Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

7/27/2018
12:30 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

'Identity Has Become the Perimeter': Oracle Security SVP

Eric Olden, Oracle's new leader in security and identity, shares how the enterprise tech giant plans to operate in a cloud-first world.

Oracle, a company with a long and storied history in enterprise identity, now faces the challenge of how to adjust its approach to security amid the transition to the cloud.

Much of this responsibility falls to Eric Olden, the company's new senior vice president and general manager of security and identity. Oracle's portfolio comprises, in part, a lineup of identity management and cloud security products that include cloud-based enterprise software and CASB solutions.

Olden, who was previously the founder and CTO of startups including Securant Technologies, Symplified, Deep Content, Launch Sciences, and Brite Content, joined the Oracle team last October. Moving from startups to one of the world's largest software companies, he says, has given him a new perspective on how large businesses handle cybersecurity in the cloud.

"It's really come down to complexity," he says. "With the advent of cloud, we're making this transition as an industry."

Whereas businesses used to be able to build their own data centers to protect their information and applications, and put up firewalls for security, the cloud is forcing them to change their approach, he says. Combined with the fact that most people are going mobile, it's time for defenses to evolve.

"We've pushed the notion of a post-perimeter world where the identity has become the perimeter," Olden says. "It's something I've seen coming for 20-plus years, and now we see it all the time."  

The actual cloud transition, however, has "been almost overnight," he adds. It was only a few months ago when customers realized they didn't want to be left behind and couldn't delay cloud adoption.

Hackers Set Their Sights on Cloud
Once an organization begins its cloud transition, the volume and velocity of data can quickly overwhelm traditional manual approaches, Olden says. Moving to the cloud isn't a pilot project, and it's not something people can constantly watch for security alerts. Businesses are overwhelmed "with a sheer amount of noise," and the ability to detect threats in the chaos can't be done by humans alone, he adds.

Amid that struggle, hackers see the opportunity to exploi vulnerabilities with increasingly sophisticated tool sets and new attack techniques, Olden continues.

"We're past the days of writing a virus," he says, noting how hackers once just wanted to see whether they could pull off a cyberattack. "Now we're talking about very organized operations trying to get identity data. [They] want the keys. Identity data is incredibly sensitive."

Many organizations might feel as if they're bringing a knife to a gunfight when they go up against advanced adversaries. Rather than feeling exposed and outdone, Olden explains, they should aim to reduce the time needed to detect and remediate threats.

Cloud Adoption and Oracle's New Approach
How has Oracle adjusted its security strategy in response to the rise of cloud? Olden first points to the way in which customers receive updates for products such as the Oracle Identity Cloud.

"We can push new capabilities and features into the cloud, and all of our customers get access to them immediately ... that's a game changer," he explains. That's especially true for a company like Oracle, which for a long time abided by the enterprise software model of annual releases and planned upgrades for clients. The cloud has driven the level of agility, Olden says.

Oracle is also buckling down on automation and machine learning across its portfolio. Its CASB tool is an example: Once used to monitor activity in the hybrid cloud and detect abnormal behavior, it can now be used in authentication tools to automatically recognize rogue logins. If a CASB identifies suspicious activity, it can trigger multifactor authentication for the device.

By automating multifactor authentication, Olden says, you reduce the time to detect and remediate threats and eliminate passwords, which are "always the weakest link."

This use case also emphasizes the need to secure identity in a post-perimeter world, which Oracle also explains in its Trust Fabric security model – its approach to securing enterprise computing in the cloud. It's the company's way of securing data and apps in its security lineup.

Looking ahead to the rest of 2018, Olden says he plans to push automation deeper across its portfolio and to more deeply integrate Oracle Identity into the Oracle Cloud with new tools.

"With some of the new product introductions, we'll be talking about more defense-in-depth as we get more of these products reimagined in the cloud era," he says.

Related Content:

 

 

 

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
lunny
50%
50%
lunny,
User Rank: Strategist
7/30/2018 | 12:10:08 PM
It's all in the Cloud
If your enterprise network is connected to the Internet, you're in the cloud whether you want to believe it or not.  It's about proper security configuration.  Is the right/wrong person able to access the data?  On the right/wrong system (server, application, database)?  At the right/wrong time?  From the right/wrong access point?

Your datacenter walls are only as secure as your ability to design, deliver, and ensure effective controls against the ever-growing list of cyber threats.  And there are no insider threats, right?  Right?
When It Comes To Security Tools, More Isn't More
Lamont Orange, Chief Information Security Officer at Netskope,  1/11/2021
US Capitol Attack a Wake-up Call for the Integration of Physical & IT Security
Seth Rosenblatt, Contributing Writer,  1/11/2021
IoT Vendor Ubiquiti Suffers Data Breach
Dark Reading Staff 1/11/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-25533
PUBLISHED: 2021-01-15
An issue was discovered in Malwarebytes before 4.0 on macOS. A malicious application was able to perform a privileged action within the Malwarebytes launch daemon. The privileged service improperly validated XPC connections by relying on the PID instead of the audit token. An attacker can construct ...
CVE-2021-3162
PUBLISHED: 2021-01-15
Docker Desktop Community before 2.5.0.0 on macOS mishandles certificate checking, leading to local privilege escalation.
CVE-2021-21242
PUBLISHED: 2021-01-15
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is a critical vulnerability which can lead to pre-auth remote code execution. AttachmentUploadServlet deserializes untrusted data from the `Attachment-Support` header. This Servlet does not enforce any authentication or a...
CVE-2021-21245
PUBLISHED: 2021-01-15
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, AttachmentUploadServlet also saves user controlled data (`request.getInputStream()`) to a user specified location (`request.getHeader("File-Name")`). This issue may lead to arbitrary file upload which can be used to u...
CVE-2021-21246
PUBLISHED: 2021-01-15
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, the REST UserResource endpoint performs a security check to make sure that only administrators can list user details. However for the `/users/` endpoint there are no security checks enforced so it is possible to retrieve ar...