Friday Aug 26, 2016

Focus on Database Security @ Oracle OpenWorld, 2016

This year's Oracle OpenWorld is chock-full of database security sessions and this Focus on Oracle Database Security document provides a full list for the week. For a quick reference, I've outlined some key must-see sessions.

Monday

Defense-in-Depth Database Security for On-Premises and Cloud Databases [CON6143]

Vipin Samar, SVP of Database Security, Oracle

The last 24 months have seen an unprecedented scale of data breaches across all sectors. Databases are frequently targeted by organized criminals, nation-states, and even insiders because they hold the most sensitive assets. Join this session to hear the senior vice president of Oracle Database Security development discuss a defense-in-depth strategy to mitigate different threat vectors against attacks on both on-premises and cloud databases. Learn how to evaluate your security posture, reduce attack surface, prevent attacks, and monitor user activities to keep your data safe using the latest innovations in Oracle Database Security. He also shares how to maintain full control and visibility of cloud databases.
Monday, Sep 19, 3:00 p.m. | Moscone South—305

Customer Panel: The Science and Art of Deploying Database Security [CON6578]

Sarah Brydon, Engineer (IT), Paypal

Keith Wilcox, VP, Database, Epsilon Data Management LLC

Leonid Stavnitser, Senior Director, Managed Security Services, Oracle

Troy Kitch, Director of Security Software Product Marketing, Oracle 

Managing risk in the face of data breaches and regulatory compliance is a consistent challenge. One of the best ways to gain insight into database security is to hear firsthand from current customers: how they prioritize what to protect, and then how they deploy database security to mitigate these threats. Come join this session to hear Oracle top-tier customers discuss their deployments, best practices, and the science and art of defending their databases.
Monday, Sep 19, 5:30 p.m. | Park Central—Franciscan IT

Wednesday

Continuing Innovations in Oracle Database Encryption Jump Starts Your Security [CON6368]

Saikat Saha, Senior Principal Product Manager, Database Security, Oracle

Encrypting sensitive data has become a must in light of recent megabreaches and ever-expanding compliance regulations. Join this session to learn about new innovations in Oracle Advanced Security's transparent data encryption capabilities, including the new online and offline encryption capabilities. See a demo and learn about operational considerations, application transparency, performance throughput, and key management. The session also includes a real-world perspective on using Oracle Database encryption technologies.
Wednesday, Sep 21, 12:15 p.m. - 1:00 p.m. | Moscone South—103

Using Oracle Key Vault to Simplify Key Management [CON6369]

Saikat Saha, Senior Principal Product Manager, Database Security, Oracle

Steven Zydek, Oracle DBA, Kohl's Corporation

The security of your encrypted data depends upon the security and control you have over the encryption keys. Centralized protection and management of encryption keys has become an important consideration for organizations. This session discusses how Oracle Key Vault accelerates deployment of encryption through centralized management. Optimized for Oracle Databases, Oracle Key Vault is a security-hardened software appliance with the ability to centrally store, share, and manage master encryption keys, Oracle Wallets, and Java KeyStores. Learn about the latest innovations and deployment best practices in the new Oracle Key Vault 12.2, and watch demonstrations of this easy-to-provision key management solution.

Reducing the Risk from Malicious Users with Oracle Database Vault [CON6552]

Alan Williams, Senior Principal Product Manager, Oracle

Shekhar Trivedi, DBA, Verizon Wireless

In this session learn best practices for using Oracle Database Vault to protect your sensitive data from access by unauthorized users. Highly privileged database accounts can be used by malicious users to access sensitive data they are not authorized to see. See how to reduce risk and liability and meet regulatory requirements to prevent unauthorized data access. The new simulation mode allows you to quickly and safely analyze the security controls you need to protect sensitive data and prevent unauthorized changes to the database. Simulation mode eliminates the risk of impacting mission-critical applications. Learn how privilege analysis can help you implement least privilege best practices.
Wednesday, Sep 21, 4:15 p.m. - 5:00 p.m. | Moscone South—301

Inside the Head of a Database Hacker [CON6142]

