The RSA Conference and the Cloud

Organizations are moving their workloads to the cloud and perhaps it’s appropriate that in 2021 the #RSAC has moved to the cloud. After many years of the annual security gathering in San Francisco (and San Jose long ago), this year the gathering is virtual.

At Oracle, the security team has been busy in the last year. We expanded our cloud security services portfolio to help our customers protect their data and operate workloads securely in the cloud. We have built security in at all layers, enabled it by default, and pursued automation to remove complexity and make security easier.

From product innovations in data security, identity management, and infrastructure security to cloud security research, there’s a lot to catch up on. The great news is that the virtual #RSAC allows you to experience all of these via Oracle speaker sessions (@fredkost, @jkonstantas, @RussLowenthal, @MrDBCross, Jeppe Larsen, @BG_Chandran, Frederick Bosco and Hiran Patel from @Accenture), demos, and dedicated conversations with Oracle security geeks. If you don’t already have one, grab a digital expo pass on using pass code 54SORCLDE accessed through the #RSAC registration link.

Here are some key Oracle security highlights since we last gathered at Moscone for #RSAC:

Oracle Cloud Infrastructure Security
We added many new Oracle Cloud Infrastructure Security services, notably the launch of our newest cloud security posture management (CSPM) services, Oracle Cloud Guard and Maximum Security Zones. The new services came as organizations are moving more business-critical workloads to the cloud and wrestling with cloud misconfigurations. Cloud users and admins are expected to understand how cloud security services work, configure them correctly, and securely maintain them. Oracle Maximum Security Zones and Oracle Cloud Guard embed security expertise and best practices into the Oracle public cloud, accelerating customers’ ability to build and operate their cloud estate securely. 

• “Security has been a critical design consideration across Oracle Cloud for years. We believe security should be foundational and built in, and customers shouldn’t be forced to make tradeoffs between security and cost,” said Clay Magouyrk, executive vice president, Oracle Cloud Infrastructure. “With Oracle Cloud Guard and Oracle Maximum Security Zones’ security automation and embedded expertise, customers can feel confident running their business-critical workloads on Oracle Cloud.” 
• KuppingerCole reviewed Cloud Guard and found that the service “strongly matches their recommended functionality for Cloud Security Posture Management (CSPM) within Oracle Cloud Infrastructure.” Get the report: KuppingerCole executive view: Oracle Cloud Guard.

Oracle Identity and Access Management
Oracle continues to innovate in Identity and Access Management (IAM). Oracle has long been a leader in IAM. Our IAM portfolio is designed to support the needs of each organization regardless of deployment requirements. Modernize enterprise IAM with our cloud-native IDaaS solution, Identity Cloud Service (IDCS) or learn more about moving Oracle IAM to OCI with resources from the IAM Upgrade Factory we launched this year. There have been a number of exciting innovations this year. The new capabilities and microservices outlined below are designed to simplify the way organizations approach common challenges, help address their security and compliance goals, and improve user experience:

• FIDO2 Web Authentication: We announced the general availability of FIDO2 Web Authentication for IDCS. Websites and applications that are protected by Oracle can enable their users to authenticate with FIDO2 authenticators for multi-factor authentication (MFA) as well as passwordless authentication. Oracle supports passwordless authentication through our mobile authenticator app, but this announcement provides more flexibility for users to authenticate through their mobile device face or fingerprint biometrics or hardware-based FIDO2 authenticators like YubiKeys from Yubico.
• Oracle Radius Agent is an application layer user authentication and authorization service that leverages the industry standard RADIUS (Remote Authentication Dial-In User Service) protocol. Radius Agent acts as an intermediary between client applications that require services and one or more authentication providers. Application clients can vary from VPN servers, Linux servers using SSH, Oracle Database, or any RADIUS based client application.
• Oracle Advanced Authentication integrates with various applications to modernize and strengthen the authentication process and establish the identity of users accessing applications. Oracle Advanced Authentication provides flexibility to administrators to define assurance levels and polices and offers intuitive self-service capabilities for users. Oracle Radius Agent supports multi-factor authentication when used in conjunction with Oracle Advanced Authentication.
• Oracle Identity Role Intelligence helps enterprises optimize role-based access control (RBAC) and reduce the cost and time spent to address IAM compliance requirements. This microservice is an extension of OIG and helps reduce the manual processes of building roles, deciphering entitlement data, and addresses the lack of tooling for what if analysis.

Oracle IAM aims to meet customers where they are today, providing the flexibility and customization to meet the needs of their organization and to support them as they progress in their cloud IAM journey.

Oracle Database Security
Oracle Data Safe has delivered essential security services for Oracle Databases running in the cloud like Oracle Autonomous Database since September 2019. Since that time, Oracle extended Data Safe to support on-premises Oracle Database, Cloud@Customer, and even multi-cloud deployments. Now, all Oracle Database customers can reduce the risk of a data breach and simplify compliance by using Data Safe to assess configuration and user risks, monitor and audit user activity, and discover, classify, and mask sensitive data. Both analysts and customers have noticed how Data Safe immediately secures their Oracle Databases without requiring special security expertise.

• Oracle Data Safe builds on Oracle’s established industry leadership in database security. For the third year in a row, KuppingerCole rated Oracle as the unequivocal leader in Database and Big Data Security. Get the report: Database and Big Data Security: KuppingerCole Leadership Compass.
• An IDC Technology Spotlight, sponsored by Oracle, Data Intelligence: Safely Protecting Cloud and On-Premises Databases highlights how “Oracle Data Safe offers a metadata and metrics-driven approach to securing data in a database, protecting not only the database but also the people, places, and artifacts that are represented in the data.”
• An executive report by Alexei Balaganski of KuppingerCole stated that “…Data Safe can be recommended as an essential security service to every Oracle DBA without further reservations.” Get the report: KuppingerCole Executive View: Oracle Data Safe.

Take a self-driven tour of Data Safe, or dive right in with Oracle LiveLabs. You can also try Data Safe with your own databases with the Oracle Cloud Free Tier 30-day free trial.

Additional database security innovations over the past year include much more than just Data Safe. Oracle debuted new releases of Oracle Audit Vault and Database Firewall and Oracle Key Vault, and even a new Oracle Database release – all with so many new features and capabilities that this blog would become a book if we were to talk about them all!

Security Industry Research
Oracle released the 2020 Oracle and KPMG Cloud Threat Report. The report highlights the key challenges and opportunities organizations face as they move workloads to the cloud. Individual ‘deep-dive’ companion reports showcase shared responsibility, application security, data protection, and CISO priorities. Some key findings include:

• IT professionals are 3X more concerned about the security of company financials and intellectual property than their own home security
• 78 percent of organizations use more than 50 discrete cybersecurity solutions to address security issues: 37 percent use more than 100 cybersecurity solutions
• Only 8 percent of IT security executives state that they fully understand the shared responsibility model of cloud computing

In lieu of face-to-face meetings at Moscone, W Hotel, or Thirsty Bear, we invite you to stop by and visit Oracle at the virtual #RSAC next week to learn more about Oracle security. If you need a digital expo pass, get one using code 54SORCLDE in the RSA Conference registration link.