How ITAM & security should work together.
June 15, 2022 | 1pm ET
Most people are now aware that Oracle has changed its licensing rules for Java. What used to be free in most cases is now subject to license costs.
Unfortunately, in an effort to save money on licensing fees, many organizations are keeping their systems on older versions of Java (that are still free to use). While this strategy may save on licensing costs, it also exposes organizations to a new form of risk: cyber vulnerabilities.
This case study highlights why security teams deserve a seat at the ITAM table – and vice versa.
Points covered in this webinar:
- Changes to Oracle Java
- Java options available to users & associated risks
- Ways that ITAM and security should work together
- And more
Watch the webinar now!
MEET THE PRESENTERS
Scott Jensen is a Senior Manager at Anglepoint and leads the Oracle Practice. He originally joined Anglepoint’s Security Team, providing internal audit and audit readiness services for several clients. Shortly thereafter Scott witnessed the industry need for more Oracle expertise, and quickly became well-versed in Oracle licensing, consumption analysis, contract negotiation, and audit support. He has since pioneered and streamlined processes for analyzing Oracle data and has saved his clients billions of dollars in Oracle spend through his observations and insight.
As a Senior Director, Avinash leads the IT Security and GRC services at Anglepoint helping clients in the area of information security, risk management, and privacy. He is also the Data Protection Officer (DPO) and leads the privacy program at Anglepoint
With over 15 years of experience in IT security, Avinash loves working with clients in building security programs focusing on governance, risk and compliance, third party vendors, privacy and overall security risk across the organization.
Scott Jensen: Thank you everybody for joining today. My name is Scott Jensen. I am a senior manager here at Anglepoint, and I lead our Oracle practice. This is a team of global Oracle licensing experts, and we help our customers manage all things. I haven’t always worked in Oracle licensing.
I first started my career at Anglepoint on our security team under my good friend and colleague Avinash. It’s a pleasure to present with you today. Do you want to take just a moment to introduce yourself?
Avinash Kotikalapudi: Yes, Scott. Thanks a lot. Hi everybody. This is Avinash. I am senior director here at the security and compliance practice here at Anglepoint. I have been in this industry for roughly give and take 15 to 16 years now. I have done IT management in the past as well. And obviously, but my focus has been IT, security and GRC. My team is responsible for doing all work related to IT security cybersecurity, and GRC.
I’m happy to present here with my good friend Scott and explore this topic around, obviously security and item and how they are integral to each other. Excited to present with you, Scott. Back to you.
Scott Jensen: Thanks Avinash. That’s right.
So, as you might have been able to tell, Avinash and I are a bit unique in that we both have a background in security and ITAM, which allows us to see the bridge by which these two teams are uniquely related. And so, we. Now, of course, I, coming from the Oracle perspective we want to use Oracle, Java, and the changes to Oracle Java licensing over the last couple of years as a use case for how and why security teams and ITAM teams should work together.
I want to start today by just talking about some of the changes to Java licensing. Anybody in the ITAM space today is probably aware that back in 2019 at the start of 2019, Oracle changed their rules of Java. Historically Java has been free to use in most use cases. There’s always been some cases where a customer would need to purchase a Java license.
What Oracle would consider commercial features that have always required a license. These are things like Java Mission Control and J Rocket. And if customers needed support for Java, then they would need a Java license as well. But to be honest, I would say this probably only impacted maybe 10% of all organizations that utilize Java.
But according to Oracle’s 2019 announcement, all versions and releases of Java on or after April 16th, 2019, would require a Java SE subscription. So, these are no longer perpetual licenses like you could historically purchase. This is an annual subscription that customers would need to purchase to have versions of Java seven, eight, and eleven.
Released on or after April 16th, 2019, installed in their environments, I’ve included just here a price list, and as you can see Oracle, considers this a volume discount, if you will. The more that you purchase, the cheaper that the respective subscriptions. There are two subscriptions.
There’s the desktop subscription, which is licensed under the named User Plus model which means that if you have a user who has a desktop, a laptop, and a VDI, all three of which have a licensable version of Java installed, you still only need to use. To license that user a single time. So, something to factor for if you haven’t already done your own Java assessment.
Make sure that you’re only counting users a single instance. And then the Java SE subscription is intended to license a customer’s server environment. And this is utilizing Oracle’s standard processor, Metric definition. And again, if you’re familiar with Oracle licensing, you probably know that installing Oracle products in a virtualized environment, using this processor definition, Oracle’s position is that you should license the entirety of your virtual environment.
