Rimini Street has launched Rimini Protect. It is a set of new security solutions that are available all the time. It builds on services that the company has been offering its customers for some time. What is different here is that everything has been pulled together into a single product suite with new capabilities and services.
Gabe Dimeglio, vice president and executive advisor, security at Rimini Street, said, “Enterprises that rely on dated software vendor patching models still find themselves vulnerable to attacks because patches address only known vulnerabilities. They do not protect against unknown vulnerabilities. Rimini Protect is one of the many innovative solutions from Rimini Street that help our clients take a smart path with their technology portfolio.
“Rimini Protect goes well beyond typical software vendor patching to protect the entire environment of applications, middleware and databases using active security controls that monitor activities in real-time to identify malicious actions and proactively block processes that attempt to exploit known and new zero-day vulnerabilities.”
What is in Rimini Protect?
The easy answer is to look at the website created for the product. It lists six services and three security solutions. Those services and solutions are:
All of these services are part of a Global Security Services offering backed by Rimini Street’s current security experts.
- Security Case Resolution: Log security cases either online or directly with an assigned Primary Support Engineer (PSE). Clients can track and manage cases via our client support portal.
- Security Advisory Services: Help improve security across the IT environment, including security customizations and hardening guides.
- Security Alerts: Get rapid response communication of new threats, with identification details and recommended mitigation.
- Security Configuration Analysis and Enhancements: Benefit from state-of-the-art security audit tools to help fine-tune and optimize configurations to secure systems and enhancements to take your security to the next level.
- Strategic Security Roadmap: Establish a security roadmap that aligns to the needs of the business and ensures the security and compliance of future services, enabling competitive growth objectives instead of hindering them.
- Security Assessment: Understand your compliance and security control maturity and identify potential gaps or opportunities for improvement in existing programs.
- Rimini Street Advanced Application and Middleware Security: Protects against both known and unknown vulnerabilities using Java Runtime detection and remediation before attacks reach their intended target, including releases that are no longer fully supported by the vendor.
- Rimini Street Advanced Database Security: A next-generation database security solution helps protect databases from known and unknown vulnerabilities by continuously monitoring and analyzing shared memory.
- Rimini Protect™ for SAP Applications: A fully managed service providing shields that remediate applications’ vulnerabilities at speed and scale without touching a line of code, protecting from even sophisticated attacks.
Why is Rimini Street launching this?
It’s simple, Rimini Street sees a huge opportunity in the enterprise database market for security services. As database products age, so does support from the major vendors. Many offer support for a period of time or for a given number of releases. The expectation is that most customers will update in that period of time.
Enterprise Times spoke with Sebastian Grady, President, Rimini Street, about this issue. He used Oracle as an example of how support changes. He said: “When a product becomes generally available GA, you get Premier Support for about five years; then you have the opportunity to buy extended support. That typically costs 10% or 20% more than Premier Support. It extends your five years for an additional three years.
“After that, you get into what’s called sustaining support. The big problem with sustaining support is it does not include new updates, fixes, security alerts, or critical patch updates. So you want to talk about security, you don’t get any critical patch updates, no more security patches from Oracle when you’re in sustaining support”
In the case of Oracle, any customer on Oracle Database 12c Release 1 or earlier is caught in this trap. Grady says that at least 50% of the Fortune 500 customers he talks to are worried about this. They have critical applications running on those older versions, and the cost of migrating to a new version of the database runs into millions of dollars. The biggest concern is the lack of security updates for those products.
Protecting against Java Deserialisation attacks
Grady believes so. He sees the new tools in Rimini Protect as delivering that protection for customers on older versions of Oracle databases in particular. Grady uses the example of Java Deserialisation as an example. He claims that it is responsible for 80% of the security breaches affecting Oracle software.
To deal with this, Grady points to Rimini Street Advanced Application and Middleware Security (AAMS). It sits inside the Java compiler. He said: “It is truly zero-day, when log4j came out, customers didn’t have to do anything. They were fully protected. We OEM this product, we support it, and it’s just a killer product. It sits right inside the Java compiler, and it protects you from any of the insecure Java Deserialisation issues.”
Another issue that Grady highlights is that of patching. First, there is the problem of sifting through the huge number of patches that vendors issue to determine priority and relevance. But then there is the challenge of what happens if you don’t get patches. This is where AAMS helps to some degree.
It is not just Oracle that AAMS is applicable to. It can be used in any environment where Java is used. From a wider database market, the company has another product – Rimini Street Advanced Database Security. According to Grady, it “comes from the enterprise security suite of McAfee. It is a zero-day product, for the most part, and works on a lot of databases.”
Oracle is not the only target for Rimini Street
While Grady explicitly calls out Oracle here, this is not a unique or new problem. Many vendors have this problem, as do their customers. Look at Microsoft. There are still customers with older versions of its operating systems who run a daily risk of security breaches due to no security updates. It is not just its operating systems. People still use outdated versions of browsers and other Microsoft products because they often cannot afford to update them.
ERP is another area where this is an issue, one one that provides the bulk of revenues for Rimini Street. While the industry has been working hard to move to a modern cloud world, it has a long legacy tail. For many of those customers moving from those old on-premises versions of software is a huge problem. In many cases, it is not just a simple update to a new version. Whole sections of bespoke code need to be rewritten to make the change.
Another vendor that Rimini Street has its sights on is SAP. Rimini Protect for SAP Applications remediates SAP vulnerabilities. Like the Oracle solutions Rimini Street has, this is about dealing with risk without changing code. That way, it does not become a problem for the SAP developers. It does not force companies to be constantly reviewing and testing their internal code and impacting delivery schedules.
A first step to becoming an MSSP?
Is this the first step to Rimini Street becoming a Managed Security Services Provider (MSSP)? It’s an interesting question. In terms of a pure play MSSP, that might be a bit of a jump. It’s a very crowded market, and Rimini Street would have to spend significant amounts of money to gain a foothold and traction.
There is ample room for it to become an MSSP in the database, Oracle, SAP, and application space. Doing so would be an extension of what it already offers customers. That means it can ramp up its security services without impacting its existing business.
What is interesting is that as that MSSP business ramps up, it has the potential to far outweigh revenue from the existing business. It will be interesting to see how Rimini Street balances that shift in business.
When we put this to Grady he said that the “Oracle and SAP maintenance is a large percentage of our revenue, 80% plus. But we’re selling a lot more managed services, professional services and security managed services. These are where the pain points are with customers.”
He continued saying, “But to your point, if we lead with some of these offerings, that really attack the pain points head-on, our core business will just be pulled through. We have an opportunity to, and we’re doing this, to change the way we’re positioning and marketing our company as really being these ninjas because we have the capability.”
Interestingly, Grady also sees Rimini Street as being an MSSP around core ERP. If that side of the business starts to grow, it will take the company into a very different and very profitable space. Another bonus that Grady calls out is that many of the existing MSSPs are not targeting ERP. That means Rimini Street has an opportunity to grow quickly, and here’s a major challenge – if it can attract, train and retain staff.
Enterprise Times: What does this mean?
It’s easy to see this as just a repositioning of the existing services that Rimini Street offers and to some extent, that’s exactly what it is. However, by making this a new division it opens up a new business opportunity for the company. One that is aligned with what it already offers but also makes it attractive to the much wider ERP and database market.
If it gets this right it would not be a surprise to see a significant shift in revenue streams. That shift should not deprecate the existing Oracle and SAP maintenance business but enhance it. How quickly will it be able to grow the new security division to be the majority revenue stream? That’s hard to know without more information from Rimini Street. However, could this accelerate its move to being a billion dollar business? The answer is yes.