The top 10 security risks in Oracle E-Business Suite

Users may be worried about the obvious security risks associated with putting data in a cloud, but what about those Oracle security risks which aren’t as obvious?

Collaborate ‘09 speaker Jeffrey Hare, CPA, CIA, CSA from ERP Seminars, addressed some of these risks Tuesday in his session, “Top 10 Application Security Risks and Related Best Practices for companies running Oracle E-Business Suite.”

The majority of these application risks described by Hare are internal - so, even if you’re not putting your data out on the internet, you’re certainly not free from unwanted users accessing your systems.

What did Hare list as his the top 10 risks for E-Business Suite users, and what did he recommend for dealing with them?

10. Upgrade risk: To avoid upgrade risks, Hare said end user security should be designed from scratch, using completely custom menus and sub menus. He also advised against using AZN menus.

9. Risk analysis: Hare said it’s important to look at risk analysis holistically, from outside the system to access and processes inside the system. He recommended choosing a risk analysis firm that specialized in E-Business Suite, and to make sure to take into account material risks as well as sub-material risks.

8. Relying on auditors: Be aware that many auditors do not take into account risks of sub-material fraud and often fail to look at the business process holistically. He recommended starting with Procure- to -Play, hire a firm that specializes in fraud risk to do a risk assessment beyond SOX and review their conflict matrix before hiring them.

7. Security changes- Change management process: The change management process is not something you can afford to get wrong, Hare said. It should be very specific and include menus, responsibilities, roles, request groups, functions and profile options.  All security changes should go through a change management process.

6. SQL Forms: All activity in SQL forms should go through the change management process just like an UPDATE SQL statement would, including peer review and code freeze, Hare said. All activity should be audited via trigger or log-based technology.

5. High risk fraud forms: Hare said to be aware of forms subject to high fraud risk such as banks, remit to address, locations and suppliers. Define a procedure for changes and additions such as a form and procedure for new suppliers.

4. Password hacking: Hackers can get into production applications and database accounts via a published exploit code. Hare recommended reading the white paper Oracle applications 11i: Password decryption for solutions.

3. Override of workflow policy: It’s important to have a process in place regarding delegation of authority for processes such as worklist access and vacation rules, Hare said. Figure out the allowable delegation of authority within your company, and audit and trace back your changes.

2. Support personnel access: Lack of inquiry only access and non-production support instance is a problem within organizations, Hare said. He recommends using SysAdmin Views, identify high risk single functions and SOD issues and to take the same precautions with security analysts as with end users.

1. Utilities: diagnostics: Hare stressed that no one should have access to these profile options in the production environment - they should be left off the production environment and go through the change management process.

What risks and/or best practices could you add to this list? If you’re an E-Business Suite or other application user, what has or hasn’t worked in terms of security and what do you think is worth your time and investment?

‘MySQL is not going to die,’ Collaborate speaker claims

One question has been on everyone’s minds since Oracle announced its acquisition of Sun Microsystems:

What is the future of MySQL now that it’s in the hands of Oracle?

This question about the highly popular open source database is being debated in the Oracle and Sun communities — some are insistent that Oracle won’t kill MySQL, but other open source executives are split. Some point out that this is Oracle’s chance to innovate and prove it’s serious about open source; however, the software giant has not shown a commitment in the past to open source even as it’s grown in popularity, according to the ZDNet article.

Collaborate ‘09 presenter and Oracle and MySQL DBA George Trujillo addressed the question Monday at the conference in his session, “What Every Oracle Professional Needs to Know about MySQL.” Trujillo said he could not say exactly what was going to happen with Oracle and Sun, but he did know one thing:

“I will tell you MySQL is not going to die,” he said.

Trujillo said because of the simple fact that MySQL is an open source database — a free source code available to anyone — it will continue on no matter what Oracle decides to do with it.

So, maybe MySQL is not as much in the hands of Oracle as we are think it is.

“It’s open source — if we wanted to get together tonight to get the source code and create our own version to start selling tomorrow, we could do that,” Trujillo told session attendees.  He said what’s more important is that whoever is the leader of open source has to be innovative.

