An Interview with Juan Pablo Perez-Etchegoyen, Chief Technology Officer, Onapsis
Sponsored Content, July/August 2018
Oracle E-Business Suite (EBS) applications are considered critical to the operations of many of the largest global companies. In fact, 60 percent of respondents to a recent Ponemon Institute study said the impact of information theft, modification of data and disruption of business processes on their company’s Oracle EBS applications would be either catastrophic (16 percent) or very serious (44 percent), resulting in an average cost of $5 million. The frequency and sophistication of cybersecurity threats is expected to significantly increase, making the protection of these critical applications even more important. Organizations can no longer rely on existing approaches to secure business-critical applications. They must develop a plan to operationalize security at the application layer.
Onapsis cybersecurity solutions automate the monitoring and protection of business-critical applications, keeping them compliant and safe from insider and outsider threats. Last September, Onapsis extended the Onapsis Security Platform to provide support for Oracle EBS applications. The new functionality enables organizations using Oracle EBS to manage the security and compliance of these critical, yet complex, applications within a constantly shifting threat landscape. The Onapsis Security Platform combines a behavioral-based and context-aware approach to help organizations better protect their business-critical applications, whether they are on-premises or in hybrid or public cloud environments.
Q: Why was Onapsis founded? What problem were you trying to solve?
A: We launched the company in 2009 after we recognized an industry-wide problem: organizations were investing heavily in infrastructure security, but not in securing the technology layer to ensure their mission-critical applications were properly protected. Onapsis was created to work closely with Oracle and SAP customers to provide a security platform to help organizations protect their applications from cybersecurity attacks.
Q: What are some common myths regarding Oracle E-Business Suite security and why are they important for organizations to be aware of?
A: Many organizations rely on segregation of duties; governance, risk and compliance (GRC); or database security approaches to protect their Oracle EBS implementations, but they don’t deal with the technology components and security in those applications. Companies need to purposefully analyze how they are implementing those applications, how they are maintaining them, and how they are securing the technology layer. They need to do more.
Many companies believe that when they upgrade to the latest version of Oracle EBS, it will improve their security posture. That’s true, but many companies upgrade only once a year or every other year, so it’s not a bulletproof approach. You still need to manage risks, install patches, review your security approach, and reduce the attack surface. The new version of the Onapsis Security Platform allows organizations to bridge a critical gap in their current processes and the ways they secure the applications they rely on to run their businesses.
Q: Tell us about the vulnerabilities that exist within Oracle E-Business Suite?
A: Our research team, the Onapsis Research Labs, has found over 200 Vulnerabilities in Oracle EBS over the last two years. Oracle EBS is a complex product with multiple protocols, components, and scenarios. Each component could have its own vulnerabilities and those vulnerabilities need to be holistically managed. That means patching, implementing security configurations, securing the interfaces, managing critical users and authorizations, performing an attack surface reduction, and more. Due to their potential exposure to untrusted networks, web-based components should be dealt with immediately, followed by components built on other technological layers.
Business data and supporting business processes are the most critical assets in many organizations and they must be protected. An Oracle EBS outage is considered by some organizations as a catastrophic event, potentially putting them out of business. Based on the existing threat landscape, it’s no longer enough to deliver basic security. Organizations need to provide holistic security to secure the most critical assets in the organization. We work with Oracle to deliver a platform that provides security against cybersecurity attacks. Onapsis and Oracle both want Oracle products to be secure.
We work with Oracle to deliver a platform that provides security against cybersecurity attacks. Onapsis and Oracle both want Oracle products to be secure.”–Juan Pablo Perez-Etchegoyen, Chief Technology Officer, Onapsis
Q: Why is it critical to have the level of security that Onapsis provides to secure Oracle E-Business Suite?
A: The Onapsis context-aware solutions deliver vulnerability and compliance controls to reduce risks affecting critical business processes and data. Through open interfaces, the platform can be integrated with leading security information and event management, and GRC and network security products, seamlessly incorporating enterprise applications into existing vulnerability, risk, and incident response management programs.
Q: What is the importance of patch management and continuous monitoring for Oracle E-Business Suite?
A: We often see organizations without the time windows or resources to install patches promptly. It’s important to invest in proper patch management and to implement governance and controls around that. If an organization can’t apply a patch right away, they need to monitor their Oracle EBS systems. They need to make sure they have visibility into what’s happening, who’s accessing what, and who’s doing what on the system. If there is a threat actor exploiting vulnerabilities, they need to deal with it immediately. Unfortunately, organizations are falling behind in monitoring activity in their systems.
Q: Why include security when moving Oracle E-Business Suite to the cloud?
A: Moving to the cloud is an opportunity for organizations to make a fresh start. It can help them avoid living with a backlog of security issues and continuously trying to catch up. We’ve calculated that it is five times less costly to implement security during digital transformation projects and/ or cloud migrations than afterwards. That’s because of change management processes, resources and the operational burden it takes to maintain and implement security after a new system is operational.
Onapsis works with customers to set up security during a cloud migration to provide the most cost-effective and secure environment. While adopting security for cloud used to be considered a roadblock, the market has evolved, and it is now viewed as an enabler.
Q: What role does the Onapsis Research Labs play in providing security for critical applications such as Oracle E-Business Suite?
A: The Onapsis Research Labs continuously provides leading intelligence on security threats affecting Oracle enterprise applications. Our research team is a key component of the security capabilities we provide to our customers. The team is made up of security experts who provide the context and understanding of the Oracle-specific security threats. The results of their research is incorporated into our products to make the products more robust. Every time a new threat is discovered, we integrate that knowledge into our platform.
Q: How are Onapsis and Oracle working together to deliver enterprise security for Oracle customers going forward?
A: The Onapsis approach involves understanding the business processes, risks, and concepts as well as the supporting technology. Good security is built on years of experience and study of business applications and it takes time to understand the best approach. We’ve been working closely with Oracle for years, reporting vulnerabilities in a number of Oracle products. After building trust through responsible disclosure and joint work, we have maintained a relationship that is beneficial for Oracle, for Onapsis, and—most importantly—for our shared customers.
For more information, visit www.onapsis.com.
Sponsored Content as Seen in Oracle Magazine July/August 2018