And so oftentimes for a lot of my customers they begin to fall into the bottom tier of the subscription models where, you know they’re paying $12.50 per month for each processor license. But when you annualize this cost, it lands somewhere in the three to $5 million range per year that customers are now subject to for Oracle Java licensing.
So, this of course, created a big, ripple throughout the industry. Two, two major ways that, that organizations were impacted by this change. One is of course, that, organizations just were not prepared for this. Nobody really anticipated Oracle to begin licensing something that for the previous decade and more has historically been free.
But that said, while customers weren’t really prepared, Oracle sales was prepared to begin charging customers. So almost immediately after the April, Licensing change. A Java sales team was created, and they began reaching out to customers that they knew were using Java and getting these customers to enter these large subscriptions without really giving them the time to properly assess if they even need a Java or to assess any alternatives to Java.
And then the second impact is a lot of customers just to even avoid conversations with the Java sales team or to avoid penalties and the threat of an audit. They just entered subscriptions again, whether they needed it or not, we saw a number of customers in 2019 who just went out and purchased Java subscription ULAs Unlimited license agreements, and again, spending, 3 to 5 million on a licensing agreement that they may not even need in the first place if they just had the opportunity to assess Java within their environment.
So, this then brings us to, what options do Java users have and we can distill it into to three, three options, right? One option is that users of Java could just stay on a version of Java, which was released prior to April the 16th, 2019. So, for Java version, seven or eight you might want to stay, we’ll just use Java eight as an example.
You may want to stay on any updates. If it’s prior to 211, then it’s free to use. So that’s one option. You could just stay on an old version of Java. The second option would be to remove or replace Java from your environments. And we’ve had many customers who’ve done this as well.
They’ve assessed whether or not Java was needed, and they uninstalled it, or they moved to a free and open-source solution such as open JDK or Amazon Cotto or now Java 17, which is a free to use version of Java that we can discuss later. But, Then the third option becomes to purchase a Java subscription, right?
If you can’t remove or replace it and you can’t stay an old version of Java, then you’re going to have to purchase a Java subscription. And again, this could be, quite expensive. A question now to our attendees, and I would welcome you to enter your answers in the chat, please.
And that is what do you as. ITAM or security practice practitioners’ parties, interested in the topic we’re talking about today, what do you see as the risks associated with each of these three options? So, I’ll give you just a moment to enter your comments into the chat. What are some risks associated with any of these three options?
Okay, so we’ve got a couple of responses so far. One is that there’s going to be currency or and vulnerabilities to hacking. Absolutely right. So, staying on an old version of Java has some inherent cybersecurity risks of doing so. I should say the whole point, but one of the points of upgrades and new versions is that vulnerabilities are being patched.
And so, if you don’t have access to those upgrades you don’t have access to those patches, then your environment could certainly be vulnerable. Another comment is that it’s a large project to remove or replace Oracle Java within an environment, and that’s absolutely correct.
I’ve seen customers who have sponsored. Projects to do just that, to remove or replace Java. And it typically takes about a year of a well-managed product to remove Java from a very large enterprise. I’ve seen some customers do it in less amount of time. They’re typically not, the largest of customers, but certainly it takes a long time.
It’s a big investment. And there’s a few com comments about cost, right? And that most of this cost is not typically budgeted for, right? So now all sudden customers are reading required to pay, whether it be a hundred thousand dollars or 3 million or $5 million.
There, with purchasing a Java subscription, you run the risk of perhaps over purchasing, right? You say let’s just license the entire enterprise because it’s too difficult for us to really assess whether we need Java and where it’s deployed. So, I’d say that’s certainly a risk as well.
So, thank you all for your comments.
Avinash Kotikalapudi: Scott. Yeah, I had a point in question for you, right? So, what are you seeing in the industry, right? Java obviously is an integral part of so much software, right? It comes free with that all the time over so many years. And what are you seeing in the industry where, for Java, which you never paid Chem as free as a part of other software, how are you seeing organizations tackling that now as a part of this change in licensing?
Because if I’m not correct, and again, I’m not an SME here, but. Whatever you got free as a part of the software. Also. Now in some sense, the organization must start looking at that and see how to license that. Is that true or is that probably not true?
Scott Jensen: Yeah. So, I would say of the previous, of the three options that we present here, I’m seeing a variety of all three of them being deployed and it all is dependent on the organization.