Trujillo also discussed common misconceptions users have about MySQL, one being that the database can be compared with Oracle. He said comparing MySQL to Oracle is like comparing a fast speedboat to an aircraft carrier — if you bought one, it was probably for a reason, and you won’t be happy switching to the other.

So, maybe the real question is not will Oracle keep MySQL, but what will the software giant choose to do with it? How innovative will they be? Is there anything you would like to see Oracle do with the open source database? How do you think, or would like to see, Oracle will market itself to the open source community?

Is your data secure in the cloud?

As Oracle’s Bill Hodak looked out at the approximately 30 attendees at the Oracle in the Cloud session Monday at Collaborate, he noted it was probably the largest group he’s spoken to about cloud computing over the past two years.

Despite the growing interest, however, session attendees were not hesitant to voice their concerns - the biggest being the security of their data.

Hodak began his session by describing the benefits of cloud computing, which he described as “computing resources residing on the internet (aka’the cloud’).”  Cloud computing requires no long-term commitment, is infinitely scalable and allows the user to be billed by consumption rather than a fixed price, he said.

He went on to describe how Oracle works with Amazon — the top cloud computing vendor and Oracle’s first cloud computing partner — to provide Amazon Web Services for Oracle customers. Users can create an Amazon Web Services account to deploy Oracle software or back up an Oracle Database. Hodak described Amazon’s Elastic Compute Cloud (EC2), an environment which can be used for Oracle deployments. In EC2, users can also choose from a catalog of virtual machine images, such as Oracle Enterprise Linux or APEX, and within 10 minutes have a fully functional Oracle environment.

But one user had a question that Hodak admitted was a good one — how does one ensure privacy and securing of personal data when operating in the cloud?

Amazon is just beginning to promote its cloud services to larger enterprises rather than smaller start-ups, Hodak said, so security is just now becoming a bigger concern. Though he could offer no specific details, Hodak said that Amazon is in the process of getting certified as a “secure organization,” but in the meantime, users should encrypt their data through Oracle.

Private, on-premise clouds are also an option that that may lessen security-related concerns. Hodak said these are a good option for large enterprises that might find it difficult to move to public clouds in the immediate future. While many companies may not be ready to move to a third-party cloud, internal clouds can allow developers to faster respond to their organization’s need at a lower cost.

Hodak emphasized that few enterprises are actually in the deployment stage of their cloud computing initiatives-most are still only in the evaluating stage or deploying non-mission critical systems.

But with Oracle cloud computing still in the initial stages, what can we expect in the future? While most of that is still to be seen, it looks like Oracle is close to announcing seven new online products as part of its SaaS initiative.

Is security a concern for you when considering cloud computing? Has your organization considered cloud computing as an option? What factors have helped you decide for or against a cloud computing initiative?

Oracle users can attend Collaborate 09 virtually

Coming to the rescue of cash-strapped IT professionals unable to attend Collaborate 09 in Orlando (May 3-7) the Independent Oracle Users Group (IOUG) announced it will be hosting virtual sessions. IOUG officials said that companies registering at least one employee for the conference are then eligible to set up virtual access for everyone in their organization.

The IOUG plans to offer 40 virtual sessions over the course of the conference. IT professionals interested in Webinar sessions, which range between 30 minutes up to two hours, can be customized to best suit their specific educational interests.

Conference officials explained that obtaining a license for one seat provides unlimited access to virtual sessions.

“We recognize companies everywhere are looking for ways to save. This option takes into account economic conditions while still allowing members to get value from networking, continuing education and best practice sharing,” said Ian Abramson, President of the IOUG.

Collaborate 09 organizers, which also include the Oracle Applications User Group and Quest International Users Group, said they expect 5,000 people to attend the conference to be held at the Orange County Convention Center West.

Those interested in registering for virtual attendance can do so at:  http://www.ioug.org/collaborate09/attending/virtual.cfm.

If you are planning to attend Collaborate 09 virtually, let us know. If you have attended other Oracle conferences virtually, let us know what your experience has been and we’ll share it with the rest of the SearchOracle.com community.

Will Oracle be the good shepherd for open source?

With its acquisition of Sun, Oracle, like it or not sports fans, is now the steward of the open source community. It is now Oracle’s opportunity to take open source technologies up to the next level of acceptance in corporate America — or not.

