Cloud Security Perspectives and Insights

Organizations are thinking differently about the cloud. In fact, nearly half of respondents from the Oracle and KPMG Cloud Threat Report 2019 expect to store the majority of their data in the public cloud by 2020. The trouble is, that organizations must also start to think differently about IT security. Companies are being inundated with alerts and the sheer number of cloud applications being deployed within organizations has left many teams struggling to keep pace with securing their business critical data. So what does this have to do with protecting a kingdom? Good question. In a previous blog, Brian Jensen, Application Risk Consulting Sales Leader at KPMG, uses this analogy in great detail to explain that organizations no longer have the same layers of protection provided by the large castle walls of their on-premise past. They need to protect their critical data(the keep) regardless of where it resides. Jensen says, "Now there is no castle- every application and associated database has to stand alone and be protected on its own." In a new Oracle report, “Thinking Autonomous: IT Security and Risk”, we begin to explore the ways in which the cloud presents different challenges and threats as well as the benefits of incorporating autonomous technologies to better prevent and detect these threats. IT teams are stretched thin trying to maintain security, manage patches, and mitigate risk from shadow IT across their entire environment. During the interview highlighted in this report, I shared that, "Organizations face 3.2 billion events per month. Out of that 3.2 billion today, on average only 31 are actual security threats." Understanding which events are legitimate threats has become a significant hardship for IT team. Unfortunately, companies can’t hire their way out of this problem, there simply aren't enough resources to manually meet the demand. So organizations need to think smarter about this new world of IT. I believe that, "machine learning and artificial intelligence reduce false positives and get to the real threats and reduce mean time to response." By including intelligent automation, organizations can better address security risks in the cloud. "Fast-forward to databases supporting a number of different applications in a corporate environment owned by multiple divisions or locations, autonomous security is the key," says Brian Jensen. As increased cloud adoption continues, implementing automated technologies can help your organization reach new levels of efficiency, while supporting strong security practices. If you're interested in thinking differently about securing your data in the cloud, read our new paper, Thinking Autonomous: IT Security and Risk, to learn more about some of the risks organizations are facing and understand ways in which intelligent automation can help ease the burden.

Organizations are thinking differently about the cloud. In fact, nearly half of respondents from the Oracle and KPMG Cloud Threat Report 2019expect to store the majority of their data in the public...

Written By: Mark Brunelli  Catering software company CaterXpress is protecting its web application from distributed denial-of-service (DDoS) attacks with the Oracle Dyn Web Application Firewall (WAF). The Melbourne, Australia-based company is the creator of FoodStorm, a popular hosted application that makes it easy for catering companies to receive and track orders and manage customer relationships. CaterXpress has long used Oracle Dyn’s Domain Name System (DNS) for its “excellent performance and reliability,” said Anthony Super, the company’s director and co-founder. They recently decided to go live with Oracle Dyn WAF for an additional layer of protection against DDoS attacks and other cybersecurity threats such as cross-site scripting and SQL injections. “At first, I felt in my mind that a WAF product from Oracle was going to be way out of our price range,” Super recalled. “But after seeing the pricing I said, ‘This is a really good value. It’s actually a better value than the other providers we were looking at.’” All about CaterXpress CaterXpress launched in 2007 with a goal to become the world leader in catering technology. Fast-forward to today and the company has made great strides toward achieving that goal. “We’ve got some very high volumes going through our software at the moment,” Super said. “If you’re a catering company using FoodStorm, it really is the cornerstone of your operation. It’s a mission-critical system.” Why Oracle Dyn? The CaterXpress team began using Oracle Dyn Managed DNS soon after the company launched. Super reports that the DNS offering is easy to use and helps the company manage many customer domain names. “The technical features that it had were better than the competitors,” he said. “For example, Oracle Dyn DNS allowed us to point multiple domain names to one server automatically, which was something that a lot of other DNS providers didn’t do.” Super and his team were equally impressed with Oracle Dyn WAF and the Oracle Dyn’s technical account management team, which guided him through the process of testing and implementing the solution. “The Oracle Dyn team was very proactive in scheduling meetings and walking us through the implementation process and explaining everything,” he said. “They were just a phone call away. They were great.” Oracle Dyn WAF is designed to protect internet-facing applications while addressing the specific requirements of today’s multicloud and hybrid cloud IT environments. Configured as a reverse proxy, the WAF inspects all incoming web traffic and quickly identifies and blocks any malicious traffic. The WAF is fully managed, cloud-based, and distributed across Oracle’s global points of presence to ensure minimum latency and maximum coverage. Super added that the WAF’s biggest benefit is the peace of mind it gives him. “Now I can sleep at night knowing that we are ready,” Super said. “We’ve now got the systems in place to handle incoming threats, so that’s really good.” Learn more about how CaterXpress is using Oracle Dyn’s DNS and WAF today.  

Written By: Mark Brunelli  Catering software company CaterXpress is protecting its web application from distributed denial-of-service (DDoS) attacks with the Oracle Dyn Web Application Firewall (WAF). T...

Oracle Identity Cloud Service (IDCS) is a cloud native Identity-as-a-Service (IDaaS) platform, which also underpins Oracle Cloud. It serves as a single point of entry into Oracle Cloud, irrespective of whether you are using IaaS, PaaS, or SaaS. There are many ways to manage users within IDCS. However, the most common method I talk to customers about is the ability to synchronise users and groups from Active Directory (AD), either from an on-premise AD or from Azure AD. The user interface within IDCS makes it extremely simple to setup the required AD Bridge, as shown in the screenshot below. For administrators who need a hand, there is also a step-by-step tutorial within the documentation here. As you can see, it’s a simple process of defining where in the AD tree you want to sync users and groups from, how often, which attributes, and whether you plan to use federation or have users authenticate locally to IDCS. However, one of the areas I get asked about regularly is how you get more control over which users and groups synchronise, rather than the fairly coarse-grained OU structure represented by the two trees in the previous screenshots. The most common requirement I come across is to only synchronise certain groups as well as the users of those groups. Here’s a scenario….. Let’s say that I have a customer using Oracle Analytics Cloud Service (OACS). This will be accessed by a subset of the organisation, i.e. those responsible for MI dashboards, reporting etc. These users will usually be spread across various OUs within the AD tree and not all within a single container (or OU). Whilst a customer can sync all AD users to IDCS and then manage their access to OACS through group/role memberships, this approach unnecessarily syncs more users than needed. Fortunately, the IDCS AD Bridge has the capability to apply additional filtering over users and groups, and it’s extremely easy to configure. Let’s look at how I would address this scenario. I have created a group called Federated Users. In that group I have added 3 users from different parts of the AD tree. FedUser1 and FedUser2 are both in the cn=Users container, whilst FedUser3 is in the cn=IDCS Users container. The layout can be seen below. The first two screenshots show the users and groups and their positions in the AD tree. Here we see that the Federated Users group contains all 3 federated users. In order to tell the IDCS AD Bridge to only sync this group and the users who are in the group, we use the filter boxes below each tree in the IDCS AD Bridge configuration. This filter box is a standard LDAP search filter and therefore can be as complex or as simple as you need. To meet my scenario, my filters are straightforward. For the users, I select the top container in the tree (emeacloudpursuit.com), and ensure that the Include Hierarchies box is checked to process all containers. Within the filter, I add: (memberOf=cn=federatedusers,cn=Users,dc=emeacloudpursuit,dc=com) A similar approach is taken for groups. I select the top container again, check the Include Hierarchies box and enter the filter: (&(objectclass=group)(cn=federatedusers)) This final configuration is shown in the screenshot below. That’s it! Now when the sync runs, it will only sync my three federated users (by nature of them being in the federatedusers group), and will also only sync that same group, irrespective of how many users and groups I have in the rest of my AD. If you haven't had chance to look at IDCS yet, you can take advantage of a free Oracle Cloud trial by signing up here.

Oracle Identity Cloud Service (IDCS) is a cloud native Identity-as-a-Service (IDaaS) platform, which also underpins Oracle Cloud. It serves as a single point of entry into Oracle Cloud, irrespective...

Until recently, organizations typically only maintained a few encrypted databases. Those databases might store sensitive data like payment card numbers, social security numbers or even intellectual property like trading algorithms or coordinates for oil exploration. With only a nominal number of encrypted databases, managing encryption keys with an individual wallet wasn’t a particularly burdensome task. Encryption as a Necessity for All Databases Fast forward to today.  With relentless cyberattacks amounting to an estimated five billion records exposed in 2018, CISOs across the globe are mandating more widespread encryption of data as almost every piece of data can be exploited if it falls into the wrong hands. With large enterprises and federal agencies running thousands of databases, encrypting databases with individually managed keys and wallets is no longer an option. A complementary and robust key management system built on the tenets of availability and scalability is needed now more than ever. With Encryption Comes Key Management We released Oracle Key Vault 18 last month, specifically to meet the demands of large organizations increasingly deploying encryption across massive swaths of their database environments, sometimes every single database. These organizations needed a robust way to manage keys, with a resilient, highly-available key management system that could scale globally. Oracle Key Vault 18, with multi-master clustering of up to 16 nodes, is optimized to serve keys for thousands of databases in geographically dispersed data centers without creating undue operational burden. Continuous Availability Consider the fact that each Oracle database using Transparent Data Encryption (TDE) checks the Master Encryption Key every three seconds (a heartbeat to ensure the external key store is available) plus every single time a new database process opens an encrypted tablespace. In a busy database, there may be hundreds of requests to the key management system for the Master Encryption Key every second. As a result, absolute continuous availability of the key management system is paramount to your databases - you can’t be down for one second. That’s why Oracle Key Vault 18 was developed for ultimate resiliency supported by uninterrupted failover, meaning your databases can always get the key they need without any user intervention. Maximum Transparency When local wallets are replaced by centralized key management with Oracle Key Vault 18, the ‘transparency’ of Transparent Data Encryption further increases. Components like Oracle RAC databases, Oracle Data Guard, Oracle GoldenGate and others automatically know how and when to access shared keys in Oracle Key Vault 18. If your key management solution can’t do that, or it’s not available, the process is interrupted, causing outages that require human intervention, sometimes on weekends and after midnight, further increasing downtime and exacerbating the deleterious effect on operations. Extreme Scalability Oracle Key Vault 18 can scale both horizontally and vertically to handle growing loads, without any database downtime. Scale horizontally by adding more read-write pairs or read-only nodes to the Oracle Key Vault 18 cluster as more departments or lines of business add their databases to the cluster, for example. The pre-existing cluster will continue to provide uninterrupted key management as additional nodes are added. Or, scale vertically by upgrading servers. Because Oracle Key Vault 18 is a soft-appliance, it can be installed on literally any size server. As your business and encryption needs grow, scale up your Oracle Key Vault 18 ecosystem without downtime for your databases. Don’t Let One Solution Cause Another Problem Demands for encryption have risen immensely in recent years. Yet, if you encrypt, but don’t manage keys well, that can cause problems with access. Database encryption with Oracle Transparent Data Encryption gives you a secure foundation. Oracle Key Vault 18 allows you to further reduce risk and cut costs by consolidating encryption keys into a reliable, scalable, centralized key management cluster. If management is telling you to start encrypting, rest easy knowing that you already have the answer that ensures the requisite levels of resiliency, availability and scalability to meet your organization’s needs. Read the Oracle Key Vault 18 data sheet to learn more or download Oracle Key Vault 18 today.

Until recently, organizations typically only maintained a few encrypted databases. Those databases might store sensitive data like payment card numbers, social security numbers or even intellectual...

I suspect most people, like myself, are very visual learners. Whilst I can plough through reams of documentation, open standards, and whitepapers when necessary, I can usually skip a large proportion of reading when I see a picture, or even better, see things in action through a video or demonstration. Back in February this year, Oracle announced three new Edge services on Oracle Cloud Infrastructure (OCI): Web Application Firewall (WAF), Traffic Steering Policies, and Health Checks. There are plenty of good write-ups and articles on the above services, including the links I have provided above. However, I thought it would be useful to bring some of the new features of these services to life, starting with WAF. As a brief introduction, for those not familiar with WAF technology, the OCI WAF is an enterprise-grade, cloud-based edge security solution that's designed to protect internet-facing applications from cyberattacks. As introduced on its public webpage: The WAF includes over 250 predefined application, compliance, and Open Web Application Security Project (OWASP) rules. It also aggregates useful threat intelligence from multiple sources, including Webroot BrightCloud®. The WAF's bot management feature uses an advanced set of challenges—including JavaScript verification, CAPTCHA, device fingerprinting, and human interaction algorithms—to identify and block malicious bot traffic while allowing legitimate human and bot traffic to proceed. Once deployed, the OCI WAF also protects web-facing applications from Layer 7 distributed denial of service (DDoS) attacks. The description above summarises a number of key capabilities of the WAF. It is these that I am going to focus on below and attempt to bring each of them to life through a set of short videos. I am going to focus on 4 key use cases: Protection Rules Access Control Threat Intelligence Bot Management Within my demo environment I have deployed a simple website emulating a freight shipping company. The website is deployed on a web server within OCI (although it could have been deployed anywhere with an internet facing endpoint.) I have configured a number of clients to access the website, as shown in the diagram below.   Client Connection Route Chrome Direct connection to the website Firefox Connected to the website through WAF Postman Connected to the website through WAF TOR (The Onion Router) Connected to the website through WAF   Scenario 1 - Protection Rules WAF contains over 250 pre-defined protection rules. The rules match web traffic to rule conditions and determine the action to be taken when the conditions are met. Protection Rule Settings allow you to define the parameters for enforcement any time a protection rule is matched. The pre-defined rules help to protect against the most important threats as defined by the OWASP Top 10, e.g.: A1 – Injections (SQL, LDAP, OS, etc.) A2 – Broken Authentication and Session Management A3 – Cross-site Scripting (XSS) A4 – Insecure Direct Object References A6 – Sensitive Data Exposure A7 – Missing Function-Level Access Control The WAF also monitors requests to your protected endpoints and provides recommendations as to which rules to enable. Recommendations are a great way to optimize your WAF security profile. The Security Operations team proactively monitors all events to provide recommendations about the action of a specific ruleset. See Supported Protection Rules for additional information. In my demonstration, I have configured the protection rules to monitor for sensitive data being entered into the website. In my case, this is credit card data. If seen, the WAF is configured to block the traffic.   In this scenario, you saw how the protection rules can reduce the risk to an organisation by preventing some of the top attacks, commonly seen against web applications. The use of OCI WAF can also increase the security of all of your web applications by ensuring a consistent set of protection rules is applied.   Scenario 2 - Access Control Access rules are used to define explicit actions for requests that meet various conditions, including: HTTP Header Information Geography URL address matching IP address In my demonstration, I am using the URL address matching rules to block access to a particular area of the website. Whilst this is a simple example, I could easily combine it with other access control rules to provide capabilities such as geo-fencing access to that part of the website. As with scenario 1, I have configured the outcome action as block. However, I could have allowed the WAF to detect and log only.   The benefits of using access control within OCI WAF include increased compliance, ensuring that only the appropriate users in appropriate locations can access your web application. It also helps to reduce risk by enabling access to be locked down using the right criteria.   Scenario 3 – Threat Intelligence Oracle WAF takes feeds from a number of threat intelligence providers to ensure it has the latest, up-to-date information on suspicious IP addresses. At the time of writing this article, Oracle WAF takes 19 different feeds. The full list can be found here. For my scenario, I decided to block access to my freight website for any users of a TOR browser. As with the previous examples, I opted for a blocking action, rather than just detect and log.   Given the very dynamic nature of threatening sources on the internet, having a strong set of threat intelligence feeds is important. This scenario demonstrates that OCI provides actionable, up-to-date threat intelligence feeds so that you can reduce the risk of a request coming from a bad source.   Scenario 4 – Bot Management Bot Management enables you to mitigate undesired bot traffic from your site using CAPTCHA and JavaScript detection tools, while enabling known published bot providers to bypass these controls. Non-human traffic makes up most of the traffic to sites and bot attacks were the #1 web security threat (Verizon Data Breach Report 2015-2018). Bot Manager is designed to detect and block, or otherwise direct, non-human traffic that may interfere with site operations. The Bot Manager features mitigate bots that conduct content and price scraping, vulnerability scanning, comment spam, brute force attacks, and application-layer DDoS attacks. You can also whitelist good bots. In this demonstration, I have configured two use cases. The first shows how OCI WAF can present a CAPTCHA to validate the user is a human, without requiring any change to the protected web application. The second use case shows how a non-human bot can be automatically blocked. The possible outcomes from detecting a bot can include, issuing the CAPTCHA challenge, displaying an error page, or returning a specific HTTP response code. For this example, I chose to return a CAPTCHA for human users and a HTTP 403 error code for non-human errors.   Bad bots are a major risk on the internet today, as highlighted in many surveys and reports, such as the Verizon Data Breach Investigation Report. Therefore, having a capability to stop the bad bots before they even hit your web application is important. This scenarios shows how OCI WAF reduces your risk by blocking the bad bots at the network edge, at the same time increasing availability of your web application by ensuring only legitimate traffic accesses it. Summary The above videos are not an exhaustive set of capabilities for OCI WAF, rather just an introduction to some of the key capabilities within the platform, using simple, visual examples. Utilising a WAF to protect your internet facing web applications is one layer of a multi-layered defence, helping you to: Reduce risk Increase availability Increase compliance Don’t just take my word for it. Feel free to have a go. You can sign up for a free trial of Oracle Cloud here. Being a cloud-based service, you can be up and running and protecting your web applications within minutes.

I suspect most people, like myself, are very visual learners. Whilst I can plough through reams of documentation, open standards, and whitepapers when necessary, I can usually skip a large proportion...

Authored By: Timothy Mooney, Senior Principal Product Marketing Director If you’re an Oracle DBA, you’ve probably used Oracle Enterprise Manager (EM). It’s the de facto tool that DBAs have relied on for more than a decade. Which is why we’re excited to bring to you the dashboard for the modern database fleet. This new update will enable support for the Oracle Autonomous Database in Oracle Cloud along with many other new capabilities. Why is this news important? According to a survey by the International Oracle User Group, 6 in 10 respondents say the amount of resources going into legacy maintenance is hurting their organizations’ competitiveness. The dashboard coupled with the Autonomous Database frees up time spent on maintenance. Leaving you with more time to spend on innovation. You can now manage Autonomous Databases as a part of your fleet as well as a bigger fleet with your new capabilities. So how does it work? Enterprise Manager continues to add features and support for new targets ensuring you get the deep visibility you are used to regardless of where your database targets are running. You get the same visibility whether they are running in your datacenter, Oracle Cloud infrastructure, and now including the Autonomous Database. Some DBAs have set up their own monitoring and management, which is great, although it is getting progressively more complex and labor intensive with the growth of additional databases and moreover, the complexity of many deployment models, including on-premises, in the cloud, and the Autonomous Database. At the same time the database world gets more complex, Oracle Enterprise Manager continues to make it simpler regardless of where your databases are deployed; they are all managed and monitored the same, in a single pane of glass.  And troubleshooting is also easier with the performance hub, which houses all the most valuable troubleshooting tools reside in a one-stop shop, including ASH reports ADDM, and AWR reports.  On top of making Enterprise Manager easier to use, our new release of Enterprise Manager is also available on the Oracle Cloud Infrastructure marketplace.  With a few clicks you can stand up an instance of Oracle Enterprise Manager in Oracle Cloud Infrastructure. You don’t need to have your own hardware or datacenter for that matter. It’s all available for you in the cloud. To get a sneak peek, register for this on-demand webcast, Introducing the Dashboard for the Modern Database Fleet to learn how administrators can get deep performance visibility for Oracle Autonomous Database with complete control over their entire database environments including on-premises and cloud deployments.  Find us on Twitter @OracleSecurity to learn about Oracle Security news, events, and more.

Authored By: Timothy Mooney, Senior Principal Product Marketing Director If you’re an Oracle DBA, you’ve probably used Oracle Enterprise Manager (EM). It’s the de facto tool that DBAs have relied on...

Maintaining Security with Encryption while ensuring availability at scale with Oracle Key Vault 18.1 You’ve been working on a business-critical project for months and it’s almost ready for executive consumption. Just one last data set to be completed and it’s done. But when you try to access the database this morning, an error message says “Decryption Key Missing”. “No problem,” you think to yourself. My wallet is on an adjacent server and, with a simple password entry I’ll be back in business. But when you search for the wallet (the password-encrypted container that holds your encryption keys), you get another dose of bad news: the file is gone. In a panic, you call up the new Database Administrator and ask if she knows anything about missing encryption keys. “Bad news,” she says, “that server had issues recently. The drive got corrupted and the server hasn’t been backed up for a while.” Your heart sinks. All that work. You were so close, and now you’ll have to start over. Then another level of fear grips you: you don’t have the data to start over. But it gets worse. An even deeper realization hits you as adrenaline starts to pump through your system: Not only is your project toast but that data set was being used by two other teams that report into your COO and they won’t be able to access it either. As the liability spreads, so does your sense of dread. In a panic, you ask the DB Admin If there’s any way she can retrieve the data. The Good News and the Bad: “It’s Protected” “Well,” she says “it’s encrypted and that’s a good thing —Donahue requires all sensitive data to be encrypted in case of a breach.” You recognize the name Donahue as the CISO that was hired at the end of last year after the data breach at your Los Angeles office got the previous one fired. “But you still need a key to read any of the encrypted data,” she continues. “Can’t we get the database vendor to open it up for us?” “Nope…that’s part of the deal with transparent database encryption: even the vendor can’t hack in. Has to do with separation of data administration from the data itself.” More Common than You Might Think This a more common occurrence than most would like to admit. If one Googles “lost decryption key” you get about 1,300 hits, from help forums and news clips. Encryption is a necessity these days — not just for maintaining security and protecting your corporation’s data — as it’s written directly into much of the recent data security legislation. Article 34 of the GDPR, for example, states in the event of a breach, if the data at risk is encrypted, the requirement to contact each data subject affected is removed Caught between a Rock and a Hard Place So, if you can’t do without encryption, yet you can’t risk losing your encryption keys — and let’s face it, many large enterprises have thousands of encrypted databases, each with their own key, and yet another for their backup copy — then what are you supposed to do?                                                            This is where Oracle Key Vault comes in. Oracle Key Vault enables organizations to quickly deploy encryption and other security solutions by centrally managing encryption keys, Oracle Wallets, Java Keystores, and credential files. No more managing wallet files. No need to track keys throughout their lifecycle. And no chance of a new DB Admin deleting your only encryption key. Oracle Key Vault 18 Oracle Key Vault 18 introduces new multi-master clustering functionality, improving the availability and scalability of key management operations, while significantly reducing the operational burden. This means you’ve got keys for all your currently active databases as well as your backup versions.  And they’re managed, secured, and compliant. Databases can connect to any node in the Oracle Key Vault cluster to get encryption keys. Any updates to keys or changes to authorization rules are quickly replicated to all other Oracle Key Vault nodes. If the Oracle Key Vault connection fails or node goes down for any reason, the database servers transparently failover to the nearest active Oracle Key Vault node. And the best part:  it manages your wallets for you. So, when you wake up from that bad dream about your lost decryption key, and actually get to work this morning, your data is there, safe, and accessible. You finish that big project on time and get the recognition you deserve from your group VP: “a job well done.” For more information, review the Data Sheet and FAQ, and be sure to watch the replay of our Database Security Office Hours session focused Oracle Key Vault.  So, if you are using Oracle Database Transparent Data Encryption (TDE), or MySQL database TDE, download the Oracle Key Vault 18 software today from Oracle Software Delivery Cloud.  If you are an existing Oracle Key Vault customer, be sure to upgrade to Oracle Key Vault 18 (patch 29695836 from Oracle Support).

Maintaining Security with Encryption while ensuring availability at scale with Oracle Key Vault 18.1 You’ve been working on a business-critical project for months and it’s almost ready for executive...

Today’s databases run huge workloads, with big demands on their availability, scalability, and security.  Encryption has now become common place in today's cybersecurity and regulatory landscape, but people often struggle with securing and managing the keys. Not only do they need an easy to configure and manage centralized key management solution, but they also need a system that is resilient to network, operating system, and other node failures.  Additionally, the key management system should be able to keep up with the availability requirements of thousands of databases spread across data centers.  We are thrilled to announce that Oracle Key Vault 18 with multi-master clustering is now available for download.  It provides unprecedented improvements in the scalability and availability of keys, while significantly decreasing the operational burden of key management.  Oracle Key Vault cluster is optimized to serve keys for tens of thousands of databases, and at the same time handle disaster scenarios too common in today's world. Based upon feedback from our customers, we redesigned Oracle Key Vault to be continuously available for both read and write operations without any data loss.  Now customers can group up to 16 nodes to form a multi-master cluster that can be deployed across geographically distributed data centers.  All nodes run in active mode and significantly lower the total cost of ownership. Databases can connect to any node in the Oracle Key Vault cluster to get encryption keys.  Any updates to keys or changes to authorization rules are quickly replicated to all other Oracle Key Vault nodes so they are available on at least one other node providing zero data loss. If the Oracle Key Vault connection fails or an Oracle Key Vault node goes down for any reason, the database servers transparently failover to the nearby active Oracle Key Vault nodes for read/write operations without any down time, hiccups, or user intervention. Oracle Key Vault has been extended for streamlined management and security through: Introduction of RESTful APIs to support the full portfolio of key management operations such as create key, register secret, get key, and revoke/destroy key Integration with external Hardware Security Modules (HSM) as root of trust Capability to run in the FIPS mode for stronger assurance through FIPS certified cryptographic modules Oracle Key Vault provides key management for Oracle Database 11g Release 2 and later releases running on a variety of platforms including Oracle Linux, Red Hat Linux, Solaris Sparc, Solaris x64, IBM AIX, HP-UX, and Microsoft Windows. Oracle Key Vault is the only enterprise-grade key management solution tightly integrated with Oracle databases including support for Transparent Data Encryption (TDE), Real Application Clusters (RAC), Multi-tenant databases, Data Guard, Golden Gate, and ASM Cluster File System. For more information, review the Data Sheet and FAQ, and be sure to attend our upcoming Database Security Office Hours session focused on Oracle Key Vault 18.  So, if you are using Oracle Database Transparent Data Encryption (TDE), or MySQL database TDE, download the Oracle Key Vault 18 software today from Oracle Software Delivery Cloud.  If you are an existing Oracle Key Vault customer, be sure to upgrade to Oracle Key Vault 18 (patch 29695836 from Oracle Support).

Today’s databases run huge workloads, with big demands on their availability, scalability, and security.  Encryption has now become common place in today's cybersecurity and regulatory landscape, but...

Thirty percent of respondents in the Oracle and KPMG Cloud Threat Report stated their biggest cloud security challenge is aligning regulatory compliance requirements with their organization’s cloud strategy. This is not to mention the increasing number of threats companies must face every day. Limited resources and staff often leave organizations spread to thin when trying to meet their security and compliance objectives. This week we sat down with Ted Sherrill, Senior Director of Security & Regulatory Solutions in North America at Oracle for a Q& A about the current state of security and compliance for organizations making a transition to the cloud. Our conversation was sparked by the upcoming webcast, Oracle Adaptive Controls for Evolving Threats and Compliance Requirements, this Wednesday, May 8th. We examined some challenges, companies face as they strive to abide by compliance requirements while continually fighting these evolving threats. Cloud transformation has become a priority initiative for most organizations, how should IT/Security teams plan to adopt cloud services while keeping their compliance needs in mind? Security and compliance budgets are limited and every control requires an effort to implement and sustain. Because of this, it’s important to limit the number of controls required for attaining regulatory requirements as well as meeting risk remediation objectives. Utilizing a security framework like NIST can help an organization identify which controls can be utilized from both a compliance and remediation perspective. It’s also vital to understand which of these controls can be utilized both on-premises and in various cloud environments, because if you don’t apply compliance and security in a strategic way, you may implement duplicate or unnecessary controls.   It’s been a year since GDPR took place and CCPA is just around the corner, how do you think organizations in North America will respond?  Many organizations were not subject to the GDPR due to not collecting EU resident data such as some organizations that operate in North America only. Many of those organizations are going to be subject to the CCPA and therefore will need to attain reasonable security procedures and practices for protection of the personal data along with attestation for what personal data they possess for a data subject and which third parties this information is sold to. The organizations that are subject to the EU GDPR have a head start on organizations that were not but many of them are having to enhance their policies, processes and controls for the variations with CCPA. Oracle provides solutions like the Database Security Assessment Tool (DBSAT) that can assist customers with identifying where personal data resides and existing controls in place to protect it.  To hear more from Ted and learn about adaptive controls register for this upcoming webcast, Oracle Adaptive Controls for Evolving Threats and Compliance Requirements on May 8 and join us on twitter to get the latest on all things Oracle Security.                                                      

Thirty percent of respondents in the Oracle and KPMG Cloud Threat Reportstated their biggest cloud security challenge is aligning regulatory compliance requirements with their organization’s...

It is the age-old adage that you are only as strong as your weakest link, and this has never been more true.  We see it in the movies when the intelligence agent approaches the well funded bad guy’s fortress with hundreds of millions in security, infrastructure, weaponry to protect their interests and what ultimately fails them?  That silly underground access panel with a 4 digit passcode requirement.  This is our reality in today’s consumer, business and government environments. We invest a phenomenal amount in people, processes and technology, but for the one key component that ties it all together (the password) we default to what makes our job easier to remember.  This continues to be the weak link for organizational security. The recent Oracle and KPMG Cloud Threat Report 2019 surveyed 450 global organizations and found that 85% of these are looking to replace the password.  Can this really be done?  What would it be replaced with?  The consumerization of IT has done more to influence the way business operates than nearly anything outside of the internet itself.  We have seen this in cloud.  As consumers we have adopted a massive amount of cloud and mobile tech in the last 10 years to make our personal lives more productive, vibrant and engaging. With that, came the expectation by many that our employers should be able to deliver similar type of business-enablement technology, which we have obviously seen.  This same consumerization of IT has also ushered in our views around password management. While we have seen numerous business Single Sign-on “inspired” apps crop up for the consumer market, the wave of new smartphones, tablet and laptops using biometrics (facial recognition, retinal, fingerprint) have hit the market to help simplify the login options for consumers, and also forced the question, “Why can’t we use this same technology in business?”  Do we see the password truly being replaced by a fingerprint, or a face ID? Not any time soon.  There are too many documented cases of this biometric data being stolen or compromised.  Reality is this, if my password is stolen, I can reset it. If my biometric data on my fingerprint or face is stolen, this can never be changed.  So for this reason alone, the death of the password is not likely. So what is a viable option for the 85%? The reality is, every organization should be looking for ways to wrap a second form of authentication around the password (known as two-factor auth).  We see 92% of organizations either have implemented or plan to implement Multi-factor Authentication (MFA) around key business-critical services over the next 18 months. Central to effectively managing this is to gain a foothold on your credential management. The incorporation of mobile and cloud into any business adds more layers of complexity so businesses need to plan accordingly around the following: Develop a unified identity management strategy that covers on-prem into the cloud (hybrid cloud) and set goals for 8 min provision, 2 min deprovision (for example) of all accounts. Enforce complex password policies (unique per service, use of SSO to manage) Recognize password management isn’t an IT issue, cyber issue, or help desk issue….it’s all the above.  Today’s identity is the center of all infrastructure, IT and security initiatives. Educate your users on best practices around password management While today is not necessarily a celebration of “World Password Day”, it is simply a reminder for organizations that they have 365 days to show successful growth from this day, to our next “anniversary” of “World Password Day”.  Let’s make sure we all are using this time wisely.  For more information on discovering the key challenges organizations are dealing with in password management, you can download the Oracle and KPMG Cloud Threat Report, or for information on how Oracle continues to be a leader in the area of Identity Management 5 years running, visit our Oracle Security webpage for more information on our Oracle cloud security technologies.

It is the age-old adage that you are only as strong as your weakest link, and this has never been more true.  We see it in the movies when the intelligence agent approaches the well funded bad guy’s...

Imagine you’re a VP of Finance and you discover that one of your accountants has made 200 illegal transfers into her personal accounts by using the login credentials of former staff to delete the records or alter them so the transactions appeared legitimate. The company suffered a $30 million net loss and now you have to deal with the repercussions. While this scenario might seem rare, it happens all too often. Many companies rely on enterprise resource planning (ERP) systems to run their business-critical processes with access to sensitive data, making them very appealing targets for hackers and disgruntled employees. ERP systems are used by organizations to manage day-to-day business activities, such as accounting, procurement, project management and manufacturing, while enabling data flow between them. This shared data provides data integrity with a "single source of truth". And with cloud, mobile, and digital transformations rapidly expanding ERP’s attack surface, organizations must educate themselves and take appropriate action to make sure that their business operations are not disrupted. The first step is to understand where the cloud service provider’s responsibility ends and the company’s responsibility begins. This division of labor is the shared responsibility model and many companies do not understand their responsibility. According to the Oracle & KPMG Cloud Threat Report, participants shared that “such confusion has led to the introduction of malware (34%)”, “it has exposed them to increased audit risk (32%)”, and it “has also put data at risk, with 30% of organizations reporting that, as a result, data was accessed by unauthorized users.” In order to avoid scenarios like fraud and data theft, companies need to understand their responsibility and take appropriate action. Additionally, manual processes and archaic tools are not enough to deal with this evolving threat landscape. Organizations must leverage tools such as Oracle Identity Cloud Service (IDCS) and Oracle CASB Cloud Service to help protect their ERP from fraud, data loss, and make sure the right people have access to the right information. By using a tool such as Oracle IDCS with a user life cycle management tool, the accountant would have never been able to use the login of former staff because terminated employees would no longer be able to log in. The company could have also leveraged user and entity behavior analytics (UEBA) to correlate users with suspicious activity and set policies to remediate. With Oracle CASB Cloud Service they would have been able to monitor and detect fraudulent patterns. With ERP exploitations on the rise, organizations must take the appropriate action so that their sensitive data is not stolen, and that their business critical application is not compromised. Learn more about the rise of cyber threats and how to safely secure your ERP.  

Imagine you’re a VP of Finance and you discover that one of your accountants has made 200 illegal transfers into her personal accounts by using the login credentials of former staff to delete the...

I remember watching the news coverage of Hurricane Katrina and the wildfires in Paradise, CA, and it’s hard not to have your heart break for the victims of natural disasters.  For that, I’m so grateful that organizations like the American Red Cross exist.  In researching information for this blog, I learned that for 136 years, the American Red Cross has been dedicated to serving people in need during disasters through volunteers and the generosity of donors.  They told us at OpenWorld that they provided more than 3.6 million meals and almost 1.5 million relief items in 2017 alone.  Those are staggering numbers and with 90% of the Red Cross workforce as volunteers, I can imagine it must be a daunting task to coordinate all of the supplies for the volunteers.  With so many volunteers, donations, and locations to distribute materials to those who need help, I am sure that the Red Cross has a strong system to ensure aid gets to the right people in their time of need.  From a logistics perspective, the American Red Cross has five nationwide distribution centers, and they open smaller, temporary hubs, along with rental warehouse space and trucks in areas hit by disaster.  Volunteers step up to stock the warehouses, run the shelters, and transport supplies for up to two weeks at a time. All of these logistics are dizzying, but I am grateful that the American Red Cross has built an early mobile system to get a single view of everything for the volunteers – orders, inventory, and transportation services in a streamlined process.  I’m proud to be a part of Oracle, because Oracle is part of that integrated system.  Oracle Cloud Platform, with Mobile Cloud Service and Integration Cloud, integrated with Oracle E-Business Suite, help deliver a mobile application to order, process, and track donations for the volunteers.  The Red Cross uses Oracle Identity Cloud Service (IDCS) to authenticate the volunteers to ensure the donations do not fall into wrong hands and volunteers can quickly distribute help to those in need. Normally, when we think about IT security, images of large data centers and codes of data security come to mind.  With the American Red Cross, we are reminded of the importance of security to identify and validate all of those volunteers for the Red Cross to make sure that they have a single view of the inventory, orders, and transportation to set up a shelter and provide help to those who need it quickly.   Identity Cloud Service, a key part of the Oracle Security portfolio, provides a cloud-based, integrated service that delivers all of the core identity and access management to organizations of all sizes.  With IDCS, the Red Cross has a single, aggregated view of the volunteers’ identities across all channels (mobile and on laptops) to define and enforce consistent identity policies.  The mobile application that was shared at OpenWorld 2018 was still a pilot, but the senior director of information technology, Susan Gorecki, sounded optimistic when it went live after Hurricane Florence in September 2018.  I look forward to hearing more about how the mobile app will continue to be rolled out to help more people in the future.  Visit the Oracle Identity Cloud Service webpage to learn how IDCS can help your organization. 