Mark Fallon, Architect / Security Lead, Oracle

With unprotected assets hiding in plain sight in databases, no wonder hackers seek to steal intellectual property, personally identifiable information, and payment cards from databases. Exploiting common vulnerabilities (such as unpatched systems, overprivileged accounts, insecure database configurations, and stolen passwords) and unencrypted data is a good place to start. However, knowing the mind of a hacker can better help you strategize a blueprint for protecting your database. In this session, a world-renowned database white hat hacker takes you step by step into the mind of a cybercriminal adept at exploiting vulnerabilities to access sensitive data stored in databases.
Wednesday, Sep 21, 3:00 p.m. | Moscone South—104

Thursday

Accelerate Compliance with EU General Data Protection Regulation [CON6587]

Dinesh Rajasekharan, Product Manager, Oracle

The European Union (EU) recently announced the General Data Protection Regulation (GDPR) to address increasing security threats. Noncompliance fines can be up to 4 percent of global annual revenue. Come to this session to learn about how this regulation applies to both EU and non-EU organizations that have data about EU residents. Learn about the key data protection controls imposed by GDPR, and how they apply to the database, the source of sensitive data. Understand GDPR’s key objectives and actors, and learn how Oracle Database Security technologies can help implement data protection guidelines recommended by GDPR.
Thursday, Sep 22, 9:30 a.m. | Marriott Marquis—Salon 10/11 

Oracle Audit Vault and Database Firewall: New Features, Hybrid Cloud Deployment [CON6579]

Wilson Verardi, CSRA

George Csaba, Director, Product Management, Database Security, Oracle

Attend this session to learn about the new features available with Oracle Audit Vault and Database Firewall 12.2. Find out how they protect your Oracle and non-Oracle databases against insider threats and help achieve regulatory compliance. Learn how Oracle Audit Vault and Database Firewall consolidates audit data for not only on-premises, but also in hybrid cloud environments where some databases are on-premises and others are in the Oracle Public Cloud. Discover how Oracle Audit Vault and Database Firewall ensures consistent security and audit policies across all database instances while decreasing implementation time and lowering TCO.
Thursday, Sep 22, 10:45 a.m. | Moscone South—301

Quickly Mask Test/Dev Environments: Securing Production Data Alone Is Insufficient [CON6583]

Dinesh Rajasekharan, Product Manager, Oracle

While many organizations implement protective and detective controls for their production databases, their test/dev databases are often left unprotected and become low-hanging fruit for attackers. Test/dev databases are typically the first databases to be moved to the cloud, and it is really critical to remove sensitive data prior to the move. Attend this session to find out how Oracle Data Masking and Subsetting Pack can help de-identify sensitive data from test/dev systems. This helps take such databases out of scope from audit and compliance and reduces the cost of compliance. Learn how to mask data dynamically in real time using Data Redaction. Learn about the latest product updates, best practices, and a customer case study.
Thursday, Sep 22, 12:00 p.m. | Moscone South—301

Monday Aug 22, 2016

Audit Vault and Database Firewall Wins DBTA Readers' Choice Award for Best Database Security Solution

We are happy to announce that for the third year in a row, Oracle Audit Vault and Database Firewall won the 2016 DBTA (Database Trends and Applications) Readers’ Choice Award for Best Database Security Solution.

Unlike other awards programs, the DBTA Readers’ Choice Awards are unique in that the winning information management solutions are chosen by the people who use them.

We are humbled and appreciative of this honor. Thank you to our users! 

Data is increasingly appreciated by companies as their most valuable asset. But the problem is that this view is not just held by organizations themselves, and there are others - including hackers - who see it that way as well.

Wednesday Aug 03, 2016

Announcing Data Masking templates for Oracle E-Business Suite 12.2

As more and more organizations are upgrading to Oracle E-Business Suite (EBS) 12.2, we are announcing Data Masking templates for EBS 12.2. New and existing customers of one of Oracle's most popular applications can now easily secure sensitive information for their application development and testing. You require Oracle Enterprise Manager Cloud Control 13c with Oracle Data Masking and Subsetting to use EBS 12.2 Data Masking templates.