My guess is they will pursue that opportunity. Not necessarily out of any sense of contributing to the greater good by encouraging the spread of free software to IT shops strapped for cash in recessionary times, for instance. It would have more to do with the fact that there is money, good money, to be made by committing more deeply to open source technologies.

This should not surprise anyone. After all, this is the company that jacked up its licensing fees some 15 to 20 percent last year, right around the time the recession was crushing the economy.

I really don’t have any problems with vendors large or small, making as much money as they can from open source. If Oracle can intelligently and fairly find a way to charge Oracle and Sun users for open source products and associated technical services, it could lay down a business model that the rest of the open source world could follow. With greater revenue streams generated, more jobs can be created among both vendor and IT companies, which would result in more useful products delivered and greater productivity.

Lord knows many Linux distributors and other open source software developers have had their chance over the past decade to establish growing and profitable businesses. But with the exception of Red Hat and possibly Novell, none have succeeded at sustaining a largely open source business capable of generating hundreds of millions in revenues. Sun is the other possible exception here. A recent Goldman Sachs report estimated that the company’s Java-based revenues could approach $300 million in the current fiscal year ending in June, but even that tidy sum was enough to allow the company to continue under its own steam.

But Oracle, with revenues of $25 billion and significant market share in multiple enterprise software markets, is in a strong enough position to show the industry how real money can be made in open source world.

The biggest change Oracle has to make to achieve this goal doesn’t depend largely on clever ways of blending of open source and its proprietary products, although it will have to do some of that vis-à-vis positioning and pricing strategies, but on taking a more enlightened approach to attracting new customers. Yes, I’ll say it, we need to see a kinder, gentler Oracle coming into this market.

There is a way to achieve a balance that allows the company to continue to compete aggressively without trying to win the Albert Schweitzer Award for Humanitarianism .

And why not be kinder? The company can’t charge major companies such as IBM or SAP any more for licensing Java. Those licensing fees are protected under long term contracts and can’t be touched until they come up for renewal. The same goes for Sun’s corporate users, particularly those locked into multi-year support and maintenance deals.

Instead of tossing aside good products from Sun such as the MySQL and Glassfish, Oracle could put development monies into enhancing them and making them even more useful to customers. In doing so they could also serve as effective weapons against Microsoft in the lower end of the market. More than a few open source users have told me they would be willing to pay for products such as MySQL and Glassfish if they can continue to deliver good ROI and be properly maintained for a reasonable fee.

There is no need for Oracle to be overly protective (read greedy) of its higher end proprietary databases and applications. That business is solid and under no immediate competitive threats, even from IBM.

I’ll give Oracle the benefit of doubt here; it is still early in a process that will take a year or two to fully play out. The company may find the right balance between its software-as-a-contact sport approach and being a more enlightened leader that could bring the open source and proprietary worlds together in a way that profits everyone.

How will the Oracle-Sun deal affect you?

Since the Monday morning announcement of the Oracle-Sun deal, we’ve already heard a lot about how the merger will affect Oracle: how it will help the software giant get ahead of IBM in a wide range of software and hardware markets, and help it better compete  against other archrivals in the enterprise Java arena, for example.

But what kind of effect will the deal actually have on the everyday life of IT professionals like you?

Site Editor Ed Scannell and I talked with Independent Oracle Users Group president Ian Abramson about the Oracle-Sun deal, including how the acquisition will affect the Oracle user community. Since the deal was just made this week, it’s difficult to accurately  predict its repercussions for users. But Abramson discussed some possible scenarios that the Oracle user community could see, including:

The Oracle-ization of Java: Abramson pointed out that while Oracle will gain greater control of Java, it may also take it one step further with an “Oracle-enhanced version”. He said that if Oracle repackaged and repurposed Java like it did with Linux, leaving the industry standard version alone, it could be beneficial to the Oracle community.

Lower maintenance costs: Abramson also said a reduction in support and maintenance fees is possible with the “consolidation of all these different support organizations, and Oracle’s ability to support a complete technology stack.” He thought this is something the user community is ultimately hoping for.

Other Oracle experts and analysts from around the Web have also weighed in on how Oracle’s latest acquisition will affect customers — especially with Java and MySQL. SearchEnterpriseLinux.com’s Leah Rosin examined the open source community’s reaction to the deal. While she found that many were worried about this being the end of MySQL, others more hopeful because of Oracle’s commitment to Linux.

