Application Security // Web Application Firewall

3/22/2017 03:03 PM
Curtis Franklin

Security Takes the Stage at Oracle Industry Connect

Security is a supporting player at Oracle Industry Connect. Is it hero or villain to the assembled customers and partners?

When security is mentioned at an IT industry conference, it's normal to say, "Security took center stage." At Oracle Industry Connect in Orlando, Fla., it would be more correct to say that security was hanging out in the crowd stage-left, in a role with a credit two-thirds of the way down the billing. In other words, security made the stage but it was in a small, mostly non-speaking role.

In a series of sessions that all point in the direction of moving every function, service and customer to a cloud infrastructure, security was generally seen as a solved problem. In his Tuesday afternoon keynote discussion, Oracle CEO Mark Hurd was asked whether security had transitioned from an issue that kept companies out of the cloud to one that is part of the justification for moving to a cloud infrastructure. He agreed that this has, in fact, become the case for Oracle customers.

"I do think the security levels in our cloud are so much higher than you could ever achieve in your own environment on-premise," Hurd said. The reasons for this, he said, have to do with expertise, technology and infrastructure size. "When you get into these environments it's very hard to secure all of this at scale," he explained.

One of the factors that allows Oracle to provide security at scale, Hurd said in a Q&A session with journalists and analysts, is simplicity. "Our cloud is literally one configuration. We have to secure that one environment," he said. Hurd expanded on the "one environment" statement by saying that the entire Oracle cloud is built on one version of operating system, one version of one database manager and one Oracle-defined hardware platform. A patch or update to the "master" software image can be quickly propagated across the entire cloud.

Hurd contrasted the Oracle cloud with the situation faced by many customers. "Our customers have to secure tens of servers, tens of operating systems, tens of databases and they tend to be 14 to 18 months behind us in patching," he said. As a result, "We're going to do security better. It's simpler; we have the technology."

On the second day of the conference, the heads of Oracle's global business units (GBUs) were asked about security as part of a group Q&A session with journalists and analysts. Sonny Singh, SVP and GM of Oracle's financial services global business unit, said that his group addresses security through three broad initiatives. First, he said, they can "...leverage underlying platforms with inherent security built in." He explained that this involves the security features of the cloud platform as well as the streamlined infrastructure Hurd spoke of.

Next, Singh said, they are required to have definitive processes that can demonstrate compliance with the myriad regulations and laws under which financial institutions operate around the world. Finally, he said, "We partner with the other GBUs. We can learn on a very quick cycle from the other units." Hurd referenced something similar in talking about Oracle's ability to learn from its customers when he said, "Our customers, on average, will get attacked a lot. We see all sorts of tricks and innovation and we patch to that."

All of the advancements and advantages that come from Oracle's approach to security are critical, Singh said, because demand is rising in lockstep with customers' shift to the cloud. "Scrutiny has gone up with the move to the cloud," Singh said. "The security onus has shifted from the customer to Oracle." It's a contractual and regulatory spotlight that grows brighter for security, a player that has moved out of the wings and is inching closer to center stage.

— Curtis Franklin, Security Editor, Light Reading
