If you’re playing Oracle word association, database and enterprise software — not security — probably come to mind. But as its customers move to hybrid cloud environments, the company is capitalizing on its database security and identity management technologies. It’s also folding in a 2016 cloud access security broker (CASB) acquisition and more recent autonomous capabilities. And it’s wrapping these in a security framework it calls Trust Fabric.
The Oracle security makeover started when it hired Eric Olden as its senior vice president and general manager of security and identity in November 2017. Olden previously co-founded and was CEO of cloud identity and access management vendor Symplified. Prior to that, Olden was co-founder and CTO of identity management pioneer Securant Technologies and an architect at ClearTrust.
At Oracle, he oversees identity management, security strategy, and product development.
“What sets us apart at Oracle is that we have a unique position coming into the market with our extensive install base of enterprise customers, and a big focus for us is to give those existing customers a path to the cloud,” Olden said. “We’re tying together things like CASB and identity, bringing those two solutions to play well together. So customers can get the most innovative things in identity and cloud security, and also have the global support that Oracle can uniquely bring.”
CASB Plus Identity
Over the past several months Olden’s been rolling out the company’s Trust Fabric security strategy. The goal is to secure all applications and workloads across environments, from on-premises data centers to public clouds, using an integrated platform approach. It also relies heavily on the automation and machine learning capabilities that Oracle has been building into its product portfolio.
“Trust Fabric is a way for our customers to have a cohesive security strategy that does three things,” Olden said. First, it extends automation to Oracle’s identity and access software and to its CASB.
“An example: our CASB product will monitor user behavior and can detect if something unusual is happening,” he explained. “It can then reach over and talk to our Identity Cloud and trigger a multi-factor adaptive authentication. What that means is instead of customers’ having to respond and react to threats, you can use algorithms and machine learning to automatically detect when something is unusual, and automatically do something about it and prevent the problem from turning into a real threat.”
This speeds the time to detection and the time to fix the problem.
The second part of the Trust Fabric approach is a layered security model. “It’s an approach that starts with data at its core because that’s the key information we are trying to protect,” Olden said.
It encrypts this data and uses key management to secure it. The next layer uses identity and access management to ensure the right people have access to the appropriate data — and prevent unauthorized users and devices from accessing it.
“It’s then wrapped with user monitoring and cloud access visibility,” Olden said. “And then tied together with analytics that allows customers to have a single pane of glass. We’re giving customers a more cohesive way to manage their threats and protect their data.”
Trust Fabric — Because It’s Integrated
The third piece is integration. “That’s where the metaphor of a fabric comes into play,” Olden said.
Oracle is integrating its security products, and it’s already shipping its CASB integrated with Oracle Identity Cloud and on-premises identity management software. It’s also working to integrate these security and identity capabilities with third-party vendors and clouds across Oracle’s software-as-a-service (SaaS), platform-as-a-service (PaaS), and infrastructure-as-a-service (IaaS) environments.
“Customers use a lot of different solutions today and they are not all Oracle,” Olden said. “We’re extending our security and identity to allow customers to not only secure Oracle but also multi-cloud environments.”
And yes, this even includes CTO Larry Ellison’s favorite punching bag: Amazon Web Services (AWS). “Our CASB product is working with third-party cloud platforms today, so you can use it to monitor workloads on AWS as well as Azure and, of course, OCI [Oracle Cloud Infrastructure].”
Oracle Identity Cloud uses standards to integrate with third-party SaaS applications like Salesforce.
‘Total Oracle Security Refocus’
“It’s almost a total refocus for Oracle in security,” said IDC analyst Sean Pike. “But because of the move to the cloud, companies that were more involved with cloud infrastructure and with identity don’t necessarily have to move in the same way a traditional infrastructure security company would have to move to catch up in cloud security. Oracle had some cloud heritage already, some identity heritage already, those are some of the things the security incumbents didn’t have.”
For this reason, Pike said Oracle’s Trust Fabric strategy is “generally a good move.”
While it does compete against security incumbents with technologies like cloud visibility, data loss prevention, key management, and encryption, “at the same time [Trust Fabric is] almost like a wrapper,” Pike said. “Oracle has thought about some of the key offerings that aren’t in security incumbents’ products and they are filling in some gaps, like cloud application firewall and the identity and access management. They’ve created an approach where they can do quite a bit for your security, and they can fill in some of the holes in your existing security solutions.”
Crowded Security Market
The company still has challenges ahead in terms of integrating its technologies and selling its security strategy to customers, Pike added.
“They really are taking a more structured approach to security, which is great,” he said. “But actually being able to tie all those pieces together in such a large company is the challenge.”
Pike added that Oracle is not the only vendor to realize the potential benefit of a unified security platform that stretches from the data center to the cloud. CASB, for example, is becoming an integral piece in every major vendor’s security portfolio.
“It’s not like Oracle woke up and discovered this,” Pike said. “Oracle has the identity background and the key management background that will help them expand. But it’s a crowded field.”