Blogger Frederic Paul says that while the Oracle-Sun merger may result in more efficient technologies, it will also “reduce choice.” Still, he points out that nothing will change immediately and customers will have plenty of time to plan ahead.

And while many seem to think MySQL’s fate is sealed, many others - like analyst Michael Dortch– think Java should be safe. Analyst Dana Gardener agrees, pointing out that Oracle will keep Java to stay strong against its main Java competitor, IBM.

What was your reaction to the Oracle-Sun deal? How do you hope Oracle utilizes its new technologies? What are you most hopeful about? Worried about?

Oracle’s cloud confusing strategy

It’s difficult to understand what exactly Larry Ellison’s problem is in using the phrase cloud computing.

Despite the statements made at OpenWorld last September where he said - “maybe I’m an idiot, but I have no idea what anyone is talking about (in regards to cloud computing). What is it? It’s complete gibberish. It’s insane. When is this idiocy going to stop?” — Larry Ellison is no idiot. We know you know what it is, Larry, and why it represents a different approach for users.

His reluctance to use the term could have something to do with his belief that he has been there and done that with Oracle’s grid computing initiatives over the past decade. It could involve something more serious like wanting to slow the acceptance cloud computing because it reduces IT shops’ costs which could threaten Oracle’s lucrative maintenance revenues and software licensing renewals.

But that can’t be it. He knows that cloud computing, Software-as-a-Service and some forms of virtualization are an inevitability because they can save users precious dollars in their shrinking IT budgets. He can’t be totally against that.

What has confused people further is Mr. Ellison’s recent lapsing in and out of admitting and then denying Oracle even has a cloud computing strategy. One day he is belittling the idea of cloud computing and that he doesn’t need to go there, the next he is boasting that Oracle has a more aggressive and forward thinking cloud strategy than competitors such SAP.

I am not the only one trying to figure out Mr. Ellison’s word games or if the company actually wants to have a strategy. When I asked an analyst with a top-tier market research firm to help me sift through the tangle of products that make up Oracle’s would-be cloud computing strategy he couldn’t.

“I think the reason you’ve been having trouble is simple: Oracle doesn’t have a cloud computing strategy. They have tactical and experimental initiatives only. My bet: They buy their way into cloud sometime in the future,” he wrote back in an e-mail.

Great. An opportunity to spread rumors about what company Oracle might buy so it can to jump into yet another market. While I am on the soap box, let me just say a merger with EMC, owners of VMware, would be an excellent candidate given its cloud computing initiatives.  Those rumors can swirl around with those that have Oracle interested in buying Sun and Red Hat the last month or so.

But when it comes to making money from users needing solutions involving cloud computing concepts and products, Mr. Ellison has no problem with terminology.

In one notable example, Harvard University last year was shopping around for a cloud-based solution when a scientist there saw a posting on an Amazon Web services Web site from an Oracle executive. The posting asked that anyone interested in experimenting with Oracle data bases in the cloud to contact the company.

Harvard responded and less than two months later it had a cloud-based solution up and working with an Oracle database, Ruby on Rails, and OpenXava. Harvard’s Laboratory for Personalized Medicine is now using cloud computing services to run virtual services to run clinical trials, and is reportedly pleased with the solution. See Larry? Not so hard.

Further evidence that Oracle is interested in putting together a cohesive cloud computing strategy was put on display six months ago when it announced users could license Oracle Database 11g, Fusion Middleware and Oracle Enterprise Manager to run in a cloud computing environment. Not just that but the first available products would work with Amazon’s Web Services’ Elastic Compute Cloud environment.

Maybe we just need to be more patient with Mr. Ellison, there is some evidence he may actually be softening up on the issue. Again in a meeting with analysts a few months ago he talked about wins Oracle had racked up against archrival Salesforce.com describing one as the “largest deal ever of salesforce-on-demand, or cloud computing, or whatever you want to call it.”

Not exactly waving the cloud computing flag high and wide but he seems to be making progress.

