Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Data Protection

Oracle Helps Enterprises Tackle Encryption Key Management Challenges

As the saying goes, a chain is only as strong as its weakest link. And in the technology world, while encryption is an instrumental component in protecting sensitive data, encryption is only as strong as its key management.

As the saying goes, a chain is only as strong as its weakest link. And in the technology world, while encryption is an instrumental component in protecting sensitive data, encryption is only as strong as its key management.

As organizations increasingly encrypt data to comply with regulatory requirements, fend off government snooping, and protect from malicious attackers, managing a growing list of encryption keys and credential files has become a major challenge.

Oracle LogoIn an effort to help customers address the challenges surrounding key management, Oracle today introduced Oracle Key Vault, a solution that allows customers to centrally manage assets including Oracle wallet files, Java KeyStores, Kerberos keytab files, SSH key files, and SSL certificate files.

Deployed as a software appliance, Oracle Key Vault is the latest addition to the Oracle Database security portfolio and gives enterprises an efficient tool for managing these critical credential that are often scattered across servers.

 ResourceIs Your Enterprise Managing Certificates? Three Reasons It Should Be

The new offering puts the database giant in competition with niche key management vendors such as Venafi, Vormetric and Entrust, among others.

Built for x86-64 hardware, the software appliance runs on Oracle Linux and is optimized for the Oracle technology stack, including Oracle Database and Oracle Fusion Middleware.

How Oracle Key Vault Works

Oracle Key Vault can be deployed in existing environments, Oracle says, and offers features including:

Archival and recovery –  Archiving Oracle wallet files, Java KeyStores, and other credential files in a master repository, supporting fast, easy file sharing and recovery.

Advertisement. Scroll to continue reading.

Centralized management. A browser-based management console offers point-and-click administration, simplified server enrollment, and audit reports.

Streamlined sharing – Customers can securely share Oracle wallet files across database clusters or disaster recovery environments. The solution currently supports Oracle Real Application Clusters, Oracle Active Data Guard, and Oracle GoldenGate.

Flexibility – In Oracle Database environments using Oracle Advanced Security with Transparent Data Encryption (TDE), Oracle Key Vault manages TDE keys over a direct network connection as an alternative to a local Oracle wallet.

Standards Compliance – Based on the OASIS Key Management Interoperability Protocol (KMIP), Oracle Key Vault can manage keys from KMIP-compliant clients.

“Encryption is no longer optional for managing enterprise data. It has become an essential element of end-to-end data protection,” said Carl Olofson, IDC research vice president, Application Development and Deployment.

“Following Heartbleed, every CISO, IT security manager, and incident responder understood the impact of not being able to trust webservers, cloud services, and devices,” Kevin Bocek, VP of Security Strategy and Threat Intelligence at Venafi, told SecurityWeek.

According to recent research, only 3 percent of external-facing servers in the world’s largest companies have been fully protected from the Heartbleed vulnerability, researchers found. In a scan of external servers owned by the Global 2000 companies, 97 percent of the machines were still vulnerable to the OpenSSL flaw, Venafi said in its Q3 Heartbleed Threat Research Analysis report released on late last month.

“From The Mask to Energetic Bear, adversaries of all types are increasingly attacking keys and certificates to gain trusted status to evade detection and expand their attacks,” Bocek said.

“Along with others in the IT security community, Oracle is recognizing the need to secure and protect all types of keys and certificates: from SSL keys and certificates that protect customer privacy for application servers to SSH keys that provide privileged access for apps and admins to virtual machines and cloud services.”

“Organizations’ failure to control and protect keys and certificates, the foundation of digital security and online trust, leaves the front doors open for attackers to enter at will and pilfer whatever sensitive data they want, whenever they want,” Bocek continued. “It’s clear that certificate- and key-based attacks have become the attack vector of choice. As Oracle has acknowledged with this announcement, enterprises must implement effective controls to ensure the safety of their network to avoid attacks, loss of intellectual property, and reputational damage.” 

Additional Resources:

• Is Your Enterprise Managing Certificates? Three Reasons It Should Be. 

• Forrester Attacks On Trust Report

Written By

For more than 15 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

Compliance

The three primary drivers for cyber regulations are voter privacy, the economy, and national security – with the complication that the first is often...

Data Protection

While quantum-based attacks are still in the future, organizations must think about how to defend data in transit when encryption no longer works.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Cybersecurity Funding

Los Gatos, Calif-based data protection and privacy firm Titaniam has raised $6 million seed funding from Refinery Ventures, with participation from Fusion Fund, Shasta...