I remember watching the news coverage of Hurricane Katrina and the wildfires in Paradise, CA, and it’s hard not to have your heart break for the victims of natural disasters.  For that, I’m...

A critical shift in cloud usage has occurred, organizations are no longer looking at cloud as nice to have. Cloud deployments have transitioned into business-critical initiatives for organizations looking to innovate their business, increase efficiency, and improve security. In fact, the Oracle and KPMG Cloud Threat Report 2019 shared that nearly half of all respondents expect to store the majority of their data in a public cloud by 2020. This promising shift in cloud usage is highlighted in Oracle’s Top 10 Cloud Predictions 2019. The paper highlights several exciting predictions such as the further incorporation of automated and AI technologies into every layer of security. These innovative solutions enable greater accessibility for non-technical business users who are looking for a tool that can be easily managed and reliable. However, this speedy innovation has caused challenges within the organization; securing applications (and your environment as a whole) is more critical than ever. The Cloud Threat Report also found that 93% of respondents are dealing with rogue cloud app usage, in other words, IT organizations are struggling to keep up with their LoBs and the risk of a breach is greater than ever. Risks are Real, The Future can be Promising Organizations are reaping the benefits of cloud usage, but they must also be aware of potential risks. Companies no longer retain the sole control over their data. The rapid roll out of cloud solutions has left many organizations struggling with visibility. These organizations have multiple tools all designed to complete a specialized function, but not intended to integrate together to create a full picture. Understaffed IT security departments simply do not have the bandwidth to piece together all of the notifications from their disparate systems. This vulnerability gap leaves organizations susceptible to attack. The paper predicts 90% of enterprises will use a single identity platform that bridges the visibility gap within hybrid environments. Food for thought when we consider the massive amount of data each user in our organizations may have access to. Standardizing your identity platform on a modern tool designed to meet the needs of both on premises and cloud solutions is critical in protecting not only your users, but also your corporate applications and sensitive data. Organizations also find that with a unified hybrid IAM solution, they are better able to support their security and compliance objectives all while improving user experience and trust. Security Events Will Continue to Rise, How Will You Respond Streamlining tools and increasing automation will be critical as the paper’s ninth prediction states that the number of security events will continue to rise in 2019. Organizations are pounded with hundreds or even thousands of security events each week. The overwhelming number of events makes it impossible for teams to catch and act on every real threat. So how do we compete with highly sophisticated attackers? The recent Secure and Manage Hybrid Clouds guide, discusses the importance of incorporating AI and machine learning capabilities into your security strategy. Cyber criminals are utilizing automated technologies to blend into your environment and sneakily expose or steal your sensitive information.  Organizations looking to beat these attackers at their own game must bring automation to the forefront and work on better ways to train all employees on security best practices. These small steps can protect an organization’s employees, customers, and brand reputation. As we head into the second half of this year, think about the changes you see on the horizon for organizations in your industry. Any predictions? Access Oracle’s Top 10 Cloud Predictions 2019 to see a full list of cloud predictions that could affect your organization and understand strategies to address them.

A critical shift in cloud usage has occurred, organizations are no longer looking at cloud as nice to have. Cloud deployments have transitioned into business-critical initiatives for...

The security stakes are higher than ever as more mission-critical workloads -- and their data -- move to the cloud.

The security stakes are higher than ever as more mission-critical workloads -- and their data -- move to the cloud.

Is your organization using SaaS applications? The answer is most likely yes, with 84% of organizations who participated in the Oracle and KPMG Cloud Threat Report 2019 stating that they use SaaS services within their company. There is no denying the cost and time savings an organization can get from consuming SaaS services. What is even more interesting, is that organizations are now adopting SaaS for their mission-critical applications. Organizations have made a shift with 69% of respondents stating that more of the cloud services they use are business critical compared with just 12 months prior. Companies are reaping the benefits of cloud, but they must also be informed and prepared to protect their apps, users, and data. Join the creators of the Oracle and KPMG Cloud Threat Report 2019 as they discuss highlights from the report and touch on emerging cyber security challenges and risks that organizations are facing today. Join the webcast for an overview of: - Cloud utilization and adoption trends - The shared responsibility security model - Using AI and machine learning in your security program - Leading practices and strategies in managing and remediating cloud risk ERP Risk Series: Oracle and KPMG Cloud Threat Report 2019 April 17th 2:00pm EDT Register Now!

Is your organization using SaaS applications? The answer is most likely yes, with 84% of organizations who participated in the Oracle and KPMG Cloud Threat Report 2019 stating that they use SaaS...

Security attacks are getting more sophisticated, with Fast Company predicting that the security industry will see a rise in AI-powered malware, smart phishing, AI-powered defenses, trust attacks, and more.  Those attacks could go after your database, where all of the rich data for your company is stored.  You, as the database administrator and security professional, must keep up.   Industry research firm IDC found that as much as 75 percent of the total cost of database management can be attributed to labor, and some of that labor is focused on securing the database. The simple act of keeping up with the latest patches and vulnerabilities is dizzying.  According to the Verizon Data Breach Investigation Report, 85% of security breaches today occur after a common vulnerability and exposure alert has already been issued but has not been addressed. The natural question is, how can you use the sophistication of Machine Learning and AI for the good of securing your database?  Can you find a way for your database to secure itself? An autonomous database can combine the dynamic agility of the cloud with the intelligence of machine learning.  As a result, organizations like yours can transform their IT operations for their database security from a manual process into a modern cloud model that lowers operating expenses, eliminates costly downtime, and ultimately enables security and database professionals like you to innovate using fewer resources. The Oracle Autonomous Database is designed to deliver these benefits across three primary categories, with minimal to zero human intervention: self-driving database and infrastructure provisioning, management, monitoring, backup, recovery and tuning, self-securing database which automatically protects itself from internal and external vulnerabilities and attacks, and self-repairing database which provides preventative protection against unplanned and planned downtime.  As a security expert, the Autonomous Database allows you to sit back, relax, and let Oracle do the driving, knowing that your data is secure. As a result, you see automatic, in-depth data protection at all levels, and you can focus on database administration instead of security concerns. Join us on May 1st to hear from Oracle’s security experts about how Oracle Autonomous Database self-secures itself and proves that self-securing databases are a reality.  Register today!

Security attacks are getting more sophisticated, with Fast Company predicting that the security industry will see a rise in AI-powered malware, smart phishing, AI-powered defenses, trust attacks, and...

One year ago, we hosted one of our most successful events in the “Big Apple” and Oracle and KPMG are back in New York again to host our annual Oracle Cloud Security Day on May 7th. Registration is live now, and seating is limited!  According to the recent Oracle and KPMG Cloud Threat Report 2019, organizations are placing a tremendous amount of business-critical data in the public cloud than ever before. In fact, 7 out of 10 cite that they are placing more sensitive data in the cloud than the prior year. We also see 92% of organizations that feel the cloud can provide as secure or more secure of an environment than their own on-premise data center, so trust is at an all-time high.  What complicates this is the fact that while there is tremendous trust and increasing plans to transition to the cloud, there is a great deal of confusion on just how to do this in a way that reduces risk, prevents cases of fraud, ensures data protection and privacy regulations are not violated and sophisticated threats are not impacting customer data. 90% of cyber leaders state that they do not know what their organization’s role is in securing SaaS relative to their cloud provider. This full day session will be focused on breaking down the growing risks, examples of fraud, data breaches and areas where data privacy and protection regulations are most at risk. Oracle and KPMG leaders will present how layered defense and controls can work to mitigate the risks each organization is facing today and help each organization make their cloud journey a successful one.  Register today for this New York event, or for another event near you.

One year ago, we hosted one of our most successful events in the “Big Apple” and Oracle and KPMG are back in New York again to host our annual Oracle Cloud Security Day on May 7th. Registration...

Have you registered yet for the Oracle Cloud Security Day near you? Now is your time! We have seen tremendous strides organizations are making in their plans to adopt new cloud services, while at the same time…we have also seen the increasing challenges.   This year’s Oracle and KPMG Cloud Threat Report 2019 highlights this clearly with 7 out of 10 organizations placing more business-critical information in the cloud than the year prior.  While at the same time, we also see that 90% of security leaders are struggling to understand their responsibility in securing SaaS vs the cloud service provider. This imbalance in preparedness is not sustainable for organizations as they lift and shift workloads into the hybrid cloud and require a top down look at the potential risks exposed to applications and services when proper controls are not put in place.  That’s why we’re bringing Oracle Cloud Security Day to a location near you. Join us for a one-day session that will highlight the top security risks, root-causes of fraud and we will walk thru leading practices for remediating the risk.  Here are the top 5 reasons you should attend Oracle Cloud Security Day: Learn about effective cloud shared security responsibility model Develop a security strategy with help from our security experts Explore how organizations can employ a layered defense strategy with multiple controls-in-depth for the hybrid-cloud Learn how the autonomous database can help secure business-critical data Discover how Oracle and KPMG work together to support a heterogeneous and multi-cloud environment Register to join us for free in a city near you: Events in Your Region Toronto, Canada May 2, 2019 Register for FREE New York, New York May 7, 2019 Register for FREE Washington, D.C. May 9, 2019 Register for FREE  

Have you registered yet for the Oracle Cloud Security Day near you? Now is your time! We have seen tremendous strides organizations are making in their plans to adopt new cloud services, while at the...

At OpenWorld Asia, a few weeks ago, I moderated a discussion with an impressive panel of cyber security experts, discussing security and privacy. The panelists included: Rob Soan of the Wall Street Journal, Vivek Jaiswal of NRMA, Laurent Gil from Oracle, and Yum Shoen Yih representing the Cyber Security Agency of Singapore. We pondered the question “Are we doomed?” given the data and headlines flooding our newsfeeds each week.  It goes without saying that we are facing global cyber security challenges. As evidence of the challenges we reviewed a few data points: Cyber Security is a top global risk as identified by the World Economic Forum in their Global Risk Report for 2019. It ranks just behind climate change as the top issue, highlighting the risk we face with our dependency on systems. Our reliance on systems has grown so much that it threatens to disrupt stability and integrity, making it a potentially massive risk for societies.   Data breaches know no geographical boundaries. We reviewed information for breaches that occurred in the last two years in the AESEAN region. Over 100 million records were breached in 9 incidents. The information types included passport information, healthcare data and imagery, voting records, passwords, and the usual base identity information. Most of this data was not financial payment information but the kinds of information that attackers can use to commit fraud quietly over longer periods of time. This information does not have the short shelf life of a stolen payment card that can easily be cancelled. This information can be stored and sold on the dark web and used to launch massive fraud schemes such as healthcare based on fraudulent claims, file fraudulent tax returns claiming refunds, using credentials for fraudulent travel documents such as passports, or even attempting to affect election outcomes (voter registration info). We now live in a world where every interaction creates and leaves crumbs of data behind. A trip to the supermarket, a drive in our smart-car, booking travel, seeing our healthcare professional, downloading content, visiting the DMV, registering to vote… very few interactions remain only physical with no digital crumbs left behind. IDC has noted this rapid increase in data creation and expects that the global datasphere will reach 175 zettabytes by 2025, up from 33 zettabytes in 2018. This raises the bar on organizations’ accountability for the data they are collecting and hold with evolving privacy regulations. Cyber security best practices are required to avoid fines, damaged customer trust, down time, recovery costs, and even jail time as our panelist highlighted is the case in Singapore. We are not doomed, but need to stay focused to get better. Many attacks are actually simple and not sophisticated. Organizations often struggle with bad password hygiene (not hashed nor encrypted), lack of encryption of data, not enough attention to manage least privilege, and failure to quickly identify early signs of an attack when damages and massive breaches can be stopped. We need to make cyber security a priority. For many organizations, this is occurring, investments are being made but it is often not just the money that matters but what is done. We need to evolve our security thinking and how we pursue “defense in depth” the motto of security professionals for some time. As noted in the Oracle and KPMG Cloud Threat Report 2019, almost 75% of respondents believe that security in the cloud can be better than what they can do in their own data center. Cloud offers a simpler path for security by streamlining visibility and reducing manual processes; it may not need all the traditional layers of defense or at least they are implemented differently in cloud. We are not doomed if we act now to strengthen cyber security, tap technologies, and don’t stick our heads in the sand. The statistics are clear, threats are everywhere, but with preparation and strategy, organizations can better protect their employees, customers, and their reputation.

At OpenWorld Asia, a few weeks ago, I moderated a discussion with an impressive panel of cyber security experts, discussing security and privacy. The panelists included: Rob Soan of the Wall Street...

One of the most rewarding things a product manager does is work with User Groups, and next week is one of my best opportunities of the year.  The International Oracle User’s Group (IOUG) is holding their annual Collaborate conference in San Antonio from 7-11 April.  The Database Security team was fortunate to have three sessions and two hands-on labs accepted for the conference, with both hands-on labs on Sunday, a session on Monday, and two more sessions on Tuesday. Collaborate sessions are focused on problem solving and technical content.  The attendees are almost all Oracle professionals, and the base skill level for conference attendees tends to be quite high. These are people who work with my Oracle Database on a daily basis, and in my sessions at Collaborate I get to skip straight to the good stuff.  It can be challenging – the questions I’ll get from the audience next week are almost guaranteed to be tough ones – but that’s also part of the fun. We'll be offering hands-on experience with the latest version of the Database Security Assessment Tool, sessions on Privilege Analysis and Unified Audit, and a potpourri session on ten security features that you might not know about, but should be using.  Almost guaranteed to be something for everyone!  The venue is also a nice change from the standard convention scene – for the past several years Collaborate was held in Las Vegas, and Las Vegas is always fun.  But this year Collaborate changed things up and moved to the Fiesta City, with the event held in the Henry B. Gonzalez convention center - right on San Antonio’s Riverwalk – which is absolutely fantastic, especially this time of year.  Nice weather, great scenery, and the food is amazing!  If your travels take you to San Antonio next week, please stop by – we’ll have a large exhibit in the conference show floor, and the session schedule is: Sunday,  7 April 10:30 am Hands-on Lab: Assess your Database Security 2:00 pm Hands-on Lab:  Assess your Database Security Monday, 8 April 10:30 am  Oracle Database Privilege Analysis for Least Privileges - Now Available with Enterprise Edition! Tuesday, 9 April 10:30 am Shedding decades of technical debt with Unified Audit 12:45 pm  Recent Database Security Innovations You Might Not Be Using, but Should Be

One of the most rewarding things a product manager does is work with User Groups, and next week is one of my best opportunities of the year.  The International Oracle User’s Group (IOUG) is holding...

Whilst Cloud-based IAM services such as Oracle Identity Cloud Service are clearly the strategic direction for many customers, I still work with lots of companies either using today, or still considering traditional ‘on-premise’ IAM solutions. This can be for a variety of reasons, including: They cannot move to the cloud due to the sensitivity of their organisation, or possibly for regulatory reasons. They need deep technical capabilities and flexibility of an on-premise IAM platform, not typically provided with cloud-based Identity-as-a-Service (IDaaS) solutions. They are in the process of migrating to Cloud, but still have many systems, including their IAM platform running on-premise. Of course, when I refer to ‘on-premise’ IAM I am talking about traditional IAM platforms, where the customer is responsible for installation and configuration of the software, as well as the day-to-day operation of it. Whether that software is actually running ‘on-premise’ within a customer’s own data centre, in a partner’s DC, or within an Cloud IaaS platform, it is still distinctly different to a Cloud-based IDaaS platform, where the customer is not installing and managing the underlying platform. Instead, they are just consuming the IDaas service. For the remainder of this article, I will refer to this ‘on-premise’ IAM as Enterprise IAM. As anyone who has looked at a true IDaaS solution such as Oracle Identity Cloud Service is aware, you are not responsible for many of the non-functional requirements of the platform, such as performance, monitoring, backup and recovery, DR etc. However, all of this is firmly your responsibility with Enterprise IAM, just like any other on-premise software. At the moment, I am working on a project that uses Oracle Management Cloud (OMC) to monitor Enterprise IAM (in this case, Oracle Enterprise Identity Services Suite). In case you aren’t aware, OMC is a cloud-native suite of management services that eliminates the human effort associated with traditional solutions for monitoring, managing and securing applications and infrastructure. OMC leverages machine learning and big data techniques against the full breadth of the operational data set to help customers drive innovation while removing cost and risk from operational processes. More details on this project in a future post. An Overview of Oracle Management Cloud   In my environment, I have a full demo platform of Oracle Enterprise IAM deployed and OMC agents deployed to monitor the activity and metrics for that platform. However, monitoring provides limited value without any throughput and, being my own demo platform, it’s not heavily used enough to generate any serious metrics or activity. For access management, I want to throw some load at the servers for different use case and see how they perform, together with the underlying LDAP. Similarly, for identity governance, I want to perform a number of activities to kick off various actions and workflows etc. Therefore, I have been spending some time building some automated testing scripts using tools like Apache JMeter and Postman. To make the testing realistic I needed to generate some fake test data. In the past, I have used Perl scripts to generate data but I didn’t really fancy brushing up on my very rusty Perl skills. Therefore, after asking a couple of colleagues I was pointed at a Python module called Faker. If you are already familiar with Faker, then you can stop reading now. However, if you aren’t, then I found it extremely useful. In just a few lines of code I was able to generate a CSV containing completely random test data. The official location for Faker is in GitHub here, and it provides installation instructions and simple usage instructions. As you will see, Faker has a wide range of different modules for generating different types of fake data. Below is the script I wrote to generate a simple CSV of random user details. # Paul Toal, Oracle # March 2019 # This file is used to generate a CSV file containing # random user details for use with an Oracle Identity # Governance test script   #Import the Faker module for generating fake data from faker import Factory #Import the random module to generate an employeeID import random   fake = Factory.create()   #Define the file to write the output to file = open("OIGTestUsers.csv","w")   # How many entries to make howMany = 10   #Create a random number to use as a starting point for employeeID entropy = random.randint(10000,99999)   #Write the CSV header file file.write("employeeNumber, title, familyName, givenName, organization, email, userName, userType, phone" + "\r")   ### Create a new line in the CSV for n in range(1,howMany+1):       #Generate job title. Returned value can contain a comma, so will be stripped out later    title=str(fake.job())    #Generate phone number. Return value can contain an extension, i.e. x1234, so will be stripped out later    phone=str(fake.phone_number())    # Generate first and last names separately to re-use in fields such as userName and email    lastName = str(fake.last_name())    firstName = str(fake.first_name())       #Write each entry line to the output file    file.write(str(n+entropy) + "," \     + title.split(',')[0] + "," \     + lastName + "," \     + firstName + "," \     + "Finance," \     + firstName + "." + lastName + "@oracledemo.com," \     + firstName + "." + lastName + "," \     + "Full-Time," \     + phone.split('x')[0] \     + "\r")   #Close the file handler file.close()   I hope you find this useful as a guide to generating your own fake test data. Of course, there are many alternative ways to generate test data, in many different languages. However, I found this ideal for my particular purpose, and with very little effort.

Whilst Cloud-based IAM services such as Oracle Identity Cloud Service are clearly the strategic direction for many customers, I still work with lots of companies either using today, or...

“Oracle and KPMG Cloud Threat Report 2019” demonstrates the importance of visibility, shared responsibility, and a CISO seat at the table. By Alan Zeichick Want to protect your assets in the cloud? You need to know what those assets are and who is using them. Your security teams must be able to see everything going on in the cloud infrastructure, from the cloud’s core to its edge. They need to be certain about which parts of your cloud applications are the business’s responsibility to secure—and which fall under the domain of the cloud service provider. And at the C level, the chief information security officer (CISO) must have a seat at the table during each and every discussion that involves acquiring or using new cloud applications or resources, in order to make sure those services are safe and compliant with enterprise policies. Those are three of the top takeaways from the “Oracle and KPMG Cloud Threat Report 2019.” Attention to cloud security is essential for modern-day enterprises—as a glance at any newspaper instantly communicates, with headlines reporting downloads of unsecured customer files from retailers, theft of intellectual property from tech firms, and complete business disruption. Cloud security is a big challenge for another reason: Enterprise use of the cloud has reached surprising levels of adoption and is continuing to increase. In the Oracle/KPMG study, 7 out of 10 organizations reported an increase in the use of business-critical cloud services—and there’s a huge increase in the number of enterprises storing their data in the cloud. At the same time that cloud usage is accelerating, security considerations are being left behind. Fully 93% of the participating organizations reported that users have adopted rogue cloud applications. That’s a prime example of “shadow IT”—that is, technology decisions being made by employees without the knowledge or approval of the IT department. These decisions are rooted in the BYOD movement and the consumerization of IT.               Individual employees, for example, may be running consumer-grade cloud services (think Evernote or Dropbox) to improve personal productivity—and, in the process, might store or even share confidential business information such as customer data or financial documents in those services. Departments may be signing up for hosted SaaS applications (such as WordPress or Adobe Creative Suite). Developers could be using popular cloud-based software development code repositories (GitHub, say, or SourceForge). And staffers might be sharing cloud-based collaboration platforms such as Slack or SharePoint with partners, suppliers, or customers. Are those cloud applications bad? In most cases, the products are fine from a software-quality perspective. But having a solid reputation doesn’t clear those specific apps for use in your business without the IT department’s knowledge and approval. And even after an application is approved for use, the CISO must ensure that it is implemented in accordance with your company’s security policies; otherwise, the organization is at risk of having critical data lost or stolen or of letting outsiders gain access to confidential internal information and processes. There are too many risks to organizations for leaders to be complacent about security. Here are three key ways to address those threats—and tackle the challenges head-on. Key #1: See Everything You Need to Protect Visibility is essential to every aspect of security. Consider the office building: Cameras are watching over exterior doorways, for example, and logging software is recording when employees and vendors badge in to secure work areas. The same must be true of critical information about network traffic, successful and unsuccessful attempts to log in to the network, and use of enterprise applications. It’s not enough to know that the CFO logged in to the accounting system at 1 a.m. It’s also important to know the device type, device location, and telemetry involved. The transaction might be completely valid, or it might come from a place halfway around the world when the CFO is actually at home. Or it might come from the CFO’s own smartphone, after a click on a link in a phishing email. Without visibility, AI-based security software can’t detect anomalies or piece together patterns of behavior that might indicate fraud or illegal activity. Without visibility, security investigators can’t find root causes of unusual situations quickly and accurately. That’s particularly true with cloud services, says Greg Jensen, senior director of cloud security at Oracle and coauthor of the “Oracle and KPMG Cloud Threat Report 2019.” “There are so many examples throughout this report about challenges with visibility,” he says. “Organizations don’t know what their employees are doing with cloud services and where their corporate data is being placed. Is it going on Google? Or Amazon? Is it going on Bill and Ted’s excellent cloud service? They don’t have that visibility.” One way to get more visibility is to implement CASB-compliance technology for the cloud ecosystem, says report coauthor Brian Jensen (no relation), a risk-management consultant at KPMG. A CASB, or Cloud Access Service Broker, provides visibility into the entire cloud stack while providing security automation for enforcing corporate policies. A full-featured CASB platform provides threat detection, automated incident response, predictive analytics, and security configuration management. “A CASB shows what employees are doing with cloud-sanctioned and unsanctioned cloud services,” says KPMG’s Jensen. “The average organization is running in excess of 1,900 applications—including cloud applications. By and large, security professionals need to use a CASB to monitor business-critical cloud transactions” and then enforce policies regarding those apps. Key #2: Understand the Shared Security Model In a classic data center application, the enterprise has complete ownership of security: everything from the physical installation to network access, from patching vulnerabilities to checking users’ digital credentials. In a cloud service—any cloud service—security responsibility is shared between the enterprise and the cloud services provider. Problems occur when the enterprise fails to realize its security responsibilities, says Oracle’s Jensen. This can happen because of shadow IT or because of misunderstandings about the shared security model for cloud services.         For example, take penetration testing, which measures how easy it is to attack a cloud service with known hacking techniques. Many enterprises don’t see that as any part of their responsibility, so they don’t do it. “A lot of businesses believe they aren’t responsible for testing the security of a cloud service,” Oracle’s Jensen says. “The reality is that whether you are using IaaS, PaaS, or SaaS, your business is responsible for doing penetration testing. The business is responsible for ensuring that the cloud cannot be penetrated—either the service or the application itself.” KPMG’s Jensen points to user authentication as an area of common misunderstanding. “While SaaS providers include a single-sign-on authentication solution, passwords simply aren’t good enough,” he says. “You need balanced user enablement with the requirement to protect sensitive data and transactions, so organizations should consider the use of multifactor authentication with biometrics.” Event monitoring touches both the visibility issue and responsibility sharing, he adds. “Security event monitoring in SaaS is still your responsibility,” he says. “If there are suspicious user activities associated with your portion of the shared responsibility model, you have to be aware of those events, monitor them, and react to them.” (This shouldn’t be confused with the foundational event monitoring that the cloud services provider uses to defend against a variety of network-level events.) Key #3: Seat the CISO at the Table A line-of-business department is considering adoption of a cloud-based application—perhaps a turnkey SaaS application. Is the CISO invited to the meetings where that product is discussed, evaluated, and approved? Maybe. But then again, maybe not. And it’s quite likely that the CISO’s team is not involved in the implementation and integration of that cloud application. In fact, the security team members may not even know about that app until security incidents begin showing up on their dashboard. “There’s a lack of communication, lack of collaboration, and lack of visibility across the C-suite,” says Oracle’s Jensen. “The C-suite is facing challenges in terms of how to collaborate on security, risk, compliance, and privacy.” Teams won’t work together if their managers don’t work together. “We have to address these C-suite problems head-on,” Jensen says. “We have to try to make sure that this is a collaborative conversation where everyone understands their unique role in making cloud security successful for the organization. When executives aren’t doing their part, the company as a whole is at risk.” A Bright Future for the Cloud Increasingly, organizations trust the cloud for critical applications and for storing essential data. Security technology is doing a good job of keeping up, but more still needs to be done, as is documented in the “Oracle and KPMG Cloud Threat Report 2019,” says Oracle’s Jensen. “The cloud capabilities and the solutions available today are far superior to what we had just a couple of years ago,” he says. “There is much more security awareness now than what we had in years past—and more acceptance about the need to have conversations with the security teams and the risk teams.” Next Steps READ the “Oracle and KPMG Cloud Threat Report 2019.” LEARN more about Oracle CASB.    

“Oracle and KPMG Cloud Threat Report 2019” demonstrates the importance of visibility, shared responsibility, and a CISO seat at the table. By Alan Zeichick Want to protect your assets in the cloud? You...

Oracle OpenWorld has hit the road this year, moving across the globe to several cities and will be landing in Singapore March 26th-27th. If you are registered to this sold out event, here are a few great sessions to catch. If you were not able to attend, please be sure to check back for more blogs with recaps on these sessions and the latest Oracle Security updates.  For those of you in attendance, you are in for an action packed two days with several focus areas you can zero in on. If you are interested in learning more about security, consider these sessions:  1) Navigating the Technology Revolution- Security and Compliance in the Cloud  Tuesday, March 26th | 2:35 pm - 3:10 pm | Main Stage (Level 5) - Marina Bay Sands Join Eran Feigenbaum, Chief Security Officer, Oracle, Steve Daheb, Senior Vice President, Oracle Cloud and Fernanda Kroup, Managing Director, Corporate Research and Consulting for Eurasia Group as they discuss their point of view on the technology revolution and how it pertains to security in the cloud.  2) Role of Security and Privacy in Globalized Society - Threats, Implications and Outcomes Wednesday, March 27th | 1:05 pm - 1:40 pm | Arena 4 (Level 3) - Marina Bay Sands This panel of security experts will discuss topics around threats organizations are facing today and the potential threats they may battle against in the future. This discussion on 'the next security threat' is sure to be thought provoking and provide a glance into the future of security and privacy around the world.  3) Introducing Oracle's Data Security Cloud Service for Oracle Databases Wednesday, March 27th | 1:05 pm - 1:40 pm | Forum 3 (Level 5) - Marina Bay Sands A secure infrastructure, data encryption by default, and automated patching make Oracle Databases in the Oracle Cloud secure, but there are risks associated with customers controlling access and monitoring the use of data. Join Russ Lowenthal, Director of Product Management for Database Security, as he introduces Data Security Cloud Service and its data security management capabilities.  4) Security in Oracle Cloud Infrastructure: Core to Edge Protection Wednesday, March 27th | 3:30 pm - 4:05 pm | Arena 9 (Level 3) - Marina Bay Sands   Join Laurent Gil, Evangelist and Security Architect for OCI, as he explains the need for organizations to adopt a core-to-edge security strategy in order to deal with the complex and varied threat landscape. Data breaches and security-related outages have huge negative impacts on organizations, but this session will detail how an approach that extends from the core infrastructure to the user edge will help protect your organization.    Check out the content overview for a list of all the sessions, spanning a variety of topics.   

Oracle OpenWorld has hit the road this year, moving across the globe to several cities and will be landing in Singapore March 26th-27th. If you are registered to this sold out event, here are a few...

Are differing opinions about cloud cyber security an indication of a major unchecked risk, or just two different sides of the same valuable coin?   Security leads are confident about cloud security and are planning to house more and more of their sensitive data in the cloud. Recent data indicates a 3.5x increase in the amount of data expected to be stored on the public cloud from 2018 – 2020, according to the Oracle and KPMG Cloud Threat Report 2019.             However, at the same time, many practitioners question the inherent security of the cloud, even as they are directed to make the move by these leaders. One recent Twitter poll of IT practitioners (versus leaders) showed a distinct lack of confidence in cloud-based security. And in defense of these practitioners, some breaches have occurred as a result of the move to the cloud. (One that comes to mind — the Amazon GoDaddy breach — was due to a misconfiguration of the AWS S3 buckets.) So, is there something fundamentally insecure about today’s cloud services and infrastructure? The short answer is “no”. But like many complex issues, the answer depends on the context. To fully unpack this issue requires taking a short detour into the history of cloud migration and observing how the first generation of cloud computing was created. Generation 1 Infrastructure In the first generation (this includes AWS, Microsoft Azure, and Google Cloud) the same servers that hosted control code were shared with customer data and code. This created a vulnerability, and ultimately prompted the need for another generation of cloud computing. Generation 2 is different, however, and takes the idea of isolation very seriously. Separation of Church and State Oracle was second to the cloud infrastructure offering. While this may have been, in some respects, disadvantageous, ultimately it has allowed Oracle to learn from others’ mistakes and design a cloud infrastructure with security in mind, from the ground up. In a recent video clip, Oracle security execs, Eran Feigenbaum and Johnnie Konstantas, discuss how the initial weakness turned into an advantage. In a security keynote at Oracle Open World last year, Larry Ellison explained that customers may have their own bare metal server or may share them amongst each other for economic reasons. However, they will never share the same server that houses cloud control code.   “We will never put our cloud control code on the same computer that houses customer code — this creates an incredible vulnerability….” — Larry Ellison                An excerpt from Larry Ellison’s Keynote comparing Gen 1 and Gen 2 cloud infrastructures. 2nd Generation Infrastructure In Gen 2, Oracle made the decision to add a completely different layer of computer networks to house the cloud control code and has kept it separate from the tenant infrastructure. In Larry Ellison’s Gen 2 Cloud Keynote at Open World 2018, Ellison talked about two things: An Impenetrable Barrier — dedicated network of cloud control computers to ensure one user can’t access another user’s data Autonomous Robots — Bots that find and kill threats These two things have fundamentally change the security posture of tenants using cloud infrastructure. Staying Safe in the Cloud So, to answer the question: “Is the cloud more secure than on premises”, we can provide a resounding “yes,” but only when adhering to the following requirements: Know your responsibility — Although we didn’t dive into this any detail here, it’s an important consideration. Many people don’t realize that they have a security responsibility when taking tenancy in a cloud infrastructure setting. Make sure you’re aware of your responsibility and if you subscribe to a bare metal service, you have more responsibility than if, for example, you were subscribing to a SaaS offering. To learn more, read our blog on the Shared Responsibility Model. Use Gen 2, not Gen 1 — make sure your cloud infrastructure is designed from the ground up with security in mind, and this means, by necessity, Gen 2 or higher. Automation — ensure that the best AI and ML-based security tools are employed in your cloud infrastructure so that threats will be identified and stopped before they access (or worst yet, exfiltrate) your data. So, whether you’re leading your organization full tilt to the cloud, or you’re an IT practitioner concerned about the underlying architecture of the service in which you’re about to take tenancy, rest assured, Oracle has you covered. This means not only has the infrastructure been designed from the ground up to be secure, but also the services that ride on top of it (like, for example, Oracle Autonomous Database) are also clad with an additional layer of security. To learn more about how Oracle secures your most vulnerable and sensitive data assets, visit Oracle Database Security.    

Are differing opinions about cloud cyber security an indication of a major unchecked risk, or just two different sides of the same valuable coin?   Security leads are confident about cloud security and...

We have all heard the rumors about trusted technology vendors who were compromised by nation states through supply chain compromises (SCM), but this is an age-old issue.  Hundreds of years ago, kingdoms were born out of the dirt, and came into power by consolidating their armies and resources behind mighty fortresses.  Even in the times of King Arthur, castles sometimes fell by the sword, sometimes by mythical dragons and sometimes because of food supplies. The untold story of the castle was the supply chain risk.  For those at this week’s Oracle MBX Conference, this conversation is being shared. The ability of the castle model to work was based upon, four key factors.  The ability to secure the keep (the crown jewels/gold) and the royal family The ability to provide security for the kingdom using the king’s armies In return, the people, provide the provisions and materials that the kingdom consumes Inner-kingdom trade is ensured to the people by the kingdom The challenge for any king is, how do you ensure materials and goods, are not compromised? How do I ensure that a 500% increase in grain does not alert my enemies to my plans for war, by marching my armies? How do I ensure somebody is not skimming grain out of every delivery to my customers while accepting the full price of silver?  These are the concerns that keep kings and CEOs awake at night.   The threat landscape today is very much like that of the past.  Supply chain is under risk of financial fraud, theft, and worse…an attacker slipping a dead fish in a supply of dairy, has the potential of injuring or killing the king’s army.  This is a supply chain compromise and we see it in modern times with the risk of attackers penetrating supply chain systems to receive counterfeit chip-sets in the production of a TV or video conference system. Little did anybody realize, but a video processing chip produced in Austin, was replaced with one made by a foreign intelligence agency for the sole purpose of collecting information on their adversary or gaining an advantage in the IP wars.  Oracle Cloud Applications have undergone tremendous strides in recent years to ensure the security of the cloud platform itself, but to help identify areas of supply chain risk, highlight potential fraud and look for suspicious behaviors that we can identify through our edge control technologies in Oracle Cloud Infrastructure.  Today, the kingdom has more tools than ever at their disposal to help mitigate the risks targeting their suppliers and providers.  The key question is, are you driving this strategy like a king, or just entertaining it like the court’s jester?  Time for serious planning.  For more information on how Oracle and KPMG can help you with uncovering the risks and threats of your own “kingdom”, download your free copy of the Oracle and KPMG Cloud Threat Report 2019 where we highlight the challenges and leading practices for a secure cloud application journey. Also, join Brian Jensen (KPMG) and I as we discuss these key application challenges around SCM, ERP, HCM and CX, in our April 17th webcast event. Register now for the KPMG ERP Risk Series: Oracle and KPMG Cloud Threat Report webcast and start your planning, regardless if you are a CEO or the king of your castle.