I’ve seen customers who virtually uninstall Java overnight and their viewpoint was we’ll uninstall it, and then if something breaks, we’ll reinstall it. And they treat, and honestly, they treat Java as if it were a virus. If Java pops up in their environment, they uninstall it immediately, and then they go back to the user or the installer for them to justify their need for Java. So, I’ve seen that sort of extreme. But then I’ve seen a lot of customers who try to find a hybrid model where they assess specifically where they need Oracle Java, where they need to have those upgrades and patches most immediately.
But then anywhere else they’re moving to a free and open-source solution such as Open JDK. A lot of customers are putting open JDK on all their desktops while keeping Oracle Java on their servers, right? Since their servers are what’s really hosting most of their infrastructure or all their infrastructure for that matter.
So I would say it’s a wide array and I wish I could pin down exact what the exact pattern not is, but it really comes down to each organization, and that’s something that, as part of our services, that’s something that we try to help our customers assess is what are their options, what is their license need and what’s their path forward?
Thanks for that question, Avinash. Alright, so of course, as you can imagine we just talked about some of the risks associated with these three options. We’re of course going to spend the point of this presentation is really to focus in on this first one.
So, we have organizations who are saying let’s just stay on an old version of Java. And I’m not joking. I’ve had several, CTOs, CIOs, very senior leadership who have said that’s the path forward for them. Just don’t upgrade Java, stay on an old version and then, where possible try to move off Oracle, Java.
And something that I’ve witnessed as somebody who has a sec, a background in security, but who largely works in the ITAM space today, I see that if we’re looking at how the. The scales are balanced between cybersecurity and IT asset management. There are a number of organizations that I’ve witnessed that seemed very concerned with their IT savings opportunities without considerate.
Considering their cybersecurity risks. A lot of organizations are saying, how do I reduce my software spend? How do I reduce my hardware spend? There’s certainly a big move to the cloud right now to reduce costs. There’s a hyper focus on this and that’s just, in some organizations it’s, I’m not saying it’s unique to all, but I’m sure if you’re in the ITAM space today you might be thinking that doesn’t seem very representative of my organization. If anything, it’s the other way around. And that is that my organization seems hyper-focused on security without a lot of regard to the benefits of IT asset management.
I don’t know, Avinash can speak to this or if you’ve witnessed the same. From your point of view.
Avinash Kotikalapudi: Yeah, that’s right, Scott. We on the security team, work with a lot of our clients who obviously, consider security at a very, high risk of course, right?
You must spend a lot of focus on those dollars. But really right, the advantages of having an very matured I time program, or at least if not hundred very mature, but in that journey really will, I guess help a lot of those advantages to trickle into the security side as well, because, a lot of things we see on the security side do need a lot of similar work, which the item team does or, and should do, of course, as a part of their business.
And we want to see we are trying to really educate our customers on that front quite a lot, right? And make sure item program will help you not only grow that side, but also, help that insecurity business as well. We just put some status up there where, you know, A data breach report was, said by IBM and the Point one Institute, which kind of reflects what the data breach has been costing general, the industry in 2021.
Obviously, we know that COVID-19 was still up in the air, right? Covid was going on. People are all remote working. So remote work, we know was a big factor into, a lot of these cybersecurity attacks, ransomware attacks happening, right? You, everybody was working in the offices.
We thought, we are behind the firewalls, we’re secure enough, but, COVID-19 hit, and everybody had to move home. And then, companies were struggling to get, make sure that the cybersecurity posture is correct, but unfortunately, we know cybersecurity takes some time to get mature.
If you’re not focused on that, then, we saw a lot of increased costs. So, with that, and of course, little data breaches also happening, right? Then data breach happens. Which is obviously one element and one headache, but also it costs a lot of business to the customers to the clients.
We all know that organizations obviously have a public facing entities and other things, they lose a lot of their business because. Customers don’t want to work with them, or they try to take business somewhere else. So those costs are, as you said, it says about 38% of the cost.
Again, taking Java just as a use case, this could be very well, taken to a next level and see if this does not manage properly. Log4j we all know log4j happened last year in 2021 and the resulting out of that, we all know it was just an attack where, somebody exploited and got into the Java libraries for this log4J, and it was so much available, widespread everywhere.
So, everybody was scrambling, everybody was running around. And trying to figure out whether we are using this, are not using this. And if obviously an organization was in sync with the security teams, our security teams was well in sync with ITAM, with both, we versa. We believe organizations will have saved a lot of time, energy to probably save the cost associated with not only just finding out, but also making sure if there was anything going on, then if they could have trimmed the cost down or trimmed the effects of that as well.