Oracle Data Masking and Subsetting has been significantly enhanced to support one of EBS 12.2's marquee features, "Online Patching", which leverages Oracle Database features such as Edition-Based Redefinition and Editioning Views. Data Masking templates for previous EBS versions are revamped to mask sensitive data in the EBS 12.2 Editioning Views.

As always, the comprehensive EBS 12.2 Data Masking templates are included in the Oracle Data Masking and Subsetting License at no additional cost and are one of the unique differentiators when compared to the competition.

Click here for more details about the announcement.

Accelerate Your Response to the EU General Data Protection Regulation (GDPR)

If you are an information security professional, then unless you have been off the internet and media for the past few months, you will not have missed the news about the European Union (EU) General Data Protection Regulation (GDPR). The new data privacy regulation in Europe affects anyone globally who directly or indirectly deals with EU individuals’ personal information, imposing fines of up to 4% of global annual revenue for non-compliance.

We recently published a white paper summarizing several key requirements of the GDPR and how Oracle Data Security technologies can help to respond to the key GDPR data protection principles. We hope this white paper will help in your journey towards GDPR compliance.

Tuesday Jun 28, 2016

Register now for Oracle University Security Training Subscription

Protecting corporate information and technology assets from intruders, thieves, and vandals is a significant challenge for most enterprises. Historically, investments in security technology were made by individual technology managers and business units in response to the specific threats they faced. 

CIOs are now implementing technologies that can support the centralized management and enforcement of security policies. Now more than ever, training employees to use these security technologies has become paramount. In response, Oracle University has released updated security training so that customers can get educated on the latest Oracle security content, including:

  • Content developed by industry and product engineers and delivered by expert instructors
  • More than 10 courses totaling over 30 days' worth of instructor-led training
  • Over a hundred continuous learning and just-in-time training videos

Curriculum focuses on content from the following key areas:

  • Security and Risk Management
  • Asset Security
  • Security Engineering
  • Cyber Security
  • Identity and Access Management
  • Security Assessment and Testing
  • Security Operations
  • Software Development Security
  • and so much more....

Also Available:

  • Quizzes to assess your understanding of key topics
  • Learning paths to guide your career choices 
  • 24/7 availability of offerings
  • Demonstrations

Subscribe to Oracle Security Learning and get prepared to help your organization reduce its overall risk.

Thursday May 12, 2016

How Spain Protects 400 Million Citizen Records

The Ministry of Justice of Spain (Ministerio de Justicia de España) is the public entity responsible for preparing, managing, and executing Spanish government justice system policy. It oversees the consistent execution of national laws across the country’s 23 provincial offices, while coordinating funding and procurement for tribunals, magistrate courts, and prosecutor’s offices. The organization is responsible for managing all staff - including lawyers, court officers, clerks and other administrative personnel - involved in the justice system.

“We selected Oracle because we know its solutions work flawlessly. Oracle solutions are an investment in peace of mind and security,” said Jose Luis Hernández Carrión, Deputy Director of New Technologies for Justice.

Spain’s Ministry of Justice allocates resources based on different jurisdictional needs, which fluctuate based on crime rates, type and seasonality. The organization’s IT department provides support to the central registry and a number of other provincial offices nationwide, collecting data from all jurisdictions, archiving it and providing decision-makers with the tools needed to analyze resource allocation and program efficiency.

Challenges:

  • Ensure compliance with data privacy laws by protecting citizens’ personal data
  • Control and monitor access to data, restricting it to authorized users and mitigating the risk of data leaks
  • Enable real-time backup of geographically dispersed databases to reduce downtime, improve recovery time, and reduce costs

Solution:

  • Comply with data privacy laws by using Oracle Advanced Security to encrypt more than 400 million pieces of citizens’ personal information
  • Establish an access control and monitoring system, isolating user functions to enable only authorized users to access or modify data, logging all accesses to mitigate the risk of data leaks and ensure accountability
  • Secure data in development and test environments with Oracle Data Masking and Subsetting Pack, enabling the ministry to develop and test new applications without compromising sensitive data and reducing overall masking time from a week to a few hours
  • Use Oracle Active Data Guard to centralize more than 20 geographically dispersed standby databases, reducing costs 8x by executing 8 backups simultaneously on a single machine
  • Enable real-time backups with Oracle Active Data Guard, eliminating downtime and reducing data recovery window from 48 hours or more to 2 hours—improving the ministry’s productivity and enabling forms and data to remain available to citizens 

Why Oracle?

