OMC’s Orchestration service. Learn more about how Oracle helps customers modernize their security solutions with Machine Learning adaptive intelligence at Oracle OpenWorld this month!  

We’re all guilty of thinking myopically at times. It’s easy to get caught up thinking about the objects in our foreground and to lose our sense of depth. We forget about the environment and...

Software vendors like to throw around industry buzzwords like artificial intelligence (AI) and machine learning (ML). But when it comes to web application security, it's important to look beyond the buzzwords and realize that AI and ML are really all about automating the response to incoming cyberthreats, according to Laurent Gil, Security Product Strategy Architect at Oracle Dyn.  That's one of the messages Gil will deliver during an Oracle OpenWorld 2018 session,  Introducing an Intelligent Approach to Beating Cybersecurity Threats. Gil will lead the session along with Rodrigo Balan, Director of IT operations at IdentityMind, a regulatory technology company that uses AI as part of its web application security strategy, and Terence Chong, principal product manager at Oracle Dyn.  In this Q&A, Gil—the co-founder of security company Zenedge, which was acquired by Oracle in March—previews the Oracle OpenWorld 2018 session and shares his insights on the effects that AI and ML are having in the IT security market.   Why is it important for today's businesses to incorporate AI and ML as part of their web application security strategies?   Laurent Gil: It's not really that they need AI or ML. The point is they need to use tools that are truly automated. The traditional way of doing web application security is to set up some rules to test the validity of incoming traffic. These rules are very rigid and sometimes create a lot of false positives. While false positives are to be expected, they may generate so many alerts that administrators stop looking at them. If you stop looking at them, the hackers have won.   What AI, ML, and related techniques do is allow you to automate the response to security events as much as possible, so you don't even need to look at them. Instead, you trust the machine to block incoming traffic when necessary, and you only need to look at true anomalies or corner cases.   How do AI and ML ensure an automated response to incoming web application security threats?  Gil: ML technologies examine similarities found in different types of web traffic. They collect all sorts of information that taken together allow for the classifier to decide which traffic is valid and which traffic may be a threat. The techniques we use must also have a very strong feedback loop, so the platform becomes better as you are using it. Once you identify the corner cases, for example, you should not need to identify any more. The machine will then know what to do. That's the goal that we all have in the industry.   What are the major types of web application security threats that businesses need to guard against today?  Gil: You can classify these into two categories. The first category is what I call background noise. This means that there is a small percentage of traffic that is poking around your applications to see if there are any weaknesses due to, for example, a patch that you forgot to install. So, the background noise is there to automatically identify vulnerabilities. If a vulnerability is found, the hackers will launch the real attack—one that can severely damage the application.  The second type of attack is the tough one. This is when hackers have identified the vulnerability and they are going to exploit it. Sometimes the vulnerability is that you are not able to identify bot traffic. If they see this, they will program bots to attack and steal information, crawl your site, and wreak havoc.  Organizations need tools to defend against both types of attack. They need to block the background noise as much as possible, so the bad guys will see that they are fully protected. And they need to be ready to defend against the second attack, which is a greater challenge because, by definition, the bad guys already know what to do.   Why did you invite Rodrigo Balan from IdentityMind to join your discussion?  Gil: IdentityMind is a great example of the right way to do web application security. Like many companies, they have their own data center. But they wanted to move their software as a service (SaaS) application to the cloud. They looked at Amazon Web Services, Microsoft Azure, and other cloud providers and ultimately chose Oracle Cloud Infrastructure. They selected Oracle in part because we are able to provide tools that de-risk the move to the cloud. We started by installing our Web Application Firewall (WAF) on their on-premises applications. This eliminated the web app security concerns related to migrating to the cloud. Using our WAF, their SaaS application was secure before the migration, during the migration, and after the migration. In other words, Oracle WAF enabled them to peacefully lift and shift their application to the cloud. What advice do you have for companies that want to start down the road to securing web applications with AI and ML?  Gil: First, don't trust your vendor (laughs). By that I mean, do not select a software company because it uses words like 'machine learning' and 'artificial intelligence.' Instead, do an actual proof of concept (POC), because that's the only way to find out what works and what doesn't. The second thing is that you shouldn't focus on AI or ML. Focus on automation. Verify that the tool uses automated systems for detection and mitigation and enables you to reduce the number of false positives. You can verify all of this when you do the POC.      

Software vendors like to throw around industry buzzwords like artificial intelligence (AI) and machine learning (ML). But when it comes to web application security, it's important to look beyond the...

All my customer demo databases always have Database Vault configured and enabled, and that fact requires a few extra gymnastics when patching, especially in 12.1.0.2 with root container and PDBs. If Database Vault is selected during DB installation of a multi-tenant (MTA) database via DBCA (Database Configuration Assistant), you are prompted to create two common users, let's call them C##SEC_ADMIN_OWEN (this user will be the Database Vault 'Owner'), and C##ACCTS_ADMIN_ACE, the DBVault Account Manager; the Oracle Installer will grant the common roles DV_OWNER and DV_ACCT_MNGR to them, but the grant command is executed without the 'CONTAINER = ALL' clause, which means C##SEC_ADMIN_OWEN and C##ACCTS_ADMIN_ACE exist in all present and future PDBs, but their DBVault specific roles are only granted to them in the root container. First, confirm that Database Vault is correctly setup; run this in the root container and all PDBs: SQL> select * from dba_ols_status order by 2 desc; NAME                  STATUS  DESCRIPTION --------------------- ------- -------------------------------------- OLS_CONFIGURE_STATUS  TRUE    Determines if OLS is configured OLS_ENABLE_STATUS     TRUE    Determines if OLS is enabled OLS_DIRECTORY_STATUS  FALSE   Determines if OID is enabled with OLS Only the OLS_CONFIGURE_STATUS and OLS_ENABLE_STATUS rows need to be TRUE. The fact that OLS policies can be stored in Oracle Internet Directory is irrelevant in the context of DBVault. SQL> select * from dba_dv_status; NAME                      STATUS ------------------------- ------- DV_CONFIGURE_STATUS       TRUE DV_ENABLE_STATUS          TRUE Most likely you see TRUE in the root container, and FALSE in the PDBs.  If this is the case, execute the following in all PDBs: SQL> EXEC LBACSYS.CONFIGURE_OLS; SQL> EXEC LBACSYS.OLS_ENFORCEMENT.ENABLE_OLS; That turns on Oracle Label Security in so far as it is used by Oracle Database Vault internally. Confirm with: SQL> select * from dba_ols_status order by 2 desc; Then, turn on Database Vault; execute in all PDBs: SQL> GRANT CREATE SESSION, SET CONTAINER TO C##SEC_ADMIN_ROOT, C##ACCTS_ADMIN_ROOT CONTAINER = CURRENT; SQL> exec dvsys.configure_dv('C##SEC_ADMIN_ROOT', 'C##ACCTS_ADMIN_ROOT'); SQL> @?/rdbms/admin/utlrp.sql C##SEC_ADMIN_ROOT> EXEC DBMS_MACADM.ENABLE_DV; Confirm with: SQL> select * from dba_dv_status; For patching, we don't need to turn off, or disable, Database Vault anymore; instead, the DV Owner executes: C##SEC_ADMIN_OWEN:CDB$ROOT> grant DV_PATCH_ADMIN to SYS container = ALL; That would allow the changed SQL to be applied to the root container and all open PDBs. But, DV Owner doesn't have the proper privilege as I explained earlier. To confirm in the root container: SYS:CDB$ROOT> SELECT granted_role, username FROM USER_ROLE_PRIVS where granted_role like '%PATCH%'; GRANTED_ROLE    USERNAME --------------- --------- DV_PATCH_ADMIN  SYS Confirm in the PDBs: SYS:FINPDB> SELECT granted_role, username FROM USER_ROLE_PRIVS where granted_role like '%PATCH%'; no rows selected C##SEC_ADMIN_OWEN:FINPDB> grant DV_PATCH_ADMIN to sys container = current; You would need to execute that step in all PDBs across the container.  Of course the 'container = current' part of the command is not needed as this is the default when executed in a PDB, I added it here for clarity. Confirm: SYS:FINPDB> SELECT granted_role, username FROM USER_ROLE_PRIVS where granted_role like '%PATCH%'; GRANTED_ROLE    USERNAME --------------- --------- DV_PATCH_ADMIN  SYS Voilà, now you can run 'opatchauto' or 'datapatch' and the changed SQL will be applied to root container and all open PDBs. After successful patching, you would revoke the granted patching privilege from SYS (execute in root container and all PDBs): C##SEC_ADMIN_OWEN:CDB$ROOT> revoke DV_PATCH_ADMIN from sys container = current; C##SEC_ADMIN_OWEN:FINPDB> revoke DV_PATCH_ADMIN from sys [container = current]; But there is more ... you want to audit what SYS is doing with that new privilege; is it only used for patching, or will that user do something else while s/he has the extra powers? Find out with: C##SEC_ADMIN_OWEN:CDB$ROOT> EXEC DBMS_MACADM.ENABLE_DV_PATCH_ADMIN_AUDIT; in the root container and C##SEC_ADMIN_OWEN:FINPDB> EXEC DBMS_MACADM.ENABLE_DV_PATCH_ADMIN_AUDIT; in all PDBs. The audit events are written to dvsys.audit_trail$. When you are done patching, you can turn auditing off, but I would leave it running for the next patch cycle. Happy patching, Peter

All my customer demo databases always have Database Vault configured and enabled, and that fact requires a few extra gymnastics when patching, especially in 12.1.0.2 with root container and PDBs. If...

It’s no secret that cloud adoption is growing—and at an incredible rate. This year’s Oracle and KPMG Cloud Threat Report survey showed that 87% of responding organizations now have cloud-first orientations. Organizations, initially concerned about a lack of security in the cloud, have clearly decided that cloud benefits outweigh the risks—at least for some parts of their businesses. But, like any transformational change, cloud adoption also comes with its own unique set of challenges, especially when it comes to security. The dirty secret is that cloud adoption has led to the creation of a multidimensional data center, where new technologies run alongside traditional solutions. And all of it is managed and secured using islands of disconnected tools and process—at least for now. The unintended consequence is that security teams have a metaphorical hand tied behind their back when it comes to detecting and responding to security incidents in their cloud environments. In fact, it was the most frequently mentioned concern by far, cited by 38% of respondents to our survey. The root of this problem lies in the fundamental difference between securing on-premises infrastructure and cloud services. But one of the key issues is that these disparate and still expanding number of systems have buried security teams in a landslide of telemetry data. Only 37% of survey respondents said that they can analyze a modest sample of their data (defined as 25% to 49%), and another 14% report they can only analyze small samples of their data (less than 25%). Not only is the amount of data a problem, but to really understand what’s coming in, security teams have to be able to see the correlations between different data points. Unfortunately, the average cybersecurity professional has their attention split between about 46 different security products, making it hard to focus on any one thing for too long. It’s as if we buried our security teams in that landslide of data, handed them spoons, and told them to dig themselves out before they’re crushed. It’s just not humanly possible. Cybercriminals figured out the answer to this problem a while back. It used to be that if you logged on to an unsecure Wi-Fi connection, some nefarious character could be hanging out there and start probing your system within a few minutes. It was a manual process. Today, it’s automatic. You connect to the network, and the automated systems are at your machine immediately. What cybercriminals figured out—and what we have to learn—is that automated systems are much better at handling volume than humans. So, what we need to do is equip our security teams with the same basic technologies that the criminals already have. Security teams are already using machine learning to find zero-day threats. Now, teams can use that same technology to automate the analysis of all that security event data. It used to be that IT and security professionals were uncomfortable with handing such an important task over to automated tools. Now, it’s a necessity. In fact, more than a third of survey respondents said their organizations are actively investing in automated solutions. And almost another half are considering it. With automation, security teams can go from distraction to being better able to hone in on the issues that matter most and get on a more level playing field with cybercriminals. For more information on this topic, join us for our webcast: Enabling a Secure SaaS Experience  – Register Here.

It’s no secret that cloud adoption is growing—and at an incredible rate. This year’s Oracle and KPMG Cloud Threat Reportsurvey showed that 87% of responding organizations now have cloud-first...

Roughly half of the traffic on the internet now is bot traffic: Bits of code created for tasks both good and not-so-good. Bots index content for search engines, making it easier for customers to find your business. But bots can also exploit vulnerabilities, expose data, shut down entire websites, or even steal your intellectual property.   Bot management and mitigation are both crucial parts of modern website security. Bot attacks can be as subtle as activity that mirrors what humans do on your site, or as blatant as a swarm of bots that takes your entire site offline.  Oracle Cloud Infrastructure architect Laurent Gil is a pioneer in bot management. Gil co-founded Zenedge, a cybersecurity company focused on WAF and DDoS protection with an advanced bot solution. Zenedge was acquired by Oracle this year.   We sat down with Gil for a wide-ranging Q&A that covers the essentials of bot management.   Oracle Dyn:   How would you define bot management, in simple terms?   Laurent:  Bot management is a feature of an application security platform that is trying to identify whether the requests that come into a website or to a mobile application are coming from a human or from a machine. That’s the simple definition.   Now, there are some machines that are fine, like Google’s bots. You obviously want Google bots to go and access every one of your pages. But you don’t want other bots — malicious bots or unknown bots — trying to access your site. Your site is supposed to be designed for humans.  Our task is to classify incoming requests into the human bucket or the good bot bucket. And anything that is not a good bot would be classified as a malicious bot or unknown. In our world, unknown is the same as malicious. You can’t afford to assume something unknown has good intent.   Now when it is a good bot, or a human, it doesn’t mean that there is no attack payload inside this request. That is what a web application firewall (WAF) would look for. So, this is the reason why a bot management layer of application security must be part of a bigger platform that will vet every request that comes in.    Oracle Dyn:   What are the different types of bot attacks we should be aware of and prepared for?  Laurent:  There are four major types of attack we have to deal with:  #1: Finding and Exploiting Vulnerability  First, it’s important to realize that any site or any application that creates a website is vulnerable. They have lots of exposed surface area, lots of vulnerabilities. There have been patches for these vulnerabilities and there are decades of patching available. But every so often, a person may forget to patch one part of their site.   This is the first type of attack. It’s scanning of applications looking for vulnerabilities, almost like a background noise that you can see on the internet, where hackers are consistently poking every site to see if they forgot to patch.   This background noise is all run by machines. So, there is a small percentage of traffic on the internet today that is run by botnets, and this traffic’s only objective is to poke every site for vulnerabilities.  A bot manager will identify this request and will prevent it from going to the web server. But the bot manager will also tell the sender of this request that the page was not found. So, we are sending two messages there: We are preventing any of this poking from reaching the web servers of our customers, and we are also misleading the hacker by having them believe that these pages do not exist.   #2: Traditional Layer 3 and 4 Volumetric DDoS Attacks  The second type of bot traffic we see is what we call DDoS (distributed denial of service) attacks. The traditional DDoS is what you may hear in the news, which are these very large -- hundreds of gigabits per second — surges of traffic to a host or web server. Traditionally, there is a large industry of DDoS vendors that would mitigate a DDoS attack. We call these attacks the Layer 3 and Layer 4 volumetric attack.  These are pure network attacks. They are sending garbage traffic to an IP or to a data center and they hope that the garbage traffic is so big that it will fill up the internet pipe of that data center. And therefore, all the legitimate traffic has little space to come in. They are not trying to do a data breach. They are just trying to keep users from accessing the asset.  Such an attack can focus on web servers, email servers, databases, even an entire data center. A few years ago, there was a data center in Northern Europe that went offline. The whole data center became offline just because there was one gaming company using this data center that had a DDoS attack so large, it was bigger than the size of the internet pipe of the entire data center. And so, half of a country went down because of this.   It is now rare that hackers are successful, unless the attack is really, really large. There are a number of DDoS providers that are able to mitigate using cloud-based techniques where you have almost limitless capability to divert and clean this traffic.   #3: Application Layer DDoS Attack  The other type of DDoS attack is much harder to catch and much more difficult to guard against. It’s what we call the Application Layer DDoS attack. This is an attack directly on a website. I’ll give you an example: Imagine you go to a website’s search bar and make a search. The issue is, almost every search is unique based on the phrase that you are typing, based on the keywords you’re looking for. So, the results won’t be in the cache; they must come from the server.  Hackers use bots to input keywords that have nothing to do with one another. They could put the entire dictionary into that field, one word at a time. The immediate impact is they utilize all the web server resources. The web server is busy trying to process all the malicious requests and becomes unavailable to the legitimate user.  These attacks are much harder to identify, because they’re using the same interface that a human would. This is where bot management is crucial. By using sophisticated techniques to identify whether the user is a bot or a human, we can divert and block all this garbage bot traffic and stop it before it reaches the web server.  #4: Fraudulent Site Activity  The fourth use of bots that a manager must detect and mitigate, one that is almost criminal in nature, is also very, very hard to catch and to protect against: it’s the simulation of a human transaction.   For example: we had a client, an airline, that was under a bot attack. It is an airline in Asia, and suddenly they started to see a lot of tickets being booked from China. They knew it’s from China because of the incoming IP address. So, more tickets were being booked from China than usual, but almost all of these tickets were cancelled within 24 hours of the acquisition.    You see, a lot of airlines allow for a full refund within 24 hours. So, these bots would simulate human traffic: They would go on the site, select the city fare, as well as the class of travel, put a real credit card number, buy the ticket. The next day, the same bot will come to the site and cancel the reservation and request for a full refund. They were using real credit card numbers, they were behaving as humans behave by selecting the city and buying the ticket. This is a criminal utilization and fraud. We have now seen similar behaviors from bots that would stop short of entering a credit card number, but that would create a temporary reservation, usually for a few minutes.  We suspect that some other airline was paying hackers in China to do this. You see, as the bot buys tickets, the plane gets full. And the airline site sees the rise in demand and adjusts prices; the remaining seats become more expensive. As they become more expensive, the competition is able to sell tickets to the same city for cheaper. The tickets will be canceled the next day, and our customer would have lost business because the actual humans would have bought a plane ticket on a cheaper airline.  So, the impact there is real fraud that has a direct impact on our customer’s business. Thankfully, we were able to identify some irregularities in their behavior that indicated these users were not human.   We see also bots that are doing content scraping. For example, they are going to a directory company site and copying all the content on the site. This is what the Google bot does as well, but Google does it for a good purpose. Malicious bots do it so that they can resell the content to third parties. For the directory company, the content is the value of the site. So, this is another type of criminal or fraudulent utilization of an application.  Oracle Dyn:  This goes deeper than good bots and bad bots though, right? Are there situations where you would want to identify and block a benign bot?  Laurent:   Even when the bot traffic is not malicious, there are times when a site might want to prioritize human traffic over bot traffic. Bot management helps with that as well. We have a customer that is a rental car company. This customer has good bot traffic coming to their site from travel agencies. Travel agencies just want to check prices, so they can show them to their customers, and when the customer is ready to buy, obviously, our client makes money.   Our customer wanted to prioritize human traffic. Because obviously, a human coming in to rent a car has direct impact versus just a travel agent that is just looking for pricing from other rental agencies as well. So here, the idea is “we are fine with traffic from bots, but we want human traffic to be first”. And, if the web server is still available, then we will serve the bot traffic.    It’s a two-part process. First the bot management software identifies which traffic is from bots, then it can take an action based on what the traffic is trying to do and what you want it to be allowed to do.    Oracle Dyn: In broad terms, how does bot management software classify traffic?  Laurent:  Well, there are a few different levels of sophistication for identifying bots versus humans. The simplest technique is linked to the type of browser the end-user is using. When a person is using a browser such as Safari, Chrome, or Edge, we know that browser has a JavaScript engine and other specific features that are necessary for almost any application today.   If the end-user browser doesn’t have a JavaScript engine and the likes, then there is an almost certainty that the end-user is a bot. So, some of the techniques we use to prevent or to identify bots are just based on the type of devices and features that you have and the capability of that machine.   This bot mitigation techniques are very efficient because it’s expensive for hackers to simulate a full internet browser. Especially when they launch a DDoS attack, because it’s relatively expensive to run full internet browser simulations inside of a botnet. However, though it’s expensive, it’s not impossible. So, we needed to evolve.  The second generation of bot management is much more sophisticated. We analyze the behavior of the user, and based on its behavior, we can identify whether the user is human or not human.   The third generation uses even more sophisticated machine learning techniques towards an artificial intelligence engine that is making this classification. And this is where we are today with some of our most sophisticated customers. And a lot of these are actually custom made for a particular customer. That’s why they are very high end. We do use some machine learning techniques for the second generation to look at the behavior analysis. But some of our most sophisticated customers use a platform that is being trained to recognize the bot based on their specific application.  Oracle Dyn:   How can businesses get started with bot management? What’s the first step?  Laurent:  Business should look for a good bot management vendor. Very often, we start with proof of concepts with our customers. During POCs, we typically show all the bots that are identified by the platform. Sometimes, it is a bit of a surprise, and clients see for the very first time that their sites and mobile apps get quite a lot of weird bot traffic.   So, it is almost like you try it, before you buy it, but try it with the full extent and full power of the platform, which sometimes provides very interesting results. A lot of the time customers are not aware of what is happening to their applications and so having visibility into it is an eye opener to these clients. I mean, you’ll be surprised at the things we find. For example, this poking that I was talking about before, this background noise, sometimes customers are not even aware that this is happening.   This is something people can’t do soon enough. 

