Oracle OpenWorld 2015 - the secure cloud, Oracle style

Profile picture for user gonzodaddy By Den Howlett October 27, 2015
Summary:
Oracle is making bold security claims with its M7 chip. If correct, then it places Oracle in an interesting position when it comes to cloud architectures.

hackers_security_password-100004008-gallery
I'm not being facetious when I say that Larry Ellison used his second Oracle OpenWorld 2015 keynote to give a riveting performance covering security and how Oracle's new M7 chip puts security in silicon.

Security is a topic that usually turns me (and 95% of my colleagues) off. It's not our bailiwick by any stretch of the imagination. But then the seemingly endless stream of database hack stories we see in the media should, by now, have given every C-suite a serious pause for thought.

It has long been known that the primary culprit of security breaches is the end user. Successive vendors have tried numerous measures designed to prevent hackers from getting into systems but often with little demonstrable success. How many of us for example use the same password for every service we access?

And just how many systems out there are poorly designed from a security perspective? We don't know. What we do know however is that many of the systems that are breached fall foul of some of the simplest methods of attack. And those attacks are costly.  From the Talk Talk example we discussed earlier:

The cyber-attack on TalkTalk is set to cost the telco millions of pounds in compensation, potentially threatening the very future of the firm. It’s also proving to be a text book example of how not to handle such a crisis.

Talk Talk revealed on Thursday evening that hackers had stolen personal details of its customers, including dates of birth, telephone numbers, credit card and bank account details, which can be used to carry out identity fraud.

A 15 year old has been arrested in connection with the attack, to which the gut reaction must be: WTF? While the exact nature of the attack is not known, the smart money is on a relatively simple and well known technique known as a SQL injection. Regardless, the case is a mess and exactly the kind of thing Ellison hopes the M7 can foil.

Ellison's argument is persuasive. He says that if you can embed security at the silicon layer, then it renders any attack nigh on impossible. That's a big statement, based largely upon Oracle engineers' understanding of how security works and the claim that silicon cannot be hacked.

During his keynote, Ellison carefully explained how M7's security works, how it is applied and what this means for cloud infrastructure. Again, while technical in nature, I liked the fact Ellison made a case that pretty much anyone can understand. Here's the pertinent slide:

How it works - Oracle M7 security

Crucially, Ellison made the point that in the M7 architecture, security is always on. It cannot be switched off. That means it acts as a protective shield rather than as a reactive component. What's more, Ellison claims that because of its features, developers become more productive.

He them went on to describe how M7 would have detected high profile attacks like Venom and Heartbleed, in real-time.

SSM protection
As he warmed to his theme, Ellison went on to claim that the way Oracle has designed its infrastructure architecture, not only is the data secure, but that only those with the right 'keys' can see that data. Put another way and in the context of Oracle's broad cloud push, he said:

Almost all small SaaS companies have access to your data - how do you feel about that?

It's an important question in today's climate although I am not sure it represents the right argument. For example, I see many good uses for aggregated and anonymized data coming out of SaaS applications. Benchmarking is the obvious one. But on the flip side, concerns over privacy --- and here we're thinking about HR records --- must be a classic no-go area.

To that extent, Ellison went on to describe key features of the vaulting mechanisms that Oracle proposes in what is a multi-layer approach to preventative security. It all added a sense of comfort to those who are concerned about this topic.

But I think Ellison was overstating it somewhat when he claimed that Oracle could secure the Internet. Well yes, as long as everyone uses Oracle M7 processors which run only on the SPARC architecture. Fact is, 99% of servers use X86 chips. To counter that obvious objection, Ellison claimed that providers might only need as few as three percent of servers operating with the M7 architecture for this to provide sufficient of a preventative layer in a data center scheme.

That will be tested in due course but I was left wondering whether Ellison's grand claims stand up to scrutiny.

Afterwards, I spoke with the head of development for a core banking system. These systems have to be highly resilient and stable. Only a small handful of companies in the world sell these systems to banks that are naturally conservative and risk averse. Would they be candidates for the M7? Perhaps. In my source's assessment, Oracle's claim for prevention does not necessarily stand up since there is an app server in the middle of the stack.

However, that was tempered by adding that if you follow Oracle's recommendations and acquire the whole Oracle stack, then you will likely reduce the chances of attack dramatically by virtue of the fact that Oracle's security pervades every layers of the hardware and software stack.

My take

Ellison is a master showman and while I will always likely bitch at his competitive pokes, I felt that the balance of argument was sufficiently persuasive for me to at least ask the logical next question: how can I test this out?

If M7 stands up to scrutiny, it could revive the flagging fortunes of Oracle's hardware business which has seen ongoing sequential declines for some years.

Colleagues have long argued that Oracle's engineered systems represent a persuasive collection of hardware and software that differentiate Oracle in the cloud market. I've never been convinced on cost or TCO grounds alone. In this case and in the current climate, Oracle's full stack may be the only way that some companies and cloud vendors can get comfortable with security.

However, the fact Oracle claims to have created an architecture that prevents them from seeing any data in Oracle cloud environments may also become an important point of conjecture with some of Oracle's most important customers: the US security services.

Oracle is not the only software company that talks to chip makers. You will frequently see Intel rolled out in discussions around what SAP is doing. IBM furrows its own path. But this is the first time I have heard a vendor talking soup to nuts security in such a persuasive and clear cut manner.

Disclosure: SAP and Oracle are premier partners at time of writing. Oracle covered most of my travel costs for attending OpenWorld.