We have all heard the rumors about trusted technology vendors who were compromised by nation states through supply chain compromises (SCM), but this is an age-old issue.  Hundreds of years ago,...

It’s been 10 months since the European Union’s General Data Protection Regulation (GDPR) enforcement date took effect. Last summer a global buzz kicked in around the world about data privacy and the impact of the GDPR’s strict requirements. Since then, much of the buzz around GDPR has died down, but the threat of a data breach continues to rise as adversaries are highly funded and motivated. This week, I sat down with Allan Boardman, former director of ISACA and founder of CyberAdvisor.London, to continue the conversation we began at Oracle OpenWorld Europe. Expanding on our initial topic, “The Role of Security and Privacy in a Globalized Society”, we discussed GDPR today, the impact of regulations on citizens globally, and tactics organizations can employ to better protect their critical data. GDPR began a little less than a year ago, how have companies responded to it? Are organizations meeting their compliance goals?  “What I found quite interesting is that it [GDPR] was created for European citizens, but I was at conferences in Washington DC and Chicago in late 2017 and GDPR was one of the most popular topics, even at RSA 2018 last April. I thought this would be a European topic, but it has certainly caught the attention of organizations globally with other countries looking to roll out similar legislation. GDPR has been a game changer.” Boardman continued by saying, “Approaching the deadline, there was a lot of shuffling going on, people wanted to check the boxes, and it would not surprise me if the quality of some of those activities were undermined.” We are in a moment of transition, as organizations begin to understand more about their data privacy needs, they are starting to understand the gaps in their compliance and security strategies. Organizations must take a proactive approach to protect their data, ideally through properly integrated cybersecurity tools and solutions including potentially cyber insurance. Boardman explained the importance of this, “the [consequences of a breach] shouldn’t be under played because the impact can be very significant, including long term reputational damage and for publicly quoted companies, the effect on the stock price can be significant.” Organizations that fall victim to a breach are faced with hefty fines and long-term damage to their brand. Have these severe repercussions caused organizations to be overly cautious in reporting loss of data that might not have been critical? “I think GDPR and data privacy is a journey and if you think about it we are still very much at the compliance level. Right now, it is a fight to make sure organizations comply with regulations, rather than this being baked into everyday processes. They are working towards providing data privacy at an enterprise scale. Although data protection has been around for some time, it is still very much compliance driven. I think we are starting to move out of that a bit – for example initially organizations thought one of GDPR’s requirements, the Data Protection Impact Assessments (DPIA), should just be done for new applications or projects. You really need to run this exercise across the board and for all the main business processes that involve personal data, as it is the only way to really identify and understand all your most sensitive data. How has GDPR affected the way people value their data and has it impacted the way they judge an organization’s ability to protect it? “It is still early on in terms of seeing actual effects, but organizations are starting to see some of the impacts. Certainly, there was a level of increased awareness, people received the notifications in terms of companies ensuring they had the acceptable controls in place and the topic was regularly coming up at dinner tables, with people previously totally uninterested in data privacy and data protection starting to talk about GDPR. As I mentioned before, organizations have been overly cautious in reporting any breach and there are still a lot of gaps to fill in the journey towards compliance.” Can data be protected or are breaches to be accepted as the new norm? “There have been a number of widely reported significant breaches over the past few years, but people seem to be getting sanitized to them and seem to be getting used to the fact that some level of breach can happen anywhere. It is definitely the new norm, but having said that, there are now much stronger sanctions, so organizations need to understand which of their data is most critical and sensitive and apply appropriate controls or risk facing sanctions causing a significant impact on their bottom line.” Please feel free to access our whitepaper, Helping Address GDPR Compliance Using Oracle Security Solutions, to learn more about GDPR and how Oracle can support your journey to compliance.   About Allan Boardman: Allan Boardman (CISA CISM CGEIT CRISC CISSP), founder of CyberAdvisor.London, is an experienced business advisor helping organizations manage their information, technology, cybersecurity and privacy risks. He started his career at Deloitte in Cape Town where he qualified as a Chartered Accountant before moving to London in 1986. He has held leadership positions in audit, risk, security and governance at various global organizations including GlaxoSmithKline, Morgan Stanley, JPMorgan, Goldman Sachs, PwC and KPMG. He is a Past President of ISACA London Chapter and has served on ISACA International’s Board of Directors, its Strategic Advisory Council, its Leadership Development Committee and chaired its Credentialing and Career Management Board, CISM Certification Committee and Audit and Risk Committee. He served as a volunteer at the London 2012 Paralympics, Sochi 2014 Paralympics, Rio 2016 Olympics, and PyeongChang 2018 Olympics and Paralympics.

It’s been 10 months since the European Union’s General Data Protection Regulation (GDPR) enforcement date took effect. Last summer a global buzz kicked in around the world about data privacy and the...

It’s that familiar IT analogy that “Elvis has left the building” in the context of, your enterprise data has left your data center, and is now in the cloud. It’s more true than ever before. What we are seeing instead is the rush to cloud, without all the pieces in place, is leading to heartbreaking results when increased risk is transferred into the cloud and amplified. This week marks the kick-off of Oracle’s Modern Customer Experience Conference (MBX). This includes a phenomenal collection of attendees, partners and solution providers all centered around business-critical cloud solutions such as ERP, HCM, SCM and CX.   While these solutions are built around amazingly sound, secure, high performing cloud environments, there is always opportunity for fraud and risk that require a second look at the controls we place around these platforms. Many know Brian Jensen (KPMG) and I as the co-authors behind the Oracle and KPMG Cloud Threat Report that we publish each year. No, we are not related, but we share a common concern from two unique perspectives. My cyber background paired with his background in ERP risk controls. Together we have been able to help elevate the conversation around what are the risks we are seeing around today’s business critical applications and how should businesses prepare?  Below are a few of the topics Brian and I will discuss in April as KPMG hosts their ERP Risk Series: Oracle and KPMG Cloud Threat Report 2019.  Register for this now! Buy your CISO a coffee – The best $5 you can spend is to share a coffee with the person who can make you very successful within your line of business. Get to know the CISO priorities, but more importantly, educate them on yours.  Today’s CISO is not about saying “No”, they are about saying “Yes, but let me help you get there faster….and safely”. Identify your cloud quarterback – Every successful team needs a leader on the field who is organizing, driving strategy, interpreting the calls played and what it means on the field. This is the role of the Cloud Security Architect who is enabled and empowered by the CISO to drive security, privacy, data protection and risk programs. They are also focused on ensuring all LoB programs are engaging SecOps up front and meet key requirements before go-live. Know Shared Responsibility – 90% of CISOs, 75% of CIOs and 54% of SaaS teams are unsure about their role in securing the apps vs the cloud provider. Address this across ALL cloud services. Pull out the contracts, talk to your providers quarterly, understand the SLAs and identify the gaps where you are putting your company and customers at risk. Revitalize the Lunch and Learn – The lowest cost impact you can make to the organization is a round of pizza once a month, in exchange for asking them to sit down, and take notes on safe practices at work.  Phishing scams that target employees that have access to business applications is on the rise. Educating your staff on the risks, how to report and safe practices is a great starting point. This week is a busy week for many at Oracle’s MBX. Make sure you register for next month’s session with Oracle and KPMG as we walk thru some of the key findings in the new Cloud Threat Report, and what we learned that will change the way you approach your upcoming enterprise application strategy. 

It’s that familiar IT analogy that “Elvis has left the building” in the context of, your enterprise data has left your data center, and is now in the cloud. It’s more true than ever before. What we...

It’s never been easier than now, to stand up new business-critical services in the cloud.  To the credit of cloud providers around the globe, they have all responded to the demands of the LoB (Line of Business) to enable a more seamless acquisition and onboarding experience for these new services.  In fact, 2019 marks the year where we saw a tipping point of use where 7 out of 10 businesses are placing more business-critical data in the cloud than in 2018.  So, things are great, right?   Let’s not move so fast. Have you asked your cloud coach about their game plan for keeping that data private, protected and secure as you transition into the cloud and on an ongoing basis? One of the key areas tripping up organizations today in their rush to the cloud is assuming that cloud is just an extension of on-prem.  This is like saying my car is similar to my airplane simply because they both have round rubber tires and an engine. The risk profile changes as you shift to the cloud. On prem data center owners know that they are 100% responsible for the full stack.  They own the selection of hardware, service connections, OS layer, patching, app, containers and more.  One of the challenges organizations are struggling with today is the knowledge base of todays IT and Cyber workers. As the demands continue to increase, the talent pool is unable to keep up with those skillset requirements which has created a fundamental challenge in filling the thousands and millions of open headcounts in the IT and cyber sector. Cloud offers the promise of making these problems somebody else’s problem, thru financial incentives (SLAs). But not all responsibility can be shifted to the cloud service provider.  Click to learn more about the impacts of Shared Responsibility in the Enterprise Are you the type that likes to build their own car, buy in a dealership, rent it, or do you prefer Uber/Lyft? Clearly the benefits are, less control, but also less responsibility.  This is also what you see as you move from On-prem, to IaaS, to PaaS, to SaaS. Customers are shifting ERP, HCM, SCM and CX workloads to the cloud in mass.  Oracle and others have done a tremendous job securing the cloud frameworks that these SaaS services run on, but there is still more that must be accommodated.  So just how prepared are organizations today? 54% of organizations say that they are confused about their role in shared responsibility vs the cloud provider.  Ok… so let’s look to the coach, the CISO, as surely they know. Right?  Unfortunately, 90% of CISOs are unsure about their organization’s role, and 75% of CIOs are also unsure, so leadership is struggling at the very time when there is a tremendous push for these new cloud services.  So, what does this tell us?  It tells us that there is a desire to play in the cloud game, however it may require players to make up the plays as they go along (or call an audible), because the coach may not have the answers.  That simply isn’t sustainable. So, what can we do now?  It starts with identifying an internal advocate for shared responsibility, such as the Cloud Security Architect, to help educate and drive change inside the organization.  It also means we need executive investment into the topic of privacy, data protection and security, and it must be accepted as not just a c-suite responsibility, but a boardroom responsibility.   The C-Suite is starting to understand that they all play a role in security, privacy and data protection, and it is not just the role of the CISO.  But for CISOs that do not get engaged with the LoB, and find a seat at the table for this up front planning, they will continue to be called the “Crisis Induced Sacrificial Offering”.  So regardless if you are at Oracle’s MBX Conference this week, or following the news from around the world, take a moment to find out what your role is, in helping to ensure a secure, private and protected journey to the cloud.  Register now for the new Oracle and KPMG Cloud Threat Report 2019 and learn how it can help your organization build out more defined security and risk strategies for 2019 and beyond. For additional information on Shared Responsibilities and tools you can use to manage, register for this on-demand webcast that covers this topic in great detail.  

It’s never been easier than now, to stand up new business-critical services in the cloud.  To the credit of cloud providers around the globe, they have all responded to the demands of the LoB (Line...

Oracle is happy to announce the availability of Oracle Audit Vault and Database Firewall 12.2 Bundle Patch 10. Oracle Audit Vault and Database Firewall (AVDF) secures databases and other critical components of IT infrastructure. AVDF provides a first line of defense for databases and consolidates audit data from databases, operating systems, and directories to support monitoring and compliance reporting. Audit records from on-premises and cloud databases are collected for centralized management and provide monitoring, reporting, and alerting of anomalous activity across databases. A highly accurate SQL grammar-based engine monitors unauthorized SQL traffic before it reaches the database. Please take a moment to visit our webpage for more information on Oracle AVDF. The following changes are included in the Bundle Patch 10 release: Added support for audit collection and database firewall protection for Microsoft SQL Server 2017. Expanded support for host monitor on AIX 7.2 platform and Microsoft Windows Server 2016. Introduced support for host monitor on Oracle Solaris 11 SPARC X64 super cluster using IPNET protocol. Introduced support for audit collection, host monitor and agent installation on Oracle Linux/Red Hat Enterprise Linux 7.4 and 7.5. Expanded support for host monitor on Oracle Linux/Red Hat Enterprise Linux 6.9. Added support for audit collection, host monitor and agent installation on Oracle Linux/Red Hat Enterprise Linux 6.10. Updated the underlying infrastructure to incorporate the January 2019 Bundle Patch for Oracle Database 12.1.0.2, which includes latest security fixes. Security and stability fixes for Java and Oracle Linux operating system. Fixes for a number of customer bugs. For database security practitioners looking to upgrade, please note that Audit Vault and Database Firewall 12.2 Bundle Patch 9 is a mandatory prerequisite. Audit Vault and Database Firewall 12.2 BP9 established a new minimum security baseline with underlying inter-component communications defaulting to TLS 1.2. Please refer to Patch release notes for detailed installation instructions. Patch for upgrading to Audit Vault and Database Firewall 12.2 BP10 is available through ARU Patch#22787271. Full install image for Audit Vault and Database Firewall 12.2 BP10 is available on eDelivery. To learn more about Oracle Database Security, please visit our Oracle OTN and Oracle Security webpages.

Oracle is happy to announce the availability of Oracle Audit Vault and Database Firewall 12.2 Bundle Patch 10. Oracle Audit Vault and Database Firewall (AVDF) secures databases and other critical...

Yesterday turned out to be a very soggy day for attendees at the RSA Conference. Fortunately, the rain didn't put a damper on the numerous events going on throughout the day. If you weren't able to attend the conference this year, here is a quick recap of the conference so far, and a few must see events for today.  1) The RSAC Innovation Sandbox Monday started off with the RSAC Innovation Sandbox Contest. This was a great opportunity for attendees to learn about the latest innovations in the security space. Each company competing is given time on the stage to showcase their innovative work and the winner is announced in an awards ceremony to conclude the day.  2) Visiting the Expo Floor The Moscone North and South halls have been transformed completely. With only two more days to visit the expo floors, we encourage all attendees to spend some time visiting the vendor booths. As always, RSA would not be complete without magicians, raffles, and great demonstrations. If you are interested in learning more about Oracle Security, please feel free to stop by one of our booths:  Booth #5570 in the North Hall is focused on Oracle Database Security, Oracle Cloud Infrastructure, and Security within the Oracle Autonomous Database Booth #1559 in the South Hall is focused on Oracle Security Monitoring and Analytics, Oracle CASB, and IDCS Booth #2261 in the South Hall is focused on Oracle’s Edge Security services 3) Networking opportunities  Many people at the conference have remarked, " coming to RSA is like one big reunion." It truly is a great opportunity to network with new contacts or meet up with past colleagues Don't miss out on the several events happening throughout the day at RSA.  Make the most of the last two days at RSAC and keep up to date on the latest information by visiting Oracle's Security twitter. 

Yesterday turned out to be a very soggy day for attendees at the RSA Conference. Fortunately, the rain didn't put a damper on the numerous events going on throughout the day. If you weren't able...

We are now halfway through RSA Conference 2019. It has been an exciting week filled with great sessions, opportunities to learn about new companies, and networking with other professionals in the industry. One of the main events on Monday and perhaps one of the most popular events of the week, was the RSAC Innovation Sandbox. Every year, 10 finalists compete for the “Most Innovative Startup” title. Each company is allowed only three minutes to demonstrate how they are minimizing infosec risk. This year’s competition started with Hugh Thompson inviting one of the judges, Niloofar Razi Howe, on stage to discuss the current security landscape. Niloofar Razi Howe is a cybersecurity entrepreneur and investor who has been in the technology industry for 25 years. She explained how the current threat landscape is expanding and we need innovation to not only fix our current problems, but also the problems of the future. Niloofar continued the conversation with some of the most common cybercrimes, such as phishing, and ended by stating that “cybersecurity is about enabling digital transformation.” This idea on the expanding threat landscape is mentioned many times in different publications, speeches, etc., including the Oracle and KPMG Cloud Threat Report. Organizations are experiencing speed and agility as they embrace the cloud, but it has also introduced new security challenges and risks. This year’s “participating organizations report experiencing a wide range of cyber-attacks over the last 24 months”. With the increasing amount of threat vectors, organizations must adopt a defense-in-depth strategy. The report’s “call to action to treat cloud security as a strategic imperative, one that entails a multifaceted approach to secure the business cloud” shares similarities with Niloofar’s concluding statement. For more information, read the Oracle and KPMG Cloud Threat Report. Also stop by Oracle’s three booths at RSAC for more information on how to protect your company from the evolving threat landscape by adopting core-to-edge security. Booth #5570 in the North Hall is focused on Oracle Database Security, Oracle Cloud Infrastructure, and Security within the Oracle Autonomous Database Booth #1559 in the South Hall is focused on Oracle Security Monitoring and Analytics, Oracle CASB, and IDCS Booth #2261 in the South Hall is focused on Oracle’s Edge Security services

We are now halfway through RSA Conference 2019. It has been an exciting week filled with great sessions, opportunities to learn about new companies, and networking with other professionals in the...

For all those in attendance yesterday, what a great start to RSA! Thank you for joining us today for our second daily download. If you are just joining us, we will be sharing big moments from RSA as well as sharing must see events each morning of the conference. Please join us each morning and keep an eye on the Oracle Security Twitter account, which has been sharing information from sessions and the expo floor.  There is a lot going on at RSA, so it would come as no surprise if you weren't able to catch all the happenings yesterday. Here were some of the highlights we captured: 1) CSA at RSA: Celebrating 10 years in the Cloud  The CSA Summit was packed with insightful sessions, best practices from industry leaders, and even a little magic! Each session offered attendees a new perspective and panel discussions, like Ten Years in the Cloud: An Observation of Success and CISO Counterpoint: Mission Critical Cloud, provided thought provoking conversations that are sure to continue throughout the conference. The CSA Summit brought together thought leaders from several industries to create a valuable and vibrant agenda for attendees across several verticals from Technology to financial institutions.  2) The Welcome Reception Gave us a First Look at the Future of Security  Yesterday evening, the halls of Moscone North and South were buzzing with people looking to get a first look at vendor demos. With magicians, video games, and in booth presentations, there was certainly something for everyone! The welcome reception allowed attendees to learn more about the latest product releases and best practices all while munching on treats. The Oracle Booth (#S1559) had it's first presentation, featuring Troy Kitch, Senior Product Marketing Director - Cloud Security, on the Top Five Risks Organizations Face in the Cloud. if you missed the presentation, there will be several opportunities to attend sessions in the oracle booth as well as learn more from our demo pods.  Now, as we shift into Tuesday, let's evaluate some of the exciting events happening today.  3) Visit the Expo Floor If you haven't already had the chance, take a moment to take in the expo floors in the North and South halls. Be sure to stop by the south hall Executive Briefing Center for Laurent Gil's presentation at 10:40am. Gil, Security Architect for Oracle Cloud Infrastructure, will be discussing an Intelligent Approach to Beating Global Cybersecurity Threats. Additionally, Oracle booth #1559 will cover several topics tomorrow, you can also view a full schedule of in booth presentations. This is a great opportunity to learn more about products from every vendor, regardless of where your organization is on their cloud journey.  4) Attend the Keynotes As with all conferences, keynotes are the opportunity to learn new points of view and look at the big picture of security. RSA has provided attendees with a powerful lineup of keynote speakers. You won't want to miss their presentations!  We are looking forward to an extremely insightful day of sessions and presentations! Keep up to date with us on Oracle's security page as well as with the hashtag #OracleatRSA. 

For all those in attendance yesterday, what a great start to RSA! Thank you for joining us today for our second daily download. If you are just joining us, we will be sharing big moments from RSA as...

We live in a world where data is an organization’s most valuable asset but remains under-protected.  Hackers, malicious users, or even curious users, are aware of this gap and are taking advantage of it. Today, our data is typically available at the click of a mouse button and that availability leads to a significant advantage for the attackers.  Attackers have all the tools, time, infrastructure and knowledge to target your organization’s data; while data classification, data security, and risk remediation is yet another set of TBD items in a long list for corporate I.T. This is where DBSAT can make a difference! Oracle DBSAT accelerates the security assessment process by collecting and evaluating relevant configuration information from the database.  It assesses the current security state by analyzing the security policies and controls in place, identifying what is missing, and then showing how to mitigate the risks.  Second, DBSAT helps you quickly analyze your users, their roles and privileges, and what type of access they have on your sensitive data.  Lastly, DBSAT helps you locate and classify your sensitive data so that you can secure them appropriately. DBSAT 2.1 is now available with tons of new features and capabilities to help you improve your overall security posture, and lower your risks on Oracle databases: Added support for Oracle Database 18c, 19c, and Autonomous Databases Security Assessment Introduced rules highlighting for STIG in addition to earlier GDPR and CIS Benchmark Added checks on password file, global names, instance names, RMAN backups, and more Updated remarks and recommendations for quick action Simplified identification of directly granted system privileges Improved classification of system privileges granted to PUBLIC PDB runs show only Roles and Privileges that can be acted upon for quicker remediation Enhanced checks for Audit Configuration and Audit Trail Management Sensitive Data Discovery Added support to help find sensitive data in Dutch, French, German, Italian, Portuguese and Spanish Expanded coverage for dozens of new Sensitive Types, Categories, and Subcategories Added Recommended controls per Risk Level DBSAT has been downloaded 18,000 times since Sensitive Data Discovery was introduced in January 2018. Customers are using DBSAT to find their sensitive data and understand their risks. What about you?  Visit our webpage for more information and to download the DBSAT. Oh, did I mention, DBSAT is free to all Oracle Database customers?

We live in a world where data is an organization’s most valuable asset but remains under-protected.  Hackers, malicious users, or even curious users, are aware of this gap and are taking advantage of...

As the RSA Conference kicks off today in San Francisco, be sure to stop by our blog each morning for a list of must see events and activities. For our readers not in attendance, this is also a great opportunity to hear the latest trends and strategies in security. To start off the week, I'd like to point out some must see activities for the day.  1) Attend the CSA Summit Monday, March 4th | 8:30am-4:30pm | Moscone South 207 SEM If you are in San Francisco this week, be sure to catch the CSA Summit at RSA. As a celebration of 10 years at the RSA Conference, this year the CSA Summit will reflect on lessons learned in the transition to the cloud. The summit is packed with exciting panels and sessions featuring security professionals from cloud security leaders across the country. Be sure to grab a seat at Ten Years in the Cloud: An Observation of Success and CISO Counterpoint: Mission Critical Cloud.  2) Explore the Expo Floor at the Welcome Reception Are you attending RSA to learn about the latest releases in security solutions? Start your evening off by exploring the expo floors in the Moscone north and south halls. The Monday evening welcome reception is a great time to see presentations, watch demos, and grab a free t-shirt or fidget spinner!  3) Grab a Refreshment and Network  The welcome reception is not only designed as an opportunity to learn about security vendors and products. It is also a time to wind down, grab a snack, and meet up with colleagues. After the welcome reception, you can head to a coffee shop or restaurant to enjoy the night and gear up for the busy week ahead.  For more updates, visit the Oracle Security and Oracle Infrastructure twitter accounts to stay in the know throughout the day. Join us tomorrow for a recap of big Monday moments and must sees for Tuesday.  

As the RSA Conference kicks off today in San Francisco, be sure to stop by our blog each morning for a list of must see events and activities. For our readers not in attendance, this is also a...

It is finally here, RSA 2019 will be kicking off in three days! If you’ve had the opportunity to read our previous posts, you’ll see several mentions of Oracle sessions at RSA. Conference attendees will have several opportunities to learn about Oracle Security on the big stage, but we would also like to take a moment to highlight the mini sessions we are offering to attendees looking for a quick overview of Oracle Security. Each of the 15-minute sessions mentioned below will take place in our Oracle Security booth #1559 in the South Hall of the Moscone Center. Stop by to hear from our security subject matter experts as they present on some of the top challenges organizations are facing today.  Core-to-Edge Integrated Security Layers Monday, March 4th – 5:30pm, Wednesday, March 6th – 4:30pm, & Thursday, March 7th - 12:30pm Troy Kitch, Senior Principal Product Marketing Director Oracle’s core-to-edge approach to IT security helps organizations prevent, detect, respond to, and predict modern cybersecurity threats. Beginning from the core (your data) and continuing out to the edge (where your users connect), Oracle’s layers of integrated security controls are built to work together to intelligently protect hybrid and multi-cloud IT environments. Threats to Your Data are Bigger Than They Appear Tuesday, March 5th – 10:30am & Wednesday March 6th – 10:30am Alan Williams, Senior Principal Product Manager, Database Vault, Label Security, RAS Data is the most valuable asset in today's digital world, but without proper security, data can easily become your biggest liability.  Most critical business data is stored in databases, making them the prime targets for malicious actors who use a variety techniques to try to steal data. The battle between data security professionals and hackers is an asymmetric one, where the bad guys have access to all the infrastructure, all the tools, all the time, and all the hackers they need to accomplish their goals. Learn how Oracle Database Security protects your data with rings of controls and helps keep your organization compliant with regulatory mandates such as GDPR. Leverage Oracle Security to Aid with New Privacy Requirements like the California Consumer Privacy Act Tuesday, March 5th – 12:30pm Ted Sherrill, Director, NAS Product Ambassadors Security The California Consumer Privacy Act (CCPA) expands the rights of data subjects and requires businesses subject to it to increase transparency concerning the collection, use and disclosure of personal information. Oracle’s Core to Edge capabilities provide many automated controls that can be utilized to assist with meeting these requirements. IT Operations and Cyber Security: Two Sides of the Same Coin Tuesday, March 5th – 2:30pm Dan Koloski, Vice President, Product Management & Business Development Join this talk to learn about the similar challenges, analytic requirements and remediation mechanisms that make IT Operations and Cyber Security two sides of the same coin.  See how better collaboration and a common source of truth can simultaneously improve service levels and harden the security posture of a complex, hybrid, multi-cloud estate. Preparing for the Four Dimensions of Cloud Security Threats Tuesday, March 5th – 4:30pm Mike Kane, Senior Manager, Product Management Cybercrime is all around, literally. Threats to the integrity of your data on the cloud can come in four dimensions - inside threats, outside threats, top-down application threats and bottom-up infrastructure threats. This presentation explores these four different security threat dimensions and how Oracles Core-to- Edge Security strategy helps you to defeat each of them. Learn about key approaches to defeating some of the newest and most damaging security threats around. Securing the Edge: Understanding and Managing Security Events Wednesday, March 6 – 12:30pm Laurent Gil, Evangelist Oracle Cloud Infrastructure As distributed applications push more connectivity and functionality to the edge, application managers and DevOps teams must be aware of not only the evolving threat landscape but also design systems that are resilient in the face of evolving threats and the resulting volatility. We share the latest cybersecurity research findings based on real-world security operations along with innovative approaches to managing and mitigating security events at the cloud edge. Maintaining Compliance and Control of Hybrid IT Estates Wednesday, March 6th – 2:30pm David Wolf, Senior Director of Product Management Learn how proactive configuration and compliance management can help you maintain a hardened security posture across fast-moving, hybrid IT estates. Measuring DDoS Protection and Why it Matters Thursday, March 7th – 10:30pm Julien Lehmann, Senior Product Strategy Director The popularity of Cloud-based DDoS protection has grown as the size and complexity of DDoS attacks has increased. Examining route coverage percentages for DDoS attacks provides a critical measure of the effectiveness of cloud-based DDoS protection. This session will walk through detecting, tracking and measuring the rerouting of traffic to a DDoS protection provider, as observed in BGP routing data. If you are not able to attend RSA, please visit the Oracle Security webpage to learn more about Oracle’s security solutions. Follow the Oracle Security twitter account for daily updates on the latest news.

It is finally here, RSA 2019 will be kicking off in three days! If you’ve had the opportunity to read our previous posts, you’ll see several mentions of Oracle sessions at RSA. Conference attendees...

As the information security world gathers in San Francisco next week for the RSA Conference 2019, cloud computing will be front and center. Most security professionals (72 percent) feel the public cloud is more secure than their own on-premises data centers, according to the new Oracle and KPMG Cloud Threat Report. But they still have significant concerns about cloud visibility, incident response and the role of artificial intelligence (AI) and machine learning.  Oracle Cloud Infrastructure will be at RSA Conference 2019 to help attendees address these concerns and learn how to use the cloud to their benefit. View demos and speak to experts about our latest edge security products in our booth (South Hall 2261), and attend these sessions to discover how security is a pillar of everything we do. CISO Counterpoint: Mission Critical Cloud March 4, 3:05 p.m. Moderator: Eran Feigenbaum, Chief Security Officer, Oracle Cloud Infrastructure An increasing number of organizations are putting more of their data in the public cloud, and more of this data is sensitive in nature, according to the Cloud Threat Report. In this panel discussion, held as part of the Cloud Security Alliance Summit at RSA, chief security officers from large financial firms will discuss the security requirements and other considerations for having a truly mission-critical cloud. An Intelligent Approach to Beating Global Cybersecurity Threats March 5, 1:40 p.m. Speaker: Laurent Gil, Security Product Strategy Architect, Oracle Cloud Infrastructure Malicious hackers are using AI and machine learning to launch sophisticated attacks such as botnets that mimic normal human behavior. Relying on humans alone to detect and mitigate these threats just doesn't cut it anymore. In this session, attendees will learn how to fight fire with fire by deploying AI-powered cybersecurity technologies.   Practical Approaches to Cloud Native Security March 6, 1:30 p.m. Speaker: Karthik Gaekwad, Principal Engineer, Oracle Cloud Infrastructure Cloud native technologies aren't only for startups. More large enterprises are going this route, particularly with the Kubernetes orchestration platform. This session will cover some recent security exploits around Kubernetes and other tools and explain how organizations can infuse more security into their cloud native deployments. If you can't attend RSA Conference 2019, follow @OracleIaaS on Twitter to keep up with the week's happenings.

As the information security world gathers in San Francisco next week for the RSA Conference 2019, cloud computing will be front and center. Most security professionals (72 percent) feel the public...

Next week around 45,000 people will be navigating to downtown San Francisco for one of the biggest security conferences all year. With this year’s theme being “Better.”, companies will pull out all the stops to try and show customers that they are the best. There are countless things to do during this week long conference, but here are my top 5.   1.Ask Questions There are over 500 exhibitors distributed throughout the north and south halls of the Moscone Center. As you walk through these huge halls, different companies will try to draw you into their booth with prizes, food, etc. While these goodies are a nice perk, make sure you take the time to get familiar with the company, their products, and ask questions. Many companies will be providing demos of their products and in-booth speaking sessions, including Oracle! This year Oracle has three booths, each focusing on different aspects of our security portfolio, so make sure to stop by! Booth #5570 in the North Hall is focused on Oracle Database Security, Oracle Cloud Infrastructure, and Security within the Oracle Autonomous Database. Booth #1559 in the South Hall is focused on Oracle Security Monitoring and Analytics, Oracle CASB, and IDCS Booth #2261 in the South Hall is focused on Oracle’s Edge Security services  Visit the RSA website for a map of the South Hall and North Hall. 2.Get (Net)Working During RSA, companies put on networking events all around San Francisco. Whether it be a happy hour, a fancy dinner, or even an elaborate party, this is a great opportunity to network with peers. While conference goers are busy attending sessions and visiting booths during the day, these networking events are a nice way to relax and have fun at the end of the day.   3.Arrive Early While there are many different sessions to choose from, there are also thousands of people that will try to attend. To beat the rush and secure a spot for the sessions and keynotes that interest you, make sure you arrive early. Be sure to arrive early to these Oracle sessions: Session: Introducing an Intelligent Approach to Beating Global Cybersecurity Threats Tuesday, March 5th 10:40am -11:10am - Briefing Center, South Hall Presenter: Laurent Gil, Security Evangelist, Oracle Cloud Infrastructure (OCI) Session: What Sennacherib Taught Me About Security: How to Translate Cyber-Speak Thursday, March 7th 8:00am - 8:50am - Moscone West 2003 Presenter: MaryAnn Davidson, Chief Security Officer, Global Product Security, Oracle   4.Download the App Knowing what sessions to go to, when, and where can get very confusing very quickly. Soon you will realize how overwhelming a conference of this size can be, so to avoid missing something that interests you, download the official RSA Conference mobile app. With the app you’ll be able to: ·        View your agenda and explore sessions ·        Build your personal schedule ·        Access speaker profiles, exhibitor and sponsor information ·        View interactive maps of the RSAC Campus ·        Get session and event details – including dates, times, locations and speakers ·        Notifications – get a list of updates and informative notices Planning ahead will help you get the most out of all the valuable content that is presented over the week. Visit the RSA website for direction on how to download and use the mobile app.   5.Don’t miss the CSA summit This year’s conference marks the 10 year anniversary of the Cloud Security Alliance. The summit will take place the Monday of the conference and as their website states, “the CSA has been dedicated to defining and raising awareness of best practices to ensure a secure cloud computing environment throughout the world.” Oracle will be participating in panels during the CSA summit, so make sure to register for this event. Panel: Ten years in Cloud: An Observation of Success Monday, March 4th 9:40am - 10:25am - CSA Summit at RSA Moscone 207 SEM Panelist: Eric Olden, Oracle Senior Vice President and GM Security and Identity Panel: CISO Counterpoint: Mission Critical Cloud Monday, March 4th 3:05pm- 3:50pm - CSA Summit at RSA Moscone 207 SEM Panel Moderator: Eran Feigenbaum, Chief Security Officer Oracle Cloud

Next week around 45,000 people will be navigating to downtown San Francisco for one of the biggest security conferences all year. With this year’s theme being “Better.”, companies will pull out...