We’ve known, we’ve seen the past similar things like SolarWinds has happened. We’ve seen the example of the Apache struts happening in about 4, 3, 4 years back as well. And again, these are examples where it clearly indicates that, the availability of ITAM team working with security team just really, will help each other to make sure the data is available.
Straight away for us. Yeah. Security and item are not competitive, right? I guess that’s the key point here, right? We, whenever we go into security meetings or we are trying to understand, what is the ITAM portion, a particular company we unfortunately see that ITAM has less role to play in the security space.
Again, I’m not saying that it’s, we’ve not seen that happening, but the maturity level in terms of interactions of the two organizations, whether it’s at ITAM and security, is not a lot. And I’d like to see that happening where, you, for example, if security team wants to get an information about a certain applications or certain endpoints running an IT team, a lifetime team has that available to them.
And that can be easily then trans transferred into a documentation which can be used for running some of these checks on different issues going on. Yeah, it’s area which we want ITAM and security to work more together.
Scott, what have you seen, as a part of ITAM, at what levels are you seeing these teams talking together to each other really?
Scott Jensen: Yeah. And so that, that’s a fantastic question and I would say not enough. Which is, part of the reason that we felt like a presentation like this is necessary is because again I’m seeing, teams who are making decisions about the future of their Oracle software without seemingly any consulting or collaboration with their security team, right?
So, when somebody makes the decision to stay on an old version of Java my response as a, as their consultant with a security background is, have you checked with your security team to make sure that they’re okay with this particular idea? And I certainly am aware that some organizations have mastered this.
Some organizations are very good at making sure that key ITAM representatives and security representatives are sitting on some of the same committees and councils within their organization. But in others it seems like there’s a major disconnect to the extent where sometimes I find that security teams are almost roadblocking the ITAM efforts.
And I think of examples where we have new ITAM organizations being established within their organizations and they’re on, they want to onboard ITAM tools which allow them to get a high level of inventory of the software and hardware deployed within their environments. And I’ve seen security teams who will not approve of these kinds of.
ITAM tools within their environments, right? So, you’ve got one team that’s trying to get better coverage and an understanding of what’s deployed and what’s being used. And then I see security teams who say nope, we don’t approve of that particular agent being installed on our device. And then we run into a situation where ITAM and security are competitive and there’s some conflict there.
My goal oftentimes when this happens is to try to bring all of the right people to the table to address those concerns, to help illustrate to the security teams how and why this, it a m data will be so valuable to them.
Avinash Kotikalapudi: Yep. And again, what we have seen from the security side. As you said, right? If in some organizations where they’re under the same umbrella, maybe like the c CTO or the CIO’s umbrella there has been maybe discussions going on, or they’re talk, the teams talk to each other, right?
They’re not in complete silos. But, in some cases organizations, I a m probably is a part of a different team. Maybe sometimes legal or sometimes procurement, or sometimes finance, right? And they do not have much interaction with the. The CIO side of the house or the security space of the house.
And that’s where an example where you gave a new tool comes in, the security probably is not involved in it, it gets approved by a business for certain reason. And then security kind of obviously shoots it down because it doesn’t help, or they do not know that it they must review this first.
And there’s obviously time loss between the translation between the two teams really. Again, Great examples of why the ITAM and the security team should probably talk more often, regularly, even if they’re not, part of the same umbrella. That’s
Scott Jensen: exactly right.
So, we’ve come up with just, three simple ways that we feel like ITAM ENT security teams should be working together. And the first one is regarding governance. We feel that ITAM ENT security teams should be working together to create policies and to write procedures for how its assets are used within their environments.
Again, ITAM teams have a lot of data to understand how Different software and hardware and IT assets are being used throughout the organization. But then sometimes we’ll see security teams who create a policy without, understanding the needs of IT. Consumers on their network.
They’ll write these policies, and they’ll say x, y, z technology is, not allowed in the environment without understanding that technology is already. Has widespread use throughout the environment and may have a business need. And again, that’s an overly simplified example but this kind of thing happens, and it can be prevented if it a m and security teams were both tasked with writing policies and procedures from a governance standpoint.
Avinash Kotikalapudi: Scott gave very clear example of, we know there are so many frameworks and there’s so many guidelines coming across the globe, which, talks about really, what kind of assets are being used and what capacity and, who is using that from a standpoint of business or any other reason really.
