Abstract
Taking risks can be an expensive business; in an increasingly complex regulatory
environment, driven in part by evolving cyber-security threats, how can
organizations remain compliant, current and secure? ... One answer is automation;
software tools exist that can dramatically reduce the administrative burden facing
IT departments, those responsible for Database and ERP Application Support. This
White Paper presents typical scenarios faced by such organizations and explains
the opportunities for greater efficiency and speed in the Oracle software lifecycle.
Executive Summary
Today, more than ever, Oracle customers are confronting a growing number of regulations and an
exponential growth in cyber-attacks. The impact of a cyber breach has a long tail cost distribution
which masks the true financial exposure most organizations have. In order to mitigate risk, they need
to manage two dichotomous scenarios: (a) maintaining the highest level of compliance with a rapidly
expanding number of databases, and (b) reducing operating costs and providing better visibility of the
Oracle assets.
However, managing Oracle, with its monopolistic vision of enterprise applications and high total cost
of ownership, presents some unique challenges. Until now there has been a limited choice of vendors
capable of reducing the complexity and cost of Oracle Compliance - when viewed through the lens
of competing, integrated products for other platforms that have better functionality and value.
The study will show that patchVantage can dramatically cut costs, reduce downtime and accelerate
delivery of new releases to the end user.
Oracle Automated Patching ROI
About patchVantage
patchVantage is enabling security-as-a-service using automation technology which keeps
Oracle Databases, WebLogic and EBS Applications current, secure and compliant. Our
aim is to help organizations focus on innovation and let us manage the business of security
and maintenance.
Our REST API can compress complex security updates into a single command.
Introduction
With more than 310,000 customers, the Oracle Database has been widely recognized as the leading
database for almost 40 years. It is mature and stable but also contains many innovative features to
support your business requirements. It is used in notable critical industries, such as the National Grid
and the SWIFT banking system.
However, there are several pain points for many Oracle customers - primarily the cost of ownership
(TCO) and security. In fact, Oracle Database and Applications have features more in common with a
legacy system (see Table 1). This is sometimes referred to as the "Oracle Complexity Tax" or
"Technical Debt" because there is a resistance to change.
Another significant challenge is the importance of cyber security. The idea that attacks are
increasingly likely – and perhaps inevitable – is forcing companies to mitigate IT security risks and
threats. There is also the misconception that the impact of a cyber-attack is mostly shaped by what
companies report publicly. This is dominated by reporting of personal information theft and incident
management. However, the most severe costs are less obvious, such as loss of intellectual property,
data destruction, downtime of core operations and loss of business.
In fact, according to Deloitte (Beneath the Surface of a Cyber Attack), a breach can cost
billions of dollars. They identify 14 impact factors which can be used to quantify the real costs. The
integration of cyber and valuation principles provides a better insight that should inform an
organization about how to plan for cyber incidents. Another report, commissioned by CGI and Oxford
Economics, developed a rigorous model to show the long-term effect of a breach on the company’s
share price (Cyber-Value Connection).
The first objective of this study is to illustrate how the cost and complexity for the Oracle Customer
can be significantly reduced using automation. The second takeaway is to demonstrate that even
small amounts of risk reduction can significantly reduce financial exposure. We then explain how
the product can reduce risk in 3 key areas: Operational Velocity, Limit Data Controllers and Precise
Unified Compliance Reporting.
Enterprises who implement management and monitoring tools tend to be more engaged with the
complex issues around security, governance and compliance. Keeping environments up-to-date is
not a simple task. Organizations not using automation will require significantly more effort to
manage their workload.
The scenarios also depict organizations which have bigger footprints, both in terms of the sheer
numbers as well as capacity. These organizations run in excess of 4 different set configurations of
patched databases/applications in production, pre-production, test and development.
Data                            Values
Deployment                      On-Premise and Public Cloud
Infrastructure Growth           20%
Number of Databases             80
Number of WebLogic Instances    320
DBA to Environment Ratio        1:25
Issues                          Compliance and Minimal Downtime
Versions                        12c, 19c on Linux
patchVantage Solutions          RDBMS and WebLogic Accelerator, API
Ancillary Solutions             Data Masking and Rapid Clone
The new autonomous database was a response to an existing service offered by Amazon (RDS). It
is supposed to be free, but since most customers are on earlier versions of the database
there will clearly be an upgrade cost plus a migration cost, quickly followed by Cloud lock-in. It claims to
have high availability, but this is only true for mission critical applications and requires a standby
system which incurs 2X subscription costs. There are also restrictions involved in patching the
autonomous database which may not be suitable for all organizations. Finally, it does not apply to
applications like WebLogic.
Below are some costs and comparisons which complete the analysis.
Assuming 20% Infrastructure growth, this cost rises substantially. Our solution is subscription-based,
has no capital outlay and is a fraction of the cost of Oracle’s Lifecycle Manager.
Patching Restrictions
Downtime Reduction
1.5 Overview
Downtime can be costly as it leads to a loss of productivity, customer churn and damage to brand -
Gartner estimates the costs can be as high as 6500 USD/minute. In addition, technology
companies may be offering highly customized SaaS solutions that are contingent on Oracle
patches. Therefore, in addition to security needs, the overall package requires regular upgrades as
quickly as possible to provide a competitive solution.
So, an important reason for using automation is reducing the amount of planned downtime. If a
customer has a RAC cluster, it makes use of rolling upgrades to eliminate downtime. The same
applies to WebLogic, as the product detects rolling patches and can upgrade without loss of service.
However, many Oracle databases are not clustered because of the technical complexity and cost. In
such cases automation can still substantially reduce planned downtime.
Using the RDBMS patch cycle as an example can illuminate the benefits (the WebLogic cycle is
comparable). We compare one DBA patching 80 databases sequentially with parallel
automated patching.
Phase                      Manual    Elapsed    Automation    Elapsed     Downtime Reduction
Download & Upload Patch    5         400        1             1
Upgrade opatch             15        1200       2             2
Stop Database              2         160        1.5           1.5         40
Apply Patch                5         400        2             2           240
Start Database             2         160        1.5           1.5         40
Apply DataPatch            4         320        1             1           240
Update History & Notify    2         160        0.25          0.25
Totals                     35Mins    47Hours    9.25Mins      9.25Mins    9.3Hours
DBAs are not highly efficient and human factors come into play, which is totally normal and expected.
Set periods of downtime for contingency of not less than 30 minutes, and probably more like one hour,
would be the norm. This will substantially increase the negative impact on the business.
patchVantage also maintains accurate timings of every patch applied, so it’s mostly possible to
predict the downtime impact and overall duration of a patch - helpful insights for managers.
In summary, the product is integrated with Oracle’s Clustering to reduce downtime where possible,
but even aside from that, the speed and accuracy of patching automation provide genuine business benefits.
Continuous Deployment
1.6 Overview
The product has the capability to push patches from a master (which has been tested and
approved) to many other Databases or WebLogic Applications. This is possible because each time
the product applies a patch to one database it maintains a record of whether this patch is MISSING
or APPLIED relative to all the other databases.
It’s also possible to roll back patches from databases; this is necessary because of patch conflicts.
When developing complex Oracle applications, patches are usually an important part of the
release. This feature will facilitate rapid and accurate upgrades that can be integrated with your
release management system to ensure builds are deployed on time and without issues.
To complement the web interface there is also an easy-to-use single line API command.
Any organization that is heavily involved in developing core Oracle applications will gain a
significant edge using this feature because it will reduce development times and bring their product
to the market faster.
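The MISSING/APPLIED record described in this section can be illustrated with a small drift report, added here as an example and not patchVantage's own code or API. It assumes each Oracle home's patch inventory is available as `opatch lspatches` text (patch id, semicolon, description); host names, patch ids and descriptions are constructed.

```python
# Added example: patch drift relative to an approved master inventory.
# All hosts, patch ids and inventory text below are constructed sample data.
import re

PATCH_LINE = re.compile(r"^(\d+);(.*)$")

def parse_lspatches(text):
    """Return {patch_id: description} from `opatch lspatches`-style text."""
    patches = {}
    for line in text.splitlines():
        m = PATCH_LINE.match(line.strip())
        if m:  # blank lines and status lines such as "OPatch succeeded." are skipped
            patches[m.group(1)] = m.group(2).strip()
    return patches

def drift_report(master, targets):
    """Mark every master patch APPLIED or MISSING on each target; list extras."""
    report = {}
    for name, inv in targets.items():
        status = {pid: ("APPLIED" if pid in inv else "MISSING") for pid in master}
        extras = sorted(set(inv) - set(master))  # not on master: review before any rollback
        report[name] = {"status": status, "extra": extras}
    return report

def push_plan(report):
    """Targets that still need patches from the master, with the ids to apply."""
    plan = {}
    for name, entry in report.items():
        missing = sorted(p for p, s in entry["status"].items() if s == "MISSING")
        if missing:
            plan[name] = missing
    return plan

MASTER = """10000002;OJVM RELEASE UPDATE (constructed)
10000001;Database Release Update (constructed)

OPatch succeeded."""
TARGETS = {
    "db-test-01": "10000001;Database Release Update (constructed)\n\nOPatch succeeded.",
    "db-dev-07": "10000002;OJVM RELEASE UPDATE (constructed)\n"
                 "10000001;Database Release Update (constructed)\n"
                 "10000009;One-off fix (constructed)\n\nOPatch succeeded.",
    "db-prod-03": "No interim patches listed (constructed).\n\nOPatch succeeded.",
}

if __name__ == "__main__":
    master = parse_lspatches(MASTER)
    report = drift_report(master, {n: parse_lspatches(t) for n, t in TARGETS.items()})
    for host, ids in push_plan(report).items():
        print(host, "MISSING", ids)
```

Patches found on a target but not on the master are reported separately, since they are the ones to check for conflicts before a push.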
We quantify how the three components Operational Velocity, Data Controller Limits and Compliance
Reporting reduce risk. These components can only be improved through automation.
Garrett Bekker, a cybersecurity analyst at 451 Research, says managing cyber risks from third-party
vendors is becoming a “huge problem” for big firms. Some large enterprises are demanding that
suppliers’ cyber risk can be quantified. This has led to another way of measuring cyber-risk called
FICO® Enterprise Security Score. Since patching frequency is a component of this metric,
automated patching will elevate the score.
If the organization is heavily involved in development and patches are a vital component of
the configuration management, then operational velocity will be a key metric.
Limit Data Controllers applies the Least Privilege concept. It reduces the insider threat and
manual errors, and holds historical information on all administrator activity. There is no need
to store or provide passwords and any access to databases is limited to a chosen few.
DBAs can be monitored and de-activated using our APIs, which can be integrated with a
company’s HR system.
SMS/E-Mail Notification
Table 12 Enterprise reports which are intuitive for both operations management and auditors
In order to evaluate the return on a security investment (ROSI) it is first important to calculate the
cost of an incident – referred to as the Single Loss Expectancy (SLE). Incident costs fall into two
categories: Direct and Indirect. In this document we use the model from Deloitte called “Beneath the
surface of a cyber-attack” because it is an industry-leading audit and consulting firm with a
specialization in Cyber Risk Services. The model also allows the reader to adjust the parameters to
any business in any industry and derive a reasonable estimate.
Increasingly, companies are talking about a "cloud-first" strategy for some projects. What this
means from a data security perspective is that there are more attack vectors that leave
organizations susceptible to data breaches. The biggest cost factor for breaches in the US
stemmed from lost business, such as customer turnover, system downtime, and business
disruption. There is a “long tail” distribution of costs that masks the true impact of a cyber breach.
Any organization that is heavily dependent on Oracle, and especially those with Cloud deployments,
should consider automating software security updates. This is because it negates the insider threat,
accelerates vulnerability remediation and dramatically improves reporting to avoid missing
security patches and serious incidents like the Equifax Breach.
ROSI
55% of DBAs consider improving security a top challenge
Figure 5 Source: Unisphere Research
Figure: Incident timeline (phases: incident triage, impact management, business recovery; marker: incident discovery)
Incident triage efforts comprise <10% of total impact. Recovery stretches over years.
Months or years
• Repair damage to the business
• Re-design processes and assets
Days or weeks
• Stop compromises in progress
• Remediate security controls
• Communicate with customers, partners, and other external parties
• Address disruption and business continuity issues
Conclusions
Companies who use the Oracle Database value uptime, stability and scalability. However, it’s the
applications connected with Oracle that are most important to a business. WebLogic is lightweight,
extremely user friendly and allows a lot of flexibility, but all this comes at a cost in terms of
maintenance, customizations and security.
Cybersecurity is only as strong as the weakest link, so it is necessary for Oracle customers to
maintain Compliance at the highest level and still overcome the prohibitive complexity tax that comes
with Oracle.
Additionally, as enterprises scale up their use of the public cloud, they must rethink how they protect
data and applications. The public cloud disrupts security models built over years. They will need to
evolve their cybersecurity practices dramatically in order to consume public cloud services in a way
that enables them to both protect data and exploit the speed and agility these services provide.
Delays in creating and securing databases will attenuate the public cloud's agility and reduce
developer productivity.
The velocity at which attacks transpire is also driving the need for automation. Software firms that
deliver specialized SaaS solutions to meet the ever-changing demands of their customer base will
welcome rapid deployments of Oracle patches as part of their configuration management.
patchVantage has unique capabilities to help firms deliver innovation quickly to their customers.