It was appropriate that Oracle put a stake in the ground over security at last week’s OpenWorld conference in San Francisco. As the database of choice for more than 420,000 customers, the effort to find ways to better protect their data is one of the clearest signs of customer-centricity the company could have picked.
Fortunately or unfortunately, as you choose to look at it, their logic is that to provide data security you need to move down the stack all the way to hardware. This sounds eminently reasonable to me though I think I can see a wrinkle. First the good news, like Woody Allen once said, “to a knife fight, always bring a gun,” and that neatly summarizes the Oracle plan. The company has decided to make data security and especially encryption a non-negotiable thing.
Currently some oracle database customers have the security option turned off which won’t help anybody so now the default will be always on. But encryption and de-encryption take CPU cycles which cash-strapped IT groups would rather see applied to “real” work. So the new regime will ding some IT budgets if they have to buy more compute power, but what’s the alternative? There’s not much you can do if security is an issue and it is. Oracle’s Xadata, device which moves database operations into flash memory can provide greater performance and therefore make everything better. But the last time I looked, those devices had a million dollar price tag. Perhaps this will be another decision point that drives companies to the cloud.
At the same time, the company is introducing the M7 CPU chip, which has embedded software instructions that allocate memory to legitimate processes. Any process that tries to use more memory because there’s a virus trying to freeload will cause an alarm of sorts and that will signal IT that it is potentially under attack. Since software bugs might also trigger the alarm there will be some false positives to deal with but a false positive is better than a real one.
These two innovations will help to lock down the data center but I wonder if they’ll just push the security problem out to the periphery, to desktops and devices that don’t have M7 technology. Ten thousand devices each asking for 100 customer names will pose a different but related security problem that might be harder to control so it looks to me like M7 technology will need to become a part of all devices for this scheme to be maximally protective.
Given all this, Oracle’s security innovations might not be perfect but I disagree with those who scoff at them. These approaches will definitely strangle malware where it is found though the Internet won’t be completely safe unless the security is ubiquitous. This reminds me of the way that antibiotics work, which include attacking and puncturing the cell wall, disrupting protein synthesis, and disabling DNA transcription and replication. While it’s true that some microbes have become resistant, especially to cell wall agents (i.e. the penicillin strategy), other approaches seem to be holding up. Interestingly, when you make protein or transcribe DNA you’re dealing with de-encrypting information, so I am very interested in seeing where this all goes
Right now, security might be the most important obstacle to greater expansion of the Internet of Things and to utility computing in general. The last things we need are cars and drones that can be hacked so these first attempts are indeed a welcome sign. No matter, this is an arms race and there will likely be setbacks but at least we are engaged.
(Cross-posted @ Beagle Research Group)