Organizations are rapidly expanding their cloud footprint, incorporating tools from multiple vendors and utilizing hybrid cloud deployments. If you are looking to learn more about Oracle Security, what better way to explore the portfolio than seeing Oracle's cloud services in action?  Next week, The 2019 RSA Conference (RSAC) kicks off in San Francisco. Security professionals from across the globe will have the opportunity to attend exciting keynotes, demo presentations, and networking sessions. It is a great opportunity to meet new security professionals, reconnect with past colleagues, and explore the latest innovations in security.        Each year the RSA Conference provides attendees with numerous events to interact and learn. Whether this is your first trip to RSA or you are a seasoned veteran looking for agenda planning inspiration, we have put together a list of must see Oracle events and sessions to make the most of your RSAC experience.   Learn more about the Oracle and KPMG Cloud Threat Report   Growing cloud usage within organizations has prompted a shift from simple business-enablement cloud tools to business-critical deployments. This calls for an equally innovative shift in security strategy, one that integrates tools to create a layers of defense approach. The Oracle and KPMG Cloud Threat Report 2019  is a global survey that uncovers the key security challenges organizations face as they lift and shift workloads to the cloud. Visit booth #1559 to learn more about the report findings and implications for your organization.    Visit the Oracle booths   Oracle is a Bronze Sponsor at RSA this year! We have three Oracle Security booths, stop by each booth to discover different aspect of our security portfolio. Join us in booth #1559 for daily in-booth speaking sessions on a number of topics. We are also happy to provide a comprehensive overview of our security portfolio. Here is a quick guide to our Oracle Security Booths at RSA:   If you are interested in learning about Oracle Database Security, Oracle Cloud Infrastructure, or Security within the Oracle Autonomous Database, please visit our booth #5570 in the North Hall. Grab a refreshment and explore Oracle Security Monitoring and Analytics, Oracle CASB, and IDCS at booth #1559 in the South Hall. Finally, if you are interested in learning about Oracle's Edge Security services, stop by booth #2261 in the South Hall.   Attend Sessions    If you are looking to learn more about Oracle Security at RSA this year, we have a number of sessions throughout the week. Be sure to attend each session whether that be at the CSA Summit, Executive Briefing Center, or one of our in booth presentations (booth #1559).    Panel: Ten years in Cloud: An Observation of Success Monday, March 4th 9:40am - 10:25am - CSA Summit at RSA Moscone 207 SEM Panelist: Eric Olden, Oracle Senior Vice President and GM Security and Identity In celebration of ten years with the Cloud Security Alliance, we take a look at the successes and advantages that cloud has contributed to over the past decade as a capability and in security. Additionally, this panel will discuss the areas that need to be improved and how current initiatives are shaping the future of cloud. This overview will allow us to combine ideas to formulate and connect the dots for our next steps on moving forward into the future.   Panel: CISO Counterpoint: Mission Critical Cloud Monday, March 4th 3:05pm- 3:50pm - CSA Summit at RSA Moscone 207 SEM Panel Moderator: Eran Feigenbaum, Chief Security Officer Oracle Cloud In this keynote panel, leading CISOs discuss their cloud adoption experiences for enterprise applications. We will explore the ability of cloud to address mission critical demands and provide lessons learned of the journey to secure leading edge cloud systems.   Session: Introducing an Intelligent Approach to Beating Global Cybersecurity Threats Tuesday, March 5th 10:40am -11:10am - Briefing Center, South Hall Presenter: Laurent Gil, Security Evangelist, Oracle Cloud Infrastructure (OCI) AI and machine learning are no longer a "nice to have" but rather a necessity and core component that reinforces an organization's cybersecurity strategy. Attackers will continue to use everything in their arsenal, including machine learning to power sophisticated botnets. Simply relying on human intervention to combat their attacks is a losing proposition. Organizations must infuse the traditional rules-driven methods with AI algorithms and machine learning to identify and fend off advanced attacks. However, most organizations don’t know where to get started. This session is designed to help organizations develop an approach to implementing real AI-enabled security in their own environments.   Session: What Sennacherib Taught Me About Security: How to Translate Cyber-Speak Thursday, March 7th 8:00am - 8:50am - Moscone West 2003 Presenter: MaryAnn Davidson, Chief Security Officer, Global Product Security, Oracle What do cuneiform and cybersecurity have in common? Both are “C” words and both are arcane languages. Cuneiform is the past; cybersecurity is the future as Everything Is Connected. How do we de-geek our speak for the many who Need to Know? Learn how to use the communication weapons in your armory you didn’t know you had: stories, analogies, humor, sarcasm, economics, history, biology, and more.    

Organizations are rapidly expanding their cloud footprint, incorporating tools from multiple vendors and utilizing hybrid cloud deployments. If you are looking to learn more about Oracle Security,...

So here are some interesting facts that we’ve recently uncovered about cloud database security in the Oracle and KPMG Cloud Threat Report 2019. What this tells us is that organizations everywhere are seeing the merits of the cloud databases and are making that move—but there are still many concerns about how secure they are.

So here are some interesting facts that we’ve recently uncovered about cloud database security in the Oracle and KPMG Cloud Threat Report 2019. What this tells us is that organizations everywhere are...

Interested in learning more about securing your Oracle SaaS? Join Oracle's Senior Product Manager, Subbu Iyer and AST Security Architect, Abhay Kumar as they demonstrate how Oracle IDCS and CASB can be deployed as a platform to secure and continuously monitor your Oracle ERP Cloud. Join live on February 27th at 10:00 am PT, Register Now to attend! The webcast will showcase several features, including: Key security factors to consider when implementing Cloud ERP Introduction to Oracle Identity Cloud Service and Cloud Access Security Broker Improved Cloud Application Security  Success Story: How a leading Utility company secured Cloud ERP using Oracle IDCS and CASB Cloud Security Reference Architecture Webcast Details: Securing Your Oracle SaaS Implementation with CASB and IDCS February 27, 2019 10:00 am PT Register Now

Interested in learning more about securing your Oracle SaaS? Join Oracle's Senior Product Manager, Subbu Iyer and AST Security Architect, Abhay Kumar as they demonstrate how Oracle IDCS and CASB can...

Risk #5: Lack of Cloud Security Leadership As we come to a close with risk number five, my hope is that this series has given you some key takeaways for addressing cloud security threats within your organization. Many organizations lack the cloud security leadership that can help address the cloud security risks outlined in this series. This might be a person or a team that helps the organization understand all of the cloud security risks and then determines how and when to mitigate. Cloud services are often rolled out by multiple lines of business owners with limited security oversight. Business leaders will often sidestep IT and simply use a credit card to purchase new cloud services without the knowledge of IT. This shadow IT has been known to increase risks and cause data leaks and breaches. The lack of cloud security leadership is arguably the biggest risk that organizations face because it exacerbates all of our other risks. Mitigation: Determine Your Leader - Cloud Security Architect The Cloud Security Architect has surfaced over the past two years as being very strategic to cloud security success. Forty-one percent of security practitioners in the Oracle and KPMG Cloud Threat Report say they have a cloud security architect to help address cloud security. Some key points to consider; this person should be: A single security point of contact for all cloud projects Subject matter expertise Quarterback across people, processes and technology Enabled and empowered by the organization Involved in planning through execution stages Empowered to halt unsanctioned cloud projects Establishes policies, directs implementation, and determines enforcement Identifies violations and plans remediation Is this a role your organization has filled or considered bringing onboard? If not, it may be a critical step in addressing and mitigating cloud security risks. Having a single point of contact for cloud security expertise and strategy can help your organization better reach its compliance goals and streamline the number of cloud solutions being onboarded, all through eliminating silos throughout the organization. Once again, please feel free to take a look back at my previous posts and consider reading the Oracle and KPMG Cloud Threat Report to learn more about today’s cloud security risks and understand how organizations like yours can address them.

Risk #5: Lack of Cloud Security Leadership As we come to a close with risk number five, my hope is that this series has given you some key takeaways for addressing cloud security threats within your...

As many of us grew up, our parents told us, being proactive will save you time. If you were in Boy Scouts, you lived each day to “be prepared”.  However, in more recent years, some great examples I tend to cite again and again as I talk about organizational risk and security.  Sitting from his chair in the Cal Fire offices, while being filmed for a Netflix docuseries on the California wildfires, Ken Pimlott, retired Director at CAL FIRE, said “Everyone focuses on the response part. The fire that never started will always cost less on so many levels.”.   While I am no firefighter, all of us in security often compare ourselves to either being a builder, or a firefighter because that is simply what we do each day.  We make a conscious decision if we are going to make investments that allow us to step away from being a firefighter and do more proactive and constructive things with our time and break the cycle of constantly fighting fires.  The idea isn’t to have a successful engagement when we are called to the fire and defend.  It is to make sure we are never called.  This requires up front investment, planning, and a new look into processes and people. In October of 2018, we all watched in horror as Hurricane Michael came to shore as one of the most intense storms recorded in the history of the Florida Panhandle causing at least $25.1 billion (USD) 1 in damages, and 72 deaths. As the storm passed, and the pictures emerged, there was a scene of flattened beachfront communities and homes, except for one single home. A home with seemingly little to no damage to it. Barely even a mark.  In fact, within days, the homeowner, Russell King, and his nephew Dr Lebron Lackey, whom helped him build the home, had the home available for rental again.  How was this possible?  This simply was an example of preparation.  Mr. King and Dr. Lackey both built this home to survive this exact type of storm with 40 ft pilings, they chose concrete board, ballistic glass windows, and hurricane proof roofing and decking. They chose weather proof electricals and utilities.  One interview quoted them as stating this was only about a 20% increase over the original price but allowed them to continue renting out days after the event, while miles around them, will be unable to build for months, if not longer. Easily covering the up-front investment.  These stories in up front investment have real-world applications in what we re dealing with in our own IT Security environments.  When we invest in effective defensive planning, we don’t have to be fire-fighters. When we invest in vault-like environments to protect our most sensitive IP, we don’t risk the downtime in our business operations when we see competitors being taken out. This is all about business continuity when cyber-attacks continue to increase the point of risk for our organizations. Assisting any builder in the construction of a weather proof home, or a fire chief in developing a battle plan is a risk prevention plan that looks ahead at measures that can be taken 12 months or more in advance to ensure that the defensive postures never need to be taken, that repairs never need to be made.  It is with this same intent that Oracle and KPMG once again have joined forces this month to release the Oracle and KPMG Cloud Threat Report 2019 takes a detailed look at organizations that are investing in a hybrid cloud strategy, or actively planning to lift and shift their workloads to the cloud.  This report takes a detailed look at the steps organizations are taking along this cloud journey, the challenges they are experiencing, and what results yield the most positive impacts in reducing risk and exposing the organizational data to threats. More and more organizations are using business-critical services than ever before and with this, it is more important than ever before to implement overlapping security controls that includes people, process and technologies, according to this year’s report, to ensure a more secure hybrid cloud journey, and to ensure our staff can spend more time enjoying the business, not fighting fires.  For more information on this year’s report, visit us at the Oracle and KPMG Cloud Threat Report 2019 page.   1              http://www.ncei.noaa.gov/news/national-climate-201812

As many of us grew up, our parents told us, being proactive will save you time. If you were in Boy Scouts, you lived each day to “be prepared”.  However, in more recent years, some great examples I...

The edge is where your cloud meets your users and endpoints. A secure, high-performing edge is a requirement for delivering secure, high-performing cloud services. Oracle Cloud Infrastructure has released three new features -- a web application firewall (WAF), DNS traffic management, and health checks -- to improve edge security and performance. Let's take a look at each service and how it works: Web application firewall The web is the hub of modern business. DDoS attacks can take down web applications and sites, grinding business to a halt. And malicious bots can steal sensitive data, scrape content, and otherwise cause havoc on the web. The Oracle Cloud Infrastructure WAF protects against these threats, whether they target web applications hosted on premises, in the Oracle Cloud, or even in multicloud deployments. The cloud-based WAF inspects all traffic requests going to and from a web server, and it identifies potential threats based on Open Web Access Security Project rules, threat intelligence feeds, and other sources. Organizations can also use the Oracle Cloud Infrastructure WAF to control access to web services based on the request's country of origin or other factors. Traffic management and health checks Oracle Cloud Infrastructure's traffic management capabilities now enable administrators to optimize the user experience by controlling where to route incoming DNS queries. Organizations can configure and implement routing policies based on the user's location, the availability of specific endpoints, and other factors. The main use cases of DNS traffic management include failover for high availability and disaster recovery, load balancing for cloud migration and scaling, and source-based steering to improve performance. Oracle Cloud Infrastructure's external health checks, which integrate with traffic management, monitor a workload's performance and availability outside of its host cloud. This is important because external factors can hurt the user experience of a particular service, even if it's running optimally in the cloud environment. If external health checks identify an issue, traffic management can re-route requests around it, improving performance and availability. For more information about Oracle's core-to-edge security, visit the Oracle Cloud Infrastructure Edge Services page.

The edge is where your cloud meets your users and endpoints. A secure, high-performing edge is a requirement for delivering secure, high-performing cloud services. Oracle Cloud Infrastructure has...

For the second straight year, Oracle and KPMG have partnered to bring you the insights into what 450 global organizations are experiencing as they lift and shift their workloads to the cloud.  Some are experiencing tremendous successes with effective planning, while some are realizing the difficulties because of mis-understanding cloud security principals. Today’s press release for the Oracle and KPMG Cloud Threat Report 2019 highlights this and more. It starts with shared responsibility. Businesses are understanding what a head coach knows when football players don’t understand offense and defense. Who’s responsible for catching vs blocking vs throwing?  82% of organizations are struggling with not knowing their role in cloud shared responsibility security model. If the players don’t know, let’s look to the coach who should know the playbook.  The most concerning challenge, today’s CISOs are often in the dark, as 90% of CISOs are unsure about their role in securing SaaS vs the cloud service provider. Playbook just went out the window! It follows with visibility. The number one cloud security challenge today is detecting and reacting to security incidents in the cloud, according to this year’s respondents. This is a leading driver for why only 1 out of 10 can analyze and respond to 75%+ of security event telemetry.  Now let’s put this into perspective. This would be like putting your entire family in a car, blacking out the windows, driving on a highway in the rain, and only have your rear-view camera to guide you. It simply is not enough visibility to see the threats ahead of you. It continues with cloud controls. Organizations continue to be impacted by employees who place sensitive business IP into unsanctioned cloud services and put the organization at risk against loss of data, malware and exposed services. So how are they addressing?  91% are employing formalized cloud usage policies, even though 71% feel confident those policies are not being followed.  Another 93% have evidence of unsanctioned services in use in the organization. This pattern of use increases organizational risk and makes it more challenging with the ever-changing regulatory landscape. This year’s report touches on a wide range of challenges that have been reported, and a leading practices approach to help reduce the impact from threats and implement proper risk reduction measures across the business.  We also look at the education of cyber teams, users, and helping to elevate the CISO and the role the entire org plays in collaborating with the CISO to ensure data privacy is a company wide concern. Learn more about this report in the joint Oracle and KPMG press release. To learn more at the Oracle and KPMG Cloud Threat Report page, and for more detailed reports from Oracle, click here

For the second straight year, Oracle and KPMG have partnered to bring you the insights into what 450 global organizations are experiencing as they lift and shift their workloads to the cloud.  Some...

Risk #4: Lack of Compliance Regulatory compliance is a complex and perpetual process of aligning with all matter of industry and government regulations. It’s never fully completed. Addressing regulatory compliance was tough in an on premises environment where we “owned” our datacenters, and now with public clouds we have an even more complex and nebulous regulatory landscape. Risk four, the lack of compliance, has to do with organizations not considering all aspects of the different compliance requirements they have to address. Many organizations are not considering compliance holistically: aligning across global requirements for hybrid cloud environments. According to the Oracle and KPMG Cloud Threat Report, 95% of security practitioners cite that the European Union General Data Protection Regulations will impact their cloud strategy and vendor selection. I believe the EU's GDPR is a great opportunity for organizations to strengthen their strategy to protect citizens' and users' data privacy, as it appears many data protection regulations are following suit. Mitigation: Realize Compliance is a Process, Not a Status Align with leaders that can help you through the compliance maze -- experience counts! Engage your Cloud Service Provider (CSP) often and early. Don't treat compliance as a check-box of security controls or measures that need to be ticked off, it's more than that. Here are some pointers: Leverage regional compliance experts Don’t wait too long to engage compliance resources, especially in regulated industries; engage them well before the contract phase begins. The CSP can help you understand compliance needs before you engage in a contract; once you’re in the contract phase it's often too late. Determine what's necessary Distinguish between best practices, “nice-to-haves,” and regulations. By default we want to address more compliance requirements, not less; however, it's likely unnecessary. Discover the motives behind compliance oversight (e.g. is it regulatory, industry, or corporate?) And remember, compliance does not necessarily mean that you are secure. This has been documented in the past where the Verizon PCI DSS (Payment Card Industry Data Security Standards) Compliance report showed organizations that were compliant had also been breached. Organizations often tick the PCI DSS compliance boxes, or implement compensating controls, but quickly fall out of compliance over time. More information on that here. Fully understanding your unique compliance needs is key to properly addressing and protecting your customers and business. Continuously monitoring your compliance controls is also very important, organizations should look to incorporate intelligent solutions that can help monitor your environment and track unsanctioned app usage. This process-oriented approach to compliance will help strengthen your security posture and support objectives to achieve compliance. Please join next week for our final blog of the series, Risk #5: No Cloud Security Leadership.

Risk #4: Lack of Compliance Regulatory compliance is a complex and perpetual process of aligning with all matter of industry and government regulations. It’s never fully completed. Addressing...

The first step in beating your enemy is to understand them.  Knowing all the ways an attacker might try to hack you is virtually impossible.  Understanding what’s in the Mind of a Database Hacker? Much more feasible.  Different hackers have different motivations that can range from simple curiosity to, the most common - financial gain.  They are after your data and probably know where it is. The consequences for Organizations are huge - Reputation loss, fines, class action lawsuits, and C-level resignations. We’ve seen all. Whether attacking alone or sponsored by nation-state attackers tend to be highly motivated, have all the time in the world, all the resources, all the infrastructure and have a great sense of community.  Automation is big in the hackers’ land, and even newcomers to the field now leverage powerful tools that can quickly exploit known vulnerabilities.  These tools are often free or available in a marketplace where you can buy tools and services like HaaS (Hacking as a Service). The impact a relatively new and unskilled newbie can have is unimaginable compared with just a few years back. What about you? Do you know where your sensitive data is? Are you doing enough to protect it? Remember, some data might not look that important but if that data serves an application that fulfills a specific line of business need, it will definitely be interesting for an attacker. Information may either be valuable alone or leveraged by combining it with other pieces of information to reach a bigger target. To know more, join me, Pedro Lopes, Oracle’s EMEA  Product Manager for Database Security at Oracle Open World Middle East in Dubai and take a trip into the mind of a cybercriminal.  We’ll talk about typical ways a database is hacked, some of the recent attacks, and ways to mitigate the most common attack vectors. Inside the Head of a Database Hacker [SES2043-DUB] Monday, February 11, 01:25 PM - 02:00 PM Forum 6 (The Exchange, Level 1) - Dubai World Trade Centre See you there! #OOWDXB #Dubai @OracleSecurity @OracleInfoSec @OracleDatabase  

The first step in beating your enemy is to understand them.  Knowing all the ways an attacker might try to hack you is virtually impossible.  Understanding what’s in the Mind of a Database Hacker?...

Risk #3: Reliance on Manual Processes Do you experience difficulties keeping pace in detecting and responding to threats? If you are just joining us, last week we covered risks one and two of the top five cloud security risks organizations are facing. As I’ve mentioned in my previous posts, if you are interested in learning more about these risks, please register to attend an Oracle Cloud Days presentation in a city near your or access the Oracle and KPMG Cloud Threat Report. Now that we’ve touched on the importance of understanding the shared responsibility model and implementing controls to protect users, let’s explore the need to minimize our reliance on manual, and error-prone, processes when addressing security events. This includes the ability to detect today’s sophisticated threats and respond in near real-time to reduce the window of risk. If you combine that with the 3.3 billion events that the typical organization receives per month (Source: McAfee 2018), keeping pace with manual efforts is nearly impossible. Cloud services are being rolled out faster than security operations can support, creating a security pace gap. Mitigation: Automate with Machine Learning and AI A lot has been said about the benefits of machine learning and artificial intelligence to combat today's sophisticated threats. By using intelligent, highly automated technologies we can better remove threats as soon as they are detected and prevent potential attacks before they begin. To learn more, read the Oracle paper "Machine Learning-based Adaptive Intelligence". By implementing these automated technologies, organizations can free up resources for new innovation, cut costs, and save time. Another way to address the sophisticated and multifaceted attacks organizations face is through a layers of defense approach—starting at the core and moving to the edge. No one security control, no matter how automated, can prevent the many threat actors and their attacks, so it’s important to use multiple layers of defense to protect your data, the users who need it, the applications that use it, and the infrastructure that underlies it all. Whether moving existing workloads to the cloud, or beginning your cloud-first journey, modern security strategies must incorporate consistent security controls that address global industry and government regulations across hybrid and multicloud environments. For information security teams that must reduce overall risk, Oracle’s core-to-edge solutions help prevent, detect, respond to, and predict modern cybersecurity threats. From the core (your data and underlying infrastructure) to the edge (where your users connect), Oracle’s layers of integrated security controls work together to intelligently protect hybrid and multicloud IT environments. Security is built-in and begins with data protection and self-securing Autonomous Databases. It continues with secure infrastructure, compute, and storage. The layers of defense drive powerful security controls out to the edge where end users access applications from all around the world. To learn more about some of Oracle's key core-to-edge security solutions, please visit the following layers of defense: Cloud monitoring and log analytics Cloud infrastructure security Cloud application security Cloud visibility and data loss prevention Identity and access management Encryption key management (Oracle Database) (Cloud Infrastructure) Data security and encryption (Oracle Autonomous Database) Today, we’ve explored two approaches to better protect your organization against threats that can often be missed by under staffed IT teams and error-prone manual processes. Each organization has a unique mixture of hybrid and multicloud environments, but learning more about technologies such as machine learning and AI and how they can fit into your layers of defense strategy just might be a critical piece of that puzzle we mentioned before. As we move into our final two risks, you will see that once again the theme of security falls on everyone in the organization and that compliance requirements are changing the way we must think about data, like it or not.  

Risk #3: Reliance on Manual Processes Do you experience difficulties keeping pace in detecting and responding to threats? If you are just joining us, last week we covered risks one and two of the top...

This morning I was chatting to a colleague about the cyber security landscape and he asked me the question “Do you think machine learning and AI will replace the need for security (SOC) analysts in the future?” Artificial intelligence and machine learning are just a couple of the buzz words that are ‘in fashion’ at the moment, especially around the world of cyber security. I have written before about how different terms come and go as the fashionable phrases to attach to your product. There is no better place to see this in action then to go to an event like InfoSec Europe. Look for the common wording that every vendor has on their stand and you can see what the current buzz words are. Anyway, I digress. We are being promised amazing things from machine learning and its application. The promise of fully autonomous, self-driving cars is tantalisingly close. Across IT, there are some amazing advantages and efficiencies from applying machine learning to everyday processes. In fact, Oracle is doing some fantastic work in applying machine learning across our entire portfolio. Take our SaaS apps for example. Within HCM, recruiters benefit from in-line AI and data-driven candidate recommendations that reduce time-to-fill and cost-to-hire. Within ERP, we are intelligently automating repetitive and mundane tasks, such as approvals, and within CX, optimizing marketing and sales programs to better resonate with customers, increase conversion, and close more business. You can find more information on any of these examples and more here. It’s not just about apps. Within our analytics platform, the use of machine learning allows you to get to insights about your data quicker. And of course, Oracle Autonomous Database, the world’s first self-driving database has a large helping of machine learning under the covers. From a cyber security perspective, machine learning is a perfect fit. Security event data, activity data, configuration data etc is all very structured and therefore ideal to throw at machine learning to understand and process that data very quickly to spot anomalies, identify threats, and recognise attacks. This means that you can reduce the false positives and provide more accurate, focussed insight to your SOC analysts to investigate the real incidents. However, the promise of machine learning goes beyond that. In the world of Oracle Autonomous Database we talk about the database being self-securing. Taking an excerpt from the whitepaper here: “The Autonomous Database is more secure than a manually operated database because it automatically protects itself from internal and external vulnerabilities and attacks. The Oracle Cloud provides continuous threat detection, while the Autonomous Database automatically applies all security updates online and provides “always on”, end-to-end encryption. This preventative approach is critical because 85% of security breaches today occur after a CVE (common vulnerability and exposure) alert has been issued.” So, if we can make the database self-securing, why can’t we apply that to all security events? Why can’t we automatically remediate issues identified by our SOCs and thus get rid of the SOC analysts completely? In fact, within Oracle’s combined cloud-based NOC / SOC platform, Oracle Management Cloud, we talk about automatic remediation as a key capability. However, we need to recognise the limitations of automated remediation and where it is and isn’t suitable. In some places it makes sense. If your monitoring platform notices an increase in load, or a server shutting down, then you could remediate this by automatically spinning up another node, or adding CPU count to existing nodes. Even in some security scenarios, you could take automated remediation steps. If you see machine learning identify a user as risky due to their behaviour, you might disable the user, or enable multi-factor authentication on their account. Within Oracle Autonomous Database, the database is a controlled platform and therefore the remediation steps can be well understood on this focussed platform. If we are looking at remediating incidents, we also need to understand where those attacks are coming from, and I don’t mean geographically in this context. It's true what Larry Ellison said in his keynote at Oracle Openworld back in 2017: However, we need to recognise that it’s not just machine versus machine. The defenders have machine learning, but so do the attackers. Security has always been a game of cat and mouse. The attackers find a hole, the defenders plug it. The defenders put in stronger security, the attackers find another way in or a way around it. If it was just machines vs machines then the game may be more even, but adding the human element guarantees that security experts will still be needed. Let’s go back to the example of autonomous cars. If there were only autonomous cars on the road, then I suspect we would see very few accidents. The biggest challenge autonomous cars are facing today is their interactions with other human drivers. Cyber security is the same. It’s not just computers vs computers, but the humans telling those computers what to do that adds to the unpredictability. Even as machine learning gets more advanced, the size, scale, and complexity of organisations IT today makes it very hard to fully automate all remediation steps or cover every eventuality. In fact, there are many times you might not want to. For example, if you are an online retailer and you see an attack coming in on Cyber Monday, do you want a machine deciding to take your entire online presence down to fix the problem, or do you want to make a judgement call based on business risk on how to proceed? I firmly believe that machine learning has a strong place within our cyber security defender’s toolbag. As it matures further, it will provide increased value and keep helping to strengthen an organisation’s defences. However, I don’t see a time, certainly within the rest of my career when we will be saying goodbye to the hugely talented pool of security analysts, specialists, and experts who underpin the security defences of every organisation.

This morning I was chatting to a colleague about the cyber security landscape and he asked me the question “Do you think machine learning and AI will replace the need for security (SOC) analysts in...

Risk #2: Unprotected Users The consumerization of IT has made it much easier for lines of business to quickly access new cloud services without the oversight of the information security team. IT no longer has a view into the cloud services their users access. These new cloud services often use sensitive corporate data; one in seven organizations are now storing sensitive data in the cloud according to the Oracle and KPMG Cloud Threat Report. As I mentioned in my previous blog post Risk #1 Lack of Responsibility, it's relatively easy for cybercriminals to penetrate organizations and collect intellectual property, healthcare, financial, customer and corporate data. The cybersecurity landscape is changing so often that technology is no longer enough to protect our organizations. Just by connecting to the internet we are at risk of falling victim to an attack. The consequences are more severe than ever—effecting our organization, our customers, and potentially our countries. Over half of the cyber security practitioners surveyed in the Cloud Threat Report experienced one of two major forms of phishing attacks.     Mitigation: Train Your Users and Protect Them We need to think security-first because, as stated at the beginning, it's all of our responsibility. IT and InfoSec must continually employ proven best practices, deploy secure technologies and train users to be secure. This includes applying key best practices that protect users and their login credentials. Adopt security best practices that help reduce the potential for unauthorized access to sensitive data or apps Separation of duties - Break sensitive tasks up between multiple users so that no individual has too much power. Least privilege - Never give people more power than necessary to do their job. If they need a privilege escalation, provide that for the time to do the job, but then revoke that excess privilege when the job is completed. Deploy technologies that protect users Adaptive multifactor authentication - Use a secondary factor of authentication when suspicious activity is detected on a user's account (i.e., 6 digit code sent to your mobile device, or a hard token that you can insert into your computer's USB port). Cloud Access Security Broker (CASB) - Deploy a CASB to gain visibility into cloud application use and set consistent security and compliance across those cloud applications. Conduct regular training and testing Continuous, built-in security training for all employees. (i.e.Oracle Software Security Assurance) Test their knowledge with phishing campaigns and other quality checks  The Cloud Threat Report showed the #1 area of investment was in the area of employee awareness programs and security training. Keeping your employees informed about these threats and implementing mitigation tools will allow you to better protect your organization, brand reputation, and employees. Hopefully risks one and two have provided you with some key risk areas to focus on, next week we will dive into the next two risks, starting with risk #3 – Reliance on Manual Processes.

Risk #2: Unprotected Users The consumerization of IT has made it much easier for lines of business to quickly access new cloud services without the oversight of the information security team. IT no...

Risk # 1: Lack of Responsibility How many of you are responsible for security at your organization? I would like to make the case that we are all responsible for security, regardless of whether it is our 'official' role. If I were a cybercriminal looking to attack your organization, I could search employees on LinkedIn and source potential targets. I could cross reference those names with other social media properties to obtain more personal information, including email addresses. I could then send targeted emails that encourage you to access a malicious link or attachment; 30% of you would open the email and another 12% would click the bait (Source: Verizon Data Breach Investigations Report). This is just one of the many risks that organizations face as they leverage cloud computing, according to the Oracle and KPMG Cloud Threat Report. We have been highlighting these risks at Oracle Cloud Days around the world and I encourage you to attend if you can. For those unable to make it, we’ve created a summary of the top 5 cloud security risks and how to mitigate. Each week we will cover one of these risks and examine mitigation steps that include layers of defense from the core-to-edge. Most organizations are unaware of the division of labor and demarcation with their cloud service provider (CSP). This lack of understanding can create risks that include introducing malware into the environment, mismanaged configurations, and loss of data. Mitigation: Understand the Shared Responsibility Model The shared security responsibility model is an easy-enough concept to understand, but much more difficult in practice. In fact, you will need to better understand the shared responsibility model for each of your given CSPs. This takes time and requires a dedicated responsible person or group within the organization (hint, we will address this during our risk #5 post). In a traditional on-premises environment, it’s quite clear that you own all of the security and compliance requirements. However, working with a CSP, you share that responsibility so it's important to know the demarcation line. The deeper you go into the services, the more responsibility you have. For IaaS (Infrastructure as a Service) environments, the customer owns more of the responsibility. For example, they might own security and management of service configurations, data, apps and operating systems. The CSP would then maybe be responsible for the lowest-level infrastructure: virtualization and physical environments. As you move up the stack, into SaaS (Software as a Service), the CSP is responsible for more. It’s important that you consider this when choosing a SaaS provider: You really need to trust them. That means your cloud vendor is responsible for encrypting the data in the database, managing patch updates, or system configurations so that they don’t drift over time – potentially exposing your data to exploits or unexpected downtime and performance hits. Adding to the confusion, most organizations will have a hybrid, multicloud strategy. Eighty-one percent of organizations have a multicloud strategy, according to the Oracle and KPMG Cloud Threat Report. When you choose your cloud service providers it’s important you understand the SLAs from each of them and know who is responsible for what. That being said, it is important that your dedicated individual or team fully understand the shared responsibility for each CSP and that they educate others within the organization. This risk is just one piece of the puzzle and you will see that there are many interlocking challenges organizations are facing – perhaps challenges you are facing as well. Please join us for our next post, this Thursday on risk #2: Unprotected Users in the Cloud.

Risk # 1: Lack of Responsibility How many of you are responsible for security at your organization? I would like to make the case that we are all responsible for security, regardless of whether it is...

Today's CISOs are challenged not only by today's threats and risks, but also in the effort to engage every aspect of the business with the same end goal.  Reduce risks and prevent threats from impacting the business.  All too often, the C-suite has looked at the CISO as the sole person responsible for securing, and as a result, the one who's head must roll if there is a data breach.  This has created the reputation in the industry that CISOs are simply the Crisis Induced Sacrificial Offering.  The upcoming Oracle and KPMG Cloud Threat Report for 2019 highlights that in the event of a breach, most companies will do two things. 1) hold the responsible party responsible 2) provide new funding for the replacement leadership to ensure it doesn't happen again.  Make no mistake, this is not a model that is sustainable.  When the US Navy builds an aircraft carrier, everybody on the ship has an assigned role. Deck crews actually wear unique clothing to designate who is responsible for arming aircraft, refueling, and many more roles.  However, every man and woman on the ship is a fireman.  Everyone has a responsibility to share in making sure the ship does not go down due to a fire.  This is the same mentality CISOs are looking to institute across the enterprise, starting at the top.  That message is, that the CEO, CIO, CFO, CTO and CDO all have a "shared responsibility" to ensure their programs, efforts and staff are instituting risk reduction measures, and security is top of mind. No CFO wants to wake up tomorrow only to find out they are responsible for the ship sinking due to a rapid ERP deployment that didn't include the company's required security measures.  With that in mind, this year, the CISO has 6 priorities they are focused on to ensure success.  Learn more about your role as "fire support" to ensure the corporate ship stays afloat, and you ensure success for the CISOs stated goals.  Read the article in Forbes, "Chief Information Security Officer Priorities for 2019" and share with others who could benefit!

Today's CISOs are challenged not only by today's threats and risks, but also in the effort to engage every aspect of the business with the same end goal.  Reduce risks and prevent threats from...

History has it that when Willie Sutton was asked by a reporter why he robbed banks he responded, “because that’s where the money is”. Banks still hold lots of money, but a bank heist is likely a bit harder to pull off these days than a virtual bank robbery, one that steals information and data.  A modern-day version of the question posed to Willie Sutton might be why break into an organization’s IT infrastructure with the answer “because that’s where the data is”. In fact, some estimates claim that the “global data sphere” or collection of data created and stored will exceed 175 zettabytes by 2025, up from 33 zettabytes in 2018. That is indeed a significant increase, but it is a bit hard to wrap our minds around just how much data 175 zettabytes represents. The answer for a visual representation is that if all this data were stored on DVD’s (a dated but good physical reference to stored data), it would be a stack of DVDs that could get you to the moon 23 times or circle the Earth 222 times. With all of this data comes tremendous privacy and security challenges for our society. Why so much data? Data is aggregating at rapid rates due to the ever-expanding sources of data; consumers and the actions they are undertaking every day (physical and online shopping, social media, Internet browsing, video creation, smart devices) and organizations creation of information from operations (IoT sensors, big data storage, scenario planning and analysis, extensive customer records). Data is money for most businesses and having more data can mean more money (a relatively recent breach highlighted this issue). Data is very valuable and storage costs have approached near zero, allowing for what seems like infinite storage at almost zero cost. But the combined elements of massive data collection and increasingly stringent regulatory requirements creates a risk to organizations and causes privacy concerns for global society. The rapid creation of large amounts of data is valuable to businesses and can certainly be monetized. The data creation even benefits consumers in many ways (we love it when we get personalized services and recommendations tailored to meet our desires or free applications and services for sharing our data). There can be significant risk of jeopardizing customers’ privacy and even worse failing to meet regulatory mandates for privacy such as the EU GDPR and regional mandates like the forthcoming privacy requirements in the state of California. Protecting these terabytes of data is becoming an even greater challenge with the increasing sophistication, innovation and determination of attackers. We will be discussing these security and privacy challenges with a panel of experts during our session (The Role of Security and Privacy in a Globalized Society) at Oracle OpenWorld Europe on January 16 from 1:40pm-2:15pm. If you are in London for OpenWorld we hope to see you in the audience. P.S. Regarding the Willie Sutton statement, it has been noted that he perhaps didn’t make the statement “that’s where the money is” in response to why he robbed banks. To paraphrase, it has been noted that he said he did it for the thrill. Like Willie Sutton, I suspect that many attackers may also enjoy the thrill, in addition to the financial gains.  

History has it that when Willie Sutton was asked by a reporter why he robbed banks he responded, “because that’s where the money is”. Banks still hold lots of money, but a bank heist is likely a bit...

