Dark Reading is part of the Informa Tech Division of Informa PLC


3/22/2017
03:03 PM
Curtis Franklin Jr.

Security Takes the Stage at Oracle Industry Connect

Security is a supporting player at Oracle Industry Connect. Is it hero or villain to the assembled customers and partners?

When security is mentioned at an IT industry conference, it's normal to say, "Security took center stage." At Oracle Industry Connect in Orlando, Fla., it would be more correct to say that security was hanging out in the crowd stage-left, in a role with a credit two-thirds of the way down the billing. In other words, security made the stage but it was in a small, mostly non-speaking role.

In a series of sessions that all point in the direction of moving every function, service and customer to a cloud infrastructure, security was generally seen as a solved problem. In his Tuesday afternoon keynote discussion, Oracle CEO Mark Hurd was asked whether security had transitioned from an issue that kept companies out of the cloud to one that is part of the justification for moving to a cloud infrastructure. He agreed that this has, in fact, become the case for Oracle customers.

"I do think the security levels in our cloud are so much higher than you could ever achieve in your own environment on-premise," Hurd said. The reasons for this, he said, have to do with expertise, technology and infrastructure size. "When you get into these environments it's very hard to secure all of this at scale," he explained.

One of the factors that allows Oracle to provide security at scale, Hurd said in a Q&A session with journalists and analysts, is simplicity. "Our cloud is literally one configuration. We have to secure that one environment," he said. Hurd expanded on the "one environment" statement by saying that the entire Oracle cloud is built on one version of operating system, one version of one database manager and one Oracle-defined hardware platform. A patch or update to the "master" software image can be quickly propagated across the entire cloud.

Hurd contrasted the Oracle cloud with the situation faced by many customers. "Our customers have to secure tens of servers, tens of operating systems, tens of databases and they tend to be 14 to 18 months behind us in patching," he said. As a result, "We're going to do security better. It's simpler; we have the technology."

On the second day of the conference, the heads of Oracle's global business units (GBUs) were asked about security as part of a group Q&A session with journalists and analysts. Sonny Singh, SVP and GM of Oracle's financial services global business unit, said that his group addresses security through three broad initiatives. First, he said, they can "leverage underlying platforms with inherent security built in." He explained that this involves the security features of the cloud platform as well as the streamlined infrastructure Hurd spoke of.

Next, Singh said, they are required to have definitive processes that can demonstrate compliance with the myriad regulations and laws under which financial institutions operate around the world. Finally, he said, "We partner with the other GBUs. We can learn on a very quick cycle from the other units." Hurd referenced something similar in talking about Oracle's ability to learn from its customers when he said, "Our customers, on average, will get attacked a lot. We see all sorts of tricks and innovation and we patch to that."

All of the advancements and advantages that come from Oracle's approach to security are critical, Singh said, because demand is rising in lockstep with customers' shift to the cloud. "Scrutiny has gone up with the move to the cloud," Singh said. "The security onus has shifted from the customer to Oracle." It's a contractual and regulatory spotlight that grows brighter on security, a player that has moved out of the wings and is inching closer to center stage.

— Curtis Franklin, Security Editor, Light Reading