Incriminating evidence that Oracle is interested in putting together a cohesive cloud computing strategy was put on display six months ago when it announced users could license Oracle Database 11g, Fusion Middleware and Oracle Enterprise Manager to run in a cloud computing environment. Not just that but the first available products would work with Amazon’s Web Services’ Elastic Compute Cloud environment. So what’s the big deal with all this?

Say it Larry, just say it: Cloud computing.

Oracle still interested in planes, trains and automobiles

As the owner of one of the world’s largest yachts and an avid racer, Oracle CEO Larry Ellison can probably handle his boat in just about any fleet.

Now, his company has released an application to help its customers do the same — in a slightly different way. Oracle Fleet Management, a component of Oracle’s newly released Oracle Transportation Management 6.0, will help users manage fleet and common carrier networks through a single platform. The tool can be used for all kinds of private fleets, including trucks, trailers and ocean freighters.

Oracle Transportation Management 6.0, announced Tuesday, is the latest update to Oracle’s global transformation management system. Oracle Transportation Management, part of the Oracle E-Business Suite, integrates and streamlines transportation planning, execution, payment and process automation in a single application across all modes of transportation, according to Oracle.

In the first major update to the management system in nearly three years, version 6.0 allows users  to manage transportation by third parties.  In an eWeek article, Derek Gittoes, vice president of Logistics Product Strategy for Oracle, says that manufacturers will be able to manage both their own drivers and those of third-party fleets  reportedly a first in the commercial software market. This release is also reportedly the first in the industry that combines shipment and asset-centric transportation solutions.

But will customers want to invest in this technology in the down economy?

According to Oracle, version 6.0 should actually help customers save on transportation and fleet management costs. The tools will reduce fuel costs, support sustainability, and measure and control financial performance, according to the company.

This isn’t the first time  Oracle has used the recession to invest in niche markets or offer enterprise businesses cost effective solutions. In February, for example, it released two new risk management applications, which Oracle believes will prove  cost effective for users  in the down economy. The software giant also continues to invest in eSourcing tools — including its newly released Oracle Sourcing on Demand — which helps  IT shops to save money by negotiating online with suppliers.

How has the recession affected your Oracle-related spending? Have you been able to take advantage of any of these supposedly cost effective tools?

Living in a three company world

Several years ago or so Oracle chairman and CEO Larry Ellison made a typically brash prediction that eventually there would only be two or three major IT vendors left standing. Of course he believes Oracle is going to be one of them.

It is the kind of prophecy most people discount as self serving, and that couldn’t possibly come to pass.

But with persistent rumors swirling around the last couple of weeks involving IBM, Hewlett-Packard and Oracle all interested in buying Sun Microsystems, as well as rumors circulating that Oracle again wants to gobble up Red Hat, the possibility of a three vendor IT world seems more possible.

The development with the most potential to create this three vendor world is not the one where IBM buys Sun, but the one involving Oracle and HP dividing up Sun. According to those rumors Oracle is willing to put up $2 billion to buy Sun’s software business, most notably its crown jewels, Java and the open source data base, MySQL. At $2 billion it would be the steal of this young century.

Rumorologists have yet to attach a figure to what HP is willing to plunk down to take over Sun’s server-based hardware business. It is safe to say it would cost HP $3 to $4 billion, and that too could be worth it to secure HP’s top position in the overall server market.

But its Oracle’s possible move on Sun and Red Hat, in tandem with its increasingly chummy relationship with HP the last few years, that is at the center of all this.

First, there is the prospect of Oracle taking over control of Java. It is unlikely that even Oracle would consider monkeying around and changing the technical working of Java to serve its own development needs and so put a major competitor such as IBM at a disadvantage.

But it could make life difficult for competitors, most notably IBM, by raising the fees on Java next time Big Blue’s Java licenses came up for renewal. It could put IBM server products at a price-performance disadvantage against those of Oracle.

If it grabs hold of MySQL, Oracle could significantly enhance its credibility in the open source world, as well as gaining a low-end data base that could effectively compete against Microsoft. As more IT shops strongly consider open source products in these recessionary times, the prospects for MySQL are looking better and better.