Roughly half of the traffic on the internet now is bot traffic: Bits of code created for tasks both good and not-so-good. Bots index content for search engines, making it easier for customers to find...

Authored By: Christina Richmond, IDC Program VP WW Security Services for Oracle  Adoption to the cloud is no longer stymied by security concerns as it once was. If anything, companies believe too fully in the security of the cloud service provider (CSP) these days. This belief may exist because security teams are understaffed, overburdened or because of true security competency within the cloud provider. But at the end of the day, the organization is on the hook for protecting its data in motion and at rest. CSPs are not responsible for the ingress and egress of data but rather only what resides within its data center. And even that is shared responsibility. One might say the new security perimeter is identity and data which are the underpinnings of every action taken in this digital world. To secure this new perimeter a deep understanding of data inventory and classification is required. The other side of this coin is knowing the identify and privileges of the user and which data they have access to. However, these requirements are not easily satisfied. With digital transformation comes an explosion of applications, APIs and delivery methods. “Cloud” can be private, public, as a Service and part of a many-cloud or “multicloud” approach. IT staff is still burdened with legacy security tools and lines of business are increasingly engaging in platform solutions which impact security. While these new platforms fuel digital growth and customer engagement they also complicate security visibility because they are outside the purview of the security staff. Managed security services (MSS) have existed for decades and they, too, are evolving to embrace the cloud ecosystem. Traditionally, MSS providers (MSSPs) managed and monitored the on-premise security appliances for a customer. Today we are seeing a rapid buildout of tools which provide MSSPs the ability to visual the customer’s entire architecture from on premise to SaaS-based including single and multicloud. Gaining visibility allows the MSSP to then quantify vulnerabilities against the threat landscape which in turn provides a view into risk.   According to an IDC study conducted last year we see that the MSSP purchasing form factor is shifting from predominately on-premises to hosted and SaaS based (see chart below). Adoption of MSS which once was an ROI-based decision swapping Capex for Opex cost is now one of imminent necessity if for no other reason than to provide visibility. We can’t protect what we can’t see. We can’t thwart what lurks in the shadows and we can’t respond if we don’t know what and where the danger is. With more and more of the architecture in cloud and multicloud the challenge of finding, tracking and combatting an adversary is compounded. MSS provide the “eyes on screen” of a Security Operations Center (SOC), advanced detection capabilities and increasingly they provide automated detection and response.  It’s no surprise then that advanced detection and analytic techniques are called out by nearly 40% of respondents as “required as part of a managed cloud services engagement.” Visibility is the one aspect of security that will in the end “right the ship.” When a SOC analyst receives an alert and discovers it to be an actual incident the advanced detection tools and threat intelligence the MSS provider (MSSP) possesses can vastly improves the analyst’s ability to see within a hybrid environment where the attack is and when it first entered. Today the Band-Aid approach of “look, alert, combat…repeat” is becoming more and more automated with the use of machine learning and big data analytics; meanwhile the skills of the MSSP provide the glue to keep the enterprise safe. The market is demanding greater cloud security capabilities and cloud providers are responding with enhanced visibility and response tools but remember that their responsibility stops at the door to their data center and the organization is ultimately responsible for the data outside. In our next blog we’ll diver deeper into addressing identity and access management challenges in MSS. To learn more about Oracle Managed Security Services and how MSS can help you, visit our website. Follow Christina Richmond @Xtina_richmond Follow Greg Jensen @GregJensen10

Authored By: Christina Richmond, IDC Program VP WW Security Services for Oracle  Adoption to the cloud is no longer stymied by security concerns as it once was. If anything, companies believe too fully...

Recently, Mike Faden wrote a stellar article in Oracle Magazine that highlights the issues and challenges that organizations are faced with around the attack surface that is leading to breaches.  Responding to this is a new wave of sophisticated technologies and methodologies that Mike has highlighted after interviewing some of Oracle's security leadership.  What Mike has learned is that there are some new and sophisticated approaches in the area of Identity Management, Database Security and more, that are helping to reduce the attack surface and help to reign in the risk and exposure that organizations are dealing with today. Read this amazing article from Oracle Magazine and Mike Faden today, and if when you are ready to learn more about Oracle's security solutions, check out our solution page for the latest information.

Recently, Mike Faden wrote a stellar article in Oracle Magazine that highlights the issues and challenges that organizations are faced with around the attack surface that is leading to breaches.  Respon...

Authored By: Christina Richmond, IDC Program VP WW Security Services for Oracle As discussed in previous blogs, the market is increasingly willing to move to the cloud. In fact, adoption is reaching an inflection point, with 80% of cloud budgets focusing above and beyond the cloud infrastructure (now only 20% of budget) to engage adjacent emerging services for cloud acceleration and enhanced management.1 However, obstacles still exist: inconsistent cloud configuration leaves security vulnerability gaps; detection, response and remediation visibility in the cloud environment is difficult—and hybrid IT multiplies this difficulty many times. Many more challenges exist which have been discussed in an earlier blog, Today's Threat Landscape and How to Tackle It, to which organizations are finding solutions in managed security services (MSS).                                     Source: IDC Managed CloudView September 2018 As you can see in the above graphic, drivers of managed cloud security adoption are many, ranging from the inability to keep pace with the rapid evolution of security technologies, lack of resources and talent, the need to lower cost and re-focus the business to core initiatives, and the desire for access to new security capabilities. But the most significant of these is the need for support across multiple types of delivery models, or what is commonly called “hybrid IT.” Hybrid IT is a mix of on-premises and public and/or private cloud workloads. An ideal future hybrid IT state, according to 400 enterprises in the U.S., would be roughly 25% in the public cloud, 48% in a private cloud and 27% non-cloud or on-premises, shown in the below graphic.2Source: IDC's Cloud and AI Adoption Survey, 2018 We all know that the security perimeter is a thing of the past. And we know that hybrid IT complicates all aspects of securing an organization’s data. Today’s security challenges are widely known but solutions are still evolving. In any massive transformation era such as the digital transformation of today we see increased need for professional services to help the organization get a grasp on strategy, policies, architecture design. And these services are in full use today. Adoption of managed security services, once an ROI-based decision swapping capex for opex cost, is now an imminent necessity if for no other reason than to provide visibility. When we double-click into the most significant of drivers of MSS in cloud and hybrid IT, we discover specific vulnerabilities that haunt the security team managing hybrid environments. Six of the 11 attacks and/or vulnerabilities are called out by over 40% of respondents in the below graphic as areas requiring additional support because they occur across multiple delivery models such as private, public, and hybrid workloads.   Source: IDC Managed CloudView September 2018 We can’t protect what we can’t see. We can’t thwart what lurks in the shadows, and we can’t respond if we don’t know what and where the danger is. Hybrid IT magnifies the challenge of finding, tracking, and combating an adversary that is better funded and faster than most IT departments. Many managed security services providers tout the drivers listed above, but MSSPs that focus on providing visibility into and security of the hybrid environment provide organizations with a 360-degree view into their full architecture across all workloads no matter where they reside. In addition, they bolster the agility of the enterprise as it transforms itself into a digital company. Finally, these services can consolidate the “eyes on screen” of a security operations center (SOC) team, which today typically works across multiple platforms for the same insights. This in turn naturally saves time and expense. Please be sure to check back to read the next blog in our series on “Securing your data in the cloud using MSS.” To learn more about Oracle Managed Security Services and how MSS can help you, visit our website.   Additional Source: 1, 2. IDC’s Cloud and AI Adoption Survey, January 2018 3. IDC Managed CloudView September 2018  

Authored By: Christina Richmond, IDC Program VP WW Security Services for Oracle As discussed in previous blogs, the market is increasingly willing to move to the cloud. In fact, adoption is reaching...

As a parent, I have pretty simple rules for my kids: Clean your rooms. Pick up your stuff. Don’t speed in the car. But as I’m writing this blog, I know that at least two out of my three kids are breaking those rules. They don’t quite comprehend that these rules aren’t just for my good. They’re for them too. Similarly, we found out in our 2018 Oracle and KPMG Cloud Threat Report that 97 percent of respondents say their organizations have defined cloud-approval policies. But we also found that 82 percent of those respondents felt those rules were being ignored. It’s a common scenario, and even an understandable one: Some line of business or another needs to get an application up to achieve a goal. They find or develop an application that will achieve that goal or put them on the cutting edge, and they decide they want to get it out quickly. “We’ll put it together, push it out, meet our goal, and ask for forgiveness later,” the thinking goes. The problem is that this road leads to disappointment at the very least and disaster at the very worst. Say the security team is brought in at the very end, and they’re told, “We’re launching this app in a month. Let’s do what we need to do.” The security team has a series of minor heart attacks as they figure out how they’re going to fit four months of work into a month, and they bring the project to a grinding halt. Eventually, the app is brought up to compliance and proper configuration standards and is accepted as a “sanctioned” application. Or let’s say that the line of business goes ahead and launches the app without checking the proper boxes with security at all. Now, security doesn’t have any visibility into what’s happening with that app, can’t adequately protect it, and the organization gets breached. This is what we call, an “unsanctioned” application. In these scenarios, the difference between a line of business’ timeline for rolling out an application and security’s ability to secure it in that timeline is called the “Pace Gap.” It’s a real problem, but it’s also a problem with a solution.             The line of business and security team both have goals. The line of business wants to accomplish things quickly, and security wants to keep the organization safe. People often see these goals as being at odds with each other, but they don’t have to be. Security can actually help lines of business get their projects done faster, but they have to be involved from the beginning.                                                                  For instance, if you look at a traditional ERP application, it can take up to six months for a large enterprise to fully roll out that platform with the right entitlements and credentials. But if you’re able to port over all your on-premises identities to any new cloud application with a product like Oracle Identity Management Cloud, you can cut a significant amount of time off the project timeline—and satisfy both sides. That’s the carrot. Here’s the stick. Even in the absence of a shortcut that shaves time off the schedule, folks need to slow their roll. Yes, that’s a technical term. If an organization gets breached, asking for forgiveness might not be an option. People are going to lose their jobs—even at the executive level. So, folks shouldn’t just be incentivized to work with security teams. It should be mandated. One person needs to be in charge of understanding shared responsibility models, regulatory compliance issues, and all of the organization’s security needs and standards. That same person should be empowered and given full visibility and the support of the organization to either approve an application’s deployment or to halt it. If you’re an avid reader of this blog, you’ll know that we’re big advocates for having a cloud security architect, but really, organizations just need to have somebody with the right knowledge who can act as a gatekeeper for the company. And with that person’s guidance, the organization can start forming best practices that accomplish both goals—a timely release of a much needed application and the right security measures in place to keep it protected. Once this becomes common practice and the pace gap is closed, all parties can rest a bit easier knowing that their needs are being taken care of. For more on this topic, see our webcast Keeping Security Pace at the Speed of Emerging Technologies - Register Here.

As a parent, I have pretty simple rules for my kids: Clean your rooms. Pick up your stuff. Don’t speed in the car. But as I’m writing this blog, I know that at least two out of my three kids are...

The lead up to Oracle OpenWorld and Code One 2018 is starting to fire up. With just about a month to go, we would like to encourage attendees to access the Oracle OpenWorld Schedule Builder. As in previous years, the Schedule Builder will allow attendees to create a personalized schedule and lock in spots to key sessions. Visitors can reserve a spot for a particular session by logging in and selecting the star icon to the right of each session description.  Customers attending OpenWorld this year will be treated to a number of sessions covering every topic from ongoing system upgrades to cutting edge technology releases. The Schedule Builder is an interactive tool that provides information including session times, locations, and abstracts all centralized in one place - making it a one stop destination to schedule out the entire week. In addition, attendees have access to our Oracle Security Focus On Document. We encourage all security professionals attending to look over the Security Focus On Document for a comprehensive list of essential security sessions and keynotes!  Once again, we encourage any customer attending Oracle OpenWorld and Code One to use the Schedule Builder! Haven't registered yet? It's not too late, register prior to the event to save!

The lead up to Oracle OpenWorld and Code One 2018 is starting to fire up. With just about a month to go, we would like to encourage attendees to access the Oracle OpenWorld Schedule Builder. As in...

By Pedro Lopes Thanks for attending last week DBSAT webcast. In case  you have missed it, you can watch it now on demand here. We had over 900 registrations and engaged customers attending the webcast and received over a 100 questions. Due to the time constraint, we could not answer all your questions, but wanted to follow up to clarify all your doubts. The key categories of questions that came up were: Does it run on the Cloud? Does it run for multiple databases? Performance impact of running DBSAT How does DBSAT Discoverer know which data is sensitive? Does it work on (ODA, Linux, Windows, Amazon RDS, 18c, Salesforce, Oracle Point of Sales)? Regulatory Compliance - Can it help me with SOX compliance? Apps - Any EBS/Retails/xStore/RMS specific checks? Does it have any Integration with OEM? Let me address those questions. Running DBSAT on the Cloud Since this is a pretty broad question, let’s address the easiest use cases first. In IaaS, you’ll have full control so, yes. You can install it on IaaS or run it against a database deployed on IaaS. On SaaS, as you won’t have direct access to the database, so no. On PaaS offerings, DBSAT can discover sensitive data as long it can connect to the database using JDBC. For the Security Assessment part (Collector and Reporter), typically we ask for the collector to on the database server and if you can do that, yes. That you to collect both database and operating system information.   SaaS IaaS DB EE/HP/EP ADW Exadata Express CS Collector   No Yes Yes No No Reporter   No Yes Yes No No Discoverer   No                Yes           Yes Yes          Yes Table: DBSAT components per Cloud targets Performance Impact DBSAT relies on data dictionary views and statistics for row counts. The impact should be negligible, as it does not execute anything different from queries that a DBA on daily activities. How does DBSAT Discoverer know what data is sensitive? DBSAT ships a configuration file with Sensitive Categories and Risk Levels and a Sensitive Pattern file that includes several Sensitive Types that look for matches on metadata based on regular expressions. We have used as a knowledge base our own Oracle Apps sensitive data medatada information and years of field experience and bundled it in the pattern file. There might be some false positives and DBSAT might miss some tables/columns holding sensitive data, but it provides a great start. As a best practice, DBSAT results should be reviewed carefully. DBSAT also provides several parameters/input files to help reduce false positives and make the final result more accurate. Does it work on (ODA, Linux, Windows, Amazon RDS, 18c, Salesforce, Oracle Point of Sales) DBSAT runs on Linux, Windows, Solaris, HP-UX, AIX. So it runs on Oracle Database Appliance. It runs on Oracle Databases (10g up to 18c). Regulatory Compliance - Can it help me with SOX compliance? It will help regulatory compliance initiatives. It will help to understand the current security posture, the gap the best practice, give and highlight technical controls that might help. Regulatory compliance is typically a mix of having the right Organization (People), Processes and Technology in place. DBSAT helps on the technology side. Apps - Any EBS/Retails/xStore/RMS specific checks? No. However, most recommendations will apply. The best practice is to check your specific Oracle App security best practices as well. If there’s a conflict, Oracle App security recommendation shall prevail. Any Integration with OEM While there’s no out-of-the-box integration, have customers that have integrated DBSAT into OEM and other 3rd party tools successfully either leveraging the fact that DBSAT is mainly a shell script and the JSON/CSV output. Hope it helps. Please reach out to me (pedro.lopes@oracle.com) in case of any additional questions/doubts/ideas or just meet me at #OOW. Database Security focused sessions at Oracle Open World: https://events.rainfocus.com/widget/oracle/oow18/1536064610966001SVrg

By Pedro Lopes Thanks for attending last week DBSAT webcast. In case  you have missed it, you can watch it now on demand here. We had over 900 registrations and engaged customers attending the webcast...

