BUSINESS: Enterprise software and services, including Oracle Database and Grid, Middleware, and CRM, financial, HR, supply chain, and other enterprise applications and On Demand services.
SCOPE: Global - $14.4 billion, 2006
SIZE: 68,000 employees
BUSINESS CHALLENGE: Cost-effectively achieve ongoing IT security and regulatory compliance risk mitigation for its own network and new company acquisitions.
OPERATIONAL HURDLE: Retain control over and security of the vulnerability data it gathers regarding its global IT network.
- Qualys @Customer
- Qualys Enterprise
WHY THEY CHOSE QUALYS:
- Automated on-demand security and vulnerability audits
- Accurate vulnerability and configuration scans, according to Oracle’s in-house testing.
- Its programs are easy to deploy, manage, and operate.
- Qualys @Customer scales to millions of scans per month, and provides Oracle assurance that vulnerability information remains confidential.
- Qualys’ PCI DSS capabilities mean that Oracle can conduct compliance scans for its internal hosting operations.
Oracle Global IT (GIT) Streamlined Security
To further enhance its IT system risk management capabilities, Oracle GIT has deployed an on-demand software vulnerability and compliance management solution that allows Oracle GIT to gain significant efficiencies and enhance the company’s information security. In addition, Oracle GIT can now more efficiently manage the security of highly-sensitive vulnerability information throughout the deployment of its Security Operation Center.
Vulnerability and risk management programs are crucial for Oracle GIT. Oracle GIT not only needs to secure its own vast global network that supports more than 60,000 employees, but it also helps ensure security for its On Demand customers that utilize the Company’s software as a service applications and infrastructure software.
"Qualys helps us to make sure that our network is secure and that our systems, and those of our customers, are hardened as well."
Senior Manager for Oracle's GIT Security Engineering Team
Oracle GIT Seeks Accurate, Scalable Vulnerability Management
Finding, prioritizing, and then eliminating the software vulnerabilities that place business technology systems at risk of attack, and of falling out of regulatory compliance, is a significant and complex operation. Oracle’s IT infrastructure spans the globe, and encompasses multiple data centers, thousands of servers, more than 200 firewalls, 100 load-balancers, and tens of thousands of endpoints. Such diversity required Oracle GIT Security, which is responsible for working with other security teams to implement and maintain the company’s security infrastructure, to find a way to scale and streamline its vulnerability management processes. Oracle GIT needed a solution that was scalable, easy to manage, and accurate. In addition, because much of the information that Oracle GIT manages is proprietary, the company operates under tight privacy mandates.
Accuracy of assessment scans is crucial. Small errors in any report can multiply the amount of time that security analysts must spend separating false positives from actual vulnerabilities in the company’s infrastructure. Leonid Stavnitser, senior manager for Oracle’s GIT security engineering team, explains that for each scan conducted, an analyst could take two hours to review and cleanse the report of errors. “Inaccurate reports add significantly to the actual total cost of ownership of assessment solutions,” he explains.
In order to find the most accurate and secure way to identify and fix vulnerabilities, Stavnitser and his team ran many of the market-leading vulnerability assessment scanners through a series of tests. The first analysis consisted of a blind test in which the evaluation team knew nothing more than the target IP addresses. For the second analysis, the evaluation team was provided details regarding the operating system, applications, and other facts concerning the targeted environment. The goal: understand how each vulnerability management tool fared under all circumstances when it came to accuracy, ease of use, and remedial capabilities.
An Accurate, Secure Solution Prevails
After extensive testing, Stavnitser and his team found the vulnerability and compliance management solution Qualys Enterprise to be an effective solution. With Qualys Enterprise, Oracle GIT Security can monitor the company’s global vulnerability management process, track remediation, and validate policy compliance. With its comprehensive vulnerability KnowledgeBase, which consists of thousands of unique checks, and a six-sigma accuracy rate, Qualys provided the precision Oracle GIT Security sought. Oracle GIT Security now has streamlined control of its vulnerability management life cycle, starting with asset discovery and extending to vulnerability assessments and the tracking of security fixes.
Faster Time to Remediation, Effective Regulatory Compliance
The high accuracy rate and remedial information provided by Qualys slash the amount of time analysts spend identifying and classifying vulnerabilities throughout Oracle’s complex IT network. This was crucial, explains Stavnitser, as Oracle GIT Security performs between 10 and 20 vulnerability assessments each week, so any time wasted analyzing false positives, or other faulty report information, grows extremely costly over the course of a year. Stavnitser estimates that traditional server- or desktop-based scanners would cost his team an additional 2,000 work hours annually if it tried to perform the same number of scans it is able to conduct with Qualys. “We just wouldn’t be able to scale our vulnerability assessment services,” he says.
Oracle GIT has also leveraged the fact that Qualys is fully PCI DSS certified. Some of Oracle On Demand’s hosted clients are merchants that process credit card information for online sales, and they need to be able to demonstrate that they are PCI DSS compliant. One of the key PCI DSS requirements is that a quarterly scan be completed, using an approved assessment tool. “Qualys is one of the vulnerability management solutions certified for PCI DSS compliance. Therefore, by having Qualys in-house, we save ourselves plenty of aggravation and expense because we don’t need to go to a third-party vendor and provide access to our network to conduct the required PCI quarterly scans. We do that ourselves!” says Stavnitser. “Qualys helps us to make sure that our network is secure and that our systems, and those of our customers, are hardened as well.”
Secure and Manageable Vulnerability Information
In order to meet Oracle’s internal security policy and customer security and confidentiality agreements, Oracle GIT required assurance that its vulnerability scan data be kept secure. For that, the team selected Qualys @Customer, the first security solution that provides all of the quality, cost, and deployment benefits associated with software-as-a-service, coupled with the scalability, power, and data control of an onsite Security Operations Center. The Qualys @Customer offering is capable of scaling to conduct millions of scans a month, and can be delivered, installed, and deployed within a day.
Just as with the Qualys on-demand service, the @Customer hardware, software, and security update information is fully managed by Qualys. “@Customer provides us the best of both worlds. We benefit from the same level of managed services, in terms of product upgrades and signature updates, and maintain the control we need over this very sensitive vulnerability data,” says Stavnitser.