
Business Value of Oracle Automated Patching

Oracle Enterprise Customer Perspective

Abstract
Taking risks can be an expensive business; in an increasingly complex regulatory
environment, driven in part by evolving cyber-security threats, how can
organizations remain compliant, current and secure? One answer is automation;
software tools exist that can dramatically reduce the administrative burden facing
IT departments, those responsible for Database and ERP Application Support. This
White Paper presents typical scenarios faced by such organizations and explains
the opportunities for greater efficiency and speed in the Oracle software lifecycle.
CONTENTS

Executive Summary
About patchVantage
Introduction
Cost Reduction (ROI)
1.1 Overview
1.2 Scenario – Technology provider for Financial Services
1.3 Financial Analysis ROI
1.4 Competitor Analysis
Downtime Reduction
1.5 Overview
Continuous Deployment (DevOps)
1.6 Overview
Risk Reduction (ROSI)
1.7 Overview
1.8 How Risk Reduction is Achieved using patchVantage
1.9 Risk Model
Conclusions

Oracle Automated Patching ROI

Executive Summary
Today, more than ever, Oracle customers are confronting a growing number of regulations and an
exponential growth in cyber-attacks. The impact of a cyber breach has a long tail cost distribution
which masks the true financial exposure most organizations have. In order to mitigate risk, they need
to manage two dichotomous scenarios: (a) maintaining the highest level of compliance with a rapidly
expanding number of databases, and (b) reducing operating costs and providing better visibility of the
Oracle assets.

The situation is compounded by regulation such as GDPR, which increases pressure on IT
departments in activities such as duplication of live production data and security patching, both of
which are disruptive, time-consuming processes. Additionally, as enterprises scale up their use of the
public cloud, they must rethink how they protect data and applications. The public cloud disrupts
security models built over years. They will need to evolve their cybersecurity practices dramatically
in order to consume public cloud services in a way that enables them to both protect data and exploit
the speed and agility these services provide.

However, managing Oracle, with its monopolistic vision of enterprise applications and high total cost
of ownership presents some unique challenges. Until now there has been a limited choice of vendors
capable of reducing the complexity and cost of Oracle Compliance - when viewed through the lens
of competing, integrated products for other platforms that have better functionality and value.

The study will show that patchVantage can dramatically cut costs, reduce downtime and accelerate
delivery of new releases to the end user.

• More than 500% ROI compared to manual patching solutions
• Potential 95% reduction in downtime for non-clustered databases or applications
• 100% downtime reduction for clustered databases or applications
• Faster upgrades leading to improved time-to-market and better service levels
• Faster vulnerability remediation reduces risk and financial exposure
• Accurate and immediate compliance reporting reduces risk and financial exposure
• Less privileged access to data and tighter controls mean less risk and financial exposure
• Cost over 5 years is between 10-20% of comparable Oracle Solution (Subscription, no CAPEX)

Figure 1: Security has been a User’s top concern regarding the Cloud (Source: Oracle Applications Users Group)


About patchVantage
patchVantage is enabling security-as-a-service using automation technology which keeps
Oracle Databases, WebLogic and EBS Applications current, secure and compliant. Our
aim is to help organizations focus on innovation and let us manage the business of security
and maintenance.
Our REST API can compress complex security updates into a single command.


Introduction
With more than 310,000 customers using the Oracle Database, it has been widely recognized as the
leading database for almost 40 years. It is mature and stable but also contains many innovative
features to support your business requirements. It’s used in notably critical industries such as the
National Grid and the SWIFT Banking system.

However, there are several pain points for many Oracle customers - primarily the cost of ownership
(TCO) and security. In fact, Oracle Database and Applications have features more in common with a
legacy system (see Table 1). This is sometimes referred to as the "Oracle Complexity Tax" or
"Technical Debt" because there is a resistance to change.

Table 1 Features of a Legacy System

• Time-consuming and expensive maintenance
• Costly Support – Many Oracle customers on Sustained Support
• Integration with other systems complex
• Business processes typically work around, rather than vice versa

Another significant challenge is the importance of cyber security. The idea that attacks are
increasingly likely – and perhaps inevitable – is forcing companies to mitigate IT security risks and
threats. There is also the misconception that the impact of a cyber-attack is mostly shaped by what
companies report publicly. This is dominated by reporting of personal information theft and incident
management. However, the most severe costs are less obvious such as loss of intellectual property,
data destruction, downtime of core operations and loss of business.

In fact, according to Deloitte (Beneath the Surface of a Cyber Attack), a breach can cost
billions of dollars. They identify 14 impact factors which can be used to quantify the real costs. The
integration of cyber and valuation principles provides a better insight that should inform an
organization about how to plan for cyber incidents. Another report commissioned by CGI and Oxford
Economics developed a rigorous model to show the long term effect of a breach on the company’s
share price (Cyber-Value Connection).

The first objective of this study is to illustrate how the cost and complexity for the Oracle Customer
can be significantly reduced using automation. The second takeaway is to demonstrate that even
small amounts of risk reduction can significantly reduce financial exposure. We then explain how
the product can reduce risk in 3 key areas: Operational Velocity, Limit Data Controllers and Precise
Unified Compliance Reporting.


Cost Reduction (ROI)


1.1 Overview
The scenario presented represents a typical Oracle customer which runs mission-critical
applications and must balance cost, availability and security. Frantic development cycles and the
accelerated rate of business innovation require that data and insights be available at a moment’s
notice. In today’s climate rolling out new products and services is critical to staying ahead of the
competition. To do this, organizations need to rely on their applications and IT services. Behind the
scenes are the administrators managing it all.

Enterprises who implement management and monitoring tools tend to be more engaged with the
complex issues around security, governance and compliance. Keeping environments up-to-date is
not a simple task. Organizations not using automation will require significantly more effort to
manage their workload.

The scenarios also depict organizations which have bigger footprints, both in terms of the sheer
numbers as well as capacity. These organizations run in excess of 4 different patch configurations
of databases/applications across production, pre-production, test and development.

1.2 Scenario – Technology provider for Financial Services


The sample organization is one of the world's leading providers of integrated, modern core software
solutions for the global insurance industry. It relates to the fast-growing “Insuretech” sector, with a strong
focus on agility and giving insurers options to replace legacy systems and provide better customer
engagement. It is increasing its use of the public cloud and offering customers hosting services.
Compliance and Security are also key, with a major focus on GDPR & POPIA. As the company grows
it needs to ensure no reduction in the response to new business requirements and provide high levels
of security with minimal downtime, without escalating costs. WebLogic is also central to product
development, and delivering fixes and upgrades quickly will reduce delivery times and increase
productivity.

Table 2 Key Scenario Parameters US Health Insurer

| Data | Values |
|---|---|
| Deployment | On-Premise and Public Cloud |
| Infrastructure Growth | 20% |
| Number of Databases | 80 |
| Number of WebLogic Instances | 320 |
| DBA to Environment Ratio | 1:25 |
| Issues | Compliance and Minimal Downtime |
| Versions | 12c, 19c on Linux |
| patchVantage Solutions | RDBMS and WebLogic Accelerator, API |
| Ancillary Solutions | Data Masking and Rapid Clone |


1.3 Financial Analysis ROI


The analysis reveals the capabilities of the product to automate existing tasks and perform work that
could not be done before. The ROI increases in line with growth because of price breaks and
scalability of the product. The cost of the DBA is estimated at $94,000 (Glassdoor) with about 40%
added for benefits, with wage growth estimated at 2.8%. There is also a management overhead in the
co-ordination of DBAs for large scale patching plus maintaining patch history, which is very difficult
to do manually with high volumes of databases.

Table 3 Scenario – 80 Oracle Databases (USD)

| Projected Benefit | Year 1 | Year 2 | Year 3 | Year 4 | Year 5 | Totals |
|---|---|---|---|---|---|---|
| # of Databases | 80 | 96 | 115 | 138 | 166 | |
| Product RDBMS-DBA Ratio | 100 | 119 | 141 | 169 | 201 | |
| Price Per Unit | 938 | 933 | 928 | 923 | 915 | |
| Subscription Cost | 75,040 | 89,568 | 106,906 | 128,287 | 153,944 | 553,744 |
| Product Savings | 315,840 | 410,356 | 527,711 | 673,268 | 853,643 | 2,780,819 |
| Management Savings | 21,056 | 25,975 | 32,042 | 39,527 | 48,761 | 167,362 |
| Net Savings | 261,865 | 346,763 | 452,848 | 584,509 | 748,460 | 2,394,437 |
| ROI | 349% | 387% | 424% | 456% | 486% | 432% |

Table 4 Scenario – 320 Oracle WebLogic (USD)

| Projected Benefit | Year 1 | Year 2 | Year 3 | Year 4 | Year 5 | Totals |
|---|---|---|---|---|---|---|
| # of Databases | 320 | 384 | 461 | 553 | 664 | |
| Product WL-DBA Ratio | 100 | 119 | 142 | 169 | 201 | |
| Price Per Unit | 625 | 610 | 590 | 570 | 550 | |
| Subscription Cost | 200,000 | 234,240 | 271,872 | 326,246 | 391,496 | 1,423,854 |
| Product Savings | 982,613 | 1,295,096 | 1,683,614 | 2,166,040 | 2,764,426 | 8,891,789 |
| Management Savings | 70,187 | 86,582 | 106,808 | 131,758 | 162,537 | 557,872 |
| Net Savings | 852,800 | 1,147,438 | 1,518,550 | 1,971,552 | 2,535,467 | 8,025,807 |
| ROI | 426% | 490% | 559% | 604% | 648% | 564% |

Figure 1: On average DBAs manage around 25 Databases each (Source: Unisphere Research)


1.4 Competitor Analysis


The closest competitors are Oracle Enterprise Manager and Oracle Autonomous Database. Enterprise
Manager requires special packs that must be specifically licensed against each server. Most DBAs
consider it to be a very expensive product and difficult to learn.

The new autonomous database was a response to an existing service offered by Amazon (RDS). It
is supposed to be free, but since most customers are on earlier versions of the database
there will be an upgrade cost plus a migration cost, quickly followed by Cloud lock-in. It claims to
have high availability, but this is only true for mission critical applications and requires a standby
system which incurs 2X subscription costs. There are also restrictions involved in patching the
autonomous database which may not be suitable for all organizations. Finally, it does not apply to
applications like WebLogic.

Below are some costs and comparisons which complete the analysis.

Table 6 Cost Comparison with Enterprise Manager in Cores (USD)

| Oracle Management Pack | Quantity | Cores | Price | Cost | Support | Total |
|---|---|---|---|---|---|---|
| Lifecycle Manager RDBMS | 80 | 40 | 12000 | 480,000 | 105,600 | 585,600 |
| Lifecycle Manager WebLogic | 320 | 160 | 12000 | 1.92m | 422,400 | 2.34m |

** Core calculation based on Oracle’s study by Forrester, lowered to 0.5 cores/DB for impartiality

Assuming 20% Infrastructure growth this cost rises substantially. Our solution is a subscription which
has no capital outlay and is a fraction of the cost of Oracle’s Lifecycle Manager.

Table 7 Cost Factors and Restrictions with Autonomous Database

• Not available for WebLogic Applications
• Patching Restrictions
• Upgrade Cost to 19c as most sites are still on 12c
• Migration costs to Cloud
• Cloud Vendor Lock
• 99.9% Downtime only available on mission critical with standby at 2X cost


Downtime Reduction
1.5 Overview

Downtime can be costly as it leads to a loss of productivity, customer churn and damage to brand.
Gartner estimates the costs can be as high as 6,500 USD/minute. In addition, technology
companies may be offering highly customized SaaS solutions that are contingent on Oracle
patches. Therefore, in addition to security needs, the overall package requires regular upgrades as
quickly as possible to provide a competitive solution.

So, an important reason for using automation is reducing the amount of planned downtime. If a
customer has a RAC cluster, the product makes use of rolling upgrades to eliminate downtime. The same
applies to WebLogic, as the product detects rolling patches and can upgrade without loss of service.
However, many Oracle databases are not clustered because of the technical complexity and cost. In
such cases automation can still substantially reduce planned downtime.

Using the RDBMS patch cycle as an example can illuminate the benefits (the WebLogic cycle is
comparable). We compare one DBA patching 80 Databases sequentially with parallel
automated patching.

Table 8 – Patch Cycle Analysis time in Minutes – patch is < 1MB

| Phase | Manual | Elapsed | Automation | Elapsed | Downtime Reduction |
|---|---|---|---|---|---|
| Download & Upload Patch | 5 | 400 | 1 | 1 | |
| Upgrade opatch | 15 | 1200 | 2 | 2 | |
| Stop Database | 2 | 160 | 1.5 | 1.5 | 40 |
| Apply Patch | 5 | 400 | 2 | 2 | 240 |
| Start Database | 2 | 160 | 1.5 | 1.5 | 40 |
| Apply DataPatch | 4 | 320 | 1 | 1 | 240 |
| Update History & Notify | 2 | 160 | 0.25 | 0.25 | |
| Totals | 35 Mins | 47 Hours | 9.25 Mins | 9.25 Mins | 9.3 Hours |

Some salient points are worth mentioning:

• Even small differences in efficiency result in large downtime savings - 9.3 Hours
• Patching manually means it can take 6 working days to resolve a security vulnerability
• For development it can mean waiting 6 working days to provide a solution

DBAs are not highly efficient and human factors come into play, which is totally normal and expected.
Set periods of downtime for contingency of not less than 30 minutes, and probably more like one hour,
would be the norm. This will substantially increase the negative impact on the business.

patchVantage also maintains accurate timings of every patch applied, so it’s mostly possible to
predict the downtime impact and overall duration of a patch, which gives managers helpful insights.

In summary the product is integrated with Oracle’s Clustering to reduce downtime where possible,
but, clustering aside, the speed and accuracy of patching automation provide genuine business benefits.


Continuous Deployment
1.6 Overview

The product has the capability to push patches from a master (which has been tested and
approved) to many other Databases or WebLogic Applications. This is possible because each time
the product applies a patch to one database it maintains a record of whether this patch is MISSING
or APPLIED relative to all the other databases.

MASTER Software Release

| RDBMS | Patch | Status | Version | Function |
|---|---|---|---|---|
| CRM | 2799112 | MISSING | 18.1 | Development |
| CRM | 2028444 | APPLIED | 18.1 | Pre-Production |
| CRM | 2195541 | APPLIED | 18.1 | Test |
| HR | 2805332 | MISSING | 18.1 | Test |
| HR | 2713551 | APPLIED | 18.1 | Development |

Table 9 – Meta Data collection easily allows synchronization in a click

It’s also possible to roll back patches from databases; this is necessary because of patch conflicts.

When developing complex Oracle applications, patches are usually an important part of the
release. This feature will facilitate rapid and accurate upgrades that can be integrated with your
release management system to ensure builds are deployed on time and without issues.

To complement the web interface there is also an easy-to-use single line API command.

Any organization that is heavily involved in developing core Oracle applications will gain a
significant edge using this feature because it will reduce development times and bring their product
to the market faster.
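
The MISSING/APPLIED record keeping described in this section can be sketched as follows. This is an added example, not patchVantage code or its API: the target names, patch ids and inventory are constructed, and the checks for targets without a master and for patches applied outside the master go beyond what the paper describes.

```python
"""Patch status of each target relative to an approved master (constructed data)."""
from dataclasses import dataclass

MISSING, APPLIED = "MISSING", "APPLIED"


@dataclass(frozen=True)
class Target:
    name: str            # hypothetical database name
    app: str             # application the database serves, e.g. CRM
    function: str        # Development / Test / Pre-Production
    version: str
    applied: frozenset   # patch ids recorded as applied on this target


# Constructed sample: tested and approved patch list per (application, version).
MASTER = {
    ("CRM", "18.1"): ["P1001", "P1002", "P1003"],
    ("HR", "18.1"): ["P2001", "P2002"],
}

# Constructed sample inventory; patch ids are placeholders, not Oracle patch numbers.
INVENTORY = [
    Target("crm-dev", "CRM", "Development", "18.1", frozenset({"P1001"})),
    Target("crm-test", "CRM", "Test", "18.1",
           frozenset({"P1001", "P1002", "P1003"})),
    Target("crm-pre", "CRM", "Pre-Production", "18.1",
           frozenset({"P1001", "P1002", "P9999"})),
    Target("hr-test", "HR", "Test", "18.1", frozenset({"P2001"})),
    Target("hr-dev", "HR", "Development", "12.2", frozenset({"P2001", "P2002"})),
]


def status_rows(master, inventory):
    """One (target, patch, status) row per master patch, in the style of Table 9."""
    rows = []
    for t in inventory:
        baseline = master.get((t.app, t.version))
        if baseline is None:
            continue  # no approved master for this app/version, see unmanaged()
        for patch in baseline:
            rows.append((t.name, patch, APPLIED if patch in t.applied else MISSING))
    return rows


def push_plan(master, inventory):
    """Patches to push to each target, in master order; in-sync targets are omitted."""
    plan = {}
    for name, patch, status in status_rows(master, inventory):
        if status == MISSING:
            plan.setdefault(name, []).append(patch)
    return plan


def unmanaged(master, inventory):
    """Targets with no master, and patches applied that the master does not contain."""
    no_baseline = [t.name for t in inventory if (t.app, t.version) not in master]
    extra = {}
    for t in inventory:
        baseline = master.get((t.app, t.version))
        if baseline is not None and t.applied - set(baseline):
            extra[t.name] = sorted(t.applied - set(baseline))
    return no_baseline, extra


def compliance_percent(master, inventory):
    """Share of (target, master patch) pairs that are APPLIED."""
    rows = status_rows(master, inventory)
    if not rows:
        return 0.0
    return round(100 * sum(r[2] == APPLIED for r in rows) / len(rows), 1)


if __name__ == "__main__":
    for row in status_rows(MASTER, INVENTORY):
        print(*row)
    print("push plan:", push_plan(MASTER, INVENTORY))
    print("unmanaged:", unmanaged(MASTER, INVENTORY))
    print("compliance %:", compliance_percent(MASTER, INVENTORY))
```

Patches found on a target but absent from the master are the ones worth reviewing when a conflict forces a rollback, and a target with no master at all would otherwise drop out of the compliance figure silently.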


Risk Reduction (ROSI)


1.7 Overview
Patching is also a risk management exercise. Estimates vary but it’s recognized that around 80% of
attacks use vulnerabilities for which patches already exist. The statistics also show most attacks use
the most common exploits. Oracle is no exception to vulnerabilities, but the patching lifecycle is more
complex than for other databases and applications. This section tries to explain how the level of risk can
be reduced using the product and how to overcome the technical debt associated with Oracle.

We quantify how the three components Operational Velocity, Data Controller Limits and Compliance
Reporting reduce risk. These components can only be improved through automation.

Garrett Bekker, a cybersecurity analyst at 451 Research, says managing cyber risks from third-party
vendors is becoming a “huge problem” for big firms. Some large enterprises are demanding that
suppliers’ cyber risk be quantified. This has led to another way of measuring cyber-risk called the
FICO® Enterprise Security Score. Since patching frequency is a component of this metric,
automated patching will elevate the score.

1.8 How Risk Reduction is Achieved using patchVantage


Operational Velocity is all about reducing the timeframe for the patch window and closing
the vulnerability gap by reducing the patch cycle time and patching many environments
concurrently. Also, by reducing downtime and having intelligent scheduling it’s much easier
to sell patch updates. This applies to all instances – any unpatched database is a
vulnerability.

If the organization is heavily involved in development and patches are a vital component of
the configuration management, then operational velocity will be a key metric.

Limit Data Controllers applies the Least Privilege concept. It reduces the insider threat and
manual errors, and holds historical information on all administrator activity. There is no need
to store or provide passwords and any access to databases is limited to a chosen few.

DBAs can be monitored and de-activated using our APIs, which can be integrated with a
company’s HR system.

Precise Compliance Reporting provides intuitive dashboards and formal compliance
reports across the entire Oracle inventory. Reduce the chance of missing a patch by
subscribing to daily reports that alert staff when the Database or WebLogic are missing
critical security patches.


Table 10 How we Reduce Timeframe and Downtime for Installing Patches

Operational Velocity: Patching Oracle RDBMS

• Auto Download Patch from Oracle Support
• Upload Patch to Server (and unzip)
• Perform up to 16 OPatch pre-requisite checks rapidly
• Control Database Shutdown and Startup
• Automated OPatch Version Detection and Upgrade
• Post Database Step Automation
• Intelligent Scheduler can be based on Historical Load
• Log file collection and Audit
• SMS/E-Mail Notification
• Large scale deployment using Gold/Master Image

Figure 2: Managing more Databases per DBA will be a major challenge (Source: Unisphere Research)


Table 11 Understand methods to reduce necessary access to instances

Limit Data Controllers

• Dramatically reduce the number of privileged users. Many fewer DBAs are now required to manage the Oracle stack
• Reduce Misuse of Privileges
• Audit and replay Controllers activity
• Provide Location Data on Controllers (Cloud)
• ROLE based Access and segregation of duties
• Monitor and provision administrators using our REST APIs
• DBAs will no longer have passwords or require them
• Reduce manual errors
• Consistent repeatable operations reduce chance of missing a patch

Figure 3: 80% of organizations had at least one threat caused by an insider over the past 12 months (Source: AT&T Cybersecurity Insights, Insider Threat)


Table 12 Enterprise reports which are intuitive for both operations management and auditors

Compliance Reporting

• Full Inventory Visibility
• Precise Information on Oracle Patch Levels
• Full Compliance Reporting
• Precise Dashboard with Compliance Alerts
• Intuitive Graphical Displays of Patch History
• Reports also available using Web Services (JSON)

Figure 4: 50% of organizations haven’t updated their security strategy in 3+ years (Source: CIO ComputerWorld)


1.9 Risk Model

In order to evaluate the return on a security investment (ROSI) it is first important to calculate the
cost of an incident, referred to as the Single Loss Expectancy (SLE). Incident costs fall into two
categories: Direct and Indirect. In this document we use the model from Deloitte called “Beneath the
surface of a cyber-attack” because they are an industry-leading audit and consulting firm with a
specialization in Cyber Risk Services. The model also allows the reader to adjust the parameters to
any business in any industry and derive a reasonable estimate.

Increasingly, companies are talking about a "cloud-first" strategy for some projects. What this
means from a data security perspective is that there are more attack vectors that leave
organizations susceptible to data breaches. The biggest cost factor for breaches in the US
stemmed from lost business, such as customer turnover, system downtime, and business
disruption. There is a “long tail” distribution of costs that masks the true impact of a cyber breach.

Any organization that is heavily dependent on Oracle, and especially those with Cloud deployments,
should consider automating software security updates. This is because it negates the insider threat,
accelerates vulnerability remediation and dramatically improves reporting to avoid missing
security patches and serious incidents like the Equifax Breach.

ROSI

Figure 5: 55% of DBAs consider improving security a top challenge (Source: Unisphere Research)


Figure: Incident timeline, running from incident discovery through incident triage, impact management and business recovery. Incident triage efforts comprise <10% of total impact; recovery stretches over years.

Incident triage (days or weeks)
• Stop compromises in progress
• Remediate security controls
• Communicate with customers, partners, and other external parties
• Address disruption and business continuity issues

Impact management (weeks or months)
• Create interim infrastructure or operations
• Take or prepare for legal action
• Address regulatory and audit issues
• Manage client, partner, and other relationships

Business recovery (months or years)
• Repair damage to the business
• Re-design processes and assets
• Invest in cyber programs to emerge stronger


Conclusions
Companies who use the Oracle Database value uptime, stability and scalability. However, it’s the
applications connected with Oracle that are most important to a business. WebLogic is lightweight,
extremely user friendly and allows a lot of flexibility, but all this comes at a cost in terms of
maintenance, customizations and security.

Cybersecurity is only as strong as the weakest link, so it is necessary for Oracle customers to
maintain Compliance at the highest level and still overcome the prohibitive complexity tax that comes
with Oracle.

Additionally, as enterprises scale up their use of the public cloud, they must rethink how they protect
data and applications. The public cloud disrupts security models built over years. They will need to
evolve their cybersecurity practices dramatically in order to consume public cloud services in a way
that enables them to both protect data and exploit the speed and agility these services provide.
Delays in creating and securing databases will attenuate the public cloud's agility and reduce
developer productivity.

The velocity at which attacks transpire is also driving the need for automation. Software firms that
deliver specialized SaaS solutions to meet the ever-changing demands of their customer base will
welcome rapid deployments of Oracle patches as part of their configuration management.

patchVantage has unique capabilities to help firms deliver innovation quickly to their customers.

• No Lock-in, works on-premise or with any cloud vendor.
• No requirement to upgrade/migrate databases or accept rigid support agreements.
• Automated discovery facilitates immediate patching
• REST API that can deliver complex security updates in a single command
• Significant cost reductions in the ownership of Oracle
• Engineered to reduce downtime through speed or integration with clustering
• Accurate data collection allows real-time compliance reporting across the Oracle platforms
• Continuous deployment that pushes patches to many Databases or WebLogic Applications