The “Oracle and KPMG Cloud Threat Report” looks at trends and new concerns. By Tom Haunert January/February 2019 Having previously produced world-class security reports, Oracle and KPMG are due to release their next one in February 2019, based on extensive interviews with 450 companies. I recently sat down with Greg Jensen, senior director of cloud security at Oracle, to talk about the data he’d just received from those interviews and what will make the “Oracle and KPMG Cloud Threat Report” different from other security reports. While some reports are based on metrics gathered by security vendors, others are survey-based. “Oracle saw there was too little conversation about the security risks and challenges organizations are facing as they’re lifting and shifting their workloads to the cloud,” Jensen says. “We concluded we wanted to align with an industry partner such as KPMG to consolidate our research and findings.” The 2019 report will confirm, for example, that companies are moving more and more of their sensitive data to the cloud. It also will delve into the issues of unsanctioned application use in the cloud, and it will look at the challenges of maintaining consistent security practices and configuration baselines both in the cloud and on premises. The 2019 report will also look at how ineffective patch management programs are having a negative impact on organizations, as well as how effectively leadership’s goals are being delivered in completed security projects. Needed: A Broad View I asked Jensen how Oracle expects people to use the report’s findings, and he surprised me. “People should consume four or five different reports to get a broad overview of security risks,” he says. “Organizations need a variety of security information from a variety of sources, and the ‘Oracle and KPMG Cloud Threat Report’ can be a primary source of that security information. Informed security practitioners can then engage C-level leadership in conversations on risk, security, and compliance.” In the next (March/April) issue of Oracle Magazine, look for more on the “Oracle and KPMG Cloud Threat Report” as well as articles on Oracle security technologies and cloud services. Meanwhile, in this issue’s “Generation 2: Ready for Anything,” Kyle York, vice president of product strategy for Oracle Cloud Infrastructure, talks about Oracle’s next-generation cloud infrastructure in general and infrastructure security in particular—from the core to the user edge. Next Steps EXPLORE the “Oracle and KPMG Cloud Threat Report.” LEARN more about Oracle Cloud security.

The “Oracle and KPMG Cloud Threat Report” looks at trends and new concerns. By Tom Haunert January/February 2019 Having previously produced world-class security reports, Oracle and KPMG are due...

Every fall Oracle OpenWorld takes over San Francisco as IT professionals from across the globe attend to learn more about the latest product releases, best practices, and industry changes. This year, Oracle OpenWorld is on the move, with three additional cities on the calendar! Oracle OpenWorld Europe will kick off in London January 16-17th. If you are planning to attend and interested in learning more about security, please be sure to check out these three must see sessions. 1) Modern Management and Security in Action Arena 1 (Level 3) ExCel London - Wednesday 9:00am - 9:35am Effectively securing and managing your hybrid clouds is critical for success in today's environment. Join this session to hear directly from customers as they explain their unique security and management journeys. This is also a great opportunity to hear from management and security executives and understand ways you can increase visibility, save time, and reduce human error.   2) The Role of Security and Privacy in a Globalized Society Arena 3 (Level 3) ExCel London - Wednesday 1:40pm - 2:15pm  The security threat landscape is constantly evolving. Even with the release of new security solutions and increased automation, adversaries continue to look for new angles vulnerable to attack. This phenomenon leads us to the realization that the next big security threat may be unknown at this time. Join trusted security leaders as they discuss a number of topics around 'the next security threat.' The discussion will touch on the importance of maintaining user privacy and evaluating potential threats.   3) Learn How Oracle CASB Has Helped Companies Make a Secure Transition to Cloud Services Forum 1 (Level 0) ExCel London - Thursday 12:10pm - 12:45pm The growing cloud landscape has introduced great innovation, but with innovation, comes risk. Learn how Oracle CASB has enabled companies to gain better visibility, meet compliance requirements, and prevent misuse of admin privileges.   We hope these sessions will provide greater insight into the opportunities to improve security and management within your environment. If you are unable to attend Oracle OpenWorld Europe, there are several other opportunities to attend an OpenWorld near you. Additionally, we have several key assets designed to guide customers looking to learn more about securing their environment from core-to-edge.

Every fall Oracle OpenWorld takes over San Francisco as IT professionals from across the globe attend to learn more about the latest product releases, best practices, and industry changes. This year,...

Cloud adoption shows no signs of slowing down and has benefited many private and public-sector organizations. According to the Oracle and KPMG Cloud Threat Report, 87% of firms have a cloud first orientation. These organizations value the benefits of the cloud, such as lower costs and increased flexibility, and are actively working to expand their cloud footprint. One topic that repeatedly arises when thinking about the cloud is security. While 83% of those surveyed in the Cloud Threat Report believe that cloud security is as good or better than on-premises security, there is still a lot of confusion when it comes to security responsibility between the organization and the cloud service provider. With sensitive data such as personally identifiable information (PII), payment card data, and legal documents, this is an issue that cannot be ignored. At Oracle Cloud Day you can learn about new technologies, successful customer case studies, and network with peers in your industry. We’ve designed this day to fit your personal needs with four customized tracks: IT experts, architects and integrators, data professionals, and developers. If security in the cloud is a priority for your organization, be sure to attend our session, “Mitigating the Top Five Cloud Security Mistakes” in the IT experts track. This session will not only address the most misunderstood aspects of the cloud when it comes to security, it will also help you learn how to best prevent, detect, and respond to the top risks you may be facing in your hybrid cloud environment. Whether your organization is just beginning to think of cloud adoption or is a mature cloud user with multiple vendors, it is always important to stay up to date with best practices and the latest cloud trends.Oracle Cloud Days will be coming to cities near you, don't miss this opportunity to seize the day and learn more about the cloud!  If you’d like to attend one of Oracle’s Cloud Days, register for an event near you!                      New York, NY - January 15, 2019                  Atlanta, GA - January 17, 2019 Boston, MA - January 30, 2019 Chicago, IL - February 5, 2019                                        and Many More!                                                                                                                     

Cloud adoption shows no signs of slowing down and has benefited many private and public-sector organizations. According to the Oracle and KPMG Cloud Threat Report, 87% of firms have a cloud first...

Data breaches and cyberattacks are a way of life for businesses today. How will they evolve in 2019? And what new tactics and technologies can companies employ to fight back? We asked security experts from Oracle Cloud Infrastructure and the tech industry at large to share their predictions.   Eran Feigenbaum Chief security officer, Oracle Cloud Infrastructure More consumer, employee, and corporate data records will make their way to dark markets in 2019. The culprits behind most of these breaches remain unchanged, namely a lack of patching, strong passwords and two-factor authentication. Further, expect more troubling details about how many popular applications and platforms use personal information. As a result, the themes of GDPR will continue to go global, spawning even more calls for data privacy laws and regulations.   Kevin L. Jackson CEO/founder, GovCloud Network @kevin_jackson 2019 will be a watershed year for cloud and cybersecurity. This will be driven by three factors: Continuing massive data breaches; Excessive marketing hype around hybrid cloud; and Corporate existential threats caused by data breach fines and penalties. Although painful in the near term, the global economic engine we call the internet will become better, more secure, and more international as cloud computing services become more secure and more multi-polar from a service provider point of view.   Kyle York Vice president, product strategy, Oracle Cloud Infrastructure @kyork20 There are good bots and bad bots on today’s internet. I predict that 2019 will be the year that the market becomes painfully aware of just how damaging the bad ones can be to enterprise brands. As more and more applications and workloads move to run on hyper-scale cloud providers, it is imperative that these vendors decipher the difference, allow only clean traffic, protect your assets, secure your data, and keep a positive end-user experience for all your constituents. Reputations are at stake everywhere, and we all must be vigilant.    Sophina Kio-Lawson and Lilian Douglas Co-founders, SheSecures @she_secures We predict the use of more bug bounty programs and the adoption of automated tools using artificial intelligence. These tools will be able to identify and patch bugs swiftly without having to wait for three to six months for the bugs to be exploited and leaked by cybercriminals.   Laurent Gil Security product strategy architect, Oracle Cloud Infrastructure @laurentgil As security technologies and practices improve, hackers will increasingly use botnets that behave like humans, making it harder to identify bad actors. Such malicious traffic will hide within the mass of regular, legitimate human-based traffic -- just a few hundred bad requests among millions of good, human requests. This approach will require much more sophisticated behavior-based analysis, powered by artificial intelligence.   Mark Cliff Lynd Managing partner, Relevant Track @mclynd Commerce and cybersecurity apps in the cloud will require multi-factor authentication, with two-factor authentication as the minimum. This additional security will come at a cost, because support calls will go up as humans struggle to use and remember all the different authentication steps utilized across multiple platforms in the enterprise. Cybersecurity attacks against online platforms will increase, especially ransomware and DDoS attacks. These attacks will affect availability, and new approaches will emerge to combat them.  

Data breaches and cyberattacks are a way of life for businesses today. How will they evolve in 2019? And what new tactics and technologies can companies employ to fight back? We asked security experts...

2019! Can you believe it? The beginning of a new year always seems like a fresh start, a chance to visit new places and explore new subject areas. Many people opt for a New Year's resolution: getting in shape, being more productive at work, or meeting new people. Some of you may even make it a New Year's resolution to learn more about security, based on personal interest or your profession. If that's the case, you've come to the right place. Along with my plan to eat more plant-based meals, I've decided to dive deeper into the world of security and challenge myself to learn more about the new advances industry wide and here at Oracle. If you are also looking to learn more about security, please read on. Traveling in 2019? If you are looking to take your security education on the road, join us for one of our Oracle Cloud Days in a city near you. This is a great opportunity to meet industry peers, learn about Oracle Cloud technologies, and map out a unique strategy for your cloud transformation. Access the Oracle Cloud Days registration page to sign up for dates in January and February! Transforming the way you secure and manage your environment? Cloud transformation strategies vary greatly depending on the needs of the individual organization. If your organization is rapidly adopting the cloud, it is important to understand your organization's responsibilities for security and compliance. Increasing visibility and strengthening IAM policies are critical to effectively secure your SaaS environments. Evaluating new solutions? According to the 2018 Oracle and KPMG Cloud Threat Report, 87% of companies have a cloud first orientation. Cloud transformation is gradual, so even if your department has not yet made the switch, it is likely that your company is in the process. It is important to be well educated on the latest cloud security updates in order to become a thought leader within your department. If your interest is in learning more about Oracle Security, please take a moment to read a recent report published by Ovum, Oracle Bakes Security into its DNA. You may also be interested in taking the Cloud Security Alliance Top Threats to Cloud Computing 2018 survey and accessing the report. Regardless of your 2019 security strategy, there are several ways to learn more about the latest updates in security. Whether you are looking to increase security around your SaaS deployments, your IaaS environments, or your hybrid cloud deployments - Oracle Security offers the agility and  flexibility to improve security and compliance in your organization.

2019! Can you believe it? The beginning of a new year always seems like a fresh start, a chance to visit new places and explore new subject areas. Many people opt for a New Year's resolution: getting...

In partnership with Oracle, the Cloud Security Alliance (CSA)  is happy to announce the survey of the Top Threats to Cloud Computing 2019 report. Last year's report was an incredible success for CSA, and Oracle is looking to help make 2019 even more impactful than ever.  As a sponsors and contributor to this report, Oracle is encouraging all to take 6 minutes to walk through the CSA survey to indicate the challenges impacting your cloud experience. We have shortlisted 19 security issues from recurring issues like Data Breaches and Insecure Interfaces and APIs to new issues like Weak Control Plane. While the list could be much longer, our goal is to focus on the top of line threats impacting organizations today.  Your involvement is crucial in helping raise awareness  across the industry.  Help the Cloud Security Alliance (CSA) determine industry perceptions of the most significant issues! The survey will take about 6 minutes to complete.  To encourage participation, CSA is giving away: $100 worth of gift-card vouchers one CCSK token. Link to survey: https://www.surveymonkey.com/r/MQ553TW

In partnership with Oracle, the Cloud Security Alliance (CSA)  is happy to announce the survey of the Top Threats to Cloud Computing 2019 report. Last year's report was an incredible success for...

Like baking, security is an art and science. Both require planning from the beginning, adding the right ingredients that work well together, and integrating those ingredients for a final product.

Like baking, security is an art and science. Both require planning from the beginning, adding the right ingredients that work well together, and integrating those ingredients for a final product.

It’s not surprising to hear that an increasing number of organizations are moving their mission critical applications to the cloud in order to leverage its flexible functionalities. While there are many benefits, such as a reduction in operational costs, moving to the cloud also poses new security risks and challenges. Organizations must address this increasingly complex threat landscape in order to protect their users, applications, and data. Critical applications, such as Enterprise Resource Planning (ERP) systems, host very sensitive data, making them prime targets for cyberattacks. While SaaS vendors are responsible for the security of the application infrastructure, SaaS customers must protect the customer data and access of the application. Due to the high risk of attack, organizations must implement security policies and solutions in order to protect themselves. As illustrated below, most business leaders are expecting an increased number of cyberattacks on an ERP system, so organizations need to move fast. According to the Cloud Security Alliance ERP Working Group, “you must continually monitor user activity to detect malicious and anomalous behavior.” To start, organizations must find a way to give different employees, different levels of access to business critical applications and monitor what users are doing at any point in time. As shown below, Oracle’s CASB Cloud Service (CASB) and Identity Cloud Service (IDCS) can help organizations protect the data in their ERP system while continually monitoring user activity.                             As organizations transition their critical applications to the cloud, many questions may arise. Success in the cloud depends highly on the amount of visibility and ability to scale. For more information on creating a security strategy for your critical SaaS applications, access our  Securing Sensitive ERP Data infographic and dive deeper into strategies for securing all of your mission-critical SaaS applications in our new Cloud Security guide. 

It’s not surprising to hear that an increasing number of organizations are moving their mission critical applications to the cloud in order to leverage its flexible functionalities. While there are...

Following several widespread and highly publicized breaches around the world, companies have realized a need to invest more in security. Although security was always a concern, these attacks have been a catalyst for change. Despite this surge in recognition, cyberattacks are still on the rise. In parallel, customers are rapidly adopting new applications, many of which are SaaS deployments. As organizations recognize the benefits of change, they must also acknowledge the massive expansion of hybrid and multi-cloud deployments, and that the changing IT landscape requires a shift in thinking. IT organizations must now work closely with the lines of business(LoB), which have been empowered by easily deployed cloud solutions. These business leaders, sometimes referred to as "shadow IT", often ran into difficulty with IT teams in the past. These challenges stemmed from the painful deployment of legacy applications, requirements to adhere to corporate risk policy, and perhaps frequent outages. IT teams should approach cloud transformation as an opportunity to strengthen the relationship between IT and LoBs. Rather than be seen as inhibitors to business transformation and speed, IT has the opportunity to be seen as enablers of a more secure future for the business. Organizations should consider how their security and management strategy may change in this transition as well. Businesses need solutions designed for the future, that incorporate AI and Machine Learning to enhance an organization's ability to rapidly detect suspicious behavior and respond without human interaction. This is a critical piece of the puzzle as organizations fight to stay ahead of cybercriminals. Visibility To combat today's sophisticated threats, organizations must recognize the need for greater visibility. Incorporating an integrated security and management strategy can offer the visibility and automated remediation customers need to hold the competitive edge. Stronger Together A constant concern expressed by IT organizations is the lack of consolidated information. According to the Oracle and KPMG Cloud Threat Report, organizations manage an average of 46 different cybersecurity products. These tools were implemented to alleviate one problem, but can often cause other problems as organizations try to piece together data from a multitude of systems. Oracle's security and management  solutions are designed to offer customers the flexibility and support needed to protect today's hybrid and multi-cloud environment. Real-Time Insights, Proactive Defense Oracle's security and management cloud services utilize machine learning techniques to deliver fast insights, streamline diagnostics, and predict outages before they occur - allowing organizations to focus on innovation, rather than manually sorting through thousands of security alerts each week. Cloud solutions continue to spread across organizations and the need for a comprehensive platform seems more crucial than ever. Each organization is responsible for protecting their unique technology footprint, with Oracle's security and management cloud services, organizations have the flexibility and agility to add in completely integrated services that will support their needs. Access our new cloud essentials guide to learn more about securing and managing hybrid clouds.

Following several widespread and highly publicized breaches around the world, companies have realized a need to invest more in security. Although security was always a concern, these attacks have been...

The 2018 Chief Information Officer Leadership Forum is just around the corner! Be sure to secure your ticket to the forum taking place in Atlanta on Thursday December 13th. Improving security posture has become a prime business initiative for most organizations, as I shared in my previous core-to-edge blog, advancements in new and emerging technologies are opening doors for both businesses and adversaries. Prompting the need for organizations to make dramatic shifts in the way they look at security and the strategies they implement to effectively secure and manage their environments. This year, Oracle is a sponsor for the Argyle Executive Forum aimed to bring together thought leaders and senior IT leaders for a series of strategic sessions and peer networking. Oracle's Vice President of Systems Management & Security Products Group Dan Koloski will present a thought leadership keynote on the topic of, Transforming your IT Operations and Security Detect-and-Response Regimes for Today's Reality. The keynote is sure to touch on some of the major challenges CIOs face today and strategies for shifting their IT operations to meet modern business needs. In addition, Oracle will host a breakout session titled, 'Measuring the Impact of Transformed IT Operations and Security,'  specifically geared toward understanding the metrics CIOs use to achieve real results. Attendees will also have the opportunity to attend sessions from CIOs at several leading organizations across a multitude of industries. This event has been tailored specifically to meet the interests and needs of senior IT executives, with an emphasis on topics such as: Leveraging Information Technology as a new center for innovation in the digital age Navigating top trends and risks driving IT spend in 2018 Embracing and facilitating the migration to a digital ecosystem to boost productivity and increase speed to market Nurturing a nimble and flexible workforce that will continue to evolve alongside modernized IT infrastructure We look forward to the collaboration between executive leaders at the forum. Be sure to register for this exciting event and to learn more about Oracle Security and Management, please visit our webpages. Event Overview: Argyle CIO Leadership Forum: Register Today! Location: Grand Hyatt Atlanta 3300 Peachtree Road NE Atlanta, GA 30305 Join Us:December 13, 2018 From 8:00 a.m. - 5:15 p.m. Oracle's Keynote: Transforming your IT Operations and Security Detect-and-Response Regimes for Today's Reality Abstract:The speed of business, the rapid iteration of application development and the explosion in threat sophistication has overrun traditional operational and security approaches, resulting in increased risk of outages and data breach. Prevention and detect-and-response regimes must be overhauled to match this new reality.  Oracle experts will discuss ways organizations are transforming detect-and-response regimes to match today’s requirements. About Oracle's Keynote Presenter: Dan Koloski Vice President - Systems Management & Security Products Group, Oracle  Biography: Dan Koloski is a software industry expert with broad experience as both a technologist working on the IT side and as a management executive on the vendor side. Dan is a Vice President in Oracle's Systems Management and Security products group, which produces the Oracle Management Cloud Services and Oracle Enterprise Manager family of products. Previously, Dan was CTO and Director of Strategy for the Web BU at Empirix, which he helped spin out and sell to Oracle in 2008. Dan holds a B.A. from Yale University and an M.B.A. from Harvard Business School.  

The 2018 Chief Information Officer Leadership Forum is just around the corner! Be sure to secure your ticket to the forum taking place in Atlanta on Thursday December 13th. Improving security posture...

Implementing separation of duty (SOD) and the least privilege model are basic foundations of your security strategy – what we call security hygiene.  This is applicable to not only your databases, but all your systems.  Separation of duty splits tasks between individuals so no single user has enough privileges to steal sensitive data or damage the system.  Least privilege limits the privileges the user has to just what they need for their day-to-day tasks.  The worry is not so much your trusted insiders, but malicious users who leverage stolen credentials from privileged users to mount attacks to steal data, alter information or otherwise damage the system. Separation of Duty Separation of duty (SOD) is a method to separate sensitive task roles to different people to minimize the ability for any one individual to steal or damage the system. A classic application example is to separate the task of entering vendor invoices and paying it.  Separation of duty suggests splitting this across at least two people since one malicious user can’t create a new vendor, enter a fake invoice and pay himself/herself.  In a similar way, separation of duty in a database looks at common attack vectors and separates roles to prevent the attack.  A common attack vector for the database is a malicious user leveraging stolen privileged credentials to create a new rogue account.  The malicious user escalates the privileges on the rogue user account and then logs into the rogue account to attack the system.  Separation of duty in this scenario separates the ability to create a new user and the ability to grant privileges from the privileged user account. Least Privileges In the Least privilege model, users are only given the privileges and access they need to do their jobs.  Frequently, even though users perform different tasks, users are all granted the same set of powerful privileges.  Figuring out what set of privileges each user needs is hard work and in many cases, users end up with some common set of privileges even though they have different tasks.  Even in organizations that manage privileges, users tend to accumulate privileges over time and rarely lose any privilege.  Separation of duty breaks a single process into separate tasks for different users.  Least privileges enforces the separation so users can only do their required tasks.  The enforcement of SOD is beneficial for internal control, but it also reduces the risk from malicious users who steal privileged credentials. Privilege Analysis So implementing SOD and the least privilege model is good practice, but how do you go about doing this?  Not only is it hard to analyze what privileges every user and application need, you also need to review and remove un-needed privileges. It’s not just a one-time project – but an on-going process that can be labor intensive without automation.  There are multiple tools that can tell you the roles and privileges granted to any particular account – but they don’t tell you if they ever get used – or if they’re used, why they were used. Privilege Analysis was first introduced with Oracle Database 12c and licensed as part of the Oracle Database Vault option.  Since then, Privilege Analysis has been used by many customers to reduce their attack surface area by helping them implement least privilege model.  This innovative capability created by Oracle is unique in the database world and is vastly superior to any static analysis tool. Built into the Oracle database kernel, Privilege Analysis tracks not only what privileges and roles are NOT used over a period of time, but also which privileges and roles are used – and how they are used.  Privilege Analysis is designed to minimally affect existing operations so it can safely run in your production and test environments. You typically run Privilege Analysis over a time period that captures all the use cases for either a user, groups of users, role, an application or even the entire database.  A report is generated that shows which privileges and roles were used and unused.  You may find that an account was granted the powerful SELECT ANY TABLE system privilege, but it was only used to access seven tables from the same schema.  It would be much better if the SELECT ANY privilege was replaced by direct object SELECT grants to these tables. The Unused Privileges Report lists privileges that weren’t used during the time the data was collected. You can simply revoke the user’s unused privileges if you determine the user doesn’t need them, however another option is to audit and alert on these unused privileges instead.  This gives you flexibility so the user can use the privilege without impact, but you’ll also be notified if a malicious user uses these “unused” privileges. While all database accounts can benefit from the least privilege model, application service accounts and DBA user accounts are especially well suited for this analysis. Application service accounts typically need three different types of privileges and roles.  First set is used by the application to operate on a daily basis, second for patching and upgrades, and then third to install the application schema.  Privilege Analysis can track which privileges and roles are used for day to day operations so you can limit the service account to just these privileges and roles.  They can even be grouped into an operational role to make it easier to manage.  Running Privilege Analysis on a test database during patching and updates can tell you which additional privileges and roles are needed for patching/updates.  This can be granted to the production service account before these activities take place, and then revoked afterwards.  Oracle Database DBAs are frequently just granted the out-of-the-box DBA role.  This out-of-the-box DBA role should not be granted to every DBA as it contains almost every possible privilege, including most system privileges in the database.  DBAs have different tasks to perform and least privileges dictates granted privileges should match the tasks.  Privilege Analysis can be used to implement least privileges for DBAs in a number of ways.  DBAs in the same job can be analyzed to see which privileges they need to perform their job.  Then a new role can be created (xxx_dba role) to be granted to each DBA in that job.  Or individual tasks can be run by DBAs and Privilege Analysis can capture privileges used for each task.  Task based roles can be created and DBAs can be granted the task roles they are responsible for.  Task based roles provide more flexibility as a DBA’s job changes over time. Oracle continues to be a security leader through innovative, unique security controls to protect your data. Distributing the Database Security Assessment Tool (DBSAT) for no additional license fee through Oracle support shows our commitment to help our customers understand the risk profile of their databases that manages their critical data.  In today’s world, we need tools to assess our own security before hackers analyze our weaknesses and gaps.  Privilege Analysis Included with Oracle Database Enterprise Edition Oracle recognizes the critical importance of assessing your database environment in order to better improve security.  We are pleased to announce that Privilege Analysis is now included with Oracle Database Enterprise Edition for no additional license fee.  This change applies to all supported versions of the Oracle Database. Users can refer to the Privilege Analysis documentation in the Oracle Database Vault Administration Guide.  Separate documentation for Privilege Analysis will be part of the next Database Security Guide.  Database Vault does not have to be configured or enabled to use Privilege Analysis in any version. By implementing separation of duties, least privileges and using DBSAT – you will reduce the risk of malicious users using your privileged credentials to steal or alter data.

Implementing separation of duty (SOD) and the least privilege model are basic foundations of your security strategy – what we call security hygiene.  This is applicable to not only your databases, but...

According to the 2018 Oracle and KPMG Cloud Threat Report, 90% of firms reported that more than half of their cloud data includes sensitive information. With organizations rapidly housing their most critical data in the cloud, visibility is key. The report also uncovered that 82% of cyber leaders are concerned that employees do not follow cloud security policies. How are organizations supposed to secure environments they aren't even aware of? Visibility is Critical The proliferation of threats organizations face and the release of several major compliance regulations have prompted a renewed sense of urgency for the entire business to better secure their environment. Visibility is very important, as customers purchase cloud-based infrastructure they need to be sure that the applications and data residing on top of it remain secured. Oracle's Cloud Access Security Broker (CASB) Cloud Service allows customers to gain that visibility along with threat protection, and data security for both OCI deployments and multi cloud environments. Interested in Learning More? With Oracle CASB Cloud Service for OCI, customers can monitor configuration drift, set automated controls for remediation of high risk user profiles, and an understanding of user behavior. Allowing organizations to quickly detect and act on possible threats. Please join our Cloud Platform Specialists, Gordon Trevorrow and Indranil Jha for a live demo of Oracle CASB to learn more about the ways in which Oracle CASB helps organizations better monitor, understand, and secure their OCI deployments. Virtual Workshop Register now! Secure Oracle Cloud Infrastructure with Oracle CASB December 11, 2018 10:00 am PT

According to the 2018 Oracle and KPMG Cloud Threat Report, 90% of firms reported that more than half of their cloud data includes sensitive information. With organizations rapidly housing their most...

Gartner has named Oracle a Leader both in the 2018 Gartner Magic Quadrant for Identity Governance and Administration and 2018 Gartner Magic Quadrant for Access Management, Worldwide. In response, Oracle released an announcement. The press release covers brief insights on the report and explains Oracle's security strategy, "Oracle believes this recognition further validates the strength and innovation of cloud security services Oracle has introduced over the past year and its ability to help enterprises better integrate security solutions to manage their business." According to Gartner, “IGA Leaders deliver a comprehensive toolset for governance and administration of identity and access. These vendors have successfully built a significant installed customer base and revenue stream, and have high viability ratings and robust revenue growth. Leaders also show evidence of superior vision and execution for anticipated requirements related to technology, methodology or means of delivery. Leaders typically demonstrate customer satisfaction with IGA capabilities and/or related service and support.” To learn more, access the full 2018 Gartner Magic Quadrant for Identity Governance and Administration. Within the 2018 Gartner Magic Quadrant for Access Management, Worldwide, Oracle also placed in the Leaders quadrant. Oracle's security strategy incorporates several layers of defense to enable organizations to increase their security posture across the entire cloud, including users, apps, data, and infrastructure.  By implementing Oracle's Identity and Access Management solutions in conjunction with emerging technologies and existing investments, we believe customers have the opportunity improve their security posture and enable greater innovation within their industries. Oracle's complete, integrated, next-generation identity management platform provides breakthrough scalability and enables organizations to reduce operational costs. Organizations gain the flexibility to secure sensitive applications and data - regardless of their deployment. Please be sure to download a complimentary copy of the 2018 Gartner Magic Quadrant for Identity Governance and Administration and the 2018 Gartner Magic Quadrant for Access Management,Worldwide.    Gartner Magic Quadrant for Identity Governance and Administration, Felix Gaehtgens, Kevin Kampman, Brian Iverson, 21 February 2018.   Gartner Magic Quadrant for Access Management, Worldwide, Gregg Kreizman, 18 June 2018.   This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Oracle. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.    

Gartner has named Oracle a Leader both in the 2018 Gartner Magic Quadrant for Identity Governance and Administration and 2018 Gartner Magic Quadrant for Access Management, Worldwide. In response,...

Today's world is all about the go go go. People simply do not have time to wait and as a result, organizations are tasked with producing products, applications, and services at a rapid rate. Being first to the market is no longer just a goal, it can make or break an organization. Imagine for a moment that a consumer opens up their smartphone to complete a transaction. Within a matter of minutes, they may have accessed several apps, entered highly sensitive Personally Identifiable Information (PII), and perhaps used the same login password they use for every account - including work accounts- all on a public network. Threats are everywhere and this example is just one out of thousands of ways in which personal accounts are at risk. Now translate that risk from an individual to an organization. Cybercriminals are highly funded and motivated to snatch certified credentials from end users. These stolen credentials could end up as the starting point for an attack against an organization in an attempt to collect or manipulate critical core data.  The widespread use of weak passwords, unsecured networks, and frequent occurrence of phishing attacks make organizations prime targets for attack. Compound this with the proliferation of users, applications, and devices all enabled for a fast, digital, and mobile world - the threat seems inevitable. Understanding Who is in Your Environment Organizations have long relied on strong perimeter controls and although these do well to protect the on premises environment behind the firewall, what can be said about the use of mobile devices and the increasingly common Hybrid Cloud landscape? Organizations need a solution that can leave the boundaries of the traditional firewall and provide security at every layer, as discussed in our recent Core-to-Edge blog. Organizations have invested heavily in the use of traditional Identity and Access Management solutions for on premises, but the move to the cloud has created a security mandate to consolidate identity management under one framework that extends into the cloud. In the 2018 Oracle and KPMG Cloud Threat Report, 38% of respondents reported detecting and responding to cloud security incidents as the number one cybersecurity challenge. Gaining visibility into the behavior of users and devices across an entire hybrid cloud ecosystem is crucial in determining if users have appropriate access to critical applications, if those users are abusing their access, and remediating anomalous behavior in the event privileged user credentials have been compromised. Flexibility and Choice Make the Difference Organizations have quickly realized the benefits of cloud adoption and have implemented several solutions at every layer of the stack. However, protecting an entire hybrid and multi-cloud environment under one solution can be challenging. After all, every vendor has unique shared responsibility requirements and the growing number of compliance regulations have pulled organizations in too many directions, leaving them exposed to attackers. In order to keep pace with innovation and the changing IT landscape, organizations must streamline their security controls with solutions such as Oracle Identity Cloud Service and additional cutting edge technologies, that can play an integral part in enabling organizations looking to secure their hybrid cloud environment. Learn more about the ways in which Oracle offers organizations flexibility in managing identities in a hybrid cloud and securing SaaS environments for increased visibility and control.  

Today's world is all about the go go go. People simply do not have time to wait and as a result, organizations are tasked with producing products, applications, and services at a rapid rate. Being...

Looking to learn more about Oracle Cloud? We are happy to announce six upcoming Oracle Cloud Day events in cities near you! Oracle Cloud Day offers attendees a wide array of sessions, hands-on experiences, and networking opportunities. These single day events allow you to explore new cloud technologies, best practices, and customer success stories.   Every cloud journey is unique and the Oracle Cloud Day is designed to be enable organizations at all stages of their transformation. Each event features keynotes, developer playgrounds, and networking in the Oracle Innovation Lounge. Three customized tracks designed to meet each attendee's needs - IT Experts, Architects and Integrators, and Data Professionals. Join the IT Experts track to learn more about Oracle's latest innovations in Security solutions.   Oracle Security offers organizations flexibility and choice in securing their deployment. With the overload of threats organizations face it is important to implement a layers of defense approach to security. If you are planning to attend, be sure to join our session, "Mitigating the Top Five Cloud Security Mistakes," within the IT Experts track.   Abstract: One of the most misunderstood aspects of the cloud is determining where the cloud service provider’s security responsibility ends and your responsibility begins. The Oracle and KPMG Cloud Threat Report indicates less than half of surveyed organizations could correctly identify their IaaS security responsibilities. Join this session to learn the top five cloud security mistakes organizations make, and how to mitigate them using Oracle’s security solutions. Learn how to best prevent, detect, and respond to the top risks to your hybrid cloud environment, including misconfigurations, data loss, shadow IT, and more. We’ll also share an insider’s view of the top questions to ask your cloud service provider to best protect your organization.     Register Now for a City Near You! Toronto, ON                                             Atlanta,GA December 4th, 2018                             January 17,2019   Dallas, TX                                                 Boston, MA December 6th, 2018                             January 30, 2019   New York, NY                                          Chicago, IL January 15th, 2019                               February 5, 2019      

Looking to learn more about Oracle Cloud? We are happy to announce six upcoming Oracle Cloud Day events in cities near you! Oracle Cloud Day offers attendees a wide array of sessions, hands-on...

The Gartner Identity and Access Management Summit 2018 in Las Vegas is quickly approaching! If you are attending the conference, we encourage you to catch these sessions and events. 1. Visit the Oracle Booth Oracle is a Platinum Exhibitor at the Gartner Identity and Access Management Summit 2018. We encourage you to spend some time at the Oracle Security Booth (#601) to learn more about Oracle's Security solutions in the identity management space. Additionally, connect with product management and other Oracle pecialists to discuss the ways in which Oracle has helped customers succeed in hybrid and multi cloud environments. 2. Session: Learn more about Oracle's Trust Fabric Join Oracle SVP and General Manager of Security and Identity, Eric Olden, for a session that explores today's sophisticated threats and the need for proactive and intelligent solutions that can quickly scale to meet changing IT requirements. Olden will also share how Oracle's Trust Fabric helps organizations predict, prevent, detect, and respond to threats. The session will take place Monday, December 3rd from 3:45pm- 4:30pm. 3. Create a Winning Plan The Gartner Identity and Access Management Summit offers attendees over 50 sessions, exhibit floors, and access to several peer and analyst networking opportunities. With so many options, we believe it is critical to come to the conference with a game plan. Gartner's registration page offers full abstracts for each session and can be filtered a number of ways, including by topic or track. This allows attendees to fine tune their interests and build an agenda through the registered attendee portal. 4. Understanding Your Roadmap According to the 2018 Oracle and KPMG Cloud Threat Report, 82% of cyber leaders are concerned that employees do not follow cloud security policies. This leaves organizations at risk and exposed in ways they may not even be aware of. Prior to the conference, we recommend all attendees take the time to understand their roadmap and consider assessing their environments to understand any pace gaps they may need to address. Each environment is unique and exercises like this will give attendees a fresh lens to approach each session and gain meaningful takeaways from each session they attend. 5. Continuing Support Throughout the conference, we encourage all attendees to visit @OracleSecurity on Twitter. Additionally, visit our webpage to learn about Oracle Security Solutions. About the Gartner Identity & Access Management Summit 2018 The Gartner Identity & Access Management Summit 2018 will help attendees reimagine significant elements of their IAM approach for digital age success. Gartner analysts will explain the latest tactics and best practices across IAM fundamentals to help craft and implement an IAM vision and strategy for the digital age.

The Gartner Identity and Access Management Summit 2018 in Las Vegas is quickly approaching! If you are attending the conference, we encourage you to catch these sessions and events. 1. Visit the Oracle...