Oracle Advanced Security, Oracle Data Masking and Subsetting Pack, and Oracle Active Data Guard seamlessly integrated with the ministry’s Oracle Database.

Success story here 

Tuesday Apr 19, 2016

Wanted: Outstanding Oracle Security Experts to Speak @OpenWorld 2016

We want you to speak at OpenWorld 2016

The Oracle OpenWorld 2016 call for proposals is now open. Attendees at the conference are eager to hear from experts on Oracle security and technology. They're looking for insights and improvements they can put to use in their own jobs: exciting innovations, strategies to modernize their business, different or easier ways to implement, unique use cases, lessons learned, the best of best practices.

If you've got something special to share with other Oracle Identity Management and Database Security users and technologists, they want to hear from you, and so do we.

Submit your proposal now for this opportunity to present at Oracle OpenWorld, the most important Oracle technology and business conference of the year.

Tuesday Apr 05, 2016

New Paper Explains Oracle Public Cloud Security

Security: Top Priority 

Security is a top priority for Oracle Cloud solutions. Oracle’s vision is to create the most secure and trusted public cloud infrastructure and platform services for enterprises and government organizations. Oracle’s mission is to build secure public cloud infrastructure and platform services where there is greater trust - where Oracle customers have effective and manageable security to run their workloads with more confidence, and build scalable and trusted secure cloud solutions.

A new whitepaper, titled Oracle Infrastructure and Platform Cloud Services Security, explains Oracle's cloud security philosophy, including the shared cloud security model that we have with our customers.

The paper focuses on shared and service-specific security capabilities of the following services:

  • Oracle Compute Cloud Service
  • Oracle Storage Cloud Service
  • Oracle Network Cloud Service
  • Oracle Java Cloud Service
  • Oracle Database Cloud Service – Enterprise Edition

For a comprehensive list of the available Oracle Cloud services, go to https://www.oracle.com/cloud.

Cloud Security Capabilities

When we talk to customers, they ask for the following security capabilities. The paper is therefore organized to explain how we address:

  • Control: Security mechanisms to control who can access data and under which conditions
  • Auditing: Ability to audit resources to maintain their security configuration
  • Visibility: Logs providing visibility into accounts and resources
  • Assurance: Ability to independently verify how data is being stored, accessed, and protected against unauthorized access and modification
  • Security: Services that are designed, coded, tested, deployed, and managed securely
  • Out-of-the-box integration with existing Oracle technologies: Seamless integration with existing Oracle solutions such as identity and access management 

Fully Committed to Cloud

The protection of customer data is a primary design consideration for all of Oracle’s public cloud infrastructure and services. Oracle Cloud was developed to offer secure infrastructure and platform services that are used by Oracle customers to run their mission-critical enterprise workloads and store their data. Oracle believes that it has the right security philosophy, strategy, proven expertise, and resources to protect customer data and enable customers to build secure and private cloud solutions. Oracle is fully committed to continuing to invest in security capabilities to create the most secure public cloud infrastructure and trusted cloud services. These capabilities enable Oracle customers to have effective and manageable security, to run their workloads with more confidence, and to build trusted hybrid cloud solutions. 

Download the new whitepaper here.

Wednesday Mar 23, 2016

Oracle Magazine Highlights "Security at Every Level"

Oracle’s security focus and strategy protect the enterprise with a secure technology portfolio and identity management, database, and silicon security solutions.

Oracle’s earliest customers included the US Central Intelligence Agency and the Department of Defense, organizations focused intensely on security. In more than 30 years in the enterprise software business, Oracle has refined a security strategy that starts with an engineering culture rooted in secure development practices and support processes; provides security controls throughout the Oracle enterprise technology stack; and delivers on-premises and cloud security solutions.

Read the rest of the article here to learn how Oracle ensures trust, builds security into our stack, and delivers security in silicon with the new SPARC M7 chipset.