Gartner named Oracle a "Visionary" in its 2018 Magic Quadrant for Web Application Firewalls (WAFs). This post will spotlight the Oracle WAF's visionary use of machine learning to assign risk scores to incoming web traffic. Traditional web application security works in the same way as antivirus software, using a rule-based approach. It looks for signatures of known attacks and, as long as you have a good database of signatures, identifies attacks based on that information. Example of a rule-based approach to web application security The problem with rule-based security is that it is only able to identify what it knows, and the definition of what it knows is very rigid. It doesn't work when an attack is similar but not identical to what was seen before. It also doesn't work for all of the attacks that are not known yet -- zero-day vulnerabilities. Supervised machine learning techniques are completely different. They can recognize similarities, even when an attack is not exactly the same. We train an engine on what types of traffic are appropriate for a website or application and what types of traffic are not appropriate. And the engine is able to flag requests based on similarities to what it has learned. It can say, "I have seen something that looks like this request in the past, and that request was malicious, so I am going to flag this request as malicious as well." Example of WAF machine learning training  The Oracle WAF takes this approach a step further by analyzing how closely an unknown request resembles a known request and expressing that in a numeric value known as a risk score. The risk scoring scale goes from 0 (legitimate) to 100 (malicious). When a request's score exceeds certain thresholds, the WAF can either generate an alert to a security analyst or automatically block that traffic. We typically perform automatic blocks at 80 to 85, depending on the application. Example of risk scoring before training Example of risk scoring after training In the screenshots above, note that telnet.exe was part of the training, hence a score of 100%, but telnet and ftp were not, and they were still flagged, correctly, as malicious with 80% scores. So, what happens when the WAF sees a completely new request, as in the case of a zero-day attack, and says, "I'm not sure if this is good or bad?" The machine learning engine is able to flag this traffic and alert an analyst to make a decision on what it is. And after the analyst makes that decision, the next time the request happens, the WAF will know what to do, because it has learned. Organizations typically have to manually configure their WAF to recognize and respond to newly identified threats -- a process known as WAF tuning. Machine learning makes this process much more efficient and effective. The Oracle WAF has more advanced capabilities than others in the market when it comes to anomaly detection and scoring. We analyze information in request headers, the IP address, content and language of requests, and other factors in determining risk scores. Additionally, the machine learning engine considers data from our classic rule-based WAF; if a request does not appear to be malicious based on the engine's learnings, but similar requests resulted in rule-based alerts in the past, that could increase the request's risk score. Example of a malicious application attack (legitimate traffic in green, attack traffic in red), flagged by the Oracle WAF The training of machine learning engines is extremely important. If, by mistake, you tell the engine that a specific attack is good, it will always identify that attack as good and not block it. You must also train the engine to recognize good and bad traffic for each particular application, because what looks like suspicious activity for one application may be completely normal behavior for another. This training is done on an individual customer basis at the time of deployment. Large enterprises and other organizations with strict security and compliance requirements are typically the customers that take advantage of these capabilities today, but we expect others to follow suit as web attacks become more prevalent, more varied, and more malicious. Gartner, Magic Quadrant for Web Application Firewalls, Jeremy D'Hoinne, Adam Hils, Ayal Tirosh, Claudio Neiva, 29 August 2018 Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Gartner named Oracle a "Visionary" in its 2018 Magic Quadrant for Web Application Firewalls (WAFs). This post will spotlight the Oracle WAF's visionary use of machine learning to assign risk scores to...

The whole of your security portfolio should provide significantly more value than the sum of its parts. The challenge facing security professionals seems to grow bigger and more complex by the hour. New threats and risk factors are constantly emerging while the IT landscape continuously evolves. At times, it feels like we’re patching holes on a moving target that’s endlessly shape-shifting. One of the major contributing factors to those feelings of chaos and disorder is the sheer quantity of security products that we rely on to cover our vast IT landscapes. The Oracle and KPMG Cloud Threat Report 2018 found that cybersecurity professionals manage an average of 46 different security products. 7% of respondents reported being personally responsible for managing over 100 different products. 100 different security products! I don’t imagine that those folks can possibly have a complete understanding of what’s happening across 50 or 100 different security products or what value each of those products is contributing to reducing their risk. This quantity of products alone contributes to the overall challenge in several ways, including: Product Overlap: Security products often have significant functional overlap. In an environment with several security products, it quickly becomes unclear which product will answer which questions. The result is wasted time and effort and longer delays getting critical answers. When addressing an on-going attack or a breach, the speed of the response effort is critical. The longer it takes, the broader the damage will be. Skills Shortage: Organizations spend too much time finding or developing talent across security products. It’s rare for security professionals to have the exact mix of skills and experience that an organization needs. And with an on-going skills shortage, it’s difficult to retain top talent over long periods of time. Again, not having the right expertise in place means that you’re more likely to miss the signals of developing attacks or on-going breaches and to demonstrate longer response times to security events. Delays in Addressing Gaps: Nobody likes wasted money or shelfware. When a gap is found in an organization’s security posture, security professionals are less likely to find and deploy the right solution if they have numerous other security solutions in place that may (or may not) fix the problem. Of course, without a complete understanding of where the limits are on each of those products, it could take months to sort through them and to formulate an approach. It’s the classic human response of freezing in indecision when there are too many factors to consider. When it comes to addressing information security issues, the last thing you want to do is freeze. So, what can be done and how can we address the issue? Here’s the good news: Security solutions are evolving toward cloud, toward built-in intelligence via Machine Learning, and toward unified, integrated-by-design platforms. This approach eliminates the issues of product overlap because each component is designed to leverage the others. It reduces the burden related to maintaining skills because fewer skills are needed and the system is more autonomous. And, it promotes immediate and automated response as opposed to indecision. While there may not be a single platform to replace all 50 or 100 of your disparate security products today, platforms are emerging that can address core security functions while simplifying ownership and providing open integration points to seamlessly share security intelligence across functions. For example, you know that you need an identity and access component for addressing access management needs across numerous SaaS applications and IaaS services. And you need a Cloud Access Security Broker (CASB) to scan SaaS applications and Cloud Infrastructures for insecure configurations and to monitor user activity. But, for the most part, these functions are silo’ed today. One doesn’t talk to the other. But they can. And they should. Understanding what a user is doing across cloud applications (visibility often provided by CASB) enables you to create a risk score for that user that can then be used by the Identity function to make decisions and take actions such as stepping up authentication, requesting approvals, initiating an access review, or denying access. Understanding that a target system’s configuration was modified recently or that it doesn’t conform to the organization’s security policies also increases risk. And there are numerous sources of additional risk data: identity, CASB, security configuration scanning, SIEM, UEBA, external threat feeds, session context, etc. Forward-looking security platforms will leverage hybrid cloud architecture to address hybrid cloud environments. They’re autonomous systems that operate without relying on human maintenance, patching, and monitoring. They leverage risk intelligence from across the numerous available sources. And then they rationalize that data and use Machine Learning to generate better security intelligence and feed that improved intelligence back to the decision points. And they leverage built-in integration points and orchestration functionality to automate response when appropriate. In other words, your security platform should serve as a central brain that doesn’t only import the various security data points but also makes sense of it without relying on human eyes to catch potential threats. And it adds intelligence, identifies patterns, recognizes anomalies, and responds appropriately and within seconds. This is much more advanced than the old SIEM model which simply aggregates data from numerous sources and tries to raise alerts for humans to evaluate. This is a system that thinks for you and leverages advanced analytics to make decisions across those numerous disparate systems. It’s a cloud service so you don’t need to administer and manage it. You become a user; a consumer of its benefits rather than a caretaker. And the result is much more value and further reduced risk than you’d get from the parts alone. To learn more about challenges organizations face today and how new technologies and strategies help enable innovation, register for Oracle OpenWorld 2018 and visit the Oracle Cloud Security page for more information. 

The whole of your security portfolio should provide significantly more value than the sum of its parts. The challenge facing security professionals seems to grow bigger and more complex by the hour....

In recent years, security has gone from cloud objection to cloud benefit. In fact, according to the Oracle and KPMG Cloud Threat Report 2018, 83 percent of respondents to the report’s survey said they believe their cloud service providers’ security is as good or better than their own. While this growing confidence bodes well for an increasingly cloud-enabled world, companies would be wise not to drop their guard when it comes to security. Bad actors of all kinds have found ways to exploit weaknesses in your security posture—most notably, in the customer’s end of the shared responsibility model. Recently, my co-author on the Oracle and KPMG Cloud Threat Report 2018, Brian Jensen from KPMG and I discussed some of the top attacks and pitfalls that companies are falling prey to. Phishing At its core, phishing in all its forms is a social engineering attack designed to create fear, uncertainty, and doubt. And even the best of us have been suckered by a phishing attack at one point or another. The main goal here is to get credentials by tricking the user into handing them over. A phishing email might say “Click here to learn about the audit problem we just discovered,” then take the user to a fake website where they have to log in. Or it might have a malicious attachment or link. But once they have those credentials, the attackers have free rein inside the system. As Brian noted during our conversation, what makes phishing so successful is that not only have we moved some of our most valuable information outside the firewall, but that many of our core business applications are similar across companies. “This leads to a one-two-three punch. Phishing is easy. The data is outside the firewall. And everything is pretty much the same. So, once I identify a pattern as a breacher, I can do it over and over and over again,” Brian said. According to the Oracle and KPMG Cloud Threat Report, 55 percent of survey respondents have experienced phishing. Malware and Ransomware Phishing can often be a vehicle to unload malware onto a system. The Oracle and KPMG Cloud Threat report noted that of all their expected security concerns during the next 24 months, four of the top five have to do with malware. One of the common forms of malware that we see is ransomware, where the victim is locked out of their system until the attacker is paid some sort of fee, usually in the form of bitcoin. This form of attack can wipe out an organization and leave it without a way to recover its information. Configuration Another way organizations put themselves at risk is by not having proper controls around cloud configurations. In fact, 45% of respondents to the Cloud Threat Report survey said they had experienced one or more incidents where the attacker exploited an unpatched vulnerability—either known or unknown. These unpatched gaps are especially dangerous because the attacker can wreak havoc on an organization (or multiple organizations using the same vulnerability) until it’s patched. The problem here, as Brian noted during our conversation, is that companies don’t have a good framework for (1) knowing that they’re using cloud, (2) categorizing the type of cloud they have, (3) having an understanding of the shared responsibility model for that cloud instance, (4) framing the configuration model, and (5) monitoring and patching it. To be fair, this is no easy task. The number of people and details involved make separating responsibilities and defining processes a real problem. But it’s a problem that needs to be solved if you want to secure your organization. Protecting Your Organization from These Pitfalls Of course we all want to protect our organizations, but buying the right tools is only a third of the answer. What it really takes is a focus on your people, your processes, and then your technology. In terms of people, organizations need to make sure their people are properly trained. All of your general users need to know the basics behind identifying a phishing attempt. But more importantly, cyber teams, email teams, and application teams need to be trained correctly on how to maintain configuration and compliance. Next, there needs to be a process behind everything. If you have a system that has stayed unpatched for the last two days, what’s your process? If you’re introducing a new cloud application, what’s your process for making sure it’s secure? This can be one of the hardest aspects because it requires communicating and establishing agreed upon actions across departments. But it’s also the most necessary. And lastly, you have technology. And that’s the part where Oracle does a really good job. We provide some excellent technologies for securing your cloud investment. At the end of the day, people’s confidence in the cloud isn’t misplaced. Organizations just need to adjust their thinking to protect themselves from evolving threats. For more on this topic, join us for our webcast Keeping Security Pace at the Speed of Emerging Technologies - Register here.

In recent years, security has gone from cloud objection to cloud benefit. In fact, according to the Oracle and KPMG Cloud Threat Report 2018, 83 percent of respondents to the report’s survey said they...

Monitor and Secure Your Systems You have made the business decision to outsource database administration, including some or all of your IT organization.  Yes, you can save money, but it comes with a lot of headaches and frustration when you can’t get tasks turned around fast enough.  Contract vendors have strong SLAs for what they will and will not do. This makes troubleshooting systems that span different domains very difficult.  The DBA always says the database is fine. The system administrators say the hardware is fine. The developers say their code is fine. But for some reason authentications have slowed down by 200% in the core application that drives your business. Unfortunately, your vendors won’t give you database accounts or access to logs. What’s a DBA to do? Gain Access to All Logs To gain increased visibility, many customers turn to Oracle Management Cloud (OMC). OMC is a cloud service that can consume any log on premises or in the cloud.  OMC leverages a Big Data backend so you are not limited by the volume of data you send to your tenant.  You will have a User Interface for all logs in your ecosystem.  But that’s just the beginning.  It has a sophisticated parsing engine leveraging Machine Learning and End User and Entity Behavior Analytics (UEBA) to learn what is normal and what is not.  OMC clusters like patterns of problems across your entire ecosystem to present the health of your servers, databases, and applications in one user interface. You have 100% control to view the logs with full dashboarding and drag and drop query capabilities.  Oracle is in the unique position to perform this type of analysis as our products include Cloud Services, Hardware, Operating Systems, Databases, and Applications.  Oracle owns Java, which makes us uniquely qualified to understand Log4 J.  Working with our application teams, OMC gives intelligent views into Oracle Applications such as EBS, Seibel, Peoplesoft, and even SAP.  Remember, any log any system. The screenshot below is a summary of the different options you can enable in OMC. Application Performance Monitoring (APM):  Oracle’s APM for Peoplesoft, Java, .Net, Node JS, Ruby, Docker, and Mobile Applications including both Android and Apple platforms that will diagnose performance bottlenecks in your code and system performance in your Application Servers. Infrastructure Monitoring:  The ability to view the health of your eco-system. Log Analytics: Provides a user interface for your logs. Log Analytics has the ability to cluster errors and categorize them into common and uncommon events (which tend to be the source of problems).  It is much easier to troubleshoot when you can view the logs for the operating system, database, application and WebLogic in one user interface. IT Analytics:  IT Analytics provides the ability to look across your applications, webservers, databases, operating systems, and servers to get a comprehensive perspective on the current state of performance, availability, and utilization.  and leverages Machine Learning to forecast capacity requirements.  It answers tough questions – such as “when will I need more disk, CPU, memory, etc.” – that allows you to get ahead of potential problems and bottlenecks instead of just reacting when things go wrong. Configuration and Compliance:  The ability to baseline your configurations and if desired the ability to provision back the desired configuration.  Would you like to know if someone accidently created an unencrypted s3 bucket in Amazon Block Storage? Orchestration:  Think of it as a scheduler for your IT ecosystem.   You can also attach fix jobs to break fix events in OMC.  For example, if a database comes back with 90% storage is taken, OMC can fire a job that will increase space by 25% or maybe you want to automatically restart your WebLogic servers if they shut down.  I won’t go so far to say the database will be 100% self-healing, but it is kind of like self-driving cars - you would not have it drive you to the airport - but, helping you stay in the lane and emergency breaking is helpful.  Automation for your databases is on the way and can definitely cut down on the support tickets you create, which costs you money. Security Monitoring and Analytics (SMA): Perhaps the most important of all, SMA will help you audit your contract vendors.  Oracle now has a SIEM (Security Information and Event Management System) with machine learning and UEBA incorporated so you will have complete visibility to your IT ecosystem. SMA can leverage Identity Management, Oracle’s CASB, Audit Vault Database Firewall (AVDF) that will fulfill the complete picture to your Identity Security Operations Center (SOC) for both on premise and Cloud environments.  The Big Data backend also makes it okay to send database events to your SIEM. OMC can take the load unlike traditional SIEMs in the market! OMC is one application that provides the ability for rapid troubleshooting, application performance monitoring and the baseline for your Security Operation Center spanning both your on premises and cloud systems.  It will allow you to reclaim your systems by gaining the visibility you desire on your IT systems, so you can take advantage of the cost savings outsourcing parts of your IT organization.  And if you do not outsource your IT organization, OMC is an excellent tool to minimize downtime, learn predictable performance behavior, and bring UEBA into your SIEM and Security Operations Center. Take a moment to explore how OMC could be a great fit for your organization.         

Monitor and Secure Your Systems You have made the business decision to outsource database administration, including some or all of your IT organization.  Yes, you can save money, but it comes with...

It's that time of year again! Oracle OpenWorld 2018 is less than two months away. Has your organization registered for the event? Every year, more than 60,000 attendees from over 145 countries attend Oracle OpenWorld. It is a great opportunity to learn the latest and greatest news in emerging technologies, learn new feature functionalities, collaborate with partners, and share ideas with industry peers. This year a pass to Oracle OpenWorld will give you and your colleagues access to 2,200 sessions and over 300 partners. This year's event takes place at San Francisco's Moscone Center from October 22nd-25th.    If you are considering attending OpenWorld this year, but are still in the final decision making stage, here are 5 reasons why it is absolutely essential to attend: Attend 2000+ sessions focused on solving business and IT problems OpenWorld sessions cover a wide range of topics. Keynotes from Oracle executives, Technical presentations, as well as sessions featuring Oracle Customers, such as, Tips and Tricks for Security Cloud at Scale. Help your company keep pace with cloud innovations According to the recent Oracle and KPMG Cloud Threat Report, 90% of respondents say at least half of their cloud data is sensitive information. As cloud becomes commonplace in technology, it is important to fully understand every aspect of the cloud and how to make the best decisions when choosing a Cloud Service Provider (CSP). CSPs are often not clear about their security offerings and what your responsibilities are as a customer. At OpenWorld, you can gain a better understanding of emerging technologies in the cloud and which of these technologies are the right fit for your IT environment Network with your peers and share innovations Every company has a unique structure, but there is definitely something to be said about the power of collaboration. OpenWorld is a great opportunity to meet and mingle with industry peers. Learning about common technologies and strategies for strengthening security, reducing cost, or improving innovation. Enjoy all the entertainment the conference and San Francisco has to offer If the exciting technology news is not enough to convince you, consider this: there is never a dull moment at OpenWorld. Attendees have a long list of choices for activities, socializing, and exploring. Oracle, partners, and sponsors put on receptions for OpenWorld attendees each evening of the conference. This is a great opportunity to get a more in-depth view of their offerings and ask any questions you may have in a smaller setting. It is also a change to network with peers and catch up with your colleagues who may have attended different sessions. Wednesday night is CloudFest 2018, each year, customers with a ticket to this event are in for a special treat. Concert goers in the past have danced the night away to performers such as Sting, Elton John, and Maroon 5. Although the lineup for this year has not been released, it is sure to be a crowd-pleaser. Save on early registration and group rates If you are now planning to attend, be sure to register for OpenWorld early to take advantage of the $200 savings. Additionally, government employees and large group rates are available to companies looking to send large teams!   If you are curious about what you missed at OpenWorld 2017, take a look at some of the highlights and start to imagine all of the great opportunities you can explore this year. We hope to see you at OpenWorld 2018, don't forget to register early!