So, I think it’s important to clearly layout what asset has been used, where, and their policies about that. What is allowed and what is not allowed. I think often case the ITAM team is probably unaware of certain security team doing something which, from an ITAM perspective, it’s they are not aware of it, which obviously is not helpful because the item team is tasked to understand that from an asset perspective or sometimes, it’s just that, the item team really has the data. Again, doing a rework of a similar thing is obviously going to waste everybody’s time. I think that is a key point where if you’re writing a policy and a procedure about how the use case should be, then the teams should be talking to each other really.
Scott Jensen: The second one is regarding a, a company’s attack surface. Avinash, do you want to maybe explain what an attack surface is in the terms of the cybersecurity world?
Avinash Kotikalapudi: Yeah, exactly right. The greater number of entry points which exist in organization the bigger the attack surface, right?
It could be your application. It could be a hardware, it could be any of your software, or it could be any of your cloud environment. More number of those in your environment. You have much broader interface to work with to secure it and to make sure that. People are not looking to penetrate and, get into an organization really.
Attacks phase the lesser it is as it says. You have a lesser smaller Asus attack and lesser things to worry about. And an example I would probably, mention to you that, we often see in the security world and again, this is why even an example in ITAM, and security have to work very closely is there are repeated same software of, for the same use cases.
So different software for the same use cases in an environment or an organization, right? You probably do not want that to happen, right? If you want to try to obviously, we understand there are some use cases in some organizations which are huge globally. But most of the time you won’t have a single software with the same use case for Internalizations so that you do not have to worry about.
Patching, upgrading, managing the same the different software for the same use cases, really. So again, a simple example of, keeping the smaller inventory or helps you to keep a smaller attack interface and that way you have you can manage things better.
Scott Jensen: Yeah. From the Oracle perspective, I think of cases where oftentimes we’re.
We’re looking at things through a licensing lens, and we’re and so we’re helping customers understand, where do they have Oracle products deployed? What is their compliance position per the licenses that they already own. And oftentimes when an organization is out of compliance from a licensing perspective, one of the ways to remediate any financial risk is by uninstalling.
Oracle applications or decommissioning devices that are no longer needed, and this happens with probably every customer I have where they will decommission. Servers based on our assessment, because they say, we haven’t used that device in a long time. Or that VM was spun up for some test purposes.
It’s been running for two years, but nobody’s ever touched it. From that, that, that is the ITAM practitioner’s role is to identify these use cases and to decrease inventory that is not, Necessary. And so, when we do when we decrease inventory, then we are also reducing our attack surface as well.
So here again, we can just illustrate how, the ITAM Practitioner’s objective is completely in line with somebody whose role is in the cyber security space. I really like this quote, the quote at the bottom of the screen here that talks, from Suzu classic Art of work quote, which is in any battle there’s going to be both direct and indirect methods.
And so, in all fighting, the direct method may be used for joining battle, but indirect methods will be needed to secure victory, right? And so, if the cybersecurity team is seen as your traditional method, your direct method for joining battle in these cybersecurity wars, if you will for protecting an organization’s assets and intellectual property, then perhaps ITAM could be viewed as the indirect method that’s really going to be needed to secure victory.
All right, that brings us to our third point which is around audit and audit readiness. Everybody loves audits, right? I’m guessing if you’ve been, if you’re on this call, you’ve probably been involved either in a security audit or a software related audit. The point that we’re that we’re making here is, when I was working, with Avena, a lot of the work we did was in, in governance around the various security frameworks that are in place, ISO 27001, HIPAA, GDPR, etc.
Now that I’m on the Oracle side of things, I’m helping customers navigate and prepare for, or hopefully prevent Oracle audits. And most of the major software publishers do have audit programs as well. And so, the idea here is, maybe these organizations should be working together.
I don’t know. I’m not sure if you have some ideas on, what that looks like for ITAM and security teams to be engaged or partnering in their audit readiness programs.
Avinash Kotikalapudi: Yeah. Again, like to just echo your thought there, right? On the security side, when are we are, doing a review of, any of these frameworks or in the GRC space trying to work with the, some of the vendor compliance initiatives, other things, on and off, things which come up.
Okay, we need to make sure that, there are. There’s an asset inventory. We need to make sure there is all the unauthorized software the shared assets are tracked. They want to make sure that everything is, patched properly in the right fashion.
There’s a process behind that and how that’s being managed. There is a proper flow diagram, right? Flow diagrams is needed. For every team. So, it’s security team, a lifetime team, right? Data is flowing from which direction, where, and other things, which is also important by the way.