Next Generation Cybersecurity The next generation cloud revolution has begun. Emerging technologies are opening doors for innovation and, unfortunately, risk as well. Technologies such as AI, Blockchain, and IoT are gaining momentum and creating new threat vectors for organizations. Security teams are struggling to keep pace, in fact, according to the Oracle and KPMG Cloud Threat Report, detecting and responding to cloud security incidents is the number one cited cyber security challenge. How can organizations address this challenge? Core-to-Edge Security The rising number of sophisticated attacks has prompted organizations to adopt a layers of defense approach- protecting their environment at the core (your data) and moving to the edge (anywhere users access data, including your applications and infrastructure). we encourage you to join us at the Gartner Identity and Access Management Summit 2018 from December 3rd-5th in Las Vegas at Caesars Palace to discuss these challenges and more. Visit Oracle at Booth #601 We encourage attendees to visit our booth to meet experts and learn more about: Oracle's Identity-based Security Operations Center (Identity SOC) which provides comprehensive monitoring, threat detection, analytics, and remediation tools to stay ahead of threats. Get insight into Oracle's Trust Fabric approach, which enables customers to better predict, prevent, detect, and respond to highly sophisticated attacks. Sign up for an Oracle Cloud Trial. Attend our Session Title: Combat Sophisticated Threats with Oracle Security Date: Monday, December 3, 2018 | 3:45 PM - 4:30 PM | Roman II Promenade Level Speaker: Eric Olden, Senior Vice President and General Manager of Security and Identity, Oracle Abstract: Today's advanced security threats require proactive and intelligent automation that can quickly scale with a rapidly changing IT environment. Learn how Oracle's Trust Fabric helps predict, prevent, detect, and respond to the overwhelming number of security events that challenge IT and security operations. Oracle's Trust Fabric is a comprehensive set of integrated solutions designed to help reduce the time required to respond to security threats. About the Gartner Identity & Access Management Summit 2018 The Gartner Identity & Access Management Summit 2018 will help attendees reimagine significant elements of their IAM approach for digital age success. Gartner analysts will explain the latest tactics and best practices across IAM fundamentals to help craft and implement an IAM vision and strategy for the digital age.  

Next Generation CybersecurityThe next generation cloud revolution has begun. Emerging technologies are opening doors for innovation and, unfortunately, risk as well. Technologies such as AI,...

Provisioning an Oracle database in Oracle Cloud Infrastructure (OCI) is quick and easy .... it takes not more than a few mouse clicks and your database is ready within minutes.  Once you've provisioned a 12.2 database (that includes all the 18c releases) in OCI, you'll notice that ...: it is always configured as a single-tenant database (root container with one pluggable database), and Transparent Data Encryption is already turned on, and the USERS tablespaces of the root container and the PDB are already encrypted. Because the 'encrypt_new_tablespaces' system parameter is set to CLOUD_ONLY by default, all new application tablespaces will be automatically encrypted with AES128, even if the "encryption" syntax is omitted from the 'create tablespace' commands. Databases in OCI are created with an auto-open wallet, but for further wallet operations, the wallet password needs to be known regardless; the default wallet password is the administrator password that you provided when completing the Web-Form to initially provision the database. In order to make the configuration of TDE complete, set the ORACLE_UNQNAME environment variable on the OS level (set in .bash_profile), and in server control (because even single instance databases in OCI run on Oracle Grid Infrastructure). In a single instance database, ORACLE_UNQNAME is usually the same as the ORACLE_SID; in RAC databases, the ORACLE_UNQNAME is equal to ORACLE_SID minus the number, for example: A 2-node RAC has FINRAC1 and FINRAC2 as ORACLE_SIDs, the ORACLE_UNQNAME should be FINRAC. How to clone a pluggable database with encrypted tablespaces: SYS:CDB$ROOT> show pdbs; CON_ID CON_NAME  OPEN MODE  RESTRICTED ------ --------- ---------- -----------      2 PDB$SEED  READ ONLY  NO      3 FINPDB    READ WRITE NO If the source database is opened READ WRITE, then the next command will create a "hot" clone, which requires local UNDO tablespaces and archive logging to be turned on.  If this is not feasible, stop and restart the source PDB as READ ONLY while it is being cloned. SYS:CDB$ROOT> create pluggable database TESTPDB from FINPDB keystore identified by "wallet-pwd"; This guarantees that your source database (which might contain sensitive data) can only be cloned by an administrator who knows the wallet password. SYS:CDB$ROOT> alter pluggable database TESTPDB open; Now the new pluggable database needs its own encryption key.  Connect to TESTPDB and execute: SYS:TESTPDB> administer key management set key force keystore identified by "wallet-pwd" with backup [container = current]; To test, select data from a table that is stored in an encrypted tablespace, or create a new tablespace which will be encrypted by default; in both cases, the cloned database will use its own master encryption key that was created in the previous step. SYS:TESTPDB> create tablespace PROTECTED datafile size 50m; Tablespace created. If you are interested learning more about other use cases, please let me know through the comment section below.  To learn more about Oracle Database Security and Oracle Cloud Infrastructure, please visit our webpages.

Provisioning an Oracle database in Oracle Cloud Infrastructure (OCI) is quick and easy .... it takes not more than a few mouse clicks and your database is ready within minutes.  Once you've...

According to the Economist, “The world’s most valuable resource is no longer oil, but data.” As organizations embrace the digital revolution and transform themselves by adapting new business models, data will be the single most valuable asset to ensure competitive advantage. Organizations have a lot of sensitive data (IP, SSN, credit card numbers), all which continue to increase exponentially. Lots of people are coming after that data ranging from internal employees, customers, competitors to nation states, criminals and activists - Organizations need to ensure their sensitive data is protected.  Due to the increasing number of data breaches, government agencies have stepped in to enforce data privacy and security mandates such as GDPR to protect privacy. No matter where you are, data privacy laws are in effect, and new regulations will be enforced every single year. While these mandates may differ on enforcement, penalties, breach notification, or scope (high level or detailed), they will all aim to accomplish the same thing: Keep people’s personal data safe and secure. It’s an asymmetric warfare! The attackers and hackers have excellent tools, time, and infrastructure to ensure they succeed. on the other hand, as defenders, organizations are highly constrained with time, people, and resources. These constraints force organizations to fight hard and fight smart. In order to take the right steps to protect data, organizations first need to fully understand their environment. Many organizations don't really know how much and what type of sensitive data they have.  They may not know how all their systems are configured - and more importantly, where those configurations introduce unnecessary risk. They need to know what users they have, their entitlements, what controls are in place, which ones are missing, etc. They must assess their current state in a comprehensive fashion, analyze and report on identified gaps, and draft a strategic plan to improve their security posture. To learn more about best practices on how to assess your IT system and risks, please join Oracle's Pedro Lopes and The Pythian Group's Simon Pane for the following webcast. Title: Assessing Risks in an IT system Date: Thursday, November 8, 2018 Time: 2:00 p.m. ET/ 11:00 a.m. PT Register here  Pedro Lopes, DBSAT and EMEA Field Product Manager, Oracle  Simon Pane,Principal Consultant, The Pythian Group

According to the Economist, “The world’s most valuable resource is no longer oil, but data.” As organizations embrace the digital revolution and transform themselves by adapting new business models,...

It’s been busy at Oracle OpenWorld this week, but I wanted to take some time to summarize some recent news. Bad news first: There isn’t any one cloud security silver bullet. Now, the good news: There are smart approaches you can take to secure your cloud environments. If you’ve made it to this blog, you’re probably facing at least one of these challenges: Your organization is eager to capitalize on the benefits that come with cloud adoption, but it doesn’t know a lot of about how to secure its information in the cloud. According to ESG research, 85% of businesses now use some form of public cloud service. That’s up from 57% just five years ago. Your company is increasingly risk aware due to the prevalence of cyberattacks and may have already been affected by an attack. In the Oracle and KPMG Cloud Threat Report 2018, two-thirds of our respondents said that they experienced a cybersecurity incident that affected business operations over the past two years. You’re trying to secure a footprint that stretches across on-premises and cloud environments. And even within your cloud footprint, you’re using multiple clouds from multiple cloud service providers—some of which you probably don’t even know about. Bottom line, it’s complicated. ESG Research also says that 81% of companies using IaaS platform services say they use services from more than one cloud service provider. During the last several weeks, my colleagues Greg Jensen (Oracle), Brian Jensen (KPMG), and I (me on Twitter) have posted a series of blogs and hosted a handful of webcasts, all examining an aspect of cloud security that will help you address these concerns. Today, I want to put it all together in a handy list (and give you a shortcut in case you’ve missed one or two of our posts). Although this is far from comprehensive, you can get much more information by downloading the Oracle and KPMG Cloud Threat Report 2018 for yourself or by viewing our latest webcast installment Enabling a Secure SaaS Experience on demand. Without further ado, here are the top seven tips for tackling your cloud security challenges. Understand the cloud service provider shared responsibility model. We did a blog about this a few months ago. In a nutshell, understanding shared responsibility means getting crystal clear on what your cloud service provider is responsible for when it comes to management and security and what you as the customer are responsible for. Sounds easy, but in our research for the Oracle and KPMG Cloud Threat Report we found that less than half of our survey respondents could identify the most common shared responsibility model for IaaS, SaaS, or PaaS. Appoint a Master of All Cloud Security. We call this a Cloud Security Architect. The CSA understands every possible security and compliance-related challenge that a line of business (LoB) owner or infrastructure, platform, or app team could run into when deploying new cloud services. And it’s the one position that has stood out as the most central and strategic in meeting security and compliance milestones. We go into detail about the Cloud Security Architect in this post. Get a single view into all data. The average cybersecurity professional has their attention split between about 46 different security products. Trying to find the signal in that amount of noise is unfair at best and disastrous at worst. Getting a single view into all the data being generated by these products is critical to making sense of it. Use artificial intelligence. A single view is critical, but it isn’t enough. Only 37% of our Cloud Threat Report survey respondents said that they can analyze a modest sample of their data (defined as 25% to 49%), and another 14% report they can only analyze small samples of their data (less than 25%). This isn’t a problem we can just throw more people at. First, they don’t exist. Current estimates suggest there will be 3.5 million open cybersecurity jobs by 2021. But even more importantly, it’s just not practical. Automated systems are much better at handling volume than humans will ever be. Address the complete threat lifecycle. Predict. Prevent. Detect. Respond. You need to be able to predict a potential threat by flagging anomalous behavior. You need to prevent cybercriminals from stealing that data. If they do, you need to be able to detect the breach, and, finally, respond automatically. Each stage is crucial. Apply these security practices across disparate organizations. The saying, “Change is the one thing you can count on” applies here. Mergers, acquisitions, and growth all come with change in the form of new applications and systems, creating the beautiful heterogeneous environment that your business uses to thrive. Finding a way to protect this environment is an absolute must. Continuously monitor. Fortunately or unfortunately, your work is never finished. You’ll need to continuously monitor and assess the environment for suspicious activity, keep up on the latest trends, and find new solutions. But, hey, that’s why you read this blog right? So, there they are, the seven tips for tackling your cloud security challenges. It’s not easy, but it’s vital, and we can help. For more information on how Oracle approaches these mandates, read my recent blog on our Core-to-Edge approach. And for a more in-depth look at reducing risks by implementing consistent security controls and governance across hybrid and multi-cloud environments, join us for our webcast: Enabling a Secure SaaS Experience – Register Here.

It’s been busy at Oracle OpenWorld this week, but I wanted to take some time to summarize some recent news. Bad news first: There isn’t any one cloud security silver bullet. Now, the good news: There...

If you’re stymied about how to protect your on premises data now, then leverage that security layer in your move to the cloud, read on. With about 2 Billion pieces of malware circulating and 1M new ones created each day, any user, asset, or application is at risk of being attacked. But databases containing sensitive information pose a significantly higher risk. This holds true for companies with on premises datacenters and self-sourced IT groups as well as those using cloud-based services or outsourcing arrangements. To make things worse, as cyberattacks become more sophisticated and IT environments more complex, detecting and responding becomes costly, often requiring many analysts, using many different tools to conduct forensic analysis, that can take weeks to complete. Forty-two percent of cybersecurity professionals say their organization ignores a significant number of security alerts because they can’t keep up. This is where the right security solution — with that perfect combination of SIEM-like features plus UEBA and IT Compliance — comes into play. With the appropriate features, this context can be accomplished in just a few clicks. Does this miracle tool exist? Let’s go through a few sample workflows and let you decide for yourself. Database Firewall Alert. Let’s start our journey toward increased database security by processing an alert from Oracle Audit Vault and Database Firewall (AVDF). In this case, Oracle has the ability to assess risks with on premises applications natively, or consuming an enhanced threat feed from AVDF. This alert, in itself, doesn’t mean you’ve got an attempted infiltration. Security Monitoring and Analytics pulls in an alert from the Audit Vault and Database Firewall application SQL Anomaly.  When we see anomalous SQL correlated concisely with the above database firewall alert, we’ve got improved context. First off, as the image below indicates, the user is in Marketing, not Finance. Yet they are accessing a Finance database. Second, they are doing a “select from a user table” command which is a form of SQL injection. Both of these points make this highly suspicious. This SQL anomaly is from a user who resides in Marketing and does not access the financial database, “FINDB” in their day-to-day work Brute Force Attack. By the time this happens we would normally engage our forensic team. But we don’t have to, because Oracle Security Monitoring and Analytics (SMA) has already done the correlations and kicked off an auto-remediation workflow. This is good news because with most companies triaging less than 50% of their alerts, most need the extra help. SMA correlates repeated login attempts over the course of a few minutes with the same high-risk user Will it be useful when I move to the cloud? The short answer is “yes”. This is where investing in a cloud service to protect your on-site assets makes sense because, instead of spending 75% of your IT budget maintaining internal systems like our friends in the healthcare sector, you’re planning ahead by lowering fixed costs. And if you’re not yet cloud-bound, chances are you will be. In a 2017 survey of 196 IT managers and leaders, 79% of respondents said they have a cloud project underway or planned. SMA consumes information from on premises or cloud applications equally well. So, as you begin to transition to the cloud, that same SMA analytics and risk assessment tool will do an equally effective job monitoring you cloud posture, incorporating alerts from — for example — Oracle’s Cloud Access Security Broker (CASB), or Identity Cloud Service. SMA reports an anomalous access to a cloud resource based on a CASB alert Finding threats is most useful if they can quickly be remediated. Fortunately — especially for those without dedicated threat-hunting teams — SMA interfaces with Oracle Configuration and Compliance to set in motion a remediation workflow. The configuration and compliance ruleset reveals that guest accounts have unexpectedly been enabled on the database, and remediates the insecure settings. To watch SMA perform these functions in action, see our SMA demo video. For product details or to start a free trial, visit our SMA web page. And be sure to catch SMA at Oracle Open World for a tech talk, hands-on-lab, or a live demo.  

If you’re stymied about how to protect your on premises data now, then leverage that security layer in your move to the cloud, read on. With about 2 Billion pieces of malware circulating and 1M new...

As OpenWorld begins to wind down, we hope you've enjoyed the sessions, events, and announcements this year. CloudFest. 18 was a great time! With such a busy week, it is time for us to grab a cup of coffee! Although the official conference is coming to an end, it is just the beginning of new innovations for Oracle Security. Stay tuned for more thought leadership blogs, announcement recaps, and deep dive information on our Oracle Security solutions throughout the year.   Here are some of the main highlights from yesterday's sessions: 1.Keynote Corner: Cyberspace is a Battlefield  We kicked off Wednesday with Mark Hurd, Oracle Chief Executive Officer,leading a panel of security intelligence thought leaders. The hour and half was filled with powerful statements on the current state of security, growing sophistication and frequency of attacks. Jeh Johnson, Former Secretary of Homeland Security, stated that, “Cybersecurity is going to get worse before it gets better,” describing the need to understand these threats and how we can better address the challenges organizations face today. The panel went on to stress that organizations need to make the right security decisions daily. To empower customers, Oracle has announced their second generation cloud with a defense in depth approach, which incorporates encryption by default. Many important topics were discussed throughout the keynote, from nation state sponsored cyber attacks to the changing cloud landscape, but the key takeaway is that organizations should prioritize security in the cloud and employ a strategy that takes into account the core-to-edge framework. To learn more around strategies and solutions your organization can adopt to create a defense in depth approach visit our Oracle security  webpage.   2.Session Alert: For Some Organizations, Breaches can be Life or Death   The day continued with the topic of security and the importance of thinking of your data (core) as a valuable, traveling asset. It is key to protect that core with several layers of defense, a concept explored further in a session this morning with Oracle's Troy Kitch. Kitch led a partner panel with representatives from Deloitte, KPMG, and PwC. Each panelist explored topics that affect companies as they progress on their journey to the cloud. The panel covered the need to implement omni-channel security solution as well as the importance of tools, such as the Oracle CASB Cloud Service, that will enable businesses to gain greater visbility into their sanctioned and unsanctioned apps.   OpenWorld isn't over yet! Please join us for a number of great security sessions today.   1. Session Alert: Getting Started with Oracle Security Monitoring and Analytics Cloud Service Marriott Marquis (Golden Gate Level) - Golden Gate A |12:00pm - 12:45pm    Join this session to learn how Oracle Security Monitoring and Analytics Cloud Service protects modern enterprises by enabling early detection of threats across on-premises and hybrid cloud assets, rapid forensics with cyberattack chain discovery and visualization, and much more.   2. Session Alert: Adaptive Security in a Hybrid Cloud World Moscone South - Room 206 | 1:00pm - 1:45pm   In this session see how the adaptive security capabilities within Oracle’s security and identity solutions enable organizations to identify and mitigate security risks in real time by analyzing user behavior and leveraging security feeds from other products and platforms. Learn how Oracle’s identity products can be used to identify risky behavior and make intelligent decisions about the types of authentication that are appropriate and required given that behavior.   3. Session Alert: Recent Database Security Innovations You Might Not Be Using, but Should Be Moscone West - Room 3006 | 1:00pm - 1:45pm   In this session learn about the new way to authenticate and authorize database users in Active Directory. Explore review recent security innovations including privilege analysis, database vault simulation mode, data redaction, online encryption, and passwordless schemas. See how to assess the security of your database with Oracle Database Security Assessment Tool. Attend this session and you'll be able take advantage of these features next week to create a more secure database environment.

As OpenWorld begins to wind down, we hope you've enjoyed the sessions, events, and announcements this year. CloudFest. 18 was a great time! With such a busy week, it is time for us to grab a cup of...

We are at the halfway point! Oracle OpenWorld 18 has not disappointed! If you are here at OpenWorld, don't forget to check the Oracle Security Twitter account for the latest session information throughout the day. Each day has brought about new highlights, catch up on what you missed Monday and Tuesday, but today is always an especially exciting day - Oracle CloudFest18 kicks off tonight!    Yesterday, we heard some exciting announcements and attended several key sessions. Here are the major points:   1. Struggling to Keep Pace at Scale? Core-To-Edge Security is the Answer This week several Oracle sessions have focused on Core-To-Edge security, which promotes a proactive approach to creating layers of defense throughout your environment - regardless of deployment (hybrid, multi-cloud, etc.). Today marked the announcement of several key Core-To-Edge Security Announcements.    2. Oracle's Empowering Customers to Disrupt the Status Quo Steve Daheb, Senior Vice President of Oracle Cloud, took to the stage today in front of a packed and eager crowd.  The session covered the most important challenges in today's organizations as well as ways Oracle is innovating it's solutions to better support customers. Security was a major focus in the presentation, as Daheb shared a stat from a Verizon Study stating that 85 percent of successful breaches were from vulnerabilities where patches were available up to a year before the attack occurred.  He continued by explaining that Oracle's solutions are designed to seamlessly integrate helping customers reduce costs, avoid breaches, and ultimately disrupt their industries with cutting edge innovations. The presentation also covered major innovations around the Oracle Autonomous Database and showcased the benefits it provides to customers running 24/7 business models. Customers are now able to reduce the risk of human error and unpatched systems, lower downtime significantly, and focus on new innovation across the enterprise. Regardless of your unique cloud journey, we encourage you to learn more about the Oracle Cloud Platform!   Now, let's take a look at some major events on the schedule for today.   1. Keynote Corner: The Role of  Security and Privacy in a Globalized Society- Threats, Implications, and Opportunities Moscone North | 9am -10:30am   Join Mark Hurd, Oracle CEO, as he discusses the future of security with several of the leading voices from some of the most highly respected intelligence positions around the world. The session will also explore how "the next security threat" might relate to the direction of technology and the adoption of cloud computing.      2. Session Alert: Tips and Tricks for Security at Scale Marriott Marquis (Golden Gate Level) - Golden Gate C2 | 11:15 am - 12:00pm   This session was highlighted in our Top 5 Things to do at OpenWorld blog - It truly is a must see! Join Oracle's Troy Kitch and representatives from PwC, KPMG, and Deloitte as they discuss the expanding threat landscape. It has become difficult for companies to effectively secure their hybrid and multicloud environments due to the growing number of internal and external threats. If you’re interested in learning about Oracle Identity Cloud Service or Oracle CASB Cloud service, this might just be at the top of your Wednesday agenda.   3. Session Alert: Oracle Database Security Assessment Tool: Know Your Security Posture Before Hackers Do Moscone West - Room 3006 | 12:30pm - 1:15 pm   This product training session will teach you about the Database Security Assessment Tool, this tool is freely available to all Oracle Database customers and is designed to help discover sensitive personal data, identify database users and their entitlements, and understand the configuration and operational security risks.   4. Celebrate Good Times: Oracle CloudFest. 18 AT&T Park (24 Willie Mays Plaza, SF) |6:30pm -11pm   After the long day you've had, you deserve a pat on the back….and a party! Attend Oracle CloudFest. 18 and celebrate with colleagues and fellow attendees. This year, the concert features live music from Beck, Portugal. The Man, and Bleachers. This event is by ticket only, these tickets are included with the full conference pass purchase!  

We are at the halfway point! Oracle OpenWorld 18 has not disappointed! If you are here at OpenWorld, don't forget to check the Oracle Security Twitter account for the latest session information...

By: Nishi Shah, Director Cyber Security & Privacy, PwC As I discussed in my last blog, “Security Operations: Using Artificial Intelligence to Lock Down Your Cloud,” I talked about how technology security teams can improve efficiency and incident resolution in cloud solutions with Oracle Management Cloud’s (OMC) automated artificial intelligence (AI) and machine learning capabilities. But, let’s turn our attention to the bigger picture for a moment: Technology security has become more than just an information technology (IT) issue.  As security incidents have become front page news and cost organizations billions of dollars, IT security has become a board-level issue.  Executive leadership at major enterprise organizations continue to drive their IT and Security teams to deploy the most innovative and effective security solutions available.   As the last blog pointed out, automated AI and machine learning security tools, like OMC, are a good start to make security operations teams more efficient as they manage flagged incidents.  However, there’s another technology—behavior analytics in Oracle Cloud Access Security Broker (Oracle CASB)—that can also enhance application and data security in the cloud.  We’re all familiar with the typical legacy on-premises security tools, like web gateways and firewalls.  These rules-based tools aren’t as effective in a cloud environment because a skilled adversary can bypass perimeter security solutions by stealing information from cloud endpoints using compromised access credentials.  This is where the behavior analytics functionality in Oracle CASB comes into play.  It can establish a baseline of typical behavior within an organization.  When the system detects an anomaly that doesn’t fit the company’s normal patterns, the incident is flagged for further investigation.  When used in combination with the Oracle Security Monitoring and Analytics Cloud Service, which is bundled in OMC that we discussed in the previous blog, the platform can learn which anomalies are real threats and which are false positives.  Because the functionality is automated, the solution takes the manual work effort off of the security team. Here’s an example—an employee logs into the company’s cloud ERP solution from their laptop in their Dallas office at 8:00 a.m. central time and logs off at 5:00 p.m. at the end of the work day.  At 6:00 p.m., Oracle CASB detects five failed login attempts from the same employee originating in Yemen.  The Oracle CASB solution knows that this scenario is not physically possible, and also identifies that the Yemen device does not comply with the company device policy.  Therefore, Oracle CASB would automatically force an adaptive multi-factor authentication to prevent the rogue access to the company cloud ERP solution, and it would flag the incident as suspicious activity. Along the same lines, if an HR person is processing annual salary increases for employees who were recently promoted, the behavior analytics tool may also flag this as a suspicious incident.  However, a security analyst could help the system weed out this false positive by approving the incident as acceptable.  Through machine learning functionality, the system would eventually learn that although the large annual salary increases are an anomaly, they are not a security threat.  On the other hand, if this example was actually an “inside job” where an employee is maliciously attempting to increase his or her salary, Oracle CASB can natively process Oracle Cloud ERP and Salesforce transactions in a real-time audit mode to halt the fraudulent transaction as it’s occurring.  Therefore, Oracle CASB can dramatically shift the paradigm from a reactive approach to a preventative solution. Oracle CASB offers the robust security functionality, like machine learning and behavior analytics, to help ensure that your applications and data are secure in the cloud.  Since it’s a subscription-based product, it’s easy to acquire and install.  With out-of-the-box functionality, most security operations teams can easily deploy the solution, which makes it ideal for smaller organizations.  But it also offers deep functionality that’s well-suited for large, global enterprise organizations.  This is where PwC can help—to install the solution with advanced functionality to not only detect but also to respond, remediate, and prevent potential security incidents with forensics, incident management, and orchestration. To learn more, please visit the Oracle Security webpage. 

By: Nishi Shah, Director Cyber Security & Privacy, PwC As I discussed in my last blog, “Security Operations: Using Artificial Intelligence to Lock Down Your Cloud,” I talked about how technology...

It is no doubt that data is the single most valuable asset today as organizations undergo digital transformation. Lots of people are coming after your data ranging from internal employees, customers, competitors to nation states, criminals and activists. As a result of the increasing number and sophistication of breaches, governments across the globe are enforcing data privacy and security mandates to protect citizens data. It’s a war! An asymmetric one. While attackers continue to get more sophisticated with latest technologies such as machine learning to exploit vulnerabilities and steal data, organizations continue to face challenges around limited time, few people and scarcity of resources. Yesterday at Oracle Openworld, Vipin Samar, SVP of Oracle Database Security, talked about how organizations need to protect their data from all attack vectors with multiple rings of control. You need to first assess your databases, and understand how they are configured, how users are managed, what privileges they have where sensitive data exist and how much is there. Oracle provides a free tool called the Database Security Assessment Tool (DBSAT) to help customers assess their security risk posture. To learn more about DBSAT, please attend the following session: Oracle Database Security Assessment Tool: Know Your Security Posture Before Hackers Do [TRN4107] Wednesday, Oct 24, 12:30 p.m. - 1:15 p.m. | Moscone West - Room 3006 Pedro Lopes, DBSAT and EMEA Field Product Manager, Oracle Marella Folgori, Oracle Riccardo D'Agostini, Responsabile Progettazione Data Security, Intesa Sanpaolo Next, you need to ensure you know what’s happening in your environment and can detect any inappropriate activity in the system with appropriate auditing, alerting and monitoring controls. Additionally, you need to protect your data with strong preventive controls such as encryption, data masking and data redaction to ensure sensitive data is not compromised. Oracle continues to be the leader in managing your data and one of the biggest innovations is the Oracle Autonomous Database. It offers a high degree of security in the Oracle Cloud with self-securing capabilities such as automated patching, data encryption by default, auditing and separation of duties, to keep data safe from a variety of threats.  However, security is a shared responsibility in the cloud, where its the customer's responsibility to protect their users and data. Vipin Samar gave us a quick preview on our upcoming Oracle Data Security Cloud Service which helps customers protect their data and users. It is a unified control center for managing data security in Oracle Databases in the cloud. It allows organizations to quickly discover sensitive data, evaluate configuration risks, enable auditing and detective controls, and mask data for use in test and development environments, and more. To learn more about this new service, please be sure to attend the following session: Introducing Oracle's Data Security Cloud Service for Oracle Databases [PRM4102] Tuesday, Oct 23, 12:30 p.m. - 1:15 p.m. | Moscone West - Room 3006 Vikram Pesati, Vice President, Product Development, Oracle Michael Mesaros, Director, Product Management, Oracle Corporation   Some of the other sessions that you must attend through the week are: Autonomous and beyond: Security in the age of Autonomous Databases [PRM4108] Tuesday, Oct 23, 5:45 p.m. - 6:30 p.m. | Moscone West - Room 300 Russ Lowenthal, Director, Product Management, Oracle Data Security in the GDPR Era [PRO4111] Wednesday, Oct 24, 11:15 a.m. - 12:00 p.m. | Moscone West - Room 3006 Joao Nunes, IT Senior Manager, NOS Tiago Rocha, Database Administrator, "Nos Comunicaões, Sa." Eric Lybeck, Director, PwC Recent Database Security Innovations You Might Not Be Using, but Should Be [TIP4112] Thursday, Oct 25, 1:00 p.m. - 1:45 p.m. | Moscone West - Room 3006 Alan Williams, Database Security Product Management, Oracle Russ Lowenthal, Director, Product Management, Oracle Manish Choudhary, Oracle

It is no doubt that data is the single most valuable asset today as organizations undergo digital transformation. Lots of people are coming after your data ranging from internal employees,...

For enterprise-grade organizations -- large, traditional businesses and the smaller companies that aspire to be like them -- security and multi-cloud support are paramount.  These organizations need to be able to run each of their applications where it makes the most sense to do so from a cost and performance perspective. Some applications may reside in one cloud, while some live in another. Some may remain on premises, while others require a hybrid model.  Supporting a range of platform and infrastructure services may be best for agility and functionality, but it increases complexity -- especially when it comes to security and maintaining consistency. Oracle Cloud Infrastructure features announced today at Oracle OpenWorld 2018 enhance security from the cloud to the edge of the network, protecting data and applications in an increasingly multi-cloud world.  Web application security Web applications and sites are central to online business success, so it's not surprising that web attacks have emerged to target these systems and the sensitive data they contain. In fact, web application attacks are the top cause of data breaches, according to the Verizon 2018 Data Breach Investigations Report.  Oracle Cloud Infrastructure announced new native web application firewall (WAF) capabilities to protect against these threats. The Oracle Cloud Infrastructure WAF inspects traffic to any internet-facing endpoint and enables organizations to create and enforce rules to protect against a variety of attacks, including but not limited to botnets, cross-site scripting, SQL injection and distributed denial-of-service (DDoS) attacks.  Oracle Cloud Infrastructure also announced the addition of automated DDoS attack detection and mitigation to all of its data centers. These capabilities monitor and protect against common Layer 3 and 4 DDoS attacks, such as SYN floods, user datagram protocol (UDP) floods, internet control message protocol (ICMP) floods, and network time protocol (NTP) amplification attacks. This approach helps ensure that Oracle Cloud Infrastructure network resources remain available in the event of an attack.  Cloud access security    Two additional Oracle Cloud Infrastructure security announcements focus on configuring and protecting access to cloud resources.  The Oracle Cloud Access Security Broker (CASB), which provides continuous configuration monitoring, predictive threat detection, and automated incident response, now supports Oracle Cloud Infrastructure. And the new Oracle Cloud Infrastructure Key Management service integrates with other Oracle Cloud Infrastructure services to enable customers to more easily encrypt data and manage keys and key vaults.  For more information, read the Oracle Cloud Infrastructure security press release.  

For enterprise-grade organizations -- large, traditional businesses and the smaller companies that aspire to be like them -- security and multi-cloud support are paramount.  These organizations need to...

Advancements in new and emerging technologies are opening doors for businesses what seems like every day. We’re already in the midst of a cloud revolution, but AI, machine learning, blockchain, and IoT—just to name a few technologies—are gaining momentum and fueling new opportunities. These technologies represent opportunity for businesses. But, unfortunately, they also mean opportunity for the bad guys. For one, adopting these technologies creates a larger surface area to defend. And if that weren’t enough, cybercriminals are using these same emerging technologies to wage a highly sophisticated war aimed at undermining businesses. It’s no secret that security teams at organizations of every size are struggling to keep pace with these persistent attacks. But it only takes a handful of stats to illustrate just how dire the situation is: Patching – According to a Verizon study, 85 percent of successful breaches were from vulnerabilities where patches were available up to a year before the attack occurred.  Whether it’s a lack of resources or difficulty scheduling the necessary downtime, most companies simply can’t implement their patches fast enough. Lack of Available Talent - There simply isn’t enough cybersecurity talent to handle the problem. Current estimates suggest there will be 3.5 million open cybersecurity jobs by 2021. But even if organizations could fill these open positions, it wouldn’t be enough. Cybercriminals are using sophisticated technology to scale their attacks, creating more work than humans can handle on their own. Alert Overload – According to the Oracle and KPMG Cloud Threat Report, detecting and responding to cloud security incidents is the number one cited cyber security challenge. This aligns with ESG research, which adds that 42 percent of cybersecurity professionals ignore a significant number of alerts because they can’t keep up with the volume. Security teams need to be empowered to separate the signal from the noise if they’re going to have a fighting chance. So, how do you grab hold of the incredible opportunities that cloud and emerging technologies promise without opening our businesses up to what seems like inevitable damage? The Answer Is Core-to-Edge Security Sophisticated and multifaceted attacks call for layers of defense—starting at the core (your data) and moving to the edge (all the ways in which your users access your data, including your applications and infrastructure). No one security control can prevent the many threat actors and their attacks, so it’s important to use multiple layers of defense to protect your data, the users who need it, the applications that use it, and the infrastructure that underlies it all. For example, Oracle provides layers of defense that protect: Data - Data loss prevention (DLP), at rest and in motion encryption, key management, nonproduction data masking, privileged user access controls, and online self-patching Users - Identity and access management, user and entity behavioral analytics (UEBA), multi-factor authentication, single sign-on identity governance, and risk management Applications - Web application security, API security, malware protection, data redaction, access controls, and Cloud Access Security Broker (CASB) Infrastructure – Distributed denial of service (DDoS) and botnet protection, threat detection and response, security monitoring and analytics, configuration and compliance Our most recent addition to Oracle’s core includes the Oracle Autonomous Database, which incorporates self-securing and self-repairing capabilities that help reduce risk by avoiding breaches and the possible reputational damage and revenue loss that come with them. Self-securing means automatically applying security patches with no downtime and preventing unauthorized data access with default data encryption. In addition, Oracle provides security cloud services that help customers protect their hybrid cloud environments. These security services help predict, prevent, detect, and respond to sophisticated security threats. To reduce manual processes and enable the business, we use advanced machine learning algorithms to determine anomalous user and entity behaviors, then apply an adaptive and defensive response. We provide continuous monitoring that consistently assesses suspicious activities, then alerts and reports on that activity to ensure the attack chain has been broken and remediated. All of this helps reduce mean time to detect and respond to threats. We do this with: Highly automated security, based on machine learning Support for securing and managing hybrid and multi-cloud environments A single pane of glass for security orchestration, automation and response An open and secure platform that you can integrate with your existing environment Only Oracle can protect your business from core-to-edge with this level of automation, integration, and simplicity. And we’re continuing to build our layers of defense every day. Click here to see our latest Core-to-Edge security announcements from Oracle OpenWorld.

Advancements in new and emerging technologies are opening doors for businesses what seems like every day. We’re already in the midst of a cloud revolution, but AI, machine learning, blockchain, and...