It's that time of year again! Oracle OpenWorld 2018 is less than two months away. Has your organization registered for the event? Every year, more than 60,000 attendees from over 145 countries...

Organizations are increasing their cloud adoption, but they aren’t necessarily keeping pace with their security practices. Every year Oracle and KPMG collaborate on the Oracle and KPMG Cloud Threat Report, a survey of cybersecurity and IT professionals from private- and public-sector organizations about their public cloud usage and cybersecurity products and services. In 2013, 57 percent of our respondents said they were using public cloud services. Today, that number has jumped to 85 percent. While people are feeling more confident than ever about security in the public cloud, many organizations are putting themselves at risk by making a handful of common mistakes. I’ll outline each of the main pitfalls below, but for more detail on what’s causing these mistakes and pointers on how to remedy them, don’t miss our on-demand webcast “Sharing the Cloud Security Responsibility and Mitigating the Top 5 Risks.” Mistake #1 Lack of Responsibility When you adopt a cloud service, it’s tempting to think that they’ve got security covered. Sure, they’re probably taking care of some of it, but there are certain things that they just can’t be responsible for—like how careful your employees are with their credentials. The division between what you’re responsible for and what your cloud provider is responsible for is an important one to iron out with your cloud provider to ensure that there aren’t any gaps. In the Cloud Threat Report, we found that only 43 percent of organizations could correctly identify the most common IaaS shared responsibility model. Knowing what your responsibilities are is the first step to fulfilling them and keeping your organization protected. Mistake #2 Lack of Training One of the most common ways an organization can be breached is through the average employee. The number 1 and 2 most common attack vectors are phishing scams, and all it takes is one person making one mistake to expose your company. In this case, it’s training (and not some fancy tool) that will make the difference. Mistake #3 Lack of Automation The number 1 challenge for security organizations is being able to detect and react to cloud threats. In the Cloud Threat Report, only 14 percent of respondents said they were able to analyze all of their relevant security event and telemetry data. This lack of insight usually happens because cloud services are rolling out faster than SecOps can support them. In order to combat this problem, organizations need to remove manual processes and introduce more automated responses to risks. We’re past the point of hiring our way out of this problem. There just aren’t enough of us. We need assistance in the form of automation. Mistake #4 Lack of Compliance Organizations are struggling with not only how to meet, but also maintain their compliance requirements globally. A key distinction that companies often miss is that compliance doesn’t necessarily mean security. Compliance is primarily about data confidentiality, integrity, and making data available. You can be compliant and still get breached. Still, it’s difficult to meet your compliance goals if you don’t have an expert heading up the charge. You really need somebody who knows their stuff, can see the whole picture, and can determine how your organization can best tackle its compliance responsibilities. Mistake #5 Lack of Leadership It’s become a real struggle for security teams to rein in lines of business who think they can get their cloud services out “faster” if they skirt the security process. These projects often hit a snag when their owners realize that they have to meet the company’s security requirements. One of the reasons this happens is that lines of business don’t see how involving security operations early is actually an advantage for them. The key here is leadership. By having someone who can help internal groups see an efficient path to deployment and check all the necessary boxes, organizations can both protect themselves and get what they need sooner. Ultimately our confidence in the cloud is well placed. All we have to do is update our thinking to match our technology. For more detail on these mistakes and how to avoid making them, see our on-demand webcast “Sharing the Cloud Security Responsibility and Mitigating the Top 5 Risks.”  

Organizations are increasing their cloud adoption, but they aren’t necessarily keeping pace with their security practices. Every year Oracle and KPMG collaborate on the Oracle and KPMG Cloud Threat...

In today’s changing threat landscape, organizations need to make smart and innovative decisions in order to stay a step ahead of cyber threats. Organizations utilizing innovative cybersecurity best practices in their hybrid environments are able to effectively keep pace with the ever changing security and compliance landscape. Oracle offers a suite of security cloud and on-premises solutions that enable customers to implement and manage consistent security policies across the hybrid data center. A challenge for one customer, UBI Banca, was complying with GDPR while maintaining excellent customer experience for their different types of clients. They selected Oracle CASB Cloud Service to enable them “to detect and respond not only to potential threats but also data leakage and to better meet [their] regulatory requirements”. This Italian banking group was able to achieve a 50% reduction in time to discover new security threats and an 80% reduction in manual investigation time for security incidents with Oracle CASB Cloud Service. For Pragmatyxs, a solution provider based in Seattle, security was a primary concern since many of their customers are in highly regulated industries. Pragmatyx opted for Oracle Identity Cloud Service (IDCS) to protect their data. With Oracle IDCS, Pragmatyxs has been able to take advantage of global SSO capabilities to manage users globally within a unified dashboard, easy integration within Oracle cloud ecosystem, and much more. Overall Pragmatyxs was able to maximize value while minimizing cost and time spent. You can learn more about how Oracle Identity Cloud Service and Oracle CASB Cloud Service helps customers secure their cloud environments at Oracle OpenWorld this year. Troy Kitch, a Sr. Principal Director for Product Marketing at Oracle, will lead a customer panel on how Oracle security helps organizations “face external cyber threats, internal fraud, and the growing complexity of regulatory compliance regulations”. You don’t want to miss this session - Customer Panel: Tips and Tricks for Security at Cloud Scale. To attend Oracle OpenWorld (and this session), register here.

In today’s changing threat landscape, organizations need to make smart and innovative decisions in order to stay a step ahead of cyber threats. Organizations utilizing innovative cybersecurity best...

Everyone with even a mild understanding of cybersecurity knows that the threat landscape is evolving and growing ever more complex by the day. The accessibility of the Dark Web has made advanced threats readily available to anyone with the cash and desire to steal data and inflict harm. “Set and forget” solutions and mentality will not keep an organization safe in this reality. Supplementing your in-house security team with an augmented on-demand security operations center (SOC), combined with a modern, cloud-based application security solution, is the new imperative for a robust cybersecurity posture. SOC skills in high demand  Every organization needs highly skilled cybersecurity talent, but let’s be honest, it is not an equal opportunity market. Companies like Google and Facebook can recruit top talent with attractive packages and perks, but where does that leave everyone else? Many companies now generate significant revenue streams and store large amounts of highly sensitive data that make them targets for attack. Smaller third-party organizations, which probably don’t have large security teams, act as go-betweens for larger companies that do, like production houses or law firms. No matter how small you think you are, lacking resources is not an excuse. Even if you do have the budget and in-house talent, an external, supplemental SOC provides a valuable second set of eyes on your security. Some of the largest breaches we’ve seen recently were a result of human error, such as not updating a policy or patching a server. An external team, working to provide oversight and an outsider’s perspective, combined with a cloud-based application security platform will add an extra layer of protection and supervision. Harness the latest technology The quality of a SOC is no longer measured by the number of bodies in seats but by the caliber of its technology. An external security team should be using the latest advances in technology and methods such as cloud-based solutions utilizing machine learning and automation. Many solutions, particularly those that are on-prem, require someone to come out to your site, set up the hardware and train someone on your team how to use that hardware. This process can take months, and by the time it’s completed, the solution may already be outdated and a couple months after that, the one person on your team who knows how to use it may be moving on. We believe that the solution provider should also be able to provide onboarding and continued management through an external SOC that use modern, cloud-based and agile application security solutions that scale and integrate as your company grows. Automation is key Automation is a key component for a robust external SOC. Many alerts don't need to be treated by humans. They can be treated directly by an advanced solution’s security engine, which uses machine learning and other techniques to monitor, classify, and escalate incidents. Human intervention occurs when the machines say, "Dear human, I haven't seen this one before. I need some help to understand what is happening." That way, SOC analysts can focus on these alerts rather than spending their time tuning. This also helps eliminate false positives and the draconian measures taken to avoid them. It’s really as simple as that. Automation does not have to mean complication. This is not science fiction - the machines are not going to rise up and do everything, they are an extension of the security team in the same sense as an external SOC. Because monitoring and alerting of low-level incidents is automated, the human security analysts must be of a very high caliber. When alerts come to them, they have to react quickly and treat each one as a legitimate threat. They have to discover, analyze, and respond -- and they have to do it very, very fast with the tools and knowledge to thoroughly investigate and mitigate. For these reasons, a SOC analyst is one of the most difficult people to find in cybersecurity today. A solution that provides managed services can share its analysts' expertise with customers that would otherwise be unable to recruit or retain that level of talent.  Bucking the trend  Despite these benefits, some organizations are hesitant to augment externally their SOCs or bring in outside talent to supplement their own. It goes against conventional wisdom.  Security is typically the most conservative department within an organization. Traditional thinking says if there is an attack, they are the ones who are responsible – and perhaps the only ones to know. An augmented SOC provider needs to win their trust. As the threat landscape continues to evolve, more and more organizations must embrace this approach and realize that truly strong protection includes an external extension of the SOC, with modern, automated and almost always cloud-based application security platforms.

Everyone with even a mild understanding of cybersecurity knows that the threat landscape is evolving and growing ever more complex by the day. The accessibility of the Dark Web has made...

On August 28 in Washington D.C., presenters from Oracle will be on hand at DGI 930Gov to deliver key insights on some of the most pressing government IT issues. Here’s what we’ll be talking about.

On August 28 in Washington D.C., presenters from Oracle will be on hand at DGI 930Gov to deliver key insights on some of the most pressing government IT issues. Here’s what we’ll be talking about.

When I started working in IT security many years ago, it was a very different world to what it is today. For example, Identity and Access Management platforms were extremely new. It was back in the days when companies such as Netegrity, Oblix, and Thor were still in their early days. Centralised IAM was still a vision for many organisations. In fact, most average-sized companies hadn’t even realised they needed single sign-on, never mind actually having a plan or project to deliver it. The reality was that each application had its own user store with its own password, and roles and privileges were handled in each application silo. Remember, this was before the days of standards we have come to take for granted, like SAML. Then we moved to a more platform-based, especially around middleware. IAM as a platform started to gain adoption. Companies recognised the importance of centralising IAM, either because of internal transformation programmes, risk, or regulation. Whilst some organisations never quite reached the nirvana of a fully-integrated IAM platform, completely automating their joiners, movers, and leavers, handling certifications, and segregation of duties etc, many did (and continue) to get value from their IAM platform. I use IAM as the example but this has spanned many areas of security as companies moved from silo’d solutions to enterprise class solutions. There are well recognised benefits to moving away from silo’d solutions to more centralised, enterprise class capabilities across many areas of security. However, it seems that Cloud may be in danger of undoing much of that thinking and evolution. We know that organisations are using an average of 6 cloud providers to run their workloads (State of the Cloud – Right Scale, 2016). This fits well with the cloud model of picking the best place to run different workloads. However, the challenge is that each of these cloud providers come with their own set of security controls and capabilities. In many cases, those security tools and capabilities are specific to that cloud provider’s services. This isn’t a lack of foresight on the cloud provider, but, in most cases its by design. For example, Amazon provides IAM capabilities for managing users and their access to AWS. That isn’t an enterprise IAM capability; it is specific to AWS. As Amazon’s website states:   “Use AWS Identity and Access Management (IAM) to control users' access to AWS services. Create and manage users and groups, and grant or deny access.”   There are lots of other examples of this both within Amazon and other cloud providers. Take threat detection as another example, as Amazon states:   “Amazon GuardDuty is a managed threat detection service that provides you with a more accurate and easy way to continuously monitor and protect your AWS accounts and workloads.”   Microsoft takes the same approach for threat detection: “With Azure Security Center, you get a central view of the security state of all of your Azure resources.”    I understand their rationale for doing this, focusing on delivering capabilities for their own cloud platform, and in some cases such as IAM, it would be impossible to provide a cloud service without delivering such a capability. However, in today’s market, where organisations are taking services from multiple cloud providers, this means that companies are being forced to move back towards a silo’d aproach to security, having to configure and manage the same security capabilities separately in each cloud provider’s platform. Security is all about bringing together knowledge to gain greater insight and intelligence into threats, risks, and attacks. It’s hard to do that from multiple, silo’d platforms. That’s before we even consider the increased cost and complexity associated with managing multiple silo’d solutions. Therefore, it’s important when you are looking at security capabilities from cloud providers to understand how much coverage they give you across your entire estate, not just for that cloud provider, but across all of your cloud providers. We need to ensure that we don’t go back to individual security silos or we are making it too easy for the bads guys to win. Here at Oracle we are working hard to deliver a cloud security portfolio that is heterogeneous and will support you and your organisation in delivering security solutions which work across your multiple cloud providers, whether SaaS, PaaS, or IaaS, whilst not forgetting about your existing non-cloud estate. Head over to the Oracle Cloud Security website if you want to learn more.  

When I started working in IT security many years ago, it was a very different world to what it is today. For example, Identity and Access Management platforms were extremely new. It was back in...

Whether driven by regulations such as GDPR, increased scale of data breaches, industry best practice, risk assessments, or migration of sensitive data to the cloud, the topic of data security is never far from the minds of CISOs and security teams within organisations. A common topic raising lots of questions for me at the moment is how secure my sensitive data is within the Oracle Cloud when using services such as Database Cloud Service (DBCS). This sensitive data could be financial data, personnel data, patient data, or intellectual propery. Irrespective, my answer is simple. “It is at least, if not more, secure than it currently is in your on-premise database”. This surprises many people due to the continued mis-perception that the cloud is always less secure than a database sat behind an organisation’s own firewall. However, when, according to Verizon's 2018 Data Breach Investigation Report, 28% of attacks involve an insider, this still poses a significant risk. Therefore, I wanted to take a bit of time to explain the rationale behind my response and how I justify it. There is no single, silver bullet for securing your data within a database. Ask any security professional and they will tell you that there are many attack vectors and threats, requiring a range of different mitigating controls. Those controls can be a mix of technical controls or manual controls, always combined with the associated processes. For example, you can’t have encryption if you don’t have key management processes. Looking at the technical controls, they are a mix of out-of-the-box controls available within a core database system, as well as (usually chargeable) security add-ons. For example, within the Oracle Database, figure 1 below shows some of the standard security capabilities built into the Oracle database.                               Figure 1 – Standard Oracle Database Security Capabilities In addition to the above standard security features, Oracle provides a wide range of additional security options to provide a further level of mitigating security controls. These include those shown in figure 2 below. Figure 2 – Oracle Database Security Options Why is this relevant to putting sensitive data in the Oracle cloud and specifically DBCS? Simple, the Oracle database is the Oracle database. It is the same database regardless of whether you are using it on-premise or in the Oracle Cloud as DBCS. It is the same product with the same set of standard security controls and security options. You don’t have to buy a different set of products or make any changes to your database or security tools as there is no difference. Similarly, there are no new skills to master for your DBAs and security teams. What’s more, I said in my opening statement that Oracle DBCS is “at least, if not more secure”. How do I justify that? When you install the Oracle database yourself on-premise (or in another cloud provider), you have to buy all of the additional options that you identify a requirement for from figure 2. Once purchased, you have to configure them. However, within DBCS we already configure and include some of those for you. For example, regardless of which DBCS edition you choose from, at-rest encryption is enabled by default for all database instances. If you choose Enterprise, High Performance, or Extreme performance editions of DBCS, additional security options like Privileged User Control (Database Vault), Data Masking and Subsetting, and Label Security are also available to you. This means, through inclusion of capabilities like at -rest encryption by default, in many cases you will already be starting off with a more secure baseline than you have on-premise. Of course, you can have the best products with the best security tools, but if you mis-configure them, or even worse, don’t configure them at all, then you might as well not have them. I can buy the best firewall in the world, but if I put a rule allowing any source to access any destination on any port, then I’m asking for trouble (please don’t try that). Unfortunately, this is something we see far too often and are trying to educate our Oracle database customers on how to make their databases more secure. Within Oracle’s Solution Engineering team (the team I work in), we offer free of charge database security risk assessments to our customers, where we run an assessment to understand the current security status of one or more of your key databases. We then provide recommendations and an action plan to help you become more secure. One of the really interesting observations from my perspective, is that we are seeing evidence that there is often a lack of basic security. Just to be clear, this isn’t about selling as many database security options as possible, it’s about getting the basics right. More often than not, the standard database tools aren’t being used correctly, or indeed at all. Here are the most common mistakes we see over and over again: Sharing passwords No logging Poor patching No encryption Excessive privileges For more details, check out this video. Therefore, when considering security of your sensitive data in the database, make sure you have the basics right. If you need help, reach out to us. This applies equally to your on-premise databases as it does to your cloud databases. Remember, it’s the same product! Finally, if you think that your organization could benefit from a Database Security Risk Assessment, please reach out to me or your local Oracle contact. Alternatively, if you want a more lightweight approach that you can run yourself, please download the excellent, free Database Security Assessment Tool.                      

Whether driven by regulations such as GDPR, increased scale of data breaches, industry best practice, risk assessments, or migration of sensitive data to the cloud, the topic of data security is never...

Back again by popular demand, Oracle is once again re-introducing the Oracle Cloud Security Day series to a location near you! Organizations are being impacted more than ever by common mistakes as they lift and shift their workloads and programs into the cloud. Answering the common question of "How secure is the cloud" is an half-day event that dives into the common mistakes organizations are making as they engage in their new cloud journey, and share some of the best practices these organizations are now taking to overcome the increased risk.  The morning session will focus on real-world, high-risk use cases, led by Oracle and KPMG Security specialists. In the afternoon session, Oracle experts will help guide you through a hands-on test drive of Oracle Security and Management cloud services against some of these high-risk scenarios.  Attendees will also gain a deeper understanding on the risks and threats to cloud, identified in this years Oracle and KPMG Cloud Threat Report. At the end of the test drive, attendees will understand basic concepts and be provided hands-on exposure to: Top 5 security threats impacting enterprise cloud Oracle Cloud Security and Management Services that prevent and remediate real world threats Hands-on test drive of Oracle Security and Management Cloud Services Find your city below for full session description, agenda and dates: Seattle, WA                  8/21/18 Houston, TX                 8/23/18 Minneapolis, MN         8/29/18 Atlanta, GA                 9/25/18 Denver, CO                  9/27/18  

Back again by popular demand, Oracle is once again re-introducing the Oracle Cloud Security Day series to a location near you! Organizations are being impacted more than ever by common mistakes as...