Now, from a from a privacy perspective, right? We all know privacy is so key now in this modern world of data mapping and in data collection where, it is important to know which of your software. Is having what kind of data so you can track it back, delete it, or manage it for personal reasons and other things as well.
Again, just eco thought, right? This all obviously from a ITAM and a security perspective are so much done from an audit perspective in a day-to-day world that, these teams obviously should work and must work closely, right? From my perspective whenever we are doing some of these secure and G R c work, we are always looking to engage the teams which manage this whole asset process.
Asset onboarding, process asset tracking process completely because they’re the key for us from a security perspective to give us the data make sure that, we can demonstrate. From a framework perspective that, there is a process in place, it’s being done accurately, done correctly.
And the security team, of course must be a part of that. There’s a lot of data available with the ITAM team, whether it’s Oracle products, IBM products, Microsoft, or given anything. And then just making sure, these teams exchange the data and don’t have to do the rebook again.
Again, making sure that you have these touchpoints. If you talk weekly, biweekly, great, at least monthly so that you know what is coming up on the horizon for, from the security and an item perspective and can coordinate more closely instead of, reading anything really.
Scott Jensen: From the Oracle perspective, when we’re helping customers try to identify. Let’s say how many users are assigned to an application. For example, we’re doing this from a licensing perspective to make sure that the customer has enough licenses.
But from any of the security frameworks you see on the screen Those users are managed from a different perspective, which is to make sure that the right users have are authorized to use or have access to say, for example, financial data of an organization. And so oftentimes a request for users, a list of users goes through the same individual within an organization.
And between the various security audits and the various software audits that may be going on at a single time. This user might be getting several requests a month or a quarter or a year for data that they’ve provided several times already, and naturally that leads to frustration on the end user, PO part or the product owner.
And of course, that’s something we would want to avoid, and it can be avoided. If the security teams and ITAM teams are collaborating on the types of data that must be requested to. Maintain compliance, whether it be for a security framework, an ITAM or a software audit.
Just managing that, entering that request into their GRC tools such that data only be re being requested as necessary and we’re not alienating. Users in the organization.
Avinash Kotikalapudi: I just want to highlight a very a point example over here. As a part of a security review with one of the organizations.
We were obviously trying to do a security analysis work and help similar kind of, say if anybody on the audit, anybody on the team call in probably knows about SOX audits, right? SOX audits are heavy intensive in terms of access, especially trying to understand, what have segregation of duties and so on and so forth for every user, depending on, what type of license it is.
This is also needed for an Oracle lessons perspective or a save lesson perspective, which Scott just mentioned, and I think we were at this particular client, and we were going through this particular review on the security side and, item team had all these data already available, which was, again, because access reviews generally happen in a big organization probably every quarter. And that was very. Timely for that information to be shared between the teams and you know that r o b was done quickly. I think again, a point, an example of how the specific data can be shared between the two teams really.
Scott Jensen: Yeah, that’s a, it’s a fantastic example. All right, so that brings us to just a summary of this presentation. Which is to say that Java is just one of many use cases that can demonstrate why security teams and it a m teams should be collaborating in. The various decisions of an IT organization that, have a widespread impact.
These two teams should not be competitive. Security is integral to it. SAM and ITAM is integral to security. And if they’re not, within your organization, they should be and hopefully you’ll be able to work with the appropriate individuals to gain this sponsorship and this collaboration such that there’s a, there is an appropriate balance between security and item.
And then the three ways that we’ve illustrated that these teams can work together is related to governance. To risk management, which was about reducing the attack surface of an organization. And then audit readiness you might also summarize that as just saying GRC, right?
Governance, risk, and compliance really is the way that these two teams overlap. With that said we are happy to use the remainder time that we have today to answer any questions that our audience has for us. Feel free to use the Q&A feature that we have built in here to zoom to, to enter your questions.
Braden will you moderate that for us and let us know any questions that have come in. But we’re happy to talk about Java if that’s what you want to talk about. If you want to spend some more time doing a deep dive into to just the Java piece of what we talked about today, more than happy to address that.
If you have security relate related questions or just something related to the overlap between the two, we’re more than happy to use the remainder time, remaining time to address that. Great. Thank you. Yeah, we have one question here that hopefully the two of you can help answer. It is there any examples or what, like specific types of data can the asset management teams be sharing with the security team?
Yeah, that’s a great question. And Avinash, feel free to chime in too. The first thing that I readily think of is inventory data, right? And if we look at the case of Log4J for example naturally the security team is going to have a vested interest in identifying anywhere log four J is installed so that, such that it can be either removed or properly patched or addressed, however it may be.
