The recently reported vulnerabilities in Java are of course a top concern for enterprises large and small. However, as some of the media coverage shows, there is a lot of confusion about what to do.
The advice is to turn off Java in browsers until there's a fix. That is harder to do than you might think, because it means opening less-than-intuitive application control panels to adjust the settings of the Java install package. However, it is possible, and there are good guides out there that show you how. Mind you, a lot of web-facing Internet applications (not web sites) use Java because of its sophistication and its ability to deliver a good customer experience outside the browser. Take WebEx, for example: it has a Java package that runs locally on the desktop to enable online meetings. So turning Java off may not always be practical for business reasons.
On the other hand, Java is used to create actual applications. Java applications need a Java virtual machine to execute. Using Java in the browser or on the desktop requires a hefty install for the Java VM and Java application stack, with browser plugins from Oracle and, of course, regular, annoying patching. Java applications may run through a browser plugin, but they may also be standalone applications with their own GUI. They might also run on smart devices; Android runs mostly Java-based applications, for example. The latest vulnerabilities concern the execution of arbitrary code through exploitation of the Java runtime itself.
To help explain all this, I found this article useful to share when asked questions on this topic.
However, also remember that fixing one vulnerability simply leads to trying to fix the next. That's not a fun game. So, if data breaches and attackers stealing data are your concern, or you want to be able to use data easily in low-trust environments that are probably vulnerable to compromise, then instead of worrying about Java issues or similar vulnerabilities, why not protect the data independently of the system, using data-centric security?
Data-centric security can be applied to email inside and outside the enterprise, files, payment transactions, data in applications, databases, big data, cloud, mobile email, and even back-office legacy mainframe infrastructure: practically any structured or unstructured data, anywhere it goes.
With data-centric security, organizations can protect the data from cradle to grave, instead of trying to keep up with the constant barrage of IT system vulnerabilities. Patching is of course important and good practice, but it's not always practical to do immediately, and sometimes a patch might not even exist. After all, patching is a burdensome arms race that can never be won.
Data-centric security, on the other hand, is a powerful enabler that can be applied easily and quickly, and it opens new doors to more use of data without increasing risk. It provides enterprises large and small with more freedom to expand and grow as data-driven leaders, and to escape the burden of traditional approaches to IT security that are becoming increasingly easy for the new attackers to see through: the bad guys now creating powerful malware to steal your data from vulnerable systems. So why not take a look at a newer, powerful data-centric approach to ease the pain of compliance and data breach risk management?