It's 2018 and technology continues to evolve at a rapid pace. Unfortunately, many organizations haven't seemed to figure out how to fend off attacks and they just keep coming. As noted in the new Oracle interactive Ebook, Intelligent, Automated Security, companies are battling a relentless struggle against highly motivated adversaries. Organizations are scrambling to find new, cost effective ways to transform their business - security needs to be at the forefront of that strategy. New threats are emerging, technologies using machine learning, AI, and bots can all be used maliciously. These attacks can cost organizations millions of dollars and damage customer trust. There is a heightened sense of urgency as many IT organizations realize their traditional security solutions are no longer keeping pace with the current threat landscape. Threats continue to pour in, while organizations struggle to keep adequate expertise on hand.  For example, many teams are experiencing alert fatigue, a concept detailing missed malicious attacks due to the sheer number of false positive alerts from siloed systems. In a recent survey, 42% of respondents reported ignoring a significant number of alerts because they simply receive more than they could handle. In response to this, Oracle is taking a new approach to security. Oracle's Identity-based Security Operations Center (SOC) enables organizations to manage authentication, assign risk scores, and automate remediation across your environment. All without human intervention. Every IT organization is unique and with Oracle's comprehensive suite of technologies - you have flexibility and choice. Understanding common challenges and how organizations defend themselves is crucial. Read the new Oracle Cloud Ebook Intelligent, Automated Security,  for more information on the current threat landscape and Oracle's approach to securing hybrid clouds. This interactive book takes you on a journey through some of the most pertinent topics in cybersecurity. It is also a great opportunity to hear directly from customers and experts in your industries on how they have used Oracle Cloud to innovate their business.

It's 2018 and technology continues to evolve at a rapid pace. Unfortunately, many organizations haven't seemed to figure out how to fend off attacks and they just keep coming. As noted in the...

Did you know Oracle has one of the biggest security practices in the United States?  When you think about breach remediation, your first thoughts may be FireEye or PwC, but the reality is, once you get past the network tier, Oracle takes over because our technologies are usually in place in the Web, Application and the database tiers. In the end, hackers are after data in databases.  Many times, hackers are not even attacking your systems; they are hacking your people.  Do you think your employees are up to the task to stop a cyberattack? If hackers can penetrate the most secure organizations in the world, then they no doubt circumvent your organization’s security controls to get inside of your company. As companies continue to battle against attacks, Oracle is working to provide customers with solutions to strengthen security. One valuable service Oracle provides is the Database Security Risk Assessment (DBRA) where we will ensure you are configuring your databases to reduce security risks.  We will also demonstrate how a threat actor could potentially hack your organization.  We have been providing this service for the last 7 years and it is a very mature program.  Along with the DBRA, Oracle provides the Cloud Security Assessment (CSA) which extends the DBRA into your Cloud Platform. In a Cloud Security Assessment, we will evaluate your current cloud security posture.   Leveraging our Cloud Access Security Broker (CASB) and Oracle Management Cloud (OMC), we can calculate a risk score for every user accessing your Cloud environment to give you visibility into who is accessing your Cloud environment and what actions they are taking. We can also give you insights into the health of your infrastructure and understand the patterns of your workload and what to expect in the future in terms of performance and reliability. Your security responsibilities will differ depending on your SaaS, PaaS or IaaS deployment.  Various public clouds have different security capabilities, it is important to understand what you are receiving from a cloud service provider (CSP). The following questions are important to consider when selecting a CSP and while evaluating your environment:  Does your CSP encrypt data at rest and in-flight? Do they offer both stateful and stateless firewalls? Do you have a Firewall in front of your Systems?  A Stateful Firewall?  Can you implement Network Address Transaction (NAT)?  Have you implemented multi-factor authentication?                                                        As an Oracle customer, the first step is to download the DBRA. Once enrolled, we can provide you with a report on your environment detailing the following 6 domains: data privacy, controlling access to data, systems health, user management, configuration and auditability/visibility. How do you feel about your Cloud Security Architecture?  As shown in the image above, do you think the dials of your report will be all green, indicating low risk?  If not, schedule a Cloud Security Assessment and improve your security to where it needs to be.  It's free program for Oracle customers and takes about 2 days of your time.  

Did you know Oracle has one of the biggest security practices in the United States?  When you think about breach remediation, your first thoughts may be FireEye or PwC, but the reality is, once you get...

You could be forgiven for not being crystal clear about how secure your data is, or would be, in the cloud. On one hand, there’s the argument that security in the cloud has gone from being a barrier to maybe even being an incentive for moving your data and applications to the cloud. On the other, there’s a constant cadence of headlines and news spots detailing the latest security breach. At least some of this confusion comes from the perception that the cloud relieves businesses of all their prior, on-premises responsibilities. Whether it’s the cloud providers who have over promised or users that have underestimated their obligations, this set-it-and-forget-it mindset has clouded—pun not intended—our judgement when it comes to cloud security. The truth is that the cloud, in all its forms, does offer significant security advantages. For example, the Oracle Cloud can apply patches in real time, shoring up vulnerabilities that might, in an on-premises world, leave your systems exposed until you could take them offline and apply the patch yourself. Considering the number of attacks that sneak through while security patches are waiting to be implemented, this is a real advantage. But too often we mistake the fact that the cloud offers security advantages for the belief that the cloud is a security panacea and that the cloud service provider will take care of most security issues. Truth is, there’s a lot that your cloud provider can do to help, but they can’t do everything. For instance, take the employee who shares his password with another coworker or the person who has access and maybe even steals sensitive company information. There’s little that a cloud service provider can do to prevent these behaviors without input from its customers. Of course they can detect suspicious behavior around that credential once it happens. But by then, it may be too late. This is where the concept of shared responsibility comes into play. And all that really means is getting crystal clear on what your cloud service provider is responsible for when it comes to management and security and what you as the customer are responsible for. It sounds simple, but depending on how many different cloud providers you have, it can get complicated quickly. In fact, in the recent Oracle and KPMG Cloud Threat Report, we found that only 43 percent of organizations could correctly identify the most common IaaS shared responsibility model. The results were even worse for PaaS and SaaS. So, where do you start? Turns out there are some fairly simple things you can do to separate your responsibilities from your cloud service provider. 1. Read your contract and SLA. Your contract and service level agreement should clearly outline what responsibilities you own. You might discover that you’re covering many of these responsibilities already, or you might learn that there are inconsistent gaps from one cloud service provider to the next, which will require you to do additional checks and balances. The important thing is to know your role. 2. Have good conversations with your cloud provider. This won’t replace reading your contract, but it will give you a place to start and help you clarify any questions. This can also help you keep on top of your cloud provider and make sure they’re delivering what they promise. With Oracle, any customer can request full visibility audit reports that share any patch or vulnerability information to better understand if your data has ever been at risk. This is an important question to ask of any cloud service provider to find out if the same level of visibility can be provided across all services. This is key for compliance reporting in today’s organizations. 3. Appoint a cloud security quarterback. Having one person that has their thumb on what your business is responsible for is crucial to making sure all sides are living up to their end of the bargain. Plus, this position—which is often called a cloud security architect—can work with both the security team and the applications teams to make sure they know all the best practices and regulatory compliance objectives. 4. Avoid the cloud rush, and pace yourself. Many organizations are rushing applications and workloads into the cloud at a rate faster than their own SecOp teams can catch up with or respond. It is important to go about your cloud journey at pace that ensures no gap or exposure is left in the open as new services come online. At the end of the day, the benefits your cloud service provider offers you more than likely greatly outweigh the responsibility you incur as part of your relationship. The key is to identify those responsibilities and figure out how to address them. For more pointers on shared responsibility, join our upcoming webcast (Aug. 16 at 10 a.m. PT), where we’ll cover the top five cloud transition mistakes organizations make, how to mitigate them, and the top questions to ask your cloud service provider.

You could be forgiven for not being crystal clear about how secure your data is, or would be, in the cloud. On one hand, there’s the argument that security in the cloud has gone from being a barrier...

By Pedro Lopes, Product Manager, Oracle Database Security It has been a great year for Oracle Database Security Assessment Tool (DBSAT) so far. We have over 8000 customer downloads since January 2018! We are also increasingly seeing that our customers and partners are finding new use cases and expanding usage for DBSAT to gain maximum value from the tool. For instance, in order to help comply with GDPR, DBSAT Discoverer helps find personal data in several Oracle Databases. It grabs the JSON output and feeds a BI dashboard that displays sensitive data found by category. We also had a high uptake in our Oracle User Group sessions and the value is clear from the multiple new articles written by the community. Thank you! In case you have missed the announcement, we released Oracle Audit Vault and Database Firewall BP8 in June which has the ability to import data from the DBSAT Discoverer output to add sensitive data context to the new Data Privacy reports. To learn more about this functionality, please refer to “Importing Sensitive Data Into AVDF Repository” in the Oracle Audit Vault and Database Firewall Auditor's Guide. Today, we are excited to announce the release of DBSAT v2.0.2 which adds support for DBSAT Discoverer to connect to Database servers over SSL channel. DBSAT Discoverer can now connect to Exadata Express Cloud Service and Autonomous Data Warehouse Cloud. We will continue to enhance DBSAT further throughout 2H 2018. Some of the enhancements under consideration include: Update the integration of DBSAT with orachk and exachk Add new sensitive data pattern files in several European Languages DBSAT development is community driven, If you have suggestions/recommendations/requests that will help us improve DBSAT please reach out and let us know. Oracle Openworld is coming up in October 2018 in San Francisco where we will have sessions on DBSAT. If you haven’t already, please register here Learn more about DBSAT here  

By Pedro Lopes, Product Manager, Oracle Database Security It has been a great year for Oracle Database Security Assessment Tool (DBSAT) so far. We have over 8000 customer downloads since January 2018!...

87% of respondents in the recent Oracle and KPMG Cloud Threat Report (CTR) reported having a cloud-first orientation within their organization. The cloud is here to stay. However, with widespread adoption, comes an expanding list of challenges and new considerations. Customers rapidly adopting the cloud must also consider how their security solutions can keep pace. Keeping Pace The CTR goes into great depth on this concept. Traditional security procedures are no longer enough for a mobile, digital workforce. It is important to remember that cloud is all about choice and flexibility. This means that customers can retain aspects of their traditional on premises security solutions and begin to incorporate new cloud based solutions overtime. With that being said, the time to consider innovating your security posture is now. Recent data breaches have largely been attributed to human error or cloud account misconfigurations. These attacks can be fiscally devastating, ruin brand reputation, and can even mark the end of a C-level executive's time at the company. The stakes are high. Breaches and Regulations Everywhere you look there seems to be a new breach on the news, exposing sensitive personal information or company financial data. This issue is not unique to any industry and is a primary reason security has become a priority for so many organizations. Not to mention, harsh compliance regulations are continually cracking down on corporations. Organizations simply cannot afford to cut corners in today's hybrid cloud environment. What can companies do to increase their security posture and remain compliant with regulations such as GDPR? First and foremost, "Transparency is key," as Akshay Bhargava, vice president of the cloud business group at Oracle, mentions in 5 Strategic Priorities for Chief Security Officers in 2018. Bhargava later goes on to explain the importance of an incidence response plan, which can be used to quickly respond to an attack and minimize the damage. Companies should explore cloud security options that can help them better monitor their environments and protect them in the event of an attack. When working to comply with these regulations, it also important to maintain visibility into your entire cloud and on premises environment. Threats Modern businesses thrive off of fast development and lowering costs, both undoubtedly accelerated by cloud. The threat landscape has also exploded through these innovations. Overall cloud adoption has created a lack of visibility - leaving companies vulnerable to attack. The CTR explains that today's threat landscape is diverse and hackers aren't always sitting in a dark room millions of miles away. They are everywhere and they are after your data. Attacks can be brought on by nation-states, cybercriminals, and even insiders. Organizations face a wide range of threats including malware, phishing, and theft of credentials. Companies must defend themselves at every layer of their environment. They must also turn to a more Identity driven approach for cybersecurity. By shifting the focus to identity, companies have more control to isolate root cause of a breach or attack, especially those carried out by an insider or by a hacker using stolen, but authorized credentials. Tracking a user's normal behavior enables cutting edge technologies to automatically take action against anomalous behavior by sending out a Multi-Factor Authentication code to a user's phone.  Building a Defense Each organization has a unique journey to the cloud. They must also discover the security solutions that will work best to protect their environment. As cybersecurity threats continue to rise, qualified talent has not been able to scale. Simply too many alerts and not enough expertise to keep up. Companies need to shift toward intelligent solutions that can help them better predict, prevent, detect, and respond to threats. Creating an innovate security environment allows you to gain visibility and intelligence - it is a vital component in the battle of cybersecurity. For more details, please visit the Oracle Security page.

87% of respondents in the recent Oracle and KPMG Cloud Threat Report (CTR)reported having a cloud-first orientation within their organization. The cloud is here to stay. However, with...

It’s the second year Oracle has joined forces with Inc. Media to survey leaders of America’s fastest-growing companies to find out, among other things, what they credit their success to and what their spending priorities for the year are. As you can imagine, amidst all the responses, there were some interesting findings. Like this plot twist: when asked to identify their main obstacles to growth and the biggest contributors to their success, the executives gave the same answer: scalablity, talent, and sales/customer retention. Basically, what landed them on the Inc. 5000 is also what they fear might throw them off.  For these companies, short- and long-term success relies heavily on growing sales and managing the customer relationship (47 percent of respondents named this as a leading success factor), and having and holding on to the correct talent (this came in at a close second at 42 percent). What keeps business afloat is also what can upend the entire apple cart. According to these small-to-medium business (SMB) executives, the #1 reason for success is customers (a healthy 58 percent of respondents cited customer experience as the leading driver of success). Yet those same leaders stated that managing security was their lowest spending priority. And only nine percent of the SMBs surveyed stated that data security was the most important area of investment for 2018. Keeping customers happy and offering a satisfying experience requires keeping their data safe and secure. So why is it then that data security, one of the biggest threats to the health of the customer relationship, ranked so low? Perhaps the reason is buried in misplaced fear and misunderstanding. Let’s unravel this a bit. These Companies Know What They Are Doing First, to land on the Inc. 5000 list, you have to pull off some rather impressive feats of business. The list isn’t a popularity contest, it’s a ranking based on financial statements that cover a three-year period. So yes, the people running these companies know what they’re doing. Achieving triple- and quadruple-digit growth for multiple years is not a fluke. If we dig a bit deeper into the responses, we’ll find that 42 percent of respondents stated that integration across all their cloud products was their biggest objection and obstacle in the cloud. And for 28 percent of them, their biggest objection to using cloud is data security. But this is where the goodness lies. Concerns about security and integration are one of the reasons to go toward the cloud − not away from it. The cloud shouldn’t be viewed as a barrier to success. The contrary. It should be an enabler. Here’s why: Piecing together solutions to solve problems only as they arise will result in a platform that doesn’t work well in the long term. For fast-growth companies like those on the Inc. 5000 list, a future-growth approach works best. The right cloud vendor can create a strategic plan that integrates solutions that are scalable–growth can be accommodated quickly and as needed with systems that all work together. Again, your IT infrastructure should enable growth, not constrain it.  As SMBs move more critical data to the cloud, security should scale with it to enable a secure environment beyond the firewall. Since not any one stop-gap will halt all threat factors, when data sits within the Oracle Cloud, it’s protected with multiple layers of defense built-in from the app down to the database. Among the respondents who stated that security was their most important investment area in 2018, 47 percent said improving awareness of best practices and training was a main focus. This is wise. In the recent Oracle and KPMG Cloud Threat Report, 97 percent of organizations surveyed require that all or most cloud services be approved by the IT/security team, yet 82 percent of those same organizations express concern that employees and teams are violating those policies. A cloud access security broker (CASB) solution can close the gap by monitoring cloud accounts and preventing inside fraud with better processes and more awareness. For example, Oracle’s CASB solution can look at more than fifty-thousand types of SaaS apps, (Oracle and non-), giving IT a view into what their users are accessing (shadow IT), enabling consistent security control. No matter the size of the company or whether you’re on this year’s list of the Inc. 5000 (and congratulations if you are), security should be a top priority, particularly if you want to stay in the business of growth. If you want to know more about what it takes to make it to the Inc. 5000, read the complete report.

It’s the second year Oracle has joined forces with Inc. Media to survey leaders of America’s fastest-growing companies to find out, among other things, what they credit their success to and what their...

Identity and Access management (IAM) has been the main area of focus for most of my career. I have seen lots of changes over that time as trends come and go, and as you would expect, am regularly talking to customers about their IAM strategies (or lack of). Probably the biggest change around IAM in recent years has been Cloud Identity, or Identity-as-a-Service (IDaaS). I hear lots of IAM conversations from customers talking about whether they have an on-premise strategy, a cloud strategy, or a hybrid strategy.  Cloud Identity does indeed provide many benefits over on-premise IAM, but isn’t a silver bullet. It also has its limitations. I can understand some IDaaS vendors pushing customers down the Cloud Identity route. After all, as the famous saying goes “If you only have a hammer, then everything looks like a nail”, meaning that, if you only offer IDaas, then that is always going to be your answer. Whilst Cloud Identity does indeed have a lot of benefits, it’s not always the answer and very rarely the only answer for larger organisations. Some organisations can’t adopt Cloud for a number of reasons Organisations typically have lots of existing on-premise applications and infrastructure that they can’t just forget about and doesn’t always lend itself to IDaaS integration. IDaas doesn’t always provide the flexibility needed by larger, more complex organisations Even those organisations who have a commitment to move to cloud still have to work out their migration and how they manage their existing estate. In my experience it is only the smallest, simplest (from an IT perspective) companies, or the cloud native companies that can easily adopt just IDaaS. Therefore, for most companies, hybrid is the answer, taking advantage of the best of both worlds. Using IDaaS to give you the speed and agility whilst using on-premise IAM to deliver the flexibility and deep integrations needed by many applications. Some industry leader have used the term bi-modal IT and I think it applies perfectly to IAM. Delivering IAM choice and flexibility Oracle’s IAM platform is all about delivering that flexibility and choice to customers. We have the benefit of years of experience in IAM, delivering a market leading on-premise IAM platform. That is still the case today and is a key part of Oracle’s IAM strategy. Oracle also consistently appears as a leader within IAM assessments and reports from industry analysts. We also recognise the importance of Cloud Identity and deliver an IDaaS platform that, not only delivers key IAM capabilities across heterogeneous clouds for our customers, but also underpins Oracle Cloud, showing its strategic importance for Oracle. So, let’s look back at those challenges I identified earlier. Some organisations can’t adopt Cloud for a number of reasons Yes, I have talked to companies who, for whatever reason either can’t or don’t want to move to Cloud. However, that doesn’t mean that they should be left at a disadvantage. Oracle can still deliver on this bi-modal IAM vision for these customers. Our on-premise IAM platform can be delivered, well, on-premise, but we can also deliver our IDaaS platform, Identity Cloud Service, into the customer’s data centre, through our Cloud at Customer. This means that customers can get the speed and agility of IDaaS, whilst still being able to meet their most sophisticated use cases through the Oracle IAM platform, all delivered behind their firewall and in their data centres. Organisations typically have lots of existing on-premise applications and infrastructure that they can’t just forget about and doesn’t always lend itself to IDaaS integration. Again, here Oracle offers customers a choice. The Oracle IAM platform can of course address these existing applications. However, Identity Cloud Service is also constantly being updated and can now reach back into the enterprise to support non-Cloud applications. I have written an article about that recently. This choice of approaches allows customers to make their IAM journey to the cloud  at their pace and under their control. IDaas doesn’t always provide the flexibility needed by larger, more complex organisations This comes back to my earlier point around choice. IDaaS isn’t always the answer (or not always all of the answer). Oracle’s IAM platform can support those advanced use cases requiring that extra flexibility, not usually seen in IDaaS solutions. What's more, deciding you have a need to use on-premise IAM doesn't mean long, expensive projects. For example, you can deploy on Oracle Cloud (either in public cloud or using Cloud at Customer mentioned earlier). This helps you get out of the business of running physical machines. If you don't have the skills or resources to manage it, you can also look to Oracle Managed Identity Services, who can manage your Oracle IAM platform (running in Oracle Cloud) on behalf of your organisation. So, this means, a customer gets the benefits of the flexible, feature-rich capabilities on the Oracle on-premise IAM, but without the headache of installing/running/managing the platform. So, in summary, is on-premise IAM dead as the world looks to Cloud Identity and IDaaS? Absolutely, not! Certainly, within Oracle, there are strong roadmaps for both our on-premise and IDaaS platforms as both remain strategic for our customers who are still deploying both. Hybrid is not going away any time soon and Oracle is there to support you on your IAM journey, whatever flavour of deployment that looks like.      

