Oracle OpenWorld 2019 - Oracle beefs up cloud security, announces three new features to build on Autonomous Database success

By Kurt Marko September 16, 2019
Summary:
Can Oracle’s autonomous features - removing the need for human management - be a competitive edge in a world where buyers are so security conscious?


Oracle isn’t the first business faced with milking a declining business model long enough to allow its replacement to mature enough to sustain the company, but seldom have the stakes been higher. In Oracle’s case, the strategic disruption comes from the rise of cloud infrastructure and software services and the concomitant change of customer behavior in favor of rentable, vendor-managed, usage-based IT services over licensed, self-managed software and hardware. As such, each Oracle quarterly earnings release amounts to a report card on the company’s progress from software to cloud sales. Likewise, its OpenWorld conference is an annual update on how the company plans to convince more customers that its cloud services are both a viable option for the most critical enterprise workloads and a legitimate alternative to those from market leaders AWS and Microsoft.

Given its use as the backbone of core business processes for so many organizations, the two factors where Oracle must differentiate from its cloud competitors are reliability and security. Oracle’s Q1 2020 earnings, which showed a meager 4 percent growth (constant currency) in its cloud services business amidst a 9 percent increase in cloud operational expenses even as AWS and Azure continue growing at mid-double-digit rates, illustrate the uphill climb the company faces in making the cloud transformation. However, a steady stream of new customers for the centerpiece of its cloud portfolio, the Oracle Autonomous Database, indicates a promising start on both criteria, and at OpenWorld the company will introduce three new and enhanced security features that improve the case for Oracle Cloud as the safe, reliable choice for enterprise workloads.

Context - Oracle’s cloud worldview

Oracle’s voluble Founder and Chairman, Larry Ellison, remains the company’s most ardent and articulate spokesman, and his comments during the conference call following last week’s earnings announcement didn’t disappoint. It’s instructive to review these since they provide context and insight into the company’s thinking regarding the cloud market and customer demands. Here, Ellison unabashedly calls Oracle’s Autonomous Database, first announced in 2017 and released a year later, “a game changer.”

Ellison uses the terms first- and second-generation cloud to describe what most might classify as IaaS versus SaaS. The former consists of rental resources that the customer must configure, manage and secure, while in second-generation cloud, the vendor or system itself takes care of these things. (See this column for my thoughts on Oracle’s strength in SaaS versus IaaS.)

As Ellison puts it (emphasis added): 

Autonomous technology is the key element that differentiates a second-generation cloud from a first-generation cloud.

Second-generation cloud, not only do we deliver the benefits of pay per use, we also take the human labor out of running the cloud. That's an even bigger economic savings. Sharing computers and renting computers is not as costly as paying for the labor to run those computers. So from an economic advantage, a second-generation autonomous cloud is much less expensive to run than a first-generation cloud. But that's not what's really important. What's really important is the second-generation autonomous cloud prevents data theft, which you can never do in a first-generation manual cloud.

Ellison then uses the recent AWS-Capital One data leak to bolster his case, and it’s a reasonable one. As I recently wrote, the incident illustrated the shared responsibilities of IaaS vendors and customers and how even extremely knowledgeable cloud users can make serious mistakes. Here’s Ellison (emphasis added),

Let me point out how reasonable Amazon was when they refused to accept responsibility for the configuration errors made by the people at Capital One. They have a policy that said; you have control of your data, you have control of your system, you are responsible for running your system, and if you make mistakes, it's on you, it's not on us. That is not an unreasonable position.

Lest you think Ellison going soft on a key competitor is a sign of age-induced feeblemindedness, what follows shows that he’s just setting you up for a hard sell (emphasis added),

When you have a totally manual system and your users are responsible for configuring the system, when your users are responsible for backing the system up, when your users are responsible for encrypting the data, when your users are responsible for patching the systems, user errors can lead to catastrophic results.

In a manual system, there's no way to prevent that. In an autonomous system, the Capital One data breach could never have happened because the Oracle Autonomous Database doesn't let human beings configure the system, it configures itself automatically. The Oracle Autonomous Database system doesn't ask human beings to patch it, to close security holes. The system automatically patches itself while running.

The Oracle Database doesn't ask if you want to back it up or if you want to encrypt your data, it does all of this automatically while it's running. The only way you can prevent data theft is to eliminate human error. The only way you can do that was with an autonomous database and we have one, and our competitors don't. This is a very big deal.

Later in the call, Ellison noted that in the most recent Q1 Oracle added 3,700 trial customers for the Autonomous Database and now has 2,000 paying customers in total. Noteworthy is the fact that 13 percent weren’t previously Oracle customers and, as Ellison says, “43 percent of the workloads that are going on to Autonomous Database are net new. They're not moving them from On-Premise to the Autonomous Database.”

The self-driving features are undoubtedly a significant draw to the Autonomous Database, and as the Capital One incident demonstrates, none are more critical than security configuration and enforcement. On this front, Oracle is introducing three new services to automatically protect workloads and data on its Cloud.

Announcement summary

Oracle is using OpenWorld to introduce three security services focused on policy and configuration management, data protection and high-security applications. In order, these are:

  • Oracle Cloud Guard provides monitoring of an organization’s entire cloud fleet by aggregating log data from cloud infrastructure and both Oracle and third-party applications, then analyzing it to spot threats and misconfigurations. Once identified, the service can automatically remediate threats. For example, when Cloud Guard spots unusual activity, it can shut down an instance suspected of malware infection or revoke the permissions of someone suspected of data theft or other nefarious behavior. The service will be available in early 2020.
     
  • Oracle Data Safe delivers a similar level of automated protection to database information by monitoring database activity, configuration and access requests. The service can automatically discover and mask sensitive data, such as that containing PII on various Oracle Database Cloud and Autonomous Database services. Data Safe supplements features such as automatic data encryption and patching that are intrinsic to the database services and is available now.
     
  • Maximum Security Zones are designed for applications that require maximal security via an environment that enforces tight controls and governance processes on all applications within it. The service allows customers to lock down configuration to prevent inadvertent or surreptitious changes and will proactively block any suspected attacks, data theft or other anomalous behavior. The service works by automatically activating all relevant and preconfigured security services, including Cloud Guard. Maximum Security Zones will also be available in early 2020.

As Ellison noted during his earnings remarks, a fundamental tenet of what he calls second-generation cloud is automated application and enforcement of security policies. True to his word, the new security services transfer the primary responsibility for security monitoring and administration from the cloud customer to an automated system operated by Oracle.

My take

Security perennially ranks as one of the top two or three concerns of enterprise customers of cloud services, so Oracle can gain a competitive advantage by differentiating itself through superior security technology. While other cloud vendors offer a plethora of security services (for example, AWS Inspector, Config, CloudWatch, CloudTrail and Trusted Advisor), they typically require users to take an active role in setting up, monitoring, interpreting and acting upon the tools’ output.

Given the complexity of database setup and customization, along with the many interfaces available for security exploits, it is an application ripe for some security innovation and simplification. Oracle is wise to focus on delivering foolproof security and extending the self-optimizing and self-configuring nature of Autonomous Database into more advanced security features.