Tuesday Mar 01, 2016

Securing Oracle Public Clouds

There is an incredible transformation we are all experiencing with cloud computing. The cloud truly is changing everything. It’s changing how businesses run and people work; it’s creating new categories, disrupting existing categories, and it’s changing how we communicate and share. It’s changing the economics of business forever.  It’s happening at a speed no one ever imagined and it means a new way of thinking for security practitioners.


Transformation

When we look at the enterprise, we see that on every level, there are transformations that are encouraging a fluidity of boundaries.

The Extended Enterprise is about the always-on expectation from users, about a corporate environment that is no longer limited to the four walls of the enterprise.  Essentially, the Internet has become the corporate network; a coffee shop has become the corporate office. Work is no longer a place…it’s wherever you get inspiration.


Within that corporate network, applications that used to be selected, deployed and maintained by IT are increasingly giving way to applications that employees introduce into the network themselves.  Often this is to increase productivity, or solve a problem that can’t be addressed by existing tools.  For example, when files get too large for emailing, users may be tempted to use unsanctioned software as a service like Dropbox, or YouSendIt/Hightail in order to distribute information. This can cause challenges with internal IT teams that are enforcing corporate processes designed to lock down sensitive corporate data and keep it from showing up on shadow IT sites where they have no control.

The growing use of social collaboration and sharing regardless of location, the rising adoption of cloud computing, and the proliferation of mobile devices are creating a fundamental shift within the enterprise that is breaking down the traditional four walls that have constrained IT to the corporate network and private WAN. This raises the question, “Where did the perimeter go?”


The Perimeter has Evolved

We’re moving fast and it’s difficult to run a business with the expectation that we can prevent perimeter network penetration. The perimeter has evolved and we must assume the perimeter will be breached and deploy solutions that protect our assets, starting with the most valuable. Now, enterprises face a boundless future where the four walls of the enterprise are fluid.  They extend to the cloud. And follow users from network to network, device to device. These need to be addressed within the context of rapid evolution in the threat landscape. This heightened risk comes at a time when users are increasingly leaving the safety of the corporate network, yet are still trying to access corporate assets – now from anywhere in the world as we embrace mobile and cloud. 

In fact, a CSO MarketPulse survey found that the allocation of resources is not appropriately aligned with the most vulnerable areas of attack.

Sixty-seven percent of the 200+ CSOs indicated they are allocating most of their resources to the network layer, and only 15% were allocating most of their resources to the database layer. And yet, when asked what IT layers were most vulnerable to an attack, more than half (52%) said their databases.

Let me be clear, I am not saying that securing the perimeter is a bad idea.  However, we need to augment where we’re placing our resources—now more than ever. The challenge is that for most enterprises, the network has become so large--encompassing multiple countries across the globe, outsourced data centers, and cloud computing--that it is harder and harder to secure the traditional perimeter from attack.

This is even more important when we consider how to secure on premises and cloud based assets in a boundless world. It’s how you secure everything from your perimeters to your networks to your software and even your hardware. To help businesses achieve that, we will need to change.


Turning Security from an Inhibitor to an Enabler of Cloud

How many of you believe security is actually an inhibitor to Cloud adoption? In Oracle's eleven critical cloud predictions to take into 2016, Oracle CIO Mark Sunday says, “Today, the #1 reason organizations are not moving to the cloud is security. However, tomorrow, security will be one of the most important drivers to move to the cloud.”

The article goes on to explain, "A survey by Harvard Business Review Analytic Services (sponsored by Oracle) found that 62 percent of respondents thought security issues were by far the biggest barriers to expanding cloud adoption at their companies. Nearly half said data security is harder in the cloud.

But those very same concerns will soon drive organizations to the cloud. Established cloud vendors with a solid security track record have the expertise and resources to deploy layers of defense that many companies can’t hope to duplicate in-house."


So, How Do We Do It?

Oracle secures every layer of both on premises and the cloud. By owning best in class SaaS, PaaS, and IaaS, our goal is to protect each and every aspect of your on premises, private, and public cloud environments.

[Disclaimer: Not all technologies identified here are available for all Oracle Cloud Services.]

To build a secure cloud, it starts with the underlying infrastructure—a secure cloud must be built on a foundation that is securely designed and developed from the outset.

