June 12, 2019

June 12, 2019 | Phil Etherton | Director, Security Services

Last week, we opened our Roadblock series by discussing the tactics that may be deployed by SAP and Oracle sales account managers to keep you locked into their own cloud product roadmap.

This week, we’ll compare the different ways in which software vendors and third-party support vendors handle the security of your databases, applications, and overall technology stack.

What They Say: Claims of Inadequate Security and Vulnerability Protection

When moving away from Oracle or SAP support, most – though not all – customers perceive security as one of the top concerns.

Oracle and SAP would like you to believe that they are the only vendors that can keep your enterprise software secure. How can anyone other than the software publisher (who has sole access to the binary code), fix vulnerabilities within the code?

We won’t argue Oracle and SAP are in the best position to find and address existing bugs or vulnerabilities within their own software. It should be a responsibility of the publisher to provide customers with a security patch or update as quickly.

Both SAP and Oracle will contend that third-party vendors rely on a limited and inadequate solution set for security and vulnerability protection. They will tell you that patches are the only true solution, third-party vendors only protect the networks, and third-party vendors will not proactively monitor against potential attacks. Those assertions we WILL argue against.

What They’re Not Saying: Software Publishers Aren’t Great at Security

By pushing patches and updates as the preferred solution, software publishers may be covering up their own security protection inadequacies.

For example, according to Oracle’s published security policy, Oracle monitors for common vulnerabilities and exposures, fixes them by creating cumulative patches delivered quarterly (or one-off fixes for critically deemed updates), and prioritizes based on a scoring system related to their ability to address.

A critical view of this policy would say that these measures are entirely reactive, contain no customer-specific security intelligence, block known threats only, deliver no proactive threat management solution, and provide a one-to-many solution often lacking in transparency.

As for patches, while they may be a strong solution for specific vulnerabilities, they often do not live up to their reputation as a best-fit solution for reducing your security risk. For example:

  • Patches are not timely (in fact, they can be months or years late).
  • Patches are one-size-fits-all and may be problematic for customizations.
  • Patches may not be available for older product versions and applications.
  • Patches require valuable time to test and install.

As a result, many organizations do not patch or patch regularly due to operational constraints.

Note as well that many of the advanced security services and products from Oracle and SAP that deliver comprehensive security solutions are sold separately.

What We Say: A Seven-Point Security Solution Is the Best Solution

Security is not a roadblock to switching to third-party software support. The advertising of Oracle and SAP misrepresents third-party support as an inferior security solution.

At Spinnaker Support, we reject the one-size-fits-all approach of software publishers and focus instead on working collaboratively with every customer. Our global security team actively advises on security concerns and monitors and reports on actionable vulnerabilities. In our 2019 annual customer survey, 98% of respondents who cited security as a concern told us that their security level was either improved or unchanged under Spinnaker Support.

Our team adheres to a Seven-Point Security Solution based around the core concepts of Discover, Harden, and Protect for your data and critical system security. Using this established framework, our experts resolve your issues as immediately and put in place the tools and procedures you need to proactively maintain secure application environments. We also offer software products for virtual database patching and Intrusion Detection Service (IDS) & Intrusion Prevention Service (IPS).

We strongly believe that effective security must address the entire technology stack, full protection requires a proven process and flexible toolset, and that tailored security is the best protection for our customers. Security isn’t secondary to us – it comes standard with our support at no extra cost.

Our Recommendation: Remain Open-Minded When Looking at Third-Party Support Vendor Security

Don’t assume that others cannot provide equal or safer solutions than the vendors AND don’t just take our word for it. Make sure you arrange a meeting between your IT and security professionals and the third-party support security experts.

Spinnaker Support offers a proactive, full technology stack solution that integrates accessible security experts, proven processes, modern detection and protection tools, and continuous monitoring practices. It’s a superior approach to software vendor patches, and the third-party support vendor should be able to clearly explain its processes and how they are certified under global standards.

Depending on the size of your company, plus the internal capabilities of your security team, you may already have security covered. 10% of respondents in our annual survey were not concerned about security as an issue at all, given their own protections and configurations.

If you don’t feel you have security adequately covered, then carefully evaluate the offerings, ask for references, and decide for yourself. We’re glad to speak with you at any time about our Seven-Point Security Solution. Reach out and contact us today.