How did your day go yesterday? Ours was action packed! Great experiences and announcements all around as OpenWorld 2018 kicked off. If you weren't able to attend all of the sessions on your schedule, or if you are joining us from home - sit back, sip your coffee, and take a look at the highlights from Monday. We will even throw in a few exciting must see items for today! 1. Cloud Generation 2: Core to Edge Security In his opening keynote at OpenWorld 2018, Larry Ellison, Oracle Executive Chairman and CTO, covered many exciting innovations for the future of cloud for the enterprise. The presentation covered a variety of topics, but focused in on the importance of Oracle's Generation 2 cloud running on a single, secure platform. "Security, security, security," Larry said as he explained the importance of a core to edge approach to security. He continued by saying that security in first generation cloud models was often considered an afterthought, but with the rising numbers of breaches and the continual addition of regulatory compliance requirements - security must be a main priority for all businesses. Oracle's Gen 2 cloud has security built in, not bolted on.   2. It's All About the Data One theme rang true throughout Monday's security sessions - data is king. In both Roadmap: Innovations in Security and Compliance for Databases and Oracle's Trust Fabric: The Foundation for Identity-Centric Cybersecurity the importance of securing your data (your core) was stressed. This causes a ripple effect, because your data is so imporant to protect, organizations must be proactive in creating a layers of defense approach to security. Protecting your users, apps, data, and infrastructure is key to maintaining good security practices.  3. Security Must Keep Pace with the Cloud  We enjoyed a very interesting session with Oracle's Greg Jensen and KPMG's Brian Jensen as they emphasized the importance of security as customers move to the cloud. With the rapidly expanding cloud landscape, every organization is faced securing devices and data in new ways. This can cause a "pace gap" as cloud technologies (and the adoption of them) are outpacing the adoption of new security strategies and solutions. This and many other themes were explored in the 2018 Oracle and KPMG Cloud Threat Report.    Now that you're all caught up on Monday's big ticket security items, let's explore some of the Security sessions and events you won't want to miss today. 1. Session Alert: Introducing an Intelligent Approach to Beating Global Cybersecurity Threats Moscone South -Room 206 |12:30pm -1:15pm Security is changing rapidly and organizations need to keep pace. Incorporating AI algorithms and machine learning with traditional security methods is a must in order to protect your company from today's threats. Learn more about this session featuring Laurent Gil, Security Product Strategy Architect for Oracle Dyn, through our recent blog post. 2. Session Alert: Oracle Cloud: The Future is Autonomous The Exchange @ Moscone South - The Arena | 1:45pm - 2:30pm Companies today are tasked with modernization, innovation, and cost reduction. As these mandates become crucial drivers of success, companies are battling to satisfy all three at once. Selecting the right cloud for your business is critical, hear from industry peers as they discuss their transition to the cloud and cover some key points on reducing cost and risk. 3. Session Alert: A CISOs Path to Success in the Age of Cybersecurity Moscone South - Room 206 | 3:45pm-4:30pm This session addresses real-world customer use cases, best practices, and technology usage for how CISOs are building and maturing their information security programs to address hybrid environments, regulatory compliance, and the continually evolving threat landscape. If you are interested in hearing Oracle Security success stories directly from customers, this is the session for you!  Be sure to access our security focus on document for a complete list of must see security sessions. Don't forget to visit the vendor floor to check out interesting demos, learn about Oracle partners, and grab a free swag bag! We will be back tomorrow morning with the latest #OOW18 news.

How did your day go yesterday? Ours was action packed! Great experiences and announcements all around as OpenWorld 2018 kicked off. If you weren't able to attend all of the sessions on your schedule,...

Authored By: Christina Richmond, IDC Program VP WW Security Services for Oracle In this series of blogs, we’ve discussed hybrid IT and managed cloud security as well as managed identity. These topics beg the question, “how do I find the right managed security services provider (MSSP) to work with?” The answer is, “it depends” and in this blog we’ll pull the thread on considerations and dependencies to understand how, why and when to work with an MSSP. Basic considerations for choosing an MSSP range from evaluating the provider’s technical and resource expertise and capabilities, how they fit with your company (industry, size of company) and architecture environment (legacy architecture, cloud or hybrid), whether they can assist your organization with compliance (do they provide assessments, and can they help you remediate), cost and scalability. These are table stakes. But given the complex transformation we’re engaging in today from legacy premises tools to some SaaS, some private cloud and multiple public cloud instances MSSPs are required to do a lot more. IDC separates legacy and advanced MSSPs into a 1.0 and 2.0 definition. As seen in the graphic below, MSSP 1.0 firms will provide core services such as log monitoring, basic managed and monitored services for devices such as firewalls, intrusion detection services/intrusion prevention services, and unified threat management (and others). They provide vulnerability scanning and basic threat management. MSSP 1.0 firms are moving into delivery of some advanced services like management and monitoring of identity and access management in recent years and some may also offer advanced services such as DDoS, managed security information and event management (SIEM), and managed Security Operations Center (SOC) functions. MSSPs 2.0 deliver basic and advanced MSS plus professional/complementary services such as breach readiness, incident response, forensics, compliance services, and assessment of architecture and design. And still others provide managed security testing, application security testing, and data privacy assessment. Many are investing in mobile/IoT, cloud, threat intelligence/big data analytics, incident response/forensics, and advanced detection techniques. This last is where organizations building out their hybrid landscape need to focus greater and greater attention. It is imperative to find advanced MSSP support that includes visibility and management/monitoring in identity, mobile/IOT and cloud. This is where IT is moving and the monitoring the perimeter of old no longer suffices. Beyond these capabilities the MSSP of today will also utilize advanced threat detection and analytic techniques like big data analysis, heuristics, machine learning and artificial intelligence. IDC sees a good mix of companies doing their own inhouse advanced threat detection and outsourcing the requirement. Finally, the newest trend of endpoint detection and response (EDR) tools and managed detection and response (MDR) services is a critical defense in depth addition for MSSPs.   In the last blog, I stated that identity and data security are the new perimeter tools in this digital world. The above lists of basic to advanced capabilities are all important to consider, but the ability to detect, monitor, provide visibility into and respond to alerts on your behalf within these two areas is something that should be considered depending on your environment. If your organization is like many large organizations that are in the midst of the digital journey, it is imperative that you consider managed identity and data security services because of the complexity and dynamic nature of the environment. Consider tuning in for the Twitter Periscope with Christina Richmond, IDC Program VP and Rohit Gupta, Oracle’s GVP of Identity, to share their perspectives on the cyber challenges impacting today’s organizations as they lift and shift workloads to the cloud. Follow Christina Richmond @Xtina_Richmond Follow Rohit Gupta @Roh1 Follow Greg Jensen @GregJensen10 Oracle Security @OracleSecurity If you are attending Oracle OpenWorld in person, join us at on Tuesday, Oct 23, @4:45 pm for the session Secure Your IT Services with Oracle Managed Identity Cloud Services.

Authored By: Christina Richmond, IDC Program VP WW Security Services for Oracle In this series of blogs, we’ve discussed hybrid IT and managed cloud security as well as managed identity. These topics...

Oracle OpenWorld 2018 has officially begun! Join us each morning for a daily dose of information, announcements, and key highlights for the day ahead. Our team is out in force at OpenWorld and ready to bring you the latest information surrounding happenings at the conference! If you are in San Francisco for the week, we highly recommend that you check out some of the events we feature in these daily download blogs, we'd love to see you there! If you cannot attend, not to worry, we will also feature follow up information and blogs throughout the week and as the conference wraps up and session replays are made available. 1) Session Alert: The State of Cloud Security: Keeping Pace at Scale Marriott Marquis (Yerba Buena Level) - Nob Hill A/B 11:30am-12:15pm Join Oracle's Greg Jensen and KPMG's Brian Jensen for a session highlighting some of the top security challenges organizations face when moving to the cloud. With increased migration to the cloud, customers are faced with a "pace gap", creating more opportunities for increased risk and decreased visibility. As senior editors/contributors to the Oracle and KPMG Cloud Threat Report, this session is sure to shed light challenges all cloud security professionals face. 2) Keynote Corner: Cloud Generation 2 Moscone North - Hall D 1:45 pm- 3:00pm The Second Generation Cloud is built for the enterprise to protect your critical data; secure from core to edge; easily move apps and data from on-premises. It is built for all enterprise workloads, is designed to run in the public cloud or at customer and is simple to upgrade. Don't miss this exciting keynote session with Oracle Executive Chairman and CTO, Larry Ellison. This is sure to be a packed session, you won't want to miss!  3) Session Alert: Protect Cloud Data with Oracle CASB Cloud Service Moscone South - Room 206 4:45pm- 5:30pm Hear from Chet Sharrar, Chief Information Security Officer for Marlette Funding, as he discusses how Oracle CASB Cloud Service provides complete enterprise-grade cloud data protection with integrated user and entity behavior analytics, data loss prevention, antimalware, and encryption capabilities. 4) Join us for a Periscope Interview with IDC! Oracle and IDC will be live broadcasting a Periscope interview with Christina Richmond, IDC Program VP WW Security Services for Oracle and Rohit Gupta, GVP Product Management for Oracle. The interview will take place today at 1:45pm (PT). 5) Check Out The Exchange and Participate in a Scavenger Hunt!  Moscone South | 9:45am - 5:45pm Be sure to visit the Exchange, where you can explore Oracle technologies and understand new innovations. Stop by, network with peers, and have a T-shirt printed (booth 2501!). We love to hear from our readers! Be sure to interact with us on Twitter (@OracleSecurity) and mention Oracle OpenWorld using #OOW18. Access our Oracle Security Focus on Document for a full list of Oracle Security Sessions. Don't forget to join us as share more of the latest news in tomorrow's Daily Download.

Oracle OpenWorld 2018 has officially begun! Join us each morning for a daily dose of information, announcements, and key highlights for the day ahead. Our team is out in force at OpenWorld and...

Last week my colleague Brian Jensen published a great blog highlighting the many potential security risks you could face when moving your ERP to the cloud. To borrow his analogy from medieval times, it’s like sending your king into the countryside carrying a bag of gold. Without the protection of stout castle walls and a moat – aka your data center’s firewall – your king becomes an easy target for highway men, rogues, and bad actors of every stripe. But there are ways to protect your king – and your cloud apps – from harm. What’s more, if you do it right, you can also save money and drive business growth along the way. The key is securing and harnessing your digital identities. Let’s dig deeper. The first thing to understand is there are two types of digital identities: Enterprise Identities. These are IDs associated with employees, contractors, and temporary workers Consumer Identities. These are IDs tied to individuals and consumers outside the boundaries of the business Digital identities are multiplying exponentially. Not long ago, most people had just one or two identities. A Google or Yahoo email ID, and maybe a work ID. Now people have dozens of digital IDs: social media IDs for Twitter, Facebook and LinkedIn; IDs to purchase stuff on retail websites; IDs for your credit cards; and multiple IDs at your workplace to access different apps and systems. Your digital ID is thus a collection of many identities spanning your business, consumer and social lives. Intelligent systems can not only manage the linkages between these different identities of an individual but can also provide valuable business insight to help improve data & application security, enhance user experience and enable businesses in their desire to expose relevant capabilities & offerings to their consumers. Leveraging Digital IDs for Security Digital IDs can help protect businesses and individuals against cybercrime and fraud. An effective way to do that is by attaching restrictions to IDs. For example, you could put dollar limits on how much your finance staff can purchase based on the roles and responsibilities tied to their IDs. Smart ID systems can also help you spot suspicious behavior. Take an employee who normally executes only two or three transactions a day – and then suddenly starts executing 15. This might be an indicator of nefarious activity – or a stolen ID. By integrating analytics with digital identity systems, you can detect these unusual kinds of behavior and either block the purchase or alert management. Likewise you might have a sales rep who, day-in day-out, gathers data for just a handful of accounts in a single industry. But what if one day the rep starts pulling data for every single account in every industry? A smart monitoring system, aided by analytics, can easily flag questionable behavior like this and initiate follow-up action. Such monitoring is all the more relevant where critical systems are hosted in cloud. When flags aren’t raised, businesses can get into trouble. Take the case of a UK based stock trader, working for one of Europe's largest banks. Ten years ago the hapless junior trader managed to lose billions of dollars for his employer by executing a large number of unauthorized derivatives trades. Proper controls tied to his digital ID could have averted the gigantic loss, which sent the bank’s stock plummeting 8 percent. Instead, the bank simply learned a very expensive lesson about internal controls and digital IDs.   Another danger: People can accumulate multiple IDs over the years as they climb the organizational ladder, move to new groups, and take on new roles and responsibilities. Whenever people get ahold of more keys to the castle, security risks increase. That’s why a good ID system monitors user “lifecycles” and adjusts controls appropriately, including taking away privileges that are no longer relevant to a person’s job. Organizations practicing good digital ID governance also conduct regular “attestation” surveys in which employees and their managers confirm they still need access to various applications and systems. Unnecessary IDs can then be de-provisioned. Greater Operational Efficiency In the pre-cloud days, digital IDs were managed exclusively in the data center by IT teams that exerted tight control over what users could and couldn’t do within the walls of the enterprise. But provisioning IDs and managing access was painfully manual. At big global enterprises, teams consisting of a hundred or more labored around the clock to manage employee onboarding and system access. The cloud is simplifying that process. Automated digital ID systems powered by analytics are gradually doing away with centralized and labor-intensive access-management operations. With cloud-based digital ID platforms, most of the work is self-managed, self-provisioned and self-requested. As a result, help desk traffic has eased, along with support costs. I’ve seen clients, once they’ve put appropriate automated systems and controls in place, shrink their identity and access management teams by 80% or more. Enabling the Business As businesses move to the cloud, their digital IDs become more distributed and mobile, potentially adding to the risk of cyberattacks and data breaches. New digital ID management solutions, however, can help extend user identities to the cloud in a secure fashion, supporting rapid deployment of digital initiatives and making it easier for mobile users to gain access to the internal systems they need to get work done.   An effective digital ID system gives you a powerful tool for enabling your business. After all, you want to let friendly customers and suppliers into your castle. But you also want to screen out the bad guys and block their access to sensitive systems and data, whether they’re from inside and outside of the enterprise. By using digital IDs to expand the virtual boundaries of the castle wall, businesses can safely open new lines of communications and commerce with customers and business partners, creating opportunities for monetization and growth. Today, my team continues to help businesses build strong castle walls to fend off cyberintruders. But more and more we’re showing them the possibility of leveraging digital IDs to expand the business and drive competitive advantage. Are you using digital identities to enable and grow your business? To learn more, download the Oracle and KPMG Cloud Threat Report 2018. 

Last week my colleague Brian Jensen published a great bloghighlighting the many potential security risks you could face when moving your ERP to the cloud. To borrow his analogy from medieval times,...

With Oracle OpenWorld kicking off in a few days, we would like to invite all attendees to join us for key Oracle Database Security Sessions. There are many sessions to choose from, but we have selected a few "must see" sessions for you to attend. The Database Security team will be out in full force to bring attendees the latest news, hear customer perspectives, and showcase solutions. Here is our guide to the top 6 Database Security sessions at OpenWorld 2018. 1. Roadmap: Innovations in Security and Compliance for Databases [PRM4101] Monday, Oct 22, 10:30 a.m. - 11:15 a.m. | Moscone West - Room 3006 Vipin Samar, Senior Vice President, Database Security, Oracle Russ Lowenthal, Director, Product Management, Oracle Session Description: It's been an incredibly busy year for Oracle’s Database Security team, with the new Oracle Data Security Cloud Service, Oracle Database Security Assessment Tool, and Oracle Key Vault with multimaster support. The European Union's General Data Protection Regulation (EU-GDPR) is now in effect as well, and efforts to comply have started. In this session learn what the team is working on this year to help you comply with latest regulations, and how to secure your databases whether on-premises or on the cloud.   2. Introducing Oracle's Data Security Cloud Service for Oracle Databases [PRM4102] Tuesday, Oct 23, 12:30 p.m. - 1:15 p.m. | Moscone West - Room 3006 Vikram Pesati, Vice President, Product Development, Oracle Michael Mesaros, Director, Product Management, Oracle Session Description: Oracle Databases in the Oracle Cloud offer a high degree of security. Secure infrastructure, data encryption by default, and automated patching all help to keep data safe from a variety of threats.  However, understanding the risks associated with data, controlling access to it and monitoring its use are customer choices, making security a shared responsibility between the customer and the cloud provider. Oracle Data Security Cloud Service is a unified control center for managing data security in Oracle Databases in the cloud. It allows you to quickly understand the sensitive data in your care, evaluate configuration risks, enable auditing and detective controls, mask data for use in test and development environments, and more. This session provides an overview of the Data Security Cloud Service and takes attendees through a full end-to-end scenario of how they can protect data in Oracle Databases. No prior security experience is needed.   3. Data Security in the GDPR Era [PRO4111] Wednesday, Oct 24, 11:15 a.m. - 12:00 p.m. | Moscone West - Room 3006 Joao Nunes, IT Senior Manager, NOS Tiago Rocha, Database Administrator, "Nos Comunicaões, Sa." Eric Lybeck, Director, PwC Session Description: The European Union's General Data Protection Regulation (GDPR) has been in effect for half a year, and much has been learned about how best to protect personal privacy data in Oracle Database. In this session explore GDPR's first six months and take a tour through security by design and default in the Oracle Database. Join PWC, NOS (one of the largest media companies in Portugal), and Oracle to learn how Oracle customers are addressing GDPR challenges such as sensitive data discovery, encryption, data minimization, pseudonimization, privacy impact analysis, and more.   4. Inside the Mind of a Database Hacker [THT6814] Monday, Oct 22, 5:00 p.m. - 5:20 p.m. | The Exchange @ Moscone South - Theater 4 Mark Fallon, Chief Security Architect, Oracle Database, Oracle Russ Lowenthal, Director, Product Management, Oracle Session Description: In this session get an alternative way of thinking about how to protect enterprise data: by examining the hacker's point of view.   5. Oracle Database Security Assessment Tool: Know Your Security Posture Before Hackers Do [TRN4107] Wednesday, Oct 24, 12:30 p.m. - 1:15 p.m. | Moscone West - Room 3006 Pedro Lopes, DBSAT and EMEA Field Product Manager, Oracle Marella Folgori, Oracle Riccardo D'Agostini, Responsabile Progettazione Data Security, Intesa Sanpaolo Session Description: Before hackers map out your database users, configuration, data, and security controls to devise their strategy, use new Oracle Database Security Assessment Tool to help discover sensitive personal data, identify database users and their entitlements, and understand the configuration and operational security risks. Attend this session to learn how you can generate Oracle Database Security Assessment Tool reports to create your database security strategy or support GDPR data privacy impact assessments. No prior security experience needed. And the tool is freely available to all Oracle Database customers. 6. Recent Database Security Innovations You Might Not Be Using, but Should Be [TIP4112] Thursday, Oct 25, 1:00 p.m. - 1:45 p.m. | Moscone West - Room 3006 Alan Williams, Database Security Product Management, Oracle Russ Lowenthal, Director, Product Management, Oracle Manish Choudhary, Oracle Session Description: Recent Oracle Database releases include significant new features that streamline user administration, reduce database attack surfaces, and protect personally identifiable information, and other sensitive data. In this session learn about the new way to authenticate and authorize database users in Active Directory. Explore review recent security innovations including privilege analysis, database vault simulation mode, data redaction, online encryption, and passwordless schemas. See how to assess the security of your database with Oracle Database Security Assessment Tool. Attend this session and you'll be able take advantage of these features next week to create a more secure database environment.        

With Oracle OpenWorld kicking off in a few days, we would like to invite all attendees to join us for key Oracle Database Security Sessions. There are many sessions to choose from, but we have...

Authored By: Pedro Lopes Databases are storing all kinds of sensitive data these days.  Think for a second. Either your name, address, SSN, age, phone number, bank account information, healthcare data, employment, academic… pick one, and it is for sure stored into a database and powering a business application. Regulations are also evolving and becoming more stringent aiming to protect data by setting requirements for the way data is handled and processed. So what can you do about it? Assess the current security state with the Oracle Database Security Assessment Tool. It is simple to use, to execute and provides instant value. Its reports contain a high-level summary and details of the current security posture, details about users, their entitlements, and the sensitive data. There will be plenty of DBSAT activity this year at OOW, and for sure you will have the opportunity to learn more about it. Do not wait for tomorrow, start today! Drop by the Demo Grounds (Moscone South), the Hands-on Labs (Mon to Thu), the Teather session (Mon) or at the DBSAT session presentation (Wed) where Mr. Riccardo D’Agostini from Intesa Sanpaolo Bank, one of the major Italian banks, will be on stage sharing their experience on using DBSAT under a GDPR compliance initiative. You can’t miss it. As a summary: Database Security Assessment Tool [THT6816] Monday, Oct 22, 04:00 PM - 04:20 PM | The Exchange @ Moscone South - Theater 4 Oracle Database Security Assessment Tool: Know Your Security Posture Before Hackers Do [TRN4107] Wednesday, Oct 24, 12:30 PM - 01:15 PM | Moscone West - Room 3006 Assess Your Database Security [HOL6289] – Fully booked! Monday, Oct 22, 12:15 PM - 01:15 PM | Marriott Marquis (Yerba Buena Level) - Salon 1/2 Tuesday, Oct 23, 11:15 AM - 12:15 PM | Marriott Marquis (Yerba Buena Level) - Salon 1/2 Wednesday, Oct 24, 08:00 AM - 09:00 AM | Marriott Marquis (Yerba Buena Level) - Salon 1/2 Thursday, Oct 25, 09:00 AM - 10:00 AM | Marriott Marquis (Yerba Buena Level) - Salon 1/2   See you there! Pedro Lopes DBSAT and Field Product Manager for EMEA Oracle Database Security

Authored By: Pedro Lopes Databases are storing all kinds of sensitive data these days.  Think for a second. Either your name, address, SSN, age, phone number, bank account information, healthcare...

With Halloween approaching rapidly, a bit of trivia on US candy consumption is worth noting. Americans purchase a whopping 600 million pounds of chocolate each year during Halloween1. But that’s a fraction of the total US consumption of chocolate each year, which happens to be about 22 pounds per American. Clearly, the US towers over many other countries in its sheer appetite for chocolate. But did you know that two-thirds of the world’s cocoa production –so essential for chocolate production – comes from West Africa?  An estimated 2 million children2 are employed in the cocoa industry in West Africa – kids ranging between 5 and 15 years of age. If I’ve just killed your Halloween appetite, maybe join forces with us and invent a modern solution to this problem. Enterprises worldwide are struggling to gain insights into their supplier networks to find answers to these sorts of questions – how many of their suppliers honor ethical child labor laws? Which suppliers comply to local environment regulations? Which suppliers can companies rely on to honor anti-bribery laws with local governments? So far, the answers to these questions have been really hard to get for most companies, not because of lack of intent, but because of sheer complexity of today’s supply chain networks. Many industries rely on complex multi-tier networks with several suppliers in each tier, distributed across large geographical regions. Tracking and verifying the latest status of certifications and regulatory compliance for each supplier is an onerous and expensive task. Even if such data is painstakingly aggregated, it tends to go stale rapidly since many of these certifications are designed to expire every few years. Today, many companies are exploring blockchain as a potential solution to build modern supply chain networks that are transparent to manage across multiple organizations. Blockchain technology particularly excels at allowing organizations who may not have an explicit trust relationship between them, to mutually share information in a reliable manner. This could help in storing information about suppliers, including their various industry accreditations or certifications, all duly verified and endorsed by various validating authorities. Such a decentralized network would require suppliers, validating authorities, and relying parties that depend on the certifications to share information between each other. For Identity Management professionals, such decentralized applications pose several implementation challenges. Traditional protocols like Federation are not designed to exchange decentralized sets of attributes, attestations and entitlements between untrusted organizations. Instead, a new set of Identity Management protocols and data exchanges are required to exchange shared identities, while at the same time storing sensitive information off-ledger, protected by appropriate cryptographic keys and key management. A decentralized Identity Management implementation will help organizations with the following: Allow suppliers to manage the accuracy of their identities stored on and off-ledger in a local identity “wallet”. When information about them changes, they own the responsibility of updating the necessary information. Enable industry authorities to digitally attest the validity of supplier identities and corresponding accreditations and certifications. This would serve as proof of the certification claims to all participants authorized to read the information. Allow organizations to query the decentralized network for accurate information about suppliers meeting their desired criteria, like geographical location, size or type. Here at Oracle, we are working with several customers to build decentralized identity management on Oracle Cloud for such applications. At Oracle Open World 2018, we’ll demonstrate one such application built by a global healthcare company for their procurement risk management needs and its underlying architecture. If you are responsible for managing identities for traditional supply chain networks and would like to explore new blockchain-based solutions, be sure to come check out our session (Architecting Decentralized Identity Networks Using Blockchain on Oracle Cloud) on Wednesday, Oct 24 at 4:45 pm. Subbu Iyer, Sr. Director of Product Management for Oracle Cloud Security, and Prateek Mishra, Architect and creator of the SAML standard, will talk about architecting blockchain-based decentralized Identity Management.   1: https://visual.ly/community/infographic/food/how-much-candy-do-we-eat-halloween 2: https://ilpi.org/wp-content/uploads/2015/11/20151126-Child-labour-in-the-West-African-Cocoa-Sector-ILPI.pdf

With Halloween approaching rapidly, a bit of trivia on US candy consumption is worth noting. Americans purchase a whopping 600 million pounds of chocolate each year during Halloween1. But that’s a...

One of my favorite things about Oracle OpenWorld is the chance to learn more about how our partners and customers solve real-world business problems with the technology we develop. This year I get the chance to work with some of the best.  I've teamed up with a couple of great organizations -  NOS and PwC - to dig more into regulatory compliance and on how they are approaching the European Union’s General Data Protection Regulation (GDPR). NOS is a large media and communications company based in Portugal – NOS is a leader in content delivery, including Pay TV, broadband, mobile phone service, and cinema distribution and execution.  PwC is one of the world's largest professional services organizations, and helps customers around the world address challenging regulatory environments.   We’ve been taking a look at GDPR- from several different angles.  GDPR has been in effect for over six months now, and we’ve had a good chance to learn what works and what needs further consideration. How does a major commercial organization that manages significant amounts of personal data protect that data and satisfy their obligations under GDPR?  NOS is telling their story.  How does one of the world most respected professional services groups help clients meet their GDPR responsibilities?  PwC is telling their story.  How does the largest provider of enterprise software help our customers protect data privacy and comply with regulations – I’ll be telling that story. If you are at OpenWorld this week, stop by Moscone West, room 3006 on Wednesday, 24 October at 11:15 am.  Join Oracle, PwC, and NOS as we take you through data security in the GDPR era from all three points of view.  You’ll get a chance to see how people are solving the real-world requirements of the regulation, and have the opportunity to ask questions from our panel.  For a quick guide to the database security sessions, demos, and hands-on labs at OpenWorld this year, take a look at Focus on Database Security Hope to see you there!

One of my favorite things about Oracle OpenWorld is the chance to learn more about how our partners and customers solve real-world business problems with the technology we develop. This year I get the...

Oracle’s Cloud at Customer portfolio offers the premium security of Oracle Cloud, like continuous patching and threat monitoring, and offers you the ability to control the security within your own data center.

Oracle’s Cloud at Customer portfolio offers the premium security of Oracle Cloud, like continuous patching and threat monitoring, and offers you the ability to control the security within your own...

  1. Hear about real stories from real customers By attending customer case study sessions at this year’s Oracle OpenWorld, you’ll be able to hear from real companies on how Oracle helped them protect their users, apps, data, and infrastructure. Customers such as Marlette Funding and Wells Fargo, will walk you through how Oracle Security products helped with data loss prevention, antimalware, and more. 2. Learn by doing with hands-on labs Although there are many great sessions, the best way to retain all the information is by doing. The hands-on sessions give you a unique experience and they touch on a range of topics. Learn how to detect advanced threats, enhance the security of your SaaS solutions, secure information in your cloud services, and much more. 3. Get social The week can get very hectic with hundreds of different session, labs, keynotes, etc. to choose from, but you can follow @OracleSecurity on Twitter to keep updated throughout the week. We will be live tweeting certain sessions, alerting you on any changes, and much more. Also, the Oracle Security Blog will be posting insights throughout the week and even after OpenWorld. Be sure to take lots of photos and use #OOW18, we look forward to connecting! 4. Stop by Be sure to stop by the demo booths featuring the different security products. In the security section we have demos of data security, such as encryption, masking, access controls, etc. If you are more interested in learning how you can monitor your mission-critical apps, visit the Oracle CASB Cloud Service demo booth. For even more, visit the Oracle Cloud Infrastructure area to learn how Oracle thinks about security from the core of infrastructure to the edge of the cloud. Visit the Demo List for more information and a booth map. 5. Must see Some of the top security sessions include topics surrounding securing hybrid and multi-cloud environments at the Tips and Tricks for Security at Cloud Scale session [CAS3773] and the Oracle and KPMG Cloud Threat Report at The State of Cloud Security: Keeping Pace at Scale [BUS3774]. To go even beyond security, make sure to attend the Oracle Cloud: The Future is Autonomous session [GEN1229] for insight on how Oracle Cloud Platform can help your organization modernize, innovate, and cut costs.   Visit our Focus on Document for more information on all of the sessions and events around DBSec, Identity, OMC, CASB, Dyn, and Keynote sessions at OpenWorld.

  1. Hear about real stories from real customers By attending customer case study sessions at this year’s Oracle OpenWorld, you’ll be able to hear from real companies on how Oracle helped them protect...

By Nishi Shah, Director Cyber Security & Privacy, PwC and Soumya Banerjee, Director Cyber Security & Privacy, PwC A mid-sized company with about 5,000 employees gets approximately 1,000 to 2,000 security incidents per day.  This equates to nearly 60,000 threat incidents per month and as many as 720,000 per year.  That number has increased dramatically because of automated security attacks using bots.  According to The Cybersecurity Intelligence Report from Oracle + Dyn “over 50% of internet traffic is bots.  [And,] some of these bots are probing your site for vulnerabilities.”  With these huge numbers, there are just too many threat incidents for the typical security operations team to manage with any level of precision.  Various niche security products help to flag these 1,000-2,000 incidents each day, which is a step in the right direction as more potential threats are identified.  However, the next step in the usual security operations process requires a person to review each of the incidents and make a judgement call about whether the threat is real or a false positive.  It’s a very manual process, and needless to say, there are a lot of security tickets to sift through each day. So how does a security operations center (SOC) manage that massive amount of data?  How can the security team automate the manual process to review flagged incidents?  The answer is artificial intelligence (AI) or machine learning.  Consider this example:  An employee is sending a 9-digit number to an external partner.  The email is flagged as a possible threat incident because the 9-digit number is recognized by a security monitoring tool as a social security number, which could imply a theft of personally identifiable information.  However, the flagged incident is really a false positive because the 9-digit number is a P.O. number, which is acceptable information for an employee to email to a partner. Oracle Management Cloud (OMC) is a suite of autonomous management services that automate processes and eliminate the human effort associated with traditional solutions for monitoring, managing, and securing applications and infrastructure.  OMC leverages machine learning and big data techniques across the full breadth of the operational data set to help drive innovation while removing cost and risk from operational processes. Let’s go back to our example and assume that 20% of the typical 1,000 to 2,000 daily incidents fall into this 9-digit number scenario.  That means approximately 200-400 incidents are false positives.  OMC, with its ability to collect data from many discrete sources (i.e., cloud applications, on-premise applications, infrastructure components), has built-in machine learning functionality with strong data visualization capabilities.  The solution evaluates each incident in the context of user behavior and helps the security team eliminate the false positives. While OMC will flag all emails matching with 9-digit pattern, once the security analyst identifies the incidents as false positive, OMC would remember the email pattern along with other contextual user information to automatically segregate the emails into a potential false-positive category.  This automated process allows the SOC to focus on critical incidents and review the potential false positives as a lower priority. As the threat of cyber-attacks continues to escalate, from thieves, rouge entities, or aggressive governments, enterprise organizations need to invest in automation so to improve depth and scale for their current monitoring and incident management capabilities. PwC has helped many customers establish an SOC transformation strategy that intelligently automates manual monitoring and incident resolution processes.  The strategy also measures the value of the automation program.   If you’d like to have further discussion on transforming your security operations team with automated efficiencies from AI and machine learning, give PwC a call and visit the Oracle Cloud Security page. 

By Nishi Shah, Director Cyber Security & Privacy, PwC and Soumya Banerjee, Director Cyber Security & Privacy, PwC A mid-sized company with about 5,000 employees gets approximately 1,000 to 2,000...

Authored By: Christina Richmond, IDC Program VP WW Security Services In the previous two blogs, we looked at the challenges of securing hybrid IT and how managed cloud security can benefit the organization. In this blog, we’re going to drill down into managed identity and access management, which in today’s digital world is key to security survival. Let’s face it, the network perimeter has become identity- and data-based, and no longer locked down by firewalls and intrusion-detection appliances. Moreover, the challenges of securing identity are legendary. Add to this that we now have computing environments spanning on-premises, cloud, and multicloud environments. Given this new complexity, existing security controls such as authentication, authorization, and identity management must work in both the private and public cloud. When handling identity security internally within an enterprise, there are two options for integrating hybrid security protocols: 1) replicate controls in both public and private clouds and keep security data synchronized, or 2) use an identity management service that provides a single service to systems running in either cloud. Be sure to allow time during the planning and implementation phases to address what could be complex integration issues. But if you don’t want to go solo, managed identity can assist with planning and integration, as well as the operational efficacy of an identity and access management program. Escalating numbers of internet-facing applications and services expose the business to greater risk. Securing the data at rest and in motion is only one piece of the equation; effective identity management is the other. A key component of identity and access management (IAM) is making sure users are minimally impacted and that solutions are tailored to the organization’s needs. The last – but by no means the least – necessity is visibility into regulatory compliance controls. To bring these requirements into one solution, it must have the following basic components: Single sign-on (SSO) and visibility into authentication Centralized identity management Threat and anomalous behavior alerts Admin-friendly management dashboard User account management Compliance reporting Simplified identity management across the entire lifecycle Today, 40% of respondents in the IDC Cybersecurity Pulse Survey outsource their IAM to a service provider and another 22% are evaluating their future investment (see chart). And, nearly 40% will increase their spending on IAM and another 50% will keep their budget about the same, but not decrease it. When we look specifically at managed cloud security services, over 21% of respondents would require IAM to be included in an engagement for cloud security. But interestingly, one of the very reasons you might consider outsourcing IAM is also an inhibitor—assistance with regulatory controls. Over 22% of respondents in IDC’s Managed CloudView survey are concerned about provider governance and management capabilities, and possible inability to meet SLAs. Sometimes management is opposed to outsourcing (22.8%). Just under 22% of respondents state that regulatory factors are an impediment. However, given the complexities of today’s IT infrastructure, it’s exceedingly difficult to gain compliance visibility across all platforms. This is exactly why outsourcing could help solve the regulatory conundrum. In our next blog we’ll discuss how to choose the right MSS partner to use. To learn more about Oracle Managed Security Services and how MSS can help you, visit our website. Monday, October 22nd @1:45pm PST, we will be live from Oracle OpenWorld with IDC's Christina Richmond and Oracle's Rohit Gupta to hear their perspectives about the security challenges Oracle's customers are dealing with as they shift their workloads to the cloud. Follow both Christina, Rohit, @OracleSecurity and Greg below to stay on top of the latest information related to this IDC live Periscope interview.  Follow Christina Richmond @Xtina_Richmond Follow Rohit Gupta @Roh1 Follow Greg Jensen @GregJensen10 Oracle Security @OracleSecurity If you are attending Oracle OpenWorld in person, join us at on Tuesday, Oct 23, @4:45 pm for the session Secure Your IT Services with Oracle Managed Identity Cloud Services.

