Oracle’s earliest customers included the US Central Intelligence Agency and the Department of Defense, organizations focused intensely on security. In more than 30 years in the enterprise software business, Oracle has refined a security strategy that starts with an engineering culture rooted in secure development practices and support processes; provides security controls throughout the Oracle enterprise technology stack; and delivers on-premises and cloud security solutions.
The Oracle Critical Patch Update (CPU) program provides customers of Oracle’s on-premises software with security updates four times a year, according to a schedule announced a year in advance. Oracle establishes the priority of its patch regimen using the Common Vulnerability Scoring System (CVSS), an international standard that characterizes and categorizes vulnerabilities on a scale of 0 to 10. “We rate our vulnerability using the standard, and we give a general description of what the vulnerability refers to,” says John Heimann, vice president of security program management, global product security, at Oracle.
Patches are quarterly and cumulative. “Everybody gets the patches at the same time,” Heimann says. “And the most recent CPU includes all the previously released patches.”
A security-driven culture is key to developing, deploying, and supporting secure technologies.
“Organizations rely heavily on security controls provided by a wide range of systems,” says John Heimann, vice president of security program management, global product security, at Oracle. “Ensuring the effectiveness of these security controls does not just magically happen. It requires that security be built into the culture of the development organization and into the development, deployment, and support lifecycle of products.”
Oracle has established various security policies and programs collectively referred to as Oracle Software Security Assurance. These policies and programs are intended to do the following:
1. Maintain organizational focus on security. Put security expertise in place at appropriate levels and in connection with specific practices for reviewing, testing, and improving security.
2. Measure compliance. Ensure that security objectives are met throughout the product lifecycle.
3. Perform ongoing assurance activities. Fix security bugs in a timely fashion and ensure that the security posture of Oracle customers is protected. (See the “Security Comes to Order” sidebar for more information.)
In terms of maintaining an organizational focus on security, for instance, Oracle maintains an “internal ethical hacking team,” whose job is to ferret out security problems, Heimann says. “The primary reason for that team is not to do security sign-off on products, but rather to find new categories of vulnerabilities that we haven’t previously thought of, identify common mistakes, and make sure those are reflected in our coding standards.”
This exhaustive approach to security is reflected in the company’s approach to offering cloud computing services. “All of Oracle’s cloud services are required to closely align with the company’s secure development lifecycle practices,” says Eric Maurice, director of security assurance at Oracle. “Our operational security oversight and review for cloud services includes the same kind of checks and the same kind of processes that we follow for on-premises product development.”
It helps that Oracle runs on Oracle. “We’re in a unique position because we own the cloud ‘supply chain,’” Maurice says. “Based on our intimate security knowledge of our products, we can ensure that all cloud services are developed and implemented as securely as possible.”
Oracle’s new SPARC M7 microprocessor introduces an engineering advance called Software in Silicon, whereby Oracle engineers have embedded software functions directly into the processor. Two Software in Silicon features deliver security at the processor level: Silicon Secured Memory and high-speed encryption.
“Silicon Secured Memory is always on—you can’t turn it off,” says Marshall Choy, vice president of systems product management at Oracle. It works like this: At the time memory is allocated to an application, it’s locked, so that only the owner can access it. If a malicious program tries to access the locked memory of a legitimate program, the malicious program is aborted. “The overread and overwrite types of attacks of the notorious Heartbleed and Venom aren’t possible against SPARC M7 Silicon Secured Memory,” Choy says.
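The tag-check idea behind that description can be modelled in software. The following C program is an added example, not Oracle's code and not a description of how the SPARC M7 implements Silicon Secured Memory: it builds a small constructed heap in which every 16-byte granule carries a 4-bit version tag (both the granule size and the tag width are assumptions chosen for illustration), each allocation receives a fresh tag, every pointer handed out carries its allocation's tag in its top bits, and every load or store is refused when the pointer tag and the granule tag disagree. The overread scenario reads 64 bytes through a pointer to a 32-byte buffer and counts how many of those reads are refused because they land in a neighbouring allocation with a different tag.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of tag-checked memory (not the real SPARC M7 mechanism). */
#define GRANULE 16              /* assumed tagging granularity, in bytes      */
#define HEAP_GRANULES 64
#define HEAP_BYTES (GRANULE * HEAP_GRANULES)
#define TAG_SHIFT 60            /* assumed: tag lives in the top 4 pointer bits */
#define TAG_MASK 0xFULL

typedef uint64_t tagged_ptr;    /* low bits: offset into heap; bits 60..63: tag */

static uint8_t heap[HEAP_BYTES];
static uint8_t granule_tag[HEAP_GRANULES]; /* 0 = unallocated granule        */
static size_t next_free;                   /* bump allocator index, in granules */
static uint8_t next_tag;

static tagged_ptr make_tagged(size_t offset, uint8_t tag) {
    return ((uint64_t)(tag & TAG_MASK) << TAG_SHIFT) | (uint64_t)offset;
}
static uint8_t ptr_tag(tagged_ptr p) { return (uint8_t)((p >> TAG_SHIFT) & TAG_MASK); }
static size_t ptr_offset(tagged_ptr p) { return (size_t)(p & ((1ULL << TAG_SHIFT) - 1)); }

/* Start from an empty heap so every scenario is deterministic. */
void tagged_heap_reset(void) {
    memset(heap, 0, sizeof heap);
    memset(granule_tag, 0, sizeof granule_tag);
    next_free = 0;
    next_tag = 1;
}

/* Allocate size bytes: every granule of the block gets a fresh tag and the
 * returned pointer carries the same tag. Returns 0 when the heap is exhausted
 * (a valid pointer is never 0 because tag 0 is never handed out). */
tagged_ptr tagged_alloc(size_t size) {
    size_t granules = (size + GRANULE - 1) / GRANULE;
    if (granules == 0 || next_free + granules > HEAP_GRANULES) return 0;
    uint8_t tag = next_tag;
    next_tag = (uint8_t)(next_tag % 15 + 1);   /* cycle through 1..15 */
    for (size_t g = 0; g < granules; g++) granule_tag[next_free + g] = tag;
    tagged_ptr p = make_tagged(next_free * GRANULE, tag);
    next_free += granules;
    return p;
}

/* The check the model performs on every access: in range and tags agree. */
static int tag_check(tagged_ptr p, size_t index, size_t *off_out) {
    size_t off = ptr_offset(p) + index;
    if (off >= HEAP_BYTES) return 0;
    if (granule_tag[off / GRANULE] != ptr_tag(p)) return 0;
    *off_out = off;
    return 1;
}

/* Checked load/store: return 1 on success, 0 when the access is refused. */
int tagged_load(tagged_ptr p, size_t index, uint8_t *out) {
    size_t off;
    if (!tag_check(p, index, &off)) return 0;
    *out = heap[off];
    return 1;
}
int tagged_store(tagged_ptr p, size_t index, uint8_t value) {
    size_t off;
    if (!tag_check(p, index, &off)) return 0;
    heap[off] = value;
    return 1;
}

/* In-bounds traffic is unaffected: write a byte through a and read it back. */
int in_bounds_roundtrip(void) {
    tagged_heap_reset();
    tagged_ptr a = tagged_alloc(32);
    uint8_t v = 0;
    return tagged_store(a, 5, 0xAB) && tagged_load(a, 5, &v) && v == 0xAB;
}

/* Overread scenario: two adjacent 32-byte allocations; read 64 bytes through
 * the first pointer and count the reads refused by the tag check. The 32 bytes
 * that belong to the neighbouring block carry a different tag, so all of them
 * are refused, and the neighbour's contents never reach the caller. */
size_t count_refused_reads(void) {
    tagged_heap_reset();
    tagged_ptr a = tagged_alloc(32);
    tagged_ptr b = tagged_alloc(32);
    for (size_t i = 0; i < 32; i++) tagged_store(b, i, (uint8_t)i);
    size_t refused = 0;
    for (size_t i = 0; i < 64; i++) {
        uint8_t byte;
        if (!tagged_load(a, i, &byte)) refused++;
    }
    return refused;
}

int main(void) {
    printf("in-bounds round trip ok: %d\n", in_bounds_roundtrip());
    printf("reads refused out of 64: %zu\n", count_refused_reads());
    return 0;
}
```

The model refuses the access rather than aborting the process, so the effect can be counted; in the hardware the text describes, the mismatch is reported to the operating system and the offending program is terminated. The defensive point is the same either way: an overread is caught by the memory itself, not by the program being careful.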
The second built-in security feature of SPARC M7 is high-speed encryption. SPARC M7 incorporates 32 crypto accelerators per processor, supporting a broad range of cryptographic algorithms, including SHA-512 hashing and AES-256 encryption—all without noticeable effect on performance. “The encryption overhead is so minimal that customers can simply run everything fully encrypted with a near-zero performance overhead,” Choy says.
Even though security is an enterprise priority, IT organizations still need to show the value of security products to the business, says Clayton Donley, vice president of product development for Oracle Identity and Access Management. That search for value has created demand for broadly applicable identity and access management technology, what Donley’s team calls “multichannel access management,” he says.
To that end, Oracle recently updated its Oracle Identity Management Suite to Oracle Identity Management Suite 11g Release 2 Patchset 3 (PS3), to make it easier to use, broadening its appeal and effectiveness. “We’ve significantly improved our capabilities around mobile and also made it possible to bring cloud applications under the same identity and security umbrella as your on-premises applications,” Donley says.
Oracle Identity Management Suite 11g Release 2 PS3 employs “shopping-cart-like experiences that, really, anybody knows how to use,” Donley says. That intuitive interface makes identity management more effective on mobile devices, while integrated mobile management capabilities make administration of those devices simpler and provide tighter controls.
As for extending security to cloud applications, the key word is hybrid, Donley says. Oracle Identity Management Suite 11g Release 2 PS3 gives customers the ability to manage users and single sign-on with their public cloud services, both Oracle’s and those from third-party providers, from the same solution that is used for their existing on-premises applications. It provides a coordinated, consolidated view of user access that matches the needs of most real-world customer environments, which have a hybrid mix of on-premises and cloud applications.
“The customer gets a single view of who has access to what—single sign-on across all of these properties, all of these services,” Donley says. “Being able to unify identity management across platforms—having the same user be the same user across all those different environments—is very important.”
That hackers are targeting corporate databases is not a surprise, given the wealth of sensitive data and IP they represent, notes Vipin Samar, vice president of Oracle Database Security. “Databases organize this information very well, not only for applications, but also for attackers—if they can get in.”
That’s why Oracle builds in security functions at the database level, including a database firewall, encryption, and data masking. Oracle Audit Vault and Database Firewall monitors database activity, blocks threats, and audits activity across the enterprise. Oracle Advanced Security delivers transparent data encryption and redaction. Oracle Key Vault provides centralized encryption key management. (See the Oracle Database Security page for the full inventory of Oracle Database Security solutions.)
In addition to offering identity management and database security solutions, Oracle has gone even further down the technology stack to build in security. In 2015 Larry Ellison, Oracle executive chairman and CTO, introduced a breakthrough in microprocessor engineering called Software in Silicon, which embeds software functions directly into the microprocessor, improving system performance and security.
Among the Software in Silicon functions built into Oracle’s new SPARC M7 processor are high-performance encryption and a capability known as Silicon Secured Memory. (See the “Security at the Processor” sidebar for more information.) These processor-based security features herald an era of enterprise security hardwired from the bottom up.
One of the big concerns about the cloud has been security. Can a third party deliver complete security for your company’s digital crown jewels in a public cloud? Oracle addresses that security concern in its public cloud: Oracle Cloud (at cloud.oracle.com).
In each of Oracle’s cloud service tiers—software as a service, platform as a service, and infrastructure as a service—users access services and confirm their identities using cloud-based Oracle identity management and access technologies that have evolved from Oracle’s on-premises identity management solutions. Data in Oracle Cloud is transmitted securely, and data at rest in Oracle Database Cloud Service is subject to always-on encryption, based on Oracle transparent data encryption technology.
For more than 30 years Oracle has been delivering top-notch security to security-focused customers. From processors and on-premises systems to hybrid cloud and Oracle Cloud, Oracle security solutions secure business IT at every level.
Photography by Antony Xia, Unsplash