Oracle starts with layers of defense. This is how we’ve built our solutions to work together and be more secure through seamless integration and layers of security. Then we add a comprehensive set of security controls across these solutions in order to protect the entire environment, from physical to logical security controls.

These include preventive controls that keep bad guys from getting to the data and, if they do get to it, render it useless to them. They include detective security controls that detect suspicious activity in progress and can raise an alert. This is what I like to call our forensics capabilities. Finally, they include the administrative processes and procedures we follow to build security into our cloud environment. Let's look at both of these in more detail: Security and Control.


Layered Security Defense

When looking at security, it’s important to provide layered security, also known as defense-in-depth, because no one control can mitigate all threats. Oracle is working to provide multiple layers of security in our cloud. So, whether on premise or cloud, these are the requirements for a secure IT environment.

[Disclaimer: Not all technologies identified here are available for all Oracle Cloud Services.]

First, you want to integrate security into the foundation of the software: from the underlying silicon, to the firmware that is built into the silicon, to the operating systems and applications.

Let’s start with the Silicon layer and work our way up to the applications layer:

Silicon

Ultimately, security should be enabled at multiple layers and pushed down the stack as far as you can go. For example, security at the database layer is preferable to security at the application layer. When you encrypt data in the database, all applications that are connected to that database gain the encryption capability. Otherwise, you would have to code encryption into each of those applications, which would take a long time and is error-prone. If you push security down into the silicon layer, then the software that is built on that silicon inherits that security. You need to be able to secure data in memory from corruption and attack through unauthorized access or buffer overruns, because if someone can control your systems at the chip layer, then they can potentially own all the software that sits on top.

Infrastructure

At the infrastructure layer, Oracle provides storage and will soon be offering elastic compute so that our customers can run any workload in the cloud. For our storage service, we provide backup of your sensitive data and can encrypt it all for you.

When our elastic compute service is ready, organizations will be able to enable unrestricted, and yet secure, communications between selected VMs. By creating dynamic firewalls, also known as security lists, and adding your VMs to that list, the VMs can communicate with each other in the same list over any protocol and port. This is a secure way to communicate between known virtual machines. By default, the VMs in a security list are isolated from hosts outside the security list.

At any time, to block access—permanently or temporarily—to all VMs in a security list, delete or disable the relevant security rules. To block access to specific VMs rather than to the entire security list, remove those VMs from the security list. What you ultimately get is the ability to have fine-grained network access control over your compute environment.

Database

At the database layer, Oracle Database as a Service includes tightly integrated Oracle Advanced Security with transparent data encryption to secure data at rest on disk and on database backups. Our same on premise data encryption technology is built into our database as a service and is transparent to users and applications because the encryption takes place at the kernel layer.

This extends up into the application layer: when applications make calls to the database, we can redact, or remove, sensitive data on the fly so that unauthorized users are unable to see it in the application. This data redaction is part of our Advanced Security solution. Again, it is built into the kernel, which avoids tampering methods and provides better security.

In order to prevent privileged users (ours in the cloud or yours on premise) from gaining unfettered access across the entire database, Oracle Database Vault can restrict credentials to a least privilege state, so that administrators can only perform the tasks necessary to do their jobs, and no more. For example, they may be able to administer backups, but not necessarily read or write data in that database.

Middleware

Throughout many of our Oracle cloud services (Fusion Apps, PaaS, and IaaS) when a user registers, the account and credential information is stored in Oracle Internet Directory. When a user wants to authenticate and gain access to several services, the single sign-on is handled by Oracle Access Manager. When a user account is disabled, it can be disabled across multiple services. Each of these capabilities is enabled by Oracle Identity Management, and we’ve been providing these services for some time now.

Oracle has put a great deal of effort into developing powerful, robust security mechanisms within its products and within our cloud, and we want to make sure that customers are fully leveraging these security features.

Applications

Finally, at the top of our stack you want to provide Single Sign-On across multiple applications because the fewer user names and passwords you manage, the better. Oracle provides integrated access controls that are dependent on your role. As I mentioned, sensitive data can be removed or redacted from applications by way of the database kernel, so application developers do not have to do complete development rewrites in the application code in order to redact data. Instead, DBAs can implement redaction policies within the database and cover multiple applications.