Identity and Access management (IAM) has been the main area of focus for most of my career. I have seen lots of changes over that time as trends come and go, and as you would expect, am...

Written By: Patrick McLaughlin, Security Architect and Oracle Fellow Introduction to the right to Erasure The EU GDPR regulation[1] provides many rights to people who are located in the EU (European Economic area in fact).  The rights are described in Section 2 ‘Information and access to personal data’ in Articles 13-22.   Some of the rights were available prior to the GDPR; with strengthened rights under the GDPR, together with, the risk of high fines and other legal-remedies under the GDPR, all organisation providing goods and services to individuals located in the EU, are taking the rights of individuals, much more seriously. An individual’s rights can be exercised against the ‘data controller’, who is the organisation who decides to collect, process or store the personal information. The rights include: the right to get access to one’s personal data, the right to rectification if the data is inaccurate, the right to get data in a portable format, rights to restrict, block or object to the processing of one’s personal data, and finally and most importantly from the point of view of this article the right to erasure.  The right to erasure is also known as the right to be forgotten and enables a person (located in the EU) to request that data belonging to them be deleted, for example, if there is no legal basis for its continued processing.  The right to be forgotten was established in 2014 by the highest court in Europe the ECJ/CJEU, as a result of the Google Spain v AEPD and Mario Costeja González case. Traditional IT systems challenges with the right to Erasure The right to erasure creates challenges across all IT systems created over the past many decades.  There has been a lot of ‘IT-sprawl’ in the past 20 years with the proliferation of application and data silos, with considerable duplication of personal data in many different systems.  IT departments had the goal of ensuring high availability of data, including the availability of reliable backups of all data, typically over indefinite periods of time. The designers of applications and backup solutions did not and could not foresee the need to be able to selectively delete, personal data of individuals upon request, across structured and unstructured systems.      Introduction to Blockchain Blockchain is a relatively new concept and technology architecture, derived from the bitcoin architecture, but having application outside of crypto-currencies in business systems requiring a high degree of trust and ‘traceability’ between interacting parties.  In the past digital signatures based on Public Key Infrastructure were deployed as a solution to (dis)trust between interacting/transacting parties.  PKI solutions work well from a technical and legal perspective but they have not come into widespread use.  Blockchain, also signature-based, is regarded as a disruptive force that can make business engagement more efficient, change the structure of markets, and enable the creation of new services. Blockchain and the GDPR right to Erasure A Blockchain works by keeping a history, of all data written onto it, in principle, forever.  Newly written data is cryptographically related to all existing data on the blockchain by including the hash-of-existing-data into the newly computed hash that includes the new data.  Blockchains inventors, like traditional IT architects, did not foresee the need to delete data from the chain and instead highlight the strength of not being able to delete data (data-immutability).  One exception is that Accenture has patented a scheme for editing a permissioned blockchain which leaves a ‘scar’ – see here. In the absence of this editing capability becoming widespread, organisation are faced with the difficulty of complying with, the GDPR right to erasure, in conjunction with, gaining benefit of using blockchain technology.  The GDPR requires organisations, who have the role of a data-controller, and are exploring the use of new technologies, that may carry high risks ‘to the rights and freedoms’ for individuals, to carry out a data protection impact assessment, and there is detailed guidance on how to make such an assessment, from the Article 29 working party – see here.  Given blockchain is a relatively new technology and if a data controller will use a blockchain to, store, process or communicate personal data, it’s very likely they should carry out such a formal data protection impact assessment, and it will have to address, the difficulty of handling the legal right to erasure and rectification of personal data.  The controller may need to consult with their Data Protection Authority and be able to explain and convince the authority about their approach. Is hashed-data still personal data? It is generally accepted that writing business and personal data directly to a blockchain is undesirable as blockchains are not performant enough (yet), and instead a hash of the dataset should be written to the blockchain. In the GDPR, personal data has a very wide definition and includes any data item that could potentially be used to identify an individual. A somewhat surprising example is that a dynamic IP address can be personal data if it can be used to help identify an individual see here.  So, with the blockchain its necessary to think about the right to erasure of data concerning an identified or identifiable person. The personal data may not be secret, but its presence in a transaction on a blockchain is what an individual may wish to have deleted.  For example, an individual may want to erase the fact that they stayed at a hotel chain at a certain time, or that they bought medication over the internet for a certain ailment. It’s also possible that hashed personal data written to a blockchain could be guessed or found out by trial and error / brute-force-attack, in the same way that dictionary-attacks work to crack passwords - the complexity of doing so, will depend on the ‘formula’ for calculating what gets hashed, and the formula could be guessed or ascertained by other means.  The result is that simply writing hashed personal data to the blockchain that cannot be overwritten or deleted is incompatible with the need to delete data under the GDPR right to erasure.  Hashed data is more akin to pseudonymised data in GDPR terms, as the data subject is at least somewhat identifiable to the data controller.  Were this not the case, one has to ask how would the data controller process the hashed personal data? The assumption must be that they have the underlying data stored off the blockchain and they know the formula to check if that data is present on the blockchain e.g. by hashing some combination of attributes – otherwise what is the purpose of having data on the blockchain! Reconciling immutability with the right to erasure The obvious solution is to not write either personal data either, in-the-clear or in hashed format to a blockchain.  Below I discuss what can be done where one needs to write hashed personal data to the blockchain. The GDPR makes it clear that anonymised data i.e. data that in no way can be related back to an individual is not personal data. There is reference to ‘data rendered anonymous in such a way that the data subject is no longer identifiable‘, which begs the question how could one anonymise data. Hashing is not sufficient; however, encryption would do the job if the encryption key is immediately deleted. Not deleting the encryption key, would mean the data could be decrypted and hence the individual would be identifiable. So, a good solution would be to only store encrypted, hashed personal data on the blockchain and if a data erasure request is accepted, reliably throw away the encryption key(s) to make the data anonymous and un-recoverable.  This is the closest to full erasure than can be done.  Storing encrypted data clearly enhances the security of the stored data and given that having appropriate data security, is another requirement of the GDPR there is an additional benefit of encryption. A key management solution would be needed that would assist with data erasure, through key deletion. People will have the right to request deletion of a subset of their data, for example, if they withdraw their consent for some very-sensitive personal data to be processed. Therefore, sophisticated use of a key management solution that enables encryption of fine-grained personal-data would be required, as an accompaniment to the blockchain. Clearly the encryption keys should not be stored on the blockchain as the blockchain would not allow their deletion!  They could be stored in a simple, 2-column KeyID and Value database (relational or non-relational).  The value would be the personal-data-item encryption-key, itself encrypted using, a ‘master’ key-encryption key.  The KeyID would be derived, for example, by hashing the data being stored together with a nonce. The master key-encryption key could be stored in a Hardware Security Module, to increase its protection.  It’s likely that other columns will be needed e.g. to record the deletion of the encryption key in response to a specific data-erasure request, received from a specific person, at a specific time. An interesting legal question arises as to whether the organisation can / should record and store the request for Erasure and the action taken on the blockchain.  The benefit would be to have an dependable (perhaps immutable) record of the activity, as part of the formal record of processing, but what if a request is then received to erase all data identifying the same individual. Data controllers, need to consult their legal representatives on whether and where, such a record of erasure should be maintained as evidence of acting appropriately, on the original individuals request. When it comes to deleting personal data, not stored on the blockchain, today organisations are trusted to simply delete the data and confirm they have done so. By extension, the same organisation storing personal data on a blockchain, could be equally trusted to delete the encryption key, associated with that individual encrypted item. A more advanced encryption-key deletion scheme Instead of relying on a single key to encrypt and decrypt hashed personal data, it’s possible to split the encryption key into 2 or more parts, so that for example the data controller has one part and the individual has the other part.  To encrypt or decrypt data, both key parts would be needed.  Requiring m of n key-shares to enable encryption or decryption, is a well-established technique, even though its uncommon in commercial systems – see here. A 3-key, key management scheme is already in use, to enable the right to erasure, in a blockchain application that enables the storage of diplomas and degrees – see here.  The scheme has the following keys. Graduate Key –  the property of the graduate, integrated into the diploma’s URL. Persistent Key –  kept by the educational establishment. When the graduate wishes to exercise his or her right to be forgotten, she only has to destroy this key. School Permanent Key –  kept by the educational establishment. If the graduate deletes her key, the system will no longer be able to decrypt the diploma and thus the diploma is effectively anonymised/deleted. The graduate does not need to rely upon and trust the school/college to delete a single encryption key. Consequence for blockchain application developer Data-protection/privacy by design and default, is a key tenet of the GDPR and this principle is expected to be applied when developing new systems. To handle the right to erasure, an application developer must leverage a key generation function and encryption library to ensure that hashed personal data is encrypted before storing on the blockchain. A better alternative would be to make the encryption transparent for the developer so she can have personal data transparently encrypted using a dynamically generated key by simply calling a function that highlights the data as ‘personal’ so it undergoes the extra processing steps before storage:                put (bloodtype, Alice, blockchainX, personal) or putPersonal (bloodtype, Alice, blockchainX) A search function should be able to locate and transparently decrypt the data                get (alice, bloodtype, personal) -> Group AB An erasure function would have the effect of transparently deleting the encryption key resulting in:                erase (alice, bloodtype, personal) -> confirmed                get (alice, bloodtype, personal) -> Not found All of these functions should be under the control of an access management system so that only the right people or entities could read, write or delete personal data on the blockchain.  This article does not address the governance needed to handle erasure requests.  All erasure request will not be accepted so an approval process will be required, for example, request to erasure records with the tax department will not be accepted. A further alternative would be to have a personal data discovery function running in the background inspecting any personal data being: written, read or deleted on the blockchain and have it, transparently do the underlying encryption, decryption or key deletion as appropriate. Such an approach would need to be 100% reliable given the maximum fines under the GDPR of €20M or 4% of global revenue, whichever is higher, for infringing individuals rights, including the right to erasure and rectification of data. A final alternative would be to use a hybrid scheme where the functions are explicitly invoked, for example by smart-contracts (programs) and a process is additionally running and checking if data being written to the blockchain is personal data.  If so the write could be rejected if the data is not encrypted or the smart personal data detector could autonomously encrypt the data: a) to make it more secure and b) to ensure that the option is there to support a data subject erasure request. What about rectification of data The right to have inaccurate data changed is also enshrined in the GDPR.  Let’s say Alice’s blood-type is not in fact AB and should be O; there is a compelling reason to ensure this data-item is rectified. The solution would be to first erase the inaccurate data as above and add the correct blood-type to the blockchain at an appropriate location:                erase (alice, bloodtype, personal) -> confirmed             put (correctbloodtype, Alice, blockchainX, personal) For personal data update, a dynamic personal data update function could transparently invoke the same two functions and even transparently verify the result:                erase (alice, bloodtype, personal) -> confirmed             put (correctbloodtype, Alice, blockchainX, personal) get (alice, bloodtype, personal) -> Group O. This could be done for all occurrences of the same attribute on the blockchain. The programmer would simply have to call an update function with or without the personal flag: update (correctbloodtype, Alice, blockchainX, [personal])   Final words This article is intended to highlight a real problem with using blockchain technology to process personal data, to propose concrete candidate solutions, that can stimulate discussion on how real the need is and to help reach conclusions among stakeholders involved in the development and adoption of blockchain technology.   [1] European Parliament and Council Regulation 2016/679 of 27 April 2016, repealing Directive 95/46/EC (General Data Protection Regulation), OJ L119/1, http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN 

Written By: Patrick McLaughlin, Security Architect and Oracle Fellow Introduction to the right to Erasure The EU GDPR regulation[1] provides many rights to people who are located in the EU (European...

As the complex functions that web applications and services perform move closer to users, there is increasing demand for the real-time processing, creation, and exchange of data. Enterprises need to perform the same types of computations at the edge that they traditionally did in the data center. With that comes the need to protect those workloads at the edge as well. Edge computing security takes traditional protections that are done on premises or in the cloud and implements them in proximity to where users interact with data and services. In this interview, Nick Deshpande, principal, product strategy at Oracle, discusses a few of the benefits of edge computing security. What is the biggest advantage of the edge security approach? One of the main benefits of edge computing security is the ability to secure a workload no matter where it is and scale with that workload no matter how big it gets. When Pokémon Go does its giant meetups, for example, users put a huge amount of strain on local networks. Edge security can scale up and down quickly with the demands of those workloads without contributing to that strain. How exactly does this approach improve security? Enterprises have visibility right up to the edge of the network. You're not waiting for the data to come back in to your data center or cloud and be processed by some server. You can deal with any potential threats upstream, where the trusted and un-trusted zones meet. Are there any benefits of edge computing security when it comes to cloud migrations? Edge security is also a great fit for the cloud lift-and-shift use case. Enterprises may be concerned that they're going to have to sacrifice one security posture for another or go without security for a certain amount of time as they get situated in a new environment. They may worry about trying to take a security profile from their on-premises data center and trying to match it to a cloud provider’s environment. How do Oracle's edge services help with that? With our edge computing security approach, enterprises can establish a security profile that moves with their applications and services, regardless of hosting environment. Users have a consistent security layer, whether it's in a hybrid, public or multi-cloud scenario. So if you've already achieved compliance, you’re not going to lose that when you move to the cloud. With some cloud providers, everything is so baked in, it can be really tough to move workloads around or out of their cloud, or to work across multiple clouds when you need to. Being agnostic is a really big benefit.

As the complex functions that web applications and services perform move closer to users, there is increasing demand for the real-time processing, creation, and exchange of data. Enterprises need to...

Next Generation Cybersecurity Organizations are losing the cyber war. They can no longer rely on manual threat detection and respond to address today's sophisticated attacks. Additionally, organizations are finding it hard to keep pace with the volume of security alerts and growing scale of users, apps, and data. In fact, 51% of organizations say that they are unable to analyze the majority of their event data, (Oracle and KPMG Cloud Threat Report 2018). Organizations need to address these challenges with autonomous security. Join us at RSA Conference 2018 from July 25-27 in Singapore at Marina Bay Sands to discuss all these topics and more.   Visit Oracle at Booth #1203, Marina Bay Sands, Sands Ballroom, Level 5 Visit us at our booth to meet our Experts and learn more about: Oracle’s World First Identity-based Security Operations Center (Identity SOC) which provides comprehensive monitoring, threat detection, analytics, and remediation tools to stay ahead of threats. Sign up for an Oracle Cloud trial! Get free giveaway from us! Learn More about the Oracle and KPMG Cloud Threat Report 2018 The Oracle and KPMG Cloud Threat Report 2018 is the inaugural global survey of cloud security challenges, threats, and insights from security practitioners and decisions makers. This report compiles the findings from organizations across the globe that center on one common theme: that the cloud has created a strategic imperative to keep pace at scale. Attend our Keynote Session The Impact of Autonomous Security in today’s Threat Landscape (DETAILS) July 26, 2018 | 2:55 pm - 3:15 pm | Marina Bay Sands, Roselle Simpor Ballroom, Level 4 Speaker: Amit Zavery, Executive Vice President, Cloud Platform Abstract: The combination of sophisticated external attacks, and insufficient security skills in the industry, has intensified the challenges that enterprises face in the race to protect their core information assets. Combined with the move to Cloud and SaaS, the status quo is just not sustainable. Join Amit Zavery, EVP, Oracle Corporation in this keynote, as he shares the findings of the Oracle and KPMG Cloud Threat Report 2018, introduces the concept of Autonomous Security, and provides insights into how enterprises can be empowered to revolutionize and re-imagine their approach to information security and safeguarding their highly sensitive data.

Next Generation Cybersecurity Organizations are losing the cyber war. They can no longer rely on manual threat detection and respond to address today's sophisticated attacks. Additionally,...

