'Petya' Didn't Know *This* About Third-Party Software Maintenance Firms

Oracle

In light of the most recent ransomware attack (using malware dubbed Petya), IT leaders would do well to resist the siren call of third-party software maintenance firms. IT has become a board-level concern—not only because of security concerns but also because of the growing awareness that digital transformation is changing the competitive landscape in every industry.

Third-party maintainers don’t provide security patching. They also don’t provide many benefits that software providers offer, including consistent innovation cycles bringing customers the most advanced technology on a regular basis, access to a community of experts at the company that developed the software for rapid troubleshooting, and a strategic partnership to help them successfully navigate their own digital transformation.

Patches and Fixes

Third-party maintainers don’t have access to full source code, and thus cannot write security fixes or close vulnerabilities that can be exploited by malicious actors. They can only provide Band-Aids as bolt-on customizations. “Our patches and fixes impact the software at its root or root cause,” says Juan Jones, Oracle senior vice president of global support renewals.

In fact, no third-party maintainer can write security patches, because “patch” is a term for a modification to the software’s source code, and third parties do not have access to the relevant source code. Those service providers instead write customizations that act as workarounds for whatever issue they are trying to address. If software were automobile tires, these third-party maintainers would be fixing flats with chewing gum and duct tape.

Oracle, by contrast, provides “factory parts,” says Jones.

The recent Petya attack against multinational companies as far apart as Russia, Ukraine, Britain, and the United States, on the heels of the WannaCry hack from earlier this spring, is a stark reminder of how acute the problem can be, and how much unwanted attention it can bring. As one security expert told the Washington Post, “If you were running an updated operating system and had the latest patch, you would be protected.”

Ovum Consulting in a recent report noted that, “Although it seems self-evident, we regularly remind customers that vendors who create enterprise software such as Oracle are best-suited to maintain and support those products, especially where maintaining strong IT security is a priority. Customers who create custom, home-grown applications that are maintained by internal IT support are one thing, but supporting complex software built to run critical enterprise systems should be left to the experts. We would advise customers to avoid any potential risk and turn to providers who are tried and trusted, have strong security expertise, and have a comprehensive portfolio of integrated support offerings.”

Upgrade Rights

No third-party vendor can provide upgrades to software installed on your servers because they don’t own the intellectual property. This means you won’t have access to the most recent innovations your software vendor has developed to help you compete more effectively in your markets, or to ensure that your software is secure from attacks like Petya and WannaCry.

“Whether it is features and functions in database technology; whether it is new business modules and innovative business functionality in applications; innovative ways of doing new workflows; innovative ways that allow you to expand into global markets—whatever the case may be in terms of that functionality—you get that from Oracle and you can’t get that from any third-party maintainer,” notes Jones.

Knowledgebase

Third-party vendors can’t give their customers access to Oracle’s deep knowledgebase. With hundreds of thousands of entries for every type of software it makes, the information in this knowledgebase is essential for every customer’s IT department. Jones notes that this expertise represents the experiences of hundreds of thousands of Oracle customers and subject-matter experts.

“That single repository of information captures the shared customer experience. It has all of our patches, all of our fixes, all of our wizards and software tools and everything else, all in one place, in a single portal across the entire breadth of the Oracle product line. We have that. Nobody else has that,” he said.

Partnering, Not Profiteering

Oracle has been in business for 40 years and is in this for the long haul—always with its customers' best interests front and center. It’s becoming well-understood that businesses can only invest in innovation when they offload so-called run-the-business IT and leverage the R&D investments underwritten by cloud applications and infrastructure providers such as Oracle.

That’s why Oracle is providing some customers with financial incentives to help them move from on-premises to cloud—which helps them “move from maintenance OpEx to innovation OpEx,” says Jones. “We enable customers to transform their support investment into cloud investment.”

Oracle also helps customers make this journey by sharing its own experience as well as the experience of thousands of its own customers. “We have tools and technology to help make it seamless for you to move into our cloud—either onto new products or to lift-and-shift products that are applications that you already have and deploy them into the cloud,” he noted.

Customers’ lawyers have another reason for throwing up the caution flag: the legal risk to their own customers can’t be ignored. One third-party maintainer, in particular, has been found liable for building its business by infringing Oracle’s intellectual property.

IT has become a board-level concern, thanks to cybersecurity concerns on the one hand and the imperative for innovation on the other. And no one wants to be in the position of defending a decision to partner with a third-party software maintenance firm that has based its entire stock-in-trade on infringing materials, even if it means saving a bit of money in the short term.