What is the focus of your Java strategy?

Compliance, Security, Costs

Where is the Focus of Your Java Strategy?

Compliance, Security, Costs: What is the Focus of Your Java Strategy?

In April 2019, the rules for Oracle JDK Licensing were changed to require a commercial subscription in order to deploy security patches and updates for Java (personal usage and development excluded).

More than a year has passed and there are many lessons to be learned by analyzing the different Java strategies and approaches that organizations have put in place. Read on to learn more about the results of strategic conversations, projects and advisories we’ve had with our customers and the perspective we’ve gained by supporting them in defining their Java strategies.

For many organizations, the biggest challenge when it comes to Java has been the lack of visibility and control over thousands of software installations across different versions. Besides the usage of commercial features, Oracle Java could also be deployed for free with security patches available online

What is the focus of your Java strategy?
Customers' challenge with Java, source: SoftwareONE

Oracle Java 8 is the most widely used version but we still see installations of 7, 6 and even Java 5 in some customer environments. The most recent Long Term Support release, Java 11, is also gaining in popularity and usage.

While the latest security patches and updates for Java 8 and 11 are available to download online for free, in most cases their deployments require a subscription.

Although Oracle released several announcements about the planned licensing changes beforehand, we still saw a significant amount of confusion and the need for guidance across our customers. Around 50 percent of the companies that took part in our recent SoftwareONE webinars (in both DACH and North America) said they have not yet taken any actions on their Java strategy, even one year after the licensing changes.

Top Three Scenarios for Your Java Strategy

For those organizations looking to optimize their Java strategy, we have created the following three scenarios to provide guidance for the compliance, financial, and security perspectives.

1. Focus on Compliance

There is a short-term solution to avoid the risk of deploying Java patchsets without owning the required subscriptions - remove those that fall into this category and replace them with older patchsets, as long as the applications support them.

This, however, requires your organization to have an inventory solution in place that can identify all of your Oracle Java installations and highlight where compliance issues might arise. In the picture below all Oracle JDKs previously updated to a patchset requiring a subscription have been moved back to a “compliant” situation.

What is the focus of your Java strategy?
Scenario 1 - Compliance, source: SoftwareONE

This compliance-focused scenario is a reactive approach that many organizations have adopted to limit their financial risks before defining their long-term Java strategies. However, it means neglecting the need to patch Oracle Java as they would with any other software.

Strength of Scenario

Criteria Evaluation

2. Focus on Security

Organizations that identify security as the main priority for their Java strategies might have business applications that are highly dependent on Oracle Java and cannot afford to have them unavailable, even for a few hours. Therefore, they decide to cover their business critical environments with Oracle Java subscriptions and cover both security and compliance while doing so.

In the picture below all Oracle JDKs are being updated to the latest available patchset.

Strength of Scenario

Criteria Evaluation

3. A Hybrid Focus

The strongest scenario is one that is based on compliance, costs and security simultaneously.

By identifying and implementing an OpenJDK distribution as a possible alternative to Oracle JDK, organizations can leverage a community-based distribution to upgrade and patch the software without any additional subscription costs. Alternatively, for organizations that require support, commercial subscriptions are available for OpenJDK as well.

Implementing OpenJDK and setting it as a standard requires testing to understand its compatibility with applications. The good news is that starting with JDK 11, the differences in the binary code between Oracle and OpenJDK have reduced significantly.

In the picture below “uncompliant” Oracle JDKs are being migrated to OpenJDK and upgraded to the latest patchset.

What is the focus of your Java strategy?
Scenario 3 - Hybrid focus, source: SoftwareONE

A hybrid strategy can be pursued by organizations in the middle-long term to generate financial savings, ensure security and reach compliance.

Strength of Scenario

Criteria Evaluation

When determining your long-term Java strategy, you’ll want to focus on the financial, security and compliance aspects. Whatever your Java roadmap is, SoftwareONE - with its 50+ Oracle and Java experts worldwide and its unique technology to recognize applications running on Java - is here to help you define your roadmap and support you along the way.

What is the focus of your Java strategy?
SoftwareONE Java Expertise

Comment on this article

Leave a comment to let us know what you think about this topic!

Leave a comment


Massimo Borrelli

Oracle Subject Lead

EuroCloud Europe, CSAM, ISTQB Certified Tester, ITIL Foundation Certificate

Related Articles

  • 14 June 2021
  • Bala Sethunathan
  • Managed Security, Cybersecurity User Awareness, Cyber Threat Bulletin, Cybersecurity

Cyber Security Update May 2021

At present, cloud misconfigurations present a high data breach risk. Get to know these best practices that help to secure your cloud-based assets.

IT Insights in May 2021 | SoftwareONE Blog

IT Insights in May 2021

The tech world is such a rapidly developing field that it may sometimes be hard to stay up to date. With our monthly IT insights, you won’t lose the overview. Read about the latest vendor news and trending topics.

Getting Started with FinOps: Why Cloud Security is Your Step Zero | SoftwareONE Blog

Getting Started with FinOps: Why Cloud Security is Your Step Zero

Whether you’re looking to control costs arising from cloud workloads, fraud, or data breaches, cloud security is the important step zero before starting with FinOps. Learn more.