Cloud adoption has become a global trend in business technology. However, security and compliance concerns are at an all-time high. Security has always been a cornerstone for IT organizations - but the increasing number cloud applications and continual pressure to lower costs have pushed the need for secure systems to the top of the list for everyone; from top level executives to everyday end users. This has left many organizations in a difficult position. They must consider how to meet their performance and cost goals, while maintaining a strong security posture. Secure technology transformation requires several considerations, but where can IT teams begin their journey? How will you choose to deploy your future environment? According to the Oracle and KPMG Cloud Threat Report, 83% of participants rated cloud security as good as or better than on-premises security. This is a testament to the growing number of organizations putting their data in the cloud and unlocking rapid business innovation. However, every organization has a unique journey to the cloud. Some opt for a hybrid strategy or elect to put new applications in the cloud as they transition to modern systems. Due to stringent data protection policies and industry standards, it is important to have options when moving to the cloud. Flexibility is key when making this transition, whether that be to private, public, or hybrid cloud deployments. Oracle Cloud at Customer is an avenue that has been widely explored by customers looking to gain speed and scalability in the cloud, while retaining control over their data. Keeping their data within the company's firewall, Cloud at Customer enables IT organizations to offload tasks such as patching, upgrades, and regular maintenance to the Oracle team, ensuring that their SaaS, PaaS, and IaaS environments are monitored around the clock. The data resides in the customer's possession, securely isolated with access only awarded to the proper administrators within their organization. Identity management that fits your environment As your cloud environment begins to grow, so does complexity in securing your deployment. Numerous applications spread across the business can often create information silos, making identity management a challenge. Ensuring that your environment is protected by a single solution to manage identities is extremely important for customers with hybrid environments. If a user profile is compromised, this can leave you vulnerable to attack.  Solutions such as Oracle Identity Cloud Service (IDCS) can block these actions by monitoring user behavior and recognizing anomalies in access times or locations. The system automatically launches Multi-Factor Authentication (MFA) actions to verify the user. Automated Machine Learning capabilities are critical to ward off stealthy attacks on sensitive data. Better yet, IDCS can be used to support your cloud journey, managing your users across public, private, and hybrid environments.   What are you looking for in a cloud service provider? Once you have determined the best plan of action for the previous two considerations. Consider one more. How can you find solutions that fit your needs and complement your existing environment? It is important to consider if a cloud service provider can integrate well with heterogeneous systems, enhance performance rather than hinder it, and promote your company's policies for compliance standards. To achieve this, look for a solution, or set of solutions, that come with inherent security features and offer you options to build out additional security functionality to suit your environment.   Striking a balance of seamless security integration across your environment along with enhanced performance and adherence to compliance policies can be a challenge. However, it is certainly attainable and unique to every customer. We encourage you to explore our Oracle Cloud at Customer and Security offerings

Cloud adoption has become a global trend in business technology. However, security and compliance concerns are at an all-time high. Security has always been a cornerstone for IT organizations -...

By Pedro Lopes, Product Manager, Oracle Database Security It has been a great year for Oracle Database Security Assessment Tool (DBSAT) so far. We have over 8000 customer downloads since January 2018! We are also increasingly seeing that our customers and partners are finding new use cases and expanding usage for DBSAT to gain maximum value from the tool. For instance, in order to help comply with GDPR, DBSAT Discoverer helps find personal data in several Oracle Databases. It grabs the JSON output and feeds a BI dashboard that displays sensitive data found by category. We also had a high uptake in our Oracle User Group sessions and the value is clear from the multiple new articles written by the community. Thank you! In case you have missed the announcement, we released Oracle Audit Vault and Database Firewall BP8 in June which has the ability to import data from the DBSAT Discoverer output to add sensitive data context to the new Data Privacy reports. To learn more about this functionality, please refer to “Importing Sensitive Data Into AVDF Repository” in the Oracle Audit Vault and Database Firewall Auditor's Guide. Today, we are excited to announce the release of DBSAT v2.0.2 which adds support for DBSAT Discoverer to connect to Database servers over SSL channel. DBSAT Discoverer can now connect to Exadata Express Cloud Service and Autonomous Data Warehouse Cloud. We will continue to enhance DBSAT further throughout 2H 2018. Some of the enhancements under consideration include: Update the integration of DBSAT with orachk and exachk Add new sensitive data pattern files in several European Languages DBSAT development is community driven, If you have suggestions/recommendations/requests that will help us improve DBSAT please reach out and let us know. Oracle Openworld is coming up in October 2018 in San Francisco where we will have sessions on DBSAT. If you haven’t already, please register here Learn more about DBSAT here  

By Pedro Lopes, Product Manager, Oracle Database Security It has been a great year for Oracle Database Security Assessment Tool (DBSAT) so far. We have over 8000 customer downloads since January 2018!...

Are you transforming the way you secure and monitor your business with Oracle Cloud Security Solutions? If yes, we want to celebrate you and your success with an Oracle Excellence Award. Every year Oracle aims to recognize outstanding cloud security customers who utilize Oracle security solutions to fuel innovation and elevate their business. Winners will be awarded with a complimentary pass to Oracle OpenWorld, a speaking opportunity at OpenWorld, and acknowledgment at a special ceremony to highlight their outstanding accomplishments. Nominations are open now until July 20, 2018, so submit today.   The Oracle Cloud Platform Innovation Awards were designed to celebrate customers who are dynamically driving business innovation with one or more Oracle PaaS solutions. Organizations can be nominated for their use of Oracle Cloud Security tools including: Identity Cloud Service, CASB, Configuration and Compliance, or Security Monitoring and Analytics. To find the full list of eligible solutions and categories, visit the nomination page for more details.   This is a fantastic opportunity to showcase business innovation in security. All  security customers and partners are encouraged to submit a nomination. The 2018 Oracle Cloud Platform Innovation award winners will be announced this September. As part of the Oracle Excellence Awards, recipients will be honored at Oracle OpenWorld amongst peers and thought leaders in several industries from across the globe. Once again, nominations are now open until July 20, 2018. We look forward to recognizing our innovative customers and partners!

Are you transforming the way you secure and monitor your business with Oracle Cloud Security Solutions? If yes, we want to celebrate you and your success with an Oracle Excellence Award. Every year...

“We have to reprioritize and rethink about how we defend our information. We need new systems: it can't be our people versus their computers. We're going to lose that war. It's got to be our computers versus their computers. And make no mistake: it's a war.”  These words from Oracle’s CTO and Chairman, Larry Ellison, are consistently validated in the news with headlines of the latest cyber attack and data breach. As an industry, we face too many security alerts, using manual and error-prone processes, not enough cybersecurity talent and insufficient tools. Due to increasing data breaches, industry and governments are introducing more regulations (i.e., European Union’s GDPR) that require better security. Oracle is uniquely positioned to help customers protect hybrid and multi-cloud environments by detecting, preventing and responding to today’s sophisticated security threats with minimal burden to overwhelmed staff. I would like to introduce Oracle's Trust Fabric, which is comprised of an integrated security portfolio designed for the entire IT ecosystem that includes Oracle and third-party on-premises, SaaS, PaaS, and IaaS environments. It is designed to proactively maintain security with a unified network of trust, a set of security tools, and a methodology. Using machine learning capabilities that automate a fast response, Oracle’s secure cloud platform is designed to address your IT governance and compliance requirements while protecting all your users, apps, data, and infrastructure.  The Trust Fabric security model is built around the notion of protecting mission-critical sensitive data and consists of seven layers: Data security (encryption, masking, redaction and user access controls) Encryption key management Identity and access management Cloud visibility and data loss prevention Cloud application firewall security Cloud infrastructure security Cloud monitoring and security analytics     The Trust Fabric can be implemented using Oracle’s integrated and open product and cloud services platform. Customers can use the entire platform together, or pick and choose the solution mix that meets their requirements.  The Trust Fabric seamlessly integrates the portfolio of Oracle security and identity software and cloud services enabling security interoperability. These security and identity solutions are integrated across the Oracle cloud and application portfolio providing enhanced enterprise-class security for your Oracle investments. Oracle's Trust Fabric incorporates autonomous technology using machine learning to quickly and automatically detect and resolve threats.  This is the “computer versus computer” paradigm that is going to allow us to win this cybersecurity war. Learn more about the Oracle's Trust Fabric and Oracle Security. 

“We have to reprioritize and rethink about how we defend our information. We need new systems: it can't be our people versus their computers. We're going to lose that war. It's got to be our computers...

By George Csaba Director, Product Management, Oracle Database Security   This month Oracle released Audit Vault and Database Firewall (AVDF) Release 12.2 Bundle Patch 8. This release includes new Data Privacy Reports to help users comply with privacy regulations such as GDPR. AVDF provides a first line of defense for databases and consolidates audit data from databases, operating systems, and directories to support monitoring and compliance reporting.  A highly accurate SQL grammar-based engine monitors unauthorized SQL traffic before it reaches the database.  Audit records from on-premises and cloud databases are collected for centralized management and provide monitoring, reporting, and alerting of anomalous activity across databases.  AVDF helps reduce the costs of regulatory compliance while giving administrators enhanced visibility into their IT operations. The new Data Privacy Reports in AVDF leverage sensitive data discovery results to set object level audit policies on data. These can be generated using either Oracle Enterprise Manager or Oracle Database Security Assessment Tool to run a data discovery job to search for sensitive data in Oracle Database secured targets. The sensitive data file is then imported into the AVDF repository and the Audit Vault Server GUI is used to view the related Data Privacy Reports. The reports provide information such as which users have access rights to sensitive data, as well as details of activity on sensitive data by all users, including privileged users. Here are some screenshots of the reports:   Some of the other new features introduced with this release of AVDF include: Collection of audit data from Autonomous Data Warehouse Cloud using AVDF’s hybrid cloud capability Support for UEFI boot mode installation enabling installation on Oracle Server X7-2 Incorporation of April 2018 Bundle Patch for Oracle Database 12.1.0.2, which includes the latest security fixes A complete list of the features and capabilities of this release is available in the release notes. To learn more about Audit Vault and Database Firewall, check out our AVDF Product Page on OTN. Learn more about Oracle Database Security Solutions  

By George Csaba Director, Product Management, Oracle Database Security   This month Oracle released Audit Vault and Database Firewall (AVDF) Release 12.2 Bundle Patch 8. This release includes new Data...

"As part of our business expansion, we were acquiring an increasing amount of group companies. To integrate the systems, we build a system that could immediately be deployed globally. We chose Oracle Identity Cloud Service and Oracle CASB Cloud Service to enhance security and monitor user activity. " - Kinji Manabe, General Manager, Business Management Department  Outsourcing Inc., headquartered in Tokyo,Japan, specializes in outsourcing for IT, manufacturing, and engineering companies. Managing 60,129  employees is not a simple task. The company was looking to monitor their user activity from multiple sources and integrate users across disparate systems. They were looking for a solution that could quickly scale and offer a user friendly experience. Outsourcing Inc. began their evaluation of Oracle Security cloud services following the acquisition of several new subsidiaries. Ease of use and increased visibility were some of the key benefits Outsourcing Inc. gained from the implementation of Oracle Identity Cloud Service (IDCS) and Oracle CASB Cloud Service.   Hear directly from Outsouring Inc. Learn more about IDCS and CASB.   

"As part of our business expansion, we were acquiring an increasing amount of group companies. To integrate the systems, we build a system that could immediately be deployed globally. We chose Oracle...

If there’s one aspect of GDPR that is likely to grab the attention of any CFO it is the potentially eye-watering fines organizations could be hit with if they are found to have breached the new data protection regulation. As the gatekeepers for the company finances, and often the boardroom owner of risk management, what CFO isn’t going to sit up and take notice when the sums involved could be up to €20 million or four per cent of annual revenue — whichever is larger? However, CFOs shouldn’t just be sitting in fear, hoping the day never comes when they have to pay out such a fine. There is much they should be doing to ensure their organization is prepared, starting with participation in cross-organization planning and an audit to ensure they understand the types of personal data that is being processed within their organization, where it resides, who has and needs access to it, and how their processing activities are affected by GDPR. For CFOs this process should include reviewing what data they hold, create and preside over with finance. That could include employee information such as payroll or salary data, as well as data held by suppliers, contractors and outsourcers who may report into the CFO. CFOs should be reviewing the contracts they have in place with those suppliers to ensure they are fit for GDPR. The Role of the CFO in GDPR Compliance Another key role of the CFO is ensuring the organization’s compliance efforts are properly funded and resourced. In order to do that, the CFO must understand the cost of compliance and where investment needs to be made in order to ensure it. This may well involve additional budgets for teams such as IT, which will certainly be at the sharp end of GDPR compliance, ensuring data is protected and structured in such a way that the organization can respond to requests from data subjects to provide, modify or delete data. However, to prevent the cost of compliance spiralling, CFOs will also need to ensure they understand which measures are essential and should maintain a cautious cynicism towards some of the requests for additional budget that may cross their desk. “This is needed for GDPR compliance” could be used to push through any number of purchases that may not be essential. This is all the more reason why the CFO needs to ensure they are on top of GDPR and what it means. There is still some uncertainty surrounding what will happen after the GDPR deadline of 25 May. But whatever happens, the CFO needs to be prepared. There are clear opportunities which can arise in a data-driven economy for any organization that improves its data handling and usage practises. CFOs should therefore be weighing the potential upside of GDPR and the way it could help them unlock valuable insights, improve operations, know their customers better and become more responsive to risks and opportunities. However, as a final consideration, CFOs may also choose to plan for the potential downside. For all the planning there may be some organizations who are caught out and hit with fines — or potentially law suits. While they should of course do all they can to ensure that is not their organization, some CFOs may still choose to plan for the worst and put aside funding as an insurance policy against those eye-watering fines. Learn more about how to comply with GDPR regulations.

If there’s one aspect of GDPR that is likely to grab the attention of any CFO it is the potentially eye-watering fines organizations could be hit with if they are found to have breached the new data...

By Anita Salinas Healthcare organizations sit in a tough spot when it comes to embracing cloud benefits. On one hand, the cloud offers the cost savings and flexibility necessary for improving patient care. On the other, healthcare organizations have a duty and a regulatory responsibility to keep patients’ protected health information (PHI) safe. Fortunately for Oracle customers—and all those looking to realize the benefits of Oracle Cloud—that tough spot just got a whole lot more comfortable. Oracle recently achieved a series of HIPAA attestations for its Infrastructure as a Service and Platform as a Service offerings. These attestations are in addition to already HIPAA-attested Oracle Software as a Service solutions as well as Service Organization Controls (SOC) 1 and SOC 2 audits/reports for Oracle Cloud. Together, these attestations and audits open the door for healthcare organizations to confidently run mission-critical workloads containing PHI in Oracle Cloud—whether hosted by Oracle or behind the organization’s firewall with Cloud@Customer. For forward-thinking healthcare organizations looking to lower costs while improving patient care, here are three benefits that can be realized by adopting Oracle Cloud. 1. Planning for Peak Periods Few industries outside of healthcare can more clearly draw a line between resource conservation and customer benefit. Lowering costs, saving time, and alleviating the demand on staff all lead to better patient care. Trouble is that while some high-demand periods are predictable (open enrollment, for example), others (a late flu season, an epidemic, or just a particularly busy time) can put an unexpected strain on resources. With Oracle Cloud, healthcare organizations can glide through usage spikes knowing that supply will always meet, but not exceed, demand and that they’ll only pay for what they use. Plus, with Oracle’s unprecedented scale, performance, reliability, and autonomous features, healthcare companies can rest assured that their workloads running on Oracle Cloud can handle the busiest times. In fact, a very large healthcare organization is projecting a 37 percent decrease in total cost of ownership and $17 million in savings over three years by running its TriZetto Facets Claims workload on Oracle Cloud. 2. Embracing New Technology Wearables and IoT offer an unprecedented opportunity for healthcare organizations to understand patient needs, make personalized recommendations, and reward positive behavior—all of which can improve care and outcomes. But the tidal wave of PHI associated with these devices is enough to make most run for cover. With Oracle Cloud and its recent HIPAA attestations, healthcare organizations can now embrace these cognitive technologies knowing that protected health information is just that—protected. Plus, the reduced cost of storing data, extreme scale, and Oracle Cloud performance make this former patient-care dream a potential reality. 3. Actionable Insights with Predictive Analytics In the healthcare industry, highly trained professionals make medical miracles happen every day. But even with all the training in the world, you’d be hard pressed to find a clinician who wouldn’t welcome even just a little more information if it meant a better diagnosis, treatment, or outcome. Payers can also benefit from a better handle on determining whether the effectiveness of a specific treatment justifies its cost. Predictive analytics can assist in making these important decisions. But there are challenges. Not only do the sheer amounts of protected data make it difficult, but the number of different kinds of data—both structured and unstructured—stand in the way. Oracle Cloud, backed by recent HIPAA attestations, can help here as well. For example, one healthcare organization is analyzing massive amounts of data about cancer drugs and treatments and correlating those with patient outcomes to determine more effective treatment protocols. Bottom line, modernizing health IT in the cloud accelerates speed to market, reduces cost, and improves patient care and outcomes. Oracle Cloud, offering a broad range of HIPAA-attested cloud services, makes cloud benefits accessible to forward-thinking healthcare organizations. And with enterprise-class performance, scalability, reliability, and end-to-end security baked in, all kinds of healthcare organizations can run their most mission-critical workloads in the Oracle Cloud with complete confidence.  To learn more about what Oracle Cloud can do for your business, join us for our webcast on June 21, where we’ll discuss how healthcare organizations are succeeding with Oracle Cloud. Editorial contribution by Amanda Dyer.  

By Anita Salinas Healthcare organizations sit in a tough spot when it comes to embracing cloud benefits. On one hand, the cloud offers the cost savings and flexibility necessary for improving patient...

By Russ Lowenthal Data is the most valuable IT asset, but if not protected can become your biggest liability. EU GDPR is now being enforced (with the first GDPR lawsuits filed the very first day of the new law), and there is a global trend toward privacy legislation that mirrors GDPR. These new data privacy laws combined with weekly revelations of significant data breaches are driving organization to focus more and more on how to protect their sensitive data. The bad guys are after your data, and they are winning far too often. Hackers exploit unpatched systems; leverage weak, default, and stolen passwords; and slurp up unencrypted data wherever they find it. One of the many lessons in this year's Verizon Data Breach Investigations Report is that databases are high value targets.  In fact, Verizon highlights databases as THE top asset involved in the most significant data breaches. It's time to turn the tide and lock down these valuable data repositories. Gartner Security & Risk Management Summit 2018 is quickly approaching. Attending the event?  Please join Vipin Samar, Oracle's Senior Vice President of Database Security on Wednesday, June 6, to discuss the latest innovations in securing databases both on-premises and in the cloud. Learn how with multiple rings of control, you can protect your data from the bad guys and ensure regulatory compliance. Title: Don't forget to cover your assets!  Oracle on Data Security Wednesday, June 6: 10:45 a.m. to 11:30 a.m. in Annapolis 1        Speaker: Vipin Samar, Senior Vice President Database Security Abstract: Data is the most valuable IT asset, but if not protected can become your biggest liability.  Join Oracle to discuss the latest innovations in securing databases both on premises and in the cloud.  Learn how preventive and detect/respond controls can secure your Oracle and non-Oracle assets, help ensure compliance to EU-GDPR and similar regulations, and simultaneously deliver a step-function improvement in your SOC efficiency. See you there!  

By Russ Lowenthal Data is the most valuable IT asset, but if not protected can become your biggest liability. EU GDPR is now being enforced (with the first GDPR lawsuits filed the very first day of the...