Some might suggest that acquiring MySQL would threaten the margins Oracle makes on its much higher end bread and butter Unix-based data bases. I don’t believe it will. With Linux-based operating systems and their applications taking on increasingly mission critical applications, along with the high-end Unix market slowly shrinking, Oracle can avoid MySQL canabilizing the lower end of its proprietary databases and make this work.

Couple MySQL with Red Hat’s Linux, particularly the Enterprise versions of that product, and Oracle gains direct control of half the LAMP stack (Linux, Apache, MySQL, and PHP) and suddenly Oracle becomes the strongest vendor in the open source world — certainly the richest.

Then there is the increasingly tighter relationship between Oracle and HP. Oracle and Sun once had a very close relationship. Back in the hay day of the dot com boom, the “miracle stack” was Oracle’s databases, Sun’s SPARC servers and operating systems, Cisco’s communications hardware and the Apache Web server.

But a few years ago Oracle and Sun drifted apart over issues involving Oracle dissatisfaction about the cost of Java licensing fees, and the competition imposed by Oracle’s Unbreakable Linux.

Stepping in to take Sun’s place has been HP, as evidenced by deals such as the one last year between the two that resulted in the Exadata appliance server. That product, which is the marriage of HP hardware and Oracle software, that allows 11g to run insanely fast. Oracle hasn’t shown that kind of tight cooperation with a major vendor since its dealings with, well, Sun. And given that HP can provide all the servers Oracle could need (especially if HP acquires Sun’s SPARC servers), along with storage products, and a large worldwide maintenance organization would make for a very formidable team. And oh yes, Red Hat already has a good working relationship with HP, which makes Red Hat Linux available on its servers.

Oracle’s continued control of the proprietary data base market, its strengthened position in the open source world, and a tight relationship with HP, would put every major competitor, possibly excluding IBM, at a major disadvantage.

Even mighty Microsoft would have difficulty keeping up. As the world gravitates more towards open source for higher end applications involving cloud computing and SOA initiatives and turns  towards a rich well positioned supplier like Oracle, Microsoft would have to go on the defensive. And with Oracle working more closely with HP to deliver higher-end margin rich solutions, Dell too could be commoditized down to a second tier player in the enterprise market.

Two other things lend further credence to this scenario materializing. One, Oracle has a proven track record of making large acquisitions work, and two Sun, despite IBM engaging it in talks first, prefers to sell to a west-coast based company, according to rumors.

Lord knows what Sun’s poor board of directors is thinking given the possibilities potential buyers have presented to them. But if Mr. Ellison can entice Sun, Red Hat and HP to go along, his outrageous prediction of just three IT companies left standing, namely Oracle, HP, and IBM, is not so outrageous.

Oracle shores up health sciences group with Relsys deal

Oracle has certainly had its share of customers in the health services industry. Its Oracle Enterprise Manager is used in hospitals across the country, and healthcare firm AstraZenca has used Oracle intraMedia to help manage its clinical images.

Still, the software giant has never dominated the pharmaceutical or healthcare niche, according to analyst Judy Hanover in this Wall Street Journal blog post.

But that might be about to change.

Oracle announced Monday that it will acquire Relsys International — a leading provider of drug safety and risk management analysis software — in a deal that’s expected to close in the first half of this year. According to Oracle’s press release, its purchase of Relsys will further Oracle’s position in the health sciences industry:

The release also stated that Oracle and Relsys will combine to deliver a unique suite of software applications, focusing on end-to-end drug safety processes across clinical development, post-market surveillance and patient care.

Oracle showed its commitment to the industry last June, when it announced the creation of its new Health Sciences Global Business Unit. The Relsys acquisition is only the latest investment in the business unit, which was designed to provide applications in the health sciences industry. The business unit currently offers a variety of health sciences applications, including Oracle Clinical, Oracle Life Sciences Data Hub and its Siebel Clinical Trial Management System.

The Relsys purchase is also another example of how Oracle is turning away from making larger acquisitions (think BEA and Siebel), to focus on buying smaller companies in niche markets.

In October, Oracle announced it would acquire Primavera, a provider of project portfolio management (PPM) software. A month later, Oracle snatched up software-maker Haley Ltd. in a move that analysts claimed would propel it into the financial and social services industries. And, most recently, Oracle announced its plan to acquire mValent, a leading provider of application configuration management solutions.

What industry will Oracle jump into next?