From the chip level up, we have thought through layered security defenses built into the cloud. This strategy is not dependent on a single security tactic or approach. It provides multiple layers of protection.


Comprehensive Security Controls for the Cloud

From physical security in and around our datacenters, to applying security controls at the application, network, and logical access layers, you can see why Oracle can provide security as good as, or dare I say better than, what you can obtain on premises.

As we drill down into each layer you can see security is baked into both physical and logical access.

For physical access, we have multiple security zones that our IT staff must pass through in order to gain clearance throughout the datacenter, including a reception desk, access cards, and biometrics in the way of keypads or retina scanners. All of this is under video surveillance, plus more.

We carry this practice of defense in depth to the logical access layer. We mandate encryption on all staff computers and implement personal firewalls, two-factor authentication, and layers of role-based privilege access controls. This helps mitigate stolen username and password threat vectors. All of this is managed by Oracle Identity Management, the same suite that many of you use to gain access to corporate systems.

And for detective security controls, we apply forensics – looking for security vulnerabilities. We monitor access and conduct monthly reviews. And the layers of defense continue; we also deploy security controls using vendors that we do not directly compete with in order to cover the gaps where Oracle doesn’t play.

Security is no longer a reason to not move to the cloud, but in fact a reason to move to the cloud. Security is an enabler: Just as Oracle helps reduce costs associated with system deployments, maintenance and tuning, it is even more difficult to find qualified staff to secure your environments. Oracle has the resources and knowledge to secure your deployments in the Oracle Cloud.


Securing the Hybrid Cloud

Security also gives you a choice in how you deploy, as well as a path to transition from on premises to the cloud.

You can now maintain existing on-premises deployments and connect them to your public cloud. This provides comprehensive security for a hybrid deployment. It also provides flexibility and choice because we’ve integrated many of our technologies.

Security is an enabler: You now have a common set of security controls that address regulatory compliance requirements, a common set of security policies that extend across on premises and cloud, and multiple security layers that are integrated and built in from the infrastructure up.

To learn more about how Oracle Secures the Public Cloud, please read Oracle Cloud Enterprise Hosting and Delivery Policies.

Tuesday Feb 16, 2016

Larry Ellison, New Rules of Thumb for Next-Generation Data Security

In his keynote address at Oracle OpenWorld 2015, Oracle Executive Chairman and Chief Technology Officer Larry Ellison highlighted the urgent need for advanced next-generation data security technologies—and outlined two new rules of thumb for data security in the age of megabreaches. 

Recent breaches extend far beyond the theft of data from tens of millions of retail and banking customers. Even the US Office of Personnel Management has lost highly sensitive data relating to over 20 million federal employees—all the way up to White House staff. 

"Organizations are losing a lot of these cyberbattles," said Ellison. "Our industry needs to rethink how we deliver technology, especially as vast amounts of data are moved to the cloud."

Read more of this article and Oracle's perspective.

Thursday Feb 04, 2016

ISACA Webcast on Cloud Security Prediction, Feb 11, 2016

Please join me February 11, 2016 for the ISACA webcast, Prediction: Security Moves from Barrier to Main Benefit of Cloud Adoption where I will discuss some of the cloud security challenges facing organizations. I will also discuss how cloud vendors should be implementing security controls for their public clouds so that organizations have more confidence putting their sensitive systems and data there. And you'll receive a CPE for joining me.

Here's the abstract:

In a recent cloud predictions article, Oracle CIO, Mark Sunday predicts “Today, the #1 reason organizations are not moving to the cloud is security. However, tomorrow, security will be one of the most important drivers to move to the cloud.” A survey by Harvard Business Review Analytic Services (sponsored by Oracle) found that 62 percent of respondents thought security issues were by far the biggest barriers to expanding cloud adoption at their companies. But those very same concerns will soon drive organizations to the cloud. Join this Oracle and ISACA webcast to learn how established cloud vendors with a solid security track record have the expertise and resources to deploy layers of defense that many companies can’t hope to duplicate in-house. 

I hope to see you there.  