By Russ Lowenthal Data is the most valuable IT asset, but if not protected can become your biggest liability. EU GDPR is now being enforced (with the first GDPR lawsuits filed the very first day of the new law), and there is a global trend toward privacy legislation that mirrors GDPR. These new data privacy laws combined with weekly revelations of significant data breaches are driving organization to focus more and more on how to protect their sensitive data. The bad guys are after your data, and they are winning far too often. Hackers exploit unpatched systems; leverage weak, default, and stolen passwords; and slurp up unencrypted data wherever they find it. One of the many lessons in this year's Verizon Data Breach Investigations Report is that databases are high value targets.  In fact, Verizon highlights databases as THE top asset involved in the most significant data breaches. It's time to turn the tide and lock down these valuable data repositories. Gartner Security & Risk Management Summit 2018 is quickly approaching. Attending the event?  Please join Vipin Samar, Oracle's Senior Vice President of Database Security on Wednesday, June 6, to discuss the latest innovations in securing databases both on-premises and in the cloud. Learn how with multiple rings of control, you can protect your data from the bad guys and ensure regulatory compliance. Title: Don't forget to cover your assets!  Oracle on Data Security Wednesday, June 6: 10:45 a.m. to 11:30 a.m. in Annapolis 1        Speaker: Vipin Samar, Senior Vice President Database Security Abstract: Data is the most valuable IT asset, but if not protected can become your biggest liability.  Join Oracle to discuss the latest innovations in securing databases both on premises and in the cloud.  Learn how preventive and detect/respond controls can secure your Oracle and non-Oracle assets, help ensure compliance to EU-GDPR and similar regulations, and simultaneously deliver a step-function improvement in your SOC efficiency. See you there!  

By Russ Lowenthal Data is the most valuable IT asset, but if not protected can become your biggest liability. EU GDPR is now being enforced (with the first GDPR lawsuits filed the very first day of the...

IT professionals in every industry are searching to gain higher visibility and control over the use of cloud applications within their organization. This situation is not unique to a company based on size, industry, or location. As monitoring the cloud has become a common challenge in digital transformation, some companies are taking steps to change. Marlette Funding, a financial services technology company based in Wilmington, DE, wanted to better understand the actions of their employees and their 270,000 customers. Selecting the right cloud monitoring solution was extremely important to the company's Chief Information Security Officer, Chet Sharrar, the company evaluated several cloud service providers and did a thorough evaluation of their requirements. Marlette Funding built a strong partnership with Oracle and gained greater visibility into their cloud based environment through Oracle CASB.   The journey to adopting Oracle CASB, was prompted by several challenges, including: The need for visibility into the configuration of cloud services. Limited number of staff members and consolidated tools to complete administrative tasks. Lack of evidence demonstrating effective operation.   As a financial institution, ensuring compliance with security and information movement standards was paramount. CASB enabled their limited IT staff to set configuration controls and collect actionable evidence on the effectiveness of their operations. Three years later, Marlette Funding's use of CASB has matured and grown across their cloud environment, creating visibility and peace of mind.   Watch the full video featuring Chet Sharrar and learn more about how Oracle CASB and Oracle Security can support your compliance and cloud security strategies.    

IT professionals in every industry are searching to gain higher visibility and control over the use of cloud applications within their organization. This situation is not unique to a company based on...

Organizations are adopting the cloud across the stack, that is, applications (SaaS), platforms (PaaS), and infrastructure (IaaS). While cloud adoption started with applications, in the past few years, adoption of cloud infrastructure has grown rapidly. For example, the recent Oracle-KPMG Cloud Threat Report, 2018, found that 51% of the respondents were actively adopting IaaS, and a vast majority of them (81%) leverage more than one cloud IaaS. In fact, RightScale’s “2018 State of the Cloud Report”, found that 35% of businesses plan to increase their spend on public cloud services by 50% or more. While these statistics are quite staggering, the security challenges that are posed by this growth can be quite significant. While there is general consensus that there is a lot more comfort and confidence about security in the cloud, the biggest challenge we have seen is how IaaS services can be configured and monitored for security. Many organizations struggle with the shared responsibility model for security in the cloud, particularly as it relates to securing IaaS. One of the challenges they face is defining what secure use of IaaS is and who is responsible for it. While the services themselves are inherently secure and provide many options to fine-tune security, these services may be misconfigured, or may not adhere to the information security team’s standards. The ephemeral nature of the services makes it harder to manage. Leveraging multiple vendor services across departments/business units adds to the complexity. While each of these IaaS solutions is secure, information security teams and SOC operators do not have to use multiple tools for managing a consistent security posture, monitoring usage and configuration changes across IaaS solutions and gaining visibility into SaaS applications. The above challenges are discussed in greater detail in an upcoming webinar. Tune in and listen to Arun Goel, Director of Product Management for Oracle’s Cloud Access Security Broker (CASB) Cloud Service, and other industry experts discuss these issues and potential solutions to address these challenges.

Organizations are adopting the cloud across the stack, that is, applications (SaaS), platforms (PaaS), and infrastructure (IaaS). While cloud adoption started with applications, in the past few years,...

Well, it's only 5 days to go until the infamous GDPR deadline of 25th May 2018 and you can certainly see the activity accelerating. You would have thought that with the deadline so close, most organisations would be sat back, relaxing, safe in the knowledge that they have had 2 years to prepare for GDPR, and therefore, are completely ready for it. It's true, some organisations are prepared and have spent the last 24 months working hard to meet the regulations. Sadly, there are also a significant proportion of companies who aren't quite ready. Some, because they have left it too late. Others, by choice. Earlier this week I had the pleasure of being invited to sit on a panel discussing GDPR at Equinix's Innovation through Interconnection conference in London. As with most panels, we had a very interesting discussion, talking about all aspects of GDPR including readiness, data sovereignty, healthcare, the role of Cloud, and the dreaded Brexit! I have written before about GDPR, but this time I thought I would take a bit of time to summarise three of the more interesting discussion topics from the panel, particularly areas where I feel companies are struggling. Are you including all of your personal right data? There is a clear recognition that an organisation's customer data is in scope for GDPR. Indeed, my own personal email account has been inundated with opt-in consent emails from loads of companies, many of whom I had forgotten even had my data. Clearly, companies are making sure that they are addressing GDPR for their customers. However, I think there is a general concern that some organisations are missing some of the data, especially internal data, such as that of their employees. HR data is just as important when it comes to GDPR. I see some companies paying far less attention to this area than their customer's data. Does Cloud help or hinder GDPR compliance? A lot was discussed on the panel around the use of cloud. Personally, I think that cloud can be a great enabler, taking away some of the responsibility and overhead of implementing security controls, processes, and procedures and allowing the Data Processor (the Cloud Service Provider) to bring all of their experience, skill and resources into delivering you a secure environment. Of course, the use of Cloud also changes the dynamic. As the Data Controller, an organisation still has plenty of their own responsibility, including that of the data itself. Therefore, putting your systems and data into the Cloud doesn't allow you to wash your hands of the responsibility. However, it does allow you to focus on your smaller, more focused areas of responsibility. You can read more about shared responsiblity from Oracle's CISO, Gail Coury in this article. Of course, you need to make sure you pick the right cloud service provider to partner with. I'm sure I must have mentioned before that Oracle does Cloud and does it extremely well. What are the real challenges customers are facing with GDPR? I talk to lots of customers about GDPR and my observations were acknowledged during the panel discussion. Subject access rights is causing lots of headaches. To put it simply, I think we can break GDPR down into two main areas: Information Security and Subject Access Rights. Organisations have been implementing Information Security for many years (to varying degrees), especially if they have been subject to other legislations like PCI, HIPAA, SOX etc. However, whilst the UK Data Protection Act has always had principles around data subjects, GDPR really brings that front and centre. Implementing many of the principles associated with data subjects, i.e. me and you, can mean changes to applications, implementing new processes, identifying sources of data across an organisation etc. None of this is proving simple. On a similar theme, responding to subject access rights due to this spread of data across an organisation is worrying many company service desks, concerned that come 25th May, they will be inundated with requests they cannot fulfil in a timely manner. Oh and of course, that's before you even get to paper-based and unstructured data, which is proving to be a whole new level of challenge. I could continue, but the above 3 areas are some of the main topics I am hearing over and over again with the customers I talk to. Hopefully, everyone has realised that there is no silver bullet for achieving GDPR compliance, and, for those companies who won't be ready in 5 days time, I hope you at least have a strong plan in place.

Well, it's only 5 days to go until the infamous GDPR deadline of 25th May 2018 and you can certainly see the activity accelerating. You would have thought that with the deadline so close,...

Those immortal words "Elvis has left the building" struck many as the point of the night when the King of Rock would wrap his performance and leave the stage/venue.  Have you reached your own "Elvis" moment in your organization's approach to where your data resides?  Has it officially "left the building"?  Do you find more sensitive data, than ever, resides in the cloud and it's alarming to consider that fact knowing you lack some processes and controls? Unless you have been hiding under a rock over the last month, you have missed the exciting news of Oracle and KPMG jointly releasing the Oracle and KPMG Cloud Threat Report 2018.  One of the many topics we highlight in this in-depth report, is the challenges created from a more mobile workforce, coupled with broad cloud service adoption. Key findings from this report include 90% of organizations categorize half or more of their cloud-resident data as "sensitive". Compare that with the alarming statistic that 82% of cyber leaders are concerned that employees do not follow cloud security policies. We clearly need to better understand the challenges and risk, as we know Elvis isn't coming back. KPMG is hosting a replay of a very topical webcast for Oracle ERP customers that help them understand some of these challenges and how to easily overcome them with the proper people, policies and technology to ensure a more secure experience against fraud and abuse. Join this encore webcast presentation for an overview of: The cloud adoption and threat landscape Cybersecurity challenges Identity management in the new paradigm of anyone, any device, any location Leading practices and strategies in managing and remediating cloud risk Speakers for this Webcast are: Nick Seeman, Director, Oracle Security and Controls, KPMG LLP Greg Jensen, Senior Principal Director, Security - Cloud Business Group, Oracle @gregjensen10 To watch this streaming encore presentation now, click here

Those immortal words "Elvis has left the building" struck many as the point of the night when the King of Rock would wrap his performance and leave the stage/venue.  Have you reached your own "Elvis"...

By Vidhi Desai, Senior Principal Product Marketing Director, Cloud GTM Security, Oracle With the May 25 deadline for the European Union’s General Data Protection Regulation (GDPR) fast approaching, the reality is starting to hit home for companies of all sizes. There are hefty fines for noncompliance from the European Commission, but that is only part of the story. The ultimate toll for failing to adopt these important data security measures is arguably far greater, particularly for small- and medium-size businesses (SMBs). No Flying Under the Radar By this point, most companies, regardless of size, location or industry, have heard about GDPR. While this regulation is aimed at giving European Union (EU) citizens more control over their personal data and identifiable information, GDPR has far-reaching implications not just for large European companies and multi-nationals, but for SMBs based outside of the EU. Nevertheless, many non-EU SMBs still assume that GDPR doesn’t apply to their business – when in fact even indirect connections to EU citizens, such as an employee's spouse, put companies in the purview of this regulation. Have no mistake: The EU-U.S. cross-border connection is strong when it comes to GDPR requirements! Other misconceptions abound. One that comes up frequently, for example, is that regulators will initially focus on the largest companies, buying smaller enterprises more time to comply with GDPR requirements. The reality is that enforcement of GDPR will be coming from many different angles and include various data subjects, including individual consumers who suspect and report data security concerns. Meanwhile, any security breach would immediately raise the question of compliance. Given that cybersecurity attacks against SMBs have become more prevalent and data protection has become more important than ever, no organization should assume that it is absolved from the new EU regulation – all SMBs should be GDPR-compliant. For a more detailed overview of GDPR, download the white paper, Accelerate Your Response to the EU General Data Protection Regulation (GDPR) with Oracle Cloud Applications.   More Than a Slap on the Wrist In a global economy where data is a valuable resource, more companies have come around to the idea that GDPR compliance is more than just a regulation – it's an opportunity. Moreover, the cost of non-compliance is significant, whether infractions come to light via a routine audit of data protection, or a data breach. GDPR fines will be issued under two levels, based on the nature of the infringement, the type of data, and the history of infractions, among other criteria. The lowest level of GDPR fines will be up to €10 million, or 2% of worldwide annual revenue of the prior financial year, whichever is higher. The highest level of GDPR fines, meanwhile, can go up to €20 million, or 4% of annual revenue turnover. In addition to these penalties, EU and U.S. companies will need to contend with the cost of legal counsel, mitigation, customer relations, and public relations if they don't prepare for GDPR readiness. Finally, and perhaps most worrisome, is the potential damage to a brand’s reputation. While the impact of reputation is often impossible to quantify, it is arguably one that matters most of all. For growing SMBs, the loss of customer trust – via personal data breach, fines GDPR fines, or otherwise – could be the death knell of a business. Given everything that is at stake, updating security practices and infrastructure for GDPR before the end of May 2018 is a small price to pay for ensuring the ongoing success of your organization. To learn more about getting your organization on the path to GDPR compliance, download the paper, “Helping Address GDPR Compliance Using Oracle Security Solutions.”

By Vidhi Desai, Senior Principal Product Marketing Director, Cloud GTM Security, Oracle With the May 25 deadline for the European Union’s General Data Protection Regulation (GDPR) fast approaching,...

Written By: Tansy Brook  Director of Product Marketing  Facebook LinkedIn Twitter Google Plus Email Comment No one wants to think that their business will be the target of a ransomware attack or cybersecurity breach. But, with more than 4,000 ransomware attacks reported daily since the start of 2016 the odds are not in your small-to-medium-sized business’ (SMB) favor. The question isn’t if, but when. However, while it may be impossible to fully prevent a network attack, you can be prepared. Creating an incident response plan and then practicing it before anything ever goes wrong ensures that your SMB knows what to do if you become a victim. “You don’t want to wait until you are in the middle of an incident, running in emergency mode, to figure out how to react,” says Jay Patel, supervisory special agent with the Federal Bureau of Investigation’s Cyber Division. By having a security plan ready, your SMB can act quickly to remedy the situation—and hopefully, reduce the damage. When Do You Need to Build a Plan? (Answer: Yesterday) As soon as you have more than a couple of employees, and more than one software system, you should probably create an incident response plan. That’s because, from ransomware threats to business email compromise scams, cyberattacks aren’t just inconvenient—they can put your entire business at risk. “If you think it’s important enough to have a business, you should also think it’s important enough to protect it,” Patel says. Creating an incident response plan gives you the chance to think through and address multiple important issues. Not all businesses and data are equal. As the value and pace of data creation accelerates, the layers of complexity have grown exponentially. One of the biggest challenges is determining the amount of resources to allocate to a cybersecurity plan, through quantifying the costs associated with the risks to the business. “These are hard, but important, discussions,” Patel says. “You definitely want to have them before an event takes place.” As part of the process, your SMB leadership team must identify its sensitive information as well as the networks and files critical to the business function; they will need to discuss the hard costs, the potential impact on the brand, and disruption to the business. Cybersecurity spending is on the rise, “89 percent surveyed expect their organization to increase cybersecurity investments in the next fiscal year,” according to a recent Oracle and KPMG Cloud report.  Find out what the FBI recommends you do to protect your business from cyberattacks.   The Key Ingredients Every SMB’s cyber incident response plan is unique. However, most plans include some common security components. These include: Business critical information As noted previously, your plan will outline the operating systems and information that the business needs to function. This can include customer information, intellectual property, employee information, etc. In addition, understanding the value of the data shouldn’t be limited to one person. If they depart the business, it’s immediately at risk. Detection and containment methods Unfortunately, planning to 100% prevent a cyber attack isn’t really possible. Instead, an incident response plan will determine whether your SMB will detect an access breach or attack, and then how it will contain the security threat. Internal and external stakeholders Response plans also map out who may be affected by an attack, both within and also outside the organization and network. The security plan then denotes how you should notify these stakeholders. Outside vendors should be a part of a successful security plan. Often smaller companies will use Security-as-a-Service system. Circle of trust Ensure your vendors are trusted technology partners. The USA is a trust-based country, where companies and citizens take for granted that businesses are held to national security standards. But, the internet easily crosses borders, so it’s important to know where the vendor protecting your data is based.  SMBs should be wary accepting cybersecurity services from foreign or lesser-known companies, especially for penetration testing.  Fight bad tech with good tech The bad guys only need to get it right once, the good guys have to get it right all of the time. Each team member needs to be an amplifier of response, which can only be done by leveraging technology and making security part of a company’s DNA. Invest in advanced technology that automates event analysis and response, freeing up the human capital to focus on more complex issues. Cybersecurity is a growing area where technology and people can complement each other. Also, ensure that all of your systems are always-up-to-date. Cyberthreats are continuously evolving and your systems need to as well. Recovery and mitigation strategies A comprehensive incident response plan will prepare your SMB to recover lost files and information from the network, and lay out a plan for how to resume business after a cybercrime. Patel notes that plans should also address how to preserve evidence along the way, so that law enforcement can investigate what happened and who was behind the security attack.  Fortunately, you don’t need to create a cybersecurity plan from scratch. Both the National Institutes of Standards and Technology and the ISO 270001 provide frameworks that organizations can use to prepare an access incident response plan for computer systems. “Even a small business with five employees can utilize these guidelines,” Patel says. Plan, Practice, Repeat Incident response plans can’t be relegated just to your SMB’s information systems or one IT employee. For your plan to be effective, Patel notes that the organization’s senior leadership need to not only support the plan but also participate in its creation. “This is a business issue, and the business needs to be involved,” he says. In fact, Patel recommends that IT meet with their senior leadership regularly to discuss critical technology issues, network security, and educate the business side about what IT does and its resources. That way, when it comes time to create or update your incident response plan, non-technical leaders aren’t overwhelmed by the information. Once you’ve created your plan, the FBI suggests that SMBs practice it at least once a year as a general protocol. You may take your team offsite or find ways to make it fun. But ultimately, you want to run through the document to see what the response looks like in real life. Experiment with role-playing. That way you can identify holes in the security plan and discover what works and what doesn’t. Get in touch with your local FBI office to participate in local security events or host an information security day. The FBI has a number of resources to support SMB's. Build a relationship with them as part of your education and emergency plan, so you know who to go to in case of an emergency.  “Most organizations that practice a plan realize that many of their components fail,” Patel says. As part of your drill, your SMB should also preemptively reach out to your local FBI division to introduce your business and make sure you know whom to contact if something goes awry or a data breach arises. A cybersecurity incident response plan is a living file—one that requires at least annual review and updating. Take the time to make one, practice your emergency security plan and keep it current. If you do this, your SMB will be prepared for a cyberattack that hopefully never happens. For more information on the FBI's cybersecurity efforts, read their brochure, Addressing Threats to the Nation's Cybersecurity. Source: FBI.gov  

Written By: Tansy Brook  Director of Product Marketing  Facebook LinkedIn Twitter Google Plus Email Comment No one wants to think that their business will be the target of a ransomware attack or...