If the ITAM team has the right tooling in place, chances are they could download a report within minutes that shows all locations were. Log4J was installed and then passed that over to the security team to address it. So that’s one, piece of data that, readily comes to my mind.
Avinash Kotikalapudi: That’s a great point for sure. Just to add onto that. I think some of the other things which. And I think I only give an example about how data related to segregation of duties, right? Between it a m and security teams are something which they can easily share, right?
It’s both the teams will need the data for various purposes. And that can be used easily as well. But the other, which comes to my mind, with again talking so much about security and privacy a big piece of GRC nowadays asset data the asset metric carries a lot of rich information as to, what type of software or hardware is there, and you know who owns that.
What kind of inflation is running on them probably. And what kind of data is stored there and all those things, right? We’ve seen item leaders tracking that data, which is, again, very important and needed from a security perspective just to know what is the raiding where, but also from a privacy perspective, just, you know, if you, things like, an impact assessment on some of your hard software and hardware, it’s key to know what kind of data is being tracked in which application, which software really IAM teams generally have that information.
We have seen that in some of the mature programs tracking that. So, we should, exchange that information. Also, if in case that’s available really. Excellent.
Scott Jensen: Another question we have is what are your thoughts about Java 17? And NFTC from a security point of view? NFTC, for anybody who’s not familiar is the, what’s called the Oracle no fee terms and condition license, which is effectively what allows Java 17 to be free. So, I alluded to this at the beginning of the presentation, which was that Oracle announced in 2019, this changed to Oracle licensing. And it seemed like going forward, all Java was going to be Licensable well in September of 2021. So just last year. Oracle surprised everybody again by saying that beginning with Java 17, all long-term releases of Java would be free to use for up to one year after the next long-term release.
So, in the case of Java 17 it’s believed that you’ll be able to use Java 17 for about three years because every two years Oracle is going to issue a new long-term release of Java. So, we believe that the next long-term release will be Java seven excuse me, it’s Java 21 which means that customers would be able to use Java 17 for one year after Java 21 is released.
This is great, for a lot of organizations. But there are some natural risks that you must be aware of, right? One is if you upgrade to Java 17, and this assumes of course, that you’ve tested it to make sure that it doesn’t have any negative impact on your production devices and other applications, right?
So, let’s say you’ve done that whole process and you decide you can move to Java 17 you also have to be able to upgrade it to Java 21. And if you cannot do that by the time. The one year is up, then you’re back to needing a Java subscription again anyways, right? So do be aware that if you stick with Java 17 or if you stick with Oracle Java, you could be subject to these fees again if you’re not on the path to upgrade.
From a security point of view though one of the advantages of Oracle Java. And this is, this is truly a real advantage is that Oracle will release updates and patches as necessary, right? Whereas the free and open-source solution such as open JDK or Amazon Corretto only release on a quarterly or twice annual cadence open JDK only releases update every six months. Amazon Corretto is every quarter, I believe. There are others out there as well. But effectively if you have a vulnerability with open JDK, you may have to wait until the next six-month update before you can patch it well, with Oracle Java, part of the part of what you’re paying for is the fact that Oracle will work to.
To issue an update as soon as possible, you’ll have access to that update, and you can install it. From a security standpoint, there’s an argument to make that staying on Oracle, Java is one of the best things you can do and paying for the subscription if needed to have access to that.
But that said, it really depends on the risk tolerance level of a given organization. I have customers that are, in the financial sector that are maintaining, major financial infrastructure for the United States and. They moved to open JDK in an about a year almost a hundred percent across the board.
They felt like there wasn’t a big enough security concern to stay on Oracle, Java. That was their assessment. I’ve had other customers who’ve said, no way are we moving to a free and open-source solution. We must stick with Oracle because of the security aspect of it. So that’s what we’re going to do and that’s why I say it’s, it just depends on each organization.
All right. Another question is if you continually receive emails from Java / Oracle with the subject Java notice, license, and security requirements, should you respond to the email and involve your security team? So that’s. That’s a good question. I don’t know that I’ve personally ever seen one of these emails.
Feel free, after this call today if you wanted to shoot, forward one to me and I’d be happy to give you my insight on that. So, without knowing really what the content of this it’s not. Surprising to me that you would be getting these kinds of notices, but an along that sort of vein the Java sales team is very aggressive.
They will be reaching out to you or your organization if they haven’t already. And they’ll do it to the extent of saying, listen we can see that you’re downloading Java, right? When a user within your environment downloads Java from the portal, they enter their email address, and Oracle will absolutely use the domain name as part of your email address to tie that back to your organization.