Wednesday Jan 13, 2016

Oracle at RSA Conference 2016

Announcing Oracle at RSA Conference 2016 – Where the World Talks Security!

Moscone Center, San Francisco
February 29 – March 4 

 

Fueled by a $288B black market for information, we are in the midst of a data breach epidemic; spending on technology has failed to reduce the risk. Effective modern security to mitigate a data breach requires an inside-out approach with a focus on data and internal controls. 

Join Oracle at RSA Conference 2016 February 29 – March 4, and glean insight into helping your organization build an inside-out security strategy.

Oracle Speaking Session (PDAC-FO3)

Friday, March 4, 2016 | 11:20 AM – 12:10 PM | West | Room 2005

Encryption without Enterprise Key Management – It’s Like Icing without Cake, Saikat Saha, Sr. Principal Product Manager, Oracle 

Deploying encryption systems without effective key management will not deliver on the promise of data security. Whilst the exciting part is the encryption technologies, loss of the keys will compromise any solution. In this session we’ll explore the value provided by the standardization of key management protocols as well as the critical part it plays in a security solution.

Meet the Experts

Visit the Oracle Security Solution Showcase (Booth #4704) to meet our security experts and see live product demonstrations. 

  • Monday, Feb 29th – 5 – 7 p.m. (Welcome reception)
  • Tuesday, Mar 1st – 10 a.m. – 6 p.m.
  • Wednesday, Mar 2nd – 10 a.m. – 6 p.m.
  • Thursday, Mar 3rd – 10 a.m. – 3 p.m.

 

Register for a complimentary Exhibit Hall Pass using code XEORACLE16 (deadline Friday, February 26th) 

Thursday Jan 07, 2016

Cloud Prediction #2: Security as an Enabler

Check out Oracle's eleven critical predictions as we head into 2016 and you'll find security will move from a barrier to cloud adoption to one of its main benefits.

“Today, the #1 reason organizations are not moving to the cloud is security. However, tomorrow, security will be one of the most important drivers to move to the cloud,” said Oracle CIO Mark Sunday. 

Security should be an enabler for organizations to move to the cloud. A company like Oracle has both the logical and physical security resources and knowledge that many organizations cannot match. Oracle's cloud is a very secure cloud that provides our customers trust that their applications run securely so they can focus on innovation.  

Brakes on a car enable you to go faster. Without brakes, you must go slowly and you can’t drive down hills. It’s very limiting. The cloud is a business enabler and security must be necessary and sufficient so that organizations can move fast as well as safe. 

“Cloud vendors like Oracle that have a comprehensive and integrated defense of layered security controls are what can turn security from an inhibitor to an enabler of enterprise cloud deployments,” Sunday concludes.

Read his prediction and the ten others here.  

Thursday Sep 24, 2015

Encryption is the Easy Part; Managing those Keys is Difficult

Security threats and increased regulation of personally identifiable information, payment card data, healthcare records, and other sensitive information have expanded the use of encryption in the data center and cloud. As a result, management of encryption keys, certificates, wallets, and other secrets has become a vital part of an organization’s ecosystem, impacting both security and business continuity. Join this ISACA and Oracle webcast as we examine the challenges with encryption, on premise and in cloud, and how key management best practices can help facilitate the secure deployment of encryption across the enterprise. Challenges we’ll address include:
  • Managing encryption keys, Oracle Wallets, Java Keystores and Credential files across the enterprise
  • Securely sharing keys across authorized endpoints
  • Auditing key access controls and key lifecycle changes
  • Detailed management reports

ISACA Members Earn Free CPE

Special Guest

Note that we'll have special guest Saikat Saha, who has specialized in the area of data encryption and key management. Saikat currently works as a product manager in the Oracle Database security team. He also serves as co-chair of the OASIS KMIP (Key Management Interoperability Protocol) industry standard technical committee. He has launched multiple successful security products in the market related to data encryption, application encryption and key management over the last decade. Saikat holds a B.E. from National Institute of Technology, Durgapur, India and an MBA from Leavey School of Business, Santa Clara University.

When and Where?

Date: Thursday, 8 October 2015
Time: 12PM (EDT) / 11AM (CDT) / 9AM (PDT)

Register Now