Authored By: Christina Richmond, IDC Program VP WW Security Services In the previous two blogs, we looked at the challenges of securing hybrid IT and how managed cloud security can benefit...

By Brian Jensen, Director, KPMG According to a 2018 Cloud  Threat Report commissioned by Oracle and KPMG, 83% of companies believe cloud security is as good as or better than on premises security. It is true, cloud security is very strong; but you can’t just go marching into the cloud and operate the way you did in an on-premises environment. You have to change your mindset. You could be asking for trouble if you don’t go into the cloud with a strong cloud security plan that is aligned with the cloud shared responsibility model requirements Before cloud computing, enterprise security was an addressable challenge. It was analogous to the Middle Ages, when kings built big castles to protect against invaders. They erected high walls and guard towers, dug moats, and posted sentries who scanned the horizon for threats. In the same way, businesses in the pre-cloud era built security layers around their data centers to keep out cyber invaders. Enterprise systems and data – like the king and his treasure – were secured behind the barricades in an effort to prevent attacks. In today’s cloud environment, businesses can be exposed to a whole host of new cyber threats that did not exist in the pre-cloud computing era. Moving to the cloud can expose companies to these new cyber threats if they do not take proper precautions and build out mitigating capabilities to address their portion of the shared responsibility model. What we are seeing in our security practice, and what our recent Cyber Threat Report confirmed, is that cloud agility - which enables rapid deployment of cloud applications – is causing a pace gap between how fast business are scaling up in the cloud and their ability to keep up with commensurate security measures.  Let’s review some of the most common cyber threats.   Rogue Employees There are many documented cases of disgruntled “rogue” employees committing fraud and disrupting businesses. Their favorite method is to hijack or create fake user IDs to delete data and wreak other kinds of havoc, whether out of spite or for financial gain. When IT systems were on-premises, these individuals had to sneak around and be very cautious in what they were doing. Today the cloud makes their job easier because no one is looking over their shoulder. They can access cloud from anywhere, any device and any time and alter company data while sitting on a beach in Belize, for example. Cyber Breaches Looking for Cash / Stealing Cash Cloud-based ERP systems are prime targets for hackers who can target  cloud-enabled transactions with the goal of  siphoning off cash. For example, “Spearphishers” – fraudsters who use clever emails to trick employees into revealing their logins – have become adept at hijacking accounts and redirecting payments intended for legitimate vendors. Data Theft Hackers aren’t just stealing cash. They’re also on the prowl for data, which can be just as valuable. There are plenty of ways hackers can steal data. Take an employee on vacation who wants to squeeze in some work on the hotel computer. He or she might innocently download a company report to the machine, where it’s saved in a temp folder. If that report contains sensitive company data, someone can easily access that information and use it to commit fraud. A less innocent employee might download data at home with the express purpose of selling it. Recently, an ill-intentioned employee at a major technology company downloaded plans for a new leading edge product to his personal computer. Luckily, he was stopped at the airport before he could fly to China to and exploit the stolen information. Incidentally, failing to protect data can also cost millions of dollars in fines. A massive data breach can be a game changer for an industry, especially if the data theft involves Personally Identifiable Information (PII)  such as driver’s license numbers or Social Security numbers. Prosecutors and regulators see these types of company blunders as a serious failure of fiduciary responsibility worthy of steep fines, often in the hundreds of millions of dollars. Protecting Cloud Apps / Beyond Compliance The common refrain that “the auditors aren’t asking about it” is hardly an excuse for not building a solid cloud security strategy. Remember, the auditor’s job is simply to state that your financial records are accurate – not to prevent risk. You need to conduct a comprehensive security risk assessment that documents all your operational, financial, performance, and technology risks. And be honest: Just because it hasn't happened before doesn't mean it’s not going to happen in the future. Once you understand your risk profile, then you can build a “controls-in-depth” (CID) strategy to mitigate that risk. An effective cloud security strategy can include: Smart cloud application controls. These are procedures you can put in place to short circuit cybercrime. For example, hackers love to break into ERP systems and reroute employee paychecks to phony bank accounts. Yet simple controls such as sending an email to the employee whenever their direct deposit is changed, or making sure their first check is always a physical one, can stop scam artists in their tracks. You can also check if multiple employees share the same deposit account – a sure sign something’s not right. Tiered roles and logins. By using concepts like least privileged access and segregation of duties you can limit what people can see and do on your cloud platform. You can also employ adaptive authentication to “tier” access based on risk. So for harmless activities – like looking up vacation days – a simple user ID and password would be enough to get you through the castle gate. But if you’re changing where your paycheck goes, tougher authentication would be required. Vigilant user administration. When you kick someone out of the castle, you don’t want them tunneling back in. But that’s exactly what can happen in cloud environments when you terminate someone and forget to revoke their access. They could literally sit out in the parking lot and create fake expense reports – or worse. You can see why smart user lifecycle management is critical to cybersecurity.  Ongoing Security Testing. The great thing about the cloud applications is that they are constantly updated and “modern.” But every update or patch can be a weak point for new cyber-attacks. To stay safe, make sure your security operations team – or a trusted partner – evaluates each update and checks for new vulnerabilities that might have been introduced. Don’t forget that managing risk in the cloud is a shared responsibility between the provider and the customer. Typically the provider is on the hook for things like power, data center security, backup and recovery, patching, and data at rest encryption. But the client has their own responsibilities, such as controlling user access, configuring the cloud applications, and managing the data the goes in and out of the cloud. If the provider falls down on any of its duties, they are vulnerable to law suits. But if the customer fails to mitigate the risk on their side of the cloud shared responsibility model, they won’t have anybody to blame. For continuing information, explore the key findings uncovered in the annual Oracle and KPMG Cloud Threat Report 2018.  Brian Jensen is Managing Director in KPMG’s Oracle Risk Consulting practice. He  is a business development and solution delivery executive specializing in ERP, large-scale business transformations, security & controls, and identity management. Brian has a successful track record of building innovative, effective risk management solutions for large and midsized organizations.

By Brian Jensen, Director, KPMG According to a 2018 Cloud  Threat Report commissioned by Oracle and KPMG, 83% of companies believe cloud security is as good as or better than on premises security. It...

We're happy to announce the availability of Audit Vault and Database Firewall (AVDF) Release 12.2 Bundle Patch Nine (BP9). AVDF 12.2 BP9 enhances security and gives our customers greater control in protecting internal communications, allowing customer selection of the TLS level used between different components and establishing a baseline of TLS 1.2 for all new installations.  AVDF 12.2 BP9 is available via MyOracleSupport as patch 28188074.  For new installations of AVDF 12.2, an updated installation media pack that already includes BP9 is available at https://edelivery.oracle.com. AVDF provides a first line of defense for databases and consolidates audit data from databases, operating systems, and directories to support monitoring and compliance reporting.  A highly accurate SQL grammar-based engine monitors unauthorized SQL traffic before it reaches the database.  Audit records from on-premises and cloud databases are collected for centralized management and provide monitoring, reporting, and alerting of anomalous activity across databases.  AVDF helps reduce the costs of regulatory compliance while giving administrators enhanced visibility into their IT operations. AVDF 12.2 BP9 is a mandatory prerequisite for upgrading to next year’s AVDF 19.1 release. Existing AVDF installations must upgrade to at least 12.2 BP9 prior to performing the AVDF 19.1 upgrade. AVDF 12.2 BP9 establishes a new minimum security baseline for Audit Vault and Database Firewall.  We’ve not only changed the default inter-component communications protocol to TLS 1.2, we’ve also desupported older java versions, requiring that Audit Vault agents now use Java 8 in preparation for the upgrade to Java 11 support next year. A complete list of the features and capabilities of this release, along with detailed installation instructions, are available in the patch release notes. To learn more about Audit Vault and Database Firewall, check out our AVDF Product Page on the Oracle Technology Network (OTN). Get the latest details on installing BP9, including how to install the pre-upgrade agent patch, with MOS note 2457374.1 - Details for Applying The Mandatory BP9 Pre-upgrade Patch. You should also review MOS note 15363801.1 - Oracle Audit Vault and Database Firewall Platform Support - this note includes instructions on upgrading the AVDF agent's Java version to Java 8. Learn more about Oracle Database Security Solutions Download Audit Vault and Database Firewall Release 12.2 Bundle Patch Nine now!  Visit My Oracle Support and search for patch 28188074.

We're happy to announce the availability of Audit Vault and Database Firewall (AVDF) Release 12.2 Bundle Patch Nine (BP9). AVDF 12.2 BP9 enhances security and gives our customers greater control in...

Going into OpenWorld 2018 I am reminded how I have often cited the great data migration as “Elvis has Left the Building”, while my colleague Brian Jensen, from KPMG has often called it “The King has Left the Castle”.  Either way, the point is this.  Organizations often get to a point where they realize that their data is now outside their control.  How they respond to this risk and threat is what ensures organizational success or failure. A significant step in preparedness is awareness in the risks and threats, which is what Brian and I have done in the development of a groundbreaking report called The Oracle and KPMG Cloud Threat Report 2018.  This report is based on a detailed survey of 450 global security practitioners who are focused on cloud security and driving the security requirements around cloud initiatives. Oracle and KPMG have collected the key challenges that these respondents are dealing with and using the combined research from both of Oracle and KPMG’s collective cyber research organizations to provide advance analysis around these challenges.  We then provide a best practice approach to preparing the organization for these lift and shift projects to ensure success. It is inevitable that Elvis is going to leave the building, and that the king will leave the castle, but it’s also possible to do this in a secure and a risk averse manner with proper controls in depth.  Download the 2018 report to learn better how to prepare your organization today. If you are attending Oracle OpenWorld 2018 this year, we encourage you to join us as we present the key findings of this highly successful report on Monday at our session “The State of Cloud Security: Keeping Pace at Scale”.   You can also follow me on Twitter @GregJensen10 for more information about the IDC Periscope interview on Monday October 22nd live from OpenWorld that I will share more information on later this week. #OOW18

Going into OpenWorld 2018 I am reminded how I have often cited the great data migration as “Elvis has Left the Building”, while my colleague Brian Jensen, from KPMG has often called it “The King has...

We’re all guilty of thinking myopically at times. It’s easy to get caught up thinking about the objects in our foreground and to lose our sense of depth. We forget about the environment and the context and we focus too narrowly on some singular subject. It’s not always a bad thing. Often, we need to focus very specifically to take on challenges that would otherwise be too big to address. For example, security professionals spend a lot of time thinking about specific attack vectors (or security product categories). And each one perhaps necessarily requires a deep level of focus and expertise. I’m not arguing against that. But I’d like to suggest that someone on the team should expand their focus to think about the broader environment in which cyberattacks and security breaches take place. When you do, I suspect that you’ll find that there are data points from outside of the typical security realm that, if leveraged correctly, will dramatically improve your ability to respond to threats within that realm. I posted recently about the importance of convergence (of security functionality). I noted that “Security solutions are evolving toward cloud, toward built-in intelligence via Machine Learning, and toward unified, integrated-by-design platforms.” I went on to suggest that forward-looking security platforms are autonomous and operate with minimal human intervention. I believe that’s where we’re heading. But to better enable machine learning and autonomous security, we need to feed as much relevant data as possible into the system. We need to feed the machine from an expanding trough of data. And with Internet scale as an enabler, we shouldn’t limit our security data to what has traditionally been in-scope for security discussions. As an example, I’m going to talk about how understanding Application Topology (and feeding that knowledge into the security trough) can help reduce risk and improve your security posture. What is Application Topology? As you likely know, modern applications are typically architected into logical layers or tiers. With web and mobile applications, we’ve traditionally seen a presentation layer, an application or middleware tier, and a backend data tier. With serverless compute and cloud microservice architectures, an application’s workload may be even more widely distributed. It’s even common to see core application functions being outsourced to third parties via the use of APIs and open standards. Application Topology understands all the various parts of an application and how they’re interrelated. Understanding the App Topology means that you can track and correlate activity across components that may reside in several different clouds. How does Application Topology impact security? Consider an application that serves a package delivery service. It has web, mobile, and API interfaces that serve business line owners, delivery drivers, corporate accounts, and consumer customers. It’s core application logic runs on one popular cloud platform while the data storage backend runs on another. The application leverages an identity cloud service using several authentication techniques for the several audiences. It calls out to a third-party service that feeds traffic & weather information and interacts with other internal applications and databases that provide data points such as current pricing based on regional gas prices, capacity planning, and more. Think about what it means to secure an application like this. Many popular security tools focus only on one layer or one component. A tool may scan the web application or the mobile app but probably not both. An app like this might have a few different security products that focus on securing APIs and a few others that focus on securing databases. Even if all components feed their security events into a common stream, there’s not likely a unified view of the risk posture for the application as a whole. None of the security tools are likely to understand the full application topology. If the app owner asked for a security report for the entire application, would you be able to provide it? How many different security products would you need to leverage? Would you be able to quantify the impact of a single security configuration issue on the application as a whole? If a security solution fully understands the application topology and incorporates that knowledge, here are a few of the benefits: You can generate a holistic report on the application to the app owner that covers all components whether on-premises, in the cloud, or via third-parties. You can monitor user activity at one tier and understand how that impacts your risk posture across other tiers. You can monitor for security configuration changes at all components via a unified service and automatically adjust risk scores accordingly. In other words, a deep understanding of the IT infrastructure underneath the application yields a more robust understanding of security issues and an increased ability to respond quickly and automatically. Summary Challenge yourself to expand the scope of which data points might be useful for improving security. Are security appliance event logs and threat feeds enough? As we enter an era dominated by AI and Machine Learning, we need to add as much high-value data as possible into the security trough. ML performs better as it incorporates more information. And as Larry Ellison famously said, the threats are becoming increasingly more sophisticated. “It can't be our people versus their computers. We're going to lose that war. It's got to be our computers versus their computers.” We must rely on Machine Learning and we have to feed it with as much intelligence from as many sources as possible. Oracle Cloud Security solutions are built on Oracle Management Cloud (OMC) so they fully understand the application topology, application performance metrics, and configuration. Oracle’s built-in Machine Learning leverages this data to make better security decisions and to remediate issues through OMC’s Orchestration service. Learn more about how Oracle helps customers modernize their security solutions with Machine Learning adaptive intelligence at Oracle OpenWorld this month!  

We’re all guilty of thinking myopically at times. It’s easy to get caught up thinking about the objects in our foreground and to lose our sense of depth. We forget about the environment and...

Software vendors like to throw around industry buzzwords like artificial intelligence (AI) and machine learning (ML). But when it comes to web application security, it's important to look beyond the buzzwords and realize that AI and ML are really all about automating the response to incoming cyberthreats, according to Laurent Gil, Security Product Strategy Architect at Oracle Dyn.  That's one of the messages Gil will deliver during an Oracle OpenWorld 2018 session,  Introducing an Intelligent Approach to Beating Cybersecurity Threats. Gil will lead the session along with Rodrigo Balan, Director of IT operations at IdentityMind, a regulatory technology company that uses AI as part of its web application security strategy, and Terence Chong, principal product manager at Oracle Dyn.  In this Q&A, Gil—the co-founder of security company Zenedge, which was acquired by Oracle in March—previews the Oracle OpenWorld 2018 session and shares his insights on the effects that AI and ML are having in the IT security market.   Why is it important for today's businesses to incorporate AI and ML as part of their web application security strategies?   Laurent Gil: It's not really that they need AI or ML. The point is they need to use tools that are truly automated. The traditional way of doing web application security is to set up some rules to test the validity of incoming traffic. These rules are very rigid and sometimes create a lot of false positives. While false positives are to be expected, they may generate so many alerts that administrators stop looking at them. If you stop looking at them, the hackers have won.   What AI, ML, and related techniques do is allow you to automate the response to security events as much as possible, so you don't even need to look at them. Instead, you trust the machine to block incoming traffic when necessary, and you only need to look at true anomalies or corner cases.   How do AI and ML ensure an automated response to incoming web application security threats?  Gil: ML technologies examine similarities found in different types of web traffic. They collect all sorts of information that taken together allow for the classifier to decide which traffic is valid and which traffic may be a threat. The techniques we use must also have a very strong feedback loop, so the platform becomes better as you are using it. Once you identify the corner cases, for example, you should not need to identify any more. The machine will then know what to do. That's the goal that we all have in the industry.   What are the major types of web application security threats that businesses need to guard against today?  Gil: You can classify these into two categories. The first category is what I call background noise. This means that there is a small percentage of traffic that is poking around your applications to see if there are any weaknesses due to, for example, a patch that you forgot to install. So, the background noise is there to automatically identify vulnerabilities. If a vulnerability is found, the hackers will launch the real attack—one that can severely damage the application.  The second type of attack is the tough one. This is when hackers have identified the vulnerability and they are going to exploit it. Sometimes the vulnerability is that you are not able to identify bot traffic. If they see this, they will program bots to attack and steal information, crawl your site, and wreak havoc.  Organizations need tools to defend against both types of attack. They need to block the background noise as much as possible, so the bad guys will see that they are fully protected. And they need to be ready to defend against the second attack, which is a greater challenge because, by definition, the bad guys already know what to do.   Why did you invite Rodrigo Balan from IdentityMind to join your discussion?  Gil: IdentityMind is a great example of the right way to do web application security. Like many companies, they have their own data center. But they wanted to move their software as a service (SaaS) application to the cloud. They looked at Amazon Web Services, Microsoft Azure, and other cloud providers and ultimately chose Oracle Cloud Infrastructure. They selected Oracle in part because we are able to provide tools that de-risk the move to the cloud. We started by installing our Web Application Firewall (WAF) on their on-premises applications. This eliminated the web app security concerns related to migrating to the cloud. Using our WAF, their SaaS application was secure before the migration, during the migration, and after the migration. In other words, Oracle WAF enabled them to peacefully lift and shift their application to the cloud. What advice do you have for companies that want to start down the road to securing web applications with AI and ML?  Gil: First, don't trust your vendor (laughs). By that I mean, do not select a software company because it uses words like 'machine learning' and 'artificial intelligence.' Instead, do an actual proof of concept (POC), because that's the only way to find out what works and what doesn't. The second thing is that you shouldn't focus on AI or ML. Focus on automation. Verify that the tool uses automated systems for detection and mitigation and enables you to reduce the number of false positives. You can verify all of this when you do the POC.      

Software vendors like to throw around industry buzzwords like artificial intelligence (AI) and machine learning (ML). But when it comes to web application security, it's important to look beyond the...

All my customer demo databases always have Database Vault configured and enabled, and that fact requires a few extra gymnastics when patching, especially in 12.1.0.2 with root container and PDBs. If Database Vault is selected during DB installation of a multi-tenant (MTA) database via DBCA (Database Configuration Assistant), you are prompted to create two common users, let's call them C##SEC_ADMIN_OWEN (this user will be the Database Vault 'Owner'), and C##ACCTS_ADMIN_ACE, the DBVault Account Manager; the Oracle Installer will grant the common roles DV_OWNER and DV_ACCT_MNGR to them, but the grant command is executed without the 'CONTAINER = ALL' clause, which means C##SEC_ADMIN_OWEN and C##ACCTS_ADMIN_ACE exist in all present and future PDBs, but their DBVault specific roles are only granted to them in the root container. First, confirm that Database Vault is correctly setup; run this in the root container and all PDBs: SQL> select * from dba_ols_status order by 2 desc; NAME                  STATUS  DESCRIPTION --------------------- ------- -------------------------------------- OLS_CONFIGURE_STATUS  TRUE    Determines if OLS is configured OLS_ENABLE_STATUS     TRUE    Determines if OLS is enabled OLS_DIRECTORY_STATUS  FALSE   Determines if OID is enabled with OLS Only the OLS_CONFIGURE_STATUS and OLS_ENABLE_STATUS rows need to be TRUE. The fact that OLS policies can be stored in Oracle Internet Directory is irrelevant in the context of DBVault. SQL> select * from dba_dv_status; NAME                      STATUS ------------------------- ------- DV_CONFIGURE_STATUS       TRUE DV_ENABLE_STATUS          TRUE Most likely you see TRUE in the root container, and FALSE in the PDBs.  If this is the case, execute the following in all PDBs: SQL> EXEC LBACSYS.CONFIGURE_OLS; SQL> EXEC LBACSYS.OLS_ENFORCEMENT.ENABLE_OLS; That turns on Oracle Label Security in so far as it is used by Oracle Database Vault internally. Confirm with: SQL> select * from dba_ols_status order by 2 desc; Then, turn on Database Vault; execute in all PDBs: SQL> GRANT CREATE SESSION, SET CONTAINER TO C##SEC_ADMIN_ROOT, C##ACCTS_ADMIN_ROOT CONTAINER = CURRENT; SQL> exec dvsys.configure_dv('C##SEC_ADMIN_ROOT', 'C##ACCTS_ADMIN_ROOT'); SQL> @?/rdbms/admin/utlrp.sql C##SEC_ADMIN_ROOT> EXEC DBMS_MACADM.ENABLE_DV; Confirm with: SQL> select * from dba_dv_status; For patching, we don't need to turn off, or disable, Database Vault anymore; instead, the DV Owner executes: C##SEC_ADMIN_OWEN:CDB$ROOT> grant DV_PATCH_ADMIN to SYS container = ALL; That would allow the changed SQL to be applied to the root container and all open PDBs. But, DV Owner doesn't have the proper privilege as I explained earlier. To confirm in the root container: SYS:CDB$ROOT> SELECT granted_role, username FROM USER_ROLE_PRIVS where granted_role like '%PATCH%'; GRANTED_ROLE    USERNAME --------------- --------- DV_PATCH_ADMIN  SYS Confirm in the PDBs: SYS:FINPDB> SELECT granted_role, username FROM USER_ROLE_PRIVS where granted_role like '%PATCH%'; no rows selected C##SEC_ADMIN_OWEN:FINPDB> grant DV_PATCH_ADMIN to sys container = current; You would need to execute that step in all PDBs across the container.  Of course the 'container = current' part of the command is not needed as this is the default when executed in a PDB, I added it here for clarity. Confirm: SYS:FINPDB> SELECT granted_role, username FROM USER_ROLE_PRIVS where granted_role like '%PATCH%'; GRANTED_ROLE    USERNAME --------------- --------- DV_PATCH_ADMIN  SYS Voilà, now you can run 'opatchauto' or 'datapatch' and the changed SQL will be applied to root container and all open PDBs. After successful patching, you would revoke the granted patching privilege from SYS (execute in root container and all PDBs): C##SEC_ADMIN_OWEN:CDB$ROOT> revoke DV_PATCH_ADMIN from sys container = current; C##SEC_ADMIN_OWEN:FINPDB> revoke DV_PATCH_ADMIN from sys [container = current]; But there is more ... you want to audit what SYS is doing with that new privilege; is it only used for patching, or will that user do something else while s/he has the extra powers? Find out with: C##SEC_ADMIN_OWEN:CDB$ROOT> EXEC DBMS_MACADM.ENABLE_DV_PATCH_ADMIN_AUDIT; in the root container and C##SEC_ADMIN_OWEN:FINPDB> EXEC DBMS_MACADM.ENABLE_DV_PATCH_ADMIN_AUDIT; in all PDBs. The audit events are written to dvsys.audit_trail$. When you are done patching, you can turn auditing off, but I would leave it running for the next patch cycle. Happy patching, Peter

All my customer demo databases always have Database Vault configured and enabled, and that fact requires a few extra gymnastics when patching, especially in 12.1.0.2 with root container and PDBs. If...

It’s no secret that cloud adoption is growing—and at an incredible rate. This year’s Oracle and KPMG Cloud Threat Report survey showed that 87% of responding organizations now have cloud-first orientations. Organizations, initially concerned about a lack of security in the cloud, have clearly decided that cloud benefits outweigh the risks—at least for some parts of their businesses. But, like any transformational change, cloud adoption also comes with its own unique set of challenges, especially when it comes to security. The dirty secret is that cloud adoption has led to the creation of a multidimensional data center, where new technologies run alongside traditional solutions. And all of it is managed and secured using islands of disconnected tools and process—at least for now. The unintended consequence is that security teams have a metaphorical hand tied behind their back when it comes to detecting and responding to security incidents in their cloud environments. In fact, it was the most frequently mentioned concern by far, cited by 38% of respondents to our survey. The root of this problem lies in the fundamental difference between securing on-premises infrastructure and cloud services. But one of the key issues is that these disparate and still expanding number of systems have buried security teams in a landslide of telemetry data. Only 37% of survey respondents said that they can analyze a modest sample of their data (defined as 25% to 49%), and another 14% report they can only analyze small samples of their data (less than 25%). Not only is the amount of data a problem, but to really understand what’s coming in, security teams have to be able to see the correlations between different data points. Unfortunately, the average cybersecurity professional has their attention split between about 46 different security products, making it hard to focus on any one thing for too long. It’s as if we buried our security teams in that landslide of data, handed them spoons, and told them to dig themselves out before they’re crushed. It’s just not humanly possible. Cybercriminals figured out the answer to this problem a while back. It used to be that if you logged on to an unsecure Wi-Fi connection, some nefarious character could be hanging out there and start probing your system within a few minutes. It was a manual process. Today, it’s automatic. You connect to the network, and the automated systems are at your machine immediately. What cybercriminals figured out—and what we have to learn—is that automated systems are much better at handling volume than humans. So, what we need to do is equip our security teams with the same basic technologies that the criminals already have. Security teams are already using machine learning to find zero-day threats. Now, teams can use that same technology to automate the analysis of all that security event data. It used to be that IT and security professionals were uncomfortable with handing such an important task over to automated tools. Now, it’s a necessity. In fact, more than a third of survey respondents said their organizations are actively investing in automated solutions. And almost another half are considering it. With automation, security teams can go from distraction to being better able to hone in on the issues that matter most and get on a more level playing field with cybercriminals. For more information on this topic, join us for our webcast: Enabling a Secure SaaS Experience  – Register Here.

It’s no secret that cloud adoption is growing—and at an incredible rate. This year’s Oracle and KPMG Cloud Threat Reportsurvey showed that 87% of responding organizations now have cloud-first...

Roughly half of the traffic on the internet now is bot traffic: Bits of code created for tasks both good and not-so-good. Bots index content for search engines, making it easier for customers to find your business. But bots can also exploit vulnerabilities, expose data, shut down entire websites, or even steal your intellectual property.   Bot management and mitigation are both crucial parts of modern website security. Bot attacks can be as subtle as activity that mirrors what humans do on your site, or as blatant as a swarm of bots that takes your entire site offline.  Oracle Cloud Infrastructure architect Laurent Gil is a pioneer in bot management. Gil co-founded Zenedge, a cybersecurity company focused on WAF and DDoS protection with an advanced bot solution. Zenedge was acquired by Oracle this year.   We sat down with Gil for a wide-ranging Q&A that covers the essentials of bot management.   Oracle Dyn:   How would you define bot management, in simple terms?   Laurent:  Bot management is a feature of an application security platform that is trying to identify whether the requests that come into a website or to a mobile application are coming from a human or from a machine. That’s the simple definition.   Now, there are some machines that are fine, like Google’s bots. You obviously want Google bots to go and access every one of your pages. But you don’t want other bots — malicious bots or unknown bots — trying to access your site. Your site is supposed to be designed for humans.  Our task is to classify incoming requests into the human bucket or the good bot bucket. And anything that is not a good bot would be classified as a malicious bot or unknown. In our world, unknown is the same as malicious. You can’t afford to assume something unknown has good intent.   Now when it is a good bot, or a human, it doesn’t mean that there is no attack payload inside this request. That is what a web application firewall (WAF) would look for. So, this is the reason why a bot management layer of application security must be part of a bigger platform that will vet every request that comes in.    Oracle Dyn:   What are the different types of bot attacks we should be aware of and prepared for?  Laurent:  There are four major types of attack we have to deal with:  #1: Finding and Exploiting Vulnerability  First, it’s important to realize that any site or any application that creates a website is vulnerable. They have lots of exposed surface area, lots of vulnerabilities. There have been patches for these vulnerabilities and there are decades of patching available. But every so often, a person may forget to patch one part of their site.   This is the first type of attack. It’s scanning of applications looking for vulnerabilities, almost like a background noise that you can see on the internet, where hackers are consistently poking every site to see if they forgot to patch.   This background noise is all run by machines. So, there is a small percentage of traffic on the internet today that is run by botnets, and this traffic’s only objective is to poke every site for vulnerabilities.  A bot manager will identify this request and will prevent it from going to the web server. But the bot manager will also tell the sender of this request that the page was not found. So, we are sending two messages there: We are preventing any of this poking from reaching the web servers of our customers, and we are also misleading the hacker by having them believe that these pages do not exist.   #2: Traditional Layer 3 and 4 Volumetric DDoS Attacks  The second type of bot traffic we see is what we call DDoS (distributed denial of service) attacks. The traditional DDoS is what you may hear in the news, which are these very large -- hundreds of gigabits per second — surges of traffic to a host or web server. Traditionally, there is a large industry of DDoS vendors that would mitigate a DDoS attack. We call these attacks the Layer 3 and Layer 4 volumetric attack.  These are pure network attacks. They are sending garbage traffic to an IP or to a data center and they hope that the garbage traffic is so big that it will fill up the internet pipe of that data center. And therefore, all the legitimate traffic has little space to come in. They are not trying to do a data breach. They are just trying to keep users from accessing the asset.  Such an attack can focus on web servers, email servers, databases, even an entire data center. A few years ago, there was a data center in Northern Europe that went offline. The whole data center became offline just because there was one gaming company using this data center that had a DDoS attack so large, it was bigger than the size of the internet pipe of the entire data center. And so, half of a country went down because of this.   It is now rare that hackers are successful, unless the attack is really, really large. There are a number of DDoS providers that are able to mitigate using cloud-based techniques where you have almost limitless capability to divert and clean this traffic.   #3: Application Layer DDoS Attack  The other type of DDoS attack is much harder to catch and much more difficult to guard against. It’s what we call the Application Layer DDoS attack. This is an attack directly on a website. I’ll give you an example: Imagine you go to a website’s search bar and make a search. The issue is, almost every search is unique based on the phrase that you are typing, based on the keywords you’re looking for. So, the results won’t be in the cache; they must come from the server.  Hackers use bots to input keywords that have nothing to do with one another. They could put the entire dictionary into that field, one word at a time. The immediate impact is they utilize all the web server resources. The web server is busy trying to process all the malicious requests and becomes unavailable to the legitimate user.  These attacks are much harder to identify, because they’re using the same interface that a human would. This is where bot management is crucial. By using sophisticated techniques to identify whether the user is a bot or a human, we can divert and block all this garbage bot traffic and stop it before it reaches the web server.  #4: Fraudulent Site Activity  The fourth use of bots that a manager must detect and mitigate, one that is almost criminal in nature, is also very, very hard to catch and to protect against: it’s the simulation of a human transaction.   For example: we had a client, an airline, that was under a bot attack. It is an airline in Asia, and suddenly they started to see a lot of tickets being booked from China. They knew it’s from China because of the incoming IP address. So, more tickets were being booked from China than usual, but almost all of these tickets were cancelled within 24 hours of the acquisition.    You see, a lot of airlines allow for a full refund within 24 hours. So, these bots would simulate human traffic: They would go on the site, select the city fare, as well as the class of travel, put a real credit card number, buy the ticket. The next day, the same bot will come to the site and cancel the reservation and request for a full refund. They were using real credit card numbers, they were behaving as humans behave by selecting the city and buying the ticket. This is a criminal utilization and fraud. We have now seen similar behaviors from bots that would stop short of entering a credit card number, but that would create a temporary reservation, usually for a few minutes.  We suspect that some other airline was paying hackers in China to do this. You see, as the bot buys tickets, the plane gets full. And the airline site sees the rise in demand and adjusts prices; the remaining seats become more expensive. As they become more expensive, the competition is able to sell tickets to the same city for cheaper. The tickets will be canceled the next day, and our customer would have lost business because the actual humans would have bought a plane ticket on a cheaper airline.  So, the impact there is real fraud that has a direct impact on our customer’s business. Thankfully, we were able to identify some irregularities in their behavior that indicated these users were not human.   We see also bots that are doing content scraping. For example, they are going to a directory company site and copying all the content on the site. This is what the Google bot does as well, but Google does it for a good purpose. Malicious bots do it so that they can resell the content to third parties. For the directory company, the content is the value of the site. So, this is another type of criminal or fraudulent utilization of an application.  Oracle Dyn:  This goes deeper than good bots and bad bots though, right? Are there situations where you would want to identify and block a benign bot?  Laurent:   Even when the bot traffic is not malicious, there are times when a site might want to prioritize human traffic over bot traffic. Bot management helps with that as well. We have a customer that is a rental car company. This customer has good bot traffic coming to their site from travel agencies. Travel agencies just want to check prices, so they can show them to their customers, and when the customer is ready to buy, obviously, our client makes money.   Our customer wanted to prioritize human traffic. Because obviously, a human coming in to rent a car has direct impact versus just a travel agent that is just looking for pricing from other rental agencies as well. So here, the idea is “we are fine with traffic from bots, but we want human traffic to be first”. And, if the web server is still available, then we will serve the bot traffic.    It’s a two-part process. First the bot management software identifies which traffic is from bots, then it can take an action based on what the traffic is trying to do and what you want it to be allowed to do.    Oracle Dyn: In broad terms, how does bot management software classify traffic?  Laurent:  Well, there are a few different levels of sophistication for identifying bots versus humans. The simplest technique is linked to the type of browser the end-user is using. When a person is using a browser such as Safari, Chrome, or Edge, we know that browser has a JavaScript engine and other specific features that are necessary for almost any application today.   If the end-user browser doesn’t have a JavaScript engine and the likes, then there is an almost certainty that the end-user is a bot. So, some of the techniques we use to prevent or to identify bots are just based on the type of devices and features that you have and the capability of that machine.   This bot mitigation techniques are very efficient because it’s expensive for hackers to simulate a full internet browser. Especially when they launch a DDoS attack, because it’s relatively expensive to run full internet browser simulations inside of a botnet. However, though it’s expensive, it’s not impossible. So, we needed to evolve.  The second generation of bot management is much more sophisticated. We analyze the behavior of the user, and based on its behavior, we can identify whether the user is human or not human.   The third generation uses even more sophisticated machine learning techniques towards an artificial intelligence engine that is making this classification. And this is where we are today with some of our most sophisticated customers. And a lot of these are actually custom made for a particular customer. That’s why they are very high end. We do use some machine learning techniques for the second generation to look at the behavior analysis. But some of our most sophisticated customers use a platform that is being trained to recognize the bot based on their specific application.  Oracle Dyn:   How can businesses get started with bot management? What’s the first step?  Laurent:  Business should look for a good bot management vendor. Very often, we start with proof of concepts with our customers. During POCs, we typically show all the bots that are identified by the platform. Sometimes, it is a bit of a surprise, and clients see for the very first time that their sites and mobile apps get quite a lot of weird bot traffic.   So, it is almost like you try it, before you buy it, but try it with the full extent and full power of the platform, which sometimes provides very interesting results. A lot of the time customers are not aware of what is happening to their applications and so having visibility into it is an eye opener to these clients. I mean, you’ll be surprised at the things we find. For example, this poking that I was talking about before, this background noise, sometimes customers are not even aware that this is happening.   This is something people can’t do soon enough. 

Roughly half of the traffic on the internet now is bot traffic: Bits of code created for tasks both good and not-so-good. Bots index content for search engines, making it easier for customers to find...