And the sales reps will call, they will contact you and say, we see that you’ve downloaded Java a hundred times in the last, three months. We need to talk so we can Assess your Java usage and figure out what you need to purchase. Now of course, again, from a contractual standpoint, yes, every organization is now subject to these licensing terms, and they should be making purchases if they are using Java in their environment.
That said, it’s not just as simple as assessing whether you have licensable Java if you’re an Oracle customer. In other regards, chances are much of your Oracle. Java usage is included with your other Oracle licenses and deployments. And so that must be assessed. There’s a lot of the third-party applications that might be in your environment where the third party is also providing the Java license.
An example of that would be WebEx, Cisco’s WebEx. They entered an agreement with Oracle where they provide the third-party agreement. So, all of that must be assessed. But unfortunately, without the specifics of the notice that you received since it does have a, seem to have a security requirements aspect to it, I’d say absolutely.
Make sure your security team is aware of it as well.
Avinash Kotikalapudi: Yeah, just to add to that, Scott and again, without seeing the actual content in the email we really can’t comment much. What we have also heard giving these emails and trying to say, we are going to help you with the security and that kind of a cause to run an audit, right?
There are third parties which are being collecting this data and maybe handing over to some of these. Leaders in the Oracle space, and that again, will trigger an audit for you guys saying that, hey, there is, we see these things and you need to make sure; you pay up or whatever it is.
I think, obviously you got to be very careful and yeah, obviously, right? If something it doesn’t look right, involve these right folks from security as well as the other individuals really.
Scott Jensen: Yeah. Thanks. Yeah, exactly. Thanks, Avinash. Couple more questions. I alluded to the challenges.
One question is related to the challenges of Java that’s embedded with other applications. And I like that you call it a challenge because it is really a challenge to assess that. Like I said, some of your some of your third-party agreements would include Java and effectively what we do, just to give some additional insight, is when we assess a customer’s environment for them, we request a list of all applications in their environment, on those devices where Java’s installed.
And we’ve built a repository over the last three years of all known applications that require Java. And so, we take your list of applications, and we pair it against our repository, and we try to. To, I quickly identify those that require Java, whether the software publisher, the third-party A publisher provides the license or not, and whether the licensing onus would be on your organization.
And so of course we found a faster way to do it. But if you were to do this yourself, that’s a, that’s effectively the process you must undergo is by taking each application and, doing research to see whether it needs it. Of course, this should be done in collaboration with your, cis admins and the before Java gets removed or uninstalled widespread, there should always be, a test and, QA process to make sure that there’s not any, widespread implications of doing so.
So, are you aware if Oracle has been keen to audit organizations during this health situation? Oracle has certainly maintained their audit program. If you mean by health situation being the global pandemic, then Absolutely yes. Oracle has continued with their audit program in relates in relations to auditing Java specifically. They did begin to audit Java in December of 2021, so just about six months ago. It was like Christmas Eve basically when Oracle sent Java notices to several customers in North America. I have firsthand knowledge of this because one of them it was an existing client of ours at the time and still is an existing client.
And so, we’ve been helping them navigate that Java audit. I presented a couple weeks ago at another conference and there were other organizations there that confirmed that they too have received official Java audit notices. I do have a I wrote a blog article about this in February and there’s a podcast on the same topic.
If you just Google “Anglepoint Oracle Java audits.” Then you’ll get a couple results for our blog article in our podcast where we discuss this in a little bit more detail. But yes, they are auditing for Java. Can you provide a list of all non-oral applications that come with Java as part of their licensing?
I cannot provide that list. We do consider that proprietary information at this point and part of our value add for the services we provide. But it is something where if engaged with us right in a Java assessment, we would be utilizing that information to expedite the analysis process for Java.
Alright, I think that covers the questions for today. I just want to, take a moment to thank everybody for attending. We really appreciate it. Of course, we’ve both Avinash and I have included our contact information on the screen. Feel free to get in touch with us directly. And Braden, I’m sure you’ll probably send something out afterwards as well where if somebody wanted to contact us, they could do but we really appreciate your attendance today and we hope that. This was of value to you, and we hope that you’ll be able to get your security and ITAM teams working as closely as possible going forward.
Avinash Kotikalapudi: Yes, I want to thank everybody and it’s great that we know we could spend some time with your talking about how we can work these teams together.
Thanks a lot. And we hope everybody had could take back some valuable I information from this session here.