Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security //

Web Application Firewall

3/22/2017
03:03 PM
Curtis Franklin
Curtis Franklin
Curt Franklin
50%
50%

Security Takes the Stage at Oracle Industry Connect

Security is a supporting player at Oracle Industry Connect. Is it hero or villain to the assembled customers and partners?

When security is mentioned at an IT industry conference, it's normal to say, "Security took center stage." At Oracle Industry Connect in Orlando, Fla., it would be more correct to say that security was hanging out in the crowd stage-left, in a role with a credit two-thirds of the way down the billing. In other words, security made the stage but it was in a small, mostly non-speaking role.

In a series of sessions that all point in the direction of moving every function, service and customer to a cloud infrastructure, security was generally seen as a solved problem. In his Tuesday afternoon keynote discussion, Oracle CEO Mark Hurd was asked whether security had transitioned from an issue that kept companies out of the cloud to one that is part of the justification for moving to a cloud infrastructure. He agreed that this has, in fact, become the case for Oracle customers.

"I do think the security levels in our cloud are so much higher than you could ever achieve in your own environment on-premise," Hurd said. The reasons for this, he said, have to do with expertise, technology and infrastructure size. "When you get into these environments it's very hard to secure all of this at scale," he explained.

One of the factors that allows Oracle to provide security at scale, Hurd said in a Q&A session with journalists and analysts, is simplicity. "Our cloud is literally one configuration. We have to secure that one environment," he said. Hurd expanded on the "one environment" statement by saying that the entire Oracle cloud is built on one version of operating system, one version of one database manager and one Oracle-defined hardware platform. A patch or update to the "master" software image can be quickly propagated across the entire cloud.

Hurd contrasted the Oracle cloud to the situation faced by many customers. "Our customers have to secure tens of servers, tens of operating systems, tens of databases and they tend to be 14 to 18 months behind us in patching," he said. As result, "We're going to do security better. It's simpler; we have the technology."

On the second day of the conference, the heads of Oracles global business units (GBUs) were asked about security as part of a group Q & A session with journalists and analysts. Sonny Singh, SVP and GM of Oracle's financial services global business unit, said that his group addresses security through three broad initiatives. First, he said, they can, "...leverage underlying platforms with inherent security built in." He explained that this involved the security features of the cloud platform as well as the streamlined infrastructure Hurd spoke of.

Next, Singh said, they are required to have definitive processes that can demonstrate compliance with the myriad regulations and laws under which financial institutions operate around the world. Finally, he said, "We partner with the other GBUs. We can learn on a very quick cycle from the other units." Hurd referenced something similar in talking about Oracle's ability to learn from its customers when he said, "Our customers, on average, will get attacked a lot. We see all sorts of tricks and innovation and we patch to that."

All of the advancements and advantages that come from Oracle's approach to security are critical, Singh said, because the demand is rising in lock step with customers' shift to the cloud. "Scrutiny has gone up with the move to the cloud," Singh said. "The security onus has shifted from the customer to Oracle." It's a contractual and regulatory spotlight that grows brighter for a security -- a player that has moved out of the wings and is inching closer to center stage.

— Curtis Franklin, Security Editor, Light Reading

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/21/2020
Hacking Yourself: Marie Moe and Pacemaker Security
Gary McGraw Ph.D., Co-founder Berryville Institute of Machine Learning,  9/21/2020
Startup Aims to Map and Track All the IT and Security Things
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-25596
PUBLISHED: 2020-09-23
An issue was discovered in Xen through 4.14.x. x86 PV guest kernels can experience denial of service via SYSENTER. The SYSENTER instruction leaves various state sanitization activities to software. One of Xen's sanitization paths injects a #GP fault, and incorrectly delivers it twice to the guest. T...
CVE-2020-25597
PUBLISHED: 2020-09-23
An issue was discovered in Xen through 4.14.x. There is mishandling of the constraint that once-valid event channels may not turn invalid. Logic in the handling of event channel operations in Xen assumes that an event channel, once valid, will not become invalid over the life time of a guest. Howeve...
CVE-2020-25598
PUBLISHED: 2020-09-23
An issue was discovered in Xen 4.14.x. There is a missing unlock in the XENMEM_acquire_resource error path. The RCU (Read, Copy, Update) mechanism is a synchronisation primitive. A buggy error path in the XENMEM_acquire_resource exits without releasing an RCU reference, which is conceptually similar...
CVE-2020-25599
PUBLISHED: 2020-09-23
An issue was discovered in Xen through 4.14.x. There are evtchn_reset() race conditions. Uses of EVTCHNOP_reset (potentially by a guest on itself) or XEN_DOMCTL_soft_reset (by itself covered by XSA-77) can lead to the violation of various internal assumptions. This may lead to out of bounds memory a...
CVE-2020-25600
PUBLISHED: 2020-09-23
An issue was discovered in Xen through 4.14.x. Out of bounds event channels are available to 32-bit x86 domains. The so called 2-level event channel model imposes different limits on the number of usable event channels for 32-bit x86 domains vs 64-bit or Arm (either bitness) ones. 32-bit x86 domains...